21 Examples To Make Sure Unix / Linux Configuration Files Are Free From Syntax Errors



In Linux and UNIX system services are configured using various text files located in /etc/ or /usr/local/etc/ directory tree. A typical server system could have dozens of configuration files. You can check your configuration files for syntax errors without starting the server and validate all settings. In some cases, it is possible to check the sanity of specific data/config options and directories. Text files are easier to manage remotely. You can use ssh and a text editor. If there is an error in configuration, the server may not start. It may result in a disaster. This post explains how to quickly find out a syntax error for popular servers and test configuration file for syntax errors.



ADVERTISEMENTS



Stop! Test Your Server Configuration Before Restarting Unix and Linux Services

The thing about Linux or Unix server is that the smallest typo such as missing semicolon or white space in config file can cause the greatest grief.

The following command-line option will not run the daemon or stop running server services; it will just test the configuration file and then exit. It will check the configuration for correct syntax and then try to open files referred in configuration. The config file is parsed and checked for syntax errors, along with all files included config file(s) by the server. In most case you can also specify which configuration file server should use instead of the default. Once you have verified your configuration files and fixed any errors you can go ahead and reload or restart the server.

A Note About Reloading Servers

The syntax is as follows under Linux depending upon your version:

/sbin/service SERVICE-NAME [reload|restart] /etc/init.d/SERVICE-NAME [reload|restart] systemctl reload SERVICE-NAME-HERE

The reload option reloads the config file without interrupting pending operations. For example the following command will reload Apache web server after the config file changes:

# /sbin/service httpd reload

OR

# systemctl reload httpd

However, most Linux and Unix-like daemon programs sometimes use SIGHUP as a signal to restart themselves, the most frequent reason for this being to re-read a configuration file that has been changed. The syntax is as follows for the cat command and kill command:

kill -HUP $(cat /var/run/SERVICE.pid)

OR

kill -HUP `cat /var/run/SERVICE.pid`

Let us see how to test the syntax for various Linux and Unix services.

1. OpenSSH Server

You can use the following syntax to test OpenSSH config file, type:

# /usr/sbin/sshd -t && echo $?

A sample configuration error session:

# usr/sbin/sshd -t

Sample outputs:

/etc/ssh/sshd_config line 26: Bad yes/without-password/forced-commands-only/no argument: Naa

To print line # 26, enter:

# sed -n '26p' /etc/ssh/sshd_config

Sample outputs:

PermitRootLogin Naa

Use a text editor such as vi to edit the file, enter:

# vi +26 /etc/ssh/sshd_config

Finally update the syntax, enter:

PermitRootLogin No

Save and close the file. Test it again:

# /usr/sbin/sshd -t

OpenSSH Extended Test Mode

Use the -T option to check the validity of the configuration file, output the effective configuration to stdout (screen) and then exit:

# /usr/sbin/sshd -T

See also: Openssh server security best practices for more information.

2. Apache Web Server

The syntax is as follows to run syntax tests for configuration files only:

# /usr/sbin/apache2 -t

Sample error reporting:

apache2: Syntax error on line 50 of /etc/apache2/apache2.conf: ServerRoot must be a valid directory

On RHEL and friend, enter:

# /usr/sbin/httpd -t

Sample outputs:

Syntax OK

You can also use the apachectl command (pass the configtest or -t option). It will run a configuration file syntax test. It parses the configuration files and either reports Syntax Ok or detailed information about the particular syntax error:

# apachectl configtest

OR

# apachectl -t

Reload Apache server, enter:

# apachectl -k graceful

3. Nginx Web Server

To run syntax tests for nginx configuration files, enter:

# /usr/local/nginx/sbin/nginx -t

# /usr/local/nginx/sbin/nginx -t -c /usr/local/nginx/conf/nginx.conf

Sample outputs:

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

Where,

-c /path/to/file : Specify which configuration file Nginx should use instead of the default.

: Specify which configuration file Nginx should use instead of the default. -t : Just test the configuration file.

See also: Howto set nginx as a reverse proxy server and top 20 nginx best security practices for more information.

4. Lighttpd Web Server

To test the config-file, and exit, enter:

# /usr/local/sbin/lighttpd -t -f /usr/local/etc/lighttpd/cyberciti.biz/lighttpd.conf

Sample outputs:

Syntax OK

Where,

-f filename : Use filename of the config-file.

