Light Display Manager

Add plugin system

Bug #691432 reported by Robert Ancell on 2010-12-17

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	Light Display Manager	Triaged	Low	Unassigned

Bug Description

Support plugins so more complex displays can be managed. Move some code out of lightdm into plugins (XDMCP, user switcher)

Plugin types:
- Display type - i.e. this plugin is responsible for creating new displays
- Display servers - have an X server / Wayland plugin
- Authentication systems - move PAM into a plugin

libpeas may make sense, probably start with GModule [1] first at least.

http://library.gnome.org/devel/glib/unstable/glib-Dynamic-Loading-of-Modules.html

Tags:

Robert Ancell (robert-ancell) on 2010-12-17

Changed in lightdm:
importance:	Undecided → Low
status:	New → Triaged

Revision history for this message

Brian-cameron-oracle (brian-cameron-oracle) wrote on 2010-12-23:

Download full text (4.8 KiB)

Some thoughts...

A plugin system for handling display type (e.g. console, XDMCP, Xnest, etc.) would be very useful because it would make it easy to enhance the display manager to support new types and would encourage more experimentation. For example, it would be interesting to use Xvfb to map displays in local memory and then attach the Xvfb to actual monitors to support VT-like switching on non-console displays. Such techniques are rather daunting to try to integrate into a display manager, but could become trivial to add if the display manager supported a flexible plugin system.

For many display types, the difference in how displays are managed are fairly trivial - how the display is started, how the display is torn down, and how switching is handled if switching is supported. By moving this code into plugins, the display manager engine should become more clean and abstract and easier to maintain.

One problem with many other display managers out there is that the code turns into spaghetti after it supports a few display types with a lot of odd code to handle state and different cases. Separating this logic into plugins and keeping the engine simple & consistent for all display types should make code management a lot more simple.

I am not sure that a plugin system for "display servers" is really needed. You could treat a different kind of server simply as a different display type. The engine should only be concerned about how to start, how to tear down, and how to handle switching if supported. In other words, the command to run (Xserver or Wayland) could just be handled by different plugins.

An authentication/audit system plugin would be useful since PAM could be moved into a plugin. Users might want to use different PAM modules on different displays (e.g. fingerprint reader on one and normal username/password entry on the other). So it is useful to be able to specify different PAM service names (the 1st argument passed to pam_start) in a per-display fashion. Also extracting authentication into plugins would make it easy to use the LightDM engine to handle different kinds of authentication - not just PAM. For example, it would be neat if LightDM also supported screen locking. To do this properly you really need a plugin system for authentication since the PAM and audit calls for login are different than for screen lock. If you wanted to use LightDM as an engine for handling password entry for other programs (such as gnome-keyring or PolicyKit), then you might want other non-PAM plugins to be used for these situations that pass the password input along to where it is needed in a secure fashion.

Some thoughts...

A plugin system for handling display type (e.g. console, XDMCP, Xnest, etc.) would be very useful because it would make it easy to enhance the display manager to support new types and would encourage more experimentation.  For example, it would be interesting to use Xvfb to map displays in local memory and then attach the Xvfb to actual monitors to support VT-like switching on non-console displays.  Such techniques are rather daunting to try to integrate into a display manager, but could become trivial to add if the display manager supported a flexible plugin system.

For many display types, the difference in how displays are managed are fairly trivial - how the display is started, how the display is torn down, and how switching is handled if switching is supported.  By moving this code into plugins, the display manager engine should become more clean and abstract and easier to maintain.

One problem with many other display managers out there is that the code turns into spaghetti after it supports a few display types with a lot of odd code to handle state and different cases.  Separating this logic into plugins and keeping the engine simple & consistent for all display types should make code management a lot more simple.

I am not sure that a plugin system for "display servers" is really needed.  You could treat a different kind of server simply as a different display type.  The engine should only be concerned about how to start, how to tear down, and how to handle switching if supported.  In other words, the command to run (Xserver or Wayland) could just be handled by different plugins.

An authentication/audit system plugin would be useful since PAM could be moved into a plugin.  Users might want to use different PAM modules on different displays (e.g. fingerprint reader on one and normal username/password entry on the other).  So it is useful to be able to specify different PAM service names (the 1st argument passed to pam_start) in a per-display fashion.  Also extracting authentication into plugins would make it easy to use the LightDM engine to handle different kinds of authentication - not just PAM.  For example, it would be neat if LightDM also supported screen locking.  To do this properly you really need a plugin system for authentication since the PAM and audit calls for login are different than for screen lock.  If you wanted to use LightDM as an engine for handling password entry for other programs (such as gnome-keyring or PolicyKit), then you might want other non-PAM plugins to be used for these situations that pass the password input along to where it is needed in a secure fashion.

