Qubes Air: Introduce RemoteVM

doc/qubes-vm/remotevm.rst

@@ -0,0 +1,8 @@
+:py:mod:`qubes.vm.remotevm` -- Remote VM
+==========================================
+
+.. automodule:: qubes.vm.remotevm
+   :members:
+   :show-inheritance:
+
+.. vim: ts=3 sw=3 et

qubes/api/admin.py

@@ -370,7 +370,11 @@ def _property_reset(self, dest):
     async def vm_volume_list(self):
         self.enforce(not self.arg)
 
-        volume_names = self.fire_event_for_filter(self.dest.volumes.keys())
+        volume_names = (
+            self.fire_event_for_filter(self.dest.volumes.keys())
+            if isinstance(self.dest, qubes.vm.qubesvm.QubesVM)
+            else []
+        )
         return "".join("{}\n".format(name) for name in volume_names)
 
     @qubes.api.method(
@@ -1262,7 +1266,8 @@ async def _vm_create(
         vm.tags.add("created-by-" + str(self.src))
 
         try:
-            await vm.create_on_disk(pool=pool, pools=pools)
+            if isinstance(vm, qubes.vm.qubesvm.QubesVM):
+                await vm.create_on_disk(pool=pool, pools=pools)
         except:
             del self.app.domains[vm]
             raise
@@ -1310,7 +1315,10 @@ async def vm_remove(self):
             if not self.dest.is_halted():
                 raise qubes.exc.QubesVMNotHaltedError(self.dest)
 
-            if self.dest.installed_by_rpm:
+            if (
+                isinstance(self.dest, qubes.vm.qubesvm.QubesVM)
+                and self.dest.installed_by_rpm
+            ):
                 raise qubes.exc.QubesVMInUseError(
                     self.dest,
                     "VM installed by package manager: " + self.dest.name,

qubes/api/internal.py

@@ -49,6 +49,10 @@ class SystemInfoCache:
         "property-reset:icon",
         "property-set:guivm",
         "property-reset:guivm",
+        "property-set:relayvm",
+        "property-reset:relayvm",
+        "property-set:transport_rpc",
+        "property-reset:transport_rpc",
         # technically not changeable, but keep for consistency
         "property-set:uuid",
         "property-reset:uuid",
@@ -125,6 +129,16 @@ def get_system_info(cls, app):
                         if getattr(domain, "guivm", None)
                         else None
                     ),
+                    "relayvm": (
+                        domain.relayvm.name
+                        if getattr(domain, "relayvm", None)
+                        else None
+                    ),
+                    "transport_rpc": (
+                        domain.transport_rpc
+                        if getattr(domain, "transport_rpc", None)
+                        else None
+                    ),
                     "power_state": domain.get_power_state(),
                     "uuid": str(domain.uuid),
                 }

qubes/app.py

@@ -503,15 +503,15 @@ def vms(self):
     def add(self, value, _enable_events=True):
         """Add VM to collection
 
-        :param qubes.vm.LocalVM value: VM to add
+        :param qubes.vm.BaseVM value: VM to add
         :param _enable_events:
         :raises TypeError: when value is of wrong type
         :raises ValueError: when there is already VM which has equal ``qid``
         """
 
         # this violates duck typing, but is needed
         # for VMProperty to function correctly
-        if not isinstance(value, qubes.vm.LocalVM):
+        if not isinstance(value, qubes.vm.BaseVM):
             raise TypeError(
                 "{} holds only LocalVM instances".format(
                     self.__class__.__name__
@@ -545,7 +545,7 @@ def __getitem__(self, key):
                     return vm
             raise KeyError(key)
 
-        if isinstance(key, qubes.vm.LocalVM):
+        if isinstance(key, qubes.vm.BaseVM):
             key = key.uuid
 
         if isinstance(key, uuid.UUID):
@@ -559,10 +559,11 @@ def __getitem__(self, key):
 
     def __delitem__(self, key):
         vm = self[key]
-        if not vm.is_halted():
+        if isinstance(vm, qubes.vm.qubesvm.QubesVM) and not vm.is_halted():
             raise qubes.exc.QubesVMNotHaltedError(vm)
         self.app.fire_event("domain-pre-delete", pre_event=True, vm=vm)
-        vm.libvirt_undefine()
+        if isinstance(vm, qubes.vm.qubesvm.QubesVM):
+            vm.libvirt_undefine()
         del self._dict[vm.qid]
         self.app.fire_event("domain-delete", vm=vm)
         if getattr(vm, "dispid", None):
@@ -1654,8 +1655,10 @@ def on_domain_pre_deleted(self, event, vm):
                             "see 'journalctl -u qubesd -e' in dom0 for "
                             "details".format(vm.name),
                         )
-
-        assignments = vm.get_provided_assignments()
+        if isinstance(vm, qubes.vm.qubesvm.QubesVM):
+            assignments = vm.get_provided_assignments()
+        else:
+            assignments = []
         if assignments:
             desc = ", ".join(assignment.port_id for assignment in assignments)
             raise qubes.exc.QubesVMInUseError(

qubes/ext/block.py

@@ -31,10 +31,11 @@
 import qubes.device_protocol
 import qubes.devices
 import qubes.ext
+from qubes.devices import Port
 from qubes.ext import utils
 from qubes.storage import Storage
 from qubes.vm.qubesvm import QubesVM
-from qubes.devices import Port
+from qubes.vm.remotevm import RemoteVM
 
 name_re = re.compile(r"\A[a-z0-9-]{1,12}\Z")
 device_re = re.compile(r"\A[a-z0-9/-]{1,64}\Z")
@@ -346,7 +347,7 @@ def on_qdb_change(self, vm, event, path):
     def get_device_attachments(vm_):
         result = {}
         for vm in vm_.app.domains:
-            if not vm.is_running():
+            if not vm.is_running() or isinstance(vm, RemoteVM):
                 continue
 
             if vm.app.vmm.offline_mode:

qubes/ext/relay.py

@@ -0,0 +1,65 @@
+#
+# The Qubes OS Project, https://www.qubes-os.org/
+#
+# Copyright (C) 2024 Frédéric Pierret <frederic.pierret@qubes-os.org>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, see <https://www.gnu.org/licenses/>.
+#
+
+import qubes.ext
+import qubes.vm.remotevm
+
+
+class Relay(qubes.ext.Extension):
+    # pylint: disable=unused-argument
+    @qubes.ext.handler("domain-init", "domain-load")
+    def on_domain_init_load(self, vm, event):
+        if (
+            getattr(vm, "relayvm", None)
+            and "relayvm-" + vm.relayvm.name not in vm.tags
+        ):
+            self.on_property_set(vm, event, name="relayvm", newvalue=vm.relayvm)
+
+    @qubes.ext.handler("domain-start")
+    def on_domain_start(self, vm, event, **kwargs):
+        if not vm.untrusted_qdb:
+            return
+        for domain in vm.app.domains:
+            if getattr(domain, "relayvm", None) == vm:
+                vm.untrusted_qdb.write(
+                    f"/remote/{domain.name}", domain.remote_name or domain.name
+                )
+
+    @qubes.ext.handler("property-reset:relayvm", vm=qubes.vm.remotevm.RemoteVM)
+    def on_property_reset(self, subject, event, name, oldvalue=None):
+        newvalue = getattr(subject, "relayvm", None)
+        self.on_property_set(subject, event, name, newvalue, oldvalue)
+
+    @qubes.ext.handler("property-set:relayvm", vm=qubes.vm.remotevm.RemoteVM)
+    def on_property_set(self, subject, event, name, newvalue, oldvalue=None):
+        # Clean other 'relayvm-XXX' tags.
+        # qrexec-client-vm can connect to only one domain
+        tags_list = list(subject.tags)
+        for tag in tags_list:
+            if tag.startswith("relayvm-"):
+                subject.tags.remove(tag)
+
+        if newvalue:
+            relayvm_tag = "relayvm-" + newvalue.name
+            subject.tags.add(relayvm_tag)
+            if newvalue.untrusted_qdb:
+                remote_name = subject.remote_name or subject.name
+                newvalue.untrusted_qdb.write(
+                    f"/remote/{subject.name}", remote_name
+                )

qubes/tests/api_internal.py

@@ -37,6 +37,8 @@ async def coro_f(*args, **kwargs):
 
 
 class TC_00_API_Misc(qubes.tests.QubesTestCase):
+    maxDiff = None
+
     def setUp(self):
         super().setUp()
         self.app = mock.NonCallableMock()
@@ -195,6 +197,8 @@ def test_010_get_system_info(self):
                     "icon": "icon-dom0",
                     "guivm": None,
                     "power_state": "Running",
+                    "relayvm": None,
+                    "transport_rpc": None,
                     "uuid": "00000000-0000-0000-0000-000000000000",
                 },
                 "vm": {
@@ -205,6 +209,8 @@ def test_010_get_system_info(self):
                     "icon": "icon-vm",
                     "guivm": "vm",
                     "power_state": "Halted",
+                    "relayvm": None,
+                    "transport_rpc": None,
                     "uuid": str(TEST_UUID),
                 },
             }

qubes/tests/app.py

@@ -21,6 +21,7 @@
 #
 
 import os
+import unittest
 import unittest.mock as mock
 
 import lxml.etree
@@ -35,6 +36,8 @@
 import logging
 import time
 
+from qubes.tests.vm.qubesvm import TestQubesDB
+
 
 class TestApp(qubes.tests.TestEmitter):
     pass
@@ -915,6 +918,87 @@ class MyTestHolder(qubes.tests.TestEmitter, qubes.PropertyHolder):
         self.assertNotIn("audiovm-sys-audio", appvm.tags)
         self.assertNotIn("audiovm-", appvm.tags)
 
