EL7 Cockpit

Cockpit is a web-based system information and management tool for Linux. It is in the stock repositories for CentOS, and in rhel-7-server-extras-rpms for RHEL (obviously). It is rather simple to set up and configure, but a few less-than-obvious things need to be done for a fuller experience.


Installation is straightforward, with one caveat if you are NOT on SELinux. The assumption going forward is that you have root privileges.

Install packages

    sudo yum install cockpit cockpit-docker tuned

If you have SELinux disabled, you need to fix the cockpit systemd unit file: remove the SELinux portion of ExecStartPre.

    sudo vim /usr/lib/systemd/system/cockpit.service
    sudo systemctl daemon-reload

Let's enable some services

    sudo systemctl enable tuned
    sudo systemctl start tuned

    sudo systemctl enable cockpit.socket 
    sudo systemctl start cockpit

Set the tuned profile. Change the profile below to virtual-guest if you are in a VM. tuned-adm list will list the available profiles, and Red Hat's documentation has many more details.

    sudo tuned-adm profile throughput-performance

Fix the firewall

    sudo firewall-cmd --permanent --add-service=cockpit
    sudo firewall-cmd --reload


That's the basics down. We use tuned so we can get better performance out of the server. I personally recommend using tuned on ALL systems, but that is me. One nice thing that Cockpit can do is change the profile for you (there is a drop-down menu on the System tab).

Now here comes the part in which you have to think, rather than copy/paste. If you have no SSL certificate, Cockpit will generate and use a self-signed certificate. If you are like me, however, and use a certificate authority, you have to do a wee bit more work. From the SSL section of Cockpit's documentation page:

  • Cockpit will load a certificate from the /etc/cockpit/ws-certs.d directory. It will use the first file with a .cert extension in alphabetical order. The .cert file should contain at least two OpenSSL style PEM blocks. First one or more BEGIN CERTIFICATE blocks for the server certificate and the intermediate certificate authorities and a last one containing a BEGIN PRIVATE KEY or similar.

Make that .cert file. As a user, this was rather straightforward. Here is what I needed to do on my servers:

    cd /etc/cockpit/ws-certs.d
    sudo cat /etc/letsencrypt/live/ >> schotty.cert
    sudo cat /etc/letsencrypt/live/ >> schotty.cert
    sudo mv ~self-signed.cert ~self-signed.cert.2
    sudo systemctl restart cockpit

Now you should be able to cat that new cert file you just made and see something akin to what is on the documentation page. You should also be able to see that Cockpit is seeing and using your issued certificate:

    [ ~]# sudo remotectl certificate
    certificate: /etc/cockpit/ws-certs.d/schotty.cert
    [ ~]#

If you wish, you can set this up in a boot script that generates the .cert file. I personally have it in my SSL cert scripts to regenerate them whenever I get issued new keys. Here is a quick paste-up of a simple update script. It should be ready to run, but of course modify it to suit your own needs.

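    #!/bin/bash
    # Force root: re-run this script under sudo if needed
    [ "$(whoami)" = root ] || { sudo "$0" "$@"; exit $?; }

    # Set some variables
    FQDN=$(cat /etc/hostname)

    # Fixes cockpit to use the LetsEncrypt SSL cert
    cd /etc/cockpit/ws-certs.d || exit 1
    # Start the bundle with > so a re-run replaces the old certificate
    # instead of appending the new one after it
    cat /etc/letsencrypt/live/"$FQDN"/cert.pem > "$FQDN".cert
    cat /etc/letsencrypt/live/"$FQDN"/privkey.pem >> "$FQDN".cert
    systemctl restart cockpit
    cd ~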
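
As an added example (not part of the original post, and not Cockpit's own tooling), the check below verifies that a bundle has the layout the documentation quoted above describes, and flags both the state that repeated appends with >> leave behind and a bundle that is world-readable. The helper name check_cockpit_cert and the sample bundles are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. check_cockpit_cert is a
# hypothetical helper; it inspects PEM markers and file mode only, not key material.
check_cockpit_cert() {
    file=$1 rc=0
    [ -r "$file" ] || { echo "cannot read $file"; return 2; }
    # Layout per the Cockpit docs: certificate block(s) first, private key last.
    awk '
        /^-----BEGIN CERTIFICATE-----/ {
            if (keys) { print "certificate after private key (appended twice?)"; bad = 1 }
            certs++
        }
        /^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----/ { keys++ }
        END {
            if (!certs)    { print "no certificate block"; bad = 1 }
            if (keys != 1) { print "expected 1 private key block, found " (keys + 0); bad = 1 }
            exit bad + 0
        }' "$file" || rc=1
    # The bundle holds the private key, so it should not be world-readable.
    if [ -n "$(find "$file" -perm -004)" ]; then
        echo "world-readable: $file"; rc=1
    fi
    return $rc
}

# Constructed sample bundles (placeholder bodies, not real certificates or keys).
pem() { printf '%s\n' "-----BEGIN $1-----" AAAA "-----END $1-----"; }
demo=$(mktemp -d)
{ pem CERTIFICATE; pem CERTIFICATE; pem 'PRIVATE KEY'; } > "$demo/good.cert"
# What a second run of an appending (>>) update leaves behind:
{ cat "$demo/good.cert"; pem CERTIFICATE; pem 'PRIVATE KEY'; } > "$demo/stale.cert"
chmod 640 "$demo/good.cert" "$demo/stale.cert"

for f in "$demo"/*.cert; do
    if check_cockpit_cert "$f"; then echo "OK   $f"; else echo "FAIL $f"; fi
done
```
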