Foreman Cockpit integration - first release!

Hi Foreman users,

foreman_cockpit https://github.com/theforeman/foreman_cockpit is a
plugin to get access to Cockpit in case you have it enabled on your
hosts.

See a demo here:
https://camo.githubusercontent.com/dd327f958993d60ecefbe4e1fc26bc45ad63cf9c/687474703a2f2f692e696d6775722e636f6d2f527a64735239622e676966

We presented it at the Community demo yesterday:
https://youtu.be/yTVgnIcWBYg?t=49s

It is extremely simple to use, just install it and it will auto
recognize which of your hosts use Cockpit.
See installation details on the README. It is compatible with all Foreman
versions after 1.7. Older versions are probably compatible too, you can
try installing from source or gem, it's just there are no packages for
them.

In case you don't know what Cockpit is, see http://cockpit-project.org/.
The project is zero-footprint and it remains off until a connection to
it is requested. I highly recommend it as a way to get more info about
your hosts through Foreman.

Let me know if you have problems, you want more features, or anything
else. Thank you!

--
Daniel Lobato Garcia

@dLobatog
blog.daniellobato.me
daniellobato.me

GPG: http://keys.gnupg.net/pks/lookup?op=get&search=0x7A92D6DD38D6DE30
Keybase: https://keybase.io/elobato

Hi Daniel,

below my first inputs on a Katello 2.3.1/Foreman 1.9.2 Setup, I'm now
stuck with issue #3, see below:

Problem1: TCP 9090 Issue for local host "katello" inside the Hosts
Overview

Root Cause:
Katello is using already Port 9090 for the Proxy, so it will fail now as
foreman_cockpit tries to access this port as well (Errno::ECONNRESET:
Connection reset by peer, Completed 404 Not Found)

Workaround for Katello:
change under /etc/foreman-proxy/settings.yml the Proxy Port from 9090 to
9000 and update url in gui (8443 like on Foreman can not be used because
its port is used already by Candlepin on Katello, if I'm correct)

Problem2: Dependency Issue for Cockpit Install on CentOS-7 Client
Root Cause:
"Package: cockpit-storaged-0.71-1.el7.x86_64 => Requires: storaged >= 2.1.1"

Workaround:
install Repo from https://copr.fedoraproject.org/coprs/phatina/storaged/repo/epel-7/phatina-storaged-epel-7.repo

Problem3: Certificate Issue by accessing Cockpit GUI for Remote client
Root Cause:
Cockpit generates a self signed certificate with "CN = localhost", when
clicking on Foreman now on the Cockpit Button for a remote host it shows
the expected warning about self signed certificate, however you cannot
trust the self signed certificate there…

Workaround with "--no-tls" does not work, Result => "cockpit-protocol-Message:
received invalid HTTP request line", any ideas how to fix this issue ???

br,
Christian

This is great. I'd really like to work with you to take this to the next
step. I've outlined some possibilities here:

https://trello.com/c/YbCrUHtA/180-embedding-foreman-and-or-satellite

In particular, would it make sense to run cockpit-ws very close to Foreman.
And then have Foreman do TLS, pre-authenticate and proxy HTTP requests,
including WebSocket requests to the cockpit-ws running next to Foreman? We
have the capability for a single cockpit-ws instance to connect to multiple
hosts. There are probably a few changes necessary to make this work, but
I'm interested if you think it's a viable solution.

There are much more complex alternatives, including proxying the cockpit
protocol stream
<http://stef.thewalter.net/protocol-for-web-access-to-system-apis.html> …
But I think we should look at the simpler solution first.

Stef


Hi guys,

Though I'm not very familiar with cockpit yet, I know this is a great move
to get more host information and capabilities into Katello.
I'm going to get hands on this plugin by Q1 2016.
Regards


Hi all,

workaround for problem#3:
you can accept the certificate by right-click on the browser iframe ->
"This Frame" => "Show Only This Frame or Open Frame" or "View Frame
Source", then you will be able to add the exception.

br,
Christian

> Hi Daniel,
>
> below my first inputs on a Katello 2.3.1/Foreman 1.9.2 Setup, I'm now
> stuck with issue #3, see below:
>
> Problem1: TCP 9090 Issue for local host "katello" inside the Hosts
> Overview

> Root Cause:
> Katello is using already Port 9090 for the Proxy, so it will fail now as
> foreman_cockpit tries to access this port as well (Errno::ECONNRESET:
> Connection reset by peer, Completed 404 Not Found)
>
> Workaround for Katello:
> change under /etc/foreman-proxy/settings.yml the Proxy Port from 9090 to
> 9000 and update url in gui (8443 like on Foreman can not be used because
> its port is used already by Candlepin on Katello, if I'm correct)

We're aware of this and there's a thread of foreman-dev about reworking
where Katello puts all these things. You're exactly right about
candlepin being the reason.

>
> Problem2: Dependency Issue for Cockpit Install on CentOS-7 Client
> Root Cause:
> "Package: cockpit-storaged-0.71-1.el7.x86_64 => Requires: storaged >= 2.1.1"
>
> Workaround:
> install Repo from https://copr.fedoraproject.org/coprs/phatina/storaged/repo/epel-7/phatina-storaged-epel-7.repo
>
>
> Problem3: Certificate Issue by accessing Cockpit GUI for Remote client
> Root Cause:
> Cockpit generates a self signed certificate with "CN = localhost", when
> clicking on Foreman now on the Cockpit Button for a remote host it shows
> the expected warning about self signed certificate, however you cannot
> trust the self signed certificate there…
>
> Workaround with "--no-tls" does not work, Result => "cockpit-protocol-Message:
> received invalid HTTP request line", any ideas how to fix this issue ???

Visiting the URL outside of Foreman to accept the certificate
(on https://cockpit-host:9090/) worked for me.

On Fri, Oct 30, 2015 at 01:29:57PM -0700, ehartchr@gmail.com wrote:

br,
Christian


You received this message because you are subscribed to the Google Groups “Foreman users” group.
To unsubscribe from this group and stop receiving emails from it, send an email to foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.


Best Regards,

Stephen Benjamin
Red Hat Engineering
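
The two separate browser complaints behind Problem 3 (self-signed issuer, and a name that is only "localhost"), reproduced offline as an added example that is not part of the original thread. The function names are hypothetical, the certificate is a constructed throwaway, and `cockpit-host` stands in for a remote host's name.

```shell
#!/usr/bin/env bash
# Added example: diagnose a Cockpit-style certificate without touching the network.

# Build a throwaway self-signed cert whose only name is CN=localhost,
# mirroring the auto-generated certificate described in Problem 3.
make_localhost_cert() {   # $1 = output directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=localhost" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Succeeds when issuer and subject are identical, i.e. no CA vouches for it.
is_self_signed() {        # $1 = cert file
    local subj iss
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ "$subj" = "$iss" ]
}

# Succeeds when the cert is valid for the hostname the browser used.
cert_matches_host() {     # $1 = cert file, $2 = hostname
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null \
        | grep -q "does match certificate"
}

# Print both findings, e.g. "self-signed name-mismatch".
diagnose() {              # $1 = cert file, $2 = hostname
    local trust=issued-by-other name=name-mismatch
    is_self_signed "$1" && trust=self-signed
    cert_matches_host "$1" "$2" && name=name-ok
    echo "$trust $name"
}

tmp=$(mktemp -d)
make_localhost_cert "$tmp"
diagnose "$tmp/cert.pem" localhost      # name used on the host itself
diagnose "$tmp/cert.pem" cockpit-host   # name used from Foreman's iframe
```

Accepting a browser exception suppresses both findings for that one browser; only a certificate issued for the host's real name removes the mismatch.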

> This is great. I'd really like to work with you to take this to the next
> step. I've outlined some possibilities here:
>
> https://trello.com/c/YbCrUHtA/180-embedding-foreman-and-or-satellite
>
> In particular, would it make sense to run cockpit-ws very close to Foreman.
> And then have Foreman do TLS, pre-authenticate and proxy HTTP requests,
> including WebSocket requests to the cockpit-ws running next to Foreman?

If I run cockpit-ws on Foreman or the smart-proxy, how could I route
requests from the User to cockpit and vice versa through Foreman?

I don't quite follow the GSSAPI part either, it requires setting up
Kerberos on Foreman & Cockpit so that somehow we can auto authenticate?
I'd prefer to wait and see if this gains popularity before getting
involved with this kind of complexities.

I imagine this scenario is interesting for users that don't have direct
access to the Cockpit interfaces on their hosts but they have access to
Foreman. Is there any other use case you're thinking of?

>
> We have the capability for a single cockpit-ws instance to connect to multiple
> hosts. There are probably a few changes necessary to make this work, but
> I'm interested if you think it's a viable solution.
>
> There are much more complex alternatives, including proxying the cockpit
> protocol stream
> <http://stef.thewalter.net/protocol-for-web-access-to-system-apis.html> …
> But I think we should look at the simpler solution first.

That'd be actually awesome and it was what I was looking for at the
beginning, but found it a bit too much to start with. It'd enable live
editing of hosts on Foreman. Since we can already proxy the Cockpit
components that's a valid solution and easier to maintain… on our end
at least.

On 11/03, Stef Walter wrote:

Stef

Daniel Lobato Garcia

@dLobatog
blog.daniellobato.me
daniellobato.me

GPG: http://keys.gnupg.net/pks/lookup?op=get&search=0x7A92D6DD38D6DE30
Keybase: https://keybase.io/elobato