RED HAT TECH UPDATE 2017

Peter GustafssonSolutions Architect

Johan OdellSolutions Architect

INSERT DESIGNATOR, IF NEEDED2

AGENDARed Hat Tech Update

● Engaging Red Hat Support● Red Hat Network (RHN) end of life● Satellite 5.8 and important dates● Red Hat Enterprise Linux 7.4● Red Hat Insights● Cockpit● Performance co-pilot● CloudForms 4.5

ENGAGING WITH RED HAT SUPPORT

INSERT DESIGNATOR, IF NEEDED4

ENGAGING WITH RED HAT SUPPORTThe Red Hat® Customer Portal delivers technical documentation and intelligent tools to help you manage your Red Hat products throughout their life cycle. If you encounter an issue that you cannot resolve using the Customer Portal, you can open a support case online or by calling your region’s technical support hotline. To help minimize impact to your business, open a support case as soon as you discover an issue.

OPEN A TECHNICAL SUPPORT CASE

Red Hat Customer Portal: access.redhat.com/support/cases/

Red Hat technical support contact information by region: access.redhat.com/support/contact/technicalSupport/

TECHNICAL SUPPORT CASE GUIDANCE

Confirm your issue meets the appropriate severity level for technical support: access.redhat.com/site/support/policy/severity/

Review service-level agreement to understand communication process with technical support: access.redhat.com/site/support/offerings/production/sla

Open one case per issue using an individual Customer Portal account (no group accounts).For Severity 1 issues, open a support case online, follow up with a phone call to the technical support hotline, and reference your case number.

INSERT DESIGNATOR, IF NEEDED5

HOW CAN I SPEED UP MY CASE RESOLUTION ?TECHNICAL SUPPORT CASE GUIDANCE

To help ensure efficient resolution of your case, please provide as much detail as possible when opening a support case, and respond promptly if additional details are requested.

Environment details Diagnostic Issue details Multi-vendor details

Platform version SOSreport Time stamps Vendor name

Product version VMcore Error messages Vendor case number

Third party products Log files Steps to reproduce Vendor contact

Attachments cannot be connected to your support case through email. Please upload files to the technical support FTP site: access.redhat.com/solutions/2112

INSERT DESIGNATOR, IF NEEDED6

HOW DO I COLLECT THE INFORMATION ?

Sample diagnostic information:● SOSreport for Red Hat Enterprise Linux®: access.redhat.com/site/solutions/3592● vmcore for system panics: access.redhat.com/site/solutions/6038● sysrq data for hung systems: access.redhat.com/site/solutions/2023● spacewalk-debug for Red Hat Satellite 5.x: access.redhat.com/site/solutions/11047 ● foreman-debug for Red Hat Satellite 6.x: access.redhat.com/solutions/1177823● log collector for Red Hat Enterprise Virtualization: access.redhat.com/site/solutions/61546● JDR for Red Hat JBoss® Enterprise Application Platform 6: access.redhat.com/site/solutions/221103● Log files for Red Hat Enterprise Linux Openstack Platform®

access.redhat.com/site/solutions/2055933

Enabling and testing kdump is strongly advised. Without a vmcore, root cause analysis for system hang/panics is not possible.

INSERT DESIGNATOR, IF NEEDED7

HOW CAN I SPEED UP MY CASE RESOLUTION ?TECHNICAL SUPPORT CASE GUIDANCE

Request a remote support session to help with troubleshooting, which allows collaboration between multiple engineers on a technical support issue: access.redhat.com/articles/255443Please note: Remote support sessions are not covered by our support service level agreement.

Get after-hours support 24x7 for Premium subscription Severity 1 cases by default and Severity 2 cases by request. Please provide contact information for individual(s) working the evening and weekend hours in case the Red Hat support team requires additional information.

If your case is not progressing according to the documented service-level agreement and management attention is required, select the ‘Request Management Escalation’ button within your support case. Follow up with a phone call to the technical support hotline and ask to speak to a Support Delivery Manager: access.redhat.com/site/support/policy/mgt_escalation

RHN => RHSM

INSERT DESIGNATOR, IF NEEDED9

WHY RED HAT SUBSCRIPTION MANAGER?

● RHN was built to support our core subscription for Red Hat Enterprise Linux. As we grew as a company and diversified into more products we needed to support emerging technologies

● RHN used a "pool model" for counting subscriptions, provided the total number of subscriptions a customer has purchased, the total number of the customer's systems that are using subscriptions, and the difference between the two numbers. This model was simple and effective at providing access to content, but had limitations, such as, an inability to link a specific subscription with a specific system, which is vital to subscription management.

● The Red Hat subscription management structure provides more detailed, accurate, and clear representations of the relationships between subscriptions, systems, their parent organizations, and overall usage patterns

INSERT DESIGNATOR, IF NEEDED10

RHN UI shutdown

July 2017Red Hat will prevent all new registrations to RHN

RED HAT NETWORK (RHN) END OF LIFEImportant dates.

October 31 2017

Red Hat will block systems that are still checking in for updates

March 2018RHN API shutdown‘2018

INSERT DESIGNATOR, IF NEEDED11

RECOMMENDED READING● Red Hat Subscription Management Migration FAQ● Preparing Satellite 5 systems for Red Hat Network's End of Life

INSERT DESIGNATOR, IF NEEDED12

RECOMMENDED READING● https://access.redhat.com/documentation/en/red-hat-subscription-management/● Subscription-manager for the former Red Hat Network User: Part 1● Subscription-manager for the former Red Hat Network User: Part 2 - Subscription-manager learns grep● Subscription-manager for the former Red Hat Network User: Part 3 - Understanding virt-who● Subscription-manager for the former Red Hat Network User: Part 4 - Understanding Subscription Manifests● Subscription-manager for the former Red Hat Network user - part 5 - Working with subscriptions that require

virt-who● Subscription-manager for the former Red Hat Network User: Part 6 - understanding and improving the

renewal experience● Subscription-manager for the former Red Hat Network User: Part 7 - understanding the Red Hat Content

Delivery Network● Subscription-manager for the former Red Hat Network User: Part 8 - Product Certificates● Subscription-manager for the former Red Hat Network User: Part 9 - A Case Study with activation keys● Subscription-manager for the former Red Hat Network User: Part 10 - Instance Based Subscriptions● Subscription-manager for the former Red Hat Network User: Part 11 - Identity Certificates● Subscription-manager for the former Red Hat Network User: Part 12 - Subscription Reporting Tools

SATELLITE 5.8 &IMPORTANT DATES

INSERT DESIGNATOR, IF NEEDED14

SATELLITE 5.8Red Hat Satellite 5.8 introduces several new features, enhancements and programs

● Increased speed with channel install and content syncing. For the first time in Satellite 5, customers can now register, activate and update the Satellite server from the Customer Portal, as well as synchronize content via the Red Hat Content Delivery Network

● Improved diagnostics of background tasks and jobs. Red Hat Satellite 5.8 Introduces the Taskotop utility, which monitors Taskomatic activities and provides insights and information on the status of jobs, which can now run background tasks individually or in bulk.

● Updated support of Oracle DB and PostgreSQL. Red Hat Satellite 5.8 offers expanded support for two additional databases -- External Oracle Database 12c and Embedded/Managed PostgreSQL 9.5 DB.

● Extended lifecycle support beginning in 2019. Satellite 5.8 is the only minor release of the Satellite 5 product line to offer an Extended Lifecycle Support option beginning in early 2019.

INSERT DESIGNATOR, IF NEEDED15

SATELLITE 5 SUPPORT LIFE-CYCLE DATESAll versions of Red Hat Satellite 5 will go end-of life on January 31, 2019 with the exception of Satellite 5.8, which will offer an Extended Life Phase until May 31, 2020.

End of Production Phase 3 End of Extended Life Phase

Satellite and Proxy 5.8 Jan 31, 2019 May 31, 2020

Satellite and Proxy 5.7 & 5.6 Jan 31, 2019 Not supported

Proxy 5.x Stand-Alone (No Satellite server)* Oct 31, 2017 Not supported

RED HAT ENTERPRISE LINUX 7.4 WHAT’S NEW

SECURITY & COMPLIANCE

INSERT DESIGNATOR, IF NEEDED18

USBGuardImproving USB security

Policy based access to USB devices on a system● Flexible rules for device description● Whitelist or blacklist by device or class● Change default behavior for unlisted USB

devices● Update access via CLI

INSERT DESIGNATOR, IF NEEDED19

NETWORK BOUND DISK ENCRYPTION

Network Bound Disk Encryption enables encryption and decryption of disks only on a trusted network, making data unusable if removed from the network.

