RHEL Advanced #6: Subscription, Satellite, Insights — Operations Infrastructure

If #5 Security Hardening was about operating one machine, this post is about the moment you start running many at once. A single RHEL machine works without these tools, but with tens or hundreds of machines, patch management, content consistency, and vulnerability monitoring are impossible without tooling. Three Red Hat tools fill that gap — subscription-manager (subscription registration), Satellite (on-prem unified platform), and Insights (SaaS analytics).

How the Three Tools Relate

scale → tooling
1 ~ 10        : subscription-manager + Insights (enough)
10 ~ 50       : same + Ansible / automation scripts
50 ~ many     : Satellite (on-prem single entry point)
+ isolated    : Satellite + Capsule (branch / DMZ)

| Tool | Where it runs | What it does |
| --- | --- | --- |
| subscription-manager | Each RHEL machine | Register the machine with a Red Hat subscription, enable repositories |
| Satellite | A single on-prem server (or cluster) | Mirror content, manage lifecycle, run hosts in one place |
| Insights | Red Hat SaaS (cloud.redhat.com) | Analyze registered machines for vulnerability, stability, performance |

subscription-manager is the basic tool every RHEL machine ships with. Satellite is the on-prem unified platform that sits on top, and Insights is a separate SaaS analytics service.

subscription-manager

The first command you meet after installing RHEL 9. For dnf to see Red Hat repositories, the machine must be registered with a Red Hat subscription.

registering
$ sudo subscription-manager register --username <user> --password <pass>
The system has been registered with ID: 12345678-1234-...

Registration status and subscriptions

checking
# registration status
$ sudo subscription-manager status
+-------------------------------------------+
   System Status Details
+-------------------------------------------+
Overall Status: Current

# active subscriptions
$ sudo subscription-manager list --consumed

# unregister
$ sudo subscription-manager unregister

Repository activation

When you need an additional repository (CodeReady Builder, Supplementary, etc.) beyond the default BaseOS / AppStream:

repo management
# list available repos
$ sudo subscription-manager repos --list

# enable
$ sudo subscription-manager repos \
    --enable=codeready-builder-for-rhel-9-x86_64-rpms

# disable
$ sudo subscription-manager repos \
    --disable=rhel-9-for-x86_64-supplementary-rpms

Enabling it updates /etc/yum.repos.d/redhat.repo, and dnf starts seeing that repo’s packages.

Subscription kinds

Subscription types you meet most often in operations:

| Kind | Where it fits |
| --- | --- |
| Standard | General production RHEL (8x5 or 24x7 support) |
| Premium | Production + 24x7 support |
| Developer Subscription for Individuals | Free for individual developers (up to 16 machines) |
| Developer Subscription for Teams | Free for team developers |
| BYOS (Bring Your Own Subscription) | Use your own subscription on AWS/Azure/GCP RHEL instances |
| PAYG (Pay As You Go) | Hourly billing via the cloud marketplace |

For personal study and development, Red Hat Developer free signup lets you install RHEL 9 legally.

Simple Content Access (SCA)

Traditionally a RHEL subscription needed one entitlement per machine (entitlement = subscription slot). Past a few dozen machines, tracking entitlements becomes a burden. Simple Content Access simplifies that model — activate it once at the org level and you no longer track per-machine entitlements; registration alone unlocks content access.

register flow under SCA
$ sudo subscription-manager register --username <u> --password <p>
# no need for attach

From RHEL 9 on, SCA is effectively the standard. In larger orgs, check it is enabled on the Red Hat Hybrid Cloud Console.

Activation Key

The way to register from automation without putting username/password in a script.

activation key
$ sudo subscription-manager register \
    --org=<org-name> \
    --activationkey=<key-name>

Generate keys at Red Hat Hybrid Cloud Console → Activation Keys. Embed the key in Kickstart or cloud-init user-data and the machine auto-registers at boot.

Red Hat Satellite: On-Prem Unified Platform

Enters the picture once you’re managing tens to hundreds of machines. Core roles:

  1. Content mirror — mirror Red Hat repositories on-site. Run RHEL in air-gapped environments
  2. Lifecycle management — separate content versions per Dev → QA → Prod environments
  3. Unified host operations — manage every RHEL machine from one console (patch, provisioning, config)
  4. Capsule — proxy role for branches / DMZs

Core concepts

structure
                      ┌─────────────────────────┐
                      │   Red Hat CDN           │
                      │   (cdn.redhat.com)      │
                      └────────────┬────────────┘
                                   │ sync
                      ┌────────────▼────────────┐
                      │   Satellite Server      │
                      │   (HQ)                  │
                      │  - Content Sync         │
                      │  - Lifecycle Env        │
                      │  - Content Views        │
                      │  - Host Inventory       │
                      └────┬────────────────┬───┘
                           │                │
                  ┌────────▼─────┐  ┌───────▼──────┐
                  │ Capsule (A)  │  │ Capsule (B)  │
                  │ (Branch 1)   │  │ (DMZ)        │
                  └──────┬───────┘  └──────┬───────┘
                         │                 │
                    [content host]    [content host]
                    [content host]    [content host]

Lifecycle environments

content flow
Library (everything synced) → Dev → QA → Prod

You publish a Content View (a bundle of repositories and packages to use) into each environment, then promote to the next. A patch bundle validated in Dev for a few days promotes to QA, then after another validation to Prod — the standard flow.

Content View

A unit that bundles and filters multiple repositories. The same name can hold different versions in different environments.

example
Content View: rhel9-base
  - rhel-9-for-x86_64-baseos-rpms
  - rhel-9-for-x86_64-appstream-rpms
  - rhel-9-for-x86_64-supplementary-rpms

Lifecycle:
  Dev:  Version 5  (published today)
  QA:   Version 4  (published a week ago)
  Prod: Version 3  (published a month ago)

If a problem appears, halt the promote or roll back to the previous version.

Host registration and operations

Once a content host registers with Satellite, the following can be managed from a single console.

| Area | What |
| --- | --- |
| Errata | Security / bug / feature patches; auto-identify applicable errata per environment |
| Patch | Run dnf update per host or per group at scale |
| Provisioning | Bare-metal / VM boot → Kickstart → automated install |
| Configuration | Config management via Ansible / Puppet integration |
| Subscriptions | Unified subscription management (simplified under SCA) |
| Reports | Per-host patch status, compliance |

Capsule

A child node of a Satellite Server. In places like a branch office or DMZ where machines cannot reach the main server directly, the Capsule caches content and handles host operations on its behalf. Content syncs from the main server to the Capsule, and the local content hosts only see the Capsule — network efficiency and security isolation at once.

Install: sizing

| Criterion | Recommended |
| --- | --- |
| Host count | ~ 5,000 / Satellite; beyond that, distribute via Capsules |
| Specs | CPU 8+, RAM 32GB+, disk 200GB+ (large disk for content sync) |
| OS | RHEL 9 |
| Licensing | Separate subscription required |

Install with satellite-installer in one shot. Detailed steps are a separate post; here we only place it in the overall picture.

Red Hat Insights: SaaS Analytics

A service that requires no installation infrastructure: registered RHEL machines send data to the Red Hat cloud and you receive analysis back. Included by default with a RHEL subscription.

Enabling

install and register insights-client
$ sudo dnf install -y insights-client
$ sudo insights-client --register

# status
$ sudo insights-client --status
$ sudo insights-client --display-name "web-prod-01"

Once registered, the machine ships parts of its system info, configuration, and logs to the analysis backend daily (preview the data first with insights-client --offline --output-file=<path>).

What you receive

At console.redhat.com/insights, you get recommendations in these categories.

| Category | What |
| --- | --- |
| Vulnerability | Known CVEs, affected machines, errata mapping |
| Advisor | Stability / performance / security best-practice violations |
| Compliance | OpenSCAP scan results aggregated (CIS, PCI-DSS, etc.) |
| Patch | Applicable errata and affected packages |
| Drift | Track configuration differences between machines |
| Policies | Alerts on user-defined policy violations |
| Subscriptions | Subscription usage status |
| Inventory | Unified inventory of every registered machine |

Each recommendation comes with why this matters, how to fix (concrete actions, downloadable Ansible playbook), and affected systems (machine list). From the recommendations page you can bundle multiple fixes into one Ansible playbook to download and apply — the Remediation Plans feature.

Insights and Satellite

If Satellite is in place, you can integrate Insights data with Satellite and view it in one screen. Satellite operates the infrastructure, Insights analyzes it — that is the one-line summary.

Data privacy

Uploaded data may contain sensitive material, so you can define redaction rules in /etc/insights-client/file-content-redaction.yaml and /etc/insights-client/file-redaction.yaml. In government and financial environments, review before registering.

/etc/insights-client/file-content-redaction.yaml example
patterns:
    regex:
        - "password\\s*=\\s*\\S+"
        - "api[_-]?key\\s*[:=]\\s*\\S+"
keywords:
    - secret
    - credential
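
An audit to run on the preview before registering, as an added example (not from the original post and not insights-client code): it counts the lines the two regexes above match and lists secret-looking assignments they miss, such as uppercase keys or `password:` written with a colon. It assumes the rules are matched case-sensitively, as grep -E does; the function names, the `KEYS` heuristic and the sample file are constructed for illustration.

```bash
# Added example (not insights-client code): audit an extracted preview
# directory for secrets the two redaction regexes on this page would miss.

# The page's regexes, with \s and \S spelled as POSIX classes.
RULES='password[[:space:]]*=[[:space:]]*[^[:space:]]+|api[_-]?key[[:space:]]*[:=][[:space:]]*[^[:space:]]+'
# Assumed audit heuristic: key names that usually hold secrets.
KEYS='[a-z_]*(pass(word|wd)?|secret|token|api[_-]?key)[a-z_]*'
AUDIT="${KEYS}[[:space:]]*[:=][[:space:]]*[^[:space:]]+"

# Constructed sample standing in for an extracted preview archive.
make_sample() {
  mkdir -p "$1/etc" && cat > "$1/etc/app.conf" <<'EOF'
password = hunter2
DB_PASSWORD=s3cr3t
password: yamlstyle
api-key: abc123
auth_token=zzz
listen_port = 8080
EOF
}

# Number of lines under DIR that the page's rules match (case-sensitive).
covered() { grep -rEh -- "$RULES" "$1" | wc -l | tr -d ' '; }

# Lines the case-insensitive audit flags but the rules miss, printed as
# file:line:key so the report never repeats the secret value itself.
gaps() {
  find "$1" -type f | sort | while IFS= read -r f; do
    grep -Ein -- "$AUDIT" "$f" | grep -Ev -- "$RULES" |
    while IFS= read -r hit; do
      key=$(printf '%s\n' "${hit#*:}" | grep -Eio -- "$KEYS" | head -n 1)
      printf '%s:%s:%s\n' "$f" "${hit%%:*}" "$key"
    done
  done
}

# Demo on the constructed sample; on a real host, pass the directory where
# the preview archive was extracted.
demo=$(mktemp -d) && make_sample "$demo"
echo "lines covered by rules: $(covered "$demo")"
gaps "$demo"
rm -rf "$demo"
```

Each key that `gaps` reports is a candidate for another regex entry in file-content-redaction.yaml; rerun the preview after editing the rules.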

A Unified Operational Flow

| Moment | Tool |
| --- | --- |
| Spin up one machine | subscription-manager register + insights-client --register |
| Automate 10+ | activation key for Kickstart / cloud-init auto-registration |
| Unify 50+ | Adopt Satellite, design Content Views + lifecycle environments |
| Isolated environments | Add Capsules (branch / DMZ) |
| Periodic operations | Insights recommendations → Remediation Plan → apply via Ansible |
| Periodic patching | Satellite errata → promote to Dev → QA → Prod |

Common Pitfalls

  • Using a Developer Subscription in production — license violation. Production must be Standard / Premium or BYOS / PAYG.
  • Running subscription-manager attach --auto under SCA — meaningless and sometimes warns. Under SCA, only register.
  • One Satellite for too many hosts at once — plan Capsule distribution before crossing 5,000.
  • Wiring Library directly to Prod — the lifecycle environments lose their meaning. Sync content into Library, publish a Content View, then promote Dev → QA → Prod.
  • Insights without redaction — passwords / API keys may be uploaded if /etc/insights-client/*-redaction.yaml is unset. Review before registration.
  • Applying every Insights recommendation blindly — a recommendation may not match your environment (e.g., a service intentionally disabled). Review before applying — same principle as OpenSCAP --remediate.
  • Capsule running out of disk — content sync is heavy. RHEL 9 BaseOS + AppStream alone can take 100GB+. Disk monitoring is mandatory.

Commands Worth Remembering

| Task | Command |
| --- | --- |
| Register a machine | sudo subscription-manager register --username <u> |
| Register with activation key | sudo subscription-manager register --org <o> --activationkey <k> |
| Registration status | sudo subscription-manager status |
| Repo list / change | sudo subscription-manager repos --list / --enable=<id> |
| Unregister | sudo subscription-manager unregister && sudo subscription-manager clean |
| Register Insights | sudo dnf install -y insights-client && sudo insights-client --register |
| Preview Insights data | sudo insights-client --offline --output-file=/tmp/insights.tar.gz |
| Register host with Satellite | curl <satellite>/register \| sudo bash (official one-line registration) |

Wrap-up

  • subscription-manager — the basic tool on every RHEL machine. In the SCA era, register only. Activation keys for automation.
  • Satellite — the on-prem unified platform once you cross 50 ~ 100 machines. Control the content flow with Library → Content View → Dev/QA/Prod lifecycles. Distribute branches / DMZs with Capsules.
  • Insights — SaaS analytics you get just by registering, no separate infra. Vulnerability / stability / performance / compliance recommendations + Ansible Remediation Plans. Always review redaction settings.
  • The roles — one machine (subscription-manager + Insights), many machines (add Satellite). Three separate tools but unified in one console (console.redhat.com).

The next post is the series finale. Everything so far has been CLI-centric, but a lightweight GUI has its place too. We close the series with Cockpit, managing RHEL from the browser.
