Red Hat SummitChapter 6. Executing remediation plans
After you create a remediation plan, you can download and run the generated playbook by using your organization’s Ansible Automation Platform (AAP) workflow, or you can execute the playbook on remote systems from the Red Hat Lightspeed application.
6.1. Ensure that your remediation plan is ready to run
When you create a remediation plan, you must ensure that the plan can successfully execute on your systems. Before a plan can execute successfully, it must meet the criteria for execution readiness in the Hybrid Cloud Console.
As a general rule, you can run smaller-scale remediation plans directly within Red Hat Lightspeed. Use Red Hat Lightspeed for rapid, targeted remediations.
A larger-scale remediation plan contains large numbers of systems or includes multiple complex remediation operations, or both. If a larger-scale plan cannot execute directly on Red Hat Lightspeed, you can download it to run with Ansible Automation Platform (AAP). AAP allows you to execute at scale with greater functionality designed specifically for enterprise-grade execution, such as advanced orchestration capabilities: scheduling, RBAC, and auditing features.
You can also download a larger-scale remediation plan and use a Red Hat Satellite integration to execute it. For more information about using a Satellite integration, see Creating an Insights remediation plan for hosts.
Additional resources
6.1.1. View execution readiness criteria
Execution readiness criteria are conditions that your remediation plan must meet before the plan is ready to execute. Before you execute a remediation plan, make sure that your plan meets the criteria.
A remediation plan must meet the following criteria before it can execute:
- You have the required user permissions to run the remediation plan on your systems.
- The remote host configuration manager is enabled.
- The rhc client is active on all systems.
- All systems are connected and visible in Red Hat Lightspeed inventory.
Remediation plans must fall within execution limits before they can be executed remotely using Red Hat Lightspeed. An execution limit is the threshold that determines whether a remediation plan can successfully execute on your systems. If a remediation plan falls outside execution limits, you cannot execute the plan within Red Hat Lightspeed. However, you can download the plan and run it manually with Red Hat Ansible Automation Platform (AAP) or with a Red Hat Satellite integration.
Prerequisites
- You are logged in to the Red Hat Hybrid Cloud Console.
- You have the required user permissions to run remediation plans on your system.
Procedure
- To view readiness criteria in the Red Hat Hybrid Cloud Console, navigate to Automation toolkit > Remediation plans.
Select the remediation plan that you want to view from the list. The details page for the plan displays.
The General tab shows details about your remediation plan, such as creation date and number of systems in the plan. The Execution Readiness Summary lists the readiness criteria for your plan, and whether or not the plan meets the criteria.
If your remediation plan meets the criteria, the summary shows checkmarks next to each of the criteria, and the status message shows Ready. The Execute button is available.
If your remediation plan does not meet readiness criteria, the Execute button is disabled and the status message Not ready (# errors) displays. (# errors) shows the number of Execution readiness steps that failed. If this happens, you must decide whether to modify the remediation plan to run with Red Hat Lightspeed, or to download the plan and execute it with AAP or a Satellite integration.
6.1.2. About action points
When you create a remediation plan, you can use action points to decide how and where to execute it. Red Hat Lightspeed uses a system of action points to calculate the relative complexity and performance impact of a remediation plan. Complex issues require a higher number of action points, and simpler issues require a lower number. Red Hat Lightspeed assigns a specific point value to each type of issue and calculates the plan’s total size against the platform’s performance capabilities.
Red Hat Lightspeed supports execution reliability for plans up to 100 systems and 1,000 action points. If the total number of systems and action points for your plan falls within these limits, you can run the plan directly on Red Hat Lightspeed.
If the plan exceeds those limits, the Execute button on the Remediation Plans page in the Red Hat Hybrid Cloud Console is disabled, and the Execution readiness summary shows how many systems and action points you must remove to execute the remediation plan within Red Hat Lightspeed. You must either remove systems and issues from the remediation plan to execute it within Red Hat Lightspeed, or download the plan and run it with Ansible Automation Platform (AAP) or with a Satellite integration.
6.1.3. Optimize the number of planned remediations
The Execution readiness summary shows the number of systems and action points in your remediation plan. If the number of remediations exceeds 100 systems and 1,000 action points, the summary shows how many systems and action points you must remove to execute the remediation plan within Red Hat Lightspeed.
