cockpit
Cockpit
Installs and configures the Cockpit Web Console for distributions that support it, such as RHEL, CentOS, Fedora, Debian, and Ubuntu.
Requirements
RHEL/CentOS 7.x depend on the Extras repository being enabled.
Collection requirements
The role requires the firewall
role and the selinux
role from the
fedora.linux_system_roles
collection, if cockpit_manage_firewall
and
cockpit_manage_selinux
are set to true
, respectively. Please see also
cockpit_manage_firewall
and cockpit_manage_selinux
in
Role Variables
.
If cockpit
is a role from the fedora.linux_system_roles
collection
or from the Fedora RPM package, the requirement is already satisfied.
If you want to manage rpm-ostree
systems with this role, you will need to
install additional collections. Please run the following command line to
install the collection.
ansible-galaxy collection install -vv -r meta/collection-requirements.yml
Role Variables
Available variables per distribution are listed below, along with default values (see defaults/main.yml
):
cockpit_packages
The primary variable is cockpit_packages
which allows you to specify your own selection of cockpit packages you want to install, or allows you to choose one of three predefined package sets: default, minimal, or full
. Obviously default
is selected if you do not define this variable. Not that the packages installed may vary depending on the distribution and version as different packages of cockpit functionality have been provided over time. Also, some may not be available on all distributions, such as cockpit-docker
which was deprecated on RHEL in favor of cockpit-podman
.
Example of explicit cockpit packages to install. Dependencies should pull in the minimal cockpit packages so that they work.
cockpit_packages:
- cockpit-storaged
- cockpit-podman
Example of using the predefined package sets. This is the recommended method for installation.
cockpit_packages: default
# equivalent to
# - cockpit
# - cockpit-networkmanager
# - cockpit-packagekit
# - cockpit-selinux
# - cockpit-storaged
cockpit_packages: minimal
# equivalent to
# - cockpit-system
# - cockpit-ws
cockpit_packages: full
# equivalent to globbing all of them
# - cockpit-*
# This is will pull in many packages such as
# - cockpit ## Default list
# - cockpit-bridge
# - cockpit-networkmanager
# - cockpit-packagekit
# - cockpit-selinux
# - cockpit-storaged
# - cockpit-system
# - cockpit-ws
## and all the rest
# - cockpit-389-ds
# - cockpit-composer
# - cockpit-dashboard
# - cockpit-doc
# - cockpit-kdump
# - cockpit-machines
# - cockpit-pcp
# - cockpit-podman
# - cockpit-session-recording
# - cockpit-sosreport
cockpit_enabled
cockpit_enabled: true
Boolean variable to control if Cockpit is enabled to start automatically at boot (default true
).
cockpit_started
cockpit_started: true
Boolean variable to control if Cockpit should be started/running (default true
).
cockpit_config
cockpit_config: #Configure /etc/cockpit/cockpit.conf
WebService: #Specify "WebService" config section
LoginTitle: "custom login screen title" #Set "LoginTitle" in "WebService" section
MaxStartups: 20 #Set "MaxStartups" in "WebService" section
Session: #Specify "Session" config section
IdleTimeout: 15 #Set "IdleTimeout" in "Session" section
Banner: "/etc/motd" #Set "Banner" in "Session" section
Configure settings in the /etc/cockpit/cockpit.conf file. See man cockpit.conf
for a list of available settings. Previous settings will be lost, even if they are not specified in the role variable (no attempt is made to preserve or merge the previous settings, the configuration file is replaced entirely).
cockpit_port
cockpit_port: 9090
Cockpit runs on port 9090 by default. You can change the port with this option.
cockpit_manage_firewall
cockpit_manage_firewall: false
Boolean variable to control the cockpit
firewall service with the firewall
role.
If the variable is set to false
, the cockpit
role does not manage the firewall.
Default to false
.
NOTE: cockpit_manage_firewall
is limited to adding ports.
It cannot be used for removing ports.
If you want to remove ports, you will need to use the firewall system
role directly.
NOTE: This functionality is supported only when the managed host's os_family
is RedHat
.
cockpit_manage_selinux
cockpit_manage_selinux: false
Boolean flag allowing to configure selinux using the selinux role.
