cockpit-ws
Run the Cockpit web service
TLDR
Start with authentication via SSH at 127.0.0.1 with port 22 enabled
Start an HTTP server on a specific port
Start and bind to a specific IP address (defaults to 0.0.0.0)
Start without TLS
Display help
SYNOPSIS
cockpit-ws [-h] [-V] [-p PORT] [-a ADDRESS] [-c DIR] [--local-session] [--no-tls] [--for-debugger] [--max-instances N]
PARAMETERS
-h, --help
Display help and exit
-V, --version
Display version information
-p PORT, --port PORT
TCP port to listen on (default: 9090)
-a ADDRESS, --address ADDRESS
IP address to listen on (default: all interfaces)
-c DIR, --cert DIR
Directory for TLS certificates (default: /etc/cockpit/ws-certs.d)
--local-session
Require local login only, no remote WebSocket access
--no-tls
Disable TLS (not recommended for production)
--for-debugger
Allow WebSocket debuggers to connect
--max-instances N
Maximum concurrent instances (default: 128)
DESCRIPTION
cockpit-ws is the core WebSocket server component of the Cockpit web-based administration tool for Linux servers. It handles incoming HTTPS and WebSocket connections, authenticates users via PAM, and manages sessions by spawning per-user cockpit-bridge processes. These bridges interface with system services like systemd, NetworkManager, and storage tools, enabling remote management through a modern web interface.
Typically launched as a systemd service (cockpit.socket), it listens on port 9090 by default and serves the static Cockpit web content. It supports TLS encryption with self-signed or custom certificates stored in /etc/cockpit/ws-certs.d. For production, it's recommended to proxy via Apache or Nginx for advanced TLS features.
cockpit-ws enforces local authentication by default but can be configured for remote access via SSH or Kerberos. It integrates seamlessly with SELinux and firewalld, automatically opening necessary ports. Key features include real-time metrics, terminal access, and package management, making server administration accessible via any modern browser without plugins.
Security-focused design limits privileges, with options for debugging or local-only sessions. It's lightweight, with minimal resource usage even under load.
CAVEATS
Requires root privileges or setuid. --no-tls leaves traffic unencrypted. Ensure the firewall allows port 9090. SELinux contexts must be correct for custom certificates.
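The exposure these caveats describe can be checked mechanically before a unit file or wrapper script is deployed. The following is an added example, not part of the original page or the Cockpit project: it classifies a cockpit-ws command line using only the -a/--address, -p/--port and --no-tls flags and the defaults documented above. The function names audit_cockpit_ws and is_loopback, the severity labels and the sample command lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the network exposure of a cockpit-ws command line.
# Only flags listed in the SYNOPSIS above are interpreted; others are ignored.

# True when the bind address is reachable from the local host only.
is_loopback() {
    case "$1" in
        127.*|::1) return 0 ;;
        *)         return 1 ;;
    esac
}

# Prints one line: "<SEVERITY> addr=<addr> port=<port> <reason>".
# The body runs in a subshell so its variables stay local.
audit_cockpit_ws() (
    addr="0.0.0.0"   # default per this page: all interfaces
    port="9090"      # default per this page
    tls="yes"
    while [ "$#" -gt 0 ]; do
        case "$1" in
            -a|--address) if [ "$#" -ge 2 ]; then addr="$2"; shift; fi ;;
            --address=*)  addr="${1#--address=}" ;;
            -p|--port)    if [ "$#" -ge 2 ]; then port="$2"; shift; fi ;;
            --port=*)     port="${1#--port=}" ;;
            --no-tls)     tls="no" ;;
        esac
        shift
    done

    if [ "$tls" = "no" ] && ! is_loopback "$addr"; then
        echo "HIGH addr=$addr port=$port plaintext HTTP reachable beyond loopback"
    elif [ "$tls" = "no" ]; then
        echo "INFO addr=$addr port=$port plaintext on loopback only; terminate TLS in a local proxy"
    elif [ "$addr" = "0.0.0.0" ] || [ "$addr" = "::" ]; then
        echo "INFO addr=$addr port=$port TLS on, all interfaces; confirm firewall scope"
    else
        echo "OK addr=$addr port=$port TLS on, bound to a single address"
    fi
)

# Constructed command lines, not taken from a real host.
audit_cockpit_ws --no-tls
audit_cockpit_ws --no-tls -a 127.0.0.1 -p 9091
audit_cockpit_ws -p 9090
audit_cockpit_ws --address=192.0.2.10
```

The second case is the layout the page recommends for production: cockpit-ws on loopback with Apache or Nginx terminating TLS in front of it.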
INTEGRATION
Spawned by cockpit.socket systemd unit; pairs with cockpit-bridge for DBus proxying.
SECURITY
Uses PAM for auth; supports SSSD/Kerberos; proxy via httpd or nginx for HSTS/OCSP.
HISTORY
Developed by Red Hat starting in 2014 as an open-source project; cockpit-ws evolved from atomic cockpit-ws and is now integral to RHEL, Fedora, and Debian. Major versions track Cockpit releases (e.g., v300+ added WebSocket streaming).
SEE ALSO
cockpit(1), cockpit-bridge(1), systemctl(1)


