summaryrefslogtreecommitdiffstats
path: root/stap-server.8.in
blob: 1976b6eace3e29378ce5639abef56746a1257ee8 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
.\" -*- nroff -*-
.TH STAP-SERVER 8 @DATE@ "Red Hat"
.SH NAME
stap-server \- systemtap server and related utilities

.SH SYNOPSIS

.br
.B stap\-start\-server
.br
.B stap\-find\-servers
[
.B \-\-all
]
.br
.B stap\-find\-or\-start\-server
.br
.B stap\-stop\-server
.I PID
.br
.B stap\-add\-server\-cert \fICERTFILE\fR  \fIDIRNAME\fR
.br
.B stap\-client
[
.B \-\-server=\fIHOSTNAME\fR|\fIIP_ADDRESS\fR[\fB:\fIPORT\fR]
]
[
.B \-\-ssl=\fIDIRNAME
]
[
.I ARGUMENTS
]

.SH DESCRIPTION

The systemtap server listens for connections from
.I stap\-client
on a secure SLL network port and accepts requests to run the
.I stap
front end.

.PP
The
.I stap\-start\-server
program attempts to start a systemtap server (\fIstap-serverd\fP)
on the local host. Upon
successful startup, the server listens for connections on a random port and
advertises its presence on the local network using the
.I avahi
daemon. If the server is successfully started, its process id is
echoed to stdout and the exit code is 0. Otherwise, nothing is echoed and the
exit code is 1.

.PP
The
.I stap\-find\-servers
program attempts to find systemtap servers running on the local network.
The details of any servers found are echoed to stdout.
If servers are found, then the exit code is 0, otherwise it is 1.

.PP
The
.I stap\-find\-or\-start\-server
program attempts to find a compatible systemtap server running on the local network
using
.IR stap\-find\-servers .
If a compatible server is found,
.I stap\-find\-or\-start\-server
echoes \[aq]0\[aq] to stdout and the exit code is 0. Otherwise
.I stap\-find\-or\-start\-server
attempts to start a server on the local network using
.IR stap\-start\-server .
If successful, the process id of the new server is echoed to stdout and the
exit code is 0. If no server can be found or started, \[aq]-1\[aq] is echoed
to stdout and the exit code is 1.

.PP
The
.I stap\-stop\-server
program verifies that the given process id is that of a running systemtap server
on the local host and, if so, attempts to shut down the server by sending it the
SIGTERM signal. If a process id is provided and it is that of a running systemtap
server, the exit code is 0. Otherwise the exit code is 1.
.I stap\-stop\-server
does not verify that the server actually shuts down.

.PP
The
.I stap\-add\-server\-cert
program adds the given server certificate to the given client\-side
certificate database, making that server a trusted server for clients using that database.

.PP
The
.I stap\-client
program is analagous to the
.I stap
front end except that it attempts to find a compatible systemtap server on the
local network and then attempts to use that server for actions related to
passes 1 through 4. Pass 5 actions, if requested, are performed on the local
host using
.IR staprun .
Upon successful completion, the exit code is 0. Otherwise the exit code
is 1.

.SH OPTIONS
The
.I stap\-find\-servers
program supports the following option.  Any other option
is ignored.
.TP
.B \-\-all
Instructs
.I stap\-find\-servers
to report all systemtap servers on the local network regardless of compatibility.
The default behavior is to report only servers which are compatible with
systemtap on the local host.

.PP
In addition to the options accepted by the
.I stap
front end,
.I stap\-client
accepts the following:

.TP
.B \-\-server=\fIHOSTNAME\fR|\fIIP_ADDRESS\fR[\fB:\fIPORT\fR]
This option intructs
.I stap\-client
to use the named server instead of looking for one automatically. The server may
be specified using a valid host name or ip address. If no port is specified, then
.I stap\-client
searches for the server among the servers advertizing their presence on the
local network and uses the port which is being advertized. This is useful for
connecting to a specific server on the local network. If a port is specified,
then
.I stap\-client
will attempt to connect to the named host on the specified port. This is useful
for connecting to non\-local servers. If
.B \-\-server
is specified,
.I stap\-client
will make no attempt to contact other servers. If more than one
.B \-\-server
option is specified,
.I stap\-client
will attempt to use the servers in the order specified.

.TP
.B \-\-ssl=\fIDIRNAME
.I stap\-client
uses certificate databases in default locations (see
.I SERVER MANAGEMENT
below) in order to authenticate each server which is contacted. The
.B \-\-ssl
option is used to specify additional databases to search. Databases specified
using
.B \-\-ssl
are searched before the default databases. If more than one
.B \-\-ssl
option is specified, then the databases are searched in the order specified on
the command line followed by the default locations.

.SH ARGUMENTS
The
.I stap\-stop\-server
program requires a process id argument which identifies the server to be stopped.

.PP
The
.I stap\-add\-server\-cert
program accepts two arguments:

.TP
.B CERTFILE
This is the name of the file containing the certificate of the new trusted
server. This is the file named \fIstap-server.cert\fR which can be found in the
server\[aq]s certificate database.

.TP
.B DIRNAME
This is the name of the directory containing the client\-side certificate database to which
the certificate is to be added.

.PP
The
.I stap\-client
program accepts the same arguments as
.I stap\fP.
See \fIstap\fP(1) for details.

.SH SERVER MANAGEMENT
The security of the SSL network connection between the client and server and
of the signing and verification of the server\[aq]s response depend on the proper
management of server certificates and the public and private key pairs with which
they are signed and verified.

