How to Use RHEL 10 Lightspeed AI to Simplify Linux Administration Tasks

In this blog post, I will walk you through practical examples on how you can use RHEL 10 Lightspeed AI to simplify Linux administration tasks. Red Hat Enterprise Linux (RHEL) 10 is the latest major release of Red Hat’s enterprise Linux operating system, officially announced at the Red Hat Summit in May 2025. It introduces several advancements, with a key focus on integrating artificial intelligence (AI) and enhanced security to address modern enterprise needs, particularly in hybrid cloud and AI-driven environments. One of its flagship features is Red Hat Enterprise Linux Lightspeed, a generative AI-powered tool designed to simplify Linux administration and enhance productivity for both novice and experienced IT professionals.

What Exactly Is RHEL Lightspeed?

RHEL Lightspeed is an integrated generative AI tool in RHEL 10 that provides context-aware, natural-language assistance for system management tasks. It’s part of Red Hat’s broader “Lightspeed” initiative, which aims to integrate AI into its platforms (including OpenShift) to improve productivity, troubleshooting, and operations.

Lightspeed leverages Red Hat’s extensive enterprise Linux expertise to provide real-time guidance, proactive alerts, and intelligent recommendations directly within the RHEL environment.

Lightspeed is integrated into both RHEL 9.6 and RHEL 10.

Why Lightspeed Matters

Lightspeed is a game-changer for RHEL Linux administration because it slashes the time and effort needed for complex tasks. Instead of scouring manuals or debugging through trial and error, you can ask Lightspeed for precise commands, like resolving SELinux issues in minutes or setting up a container in one query. It minimizes errors with best-practice guidance and supports RHEL 10’s advanced features (Podman 5.0 for containers, post-quantum cryptography for security, and hybrid cloud capabilities), making it indispensable for sysadmins handling single servers or enterprise-scale environments.

It aims to address the Linux skills gap, with 93% of hiring managers reporting difficulties finding qualified Linux professionals, according to a Linux Foundation study.

Lightspeed offers real-time recommendations, such as security advisories or package suggestions, to prevent issues before they impact production.

What Are the Key Features of RHEL Lightspeed?

Red Hat Lightspeed isn’t just a new tool—it’s a new way to interact with your RHEL environment. Whether you’re troubleshooting production issues or automating routine maintenance, Lightspeed provides intelligent, real-time assistance directly within the tools you already use.

Here’s a breakdown of the key features that make RHEL Lightspeed a game-changer for sysadmins:

  • Command Line Assistant:
    • Lightspeed is available directly on the RHEL CLI.
    • Users can ask questions in plain language (e.g., “Help me troubleshoot SSHD failing to start?”) and receive actionable, context-aware guidance.
    • Draws from thousands of pages of Red Hat documentation and expertise to assist with tasks like troubleshooting configuration issues, analyzing logs, and managing systems.
  • Image Builder Package Recommendations:
    • Integrated with Red Hat Insights, Lightspeed analyzes selected packages in the RHEL image builder and proactively suggests additional relevant packages.
    • Helps optimize system images before deployment, improving operational efficiency and security by reducing post-deployment fixes.
  • Accessibility and Efficiency:
    • It simplifies complex Linux commands, making RHEL more accessible to new users while enhancing productivity for veterans.
    • It tailors release notes and recommendations to specific organizational needs, personalizing the RHEL experience.

Installing RHEL 10

If you are looking for a way to install RHEL 10 for testing, deploy it on VirtualBox.

How to Install RHEL 10 on VirtualBox

Install Lightspeed on RHEL 10/RHEL 9.6

Lightspeed is provided by the command-line-assistant package, so to make Lightspeed available on RHEL 10/RHEL 9.6 you have to install this package.

The package is provided by the AppStream repos, so you need an active Red Hat subscription to access it.

You can register your RHEL 10 system with Red Hat Satellite or directly with the Red Hat CDN to access the repos.

sudo subscription-manager register

Once your node is registered, check the availability of the package.

sudo dnf info command-line-assistant

Sample output;

Updating Subscription Management repositories.
Red Hat Enterprise Linux 10 for x86_64 - BaseOS (RPMs)                                                         2.0 MB/s | 5.0 MB     00:02    
Red Hat Enterprise Linux 10 for x86_64 - AppStream (RPMs)                                                      1.2 MB/s | 2.7 MB     00:02    
Available Packages
Name         : command-line-assistant
Version      : 0.3.1
Release      : 3.el10_0
Architecture : noarch
Size         : 248 k
Source       : command-line-assistant-0.3.1-3.el10_0.src.rpm
Repository   : rhel-10-for-x86_64-appstream-rpms
Summary      : A simple wrapper to interact with RAG
URL          : https://github.com/rhel-lightspeed/command-line-assistant
License      : Apache-2.0
Description  : A simple wrapper to interact with RAG

As you can see, the package is available. Hence, you can simply run the command below to install it.

sudo dnf install command-line-assistant

Sample installation output;

Updating Subscription Management repositories.
Last metadata expiration check: 0:09:00 ago on Tue 27 May 2025 10:44:36 PM EAT.
Dependencies resolved.
===============================================================================================================================================
 Package                                    Architecture       Version                     Repository                                     Size
===============================================================================================================================================
Installing:
 command-line-assistant                     noarch             0.3.1-3.el10_0              rhel-10-for-x86_64-appstream-rpms             248 k
Installing dependencies:
 command-line-assistant-selinux             noarch             0.3.1-3.el10_0              rhel-10-for-x86_64-appstream-rpms              26 k
 python3-greenlet                           x86_64             3.0.3-5.el10                rhel-10-for-x86_64-appstream-rpms             268 k
 python3-sqlalchemy                         x86_64             2.0.26-6.el10               rhel-10-for-x86_64-appstream-rpms             3.6 M
 python3-typing-extensions                  noarch             4.9.0-6.el10                rhel-10-for-x86_64-baseos-rpms                 81 k

Transaction Summary
===============================================================================================================================================
Install  5 Packages

Total download size: 4.2 M
Installed size: 24 M
Is this ok [y/N]: y
Downloading Packages:
(1/5): python3-typing-extensions-4.9.0-6.el10.noarch.rpm                                                        67 kB/s |  81 kB     00:01    
(2/5): python3-sqlalchemy-2.0.26-6.el10.x86_64.rpm                                                             1.8 MB/s | 3.6 MB     00:01    
(3/5): command-line-assistant-0.3.1-3.el10_0.noarch.rpm                                                        160 kB/s | 248 kB     00:01    
(4/5): command-line-assistant-selinux-0.3.1-3.el10_0.noarch.rpm                                                 25 kB/s |  26 kB     00:01    
(5/5): python3-greenlet-3.0.3-5.el10.x86_64.rpm                                                                 78 kB/s | 268 kB     00:03    
-----------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                          1.2 MB/s | 4.2 MB     00:03     
Red Hat Enterprise Linux 10 for x86_64 - BaseOS (RPMs)                                                         3.6 MB/s | 3.7 kB     00:00    
Importing GPG key 0xFD431D51:
 Userid     : "Red Hat, Inc. (release key 2) "
 Fingerprint: 567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Is this ok [y/N]: y
Key imported successfully
Importing GPG key 0x5A6340B3:
 Userid     : "Red Hat, Inc. (auxiliary key 3) "
 Fingerprint: 7E46 2425 8C40 6535 D56D 6F13 5054 E4A4 5A63 40B3
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Is this ok [y/N]: y
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                       1/1 
  Running scriptlet: command-line-assistant-selinux-0.3.1-3.el10_0.noarch                                                                  1/5 
  Installing       : command-line-assistant-selinux-0.3.1-3.el10_0.noarch                                                                  1/5 
  Running scriptlet: command-line-assistant-selinux-0.3.1-3.el10_0.noarch                                                                  1/5 
  Installing       : python3-greenlet-3.0.3-5.el10.x86_64                                                                                  2/5 
  Installing       : python3-typing-extensions-4.9.0-6.el10.noarch                                                                         3/5 
  Installing       : python3-sqlalchemy-2.0.26-6.el10.x86_64                                                                               4/5 
  Installing       : command-line-assistant-0.3.1-3.el10_0.noarch                                                                          5/5 
  Running scriptlet: command-line-assistant-0.3.1-3.el10_0.noarch                                                                          5/5 
  Running scriptlet: command-line-assistant-selinux-0.3.1-3.el10_0.noarch                                                                  5/5 
  Running scriptlet: command-line-assistant-0.3.1-3.el10_0.noarch                                                                          5/5 
Installed products updated.

Installed:
  command-line-assistant-0.3.1-3.el10_0.noarch   command-line-assistant-selinux-0.3.1-3.el10_0.noarch   python3-greenlet-3.0.3-5.el10.x86_64  
  python3-sqlalchemy-2.0.26-6.el10.x86_64        python3-typing-extensions-4.9.0-6.el10.noarch         

Complete!

Using the Lightspeed Assistant on RHEL 10/RHEL 9.6

⚠️ Important Reminder:
Always review and verify the commands or configurations suggested by Lightspeed AI before applying them, especially in production environments. While the assistant is designed to be helpful and accurate, human oversight remains essential.

Let’s verify the installation by checking the version of the installed command-line assistant (CLA):

c -v

Or

cla -v

Sample output;

0.3.1

So, how exactly can you interact with CLA? You run the c or cla command followed by your query in quotes.

Let’s have a look at some of the use cases for Lightspeed.

1. Install and Configure a Service

Let’s assume you need to install and configure a web server (Apache) with a self-signed SSL certificate.

You could then ask it like this:

c "Install and configure Apache with HTTPS (self signed) on RHEL 10"

Sample output;

Here you go!

⁺₊+ Asking RHEL Lightspeed
This feature uses AI technology. Do not include any personal information or other sensitive information in your input. Interactions may be used
to improve Red Hat's products or services.
────────────────────────────────────────────────────────────────────────

To install and configure Apache with HTTPS (using a self-signed certificate) on RHEL 10, follow these steps:

1. Install Apache HTTP Server

   Open a terminal and run the following command to install the Apache HTTP Server:

   ```
   sudo dnf install httpd
   ```

2. Start and Enable Apache Service

   Start the Apache service and enable it to start on boot:

   ```
   sudo systemctl start httpd
   sudo systemctl enable httpd
   ```

3. Create a Self-Signed Certificate

   Generate a private key and a self-signed certificate using OpenSSL:

   ```
   sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/tls/private/example.com.key -out /etc/pki/tls/certs/example.com.crt
   ```

   You will be prompted to enter details for the certificate. Fill in the required information.

4. Configure Apache for HTTPS

   Open the Apache configuration file for your site using a text editor. For this example, let's assume you're configuring it for example.com:

   ```
   sudo nano /etc/httpd/conf.d/ssl.conf
   ```

   Add the following content to the file, replacing example.com with your domain name:

   ```
   
       ServerName example.com
       DocumentRoot /var/www/html

       SSLEngine on
       SSLCertificateFile /etc/pki/tls/certs/example.com.crt
       SSLCertificateKeyFile /etc/pki/tls/private/example.com.key
   
   ```

   Save and close the file.

5. Restart Apache Service

   Restart the Apache service to apply the changes:

   ```
   sudo systemctl restart httpd
   ```

6. Test the Configuration

   Verify that the Apache service is running and configured correctly:

   ```
   sudo apachectl configtest
   ```

   If there are no errors, you should see a message indicating that the configuration test was successful.

7. Access Your Website Over HTTPS

   Open a web browser and navigate to https://example.com. You should see your website served over HTTPS using the self-signed certificate.

Remember, since this is a self-signed certificate, your browser will display a security warning. To proceed, you'll need to accept the security exception. For production environments, it's recommended to use a certificate issued by a trusted Certificate Authority (CA).

For more information or assistance, consult the official Red Hat Enterprise Linux documentation or seek help from the Red Hat Support team.

────────────────────────────────────────────────────────────────────────
Always review AI-generated content prior to use.

Let’s go further to ask it for more configurations;

c "Tune Apache for 1000 concurrent users and ensure the port is opened on firewall"

Sample response:

⁺₊+ Asking RHEL Lightspeed
This feature uses AI technology. Do not include any personal information or other sensitive information in your input. Interactions may be used
to improve Red Hat's products or services.
────────────────────────────────────────────────────────────────────────

To tune Apache for handling 1000 concurrent users and ensure the port is opened on the firewall, follow these steps:

1. Adjust Apache Configuration:

   Open the Apache configuration file using a text editor. You can use vi or nano for this purpose. Here, we'll use nano:

   ```
   sudo nano /etc/httpd/conf/httpd.conf
   ```

   Look for the MPM (Multi-Processing Module) section. For handling a high number of concurrent connections, you should use the event MPM. If it's not already set, change the following lines:

   ```
   StartServers 5
   MinSpareThreads 25
   MaxSpareThreads 75
   ThreadsPerChild 25
   MaxRequestWorkers 150
   MaxConnectionsPerChild 0
   ```

   These settings are tailored for a system with 1000 concurrent users. Adjust them according to your system's resources and requirements.

   Save and close the file, then restart Apache to apply the changes:

   ```
   sudo systemctl restart httpd
   ```

2. Tune TCP Settings:

   To handle a large number of incoming requests, you need to adjust the TCP settings. Edit the /etc/sysctl.conf file:

   ```
   sudo nano /etc/sysctl.conf
   ```

   Add or modify the following lines:

   ```
   net.ipv4.tcp_max_syn_backlog = 16384
   net.ipv4.tcp_max_tw_buckets = 1440000
   net.ipv4.tcp_tw_reuse = 1
   net.ipv4.tcp_fin_timeout = 15
   net.ipv4.tcp_syn_retries = 5
   net.ipv4.tcp_synack_retries = 5
   net.core.somaxconn = 65535
   ```

   Apply the new settings:

   ```
   sudo sysctl -p
   ```

3. Open Port on Firewall:

   Ensure that the port used by Apache (usually 80 for HTTP or 443 for HTTPS) is open on the firewall. You can use firewalld to manage the firewall settings:

   ```
   sudo firewall-cmd --permanent --add-service=http
   sudo firewall-cmd --permanent --add-service=https
   ```

   If you're using a different port, replace http and https with the appropriate service name or port number.

   Reload the firewall to apply the changes:

   ```
   sudo firewall-cmd --reload
   ```

4. Verify Configuration:

   Use apachectl to test your Apache configuration:

   ```
   sudo apachectl configtest
   ```

   If there are no errors, your Apache server should be ready to handle 1000 concurrent users.

Remember to monitor your server's performance and adjust the settings as needed to optimize for your specific workload.

────────────────────────────────────────────────────────────────────────
Always review AI-generated content prior to use.
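
MaxRequestWorkers is the directive that caps how many requests httpd serves at the same time, so a suggested MPM block can be checked against the stated concurrency target before it goes into httpd.conf. The script below is an added example, not part of the original post or of Lightspeed's output; the function names are hypothetical, and it assumes the event or worker MPM with httpd's defaults (ServerLimit 16, ThreadsPerChild 25) for any directive that is not set.

```shell
#!/bin/sh
# Added example: check an event/worker MPM directive block against a
# concurrency target. All function names here are hypothetical helpers.
#
# httpd serves at most MaxRequestWorkers requests at once, and for the
# threaded MPMs it lowers that value to ServerLimit * ThreadsPerChild when
# the configured number is higher. Assumed defaults when a directive is
# absent: ServerLimit 16, ThreadsPerChild 25 (ThreadsPerChild is assumed
# not to exceed ThreadLimit).

# usage: mpm_capacity_check TARGET < directives
# prints: effective=<n> target=<n> result=<sufficient|insufficient>
mpm_capacity_check() {
    awk -v target="$1" '
        BEGIN { workers = -1; threads = 25; servers = 16 }
        /^[ \t]*#/ { next }                 # skip comment lines
        { key = tolower($1) }               # directive names are case-insensitive
        key == "maxrequestworkers" || key == "maxclients" { workers = $2 + 0 }
        key == "threadsperchild" { threads = $2 + 0 }
        key == "serverlimit"     { servers = $2 + 0 }
        END {
            ceiling = servers * threads
            # Unset or too-high values end up at the ceiling.
            if (workers < 0 || workers > ceiling) workers = ceiling
            verdict = (workers >= target + 0) ? "sufficient" : "insufficient"
            printf "effective=%d target=%d result=%s\n", workers, target, verdict
        }'
}

# Directive block as it appears in the answer above.
suggested_block() {
    cat <<'EOF'
StartServers 5
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25
MaxRequestWorkers 150
MaxConnectionsPerChild 0
EOF
}

# Constructed alternative that raises ServerLimit together with MaxRequestWorkers.
constructed_block() {
    cat <<'EOF'
ServerLimit 40
ThreadsPerChild 25
MaxRequestWorkers 1000
EOF
}

suggested_block   | mpm_capacity_check 1000
constructed_block | mpm_capacity_check 1000
```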

2. Troubleshoot System Issues

For example, let’s ask it about an arbitrary issue such as slow OS performance:

c "Diagnose slow RHEL 10 performance"

It will give you a handful of commands that you can use to check and troubleshoot the issue.

Sample output;

⁺₊+ Asking RHEL Lightspeed
This feature uses AI technology. Do not include any personal information or other sensitive information in your input. Interactions may be used
to improve Red Hat's products or services.
────────────────────────────────────────────────────────────────────────

To diagnose slow performance in Red Hat Enterprise Linux (RHEL) 10, you can use a combination of tools and utilities. Here are some steps and commands you can follow:

1. Check System Load:
   Use the uptime command to get a quick overview of the system load averages over the last 1, 5, and 15 minutes. High load averages can indicate that your system is overloaded.

   ```bash
   uptime
   ```

2. Monitor CPU Usage:
   Use the top or htop command to monitor real-time CPU usage. This can help identify processes that are consuming a lot of CPU resources.

   ```bash
   top
   ```
   or
   ```bash
   htop
   ```

3. Check Memory Usage:
   Use the free -h command to check the current memory usage. High memory usage can also cause performance issues.

   ```bash
   free -h
   ```

4. Use SAR (System Activity Reporter):
   SAR is a powerful utility from the sysstat package that collects and reports system activity data. It can help you analyze historical performance metrics.

   First, ensure the sysstat package is installed:

   ```bash
   dnf install sysstat
   ```

   Then, configure SAR to start on boot:

   ```bash
   systemctl enable sysstat
   systemctl start sysstat
   ```

   You can use SAR to collect various statistics, including CPU, IO, system, nice, idle percentages, network traffic, errors, load average, run queue, interrupts, memory free, cached, buffered, swapped, and device usage. For example, to get a daily report:

   ```bash
   sar -u -f /var/log/sa/saDD
   ```

   Replace DD with the day of the month.

5. Analyze I/O Performance:
   Tools like filelife, fileslower, filetop, ext4slower, nfsslower, and xfsslower can help trace slow file system operations. These tools are part of the BPF Compiler Collection (BCC) and can be used to identify slow I/O operations.

   For example, to trace slow synchronous file reads and writes:

   ```bash
   fileslower -X 10
   ```

   This command traces operations slower than 10ms by default.

6. Use bpftace:
   bpftace is a tracing language for eBPF used for analyzing performance issues. It provides trace utilities like BCC for system observation, which is useful for investigating I/O performance issues.

7. SystemTap Scripts:
   SystemTap scripts can also be useful in diagnosing storage or file system performance problems. For example, the disktop.stp script checks the status of disk reads and writes.

Remember to review the Analyzing system performance with BPF Compiler Collection (https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/managing_monitoring_and_updating_the_kernel/analyzing-system-performance-with-bpf-compiler_collection_managing-monitoring-and-updating-the-kernel) documentation for more detailed information and additional tools.

If the performance issues persist after analyzing these metrics, consider reaching out to Red Hat Support for further assistance.

────────────────────────────────────────────────────────────────────────
Always review AI-generated content prior to use.

Even more:

c "Configured Apache with port 8080 and i cannot start it."

Sample response:

⁺₊+ Asking RHEL Lightspeed
This feature uses AI technology. Do not include any personal information or other sensitive information in your input. Interactions may be used
to improve Red Hat's products or services.
────────────────────────────────────────────────────────────────────────

It seems like you've configured Apache to run on port 8080, but you're having trouble starting it. This issue might be related to SELinux policy, which restricts services to run on certain port numbers.

To resolve this, you can follow these steps:

1. First, check the SELinux policy for Apache's allowed ports:

Snippet ────────────────
# semanage port -l | grep http
────────────────────────

This command will list the ports associated with the http service.

2. If port 8080 is not listed, you'll need to add it to the http_port_t type. To do this, run:

Snippet ────────────────
# semanage port -a -t http_port_t -p tcp 8080
────────────────────────

This command adds port 8080 to the http_port_t type, allowing Apache to listen on it.

3. After updating the SELinux policy, try starting Apache again:

Snippet ────────────────
# systemctl start httpd
────────────────────────

If you still encounter issues, please provide the output of the systemctl start httpd command, as well as any error messages, so I can better assist you.

Remember, always ensure that your SELinux policy is correctly configured to avoid such issues.

────────────────────────────────────────────────────────────────────────
Always review AI-generated content prior to use.
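
semanage port -a is rejected when the port already has its own entry in the policy, so it helps to look up the port's current label in the semanage port -l listing and pick the add (-a) or modify (-m) form accordingly. The script below is an added example, not part of the original post or of Lightspeed's output; the function names are hypothetical and the listing is a constructed sample in the layout semanage port -l prints.

```shell
#!/bin/sh
# Added example: decide between "semanage port -a" and "semanage port -m"
# from a saved `semanage port -l` listing. Function names are hypothetical.

# usage: port_types PROTO PORT < listing
# prints "<type> exact" for a single-port entry and "<type> range" when the
# port falls inside a listed range.
port_types() {
    awk -v proto="$1" -v port="$2" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                item = $i
                sub(/,$/, "", item)            # entries are comma separated
                n = split(item, r, "-")
                if (n == 1 && r[1] + 0 == port + 0) {
                    print $1, "exact"
                } else if (n == 2 && port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) {
                    print $1, "range"
                }
            }
        }'
}

# usage: semanage_plan PROTO PORT WANTED_TYPE < listing
# A single-port entry takes precedence over a range that merely contains the
# port. Overlapping ranges of different types are not modelled here.
semanage_plan() {
    proto=$1; port=$2; want=$3
    labels=$(port_types "$proto" "$port")
    if printf '%s\n' "$labels" | grep -Fqx "$want exact"; then
        echo "none: $proto/$port is already $want"
    elif printf '%s\n' "$labels" | grep -q ' exact$'; then
        echo "semanage port -m -t $want -p $proto $port"
    elif printf '%s\n' "$labels" | grep -Fqx "$want range"; then
        echo "none: $proto/$port is inside a $want range"
    else
        echo "semanage port -a -t $want -p $proto $port"
    fi
}

# Constructed sample listing; on a real host use: semanage port -l
sample_listing() {
    cat <<'EOF'
SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
unreserved_port_t              tcp      61001-65535, 1024-32767
EOF
}

sample_listing | port_types tcp 8080
sample_listing | semanage_plan tcp 8080 http_port_t
sample_listing | semanage_plan tcp 8081 http_port_t
```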

Even more;

c "Fix Podman container created as a service but it cannot start on system boot"

Sample response:

⁺₊+ Asking RHEL Lightspeed
This feature uses AI technology. Do not include any personal information or other sensitive information in your input. Interactions may be used
to improve Red Hat's products or services.
────────────────────────────────────────────────────────────────────────

To address the issue of a Podman container created as a service that cannot start on system boot, follow these steps:

1. Verify the service status: First, ensure that the service is enabled to start at user login. You can do this by checking the status of the service:

   ```
   $ systemctl is-enabled pod-systemd-pod.service
   ```

   If the output is enabled, proceed to the next step. If it's disabled, enable it using:

   ```
   $ systemctl enable --user pod-systemd-pod.service
   ```

2. Check the service configuration: Verify that the service file for your Podman container is correctly configured. The service file should be located at /home/user1/.config/systemd/user/pod-systemd-pod.service. Ensure that it contains the necessary details for Podman to manage the container.

3. Inspect the container logs: If the service is enabled and correctly configured, inspect the logs for any error messages that might indicate why the container is failing to start. You can view the logs using:

   ```
   $ journalctl -u pod-systemd-pod.service
   ```

4. Ensure the container image is correctly specified: Make sure that the container image is correctly specified in the service file and that the image exists on the registry. You can check the image details using:

   ```
   $ podman inspect 
   ```

5. Update the container: If the image has been updated on the registry, ensure that the container is configured to auto-update. Containers must be created with the --label "io.containers.autoupdate=image" label and run in a systemd unit generated by the podman generate systemd --new command.

6. Restart the service: If all the above steps are verified and correct, try restarting the service to apply any changes:

   ```
   $ systemctl --user restart pod-systemd-pod.service
   ```

7. Check the service status again: After restarting, verify that the service is active and running:

   ```
   $ systemctl --user status pod-systemd-pod.service
   ```

If the container still fails to start on system boot after following these steps, consider reviewing the Running containers with Podman and shareable systemd services (https://www.redhat.com/sysadmin/podman-shareable-systemd-services) guide for additional troubleshooting tips.

For more detailed information, refer to the Enabling a system service to start at boot (https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/configuring_basic_system_settings/managing-systemd_configuring-basic-system-settings#enabling-a-system-service_managing-system-services-with-systemctl) documentation.

────────────────────────────────────────────────────────────────────────
Always review AI-generated content prior to use.

3. Deploy Containers with Podman

You can ask it anything around containers and Podman:

c "Create Nginx container on RHEL 10 with volume and quadlet"

Sample output;

⁺₊+ Asking RHEL Lightspeed
This feature uses AI technology. Do not include any personal information or other sensitive information in your input. Interactions may be used
to improve Red Hat's products or services.
────────────────────────────────────────────────────────────────────────

To create an Nginx container on RHEL 10 with a volume and Quadlet, follow these steps:

1. Install necessary tools: Ensure you have the podman and quadlet tools installed. You can install them using the following commands:

[bash] Snippet ────────────────
sudo dnf install podman
sudo dnf install quadlet
────────────────────────

2. Create a directory for the Nginx configuration and data:

[bash] Snippet ────────────────
sudo mkdir -p /etc/nginx/conf.d
sudo mkdir -p /var/lib/nginx
────────────────────────

3. Create a simple Nginx configuration file (e.g., /etc/nginx/conf.d/default.conf):

[nginx] Snippet ────────────────
server {
    listen 80;
    server_name localhost;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }
}
────────────────────────

4. Create a Quadlet service file (e.g., /etc/quadlet/nginx.quadlet):

[ini] Snippet ────────────────
[Unit]
Description=Nginx HTTP and reverse proxy server

[Service]
ExecStart=/usr/bin/podman run --name nginx -d -p 80:80 -v /etc/nginx/conf.d:/etc/nginx/conf.d -v /var/lib/nginx:/var/lib/nginx nginx
Restart=always

[Install]
WantedBy=multi-user.target
────────────────────────

5. Enable and start the Quadlet service:

[bash] Snippet ────────────────
sudo quadlet enable nginx.quadlet
sudo quadlet apply nginx.quadlet
────────────────────────

6. Verify the Nginx container is running:

[bash] Snippet ────────────────
sudo podman ps
────────────────────────

You should see the Nginx container running with the specified volume and port mappings.

For more information on managing containers with Podman, refer to the official documentation (https://podman.io/getting-started/installation/). For Quadlet, consult the official documentation (https://github.com/projectquadrant/quadlet).

────────────────────────────────────────────────────────────────────────
Always review AI-generated content prior to use.
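
A quick pre-flight for a multi-step answer like the one above is to confirm that every executable it names resolves on the host before any step is run. The script below is an added example, not part of the original post or of Lightspeed; the function names are hypothetical, the input lines in the demo call are constructed, and sudo is assumed to be used without options, as in the commands on this page.

```shell
#!/bin/sh
# Added example: list the executables named in a set of suggested commands
# that do not resolve on this host. Function names are hypothetical.
# Input: one suggested command per line on stdin, as copied from an answer.
# Limitation: splitting is textual, so a "|", ";" or "&" inside quotes is
# treated as a command separator.

# Print the command word of every stage of one input line.
command_words() {
    printf '%s\n' "$1" |
        sed 's/^[[:space:]]*[$#][[:space:]][[:space:]]*//' |
        tr '|;&' '\n\n\n' |
        while read -r first second rest; do
            # Look past a bare "sudo" so the real command is checked.
            if [ "$first" = "sudo" ]; then first=$second; fi
            if [ -n "$first" ]; then printf '%s\n' "$first"; fi
        done
}

# Print, sorted and de-duplicated, every command word that `command -v`
# cannot resolve (not on PATH and not a shell builtin or function).
unresolved_commands() {
    while IFS= read -r line; do
        command_words "$line" | while IFS= read -r word; do
            if ! command -v "$word" >/dev/null 2>&1; then
                printf '%s\n' "$word"
            fi
        done
    done | sort -u
}

# Constructed input: two lines that resolve on a typical Linux host and one
# that names a tool which does not exist.
printf '%s\n' \
    'sudo ls -l /etc' \
    '# cat /etc/hostname | grep -c .' \
    'sudo no-such-cli-example enable web.unit' |
    unresolved_commands
```

An empty result only means the names resolve; it says nothing about whether the arguments are valid for the installed version.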

4. Implementing System Security Hardening

If you have a CIS benchmark report for securing your system, you can ask CLA how to implement the suggested controls.

For example:

c "Ensure all users change their passwords every 90 days on RHEL"

Sample output;

⁺₊+ Asking RHEL Lightspeed
This feature uses AI technology. Do not include any personal information or other sensitive information in your input. Interactions may be used
to improve Red Hat's products or services.
────────────────────────────────────────────────────────────────────────

To ensure all users change their passwords every 90 days on RHEL, you can follow these steps:

1. Configure Password Expiry:
   - Open the terminal.
   - Edit the /etc/login.defs file using a text editor like vi or nano. For example, using nano:
     ```
     sudo nano /etc/login.defs
     ```
   - Locate the PASS_MAX_DAYS parameter. If it's not present, add it. Set the value to 90:
     ```
     PASS_MAX_DAYS 90
     ```
   - Save and close the file.

2. Enforce Password Expiry:
   - Ensure the USE_LDAP_PASSWD parameter is set to yes in /etc/login.defs if you are using LDAP for user management.
   - Restart the sssd service to apply the changes:
     ```
     sudo systemctl restart sssd
     ```

3. Expiring Password Notification (EPN) Tool:
   - Install the EPN tool if it's not already installed:
     ```
     sudo yum install ipa-epn
     ```
   - Configure the EPN tool to send password expiry notifications to users. This involves setting up the ipa-epn.timer to run daily and send emails to users whose passwords are expiring within the defined future date ranges.
   - You can customize the email template if needed.

4. Verify Configuration:
   - To verify that the password expiry policy is correctly set, you can check the /etc/pam.d/system-auth file. Ensure that the pam_unix.so line includes use_authtok and md5_stretch_encoding:
     ```
     auth required pam_unix.so use_authtok md5_stretch_encoding
     ```

5. User Notification:
   - Users will receive notifications 14 days before their password expires and again 7 days before. They will be required to change their password at login.

Remember to test this setup on a non-production environment before deploying it to production to ensure it meets your organization's requirements.

────────────────────────────────────────────────────────────────────────
Always review AI-generated content prior to use.
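
PASS_MAX_DAYS in /etc/login.defs is applied when an account is created; accounts that already exist keep the maximum age stored in the fifth field of their /etc/shadow entry, which chage -M changes. The script below is an added example, not part of the original post or of Lightspeed's output, that audits both places; the function names are hypothetical and the login.defs and shadow contents are constructed samples.

```shell
#!/bin/sh
# Added example: audit the password maximum age for new accounts
# (login.defs) and for existing accounts (shadow field 5).
# Function names are hypothetical; sample data below is constructed.

# usage: login_defs_max_days < login.defs
# prints the last uncommented PASS_MAX_DAYS value, or "unset"
login_defs_max_days() {
    awk '$1 == "PASS_MAX_DAYS" { v = $2 } END { print (v == "" ? "unset" : v) }'
}

# usage: accounts_over_max_age LIMIT < shadow
# prints "<user> <max-days|unset>" for accounts that can log in with a
# password and whose maximum age is missing or above LIMIT
accounts_over_max_age() {
    awk -F: -v limit="$1" '
        $2 ~ /^[!*]/ { next }                      # locked or password login disabled
        $5 == ""     { print $1, "unset"; next }   # empty field means no maximum age
        $5 + 0 > limit + 0 { print $1, $5 }'
}

# usage: chage_fixes LIMIT < shadow
# prints one chage command per account reported above (review before running)
chage_fixes() {
    limit=$1
    accounts_over_max_age "$limit" | while read -r user current; do
        printf 'chage -M %s %s\n' "$limit" "$user"
    done
}

# Constructed login.defs fragment.
sample_login_defs() {
    cat <<'EOF'
# PASS_MAX_DAYS 99999
PASS_MAX_DAYS 90
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
EOF
}

# Constructed shadow entries (hashes are placeholders, not real hashes).
sample_shadow() {
    cat <<'EOF'
root:$6$CONSTRUCTED$placeholder:19800:0:99999:7:::
alice:$6$CONSTRUCTED$placeholder:19850:0:90:7:::
bob:$6$CONSTRUCTED$placeholder:19700:0::7:::
svc:!!:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
EOF
}

sample_login_defs | login_defs_max_days
sample_shadow | accounts_over_max_age 90
sample_shadow | chage_fixes 90
```

On a real host, feed the functions from /etc/login.defs and from sudo cat /etc/shadow instead of the samples.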

Or Controlling SSH access:

c "Allow SSH and HTTP in firewalld"
⁺₊+ Asking RHEL Lightspeed
This feature uses AI technology. Do not include any personal information or other sensitive information in your input. Interactions may be used
to improve Red Hat's products or services.
────────────────────────────────────────────────────────────────────────

To allow SSH and HTTP traffic in firewalld on your Red Hat Enterprise Linux system, follow these steps:

1. Enable IP forwarding:
   First, ensure that IP forwarding is enabled in the kernel. Create the /etc/sysctl.d/90-enable-IP-forwarding.conf file with the following content:

   ```
   net.ipv4.ip_forward=1
   ```

   Then, load the setting:

   ```
   sudo sysctl -p /etc/sysctl.d/90-enable-IP-forwarding.conf
   ```

2. Add SSH service to the public zone:
   Add the SSH service to the public zone to allow incoming SSH traffic:

   ```
   sudo firewall-cmd --zone=public --add-service=ssh --permanent
   ```

3. Add HTTP service to the public zone:
   Add the HTTP service to the public zone to allow incoming HTTP traffic:

   ```
   sudo firewall-cmd --zone=public --add-service=http --permanent
   ```

4. Make the new settings persistent:
   Apply the changes permanently:

   ```
   sudo firewall-cmd --runtime-to-permanent
   ```

5. Verify the settings:
   Check that the public zone is active and that the services are allowed in it:

   ```
   sudo firewall-cmd --zone=public --list-all
   ```

   You should see ssh and http listed under the services section.

By following these steps, you will have successfully configured firewalld to allow SSH and HTTP traffic on your Red Hat Enterprise Linux system.

────────────────────────────────────────────────────────────────────────
Always review AI-generated content prior to use.
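
One way to validate the result of steps like these, as an added example that is not from Lightspeed or the original post: it compares the `services:` line of the runtime and permanent `firewall-cmd --zone=public --list-all` output against the services that were actually requested. The sample text is constructed and the function names are hypothetical.

```shell
# Constructed sample text in the layout printed by `firewall-cmd --list-all`.
RUNTIME_SAMPLE='public (active)
  target: default
  interfaces: eth0
  services: cockpit dhcpv6-client ssh
  ports:
  masquerade: no'

PERMANENT_SAMPLE='public
  target: default
  interfaces:
  services: cockpit dhcpv6-client http ssh
  ports:
  masquerade: no'

# Print the space-separated services from the "services:" line.
zone_services() {
  printf '%s\n' "$1" | awk '$1 == "services:" { $1 = ""; sub(/^ +/, ""); print }'
}

# has_word LIST WORD: succeeds when WORD is one of the words in LIST.
has_word() {
  case " $1 " in *" $2 "*) return 0 ;; esac
  return 1
}

# audit_zone RUNTIME_TEXT PERMANENT_TEXT WANTED_SERVICE...
# Prints space-separated findings; empty output means both views match the request.
audit_zone() {
  az_run=$(zone_services "$1"); az_perm=$(zone_services "$2"); shift 2
  az_out=""
  for svc in "$@"; do
    has_word "$az_run" "$svc" || az_out="${az_out}not-in-runtime:$svc "
    has_word "$az_perm" "$svc" || az_out="${az_out}not-in-permanent:$svc "
  done
  # Anything open that nobody asked for is reported once.
  for svc in $az_run $az_perm; do
    has_word "$*" "$svc" || has_word "$az_out" "unrequested:$svc" ||
      az_out="${az_out}unrequested:$svc "
  done
  printf '%s\n' "${az_out% }"
}

audit_zone "$RUNTIME_SAMPLE" "$PERMANENT_SAMPLE" ssh http
```

On a live host, pass `"$(firewall-cmd --zone=public --list-all)"` and `"$(firewall-cmd --permanent --zone=public --list-all)"` as the first two arguments. A `not-in-runtime` finding after a `--permanent` change usually means `firewall-cmd --reload` has not been run yet.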

For deeper security controls:

c "Harden RHEL 10 system as per CIS benchmark"

Sample output:

⁺₊+ Asking RHEL Lightspeed
This feature uses AI technology. Do not include any personal information or other sensitive information in your input. Interactions may be used
to improve Red Hat's products or services.
────────────────────────────────────────────────────────────────────────

To harden your RHEL 10 system according to the CIS (Center for Internet Security) benchmark, follow these steps:

1. Enable FIPS Mode: As mentioned in the context, FIPS mode is crucial for compliance. You can enable FIPS mode during the installation or post-installation. Here's how to do it post-installation:

   ```bash
   sudo fips-mode-setup --enable
   ```

   After enabling FIPS mode, reboot your system for the changes to take effect.

2. Update Your System: Ensure your system is up-to-date:

   ```bash
   sudo dnf update -y
   ```

3. Configure Firewall: Use firewalld to configure your firewall settings. The CIS benchmark recommends a strict firewall configuration. Here's an example of how to set it up:

   ```bash
   sudo firewall-cmd --permanent --add-service=ssh
   sudo firewall-cmd --permanent --add-service=https
   sudo firewall-cmd --permanent --add-service=http
   sudo firewall-cmd --reload
   ```

4. Disable Unnecessary Services: Identify and disable any unnecessary services. You can use the systemctl command to manage services. For example, to disable the telnet service:

   ```bash
   sudo systemctl disable telnet
   sudo systemctl stop telnet
   ```

5. Secure SSH: Configure SSH securely by editing the /etc/ssh/sshd_config file. Some recommended settings include:

   - Disabling root login
   - Disabling password authentication
   - Using key-based authentication

   After making changes, restart the SSH service:

   ```bash
   sudo systemctl restart sshd
   ```

6. Set Strong Password Policy: Use the pam_pwquality module to enforce strong password policies. Edit the /etc/pam.d/system-auth file and ensure the following lines are present:

   ```bash
   password    requisite     pam_pwquality.so retry=3 minlen=14 difok=3
   password    sufficient    pam_unix.so use_authtok
   password    required      pam_deny.so
   ```

7. Implement SELinux: SELinux is a powerful security feature in RHEL. Ensure it's enabled and configured according to the CIS benchmark. You can check its status with:

   ```bash
   sestatus
   ```

   If it's not enabled, enable it with:

   ```bash
   sudo setenforce 1
   ```

   To make this change permanent, edit the /etc/selinux/config file and set SELINUX=enforcing.

8. Regularly Audit Your System: Use tools like auditd to monitor and log security-related events. Ensure that auditing is enabled and configured as per the CIS benchmark.

Remember, the CIS benchmark is comprehensive and covers many more aspects of system hardening. Always refer to the official CIS benchmark for RHEL 10 for detailed instructions.

For more information, refer to the following resources:

- RHEL CIS Benchmarks (https://www.cisecurity.org/cis-benchmarks/)
- RHEL Compliance Guide (https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/index)

────────────────────────────────────────────────────────────────────────
Always review AI-generated content prior to use.
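
The "Secure SSH" step above names three settings without showing how to confirm them. The following added example (not from Lightspeed or the original post) checks them in `sshd -T` style text; the sample input is constructed and the function names are hypothetical.

```shell
# Constructed sample in the "keyword value" layout that `sshd -T` prints
# (keywords appear in lowercase).
SSHD_T_SAMPLE='port 22
permitrootlogin prohibit-password
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no'

# sshd_value TEXT KEYWORD: print the value of the first matching keyword.
sshd_value() {
  printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# check_sshd TEXT: print space-separated keyword=value pairs that differ from
# the three settings listed in the step (root login off, password
# authentication off, key-based authentication on). Empty output means all
# three match; a keyword that is absent is reported as "unset".
check_sshd() {
  cs_fail=""
  for want in permitrootlogin=no passwordauthentication=no pubkeyauthentication=yes; do
    key=${want%%=*}
    exp=${want#*=}
    got=$(sshd_value "$1" "$key")
    [ "$got" = "$exp" ] || cs_fail="${cs_fail}${key}=${got:-unset} "
  done
  printf '%s\n' "${cs_fail% }"
}

check_sshd "$SSHD_T_SAMPLE"
```

On a live host, pass `"$(sudo sshd -T)"` as the argument. `sshd -T` prints the effective configuration after any `Include` drop-in files are merged, which is why the check reads it rather than `/etc/ssh/sshd_config` alone.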

5. Build Custom Container Images

Create images with Insights image builder:

c "Build RHEL 10 container image with Python 3.12 and firewalld"

Sample output:

⁺₊+ Asking RHEL Lightspeed
This feature uses AI technology. Do not include any personal information or other sensitive information in your input. Interactions may be used
to improve Red Hat's products or services.
────────────────────────────────────────────────────────────────────────

To build a RHEL 10 container image with Python 3.12 and firewalld, you can follow these steps:

1. Install necessary tools: First, ensure you have the required tools installed on your RHEL 10 system. You will need podman, buildah, and python3.12. You can install them using the following commands:

[bash] Snippet ────────────────
sudo dnf install -y podman buildah
────────────────────────

2. Install Python 3.12: RHEL 10 comes with Python 3.10 by default. To install Python 3.12, you can use the Software Collections (SCL) tool. Install it with:

[bash] Snippet ────────────────
sudo dnf install -y centos-release-scl
────────────────────────

Then, enable the Python 3.12 SCL:

[bash] Snippet ────────────────
scl enable rh-python312 bash
────────────────────────

3. Create a Dockerfile: Create a Dockerfile in your working directory with the following content:

[Dockerfile] Snippet ────────────────
# Use the RHEL 10 base image
FROM registry.access.redhat.com/ubi9/ubi

# Install Python 3.12
RUN yum install -y rh-python312

# Install firewalld
RUN yum install -y firewalld

# Enable and start firewalld
RUN systemctl enable --now firewalld

# Set the working directory
WORKDIR /app

# Copy the current directory contents into the container at /app
COPY . /app

# Install any needed packages specified in requirements.txt
RUN pip install --no-cache-dir -r requirements.txt
────────────────────────

4. Build the container image: Use buildah to build the container image:

[bash] Snippet ────────────────
buildah bud -t my-python-image:latest .
────────────────────────

5. Run the container: You can now run the container using podman:

[bash] Snippet ────────────────
podman run -it --rm my-python-image:latest
────────────────────────

This will start a container with Python 3.12 and firewalld enabled.

Remember to replace my-python-image:latest with your desired image name and tag. Also, ensure that you have a requirements.txt file in your working directory if you have any Python dependencies.

For more information on using Podman and Buildah, refer to the official documentation:

- Podman Documentation (https://podman.io/getting-started/installation)
- Buildah Documentation (https://buildah.io/getting_started/)

────────────────────────────────────────────────────────────────────────
Always review AI-generated content prior to use.

And those are just a few examples. You can use the CLA for literally anything.

The technology is still maturing, so you still need to verify and validate the output before applying it to a system.

Conclusion

RHEL 10 Lightspeed AI isn’t just another CLI assistant; it’s a game-changer for Linux system administration. Whether you’re configuring services, troubleshooting issues, deploying containers, or hardening your systems, Lightspeed simplifies complex tasks using natural language, all while staying tightly integrated with Red Hat’s secure ecosystem.

If you haven’t tried Lightspeed yet, now’s the perfect time. With growing support for AI-driven workflows and seamless integration into the RHEL 10 platform, it’s designed to boost efficiency, reduce errors, and empower both new and seasoned sysadmins.

Kifarunix