It probably sounds too good to be true: the ability to manage remote systems using an easy to use, intuitive graphical interface – without the need to install extra software on the remote systems, enable additional services, or make any other changes on the remote systems. This functionality, however, is now available with a combination of the recently introduced Python bridge for Cockpit and the Cockpit Client Flatpak! This allows Cockpit to manage remote systems, assuming only SSH access and that Python is installed on the remote host. Read on for more information on how this works and how to get started.
If you are not familiar with Cockpit, it is described on the project’s web site as a web-based graphical interface for servers. Cockpit is intended for everyone, especially those who are:
- new to Linux (including Windows admins)
- familiar with Linux and want an easy, graphical way to administer servers
- expert admins who mainly use other tools but want an overview on individual systems
You can easily and intuitively complete a variety of tasks from Cockpit. These including tasks such as:
- expanding the size of a filesystem
- creating a network bond
- modifying the firewall
- viewing log entries
- viewing real time and historical performance information
- managing Podman containers
- managing KVM virtual machines
and many additional tasks.
Objections to using Cockpit on systems
In the past, I’ve heard two main objections to using Cockpit on systems:
- I don’t want to run the Cockpit web server on my systems. Additional network services like this increase the attack surface. I don’t want to open another port in the firewall. I don’t want more HTTPS certificates in my environment to manage and maintain.
- I don’t want to install additional packages on my systems. I don’t even have access to install additional packages). The more packages installed, the larger my footprint is, and the more attack surface there is. For me to install additional packages in a production environment, I have to go through a change management process, etc. What a hassle!
Let’s address these one at a time. For the first concern, you have actually had several options for connecting to Cockpit over SSH, without running the Cockpit web server, for quite some time. These options include:
- The ability to set up a bastion host, which is a host that has the Cockpit web server running on it. You can then connect to Cockpit on the bastion host using a web browser. From the Cockpit login screen on the bastion host you can use the Connect to option to specify an alternate host to login to (refer to the LoginTo cockpit.conf configuration option). Another option is to authenticate to Cockpit on the bastion host, and use the Add new host option. In either case, the bastion Cockpit host will connect to these additional remote hosts over SSH (so only the bastion host in your environment needs to be running the Cockpit web server).
- You can use the Cockpit integration available with the upstream Foreman, or downstream Red Hat Satellite, to connect to Cockpit on systems in your environment over SSH.
- You can use the Cockpit Client Flatpak, which will connect to systems over SSH.
- You can use the cockpit/ws container image. This is a containerized version of the Cockpit web server that acts as a containerized bastion host
For more information on these options, refer to the Connecting to the RHEL web console, part 1: SSH access methods blog post. This blog post focuses on the downstream RHEL web console, however, the information also applies to the upstream Cockpit available in Fedora.
This brings me to the second concern, and the main focus of this article. This is the concern that I don’t want to install additional packages on the remote systems I am managing. While there are several options for using the web console without the Cockpit web server, all of these options previously had a prerequisite that the remote systems needed to have at least the cockpit-system package installed. For example, previously if you tried to use the Cockpit Client Flatpak to connect to a remote system that didn’t have Cockpit installed, you’d see an error message stating that the remote system doesn’t have cockpit-bridge installed.
The Cockpit team has replaced the previous Cockpit bridge (implemented using C) with a new bridge written in Python. For a technical overview of the function of the Cockpit bridge, and how the new Python bridge was implemented, refer to the recent Monty Python’s Flying Cockpit DevConf presentation by Allison Karlitskaya and Martin Pitt.
This new Python bridge overcomes the previous limitation requiring Cockpit to be installed on the remote hosts.
Using the Cockpit Client Flatpak
With the Cockpit Client Flatpak application installed on a workstation, we can connect to remote systems over SSH and manage them using Cockpit.
Installation
In the following example, I’m using a Fedora 38 workstation. Install the Cockpit Client Flatpak by simply opening the GNOME Software application and searching for Cockpit. Note that you’ll need to have Flathub enabled in GNOME Software.
Using the Cockpit Client
Once installed, you’ll see the following when opening the Cockpit Client:
You can type in a hostname or IP address that you would like to connect to. To authenticate as a user other than the user you are currently using, you can use the user@hostname syntax. A list of recent hosts that you’ve connected to will appear, if this is not the first time using the Cockpit Client. In that case, you can simply click on a host name to reconnect
If you have SSH key based authentication setup, you’ll be logged in to the remote host using the key based authentication. With out SSH keys setup, you’ll be prompted to authenticate with a password. In either case, if it is your first time connecting to the host over SSH, you’ll be prompted to accept the host key fingerprint.
As a special case, you can log into your currently running local session by connecting to localhost, without authentication.
