Red Hat SummitChapter 1. Getting started with the RHEL web console
Learn how to install, configure, and monitor systems by using the RHEL web console. This graphical interface simplifies common administration tasks, such as managing logs, storage, and remote hosts.
1.1. What is the RHEL web console
The RHEL web console is a web-based graphical interface for managing and monitoring your local system and Linux servers in your network environment.
In the RHEL web console, you can perform a wide range of administration tasks, including:
- Managing services
- Managing user accounts
- Managing and monitoring system services
- Configuring network interfaces and firewall
- Reviewing system logs
- Managing virtual machines
- Creating diagnostic reports
- Setting kernel dump configuration
- Configuring SELinux
- Updating software
- Managing system subscriptions
The web console uses the same system tools as the command line. If you change a setting in the terminal, the web console updates instantly. You can switch between the web interface and the terminal at any time.
You can also monitor the logs and performance of systems in the network environment in a graphical form. In addition, you can change the settings directly in the web console or through the terminal.
1.2. Installing and enabling the web console
To access the RHEL web console, enable the cockpit.socket service first. RHEL 10 includes the web console installed by default in many installation variants. If this is not the case on your system, install the cockpit package before enabling the cockpit.socket service.
Procedure
If the web console is not installed by default on your installation variant, manually install the
cockpitpackage:dnf install cockpit
# dnf install cockpitCopy to Clipboard Copied! Toggle word wrap Toggle overflow Enable and start the
cockpit.socketservice, which runs a web server:systemctl enable --now cockpit.socket
# systemctl enable --now cockpit.socketCopy to Clipboard Copied! Toggle word wrap Toggle overflow If the web console was not installed by default on your installation variant and you are using a custom firewall profile, add the
cockpitservice tofirewalldto open port 9090 in the firewall:firewall-cmd --add-service=cockpit --permanent firewall-cmd --reload
# firewall-cmd --add-service=cockpit --permanent # firewall-cmd --reloadCopy to Clipboard Copied! Toggle word wrap Toggle overflow
Verification
- To verify the previous installation and configuration, open the web console.
1.3. Logging in to the web console
When the cockpit.socket service is running and the corresponding firewall port is open, you can log in to the web console in your browser for the first time.
Prerequisites
Use one of the following browsers to open the web console:
- Mozilla Firefox 52 and later
- Google Chrome 57 and later
- Microsoft Edge 16 and later
System user account credentials
The RHEL web console uses a specific pluggable authentication modules (PAM) stack at
/etc/pam.d/cockpit. The default configuration allows logging in with the user name and password of any local account on the system.- Port 9090 is open in your firewall.
Procedure
In your web browser, enter the following address to access the web console:
https://localhost:9090
https://localhost:9090Copy to Clipboard Copied! Toggle word wrap Toggle overflow NoteThis provides a web-console login on your local machine. If you want to log in to the web console of a remote system, see the Connecting to the web console from a remote machine section.
If you use a self-signed certificate, the browser displays a warning. Check the certificate, and accept the security exception to proceed with the login.
The console loads a certificate from the
/etc/cockpit/ws-certs.ddirectory and uses the last file with a.certextension in alphabetical order. To avoid having to grant security exceptions, install a certificate signed by a certificate authority (CA).- In the login screen, enter your system user name and password.
Click Log In.
After successful authentication, the RHEL web console interface opens.
1.4. Administrative access in the web console
You can gain administrative access in the RHEL web console to perform privileged tasks, such as managing services, users, and networking, which require elevated permissions.
After you log in for the first time with a regular user account, the web console starts with limited access. When you have limited access, you can view the settings, but you cannot perform actions that require administrative privileges, such as installing packages.
To perform administrative tasks, click Limited access in the top panel of the web console page. You must have sudo access to the system and provide your user password to gain administrative access. From that point, the web console provides administrative access and preserves this setting across user sessions.
To switch back to limited access, click Administrative access in the top panel of the web console page.
The RHEL web console disallows root account logins by default for security reasons. Instead of logging in as root, use administrative access. If your scenario requires logging in as root, see Connecting to the web console from a remote machine as a root user
1.5. Disabling basic authentication in the web console
Disable basic authentication for the RHEL web console to enforce stronger authentication methods, such as Kerberos. You can configure this setting in the cockpit.conf file to override default security behavior.
Use the none action to disable an authentication scheme and only allow authentication through GSSAPI and forms.
Prerequisites
You have installed the RHEL 10 web console.
For instructions, see Installing and enabling the web console.
-
You have
rootprivileges or permissions to enter administrative commands withsudo.
Procedure
Open or create the
cockpit.conffile in the/etc/cockpit/directory in a text editor of your preference, for example:vi cockpit.conf
# vi cockpit.confCopy to Clipboard Copied! Toggle word wrap Toggle overflow Add the following text:
[basic] action = none
[basic] action = noneCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Save the file.
Restart the web console for changes to take effect.
systemctl try-restart cockpit
# systemctl try-restart cockpitCopy to Clipboard Copied! Toggle word wrap Toggle overflow
1.6. Connecting to the web console from a remote machine
You can connect to your web console interface from any client operating system and also from mobile phones or tablets.
Prerequisites
A device with a supported internet browser, such as:
- Mozilla Firefox 52 and later
- Google Chrome 57 and later
- Microsoft Edge 16 and later
The RHEL 10 system you want to access with an installed and accessible web console.
For instructions, see Installing and enabling the web console.
Procedure
- Open your web browser.
Type the remote server’s address in one of the following formats:
With the server’s hostname:
https://<server.hostname.example.com>:<port-number>
https://<server.hostname.example.com>:<port-number>Copy to Clipboard Copied! Toggle word wrap Toggle overflow For example:
https://example.com:9090
https://example.com:9090Copy to Clipboard Copied! Toggle word wrap Toggle overflow With the server’s IP address:
https://<server.IP_address>:<port-number>
https://<server.IP_address>:<port-number>Copy to Clipboard Copied! Toggle word wrap Toggle overflow For example:
https://192.0.2.2:9090
https://192.0.2.2:9090Copy to Clipboard Copied! Toggle word wrap Toggle overflow
- After the login interface opens, log in with your RHEL system credentials.
1.7. Connecting to the web console from a remote machine as a root user
You can connect to the RHEL web console as the root user to gain full administrative control of a remote host. Be sure to use SSH keys instead of a password for this privileged connection.
On new installations of RHEL 9.2 or later, the RHEL web console disallows root account logins by default for security reasons. You can allow the root login in the /etc/cockpit/disallowed-users file.
Prerequisites
You have installed the RHEL 10 web console.
For instructions, see Installing and enabling the web console.
Procedure
Open the
disallowed-usersfile in the/etc/cockpit/directory in a text editor of your preference, for example:vi /etc/cockpit/disallowed-users
# vi /etc/cockpit/disallowed-usersCopy to Clipboard Copied! Toggle word wrap Toggle overflow Edit the file and remove the line for the
rootuser:List of users which are not allowed to login to Cockpit root
# List of users which are not allowed to login to Cockpit rootCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Save the changes and quit the editor.
Verification
Log in to the web console as a
rootuser.For details, see Logging in to the web console.
1.8. Logging in to the web console using a one-time password
Log in to the RHEL web console by using a one-time password (OTP) to enhance security. You can use this two-factor authentication method in an IdM domain with enabled OTP.
It is possible to log in using a one-time password only if your system is part of an Identity Management (IdM) domain with enabled OTP configuration.
Prerequisites
You have installed the RHEL 10 web console.
For instructions, see Installing and enabling the web console.
- An Identity Management server with enabled OTP configuration.
- A configured hardware or software device generating OTP tokens.
Procedure
Open the RHEL web console in your browser:
-
Locally:
https://localhost:9090 -
Remotely with the server hostname:
https://example.com:9090 Remotely with the server IP address:
https://EXAMPLE.SERVER.IP.ADDR:9090If you use a self-signed certificate, the browser issues a warning. Check the certificate and accept the security exception to proceed with the login.
The console loads a certificate from the
/etc/cockpit/ws-certs.ddirectory and uses the last file with a.certextension in alphabetical order. To avoid having to grant security exceptions, install a certificate signed by a certificate authority (CA).
-
Locally:
- The Login window opens. In the Login window, enter your system user name and password.
- Generate a one-time password on your device.
- Enter the one-time password into a new field that displays in the web console interface after you confirm your password.
- Click Log in.
- Successful login takes you to the Overview page of the web console interface.
1.9. Adding a banner to the login page
You can add a custom banner to the RHEL web console login page. This helps to display important security warnings or legal notices to users before they log in to the system.
Prerequisites
You have installed the RHEL 10 web console.
For instructions, see Installing and enabling the web console.
-
You have
rootprivileges or permissions to enter administrative commands withsudo.
Procedure
Open the
/etc/issue.cockpitfile in a text editor of your preference:vi /etc/issue.cockpit
# vi /etc/issue.cockpitCopy to Clipboard Copied! Toggle word wrap Toggle overflow Add the content you want to display as the banner to the file, for example:
This is an example banner for the RHEL web console login page.
This is an example banner for the RHEL web console login page.Copy to Clipboard Copied! Toggle word wrap Toggle overflow You cannot include any macros in the file, but you can use line breaks and ASCII art.
- Save the file.
Open the
cockpit.conffile in the/etc/cockpit/directory in a text editor of your preference, for example:vi /etc/cockpit/cockpit.conf
# vi /etc/cockpit/cockpit.confCopy to Clipboard Copied! Toggle word wrap Toggle overflow Add the following text to the file:
[Session] Banner=/etc/issue.cockpit
[Session] Banner=/etc/issue.cockpitCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Save the file.
Restart the web console for changes to take effect.
systemctl try-restart cockpit
# systemctl try-restart cockpitCopy to Clipboard Copied! Toggle word wrap Toggle overflow
Verification
Open the web console login screen again to verify that the banner is now visible:
1.10. Configuring automatic idle lock in the web console
You can enable the automatic idle lock and set the idle timeout for your system through the web console interface. This ensures your screen automatically locks after a period of inactivity, protecting the system from unauthorized access.
Prerequisites
You have installed the RHEL 10 web console.
For instructions, see Installing and enabling the web console.
-
You have
rootprivileges or permissions to enter administrative commands withsudo.
Procedure
Open the
cockpit.conffile in the/etc/cockpit/directory in a text editor of your preference, for example:vi /etc/cockpit/cockpit.conf
# vi /etc/cockpit/cockpit.confCopy to Clipboard Copied! Toggle word wrap Toggle overflow Add the following text to the file:
[Session] IdleTimeout=<X>
[Session] IdleTimeout=<X>Copy to Clipboard Copied! Toggle word wrap Toggle overflow Substitute <X> with a number for a time period of your choice in minutes.
- Save the file.
Restart the web console for changes to take effect.
systemctl try-restart cockpit
# systemctl try-restart cockpitCopy to Clipboard Copied! Toggle word wrap Toggle overflow
Verification
- Check if the session logs you out after a set period of time.
1.11. Changing the web console listening port
By default, the RHEL web console communicates through TCP port 9090. You can change the port number by overriding the default socket settings. This adjustment is often necessary to meet specific security or network policies.
Prerequisites
You have installed the RHEL 10 web console.
For instructions, see Installing and enabling the web console.
-
You have
rootprivileges or permissions to enter administrative commands withsudo. -
The
firewalldservice is running.
Procedure
Pick an unoccupied port, for example, <4488/tcp>, and instruct SELinux to allow the
cockpitservice to bind to that port:semanage port -a -t websm_port_t -p tcp <4488>
# semanage port -a -t websm_port_t -p tcp <4488>Copy to Clipboard Copied! Toggle word wrap Toggle overflow Note that a port can be used only by one service at a time, and thus an attempt to use an already occupied port implies the
ValueError: Port already definederror message.Open the new port and close the former one in the firewall:
firewall-cmd --service cockpit --permanent --add-port=<4488>/tcp firewall-cmd --service cockpit --permanent --remove-port=9090/tcp
# firewall-cmd --service cockpit --permanent --add-port=<4488>/tcp # firewall-cmd --service cockpit --permanent --remove-port=9090/tcpCopy to Clipboard Copied! Toggle word wrap Toggle overflow Create an override file for the
cockpit.socketservice:systemctl edit cockpit.socket
# systemctl edit cockpit.socketCopy to Clipboard Copied! Toggle word wrap Toggle overflow In the following editor screen, which opens an empty
override.conffile located in the/etc/systemd/system/cockpit.socket.d/directory, change the default port for the web console from 9090 to the previously picked number by adding the following lines:[Socket] ListenStream= ListenStream=<4488>
[Socket] ListenStream= ListenStream=<4488>Copy to Clipboard Copied! Toggle word wrap Toggle overflow Note that the first
ListenStream=directive with an empty value is intentional. You can declare multipleListenStreamdirectives in a single socket unit and the empty value in the drop-in file resets the list and disables the default port 9090 from the original unit.ImportantInsert the previous code snippet between the lines starting with
# Anything between hereand# Lines below this. Otherwise, the system discards your changes.- Save the changes, and exit the editor.
Reload the changed configuration:
systemctl daemon-reload
# systemctl daemon-reloadCopy to Clipboard Copied! Toggle word wrap Toggle overflow Check that your configuration is working:
systemctl show cockpit.socket -p Listen Listen=[::]:4488 (Stream)
# systemctl show cockpit.socket -p Listen Listen=[::]:4488 (Stream)Copy to Clipboard Copied! Toggle word wrap Toggle overflow Restart
cockpit.socket:systemctl restart cockpit.socket
# systemctl restart cockpit.socketCopy to Clipboard Copied! Toggle word wrap Toggle overflow
Verification
Open your web browser, and access the web console on the updated port, for example:
https://machine1.example.com:4488
https://machine1.example.com:4488Copy to Clipboard Copied! Toggle word wrap Toggle overflow
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}