Managing devices
Managing Red Hat Edge Manager devices
Abstract
Preface
Enroll, label, update, and configure devices and related repositories in Red Hat Edge Manager.
Chapter 1. Managing devices
You can manage your devices individually or in a fleet. The Red Hat Edge Manager allows you to manage a whole fleet of devices as a single object instead of managing many devices individually.
You only need to specify the desired configuration once and then the Red Hat Edge Manager applies the configuration to all devices in the fleet.
Understanding individual device management is the foundation for managing devices in a fleet. You might want to manage your devices individually in the following scenarios:
- If a few devices have significantly different configurations.
- If you use external automation for updating the devices.
Required access: Cluster administrator
The following documentation focuses on managing individual devices:
- Enrolling devices
- Reporting system information from the agent
- Device alias and enrollment labels
- View device inventory and device details
- Viewing, streaming, and downloading device logs in the web console
- Decommissioning devices
- Labels and label selectors
- Updating labels using the CLI
- Updating the operating system
- Operating system configuration for edge devices
- Automatic synchronization of external configuration
- Using the Software Catalog
- Publishing an image build to the Software Catalog
- Image and artifact pruning
- Vulnerability management
- Configuring a device to auto-register MicroShift clusters
To learn more about managing your devices in a fleet, see Managing device fleets in the Additional resources section.
Additional resources
- Enrolling devices
- Reporting system information from the agent
- Device alias and enrollment labels
- View device inventory and device details
- Viewing, streaming, and downloading device logs in the web console
- Decommissioning devices
- Labels and label selectors
- Updating labels using the CLI
- Updating the operating system
- Operating system configuration for edge devices
- Automatic synchronization of external configuration
- Using the Software Catalog
- Publishing an image build to the Software Catalog
- Image and artifact pruning
- Vulnerability management
- Configuring a device to auto-register MicroShift clusters
- Managing device fleets
1.1. Enrolling devices
To manage your devices with Red Hat Edge Manager, you must enroll the devices to the Red Hat Edge Manager service.
The first time Red Hat Edge Manager agents runs on a device, the agent prepares for the enrollment process by generating a cryptographic key pair. The cryptographic key pair of the device consists of a public and a private key. The private key never leaves the device, so that the device cannot be duplicated or impersonated. The key pair is registered with the Red Hat Edge Manager service during enrollment and is deleted during decommissioning of the device.
When the device is not yet enrolled, the agent performs service discovery to find its Red Hat Edge Manager service instance. Then, the device establishes a secure, mTLS-protected network connection to the service. The device uses its X.509 enrollment certificate that the device acquired during image building or device provisioning. The device submits an enrollment request to the service that includes the following:
- a description of the device hardware and operating system
- an X.509 Certificate Signing Request which includes the cryptographic identity of the device to obtain the initial management certificate
- labels proposed by the agent, including a default device alias when the agent configuration does not specify otherwise
The device is not considered trusted and remains quarantined in a device lobby until an authorized user approves or denies the request.
For more information, read the following sections:
- Reporting system information from the agent
- Device alias and enrollment labels
- Device enrollment
- Optional: Requesting an enrollment certificate for early binding
Prerequisites
- You must install the Flight Control CLI. See Installing the Flight Control CLI in the Additional resources section.
- You must log in to the Red Hat Edge Manager service.
Enrolling devices using the Flight Control CLI
You must enroll devices into the Red Hat Edge Manager service before you can manage them. Complete the following steps:
List all devices that are currently waiting for approval by running the following command:
flightctl get enrollmentrequests --field-selector="status.approval.approved != true"
See the following example output:
NAME APPROVAL APPROVER APPROVED LABELS <device_name> Pending <none> <none>
Note: The unique device name is generated by the agent and cannot be changed. The agent chooses a base32-encoded hash of its public key as device name.
Approve an enrollment request by specifying the name of the enrollment request. The agent typically includes a default
aliaslabel and any labels configured in the agentconfig.yaml. Optionally, you can add labels to the device by using the--labelor-lflags. By default, approval labels are merged with agent-provided labels; use--replace-labelsto apply only the labels you specify.Note: This merge behavior applies to CLI approval only. In the web console, the enrolled device receives exactly the alias and labels shown in the approval modal. For more information, see Approving with the Flight Control web console in the Additional resources section.
For more information about system information reporting, enrollment labels, and approval behavior, see Reporting system information from the agent and Device alias and enrollment labels in the Additional resources section. See the following example:
flightctl approve -l region=eu-west-1 -l site=factory-berlin enrollmentrequest/54shovu028bvj6stkovjcvovjgo0r48618khdd5huhdjfn6raskg
See the following example output:
NAME APPROVAL APPROVER APPROVED LABELS <device_name> Approved user region=eu-west-1,site=factory-berlin
After you approve the enrollment request, the service issues the management certificate and registers the device in the inventory. The device appears in the inventory with its alias in the ALIAS column when the agent assigned an alias label during enrollment. The device is now ready to be managed.
1.2. Reporting system information from the agent
The Red Hat Edge Manager agent collects built-in and custom system information from each device and reports it in device status under status.systemInfo. You configure which fields are collected independently of device labels. Labels are optional consumers of that data at enrollment time.
System information and device labels
System information collection and enrollment labels are configured independently:
-
System information (
system-info,system-info-custom): Controls what the agent collects and reports instatus.systemInfo(includingcustomInfofor user-defined collectors). -
Enrollment labels (
default-labels,label-from-systeminfo): Controls which labels the agent requests when it enrolls the device. Mapping withlabel-from-systeminforeads values that you have already enabled for collection.
You do not need to map system information to labels for the agent to report it in device status. For enrollment-time labels, including the device alias, see Device alias and enrollment labels in the Additional resources section.
Agent configuration for system information
The agent reads system information settings from /etc/flightctl/config.yaml. You can override supported keys with drop-in files under /etc/flightctl/conf.d/. Drop-in files currently support log-level, system-info, system-info-custom, system-info-timeout, and label-from-systeminfo.
The following parameters control system information collection:
| Parameter | Description |
|---|---|
|
|
Built-in and managed system information fields to include in device status updates beyond the always-reported core fields ( |
|
|
Keys for custom collectors whose executables live under |
|
|
Maximum time allowed to collect system information. Default: |
Inspecting collected system information
On the device, list the values that built-in and custom collectors return:
sudo flightctl-agent system-info | jq '.'
After enrollment, view reported system information in the device resource. For example:
flightctl get device/<device_name> -o yaml
The status.systemInfo section includes core fields and any fields you enabled with system-info or system-info-custom. For more information about viewing device status, see View device inventory and device details in the Additional resources section.
Built-in system information fields
You can enable additional built-in collectors by listing their keys under system-info in config.yaml.
| Field | Description |
|---|---|
|
| System hostname |
|
| Running Linux kernel version |
|
| Operating system distribution name |
|
| Operating system distribution version |
|
| Product or model name (from DMI data) |
|
| Hardware serial number (if available) |
|
| UUID of the system board or chassis |
|
| BIOS or firmware vendor |
|
| BIOS or firmware version |
|
| Default network interface name |
|
| First usable IP address on the default network interface |
|
| MAC address of the default network interface |
|
| Detected GPU devices |
|
| Total RAM in kilobytes |
|
| Number of physical CPU cores |
|
| Number of logical processors |
|
| CPU vendor and model name |
The following example enables a subset of built-in fields:
system-info: [hostname, kernel, distroName, distroVersion]
Managed system information collectors
The agent populates the following fields internally. They reflect agent lifecycle state and update only when the underlying state changes, such as certificate rotation or TPM initialization:
| Field | Description |
|---|---|
|
| Serial number of the active device management certificate |
|
|
Expiration time ( |
|
| TPM vendor information derived from the device TPM manufacturer data |
These fields follow the same configuration and reporting semantics as built-in collectors. Include or exclude them from device status by listing them under system-info in config.yaml. They are included in the default system-info list.
Custom system information collectors
Custom collectors let you report site-specific or application-specific values under status.systemInfo.customInfo.
To add a custom field:
-
Create an executable script named after the collector key in
/usr/lib/flightctl/custom-info.d/. The script must print a single line of output (the value). -
Add the key to
system-info-customin/etc/flightctl/config.yaml.
Custom keys must be camelCase with no spaces or special characters. Script file names may be camelCase or lowercase.
The following example reports FIPS mode status:
Create
/usr/lib/flightctl/custom-info.d/fipswith executable permissions:#!/bin/sh fips-mode-setup --is-enabled case $? in 0) echo "enabled";; 1) echo "inconsistent";; 2) echo "disabled";; *) echo "unknown";; esacEnable the collector in
config.yaml:system-info-custom: [fips]
Reported device status includes:
status:
systemInfo:
customInfo:
fips: disabled
To map custom values to enrollment labels, enable the collector first, then use the customInfo.<key> syntax in label-from-systeminfo. For more information, see Enrollment-time label mapping in the Additional resources section.
1.3. Device alias and enrollment labels
During enrollment, the Red Hat Edge Manager agent can assign a human-readable device alias and other labels automatically. You can configure how the alias is derived before enrollment, view the proposed alias when approving a device, and change the alias after the device is enrolled.
Device alias and device name
Each enrolled device has two identifiers:
-
Device name (
metadata.name): A unique, immutable name that the agent generates from its public key. You cannot change the device name. -
Device alias (
aliaslabel): A human-readable name shown in theALIAScolumn of the Flight Control CLI and web console. The alias is stored as thealiaslabel on the device and must follow Kubernetes label value rules.
If you do not configure the agent to set the alias explicitly, the agent assigns alias from the device hostname when it submits the enrollment request.
Enrollment-time labels on the agent
The agent reads optional label settings from /etc/flightctl/config.yaml. You can also override supported keys with drop-in files under /etc/flightctl/conf.d/; see Agent configuration for system information in the Additional resources section. During enrollment, the agent includes requested labels in the enrollment request.
Enrollment labels are separate from system information collection. The agent reports system information in device status regardless of label configuration. When you use label-from-systeminfo, the agent reads values from fields that you enabled with system-info or system-info-custom. For more information, see Reporting system information from the agent in the Additional resources section.
The following configuration parameters control enrollment labels:
| Parameter | Description |
|---|---|
|
|
Labels ( |
|
|
Maps system information fields to device labels at enrollment time. Values from system info are sanitized to meet Kubernetes label requirements (invalid characters become hyphens; values longer than 63 characters are truncated). The source fields must be enabled under |
Default alias behavior
The agent sets the alias label at enrollment using the first applicable source in the following order:
-
default-labels— setaliasto a fixed value (highest precedence) -
label-from-systeminfo— mapaliasto a system information field -
Device hostname — if you do not set
aliasindefault-labelsorlabel-from-systeminfo, the agent uses the device hostname
The alias appears in the device inventory after enrollment approval.
To set a fixed alias, add it to default-labels:
default-labels: alias: edge-factory-01
To set the alias from a system information field, map alias in label-from-systeminfo. For example, to use a custom product name collector:
system-info-custom: [productName] label-from-systeminfo: alias: customInfo.productName
Ensure productName is enabled in system-info-custom and the collector exists under /usr/lib/flightctl/custom-info.d/ before you map it to a label.
