Managing Linux servers with Cockpit
Cockpit is an interesting project for web-based Linux administration that has received relatively little attention over the years. Part of that may be due to the project's strategy of minor releases roughly every two weeks, rather than larger releases with many new features. While the strategy has done little to garner headlines, it has delivered a useful and extensible tool to observe, manage, and troubleshoot Linux servers.
Overview
The Cockpit project started in 2013, sponsored by Red Hat. It was primarily targeted at system administrators new to Linux, such as Windows administrators who were having to adapt to Linux's increasing presence in the server market. It is designed to be distribution-independent, and is available for and tested on many popular Linux distributions including Arch Linux, Debian, Fedora, openSUSE Tumbleweed, and Red Hat Enterprise Linux (RHEL) and its derivatives. See the full list on the running Cockpit page.
The project's goal is to provide a coherent, discoverable GUI to manage systems and make use of tools already present on the system without getting in the way of or conflicting with other tools. Cockpit doesn't save configuration state independently of the system; that is, if an administrator uses Cockpit to make changes to a system firewall and then makes further changes to the firewall using another tool like Ansible, Cockpit won't try to automatically revert Ansible's changes down the road.
One of the project's ideals is that
people should "feel they are interacting with the underlying Server
OS
", and that its user interface should show the server name or
operating system name rather than Cockpit branding. As a matter of
fact, users are interacting with the underlying
operating system when using Cockpit: it uses standard system tools
behind the scenes for its tasks if they are available.
While Cockpit is meant to be distribution-independent, its heritage does show through a bit in its choices of default tools. Cockpit uses NetworkManager to manage network configurations, firewalld to manage a system's firewall, storaged for working with system storage, SOS report for creating diagnostic reports, and so forth if they're present on the system. If a distribution defaults to networkd instead of NetworkManager, then the options are to install NetworkManager, forego using Cockpit for network administration, or do the work and contribute the feature to the Cockpit project. For the most part, though, few users contribute features to the project—the majority of contributions to Cockpit come from a handful of Red Hat employees.
If one looks at the past two years of activity in the main Cockpit repository, the majority of commits come from Martin Pitt, Allison Karlitskaya, Jelle van der Waa, Marius Vollmer, and Katerina Koukiou, who are all Red Hat employees. This is not to say that contributions are unwelcome. The project has made a respectable attempt to encourage contributions, or at least make it possible for others to reuse its work. Cockpit has a detailed contribution guide and a developer guide for those interested in contributing to or reusing Cockpit's components.
Cockpit architecture
Cockpit is licensed under the LGPL v2.1 (or later) and consists of the web frontend, along with a web service for communication between the frontend and cockpit-bridge. The cockpit-bridge program is responsible for relaying commands via DBus to systemd, storaged, NetworkManager, and the other system tools used by Cockpit. Its web components are written in JavaScript, with the other components largely written in C or Python. The cockpit-bridge component has implementations in C and Python. The Python bridge was introduced in June 2023, in the Cockpit 294 release. Recent RHEL-based distributions and Fedora have switched to the Python implementation, while Debian 12 and Ubuntu 22.04 are still on the C version of cockpit-bridge.
Once Cockpit is installed and running on a system, its web interface is available on port 9090 by default. The port can be changed, if needed, or the web service can be turned off entirely and Cockpit clients can connect over SSH by using a desktop client, a container that runs the Cockpit web service, or by logging into another server running Cockpit and then connecting to a secondary server.
One might expect problems when mixing and matching versions of Cockpit, but because it is used on so many Linux distributions with varying release schedules, backward compatibility is another of the project's ideals. If a user is running Cockpit on Debian Bookworm, they should be still be able to connect to a server running Fedora Rawhide without problems, or vice versa. Having used Cockpit for years on a variety of systems running Alma Linux, CentOS, Debian, Fedora, RHEL, and Ubuntu, I can confirm that the project does a fine job of maintaining compatibility between releases.
