RED HAT TECH UPDATE 2017
Peter Gustafsson, Solutions Architect
Johan Odell, Solutions Architect
AGENDA: Red Hat Tech Update
● Engaging Red Hat Support
● Red Hat Network (RHN) end of life
● Satellite 5.8 and important dates
● Red Hat Enterprise Linux 7.4
● Red Hat Insights
● Cockpit
● Performance Co-Pilot
● CloudForms 4.5
ENGAGING WITH RED HAT SUPPORT
ENGAGING WITH RED HAT SUPPORT
The Red Hat® Customer Portal delivers technical documentation and intelligent tools to help you manage your Red Hat products throughout their life cycle. If you encounter an issue that you cannot resolve using the Customer Portal, you can open a support case online or by calling your region's technical support hotline. To help minimize impact to your business, open a support case as soon as you discover an issue.
OPEN A TECHNICAL SUPPORT CASE
Red Hat Customer Portal: access.redhat.com/support/cases/
Red Hat technical support contact information by region: access.redhat.com/support/contact/technicalSupport/
TECHNICAL SUPPORT CASE GUIDANCE
Confirm your issue meets the appropriate severity level for technical support: access.redhat.com/site/support/policy/severity/
Review service-level agreement to understand communication process with technical support: access.redhat.com/site/support/offerings/production/sla
Open one case per issue using an individual Customer Portal account (no group accounts).
For Severity 1 issues, open a support case online, follow up with a phone call to the technical support hotline, and reference your case number.
HOW CAN I SPEED UP MY CASE RESOLUTION? TECHNICAL SUPPORT CASE GUIDANCE
To help ensure efficient resolution of your case, please provide as much detail as possible when opening a support case, and respond promptly if additional details are requested.

Environment details     Diagnostic    Issue details        Multi-vendor details
Platform version        SOSreport     Time stamps          Vendor name
Product version         VMcore        Error messages       Vendor case number
Third party products    Log files     Steps to reproduce   Vendor contact
Attachments cannot be connected to your support case through email. Please upload files to the technical support FTP site: access.redhat.com/solutions/2112
HOW DO I COLLECT THE INFORMATION ?
Sample diagnostic information:
● SOSreport for Red Hat Enterprise Linux®: access.redhat.com/site/solutions/3592
● vmcore for system panics: access.redhat.com/site/solutions/6038
● sysrq data for hung systems: access.redhat.com/site/solutions/2023
● spacewalk-debug for Red Hat Satellite 5.x: access.redhat.com/site/solutions/11047
● foreman-debug for Red Hat Satellite 6.x: access.redhat.com/solutions/1177823
● log collector for Red Hat Enterprise Virtualization: access.redhat.com/site/solutions/61546
● JDR for Red Hat JBoss® Enterprise Application Platform 6: access.redhat.com/site/solutions/221103
● Log files for Red Hat Enterprise Linux OpenStack Platform®: access.redhat.com/site/solutions/2055933
Enabling and testing kdump is strongly advised. Without a vmcore, root cause analysis for system hang/panics is not possible.
HOW CAN I SPEED UP MY CASE RESOLUTION? TECHNICAL SUPPORT CASE GUIDANCE
Request a remote support session to help with troubleshooting, which allows collaboration between multiple engineers on a technical support issue: access.redhat.com/articles/255443
Please note: Remote support sessions are not covered by our support service level agreement.
Get after-hours support 24x7 for Premium subscription Severity 1 cases by default and Severity 2 cases by request. Please provide contact information for individual(s) working the evening and weekend hours in case the Red Hat support team requires additional information.
If your case is not progressing according to the documented service-level agreement and management attention is required, select the ‘Request Management Escalation’ button within your support case. Follow up with a phone call to the technical support hotline and ask to speak to a Support Delivery Manager: access.redhat.com/site/support/policy/mgt_escalation
RHN => RHSM
WHY RED HAT SUBSCRIPTION MANAGER?
● RHN was built to support our core subscription for Red Hat Enterprise Linux. As we grew as a company and diversified into more products, we needed to support emerging technologies.
● RHN used a "pool model" for counting subscriptions: it provided the total number of subscriptions a customer had purchased, the total number of the customer's systems using subscriptions, and the difference between the two numbers. This model was simple and effective at providing access to content, but it had limitations, such as an inability to link a specific subscription with a specific system, which is vital to subscription management.
● The Red Hat subscription management structure provides more detailed, accurate, and clear representations of the relationships between subscriptions, systems, their parent organizations, and overall usage patterns.
RED HAT NETWORK (RHN) END OF LIFE
Important dates:
● July 2017: RHN UI shutdown. Red Hat will prevent all new registrations to RHN.
● October 31 2017: Red Hat will block systems that are still checking in for updates.
● March 2018: RHN API shutdown.
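Finding the hosts that still depend on RHN before those dates is the practical follow-up. The check below is an added example, not part of the Red Hat deck: it classifies a host by the presence of the RHN Classic registration record (/etc/sysconfig/rhn/systemid) and the RHSM identity certificate (/etc/pki/consumer/cert.pem). The ROOT argument and the sample filesystem trees are constructed so it can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the Red Hat deck): classify how a RHEL host is
# registered so that systems still checking in to RHN Classic can be found
# before the cut-off. ROOT lets the check run against a copied or
# constructed filesystem tree instead of the live host.
#   $ROOT/etc/sysconfig/rhn/systemid  - RHN Classic registration record
#   $ROOT/etc/pki/consumer/cert.pem   - RHSM identity certificate
# Prints one of: rhn-classic, rhsm, both, unregistered.
registration_mode() {
    root="${1:-}"
    rhn=0; rhsm=0
    [ -s "$root/etc/sysconfig/rhn/systemid" ] && rhn=1
    [ -s "$root/etc/pki/consumer/cert.pem" ] && rhsm=1
    case "$rhn$rhsm" in
        10) echo rhn-classic ;;
        01) echo rhsm ;;
        11) echo both ;;        # mid-migration: still attached to RHN
        *)  echo unregistered ;;
    esac
}

# rhn_free <root>: exit 0 when the host no longer depends on RHN Classic,
# so fleet scripts can count the hosts that still need migrating.
rhn_free() {
    case "$(registration_mode "$1")" in
        rhsm|unregistered) return 0 ;;
        *)                 return 1 ;;
    esac
}

# make_sample_host <dir> <rhn|rhsm|both|none>: constructed trees for the demo.
make_sample_host() {
    mkdir -p "$1/etc/sysconfig/rhn" "$1/etc/pki/consumer"
    case "$2" in
        rhn|both)  printf '%s\n' '<?xml version="1.0"?>' '<!-- constructed systemid -->' \
                       > "$1/etc/sysconfig/rhn/systemid" ;;
    esac
    case "$2" in
        rhsm|both) printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed' \
                       > "$1/etc/pki/consumer/cert.pem" ;;
    esac
}

demo() {
    tmp=$(mktemp -d)
    for kind in rhn rhsm both none; do
        make_sample_host "$tmp/$kind" "$kind"
        printf '%-5s -> %s\n' "$kind" "$(registration_mode "$tmp/$kind")"
    done
    rm -rf "$tmp"
}

demo
```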
RECOMMENDED READING
● Red Hat Subscription Management Migration FAQ
● Preparing Satellite 5 systems for Red Hat Network's End of Life
RECOMMENDED READING
● https://access.redhat.com/documentation/en/red-hat-subscription-management/
● Subscription-manager for the former Red Hat Network User: Part 1
● Subscription-manager for the former Red Hat Network User: Part 2 - Subscription-manager learns grep
● Subscription-manager for the former Red Hat Network User: Part 3 - Understanding virt-who
● Subscription-manager for the former Red Hat Network User: Part 4 - Understanding Subscription Manifests
● Subscription-manager for the former Red Hat Network User: Part 5 - Working with subscriptions that require virt-who
● Subscription-manager for the former Red Hat Network User: Part 6 - Understanding and improving the renewal experience
● Subscription-manager for the former Red Hat Network User: Part 7 - Understanding the Red Hat Content Delivery Network
● Subscription-manager for the former Red Hat Network User: Part 8 - Product Certificates
● Subscription-manager for the former Red Hat Network User: Part 9 - A Case Study with activation keys
● Subscription-manager for the former Red Hat Network User: Part 10 - Instance Based Subscriptions
● Subscription-manager for the former Red Hat Network User: Part 11 - Identity Certificates
● Subscription-manager for the former Red Hat Network User: Part 12 - Subscription Reporting Tools
SATELLITE 5.8 & IMPORTANT DATES
SATELLITE 5.8
Red Hat Satellite 5.8 introduces several new features, enhancements and programs:
● Increased speed with channel install and content syncing. For the first time in Satellite 5, customers can now register, activate and update the Satellite server from the Customer Portal, as well as synchronize content via the Red Hat Content Delivery Network.
● Improved diagnostics of background tasks and jobs. Red Hat Satellite 5.8 introduces the Taskotop utility, which monitors Taskomatic activities and provides insights and information on the status of jobs, which can now run background tasks individually or in bulk.
● Updated support of Oracle DB and PostgreSQL. Red Hat Satellite 5.8 offers expanded support for two additional databases: External Oracle Database 12c and Embedded/Managed PostgreSQL 9.5 DB.
● Extended lifecycle support beginning in 2019. Satellite 5.8 is the only minor release of the Satellite 5 product line to offer an Extended Lifecycle Support option beginning in early 2019.
SATELLITE 5 SUPPORT LIFE-CYCLE DATES
All versions of Red Hat Satellite 5 will go end of life on January 31, 2019, with the exception of Satellite 5.8, which will offer an Extended Life Phase until May 31, 2020.

                                               End of Production Phase 3   End of Extended Life Phase
Satellite and Proxy 5.8                        Jan 31, 2019                May 31, 2020
Satellite and Proxy 5.7 & 5.6                  Jan 31, 2019                Not supported
Proxy 5.x Stand-Alone (No Satellite server)*   Oct 31, 2017                Not supported
RED HAT ENTERPRISE LINUX 7.4 WHAT’S NEW
SECURITY & COMPLIANCE
USBGuard: Improving USB security
Policy-based access to USB devices on a system
● Flexible rules for device description
● Whitelist or blacklist by device or class
● Change default behavior for unlisted USB devices
● Update access via CLI
NETWORK BOUND DISK ENCRYPTION
Network Bound Disk Encryption enables encryption and decryption of disks only on a trusted network, making data unusable if removed from the network.
● Network key service (TANG)
● Automated decryption client framework (CLEVIS)
● Dracut unlocker: decrypt during the early boot sequence
IDENTITY MANAGEMENT (IdM)
● Performance improvements across many common workflows
● All IdM workflows available via SmartCard only authentication
● Multiple IdM roles can be linked to SmartCards
● Supported in FIPS mode
CRYPTOGRAPHIC ALGORITHMS
DEPRECATIONS
● SHA-1 hash
● SSL 2.0
● EXPORT cipher suites
● Diffie-Hellman (DH) parameters shorter than 1024 bits
See Release Notes for complete list and affected subsystems.
ADDITIONS
● ChaCha20
See Release Notes for complete list and affected subsystems.
ADDITIONAL FEATURES
ENTERPRISE / CLOUD OPPORTUNISTIC IPSEC
● Define MAY, SHOULD, MUST, MUST_NOT on network ranges
● X.509 authentication from common CA
● Tunnel created on packet send
AUDIT UPDATES
● New subject and session ID filters
● Recording of kernel module names
● Recording the user's terminal on login
● New "normalizer" that translates audit events from the current name=value format into sentence-style logs, for example:
  At 10:09:04 02/13/2017 sgrubb unsuccessfully opened-file /etc/selinux/config using /usr/bin/install
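The sentence above is the normalizer's output form. As an added example (not the auditd normalizer and not code from the deck), the sh/awk script below performs the same translation on two constructed name=value records: it joins the SYSCALL and PATH records of an event on the id inside msg=audit(SECS.MS:ID), resolves auid through a constructed passwd file, and handles only open(2) on x86_64 (syscall=2).

```shell
#!/bin/sh
# Added example (not from the deck, not the auditd normalizer): a minimal
# sh/awk rendering of the name=value -> sentence translation the slide
# describes. Only open(2) (syscall=2 on x86_64) is handled; the records
# and the passwd map are constructed; times are rendered in UTC via GNU date.
AUDIT_SAMPLE='type=SYSCALL msg=audit(1486980544.123:4321): arch=c000003e syscall=2 success=no exit=-13 items=1 ppid=3001 pid=3002 auid=1000 uid=1000 gid=1000 comm="install" exe="/usr/bin/install" key=(null)
type=CWD msg=audit(1486980544.123:4321):  cwd="/home/sgrubb"
type=PATH msg=audit(1486980544.123:4321): item=0 name="/etc/selinux/config" inode=1234 dev=fd:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1486980601.500:4322): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=3001 pid=3005 auid=1000 uid=0 gid=0 comm="cat" exe="/usr/bin/cat" key=(null)
type=PATH msg=audit(1486980601.500:4322): item=0 name="/etc/hosts" inode=99 dev=fd:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL'

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
sgrubb:x:1000:1000::/home/sgrubb:/bin/bash'

# normalize_audit <passwd-file>: reads audit records on stdin and prints,
# sorted by time, one line per complete open(2) event:
#   At HH:MM:SS MM/DD/YYYY <user> (un)successfully opened-file <path> using <exe>
normalize_audit() {
    awk -v passwd="$1" '
    BEGIN {   # uid -> login name, from the passwd file given
        while ((getline line < passwd) > 0) { split(line, f, ":"); user[f[3]] = f[1] }
    }
    # field(key): value of " key=..." on the current record, quotes stripped.
    function field(key,   k) {
        k = length(key)
        if (match($0, " " key "=\"[^\"]*\""))
            return substr($0, RSTART + k + 3, RLENGTH - k - 4)
        if (match($0, " " key "=[^ ]*"))
            return substr($0, RSTART + k + 2, RLENGTH - k - 2)
        return ""
    }
    {
        match($0, /audit\([0-9.]+:[0-9]+\)/)
        split(substr($0, RSTART + 6, RLENGTH - 7), p, ":")   # p[1]=SECS.MS p[2]=ID
        id = p[2]; secs[id] = int(p[1])
        if ($1 == "type=SYSCALL" && field("syscall") == "2") {
            auid[id] = field("auid"); ok[id] = field("success"); exe[id] = field("exe")
        } else if ($1 == "type=PATH" && field("item") == "0") {
            name[id] = field("name")
        }
    }
    END {
        for (id in auid) {
            if (!(id in name)) continue              # incomplete event, skip it
            cmd = "date -u -d @" secs[id] " +\"%H:%M:%S %m/%d/%Y\""
            cmd | getline when; close(cmd)
            u = (auid[id] in user) ? user[auid[id]] : auid[id]
            verb = (ok[id] == "yes") ? "successfully" : "unsuccessfully"
            printf "At %s %s %s opened-file %s using %s\n", when, u, verb, name[id], exe[id]
        }
    }' | sort
}

# demo_normalize: run the normalizer over the constructed sample.
demo_normalize() {
    pw=$(mktemp)
    printf '%s\n' "$PASSWD_SAMPLE" > "$pw"
    printf '%s\n' "$AUDIT_SAMPLE" | normalize_audit "$pw"
    rm -f "$pw"
}

demo_normalize
```

The second record shows why auid (the login uid) rather than uid is the subject: the process runs as uid=0 but is attributed to sgrubb.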
KASLR (Tech Preview)
Kernel Address Space Layout Randomization (KASLR) allows the kernel to randomize the physical and virtual address at which vmlinuz is decompressed, a security feature that deters exploit attempts relying on knowledge of the location of kernel internals.
GLIBC Malloc protection
Developers using the glibc malloc family of APIs to dynamically allocate memory receive the added benefit of additional security hardening against 1-byte buffer overflows, at almost zero performance cost.
TPM 2.0 (Tech Preview)
TPM 2.0 is an advanced hardware-based security and crypto processor. The TPM 2.0 userspace adds a higher-level API, making it easier to use the security capabilities provided by the TPM 2.0 hardware and low-level API.
ADDITIONAL FEATURES
PERFORMANCE
NVMe OVER FABRIC
NVMe improves SSD access; NVMe over Fabric extends that access to storage arrays.
LVM / DM CACHE IMPROVEMENTS
Improvements include:
● Better adaptability to changing workloads
● Larger cache sizes
● Overall performance increases
REDUCED BOOT TIMES
2x improvement in start-up. Critical for scaling and availability.
CLOUD PERFORMANCE ENHANCEMENTS
ELASTIC NETWORK ADAPTER SUPPORT
● Next-gen network adapter in EC2
● Enables up to 20Gbps on certain AWS instance types
ELASTIC VOLUME SUPPORT
● AWS EBS volumes can be modified online: IOPS, Volume Type, Size (increase only)
● RHEL allows for online resizing
MANAGEMENT & AUTOMATION
COCKPIT
Cockpit provides an easy-to-use interactive admin interface with minimal footprint
● No state separate from the server
● Integrates with tools like Performance Co-Pilot
● Simple management for subsystems like network or storage via system APIs
● Access to multiple tools like diagnostic reports, logs, and SELinux
NETWORK MANAGER UPDATES
Network Manager is now more modular
● Supports extended route options for firewall and route table setup
● MACsec for L2 VPNs
● Improved DNS, DHCP configuration visibility
● Dynamic configuration of ethernet interface options
INTRODUCING RHEL SYSTEM ROLES POWERED BY ANSIBLE (TECH PREVIEW IN RHEL 7.4)
Automation is key today

RHEL6                   RHEL7
Upstart                 SystemD
Initscript networking   Network Manager*
NTPD                    ChronyD
yum groupinfo           yum group info
Iptables                FirewallD
-                       TeamD
Red Hat Enterprise Linux System Roles
Conceptually a “System API” to Linux subsystems
Abstract the configuration from the implementation
Focusing on compatibility with RHEL 6.9+
Useable within other tools
What can we manage?
A collection of Roles and Modules for Ansible
Initial subsystems:
● kdump
● network
● postfix
● selinux
● Timesync
Future targeted subsystems:
● Subscriptions Manager
● Tuned (perf & power tuning)
● Firewall
● SAP HANA & Applications
● Storage
● NFS
● Kerberos & LDAP Authentication
● Bootloader
● more...
Availability
Available in RHEL 7.4 Extras channel as Technology Preview:
● rhel-system-roles-0.2-2.el7.noarch
● ansible-2.3.1.0-3.el7.noarch
Red Hat Customer Portal documentation: https://access.redhat.com/articles/3050101
RED HAT INSIGHTS
"85% of critical issues raised to Red Hat® support are already known to Red Hat or our partners."
— RED HAT GLOBAL SUPPORT SERVICES
WHAT IS RED HAT INSIGHTS?
Red Hat Insights is a predictive IT analytics service that enables customers to proactively identify and automatically resolve infrastructure risks before they impact business operations.
● SaaS
● No infrastructure cost
● Quick setup
● Automated, validated resolutions
● Tailored resolution
● Real-time risk assessment
● Proactive alerts & executive reporting
I.T. OPERATIONAL ANALYTICS (ITOA)
● Descriptive analytics: What happened?
● Diagnostic analytics: Why did it happen?
● Predictive analytics: What will happen?
● Prescriptive analytics: What can we do about it?
Existing tooling named on the slide: Splunk, Sumo Logic, ELK, Graylog, dashboards, log files, journals, r/syslogd (rsyslogd/syslogd).
Insights complements existing monitoring solutions and provides expert prescriptive guidance.
PREDICTIVE, HOW?
DISCOVER: 1,000,000+ solved cases
VALIDATE: 100,000+ unique solutions
RESOLVE
● Continuous identification of new risks.
● Based on real-world results from millions of enterprise deployments.
REMEDIATION MADE SIMPLE
● Automatically tailored recommendations and remediation down to the per-host level.
● Create and share maintenance plans to better coordinate responses within your team.
● Avoid complexity with easy-to-follow issue resolution.
"22% of disasters are caused by human error."
— QUORUM DISASTER RECOVERY REPORT
Example of an Insights-generated remediation playbook (as shown on the slide; the task is cut off in the source):

# Kernel vulnerable to denial of service via Bluetooth stack (CVE-2017-1000251/Blueborne)
# Identifier: (CVE_2017_1000251_kernel_blueborne|KERNEL_CVE_2017_1000251_POSSIBLE_DOS,105,mitigate)
# Version: 38dfe1c055049012a641f311ecdbee9f8a623b78
- name: Disable bluetooth-related kernel modules
  hosts: "web.example.com,db.example.com,satellite.example.com"
  become: true
  vars:
    modules:
      - bnep
      - bluetooth
      - btusb
  tasks:
    # While modules may already be disabled in a different file,
    # create a blacklist file explicitly for this issue.
    - name: Blacklisting bluetooth kernel modules
      lineinfile:
        dest: /etc/modprobe.d/disable-bluetooth.conf
        line: "install {{ item }} /bin/true"
        owner: root
        # ... remaining task parameters truncated in the source
      # Loop over the modules list; implied by "{{ item }}" above but not
      # visible in the truncated slide text.
      with_items: "{{ modules }}"
GET AHEAD OF KEY SECURITY RISKS
Don't wait for your security team to tap you on the shoulder
● Prioritizes security response by analyzing runtime configuration and usage.
● Automates security analysis for customers, beyond just CVEs.
"In the first year when a vulnerability is released, it's likely to be exploited within 40-60 days. However, it takes security teams between 100-120 days on average to remediate existing vulnerabilities."
— KENNA SECURITY GROUP
CVE-2017-14491
HOW DOES INSIGHTS WORK? INTEGRATED INTO TOOLS YOU ALREADY USE
Diagram: registered systems send data (minimal network impact, secure HTTPS traffic, system data anonymization), optionally through an internal proxy, to the Customer Portal, where the analytics engine, rules database and playbook generation run.
MANAGING INFRASTRUCTURE RISK
Insights complements existing monitoring solutions and provides expert prescriptive guidance.
ANALYZE → IDENTIFY → PRIORITIZE → RESOLVE
INTEGRATED INTO TOOLS YOU ALREADY USE
Works on physical, virtual, cloud, and container-based workloads.
Integrated into Satellite 5.7, 6.1+, CloudForms 4.0+, Ansible Tower, and Red Hat Customer Portal. API available for custom integration.
Supported Platforms:
● Red Hat Enterprise Linux 6.4 and higher, RHEL 7 and higher
● Red Hat OpenStack 7 and higher
● Red Hat Virtualization 4 and higher
● Red Hat OpenShift Container Platform
● Red Hat Cloud Infrastructure 6 and higher, and Cloud Suite 6 and higher (included in RHCI/RHCS SKUs)
CONCERNED ABOUT SECURITY?
Very small amount of data, and only data that is needed for rule analysis.
How does Insights secure customer data?
● Data encryption using LUKS
● Data sent over TLS
● Trusted certificate bundled
● Hostname and IP obfuscation available
● System information to be tailored
What data does Insights collect?
● Red Hat Insights collects metadata about the runtime configuration of a system. The data collected is 1% of what would be collected via sosreport during a support case.
● Example files:
  ○ /etc/redhat-release
  ○ /proc/meminfo
  ○ /var/log/messages
● Example commands:
  ○ /bin/rpm -qa
  ○ /bin/uname -a
  ○ /usr/sbin/dmidecode
● Subscribers can blacklist any command, file, or piece of metadata that they prefer not be monitored by Red Hat Insights.
● Insights does not collect the entire messages file, but rather the lines that match a potential rule (e.g. page allocation failure).
CONFIGURATION & LOG FILES
Main configuration file:
● /etc/redhat-access-insights/redhat-access-insights.conf
● See comments in the configuration file for information about each parameter, or run "$ man redhat-access-insights.conf" after installation.
Log files:
● /var/log/redhat-access-insights/redhat-access-insights.log*
● Logs are not collected in sosreport, but that functionality is planned for sosreport.
Obfuscation (redhat-access-insights.conf file):
● Obfuscate IP addresses: obfuscate=True
● Obfuscate hostnames: obfuscate_hostname=True
Blacklist:
● Add items using /etc/redhat-access-insights/remove.conf
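To verify those obfuscation switches before a host uploads, the added example below (not code from the deck or the Insights client) parses the configuration file named above and reports the IP and hostname obfuscation state, a constructed weak configuration next to a hardened one. The [redhat-access-insights] section name, the auto_config key, and the rule that hostname obfuscation only takes effect together with obfuscate=True are assumptions to verify against your client version.

```shell
#!/bin/sh
# Added example (not from the deck or the Insights client): check the
# privacy-relevant switches in redhat-access-insights.conf before a host
# uploads. Both configurations are constructed; the section name, the
# auto_config key and the "hostname obfuscation needs obfuscate=True"
# rule are assumptions.
WEAK_CONF='[redhat-access-insights]
# constructed: shipped-style defaults, nothing obfuscated
auto_config=True
obfuscate=False
obfuscate_hostname=False'

HARDENED_CONF='[redhat-access-insights]
# constructed: IP addresses and hostnames obfuscated before upload
auto_config=True
obfuscate=True
obfuscate_hostname=True'

# conf_get <file> <key>: value of "key = value" (last occurrence wins;
# commented-out lines and surrounding whitespace are ignored).
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1" |
        tail -n 1
}

# is_true <value>: the client reads Python-style booleans.
is_true() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        true|yes|1) return 0 ;;
        *)          return 1 ;;
    esac
}

# obfuscation_status <file>: prints "ip=<on|off> host=<on|off>" and
# returns 0 only when both protections are active.
obfuscation_status() {
    ip_on=off; host_on=off
    is_true "$(conf_get "$1" obfuscate)" && ip_on=on
    # Assumption: obfuscate_hostname=True does nothing unless obfuscate=True.
    if [ "$ip_on" = on ] && is_true "$(conf_get "$1" obfuscate_hostname)"; then
        host_on=on
    fi
    echo "ip=$ip_on host=$host_on"
    [ "$ip_on" = on ] && [ "$host_on" = on ]
}

# demo: the weak configuration next to the hardened one.
demo() {
    w=$(mktemp); h=$(mktemp)
    printf '%s\n' "$WEAK_CONF" > "$w"
    printf '%s\n' "$HARDENED_CONF" > "$h"
    printf 'weak:     %s\n' "$(obfuscation_status "$w")"
    printf 'hardened: %s\n' "$(obfuscation_status "$h")"
    rm -f "$w" "$h"
}

demo
```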
GETTING STARTED
ALREADY A RED HAT® ENTERPRISE LINUX® CUSTOMER? Try Insights at no cost: https://access.redhat.com/insights/getting-started
INTERESTED IN A MANAGEMENT SUITE? Insights is included in Red Hat Cloud Infrastructure and Red Hat Cloud Suite.
WOULD YOU LIKE TO LEARN MORE ABOUT INSIGHTS? https://www.redhat.com/en/technologies/management/insights
For more info, visit: https://access.redhat.com/insights/info
YOUR NO-COST INSIGHTS ASSESSMENT
Run an Insights assessment for 30 days:
1. Work with your account team to get an Insights eval subscription.
2. Install the Red Hat Insights RPM.
3. Register 50+ systems for best view.
4. See results immediately.
5. Schedule a best practices workshop.
See valuable insights in minutes:
1. Activate eval: https://access.redhat.com/insights/evaluation
2. Installation: https://access.redhat.com/insights/getting-started
PERFORMANCE CO-PILOT
What is Performance Co-Pilot (PCP)?
● Open source toolkit
● System-level analysis
● Live and historical
● Extensible (monitors, collectors)
● Distributed
● Cross platform
History
● R&D project, started approx. 20 years ago
PCP Basics: Agents and Daemons
At the core we have two basic components:
1. Performance Metric Domain Agents (agents)
2. Performance Metric Collection Daemon (PMCD)
Architecture (diagram): collectors (App, Mailq, DB, Kernel) feed PMCD; monitors (pmlogger, pmchart, pmie) consume metrics from PMCD.
Useful reading on PCP
How do I install Performance Co-Pilot (PCP) on my RHEL server: https://access.redhat.com/solutions/1137023
Installing and using the pcp-zeroconf package for Performance Co-Pilot (PCP): https://access.redhat.com/articles/3115691
Introduction to storage performance analysis with PCP: https://access.redhat.com/articles/2450251
Side-by-side comparison of PCP tools with legacy tools: https://access.redhat.com/articles/2372811
Performance Co-Pilot User's and Administrator's Guide: http://pcp.io/doc/pcp-users-and-administrators-guide.pdf
Index of Performance Co-Pilot (PCP) articles, solutions, tutorials and white papers: https://access.redhat.com/articles/1145953
Questions ?
THANK YOU
plus.google.com/+RedHat
linkedin.com/company/red-hat
youtube.com/user/RedHatVideos
facebook.com/redhatinc
twitter.com/RedHatNews