Red Hat SummitRelease notes
New features, deprecated and removed features, Technology Previews, known issues, and bug fixes
Abstract
Chapter 1. Overview
Release notes include links to the original tickets. Private tickets have no links and instead feature the following footnote[1].
1.1. Advisories
You can view all advisories, including security and bug fixes, for major and minor versions of this release on the Red Hat Customer Portal.
1.2. Major changes in Red Hat Satellite 6.18
Red Hat Satellite 6.18 introduces the following major changes:
- Red Hat Lightspeed advisor in Satellite is fully supported (SAT-30364).
- Flatpak content receives enhanced support (SAT-33259, SAT-29736).
- Rolling content views are available as a convenient method for providing the latest content (SAT-28495).
- Model Context Protocol (MCP) server for Satellite is available as a Technology Preview (SAT-35530).
- The Red Hat Lightspeed vulnerability service in Satellite is available as a Technology Preview (SAT-30762).
- Multiple documentation enhancements are available (Documentation).
1.3. Red Hat Satellite
With Red Hat Satellite, you can deploy, configure, and maintain your systems across physical, virtual, and cloud environments. Red Hat Satellite provides provisioning, remote management and monitoring of multiple Red Hat Enterprise Linux deployments with a single, centralized tool.
- Red Hat Satellite Server synchronizes content from the Red Hat Customer Portal and other sources. It provides detailed lifecycle management, user and group role-based access control, integrated subscription management, and advanced GUI, CLI, and API access.
- Red Hat Satellite Capsule Server mirrors content from the Red Hat Satellite Server and distributes it to different geographical locations. Host systems pull content and configurations from the Capsule Server in their location instead of the central Satellite Server. The Capsule Server also provides localized services such as Puppet server, DHCP, DNS, or TFTP, assisting in scaling Red Hat Satellite as the number of managed systems in your environment grows.
1.4. Red Hat Customer Portal Labs
Red Hat Customer Portal Labs provide applications to improve performance, troubleshoot issues, identify security problems, and quickly deploy and configure complex applications.
The following applications are available for Red Hat Satellite:
1.5. Additional resources
- Red Hat Satellite product life cycle describes the time period for each major version and its level of maintenance.
- Satellite 6 component versions describes upstream core components, Foreman plugins, and integrated projects.
- Overview, concepts, and deployment considerations describes Red Hat Satellite concepts, components, tools, and deployment planning.
- Supported usage and versions of Satellite components in Overview, concepts, and deployment considerations describes supported client architectures for content management, host provisioning, and configuration management.
Chapter 2. New features
This section describes new features and major enhancements introduced in Red Hat Satellite 6.18.
2.1. Host provisioning and management
Discovery image updated with RHEL 9.6.0
With this update, the Discovery image is based on Red Hat Enterprise Linux 9.6.0.
Ansible check mode in Ansible job templates
With this update, you can enable Ansible check mode per job, instead of per host, in Ansible job templates. This streamlines workflows, improves flexibility, and reduces manual configuration, allowing validation of changes before application.
Satellite validates snippets in provisioning templates
With this update, a validation check validates all provisioning templates, including all snippets during host build submission. As a result, Satellite validates templates before submission, preventing errors during provisioning.
Satellite server accepts additional key algorithms for ISC DHCP
Satellite uses the Object Management Application Programming Interface (OMAPI) protocol when connecting to ISC DHCP. With this update, you can configure the hash-based message authentication code (HMAC) algorithm used in the connection. As a result, you can use more secure algorithms than before this update, including algorithms that are compatible with the Federal Information Processing Standards (FIPS) if your Satellite server connects to ISC DHCP.
http_proxy encrypts URL credentials
With this update, URL-embedded credentials, for example, https://user:password@proxy.example.com, are automatically encrypted in the http_proxy setting. By preventing the exposure of sensitive authentication information in plain text, this update enhances security and prevents credential exposure while maintaining functionality.
Support for remote execution of package and errata installation on image mode hosts
With this update, you can run existing package and errata installation remote execution jobs on image mode hosts by using the dnf install --transient command instead of running the bootc usr-overlay command manually. In earlier versions, these operations failed because image mode systems restricted write access to certain directories by default.
As a result, Satellite handles the required configuration automatically so transient package installation completes successfully without additional user intervention.
2.2. Red Hat Lightspeed
Red Hat Lightspeed advisor in Satellite is fully supported
Red Hat Lightspeed advisor in Satellite, introduced in Satellite 6.17 as a Technology Preview, is fully supported with this release.
Jira:SAT-30364[1]
Insights rebranded as Red Hat Lightspeed in the Satellite UI
In the Satellite UI, Red Hat Insights is rebranded to Red Hat Lightspeed in menus, tabs, and action links. This update ensures the UI reflects the current service name.
Jira:SAT-34946[1]
Minimal data collection for Red Hat Lightspeed
With this update, you can configure Satellite to use minimal data collection when you upload host data to Red Hat Lightspeed.
Minimal reports exclude host names, IP addresses, and installed packages. As a result, the Red Hat Lightspeed advisor, remediations, and vulnerability services, and any other service that requires package data, are disabled.
