-
Notifications
You must be signed in to change notification settings - Fork 217
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
964a342
commit e95186f
Showing
1 changed file
with
43 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,43 @@ | ||
| --- | ||
| title: Cockpit 330 | ||
| author: martinpitt | ||
| date: '2024-12-04' | ||
| tags: cockpit | ||
| slug: cockpit-330 | ||
| category: release | ||
| summary: 'bootc support, sysext development mode' | ||
| --- | ||
|
|
||
| Cockpit is the [modern Linux admin interface](https://cockpit-project.org/). | ||
| We release regularly. | ||
|
|
||
| Here are the release notes from Cockpit 330: | ||
|
|
||
|
|
||
| ## Web server: Increased sandboxing, `setuid` removal, `bootc` support | ||
|
|
||
| Cockpit's web server already had low privilege levels, but previously used a [setuid](https://en.wikipedia.org/wiki/Setuid) helper program `cockpit-session` for user logins. That helper had restricted permissions and was only executable by Cockpit (through group ownership). Its sole purpose was to run at the system level and immediately drop permissions to log in to a specific user account. However, the binary was still `setuid`, and `setuid` should be avoided for security reasons. | ||
|
|
||
| This release removes the `setuid` flag from the helper. `cockpit-session` now starts via systemd socket activation, with the Cockpit web server connecting to it using a protected UNIX socket in the `/run` directory. This approach enables tighter sandbox security by preventing the login session from being a direct descendant of the web server process. It also [fixes Cockpit on bootc images](https://github.com/cockpit-project/cockpit/issues/21201). | ||
|
|
||
| All Cockpit components now run as dynamic users created at startup using the `DynamicUser=` systemd feature. Existing systems may still have a `cockpit-ws` user (and very old systems might even have associated TLS certificates). However, this `cockpit-ws` user is no longer required and can be safely deleted. | ||
|
|
||
| ## Development: New install mode using `systemd-sysext` | ||
|
|
||
| To simplify development, a new build tool can install Cockpit as a [systemd-sysext](https://www.freedesktop.org/software/systemd/man/latest/systemd-sysext.html) (system extension). This enables testing all parts of Cockpit (web server, login page, systemd units, and bridge) directly on the host system, safely and quickly, without modifying the disk or having to use a virtual machine. Installation is temporary in `/run/extensions/` and cleared on reboot. | ||
|
|
||
| Read [the documentation for detailed instructions](https://github.com/cockpit-project/cockpit/blob/main/HACKING.md#working-on-your-local-machine-systemd-sysext). | ||
|
|
||
|
|
||
| ## Try it out | ||
|
|
||
| Cockpit 330 is available now: | ||
|
|
||
| * [For your Linux system](https://cockpit-project.org/running.html) | ||
| * [Cockpit Client](https://flathub.org/apps/details/org.cockpit_project.CockpitClient) | ||
|
|
||
| * [Cockpit Source Tarball](https://github.com/cockpit-project/cockpit/releases/tag/330) | ||
| * [Cockpit Fedora 41](https://bodhi.fedoraproject.org/updates/FEDORA-2024-60684a3b16) | ||
| * [Cockpit Fedora 40](https://bodhi.fedoraproject.org/updates/FEDORA-2024-ba2375d278) | ||
|
|
||
| *[TLS]: Transport Layer Security |