Enrollment-time label mapping
During enrollment, the agent applies configured default-labels and maps collected system information to labels with label-from-systeminfo, then includes the resulting labels in the enrollment request. After approval, those labels become part of the device metadata. You can use them in fleet selectors and fleet template placeholders the same way as manually assigned labels. For more information, see Example: fleet selection from system information and Device selection into a fleet in the Additional resources section.
You can map built-in system information fields to labels by using the field name on the right side of the mapping. The label name on the left can be any valid Kubernetes label key. Enable the field under system-info if it is not in the default collection list. For built-in field names, see Built-in system information fields in the Additional resources section.
label-from-systeminfo: arch: architecture os-name: distroName os-version: distroVersion
Label values come from the mapped system information fields on each device. Values that contain spaces or special characters are sanitized automatically before enrollment. See Label validation and sanitization for an example using distroName.
You can map custom system information by using the customInfo. prefix. Enable each key under system-info-custom first. For more information, see Custom system information collectors in the Additional resources section.
system-info-custom: [region, siteId] label-from-systeminfo: region: customInfo.region site: customInfo.siteId
Example: fleet selection from system information
The following example assigns devices to fleets based on a custom protocol collector and CPU architecture. First, create /usr/lib/flightctl/custom-info.d/waysideProtocol with executable permissions:
#!/bin/bash cat /etc/wayside/protocol.txt
Then configure the agent to collect the custom field and map it to labels at enrollment:
system-info-custom: [waysideProtocol] label-from-systeminfo: protocol: customInfo.waysideProtocol arch: architecture default-labels: env: production
With this configuration, each device receives labels such as protocol=Wayside-Protocol-A, arch=amd64, and env=production. When you do not set alias in default-labels or map it in label-from-systeminfo, the agent also requests alias from the device hostname (for example, alias=edge-host-01). Define a fleet that selects devices by protocol:
apiVersion: flightctl.io/v1beta1
kind: Fleet
metadata:
name: wayside-protocol-a
spec:
selector:
matchLabels:
protocol: Wayside-Protocol-A
[...]Before you apply the fleet, verify that the selector returns the expected devices:
flightctl get devices -l protocol=Wayside-Protocol-A -l env=production
For more information about fleet selectors, see Selecting devices into a fleet by using the CLI in the Additional resources section.
Label precedence at enrollment
When the same label key is defined in more than one place, labels are applied in the following order (highest to lowest precedence):
-
default-labels -
label-from-systeminfo -
Default
alias=hostname(only whenaliasis not set indefault-labelsorlabel-from-systeminfo)
default-labels: env: production label-from-systeminfo: env: customInfo.env region: customInfo.region
In this example, the device has env=production from default-labels. The env mapping from label-from-systeminfo is ignored. The device still receives region from custom info and alias from the hostname unless you set alias in default-labels or map it in label-from-systeminfo.
Label validation and sanitization
Values mapped with label-from-systeminfo are sanitized automatically so they meet Kubernetes label requirements. Spaces and special characters become hyphens, leading and trailing non-alphanumeric characters are removed, and values longer than 63 characters are truncated. For example, a distroName value of Red Hat Enterprise Linux becomes the label value Red-Hat-Enterprise-Linux.
Values in default-labels are validated but not modified. Invalid default-labels values are skipped and logged so enrollment can continue; fix the agent configuration if labels are missing after enrollment.
Long hostnames or other source values can exceed the 63-character label limit. The agent truncates or sanitizes values so the alias label remains valid. If a value cannot be sanitized into a valid label, the label is skipped and a warning is logged.
Alias and labels during enrollment approval
The enrollment request includes labels that the agent proposed, including the default or configured alias.
Approving with the Flight Control CLI
When you approve an enrollment request with the Flight Control CLI, you can add labels with the --label or -l flags.
By default, labels you specify at approval are merged with agent-provided labels (from default-labels, label-from-systeminfo, and the default hostname alias). Approval labels take precedence when the same key is defined in both places. For example:
flightctl approve -l region=eu-west-1 -l site=factory-berlin enrollmentrequest/<enrollment_request_name>
To set the exact label set on the device and ignore all agent-provided labels, use the --replace-labels flag. To apply no labels at approval, use --replace-labels without -l. For example:
flightctl approve -l env=production --replace-labels enrollmentrequest/<enrollment_request_name> flightctl approve --replace-labels enrollmentrequest/<enrollment_request_name>
After approval, verify the device alias in the inventory:
flightctl get devices
See the following example output:
NAME ALIAS OWNER SYSTEM UPDATED APPLICATIONS LAST SEEN <device_name> edge-host-01 <none> Online Up-to-date <none> 3 seconds ago
Approving with the Flight Control web console
In the Flight Control web console, open pending enrollment requests to review device metadata in the Approve pending device modal. The modal shows the alias in its own field and any other labels from the enrollment request in the Labels section. You can edit or remove those labels and add additional labels before you approve. When you approve the request, the enrolled device receives exactly the alias and labels shown in the modal. Label merging does not apply in the console; this behavior matches the CLI --replace-labels flag, not the default CLI merge behavior.
Changing the alias after enrollment
To change a device alias after enrollment, update the alias label on the device. For more information, see Updating labels using the CLI in the Additional resources section.
To search devices by alias or device name, use the metadata.nameOrAlias or metadata.alias field selectors. For more information, see Field selectors in the Additional resources section.
Including enrollment label configuration in an image
When you build an operating system image with early binding, you can add label-from-systeminfo, default-labels, system-info, system-info-custom, and related settings to the agent config.yaml that you embed in the image. For more information, see Optional: Requesting an enrollment certificate for early binding in the Additional resources section.
Additional resources
- Agent configuration for system information
- Reporting system information from the agent
- Enrollment-time label mapping
- Example: fleet selection from system information
- Device selection into a fleet
- Built-in system information fields
- Custom system information collectors
- Selecting devices into a fleet by using the CLI
- Updating labels using the CLI
- Field selectors
- Optional: Requesting an enrollment certificate for early binding
1.4. Viewing devices
To obtain more information about the devices in your inventory, you can use the Flight Control CLI or the Flight Control web console.
Each device has a unique device name and when configured at enrollment, a human-readable alias shown in the ALIAS column.
In the web console, open a device from the inventory to review status and to access the Logs tab for journal and file-based device logs. For log viewing, streaming, and download steps, see Viewing, streaming, and downloading device logs in the web console in the Additional resources section.
Prerequisites
- You must install the Flight Control CLI. See Installing the Red Hat Edge Manager CLI in the Additional resources section.
- You must log in to the Red Hat Edge Manager service.
- You must enroll at least one device.
View device inventory and device details
When vulnerability reporting is enabled, you can review a paginated table of CVEs affecting the device in the Security overview card on the device details page. For more information, see View vulnerabilities on a device in the Additional resources section.
View devices in your device inventory. Complete the following steps:
View the devices in the device inventory by running the following command:
flightctl get devices
See the following example output:
NAME ALIAS OWNER SYSTEM UPDATED APPLICATIONS LAST SEEN <device_name> edge-host-01 <none> Online Up-to-date <none> 3 seconds ago
The ALIAS column shows the device alias label. If no alias was assigned, the column shows <none>. For more information about how aliases are set during enrollment, see Device alias and enrollment labels in the Additional resources section.
View the details of this device in YAML format by running the following command:
flightctl get device/<device_name> -o yaml
See the following example output:
apiVersion: flightctl.io/v1alpha1 kind: Device metadata: name: <device_name> labels: alias: edge-host-01 region: eu-west-1 site: factory-berlin spec: os: image: registry.example.com/edge/rhel:9.5 config: - name: my-os-configuration gitRef: path: /configuration repository: my-configuration-repo targetRevision: production status: os: image: registry.example.com/edge/rhel:9.5 config: renderedVersion: "1" applications: [] applicationsSummary: status: Unknown resources: cpu: Healthy disk: Healthy memory: Healthy systemInfo: architecture: amd64 bootID: 037750f7-f293-4c5b-b06e-481eef4e883f operatingSystem: linux summary: info: "" status: Online updated: status: UpToDate dependencySync: configRefs: - configProviderName: my-os-configuration fingerprint: abc123def4567890 lastUpdatedAt: "2026-05-21T10:00:00Z" [...]
The status.systemInfo section always includes core fields such as architecture and operatingSystem. Additional built-in and custom fields appear when you enable them in the agent system-info and system-info-custom configuration. For more information, see Reporting system information from the agent in the Additional resources section.
When the device references Git, HTTP, or Kubernetes secret configuration providers, status.dependencySync.configRefs shows the upstream fingerprint last applied to the device. For more information, see Sync status on devices in the Additional resources section.
Device update status and update state
The status.updated.status field indicates whether the device’s running OS and configuration match the device spec. It can have the following values:
| Value | Description |
|---|---|
|
| The device matches its device spec (and, if in a fleet, the fleet template version). |
|
| The device is currently applying an update. |
|
| The device is not updating and does not match its device spec, or (if in a fleet) is not yet on the fleet template version. |
|
|
The agent has not reported status, or the last reported status was |
When an update is in progress, status.conditions includes an Updating condition whose reason field indicates the current phase. After a failed update and rollback, the reason is Error; the device has returned to the previous OS version and the agent will not retry that failed version automatically. The following update states can appear:
| Update state | Description |
|---|---|
|
| The agent is validating the spec and downloading dependencies. |
|
| Dependencies are ready; the agent has not yet applied changes. |
|
| The agent is writing the update to disk. |
|
| The device is rebooting to activate the new OS or configuration. |
|
| The agent detected a failure and is rolling back to the previous OS and configuration. |
|
| The update completed successfully. |
|
| The update failed. The device has rolled back to the pre-update version and will not automatically retry the failed version. |
The status.updated.info field may contain a short message about the last transition. For troubleshooting a rollback or failed update, see Troubleshooting OS update rollback in the Additional resources section.
1.5. Device logs in the Flight Control web console
You can search, view, stream, and download logs from enrolled devices in the Flight Control web console without SSH access to the device. Log data is retrieved over the existing gRPC connection between the Red Hat Edge Manager agent and the Red Hat Edge Manager service, so operators on a different network than the device can troubleshoot when the device is reachable only through the management plane.
When to use console log access
Use the Logs view on a device when you need to inspect agent or system journal output, or files under /var/log, during day-2 operations, for example:
- Verifying that the agent applied a configuration change
- Following activity during an OS update or application deployment
-
Reading a log file under
/var/logwhen the output you need is not in the journal - Collecting recent log lines to share with your team before opening a support case
How log access uses the agent connection
The web console does not open a new inbound port on the edge device. Requests to retrieve, view, stream, and download logs use a device console session over the agent’s outbound gRPC connection to the Red Hat Edge Manager service. The agent runs commands on the device as the flightctl-console user to retrieve and stream log output through that session, similar to other agent-mediated operations.
Plan firewall rules so that enrolled devices can reach the agent API endpoint. For port numbers and deployment context, see Network ports for Red Hat Edge Manager and Red Hat Edge Manager API server in the Additional resources section.
Additional resources
1.6. Viewing, streaming, and downloading device logs in the web console
Use the Logs tab on a device in the Flight Control web console to retrieve journal or file log output, stream new log lines in real time, and download a log file from the device.
For background on connectivity, see Device logs in the Flight Control web console in the Additional resources section.
Prerequisites
- You are logged in to the Flight Control web console.
- The device is enrolled and shows as online in the device inventory.
- The Red Hat Edge Manager agent on the device is connected to the Red Hat Edge Manager service.
1.6.1. Opening the Logs view
Open the Logs tab on a device in the Flight Control web console to access log retrieval, streaming, and download actions.
Procedure
- In the Flight Control web console, open Devices.
- Select the device you want to troubleshoot.
- Open the Logs tab.
1.6.2. Log types
Choose a log type before you retrieve or stream logs:
-
Agent: Journal output for the Red Hat Edge Manager agent service,
flightctl-agent. Useful for enrollment, updates, configuration, and application lifecycle issues. -
System: Journal output from
systemdon the device. Use optional Unit, Time and Level fields to narrow output to a specific unit or to specific time ranges or log level priorities. When you troubleshoot OS update rollback, entergreenboot-healthcheck.servicein Unit to retrievegreenboothealth check output. For more information, see Viewing greenboot and rollback logs. -
File path: Contents of a log file on the device. Enter a path under
/var/login the File path field to view arbitrary log files that are not available through journal-based Agent or System logs.
1.6.3. Filters
You can narrow logs before you retrieve or stream them:
- Log level: Restrict output to a severity level, or use All levels to include every level.
- Time: The default is All times. You can also limit logs to Last 1 hour, Last 24 hours, or Last 7 days; a custom From and To range; Current boot; or Previous boot when those options apply to the selected log type.
When you change the log type (for example, from Agent to File path), filters are reset to allow you to define your new search. Adjust filters to the search you want to do next before you retrieve logs again.
1.6.4. Viewing logs
Retrieve log output from a device by setting the log type and filters, then loading the logs.
Procedure
- Set the log type and any filters you need.
Select the action to retrieve or load logs for the current selection.
The console shows a loading state while logs are fetched from the device. When retrieval completes, log lines appear in the viewer. If no lines match the filters, the view indicates that no logs are available for the selection.
If retrieval fails or times out, check that the device is still online and that the agent connection is healthy, then try again with a narrower time range or log level.
1.6.5. Streaming logs
Stream new log lines in real time from a device to the Flight Control web console.
After you have opened the Logs tab and chosen a log type and filters, start log streaming from the console.
New log lines appear in the viewer as they are generated on the device. Stop streaming when you no longer need live output.
Log streaming and log retrieval utilize the same agent gRPC connection. If this connection is interrupted, the web console displays a banner with a "Retry" button. Clicking "Retry" re-establishes the connection and re-initiates log retrieval, provided that the flight-control agent is accepting new connections and there are no active network connectivity issues.
1.6.6. Downloading a log file
Download the current log output from the Flight Control web console as a plain text file.
Procedure
- Retrieve or stream logs for the selection you need.
Use the download action in the Logs view to save the current log output as a plain text file on your workstation. The browser assigns a file name that includes the log type and a timestamp.
You can share the downloaded file with your team or attach it to a support case.
1.7. Decommissioning devices
Decommissioning a device is the supported way to unenroll it and permanently remove it from Red Hat Edge Manager management. When you request decommissioning, the Red Hat Edge Manager service instructs the agent on the device to run a decommissioning process. That process removes the agent’s management certificate and private key, which erases the device’s Red Hat Edge Manager identity. You cannot undo this action. Always decommission a device before you delete its device resource from the service.
After decommissioning completes, the device no longer has a management identity with the service. Deleting the device resource without decommissioning first can leave the agent in an inconsistent state relative to your operational expectations.
1.7.1. Decommissioning a device using the Flight Control CLI
You can decommission a device by using the Flight Control CLI to request that the Red Hat Edge Manager service unenroll it and permanently remove its management identity.
Prerequisites
- You must install the Flight Control CLI. See Installing the Flight Control CLI in the Additional resources section.
- You must log in to the Red Hat Edge Manager service.
- You must know the device name in the inventory. See View device inventory and device details in the Additional resources section.
Procedure
Request decommissioning for the device by running the following command:
flightctl decommission devices/<device_name>
Verify that the service accepted the request by retrieving the device in YAML format:
flightctl get devices/<device_name> -o yaml
The specification must include a decommissioning target, and
status.lifecycle.statusmust move toDecommissioning. For example:spec: decommissioning: target: Unenroll status: lifecycle: status: DecommissioningWait until the device acknowledges decommissioning. In the device YAML, confirm a condition with
type: DeviceDecommissioning,reason: Completed, and a message that the device completed decommissioning and will wipe its management certificate. When decommissioning ends on the device, the agent removes its local status files from the agent data directory (by default/var/lib/flightctl), includingdesired.json,current.json, androllback.json. The agent then wipes its management certificate and private key and reboots.status: conditions: - lastTransitionTime: "2025-03-05T20:40:48.443917332Z" message: The device has completed decommissioning and will wipe its management certificate reason: Completed status: "True" type: DeviceDecommissioningWhen
status.lifecycle.statusshowsDecommissioned, delete the device resource:flightctl delete devices/<device_name>
1.7.2. Re-enrolling a device after decommissioning
Decommissioning erases the device’s cryptographic management identity (management certificate and private key). To enroll again, the device must still have a valid enrollment certificate from the original operating system image or from your provisioning process.
After you restart the agent on the device, it goes through the enrollment flow again and appears as a new device in the inventory (typically with a new generated device name). For approval and labeling steps, see Enrolling devices in the Additional resources section.
Additional resources
1.8. Labels and label selectors
You can organize your resources, including individual devices, fleets and any other resources, by assigning them labels. For example, you can use labels to record location, hardware type, or purpose. The Red Hat Edge Manager labels follow the same syntax, principles, and operators as Kubernetes labels and label selectors.
You can select devices with labels when viewing the device inventory or applying operations to the devices.
Labels follow the key=value format, where you want to use the key to group devices. For example, if your labels follow the site=<location> naming convention, you can group your devices by site.
You can also use labels that only consist of keys.
Labels must adhere to the following rules to be valid:
- Keys and value must each be 63 characters or less.
-
Keys and values can consist of alphanumeric characters (
a-z,A-Z,0-9). -
Keys and values can also contain dashes (
-), underscores (_), dots (.) but not as the first or last character. - Value can be omitted.
You can apply labels to resources in the following ways:
- Define a set of default labels during image building that are automatically applied to all devices during deployment.
-
Assign initial labels during enrollment, including the device
aliaslabel. For more information, see Device alias and enrollment labels in the Additional resources section. - Assign labels post-enrollment.
The device alias label
The alias label provides a human-readable name for a device. The Flight Control CLI and web console display this value in the ALIAS column. The alias is distinct from the device name (metadata.name), which the agent generates and cannot be changed.
By default, the agent sets alias from the device hostname at enrollment unless you map alias from another system information field in the agent configuration. For system information collection and label mapping, see Reporting system information from the agent and Device alias and enrollment labels in the Additional resources section. You can change the alias label after enrollment using the same procedures as other device labels. The alias value must follow the Kubernetes label rules described in this section.
When resources are labeled, you can select a subset of resources by writing a label selector. A label selector is a comma-separated list of labels for selecting resources that have the same set of labels.
See the following examples:
| Example label selector | Selected devices |
|---|---|
|
|
All devices with a |
|
|
All devices with a |
|
|
All devices with a |
For more information, see Labels and Selectors in the Additional resources section.
1.9. Using labels
You can organize your devices by using labels.
Viewing devices and their labels using the Flight Control CLI
View devices and their associated labels. You can use labels to organize your devices and device fleets.
Complete the following steps:
View devices in your inventory by using the
-o wideoption:flightctl get devices -o wide
See the following example output:
NAME ALIAS OWNER SYSTEM UPDATED APPLICATIONS LAST SEEN LABELS <device1_name> <none> <none> Online Up-to-date <none> 3 seconds ago region=eu-west-1,site=factory-berlin <device2_name> <none> <none> Online Up-to-date <none> 1 minute ago region=eu-west-1,site=factory-madrid
View devices in your inventory with a specific label or set of labels by using the
-l <key=value>option:flightctl get devices -l site=factory-berlin -o wide
See the following example output:
NAME ALIAS OWNER SYSTEM UPDATED APPLICATIONS LAST SEEN LABELS <device1_name> <none> <none> Online Up-to-date <none> 3 seconds ago region=eu-west-1,site=factory-berlin
Updating labels using the CLI
Update labels on your devices using the CLI. Complete the following steps:
Export the current definition of the device into a file by running the following command:
flightctl get device/<device1_name> -o yaml > my_device.yaml
Use your preferred editor to edit the
my_device.yamlfile. See the following example:apiVersion: flightctl.io/v1alpha1 kind: Device metadata: labels: some_key: some_value some_other_key: some_other_value name: <device1_name> spec: [id="..."]Save the file and apply the updated device definition by running the following command:
flightctl apply -f my_device.yaml
Verify that the changes are applied by running the following command
NAME ALIAS OWNER SYSTEM UPDATED APPLICATIONS LAST SEEN LABELS <device1_name> <none> <none> Online Up-to-date <none> 3 minutes ago some_key=some_value,some_other_key=some_other_value <device2_name> <none> <none> Online Up-to-date <none> 4 minutes ago region=eu-west-1,site=factory-madrid
1.10. Field selectors
Field selectors filter a list of Red Hat Edge Manager resources, including individual devices, fleets and any other resources, based on specific resource field values.
Field selectors follow the same syntax, principles, and operators as Kubernetes field and label selectors with additional operators available for more advanced search use cases.
Supported fields
The Red Hat Edge Manager resources give a set of metadata fields that you can select.
Each resource supports the following metadata fields:
-
metadata.name -
metadata.owner -
metadata.creationTimestamp
Note: To query labels, use label selectors for advanced and flexible label filtering.
For more information, see Labels and label selectors in the Additional resources section.
List of additional supported fields
In addition to the metadata fields, each resource has its own unique set of fields that you can select, offering further flexibility in filtering and selection based on resource-specific attributes.
The following table lists the fields supported for filtering for each resource kind:
| Kind | Fields |
| Certificate Signing Request |
|
| Device |
|
| Enrollment Request |
|
| Fleet |
|
| Repository |
|
| Resource Sync |
|
For Device resources, status.updated.status can be one of: UpToDate, Updating, OutOfDate, or Unknown. After a failed OS update and rollback, a device is typically OutOfDate (running the previous version). For more information, see Device update status and update state in the Additional resources section.
When vulnerability reporting is enabled, you can filter devices by CVE with the --cve-id option on flightctl get devices. For more information, see List devices affected by a CVE in the Additional resources section.
Field discovery
Some Red Hat Edge Manager resources might expose additional supported fields. You can discover the supported fields by using the flightctl command with the --field-selector option. If you try to use an unsupported field, the error message lists the available supported fields.
See the following examples:
flightctl get device --field-selector='text'
Error: listing devices: 400, message: unknown or unsupported selector: unable to resolve selector name "text". Supported selectors are: [metadata.alias metadata.creationTimestamp metadata.name metadata.nameOrAlias metadata.owner status.applicationsSummary.status status.lifecycle.status status.summary.status status.updated.status]
The field text is not a valid field for filtering. The error message provides a list of supported fields that you can use with --field-selector for the Device resource.
You can then use one of the supported fields:
flightctl get devices --field-selector 'metadata.alias contains cluster'
The metadata.alias field is checked with the containment operator contains to see if it has the value cluster.
