Merge tag 'v0.6.0'

Release 0.6.0

This tag marks release 0.6.0.

.docs/about/release-notes.md

@@ -3,6 +3,37 @@
 Release early, release often
 
 ---
+## Version 0.6.0 (2017/05/03)
+This release introduces support for the Cinder storage driver and
+multiple security-related enhancements, including default-to-TLS for
+libStorage client/server communications, and service-scoped
+authentication!
+
+### New Features
+* Client Token Authentication ([#475](https://github.com/codedellemc/libstorage/issues/475))
+* Cinder storage driver ([#182](https://github.com/codedellemc/libstorage/issues/182))
+* Allow customization of default paths ([#509](https://github.com/codedellemc/libstorage/pull/509))
+* TLS Known Hosts support ([#510](https://github.com/codedellemc/libstorage/pull/510))
+
+### Bug Fixes
+* Return HTTP status 400 instead of 500 when attachment mask requires InstanceID or LocalDevices header and it is missing ([#352](https://github.com/codedellemc/libstorage/issues/352))
+* Make sure all drivers return error if VolumeInspect doesn't find volume ([#396](https://github.com/codedellemc/libstorage/issues/396))
+* Ensure all drivers reject size 0 volume creation ([#459](https://github.com/codedellemc/libstorage/issues/459))
+* Prevent possible endless loops in drivers when underlying API does not respond ([#480](https://github.com/codedellemc/libstorage/issues/480))
+* Standardize log levels across libStorage client and server ([#521](https://github.com/codedellemc/libstorage/pull/521))
+
+### Enhancements
+* Digital Ocean Block Storage driver now supports client/server topology ([#432](https://github.com/codedellemc/libstorage/issues/432))
+* Improve error reporting ([#504](https://github.com/codedellemc/libstorage/pull/504), [#128](https://github.com/codedellemc/libstorage/issues/128))
+* Improve driver config examples ([#531](https://github.com/codedellemc/libstorage/issues/531))
+
+### Thank You
+  Name | Blame  
+-------|------
+[Mathieu Velten](https://github.com/MatMaul) | Mr. Velten, as his people alert you to the fact that he insists on being addressed, is a dubious individual. It's apparent he's old money, but it's also not exactly clear from where his fortune originated. There are rumors in the back rooms of the shadiest gambling parlors of Monte Carlo that Mr. Velten was once an employee of an unnamed wing of a shadow government. A "cleaner" if you will. Maybe it was these experiences that make Mr. Velten so apt at slicing up Git commits. Is there really any difference between slicing up a full-grown man and hash series of changes? Mr. Velten is proof there isn't.
+[Joe Topjian](https://github.com/jtopjian) | Joe insisted that we omit this pithy attempt at showing gratitude, but we simply could not do that. Not when Mr. Velten insisted it would be in our best interest to include Joe. Is this okay Mr. Velten? Can our families come home now? We did what you asked. Joe is awesome. We like Joe. See? We're cooperating. Please Mr. Velten, just let them come home!
+
+
 ## Version 0.5.2 (2017/03/28)
 This is a minor release with some bug fixes, enhancements, and simplified
 support for TLS.

.tls/known_hosts

@@ -1 +1,4 @@
+google.com sha256 6C:50:E0:17:09:61:75:22:64:CD:36:B4:6C:37:D0:C4:A6:DA:82:3D:77:F6:21:D5:3A:EC:FE:22:D8:EE:71:B7
+utexas.edu sha256 A3:0E:DA:2D:9B:5F:25:7A:23:5C:D3:7B:A8:94:7D:FD:76:6D:05:F3:F3:D4:1F:05:F9:BA:A1:80:97:E0:8E:91
 127.0.0.1 sha256 52:C7:5D:00:1B:E7:33:66:14:3C:47:07:77:59:9C:94:F1:EA:76:00:41:B1:9D:71:0B:80:05:1F:F7:2D:6B:69
+dell.com sha256 71:ED:4F:CA:BC:C8:95:A8:10:B1:B5:B4:98:2D:A6:FC:E9:A7:F3:C4:08:56:59:5B:70:45:F2:D8:5D:A1:7C:47

VERSION

@@ -1 +1 @@
-0.5.2
+0.6.0

api/registry/registry_integration.go

@@ -2,6 +2,7 @@ package registry
 
 import (
 	"sync"
+	"time"
 
 	log "github.com/Sirupsen/logrus"
 	gofig "github.com/akutz/gofig/types"
@@ -14,9 +15,11 @@ import (
 type idm struct {
 	types.IntegrationDriver
 	sync.RWMutex
-	ctx    types.Context
-	config gofig.Config
-	used   map[string]int
+	ctx        types.Context
+	config     gofig.Config
+	used       map[string]int
+	retryCount int
+	retryWait  time.Duration
 }
 
 // NewIntegrationDriverManager returns a new integration driver manager.
@@ -37,6 +40,14 @@ func (d *idm) Init(ctx types.Context, config gofig.Config) error {
 	d.ctx = ctx
 	d.config = config
 	d.used = map[string]int{}
+	d.retryCount = config.GetInt(types.ConfigIgVolOpsMountRetryCount)
+	if v := config.GetString(types.ConfigIgVolOpsMountRetryWait); v != "" {
+		var err error
+		d.retryWait, err = time.ParseDuration(v)
+		if err != nil {
+			return err
+		}
+	}
 
 	d.initPathCache(ctx)
 
@@ -143,10 +154,22 @@ func (d *idm) Mount(
 		"opts":       opts}
 	ctx.WithFields(fields).Debug("mounting volume")
 
+	ctx = ctx.Join(d.ctx)
+
 	mp, vol, err := d.IntegrationDriver.Mount(
-		ctx.Join(d.ctx), volumeID, volumeName, opts)
+		ctx, volumeID, volumeName, opts)
 	if err != nil {
-		return "", nil, err
+		for x := 0; x < d.retryCount; x++ {
+			time.Sleep(d.retryWait)
+			mp, vol, err = d.IntegrationDriver.Mount(
+				ctx, volumeID, volumeName, opts)
+			if err == nil {
+				break
+			}
+		}
+		if err != nil {
+			return "", nil, err
+		}
 	}
 
 	// if the volume has attachments assign the new mount point to the

api/server/server_http.go

@@ -9,6 +9,7 @@ import (
 	"net"
 	"net/http"
 	"os"
+	"strings"
 	"sync"
 
 	log "github.com/Sirupsen/logrus"
@@ -124,15 +125,19 @@ func (s *server) initEndpoints(ctx types.Context) error {
 			"address":  laddr,
 		}
 
-		tlsConfig, err :=
-			utils.ParseTLSConfig(
-				s.ctx,
-				s.config.Scope(endpoint),
-				logFields,
-				types.ConfigServer,
-				endpoint)
-		if err != nil {
-			return err
+		var tlsConfig *types.TLSConfig
+
+		// disable TLS for UNIX sockets
+		if !strings.EqualFold(proto, "unix") {
+			if tlsConfig, err =
+				utils.ParseTLSConfig(
+					s.ctx,
+					s.config.Scope(endpoint),
+					logFields,
+					types.ConfigServer,
+					endpoint); err != nil {
+				return err
+			}
 		}
 
 		ctx.WithFields(logFields).Info("configured endpoint")

api/types/types_config_integration.go

@@ -22,6 +22,12 @@ const (
 	//ConfigIgVolOpsMountRootPath is a config key.
 	ConfigIgVolOpsMountRootPath = ConfigIgVolOpsMount + ".rootPath"
 
+	//ConfigIgVolOpsMountRetryCount is a config key.
+	ConfigIgVolOpsMountRetryCount = ConfigIgVolOpsMount + ".retryCount"
+
+	//ConfigIgVolOpsMountRetryWait is a config key.
+	ConfigIgVolOpsMountRetryWait = ConfigIgVolOpsMount + ".retryWait"
+
 	//ConfigIgVolOpsUnmount is a config key.
 	ConfigIgVolOpsUnmount = ConfigIgVolOps + ".unmount"
 

drivers/storage/libstorage/libstorage_driver.go

@@ -68,10 +68,15 @@ func (d *driver) Init(ctx types.Context, config gofig.Config) error {
 		return err
 	}
 
-	tlsConfig, err := utils.ParseTLSConfig(
-		d.ctx, config, logFields, types.ConfigClient)
-	if err != nil {
-		return err
+	var tlsConfig *types.TLSConfig
+
+	// disable TLS for UNIX sockets
+	if !strings.EqualFold(proto, "unix") {
+		tlsConfig, err = utils.ParseTLSConfig(
+			d.ctx, config, logFields, types.ConfigClient)
+		if err != nil {
+			return err
+		}
 	}
 
 	host := getHost(d.ctx, proto, lAddr, tlsConfig)
@@ -86,6 +91,7 @@ func (d *driver) Init(ctx types.Context, config gofig.Config) error {
 
 	httpTransport := &http.Transport{
 		Dial: func(string, string) (net.Conn, error) {
+
 			if tlsConfig == nil {
 				conn, err := net.Dial(proto, lAddr)
 				if err != nil {

drivers/storage/libstorage/libstorage_driver_tls.go

@@ -26,7 +26,14 @@ func verifyKnownHost(
 		return false, nil
 	}
 
-	return verifyPeerCerts(ctx, host, knownHost, peerCerts)
+	ok, err := verifyPeerCerts(ctx, host, knownHost, peerCerts)
+	if err != nil {
+		return false, err
+	}
+	if ok {
+		return true, nil
+	}
+	return false, newErrKnownHost(host, peerCerts)
 }
 
 func verifyKnownHostFiles(
@@ -128,30 +135,31 @@ func verifyPeerCerts(
 		ctx.WithFields(logFields).Debug(
 			"comparing tls known host information")
 
-		// are the fingerprints equal?
-		if bytes.EqualFold(knownHost.Fingerprint, certFP) {
+		// does the targeted host equal the saved, known host name?
+		if strings.EqualFold(host, knownHost.Host) {
+
+			// are the fingerprints equal? if so this is a validated,
+			// known host
+			if bytes.EqualFold(knownHost.Fingerprint, certFP) {
 
-			// if the targeted host equals the saved, known host name
-			// then this is a validated known host
-			if strings.EqualFold(host, knownHost.Host) {
 				ctx.WithFields(logFields).Debug(
 					"matched tls known host information")
+
 				return true, nil
 			}
 
-			// the targeted host does not equal the saved, known host
-			// name which has an associated signature that matches
-			// the remote, peer's signature. this means there is a
-			// possible mitm attack where a remote host has usurped
-			// another host's identity
+			// the saved fingerprint does not equal the remote, peer
+			// fingerprint meaning there is a possible mitm attack
+			// where a remote host has usurped another host's identity
 			ctx.WithFields(logFields).Error(
 				"known host conflict has occurred")
 
 			return false, newErrKnownHostConflict(host, knownHost)
 		}
+
 	}
 
-	return false, newErrKnownHost(host, peerCerts)
+	return false, nil
 }
 
 func newErrKnownHost(host string, peerCerts []*x509.Certificate) error {

drivers/storage/vfs/tests/vfs_test.go

@@ -154,10 +154,10 @@ func TestClientKnownHostConflict(t *testing.T) {
 	}
 
 	const (
-		host        = "libstorage-server2"
+		host        = "127.0.0.1"
 		alg         = "sha256"
 		fingerprint = `52:C7:5D:00:1B:E7:33:66:14:3C:47:07:77:59:9C:` +
-			`94:F1:EA:76:00:41:B1:9D:71:0B:80:05:1F:F7:2D:6B:69`
+			`94:F1:EA:76:00:41:B1:9D:71:0B:80:05:1F:F7:2D:6B:6B`
 		knownHostEntry  = host + " " + alg + " " + fingerprint
 		knownHostConfig = `
 test:

imports/config/imports_config_99_gofig.go

@@ -84,6 +84,8 @@ func init() {
 
 			rk(gofig.Bool, false, "", types.ConfigExecutorNoDownload)
 			rk(gofig.Bool, false, "", types.ConfigIgVolOpsMountPreempt)
+			rk(gofig.Int, 0, "", types.ConfigIgVolOpsMountRetryCount)
+			rk(gofig.String, "5s", "", types.ConfigIgVolOpsMountRetryWait)
 			rk(gofig.Bool, false, "", types.ConfigIgVolOpsCreateDisable)
 			rk(gofig.Bool, false, "", types.ConfigIgVolOpsRemoveDisable)
 			rk(gofig.Bool, false, "", types.ConfigIgVolOpsUnmountIgnoreUsed)
@@ -119,9 +121,9 @@ func init() {
 				"",
 				types.ConfigTLSKnownHosts)
 			rk(gofig.String, "", "", types.ConfigTLSServerName)
-			rk(gofig.Bool, false, "", types.ConfigTLSDisabled)
-			rk(gofig.Bool, false, "", types.ConfigTLSInsecure)
-			rk(gofig.Bool, false, "", types.ConfigTLSClientCertRequired)
+			rk(gofig.String, "", "", types.ConfigTLSDisabled)
+			rk(gofig.String, "", "", types.ConfigTLSInsecure)
+			rk(gofig.String, "", "", types.ConfigTLSClientCertRequired)
 
 			// auth config - client
 			rk(gofig.String, "", "", types.ConfigClientAuthToken)