I had built a script which would utilize the katello-agent to install errata on. However, we started noticing that old kernels would not get cleaned up, filling /boot up and cause the server(s) to panic. I recently came across this article:
Which confirms that the katello-agent will not follow the install limit from yum.conf. The bug is apparently not a bug but rather a working as intended and no fix will be issued.
So if you're using katello-agent, stop and just use REX to update your systems, using yum update -y or feeding it the errata numbers. For me, I went with this method:
yum --disablerepo="*" --enablerepo="rhel*" --disablerepo="rhel-source*" update -y
First, needed to disable all repos as we have many systems with repos that are not from RH, we do not want updates from those repos. Then, enable all the rhel repos which then enables the rhel-source repo, which was causing some timeout issues on some systems; so disabled it, then let yum run the updates.
Hope this helps.