Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Managing system content and patch updates on RHEL systems with FedRAMP

Red Hat Lightspeed 1-latest

How to review applicable advisories and affected systems, manage system content, and remediate issues

Red Hat Customer Content Services

Abstract

This document demonstrates how to review applicable advisories and affected systems in your environment with FedRAMP®, manage system content and updates, and perform remediations.

Chapter 1. Content patching overview
Copy link

Patching leverages Red Hat software and management automation expertise to enable consistent patch workflows for Red Hat Enterprise Linux (RHEL) systems across the open hybrid cloud. It provides a single canonical view of applicable advisories across all of your deployments, whether they be Red Hat Satellite, hosted Red Hat Subscription Management (RHSM), or the public cloud.

Use content patching in Red Hat Lightspeed to

  • see all of the applicable Red Hat and Extra Packages for Enterprise Linux (EPEL) advisories for your RHEL systems checking into Red Hat Lightspeed.
  • patch any system with one or more advisories by using remediation plans.
  • see package updates available for Red Hat and non-Red Hat repositories as of the last system checkin. Your host must be running Red Hat Enterprise Linux (RHEL) 7, RHEL 8.6+ or RHEL 9 and it must maintain a fresh yum/dnf cache.
Note

1.1. Criteria for patch and vulnerability errata
Copy link

The content patching function collects a variety of data to create meaningful and actionable errata for your systems. The Red Hat Lightspeed client collects the following data on each checkin:

  • List of installed packages, including name, epoch, version, release, and architecture (NEVRA)
  • List of enabled modules (RHEL 8 and later)
  • List of enabled repositories
  • Output of yum updateinfo -C or dnf updateinfo -C
  • Release version from systems with a version lock
  • System architecture (eg. x86_64)

Additionally, Red Hat Lightspeed collects metadata from the following data sources:

  • Product repositories delivered by the Red Hat Content Delivery Network (CDN)
  • Extra Packages for Enterprise Linux (EPEL) repositories
  • Common Security Advisory Framework (CSAF)
  • Vulnerability Exploitability eXchange (VEX)

Red Hat Lightspeed compares the set of system data to the collected errata and vulnerability metadata in order to generate a set of available updates for each system. These updates include package updates, Red Hat errata, and Common Vulnerabilities and Exposures (CVEs).

Important

Unlike the patch service, the vulnerability service supports only official Red Hat source repositories and does not support custom repositories. Red Hat Lightspeed vulnerability can find CVEs in local mirrors of official Red Hat repositories, but only if the original Red Hat designated name is preserved. If your infrastructure uses custom or renamed Red Hat local mirror repositories, CVEs or errata from those sources will not appear in the Red Hat Lightspeed vulnerability results.

Additional resources

For more information about Common Vulnerabilities and Exposures (CVEs), refer to the following resources:

You can see all of the applicable advisories and installed packages for systems checking into Red Hat Lightspeed.

Procedure

  1. On Red Hat Hybrid Cloud Console, navigate to Content > Advisories.

  2. You can also search for advisories by name using the search box, and filter advisories by:

    1. Type - Security, Bugfix, Enhancement, Unknown
    2. Publish date - Last 7 days, 30 days, 90 days, Last year, or More than 1 year ago
  3. Navigate to Content > Systems to see a list of affected systems you can patch with applicable advisories. You can also search for specific systems using the search box.
  4. Navigate to Content > Packages to see a list of packages with updates available in your environment. You can also search for specific packages using the search box.

The following steps demonstrate the patching workflow from the Content > Advisories page in Red Hat Lightspeed:

Procedure

  1. On Red Hat Hybrid Cloud Console, navigate to Content > Advisories.
  2. Click the advisory you want to apply to affected systems. You will see a description of the advisory, a link to view packages and errata at access.redhat.com, and a list of affected systems. The total number of applicable advisories of each type (Security, Bugfix, Enhancement) against each system are also displayed.
  3. Select the system(s) for which you want to create a playbook, then click Plan remediation.
  4. You can choose to modify an existing Playbook or create a new one. Accordingly, select Existing Playbook and the playbook name from the drop-down list, then click Next. Or, select Create new Playbook and enter a name for your playbook, then click Next.
  5. On the left navigation, click on Remediations.
  6. Click on the playbook name to see the playbook details, or simply select and click Download playbook.

