Managing devices

Red Hat Edge Manager 1.2

Managing Red Hat Edge Manager devices

Red Hat Edge Manager Documentation Team

Abstract

This document provides information about managing Red Hat Edge Manager devices

Preface

Enroll, label, update, and configure devices and related repositories in Red Hat Edge Manager.

Chapter 1. Managing devices

You can manage your devices individually or in a fleet. The Red Hat Edge Manager allows you to manage a whole fleet of devices as a single object instead of managing many devices individually.

You only need to specify the desired configuration once and then the Red Hat Edge Manager applies the configuration to all devices in the fleet.

Understanding individual device management is the foundation for managing devices in a fleet. You might want to manage your devices individually in the following scenarios:

  • If a few devices have significantly different configurations.
  • If you use external automation for updating the devices.

Required access: Cluster administrator

The following documentation focuses on managing individual devices:

  • Enrolling devices
  • Reporting system information from the agent
  • Device alias and enrollment labels
  • View device inventory and device details
  • Viewing, streaming, and downloading device logs in the web console
  • Decommissioning devices
  • Labels and label selectors
  • Updating labels using the CLI
  • Updating the operating system
  • Operating system configuration for edge devices
  • Automatic synchronization of external configuration
  • Using the Software Catalog
  • Publishing an image build to the Software Catalog
  • Image and artifact pruning
  • Vulnerability management
  • Configuring a device to auto-register MicroShift clusters

To learn more about managing your devices in a fleet, see Managing device fleets in the Additional resources section.

1.1. Enrolling devices

To manage your devices with Red Hat Edge Manager, you must enroll the devices to the Red Hat Edge Manager service.

The first time Red Hat Edge Manager agents runs on a device, the agent prepares for the enrollment process by generating a cryptographic key pair. The cryptographic key pair of the device consists of a public and a private key. The private key never leaves the device, so that the device cannot be duplicated or impersonated. The key pair is registered with the Red Hat Edge Manager service during enrollment and is deleted during decommissioning of the device.

When the device is not yet enrolled, the agent performs service discovery to find its Red Hat Edge Manager service instance. Then, the device establishes a secure, mTLS-protected network connection to the service. The device uses its X.509 enrollment certificate that the device acquired during image building or device provisioning. The device submits an enrollment request to the service that includes the following:

  • a description of the device hardware and operating system
  • an X.509 Certificate Signing Request which includes the cryptographic identity of the device to obtain the initial management certificate
  • labels proposed by the agent, including a default device alias when the agent configuration does not specify otherwise

The device is not considered trusted and remains quarantined in a device lobby until an authorized user approves or denies the request.

For more information, read the following sections:

  • Reporting system information from the agent
  • Device alias and enrollment labels
  • Device enrollment
  • Optional: Requesting an enrollment certificate for early binding

Prerequisites

  • You must install the Flight Control CLI. See Installing the Flight Control CLI in the Additional resources section.
  • You must log in to the Red Hat Edge Manager service.

Enrolling devices using the Flight Control CLI

You must enroll devices into the Red Hat Edge Manager service before you can manage them. Complete the following steps:

  1. List all devices that are currently waiting for approval by running the following command:

    flightctl get enrollmentrequests --field-selector="status.approval.approved != true"

    See the following example output:

    NAME           APPROVAL  APPROVER  APPROVED LABELS
    <device_name>  Pending   <none>    <none>

    Note: The unique device name is generated by the agent and cannot be changed. The agent chooses a base32-encoded hash of its public key as device name.

  2. Approve an enrollment request by specifying the name of the enrollment request. The agent typically includes a default alias label and any labels configured in the agent config.yaml. Optionally, you can add labels to the device by using the --label or -l flags. By default, approval labels are merged with agent-provided labels; use --replace-labels to apply only the labels you specify.

    Note: This merge behavior applies to CLI approval only. In the web console, the enrolled device receives exactly the alias and labels shown in the approval modal. For more information, see Approving with the Flight Control web console in the Additional resources section.

    For more information about system information reporting, enrollment labels, and approval behavior, see Reporting system information from the agent and Device alias and enrollment labels in the Additional resources section. See the following example:

    flightctl approve -l region=eu-west-1 -l site=factory-berlin enrollmentrequest/54shovu028bvj6stkovjcvovjgo0r48618khdd5huhdjfn6raskg

    See the following example output:

    NAME           APPROVAL  APPROVER  APPROVED LABELS
    <device_name>  Approved  user      region=eu-west-1,site=factory-berlin

After you approve the enrollment request, the service issues the management certificate and registers the device in the inventory. The device appears in the inventory with its alias in the ALIAS column when the agent assigned an alias label during enrollment. The device is now ready to be managed.

1.2. Reporting system information from the agent

The Red Hat Edge Manager agent collects built-in and custom system information from each device and reports it in device status under status.systemInfo. You configure which fields are collected independently of device labels. Labels are optional consumers of that data at enrollment time.

System information and device labels

System information collection and enrollment labels are configured independently:

  • System information (system-info, system-info-custom): Controls what the agent collects and reports in status.systemInfo (including customInfo for user-defined collectors).
  • Enrollment labels (default-labels, label-from-systeminfo): Controls which labels the agent requests when it enrolls the device. Mapping with label-from-systeminfo reads values that you have already enabled for collection.

You do not need to map system information to labels for the agent to report it in device status. For enrollment-time labels, including the device alias, see Device alias and enrollment labels in the Additional resources section.

Agent configuration for system information

The agent reads system information settings from /etc/flightctl/config.yaml. You can override supported keys with drop-in files under /etc/flightctl/conf.d/. Drop-in files currently support log-level, system-info, system-info-custom, system-info-timeout, and label-from-systeminfo.

The following parameters control system information collection:

ParameterDescription

system-info

Built-in and managed system information fields to include in device status updates beyond the always-reported core fields (architecture, operatingSystem, agentVersion, bootID). Default: hostname, kernel, distroName, distroVersion, productName, productUuid, productSerial, netInterfaceDefault, netIpDefault, netMacDefault, managementCertNotAfter, managementCertSerial, tpmVendorInfo. See Built-in system information fields and Managed system information collectors in the Additional resources section.

system-info-custom

Keys for custom collectors whose executables live under /usr/lib/flightctl/custom-info.d/. Reported values appear under status.systemInfo.customInfo. See Custom system information collectors in the Additional resources section.

system-info-timeout

Maximum time allowed to collect system information. Default: 2m.

Inspecting collected system information

On the device, list the values that built-in and custom collectors return:

sudo flightctl-agent system-info | jq '.'

After enrollment, view reported system information in the device resource. For example:

flightctl get device/<device_name> -o yaml

The status.systemInfo section includes core fields and any fields you enabled with system-info or system-info-custom. For more information about viewing device status, see View device inventory and device details in the Additional resources section.

Built-in system information fields

You can enable additional built-in collectors by listing their keys under system-info in config.yaml.

FieldDescription

hostname

System hostname

kernel

Running Linux kernel version

distroName

Operating system distribution name

distroVersion

Operating system distribution version

productName

Product or model name (from DMI data)

productSerial

Hardware serial number (if available)

productUuid

UUID of the system board or chassis

biosVendor

BIOS or firmware vendor

biosVersion

BIOS or firmware version

netInterfaceDefault

Default network interface name

netIpDefault

First usable IP address on the default network interface

netMacDefault

MAC address of the default network interface

gpu

Detected GPU devices

memoryTotalKb

Total RAM in kilobytes

cpuCores

Number of physical CPU cores

cpuProcessors

Number of logical processors

cpuModel

CPU vendor and model name

The following example enables a subset of built-in fields:

system-info: [hostname, kernel, distroName, distroVersion]

Managed system information collectors

The agent populates the following fields internally. They reflect agent lifecycle state and update only when the underlying state changes, such as certificate rotation or TPM initialization:

FieldDescription

managementCertSerial

Serial number of the active device management certificate

managementCertNotAfter

Expiration time (NotAfter) of the active device management certificate

tpmVendorInfo

TPM vendor information derived from the device TPM manufacturer data

These fields follow the same configuration and reporting semantics as built-in collectors. Include or exclude them from device status by listing them under system-info in config.yaml. They are included in the default system-info list.

Custom system information collectors

Custom collectors let you report site-specific or application-specific values under status.systemInfo.customInfo.

To add a custom field:

  1. Create an executable script named after the collector key in /usr/lib/flightctl/custom-info.d/. The script must print a single line of output (the value).
  2. Add the key to system-info-custom in /etc/flightctl/config.yaml.

Custom keys must be camelCase with no spaces or special characters. Script file names may be camelCase or lowercase.

The following example reports FIPS mode status:

  1. Create /usr/lib/flightctl/custom-info.d/fips with executable permissions:

    #!/bin/sh
    
    fips-mode-setup --is-enabled
    case $? in
        0) echo "enabled";;
        1) echo "inconsistent";;
        2) echo "disabled";;
        *) echo "unknown";;
    esac
  2. Enable the collector in config.yaml:

    system-info-custom: [fips]

Reported device status includes:

status:
  systemInfo:
    customInfo:
      fips: disabled

To map custom values to enrollment labels, enable the collector first, then use the customInfo.<key> syntax in label-from-systeminfo. For more information, see Enrollment-time label mapping in the Additional resources section.

1.3. Device alias and enrollment labels

During enrollment, the Red Hat Edge Manager agent can assign a human-readable device alias and other labels automatically. You can configure how the alias is derived before enrollment, view the proposed alias when approving a device, and change the alias after the device is enrolled.

Device alias and device name

Each enrolled device has two identifiers:

  • Device name (metadata.name): A unique, immutable name that the agent generates from its public key. You cannot change the device name.
  • Device alias (alias label): A human-readable name shown in the ALIAS column of the Flight Control CLI and web console. The alias is stored as the alias label on the device and must follow Kubernetes label value rules.

If you do not configure the agent to set the alias explicitly, the agent assigns alias from the device hostname when it submits the enrollment request.

Enrollment-time labels on the agent

The agent reads optional label settings from /etc/flightctl/config.yaml. You can also override supported keys with drop-in files under /etc/flightctl/conf.d/; see Agent configuration for system information in the Additional resources section. During enrollment, the agent includes requested labels in the enrollment request.

Enrollment labels are separate from system information collection. The agent reports system information in device status regardless of label configuration. When you use label-from-systeminfo, the agent reads values from fields that you enabled with system-info or system-info-custom. For more information, see Reporting system information from the agent in the Additional resources section.

The following configuration parameters control enrollment labels:

ParameterDescription

default-labels

Labels (key: value pairs) that the agent requests for the device during enrollment. Label values must be valid Kubernetes labels. Invalid values are skipped and logged. Highest precedence when the same key is defined elsewhere.

label-from-systeminfo

Maps system information fields to device labels at enrollment time. Values from system info are sanitized to meet Kubernetes label requirements (invalid characters become hyphens; values longer than 63 characters are truncated). The source fields must be enabled under system-info or system-info-custom. See Enrollment-time label mapping and Reporting system information from the agent in the Additional resources section.

Default alias behavior

The agent sets the alias label at enrollment using the first applicable source in the following order:

  1. default-labels — set alias to a fixed value (highest precedence)
  2. label-from-systeminfo — map alias to a system information field
  3. Device hostname — if you do not set alias in default-labels or label-from-systeminfo, the agent uses the device hostname

The alias appears in the device inventory after enrollment approval.

To set a fixed alias, add it to default-labels:

default-labels:
  alias: edge-factory-01

To set the alias from a system information field, map alias in label-from-systeminfo. For example, to use a custom product name collector:

system-info-custom: [productName]
label-from-systeminfo:
  alias: customInfo.productName

Ensure productName is enabled in system-info-custom and the collector exists under /usr/lib/flightctl/custom-info.d/ before you map it to a label.

Enrollment-time label mapping

During enrollment, the agent applies configured default-labels and maps collected system information to labels with label-from-systeminfo, then includes the resulting labels in the enrollment request. After approval, those labels become part of the device metadata. You can use them in fleet selectors and fleet template placeholders the same way as manually assigned labels. For more information, see Example: fleet selection from system information and Device selection into a fleet in the Additional resources section.

You can map built-in system information fields to labels by using the field name on the right side of the mapping. The label name on the left can be any valid Kubernetes label key. Enable the field under system-info if it is not in the default collection list. For built-in field names, see Built-in system information fields in the Additional resources section.

label-from-systeminfo:
  arch: architecture
  os-name: distroName
  os-version: distroVersion

Label values come from the mapped system information fields on each device. Values that contain spaces or special characters are sanitized automatically before enrollment. See Label validation and sanitization for an example using distroName.

You can map custom system information by using the customInfo. prefix. Enable each key under system-info-custom first. For more information, see Custom system information collectors in the Additional resources section.

system-info-custom: [region, siteId]
label-from-systeminfo:
  region: customInfo.region
  site: customInfo.siteId

Example: fleet selection from system information

The following example assigns devices to fleets based on a custom protocol collector and CPU architecture. First, create /usr/lib/flightctl/custom-info.d/waysideProtocol with executable permissions:

#!/bin/bash
cat /etc/wayside/protocol.txt

Then configure the agent to collect the custom field and map it to labels at enrollment:

system-info-custom: [waysideProtocol]
label-from-systeminfo:
  protocol: customInfo.waysideProtocol
  arch: architecture
default-labels:
  env: production

With this configuration, each device receives labels such as protocol=Wayside-Protocol-A, arch=amd64, and env=production. When you do not set alias in default-labels or map it in label-from-systeminfo, the agent also requests alias from the device hostname (for example, alias=edge-host-01). Define a fleet that selects devices by protocol:

apiVersion: flightctl.io/v1beta1
kind: Fleet
metadata:
  name: wayside-protocol-a
spec:
  selector:
    matchLabels:
      protocol: Wayside-Protocol-A
[...]

Before you apply the fleet, verify that the selector returns the expected devices:

flightctl get devices -l protocol=Wayside-Protocol-A -l env=production

For more information about fleet selectors, see Selecting devices into a fleet by using the CLI in the Additional resources section.

Label precedence at enrollment

When the same label key is defined in more than one place, labels are applied in the following order (highest to lowest precedence):

  1. default-labels
  2. label-from-systeminfo
  3. Default alias=hostname (only when alias is not set in default-labels or label-from-systeminfo)
default-labels:
  env: production
label-from-systeminfo:
  env: customInfo.env
  region: customInfo.region

In this example, the device has env=production from default-labels. The env mapping from label-from-systeminfo is ignored. The device still receives region from custom info and alias from the hostname unless you set alias in default-labels or map it in label-from-systeminfo.

Label validation and sanitization

Values mapped with label-from-systeminfo are sanitized automatically so they meet Kubernetes label requirements. Spaces and special characters become hyphens, leading and trailing non-alphanumeric characters are removed, and values longer than 63 characters are truncated. For example, a distroName value of Red Hat Enterprise Linux becomes the label value Red-Hat-Enterprise-Linux.

Values in default-labels are validated but not modified. Invalid default-labels values are skipped and logged so enrollment can continue; fix the agent configuration if labels are missing after enrollment.

Long hostnames or other source values can exceed the 63-character label limit. The agent truncates or sanitizes values so the alias label remains valid. If a value cannot be sanitized into a valid label, the label is skipped and a warning is logged.

Alias and labels during enrollment approval

The enrollment request includes labels that the agent proposed, including the default or configured alias.

Approving with the Flight Control CLI

When you approve an enrollment request with the Flight Control CLI, you can add labels with the --label or -l flags.

By default, labels you specify at approval are merged with agent-provided labels (from default-labels, label-from-systeminfo, and the default hostname alias). Approval labels take precedence when the same key is defined in both places. For example:

flightctl approve -l region=eu-west-1 -l site=factory-berlin enrollmentrequest/<enrollment_request_name>

To set the exact label set on the device and ignore all agent-provided labels, use the --replace-labels flag. To apply no labels at approval, use --replace-labels without -l. For example:

flightctl approve -l env=production --replace-labels enrollmentrequest/<enrollment_request_name>
flightctl approve --replace-labels enrollmentrequest/<enrollment_request_name>

After approval, verify the device alias in the inventory:

flightctl get devices

See the following example output:

NAME           ALIAS              OWNER   SYSTEM  UPDATED     APPLICATIONS  LAST SEEN
<device_name>  edge-host-01       <none>  Online  Up-to-date  <none>        3 seconds ago

Approving with the Flight Control web console

In the Flight Control web console, open pending enrollment requests to review device metadata in the Approve pending device modal. The modal shows the alias in its own field and any other labels from the enrollment request in the Labels section. You can edit or remove those labels and add additional labels before you approve. When you approve the request, the enrolled device receives exactly the alias and labels shown in the modal. Label merging does not apply in the console; this behavior matches the CLI --replace-labels flag, not the default CLI merge behavior.

Changing the alias after enrollment

To change a device alias after enrollment, update the alias label on the device. For more information, see Updating labels using the CLI in the Additional resources section.

To search devices by alias or device name, use the metadata.nameOrAlias or metadata.alias field selectors. For more information, see Field selectors in the Additional resources section.

Including enrollment label configuration in an image

When you build an operating system image with early binding, you can add label-from-systeminfo, default-labels, system-info, system-info-custom, and related settings to the agent config.yaml that you embed in the image. For more information, see Optional: Requesting an enrollment certificate for early binding in the Additional resources section.

1.4. Viewing devices

To obtain more information about the devices in your inventory, you can use the Flight Control CLI or the Flight Control web console.

Each device has a unique device name and when configured at enrollment, a human-readable alias shown in the ALIAS column.

In the web console, open a device from the inventory to review status and to access the Logs tab for journal and file-based device logs. For log viewing, streaming, and download steps, see Viewing, streaming, and downloading device logs in the web console in the Additional resources section.

Prerequisites

  • You must install the Flight Control CLI. See Installing the Red Hat Edge Manager CLI in the Additional resources section.
  • You must log in to the Red Hat Edge Manager service.
  • You must enroll at least one device.

View device inventory and device details

When vulnerability reporting is enabled, you can review a paginated table of CVEs affecting the device in the Security overview card on the device details page. For more information, see View vulnerabilities on a device in the Additional resources section.

View devices in your device inventory. Complete the following steps:

  1. View the devices in the device inventory by running the following command:

    flightctl get devices

    See the following example output:

    NAME           ALIAS         OWNER   SYSTEM  UPDATED     APPLICATIONS  LAST SEEN
    <device_name>  edge-host-01  <none>  Online  Up-to-date  <none>        3 seconds ago

The ALIAS column shows the device alias label. If no alias was assigned, the column shows <none>. For more information about how aliases are set during enrollment, see Device alias and enrollment labels in the Additional resources section.

  1. View the details of this device in YAML format by running the following command:

    flightctl get device/<device_name> -o yaml

    See the following example output:

    apiVersion: flightctl.io/v1alpha1
    kind: Device
    metadata:
      name: <device_name>
      labels:
        alias: edge-host-01
        region: eu-west-1
        site: factory-berlin
    spec:
      os:
        image: registry.example.com/edge/rhel:9.5
      config:
        - name: my-os-configuration
          gitRef:
            path: /configuration
            repository: my-configuration-repo
            targetRevision: production
    status:
      os:
        image: registry.example.com/edge/rhel:9.5
      config:
        renderedVersion: "1"
      applications: []
      applicationsSummary:
        status: Unknown
      resources:
        cpu: Healthy
        disk: Healthy
        memory: Healthy
      systemInfo:
        architecture: amd64
        bootID: 037750f7-f293-4c5b-b06e-481eef4e883f
        operatingSystem: linux
      summary:
        info: ""
        status: Online
      updated:
        status: UpToDate
      dependencySync:
        configRefs:
        - configProviderName: my-os-configuration
          fingerprint: abc123def4567890
          lastUpdatedAt: "2026-05-21T10:00:00Z"
    [...]

The status.systemInfo section always includes core fields such as architecture and operatingSystem. Additional built-in and custom fields appear when you enable them in the agent system-info and system-info-custom configuration. For more information, see Reporting system information from the agent in the Additional resources section.

When the device references Git, HTTP, or Kubernetes secret configuration providers, status.dependencySync.configRefs shows the upstream fingerprint last applied to the device. For more information, see Sync status on devices in the Additional resources section.

Device update status and update state

The status.updated.status field indicates whether the device’s running OS and configuration match the device spec. It can have the following values:

ValueDescription

UpToDate

The device matches its device spec (and, if in a fleet, the fleet template version).

Updating

The device is currently applying an update.

OutOfDate

The device is not updating and does not match its device spec, or (if in a fleet) is not yet on the fleet template version.

Unknown

The agent has not reported status, or the last reported status was Updating and the device has been disconnected since.

When an update is in progress, status.conditions includes an Updating condition whose reason field indicates the current phase. After a failed update and rollback, the reason is Error; the device has returned to the previous OS version and the agent will not retry that failed version automatically. The following update states can appear:

Update stateDescription

Preparing

The agent is validating the spec and downloading dependencies.

ReadyToUpdate

Dependencies are ready; the agent has not yet applied changes.

ApplyingUpdate

The agent is writing the update to disk.

Rebooting

The device is rebooting to activate the new OS or configuration.

RollingBack

The agent detected a failure and is rolling back to the previous OS and configuration.

Updated

The update completed successfully.

Error

The update failed. The device has rolled back to the pre-update version and will not automatically retry the failed version.

The status.updated.info field may contain a short message about the last transition. For troubleshooting a rollback or failed update, see Troubleshooting OS update rollback in the Additional resources section.

1.5. Device logs in the Flight Control web console

You can search, view, stream, and download logs from enrolled devices in the Flight Control web console without SSH access to the device. Log data is retrieved over the existing gRPC connection between the Red Hat Edge Manager agent and the Red Hat Edge Manager service, so operators on a different network than the device can troubleshoot when the device is reachable only through the management plane.

When to use console log access

Use the Logs view on a device when you need to inspect agent or system journal output, or files under /var/log, during day-2 operations, for example:

  • Verifying that the agent applied a configuration change
  • Following activity during an OS update or application deployment
  • Reading a log file under /var/log when the output you need is not in the journal
  • Collecting recent log lines to share with your team before opening a support case

How log access uses the agent connection

The web console does not open a new inbound port on the edge device. Requests to retrieve, view, stream, and download logs use a device console session over the agent’s outbound gRPC connection to the Red Hat Edge Manager service. The agent runs commands on the device as the flightctl-console user to retrieve and stream log output through that session, similar to other agent-mediated operations.

Plan firewall rules so that enrolled devices can reach the agent API endpoint. For port numbers and deployment context, see Network ports for Red Hat Edge Manager and Red Hat Edge Manager API server in the Additional resources section.

1.6. Viewing, streaming, and downloading device logs in the web console

Use the Logs tab on a device in the Flight Control web console to retrieve journal or file log output, stream new log lines in real time, and download a log file from the device.

For background on connectivity, see Device logs in the Flight Control web console in the Additional resources section.

Prerequisites

  • You are logged in to the Flight Control web console.
  • The device is enrolled and shows as online in the device inventory.
  • The Red Hat Edge Manager agent on the device is connected to the Red Hat Edge Manager service.

1.6.1. Opening the Logs view

Open the Logs tab on a device in the Flight Control web console to access log retrieval, streaming, and download actions.

Procedure

  1. In the Flight Control web console, open Devices.
  2. Select the device you want to troubleshoot.
  3. Open the Logs tab.

1.6.2. Log types

Choose a log type before you retrieve or stream logs:

  • Agent: Journal output for the Red Hat Edge Manager agent service, flightctl-agent. Useful for enrollment, updates, configuration, and application lifecycle issues.
  • System: Journal output from systemd on the device. Use optional Unit, Time and Level fields to narrow output to a specific unit or to specific time ranges or log level priorities. When you troubleshoot OS update rollback, enter greenboot-healthcheck.service in Unit to retrieve greenboot health check output. For more information, see Viewing greenboot and rollback logs.
  • File path: Contents of a log file on the device. Enter a path under /var/log in the File path field to view arbitrary log files that are not available through journal-based Agent or System logs.

1.6.3. Filters

You can narrow logs before you retrieve or stream them:

  • Log level: Restrict output to a severity level, or use All levels to include every level.
  • Time: The default is All times. You can also limit logs to Last 1 hour, Last 24 hours, or Last 7 days; a custom From and To range; Current boot; or Previous boot when those options apply to the selected log type.

