Blog posts
Cockpit with Docker Restart Policy
Cockpit is the modern Linux admin interface. There’s a new release every week. Here are the highlights from this weeks 0.102 release.
Docker Restart Policy
When running a Docker container in Cockpit, you can now set the restart policy, so when the docker daemon restarts the containers will be restarted too. Justin Robertson contributed this feature. Take a look.
Single Dialog for Creating Logical Volumes
The storage interface in Cockpit now has a single combined dialog when creating logical volumes. This is a first tiny step towards advanced LVM2 features such as RAID layouts and caches. The dialog will get more fields and more interesting behavior as we implement more of the features offered by LVM2, such as the various RAID levels, as indicated by the hidden options for the “Purpose” and “Layout” fields.
Storage interface now available on Debian
The storage interface in Cockpit has been enabled and built on Debian. The storaged API is now available on Debian too.
Don’t Distribute jshint due to License
We stopped distributing jshint or requiring it as a build dependency due to its controversial license.
Try it out
Cockpit 0.102 is available now:
Cockpit does Kubernetes Data Volumes
Cockpit is the modern Linux admin interface. There’s a new release every week. Here are the highlights from this weeks 0.101 release.
Kubernetes Volumes
You can now set up Kubernetes persistent volume claims through the Cockpit cluster admin interface. These volumes are used to store persistent container data and possibly share them between containers. Each container pod declares the volumes it needs, and when deploying such an application admins configure the locations to store the data in those volumes.
Take a look:
Show SELinux failure messages properly
As a follow up from last week, several bug fixes landed in the new SELinux troubleshooting support.
Try it out
Cockpit 0.101 is available now:
Cockpit 0.100 Released
Cockpit is the modern Linux admin interface. There’s a new release every week. Here are the highlights from this weeks 0.100 release. Even though 0.100 may seem to be a magical number … it’s really just the number after 0.99 :D
SELinux Troubleshooting
Cockpit can now help you troubleshoot SELinux problems, and show you fixes for repairing the various issues. This is pretty amazing for system admins who really would rather be secure, but keep bumping into stuff that SELinux is blocking. There’s more to come on both SELinux and troubleshooting in the future. Take a look at what landed in this release:
Image Registry Interface
There’s a new Image Registry user interface. It works with Atomic Platform or Openshift clusters. By default this shows up in the Cockpit “Cluster” admin dashboard.
But more importantly you can deploy this as a standalone image registry, complete with storage, authentication and an interface. See www.projectatomic.io/registry for more info.
Here’s a quick demo:
Storage sliders and more
Marius has been working on cleaning up the storage UI. One of the changes you’ll notice is that you can now use a slider to choose a size for new volumes or file systems, and specify the size units you want to use:
Debian builds now also include the Storage page.
From the future
Peter worked on adding Cluster storage configuration to the Kubernetes admin dashboard. Basic support will be in the next release. Here’s a screenshot:
Try it out
Cockpit 0.100 is available now:
Cockpit 0.99 Released
Cockpit is the modern Linux admin interface. There’s a new release every week. Here are the highlights from 0.96 through 0.99.
Kubernetes Cockpit Pod
The Kubernetes cluster admin interface is now deployable as a Kubernetes pod. Peter did a lot of work to make this happen. It’s a good example of taking just one part Cockpit, containerizing it and running it in a completely different environment.
You can use the commands listed in the documentation to run the pod. Here’s a demo:
Locking down Cockpit with Content-Security-Policy
Content-Security-Policy is like SELinux in your browser. You declare what your application is allowed to do, and the browser prevents other things from happening, like cross site scripting attacks. Because the Cockpit javascript code has as much access to the system as the logged in user, Cockpit needs to make sure that attackers cannot sneak in javascript code into the browser session.
In the last few releases, a strict policy was applied to the network, Kubernetes, Docker, storage, and accounts parts of the interface, just a few more remaining before all of Cockpit is locked down in this way.
