Add section about desktop session embedding
authorMartin Pitt <martin@piware.de>
Thu, 16 Jan 2020 15:33:29 +0000 (16:33 +0100)
committerMartin Pitt <martin@piware.de>
Thu, 16 Jan 2020 15:36:04 +0000 (16:36 +0100)
cockpit-auth-anywhere.md
local-session-unsafe.drawio [new file with mode: 0644]
local-session-unsafe.pdf [new file with mode: 0644]
local-session.drawio [new file with mode: 0644]
local-session.pdf [new file with mode: 0644]

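--- a/cockpit-auth-anywhere.md
+++ b/cockpit-auth-anywhere.md
@@ -7,7 +7,6 @@ date: DevConv.CZ 2020
 theme: Singapore
 header-includes:
  - \setbeameroption{show notes}
- - \newcommand{\fullsizeimg}[1]{\makebox[\linewidth]{\includegraphics[width=\paperwidth]{#1}}}
 ...
 
 # Cockpit what?
@@ -52,8 +51,10 @@ resize2fs /dev/vg0/data1
 - Quit virt-viewer
 - Move to local browser, enable mobile mode (Ctrl+Shift+M)
 - Zero configuration so far, other than possibly installing cockpit pkg and enabling cockpit.socket
+- But wait, you say -- want to admin that server over there, but not allowed to
+  open new port and system service?
 - In larger environments it's impractical to install cockpit server on hundreds
-  of machines and using the login web page
+  of machines and using the login web page; better solution: piggyback on ssh
 - Glimpse of how to customize how cockpit runs and how to authenticate to it
 :::
 
@@ -139,7 +140,7 @@ RequireHost=true
 
 - SSO/Kerberos in Identity Management domains
 - smart card/client certificate authentication
-- OAuth (Kubernetes)
+- OAuth (external embedding)
 - Foreman: included cockpit-ws with dynamic configuration
 
 TODO: foreman screenshot
@@ -150,17 +151,72 @@ TODO: foreman screenshot
   without the login page
 - browsers can ask for TLS client certificates, commonly with smart cards, and
   present them to the web server; latest Cockpit versions supports that
-- Foreman has a "Web Console" button; already has ssh to all maintained
-  machines
+- Foreman has a "Web Console" button; interesting case for seamless transition
+  between Foreman and Cockpit
+- already has ssh to all maintained machines
 - runs a single cockpit-ws process on its server, and dynamically configures it
-  for selected target machine, seamless transition between Foreman and Cockpit
+  for selected target machine
+- custom cockpit session helper to do OAuth between Foreman session and
+  cockpit-ws, and wrap cockpit-ssh session starter
 - not enough time to demo and explain all of this; just keep in mind that it's
   possible
 :::
 
-# Custom authentication example
+# Embedding into existing session
+
+![local-session-unsafe](local-session-unsafe.pdf){height=60%}\ 
+
+\footnotesize \verb!cockpit-ws -p 9999 --no-tls --local-session=/usr/bin/cockpit-bridge!
+
+`firefox http://localhost:9999`
+
+:::notes
+- what I do want to show: opposite direction; "replace cockpit-session" can
+  also mean "by nothing"
+- due to common JSON protocol, we can connect ws directly to a cockpit-bridge
+- take a step back: if I want to admin this very machine, it's in a running
+  Linux session, it knows who I am
+- put the whole auth structure inside out and instead run cockpit-ws as my user
+  inside my session
+- open localhost:9999 in firefox
+- alarm bells: exposes my session to a TCP port without any auth
+:::
+
+
+# Embedding into existing session: once more with safety!
+
+![local-session-unsafe](local-session.pdf){height=60%}\ 
+
+\footnotesize \verb! !
+
+`/usr/libexec/cockpit-desktop [page]`
+
+:::notes
+- need to hide that port; put browser and cockpit-ws into network namespace,
+  then they live in a completely isolated world
+- do some work to hide browser chrome, use webkit if available
+- cockpit-desktop /
+- wants to run priv bridge, can accept or decline
+- decline, R/O view
+- can show an individual iframe, "page"
+- suddenly you end up with a halfway decent desktop app
+- just the storage page, replacement for gnome-disks
+- cockpit-desktop podman
+:::
+
+# Conclusion
+
+- Authentication is very flexible
+- Works with zero configuration
+- Can be arbitrarily embedded
+
+:::notes
+- Cockpit provides a set of standard auth protocols that are being used in
+  today's modern deployments
+- Once you know about the structure, you can combine ssh, web servers, reverse
+  proxies, and custom auth helpers to embed Cockpit anywhere you want
+:::
 
-TODO
 
 # Q & A
 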
diff --git a/local-session-unsafe.drawio b/local-session-unsafe.drawio
new file mode 100644 (file)
index 0000000..2aabb57
--- /dev/null
@@ -0,0 +1 @@
+<mxfile host="www.draw.io" modified="2020-01-16T14:53:11.296Z" agent="Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0" etag="W_WxOFuKHNQF8omIlyeB" version="12.5.5" type="device"><diagram id="WpU2nV0nbisVXbfxBrzP" name="Page-1">zVhdc9o4FP01POLBlm3MY4A0O+2y25lkupu+ZIwtjBrZ8soimP76Xtnyh2wnkCx0mMwQ3aPvc44uEiO0iPM77qfbFQsxHVmTMB+h5ciybBPBpwQOJWAi0y6RiJNQYQ1wT35iBU4UuiMhzrSGgjEqSKqDAUsSHAgN8zlne73ZhlF91tSPcA+4D3zaR/8hodiWqOdMGvwPTKJtNbM5UTWxXzVWQLb1Q7ZvQeh2hBacMVGW4nyBqSSv4qXs9+mV2nphHCfilA5fPofOlx/503xBPLFyHlLr+/exGuXFpzu1YbVYcagY4GyXhFgOYo7QfL8lAt+nfiBr96A5YFsRU1XdX1Q1A+YC5y1ILfIOsxgLfoAmVS1ShCnLjGcq3jf8I09h2xb3qKLeV5pH9dgNLVBQzAyztDRXiE1/fuPOQ7TcP05Wq8fkFJb8LC3ttyG5JGueYk5gdswBgynAr/hrA7U58ymJEigHwFlRVztlAkHoZ9uCfRlkQDxJogcGtC8RACQu/Fv9X5I4gh1SsoZPPxDkBT+FhMPKmKThE/VTwdKngBKYy8heojNJNnV0yby+ZLbTV8w5g2CDtrYGBHOpkHSSFyhGoth4Ca0r4E+S7HLotsTZM9AkBcZZRlhStYS1rLu9AdPG7PgCGBS63Jng7BkvGGXSGglLpH4bQmkH6tlC6kEgM92oipiEoZxm8Ew2p1b6ZsMSoXKr6ZxH8zqvvaG5ORs8phcSHb0t+qQiFND/djLrzineiCaqNLz76+/V7WvyfmRAwzB+m1uKFVybV3r5wep7ZTqQH2aXsop9JqsELHhOiRiv4e4C+fe4Z0ooft5kJzdejue7TN5wfEpP79Xy3Jr/9px1nS709IxVX9XaGWsykLHci90rnFd9KPevqVJZT1aMs4KZG2hgOmne9+VcXnwxb+ldjnfVX1JnkBiZrmF6HZX7IltTw0V9na2L6eweyTfvlvndGWr/auq4wsN/DifY+mEfeEQMvSHMmYG8S7nAO/6MwEl4I1+t8khRHy6fga4FEMIP/0qaDKcKHxVrRbDMtehQRTkRrW4QPVYjQrnpJIPDMRUytuMBPiGvCZ9HWJxwMHCovcL7qrZkcwZkqzCOqS8fPdpyh4RUM3xlpEizlWmmtmaa7vuk3Ljq1H5qd8YxkWfM7ClyPRvyj2O5rjasbYEM4Mj6T5+lZK03S+G5mpKP333ME16zx2zY/Xau7dUyV2O1YXvVVjbfY+T/YUq3b8q3LodX4klzqiey3m3kVFOizoPNsjsDfdh3EDY/Y5XNmx8D0e0v</diagram></mxfile>
\ No newline at end of file
diff --git a/local-session-unsafe.pdf b/local-session-unsafe.pdf
new file mode 100644 (file)
index 0000000..c456b9f
Binary files /dev/null and b/local-session-unsafe.pdf differ
diff --git a/local-session.drawio b/local-session.drawio
new file mode 100644 (file)
index 0000000..2a6a1de
--- /dev/null
@@ -0,0 +1 @@
+<mxfile host="www.draw.io" modified="2020-01-16T14:52:24.397Z" agent="Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0" etag="Fv8vwQXVR8F4kbz22hXh" version="12.5.5" type="device"><diagram id="WpU2nV0nbisVXbfxBrzP" name="Page-1">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</diagram></mxfile>
\ No newline at end of file
diff --git a/local-session.pdf b/local-session.pdf
new file mode 100644 (file)
index 0000000..c3f29f8
Binary files /dev/null and b/local-session.pdf differ