When you change the log type (for example, from Agent to File path), filters are reset to allow you to define your new search. Adjust filters to the search you want to do next before you retrieve logs again.

1.6.4. Viewing logs

Retrieve log output from a device by setting the log type and filters, then loading the logs.

Procedure

  1. Set the log type and any filters you need.
  2. Select the action to retrieve or load logs for the current selection.

    The console shows a loading state while logs are fetched from the device. When retrieval completes, log lines appear in the viewer. If no lines match the filters, the view indicates that no logs are available for the selection.

    If retrieval fails or times out, check that the device is still online and that the agent connection is healthy, then try again with a narrower time range or log level.

1.6.5. Streaming logs

Stream new log lines in real time from a device to the Flight Control web console.

After you have opened the Logs tab and chosen a log type and filters, start log streaming from the console.

New log lines appear in the viewer as they are generated on the device. Stop streaming when you no longer need live output.

Log streaming and log retrieval utilize the same agent gRPC connection. If this connection is interrupted, the web console displays a banner with a "Retry" button. Clicking "Retry" re-establishes the connection and re-initiates log retrieval, provided that the flight-control agent is accepting new connections and there are no active network connectivity issues.

1.6.6. Downloading a log file

Download the current log output from the Flight Control web console as a plain text file.

Procedure

  1. Retrieve or stream logs for the selection you need.
  2. Use the download action in the Logs view to save the current log output as a plain text file on your workstation. The browser assigns a file name that includes the log type and a timestamp.

    You can share the downloaded file with your team or attach it to a support case.

1.7. Decommissioning devices

Decommissioning a device is the supported way to unenroll it and permanently remove it from Red Hat Edge Manager management. When you request decommissioning, the Red Hat Edge Manager service instructs the agent on the device to run a decommissioning process. That process removes the agent’s management certificate and private key, which erases the device’s Red Hat Edge Manager identity. You cannot undo this action. Always decommission a device before you delete its device resource from the service.

Important

After decommissioning completes, the device no longer has a management identity with the service. Deleting the device resource without decommissioning first can leave the agent in an inconsistent state relative to your operational expectations.

1.7.1. Decommissioning a device using the Flight Control CLI

You can decommission a device by using the Flight Control CLI to request that the Red Hat Edge Manager service unenroll it and permanently remove its management identity.

Prerequisites

  • You must install the Flight Control CLI. See Installing the Flight Control CLI in the Additional resources section.
  • You must log in to the Red Hat Edge Manager service.
  • You must know the device name in the inventory. See View device inventory and device details in the Additional resources section.

Procedure

  1. Request decommissioning for the device by running the following command:

    flightctl decommission devices/<device_name>
  2. Verify that the service accepted the request by retrieving the device in YAML format:

    flightctl get devices/<device_name> -o yaml

    The specification must include a decommissioning target, and status.lifecycle.status must move to Decommissioning. For example:

    spec:
      decommissioning:
        target: Unenroll
    status:
      lifecycle:
        status: Decommissioning
  3. Wait until the device acknowledges decommissioning. In the device YAML, confirm a condition with type: DeviceDecommissioning, reason: Completed, and a message that the device completed decommissioning and will wipe its management certificate. When decommissioning ends on the device, the agent removes its local status files from the agent data directory (by default /var/lib/flightctl), including desired.json, current.json, and rollback.json. The agent then wipes its management certificate and private key and reboots.

    status:
      conditions:
        - lastTransitionTime: "2025-03-05T20:40:48.443917332Z"
          message: The device has completed decommissioning and will wipe its management
            certificate
          reason: Completed
          status: "True"
          type: DeviceDecommissioning
  4. When status.lifecycle.status shows Decommissioned, delete the device resource:

    flightctl delete devices/<device_name>

1.7.2. Re-enrolling a device after decommissioning

Decommissioning erases the device’s cryptographic management identity (management certificate and private key). To enroll again, the device must still have a valid enrollment certificate from the original operating system image or from your provisioning process.

After you restart the agent on the device, it goes through the enrollment flow again and appears as a new device in the inventory (typically with a new generated device name). For approval and labeling steps, see Enrolling devices in the Additional resources section.

1.8. Labels and label selectors

You can organize your resources, including individual devices, fleets and any other resources, by assigning them labels. For example, you can use labels to record location, hardware type, or purpose. The Red Hat Edge Manager labels follow the same syntax, principles, and operators as Kubernetes labels and label selectors.

You can select devices with labels when viewing the device inventory or applying operations to the devices.

Labels follow the key=value format, where you want to use the key to group devices. For example, if your labels follow the site=<location> naming convention, you can group your devices by site.

You can also use labels that only consist of keys.

Labels must adhere to the following rules to be valid:

  • Keys and value must each be 63 characters or less.
  • Keys and values can consist of alphanumeric characters (a-z, A-Z, 0-9).
  • Keys and values can also contain dashes (-), underscores (_), dots (.) but not as the first or last character.
  • Value can be omitted.

You can apply labels to resources in the following ways:

  • Define a set of default labels during image building that are automatically applied to all devices during deployment.
  • Assign initial labels during enrollment, including the device alias label. For more information, see Device alias and enrollment labels in the Additional resources section.
  • Assign labels post-enrollment.

The device alias label

The alias label provides a human-readable name for a device. The Flight Control CLI and web console display this value in the ALIAS column. The alias is distinct from the device name (metadata.name), which the agent generates and cannot be changed.

By default, the agent sets alias from the device hostname at enrollment unless you map alias from another system information field in the agent configuration. For system information collection and label mapping, see Reporting system information from the agent and Device alias and enrollment labels in the Additional resources section. You can change the alias label after enrollment using the same procedures as other device labels. The alias value must follow the Kubernetes label rules described in this section.

When resources are labeled, you can select a subset of resources by writing a label selector. A label selector is a comma-separated list of labels for selecting resources that have the same set of labels.

See the following examples:

Example label selectorSelected devices

site=factory-berlin

All devices with a site label key and a factory-berlin label value.

site!=factory-berlin

All devices with a site label key but where the label value is not factory-berlin.

site in (factory-berlin,factory-madrid)

All devices with a site label key and where the label value is either factory-berlin or factory-madrid.

For more information, see Labels and Selectors in the Additional resources section.

1.9. Using labels

You can organize your devices by using labels.

Viewing devices and their labels using the Flight Control CLI

View devices and their associated labels. You can use labels to organize your devices and device fleets.

Complete the following steps:

  1. View devices in your inventory by using the -o wide option:

    flightctl get devices -o wide

    See the following example output:

    NAME            ALIAS    OWNER   SYSTEM  UPDATED     APPLICATIONS  LAST SEEN      LABELS
    <device1_name>  <none>   <none>  Online  Up-to-date  <none>        3 seconds ago  region=eu-west-1,site=factory-berlin
    <device2_name>  <none>   <none>  Online  Up-to-date  <none>        1 minute ago   region=eu-west-1,site=factory-madrid
  2. View devices in your inventory with a specific label or set of labels by using the -l <key=value> option:

    flightctl get devices -l site=factory-berlin -o wide

    See the following example output:

    NAME            ALIAS    OWNER   SYSTEM  UPDATED     APPLICATIONS  LAST SEEN      LABELS
    <device1_name>  <none>   <none>  Online  Up-to-date  <none>        3 seconds ago  region=eu-west-1,site=factory-berlin

Updating labels using the CLI

Update labels on your devices using the CLI. Complete the following steps:

  1. Export the current definition of the device into a file by running the following command:

    flightctl get device/<device1_name> -o yaml > my_device.yaml
  2. Use your preferred editor to edit the my_device.yaml file. See the following example:

    apiVersion: flightctl.io/v1alpha1
    kind: Device
    metadata:
      labels:
        some_key: some_value
        some_other_key: some_other_value
      name: <device1_name>
    spec:
    [id="..."]
  3. Save the file and apply the updated device definition by running the following command:

    flightctl apply -f my_device.yaml
  4. Verify that the changes are applied by running the following command

    NAME            ALIAS    OWNER   SYSTEM  UPDATED     APPLICATIONS  LAST SEEN      LABELS
    <device1_name>  <none>   <none>  Online  Up-to-date  <none>        3 minutes ago  some_key=some_value,some_other_key=some_other_value
    <device2_name>  <none>   <none>  Online  Up-to-date  <none>        4 minutes ago  region=eu-west-1,site=factory-madrid

1.10. Field selectors

Field selectors filter a list of Red Hat Edge Manager resources, including individual devices, fleets and any other resources, based on specific resource field values.

Field selectors follow the same syntax, principles, and operators as Kubernetes field and label selectors with additional operators available for more advanced search use cases.

Supported fields

The Red Hat Edge Manager resources give a set of metadata fields that you can select.

Each resource supports the following metadata fields:

  • metadata.name
  • metadata.owner
  • metadata.creationTimestamp

Note: To query labels, use label selectors for advanced and flexible label filtering.

For more information, see Labels and label selectors in the Additional resources section.

List of additional supported fields

In addition to the metadata fields, each resource has its own unique set of fields that you can select, offering further flexibility in filtering and selection based on resource-specific attributes.

The following table lists the fields supported for filtering for each resource kind:

Kind

Fields

Certificate Signing Request

status.certificate

Device

status.summary.status

status.applicationsSummary.status

status.updated.status

status.lifecycle.status

Enrollment Request

status.approval.approved

status.certificate

Fleet

spec.template.spec.os.image

Repository

spec.type

spec.url

Resource Sync

spec.repository

For Device resources, status.updated.status can be one of: UpToDate, Updating, OutOfDate, or Unknown. After a failed OS update and rollback, a device is typically OutOfDate (running the previous version). For more information, see Device update status and update state in the Additional resources section.

When vulnerability reporting is enabled, you can filter devices by CVE with the --cve-id option on flightctl get devices. For more information, see List devices affected by a CVE in the Additional resources section.

Field discovery

Some Red Hat Edge Manager resources might expose additional supported fields. You can discover the supported fields by using the flightctl command with the --field-selector option. If you try to use an unsupported field, the error message lists the available supported fields.

See the following examples:

flightctl get device --field-selector='text'
Error: listing devices: 400, message: unknown or unsupported selector: unable to resolve selector name "text". Supported selectors are: [metadata.alias metadata.creationTimestamp metadata.name metadata.nameOrAlias metadata.owner status.applicationsSummary.status status.lifecycle.status status.summary.status status.updated.status]

The field text is not a valid field for filtering. The error message provides a list of supported fields that you can use with --field-selector for the Device resource.

You can then use one of the supported fields:

flightctl get devices --field-selector 'metadata.alias contains cluster'

The metadata.alias field is checked with the containment operator contains to see if it has the value cluster.

The metadata.alias field reflects the device alias label. For more information about how the alias is set, see Device alias and enrollment labels in the Additional resources section.

Search by device name or alias

The metadata.nameOrAlias field matches either the device name or the alias. Use it when you know a human-readable alias but not the generated device name:

flightctl get devices --field-selector 'metadata.nameOrAlias=edge-host-01'

Examples

Excluding a specific device by name

The following command filters out a specific device by its name:

flightctl get devices --field-selector 'metadata.name!=<device_name>'

Filter by owner, labels, and creation timestamp

The following command retrieves devices that are owned by Fleet/pos-fleet, are located in the us region, and are created in 2024:

flightctl get devices --field-selector 'metadata.owner=Fleet/pos-fleet, metadata.creationTimestamp >= 2024-01-01T00:00:00Z, metadata.creationTimestamp < 2025-01-01T00:00:00Z' -l 'region=us'

Filter by owner, labels, and device status

The following command retrieves devices that are owned by Fleet/pos-fleet, are located in the us region, and have a status.updated.status of either Unknown or OutOfDate:

flightctl get devices --field-selector 'metadata.owner=Fleet/pos-fleet, status.updated.status in (Unknown, OutOfDate)' -l 'region=us'

Supported operators

Operator

Symbol

Description

Exists

--field-selector <field>

Checks if a field exists. For example, the --field-selector 'metadata.owner' field selector returns resources that have the metadata.owner field.

DoesNotExist

!

Checks if a field does not exist.

Equals

=

Checks if a field is equal to a value.

DoubleEquals

==

Another form of equality check.

