Using Cloud Connector to remediate issues across your Red Hat Satellite infrastructure

Red Hat Insights 2023

A guide to remediating RHEL system issues throughout your Satellite infrastructure from the Red Hat Insights application

Red Hat Customer Content Services

Abstract

This guide is for Red Hat Insights users who want to use Cloud Connector to remediate issues on RHEL systems managed by Red Hat Satellite.
Red Hat is committed to replacing problematic language in our code, documentation, and web properties. We are beginning with these four terms: master, slave, blacklist, and whitelist. Because of the enormity of this endeavor, these changes will be implemented gradually over several upcoming releases. For more details, see our CTO Chris Wright's message.

Chapter 1. Cloud Connector overview

Red Hat Insights analyzes Red Hat Enterprise Linux systems for configuration or security issues, recommends actions to remediate those issues, and enables you to create Ansible Playbooks to automate remediations.

If you use Red Hat Satellite to manage your systems, you can upload your host inventory from Satellite to Red Hat Hybrid Cloud Console so that Satellite can report issues on your Satellite-managed hosts. You can then create and run remediation playbooks to fix issues on hosts across multiple Satellite Servers directly from the Red Hat Hybrid Cloud Console.

Chapter 2. Configuration overview

To remediate issues across your Satellite infrastructure, you will configure your Satellite infrastructure to communicate with Insights for Red Hat Enterprise Linux, then start remediating issues in Insights. The following prerequisites are comprehensive for Satellite configuration and Insights remediations:

Prerequisites

  • Remediations Cloud Connector requires a Red Hat Smart Management subscription.
  • Satellite must be version 6.9 or later.
  • You must have permissions to create and execute playbooks from the Red Hat Insights for Red Hat Enterprise Linux Remediations service.
  • Import a Subscription Manifest into Satellite. Only hosts in organizations with a valid Red Hat certificate can be connected to Red Hat Hybrid Cloud Console. For more information, see Importing a Subscription Manifest into Satellite Server in the Red Hat Satellite Content Management Guide.
  • Register your hosts to Satellite using an activation key to attach Red Hat subscriptions. For more information, see Registering Hosts in the Red Hat Satellite Managing Hosts guide.
  • Enable remote execution on your hosts so that Satellite can run remediation playbooks on them. For more information, see Distributing SSH Keys for Remote Execution in the Red Hat Satellite Managing Hosts guide.

Chapter 3. Configuring your Satellite infrastructure to communicate with Insights

Before you can remediate issues in your Satellite infrastructure, you must connect your hosts to Insights for Red Hat Enterprise Linux and configure Cloud Connector on Satellite Server.

3.1. Uploading your host inventory from Satellite to Insights for Red Hat Enterprise Linux

Use this procedure to upload your host inventory from Red Hat Satellite to Red Hat Insights for Red Hat Enterprise Linux.

Prerequisites

  • Register your hosts to Satellite using an activation key to attach Red Hat subscriptions.

Procedure

  1. On Satellite Server, enable the Inventory plug-in. Note that the --foreman-proxy-plugin-remote-execution-ssh-install-key true option installs an SSH key for the root user on Satellite Server, so that Satellite can use remote execution on itself. This allows all Satellite users with the create_job_invocation permission to run commands over SSH as root on Satellite Server. If required, you can generate and install this key manually instead of using this option.

    • On Satellite Server 6.9 and later, enter the following command: 

      # satellite-installer \
--foreman-proxy-plugin-remote-execution-ssh-install-key
  1. In the Satellite web UI, navigate to Configure > Inventory Upload and select your organization.

  2. Click Restart to upload your host inventory to Red Hat Insights for Red Hat Enterprise Linux.

    Repeat this step for each organization from which you want to upload a host inventory.

  3. Optional: Toggle the Auto upload switch to the ON position to enable Satellite to automatically upload your host inventory once a day. Toggle the Obfuscate host names switch to the ON position to hide host names that Satellite reports to Red Hat Cloud.

    Auto upload and Obfuscate host names are global settings. They affect hosts that belong to all organizations.

To verify that the upload was successful, log into https://console.redhat.com/insights/inventory/ and search for your hosts.

3.2. Installing the Insights for Red Hat Enterprise Linux client on hosts managed by Satellite

Use this procedure to install the Insights for Red Hat Enterprise Linux client on each of your hosts.

Prerequisites

  • Register your hosts to Satellite using an activation key to attach Red Hat subscriptions.

Procedure

  1. Install the Insights for Red Hat Enterprise Linux client: 

    # yum install insights-client

  2. Register the host to Insights for Red Hat Enterprise Linux: 

    # insights-client --register

Repeat these steps on each host.