The project recommends using Firefox or Chrome, and has automated
tests to ensure compatibility with both browsers. The project also states that it
"periodically
" tests Edge, Safari, and GNOME's Epiphany web
browser. Users trying to connect to Cockpit with Safari on iOS,
iPadOS, and Arm-based Macs (at least of this writing), may have a bit
of difficulty. Safari on those platforms is missing
support for the self-signed certificates that Cockpit uses by
default. Users can work around this, or just use a supported browser.
Releases come out roughly every two weeks. The release numbering
for the project is somewhat unusual. In 2016 Cockpit adopted
a new scheme and started with version 118, with subsequent
versions being 119, 120, etc. Note that some releases receive
subsequent bugfix releases of their own, such as the 310 release that
received a 310.1
release to fix a race condition, and 310.2
with fixes for curl and SELinux. The most recent release
as of this writing is Cockpit
313, which comes with a note saying that it contains "assorted bug fixes and
improvements
" on its release page. The project's blog usually has more
descriptive posts that advertise new features such as Btrfs
support for 309 or the addition of LVM2 RAID layout support
in 304.
The project has a mailing list for development but it is not a lively list. Two messages have been sent in 2024, one in January and one in February. The GitHub discussions page is more lively, and most of the work happens in Cockpit's issue tracker on GitHub.
The fast pace of releases means that the upstream version of Cockpit may be significantly newer than the version packaged for stable or long-term support (LTS) versions of Debian and Ubuntu. The project recommends installing from the Debian backports or Ubuntu backports repositories to use a more up-to-date version if possible.
Taking the controls
Cockpit can be set up to use standard system password or Kerberos authentication when logging in directly. It can use SSH key-based authentication when connecting over SSH to secondary servers. Unlike tools like Webmin, Cockpit doesn't maintain a set of users independently of the system, users log in as themselves, and have the same permissions and privileges as if they had connected via SSH or logged in at the console. Users can also gain administrative access if they have sudo privileges on the host.
After logging in, users will see a system overview page with a dashboard displaying system health, CPU and memory usage, basic system information, and navigation to pages for working with user accounts, system logs, system services, networking, and other tools. The exact services available via Cockpit will vary based on the services available on the host OS and which optional components are installed. This makes it simple to log in and see, at a glance, whether a system has any pending software updates, whether it has logged any errors to be concerned about, and much more.
![[The Cockpit
dashboard]](https://static.lwn.net/images/2024/cockpit-dashboard-sm.png "The Cockpit dashboard")
Drilling down into the metrics and history page, Cockpit offers a more detailed set of metrics about the system's load, which applications are consuming the most memory, the disk usage and throughput, and network interfaces and bandwidth consumption. Note that Cockpit's memory-usage information comes from control groups (cgroups) to provide a quick overview of system usage rather than a full accounting of resident set and virtual memory by process. For historical data, Cockpit uses Performance Co-Pilot (PCP) if it's available. If it isn't available, Cockpit provides an option to install PCP to begin collecting metrics and then display system usage and load over time. Cockpit will even note spikes in load or I/O, with links to logs from that timeframe that might help shed light on the cause.
The services tab allows an administrator to browse the available systemd services, targets, timers, sockets, or paths. From there, administrators can manage the various systemd services, see their relationships with other services, and view their logs. If relevant to a service, Cockpit will also show its memory usage. As an example, browsing the apache2.service on my Debian server running a few WordPress blogs shows 628MB memory in use.
As one might expect, Cockpit's accounts tab will let administrators view users on the system and work with users and groups. In addition to the basic operations like adding or removing users, changing passwords, managing a users' groups, administrators can also browse a users' login history and manage authorized SSH keys.
Extending Cockpit
Cockpit also has number of additional applications one might want to install, depending on what workloads a system is running. For instance, the Cockpit project has applications for working with virtual machines, managing containers with Podman, managing OSTree updates, working with SELinux, and a number of others. There are also third-party application add-ons like the Navigator file browser for Cockpit, another to manage Samba and NFS file sharing, a ZFS on Linux administration utility, and more. If none of the available applications fit the bill, users can create their own custom applications and add them to Cockpit's navigation.