: Use filename of the config-file. -t : Test config-file.

5. BIND (named) DNS Server

Use named-checkconf command to check the syntax, but not the semantics. The file is parsed and checked for syntax errors, along with all files included by it

# named-checkconf /etc/named.conf

You can also check bind zone files, enter:

# named-checkzone cyberciti.biz /var/named/zone.cyberciti.biz

6. Squid Proxy Server

To parse and test configuration file, enter:

# /usr/sbin/squid -k check

# /usr/sbin/squid -k parse

Sample outputs:

2012/03/30 07:44:35| Processing Configuration File: /etc/squid/squid.conf (depth 0) 2012/03/30 07:44:35| Initializing https proxy context

7. MySQL (mysqld) Database Server

Type the following command:

# mysqld --verbose --help

The above will produce too much output. I recommend redirecting output to /dev/null and only display error/warning on the screen

# /usr/libexec/mysqld --verbose --help 1>/dev/null

Sample outputs:

120330 7:52:43 [Warning] '--log_slow_queries' is deprecated and will be removed in a future release. Please use ''--slow_query_log'/'--slow_query_log_file'' instead.

You can specify a new configuration file such as /root/test-my.cnf

# mysqld --defaults-file=/root/test-my.cnf --verbose --help 1>/dev/null

8. Postfix Mail Server (MTA)

Use the following syntax. To warn about bad directory/file ownership or permissions, and create missing directories, enter:

# postfix check

OR

# postfix -vvv

Sample outputs:

postfix: dict_register: mail_dict 1 postfix: dict_update: config_directory = /etc/postfix postfix: dict_update: queue_directory = /var/spool/postfix postfix: dict_update: command_directory = /usr/sbin postfix: dict_update: daemon_directory = /usr/libexec/postfix postfix: dict_update: data_directory = /var/lib/postfix postfix: dict_update: mail_owner = postfix postfix: dict_update: inet_interfaces = localhost postfix: dict_update: inet_protocols = all postfix: dict_update: mydestination = $myhostname, localhost.$mydomain, localhost postfix: dict_update: unknown_local_recipient_reject_code = 550 postfix: fatal: /etc/postfix/main.cf, line 385: missing '=' after attribute name: "sss"

You can see errors in maillog log file, enter:

# tail -f /var/log/maillog

Sample outputs:

And it'll run mysqld (or drizzled), parse tMar 30 08:01:34 mx421 postfix[2284]: dict_update: command_directory = /usr/sbin Mar 30 08:01:34 mx421 postfix[2284]: dict_update: daemon_directory = /usr/libexec/postfix Mar 30 08:01:34 mx421 postfix[2284]: dict_update: data_directory = /var/lib/postfix Mar 30 08:01:34 mx421 postfix[2284]: dict_update: mail_owner = postfix Mar 30 08:01:34 mx421 postfix[2284]: dict_update: inet_interfaces = localhost Mar 30 08:01:34 mx421 postfix[2284]: dict_update: inet_protocols = all Mar 30 08:01:34 mx421 postfix[2284]: dict_update: mydestination = $myhostname, localhost.$mydomain, localhost Mar 30 08:01:34 mx421 postfix[2284]: dict_update: unknown_local_recipient_reject_code = 550 Mar 30 08:01:34 mx421 postfix[2284]: fatal: /etc/postfix/main.cf, line 385: missing '=' after attribute name: "sss" Mar 30 08:01:42 mx421 postfix[2285]: fatal: /etc/postfix/main.cf, line 385: missing '=' after attribute name: "sss"he config, report any problems, print help, and exit without initializing storage engines or trying to

9. Samba (SMB/CIFS) File Server

Type the following command:

# testparm -v

10. tcpd

The tcpd program can be set up to monitor incoming requests for telnet, finger, ftp, exec, rsh, rlogin, tftp, talk, comsat and other services that have a one-to-one mapping onto executable files. The tcpdchk command examines your tcp wrapper configuration and reports all potential and real problems it can find:

# tcpdchk

# tcpdchk -a

# tcpdchk -d

# tcpdchk -i /path/to/inetd.conf

# tcpdchk -v

Where,

-a : Report access control rules that permit access without an explicit ALLOW keyword.

: Report access control rules that permit access without an explicit ALLOW keyword. -d : Examine hosts.allow and hosts.deny files in the current directory instead of the default ones.

