public inbox for systemtap@sourceware.org
* First-time usage problem: "Enter new password for systemtap server certificate/key database"
@ 2009-08-23  5:37 Elijah Newren
  2009-08-23 22:51 ` Frank Ch. Eigler
  2009-08-24 15:48 ` Dave Brolley
  0 siblings, 2 replies; 4+ messages in thread
From: Elijah Newren @ 2009-08-23  5:37 UTC (permalink / raw)
  To: systemtap

Hi,

I finally got around to trying out systemtap today.  It looks really
nice.  However, there was one minor snag when I was trying to get it
installed.  After installing the relevant rpms on Fedora 11 and
running the first example suggested in the System Tap Beginner's
Guide, I saw the following:


# stap -v -e 'probe vfs.read {printf("read performed\n"); exit()}'
Pass 1: parsed user script and 59 library script(s) in 170usr/20sys/210real ms.
Pass 2: analyzed script: 1 probe(s), 11 function(s), 2 embed(s), 1
global(s) in 360usr/160sys/551real ms.
Pass 3: translated to C into
"/tmp/stap3MwYIW/stap_a361f9cac28b917909da3d13c68e9b8c_4882.c" in
360usr/120sys/513real ms.
Enter new password for systemtap server certificate/key database:


I tried googling on that error message, but found nothing other than
the git commit that introduced that message.  It doesn't appear to be
in the documentation anywhere, even though the beginner's guide shows
the expected output from that command.  I don't know what this is for
or what I should enter.  I eventually hit Ctrl-C, and things seemed to
continue on fine (though I get occasional errors such as "Could not
obtain information on certificate database file
/etc/systemtap/ssl/server/cert8.db.").


Anyway, other than this minor snag, things looked really cool.  I
tried out the disktop.stp example from the manual for fun...and
happened to notice that metacity was sporadically reading from the
disk for no reason (?!?).  Further investigation (using strace, since
I was impatient and don't know systemtap well enough yet) showed it to
be reloading theme files frequently.  Now I just need to figure out
how to attach a debugger to a process when an event like this is
detected in systemtap...

Thanks!
Elijah


* Re: First-time usage problem: "Enter new password for systemtap server certificate/key database"
  2009-08-23  5:37 First-time usage problem: "Enter new password for systemtap server certificate/key database" Elijah Newren
@ 2009-08-23 22:51 ` Frank Ch. Eigler
  2009-08-24 15:48 ` Dave Brolley
  1 sibling, 0 replies; 4+ messages in thread
From: Frank Ch. Eigler @ 2009-08-23 22:51 UTC (permalink / raw)
  To: Elijah Newren; +Cc: systemtap

Elijah Newren <newren@gmail.com> writes:

> I finally got around to trying out systemtap today.  

Great.

> # stap -v -e 'probe vfs.read {printf("read performed\n"); exit()}'
> [...]
> Enter new password for systemtap server certificate/key database:

Dave Brolley should address this.  The certificate widget is supposed
to be invisible in normal usage.


> [...]  Further investigation (using strace, since
> I was impatient and don't know systemtap well enough yet) showed it to
> be reloading theme files frequently.  Now I just need to figure out
> how to attach a debugger to a process when an event like this is
> detected in systemtap...

system (sprintf ("gdb metacity %d", pid() /* or some other numerical expression */))

- FChE


* Re: First-time usage problem: "Enter new password for systemtap server certificate/key database"
  2009-08-23  5:37 First-time usage problem: "Enter new password for systemtap server certificate/key database" Elijah Newren
  2009-08-23 22:51 ` Frank Ch. Eigler
@ 2009-08-24 15:48 ` Dave Brolley
  2009-08-27  2:32   ` Elijah Newren
  1 sibling, 1 reply; 4+ messages in thread
From: Dave Brolley @ 2009-08-24 15:48 UTC (permalink / raw)
  To: Elijah Newren; +Cc: systemtap

Hi Elijah,

Thanks for trying systemtap! Let me try to address the problems you are 
having with certificates.

Elijah Newren wrote:
> # stap -v -e 'probe vfs.read {printf("read performed\n"); exit()}'
> Pass 1: parsed user script and 59 library script(s) in 170usr/20sys/210real ms.
> Pass 2: analyzed script: 1 probe(s), 11 function(s), 2 embed(s), 1
> global(s) in 360usr/160sys/551real ms.
> Pass 3: translated to C into
> "/tmp/stap3MwYIW/stap_a361f9cac28b917909da3d13c68e9b8c_4882.c" in
> 360usr/120sys/513real ms.
> Enter new password for systemtap server certificate/key database:
>   
This prompt error occurs when systemtap tries to sign the generated 
kernel module for the first time but is unable to generate a password to 
protect the private key for its signing certificate. This should not be 
happening with the latest release (or the latest git) unless you have 
used the --unprivileged option. However some previous systemtap releases 
did attempt to sign all modules. What version of systemtap are you using?

In order to sign the module, systemtap generates its own signing 
certificate with a private key that is password protected. Normally the 
password is self-generated and random, since only systemtap ever needs 
it. The following two methods are tried

mkpasswd -l 20

and

apg -a 1 -n 1 -m 20 -x 20

If these fail, then systemtap prompts for a password. I'm interested in 
the response to the above two commands on your system. Can you please 
try them and post the responses?

If systemtap does prompt for a password, then any old pseudo random 
string will do. You will never need to remember it (in fact, it's 
probably best if you don't!).


> I eventually hit Ctrl-C, and things seemed to
> continue on fine (though I get occasional errors such as "Could not
> obtain information on certificate database file
> /etc/systemtap/ssl/server/cert8.db.").
>
>   
In order to clear the ongoing errors you can remove the 
/etc/systemtap/ssl/server directory. If systemtap prompts you for a 
password again, just enter some random string and you should not be 
prompted again (although as I said above I'm interested in why you were 
prompted in the first place, i.e. why the two automated attempts at 
password generation failed).


Let me know if you have any additional questions or concerns.

Thanks,
Dave


* Re: First-time usage problem: "Enter new password for systemtap server certificate/key database"
  2009-08-24 15:48 ` Dave Brolley
@ 2009-08-27  2:32   ` Elijah Newren
  0 siblings, 0 replies; 4+ messages in thread
From: Elijah Newren @ 2009-08-27  2:32 UTC (permalink / raw)
  To: Dave Brolley; +Cc: systemtap

Hi,

Was out for a few days, just now catching back up...

On Mon, Aug 24, 2009 at 9:48 AM, Dave Brolley<brolley@redhat.com> wrote:
> This prompt error occurs when systemtap tries to sign the generated kernel
> module for the first time but is unable to generate a password to protect
> the private key for its signing certificate. This should not be happening
> with the latest release (or the latest git) unless you have used the
> --unprivileged option. However some previous systemtap releases did attempt
> to sign all modules. What version of systemtap are you using?

$ rpm -q systemtap
systemtap-0.9.9-3.fc11.x86_64

> In order to sign the module, systemtap generates its own signing certificate
> with a private key that is password protected. Normally the password is
> self-generated and random, since only systemtap ever needs it. The following
> two methods are tried
>
> mkpasswd -l 20
>
> and
>
> apg -a 1 -n 1 -m 20 -x 20
>
> If these fail, then systemtap prompts for a password. I'm interested in the
> response to the above two commands on your system. Can you please try them
> and post the responses?

# mkpasswd -l 20
-bash: mkpasswd: command not found

# apg -a 1 -n 1 -m 20 -x 20
-bash: apg: command not found

(a quick yum search seems to suggest that mkpasswd comes from the
'expect' package, and that apg comes from the 'apg' package, neither
of which do I have installed.)

> If systemtap does prompt for a password, then any old pseudo random string
> will do. You will never need to remember it (in fact, it's probably best if
> you don't!).

And I'm guessing that <Ctrl-C> doesn't count as a pseudo-random
string.  :-)  Okay, I'll try it out.

> Let me know if you have any additional questions or concerns.
>
> Thanks,
> Dave

I'll do that.  Thank you very much for making this software, and for
taking the time to respond and explain.  You guys run your project
better than I have mine.  Very cool.



Thanks,
Elijah
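
The fallback order Dave Brolley describes, and which the last reply shows failing when neither tool is installed, written out as an added shell example; it is not systemtap's own code. The function names and the final /dev/urandom step are assumptions made here (the thread says systemtap prompts at that point instead).

```shell
#!/bin/sh
# Added example, not systemtap code. gen_db_password and accept_candidate
# are hypothetical names chosen for this sketch.

# Accept a candidate only if it is exactly 20 characters long, so a tool
# with the same name but different behaviour is not trusted blindly.
accept_candidate() {
    [ "${#2}" -eq 20 ] || return 1
    GEN_METHOD=$1
    GEN_PASSWORD=$2
}

# Sets GEN_METHOD and GEN_PASSWORD; returns 1 if every source failed.
gen_db_password() {
    GEN_METHOD=""
    GEN_PASSWORD=""

    # 1. mkpasswd (from the 'expect' package on Fedora, per the thread)
    if command -v mkpasswd >/dev/null 2>&1; then
        pw=$(mkpasswd -l 20 </dev/null 2>/dev/null) || pw=""
        if accept_candidate mkpasswd "$pw"; then return 0; fi
    fi

    # 2. apg (from the 'apg' package)
    if command -v apg >/dev/null 2>&1; then
        pw=$(apg -a 1 -n 1 -m 20 -x 20 </dev/null 2>/dev/null) || pw=""
        if accept_candidate apg "$pw"; then return 0; fi
    fi

    # 3. Assumption: kernel CSPRNG as a last resort instead of a prompt.
    if [ -r /dev/urandom ]; then
        pw=$(head -c 1024 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' \
             | cut -c1-20) || pw=""
        if accept_candidate urandom "$pw"; then return 0; fi
    fi
    return 1
}

# Report which source was used without echoing the secret itself.
if gen_db_password; then
    echo "password source: $GEN_METHOD (${#GEN_PASSWORD} characters)"
else
    echo "no automatic password source available" >&2
fi
```

On a machine like the one in the thread, with neither package installed, the report names `urandom` as the source.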
