Closed lrusak closed 7 years ago
Ports are expected to work, so I would expect what you are doing to be supported. I would check the journal, it's possible there is some sort of permissions or selinux error blocking things. You might also want to turn debug logs on. (https://github.com/cockpit-project/cockpit/blob/master/HACKING.md#debug-logging-of-cockpit-processes) That might help track down exactly what is happening.
Ugh, you're right it was selinux
Feb 01 20:46:02 vps.domain.com cockpit-ws[29231]: 0.0.0.0: setting up agent pipe 8 9
Feb 01 20:46:02 vps.domain.com cockpit-ws[29231]: /usr/libexec/cockpit-ssh: setting up auth pipe 10 11
Feb 01 20:46:02 vps.domain.com cockpit-ws[29231]: spawning /usr/libexec/cockpit-ssh
Feb 01 20:46:02 vps.domain.com cockpit-ws[29231]: 0.0.0.0:12345: new session
Feb 01 20:46:02 vps.domain.com cockpit-ws[29231]: 0.0.0.0:12345: added channel 1:2!16 to session
Feb 01 20:46:02 vps.domain.com cockpit-ws[29231]: 1: added channel 1:2!16 to socket
Feb 01 20:46:02 vps.domain.com cockpit-ws[29231]: channel ssh-agent0:10 does not exist
Feb 01 20:46:02 vps.domain.com audit[2137]: AVC avc: denied { name_connect } for pid=2137 comm="cockpit-ssh" dest=12345 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
Feb 01 20:46:02 vps.domain.com cockpit-ssh[2137]: cockpit-ssh lukas@0.0.0.0:12345: -1 couldn't connect: Failed to connect: Permission denied '0.0.0.0' '12345'
so
grep name_connect /var/log/audit/audit.log | tail -1
type=AVC msg=audit(1486010762.335:276745): avc: denied { name_connect } for pid=2137 comm="cockpit-ssh" dest=12345 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
grep name_connect /var/log/audit/audit.log | tail -1 | audit2allow -M cockpitreversessh
and
semodule -i cockpitreversessh.pp
So it seems to work, however, when I try and visit any page I get the following until I refresh the browser
The url looks like https://vps.domain.com/@0.0.0.0/system/services
The debug logs don't show anything so I have a feeling the error isn't with cockpit. I think the error is somewhere with nginx and websockets as I am using it as a reverse proxy.
When you refresh the browser does everything work normally? If you open the browser console (often ctrl-shift-i) you should be able to see the url that is failing. Are there any other errors in the console?
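An added example, not part of the thread or of Cockpit: a module built with audit2allow from the denial quoted above allows whatever that one record describes, so it is worth reading the resulting rule (it is also written to cockpitreversessh.te) before running semodule -i. The shell functions below derive that rule from the AVC record copied from the thread; the function names are made up for this illustration.

```sh
#!/bin/sh
# AVC record copied from the thread above.
AVC='type=AVC msg=audit(1486010762.335:276745): avc: denied { name_connect } for pid=2137 comm="cockpit-ssh" dest=12345 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0'

# avc_field KEY LINE: print the value of the first KEY=value token in LINE.
avc_field() {
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p" | head -n 1
}

# avc_type CONTEXT: print the type (third field) of user:role:type:level.
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms LINE: print the permissions listed between the braces.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# avc_to_rule LINE: print the type-enforcement rule the denial maps to.
avc_to_rule() {
    src=$(avc_type "$(avc_field scontext "$1")")
    tgt=$(avc_type "$(avc_field tcontext "$1")")
    cls=$(avc_field tclass "$1")
    perms=$(avc_perms "$1")
    # Refuse to print a rule when any part of the record is missing.
    [ -n "$src" ] && [ -n "$tgt" ] && [ -n "$cls" ] && [ -n "$perms" ] || return 1
    case $perms in
        *' '*) perms="{ $perms }" ;;   # several permissions are grouped in braces
    esac
    printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$perms"
}

# avc_scope LINE: the rule names the port's label, never the port number.
avc_scope() {
    port=$(avc_field dest "$1")
    tgt=$(avc_type "$(avc_field tcontext "$1")")
    [ -n "$port" ] && [ -n "$tgt" ] || return 1
    printf 'rule covers every port labeled %s, not only port %s\n' "$tgt" "$port"
}

avc_to_rule "$AVC"
avc_scope "$AVC"
```

When only port 12345 is needed, giving that port a label the cockpit_ws_t domain may already connect to (semanage port -a -t TYPE -p tcp 12345, with TYPE as a placeholder to be chosen from the installed policy) is narrower than a rule on unreserved_port_t.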
Yes if I refresh the browser it seems to work properly half the time, but only for that page/tab, if I switch to services from logs it says not found again.
In the console log I can see this
jquery.js:2976 GET https://vps.domain.com/cockpit/W/%22$05a6c8735d151d956e35a2aafa75dc93642640d4%22/system/services.html 404 ()
this is the nginx conf for that host, http://sprunge.us/NQeP
@petervo I believe this will be solved by your port of cockpit-ssh to be invoked by cockpit-bridge. That's why I'm not filing SELinux bugs about this. Does that make sense?
is the url https://vps.domain.com/cockpit/W/%22$05a6c8735d151d956e35a2aafa75dc93642640d4%22/system/services.html an internal one?
I don't see anything in my webserver error log about this
also how is $05a6c8735d151d956e35a2aafa75dc93642640d4 generated?
Hey guys,
I searched around a bit and asked in #cockpit in the IRC but no one seems to be around.
I have fedora server running behind a firewall which I use a reverse SSH tunnel to reach from a vps running fedora cloud. The ssh tunnel changes the port so I can reach it from say fedora-cloud.domain.com:12345. I can ssh from fedora-cloud to fedora-server via ssh -p 12345 0.0.0.0 or ssh -p 12345 fedora-cloud.domain.com.
The problem I am having is I can't seem to reach the cockpit instance I have on fedora-server. Cockpit just reports:
Yet I am able to ssh via the CLI. I've looked into the cockpit code and it looks to me like it supports different ports, however I cannot get it to work.
Any suggestions would be great as it most likely is some simple error on my part.