COCKPIT
Cockpit is a web-based system information and management tool for Linux. It is in the stock repositories for CentOS, and in rhel-8-for-x86_64-baseos-rpms and rhel-9-for-x86_64-baseos-rpms for RHEL (obviously). It is rather simple to set up and configure, but a few less-than-obvious things need to be done for a fuller experience.
INSTALLATION
Installation is straightforward, with one caveat if you are NOT choosing to use SELinux. The assumption going forward is that you have root privileges.
Install packages
sudo dnf install cockpit cockpit-* tuned
If you have SELinux disabled, you need to fix the cockpit systemd unit file: remove the SELinux portion of ExecStartPre. Skip this step if you are using SELinux.
sudo vim /usr/lib/systemd/system/cockpit.service
sudo systemctl daemon-reload
Let's enable some services
sudo systemctl enable tuned
sudo systemctl start tuned
sudo systemctl enable cockpit.socket
sudo systemctl start cockpit
Change this if you are in a VM to virtual-guest. tuned-adm list will list profiles, and Red Hat's documentation has many more details.
sudo tuned-adm profile throughput-performance
Fix the firewall
sudo firewall-cmd --permanent --add-service=cockpit
sudo firewall-cmd --reload
SSL CERTIFICATE CONFIGURATION
That's the basics down. We use tuned so we can get better performance out of the server. I personally recommend using tuned on ALL systems, but that is me. One nice thing that Cockpit can do is change the profile for you (there is a drop-down menu on the System tab).
Now here comes the part in which you have to think, rather than copy/paste. If you have no SSL certificate, Cockpit will generate and use its own self-issued certificate. If you are like me, however, and use a certificate authority, you have to do a wee bit more work. From the SSL section of Cockpit's documentation page:
- Cockpit will load a certificate from the /etc/cockpit/ws-certs.d directory. It will use the first file with a .cert extension in alphabetical order. The .cert file should contain at least two OpenSSL style PEM blocks. First one or more BEGIN CERTIFICATE blocks for the server certificate and the intermediate certificate authorities and a last one containing a BEGIN PRIVATE KEY or similar.
Make that .cert file. As a LetsEncrypt.org user, this was rather straightforward. Here is what I needed to do on my servers:
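cd /etc/cockpit/ws-certs.d
# Run the redirect as root too (a plain "sudo cat ... >" writes as the calling user), and overwrite rather than append
sudo sh -c 'cat /etc/letsencrypt/live/schotty.com/fullchain.pem > schotty.cert'
sudo sh -c 'cat /etc/letsencrypt/live/schotty.com/privkey.pem > schotty.key'
sudo mv ~self-signed.cert ~self-signed.cert.2
sudo systemctl restart cockpit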
You should also be able to confirm that Cockpit sees and uses your issued certificate:
[andrew@schotty.com ~]# sudo /usr/libexec/cockpit-certificate-ensure --check
Would use certificate /etc/cockpit/ws-certs.d/schotty.com.cert
[andrew@schotty.com ~]#
If you wish, you can set this up in a boot script that generates the .cert file. I personally have it in my SSL cert scripts to regenerate them whenever I get issued new keys. Here is a quick paste-up of a simple update script. It should be ready to run, but of course modify it to suit your own needs.
#!/bin/bash
#Force root
[ "$(whoami)" = root ] || { sudo "$0" "$@"; exit $?; }
#Set some variables
FQDN=$(cat /etc/hostname)
#Fixes cockpit to use the LetsEncrypt SSL cert
cd /etc/cockpit/ws-certs.d || exit 1
#Overwrite (>) with the certificate so a renewal replaces the old bundle, then append (>>) the key
cat /etc/letsencrypt/live/"$FQDN"/cert.pem > "$FQDN".cert
cat /etc/letsencrypt/live/"$FQDN"/privkey.pem >> "$FQDN".cert
systemctl restart cockpit
cd ~
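A structural check for the .cert bundle layout described in the quoted Cockpit documentation, as an added example that is not part of the original page or of Cockpit itself. The function names and the placeholder PEM bodies are constructed for illustration; the check covers block order only, not certificate validity, and it flags the layout that results when renewed material is appended to an existing bundle.

```bash
#!/bin/bash
# Added example, not from the original page: checks Cockpit .cert bundle layout.

# Print the type of every PEM block in file order, one per line.
pem_block_types() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Return 0 for certificate block(s) followed by exactly one private key block;
# print the reason and return 1 otherwise.
check_cockpit_bundle() {
    local file="$1" ncert=0 nkey=0 t types
    [ -r "$file" ] || { echo "unreadable: $file" >&2; return 1; }
    types=$(pem_block_types "$file")
    while IFS= read -r t; do
        case "$t" in
            "") ;;  # file had no PEM blocks at all
            CERTIFICATE)
                # A certificate after the key usually means a renewal was appended.
                [ "$nkey" -eq 0 ] || { echo "certificate after key" >&2; return 1; }
                ncert=$((ncert + 1)) ;;
            *"PRIVATE KEY") nkey=$((nkey + 1)) ;;  # PRIVATE KEY "or similar"
            *) echo "unexpected block: $t" >&2; return 1 ;;
        esac
    done <<EOF
$types
EOF
    [ "$ncert" -ge 1 ] || { echo "no certificate block" >&2; return 1; }
    [ "$nkey" -eq 1 ] || { echo "expected 1 key block, found $nkey" >&2; return 1; }
}

# Return 0 when the file (it contains the private key) is world-readable.
is_world_readable() {
    [ -n "$(find "$1" -maxdepth 0 -perm -004)" ]
}

# Write a constructed PEM skeleton (placeholder bodies, no real key material).
write_sample() {
    local out="$1" t; shift
    : > "$out"
    for t in "$@"; do
        printf -- '-----BEGIN %s-----\nQ09OU1RSVUNURUQ=\n-----END %s-----\n' "$t" "$t" >> "$out"
    done
}

# Usage: pass the bundle path, e.g. a file under /etc/cockpit/ws-certs.d
if [ $# -gt 0 ]; then
    if is_world_readable "$1"; then echo "warning: $1 is world-readable" >&2; fi
    check_cockpit_bundle "$1" && echo "layout ok: $1"
fi
```

Run it as root against the bundle after each renewal, before restarting cockpit; a non-zero exit status means the layout does not match the documented order.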