Alternatively, you can use the RedHatInsights.insights-client Ansible role to install the Insights for Red Hat Enterprise Linux client and register the hosts. For more information, see Using Red Hat Insights with Hosts in Satellite in the Red Hat Satellite Managing Hosts guide.

3.3. Configuring Cloud Connector on Satellite Server

Before you can run remediation playbooks on your Satellite infrastructure, you must install and configure the Cloud Connector on Satellite Server. Perform the following tasks to install, configure, and verify the configuration of Cloud Connector.

Create the Cloud Connector configuration playbook

A Satellite administrator can install and configure the Cloud Connector by activating the Configure Cloud Connector button. This automatically creates the service user that the Cloud Connector will use to trigger remediation jobs on Satellite, then runs the Cloud Connector installation playbook using the service-user credentials.

Enable Cloud Connector operation on Satellite

To ensure that the Cloud Connector operates, verify that Automatic Inventory Upload (Configure > Inventory Upload) and Sync Automatically ( Configure > Insights) are turned ON.

Verify Satellite and Insights communication

Apart from this, you need to perform both tasks manually to verify the system functions. Refer to the steps mentioned below:

  • By uploading the report: Select the required organization from the inventory page, and click Restart. This step is asynchronous and it may take time to be processed by the cloud.
  • By syncing Insights information: Select the three dots menu from the Insights page, and click Sync Recommendations.

Enable Auto Sync and perform initial, manual sync

Click Sync Inventory Status and enable Auto Sync for the organization.

Important

Make sure you need to sync manually for the first time before it starts.

It is normal that while syncing the inventory, you may get a notification indicating the number of hosts that are in disconnected status or not uploaded to your Hybrid Cloud Console inventory. At this stage, a user is required to re-sync the inventory. In some cases, the host processing at Hybrid Cloud Console can take some time to remediate.

Disable direct remediations on a host

By default the parameter is not set in the system. It is set to True for the hostgroup to allow the execution of playbooks by default on the Cloud Connector. Note that all the hosts that are present in that particular organization will inherit the same parameters.

When the Satellite receives the remediation playbook run request from Cloud Connector, that request will have a list of hosts where it should be executed. However, to ensure the playbook run does not get invoked from the cloud, set the enable_cloud_remediations parameter to False at the host level.

Disable direct remediation on a hostgroup

By default the parameter is not set in the system. It is set to True for the hostgroup to allow the execution of playbooks by default on the Cloud Connector. Note that all the hosts that are present in that particular organization will inherit the same parameters.

Optionally, an Organization Administrator can disable the cloud remediations for the whole organization or hostgroup by setting the value of the enable_cloud_remediations parameter to False.

Configure inventory uploads

  1. In the Satellite web UI, navigate to Configure > Inventory Upload.
  2. Click on the Configure Cloud Connector button.

Verify successful configuration

To verify that the playbook was successful, log into https://console.redhat.com/settings/sources and search for your Satellite Server.

3.3.1. Configuring Cloud Connector after upgrading Satellite Server

Note

This only applies to upgrades from Satellite version 6.10 to 6.11. Refer to the Upgrading and Updating Red Hat Satellite guide for more information.

To configure Cloud Connector after upgrading the Satellite Server, click Configure Cloud Connector button from Configure > RH Cloud - Inventory Upload to enable it on the new version of Satellite Server. Simultaneously, you are required to remove the previous Source from the cloud manually on the Red Hat Hybrid Cloud Console after upgrading your Satellite Server.

Once the Cloud Connector is configured, it will remove the receptor bits and install the RHC bits. At the same time, the Cloud Connector announces all the organizations in the Satellite to the Source and is ready to receive the connections.

3.4. Configuring Insights recommendations on Satellite

You can use Insights for Red Hat Enterprise Linux synchronization to provide Insights recommendations for Satellite-managed hosts. Use this procedure to configure Insights synchronization on Red Hat Satellite.

Procedure

  1. Navigate to Configure > Insights to synchronize Insights for Red Hat Enterprise Linux recommendations manually. Then click the more options icon img more options and choose Sync recommendations.
  2. Optionally, toggle the Synchronize Automatically switch to the ON position to enable Satellite to download Insights recommendations from the Hybrid Cloud Console automatically, once a day.

You have now configured Red Hat Insights for Red Hat Enterprise Linux Synchronization on Satellite.

In the Satellite web UI, navigate to Hosts > All Hosts to see Insights for Red Hat Enterprise Linux recommendations for each Satellite-managed host.

