Red Hat Lightspeed MCP

(formerly known as Insights MCP)

Red Hat Lightspeed Model Context Protocol (MCP) server is a lightweight, self-hosted solution that connects LLM-based agents - such as Claude Desktop and other MCP-compatible tools - to Red Hat Lightspeed services.

Features

• Supports read-only operations: The server runs in read-only mode by default. Use --all-tools to enable write tools (e.g. create blueprints, run composes). RBAC permissions can also restrict access.
• Provides natural language prompts: provides an ability to use natural language for querying Red Hat Lightspeed services

Supported Lightspeed Services

• advisor
• hosted image builder
• inventory
• planning
• remediations
• vulnerability

Setup and usage

Authentication

Note: Authentication is only required for accessing Red Hat Lightspeed APIs. The MCP server itself does not require authentication.

There are two ways to authenticate:

1. Service Account (client_id + client_secret) — create a service account and provide the credentials via environment variables or HTTP headers.
2. JWT Bearer Token — provide a pre-existing JWT token via the Authorization: Bearer <token> HTTP header (SSE/HTTP transports only).

Service Account Setup

1. Go to https://console.redhat.com → Click Settings (⚙️ Gear Icon) → "Service Accounts"
2. Create a service account and remember Client ID and Client secret for later.
   See below in the integration instructions, there they are respectively referred to as LIGHTSPEED_CLIENT_ID and LIGHTSPEED_CLIENT_SECRET.

Required Permissions by Toolset

Different toolsets require specific roles for your service account:

• Advisor tools: RHEL Advisor viewer
• Inventory tools: Inventory Hosts viewer
• Vulnerability tools: Vulnerability viewer, Inventory Hosts viewer
• Remediation tools: Remediations user

Granting Permissions to Service Accounts

By default, service accounts have no access. An organization administrator must assign permissions. The MCP server will only be able to perform tasks that it has permission to perform. For example, if the user wants to allow read-only operations and deny write operations, this can be accomplished via the permissions system.

For detailed step-by-step instructions, see this video tutorial: Service Account Permissions Setup

1. Log in as Organization Administrator with User Access administrator role

2. Navigate to User Access Settings: Click Settings (⚙️ Gear Icon) → "User Access" → "Groups"

3. Assign permissions (choose one option):

   Option A - Create New Group:

   • Create new group (e.g., mcp-service-accounts)
   • Add required roles (e.g., RHEL Advisor viewer, Inventory Hosts viewer, etc.)
   • Add your service account to this group

   Option B - Use Existing Group:

   • Open existing group with necessary roles
   • Go to "Service accounts" tab
   • Add your service account to the group

Your service account will inherit all roles from the assigned group.

⚠️ Security Remarks ⚠️

If you start this MCP server locally (with podman or docker) make sure the container is not exposed to the internet. In this scenario it's probably fine to use LIGHTSPEED_CLIENT_ID and LIGHTSPEED_CLIENT_SECRET although your MCP Client (e.g. VSCode, Cursor, etc.) can get your LIGHTSPEED_CLIENT_ID and LIGHTSPEED_CLIENT_SECRET.

For a deployment where you connect to this MCP server from a different machine, you should consider that LIGHTSPEED_CLIENT_ID and LIGHTSPEED_CLIENT_SECRET (or your JWT Bearer token) are transferred to the MCP server and you are trusting the remote MCP server not to leak them.

In both cases if you are in doubt, please disable/remove the LIGHTSPEED_CLIENT_ID and LIGHTSPEED_CLIENT_SECRET from your account after you are done using the MCP server.

Security & Incident Response (Emergency Revocation)

To ensure safe AI operations and compliance with security standards, operators must be able to rapidly sever the connected LLM's access to Red Hat Lightspeed in the event of abnormal AI behavior, unexpected data exposure, or suspected token compromise.

Emergency "Kill Switch" Procedure:

If you need to immediately revoke AI access to the toolsets, execute the following steps:

1. Terminate the Server: Stop the MCP container or local process immediately (e.g., run podman ps to find the container, then podman stop <container_id>).
2. Revoke Credentials: Invalidate the Red Hat Client ID used by the MCP server to authenticate with Red Hat services. Go to the "Service Accounts" page and Delete or Reset the credentials.

Additionally you can remove the MCP server entry (e.g., lightspeed-mcp in your client's mcp.json) from your local LLM client's configuration to prevent the client from attempting to restart or reconnect to the server.

If credential compromise or data exposure is suspected, assess breach notification obligations under applicable law (e.g., GDPR). For logging, debug mode, and compliance details, see HACKING.md - Logging and Compliance.

Technical Info

Toolsets

See toolsets.md for the toolsets available in the MCP server.

Integrations

Prerequisites

Make sure you have podman installed.
(Docker is fine too but the commands below have to be adapted accordingly)

You can install it with sudo dnf install podman on Fedora/RHEL/CentOS, or on macOS use either Podman Desktop or brew install podman.

⚠️ Note if you use Podman on macOS, you sometimes need to set the path to podman explicitly. E.g. replace podman with the full path. Should be something like

• /usr/local/bin/podman
• /opt/homebrew/bin/podman
• …

You can find the path by running which podman in your terminal.

VSCode

First check the prerequisites section.

Option 1: One-click installation (easiest)

(Note: this uses the quay.io container image)

Option 2: Manual STDIO installation

For the usage in your project, create a file called .vscode/mcp.json with the following content.

{
    "inputs": [
        {
            "id": "lightspeed_client_id",
            "type": "promptString",
            "description": "Enter the Red Hat Lightspeed Client ID",
            "default": "",
            "password": true
        },
        {
            "id": "lightspeed_client_secret",
            "type": "promptString",
            "description": "Enter the Red Hat Lightspeed Client Secret",
            "default": "",
            "password": true
        }
    ],
    "servers": {
        "lightspeed-mcp": {
            "type": "stdio",
            "command": "podman",
            "args": [
                "run",
                "--env",
                "LIGHTSPEED_CLIENT_ID",
                "--env",
                "LIGHTSPEED_CLIENT_SECRET",
                "--interactive",
                "--rm",
                "ghcr.io/redhatinsights/red-hat-lightspeed-mcp:latest"
            ],
            "env": {
                "LIGHTSPEED_CLIENT_ID": "${input:lightspeed_client_id}",
                "LIGHTSPEED_CLIENT_SECRET": "${input:lightspeed_client_secret}"
            }
        }
    }
}

Cursor

First check the prerequisites section.

Option 1: One-click installation (easiest)

⚠️ Use Ctrl/Cmd-click to open in a new tab.
Otherwise the tab will close after installation and you won't see the documentation anymore.

(Note: this uses the quay.io container image)

Option 2: Manual STDIO installation

Cursor doesn't seem to support inputs you need to add your credentials in the config file. To start the integration create a file ~/.cursor/mcp.json with

{
  "mcpServers": {
    "lightspeed-mcp": {
        "type": "stdio",
        "command": "podman",
        "args": [
            "run",
            "--env",
            "LIGHTSPEED_CLIENT_ID",
            "--env",
            "LIGHTSPEED_CLIENT_SECRET",
            "--interactive",
            "--rm",
            "ghcr.io/redhatinsights/red-hat-lightspeed-mcp:latest"
        ],
        "env": {
            "LIGHTSPEED_CLIENT_ID": "",
            "LIGHTSPEED_CLIENT_SECRET": ""
        }
    }
  }
}

If you see the error Some tools have naming issues and may be filtered out., see Known Issues.

Option 3: Manual Streamable HTTP installation (advanced)

start the server:

podman run --net host --rm ghcr.io/redhatinsights/red-hat-lightspeed-mcp:latest http

then integrate using service account credentials:

{
    "mcpServers": {
        "lightspeed-mcp": {
            "type": "http",
            "url": "http://localhost:8000/mcp",
            "headers": {
                "lightspeed-client-id": "",
                "lightspeed-client-secret": ""
            }
        }
    }
}

or alternatively using a JWT Bearer token:

{
    "mcpServers": {
        "lightspeed-mcp": {
            "type": "http",
            "url": "http://localhost:8000/mcp",
            "headers": {
                "Authorization": "Bearer <YOUR_JWT_TOKEN>"
            }
        }
    }
}

Gemini CLI

First check the prerequisites section.

Option 1: Manual STDIO installation

To start the integration create a file ~/.gemini/settings.json with the following command:

{
    ...
    "mcpServers": {
        "lightspeed-mcp": {
            "type": "stdio",
            "command": "podman",
            "args": [
                "run",
                "--env",
                "LIGHTSPEED_CLIENT_ID=<YOUR_CLIENT_ID>",
                "--env",
                "LIGHTSPEED_CLIENT_SECRET=<YOUR_CLIENT_SECRET>",
                "--interactive",
                "--rm",
                "ghcr.io/redhatinsights/red-hat-lightspeed-mcp:latest"
            ]
        }
    }
}

Option 2: Manual Streamable HTTP installation (advanced)

start the server:

podman run --net host --rm ghcr.io/redhatinsights/red-hat-lightspeed-mcp:latest http

[!NOTE] For podman machine on a mac you will need to set the host explicitly and expose the port

  podman run -p 8000:8000 --rm ghcr.io/redhatinsights/red-hat-lightspeed-mcp:latest http --host 0.0.0.0

then integrate using service account credentials:

{
    ...
    "mcpServers": {
        "lightspeed-mcp": {
            "httpUrl": "http://localhost:8000/mcp",
            "headers": {
                "lightspeed-client-id": "<YOUR_CLIENT_ID>",
                "lightspeed-client-secret": "<YOUR_CLIENT_SECRET>"
            }
        }
    }
}

or alternatively using a JWT Bearer token:

{
    ...
    "mcpServers": {
        "lightspeed-mcp": {
            "httpUrl": "http://localhost:8000/mcp",
            "headers": {
                "Authorization": "Bearer <YOUR_JWT_TOKEN>"
            }
        }
    }
}

Claude Desktop

First check the prerequisites section.

For Claude Desktop there is an extension file in the release section of the project.

Just download the red-hat-lightspeed-mcp*.mcpb file (or red-hat-lightspeed-mcp*.dxt for legacy format) and add this in Claude Desktop with

Settings -> Extensions -> Advanced Extensions Settings -> Install Extension…

CLine with VSCode

First check the prerequisites section.

First off, start the SSE server with sse argument:

export LIGHTSPEED_CLIENT_ID=<YOUR_CLIENT_ID>
export LIGHTSPEED_CLIENT_SECRET=<YOUR_CLIENT_SECRET>
podman run --env LIGHTSPEED_CLIENT_ID --env LIGHTSPEED_CLIENT_SECRET --net host --rm ghcr.io/redhatinsights/red-hat-lightspeed-mcp:latest sse

In the CLine -> Manage MCP Servers interface, add a new server name and URL: http://localhost:9000/sse. It shall create the following config:

{
  "mcpServers": {
    "lightspeed-mcp": {
      "disabled": false,
      "type": "sse",
      "url": "http://localhost:9000/sse"
    }
  }
}

Ensure the type is sse as CLine does not support HTTP transport yet.

Generic STDIO

First check the prerequisites section.

For generic integration into other tools via STDIO, you should set the environment variables LIGHTSPEED_CLIENT_ID and LIGHTSPEED_CLIENT_SECRET and use this command for an integration using podman:

export LIGHTSPEED_CLIENT_ID=<YOUR_CLIENT_ID>
export LIGHTSPEED_CLIENT_SECRET=<YOUR_CLIENT_SECRET>
podman run --env LIGHTSPEED_CLIENT_ID --env LIGHTSPEED_CLIENT_SECRET --interactive --rm ghcr.io/redhatinsights/red-hat-lightspeed-mcp:latest

It is the MCP API what is exposed through standard input, not a chat interface. You need an MCP client with "agent capabilities" to connect to the red-hat-lightspeed-mcp server and really use it.

Claude Code

First check the prerequisites section.

Claude Code requires a slight change to the podman command, as the host environment is not available when it runs. The credentials must be copied into the configuration instead, which can be done with the following command after setting LIGHTSPEED_CLIENT_ID and LIGHTSPEED_CLIENT_SECRET environment variables:

export LIGHTSPEED_CLIENT_ID=<YOUR_CLIENT_ID>
export LIGHTSPEED_CLIENT_SECRET=<YOUR_CLIENT_SECRET>
claude mcp add red-hat-lightspeed-mcp -- podman run --env LIGHTSPEED_CLIENT_ID=$LIGHTSPEED_CLIENT_ID --env LIGHTSPEED_CLIENT_SECRET=$LIGHTSPEED_CLIENT_SECRET --interactive --rm ghcr.io/redhatinsights/red-hat-lightspeed-mcp:latest

or just set the variables in the command directly:

claude mcp add red-hat-lightspeed-mcp -- podman run --env LIGHTSPEED_CLIENT_ID=<YOUR_CLIENT_ID> --env LIGHTSPEED_CLIENT_SECRET=<YOUR_CLIENT_SECRET> --interactive --rm ghcr.io/redhatinsights/red-hat-lightspeed-mcp:latest

To verify setup was successful, within the Claude terminal execute the command:

/mcp

If successful, you should see red-hat-lightspeed-mcp listed under Manage MCP servers with a green check mark connected status besides it.

URL overrides

If you are using a non-standard RH Lightspeed URL, set the environment variables

• LIGHTSPEED_BASE_URL
• LIGHTSPEED_SSO_BASE_URL
• LIGHTSPEED_PROXY_URL accordingly.

Examples

This blog post has a few examples on how to use the RH Lightspeed MCP server.

You can also ask LLM you just attached to the MCP server to. e.g.

Please explain red-hat-lightspeed-mcp and what I can do with it?

For example questions specific to each toolset please have a look at the test files:

• image-builder-mcp
• inventory-mcp
• planning-mcp
• remediations-mcp
• advisor-mcp
• vulnerability-mcp

CLI

For some use cases it might be needed to use the MCP server directly from the command line. See usage.md for the usage of the MCP server.

Releases

There are two container images published for this MCP server.

• ghcr.io/redhatinsights/red-hat-lightspeed-mcp:latest
• quay.io/redhat-services-prod/insights-management-tenant/insights-mcp/red-hat-lightspeed-mcp:latest

They are both based on main branch and you can use either of them.

Insights-branded images are deprecated but still available for a while but might be removed in the future.

• ghcr.io/redhatinsights/insights-mcp:latest
• quay.io/redhat-services-prod/insights-management-tenant/insights-mcp/insights-mcp:latest

Known Issues

Cursor

When using Cursor with the MCP server, you might encounter the following error:

Some tools have naming issues and may be filtered out.

… exceeds 60 characters…

Please rename your MCP server name in the MCP configuration file (mcp.json) to a shorter name.

{
  "mcpServers": {
    "red-hat-lightspeed-mcp-this-will-be-too-long": { # <--- rename this
…

Disclaimer

This software is provided "as is" without warranty of any kind, either express or implied. Use at your own risk. The authors and contributors are not liable for any damages or issues that may arise from using this software.

Contributing

Please refer to the hacking guide to learn more.