The subscriptions service remains active and reports continue to run daily during the midnight synchronization cycle.
Obfuscating host names and IP addresses during Red Hat Lightspeed data upload
You can configure Red Hat Satellite to obfuscate host names and IP addresses to prevent sensitive information from being exposed when you upload host data to Red Hat Lightspeed.
By default, Red Hat Satellite applies obfuscation settings globally, but it also respects obfuscation preferences configured for individual hosts. As a result, you can protect sensitive data while maintaining flexibility to manage obfuscation on a per-host basis.
2.3. Web UI
Enhanced Red Hat subscription usage tracking and reporting
With this update, you can manage Red Hat subscription manifests more effectively in Satellite. Each organization requires its own subscription allocation, which enables multiple organizations to maintain separate subscriptions. Satellite also supports future-dated subscriptions in a manifest, ensuring uninterrupted access to repositories.
Additionally, you can track subscription usage through the subscriptions service on the Red Hat Hybrid Cloud Console. Connected deployments can upload usage data automatically by using the foreman_rh_cloud plugin, while disconnected deployments can generate and export usage reports in JSON, YAML, HTML, or CSV formats for analysis and compliance.
Patternfly designs in the Satellite web UI are modernized
Satellite upgraded its Patternfly 4 designs to Patternfly 5. Additionally, some Patternfly 3 designs are upgraded to Patternfly 5.
Jira:SAT-24085, Jira:SAT-31947, Jira:SAT-33490
Job details page is redesigned
The Job details page is enhanced for improved usability and performance. The web UI displays the new design by default. You can switch to the previous design by clicking Legacy UI on the Job details page.
New Hosts overview page is fully supported
The new Hosts overview page, introduced in Satellite 6.16 as a Technology Preview, is fully supported with this release. The new Hosts overview UI is the default. You can still disable it in Settings or switch to the legacy UI from the local menu.
This release adds the following actions:
- Change organization or location
- Change owner
- Disassociate hosts
- Manage repository sets
With this release, you can display the following new columns in the table of hosts:
- Virtual in the Reported data category.
- Recommendations in the Red Hat Lightspeed category.
- Total CVEs in the Red Hat Lightspeed category. You can enable this column only if you use Red Hat Lightspeed in Satellite.
All of the above columns are disabled by default. You can enable them from Manage columns.
This release also reorganizes the menu above the table for improved clarity.
2.4. Installation and upgrade
Dual-stack networks partially supported
With this update, Satellite deployment and operation in dual-stack (IPv4 and IPv6) networks is partially supported. You can register hosts, manage content, and patch your hosts in dual-stack networks. Other features are not yet tested and are not supported with this release.
Satellite web UI links to Red Hat Satellite Upgrade Helper
The new Administer > Satellite Upgrade item in the vertical navigation contains a link to the Red Hat Satellite Upgrade Helper application. You can use Red Hat Satellite Upgrade Helper to obtain upgrade instructions customized for your current version number of Red Hat Satellite. As a result, you receive instructions that are specific to your upgrade path, as well as steps to prevent known issues. For more information, see Red Hat Satellite Upgrade Helper on the Red Hat Customer Portal.
2.5. Security and authentication
Mosquitto follows the system-wide cryptographic policy
Mosquitto, the service used by the remote execution (REX) pull mode, follows the system-wide cryptographic policy. As a result, you can configure the supported Transport Layer Security (TLS) protocols and ciphers in the system-wide policy and Mosquitto uses them.
2.6. Content management
Default mirroring policy settings for repositories
With this update, you can set the default mirroring policy for custom repositories in Settings:
- Default custom yum repository mirroring policy
- Default custom non-yum repository mirroring policy
When you create a new custom repository, Satellite applies the default value automatically, which removes the need for manual adjustments.
Increased efficiency in publication tasks of Yum repositories
This release improves the pulp-rpm plugin to increase the performance of publication tasks of Yum repositories. As a result, you might see a modest speed increase in publication tasks, such as repository synchronization, publication, and promotion.
Rolling content views
With this update, you can create rolling content views in Satellite to provide hosts with a continuous stream of the latest synchronized content from a defined subset of repositories.
Unlike standard or composite content views, rolling content views are automatically updated whenever their repositories are synchronized, so there is no need to publish or promote them.
You can create rolling content views in the Satellite web UI or CLI and then assign them to activation keys to make the content available to registered hosts.
Support for consuming Capsule container content from a load-balanced Capsule
With this update, you can consume container content from Capsules that are behind a load balancer. Before this update, this capability was not supported, which created a gap in load-balanced container workflows.
After upgrading Capsule, you can access container content without additional configuration by running podman commands against the load balancer host.
Support for managing Flatpak remotes in Satellite
You can manage Flatpak remotes directly in Satellite. You can create Flatpak remotes to access and manage repositories, scan them to fetch metadata and discover available content, mirror repositories into existing products for synchronization and content management, and view remote details, including the list of provided repositories.