Red Hat Lightspeed calculates applicable updates based on the packages, repositories, and modules that a system reports when it checks in. Red Hat Lightspeed combines these results with a client-side evaluation, and stores the resulting superset of updates as applicable updates.

A system check-in to Red Hat Lightspeed includes the following content-related data:

  • Installed packages
  • Enabled repositories
  • Enabled modules
  • List of updates, which the client determines using the dnf updateinfo -C command. This command primarily captures package updates for non-Red Hat repositories

Red Hat Lightspeed uses this collection of data to calculate applicable updates for the system.

Sometimes Red Hat Lightspeed calculates applicable updates for systems managed by Red Hat Satellite and reports inaccurate results. This issue can manifest in two ways:

  • Red Hat Lightspeed shows installable updates that cannot be installed on the Satellite-managed system.
  • Red Hat Lightspeed shows applicable updates that match what can be installed on the system immediately after patching, but shows outdated or missing updates a day or two later. This can occur when the system is subscribed to RHEL repositories that have been renamed.

Red Hat Lightspeed now provides an optional check-in command to provide accurate reporting for applicable updates on Satellite-managed systems. This option rebuilds the yum/dnf package caches and creates a refreshed list of applicable updates for the system.

Note

Satellite-managed systems are not eligible to have Red Hat Lightspeed content templates applied.

Prerequisites

  • Admin-level access to the system

Procedure

  • To rebuild the package caches from the command line, enter the following command: 

    # insights-client --build-packagecache
    Copy to Clipboard Toggle word wrap

The command regenerates the dnf/yum caches and collects the relevant installable errata from Satellite. insights-client then generates a refreshed list of updates and sends it to Red Hat Lightspeed.

Note

The generated list of updates is equivalent to the output from the command dnf updateinfo list.

You can edit the insights-client configuration file on your system (/etc/insights-client/insights-client.conf) to rebuild the package caches automatically each time the system checks in to Red Hat Lightspeed.

Procedure

  1. Open the /etc/insights-client/insights-client.conf file in a text editor.

  2. Look in the file for the following comment: 

    #Set build_packagecache=True to refresh the yum/dnf cache during the insights-client check-in
    Copy to Clipboard Toggle word wrap

  3. Add the following line after the comment: 

    build_packagecache=True
    Copy to Clipboard Toggle word wrap
  4. Save your edits and exit the editor.

When the system next checks in to Satellite, insights-client executes a yum/dnf cache refresh before collecting the output of the client-side evaluation. Red Hat Lightspeed then reports the client-side evaluation output as installable updates. The evaluation output, based on what has been published to the CDN, is reported as applicable updates.

Additional resources

1.5. Enabling notifications
Copy link

You can enable the notifications service on Red Hat Hybrid Cloud Console to send notifications whenever the patch service detects an issue and generates an advisory. Using the notifications service frees you from having to continually check the Red Hat Lightspeed dashboard for advisories.

For example, you can configure the notifications service to automatically send an email message whenever the patch service generates an advisory.

Important

For the patch service, the notification service generates notifications only about updates for the registered Red Hat Enterprise Linux systems. If you want to receive notifications about all updates for every subscription that you have, configure the notifications service for errata events.

Enabling the notifications service requires three main steps:

  • First, an Organization Administrator creates a User Access group with the Notifications administrator role, and then adds account members to the group.
  • Next, a Notifications administrator sets up behavior groups for events in the notifications service. Behavior groups specify the delivery method for each notification. For example, a behavior group can specify whether email notifications are sent to all users, or just to Organization Administrators.
  • Finally, users who receive email notifications from events must set their user preferences so that they receive individual emails for each event.

