From 142d22967bc2789b9a1bd82cedc99f11353d1fef Mon Sep 17 00:00:00 2001 From: ikrispin Date: Wed, 25 Feb 2026 16:00:48 +0200 Subject: [PATCH] integrate lightspeed MCP into selected skills to increase 'Red Hat' footprint and utilize the tools it provides --- rh-developer/.mcp.json | 23 ++++++++ rh-developer/README.md | 2 + rh-developer/skills/debug-rhel/SKILL.md | 71 +++++++++++++++++++++++- rh-developer/skills/rhel-deploy/SKILL.md | 43 +++++++++++++- 4 files changed, 136 insertions(+), 3 deletions(-) diff --git a/rh-developer/.mcp.json b/rh-developer/.mcp.json index 3221f5e7..644cfe91 100644 --- a/rh-developer/.mcp.json +++ b/rh-developer/.mcp.json @@ -51,6 +51,29 @@ "network": "local", "credentials": "env-only" } + }, + "lightspeed-mcp": { + "command": "podman", + "args": [ + "run", + "--rm", + "-i", + "--env", + "LIGHTSPEED_CLIENT_ID", + "--env", + "LIGHTSPEED_CLIENT_SECRET", + "quay.io/redhat-services-prod/insights-management-tenant/insights-mcp/red-hat-lightspeed-mcp:latest" + ], + "env": { + "LIGHTSPEED_CLIENT_ID": "${LIGHTSPEED_CLIENT_ID}", + "LIGHTSPEED_CLIENT_SECRET": "${LIGHTSPEED_CLIENT_SECRET}" + }, + "description": "Red Hat Lightspeed MCP server for vulnerability, advisor, inventory, and planning data from Red Hat Insights (optional, used by /debug-rhel and /rhel-deploy)", + "security": { + "isolation": "container", + "network": "local", + "credentials": "env-only" + } } } } diff --git a/rh-developer/README.md b/rh-developer/README.md index 3e2e7c56..14d152e5 100644 --- a/rh-developer/README.md +++ b/rh-developer/README.md @@ -35,12 +35,14 @@ A Claude Code plugin for building and deploying applications on Red Hat platform - OpenShift cluster access (for S2I and OpenShift deployments) - Podman installed locally - GitHub personal access token (for GitHub integration) +- Red Hat Insights service account with Client ID and Secret (optional, for vulnerability and advisor data in `/debug-rhel` and `/rhel-deploy`) ## MCP Servers - **openshift** - OpenShift cluster management and Helm deployments - **podman** - Container image management and local builds - **github** - Repository browsing and code analysis +- **lightspeed** - Red Hat Insights data (vulnerability, advisor, inventory, planning) — optional ## Supported Languages diff --git a/rh-developer/skills/debug-rhel/SKILL.md b/rh-developer/skills/debug-rhel/SKILL.md index cd580999..e62ca0e1 100644 --- a/rh-developer/skills/debug-rhel/SKILL.md +++ b/rh-developer/skills/debug-rhel/SKILL.md @@ -327,7 +327,59 @@ Continue to diagnosis summary? (yes/no) **WAIT for user confirmation before proceeding.** -### Phase 7: Present Diagnosis Summary +### Phase 7: Red Hat Insights Check (Optional) + +**This phase runs only if the `lightspeed-mcp` server is available.** Use `ToolSearch` to check for Lightspeed MCP tools. If not available, skip this phase silently and proceed to Phase 8. + +**Step 1:** Use `find_host_by_name` with the hostname from `RHEL_HOST` to look up the system in Red Hat Insights. + +**Step 2:** If system found, use `get_system_cves` with the system ID to check for known CVEs affecting this system. + +**Step 3:** Use `get_active_rules` to get advisor configuration recommendations. Optionally use `get_rule_by_text_search` with error text found in Phase 4 logs to find relevant advisor recommendations. + +```markdown +## Red Hat Insights Check + +**System in Insights:** [Found / Not registered] + +[If found:] +**System Details:** +| Field | Value | +|-------|-------| +| Display Name | [hostname] | +| RHEL Version | [version] | +| Last Check-in | [timestamp] | +| Stale | [yes/no] | + +**Known Vulnerabilities:** +| CVE | CVSS | Severity | Remediation | +|-----|------|----------|-------------| +| [CVE-ID] | [score] | [severity] | [Available/None] | + +**Advisor Recommendations:** +| Rule | Category | Risk | Description | +|------|----------|------|-------------| +| [rule-id] | [Security/Performance/Availability/Stability] | [Critical/Important/Moderate/Low] | [description] | + +[If any CVE or advisor rule matches the symptoms from earlier phases:] +**Potentially Related to Current Issue:** +- [CVE or advisor rule that matches the symptoms] + +Continue to diagnosis summary? (yes/no) +``` + +**WAIT for user confirmation before proceeding.** + +[If system not registered in Insights, just note it:] +```markdown +## Red Hat Insights Check + +System [hostname] is not registered in Red Hat Insights. Skipping vulnerability and advisor checks. + +Continue to diagnosis summary? (yes/no) +``` + +### Phase 8: Present Diagnosis Summary ```markdown ## Diagnosis Summary: [service-name] on [host] @@ -344,6 +396,7 @@ Continue to diagnosis summary? (yes/no) | Firewall | [OK/BLOCKED] | [port status] | | Permissions | [OK/FAIL] | [file/dir issues] | | Resources | [OK/FAIL] | [memory/cpu/disk] | +| Insights/CVE | [OK/WARN/N/A] | [CVE count or "Not registered"] | ### Detailed Findings @@ -438,7 +491,16 @@ See [docs/selinux-troubleshooting.md](../../docs/selinux-troubleshooting.md) for ## MCP Tools Used -This skill uses Bash (SSH commands) instead of MCP tools since it operates on remote RHEL hosts. +This skill primarily uses Bash (SSH commands) since it operates on remote RHEL hosts. + +**Optional Lightspeed MCP tools** (used in Phase 7 if `lightspeed-mcp` is available): + +| Tool | Purpose | +|------|---------| +| `find_host_by_name` | Look up the target system in Red Hat Insights inventory | +| `get_system_cves` | Get CVEs affecting the specific system | +| `get_active_rules` | Get advisor configuration recommendations | +| `get_rule_by_text_search` | Search advisor recommendations by error text from logs | ## Output Variables @@ -450,6 +512,8 @@ This skill uses Bash (SSH commands) instead of MCP tools since it operates on re | `SELINUX_DENIALS` | AVC denial count | `3` | | `FIREWALL_BLOCKING` | Port blocked | `true` / `false` | | `ROOT_CAUSE` | Identified root cause | `SELinux port binding denied` | +| `INSIGHTS_SYSTEM_ID` | Insights system ID (if registered) | `abc-def-123` | +| `CVE_COUNT` | Number of CVEs affecting system | `3` | ## Dependencies @@ -457,6 +521,9 @@ This skill uses Bash (SSH commands) instead of MCP tools since it operates on re - SSH client with key-based authentication - sudo access on target host +### Optional MCP Servers +- `lightspeed-mcp` - Red Hat Insights vulnerability, advisor, and inventory data (Phase 7) + ### Related Skills - `/rhel-deploy` - To redeploy after fixing issues - `/debug-container` - To debug Podman containers on the host diff --git a/rh-developer/skills/rhel-deploy/SKILL.md b/rh-developer/skills/rhel-deploy/SKILL.md index ae293fc4..d9b62cff 100644 --- a/rh-developer/skills/rhel-deploy/SKILL.md +++ b/rh-developer/skills/rhel-deploy/SKILL.md @@ -159,6 +159,43 @@ ssh [target] "firewall-cmd --state 2>/dev/null || echo 'Not running'" Store `RHEL_VERSION`, `PODMAN_AVAILABLE`, `SELINUX_STATUS`, `FIREWALL_STATUS` in session state. +### Phase 2b: Red Hat Insights Pre-Deploy Check (Optional) + +**This phase runs only if the `lightspeed-mcp` server is available.** Use `ToolSearch` to check for Lightspeed MCP tools. If not available, skip silently and proceed to Phase 3. + +**Step 1:** Use `find_host_by_name` with the target hostname to look up the system in Red Hat Insights. + +**Step 2:** If found, use `get_system_cves` to check for critical/important CVEs on the target. + +**Step 3:** Use `get_rhel_lifecycle` to verify the target RHEL version is still supported. + +Append to Phase 2 output: + +```markdown +**Red Hat Insights (Optional):** +| Check | Status | Details | +|-------|--------|---------| +| Registered in Insights | [Yes/No] | [system-id or "Not found"] | +| RHEL Lifecycle | [Active/Maintenance/EOL] | [end date] | +| Critical/Important CVEs | [count] | [top 3 CVE IDs] | + +[If critical CVEs found:] +**WARNING:** Target system has [N] critical/important CVEs. Consider remediating before deploying. + +[If RHEL version is EOL:] +**WARNING:** RHEL [version] has reached End of Life ([date]). Consider upgrading before deploying. +``` + +These are informational warnings only — they do not block deployment. + +**MCP tools used:** + +| Tool | Purpose | +|------|---------| +| `find_host_by_name` | Look up target system in Red Hat Insights | +| `get_system_cves` | Check CVEs on target system | +| `get_rhel_lifecycle` | Verify RHEL version support status | + ### Phase 3: Strategy Selection ```markdown @@ -590,9 +627,13 @@ When delegating to `/recommend-image`: | Skill | Use When | |-------|----------| -| `/debug-rhel` | systemd failures, SELinux denials, firewall blocking | +| `/debug-rhel` | systemd failures, SELinux denials, firewall blocking, Insights CVE/advisor analysis | | `/debug-container` | Container startup issues on RHEL host | +## Optional MCP Servers + +- `lightspeed-mcp` - Red Hat Insights vulnerability and planning data (Phase 2b) + ## Reference Documentation For detailed guidance, see: