
RHEL Patch Management for Air Gap Networks

Keep RHEL endpoints patched in completely isolated networks by syncing Red Hat Satellite metadata through a secure offline transfer process, without exposing your closed network to the internet.

This guide shows you how to use the RHEL Patch Management Utility to sync Red Hat Satellite metadata and deploy RHEL patches to endpoints in an air-gapped ServiceOps environment.

How Does RHEL Patch Management Work in Air-Gapped Networks?

Air-gapped networks have no direct internet connectivity. Patch distribution relies on a Red Hat Satellite Server that sits on the internet-connected side. The RHEL Patch Management Utility runs on the Satellite Server to export metadata and patch binaries. You transfer those files to the ServiceOps server using physical media, trigger a database sync, and then deploy patches to managed RHEL endpoints from within the closed network.

Prerequisites

Before you start, confirm the following:

  • Your Red Hat Satellite Server has internet connectivity
  • All required RHEL OS repositories are synced on the Satellite Server before running the metadata sync
  • You have Admin access in ServiceOps
  • A USB drive or other physical transfer media is available
  • Sufficient free disk space is available on the Satellite Server (space depends on the patches you plan to download)

Procedure

Follow these steps in order. Start on the internet-connected Red Hat Satellite Server, then move to the ServiceOps server when indicated.

1. Download the Utility

Download and prepare the RHEL Patch Management Utility on the Satellite Server before running any sync operations.

  1. Download the RHELPatchManagementUtility file on the Red Hat Satellite Server.

  2. Give the file execute permissions. Mode 755 is sufficient; avoid 777, which leaves a binary you then run with sudo writable by every local user:

    chmod 755 RHELPatchManagementUtility

  3. Run the utility with sudo privileges:

    sudo ./RHELPatchManagementUtility

After execution, the utility shows three options: Red Hat Satellite Metadata Sync, Download Patch, and Exit. Run the metadata sync first, then download patches.

2. Sync Red Hat Satellite Metadata

Sync the Red Hat Satellite metadata to generate the patch database ZIP file for transfer to the ServiceOps server.

  1. Enter 1 to select Red Hat Satellite Metadata Sync.

  2. When prompted to reuse credentials, enter y to use saved credentials or n to enter new credentials.

  3. Enter the Satellite Server URL when prompted.

  4. Enter the Username and Password when prompted.

    Admin Credentials Required

    Use the credentials of a user with full administrative privileges on the Satellite Server GUI.

The utility fetches the available repositories and creates a ZIP file in the directory where the utility is located.

3. Transfer Metadata to ServiceOps Server

Copy the generated ZIP file to the ServiceOps server and prepare it for the patch database sync.

  1. Copy the ZIP file to a physical drive and transfer it to the ServiceOps server.
  2. Move the file to the following path on the ServiceOps server:
    /opt/flotomate/main-server/config
  3. Extract the file:
    7z x {filename}
  4. Assign fmt user permissions:
    chown -R fmtuser:fmtusergroup {filename}

4. Configure Red Hat Patch Preference in ServiceOps

Set the patch source to Red Hat Satellite Server in ServiceOps before triggering the database sync.

  1. Navigate to Admin > Patch Management > RedHat Patch Settings > RedHat Satellite Server tab.

  2. Set Red Hat Patch Preference to Red Hat Satellite Server.

    No Existing Satellite Server

    Confirm that no satellite server is already configured before applying this setting.

5. Sync Patch Database

Trigger a manual patch database sync in ServiceOps to process the transferred metadata and identify missing patches.

  1. Navigate to Admin > Patch Management > Patch Settings > Update Patch Database.

  2. Click Update Now to start the sync.

  3. After the sync completes, add computers to the End Points Scope.

  4. Navigate to Patch Management > Patches. Locate the missing patches and click the Download Patch icon to export a JSON file containing the patch list.

6. Download Patches Using the Air-Gap Utility

Return to the Satellite Server and use the exported JSON file to download the actual patch binaries.

  1. Run RHELPatchManagementUtility again on the Satellite Server.

  2. Enter 2 to select Download Patch.

  3. Enter the path to the JSON file exported from ServiceOps.

  4. Enter y when prompted "Download all patches? (y/n)".

The download process begins. Once complete, the utility creates a file named mtdt-patches.zip in the directory where the utility is located.

7. Prepare the Patch Directory in ServiceOps

Copy the downloaded patches to the ServiceOps file server so they are available for deployment to managed endpoints.

Identify Your File Server OS First

Check the operating system of your file server before proceeding. The steps differ for Linux and Windows environments.

Linux Environment

Follow these steps on a Linux-based file server.

  1. Navigate to /opt/flotomate/file-server/filedb on the ServiceOps server. Verify the tenant folder exists. If it doesn't, create it:

    mkdir {tenant-name}

    Example: mkdir apolo

  2. Create the patch folder inside the tenant folder:

    mkdir {patch-folder-name}

    Example: mkdir patch

  3. Copy mtdt-patches.zip to a physical drive, transfer it to the ServiceOps server, and place it at:

    /opt/flotomate/fileserver/filedb/{tenant_name}/patch

    Example: /opt/flotomate/fileserver/filedb/apolo/patch

  4. Extract the file:

    7z x {filename}

  5. Grant fmt user permissions to the tenant folder:

    chown -R fmtuser:fmtusergroup {tenant_name}
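
The ZIP files in steps 3 and 7 cross the air gap on removable media, so it is worth confirming they arrive unchanged before extracting them. The following is an added example, not part of RHELPatchManagementUtility or ServiceOps; the manifest name `transfer.sha256` and the function names are assumptions, and the manifest's own digest is meant to be recorded separately from the media.

```shell
# Added example, not part of RHELPatchManagementUtility or ServiceOps.
# The manifest name transfer.sha256 and the function names are assumptions.

# Satellite side: hash every ZIP in the export directory, then print the
# digest of the manifest itself so it can be recorded separately from the media.
make_manifest() (
    cd "$1" || exit 1
    sha256sum -- *.zip > transfer.sha256 || exit 1
    sha256sum transfer.sha256 | cut -d' ' -f1
)

# ServiceOps side: run on the copied directory before any 7z extraction.
# $1 = directory, $2 = manifest digest recorded on the Satellite side.
verify_manifest() (
    cd "$1" || exit 1
    [ -s transfer.sha256 ] || { echo "manifest missing" >&2; exit 2; }
    actual=$(sha256sum transfer.sha256 | cut -d' ' -f1)
    [ "$actual" = "$2" ] || { echo "manifest digest mismatch" >&2; exit 3; }
    # Every listed file must be present and match its recorded hash.
    sha256sum --check --strict --quiet transfer.sha256 >&2 || exit 4
    # A ZIP on the media that the manifest does not list was not exported.
    for f in *.zip; do
        cut -c67- transfer.sha256 | grep -qxF -- "$f" ||
            { echo "unlisted file: $f" >&2; exit 5; }
    done
)
```

Run `verify_manifest` on the directory copied from the media and continue to `7z x {filename}` only when it returns 0.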

Windows Environment

Follow these steps on a Windows-based file server.

  1. Navigate to /fileserver/filedb/ on the Windows machine where the file server is installed. Verify the tenant folder exists. If it doesn't, create one.
  2. Create the patch folder inside the tenant folder.
  3. Copy mtdt-patches.zip to a physical drive and upload it to /fileserver/filedb/{tenant_name}/patch.
  4. Extract the ZIP file.

Best Practices

Follow these recommendations to keep your RHEL air-gap patching process reliable and repeatable.

  • Sync all required repositories on the Satellite Server before running the utility. Missing repositories cause incomplete metadata exports, so verify that all RHEL OS repositories are synced before starting the metadata sync.
  • Use a dedicated transfer folder with no spaces in the name. The utility and the 7z extraction tools fail silently on paths with spaces. Use short, hyphenated folder names such as rhel-patches.
  • Reapply fmt user permissions after every file transfer. Whenever you copy files to the ServiceOps server, run chown -R fmtuser:fmtusergroup on the target path. Skipping this step is the most common cause of sync and deployment failures.
  • Always click Update Now after transferring metadata. The patch database does not refresh automatically in an air-gapped setup. Trigger the sync manually each time you transfer new metadata.
  • Export a fresh JSON file for each patch cycle. The JSON file reflects the missing patches at the time of export. Reusing an old JSON file causes the utility to download patches that are already installed or no longer relevant.
  • Keep the mtdt-patches.zip filename consistent. The utility always creates the output as mtdt-patches.zip. Renaming it before transfer can cause path mismatches when extracting to the file server.

Troubleshooting

Use this section to resolve common issues when running RHEL patch management in an air-gapped environment.

Metadata sync fails after entering credentials

Cause: The Satellite Server user does not have full administrative privileges, or the Satellite Server URL format is incorrect.

Fix: Verify the user account has full admin rights on the Satellite Server GUI. Confirm the URL includes the protocol prefix, for example https://satellite.example.com. Re-run the utility and enter the corrected credentials.

Missing patches do not appear after patch database sync

Cause: The ZIP file was not extracted to the correct path on the ServiceOps server, or fmt user permissions were not applied after extraction.

Fix: Confirm the file is at /opt/flotomate/main-server/config and run chown -R fmtuser:fmtusergroup {filename} to reapply permissions. Then click Update Now on the Update Patch Database page to re-trigger the sync.

Patch deployment fails after patches are prepared in the file server

Cause: The mtdt-patches.zip file is in the wrong directory path, or the tenant name in the path does not match the tenant configured in ServiceOps.

Fix: Confirm the patch files are at /opt/flotomate/fileserver/filedb/{tenant_name}/patch and that {tenant_name} matches exactly the tenant name in your ServiceOps configuration. Reapply fmt permissions with chown -R fmtuser:fmtusergroup {tenant_name}.
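
The causes listed under Best Practices and Troubleshooting (a path containing spaces, content not extracted at the expected path, ownership not reapplied) can be checked in one pass before clicking Update Now or deploying. This is an added example, not ServiceOps tooling; the function name `check_staged` is hypothetical.

```shell
# Added example, not ServiceOps tooling. check_staged is a hypothetical name;
# owner and group default to the fmtuser:fmtusergroup pair used on this page.

# check_staged DIR [OWNER] [GROUP]
# Prints one line per problem and returns the number of problems found.
check_staged() (
    dir=$1 owner=${2:-fmtuser} group=${3:-fmtusergroup} problems=0
    report() { echo "FAIL: $*"; problems=$((problems + 1)); }

    # The utility and 7z fail silently on paths that contain spaces.
    case $dir in *" "*) report "path contains a space: $dir" ;; esac

    if [ ! -d "$dir" ]; then
        report "directory missing: $dir"
        exit "$problems"
    fi
    # Only archives (or nothing) present means the ZIP was never extracted here.
    [ -n "$(find "$dir" -mindepth 1 ! -name '*.zip' -print -quit)" ] ||
        report "no extracted content in $dir"
    # find exits non-zero when the user or group name does not exist on this host.
    if ! bad=$(find "$dir" \( ! -user "$owner" -o ! -group "$group" \) -print 2>/dev/null); then
        report "could not check ownership against $owner:$group"
    elif [ -n "$bad" ]; then
        report "not owned by $owner:$group: $(printf '%s\n' "$bad" | head -n 3 | tr '\n' ' ')"
    fi
    exit "$problems"
)
```

For the Linux file server, call it as `check_staged /opt/flotomate/fileserver/filedb/{tenant_name}/patch`; a return value of 0 means none of the listed causes apply.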
