Administering SUSE Linux Micro Using Cockpit
- WHAT?
From basic system overview, over storage management to keeping your system up to date, Cockpit enables you to perform a number of administration tasks in a convenient way.
- WHY?
This article is intended to provide a complete overview of tasks that can be performed from the Cockpit Web interface.
- EFFORT
What's the effort one has to put in?
- GOAL
You will be able to administer your system using Cockpit;.
- REQUIREMENTS
To fully administer the system using Cockpit, you must have
root
access orsudo
privileges.
1 About Cockpit #
Cockpit is a Web-based graphical interface that enables you to manage most administration tasks from one place. You do not need to create credentials for Cockpit as, by default, Cockpit uses the same credentials that you use to log in to your server. Cockpit uses APIs that already exist on the system without adding a layer to the system.
Cockpit enables you to perform the following tasks:
download container images and run containers
update the server
inspect and change network settings
manage user accounts
view system logs
inspect and interact with
systemd
servicesuse a terminal on a remote server in your web browser
2 Installing Cockpit #
2.1 Introduction #
Cockpit is included in the delivered pre-built images of the default
type. In the base
type of pre-built images, Cockpit is not installed, so
you have to install it as described in Section 2.3, “Installing Cockpit”.
2.2 Cockpit plug-ins #
In the default
type of images, Cockpit contains a full
set of plug-ins. However, depending on technologies installed on your
system, some plug-ins may not be visible to you. For example,
if NFS is not present, the corresponding NFS panel is not visible.
2.3 Installing Cockpit #
If Cockpit is not present on your system, you can install it by following the procedure below:
Run the following command to install the Cockpit pattern:
#
transactional-update pkg install -t pattern cockpit
Reboot your machine to switch to the latest snapshot.
If the Cockpit instance is intended to serve as a primary one, you need to enable the Cockpit socket in
systemd
by running:#
systemctl enable --now cockpit.socketAfter running the command, the server exposes the default 9090 port and
systemd
starts thecockpit-ws
service that listens on the 9090 port.In case you have enabled the firewall, proceed as follows:
Open the firewall for Cockpit
#
firewall-cmd --permanent --zone=public --add-service=cockpitReload the firewall configuration by running:
#
firewall-cmd --reload
Now you can access the Cockpit Web interface by opening the following address in your Web browser:
https://IP_ADDRESS_OF_MACHINE:9090
3 Accessing Cockpit #
Cockpit enables you to log in directly to each machine that can expose the
9090 port. This machine is sometimes referred to as the primary server. It
is the primary server that runs the cockpit-ws
through
which connections to additional servers are established. By default, Cockpit listens for both
HTTP and HTTPS connections. However, most of the HTTP connections are redirected to HTTPS,
with exceptions like local host access.
If the port cannot be accessed on the particular machine, you can still use Cockpit to administer the machine by using it as a secondary server. For a procedure of adding a server as secondary, refer to Procedure 2, “Adding a server as secondary”.
The number of secondary servers that you can administer from one primary server is limited to 20. If you need to administer more servers, add other primary servers or use another tool for cluster administration.
3.1 TLS certificates #
By default, Cockpit loads .cert
or .crt
certificates from the directory
/etc/cockpit/ws-certs.d
. The corresponding private key must be a
separate file with the
same file name but with the .key
suffix. Make sure the key is not encrypted.
If no certificate is found in the directory, Cockpit generates a self-signed
certificate (0-self-signed.cert
) to establish a secure
connection.
To check which certificate Cockpit uses, run the command:
>
sudo
/usr/libexec/cockpit-certificate-ensure --check
3.2 Authentication #
You do not need separate credentials to log in to Cockpit. Use
the same credentials that you use to log in to SUSE Linux Micro. However,
on new installations, login using root
is not allowed by default. Either enable
root
login with a password as described in Section 3.2.2, “Enabling root
to log in using password”, or
create an unprivileged user to access Cockpit. On instances upgraded from a previous
release, root
login is still allowed.
In all cases, we recommend enhancing the security by adding 2FA as described in Section 3.2.1, “Enabling 2FA authorization”.
Non-privileged users log in to Cockpit with limited access. To perform
administrative tasks, click root
password.
3.2.1 Enabling 2FA authorization #
To set up 2FA on SUSE Linux Micro, you need an available TOTP application of your choice. Then run a command to configure the authorization. The following sections provide details on how to proceed with the configuration of 2FA and also give instructions in situations when your 2FA fails.
3.2.1.1 Applications providing TOTP 2FA #
The following applications providing 2FA are supported on SUSE Linux Micro.
- Using cloud storage
PSONO - available for Firefox, Chrome, Docker, iOS, Android
Google Authenticator - available on Android, iOS and Wear OS
Okta Verify - available on Android, iOS, macOS and Windows
- Using only local storage
Yubico Authenticator - with a hardware key
KeePassXC - available on Linux desktops, Windows and macOS
KeePassDX - available on Android
FreeOTP Plus - for Android
FreeOTP - for iOS
3.2.1.2 Setting up 2FA #
Each user can configure their own 2FA, or root
can configure it
for any regular user on the system. To set up 2FA for a user from a
running system, proceed as follows.
Run the command:
>
sudo
/sbin/jeos-config otp
Scan the code to any TOTP application mentioned above.
Confirm the process by entering an OTP code.
3.2.1.3 Recovering access #
Setting up 2FA is optional. However, once set, the second factor is mandatory to log in to Cockpit. If the second factor becomes unavailable, you can change it or disable it. Even without the second factor, you can still log in to the machine using SSH or directly from a console. After login, you can use the following two options:
- Change the second factor
Run the command either as
root
or with your user name usingsudo
:>
sudo
/sbin/jeos-config otp- Disable the 2FA
Remove the file
.pam_oath_usersfile
from the affected user home directory.
3.2.2 Enabling root
to log in using password #
root
login with password is not secure
We strongly discourage you from enabling root
login with
password for security reasons.
In new SUSE Linux Micro installations, root
login using password is disabled by default
due to security reasons. To allow root
login with password, proceed as follows:
Open the
/etc/cockpit/disallowed-users
file.Remove
root
from the file.
3.3 Logging in to the primary server directly #
Whenever you have a direct network access to the 9090 port, you can directly log in to the server using your credentials. To do so, follow the Procedure 1, “Logging in to the primary server”.
By default, the access is controlled by a Cockpit-specific PAM stack
located at /usr/lib/pam.d/cockpit
. The default
configuration allows logging in with the same user names and passwords
that are used for any local account on the system.
Go to the Cockpit login page by opening the following address in a browser:
https://IP_ADDRESS_OF_MACHINE:9090
Enter the credentials.
3.4 Logging in to secondary servers #
If your machine does not have a direct access to the 9090 port, you can use this machine as a secondary server. Bear in mind that the machine needs to have Cockpit installed.
There are two ways of logging in to a secondary server: you can log in to a secondary server directly or you can use the primary server.
3.4.1 Logging in to secondary servers directly #
You can log in to any secondary server without logging in to the primary server first. This solution can be useful when you do not have credentials for the primary server. The primary server will be used as a bridge, and you will be connected to the secondary server using SSH.
To connect to the secondary server, proceed as follows:
Go to the Cockpit login page by opening the following address in a browser:
https://IP_ADDRESS_OF_MACHINE:9090
Fill in the credentials for the secondary server.
Expand
on the login screen.Fill in the IP address of the secondary server.
Proceed by clicking
.If you are trying to log in for the first time, you are asked to verify the fingerprint. After this, click
.
3.4.2 Accessing secondary servers from the primary server #
If you have credentials for the primary server, you can access secondary servers from the primary one. Bear in mind that you have to add the secondary servers first as described in Procedure 2, “Adding a server as secondary”.
Log in to the primary server using the account with the system administrator role.
Click the USERNAME@HOSTNAME in the upper-left corner.
Click
.Fill in the host identification and optionally user name that will be used to log in to the server. You can assign a color to the machine. When the details are complete, click
.Verify a fingerprint on the server you want to add. If the fingerprint matches or if you have not set up the SSH connection, click
to proceed.Fill in the password and, if needed, check
. Cockpit will generate a new SSH key for the user, and next time you will be logged in automatically.
3.5 Switching to the administration mode #
By default, a regular user can log in to Cockpit with limited access that does not enable the user to perform administration tasks like managing user accounts, updating the system, and so on.
To switch to administrative access, proceed as follows:
Click the
button.Fill in the
root
password.Click
to confirm.
To turn off administrative mode, proceed as follows:
Click
.To confirm, click
.
4 Configuring servers using Cockpit #
Using the Cockpit
part, you can perform changes to the default server configuration or the configuration you provided during the manual installation. In this part you can change the host name or change the system date or time zone.4.1 Changing the sever host name #
To change the host name, proceed as follows:
Navigate to the
page.In the
part, click .Fill in the following:
4.2 Changing the system time or time zone #
To change the system time or time zone, proceed as follows:
Navigate to the
page.Click the
value.In the pop-up window you can change the following:
4.3 Changing the cryptographic policy #
To change the cryptographic policy, proceed as follows:
Navigate to the
page.Click
next to .In the pop-up window, click on one of the following policy types:
- Default
It allows the TLS 1.2 and TLS 1.3 protocols, as well as IKEv2 and SSH2. The Diffie-Hellman parameters are accepted if they are at least 2048 bits long. The level provides at least 112-bit security with the exception of allowing SHA-1 signatures in DNSSEC, where they are still prevalent.