The advantage of the display manager providing a service to programs to handle such authentication is that it would make password entry more secure.  One issue with password entry in the user's session is that anybody who is able to access your xauth key can snoop keypresses, for example.  So password entry is only as secure as Xserver xauth security.  Not that secure, really.  However, if LightDM provided a service that a program could ask LightDM to VT switch to a new display, ask for the password and return back to the user session when done, this would use a separate Xauth connection and would run the GUI as a separate user (like the "gdm" user) preventing such exploits.  The authenciation plugin could handle the glue to pass needed data to the program waiting in the user session, perhaps via D-Bus.  gnome-keyring could then provide its own LightDM authentication plugin and make D-Bus calls to make LightDM provide this service.

For LightDM to provide such a generic password entry service, it would be necessary for LightDM to provide external hooks (perhaps D-Bus calls) so that the switching events for a given display type plugin and authentication plugin could be triggered externally.

One issue about figuring out a good plugin system is how to handle configuration.  Each plugin may have its own configuration needs.  May display managers get bogged down trying to store configuration for different display types in a single configuration file, so storing plugin configuration in separate files would be a good idea, I think.  For example, users may want to modify the Xserver command to add arguments to turn on extensions they need or turn off extensions they don't want, or for other purposes.   It probably makes sense to put configuration files for each plugin in a common directory (perhaps the name of the file could match the plugin name), and to use a common format.  Having a common engine for plugins to use to make loading/saving any configuration that is needed could make this easy to manage.  Plugins could probably use the same code that the LightDM engine uses for configuration, just with the ability for the plugin to specify a different filename to use.

Revision history for this message

Brian-cameron-oracle (brian-cameron-oracle) wrote on 2010-12-23:

Download full text (7.1 KiB)

Here is how I think the DisplayType plugin could work. The LightDM engine could provide the following D-Bus interfaces.

Init (char *display_type)
AddDisplay (char *display_type, char *display, char *auth_plugin, char *auth_plugin_data, char *user_data)
RemoveDisplay (char *display_type, char *display, char *user_data)
gboolean SupportsSwitching (char *display_type)
SwitchDisplay (char *display_type, char *from_display, char *to_display, char *user_data)

These D-Bus calls would then call interfaces in the per-display-type plugins. The AddDisplay and RemoveDisplay interface should only be accepted if they are called from a root-running process. The SwitchDisplay interface should be accepted from a user-session. I think the user_data should be a string since that would make it easy to pass in multiple values in a generic way that can be parsed.

As a suggestion, the AddDisplay interface could accept a NULL display and allow the plugin to just figure out the next available display. The SwitchDisplay function could accept a NULL from_display value if the type only manages a single seat (such as VT) and a NULL to_display value would mean to create a new display.

Each display type would be managed by a dynamically loaded plugin specific to that display type. The plugin would support these interfaces:

1) An Init interface. If displays of this type are started or killed on-demand, then the plugin could start a thread to listen for connection requests (e.g. XDMCP). If displays of this type should be started when the login manager starts up via configuration, then the init function could just go ahead and start them. When displays need to be started or stopped, the plugin would call the main daemon AddDisplay or RemoveDisplay D-Bus command, passing any user-data needed to start or stop the display.

2) An interface to start managing a display. This interface would be called when the main daemon receives an AddDisplay request. It would be passed the user-data so it knows any special information it needs to start the display. It would also be useful to have arguments to specify what Authentication plugin to use and any userdata. For example, it would be useful to be able to tell LightDM that I want to start a new display that is using the lock screen PAM stack, or that I want to use some other non-default PAM stack on a given display.

3) An interface to stop managing a display. This interface would be called when the main daemon receives a RemoveDisplay request. Also when GDM shuts down, the main daemon would loop over all running displays and call this interface for each one to shut them down cleanly.

4) An interface that returns whether or not the display type supports display switching.

5) An interface that switches the display to the specified one and is called when the main daemon receives a SwitchDisplay request. It obviously only works if the display type supports display switching.

Here is how I think the DisplayType plugin could work.  The LightDM engine could provide the following D-Bus interfaces.

These D-Bus calls would then call interfaces in the per-display-type plugins.  The AddDisplay and RemoveDisplay interface should only be accepted if they are called from a root-running process.  The SwitchDisplay interface should be accepted from a user-session.  I think the user_data should be a string since that would make it easy to pass in multiple values in a generic way that can be parsed.

As a suggestion, the AddDisplay interface could accept a NULL display and allow the plugin to just figure out the next available display.  The SwitchDisplay function could accept a NULL from_display value if the type only manages a single seat (such as VT) and a NULL to_display value would mean to create a new display.

