Closed Bug 178806 Opened 22 years ago Closed 15 years ago

provide IPC mechanism for profile sharing, etc.

Categories

(Core :: IPC, enhancement)

Product:
Core
Component:
IPC
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: darin.moz, Unassigned)

References

Details

(Keywords: topembed+, Whiteboard: [adt2] [ETA: June 12, 2003])

Attachments

(5 files, 1 obsolete file)

response to timeless (comment #4)
(deleted), text/plain
Details
response to timeless (comment #6)
(deleted), text/plain
Details
patch for allmakefiles.sh and Makefile.in
(deleted), patch
Details | Diff | Splinter Review
review comments from brendan
(deleted), text/html
Details
[beos] updated patch to fix Deskbar issue
(deleted), application/zip
Details 
provide IPC mechanism for profile sharing, etc.

the requirement in a nutshell is to provide an out-of-process daemon and
messaging system.  client applications can connect to the daemon and send
messages to particular "daemon modules" identified by UUID.  daemon modules can
send messages to any client connected to the daemon.  clients may have several
message handlers, each identified by UUID.  hence, messages from the client
contain the UUID of the target module, and messages from the module contain the
UUID of the target message handler for a given client.

the daemon must support plug-in modules.  this requirement is meant to allow PSM
the option to implement a module that would host a shared cert database, for
example.

the daemon can also provide a mechanism for client discovery.  this may be
accomplished by allowing clients to register themselves under common names.  the
daemon can then be used "like a DNS server" to resolve a name like "browser"
into the client ID (the "address") of the client registered under that name.

the daemon can then also provide a simple mechanism for forwarding messages from
one client to another.  for example, a "browser" app might request something
from the "addressbook" app and vice versa.  this forwarding mechanism also makes
possible a form of d-xpcom (which dougt has prototyped).

lastly, this IPC mechanism should not get in the way of mozilla doing its normal
thing.  if the IPC mechanism should fail for whatever reason, it must not bring
down the rest of mozilla! ;-)

so, i've been developing this "patch" on the trunk under modules/ipc (not pulled
by default), but the plan is ultimately to move it out of modules/ since that is
a deprecated part of the tree.  mozilla/ipc may become its new home.

please check out the code in modules/ipc, and let me know what you think.
oh, i forgot to mention: i've tested the code under rh7.3, rh8.0, win2k, and
osx10.1.5 (mach-o).  the windows impl uses WM_COPYDATA messages, and the others
use TCP/UNIX sockets (leveraging necko heavily).  the windows impl introduces a
new thread for the hidden window's message pump (in order to not block the main
thread when sending/receiving messages).
Severity: normal → major
Status: NEW → ASSIGNED
Keywords: mozilla1.3, topembed
Priority: -- → P1
Target Milestone: --- → mozilla1.3alpha
Blocks: 135137
Marking as topembed+ per EDT triage, as this is needed for GRE, and desired by a
major embedding customer.
Keywords: topembedtopembed+
Whiteboard: [adt2] [ETA Needed]
Target Milestone: mozilla1.3alpha → mozilla1.3beta
Blocks: 185706
looks fine.  r=dougt.
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/ipc/build/Makefile.in&rev=1.2&mark=49,50,53#45
i don't think a module should ever need to require itself.

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/ipc/build/ipcCID.h&rev=1.1&mark=44#41
here's a quick survey:
[timeless@viper mozilla-1.3a]$ ./run-mozilla.sh ./xpcshell
js> const C=Components.classes,I=Components.interfaces;
js> b=0; for (a in C) if (/\/service/.test(a)) ++b;
6
js> b=0; for (a in C) if (/-service/.test(a)) ++b;
39
js> b=0; for (a in C) if (/[^-\/]service/.test(a)) ++b;
30
- is the most common, / is very rare. (no delim is more common.) please use -.

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/ipc/build/ipcModule.cpp&rev=1.5&mark=52,85,101,102,104-105
please either remove the code or make it so that it could be consistently
flipped on, right now changing from #if 0 to #if 1 and then removing the /* and
*/ would result in compile errors. At the very least remove the /**/ notation.

as directories go, /common/ doesn't match *any* convention present in the
mozilla tree.

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/ipc/common/ipcConfig.h&rev=1.8&mark=72#68
is this absolutely safe? what happens if user timely creates /tmp/.mozilla-ipc
and then user timeless tries to use a mozilla-ipc app? can timely prevent
timeless's app from working or otherwise interfere?

Is there any serious documentation which explains why these classes exist as
they do? I'd like to know why we need the string classes you're creating, we
already have a bunch of datastructures in xpcom including a deque, some arrays
with deletion/insertion capabilities.

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/ipc/common/ipcStringList.h&rev=1.3&mark=64#62
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/ipc/common/ipcMessage.h&rev=1.4&mark=177#176
that's a great comment, could someone please flesh it out?

http://lxr.mozilla.org/mozilla/source/modules/ipc/common/ipcLog.cpp
there's no os/2 impl (mkaply), and there's no macos impl, and who else did you
miss? please give those people a heads up before you break them.

sys/types.h, are you sure there isn't a configure test that looks for this? (cls)
> do any of these files ever live in interesting places:
> sys/types.h, sys/stat.h, unistd.h, fnctl.h, signal.h?
<cls> sometimes they don't exist at all
<cls> fcntl.h & signal.h in particular (and sometimes you want sys/signal.h)

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/ipc/common/ipcMessage.h&rev=1.4&mark=114-115#112
I don't think you mean what you wrote. I think 'only' should be dropped.

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/ipc/common/ipcMessagePrimitives.cpp&rev=1.2&mark=45#40
should this be PRInt32?

unsigned int + 2 > max unsigned int 
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/ipc/common/ipcIDList.cpp&rev=1.1&mark=48,54,61
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/ipc/common/ipcList.h&rev=1.2&mark=61-62,82,162,169
<and many others>
don't use NULL. use nsnull or 0.

ipcMessage::Clone() and ipcMessage::ipcMessage(const ipcMessage&)
1. you don't declare the later illegal which means someone could mess up and use it.
2. Clone isn't virtual, so why not just change Clone() to be a copy constructor
and do things that way?

