Cockpit is a web-based system information and management tool for Linux. It is in the stock repositories for CentOS, and in rhel-7-server-extras-rpms for RHEL (obviously). It is rather simple to set up and configure, but a few less-than-obvious things need to be done for a fuller experience.


Installation is straightforward, with one caveat if you are NOT on SELinux. The assumption going forward is that you have root privileges. Install the packages:

yum install cockpit cockpit-docker tuned

If you have SELinux disabled, you need to fix the cockpit systemd unit file. Remove the SELinux portion of ExecStartPre, then reload systemd:

vim /usr/lib/systemd/system/cockpit.service
systemctl daemon-reload

Let's enable some services:

systemctl enable tuned 
systemctl start tuned 

systemctl enable cockpit.socket 
systemctl start cockpit

Next, set a tuned profile. If you are in a VM, change the profile in the command below to virtual-guest. tuned-adm list will list the available profiles, and Red Hat's documentation has many more details.

tuned-adm profile throughput-performance

Fix the firewall

firewall-cmd --permanent --add-service=cockpit
firewall-cmd --reload


That's the basics down. We use tuned so we can get better performance out of the server. I personally recommend using tuned on ALL systems, but that is me. One nice thing that Cockpit can do is change the profile for you (there is a drop-down menu on the System tab).

Now here comes the part in which you have to think, rather than copy/paste. If you have no SSL certificate, Cockpit will generate and use a self-issued certificate. If you are like me, however, and use a certificate authority, you have to do a wee bit more work. From the SSL section of Cockpit's documentation page:

  • Cockpit will load a certificate from the /etc/cockpit/ws-certs.d directory. It will use the first file with a .cert extension in alphabetical order. The .cert file should contain at least two OpenSSL style PEM blocks. First one or more BEGIN CERTIFICATE blocks for the server certificate and the intermediate certificate authorities and a last one containing a BEGIN PRIVATE KEY or similar.

Make that .cert file.  As a user, this was rather straightforward.  Here is what I needed to do on my servers:

cd /etc/cockpit/ws-certs.d
cat /etc/letsencrypt/live/ >> schotty.cert
cat /etc/letsencrypt/live/ >> schotty.cert
mv ~self-signed.cert ~self-signed.cert.2
systemctl restart cockpit

Now you should be able to cat that new cert file you just made and see something akin to what is on the documentation page.  And you should also be able to see that cockpit is seeing and using your issued certificate:

[ ~]# sudo remotectl certificate
certificate: /etc/cockpit/ws-certs.d/schotty.cert
[ ~]#
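
A check to run on the .cert file before restarting Cockpit, as an added example that is not part of the original post or of Cockpit itself. It verifies the block order described in the documentation quote above and that the file, which now holds the private key, is not world-readable; the function name check_cockpit_cert is made up for this example.

```shell
#!/bin/sh
# Added example, not from the original post or the Cockpit project.
# check_cockpit_cert FILE
#   Returns 0 if FILE has the layout quoted above (one or more CERTIFICATE
#   blocks, then a single private key block last) and is not world-readable.
#   Prints a one-line reason and returns 1 otherwise.
check_cockpit_cert() {
    file=$1
    [ -f "$file" ] && [ -r "$file" ] || { echo "cannot read $file"; return 1; }

    # PEM block labels in file order, e.g. "CERTIFICATE", "RSA PRIVATE KEY".
    labels=$(sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$file")
    [ -n "$labels" ] || { echo "no PEM blocks in $file"; return 1; }

    certs=0; keys=0
    while IFS= read -r label; do
        case $label in
            CERTIFICATE)
                # A certificate after the key usually means the file was
                # appended to twice (the >> commands were run a second time).
                [ "$keys" -eq 0 ] || { echo "certificate after private key"; return 1; }
                certs=$((certs + 1)) ;;
            *"PRIVATE KEY")
                keys=$((keys + 1)) ;;
            *)
                echo "unexpected PEM block: $label"; return 1 ;;
        esac
    done <<EOF
$labels
EOF

    [ "$certs" -ge 1 ] || { echo "no certificate block"; return 1; }
    [ "$keys" -eq 1 ] || { echo "expected 1 private key block, found $keys"; return 1; }

    # Every BEGIN needs its END, otherwise a block was truncated.
    ends=$(grep -c '^-----END ' "$file" || true)
    [ "$ends" -eq $((certs + keys)) ] || { echo "BEGIN/END markers do not match"; return 1; }

    # The file holds the private key, so "other" must not have read access.
    if [ -n "$(find -L "$file" -perm -004)" ]; then
        echo "$file is world-readable"; return 1
    fi
    echo "ok: $certs certificate(s) followed by one private key"
}
```

Run it as check_cockpit_cert /etc/cockpit/ws-certs.d/schotty.cert. If it reports the file as world-readable, tighten the mode so that only root and the account the Cockpit web service runs as can read it.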

If you wish, you can set this up in a boot script that generates the .cert file. I personally have it in my SSL cert scripts, so the file is regenerated whenever I get issued new keys. Here is a quick paste-up of a simple update script. It should be ready to run, but of course modify it to suit your own needs.

#!/bin/bash
# Force root
[ "$(whoami)" = root ] || { sudo "$0" "$@"; exit $?; }

# Set some variables
FQDN=$(cat /etc/hostname)

# Fixes cockpit to use the LetsEncrypt SSL cert
cd /etc/cockpit/ws-certs.d || exit 1
# Overwrite (>) on the first write so re-running does not stack old certs and keys
cat /etc/letsencrypt/live/"$FQDN"/cert.pem > "$FQDN".cert
cat /etc/letsencrypt/live/"$FQDN"/privkey.pem >> "$FQDN".cert
systemctl restart cockpit
cd ~