The Satellite server itself is not yet supported on RHEL 9.x.

@@RedHatEnterpriseLinux Thanks, that was my last info too. Can you / are you permitted to disclose, what is the reason for it ?

@@szpl moving satellite to run on a new version of RHEL takes time and engineering resources, but does it change how satellite functions? We’d rather put that time and effort into the product. Plus, RHEL8 has about 5 years left on its lifecycle and RHEL10 is expected in mid-2025.

@@RedHatEnterpriseLinux Totally agree, just asking ... because our customers ask sometimes. I work at a RH partner, and this comes up sometimes. Thanks for the quality content!

There is this guide on virtualization management? docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/configuring_and_managing_virtualization/index

Sorry, these labs only last for 2 hours, but once that time expires, you can relaunch it again but your progress will be reset. If you need more in-depth help you can sign up for the Red Hat Learning course RH403 Red Hat Satellite 6 Administration! www.redhat.com/en/services/training/rh403-red-hat-satellite-6-administration

red.ht/rhel-discord

/etc/hosts.deny is a component of the tcpwrappers security mechanism. As far as I know, it's not used by apache. Apache has it's own directives for controlling access by IP, Network, hostname, or domain name that you can put in it's configuration files. That said, if you're interested in filtering traffic to the machine, firewalld may be a better route. It will globally apply limits to *ALL* services because it makes choices at the kernel/interface layer rather than at the application layer. But firewalld uses IPs and Network addresses. You can also use hostnames, but firewalld will rely on doing a DNS lookup on that hostname to then use an IP based rule. But IP based blocks sounds like what you're after.

Thank you for the feedback!

Maybe? But is it really the Hypervisor you're looking to restrict in this scenario or is it the other VMs running on it? If you're looking to route all your traffic through a specific VM, I'd suggest something more like connecting your VMs to a KVM specific defined network, then having one of the VMs act as the router for that network, configured with an additional connection to the hypervisor.

@@scottmcbrien6535 Yes, I'm looking to restrick my entire machine - including hypervisor. I know, that better solution will be hardware way - buy better network gear, but I need a budget for that ;-)

We used a very simple, native RHEL8 system to perform the leapp to RHEL9. The purpose of the video is to provide an overview of the process of performing an upgrade with Leapp. At the time-code you mention, Eric does reference that there could be inhibitors or other conditions you may want to address prior to progressing the upgrade, which occur after the pre-upgrade analysis. Have you considered opening a support case to assist with addressing the issues highlighted by the pre-upgrade analysis? Additionally, having upgraded from RHEL6, this sounds like it's an extremely old system. At some point you may not be able to in-place upgrade it any further due to a variety of factors: software changes in the RHEL distro, hardware support changes, requirements of other installed software or applications, etc. However, RHEL8 has recently entered it's Lifecycle Maintenance Phase, which means it has approximately 5 years of normal lifecycle support (included with RHEL). You can find more lifecycle information here: access.redhat.com/support/policy/updates/errata

Indeed we did! I've set it up a variety of different ways, using the network system role has been my most favorite way. Especially because I can pull from the /usr/share/doc/rhel-system-roles/network example-bond_simple* file to use as a template for my playbook 🙂

The Red Hat Developer for Individuals subscription is free. Any Red Hat subscription (including the Developer for Individuals) also includes access to Beta software. If you want to remove the subscription, possibly contact Customer Service? access.redhat.com/support/customer-service

@@maikcat9723 RHEL8 still has ~5 years left on its normal 10 year lifecycle, then it will get some extended lifecycle as well (at least 2 years with an add-on subscription). So it’s still going to be supported by satellite for “a while”.

I think the first stop is reviewing and reconciling the pre-upgrade analysis report. Those highlighted concerns are there for a reason. You can also use leapp with --verbose or if that's not enough information --debug. This also logs into several locations. There's a documented list of things you can use for troubleshooting here: docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/upgrading_from_rhel_7_to_rhel_8/troubleshooting_upgrading-from-rhel-7-to-rhel-8#troubleshooting-resources_troubleshooting The doc talks about 7->8 upgrades, but the leapp tool uses the same resources for 8->9, which is the video on which this comment resides.

