From 19bb8ae1c7e1bc3ac047fd23c475d17dbca8e0b9 Mon Sep 17 00:00:00 2001 From: Martin Pitt Date: Tue, 7 Jan 2020 17:01:08 +0100 Subject: [PATCH] Add initial outline --- outline.md | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 outline.md diff --git a/outline.md b/outline.md new file mode 100644 index 0000000..9a265ff --- /dev/null +++ b/outline.md 
@@ -0,0 +1,68 @@ += Talk summary = + +Cockpit is primarily known as a graphical, browser-based, reactive, and non-intrusive interface for configuring and troubleshooting your servers. But it also makes these accessible from a lot more places like computers with Windows or mobile devices. You can log into Cockpit using classic passwords, single-sign on in an Identity Management domain, seamlessly from Foreman/Satellite, through SSH keys, or even a local smart card. This talk explains how all these standard Linux authentication schemas transcend through a web browser while keeping them trustworthy. It also shows briefly how you can write your own authentication plugin tailored to your environment. + += Outline = + +- Introduction + + Cockpit as graphical UI to interact with your server, complementing ssh + + Configure LVM or RAID once a year? Simpler and safer to do it like this + (Storage page demo) than this (shell commands below) → add PV, resize partition + sudo lvresize-prep.sh and lvresize-cleanup.sh + +```sh +pvcreate /dev/sdb2 +vgextend vg0 /dev/sdb2 +lvresize --extents '+100%FREE' vg0/data1 +resize2fs /dev/vg0/data1 +``` + + + Makes server accessible from a lot more places + + Integrates into authentication setups beyond simple user/password login page + +- Devices demo + + Win10 VM, Edge browser (./vm-run windows-10, [[https://10.0.2.2:9090]], preload that) + + Firefox mobile emulation ([[http://localhost:9090/storage]]) + + So far zero configuration except for enabling cockpit.socket + +- Anatomy of a Cockpit session + + ws-session.drawio + + ws: http+WebSocket on TCP ←→ cockpit JSON protocol (auth and session) on a pipe; + ask for/collect credentials (password, oauth token, krb negotiation, client + cert); unprivileged + + session/auth: use creds from ws to start a login session, connect pipe to + it; standard is cockpit-session (suid root helper) that starts PAM (password, krb) + but it doesn't have to be: ssh or custom plugins + + cockpit-bridge: 
session leader, role of bash; JSON protocol on stdio ←→ system + APIs (exec programs, call D-Bus, use files or sockets); runs as target user + +- Alternative session launcher: ssh + + ws and session do not need to run on the same machine + + ssh-session.drawio + + ssh key login with dashboard to older RHEL machine + + bastion-host.drawio + + bastion host (no ws on critical machines, don't trust cockpit-session, even to localhost) + config option to only use this mode, can be run from container + +- Alternative authentication: smart card + + most interesting mechanism as it's rather browser specific; moral equivalent of ssh with key + + demo + + cert-auth.png + +- Other auth setups: + + SSO with Identity Management + + OAuth (for Kubernetes/OpenShift integration) + +- Custom auth plugin + + TODO + += Unsorted = + +- foreman demo (custom auth plugin) https://www.youtube.com/watch?v=Ua3b79UG9JM 5:35 ~ 10s +- [ManageIQ](https://github.com/ManageIQ/manageiq/blob/master/lib/miq_cockpit.rb) + += Links = + + * [authentication protocol](https://github.com/cockpit-project/cockpit/blob/master/doc/authentication.md) + * [Authentication configuration](https://cockpit-project.org/guide/latest/authentication.html) + -- 2.39.2
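Review bot: the "Custom auth plugin" section is left as a bare "TODO", yet the talk summary at the top of the file promises the talk "also shows briefly how you can write your own authentication plugin tailored to your environment"; either drop that sentence from the summary or fill the section in, at minimum by moving the two items already parked under "= Unsorted =" (the Foreman demo and the ManageIQ `miq_cockpit.rb` link) there and pointing at the `doc/authentication.md` protocol link from "= Links =". Two smaller points in the same hunk: the summary's "how all these standard Linux authentication schemas transcend through a web browser" should read "schemes" and something like "carry over into a web browser"; and the `[[https://10.0.2.2:9090]]` / `[[http://localhost:9090/storage]]` double-bracket links in the "Devices demo" bullets are wiki syntax, not Markdown, so in an `outline.md` they will render as literal brackets (use `<https://10.0.2.2:9090>` or plain URLs like the YouTube link under "= Unsorted ="). Finally, since the bastion-host bullet argues for not trusting `cockpit-session` on critical machines, the "Alternative session launcher: ssh" section would be stronger if it said how the ws host establishes trust in the target machine (host key checking) before forwarding the user's credentials over that ssh connection.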