Port tunneling for the Cockpit web service

[afbjorklund]

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind feature

Description

The port for the cockpit web interface (9090) is not tunneled in machine, only ssh (22)

There needs to be a similar port opened, either the real one or some random local port.

Steps to reproduce the issue:

1. Install Cockpit and reboot the VM

podman machine ssh sudo rpm-ostree install cockpit-system cockpit-ostree cockpit-podman cockpit-pcp
podman machine ssh sudo systemctl reboot

2. Start the cockpit web service

podman machine ssh sudo podman container runlabel --name cockpit-ws RUN docker.io/cockpit/ws
podman machine ssh sudo podman container runlabel INSTALL docker.io/cockpit/ws
podman machine ssh sudo systemctl enable --now cockpit.service

3. https://localhost:9090

Describe the results you received:

"Unable to connect"

Describe the results you expected:

"Fedora CoreOS: Log in"

Additional information you deem important (e.g. issue happens only occasionally):

Using ssh is a workaround, similar to how to set up the compatibility unix socket for docker.

-L 9090:localhost:9090

But maybe there should be an option to set up tunneling for Cockpit, and output the URL ?

Note: I did have to set up a password for the "core" user, according to the instructions.

$ podman machine ssh
...
[core@linux ~]$ echo 'PasswordAuthentication yes' | sudo tee /etc/ssh/sshd_config.d/02-enable-passwords.conf
PasswordAuthentication yes
[core@linux ~]$ sudo systemctl try-restart sshd
[core@linux ~]$ sudo passwd core
Changing password for user core.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.

And I did have to accept the self-signed certificate in the web browser (for the https)...

Output of podman version:

3.3.1

Output of podman info --debug:

(paste your output here)

Package info (e.g. output of rpm -q podman or apt list podman):

(paste your output here)

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/master/troubleshooting.md)

Yes

Additional environment details (AWS, VirtualBox, physical, etc.):

Ubuntu 20.04

[afbjorklund]

According to the somewhat missing documentation (mostly gathered from https://github.com/containers/gvisor-tap-vsock)
it is possible to use gvproxy instead of ssh -L :

start tunneling

curl http://localhost:7777/services/forwarder/expose \
     -X POST -d '{"local":":9090","remote":"192.168.127.2:9090"}'

stop tunneling

curl http://localhost:7777/services/forwarder/unexpose \
     -X POST -d '{"local":":9090"}'

This command is run on the host, after the machine is started...

$ podman machine init
Downloading VM image: fedora-coreos-35.20211017.1.0-qemu.x86_64.qcow2.xz: done  
Extracting compressed file
WARN[0050] Failed to decode the keys ["machine"] from "/home/anders/.config/containers/containers.conf". 
$ podman machine start
INFO[0000] waiting for clients...                       
INFO[0000] listening tcp://0.0.0.0:7777                 
INFO[0000] new connection from @ to /run/user/1000/podman/qemu_podman-machine-default.sock 
Waiting for VM ...
Machine "podman-machine-default" started successfully

There it shows the address (7777) to use for the HTTP API.

$ curl http://localhost:7777/services/forwarder/all
[{"local":":45315","remote":"192.168.127.2:22"},{"local":":9090","remote":"192.168.127.2:9090"}]

The IP address seems to be hardcoded for now, though ?

-device virtio-net-pci,netdev=vlan,mac=5a:94:ef:e4:0c:ee

                DHCPStaticLeases: map[string]string{
                        "192.168.127.2": "5a:94:ef:e4:0c:ee",
                },

[mheon]

@baude @cevich Weren't you two working on this?

[baude]

yes, i was altering gvproxy to do this without ssh. i was also trying to do this without the password setup. we have some possibilities here too.

[afbjorklund]

Sorry, didn't see the other issue about cockpit support

[afbjorklund]

Note that gvproxy no longer exposes 7777, so you have to do it some other way.

• PR podman machine improve port forwarding #12283

[afbjorklund]

This will be done internally in podman and gvproxy instead, with authentication.

• RFE: Provide a Podman Desktop for Linux, Windows and Mac podman-desktop/podman-desktop#158

[Luap99]

Note that gvproxy no longer exposes 7777, so you have to do it some other way.

* PR [podman machine improve port forwarding containers/podman#12283](https://github.com/containers/podman/pull/12283)

You can use podman machine ssh curl http://gateway.containers.internal/services/forwarder/expose -X POST -d '{"local":":9090","remote":":9090"}'

[afbjorklund]

But it seemed like the preferred approach for cockpit was to use ssh, anyway ?

• How to run cockpit UI in macos-podman? cockpit-project/cockpit-podman#807