NotEquals

!=

Checks if a field is not equal to a value.

GreaterThan

>

Checks if a field is greater than a value.

GreaterThanOrEquals

>=

Checks if a field is greater than or equal to a value.

LessThan

<

Checks if a field is less than a value.

LessThanOrEquals

Checks if a field is less than or equal to a value.

In

in

Checks if a field is within a list of values.

NotIn

notin

Checks if a field is not in a list of values.

Contains

contains

Checks if a field has a value.

NotContains

notcontains

Checks if a field does not contain a value.

Operators usage by field type

Each field type supports a specific subset of operators:

Field Type

Supported Operators

Value

String

Equals: Matches if the field value is an exact match to the specified string.

DoubleEquals: Matches if the field value is an exact match to the specified string. Alternative to Equals.

NotEquals: Matches if the field value is not an exact match to the specified string.

In: Matches if the field value matches at least one string in the list.

NotIn: Matches if the field value does not match any of the strings in the list.

Contains: Matches if the field value has the specified substring.

NotContains: Matches if the field value does not contain the specified substring.

Exists: Matches if the field is present.

DoesNotExist: Matches if the field is not present.

Text string

Timestamp

Equals: Matches if the field value is an exact match to the specified timestamp.

DoubleEquals: Matches if the field value is an exact match to the specified timestamp. Alternative to Equals.

NotEquals: Matches if the field value is not an exact match to the specified timestamp.

GreaterThan: Matches if the field value is after the specified timestamp.

GreaterThanOrEquals: Matches if the field value is after or equal to the specified timestamp.

LessThan: Matches if the field value is before the specified timestamp.

LessThanOrEquals: Matches if the field value is before or equal to the specified timestamp.

In: Matches if the field value matches at least one timestamp in the list.

NotIn: Matches if the field value does not match any of the timestamps in the list.

Exists: Matches if the field is present.

DoesNotExist: Matches if the field is not present.

RFC 3339 format

Number

Equals: Matches if the field value equals the specified number.

DoubleEquals: Matches if the field value equals the specified number. Alternative to Equals.

NotEquals: Matches if the field value does not equal to the specified number.

GreaterThan: Matches if the field value is greater than the specified number.

GreaterThanOrEquals: Matches if the field value is greater than or equal to the specified number.

LessThan: Matches if the field value is less than the specified number.

LessThanOrEquals: Matches if the field value is less than or equal to the specified number.

In: Matches if the field value equals at least one number in the list.

NotIn: Matches if the field value does not equal any numbers in the list.

Exists: Matches if the field is present.

DoesNotExist: Matches if the field is not present.

Number format

Boolean

Equals: Matches if the value is true or false.

DoubleEquals: Matches if the value is true or false. Alternative to Equals.

NotEquals: Matches if the value is the opposite of the specified value.

In: Matches if the value, true or false, is in the list. The list can only contain true or false, so this operator is limited in use.

NotIn: Matches if the value is not in the list.

Exists: Matches if the field is present.

DoesNotExist: Matches if the field is not present.

Boolean format (true, false)

Array

Contains: Matches if the array has the specified value.

NotContains: Matches if the array does not contain the specified value.

In: Matches if the array overlaps with the specified values.

NotIn: Matches if the array does not overlap with the specified values. Exists: Matches if the field is present.

DoesNotExist: Matches if the field is not present.

Array element

1.11. Updating the operating system

You can update the operating system of a device by updating the target operating system image name or version in the device specification. Alternatively, you can choose an OS image from the Software Catalog in the Flight Control web console and install or update from there without entering an OCI image reference manually.

Catalog-driven OS updates follow the upgrade graph that your administrator publishes for that image (allowed versions and transitions), as described in Validated upgrade paths and compatibility in the Additional resources section.

When the Red Hat Edge Manager agent communicates with the service, the agent detects the requested update. Then, the agent automatically starts downloading and verifying the new operating system version in the background.

The Red Hat Edge Manager agent schedules the actual system update according to the update policy. At the scheduled update time, the agent installs the new version without disrupting the currently running operating system.

Finally, the device reboots into the new version.

If the new OS version fails health checks after reboot, the device automatically rolls back to the previous working version. During a failed update, the device may reboot several times (greenboot retries) before the rollback completes; multiple reboots in quick succession are expected and do not indicate a separate problem. No manual intervention is required. For more information, see Automatic rollback when an OS update fails and Troubleshooting OS update rollback in the Additional resources section.

The Red Hat Edge Manager currently supports the following image type and image reference format:

Image Type

Image Reference

bootc

An OCI image reference to a container registry. Example: registry.example.com/edge/rhel:9.5

During the process, the agent sends status updates to the service. You can monitor the update process by viewing the device status. For more information, see Viewing devices in the Additional resources section.

Updating the operating system of a device using the Flight Control CLI

To update the operating system of a device using the flightctl, complete the following steps:

  1. Get the current resource manifest of the device by running the following command:

    flightctl get device/<device_name> -o yaml > my_device.yaml
  2. Edit the Device resource to specify the new operating system name and version target.

    apiVersion: flightctl.io/v1alpha1
    kind: Device
    metadata:
      name: <device_name>
    spec:
    [id="..."]
      os:
        image: registry.example.com/edge/rhel:9.5
    [id="..."]
  3. Apply the updated Device resource by running the following command:

    flightctl apply -f <device_name>.yaml

Chapter 2. Managing devices in disconnected environments

After an air-gapped installation, enroll devices and update operating systems using internal registries and network paths only. Fleet management and approval workflows are unchanged; see Managing device fleets in the Additional resources section.

2.1. Device enrollment

  • Enrolling devices in disconnected environments
  • Provisioning devices

2.2. Enrolling devices in disconnected environments

Prepare enrollment credentials and agent configuration at a disconnected site. Approval, device lobby behavior, and post-enrollment management use the same workflow as a connected deployment.

Prerequisites

Procedure

  1. Authenticate the Flight Control CLI on a workstation that can reach the management host inside the site. Administrators run enrollment commands against the local user API on port 443.

    If Red Hat Edge Manager uses certificates from the built-in generator or a private CA, trust the deployment CA on the workstation, or use --insecure-skip-tls-verify only for non-production testing. On standalone Red Hat Enterprise Linux deployments, the CA file is /etc/flightctl/pki/ca.crt on the management host. See Installing the Red Hat Edge Manager RPM package.

    sudo cp ca.crt /etc/pki/ca-trust/source/anchors/rhem-ca.crt
    sudo update-ca-trust
  2. Log in to the local Red Hat Edge Manager instance:

    flightctl login https://<baseDomain> --username <user_name> --password <password>

    Replace <baseDomain> with the same value as global.baseDomain in /etc/flightctl/service-config.yaml.

  3. Request an enrollment configuration file from the local Red Hat Edge Manager service:

    flightctl certificate request \
      --signer=enrollment \
      --expiration=365d \
      --output=embedded > config.yaml

    The command returns a complete agent configuration. The enrollment-service.service.server field points at the agent API on port 7443 using your local management host name. The file also embeds the certificate authority bundle and a short-lived enrollment client certificate and key.

  4. Review the generated file. The structure matches the following example (values are truncated):

    enrollment-service:
      authentication:
        client-certificate-data: LS0tLS1CRUdJTiBD...
        client-key-data: LS0tLS1CRUdJTiBF...
      service:
        certificate-authority-data: LS0tLS1CRUdJTiBD...
        server: https://<baseDomain>:7443
      enrollment-ui-endpoint: https://<baseDomain>/

    The agent uses certificate-authority-data to verify the management server during enrollment mTLS. The enrollment client certificate in authentication secures the initial connection only; after approval, Red Hat Edge Manager issues a device-specific management certificate.

  1. Copy config.yaml to the edge device using your internal transfer method (for example scp on the site network or USB). See Transferring an offline installation bundle or Transferring an offline RPM repository.
  2. Install the configuration and restrict permissions because the file contains a private key:

    sudo install -m 600 -o root -g root config.yaml /etc/flightctl/config.yaml
  3. Restart the agent so it loads the configuration:

    sudo systemctl restart flightctl-agent

    The agent connects to Content from <basedomain> is not included.https://<baseDomain>:7443, establishes an mTLS session, and submits an enrollment request. The device remains in the enrollment lobby until an administrator approves the request.

    Note

    To enroll many devices, embed config.yaml in an operating system image (early binding) or inject it at provisioning time (late binding) instead of copying the file manually. For image-based workflows in disconnected sites, see Building a bootc operating system image for the Red Hat Edge Manager and Provisioning devices.

  4. Approve the pending request on your local Red Hat Edge Manager instance using the same CLI or web console workflow as a connected deployment. See Enrolling devices using the Flight Control CLI and Approving with the Flight Control web console.

Verification

  • flightctl get devices shows the device with status Online and the expected alias in the ALIAS column.
  • On the edge device, sudo systemctl status flightctl-agent reports active (running).

Troubleshooting

Agent logs show connection or certificate errors

  1. Verify the device can reach the management host on port 7443:

    curl -k https://<baseDomain>:7443/
  2. Verify the CA embedded in /etc/flightctl/config.yaml matches the server CA for your deployment.
  3. Review agent logs on the device:

    sudo journalctl -u flightctl-agent --no-pager | tail -30

2.3. Operating system updates

  • Updating device operating systems in disconnected environments
  • Building a bootc operating system image for the Red Hat Edge Manager

2.4. Updating device operating systems in disconnected environments

Publish OS images to a registry inside the air-gapped site, configure pull authentication on bootc devices when required, then stage updates in Red Hat Edge Manager using the same device and fleet workflows as a connected deployment.

Prerequisites

  • Red Hat Edge Manager is running at the disconnected site and target devices are enrolled. See Enrolling devices in disconnected environments.
  • Devices run a bootc operating system image managed by Red Hat Edge Manager. See Operating system images for the Red Hat Edge Manager.
  • The updated OS image is published to a registry that edge devices can reach on the internal network (for example registry.internal.example.com:5000).
  • You can authenticate to the local Red Hat Edge Manager API with the Flight Control CLI or web console.

Procedure

  1. Build or mirror the target bootc image on a connected staging host, then push or copy it to a registry inside the site. See Building a bootc operating system image for the Red Hat Edge Manager or Building images with the simplified workflow, and Transferring an offline installation bundle or Transferring an offline RPM repository.
  2. Confirm the image is pullable from a host on the device network:

    skopeo inspect docker://<local-registry>/flightctl/rhel:<version>

    Replace <local-registry> and <version> with your internal registry path and tag.

  1. Configure registry authentication on each bootc device when your local registry requires credentials. Skip this step when your registry allows anonymous pulls.

    Create or update /etc/ostree/auth.json before the agent pulls the image. OS updates read credentials from this path; application containers use /root/.config/containers/auth.json separately.

    {
      "auths": {
        "<local-registry>": {
          "auth": "<base64-encoded-username:password>"
        }
      }
    }

    Generate the auth value with echo -n 'username:password' | base64.

  2. To persist credentials across reprovisioning, embed auth.json in the operating system image during build. See Optional: Using image pull secrets.
  3. Stage the update by changing spec.os.image in the device or fleet specification. Use your internal registry reference (for example <local-registry>/flightctl/rhel:<version>) instead of a public registry URL.

    Follow Updating the operating system of a device using the Flight Control CLI for a single device, or update fleet device templates as described in Device templates.

    The agent pull, apply, reboot, and status reporting workflow is the same as a connected deployment. See Updating the operating system and Device update status and update state.

  1. Alternative: USB-based image transfer. Use this path when a device cannot reach the local registry during an update window but you can transfer files on removable media. After the manual bootc change, update the device specification in Red Hat Edge Manager so the desired state matches the running image.

    On a prep machine with access to the image, export it to a portable archive:

    skopeo copy \
      docker://<local-registry>/flightctl/rhel:<version> \
      oci-archive:~/rhem-os-<version>.tar
  2. Transfer ~/rhem-os-<version>.tar to the device. See Transferring an offline installation bundle or Transferring an offline RPM repository.
  3. On the device, load the archive into local container storage:

    sudo skopeo copy \
      oci-archive:~/rhem-os-<version>.tar \
      containers-storage:<local-registry>/flightctl/rhel:<version>
  4. Switch the running OS to the staged image:

    sudo bootc switch --transport containers-storage <local-registry>/flightctl/rhel:<version>
    sudo bootc upgrade

    Reboot when bootc or the agent prompts for activation.