I'm sorry you feel that way. Even if you're not a RHEL user or don't intend to ever be one, I hope you find the content we make for Into the Terminal informative and practical for whatever distribution you end up choosing. Though I must disagree with the notion of a 'pay wall' as Red Hat has a free Developer for Individuals subscription (developers.redhat.com/articles/faqs-no-cost-red-hat-enterprise-linux) which gives you a subscription for 16 RHEL systems. I routinely talk with the management team for RHEL and they consistently want to increase access to RHEL, not decrease it. Additionally, I would point out that a "bug for bug compatible" rebuild of RHEL is silly. What you're really saying is: "I want RHEL, but won't support the people that actually do all the work to make it happen." Red Hat does TONS AND TONS of work across the open source ecosystem, if you're using any Linux distro for virtualization in your home lab, that KVM you're using is being mainly engineered and maintained by developers at Red Hat. Systemd? Red Hat. Wayland? Red Hat. Pacemaker? Red Hat. Podman? Red Hat. Ansible? Red Hat. There's tons of other examples of this as well. Red Hat freely contributes this work to the community at large where it's used by all sorts of other distros. But a rebuild distribution that in their core tenants state that they will refuse to improve, in any way, the thing on which they are rebuilding sounds very opposite of the community values we espouse in Open Source.

@@scottmcbrien6535 "Even if you're not a RHEL user or don't intend to ever be one, I hope you find the content we make for Into the Terminal informative and practical for whatever distribution you end up choosing. " I actually looked into trying to use RHEL for personal/homelab systems. I am not a developer, and therefore; signing up for the "free Developer for individuals" subscription would be, admittedly, a gross misrepresentation (as I am not a developer), and therefore; per the legal terms of the service, I will not qualify. (But I am certain that you can check with your in-house Office of General Counsel for advice about the applicability and enforceability of the terms of service for this subscription as to whether non-developers will be eligible for the "developers for individuals" subscription as you mentioned.) Again, suffice it to say that I did look into trying to get RHEL for personal use, but as of this writing, outside of the "developer for individual" subscription that you mentioned, if you're NOT a developer, then there isn't an option. This is where CentOS filled in that void, which IBM and RedHat, pulled the plug on, by shifting the focus away from CentOS and instead, focus on CentOS Stream in the annoucement that was published on December 8th, 2020. (Source: www.redhat.com/en/blog/centos-stream-building-innovative-future-enterprise-linux?extIdCarryOver=true&sc_cid=701f2000001OH7JAAW) "I routinely talk with the management team for RHEL and they consistently want to increase access to RHEL, not decrease it." If you go to the RHEL website (cf. www.redhat.com/en/technologies/linux-platforms/enterprise-linux), there is LITERALLY not an immediately visible option for personal uses of RHEL. Therefore; given your statement above, the evidence found on the RHEL website LITERALLY does not support your statement above. In fact, the second last question in the FAQ section under "trial" (cf. www.redhat.com/en/technologies/linux-platforms/enterprise-linux/server/trial), literally states: "Can I renew the product trial after it has expired? There are limits to how many product trials are allowed for each product over a given time period. If you need to extend your product trial or request more trials, please contact Red Hat Sales." Again, does not support your statement. For personal/homelab use, pursuant to this response in the FAQ section, this would mean that I would have to contact Red Hat Sales to extend the trial, which doesn't really help quote "increase access to RHEL" and rather, "decrease access to RHEL". (Contacting Red Hat Sales is at least an extra step that I would have to take to extend the trial, vs. CentOS or other distros where I don't have to do anything extra, to keep the system running.) "Additionally, I would point out that a "bug for bug compatible" rebuild of RHEL is silly." CentOS used to have a relatively short lag behind commerical RHEL. And it worked. "What you're really saying is: "I want RHEL, but won't support the people that actually do all the work to make it happen...But a rebuild distribution that in their core tenants state that they will refuse to improve, in any way, the thing on which they are rebuilding sounds very opposite of the community values we espouse in Open Source." LOL...LMAO.... Sorry -- but I have to laugh out loud in regards to this statement. The title of this video is LITERALLY geared towards Home Labbers. Your second sentence in that paragraph, when juxtaposed against the very last sentence in your paragraph, is a little bit paradoxical, at minimum. The nature of open source is that you can download said (open) source code, often times, for free. To your point those, I am aware of and recognise the contributions that Red Hat contributes to the Linux and the open source community as-a-whole. I've seen the reports in terms of the number of commits that are being made, and I recognise that there is a SIGNIFICANT work that Red Hat does, in the open source space. (Last time I looked, it was almost like 40% of the commits comes from Red Hat.) Conversely though, again -- note the target audience that comes directly from the title of this video: Home Lab. Therefore; typically, there is, at least in my view, at least some kind of an implied meaning that Home Labbers typically are of limited financial means. (My current "do-it-all" Proxmox server was purchased for $1100 USD. My mini PC that also runs Proxmox, but also is responsible for running Windows AD DC, DNS, and AdGuard Home -- I bought that system for ~$150.) Thus, to the second sentence in your last paragraph, when you're working with a TOTAL budget of $150 for the mini PC, that doesn't leave a lot of room for financial and/or monetary contributions to support the work that Red Hat does (pursuant to your specific sentence). From the way that you wrote that, I can only surmise that if you aren't comfortable with the reality in terms of what and how Home Labbers use FOSS, then it sounds like that staying out of the Home Lab space may be the better course of action, if that's one of your gripes. I agree that people SHOULD be compensated for their work. There is no disagreement with that. But again, there is always this tension that exists with the open source community, where a LARGE portion are available for free, which results in the developers NOT being compensated for the work that they've put in vs. the principle that people SHOULD be compensated for their work. Again -- the evidence that have before us, shows that Red Hat ended CentOS because they wanted to push people to CentOS Stream, and then ultimately to RHEL, which, again, as I have shown above, have very limited free option (which WASN'T the case with CentOS). In other words, Red Hat wanted money. That's what that move was about. Red Hat took away the free, CentOS option, and wanted people to move into (and pay for) RHEL. Thus, Red Hat "paywalled" the free CentOS option behind the paid RHEL option (again, especially if you're NOT a developer). Thanks for your comment.

