From 7c9785edef148a363318ef7e61b1d259082d25be Mon Sep 17 00:00:00 2001 From: spmfox Date: Wed, 3 Jul 2024 17:48:10 -0400 Subject: switching to bastion mode for cockpit-ws container, removing centos logos since cockpit-ws bastion cannot use them --- README.md | 5 +++++ deploy.yml | 23 +++++++++++++++++------ templates/bootcblade.containerfile.j2 | 2 +- 3 files changed, 23 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 537c0e4..72196db 100644 --- a/README.md +++ b/README.md @@ -120,5 +120,10 @@ There was some advice in that thread about using the containerized version of `` and not baked into the image. [https://quay.io/repository/cockpit/ws](https://quay.io/repository/cockpit/ws) +Using this containerized version of ```cockpit-ws``` also brought problems, using the privileged container caused mount points to be held inside the container. +This meant once the container started, ZFS datasets could not be deleted since they were still "mounted" inside the container. To workaround this bastion mode +is being used instead. That means to login to Cockpit you have to use the host ```host.containers.internal```. SSL certificates can still be added to the +```/etc/cockpit/ws-certs.d``` directory - it is mounted into the container. + This also explains why I'm using rpm vs dnf to install the 45Drives Cockpit packages - they have a dependency on ```cockpit-ws``` that I need to override. Once the official ```cockpit-files``` package is released I will be using that instead of ```cockpit-navigator```. diff --git a/deploy.yml b/deploy.yml index f7583ac..a62e0a4 100644 --- a/deploy.yml +++ b/deploy.yml 
@@ -103,14 +103,25 @@ - "bootc-fetch-apply-updates.timer" - "bootc-fetch-apply-updates.service" - - name: Install container-based cockpit-ws - ansible.builtin.shell: "podman container runlabel INSTALL quay.io/cockpit/ws systemctl enable cockpit.service" + - name: Generate quadlet file for cockpit-bastion + ansible.builtin.shell: "podman run --rm -it ghcr.io/containers/podlet -i podman run --rm -d --name cockpit-bastion -p 9090:9090 -v /etc/cockpit/ws-certs.d/:/etc/cockpit/ws-certs.d/:rw,Z quay.io/cockpit/ws" + register: cockpit_bastion_quadlet - - name: Enable and start container-based Cockpit - ansible.builtin.systemd: - name: "cockpit.service" + - name: Install quadlet file for cockpit-bastion + ansible.builtin.copy: + content: "{{ cockpit_bastion_quadlet.stdout }}" + dest: "/etc/containers/systemd/cockpit-bastion.container" + + - name: Create SSL certificate directory for cockpit-ws + ansible.builtin.file: + path: "/etc/cockpit/ws-certs.d" + state: directory + + - name: Start cockpit-bastion service + ansible.builtin.systemd_service: + name: "cockpit-bastion.service" state: "started" - enabled: true + daemon-reload: true vars: ansible_user: "root" tags: configure diff --git a/templates/bootcblade.containerfile.j2 b/templates/bootcblade.containerfile.j2 index 3dfdb32..a366bd1 100644 --- a/templates/bootcblade.containerfile.j2 +++ b/templates/bootcblade.containerfile.j2 @@ -16,7 +16,7 @@ RUN dnf -y install epel-release git && \ # KVM & Cockpit RUN echo "qemu:x:107:107:qemu user:/:/sbin/nologin" >> /etc/passwd && \ dnf -y install qemu-kvm libvirt virt-install virt-viewer && \ - dnf -y install cockpit-bridge cockpit-machines cockpit-pcp cockpit-podman cockpit-storaged cockpit-system cockpit-navigator cockpit-selinux cockpit-ostree centos-logos && \ + dnf -y install cockpit-bridge cockpit-machines cockpit-pcp cockpit-podman cockpit-storaged cockpit-system cockpit-navigator cockpit-selinux cockpit-ostree && \ systemctl enable libvirt-guests && \ dnf clean all -- cgit
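Review bot: In the deploy.yml hunk, the new "Generate quadlet file for cockpit-bastion" task runs `ghcr.io/containers/podlet` with no tag or digest, and the next task writes whatever it printed to `/etc/containers/systemd/cockpit-bastion.container` as root, so the text of a root-run systemd unit depends on whichever image the registry serves at deploy time; `quay.io/cockpit/ws` is unpinned in the same way. Pin both by digest, e.g. `ghcr.io/containers/podlet@sha256:<PODLET_DIGEST>` and `quay.io/cockpit/ws@sha256:<COCKPIT_WS_DIGEST>` (placeholders), or commit the rendered unit under `templates/` and install it with `ansible.builtin.template` so the unit text is reviewable in the repository. The `-it` on the outer `podman run` asks for a TTY that an Ansible shell task does not provide and may leave carriage returns in `cockpit_bastion_quadlet.stdout`; plain `podman run --rm` should be enough. The copy and file tasks set no `owner` or `mode`; since `/etc/cockpit/ws-certs.d` holds the certificates (and presumably their keys) and is mounted `rw,Z` into a container published with `-p 9090:9090`, explicit `owner: "root"` and `mode` values are worth adding. The play these tasks belong to starts above the hunk, so its hosts and privilege settings are not visible here.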