GitLab

* Ensure that certificate renewals always use the original credentials source
* Include file system ID in all client TLS certificates
* Updates to man page and README

Fixes the mount issue with full DNS name in the AWS China Regions; Upgrades unit test coverage version dependency to enable accurate python3.8 coverage test

Added region localization, Integrate repository with CircleCI to enable package build visualization, Unit tests bug fixes for python3.5

This reverts the commits:
880da73a
b6b0d993

The default stunnel idle timeout is many hours. By setting it to a value based
on the NFS lease length we can recover from network partitions sooner.

- Fixes Python shebangs to work on systems without a default "python" version.
- Fixes watchdog process not being properly started on systemd systems.

To use OCSP, the client accessing EFS must be able to reach the Amazon Certificate
Authority (CA). To maximize file system availability in the event that the CA is
not reachable from your VPC, the EFS mount helper no longer enables OCSP by default.

See here for more info:

https://aws.amazon.com/about-aws/whats-new/2019/07/configuration-update-for-amazon-efs-encryption-data-in-transit/

While a bit exotic there can exist mounts of locally exported nfs
shares that aren't related to EFS. In this case the watchdog fails,
because it tries to access the port option that is not present in these
unrelated mount entries.

To fix this discard entries from /proc/mounts that don't carry a port
option.

This function only closes the socket on success, i.e. for each
unsuccessful bind attempt a socket "leaks". It does not actually leak,
because the Python interface implements reference counting. Still it is
unclean, because after successful bind the socket is explicitly closed.
So either the application is responsible for closing the socket, or not.
Since it is better not to rely on the implementation of the Python
interpreter and the socket module it should be prefered to always
explicitly close the socket.

Also this function opens a new socket for each port to try. This is
inefficient, since the same socket can be reused for testing. Therefore
only open and close a single socket.

`os.makedirs()` uses default mode 0777 in Python2. Therefore the
protection level of the state_file_dir depends on the inherited umask. A
default mode of 0750 is a good conservative default for this. To allow
admins and system integrators to tune this setting it is configurable
via the new config file setting 'state_file_dir_mode'.

This also requires to adjust test_bootstrap_tls to cover the new config
option.

In python2 the default for `close_fds` is still False, therefore it is
possible that open file descriptors like the logfile are inherited to
child processes. This is prevented by explicitly passing this parameter
to all subprocess invocations.

Fix for additional unexpected arguments

add test for additional unexpected arguments

increment version number

This prevents waiting for a close_notify when shutting down a connection.

Make "delay = yes" a default stunnel option. Also permit non-root users to view
the help text again.

This includes the following changes:

* Reduce inline comments that were mostly redundant to the code it
described

* Added another example to the man-page to make clear that TLS is
supported for CNAMEs. For that matter, all other options will also work
without change, given that internally the CNAME will only be resolved to
an FS-ID before handing back over to the same logic that is already in
place.

* Small modifications to better adhere to the given codestyle.

* Adjusted log messages as suggested.

This change introduces additional logic which allows the user to specify
either a fully-qualified EFS DNS name, or a custom DNS name that
resolves to a fully-qualified EFS DNS name via a CNAME record.

The EFS DNS name will then be compared to the EFS name we would have
expected for the given EFS ID. If it doesn't match, we'll show the user
a readable error message for this to aid in troubleshooting.

Once the EFS DNS name has been verified, the rest of the logic is
untouched. This means that this change only impacts the parameter logic
at the very start and does not touch anything of the already tested,
more critical logic.

Important: the usage and internal logic to mount by EFS ID is unchanged,
making this change fully backwards compatible.

Fixes #9.

* Add a manpage for mount.efs
* Improve warning messages in the mount helper
* Improve stunnel cleanup functionality

* Improve detection of root user
* Require OCSPaia and checkHost options for stunnel
* Install and use a hand-managed trust store

Includes a mount helper utility (mount.efs), an associated watchdog
process, unit tests, and build scripts.

The utility simplifies mounting and using EFS file systems and
optionally enables clients to mount over a TLS tunnel.