beiboot: Enable beiboot feature for distro packages for same OS #21121
Conversation
martinpitt
force-pushed
the
beiboot-same-os
branch
from
ebcbf6a
to
6786f23
Compare
|
@jelly @mvollmer please treat the review requests as an "AND" (usually it's an "OR"). I've already talked this over with @allisonkarlitskaya but I'd value both of your opinions here. |
src/cockpit/beiboot.py
Outdated
| logger.debug("cockpit.check-os-release: local: %r", local_os) | ||
| # for now, just support the same OS | ||
| if remote_os.get('ID') != local_os.get('ID') or remote_os.get('VERSION_ID') != local_os.get('VERSION_ID'): | ||
| msg = f'Unsupported OS {remote_os.get("ID", "?")} {remote_os.get("VERSION_ID", "?")}' |
There was a problem hiding this comment.
Do we need to give the user a tiny bit more information? In theory their OS is supported if they install the relevant cockpit packages (but then it is no longer beiboot).
Just wondering in general if it makes sense to expand the error message a bit as currently it is not really actionable.
There was a problem hiding this comment.
Yeah, good point -- the previous error message (i.e. from main) isn't great either. It's not translated/translatable and has the "no-cockpit" error code in it, and doesn't give you anything actionable either. I think we need to handle this error code properly on the login page, and find a way to convey the os-release information in an extra error field. I can work on that, either as a prerequisite (and block this), or as a follow-up.
There was a problem hiding this comment.
This can be a follow up (as long as it makes next week's release)
There was a problem hiding this comment.
There was a problem hiding this comment.
.. and in the next step it could look like this:
A compatible version of Cockpit is not installed on HOST. This is only supported for the following operating systems on the target machine:
- fedora 40
- fedora 41
- rhel 10
... and so on.
martinpitt
added
the
blocked
martinpitt
force-pushed
the
beiboot-same-os
branch
4 times, most recently
from
9390083
to
a74fe38
Compare
martinpitt
removed
the
blocked
|
I'm redesigning the login page alerts in #21130, but that (1) is a lot of work, and (2) needs some iteration. This PR is otherwise ready, and I'd like to unblock the next step to open it up for more OSes. |
src/cockpit/beiboot.py
Outdated
| help="How to run cockpit-bridge from the remote host: auto: if installed (default), " | ||
| "never: always copy the local one; " | ||
| "supported: copy local one for compatible OSes, fail otherwise; " |
There was a problem hiding this comment.
I think supported will use the installed cockpit-bridge if there is one, right? This isn't clear from the docs here, they make it sound like it's a variant of never, while it is actually a variant of auto.
There was a problem hiding this comment.
Right, it prefers the remote bridge if installed. I fixed the help. Thanks for spotting!
We want to re-use it in beiboot.py.
We recently eliminated all on-demand installations of cockpit-* packages in beiboot mode, which prevents accidentally moving from a beiboot to a distro package scenario. This means we can now carefully open up the beiboot feature for distro packages. However, we need to be careful here: While we can reasonably assume an ever-green flatpak and cockpit/ws container, distro packages may be arbitrarily old, and hence incompatible with APIs from newer OSes. So start small and only allow connecting to the same target OS as the host. This should already cover a lot of use cases in homogenous environments. Note that this only applies to direct logins (bastion host). The code path for the (deprecated) host switcher is completely different and doesn't support beiboot at all. Drop the `no-cockpit` part of TestLoopback.testBasic. Removing /usr/bin/cockpit-bridge now just enables beiboot mode, the OS is always compatible (as it's localhost), and we already check this in TestMultiMachine. Part of https://issues.redhat.com/browse/COCKPIT-1178
martinpitt
force-pushed
the
beiboot-same-os
branch
from
a74fe38
to
180cd87
Compare
| @@ -1037,7 +1037,13 @@ function debug(...args) { | |||
| } else if (xhr.status == 403) { | |||
| login_failure(_(decodeURIComponent(xhr.statusText)) || _("Permission denied")); | |||
| } else if (xhr.status == 500 && xhr.statusText.indexOf("no-cockpit") > -1) { | |||
| login_failure(format(_("A compatible version of Cockpit is not installed on $0."), login_machine || "localhost")); | |||
| // always show what's going on | |||
| let message = format(_("A compatible version of Cockpit is not installed on $0."), login_machine || "localhost"); | |||
There was a problem hiding this comment.
This added line is not executed by any test.
We recently eliminated all on-demand installations of cockpit-* packages in beiboot mode, which prevents accidentally moving from a beiboot to a distro package scenario.
This means we can now carefully open up the beiboot feature for distro packages. However, we need to be careful here: While we can reasonably assume an ever-green flatpak and cockpit/ws container, distro packages may be arbitrarily old, and hence incompatible with APIs from newer OSes. So start small and only allow connecting to the same target OS as the host. This should already cover a lot of use cases in homogenous environments.
Note that this only applies to direct logins (bastion host). The code path for the (deprecated) host switcher is completely different and doesn't support beiboot at all.
Drop the
no-cockpitpart of TestLoopback.testBasic. Removing /usr/bin/cockpit-bridge now just enables beiboot mode, the OS is always compatible (as it's localhost), and we already check this in TestMultiMachine.Part of https://issues.redhat.com/browse/COCKPIT-1178
Note that this is an initial step -- we can extend this by translating our bots testmap into a list of allowed OSes, if/when we want to.
Depends on:
Follow-ups:
Connect to similar servers without Cockpit installed
The Cockpit Client flatpak has been capable of connecting to remote machines without Cockpit installed since its beginning in release 295. Recently in version 326, the cockpit/ws container got the same feature.
With this release Cockpit gradually introduces this feature to the standard Linux distribution packages (rpm/deb/Arch). Initially you can connect to a remote machine without installed Cockpit if it runs the same operating system version as the host from which you make the connection. This ensures compatibility and safety: The flatpak and ws container can be assumed to be always up to date in production, and hence can connect to any OS. But distribution packages can be quite old, and thus not be compatible when connecting to newer OS versions.