  5. Update spec.os.image in Red Hat Edge Manager to the same reference so the control plane matches the device.

Verification

  • On the device, bootc status reports the expected image reference and a healthy staged deployment.

For catalog content in the web console, sync from a Git repository reachable inside the site. See Managing a catalog repository on the CLI in the Additional resources section.

2.5. Automatic rollback when an OS update fails

Red Hat Edge Manager uses greenboot integration to provide autonomous failed upgrade recovery. When an OS update fails after reboot (for example, the new OS image fails health checks—such as the agent not becoming active in time or entering a crash loop), the device automatically rolls back to the previous working OS version. No manual intervention is required.

greenboot rollback operations

When an OS update fails health checks after reboot, greenboot performs rollback through the following sequence:

  1. Deployment and reboot: The agent deploys the new OS image to the device and triggers a reboot.
  2. Health check initiation: After the device comes back up, greenboot runs the flightctl health check. This check has two phases: it waits up to 150 seconds for flightctl-agent.service to become active, then monitors service stability for 60 seconds to detect crash loops. A rollback is triggered if the agent does not become active in time or if it restarts (crash-loops) during the stability window.
  3. Retries and configuration: If health checks fail, greenboot reboots and retries. By default, three retries occur before a rollback is performed. To change this threshold, update the GREENBOOT_MAX_BOOTS value in /etc/greenboot/greenboot.conf.
  4. Triggering the rollback: Once all retry attempts are exhausted, greenboot reverts to the previous OS deployment and reboots the device.
  5. Reporting: The device starts on the previous OS version, and the agent reports the rollback to the Red Hat Edge Manager service.
  6. Version exclusion: That specific OS version is recorded as failed, ensuring the agent skips it during all future reconciliations.
Note

Red Hat Edge Manager automatically disables third-party greenboot health check scripts to ensure that only the Red Hat Edge Manager agent health check controls rollback decisions. The flightctl-configure-greenboot service runs before greenboot-healthcheck on every boot and disables scripts such as MicroShift’s 40_microshift_running_check.sh; only core greenboot scripts and the flightctl health check are preserved. Do not manually edit DISABLED_HEALTHCHECKS in /etc/greenboot/greenboot.conf; it is replaced on every boot.

Note

On systems not using a bootc or OSTree-based image, health checks still run on each boot, but rollback is not possible if an update fails. The device does not revert to a previous OS version in that case.

During the retry phase, the device may reboot multiple times before the final rollback. This is expected behavior, not a separate problem.

This keeps devices operational and avoids repeated failed update attempts.

When automatic rollback applies

Automatic rollback is available for devices that use image-based operating systems (such as bootc images) with greenboot enabled. For more information about image-based OS and transactional updates, see Operating system images for the Red Hat Edge Manager in the Additional resources section.

Observing rollback and update status

You can see whether a device rolled back or is in a failed-update state by viewing the device status. The status.updated.status field indicates whether the device is up to date, updating, or out of date. When an update fails and rollback completes, the update state is reported as Error and the device returns to the previous OS version. For details, see Device update status and update state in the Additional resources section.

If a device has rolled back or you need to diagnose a failed update, see Troubleshooting OS update rollback in the Additional resources section.

2.6. Operating system configuration for edge devices

You can include an operating system-level host configuration in the image to provide maximum consistency and repeatability.

To update the configuration, you create a new operating system image and update devices with the new image.

However, updating devices with a new image can be impractical in the following cases:

  • The configuration is missing in the image.
  • The configuration needs to be specific to a device.
  • The configuration needs to be updateable at runtime without updating the operating system image and rebooting.

For these cases, you can declare a set of configuration files that is present on the file system of the device. The Red Hat Edge Manager agent applies updates to the configuration files while ensuring that either all files are successfully updated in the file system, or rolled back to their pre-update state. If the user updates both an operating system and configuration set of a device at the same time, the Red Hat Edge Manager agent updates the operating system first, then applies the specified set of configuration files.

You can also specify a list of configuration sets that the Red Hat Edge Manager agent applies in sequence. In case of a conflict, the last applied configuration set is valid.

Important: After the Red Hat Edge Manager agent updates the configuration on the disk, the running applications need to reload the new configuration into memory for the configuration to become effective. If the update involves a reboot, systemd automatically restarts the applications with the new configuration and in the correct order. If the update does not involve a reboot, many application can detect changes to their configuration files and automatically reload the files. When an application does not support change detection, you can use device lifecycle hooks to run scripts or commands if certain conditions are met.

Configuration providers

You can provide configuration from multiple sources, called configuration providers, in Red Hat Edge Manager. The Red Hat Edge Manager currently supports the following configuration providers: A repository used by a provider must be set up once and can then be used for multiple devices or fleets.

Git Config Provider
Fetches device configuration files from a Git repository.
Kubernetes Secret Provider
Fetches a secret from a Kubernetes cluster and writes the content to the file system of the device.
HTTP Config Provider
Fetches device configuration files from an HTTP(S) endpoint.
Inline Config Provider
Allows specifying device configuration files inline in the device manifest without querying external systems.

Read more about the configuration providers in the following sections:

  • Configuration from a Git repository
  • Secrets from a Kubernetes cluster
  • Configuration from an HTTP server
  • Configuration inline in the device specification

Configuration from a Git repository

You can store device configuration in a Git repository such as GitHub or GitLab. You can then add a Git Config Provider so that the Red Hat Edge Manager synchronizes the configuration from the repository to the file system of the device.

The Git Config Provider takes the following parameters:

Parameter

Description

Repository

The name of a Repository resource defined in the Red Hat Edge Manager.

TargetRevision

The branch, tag, or commit of the repository to checkout.

Path

The absolute path to the directory in the repository from which files and subdirectories are synchronized to the file system of the device. The Path directory corresponds to the root directory (/) on the device, unless the MountPath parameter is specified.

MountPath

Optional. The absolute path to the directory in the file system of the device to write the content of the repository to. By default, the value is the file system root (/).

The Repository resource defines the Git repository, the protocol and access credentials that the Red Hat Edge Manager must use. After the repository is set up, you can use it to configure individual devices or device fleets.

When a fleet or device references a Git repository, Red Hat Edge Manager can detect new commits on the configured branch or tag and roll out updates automatically. See Automatic synchronization of external configuration in the Additional resources section.

Secrets from a Kubernetes cluster

The Red Hat Edge Manager can query only the Kubernetes cluster that the Red Hat Edge Manager is running on for a Kubernetes secret. The content of that secret can be written to a path on the device file system.

Note

You can manage Kubernetes Secret Provider configurations via the CLI or API. Kubernetes Secret Provider configurations are displayed in the UI as read-only.

The Kubernetes Secret Provider takes the following parameters:

Parameter

Description

Name

The name of the secret.

Namespace

The namespace of the secret.

MountPath

The directory in the file system of the device to write the secret contents to.

To apply a Kubernetes secret to a device, add a config entry with secretRef to the device specification and apply it with the CLI (or API):

The following example shows a device spec with secretRef:

spec:
  config:
    - name: my-secret
      secretRef:
        name: my-secret-name
        namespace: my-secret-namespace
        mountPath: /etc/my-secret

Run flightctl apply -f <file>.yaml to apply the device or fleet manifest.

The Red Hat Edge Manager worker needs permission to read secrets from the cluster. You can either allow cluster-wide access at install time or grant namespace-scoped access with RBAC (least-privilege):

  • Cluster-wide access: Set global.worker.clusterLevelSecretAccess to true in the Helm values when installing Red Hat Edge Manager on OpenShift. See Installing Red Hat Edge Manager on OpenShift in the Additional resources section.
  • Namespace-scoped access: Create a Role and RoleBinding in the namespace where the secrets are stored so the flightctl-worker service account can get secrets in that namespace only. For details, see the OpenShift RBAC documentation.

To detect secret rotation automatically, label secrets for synchronization and configure periodic service RBAC as described in Configuring synchronization in the Additional resources section.

The following example shows a Role and RoleBinding for flightctl-worker secret access:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: <secret_namespace>
  name: flightctl-worker-secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: <secret_namespace>
  name: flightctl-worker-secret-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: flightctl-worker-secret-reader
subjects:
- kind: ServiceAccount
  name: flightctl-worker
  namespace: <worker_namespace>

Apply the manifest with oc apply -f <file>.yaml.

Configuration from an HTTP server

The Red Hat Edge Manager can query an HTTP server for configuration. The HTTP server can serve static or dynamically generated configuration for a device.

The HTTP Config Provider takes the following parameters:

Parameter

Description

Repository

The name of a Repository resource defined in the Red Hat Edge Manager.

Suffix

The suffix to append to the base URL defined in the Repository resource. The suffix can include path and query parameters, for example /path/to/endpoint?query=param.

FilePath

The absolute path to the file in the file system of the device to write the response of the HTTP server to.

The Repository resource specifies the HTTP server for the Red Hat Edge Manager to connect to, and the protocol and access credentials to use. After the repository is set up, you can use it to configure multiple devices or device fleets.

When content at the referenced URL changes, Red Hat Edge Manager can detect the change and roll out updates to fleets and devices. See Automatic synchronization of external configuration in the Additional resources section.

Configuration inline in the device specification

You can specify configuration inline in a device specification. When using the inline device specification, the Red Hat Edge Manager does not need to connect to external systems to fetch the configuration.

The Inline Config Provider takes a list of file specifications, where each file specification takes the following parameters:

Parameter

Description

Path

The absolute path to the file in the file system of the device to write the content to. If a file already exists in the specified path, the file is overwritten.

Content

The UTF-8 or base64-encoded content of the file.

ContentEncoding

Defines how the contents are encoded. Must be either plain or base64. Default value is set to plain.

Mode

Optional. The permission mode of the file. You can specify the octal with a leading zero, for example 0644, or as a decimal without a leading zero, for example 420. The setuid, setgid, and sticky bits are supported. If not specified, the permission mode for files defaults to 0644.

User

Optional. The owner of the file. Specified either as a name or numeric ID. Default value is set to root.

Group

Optional. The group of the file. Specified either as a name or numeric ID.

For more information about device lifecycle hooks and the default rules used by the Red Hat Edge Manager agent, see Device lifecycle hooks in the Additional resources section.

2.7. Automatic synchronization of external configuration

When a fleet or device references configuration from Git, an HTTP endpoint, or a Kubernetes secret, Red Hat Edge Manager can automatically detect upstream changes and roll out updates without manual edits to the fleet or device specification.

How automatic synchronization works

Fleets and devices can reference external configuration through configuration providers:

  • Git Config Provider (gitRef)
  • HTTP Config Provider (httpRef)
  • Kubernetes Secret Provider (secretRef)

When automatic synchronization is active, the Red Hat Edge Manager service periodically checks those upstream sources (or watches Kubernetes secrets) for changes. When a change is detected:

  • For devices in a fleet, the service creates a new fleet template version and starts a fleet rollout.
  • For standalone devices (not owned by a fleet), the service re-renders the device specification directly without creating a template version.

Automatic synchronization applies only when the specification uses gitRef, secretRef, or httpRef. Inline configuration in the device specification is not synchronized from external systems.

Synchronization is enabled by default when external references are present. You do not add fields to the fleet or device specification to turn it on.

Note

Red Hat Edge Manager does not rotate secrets, write changes back to Git repositories, or manage content at HTTP endpoints. It only reacts when those upstream resources change.

Change detection by provider type

ProviderDetection method

Fingerprint stored

Git

Periodic git ls-remote against the referenced branch or tag

Git commit SHA

Kubernetes secret

In-cluster informer on labeled secrets (in-cluster deployments only)

Secret resourceVersion

HTTP

Conditional HEAD when the server returns ETag or Last-Modified; endpoints without these headers are not actively probed

ETag, Last-Modified value, or sha256: hash (recorded when configuration is rendered)

Note

HTTP endpoints that do not return ETag or Last-Modified are not actively monitored. Changes are detected only when a device specification is re-rendered for another reason (for example, another dependency changes or you update the fleet template). At render time, Red Hat Edge Manager fetches the body, computes a sha256: fingerprint, and updates status.dependencySync.configRefs.

Git and HTTP checks use the global dependenciesSync.pollInterval as the minimum interval between probes for the same upstream resource. Probes for different resources are naturally spread over time because dependencies are registered at different times. Secret changes are detected near real time when the informer is running.

If a Git branch, HTTP suffix, or secret name contains template placeholders (for example {{ index .metadata.labels "target-branch" }}), Red Hat Edge Manager resolves the reference per device and triggers updates only for devices whose resolved upstream value changed.

When a device specification is rendered, Red Hat Edge Manager records the upstream fingerprint for each external configuration provider in status.dependencySync.configRefs. The lastUpdatedAt timestamp changes only when the fingerprint for that provider changes.

Template versions and rollouts

When a fleet-owned dependency changes, Red Hat Edge Manager creates a new template version and rolls it out to matching devices.

  • Spec-driven template versions (after you edit the fleet template) use the name v{generation}.
  • Sync-driven template versions (after an upstream dependency changes without a spec edit) use v{generation}-{short-hash}, where {short-hash} is the first eight characters of the fingerprint that triggered the sync.

Both naming patterns can coexist for the same fleet. List template versions with the following command:

flightctl get templateversions --fleetname <fleet_name>

Sync status on devices

Synchronization state is reported on each device, not on the fleet resource.

The status.dependencySync.configRefs field lists one entry per external configuration provider referenced by the device. Each entry includes:

FieldDescription

configProviderName

Name of the configuration provider in the device specification (for example git-config)

fingerprint

Upstream fingerprint last applied (Git commit SHA, ETag or Last-Modified for HTTP probes, sha256: hash when recorded at render time, or secret resourceVersion)

lastUpdatedAt

Timestamp when the fingerprint last changed on the device

Configuration providers that use only inline content do not appear in configRefs.

In the Red Hat Edge Manager web console, open a device to view dependency sync details in the device detail view.

Events

The following event reasons help you distinguish automatic synchronization from user-initiated specification changes:

ReasonType

Description

DependencyChangeDetected

Normal

An upstream dependency fingerprint changed. For fleet-owned devices, a new template version and rollout are triggered. For standalone devices, the device specification is re-rendered.

DependencySyncProbeFailed

Warning

DependencyChangeDetected events can list a fleet or a device as the involved object, depending on ownership. Event details include resourceKey (for example git:my-repo/main or http:my-config/api/v1/config) and fingerprint. DependencySyncProbeFailed events include resourceKey and errorMessage. Inspect event details in YAML:

flightctl get events --field-selector 'involvedObject.kind=Device,involvedObject.name=<device_name>,reason=DependencyChangeDetected' -o yaml

List events for a device or fleet:

flightctl get events --field-selector 'involvedObject.kind=Device,involvedObject.name=<device_name>'

Configuring synchronization

Global synchronization settings are defined in service-config.yaml on Red Hat Enterprise Linux deployments, or in the equivalent configuration mounted by your Helm release on Red Hat OpenShift Container Platform. These settings are server-side only; you do not configure dependency synchronization in fleet or device specifications.

Polling interval and task schedule

Set the minimum interval between Git and HTTP probes for the same upstream resource:

dependenciesSync:
  pollInterval: 15m

The default is 15m. The interval applies cluster-wide, not per fleet or device.

The dependency sync periodic tasks run on an internal schedule (default every 3 minutes) to discover new dependency references and retry failed probes. That task interval is not configurable in service-config.yaml; only pollInterval is user-configurable under dependenciesSync.

Kubernetes secret auto-sync

Secret synchronization requires Red Hat Edge Manager to run in the cluster where the secrets are stored.

  1. Label each secret that should be watched:

    metadata:
      labels:
        flightctl.io/sync-<release_namespace>: "true"

    Replace <release_namespace> with the namespace where you installed Red Hat Edge Manager (for example flightctl.io/sync-flightctl: "true" when the release namespace is flightctl).

  2. Grant the periodic service permission to list and watch secrets when secrets are not limited to the release namespace:

    On Red Hat OpenShift Container Platform, set both of the following in the Helm install YAML when you need cluster-wide secret access for sync and rendering:

    global:
      worker:
        clusterLevelSecretAccess: true
      periodic:
        clusterLevelSecretAccess: true

    For namespace-scoped access, use Role and RoleBinding resources as described in Secrets from a Kubernetes cluster in the Additional resources section.

Security considerations

  • Store Git and HTTP credentials only in Repository resources or Kubernetes secrets, not in fleet or device specifications.
  • Ensure Repository resources use the minimum access required (read-only Git credentials where possible).
  • Probe failure events (DependencySyncProbeFailed) sanitize error messages so that tokens and passwords are not written to the event log.
  • Secret synchronization uses the Kubernetes secret resourceVersion as a fingerprint; Red Hat Edge Manager does not store secret data in status.dependencySync.
  • Grant clusterLevelSecretAccess to the worker and periodic services only when secrets are distributed across namespaces. Prefer namespace-scoped Role and RoleBinding resources where possible.
Important

Each configuration provider name in a device or fleet template must be unique within that specification. Duplicate names can cause ambiguous dependencySync.configRefs entries.

Viewing sync status with the CLI

Devices

View per-provider sync fingerprints on a device:

flightctl get device/<device_name> -o yaml

Inspect the status.dependencySync.configRefs block.

Fleets

Fleet resources do not include a dependencySync status block in YAML. To assess fleet-wide synchronization:

  1. Review devices in the fleet:

    flightctl get devices --field-selector 'metadata.owner=Fleet/<fleet_name>'
  2. Inspect the fleet resource, template versions, and events:

    flightctl get fleet/<fleet_name> -o yaml
    flightctl get templateversions --fleetname <fleet_name>
    flightctl get events --field-selector 'involvedObject.kind=Fleet,involvedObject.name=<fleet_name>'
  3. For per-dependency fingerprints, inspect devices in the fleet with -o yaml as shown above.

Metrics for cluster administrators

When Prometheus scrapes the Red Hat Edge Manager periodic service, the following metrics relate to dependency synchronization:

MetricDescription

flightctl_dependency_sync_cycles_total

Probe cycles completed, by reference type (git, http, secret)

flightctl_dependency_sync_changes_total

Upstream changes detected

flightctl_dependency_sync_probe_errors_total

Probe failures

flightctl_dependency_sync_probe_latency_seconds

Probe latency histogram

flightctl_dependency_sync_informer_connected

Whether the Kubernetes secret informer is connected (1 or 0)

flightctl_dependency_sync_secrets_watched

Number of secrets watched by the informer

Use flightctl_dependency_sync_informer_connected to detect secret informer disconnects. For troubleshooting, see Secret informer disconnect or not running in the Additional resources section.

For troubleshooting steps, see Troubleshooting dependency synchronization in the Additional resources section.

Additional resources

2.8. Configuring a device to auto-register MicroShift clusters

If you have a device that runs an operating system image that includes MicroShift, you can configure the device to fetch Red Hat Advanced Cluster Management registration manifests with the HTTP Config Provider and auto-register the MicroShift cluster with Red Hat Advanced Cluster Management.

For the HTTP Config Provider parameters, see Configuration from an HTTP server in the Additional resources section.

To apply the same configuration across many devices by using a fleet device template, see Configuring fleets to auto-register MicroShift clusters in the Additional resources section.

Configuring your device

Complete the following steps:

  1. Create a file, for example acm-registration-repo.yaml, that contains an HTTP Repository resource for the Red Hat Advanced Cluster Management agent registration API. Replace the placeholders in the following example. For Role-Based Access Control and how to obtain values such as the token, follow Importing a managed cluster by using agent registration in the Red Hat Advanced Cluster Management documentation up to, but not including, applying the import manifests on a cluster.

    apiVersion: flightctl.io/v1beta1
    kind: Repository
    metadata:
      name: acm-registration
    spec:
      type: http
      url: https://<agent_registration_host>
      validationSuffix: /agent-registration/crds/v1
      httpConfig:
        ca.crt: <base64_encoded_ca_bundle>
        token: <bearer_token>
  2. Create the Repository resource by running the following command:

    flightctl apply -f acm-registration-repo.yaml
  3. Verify that the resource has been created and is accessible by Red Hat Edge Manager by running the following command:

    flightctl get repository/acm-registration
  4. Create or update a Device resource so that its specification matches the same config order as a fleet device template: acm-crd, acm-import, pull-secret, and apply-acm-manifests. MicroShift must authenticate to the container registries that host the Red Hat Advanced Cluster Management images. If the device already has a suitable pull secret for those registries (for example, at /etc/crio/openshift-pull-secret), omit the pull-secret item from the config list. The apply-acm-manifests hook in the following example waits until the kubeadmin kubeconfig file exists and MicroShift pods are ready before it runs kubectl apply. Use those wait steps when MicroShift might not be running when the hook runs, for example if you apply an operating system image update and this registration configuration together in a single device update. See the following example:

    apiVersion: flightctl.io/v1alpha1
    kind: Device
    metadata:
      name: <device_name>
    spec:
      os:
        image: <your os image>
      config:
        - name: acm-crd
          httpRef:
            filePath: /var/local/acm-import/crd.yaml
            repository: acm-registration
            suffix: /agent-registration/crds/v1
        - name: acm-import
          httpRef:
            filePath: /var/local/acm-import/import.yaml
            repository: acm-registration
            suffix: /agent-registration/manifests/{{.metadata.name}}
        - name: pull-secret
          inline:
            - path: "/etc/crio/openshift-pull-secret"
              content: "{\"auths\":{...}}"
        - name: apply-acm-manifests
          inline:
            - path: "/etc/flightctl/hooks.d/afterupdating/50-acm-registration.yaml"
              content: |
                - run: /usr/bin/bash -c "until [ -f $KUBECONFIG ]; do sleep 1; done"
                  timeout: 5m
                  envVars:
                    KUBECONFIG: /var/lib/microshift/resources/kubeadmin/kubeconfig
                - run: kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout=300s
                  timeout: 5m
                  envVars:
                    KUBECONFIG: /var/lib/microshift/resources/kubeadmin/kubeconfig
                - if:
                  - path: /var/local/acm-import/crd.yaml
                    op: [created]
                  run: kubectl apply -f /var/local/acm-import/crd.yaml
                  envVars:
                    KUBECONFIG: /var/lib/microshift/resources/kubeadmin/kubeconfig
                - if:
                  - path: /var/local/acm-import/import.yaml
                    op: [created]
                  run: kubectl apply -f /var/local/acm-import/import.yaml
                  envVars:
                    KUBECONFIG: /var/lib/microshift/resources/kubeadmin/kubeconfig

    Auto-registration uses the Red Hat Advanced Cluster Management agent registration API: devices fetch the Kubernetes manifests for the klusterlet agent and apply them to MicroShift. The config entries in the previous example do the following:

    • acm-crd uses the HTTP configuration provider to query the agent registration server for manifests that contain the custom resource definition for the Red Hat Advanced Cluster Management klusterlet agent. The Red Hat Edge Manager agent writes those manifests to /var/local/acm-import/crd.yaml on the device.
    • acm-import queries the server for import manifests for a cluster whose name matches the device. The {{.metadata.name}} template variable supplies the device name. The agent writes the returned manifests to /var/local/acm-import/import.yaml.
    • pull-secret adds registry credentials on the device so that MicroShift can pull the Red Hat Advanced Cluster Management agent images. Skip this item if you already provide a suitable pull secret by another method, for example by embedding it in the operating system image or by using another configuration provider.
    • apply-acm-manifests adds an afterupdating lifecycle hook rule file under /etc/flightctl/hooks.d/afterupdating/. The hook runs after the configuration is applied and the crd.yaml and import.yaml files exist; it applies those manifests to MicroShift by using kubectl. For more information, see Device lifecycle hooks in the Additional resources section.
  5. Apply the device by running the following command:

    flightctl apply -f <device_file>.yaml
  6. If the device is not yet enrolled, approve the enrollment request in the Flight Control web console or CLI. Label behavior differs between the console and the CLI; for more information, see Enrolling devices and Alias and labels during enrollment approval in the Additional resources section.

2.9. Managing the device configuration from a Git repository on the CLI

Create and apply a device configuration in a Git repository.