Debian packages
Cockpit has been testing each change and release against Debian during continuous integration for a while. Lars recently added installable Debian binary packages for each release. We’re still looking for a DD maintainer to help take those tested packages and include them in Debian proper.
See the documentation for how to use the Cockpit Debian packages.
From the future
The ability to troubleshoot SELinux in Cockpit is pretty exciting. Dominik has lots of the work in this area and it’s nearly ready. Watch the video below. Once it’s finished you’ll be able to just click a button to resolve many (most?) SELinux issues found on a server.
Garret designed a UI for using Docker with an LVM pool as you would on Atomic Host. That is: A UI for docker-storage-setup. I’m looking forward to this in Cockpit. Sneak peak here:
Try it out
Cockpit 0.99 is available now:
Cockpit 0.95 Released
Cockpit releases every week. Here are the highlights from 0.90 through 0.95.
Set CPU performance profile via tuned
Cockpit can now talk to tuned and set the CPU performance profile of the system. Thanks to Ryan Barry for doing the initial prototype, and Jaroslav Škarvada for fixing up tuned to include profile descriptions.
iSCSI initiator support
The iSCSI support that Marius worked on with the storaged folks has finally landed in a Cockpit release. It was waiting on fixes in some dependencies. Have a look:
Support for WebSocket client in cockpit-bridge
In order to better talk to services like Kubernetes or the Atomic Docker Registry we’ve added WebSocket support to the cockpit-bridge. It can now connect to local WebSockets on the system.
But here’s an example of what you can do with that: The demo below shows GTK+ 3 apps running inside of Cockpit. GTK+ 3 supports HTML5 as a display mode, and Cockpit can wrap that in authentication and a real Linux login session:
Debian Source Packages
As a step towards working getting Cockpit into Debian we now create Debian source packages during our continuous delivery process. These end up here for now:
deb-src https://fedorapeople.org/groups/cockpit/debian-unstable ./
Content Security Policy
Because the Cockpit javascript code has as much access to the system as the logged in user, Cockpit needs to make sure that attackers cannot sneak in javascript code into the browser session.
Obviously we do this by escaping HTML output carefully and other best practices. But in addition to that we’ve started to deploy Content Security Policy.
If you’re unfamiliar with Content Security Policy it’s a bit like SELinux for a browser session. It tells the browser we explicitly don’t want to execute any code, styling or other resources that get loaded from Cockpit itself.
We haven’t turned on the strict policy for all of Cockpit yet, and we’re doing it component by component.
Fix cockpit-ws start while reading from /dev/urandom
Previously when there were interruptions during reading from /dev/urandom while starting cockpit-ws, then initialization would fail. This has now been fixed.
OAuth login support
Cockpit now has OAuth login support. It doesn’t exactly work out of the box for logging into a local Linux system, but it can be used to create custom dashboards or containers based on Cockpit components that use OAuth to authenticate.
See the documentation for more info.
Running RHEL QE Tests
When you open a Cockpit pull request, take a look at the test suites that are run against it.
This week we finished work to run the Cockpit RHEL QE tests upstream git pull request. Rather than catching issues on the backend of things, we’ll be ahead of the game.
Vagrant without NFS
Cockpit’s Vagrantfile used to use NFS to keep the git checkout in sync with the image. This caused many folks to have a hard time using Vagrant to hack on Cockpit, so the NFS stuff is now dropped. You can still bring up the vagrant VM as before:
$ sudo vagrant up
And then access Cockpit on https://localhost:9090
However if you make changes to the stuff in the git repo, you need to run an extra vagrant command before the running VM will pick it up:
$ sudo vagrant rsync
See HACKING.md in the git repo for more details.
Try it out
Cockpit 0.95 is available now:
Cockpit 0.89 Released
Cockpit releases every week. Here’s a summary of the 0.87, 0.88 and 0.89 releases.
OSTree upgrades and rollbacks
Peter worked to finish the basic OSTree UI has been merged into Cockpit. This lets the admin perform upgrades and rollbacks on Atomic Host.
Colin, Peter and the OSTree guys worked together to build a DBus interface in rpm-ostree so that callers can interact with the update system.
Demo: https://youtu.be/Tmj0Nrkasmk
Before this is usable by users, the cockpit-ostree package will need to (be included in Atomic Host, first on Fedora)[https://bugzilla.redhat.com/show_bug.cgi?id=1292826].
Custom login authentication scripts
The Cockpit WebService cockpit-ws component now supports custom authenticators for various auth mechanisms. Some assembly required.
Peter has implemented this as part of containerizing the kubernetes and docker registry admin dashboards.
https://github.com/cockpit-project/cockpit/blob/master/doc/authentication.md
Stubbed out bridge for non-local users
This means that the Cockpit parts can be customized to that we can allow non-local users to log in and interact with certain Cockpit components that don’t interact with the local system. Again this is part of containerizing the kubernetes and docker registry admin dashboards.
Specific dashboards can now be shown as default
A specific Cockpit dashboard can now be shown as the default when logging in, by specifying a lower “order” than default dashboard.
https://github.com/cockpit-project/cockpit/pull/3317
Fix login on Windows
Cockpit no longer prompts for a strange second login (which had to do with SSO) on Windows. There are some remaining issues with how Cockpit works on Internet Explorer, but most have been solved.
https://github.com/cockpit-project/cockpit/issues/2164
Host name in self-signed certificate
In order to make life easier, when generating a self-signed certificate, Cockpit now includes the local host name. Self-signed certificates remain a stop gap. Real world deployments should replace them with properly signed certificates from a certificate authority:
http://cockpit-project.org/guide/latest/https.html
Routine Debian testing
The Cockpit Project has started routinely testing each Cockpit pull request on Debian Unstable using real Debian packaging. Marius did some great work here. This means we’re are close to doing real continuous delivery to Debian. Next step, a repo, and a maintainer.
https://fedorapeople.org/groups/cockpit/status/debian-unstable.html
Case insensitive cockpit.conf
The cockpit.conf file is now case insensitive for options and headings. This should make editing it less error prone.
http://cockpit-project.org/guide/latest/cockpit.conf.5.html
Reorder graphs on server summary page
Thijs reordered the resource graphs on the server summary page in the same order as GNOME, Windows, and elsewhere.
Syncing of users when adding a server
Cockpit no longer requires or suggests that the admin accounts be synced between servers when adding another server to the dashboard. This feature is still available when editing the server options on the dashboard.
Weak dependencies on Fedora 24+
On Fedora 24 and later, one can have ‘Suggests’ and ‘Recommends’ dependencies between packages. Cockpit now takes advantage of these for its ‘cockpit’ meta package making certain parts removable without removing ‘cockpit’.
Vagrantfile working again
The Vagrant file now pulls from the correct lastest binary builds of Cockpit. To use it:
$ git clone https://github.com/cockpit-project/cockpit
$ cd cockpit
$ sudo vagrant up
SOS Reporting
Users can now prepare an SOS Report containing information about the system and send it to their support representative.
From the future
Stef has done work to cleanup the Javascript dependencies of Cockpit. Broadly these fall into two categories:
-
Development dependencies: only used while developing Cockpit, not even used while building the tarball. These are
node_modules -
Runtime dependencies: used while Cockpit is running and built into the various Cockpit packages. These are
bower_components
The latter should be replaceable at build-time. The cleanup work moves in this direction, but it’s not complete yet.
From the future
Ryan Barry has posted a pull request adding tuned (system performance profile) support to Cockpit:
https://github.com/cockpit-project/cockpit/pull/3279
Try it out
Cockpit 0.86 is available now:
Cockpit 0.86 Released
Cockpit releases every week. This week it was 0.86.
SOS Reporting
Users can now prepare an SOS Report containing information about the system and send it to their support representative.
From the future
Stef has done work to cleanup the Javascript dependencies of Cockpit. Broadly these fall into two categories:
-
Development dependencies: only used while developing Cockpit, not even used while building the tarball. These are
node_modules -
Runtime dependencies: used while Cockpit is running and built into the various Cockpit packages. These are
bower_components
The latter should be replaceable at build-time. The cleanup work moves in this direction, but it’s not complete yet.
