Linux Fu: System Administration Made Easier

Linux can have a somewhat split personality. If you use it as a desktop OS, it has a lot of GUI tools, although sometimes you still need to access the command line. If you use it as a headless server, though, you probably ought to know your way around the command line pretty well. This is especially true if you don’t want to litter up your hard drive (and CPU) with X servers and other peculiarities of the graphical user interface.

Personally, I like the command line, but I am realistic enough to know that not everyone shares that feeling. I’ll also admit that for some tasks — especially those you don’t do very often — it is nice to have some helpful buttons and menus. There are several administration tools that you might be interested in using to handle administration tasks on your Linux machines. I’m going to look at two of them you might want to experiment with that both use a Web browser to provide their interface.

Why two? Well, first, it is certainly in the Linux tradition that there is more than one way to do any particular thing. On top of that — again, sort of a Linux tradition — each tool has its plusses and minuses. The Webmin tool has a huge number of plugins to manage lots and lots of different things. However, Cockpit is more modern and, assuming it supports what you need, probably more usable.

Disclaimer

Oh, and just to get it out of the way. Yes, there are some people who think tools like this are an abomination. I think it depends on your goals. If you are administering a highly-secure server for a giant corporation, maybe these tools shouldn’t be your first stop. As I mentioned, I don’t mind the command line, but I do use Webmin only because it provides Usermin which lets me provide a GUI to my friends who have accounts on my machine so they can do basic administration tasks related to their accounts. I’ve found Cockpit’s system monitoring to be nice even though I don’t do much in the way of changes using the system.

Even if you like using tools like this you really should get comfortable with the command line, at least for common tasks. One interesting tidbit though. Both tools allow you to launch a command line in your browser, at least to some extent.

Webmin

Webmin is probably not going to win any user interface awards. It is really a series of Perl modules that have a common user interface and share some infrastructure. The good news is that Webmin has an open interface and has been around long enough that if you want to manage some obscure piece of software, it is a fair bet that there is a Webmin module for that. You can also disable any modules you don’t want.

As I mentioned, you can also set up Usermin which allows ordinary users to do things via GUI. You can control what they can and can’t do, of course.

Despite being a little clunky, you can issue commands and even use an odd Web browser-based terminal. There are a few things that require Java, and that’s getting harder to find in modern Web browsers. However, most of these have alternatives (for example, there is an HTML file manager and a Java-based one).

Depending on the distribution you use, you can probably just install Webmin using your package manager. There are also plenty of tutorials for installing Webmin on the Raspberry Pi. You can always find the official release on the project’s web site.

Cockpit

Cockpit is from RedHat and is certainly the more modern looking tool. It has graphs and is very responsive. However, there’s just not the range of plugins available for it that you can get for Webmin. However, if you are using Docker, Cockpit has great integration for managing containers.

As you can see below, you can connect to one machine and then have it connect to other machines and monitor them all at one time. The figure shows two boxes, but you can add many more.

Once you drill into a specific box, you have lots of management and monitoring options including access to a shell in the browser.

There are ARM backports of Cockpit available, so depending on the distribution you run your Pi on, you should be able to get it running easily.

Tip

To get the most out of Cockpit, you need to log in as root. However, many systems now don’t have a root password at all. When you log in, you can ask Cockpit to use your password to elevate privileges when necessary. If you don’t check the box, then doing some operations (notably adding a new server) will fail.

This sort of negates the idea of using sudo, to some degree. The whole idea is to force you to reauthenticate from time to time. If you let Cockpit provide your password to sudo, you aren’t really giving yourself that protection. I get the idea that if you don’t check the box, Cockpit should prompt you for a password just like sudo would. However, when adding a new server — at least — it doesn’t. It just fails.

The solution is to check the box when you log in to let it reuse your password. Just be aware that essentially makes using sudo for privileged access meaningless.

Security

Speaking of security. Both tools contain their own SSL servers with a self-signed certificate. Presumably, you know you are connecting to your machine so the self-signed part shouldn’t bother you — you only need the encryption. However, it does mean the browser will give you a scary warning about the certificate not being trusted.

You can, of course, change out the certificate. Let’s Encrypt is a good source for a “real” certificate at no cost.

However, opening up these interfaces to the outside world is pretty scary. After all, if someone does get it, they could do just about anything. You should consider changing the port numbers, using two-factor authentication (both tools support Google Authenticator), and, if possible, keep the tools listening only on your network and use VPN or an SSH tunnel to access it.

