From a32ed785e042fc3b9030f8664f1feb1f582e98b6 Mon Sep 17 00:00:00 2001 From: Martin Pitt Date: Wed, 8 Jan 2020 17:34:50 +0100 Subject: [PATCH] More presentation --- cockpit-auth-anywhere.md | 8 ++++++-- demo.sh | 3 +++ 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/cockpit-auth-anywhere.md b/cockpit-auth-anywhere.md index 05298e2..b5a53c2 100644 --- a/cockpit-auth-anywhere.md +++ b/cockpit-auth-anywhere.md @@ -50,6 +50,7 @@ resize2fs /dev/vg0/data1 :::notes - Switch to Windows virt-viewer, open Edge, show Cockpit - Quit virt-viewer +- Move to local browser, enable mobile mode (Ctrl+Shift+M) - Zero configuration so far, other than possibly installing cockpit pkg and enabling cockpit.socket - In larger environments it's impractical to install cockpit server on hundreds of machines and using the login web page @@ -70,7 +71,7 @@ resize2fs /dev/vg0/data1 - all components in cockpit communicate to each other via a JSON protocol on standard pipes, usually stdio - this provides a lot of flexibility and extensibility, as we'll see shortly - ws roles: communicate with the browser for getting credentials: login page, krb negotiation, client cert -- ws: deliver HTML/js content, translate WebSocket to JSON protocol; runs as unprivileged system user +- ws: deliver HTML/js content, connects JSON protocol on the WebSocket to pipes to the other components; runs as unprivileged system user ::: # Anatomy: cockpit-session @@ -141,6 +142,8 @@ RequireHost=true - OAuth (Kubernetes) - Foreman: included cockpit-ws with dynamic configuration +TODO: foreman screenshot + :::notes - Cockpit supports common authentication systems out of the box - IdM is very common; if you have a krb ticket, you get a session immediately @@ -151,7 +154,8 @@ RequireHost=true machines - runs a single cockpit-ws process on its server, and dynamically configures it for selected target machine, seamless transition between Foreman and Cockpit -- not enough time to demo all of this +- not enough time to demo and explain all of this; just keep in mind that it's + possible ::: # Custom authentication example diff --git a/demo.sh b/demo.sh index b63f4d9..0ae8844 100755 --- a/demo.sh +++ b/demo.sh @@ -11,6 +11,9 @@ sudo systemctl stop cockpit echo '127.0.0.2 cockpit.dev' | sudo tee -a /etc/hosts +# FIXME: AVC avc: denied { name_connect } for pid=52827 comm="cockpit-ssh" dest=2209 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0 +sudo setenforce 0 + # LV resizing demo sudo modprobe scsi_debug dev_size_mb=512 # sanity check -- 2.39.5