Configure Capsule to distribute Flatpak repositories
With this update, you can configure Capsule Servers to synchronize and distribute Flatpak repositories to managed hosts by using certificate authentication. You can add Capsule as a container registry or a Flatpak remote to a host, authenticate with the registry by using certificates, and install applications such as Mozilla Firefox directly from the synchronized repositories. Lifecycle management of Flatpak and container content is supported only when using certificate authentication.
2.7. Server administration
satellite-usage-metrics-condense.timer to collect usage metrics
This release adds a systemd timer named satellite-usage-metrics-condense.timer that collects condensed usage metrics from Satellite deployments. The resulting report is stored in the /etc/rhsm/facts/foreman.facts file and uploaded as custom Red Hat Subscription Manager facts. You can use the satellite-maintain report condense command to review the list of condensed usage metrics.
For more information on usage metrics collection, see Usage metrics collection in Satellite in Administering Red Hat Satellite.
Jira:SAT-30439[1]
2.8. Ansible Collection
Modules from Satellite Ansible Collection support Kerberos authentication
When using Ansible modules from the Satellite Ansible Collection, you can use a Kerberos ticket to connect to the Satellite API. Using a Kerberos ticket is supported for deployments where the Satellite Server is configured to use Identity Management as an external authentication source.
For more information, see Creating a playbook with modules from Satellite Ansible Collection in Using the Satellite Ansible Collection.
2.9. Documentation
Provisioning hosts improved
The Provisioning hosts guide is reorganized. Major changes include the following:
- Large chapters, such as Configuring provisioning resources and Using PXE to provision hosts, are split into more and better structured chapters.
- Security settings are moved into the Security settings chapter.
These improvements help make the guide better organized and more accessible to beginners.
Improved upgrading and updating documentation
The Upgrading connected Red Hat Satellite to 6.18, Upgrading disconnected Red Hat Satellite to 6.18, and Updating Red Hat Satellite guides are updated. Major changes include removing out-of-date steps and eliminating duplication. These improvements help make the guides shorter and easier to follow during upgrading and updating.
Jira:SAT-29153, Jira:SAT-24751
Improved Integrating provisioning infrastructure services
The Integrating provisioning infrastructure services guide is updated. Major changes include optimizing the procedures to make the instructions clearer and up-to-date. These improvements help make the guide better organized and easier to follow.
Improved documentation on using Satellite Ansible Collection
Documentation on using modules from the Satellite Ansible Collection is updated and expanded. Satellite Ansible Collection is a set of Ansible modules that interact with the Satellite API. You can use the modules to automate many aspects of Satellite administration. See the new Using the Satellite Ansible Collection guide.
Chapter 3. Removed functionalities
This section lists functionalities that are removed in Red Hat Satellite 6.18.
3.1. Host provisioning and management
Red Hat Virtualization compute resource
The Red Hat Virtualization (RHV) compute resource is removed in Satellite 6.18.
All hosts in RHV compute resources will be automatically dissociated from the compute resource and host entries kept in the Satellite database during an upgrade to Satellite 6.18.
Chapter 4. Deprecated functionalities
This section provides an overview of functionalities that are deprecated in Red Hat Satellite 6.18.
Deprecated functionalities will likely not be supported in future releases of this product and are not recommended for new deployments. For the most recent list of deprecated functionality within a particular major release, refer to the latest version of release documentation.
The support status of deprecated functionality remains unchanged within Red Hat Satellite 6.18. For information about the length of support, see Red Hat Enterprise Linux Life Cycle and Red Hat Enterprise Linux Application Streams Life Cycle.
Deprecated hardware components are not recommended for new deployments on the current or future releases. Hardware driver updates are limited to security and critical fixes only. Red Hat recommends replacing this hardware as soon as reasonably feasible.
A package can be deprecated and not recommended for further use. Under certain circumstances, a package can be removed from a product. Product documentation then identifies more recent packages that offer functionality similar, identical, or more advanced to the one deprecated, and provides further recommendations.
GRUB Legacy is deprecated in provisioning
GRUB Legacy, also known as GRUB version 1, is deprecated in provisioning and will be removed in a future release. GRUB 1 was used by end of life distributions such as RHEL 6. Current applications use GRUB 2 and are not affected by the deprecation.
First deprecated in Satellite 6.18.
Puppet packages included in Satellite are deprecated
The puppet-agent and puppetserver packages, which are currently included in Satellite, are deprecated. In a future release, Satellite will stop providing these packages. Satellite will continue providing integration with OpenVox or Puppet packages that customers implement in their environment.
First deprecated in Satellite 6.18.
Jira:SAT-39110[1]
Sendmail is deprecated for delivering email
Delivering email by calling the sendmail binary on the system is problematic in many cases. Therefore, it is deprecated and will be removed in a future version. As an alternative, use the SMTP mail delivery method. For more information, see Configuring Satellite Server for outgoing emails.
First deprecated in Satellite 6.18.
Legacy content host UI pages are deprecated
The legacy content host pages in the UI are deprecated and will be removed in a future release.