Even with the array of third-party applications for Cockpit, the odds are that eventually one will need to do some system task that isn't doable via its interface. Even then, all is not lost: when all else fails, Cockpit has a web-based terminal for quick and easy access to the command line.
As noted, the Cockpit team churns out releases on a regular basis. The developers don't tend to make much noise about the releases, so the project goes unnoticed by a lot of the users who would benefit most from it. It's a handy, deceptively useful tool that's well worth a look as part of a well-balanced administrator's diet.
Posted Mar 20, 2024 18:16 UTC (Wed)
by bferrell (subscriber, #624)
[Link] (12 responses)
Webmin was released a very long time ago, is under active development, updated as needed and has a active, thriving community adding modules to encompass just about anything you can imaging.
Explain to me like I'm 5 why cockpit is even a thing? If you must, go ahead and bring up PERL.
Posted Mar 20, 2024 18:20 UTC (Wed)
by mbunkus (subscriber, #87248)
[Link] (1 responses)
You didn't even do the bare minimum of research. So please explain to me like I'm 5 why you're even posting?
[1] https://cockpit-project.org/running.html
Posted Mar 21, 2024 1:43 UTC (Thu)
by bferrell (subscriber, #624)
[Link]
To address other comments, webmin uses the existing system admin utilities (systemd etc) so if you understand making STANDARD system admin changes, webmin does nothing extra.
I suspect a 5 year old could understand that IS they understand sysadmin tasks
Posted Mar 20, 2024 18:46 UTC (Wed)
by Cyberax (✭ supporter ✭, #52523)
[Link] (1 responses)
Cockpit is a fairly simple frontend, that integrates with the existing infrastructure. You just install it, and get a couple of additional daemons running, and that's it. Super-easy.
Posted Mar 20, 2024 19:08 UTC (Wed)
by mgb (guest, #3226)
[Link]
Posted Mar 20, 2024 21:03 UTC (Wed)
by adam820 (subscriber, #101353)
[Link]
Fantastic. Glad it exists. Cockpit comes out of the box on some distros without having to install or configure anything, ready to log in immediately after installation, which can be a boon to productivity, especially if you're new to Linux and don't even know how to install a package right away. But the MOTD mentions you can manage your server at this URL... hey, it's clicky buttons! I know how to do that!
> Explain to me like I'm 5 why cockpit is even a thing? If you must, go ahead and bring up PERL.
Why is webmin a thing? Why is any software a thing? Why have 2 of thing, when 1 of thing exist?!
Posted Mar 20, 2024 21:23 UTC (Wed)
by sjj (guest, #2020)
[Link]
FWIW, I want to thank the people working on this. Really nice how it works with existing tools, all you need is ssh access like a regular bastion host.
Posted Mar 21, 2024 2:06 UTC (Thu)
by Kamilion (guest, #42576)
[Link] (3 responses)
"We'll just do it again in laravel, and it'll be okay this time!"
Perl has not been a required component of the platform since python3 effectively took over nearly every instance of it's utility, including becoming the defacto dependancy of nearly every package management system besides openwrt and slackware style tarballs.
This is also why the cockpit-python bridge is "new and interesting" and also, from my perspective, a possible security issue.
"A culture of refusing to learn when taught..."
Can't blame us though. Culture's a massive mix from us old farts that remember IRQ jumper settings to the kids running steamos and mint trying to get away from the MSOffice culture.
Posted Mar 21, 2024 3:02 UTC (Thu)
by Kamilion (guest, #42576)
[Link]
So! In the interest of meeting you in the middle of the ELI5 request, I'll hook you up with my meandering opinion of thirty years of painful mistakes in technology.
First system I had to myself was an Atari ST. All GUI, no commandline. Had TRS80 & C64s around to "learn" basic on, but never leaned on it. Knew basic would be fruitless in the future. DarkBasic and Gambas3 are the last remnants, and are slowly dying as maintainers lose interest.
I thought it would be a good idea to learn some scripting skills around the turn of the century. Grabbed myself the newest shinest book about it: Perl 6 and Parrot Essentials, first edition.
I cannot possibly explain to you exactly how bad of a mistake this was.
