Description of problem:
In a Workstation install, launching Subscription Manager's GUI client from gnome opens a firefox window and attempts to load the cockpit interface. The browser throws an error with zero indication as to why. People unfamiliar with cockpit (as it's new as a default in RHEL 8), will have no idea that port 9090 is cockpit.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Login to gnome session
2. Run Red Hat Subscription Manager from app menu
Error with page unable to load
Visibility of the subscription manager ui in cockpit
cockpit.socket could be enabled by default, but locked to locahost. This would be a better experience for users. Documentation for enabling remote management should also be included.
Steps I took to provide a better OOTB experience without sacrificing security by opening 9090 to the world:
# systemctl enable cockpit.socket
Modify /usr/lib/systemd/system/cockpit.socket and replace the line:
# systemctl daemon-reload
# systemctl restart cockpit.socket
Additionally, the need to turn on cockpit is supposed to be documented in /etc/issue, to be seen when a customer logs into the CONSOLE of the system.
HOWEVER, this file is not displayed for a customer of a Workstation or GUI Server installation. Thus, there is no way for a user to know that they must turn on cockpit.
Hence, Scott's suggestion very solution seems very valid : Enable cockpit on the localhost interface to allow immediate first-boot use of the subscription manager Cockpit GUI.
(In reply to Scott Herold from comment #1)
> Steps I took to provide a better OOTB experience without sacrificing
> security by opening 9090 to the world:
> # systemctl enable cockpit.socket
> Modify /usr/lib/systemd/system/cockpit.socket and replace the line:
> ListenStream=9090 with
> # systemctl daemon-reload
> # systemctl restart cockpit.socket
OK, so apparently using an override is the right way to resolve this AFTER the fact.
# systemctl edit cockpit.socket
Save and exit
If you use the .override approach: You need to first reset the existing ListenStream=. Like the above (comment #3) you *additionally* open it on localhost, which doesn't work (the .socket unit will fail to start, as it's already listening everywhere).
Indeed cockpit.socket not enabled by default as it opens a port. Also, services are generally not enabled by default in RHEL (or Fedora), they need to get into that central list of services that do (using systemd presets, I figure?).
I feel like this touches a fairly rigid policy, and I can't decide this by myself. If there's consensus (and maybe even precedent) for this approach, we can certainly do this, although this requires some pondering how exactly to set this up: e. g. cockpit should not ship an override file in /etc by itself, and the dynamic motd/issue message needs to be changed, and we need to document how to enable cockpit on remote interfaces.
I'll start a thread on rhel8-devel@.
*** Bug 1651621 has been marked as a duplicate of this bug. ***
For everyone following along here: I have a first proof of concept of how this could look like: http://post-office.corp.redhat.com/archives/rhel8-devel/2018-November/msg00331.html
I now installed RHEL 8 beta desktop, and I see subscription-manager-cockpit.desktop (shipped by subscription-manager-cockpit RPM). So after the cockpit-desktop work lands, subscription-manager needs to adjust this desktop file to make this all work.
I got a resounding silence on the ML to my post...
Anyway, https://github.com/cockpit-project/cockpit/pull/10684 provides the mechanics for that. Once that is released, I'll provide a bug and proposed patch for subscription-manager.