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/ipc/common/ipcList.h&rev=1.2&mark=66-68,77-79,91-93,102-104,111-113,124-126,136-138,148-150
<and many others>
please use doxygen friendly /**\n * comments\n */

please use doxygen friendly @param and @return and ...

 52 // XXX ipcMessageCast is probably not the best name for this class.
hrm, this class looks like syntactic sugar. 

IPCM_MSG_TYPE_CLIENT_DEL_TARGET
there's no documentation for this.

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/ipc/common/ipcm.h&rev=1.9&mark=270,254,272
there are typos/minor errors in the documentation

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/ipc/daemon/Makefile.in&rev=1.7&mark=56,58-59#55
this doesn't scale nicely for OS/2 and Mac ...

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/ipc/daemon/Makefile.in&rev=1.7&mark=78#75
why don't you link against the version in common?

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/ipc/daemon/ipcCommandModule.cpp&rev=1.18&mark=68,74,75#59
your calloc could be a malloc w/ a null assignment for str[count] on line 75

http://lxr.mozilla.org/mozilla/source/modules/ipc/daemon/ipcModule.h
should struct ipcDaemonMethods be extern C? ah, it can't be. the only change
required would be from nsID& to nsID*.

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/ipc/daemon/ipcModuleReg.h&rev=1.6&mark=44-45#43
so, if i call IPC_InitModuleReg, IPC_ShutdownModuleReg, IPC_InitModuleReg,
IPC_ShutdownModuleReg, then i can't call IPC_InitModuleReg again? :)

If you want to allow that next call, then something like this would work:
IPC_InitModuleReg can not be called more than once before calling
IPC_ShutdownModuleReg.

http://lxr.mozilla.org/mozilla/source/modules/ipc/daemon/ipcModuleUtil.h
<and others>
Don't use PR_ASSERT. you require XPCOM, so use NS_ASSERTION.

 64 PRStatus
 65 IPC_SendMsg(ipcClient *client, ipcMessage *msg)
 75         delete msg;
This transfer of ownership worries me, it is documented, but i don't think it's
a good idea. is there some real benefit to capturing ownership on success? why
not always leave it to the caller?

104     // we use fcntl for locking.  assumption: filesystem should be local.
you can't make these assumptions. and again /tmp seems evil.

123     // write our PID into the lock file (this just seems like a good idea...
124     // no real purpose otherwise).
instead of reinventing locking, why don't you use the profile lock code? it
should live in xpcom, if it doesn't then you can file a bug and get that fixed.

http://lxr.mozilla.org/mozilla/source/modules/ipc/daemon/ipcdUnix.cpp
402     listenFD = PR_OpenTCPSocket(PR_AF_LOCAL);
403     if (!listenFD) {
404         LOG(("PR_OpenUDPSocket failed [%d]\n", PR_GetError()));
right... fix the message :)

i was pretty sure that we wanted files to have modelines to help editors out.
the file i'm looking at doesn't ...

There once was a generic ban on adding templates randomly.  you've added this
stringlist template which imo could have been handled by a simple base class.  
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/ipc/common/ipcList.h&rev=1.2&mark=47-51
is a contract which your template doesn't actually enforce but which could
_easily_ have been enforced by a baseclass.

Please have scc or someone take a _serious_ look at this module before you land
it somewhere proper.

more later.
--
concerns, what prevents user timely from sending data to a mozilla-ipc process
timeless is running? (w32, unix)

as for directory names, mozilla/geckoipc seems reasonable, and something can be
done like this for the contracts too. this ipc is designed for ipc w/in mozilla
clients not ipc w/ the rest of the os, and i'd like to reserve
@mozilla.org/ipc-* for that.
Attached file response to timeless (comment #4) (deleted) — 

    
    

    
  
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/ipc/src/ipcService.cpp&rev=1.18&mark=202,366,378#179

the callee will complain about null. in almost all other instances you avoid
calling it w/ null.

in the second instance you could and probably should return outofmemory

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/ipc/src/ipcService.cpp&rev=1.18&mark=297-299,323-325,#296
you crash if the query creation fails


http://lxr.mozilla.org/mozilla/source/modules/ipc/src/ipcSocketProviderUnix.cpp&rev=1.4&mark=42#41
traditionally nspr yells and screams when people use nspr private methods... (wtc)

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/ipc/src/ipcTransport.cpp&rev=1.13&mark=190-192#189
you could be nice to the processor and skip the math and compare
mConnectionAttemptCount with 6 instead of ms w/ 1000

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/ipc/src/ipcTransport.h&rev=1.9&mark=71,75#68
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/ipc/src/ipcTransport.cpp&rev=1.13&mark=205#204
This looks like NS_IMPL_THREADSAFE_ISUPPORTS1 to me...

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/ipc/src/ipcTransportUnix.cpp&rev=1.8&mark=145,146#135
the sent hello assignment is optimistic and will be incorrect if the new fails.

theoretical nit, a box could run ipv6 w/o ipv4. or someone could be using
browser+mail w/o any version of ip...

minor perf warning, PR_GetEnv can be expensive on some platforms, and since its
value shouldn't change you might want to consider caching it (static)

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/ipc/src/ipcTransportWin.cpp&rev=1.9&mark=123,126
you crash if new fails

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/ipc/src/ipcTransportWin.cpp&rev=1.9&mark=263
you aren't supposed to do explicit comparisons w/ PRBools. use if (foo) or if (!foo)

-- more later, i'm catching a bus to toledo and then i'm traveling until  late
tomorrow. i'll get the last dirs next week. (i skimmed your responses just now
but am out of time)

    
    

    
  

      
      
      
      

        Attached file
          
        response to timeless (comment #6) (deleted)
        — 
      

    


  

    
    

    
  
nevermind my comment about using a randomly generated directory in /tmp... other
processes need to be able to locate the directory, so it must have a well known
location.

    
    

    
  
Darin: will there be steps I can use to verify this when it is implemented, or
should I get an API tester for this bug?

    
    

    
  
it might be good to have an API tester look at this.  there won't be any
application to test (other than the TestIPC application).

    
  
QA Contact: benc → depstein

    
  
QA Contact: depstein → ashishbhatt

    
    

    
  
1.4 is the big embedding milestone.  hoping to finalize the ipc module by 1.4 alpha.
Keywords: mozilla1.3
Target Milestone: mozilla1.3beta → mozilla1.4alpha

    
    

    
  


  
you'll need to set MOZ_IPC=1 as an environment variable before building.

    
    

    
  
latest bits now reside on the branch "IPC_BRANCH_20030304" and live under
mozilla/ipc/ipcd/.  this directory structure was approved by brendan.  there's
now an extensions directory that currently just contains a lock service.  we
will be adding the transaction manager component as an extension.

    
  
Target Milestone: mozilla1.4alpha → mozilla1.4beta

    
  
Severity: major → enhancement

    
    

    
  

      
      
      
      

        Attached file
          
        review comments from brendan (deleted)
        — 
      

    


  

    
    

    
  
it seems we need special implementation if it for BeOS or disabling all related
things by default.
Maybe it should be based on BMessages, not on sockets

    
    

    
  
should this be marked fixed now?

    
    

    
  
saari: no, because i still need to work in brendan's review comments and
finally, i need to land the IPC service on the trunk.  it currently just lives
on a branch, and that is what the trunk is pulling.  i'd like to keep this bug
open to finish up the nitty gritty.

    
    

    
  
I need to figure out what to do on OpenVMS. We don't have local (UNIX domain)
sockets. If I need to replace the use of local sockets with something else, what
is the set of routines I need to implement?

    
    

    
  
colin: you would need to implement ipcTransport for VMS.  please see
ipcTransportUnix and ipcTransportWin for examples.  in the meantime, we should
probably disable profilesharing for VMS builds.

    
    

    
  
Disabling it in configure.in for VMS, along with the platforms without
implementations, would probably be bug 204177.

    
    

    
  
Colin Blake wrote:
> I need to figure out what to do on OpenVMS. We don't have local (UNIX domain)
> sockets. If I need to replace the use of local sockets with something else, 
> what is the set of routines I need to implement?

Maybe the best solution would be to use libICE (which should be preferred on X11
platforms in general over the home-grown code which is currently be used for
Mozilla IPC) ...
Component: Networking → IPC

    
    

    
  
Is there any interest in an ICE solution for X11 platforms? Or should I just
make the existing UNIX code use regular sockets for OpenVMS (daemon could write
address and port into the lock file, clients can connect using the information
they read from the lock file)?

    
    

    
  
colin: that sounds like a great plan.  the only issue is that be sure to verify
that the existing ownership checks on the lock file are kept in place.  it is
crucial that the lock file be owned by the user and be accessible only be the
user.  of course, i think you still would have a security hole if someone were
doing port scanning.  the problem being that any process owned by any user could
technically connect to the TCP port.  you could of course limit access to only
those users with a local account, but that doesn't prevent the port scanning
exploit.  basically, this is the reason why i didn't just use TCP/IP under windows.

    
    

    
  
Sorry for jumping uninvited and without looking at the code, but if the windows
implementation is using the WM_COPYDATA, then there might be a problem when
using the IPC with the windows XP fast user switching feature.

When fast user switcing is used FindWindow can not find the mozilla window only
which was opened for another user. This will imply that a deamon will be run for
each user, which is not what I think of as a deamon.

IMHO a better implementation for XP will be to use named pipes.

    
    

    
  
re: comment 24
To prevent port scanning the daemon could write a random number along with the
address and port into the lock file. Then when a client connects it has to first
send the random number, and if the daemon doesn't receive this, then it
disconnects. As long as the lock file is owned by the correct user and protected
accordingly, only that user will be able to successfully communicate with the
daemon. Getting a little kludgy, isn't it. I wish OpenVMS has named pipes. We do
have other IPC mechanisms on OpenVMS, but I was hoping to get by with as little
change as possible.

    
    

    
  
colin: yeah, that sounds like it would basically work.

    
    

    
  
Mark: there is meant to be exactly one daemon per user.  this corresponds nicely
with the fact that the user's mozilla profile is typically stored under
"Documents And Settings\%USERNAME%\Application Data\Mozilla\..."

    
  
Target Milestone: mozilla1.4beta → mozilla1.4final

    
    

    
  
I need to understand profile sharing a little better than I currently do. Darin,
over in bug 205765 you say:

"My assumption was that profile sharing would simply not be a feature available
on the ports until sometime later.  Anyways, it will not be used by Mozilla
until some distant milestone.  As is, it is just a feature of the GRE that may
find a home in some embedding applications in the future."

I thought the current plan was to break "Mozilla the suite" into "Mozilla the
components" in 1.5. And when that happens, if I want to run Moz Mail and Moz
Browser together then won't I NEED profile sharing? This hardly makes profile
sharing a feature that can wait "until sometime later".

Or am I misunderstanding what profile sharing is and how it will be used?

    
    

    
  
Darin, is comment 26 something that some other (currently without a profile
sharing solution) platforms could use? Everyone has IP sockets and files, right?
Could it be generic enough to be the default implementation for platforms which
don't have something better? If so, is this something you could code up quickly?
You could certainly do it a lot quicker than me!

    
    

    
  
colin:

so, actually a lot of things about mozilla 1.5 remain up in the air.  as i
understand it, browser and mail could end up being completely separate apps with
completely separate profiles (in the beginning).  this is the state of things
today.  we've been thinking that profile sharing would be important for those
two apps since it would enable sharing of wallet data, certs, and other things
that may be important to both mail and browser.  but, for the most part, it is
possible for 1.5 to not use profile sharing.  of course, there will be loss of
usability relative to 1.4, but that might be a reasonable tradeoff given the
complexity of the transition.  also, 1.5 is going to be a longer than usual
development cycle because of all the scary changes happening.  so, i think i'm
correct in saying that there isn't a huge hurry at the moment to finish off the
IPC service cross-platform.  that said, it is of course a good thing that we get
started sooner than later ;-)

so, as for your thoughts about a general purpose local-TCP/IP solution... i
think that that is probably the right way to go as a third IPC mechanism that
ports may choose to utilize.  like i suspect BeOS probably supports named
pipes.. in which case, it can probably share the XP_UNIX impl.  so, maybe VMS
will be the only platform using this TCP/IP solution.  i'm busy w/ 1.4 final
stuff right now and have a vacation coming up shortly... so maybe we should hash
something out soon.  do you want to take a stab at a patch or i can try to whip
something up for you to test?

    
    

    
  
Darin, its good to hear that profile sharing isn't going to be mandatory (if you
want a good experience) in 1.5. However, as you said, its better to get started
on a solution for OpenVMS sooner rather than later.

Changing the sockets to be INET instead of LOCAL doesn't seem too difficult, the
part that I'm not so sure about is sending/receiving the randon number which
prevents someone from port scanning. If you could give me some pointers as to
where in the code would be best to handle that, it would help a lot.

Also, what happens if the daemon goes away and there are existing clients? Do
these clients detect that the daemon has died and create a new one? What
prevents multiple daemons from coming up in such a situation, is it just the
directory lock? The new scheme will be a little different since there will be a
window whereby the lock file exists but the port/addr/password hasn't been
written to it yet, so the clients will have to spin their wheels until that data
does appear in the file. Any pointers on how to handle this?

    
    

    
  
A few notes, not in any particular order.

* I'm told the BeOS impl is nearly complete.
* a QNX impl should probably be implemented using something specific to QNX
(perhaps qnet, i'd have to refresh my memory)

The windows impl we have bothers me :)
There are cases where a profile could be shared with the wrong user (which the
unix version is supposed to not do for security reasons), and there are a bunch
of cases where profile sharing will fail for me (these are real for me, and do
occur in large installations/institutions).

I thought i had mentioned terminal services here, but i can't find any record
of it. For this i'm sorry. The topic was mentioned elsewhere under fast user-
switching. (comment 25)

Windows NT like other systems (unix/x11) allows you to do the following things:
1. Have multiple displays and desktops which can contact eachother.
2. Have multiple gui sessions which can't contact eachother.
3. Run gui processes as other users.
4. Host a profile on a unc \\server\username\profiledata
--
Netscape4 used EnumWindows to find itself which means that if you had multiple
desktops it wouldn't find itself which would allow you to run multiple
instances of it (each needed a distinct profile). -1

FindWindow which is used by the win IPC impl has the same limitation.
--
Terminal Services and Fast User Switching.

When I use windows 2000 (raistlin), I run a terminal services client on my
laptop (tardis) and then run mozilla in it. I'm also likely to run mozilla on
raistlin. If some version of mozilla supported profile sharing, then i'd expect
my profile to be shared by these two sessions. However there's no common window
so it can't possibly happen. -2

With Windows XP, microsoft is more aggressively pushing terminal services,
mostly under the fast user switching branding.
--
Suppose that a user is running mozilla (timely) and I need to install software
using mozilla. I might runas /user:timeless /profile mozilla (this is possible
from the gui too). My expectation is that Mozilla will load timeless's profile.

However my reading of the ipcdWin code indicates that's not what will happen. -3
--
This last one is a stretch, but not a very big stretch. Suppose that tardis was
configured to login to raistlin and load timeless's profile. An ideal profile
sharing system would let me share the profile between mozilla running as
timeless on raistlin and mozilla running as timeless on tardis. -4
--

Is there a way to implement ipc for windows which doesn't have these
limitations? I think mailslots would actually handle all 4. FWIW, 3 and 4 also
occur on 9x.

    
    

    
  
timeless, is BeOS using named pipes, do you know?

    
    

    
  
>Changing the sockets to be INET instead of LOCAL doesn't seem too difficult, 
>the part that I'm not so sure about is sending/receiving the randon number 
>which prevents someone from port scanning. If you could give me some pointers 
>as to where in the code would be best to handle that, it would help a lot.
>
>Also, what happens if the daemon goes away and there are existing clients? Do
>these clients detect that the daemon has died and create a new one? What
>prevents multiple daemons from coming up in such a situation, is it just the
>directory lock? The new scheme will be a little different since there will be a
>window whereby the lock file exists but the port/addr/password hasn't been
>written to it yet, so the clients will have to spin their wheels until that 
>data does appear in the file. Any pointers on how to handle this?

well, for starters, the directory and lock file are created by the daemon.  in
the case of LOCAL sockets, the daemon also creates the socket (it calls bind).

startup is currently not optimal.  the client will attempt to connect to the
socket, and if that fails it will spawn a daemon process.  the daemon process
uses the lock file to prevent multiple instances of the daemon in case two are
starting up at the same time.  the one that loses the race to acquire the lock
will simply exit.  while the daemon is starting up the client will sleep for 50
milliseconds.  when that interval expires, it will wake up and try to connect
again.  it only attempts to spawn the daemon once, and will keep trying to
establish a connection to the daemon periodically.  at some point it will give
up.  there is no attempt made to restart a crashed daemon or anything like
that.  for users, loss of the daemon is roughly equivalent to loss of the app.

once a daemon is started, it has an initial client reference count of zero.
upon each accepted connection, the daemon increments its client reference
count.  if that count reaches zero, then the daemon will exit.  care is taken
using the lock file to ensure that once the daemon stops accepting connections
that another daemon instance would be able to take its place.

we probably won't have to worry too much about modifying the client polling
since that happens at a higher layer.  most of the code we'll care about
modifying is in ipcSocketProviderUnix.cpp (not sure yet if we want to create a
new file for this or just #ifdef the existing one).  finally, there is code in
daemon/src/ipcdUnix.cpp that we will need to modify.

one big thing to keep in mind.  to avoid a race condition in the multiple
daemon problem, we currently never delete the lock file.  (we depend on the
typical /tmp cleanup cron jobs that exist on most systems; most linux distros
anyways.)  this is not exactly optimal, but it greatly simplifies the locking,
and it seems to be the norm for many applications on my linux box anyways.
anyhow, because of this, you probably don't want to store the port number and
secret key in the lock file.  instead, you probably want to store it in a
separate file next to the lock file.  before shutting down, the daemon should
probably clear this file.  i think it should be able to do that before
releasing the lock.  if we crash, however, we might end up leaving around stale
info.  that would be bad since if another process were running on that port,
we'd potentially send out the secret to the wrong process.  we could help
minimize that by requiring the daemon to send a secret as well or something
like that.  i still need to think it over some more.

darin

    
    

    
  
timeless:

>* I'm told the BeOS impl is nearly complete.

great!


>* a QNX impl should probably be implemented using something specific to QNX
>(perhaps qnet, i'd have to refresh my memory)

why?  surely it supports at least TCP/IP, in which case it can share the impl
we are developing for OpenVMS.


>The windows impl we have bothers me :)
>There are cases where a profile could be shared with the wrong user (which the
>unix version is supposed to not do for security reasons), and there are a bunch
>of cases where profile sharing will fail for me (these are real for me, and do
>occur in large installations/institutions).
>
>I thought i had mentioned terminal services here, but i can't find any record
>of it. For this i'm sorry. The topic was mentioned elsewhere under fast user-
>switching. (comment 25)
>
>Windows NT like other systems (unix/x11) allows you to do the following things:
>1. Have multiple displays and desktops which can contact eachother.
>2. Have multiple gui sessions which can't contact eachother.
>3. Run gui processes as other users.
>4. Host a profile on a unc \\server\username\profiledata
>--
>Netscape4 used EnumWindows to find itself which means that if you had multiple
>desktops it wouldn't find itself which would allow you to run multiple
>instances of it (each needed a distinct profile). -1
>
>FindWindow which is used by the win IPC impl has the same limitation.
>--
>Terminal Services and Fast User Switching.
>
>When I use windows 2000 (raistlin), I run a terminal services client on my
>laptop (tardis) and then run mozilla in it. I'm also likely to run mozilla on
>raistlin. If some version of mozilla supported profile sharing, then i'd expect
>my profile to be shared by these two sessions. However there's no common window
>so it can't possibly happen. -2

the "profile sharing" feature, despite its name, is not meant to allow two
instances of the same application access to the same profile instance.  it is
meant to support a suite of applications (different executables) sharing the
same profile data.  e.g, standalone mail and browser.  the problem with
multiple instances of the same product is that the profile will actually be
partitioned into shared content and app specific content.  the app specific
content will contain the non-shared data.  today, that includes everything but
the set of shared prefs.  the profile lock that exists today will be moved into
the per-app directory.  so, what you are trying to do here is still
(unfortunately) going to require a separate profile just as it does today.

way way way in the future when we maybe have everything shared, we might be
in a position to support a fully shared profile.  but that goal is so distant
at this point.


>--
>Suppose that a user is running mozilla (timely) and I need to install software
>using mozilla. I might runas /user:timeless /profile mozilla (this is possible
>from the gui too). My expectation is that Mozilla will load timeless's profile.
>
>However my reading of the ipcdWin code indicates that's not what will happen. -3

hmm... i'm not sure i completely follow your example here.  can you please
spell out the steps more completely.  i don't understand the arguments you
mentioned... or at least i don't get what application would have those
areguments passed to it.  please clarify so i don't misunderstand your point.


>--
>This last one is a stretch, but not a very big stretch. Suppose that tardis was
>configured to login to raistlin and load timeless's profile. An ideal profile
>sharing system would let me share the profile between mozilla running as
>timeless on raistlin and mozilla running as timeless on tardis. -4
>--

yeah, might be nice, but that's not a goal.  we are really mostly concerned
about supporting an app suite run as a whole on one desktop under one user.
that is the primary goal.  i don't have the means to test anything else.  if
you want to implement an alternate IPC solution for windows, then by all means
feel free.  patches are always welcome.

darin

    
    

    
  
The current code for IPC builds under BeOS, but, I am not completely sure on how
to test it, though, I admit, I haven't looked into testing it too much yet, but
I will be soon.  It uses the Unix code for its implementation.

I do have, however, the beginnings of a BeOS implementation based on BMessages,
which, is a LOT simpler than the Unix impl.  I stopped working on it, once
timeless got the Unix code building under BeOS.  I may try to complete it at
somepoint anyway.

    
    

    
  
I see there are some test modules. Do they actually build and work?

    
    

    
  
login as timely (mortal)
run mozilla as timely
suppose java isn't installed, but needs to be, and needs to be done by an admin

runas is like sudo. it lets you run a process as another user. (requires auth)
runas mozilla as timeless (power user) with profile
the expectation is that the mozilla launched at this point would access
the profile of the user which ran it (timeless), not the profile that happens
to be running (timely's).

That should be enough to describe the problem, but unfortunately because of
the fact that the current impl is only for sharing a profile among unlike
applications, i'll have to make one modification:

for some reason timeless runs mozilla-browser first to install something.
timeless doesn't close it.
timely runs mozillamail.
profile sharing kicks in and gives timely access to timeless's mail prefs,
possibly its accounts.

(this depends on how passwords are handled, both by profile sharing and by
timeless - did timeless configure mozilla to know the mail passwords?)

the use of timely/timeless is to make the situation hypothetical.
you could read them as darin/administrator, or darin/root.

as for lack of means, i'll give you a url for switcher so you can at least test
multiple desktops.

about QNX,... well, it depends on the goal. if the goal is as you're describing
it and not as i envision the feature or as it could be in the future, then
it's mostly pointless. QNX6.2 can simply use the domain version, and
anyone else can simply have a profile MDefault for mail and a profile BDefault
for browser and be done with it.

Do you have a list of preferences for which the user gains some benefit when
they're shared between distinct applications?

To me this seems like a very large amount of effort for a very limited and
entirely unknown win. Where's the problem description and where are the design
docs?

--
Colin: I'm told that BeOS is using BMessages.
--

Back to my problem scenarios in windows.

