Sometimes I just like a test-box with a GUI or two. Tossing some notes here on running Cockpit with virtual machines (KVM) and Docker with Portainer on Ubuntu 20.04 LTS. On a quick machine it’s a nice setup for testing all-kinds-of-stuff.
The trouble can be, if you just "apt install cockpit" you'll get a pretty old version, and in any case some tweaks are needed to get it working well.
Start with a fresh install…
Once we've got a system to boot, the hostname configured and the usual update & upgrade done, the process can be broken down into a few chunks here for ease of reading.
The especially handy stuff first, then how to get the newer cockpit from backports, plus a few why-nots.
(apt install):
- screen (probably there already)
- htop (recently not installed by default)
- tuned tuned-utils tuned-utils-systemtap (I don’t think it works but do plan to test eventually)
- cracklib-runtime (check your passwords)
- ufw (it’s easy!)
- certbot
- for some reason at the end I like to snap install bpytop.
Get cockpit-project backport:
apt install -t focal-backports cockpit cockpit-networkmanager cockpit-storaged cockpit-pcp cockpit-packagekit
My process:
This will get things installed and running. Start by creating "cert.sh" below; I like to have it handy for just tossing a cert on a machine based on its hostname. The one command-line argument is your email address, which Let's Encrypt requires. May as well create the script first so it's there when needed. One caveat: --standalone binds port 80 itself to answer the challenge, so port 80 has to be free both now and at every renewal; once Apache is listening there (netdata section below), check that certbot renew --dry-run still succeeds.
vi cert.sh:
#!/bin/bash
# Usage: ./cert.sh you@example.com
# Gets a Let's Encrypt cert for this host's name and drops it where Cockpit looks.
set -euo pipefail
EMAIL="${1:?usage: $0 email-address}"
# $HOSTNAME must be the FQDN you browse to, or the cert won't match (see the SSL note at the end)
certbot --agree-tos -m "$EMAIL" certonly -n -d "$HOSTNAME" --standalone
cp "/etc/letsencrypt/live/$HOSTNAME/fullchain.pem" /etc/cockpit/ws-certs.d/cert.crt
cp "/etc/letsencrypt/live/$HOSTNAME/privkey.pem" /etc/cockpit/ws-certs.d/cert.key
# Cockpit reads the cert at start-up, so restart it afterwards (systemctl restart cockpit)
## First installs
#
apt clean; apt update; apt -y upgrade
apt install -y screen htop tuned cracklib-runtime certbot
apt install -y -t focal-backports cockpit cockpit-networkmanager cockpit-storaged cockpit-pcp cockpit-packagekit cockpit-machines net-tools
## Get the cert
#
chmod +x cert.sh; ./cert.sh your@email.example
## Set a cron job to copy the latest cert to cockpit daily (certbot's own timer does the renewing).
## run-parts only executes files that are executable, so the file needs a shebang and +x or it will silently never run.
#
echo '#!/bin/sh' > /etc/cron.daily/certcopy
echo "cp /etc/letsencrypt/live/$HOSTNAME/fullchain.pem /etc/cockpit/ws-certs.d/cert.crt" >> /etc/cron.daily/certcopy
echo "cp /etc/letsencrypt/live/$HOSTNAME/privkey.pem /etc/cockpit/ws-certs.d/cert.key" >> /etc/cron.daily/certcopy
chmod 755 /etc/cron.daily/certcopy
## Run that to get the first copy, because why not.
/etc/cron.daily/certcopy
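The daily cron above blindly overwrites both files every night and leaves the restart to you. The script below is an added example (not part of the original notes or of Cockpit itself) that does the same copy but only touches the files when the certificate actually changed, replaces them atomically, and runs a reload command of your choosing only on change. The function name install_cert, the "updated"/"unchanged" output and the 0600 mode on the key are my choices; the destination names cert.crt and cert.key match what the notes use. The key mode assumes cockpit-ws reads the file as root, which is the case for the version installed here; if your Cockpit runs its TLS proxy as a separate user, widen the group accordingly.

```shell
#!/bin/sh
# install_cert SRC_DIR DST_DIR [RELOAD_CMD ARGS...]
#
# SRC_DIR  certbot's live dir, e.g. /etc/letsencrypt/live/$HOSTNAME
# DST_DIR  where Cockpit looks, /etc/cockpit/ws-certs.d
# RELOAD   optional command run only when a file actually changed,
#          e.g. systemctl restart cockpit
#
# Copies fullchain.pem -> cert.crt and privkey.pem -> cert.key (the same
# names the notes use), replacing each file atomically and only when its
# content differs, so a daily cron run is a no-op between renewals and
# Cockpit is not restarted for nothing.  Prints "updated" or "unchanged".
install_cert() {
    src="$1"; dst="$2"; shift 2
    changed=0
    for pair in "fullchain.pem:cert.crt" "privkey.pem:cert.key"; do
        from="$src/${pair%%:*}"
        to="$dst/${pair#*:}"
        if [ ! -r "$from" ]; then
            echo "install_cert: cannot read $from" >&2
            return 2
        fi
        # cmp -s also fails when $to does not exist yet, which counts as a change
        if ! cmp -s "$from" "$to"; then
            mkdir -p "$dst"
            tmp="$to.tmp.$$"
            cp "$from" "$tmp"
            case "$to" in
                # private key: owner only (assumption: cockpit-ws reads it as root)
                *.key) chmod 0600 "$tmp" ;;
                # the certificate is public anyway
                *)     chmod 0644 "$tmp" ;;
            esac
            # rename is atomic, so Cockpit never sees a half-written key
            mv "$tmp" "$to"
            changed=1
        fi
    done
    if [ "$changed" -eq 1 ]; then
        if [ "$#" -gt 0 ]; then
            "$@" || { echo "install_cert: reload command failed" >&2; return 1; }
        fi
        echo updated
    else
        echo unchanged
    fi
    return 0
}

# When executed directly: ./install-cert.sh SRC_DIR DST_DIR [RELOAD_CMD...]
if [ "$#" -ge 2 ]; then
    install_cert "$@"
fi
```

Drop it in /etc/cron.daily (or point certbot's --deploy-hook at it) as, for example, install_cert /etc/letsencrypt/live/$HOSTNAME /etc/cockpit/ws-certs.d systemctl restart cockpit. To confirm Cockpit is actually serving the Let's Encrypt cert rather than its self-signed one, run openssl s_client -connect localhost:9090 -servername "$HOSTNAME" </dev/null | openssl x509 -noout -issuer -dates and check the issuer and expiry.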
## Prep for docker
apt install apt-transport-https ca-certificates curl software-properties-common
## Set the apt source. Note apt-key trusts this key for every repository on the box; Docker's current
## instructions use a keyring file with [signed-by=...] instead, which scopes the key to this one repo.
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -; add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu focal stable"; apt update
## Apply the NetworkManager/netplan changes described at the end of these notes (make those edits first)
service NetworkManager restart; netplan generate; netplan apply
## By the way, a good time to install firewalld for later use: cockpit's firewall page drives firewalld,
## but don't run it alongside ufw, so keep it disabled until you've decided which one owns the rules.
#
apt install firewalld; systemctl disable firewalld
## ...aaannnd back to installing docker
apt install docker-ce
#
## Portainer. Two things to know before running this:
##  - Mounting /var/run/docker.sock gives the container full control of the Docker daemon, i.e. root on
##    the host, so whoever can log into Portainer owns the box.
##  - Docker writes its own iptables rules ahead of ufw's, so a "-p 9000:9000" publish is reachable from
##    outside regardless of ufw. Bind to an address (e.g. -p 127.0.0.1:9000:9000) if it shouldn't be public.
## The archive/ dir is mounted too because live/ only holds symlinks into it, and the cert handed to
## Portainer is fullchain.pem rather than cert.pem so clients get the intermediate as well.
#
docker run -d -p 9000:9000 -p 10000:10000 --name portainer --restart always \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v portainer-data:/data \
  -v /etc/letsencrypt/live/$HOSTNAME:/certs/live/$HOSTNAME:ro \
  -v /etc/letsencrypt/archive/$HOSTNAME:/certs/archive/$HOSTNAME:ro \
  portainer/portainer --ssl --sslcert /certs/live/$HOSTNAME/fullchain.pem --sslkey /certs/live/$HOSTNAME/privkey.pem
#
#
#################################
## Then because I love extensive visuals & metrics
## most of which I'll not need...
#################################
#
#
apt install -y netdata-web netdata-apache2 netdata-plugins-bash netdata-plugins-python python3-certbot-apache
## For easy viewing we'll add an SSL virtualhost with a reverse proxy.
## ProxyPass needs mod_proxy and mod_proxy_http, which are not enabled by default:
a2enmod proxy proxy_http
#
#
cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/001-netdata-ssl.conf; a2ensite 001-netdata-ssl
## Tweak your confs, I like to add a virtualhost just for netdata
## Then before adding proxy confs I like to SSL it & test (with the apache plugin installed, certbot edits the vhost for you)
certbot -d "$HOSTNAME"
## Start netdata & see where it binds, then-
## Add the following lines to your apache site conf...
/etc/init.d/netdata start; netstat -anp | grep 999
## For me I see: 127.0.0.1:19999
# ProxyPass / http://127.0.0.1:19999/
# ProxyPassReverse / http://127.0.0.1:19999/
## I toss the above in directly under the ServerAdmin line
## Reload apache and you're set. Keep in mind netdata has no login of its own: proxying it onto 443 puts
## every metric (process names, users, mounts) on the internet unless the vhost adds auth or an allowlist.
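Since the ProxyPass lines above expose an unauthenticated netdata on 443, here is what the finished vhost looks like with HTTP basic auth in front of the proxy. This is an added example, not a file from the original notes or from the netdata or Apache projects: the file name follows the cp above, the server name netdata.example.com, the htpasswd path and the log names are assumptions to replace, and the certificate lines are the ones certbot's apache plugin would otherwise insert for you.

```apache
# /etc/apache2/sites-available/001-netdata-ssl.conf (example; names are placeholders)
# Needs: a2enmod ssl proxy proxy_http   (auth_basic is enabled by default)
# Create the password file with: htpasswd -c /etc/apache2/netdata.htpasswd admin
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName netdata.example.com
    ServerAdmin webmaster@example.com

    SSLEngine on
    # Let's Encrypt paths for the name above; fullchain so clients get the intermediate
    SSLCertificateFile    /etc/letsencrypt/live/netdata.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/netdata.example.com/privkey.pem

    # netdata itself has no authentication; gate everything behind basic auth
    <Location "/">
        AuthType Basic
        AuthName "netdata"
        AuthUserFile /etc/apache2/netdata.htpasswd
        Require valid-user
    </Location>

    # netdata binds to 127.0.0.1:19999 (as seen in the netstat output above)
    ProxyPreserveHost On
    ProxyPass        "/" "http://127.0.0.1:19999/"
    ProxyPassReverse "/" "http://127.0.0.1:19999/"

    ErrorLog  ${APACHE_LOG_DIR}/netdata-error.log
    CustomLog ${APACHE_LOG_DIR}/netdata-access.log combined
</VirtualHost>
</IfModule>
```

Run apache2ctl configtest before systemctl reload apache2; with the Location block in place, curl -I https://netdata.example.com/ should answer 401 until you supply credentials, which is the quick check that the dashboard is no longer world-readable. htpasswd comes from the apache2-utils package.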
## Bonus: Include Fail2Ban data in Netdata (assumes fail2ban is installed and logging to /var/log/fail2ban.log):
chown root:netdata /var/log/fail2ban.log
chmod 640 /var/log/fail2ban.log
## At the bottom of /etc/logrotate.d/fail2ban, change:
# create 640 root adm
## to:
create 640 root netdata
## Then update Netdata:
cd /etc/netdata
# Replace above path with your Netdata config directory, if different
./edit-config python.d/fail2ban.conf
## At the bottom, add (the indentation matters, it's YAML):
local:
  log_path: '/var/log/fail2ban.log'
  conf_path: '/etc/fail2ban/jail.local'
  exclude: 'dropbear apache'
## Save, exit & restart netdata.
The networking changes adjust the system so that cockpit can manage the network interfaces: Ubuntu Server renders netplan through systemd-networkd by default, while cockpit-networkmanager only talks to NetworkManager. Compared with the stock files, the changes are managed=true and renderer: NetworkManager; the rest is the default.
So the network will be ready on restart:
# cat /etc/NetworkManager/NetworkManager.conf
[main]
plugins=ifupdown,keyfile

[ifupdown]
managed=true
# cat /etc/netplan/01-netcfg.yaml
# This file describes the network interfaces available on your system
# For more information, see netplan(5).
network:
  version: 2
  renderer: NetworkManager
  ethernets:
(your interface definitions go under ethernets:, copied from the existing netplan file)
One caveat: on a cloud-init installed box the installer's own netplan file (typically 50-cloud-init.yaml) is merged in as well and gets regenerated on boot, so either put the renderer change in that file or disable cloud-init's network handling with a drop-in in /etc/cloud/cloud.cfg.d/ containing network: {config: disabled}.
SSL: as you can see above, you just copy the cert files and set up a cron to do it regularly, because symlinks into the letsencrypt directory didn't work for cockpit in my setup and I'm not going to spend time futzing with it. This assumes your install has a working FQDN in place ($HOSTNAME must be the name you browse to, and DNS for it must point at this box; check with hostname -f), or you'll need to manually replace $HOSTNAME.
When cockpit is restarted (systemctl restart cockpit) you should have a fully functional certificate on https://hostname:9090/. Same for the Portainer container above. Also don't forget to hit the Portainer login page at https://hostname:9000/ and set your admin password before some random passer-by does it for you: until that's done the first visitor gets to pick it, and with the Docker socket mounted that means root on the host.
I’m forgetting a step.
Note that the PCP metrics can also be exported to grafana via flip of a switch. I’m going to look into that eventually.
Usually afterward I also end up rebooting. In short, the netdata part boils down to:
- Install netdata & dependencies: apt install netdata-core netdata-apache2 netdata-plugins-bash netdata-web
- Install certbot's apache plugin: apt install python3-certbot-apache
- Enable apache's SSL site: a2ensite default-ssl
- Set the certificate to be used in apache, with the port 80 redirect, the quick way: run certbot (interactive, it picks up the apache plugin)
- Reload apache afterwards: systemctl reload apache2
You can install livepatch, automatic updates, and you’re ready to test all the KVMs & dockers you can handle.