In Closing

Personally? I keep waiting for the whole WIMP (Windows/Icons/Mouse/Pointer) fad to die out leaving us to work on the command line as nature intended. However, that doesn’t seem like its going to happen until after the apocalypse. In all seriousness, for some obscure tasks, having some menu items and dialogs can be a great help. If you don’t do much administration, these tools can be great training wheels. And like I said earlier, Usermin is especially useful if you have users that are not Linux-savvy.

Besides, like it or not, Linux is about choice. I like KDE, but I’m glad people who want to use Cinnamon or other desktop environments have that option. For that matter, when I am running on a small machine, sometimes I’m glad to have other options, too.

41 thoughts on “Linux Fu: System Administration Made Easier

  1. Webmin is a great tool. Sometimes I need to manage something on a server when I don’t have easy access to SSH.

    Also, it adds discoverability (a real word?) to learning how to run you server. I love the command line, but it’s really cool to accidentally see an option in a form or a menu that is helpful, that I didn’t know to even look for.

    I also rely on the super server experts to run this, keep it updated and the server patched, not a job for amateurs. :P

  2. -1 for Webmin.
    More problems in the long run. Take each action webmin can do and learn how to use it in the terminal. If you take the lazy shortcut gui way out, you won’t take the time to learn what you’re actually doing/configuring, and could end up with more problems in the future.

        1. Ha ha, yeah I’ll put up with your feelings related BS if and only if you can deliver what is needed — until the pending burn out occurs.
          The trouble with this industry is it is full of people who only care about money and their ego.

          You only have to worry if your skill set learned on campus is shared by 50000 other desperate, poor, and gullible lamers.
          If you really mattered to a company: https://en.wikipedia.org/wiki/Mutual_assured_destruction

          I love .NET and wh-Oracle for the money, but I am sure the data mining HaD does on its readers would be more interesting.

        2. My past issues with GUIs for this stuff has been that they tended to be buggy, and mixed very poorly with any manual configuration of the same files. This has probably gotten a little better over time I just remember the bad old days when everything was crap. On the other hand safe and secure access to stuff like Webmin or SWAT is probably a heck of a lot more difficult now that these servers are more likely to be at Amazon than in your closet. They were usually intended to be accessed by loopback from the machine itself and not neccessarily to be trusted to be on the open internet. I’m not even sure how I’d get a browser to run through an SSH port tunnel.

    1. I generally agree sort of. However, for someone running a Pi on their home network and that’s their entire interest in Linux, I’m not opposed to this kind of tool. Also, in my case, I let users that use one of my servers have access to usermin so I don’t have to do a lot of common tasks. Also, the monitoring and shell access on Cockpit are very nice although I’m not actually using it anywhere yet.

    2. I would say that if your production environment is small enough (say 5 machines or less) to never require a pre-production environment to simulate and test changes (and simulate roll back out of failed changes) before implementing them on the production environment then yea gui tools are probably acceptable, but once you reach any kind of scale at all they are a major hindrance.

      1. Playing devil’s advocate I’d like to disagree. Seeing as it’s Linux and there are multiple ways to perform the same task I’d say it is scale able it just needs to be done in a clever way. Thats what makes Linux fun.

    3. Ah. Someone for whom “command line” is code for “are you worthy?”. Sort of like learning a secret Masonic handshake.

      Not everyone needs or wants to be a server admin. If you’re a dev who occasionally needs to spin up a test server, or tweak the office dev server… what’s wrong with a GUI? The other option is to save up common CLI commands on a text doc that you can cut and paste from, but that’s a potential security hole in itself, as well as a source of repeated errors, if the saved commands are flawed.

      A GUI is not only convenient, it can also have built-in protections, prompts and warnings that the command line doesn’t. You wanna lose the AWS admin GUIs too?

      I’m a little bit proud that I mainly do admin and setup on my Linux boxen using a terminal; it’s taken me a while to get there. A GUI would have made me productive a little more quickly, and I’m not going to belittle other folks because they want a simplified way to tweak a personal server.

      In conclusion, vim sux.
      – cringe –

      1. You say “A GUI is not only convenient, it can also have built-in protections”
        Article says “To get the most out of Cockpit, you need to log in as root.”

        You may take my AWS GUI anytime, aws-cli works just fine and saves me a lot of time since I included it in my deployment scripts.