This deprecation includes the legacy content host list page, accessible from the main navigation Hosts > Content Hosts, and the legacy content host details page, accessible from the Content Hosts list page or from the Legacy UI menu item on the host details page.
As an alternative, use the new All Hosts UI, which is the default.
First deprecated in Satellite 6.18.
External authentication with Red Hat Single Sign-On is deprecated
Configuring Satellite with Red Hat Single Sign-On (RH SSO) as an external authentication source is deprecated. The RH SSO 7 product family reached End of Full Support. Instead of RH SSO, you can configure Red Hat build of Keycloak as an external authentication source for Satellite.
To migrate from using RH SSO in your Satellite deployment, reconfigure the authentication source settings on your 6.17 Satellite Server to follow the requirements for Red Hat build of Keycloak. For more information, see Configuring SSO and 2FA with Red Hat build of Keycloak in Satellite.
For information on the current support policy for RH SSO, see Red Hat Application Services Product Update and Support Policy.
First deprecated in Satellite 6.17.
Legacy remote execution job form in the Satellite web UI is deprecated
The option to use the legacy web UI form to run remote execution jobs is deprecated and will be removed in a future version. The new job invocation wizard will be the only available option. Note that the new job invocation wizard is the default method to run remote execution jobs in Satellite 6.13 and later versions.
First deprecated in Satellite 6.17.
iPXE firmware is deprecated
Using iPXE firmware for network-boot provisioning is deprecated. Instead, use HTTP booting for hosts in UEFI mode to reduce provisioning times. Note that iPXE firmware was never officially supported in Red Hat Satellite.
First deprecated in Satellite 6.17
Overriding organizations and locations on the filter level is deprecated
The ability for a filter to override organizations and locations associated with a role is deprecated. When the functionality is removed, filters will respect the organizations and locations set at the role level.
For a related known issue, see Newly created filters do not inherit organizations and locations associated with the role.
First deprecated in Satellite 6.16.
hammer host subscription attach and hammer host subscription auto-attach commands are deprecated
The hammer host subscription attach and hammer host subscription auto-attach commands are deprecated. The commands are non-functional and do not result in attaching a subscription.
First deprecated in Satellite 6.16
Note: Entitlement-based subscription management was removed in Satellite 6.16.
Asynchronous SSH remote execution mode is deprecated
The async-ssh remote execution mode is deprecated. If you have unstable connectivity between Capsules and managed hosts, use the pull mode instead. For more information about pull mode, see Transport Modes for Remote Execution in Managing hosts.
First deprecated in Satellite 6.13.
Package Group Actions is deprecated
The Package Group Actions option in the web UI is deprecated.
First deprecated in Satellite 6.10.
katello-ca-consumer package and katello-rhsm-consumer script is deprecated
The katello-ca-consumer package and katello-rhsm-consumer script are deprecated. You must use the global registration template to register a host.
First deprecated in Satellite 6.9.
Bootstrap.py host registration script is deprecated
The bootstrap.py script for registering a host to Satellite or Capsule is deprecated. It is replaced with the curl command created by using the global registration template.
First deprecated in Satellite 6.9.
Chapter 5. Known issues
This section describes known issues in Red Hat Satellite 6.18.
5.1. Web UI
All Hosts page always links to the new host details UI
The links on the Hosts > All Hosts page always point to the new host details UI, even if the setting New host details UI is set to No.
To work around this problem, display the old host details UI by clicking the vertical ellipsis in the upper right and selecting Legacy UI.
5.2. Installation and upgrade
red-hat-lightspeed-in-satellite not enabled on disconnected Satellite when the Podman Host.NetworkBackend is set as CNI
When the Host.NetworkBackend for Podman is set to CNI on a Satellite Server, satellite-installer fails to enable red-hat-lightspeed-in-satellite. The issue occurs because the Red Hat Enterprise Linux 9.6 ISO provides a version of the container-selinux policy that is earlier than 2.237.0. Later versions are provided with Red Hat Enterprise Linux 9.6.z, which fixes the issue, and is provided with the 9.7 ISO.
To work around this problem, reset the NetworkBackend to netavark by entering the following command:
podman system reset
# podman system reset
This clears the container images, reruns the /media/sat6/setup_containers script and executes the satellite-installer again.
5.3. Red Hat Lightspeed
Red Hat Lightspeed vulnerability CVE map download fails with an HTTP proxy to https://security.access.redhat.com
Satellite servers configured for the Red Hat Lightspeed vulnerability service in Satellite, which is a Technology Preview, fail CVE map downloads if the Satellite server uses an HTTP proxy to reach https://security.access.redhat.com. This issue is caused by the iop-cvemap-download.service service lacking HTTP proxy configuration.
To work around this problem, manually set the HTTPS_PROXY and NO_PROXY environment variables for the iop-cvemap-download service. For more information, see Installing Red Hat Lightspeed in Satellite on a connected Satellite Server.
hammer ping does not list services of Red Hat Lightspeed in Satellite
When Red Hat Lightspeed in Satellite is enabled, the hammer ping command does not display advisor and vulnerability services.
To work around this problem, restart all Satellite services by entering the satellite-maintain service restart command.