Thank you for your insights, Scott and Ewan.

Indeed. Piping it into cut, sort -u would get you a list of just individual IPs, which you could pass as the list of operands for a for loop. Ultimately, if you're looking for a specific pattern in text, Regular Expressions are the thing. Regular Expressions are supported in a variety of programming languages as well as shell commands like grep, sed, and awk (which is a programming language). What you choose is probably determined by how complex you want it to be and how complex the actions you're going to take on that data is going to be. The more complex your actions, the more you'd probably tilt towards a programming language like Python as there's a ton of libraries for performing all kinds of tasks. If you don't have much complexity, like just wanting to inspect a list or do a couple of transforms on it (reverse looking up, for example), maybe bash or a shell script works because it's relatively simple to write and maintain and provides the functionality you're looking for. The second you think to yourself "maybe I should store this for later in like, a database..." nope, higher order programming language with modules to interact with your database of choice 🙂

I think there would be two challenges to overcome. First, which you've identified, is keeping consistent UIDs across all devices that access the NFS share. That can be managed with something like Identity Manager (IdM), AD, LDAP, or another SSO mechanism as long as the accounting is consistently applied. The second is write access. NFS doesn't natively do any file locking, which if all the applications are reading data, isn't a problem. But if they're writing data, multiple different clients could be writing at the same time to the same file. Again, you could manage this at the application level, but that's a lot of extra code to write into the application when you could choose a different filesystem format that does manage distributed locking.

Luckily there are tons of resources available to get started with Ansible including the upstream project's getting started guide: docs.ansible.com/ansible/latest/getting_started/index.html Be sure to check it out!

Glad it was helpful!

The Red Hat GPG keys are likely installed on your machine at install time, but all of them may not be automatically added to your dnf/rpm GPG keyring. Usually you're asked to import them (or accept them) on your very first package transaction that uses one. If you look at the repo definitions, you should see the gpgkey that's specified for each individual repo. Now to the second part of the question, how to verify what you have already. rpm -q gpg-pubkey This will list all the gpg public keys imported into your RPM keyring. You can then introspect them a bit more by using an rpm -qi gpg-pubkey-<keyid> on individual ones. or you might prefer this format: rpm -q --queryformat "%{SUMMARY} " $(rpm -q gpg-pubkey) That said, when you're creating a gpg key, you can really put anything you want into it's metadata, so you then need to take the keyID and cross check it with public information from the packager or maybe a gpg key server.

They track different information. You should use whatever technology is required by your compliance standard (otherwise you may not be in compliance). auditd tracks all kinds of system information, like file operations and other stuff, which session recording does not. That said, I think if you're required to use auditd, you should probably also be using session recording. The recorded sessions can put into context some of the activities you observe in the audit log. Neither technology is perfect. auditd keeps a huge list of events, but often lacks the context of what was happening on the system at the time of the activity. Conversely, session recording shows you what users are doing on their shell sessions, but doesn't track daemons and other non-terminal bound applications.

Noah is definitely good people! We'll make sure he gets your message.

Good point :)

You should be able to, but you'll have to change the repositories on the machine to point to the updated location for the retired packages as RHEL6 is now End of Maintenance and has moved to the Extended Life Phase of the RHEL Lifecycle. This article describes the updated repos you need: access.redhat.com/articles/4665701 That said, you know that RHEL7 is now End of Maintenance as well, and while it does have Extended Life Support available for the next 4 years as an add-on, you should consider figuring out how to migrate the work being done on this machine to something in the normal lifecycle. Otherwise you're going to continue to chase after End of Maintenance things and run into issues like this one...