Once connected, you’ll see the Cockpit Overview page:
Select the Terminal menu item in Cockpit to show that the remote system that I’m logged in to does not have any Cockpit packages installed:
Prerequisites for connecting to systems with Cockpit Client
There are several prerequisites for utilizing Cockpit Client to connect to a remote system. If you are familiar with managing remote hosts with Ansible, you’ll likely already be familiar with the prerequisites. They are the same:
- You must have connectivity to the remote system over SSH.
- You must have a valid user account on the remote system that you can authenticate with.
- If you need the ability to complete privileged operations in Cockpit, the user account on the remote system will need sudo privileges.
If you are connecting to a remote system that doesn’t have Cockpit installed, there are a couple of additional prerequisites:
- Python 3.6 or later must be installed on the remote host. This is not usually an issue, with some exceptions, such as Fedora CoreOS which does not include Python by default.
- An older version of Cockpit Client can not be used to connect to a newer operating system version. For example, if I installed Cockpit Client on my Fedora 38 workstation today and never updated it, it may not work properly to manage a Fedora 39 or Fedora 40 server in the future.
Frequently asked questions
Here are some frequently asked questions about this functionality:
Question: Cockpit is extendable via additional Applications. Which Cockpit applications are available if I use the Cockpit Client to connect to a remote system that doesn’t have Cockpit installed?
Answer: Currently, Cockpit Client includes
- cockpit-machines (virtual machine management)
- cockpit-podman (Podman container management)
- cockpit-ostree (used to manage rpm-ostree based systems)
- cockpit-storaged (storage management)
- cockpit-sosreport (for generating diagnostic reports)
- cockpit-selinux (for managing SELinux)
- cockpit-packagekit (for managing software updates)
- cockpit-networkmanager (network management)
- cockpit-kdump (kernel dump configuration)
The Cockpit team is looking for feedback on what Cockpit applications you’d like to see included in the Cockpit Client. Post a comment below with your feedback.
Question: I connected to a remote system that doesn’t have Cockpit installed, but I don’t see Virtual Machines or one of the other applications listed in the menu. I thought you just said these were included in the Cockpit Client Flatpak?
Answer: When you login to a remote system that doesn’t have Cockpit packages installed, you’ll only see the menu options for underlying functionality available on the remote system. For example, you’ll only see Virtual Machines in the Cockpit menu if the remote host has the libvirt-dbus package installed.
Question: Can Cockpit applications available in the Cockpit Client be used with locally installed Cockpit applications on the remote host? In other words, if I need a Cockpit application not included in the Cockpit Client, can I install just that single package on the remote host?
Answer: No, you cannot mix and match applications included in the Cockpit Client flatpak and those installed locally on the remote host. For a remote host that has the cockpit-bridge package installed, Cockpit Client will exclusively use the applications that are installed locally on the remote host. If the remote host does not have the cockpit-bridge package installed, Cockpit Client will exclusively use the applications bundled in the Cockpit Client Flatpak.
Question: Can I use Cockpit Client to connect to the local host?
Answer: Yes! Simply open Cockpit Client and type in localhost and you’ll be able to manage the local host. You don’t need to have any Cockpit packages installed on the local host if you use this method. You only need the Cockpit Client Flatpak.
Question: What Linux distributions can I connect to using the Cockpit Client?
Answer: Cockpit is compatible with a number of different Linux distributions. For more information, see the Running Cockpit page. If connecting to a remote system that doesn’t have Cockpit installed, keep in mind the previously mentioned requirements regarding not connecting to newer OS’s from an older Cockpit Client.
Question: Does the Cockpit team have any future plans regarding this functionality?
Answer: The Cockpit team is planning on adding the ability to connect to remote hosts without Cockpit packages installed to the cockpit-ws container image. See COCKPIT-954 ticket for more info.
Have more questions not covered here? Ask them in the comments section below!
Conclusion
The new Python bridge, and the corresponding ability to use the Cockpit Client to connect to remote systems without installing Cockpit, makes it incredibly easy to use Cockpit in almost any circumstance.
Try this out! It’s easy to do. Simply install the Cockpit Client Flatpak, and use it to connect to either your localhost or a remote system. Once you’ve tried it, let us know what you think in the comments below.
Dirk
Will there be a native RPM package for cockpit-client?
I do not use flatpak on any of my systems for various reasons so this would be nice to have as an RPM package.
Darvond
Same here. I’d no sooner use Flatpaks than I’d sooner use Gnome.
Martin Pitt
Cockpit has been available as native RPM (or deb) in Fedora, CentOS, RHEL, Debian, Ubuntu, and other Linux distros for a long time already. From the login screen you can directly log into a remote SSH host. However, if you run this from the RPMs, then the remote system must at least have cockpit-system installed, as the article says.