If your plan falls slightly over the execution limits, you can remove individual systems or issues from the plan to make reductions in your planned remediation. Removing a single Advisor issue frees up 20 points, whereas you would need to remove 10 Patch issues to achieve the same reduction.
Use these guidelines to view the number of action points required to run your remediation plan:
- Advisor issues: 20 points for each issue (High complexity)
- Vulnerability issues: 20 points for each issue (High complexity)
- Compliance issues: 5 points for each issue (Medium complexity)
- Patch issues: 2 points for each issue (Low complexity)
For example, a plan containing 50 Patch issues would only total 100 points (50 x 2), which falls well within execution limits. However, a plan with 50 Advisor issues would total 1,000 points (50 x 20), reaching the maximum limit immediately. The plan with 50 Advisor issues would still run on Red Hat Lightspeed, but only if the number of systems is fewer than 100.
If your plan falls slightly over the limit of 1,000 action points, you can remove individual issues from the plan to make reductions in your planned remediation. Removing a single Advisor issue frees up 20 points, whereas you would need to remove 10 Patch issues to achieve the same reduction.
If your plan exceeds the limits by a significant number, you can download the plan and execute it with AAP without needing to first remove systems or reduce the number and type of issues that you want to fix.
6.2. Executing remediation plans from the Red Hat Lightspeed UI
You can execute the playbooks generated by your remediation plans from the Red Hat Lightspeed UI on the Red Hat Hybrid Cloud Console, if you have the required permissions and pass the readiness check.
Prerequisites
To pass the remediations execution readiness check, ensure the following prerequisites are met:
- You can log on to the Red Hat Hybrid Cloud Console.
- Your user account is a member of a User Access group with the Remediations administrator role, as outlined earlier in this section.
- You have completed the steps in Enabling host communication with Red Hat Lightspeed
- The option Allow permitted Red Hat Lightspeed users to execute remediation playbooks on rhc-connected systems is enabled on the Remote Host Configuration Manager page in the Red Hat Lightspeed UI.
You have the Organization Administrator or Remediations administrator role.
IMPORTANT:
- The Remediations user role does not have the required permissions to execute remediation plans on remote systems. The Remediations administrator role permits access to all remediations capabilities and enables you to discover whether your systems are connected.
- If you do not have the required permissions, the connection status for your system will be set to Unknown, even though you can connect to that system for other use cases in the console.
- The Remediations administrator role is not a default role. You must create the group and add yourself. For more information about User Access permissions, see Managing group access with roles and members.
- You have successfully completed the execution readiness check in the remediation plan in the Red Hat Lightspeed UI. You can find the readiness results in the Execution readiness section of the remediation plan details.
Procedure
- Navigate to Automation Toolkit > Remediation Plans.
- Scroll through the list and find a remediation plan.
- Click the name to open the Remediation plan details view.
Click Execute.
ImportantIf the Execute button is disabled, this means that the execution readiness check failed because one of the requirements was not met. To help you troubleshoot and complete the execution readiness check successfully, see Execution readiness check.
When prompted, click Execute playbook on systems. The playbook runs on the systems included in the remediation plan.
Note, that a remediation plan with a large number of actions to execute on many systems might take a while to complete.
Next steps
- To monitor the progress, go to the Execution History tab for the plan you just executed. The Execution History tab displays the status, history and links to the logs of a plan execution for each included system.
- When the remediation plan is successfully executed, find and open the recommendation or issue that your remediation plan addressed, and verify that the impacted systems you remediated are no longer in the list.
6.3. Executing remediations from the Satellite UI
You can also remediate using the Satellite UI.
Prerequisites
- You are a Cloud Administrator.
- You are a Remediations Administrator.
- You have completed Host registration by using the insights-client.
Procedure
To remediate a recommendation on RHEL systems managed by Red Hat Satellite, see Remediating issues based on Red Hat Lightspeed recommendations in the Satellite Managing hosts documentation.
ImportantWhen you introduce a new host into your Satellite inventory, by means of provisioning or registration, two automatic background tasks will initiate. It will take 24 hours for these tasks to complete. This is a typical time frame for the automatic synchronization.
If you identify security issues or another scenario that warrants not waiting 24 hours for the automatic sync, you can manually synchronize by clicking the sync button in the UI. This manual sync will complete in a few minutes.
- To view the procedures for enabling automatic and manual synchronization, see the Configuring Synchronization of Red Hat Lightspeed Recommendations for Hosts in the Satellite documentation.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}