Okay, I said, it can't be as bad as I think, this Ruby on Rails thing seems popular...
I'm not even sure where Rails went after they removed the 'scaffold' system around 3.0.
At that point, I started learning PHP4/5. Now, with the context of what I had touched before? This was a hot garbagefire. Get a line of code wrong? white page render. Wanna debug stuff? throw random prints in. Logging framework? Objects? Nope. you *could* but nobody did yet. But I tried. I found OOP packages, worked my way up into getting deep into WHMCS billing package for a VPS provider, and have dived unfortunately deep into the invision files over the years.
PHP leaves nothing but sadness in your heart. Sometimes it leaves money in your wallet.
Hark, what say thee, stack exchange, forsooth shall i continue my quest for sanity in templated web tooling?
Soon, I found joy in scripting again. Grand python class trees with flask-classy/classful.
The code made sense, the output looked... better than my early scaffolded rails projects...
There were no pickles, I refused to apply financial SQL databases to plain content that a filesystem could address behind nginx better.
So when I say "python's pretty alright from a security perspective so long as you don't step on the big five landmines", I mean it.
But still, I'll rewind back to 2012 for a moment more; I don't buy raspberry pis because I personally dislike how broadcom has treated the linux community for two decades. I inherit them from others, but my collection of SBCs has only expanded because of that personal opinion. Allwinners, Amlogics, Mediateks, Rockchips, *anybody that will support linux more than broadcom used to*... Well, not allwinnner *anymore* but that's here nor there. The other three are visibly working hard in the community.
As such I've been exposed to a *lot* of arm distro roots, way back to the NSLU2 and rootfs endianness.
Cockpit's actually been around on more of them than I expected. I've found bits and pieces of it all over the place, since about 2017.
So it's clear that python is winning out for a significant number of reasons:
Meanwhile, PHP had admittedly improved by leaps and bounds by version 8, but it still hurts me inside every time I see ?php tags.
I honestly hate to say this, but there's some software packages that are better off dead.
I guess that was more like ELI17, but that's probably more the sort of "what happened while I was asleep under this pi hat" you were after ?
Posted Mar 21, 2024 8:16 UTC (Thu)
by lis (subscriber, #141132)
[Link]
Neither the C nor Python bridge acts as a security boundary in any way whatsoever. The protocol is "run this command", "write this file", "make this dbus call", with no restrictions. Keep in mind that once you're logged in to Cockpit, you can easily flip over to the terminal window and do whatever you want as the account you're logged in to, and this is by design. The bridge is in the business of doing *anything* you ask it to do. It's up to the kernel to impose the restrictions (as the currently logged in user).
The bridge only starts running after you've successfully logged in. The actual security transition there is managed by a very small C program (cockpit-session). In many cases (and increasing) we actually use ssh as the way to log in before running the bridge, in which case the security is down to ssh.
Posted Mar 23, 2024 17:45 UTC (Sat)
by ballombe (subscriber, #9523)
[Link]
You forget Debian and Ubuntu... perl-base is Essential: yes.
Also in shell scripts, having to rewrite perl one-liners as awk one-liners is not a progress.
Posted Mar 21, 2024 7:28 UTC (Thu)
by andreashappe (subscriber, #4810)
[Link]
Why not webmin? Because I don't want it to manage my system but prefer a slim and minimal add-on (that not even has it's own user database) that reuses as much of the system as possible.
Oh, the home-server is running debian, not fedora or redhat BTW.
Posted Mar 21, 2024 19:15 UTC (Thu)
by dsommers (subscriber, #55274)
[Link]
When you log in, you have the same privileges as if you logged in via ssh or on a physical console. This goes through the standard authentication and authorisation steps as any login on the system. Cockpit is this way more or less just a graphical view of what you can do with command line tools.
In a setup with distributed authentication (SSO, ssh keys, etc), you can log into the web portal on one host and manage other hosts from that single point.
These days Cockpit is has packages available on the majority of larger Linux distributions. And the user experience will be pretty much the same across all distributions, even across versions. Naturally, if one version on one host lacks features available in a newer version, that feature won't be available.