● Network key service (TANG)● Automated decryption client framework

(CLEVIS)● Dracut unlocker: decrypt during early boot

sequence

INSERT DESIGNATOR, IF NEEDED20

IDENTITY MANAGEMENT (IdM)

● Performance improvements across many common workflows

● All IdM workflows available via SmartCard only authentication

● Multiple IdM roles can be linked to SmartCards

● Supported in FIPS mode

INSERT DESIGNATOR, IF NEEDED

CRYPTOGRAPHIC ALGORITHMS

21

Click to add subtitle

DEPRECATIONS

SHA 1 hash

SSL 2.0

EXPORT cipher suites

Diffie-Hellman (DH) parameters shorter than 1024 bits

See Release Notes for complete list and affected subsystems

ADDITIONS

Chacha20

See Release Notes for complete list and affected subsystems

INSERT DESIGNATOR, IF NEEDED

ADDITIONAL FEATURES

22

Click to add subtitle

ENTERPRISE / CLOUD OPPORTUNISTIC IPSEC

● Define MAY, SHOULD, MUST, MUST_NOT on network ranges

● X.509 authentication from common CA● Tunnel created on packet send

AUDIT UPDATES

● New subject and session ID filters● Recording of kernel module names● Recording the user's terminal on login● New "normalizer" to translate audit

events from the current name=value format and translates it to sentence style logs

At 10:09:04 02/13/2017 sgrubb unsuccessfully opened-file /etc/selinux/config using /usr/bin/install

INSERT DESIGNATOR, IF NEEDED23

KASLR (Tech Preview)

Kernel Address Space Randomization [KASLR]

allows kernel to randomize the physical and virtual

address at when vmlinuz is decompressed, as a security feature that deters exploit

attempts relying on knowledge of the location of

kernel internals.

GLIBC Malloc protection

Developers using the glibc malloc family of APIs to

dynamically allocate memory will receive the added benefit

of an almost zero performance cost additional security hardening against

1-byte buffer overflows.

TPM 2.0 (Tech Preview)

TPM 2.0 is an advanced hardware based security and crypto processor. The TPM

2.0 Userspace adds a higher level API making it easier to use the security capabilities

provided by the TPM 2.0 hardware and low level API.

ADDITIONAL FEATURESClick to add subtitle

PERFORMANCE

INSERT DESIGNATOR, IF NEEDED25

NVMe OVER FABRIC

NVMe improves SSD accessNVMe over Fabric extends that access

to storage arrays

INSERT DESIGNATOR, IF NEEDED26

LVM / DM CACHE IMPROVEMENTS

Improvements include:● Better adaptability to changing workloads● Larger cache sizes● Overall performance increases

INSERT DESIGNATOR, IF NEEDED27

REDUCED BOOT TIMES

2x improvement in start up Critical for scaling and

availability

ELASTIC NETWORK ADAPTER SUPPORT

Next-gen network adapter in EC2

Enables up to 20Gbps on certain AWS instance types

ELASTIC VOLUME SUPPORT

AWS EBS volumes can be modified online

IOPS

Volume Type

Size (increase only)

RHEL allows for online resizing

CLOUD PERFORMANCE ENHANCEMENTSClick to add subtitle

MANAGEMENT & AUTOMATION

INSERT DESIGNATOR, IF NEEDED29

COCKPIT

Cockpit provides an easy to use interactive admin interface with minimal footprint

● No state separate from the server● Integrates with tools like Performance

Co-Pilot● Simple management for subsystems like

network or storage via system APIs● Access to multiple tools like diagnostic

reports, logs, and SELinux

INSERT DESIGNATOR, IF NEEDED30

NETWORK MANAGER UPDATES

Network Manager is now more modular● Supports extended route options for firewall

and route table setup● MACsec for L2 VPNs● Improved DNS, DHCP configuration visibility● Dynamic configuration of ethernet interface

options

INTRODUCING RHEL SYSTEM ROLES POWERED BY ANSIBLE

(TECH PREW IN RHEL 7.4)

INSERT DESIGNATOR, IF NEEDED32

Automation is key today

RHEL6

Upstart

Initscript networking

NTPD

yum groupinfo

Iptables

RHEL7

SystemD

Network Manager*

ChronyD

yum group info

FirewallD

TeamD

INSERT DESIGNATOR, IF NEEDED33

Red Hat Enterprise Linux System Roles

Conceptually a “System API” to Linux subsystems

Abstract the configuration from the implementation

Focusing on compatibility with RHEL 6.9+

Useable within other tools

INSERT DESIGNATOR, IF NEEDED

Initial subsystems● kdump● network● postfix● selinux● Timesync

Future targeted subsystems● Subscriptions Manager● Tuned (perf & power tuning)● Firewall● SAP HANA & Applications● Storage● NFS● Kerberos & LDAP Authentication● Bootloader● more...

What can we manage?

A collection of Roles and Modules for Ansible

INSERT DESIGNATOR, IF NEEDED

Example

Available in RHEL 7.4 Extras channel as Technology Preview

● rhel-system-roles-0.2-2.el7.noarch● ansible-2.3.1.0-3.el7.noarch

Red Hat Customer Portal documentation

https://access.redhat.com/articles/3050101

Availability

RED HAT INSIGHTS

“ 85% of critical issues raised to Red Hat® support are already known to Red Hat or

our partners.”

— RED HAT GLOBAL SUPPORT SERVICES

INSERT DESIGNATOR, IF NEEDED38

WHAT IS RED HAT INSIGHTS ?

Red Hat Insights is a predictive IT

analytics service that enables

customers to proactively identify

and automatically resolve

infrastructure risks before they

impact business operations.

No infrastructure cost

Quick setup

Automated,validated, resolutions

Tailored resolution

Real-timerisk assessment

Proactive alerts& executive reporting

SaaS

INSERT DESIGNATOR, IF NEEDED39

I.T. OPERATIONAL ANALYTICS (ITOA)

What happened ?

DESCRIPTIVE ANALYTICS

Why did it happen ?

DIAGNOSTIC ANALYTICS

What will happen ?

PREDICTIVE ANALYTICS

What can we do about it ?

PRESCRIPTIVE ANALYTICS

SplunkSumo Logic

ELKGraylog

dashboardslog filesjournals

r/syslogd

Insights complements existing monitoring solutions and provides expert prescriptive guidance

INSERT DESIGNATOR, IF NEEDED40

PREDICTIVE, HOW ?

DISCOVER1,000,000+

SOLVED CASES

VALIDATE100,000+

UNIQUE SOLUTIONS

RESOLVE

● Continuous identification of new risks.

● Based on real-world results from millions of

enterprise deployments

“ 85% of critical issues raised to Red Hat®

support are already known to Red Hat or

our partners.”

— RED HAT GLOBAL SUPPORT SERVICES

INSERT DESIGNATOR, IF NEEDED41

REMEDIATION MADE SIMPLE● Automatically tailored recommendations

and remediation down to the per-host level.

● Create and share maintenance plans to better coordinate responses within your team.

● Avoid complexity with easy-to-follow issue resolution.

“ 22% of disasters are caused by human error.”

— QUORUM DISASTER RECOVERY REPORT

# Kernel vulnerable to denial of service via Bluetooth stack (CVE-2017-1000251/Blueborne)# Identifier: (CVE_2017_1000251_kernel_blueborne|KERNEL_CVE_2017_1000251_POSSIBLE_DOS,105,mitigate)# Version: 38dfe1c055049012a641f311ecdbee9f8a623b78- name: Disable bluetooth-related kernel modules hosts: "web.example.com,db.example.com,satellite.example.com" become: true vars: modules: - bnep - bluetooth - btusb

tasks: # While modules may already be disabled in a different file, # create a blacklist file explicitly for this issue. - name: Blacklisting bluetooth kernel modules lineinfile: dest: /etc/modprobe.d/disable-bluetooth.conf line: "install {{ item }} /bin/true" owner: root …...

INSERT DESIGNATOR, IF NEEDED42

GET AHEAD OF KEY SECURITY RISKSDon’t wait for your security team to tap you on the shoulder

● Prioritizes security response by analyzing runtime configuration and usage.

● Automates security analysis for customers, beyond just CVEs.

“ In the first year when a vulnerability is released, it’s likely to be exploited within 40-60 days. However, it takes security teams between 100-120 days on average to remediate existing vulnerabilities.”— KENNA SECURITY GROUP

CVE-2017-14491

INSERT DESIGNATOR, IF NEEDED43

HOW DOES INSIGHTS WORK ?INTEGRATED INTO TOOLS YOU ALREADY USE

Minimal Network Impact

Secure HTTPS Traffic

System Data anonymization

Internal Proxy

(optional)

Analytics Engine

Rules Database

Playbook Generation

CUSTOMER PORTAL

INSERT DESIGNATOR, IF NEEDED44

MANAGING INFRASTRUCTURE RISK Insights complements existing monitoring solutions and provides expert prescriptive guidance

ANALYZE IDENTIFY PRIORITIZE RESOLVE

INSERT DESIGNATOR, IF NEEDED45

INTEGRATED INTO TOOLS YOU ALREADY USEWorks on physical, virtual, cloud, and container-based workloads

Integrated into Satellite 5.7, 6.1+, CloudForms4.0+, Ansible Tower, and Red Hat Customer Portal.

API available for custom integration.

Supported Platforms:● Red Hat Enterprise Linux 6.4 and higher,

RHEL 7 and higher● Red Hat OpenStack 7 and higher● Red Hat Virtualization 4 and higher● Red Hat OpenShift Container Platform● Red Hat Cloud Infrastructure 6 and higher,

and Cloud Suite 6 and higher (included in RHCI/RHCS SKU’s)

RED HAT CUSTOMER PORTAL

INSERT DESIGNATOR, IF NEEDED46

CONCERNED ABOUT SECURITY? Very small amount of data and only data that is needed for rule analysis

How does Insights secure customer data?● Data encryption using LUKS● Data sent over TLS● Trusted certificate bundled● Hostname and IP obfuscation available● System information to be tailored

What data does Insights collect?● Red Hat Insights collects metadata about the

runtime configuration of a system. The data collected is 1% of what would be collected via sosreport during a support case.

● Example files:○ /etc/redhat-release○ /proc/meminfo○ /var/log/messages

● Example commands:○ /bin/rpm -qa○ /bin/uname -a○ /usr/sbin/dmidecode

● Subscribers can blacklist any command, file, or piece of metadata that they prefer not be monitored by Red Hat Insights.

● Insights do not collect the entire messages file, but rather the lines that match a potential rule (i.e. page allocation failure)

INSERT DESIGNATOR, IF NEEDED47

CONFIGURATION & LOG FILES

Main configuration file:● /etc/redhat-access-insights/redhat-access-insights.conf● See comments in the configuration file for information about each parameter or run

$ man redhat-access-insights.conf after installation.Log files:● /var/log/redhat-access-insights/redhat-access-insights.log*● Logs are not collected in sosreport but functionality planned for sosreport

Obfuscation (redhat-access-insights.conf file):● Obfuscate IP addresses: obfuscate=True OR● Obfuscate hostnames: obfuscate_hostname=True

Blacklist● Add items using /etc/redhat-access-insights/remove.conf

INSERT DESIGNATOR, IF NEEDED48

GETTING STARTED

ALREADY A RED HAT® ENTERPRISE LINUX® CUSTOMER?Try Insights at no cost:https://access.redhat.com/insights/getting-started

INTERESTED IN A MANAGEMENT SUITE?Insights is included in:Red Hat Cloud Infrastructure + Red Hat Cloud Suite

WOULD YOU LIKE TO LEARN MORE ABOUT INSIGHTS?https://www.redhat.com/en/technologies/management/insightsFor more info, visit: https://access.redhat.com/insights/info

○

INSERT DESIGNATOR, IF NEEDED49

YOUR NO-COST INSIGHTS ASSESSMENT

Run an Insights assessment for 30 days:1. Work with your account team to get an Insights eval subscription.2. Install the Red Hat Insights RPM.3. Register 50+ systems for best view.4. See results immediately.5. Schedule a best practices workshop.

See valuable insights in minutes:1. Activate eval: https://access.redhat.com/insights/evaluation.2. Installation: https://access.redhat.com/insights/getting-started.

QUESTIONS?insights@redhat.com

PERFORMANCE CO-PILOT

INSERT DESIGNATOR, IF NEEDED

What is Performance Co-Pilot (PCP)

● Open source toolkit● System-level analysis● Live and historical● Extensible (monitors, collectors)● Distributed● Cross platform

History● R&D project, started approx 20 years ago

INSERT DESIGNATOR, IF NEEDED52

PCP BasicsAgents and Daemons

At the core we have two basic Components:

1. Performance Metric Domain Agents

● Agents

2. Performance MetricCollection Daemon

● PMCD

INSERT DESIGNATOR, IF NEEDED53

Architecture

App

Mailq

DB

Kernel

Collectors Monitors

PMCD

pmlogger

pmchart

pmie

INSERT DESIGNATOR, IF NEEDED54

Useful reading on PCP

How do I install Performance Co-Pilot (PCP) on my RHEL serverhttps://access.redhat.com/solutions/1137023

Installing and using the pcp-zeroconf package for Performance Co-Pilot (PCP) https://access.redhat.com/articles/3115691

Introduction to storage performance analysis with PCPhttps://access.redhat.com/articles/2450251

Side-by-side comparison of PCP tools with legacy toolshttps://access.redhat.com/articles/2372811

Performance Co-Pilot User’s and Administrator’s Guidehttp://pcp.io/doc/pcp-users-and-administrators-guide.pdf

Index of Performance Co-Pilot (PCP) articles, solutions, tutorials and white papers https://access.redhat.com/articles/1145953

Questions ?

THANK YOUplus.google.com/+RedHat

linkedin.com/company/red-hat

youtube.com/user/RedHatVideos

facebook.com/redhatinc

twitter.com/RedHatNews