Try it out
Cockpit 0.86 is available now:
Cockpit 0.85 Released
Cockpit releases every week. This week it was 0.85.
Varying users on dashboard machines
Cockpit now supports adding machines to the dashboard with different user logins for each one. This can be useful in cases where you’re adding cloud instances to your dashboard, and they require logging in with a cloud-user and not the same user as your other servers.
Non standard SSH ports
When Cockpit connects to a machine that was added to the dashboard, it does so over SSH. Cockpit can now connect on non-standard SSH ports.
See the video above.
Troubleshooting machine connectivity
Cockpit now allows you to fix connectivity issues for servers that are added to the dashboard. This includes adjusting authentication, checking on host keys and more.
Fix SELinux certificate file type bug
Cockpit 0.84 failed to start on certain distros because SELinux wasn’t available or couldn’t be used to reset the certificate file context. This bug has been fixed.
Work around bug in Firefox 42
A bug in Firefox 42 caused Cockpit to often load with a blank screen, due to layout calculation issues. The layout code has been changed to work around this issue.
Docker restart container timeout
Previously Cockpit called the Docker API without a timeout when restarting containers. This caused Docker to immediately kill the container without waiting for it to shutdown cleanly. Cockpit now passes a timeout.
From the future
Marius has made progress getting the Cockpit integration test suite to run on Debian. Without the integration tests running for a certain distro, there’s no way to ensure Cockpit actually works there.
Try it out
Cockpit 0.85 is available now:
Cockpit 0.83 and 0.84 Released
Cockpit releases every week. This week it was 0.84. I’ll also include notes from 0.83 here.
Building Cockpit on Debian
At systemd.conf Dominik worked with Michael Biebl one of the Debian systemd maintainers on packaging Cockpit for Debian. We’re still looking for a maintainer long term.
Here’s a blog post with more details.
Cross Distro Integration Tests
In Cockpit we run hundreds of tests on real operating systems for each pull request. Without running these tests on an OS it’s impossible to know that the features of Cockpit actually works. So far we’ve been running these tests on Fedora, Atomic, and RHEL. But we’d really like to run them on Debian as well. That’ll make Cockpit much more well rounded.
Marius worked on the first steps toward running the tests on Debian, by doing the Cockpit build inside of our test VM images. Hopefully we’ll see more progress on this.
SELinux certificate file type
The cockpit.service helpfully sets the appropriate user and group on the certificates that cockpit-ws will use for TLS. Now it also sets the SELinux file context type properly, so this is one less things to break for an admin.
Cockpit manual page
There is now a man cockpit overview manual page that links to the guide and elsewhere.
From the future
Marius has done work on an SOS reporting view. Needs some further backend work, but should be ready soon:
Peter has mostly completed the work to add machines with alternate users, and non-standard SSH ports. Among other things, this is useful for cloud instances. I’m looking forward to seeing this in Cockpit 0.85.
Try it out
Cockpit 0.84 is available now:
Cockpit 0.82 Released
Cockpit releases every week. This week it was 0.82
Distributed Tests
In Cockpit we run thousands of integration tests per day against pull requests and git master. Each test brings up up Cockpit in a full operating system VM, and hammers on it in some way. Without these tests it’s impossible to validate that Cockpit actually works.
Last week, the server doing this testing work broke down. I’ve been working over the last week to fix that, along with others.
But we’ve done more, instead of just putting this on another server, we’ve worked to make these integration tests run in a distributed manner across several machines each doing a part of the tests.
The tests are staged via privileged containers, and run in libvirt VMs.
Here’s some documentation on how to use the new tests.
Certificate Chains
Cockpit has supported using certificate chains for its cockpit-ws component, but only when the underying GLib (2.44+) supported it. In this release we start to support running TLS with proper certificate chains even on older GLib versions. The documentation and appropriate tests were updated.
Try it out
Cockpit 0.82 is available now: