Red Hat Satellite synchronization with Insights

Red Hat Satellite and Red Hat Insights are powerful tools that help you to keep your systems more secure and up-to-date, simply and at scale. With Red Hat Satellite, you have the option of integrating the analytical capabilities of the Insights service to gain a better understanding of your security posture.

Insights provides an Advisor service to assess and monitor the health of your Red Hat Enterprise Linux (RHEL) infrastructure. Whether you're concerned with individual or groups of systems or with your whole infrastructure, Advisor will help you be more aware of the exposure of your systems to configuration issues that can affect availability, stability, performance and security.

Insights generates Advisor recommendations and remediations when it detects a host’s configuration has broken specific rules. You can run a remediation on that host, whether directly connected to Insights or through Satellite.

In this article we describe the technical details behind how the interface between Satellite and Insights works.

Insights also provides a method for connecting Red Hat Enterprise Linux hosts directly with the Remote Host Configurator (RHC) client. We will not cover any details on the operation of RHC in this article.

The sequence of operations

Here’s the sequence of operations for Satellite and Insights synchronization. 

Now I’ll explain what all of that means.

What happens when you register a Satellite-connected host with Insights

Satellite users are familiar with registering a newly provisioned host to the Satellite server. The registration process also allows registering the host with Insights simultaneously with the insights-client command.

During Satellite host registration, hosts are registered to Satellite with the subscription-manager command. There is an option to run the insights-client --register command during the registration process. The command also generates an insights-client archive that is proxied through the Satellite to console.redhat.com.

Your Red Hat Enterprise Linux subscription includes Insights services and features. Executing the insights-client --register command allows a host to use Insights services and features, including remediations.

Synchronizing Insights Advisor recommendations to Satellite

As soon as console.redhat.com services process the insights-client archive payload, Satellite can synchronize Insights Advisor recommendations. Satellite can then also initiate remediation execution on the hosts registered to it.

To receive the recommendations from Insights, the user can force a synchronization or let Satellite automatically synchronize.

To force a synchronization, first navigate to Insights.

Then 1) click on the kebab button next to the Remediate button and then 2) click on Sync Recommendations. 

When Satellite has synchronized Insights recommendations, Remediations can be run directly from Satellite. The Sync recommendations job downloads rule hits from Insights Advisor, matching recommendations from Insights to hosts registered to Satellite and Insights. The Satellite server then requests remediations from Insights and generates playbooks to run against its hosts.

Below we can see a list of remediations available for the host. ip-172-31-20-178.us-west-1.compute.internal. 

Remediation of hosts from Satellite

You can run Insights remediations within the Satellite Web UI-- simply select the remediation you want and run it.

Here's what the remediation operation looks like in action.

Remediating Satellite hosts from Insights

Here is the full sequence of operations required to enable the remediation of Satellite hosts from the console.redhat.com website. These instructions assume that you have already registered hosts to Satellite and Insights as per the instructions above.

Configure Cloud Connector

The Satellite Cloud Connector integrates Satellite with Insights. 

Recall that Satellite can receive Insights Advisor recommendations, and you may run remediations from Satellite after a host has run insights-client --register. 

The Cloud Connector configuration job has to be run before you can run remediations on the host from Insights. Below is a table showing the relationship between Cloud Connector and remediations from Insights and Satellite.

The Cloud Connector configuration tells Satellite to start communicating with Insights on a regular basis as well as which hosts in Insights are managed by your Satellite server. This configuration creates a “Source” entry in Insights.

For more information on configuring Cloud Connector, please see the official documentation.

Upload the inventory

Inventory Upload uploads an archive of host information to console.redhat.com. This archive populates the satellite_instance_id fact of hosts in the console.redhat.com inventory. When Remediations (in console.redhat.com) initiates the execution of a remediation, it looks up the satellite_instance_id recorded to the host and sends a playbook to the corresponding Satellite server.

To do this, first navigate to the Inventory Upload menu.

Click on the organization menu bar.

Click on the Restart button (if it’s the first time, it will display Start) to upload the inventory. 

Synchronize inventory statuses

Sync inventory status downloads information about hosts from console.redhat.com to Satellite. This information is used by Satellite to create a mapping between Insights inventory host IDs and Satellite inventory host IDs. 

Run remediations from Insights

I won’t go into full detail here. You can find the documentation on how to run a remediation in Insights here.

When Remediations (in console.redhat.com) initiates the execution of a remediation playbook, it sends a playbook to the Satellite server and runs it against the host registered with the Satellite server matching the recorded satellite_instance_id.

What does this mean about other Insights services, such as Compliance and Malware detection?

Other Insights services like Compliance and malware detection are available as long as your host is connected to Insights (through the insights-client --register command) and managed by Satellite. At this time, there is no support for the use of Compliance and malware detection within the Satellite Web Interface, but this support is on the product roadmap. Please contact your Red Hat account manager or Solutions Architect for more information.

Conclusion

There you have it; all the details about how Satellite and Insights interact and bring remediations directly to your hosts so they’re protected (as much as possible) from unforeseen problems. 

Acknowledgments

Many thanks to Jeremy Audet, Derek Horton, and Shimon Shtein for their help in writing this blog.