qrexec-policy-graph: add qube colors #222

Open
notmuchtohide wants to merge 4 commits into QubesOS:main from notmuchtohide:3007-policy-graph-node-color

notmuchtohide commented Feb 28, 2026

Fixes QubesOS/qubes-issues#3007. I have not fixed the tests yet, but I believe the rest is ready for feedback.

Code decisions:

  1. Node styling is not organized: Node styling is added as nodes are found instead of being grouped together. It should have no impact on the final graph and was considered as a potentially acceptable trade-off for implementation simplicity.
  2. qubesadmin vs. system_info: The already used system_info did not provide qube colors, therefore it was obtained from qubesadmin.

Styling decisions:

  1. Qube color was added to node borders in case of a literal qube (one that doesn't start with "@"). On non-literal qubes, nodes are dotted because it's not necessarily an individual qube.
  2. The chosen style of coloring borders instead of solid filling made it easier to deal with the inner text (example: black text on black colored qubes).

Before: [image: before]

After: [image: after]

Fixes QubesOS/qubes-issues#3007

Code decisions:
    1. Node styling is not organized:
    Node styling is added as nodes are found instead of being grouped
    together. It should have no impact on the final graph and was
    considered as a potentially acceptable trade-off for
    implementation simplicity.

    2. qubesadmin vs. system_info:
    The already used system_info did not provide qube colors,
    therefore it was obtained from qubesadmin.

Styling decisions:

    1. Qube color was added to node borders in case of a literal qube
    (one that doesn't start with "@"). On non-literal qubes, nodes
    are dotted because it's not necessarily an individual qube.

    2. The chosen style of coloring borders instead of solid filling
    made it easier to deal with the inner text (example: black text
    on black colored qubes).
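
The styling rules listed above, written out as an added example that is not code from this pull request or from the project. It assumes that `system_info["domains"][name]["label"]` holds a label name and that only the eight default Qubes label names are passed to Graphviz as colors; the helper names and the sample data are constructed for illustration.

```python
# Added illustration, not the code from this pull request.
# Assumption: system_info["domains"][name]["label"] holds the label name.
DEFAULT_LABELS = {"red", "orange", "yellow", "green",
                  "gray", "blue", "purple", "black"}
PENWIDTH = "3"  # width settled on in the review thread (first draft used 5)

# Constructed sample data.
SYSTEM_INFO = {"domains": {
    "work": {"label": "blue"},
    "vault": {"label": "black"},
    "untrusted": {"label": "red"},
    "legacy": {},  # entry without a label, as from an older core-admin
}}
EDGES = [  # (source, target, service)
    ("work", "vault", "qubes.Gpg"),
    ("untrusted", "@dispvm", "qubes.OpenURL"),
    ("@anyvm", "legacy", "qubes.Filecopy"),
]

def node_attrs(name, system_info):
    """Graphviz attributes for one policy endpoint."""
    if name.startswith("@"):
        # Tokens such as @anyvm can match several qubes: no single color.
        return {"style": "dotted"}
    label = system_info["domains"].get(name, {}).get("label")
    if label not in DEFAULT_LABELS:
        return {}  # unknown qube, missing or custom label: default style
    # Color the border only, so black text stays readable on a black qube.
    return {"color": label, "penwidth": PENWIDTH}

def quote(text):
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'

def render(edges, system_info):
    """Emit DOT, styling each node the first time it is seen."""
    lines, seen = ["digraph policy {"], set()
    for src, dst, service in edges:
        for node in (src, dst):
            if node in seen:
                continue
            seen.add(node)
            attrs = node_attrs(node, system_info)
            if attrs:
                body = ", ".join(f"{k}={quote(v)}" for k, v in attrs.items())
                lines.append(f"  {quote(node)} [{body}];")
        lines.append(f"  {quote(src)} -> {quote(dst)} [label={quote(service)}];")
    lines.append("}")
    return "\n".join(lines)
```

Calling `render(EDGES, SYSTEM_INFO)` returns DOT text that can be piped to `dot -Tsvg`.
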

notmuchtohide force-pushed the 3007-policy-graph-node-color branch from 8984c4c to 6770795, March 1, 2026 01:00

ben-grande (Contributor) commented

> 2. qubesadmin vs. system_info: The already used system_info did not provide qube colors, therefore it was obtained from qubesadmin.

Then I believe that you could add label to system_info in qubes-core-admin instead of adding a dependency in qubesadmin.

> Styling decisions:
>
> 1. Qube color was added to node borders in case of a literal qube (one that doesn't start with "@"). On non-literal qubes, nodes are dotted because it's not necessarily an individual qube.

I think that is okay.

> 2. The chosen style of coloring borders instead of solid filling made it easier to deal with the inner text (example: black text on black colored qubes).

I think that the border is too big with penwidth = 5. Without that, are the colors hard to distinguish because of being too thin?

Obtain label from system_info instead of adding a dependency in
qubesadmin.

notmuchtohide (Author) commented

> > 2. qubesadmin vs. system_info: The already used system_info did not provide qube colors, therefore it was obtained from qubesadmin.
>
> Then I believe that you could add label to system_info in qubes-core-admin instead of adding a dependency in qubesadmin.

Done: QubesOS/qubes-core-admin#786

> I think that the border is too big with penwidth = 5. Without that, are the colors hard to distinguish because of being too thin?

I believe the colors also look nice on thinner borders. I have now changed the width to 3.
This is how it looks now:

[image: qrexec-policy-graph]

ben-grande (Contributor) commented

PipelineRetryFailed

ben-grande (Contributor) commented Mar 9, 2026

PipelineRetryFailed


cairo-gobject at it again... will retry pipeline until it gets a functional runner.

ben-grande (Contributor) commented

CI failure seems to be related to missing the PR on core-admin. I believe that will be run by the gitlab runner when creating the openqa job.

marmarek (Member) commented Mar 9, 2026

> CI failure seems to be related to missing the PR on core-admin.

Tests have mockup system info structure, see qrexec/tests/policy_graph.py. And I'm pretty sure some of the tests will need an update to include the label too.

notmuchtohide (Author) commented

> > CI failure seems to be related to missing the PR on core-admin.
>
> Tests have mockup system info structure, see qrexec/tests/policy_graph.py. And I'm pretty sure some of the tests will need an update to include the label too.

I believe I fixed the tests now.

The pipeline seems to be failing with the cairo-gobject that @ben-grande mentioned but the tests and lint are passing locally.

ben-grande (Contributor) commented

PipelineRetryFailed

ben-grande (Contributor) commented

Passed CI: https://gitlab.com/QubesOS/qubes-core-qrexec/-/pipelines/2373959020

gi problem for pylint, will ignore that and let this PR be scheduled for openqa.

ben-grande (Contributor) commented

PipelineRetryFailed

codecov Bot commented Mar 10, 2026

Codecov Report

❌ Patch coverage is 95.00000% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 78.90%. Comparing base (cc801b8) to head (f4e05be).

| Files with missing lines | Patch % | Lines |
|---|---|---|
| qrexec/tools/qrexec_policy_graph.py | 94.73% | 1 Missing ⚠️ |

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #222      +/-   ##
==========================================
+ Coverage   78.88%   78.90%   +0.02%     
==========================================
  Files          55       55              
  Lines       10531    10542      +11     
==========================================
+ Hits         8307     8318      +11     
  Misses       2224     2224              

qubesos-bot commented

OpenQA test summary

Complete test suite and dependencies: https://openqa.qubes-os.org/tests/overview?distri=qubesos&version=4.3&build=2026031319-4.3-debian&flavor=pull-requests

Test run included the following:

New failures, excluding unstable

Compared to: https://openqa.qubes-os.org/tests/overview?distri=qubesos&version=4.3&build=2026020304-devel&flavor=update

Failed tests

No failures!

Fixed failures

Compared to: https://openqa.qubes-os.org/tests/166096#dependencies
Nothing fixed

Unstable tests

Details

Performance Tests

Performance degradation:

No issues

Remaining performance tests:

13 tests
  • debian-13-xfce_dom0-dispvm-api (mean:6.539): 78.47 🟢 ( previous job: 79.83, improvement: 98.29%)
  • debian-13-xfce_dom0-dispvm-gui-api (mean:7.827): 93.92 🔻 ( previous job: 92.49, degradation: 101.55%)
  • debian-13-xfce_dom0-dispvm-preload-2-api (mean:3.149): 37.79 🟢 ( previous job: 44.94, improvement: 84.08%)
  • debian-13-xfce_dom0-dispvm-preload-2-delay-0-api (mean:2.917): 35.00 🟢 ( previous job: 41.46, improvement: 84.42%)
  • debian-13-xfce_dom0-dispvm-preload-2-delay-minus-1d2-api (mean:3.307): 39.69 🟢 ( previous job: 47.01, improvement: 84.43%)
  • debian-13-xfce_dom0-dispvm-preload-4-api (mean:2.284): 27.41 🟢 ( previous job: 37.67, improvement: 72.75%)
  • debian-13-xfce_dom0-dispvm-preload-4-delay-0-api (mean:2.809): 33.71 🟢 ( previous job: 36.76, improvement: 91.71%)
  • debian-13-xfce_dom0-dispvm-preload-4-delay-minus-1d2-api (mean:2.441): 29.29 🟢 ( previous job: 37.87, improvement: 77.36%)
  • debian-13-xfce_dom0-dispvm-preload-2-gui-api (mean:4.989): 59.87 🔻 ( previous job: 55.58, degradation: 107.71%)
  • debian-13-xfce_dom0-dispvm-preload-4-gui-api (mean:4.135): 49.62 🔻 ( previous job: 47.73, degradation: 103.97%)
  • debian-13-xfce_dom0-dispvm-preload-6-gui-api (mean:4.198): 50.38 🔻 ( previous job: 47.11, degradation: 106.93%)
  • debian-13-xfce_dom0-vm-api (mean:0.038): 0.45 🔻 ( previous job: 0.41, degradation: 109.93%)
  • debian-13-xfce_dom0-vm-gui-api (mean:0.039): 0.47 🟢 ( previous job: 0.48, improvement: 96.67%)

marmarek added a commit to QubesOS/qubes-core-admin that referenced this pull request Mar 28, 2026
* origin/pr/786:
  Add label to test_010
  Add label to vm_events
  Add label to system_info

Pull request description:

This is necessary to display qube colors in qrexec-policy-graph (QubesOS/qubes-core-qrexec#222).

marmarek (Member) commented

This needs a rebase now...

Successfully merging this pull request may close these issues.

qrexec-policy-graph: color nodes according to actual colors