implement an rexec_client; move previous rexec code to rexec_server

[yomimono]

Here's another attempt at #35, which tries to implement a more sensible API.

[yomimono]

/cc @linse

[talex5]

Thanks for doing this! It looks good to me.

There's one bit I'm not sure about though: I see that the client and server both end up running a vchan service on the same port and waiting for dom0 to connect. Does that mean that a unikernel can either be a client or be a server, but not both? If outgoing client and incoming service requests go over the same vchan (I hadn't thought of that before), maybe there should be a single vchan server with a single listen loop, and RExec_client.connect ... should just be RExec.request_service t ..., returning an RExec_client.Flow.t? Apart from the that, the new API looks perfect to me :-)

[cfcs]

I think it would be super nice to get this merged, thanks for writing this!
I left some comments, but none that I feel should block the merging of this.

@yomimono do you have an opinion about @talex5's question?

[cfcs]

Seems like documenting the trailing \n being added here would make sense, if we want to keep it.

It seems confusing to me that write would not add a newline, while writef does.
This behavior is in line with the [current implementation of RExec.writef]https://github.com/mirage/mirage-qubes/blob/master/lib/rExec.ml#L66-L83) which is documented in the mli interface (which I also find confusing). :)

[cfcs]

if we wrapped the body in a recursive function we could avoid an allocation of Cstruct.create sizeof_msg_header by reusing it (necessitating only the set_msg_header_len hdr (Cstruct.len data |> Int32.of_int); in the loop).
Since max_data_chunk = 4096 this might make sense for large sends like file transfers?

[cfcs]

XXX Not related to this PR, but I went looking for the receiving side of this, and fell over qubes-core-agent-linux/qrexec/qrexec-agent.c:handle_server_exec_request which seems to assume that buf is 0-terminated:

    if ((hdr->type == MSG_EXEC_CMDLINE || hdr->type == MSG_JUST_EXEC) &&
            !strstr(buf, ":nogui:")) {
   /* seems to me this strstr() should probably be a memmem() bounded to buf_len */

[cfcs]

Any reason this doesn't use the [%struct] accessors functions like set_trigger_service_parameters_service_name? (Well that is a ridiculously long function name, but it does spare us the trouble of having to be careful to get the offsets and lengths right)

In the definition they seem to suggest these should be 0-terminated, so maybe we should pass max_len:whatever-1, or validate + fail if the application decides to pass us garbage input?

[reynir]

The code in QubesOS does add a zero byte at the very end of the char array in any case. But I agree that we should ensure it's also zero-terminated on our end because otherwise we potentially lose one byte of the identifier. https://github.com/QubesOS/qubes-core-qrexec/blob/master/daemon/qrexec-daemon.c#L817

[reynir]

I noticed in qrexec-client-vm that they just pass SOCKET every time as the identifier. Maybe we should do the same and remove identifier from the arguments making it simpler.

[cfcs]

I was about to pose the cheeky question of whether converting both to string on each call was necessary, but to my surprise I found that Cstruct doesn't seem to have a index function. That sucks.

Perhaps we can do something like storing the length of the previously examined stdout_buf and stderr_buf so we can avoid checking the same bytes on long lines over and over?

I'd still prefer if we could avoid converting both buffers if we know we are always going to go with the first if there's a match; would it be OK with you to serialize these so the second conversion only happens when newline stdout is None?

[cfcs]

Not sure this is a problem, but as long as there's stdout_buf newlines we will never return anything from `Stderr.
It doesn't seem entirely fair, but I guess not an issue in real life.

[reynir]

This is similar to how read works FWIW. Stdout has priority over stderr.

[cfcs]

I think it would make sense to preserve the these should be \0-terminated comments from the original header file?

[cfcs]

I think we could avoid exceptions with something like:

let split chr s =
  match String.index_opt s chr with
  | None -> None
  | Some i -> Some (String.sub s 0 i, String.sub s (i + 1) (String.length s - i - 1))

[reynir]

String.index_opt was added in 4.05.0 and that's our new minimum, so I concur.

[reynir]

I think this doesn't take account for qrexec calls can be to and from the VM during the same session - so the server part will eat client messages, and/or the client part will eat server messages. I may be wrong, but I remember thinking of how to solve this when I wanted to implement this myself. I will dig some further...

[reynir]

String.index_opt was added in 4.05.0 and that's our new minimum, so I concur.

[reynir]

Where does this constant come from?

[reynir]

Do we really want to return `Eof when we haven't sent all data?

[reynir]

This is similar to how read works FWIW. Stdout has priority over stderr.

[reynir]

The code in QubesOS does add a zero byte at the very end of the char array in any case. But I agree that we should ensure it's also zero-terminated on our end because otherwise we potentially lose one byte of the identifier. https://github.com/QubesOS/qubes-core-qrexec/blob/master/daemon/qrexec-daemon.c#L817

[reynir]

I noticed in qrexec-client-vm that they just pass SOCKET every time as the identifier. Maybe we should do the same and remove identifier from the arguments making it simpler.

[reynir]

Oh, sorry. I meant to submit pending review in #39 and not these old comments

[talex5]

Closing this as it appears to be superseded by #39.