The default SELinux policy does not allow Cockpit to listen to anything else
than port 9090. If you change the port, enable this to use the selinux role
to set the correct port permissions (websm_port_t).
If the variable is set to false
, the cockpit
role does not manage the
SELinux permissions of the cockpit port.
NOTE: cockpit_manage_selinux
is limited to adding policy.
It cannot be used for removing policy.
If you want to remove policy, you will need to use the selinux system
role directly.
NOTE: This functionality is supported only when the managed host's os_family
is RedHat
.
See also the Cockpit guide for details.
cockpit_transactional_update_reboot_ok
cockpit_transactional_update_reboot_ok: true
This variable is used to handle reboots required by transactional updates. If a transactional update requires a reboot, the role will proceed with the reboot if cockpit_transactional_update_reboot_ok is set to true. If set to false, the role will notify the user that a reboot is required, allowing for custom handling of the reboot requirement. If this variable is not set, the role will fail to ensure the reboot requirement is not overlooked.
Certificate setup
By default, Cockpit creates a self-signed certificate for itself on first startup. This should be customized for environments which use real certificates.
Use an existing certificate
If your server already has some certificate which you want Cockpit to use as well, point the cockpit_cert
and cockpit_private_key
role options to it:
cockpit_cert: /path/to/server.crt
cockpit_private_key: /path/to/server.key
This will create /etc/cockpit/ws-certs.d/50-system-role.{crt,key}
symlinks.
Note that this functionality requires at least Cockpit version 257, i.e. RHEL ≥ 8.6 or ≥ 9.0, or Fedora ≥ 34.
Generate a new certificate
For generating a new certificate for Cockpit it is recommended to set the
cockpit_certificates
variable. The value of cockpit_certificates
is passed
on to the certificate_requests
variable of the certificate
role called
internally in the cockpit
role and it generates the private key and certificate.
For the supported parameters of cockpit_certificates
, see the
certificate_requests
role documentation section.
When you set cockpit_certificates
, you must not set cockpit_private_key
and cockpit_cert
variables because they are ignored.
This example installs Cockpit with an IdM-issued web server certificate assuming your machines are joined to a FreeIPA domain.
- name: Install cockpit with Cockpit web server certificate
include_role:
name: linux-system-roles.cockpit
vars:
cockpit_certificates:
- name: monger-cockpit
dns: ['localhost', 'www.example.com']
ca: ipa
group: cockpit-ws
Note: Generating a new certificate using the certificate
system role in the playbook remains supported.
This example also installs Cockpit with an IdM-issued web server certificate.
# This step is only necessary for Cockpit version < 255; in particular on RHEL/CentOS 8
- name: Allow certmonger to write into Cockpit's certificate directory
file:
path: /etc/cockpit/ws-certs.d/
state: directory
setype: cert_t
- name: Generate Cockpit web server certificate
include_role:
name: fedora.linux_system_roles.certificate
vars:
certificate_requests:
- name: /etc/cockpit/ws-certs.d/monger-cockpit
dns: ['localhost', 'www.example.com']
ca: ipa
group: cockpit-ws # or cockpit-wsinstance on newer cockpit versions
NOTE: The certificate
role, unless using IPA and joining the systems to an IPA domain,
creates self-signed certificates, so you will need to explicitly configure trust,
which is not currently supported by the system roles. To use ca: self-sign
or
ca: local
, depending on your certmonger usage, see the
linux-system-roles.certificate documentation for details.
NOTE: This creating a self-signed certificate is not supported on RHEL/CentOS-7.
Example Playbooks
The most simple example.
---
- name: Manage cockpit
hosts: fedora, rhel7, rhel8
become: true
roles:
- linux-system-roles.cockpit
Another example, including the role as a task to control when the action is performed. It is also recommended to configure the firewall using the fedora.linux_system_roles.firewall role to make the service accessible.
---
tasks:
- name: Install RHEL/Fedora Web Console (Cockpit)
include_role:
name: linux-system-roles.cockpit
vars:
cockpit_packages: default
#cockpit_packages: minimal
#cockpit_packages: full
- name: Configure Firewall for Web Console
include_role:
name: fedora.linux_system_roles.firewall
vars:
firewall:
service: cockpit
state: enabled
rpm-ostree
See README-ostree.md
License
GPLv3