Installation on RHEL & Rocky Linux
This guide covers installing the PatchCTL agent on Red Hat-based distributions.
Supported Versions
| Distribution | Versions | Package Manager |
|---|---|---|
| RHEL | 8, 9 | dnf |
| Rocky Linux | 8, 9 | dnf |
| CentOS Stream | 8, 9 | dnf |
| AlmaLinux | 8, 9 | dnf |
| Fedora | 38, 39, 40 | dnf |
CentOS 7 (with yum) has reached end-of-life. We recommend upgrading to Rocky Linux 8+ or RHEL 8+.
Quick Install
Run the automated installer:
curl -fsSL https://downloads.patchctl.com/install.sh | sudo bash -s -- --key=YOUR_LICENSE_KEY
The installer automatically uses the RHEL-compatible binary.
Manual Installation
Step 1: Download the Binary
# Create directory
sudo mkdir -p /opt/patchctl/bin
# Download the RHEL-compatible binary
sudo curl -fsSL -o /opt/patchctl/bin/patchctl-agent \
https://downloads.patchctl.com/latest/patchctl-agent-linux-amd64-rhel
# Make executable
sudo chmod +x /opt/patchctl/bin/patchctl-agent
Step 2: Create Configuration
# Create config directory
sudo mkdir -p /etc/patchctl
# Create configuration file
sudo tee /etc/patchctl/config.json > /dev/null << 'EOF'
{
"license_key": "YOUR_LICENSE_KEY",
"api_endpoint": "https://api.patchctl.com",
"heartbeat_interval": 300,
"log_level": "info"
}
EOF
# Secure the config file
sudo chmod 600 /etc/patchctl/config.json
Step 3: Create Systemd Service
sudo tee /etc/systemd/system/patchctl.service > /dev/null << 'EOF'
[Unit]
Description=PatchCTL Agent
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
ExecStart=/opt/patchctl/bin/patchctl-agent
Restart=always
RestartSec=10
User=root
WorkingDirectory=/opt/patchctl
# Hardening (NoNewPrivileges=no is the systemd default; only the Protect* settings below restrict the service)
NoNewPrivileges=no
ProtectSystem=full
ProtectHome=read-only
[Install]
WantedBy=multi-user.target
EOF
Step 4: Configure SELinux (if enabled)
If SELinux is enforcing, you may need to allow the agent:
# Check SELinux status
getenforce
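# If "Enforcing", label the agent binary as bin_t
# (a chcon label is lost on a filesystem relabel or restorecon; a semanage fcontext rule is the persistent form)
sudo chcon -t bin_t /opt/patchctl/bin/patchctl-agent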
Step 5: Start the Service
# Reload systemd
sudo systemctl daemon-reload
# Enable and start the agent
sudo systemctl enable patchctl
sudo systemctl start patchctl
# Verify status
sudo systemctl status patchctl
Verification
Check Service Status
sudo systemctl status patchctl
Check Logs
sudo journalctl -u patchctl -f
Verify in Dashboard
Your server should appear in the PatchCTL dashboard within 5 minutes.
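The manual steps leave a root-run binary, a unit file, and a config file holding the license key on disk. As an added example (not PatchCTL's own tooling), the script below audits their ownership and modes; the paths are the guide's, while the function names, the `--audit` flag, the script name, and the permission masks are this example's assumptions.

```shell
#!/bin/sh
# Added example (not vendor code): audit ownership and modes of the files
# created in Steps 1-3. Paths are the guide's; function names are assumptions.

# check_path PATH OWNER FORBIDDEN_OCTAL_MASK
# Fails if PATH is missing, is not owned by OWNER, or has any bit in the mask set.
check_path() {
    cp_path=$1; cp_owner=$2; cp_mask=$3
    if [ ! -e "$cp_path" ]; then
        echo "MISSING $cp_path"; return 1
    fi
    cp_actual=$(stat -c '%U' "$cp_path")   # owning user name (GNU stat)
    cp_mode=$(stat -c '%a' "$cp_path")     # octal mode, e.g. 600
    if [ "$cp_actual" != "$cp_owner" ]; then
        echo "FAIL    $cp_path owned by $cp_actual, expected $cp_owner"; return 1
    fi
    if [ $(( 0$cp_mode & 0$cp_mask )) -ne 0 ]; then
        echo "FAIL    $cp_path mode $cp_mode sets bits in $cp_mask"; return 1
    fi
    echo "OK      $cp_path ($cp_actual, $cp_mode)"
}

# audit_patchctl [ROOT] [OWNER]
# ROOT prefixes every path (empty on a real host); OWNER defaults to root.
audit_patchctl() {
    ap_root=${1:-}; ap_owner=${2:-root}; ap_rc=0
    # The config holds the license key: no group/other access at all (077).
    check_path "$ap_root/etc/patchctl/config.json" "$ap_owner" 077 || ap_rc=1
    # Anything the root service executes or loads must not be writable by
    # group or other (022), including the directories leading to it.
    for ap_p in /etc/patchctl /opt/patchctl /opt/patchctl/bin \
                /opt/patchctl/bin/patchctl-agent \
                /etc/systemd/system/patchctl.service; do
        check_path "$ap_root$ap_p" "$ap_owner" 022 || ap_rc=1
    done
    return "$ap_rc"
}

# Run against the live system only when asked, e.g. with a hypothetical
# script name: sudo sh audit.sh --audit
if [ "${1:-}" = "--audit" ]; then audit_patchctl; fi
```

A non-zero exit status means at least one path is missing, not owned by root, or more permissive than the masks allow.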
RHEL-Specific Notes
DNF Configuration
The agent uses the system's DNF/YUM configuration. Ensure your repositories are properly configured:
# List enabled repositories
sudo dnf repolist
# Check for available updates
sudo dnf check-update
Subscription Manager (RHEL)
For RHEL systems, ensure your subscription is active:
sudo subscription-manager status
Firewall Configuration
If firewalld is enabled, no inbound rules are needed (agent only makes outbound connections). Verify outbound HTTPS is allowed:
# Check firewall status
sudo firewall-cmd --state
# The agent needs outbound HTTPS (usually allowed by default)
Troubleshooting
SELinux Denials
Check for SELinux denials:
sudo ausearch -m avc -ts recent
If you see denials for patchctl-agent, create a custom policy:
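# Generate policy from denials (writes patchctl.te, the human-readable rules, and patchctl.pp, the compiled module)
sudo ausearch -c 'patchctl-agent' --raw | audit2allow -M patchctl
# Install the policy (it allows every rule listed in patchctl.te)
sudo semodule -i patchctl.pp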
DNF Lock Issues
If patching fails due to DNF locks:
# Check for running DNF processes (the bracketed patterns keep grep from matching itself)
sudo ps aux | grep -E '[d]nf|[y]um'
# Remove stale lock (if safe)
sudo rm -f /var/run/dnf.pid
Repository Errors
If the agent can't check for updates:
# Clean DNF cache
sudo dnf clean all
# Rebuild cache
sudo dnf makecache
Security Considerations
FIPS Mode
The PatchCTL agent is compatible with FIPS-enabled systems. The agent uses standard TLS libraries that respect system FIPS settings.
Corporate Certificates
If your organization uses a corporate CA for SSL inspection:
# Add your CA certificate
sudo cp your-ca.crt /etc/pki/ca-trust/source/anchors/
# Update CA trust
sudo update-ca-trust