The metadata.alias field reflects the device alias label. For more information about how the alias is set, see Device alias and enrollment labels in the Additional resources section.
Search by device name or alias
The metadata.nameOrAlias field matches either the device name or the alias. Use it when you know a human-readable alias but not the generated device name:
flightctl get devices --field-selector 'metadata.nameOrAlias=edge-host-01'
Examples
Excluding a specific device by name
The following command filters out a specific device by its name:
flightctl get devices --field-selector 'metadata.name!=<device_name>'
Filter by owner, labels, and creation timestamp
The following command retrieves devices that are owned by Fleet/pos-fleet, are located in the us region, and are created in 2024:
flightctl get devices --field-selector 'metadata.owner=Fleet/pos-fleet, metadata.creationTimestamp >= 2024-01-01T00:00:00Z, metadata.creationTimestamp < 2025-01-01T00:00:00Z' -l 'region=us'
Filter by owner, labels, and device status
The following command retrieves devices that are owned by Fleet/pos-fleet, are located in the us region, and have a status.updated.status of either Unknown or OutOfDate:
flightctl get devices --field-selector 'metadata.owner=Fleet/pos-fleet, status.updated.status in (Unknown, OutOfDate)' -l 'region=us'
Supported operators
| Operator | Symbol | Description |
| Exists |
|
Checks if a field exists. For example, the |
| DoesNotExist |
| Checks if a field does not exist. |
| Equals |
| Checks if a field is equal to a value. |
| DoubleEquals |
| Another form of equality check. |
| NotEquals |
| Checks if a field is not equal to a value. |
| GreaterThan |
| Checks if a field is greater than a value. |
| GreaterThanOrEquals |
| Checks if a field is greater than or equal to a value. |
| LessThan |
| Checks if a field is less than a value. |
| LessThanOrEquals |
| Checks if a field is less than or equal to a value. |
| In |
| Checks if a field is within a list of values. |
| NotIn |
| Checks if a field is not in a list of values. |
| Contains |
| Checks if a field has a value. |
| NotContains |
| Checks if a field does not contain a value. |
Operators usage by field type
Each field type supports a specific subset of operators:
| Field Type | Supported Operators | Value |
| String |
| Text string |
| Timestamp |
| RFC 3339 format |
| Number |
| Number format |
| Boolean |
|
Boolean format ( |
| Array |
| Array element |
1.11. Updating the operating system
You can update the operating system of a device by updating the target operating system image name or version in the device specification. Alternatively, you can choose an OS image from the Software Catalog in the Flight Control web console and install or update from there without entering an OCI image reference manually.
Catalog-driven OS updates follow the upgrade graph that your administrator publishes for that image (allowed versions and transitions), as described in Validated upgrade paths and compatibility in the Additional resources section.
When the Red Hat Edge Manager agent communicates with the service, the agent detects the requested update. Then, the agent automatically starts downloading and verifying the new operating system version in the background.
The Red Hat Edge Manager agent schedules the actual system update according to the update policy. At the scheduled update time, the agent installs the new version without disrupting the currently running operating system.
Finally, the device reboots into the new version.
If the new OS version fails health checks after reboot, the device automatically rolls back to the previous working version. During a failed update, the device may reboot several times (greenboot retries) before the rollback completes; multiple reboots in quick succession are expected and do not indicate a separate problem. No manual intervention is required. For more information, see Automatic rollback when an OS update fails and Troubleshooting OS update rollback in the Additional resources section.
The Red Hat Edge Manager currently supports the following image type and image reference format:
| Image Type | Image Reference |
|
|
An OCI image reference to a container registry. Example: |
During the process, the agent sends status updates to the service. You can monitor the update process by viewing the device status. For more information, see Viewing devices in the Additional resources section.
Updating the operating system of a device using the Flight Control CLI
To update the operating system of a device using the flightctl, complete the following steps:
Get the current resource manifest of the device by running the following command:
flightctl get device/<device_name> -o yaml > my_device.yaml
Edit the
Deviceresource to specify the new operating system name and version target.apiVersion: flightctl.io/v1alpha1 kind: Device metadata: name: <device_name> spec: [id="..."] os: image: registry.example.com/edge/rhel:9.5 [id="..."]Apply the updated
Deviceresource by running the following command:flightctl apply -f <device_name>.yaml
Chapter 2. Managing devices in disconnected environments
After an air-gapped installation, enroll devices and update operating systems using internal registries and network paths only. Fleet management and approval workflows are unchanged; see Managing device fleets in the Additional resources section.
2.1. Device enrollment
- Enrolling devices in disconnected environments
- Provisioning devices
2.2. Enrolling devices in disconnected environments
Prepare enrollment credentials and agent configuration at a disconnected site. Approval, device lobby behavior, and post-enrollment management use the same workflow as a connected deployment.
Prerequisites
- Red Hat Edge Manager is installed and services are running at the disconnected site. See Installing Red Hat Edge Manager on Red Hat Enterprise Linux in disconnected environments or Installing Red Hat Edge Manager on Red Hat OpenShift Container Platform in disconnected environments.
-
DNS inside the site resolves the management host name you configured as
global.baseDomain(for exampleedge.example.com). -
Edge devices can reach TCP port
7443on that management host name or IP address. See Agent API and telemetry on dedicated ports. -
The
flightctl-agentpackage is installed on each edge device. For hosts that receive the agent RPM outside an OS image build, see Installing the agent and CLI on air-gapped edge devices. - You can authenticate to the local Red Hat Edge Manager API with the Flight Control CLI or web console from a workstation on the internal network.
Procedure
Authenticate the Flight Control CLI on a workstation that can reach the management host inside the site. Administrators run enrollment commands against the local user API on port
443.If Red Hat Edge Manager uses certificates from the built-in generator or a private CA, trust the deployment CA on the workstation, or use
--insecure-skip-tls-verifyonly for non-production testing. On standalone Red Hat Enterprise Linux deployments, the CA file is/etc/flightctl/pki/ca.crton the management host. See Installing the Red Hat Edge Manager RPM package.sudo cp ca.crt /etc/pki/ca-trust/source/anchors/rhem-ca.crt sudo update-ca-trust
Log in to the local Red Hat Edge Manager instance:
flightctl login https://<baseDomain> --username <user_name> --password <password>
Replace
<baseDomain>with the same value asglobal.baseDomainin/etc/flightctl/service-config.yaml.Request an enrollment configuration file from the local Red Hat Edge Manager service:
flightctl certificate request \ --signer=enrollment \ --expiration=365d \ --output=embedded > config.yaml
The command returns a complete agent configuration. The
enrollment-service.service.serverfield points at the agent API on port7443using your local management host name. The file also embeds the certificate authority bundle and a short-lived enrollment client certificate and key.Review the generated file. The structure matches the following example (values are truncated):
enrollment-service: authentication: client-certificate-data: LS0tLS1CRUdJTiBD... client-key-data: LS0tLS1CRUdJTiBF... service: certificate-authority-data: LS0tLS1CRUdJTiBD... server: https://<baseDomain>:7443 enrollment-ui-endpoint: https://<baseDomain>/The agent uses
certificate-authority-datato verify the management server during enrollment mTLS. The enrollment client certificate inauthenticationsecures the initial connection only; after approval, Red Hat Edge Manager issues a device-specific management certificate.
-
Copy
config.yamlto the edge device using your internal transfer method (for examplescpon the site network or USB). See Transferring an offline installation bundle or Transferring an offline RPM repository. Install the configuration and restrict permissions because the file contains a private key:
sudo install -m 600 -o root -g root config.yaml /etc/flightctl/config.yaml
Restart the agent so it loads the configuration:
sudo systemctl restart flightctl-agent
The agent connects to
Content from <basedomain> is not included.https://<baseDomain>:7443, establishes an mTLS session, and submits an enrollment request. The device remains in the enrollment lobby until an administrator approves the request.NoteTo enroll many devices, embed
config.yamlin an operating system image (early binding) or inject it at provisioning time (late binding) instead of copying the file manually. For image-based workflows in disconnected sites, see Building a bootc operating system image for the Red Hat Edge Manager and Provisioning devices.- Approve the pending request on your local Red Hat Edge Manager instance using the same CLI or web console workflow as a connected deployment. See Enrolling devices using the Flight Control CLI and Approving with the Flight Control web console.
Verification
-
flightctl get devicesshows the device with statusOnlineand the expected alias in theALIAScolumn. -
On the edge device,
sudo systemctl status flightctl-agentreportsactive (running).
Troubleshooting
Agent logs show connection or certificate errors
Verify the device can reach the management host on port
7443:curl -k https://<baseDomain>:7443/
-
Verify the CA embedded in
/etc/flightctl/config.yamlmatches the server CA for your deployment. Review agent logs on the device:
sudo journalctl -u flightctl-agent --no-pager | tail -30
2.3. Operating system updates
- Updating device operating systems in disconnected environments
- Building a bootc operating system image for the Red Hat Edge Manager
2.4. Updating device operating systems in disconnected environments
Publish OS images to a registry inside the air-gapped site, configure pull authentication on bootc devices when required, then stage updates in Red Hat Edge Manager using the same device and fleet workflows as a connected deployment.
Prerequisites
- Red Hat Edge Manager is running at the disconnected site and target devices are enrolled. See Enrolling devices in disconnected environments.
-
Devices run a
bootcoperating system image managed by Red Hat Edge Manager. See Operating system images for the Red Hat Edge Manager. -
The updated OS image is published to a registry that edge devices can reach on the internal network (for example
registry.internal.example.com:5000). - You can authenticate to the local Red Hat Edge Manager API with the Flight Control CLI or web console.
Procedure
-
Build or mirror the target
bootcimage on a connected staging host, then push or copy it to a registry inside the site. See Building a bootc operating system image for the Red Hat Edge Manager or Building images with the simplified workflow, and Transferring an offline installation bundle or Transferring an offline RPM repository. Confirm the image is pullable from a host on the device network:
skopeo inspect docker://<local-registry>/flightctl/rhel:<version>
Replace
<local-registry>and<version>with your internal registry path and tag.
Configure registry authentication on each
bootcdevice when your local registry requires credentials. Skip this step when your registry allows anonymous pulls.Create or update
/etc/ostree/auth.jsonbefore the agent pulls the image. OS updates read credentials from this path; application containers use/root/.config/containers/auth.jsonseparately.{ "auths": { "<local-registry>": { "auth": "<base64-encoded-username:password>" } } }Generate the
authvalue withecho -n 'username:password' | base64.-
To persist credentials across reprovisioning, embed
auth.jsonin the operating system image during build. See Optional: Using image pull secrets. Stage the update by changing
spec.os.imagein the device or fleet specification. Use your internal registry reference (for example<local-registry>/flightctl/rhel:<version>) instead of a public registry URL.Follow Updating the operating system of a device using the Flight Control CLI for a single device, or update fleet device templates as described in Device templates.
The agent pull, apply, reboot, and status reporting workflow is the same as a connected deployment. See Updating the operating system and Device update status and update state.
