Investigative tasks (e.g. searching for users as server admin)¶
This page requires that you have root access to the machines where kubernetes runs on, or have kubernetes permissions allowing you to port-forward arbitrary pods and services.
If you have the backoffice pod installed, see also the backoffice README.
If you don’t have backoffice, see below for some options:
Manually searching for users in cassandra¶
Terminal one:
Terminal two: Search for your user by email:
You can also search by handle (unique username) or by phone:
Which should give you output like:
The interesting part is the id (in the example case 9122e5de-b4fb-40fa-99ad-1b5d7d07bae5):
Deleting a user which is not a team user¶
The following will completely delete a user, its conversations, assets, etc. The only thing remaining will be an entry in cassandra indicating that this user existed in the past (only the UUID remains, all other attributes like name etc are purged)
You can now delete that user by double-checking that the user you wish to delete is really the correct user:
Afterwards, the previous command (to search for a user in cassandra) should return an empty list ([]).
When done, on terminal 1, ctrl+c to cancel the port-forwarding.
Searching and deleting users with no team¶
If you require users to be part of a team, or for some other reason you need to delete all users who are not part of a team, you need to first find all such users, and then delete them.
To find users that are not part of a team, first you need to connect via SSH to the machine where cassandra is running, and then run the following command:
This will give you a list of handles and IDs with no team associated:
You can then delete each user with these instructions.
Manual search on elasticsearch (via brig, recommended)¶
This should only be necessary in the case of some (suspected) data inconsistency between cassandra and elasticsearch.
Terminal one:
Terminal two: Search for your user by name or handle or a prefix of that handle or name:
If no match is found, expect a query like this:
If matches are found, the result should look like this:
How to manually search for a user on elasticsearh directly (not recommended)¶
First, ssh to an elasticsearch instance.
Then run the following:
The id (UUID) returned can be used when deleting (see below).
How to manually delete a user from elasticsearch only¶
WARNING¶
This is NOT RECOMMENDED. Be sure you know what you’re doing. This only deletes the user from elasticsearch, but not from cassandra. Any change of e.g. the username or displayname of that user means this user will re-appear in the elasticsearch database. Instead, either fully delete a user: Deleting a user which is not a team user or make use of the internal GET/PUT /i/searchable endpoint on brig to make this user prefix-unsearchable.
If, despite the warning, you wish to continue?
First, ssh to an elasticsearch instance:
Next, check that the user exists:
That should return a "found": true, like this:
Then delete it:
Mass-invite users to a team¶
If you need to invite members to a specific given team, you can use the create_team_members.sh Bash script, located here.
This script does not create users or causes them to join a team by itself, instead, it sends invites to potential users via email, and when users accept the invitation, they create their account, set their password, and are added to the team as team members.
Input is a CSV file, in comma-separated format, in the form 'Email,Suggested User Name'.
You also need to specify the inviting admin user, the team, the URI for the Brig (API) service (Host), and finally the input (CSV) file containing the users to invite.
The exact format for the parameters passed to the script is as follows:
-a <admin uuid>: User ID in UUID format of the inviting admin. For example9122e5de-b4fb-40fa-99ad-1b5d7d07bae5.-t <team uuid>: ID of the inviting team, same format.-h <host>: Base URI of brig’s internal endpoint.-c <input file>: file containing info on the invitees in format ‘Email,UserName’.
For example, one such execution of the script could look like:
Note: the ‘http://localhost:9999’ implies you are running the ‘kubectl port-forward’ given at the top of this document . Once the script is run, invitations will be sent to each user in the file every second until all invitations have been sent.
If you have a lot of invitations to send and this is too slow, you can speed things up by commenting this line.
How to obtain logs from an Android client to investigate issues¶
Wire clients communicate with Wire servers (backend).
Sometimes to investigate server issues, you (or the Wire team) will need client information, in the form of client logs.
In order to obtain client logs on the Android Wire client, follow this procedure:
- Open the Wire app (client) on your Android device
- Click on the round user icon in the top left of the screen, leading to your user Profile.
- Click on “Settings” at the bottom of the screen
- Click on “Advanced” in the menu
- Check/activate “Collect usage data”
- Now go back to using your client normally, so usage data is generated. If you have been asked to follow a specific testing regime, or log a specific problem, this is the time to do so.
- Once enough usage data is generated, go back to the “Advanced” screen (User profile > Settings > Advanced)
- Click on “Create debug report”
- A menu will open allowing you to share the debug report, you can now save it or send it via email/any other means to the Wire team.
How to obtain logs from an iOS client to investigate issues¶
Wire clients communicate with Wire servers (backend).
Sometimes to investigate server issues, you (or the Wire team) will need client information, in the form of client logs.
In order to obtain client logs on the iOS Wire client, follow this procedure:
- Open the Wire app (client) on your iOS device
- Click on the round user icon in the top left of the screen, leading to your user Profile.
