Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 23 additions & 0 deletions rh-developer/.mcp.json
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,29 @@
"network": "local",
"credentials": "env-only"
}
},
"lightspeed-mcp": {
"command": "podman",
"args": [
"run",
"--rm",
"-i",
"--env",
"LIGHTSPEED_CLIENT_ID",
"--env",
"LIGHTSPEED_CLIENT_SECRET",
"quay.io/redhat-services-prod/insights-management-tenant/insights-mcp/red-hat-lightspeed-mcp:latest"
],
"env": {
"LIGHTSPEED_CLIENT_ID": "${LIGHTSPEED_CLIENT_ID}",
"LIGHTSPEED_CLIENT_SECRET": "${LIGHTSPEED_CLIENT_SECRET}"
},
"description": "Red Hat Lightspeed MCP server for vulnerability, advisor, inventory, and planning data from Red Hat Insights (optional, used by /debug-rhel and /rhel-deploy)",
"security": {
"isolation": "container",
"network": "local",
"credentials": "env-only"
}
}
}
}
2 changes: 2 additions & 0 deletions rh-developer/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -35,12 +35,14 @@ A Claude Code plugin for building and deploying applications on Red Hat platform
- OpenShift cluster access (for S2I and OpenShift deployments)
- Podman installed locally
- GitHub personal access token (for GitHub integration)
- Red Hat Insights service account with Client ID and Secret (optional, for vulnerability and advisor data in `/debug-rhel` and `/rhel-deploy`)

## MCP Servers

- **openshift** - OpenShift cluster management and Helm deployments
- **podman** - Container image management and local builds
- **github** - Repository browsing and code analysis
- **lightspeed** - Red Hat Insights data (vulnerability, advisor, inventory, planning) — optional

## Supported Languages

Expand Down
71 changes: 69 additions & 2 deletions rh-developer/skills/debug-rhel/SKILL.md
Original file line number Diff line number Diff line change
Expand Up @@ -327,7 +327,59 @@ Continue to diagnosis summary? (yes/no)

**WAIT for user confirmation before proceeding.**

### Phase 7: Present Diagnosis Summary
### Phase 7: Red Hat Insights Check (Optional)

**This phase runs only if the `lightspeed-mcp` server is available.** Use `ToolSearch` to check for Lightspeed MCP tools. If not available, skip this phase silently and proceed to Phase 8.

**Step 1:** Use `find_host_by_name` with the hostname from `RHEL_HOST` to look up the system in Red Hat Insights.

**Step 2:** If system found, use `get_system_cves` with the system ID to check for known CVEs affecting this system.

**Step 3:** Use `get_active_rules` to get advisor configuration recommendations. Optionally use `get_rule_by_text_search` with error text found in Phase 4 logs to find relevant advisor recommendations.

```markdown
## Red Hat Insights Check

**System in Insights:** [Found / Not registered]

[If found:]
**System Details:**
| Field | Value |
|-------|-------|
| Display Name | [hostname] |
| RHEL Version | [version] |
| Last Check-in | [timestamp] |
| Stale | [yes/no] |

**Known Vulnerabilities:**
| CVE | CVSS | Severity | Remediation |
|-----|------|----------|-------------|
| [CVE-ID] | [score] | [severity] | [Available/None] |

**Advisor Recommendations:**
| Rule | Category | Risk | Description |
|------|----------|------|-------------|
| [rule-id] | [Security/Performance/Availability/Stability] | [Critical/Important/Moderate/Low] | [description] |

[If any CVE or advisor rule matches the symptoms from earlier phases:]
**Potentially Related to Current Issue:**
- [CVE or advisor rule that matches the symptoms]

Continue to diagnosis summary? (yes/no)
```

**WAIT for user confirmation before proceeding.**

[If system not registered in Insights, just note it:]
```markdown
## Red Hat Insights Check

System [hostname] is not registered in Red Hat Insights. Skipping vulnerability and advisor checks.

Continue to diagnosis summary? (yes/no)
```

### Phase 8: Present Diagnosis Summary

```markdown
## Diagnosis Summary: [service-name] on [host]
Expand All @@ -344,6 +396,7 @@ Continue to diagnosis summary? (yes/no)
| Firewall | [OK/BLOCKED] | [port status] |
| Permissions | [OK/FAIL] | [file/dir issues] |
| Resources | [OK/FAIL] | [memory/cpu/disk] |
| Insights/CVE | [OK/WARN/N/A] | [CVE count or "Not registered"] |

### Detailed Findings

Expand Down Expand Up @@ -438,7 +491,16 @@ See [docs/selinux-troubleshooting.md](../../docs/selinux-troubleshooting.md) for

## MCP Tools Used

This skill uses Bash (SSH commands) instead of MCP tools since it operates on remote RHEL hosts.
This skill primarily uses Bash (SSH commands) since it operates on remote RHEL hosts.

**Optional Lightspeed MCP tools** (used in Phase 7 if `lightspeed-mcp` is available):

| Tool | Purpose |
|------|---------|
| `find_host_by_name` | Look up the target system in Red Hat Insights inventory |
| `get_system_cves` | Get CVEs affecting the specific system |
| `get_active_rules` | Get advisor configuration recommendations |
| `get_rule_by_text_search` | Search advisor recommendations by error text from logs |

## Output Variables

Expand All @@ -450,13 +512,18 @@ This skill uses Bash (SSH commands) instead of MCP tools since it operates on re
| `SELINUX_DENIALS` | AVC denial count | `3` |
| `FIREWALL_BLOCKING` | Port blocked | `true` / `false` |
| `ROOT_CAUSE` | Identified root cause | `SELinux port binding denied` |
| `INSIGHTS_SYSTEM_ID` | Insights system ID (if registered) | `abc-def-123` |
| `CVE_COUNT` | Number of CVEs affecting system | `3` |

## Dependencies

### Required Tools
- SSH client with key-based authentication
- sudo access on target host

### Optional MCP Servers
- `lightspeed-mcp` - Red Hat Insights vulnerability, advisor, and inventory data (Phase 7)

### Related Skills
- `/rhel-deploy` - To redeploy after fixing issues
- `/debug-container` - To debug Podman containers on the host
Expand Down
43 changes: 42 additions & 1 deletion rh-developer/skills/rhel-deploy/SKILL.md
Original file line number Diff line number Diff line change
Expand Up @@ -159,6 +159,43 @@ ssh [target] "firewall-cmd --state 2>/dev/null || echo 'Not running'"

Store `RHEL_VERSION`, `PODMAN_AVAILABLE`, `SELINUX_STATUS`, `FIREWALL_STATUS` in session state.

### Phase 2b: Red Hat Insights Pre-Deploy Check (Optional)

**This phase runs only if the `lightspeed-mcp` server is available.** Use `ToolSearch` to check for Lightspeed MCP tools. If not available, skip silently and proceed to Phase 3.

**Step 1:** Use `find_host_by_name` with the target hostname to look up the system in Red Hat Insights.

**Step 2:** If found, use `get_system_cves` to check for critical/important CVEs on the target.

**Step 3:** Use `get_rhel_lifecycle` to verify the target RHEL version is still supported.

Append to Phase 2 output:

```markdown
**Red Hat Insights (Optional):**
| Check | Status | Details |
|-------|--------|---------|
| Registered in Insights | [Yes/No] | [system-id or "Not found"] |
| RHEL Lifecycle | [Active/Maintenance/EOL] | [end date] |
| Critical/Important CVEs | [count] | [top 3 CVE IDs] |

[If critical CVEs found:]
**WARNING:** Target system has [N] critical/important CVEs. Consider remediating before deploying.

[If RHEL version is EOL:]
**WARNING:** RHEL [version] has reached End of Life ([date]). Consider upgrading before deploying.
```

These are informational warnings only — they do not block deployment.

**MCP tools used:**

| Tool | Purpose |
|------|---------|
| `find_host_by_name` | Look up target system in Red Hat Insights |
| `get_system_cves` | Check CVEs on target system |
| `get_rhel_lifecycle` | Verify RHEL version support status |

### Phase 3: Strategy Selection

```markdown
Expand Down Expand Up @@ -590,9 +627,13 @@ When delegating to `/recommend-image`:

| Skill | Use When |
|-------|----------|
| `/debug-rhel` | systemd failures, SELinux denials, firewall blocking |
| `/debug-rhel` | systemd failures, SELinux denials, firewall blocking, Insights CVE/advisor analysis |
| `/debug-container` | Container startup issues on RHEL host |

## Optional MCP Servers

- `lightspeed-mcp` - Red Hat Insights vulnerability and planning data (Phase 2b)

## Reference Documentation

For detailed guidance, see:
Expand Down