Bug 1110711 - Open Cockpit port by default on Fedora Server
Summary: Open Cockpit port by default on Fedora Server
Alias: None
Product: Fedora
Classification: Fedora
Component: firewalld
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: Fedora Extras Quality Assurance
Depends On:
Blocks: cockpit-F21-tracker 1108258
Reported: 2014-06-18 10:07 UTC by Stef Walter
Modified: 2014-07-11 09:48 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-07-11 09:48:56 UTC
Type: Bug

Description Stef Walter 2014-06-18 10:07:36 UTC
The Cockpit port 1001 should be open by default on a freshly installed Fedora 21 Server, according to the release criteria for Fedora Server.

Comment 1 Stef Walter 2014-06-18 10:07:54 UTC
The component of this may need to be tweaked? Does the default firewall come from anaconda? How does Fedora Server differentiate its firewall?

Comment 2 Stephen Gallagher 2014-06-18 11:54:34 UTC
As an additional note, we may want to change this port to something we can get reserved for Cockpit's use with IANA. This would help us avoid future conflicts. The problem of course is finding an unused-but-memorable port.

The other idea that struck me just now would be to make it "Dealer's Choice": set Cockpit up to run on port 80/443 at initial boot and allow users to configure it to a port of their choice after that.

Comment 3 Thomas Woerner 2014-06-18 12:25:00 UTC
The default firewalld configuration is provided by firewalld, but anaconda is enabling the ssh service in the default zone of firewalld - if it is not enabled already. Additionally anaconda is changing the default zone according to the firewall configuration in kickstart installations.

For Cockpit I would suggest providing a service configuration file for firewalld with the proper port, so that it can be added, for example, at installation time. It would also be possible to provide a special zone with all the needed things added for use on the server, or to provide a set of zones for the server that replace the upstream zone files.

If Cockpit is using port 80 or 443, we can simply use the http and https services that are already available in firewalld.

Comment 4 Adam Williamson 2014-06-18 22:33:05 UTC
Just as a note: I'd be more comfortable if the initial report read "according to the Fedora Server product design". The release criteria are a mechanism for doing quality assurance on a product; they are not an aspect of product design.

Comment 5 Stef Walter 2014-06-27 12:23:52 UTC
Upstream Cockpit firewall service definition is here: https://github.com/cockpit-project/cockpit/pull/806

Comment 6 Thomas Woerner 2014-07-07 17:28:07 UTC
firewalld-0.3.10-3: Added new fedora-server zone with cockpit enabled.

Comment 7 Thomas Woerner 2014-07-11 09:48:56 UTC
Fixed in rawhide in package firewalld-0.3.10-3 or newer.
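The approach this report settled on (a firewalld service definition for Cockpit, enabled in a server zone) can be audited by resolving a zone file into the ports it actually opens. The following is an added example, not code from firewalld, Cockpit or any commenter here; the XML documents are constructed samples in firewalld's service/zone file format, the zone contents (ssh plus cockpit) are an assumption, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample files (not the files shipped by firewalld or Cockpit).
# Port 1001/tcp is the Cockpit port named in this report.
SERVICES = {
    "cockpit": """<service>
  <short>Cockpit</short>
  <description>Cockpit web administration interface.</description>
  <port protocol="tcp" port="1001"/>
</service>""",
    "ssh": """<service>
  <short>SSH</short>
  <port protocol="tcp" port="22"/>
</service>""",
}

ZONE = """<zone>
  <short>Fedora Server</short>
  <description>Default zone for a server install.</description>
  <service name="ssh"/>
  <service name="cockpit"/>
</zone>"""


def service_ports(service_xml):
    """Return the (port, protocol) pairs one service definition opens."""
    root = ET.fromstring(service_xml)
    return {(p.get("port"), p.get("protocol")) for p in root.findall("port")}


def zone_exposure(zone_xml, services):
    """Map each open (port, protocol) in a zone to what opened it."""
    root = ET.fromstring(zone_xml)
    exposure, missing = {}, []
    for svc in root.findall("service"):
        name = svc.get("name")
        if name not in services:
            missing.append(name)  # zone names a service with no definition
            continue
        for port in service_ports(services[name]):
            exposure[port] = "service:" + name
    for p in root.findall("port"):  # ports opened directly in the zone
        exposure[(p.get("port"), p.get("protocol"))] = "zone"
    return exposure, missing


if __name__ == "__main__":
    print(zone_exposure(ZONE, SERVICES))
```

Running the same resolution over the zone files on an installed system gives a reviewable list of what a default zone exposes, and flags service names that do not resolve.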