Each display type would be managed by a dynamically loaded plugin specific to that display type.  The plugin would support these interfaces:

1) An Init interface.  If displays of this type are started or killed on-demand, then the plugin could start a thread to listen for connection requests (e.g. XDMCP).  If displays of this type should be started when the login manager starts up via configuration, then the init function could just go ahead and start them.  When displays need to be started or stopped, the plugin would call the main daemon AddDisplay or RemoveDisplay D-Bus command, passing any user-data needed to start or stop the display.

2) An interface to start managing a display.  This interface would be called when the main daemon receives an AddDisplay request.  It would be passed the user-data so it knows any special information it needs to start the display.  It would also be useful to have arguments to specify what Authentication plugin to use and any userdata.  For example, it would be useful to be able to tell LightDM that I want to start a new display that is using the lock screen PAM stack, or that I want to use some other non-default PAM stack on a given display.

3) An interface to stop managing a display.  This interface would be called when the main daemon receives a RemoveDisplay request.  Also when GDM shuts down, the main daemon would loop over all running displays and call this interface for each one to shut them down cleanly.

4) An interface that returns whether or not the display type supports display switching.

5) An interface that switches the display to the specified one and is called when the main daemon receives a SwitchDisplay request.  It obviously only works if the display type supports display switching.

It would probably make sense for such plug-ins to have a common base class.  The base class could provide some common logic for handling things like generating the Xauth key that many (if not all) plugins would want to use in common.  Also, if you wanted both an Xserver and a Wayland plugin that worked on the console, it might make sense to have a common base-class that knows how to deal with VT switching with subclasses that know how to deal with Xserver versus Wayland.

To illustrate how this could work, I will provide an example.  I would imagine that each display type would have a separate configuration file like this:

-----------------------------------
/usr/share/lightdm/attached.display
-----------------------------------

# The Attached configuration supports managing the console display
# (with and without VT support), and other types of attached displays
# where it is only necessary for the display manager to launch the
# Xserver command with a particular display value and/or vt argument.  # Note that the Xserver must be configured to support Attached
# displays for them to work.
#
[DisplayType]
# Name of this display type.
Name=Attached
# Whether this type of display is enabled or not.  You might disable it on a headless XDMCP server, for example.
Enabled=true
# Plugin to use for this type of display:
Plugin=/usr/lib/lightdm/libconsole.so

# Configuration specific to this DisplayType
[Attached]
# Xserver command to use for this type of display.
Exec=/Xserver/command -args-to-use
# Fallback console display device to be used if VT is not supported on
# the console.  If VT is supported, the actual VT device will be used.
FallbackConsoleDevice=/dev/console
# Attached non-console displays to manage on startup:
ManageAttached=1,2
# VT displays to manage on startup.  This is ignored if the console
# does not support VT.
ManageVT=10,11,12
# PAM Stack to use for this type.  This value is passed into the
# pam_start() function.
PamStack=gdm

[Display1]
# Specify the PAM stack to use for this display if you want to override the default
PamStack=mypamstack
# Other per-display configuration could be added if there is value.
# For example, there are some use-cases where it would be useful to
# be able to override the Exec setting for a specific display.
# An example would be if you want to have two displays that run
# different sessions and they require different and incompatible
# Xserver extensions to use.  In this case, you might want to override
# the "Exec" value for some displays.

[Display2]
...

--------------------------------
/usr/share/lightdm/xdmcp.display
--------------------------------

# The XDMCP display type supports managing XDMCP displays.
[DisplayType]
Name=XDMCP
Enabled=true
Plugin=/usr/lib/lightdm/libxdmcp.so
PamStack=gdm

# XDMCP specific configuration
[xdmcp]
Exec=/Xserver/command
Port=177
MaxSessions=16
...

--------------------------------
/usr/share/lighdm/xephyr.display
--------------------------------

# The Xephyr display type supports managing Xephyr displays.
[DisplayType]
Name=Xephyr
Enabled=true
Plugin=/usr/lib/lightdm/libxephyr.so
PamStack=gdm

# Xephyr specific configuration
[xephyr]
Exec=/Xephyr/command

---

So, with the above configuration, the display manager would loop over all DisplayType configuration files with the ".display" suffix and load the plugins calling the Init function for each.  The Attached plugin init function would read its configuration file to get any information it needs.  Based on the above configuration it would manage the console.  If VT support is available it would also start VT displays on :10, :11, and :12.  Since this configuration specifies 2 additional
graphics cards it would manage displays :1 and :2 on them.  Also, the XDMCP plugin init function would start listening for XDMCP requests and the Xephyr plugin is available to allow Xephyr sessions.

Further, the fact that the daemon supports D-Bus calls to add or remove displays on demand allows people to control LightDM in novel ways.  You could for example, create or remove a new VT session via a D-Bus call if desired.  This would also be useful to support hotpluging light terminals when they are plugged into the network or removed from the network.

This is all just an example to give some ideas of how this could be implemented.

Darxus (darxus) on 2012-04-09

tags:

added: wayland

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.