New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

qrexec-policy daemon #5125

Closed

marmarek opened this issue Jun 26, 2019 · 5 comments · Fixed by QubesOS/qubes-core-qrexec#6

Labels

C: core P: major r4.1-bullseye-cur-test r4.1-buster-cur-test r4.1-centos7-cur-test r4.1-dom0-cur-test r4.1-fc29-cur-test r4.1-fc30-cur-test r4.1-fc31-cur-test r4.1-stretch-cur-test release notes

Milestone

Member

marmarek commented Jun 26, 2019

The most time of opening qrexec call is spent on qrexec-policy process, called to evaluate policy at each call. Each time new (python) process is started, libraries imported etc. In extreme situation it can take up to 300ms per call...

Create policy handling daemon, instead of per-call process. This daemon should:

be independent process from qubesd (for stability and isolation reasons), only query qubesd when needed
listen on some local unix socket - qrexec-daemon should connect to that socket, instead of spawning separate qrexec-policy process
handle multiple requests simultaneously (so one qrexec confirmation prompt do not block other call) - this in practice means usage of asyncio python module

In initial version, it's ok to load policy files at each call, query qubesd about existing VMs etc. Basically, the same thing that current qrexec-policy process do, but avoiding python startup overhead. If further optimizations will be needed, we can do that later.

Originally posted by @marmarek in #3293 (comment)

The text was updated successfully, but these errors were encountered:

marmarek added C: core P: major release notes T: enhancement labels

marmarek added this to the Release 4.1 milestone

Member

marmarta commented Aug 8, 2019

The daemon should also notify user if policy was denied, see #3904

Member

marmarta commented Aug 9, 2019

TODO: do something with unknown/duplicated responses/qrexec client calls (for example ignore them instead of crashing)

marmarta added a commit to marmarta/qubes-core-qrexec that referenced this issue


          Qrexec policy daemon and tests

e97c5a6

Also includes rudimentary protocol documentation.
Contains only pure policy daemon that's not used
by anything yet.
references QubesOS/qubes-issues#5125

marmarta added a commit to marmarta/qubes-core-qrexec that referenced this issue


          Working qrexec-policy-daemon

1919a86

Rewritten qrexec-daemon to use policy daemon instead of running
policy-exec separately for each call. If daemon fails, falls back
to old solution.

fixes QubesOS/qubes-issues#5125

marmarta mentioned this issue

Qrexec policy daemon QubesOS/qubes-core-qrexec#6

Merged

marmarta added a commit to marmarta/qubes-core-qrexec that referenced this issue


          Working qrexec-policy-daemon

aa0f3c8

Rewritten qrexec-daemon to use policy daemon instead of running
policy-exec separately for each call. If daemon fails, falls back
to old solution.

fixes QubesOS/qubes-issues#5125

marmarta added a commit to marmarta/qubes-core-qrexec that referenced this issue


          Working qrexec-policy-daemon

e3e8707

Rewritten qrexec-daemon to use policy daemon instead of running
policy-exec separately for each call. If daemon fails, falls back
to old solution.

fixes QubesOS/qubes-issues#5125

marmarta added a commit to marmarta/qubes-core-qrexec that referenced this issue


          Working qrexec-policy-daemon

c51372a

Rewritten qrexec-daemon to use policy daemon instead of running
policy-exec separately for each call. If daemon fails, falls back
to old solution.

fixes QubesOS/qubes-issues#5125

marmarta added a commit to marmarta/qubes-core-qrexec that referenced this issue


          Working qrexec-policy-daemon

967118f

Rewritten qrexec-daemon to use policy daemon instead of running
policy-exec separately for each call. If daemon fails, falls back
to old solution.

fixes QubesOS/qubes-issues#5125

marmarta added a commit to marmarta/qubes-core-qrexec that referenced this issue


          Working qrexec-policy-daemon

acce571

Rewritten qrexec-daemon to use policy daemon instead of running
policy-exec separately for each call. If daemon fails, falls back
to old solution.

fixes QubesOS/qubes-issues#5125

marmarta added a commit to marmarta/qubes-core-qrexec that referenced this issue


          Working qrexec-policy-daemon

89605d3

Rewritten qrexec-daemon to use policy daemon instead of running
policy-exec separately for each call. If daemon fails, falls back
to old solution.

fixes QubesOS/qubes-issues#5125

marmarta added a commit to marmarta/qubes-core-qrexec that referenced this issue


          Working qrexec-policy-daemon

3a632f3

Rewritten qrexec-daemon to use policy daemon instead of running
policy-exec separately for each call. If daemon fails, falls back
to old solution.

fixes QubesOS/qubes-issues#5125

marmarta added a commit to marmarta/qubes-core-qrexec that referenced this issue


          Working qrexec-policy-daemon

cf256f5

Rewritten qrexec-daemon to use policy daemon instead of running
policy-exec separately for each call. If daemon fails, falls back
to old solution.

fixes QubesOS/qubes-issues#5125

marmarta added a commit to marmarta/qubes-core-qrexec that referenced this issue


          Working qrexec-policy-daemon

a46630d

Rewritten qrexec-daemon to use policy daemon instead of running
policy-exec separately for each call. If daemon fails, falls back
to old solution.

fixes QubesOS/qubes-issues#5125

marmarta added a commit to marmarta/qubes-core-qrexec that referenced this issue


          Working qrexec-policy-daemon

1ff0b14

Rewritten qrexec-daemon to use policy daemon instead of running
policy-exec separately for each call. If daemon fails, falls back
to old solution.

fixes QubesOS/qubes-issues#5125

marmarta added a commit to marmarta/qubes-core-qrexec that referenced this issue


          Working qrexec-policy-daemon

31de73d

Rewritten qrexec-daemon to use policy daemon instead of running
policy-exec separately for each call. If daemon fails, falls back
to old solution.

fixes QubesOS/qubes-issues#5125

marmarta added a commit to marmarta/qubes-core-qrexec that referenced this issue


          Working qrexec-policy-daemon

d88a0da

Rewritten qrexec-daemon to use policy daemon instead of running
policy-exec separately for each call. If daemon fails, falls back
to old solution.

fixes QubesOS/qubes-issues#5125

marmarta added a commit to marmarta/qubes-core-qrexec that referenced this issue


          Qrexec policy daemon and tests

f532ee3

Also includes rudimentary protocol documentation.
Contains only pure policy daemon that's not used
by anything yet.
references QubesOS/qubes-issues#5125

marmarta added a commit to marmarta/qubes-core-qrexec that referenced this issue


          Working qrexec-policy-daemon

5016d82

Rewritten qrexec-daemon to use policy daemon instead of running
policy-exec separately for each call. If daemon fails, falls back
to old solution.

fixes QubesOS/qubes-issues#5125

marmarta added a commit to marmarta/qubes-core-qrexec that referenced this issue


          Working qrexec-policy-daemon

4586fc6

Rewritten qrexec-daemon to use policy daemon instead of running
policy-exec separately for each call. If daemon fails, falls back
to old solution.

fixes QubesOS/qubes-issues#5125

marmarta added a commit to marmarta/qubes-core-qrexec that referenced this issue


          Working qrexec-policy-daemon

12f048f

Rewritten qrexec-daemon to use policy daemon instead of running
policy-exec separately for each call. If daemon fails, falls back
to old solution.

fixes QubesOS/qubes-issues#5125

marmarek mentioned this issue

[WIP] Rewrite qrexec documentation (Phase 1) QubesOS/qubes-doc#847

Merged

marmarta added a commit to marmarta/qubes-core-admin-linux that referenced this issue


          Added enabling of qrexec-policy-daemon.service

761b5b1

used by QubesOS/qubes-core-qrexec#6
references QubesOS/qubes-issues#5125

marmarta mentioned this issue

Added enabling of qrexec-policy-daemon.service QubesOS/qubes-core-admin-linux#53

Merged

marmarta added a commit to marmarta/qubes-core-qrexec that referenced this issue


          Qrexec policy daemon and tests

4d7dfbb

Also includes rudimentary protocol documentation.
Contains only pure policy daemon that's not used
by anything yet.
references QubesOS/qubes-issues#5125

marmarta added a commit to marmarta/qubes-core-qrexec that referenced this issue


          Working qrexec-policy-daemon

c7fcfc1

Rewritten qrexec-daemon to use policy daemon instead of running
policy-exec separately for each call. If daemon fails, falls back
to old solution.

fixes QubesOS/qubes-issues#5125

marmarta added a commit to marmarta/qubes-core-qrexec that referenced this issue


          Qrexec policy daemon and tests

666e8c5

Also includes rudimentary protocol documentation.
Contains only pure policy daemon that's not used
by anything yet.
references QubesOS/qubes-issues#5125

marmarta added a commit to marmarta/qubes-core-qrexec that referenced this issue


          Working qrexec-policy-daemon

b76a42f

Rewritten qrexec-daemon to use policy daemon instead of running
policy-exec separately for each call. If daemon fails, falls back
to old solution.

fixes QubesOS/qubes-issues#5125

marmarta added a commit to marmarta/qubes-core-qrexec that referenced this issue


          Qrexec policy daemon and tests

75e6802

Also includes rudimentary protocol documentation.
Contains only pure policy daemon that's not used
by anything yet.
references QubesOS/qubes-issues#5125

marmarta added a commit to marmarta/qubes-core-qrexec that referenced this issue


          Working qrexec-policy-daemon

2e8b342

Rewritten qrexec-daemon to use policy daemon instead of running
policy-exec separately for each call. If daemon fails, falls back
to old solution.

fixes QubesOS/qubes-issues#5125

marmarta added a commit to marmarta/qubes-core-qrexec that referenced this issue


          Qrexec policy daemon and tests

703f6cd

Also includes rudimentary protocol documentation.
Contains only pure policy daemon that's not used
by anything yet.
references QubesOS/qubes-issues#5125

qubesos-bot mentioned this issue

core-admin-linux v4.1.3 (r4.1) QubesOS/updates-status#1540

Closed

marmarek closed this as completed in


      QubesOS/qubes-core-qrexec@de23776

qubesos-bot added the r4.1-bullseye-cur-test label

qubesos-bot mentioned this issue

core-qrexec v4.1.4 (r4.1) QubesOS/updates-status#1712

Closed

qubesos-bot added the r4.1-buster-cur-test label

qubesos-bot commented Mar 25, 2020

Automated announcement from builder-github

The package qubes-core-qrexec_4.1.4-1 has been pushed to the r4.1 testing repository for the Debian template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing stretch-testing (or appropriate equivalent for your template version), then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

qubesos-bot added the r4.1-stretch-cur-test label

qubesos-bot commented Mar 25, 2020

Automated announcement from builder-github

The package core-qrexec has been pushed to the r4.1 testing repository for the CentOS centos7 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r4.1-current-testing

Changes included in this update

qubesos-bot added the r4.1-centos7-cur-test label

qubesos-bot commented Mar 25, 2020

Automated announcement from builder-github

The package qubes-core-qrexec-4.1.5-1.fc31 has been pushed to the r4.1 testing repository for dom0.
To test this update, please install it with the following command:

sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing

Changes included in this update

qubesos-bot added r4.1-dom0-cur-test r4.1-fc29-cur-test r4.1-fc30-cur-test r4.1-fc31-cur-test labels

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment