Cockpit



Installs and configures the Cockpit Web Console for distributions that support it, such as RHEL, CentOS, Fedora, Debian, and Ubuntu.

Requirements

RHEL/CentOS 7.x depend on the Extras repository being enabled.

Collection requirements

The role requires the firewall role and the selinux role from the fedora.linux_system_roles collection, if cockpit_manage_firewall and cockpit_manage_selinux are set to true, respectively. Please see also cockpit_manage_firewall and cockpit_manage_selinux in Role Variables.

If cockpit is a role from the fedora.linux_system_roles collection or from the Fedora RPM package, the requirement is already satisfied.

If you want to manage rpm-ostree systems with this role, you will need to install additional collections. Please run the following command line to install the collection.

ansible-galaxy collection install -vv -r meta/collection-requirements.yml

Role Variables

Available variables per distribution are listed below, along with default values (see defaults/main.yml):

cockpit_packages

The primary variable is cockpit_packages which allows you to specify your own selection of cockpit packages you want to install, or allows you to choose one of three predefined package sets: default, minimal, or full. Obviously default is selected if you do not define this variable. Not that the packages installed may vary depending on the distribution and version as different packages of cockpit functionality have been provided over time. Also, some may not be available on all distributions, such as cockpit-docker which was deprecated on RHEL in favor of cockpit-podman.

Example of explicit cockpit packages to install. Dependencies should pull in the minimal cockpit packages so that they work.

cockpit_packages:
  - cockpit-storaged
  - cockpit-podman

Example of using the predefined package sets. This is the recommended method for installation.

cockpit_packages: default
    # equivalent to
    #  - cockpit
    #  - cockpit-networkmanager
    #  - cockpit-packagekit
    #  - cockpit-selinux
    #  - cockpit-storaged

cockpit_packages: minimal
    # equivalent to
    #  - cockpit-system
    #  - cockpit-ws

cockpit_packages: full
    # equivalent to globbing all of them
    #  - cockpit-*
    # This is will pull in many packages such as
        #  - cockpit    ## Default list
        #  - cockpit-bridge
        #  - cockpit-networkmanager
        #  - cockpit-packagekit
        #  - cockpit-selinux
        #  - cockpit-storaged
        #  - cockpit-system
        #  - cockpit-ws
        ## and all the rest
        #  - cockpit-389-ds
        #  - cockpit-composer
        #  - cockpit-dashboard
        #  - cockpit-doc
        #  - cockpit-kdump
        #  - cockpit-machines
        #  - cockpit-pcp
        #  - cockpit-podman
        #  - cockpit-session-recording
        #  - cockpit-sosreport

cockpit_enabled

cockpit_enabled: true

Boolean variable to control if Cockpit is enabled to start automatically at boot (default true).

cockpit_started

cockpit_started: true

Boolean variable to control if Cockpit should be started/running (default true).

cockpit_config

cockpit_config:                               #Configure /etc/cockpit/cockpit.conf
  WebService:                                 #Specify "WebService" config section
    LoginTitle: "custom login screen title"   #Set "LoginTitle" in "WebService" section
    MaxStartups: 20                           #Set "MaxStartups" in "WebService" section
  Session:                                    #Specify "Session" config section
    IdleTimeout: 15                           #Set "IdleTimeout" in "Session" section
    Banner: "/etc/motd"                       #Set "Banner" in "Session" section

Configure settings in the /etc/cockpit/cockpit.conf file. See man cockpit.conf for a list of available settings. Previous settings will be lost, even if they are not specified in the role variable (no attempt is made to preserve or merge the previous settings, the configuration file is replaced entirely).

cockpit_port

cockpit_port: 9090

Cockpit runs on port 9090 by default. You can change the port with this option.

cockpit_manage_firewall

cockpit_manage_firewall: false

Boolean variable to control the cockpit firewall service with the firewall role. If the variable is set to false, the cockpit role does not manage the firewall. Default to false.

NOTE: cockpit_manage_firewall is limited to adding ports. It cannot be used for removing ports. If you want to remove ports, you will need to use the firewall system role directly.

