Add QWT support

[omeg]

QubesOS/qubes-issues#1861

[marmarek]

This isn't a full review yet, but I think I captured main point here already.

[marmarek]

Better not hardcode the path here. Especially, it's convenient to install the RPC files in /usr/local/etc/qubes-rpc in a specific AppVM.
You can use $(dirname "$0") to find the directory.

Similar comment to all the other services too.

[omeg]

Done.

[marmarek]

Why extra cat?

Suggested change

	shell_call "${DISPVM}" "cat ~/win-build.iso" | cat > "${OUTPUT}"
	shell_call "${DISPVM}" "cat ~/win-build.iso" > "${OUTPUT}"

[omeg]

Done.

[marmarek]

If starting dvm fails, this will fail too (UnboundLocalError: cannot access local variable 'dvm' where it is not associated with a value). Either move starting dvm before the try part, or initialize the variable early (with None?) and check for it here.
But also, it looks like the dvm start can be moved much later? Currently it's at the start of the build, but it's used only after the build - so, if you move it later, you can save starting it in case of build failure.

[omeg]

Done.

[marmarek]

Missing policy for the timestamp service

[omeg]

Done.

[marmarek]

Generally for builder-specific services we use qubesbuilder. prefix.

[omeg]

Done.

[marmarek]

To support building in DispVM, this should be able to create and start new DispVM first and kill it at the end.
It does mean fresh DispVM for each component - is that a problem? In other words - are there some hidden assumption about reusing the same VM (like, depending on some files being present from previous build)?

For development builds it probably make sense to retain option to reuse the same VM over and over, so the DispVM case can be under some config option.

[omeg]

I think it can be a DispVM all the time, for development I usually just do local builds without the builder.

[marmarek]

It should be possible to use qubes-builderv2 outside of Qubes VM too. It doesn't need to support building Windows code there, but it shouldn't crash on ImportError. I think there need to be try / except ImportError somewhere, that will catch it nicely. I have an idea where - see separate comment.

[marmarek]

You can catch ImportError here, and set some variable like windows_executor_available = False

[marmarek]

And here throw an exception if windows_executor_available is false.

[marmarek]

And similarly this (and the qubesadmin imports above) can be problematic. It wants either some wrapping here (and raise an exception early in run if qubesadmin is not available), or changing PluginManager so that plugin import error is not fatal. IMO the first option is better if wouldn't clutter the code too much.

[marmarek]

FWIW several CI tests that are unrelated to QWT fail due to importing qubesadmin. That could be a good check if it works as expected - tests not related to QWT should pass even if qubesadmin cannot be imported.

[omeg]

I removed the qubesadmin dependency.

[marmarek]

It has conflicts now... @fepitre in the meantime added most of the cross-distribution dependencies that will be needed for building iso+rpm (remaining part is in #185, but that shouldn't conflict anymore, I hope).

[codecov]

Codecov Report

Attention: Patch coverage is 34.53510% with 345 lines in your changes missing coverage. Please review.

Project coverage is 74.79%. Comparing base (1987baa) to head (4916714).
Report is 54 commits behind head on main.

Files with missing lines	Patch %	Lines
qubesbuilder/plugins/build_windows/__init__.py	21.93%	153 Missing ⚠️
qubesbuilder/executors/windows.py	22.60%	89 Missing ⚠️
qubesbuilder/executors/qubes.py	44.31%	49 Missing ⚠️
qubesbuilder/plugins/source_windows/__init__.py	42.10%	22 Missing ⚠️
qubesbuilder/executors/qrexec.py	70.68%	17 Missing ⚠️
qubesbuilder/plugins/__init__.py	46.15%	7 Missing ⚠️
qubesbuilder/config.py	33.33%	4 Missing ⚠️
qubesbuilder/distribution.py	60.00%	4 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #181      +/-   ##
==========================================
- Coverage   78.74%   74.79%   -3.95%     
==========================================
  Files          47       51       +4     
  Lines        5388     5865     +477     
==========================================
+ Hits         4243     4387     +144     
- Misses       1145     1478     +333     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[marmarek]

Can you squash the fixup commits (just do git rebase -i --autosquash)

[tlaurion]

Amazing work @omeg ! Can't wait to test testing packages. Also really interesting piece of work in terms of complex qubes-builderv2 for a learner. Thanks!

