Skip to content

Support for source domain in RPC service#182

Merged
marmarek merged 10 commits into
QubesOS:mainfrom
fepitre:source-domain
Apr 22, 2025
Merged

Support for source domain in RPC service#182
marmarek merged 10 commits into
QubesOS:mainfrom
fepitre:source-domain

Conversation

@fepitre
Copy link
Copy Markdown
Member

@fepitre fepitre commented Oct 15, 2024
edited
Loading

fepitre
fepitre commented Oct 15, 2024
View reviewed changes
Comment thread run-tests
case $0 in (/*) cd "${0%/*}/";; (*/*) cd "./${0%/*}";; esac
if command -v dnf >/dev/null; then
sudo dnf install python3dist\({coverage,pytest,gbulb,pyinotify,pytest-asyncio}\) || :
sudo dnf install python3dist\({coverage,pytest,gbulb,pyinotify,pytest-asyncio}\) qubes-libvchan-xen-devel pam-devel || :
Copy link
Copy Markdown
Member Author

@fepitre fepitre Oct 15, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Keeping it here for now to not forget packages to install ..

marmarek
marmarek requested changes Dec 3, 2024
View reviewed changes
Comment thread daemon/qrexec-daemon-common.c Outdated
}

if (info.version != QREXEC_PROTOCOL_VERSION) {
if (info.version < QREXEC_PROTOCOL_V3) {
Copy link
Copy Markdown
Member

@marmarek marmarek Dec 3, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Generally, it's not enough to just relax this check. You need to also save which version the daemon is using (V4 is just adding a message that isn't relevant for the qrexec-client, but still). And similarly change in handle_client_hello and also save which client is using what version.

Alternatively, you can keep using V3 for daemon<->client communication, since new message is not needed at this place (right?). This will be also easier to test. But relaxing the check is a good idea for the future anyway (but can be done in a separate PR if you prefer).

@qubesos-bot
Copy link
Copy Markdown

qubesos-bot commented Dec 3, 2024
edited
Loading

OpenQA test summary

Complete test suite and dependencies: https://openqa.qubes-os.org/tests/overview?distri=qubesos&version=4.3&build=2025041703-4.3&flavor=pull-requests

Test run included the following:

New failures, excluding unstable

Compared to: https://openqa.qubes-os.org/tests/overview?distri=qubesos&version=4.3&build=2025031804-4.3&flavor=update

  • system_tests_whonix@hw7

  • system_tests_qwt_win11@hw13

    • windows_install: wait_serial (wait serial expected)
      # wait_serial expected: qr/dcWzE-\d+-/...

    • windows_install: Failed (test died + timed out)
      # Test died: command 'script -e -c 'bash -x /usr/bin/qvm-create-win...

  • system_tests_whonix

  • system_tests_kde_gui_interactive

    • gui_keyboard_layout: wait_serial (wait serial expected)
      # wait_serial expected: "echo -e '[Layout]\nLayoutList=us,de' | sud...

    • gui_keyboard_layout: Failed (test died)
      # Test died: command 'test "$(cd ~user;ls e1*)" = "$(qvm-run -p wor...

  • system_tests_qwt_win10_seamless@hw13

    • windows_clipboard_and_filecopy: unnamed test (unknown)
    • windows_clipboard_and_filecopy: Failed (test died)
      # Test died: no candidate needle with tag(s) 'qubes-website' matche...

Failed tests

14 failures

  • system_tests_whonix@hw7

    • whonixcheck: fail (unknown)
      Whonixcheck for anon-whonix failed...

    • whonixcheck: unnamed test (unknown)

    • whonixcheck: fail (unknown)
      Whonixcheck for sys-whonix failed...

    • whonixcheck: unnamed test (unknown)

  • system_tests_qwt_win11@hw13

    • windows_install: wait_serial (wait serial expected)
      # wait_serial expected: qr/dcWzE-\d+-/...

    • windows_install: Failed (test died + timed out)
      # Test died: command 'script -e -c 'bash -x /usr/bin/qvm-create-win...

  • system_tests_whonix

    • whonixcheck: fail (unknown)
      Whonixcheck for anon-whonix failed...

    • whonixcheck: unnamed test (unknown)

    • whonixcheck: fail (unknown)
      Whonixcheck for whonix-gateway-17 failed...