Complete the following steps:

  1. Create a file, for example site-settings-repo.yaml, that contains the following definition for a Repository resource, named site-settings:

    apiVersion: flightctl.io/v1alpha1
    kind: Repository
    metadata:
      name: site-settings
    spec:
      type: git
      url: https://github.com/<your_org>/<your_repo>.git
  2. Create the Repository resource by running the following command:

    flightctl apply -f site-settings-repo.yaml
  3. Verify that the resource has been correctly created and is accessible by Red Hat Edge Manager by running the following command:

    flightctl get repository/site-settings

    See the following example output:

    NAME           TYPE  REPOSITORY URL                                 ACCESSIBLE
    site-settings  git   https://github.com/<your_org>/<your_repo>.git  True
  4. Apply the example-site configuration to a device by update the device specification:

    apiVersion: flightctl.io/v1alpha1
    kind: Device
    metadata:
      name: <device_name>
    spec:
    [id="..."]
      config:
        - name: example-site
          gitRef:
            repository: site-settings
            targetRevision: production
            path: /etc/example-site
    [...]

After the repository is referenced from a fleet or device, Red Hat Edge Manager can poll the repository and roll out new configuration when you push commits to the tracked branch. You do not need to edit the fleet or device specification to pick up Git changes. For details, see Automatic synchronization of external configuration in the Additional resources section.

2.10. Managing a catalog repository on the CLI

You can add catalog content to Flight Control by creating a Repository resource that points to a Git repository containing catalog definitions, and a ResourceSync resource with type catalog that synchronizes those definitions. The Flight Control web console then displays the curated list of OS images, application images, and application data for discovery and deployment.

This procedure covers Git-synchronized catalogs. To publish catalog items from Image Builder instead, see Publishing an image build to the Software Catalog in the Additional resources section.

Default catalog

Every organization receives a default catalog automatically when the organization is first provisioned. You do not create this catalog manually. Image promotions and Git-synchronized catalogs can both target or coexist with the default catalog.

Verify the default catalog:

$ flightctl get catalog/default

Complete the following steps to synchronize catalog definitions from Git:

  1. Create a Repository resource that points to your Git repository. The repository must contain Catalog and CatalogItem YAML definitions. Set type: git and the repository URL:

    apiVersion: flightctl.io/v1beta1
    kind: Repository
    metadata:
      name: <repository_name>
    spec:
      url: <repo_url_with_catalog_definition>
      type: git
  2. Create a ResourceSync resource that imports the catalog from the repository. Set type: catalog, reference the repository name from step 1, and specify the path and branch to sync:

    apiVersion: flightctl.io/v1beta1
    kind: ResourceSync
    metadata:
      name: <resourcesync_name>
    spec:
      repository: <repository_name>
      targetRevision: <git_branch_name>
      path: <path_to_catalog_yaml>
      type: catalog
  3. Apply both resources. For example, if you saved the Repository to my-repo.yaml and the ResourceSync to my-catalog-sync.yaml:

    flightctl apply -f my-repo.yaml
    flightctl apply -f my-catalog-sync.yaml
  4. Verify that the resources were created and that synchronization succeeded:

    flightctl get repository/<repository_name>
    flightctl get resourcesync <resourcesync_name>

Defining catalogs and catalog items in Git

Your Git repository must contain Catalog and CatalogItem resources that describe what appears in the Software Catalog after synchronization. Store them under the directory (or file path) that you set in the ResourceSync spec.path field.

Important

A ResourceSync with spec.type set to catalog accepts only Catalog and CatalogItem definitions in the synchronized path. If that path includes other resource kinds, synchronization reports an error.

Organize files in a layout similar to the following:

catalogs/
  <catalog_name>/
    catalog.yaml
    <catalog_item_name>.yaml
  • catalog.yaml defines the Catalog resource (metadata.name is the catalog identifier).
  • Each additional file in the same directory defines one CatalogItem. Every CatalogItem must set metadata.catalog to the same catalog name as the Catalog resource.

Catalog resource

The following example shows a minimal Catalog resource:

apiVersion: flightctl.io/v1alpha1
kind: Catalog
metadata:
  name: <catalog_name>
spec:
  displayName: <human_readable_catalog_title>
  shortDescription: <one_line_description>

CatalogItem versions, channels, and artifacts

Each CatalogItem declares a spec.type (for example, container for an application image), one or more spec.artifacts entries with a type and a versionless uri, and a spec.versions list. Every version entry must include:

  • version: A semantic version string (for example, 1.2.0).
  • channels: Labels that place the version in an update graph (for example, stable or candidate).
  • references: A map from each artifact type in spec.artifacts to an image tag or digest for that version.

The following example defines two versions in a linear chain:

apiVersion: flightctl.io/v1alpha1
kind: CatalogItem
metadata:
  name: <catalog_item_name>
  catalog: <catalog_name>
spec:
  type: container
  displayName: <human_readable_item_title>
  artifacts:
    - type: container
      uri: quay.io/<namespace>/<image>
  versions:
    - version: "1.0.0"
      channels:
        - stable
      references:
        container: "1.0.0"
    - version: "1.1.0"
      channels:
        - stable
      references:
        container: "1.1.0"
      replaces: "1.0.0"

Defining upgrade paths

Flight Control models relationships between versions using the Cincinnati update protocol. Optional fields on each version entry describe which upgrades are valid:

  • replaces: The single previous version that this version follows in the main chain.
  • skips: A list of older versions that may upgrade directly to this version, bypassing intermediate steps.
  • skipRange: A semantic version range (for example, >=1.0.0 <1.2.0) of older versions that may upgrade directly to this version. Use skipRange when listing every skipped version explicitly would be unwieldy.

If you omit these fields, only the linear replaces chain (when present) defines one-step moves.

API version for catalog resources

Important

Catalog and CatalogItem use the flightctl.io/v1alpha1 API version. Treat them as alpha-stage resources; fields and behavior can change in future Red Hat Edge Manager releases.

Verifying synchronized catalogs on the CLI

After the ResourceSync reports a successful sync, you can list catalogs and items:

flightctl get catalogs
flightctl get catalogitems --catalog <catalog_name>

The catalog contents from the synchronized repository will be available in the Software Catalog in the Flight Control web console. For operator tasks in the console, see Using the Software Catalog in the Additional resources section. For image-build publication, see Publishing an image build to the Software Catalog in the Additional resources section.

2.11. Device lifecycle hooks

The Red Hat Edge Manager agent can run user-defined commands at specific points in the device lifecycle by using device lifecycle hooks. For example, you can add a shell script to your operating system images that backs up your application data. You can then specify that the script must run and complete successfully before the agent can start updating the operating system.

As another example, certain applications or system services do not automatically reload their configuration file when the file changes on the disk. You can manually reload the configuration file by specifying a command as another hook, which is called after the agent completes the update process.

The Red Hat Edge Manager agent discovers hook rules only in subdirectories of /etc/flightctl/hooks.d/ and /usr/lib/flightctl/hooks.d/. Those subdirectory names are case-sensitive and must be all lowercase. For example, afterUpdating is not valid; use afterupdating.

The following subdirectories are supported:

hooks.d subdirectory

Description

beforeupdating

The hook is called after the agent completes preparing for the update, but before changing the operating system. If an action in this hook returns with a failure, the agent cancels the update.

afterupdating

The hook is called after the agent writes the update to disk. If an action in this hook returns with a failure, the agent cancels and rolls back the update.

beforerebooting

The hook is called before the system reboots. The agent blocks the reboot until the action completes or times out. If any action in this hook returns with a failure, the agent cancels and rolls back the update.

afterrebooting

The hook is called when the agent first starts after a reboot. If any action in this hook returns with a failure, the agent reports the failure but continues starting up.

Rule files

You can define device lifecycle hooks by adding rule files under one of the following directory trees on the device:

  • /usr/lib/flightctl/hooks.d/<hook_directory>/ — read-only from the running system; add rules here by baking them into the operating system image.
  • /etc/flightctl/hooks.d/<hook_directory>/ — read-writable at runtime; you can update these rules by several methods.

In both paths, replace <hook_directory> with one of beforeupdating, afterupdating, beforerebooting, or afterrebooting. For example, a custom rule that runs after the update is written to disk belongs in a file such as /etc/flightctl/hooks.d/afterupdating/50-my-hook.yaml.

When creating and placing the files, you must consider the following practices:

  • The name of the rule must be all lower case.
  • The hook subdirectory name under hooks.d/ must be one of the lowercase names in the table; mixed case or camelCase names are ignored by the agent.
  • If you define rules in both locations, the rules are merged.
  • If you add more than one rule files to a lifecycle hook directory, the files are processed in lexical order of the file names.
  • If you define files with identical file names in both locations, the file in the /etc folder takes precedence over the file of the same name in the /usr folder.

A rule file is written in YAML format and contains a list of one or more actions. An action can be an instruction to run an external command.

When you specify many actions for a hook, the actions are performed in sequence, finishing one action before starting the next.

If an action returns with a failure, the following actions are skipped.

A run action takes the following parameters:

Parameter

Description

Run

The command to run, including any flags or arguments. Specify the full path to the executable (for example /usr/bin/nmcli connection reload) or an executable name that resolves through the PATH environment variable of the agent (for example nmcli conn reload), consistent with the built-in rules under /usr/lib/flightctl/hooks.d/. The agent uses the PATH from its runtime environment (for example, as set when the agent runs as a systemd service). The command is not run in a shell: the rule value is not shell-expanded, so you cannot use shell parameter expansion such as $HOME or chain commands with | or ; in the rule text. To use shell features, invoke a shell explicitly, for example /usr/bin/bash -c 'echo $SHELL $HOME $USER'.

EnvVars

Optional. A list of key-value pairs to set as environment variables for the command.

WorkDir

Optional. The directory the command is run from.

Timeout

Optional. The maximum duration that is allowed for the action to complete. Specify the duration as a single positive integer followed by a time unit. The s, m, and h units are supported for seconds, minutes, and hours, respectively.

If

Optional. A list of conditions that must be true for the action to be run. If not provided, actions run unconditionally.

By default, actions are performed every time the hook is triggered. However, for the afterupdating hook, you can use the If parameter to add conditions that must be true for an action to be performed. Otherwise, the action is skipped.

For example, to run an action only if a given file or directory changes during the update, you can define a path condition that takes the following parameters:

Parameter

Description

Path

An absolute path to a file or directory that must change during the update as condition for the action to be performed. Specify paths by using forward slashes (/). If the path is to a directory, it must end with a forward slash (/). If you specify a path to a file, the file must have changed to satisfy the condition. If you specify a path to a directory, a file in that directory or any of its subdirectories must have changed to satisfy the condition.

Op

A list of file operations, such as created, updated, and removed, to limit the type of changes to the specified path as condition for the action to be performed.

If you specify a path condition for an action in the afterupdating hook, you have the following variables that you can include in arguments to your command and are replaced with the absolute paths to the changed files:

Variable

Description

${ Path }

The absolute path to the file or directory specified in the path condition.

${ Files }

A space-separated list of absolute paths of the files that changed during the update and are covered by the path condition.

${ CreatedFiles }

A space-separated list of absolute paths of the files that were created during the update and are covered by the path condition.

${ UpdatedFiles }

A space-separated list of absolute paths of the files that were updated during the update and are covered by the path condition.

${ RemovedFiles }

A space-separated list of absolute paths of the files that were removed during the update and are covered by the path condition.

The Red Hat Edge Manager agent includes a built-in set of rules defined in /usr/lib/flightctl/hooks.d/afterupdating/00-default.yaml. The following commands are executed if certain files are changed:

File

Command

Description

/etc/systemd/system/

systemctl daemon-reload

Changes to systemd units are activated by signaling the systemd daemon to reload the systemd manager configuration. This reruns all generators, reloads all unit files, and re-creates the entire dependency tree.

/etc/NetworkManager/system-connections/

nmcli conn reload

Changes to NetworkManager system connections are activated by signaling the NetworkManager daemon to reload all connections. For more information, see the Additional resources section.

/etc/firewalld/

firewall-cmd --reload

Changes to the permanent configuration of firewalld are activated by signaling firewalld to reload firewall rules as new runtime configuration.

For networking configuration details, see Configuring and managing networking in the Additional resources section.

