cockpit-ws
Run the Cockpit web service
TLDR
Start with authentication via SSH at 127.0.0.1 with port 22 enabled
Start an HTTP server on a specific port
Start and bind to a specific IP address (defaults to 0.0.0.0)
Start without TLS
Display help
SYNOPSIS
cockpit-ws [OPTIONS...]
PARAMETERS
--port=PORT
Specifies the TCP port that cockpit-ws listens on (default 9090).
--listen-address=ADDRESS
Specifies the IP address cockpit-ws binds to. By default, it listens on all configured network interfaces.
--local-ssh
Forces cockpit-ws to connect to cockpit-bridge via SSH on localhost instead of directly. Useful in certain proxy setups.
--no-tls
Disables HTTPS (TLS) encryption. Highly insecure and should only be used for debugging on trusted networks.
--no-pam
Disables PAM authentication. Extremely insecure and should never be used in production environments.
--help
Displays a brief help message and exits.
--version
Displays the cockpit-ws version information and exits.
DESCRIPTION
cockpit-ws is the core web server component of the Cockpit project, an open-source, web-based graphical interface for managing Linux servers. It typically listens on TCP port 9090 (by default) for HTTPS connections, serving the necessary web assets (HTML, CSS, JavaScript) to the user's browser. Furthermore, it establishes WebSocket connections that facilitate real-time communication with the underlying system through the cockpit-bridge process.
cockpit-ws handles user authentication, often via PAM, and manages web sessions, making it indispensable for providing a secure and interactive web-based administration experience. It allows users to monitor performance, manage services, view logs, configure networking, and perform various administrative tasks directly from a web browser without needing a separate client application.
CAVEATS
Normally, cockpit-ws is started and managed by the systemd socket activation service (cockpit.socket), meaning it's rarely invoked directly by users. Disabling TLS (--no-tls) or PAM authentication (--no-pam) makes the server highly insecure and should only be done for debugging purposes in controlled environments. Ensure port 9090 (or custom port) is open in the firewall for external access.
DEFAULT PORT AND SECURITY
cockpit-ws defaults to listening on TCP port 9090, exclusively using HTTPS (TLS) for secure communication. It integrates with the system's Pluggable Authentication Modules (PAM) for user authentication, ensuring that only authenticated users with sufficient privileges can access the server.
ARCHITECTURE OVERVIEW
cockpit-ws serves the static web assets (HTML, CSS, JavaScript) to your browser and establishes WebSocket connections. These WebSockets communicate with the cockpit-bridge process, which in turn interacts with system services, D-Bus, and the shell to execute commands and retrieve system information, providing a real-time interactive experience.
HISTORY
The Cockpit project, including cockpit-ws, was initiated by Red Hat and first publicly released around 2014. Its primary goal was to provide a modern, web-based interface for managing Linux servers without abstracting away underlying system tools and concepts. cockpit-ws has been a core component since its inception, responsible for the web interface and secure communication, evolving alongside web technologies and Linux distribution features like systemd and Podman.
SEE ALSO
cockpit(1), cockpit-bridge(8), systemd(1), sshd(8), firewalld(8)