cockpit-project / cockpit

Cockpit is a web-based graphical interface for servers.
http://www.cockpit-project.org/
GNU Lesser General Public License v2.1

Reaching Cockpit through reverse SSH tunnel #5828

Closed lrusak closed 7 years ago

lrusak commented 7 years ago

Hey guys,

I searched around a bit and asked in #cockpit in the IRC but no one seems to be around.

I have a fedora server running behind a firewall, which I reach from a vps running fedora cloud through a reverse SSH tunnel. The ssh tunnel changes the port, so I can reach it from, say, fedora-cloud.domain.com:12345. I can ssh from fedora-cloud to fedora-server via ssh -p 12345 0.0.0.0 or ssh -p 12345 fedora-cloud.domain.com.

The problem I am having is I can't seem to reach the cockpit instance I have on fedora-server. Cockpit just reports:

Cockpit could not contact the given host fedora-cloud.domain.com:12345. Make sure it has ssh running on port 12345, or specify another port in the address.

Yet I am able to ssh via the CLI. I've looked into the cockpit code and it looks to me like it supports different ports, however I cannot get it to work.

Any suggestions would be great as it most likely is some simple error on my part.

petervo commented 7 years ago

Ports are expected to work, so I would expect what you are doing to be supported. I would check the journal, it's possible there is some sort of permissions or selinux error blocking things. You might also want to turn debug logs on. (https://github.com/cockpit-project/cockpit/blob/master/HACKING.md#debug-logging-of-cockpit-processes) That might help track down exactly what is happening.

lrusak commented 7 years ago

Ugh, you're right, it was selinux.

Feb 01 20:46:02 vps.domain.com cockpit-ws[29231]: 0.0.0.0: setting up agent pipe 8 9
Feb 01 20:46:02 vps.domain.com cockpit-ws[29231]: /usr/libexec/cockpit-ssh: setting up auth pipe 10 11
Feb 01 20:46:02 vps.domain.com cockpit-ws[29231]: spawning /usr/libexec/cockpit-ssh
Feb 01 20:46:02 vps.domain.com cockpit-ws[29231]: 0.0.0.0:12345: new session
Feb 01 20:46:02 vps.domain.com cockpit-ws[29231]: 0.0.0.0:12345: added channel 1:2!16 to session
Feb 01 20:46:02 vps.domain.com cockpit-ws[29231]: 1: added channel 1:2!16 to socket
Feb 01 20:46:02 vps.domain.com cockpit-ws[29231]: channel ssh-agent0:10 does not exist
Feb 01 20:46:02 vps.domain.com audit[2137]: AVC avc:  denied  { name_connect } for  pid=2137 comm="cockpit-ssh" dest=12345 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
Feb 01 20:46:02 vps.domain.com cockpit-ssh[2137]: cockpit-ssh lukas@0.0.0.0:12345: -1 couldn't connect: Failed to connect: Permission denied '0.0.0.0' '12345'

so grep name_connect /var/log/audit/audit.log | tail -1

type=AVC msg=audit(1486010762.335:276745): avc:  denied  { name_connect } for  pid=2137 comm="cockpit-ssh" dest=12345 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
grep name_connect /var/log/audit/audit.log | tail -1 | audit2allow -M cockpitreversessh

and

semodule -i cockpitreversessh.pp

So it seems to work, however, when I try and visit any page I get the following until I refresh the browser Imgur

The url looks like https://vps.domain.com/@0.0.0.0/system/services

The debug logs don't show anything, so I have a feeling the error isn't with cockpit. I think the error is somewhere with nginx and websockets, as I am using it as a reverse proxy.
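The AVC record quoted in the comment above can be checked mechanically before reaching for audit2allow. The following is an added example, not code from this thread or from Cockpit: it parses AVC records (both the audit.log and the journal form shown above) and reports the ports cockpit-ssh was denied a TCP connect to, skipping records that were only logged in permissive mode. The regexes and function names are my own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the audit.log record quoted in the thread above.
SAMPLE_AVC = (
    'type=AVC msg=audit(1486010762.335:276745): avc:  denied  { name_connect } '
    'for  pid=2137 comm="cockpit-ssh" dest=12345 '
    'scontext=system_u:system_r:cockpit_ws_t:s0 '
    'tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0'
)

# Record shape: 'avc:  denied  { perm ... } for  key=value key=value ...'
AVC_RE = re.compile(r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context: str) -> str:
    """Type component of a user:role:type:level context ('' if malformed)."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else ''

def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Parse one AVC record (audit.log or journal form); None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'verdict': m.group('verdict'),
        'perms': m.group('perms').split(),
        'comm': kv.get('comm', ''),
        'dest': int(kv['dest']) if kv.get('dest', '').isdigit() else None,
        'source_type': selinux_type(kv.get('scontext', '')),
        'target_type': selinux_type(kv.get('tcontext', '')),
        'tclass': kv.get('tclass', ''),
        'permissive': kv.get('permissive') == '1',
    }

def blocked_ssh_ports(lines: List[str]) -> List[int]:
    """Ports that cockpit-ssh (domain cockpit_ws_t) was denied a TCP name_connect to.
    A permissive=1 record is only logged, not enforced, so it is skipped."""
    ports = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['verdict'] != 'denied' or rec['permissive']:
            continue
        if (rec['source_type'] == 'cockpit_ws_t' and rec['tclass'] == 'tcp_socket'
                and 'name_connect' in rec['perms'] and rec['dest'] is not None):
            ports.append(rec['dest'])
    return ports
```

Feeding it the output of `grep name_connect /var/log/audit/audit.log` tells you which port the policy module actually needs to cover, rather than letting audit2allow generalise from every denial in the log.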

petervo commented 7 years ago

When you refresh the browser, does everything work normally? If you open the browser console (often ctrl-shift-i) you should be able to see the url that is failing. Are there any other errors in the console?

lrusak commented 7 years ago

Yes, if I refresh the browser it seems to work properly half the time, but only for that page/tab; if I switch to services from logs it says not found again.

In the console log I can see this

jquery.js:2976 GET https://vps.domain.com/cockpit/W/%22$05a6c8735d151d956e35a2aafa75dc93642640d4%22/system/services.html 404 ()

this is the nginx conf for that host, http://sprunge.us/NQeP

stefwalter commented 7 years ago

@petervo I believe this will be solved by your port of cockpit-ssh to be invoked by cockpit-bridge. That's why I'm not filing SELinux bugs about this. Does that make sense?

lrusak commented 7 years ago

Is the url https://vps.domain.com/cockpit/W/%22$05a6c8735d151d956e35a2aafa75dc93642640d4%22/system/services.html an internal one?

I don't see anything in my webserver error log about this.

Also, how is $05a6c8735d151d956e35a2aafa75dc93642640d4 generated?

lrusak commented 7 years ago

This solved my issue

https://github.com/cockpit-project/cockpit/issues/5239

Sorry for the noise.