Description of problem:
Can't configure a different port than 9090

I need a different port than 9090 since many existing programs that I run on various servers already claim port 9090. I've searched and searched but I can't find how to do this. This forces me to uninstall cockpit....

Version-Release number of selected component (if applicable):
cockpit-0.27-2.fc21.x86_64

How reproducible:
always

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:

We should document this better, but you can change in the standard systemd manner:

# sudo cp /lib/systemd/system/cockpit.socket /etc/systemd/system
# sudo vi /etc/systemd/system/cockpit.socket # and edit the ListenStream line
# sudo systemctl daemon-reload
# sudo systemctl restart cockpit.socket

Yeah, tried that. Didn't work. Changing the ListenStream appears to have no effect.
This is on a fresh install of F21 Server 64.
(In reply to Stef Walter from comment #1)
> We should document this better, but you can change in the standard systemd
> manner:
>
> # sudo cp /lib/systemd/system/cockpit.socket /etc/systemd/system
> # sudo vi /etc/systemd/system/cockpit.socket # and edit the ListenStream line
> # sudo systemctl daemon-reload
> # sudo systemctl restart cockpit.socket

# systemctl status cockpit.socket
● cockpit.socket - Cockpit Web Server Socket
   Loaded: loaded (/etc/systemd/system/cockpit.socket; enabled)
   Active: failed (Result: resources)
     Docs: man:cockpit-ws(8)
   Listen: [::]:9091 (Stream)

Dec 11 23:06:57 my.server systemd[1]: cockpit.socket failed to listen on sockets: Permission denied
Dec 11 23:06:57 my.server systemd[1]: Failed to listen on Cockpit Web Server Socket.
Dec 11 23:06:57 my.server systemd[1]: Unit cockpit.socket entered failed state.

ah, it needs a setenforce 0, so there is an AVC:

type=AVC msg=audit(1418335714.981:372): avc: denied { name_bind } for pid=1 comm="systemd" src=9091 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1

I've now worked around this all. But still, very unfriendly.
I'm in 'luck' because I put it on port 9091 which I can enable by setting the nis_enabled selinux boolean.

As in the comment I added on bug #1129645:

Port 9090 is a _very_ bad idea.
That is already taken by a _lot_ of applications.
Now I have to go and de-conflict the cockpit port.

Dan, Mirek, how do we make it so we can easily change the Cockpit port without the selinux policy complaining? Can we just derestrict the port that Cockpit listens on, if it's a high port? How do you do this for apache, what does its SELinux policy look like?
(In reply to Ferry Huberts from comment #6)
> Port 9090 is a _very_ bad idea.
> That is already taken by a _lot_ of applications.

Any memorable port will have this problem for someone somewhere. Let's make it easier to change the port.

So the three aspects to changing the port are:

* Updating the systemd socket file
* Fixing SELinux policy so we can listen on another port
* Updating the firewall for the new port

Thomas, what is the firewall-cmd command to locally override a port for the cockpit service? Or would we just instruct people to open another port with --add-port?

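The three steps listed above, as an added shell example that is not part of this bug thread or of Cockpit's own code. It assumes a systemd drop-in (cockpit.socket.d/listen.conf, a file name chosen here) instead of a copied unit file, the websm_port_t port type for the SELinux label, and a plain --add-port firewalld rule; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: move cockpit.socket to another TCP port in three steps.

# Accept only a plain decimal port number in 1..65535.
valid_port() {
    case "$1" in
        ''|0*|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Step 1: write a drop-in that overrides the packaged ListenStream.
# The optional second argument is a scratch root for a dry run.
write_dropin() {
    port=$1 root=${2:-}
    valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    dir="$root/etc/systemd/system/cockpit.socket.d"
    mkdir -p "$dir" || return 1
    # The empty ListenStream= clears the packaged 9090 entry; without it
    # systemd would listen on 9090 and on the new port.
    printf '[Socket]\nListenStream=\nListenStream=%s\n' "$port" > "$dir/listen.conf"
    echo "$dir/listen.conf"
}

apply_port() {
    port=$1
    write_dropin "$port" >/dev/null || return 1
    # Step 2: label the port so cockpit_ws_t is allowed to name_bind to it
    # (the denial in the AVC above). websm_port_t is assumed here as the
    # type that carries 9090; -a fails when the port is already defined,
    # so fall back to -m.
    semanage port -a -t websm_port_t -p tcp "$port" 2>/dev/null ||
        semanage port -m -t websm_port_t -p tcp "$port" || return 1
    # Step 3: open the new port in firewalld, permanently.
    firewall-cmd --permanent --add-port="$port/tcp" || return 1
    firewall-cmd --reload || return 1
    systemctl daemon-reload && systemctl restart cockpit.socket
}

# Run as root: sh cockpit-port.sh --apply 9091
if [ "${1:-}" = "--apply" ]; then
    apply_port "${2:-}"
fi
```

Labelling the single port keeps SELinux enforcing, unlike setenforce 0, and does not widen the policy the way a broad boolean does.
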
Documentation update written here: https://github.com/cockpit-project/cockpit/pull/1584
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
Documentation for this released and available.