”Any location” produces error in Remediations and Vulnerabilities
When the location is set to “Any location”, accessing the Remediations or Vulnerabilities menu produces an error message. As a consequence, you cannot see a global view of all systems in Remediations or Vulnerabilities.
To work around this problem, filter systems by location before accessing Remediations or Vulnerabilities.
Satellite with Red Hat Lightspeed enabled produces errors in Inventory Upload
The Inventory Upload page was moved to the Administer menu for Red Hat Lightspeed, mainly for troubleshooting. As a consequence, some operations are invalid and may produce an error.
To work around this problem, do not use the Sync all inventory status operation.
Jira:SAT-36556[1]
5.4. Security and authentication
Unable to upload an OpenSCAP report from hosts that run RHEL 9.3 or earlier with FIPS mode enabled
On hosts that run RHEL 9.3 or earlier versions with FIPS mode enabled, uploading an OpenSCAP report fails with the following error:
Unable to load certs Neither PUB key nor PRIV key
Unable to load certs
Neither PUB key nor PRIV keyFor more details, see a related Knowledgebase solution. Note that the problem is fixed for hosts that run RHEL 9.4 or later versions.
No known workaround exists.
Some endpoints bypass user authentication and fail to terminate user sessions
API endpoints that call the add_smart_proxy_filters function bypass user authentication. This is due to improper session termination logic introduced in Satellite 6.18. In addition, user sessions remain active beyond the period specified in the idle_timeout setting. This affects the API endpoints related to the following resources:
- Organizations
- Repositories
- Config reports
- Hosts
As a consequence, removed and nonexistent users fail due to missing required permissions and not due to failed authentication. In addition, user sessions are not terminated and can access endpoints without re-authentication.
No known workaround exists.
5.5. Backup and restore
Restoring from backup fails due to inconsistencies in the data
If the backup is generated from a database with inconsistencies, the restore fails. The satellite-maintain tool uses the PostgreSQL amcheck extension to detect inconsistencies in the data before backup to prevent issues during restore.
To work around this problem, reach out to Red Hat support to fix any detected inconsistencies before proceeding with the backup. For more information, see Restoring Red Hat Satellite 6.16+ fails complaining about db duplicates on CREATE UNIQUE INDEX in the Red Hat Knowledgebase.
5.6. Users and roles
Newly created filters do not inherit organizations and locations associated with the role
When an organization and location are defined for a role, these organizations and locations are not propagated to the filters created within the role. Consequently, users with a role assigned can access resources in any other organization or location that they have sufficient permissions to view instead of only organizations and locations defined for the role.
To work around the problem:
- Create your filter.
- Start editing the filter.
- Save the filter without making any changes. This ensures that organizations and locations defined on the role level are propagated to filters correctly.
This known issue does not affect cloned roles. If you clone an existing role and assign organizations and locations to the cloned role, the organizations and locations are propagated to filters correctly.
Note that defining organizations and locations on the filter level is deprecated. See Overriding organizations and locations on the filter level is deprecated.
5.7. IPv6
virt-who is not supported on IPv6-only networks in Satellite
Satellite does not support the virt-who agent in an IPv6-only network.
No known workaround exists.
Additional configuration is required in IPv6-only networks when using kinit for IdM and AD users
If your Satellite Server runs in an IPv6-only network and also runs on RHEL 9.6 and earlier versions, Kerberos authentication for external users from Identity Management (IdM) and Active Directory (AD) fails. This known issue is caused by a bug in the System Security Services Daemon (SSSD) and occurs when the DNS name of the IdM or AD server can be translated to both an IPv4 and IPv6 address but the IPv4 address is not accessible, for example because it is blocked by a firewall.
To work around this problem, configure the lookup_family_order option in the [domain/<domain_name>] in the /etc/sssd/sssd.conf file:
[domain/example.com] lookup_family_order = ipv6_only
[domain/example.com]
lookup_family_order = ipv6_onlyJira:SAT-32530, Jira:SSSD-2511
Mismatch of the IPv6 address entry in Satellite when using a DHCPv6 server
When you use a DHCPv6 server to assign an IP address dynamically and you provision a host in an IPv6 network, Satellite contains an IPv6 address that does not match the actual IPv6 address of the host. This mismatch impairs host management capabilities, such as remote execution.
To work around this problem, perform one of the following steps:
-
Execute
subscription-manager facts --uploadon the host. -
Wait for the next facts upload to resolve the issue. Note that the Ignore interfaces facts for provisioning (
ignore_puppet_facts_for_provisioning) setting can disable updating the interfaces from facts.
Host Discovery fails in an IPv6 network
When you attempt to discover an unknown host in an IPv6 network, the discovery fails with Error: 1001: Failed to open TCP connection to satellite.example.com:443.
No known workaround exists.
Failure to provision hosts in PXE-less Discovery over IPv6
After PXE-less host discovery on an IPv6 Satellite, when the host starts provisioning, it fails to resolve Satellite. As a result, the host fails to fetch Kickstart and the required files.
No known workaround exists.