Suppose I have one profile and one account on a terminal server.
suppose i login twice, the first time i run mozillaBrowser
the second time i try to run mozillaMail.

Since i originally configured my profile as owning my mail, i'm now locked out
of my mail for the foreseeable future(probably until 1.8) because we decided to
use profile sharing with this implementation instead of simply forking
unrelated profiles for unrelated applications.

It seems to me that I'd be much happier having a profile for mail and a profile
for browser. And no, your average me doesn't get a choice, profile sharing if
implemented would only show a profile manager dialog after the first profile
data was locked, not when the user first configured mail and browser.

Forking has the additional benefit of not burdenning a Browser with pref data
for a mail client and vice versa. (And it's a great opportunity to discard
unused legacy prefs.)

As for the current code that builds on BeOS, that's supposed to just build
enough so that it can return a failure message if something tried to use it.
I don't think it would actually work.

    
    

    
  
> Do you have a list of preferences for which the user gains some benefit when
> they're shared between distinct applications?
>
> To me this seems like a very large amount of effort for a very limited and
> entirely unknown win. Where's the problem description and where are the design
> docs?

Now we're getting somewhere. 

Startup time is already an issue on most/all platforms. Profile sharing will
adversely affect startup time since we have to fork a daemon, wait for it to
fire up, and then communicate with it. I don't think people are going to want a
slowdown, not unless there's some other huge benefit for them. And at this
point, I don't see it.

Add to that the fact that if the daemon dies then all the apps are toast, and I
think you have a "feature" that no one is going to want.

So tell me again, why do we need this? What are the benefits?

    
    

    
  
You want to use TestIPC to verify that things work.  In a debug build enable the
IPC_LOG_ENABLE environment variable and check the output (against a build from
another unixy platform).

the test code should all work.


>Add to that the fact that if the daemon dies then all the apps are toast, and I
>think you have a "feature" that no one is going to want.

if the app dies, the app is toast.  what's the difference if the daemon is the
one to die?  anyways, the app will continue in some manner... maybe the users
shared settings will either not be persisted or not be accessible in some
manner.  it shouldn't be looked at any differently than if mozilla crashed.  we
don't try to recover from a mozilla crash, right?


>So tell me again, why do we need this? What are the benefits?

please see the documents on profile sharing... IPC is a feature that supports
profile sharing.  in addition it can be used to support remote xpcom, explicit
discovery of other apps on the system under generic names like "browser", "mail"
or "addrbook".  it helps solve a lot of problems that i anticipate will come up
once the moz apps are split up.  the profile sharing docs are here:

http://www.mozilla.org/projects/embedding/profileSharing/

there are many many things that we need to share above and beyond prefs.  true
that is all that is currently working, but we needed to start somewhere.

    
    

    
  
paul:

are you sure you want to maintain a fork of the IPC code specifically for BeOS?
 is it really worth it if UNIX domain sockets work?


timeless: 

while true you could use this IPC mechanism to have two user accounts (with
access to the same GUI) share information, that does not automatically mean that
the profile sharing system will have user A access user B's profile data.  in
fact, the IPC daemon is capable of supporting multiple profiles.  each
application when it starts up is going to tell the daemon (actually the
transaction manager in the daemon) that it is interested in changes for specific
"queues" which really represent specific files on the system.  so, in your
example the runas command would indeed use the proper profile.

    
    

    
  
darin:  No, not really.  I had started work on a BeOS impl. before I knew
timeless was working on this.  If the UNIX socket code works under BeOS, I don't
see a point in using the work I started.

    
    

    
  
err, let's try to be clear about this...
i don't think classic BeOS has domain sockets (google showed random configure
scripts list QNX and BeOS together in that category). My changes enable ipc to
compile (presumably) without any functionality. It's a stopgap so people don't
have to add a flag --disable-whatever while they wait for Paul to write the
BMessage impl.

Darin: I've read those pages. I still don't see any benefit.
We have lots of security concerns about mail and cookies.
It seems to me that *not* sharing cookies between mail and browser would be a
*good* thing.  As for cache, I'm not sure how often people get large amounts of
content via email which requires them to use a cache. If it happens a lot then
I think I'd want to worry about the state of the world.

So here's a list:
prefs
 - most of the preferences are either dead or unrelated to a given application
   as such I'd want to fork prefs and only migrate relevant ones.
bookmarks
 - I don't think people need them outside of browser.
   I can see uses for them, but we never implemented them.
history
 - Mozilla/5 hasn't had the ability to handle 'alt-left' in recent memory.
   I used this feature a lot when I used Netscape 4's Messenger.
   Since the feature didn't make it into the new world, I have to conclude that
   it wasn't really important to anyone, which means that at least one kind of
   history wasn't useful to mail. (That's session)
 - The other kind of history (global) is like cookies, we support it, but it
   probably doesn't add much value although with css it allows certain privacy
   attacks, and if people really want the benefit of global history they'd
   probably benefit from loading the url in the browser of their choice.
cookies
 - See various bugs on cookies from mail. I don't think I know of any good uses
   for cookies in mail. A distinct cookie jar for mail seems better to me.
plugins
 - I don't need plugins in my email. I suppose some people might.*
   I'd rather see plugins be a browser only thing. like history if they really
   want the benefit of plugins then we should enable them to load the email in
   a browser sandbox.
  * I'd love to hear a justification for supporting plugins in mail, but that's
    offtopic so it can be made privately.
password manager/form fill
 - Yes both mail and browser have forms, but do they actually need to share
   any of their form data? in fact IMO the user interface for the two things
   should probably not be the same. And the data being stored is generally
   distinct.
certificates
 - This is the only item where i see some use for a daemon, and in fact PSM1
   was such an animal.  The old code probably still exists, although people
   didn't like it much.
 - I'm not sure how useful this item is either.  If you receive a certificate
   for your web server in email, then you can either save it and import it into
   your browser, or open it with your browser. In fact, such a certificate
   would probably be for a web server, not a browser...
 - If you receive a certificate for your email account from a web server then
   you can save it and import it into your email client, or open it with your
   email client. -- You have to do this anyway if your client isn't some GRE
   item.

Again, what problem are you really trying to solve and do you really see it as
a problem worth solving in this manner?

A daemon which actually let me run multiple Browsers against a shared cache/
cookie/history profile might be useful, but that's clearly not in the current
cards.

> IPC mechanism to have two user accounts (with
> access to the same GUI) share information,
eek. i'm pointing out that by default it looks like this bleeding *would*
happen.
> that does not automatically mean that
> the profile sharing system will have user A access user B's profile data.
It won't. the profile sharing system will have one of A or Bs data, and will
improperly give that data to an application which should have gotten data
from a different profile which should have been managed by a *different*
daemon.
> so, in your example the runas command would indeed use the proper profile.

I tried to make this clear.
w2k user:timely. has one mozilla profile 'default'
w2k user:timeless. has one mozilla profile 'tluafed'

The first sharing application runs as timely and starts sharing 'default'.
When an application run as timeless on the same desktop starts, it finds
timely's daemon and asks it for profile data ('default'). There's no
reason for the sharing application running as timeless to know that the
daemon it found for 'default' is for the wrong user (timely) /
profile (something that is not 'tluafed').

The code doesn't seem to do any check.

    
    

    
  
timeless:

this is not the place for a discussion about the worth of the current profile
sharing plan.  if you wish to discuss that take it elsewhere... like try a
newsgroup.  i'm not interested in arguing the merits of profile sharing with you
in this bug.

>A daemon which actually let me run multiple Browsers against a shared cache/
>cookie/history profile might be useful, but that's clearly not in the current
>cards.

hello!  i never said this wasn't a goal.  i only said that the inital goal is to
support an application suite.  do you not understand the concept of small steps?


>I tried to make this clear.
>w2k user:timely. has one mozilla profile 'default'
>w2k user:timeless. has one mozilla profile 'tluafed'
>
>The first sharing application runs as timely and starts sharing 'default'.
>When an application run as timeless on the same desktop starts, it finds
>timely's daemon and asks it for profile data ('default'). There's no

given what i said, this is incorrect.  the second instance of mozilla run by
timeless would ask the daemon (run by timely) to share the 'tluafed' profile.
think of the profile name as a namespace.  each application tells the daemon
what profile it will be using.  get it?

darin

    
    

    
  
Ok, so what happens when a daemon running as the wrong user tries to make
changes to a profile?

my point is that the code that looks for a daemon *must* not look for a daemon
owner by anyone else.

it could screw up permissions (including resulting in encrypted files which the
user can no longer access) or simple dataloss if it has the ability to delete 
a file but not replace it. it's actually possible under windows xp for drive
letters to be restricted to a given user's credentials). it could just fail.
it could create a profile with the wrong owner.

    
    

    
  
>Ok, so what happens when a daemon running as the wrong user tries to make
>changes to a profile?
>
>my point is that the code that looks for a daemon *must* not look for a daemon
>owner by anyone else.
>
>it could screw up permissions (including resulting in encrypted files which the
>user can no longer access) or simple dataloss if it has the ability to delete 
>a file but not replace it. it's actually possible under windows xp for drive
>letters to be restricted to a given user's credentials). it could just fail.
>it could create a profile with the wrong owner.

only a broken application could fall into this category.  it won't even be
possible for a user to make one of the mozilla apps behave this badly unless of
course the second user truly has access (file access) to the first user's
profile.  but, even then... the user would have to explicitly add the other
user's profile to the mozilla profile registry.  so, i really think this is a
non-issue.  clearly both user accounts are under the control of the same human
being or else you'd be talking about a breach of security in windows.

    
    

    
  
timeless: let me spell it out with an example...

consider these two user accounts (Win32 profiles):

  \\Host\UserA
  \\Host\UserB

mozilla applications are going to look in 

  \\Host\%USER%\Application Data\Mozilla\registry.dat

to find the list of profiles belonging to %USER%.  mozilla apps will only select
a profile from that set.  therefore any profiles belonging to UserB will not be
accessible to UserA unless one hacks the registry and gives UserA sufficient
file permissions to access profiles under \\Host\UserB\.

make sense?

    
    

    
  
Paul, BeOS still crashes because of IPC if --disable-profilesharing is left out of the mozconfig. Build attempt 5-16-2003 using current cvs checkout.

    
    

    
  
Well, I have most of IPC implemented for BeOS.  Currently, there is a crash in ipcStringList, when the test tries to run a query by name.  I am doing a full update of my tree right now, and will be doing a full re-build.  Once done, I will finish off the port, and submit my patch.  If the current code in CVS does not work, well, just wait until I submit my patch, as I see no point in me fixing anything w/o a proper impl.darin:While working on the port, I noticed that in the ipcMessage class, the WriteTo and ReadFrom methods can only be called once per instance.  I guess that makes sense for ReadFrom, but, for WriteTo, shouldn't the mMsgOffset be reset, once the write has been completed, so, the method can be called a second time?  Or, I could be completely missing something. ;-)

    
    

    
  
It seems I getting the make errors on older src. I pulled todays src, 
20030518, and MozFB compiled without an error and the browser works well. 
Sorry to have caused any problems.

    
    

    
  
Ok, I finished off an initial port to BeOS.  The TestIPC program runs, and seems
to be successful, though, I am not completely sure.  Plus, some of the code in
the test is commented out, which, keeps the TestIPC programming running in a
loop on the event queue.

I do have a question though, before I submit a patch:  Will there be only one
client per application instance?  In other words, would Mozilla, Firebird and
Thunderbird, if setup to use IPC, only create one ipc client each for a total of
three client instances?  Or, could, say, Mozilla create multiple instances of
the ipcClient?

    
    

    
  
Paul: ipcClient is just a class representing each client connection, and each
application need only establish one connection to the IPC daemon.  so, in your
example there would be a total of 3 ipcClient classes allocated.

    
    

    
  
That was my guess, but I wanted to make sure, as my code would require some
additional changes if it were any other way.  I should be submitting a patch soon.