@@scottmcbrien6535 Hello friend Show, I'll give it a read, although I currently need to configure rhel 6.10 to be able to install the RedHat upgrade tool, but I can't find a repository that can do this procedure. Is there any way without needing an active subscription?

@@marcussilva9650 Not that I know of as you'll need that active subscription in order to access the RHEL 7 stuff you'll need for the upgrade as well.

@@zympf The Ansible team also creates video content! It’s in their KZbin channel: youtube.com/@ansibleautomation?si=BPYgbvs2wjaZBgwV

Unfortunately, that's not how swapping is implemented in the Linux kernel. vm.swappiness is a setting that adjusts the aggressiveness or preference that the kernel has for utilizing swap space. It is not a %. So setting your swappiness to 1 means that the kernel is going to be not aggressively utilizing swap. That does not mean it won't use it. It just won't try super hard *TO* use it. That said, the kernel on your machine is likely utilizing swap space because it wants to keep that 'plenty of memory available' for the system and processes that might want to consume it instead of using that memory to store things that are not actively being used by the processes and services running. I would argue that the fact that it's utilizing swap in this way is a GOOD thing because it means that you can use the system memory for applications as needed, but also for things like caching and buffers, which are a proven method of improving various system activities (e.g. helping system performance). Conversely, if there was such a setting as you describe (there is not) that would trigger swapping at a certain threshold, that would be very, very bad for system performance as it would create a situation where at a specific moment, the kernel would have to stop what it was doing to spend time on culling through memory, then kick off a bunch of disk-intensive operations to swapout content. During this period, all the other programs on your machine would likely be severely impacted as the compute is actively being pulled away from them to attend to this 'event' that the kernel would need to handle.

@@scottmcbrien6535 Thanks , receiving alert swap space often on servers, cpu usage hits high due to kswapd0 process often. do we have any limitations, what size of swap is needed for ram on server

@@ImranKhan-zu6qv I'd look at vmstat. What does si [swap-in] and so [swap-out] show? Is there a bunch of activity happening (meaning the swap space is pretty active)? If your swap space is generally active, it means your system is putting things in and out of it with some frequency. Adding additional swap space isn't going to change that, but it could affect the % of swap used on the system and potentially alleviate monitoring alerts. However, based on the very limited description, I would suggest the only real way to resolve this would be to add more RAM to the machine. How much swap should a machine have? That's a really hard question to answer. Personally, I run my machines with really small swaps and really large amounts of memory. But I run the risk of having out of memory issues when I use all the virtual memory (RAM+swap) on the system. Additionally, as the system becomes more memory constrained, caches and buffers will be smaller which can adversely affect disk operations and network operations. Conversely, having large swap spaces allows for more memory in the virtual memory management system, but realize that swap is not great for system and application performance. Having a large swap can keep you from having Out of Memory (OOM) issues, but as you start consuming swap and si and so operations are happening, you lose system performance due to increased disk I/O requests and wait times for applications waiting on data they need to operate. It also may depend on your hardware. For example, laptops use swap for writing memory information prior to hibernating. I've seen recommendations around the Internet for 1x RAM or 2x RAM or some that are a % of RAM. Red Hat currently recommends a scale based on RAM sized swap space. You may need more if you're using laptops to accommodate for hibernation. access.redhat.com/solutions/15244 Something else to check on the system, are you using a lot of tmpfs formatted filesystems? How big are they? tmpfs is stored in virtual memory (RAM+swap) and is a swappable type of content, so if you've got a bunch of applications that are storing their state this way, all that 'file' data they have stored in memory could be causing your swapping woes. You might want to open a support case with Red Hat, they may be able to better diagnose things since they capture a bunch of system information through the sos application for the Technical Support Engineers to review about the state of your system, which you probably don't want to provide to randos on the Internet.

I think you want to start with: semange boolean -l It will list both the current value and the default value in the policy. That said, it will change the 'default' if you use the -P option when setting the boolean as you've now made the policy reflect the new value of the boolean setting as well. I suppose you could make a copy of the unmodified policy file (to keep as a reference) then use something like sedispol -a 5 <file1> and sedispol -a 5 <file2> to compare the two?

As mentioned Satellite server isn’t supported on RHEL 9.x yet. We’re so excited though that you have Satellite up and running. Be sure to catch the next episode this Thursday!

foreman 3.11 supports installation on rhel9 , i guess its a matter of time before satellite also supports rhel9...

No GUI required. In fact, its probably best you don't have a desktop environment installed.

Thank you! Be sure to join us next week for Episode 2!