[marmarek]

I reviewed this as of 5f3210a, and generally looks good, I'll re-test it again and if all good should be good for merging. There are a couple of TODO comments - are planning to handle them now, or leave for later (I'm fine with either)?

[omeg]

I reviewed this as of 5f3210a, and generally looks good, I'll re-test it again and if all good should be good for merging. There are a couple of TODO comments - are planning to handle them now, or leave for later (I'm fine with either)?

I think we can merge, the remaining TODOs are minor improvements that don't impact functionality.

[marmarek]

With this version, using window-ssh executor I needed to attach EWDK myself. I think it was done automatically before. Since the lifetime of this VM is outside of the builder control (right?) this step needs to be documented. In theory it's one time thing (persistent attach), but the loop device needs to be re-created after each work-qubesos VM restart (or added to rc.local...). But if it can be automated, even better.

[marmarek]

Suggested change

	DISPVM=$(qrexec_call "$dispvm_template" admin.vm.CreateDisposable)
	DISPVM=$(qrexec_call "dom0" admin.vm.CreateDisposable)

Doing the call to dom0 makes it use default_dispvm, so you can save one call. And admin.vm.property.Get in the policy.

[omeg]

Done.

[marmarek]

Suggested change

	. "$(dirname "$0")/qubes.WinSign.common"
	. "$(dirname "$0")/qubesbuilder.WinSign.common"

[omeg]

Done.

[marmarek]

This appears to be unused.

[omeg]

Removed.

[marmarek]

Missing policy for qubesbuilder.WinFileCopyIn and qubesbuilder.WinFileCopyOut

[omeg]

Added.

[marmarek]

I'd suggest for windows adding --ignore-symlinks, or ignore them at the receiver side. At least for me it choked on them (I did have some in one of the repos).

[omeg]

Done.

[marmarek]

you added the parameter, but it isn't actually used in the command...

[omeg]

Oops, fixed.

[marmarek]

Kill on a DispVM implicitly remove it already. In practice this one is harmless, but results in a warning, as the target VM doesn't exist at this point anymore.

[omeg]

The dispvm is created in a stopped state (to attach EWDK) so Kill doesn't do anything if there's some error during this phase. I guess I can only call Remove if Kill fails...

[marmarek]

I see. Yes, doing Remove if Kill fails with QubesVMNotStartedError (or maybe simply any error) is a good idea.

[omeg]

Improved dispvm removal.

[omeg]

With this version, using window-ssh executor I needed to attach EWDK myself. I think it was done automatically before. Since the lifetime of this VM is outside of the builder control (right?) this step needs to be documented. In theory it's one time thing (persistent attach), but the loop device needs to be re-created after each work-qubesos VM restart (or added to rc.local...). But if it can be automated, even better.

I followed @fepitre suggestion that in the SSH case the Windows worker could be any (even non-Qubes) Windows machine. Maybe I should add a config option to auto attach EWDK in the common (Qubes VM) case?

[omeg]

Or even better, try to attach EWDK if the current ewdk path option is specified.

[omeg]

I've added ssh-vm parameter in the config that, if set, will cause the SSH executor to auto-start the vm and auto-attach EWDK to it. If the parameter is not present, it's assumed all configuration was done manually.

[marmarek]

Suggested change

	if ! OPTS=$(getopt -o hi:o: --long help,iso,output: -n "$0" -- "$@"); then
	if ! OPTS=$(getopt -o hi:o: --long help,iso:,output: -n "$0" -- "$@"); then

[omeg]

Done.

[marmarek]

and also this sometimes needs sudo (if there are no free devices and one needs to be created)

[omeg]

Fixed.