.PP
The trustworthiness of a given systemtap server can not be determined
automatically without a trusted certificate authority issuing systemtap server
certificates. This is
not practical in everyday use and so, clients must authenticate servers
against their own databases of trusted server certificates. In this context,
establishing a given server as trusted by a given client means adding
that server\[aq]s certificate to the
client\[aq]s database of trusted servers.

.PP
The implementation of the client and server have automated many of the tasks
required. In particular:

.IP \(bu 4
When a user starts a server for the first time, the server will generate its
own certificate and add it to a database local to that user. For non\-root users,
this database will be created in
.I $HOME/.systemtap/ssl/server\fP.
For root users (EUID=0), it will be created in
.I $sysconfdir/systemtap/ssl/server\fP.

.IP \(bu 4
At this time the
server will also create a local client\-side certificate database and add the
server\[aq]s certificate to it. For non\-root users,
this database will be created in
.I $HOME/.systemtap/ssl/client\fP.
For root users (EUID=0), it will be created in
.I $sysconfdir/systemtap/ssl/client\fP.

In this way, a server started by a given user is automatically trusted by
clients run by that user.

.IP \(bu 4
The client\-side certificate database created for root users is also
the global client\-side database for all clients on the host. In this way,
a server started by root is automatically trusted by clients run by any
user on that host.

.PP
The trustworthiness of other servers may be asserted in one of two ways:

.IP \(bu 4
Other existing client\-side certificate databases may be searched by using the
.B \-\-ssl
option one or more times when running the client (see
.I OPTIONS
above). Servers whose certificates are contained in the additional databases
will be considered to be trusted for that invocation of the client.

.IP \(bu 4
A user may add the certificate of a new trusted server to his own local
client\-side certificate database using
\[aq]\fBstap-add-server-cert \fICERTFILE\fR \fIDIRNAME\fR\[aq]
(see above), where \fICERTFILE\fP is the server\[aq]s certificate file
(\fIstap\-server.cert\fP) from the servers certificate database directory and
\fIDIRNAME\fP is the
directory containing the user\[aq]s client\-side certificate database.

The server will trusted by clients run by that user from then on.

.PP
When a root (EUID=0) user adds a server\[aq]s certificate to their client\-side
certificate database, which is also the global database for all users on that
host, they assert the trustworthiness of that server for all users on that
host.

.SH EXAMPLES
See the 
.IR stapex (5)
manual page for a collection of sample scripts.
.PP
Here is a very basic example of how to use
.IR stap\-client .
.PP
To find out if a compatible systemtap server is running on your local network
.PP
.B \& $ stap\-find\-servers
.PP
If no servers are reported, you can start one using
.PP
.B \& $ stap\-start\-server
.PP
You could also have accomplished both of the previous two steps using
.PP
.B \& $ stap\-find\-or\-start\-server
.PP
To compile and execute a simple example using an automatically discovered
server on the local network
.PP
.B \& $ stap\-client \-e \[aq]probe begin { printf("Hello World!\\n"); exit() }\[aq]
.br
\& Hello World!
.PP
To compile and execute a simple example using a server on a specific host
on the local network
.PP
.B \& $ stap\-client \-\-server=\fIHOSTNAME\fP \-e \[aq]probe begin { printf("Hello World!\\n"); exit() }\[aq]
.br
\& Hello World!
.PP
To compile and execute a simple example using a specific server
.PP
.B \& $ stap\-client \-\-server=\fIHOSTNAME\fP:\fIPORT\fP \-e \[aq]probe begin { printf("Hello World!\\n"); exit() }\[aq]
.br
\& Hello World!
.PP
To search additional certificate databases in order to compile and execute a
simple example
.PP
.B \& $ stap\-client \-\-ssl=\fIDIRNAME\fP \-e \[aq]probe begin { printf("Hello World!\\n"); exit() }\[aq]
.br
\& Hello World!
.PP
To permanently trust a given server for your own use
.PP
.B \& $ stap\-add\-server\-cert \fICERTFILE\fP $HOME/.systemtap/ssl/client
.PP
As root, to permanently trust a given server for all users on your host
.PP
.B \& $ stap\-add\-server\-cert \fICERTFILE\fP $sysconfdir/systemtap/ssl/client
.PP
If a process id was echoed by
.I stap\-start\-server
or
.I stap\-find\-or\-start\-server
then you can stop the server using
.PP
.B \& $ stap\-stop\-server \fIPID\fP
.PP
where \fIPID\fR is the process id that was echoed.

.SH SAFETY AND SECURITY
Systemtap is an administrative tool.  It exposes kernel internal data
structures and potentially private user information.  See the 
.IR stap (1)
manual page for additional information on safety and security.

.PP
The systemtap server and its related utilities use the Secure Socket Layer
(SSL) as implemented by Network Security Services (NSS)
for network security and the NSS tools
.I certutil
and
.I signtool
for the generation of certificates and for signing respectively. The related
certificate databases must be protected in order to maintain the security of
the system.
Use of the utilities provided will help to ensure that the proper protection
is maintained. The systemtap client and server will both check for proper
access permissions before making use of any certificate database.

.SH SEE ALSO
.IR stap (1),
.IR staprun (8),
.IR stapprobes (5),
.IR stapfuncs (5),
.IR stapex (5),
.IR NSS ,
.IR certutil ,
.IR signtool

.SH BUGS
Use the Bugzilla link off of the project web page or our mailing list.
.nh
.BR http://sources.redhat.com/systemtap/ ", " <systemtap@sources.redhat.com> .
.hy