systemtap compile server management
SERVER AUTHENTICATION
The security of the SSL network connection between the client and
server depends on the proper management of server certificates.
The trustworthiness of a given systemtap compile server cannot
be determined automatically without a trusted certificate
authority issuing systemtap compile server certificates. This is
not practical in everyday use and so clients must authenticate
servers against their own database of trusted server
certificates. In this context, establishing a given server as
trusted by a given client means adding that server's certificate
to the client's database of trusted servers.
For the stap-server initscript, on the local host, this is
handled automatically. When the systemtap-server package is
installed, the server's certificate for the default user
(stap-server) is automatically generated and installed. This
means that servers started by the stap-server initscript, with
the default user, are automatically trusted by clients on the
local host, both as an SSL peer and as a systemtap module signer.
Furthermore, when stap is invoked by an unprivileged user (not
root, not a member of the group stapdev, but a member of the
group stapusr and possibly the group stapsys), the options
--use-server and --privilege are automatically added to the
specified options. This means that unprivileged users on the
local host can use a server on the local host in unprivileged
mode with no further setup or options required. Normal users
(those in none of the SystemTap groups) can also use compile
servers through the --use-server and --privilege options, but
they will of course be unable to load the module (the -p4 option
can be used to stop short of loading).
In order to use a server running on another host, that server's
certificate must be installed on the client's host. See the
--trust-servers option in the stap(1) manual page and
README.unprivileged in the systemtap sources for more details.
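The group-based behaviour described above for local users can be checked per account when auditing who is able to load modules. The following is an added example, not part of systemtap; the function names and class labels are made up here, and an account in stapsys but not stapusr is treated as a normal user, following the wording above.

```shell
#!/bin/sh
# Added example (not systemtap code): classify an account by the rules in the
# text above. Arguments: numeric uid, then the account's group names.
stap_user_class() {
    uid=$1; shift
    in_stapdev=no; in_stapusr=no; in_stapsys=no
    for g in "$@"; do
        case $g in
            stapdev) in_stapdev=yes ;;
            stapusr) in_stapusr=yes ;;
            stapsys) in_stapsys=yes ;;
        esac
    done
    if [ "$uid" -eq 0 ] || [ "$in_stapdev" = yes ]; then
        echo privileged               # root or stapdev member
    elif [ "$in_stapusr" = yes ]; then
        # Unprivileged user; stapsys membership is optional on top of stapusr.
        if [ "$in_stapsys" = yes ]; then
            echo unprivileged-stapsys
        else
            echo unprivileged-stapusr
        fi
    else
        echo normal                   # in none of the groups that matter here
    fi
}

# Hypothetical helper: one-line summary of what the text says for that class.
stap_user_hint() {
    case $(stap_user_class "$@") in
        privileged)
            echo "privileged: outside the automatic --use-server/--privilege case" ;;
        unprivileged-*)
            echo "unprivileged: stap adds --use-server and --privilege itself" ;;
        normal)
            echo "normal: pass --use-server and --privilege; cannot load, stop with -p4" ;;
    esac
}

# Report for the account running this script (group list left unquoted so it
# splits into one argument per group).
stap_user_hint "$(id -u)" $(id -Gn)
```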