- Click on “Settings” at the bottom of the screen
- Click on “Advanced” in the menu
- Check/activate “Collect usage data”
- Now go back to using your client normally, so usage data is generated. If you have been asked to follow a specific testing regime, or log a specific problem, this is the time to do so.
- Once enough usage data is generated, go back to the “Advanced” screen (User profile > Settings > Advanced)
- Click on “Send report to wire”
- A menu will open to share the debug report via email, allowing you to send it to the Wire team.
How to retrieve metric values manually¶
Metric values are sets of data points about services, such as status and other measures, that can be retrieved at specific endpoints, typically by a monitoring system (such as Prometheus) for monitoring, diagnosis and graphing.
Sometimes, you will want to manually obtain this data that is normally automatically grabbed by Prometheus.
Some of the pods allow you to grab metrics by accessing their /i/metrics endpoint, in particular:
brig: User management APIcannon: WebSockets APIcargohold: Assets storage APIgalley: Conversations and Teams APIgundeck: Push Notifications APIspar: Single-Sign-ON and SCIM
For more details on the various services/pods, you can check out this link.
Before you can grab metrics from a pod, you need to find its IP address. You do this by running the following command:
(this presumes you are already in your normal Wire environment, which you obtain by running source ./bin/offline-env.sh)
Which will give you an output that looks something like this:
Here presuming we need to get metrics from gundeck, we can see the IP of one of the gundeck pods is 10.233.110.6.
We can therefore connect to node kubenode2 on which this pod runs with ssh kubenode2.your-domain.com, and run the following:
Alternatively, if you don’t want to, or can’t for some reason, connect to kubenode2, you can use port redirect instead:
Output will look something like this (truncated):
This example is for Gundeck, but you can also get metrics for other services. All k8s services are listed at this link.
This is an example adapted for Cannon:
In the output of this command, net_websocket_clients is roughly the number of connected clients.
Reset session cookies¶
Remove session cookies on your system to force users to login again within the next 15 minutes (or whenever they come back online):
WARNING¶
This will cause interruptions to ongoing calls and should be timed properly.
Reset cookies of all users¶
Reset cookies for a defined list of users¶
(Keep reading if you want to find out which users on your system are using SSO.)
Identify all users using SSO¶
Collect all teams configured with an IdP:
Close the session and proceed locally:
And use this list to get all team members in these teams:
Close the session and proceed locally to generate the list of all users from teams with IdP:
NOTE¶
Don’t forget to dellete the created csv files after you have downloaded/processed them.
Create a team using the SCIM API¶
If you need to create a team manually, maybe because team creation was blocked in the “teams” interface, follow this procedure:
First download or locate this bash script: wire-server/hack/bin/create_test_team_scim.sh <https://github.com/wireapp/wire-server/blob/develop/hack/bin/create_test_team_scim.sh>
Then, run it the following way:
Where:
- In
-h <brig host>, replace<brig host>with the base URL for your brig host (for example:https://brig-host.your-domain.com, defaults tohttp://localhost:8082) - In
-s <spar host>, replace<spar host>with the base URL for your spar host (for example:https://spar-host.your-domain.com, defaults tohttp://localhost:8088)
You might also need to edit the admin email and admin passwords at lines 48 and 49 of the script.
To learn more about the different pods and how to identify them, see this page.
You can list your pods with kubectl get pods --namespace wire.
Alternatively, you can run the series of commands manually with curl, like this:
Where:
$BRIG_HOSTis the base URL for your brig host$ADMIN_EMAILis the email for the admin account for the new team$ADMIN_PASSWORDis the password for the admin account for the new team$NAME_OF_TEAMis the name of the team newly created
Out of the result of this command, you will be able to extract an Admin UUID, and a Team UUID, which you will need later.
Then run:
Where the values to replace are the same as the command above.
This command should output an access token, take note of it.
Then run:
Where the values to replace are the same as the first command, plus $ACCESS_TOKEN is access token you just took note of in the previous command.
Out of the JSON output of this command, you should be able to extract:
- A SCIM token (
tokenvalue in the JSON). - A SCIM token ID (
idvalue in theinfovalue in the JSON)
Equiped with those tokens, we move on to the next script, wire-server/hack/bin/create_team.sh <https://github.com/wireapp/wire-server/blob/develop/hack/bin/create_team.sh>
This script can be run the following way:
Where:
- -h
: Base URI of brig. default: http://localhost:8080 - -o
: user display name of the owner of the team to be created. default: “owner name n/a” - -e
: email address of the owner of the team to be created. default: “owner email n/a” - -p
: owner password. default: “owner pass n/a” - -v
: validation code received by email after running the previous script/commands. default: “email code n/a” - -t
: default: “team name n/a” - -c
: default: “USD”
Alternatively, you can manually run the command:
Where:
$BRIG_HOSTis the base URL for your brig service$OWNER_NAMEis the name of the of the team to be created$OWNER_PASSWORDis the password of the owner of the team to be created$EMAIL_CODEis the validation code received by email after running the previous script/command$TEAM_CURRENCYis the currency of the team$TEAM_NAMEis the name of the team