Red Hat SummitChapter 1. Client tools and components
Red Hat Enterprise Linux (RHEL) client tools are a collection of utilities that you can use to connect, register, and manage RHEL systems. These tools, such as the insights-client, subscription-manager, and the remote host configuration client (rhc), facilitate system registration, entitlement management, and proactive remediation. By integrating RHEL and the correct User Access permissions for your needs with Red Hat Lightspeed and other Red Hat services, these clients streamline the deployment, troubleshooting, and optimization of your hybrid cloud environment.
1.1. Understanding the client tools and components
Before you register or manage your system, you should understand the client tools that are available. Red Hat Enterprise Linux (RHEL) includes several client tools:
- The rhc client
- The subscription-manager
- The insights-client
Learning the purpose of each tool helps you understand how they integrate to connect your RHEL system to Red Hat services. After learning about the clients and their components, make sure that you have the correct Hybrid Cloud Console User Access roles and permissions required for a successful connection. After you complete the steps, you can register your systems.
1.1.1. The rhc client
The rhc client is the recommended tool to register and manage your RHEL systems that are connected to the Red Hat Hybrid Cloud Console. Use the rhc client to register and connect systems directly to Red Hat services.
To register and connect systems with Red Hat Satellite or Capsule, see Red Hat Satellite product documentation.
The rhc client works in conjunction with insights-client and subscription-manager to offer a unified client experience including the registration of the system to Red Hat, and the configuration of feature levels and the remote management capabilities.
The remote host configuration service includes the following two main components:
- The rhc client remote host configuration client (a client-side daemon)
- The remote host configuration manager (a server-side service)
The remote host configuration (rhc) client enables the following capabilities:
- Easy registration. With the rhc client, you can register systems to Red Hat Subscription Management (RHSM) and Red Hat Lightspeed.
- Remediations and Tasks from Red Hat Lightspeed. When you connect systems to Red Hat Lightspeed with the rhc client, you can manage the end-to-end experience of finding and fixing issues. Registered systems can directly use tasks and remediation playbooks that are automatically generated from remediation plans and executed from within the Red Hat Lightspeed Automation Toolkit.
RHC client components and support. The rhc client is preinstalled and fully supported with all Red Hat Enterprise Linux (RHEL) 8.6 and later installations, with the exception of minimal installations. The rhc client consists of the following utility programs:
-
The
yggdrasil(rhcdon version RHEL 9 and earlier) daemon runs on the system and listens for messages from the Hybrid Cloud Console. On properly configured systems, theyggdrasildaemon can receive and execute playbooks that are generated by Red Hat Lightspeed remediation plans. -
The
rhccommand-line utility for RHEL.
Remote remediation using the remote host configuration manager. To enable or disable Red Hat Lightspeed remediation capabiliities for systems that connect using the rhc client and that are also running the yggdrasil daemon, use the remote host configuration manager.
You can access the remote host configuration manager, by logging in to the Red Hat Hybrid Cloud Console as a user with RHC user privileges. To make changes to settings in the remote host configuration manager, located at Red Hat Hybrid Cloud Console > Red Hat Lightspeed > Inventory > System Configuration > Remote Host Configuration (RHC), you need RHC administrator privileges.
1.1.2. The subscription-manager client
As an option, you can use the subscription-manager client to directly register your RHEL systems, but the available RHSM features will be limited with Red Hat Lightspeed. Registering with only the subscription-manager client will establish your system’s identity and provide access to the Red Hat Content Delivery Network (CDN) for updates and packages. For additional features provided by Red Hat Lightspeed, consider using the rhc client.
1.1.3. The insights-client
The insights-client is mainly responsible for collecting data for analytics provided by Red Hat Lightspeed. The insights-client relies on the subscription-manager client to establish the identity of the system.
The insights-client is available for the following releases of Red Hat Enterprise Linux (RHEL).
| RHEL release | Comments |
|---|---|
| RHEL 10 | Distributed with insights-client pre-installed. |
| RHEL 9 | Distributed with insights-client pre-installed. |
| RHEL 8 | Distributed with insights-client pre-installed, unless RHEL 8 was installed as a minimal installation. |
| RHEL 7 | Distributed with the insights-client RPM package loaded but not installed. |
Additional resources
1.2. Manage user permissions for Red Hat Lightspeed services
Manage user permissions to control access to Red Hat Lightspeed applications. Use the User Access feature to apply role-based access control (RBAC). Red Hat provides predefined groups and a set of predefined roles to make it easier for Organization Administrators to assign, restrict, and remove user permissions to Red Hat Lightspeed.
1.2.1. User Access overview
Understand how the role-based access control (RBAC) User Access feature of the Red Hat Hybrid Cloud Console manages user permissions through roles instead of individual user assignments. User Access simplifies permission management by assigning specific permissions to roles, which can then be assigned to user groups.
