Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

Chapter 3. Using Cockpit

3.1. Getting to know the Cockpit interface

Once you have logged in, you will see the main Cockpit interface. It has the Dashboard tab on the top and a side menu with details for the selected system on the left. The Dashboard shows a list of all systems added to the Cockpit server with graphs for their CPU usage, memory usage, disk I/O, and network traffic.


From Dashboard, you can select a system name, in this case primary-host, and have a look at the side menu:

System: Shows information about the system that Cockpit is running on. This includes CPU usage, memory usage, disk I/O, and network traffic, as well as hardware and operating system details.


Logs: See messages produced by the systemd journal, including errors, warnings, and notices. The log is similar to the output of the journalctl command. The log displays newest entries first, with options to filter by type.


Networking: See networking interfaces (for example, eth0) and active graphs of sent and received data.


Accounts: Shows which administrative (root) and other users (for example, alan, djohnson) have accounts on the system.


Services: Shows the systemd services running on the Cockpit server. You can see which are active/enabled or inactive. You can also see other systemd features: Targets, sockets, timers, and paths.


Select a service to view its details:


Diagnostic reports: Collects system configuration and diagnostics information and prepares a report in the .xz compressed format.


You can then download the report locally to your system:

diagnostics report download

Kernel dump configuration: Shows kdump status and configuration and allows to crash the kernel to test kdump.


SELinux: Shows whether SELinux is enabled and lists access control errors.


Click on an error to see detailed information about it, proposed solution, and audit log:


Subscriptions: Displays installed Red Hat products and subscriptions.


Terminal: Opens an in-browser terminal with a command line session to the Cockpit system. In this terminal, you can run commands from your signed-in user account. For example, as root, you could run the systemctl start or dnf install commands.


For Red Hat Enterprise Linux Atomic Host systems, there are additional features in the Cockpit interface. See Cockpit Interface Specific to Atomic Host.

3.1.1. Adding secondary systems

Once you log in to the primary server, you will be able to connect to secondary servers. These secondary systems need to have:

  • The cockpit packages installed.
  • An SSH server running and available on port 22 that supports password or key-based authentication.

To add a new secondary server:

  1. From the "Dashboard" tab next to the system name, click the plus button.
  2. Enter IP of the server you are adding and choose a color label for it.
  3. Click the "Add" button.


  4. Log in to the system with a user name and password:

    add host passwd

Configuring Key-Based Authentication

If you have keys generated on the primary server, you need to add them to the target server, in the ~/.ssh/authorized_keys file. If you do not have keys, use the following command:

$ ssh-keygen

Next, copy the contents of the ~/.ssh/ file to the ~/.ssh/authorized_keys file on the target server. Then, return to the user interface on the primary server, click the top right corner menu with the user name on it, choose Authentication, and enable the preloaded key.


After you type in the IP when adding the new system to the Dashboard, change the Authentication type to Use available credentials.

3.1.2. Logging into other systems through Cockpit

On the login screen, you can also choose an alternate host to connect to.

The alternate host needs to have:

  • SSH listening on port 443
  • the cockpit-bridge package and all relevant subpackages to interact with the system, such as cockpit-system, installed. The packages should be the same version as in the Cockpit server.

To connect to an alternate host:

  1. Type in your user name and password from that alternate host and click Other Options.
  2. In the entry field type the IP address of the new host and click Log In.
  3. Provide the SSH fingerprint and click Log In again.

Now you are able to browse the new system. Cockpit uses SSH to authenticate you against that host, so you do not need to configure anything else on the new system.


If the new machine is not known to Cockpit, and you get the Refusing to connect. Host is unknown error, use the following command to allow connections from unknown hosts:

ssh-keyscan -H [ip_address] >> /var/lib/cockpit/known_hosts

3.1.3. Logging into a system via a Bastion Host

On the Cockpit login screen you can choose an alternate host to connect to. Cockpit uses SSH to authenticate you against that host and to display the admin interface for that host.

Although browsers cannot use SSH directly to connect to machines or authenticate against them, Cockpit can make this happen. Only one host needs to have Cockpit listen on port 9090 available to browsers over TLS. Other hosts only need to have SSH accessible on the usual port 22.

3.2. Changing the Cockpit port

To change the Cockpit port:

  1. If required, create the /etc/systemd/system/websocket.cockpit.d/ directory and its parent directories:

    # mkdir -p /etc/systemd/system/websocket.cockpit.d/
  2. Create the /etc/systemd/system/websocket.cockpit.d/listen.conf file with these contents:

  3. Allow the new port through the firewall:

    # firewall-cmd --add-port=9898/tcp
    # firewall-cmd --permanent --add-port=9898/tcp
  4. If you have SELinux enabled, change the default SELinux policy to allow the websm_port_t domain to listen on the TCP 9898 port:

    $ sudo semanage port -a -t websm_port_t -p tcp 9898

    If the port is already defined by some other part of the SELinux policy, use the -m argument instead of -a to modify the definition:

    $ sudo semanage port -m -t websm_port_t -p tcp 9898
    1. To make the changes take effect, run the following commands:

      $ sudo systemctl daemon-reload
      $ sudo systemctl restart cockpit.socket

You can now use the address with the newly assigned port in the web browser.

For changing port on a Red Hat Enterprise Linux Atomic Host system, see Changing the Cockpit port on Atomic Host.

3.3. Enabling more Cockpit features

You can add more Cockpit features by installing additional cockpit-* packages using yum.