X-Git-Url: https://piware.de/gitweb/?p=talk-cockpit-auth-anywhere.git;a=blobdiff_plain;f=cockpit-auth-anywhere.md;h=68449a00c66c2a3d8a490dcb6584cd7dac65d147;hp=05298e25f34b64ec5032c15f1eaf66ea6e9ae0da;hb=HEAD;hpb=bd259fb46d536be10a3d15210676f7b122427fa7 diff --git a/cockpit-auth-anywhere.md b/cockpit-auth-anywhere.md index 05298e2..68449a0 100644 --- a/cockpit-auth-anywhere.md +++ b/cockpit-auth-anywhere.md @@ -6,8 +6,7 @@ email: mpitt@redhat.com date: DevConv.CZ 2020 theme: Singapore header-includes: - - \setbeameroption{show notes} - - \newcommand{\fullsizeimg}[1]{\makebox[\linewidth]{\includegraphics[width=\paperwidth]{#1}}} + - \setbeameroption{hide notes} ... # Cockpit what? @@ -18,8 +17,7 @@ header-includes: :::notes - Conceptually: Linux session running in a web browser; technically very similar to ssh/VT/GNOME login -- Aimed at admins who are new to Linux, e. g. coming from the Windows world and familiar with the concepts, but not Linux terminology -- but also to experienced ones for infrequent tasks; not just setup, but also investigating “what is wrong with this machine” +- Tool for experimenting, learning, troubleshooting, and doing infrequent tasks ::: @@ -33,7 +31,7 @@ resize2fs /dev/vg0/data1 ``` :::notes -- for example, adding a new PV to an LV and resizing the file system you can spend some time coming up with these commands +- for example, adding a new PV to an LVM and resizing the file system you can spend some time coming up with these commands - lots of possibilities for screwing up - you can do it simply and safely with Cockpit like this → go to local browser - Storage page, vg0 in Devices (top right), + in Physical Volumes, add sdb2 
@@ -48,11 +46,16 @@ resize2fs /dev/vg0/data1 - Zero configuration :::notes +- being web based makes this server UI available to places that you + traditionally don't reach with ssh - Switch to Windows virt-viewer, open Edge, show Cockpit - Quit virt-viewer +- Move to local browser, enable mobile mode (Ctrl+Shift+M) - Zero configuration so far, other than possibly installing cockpit pkg and enabling cockpit.socket +- But wait, you say -- want to admin that server over there, but not allowed to + open new port and system service? - In larger environments it's impractical to install cockpit server on hundreds - of machines and using the login web page + of machines and using the login web page; explain better solutions - Glimpse of how to customize how cockpit runs and how to authenticate to it ::: 
@@ -65,12 +68,13 @@ resize2fs /dev/vg0/data1 :::notes - for configuring, extending, and embedding Cockpit you need to coarsely understand the components of it -- this: simplest structure, what I just showed you and what you will most probably see the first time you try it -- browser only speaks HTTP and WebSocket, so you always need a web server, cockpit-ws +- this: default structure, what I just showed you and what you will most probably see the first time you try it - all components in cockpit communicate to each other via a JSON protocol on standard pipes, usually stdio - this provides a lot of flexibility and extensibility, as we'll see shortly -- ws roles: communicate with the browser for getting credentials: login page, krb negotiation, client cert -- ws: deliver HTML/js content, translate WebSocket to JSON protocol; runs as unprivileged system user +- browsers and JS only speak HTTP and WebSocket, and can't directly talk to Linux system APIs +- so you always need a web server somewhere, cockpit-ws +- ws purpose: communicate with the browser for getting credentials: login page, krb negotiation, client cert +- ws: deliver HTML/js content, connects JSON protocol on the WebSocket to pipes to the other components; runs as unprivileged system user ::: # Anatomy: cockpit-session @@ -81,8 +85,8 @@ resize2fs /dev/vg0/data1 - forward JSON pipe to session leader :::notes -- need some root helper to actually start session: use creds from ws to start PAM login session, connect pipe to it -- standard is cockpit-session: very small, auditable +- need some helper to actually start session: use creds from ws to start PAM login session, connect pipe to it +- standard is cockpit-session: very small, auditable suid root helper - but doesn't have to be, that's the flexible part ::: 
@@ -107,9 +111,8 @@ nothing Cockpit specific running outside of the user session :::notes - ws and the login session don't need to run on the same machine -- cockpit-session is meant to be customizable for your purposes -- most obvious replacement is to let ssh start a session; that already does the - PAM bits and forward its initial stdio to the session lead; it would just +- most obvious replacement of session helper is ssh; that already starts + sessions, does the PAM bits and forwards its initial stdio to the session lead; it would just launch cockpit-bridge instead of bash - browser: go to Dashboard, add cockpit.dev:2201 - interesting property: nothing Cockpit specific running in the system, no ws, @@ -132,13 +135,14 @@ RequireHost=true - can run in container - no ws on critical machines, don't trust cockpit-session - switch to browser; log out, use "connect to" for cockpit.dev:2201 +- finish the demo script, press Enter ::: # Other authentication setups - SSO/Kerberos in Identity Management domains - smart card/client certificate authentication -- OAuth (Kubernetes) +- OAuth (external embedding) - Foreman: included cockpit-ws with dynamic configuration :::notes 
@@ -147,16 +151,75 @@ RequireHost=true without the login page - browsers can ask for TLS client certificates, commonly with smart cards, and present them to the web server; latest Cockpit versions supports that -- Foreman has a "Web Console" button; already has ssh to all maintained - machines +- Foreman has a "Web Console" button; interesting case for seamless transition + between Foreman and Cockpit +- Show video +- already has ssh to all maintained machines - runs a single cockpit-ws process on its server, and dynamically configures it - for selected target machine, seamless transition between Foreman and Cockpit -- not enough time to demo all of this + for selected target machine +- custom cockpit session helper to do OAuth between Foreman session and + cockpit-ws, and wrap cockpit-ssh session starter +- not enough time to demo and explain all of this; just keep in mind that it's + possible ::: -# Custom authentication example +# Embedding into existing session + +![local-session-unsafe](local-session-unsafe.pdf){height=60%}\ + +\footnotesize \verb!cockpit-ws -p 9999 --no-tls --local-session=/usr/bin/cockpit-bridge! + +`firefox http://localhost:9999` + +:::notes +- what I do want to show: opposite direction; "replace cockpit-session" can + also mean "by nothing" +- due to common JSON protocol, we can connect ws directly to a cockpit-bridge +- take a step back: if I want to admin this very machine, it's in a running + Linux session, it knows who I am +- put the whole auth structure inside out and instead run cockpit-ws as my user + inside my session +- open --local-session in shell +- open localhost:9999 in firefox +- alarm bells: exposes my session to a TCP port without any auth +::: + + +# Embedding into existing session: once more with safety! + +![local-session-unsafe](local-session.pdf){height=60%}\ + +\footnotesize \verb! ! 
+ +`/usr/libexec/cockpit-desktop [page]` + +:::notes +- need to hide that port; put browser and cockpit-ws into network namespace, + then they live in a completely isolated world +- do some work to hide browser chrome, use webkit if available +- cockpit-desktop / +- wants to run priv bridge, can accept or decline +- decline, R/O view +- can show an individual iframe, "page" +- suddenly you end up with a halfway decent desktop app +- just the storage page, replacement for gnome-disks +- cockpit-desktop podman +- cockpit-desktop is small shell script, feel free to inspect and bend to your will +::: + +# Conclusion + +- Authentication is very flexible +- Works with zero configuration +- Can be arbitrarily embedded and customized + +:::notes +- Cockpit provides a set of standard auth protocols that are being used in + today's modern deployments +- Once you know about the structure, you can combine ssh, web servers, reverse + proxies, and custom auth helpers to embed Cockpit anywhere you want +::: -TODO # Q & A
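Review bot: removing the `\fullsizeimg` macro from `header-includes` will break the pandoc/beamer build if any slide in the rest of the file still uses `\fullsizeimg{...}`; none of the lines touched in this diff reference it, but grep the whole deck before dropping it. Switching to `\setbeameroption{hide notes}` is the right default for the distributed PDF, but since the speaker build needs `show notes`, a one-line YAML comment next to it saying to flip it for rehearsal would save the next editor a search.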
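Review bot: "adding a new PV to an LVM" is not more accurate than the old "to an LV"; a physical volume is added to a volume group, and the logical volume is grown afterwards. Suggest "adding a new PV to a VG, growing the LV and resizing the file system", which also matches the demo steps in the same note ("vg0 in Devices (top right), + in Physical Volumes, add sdb2") and the `resize2fs /dev/vg0/data1` command in the hunk header.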
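Review bot: the new "But wait, you say -- want to admin that server over there, but not allowed to open new port and system service?" bullet poses the question, and the next bullet only says "explain better solutions", which is a reminder with no content; the notes should name the answer that the following hunks demo (run cockpit-ws somewhere else and let ssh start the session on the target, so the target needs no open port and no cockpit service). Also "enable mobile mode (Ctrl+Shift+M)" is the Firefox responsive-design-mode shortcut, so say "in Firefox" there, since the slide just had Edge on the Windows VM and the two browsers' shortcuts differ.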
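Review bot: "runs as unprivileged system user" for ws and "very small, auditable suid root helper" for cockpit-session together describe the privilege boundary, which is the security-relevant point of these two slides, so state it in one sentence: cockpit-ws never holds root, the only setuid piece is cockpit-session, and its job is limited to running the PAM login and handing the pipe to the new session. The follow-up bullet "but doesn't have to be, that's the flexible part" should then say what any replacement still has to provide (start a PAM session as the authenticated user and connect its stdio), otherwise "flexible" reads as "anything goes".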
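Review bot: "most obvious replacement of session helper is ssh; that already starts sessions, does the PAM bits and forwards its initial stdio to the session lead; it would just launch cockpit-bridge instead of bash" is one long run-on across a line wrap; suggest "the most obvious replacement for the session helper is ssh: it already authenticates, runs the PAM session steps and forwards its stdio to the session leader, so it only has to launch cockpit-bridge instead of bash." Worth adding that this moves authentication policy for the target host entirely to sshd (keys, PAM, host configuration), which is exactly why "no ws on critical machines, don't trust cockpit-session" in the later hunk works.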
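Review bot: changing "OAuth (Kubernetes)" to "OAuth (external embedding)" removes the only concrete example on the "Other authentication setups" slide; since the Foreman bullet directly below is the OAuth case the notes actually explain ("custom cockpit session helper to do OAuth between Foreman session and cockpit-ws"), "OAuth (e.g. Foreman embedding)" would keep the slide self-explanatory. "finish the demo script, press Enter" is a speaker cue and fine in the notes.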
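Review bot: on the new "Embedding into existing session" slide the notes say "exposes my session to a TCP port without any auth" but not to whom: with `cockpit-ws -p 9999 --no-tls --local-session=/usr/bin/cockpit-bridge` any process that can reach that port, which includes every other local user and any other host if ws binds to all interfaces rather than loopback, can open it and drive a cockpit-bridge running with the speaker's uid; say that explicitly, and say which address it listens on, so the "once more with safety" network-namespace step has a stated threat it defends against. Two smaller points in the same hunk: the second slide's image alt text `local-session-unsafe` was copied from the first slide while it loads `local-session.pdf`, so rename it `local-session`; and the empty `\footnotesize \verb! !` line looks like a layout placeholder to keep the two slides aligned, which deserves a comment so nobody deletes it as a typo. Minor grammar in the unchanged context: "latest Cockpit versions supports that" should be "support".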