The “beam the bridge to the remote system” functionality is deliberately disabled in that scenario, due to some conceptual difficulties. We want, and may eventually, enable that, but there is no timeline at the moment.
Allison Karlitskaya
To clarify and extend on that Martin said, there are currently two reasons that we only provide this functionality as a Flatpak:
the way that Cockpit Client has been implemented involves (essentially) running a copy of the Cockpit webserver component listening on a TCP port locally and connecting to it from the web view inside of the client application. As noted in the article, it’s possible to login to remote servers using the SSH keys available in the user’s account, without further authentication. For this reason, we isolate the communication of the UI with the webserver inside of the network namespace created by Flatpak (and verify this isolation) to prevent other users on the same system from connecting. We then use Flatpak’s portals mechanism to escape the confinement when executing ssh, effectively running ssh on the host, allowing it to access the user’s credentials and the network. We’ve tried to find a better way to get WebKit to communicate with the webserver (a unix socket for example) but this isn’t currently possible on the WebKit side. It would also be possible to implement the namespace tricks (or something similar) using our own confinement and portal system, but we haven’t implemented it and don’t have plans to do so, going forward, because of the next point;
the article mentions “An older version of Cockpit Client can not be used to connect to a newer operating system version. For example, if I installed Cockpit Client on my Fedora 38 workstation today and never updated it, it may not work properly to manage a Fedora 39 or Fedora 40 server in the future.”. This might sound a bit arbitrary, but it’s a fairly serious concern for us and something that we’ve discussed extensively inside the team. System level APIs (such as those to manage containers and virtual machines) sometimes change in incompatible ways. We currently try to be compatible with the latest versions we know about and maintain backwards compatibility with older versions. We can’t know about future versions, but we can know that we are committed to tracking these changes in the future and releasing compatible new Cockpit versions. In order for that to work out, we need an application delivery mechanism that ensures that the user is always kept up to date with our latest release. We do push new Cockpit versions to the current Fedora release, but many distributions frown on this sort of “stable release update” and prefer to stay on older versions, which would break our assumptions about the user being kept up to date. We’ve discussed some mitigation ideas such as maintaining a list of known-compatible target system versions for each Cockpit release, but have so far dismissed these ideas. Note also that our future plans for expanding this functionality involve other delivery mechanisms that are easy to always keep up to date, such as containers.
Stephen Snow
Hello Brian,
Good article. I use cockpit on my system for managing my VM’s and containers. It is a very useful bit of software with some interesting reports available to the administer of a system.
Mike
The first thing I do after I have installed a new Fedora VM is install cockpit-navigator and then I enable root access in /etc/cockpit/disallowed-users.
I would like to suggest that this add-on is automatically installed. I would also like to suggest adding some additional functionality to this like the ability to unzip. Also the navigator box at the top only works for directories making it difficult to quickly go to a file and finally the selected file’s name is not displayed anywhere.
Martin Pitt
The current cockpit-navigator does not have the quality that our team is comfortable with for a default install. However, it is currently being improved in the ongoing Google Summer of Code project; after that, this will indeed be an excellent addition to the flatpak!
Zoltan
I think Cockpit UI should be the default UI for Gnome control Center. Much more detailed, visible, and combines everything that needs to have in details. Even software updates can be unified under the option, and could be followable on workstation installs too. Apps, Development (can be the jump point if I want to set my own git sync and my developed or under testing apps). I think it could fit nicely, and we can have a much better and detailed overall control system.
sten
will there be windows/mac releases of the client app? I know a handful of people who might benefit from that.
Martin Pitt
Flatpak is a Linux technology. For non-Linux clients like Win/Mac/Android, you need to run the Cockpit web server on some Linux machine or a cloud instance. We plan to enable this “remote bridge” and “bundled packages” feature for https://quay.io/repository/cockpit/ws/ soon (but the current version still requires cockpit-system to be installed on the target machine).
Renich Bon Ćirić
I just learned of the Cockpit Client and it seems pretty cool.
It would be good to have a “backup” app in cockpit. Something that made it easy either to snapshot or just tar.zst whichever files you require; with sensible defaults.
Ondrej Kolin
It’s not that hard to write an app for cockpit if you want to. It’s quite extensible – https://cockpit-project.org/blog/cockpit-starter-kit.html
Renich Bon Ćirić
Indeed. 🙂
M
I like cockpit. However, at work, we use systemd extensively but only as a non-root user on several servers. Last I checked, there was no way to use cockpit to manage services run by a non-root user. Has this changed? Can I manage services run by user “operational”, ie. those I can see by logging in by “operational@server” and running “systemctl –user” or “journalctl –user prefix_service”?