Managing Image Mode for RHEL with Satellite and Insights

Red Hat Insights Image Mode Recommendations

In the previous post – Creating Image Mode for RHEL Servers – we built and registered our development, stage and production servers to Red Hat Satellite and Insights. Let’s see how we can use these tools.


We see that our three Image Mode for RHEL servers are all correctly registered with Red Hat Satellite and are in the correct Lifecycle.

Red Hat Satellite with Image Mode for RHEL servers
Red Hat Satellite with Image Mode for RHEL servers

If we look carefully, we notice that Satellite reports that the development server has a number of installable updates, whereas the production and stage servers have none. We’ve deployed from the same RHEL Image, so why would this be? Well, we have published some updates to the RHEL9-with-products Content View and begun to test them on our traditional package mode RHEL instances. The Lifecycle goes Dev-Test -> Stage -> Prod-DR. We’ve not yet pushed those updates to Stage or Prod-DR.

That explains the difference, but can we actually install those updates? No – as discussed in the Image Mode for RHEL FAQ by default we can’t actually dnf update the packages. The correct course of action is to update our container, synchronise it to Satellite, promote it through the Lifecycle and let bootc perform the upgrade (either automatically or manually).

Having the servers registered in Satellite provides administrators with a useful overview of their Image Mode and Package Mode RHEL installations. We can also setup remote execution from Satellite to connect to the Image Mode servers – a good way to control when updates and reboots are applied.


If we login to and visit the inventory page, we can immediately make use of ‘tags’ to identify the new servers we have built.

Red Hat Insights Image Mode Tag Search
Red Hat Insights Image Mode Tag Search

If we select the tag ‘app_support_team=My Application Support Team’ we’ll now be managing only our three servers in Insights. Here we are at the inventory, systems view:

Red Hat Insights Image Mode for RHEL inventory
Red Hat Insights Image Mode for RHEL inventory

How about we look at recommendations, to see if there are any improvements we can make?

Red Hat Insights Advisor Recommendations for Image Mode servers
Red Hat Insights Advisor Recommendations for Image Mode servers

We see the Advisor has recommended we don’t use unencrypted HTTP traffic. Advisor also mentions we have a decrease in performance as we’re not running a recommended tuned service configuration. As this is just a test container we’ll leave the httpd warning for now, but take a look at the tuned recommendation by clicking on the link.

Red Hat Insights Advisor - tuned recommendation
Red Hat Insights Advisor – tuned recommendation

We see that Red Hat advises that we apply a tuned profile as described in Great – this is a candidate for adding to the next version of our image deployment.

CIS Compliance

Let’s apply the CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 – Server profile to our servers and run a scan. Organisations often have their own security team and use their own security scanning tools. However, using Insights we can empower the sysadmin/operations team to create security profiles and schedule their own scans without taking up the time of the security teams. This allows systems administrators to continually audit their own environment.

We’ve not done any hardening on the system or created custom filesystems (such as /var/log) so we’re expecting some red flags. We visit and apply the policy to our servers.

Red Hat Insights Compliance Benchmarks
Red Hat Insights Compliance Benchmarks

On our servers, we can then run insights-client --compliance. This should not take long run run (around 1 minute on my test server)

[root@bootc-dev ~]# insights-client --compliance
System uses SSG version 0.1.72
Running scan for xccdf_org.ssgproject.content_profile_cis_server_l1... this may take a while
Uploading Insights data.
Successfully uploaded report for

Navigating over to we can immediately see the report for our system and find we scored 71%. As a quick fix, I searched on ‘service’ and noticed that there were some services we can definitely remove. Again, we can add these fixes to the next version of our image.

Red Hat Insights Compliance of Image Mode Hosts
Red Hat Insights Compliance of Image Mode Hosts

Patching Advisories

Red Hat Satellite had already advised us that some errata is outstanding on our container image. This is also reflected in Red Hat Insights at

Red Hat Insights Advisories of Image Mode Hosts
Red Hat Insights Advisories of Image Mode Hosts

As mentioned before, we’ll build a new Container Image with these updates and publish this in our Container Registry. If we are using Satellite, then we can promote the updates through our Lifecycle environments. How we can we then apply those updates? Again Insights can help us!

Remote Updates

Within the Automation Toolkit -> Tasks section of Red Hat Insights there is an option to initiate updates of Image Mode for RHEL servers.

Initiate update of Image Mode for RHEL host.
Initiate update of Image Mode for RHEL host

As well as providing you with a playbook for you to adapt to your own environment, you can select servers and trigger a remote update. Using the Red Hat Insights tags we applied to our images we could identify all our ‘version 1.0.0’ application servers and target them for upgrades. This is a useful option for controlling the server upgrades remotely – we update the images in the container registry and perform the updates in a controlled manner.

You can find this option at

Red Hat Insights Remote Update Image Mode RHEL
Red Hat Insights Remote Update Image Mode RHEL

Next Steps

Now we have a basic environment, we can build upon it:

  • Synchronise the latest RHEL 9 package-mode content and apply it to our Dev-Test Lifecycle so that our build server is able to use it
  • Synchronise the latest bootc and bootc-image-builder containers and apply them to our Dev-Test Lifecycle
  • Update the Containerfile on the build server to include the tuned package and apply a profile, add fixes that apply to the CIS security profile and add in an SSH key for remote execution from Satellite
  • Create a new version (eg 1.0.1) of our container image
  • Synchronise this new update on Red Hat Satellite
  • Publish and promote new content views within Satellite
  • Deploy the updates to our Dev, Stage and Production servers as we make enhancements
  • Consider automating this, as described below.


If you’ve followed from the first post Build and distribute custom Image Mode for RHEL Containers all the way to this one, you’ll notice that the tasks were somewhat manual. However, the process can be automated by creating Ansible roles and/or creating a Workflow in Ansible Automation Platform.

The tasks would be as follows, with automation happening after the first step, perhaps triggered by a webhook:

  • Commit changes to the Containerfile in a git repository
  • Check out the updated changes on the build host, perhaps with some additional checks for your organisation (eg, does the Containerfile contain a specific variable, is it pulling from an approved image, does it contain standard user accounts and keys, mandatory inventory management software, etc)
  • Build a new Container Image using the new file
  • Tag the Container Image with updated tags reflecting the new version of the application
  • Push it to our internal Container registry
  • Synchronise the registry with Satellite
  • Promote the Satellite Content View to the Dev/Test environment
  • Upgrade test servers using bootc upgrade
  • (Optionally) perform testing
  • (Optionally) promote the Content View onto the next environment
  • (Optionally) upgrade servers in the next environments via bootc upgrade


We’ve deployed our custom Image Mode for RHEL Dev-Test, Stage and Production servers using Red Hat Satellite as our container registry. We’ve registered our servers with Red Hat Satellite and Red Hat Insights and we’ve got some immediate feedback of things we can improve on our first Image Mode for RHEL deployment:

  • We can apply a tuned profile to our image
  • We can apply errata to our image
  • We can improve the security profile of our image

Thanks to Red Hat Satellite, Red Hat Insights and Ansible we’re already well on the way to improving our Image Mode deployments!


This post is not endorsed or affiliated with Red Hat – the information provided is based on experience, documentation and publicly available information. Feel free to leave feedback at the end of this page if anything needs correction.
For an up to date roadmap discussion on Image Mode for RHEL please contact your Red Hat Account rep.

Leave a Reply

Your email address will not be published. Required fields are marked *