Chapter 1. Introducing Red Hat Satellite 6.13

These release notes highlight major changes, enhancements, technology preview items, known issues, deprecated functionality, and removed functionality you must take into consideration when deploying this release of Red Hat Satellite 6. Notes for updates released during the support lifecycle of this Red Hat Satellite 6 release will appear in the advisory text associated with each update.

1.1. Major Changes

The 6.13 release of Red Hat Satellite features the following major changes:

Persistent customization of Ansible configuration

Previously, Satellite stored essential Ansible configuration in /etc/foreman-proxy/ansible.cfg, which was symlinked to the home directory of the foreman-proxy user as /usr/share/foreman-proxy/.ansible.cfg. This file was overwritten on each run of Satellite installer. Therefore, and because Ansible ignored other configuration files, you could not customize Ansible configuration persistently.

With this release, Satellite stores essential Ansible configuration as environment variables in /etc/foreman-proxy/ansible.env instead. This means that Ansible now reads configuration from /etc/ansible/ansible.cfg and the environment provided by Capsule. You can use /etc/ansible/ansible.cfg to customize Ansible configuration persistently, because Satellite installer does not affect this file.

Note that environment variables take precedence over values in /etc/ansible/ansible.cfg, which ensures that the essential configuration required by Satellite is retained.
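The precedence rule above means that a value you set in /etc/ansible/ansible.cfg has no effect if the same setting is also exported in /etc/foreman-proxy/ansible.env. The following check lists such shadowed settings. It is an added example, not code from Satellite. The file contents are constructed samples, and which variables Satellite writes to ansible.env is an assumption.

```python
import configparser

# Environment variable -> (ansible.cfg section, option). These are standard Ansible
# settings; which of them Satellite actually writes to ansible.env is an assumption.
ENV_TO_CFG = {
    "ANSIBLE_HOST_KEY_CHECKING": ("defaults", "host_key_checking"),
    "ANSIBLE_ROLES_PATH": ("defaults", "roles_path"),
    "ANSIBLE_CALLBACKS_ENABLED": ("defaults", "callbacks_enabled"),
    "ANSIBLE_LOCAL_TEMP": ("defaults", "local_tmp"),
    "ANSIBLE_SSH_ARGS": ("ssh_connection", "ssh_args"),
}

# Constructed sample contents, not copied from a real Satellite or Capsule.
SAMPLE_ENV = '''\
# /etc/foreman-proxy/ansible.env (constructed)
ANSIBLE_HOST_KEY_CHECKING="False"
ANSIBLE_ROLES_PATH=/etc/ansible/roles:/usr/share/ansible/roles
ANSIBLE_CALLBACKS_ENABLED=example.callback
'''
SAMPLE_CFG = '''\
[defaults]
host_key_checking = True
roles_path = /opt/site/roles
forks = 20

[ssh_connection]
ssh_args = -o ControlMaster=auto -o ControlPersist=60s
'''


def parse_env_file(text):
    """Parse KEY=VALUE lines, skipping blanks and comments and unquoting values."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key.startswith("export "):
            key = key[len("export "):].strip()
        env[key] = value.strip().strip("'\"")
    return env


def shadowed_settings(cfg_text, env_text):
    """Return ansible.cfg options whose value is overridden by the environment."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    env = parse_env_file(env_text)
    findings = []
    for var, (section, option) in ENV_TO_CFG.items():
        if var in env and cfg.has_option(section, option):
            findings.append({"setting": f"{section}.{option}", "env_var": var,
                             "cfg_value": cfg.get(section, option),
                             "effective": env[var]})
    return findings


if __name__ == "__main__":
    for f in shadowed_settings(SAMPLE_CFG, SAMPLE_ENV):
        print(f"{f['setting']}: ansible.cfg has {f['cfg_value']!r}, "
              f"but {f['env_var']} sets {f['effective']!r}")
```

To audit a real system, pass the contents of the two files named above instead of the samples and extend ENV_TO_CFG with the variables found in ansible.env.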

Host registration through a Capsule load balancer
In a deployment with load balancing, you can configure Capsules to provide a load balancer as an option for the global registration feature. You can pass the URL of the load balancer as the --foreman-proxy-registration-url argument to Satellite installer when you configure Capsule for load balancing. Then you can register hosts in Satellite to the load balancer directly, which eliminates the need to manually reconfigure subscription manager on the hosts after registration.

1.2. Enhancements

The 6.13 release of Red Hat Satellite features the following enhancements:

HTTP/2 enabled by default in Apache
With this release, Apache web server is configured to provide HTTP/2. Web clients can use capabilities of the newer protocol, such as retrieving resources in parallel, which means that the resources load faster. Apache still provides HTTP/1.1 as well; therefore, web clients are not required to support HTTP/2.
Enable Simple Content Access with new task
A new enhancement has been added for users of custom products who are switching on Simple Content Access (SCA). When SCA is turned on, the system will now create content overrides to disable any repositories for which you had not attached a subscription. This way, hosts and activation keys will have access to the same content as before. If, for some reason, you need to turn on SCA without automatically creating these overrides, you can do this through Hammer with hammer simple-content-access enable --organization-id xxx --auto-create-overrides=false. This enhancement is available starting with 6.13.2.
New report template Host - Enabled Repositories
You can now generate reports using the new template, which iterates over all of your hosts and looks at the repositories that each host can consume from, known as bound repositories. The report shows information about the host, repository, iteration, and package count. Because the report is based on bound repositories, the package count is limited by Content View filters: the report displays the exact package count after filtering, not just what is available in the Library environment.
Host details page Module streams updates
Filters have been added to the Module streams listing on the Host details page. You can use filter options such as Enabled, Installed, Disabled, Unknown, Upgradable, and Installation status. You can filter module streams by Installation status. Additionally, you can perform actions for the module streams. These actions include Enable, Disable, Install, Upgrade, Reset, and Remove.
Syncing Capsule from Red Hat CDN
You can now sync Capsules directly from Red Hat CDN. Create a simplified alternate content source and add Red Hat products to it. Make sure that you add the Capsules that you want to sync from the Red Hat CDN to this simplified alternate content source.
Foreman Discovery Image is now based on RHEL 8
Previously, the Foreman Discovery Image (FDI) was based on Red Hat Enterprise Linux 7. With this release, Satellite provides an FDI that is based on Red Hat Enterprise Linux 8 kernel and includes updated network card drivers.
Updated data model and form to add Google compute resources
Previously, when you were adding a Google Cloud Engine (GCE) compute resource, you had to provide a Google Project ID, Client Email, and Certificate in a JSON key separately, all of which came from your service account in Google Cloud. With this release, you provide just the JSON key, which already contains all these data. Satellite now stores these data together. Existing GCE compute resources are migrated to the new data model automatically during an upgrade.
Users can now authenticate to Satellite using their IdM credentials

Users can now use their Red Hat Identity Management (IdM) login and password to log in to their Satellite Hammer CLI, API and Web UI. Administrators can choose between enabling one of the following access modes:

  • Access only to the Satellite web UI.
  • Access to the Satellite web UI, the Satellite API, and the Hammer CLI.
WARNING
Enabling access to all interfaces can lead to security problems. After an IdM user receives a Kerberos ticket-granting ticket (TGT) by entering kinit user_name, an attacker can obtain an API session even though no credentials were entered, for example, in the browser.
Non-root sudoers requiring a password can now perform sudo operations on RHEL web console
Users requiring a password to perform sudo operations can now log in to RHEL web console in a privileged session. If the users have the sudo password set in Satellite, they do not have to enter the password when logging in.
Create host from host group
You can now create a host directly from the host group by going to Configure > Host Groups. For the host group, click the drop-down menu in the Actions column and select Create Host. This opens the host creation wizard with the host group field automatically populated. The wizard will look for other parameters in the host group and populate them automatically.
Ability to search by Insights status
When searching for hosts, you can now filter search results by Insights status of the hosts: not registered, registered but not reporting, and registered and reporting.
Ability to search by Ansible role
When searching for host groups, you can now filter search results by Ansible role.
Labels on the host page are now clickable
Clicking on labels next to the host name on the host page now leads to a search for all hosts with the same characteristics.
Host-group counts on the Ansible Roles page are now clickable
Clicking on a host-group count now leads to a list of host-groups which have the Ansible role assigned.
Selectable columns in the host table
You can now choose what columns are displayed in the host table on the Hosts > All Hosts page. For more information, see Selecting Host Columns in Managing Hosts.
Packages tab now has a dropdown menu to select the upgrade version
A dropdown menu was added to the Packages tab under the Content tab in Content Hosts to select the upgrade version you want to filter. Under the Status dropdown menu, you can select Upgradable or Up-to date to filter the packages. If there are multiple upgrade versions available and none are selected, the most recent one is used for the upgrade.
New Report Template to list installed packages
In this release, you can get a list of all installed packages for the complete list of content hosts in your environment with the new report template Host - All Installed Packages.
Filter installed packages by vendor
Users can now filter installed packages by the vendor after an update to the Content tab of the host details page. In the Content tab, click the Packages sub-tab, and type vendor into the search box for autocomplete or regular search.
REX pull transport improvements
  • You can limit the maximum number of active jobs on Capsule. For more information, see Setting the Job Rate Limit on Capsule in Managing Hosts.
  • New global setting Time to pickup specifies time after which the job is canceled if not picked up by the host. The setting can be overridden on a job level. For more information, see Remote Execution Settings in Administering Red Hat Satellite.
  • You can now specify an effective user when scheduling a remote job. For more information, see Advanced Settings in the Job Wizard in Managing Hosts.
  • You can now schedule jobs even if the host is offline. The host picks up the job once online, unless time to pickup expires first.
New job wizard form
With this release, the wizard for scheduling a remote job has been redesigned. You can still use the old form of the job wizard. For more information, see Executing a Remote Job in Managing Hosts.
You can generate a report with details about invoked remote execution jobs
To generate a report about invoked remote execution jobs, click Generate report on the Monitor > Jobs page.
Failed remote execution jobs now provide more specific error messages
With this release, pre-flight checks were added to remote execution jobs. Pre-flight checks detect whether the script can be executed in the target directory and whether it is possible to change to the effective user required for the job. If either condition is not met, an error message is displayed. If you want to see concrete commands that were run within the job, ensure that the log level is set to debug on the Satellite Server or Capsule through which the job was executed. You can then find the commands in /var/log/foreman-proxy/proxy.log. In addition, remote execution now detects a failure in authentication and reports tried authentication methods.
Content View versions can now be compared
Users can now compare Content View versions. For more information, see Comparing Content View Versions in Managing Content.
Alternate Content Sources

You can populate a repository with content that is locally stored or geographically closer to you, using the alternate content sources feature. This can be used to accelerate repository synchronization, as only the metadata is pulled in from the repository server, while the content itself is synchronized from the alternate content source.

The alternate content source can be set up for a Satellite server, as well as for Capsule servers.

To create alternate content sources, navigate to Content > Alternate Content Sources > Add Source.

This release introduces three types of alternate content sources:

  • Custom Alternate Content Source

  • Simplified Alternate Content Source

    • You can use simplified alternate content source to sync Capsule content directly from the upstream repositories by selecting the desired products. For more information, see Configuring Simplified Alternate Content Sources in Managing Content.
  • RHUI Alternate Content Source

Simple Content Access Improvements
  • Importing a manifest no longer changes the content access mode (SCA/entitlement). This is because the content access mode is now set on the organization, not the manifest. Instead of toggling SCA in Subscriptions > Manage Manifest, you can toggle it with a checkbox located on the Organization Edit page.
  • Toggling SCA on the Organization Edit page no longer causes a manifest refresh.
  • SCA is enabled by default when you create a new organization. If you want to disable SCA, uncheck Simple Content Access on the Primary tab when creating the organization.

For more information on SCA, see Simple Content Access.

Improved visibility for Any Organization and Any Location
With this release, the web UI displays special icons for Any Organization and Any Location to show that these are special names. The web UI shows an error if users try to create an organization with the name Any Organization or a location with the name Any Location, because these are special names.

1.3. Bug Fixes

The 6.13 release of Red Hat Satellite features the following bug fixes:

Upgrading the Satellite Server no longer fails with a satellite-maintain error
Prior to this fix, the upgrade process of Satellite Server required you to enable the next version of the Satellite repository in addition to the Satellite Maintenance repository. With this release, you must only enable the Satellite Maintenance repository. As a prerequisite, enable the new satellite-maintenance:el8 dnf module to access the packages inside the Satellite Maintenance repository.
Last sync dates no longer disappear from the capsule page after a task cleanup
Previously, the last sync date on the capsule page relied only on tasks. As a result, task cleanup caused the last sync date to show never synced. With this release, capsules can get their last sync date from audit records if there are no tasks found.
Provisioning a RHEL 9 host does not result in booting into the emergency mode
Previously, when you provisioned the RHEL 9 host, the operating system could go into the emergency mode when attempting to boot the new kernel. This is resolved with an update in the RHEL 9 Kickstart repository. Synchronize your repository with the updated Kickstart repository.
Job is not dropped in pull mode when MQTT client is not running at invocation time
Previously, the yggdrasild service dropped the remote execution job after restart if it was not running at the time you invoked the job on a host in pull mode. With this release, the job is not dropped after yggdrasild restarts and is executed normally.
You can enable Ansible callback per job template

Ansible callback allows hosts to send facts, which are used to create configuration reports, back to Satellite after a job finishes. You can now enable the callback for Ansible job templates per template. By default, the callback is enabled only for the original Ansible Roles - Ansible Default template and disabled for all the other original Ansible job templates. To enable the callback, create, clone, or edit an unlocked Ansible job template, navigate to the Ansible tab and select the Enable Ansible Callback checkbox.

This is fixed in 6.13.4.

The Insights tab shows the correct recommendations after switching to another host
Previously, when you switched to the next host using the breadcrumbs switch, the Insights tab kept displaying the data from the previous host. With this release, the Insights tab displays the data of the host you switched to.
The Insights tab shows the correct recommendations after switching to a new host
Previously, when you switched to a new host using the breadcrumb switcher, the Insights tab continued to show data from the previous host. With this release, the Insights tab displays data from the new host when you switch to it.
New host page bug fixes
  • Previously, the new host page did not display global host parameters. With this release, you can now view global host parameters under the Parameters tab on the new host page.
  • Previously, you could not review host templates on the new host page. With this release, you can find the host template details on the Templates card under the Details tab.

1.4. Technology Previews

Important

Technology Preview features are not supported with Red Hat production service-level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them for production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process. For more information, see Red Hat Technology Preview Features Support Scope.

The following features are available as Technology Previews in Red Hat Satellite 6.13:

OVAL / CVE Reporting Support

Satellite now includes the ability to scan systems for vulnerabilities using the OVAL standard data feed provided by Red Hat.

foreman_openscap contains the API to upload the OVAL content used to trigger the OVAL oscap scans. The results are parsed for CVEs and sent to Satellite, which then generates reports of managed hosts and the CVEs that affect them.
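To illustrate how an OVAL results document maps to a list of CVEs, the following added example joins each definition that evaluated to true with the CVE references in its metadata. It is not the parser used by foreman_openscap. The results document, definition IDs, and CVE identifiers are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"res": "http://oval.mitre.org/XMLSchema/oval-results-5",
      "def": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}

# Results that give no verdict; treat them as "needs rescan", not as "not affected".
NO_VERDICT = {"error", "unknown", "not evaluated"}

# Constructed, minimal OVAL results document with placeholder identifiers.
SAMPLE_RESULTS = """\
<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5">
  <oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
    <definitions>
      <definition id="oval:example:def:1" class="patch" version="1">
        <metadata><title>Constructed advisory A</title>
          <reference source="CVE" ref_id="CVE-0000-0001"/>
          <reference source="CVE" ref_id="CVE-0000-0002"/></metadata>
      </definition>
      <definition id="oval:example:def:2" class="patch" version="1">
        <metadata><title>Constructed advisory B</title>
          <reference source="CVE" ref_id="CVE-0000-0003"/></metadata>
      </definition>
      <definition id="oval:example:def:3" class="patch" version="1">
        <metadata><title>Constructed advisory C</title>
          <reference source="CVE" ref_id="CVE-0000-0002"/></metadata>
      </definition>
      <definition id="oval:example:def:4" class="patch" version="1">
        <metadata><title>Constructed advisory D</title>
          <reference source="CVE" ref_id="CVE-0000-0004"/></metadata>
      </definition>
    </definitions>
  </oval_definitions>
  <results><system><definitions>
    <definition definition_id="oval:example:def:1" version="1" result="true"/>
    <definition definition_id="oval:example:def:2" version="1" result="false"/>
    <definition definition_id="oval:example:def:3" version="1" result="true"/>
    <definition definition_id="oval:example:def:4" version="1" result="error"/>
  </definitions></system></results>
</oval_results>
"""


def cves_from_results(xml_text):
    """Return (CVE -> ids of definitions that matched, ids with no verdict)."""
    root = ET.fromstring(xml_text)
    # Step 1: index the CVE references carried by each definition's metadata.
    cves_by_def = {}
    for d in root.iterfind("def:oval_definitions/def:definitions/def:definition", NS):
        refs = d.iterfind("def:metadata/def:reference", NS)
        cves_by_def[d.get("id")] = [r.get("ref_id") for r in refs
                                    if r.get("source") == "CVE"]
    # Step 2: walk the per-system results and join them with the index.
    findings, no_verdict = {}, []
    for r in root.iterfind("res:results/res:system/res:definitions/res:definition", NS):
        def_id, result = r.get("definition_id"), r.get("result")
        if result == "true":  # for a patch-class definition: the fix is missing
            for cve in cves_by_def.get(def_id, []):
                findings.setdefault(cve, []).append(def_id)
        elif result in NO_VERDICT:
            no_verdict.append(def_id)
    return findings, no_verdict


if __name__ == "__main__":
    found, unresolved = cves_from_results(SAMPLE_RESULTS)
    print(found, unresolved)
```

Definitions that end in error or unknown are returned separately so that a failed check is not read as a clean host.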

OpenShift Virtualization plugin
You can provision virtual machines using the OpenShift Virtualization compute resource as a Technology Preview.
Kernel execution (kexec) template
Kernel execution template for PXE-less boot methods.

1.5. Known Issues

The following known issues exist in Red Hat Satellite 6.13 at this time:

Disabled Puppet with all data removed cannot be re-enabled

If the Puppet plug-in was disabled with the -f, --remove-all-data argument and you attempt to enable it again, Satellite maintain fails.

BZ#(2087067)

Alternate Content Sources that use HTTP proxies cannot have the HTTP proxy removed

If the Use HTTP Proxy flag is unset on the Alternate Content Source, traffic continues to go through the HTTP proxy. The workaround is to destroy the Alternate Content Source and recreate it.

BZ#(2162458)

Logging error during the host registration with Red Hat Insights

During host provisioning, the host is registered with Red Hat Insights by running the command insights-client --register --verbose. The command ends with a logging error after package installation.

No workaround is required, because this error occurs only once and does not repeat after the initial output. You can find more details in the provisioning log.

BZ#(2129254)

Job invocation details show incorrect results of execution on multiple hosts

When you run an Ansible job against multiple hosts and the execution fails on some hosts, the results of the execution on all hosts are marked as failed in the job invocation details. As a result, partial failure of jobs is not respected and you can see the failed result status even for hosts on which execution succeeded.

BZ#(2167396)

This is fixed in the 6.13.1 update.

Information from host group is not completely inherited when provisioning a discovered host in the Satellite web UI

When you provision a discovered host, after selecting a host group and trying to customize the host entry, many critical pieces of information are missing. This results in a failed deployment attempt.

As a workaround, perform one of the following actions:

  • Provision the host using hammer:

    # hammer discovery provision --name discovered_host_name \
    --hostgroup-id your_hostgroup_id \
    --organization-id your_organization_id \
    --location-id your_location_id \
    --new-name new_host_name \
    --build true

    For more information, see hammer discovery provision in Hammer CLI Guide.

  • Configure discovery rules and enable auto-provisioning so that no manual intervention is required to provision a discovered host. For more information, see Creating Discovery Rules in Provisioning Hosts.

BZ#(2069324)

1.6. Deprecated Functionality

This part provides an overview of functionalities that have been deprecated in Red Hat Satellite 6.13.

Deprecated functionality will likely not be supported in a future release of this product and is not recommended for new deployments.

Asynchronous SSH remote execution mode
The async-ssh remote execution mode is deprecated and will be removed in a future release. When you have unstable connectivity between Capsules and managed hosts, Red Hat advises you to use the pull mode instead. For more information about pull mode, see Transport Modes for Remote Execution in Managing Hosts.
Concurrency control and Time span
Concurrency control and Time span settings in remote job scheduling are deprecated and will be removed in a future release.
Append domain names to the host
The Append domain names to the host setting is deprecated and will be removed in a future release. Use FQDN (Fully Qualified Domain Name) to identify the hosts.
Foreman Hooks
Foreman Hooks functionality has been deprecated and will be removed in a future release. The functionality will be replaced by the new Foreman Webhooks feature that will be documented with its release.
Provisioning on Red Hat Virtualization
The integration of Red Hat Virtualization (RHV) with Satellite is deprecated and will be removed in a future release. All the existing compute resources of RHV type will be removed and the hosts associated with RHV will be disconnected.
Bootstrap.py
The bootstrap.py script used to register a host to Satellite or Capsule Server has been replaced with the curl command created with the global registration template.
Entitlements

Entitlement-based Subscription Management is deprecated and will be removed in a future release.

It is recommended to use Simple Content Access as a substitute, which simplifies the entitlement experience for administrators with regard to subscriptions.

Katello Agent
Katello Agent is deprecated and will be removed in a future release. Transition your workloads to use the Remote Execution feature.
Katello-ca-consumer package
The katello-ca-consumer package is deprecated and will be removed in a future release. Use the global registration template for registering a host to Red Hat Satellite.

1.7. Removed Functionality

This part provides an overview of functionalities that have been removed in Red Hat Satellite 6.13.

The Satellite-installer option --disable-system-checks is removed
The --disable-system-checks option has been removed from the satellite-installer. A Satellite installation now requires the minimum recommended system resources to be allocated. For non-production deployments, and only if absolutely necessary, you can use --tuning development as an alternative option.