cockpit-project / cockpit

Cockpit is a web-based graphical interface for servers.
http://www.cockpit-project.org/
GNU Lesser General Public License v2.1

Blank Page after adding another host with CIS-Level 1 benchmark policy #21308

Open yokhoe opened 1 week ago

yokhoe commented 1 week ago

Explain what happens

  1. Cockpit :9090 can login and dashboard is accessible to manage the local machine.
  2. I add another host to manage it on this installation of cockpit.
  3. Upon logout and logging back in, it's showing a blank page.

Version of Cockpit

323.1-1.el9_5

Where is the problem in Cockpit?

Overview

Server operating system

Red Hat Enterprise Linux

Server operating system version

9.5

What browsers are you using?

Firefox, Chrome, Edge

System log

journalctl did not capture anything critical, even after my attempt of enabling the debug mode for cockpit

-- Boot 01bdf8a78272433e8e458e511f960fb6 --
Nov 22 10:31:55 private01.cvad.unt.edu systemd[1]: Starting Cockpit Web Service...
Nov 22 10:31:55 private01.cvad.unt.edu systemd[1]: Started Cockpit Web Service.

Content of /etc/systemd/system/cockpit-wsinstance-https@.service

[Unit]
Description=Cockpit Web Service https instance %I
Documentation=man:cockpit-ws(8)
BindsTo=cockpit.service

[Service]
Environment=G_MESSAGES_DEBUG=cockpit-ws,cockpit-bridge
Slice=system-cockpithttps.slice
ExecStart=/usr/libexec/cockpit-ws --for-tls-proxy --port=0
User=cockpit-wsinstance
Group=cockpit-wsinstance

https://github.com/user-attachments/assets/51beb7ca-6ec8-4eb5-92fa-37d541b8490a

yokhoe commented 1 week ago

I came to discover that this issue is caused by a custom build of RHEL 9(.5) with a CIS-Server Level 1 benchmark policy. I tested a RHEL 9.5 with no policy and it works. Unfortunately, I can't trace anything useful with the Cockpit debug logs.

martinpitt commented 1 week ago

I don't know what a "CIS-Level 1 benchmark policy" is -- can you roughly describe what that is? I suppose https://www.cisecurity.org/cis-benchmarks but that is very abstract. A kernel change, a browser plugin, some security restrictions, etc?

In the video, what's the difference between the left and right browser? They seem roughly equivalent, and at least talk to the same host IPs/names, but the right one is called "ScreenConnect" - some kind of remote desktop?

I think the bug happens at 2:27, right? The journal spits out a lot of TLS errors, and one more when you login. That may just be browser dependent, but it's worth taking a look at the browser console (Ctrl+Shift+J) -- open it on the login page, then log in, and see what happens. Can you please copy the messages here?