Server administration using Cockpit
Control Center
Cockpit [1] lets you manage a remote Linux system through a browser window. An administrator can take a look at the systemd journal, check the load, and start and stop services. Thanks to responsive design, the user interface automatically adapts to different screen sizes which, in turn, facilitates easy access via smartphones.
You can also easily switch to the command line, start web servers there, and create new user accounts at any time. They then appear in the web application, and you can use them to manage multiple Linux systems. To this end, just draw attention to Cockpit on the remaining servers, on which the software must also be running.
This functionality makes Cockpit – developed by Red Hat – similar to the well-known Webmin [2]. The user interface which, according to self-promotion, is easy to use and "very lightweight" especially appeals to less experienced administrators. However, Cockpit is also suitable for managing a home server or smaller business networks. Users should not mistake the tool licensed under LGPL 2.1 for the similarly named openITCOCKPIT [3].
All Inclusive
Red Hat has not even been working on Cockpit for a full two years. The work on it can now be done openly on GitHub [4], but those who observe the project will note its closeness to Red Hat (e.g., the distribution used). Also, Fedora 21 Server, CentOS Atomic, and RHEL Atomic are already preinstalling the tool for server management. Fedora 21 Workstation and Arch Linux only have finished packages. In Fedora 21 Workstation, the command
yum install cockpit
installs the control center.
Users of Arch Linux can install the cockpit package via the Arch User Repository (AUR). The Cockpit version accompanying Fedora 21 still reports as version 0.27 from autumn 2014, although the current version was already 0.52 at the time of writing. However, except for cosmetics, it has not particularly changed.
Those who want to use a different distribution, such as Ubuntu or Debian, will need to compile the source code themselves. Because Cockpit is strongly attached to Fedora, and especially systemd, commissioning turns out to be only a small hurdle. You first need to collect the numerous dependencies in the cockpit.spec
file. The "Vivid Vervet" box describes how to compile the software for Ubuntu 15.04.
Vivid Vervet
You first need to install all required packages [5] to install Cockpit in Ubuntu 4.15:
sudo apt-get install xsltproc \ libglib2.0-dev libjson-glib-dev \ libpolkit-agent-1-dev libkrb5-dev \ liblvm2-dev libgudev-1.0-dev \ libssh-dev libpam0g-dev libkeyutils-dev \ libpcp3-dev libpcp-import1-dev \ libpcp-pmda3-dev intltool xmlto \ libsystemd-journal-dev libsystemd-daemon-dev \ libxslt1-dev npm nodejs selinux-policy-dev \ checkpolicy selinux-policy-doc libdbus-1-dev
You then need to fish the .tar.bz2
archive out of the latest stable Cockpit version from the GitHub repository [6], unzip it, and then compile Cockpit using the well-known rule of three:
./configure make make install
You then need to give the almighty user root a password via
sudo passwd root
so you can log on to Cockpit later.
Cockpit cannot even be put into operation on distributions without systemd. This relates to earlier versions of both Ubuntu and Debian systems up to and including version 7. Those who manually installed Cockpit must finally start it using the systemctl
systemd tool:
systemctl enable cockpit.socket systemctl start cockpit.socket
This happens automatically in Fedora 21 Server, CentOS Atomic, and RHEL Atomic.
Access
Cockpit can be accessed via HTTPS through the browser on TCP port 9090. If, for example, the server has the IP address 192.168.100.11, you can accordingly call up the URL https://192.168.100.11:9090 , although you might sometimes still need to drill a hole in the firewall. In Fedora 21 Workstation, this is applied by two commands:
firewall-cmd --reload firewall-cmd --add-service=cockpit
The firewall in Fedora 21 Server innately accepts connections on port 9090. You should especially bear this in mind if you want to prevent access to Cockpit. Those who prefer a different port must customize the ListenStream
setting in the configuration file cockpit.socket
designated for systemd. This file is usually located in the /usr/lib/systemd/system/
folder; systemd must then apply the changes:
systemctl daemon-reload systemctl restart cockpit.socket
Cockpit forces a secure connection via HTTPS and automatically redirects the HTTP request. A self-signed certificate is used here, which the operator must accept when first accessing Cockpit in the browser. Access to the server itself via http://localhost:9090 is an exception. Here, Cockpit also allows unencrypted connections.
If you want to use your own certificate, you must store it as a cert
file with precisely this extension in the directory /etc/cockpit/ws-certs.d
. If there are multiple certificates, Cockpit always uses the first file in alphabetical order. The certificate a.cert
is therefore preferred over z.cert
. If there is no certificate in the said directory, Cockpit automatically creates one. A self-signed certificate /etc/cockpit/ws-certs.d/~self-signed.cert
is enclosed with Fedora 21.
Cockpit encrypts communication with the browser via TLS and current encryption methods. The standards SSLv3.0 and RC4, which are considered insecure, are disabled.
Logging On
You can log on to Cockpit using the same username and password pair you use to log directly onto the server. If the managed Linux system prevents you from setting up a user account, for example, Cockpit will also block this action. For full access to the system, the system administrator must therefore approach Cockpit as a root user.
Buy this article as PDF
(incl. VAT)