5.8. Localization and internationalization
Incomplete translation of Satellite UI and CLI
If you are using a supported translation, that is French, Japanese, Korean, or Simplified Chinese, you might see some messages in English.
No known workaround exists.
Chapter 6. Bug fixes
This section describes bugs fixed in Red Hat Satellite 6.18 that have a significant impact on users.
6.1. Installation and upgrade
Satellite follows the --foreman-foreman-url option
Before this update, if you executed the satellite-installer command with the --foreman-foreman-url option, the Foreman URL setting was not set. With this fix, the Foreman URL setting is set correctly when passed with the --foreman-foreman-url option. If you configured the Foreman URL setting before this update by using the WebUI, API, or Hammer, you must use the --foreman-foreman-url option when you run satellite-installer to preserve it. Otherwise, it is overwritten by the Foreman URL value from the answers file.
Idle Redis connections are closed after timeout
Before this update, idle Redis connections persisted because the timeout was not set for the Redis service on the Satellite Server. This led to the Pulp content workers not accepting any new connections as the open file limit was reached. Pulp content workers would fail with the Too many open files error resulting in DNF connection timeouts on the client systems. With this release, the default timeout for idle Redis connections is set to 60 seconds, after which the idle connections are closed. This prevents DNF timeouts on client systems due to Pulp reaching the open file limit.
Satellite installer no longer uses local plugins
Before this update, Puppet loaded plugins from the /opt/puppetlabs/puppet/cache/lib/ directory. As a consequence, the Satellite installer used plugins that did not match the rest of the installer modules. This update changes how the installer uses Puppet and no longer loads plugins from /opt/puppetlabs/puppet/cache/lib/. As a result, the installer only uses plugins provided by the installer, and no other plugins that could be present on the system.
6.2. Security and authentication
Satellite preserves group membership when groupOfUniqueNames is used
Before this update, Satellite did not properly handle the groupOfUniqueNames LDAP attribute. As a consequence, user accounts from groups that were based on the groupOfUniqueNames attribute were removed from these groups upon login. This release adds support for the groupOfUniqueNames attribute. As a result, these users no longer lose group membership when logging in.
Long WebUI footer messages render correctly
Before this update, long footer messages resulted in a white block on the webUI login page. With this release, the footer message length limit is removed, which allows dynamic display. As a result, long footer messages are rendered correctly.
6.3. Content management
Alternate Content Sources with Capsule refresh content smoothly
Before this update, excessive memory consumption during Alternate Content Source (ACS) usage with Capsule led to Out of memory errors preventing ACS refresh of larger content. With this release, the ACS memory consumption issue is resolved, which allows smooth ACS refreshing of larger content.
Capsule sync does not get stuck
Before this update, wrong aiohttp session timeouts caused Capsule sync failures and incomplete downloads. With this release, the default aiohttp session timeouts are applied in Pulp when user-defined ones are not provided, preventing sync issues and enhancing user experience.
6.4. Host provisioning and management
Job Template imports include all assigned organizations and locations
Before this update, some organizations and locations were missing after users imported a Job Template. With this release, when users import a Job Template, all organizations and locations that were assigned to the Job Template are imported correctly.
Lookup of images in Azure Image Gallery
Before this update, a change in the Azure Image Gallery URL format led Satellite to use a wrong URL format for image lookup. Because of this, users could not find images in the Gallery by using the gallery:// schema. Instead, they had to use the full resource URL. With this release, the Azure Image Gallery URL format is updated, and the code is changed to find images by using the new format. As a result, end users can efficiently find images in Azure Image Gallery by using the gallery:// URL schema.
Satellite removes old host keys properly when re-registering hosts
Before this update, Satellite failed to remove old host keys for re-registered hosts. As a consequence, after host re-registration, users were unable to run remote execution jobs due to host key inconsistency. With this release, host key cleanup occurs as expected in this situation. As a result, re-registered hosts no longer fail to connect during remote execution jobs due to old host keys.
Full host boot disks include mmx64.efi
Before this update, full host boot disks did not include the mmx64.efi file, leading to boot failures in specific scenarios. With this release, the boot disks include the mmx64.efi file for certain hardware boot scenarios, ensuring successful booting for users.
Consistent firmware type in compute profiles
Before this update, the Hammer command to display compute profile information failed after a Satellite upgrade. The failure occurred because the firmware type changed from EFI (Extensible Firmware Interface) to UEFI (Unified Extensible Firmware Interface), impacting VMware users. With this release, a fix ensures the consistency of the firmware type in compute profiles after Satellite upgrade. As a result, compute profile information is displayed correctly, which prevents errors in VMware environments.
Virtual TPM no longer fails in image-based provisioning on VMware
Before this update, image-based provisioning conflicted with the Virtual TPM option, causing firmware reset to BIOS and Virtual TPM disabling on hosts. As a consequence, Virtual TPM functionality failed during image-based provisioning on VMware. With this release, Virtual TPM works with image-based provisioning and firmware remains set to UEFI on the host. As a result, users can successfully enable Virtual TPM with image-based provisioning on VMware.
CloudInit default generates valid YAML output when Realm is in use
This update corrects improper indentation in the freeipa_register snippet to ensure valid YAML output. This fix ensures proper cloud-init processing, thereby resolving issues with provisioning.
Error message when discovered hosts are filtered with invalid filter fields
Before this update, when users filtered discovered hosts by using an invalid field, such as hostgroup, the browser produced infinite redirects and failed. This release fixes the infinite redirect issue in discovered hosts for invalid filter fields. As a result, discovered hosts display no hosts and log an error message with a reason.
Deprecated dict replaced with list in Cloudinit default template
Before this update, a cloud-init provisioning failure occurred due to the deprecated dict type in the Cloudinit default template. As a consequence, cloud-init provisioning failed in RHEL 9.6 due to deprecation warnings. With this release, the deprecated dict type in users configuration is replaced with the list type, and this resolves the deprecation warning. As a result, cloud-init provisioning for RHEL 9.6 and later versions is functional.
UEFI hosts redeployed automatically in PXE-boot provisioning
Before this update, redeployment of provisioned hosts could not chainload the boot loader from the hard disk correctly after subsequent PXE reboot. As a consequence, you had to modify UEFI configuration manually to redeploy the system. This release fixes the pxegrub2_chainload snippet so that the GRUB2 configuration includes paths to shimx64.efi files. As a result, you can redeploy hosts automatically.
6.5. Ansible Collection
redhat.satellite.host can update content view and lifecycle environment separately
Before this update, using the redhat.satellite.host Ansible module to update the content view or the lifecycle environment of a host resulted in an error when only one of the two parameters was changed because only changed parameters were sent to the API. With this fix, the content view and lifecycle environment are always provided together to the API. As a result, you can update the content view and lifecycle environment of the host separately.
6.6. Server administration
Satellite validates the Hostname prefix Discovery setting
Before this update, the Hostname prefix (discovery_prefix) input in Satellite settings was insufficiently validated and allowed non-conforming characters. As a consequence, invalid hostnames could cause unexpected system behavior. With this release, Satellite enforces the following format for the Hostname prefix:
- The prefix must start with a letter.
-
Allowed characters are
a-z,A-Z,0-9and-(hyphen). - Maximum length is 62 characters.
As a result, discovered hosts have proper hostnames.
Chapter 7. Technology Preview features
This section provides a list of all Technology Previews available in Red Hat Satellite 6.18.
For information on Red Hat scope of support for Technology Preview features, see Technology Preview Features Support Scope.
7.1. Red Hat Lightspeed
Red Hat Lightspeed vulnerability in Satellite (Technology Preview)
You can view and examine Common Vulnerabilities and Exposures (CVE) of hosts provided by Red Hat Lightspeed in Satellite from multiple places in the Satellite web UI:
- Total CVEs column on the Hosts index page; the column is hidden by default
- Vulnerabilities tab on the Host details page
- a CVE list by navigating to Red Hat Lightspeed > Vulnerability; click the CVE ID to view CVE details.
Jira:SAT-30762[1]
7.2. Host provisioning and management
OpenShift Virtualization plugin (Technology Preview)
You can provision virtual machines by using the OpenShift Virtualization plugin. For more information, see Provisioning hosts.
Jira:SAT-18663[1]
Kernel execution template (Technology Preview)
You can use the kernel execution (kexec) provisioning template for PXE-less boot methods. For more information, see Discovery in PXE-less mode.
MCP server is available for Satellite (Technology Preview)
Satellite provides a container image that you can use to run a Model Context Protocol (MPC) server locally. The MCP server for Satellite is designed for advanced reporting and data analysis that leverages AI capabilities. You can use it to generate dynamic and comprehensive reports from your Satellite inventory.
For more information, see Using the MCP server for Satellite.
7.3. Content management
Support for Multiple Content View Environments in Hosts and Activation Keys in Hammer CLI (Technology Preview)
Hosts and activation keys support multiple content view environments instead of being limited to a single content view and lifecycle environment. This is done in the Hammer CLI.
For more information, see Managing content view environments in Managing content.
