This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.



stap-server initscript now available


Hi,

I've pushed the implementation of a stap-server initscript. It gets installed with the systemtap-server rpm. It should make management of systemtap servers a lot easier and this is critical to enabling unprivileged user support.

There are some enhancements coming, but if you're not cross compiling, it's ready to use now. Please report problems, concerns or ideas for improvement using PR 10905.

I've attached a usage tutorial to this announcement. I hope that it is helpful. Also see initscript/README.stap-server for complete details.

Dave
stap-server initscript Usage
============================
This document outlines

o the basic use of the stap-server system service (initscript)
o the corresponding use of the systemtap client (stap-client) for accessing the
  server
o using the --unprivileged feature with the client/server for unprivileged
  users.

Unprivileged users are users who are not root, and are not members of the groups
stapdev or stapusr. The systemtap compile server provides a secure environment
for verifying and compiling systemtap scripts for these users and provides a
trusted signer for the resulting kernel module, allowing it to be verified by
staprun on the client host.

Requirements
------------
In order to use the stap-server service, the systemtap and systemtap-server
packages must be installed. You must also have root access on the host
on which the server will be run.

In order to use stap-client, the systemtap-runtime and systemtap-client packages
must be installed. You must also have root access on the host on which
stap-client will be used.

Starting the stap-server Service
--------------------------------
To start the stap-server service, as root, execute the following

 /sbin/service stap-server start

You should see a message indicating that the server is starting, some
information about the target that the server is for (should match the
kernel release and architecture of the host) and a status of OK.

To check that the server is indeed running, run

 /sbin/service stap-server status

You should see a message indicating that the server is running with details
about the target and the server's process id. You need not be root to run this
command.

Using the Server to Compile a Systemtap Script
----------------------------------------------
One purpose of the systemtap server is to provide a centralized environment for
the compilation of systemtap scripts. For example, this would allow a system
administrator to install kernel debuginfo packages on one host with a
server running. Other users on the local network could then compile and run
their scripts using stap-client on compatible hosts which do not have the
debuginfo installed.

Authorizing the Server as a Trusted Server
------------------------------------------
Before we can allow stap-client to attempt to load a module returned by
a systemtap server, we need to assert that the server is an actual systemtap
server and can be trusted to compile the script correctly. This is done by
using an ssl connection verified by the server's certificate and public key.
For servers started by the stap-server service, these can be found in the file

  /var/lib/stap-server/.systemtap/ssl/server/stap.cert

on the host on which the server is running.

In order to authorize this server as trusted, copy this file to some location
on the client host (which may be the same host as the server host) and, as root,
on the client host, run

  stap-authorize-server-cert <file>

All users on the client host may now use stap-client to access that server. To
test this, as root, on the client host, run

  stap-client -e 'probe begin { printf ("Hello\n"); exit (); }'

This should print

  Hello

As any other user on the client host, run

  stap-client -e 'probe begin { printf ("Hello\n"); exit (); }'

If this prints

  Hello

then this user is a member of stapdev and is, therefore, a privileged user.

Try running the command again as an unprivileged user. You should get a message
indicating that you are an unprivileged user and that your module has not been
signed by a trusted signer.

Using the Server to Facilitate Use of systemtap by Unprivileged Users
---------------------------------------------------------------------
The loading of modules created by systemtap is generally restricted to
privileged users because of the wide scope of capabilities possible. However,
a subset of systemtap's capabilities are benign to the system and would not
allow users to gain access to normally restricted information. Certainly our
"Hello" script falls into this subset.

Systemtap provides an option (--unprivileged) which, when used by stap-client
in conjunction with a trusted server, allows these scripts to be compiled and
run by unprivileged users.

When specified on the invocation of stap-client, the --unprivileged option
instructs the server to check that the features used by the script fall within
the subset of "safe" features. If so, the server will compile the script and
digitally sign the resulting module. Successful verification of the signature
by the client asserts that the script which produced the module was checked
for safety by a trusted installation of systemtap (the server) and that the
module has not been tampered with since it was signed.

Authorizing the Server as a Trusted Signer
------------------------------------------
Verification of a module's signature requires the signer's certificate and
public key. For servers started using the stap-server service, this is the
same certificate and key which was used to verify the ssl connection between the
client and server.

In order to authorize this server as a trusted signer, copy this file to some
location on the client host and, as root, on the client host, run

  stap-authorize-signing-cert <file>

An unprivileged user should now be able to compile and run a benign script
using stap-client with --unprivileged specified and this server. To test this,
as an unprivileged user, on the client host, run

  stap-client -e 'probe begin { printf ("Hello\n"); exit (); }' --unprivileged

This should print

  Hello

Stopping the stap-server Service
--------------------------------
To stop the stap-server service, as root, on the server host, execute the
following

 /sbin/service stap-server stop

You should see a message indicating that the server is stopping, some
information about the target that the server is for (should match the
kernel release and architecture of the server host) and a status of OK.

To check that the server is indeed stopped, run

 /sbin/service stap-server status

You should see a message indicating that no servers are running. You need not
be root to run this command.
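
Added example, not part of the original tutorial or the systemtap project: a wrapper for the two authorization steps above ("Trusted Server" and "Trusted Signer") that refuses to authorize a copied stap.cert unless it matches a SHA-256 digest recorded on the server host. The function names, the DRY_RUN variable and the assumption that the digest was taken with sha256sum and conveyed out of band are all hypothetical.

```shell
#!/bin/sh
# Added example (not from the tutorial): check a copied stap.cert against a
# digest recorded on the server host before authorizing it on the client.
# cert_digest, auth_command, trust_cert and DRY_RUN are hypothetical names.

# Print the SHA-256 digest (hex) of a file; reading stdin avoids filename quirks.
cert_digest() {
    sha256sum < "$1" | cut -d' ' -f1
}

# Map a trust role to the authorization command named in the tutorial.
auth_command() {
    case "$1" in
        ssl)    echo stap-authorize-server-cert ;;
        signer) echo stap-authorize-signing-cert ;;
        *)      return 1 ;;
    esac
}

# trust_cert <file> <expected-sha256> <ssl|signer>
# Returns 0 after authorizing, 1 on digest mismatch, 2 on usage/read errors.
# With DRY_RUN=1 the command is printed instead of executed.
trust_cert() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    role=$3
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    cmd=$(auth_command "$role") || { echo "unknown role: $role" >&2; return 2; }
    actual=$(cert_digest "$file") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file; not authorizing as $role" >&2
        return 1
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$cmd $file"
    else
        "$cmd" "$file"
    fi
}
```

Run trust_cert as root on the client host with the role ssl for the connection trust step, and with the role signer only on hosts where unprivileged users are meant to load modules signed by that server.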