Chapter 4. Remediating issues on RHEL systems managed by Satellite

Use Insights for Red Hat Enterprise Linux to create a remediations playbook, and execute that playbook on your Satellite systems from the Insights UI.

4.1. Using Insights for Red Hat Enterprise Linux to create a remediations playbook

You can use Insights for Red Hat Enterprise Linux to create an Ansible Playbook for system remediation across your Satellite infrastructure.

Prerequisites

Procedure

  1. Log in to your Red Hat Hybrid Cloud Console account and open Red Hat Insights for Red Hat Enterprise Linux.

  2. Perform one of the following actions to see what fixes are available.

  3. After selecting Red Hat Enterprise Linux > Advisor > Recommendations or Red Hat Enterprise Linux > Vulnerability > CVEs, click on one of the listed remediation items.

    An Affected systems list appears that shows you which systems might need the remediation applied.

  4. From the list, click the check box to select the systems you want to remediate. When you select the systems, the Ansible Remediate button becomes active.
  5. Click the Ansible Remediate button to create an Ansible Playbook. You can choose to create a new playbook or modify an existing playbook.

4.2. Executing the remediations playbook

You can execute an Ansible Playbook that you created to apply remediations to your Satellite managed systems.

Note

Only users who are assigned the Remediations administrator role can execute an Ansible Playbook. For information on how to manage and assign user roles, see the User Access Configuration Guide for Role-based Access Control (RBAC).

Prerequisites

Procedure

  1. Navigate to Red Hat Enterprise Linux > Red Hat Insights > Toolkit > Remediations. A list of available playbooks appears.
  2. Click the name of the playbook that you want to execute. A summary window displays information about the actions in the playbook.

  3. In the summary window you can switch states of the auto reboot. If it is enabled you can turn it off and if it is disabled you can turn it on.

    Note

    The selection to Turn off auto reboot applies to the playbook and not individual systems. If multiple systems use the playbook, the auto reboot choice of enabled or disabled applies to all systems and cannot be individually toggled.

  4. (Optional) You can select specific actions in the confirmation window and delete them.
  5. Click the Execute Playbook button. A confirmation window appears and asks for a final confirmation to execute the playbook. You can view the readiness state for the target systems.
  6. In the confirmation window, click the button Execute Playbook on X systems to start running the playbook. The X represents the number of systems.

4.3. Using Red Hat Insights for Red Hat Enterprise Linux to monitor remediation status

You can view the remediation status for each playbook that you execute from the Insights for Red Hat Enterprise Linux Remediations service. The status information tells you the results of the latest activity and provides a summary of all activity for playbook execution. You can also view log information for playbook execution.

Prerequisites

  • Create and execute a remediation playbook.

Procedure

  1. In the Red Hat Insights for Red Hat Enterprise Linux application, click the Remediations tab. The tab window displays a list of remediation playbooks.
  2. Click on the name of a playbook. Additional choices are displayed for the latest playbook activity and all playbook activity.
  3. Click View in the Playbook summary area to see results of the latest activity for the playbook execution.
  4. Click the Activity tab to see information about all activity for the playbook.
  5. When you hover on any item in the Status column, a pop-up box appears with summary information for Run, Failed, and Pending activity.
  6. Click the expand button next to a Run on entry to show additional activity for each connection on that run. A "Results by connection" window appears.
  7. Under the Connection heading, click a connection name. A Name list appears.

  8. Click on the expand button next to an entry in the Name list. A Playbook log appears.

    Note

    You can view the Playbook log while a playbook is executing to see near real time information on the execution status.

To monitor the status of a playbook in the Satellite web UI, see Monitoring Remote Jobs in the Red Hat Satellite Managing Hosts guide.

Providing feedback on Red Hat documentation

We appreciate your feedback on our documentation. To provide feedback, highlight text in a document and add comments.

Prerequisites

  • You are logged in to the Red Hat Customer Portal.
  • In the Red Hat Customer Portal, the document is in the Multi-page HTML viewing format.

Procedure

To provide your feedback, perform the following steps:

  1. Click the Feedback button in the top-right corner of the document to see existing feedback.

    Note

    The feedback feature is enabled only in the Multi-page HTML format.

  2. Highlight the section of the document where you want to provide feedback.

  3. Click the Add Feedback pop-up that appears near the highlighted text.

    A text box appears in the feedback section on the right side of the page.

  4. Enter your feedback in the text box and click Submit.

    A documentation issue is created.

  5. To view the issue, click the issue link in the feedback view.

Legal Notice

Copyright © 2023 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.