- DEFAULT:SHA1
Is a subpolicy of the
default
that enables using the SHA-1 algorithm.- LEGACY
This policy ensures maximum compatibility with legacy systems. It is less secure and includes support for TLS 1.0, TLS 1.1 and SSH2 protocols or later. The algorithms DSA, 3DES and RC4 are allowed, while RSA and Diffie-Hellman parameters are accepted if larger than 1023 bits. The level provides at least 64-bit security.
- LEGACY:AD-SUPPORT
Is a subpolicy of
LEGACY
with Active Directory interoperability.- FIPS
A level that conforms to the FIPS 140-2 requirements. This policy is used internally by the
fips-mode-setup
tool that can switch the system into the FIPS 140-2 compliance mode. The level provides at least 112-bit security.- FIPS:OSPP
A subpolicy of FIPS with further Common Criteria restrictions.
- FUTURE
A conservative security level that is believed to withstand any near-term future attacks. This level does not allow the use of SHA-1 in signature algorithms. The level also provides some (not complete) preparation for post-quantum encryption support as a 256-bit symmetric encryption requirement. The RSA and Diffie-Hellman parameters are accepted if larger than 3071 bits. This level provides at least 128-bit security.
To apply the changes, click
.
5 Filtering Cockpit logs #
You can filter the logs according to the following criteria:
Time. For details, refer to Section 5.1, “Filtering according to time”.
Priority. For details, refer to Section 5.2, “Filtering according to priority”.
Identifier. You can filter logs for a particular service, daemon or process. Available identifiers are parsed from the logs currently displayed according to the set filters.
Free-form filters. For details, refer to Section 5.3, “Logs filters”.
Bear in mind that when changing any of the time, priority or identifier criteria, the other ones are still applied. For example, if you change the time criterion to
, the priority and identifier criteria remain the same.5.1 Filtering according to time #
To filter the logs according to a specific time, you can choose from the following values:
- Current boot
Displays logs for the current boot only. The
button enables continuous refreshing of currently displayed logs.- Previous boot
Displays logs relevant to the previous boot.
- Last 24 hours
Displays logs that were recorded within the last 24 hours.
- Last 7 days
Displays logs that were recorded within the last 7 days.
5.2 Filtering according to priority #
The standard syslog
severity levels are used (sorted
from most to least severe):
- Only emergency
The system is unusable. This is a panic condition.
- Alert and above
This log requires your immediate action.
- Critical and above
Failures in primary systems. You should correct the problem immediately.
- Error and above
Not an urgent error but should be handled within a specific time.
- Warning and above
Not an error but indicates that an error might occur if no action is taken.
- Notice and above
Unusual events that are not errors. No immediate actions are required.
- Info and above
Normal operational messages that serve as a confirmation that the system is working properly.
- Debug and above
These messages are used just to debug the system.
5.3 Logs filters #
You can refine the logs view here according to the following criteria:
- Since
Logs for the specified date or newer will be displayed. You can specify the time in the following way:
using the absolute date in the format YYYY-MM-DD
using any of the terms:
yesterday
,today
,tomorrow
andnow
using relative time by prefixing the value with - or + and specifying units. You can use the following units:
seconds
ors
,minutes
ormin
,hours
orh
,days
ord
,weeks
orw
,months
orm
, andyears
ory
.
- Until
Logs for the specified date or older will be displayed. You can specify the time in the following way:
using the absolute date in the format YYYY-MM-DD
using any of the terms:
yesterday
,today
,tomorrow
andnow
using relative time by prefixing the value with - or + and specifying units. You can use the following units:
seconds
ors
,minutes
ormin
,hours
orh
,days
ord
,weeks
orw
,months
orm
, andyears
ory
.
- Boot
Enter an integer: 0 means the current boot, -1 is for the previous boot, 1 for the first boot, 2 for the second, etc.
- Unit
Specify a
systemd
unit for which you want to display logs. Use one of the formats:_SYSTEMD_UNIT=NAME.service
COREDUMP_UNIT=NAME.service
UNIT=NAME.service
- Free-form search
Enter a string that you want to find in the log messages. You can also use PERL-compatible regular expressions. Alternatively, you can filter messages according to message log fields in the format FIELD=VALUE. For example,
CODE_LINE=349
displays logs with this value.
6 Managing storage using Cockpit #
The
page enables you to monitor traffic on your drives, repartition your system, manage NFS mount, view storage logs, and create RAIDs or LVM.6.1 Monitoring data flow on disks #
The graphs on the
page display reading and writing data flow to devices. Each device in the graph has a different color. Hover over the displayed data flow peak to identify the device name.6.2 Managing file systems #
The
view enables you to create a partition table and to format or mount file systems. You can sort the mounted partition according to or .6.2.1 Formatting partitions using Cockpit #
To format the partition, proceed as follows:
Navigate to the
page.In the
view click the partition you want to format.Click
next to the particular partition description to open the format window.Enter a unique name of the partition.