  3. +1 for webmin, saved me hours of work setting up apache virtual hosts, mysql databases and sftp users. I will try cockpit for docker, I much prefer a GUI like kitematic over cutting and pasting image ids in the console.

  4. +1 for webmin. When I experimented with Linux lamp servers it always got me out of the pickle I had got myself into. I no longer use it, have became familiar enough to do it with the command prompt but it really was very helpful. And to anyone looking to get up and running as fast as possible I’d recommend it. But do everything by commands having webmin as a get out of jail free card.

    I’m not in the business professionally tho, just my own machines, got to say I’d be a little concerned if a professional relied on such tools.

  5. Tools like webmin are fine for home gamers who run a internal server on a raspberry pi or a old system in the corner. It gets a bit more dubious with servers connected to the intarwebs. With home servers often performing many roles, an extra exposed service to the big bad world isn’t that great. A possible attack vector and an indication that possibly not all services are being maintained as rigorously as one might wish.

    It certainly has no place on the work floor.

  6. What about Vim? It is the only tool I need (apart from the shell) for linux sysadmin. Learn which file under /etc to monkey with and which service to restart, and Fred is your uncle! This is of course partly tongue in cheek — but it is how I do things, but I have been doing unix since before linux or even before window systems. In real embedded systems where you are only going to have a serial console this is still the only way to get things done. So bite the bullet. I view time spent with a GUI admin tool as wasted effort. There are some common things they will make easy, but there will always be something that the GUI tool can’t do and you will have to go to the command line.

  7. I’m not opposed to these tools for configuration but having them out on the ‘net isn’t a good idea. My Apache logs are hit regularly looking for phpadmin and webmin URLs. This tool puts a web server where one maybe shouldn’t be. If you forget to firewall that…

    That said, they DO speed initial configuration sometimes and can be much easier to understand off the bat. Not a subst for CLI but definitely useful.

    The thought that does come to mind is that in theory you could set things up to temp install the package and then uninstall it after you’re done. A bit clunky but it would work with most modern distros.

    1. Well there are a lot of things you can do. First, move it off the default ports. You can enable two factor. You can even use port knocking if you like. Or… keep it firewalled out and use an ssh tunnel to penetrate the firewall.

  8. I haven’t needed webmin for over 15 years but it is a good way of acquiring a big picture view of all of a server, so a good way to learn. I guess you can always have it only expose the web interface to localhost and then use X11 forwarding over ssh to run the GUI/Browser locally after you have opened the ssh port via port knocking, because you are paranoid security conscious.

  9. This is a shift, thirty years ago for most computers running Unix, the system administrator was a full time job. You’d see that, books about administrating, and books about using Unix. Once Linux came along, the two integrated, and the books became mostly about installing Linux, with bit of room set aside to discuss administration, and a small section about using Linux.

    One local sysadmin set up Linux for his grandmother, and administered it remotely, just like in the old days.

    A sysadmin is good at it because they do it all the time, having to handle everyone’s problems. For the rest of us, it’s only an end to using Linux. I’ve just moved to a new (well new to me) computer, and I have to remember things I’ve not done in some years. Plus lots of new things, because of a newer release of Linux, but also the hardware is a big leap forward. It’s familiar 16 years after switching to Linux, but also unfamiliar because some of it is not done often. At the same time, I feel in control because I have done the installation, and what’s underneath is at least somewhat familiar.

    Michael

  10. Sryously?? webmin?! lets propose other crap like cpanel & plesk ! honestly to give some of this functionality to end-users i’d suggest ispconfig but still… just do it with a terminal…

  11. I am just using SSH with MC as the first command entered. That is the way i think its the best experience for managing servers. No clunky web interface with unknown security and not enough options, but on the other side not entering silly amounts of ls, cd, cp, mv, or bouncing inside vi or emacs ancient and human hostile user interface. i am not octopus with IQ >9000, so i use MC internal editor or nano. If i need to manage X, i tunnel VNC through SSH. That way i get ridiculions in factory idle game :-D

    1. What would we do without Midnight Commander??
      It’s a life saver.
      CLI is so 70ies and not very efficient. You have to have 1000’s of commands and parameters in your head to mange it well.
      GUI is much better but granted X11 is HEAVY and SLOW on RAM and CPU restricted machines. MC is the perfect balance between the two.
      Especially if you the kind of guy or gal that grew up with Norton Commander. Funny how the commands just is in your subconscious mind and your fingers just flies over the F-ketys to copy, delete, create folder etc. 😊

  12. Webmin is still a thing?!?!

    Wow! i remember encountering Webmin back when I first started playing with Linux. It was probably 1998 or so and I installed RedHat 1 or 2 or something ancient like that from a CD that came in a book. That was the way to do it back then because downloading from the internet would have taken forever and even CD burners were a high end expensive item that few people had.

    i remember thinking Webmin was pretty cool because it could turn an old PC into some sort of “internet appliance” usable by non-techies. This was back before things like routers and NAS were professional IT items only, not black boxes that grandma could buy right off the shelf of the local Best Buy.

    I could have swore I remembered reading that Webmin had died. I thought it’s developers dropped it because the distro’s own config methods were departing to far from one another and whatever scripts Webmin expected to write to. Am I remembering wrong? Or did someone else resurrect it somewhere along the way.

    Who actually uses Webmin today?!?!

    Another thing that kind of blows my mind. Webmin is written in Perl. Perl! There is still a live Perl project out there! I was just wondering if anyone actually writes stuff in Perl anymore. I guess there it is!

    Ok, now I am in full nostalgia mode and I have to ask. Does anyone else remember NetMAX?

  13. I’d just like to interject for a moment. What you’re referring to as Linux,
    is in fact, GNU/Linux, or as I’ve recently taken to calling it, GNU plus Linux.
    Linux is not an operating system unto itself, but rather another free component
    of a fully functioning GNU system made useful by the GNU corelibs, shell
    utilities and vital system components comprising a full OS as defined by POSIX.

    Many computer users run a modified version of the GNU system every day,
    without realizing it. Through a peculiar turn of events, the version of GNU
    which is widely used today is often called “Linux”, and many of its users are
    not aware that it is basically the GNU system, developed by the GNU Project.

    There really is a Linux, and these people are using it, but it is just a
    part of the system they use. Linux is the kernel: the program in the system
    that allocates the machine’s resources to the other programs that you run.
    The kernel is an essential part of an operating system, but useless by itself;
    it can only function in the context of a complete operating system. Linux is
    normally used in combination with the GNU operating system: the whole system
    is basically GNU with Linux added, or GNU/Linux. All the so-called “Linux”
    distributions are really distributions of GNU/Linux.

    1. Wow, we go through this every time. You know, honestly, I’m tired of the conversation about this, so I’m only going to answer this one more time. GNU is great. I love GNU. I use emacs. I like Richard Stallman. However. My computer also has an AMD processor in it. I don’t refer to any of my machines as GNU/Linux/AMD/NVidia/Seagate machines. What’s more is, “Linux” as an OS is a common usage. You know what? The “Space Shuttle” was really the “Space Transporation System.” The “Space Station” is really the “International Space Station.” But when I worked on those, I knew that most people called them “Space Shuttle” and “Space Station” and I didn’t feel like being obnoxious about it. Bell labs wanted the # key to be called an octothorpe and very few people call it that or even know that’s the name for it.

      When Xerox complains about people making xerox copies on a non-Xerox copier, at least they are carping to protect their trademark. Come to think of it, I designed a communications board that went into postal machines made by Burroughs years ago. And you know… that machine wouldn’t do jack without that comm board because it needed it to talk to the scale and the slip printer, etc. But I don’t think they were going to ever call it the Burroughs/Al Williams machine.

      So despite this comment coming up EVERY SINGLE TIME WE USE LINUX in the vernacular, I’m not going to start calling out all the pieces. I mean, hey. How about the distributions? I didn’t say it was the KDE/Neon/Linux/GNU/AMD/NVidia/Seagate/Western Digital….

      The fact is that however you want to call it, people understand what the term “Linux system” means to the extent that it is necessary for this kind of discussion.

      I am going to promise myself that next time someone decides to point this out to me I’m just going to ignore it. You know, at least the Velcro people have a good sense of humor about people not using their terms the way they like (and, again, that’s a trademark protection issue):

  14. With Webmin you’d need to install each server manually. Using Configuration Management like Ansible is way more consistent. That’s quite important for business continuity. The entire company in a single (or multiple) Git repository(/ies) (excluding backups/data). This also ensures that everything is properly documented, and can be handed to anyone. Restoring (reinstalling) an entire company (incl hardware like switches) from scratch can be handy in case of a cyberattack.

Leave a Reply to Al Williams Cancel reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s