You can also create custom groups and roles to provide more fine-tuned control over specific features of Red Hat Lightspeed to suit the needs of your organization.
If you are an Organization Administrator, you can use the User Access feature under Identity & Access Management in the Hybrid Cloud Console to:
- Control user permissions and organize roles.
- Create groups that include roles and their corresponding permissions.
- Assign users to these groups, allowing them to inherit the permissions associated with their group’s roles.
1.2.2. Predefined groups in User Access
Understand the two predefined groups available in User Access: Default access and Default admin access. Create custom groups to align permissions with specific personas, job functions, or teams in your organization.
- The Default access group
- By default, the Default access group is assigned many granular predefined roles, such as Remediations viewer and Inventory Hosts viewer, so that group members have basic visibility. Because all users in your organization are members of the Default access group, they inherit all permissions assigned to that group. The Default access group is automatically updated by Red Hat.
If your Organization Administrator modifies the Default access group, for example, by removing roles to restrict access to specific applications or to use the consolidated roles, the group is automatically renamed to Custom default access. Once converted, this group is no longer automatically updated by Red Hat.
- The Default admin access group
- The Default admin access group contains only users who have Organization Administrator permissions. This group is automatically maintained, and users and roles in this group cannot be changed.
The Default admin access group includes many (but not all) predefined roles that provide update and delete permissions. The roles in this group usually include administrator in their names.
1.2.3. Predefined roles assigned to groups
Understand how predefined roles in Red Hat Hybrid Cloud Console bundle permissions across multiple Red Hat Lightspeed applications to align with common user personas. Use predefined roles to reduce administrative effort, or create custom roles for more fine-tuned control over specific features.
The predefined roles are a starting point to help you to control and manage user permissions. You can then use these roles to create custom roles that are tailored to your specific use cases and organization. For example, you can use the predefined granular roles to create custom roles that provide more fine-tuned control over specific features of Red Hat Lightspeed.
By default, Red Hat provides a set of consolidated roles and a set of granular roles in the Red Hat Hybrid Cloud Console User Access UI. The consolidated roles significantly reduce the administrative effort required to manage user permissions, while the granular roles provide more fine-tuned control over specific features of Red Hat Lightspeed.
You can use the predefined consolidated and granular roles in User Access simultaneously, but using consolidated roles can significantly reduce the administrative effort.
- Select from the predefined consolidated roles library
The Red Hat Hybrid Cloud Console provides three predefined, consolidated User Access roles to help you manage user permissions to Red Hat Lightspeed applications and services that run on registered Red Hat Enterprise Linux systems. These roles help simplify how the Organization Administrator creates groups and permissions for various levels of access to the Red Hat Lightspeed services. If you want to reduce the administrative effort required to manage user permissions and your use case aligns with the permissions included in these roles, select from the consolidated roles library.
The consolidated roles are as follows:
RHEL viewer: The RHEL viewer role provides users visibility without the ability to make changes. It allows read-only access to Red Hat Lightspeed. You can view system configurations, compliance reports, inventory data, patch information, vulnerabilities, and overall resource states and activities. The only action permitted with this role is to generate activation keys.
RHEL operator: The RHEL operator role allows active management of your Red Hat Lightspeed environment. With this role, you can edit system configurations, inventory details, policies, and notification/integration settings. The RHEL operator role allows many of the RHEL administrator role functions, but it is restricted from editing compliance policies, content source templates, policies, or tasks. In addition, the RHEL operator role cannot execute remediation plans.
RHEL administrator: The RHEL administrator role provides comprehensive administrative privileges across your RHEL systems and Red Hat Lightspeed. With this role, you can manage system configurations, inventory, compliance policies, notifications, patch management, remediations, malware detection, and advisor recommendations. The role can also view and modify all vulnerability settings.
ImportantTo use the consolidated roles effectively, you might need to remove the granular RHEL roles from the Default access group to prevent permission conflicts. This action automatically changes the name of the predefined Default access group to Custom default access group, after which, it is no longer automatically updated by Red Hat.
See Predefined User Access roles for a list of the roles included in the Default admin access group and a reference table that lists most of the predefined groups and roles that are available in the Red Hat Hybrid Cloud Console and the permissions included in each role.
- Granular roles
- The granular roles are specific roles for individual services that allow for fine-tuned control over specific features of Red Hat Lightspeed, for example, Inventory Hosts administrator or Compliance viewer. If you want to have more control over specific features of Red Hat Lightspeed and your use case does not align with the permissions included in the consolidated roles, use the granular predefined roles.
Across the Red Hat Lightspeed product documentation, the Prerequisites section for each procedure lists which predefined roles provide the permissions needed to use the features in that procedure. For example, if a procedure requires permissions to view and manage remediations, the Prerequisites section for that procedure lists the Remediations administrator or other valid role as a recommended predefined role to use for that procedure.
1.2.4. Check your permissions
Verify your current permissions and the roles or groups assigned to you in the Red Hat Hybrid Cloud Console. Check your permissions to troubleshoot access issues or understand your level of access to Red Hat Lightspeed applications.
Only users with the Organization Administrator role can view the permissions of other users in the User Access settings and manage user permissions to Red Hat Lightspeed services. For more information, see the Configure user permissions section.
Prerequisites
- You are logged in to the Red Hat Hybrid Cloud Console.
Procedure
- In the Hybrid Cloud Console, click the Settings icon (⚙), then navigate to My User Access.
- Optional: If you require additional permissions, use the Red Hat Hybrid Cloud Console Virtual Assistant to ask "Contact my Organization Administrator". The assistant sends an email to the Organization Administrator on your behalf.
Results
All of the applications that you have permissions to access are listed on this page and are grouped by product, for example, RHEL, OpenShift Container Platform, and Ansible Automation Platform.
You can also filter your permissions by application, for example, by advisor, cost management, inventory, and remediations.
1.2.5. Configure user permissions
If you are an Organization Administrator, you can view and manage user permissions for all users in your organization. Control access to Red Hat Lightspeed and other Red Hat Hybrid Cloud Console services through the User Access interface.
If you are not an Organization Administrator, you will be unable to complete this task. However, you can check your own permissions for different applications by navigating to My User Access. Contact your Organization Administrator to request more permissions.
Prerequisites
- You have logged in to the Red Hat Hybrid Cloud Console as an Organization Administrator, or you have the required administrator User Access role permissions.
Procedure
- In the Hybrid Cloud Console, click the Settings icon (⚙), then navigate to Identity & Access Management > User Access.
Results
From here, you can create and manage:
1.2.6. User Access roles for using the remote host configuration manager
Understand the predefined roles that control permissions to manage and remediate your RHEL systems remotely using the remote host configuration manager with Red Hat Lightspeed. Use these role definitions to assign appropriate permissions to users based on their responsibilities.
The following User Access roles enable standard or enhanced access to the remote host configuration manager in the Red Hat Hybrid Cloud Console:
| User Access role | Grants permissions to … | Included in the Default access group |
|---|---|---|
| RHC administrator |
| |
| RHC user |
| X |
| RHEL administrator |
| |
| RHEL operator |
Note The RHEL operator role is restricted from editing compliance policies, content source templates, policies, or tasks. Also, the RHEL operator role cannot execute remediation plans. | |
| RHEL viewer |
Note Cannot perform actions other than generating activation keys. |
See also the following information about the required User Access roles for remotely executing remediation plans in the Red Hat Hybrid Cloud Console:
1.3. Install the insights-client
The insights-client is automatically installed when you install a new RHEL system with the default settings. Certain types of RHEL deployments, such as minimal installation or RHEL instances deployed from pre-built images provided by the Red Hat Certified Cloud and Service Providers (CCSP), might not install the insights-client. Installation steps vary slightly depending on your RHEL version and installation type, either standard or minimal.
After you install the insights-client, register your system. Registering your system might require activation keys. For more information about registering systems and activation keys, see: Getting started with activation keys on the Hybrid Cloud Console.
1.3.1. Install the insights-client on an existing system managed by Red Hat Cloud Access
You can install insights-client on an existing Red Hat Enterprise Linux (RHEL) system connected to Red Hat Cloud Access to get automated system health checks and other services to find and fix problems before they cause problems with systems in your organization.
Additional resources
1.3.2. Install insights-client on an existing system managed by Red Hat Update Infrastructure
You can install the insights-client on an existing, cloud marketplace-purchased Red Hat Enterprise Linux system that is managed by Red Hat Update Infrastructure (RHUI) to get automated system health checks and other services to find and fix issues before they cause problems with systems in your organization.
Prerequisites
- Root-level access for the system.
Procedure
Enter the following command to install the current version of the insights-client package:
RHEL versions 6 and 7
[root@server ~]# yum install insights-clientRHEL version 8 and later
[root@server ~]# dnf install insights-clientVerification step
Run the following command to confirm successful installation of the insights-client:
[root@server ~]# insights-client --version
1.4. Client command-line interface and configuration interaction
The insights-client runs automatically based on its scheduler settings. By default, it runs every 24 hours. To run the client interactively, enter the insights-client command.
When you run insights-client, the following values and settings determine the results:
-
Values that you enter when you run
insights-clientfrom the command line temporarily override the preset configuration file settings and system environment settings. Any values that you enter for options in theinsights-clientcommand are used only for that instance of insights-client. -
Settings in the configuration file (
/etc/insights-client/insights-client.conf) override system environment settings. -
Values of any system environment variables (
printenv) are not affected by the commands entered on the command line or the client configuration files.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}