In
, specify to which directory the partition will be mounted. Bear in mind that the field is mandatory.In
, select the file system type. Btrfs is mandatory for the/
partition.If needed, configure the encryption:
- Passphrase and Confirm
Enter a passphrase to unlock the encrypted partition.
- Store passphrase
The passphrase is stored in
/etc/luks-keys
and you are not asked for the passphrase on next boot.- Encryption options
You can pass a list of options described in supported encrypted options.
Select the File system Independent Mount Options. Those options are used in the
. In the text field, you can enter a comma-separated list of options. For common options, refer tooptions
part of the/etc/fstab
file.
6.2.2 Mounting partitions using Cockpit #
Before you try to mount a partition or disk, you need to format the device first. For details, refer to Procedure 5, “Formatting partitions”.
To mount a partition, proceed as follows:
Navigate to the
page.In the
view, click the device to mount.Click
to open the window.Specify the
.Select the mount options in the File system Independent Mount Options. Those options are used in the
text field, you can enter a comma-separated list of options. For common options, refer tooptions
part of the/etc/fstab
file.Select at which booting stage the partition must be mounted.
Click
to proceed.
6.3 Managing NFS mount points #
The
view under the page enables you to add, edit or delete NFS mounts.6.3.1 Adding an NFS mount point #
To add an NFS mount point, proceed as follows:
Navigate to the
page.From the three-line menu, select
view.Specify the following values:
- Server address
Provide the IP address or name of the NFS server.
- Path on server
Select the available path on the NFS server that can be mounted.
- Local mount point
Specify a directory on the local system where the path will be mounted to.
- Mount options
Check any of the options:
mount
command options.
6.3.2 Editing existing NFS mount points #
To edit an NFS mount, proceed as follows:
Navigate to the
page.In the
view, click on the particular NFS mount.On the next screen, click NFS mount details.
and specify the details described in
6.4 Managing RAIDS using Cockpit #
Using Cockpit you can create or modify software RAIDS of different levels.
6.4.1 Creating RAIDs using Cockpit #
Make sure that you have enough disks available according to the RAID level.
To create a software RAID, proceed as follows:
Navigate to the
page.Select the
option in the three-line menu in the view.Enter the following parameters of the RAID:
- Name
Enter a unique name of the RAID.
- RAID level
Select one of the RAID levels. For more details about RAID leves, refer to RAID levels.
- Chunk size
The size of chunks in KBs. A chunk is the minimum amount of data read or written to each data disk in the array during a single read/write operation.
- Disks
Select the disks that should be included in the RAID. The required number of disks depends on the selected RAID level.
Confirm the parameters by clicking
. The RAID then appears in the part.
6.4.2 Modifying RAIDs #
Using the
plugin of Cockpit you can stop or delete a RAID. Here you can also remove or add disk to the array.To modify an existing RAID, proceed as follows:
Navigate to the
page.Click the RAID in
to open the RAID details view.In the detailed view, you can stop or delete the RAID, add or remove disks and format the device.
With certain RAID levels, you can switch on the
option that enables you to synchronize only the changes after a disk is temporarily disconnected. If the is off, all data on the disk will be synchronized.
After any change to the disks number of the array, the system undergoes resynchronization that may take some time. Keep in mind that each RAID level requires a minimum number of disks, therefore, Cockpit does not allow removing the disks that are required by the particular RAID level.
6.5 Managing volume groups and LVM #
6.5.1 Creating volume groups #
To create a volume group of disks, proceed as follows:
Click
.Under the three-line menu in
, select .Enter the volume group name.
Select disks that will be part of the volume group.
Confirm the data with
. The volume group appears in the view.
6.5.2 Creating logical block volumes #
If you have a volume group, you can create a logical block volume from it. To do so, proceed as follows:
Navigate to the
page.In the
, click the volume group you want to use.Click
Specify a logical volume name. select a block device and select the size to use.
Select the
.Select the size to use.
Click
to confirm the details.Format the block volume by clicking Step 4.
and filling the details as described in
6.5.3 Creating a thin logical volumes #
If you have a volume group, you can create a thin logical volume as described below:
Navigate to the
page.Click the volume group in
.In the volume group details, click
.Specify a logical volume name.
Select a pool of thinly provisioned volumes.
Select the size to use.
Click
to confirm the details.Create a thin volume by clicking
.Enter a unique name.
Select the size of the volume.
Click
to confirm the thin volume.You can create several volumes of the particular volume group by clicking
again and repeating the steps above.Format the volumes by clicking Step 4.
and filling the details as described in
6.5.4 Managing logical volumes #
To perform any administration task on an existing logical volume, perform the following steps:
Navigate to the
page.In the
view, click the logical volume.Here you can perform the following actions with existing logical volumes:
- Deactivate/Activate
In the three-dot menu, select
or .- Mount
By clicking
and filling in the mount point and options, the volume will be mounted.- Shrink/Grow
Bear in mind that the shrink/grow function is not available for all file systems.
