在ArchLinux安装Cockpit

万古一梦

2023-10-07

archlinux Cockpit

Cockpit
Cockpit介绍：

Cockpit是一个基于Web的系统管理工具，可以帮助管理员轻松地管理多台服务器。它提供了直观的用户界面，可用于监视系统性能、文件系统、网络状态等，并支持远程管理和配置。

起因

昨天服务器一天卡死了三次，都是服务器读写剧增导致的，连腾讯云的VNC都卡住了，只能强制重启服务器解决，但是重启后没多久就又卡死了。看日志也没出现可疑的程序，所以准备装个Cockpit方便观察。

安装

archlinux仓库里面有，可以直接安装，Cockpit还自带了几个插件，按需安装。

pacman -S cockpit cockpit-pcp cockpit-storaged cockpit-packagekit

各个依赖可以自己选择安装，具体依赖信息看下图:
Pasted image 20230307133345

安装后默认使用9090端口，如果端口占用是无法启动的，所以需要手动配置文件，修改启动端口。

配置

端口配置

如果端口没有占用可以忽略这一步。
端口占用问题创建/etc/systemd/system/cockpit.socket.d/listen.conf文件，如果文件夹不存在就自己创建。修改配置文件为：

[Socket]  
ListenStream=  
ListenStream=8090   #8090为你没有占用的端口，可以自己选择

注意：具有空值的第一行是有意的。 systemd允许多个 Listen在单个套接字单元中声明的指令；插入文件中的空值会重置列表，从而禁用原始设备的默认端口 9090。

要使修改生效需要执行：

 systemctl daemon-reload
 systemctl restart cockpit.socket

链接地址：https://cockpit-project.org/guide/latest/listen

nginx配置

修改端口为9080并启动服务后需要配置nginx配置，我的nginx配置在下面：

server {  
	   listen 80;
       server_name cockpit.example.com;  
  
       # security headers  
       add_header X-Frame-Options "SAMEORIGIN" always;  
       add_header X-XSS-Protection "1; mode=block" always;  
       add_header X-Content-Type-Options "nosniff" always;  
       add_header Referrer-Policy "no-referrer-when-downgrade" always;  
       add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;  
  
       # . files  
       location ~ /\.(?!well-known) {  
               deny all;  
       }  
       # gzip  
       gzip on;  
       gzip_vary on;  
       gzip_proxied any;  
       gzip_comp_level 6;  
       gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;  
  
       # logging  
       access_log /var/log/nginx/cockpit.example.com.access.log;  
       error_log /var/log/nginx/cockpit.example.com.error.log warn;  
  
       # reverse proxy  
       location / {  
               proxy_pass http://127.0.0.1:8090;  
  
               proxy_http_version      1.1;  
               proxy_cache_bypass      $http_upgrade;  
               proxy_set_header Upgrade                $http_upgrade;  
               proxy_set_header Connection             "upgrade";  
               proxy_set_header Host                   $host;  
               proxy_set_header X-Real-IP              $remote_addr;  
               proxy_set_header X-Forwarded-For        $proxy_add_x_forwarded_for;  
               proxy_set_header X-Forwarded-Proto      $scheme;  
               proxy_set_header X-Forwarded-Host       $host;  
               proxy_set_header X-Forwarded-Port       $server_port;  
       }  
  
}

重启nginx或重载nginx后即可使用你设置的域名进行访问。

配置TLS证书

如果你要使用TLS证书访问https网址，需要继续修改配置，首先需要创建证书，推荐使用certbot创建，因为可以设置timer进行自动续订。
使用certbot创建后的nginx配置文件：

server {  
  
       server_name cockpit.example.com;  
  
       # security headers  
       add_header X-Frame-Options "SAMEORIGIN" always;  
       add_header X-XSS-Protection "1; mode=block" always;  
       add_header X-Content-Type-Options "nosniff" always;  
       add_header Referrer-Policy "no-referrer-when-downgrade" always;  
       add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;  
  
       # . files  
       location ~ /\.(?!well-known) {  
               deny all;  
       }  
       # gzip  
       gzip on;  
       gzip_vary on;  
       gzip_proxied any;  
       gzip_comp_level 6;  
       gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;  
  
       # logging  
       access_log /var/log/nginx/cockpit.example.com.access.log;  
       error_log /var/log/nginx/cockpit.example.com.log warn;  
  
  
       # reverse proxy  
       location / {  
               proxy_pass https://127.0.0.1:8090;  
  
               proxy_http_version      1.1;  
               proxy_cache_bypass      $http_upgrade;  
  
               proxy_set_header Upgrade                $http_upgrade;  
               proxy_set_header Connection             "upgrade";  
               proxy_set_header Host                   $host;  
               proxy_set_header X-Real-IP              $remote_addr;  
               proxy_set_header X-Forwarded-For        $proxy_add_x_forwarded_for;  
               proxy_set_header X-Forwarded-Proto      $scheme;  
               proxy_set_header X-Forwarded-Host       $host;  
               proxy_set_header X-Forwarded-Port       $server_port;  
       }  
  
  
   listen [::]:443 ssl ipv6only=on; # managed by Certbot  
   listen 443 ssl; # managed by Certbot  
   ssl_certificate /etc/letsencrypt/live/cockpit.example.com/fullchain.pem; # managed by Certbot  
   ssl_certificate_key /etc/letsencrypt/live/cockpit.example.com/privkey.pem; # managed by Certbot  
   include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot  
   ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot  
  
}  
  
  
server {  
   if ($host = cockpit.example.com) {  
       return 301 https://$host$request_uri;  
   } # managed by Certbot  
  
  
       listen 80;  
       listen [::]:80;  
  
       server_name cockpit.example.com;  
   return 404; # managed by Certbot  
  
  
}

配置文件就类似这样，但是要注意proxy_pass https://127.0.0.1:8090; 这一行，这里写的是https，不改不能访问，修改后还需要进行操作。
需要在/etc/cockpit/cockpit.conf文件里添加配置，如果没有该文件就手动创建。

[WebService]  
Origins = https://cockpit.example.com wss://cockpit.example.com  
ProtocolHeader = X-Forwarded-Proto

修改配置后重启cockpit和nginx即可使用root账号和密码登录网页。
参考：https://cockpit-project.org/external/wiki/Proxying-Cockpit-over-NGINX

后记

等我登录网页版后才发现我的硬盘只剩下 2G 多一点，难怪一直卡死，我使用gdu分析了硬盘占用，发现很早之前搭建的宝塔的docker镜像占用了 30G ，清理后再也没卡死。
gdu也在源里可以使用pacman进行安装，类似的软件还有ncdu，使用方法就是gdu 要扫描的目录，相比ncdu，gdu速度更快一点。