Red Hat Bugzilla – 1378462 – systemtap-server SSL/TLS certificates need to be unique per instance or install, but this value is created at install time and not during the first run.
The fix for Bug #1346112 is as follows:
=======
commit be665e77eb7cd88a3d15676945bec7def3eb73d5
Author: Frank Ch. Eigler <fche>
Date: Wed Jun 15 10:58:01 2016 -0400
RHBZ1346112: let stap-server create ssl-cert on first run rather than install
This way different container-images get different certs.
diff --git a/stap-server b/stap-server
index 939c503..c39ae49 100644
--- a/stap-server
+++ b/stap-server
@@ -500,6 +500,19 @@ prepare_stat_dir () {
return 0
}
+prepare_certs () {
+ if [ "$USER" != "`id -un`" ]; then
+ if ! runuser -s /bin/bash - $USER -c 'test -f $HOME/.systemtap/ssl/server/stap.cert'; then
+ runuser -s /bin/bash - $USER -c %{_libexecdir}/systemtap/stap-gen-cert >/dev/null
+ fi
+ else
+ if ! test -f $HOME/.systemtap/ssl/server/stap.cert; then
+ ${PKGLIBEXECDIR}stap-gen-cert
+ fi
+ fi
+}
+
+
prepare_log_dir () {
local log_path=`dirname "$1"`
if [ ! -d "$log_path" ]; then
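Review bot: the runuser branch of prepare_certs passes `%{_libexecdir}/systemtap/stap-gen-cert` to the target user's shell, but this file is the stap-server script, not the spec, so the rpm macro is never expanded; a command word beginning with `%` is then taken by bash as a job spec and the call fails. The else branch already resolves the helper through `${PKGLIBEXECDIR}stap-gen-cert`, so use the same variable in both branches, e.g. `runuser -s /bin/bash - "$USER" -c "${PKGLIBEXECDIR}stap-gen-cert" >/dev/null`, and quote `$USER` while at it. The single quotes around `'test -f $HOME/.systemtap/ssl/server/stap.cert'` are right as written, since `$HOME` must expand in the target user's shell rather than the caller's.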
@@ -859,6 +872,13 @@ start_server () {
fi
fi
+ # Create certificates for this server
+ prepare_certs
+ if [ $? -ne 0 ]; then
+ echo $"Failed to make certificates ($USER .systemtap/ssl/server/stap.cert)" >&2
+ exit 1
+ fi
+
# Create the log directory for this server
prepare_log_dir "$LOG"
if [ $? -ne 0 ]; then
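Review bot: prepare_certs is called before `prepare_log_dir "$LOG"`, so when stap-gen-cert fails its own diagnostics and the `Failed to make certificates` message reach only stderr and are never recorded in the server log; consider calling prepare_certs after the log directory exists so a first-run certificate failure is captured where an operator will look. The `if [ $? -ne 0 ]` / `exit 1` shape matches the existing prepare_log_dir check that follows, which is consistent.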
diff --git a/systemtap.spec b/systemtap.spec
index 1630fba..84bf041 100644
--- a/systemtap.spec
+++ b/systemtap.spec
@@ -658,11 +658,6 @@ test -e %{_localstatedir}/log/stap-server/log || {
chmod 644 %{_localstatedir}/log/stap-server/log
chown stap-server:stap-server %{_localstatedir}/log/stap-server/log
}
-# If it does not already exist, as stap-server, generate the certificate
-# used for signing and for ssl.
-if test ! -e ~stap-server/.systemtap/ssl/server/stap.cert; then
- runuser -s /bin/sh - stap-server -c %{_libexecdir}/systemtap/stap-gen-cert >/dev/null
-fi
# Prepare the service
%if %{with_systemd}
# Note, Fedora policy doesn't allow network services enabled by default
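Review bot: dropping the %post generation does not give existing installations or already-built container images a new certificate, because prepare_certs only runs stap-gen-cert when `$HOME/.systemtap/ssl/server/stap.cert` is absent and an install-time certificate will already be there; since the commit message promises different certs per image, either handle the upgrade case here in the spec or document that such images must remove that file to obtain a unique certificate on the next start.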
=======
It leaves an rpm macro in a shell script, which can't work. It doesn't look like a problem on rhel-7.3 because there the else branch of prepare_certs() gets called. But using devtoolset-6-systemtap-3.0-7s.el{6,7}, the "if" branch gets called and that, of course, fails, e.g.:
=======
:: [ BEGIN ] :: Running 'service devtoolset-6-stap-server start'
Starting stap-server -a "x86_64" -r "2.6.32-642.el6.x86_64" -u "stap-server" --log "/opt/rh/devtoolset-6/root/var/log/stap-server/log"
-bash: line 0: fg: no job control
Failed to make certificates (stap-server .systemtap/ssl/server/stap.cert)
:: [ FAIL ] :: Command 'service devtoolset-6-stap-server start' (Expected 0, got 1)
=======
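The two points in the comment above, reproduced as an added example (this is not code from the systemtap project or from the bug report): an unexpanded rpm macro handed to a shell fails exactly as the log shows, and the first-run logic the patch intends gives each instance its own certificate while leaving an existing one alone on later starts. stap-gen-cert is replaced by a constructed stand-in written to a temporary directory, and PKGLIBEXECDIR is the variable the stap-server script uses for that directory (assumed to carry a trailing slash, since the patch concatenates `${PKGLIBEXECDIR}stap-gen-cert`). The runuser branch is not exercised, so only the same-user path is shown.

```shell
#!/bin/sh
# Added example, not the systemtap project's code. Shows (1) why passing the
# rpm macro %{_libexecdir} to a shell fails and (2) first-run, per-instance
# certificate creation driven by a shell variable instead of the macro.

# Returns 0 when the unexpanded-macro form fails, as it did in the report.
# Under bash the command word starts with '%', so bash tries to treat it as a
# job spec ("fg: no job control"); under another sh it is a missing file.
macro_path_fails() {
    bash -c '%{_libexecdir}/systemtap/stap-gen-cert' >/dev/null 2>&1 && return 1
    return 0
}

# Create a scratch libexec dir holding a stand-in stap-gen-cert that writes a
# unique (constructed) cert file under $HOME/.systemtap/ssl/server/.
# Prints the directory path with a trailing slash, like PKGLIBEXECDIR.
make_fake_libexec() {
    d=$(mktemp -d) || return 1
    cat > "$d/stap-gen-cert" <<'EOF'
#!/bin/sh
dir="$HOME/.systemtap/ssl/server"
mkdir -p "$dir" || exit 1
# constructed "certificate": pid, time and 16 random bytes, unique per run
printf 'STAP-CERT %s %s %s\n' "$$" "$(date +%s)" \
    "$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')" > "$dir/stap.cert"
EOF
    chmod 755 "$d/stap-gen-cert" && printf '%s/\n' "$d"
}

# Corrected prepare_certs: generate only when no certificate exists, resolving
# the helper through the PKGLIBEXECDIR shell variable (assumed set by caller).
prepare_certs() {
    if ! test -f "$HOME/.systemtap/ssl/server/stap.cert"; then
        "${PKGLIBEXECDIR}stap-gen-cert" || return 1
    fi
    return 0
}

# Start "instance" $1 (a directory used as its HOME) and print its cert.
start_instance() {
    ( HOME="$1"; export HOME; prepare_certs ) || return 1
    cat "$1/.systemtap/ssl/server/stap.cert"
}

# Start two instances from the same "image" (same PKGLIBEXECDIR), then start
# the first one again. Prints "unique" if the two instances got different
# certs and "stable" if the repeated start kept the first cert; returns 0
# only when both hold.
demo_first_run_certs() {
    PKGLIBEXECDIR=$(make_fake_libexec) || return 1
    export PKGLIBEXECDIR
    a=$(mktemp -d) && b=$(mktemp -d) || return 1
    cert_a1=$(start_instance "$a") || return 1
    cert_b=$(start_instance "$b") || return 1
    cert_a2=$(start_instance "$a") || return 1
    rm -rf "$a" "$b" "${PKGLIBEXECDIR%/}"
    [ "$cert_a1" != "$cert_b" ] && echo unique || return 1
    [ "$cert_a1" = "$cert_a2" ] && echo stable || return 1
}

demo_first_run_certs
macro_path_fails && echo "macro form fails as in the report"
```

The stand-in only mimics the file layout the patch tests for (`$HOME/.systemtap/ssl/server/stap.cert`); the real stap-gen-cert produces an NSS certificate and key, but the first-run decision is the same `test -f` either way.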
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHBA-2016-2746.html