Red Hat SummitChapter 4. Using the command-line assistant to debug or troubleshoot system issues
You can use the command-line assistant powered by RHEL Lightspeed to request information on how to troubleshoot the issues that you face on your system.
The following are examples of questions that you can ask to troubleshoot your system. Ask a question by using the following syntax: c + "question". For example:
-
$ c “how to troubleshoot network errors” -
$ c “I cannot access my server with SSH. Can you give me a list of things to troubleshoot?” -
$ c "I am failing to start sssd process" -
$ c “I need to boot into a different kernel” -
$ c “how to troubleshoot SSHD failing to start” -
$ c “how do I find all the files in the /etc that have been modified in the last hour” -
$ c "I am failing to start sssd process"
4.1. Using the command-line assistant to troubleshoot SSHD service failing to start
The following example shows how to troubleshoot an SSHD service failing to start by using the following command-line assistant features:
- Optional terminal capture feature in the command-line assistant to reference the output of previous commands when interacting with the command-line assistant.
- Piping data into the command-line assistant.
Prerequisites
- You have enabled the command-line assistant.
- You have root access to your system.
Procedure
Check the SSHD status and restart it.
sudo systemctl status ssh sudo systemctl restart ssh
$ sudo systemctl status ssh $ sudo systemctl restart sshCopy to Clipboard Copied! Enable the optional command-line assistant terminal capture feature:
c shell --enable-capture
$ c shell --enable-captureCopy to Clipboard Copied! Use the
-w 1 "your-question"option to specify to include the output from the last command that was run.c -w 1 "what_is_this"
$ c -w 1 "what_is_this"Copy to Clipboard Copied! - If you specify the number 2, that references the output from the second previous 2 commands. This is also true for the additional numbers.
You can also specify a prompt to run with the command and ask “help me understand the output”, and reference the output with the error, so that the command my assistant understands that you are asking for more details on what is the error.
The command-line assistant takes some time to process the request, and provide several possible solutions. In the example, you can use the suggestion to run the
journalctl -xeucommand, so that you can usesshd.serviceto check the log files.
Run that
journalctlcommand. Add the tail command to get the last 30 lines, pipe that output into the command-line assistant, and add a query to understand the error.journalctl -xeu sshd.service | tail -n 30 | c “here are the logs, please help me understand this”
$ journalctl -xeu sshd.service | tail -n 30 | c “here are the logs, please help me understand this”Copy to Clipboard Copied! The command-line assistant checks the log files and indicates some potential issues. typing error in the
configfile.Ask the command-line assistant to generate a command on how to fix this typing error.
c “what is the command that I can use to change “Porrt ”to “Port” in the /etc/ssh/sshd_config file?”
$ c “what is the command that I can use to change “Porrt ”to “Port” in the /etc/ssh/sshd_config file?”Copy to Clipboard Copied! Use the command suggested by the command-line assistant.
Run the command suggested by the command-line assistant. For example:
sed -i s/Porrt/Port/g /etc/ssh/sshd_config
$ sed -i s/Porrt/Port/g /etc/ssh/sshd_configCopy to Clipboard Copied! The output found a permission denied error to edit that file. Rerun the previous command as a sudo user.
sudo sed -i s/Porrt/Port/g /etc/ssh/sshd_config
$ sudo sed -i s/Porrt/Port/g /etc/ssh/sshd_configCopy to Clipboard Copied! Restart the SSHD service and check the status of the SSHD.
sudo systemctl restart sshd sudo systemctl status sshd
$ sudo systemctl restart sshd $ sudo systemctl status sshdCopy to Clipboard Copied!
4.2. Using the command-line assistant to troubleshoot SELinux issues
The following example provides steps to troubleshoot an SELinux problem with the command-line assistant.
Prerequisites
- You have enabled the command-line assistant.
- You have root access to your system.
Procedure
On your terminal, enter the following command to list the
httpdpackage version that you have installed in your system:sudo rpm -qa httpd
$ sudo rpm -qa httpd httpd-2.4.62-2.fc40.x86_64Copy to Clipboard Copied! Show the
httpd.conffile content.sudo cat /etc/httpd/conf/httpd.conf This is the main Apache HTTP server configuration file. It contains the configuration directives that give the server its instructions. See <URL:http://httpd.apache.org/docs/2.4/> for detailed information. In particular, see<URL:http://httpd.apache.org/docs/2.4/mod/directives.html> for a discussion of each configuration directive.
$ sudo cat /etc/httpd/conf/httpd.conf # This is the main Apache HTTP server configuration file. It contains the # configuration directives that give the server its instructions. # See <URL:http://httpd.apache.org/docs/2.4/> for detailed information. # In particular, see<URL:http://httpd.apache.org/docs/2.4/mod/directives.html> # for a discussion of each configuration directive.Copy to Clipboard Copied! Query all
httpdqpackages:sudo rpm -qa httpdq
$ sudo rpm -qa httpdqCopy to Clipboard Copied! Identify the ports on which the web server accepts incoming requests:
cat /etc/httpd/conf/httpd.conf | grep Listen Listen: Allows you to bind Apache to specific IP addresses and/or Change this to Listen on a specific IP address, but note that if #Listen 12.34.56.78:80 Listen 80
$ cat /etc/httpd/conf/httpd.conf | grep Listen # Listen: Allows you to bind Apache to specific IP addresses and/or # Change this to Listen on a specific IP address, but note that if #Listen 12.34.56.78:80 Listen 80Copy to Clipboard Copied! Restart the
httpdservice:systemctl restart httpd
$ systemctl restart httpd Job for httpd. Service failed because the control process exited with error code. See “systemctl status httpd.service" and “journalctl -xeu httpd.service” for details.Copy to Clipboard Copied! Run the
journalctlcommand for more details on the failed service:sudo journalctl -xeu httpd.service
$ sudo journalctl -xeu httpd.serviceCopy to Clipboard Copied!
