Running Foreman on Debian 11 Bullseye


Many of you would like to upgrade your Foreman installations from Debian 10 Buster to Debian 11 Bullseye and have been asking what the state of this is.

The good news is, we’re getting pretty close to have the next release (3.2) being available on Debian 11 Bullseye.

The bad news is, we’re not 100% there yet, so fetch some tea (or other cozy drink you prefer) and read on.

After Foreman 3.1 has branched and we were able to introduce potentially breaking changes to the development stream, we started working on packaging for Debian 11.

Thankfully, there aren’t too many differences between Debian 11 Bullseye and Ubuntu 20.04 Focal in terms of “the stack” (Ruby, PostgreSQL etc.), so that we could mostly just rebuild the packages and carry on.

As soon as all required packages were built, we started testing them. Hooray for automated testing where you can just say “and now, execute the very same tests but on a different Debian release”. However, this was also the place where we faced our biggest problem.

Foreman was originally designed as a Puppet dashboard, and still relies on “Puppet being present” in many places. And even though there are efforts on the way to make this optional, in the default Foreman installation Puppet is still mandatory. Sadly, as it turns out, there is no Puppet Server for Debian 11 yet.

In theory, our installer is capable of installing Foreman without a Puppet Server. In practice however, it turns out that we use Puppet Server generated artifacts for more than the Puppet integration: we use the certificates generated by Puppet as the default certificates for Apache and for communicating with Foreman Proxies. And if those are missing, things just don’t work that well.

There are two ways out of this situation:

  1. deploy Foreman without Puppet and with custom certificates, signed by whichever CA you trust
  2. use Puppet Server (and Agent) for Debian 10 Buster on your Debian 11 Bullseye installation

Obviously, deploying custom certificates is the most correct answer here (and you really should do this in production setups anyways!), but this is not the “default path” and also requires passing additional parameters to the installer for cleanly disabling Puppet, so for our integration tests we’ve taken the Frankenstein aproach.

So, as of today, you will see nightly packages for Debian 11 Bullseye on deb.theforeman.org that got tested with a Buster Puppet. We hope that until Foreman 3.2 is about to be released, Puppet will release packages for Debian 11 Bullseye and we can drop this workaround.


Comments from the community:


Foreman 3.13.0 has been released! Follow the quick start to install it.

Foreman 3.12.1 has been released! Follow the quick start to install it.