Alternative: USB-based image transfer. Use this path when a device cannot reach the local registry during an update window but you can transfer files on removable media. After the manual
bootcchange, update the device specification in Red Hat Edge Manager so the desired state matches the running image.On a prep machine with access to the image, export it to a portable archive:
skopeo copy \ docker://<local-registry>/flightctl/rhel:<version> \ oci-archive:~/rhem-os-<version>.tar
-
Transfer
~/rhem-os-<version>.tarto the device. See Transferring an offline installation bundle or Transferring an offline RPM repository. On the device, load the archive into local container storage:
sudo skopeo copy \ oci-archive:~/rhem-os-<version>.tar \ containers-storage:<local-registry>/flightctl/rhel:<version>
Switch the running OS to the staged image:
sudo bootc switch --transport containers-storage <local-registry>/flightctl/rhel:<version> sudo bootc upgrade
Reboot when
bootcor the agent prompts for activation.-
Update
spec.os.imagein Red Hat Edge Manager to the same reference so the control plane matches the device.
Verification
-
On the device,
bootc statusreports the expected image reference and a healthy staged deployment.
For catalog content in the web console, sync from a Git repository reachable inside the site. See Managing a catalog repository on the CLI in the Additional resources section.
2.5. Automatic rollback when an OS update fails
Red Hat Edge Manager uses greenboot integration to provide autonomous failed upgrade recovery. When an OS update fails after reboot (for example, the new OS image fails health checks—such as the agent not becoming active in time or entering a crash loop), the device automatically rolls back to the previous working OS version. No manual intervention is required.
greenboot rollback operations
When an OS update fails health checks after reboot, greenboot performs rollback through the following sequence:
- Deployment and reboot: The agent deploys the new OS image to the device and triggers a reboot.
-
Health check initiation: After the device comes back up,
greenbootruns the flightctl health check. This check has two phases: it waits up to 150 seconds forflightctl-agent.serviceto become active, then monitors service stability for 60 seconds to detect crash loops. A rollback is triggered if the agent does not become active in time or if it restarts (crash-loops) during the stability window. -
Retries and configuration: If health checks fail,
greenbootreboots and retries. By default, three retries occur before a rollback is performed. To change this threshold, update theGREENBOOT_MAX_BOOTSvalue in/etc/greenboot/greenboot.conf. -
Triggering the rollback: Once all retry attempts are exhausted,
greenbootreverts to the previous OS deployment and reboots the device. - Reporting: The device starts on the previous OS version, and the agent reports the rollback to the Red Hat Edge Manager service.
- Version exclusion: That specific OS version is recorded as failed, ensuring the agent skips it during all future reconciliations.
Red Hat Edge Manager automatically disables third-party greenboot health check scripts to ensure that only the Red Hat Edge Manager agent health check controls rollback decisions. The flightctl-configure-greenboot service runs before greenboot-healthcheck on every boot and disables scripts such as MicroShift’s 40_microshift_running_check.sh; only core greenboot scripts and the flightctl health check are preserved. Do not manually edit DISABLED_HEALTHCHECKS in /etc/greenboot/greenboot.conf; it is replaced on every boot.
On systems not using a bootc or OSTree-based image, health checks still run on each boot, but rollback is not possible if an update fails. The device does not revert to a previous OS version in that case.
During the retry phase, the device may reboot multiple times before the final rollback. This is expected behavior, not a separate problem.
This keeps devices operational and avoids repeated failed update attempts.
When automatic rollback applies
Automatic rollback is available for devices that use image-based operating systems (such as bootc images) with greenboot enabled. For more information about image-based OS and transactional updates, see Operating system images for the Red Hat Edge Manager in the Additional resources section.
Observing rollback and update status
You can see whether a device rolled back or is in a failed-update state by viewing the device status. The status.updated.status field indicates whether the device is up to date, updating, or out of date. When an update fails and rollback completes, the update state is reported as Error and the device returns to the previous OS version. For details, see Device update status and update state in the Additional resources section.
If a device has rolled back or you need to diagnose a failed update, see Troubleshooting OS update rollback in the Additional resources section.
2.6. Operating system configuration for edge devices
You can include an operating system-level host configuration in the image to provide maximum consistency and repeatability.
To update the configuration, you create a new operating system image and update devices with the new image.
However, updating devices with a new image can be impractical in the following cases:
- The configuration is missing in the image.
- The configuration needs to be specific to a device.
- The configuration needs to be updateable at runtime without updating the operating system image and rebooting.
For these cases, you can declare a set of configuration files that is present on the file system of the device. The Red Hat Edge Manager agent applies updates to the configuration files while ensuring that either all files are successfully updated in the file system, or rolled back to their pre-update state. If the user updates both an operating system and configuration set of a device at the same time, the Red Hat Edge Manager agent updates the operating system first, then applies the specified set of configuration files.
You can also specify a list of configuration sets that the Red Hat Edge Manager agent applies in sequence. In case of a conflict, the last applied configuration set is valid.
Important: After the Red Hat Edge Manager agent updates the configuration on the disk, the running applications need to reload the new configuration into memory for the configuration to become effective. If the update involves a reboot, systemd automatically restarts the applications with the new configuration and in the correct order. If the update does not involve a reboot, many application can detect changes to their configuration files and automatically reload the files. When an application does not support change detection, you can use device lifecycle hooks to run scripts or commands if certain conditions are met.
Configuration providers
You can provide configuration from multiple sources, called configuration providers, in Red Hat Edge Manager. The Red Hat Edge Manager currently supports the following configuration providers: A repository used by a provider must be set up once and can then be used for multiple devices or fleets.
- Git Config Provider
- Fetches device configuration files from a Git repository.
- Kubernetes Secret Provider
- Fetches a secret from a Kubernetes cluster and writes the content to the file system of the device.
- HTTP Config Provider
- Fetches device configuration files from an HTTP(S) endpoint.
- Inline Config Provider
- Allows specifying device configuration files inline in the device manifest without querying external systems.
Read more about the configuration providers in the following sections:
- Configuration from a Git repository
- Secrets from a Kubernetes cluster
- Configuration from an HTTP server
- Configuration inline in the device specification
Configuration from a Git repository
You can store device configuration in a Git repository such as GitHub or GitLab. You can then add a Git Config Provider so that the Red Hat Edge Manager synchronizes the configuration from the repository to the file system of the device.
The Git Config Provider takes the following parameters:
| Parameter | Description |
|
|
The name of a |
|
| The branch, tag, or commit of the repository to checkout. |
|
|
The absolute path to the directory in the repository from which files and subdirectories are synchronized to the file system of the device. The |
|
|
Optional. The absolute path to the directory in the file system of the device to write the content of the repository to. By default, the value is the file system root ( |
The Repository resource defines the Git repository, the protocol and access credentials that the Red Hat Edge Manager must use. After the repository is set up, you can use it to configure individual devices or device fleets.
When a fleet or device references a Git repository, Red Hat Edge Manager can detect new commits on the configured branch or tag and roll out updates automatically. See Automatic synchronization of external configuration in the Additional resources section.
Secrets from a Kubernetes cluster
The Red Hat Edge Manager can query only the Kubernetes cluster that the Red Hat Edge Manager is running on for a Kubernetes secret. The content of that secret can be written to a path on the device file system.
You can manage Kubernetes Secret Provider configurations via the CLI or API. Kubernetes Secret Provider configurations are displayed in the UI as read-only.
The Kubernetes Secret Provider takes the following parameters:
| Parameter | Description |
|
| The name of the secret. |
|
| The namespace of the secret. |
|
| The directory in the file system of the device to write the secret contents to. |
To apply a Kubernetes secret to a device, add a config entry with secretRef to the device specification and apply it with the CLI (or API):
The following example shows a device spec with secretRef:
spec:
config:
- name: my-secret
secretRef:
name: my-secret-name
namespace: my-secret-namespace
mountPath: /etc/my-secret
Run flightctl apply -f <file>.yaml to apply the device or fleet manifest.
The Red Hat Edge Manager worker needs permission to read secrets from the cluster. You can either allow cluster-wide access at install time or grant namespace-scoped access with RBAC (least-privilege):
-
Cluster-wide access: Set
global.worker.clusterLevelSecretAccesstotruein the Helm values when installing Red Hat Edge Manager on OpenShift. See Installing Red Hat Edge Manager on OpenShift in the Additional resources section. -
Namespace-scoped access: Create a
RoleandRoleBindingin the namespace where the secrets are stored so theflightctl-workerservice account cangetsecrets in that namespace only. For details, see the OpenShift RBAC documentation.
To detect secret rotation automatically, label secrets for synchronization and configure periodic service RBAC as described in Configuring synchronization in the Additional resources section.
The following example shows a Role and RoleBinding for flightctl-worker secret access:
apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: namespace: <secret_namespace> name: flightctl-worker-secret-reader rules: - apiGroups: [""] resources: ["secrets"] verbs: ["get"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: namespace: <secret_namespace> name: flightctl-worker-secret-reader roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: flightctl-worker-secret-reader subjects: - kind: ServiceAccount name: flightctl-worker namespace: <worker_namespace>
Apply the manifest with oc apply -f <file>.yaml.
Configuration from an HTTP server
The Red Hat Edge Manager can query an HTTP server for configuration. The HTTP server can serve static or dynamically generated configuration for a device.
The HTTP Config Provider takes the following parameters:
| Parameter | Description |
|
|
The name of a |
|
|
The suffix to append to the base URL defined in the |
|
| The absolute path to the file in the file system of the device to write the response of the HTTP server to. |
The Repository resource specifies the HTTP server for the Red Hat Edge Manager to connect to, and the protocol and access credentials to use. After the repository is set up, you can use it to configure multiple devices or device fleets.
When content at the referenced URL changes, Red Hat Edge Manager can detect the change and roll out updates to fleets and devices. See Automatic synchronization of external configuration in the Additional resources section.
Configuration inline in the device specification
You can specify configuration inline in a device specification. When using the inline device specification, the Red Hat Edge Manager does not need to connect to external systems to fetch the configuration.
The Inline Config Provider takes a list of file specifications, where each file specification takes the following parameters:
| Parameter | Description |
|
| The absolute path to the file in the file system of the device to write the content to. If a file already exists in the specified path, the file is overwritten. |
|
| The UTF-8 or base64-encoded content of the file. |
|
|
Defines how the contents are encoded. Must be either |
|
|
Optional. The permission mode of the file. You can specify the octal with a leading zero, for example |
|
|
Optional. The owner of the file. Specified either as a name or numeric ID. Default value is set to |
|
| Optional. The group of the file. Specified either as a name or numeric ID. |
For more information about device lifecycle hooks and the default rules used by the Red Hat Edge Manager agent, see Device lifecycle hooks in the Additional resources section.
2.7. Automatic synchronization of external configuration
When a fleet or device references configuration from Git, an HTTP endpoint, or a Kubernetes secret, Red Hat Edge Manager can automatically detect upstream changes and roll out updates without manual edits to the fleet or device specification.
How automatic synchronization works
Fleets and devices can reference external configuration through configuration providers:
-
Git Config Provider (
gitRef) -
HTTP Config Provider (
httpRef) -
Kubernetes Secret Provider (
secretRef)
When automatic synchronization is active, the Red Hat Edge Manager service periodically checks those upstream sources (or watches Kubernetes secrets) for changes. When a change is detected:
- For devices in a fleet, the service creates a new fleet template version and starts a fleet rollout.
- For standalone devices (not owned by a fleet), the service re-renders the device specification directly without creating a template version.
Automatic synchronization applies only when the specification uses gitRef, secretRef, or httpRef. Inline configuration in the device specification is not synchronized from external systems.
