RHEL Advanced #6: Subscription, Satellite, Insights — Operations Infrastructure
If #5 Security Hardening was about operating one machine, this post is about the moment you start running many at once. A single RHEL machine works without these tools, but with tens or hundreds of machines, patch management, content consistency, and vulnerability monitoring are impossible without tooling. Three Red Hat tools fill that gap — subscription-manager (subscription registration), Satellite (on-prem unified platform), and Insights (SaaS analytics).
Position of this post in the RHEL Advanced series:
- #1 Boot Process — GRUB2, dracut, Recovery Mode
- #2 Kernel Tuning — sysctl, tuned, kdump
- #3 Performance Analysis — sar, top/htop, iostat, vmstat, perf
- #4 SELinux Advanced — Writing Policy and audit2allow
- #5 Security Hardening — auditd, OpenSCAP, FIPS
- #6 Subscription, Satellite, Insights — Operations Infrastructure ← this post
- #7 Cockpit for GUI Management and Web Console
How the Three Tools Relate #
1 ~ 10 : subscription-manager + Insights (enough)
│
10 ~ 50 : same + Ansible / automation scripts
│
50 ~ many : Satellite (on-prem single entry point)
│
+ isolated : Satellite + Capsule (branch / DMZ)
| Tool | Where it runs | What it does |
|---|---|---|
| subscription-manager | Each RHEL machine | Register the machine with a Red Hat subscription, enable repositories |
| Satellite | A single on-prem server (or cluster) | Mirror content, manage lifecycle, run hosts in one place |
| Insights | Red Hat SaaS (cloud.redhat.com) | Analyze registered machines for vulnerability, stability, performance |
subscription-manager is the basic tool every RHEL machine ships with. Satellite is the on-prem unified platform that sits on top, and Insights is a separate SaaS analytics service.
subscription-manager #
The first command you meet after installing RHEL 9. For dnf to see Red Hat repositories, the machine must be registered with a Red Hat subscription.
$ sudo subscription-manager register --username <user> --password <pass>
The system has been registered with ID: 12345678-1234-...
Registration status and subscriptions #
# registration status
$ sudo subscription-manager status
+-------------------------------------------+
System Status Details
+-------------------------------------------+
Overall Status: Current
# active subscriptions
$ sudo subscription-manager list --consumed
# unregister
$ sudo subscription-manager unregister
Repository activation #
When you need an additional repository (CodeReady Builder, Supplementary, etc.) beyond the default BaseOS / AppStream:
# list available repos
$ sudo subscription-manager repos --list
# enable
$ sudo subscription-manager repos \
    --enable=codeready-builder-for-rhel-9-x86_64-rpms
# disable
$ sudo subscription-manager repos \
    --disable=rhel-9-for-x86_64-supplementary-rpms
Enabling a repository updates /etc/yum.repos.d/redhat.repo, and dnf starts seeing that repo’s packages.
Subscription kinds #
Subscription types you meet most often in operations:
| Kind | Where it fits |
|---|---|
| Standard | General production RHEL (8x5 or 24x7 support) |
| Premium | Production + 24x7 support |
| Developer Subscription for Individuals | Free for individual developers (up to 16 machines) |
| Developer Subscription for Teams | Free for team developers |
| BYOS (Bring Your Own Subscription) | Use your own subscription on AWS/Azure/GCP RHEL instances |
| PAYG (Pay As You Go) | Hourly billing via the cloud marketplace |
For personal study and development, Red Hat Developer free signup lets you install RHEL 9 legally.
Simple Content Access (SCA) #
Traditionally a RHEL subscription needed one entitlement per machine (entitlement = subscription slot). Past a few dozen machines, tracking entitlements becomes a burden. Simple Content Access simplifies that model — activate it once at the org level and you no longer track per-machine entitlements; registration alone unlocks content access.
$ sudo subscription-manager register --username <u> --password <p>
# no need for attach
From RHEL 9 on, SCA is effectively the standard. In larger orgs, check it is enabled on the Red Hat Hybrid Cloud Console.
Activation Key #
Activation keys let automation register a machine without putting a username/password in a script.
$ sudo subscription-manager register \
    --org=<org-name> \
    --activationkey=<key-name>
Generate keys at Red Hat Hybrid Cloud Console → Activation Keys. Embed the register command in Kickstart or cloud-init user-data and the machine auto-registers at boot.
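A check for the point above, as an added example that is not part of the original post: it scans provisioning text for subscription-manager register calls and reports whether each one carries a literal password, a password taken from a variable, or an org plus activation key. The sample script, the verdict names, and the example-org / rhel9-web values are constructed for illustration.

```python
import re
import shlex

# Constructed provisioning text (Kickstart %post / cloud-init runcmd style).
SAMPLE = r"""
subscription-manager register --username admin --password 'Sup3r!'
sudo subscription-manager register \
  --org=example-org \
  --activationkey=rhel9-web
# subscription-manager register --password old
subscription-manager register --username=svc --password="$RHSM_PASS"
dnf -y update
"""

def option(argv, name):
    """Return the value of '--name VALUE' or '--name=VALUE', else None."""
    for i, arg in enumerate(argv):
        if arg == name and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith(name + "="):
            return arg.split("=", 1)[1]
    return None

def classify(argv):
    password = option(argv, "--password")
    if password is not None:
        # A literal value is a credential stored in the script itself.
        return "password-variable" if password.startswith("$") else "literal-password"
    if option(argv, "--activationkey") and option(argv, "--org"):
        return "activation-key"
    return "other"

def audit(text):
    """Classify every 'subscription-manager register' call in a script."""
    joined = re.sub(r"\\\n[ \t]*", " ", text)  # fold backslash continuations
    results = []
    for line in joined.splitlines():
        try:
            argv = shlex.split(line, comments=True)  # '#' comments are dropped
        except ValueError:  # unbalanced quotes: not a simple command line
            continue
        names = [a.rsplit("/", 1)[-1] for a in argv]
        if "subscription-manager" in names and "register" in argv:
            results.append((classify(argv), line.strip()))
    return results

if __name__ == "__main__":
    for verdict, command in audit(SAMPLE):
        print(f"{verdict:18} {command}")
```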
Red Hat Satellite — On-Prem Unified Platform #
Enters the picture once you’re managing tens to hundreds of machines. Core roles:
- Content mirror — mirror Red Hat repositories on-site. Run RHEL in air-gapped environments
- Lifecycle management — separate content versions per Dev → QA → Prod environments
- Unified host operations — manage every RHEL machine from one console (patch, provisioning, config)
- Capsule — proxy role for branches / DMZs
Core concepts #
    ┌─────────────────────────┐
    │       Red Hat CDN       │
    │    (cdn.redhat.com)     │
    └────────────┬────────────┘
                 │ sync
    ┌────────────▼────────────┐
    │    Satellite Server     │
    │          (HQ)           │
    │  - Content Sync         │
    │  - Lifecycle Env        │
    │  - Content Views        │
    │  - Host Inventory       │
    └────┬────────────────┬───┘
         │                │
┌────────▼─────┐  ┌───────▼──────┐
│ Capsule (A)  │  │ Capsule (B)  │
│ (Branch 1)   │  │    (DMZ)     │
└──────┬───────┘  └──────┬───────┘
       │                 │
 [content host]    [content host]
 [content host]    [content host]
Lifecycle environments #
Library (everything synced) → Dev → QA → Prod
You publish a Content View (a bundle of repositories and packages to use) into each environment, then promote to the next. A patch bundle validated in Dev for a few days promotes to QA, then after another validation to Prod — the standard flow.
Content View #
A unit that bundles and filters multiple repositories. The same name can hold different versions in different environments.
Content View: rhel9-base
  - rhel-9-for-x86_64-baseos-rpms
  - rhel-9-for-x86_64-appstream-rpms
  - rhel-9-for-x86_64-supplementary-rpms
Lifecycle:
  Dev:  Version 5 (published today)
  QA:   Version 4 (published a week ago)
  Prod: Version 3 (published a month ago)
If a problem appears, halt the promotion or roll back to the previous version.
Host registration and operations #
Once a content host registers with Satellite, the following can be managed from a single console.
| Area | What |
|---|---|
| Errata | Security / bug / feature patches — auto-identify applicable errata per environment |
| Patch | Run dnf update per host or per group at scale |
| Provisioning | Bare-metal / VM boot → Kickstart → automated install |
| Configuration | Config management via Ansible / Puppet integration |
| Subscriptions | Unified subscription management (simplified under SCA) |
| Reports | Per-host patch status, compliance |
Capsule #
A child node of a Satellite Server. In places like a branch office or DMZ where machines cannot reach the main server directly, the Capsule caches content and handles host operations on its behalf. Content syncs from the main server to the Capsule, and the local content hosts only see the Capsule — network efficiency and security isolation at once.
Install — sizing #
| Criterion | Recommended |
|---|---|
| Host count | ~ 5,000 / Satellite; beyond that, distribute via Capsules |
| Specs | CPU 8+, RAM 32GB+, disk 200GB+ (large disk for content sync) |
| OS | RHEL 9 |
| Licensing | Separate subscription required |
Install with satellite-installer in one shot. Detailed steps are a separate post — here we just place it.
Red Hat Insights — SaaS Analytics #
A service that requires no installation infrastructure: registered RHEL machines send data to the Red Hat cloud and you receive analysis back. Included by default with a RHEL subscription.
Enabling #
$ sudo dnf install -y insights-client
$ sudo insights-client --register
# status
$ sudo insights-client --status
# set the display name for this machine
$ sudo insights-client --display-name "web-prod-01"
Once registered, the machine ships parts of its system info, configuration, and logs to the analysis backend daily (preview the data with insights-client --offline --output-file= first).
What you receive #
At console.redhat.com/insights, you get recommendations in these categories.
| Category | What |
|---|---|
| Vulnerability | Known CVEs, affected machines, errata mapping |
| Advisor | Stability / performance / security best-practice violations |
| Compliance | OpenSCAP scan results aggregated (CIS, PCI-DSS, etc.) |
| Patch | Applicable errata and affected packages |
| Drift | Track configuration differences between machines |
| Policies | Alerts on user-defined policy violations |
| Subscriptions | Subscription usage status |
| Inventory | Unified inventory of every registered machine |
Each recommendation comes with why this matters, how to fix (concrete actions, downloadable Ansible playbook), and affected systems (machine list). From the recommendations page you can bundle multiple fixes into one Ansible playbook to download and apply — the Remediation Plans feature.
Insights and Satellite #
If Satellite is in place, you can integrate Insights data with Satellite and view it in one screen. Satellite operates the infrastructure, Insights analyzes it — that is the one-line summary.
Data privacy #
Uploaded data may contain sensitive material, so you can define redaction rules in /etc/insights-client/file-content-redaction.yaml and /etc/insights-client/file-redaction.yaml. In government and financial environments, review before registering.
# /etc/insights-client/file-content-redaction.yaml
patterns:
  regex:
    - "password\\s*=\\s*\\S+"
    - "api[_-]?key\\s*[:=]\\s*\\S+"
keywords:
  - secret
  - credential
A Unified Operational Flow #
| Moment | Tool |
|---|---|
| Spin up one machine | subscription-manager register + insights-client --register |
| Automate 10+ | activation key for Kickstart / cloud-init auto-registration |
| Unify 50+ | Adopt Satellite, design Content Views + lifecycle environments |
| Isolated environments | Add Capsules (branch / DMZ) |
| Periodic operations | Insights recommendations → Remediation Plan → apply via Ansible |
| Periodic patching | Satellite errata → promote to Dev → QA → Prod |
Common Pitfalls #
- Using a Developer Subscription in production — license violation. Production must be Standard / Premium or BYOS / PAYG.
- Running subscription-manager attach --auto under SCA — meaningless and sometimes warns. Under SCA, only register.
- One Satellite for too many hosts at once — plan Capsule distribution before crossing 5,000.
- Wiring Library directly to Prod — the lifecycle environments lose their meaning. Sync content into Library, publish a Content View, then promote Dev → QA → Prod.
- Insights without redaction — passwords / API keys may be uploaded if /etc/insights-client/*-redaction.yaml is unset. Review before registration.
- Applying every Insights recommendation blindly — a recommendation may not match your environment (e.g., a service intentionally disabled). Review before applying — same principle as OpenSCAP --remediate.
- Capsule running out of disk — content sync is heavy. RHEL 9 BaseOS + AppStream alone can take 100GB+. Disk monitoring is mandatory.
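A pre-registration check for the redaction pitfall, as an added example that is not part of the original post or of insights-client: it runs the two regexes and two keywords from the Data privacy sample over constructed lines and lists what would still look like a secret afterwards. It assumes a simplified model (a pattern match withholds the whole line, a keyword is replaced by keywordN) and that Python's re treats these simple patterns the way the client's matcher does; HARDENED and SENSITIVE are hypothetical names introduced here.

```python
import re

# Rules copied from the page's file-content-redaction.yaml sample.
PATTERNS = [r"password\s*=\s*\S+", r"api[_-]?key\s*[:=]\s*\S+"]
KEYWORDS = ["secret", "credential"]

# Constructed sample lines (not real data) standing in for collected file content.
SAMPLE = [
    "db_password = hunter2",
    "api_key: 0123abcd",
    "PASSWORD=Upper123",
    "password: yaml-style",
    "client_secret = s3cr3t",
    "listen_port = 8443",
]

# Hypothetical tightened rule set: any letter case, ':' as well as '=',
# and a pattern that withholds the whole "secret = value" line.
HARDENED = PATTERNS + [
    r"[Pp][Aa][Ss][Ss][Ww][Oo][Rr][Dd]\s*[:=]\s*\S+",
    r"secret\s*[:=]\s*\S+",
]

# Audit heuristic (an assumption of this example): sensitive-looking key with a value.
SENSITIVE = re.compile(
    r"(pass(word|wd)?|api[_-]?key|token|keyword\d+)\s*[:=]\s*\S+", re.IGNORECASE
)

def redact(lines, patterns=PATTERNS, keywords=KEYWORDS):
    """Model of content redaction: drop pattern matches, mask keywords."""
    compiled = [re.compile(p) for p in patterns]
    kept = []
    for line in lines:
        if any(rx.search(line) for rx in compiled):
            continue  # the whole line is withheld
        for i, word in enumerate(keywords):
            line = line.replace(word, f"keyword{i}")  # only the word is masked
        kept.append(line)
    return kept

def leftovers(lines, patterns=PATTERNS, keywords=KEYWORDS):
    """Lines that survive redaction but still look like key/value secrets."""
    return [l for l in redact(lines, patterns, keywords) if SENSITIVE.search(l)]

if __name__ == "__main__":
    for name, rules in (("page sample", PATTERNS), ("tightened", HARDENED)):
        print(name, "->", leftovers(SAMPLE, rules))
```

With the page's sample rules, the upper-case and colon-style password lines pass through untouched, and the keyword rule masks the word "secret" while leaving its value in place.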
Commands Worth Remembering #
| Task | Command |
|---|---|
| Register a machine | sudo subscription-manager register --username <u> |
| Register with activation key | sudo subscription-manager register --org <o> --activationkey <k> |
| Registration status | sudo subscription-manager status |
| Repo list / change | sudo subscription-manager repos --list / --enable=<id> |
| Unregister | sudo subscription-manager unregister && sudo subscription-manager clean |
| Register Insights | sudo dnf install -y insights-client && sudo insights-client --register |
| Preview Insights data | sudo insights-client --offline --output-file=/tmp/insights.tar.gz |
| Register host with Satellite | curl <satellite>/register \| sudo bash (official one-line registration) |
Wrap-up #
- subscription-manager — the basic tool on every RHEL machine. In the SCA era, register only. Activation keys for automation.
- Satellite — the on-prem unified platform once you cross 50 ~ 100 machines. Control the content flow with Library → Content View → Dev/QA/Prod lifecycles. Distribute branches / DMZs with Capsules.
- Insights — SaaS analytics you get just by registering, no separate infra. Vulnerability / stability / performance / compliance recommendations + Ansible Remediation Plans. Always review redaction settings.
- The roles — one machine (subscription-manager + Insights), many machines (add Satellite). Three separate tools but unified in one console (console.redhat.com).
The next post is the series finale. Everything so far has been CLI-centric, but a lightweight GUI has its place too. We close the series with Cockpit, managing RHEL from the browser.