Rexec client and server

[reynir]

This PR adds functionality to the qrexec implementation such that receiving and sending qrexec rpc calls concurrently is possible.

I will need to review this myself again, but it seems to work provided mirage/ocaml-vchan#132 is merged.

[reynir]

Added @yomimono as co-author since a lot of the code was based on theirs (thanks!!)

[yomimono]

please add @linse also :)

[reynir]

Done! :-)

[reynir]

I had a discussion with @cfcs regarding RExec.Client_flow.writef. It differs from RExec.Flow.writef in that it doesn't add a newline. We discussed renaming it RExec.Client_flow.writefmt and adding a RExec.Flow.writefmt with equivalent semantics.

[cfcs]

leaving a note here about concatenating printf format6 values to avoid first evaluating, then string concatenating (for the \n thing)

# open CamlinternalFormatBasics ;;
# let f (Format (fmt, n)) =
  let joined = Format (concat_fmt fmt (Char_literal ('z', End_of_format)), "") in
  Printf.sprintf joined
in f "a %s " "b";;
- : string = "a b z"

So @hannesm suggested this instead:

let f fmt = Printf.sprintf (fmt ^^ "z") in f "a %s " "b";;
- : string = "a b z"

[cfcs]

I think the Cstruct.append here is superfluous since next_msg is only called in read when Cstruct.len t.stdout_buf = 0 && Cstruct.len t.stderr_buf = 0 ?

Is the append here to prevent making a reference to the data buffer or can we do t.stdout_buf <- data ;?

(ping @reynir @yomimono @linse )

[reynir]

I've reviewed it, and it seems to be a leftover from #36 which has read_line that would require buffering. I opted to not implement read_line when writing Client_flow. It should be safe to return directly from next_msg. I can also implement read_line if it's desired.

[cfcs]

I think read_line might make sense as a utility function for the line-based protocols, but let's not let that block this PR :)

[cfcs]

Maybe we should err on the side of caution here and terminate? Do we anticipate any unhandled messages, or would this only happen in qrexec upgrades?

[reynir]

Qrexec version is negotiated when connecting, so I think this would only happen if the other end is misbehaving. How do you suggest we terminate?

[cfcs]

I would kill the flow from here if that makes sense?

[reynir]

See reynir#1 for a suggested implementation

[cfcs]

Looks good to me. Do we need to QV.disconnect t.dstream on Eof?

[reynir]

The CI fails at OCaml 4.04.0. I use Hashtbl.find_opt which is from OCaml 4.05.0. Mirage requires OCaml >= 4.05.0, so I think the CI should be updated to reflect this. :-)

[cfcs]

Had some more uncommitted comments

[hannesm]

from what I understand (please correct me if I'm wrong)

• this superseeds implement an rexec_client; move previous rexec code to rexec_server #36 (@yomimono @linse ?)
• there are some outstanding comments by @cfcs in this PR (which could be addressed in here or in a subsequent PR)
  • read_line Rexec client and server #39 (comment)
  • kill the flow Rexec client and server #39 (comment)
  • surround if/then/else with begin .. end Rexec client and server #39 (comment)
  • handle dom0 closing the control channel properly (remove stuff from hashtable) Rexec client and server #39 (comment)
  • Logs.warn for unsoiicited answers Rexec client and server #39 (comment)
• CI fails with older compilers (but we can and should safely update to 4.05+)
  • this can easily be done by updating .travis.yml

thanks for reading, maybe we can converge to get this merged (and a mirage-qubes release)!?

[reynir]

@hannesm sorry, I have been travelling with little opportunity for computer time. Yes, that is correct. I have adapted some of the suggestions made by @cfcs, and #44 ups the OCaml compiler version. What is still outstanding is:

• read_line Rexec client and server #39 (comment)
• kill the flow Rexec client and server #39 (comment)
• surround if/then/else with begin .. end Rexec client and server #39 (comment)

I don't find the latter an issue personally, but I'm open for adding begin .. end. I am personally not interested in adding read_line, so I think it would be better as a separate PR. Regarding killing the flow I've made a PR to my own PR with an implementation that I'm considering reynir#1.

I would love to see this merged and released soon.

[cfcs]

@reynir I'm happy with your kill flow implementation. I haven't tested it, but I think it looks reasonable, and I think we should get this merged.
My comments aside, all of which I consider addressed, are we ready to merge?

[hannesm]

a rebase onto master would be great (than CI should pass AFAICT)!

[cfcs]

Looks like CI is happy :)

[hannesm]

for me, the remaining question is about kill flow implementation -- reynir#1 (on unexpected message?, and EOF?) -- which is not part of this PR!?

[reynir]

I was considering doing kill flow in a separate PR. I noticed the existing server implementation did not close the flow either, but rereading the code now I noticed that it raises an exception (by Lwt.fail) on unexpected message types. It seems to me that a misbehaving client can then take down the whole unikernel?!

[hannesm]

I agree with @reynir that the kill behaviour can be improved in a future PR (there are other components, such as qubesdb, which lead to Lwt.fail if they receive unexpected messages). Merging after review and ok from @cfcs to include into the next release. Thanks for your patience and submitting this PR!