Security improvements and new distribution method for insights-client


Summary

Updates for both the insights-client and its primary component, insights-core, will be distributed as RPM packages through the official Red Hat Enterprise Linux repositories. The insights-client will cease to automatically update insights-core during runtime.

A new customized SELinux policy will be deployed on the systems to ensure that the insights-client and the insights-core operate within a fully confined SELinux context.

To fully leverage the new features of Red Hat Lightspeed, users are required to ensure their systems receive regular updates. This is essential to maintain a current data collection definition.

Why are we making these changes?

The Insights Client as a whole is composed of two primary elements: the insights-client and its primary component, insights-core.

Historically, the insights-client has been delivered as an RPM package. In contrast, insights-core was delivered as a Python Egg, allowing it to be updated independently of the RHEL release cycle. During execution, the insights-client would check for and update to a newer version of insights-core before proceeding to collect system data and transmit it to Red Hat Lightspeed.

To enhance the security of the update pipeline and standardize the delivery method for client tool updates on Red Hat Enterprise Linux (RHEL) systems, we are transitioning to packaging and updating insights-core as an RPM. Furthermore, the playbook verifier functionality will be distributed with its own package: the rhc-playbook-verifier RPM. These will be distributed through the official RHEL repositories, alongside the existing insights-client RPM.

To enhance the security of the Insights Client's main component during execution, a new customized SELinux policy has been implemented, confining insights-core within a dedicated SELinux context. The utilization of RPM-based update delivery ensures that the SELinux policy is automatically synchronized with new data collection definitions incorporated into insights-core. This mechanism prevents AVC denials while simultaneously maintaining an elevated level of system security.

What changes to expect on the system?

Starting with RHEL 10.2 GA and RHEL 9.8 GA:

  • Packaging changes: insights-core and rhc-playbook-verifier are now shipped as separate RPM packages, replacing the previous insights-core Python Egg.

    • insights-core is provided by the insights-core-<version>.el<N>.rpm package.
    • The playbook verifier function is provided by the rhc-playbook-verifier-<version>.el<N>.rpm package.
  • SELinux Confinement:

    • insights-core is confined using SELinux policy provided by the separate DSP RPM, insights-core-selinux-<version>.el<N>.rpm.
  • Installation Simplification: Installing the main insights-client RPM automatically installs the necessary insights-core RPM and the insights-core-selinux RPM.

For Earlier RHEL Versions (RHEL 7.x, RHEL 8.x, RHEL 9.0 – 9.7, RHEL 10.0 – 10.1):

  • No Change:
    • The insights-core Python Egg remains the sole method for collecting Insights archives.
    • The playbook-verifier function remains bundled within the insights-client RPM.
    • There is no SELinux confinement for either insights-core or the playbook verifier function.

What do I need to do?

The new RPM delivery format for insights-core and rhc-playbook-verifier requires no specific action from users for adoption:

  • New Installations
    All fresh installations of RHEL 10.2 GA or RHEL 9.8 GA will automatically include the new insights-core and rhc-playbook-verifier RPMs with SELinux confinement enabled by default.

  • Upgrades
    Systems upgraded from earlier versions to RHEL 10.2 GA, RHEL 9.8 GA, and later will automatically switch to the new, SELinux-confined insights-core and rhc-playbook-verifier RPMs (provided SELinux is active).

Action required for latest Red Hat Lightspeed (Insights) benefits:

To ensure users receive the most recent benefits from Red Hat Lightspeed (Insights), they must keep the insights-core RPM up-to-date:

How to update

With the new RPM delivery format, customers must maintain the currency of both the insights-core and insights-core-selinux RPMs using one of the following recommended approaches:

Update command:
Upgrading insights-core and insights-core-selinux does not necessitate upgrading insights-client. The update can be performed with:

$ sudo dnf upgrade insights-core

For automating the update of the package, consider implementing a daily cron job.
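
The daily job suggested above could look like the following sketch. It is an added example, not Red Hat's own code: the script path, the cron.d entry and the function names are hypothetical, and treating major releases after RHEL 10 as RPM-based is an assumption drawn from the "and later" wording in this article.

```shell
#!/bin/sh
# Added example (not Red Hat's code): daily updater for insights-core.
# Hypothetical install path: /usr/local/sbin/insights-core-update.sh
# Hypothetical /etc/cron.d entry:
#   17 3 * * * root /usr/local/sbin/insights-core-update.sh --apply

# Return 0 if the given RHEL version receives insights-core as an RPM
# (9.8+ and 10.2+ per the article), 1 if it still uses the Python Egg,
# 2 if the version string cannot be parsed.
uses_rpm_delivery() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 2 ;;
    esac
    major=${1%%.*}
    minor=0
    case "$1" in
        *.*) minor=${1#*.}; minor=${minor%%.*} ;;
    esac
    case "$major" in
        9)  [ "$minor" -ge 8 ] ;;
        10) [ "$minor" -ge 2 ] ;;
        *)  [ "$major" -gt 10 ] ;;  # assumption: "and later" covers future majors
    esac
}

# Print VERSION_ID from an os-release file, but only when ID is "rhel".
# The file is sourced in a subshell so its variables do not leak.
rhel_version() {
    ( . "${1:-/etc/os-release}" 2>/dev/null &&
      [ "$ID" = "rhel" ] && printf '%s\n' "$VERSION_ID" )
}

update_insights_core() {
    ver=$(rhel_version) || { echo "not a RHEL host, nothing to do" >&2; return 0; }
    if uses_rpm_delivery "$ver"; then
        # Satellite-managed hosts: the Content View must be synchronized first.
        dnf -y upgrade insights-core insights-core-selinux &&
        rpm -q insights-core insights-core-selinux   # log the resulting versions
    else
        echo "RHEL $ver: insights-core is still delivered as a Python Egg" >&2
    fi
}

# Only touch the system when explicitly asked to (as the cron entry does).
if [ "${1:-}" = "--apply" ]; then
    update_insights_core
fi
```

Run without --apply, the script only defines its functions and changes nothing on the system.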

Best practice

Applying the latest patches to RHEL systems remains a critical best practice. Regular system updates not only protect against vulnerabilities but also ensure the benefit of the latest recommendations provided by Red Hat Lightspeed (Insights) by automatically updating the insights-core and its dependencies.

Important Note for Satellite-managed Hosts

Before updating insights-core and insights-core-selinux to the latest versions on Satellite-managed Insights hosts, the associated Content View must be synchronized beforehand.

What will happen on older versions of RHEL?

For older RHEL versions, specifically RHEL 8, RHEL 9.0–9.7, and RHEL 10.0–10.1, the way the insights-client and the insights-core are updated and packaged remains consistent:

  • The insights-core continues to be regularly updated and delivered as a Python Egg.
  • The playbook-verifier functionality is still included within the insights-client RPM.
  • Neither insights-client, the insights-core nor the playbook-verifier function is subject to SELinux confinement.