RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1495506 - Can't access Cockpit UI on RHEL hosts
Summary: Can't access Cockpit UI on RHEL hosts
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: cockpit
Version: 7.4
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: pre-dev-freeze
: ---
Assignee: Martin Pitt
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-09-26 08:31 UTC by Sarvesh Pandit
Modified: 2019-04-28 13:52 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-23 12:00:51 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Sarvesh Pandit 2017-09-26 08:31:27 UTC 
Description of problem: Without adding 9090 port, Cockpit UI can't be accessed.

Version-Release number of selected component (if applicable):
cockpit-system-138-9.el7.noarch
cockpit-storaged-148-1.el7.noarch
cockpit-bridge-138-9.el7.x86_64
cockpit-ovirt-dashboard-0.10.8-2.2.ovirt41.el7ev.noarch
cockpit-ws-138-9.el7.x86_64
kernel-3.10.0-693.2.2.el7.x86_64

How reproducible: 100%

Steps to Reproduce:
1. Install RHEL 7.4 and subscribe RHV repos

2. Install cockpit-ovirt-dashboard:
# yum install cockpit-ovirt-dashboard

3. Enable and start cockpit socket:
# systemctl enable cockpit.socket
# systemctl start cockpit.socket

4. Access Cockpit UI

Actual results:
Can't access Cockpit UI via browser

Expected results:
Should be able to access Cockpit UI via browser

Additional info:
There is workaround:

# firewall-cmd --permanent --add-port=9090/tcp
success
# firewall-cmd --permanent --add-port=9090/udp
success
# firewall-cmd --reload
success

Ideally installing package or enabling service should take of adding port to firewall-policy but it is not happening. Either documentation link (https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.1/html/installation_guide/installing_cockpit_on_linux_hosts) has to be updated with steps or fix in package.
Comment 2 Peter 2017-09-26 12:35:45 UTC 
The package cockpit-ws adds 

/usr/lib/firewalld/services/cockpit.xml

and then in the post section runs

test -f %{_bindir}/firewall-cmd && firewall-cmd --reload --quiet || true

Can you run that command and see if maybe there is an error that the || true suppresses.
Comment 3 Sarvesh Pandit 2017-09-26 12:52:17 UTC 
It was beaker system. Now, I have applied the workaround and don't have fresh 7.4 host. Should I still try that command on that host?
Comment 4 Peter 2017-09-26 12:53:56 UTC 
You can, but might be more useful on a system that is actually showing the problem.
Comment 5 Sarvesh Pandit 2017-09-27 05:03:58 UTC 
Here is output:

# test -f %{_bindir}/firewall-cmd && firewall-cmd --reload --quiet || true
# echo $?
0

No error :(
Comment 6 Peter 2017-09-27 05:14:25 UTC 
Did you remove the || true? that makes sure it always returns 0. But if there was no error output it probably succeeded.
Comment 7 Sarvesh Pandit 2017-09-27 06:20:12 UTC 
I didn't remove.

Now, I have removed:

# test -f %{_bindir}/firewall-cmd && firewall-cmd --reload --quiet
# echo $?
1

These 9090 port were manually added:

# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: em1
  sources: 
  services: ssh dhcpv6-client
  ports: 9090/tcp 9090/udp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:
Comment 8 Martin Pitt 2018-01-22 12:11:51 UTC 
So to confirm, if you run `firewall-cmd --reload` it fails? (Please drop the --quiet). Does it show any output without the --quiet?

If that fails, the bug should be reassigned to firewalld.
Comment 9 Martin Pitt 2018-01-22 12:13:04 UTC 
> # test -f %{_bindir}/firewall-cmd && firewall-cmd --reload --quiet

Note: This doesn't work literally in a shell, as the `{_bindir}` is an rpm macro which is only valid in a spec file and changed during package build. So please just run "firewall-cmd ..." without the `test` command.
Comment 10 Sarvesh Pandit 2018-02-26 15:47:06 UTC 
Hello Martin,

Apology for delay in response.

I don't have that setup with me to try out.
Comment 11 Martin Pitt 2018-03-02 09:34:19 UTC 
Putting needsinfo back. "I don't have that setup with me" sounds like you still have access to it in general? If not, let's just close this bug. Thanks!
Comment 12 Sarvesh Pandit 2018-04-23 11:45:14 UTC 
Yes. you can close this bug, as don't have same setup.
Comment 13 Martin Pitt 2018-04-23 12:00:51 UTC 
OK, closing.
Note You need to log in before you can comment on or make changes to this bug.