: Examine hosts.allow and hosts.deny files in the current directory instead of the default ones. -i inet_conf : Specify this option when tcpdchk is unable to find your inetd.conf network configuration file, or when you suspect that the program uses the wrong one.

inet_conf : Specify this option when tcpdchk is unable to find your inetd.conf network configuration file, or when you suspect that the program uses the wrong one. -v : Display the contents of each access control rule. Daemon lists, client lists, shell commands and options are shown in a pretty-printed format; this makes it easier for you to spot any discrepancies between what you want and what the program understands.

11. dhcpd Server

The Internet Systems Consortium DHCP Server, dhcpd, implements the Dynamic Host Configuration Protocol (DHCP) and the Internet Bootstrap Protocol (BOOTP). DHCP allows hosts on a TCP/IP network to request and be assigned IP addresses, and also to discover information about the network to which they are attached. BOOTP provides similar functionality, with certain restrictions. To test syntax pass the following option:

# dhcpd -t

OR

# dhcpd -t -cf /path/to/dhcpd.testing.conf

OR

# dhcpd -T

OR

# dhcpd -T -lf /path/to/dhcpd.lease.file

Where,

-t : The -t flag is specified, the server will simply test the configuration file for correct syntax, but will not attempt to perform any network operations. This can be used to test the a new configuration file automatically before installing it.

: The -t flag is specified, the server will simply test the configuration file for correct syntax, but will not attempt to perform any network operations. This can be used to test the a new configuration file automatically before installing it. -T : This flag can be used to test the lease database file in a similar way.

: This flag can be used to test the lease database file in a similar way. -cf /path/to/dhcpd.testing.conf : Use an alternate configuration file called /path/to/dhcpd.testing.conf.

: Use an alternate configuration file called /path/to/dhcpd.testing.conf. -lf /path/to/dhcpd.lease.file : an alternate lease file called -lf /path/to/dhcpd.lease.file

12. vsftpd FTP Server

vsftpd is the Very Secure File Transfer Protocol daemon. Use the following command to make sure configuration file is free from syntax errors:

# vsftpd

OR

# vsftpd -olisten=NO /path/to/vsftpd.testing.conf

That example overrides vsftpd’s built-in default for the “listen” option to be NO, but then loads settings from /path/to/vsftpd.testing.conf.

13. Nagios

Nagios is a popular open source computer system monitor, network monitoring and infrastructure monitoring software application. Use the following syntax to run a sanity check on nagios.cfg as follows:

# nagios -v /path/to/testing/nagios.cfg

Where,

-v : Verify your configuration.

14. Openntpd Server

The ntpd daemon synchronizes the local clock to one or more remote NTP servers or local timedelta sensors. ntpd can also act as an NTP server itself, redistributing the local time. Use the following syntax to run a sanity check on ntpd.conf:

# ntpd -n

# ntpd -f /usr/local/etc/ntpd.conf -n

# ntpd -d -f /usr/local/etc/ntpd.conf -n

Where,

-n : Only check the configuration file for validity.

: Only check the configuration file for validity. -f /usr/local/etc/ntpd.conf : Use /usr/local/etc/ntpd.conf file as the configuration file, instead of the default /etc/ntpd.conf.

: Use /usr/local/etc/ntpd.conf file as the configuration file, instead of the default /etc/ntpd.conf. -d : Do not daemonize and ntpd will run in the foreground and log to stderr.

15. Xorg – The X11 Server

Linux and Unix like operating systems uses X11 to provide users with a powerful graphical user interface. X11 is a freely available version of the X Window System that is implemented in Xorg. The default xorg.conf is located in /etc/X11 directory. You can build an initial configuration file by simply running the following command:

# Xorg -configure

To test the existing configuration to verify that Xorg can work with the graphics hardware on the target system, enter:

# Xorg -config /path/to/xorg.conf.new -retro

Please note that the new Xorg is largely self-configuring and doesn’t need one. But, if you use proprietary (say Nvidia) or other drives you need to test Xorg syntax using the above described method.