    • whonixcheck: unnamed test (unknown)

  • system_tests_kde_gui_interactive

    • gui_keyboard_layout: wait_serial (wait serial expected)
      # wait_serial expected: "echo -e '[Layout]\nLayoutList=us,de' | sud...

    • gui_keyboard_layout: Failed (test died)
      # Test died: command 'test "$(cd ~user;ls e1*)" = "$(qvm-run -p wor...

  • system_tests_qwt_win10_seamless@hw13

    • windows_clipboard_and_filecopy: unnamed test (unknown)
    • windows_clipboard_and_filecopy: Failed (test died)
      # Test died: no candidate needle with tag(s) 'qubes-website' matche...

Fixed failures

Compared to: https://openqa.qubes-os.org/tests/132953#dependencies

12 fixed

  • system_tests_whonix@hw7

  • system_tests_whonix

  • system_tests_basic_vm_qrexec_gui

  • system_tests_qrexec

  • system_tests_guivm_vnc_gui_interactive

    • gui_filecopy: unnamed test (unknown)
    • gui_filecopy: Failed (test died)
      # Test died: no candidate needle with tag(s) 'files-work' matched...

  • system_tests_audio

  • system_tests_kde_gui_interactive

    • clipboard_and_web: unnamed test (unknown)

    • clipboard_and_web: Failed (test died)
      # Test died: no candidate needle with tag(s) 'qubes-website' matche...

    • clipboard_and_web: wait_serial (wait serial expected)
      # wait_serial expected: "lspci; echo 2E8vz-\$?-"...

  • system_tests_suspend

    • suspend: unnamed test (unknown)
    • suspend: Failed (test died)
      # Test died: no candidate needle with tag(s) 'SUSPEND-FAILED' match...

Unstable tests

Details

Performance Tests

Performance degradation:

14 performance degradations
  • whonix-gateway-17_exec: 7.76 :small_red_triangle_up: ( previous job: 6.82, degradation: 113.82%)
  • whonix-workstation-17_socket: 9.22 :small_red_triangle_up: ( previous job: 8.19, degradation: 112.46%)
  • dom0_root_seq1m_q8t1_read 3:read_bandwidth_kb: 358487.00 :small_red_triangle_up: ( previous job: 446963.00, degradation: 80.21%)
  • dom0_root_seq1m_q1t1_read 3:read_bandwidth_kb: 192268.00 :small_red_triangle_up: ( previous job: 294295.00, degradation: 65.33%)
  • dom0_root_rnd4k_q1t1_write 3:write_bandwidth_kb: 4086.00 :small_red_triangle_up: ( previous job: 4826.00, degradation: 84.67%)
  • dom0_varlibqubes_seq1m_q8t1_write 3:write_bandwidth_kb: 92729.00 :small_red_triangle_up: ( previous job: 250795.00, degradation: 36.97%)
  • dom0_varlibqubes_seq1m_q1t1_write 3:write_bandwidth_kb: 164739.00 :small_red_triangle_up: ( previous job: 184752.00, degradation: 89.17%)
  • dom0_varlibqubes_rnd4k_q32t1_write 3:write_bandwidth_kb: 3429.00 :small_red_triangle_up: ( previous job: 6479.00, degradation: 52.92%)
  • dom0_varlibqubes_rnd4k_q1t1_write 3:write_bandwidth_kb: 4308.00 :small_red_triangle_up: ( previous job: 4903.00, degradation: 87.86%)
  • fedora-41-xfce_root_seq1m_q1t1_write 3:write_bandwidth_kb: 45565.00 :small_red_triangle_up: ( previous job: 87940.00, degradation: 51.81%)
  • fedora-41-xfce_private_seq1m_q1t1_read 3:read_bandwidth_kb: 295706.00 :small_red_triangle_up: ( previous job: 334687.00, degradation: 88.35%)
  • fedora-41-xfce_volatile_seq1m_q8t1_write 3:write_bandwidth_kb: 115682.00 :small_red_triangle_up: ( previous job: 179949.00, degradation: 64.29%)
  • fedora-41-xfce_volatile_rnd4k_q32t1_write 3:write_bandwidth_kb: 3590.00 :small_red_triangle_up: ( previous job: 5672.00, degradation: 63.29%)
  • fedora-41-xfce_volatile_rnd4k_q1t1_write 3:write_bandwidth_kb: 1316.00 :small_red_triangle_up: ( previous job: 1953.00, degradation: 67.38%)

Remaining performance tests:

58 tests
  • debian-12-xfce_exec: 6.66 🟢 ( previous job: 7.12, improvement: 93.61%)
  • debian-12-xfce_exec-root: 28.55 🟢 ( previous job: 28.65, improvement: 99.63%)
  • debian-12-xfce_socket: 8.85 :small_red_triangle_up: ( previous job: 8.60, degradation: 102.93%)
  • debian-12-xfce_socket-root: 8.31 🟢 ( previous job: 8.52, improvement: 97.42%)
  • debian-12-xfce_exec-data-simplex: 71.96 :small_red_triangle_up: ( previous job: 71.62, degradation: 100.48%)
  • debian-12-xfce_exec-data-duplex: 69.88 🟢 ( previous job: 70.34, improvement: 99.35%)
  • debian-12-xfce_exec-data-duplex-root: 86.04 :small_red_triangle_up: ( previous job: 82.72, degradation: 104.01%)
  • debian-12-xfce_socket-data-duplex: 162.58 :small_red_triangle_up: ( previous job: 156.96, degradation: 103.58%)
  • fedora-41-xfce_exec: 9.08 🟢 ( previous job: 9.27, improvement: 98.03%)
  • fedora-41-xfce_exec-root: 60.88 🟢 ( previous job: 61.51, improvement: 98.98%)
  • fedora-41-xfce_socket: 8.74 :small_red_triangle_up: ( previous job: 8.63, degradation: 101.34%)
  • fedora-41-xfce_socket-root: 8.54 🟢 ( previous job: 8.71, improvement: 98.11%)
  • fedora-41-xfce_exec-data-simplex: 64.58 🟢 ( previous job: 75.53, improvement: 85.50%)
  • fedora-41-xfce_exec-data-duplex: 73.68 :small_red_triangle_up: ( previous job: 71.56, degradation: 102.96%)
  • fedora-41-xfce_exec-data-duplex-root: 106.82 🟢 ( previous job: 109.13, improvement: 97.88%)
  • fedora-41-xfce_socket-data-duplex: 152.99 :small_red_triangle_up: ( previous job: 150.61, degradation: 101.58%)
  • whonix-gateway-17_exec-root: 38.80 🟢 ( previous job: 40.43, improvement: 95.97%)
  • whonix-gateway-17_socket: 7.26 :small_red_triangle_up: ( previous job: 7.24, degradation: 100.31%)
  • whonix-gateway-17_socket-root: 8.37 :small_red_triangle_up: ( previous job: 7.65, degradation: 109.45%)
  • whonix-gateway-17_exec-data-simplex: 73.75 🟢 ( previous job: 78.32, improvement: 94.16%)
  • whonix-gateway-17_exec-data-duplex: 77.62 :small_red_triangle_up: ( previous job: 76.65, degradation: 101.26%)
  • whonix-gateway-17_exec-data-duplex-root: 84.33 🟢 ( previous job: 88.52, improvement: 95.26%)
  • whonix-gateway-17_socket-data-duplex: 169.79 🟢 ( previous job: 171.76, improvement: 98.85%)
  • whonix-workstation-17_exec: 8.25 :small_red_triangle_up: ( previous job: 7.67, degradation: 107.51%)
  • whonix-workstation-17_exec-root: 55.89 🟢 ( previous job: 58.26, improvement: 95.93%)
  • whonix-workstation-17_socket-root: 8.78 :small_red_triangle_up: ( previous job: 8.13, degradation: 107.94%)
  • whonix-workstation-17_exec-data-simplex: 62.77 🟢 ( previous job: 74.99, improvement: 83.69%)
  • whonix-workstation-17_exec-data-duplex: 65.13 🟢 ( previous job: 72.71, improvement: 89.57%)
  • whonix-workstation-17_exec-data-duplex-root: 107.57 :small_red_triangle_up: ( previous job: 99.82, degradation: 107.76%)
  • whonix-workstation-17_socket-data-duplex: 172.94 :small_red_triangle_up: ( previous job: 169.50, degradation: 102.02%)
  • dom0_root_seq1m_q8t1_write 3:write_bandwidth_kb: 198376.00 :green_circle: ( previous job: 129298.00, improvement: 153.43%)
  • dom0_root_seq1m_q1t1_write 3:write_bandwidth_kb: 165800.00 :green_circle: ( previous job: 95454.00, improvement: 173.70%)
  • dom0_root_rnd4k_q32t1_read 3:read_bandwidth_kb: 80400.00 :green_circle: ( previous job: 79803.00, improvement: 100.75%)
  • dom0_root_rnd4k_q32t1_write 3:write_bandwidth_kb: 9322.00 :green_circle: ( previous job: 6149.00, improvement: 151.60%)
  • dom0_root_rnd4k_q1t1_read 3:read_bandwidth_kb: 10548.00 :small_red_triangle_up: ( previous job: 10795.00, degradation: 97.71%)
  • dom0_varlibqubes_seq1m_q8t1_read 3:read_bandwidth_kb: 441505.00 :green_circle: ( previous job: 382273.00, improvement: 115.49%)
  • dom0_varlibqubes_seq1m_q1t1_read 3:read_bandwidth_kb: 409280.00 :small_red_triangle_up: ( previous job: 437636.00, degradation: 93.52%)
  • dom0_varlibqubes_rnd4k_q32t1_read 3:read_bandwidth_kb: 102188.00 :green_circle: ( previous job: 62195.00, improvement: 164.30%)
  • dom0_varlibqubes_rnd4k_q1t1_read 3:read_bandwidth_kb: 10338.00 :green_circle: ( previous job: 7669.00, improvement: 134.80%)
  • fedora-41-xfce_root_seq1m_q8t1_read 3:read_bandwidth_kb: 388649.00 :green_circle: ( previous job: 368309.00, improvement: 105.52%)
  • fedora-41-xfce_root_seq1m_q8t1_write 3:write_bandwidth_kb: 261490.00 :green_circle: ( previous job: 162081.00, improvement: 161.33%)
  • fedora-41-xfce_root_seq1m_q1t1_read 3:read_bandwidth_kb: 338032.00 :green_circle: ( previous job: 318716.00, improvement: 106.06%)
  • fedora-41-xfce_root_rnd4k_q32t1_read 3:read_bandwidth_kb: 87316.00 :green_circle: ( previous job: 82694.00, improvement: 105.59%)
  • fedora-41-xfce_root_rnd4k_q32t1_write 3:write_bandwidth_kb: 3408.00 :small_red_triangle_up: ( previous job: 3599.00, degradation: 94.69%)
  • fedora-41-xfce_root_rnd4k_q1t1_read 3:read_bandwidth_kb: 8220.00 :small_red_triangle_up: ( previous job: 8485.00, degradation: 96.88%)
  • fedora-41-xfce_root_rnd4k_q1t1_write 3:write_bandwidth_kb: 1304.00 :green_circle: ( previous job: 542.00, improvement: 240.59%)
  • fedora-41-xfce_private_seq1m_q8t1_read 3:read_bandwidth_kb: 359470.00 :small_red_triangle_up: ( previous job: 373957.00, degradation: 96.13%)
  • fedora-41-xfce_private_seq1m_q8t1_write 3:write_bandwidth_kb: 217908.00 :green_circle: ( previous job: 170062.00, improvement: 128.13%)
  • fedora-41-xfce_private_seq1m_q1t1_write 3:write_bandwidth_kb: 59104.00 :small_red_triangle_up: ( previous job: 61534.00, degradation: 96.05%)
  • fedora-41-xfce_private_rnd4k_q32t1_read 3:read_bandwidth_kb: 74326.00 :small_red_triangle_up: ( previous job: 80283.00, degradation: 92.58%)
  • fedora-41-xfce_private_rnd4k_q32t1_write 3:write_bandwidth_kb: 2851.00 :green_circle: ( previous job: 2215.00, improvement: 128.71%)
  • fedora-41-xfce_private_rnd4k_q1t1_read 3:read_bandwidth_kb: 8342.00 :green_circle: ( previous job: 7540.00, improvement: 110.64%)
  • fedora-41-xfce_private_rnd4k_q1t1_write 3:write_bandwidth_kb: 1327.00 :green_circle: ( previous job: 1130.00, improvement: 117.43%)
  • fedora-41-xfce_volatile_seq1m_q8t1_read 3:read_bandwidth_kb: 337814.00 :small_red_triangle_up: ( previous job: 369868.00, degradation: 91.33%)
  • fedora-41-xfce_volatile_seq1m_q1t1_read 3:read_bandwidth_kb: 294709.00 :small_red_triangle_up: ( previous job: 324737.00, degradation: 90.75%)
  • fedora-41-xfce_volatile_seq1m_q1t1_write 3:write_bandwidth_kb: 62159.00 :green_circle: ( previous job: 17567.00, improvement: 353.84%)
  • fedora-41-xfce_volatile_rnd4k_q32t1_read 3:read_bandwidth_kb: 79999.00 :green_circle: ( previous job: 79021.00, improvement: 101.24%)
  • fedora-41-xfce_volatile_rnd4k_q1t1_read 3:read_bandwidth_kb: 9072.00 :green_circle: ( previous job: 7867.00, improvement: 115.32%)

@qubesos-bot qubesos-bot mentioned this pull request Dec 3, 2024
Merged
@fepitre fepitre force-pushed the source-domain branch 3 times, most recently from edb805b to 809e50a Compare January 22, 2025 16:39
@fepitre fepitre force-pushed the source-domain branch 2 times, most recently from d284843 to d7869df Compare March 17, 2025 14:00
@marmarek
Copy link
Copy Markdown
Member

marmarek commented Mar 18, 2025

The update fails due to mismatch between qrexec-client and qrexec-daemon versions for already running VMs:

2025-03-18 14:39:37.659 qrexec-daemon[2760]: qrexec-daemon.c:732:handle_client_hello: Incompatible client protocol version (remote 4, local 3)
2025-03-18 14:39:38.162 qrexec-daemon[2760]: qrexec-daemon.c:732:handle_client_hello: Incompatible client protocol version (remote 4, local 3)
2025-03-18 14:39:38.866 qrexec-daemon[2760]: qrexec-daemon.c:732:handle_client_hello: Incompatible client protocol version (remote 4, local 3)

See my earlier comment here about possible solution.

@qubesos-bot qubesos-bot mentioned this pull request Mar 18, 2025
Merged
@fepitre
Copy link
Copy Markdown
Member Author

fepitre commented Mar 19, 2025

The update fails due to mismatch between qrexec-client and qrexec-daemon versions for already running VMs:

2025-03-18 14:39:37.659 qrexec-daemon[2760]: qrexec-daemon.c:732:handle_client_hello: Incompatible client protocol version (remote 4, local 3)
2025-03-18 14:39:38.162 qrexec-daemon[2760]: qrexec-daemon.c:732:handle_client_hello: Incompatible client protocol version (remote 4, local 3)
2025-03-18 14:39:38.866 qrexec-daemon[2760]: qrexec-daemon.c:732:handle_client_hello: Incompatible client protocol version (remote 4, local 3)

See my earlier comment here about possible solution.

I thought this were solved..

@fepitre fepitre force-pushed the source-domain branch 2 times, most recently from d579e8d to 8d113b1 Compare March 26, 2025 17:28
marmarek
marmarek reviewed Mar 27, 2025
View reviewed changes
Comment thread qrexec/tests/socket/qrexec.py Outdated
self.send_message(MSG_HELLO, struct.pack("<L", QREXEC_PROTOCOL_VERSION))
def handshake(self, protocol_version=None):
if not protocol_version:
protocol_version = QREXEC_CLIENT_PROTOCOL_VERSION
Copy link
Copy Markdown
Member

@marmarek marmarek Mar 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wouldn't it make more sense to do the other way around? Default to version QREXEC_PROTOCOL_VERSION (set as 4?), only in cases where older version is required provide the parameter. I think you'll need to use the parameter in less places then.

And also, there is no need for =None and then the if - simply put default value in the function header.

Copy link
Copy Markdown
Member Author

@fepitre fepitre Mar 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes multiple iterations and removing of code. I did it the way around.