NOTE: This functionality is supported only when the managed host's os_family is RedHat.

cockpit_manage_selinux

cockpit_manage_selinux: false

Boolean flag allowing to configure selinux using the selinux role. The default SELinux policy does not allow Cockpit to listen to anything else than port 9090. If you change the port, enable this to use the selinux role to set the correct port permissions (websm_port_t). If the variable is set to false, the cockpit role does not manage the SELinux permissions of the cockpit port.

NOTE: cockpit_manage_selinux is limited to adding policy. It cannot be used for removing policy. If you want to remove policy, you will need to use the selinux system role directly.

NOTE: This functionality is supported only when the managed host's os_family is RedHat.

See also the Cockpit guide for details.

cockpit_transactional_update_reboot_ok

cockpit_transactional_update_reboot_ok: true

This variable is used to handle reboots required by transactional updates. If a transactional update requires a reboot, the role will proceed with the reboot if cockpit_transactional_update_reboot_ok is set to true. If set to false, the role will notify the user that a reboot is required, allowing for custom handling of the reboot requirement. If this variable is not set, the role will fail to ensure the reboot requirement is not overlooked.

Certificate setup

By default, Cockpit creates a self-signed certificate for itself on first startup. This should be customized for environments which use real certificates.

Use an existing certificate

If your server already has some certificate which you want Cockpit to use as well, point the cockpit_cert and cockpit_private_key role options to it:

cockpit_cert: /path/to/server.crt
cockpit_private_key: /path/to/server.key

This will create /etc/cockpit/ws-certs.d/50-system-role.{crt,key} symlinks.

Note that this functionality requires at least Cockpit version 257, i.e. RHEL ≥ 8.6 or ≥ 9.0, or Fedora ≥ 34.

Generate a new certificate

For generating a new certificate for Cockpit it is recommended to set the cockpit_certificates variable. The value of cockpit_certificates is passed on to the certificate_requests variable of the certificate role called internally in the cockpit role and it generates the private key and certificate. For the supported parameters of cockpit_certificates, see the certificate_requests role documentation section.

When you set cockpit_certificates, you must not set cockpit_private_key and cockpit_cert variables because they are ignored.

This example installs Cockpit with an IdM-issued web server certificate assuming your machines are joined to a FreeIPA domain.

    - name: Install cockpit with Cockpit web server certificate
      include_role:
        name: linux-system-roles.cockpit
      vars:
        cockpit_certificates:
          - name: monger-cockpit
            dns: ['localhost', 'www.example.com']
            ca: ipa
            group: cockpit-ws

Note: Generating a new certificate using the certificate system role in the playbook remains supported.

This example also installs Cockpit with an IdM-issued web server certificate.

    # This step is only necessary for Cockpit version < 255; in particular on RHEL/CentOS 8
    - name: Allow certmonger to write into Cockpit's certificate directory
      file:
        path: /etc/cockpit/ws-certs.d/
        state: directory
        setype: cert_t

    - name: Generate Cockpit web server certificate
      include_role:
        name: fedora.linux_system_roles.certificate
      vars:
        certificate_requests:
          - name: /etc/cockpit/ws-certs.d/monger-cockpit
            dns: ['localhost', 'www.example.com']
            ca: ipa
            group: cockpit-ws  # or cockpit-wsinstance on newer cockpit versions

NOTE: The certificate role, unless using IPA and joining the systems to an IPA domain, creates self-signed certificates, so you will need to explicitly configure trust, which is not currently supported by the system roles. To use ca: self-sign or ca: local, depending on your certmonger usage, see the linux-system-roles.certificate documentation for details.

NOTE: This creating a self-signed certificate is not supported on RHEL/CentOS-7.

Example Playbooks

The most simple example.

---
- name: Manage cockpit
  hosts: fedora, rhel7, rhel8
  become: true
  roles:
    - linux-system-roles.cockpit

Another example, including the role as a task to control when the action is performed. It is also recommended to configure the firewall using the fedora.linux_system_roles.firewall role to make the service accessible.

---
tasks:
  - name: Install RHEL/Fedora Web Console (Cockpit)
    include_role:
      name: linux-system-roles.cockpit
    vars:
      cockpit_packages: default
      #cockpit_packages: minimal
      #cockpit_packages: full

  - name: Configure Firewall for Web Console
    include_role:
      name: fedora.linux_system_roles.firewall
    vars:
      firewall:
        service: cockpit
        state: enabled

rpm-ostree

See README-ostree.md

License

GPLv3