16. syslogd / rsyslogd

syslogd is Unix / Linux system logging server. rsyslogd is reliable and extended syslogd for modern Linux distros. Rsyslogd is derived from the sysklogd package which in turn is derived from the stock BSD sources. To check for syntax error, type:

# syslogd -f /etc/rsyslog.testing.conf -d

OR

# rsyslogd -c4 -f /etc/rsyslog.testing.conf -N 1

Sample outputs:

rsyslogd: version 4.6.4, config validation run (level 1), master config /etc/rsyslog.conf rsyslogd: invalid or yet-unknown config file command - have you forgotten to load a module? [try http://www.rsyslog.com/e/3003 ] rsyslogd: the last error occured in /etc/rsyslog.conf, line 11:"$FilesOnwer root" rsyslogd: CONFIG ERROR: could not interpret master config file '/etc/rsyslog.testing.conf'. [try http://www.rsyslog.com/e/2124 ]

A sanity check without any errors:

rsyslogd: version 4.6.4, config validation run (level 1), master config /etc/rsyslog.testing.conf rsyslogd: End of config validation run. Bye.

Where,

-c4 : Selects the desired backward compatibility mode (in this example it is # 4).

: Selects the desired backward compatibility mode (in this example it is # 4). -f /etc/rsyslog.testing.conf : Specify an alternative configuration file instead of /etc/rsyslog.conf, which is the default.

: Specify an alternative configuration file instead of /etc/rsyslog.conf, which is the default. -d : Debug mode (only use with syslogd)

: Debug mode (only use with syslogd) -N 1 : Do a config file check. Do NOT run in regular mode, just check configuration file correctness. This option is meant to verify a config file. The level argument modifies behaviour. Currently, 0 is the same as not specifying the -N option at all (so this makes limited sense) and 1 actually activates the code. Later, higher levels will mean more verbosity (this is a forward-compatibility option).

17. CUPS Printing System

CUPS is the standards-based, open source printing system developed by Apple, for Mac OS X and other UNIX/Linux-like operating systems. cupsd is the scheduler for CUPS. It implements a printing system based upon the Internet Printing Protocol, version 2.1. To test config files for error type:

# cupsd -f -c /path/to/cupsd.testing.conf -t

Sample outputs:

Unknown directive Loggslevel on line 6. /etc/cups/cupsd.conf is OK

A sanity check without any errors:

/etc/cups/cupsd.conf is OK

Where,

-f : Run cupsd in the foreground; the default is to run in the background as a “daemon”.

: Run cupsd in the foreground; the default is to run in the background as a “daemon”. -c /path/to/cupsd.testing.conf : Uses the /path/to/cupsd.testing.conf configuration file.

: Uses the /path/to/cupsd.testing.conf configuration file. -t :

Test the configuration file for syntax errors.

18. slapd Stand-alone LDAP Daemon

OpenLDAP Software is a free, open source implementation of the Lightweight Directory Access Protocol (LDAP) developed by the OpenLDAP Project. To test whether the configuration file is correct or not, type:

# slapd -Tt

OR

# slapd -Tt -f /path/to/slapd-config.conf

Where,

-Tt : Test for config file errors.

: Test for config file errors. -f /path/to/slapd-config.conf : Specifies the slapd configuration file. The default is /etc/openldap/slapd.conf.

19. varnishd – HTTP Accelerator Daemon

To test varnishd vlc syntax, enter:

# varnishd -C -f /path/to/wordpress.vlc

Where,

-C : Print VCL code compiled to C language and exit. Specify the VCL file to compile with the -f option.

: Print VCL code compiled to C language and exit. Specify the VCL file to compile with the -f option. -F /path/to/wordpress.vlc : Use the specified VCL configuration file instead of the builtin default.

20. exim MTA

Pass the -bV option to exim. If there are any errors in the configuration file, Exim outputs error messages. Otherwise it outputs the version number and build date, the DBM library that is being used, and information about which drivers and other optional code modules are included in the binary.

# exim -bV

Some simple routing tests can be done by using the address testing option. For example,

# exim -bt <local username>

Admin users can test the malware scanning configuration (in Exim >= 4.73) with the -bmalware option:

# exim -bmalware <filename>

Another source of information is running Exim with debugging turned on, by specifying the -d option. If a message is stuck on Exim’s spool, you can force a delivery with debugging turned on by a command of the form

# exim -d -M <exim-message-id>

21. monit

Pass the -t option:

# monit -t

Sample outputs:

Control file syntax OK

22. Bonus tips

Some additional tips:

Bash / KSH Shell Scripts