title | subtitle | author | date
---|---|---|---
8. Troubleshooting, SSH | Linux<br/>HOGENT toegepaste informatica | Thomas Parmentier, Andy Van Maele, Bert Van Vreckem | 2024-2025
Set up the test environment:

- clone your Github repo for lab assignments
  - on your physical system!
- open a terminal in the directory `troubleshooting`
- start the VMs
  - `dbt`: a working database server
  - `webt`: a web server with faulty configuration

```
$ cd trouble-demo
$ vagrant up
[...]
```
- Bottom-up approach
  - Network access (Link) layer
  - Internet layer
  - Transport layer
  - Application layer
- SELinux

Interrupt me if you have remarks/questions!
Two VirtualBox VMs, set up with Vagrant

Host | IP | Service
---|---|---
webt | 192.168.76.72 | http, https (Apache)
dbt | 192.168.76.73 | mysql (MariaDB)

- On `webt`, a PHP app runs a query on the `dbt` database
- `dbt` is set up correctly, `webt` is not
```
$ ./query_db.sh
+ mysql --host=192.168.76.73 --user=demo_user \
+   --password=ArfovWap_OwkUfeaf4 demo \
+   '--execute=SELECT * FROM demo_tbl;'
+----+-------------------+
| id | name              |
+----+-------------------+
|  1 | Tuxedo T. Penguin |
|  2 | Bobby Tables      |
+----+-------------------+
+ set +x
```

Should work from:

- your Linux Mint GUI VM (if it is connected to `intnet`): `sudo apt install mysql-client`
- the demo VMs (`/vagrant/query_db.sh`)
TCP/IP protocol stack

Layer | Protocols | Keywords
---|---|---
Application | HTTP, DNS, SMB, FTP, ... |
Transport | TCP, UDP | sockets, port numbers
Internet | IP, ICMP | routing, IP address
Network access | Ethernet | switch, MAC address
Physical | cables |
Network access layer:

- bare metal:
  - test the cable(s)
  - check switch/NIC LEDs
- VM (e.g. VirtualBox):
  - check virtual network adapter type & settings
  - `ip link`

Internet layer:

- Local network configuration
- Routing within the LAN

Know the expected values!
Checking local network configuration:

- IP address: `ip a`
- Default gateway: `ip r`
- DNS service:
  - RHEL: `/etc/resolv.conf`
  - Fedora, Debian, etc.: `resolvectl dns`

RHEL:

- IP address?
  - In correct subnet?
  - DHCP or fixed IP?
- Check configuration: `/etc/sysconfig/network-scripts/ifcfg-*`
Example: DHCP

```
[vagrant@db ~]$ cat /etc/sysconfig/network-scripts/ifcfg-enp0s3
TYPE=Ethernet
BOOTPROTO=dhcp
NAME=enp0s3
DEVICE=enp0s3
ONBOOT=yes
[...]
```

Example: Static IP

```
$ cat /etc/sysconfig/network-scripts/ifcfg-enp0s8
BOOTPROTO=none
ONBOOT=yes
IPADDR=192.168.76.73
NETMASK=255.255.255.0
DEVICE=enp0s8
[...]
```
IP address:

- No IP
  - DHCP unreachable
  - DHCP won't give an IP
- 169.254.x.x
  - No DHCP offer, "link-local" address
- Unexpected subnet
  - Bad config (fixed IP set?)

Watch the logs: `sudo journalctl -f`

Default gateway:

- Unexpected subnet
  - Check config
- Correct IP, "network unreachable"
  - Check network mask
- Default GW present?
  - In correct subnet?
  - Check network configuration

DNS:

- `nameserver` option present?
- Expected IP?
Checking routing within the LAN:

- Ping between hosts
- Ping default GW/DNS
- Query DNS (`dig`, `nslookup`, `getent`)

Ping:

- GUI-VM -> VM: `ping 192.168.76.72`
- VM -> GUI-VM: `ping 192.168.76.101`
- VM -> NAT-GW: `ping 10.0.2.2`
- VM -> NAT-DNS: `ping 10.0.2.3`

Remark: some routers block ICMP!

Query DNS:

```
dig icanhazip.com
nslookup icanhazip.com
getent ahosts icanhazip.com
```

Next step: routing beyond GW
Transport layer:

- Service running? `sudo systemctl status SERVICE`
- Correct port/interface? `sudo ss -tulpn`
- Firewall settings: `sudo firewall-cmd --list-all`

Service running? `systemctl status httpd.service`

- `active (running)` vs. `inactive (dead)`
  - `systemctl start httpd`
  - Fail? See below (Application layer)
- Start at boot: `enabled` vs. `disabled`
  - `systemctl enable httpd`
Firewall: `sudo firewall-cmd --list-all`

- Is the service or port listed?
- Use `--add-service` if possible
  - Supported services: `--get-services`
- Don't use both `--add-service` and `--add-port`
- Add `--permanent`
- `--reload` the firewall rules

```
$ sudo firewall-cmd --add-service=http --permanent
$ sudo firewall-cmd --add-service=https --permanent
$ sudo firewall-cmd --reload
```
Correct port/interface?

- Use `ss` (not `netstat`)
- TCP service: `sudo ss -tlnp`
- UDP service: `sudo ss -ulnp`
- Correct port number?
  - See `/etc/services`
- Correct interface?
  - Only loopback?
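The Internet and Transport layer checks above, scripted as an added example (not part of the original slides): the functions classify the output of `ip -4 -o addr show`, `ip -4 route` and `ss -tlnp` into the cases the slides list (no IP, link-local, missing gateway, only loopback), so the same logic runs on live command output or on the constructed samples below. The sample output is abbreviated and constructed for a `webt`-like host; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original slides. Output of ip/ss is passed in as
# text, e.g. classify_ip enp0s8 "$(ip -4 -o addr show)", so it also runs on
# captured output. Constructed samples follow the functions.

# classify_ip IFACE "<ip -4 -o addr output>" -> none | link-local | ADDR/PREFIX
classify_ip() {
    # field 2 is the interface name, field 4 the IPv4 address with prefix
    addr=$(printf '%s\n' "$2" | awk -v i="$1" '$2 == i { print $4; exit }')
    case "$addr" in
        '')        echo none ;;        # no IP: DHCP unreachable or no lease
        169.254.*) echo link-local ;;  # no DHCP offer, link-local fallback
        *)         echo "$addr" ;;     # compare with the expected subnet
    esac
}

# default_gw "<ip -4 route output>" -> none | GATEWAY
default_gw() {
    gw=$(printf '%s\n' "$1" | awk '$1 == "default" { print $3; exit }')
    [ -n "$gw" ] && echo "$gw" || echo none
}

# classify_listen PORT "<ss -tlnp output>" -> none | loopback-only | reachable
classify_listen() {
    # field 4 is Local Address:Port; anything not bound to 127.0.0.1/[::1]
    # (0.0.0.0, *, or a real address) is reachable from other hosts
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == "LISTEN" && $4 ~ (":" p "$") {
            n++; sub(/:[0-9]+$/, "", $4)
            if ($4 != "127.0.0.1" && $4 != "[::1]") ext++
        }
        END { print n == 0 ? "none" : (ext ? "reachable" : "loopback-only") }'
}

# Constructed sample output (abbreviated) for a webt-like host
ADDR_OK='2: enp0s3    inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic enp0s3
3: enp0s8    inet 192.168.76.72/24 brd 192.168.76.255 scope global enp0s8'
ADDR_BAD='3: enp0s8    inet 169.254.33.7/16 brd 169.254.255.255 scope link enp0s8'
ROUTE_OK='default via 10.0.2.2 dev enp0s3 proto dhcp metric 100
192.168.76.0/24 dev enp0s8 proto kernel scope link src 192.168.76.72'
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=850,fd=3))
LISTEN 0      80         127.0.0.1:3306      0.0.0.0:*    users:(("mariadbd",pid=900,fd=20))
LISTEN 0      511                *:80              *:*    users:(("httpd",pid=1000,fd=4))'

echo "enp0s8: $(classify_ip enp0s8 "$ADDR_OK") / broken: $(classify_ip enp0s8 "$ADDR_BAD")"
echo "gateway: $(default_gw "$ROUTE_OK"); port 80: $(classify_listen 80 "$SS_SAMPLE"); port 3306: $(classify_listen 3306 "$SS_SAMPLE")"
```

In the sample, port 3306 bound to 127.0.0.1 only is the "Only loopback?" case: a PHP app on another host cannot reach it even with the firewall open.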
Application layer:

- Check the logs: `journalctl`
- Validate config file syntax
- Use (command line) client tools
  - e.g. `curl`, `smbclient` (Samba), `dig` (DNS), etc.
  - Netcat (`ncat`, `nc`)
- Other checks are application dependent
  - Read the reference manuals!

Logs:

- Either `journalctl`: `journalctl -f -u httpd.service`
- Or `/var/log/`: `tail -f /var/log/httpd/error_log`

Config file syntax:

- Application dependent, for Apache: `apachectl configtest`
- RedHat Manuals:
  - System Administrator's Guide
  - Networking guide
  - SELinux guide
- Reference manuals, e.g.:
  - Man pages
  - smb.conf(5), dhcpd.conf(5), named.conf(5), ...
- SELinux is Mandatory Access Control in the Linux kernel
- Settings:
  - Booleans: `getsebool`, `setsebool`
  - Contexts, labels: `ls -Z`, `chcon`, `restorecon`
  - Policy modules: `sepolicy`

Contexts:

- Is the file context as expected? `ls -Z /var/www/html`
- Set file context to default value: `sudo restorecon -R /var/www/`
- Set file context to specified value: `sudo chcon -t httpd_sys_content_t test.php`

Booleans: `getsebool -a | grep http`

- Know the relevant booleans! (RedHat manuals)
- Enable boolean: `sudo setsebool -P httpd_can_network_connect_db on`
E.g. https://github.com/bertvv/cheat-sheets
E.g. https://github.com/HoGentTIN/elnx-sme/blob/master/test/pu001/lamp.bats
Why?