RHEL7: How to install Cockpit.
Presentation of Cockpit
Cockpit is a very lightweight system administration tool that provides a user interface for monitoring and administering servers through a web browser. It allows you to monitor current values and adjust limits on system resources through systemd and the D-Bus APIs.
Cockpit is made up of several components:
- cockpit-ws is the web service used for communication between the browser application and various configuration tools and services; it listens on the network and authenticates users,
- cockpit-bridge is used to relay messages and commands from the web front end to the server; it spawns processes on behalf of the web user interface,
- cockpit-system contains the shell and system configuration interfaces.
Access control to Cockpit is done via PolicyKit. In addition, any user in the wheel group gets full access.
Cockpit has zero memory and process footprint on the server when not in use: it exits after 90 seconds if nobody logs in, or after the last user is disconnected. It is a good example of a socket-activated service:
# cat /usr/lib/systemd/system/cockpit.socket
[Unit]
Description=Cockpit Web Service Socket
[Socket]
ListenStream=9090
...
# cat /usr/lib/systemd/system/cockpit.service
[Unit]
Description=Cockpit Web Service
Requires=cockpit.socket
[Service]
...
ExecStart=/usr/libexec/cockpit-ws
...
Installation Procedure
Install the EPEL repository:
# yum install -y epel-release
Install the cockpit package:
# yum install -y cockpit
Start and enable the Cockpit service:
# systemctl start cockpit && systemctl enable cockpit
Add a new rule to the firewall:
# firewall-cmd --permanent --add-port=9090/tcp
# firewall-cmd --reload
You can now point your browser at https://127.0.0.1:9090 (change the IP address accordingly).
Certificate Configuration
By default, Cockpit creates a self-signed certificate called 0-self-signed.cert in the /etc/cockpit/ws-certs.d directory during the installation process. If a self-signed certificate is not a concern for you, you will have to add a security exception through your browser.
Otherwise, you will need to create a certificate in the /etc/cockpit/ws-certs.d directory (Cockpit uses the last file with a .cert extension in alphabetical order).
This certificate file should contain two parts (see additional details here):
- one or more BEGIN CERTIFICATE blocks for the server certificate and the intermediate certificate authorities
- followed by a block containing a BEGIN PRIVATE KEY.
If you use a Let's Encrypt certificate, type:
# cat fullchain.pem privkey.pem > /etc/cockpit/ws-certs.d/1.cert
At any time, you can check what certificate Cockpit is using:
# remotectl certificate
certificate: /etc/cockpit/ws-certs.d/1.cert
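The selection rule and the file layout described above can be checked before Cockpit serves the new certificate. The following shell sketch is an added example, not part of the original article or of the Cockpit project; the function names, the 2-wrong-order.txt sample file and the world-readable check are assumptions of this example, and the PEM bodies are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Cockpit project code): pre-flight checks for a ws-certs.d directory.

# Print the file Cockpit would use: the last *.cert in alphabetical order.
# Byte-order (LC_ALL=C) sorting is an assumption of this sketch.
select_cert() {
    name=$(ls "$1" | grep '\.cert$' | LC_ALL=C sort | tail -n 1)
    [ -n "$name" ] && printf '%s/%s\n' "$1" "$name"
}

# Succeed only if FILE is: 1+ CERTIFICATE blocks, then exactly one PRIVATE KEY
# block. Also accepting "RSA"/"EC PRIVATE KEY" headers is an assumption.
check_cert_layout() {
    awk '
        /^-----BEGIN CERTIFICATE-----/ { if (keys) bad = "certificate after private key"; certs++; depth++ }
        /^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----/ { keys++; depth++ }
        /^-----END (CERTIFICATE|([A-Z]+ )?PRIVATE KEY)-----/ { depth-- }
        END {
            if (!certs) bad = "no BEGIN CERTIFICATE block"
            else if (keys != 1) bad = "need exactly one private key block, found " (keys + 0)
            else if (depth != 0) bad = "unbalanced BEGIN/END markers"
            if (bad != "") { print FILENAME ": " bad > "/dev/stderr"; exit 1 }
        }' "$1"
}

# The file embeds the private key, so it must not be world-readable.
# (A plain "cat a b > file" under umask 022 creates it as 0644.)
not_world_readable() {
    [ -z "$(find "$1" -prune -perm -004)" ]
}

# Constructed sample data: placeholder PEM bodies, not real key material.
pem() { printf '%s\n' "-----BEGIN $1-----" "Q09OU1RSVUNURUQ=" "-----END $1-----"; }
make_sample() {
    mkdir -p "$1"
    { pem CERTIFICATE; pem 'PRIVATE KEY'; } > "$1/0-self-signed.cert"
    { pem CERTIFICATE; pem CERTIFICATE; pem 'PRIVATE KEY'; } > "$1/1.cert"   # chain, then key
    { pem 'PRIVATE KEY'; pem CERTIFICATE; } > "$1/2-wrong-order.txt"         # not *.cert: ignored
    chmod 640 "$1/1.cert"
}

dir=$(mktemp -d); make_sample "$dir"
active=$(select_cert "$dir")
check_cert_layout "$active" && not_world_readable "$active" && echo "OK: $active"
rm -rf "$dir"
```

The layout check only inspects the PEM markers; it does not verify that the private key matches the certificate.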
Multiple Machines
Cockpit can connect to multiple machines from a single Cockpit session.
To do this, create a file called 05-remotemachines.json in the /etc/cockpit/machines.d directory and paste the following lines (see more details here):
{
    "mymachine": {
        "address": "x.y.t.z",
        "visible": true,
        "color": "green",
        "user": "root"
    }
}
where x.y.t.z is the IP address or the fully qualified domain name of the machine you want to add to the Cockpit dashboard.
Sources: RHEL Atomic Host 7 and Cockpit website.