Bug 1173342 - Can't configure a different port
Summary: Can't configure a different port
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: cockpit
Version: 21
Hardware: x86_64
OS: Linux
unspecified
urgent
Target Milestone: ---
Assignee: Stef Walter
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2014-12-11 21:52 UTC by Ferry Huberts
Modified: 2015-03-16 09:33 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-16 09:33:46 UTC
Type: Bug
Embargoed:



Description Ferry Huberts 2014-12-11 21:52:09 UTC
Description of problem:
Can't configure a different port than 9090

I need a different port than 9090 since many existing programs that I run
on various servers already claim port 9090.

I've searched and searched but I can't find how to do this.
This forces me to uninstall cockpit....



Version-Release number of selected component (if applicable):
cockpit-0.27-2.fc21.x86_64

How reproducible:
always

Steps to Reproduce:
1. 
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Stef Walter 2014-12-11 21:57:25 UTC
We should document this better, but you can change it in the standard systemd manner:

# sudo cp /lib/systemd/system/cockpit.socket /etc/systemd/system
# sudo vi /etc/systemd/system/cockpit.socket # and edit the ListenStream line
# sudo systemctl daemon-reload
# sudo systemctl restart cockpit.socket

Comment 2 Ferry Huberts 2014-12-11 22:04:44 UTC
yeah, tried that. didn't work.
changing the listenstream appears to have no effect

Comment 3 Ferry Huberts 2014-12-11 22:05:24 UTC
this is on a fresh install of F21 Server 64

Comment 4 Ferry Huberts 2014-12-11 22:08:14 UTC
(In reply to Stef Walter from comment #1)
> We should document this better, but you can change in the standard systemd
> manner:
> 
> # sudo cp /lib/systemd/system/cockpit.socket /etc/systemd/system
> # sudo vi /etc/systemd/system/cockpit.socket # and edit the ListenStream line
> # sudo systemctl daemon-reload
> # sudo systemctl restart cockpit.socket

# systemctl status cockpit.socket
● cockpit.socket - Cockpit Web Server Socket
   Loaded: loaded (/etc/systemd/system/cockpit.socket; enabled)
   Active: failed (Result: resources)
     Docs: man:cockpit-ws(8)
   Listen: [::]:9091 (Stream)

Dec 11 23:06:57 my.server systemd[1]: cockpit.socket failed to listen on sockets: Permission denied
Dec 11 23:06:57 my.server systemd[1]: Failed to listen on Cockpit Web Server Socket.
Dec 11 23:06:57 my.server systemd[1]: Unit cockpit.socket entered failed state.

Comment 5 Ferry Huberts 2014-12-11 22:21:45 UTC
ah, it needs a setenforce 0, so there is an AVC:

type=AVC msg=audit(1418335714.981:372): avc:  denied  { name_bind } for  pid=1 comm="systemd" src=9091 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1

I've now worked around this all.
But still, very unfriendly.

I'm in 'luck' because I put it on port 9091 which I can enable by setting the nis_enabled selinux boolean.
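
Added example (not part of any comment in this bug, and not Cockpit project code): a Python helper that parses the AVC record quoted in comment 5 and derives a `semanage` command labelling only the denied port, a narrower remedy than `setenforce 0` or the `nis_enabled` boolean. The function names and the `cockpit_ws_t` to `websm_port_t` mapping are assumptions; check the port type on the target system before using it.

```python
import re
import shlex

# Record quoted in comment 5 of this bug.
AVC_COMMENT_5 = ('type=AVC msg=audit(1418335714.981:372): avc:  denied  { name_bind } for  '
    'pid=1 comm="systemd" src=9091 scontext=system_u:system_r:cockpit_ws_t:s0 '
    'tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1')

# Assumption (not stated in the thread): websm_port_t is the type Fedora's policy
# puts on Cockpit's default port 9090. Confirm with `semanage port -l` first.
PORT_TYPE_FOR_DOMAIN = {"cockpit_ws_t": "websm_port_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")

def parse_avc(line):
    """Return the fields of an AVC denial as a dict, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    try:
        tokens = shlex.split(m.group("fields"))   # handles comm="systemd"
    except ValueError:                            # unbalanced quote in the record
        return None
    rec = {"perms": m.group("perms").split()}
    for token in tokens:
        key, sep, value = token.partition("=")
        if sep:
            rec[key] = value
    return rec

def selinux_type(context):
    """Type field of a user:role:type:level context ('' if malformed)."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""

def port_label_fix(line):
    """semanage command that labels only the denied TCP port, else None."""
    rec = parse_avc(line)
    if not rec or "name_bind" not in rec["perms"] or rec.get("tclass") != "tcp_socket":
        return None
    src = rec.get("src", "")
    port_type = PORT_TYPE_FOR_DOMAIN.get(selinux_type(rec.get("scontext", "")))
    # A port that already has a specific label belongs to another service's
    # policy; leave that case to manual review.
    if selinux_type(rec.get("tcontext", "")) != "unreserved_port_t":
        return None
    if port_type is None or not src.isdigit() or not 1 <= int(src) <= 65535:
        return None
    return f"semanage port -a -t {port_type} -p tcp {int(src)}"
```

For the record from comment 5, `port_label_fix(AVC_COMMENT_5)` returns `semanage port -a -t websm_port_t -p tcp 9091`.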

Comment 6 Ferry Huberts 2014-12-11 22:22:55 UTC
As in the comment I added on bug #1129645:

Port 9090 is a _very_ bad idea.
That is already taken by a _lot_ of applications.
Now I have to go and de-conflict the cockpit port.

Comment 7 Stef Walter 2014-12-12 02:29:40 UTC
Dan, Mirek, how do we make it so we can easily change the Cockpit port without the selinux policy complaining?

Can we just derestrict the port that Cockpit listens on, if it's a high port? How do you do this for apache, what does its SELinux policy look like?

Comment 8 Stef Walter 2014-12-12 02:32:16 UTC
(In reply to Ferry Huberts from comment #6)
> Port 9090 is a _very_ bad idea.
> That is already taken by a _lot_ of applications.

Any memorable port will have this problem for someone somewhere. Let's make it easier to change the port.

Comment 9 Stef Walter 2014-12-12 06:49:24 UTC
So the three aspects to changing the port are:
 * Updating the systemd socket file
 * Fixing SELinux policy so we can listen on another port
 * Updating the firewall for the new port

Thomas, what is the firewall-cmd command to locally override a port for the cockpit service? Or would we just instruct people to open another port with --add-port?

Comment 10 Stef Walter 2014-12-12 11:27:05 UTC
Documentation update written here: https://github.com/cockpit-project/cockpit/pull/1584

Comment 11 Fedora Admin XMLRPC Client 2015-03-03 15:11:46 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 12 Stef Walter 2015-03-16 09:33:46 UTC
Documentation for this is released and available.

