From cb2b5efc6e923a71ba1c7ea1024ad62d2e1ce668 Mon Sep 17 00:00:00 2001
From: Andras Banki-Horvath
Date: Mon, 21 Dec 2020 16:18:13 +0100
Subject: [PATCH 1/2] etcd: add (dev only) disabletls option for etcd
---
 channeldb/kvdb/config.go | 2 ++
 channeldb/kvdb/etcd/db.go | 36 ++++++++++++++++++++++--------------
 channeldb/kvdb/kvdb_etcd.go | 1 +
 sample-lnd.conf | 3 +++
 4 files changed, 28 insertions(+), 14 deletions(-)
diff --git a/channeldb/kvdb/config.go b/channeldb/kvdb/config.go
index 73c1a303..784a1ffd 100644
--- a/channeldb/kvdb/config.go
+++ b/channeldb/kvdb/config.go
@@ -46,6 +46,8 @@ type EtcdConfig struct {
 	Namespace string `long:"namespace" description:"The etcd namespace to use."`
+	DisableTLS bool `long:"disabletls" description:"Disable TLS for etcd connection. Caution: use for development only."`
+
 	CertFile string `long:"cert_file" description:"Path to the TLS certificate for etcd RPC."`
 	KeyFile string `long:"key_file" description:"Path to the TLS private key for etcd RPC."`
diff --git a/channeldb/kvdb/etcd/db.go b/channeldb/kvdb/etcd/db.go
index 81835ef0..d5544cf8 100644
--- a/channeldb/kvdb/etcd/db.go
+++ b/channeldb/kvdb/etcd/db.go
@@ -139,6 +139,9 @@ type BackendConfig struct {
 	// Pass is the password for the etcd peer.
 	Pass string
+	// DisableTLS disables the use of TLS for etcd connections.
+	DisableTLS bool
+
 	// CertFile holds the path to the TLS certificate for etcd RPC.
 	CertFile string
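Review bot: The `disabletls` description added in the config.go hunk says "development only" but does not state the consequence: the `User`/`Pass` configured next to it then travel over an unencrypted etcd connection, and `cert_file`/`key_file`/`insecure_skip_verify` are ignored. The `DisableTLS` field comment in the db.go hunk on this line has the same gap. Suggest `description:"Disable TLS for etcd connection. Caution: credentials are sent unencrypted; use for local development only."` for the flag and `// DisableTLS disables TLS for etcd connections; user/pass are then sent unencrypted. Development use only.` for the struct field.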
@@ -168,26 +171,31 @@ func newEtcdBackend(config BackendConfig) (*db, error) {
 		config.Ctx = context.Background()
 	}
-	tlsInfo := transport.TLSInfo{
-		CertFile: config.CertFile,
-		KeyFile: config.KeyFile,
-		InsecureSkipVerify: config.InsecureSkipVerify,
-	}
-
-	tlsConfig, err := tlsInfo.ClientConfig()
-	if err != nil {
-		return nil, err
-	}
-
-	cli, err := clientv3.New(clientv3.Config{
+	clientCfg := clientv3.Config{
 		Context: config.Ctx,
 		Endpoints: []string{config.Host},
 		DialTimeout: etcdConnectionTimeout,
 		Username: config.User,
 		Password: config.Pass,
-		TLS: tlsConfig,
 		MaxCallSendMsgSize: 16384*1024 - 1,
-	})
+	}
+
+	if !config.DisableTLS {
+		tlsInfo := transport.TLSInfo{
+			CertFile: config.CertFile,
+			KeyFile: config.KeyFile,
+			InsecureSkipVerify: config.InsecureSkipVerify,
+		}
+
+		tlsConfig, err := tlsInfo.ClientConfig()
+		if err != nil {
+			return nil, err
+		}
+
+		clientCfg.TLS = tlsConfig
+	}
+
+	cli, err := clientv3.New(clientCfg)
 	if err != nil {
 		return nil, err
 	}
diff --git a/channeldb/kvdb/kvdb_etcd.go b/channeldb/kvdb/kvdb_etcd.go
index 32791bf6..fa8b9b6d 100644
--- a/channeldb/kvdb/kvdb_etcd.go
+++ b/channeldb/kvdb/kvdb_etcd.go
@@ -24,6 +24,7 @@ func GetEtcdBackend(ctx context.Context, prefix string,
 		Host: etcdConfig.Host,
 		User: etcdConfig.User,
 		Pass: etcdConfig.Pass,
+		DisableTLS: etcdConfig.DisableTLS,
 		CertFile: etcdConfig.CertFile,
 		KeyFile: etcdConfig.KeyFile,
 		InsecureSkipVerify: etcdConfig.InsecureSkipVerify,
diff --git a/sample-lnd.conf b/sample-lnd.conf
index db84a01f..28b48892 100644
--- a/sample-lnd.conf
+++ b/sample-lnd.conf
@@ -968,6 +968,9 @@ litecoin.node=ltcd
 ; Etcd namespace to use.
 ; db.etcd.namespace=lnd
+; Whether to disable the use of TLS for etcd.
+; db.etcd.disabletls=false
+
 ; Path to the TLS certificate for etcd RPC.
 ; db.etcd.cert_file=/key/path
From a9ba5af9fd978ed9c1f5cdcfc54a90ea9f02401f Mon Sep 17 00:00:00 2001
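Review bot: With `DisableTLS` set, `clientCfg` still carries `Username`/`Password`, so the etcd credentials are sent over an unencrypted connection, while any `CertFile`/`KeyFile`/`InsecureSkipVerify` values are silently ignored instead of being treated as a conflicting configuration. Since the option is documented as development-only, the new `if !config.DisableTLS` branch should at least log a warning on the disabled path (via whatever logger db.go already uses), and a config that combines `DisableTLS` with a certificate or key path should be rejected before the client is built: `if config.DisableTLS && (config.CertFile != "" || config.KeyFile != "") { return nil, fmt.Errorf("etcd: disabletls cannot be combined with cert_file/key_file") }` (using whichever error constructor db.go already imports). newEtcdBackend starts and ends outside this hunk.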
From: Andras Banki-Horvath
Date: Mon, 21 Dec 2020 16:20:25 +0100
Subject: [PATCH 2/2] etcd: fix config in docs and extend with new options
---
 docs/etcd.md | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/docs/etcd.md b/docs/etcd.md
index cc107639..ec9af10a 100644
--- a/docs/etcd.md
+++ b/docs/etcd.md
@@ -64,15 +64,18 @@ Sample `lnd.conf` (with other setting omitted):
 ```
 [db]
-backend=etcd
-etcd.host=127.0.0.1:2379
-etcd.cerfile=/home/user/etcd/bin/default.etcd/fixtures/client/cert.pem
-etcd.keyfile=/home/user/etcd/bin/default.etcd/fixtures/client/key.pem
-etcd.insecure_skip_verify=true
+db.backend=etcd
+db.etcd.host=127.0.0.1:2379
+db.etcd.cerfile=/home/user/etcd/bin/default.etcd/fixtures/client/cert.pem
+db.etcd.keyfile=/home/user/etcd/bin/default.etcd/fixtures/client/key.pem
+db.etcd.insecure_skip_verify=true
 ```
 Optionally users can specifiy `db.etcd.user` and `db.etcd.pass` for db user
-authentication.
+authentication. If the database is shared, it is possible to separate our data
+from other users by setting `db.etcd.namespace` to an (already existing) etcd
+namespace. In order to test without TLS, users are able to set `db.etcd.disabletls`
+flag to `true`.
 ## Migrating existing channel.db to etcd
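Review bot: The new `db.etcd.cerfile` and `db.etcd.keyfile` lines in the sample config do not match the option names this series defines: config.go declares the flags as `long:"cert_file"` and `long:"key_file"`, and sample-lnd.conf uses `db.etcd.cert_file`, so a user copying this sample will likely have the lines rejected as unknown options or, at best, run without the client certificate they intended to configure. Change the two lines to `db.etcd.cert_file=/home/user/etcd/bin/default.etcd/fixtures/client/cert.pem` and `db.etcd.key_file=/home/user/etcd/bin/default.etcd/fixtures/client/key.pem`. The added sentence on `db.etcd.disabletls` could also say that the configured user and password are then sent unencrypted, rather than only "test without TLS".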