Use the command-line assistant to troubleshoot the issue and ask why the service is failing:
sudo c “why did httpd fail to start”
$ sudo c “why did httpd fail to start”Copy to Clipboard Copied! One of the suggestions from the assistant is to query audit logs by using the
ausearchtool, and use theAVCandUSER_AVCvalues for the message type parameter. For that, run the following command:sudo ausearch -m AVC,USER_AVC -ts recent
$ sudo ausearch -m AVC,USER_AVC -ts recentCopy to Clipboard Copied! Ask the command-line assistant about the
selinux httpdport:c “selinux httpd port”
$ c “selinux httpd port”Copy to Clipboard Copied! The assistant advises to use the
sestatuscommand to check the current SELinux status and the content of the httpd services with the following command:sudo sestatus
$ sudo sestatus SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Memory protection checking: actual (secure) Max kernel policy version: 33Copy to Clipboard Copied! View the specific SELinux policy for the httpd services by running the following command:
sudo cat /usr/share/selinux/targeted/contexts/httpd_var_run_t No such file or directory
$ sudo cat /usr/share/selinux/targeted/contexts/httpd_var_run_t No such file or directoryCopy to Clipboard Copied! Ask the command-line assistant about contexts.
c “i don't have a httpd_var_run_t contexts”
$ c “i don't have a httpd_var_run_t contexts”Copy to Clipboard Copied! The command-line assistant takes some time to process the request, then provides several possible suggestions.
The assistant says that you might not have context and need to set it with the following command:
sudo chcon -R -t httpd_var_run_t
$ sudo chcon -R -t httpd_var_run_tCopy to Clipboard Copied! Ask the CLA about the port:
c “selinux won't let httpd listen on port 12345”
$ c “selinux won't let httpd listen on port 12345”Copy to Clipboard Copied! Try the following suggestion, run the command:
sudo semage port -a -t httpd_port_t -p tcp 12345
$ sudo semage port -a -t httpd_port_t -p tcp 12345 ValueError: Type httpd_port_t is invalid, must be a port typeCopy to Clipboard Copied! Ask the CLA about the error you see in the output:
c “how do I fix ValueError: Type httpd_port_t is invalid, must be a port type”
$ c “how do I fix ValueError: Type httpd_port_t is invalid, must be a port type”Copy to Clipboard Copied!
Run the steps provided by the CLA:
sudo getenforce setenforce 0 sudo systemctl restart httpd sudo systemctl status httpd sudo ls -Z /usr/sbin/httpd chcon -t httpd_exec_t /usr/sbin/httpd sudo setenforce 1
$ sudo getenforce Enforcing $ setenforce 0 $ sudo systemctl restart httpd $ sudo systemctl status httpd $ sudo ls -Z /usr/sbin/httpd system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd $ chcon -t httpd_exec_t /usr/sbin/httpd $ sudo setenforce 1Copy to Clipboard Copied! Restart the
httpdservice and check the status ofhttpd.service:sudo systemctl restart httpd sudo systemctl status httpd.service
$ sudo systemctl restart httpd Job failed $ sudo systemctl status httpd.service Failed to start the Apache ServerCopy to Clipboard Copied!
Ask the CLA how to enable
httpdto listen onport12345:c “how do I enable httpd to listen on port 12345 selinux”
$ c “how do I enable httpd to listen on port 12345 selinux”Copy to Clipboard Copied! Run the command advised by the CLA:
sudo setsebool -P httpd_can_network_connect=1
$ sudo setsebool -P httpd_can_network_connect=1Copy to Clipboard Copied!
Restart the
httpdservice and check the status ofhttpd.serviceagain:sudo systemctl status htppd sudo systemctl restart httpd
$ sudo systemctl status htppd $ sudo systemctl restart httpd Job failed, see journalctlCopy to Clipboard Copied! Check the
journalctlservice:journalctl -xeu httpd
$ journalctl -xeu httpd Output: An ExecStart= process belonging to unit httpd.service has exited.Copy to Clipboard Copied! Use the output to ask the CLA to troubleshoot:
c “An ExecStart= process belonging to unit httpd.service has exited.”
$ c “An ExecStart= process belonging to unit httpd.service has exited.”Copy to Clipboard Copied! Run the command that the CLA responds with:
sudo ausearch -m AVC,USER_AVC -ts recent
$ sudo ausearch -m AVC,USER_AVC -ts recent Output: “avc: denied {name_bind} for pid=7184 comm=”httpd” src=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r: unreserved_port_t:s0 tclas=tcp_socket permissive=0"Copy to Clipboard Copied! Copy the output of the previous command:
sudo c ““avc: denied {name_bind} for pid=7184 comm=”httpd” src=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r: unreserved_port_t:s0 tclas=tcp_socket permissive=0”$ sudo c ““avc: denied {name_bind} for pid=7184 comm=”httpd” src=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r: unreserved_port_t:s0 tclas=tcp_socket permissive=0”Copy to Clipboard Copied! Run the following command to resolve the error “SELinux is preventing Apache Server (httpd) from binding to port 12345”.
sudo semage port -a -t http_port_t -p tcp 12345
$ sudo semage port -a -t http_port_t -p tcp 12345Copy to Clipboard Copied!
Restart the httpd service and check the status of
httpd.service:sudo systemctl restart httpd sudo systemctl status httpd.service
$ sudo systemctl restart httpd No error $ sudo systemctl status httpd.serviceCopy to Clipboard Copied! The server is configured, up and running, and listening on
port 443,port 12345.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}