New Server Manager cannot get to work

Thank you Pike. Unfortunately, I have no idea how to add this to the shorewall config, as it warns not to mess with the config. I'm stumped. :frowning:

Latest update:
Added:

ACCEPT loc $FW tcp 9090
ACCEPT net $FW tcp 9090
to a new template in /etc/e-smith/templates-custom/etc/shorewall/rules/90newserver

which allows me to go to the webpage but it is bad wrong. I'm not sure what to do here:
it says CentOS on the top instead of NethServer 7.7
There is the server name in the left side window but no menu options and the dashboard is broken.

Hope it’s o.k. to jump in.

There should already be a template /etc/e-smith/templates/etc/shorewall/rules/60cockpit.
=> cat /etc/e-smith/templates/etc/shorewall/rules/60cockpit

#
# 60cockpit
#
?COMMENT cockpit
{
    my $port = '9090';
    my $access = ${'cockpit.socket'}{'access'} || 'green';
    my $limit = ${'cockpit.socket'}{'LimitAccess'} || '';

    if ($limit ne '') {
        $limit = ":$limit";
    }
    if ($access =~ 'green') {
        $OUT .= "ACCEPT\tloc\t\$FW\ttcp\t$port\n";
    }
    if ($access =~ 'red') {
        $OUT .= "ACCEPT\tnet$limit\t\$FW\ttcp\t$port\n";
    }
}

which should do

#
# 60cockpit
#
?COMMENT cockpit
ACCEPT  loc     $FW     tcp     9090

in /etc/shorewall/rules.

If not try: expand-template /etc/shorewall/rules and signal-event firewall-adjust

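The template above emits a `net` rule only when `access` contains `red`, and narrows it to `net:<hosts>` when `LimitAccess` is set. As an added example (not part of the original posts and not NethServer code), this Python script audits expanded rules for management ports accepted from the whole WAN zone; the function names and sample rules are constructed, while the zone name `net` and ports 980/9090 come from the thread.

```python
# Management ports named in this thread: old Server Manager (980), Cockpit (9090).
ADMIN_PORTS = {980, 9090}

def port_matches(dport, ports):
    """True if a Shorewall DPORT field (comma list, low:high ranges) covers a port."""
    for part in dport.split(","):
        low, _, high = part.partition(":")
        if not low.isdigit():
            continue  # service names are not resolved here
        top = int(high) if high.isdigit() else int(low)
        if any(int(low) <= p <= top for p in ports):
            return True
    return False

def exposed_admin_rules(rules_text, wan_zone="net"):
    """Return (source, dport) for ACCEPT rules that open an admin port on the
    firewall itself to the whole WAN zone, i.e. with no zone:host restriction."""
    findings = []
    for raw in rules_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("?"):  # blank, comment, ?COMMENT directive
            continue
        cols = line.split()
        if len(cols) < 5:
            continue
        action, source, dest, _proto, dport = cols[:5]
        if action.split(":")[0] != "ACCEPT" or dest != "$FW":
            continue
        zone, _, hosts = source.partition(":")
        if zone in (wan_zone, "all", "any") and not hosts and port_matches(dport, ADMIN_PORTS):
            findings.append((source, dport))
    return findings

# Constructed sample; 203.0.113.10 is a documentation address.
SAMPLE_RULES = """\
?COMMENT cockpit
ACCEPT  loc               $FW  tcp  9090
ACCEPT  net               $FW  tcp  9090
ACCEPT  net:203.0.113.10  $FW  tcp  9090
ACCEPT  net               $FW  tcp  22
"""

if __name__ == "__main__":
    for source, dport in exposed_admin_rules(SAMPLE_RULES):
        print(f"admin port {dport} open to unrestricted source {source}")
```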

Thank you for jumping in :slight_smile:

the rules are on the 1st server but not the server in question.

#
# 60cockpit
#
?COMMENT cockpit
ACCEPT loc $FW tcp 9090
ACCEPT net $FW tcp 9090

that is from the 1st server

on the second server that we are talking about:
ad2 log]# ll /etc/e-smith/templates/etc/shorewall/rules/
total 48
-rw-r--r-- 1 root root 560 Oct 28 04:47 10base00header
-rw-r--r-- 1 root root 48 Oct 28 04:47 10base20established
-rw-r--r-- 1 root root 870 Oct 28 04:47 10base20established90nfq
-rw-r--r-- 1 root root 803 Oct 28 04:47 10base50related
-rw-r--r-- 1 root root 32 Oct 28 04:47 10base90new
-rw-r--r-- 1 root root 635 Oct 28 04:47 20ping
-rw-r--r-- 1 root root 251 Oct 28 04:47 30dns
-rw-r--r-- 1 root root 3076 Oct 28 04:47 50pf
-rw-r--r-- 1 root root 414 Nov 12 03:44 60cockpit
-rw-r--r-- 1 root root 1738 Oct 28 04:47 60rules
-rw-r--r-- 1 root root 2284 Oct 28 04:47 70services
-rw-r--r-- 1 root root 259 Oct 28 04:47 90dns_blue

@ad2 log]# cat /etc/e-smith/templates/etc/shorewall/rules/60cockpit

#
# 60cockpit
#
?COMMENT cockpit
{
    my $port = '9090';
    my $access = ${'cockpit.socket'}{'access'} || 'green';
    my $limit = ${'cockpit.socket'}{'LimitAccess'} || '';

    if ($limit ne '') {
        $limit = ":$limit";
    }
    if ($access =~ 'green') {
        $OUT .= "ACCEPT\tloc\t\$FW\ttcp\t$port\n";
    }
    if ($access =~ 'red') {
        $OUT .= "ACCEPT\tnet$limit\t\$FW\ttcp\t$port\n";
    }
}

Commented my custom rules set and signal-event firewall-adjust then ran your commands. Now I show:

#
# 60cockpit
#
?COMMENT cockpit
ACCEPT loc $FW tcp 9090

#
# 60rules
#

and reloading the …:980 …then launching the …:9090 page it is still not correct:


and logging in shows it further not correct:

there are no menu options … nothing.
As on the 1st server:

thank you all for helping me out :slight_smile:

almost as if dependencies did not install with new-server manager ?

You can try if it works after reinstalling these packages:

yum reinstall nethserver-cockpit cockpit cockpit-{bridge,storaged,system,ws}

Good morning Marc, I did as you advised and rebooted. The firewall rule is still there:

#
# 60cockpit
#
?COMMENT cockpit
ACCEPT loc $FW tcp 9090

#
# 60rules
#

But the port is not open:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:873 0.0.0.0:* LISTEN 1949/rsync
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1/systemd
tcp 0 0 0.0.0.0:273 0.0.0.0:* LISTEN 2417/stunnel
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 2374/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2376/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 2379/cupsd
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 2939/master
tcp6 0 0 :::443 :::* LISTEN 2440/httpd
tcp6 0 0 :::873 :::* LISTEN 1949/rsync
tcp6 0 0 :::111 :::* LISTEN 1/systemd
tcp6 0 0 :::80 :::* LISTEN 2440/httpd
tcp6 0 0 :::980 :::* LISTEN 2394/httpd
tcp6 0 0 :::53 :::* LISTEN 2374/dnsmasq
tcp6 0 0 :::22 :::* LISTEN 2376/sshd
tcp6 0 0 ::1:631 :::* LISTEN 2379/cupsd
tcp6 0 0 :::25 :::* LISTEN 2939/master
udp 0 0 0.0.0.0:37649 0.0.0.0:* 1968/avahi-daemon:
udp 0 0 0.0.0.0:53 0.0.0.0:* 2374/dnsmasq
udp 0 0 0.0.0.0:69 0.0.0.0:* 2374/dnsmasq
udp 0 0 0.0.0.0:111 0.0.0.0:* 1/systemd
udp 0 0 0.0.0.0:123 0.0.0.0:* 2013/chronyd
udp 0 0 127.0.0.1:323 0.0.0.0:* 2013/chronyd
udp 0 0 0.0.0.0:835 0.0.0.0:* 1938/rpcbind
udp 0 0 0.0.0.0:5353 0.0.0.0:* 1968/avahi-daemon:
udp6 0 0 :::53 :::* 2374/dnsmasq
udp6 0 0 :::69 :::* 2374/dnsmasq
udp6 0 0 :::111 :::* 1/systemd
udp6 0 0 :::123 :::* 2013/chronyd
udp6 0 0 ::1:323 :::* 2013/chronyd
udp6 0 0 :::835 :::* 1938/rpcbind

If i start the cockpit service:

systemctl start cockpit

]# systemctl status cockpit
● cockpit.service - Cockpit Web Service
Loaded: loaded (/usr/lib/systemd/system/cockpit.service; static; vendor preset: disabled)
Active: active (running) since Thu 2019-11-14 08:21:16 EST; 5s ago
Docs: man:cockpit-ws(8)
Process: 4142 ExecStartPre=/usr/sbin/remotectl certificate --ensure --user=root --group=cockpit-ws --selinux-type=etc_t (code=exited, status=0/SUCCESS)
Main PID: 4156 (cockpit-ws)
CGroup: /system.slice/cockpit.service
└─4156 /usr/libexec/cockpit-ws

Nov 14 08:21:16 … systemd[1]: Starting Cockpit Web Service…
Nov 14 08:21:16 … remotectl[4142]: /usr/bin/chcon: can’t apply partial context to unlabeled file ‘/etc/cockpi…ed.cert’
Nov 14 08:21:16 … remotectl[4142]: remotectl: couldn’t change SELinux type context ‘etc_t’ for certificate: /…code 1
Nov 14 08:21:16 … systemd[1]: Started Cockpit Web Service.
Nov 14 08:21:16 … cockpit-ws[4156]: Using certificate: /etc/cockpit/ws-certs.d/0-self-signed.cert
Hint: Some lines were ellipsized, use -l to show in full.
]# systemctl |grep cockpit
cockpit.service loaded active running Cockpit Web Service
cockpit.socket loaded active running Cockpit Web Service Socket

and go to the webpage… it is still the same as above picture… no menus no info

Thank you for your help!

Perhaps there is something missing that cockpit serves?

On a working system it shall start without human intervention.

# systemctl is-enabled cockpit.socket
enabled
# systemctl is-enabled cockpit.service
static

Did you activate the service with:

systemctl enable cockpit

These messages are usually not relevant (same warnings on a working system).


Did you install NethServer on top of a CentOS base?


The working server is using bonded interfaces (like the non-working seems to use)?

Thank you for taking time to help.

]# systemctl is-enabled cockpit.service
static
]# systemctl is-enabled cockpit.socket
disabled
]# systemctl enable cockpit.socket
Created symlink from /etc/systemd/system/sockets.target.wants/cockpit.socket to /usr/lib/systemd/system/cockpit.socket.
]# systemctl is-enabled cockpit.socket
enabled

And no, I had used the same ISO I used with the 1st server, the NethServer ISO: 7.6.1810-x86_64

yes both servers have bonded nics.

You’re probably right. Maybe a yum install/update ended abruptly resulting in a partial transaction or there are missing packages.

You can try if it makes any difference running:

yum update @nethserver-iso

Hi Marc, I did as requested and the only one was nethserver-phonehome. If I recall, before the latest updates to cockpit on the 1st server I had to install additional “stuff” to make cockpit work there.

Resolving Dependencies
--> Running transaction check
---> Package nethserver-phonehome.noarch 0:1.3.0-1.ns7 will be updated
---> Package nethserver-phonehome.noarch 0:1.4.0-1.ns7 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

========================================================================================================================================
Package Arch Version Repository Size

Updating:
nethserver-phonehome noarch 1.4.0-1.ns7 nethserver-updates 20 k

Transaction Summary

Upgrade 1 Package

one-liner command:

yum install nethserver-cockpit PackageKit PackageKit-{glib,yum} cockpit cockpit-{bridge,packagekit,storaged,system,ws} device-mapper-multipath device-mapper-multipath-libs dosfstools expect gdisk json-glib libatasmart glib-networking gsettings-desktop-schemas iscsi-initiator-utils iscsi-initiator-utils-iscsiuio libblockdev libblockdev-{crypto,fs,loop,lvm,mdraid,part,swap,utils} libbytesize libgudev1 libudisks2 mpfr perl-String-ShellQuote pygobject2 python-pwquality tcl udisks2 udisks2-{iscsi,lvm2} volume_key-libs nethserver-cockpit-lib

Thank you for continuing to help me. I did this command as you wrote and it came back with:
Resolving Dependencies
--> Running transaction check
---> Package PackageKit-glib.x86_64 0:1.1.10-1.el7.centos will be installed
---> Package pygobject2.x86_64 0:2.28.6-11.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

========================================================================================================================================
Package Arch Version Repository Size

Installing:
PackageKit-glib x86_64 1.1.10-1.el7.centos ce-base 127 k
pygobject2 x86_64 2.28.6-11.el7 ce-base 226 k

Transaction Summary

Install 2 Packages

Total download size: 354 k
Installed size: 1.3 M
Is this ok [y/d/N]:

Running transaction
Installing : PackageKit-glib-1.1.10-1.el7.centos.x86_64 1/2
Installing : pygobject2-2.28.6-11.el7.x86_64 2/2
Verifying : pygobject2-2.28.6-11.el7.x86_64 1/2
Verifying : PackageKit-glib-1.1.10-1.el7.centos.x86_64 2/2

Installed:
PackageKit-glib.x86_64 0:1.1.10-1.el7.centos pygobject2.x86_64 0:2.28.6-11.el7

Rebooted the server and it still shows CentOS on the login screen. I log in with root and pass and it still shows no menu:

Almost as if it's not pointing to a config? Maybe a default config it is using? But not sure where to check the difference on 1st server compared to 2nd server. If this matters, I have the 2nd server configured as hot spare slave.

More info:
when I put in the https://FQDN:9090
the screen is blank with only the windows for login.

When I put in the ip:9090 it is the CentOS login again.

rpm -Va # capture any damaged/incomplete rpms - but will also show lots of configuration files, which you of course expect to be modified:

Maybe… I don’t know.

Good morning Marc, I ran the rpm -Va but have no idea what the results mean LOL. I tried to research examples but was not successful. Thank you for your continuing help :slight_smile:

rpm -Va

.M.......  g /boot/initramfs-3.10.0-957.21.3.el7.x86_64.img
S.5....T.  c /etc/yum.conf
S.5....T.  c /etc/selinux/targeted/contexts/files/file_contexts.subs
S.5....T.  c /etc/yum/yum-cron.conf
.M.......  g /boot/initramfs-3.10.0-957.21.2.el7.x86_64.img
S.5....T.  c /etc/ppp/chap-secrets
S.5....T.  c /etc/ppp/pap-secrets
S.5....T.  c /etc/krb5.conf
.M.......    /var/lib/nethserver/ibay
.....UG..  g /var/run/avahi-daemon
S.5....T.  c /etc/samba/smb.conf
..5....T.  c /etc/yum.repos.d/CentOS-SCLo-scl-rh.repo
S.5....T.  c /etc/ssh/sshd_config
S.5....T.  c /etc/logrotate.conf
.M.......  g /etc/pki/ca-trust/extracted/java/cacerts
.M.......  g /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
.M.......  g /etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem
.M.......  g /etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
.M.......  g /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
.......T.  c /var/log/smbaudit.log
S.5....T.  c /etc/nethserver/eorepo.conf
S.5....T.  c /etc/nethserver/pkginfo.conf
....L....  c /etc/pam.d/fingerprint-auth
....L....  c /etc/pam.d/password-auth
....L....  c /etc/pam.d/postlogin
....L....  c /etc/pam.d/smartcard-auth
....L....  c /etc/pam.d/system-auth
..5....T.  c /etc/yum/pluginconf.d/nethserver_events.conf
S.5....T.  c /etc/sysconfig/authconfig
S.5....T.  c /etc/yum.repos.d/NethServer.repo
.M.......  g /boot/initramfs-3.10.0-957.el7.x86_64.img
.....UG..    /var/lib/nethserver/vmail
S.5....T.    /usr/share/arp-scan/ieee-iab.txt
S.5....T.    /usr/share/arp-scan/ieee-oui.txt
S.5....T.  c /etc/openldap/ldap.conf
S.5....T.  c /etc/sysconfig/run-parts
.......T.    /boot/efi/EFI/BOOT/BOOTX64.EFI
.......T.    /boot/efi/EFI/BOOT/fallback.efi
.......T.    /boot/efi/EFI/BOOT/fbx64.efi
.......T.    /boot/efi/EFI/centos/BOOT.CSV
.......T.    /boot/efi/EFI/centos/BOOTX64.CSV
.......T.    /boot/efi/EFI/centos/MokManager.efi
.......T.    /boot/efi/EFI/centos/mmx64.efi
.......T.    /boot/efi/EFI/centos/shim.efi
.......T.    /boot/efi/EFI/centos/shimx64-centos.efi
.......T.    /boot/efi/EFI/centos/shimx64.efi
S.5....T.  c /etc/collectd.d/ping.conf
S.5....T.  c /etc/rsyncd.conf
S.5....T.  c /etc/lsm/lsm.conf
S.5....T.  c /etc/firehol/fireqos.conf
S.5....T.  c /etc/issue
S.5....T.  c /etc/yum.repos.d/CentOS-Base.repo
.M.......  g /var/lock/iscsi
.M.......  g /var/lock/iscsi/lock
S.5....T.  c /etc/cups/cups-browsed.conf
S.5....T.  c /etc/collectd.d/filter.conf
S.5....T.  c /etc/chrony.conf
SM5....T.  c /etc/shorewall/actions
SM5....T.  c /etc/shorewall/findgw
SM5....T.  c /etc/shorewall/hosts
SM5....T.  c /etc/shorewall/interfaces
SM5....T.  c /etc/shorewall/maclist
SM5....T.  c /etc/shorewall/mangle
SM5....T.  c /etc/shorewall/nat
SM5....T.  c /etc/shorewall/policy
SM5....T.  c /etc/shorewall/providers
SM5....T.  c /etc/shorewall/rtrules
SM5....T.  c /etc/shorewall/rules
SM5....T.  c /etc/shorewall/shorewall.conf
SM5....T.  c /etc/shorewall/snat
SM5....T.  c /etc/shorewall/stoppedrules
SM5....T.  c /etc/shorewall/tcinterfaces
SM5....T.  c /etc/shorewall/tcpri
SM5....T.  c /etc/shorewall/tunnels
SM5....T.  c /etc/shorewall/zones
S.5....T.  c /etc/davfs2/davfs2.conf
S.5....T.  c /etc/davfs2/secrets
......G..    /var/lib/nethserver/sieve-scripts
S.5....T.  c /etc/httpd/conf.d/welcome.conf
S.5....T.  c /etc/collectd.conf
..5....T.  c /etc/yum.repos.d/CentOS-SCLo-scl.repo
S.5....T.  c /etc/dnsmasq.conf
S.5....T.  c /etc/postfix/main.cf

https://linux.die.net/man/8/rpm
S file Size differs
M Mode differs (includes permissions and file type)
5 digest (formerly MD5 sum) differs
D Device major/minor number mismatch
L readlink (2) path mismatch
U User ownership differs
G Group ownership differs
T mTime differs
P caPabilities differ

Just wanted to check if some files were marked as missing, but nothing useful after all.

If anyone else can jump in to help, it will be appreciated.
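The `rpm -Va` check discussed above is easier to read once expected config-file changes are filtered out. As an added example (not from the original posts), this Python script decodes the nine flag columns using the legend quoted from rpm(8) and keeps only missing files and content changes in non-config, non-ghost files; the function names and the sample input are constructed, and the last sample path is hypothetical.

```python
import re

# Flag letters as listed in the rpm(8) legend quoted in the thread.
FLAGS = {"S": "size", "M": "mode", "5": "digest", "D": "device",
         "L": "symlink", "U": "user", "G": "group", "T": "mtime",
         "P": "capabilities"}

# "<nine flag columns, or 'missing'> [attribute marker] <path>"
LINE = re.compile(r"^(missing|[SM5DLUGTP.?]{9})\s+(?:([cdglr])\s+)?(/.*)$")

def parse(line):
    """Return (changed attributes, marker, path), or None if not a verify line."""
    m = LINE.match(line.rstrip())
    if not m:
        return None
    flags, marker, path = m.groups()
    if flags == "missing":
        return ["missing"], marker, path
    return [FLAGS[c] for c in flags if c in FLAGS], marker, path

def triage(output):
    """Keep what points to a damaged install: missing files, and content
    changes in files that are not config (c) or ghost (g) entries."""
    findings = []
    for line in output.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        changed, marker, path = parsed
        if "missing" in changed and marker != "g":
            findings.append(("missing", path))
        elif "digest" in changed and marker not in ("c", "g"):
            findings.append(("content-changed", path))
    return findings

# Constructed sample in rpm's nine-column layout; the last path is hypothetical.
SAMPLE = """\
S.5....T.  c /etc/yum.conf
.M.......  g /boot/initramfs-3.10.0-957.el7.x86_64.img
S.5....T.    /usr/share/arp-scan/ieee-oui.txt
.......T.    /boot/efi/EFI/centos/shim.efi
SM5....T.  c /etc/shorewall/rules
missing      /usr/lib64/libexample.so.0
"""

if __name__ == "__main__":
    for kind, path in triage(SAMPLE):
        print(f"{kind:16} {path}")
```

On a live system the input would be the saved output of `rpm -Va`; a changed digest on a library or binary, or a `missing` line, is the signal for `yum reinstall` of the owning package.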

Hi, try to exec:

/usr/libexec/cockpit-ws

and if an error like this appears:

/usr/libexec/cockpit-ws: error while loading shared libraries: /lib64/libjson-glib-1.0.so.0: file too short

run:

yum reinstall json-glib

then

systemctl restart cockpit