theme: Singapore
header-includes:
- \setbeameroption{show notes}
- - \newcommand{\fullsizeimg}[1]{\makebox[\linewidth]{\includegraphics[width=\paperwidth]{#1}}}
...
# Cockpit what?
:::notes
- Conceptually: Linux session running in a web browser; technically very similar to ssh/VT/GNOME login
-- Aimed at admins who are new to Linux, e. g. coming from the Windows world and familiar with the concepts, but not Linux terminology
-- but also to experienced ones for infrequent tasks; not just setup, but also investigating “what is wrong with this machine”
+- Tool for experimenting, learning, troubleshooting, and doing infrequent tasks
:::
- Zero configuration
:::notes
-- TODO: check out bots in "make deps", add ./vm-run windows-10 to prep.sh
+- being web based makes this server UI available to places that you
+ traditionally don't reach with ssh
- Switch to Windows virt-viewer, open Edge, show Cockpit
- Quit virt-viewer
+- Move to local browser, enable mobile mode (Ctrl+Shift+M)
- Zero configuration so far, other than possibly installing cockpit pkg and enabling cockpit.socket
+- But wait, you say -- want to admin that server over there, but not allowed to
+ open new port and system service?
- In larger environments it's impractical to install cockpit server on hundreds
- of machines and using the login web page
+ of machines and using the login web page; better solution: piggyback on ssh
- Glimpse of how to customize how cockpit runs and how to authenticate to it
:::
- all components in cockpit communicate to each other via a JSON protocol on standard pipes, usually stdio
- this provides a lot of flexibility and extensibility, as we'll see shortly
- ws roles: communicate with the browser for getting credentials: login page, krb negotiation, client cert
-- ws: deliver HTML/js content, translate WebSocket to JSON protocol; runs as unprivileged system user
+- ws: deliver HTML/js content, connects JSON protocol on the WebSocket to pipes to the other components; runs as unprivileged system user
:::
# Anatomy: cockpit-session
nothing Cockpit specific running outside of the user session
:::notes
-- TODO: start rhel7 VM in prep.sh, set hostname
- ws and the login session don't need to run on the same machine
- cockpit-session is meant to be customizable for your purposes
- most obvious replacement is to let ssh start a session; that already does the
- can run in container
- no ws on critical machines, don't trust cockpit-session
- switch to browser; log out, use "connect to" for cockpit.dev:2201
+- finish the demo script, press Enter
:::
# Other authentication setups
- SSO/Kerberos in Identity Management domains
- smart card/client certificate authentication
-- OAuth (Kubernetes)
+- OAuth (external embedding)
- Foreman: included cockpit-ws with dynamic configuration
+TODO: foreman screenshot
+
:::notes
- Cockpit supports common authentication systems out of the box
- IdM is very common; if you have a krb ticket, you get a session immediately
without the login page
- browsers can ask for TLS client certificates, commonly with smart cards, and
present them to the web server; latest Cockpit versions supports that
-- Foreman has a "Web Console" button; already has ssh to all maintained
- machines
+- Foreman has a "Web Console" button; interesting case for seamless transition
+ between Foreman and Cockpit
+- already has ssh to all maintained machines
- runs a single cockpit-ws process on its server, and dynamically configures it
- for selected target machine, seamless transition between Foreman and Cockpit
-- not enough time to demo all of this
+ for selected target machine
+- custom cockpit session helper to do OAuth between Foreman session and
+ cockpit-ws, and wrap cockpit-ssh session starter
+- not enough time to demo and explain all of this; just keep in mind that it's
+ possible
+:::
+
+# Embedding into existing session
+
+{height=60%}\
+
+\footnotesize \verb!cockpit-ws -p 9999 --no-tls --local-session=/usr/bin/cockpit-bridge!
+
+`firefox http://localhost:9999`
+
+:::notes
+- what I do want to show: opposite direction; "replace cockpit-session" can
+ also mean "by nothing"
+- due to common JSON protocol, we can connect ws directly to a cockpit-bridge
+- take a step back: if I want to admin this very machine, it's in a running
+ Linux session, it knows who I am
+- put the whole auth structure inside out and instead run cockpit-ws as my user
+ inside my session
+- open localhost:9999 in firefox
+- alarm bells: exposes my session to a TCP port without any auth
+:::
+
+
+# Embedding into existing session: once more with safety!
+
+{height=60%}\
+
+\footnotesize \verb! !
+
+`/usr/libexec/cockpit-desktop [page]`
+
+:::notes
+- need to hide that port; put browser and cockpit-ws into network namespace,
+ then they live in a completely isolated world
+- do some work to hide browser chrome, use webkit if available
+- cockpit-desktop /
+- wants to run priv bridge, can accept or decline
+- decline, R/O view
+- can show an individual iframe, "page"
+- suddenly you end up with a halfway decent desktop app
+- just the storage page, replacement for gnome-disks
+- cockpit-desktop podman
:::
-# Custom authentication example
+# Conclusion
+
+- Authentication is very flexible
+- Works with zero configuration
+- Can be arbitrarily embedded
+
+:::notes
+- Cockpit provides a set of standard auth protocols that are being used in
+ today's modern deployments
+- Once you know about the structure, you can combine ssh, web servers, reverse
+ proxies, and custom auth helpers to embed Cockpit anywhere you want
+:::
-TODO
# Q & A
projects / talk-cockpit-auth-anywhere.git / blobdiff