User Access is the Red Hat implementation of role-based access control (RBAC). Your Organization Administrator uses User Access to configure what users can see and do on the Red Hat Hybrid Cloud Console (the console):

  • Control user access by organizing roles instead of assigning permissions individually to users.
  • Create groups that include roles and their corresponding permissions.
  • Assign users to these groups, allowing them to inherit the permissions associated with their group’s roles.

All users on your account have access to most of the data in Red Hat Lightspeed.

1.6.1. Predefined User Access groups and roles
Copy link

To make groups and roles easier to manage, Red Hat provides two predefined groups and a set of predefined roles:

  • Predefined groups

    The Default access group contains all users in your organization. Many predefined roles are assigned to this group. It is automatically updated by Red Hat.

    Note

    If the Organization Administrator makes changes to the Default access group its name changes to Custom default access group and it is no longer updated by Red Hat.

    The Default admin access group contains only users who have Organization Administrator permissions. This group is automatically maintained and users and roles in this group cannot be changed.

    On the Hybrid Cloud Console navigate to Red Hat Hybrid Cloud Console > the Settings icon (⚙) > Identity & Access Management > User Access > Groups to see the current groups in your account. This view is limited to the Organization Administrator.

  • Predefined roles assigned to groups

    The Default access group contains many of the predefined roles. Because all users in your organization are members of the Default access group, they inherit all permissions assigned to that group.

    The Default admin access group includes many (but not all) predefined roles that provide update and delete permissions. The roles in this group usually include administrator in their name.

    On the Hybrid Cloud Console navigate to Red Hat Hybrid Cloud Console > the Settings icon (⚙) > Identity & Access Management > User Access > Roles to see the current roles in your account. You can see how many groups each role is assigned to. This view is limited to the Organization Administrator.

1.6.2. Access permissions
Copy link

The Prerequisites for each procedure list which predefined role provides the permissions you must have. As a user, you can navigate to Red Hat Hybrid Cloud Console > the Settings icon (⚙) > My User Access to view the roles and application permissions currently inherited by you.

If you try to access Red Hat Lightspeed features and see a message that you do not have permission to perform this action, you must obtain additional permissions. The Organization Administrator or the User Access administrator for your organization configures those permissions.

Additional resources

For more information about user access and permissions, see User Access configuration guide for role-based access control (RBAC) with FedRAMP.

The following roles enable standard or enhanced access to content template features in Red Hat Lightspeed:

  • Content Template viewer. Read any content template resource.
  • Content Template administrator. Perform any available operation on any content template resource.

Content templates filter the errata that can be applied to registered systems in the Hybrid Cloud Console. They also provide filtering and control on the systems themselves. In addition, you can use the same set of content to build custom images in Red Hat Lightspeed.

Content templates include product and architecture attributes. These attributes, plus a date that you select, create a defined set of packages and errata that you can use to build images, report on patching status, and control the content delivered to your registered systems. All content templates include base RHEL repositories, and you can choose to include additional Red Hat and custom repositories.

2.1. About repository snapshots
Copy link

Repository snapshots capture the state of your repository at a point in time. Repositories are collections of Red Hat Package Manager files (RPMs) and metadata.

A content template consists of a set of repository snapshots that have the same version of Red Hat Enterprise Linux and the same system architecture. You select the snapshots to ensure that your systems have access only to specific package versions. Using the content templates, you can establish date-based patch baselines for your systems, and then use yum or dnf to perform updates to the systems.

2.2. About snapshots
Copy link

Snapshots are daily reference copies of the state of your repository at specified points in time. Red Hat Lightspeed takes snapshots of the common RHEL repositories as well as your custom repositories.

You can view the list of snapshots for the repositories that you select, as well as the changes that occur in time between one snapshot and the next. For example, you can see when new packages have been added between snapshots.

2.3. About content templates
Copy link

A content template consists of an explicit set of packages and errata that can be installed or updated on any associated system. It contains a set of repository snapshots that have the same RHEL product/version, system architecture, and template creation date.