Using Cockpit is an instant experience. Changes can happen in the moment you click a button, not when the web server has parsed a request and done some operations on the server side. How? The webview you see is essentially a D-Bus client which interacts instantly with the service you really want to modify.
D-Bus policies and polkit handles the authorisation, so unprivileged users will not be allowed to do operations they are restricted from. That means, the "web channel" between your browser and the "web server" merely passes data. It does not do any security checks itself; that is handled by the standard authentication and authorisation stack which the console logins, GUI desktop logins, ssh, etc already depends on. Cockpit itself does not need to start any privileged support service on its own; it leverages from what is already on the system from before.
Webmin is an entirely different beast. Last time I used it (which is veeeery long ago, though), it started with needing to set up a web server capable of running PHP. And that PHP code would run commands, some which would require sudo-type run environment. And that was started from PHP code on a web server with its own authentication and authorisation approach. So, an attacker capable of tricking that with whatever PHP or web server vulnerabilities available, could pass all security checks and run arbitrary executables with privileges from an unprivileged account.
Because Cockpit doesn't need to run the web portal with any kind of privileges, it's not vulnerable to those type of attacks, since the authentication and authorisation is only triggered, not performed, by Cockpit.
Posted Mar 21, 2024 14:08 UTC (Thu)
by jnabasny (subscriber, #157304)
[Link] (1 responses)
Posted Mar 21, 2024 14:25 UTC (Thu)
by corbet (editor, #1)
[Link]
Managing Linux servers with Cockpit
Managing Linux servers with Cockpit
Managing Linux servers with Cockpit
Managing Linux servers with Cockpit
Managing Linux servers with Cockpit
Managing Linux servers with Cockpit
Managing Linux servers with Cockpit
Managing Linux servers with Cockpit
The old bridge was C, but written mostly defensively.
Now I'm recalling the bad old days of Xen's configuration being executable python files.
Managing Linux servers with Cockpit
I'll put it this way: there is a reason perl5 is still a package in most distributions, and there is not a perl6 package.
Now ruby has kind of a... not so great reputation. It's "still around" but, after twitter dropped it, it "popped like a zit".
"hey, if you messed with sinatra for ruby, try this flask joke for python, it's just one file."
Flask and jinja have truly stood the test of time for me -- nearly a decade in production and the only failures we've had has been uplink related.
As an authentication service against the machine accounts, it seems to be pretty popular.
It's also used in that context for openSUSE's agama although it's most likely on it's way out, if it's not been extracted already.
https://github.com/openSUSE/agama/discussions/1000#discus...
And in that comment, it's alluded to the fact that future releases of the Anaconda installer will be rebased on top of cockpit's functionality.
* Most of the other competitors had a sharp spike of popularity, jumped the shark, and calmed
* It has stood against the hostile internet about as well as rust or golang, the two current golden children of memory safety and concurrency, respectively.
* Erlang and elixir are not well known enough to be recognized outside of a few large public services like Discord
* It has gained extreme popularity in the machine learning space
A lot of PHP code couldn't upgrade to PHP6... so I still have to scream and cry every time I see a living php5 installation in the wild.
And every time someone chooses to start off learning PHP, the cycle of destruction only continues.
Cpanel, Webmin, and WHMCS are some of those. But they just won't die. Because someone's still making money off their corpse.
Managing Linux servers with Cockpit
Managing Linux servers with Cockpit
Managing Linux servers with Cockpit
Managing Linux servers with Cockpit
Managing Linux servers with Cockpit
but the only new developments mentioned were bug fixes. Moreover the entire article reads like a plea from RedHat for community contributions or a sales pitch for Cockpit. No wonder it was written by a publicist at RedHat. I've come to admire the deeply technical and community-focused articles in LWN over the years. Unfortunately this article does not fit that mold and I hope it is not a sign of more to come.
The article was written by an LWN staff member — one who has been involved with the site in various ways for for over 20 years — with no involvement by any other company. If you did not enjoy it then I am sorry, and we would be happy to hear about how you think it could have been done better. But please do not suggest that it was some sort of paid placement; LWN has never done that in its history.
Authorship