Merge pull request #693 from mulkieran/develop-2.2.1-2.3.0

Develop 2.2.1 2.3.0

.github/workflows/main.yml

@@ -0,0 +1,75 @@
+---
+name: stratis-cli CI
+
+# yamllint disable-line rule:truthy
+on:
+  push:
+    branches:
+      - master
+      - develop-2.2.1
+  pull_request:
+    branches:
+      - master
+      - develop-2.2.1
+
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+jobs:
+  python-checks:
+    strategy:
+      matrix:
+        include:
+          # MANDATORY CHECKS USING CURRENT DEVELOPMENT INTERPRETER
+          - python-version: 3.7.9
+            dependencies: >
+              pylint==2.4.4
+              dbus-client-gen==0.4
+              dbus-python-client-gen==0.7
+              justbytes==0.11
+              python-dateutil==2.8.0
+              wcwidth==0.1.9
+              psutil==5.6.7
+              semantic_version==2.6.0
+            task: PYTHONPATH=./src make -f Makefile lint
+          - python-version: 3.7.9
+            dependencies: black==19.10b0 isort==4.3.21
+            task: make -f Makefile fmt-travis
+          - python-version: 3.7.9
+            dependencies: >
+              dbus-client-gen==0.4
+              dbus-python-client-gen==0.7
+              justbytes==0.11
+              python-dateutil==2.8.0
+              wcwidth==0.1.9
+              psutil==5.6.7
+              semantic_version==2.6.0
+            task: PYTHONPATH=./src make -f Makefile test-travis
+          # MANDATORY CHECKS USING LOWEST SUPPORTED INTERPRETER
+          - python-version: 3.6.8
+            dependencies: >
+              pylint==2.4.4
+              dbus-client-gen==0.4
+              dbus-python-client-gen==0.7
+              justbytes==0.11
+              python-dateutil==2.6.1
+              psutil==5.4.3
+              semantic_version==2.6.0
+            task: PYTHONPATH=./src make -f Makefile lint
+          # VERIFICATION OF TEST INFRASTRUCTURE
+          - python-version: 3.7.9
+            dependencies: yamllint==1.23.0
+            task: make -f Makefile yamllint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-python@v2
+        with:
+          python-version: ${{ matrix.python-version }}
+      - name: Install dependencies
+        run: |
+          sudo apt-get -q update
+          sudo apt-get -y install libdbus-glib-1-dev
+          pip3 install ${{ matrix.dependencies }}
+      - name: Run test
+        run: ${{ matrix.task }}

CHANGES.txt

@@ -1,3 +1,30 @@
+stratis-cli 2.3.0
+=================
+Required stratisd version: 2.3.0
+
+Recommended Python interpreter: 3.7.9
+Lowest supported Python interpreter: 3.6.8
+Python linter: pylint (2.4.4)
+Python auto-formatter: black (19.10b0)
+Python import sorter: isort (4.3.21)
+YAML linter: yamllint (1.23.0)
+
+- Introduce support for Clevis encryption policies:
+  https://github.com/stratis-storage/stratis-cli/pull/690
+  https://github.com/stratis-storage/stratis-cli/pull/686
+  https://github.com/stratis-storage/stratis-cli/pull/685
+  https://github.com/stratis-storage/stratis-cli/pull/684
+
+- Catch exception on missing keyfile:
+  https://github.com/stratis-storage/stratis-cli/issues/680
+  https://github.com/stratis-storage/stratis-cli/pull/681
+
+- Tidies and Maintenance:
+  https://github.com/stratis-storage/stratis-cli/pull/691
+  https://github.com/stratis-storage/stratis-cli/pull/688
+  https://github.com/stratis-storage/stratis-cli/pull/678
+
+
 stratis-cli 2.2.1
 =================
 Required stratisd version: 2.2.1
@@ -27,6 +54,8 @@ YAML linter: yamllint (1.23.0)
   https://github.com/stratis-storage/stratis-cli/pull/672
 
 - Tidies and Maintenance:
+  https://github.com/stratis-storage/stratis-cli/pull/677
+  https://github.com/stratis-storage/stratis-cli/pull/676
   https://github.com/stratis-storage/stratis-cli/pull/673
   https://github.com/stratis-storage/stratis-cli/pull/665
   https://github.com/stratis-storage/stratis-cli/pull/656

Makefile

@@ -77,4 +77,4 @@ test-travis: unittest-tests
 
 .PHONY: yamllint
 yamllint:
-	yamllint --strict .travis.yml
+	yamllint --strict .github/workflows/main.yml

developer_tools/update_introspection_data

@@ -76,11 +76,11 @@ Pool = make_class("Pool", ET.fromstring(SPECS[_POOL_IFACE]), _TIMEOUT)
 # EDIT these fields to get the interfaces and revisions desired
 TOP_OBJECT_INTERFACES = [
     "org.freedesktop.DBus.ObjectManager",
-    "org.storage.stratis2.FetchProperties.r2",
-    "org.storage.stratis2.Manager.r2",
+    "org.storage.stratis2.FetchProperties.r3",
+    "org.storage.stratis2.Manager.r3",
     "org.storage.stratis2.Report.r1",
 ]
-POOL_OBJECT_INTERFACES = ["org.storage.stratis2.pool.r1"]
+POOL_OBJECT_INTERFACES = ["org.storage.stratis2.pool.r3"]
 BLOCKDEV_OBJECT_INTERFACES = ["org.storage.stratis2.blockdev.r2"]
 FILESYSTEM_OBJECT_INTERFACES = ["org.storage.stratis2.filesystem"]
 

docs/stratis.txt

@@ -52,9 +52,23 @@ pool init-cache <pool_name> <blockdev> [<blockdev>..]::
 	 drives, such as SSDs, are used for this purpose.
 pool add-cache <pool_name> <blockdev> [<blockdev>..]::
 	 Add one or more blockdevs to an existing pool with an initialized cache.
-pool unlock::
+pool unlock <(keyring | clevis)>::
      Unlock all devices that are part of an encrypted pool registered with stratisd
-     but that have not yet been opened.
+     but that have not yet been opened. The available unlock methods are
+     *keyring* or *clevis*.
+pool bind <(nbde|tang)> <pool name> <key description> <url> <(--thumbprint <thp> | --trust-url)>::
+     Bind the devices in the specified pool to a supplementary encryption
+     mechanism that uses NBDE (Network-Bound Disc Encryption). *tang* is
+     an alias for *nbde*. The description of the key in the kernel keyring
+     used to encrypt the devices must be supplied.
+pool bind tpm2 <pool name> <key description>::
+     Bind the devices in the specified pool to a supplementary encryption
+     mechanism that uses TPM 2.0 (Trusted Platform Module). The description of
+     the key in the kernel keyring used to encrypt the devices must be supplied.
+pool unbind <pool name>::
+     Unbind the devices in the specified pool from an existing supplementary
+     encryption mechanism. Unbinding leaves the primary encryption mechanism,
+     which uses a key in the kernel keyring, unaffected.
 filesystem create <pool_name> <fs_name> [<fs_name>..]::
 	   Create one or more filesystems from the specified pool.
            NOTE: There is a temporary restriction on the number of filesystems
@@ -109,6 +123,11 @@ OPTIONS
         character. On the other hand, if the file specified as an argument for
         the *--keyfile-path* option contains a newline character anywhere, the
         newline character will be included in the key value.
+--thumbprint <thp> | --trust-url::
+        These mutually exclusive options allow a user to specify that a tang
+        server's URL should be trusted and the server's credentials accepted
+        without verification, or to supply a previously provided thumbprint for
+        verification.
 
 ENVIRONMENT VARIABLES
 ---------------------
@@ -202,6 +221,10 @@ stratis pool create --key-desc someKeyDescription mypool /dev/sdb /dev/sdc
 ====
 stratis filesystem create mypool data1
 ====
+.Binding a pool's devices to use an NBDE policy for decryption
+====
+stratis pool bind nbde --trust-url mypool someKeyDescription someTangServerUrl
+====
 