    
  
Whiteboard: [adt2] [ETA Needed] → [adt2] [ETA: June 12, 2003]

    
    

    
  
retargeting to 1.5 alpha... remaining work is mostly cleanup and moving the code
onto the trunk.  1.4 final can be happy pulling the IPC branch i think.
Target Milestone: mozilla1.4final → mozilla1.5alpha

    
    

    
  


  
Ok, here is a BeOS impl. for the IPC mechanism.

Client: Creates a BHandler and attaches it to the current be_app to process
messages coming from the daemon
(had to modify TestIPC.cpp to have it spawn a BApplication, like
nsAppRunner.cpp in xpfe/bootstrap)

Daemon: A simple BApplication for receiving/sending messages to/from clients
- spawns a BMessageRunner to periodically send Purge messages to itself for
removing stale clients

Currently, when the last client is removed, the ipcLockModule crashes the
daemon in ipcLockModule_ClientDown while enumerating the hash.	Not completely
sure why, yet, but will investigate
Also, the daemon creates an entry on the DeskBar (do to the fact that it is a
BApplication), which, I would like to see if I can prevent from happenning.
Other than that, it seems to work, at least, the TestIPC doesn't complain about
anything.

    
    

    
  


  
This fixes the DeskBar issue I mentioned in the last patch by adding a resource
file for the daemon, which indicates that the app is background only.

There still is an issue with the Test crashing, though, sometimes it works,
sometimes its the daemon, and sometimes the TestIPC app itself.  This indicates
to me that there is a threading issue involved.  One place I can think of, is
that the Client's MessageReceived code is running in the BApplication's thread,
so, for the client, we will need a way to have the BApplication communicate
with the proper thread within the test.  This will also be needed once
Mozilla/Firebird/etc. all become actuall clients, and this code is used.
I am still unsure about the daemon crashing, though, as there is only one
thread for the daemon ever spawned (everything runs in the daemon's
BApplication thread)

        Attachment #124132 -
        Attachment is obsolete: true

    
    

    
  
bumping target milestone... not sure what the real target for this should be.
Target Milestone: mozilla1.5alpha → mozilla1.5beta

    
    

    
  
Can someone confirm that having IPC is NOT required for 1.5 (no significant
functionality will be lost). This is what I was told a couple of months ago, I
just want to make sure that it still holds.

    
    

    
  
colin: like i said in my previous comment, i don't know what the real target of
this is or should be.  it doesn't seem like profile sharing will be in use by
firebird and thunderbird during the mozilla 1.5 milestone, but i could be wrong.

    
    

    
  
this is off the radar now...  it doesn't look like firebird and thunderbird want
to share profile data.  -> future
Target Milestone: mozilla1.5beta → Future

    
    

    
  
This may make a comeback for cert-sharing among the 'birds, unless someone makes
Thunderbird an add-on to Firebird that runs in-process.  We'll want something
for certain customers who use both 'birds and care about PKI.

/be

    
    

    
  
why not go back to psm1 ;-?

    
    

    
  
timeless: because PSM1 was slow.  all data was passed over the IPC connection. 
in the case of sharing certs, all we really need to do is share the certs.  NSS
is already setup to optionally access the cert db through a special interface. 
all we need to do is implement that interface in terms of the ipcIService and
implement a module for the IPC daemon that access the .db file(s).

    
    

    
  
sorry, I didn't follow the profilesharing thing in the past.
According to the bugs and the discussion profilesharing is not ready yet?
So Moz 1.6 actually don't use it?
If so, why are the components in mozilla.org's packages?
Is it possible to build mozilla with --disable-profilesharing without loosing
features at this time?

    
    

    
  
> sorry, I didn't follow the profilesharing thing in the past.
> According to the bugs and the discussion profilesharing is not ready yet?

right, it is not ready yet.


> So Moz 1.6 actually don't use it?

right


> If so, why are the components in mozilla.org's packages?

good question.  we don't need to be shipping the components; however, they are
relatively small :-/


> Is it possible to build mozilla with --disable-profilesharing without loosing
> features at this time?

yes


i think firefox is built with that option.

    
    

    
  
FYI ports maintainers: there is new discussion about profile sharing going on
again.  It might very well translate to enabling some of the profile sharing
implementation in an upcoming milestone.

    
    

    
  
(In reply to comment #64)
> NSS is already setup to optionally access the cert db through a special 
> interface. all we need to do is implement that interface in terms of the 
> ipcIService and implement a module for the IPC daemon that access the .db 
> file(s).

I'm interested in this; where can I find information about this NSS interface?



    
    

    
  
chpe: you should talk to wtchang.

    
  
Assignee: darin → nobody
Status: ASSIGNED → NEW
Priority: P1 → --
Target Milestone: Future → ---

    
    

    
  
Oh hell, why do you alway make such easy things that complicated ?!

Why not simply utilize an the widely supported OS feature called "filesystem" ?
Nearly all filesystems support locking - for those which dont, dot-locking should do the trick.

The key is to use an well-suited storage format, which models every autonomous record (ie. an bookmark) as its own inode. Concurrent access (between several applications as well as different users) would be as trivial as things like bookmarks from external sources, ie. collaborative bookmarks or rss-feeds. By using an an (separate) userland filesystem layer, those things could simply be mounted-in. 

I really suggest you to do some little studies on how Plan9 handles those things.
It's the perfection of good-old Unix' philosophy "evrything's an file". 

IMHO, 9p2000 would be an good mechanism for talking to the filesystems:
An simple userland client library handles the connections 9p2000 servers and supplies an clean and simple API for evrything else. On application startup, we run an init-routine which mounts the required datasources and starts servers when necessary. After that point, we just use an filesystem - nothing more. 

Bookmarks, Cookies, Certs, etc are all stored in that filesystem. 

If someone wants some non-standard setting (ie. get profile data from some server like ldap, collaborative bookmarking, rss-bookmarks, ...), all he has to do is choose the right 9p2000 server (or write one if necessary) and mount it in.

All these problems are immediately off the scope of mozilla at this point.


    
  
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → WONTFIX

    
  
QA Contact: ashshbhatt → ipc

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: