Release notes

Compliance remediation wizard

Previously, you had to remediate OpenSCAP compliance failures by manually creating a remote execution job to apply remediation scripts or snippets. With this update, Satellite web UI provides a compliance remediation wizard that you can use to remediate OpenSCAP compliance failures. For more information, see Remediating compliance failures in Managing Security Compliance.

Manifest expiration warnings and extension of expiration date

Users are now notified in the web UI before their subscription manifest expires. The number of days of notice is determined by the expire_soon_days setting.

satellite-maintain update command for minor releases

The`satellite-maintain update`command replaces satellite-maintain upgrade with --target-version for updating minor (z-stream) versions. As the upgrade command is now dedicated to major upgrades, the --target-version parameter has been removed.

Puppet Server updated to version 8

Puppet Server 8 is now included in Satellite. Existing clients with Puppet agent 7 will continue to work against Puppet Server 8.

Upgrading to Satellite 6.16 also upgrades to PostgreSQL 13

When you upgrade your Satellite Server 6.15 to version 6.16, the PostgreSQL database on the system is upgraded from version 12 to version 13. During the upgrade, a backup of the PostgreSQL data is created in the /var/lib/pgsql/data-old/ directory. You can safely remove this directory after the upgrade completes.

SCRAM hashing for PostgreSQL passwords

PostgreSQL 13 uses SCRAM hashing for passwords. The installer updates existing user passwords to SCRAM hashing. You can view the existing users and their password hashes by running the following command:

Content repair command for Capsule

To repair all content on Capsule, run the following command:

Publishing content views during repository synchronization is blocked to prevent incorrect metadata

An error message is displayed if you try to publish a content view while a child repository is performing one of the following actions:

Containers can now be pushed to Satellite’s container registry

Each pushed container repository path must include the organization, product, and repository name. Example: podman push <image> satellite.example.com/organization/product/repository.

Command for container label migration

The container image API now shows manifest labels, annotations, and if the manifest represents bootable or flatpak content. Satellite performs a pre-migration in the background after the upgrade to make this data available.

Provisioning templates for reconfiguring a self-signed CA certificate on hosts

Satellite now provides public provisioning templates. You can use the templates to refresh your self-signed CA certificate on hosts when you renew the CA certificate on Satellite Server. You can use the following public provisioning templates:

Job templates for running remote scripts on hosts

Satellite now provides job templates that you can use to download a script from a URL and execute the script on a host. You can use one of the following REX templates to run a script from an URL:

Root passwords are hashed by using SHA512

Satellite now uses the SHA512 algorithm to hash the root passwords of operating systems by default. The new default is only applied to new operating system entries. If you want to use the SHA512 algorithm in your existing operating systems, you have to change the algorithm manually and reprovision your hosts.

Improved RHEL 9 network configuration in Kickstart provisioning templates

Previously, Satellite created ifcfg files in the Finish template to configure host network interfaces. In RHEL 9, the ifcfg files have been replaced with key files. For more information, see RHEL 9 networking: Say goodbye to ifcfg-files, and hello to keyfiles.

rhsm command registers RHEL 9 hosts to Satellite and enables Insights

Previously, you registered RHEL hosts to Satellite in the redhat_register snippet and enabled Insights in the insights snippet. With this release, you can use the kickstart_rhsm snippet to register RHEL 9 hosts to Satellite and, optionally, enable Insights.. This snippet uses the rhsm command, which is part of Anaconda Kickstart native syntax. As a result, the number of required transactions is reduced to make the host configuration more robust. The workflow does not change for you. The new snippet accepts the same host parameters.

timesource configures NTP server when provisioning RHEL 9 hosts

Previously, the Kickstart default provisioning template used the single timezone Kickstart command to configure both the time zone and NTP server. With this release, the NTP configuration is split into two Kickstart commands, timezone and timesource, to incorporate the new RHEL 9 Kickstart syntax.

Updated syntax for Anaconda options when provisioning RHEL 8 hosts

Previously, the kickstart_kernel_options provisioning snippet used deprecated legacy syntax for Anaconda options when provisioning RHEL 8 hosts. With this release, the snippet uses the current syntax for Anaconda options. As a result, provisioning RHEL 8 hosts does not produce that warning.

use-ntp installs chrony when provisioning RHEL 7 hosts

Previously, the use-ntp parameter installed the ntpdate package to configure an NTP client on RHEL 7 hosts. With this release, the Kickstart default provisioning template and ntp snippet install the chrony suite on RHEL 7 hosts. As a result, time synchronization is more accurate and robust.

Improved customization of host registration

The Global Registration template can now include user-defined snippets before_registration and after_registration. You can create these snippets to add custom commands to registration without editing the original template.

VMware vCenter Server 8 support

You can now provision virtual machines by using a VMware compute resource with vCenter Server 8.

