Bug 1651264

Summary: provide better desktop integration
Product: Red Hat Enterprise Linux 8 Reporter: Scott Herold <sherold>
Component: cockpitAssignee: Martin Pitt <mpitt>
Status: CLOSED CURRENTRELEASE QA Contact: Jan Ščotka <jscotka>
Severity: high Docs Contact:
Priority: high    
Version: 8.0CC: cdonnell, ignusius, jsefler, jstavel, mabrown, mthacker, redakkan, skallesh, tbowling, tpelka
Target Milestone: rc   
Target Release: 8.0   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-05-23 11:52:58 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1635157, 1651621    

Description Scott Herold 2018-11-19 14:57:24 UTC 
Description of problem:
In a Workstation install, launching Subscription Manager's GUI client from gnome opens a firefox window and attempts to load the cockpit interface.  The browser throws an error with zero indication as to why.  People unfamiliar with cockpit (as it's new as a default in RHEL 8), will have no idea that port 9090 is cockpit.

Version-Release number of selected component (if applicable):
8.0 Beta

How reproducible:
Always

Steps to Reproduce:
1. Login to gnome session
2. Run Red Hat Subscription Manager from app menu
3. Error

Actual results:
Error with page unable to load

Expected results:
Visibility of the subscription manager ui in cockpit

Additional info:
cockpit.socket could be enabled by default, but locked to locahost.  This would be a better experience for users.  Documentation for enabling remote management should also be included.
Comment 1 Scott Herold 2018-11-19 15:12:40 UTC 
Steps I took to provide a better OOTB experience without sacrificing security by opening 9090 to the world:

# systemctl enable cockpit.socket
Modify /usr/lib/systemd/system/cockpit.socket and replace the line:
ListenStream=9090     with
ListenStream=127.0.0.1:9090
# systemctl daemon-reload
# systemctl restart cockpit.socket
Comment 2 Mark Thacker 2018-11-19 15:38:01 UTC 
Additionally, the need to turn on cockpit is supposed to be documented in /etc/issue, to be seen when a customer logs into the CONSOLE of the system.

HOWEVER, this file is not displayed for a customer of a Workstation or GUI Server installation. Thus, there is no way for a user to know that they must turn on cockpit.

Hence, Scott's suggestion very solution seems very valid : Enable cockpit on the localhost interface to allow immediate first-boot use of the subscription manager Cockpit GUI.
Comment 3 Scott Herold 2018-11-19 15:59:05 UTC 
(In reply to Scott Herold from comment #1)
> Steps I took to provide a better OOTB experience without sacrificing
> security by opening 9090 to the world:
> 
> # systemctl enable cockpit.socket
> Modify /usr/lib/systemd/system/cockpit.socket and replace the line:
> ListenStream=9090     with
> ListenStream=127.0.0.1:9090
> # systemctl daemon-reload
> # systemctl restart cockpit.socket

OK, so apparently using an override is the right way to resolve this AFTER the fact.  

# systemctl edit cockpit.socket
add:
[Socket]
ListenStream=127.0.0.1:9090

Save and exit
Comment 4 Martin Pitt 2018-11-19 16:18:14 UTC 
If you use the .override approach: You need to first reset the existing ListenStream=. Like the above (comment #3) you *additionally* open it on localhost, which doesn't work (the .socket unit will fail to start, as it's already listening everywhere).

So:

[Socket]
ListenStream=
ListenStream=127.0.0.1:9090


Indeed cockpit.socket not enabled by default as it opens a port. Also, services are generally not enabled by default in RHEL (or Fedora), they need to get into that central list of services that do (using systemd presets, I figure?).

I feel like this touches a fairly rigid policy, and I can't decide this by myself. If there's consensus (and maybe even precedent) for this approach, we can certainly do this, although this requires some pondering how exactly to set this up: e. g. cockpit should not ship an override file in /etc by itself, and the dynamic motd/issue message needs to be changed, and we need to document how to enable cockpit on remote interfaces.

I'll start a thread on rhel8-devel@.
Comment 5 Martin Pitt 2018-11-19 16:39:19 UTC 
http://post-office.corp.redhat.com/archives/rhel8-devel/2018-November/msg00277.html
Comment 6 Martin Pitt 2018-11-21 09:56:34 UTC 
*** Bug 1651621 has been marked as a duplicate of this bug. ***
Comment 7 Martin Pitt 2018-11-23 16:45:22 UTC 
For everyone following along here: I have a first proof of concept of how this could look like: http://post-office.corp.redhat.com/archives/rhel8-devel/2018-November/msg00331.html
Comment 8 Martin Pitt 2018-12-03 12:20:31 UTC 
I now installed RHEL 8 beta desktop, and I see subscription-manager-cockpit.desktop (shipped by subscription-manager-cockpit RPM). So after the cockpit-desktop work lands, subscription-manager needs to adjust this desktop file to make this all work.
Comment 9 Martin Pitt 2018-12-03 20:31:04 UTC 
I got a resounding silence on the ML to my post...

Anyway, https://github.com/cockpit-project/cockpit/pull/10684 provides the mechanics for that. Once that is released, I'll provide a bug and proposed patch for subscription-manager.