Synchronization is enabled by default when external references are present. You do not add fields to the fleet or device specification to turn it on.
Red Hat Edge Manager does not rotate secrets, write changes back to Git repositories, or manage content at HTTP endpoints. It only reacts when those upstream resources change.
Change detection by provider type
| Provider | Detection method |
|---|---|
| Fingerprint stored | Git |
|
Periodic | Git commit SHA |
| Kubernetes secret | In-cluster informer on labeled secrets (in-cluster deployments only) |
|
Secret | HTTP |
|
Conditional HEAD when the server returns |
|
HTTP endpoints that do not return ETag or Last-Modified are not actively monitored. Changes are detected only when a device specification is re-rendered for another reason (for example, another dependency changes or you update the fleet template). At render time, Red Hat Edge Manager fetches the body, computes a sha256: fingerprint, and updates status.dependencySync.configRefs.
Git and HTTP checks use the global dependenciesSync.pollInterval as the minimum interval between probes for the same upstream resource. Probes for different resources are naturally spread over time because dependencies are registered at different times. Secret changes are detected near real time when the informer is running.
If a Git branch, HTTP suffix, or secret name contains template placeholders (for example {{ index .metadata.labels "target-branch" }}), Red Hat Edge Manager resolves the reference per device and triggers updates only for devices whose resolved upstream value changed.
When a device specification is rendered, Red Hat Edge Manager records the upstream fingerprint for each external configuration provider in status.dependencySync.configRefs. The lastUpdatedAt timestamp changes only when the fingerprint for that provider changes.
Template versions and rollouts
When a fleet-owned dependency changes, Red Hat Edge Manager creates a new template version and rolls it out to matching devices.
-
Spec-driven template versions (after you edit the fleet template) use the name
v{generation}. -
Sync-driven template versions (after an upstream dependency changes without a spec edit) use
v{generation}-{short-hash}, where{short-hash}is the first eight characters of the fingerprint that triggered the sync.
Both naming patterns can coexist for the same fleet. List template versions with the following command:
flightctl get templateversions --fleetname <fleet_name>
Sync status on devices
Synchronization state is reported on each device, not on the fleet resource.
The status.dependencySync.configRefs field lists one entry per external configuration provider referenced by the device. Each entry includes:
| Field | Description |
|---|---|
|
|
Name of the configuration provider in the device specification (for example |
|
|
Upstream fingerprint last applied (Git commit SHA, |
|
| Timestamp when the fingerprint last changed on the device |
Configuration providers that use only inline content do not appear in configRefs.
In the Red Hat Edge Manager web console, open a device to view dependency sync details in the device detail view.
Events
The following event reasons help you distinguish automatic synchronization from user-initiated specification changes:
| Reason | Type |
|---|---|
| Description |
|
| Normal | An upstream dependency fingerprint changed. For fleet-owned devices, a new template version and rollout are triggered. For standalone devices, the device specification is re-rendered. |
|
| Warning |
DependencyChangeDetected events can list a fleet or a device as the involved object, depending on ownership. Event details include resourceKey (for example git:my-repo/main or http:my-config/api/v1/config) and fingerprint. DependencySyncProbeFailed events include resourceKey and errorMessage. Inspect event details in YAML:
flightctl get events --field-selector 'involvedObject.kind=Device,involvedObject.name=<device_name>,reason=DependencyChangeDetected' -o yaml
List events for a device or fleet:
flightctl get events --field-selector 'involvedObject.kind=Device,involvedObject.name=<device_name>'
Configuring synchronization
Global synchronization settings are defined in service-config.yaml on Red Hat Enterprise Linux deployments, or in the equivalent configuration mounted by your Helm release on Red Hat OpenShift Container Platform. These settings are server-side only; you do not configure dependency synchronization in fleet or device specifications.
Polling interval and task schedule
Set the minimum interval between Git and HTTP probes for the same upstream resource:
dependenciesSync: pollInterval: 15m
The default is 15m. The interval applies cluster-wide, not per fleet or device.
The dependency sync periodic tasks run on an internal schedule (default every 3 minutes) to discover new dependency references and retry failed probes. That task interval is not configurable in service-config.yaml; only pollInterval is user-configurable under dependenciesSync.
Kubernetes secret auto-sync
Secret synchronization requires Red Hat Edge Manager to run in the cluster where the secrets are stored.
Label each secret that should be watched:
metadata: labels: flightctl.io/sync-<release_namespace>: "true"Replace
<release_namespace>with the namespace where you installed Red Hat Edge Manager (for exampleflightctl.io/sync-flightctl: "true"when the release namespace isflightctl).Grant the periodic service permission to list and watch secrets when secrets are not limited to the release namespace:
On Red Hat OpenShift Container Platform, set both of the following in the Helm install YAML when you need cluster-wide secret access for sync and rendering:
global: worker: clusterLevelSecretAccess: true periodic: clusterLevelSecretAccess: trueFor namespace-scoped access, use
RoleandRoleBindingresources as described in Secrets from a Kubernetes cluster in the Additional resources section.
Security considerations
-
Store Git and HTTP credentials only in
Repositoryresources or Kubernetes secrets, not in fleet or device specifications. -
Ensure
Repositoryresources use the minimum access required (read-only Git credentials where possible). -
Probe failure events (
DependencySyncProbeFailed) sanitize error messages so that tokens and passwords are not written to the event log. -
Secret synchronization uses the Kubernetes secret
resourceVersionas a fingerprint; Red Hat Edge Manager does not store secret data instatus.dependencySync. -
Grant
clusterLevelSecretAccessto the worker and periodic services only when secrets are distributed across namespaces. Prefer namespace-scopedRoleandRoleBindingresources where possible.
Each configuration provider name in a device or fleet template must be unique within that specification. Duplicate names can cause ambiguous dependencySync.configRefs entries.
Viewing sync status with the CLI
Devices
View per-provider sync fingerprints on a device:
flightctl get device/<device_name> -o yaml
Inspect the status.dependencySync.configRefs block.
Fleets
Fleet resources do not include a dependencySync status block in YAML. To assess fleet-wide synchronization:
Review devices in the fleet:
flightctl get devices --field-selector 'metadata.owner=Fleet/<fleet_name>'
Inspect the fleet resource, template versions, and events:
flightctl get fleet/<fleet_name> -o yaml flightctl get templateversions --fleetname <fleet_name> flightctl get events --field-selector 'involvedObject.kind=Fleet,involvedObject.name=<fleet_name>'
-
For per-dependency fingerprints, inspect devices in the fleet with
-o yamlas shown above.
Metrics for cluster administrators
When Prometheus scrapes the Red Hat Edge Manager periodic service, the following metrics relate to dependency synchronization:
| Metric | Description |
|---|---|
|
|
Probe cycles completed, by reference type ( |
|
| Upstream changes detected |
|
| Probe failures |
|
| Probe latency histogram |
|
|
Whether the Kubernetes secret informer is connected ( |
|
| Number of secrets watched by the informer |
Use flightctl_dependency_sync_informer_connected to detect secret informer disconnects. For troubleshooting, see Secret informer disconnect or not running in the Additional resources section.
For troubleshooting steps, see Troubleshooting dependency synchronization in the Additional resources section.
Additional resources
Additional resources
2.8. Configuring a device to auto-register MicroShift clusters
If you have a device that runs an operating system image that includes MicroShift, you can configure the device to fetch Red Hat Advanced Cluster Management registration manifests with the HTTP Config Provider and auto-register the MicroShift cluster with Red Hat Advanced Cluster Management.
For the HTTP Config Provider parameters, see Configuration from an HTTP server in the Additional resources section.
To apply the same configuration across many devices by using a fleet device template, see Configuring fleets to auto-register MicroShift clusters in the Additional resources section.
Configuring your device
Complete the following steps:
Create a file, for example
acm-registration-repo.yaml, that contains an HTTPRepositoryresource for the Red Hat Advanced Cluster Management agent registration API. Replace the placeholders in the following example. For Role-Based Access Control and how to obtain values such as the token, follow Importing a managed cluster by using agent registration in the Red Hat Advanced Cluster Management documentation up to, but not including, applying the import manifests on a cluster.apiVersion: flightctl.io/v1beta1 kind: Repository metadata: name: acm-registration spec: type: http url: https://<agent_registration_host> validationSuffix: /agent-registration/crds/v1 httpConfig: ca.crt: <base64_encoded_ca_bundle> token: <bearer_token>Create the
Repositoryresource by running the following command:flightctl apply -f acm-registration-repo.yaml
Verify that the resource has been created and is accessible by Red Hat Edge Manager by running the following command:
flightctl get repository/acm-registration
Create or update a
Deviceresource so that its specification matches the sameconfigorder as a fleet device template:acm-crd,acm-import,pull-secret, andapply-acm-manifests. MicroShift must authenticate to the container registries that host the Red Hat Advanced Cluster Management images. If the device already has a suitable pull secret for those registries (for example, at/etc/crio/openshift-pull-secret), omit thepull-secretitem from theconfiglist. Theapply-acm-manifestshook in the following example waits until the kubeadmin kubeconfig file exists and MicroShift pods are ready before it runskubectl apply. Use those wait steps when MicroShift might not be running when the hook runs, for example if you apply an operating system image update and this registration configuration together in a single device update. See the following example:apiVersion: flightctl.io/v1alpha1 kind: Device metadata: name: <device_name> spec: os: image: <your os image> config: - name: acm-crd httpRef: filePath: /var/local/acm-import/crd.yaml repository: acm-registration suffix: /agent-registration/crds/v1 - name: acm-import httpRef: filePath: /var/local/acm-import/import.yaml repository: acm-registration suffix: /agent-registration/manifests/{{.metadata.name}} - name: pull-secret inline: - path: "/etc/crio/openshift-pull-secret" content: "{\"auths\":{...}}" - name: apply-acm-manifests inline: - path: "/etc/flightctl/hooks.d/afterupdating/50-acm-registration.yaml" content: | - run: /usr/bin/bash -c "until [ -f $KUBECONFIG ]; do sleep 1; done" timeout: 5m envVars: KUBECONFIG: /var/lib/microshift/resources/kubeadmin/kubeconfig - run: kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout=300s timeout: 5m envVars: KUBECONFIG: /var/lib/microshift/resources/kubeadmin/kubeconfig - if: - path: /var/local/acm-import/crd.yaml op: [created] run: kubectl apply -f /var/local/acm-import/crd.yaml envVars: KUBECONFIG: /var/lib/microshift/resources/kubeadmin/kubeconfig - if: - path: /var/local/acm-import/import.yaml op: [created] run: kubectl apply -f /var/local/acm-import/import.yaml envVars: KUBECONFIG: /var/lib/microshift/resources/kubeadmin/kubeconfigAuto-registration uses the Red Hat Advanced Cluster Management agent registration API: devices fetch the Kubernetes manifests for the klusterlet agent and apply them to MicroShift. The
configentries in the previous example do the following:-
acm-crduses the HTTP configuration provider to query the agent registration server for manifests that contain the custom resource definition for the Red Hat Advanced Cluster Management klusterlet agent. The Red Hat Edge Manager agent writes those manifests to/var/local/acm-import/crd.yamlon the device. -
acm-importqueries the server for import manifests for a cluster whose name matches the device. The{{.metadata.name}}template variable supplies the device name. The agent writes the returned manifests to/var/local/acm-import/import.yaml. -
pull-secretadds registry credentials on the device so that MicroShift can pull the Red Hat Advanced Cluster Management agent images. Skip this item if you already provide a suitable pull secret by another method, for example by embedding it in the operating system image or by using another configuration provider. -
apply-acm-manifestsadds anafterupdatinglifecycle hook rule file under/etc/flightctl/hooks.d/afterupdating/. The hook runs after the configuration is applied and thecrd.yamlandimport.yamlfiles exist; it applies those manifests to MicroShift by usingkubectl. For more information, see Device lifecycle hooks in the Additional resources section.
-
Apply the device by running the following command:
flightctl apply -f <device_file>.yaml
- If the device is not yet enrolled, approve the enrollment request in the Flight Control web console or CLI. Label behavior differs between the console and the CLI; for more information, see Enrolling devices and Alias and labels during enrollment approval in the Additional resources section.
2.9. Managing the device configuration from a Git repository on the CLI
Create and apply a device configuration in a Git repository.
Complete the following steps:
Create a file, for example
site-settings-repo.yaml, that contains the following definition for aRepositoryresource, namedsite-settings:apiVersion: flightctl.io/v1alpha1 kind: Repository metadata: name: site-settings spec: type: git url: https://github.com/<your_org>/<your_repo>.git
Create the
Repositoryresource by running the following command:flightctl apply -f site-settings-repo.yaml
Verify that the resource has been correctly created and is accessible by Red Hat Edge Manager by running the following command:
flightctl get repository/site-settings
See the following example output:
NAME TYPE REPOSITORY URL ACCESSIBLE site-settings git https://github.com/<your_org>/<your_repo>.git True
Apply the
example-siteconfiguration to a device by update the device specification:apiVersion: flightctl.io/v1alpha1 kind: Device metadata: name: <device_name> spec: [id="..."] config: - name: example-site gitRef: repository: site-settings targetRevision: production path: /etc/example-site [...]
After the repository is referenced from a fleet or device, Red Hat Edge Manager can poll the repository and roll out new configuration when you push commits to the tracked branch. You do not need to edit the fleet or device specification to pick up Git changes. For details, see Automatic synchronization of external configuration in the Additional resources section.
Additional resources
2.10. Managing a catalog repository on the CLI
You can add catalog content to Flight Control by creating a Repository resource that points to a Git repository containing catalog definitions, and a ResourceSync resource with type catalog that synchronizes those definitions. The Flight Control web console then displays the curated list of OS images, application images, and application data for discovery and deployment.
This procedure covers Git-synchronized catalogs. To publish catalog items from Image Builder instead, see Publishing an image build to the Software Catalog in the Additional resources section.
Default catalog
Every organization receives a default catalog automatically when the organization is first provisioned. You do not create this catalog manually. Image promotions and Git-synchronized catalogs can both target or coexist with the default catalog.
Verify the default catalog:
$ flightctl get catalog/default
Complete the following steps to synchronize catalog definitions from Git:
Create a
Repositoryresource that points to your Git repository. The repository must contain Catalog and CatalogItem YAML definitions. Settype: gitand the repository URL:apiVersion: flightctl.io/v1beta1 kind: Repository metadata: name: <repository_name> spec: url: <repo_url_with_catalog_definition> type: git
Create a
ResourceSyncresource that imports the catalog from the repository. Settype: catalog, reference the repository name from step 1, and specify the path and branch to sync:apiVersion: flightctl.io/v1beta1 kind: ResourceSync metadata: name: <resourcesync_name> spec: repository: <repository_name> targetRevision: <git_branch_name> path: <path_to_catalog_yaml> type: catalog
Apply both resources. For example, if you saved the Repository to
my-repo.yamland the ResourceSync tomy-catalog-sync.yaml:flightctl apply -f my-repo.yaml flightctl apply -f my-catalog-sync.yaml
Verify that the resources were created and that synchronization succeeded:
flightctl get repository/<repository_name> flightctl get resourcesync <resourcesync_name>
Defining catalogs and catalog items in Git
Your Git repository must contain Catalog and CatalogItem resources that describe what appears in the Software Catalog after synchronization. Store them under the directory (or file path) that you set in the ResourceSync spec.path field.
A ResourceSync with spec.type set to catalog accepts only Catalog and CatalogItem definitions in the synchronized path. If that path includes other resource kinds, synchronization reports an error.
Organize files in a layout similar to the following:
catalogs/
<catalog_name>/
catalog.yaml
<catalog_item_name>.yaml-
catalog.yamldefines theCatalogresource (metadata.nameis the catalog identifier). -
Each additional file in the same directory defines one
CatalogItem. EveryCatalogItemmust setmetadata.catalogto the same catalog name as theCatalogresource.
Catalog resource
The following example shows a minimal Catalog resource:
apiVersion: flightctl.io/v1alpha1 kind: Catalog metadata: name: <catalog_name> spec: displayName: <human_readable_catalog_title> shortDescription: <one_line_description>
CatalogItem versions, channels, and artifacts
Each CatalogItem declares a spec.type (for example, container for an application image), one or more spec.artifacts entries with a type and a versionless uri, and a spec.versions list. Every version entry must include:
-
version: A semantic version string (for example,1.2.0). -
channels: Labels that place the version in an update graph (for example,stableorcandidate). -
references: A map from each artifacttypeinspec.artifactsto an image tag or digest for that version.
The following example defines two versions in a linear chain:
apiVersion: flightctl.io/v1alpha1
kind: CatalogItem
metadata:
name: <catalog_item_name>
catalog: <catalog_name>
spec:
type: container
displayName: <human_readable_item_title>
artifacts:
- type: container
uri: quay.io/<namespace>/<image>
versions:
- version: "1.0.0"
channels:
- stable
references:
container: "1.0.0"
- version: "1.1.0"
channels:
- stable
references:
container: "1.1.0"
replaces: "1.0.0"Defining upgrade paths
Flight Control models relationships between versions using the Cincinnati update protocol. Optional fields on each version entry describe which upgrades are valid:
-
replaces: The single previous version that this version follows in the main chain. -
skips: A list of older versions that may upgrade directly to this version, bypassing intermediate steps. -
skipRange: A semantic version range (for example,>=1.0.0 <1.2.0) of older versions that may upgrade directly to this version. UseskipRangewhen listing every skipped version explicitly would be unwieldy.
If you omit these fields, only the linear replaces chain (when present) defines one-step moves.
API version for catalog resources
Catalog and CatalogItem use the flightctl.io/v1alpha1 API version. Treat them as alpha-stage resources; fields and behavior can change in future Red Hat Edge Manager releases.
Verifying synchronized catalogs on the CLI
After the ResourceSync reports a successful sync, you can list catalogs and items:
flightctl get catalogs flightctl get catalogitems --catalog <catalog_name>
The catalog contents from the synchronized repository will be available in the Software Catalog in the Flight Control web console. For operator tasks in the console, see Using the Software Catalog in the Additional resources section. For image-build publication, see Publishing an image build to the Software Catalog in the Additional resources section.
2.11. Device lifecycle hooks
The Red Hat Edge Manager agent can run user-defined commands at specific points in the device lifecycle by using device lifecycle hooks. For example, you can add a shell script to your operating system images that backs up your application data. You can then specify that the script must run and complete successfully before the agent can start updating the operating system.
As another example, certain applications or system services do not automatically reload their configuration file when the file changes on the disk. You can manually reload the configuration file by specifying a command as another hook, which is called after the agent completes the update process.
The Red Hat Edge Manager agent discovers hook rules only in subdirectories of /etc/flightctl/hooks.d/ and /usr/lib/flightctl/hooks.d/. Those subdirectory names are case-sensitive and must be all lowercase. For example, afterUpdating is not valid; use afterupdating.
The following subdirectories are supported:
|
| Description |
|
| The hook is called after the agent completes preparing for the update, but before changing the operating system. If an action in this hook returns with a failure, the agent cancels the update. |
|
| The hook is called after the agent writes the update to disk. If an action in this hook returns with a failure, the agent cancels and rolls back the update. |
|
| The hook is called before the system reboots. The agent blocks the reboot until the action completes or times out. If any action in this hook returns with a failure, the agent cancels and rolls back the update. |
|
| The hook is called when the agent first starts after a reboot. If any action in this hook returns with a failure, the agent reports the failure but continues starting up. |
Rule files
You can define device lifecycle hooks by adding rule files under one of the following directory trees on the device:
-
/usr/lib/flightctl/hooks.d/<hook_directory>/— read-only from the running system; add rules here by baking them into the operating system image. -
/etc/flightctl/hooks.d/<hook_directory>/— read-writable at runtime; you can update these rules by several methods.
In both paths, replace <hook_directory> with one of beforeupdating, afterupdating, beforerebooting, or afterrebooting. For example, a custom rule that runs after the update is written to disk belongs in a file such as /etc/flightctl/hooks.d/afterupdating/50-my-hook.yaml.
When creating and placing the files, you must consider the following practices:
- The name of the rule must be all lower case.
-
The hook subdirectory name under
hooks.d/must be one of the lowercase names in the table; mixed case or camelCase names are ignored by the agent. - If you define rules in both locations, the rules are merged.
- If you add more than one rule files to a lifecycle hook directory, the files are processed in lexical order of the file names.
-
If you define files with identical file names in both locations, the file in the
/etcfolder takes precedence over the file of the same name in the/usrfolder.
A rule file is written in YAML format and contains a list of one or more actions. An action can be an instruction to run an external command.
When you specify many actions for a hook, the actions are performed in sequence, finishing one action before starting the next.
If an action returns with a failure, the following actions are skipped.
A run action takes the following parameters:
| Parameter | Description |
|
|
The command to run, including any flags or arguments. Specify the full path to the executable (for example |
|
| Optional. A list of key-value pairs to set as environment variables for the command. |
|
| Optional. The directory the command is run from. |
|
|
Optional. The maximum duration that is allowed for the action to complete. Specify the duration as a single positive integer followed by a time unit. The |
|
| Optional. A list of conditions that must be true for the action to be run. If not provided, actions run unconditionally. |
By default, actions are performed every time the hook is triggered. However, for the afterupdating hook, you can use the If parameter to add conditions that must be true for an action to be performed. Otherwise, the action is skipped.
For example, to run an action only if a given file or directory changes during the update, you can define a path condition that takes the following parameters:
| Parameter | Description |
|
|
An absolute path to a file or directory that must change during the update as condition for the action to be performed. Specify paths by using forward slashes ( |
|
|
A list of file operations, such as |
If you specify a path condition for an action in the afterupdating hook, you have the following variables that you can include in arguments to your command and are replaced with the absolute paths to the changed files:
| Variable | Description |
|
| The absolute path to the file or directory specified in the path condition. |
|
| A space-separated list of absolute paths of the files that changed during the update and are covered by the path condition. |
|
| A space-separated list of absolute paths of the files that were created during the update and are covered by the path condition. |
|
| A space-separated list of absolute paths of the files that were updated during the update and are covered by the path condition. |
|
| A space-separated list of absolute paths of the files that were removed during the update and are covered by the path condition. |
The Red Hat Edge Manager agent includes a built-in set of rules defined in /usr/lib/flightctl/hooks.d/afterupdating/00-default.yaml. The following commands are executed if certain files are changed:
| File | Command | Description |
|
|
|
Changes to |
|
|
|
Changes to |
|
|
|
Changes to the permanent configuration of |
For networking configuration details, see Configuring and managing networking in the Additional resources section.
Additional resources
Additional resources
2.12. Using the Software Catalog
The Red Hat Edge Manager Software Catalog provides a curated list of operating system images, application images, and application data (for example, AI models) that you can discover and deploy from the Flight Control web console. Using the catalog, you can install or update software on a device, or apply catalog software through a fleet device template so that every device selected into the fleet receives the configuration, without entering Open Container Initiative (OCI) image references manually.
Catalog content can come from Git-synchronized catalog definitions managed by administrators, from image builds published through ImagePromotion, or from both sources in the same organization. For the build-to-catalog workflow, see Publishing an image build to the Software Catalog in the Additional resources section.
Catalog content sources
The Software Catalog can display items from the following sources:
-
Git-synchronized definitions: Administrators configure a catalog
ResourceSyncthat importsCatalogandCatalogItemYAML from a Git repository. See Managing a catalog repository on the CLI in the Additional resources section. -
Image Builder promotions: Operators or administrators publish completed image builds to a catalog by creating an
ImagePromotionresource. Each successful promotion adds or updates a catalog item version with registry and export artifact references.
Every organization also has a default catalog that is created automatically. Image promotions can target this catalog without additional administrator setup.
Catalog contents
The catalog can include:
-
Operating system images: Bootable container (
bootc) images that you can deploy or update on edge devices. - Application images: Containerized applications (Compose, Quadlet, Container, or Helm) that you can deploy to devices.
- Application data: OCI artifacts such as AI models that applications might require.
Catalog contents are provided by catalog endpoints configured by your administrator. The catalog surface in the web console is analogous to the Software Catalog in the Red Hat OpenShift Container Platform web console.
Configuring catalog endpoints (administrators)
Administrators configure one or more catalog endpoints in Flight Control so that operators see a curated list of software. For Git-backed catalogs, create a catalog Repository and ResourceSync. For image-build content, ensure that OCI repositories and base image lists are configured and that publishers have permission to create ImagePromotion resources. Access to the catalog is controlled by permissions; operators either have access to view the catalog or they do not. The same catalog content is available to every operator who has access, regardless of which devices or fleets they manage; fleet-specific or environment-specific catalog visibility is not supported.
Catalog repository type
Flight Control supports a catalog resource sync in addition to fleet resource syncs. A catalog resource sync points to a catalog endpoint and can use optional authentication. For details, see Managing a catalog repository in the Additional resources section.
Using the Software Catalog (operators)
Browsing the catalog
In the Flight Control web console, open the Software Catalog to browse available OS images, application images, and application data. Filter by catalog when your organization defines more than one catalog (including the automatically provisioned default catalog). Published catalog definitions can organize versions into channels (for example, stable, candidate, or testing) when your administrator or publisher configures them that way. A version can belong to more than one channel. The catalog shows eligible versions and, where applicable, validated upgrade paths so you can choose appropriate updates. When image builds are published to an existing catalog item, version history stays on that item (for example 1.0.0, 1.1.0, 1.2.0) instead of creating unrelated entries.
Update availability and release information
When a device runs catalog software, or devices in a fleet run catalog software that is defined in the fleet device template, and a newer version exists along an allowed update path, the Flight Control web console surfaces that an update is available—for example from the Catalog tab when you open a device or the details for a fleet.
If the catalog publisher includes release notes or change highlights for a version, that information can appear when you review an update so you can decide whether and when to apply it. Which details you see depends on what your administrator publishes in the catalog definitions.
Validated upgrade paths and compatibility
Catalog items can define an upgrade graph. Each published version is a node, and each allowed upgrade path (an edge in the graph) connects one version to the next. That model follows the Cincinnati update protocol, which Red Hat OpenShift Container Platform uses for cluster updates. The graph lets your organization expose tested transitions instead of every tag in a registry.
You might not be offered every newer tag as a direct update from your current version. When the graph does not define a jump, apply the intermediate versions that the console offers first, or ask your administrator to extend the catalog definitions. The console guides you toward allowed targets and avoids disallowed jumps when those guardrails are enforced.
Installing from the catalog
You can install an OS image or application on a single device, or add it to a fleet device template so that all devices in the fleet receive it, directly from the catalog:
- In the Flight Control web console, open the Software Catalog.
- Select the item you want to deploy (OS image or application).
- Choose Deploy and select the target device or fleet (for a fleet, the catalog updates the fleet device template for devices that match the fleet label selector).
- For applications, follow the on-screen guidance to provide required parameters. The UI can validate parameters and show help text so you do not need to know the application format or technical details.
- Confirm the deployment. The Red Hat Edge Manager agent on the target device or devices will apply the change when it checks in.
Updating from the catalog
When a newer version of an OS image or application is available along an allowed path in the catalog, you can update an individual device or update catalog software configured in a fleet device template from the catalog. Installed catalog software is compared to published versions and upgrade edges; see Validated upgrade paths and compatibility in the Additional resources section. For what you might see before you choose to update, see Update availability and release information in the Additional resources section.
Updates are visible in the Catalog tab of the device details view, or of the fleet details view for fleets whose device template includes catalog-defined software.
- In the Flight Control web console, open the details for the device you want to update, or open the fleet whose device template configures the catalog software, then open the Catalog tab.
- When an update is available, use the Update action for the relevant device or for the fleet whose device template defines the catalog software.
- Confirm the update. The agent will download and apply the new version according to the applicable update policy.
Provisioning guidance when installing a bootc image to a new device
When you choose to install a bootc image from the catalog to a device that is not yet enrolled, the Flight Control web console can provide scenario-specific provisioning guidance, for example:
- For a physical device: Steps and a link to download the required artifact (ISO or disk image) for bare-metal installation.
-
For a virtual device on OpenShift Virtualization: Steps and a link to download the artifact (for example,
QCow2) and guidance for provisioning the virtual machine.
Use that guidance together with the procedures in Provisioning devices to complete enrollment.
2.13. Image and artifact pruning
The Red Hat Edge Manager agent can automatically remove unused container images and OCI artifacts from devices to free disk space. This helps prevent storage exhaustion on edge devices with limited capacity.
How pruning works
Image and artifact pruning uses a "lost reference" model:
-
Reference tracking: Before each device update, the agent records all images and artifacts referenced in the current and desired device specifications to a file (
/var/lib/flightctl/image-artifact-references.json). - Pruning execution: After a successful spec update, the agent compares the previously recorded references with the current device specifications. Any images or artifacts that were previously referenced but are no longer needed are eligible for removal.
Safe pruning: The agent only removes items that:
- Were previously recorded in the references file
- Are no longer referenced in the current or desired device specifications
- Exist locally on the device
- Preservation: Images and artifacts required for current operations or potential rollback (desired state) are always preserved, even if they appear in the references file.
Pruning runs automatically after successful device spec updates. The references file is maintained even when pruning is disabled, so pruning behavior is accurate when you enable the feature later.
What gets pruned
The pruning process considers the following types of OCI targets:
- Application images: Container images referenced by Compose, Quadlet, Container, or Helm applications
- OS images: Operating system images specified in the device OS configuration
- Helm charts: Charts referenced by Helm applications
Configuring pruning
Image and artifact pruning is disabled by default. To enable it, configure the agent pruning settings.
Base configuration
Add the pruning configuration to the main agent configuration file at /etc/flightctl/config.yaml:
image-pruning: enabled: true
Drop-in configuration
You can also configure pruning using drop-in files in /etc/flightctl/conf.d/. This allows you to enable or disable pruning for specific devices or fleets without changing the base configuration.
Create a drop-in file (for example, /etc/flightctl/conf.d/enable-pruning.yaml):
image-pruning: enabled: true
Drop-in files are processed in lexical order and override the base configuration. For example, to disable pruning via a drop-in file:
image-pruning: enabled: false
When you use drop-in files in /etc/flightctl/conf.d/, the agent reloads its configuration automatically when those files change. When you change the base configuration file (/etc/flightctl/config.yaml) or need to apply changes immediately, send the flightctl-agent process a SIGHUP signal (for example, run kill -HUP $(pgrep flightctl-agent)) or restart the agent service.
Consider disabling pruning when you are experimenting with many images that were previously pruned because their references were lost and are now present again. This prevents the agent from immediately pruning images you are actively testing, so you can iterate on configurations without repeatedly re-downloading images.
Pruning behavior
- Automatic execution: Pruning runs automatically after successful device spec updates. No manual intervention is required.
- Non-blocking: Pruning errors do not block device reconciliation. If pruning fails, the agent logs a warning and continues normal operation.
- Reference accumulation: The references file accumulates references over time, even when pruning is disabled. If you enable pruning later, the agent has accurate historical data about what was previously referenced.
- Incremental updates: The references file is updated before each upgrade to include all currently referenced images and artifacts, so tracking stays current.
Example scenarios
Scenario 1: Application update * Device initially runs application quay.io/myorg/app:v1.0 * Application is updated to quay.io/myorg/app:v2.0 * After successful update, the v1.0 image is pruned (if it was previously recorded)
Scenario 2: Application removal * Device runs multiple applications * One application is removed from the device specification * After successful update, images and artifacts used only by the removed application are pruned
Scenario 3: OS image update * Device OS is updated from registry.example.com/edge/rhel:9.4 to registry.example.com/edge/rhel:9.5 * After successful update, the old OS image (9.4) is pruned (if it was previously recorded)
Monitoring pruning
Pruning operations are logged by the agent. You can monitor pruning activity as follows:
Agent logs: Check the agent systemd journal for pruning messages:
journalctl -u flightctl-agent -f | grep -i pruning
Log messages: The agent logs messages such as:
-
"Starting pruning of X eligible images and Y eligible artifacts" -
"Pruning complete: removed X of Y eligible images, Z of W eligible artifacts"
-
2.14. Monitoring device resources
You can set up resource monitors for device resources and create alerts when the utilization of resources crosses a defined threshold. When the agent alerts the Red Hat Edge Manager service, the service sets the device status to degraded or error, depending on the severity level.
Resource monitors take the following parameters:
| Parameter | Description |
|
|
The resource to monitor. The |
|
|
The interval in which the monitor samples usage, specified as a positive integer followed by a time unit: |
|
| A list of alert rules. |
|
|
For |
Alert rules take the following parameters:
| Parameter | Description |
|
|
The severity of the alert rule can be |
|
|
The duration that resource usage is measured and averaged over when sampling, specified as a positive integer followed by a time unit: |
|
| The usage threshold that triggers the alert, as percentage value. The value ranges from 0 to 100 without the % sign. |
|
|
A human-readable description of the alert. Add details about the alert to help with debugging. By default, the alert description is |
Monitoring device resources using the CLI
Monitor the resources of your device through the CLI, providing you with the tools and commands to track performance and troubleshoot issues.
Complete the following steps:
Add resource monitors in the
spec.resourcessection of the device specification. For example, add the following monitor for your disk:apiVersion: flightctl.io/v1alpha1 kind: Device metadata: name: <device_name> spec: [id="..."] resources: - monitorType: Disk samplingInterval: 5s path: /application_data alertRules: - severity: Warning duration: 30m percentage: 75 description: Disk space for application data is >75% full for over 30m. - severity: Critical duration: 10m percentage: 90 description: Disk space for application data is >90% full over 10m. [id="..."]