
Main Files

From Zentyal Linux Small Business Server

Essential Zentyal files for troubleshooting and tweaking

Introduction

The objective of the Zentyal GUI is to be an easy yet powerful interface for all our system administration. Even so, it is not always possible to do everything for everyone. In this document we are going to study the main configuration files and Zentyal CLI commands for those who want to go a little deeper under the hood. Our goals are troubleshooting, reviewing lower-level configuration to better understand how Zentyal works, and making minor tweaks by editing those files.

Zentyal specific configuration files

Let's start with the files located under /etc/zentyal. Listing this directory, we will see a number of .conf files:

core.conf    firewall.conf  network.conf  ppa.gpg     zentyal.conf
dns.conf     hooks/         openvpn.conf  pre-save/
events.conf  logs.conf      post-save/    users.conf

There are also some directories (hooks, post-save, pre-save) related to custom hooks, which will be covered in a different how-to.

If you manually change these files, they won't be overwritten by default, since dpkg will use the force-confold option (although you can manually replace them with the package maintainer's version if you want).

The basic instructions for the formatting of these .conf files are contained at the beginning of each file:


# Everything after a '#' character is ignored
#
# All whitespace is ignored
#
# Config keys are set this way:
#
# key = value
#
# They may contain comments at the end:
#
# key = value # this is ignored


Let's review some of these configurations


File: core.conf

redis_port = 6380  # Redis is an in-memory key-value data store that holds the Zentyal configuration (roughly speaking, a configuration database). By default the redis server only listens on the loopback interface; here you can change the port.

widget_ignore_updates = yes # If you don't want to see the possible software updates in the Dashboard, you can choose 'no'.

desktop_services_enabled = yes
desktop_services_port = 6895   # Auto-configuration of desktop clients for the services provided by Zentyal (mail, samba, Jabber, VoIP, ...) is implemented as a web service which listens on all interfaces (0.0.0.0:6895). The associated service "Desktop Services" is allowed by default in the firewall section "Internal networks to Zentyal".

File: firewall.conf

iptables_log_limit = 50 # Sometimes the firewall generates a huge amount of information; you can limit the maximum number of packets logged per minute.

iptables_log_burst = 10 # You may also want to avoid logging the exact same event many times; this limits the bursts of identical packets appearing in your logs.

iptables_log_drops = yes # Whether or not to log dropped packets.

nat_enabled = yes # The default behavior is to NAT the internal networks when redirecting to external, but we may have a router in charge of this, or we may want a different behavior, like different external addresses assigned to different internal networks.

File: network.conf

ifaces_to_ignore = sit,tun,tap,lo,irda,ppp,virbr,vboxnet,vnet  # Types of interfaces that won't be displayed for explicit configuration in Zentyal's "network" section.

File: users.conf

mk_home = yes # whether to create user homes or not

dir_umask = 0077 # default mode for home directory (umask mode)

enable_quota = yes # enable quota support

slave_time = 5 # number of minutes between master pushes of LDAP changes to its slaves

multiple_ous = yes # This option allows you to have more than one organizational unit in the same LDAP. This may be used, for example, to have multiple Zarafa domains.


File: zentyal.conf
debug = yes # Whether to enable the DEBUG> logs in /var/log/zentyal/zentyal.log; this file is described later in this document. It's a good idea to enable it if we want to perform basic Zentyal troubleshooting.

dump_exceptions = yes # Show full stack trace in the Zentyal interface when you hit a bug, also very interesting for diagnosis.
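To review these files after a troubleshooting session, the format rules quoted from the file header can be applied directly. The following is an added example, not part of the original page or of Zentyal: it parses the key = value format and reports keys that differ from a review baseline. The baseline values, the sample content and the function names are assumptions of this example.

```python
import re

# Constructed sample: keys come from this page, values are illustrative.
SAMPLE_CONF = """\
# Everything after a '#' character is ignored
redis_port = 6380
desktop_services_enabled = yes
desktop_services_port = 6895   # web service on 0.0.0.0
debug = yes # still on after a troubleshooting session
dump_exceptions = yes
iptables_log_drops = no
dir_umask = 0077
"""

# Hypothetical review baseline (an assumption of this example, not a Zentyal
# default): values expected once troubleshooting is finished.
BASELINE = {
    "debug": "no",
    "dump_exceptions": "no",
    "iptables_log_drops": "yes",
    "dir_umask": "0077",
}

def parse_conf(text):
    """Parse key = value lines using the rules stated in the file header."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]       # everything after '#' is ignored
        line = re.sub(r"\s+", "", line)   # all whitespace is ignored
        key, sep, value = line.partition("=")
        if sep and key:                   # skip blank and malformed lines
            settings[key] = value         # a repeated key overwrites (assumption)
    return settings

def deviations(settings, baseline=BASELINE):
    """Return sorted (key, actual, expected) tuples that differ from baseline."""
    found = []
    for key, expected in baseline.items():
        actual = settings.get(key, "<unset>")
        if actual != expected:
            found.append((key, actual, expected))
    return sorted(found)

if __name__ == "__main__":
    for key, actual, expected in deviations(parse_conf(SAMPLE_CONF)):
        print(f"{key} = {actual} (baseline: {expected})")
```

On a real system, pass the concatenated contents of the files under /etc/zentyal to parse_conf instead of the sample.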


Zentyal output and debugging files

As we did in the first section, let's have a look at the Zentyal log directory /var/log/zentyal:


  access.log  error.log  redis-server.log  software.log  zentyal.log

First of all, as a general tip for reproducing a suspected problem, it's a good idea to execute tail -f <logfile> and then hit the Enter key a few times. The blank lines separate the old log entries from the new ones, so you can clearly see the new log lines appearing in real time.

Example:



tail -f zentyal.log 


2012/07/11 18:05:10 DEBUG> Sudo.pm:164 EBox::Sudo::_root - sudo commands: cat /var/run/clamav/clamd.pid
2012/07/11 18:05:10 DEBUG> Sudo.pm:164 EBox::Sudo::_root - sudo commands: status 'ebox.bind9'
2012/07/11 18:05:10 DEBUG> Sudo.pm:164 EBox::Sudo::_root - sudo commands: LANG=C /usr/sbin/ejabberdctl status
2012/07/11 18:05:10 DEBUG> Sudo.pm:164 EBox::Sudo::_root - sudo commands: status 'ebox.ntpd'
2012/07/11 18:05:10 DEBUG> Sudo.pm:164 EBox::Sudo::_root - sudo commands: status 'ebox.openvpn.server.vpnserver'
2012/07/11 18:05:10 DEBUG> Sudo.pm:164 EBox::Sudo::_root - sudo commands: status 'ebox.slapd'
2012/07/11 18:05:10 DEBUG> Sudo.pm:164 EBox::Sudo::_root - sudo commands: cat /var/run/heimdal-kdc.pid
2012/07/11 18:05:10 DEBUG> Sudo.pm:164 EBox::Sudo::_root - sudo commands: cat /var/run/kpasswdd.pid
2012/07/11 18:05:10 DEBUG> Sudo.pm:164 EBox::Sudo::_root - sudo commands: cat /var/run/apache2.pid








2012/07/11 18:06:14 DEBUG> Sudo.pm:164 EBox::Sudo::_root - sudo commands: status 'ebox.redis'
2012/07/11 18:06:15 INFO> GlobalImpl.pm:551 EBox::GlobalImpl::saveAllModules - Saving config and restarting services: network antivirus dns openvpn firewall
2012/07/11 18:06:15 INFO> Base.pm:229 EBox::Module::Base::save - Restarting service for module: network
2012/07/11 18:06:15 DEBUG> Sudo.pm:164 EBox::Sudo::_root - sudo commands: set -e
/sbin/modprobe 8021q
/sbin/vconfig set_name_type VLAN_PLUS_VID_NO_PAD
2012/07/11 18:06:15 DEBUG> Sudo.pm:164 EBox::Sudo::_root - sudo commands: cp /var/lib/zentyal/tmp//interfaces /etc/network/interfaces
2012/07/11 18:06:16 DEBUG> Sudo.pm:164 EBox::Sudo::_root - sudo commands: set -e
/bin/mv /var/lib/zentyal/tmp/sjtCvBGY6U '/etc/ppp/pap-secrets'

access.log: Accesses to the Zentyal GUI: time, user, browser and requested URL. Useful for security forensics.


192.168.100.155 - - [19/Jun/2012:15:01:17 +0200] "POST /remoteservices/subscribe/ HTTP/1.1" 200 87 "-" "python-requests/0.8.1" "-"
192.168.100.155 - - [19/Jun/2012:15:08:15 +0200] "POST /remoteservices/subscribe/ HTTP/1.1" 200 87 "-" "python-requests/0.8.1" "-"
192.168.100.155 - - [19/Jun/2012:15:38:15 +0200] "POST /remoteservices/subscribe/ HTTP/1.1" 200 87 "-" "python-requests/0.8.1" "-"

error.log: Apache error log, which may be useful to detect invalid URLs or JavaScript errors (sometimes derived from deeper errors in the Perl modules).

redis-server.log: redis database consolidation logs


[22275] 12 Jul 18:02:52 * DB saved on disk
[1946] 12 Jul 18:02:52 * Background saving terminated with success

software.log: Software package management information


2012-07-12 17:35:47> Setting up sshpass (1.05-1) ...
2012-07-12 17:35:47> Setting up zentyal-ebackup (2.3.5) ...
2012-07-12 17:35:49> Processing triggers for libc-bin ...
2012-07-12 17:35:49> ldconfig deferred processing now taking place
2012-07-12 17:35:50> Processing triggers for zentyal-core ...
2012-07-12 17:35:51> Zentyal apt-wrapper install finished


zentyal.log: Possibly the most important file for diagnosing and correctly reporting an error. It contains general, debug and error information provided by the different Zentyal modules. Remember to enable the "debug = yes" key in /etc/zentyal/zentyal.conf, then use the tail -f trick to reproduce the error live, or grep for the "ERROR>" string to gather error information. After changing this key, if you are trying to reproduce an error you get on the Zentyal web interface, you will need to restart it to reload the configuration:

# service zentyal apache restart
*Restarting Zentyal module: apache                                     [ OK ] 

# cat /var/log/zentyal/zentyal.log | grep ERROR\> -B 5

2012/07/12 17:19:14 DEBUG> Backup.pm:146 EBox::Backup::__ANON__ - Dumping audit backup data
2012/07/12 17:19:14 DEBUG> Backup.pm:146 EBox::Backup::__ANON__ - Dumping ca backup data
2012/07/12 17:19:14 DEBUG> Sudo.pm:165 EBox::Sudo::_root - ./make-backup (pid: 18788) - tar cf /var/lib/zentyal/conf//backup.s2sK0S/aux/ca.bak/srvCerts.tar /var/lib/zentyal/conf/ssl/ssl.pem /etc/apache2/ssl/ssl.pem
2012/07/12 17:19:14 DEBUG> Backup.pm:146 EBox::Backup::__ANON__ - Dumping dns backup data
2012/07/12 17:19:14 DEBUG> Backup.pm:146 EBox::Backup::__ANON__ - Dumping events backup data
2012/07/12 17:19:14 ERROR> Backup.pm:151 EBox::Backup::__ANON__ - model LogWatcherFiltering_audit_sessions does not exist.
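
grep -B 5 counts physical lines, while a single zentyal.log entry can span several lines, as the multi-line "sudo commands:" entries in the tail output show. The following added example (not part of the original page or of Zentyal) groups continuation lines into entries, lists the commands logged by EBox::Sudo, and returns each ERROR> entry with the entries that precede it. The sample log is constructed from lines on this page and the function names are this example's own.

```python
import re

# Constructed sample in the zentyal.log format shown on this page.
SAMPLE_LOG = """\
2012/07/11 18:06:15 INFO> Base.pm:229 EBox::Module::Base::save - Restarting service for module: network
2012/07/11 18:06:15 DEBUG> Sudo.pm:164 EBox::Sudo::_root - sudo commands: set -e
/sbin/modprobe 8021q
/sbin/vconfig set_name_type VLAN_PLUS_VID_NO_PAD
2012/07/11 18:06:16 DEBUG> Sudo.pm:164 EBox::Sudo::_root - sudo commands: cp /var/lib/zentyal/tmp//interfaces /etc/network/interfaces
2012/07/12 17:19:14 ERROR> Backup.pm:151 EBox::Backup::__ANON__ - model LogWatcherFiltering_audit_sessions does not exist.
"""

# timestamp, LEVEL>, File.pm:line, Perl sub name, " - ", message
ENTRY = re.compile(
    r"^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) (?P<level>[A-Z]+)> "
    r"(?P<src>\S+) (?P<sub>\S+) - (?P<msg>.*)$"
)

def parse_entries(text):
    """Group lines into entries; a line without a timestamp continues the previous entry."""
    entries = []
    for line in text.splitlines():
        match = ENTRY.match(line)
        if match:
            entries.append(match.groupdict())
        elif entries and line.strip():   # blank lines (the Enter-key trick) are dropped
            entries[-1]["msg"] += "\n" + line
    return entries

def sudo_commands(entries):
    """Return (timestamp, [commands]) for entries of the 'sudo commands:' form only."""
    marker = "sudo commands: "
    found = []
    for entry in entries:
        if entry["sub"].startswith("EBox::Sudo::") and entry["msg"].startswith(marker):
            found.append((entry["ts"], entry["msg"][len(marker):].split("\n")))
    return found

def errors_with_context(entries, before=5):
    """Like grep -B, but counting whole entries instead of physical lines."""
    return [entries[max(0, i - before): i + 1]
            for i, entry in enumerate(entries) if entry["level"] == "ERROR"]
```

The list returned by sudo_commands is a record of what the web interface ran as root, which is the part of this log most useful when reviewing what a configuration change actually did.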



Generic daemon output files

This is a list of logfiles used by all Zentyal modules.

Module          Path                                            logrotate upstream
zarafa          /var/log/zarafa/dagent.log                      yes
zarafa          /var/log/zarafa/spooler.log                     yes
zarafa          /var/log/zarafa/ical.log                        yes
zarafa          /var/log/zarafa/monitor.log                     yes
zarafa          /var/log/zarafa/gateway.log                     yes
zarafa          /var/log/zarafa/indexer.log                     yes
zarafa          /var/log/zarafa/server.log                      yes
zarafa          /var/log/zarafa/audit.log                       yes
samba           /var/log/samba/log.smbd                         yes
samba           /var/log/samba/log.nmbd                         yes
remoteservices  /home/ebox-remote-support/support.log           not rotated
ftp             /var/log/vsftpd.log                             yes
core            /var/log/zentyal/access.log                     zentyal-core
core            /var/log/zentyal/error.log                      zentyal-core
core            /var/log/zentyal/zentyal.log                    zentyal-core
core            /var/log/zentyal/redis-server.log               zentyal-core
core            /var/log/zentyal/runit/wild-services.log        not used atm
software        /var/log/zentyal/software.log                   zentyal-software
openvpn         /var/log/quagga/ripd.log                        yes
openvpn         /var/log/quagga/zebra.log                       yes
openvpn         /var/log/zentyal/openvpn/*.log                  zentyal-openvpn
usercorner      /var/log/zentyal-usercorner/access.log          zentyal-usercorner
usercorner      /var/log/zentyal-usercorner/error.log           zentyal-usercorner
usercorner      /var/log/zentyal-usercorner/zentyal.log         zentyal-usercorner
radius          /var/log/freeradius/radius.log                  yes
mail            /var/log/mail.log                               yes
ebackup         /var/log/zentyal/duplicity-debug.log            zentyal-ebackup
ebackup         /var/log/zentyal/duplicity-command.log          zentyal-ebackup
webserver       /var/log/apache2/*.log                          yes
captiveportal   /var/log/zentyal-captiveportal/error.log        zentyal-captiveportal
captiveportal   /var/log/zentyal-captiveportal/access.log       zentyal-captiveportal
captiveportal   /var/log/zentyal-captiveportal/zentyal.log      zentyal-captiveportal
antivirus       /var/log/clamav/freshclam.log                   yes
antivirus       /var/log/clamav/clamav.log                      yes
squid           /var/log/dansguardian/access.log
squid           /var/log/squid/access.log
printers        /var/log/cups/*log                              yes
jabber          /var/log/ejabberd/*.log                         yes
ids             /var/log/snort/portscan.log                     yes
ids             /var/log/snort/alert                            yes
ids             /var/log/snort/portscan2.log                    yes
asterisk        /var/log/asterisk/debug                         yes
asterisk        /var/log/asterisk/messages                      yes
asterisk        /var/log/asterisk/full                          yes
asterisk        /var/log/asterisk/*_log                         yes
webmail         /var/log/roundcube/sendmail                     yes
webmail         /var/log/roundcube/errors                       yes


Useful commands and scripts

Managing modules' status from the CLI

You can always stop, start or restart a given Zentyal module using the special /etc/init.d service zentyal.

Example:


# service zentyal firewall stop
*Stopping Zentyal module: firewall                                     [ OK ]

This may be useful if the GUI is temporarily unresponsive, or you have lost access to it.


slapcat

This command will dump all your LDAP information as text on the command line, which is very useful for debugging and grep'ing if you have mastered the LDAP format.


# slapcat | head
dn: dc=test,dc=org
objectClass: organization
objectClass: dcObject
objectClass: top
dc: test
o: test
structuralObjectClass: organization
entryUUID: fdcde9be-4c09-1031-990f-bd2fd6edbea5
creatorsName: cn=zentyal,dc=test,dc=org
createTimestamp: 20120616141913Z


Zentyal specific scripts

You will find some utility scripts under several directories named /usr/share/zentyal(*)

zentyal/           zentyal-firewall/  zentyal-objects/   zentyal-users/
zentyal-antivirus/ zentyal-jabber/    zentyal-openvpn/   zentyal-webserver/
zentyal-ca/        zentyal-network/   zentyal-services/  
zentyal-dns/       zentyal-ntp/       zentyal-software/  

Let's review some of them


zentyal/clean-conf : Delete the redis configuration associated with one of the zentyal modules.

Example:

./clean-conf openvpn

This will erase all the redis keys associated with that module. It is useful, for example, when you reach an inconsistent configuration state during beta testing and you are not able to return to a safe point using the GUI. Be careful: redis doesn't check relational integrity, so you may end up with an incoherent DB.

zentyal/configuration-report : This script will create a configuration and associated files report and will leave it under /tmp. This report contains the essential system files needed to produce a diagnosis of an existing bug in your system.


zentyal/grep-redis: Inspect the redis configuration DB.

Example:

./grep-redis section9
dns/conf/DomainTable/keys/dmn1/hostnames/keys/hstn1: {"hostname":"section9"}
dns/ro/DomainTable/keys/dmn1/hostnames/keys/hstn1: {"hostname":"section9"}

zentyal/initial-setup: Useful in combination with clean-conf, restores the default configuration keys of a given zentyal module.

zentyal/redisvi: Display the full redis key-value information, in an editable file format. Deep knowledge of the source code is required to safely tweak this database, handle with care.

zentyal/shell: Spawn the Zentyal shell, you can interactively use Zentyal's API using perl.

Example:

./shell 
zentyal> instance network
$network
zentyal> $network->allIfaces()
$VAR1 = [
          'eth0'
        ];


zentyal-software/unlock-software: Sometimes you may have a problem with the software repositories or your Internet connection, and several processes may die before releasing the software lock, making it impossible to update using the GUI. This script will kill the locking processes.

zentyal-ebackup/backup-tool: Performs a data backup according to the GUI configuration. Very useful when you want to test the backup configuration but don't want to wait until the scheduled backup time. The default is a full backup; by passing --incremental you can perform an incremental one.