@marmarek marmarek mentioned this pull request Mar 27, 2025
Merged
@marmarek
Copy link
Copy Markdown
Member

marmarek commented Mar 27, 2025

Something went wrong with version negotiation between qrexec-daemon and qrexec-agent. With new daemon in dom0 and old agent in VM all is fine. But after updating agent in VM it fails:

2025-03-27 10:41:39.121 qrexec-daemon[12796]: qrexec-daemon.c:1773:main: qrexec-agent has disconnected
2025-03-27 10:41:39.178 qrexec-daemon[12796]: qrexec-daemon.c:1638:handle_agent_restart: qrexec-agent has reconnected
2025-03-27 10:41:42.871 qrexec-daemon[12796]: qrexec-daemon.c:1354:sanitize_message_from_agent: agent sent (new) MSG_TRIGGER_SERVICE4 although it uses protocol 3
2025-03-27 10:42:18.018 qrexec-daemon[12984]: process_io.c:250:qrexec_process_io: vchan connection closed early (fds: 4 4 -1, status: -1 -1)

Hopefully #182 will fix it (and hopefully it won't result in merge conflict...

marmarek
marmarek reviewed Mar 29, 2025
View reviewed changes
Comment thread qrexec/tests/socket/agent.py
def test_handshake(self):
self.start_agent()

dom0 = self.connect_dom0()
Copy link
Copy Markdown
Member

@marmarek marmarek Mar 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks like unintentional removal

Copy link
Copy Markdown
Member Author

@fepitre fepitre Mar 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes

@fepitre fepitre force-pushed the source-domain branch 2 times, most recently from 366a0dc to 0364711 Compare April 1, 2025 10:00
@fepitre fepitre changed the title WIP: Support for source domain in RPC service Support for source domain in RPC service Apr 1, 2025
@fepitre fepitre marked this pull request as ready for review April 1, 2025 10:02
@fepitre fepitre force-pushed the source-domain branch 2 times, most recently from bd0179f to be3c98f Compare April 1, 2025 14:32
@codecov
Copy link
Copy Markdown

codecov Bot commented Apr 1, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 91.83099% with 29 lines in your changes missing coverage. Please review.

Project coverage is 78.71%. Comparing base (ff08a14) to head (df12829).
Report is 40 commits behind head on main.

Files with missing lines Patch % Lines
daemon/qrexec-daemon.c 65.38% 27 Missing ⚠️
agent/qrexec-client-vm.c 84.61% 2 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main     #182      +/-   ##
==========================================
- Coverage   78.78%   78.71%   -0.08%     
==========================================
  Files          55       55              
  Lines       10160    10373     +213     
==========================================
+ Hits         8005     8165     +160     
- Misses       2155     2208      +53

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

marmarek
marmarek requested changes Apr 14, 2025
View reviewed changes
Comment thread qrexec/policy/parser.py
Comment thread qrexec/policy/parser.py Outdated
@fepitre fepitre force-pushed the source-domain branch 8 times, most recently from 2e9bfd8 to 792c4c6 Compare April 16, 2025 13:00
@marmarek
Copy link
Copy Markdown
Member

marmarek commented Apr 16, 2025

This is a good description of the whole process, but there should be also a section with just the information how transport rpc needs to be written. This needs to include specific information what such service gets and how (call arguments, env variables, qubesdb entries etc). And maybe a simple example with explanation of each step?

@fepitre
Copy link
Copy Markdown
Member Author

fepitre commented Apr 18, 2025

This is a good description of the whole process, but there should be also a section with just the information how transport rpc needs to be written. This needs to include specific information what such service gets and how (call arguments, env variables, qubesdb entries etc). And maybe a simple example with explanation of each step?

Yes this is to be added. I can add either SSH example or a dummy version (understanding here on the same host) based on the core admin test?

@marmarek
Copy link
Copy Markdown
Member

marmarek commented Apr 18, 2025 via email

marmarek
marmarek requested changes Apr 22, 2025
View reviewed changes
Comment thread doc/qrexec-remotevm.rst Outdated
# Forward the qrexec call via SSH
ssh "$remote_qube" qrexec-client-vm --source-qube="$QREXEC_REMOTE_DOMAIN" "$remote_qube" "$service"

Workflow Overview
Copy link
Copy Markdown
Member

@marmarek marmarek Apr 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMO better to put description before the example. The description is (should be) what the service should do, and then example based on SSH. It should be possible to write also other services based on this description.

Comment thread doc/qrexec-remotevm.rst Outdated
Workflow Overview
"""""""""""""""""

1. **Local-Qube to Local-Relay**: A Qubes RPC call is made from Local-Qube to Local-Relay with arguments of the form:
Copy link
Copy Markdown
Member

@marmarek marmarek Apr 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add info that this is what the transport_rpc property is about.

Comment thread doc/qrexec-remotevm.rst Outdated

where `<service>` contains the original service with argument that has been processed by policies.

2. **Destination lookup**: The RPC script extracts `Remote-Qube` and queries QubesDB on Local‑Relay to verify and translate it into the actual qube name in `Remote-QubesOS` (in this example it is assumed to be the same).
Copy link
Copy Markdown
Member

@marmarek marmarek Apr 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Include exact qubesdb path in this description.

Comment thread doc/qrexec-remotevm.rst Outdated
SSH Client Configuration Hint
+++++++++++++++++++++++++++++

To ensure that any SSH connection to a given host actually lands on the corresponding `Remote‑Relay`, add an entry like the following to your ``/etc/ssh/ssh_config``:
Copy link
Copy Markdown
Member

@marmarek marmarek Apr 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe better ~/.ssh/config? It will persist without extra bind-dirs then.

As for the hints - on the remote site /etc/ssh better be made persistent with bind-dirs (and the host key re-generated there), otherwise host key will be shared across all VMs based on the same template, so not a secret anymore...

Copy link
Copy Markdown
Member Author

@fepitre fepitre Apr 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I know but for me it's up to the user to know that's configuring host key at system level (ofc we would document it in qubes-doc at the end). Also for home path, is RPC using user home?

Copy link
Copy Markdown
Member

@marmarek marmarek Apr 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Services are called as the default user normally, so yes, it will be user.

Copy link
Copy Markdown
Member

@marmarek marmarek Apr 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually, there may be a corner case when policy specify user=. Normally it would affect the final target, but here it would affect the transport rpc. I think that's undesired. IMO either using user= should be prohibited with RemoteVM, or maybe ignored (with a warning)?

Copy link
Copy Markdown
Member Author

@fepitre fepitre Apr 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes let's ignore with a warning.

Comment thread doc/qrexec-remotevm.rst
fi

# Forward the qrexec call via SSH
ssh "$remote_qube" qrexec-client-vm --source-qube="$QREXEC_REMOTE_DOMAIN" "$remote_qube" "$service"
Copy link
Copy Markdown
Member

@marmarek marmarek Apr 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Theoretically, --source-qube="$QREXEC_REMOTE_DOMAIN" on remote side may need a similar lookup via qubesdb (on remote side) too. But IMO it's ok to simplify it here, just leave a comment that using QREXEC_REMOTE_DOMAIN directly here assumes the remote name matches the local one.

Comment thread doc/qrexec-remotevm.rst Outdated
HostName <Remote-Relay_ip>

Adjust the pattern, hostname, and jump host settings to match your environment.
This guarantees that SSH connections intended for a RemoteVM are transparently proxied through Remote‑Relay./
Copy link
Copy Markdown
Member

@marmarek marmarek Apr 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Stray / at the end.

marmarek
marmarek reviewed Apr 22, 2025
View reviewed changes
Comment thread doc/qrexec-remotevm.rst Outdated
Workflow Overview
^^^^^^^^^^^^^^^^^

1. **Local-Qube to Local-Relay**: The `transport_rpc` property of `Remote‑Relay` is used to refer to RPC call to be made from Local-Qube to Local-Relay with arguments of the form:
Copy link
Copy Markdown
Member

@marmarek marmarek Apr 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

of Remote-Relay? not Remote-Qube?

Copy link
Copy Markdown
Member Author

@fepitre fepitre Apr 22, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remote-Qube, yes. My bad, I start being fooled by all these prefix/suffix.

@marmarek marmarek merged commit df12829 into QubesOS:main Apr 22, 2025
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@marmarek marmarek marmarek approved these changes

Assignees

No one assigned

Labels

openqa-group-1

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@fepitre @qubesos-bot @marmarek