Tower supports integration with Red Hat Insights. Once a host is registered with Insights, it will be continually scanned for vulnerabilities and known configuration conflicts. Each of the found problems may have an associated fix in the form of an Ansible playbook. Insights users create a maintenance plan to group the fixes and, ultimately, create a playbook to mitigate the problems. Tower tracks the maintenance plan playbooks via an Insights project in Tower. Authentication to Insights via Basic Auth, from Tower, is backed by a special Insights Credential, which must first be established in Tower. To ultimately run an Insights Maintenance Plan in Tower, you need an Insights project, an inventory, and a Scan Job template.
To create a new credential for use with Insights:
Click the Credentials icon from the left navigation bar to access the Credentials page.
Click the button located in the upper right corner of the Credentials screen.
Enter the name of the credential to be used in the Name field.
Optionally enter a description for this credential in the Description field.
In the Organization field, optionally enter the name of the organization with which the credential is associated, or click the button and select it from the pop-up window.
In the Credential Type field, enter Insights or click the button and select it from the credential type pop-up window.
Enter a valid Insights credential in the Username and Password fields. The Insights credential is the user’s Red Hat Customer Portal account username and password.
Click Save when done.
To create a new Insights project:
Click the Projects icon from the left navigation bar to access the Projects page.
Click the button located in the upper right corner of the Projects screen.
Enter the appropriate details into the required fields, at minimum. Note the following fields requiring specific Insights-related entries:
Name: Enter the name for your Insights project.
Organization: Enter the name of the organization associated with this project, or click the button and select it from the pop-up window.
SCM Type: Select Red Hat Insights.
Upon selecting the SCM type, the Source Details field expands.
The Credential field is pre-populated with the Insights credential you previously created. If not, enter the credential, or click the button and select it from the pop-up window.
Click to select the update option(s) for this project from the Options field, and provide any additional values, if applicable. For information about each option, click the Help button next to the options.
Click Save when done.
All SCM/Project syncs occur automatically the first time you save a new project. However, if you want them to be updated to what is current in Insights, manually update the SCM-based project by clicking the button under the project’s available Actions.
This process syncs your Tower Insights project with your Insights account solution. Notice that the status dot beside the name of the project updates once the sync has run.
The Insights playbook contains a hosts: line where the value is the hostname that Insights itself knows about, which may be different than the hostname that Tower knows about. Therefore, make sure that the hostnames in the Tower inventory match up with the system in the Red Hat Insights Portal.
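A pre-flight check for the hostname mismatch described above, as an added example that is not part of the original documentation or of Tower itself. It assumes the playbook's hosts: value is a single name or a comma-separated list; the playbook text, host names and function names are constructed for illustration.

```python
import re

# Constructed sample of an Insights-style playbook (not from a real account).
SAMPLE_PLAYBOOK = """\
- name: Apply kernel update
  hosts: "web01.example.com,db01.example.com"
  become: true
  tasks: []
- name: Fix sshd config
  hosts: DB01.example.com, cache01.example.com
  become: true
  tasks: []
"""

# Matches "hosts: value" and "- hosts: value" at play level.
HOSTS_LINE = re.compile(r"^\s*(?:-\s+)?hosts:\s*(.+?)\s*$", re.MULTILINE)

def playbook_hosts(playbook_text):
    """Return the set of host names found on every hosts: line."""
    found = set()
    for value in HOSTS_LINE.findall(playbook_text):
        value = value.strip("\"'")
        # Assumption: multiple hosts are comma-separated.
        found.update(h.strip() for h in value.split(",") if h.strip())
    return found

def compare_hosts(playbook_text, tower_hosts):
    """Classify each playbook host against the Tower inventory host names."""
    exact = set(tower_hosts)
    by_lower = {h.lower(): h for h in tower_hosts}
    by_short = {h.split(".")[0].lower(): h for h in tower_hosts}
    report = {"matched": [], "case_mismatch": [], "short_name_only": [], "missing": []}
    for host in sorted(playbook_hosts(playbook_text)):
        short = host.split(".")[0].lower()
        if host in exact:
            report["matched"].append(host)
        elif host.lower() in by_lower:      # same name, different case
            report["case_mismatch"].append((host, by_lower[host.lower()]))
        elif short in by_short:             # FQDN vs. short name
            report["short_name_only"].append((host, by_short[short]))
        else:                               # not in the Tower inventory at all
            report["missing"].append(host)
    return report

if __name__ == "__main__":
    tower_inventory = ["web01.example.com", "db01.example.com", "cache01"]
    for kind, hosts in compare_hosts(SAMPLE_PLAYBOOK, tower_inventory).items():
        print(kind, hosts)
```

Any host reported outside the matched list should be renamed in the Tower inventory to the name shown in the Red Hat Insights Portal before the Maintenance Plan playbook is run.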
To create a new inventory for use with Insights:
Click the Inventories icon from the left navigation bar to access the Inventories page.
Click the button and select Inventory from the drop-down menu list to launch a New Inventory window.
Enter the name and organization to be used in their respective fields.
In the Insights Credential field, enter the name of the Insights credential you previously created, or click the button and select it from the pop-up window.
Click Save and proceed to add a host.
Note
Typically, your inventory already contains Insights hosts. Tower just doesn’t know about them yet. The Insights credential allows Tower to get information from Insights about an Insights host. Tower can also identify a host as an Insights host without an Insights credential, with the help of the scan_facts.yml file. For instructions, refer to the Create a Scan Job Template section.
Click the Hosts tab and click the button to open the Create Host dialog.
Enter the name in the Host Name field associated with the Insights host that will be used.
Click Save when done.
In order for Tower to utilize Insights Maintenance Plans, it must have visibility to them. Create and run a scan job against the inventory using a stock manual scan playbook.
Click the Projects icon from the left navigation bar to access the Projects page.
Click the button located in the upper right corner of the Projects screen.
Enter the appropriate details into the required fields, at minimum. Note the following fields requiring specific Insights-related entries:
Name: Enter the name for your scan project.
Organization: The name of the organization is pre-populated with the organization you chose from creating the inventory.
SCM Type: Select Git.
Upon selecting the SCM type, the Source Details field expands.
In the SCM URL field, enter https://github.com/ansible/awx-facts-playbooks. This is the location where the scan job template is stored.
Click to select the update option(s) for this project from the Options field, and provide any additional values, if applicable. For information about each option, click the Help button next to the options.
Click Save when done.
All SCM/Project syncs occur automatically the first time you save a new project. However, if you want them to be updated to what is current in Insights, manually update the SCM-based project by clicking the button under the project’s available Actions.
Syncing imports into Tower any Maintenance Plans in your Insights account that have a playbook solution. It will use the default Plan resolution. Notice that the status dot beside the name of the project updates once the sync has run.
Create a scan job template that uses the fact scan playbook:
Click the Templates icon from the left navigation bar to access the Templates page.
Click the button and select Job Template from the drop-down menu list to launch a New Job Template window.
Enter the appropriate details into the required fields, at minimum. Note the following fields requiring specific Insights-related entries:
Name: Enter the name of your scan job.
Job Type: Choose Run from the drop-down menu list.
Inventory: Enter the name of the Insights inventory, or click the button and select it from the pop-up window.
Project: Enter the name of the Scan project you previously created, or click the button and select it from the pop-up window.
Playbook: Select scan_facts.yml from the drop-down menu list. This is the playbook associated with the Scan project you previously set up.
Credential: Enter the credential to use for this project or click the button and select it from the pop-up window. The credential does not have to be an Insights credential.
Verbosity: Keep the default setting, or select the desired verbosity from the drop-down menu list.
Click to select Enable Privilege Escalation and Enable Fact Cache from the Options field.
A scan job template for Insights should be launched with the Privilege Escalation option enabled so that the job can read /etc/redhat-access-insights/machine-id as the root user and obtain the value of system_id from the target host. This activates the Insights button on the Host, which is needed to remediate the Insights inventory. Otherwise, the system_id parameter in the result of your scan job is set to null and the Insights button will not appear.
Click Save when done.
Click the icon to launch the scan job template.
Once complete, the job results display in the Job Details page.
Remediation of an Insights inventory allows Tower to run Insights playbooks with a single click.
Click the Inventories icon from the left navigation bar to access the Inventories page.
In the list of inventories, click to open the details of your Insights inventory.
Click the Hosts tab to access the Insights hosts that have been loaded from the scan process.
Click to open the host that was loaded from Insights.
Notice the Insights tab is now shown on the Hosts page. This indicates that Insights and Tower have reconciled the inventories and that Tower is now set up for one-click Insights playbook runs.
Click Insights.
The screen populates with a list of issues and shows whether or not each issue can be resolved with a playbook.
Scroll down to the bottom of the Insights inventory page, and click the Remediate Inventory button to update hosts in the inventory.
Upon remediation, the New Job Template window opens. Notice the Inventory and Project fields are pre-populated.
Use this new job template to create a job template that pulls Maintenance Plans from Insights.
Enter the appropriate details into the required fields, at minimum. Note the following fields requiring specific Insights-related entries:
Name: Enter the name of your Maintenance Plan.
Job Type: If not already populated, select Run from the drop-down menu list.
Inventory: This field is pre-populated with the Insights inventory you previously created.
Project: This field is pre-populated with the Insights project you previously created.
Playbook: Select a playbook associated with the Maintenance Plan you want to run from the drop-down menu list.
Credential: Enter the credential to use for this project or click the button and select it from the pop-up window. The credential does not have to be an Insights credential.
Verbosity: Keep the default setting, or select the desired verbosity from the drop-down menu list.
Click Save when done.
Click the icon to launch the job template.
Once complete, the job results display in the Job Details page.