In the expanded details about the volume, click
or .- Delete
In the three-dot menu, select
.
7 Managing networking using Cockpit #
After clicking
, you can view traffic on your system, manage firewall, manage network interfaces, or view network logs.7.1 Managing firewall rules and zones #
Cockpit enables you to create new zones or update the existing ones. In the firewall settings, you can add services to a zone or allow access to ports.
Do not remove the Cockpit service from the default firewall zone as the Cockpit service may get blocked, and you may get disconnected from the server.
7.1.1 Adding firewall zones #
The
is the default firewall zone. To add a new zone, proceed as follows:Navigate to the
page.Click
.Click
.Select
. Each trust level of network connections has a predefined set of included services (the Cockpit service is included in all trust levels).Define allowed addresses within the zone. Select one of the values:
Proceed with
.
7.1.2 Adding allowed services and ports to a zone #
You can add services to an existing firewall zone as described below:
Navigate to the
page.Click
.Click
.To add a service, check
and select the services from the list.To allow custom ports, check
and specify the port value for UDP and/or TCP. You can assign an identifier to this port.To confirm the changes, click
or , respectively.
7.2 About network bonds #
A bond interface is a combination of several network interfaces into one bond. Depending on the
(described further), network bonding can improve performance by increasing the network throughput and bandwidth. Network bonding can also increase fault tolerance by keeping overall connectivity even if some of the bonded interfaces stopped working.7.2.1 Managing bonds #
7.2.1.1 Adding bonds #
To add a bond, proceed as follows:
Navigate to the
page.Click
.Specify the following parameters of the bond interface:
- Name
Enter a unique name of the interface.
- Interfaces
Select which network interfaces should be grouped in the bond.
- MAC
You can either select a specific MAC address of the underlying interface, or you can use any of the following options:
- Permanent
Use the permanent hardware address if the device has a MAC address.
- Preserve
During the bond activation, the MAC address is not changed.
- Random
A random MAC address is created on each connection attempt.
- Stable
Creates a hashed MAC address.
- Mode
Keep the default mode or select any of the following modes:
- Round Robin
Transfers packets from the first available interface to the last. The mode offers fault tolerance and load balancing.
- Active Backup
Only one interface in the bonding is active. If the active interface fails, the backup will be activated.
- XOR
Balancing using a transmit hash policy. The default is a modulo device count. To select a different policy, specify the
xmit_hash_policy
option in the field.- Broadcast
Everything is transmitted on all interfaces.
- Adaptive Transmit Load Balancing
A channel bonding that does not require any special switch support. The outgoing traffic is distributed according to the current load on each interface.
- Adaptive Load Balancing
Includes adaptive transmit load balancing and receive load balancing, no special switch support is required.
- Primary
This selection is available only for the Active Backup mode. You can select a particular interface that will be used as primary, while other interfaces in the bond are used as secondary.
- Link monitoring
Select the type of link monitoring.
- Monitoring interval
Specifies the intervals at which the particular link monitor performs checks. The value is in ms.
- Link up delay
Define the time in ms for how long the bond is disabled after a link has been activated. The value should be a multiple of the
value, otherwise it will be rounded to the nearest value. Available only for the MII link monitor.- Link down delay
Define the time in ms for how long the bond is disabled if a link failure has been detected. The value should be a multiple of the
value, otherwise it will be rounded to the nearest value. Available only for the MII link monitor.- Monitoring targets
Specify the list of host IP addresses that you want to monitor. Available only for the ARP link monitor.
Proceed with
.
7.2.1.2 Modifying bonds #
To modify a bond, proceed as follows:
Navigate to the
page.Click on the particular bond name to open the details.
You can modify the following bond parameters:
- Bond
Select a MAC address from the list.
- Connect automatically
The bond connects automatically by default. Uncheck the box to disable the automatic connection.
- IPv4 and IPv6
After clicking
, you can set an IP address and configure a specific DNS, DNS search domain and Routes.- MTU
After clicking
, you can specify a particular value of the maximum transmission unit in bytes.- Bond
After clicking
, you can edit the same parameters as when you were creating the bond interface.
7.3 Managing network bridges #
A network bridge is a device that creates a single aggregated network from multiple networks.
7.3.1 Creating network bridges #
To create a network bridge, proceed as follows:
Navigate to the
page.In the
view, clickSpecify the following:
- Name
Specify a unique name of the bridge.
- Ports
Select interfaces to be included in the bridge.
- Spanning tree protocol (STP)
STP is a network protocol used for Ethernet networks that prevents bridge loops by setting a preferred link whenever network switches are connected with several links. This preferred link is used for all Ethernet traffic unless it fails. In that case, a redundant link is used instead. For details regarding STP, see STP.
