CP-54393: VNC console idle timeout

[stephenchengCloud]

This commit adds idle timeout feature for vnc console connections.

Key changes:

• Add idle timeout detection by monitoring RFB keyEvent and pointerEvent.
• Add callback function to proxy to parse the RFB messages and determine if the connection is idle or not.

[stephenchengCloud]

This is a re-open PR of #6667 based on the rfb parser.
Tested:
Set idletimeout = 60s

Sep 26 07:23:22 eu1-dt094 xapi: [debug||621 HTTPS 10.70.0.164->:::80|Connection to VM console R:b967a8c7f944|console] Connected; running proxy (between fds: 55 a        nd 56)
Sep 26 07:23:22 eu1-dt094 xenopsd-xc: [debug||7 ||device] Got QMP event, domain-20: VNC_CONNECTED
…

Sep 26 07:24:28 eu1-dt094 xapi: [debug||621 HTTPS 10.70.0.164->:::80|Connection to VM console R:b967a8c7f944|console] Idle timeout exceeded! (timeout: 60.0s)
Sep 26 07:24:28 eu1-dt094 xapi: [debug||621 HTTPS 10.70.0.164->:::80|Connection to VM console R:b967a8c7f944|console] Proxy exited
Sep 26 07:24:28 eu1-dt094 xenopsd-xc: [debug||7 ||device] Got QMP event, domain-20: VNC_DISCONNECTED

[lindig]

The parameter poll_timeout is optional. Should we not need special values to indicate that we have no timeout?

[robhoes]

This seems to be a consequence of the interface of polly, which expects a -1 for "no timeout".

[robhoes]

However, you can define should_close without option = None (as the ? makes it an option type already). Then you don't need to use Some when you call the function in console.ml.

[lindig]

Yes. This should be a parameter with a default but it should not be an optional value.

[stephenchengCloud]

proxy is not only used by console. I made poll_timeout as optional because I don't want to modify the code that calls proxy in other places before.

[lindig]

Should this not be a float value?

[stephenchengCloud]

This timeout value is for polly.wait_fold. It should be an int.
Check:
https://github.com/lindig/polly/blob/master/lib/polly.mli#L127

[lindig]

The expected value at the Polly API is an int in milliseconds - so we could take a float in seconds and convert it to milliseconds when we pass it to Polly.

[psafont]

This should be an Mtime.Span.t, also the current name doesn't make it clear it's for a proxy

Suggested change

	let poll_timeout_sec = ref 5
	let proxy_poll_period_timeout = ref Mtime.Span.(5 * s)

[lindig]

I would use a float.

[robhoes]

This seems to be a consequence of the interface of polly, which expects a -1 for "no timeout".

[robhoes]

This shorter version should work too:

let data = CBuf.read b' b in
Option.iter (fun cb ->
  if cb data then close_proxy ()
) should_close

[robhoes]

Option.iter (fun cb ->
    if cb (Bytes.empty, 0, 0) then close_proxy ()
) should_close

[robhoes]

I guess this is to handle the case where polly returned after a timeout? Could it then go in an else branch?

[stephenchengCloud]

Modified the code to call the callback only once by providing a init value(Bytes.empty, 0, 0) to Polly.wait_fold

[robhoes]

Or:

max (-1) (!Xapi_globs.poll_timeout_sec * 1000) (* convert to milliseconds *)

[stephenchengCloud]

Now I changed poll_timeout_sec to a float type. The max (-1) ... can not work, say poll_timeout_sec is set to -0.00001 (though it's unlikely to set like this).
So I changed the logic back to the original one.

[robhoes]

Looks like this triggers several DB calls every 5 seconds for every console. If the VM is running on a pool member, then that means several calls to the coordinator. I understand that we want to be responsive to timeout changes, with we should reduce this to at most one DB call.
Several of these values are static for given VM and can be captured in the closure before the line with fun (buf, read_len, offset) -> below.

[stephenchengCloud]

Yes. Good point.

[robhoes]

Make it an option please.

[stephenchengCloud]

Done.

[robhoes]

Note that this still creates a copy. I had hoped that we could avoid that and pass buf+offset+len straight to the parser. Perhaps not worth doing, but I can't remember how the parser processes this.

[stephenchengCloud]

The parser calls Angstrom.Buffered.feed which needs a string type.
So there must be a copy.

[psafont]

Unfortunately, not even with the unsafe functions the copy can be avoided, as Bytes.subfamily of functions always allocates

[robhoes]

Would be handy to say that this is about a console connection and for which VM.

[lindig]

Yes. This should be a parameter with a default but it should not be an optional value.

[lindig]

The expected value at the Polly API is an int in milliseconds - so we could take a float in seconds and convert it to milliseconds when we pass it to Polly.

[psafont]

This should be defined as part of the xapi_globs_spec_with_descriptions list, in line 1259:

  ; ( "proxy_poll_period_timeout"
    , ShortDurationFromSeconds proxy_poll_period_timeout
    , "Timeout (in seconds) for event polling in network proxy loops. When \
       positive, the proxy will wake up periodically to check tasks like vnc \
       idle timeouts or perform other maintenance tasks. Set to -1 to wait \
       indefinitely for network events without periodic wake-ups."
    )

use ShortDurationFromSeconds to have the conf value as float, or LongDurationFromSeconds for int. Because polly accepts milliseconds and the polling loop is bound to timeout in a matter of seconds at most, I recommend the float.

[stephenchengCloud]

Thanks. I didn't know this before. But I checked the code, it seems ShortDurationFromSeconds cannot be negative, while epoll can take -1 as input. So I'll use float as Lindig suggested, and it'll be simpler to covert it to milliseconds.

val s_to_span : float -> Mtime.Span.t option
(** [s_to_span seconds] converts a float representing seconds to a timespan.
    Returns None when [seconds] is negative, is not a number or larger than
    ~104 days. Avoid whenever possible, some RPC function already use this so
    it needs to be available. *)

[minglumlu]

I think the callback function is performance critical. We may have to give up on this. Specifically, I think we need to avoid any DB operations within this callback.

[stephenchengCloud]

OK. It's a design choice. In that way, the timeout config change only applys to the new connections.
I can add this to the design doc.

[robhoes]

If we need it to apply to current connections, then another option is to have a separate thread watch the DB field using event.from and set a local ref that all console proxies can use. Then DB calls are outside of the critical path. But even simpler to not do it at all...

[stephenchengCloud]

Yes, better to not do it.
If users want the idle timeout config applys to old connections, it's easy to reconnect the connections.

[minglumlu]

It's unlikely that it would get timed out after this.

[stephenchengCloud]

You are right. We should not call timed_out function if is_active is true.

[minglumlu]

Will the parsing raise any exception? Will the result return have covered all the error cases? It is the point of result.

[stephenchengCloud]

Checking the parser code, it'll return Error when parsing FAIL.
I'll remove the exception.

[minglumlu]

It could be

if idle_timeout > 0. then Some (Int64.to_float idle_timeout) else None

[stephenchengCloud]

Updated and tested

[minglumlu]

This checking is not needed anymore.

[minglumlu]

Hello, @stephenchengCloud
Could you please have a test for the performance? For example, for the case that several consoles keep refreshing the display, like scrolling the screen.
It would be good to compare the performance between with and without the change.

[stephenchengCloud]

Hello, @stephenchengCloud Could you please have a test for the performance? For example, for the case that several consoles keep refreshing the display, like scrolling the screen. It would be good to compare the performance between with and without the change.

Will do.