 SEE ALSO
 --------

src/stratis_cli/_actions/_constants.py

@@ -22,12 +22,12 @@
 
 SECTOR_SIZE = 512
 
-FETCH_PROPERTIES_INTERFACE = "org.storage.stratis2.FetchProperties.r2"
+FETCH_PROPERTIES_INTERFACE = "org.storage.stratis2.FetchProperties.r3"
 FILESYSTEM_INTERFACE = "org.storage.stratis2.filesystem"
-POOL_INTERFACE = "org.storage.stratis2.pool.r1"
+POOL_INTERFACE = "org.storage.stratis2.pool.r3"
 BLOCKDEV_INTERFACE = "org.storage.stratis2.blockdev.r2"
 REPORT_INTERFACE = "org.storage.stratis2.Report.r1"
 
 MAXIMUM_STRATISD_VERSION = "3.0.0"
-MINIMUM_STRATISD_VERSION = "2.2.1"
+MINIMUM_STRATISD_VERSION = "2.3.0"
 assert Version(MINIMUM_STRATISD_VERSION) < Version(MAXIMUM_STRATISD_VERSION)

src/stratis_cli/_actions/_data.py

@@ -43,7 +43,7 @@
     "deferred until after the stratis_cli module has been fully loaded."
 )
 
-_MANAGER_INTERFACE = "org.storage.stratis2.Manager.r2"
+_MANAGER_INTERFACE = "org.storage.stratis2.Manager.r3"
 
 DBUS_TIMEOUT_SECONDS = 120
 

src/stratis_cli/_actions/_introspect.py

@@ -6,8 +6,8 @@
     </method>
   </interface>
 """,
-    "org.storage.stratis2.FetchProperties.r2": """
-<interface name="org.storage.stratis2.FetchProperties.r2">
+    "org.storage.stratis2.FetchProperties.r3": """
+<interface name="org.storage.stratis2.FetchProperties.r3">
     <method name="GetAllProperties">
       <arg direction="out" name="results" type="a{s(bv)}" />
     </method>
@@ -17,8 +17,8 @@
     </method>
   </interface>
 """,
-    "org.storage.stratis2.Manager.r2": """
-<interface name="org.storage.stratis2.Manager.r2">
+    "org.storage.stratis2.Manager.r3": """
+<interface name="org.storage.stratis2.Manager.r3">
     <method name="ConfigureSimulator">
       <arg direction="in" name="denominator" type="u" />
       <arg direction="out" name="return_code" type="q" />
@@ -49,6 +49,7 @@
     </method>
     <method name="UnlockPool">
       <arg direction="in" name="pool_uuid" type="s" />
+      <arg direction="in" name="unlock_method" type="s" />
       <arg direction="out" name="result" type="(bas)" />
       <arg direction="out" name="return_code" type="q" />
       <arg direction="out" name="return_string" type="s" />
@@ -131,8 +132,8 @@
     </property>
   </interface>
 """,
-    "org.storage.stratis2.pool.r1": """
-<interface name="org.storage.stratis2.pool.r1">
+    "org.storage.stratis2.pool.r3": """
+<interface name="org.storage.stratis2.pool.r3">
     <method name="AddCacheDevs">
       <arg direction="in" name="devices" type="as" />
       <arg direction="out" name="results" type="(bao)" />
@@ -145,6 +146,13 @@
       <arg direction="out" name="return_code" type="q" />
       <arg direction="out" name="return_string" type="s" />
     </method>
+    <method name="Bind">
+      <arg direction="in" name="pin" type="s" />
+      <arg direction="in" name="json" type="s" />
+      <arg direction="out" name="results" type="b" />
+      <arg direction="out" name="return_code" type="q" />
+      <arg direction="out" name="return_string" type="s" />
+    </method>
     <method name="CreateFilesystems">
       <arg direction="in" name="specs" type="as" />
       <arg direction="out" name="results" type="(ba(os))" />
@@ -176,6 +184,11 @@
       <arg direction="out" name="return_code" type="q" />
       <arg direction="out" name="return_string" type="s" />
     </method>
+    <method name="Unbind">
+      <arg direction="out" name="results" type="b" />
+      <arg direction="out" name="return_code" type="q" />
+      <arg direction="out" name="return_string" type="s" />
+    </method>
     <property access="read" name="Encrypted" type="b">
       <annotation name="org.freedesktop.DBus.Property.EmitsChangedSignal" value="const" />
     </property>