Chapter 1. Content patching overview
Patching leverages Red Hat software and management automation expertise to enable consistent patch workflows for Red Hat Enterprise Linux (RHEL) systems across the open hybrid cloud. It provides a single canonical view of applicable advisories across all of your deployments, whether they be Red Hat Satellite, hosted Red Hat Subscription Management (RHSM), or the public cloud.
Use content patching in Red Hat Lightspeed to:
- see all of the applicable Red Hat and Extra Packages for Enterprise Linux (EPEL) advisories for your RHEL systems checking into Red Hat Lightspeed.
- patch any system with one or more advisories by using remediation plans.
- see package updates available for Red Hat and non-Red Hat repositories as of the last system checkin. Your host must be running Red Hat Enterprise Linux (RHEL) 7, RHEL 8.6+ or RHEL 9 and it must maintain a fresh yum/dnf cache.
- Configure role-based access control (RBAC) in Red Hat Hybrid Cloud Console > the Settings icon (⚙) > Identity & Access Management > User Access > Users.
- See User Access configuration guide for role-based access control (RBAC) with FedRAMP for more information about this feature and example use cases.
1.1. Criteria for patch and vulnerability errata
The content patching function collects a variety of data to create meaningful and actionable errata for your systems. The insights-client collects the following data on each checkin:
- List of installed packages, including name, epoch, version, release, and architecture (NEVRA)
- List of enabled modules (RHEL 8 and later)
- List of enabled repositories
- Output of yum updateinfo -C or dnf updateinfo -C
- Release version from systems with a version lock
- System architecture (e.g. x86_64)
Additionally, Red Hat Lightspeed collects metadata from the following data sources:
- Product repositories delivered by the Red Hat Content Delivery Network (CDN)
- Extra Packages for Enterprise Linux (EPEL) repositories
- Common Security Advisory Framework (CSAF)
- Vulnerability Exploitability eXchange (VEX)
Red Hat Lightspeed compares the set of system data to the collected errata and vulnerability metadata in order to generate a set of available updates for each system. These updates include package updates, Red Hat errata, and Common Vulnerabilities and Exposures (CVEs).
Unlike the patch service, the vulnerability service supports only official Red Hat source repositories and does not support custom repositories. Red Hat Lightspeed vulnerability can find CVEs in local mirrors of official Red Hat repositories, but only if the original Red Hat designated name is preserved. If your infrastructure uses custom or renamed Red Hat local mirror repositories, CVEs or errata from those sources will not appear in the Red Hat Lightspeed vulnerability results.
Additional resources
For more information about Common Vulnerabilities and Exposures (CVEs), refer to the following resources:
1.2. Reviewing and filtering applicable advisories and systems in the inventory
You can see all of the applicable advisories and installed packages for systems checking into Red Hat Lightspeed.
Procedure
- On Red Hat Hybrid Cloud Console, navigate to Content > Advisories.
You can also search for advisories by name using the search box, and filter advisories by:
- Type - Security, Bugfix, Enhancement, Unknown
- Publish date - Last 7 days, 30 days, 90 days, Last year, or More than 1 year ago
- Navigate to Content > Systems to see a list of affected systems you can patch with applicable advisories. You can also search for specific systems using the search box.
- Navigate to Content > Packages to see a list of packages with updates available in your environment. You can also search for specific packages using the search box.
1.3. System patching using Red Hat Lightspeed remediation plans
The following steps demonstrate the patching workflow from the Content > Advisories page in Red Hat Lightspeed:
Procedure
- On Red Hat Hybrid Cloud Console, navigate to Content > Advisories.
- Click the advisory you want to apply to affected systems. You will see a description of the advisory, a link to view packages and errata at access.redhat.com, and a list of affected systems. The total number of applicable advisories of each type (Security, Bugfix, Enhancement) against each system is also displayed.
- Select the system(s) for which you want to create a playbook, then click Plan remediation.
- You can choose to modify an existing Playbook or create a new one. Accordingly, select Existing Playbook and the playbook name from the drop-down list, then click Next. Or, select Create new Playbook and enter a name for your playbook, then click Next.
- On the left navigation, click on Remediations.
- Click on the playbook name to see the playbook details, or simply select and click Download playbook.
1.4. Updating errata for systems managed by Red Hat Satellite
Red Hat Lightspeed calculates applicable updates based on the packages, repositories, and modules that a system reports when it checks in. Red Hat Lightspeed combines these results with a client-side evaluation, and stores the resulting superset of updates as applicable updates.
A system check-in to Red Hat Lightspeed includes the following content-related data:
- Installed packages
- Enabled repositories
- Enabled modules
- List of updates, which the client determines using the dnf updateinfo -C command. This command primarily captures package updates for non-Red Hat repositories.
Red Hat Lightspeed uses this collection of data to calculate applicable updates for the system.
Sometimes Red Hat Lightspeed calculates applicable updates for systems managed by Red Hat Satellite and reports inaccurate results. This issue can manifest in two ways:
- Red Hat Lightspeed shows installable updates that cannot be installed on the Satellite-managed system.
- Red Hat Lightspeed shows applicable updates that match what can be installed on the system immediately after patching, but shows outdated or missing updates a day or two later. This can occur when the system is subscribed to RHEL repositories that have been renamed.
Red Hat Lightspeed now provides an optional check-in command to provide accurate reporting for applicable updates on Satellite-managed systems. This option rebuilds the yum/dnf package caches and creates a refreshed list of applicable updates for the system.
Satellite-managed systems are not eligible to have Red Hat Lightspeed content templates applied.
Prerequisites
- Admin-level access to the system
Procedure
To rebuild the package caches from the command line, enter the following command:
# insights-client --build-packagecache
The command regenerates the dnf/yum caches and collects the relevant installable errata from Satellite. The insights-client then generates a refreshed list of updates and sends it to Red Hat Lightspeed.
The generated list of updates is equivalent to the output from the command dnf updateinfo list.
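To compare what the client reports with the per-type advisory counts shown in the console, the following added example (not Red Hat code) summarizes dnf updateinfo list output by advisory type, counting each advisory once. The three-column layout (advisory ID, type, package) and every sample line are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: summarize `dnf updateinfo list` style output by advisory type.

# Constructed sample input (advisory IDs and packages are made up).
sample_updateinfo() {
    cat <<'EOF'
Last metadata expiration check: 0:10:00 ago on (constructed sample).
RHSA-2099:0001 Important/Sec. kernel-4.18.0-999.el8.x86_64
RHSA-2099:0001 Important/Sec. kernel-core-4.18.0-999.el8.x86_64
RHBA-2099:0002 bugfix         tzdata-2099a-1.el8.noarch
RHEA-2099:0003 enhancement    example-tool-1.2-3.el8.x86_64
FEDORA-EPEL-2099-0a1b2c3d4e unknown example-epel-pkg-2.0-1.el8.x86_64
EOF
}

# Reads updateinfo lines on stdin and prints "Type count" for the four
# advisory types used by the Advisories filter, one advisory ID counted once
# even when it lists several packages.
summarize_updateinfo() {
    awk '
        NF < 3 { next }                          # blank or short lines
        $1 !~ /^[A-Z][A-Za-z-]*-[0-9]/ { next }  # not an advisory ID (e.g. metadata line)
        {
            t = tolower($2)
            if (t ~ /sec/)              kind = "Security"
            else if (t ~ /bugfix/)      kind = "Bugfix"
            else if (t ~ /enhancement/) kind = "Enhancement"
            else                        kind = "Unknown"
            if (!($1 in seen)) { seen[$1] = 1; count[kind]++ }
        }
        END {
            n = split("Security Bugfix Enhancement Unknown", order, " ")
            for (i = 1; i <= n; i++) printf "%s %d\n", order[i], count[order[i]]
        }
    '
}

# On a real host: dnf updateinfo list | summarize_updateinfo
sample_updateinfo | summarize_updateinfo
```

If the counts differ from what the console shows for the same system, rebuilding the package cache as described above is the first thing to check.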
1.4.1. Configuring automatic check-in for insights-client
You can edit the insights-client configuration file on your system (/etc/insights-client/insights-client.conf) to rebuild the package caches automatically each time the system checks in to Red Hat Lightspeed.
Procedure
- Open the /etc/insights-client/insights-client.conf file in a text editor. Look in the file for the following comment:
  #Set build_packagecache=True to refresh the yum/dnf cache during the insights-client check-in
  Add the following line after the comment:
  build_packagecache=True
- Save your edits and exit the editor.
When the system next checks in to Satellite, insights-client executes a yum/dnf cache refresh before collecting the output of the client-side evaluation. Red Hat Lightspeed then reports the client-side evaluation output as installable updates. The evaluation output, based on what has been published to the CDN, is reported as applicable updates.
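For fleets where hand-editing each host is impractical, the same change can be scripted. The following is an added example, not part of the Red Hat documentation: the function name is hypothetical, and it assumes the configuration file has a single [insights-client] section, so that appending at the end is safe when the documented comment is absent.

```bash
#!/usr/bin/env bash
# Added example: idempotently enable build_packagecache in insights-client.conf.
# Prints what it did: unchanged | updated | added | missing.
ensure_build_packagecache() {
    local conf="$1" tmp result
    local key='^[[:space:]]*build_packagecache[[:space:]]*='
    [ -f "$conf" ] || { echo "missing"; return 1; }

    # An active (uncommented) line already set to True: nothing to do.
    if grep -Eq "${key}[[:space:]]*True[[:space:]]*\$" "$conf"; then
        echo "unchanged"
        return 0
    fi

    tmp="$(mktemp)" || return 1
    if grep -Eq "$key" "$conf"; then
        # Active line with another value (for example False): rewrite it.
        sed -E "s/${key}.*/build_packagecache=True/" "$conf" > "$tmp"
        result="updated"
    else
        # No active line: add it right after the documented comment, or at
        # the end of the file if that comment is absent (assumption: the file
        # has a single [insights-client] section).
        awk '
            { print }
            !seen && /^#[ \t]*Set build_packagecache=True/ {
                print "build_packagecache=True"; seen = 1
            }
            END { if (!seen) print "build_packagecache=True" }
        ' "$conf" > "$tmp"
        result="added"
    fi

    # Write through the existing file so its owner and mode are preserved.
    cat "$tmp" > "$conf" && rm -f "$tmp"
    echo "$result"
}

# Run as root: ./script.sh /etc/insights-client/insights-client.conf
if [ "$#" -gt 0 ]; then
    ensure_build_packagecache "$1"
fi
```

Running it a second time reports unchanged, which makes it safe to call from configuration management on every run.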
Additional resources
- For more information about the --build-packagecache options, see Red Hat Lightspeed shows incorrect patch reporting for Satellite-managed systems.
- For more information about managing errata in Red Hat Satellite, see Managing errata.
1.5. Enabling notifications
You can enable the notifications service on Red Hat Hybrid Cloud Console to send notifications whenever the patch service detects an issue and generates an advisory. Using the notifications service frees you from having to continually check the Red Hat Lightspeed dashboard for advisories.
For example, you can configure the notifications service to automatically send an email message whenever the patch service generates an advisory.
Notifications for Red Hat Lightspeed services are triggered based on service-specific criteria.
For the patch service, the notification service generates notifications only about updates for the registered Red Hat Enterprise Linux systems. To receive notifications about all updates for every subscription that you have, configure the notifications service for errata events.
Enabling the notifications service requires three main steps:
- First, an Organization Administrator creates a User Access group that includes at least the Notifications administrator role, and then adds account members to the group.
- Next, a user with the correct notifications administrator role permissions sets up behavior groups for events in the notifications service. Behavior groups specify the delivery method for each notification. For example, a behavior group can specify whether email notifications are sent to all users or just to Organization Administrators.
- Finally, users who receive email notifications from events must set their user preferences to receive individual emails for each event.
1.6. Manage user permissions for Red Hat Lightspeed services
Manage user permissions to control access to Red Hat Lightspeed applications. Use the User Access feature to apply role-based access control (RBAC). Red Hat provides predefined groups and a set of predefined roles to make it easier for Organization Administrators to assign, restrict, and remove user permissions to Red Hat Lightspeed.
1.6.1. User Access overview
Understand how the role-based access control (RBAC) User Access feature of the Red Hat Hybrid Cloud Console manages user permissions through roles instead of individual user assignments. User Access simplifies permission management by assigning specific permissions to roles, which can then be assigned to user groups.
You can also create custom groups and roles to provide more fine-tuned control over specific features of Red Hat Lightspeed to suit the needs of your organization.
If you are an Organization Administrator, you can use the User Access feature under Identity & Access Management in the Hybrid Cloud Console to:
- Control user permissions and organize roles.
- Create groups that include roles and their corresponding permissions.
- Assign users to these groups, allowing them to inherit the permissions associated with their group’s roles.
All users on your account have access to most of the data in Red Hat Lightspeed.
1.6.2. Predefined groups in User Access
Understand the two predefined groups available in User Access: Default access and Default admin access. Create custom groups to align permissions with specific personas, job functions, or teams in your organization.
- The Default access group
- By default, the Default access group is assigned many granular predefined roles, such as Remediations viewer and Inventory Hosts viewer, so that group members have basic visibility. Because all users in your organization are members of the Default access group, they inherit all permissions assigned to that group. The Default access group is automatically updated by Red Hat.
If your Organization Administrator modifies the Default access group, the group is automatically renamed to Custom default access. Once converted, this group is no longer automatically updated by Red Hat.
- The Default admin access group
- The Default admin access group contains only users who have Organization Administrator permissions. This group is automatically maintained, and users and roles in this group cannot be changed.
The Default admin access group includes many (but not all) predefined roles that provide update and delete permissions. The roles in this group usually include administrator in their names.
1.6.3. Predefined roles assigned to groups
Understand how predefined roles in Red Hat Hybrid Cloud Console bundle permissions across multiple Red Hat Lightspeed applications to align with common user personas. Use predefined roles to reduce administrative effort, or create custom roles for more fine-tuned control over specific features.
The predefined roles are a starting point to help you to control and manage user permissions. You can then use these roles to create custom roles that are tailored to your specific use cases and organization. For example, you can use the predefined granular roles to create custom roles that provide more fine-tuned control over specific features of Red Hat Lightspeed.
Across the Red Hat Lightspeed product documentation, the Prerequisites section for each procedure lists which predefined roles provide the permissions needed to use the features in that procedure. For example, if a procedure requires permissions to view and manage remediations, the Prerequisites section for that procedure lists the Remediations administrator or other valid role as a recommended predefined role to use for that procedure.
1.6.4. Check your permissions
Verify your current permissions and the roles or groups assigned to you in the Red Hat Hybrid Cloud Console. Check your permissions to troubleshoot access issues or understand your level of access to Red Hat Lightspeed applications.
Only users with the Organization Administrator role can view the permissions of other users in the User Access settings and manage user permissions to Red Hat Lightspeed services. For more information, see the Configure user permissions section.
Prerequisites
- You are logged in to the Red Hat Hybrid Cloud Console.
Procedure
- In the Hybrid Cloud Console, click the Settings icon (⚙), then navigate to My User Access.
- If you try to access Red Hat Lightspeed features and see a message that you do not have permission to perform this action, contact your Organization Administrator or a user with the User Access administrator role to request the permissions required to access those features and complete the actions you want to perform.
Results
All of the applications that you have permissions to access are listed on this page and are grouped by product, for example, RHEL, OpenShift Container Platform, and Ansible Automation Platform.
You can also filter your permissions by application, for example, by advisor, cost management, inventory, and remediations.
1.6.5. Configure user permissions
If you are an Organization Administrator, you can view and manage user permissions for all users in your organization. Control access to Red Hat Lightspeed and other Red Hat Hybrid Cloud Console services through the User Access interface.
If you are not an Organization Administrator, you will be unable to complete this task. However, you can check your own permissions for different applications by navigating to My User Access. Contact your Organization Administrator to request more permissions.
Prerequisites
- You have logged in to the Red Hat Hybrid Cloud Console as an Organization Administrator, or you have the required administrator User Access role permissions.
Procedure
- In the Hybrid Cloud Console, click the Settings icon (⚙), then navigate to Identity & Access Management > User Access.
Results
From here, you can create and manage:
1.6.6. User Access roles for permissions to system content templates and patch updates
Understand the predefined roles that control access to content templates and patch features in Red Hat Lightspeed. Use these role definitions to assign appropriate permissions to users based on their responsibilities.
The following roles enable standard or enhanced access to the content template and patch features:
| User Access role | Grants permissions to … | Included in the Default access group |
|---|---|---|
| Content Template administrator | | |
| Content Template viewer | | X |