-
Notifications
You must be signed in to change notification settings - Fork 228
/
Copy pathlisten.html
110 lines (110 loc) · 6.13 KB
/
listen.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
---
layout: guide
---
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>TCP Port and Address</title>
<meta name="generator" content="DocBook XSL Stylesheets Vsnapshot">
<link rel="home" href="index.html" title="Cockpit Guide">
<link rel="up" href="guide.html" title="Part I. Deployment Guide">
<link rel="prev" href="https.html" title="SSL/TLS Usage">
<link rel="next" href="startup.html" title="Start up">
<link rel="stylesheet" href="style.css" type="text/css">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<table class="navigation" id="top" width="100%" summary="Navigation header" cellpadding="2" cellspacing="2"><tr valign="middle">
<td><a accesskey="p" href="https.html"><img src="left.png" width="24" height="24" border="0" alt="Prev"></a></td>
<td><a accesskey="u" href="guide.html"><img src="up.png" width="24" height="24" border="0" alt="Up"></a></td>
<td><a accesskey="h" href="index.html"><img src="home.png" width="24" height="24" border="0" alt="Home"></a></td>
<th width="100%" align="center">Cockpit Guide</th>
<td><a accesskey="n" href="startup.html"><img src="right.png" width="24" height="24" border="0" alt="Next"></a></td>
</tr></table>
<div class="chapter">
<div class="titlepage"><div><div><h2 class="title">
<a name="listen"></a>TCP Port and Address</h2></div></div></div>
<div class="toc"><dl class="toc">
<dt><span class="section"><a href="listen.html#listen-systemd">Cockpit systemd Socket</a></span></dt>
<dt><span class="section"><a href="listen.html#listen-selinux">SELinux Port</a></span></dt>
<dt><span class="section"><a href="listen.html#listen-firewalld">Firewalld Port</a></span></dt>
</dl></div>
<p>Cockpit's <code class="code">cockpit-ws</code> component is configured by default to accept
connections on port <code class="code">9090</code>. This is the port that is documented for a
"Web-based System Manager" to listen on. It is also relatively memorable.</p>
<p>However there are many reasons you may wish to change the default port. For
example other software may use port <code class="code">9090</code> or you may wish to setup
Cockpit to listen on <code class="code">443</code> instead. It is also possible to have Cockpit
only listen on one specific IP address.</p>
<p>Note that it is only required to have Cockpit listening on a TCP port on
the server that you access with your web browser. If you add multiple servers
with host switcher, Cockpit will connect to those servers via
<code class="code">ssh</code>.</p>
<p>The systems that Cockpit runs on are typically locked down with firewalls,
SELinux, so changing the default port is not as easy as editing a configuration
file.</p>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="listen-systemd"></a>Cockpit systemd Socket</h2></div></div></div>
<p>On servers with
<a class="ulink" href="https://www.freedesktop.org/wiki/Software/systemd/" target="_top"><code class="code">systemd</code></a>
Cockpit starts on demand via socket activation. To change its port and/or address
you should place the following content in the
<code class="code">/etc/systemd/system/cockpit.socket.d/listen.conf</code> file. Create the file
and directories in that path which not already exist. The <code class="code">ListenStream</code>
option specifies the desired address and TCP port.</p>
<pre class="programlisting">
[Socket]
ListenStream=
ListenStream=443
</pre>
<pre class="programlisting">
[Socket]
ListenStream=
ListenStream=7777
ListenStream=192.168.1.1:443
FreeBind=yes
</pre>
<p>NOTE: The first line with an empty value is intentional. <code class="code">systemd</code> allows multiple <code class="code">Listen</code> directives to be declared in a single socket unit; an empty value in a drop-in file resets the list and thus disables the default port 9090 from the original unit.</p>
<p>The <code class="code">FreeBind</code> option is highly recommended when defining specific IP addresses. See the <a class="ulink" href="https://www.freedesktop.org/software/systemd/man/systemd.socket.html" target="_top"><code class="code">systemd.socket</code> manpage</a> for details.</p>
<p>In order for the changes to take effect, run the following commands:</p>
<pre class="programlisting">
$ sudo systemctl daemon-reload
$ sudo systemctl restart cockpit.socket
</pre>
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="listen-selinux"></a>SELinux Port</h2></div></div></div>
<p>If <a class="ulink" href="https://selinuxproject.org/page/Main_Page" target="_top">SELinux</a> is
protecting your server, then you will need to tell it to allow Cockpit to listen
on the new port. Run the following command to do so. The last argument specifies
the desired TCP port.</p>
<pre class="programlisting">
$ sudo semanage port -a -t websm_port_t -p tcp 9999
</pre>
<p>If the port is already defined by some other part of the SELinux policy, then
you will need to use the <code class="code">-m</code> argument to modify the definition. That's
the case with the <code class="code">443</code> SSL port, which is typically defined as an
<code class="code">http_port_t</code> port.</p>
<pre class="programlisting">
$ sudo semanage port -m -t websm_port_t -p tcp 443
</pre>
<p>The changes should take effect immediately.</p>
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="listen-firewalld"></a>Firewalld Port</h2></div></div></div>
<p>If <a class="ulink" href="https://fedoraproject.org/wiki/FirewallD" target="_top">Firewalld</a> is
configured as your firewall, then you will need to tell it to allow Cockpit to
receive connections on the new port. Run the following commands to do so. The last
options specify the desired TCP port.</p>
<pre class="programlisting">
$ sudo firewall-cmd [--zone=ZONE] --add-port=443/tcp
$ sudo firewall-cmd --permanent [--zone=ZONE] --add-port=443/tcp
</pre>
</div>
</div>
<div class="footer"><hr></div>
</body>
</html>