Improved error message for missing VMware datastore

Previously, when you attempted to provision a host on a VMware datastore cluster by using the API, it might fail with an ambiguous InvalidDatastorePath error. With this release, the API produces a specific ArgumentError with a descriptive message when the datastore is missing. As a result, you can easily debug the problem.

Provisioning supports NVMe

Previously, you could only provision VMware machines with SCSI controllers. With this release, you can provision VMware machines with non-volatile memory express (NVMe) storage options. As a result, your virtual machines can access data faster and you have more flexibility for storage solutions.

SCSI storage connection for VMware ESXi Quick Boot enabled by default

Previously, when performing a VMware ESXi Quick Boot with GRUB2 chainloading, you had to enable the connectefi scsi command in the pxegrub2_chainload snippet and the provisioning templates in which it is included. With this release, the command is enabled by default and you can disable it with the grub2-connectefi host parameter. As a result, you do not have to edit the provisioning templates to enable the feature. For more information, see the snippet.

Active Directory login with user name only

Active Directory (AD) users can now log in to the web UI or use the kinit utility by entering only a user name without specifying a domain. You can set a default AD domain name by using the foreman-ipa-sssd-default-realm option in the satellite-installer utility.

New Hammer subcommands and options

The following Hammer command has been added:

New API endpoints

The following API endpoints have been added:

OVAL-only contents and policies

Management of the Open Vulnerability and Assessment Language (OVAL) contents and policies, which were provided as Technology Previews, are no longer available. If you used an OVAL policy on your clients, you must reconfigure them.

Entitlement-based subscription management

Entitlement-based subscription management has been removed. You must use Simple Content Access, which simplifies the entitlement experience for administrators. For more information, see the Subscription Management Administration Guide for Red Hat Enterprise Linux on the Red Hat Customer Portal.

Telemetry disablement in Convert2RHEL job templates

You cannot disable telemetry when you use the Convert2RHEL utility.

foreman_hooks plugin

The foreman_hooks plugin has been removed. You must use the foreman_webhooks plugin instead.

Snapshot backup

satellite-maintain no longer supports snapshot backups. You must use online backups instead.

Removed Hammer commands and options

The following Hammer command has been removed:

Removed API endpoints and routes

The following API endpoints have been removed:

Package Group Actions

Package Group Actions in the web UI was deprecated in 6.10.

Capsule port 8443

Port 8443 on Capsules is deprecated in 6.16. This port is disabled by default on new installations and upgrades.

Overriding organizations and locations on the filter level

The ability for a filter to override organizations and locations associated with a role is deprecated in 6.16. When the functionality is removed, filters will honor the organizations and locations set at the role level.

Asynchronous SSH remote execution mode

The async-ssh remote execution mode was deprecated in 6.13. If you have unstable connectivity between Capsules and managed hosts, use the pull mode instead. For more information about pull mode, see Transport Modes for Remote Execution in Managing hosts.

Provisioning on Red Hat Virtualization

The integration of Red Hat Virtualization (RHV) with Satellite was deprecated in 6.13. All the existing compute resources of RHV type will be removed and the hosts associated with RHV will be disconnected.

Bootstrap.py

The bootstrap.py script used to register a host to Satellite or Capsule was deprecated in 6.9. It has been replaced by the curl command created with the global registration template.

katello-ca-consumer package and katello-rhsm-consumer script

The katello-ca-consumer package and katello-rhsm-consumer script were deprecated in 6.9. You must use the global registration template to register a host.

hammer host subscription attach and hammer host subscription auto-attach commands

The hammer host subscription attach and hammer host subscription auto-attach commands are deprecated in 6.16. The commands are non-functional and do not result in attaching a subscription.

Unable to specify a custom organization label in the Satellite web UI

When creating a new organization in the Satellite web UI, the field to specify a custom label for the organization is missing. Each time you create a new organization from the Satellite web UI, Satellite creates a default label which mirrors the organization name. For example, if you create an organization named New Organization, Satellite creates a label named New_Organization. Note that you cannot change the label after it is created.

Unable to upload an OpenSCAP report from hosts that run RHEL 9.3 or earlier with FIPS mode enabled

On Satellite hosts that run RHEL 9.3 or earlier with FIPS mode enabled, uploading an OpenSCAP report fails with the following error:

Repositories listed but not active

The Red Hat Repositories page lists the Red Hat Satellite 6 Client 2 repositories as recommended repositories, but these repositories are not active yet. Continue using Red Hat Satellite Client 6 repositories.

Organization deletion fails

If there are container push repositories among the organization’s products, then organization deletion fails. To work around this problem, delete the container push repositories before deleting the organization.

Concurrently synchronizing many large repositories to a Capsule might cause core dumps for the pulpcore-api

The pulpcore-api might experience core dumps when multiple large repositories are synchronized to a Capsule concurrently. When this problem occurs, the following error message is displayed in /var/log/messages: capsule systemd-coredump[16056]: Process 9867 (pulpcore-api) of user 988 dumped core. The synchronization completes successfully despite the errors.