Chapter 8. Changes in satellite-installer parameters, Hammer CLI, REST API, and usage metrics
8.1. satellite-installer parameters
New satellite-installer parameters
This release adds the following satellite-installer parameters:
-
--[no-]enable-foreman-cli-bootdisk -
--[no-]enable-iop -
--foreman-proxy-dhcp-key-algorithm
Removed satellite-installer parameters
This release removes the following satellite-installer parameters:
-
--[no-]enable-foreman-compute-ovirt -
--foreman-plugin-rh-cloud-enable-iop-advisor-engine
8.2. Hammer CLI
New Hammer commands and subcommands
This release adds the following Hammer commands and subcommands:
hammer insights, including the following subcommands:-
hammer insights cloud-connector -
hammer insights cloud-connector enable -
hammer insights inventory -
hammer insights inventory download-report -
hammer insights inventory generate-report -
hammer insights inventory sync
-
New Hammer options
This release adds the following Hammer options:
--ldap-group-membershipis added to the following commands:-
hammer auth-source ldap create -
hammer auth-source ldap update
-
-
--rollingis added to thehammer content-view createsubcommand -
--product-nameis added to thehammer flatpak-remote remote-repository mirrorsubcommand -
--setup-container-registry-certsis added to thehammer host-registration generate-commandsubcommand --location,--location-id,--location-title,--organization,--organization-id, and--organization-titleare added to the following subcommands:-
hammer insights cloud-connector enable -
hammer insights inventory download-report -
hammer insights inventory generate-report -
hammer insights inventory sync
-
-
--no-uploadis added to thehammer insights inventory generate-reportsubcommand -
--pathis added to thehammer insights inventory download-reportsubcommand -
--searchis added to thehammer job-invocation cancelsubcommand --ansible-check-modeis added to the following subcommands:-
hammer job-template create -
hammer job-template update
-
-
--default,--lock,--force, and--associateare added to thehammer job-template importsubcommand
Removed Hammer commands and subcommands
This release removes the following Hammer commands and subcommands:
-
vnic-profilessubcommand is removed from thehammer compute-resourcecommand
Removed Hammer options
This release removes the following Hammer options:
--public-key,--keyboard-layout,--public-key-path,--ovirt-quotaare removed from the following commands:-
hammer compute-resource create -
hammer compute-resource update
-
Additional resources
For more information, see Using the Hammer CLI tool or enter the commands with the --help option.
8.3. REST API
New API endpoints
This release adds the following API endpoints:
Hosts_bulk_actions endpoints:
-
/api/hosts/bulk/change_owner -
/api/hosts/bulk/disassociate -
/api/hosts/bulk/assign_organization -
/api/hosts/bulk/assign_location
-
Organizations endpoints:
-
/katello/api/organizations/:id/cancel_repo_discover -
/katello/api/organizations/:id/download_debug_certificate
-
Removed API endpoints
This release remoes the following API endpoints:
Compute_resources endpoints
-
/api/compute_resources/:id/available_vnic_profiles
-
Organizations endpoints:
-
/katello/api/organizations/:label/cancel_repo_discover -
/katello/api/organizations/:label/download_debug_certificate
-
8.4. Ansible modules
This release performs the following changes in the Satellite Ansible Collection.
New Ansible modules
This release adds yhe following Ansible modules:
-
redhat.satellite.flatpak_remote -
redhat.satellite.flatpak_remote_repository_mirror -
redhat.satellite.flatpak_remote_scan
Removed Ansible modules
This release does not remove any Ansible modules.
8.5. Collected usage metrics
New usage metrics
Satellite collects these additional usage metrics:
-
bookmarks_custom_count -
bookmarks_custom_private_count -
bookmarks_custom_public_count -
custom_alternate_content_sources_count -
custom_library_yum_repositories_count -
disconnected_environment -
file_alternate_content_sources_count -
foreman_interfaces_dualstack_count -
foreman_interfaces_ipv4only_count -
foreman_interfaces_ipv6only_count -
hosts_by_family_count|RedHat -
hosts_with_dualstack_interface_count -
hosts_with_ipv4only_interface_count -
hosts_with_ipv6only_interface_count -
iop_remediations_count -
iop_remediations_enabled -
library_ansible_collection_repositories_count -
library_container_repositories_count -
library_debian_repositories_count -
library_file_repositories_count -
library_ostree_repositories_count -
library_python_repositories_count -
pat_counts -
pat_recently_used_count -
redhat_library_yum_repositories_count -
remote_execution_transient_package_actions_count -
revoked_pats_count -
rhel_ai_workload_host_count -
rhui_alternate_content_sources_count -
selinux_enforced -
setting_discovery_prefer_ipv6 -
setting_remote_execution_connect_by_ip_prefer_ipv6 -
shell_hooks_count -
simplified_alternate_content_sources_count -
subnet_ipv4_count -
subnet_ipv6_count -
user_group_roles_max_count -
user_group_roles_min_count -
usergroup_max_nesting_level -
webhooks_enabled_count -
webhooks_subscribed_events -
yum_alternate_content_sources_count
Additional resources
For more information, see Usage metrics collection in Satellite in Administering Red Hat Satellite.
Appendix A. Providing feedback on Red Hat documentation
We appreciate your feedback on our documentation. Let us know how we can improve it.
Use the Create Issue form in Red Hat Jira to provide your feedback. The Jira issue is created in the Red Hat Satellite Jira project, where you can track its progress.
Prerequisites
- Ensure you have registered a Red Hat account.
Procedure
- Click the following link: Create Issue. If Jira displays a login error, log in and proceed after you are redirected to the form.
- Complete the Summary and Description fields. In the Description field, include the documentation URL, chapter or section number, and a detailed description of the issue. Do not modify any other fields in the form.
- Click Create.
Appendix B. Revision history
0.0-0Tue Nov 4 2025, Jan Fiala (jafiala@redhat.com)
- Release of the Red Hat Satellite 6.18 Release Notes.
Appendix C. List of tickets by component
Bugzilla and JIRA tickets are listed in this document for reference. The links lead to the release notes in this document that describe the tickets.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}