5. Web Interface¶
- 5.1. Security Overview
- 5.2. Web Authentication
- 5.2.1. Deny All (Default)
- 5.2.2. Digest
- 5.2.3. Defer to Apache / Kerberos
- 5.2.3.1. Passthru
- 5.2.3.2. Bonus
- 5.2.3.3. Configure the Authentication and Authorization Modes
- 5.2.3.4. A Note About Security
- 5.2.3.5. Configure your /etc/krb5.conf
- 5.2.3.6. Modify your Apache configuration file
- 5.2.3.7. Restart Things And test
- 5.2.3.8. A Note About Usernames
- 5.2.3.9. Customizations
- 5.2.3.10. A note about restarting cobblerd
- 5.2.4. LDAP
- 5.2.5. Spacewalk
- 5.2.6. Testing
- 5.2.7. User Supplied
- 5.3. Web Authorization
- 5.4. Locking Down Cobbler
This section of the manual covers the Cobbler Web Interface. With the web user interface (WebUI), you can:
- View all of the cobbler objects and the settings
- Add and delete a system, distro, profile, or system
- Run the equivalent of a “cobbler sync”
- Edit kickstart files (which must be in
/etc/cobblerand/var/lib/cobbler/kickstarts)
You cannnot (yet):
- Auto-Import media
- Do a “cobbler validateks”
The WebUI is intended to be self-explanatory and contains tips and explanations for nearly every field you can edit. It also contains links to additional documentation, including the Cobbler manpage documentation in HTML format.
5.5. Basic Setup¶
- You must have installed the cobbler-web package
- Your
/etc/cobbler/modules.confshould look something like this:
[authentication]
module = authn_configfile
[authorization]
module = authz_allowall
- Change the password for the ‘cobbler’ username:
htdigest /etc/cobbler/users.digest "Cobbler" cobbler
- If this is not a new install, your Apache configuration for Cobbler might not be current.
cp /etc/httpd/conf.d/cobbler.conf.rpmnew /etc/httpd/conf.d/cobbler.conf
- Now restart Apache and Cobblerd
/sbin/service cobblerd restart
/sbin/service httpd restart
- If you use SELinux, you may also need to set the following, so that the WebUI can connect with the [XMLRPC](XMLRPC):
setsebool -P httpd_can_network_connect true
5.6. Basic setup (2.2.x and higher)¶
In addition to the steps above, cobbler 2.2.x has a requirement for mod_wsgi which, when installed via EPEL, will be
disabled by default. Attempting to start httpd will result in:
Invalid command 'WSGIScriptAliasMatch', perhaps misspelled \
or defined by a module not included in the server configuration
You can enable this module by editing /etc/httpd/conf.d/wsgi.conf and un-commenting the
LoadModule wsgi_module modules/mod_wsgi.so line.
5.6.1. Next steps¶
It should be ready to go. From your web browser visit the URL on your bootserver that resembles:
https://bootserver.example.com/cobbler_web and log in with the username (usually cobbler) and password that you
set earlier.
Should you ever need to debug things, see the following log files:
/var/log/httpd/error_log
/var/log/cobbler/cobbler.log
5.6.2. Further setup¶
Cobbler authenticates all WebUI logins through cobblerd, which uses a configurable authentication mechanism. You may
wish to adjust that for your environment. For instance, if in modules.conf above you choose to stay with the
authn_configfile module, you may want to add your system administrator usernames to the digest file:
htdigest /etc/cobbler/users.digest "Cobbler" <username>
You may also want to refine for authorization settings.
5.6.3. Rewrite Rule for secure-http¶
To redirect access to the WebUI via https on an Apache webserver, you can use the following rewrite rule, probably at
the end of Apache’s ssl.conf:
### Force SSL only on the WebUI
<VirtualHost *:80>
<LocationMatch "^/cobbler/web/*">
RewriteEngine on
RewriteRule ^(.*) https://%{SERVER_NAME}/%{REQUEST_URI} [R,L]
</LocationMatch>
</VirtualHost>