Newly created filters do not inherit organizations and locations associated with the role

When an organization and location are defined for a role, these organizations and locations are not propagated to the filters created within the role. Consequently, users with a role assigned can access resources in any other organization or location that they have sufficient permissions to view instead of only organizations and locations defined for the role.

Web UI displays short names of hosts consistently

Previously, some pages in the Satellite web UI displayed names of hosts as FQDNs even when Display FQDN for hosts was disabled. With this release, the Display FQDN for hosts setting is applied consistently.

Suggest New link for IPv4 addresses exhausted Infobox DHCP pool

Satellite suggests new IPv4 addresses in subnets with DHCP when creating or editing hosts in the UI via the Suggest New link or via the /api/subnets/:id/freeip API endpoint. Previously, when using the Infoblox DHCP provider, it would stop suggesting addresses after some time. This was because the suggestions did not expire after a period of time causing the pool of available IP addresses to be used up. With this release, the issue is now fixed.

Libvirt VM details with any volume type can be accessed in the web UI

Previously, when you manually created a virtual machine with a volume type other than file in Libvirt and then attempted to access the details of the virtual machine in the web UI, Satellite produced an ambiguous error. The loading of volumes in the Libvirt compute resource has been fixed. As a result, you can access details of your virtual machines with volumes of any type in the web UI.

Host details display all overridden Ansible variables

Previously, when you accessed the list of Ansible variables in Host details, Satellite displayed only the first page of Ansible variables and pagination controls were missing. The Satellite web UI has been fixed to provide pagination controls and follow the Entries per page setting. As a result, you can browse all Ansible variables that you have overridden for Ansible roles assigned to your host.

Ansible jobs use passwords from Advanced fields correctly

Previously, the Ansible provider for remote execution ignored the following Advanced fields inputs from the job wizard:

Ansible jobs use the SSH User field from Advanced fields

Previously, the Ansible provider for remote execution ignored the SSH User field of the Advanced fields inputs from the job wizard. The foreman_ansible component has been fixed to use the value of SSH User as the Ansible user. As a result, the Ansible provider uses this value correctly.

Uploading an OpenSCAP report no longer fails on hosts that run RHEL 9.4 or later with FIPS mode enabled

On Satellite hosts that run RHEL 9 in FIPS mode, uploading an OpenSCAP report previously failed with the following error:

Checksum set value has changed

The supported --checksum-type set of sha1 and sha256 for repositories has changed to sha256, sha384 and sha512. The checksum sha1 is no longer secure and modern systems such as Red Hat Enterprise Linux 6 and up support file checksums greater than sha1. Synchronizing sha1 content is still possible but content published in repositories by Satellite will now use sha256, sha384, or sha512. The default checksum is now sha256 and not sha1.

Host owner set correctly during registration

Previously, when you registered a host, Satellite set the host owner to Anonymous Admin. With this release, Satellite sets the host owner to the user who generated the registration command.

Satellite uses the Default location subscribed hosts setting as the default location for registered hosts

Previously, if you did not specify the location to which you were registering the host, Satellite ignored the Default location subscribed hosts setting. With this fix, Satellite uses the value of that setting as the default location.

CloudInit default no longer generates invalid YAML output

Previously, when you generated the CloudInit default provisioning template, the YAML output was incorrectly indented. The incorrect indentation caused the output to be invalid. The subscription_manager_setup snippet has been fixed to produce correct indentation. As a result, the generated YAML output is valid.

Path to Red Hat Image Builder image renders correctly

Previously, when you provisioned a host by using a Red Hat Image Builder image and provided a relative path to the image in the kickstart_liveimg parameter, the Kickstart default provisioning template failed to render. The Katello component has been fixed to render the absolute path of the image correctly. As a result, the Kickstart default template renders successfully and you can provision hosts by using the image.

Discovery image updated with the latest RHEL 8

Previously, the Foreman Discovery image was based on Red Hat Enterprise Linux 8.6, which was limiting discovery of systems that require a later RHEL version. The Foreman Discovery image has been updated with the Red Hat Enterprise Linux 8.10.0 base. As a result, you can discover newer systems.

The certificate .tar file is now collected when using satellite-maintain backup on Capsule Server

Previously, the satellite-maintain backup command did not collect the certificate .tar file of the Capsule Server when creating a backup. As a consequence, restoring the archive failed. With this update, restoring the archive completes successfully in this situation.

All Hosts page

The new All Hosts page has the following features:

Job details page

The Job details page is redesigned for enhanced user experience.

OpenShift Virtualization plugin

You can provision virtual machines by using the OpenShift Virtualization plugin.

Kernel execution template

You can use the kernel execution (kexec) provisioning template for PXE-less boot methods.