Chapter 2. New features

Compliance remediation wizard

Previously, you had to remediate OpenSCAP compliance failures by manually creating a remote execution job to apply remediation scripts or snippets. With this update, Satellite web UI provides a compliance remediation wizard that you can use to remediate OpenSCAP compliance failures. For more information, see Remediating compliance failures in Managing Security Compliance.

Manifest expiration warnings and extension of expiration date

Users are now notified in the web UI before their subscription manifest expires. The number of days of notice is determined by the expire_soon_days setting.

satellite-maintain update command for minor releases

The`satellite-maintain update`command replaces satellite-maintain upgrade with --target-version for updating minor (z-stream) versions. As the upgrade command is now dedicated to major upgrades, the --target-version parameter has been removed.

Puppet Server updated to version 8

Puppet Server 8 is now included in Satellite. Existing clients with Puppet agent 7 will continue to work against Puppet Server 8.

Upgrading to Satellite 6.16 also upgrades to PostgreSQL 13

When you upgrade your Satellite Server 6.15 to version 6.16, the PostgreSQL database on the system is upgraded from version 12 to version 13. During the upgrade, a backup of the PostgreSQL data is created in the /var/lib/pgsql/data-old/ directory. You can safely remove this directory after the upgrade completes.

SCRAM hashing for PostgreSQL passwords

PostgreSQL 13 uses SCRAM hashing for passwords. The installer updates existing user passwords to SCRAM hashing. You can view the existing users and their password hashes by running the following command:

Content repair command for Capsule

To repair all content on Capsule, run the following command:

Publishing content views during repository synchronization is blocked to prevent incorrect metadata

An error message is displayed if you try to publish a content view while a child repository is performing one of the following actions:

Containers can now be pushed to Satellite’s container registry

Each pushed container repository path must include the organization, product, and repository name. Example: podman push <image> satellite.example.com/organization/product/repository.

Command for container label migration

The container image API now shows manifest labels, annotations, and if the manifest represents bootable or flatpak content. Satellite performs a pre-migration in the background after the upgrade to make this data available.

Provisioning templates for reconfiguring a self-signed CA certificate on hosts

Satellite now provides public provisioning templates. You can use the templates to refresh your self-signed CA certificate on hosts when you renew the CA certificate on Satellite Server. You can use the following public provisioning templates:

Job templates for running remote scripts on hosts

Satellite now provides job templates that you can use to download a script from a URL and execute the script on a host. You can use one of the following REX templates to run a script from an URL:

Root passwords are hashed by using SHA512

Satellite now uses the SHA512 algorithm to hash the root passwords of operating systems by default. The new default is only applied to new operating system entries. If you want to use the SHA512 algorithm in your existing operating systems, you have to change the algorithm manually and reprovision your hosts.

Improved RHEL 9 network configuration in Kickstart provisioning templates

Previously, Satellite created ifcfg files in the Finish template to configure host network interfaces. In RHEL 9, the ifcfg files have been replaced with key files. For more information, see RHEL 9 networking: Say goodbye to ifcfg-files, and hello to keyfiles.

rhsm command registers RHEL 9 hosts to Satellite and enables Insights

Previously, you registered RHEL hosts to Satellite in the redhat_register snippet and enabled Insights in the insights snippet. With this release, you can use the kickstart_rhsm snippet to register RHEL 9 hosts to Satellite and, optionally, enable Insights.. This snippet uses the rhsm command, which is part of Anaconda Kickstart native syntax. As a result, the number of required transactions is reduced to make the host configuration more robust. The workflow does not change for you. The new snippet accepts the same host parameters.

timesource configures NTP server when provisioning RHEL 9 hosts

Previously, the Kickstart default provisioning template used the single timezone Kickstart command to configure both the time zone and NTP server. With this release, the NTP configuration is split into two Kickstart commands, timezone and timesource, to incorporate the new RHEL 9 Kickstart syntax.

Updated syntax for Anaconda options when provisioning RHEL 8 hosts

Previously, the kickstart_kernel_options provisioning snippet used deprecated legacy syntax for Anaconda options when provisioning RHEL 8 hosts. With this release, the snippet uses the current syntax for Anaconda options. As a result, provisioning RHEL 8 hosts does not produce that warning.

use-ntp installs chrony when provisioning RHEL 7 hosts

Previously, the use-ntp parameter installed the ntpdate package to configure an NTP client on RHEL 7 hosts. With this release, the Kickstart default provisioning template and ntp snippet install the chrony suite on RHEL 7 hosts. As a result, time synchronization is more accurate and robust.

Improved customization of host registration

The Global Registration template can now include user-defined snippets before_registration and after_registration. You can create these snippets to add custom commands to registration without editing the original template.

VMware vCenter Server 8 support

You can now provision virtual machines by using a VMware compute resource with vCenter Server 8.

Improved error message for missing VMware datastore

Previously, when you attempted to provision a host on a VMware datastore cluster by using the API, it might fail with an ambiguous InvalidDatastorePath error. With this release, the API produces a specific ArgumentError with a descriptive message when the datastore is missing. As a result, you can easily debug the problem.

Provisioning supports NVMe

Previously, you could only provision VMware machines with SCSI controllers. With this release, you can provision VMware machines with non-volatile memory express (NVMe) storage options. As a result, your virtual machines can access data faster and you have more flexibility for storage solutions.

SCSI storage connection for VMware ESXi Quick Boot enabled by default

Previously, when performing a VMware ESXi Quick Boot with GRUB2 chainloading, you had to enable the connectefi scsi command in the pxegrub2_chainload snippet and the provisioning templates in which it is included. With this release, the command is enabled by default and you can disable it with the grub2-connectefi host parameter. As a result, you do not have to edit the provisioning templates to enable the feature. For more information, see the snippet.

Active Directory login with user name only

Active Directory (AD) users can now log in to the web UI or use the kinit utility by entering only a user name without specifying a domain. You can set a default AD domain name by using the foreman-ipa-sssd-default-realm option in the satellite-installer utility.

New Hammer subcommands and options

The following Hammer command has been added:

New API endpoints

The following API endpoints have been added: