6.1. Web-Interface¶
Please be patient until we have time to rework this section or please file a PR for this section.
The standard login for the WebUI can be read below. We would recommend to change this as soon as possible!
Username: cobbler
Password: cobbler
6.1.1. Old Release 2.8.x¶
https://cobbler.readthedocs.io/en/release28/web-interface.html
6.1.2. Old GitHub-Wiki Entry¶
Most of the day-to-day actions in cobbler’s command line can be performed in Cobbler’s Web UI.
With the web user interface (WebUI), you can:
- View all of the cobbler objects and the settings
- Add and delete a system, distro, profile, or system
- Run the equivalent of a
cobbler sync
- Edit kickstart files (which must be in
/etc/cobbler
and/var/lib/cobbler/kickstarts
)
You cannot (yet):
- Auto-Import media
- Auto-Import a rsync mirror of install trees
- Do a
cobbler reposync
to mirror or update yum content - Do a
cobbler validateks
The WebUI can be very good for day-to-day configuring activities, but the CLI is still required for basic bootstrapping and certain other activities.
The WebUI is intended to be self-explanatory and contains tips and explanations for nearly every field you can edit. It also contains links to additional documentation, including the Cobbler manpage documentation in HTML format.
Who logs in and what they can access is controlled by [Web Authentication](Web Authentication) and [Web Authorization](Web Authorization). The default options are mostly good for getting started, but for safety reasons the default authentication is “denyall” so you will at least need to address that.
6.1.2.1. Basic Setup¶
- You must have installed the cobbler-web package
- Your
/etc/httpd/conf.d/cobbler_web.conf
should look something like this:
# This configuration file enables the cobbler web interface (django version)
# Force everything to go to https
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} ^/cobbler_web
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
WSGIScriptAlias /cobbler_web /usr/share/cobbler/web/cobbler.wsgi
# The following Directory Entry in Apache Configs solves 403 Forbidden errors.
<Directory "/usr/share/cobbler/web">
Order allow,deny
Allow from all
</Directory>
# Display Cobbler Themes + Logo graphics.
<Directory "/var/www/cobbler_webui_content">
Order allow,deny
Allow from all
</Directory>
- Your
/etc/cobbler/modules.conf
should look something like this:
[authentication]
module = authn_configfile
[authorization]
module = authz_allowall
- You should change the password for the ‘cobbler’ username, see Managing users.digest.
- If this is not a new install, your Apache configuration for Cobbler might not be current.
cp /etc/httpd/conf.d/cobbler.conf.rpmnew /etc/httpd/conf.d/cobbler.conf
- Now restart Apache and
cobblerd
.
/sbin/service cobblerd restart
/sbin/service httpd restart
- If you use SELinux, you may also need to set the following, so that the WebUI can connect with the [XMLRPC](XMLRPC):
setsebool -P httpd_can_network_connect true
6.1.2.2. Basic setup (2.2.x and higher)¶
In addition to the steps above, cobbler 2.2.x has a requirement for mod_wsgi
which, when installed via EPEL, will be
disabled by default. Attempting to start httpd will result in:
Invalid command 'WSGIScriptAliasMatch', perhaps misspelled \
or defined by a module not included in the server configuration
You can enable this module by editing /etc/httpd/conf.d/wsgi.conf
and un-commenting the
“LoadModule wsgi_module modules/mod_wsgi.so” line.
6.1.2.3. Next steps¶
It should be ready to go. From your web browser visit the URL on your bootserver that resembles:
https://bootserver.example.com/cobbler_web
and log in with the username (usually cobbler) and password that you set earlier.
Should you ever need to debug things, see the following log files:
/var/log/httpd/error_log
/var/log/cobbler/cobbler.log
6.1.2.4. Managing users.digest¶
Cobbler authenticates all WebUI logins through cobblerd
, which uses a configurable authentication mechanism. You may
wish to adjust that for your environment. For instance, if in modules.conf
above you choose to stay with the
authentication.configfile
module, you may want to add your system administrator usernames to the digest file.
Because the generated password isn’t supported by the htdigest
command you have to generate the entries yourself, and
to generate the password hashes it is recommended to use either openssl
or Python directly.
The entry format should be, where Cobbler
is the realm:
username:realm:hash
Example using openssl 1.1.1
or later:
printf "foobar" | openssl dgst -sha3-512
It is possible with openssl
to generate hashes for the following hash algorithms which are configurable: blake2b512,
blake2s256, shake128, shake256, sha3-224m sha3-256, sha3-384, sha3-512
Example using Python (using the python interactive shell):
import hashlib
hashlib.sha3_512("<PASSWORD>".encode('utf-8')).hexdigest()
Python of course will always have all possible hash algorithms available which are valid in the context of Cobbler.
Both examples return the same result when executed with the same password. The file itself is structured according to
the following: <USERNAME>:<REALM>:<PASSWORDHASH>
. Normally <REALM>
will be Cobbler
. Other values are
currently not valid. Please add the user, realm and passwordhash with your preferred editor. Normally there should be
no need to restart cobbler when a new user is added, removed or the password is changed. The authentication process
reads the file every time a user is authenticated.
You may also want to refine for authorization settings.
Before Cobbler 3.1.2 it was recommended to do edit the file users.digest
with the following command. Since md5
is not FIPS compatible from Cobbler 3.1.3 and onwards this is not possible anymore. The file was also just read once per
Cobbler start and thus a change of the data requires that Cobbler is restarted that it picks up these changes.
htdigest /etc/cobbler/users.digest "Cobbler" <username>
6.1.2.5. Rewrite Rule for secure-http¶
To redirect access to the WebUI via HTTPS on an Apache webserver, you can use the following rewrite rule, probably at
the end of Apache’s ssl.conf
:
### Force SSL only on the WebUI
<VirtualHost *:80>
<LocationMatch "^/cobbler_web/*">
RewriteEngine on
RewriteRule ^(.*) https://%{SERVER_NAME}/%{REQUEST_URI} [R,L]
</LocationMatch>
</VirtualHost>