+    def test_116_remotevm_add_and_remove(self):
+        remotevm1 = self.app.add_new_vm(
+            "RemoteVM", name="remote-vm1", label="blue"
+        )
+        self.app.add_new_vm("RemoteVM", name="remote-vm2", label="gray")
+        self.app.add_new_vm(
+            "AppVM",
+            name="test-vm",
+            template=self.template,
+            label="red",
+        )
+
+        assert remotevm1 in self.app.domains
+        del self.app.domains["remote-vm1"]
+
+        self.assertCountEqual(
+            {d.name for d in self.app.domains},
+            {"dom0", "test-template", "test-vm", "remote-vm2"},
+        )
+
+    def test_117_remotevm_status(self):
+        remotevm1 = self.app.add_new_vm(
+            "RemoteVM", name="remote-vm1", label="blue"
+        )
+        assert [
+            remotevm1.get_power_state(),
+            remotevm1.get_cputime(),
+            remotevm1.get_mem(),
+        ] == ["Running", 0, 0]
+
+    @unittest.mock.patch("qubes.vm.qubesvm.QubesVM.untrusted_qdb")
+    def test_118_remotevm_set_relayvm(self, mock_qubesdb):
+        class MyTestHolder(qubes.tests.TestEmitter, qubes.PropertyHolder):
+            relayvm = qubes.property("relayvm")
+            transport_rpc = qubes.property("transport_rpc")
+
+        localrelay = self.app.add_new_vm(
+            "AppVM",
+            name="local-relay",
+            template=self.template,
+            label="red",
+        )
+        # add QDB to localrelay
+        test_qubesdb = TestQubesDB()
+        mock_qubesdb.write.side_effect = test_qubesdb.write
+        mock_qubesdb.rm.side_effect = test_qubesdb.rm
+        localrelay.untrusted_qdb = test_qubesdb
+
+        remotevm = self.app.add_new_vm(
+            "RemoteVM", name="remote-vm", label="blue"
+        )
+        remotevm.remote_name = "myawesomevm"
+
+        holder = MyTestHolder(None)
+        holder.relayvm = "local-relay"
+        holder.transport_rpc = "qubesair.SSHProxy"
+        self.assertEqual(holder.relayvm, "local-relay")
+        self.assertEqual(holder.transport_rpc, "qubesair.SSHProxy")
+
+        self.assertEventFired(
+            holder,
+            "property-set:relayvm",
+            kwargs={"name": "relayvm", "newvalue": "local-relay"},
+        )
+
+        self.assertEventFired(
+            holder,
+            "property-set:transport_rpc",
+            kwargs={"name": "transport_rpc", "newvalue": "qubesair.SSHProxy"},
+        )
+
+        # Set RelayVM
+        remotevm.relayvm = localrelay
+        self.assertIn("relayvm-local-relay", remotevm.tags)
+
+        # Read QDB path
+        self.assertEqual(
+            localrelay.untrusted_qdb.read("/remote/remote-vm"),
+            remotevm.remote_name,
+        )
+
     def test_200_remove_template(self):
         appvm = self.app.add_new_vm(
             "AppVM", name="test-vm", template=self.template, label="red"

qubes/vm/__init__.py

@@ -269,6 +269,21 @@
         if hasattr(self, "name"):
             self.init_log()
 
+        #: operations which shouldn't happen simultaneously with qube startup
+        #  (including another startup of the same qube)
+        self.startup_lock = asyncio.Lock()
+
+    def __str__(self):
+        return self.name
+
+    def __hash__(self):
+        return self.qid
+
+    def __lt__(self, other):
+        if not isinstance(other, qubes.vm.BaseVM):
+            return NotImplemented
+        return self.name < other.name
+
     @qubes.stateless_property
     def klass(self):
         """Domain class name"""
@@ -342,6 +357,13 @@
             " ".join(proprepr),
         )
 
+    @qubes.events.handler("domain-init", "domain-load")
+    def on_domain_init_loaded(self, event):
+        # pylint: disable=unused-argument
+        if not hasattr(self, "uuid"):
+            # pylint: disable=attribute-defined-outside-init
+            self.uuid = uuid.uuid4()
+
 
 class LocalVM(BaseVM):
     """Base class for all local VMs
@@ -478,6 +500,8 @@
         for domain in self.app.domains:
             if domain == self:
                 continue
+            if getattr(domain, "klass") == "RemoteVM":
+                continue
             for device_collection in domain.devices.values():
                 for assignment in device_collection.get_assigned_devices(
                     required_only