When you associate a system with a content template, Red Hat Lightspeed overwrites the repository definitions on the system to point to the repository snapshots in the template. These are the same repository snapshots that appear on the Repositories page in the Hybrid Cloud Console. Once you associate a system with a content template, any yum or dnf commands that you run on that system are constrained to the updates included in those repository snapshots. For more information about the Repositories page, see Managing repositories to build your customized operating systems.

For example, you can create or edit a content template to contain only snapshots of Red Hat Enterprise Linux 9 for x86_64 repositories. You can use that content template to apply consistent patches to other systems in your inventory that match the product/version and architecture. Once you associate a content template with a set of systems, you can run dnf at the command line to easily perform consistent updates to all systems associated with that template.

Systems in your inventory that are not associated with that template do not receive the update packages and errata.

Systems that you can associate with a content template must meet the following criteria:

  • Must run RHEL 8 or later. The RHEL version must match the version specified in the template.
  • Registered with Red Hat Lightspeed, but not managed by Red Hat Satellite or Red Hat Update Infrastructure (RHUI).
  • Must have a system architecture that matches that specified in the template.

  • Must not have a release version set. To ensure that the release version is not set, run the following command as root: 

    subscription-manager release --unset
    Copy to Clipboard Toggle word wrap

2.4. Patching RHEL systems with content templates
Copy link

Content templates help you to apply consistent updates to all the systems assigned to the same template. This approach separates content management from remediation, and allows for more flexibility in patching. You can even use automation tools, such as Ansible Automation Platform, to perform patching operations for you.

You need the following administrator permissions to use content templates:

  • Repositories administrator (read, write, upload)
  • Content template administrator (read repositories, read and write templates)

To view your permissions, navigate to your profile > My User Access > Users. Click your account name. The list of groups for which you have permission displays.

To see the permissions you have within a group, click the group name. The group page displays and shows the types of permissions available (for example, read and write).

For more information about administrator permissions, refer to Predefined User Access roles in the User Access configuration guide for role-based access control (RBAC)

2.4.1. How patching works with content templates
Copy link

The workflow for patching with content templates follows these steps:

  1. You create the content template in Red Hat Lightspeed. The template includes the RHEL version, system architecture, template creation date, and other criteria. Systems that use the content template must match these criteria.
  2. You associate systems with the template. The template points the repositories to snapshots for system updates. Note that the systems can only receive updates through the content template after you associate them.
  3. When a system checks in to Red Hat Lightspeed, it can discover installable updates. The updates match the criteria in the content template. All systems that are associated with the template discover the same updates. This ensures that all the systems using the template receive consistent updates.
Note

A system can be associated to only one content template at a time.

2.5. Managing content templates
Copy link

A content template is a set of repository snapshots you have selected to ensure your systems only have access to specific package versions. Using the content templates, you can establish date-based patch baselines for your systems and perform updates of your systems using yum or dnf.

2.5.1. Creating a content template
Copy link

You can create a content template to ensure your system retains access to specific package versions.

Important

Content templates currently support only major RHEL versions (RHEL 8, 9, or 10). When you create or edit a content template, select a major RHEL version from the drop-down menu for OS Version. Extended support (EUS) subscriptions can show minor RHEL versions in the drop-down menu. However, content templates do not support minor RHEL versions at this time.

Prerequisites

Procedure

  1. Access Red Hat Lightspeed in the Hybrid Cloud Console. Click ContentTemplates.
  2. Click Add content template. The Create content template wizard opens.

  3. In the Content section complete the following:

    1. On the Define content page, select the architecture and the major OS version of your system. Click Next.
    2. On the Red Hat repositories page, select repositories you want to include in the template. Click Next.

    3. On the Custom Repositories page, select repositories you want to include in the template. Click Next.

      Note

      Only repositories with enabled snapshot functionality are displayed in the list of repositories.

  4. On the Set snapshot date page, select:

    Use latest content
    To use the latest content from the repository during image building. Click Next.
    Use a snapshot

    To use a repository snapshot. Select the date and then click Next.

    Note, if your repository does not have the required snapshot, it chooses the earliest possible snapshot to the date of your choice.

  5. On the Detail page, provide a name for your template. Optionally, provide a description of your template. Click Next.

  6. On the Review page, verify the details about the template and click Create template and add to systems. Assign template to systems opens.

    Optional: Click Create template only if you want to assign this template to systems later.

  7. Select all the systems you want to assign the template to and click Assign.

    This change updates the /etc/yum.repos.d/redhat.repo file on the selected systems. All changes affect your systems every four hours. If you want this change to affect your systems immediately, you must manually refresh subscription-manager on the selected system: 

    # subscription-manager refresh
    Copy to Clipboard Toggle word wrap

Verification

  1. Go to ServicesRed Hat Enterprise LinuxContentTemplates and verify your template is added to the list of templates.
  2. On your system, check that the /etc/yum.repos.d/redhat.repo file contains https://cert.console.redhat.com.

2.5.2. Editing a content template
Copy link

You can modify the snapshot date for your content template, assign your content template to more systems, and delete your content template.

Important

Content templates currently support only major RHEL versions (RHEL 8, 9, or 10). When you create or edit a content template, select a major RHEL version from the drop-down menu for OS Version. Extended support (EUS) subscriptions can show minor RHEL versions in the drop-down menu. However, content templates do not support minor RHEL versions at this time.

Prerequisites

  • You have a RHEL subscription.
  • You have Organization Administrator or Content Template administrator permissions.
  • The custom repositories that you want to include in the template have snapshots.

Procedure

  1. Access Red Hat Lightspeed on the Hybrid Cloud Console. Click ContentTemplates.

  2. Select the content template you want to edit and choose an action from the following options:

    • To edit repositories, snapshot date, and the name of your content template, go to ActionsEdit and follow the Edit content template wizard.

      Note, if you edit a snapshot date for the template, it sets a new baseline for patching, and the systems start using the new snapshot.

    • To assign this template to more systems, go to Systems, click Assign template to systems and select the systems you want to assign this template to. Click Assign.
    • To delete the content template, go to ActionsDelete.

Procedure

  1. Navigate to Content > Templates and select a content template from the list. The information page for the template displays.
  2. Select Advisories under the Content tab. The list contains all advisories that apply to systems associated with that content template.
  3. Optional: To filter advisories, select the criterion you want to use from the drop-down menu (Name/Synopsis, Type, or Severity), and then use the second drop-down to select the filter. For example, you can view advisories by severity, and then filter the list to show only the Critical and Important advisories.

2.7. Installing updates
Copy link

Content templates help you to apply consistent updates to all the systems assigned to the same template. This approach separates content management from remediation, and allows for more flexibility in patching. You can even use automation tools, such as Ansible Automation Platform, to perform patching operations for you.

Note

RHEL 8 supports both the dnf and yum update commands. RHEL 9 and later support only dnf for updates.

Prerequisites

  • You have root access to the system (or systems) that you want to update.
  • You have set up your repositories and snapshots.
  • You have created content templates and assigned systems to them.
  • Updates are available for systems associated with the content template.

Procedure

  1. At the command line, type dnf update. 

    # dnf update
    Copy to Clipboard Toggle word wrap

    This installs the updates to the system. The system receives only the updates associated with the content template. For example, if your content template has systems running RHEL 9, then the updates install only on RHEL 9 systems. Systems in your inventory that have different operating system versions or system architectures remain unaffected.

  2. Repeat the update on each of the other systems associated with the same content template.

Providing feedback on Red Hat documentation
Copy link

We appreciate and prioritize your feedback regarding our documentation. Provide as much detail as possible, so that your request can be quickly addressed.

Prerequisites

  • You are logged in to the Red Hat Customer Portal.

Procedure

To provide feedback, perform the following steps:

  1. Click the following link: Create Issue
  2. Describe the issue or enhancement in the Summary text box.
  3. Provide details about the issue or requested enhancement in the Description text box.
  4. Type your name in the Reporter text box.
  5. Click the Create button.

This action creates a documentation ticket and routes it to the appropriate documentation team. Thank you for taking the time to provide feedback.

Legal Notice
Copy link

Copyright © 2025 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat