COCKPIT

Cockpit is a web-based system information and management tool for Linux. It is in the stock repositories for CentOS, and in rhel-8-for-x86_64-baseos-rpms and rhel-9-for-x86_64-baseos-rpms for RHEL (obviously). It is rather simple to set up and configure, but a few less-than-obvious things need to be done for a fuller experience.

INSTALLATION

Installation is straightforward, with one caveat if you are NOT choosing to use SELinux. The assumption going forward is that you have root privileges:

Install packages

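    sudo dnf install cockpit 'cockpit-*' tuned

If you have SELinux disabled, you need to fix the cockpit systemd unit file: remove the SELinux portion of ExecStartPre. Skip this step if you are using SELinux. Edits under /usr/lib/systemd/system are overwritten when the cockpit package is updated, so the change has to be reapplied after updates.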

    sudo vim /usr/lib/systemd/system/cockpit.service
    sudo systemctl daemon-reload

Let's enable some services

    sudo systemctl enable tuned
    sudo systemctl start tuned

    sudo systemctl enable cockpit.socket
    sudo systemctl start cockpit

Set the tuned profile. If you are in a VM, change throughput-performance to virtual-guest. Running tuned-adm list will show the available profiles, and Red Hat's documentation has many more details.

    sudo tuned-adm profile throughput-performance

Fix the firewall

    sudo firewall-cmd --permanent --add-service=cockpit
    sudo firewall-cmd --reload

SSL CERTIFICATE CONFIGURATION

That's the basics down. We use tuned so we can get better performance out of the server. I personally recommend using tuned on ALL systems, but that is me. One nice thing that Cockpit can do is change the profile for you (there is a drop-down menu on the System tab).

Now here comes the part in which you have to think, rather than copy/paste. If you have no SSL certificate, Cockpit will generate and use its own self-issued certificate. If you are like me, however, and use a certificate authority, you have to do a wee bit more work. From the SSL section of Cockpit's documentation page:

  • Cockpit will load a certificate from the /etc/cockpit/ws-certs.d directory. It will use the first file with a .cert extension in alphabetical order. The .cert file should contain at least two OpenSSL style PEM blocks. First one or more BEGIN CERTIFICATE blocks for the server certificate and the intermediate certificate authorities and a last one containing a BEGIN PRIVATE KEY or similar.

Make that .cert file. As a LetsEncrypt.org user, this was rather straightforward. Here is what I needed to do on my servers:

    cd /etc/cockpit/ws-certs.d
    # Run the redirection itself as root; with "sudo cat ... >> file" the file is opened by the calling user
    sudo sh -c 'cat /etc/letsencrypt/live/schotty.com/fullchain.pem > schotty.cert'
    sudo sh -c 'cat /etc/letsencrypt/live/schotty.com/privkey.pem > schotty.key'
    sudo mv ~self-signed.cert ~self-signed.cert.2
    sudo systemctl restart cockpit

You can then check which certificate Cockpit sees and will use:

    [andrew@schotty.com ~]# sudo /usr/libexec/cockpit-certificate-ensure --check
    Would use certificate /etc/cockpit/ws-certs.d/schotty.com.cert
    [andrew@schotty.com ~]#

If you wish, you can set this up in a boot script that generates the .cert file. I personally have it in my SSL cert scripts, so the file is regenerated whenever I get issued new keys. Here is a quick paste-up of a simple update script. It should be ready to run, but of course modify it to suit your own needs.

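    #!/bin/bash
    # Force root: re-run this script under sudo if needed
    [ "$(whoami)" = root ] || { sudo "$0" "$@"; exit $?; }

    # Set some variables
    FQDN=$(cat /etc/hostname)

    # Make Cockpit use the LetsEncrypt SSL cert
    cd /etc/cockpit/ws-certs.d || exit 1
    # Overwrite (>) the old file first so a re-run does not stack stale blocks;
    # fullchain.pem carries the intermediates, as in the manual steps above
    cat /etc/letsencrypt/live/"$FQDN"/fullchain.pem > "$FQDN".cert
    cat /etc/letsencrypt/live/"$FQDN"/privkey.pem >> "$FQDN".cert
    systemctl restart cockpit
    cd ~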
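
An added example, not part of the original page or of Cockpit's own tooling: a renewal-safe way to build the combined .cert file. It checks the layout from the documentation quote above (certificate blocks first, one private key last) and swaps the file in with a rename instead of appending to it. The function names, the owner-only file mode and the dummy PEM data are assumptions made for illustration.

```bash
#!/bin/bash
# Added example, not the page's script. File paths are supplied by the caller.

# Succeeds only if FILE matches the layout in the quoted Cockpit documentation:
# one or more CERTIFICATE blocks first, then one PRIVATE KEY block, last.
check_cockpit_cert_layout() {
    awk '
        /^-----BEGIN CERTIFICATE-----$/   { certs++; if (keys) bad = 1 }
        /^-----BEGIN .*PRIVATE KEY-----$/ { keys++; inkey = 1 }
        /^-----END .*PRIVATE KEY-----$/   { inkey = 0; next }
        keys && !inkey && NF              { bad = 1 }  # anything after the key
        END { exit !(certs >= 1 && keys == 1 && !bad && !inkey) }
    ' "$1"
}

# Write chain + key to a private temp file, validate it, then rename it over
# OUT, so a renewal replaces the old file instead of appending to it.
# Assumption: Cockpit reads OUT as root; adjust group/mode if yours does not.
build_cockpit_cert() {
    local chain="$1" key="$2" out="$3" tmp
    tmp=$(umask 077; mktemp "$out.XXXXXX") || return 1
    if cat "$chain" "$key" > "$tmp" && check_cockpit_cert_layout "$tmp"; then
        mv -f "$tmp" "$out"
    else
        rm -f "$tmp"; return 1
    fi
}

# Dry run on constructed dummy PEM blocks (not real key material).
# Returns 0 when the rebuilt file passes and an appended-twice file is rejected.
demo() {
    local d; d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' QUJD '-----END CERTIFICATE-----' > "$d/chain.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' REVG '-----END PRIVATE KEY-----' > "$d/key.pem"
    build_cockpit_cert "$d/chain.pem" "$d/key.pem" "$d/host.cert" &&
        build_cockpit_cert "$d/chain.pem" "$d/key.pem" "$d/host.cert" || return 1
    cat "$d/host.cert" "$d/host.cert" > "$d/doubled.cert"   # what ">>" twice leaves behind
    check_cockpit_cert_layout "$d/host.cert" && ! check_cockpit_cert_layout "$d/doubled.cert"
}

# Real use takes three paths: fullchain.pem, privkey.pem, ws-certs.d/<name>.cert
if [ "$#" -eq 3 ]; then build_cockpit_cert "$@"; else demo; fi
```

The temporary file name ends in a random suffix rather than .cert, so Cockpit does not pick it up while it is being written.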