Chapter 1. Content patching overview
Patching leverages Red Hat software and management automation expertise to enable consistent patch workflows for Red Hat Enterprise Linux (RHEL) systems across the open hybrid cloud. It provides a single canonical view of applicable advisories across all of your deployments, whether they be Red Hat Satellite, hosted Red Hat Subscription Management (RHSM), or the public cloud.
Use content patching in Insights to
- see all of the applicable Red Hat and Extra Packages for Enterprise Linux (EPEL) advisories for your RHEL systems checking into Insights.
- patch any system with one or more advisories by using remediation plans.
- see package updates available for Red Hat and non-Red Hat repositories as of the last system checkin. Your host must be running Red Hat Enterprise Linux (RHEL) 7, RHEL 8.6+ or RHEL 9, and it must maintain a fresh yum/dnf cache.
- Configure role-based access control (RBAC) in Red Hat Hybrid Cloud Console > the Settings icon (⚙) > Identity & Access Management > User Access > Users.
- See User Access Configuration Guide for Role-based Access Control (RBAC) for more information about this feature and example use cases.
1.1. Criteria for patch and vulnerability errata
The content patching function collects a variety of data to create meaningful and actionable errata for your systems. The Insights client collects the following data on each checkin:
- List of installed packages, including name, epoch, version, release, and architecture (NEVRA)
- List of enabled modules (RHEL 8 and later)
- List of enabled repositories
- Output of yum updateinfo -C or dnf updateinfo -C
- Release version from systems with a version lock
- System architecture (for example, x86_64)
Additionally, Insights for Red Hat Enterprise Linux collects metadata from the following data sources:
- Product repositories delivered by the Red Hat Content Delivery Network (CDN)
- Extra Packages for Enterprise Linux (EPEL) repositories
- Common Security Advisory Framework (CSAF)
- Vulnerability Exploitability eXchange (VEX)
Insights for Red Hat Enterprise Linux compares the set of system data to the collected errata and vulnerability metadata in order to generate a set of available updates for each system. These updates include package updates, Red Hat errata, and Common Vulnerabilities and Exposures (CVEs).
Unlike the patch service, the vulnerability service supports only official Red Hat source repositories and does not support custom repositories. Insights vulnerability can find CVEs in local mirrors of official Red Hat repositories, but only if the original Red Hat designated name is preserved. If your infrastructure uses custom or renamed Red Hat local mirror repositories, CVEs or errata from those sources will not appear in the Insights vulnerability results.
Additional resources
For more information about Common Vulnerabilities and Exposures (CVEs), refer to the following resources:
1.2. Reviewing and filtering applicable advisories and systems in the inventory
You can see all of the applicable advisories and installed packages for systems checking into Red Hat Insights for Red Hat Enterprise Linux.
Procedure
- On Red Hat Hybrid Cloud Console, navigate to Content > Advisories.
You can also search for advisories by name using the search box, and filter advisories by:
- Type - Security, Bugfix, Enhancement, Unknown
- Publish date - Last 7 days, 30 days, 90 days, Last year, or More than 1 year ago
- Navigate to Content > Systems to see a list of affected systems you can patch with applicable advisories. You can also search for specific systems using the search box.
- Navigate to Content > Packages to see a list of packages with updates available in your environment. You can also search for specific packages using the search box.
1.3. System patching using Insights remediation plans
The following steps demonstrate the patching workflow from the Content > Advisories page in Red Hat Insights for Red Hat Enterprise Linux:
Procedure
- On Red Hat Hybrid Cloud Console, navigate to Content > Advisories.
- Click the advisory you want to apply to affected systems. You will see a description of the advisory, a link to view packages and errata at access.redhat.com, and a list of affected systems. The total number of applicable advisories of each type (Security, Bugfix, Enhancement) against each system is also displayed. As a bulk operation, you can click the options menu located next to a system, then click Apply all applicable advisories to patch the system with all applicable advisories at once.
- Alternatively, select the system(s) you want to patch with this particular advisory, then click Plan remediation.
- On the Remediate with Ansible page, you can choose to modify an existing Playbook or create a new one to remediate with Ansible. Accordingly, select Existing Playbook and the playbook name from the drop-down list, then click Next. Or, select Create new Playbook and enter a name for your playbook, then click Next.
- You will then see a summary of the action and resolution. If a reboot is required to fix the issue or risk, each system will be automatically rebooted. To disable automatic reboot, toggle the Auto-reboot button on the review summary panel.
- Click Submit.
- On the left navigation, click on Remediations.
- Click on the playbook name to see the playbook details, or simply select and click Download playbook.
The following steps demonstrate the patching workflow from the Content > Systems page:
- Click the Systems tab to see a list of affected systems. As a bulk operation, you can click the options menu located next to a system, then click Apply all applicable advisories to patch the system with all applicable advisories at once.
- Alternatively, click the system you want to patch. You will see the system details and a list of applicable advisories for remediation, along with additional details such as the advisory publish date, type, and synopsis. Select the advisories you want to apply to the system, then click Plan remediation.
- On the Remediate with Ansible page, you can either modify an existing Playbook or create a new one to remediate with Ansible. Accordingly, click Existing Playbook and select the playbook name from the drop-down list, then click Next. Or, click Create new Playbook, enter a name for your playbook, then click Next.
- You will then see a summary of the action and resolution.
Note: If a reboot is required to fix the issue or risk, all systems in the remediation plan will be automatically rebooted. If you prefer to reboot manually after the plan has been executed, toggle the Auto-reboot button accordingly.
- On the left navigation, click Automation Toolkit > Remediation Plans.
- Click on the playbook name to see the playbook details, or simply select and click Download playbook.
Important: Review and test the recommended actions and playbooks that are available before you deploy on your Red Hat Enterprise Linux systems. Red Hat is not responsible for any adverse outcomes related to Insights recommendations or remediation plans.
1.4. Updating errata for systems managed by Red Hat Satellite
Insights for Red Hat Enterprise Linux calculates applicable updates based on the packages, repositories, and modules that a system reports when it checks in. Insights combines these results with a client-side evaluation, and stores the resulting superset of updates as applicable updates.
A system check-in to Red Hat Insights includes the following content-related data:
- Installed packages
- Enabled repositories
- Enabled modules
- List of updates, which the client determines using the dnf updateinfo -C command. This command primarily captures package updates for non-Red Hat repositories.
Insights uses this collection of data to calculate applicable updates for the system.
Sometimes Insights calculates applicable updates for systems managed by Red Hat Satellite and reports inaccurate results. This issue can manifest in two ways:
- Insights shows installable updates that cannot be installed on the Satellite-managed system.
- Insights shows applicable updates that match what can be installed on the system immediately after patching, but shows outdated or missing updates a day or two later. This can occur when the system is subscribed to RHEL repositories that have been renamed.
Insights now provides an optional check-in command to provide accurate reporting for applicable updates on Satellite-managed systems. This option rebuilds the yum/dnf package caches and creates a refreshed list of applicable updates for the system.
Satellite-managed systems are not eligible to have Red Hat Insights content templates applied.
Prerequisites
- Admin-level access to the system
Procedure
To rebuild the package caches from the command line, enter the following command:
# insights-client --build-packagecache
The command regenerates the dnf/yum caches and collects the relevant installable errata from Satellite. insights-client then generates a refreshed list of updates and sends it to Insights.
The generated list of updates is equivalent to the output from the command dnf updateinfo list.
1.4.1. Configuring automatic check-in for insights-client
You can edit the insights-client configuration file on your system (/etc/insights-client/insights-client.conf) to rebuild the package caches automatically each time the system checks in to Insights.
Procedure
- Open the /etc/insights-client/insights-client.conf file in a text editor. Look in the file for the following comment:
#Set build_packagecache=True to refresh the yum/dnf cache during the insights-client check-in
Add the following line after the comment:
build_packagecache=True
- Save your edits and exit the editor.
When the system next checks in to Satellite, insights-client executes a yum/dnf cache refresh before collecting the output of the client-side evaluation. Insights then reports the client-side evaluation output as installable updates. The evaluation output, based on what has been published to the CDN, is reported as applicable updates.
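The edit above can be made repeatably across a fleet. The following shell function, added here as an example and not part of the Red Hat documentation or the insights-client package, enables build_packagecache in a configuration file given as a parameter without duplicating the line on repeated runs; it assumes GNU sed (as shipped with RHEL).

```shell
#!/bin/sh
# Added example (not from the Red Hat docs): idempotently set
# build_packagecache=True in an insights-client.conf file.
# Usage: enable_build_packagecache /etc/insights-client/insights-client.conf
# The path is a parameter so the function can be tried on a copy first.

enable_build_packagecache() {
    conf="$1"
    [ -f "$conf" ] || { echo "missing: $conf" >&2; return 1; }
    # Already enabled: nothing to do (value compared case-insensitively).
    if grep -Eiq '^[[:space:]]*build_packagecache[[:space:]]*=[[:space:]]*true[[:space:]]*$' "$conf"; then
        return 0
    fi
    # An explicit but different value exists: rewrite that line in place.
    if grep -Eq '^[[:space:]]*build_packagecache[[:space:]]*=' "$conf"; then
        sed -i -E 's/^[[:space:]]*build_packagecache[[:space:]]*=.*$/build_packagecache=True/' "$conf"
        return 0
    fi
    # Otherwise insert directly after the comment the documentation points to,
    # or append at the end if that comment is absent.
    if grep -q '^#Set build_packagecache=True' "$conf"; then
        sed -i '/^#Set build_packagecache=True/a build_packagecache=True' "$conf"
    else
        printf 'build_packagecache=True\n' >> "$conf"
    fi
}

# Print the effective value (last assignment wins) so the change can be verified.
get_build_packagecache() {
    grep -E '^[[:space:]]*build_packagecache[[:space:]]*=' "$1" | tail -n 1 | sed -E 's/^[^=]*=[[:space:]]*//'
}
```

Run get_build_packagecache on the file afterwards to confirm the value before the next scheduled check-in.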
Additional resources
- For more information about the --build-packagecache options, see the following KCS article: https://access.redhat.com/solutions/7041171
- For more information about managing errata in Red Hat Satellite, see https://access.redhat.com/documentation/en-us/red_hat_satellite/6.15/html/managing_content/managing_errata_content-management.
1.5. Enabling notifications and integrations
You can enable the notifications service on Red Hat Hybrid Cloud Console to send notifications whenever the patch service detects an issue and generates an advisory. Using the notifications service frees you from having to continually check the Red Hat Insights for Red Hat Enterprise Linux dashboard for advisories.
For example, you can configure the notifications service to automatically send an email message whenever the patch service generates an advisory.
For the patch service, the notification service generates notifications only about updates for the registered Red Hat Enterprise Linux systems. If you want to receive notifications about all updates for every subscription that you have, configure the notifications service for errata events.
Enabling the notifications service requires three main steps:
- First, an Organization Administrator creates a User Access group with the Notifications administrator role, and then adds account members to the group.
- Next, a Notifications administrator sets up behavior groups for events in the notifications service. Behavior groups specify the delivery method for each notification. For example, a behavior group can specify whether email notifications are sent to all users, or just to Organization Administrators.
- Finally, users who receive email notifications from events must set their user preferences so that they receive individual emails for each event.
In addition to sending email messages, you can configure the notifications service to send event data in other ways:
- Using an authenticated client to query Red Hat Insights APIs for event data
- Using webhooks to send events to third-party applications that accept inbound requests
- Integrating notifications with applications such as Splunk to route patch advisories to the application dashboard
1.6. User Access settings in the Red Hat Hybrid Cloud Console
User Access is the Red Hat implementation of role-based access control (RBAC). Your Organization Administrator uses User Access to configure what users can see and do on the Red Hat Hybrid Cloud Console (the console):
- Control user access by organizing roles instead of assigning permissions individually to users.
- Create groups that include roles and their corresponding permissions.
- Assign users to these groups, allowing them to inherit the permissions associated with their group’s roles.
1.6.1. Predefined User Access groups and roles
To make groups and roles easier to manage, Red Hat provides two predefined groups and a set of predefined roles:
Predefined groups
The Default access group contains all users in your organization. Many predefined roles are assigned to this group. It is automatically updated by Red Hat.
Note: If the Organization Administrator makes changes to the Default access group, its name changes to Custom default access group and it is no longer updated by Red Hat.
The Default admin access group contains only users who have Organization Administrator permissions. This group is automatically maintained and users and roles in this group cannot be changed.
On the Hybrid Cloud Console, navigate to Red Hat Hybrid Cloud Console > the Settings icon (⚙) > Identity & Access Management > User Access > Groups to see the current groups in your account. This view is limited to the Organization Administrator.
Predefined roles assigned to groups
The Default access group contains many of the predefined roles. Because all users in your organization are members of the Default access group, they inherit all permissions assigned to that group.
The Default admin access group includes many (but not all) predefined roles that provide update and delete permissions. The roles in this group usually include administrator in their name.
On the Hybrid Cloud Console, navigate to Red Hat Hybrid Cloud Console > the Settings icon (⚙) > Identity & Access Management > User Access > Roles to see the current roles in your account. You can see how many groups each role is assigned to. This view is limited to the Organization Administrator.
1.6.2. Access permissions
The Prerequisites for each procedure list which predefined role provides the permissions you must have. As a user, you can navigate to Red Hat Hybrid Cloud Console > the Settings icon (⚙) > My User Access to view the roles and application permissions that you currently inherit.
If you try to access Insights for Red Hat Enterprise Linux features and see a message that you do not have permission to perform this action, you must obtain additional permissions. The Organization Administrator or the User Access administrator for your organization configures those permissions.
Use the Red Hat Hybrid Cloud Console Virtual Assistant to ask "Contact my Organization Administrator". The assistant sends an email to the Organization Administrator on your behalf.
Additional resources
For more information about user access and permissions, see User Access Configuration Guide for Role-based Access Control (RBAC).
1.6.3. User Access roles for system content templates and patch updates
The following roles enable standard or enhanced access to content template features in Insights for Red Hat Enterprise Linux:
- Content Template viewer. Read any content template resource.
- Content Template administrator. Perform any available operation on any content template resource.