If you enable the STP protocol, you can edit the following settings:
- STP priority
The lower the priority, the higher the probability of the switch to become the root switch.
- STP forward delay
Specify the time spent in the listening and learning state (in seconds). The default value is 15 s, but you can use any value between 4 and 30 s.
- STP hello time
Specify the time between each bridge protocol data unit (BDPU) that is sent on a port (in seconds). The default value is 2 s, but the recommended range is 1 to 10 s.
- STP maximum message age
Specify the maximum length of time that passes before a bridge port saves its configuration BPDU information.
7.3.2 Modifying or deleting existing bridges #
To modify or delete a bridge, proceed as follows:
Navigate to the
page.In the
view, click the bridge name to open the details.There you can delete the bridge by clicking
, or modify it by changing any of the following details:- General
The bridge connects automatically by default. To disable the automatic connection, uncheck the option.
- IPv4 and IPv6
After clicking
, you can set the IP address and configure a specific DNS, DNS search domain and Routes.- Bridge
By clicking
, you can edit all parameters of the bridge.
7.4 Managing VLANs using Cockpit #
A virtual local area network is a logical subnetwork that groups devices from different physical LANs.
7.4.1 Creating virtual local area network #
To add a VLAN, proceed as follows:
Navigate to the
page.In the
view, click .Fill in the VLAN details:
- Parent
Select the parent network interface.
- VLAN ID
Specify an ID in the range 1–4094.
- Name
Enter the name of the VLAN.
7.4.2 Modifying or deleting existing VLANs #
To modify or delete an existing VLAN, proceed as follows:
Navigate to the
page.In the
view, click the VLAN name.Either delete the VLAN by clicking
, or change any of the VLAN details:- Parent
Select the parent network interface.
- VLAN ID
Specify an ID in the range 1–4094.
- Name
Enter the name of the VLAN.
8 Working with containers #
After the first login to Cockpit, you need to start Podman. Keep the default check box selected to start Podman automatically on each boot.
The
page enables you to pull images from registries and manage your container. You can also filter the view by entering a filter criterion into the filter field.8.1 Managing container images #
The openSUSE registry and Docker Hub are not configured in the default installation. To download container
images from those registries, you need to add the registries to the
/etc/containers/registries.conf
file as follows:
unqualified-search-registries = ["registry.suse.com", "registry.opensuse.org", "docker.io"]
In the
view, you can download, update or delete already pulled images. Each function is available under the three-dot menu. After clicking the menu, there are the following options:- : How to proceed with downloading an image is described in
In the Images view, open the three-dot menu and select .
›Select the
to define who can see the downloaded image. The restricts the image visibility to users with administrative access. The image downloaded under the owner is visible to the regular user and also to all other users with the administrative access.Choose a preferred image registry or proceed with
All registries
.Define the
. The default value islatest
.Fill in the image name or description in the
field to start the search.Cockpit suggests possible images according to the entered name, registry and tag.
Select the desired image and click
.
8.2 Managing containers using Cockpit #
8.2.1 Running new containers from images #
To run a container, you need a container image. The image can be pulled using Podman or Cockpit. When using Cockpit, you can pull an image in advance as described in Procedure 10, “Downloading a new image”, or you can pull the image directly from the form as described below. When using Podman, refer to the Podman guide.
To run a new container, proceed as follows:
Navigate to the
page.If you pulled an image in advance:
In the
view, click .Click
next to the image you want to use.
If you do not have the image, click
in the view.In the
window, enter the container details as described below. Bear in mind that some options are available only for system administrators.In the
tab, enter the following details:- Owner
Select whether the container will be visible only for users with
sudo
privileges by selecting . The defines that the container is visible to privileged users and regular users.- Name
Specify a unique name for the container.
- Image
This field is enabled if you do not have the image. After you start typing the image name, Cockpit makes suggestions of images in the configured registries.
- Pull the latest image
The checkbox is available if you are creating the container from an already downloaded image. If selected, the latest image version is pulled before the container is started.
- Command
You can specify a command to run in the container.
- With terminal
Select the option to have access to the container using a terminal. If not selected, the container will be in the detached state.
- Memory limit
You can limit maximum memory consumption of the container by checking the box and specifying the limit.
- CPU shares
Specify the weight of the container to use CPU time. The default weight is 1024. The weight applies only if containers are under high load. If the tasks in one container are idle, other containers may use its CPU time.
If you have four containers, two of them have CPU shares of 512 and the other two have 1024. Thus, under high load, the containers with lower CPU shares get only 16,5% of CPU time, while those with 1024 CPU shares get 33% of CPU time.
- Restart policy
Specify when the container is restarted after it exits.
In the
tab, you can enter the following parameters:- Port mapping
After you click the
button, specify the host IP address, the host port to map the container port onto, the container port and select the protocol. If you do not set the host IP address or set the value to 0.0.0.0, the port is bound to ALL host IP addresses. If you omit the host port, a random one is used for the mapping.- Volumes
This field maps a path in a container onto a path on the host machine. Fill in the host path, the container path and select the SELinux label.
The SELinux label
defines that the volume is accessible only from the particular container. The label means that all containers can access the volume.- Environment variables
To define environment variables in the container, click
and fill in and . You can enter multiple variables by adding more lines.
In the
tab, you can set a time period of commands triggering to check the status of the container. Fill in the following parameters:- Command
Specify the command that is triggered to check the container status.
- Interval
Specify the interval of checks in seconds.
- Timeout
The maximum time in seconds to wait before the interval is considered failed.
- Start period
The time interval after the container is started when the health check is not performed.
- Retries
Specify how many times the check can be performed before the status is considered as unhealthy.
- When unhealthy
Select the action to take after a container is considered unhealthy.
To create the container, click
or to create and start the container.
8.2.2 Further actions with running containers #
Under the three-dot menu, you can perform the following actions:
delete the container
pause the container
commit changes performed to the container, for example, installing packages to the container
checkpoint the container—write the state of the container to disk and stop the container
restart the container, either by regular
, where processes running inside the container are stopped, or by , where the processes are killed, and you may lose datastop the container, either by regular
, or . When using , the state of all processes in the container is written to the disk, and after the next start, the container is restored to the same point before stopping.
By expanding the container details, you can access the container's terminal in the
tab and view its information in other tabs.8.3 Pods management #
8.3.1 Creating pods #
Cockpit enables you to create pods in which you can then create containers. To create a pod, follow the steps:
Navigate to the
page.Click
.Fill in the pod details:
- Name
Enter a unique name of the pod.
- Owner
Specify whether the pod will be visible only under
root
privileges or also to regular users.- Port mapping
After clicking
, you can map a pod port onto a host port. Specify the containers port, assign the desired host port and IP address. If the host IP address is not set or set to 0.0.0.0, the port is bonded to all host IP addresses. If you omit the host port number, a random port number is assigned to the mapping.- Volumes
After clicking
, you can map a directory on the host onto a containers' volume. Select the host path, enter the path in containers and select the SELinux labeling.
Click
to confirm the pod creation.
8.3.2 Creating containers in pods #
During the planning, bear in mind that only new containers can be run in a pod. You cannot add an already created container that has not been run under a pod to any pod.
To create containers in a pod, follow the steps:
Navigate to the
page.In the desired pod group, click
.Fill in the container details as described in Section 8.2.1, “Running new containers from images”. Remember that the owner of new containers is the same as the owner of the particular pod.
9 Users administration using Cockpit #
Only users with
can edit other users.Using the
Cockpit screen, you can perform the following tasks:Creating new users of the system as described in Section 9.2, “Creating user accounts using Cockpit”
Creating new user groups as described in Section 9.3, “Creating user groups”.
Assigning
sudo
privileges to user accounts as described in Section 9.1, “Modifying existing user accounts”Forcing a change of a user's password as described in Section 9.1, “Modifying existing user accounts”
Locking a particular user account as described in Section 9.1, “Modifying existing user accounts”.
9.1 Modifying existing user accounts #
To modify a user account, proceed as follows:
Navigate to the
page.Click the account you want to modify.
In the user details view, you can perform the following actions:
- Delete the user
Click
to remove the user from the system.- Terminate user's session
By clicking
, you can log a particular user out of the system.- Manage access to the account
You can set a date when the account will expire. The default is to never expire.
You can disallow the user to use their password to log in. The user then must use a different method of authentication.
- Manage the user's password
Click
to set a new password for the account.By clicking
, the user will have to change the password on the next login.Click
to set whether or when the password expires.- Add SSH key
You can add an SSH key for passwordless authentication via SSH. Click
, paste the contents of the public SSH key and confirm it by clicking .
9.2 Creating user accounts using Cockpit #
Cockpit enables you to add users to a running system and assign system administrator privileges to accounts.
To add a new user to the system, proceed as follows:
Navigate to the
page.Click
to open the window that enables you to add a new user.Fill in the user account details. You can assign a different home directory to the user in the drop-down
menu. If you do not specify a directory, the standard/home/USERNAME
path is used.If you select
, the user will have to use an authentication method other than filling in password, for example, SSH login.Click
to confirm the account.To add an SSH key to the account, you need to modify the account as described in Section 9.1, “Modifying existing user accounts”.
9.3 Creating user groups #
The topic covers the creation of user groups.
To create a user group, proceed as follows:
Navigate to the
page.Click
.Enter a unique name of the group and specify or leave the default one.
