Chapter 1. Patch service overview
Patch leverages Red Hat software and management automation expertise to enable consistent patch workflows for Red Hat Enterprise Linux (RHEL) systems across the open hybrid cloud. It provides a single canonical view of applicable advisories across all of your deployments, whether they be Red Hat Satellite, hosted Red Hat Subscription Management (RHSM), or the public cloud.
Use the Insights patch service to
- see all of the applicable Red Hat and Extra Packages for Enterprise Linux (EPEL) advisories for your RHEL systems checking into Insights.
- patch any system with one or more advisories by using remediation playbooks.
-
see package updates available for Red Hat and non-Red Hat repositories as of the last system checkin. Your host must be running Red Hat Enterprise Linux (RHEL) 7, RHEL 8.6+ or RHEL 9 and it must maintain a fresh
yum/dnfcache.
- Configure Role Based Access Control (RBAC) in Red Hat Hybrid Cloud Console > the Settings icon (⚙) > Identity & Access Management > User Access > Users.
- See User Access Configuration Guide for Role-based Access Control (RBAC) for more information about this feature and example use cases.
1.1. Criteria for patch and vulnerability errata
The patch service collects a variety of data to create meaningful and actionable errata for your systems. The Insights client collects the following data on each checkin:
- List of installed packages, including name, epoch, version, release, and architecture (NEVRA)
- List of enabled modules (RHEL 8 and later)
- List of enabled repositories
-
Output of
yum updateinfo -Cordnf updateinfo -C - Release version from systems with a version lock
-
System architecture (eg.
x86_64)
Additionally, Insights for Red Hat Enterprise Linux collects metadata from the following data sources:
- Metadata from product repositories delivered by the Red Hat Content Delivery Network (CDN)
- Metadata from Extra Packages for Enterprise Linux (EPEL) repositories
- Red Hat Open Vulnerability and Assessment Language (OVAL) feed
Insights for Red Hat Enterprise Linux compares the set of system data to the collected errata and vulnerability metadata in order to generate a set of available updates for each system. These updates include package updates, Red Hat errata, and Common Vulnerabilities and Exposures (CVEs).
Additional resources
For more information about Common Vulnerabilities and Exposures (CVEs), refer to the following resources:
1.2. Reviewing and filtering applicable advisories and systems in the inventory
You can see all of the applicable advisories and installed packages for systems checking into Red Hat Insights for Red Hat Enterprise Linux.
Procedure
- On Red Hat Hybrid Cloud Console, navigate to Content > Advisories.
You can also search for advisories by name using the search box, and filter advisories by:
- Type - Security, Bugfix, Enhancement, Unknown
- Publish date - Last 7 days, 30 days, 90 days, Last year, or More than 1 year ago
- Navigate to Content > Patch > Systems to see a list of affected systems you can patch with applicable advisories. You can also search for specific systems using the search box.
- Navigate to Content > Packages to see a list of packages with updates available in your environment. You can also search for specific packages using the search box.
1.3. System patching using Insights remediation playbooks
The following steps demonstrate the patching workflow from the Content > Advisories page in Red Hat Insights for Red Hat Enterprise Linux:
Procedure
- On Red Hat Hybrid Cloud Console, navigate to Content > Advisories.
- Click the advisory you want to apply to affected systems. You will see a description of the advisory, a link to view packages and errata at access.redhat.com, and a list of affected systems. The total number of applicable advisories of each type (Security, Bugfix, Enhancement) against each system are also displayed.
- Select the system(s) for which you want to create a playbook, then click Remediate.
- You can choose to modify an existing Playbook or create a new one. Accordingly, select Existing Playbook and the playbook name from the drop-down list, then click Next. Or, select Create new Playbook and enter a name for your playbook, then click Next.
- On the left navigation, click on Remediations.
- Click on the playbook name to see the playbook details, or simply select and click Download playbook.
1.4. Enabling notifications and integrations
You can enable the notifications service on Red Hat Hybrid Cloud Console to send notifications whenever the patch service detects an issue and generates an advisory. Using the notifications service frees you from having to continually check the Red Hat Insights for Red Hat Enterprise Linux dashboard for advisories.
For example, you can configure the notifications service to automatically send an email message whenever the patch service generates an advisory.
Enabling the notifications service requires three main steps:
- First, an Organization Administrator creates a User Access group with the Notifications-administrator role, and then adds account members to the group.
- Next, a Notifications administrator sets up behavior groups for events in the notifications service. Behavior groups specify the delivery method for each notification. For example, a behavior group can specify whether email notifications are sent to all users, or just to Organization Administrators.
- Finally, users who receive email notifications from events must set their user preferences so that they receive individual emails for each event.
In addition to sending email messages, you can configure the notifications service to send event data using an authenticated client to query Red Hat Insights APIs.
Additional resources
- For more information about how to set up notifications for patch advisories, see Configuring notifications on the Red Hat Hybrid Cloud Console with FedRAMP.
