otter cli: Rename --ssh-proxy-command option

This is shorter and more consistent.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

apitest: Provide OTTER_APITEST_START_DIR

Nothing uses this yet, nor, it appears, is going to, but it may come
in useful in the future, so let's keep it.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

Makefile, ssh proxy: Install a symlink

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

otter cli: Shut down CookedStdout before bundle data

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

otter cli: Shut down CookedStdout before proxying responses

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

otter cli: Tiny fixes to stdout handling

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

otter: Introduce SubCommandSubArgs

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

otter cli: Completely redo stdout handling

Replace all println.  Use a common stdout buffer for everything.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

otter cli: Switch to CookedStdout for set-link

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

otter cli: Switch to CookedStdout for list-ssh-keys

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

otter cli: mgmtchannel proxy needs to exit on server conn eof

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

otter cli: Switch to RawStdout for mgmtchannel proxy stdout

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

otter cli: Use copy_interactive for mgmtchannel proxy

Fixes a buffering-induced deadlock.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

otter cli: Switch to CookedStdout for arg parsing

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

otter cli: Switch to RawStdout for bundle download to stdout

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

utils: Provide CookedStdout, buffered and with die on flush fail

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

utils: Provide RawStdout and the associated SigPipeWriter

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

utils: Provide io_copy_interactive

stdlib io::copy insists on buffering.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

debugreader: Make generic over D

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

mgmtchannel: Insist that client connections are Debug

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

otter cli: Do not SelectAccount when we are mgmtchannel-proxy

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

otter cli: Break out connect_chan

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

mgmtchannel: Tiny error message improvement

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

cmdlistener: Rework main loop error handling

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

cmdlistener: Display account in log messages

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

ssh: Forbid SetRestrictedSshScope after SelectAccount

SelectAccount generates an Authorisation in the stream state.  We
don't want to preserve that after we drop privs.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

Slight error message tweaks

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

otter cli: Implement remote ssh connection

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

config: Break out some variables etc.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

otter cli: Rename SL::Socket from a daft long name

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

otter cli: Prep for new kind of server connection

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

otter cli: provide set-list-keys

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

otter cli: provide set-ssh-keys

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

otter cli: Provide mgmtchannel-proxy subcommand

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

utils: error end_process: Do not print duplicate messages

Sometimes we use thiserror to put {0} of an inner error in our Display
impl.  If that happens, just skip the repetition.

This is a slight bodge.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

mgmtchannel: Improve Display of MgmtChannelReadError

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

Break out end_process ext method on anyhow::Error

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

Rework hex parsing

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

mgmtchannels: Make ClientMgmtChannel's read be Send too

We are about to need this

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

sshkeys: Provide more traits for our types

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

sshkeys: Make KeySpec fields pub (!)

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

sshkeys: Make MgmtKeyReport fields pub (!)

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

sshkeys: Change authorized_keys command to what we are going to impl

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

Provide parsing for sshkey::Id and Nonce and so on

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

childio: Rename STATUS_1 from vague name

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

childio: Add some dbgs to tests

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

childio: Add a test case to simulate the Linux kernel race

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

childio: When getting EOF when reading, wait blockingly for child

The t_false read test was flaky.  It would sometimes panic at the
"unwrap_err".

This is because on Linux we can get EOF on a pipe which is being
closed by the kernel as a result of process termination, and then
still find that wait4 returns 0 meaning the child cannot be reaped.

I think this is quite undesirable, and I regard it as a kernel bug.
It is certainly untraditional.  For example, it is conventional for a
process that is coredumpting to finish dumping core before its fds
show up as closed.

However, the spec I have here does not appear to give a clear
guarentee that this sequence of events is impossible.  And whatever,
we have to live with it.  Bah.

In our situation we can generally expect that it is sensible to assume
that EOF means the child is in the process of exiting, and to reap it
blockingly.

Emprically I can no longer reproduce the race now.

The sequence of events as seen from the parent looks like this:

  pipe2([5, 6], O_CLOEXEC)                = 0

This is the stdin pipe.  We don't use it in this test.

  pipe2([7, 8], O_CLOEXEC)                = 0

This is the stdout pipe for the child.

I have verified in another strace that these descriptors are right,
since the post-fork child does this:
  23597 dup2(5, 0)                        = 0
  23597 dup2(8, 1)                        = 1

So, continuing with the parent:

  prlimit64(0, RLIMIT_NOFILE, NULL, {rlim_cur=1024, rlim_max=4*1024}) = 0
  prlimit64(0, RLIMIT_NOFILE, NULL, {rlim_cur=1024, rlim_max=4*1024}) = 0
  prlimit64(0, RLIMIT_NOFILE, NULL, {rlim_cur=1024, rlim_max=4*1024}) = 0
  prlimit64(0, RLIMIT_NOFILE, NULL, {rlim_cur=1024, rlim_max=4*1024}) = 0
  mmap(NULL, 36864, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f14d9a56000
  rt_sigprocmask(SIG_BLOCK, ~[], [], 8)   = 0

  clone(child_stack=0x7f14d9a5eff0, flags=CLONE_VM|CLONE_VFORK|SIGCHLD) = 12678

Here we fork.  The child runs in parallel, and is going to exit.

  munmap(0x7f14d9a56000, 36864)           = 0
  rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
  close(5)                                = 0
  close(8)                                = 0

We close our copies of the child's ends of the pipes.

  read(7, "", 10)                         = 0

We read EOF from the child's stdout.

  write(2, "[src/childio.rs:103] self.rw.rea"..., 45) = 45

This is a dbg print I put in.

  wait4(12678, 0x7fff03c3d16c, WNOHANG, NULL) = 0

Here wait4 returns 0 meaning "child has not terminated".

  write(2, "[src/childio.rs:36] self.child.l"..., 64) = 64

  write(2, "[", 1)                        = 1
  write(2, "src/childio.rs", 14)          = 14
  write(2, ":", 1)                        = 1
  write(2, "209", 3)                      = 3
  write(2, "] ", 2)                       = 2

Again some dbg print.

  --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=12678, si_uid=1001, si_status=1, si_utime=0, si_stime=0} ---

Finally we get a signal about the child but it is too late.

  write(2, "r.read(&mut buf)", 16)        = 16
  write(2, " = ", 3)                      = 3
  write(2, "Ok", 2)                       = 2
  write(2, "(\n", 2)                      = 2
  write(2, "    ", 4)                     = 4
  write(2, "0", 1)                        = 1
  write(2, ",\n", 2)                      = 2
  write(2, ")", 1)                        = 1
  write(2, "\n", 1)                       = 1

Another dbg print.

  write(2, "thread '", 8)                 = 8
  write(2, "main", 4)                     = 4
  write(2, "' panicked at '", 15)         = 15
  write(2, "called `Result::unwrap_err()` on"..., 50) = 50

And here we are panicking.

(NB that source code line numbers here and debug output are different
because this strace was not made with the exact code you find in this
commit's parent.)

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

childio: Break out assert_is_status_1

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

packetframe: Provide methods for (partial) disassembly

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

mgmtchannels: Change type of ClientMgmtChannel

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

mgmtchannels: Break out new()

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

mgmtchannels: Genericise again

Client wants to be Box<dyn Read> etc. so it can be ssh pipes.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

timefd: Make Timed a trait

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

childio: tests: Properly indent mod test

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

childio: t_cat: Test leak

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

childio: Fix spurious error from leak drop when SIGTERMed

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

childio: tests: Test leaked false

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

childio: tests: Break out ENDING

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

childio: tests: Provide warning capture machinery

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

childio: tests: refactoring

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

childio: t_false: use type aliases

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

childio: t_false: break out setup

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

childio: Some type aliases

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

childio: t_false test case, test writing

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

childio: t_false test case, introduce one()

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

childio: test cases

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

childio: new facility, will be used for ssh child

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

sshkeys: Make MgktKeyReport contain Nonce via KeySpec

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

sshkeys: Provide MC::ThisConnAuthBy

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

sshkeys: Rename MR::SshKeyAdded

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

authproofs: Rename methods with proof obligation to "promise"

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

sshkeys: Introduce KeySpec

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

sshkeys: Add key management commands

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

sshkeys: Add AccountScope and AuthState variants

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

cmdlistener: Make space AuthState::Ssh variant

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

sshkeys: Fix Authorisation handling etc. in PerScope.check()

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

cmdlistener: Pass AccountsGuard into authorise_scope_*

ssh key check is going to need it.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

authproofs: Add some inline annotations

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

cmdlistener: authorise_by_account

Do not re-authorise the account.  Instead, check what we got from
previous SelectAccount.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

authproofs: Make map generic rather than taking fn

This will lets us feed context into the mapper.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

sshkeys: Fix name of sshkeys_remove

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

sshkeys: Notes about checking for non-ssh: accounts

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

sshkeys: Make the access/update functions take an Authorisation

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

cmdlistener: Tidy up MC::SetSuperusr slightly

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

sshkeys: Rework calling conventions of sshkeys

We can't pass this &mut AccountsGuard and &mut PerScope since the
latter is inside the former.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

sshkeys: Make module sub-module of accounts

This will let it deal with the data structures directly.

This is good because it avoids lifetime problems with borrowing the
whole of Accounts and it is OK because sshkeys takes care over save
orderig, etc.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

sshkeys: Make methods methods on AccountsGuard

More global things first seems best.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

sshkeys: module for trackng auth keys, still unfinished

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

utils: Break out format_by_fmt_hex

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

config: Rename in_libexec and reformat

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

config: Break out libexec closure

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

Add openssh-keys as a dependency, prep for ssh key auth

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

accounts: Break out pct closure

We're going to want to reuse it.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

authorisation: Move euid info into AuthState

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

authorisation: Introduce AuthState

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

ConnectionEuidDiscoverError: Fix typo in type name

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

CHANGELOG: Start a new section

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

docs: Expand on penultima game description

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

docs/bundles.rst: fix typos and copy-paste-os.

Signed-off-by: Simon Tatham <anakin@pobox.com>