Configurable viewport

[hiroTamada]

<!-- mesa-description-start -->
<!-- mesa-description-start -->
<!-- mesa-description-start -->
<!-- mesa-description-start -->
Initially

After running

➜  ~ curl -X PATCH http://localhost:444/display \
  -H "Content-Type: application/json" \
  -d '{"width": 1920, "height": 1080}'
{"height":1080,"width":1920}

---

For headless, I exec-ed into the running docker, and I confirmed the xvfb config by

root@18f971b11d5d:/# ps aux | grep Xvfb
root      1675  0.0  0.8 203536 69648 ?        S    18:31   0:00 Xvfb :1 -ac -screen 0 1920x1080x24 -retro -dpi 96 -nolisten tcp -nolisten unix
root      2195  0.0  0.0   2904  1532 pts/1    S+   18:34   0:00 grep --color=auto Xvfb

TL;DR

This PR introduces a PATCH /display API endpoint to dynamically change the browser's viewport resolution without restarting the container.

Why we made these changes

This allows users to programmatically control the browser's viewport size, which is crucial for testing responsive designs, simulating different device screens, and tailoring the resolution for various automation tasks.

What changed?

• API: Added a PATCH /display endpoint in server/cmd/api/api/display.go to allow dynamic resolution changes for both headful (Xorg) and headless (Xvfb) modes.
• Resolution Logic: The new handler uses xrandr for Xorg and supervisor restarts for Xvfb. It includes a require_idle safety check and restarts Chromium to apply the new viewport.
• Neko Integration: Added an authenticated Neko client (server/lib/nekoclient/client.go) to manage headful sessions.
• Dependencies: Added the x11-xserver-utils package to the images/chromium-headful/Dockerfile to provide xrandr.
• Configuration: Updated images/chromium-headful/xorg.conf to include additional display modes.
• API Spec: Updated openapi.yaml with the new display endpoint and regenerated the Go client.
• Scripts: Modified run-docker.sh and run-unikernel.sh to pass Chromium flags as a JSON array instead of a space-separated string.
• Testing: Added a new e2e test, TestDisplayResolutionChange, to validate the functionality.

Validation

• Manually tested resolution change with the curl command.
• Verified Chromium restarts and fits the new resolution.
• Ensured require_idle flag prevents changes during an active session.

^{Description generated by Mesa. Update settings}
<!-- mesa-description-end -->

^{Description generated by Mesa. Update settings}
<!-- mesa-description-end -->

^{Description generated by Mesa. Update settings}
<!-- mesa-description-end -->

^{Description generated by Mesa. Update settings}

[mesa-dot-dev]

Performed full review of 2d73dc8...fc57289

Analysis

1. Session Disruption Risk: The requirement to restart Chromium after resolution changes could negatively impact user experience and session continuity.

2. Deployment Infrastructure Coupling: Direct modification of supervisor configuration files for Xvfb creates tight coupling between the application and deployment infrastructure.

3. System Component Coordination Complexity: The implementation requires orchestrating multiple system components (X server, supervisor, Chromium), increasing the number of potential failure points and making the system more brittle.

4. Runtime Flexibility vs. Stability Tradeoff: While the configurable viewport adds runtime flexibility, it also introduces additional complexity that could impact system stability.

Tip

⚡ Quick Actions

This review was generated by Mesa.

Actions:

• Configure your agents

Slash Commands:

• /review - Request a full code review
• /review latest - Review only changes since the last review
• /describe - Generate PR description. This will update the PR body or issue comment depending on your configuration
• /help - Get help with Mesa commands and configuration options

^{4 files reviewed | 0 comments | Review on Mesa | Edit Reviewer Settings}

[hiroTamada]

need this for xrandr

[rgarcia]

this logic is sufficiently intricate where an e2e test might be beneficial. See https://github.com/onkernel/kernel-images/blob/main/server/e2e/e2e_chromium_test.go#L102-L219

[Sayan-]

great stuff!

two general thoughts for neko:

1. instead of raw http requests I wonder if it would be easier to generate an oapi client of their spec (e.g. https://github.com/onkernel/neko/blob/aa0487f68ebbff1056d7355ec2da127986e5be5f/server/openapi.yaml#L146-L170 +
2. It might be helpful to pull out the neko bits into their own client that internally manages the token rather than that being a responsibility of the ApiService

[Sayan-]

double checking - did we also run numbers on impact of refresh rate in benchmarking? I don't see anything in https://docs.google.com/spreadsheets/d/1VBhIEoNTJoD95gKsalM3XUH2lDnz2XwFlyVwECV-45I/edit?gid=0#gid=0

namely, I'd think higher refresh rates would consume more resources for the gstreamer pipeline backing live views, so I'm curious on the numbers there

[hiroTamada]

on the api side, we are only going to allow these following configurations

1024x768x60
1920x1080x60
2560x1440x30
1920 x 1200x60
1440 x 900x30

On the images side, I think we can leave it flexible?

[Sayan-]

did we also want 10 in here?

[Sayan-]

do we still need all these bits?

[hiroTamada]

I guess not... I can just return the current width, height and refresh_rate

[Sayan-]

is this droppable?

[hiroTamada]

This was my thought process.

We can make the images api to be flexible to accommodate both cases where it requires no active sessions or not.

If the request says requireIdle, then we reject the request if there are active sessions

[Sayan-]

ah sorry this was in reference to isReplaying. I think it's just a dupe of isRecording and it's not implemented

[hiroTamada]

ah I see. Yeah, I will do that. Good thanks!!

[Sayan-]

checking my understanding - why don't we restart for headful?

[hiroTamada]

we use this flag to --start-maximized to start chromium.

So when x.org expands, the chromium expands. But, we can optionally override this through the request. chromium restarts take time, so we want to avoid it as much as possible

[Sayan-]

honestly wonder if this is easier as an env var

[hiroTamada]

Yeah.... good point. Let me research this. I talked about this with Raf as well. He was more comfortable with this approach

[Sayan-]

do we need this wrapper?

[Sayan-]

nit - we should pull the neko port / url from the env instead of hardcoding

[Sayan-]

how long do these tokens last for? do they survive neko restarts? mainly wondering if we could just do it at API start up time so it's always ready but can see there could be problems with that approach

[hiroTamada]

I think the token lifetime is technically infinite. But you can manually expire it or rotate it. Maybe it is safer to maintain the current implementation?

[cursor]

Bug: Environment Variable Injection Vulnerability

The use of eval "FLAGS_ARRAY=($CHROMIUM_FLAGS)" in both scripts introduces a command injection vulnerability. Since CHROMIUM_FLAGS can be set via environment variables, malicious input could lead to arbitrary shell code execution.

Additional Locations (1)

• images/chromium-headful/run-docker.sh#L27-L32

 

[hiroTamada]

that is fine. It is not for production use case

[cursor]

Bug: Shell Code Injection via User-Controlled Flags

The eval "FLAGS_ARRAY=($CHROMIUM_FLAGS)" command in both scripts introduces a command injection vulnerability. Since CHROMIUM_FLAGS can be user-controlled, malicious input could lead to arbitrary shell code execution.

Additional Locations (1)

• images/chromium-headful/run-unikernel.sh#L33-L52

 

[hiroTamada]

again, not user facing and this is fine

[cursor]

Bug: Insecure Command Execution in Resolution Fetching

The getCurrentResolution function directly uses exec.CommandContext with bash -c instead of the ProcessExec API. This approach is fragile and vulnerable to command injection due to unescaped DISPLAY and xrandr output parsing. It also bypasses internal process controls and logging, and handles the DISPLAY environment variable inconsistently.

 

[hiroTamada]

not user facing path. This is fine

[cursor]

Bug: API URL Mismatch After Network Change

The runContainer function switched from --network=host to explicit port mapping (-p 10001:10001). This means the hardcoded apiBaseURL (http://127.0.0.1:10001) no longer correctly points to the container's API server from the host, causing API calls in tests that use runContainer to fail.

 

[hiroTamada]

I had to do this to run this on Mac. I will revert if this is not necessary

[cursor]

Bug: Vulnerability in sed Command Injection

The sed commands in setResolutionXvfb use fmt.Sprintf to inject width and height into shell commands without escaping. This allows for command injection. The direct string manipulation of the supervisor config is also fragile, risking breakage if the format changes.

 

[hiroTamada]

that is fine. Not user facing

[cursor]

Bug: Shell Injection via CHROMIUM_FLAGS

The eval command in run-unikernel.sh and run-docker.sh parses CHROMIUM_FLAGS. This creates a security vulnerability, allowing arbitrary command injection if CHROMIUM_FLAGS contains malicious shell code, as it can be controlled by user input or environment variables.

Additional Locations (1)

• images/chromium-headful/run-docker.sh#L27-L32

 

[Sayan-]

overall lgtm! last couple of q's

[Sayan-]

why do we prefer to initial this here instead of passing it in?

[hiroTamada]

no reasons lol

[Sayan-]

did we also want 10 in here?

[Sayan-]

this is way easier to read, thanks for iterating!

[cursor]

Bug: Missing Enum Value Causes Validation Errors

The generated PatchDisplayRequestRefreshRate enum constants are incomplete. The value 10 is missing from the generated Go code, despite being defined in the OpenAPI spec. This prevents clients from using 10 Hz and may lead to validation issues.

 

[cursor]

Bug: Shell Command Injection via eval

The eval command used to parse CHROMIUM_FLAGS in both run-unikernel.sh and run-docker.sh introduces a command injection vulnerability. If CHROMIUM_FLAGS contains malicious shell commands, eval will execute them, potentially leading to arbitrary code execution.

Additional Locations (1)

• images/chromium-headful/run-docker.sh#L27-L34

 

[cursor]

Bug: JSON Flag Parsing Fails on Special Characters

The JSON generation for Chromium flags doesn't escape special characters within flag values. If a flag contains double quotes, backslashes, or other JSON special characters, the resulting JSON will be invalid. This could cause the downstream flag parsing system to fail or misinterpret flags.

Additional Locations (1)

• images/chromium-headful/run-unikernel.sh#L44-L47