2.12. Using the Software Catalog

The Red Hat Edge Manager Software Catalog provides a curated list of operating system images, application images, and application data (for example, AI models) that you can discover and deploy from the Flight Control web console. Using the catalog, you can install or update software on a device, or apply catalog software through a fleet device template so that every device selected into the fleet receives the configuration, without entering Open Container Initiative (OCI) image references manually.

Catalog content can come from Git-synchronized catalog definitions managed by administrators, from image builds published through ImagePromotion, or from both sources in the same organization. For the build-to-catalog workflow, see Publishing an image build to the Software Catalog in the Additional resources section.

Catalog content sources

The Software Catalog can display items from the following sources:

  • Git-synchronized definitions: Administrators configure a catalog ResourceSync that imports Catalog and CatalogItem YAML from a Git repository. See Managing a catalog repository on the CLI in the Additional resources section.
  • Image Builder promotions: Operators or administrators publish completed image builds to a catalog by creating an ImagePromotion resource. Each successful promotion adds or updates a catalog item version with registry and export artifact references.

Every organization also has a default catalog that is created automatically. Image promotions can target this catalog without additional administrator setup.

Catalog contents

The catalog can include:

  • Operating system images: Bootable container (bootc) images that you can deploy or update on edge devices.
  • Application images: Containerized applications (Compose, Quadlet, Container, or Helm) that you can deploy to devices.
  • Application data: OCI artifacts such as AI models that applications might require.

Catalog contents are provided by catalog endpoints configured by your administrator. The catalog surface in the web console is analogous to the Software Catalog in the Red Hat OpenShift Container Platform web console.

Configuring catalog endpoints (administrators)

Administrators configure one or more catalog endpoints in Flight Control so that operators see a curated list of software. For Git-backed catalogs, create a catalog Repository and ResourceSync. For image-build content, ensure that OCI repositories and base image lists are configured and that publishers have permission to create ImagePromotion resources. Access to the catalog is controlled by permissions; operators either have access to view the catalog or they do not. The same catalog content is available to every operator who has access, regardless of which devices or fleets they manage; fleet-specific or environment-specific catalog visibility is not supported.

Catalog repository type

Flight Control supports a catalog resource sync in addition to fleet resource syncs. A catalog resource sync points to a catalog endpoint and can use optional authentication. For details, see Managing a catalog repository in the Additional resources section.

Using the Software Catalog (operators)

Browsing the catalog

In the Flight Control web console, open the Software Catalog to browse available OS images, application images, and application data. Filter by catalog when your organization defines more than one catalog (including the automatically provisioned default catalog). Published catalog definitions can organize versions into channels (for example, stable, candidate, or testing) when your administrator or publisher configures them that way. A version can belong to more than one channel. The catalog shows eligible versions and, where applicable, validated upgrade paths so you can choose appropriate updates. When image builds are published to an existing catalog item, version history stays on that item (for example 1.0.0, 1.1.0, 1.2.0) instead of creating unrelated entries.

Update availability and release information

When a device runs catalog software, or devices in a fleet run catalog software that is defined in the fleet device template, and a newer version exists along an allowed update path, the Flight Control web console surfaces that an update is available—for example from the Catalog tab when you open a device or the details for a fleet.

If the catalog publisher includes release notes or change highlights for a version, that information can appear when you review an update so you can decide whether and when to apply it. Which details you see depends on what your administrator publishes in the catalog definitions.

Validated upgrade paths and compatibility

Catalog items can define an upgrade graph. Each published version is a node, and each allowed upgrade path (an edge in the graph) connects one version to the next. That model follows the Cincinnati update protocol, which Red Hat OpenShift Container Platform uses for cluster updates. The graph lets your organization expose tested transitions instead of every tag in a registry.

You might not be offered every newer tag as a direct update from your current version. When the graph does not define a jump, apply the intermediate versions that the console offers first, or ask your administrator to extend the catalog definitions. The console guides you toward allowed targets and avoids disallowed jumps when those guardrails are enforced.

Installing from the catalog

You can install an OS image or application on a single device, or add it to a fleet device template so that all devices in the fleet receive it, directly from the catalog:

  1. In the Flight Control web console, open the Software Catalog.
  2. Select the item you want to deploy (OS image or application).
  3. Choose Deploy and select the target device or fleet (for a fleet, the catalog updates the fleet device template for devices that match the fleet label selector).
  4. For applications, follow the on-screen guidance to provide required parameters. The UI can validate parameters and show help text so you do not need to know the application format or technical details.
  5. Confirm the deployment. The Red Hat Edge Manager agent on the target device or devices will apply the change when it checks in.

Updating from the catalog

When a newer version of an OS image or application is available along an allowed path in the catalog, you can update an individual device or update catalog software configured in a fleet device template from the catalog. Installed catalog software is compared to published versions and upgrade edges; see Validated upgrade paths and compatibility in the Additional resources section. For what you might see before you choose to update, see Update availability and release information in the Additional resources section.

Updates are visible in the Catalog tab of the device details view, or of the fleet details view for fleets whose device template includes catalog-defined software.

  1. In the Flight Control web console, open the details for the device you want to update, or open the fleet whose device template configures the catalog software, then open the Catalog tab.
  2. When an update is available, use the Update action for the relevant device or for the fleet whose device template defines the catalog software.
  3. Confirm the update. The agent will download and apply the new version according to the applicable update policy.

Provisioning guidance when installing a bootc image to a new device

When you choose to install a bootc image from the catalog to a device that is not yet enrolled, the Flight Control web console can provide scenario-specific provisioning guidance, for example:

  • For a physical device: Steps and a link to download the required artifact (ISO or disk image) for bare-metal installation.
  • For a virtual device on OpenShift Virtualization: Steps and a link to download the artifact (for example, QCow2) and guidance for provisioning the virtual machine.

Use that guidance together with the procedures in Provisioning devices to complete enrollment.

2.13. Image and artifact pruning

The Red Hat Edge Manager agent can automatically remove unused container images and OCI artifacts from devices to free disk space. This helps prevent storage exhaustion on edge devices with limited capacity.

How pruning works

Image and artifact pruning uses a "lost reference" model:

  1. Reference tracking: Before each device update, the agent records all images and artifacts referenced in the current and desired device specifications to a file (/var/lib/flightctl/image-artifact-references.json).
  2. Pruning execution: After a successful spec update, the agent compares the previously recorded references with the current device specifications. Any images or artifacts that were previously referenced but are no longer needed are eligible for removal.
  3. Safe pruning: The agent only removes items that:

    • Were previously recorded in the references file
    • Are no longer referenced in the current or desired device specifications
    • Exist locally on the device
  4. Preservation: Images and artifacts required for current operations or potential rollback (desired state) are always preserved, even if they appear in the references file.
Note

Pruning runs automatically after successful device spec updates. The references file is maintained even when pruning is disabled, so pruning behavior is accurate when you enable the feature later.

What gets pruned

The pruning process considers the following types of OCI targets:

  • Application images: Container images referenced by Compose, Quadlet, Container, or Helm applications
  • OS images: Operating system images specified in the device OS configuration
  • Helm charts: Charts referenced by Helm applications

Configuring pruning

Image and artifact pruning is disabled by default. To enable it, configure the agent pruning settings.

Base configuration

Add the pruning configuration to the main agent configuration file at /etc/flightctl/config.yaml:

image-pruning:
  enabled: true

Drop-in configuration

You can also configure pruning using drop-in files in /etc/flightctl/conf.d/. This allows you to enable or disable pruning for specific devices or fleets without changing the base configuration.

Create a drop-in file (for example, /etc/flightctl/conf.d/enable-pruning.yaml):

image-pruning:
  enabled: true

Drop-in files are processed in lexical order and override the base configuration. For example, to disable pruning via a drop-in file:

image-pruning:
  enabled: false
Note

When you use drop-in files in /etc/flightctl/conf.d/, the agent reloads its configuration automatically when those files change. When you change the base configuration file (/etc/flightctl/config.yaml) or need to apply changes immediately, send the flightctl-agent process a SIGHUP signal (for example, run kill -HUP $(pgrep flightctl-agent)) or restart the agent service.

Tip

Consider disabling pruning when you are experimenting with many images that were previously pruned because their references were lost and are now present again. This prevents the agent from immediately pruning images you are actively testing, so you can iterate on configurations without repeatedly re-downloading images.

Pruning behavior

  • Automatic execution: Pruning runs automatically after successful device spec updates. No manual intervention is required.
  • Non-blocking: Pruning errors do not block device reconciliation. If pruning fails, the agent logs a warning and continues normal operation.
  • Reference accumulation: The references file accumulates references over time, even when pruning is disabled. If you enable pruning later, the agent has accurate historical data about what was previously referenced.
  • Incremental updates: The references file is updated before each upgrade to include all currently referenced images and artifacts, so tracking stays current.

Example scenarios

Scenario 1: Application update * Device initially runs application quay.io/myorg/app:v1.0 * Application is updated to quay.io/myorg/app:v2.0 * After successful update, the v1.0 image is pruned (if it was previously recorded)

Scenario 2: Application removal * Device runs multiple applications * One application is removed from the device specification * After successful update, images and artifacts used only by the removed application are pruned

Scenario 3: OS image update * Device OS is updated from registry.example.com/edge/rhel:9.4 to registry.example.com/edge/rhel:9.5 * After successful update, the old OS image (9.4) is pruned (if it was previously recorded)

Monitoring pruning

Pruning operations are logged by the agent. You can monitor pruning activity as follows:

  • Agent logs: Check the agent systemd journal for pruning messages:

    journalctl -u flightctl-agent -f | grep -i pruning
  • Log messages: The agent logs messages such as:

    • "Starting pruning of X eligible images and Y eligible artifacts"
    • "Pruning complete: removed X of Y eligible images, Z of W eligible artifacts"

2.14. Monitoring device resources

You can set up resource monitors for device resources and create alerts when the utilization of resources crosses a defined threshold. When the agent alerts the Red Hat Edge Manager service, the service sets the device status to degraded or error, depending on the severity level.

Resource monitors take the following parameters:

Parameter

Description

MonitorType

The resource to monitor. The CPU, Memory, and Disk resources are currently supported.

SamplingInterval

The interval in which the monitor samples usage, specified as a positive integer followed by a time unit: s for seconds, m for minutes, h for hours.

AlertRules

A list of alert rules.

Path

For Disk monitor only. The absolute path to the directory to monitor. Utilization reflects the file system that contains the path, even if the defined path is not a mount point.

Alert rules take the following parameters:

Parameter

Description

Severity

The severity of the alert rule can be Info, Warning, or Critical. Only one alert rule is allowed for each severity level and monitor.

Duration

The duration that resource usage is measured and averaged over when sampling, specified as a positive integer followed by a time unit: s for seconds, m for minutes, h for hours. The duration must be smaller than the sampling interval.

Percentage

The usage threshold that triggers the alert, as percentage value. The value ranges from 0 to 100 without the % sign.

Description

A human-readable description of the alert. Add details about the alert to help with debugging. By default, the alert description is load is above >% for more than.

Monitoring device resources using the CLI

Monitor the resources of your device through the CLI, providing you with the tools and commands to track performance and troubleshoot issues.

Complete the following steps:

  • Add resource monitors in the spec.resources section of the device specification. For example, add the following monitor for your disk:

    apiVersion: flightctl.io/v1alpha1
    kind: Device
    metadata:
      name: <device_name>
    spec:
    [id="..."]
      resources:
      - monitorType: Disk
        samplingInterval: 5s
        path: /application_data
        alertRules:
        - severity: Warning
          duration: 30m
          percentage: 75
          description: Disk space for application data is >75% full for over 30m.
        - severity: Critical
          duration: 10m
          percentage: 90
          description: Disk space for application data is >90% full over 10m.
    [id="..."]

Legal Notice

Copyright © Red Hat.
Except as otherwise noted below, the text of and illustrations in this documentation are licensed by Red Hat under the Creative Commons Attribution–Share Alike 3.0 Unported license . If you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, the Red Hat logo, JBoss, Hibernate, and RHCE are trademarks or registered trademarks of Red Hat, LLC. or its subsidiaries in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
XFS is a trademark or registered trademark of Hewlett Packard Enterprise Development LP or its subsidiaries in the United States and other countries.
The OpenStack® Word Mark and OpenStack logo are trademarks or registered trademarks of the Linux Foundation, used under license.
All other trademarks are the property of their respective owners.