X-Git-Url: https://piware.de/gitweb/?p=talk-cockpit-auth-anywhere.git;a=blobdiff_plain;f=cockpit-auth-anywhere.md;h=3845cdedc961c592d4e32dc0464a765ceb6506ef;hp=8fed3aef7219d21d8e40bebbc45cbb09168ccc23;hb=2ae8623120e5eae4e3c63bf1f8ac55b7709a7886;hpb=13f8517201e472b204f7f8fb7084cbd53a8b3b07 diff --git a/cockpit-auth-anywhere.md b/cockpit-auth-anywhere.md index 8fed3ae..3845cde 100644 --- a/cockpit-auth-anywhere.md +++ b/cockpit-auth-anywhere.md @@ -6,7 +6,7 @@ email: mpitt@redhat.com date: DevConv.CZ 2020 theme: Singapore header-includes: - - \setbeameroption{show notes} + - \setbeameroption{hide notes} ... # Cockpit what? @@ -31,7 +31,7 @@ resize2fs /dev/vg0/data1 ``` :::notes -- for example, adding a new PV to an LV and resizing the file system you can spend some time coming up with these commands +- for example, adding a new PV to an LVM and resizing the file system you can spend some time coming up with these commands - lots of possibilities for screwing up - you can do it simply and safely with Cockpit like this → go to local browser - Storage page, vg0 in Devices (top right), + in Physical Volumes, add sdb2 
@@ -69,9 +69,10 @@ resize2fs /dev/vg0/data1 :::notes - for configuring, extending, and embedding Cockpit you need to coarsely understand the components of it - this: simplest structure, what I just showed you and what you will most probably see the first time you try it -- browser only speaks HTTP and WebSocket, so you always need a web server, cockpit-ws - all components in cockpit communicate to each other via a JSON protocol on standard pipes, usually stdio - this provides a lot of flexibility and extensibility, as we'll see shortly +- browsers and JS only speak HTTP and WebSocket, and can't directly talk to Linux system APIs +- so you always need a web server somewhere, cockpit-ws - ws roles: communicate with the browser for getting credentials: login page, krb negotiation, client cert - ws: deliver HTML/js content, connects JSON protocol on the WebSocket to pipes to the other components; runs as unprivileged system user ::: @@ -145,8 +146,6 @@ RequireHost=true - OAuth (external embedding) - Foreman: included cockpit-ws with dynamic configuration -TODO: foreman screenshot - :::notes - Cockpit supports common authentication systems out of the box - IdM is very common; if you have a krb ticket, you get a session immediately @@ -155,6 +154,7 @@ TODO: foreman screenshot present them to the web server; latest Cockpit versions supports that - Foreman has a "Web Console" button; interesting case for seamless transition between Foreman and Cockpit +- Show video - already has ssh to all maintained machines - runs a single cockpit-ws process on its server, and dynamically configures it for selected target machine @@ -180,6 +180,7 @@ TODO: foreman screenshot Linux session, it knows who I am - put the whole auth structure inside out and instead run cockpit-ws as my user inside my session +- open --local-session in shell - open localhost:9999 in firefox - alarm bells: exposes my session to a TCP port without any auth ::: 
@@ -204,13 +205,14 @@ TODO: foreman screenshot - suddenly you end up with a halfway decent desktop app - just the storage page, replacement for gnome-disks - cockpit-desktop podman +- cockpit-desktop is small shell script, feel free to inspect and bend to your will ::: # Conclusion - Authentication is very flexible - Works with zero configuration -- Can be arbitrarily embedded +- Can be arbitrarily embedded and customized :::notes - Cockpit provides a set of standard auth protocols that are being used in
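Review bot: In the first hunk (`@@ -6,7 +6,7 @@`), switching `\setbeameroption{show notes}` to `hide notes` in `header-includes` means the speaker version and the audience version of the deck now differ only by an edit to the source file, which invites accidentally publishing a build with the notes visible. Consider driving this from a pandoc variable or a second build target (e.g. a `notes` rule in the Makefile) instead of flipping the line by hand before each talk.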
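Review bot: In the second hunk (`@@ -31,7 +31,7 @@`), "adding a new PV to an LVM" is still not quite right: a physical volume is added to a volume group, not to "an LVM" (LVM is the subsystem). The same note later says "vg0 in Devices (top right), + in Physical Volumes", so "adding a new PV to a VG and resizing the file system" matches both the `resize2fs /dev/vg0/data1` context line and the demo steps.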
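Review bot: In the third hunk (`@@ -69,9 +69,10 @@`), the new lines "browsers and JS only speak HTTP and WebSocket, and can't directly talk to Linux system APIs" / "so you always need a web server somewhere, cockpit-ws" explain why ws exists but leave the security boundary implicit; the unchanged line "runs as unprivileged system user" is the point an audience should take away together with "getting credentials: login page, krb negotiation, client cert". Suggest adding one bullet stating that ws is the only component the browser ever reaches and that it handles credentials without itself having a privileged session, so the reordering of these notes reads as a trust-boundary description rather than just a list of roles.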
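Review bot: In the fifth hunk (`@@ -155,6 +154,7 @@`), the added note "- Show video" does not say which video or where it is stored, and the previous hunk just removed the "TODO: foreman screenshot" placeholder, so the notes no longer point at any concrete asset for the Foreman demo. Suggest naming the file (or a placeholder path such as `media/foreman-web-console.webm`) in the note so the pointer is not lost between the TODO removal and the talk.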
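Review bot: In the sixth hunk (`@@ -180,6 +180,7 @@`), "- open --local-session in shell" is incomplete: `--local-session` is an option, not a command, so the note should give the full invocation (which binary it belongs to and what it launches) for the step to be reproducible in the demo. Since the very next note is "alarm bells: exposes my session to a TCP port without any auth", it is also worth stating in the same note that `localhost:9999` must stay bound to loopback and that the process is stopped right after the demo, so the caveat is not only spoken but recorded.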
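Review bot: In the last hunk (`@@ -204,13 +205,14 @@`), the added note "cockpit-desktop is small shell script, feel free to inspect and bend to your will" is missing an article ("is a small shell script") and does not say where the script lives, which is the one thing an audience invited to inspect it needs; suggest "cockpit-desktop is a small shell script (see its path in the cockpit-ws package), feel free to inspect and bend to your will". The conclusion change to "Can be arbitrarily embedded and customized" is consistent with that note.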