The fix for Bug #1346112 is as follows: ======= commit be665e77eb7cd88a3d15676945bec7def3eb73d5 Author: Frank Ch. Eigler <fche> Date: Wed Jun 15 10:58:01 2016 -0400 RHBZ1346112: let stap-server create ssl-cert on first run rather than install This way different container-images get different certs. diff --git a/stap-server b/stap-server index 939c503..c39ae49 100644 --- a/stap-server +++ b/stap-server @@ -500,6 +500,19 @@ prepare_stat_dir () { return 0 } +prepare_certs () { + if [ "$USER" != "`id -un`" ]; then + if ! runuser -s /bin/bash - $USER -c 'test -f $HOME/.systemtap/ssl/server/stap.cert'; then + runuser -s /bin/bash - $USER -c %{_libexecdir}/systemtap/stap-gen-cert >/dev/null + fi + else + if ! test -f $HOME/.systemtap/ssl/server/stap.cert; then + ${PKGLIBEXECDIR}stap-gen-cert + fi + fi +} + + prepare_log_dir () { local log_path=`dirname "$1"` if [ ! -d "$log_path" ]; then @@ -859,6 +872,13 @@ start_server () { fi fi + # Create certificates for this server + prepare_certs + if [ $? -ne 0 ]; then + echo $"Failed to make certificates ($USER .systemtap/ssl/server/stap.cert)" >&2 + exit 1 + fi + # Create the log directory for this server prepare_log_dir "$LOG" if [ $? -ne 0 ]; then diff --git a/systemtap.spec b/systemtap.spec index 1630fba..84bf041 100644 --- a/systemtap.spec +++ b/systemtap.spec 
@@ -658,11 +658,6 @@ test -e %{_localstatedir}/log/stap-server/log || { chmod 644 %{_localstatedir}/log/stap-server/log chown stap-server:stap-server %{_localstatedir}/log/stap-server/log } -# If it does not already exist, as stap-server, generate the certificate -# used for signing and for ssl. -if test ! -e ~stap-server/.systemtap/ssl/server/stap.cert; then - runuser -s /bin/sh - stap-server -c %{_libexecdir}/systemtap/stap-gen-cert >/dev/null -fi # Prepare the service %if %{with_systemd} # Note, Fedora policy doesn't allow network services enabled by default ======= It leaves a rpm macro in a shell script, which can't work. Doesn't look like a problem on rhel-7.3 because there the else branch of the prepare_certs() gets called. But using the devtoolset-6-systemtap-3.0-7s.el{6,7}, the "if" branch gets called and that, of course, fails, e.g.: ======= :: [ BEGIN ] :: Running 'service devtoolset-6-stap-server start' Starting stap-server -a "x86_64" -r "2.6.32-642.el6.x86_64" -u "stap-server" --log "/opt/rh/devtoolset-6/root/var/log/stap-server/log" -bash: line 0: fg: no job control Failed to make certificates (stap-server .systemtap/ssl/server/stap.cert) :: [ FAIL ] :: Command 'service devtoolset-6-stap-server start' (Expected 0, got 1) =======
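Review bot: In the `prepare_certs` hunk, the `runuser` branch invokes `%{_libexecdir}/systemtap/stap-gen-cert`, but `%{_libexecdir}` is an RPM spec macro and nothing expands it inside the stap-server shell script, so that branch cannot run the generator whenever `$USER` differs from `id -un`. Use the same `${PKGLIBEXECDIR}stap-gen-cert` path as the else branch. The two branches also differ in that only the `runuser` one sends the generator's stdout to /dev/null; pick one behaviour for both, and quote `"$USER"` in the `runuser` calls.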
I've successfully tested the following patch: ======= $ git diff diff --git a/stap-server b/stap-server index c39ae49..7cb75d6 100644 --- a/stap-server +++ b/stap-server @@ -503,7 +503,7 @@ prepare_stat_dir () { prepare_certs () { if [ "$USER" != "`id -un`" ]; then if ! runuser -s /bin/bash - $USER -c 'test -f $HOME/.systemtap/ssl/server/stap.cert'; then - runuser -s /bin/bash - $USER -c %{_libexecdir}/systemtap/stap-gen-cert >/dev/null + runuser -s /bin/bash - $USER -c ${PKGLIBEXECDIR}stap-gen-cert >/dev/null fi else if ! test -f $HOME/.systemtap/ssl/server/stap.cert; then $ ======= in the DTS environment.
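Review bot: The replaced line in `prepare_certs` relies on `${PKGLIBEXECDIR}` ending in a slash and being set before this function runs, neither of which is visible in the hunk; a short comment saying where it is defined would help the next reader. The calling shell expands it unquoted before `runuser` executes, as it does `$USER`, so quote both (`"$USER"` and `-c "${PKGLIBEXECDIR}stap-gen-cert"`) to avoid word splitting on an unusual install prefix.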
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2746.html