NoteThe already existing group ID cannot be overwritten. Group IDs under 1000 are usually reserved for system accounts, services, and so on. If you create a group with an ID less than 1000, the group cannot be later deleted using Cockpit.
10 Managing services using Cockpit #
The following sections describe how to start, stop and restart a service, target, socket, timer or path.
10.1 Managing systemd
units #
To manage a systemd
unit, proceed as follows:
Click the
page.Select the appropriate tab (
, , , or ).Click the unit you want to administer.
In the unit details, you can view relations to other
systemd
units, the status of the unit, or you can perform the following actions that can be found in the three-dot menu:
10.2 Creating new timers #
systemd
timers help you to automate recurring tasks. A systemd
timer can control triggering of systemd
services and handling of
events.
The default set of systemd
timers is stored in
/usr/lib/systemd
. If you create a timer with already
existing names, the default unit file is not overwritten, but a new one
is created in /etc/systemd/system/
that overrides
the default unit file. To restore the timer to the default
one, delete the timer unit file in
/etc/systemd/system/
.
If you try to create a timer that already exists in the
/etc/systemd/system/
directory, the unit file will
be overwritten, and the previous changes are lost.
To create a systemd
timer using Cockpit, proceed as follows:
Navigate to
.In the
tab, click .Fill in the details:
- Name
The name of the timer that will be used in the unit name and in the service unit name as well. For example, specifying the name example will create the following unit files:
/etc/systemd/system/example.timer
and/etc/systemd/system/example.service
.- Description
You can provide a short description of the timer.
- Command
The command to be invoked when the timer is triggered.
- Trigger
The timer can be triggered each time you reboot your machine or at a specific time. For the
option, you can define the delay of the service invocation. For the option, specify when the service should be invoked.
11 SELinux mode and policy #
The SELinux tool enables you to switch between SELinux modes and view current modifications of the SELinux policy.
The SELinux Cockpit module is visible only if SELinux is enabled on the system. If you cannot access the module, SELinux is probably disabled. To check that SELinux is enabled, run:
>
sestatus
On SUSE Linux Micro, SELinux is in the enforcing mode by default. To temporarily
switch to the permissive mode, click the button with the
Enforcing
label. Bear in mind that the change persists
only until the next boot. If you need to perform a persistent change of the
mode, edit the configuration file /etc/selinux/config
.
For details, refer to the
security
guide.
The
lists all modifications performed on the default SELinux policy. If you want to export the modifications and reuse them on different servers, click . In the new window, you can copy a shell script or the ansible configuration file that can be applied on other servers.11.1 Solving SELinux access issues #
In the
page, you can view access denial messages from the audit log. On top of that, Cockpit provides possible ways of solving the access denial. To do so, follow the steps:Navigate to the
page.In
, expand the details regarding access denial.To view the audit log record, click
.To view possible solutions, click
. Some solutions may be applied directly through Cockpit by clicking .
12 Updates and snapshots #
You can use Cockpit to search for new system updates and then apply them directly from the Web interface. On top of that, Cockpit enables you to perform a rollback to a previous snapshot.
If your system is not registered, the updates are not available and the check for updates fails. Therefore, register your system to view available updates.
Only users with the
role can update the system or perform a rollback to another snapshot.
Cockpit enables you to update your SUSE Linux Micro instance or perform a
rollback from the Software Updates
menu.
12.1 Updating SUSE Linux Micro using Cockpit #
To update your system, proceed as follows:
Navigate to the
page.Click
to get a list of new package updates and patches available for your system. We recommend installing the patches marked as important as soon as possible.Now you can update your system either with immediate reboot, or the reboot might be postponed:
Click
to apply patches and updates. After the update is complete, your system will be restarted and will boot into the new snapshot.To postpone reboot after the update, select
from the three-dot menu. Bear in mind that you need to reboot the system to activate the snapshot with updates. If you perform further changes without rebooting the system beforehand, a new snapshot will be created from the same point as the snapshots with updates. Therefore, the new snapshot will not include the updates.
12.2 Performing rollbacks #
To perform a rollback of your system, proceed as follows:
Navigate to the
page.Click
, or in the three-dot menu next to the snapshot you want to perform a rollback to.
After rebooting the system, the snapshot you rolled back to will be set as active. Do not make any changes (install updates, packages, etc.) before rebooting your system as the snapshot you rolled back to is not active. Any changes performed before you reboot your system will start from the currently active snapshot.
13 Legal Notice #
Copyright© 2006–2024 SUSE LLC and contributors. All rights reserved.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled “GNU Free Documentation License”.
For SUSE trademarks, see https://www.suse.com/company/legal/. All other third-party trademarks are the property of their respective owners. Trademark symbols (®, ™ etc.) denote trademarks of SUSE and its affiliates. Asterisks (*) denote third-party trademarks.
All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither SUSE LLC, its affiliates, the authors, nor the translators shall be held liable for possible errors or the consequences thereof.