Fix for creating child elements for a parent element

client/cmake/sources.cmake

@@ -22,6 +22,7 @@ set(HEADERS ${HEADERS}
     ${CLIENT_ROOT_DIR}/core/controllers/coreSignalHandlers.h
     ${CLIENT_ROOT_DIR}/core/controllers/gatewayController.h
     ${CLIENT_ROOT_DIR}/core/utils/selfhosted/sshSession.h
+    ${CLIENT_ROOT_DIR}/core/utils/selfhosted/sshExecutor.h
     ${CLIENT_ROOT_DIR}/core/controllers/serversController.h
     ${CLIENT_ROOT_DIR}/core/controllers/selfhosted/usersController.h
     ${CLIENT_ROOT_DIR}/core/controllers/selfhosted/installController.h
@@ -99,6 +100,7 @@ set(SOURCES ${SOURCES}
     ${CLIENT_ROOT_DIR}/core/controllers/coreSignalHandlers.cpp
     ${CLIENT_ROOT_DIR}/core/controllers/gatewayController.cpp
     ${CLIENT_ROOT_DIR}/core/utils/selfhosted/sshSession.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/selfhosted/sshExecutor.cpp
     ${CLIENT_ROOT_DIR}/core/controllers/serversController.cpp
     ${CLIENT_ROOT_DIR}/core/controllers/selfhosted/usersController.cpp
     ${CLIENT_ROOT_DIR}/core/controllers/selfhosted/installController.cpp

client/core/controllers/coreSignalHandlers.cpp

@@ -3,6 +3,7 @@
 #include <QTimer>
 
 #include "core/utils/selfhosted/sshSession.h"
+#include "core/utils/selfhosted/sshExecutor.h"
 #include "core/utils/errorCodes.h"
 #include "core/utils/routeModes.h"
 #include "core/controllers/coreController.h"
@@ -144,7 +145,9 @@ void CoreSignalHandlers::initExportControllerHandler()
             });
     connect(m_coreController->m_exportController, &ExportController::revokeClientRequested, this,
             [this](const QString &serverId, int row, DockerContainer container) {
-                m_coreController->m_usersController->revokeClient(serverId, row, container);
+                SshExecutor::instance().run(serverId, [this, serverId, row, container]() {
+                    m_coreController->m_usersController->revokeClient(serverId, row, container);
+                });
             });
     connect(m_coreController->m_exportController, &ExportController::renameClientRequested, this,
             [this](const QString &serverId, int row, const QString &clientName, DockerContainer container) {
@@ -202,7 +205,9 @@ void CoreSignalHandlers::initAdminConfigRevokedHandler()
 {
     connect(m_coreController->m_installController, &InstallController::clientRevocationRequested, this,
             [this](const QString &serverId, const ContainerConfig &containerConfig, DockerContainer container) {
-                m_coreController->m_usersController->revokeClient(serverId, containerConfig, container);
+                SshExecutor::instance().run(serverId, [this, serverId, containerConfig, container]() {
+                    m_coreController->m_usersController->revokeClient(serverId, containerConfig, container);
+                });
             });
 
     connect(m_coreController->m_installController, &InstallController::clientAppendRequested, this,

client/core/controllers/selfhosted/installController.cpp

@@ -14,6 +14,7 @@
 #include "core/utils/containers/containerUtils.h"
 #include "core/utils/protocolEnum.h"
 #include "core/utils/selfhosted/sshSession.h"
+#include "core/utils/selfhosted/sshExecutor.h"
 #include "core/installers/awgInstaller.h"
 #include "core/installers/installerBase.h"
 #include "core/installers/openvpnInstaller.h"
@@ -103,7 +104,7 @@ ErrorCode InstallController::setupContainer(const ServerCredentials &credentials
                                             bool isUpdate)
 {
     qDebug().noquote() << "InstallController::setupContainer" << ContainerUtils::containerToString(container);
-    SshSession sshSession(this);
+    SshSession sshSession;
     ErrorCode e = ErrorCode::NoError;
 
     e = isUserInSudo(credentials, sshSession);
@@ -168,11 +169,11 @@ ErrorCode InstallController::updateServerConfig(const QString &serverId, DockerC
         }
         if (container == DockerContainer::MtProxy) {
             ServerCredentials credentials = adminConfig->credentials();
-            SshSession sshSession(this);
+            SshSession sshSession;
             MtProxyInstaller::uploadClientSettingsSnapshot(sshSession, credentials, container, newConfig);
         } else if (container == DockerContainer::Telemt) {
             ServerCredentials credentials = adminConfig->credentials();
-            SshSession sshSession(this);
+            SshSession sshSession;
             TelemtInstaller::uploadClientSettingsSnapshot(sshSession, credentials, container, newConfig);
         }
         adminConfig->updateContainerConfig(container, newConfig);
@@ -188,7 +189,7 @@ ErrorCode InstallController::updateServerConfig(const QString &serverId, DockerC
     if (!credentials.isValid()) {
         return ErrorCode::InternalError;
     }
-    SshSession sshSession(this);
+    SshSession sshSession;
 
     bool reinstallRequired = isReinstallContainerRequired(container, oldConfig, newConfig);
     qDebug() << "InstallController::updateServerConfig for container" << container << "reinstall required is" << reinstallRequired;
@@ -372,7 +373,7 @@ ErrorCode InstallController::validateAndPrepareConfig(const QString &serverId)
 
 void InstallController::validateConfig(const QString &serverId)
 {
-    QFuture<ErrorCode> future = QtConcurrent::run([this, serverId]() {
+    QFuture<ErrorCode> future = SshExecutor::instance().run(serverId, [this, serverId]() {
         return validateAndPrepareConfig(serverId);
     });
 
@@ -970,7 +971,7 @@ ErrorCode InstallController::rebootServer(const QString &serverId)
     if (!credentials.isValid()) {
         return ErrorCode::InternalError;
     }
-    SshSession sshSession(this);
+    SshSession sshSession;
 
     QString script = QString("sudo reboot");
 
@@ -998,7 +999,7 @@ ErrorCode InstallController::removeAllContainers(const QString &serverId)
     if (!credentials.isValid()) {
         return ErrorCode::InternalError;
     }
-    SshSession sshSession(this);
+    SshSession sshSession;
     ErrorCode errorCode = sshSession.runScript(credentials, amnezia::scriptData(SharedScriptType::remove_all_containers));
 
     if (errorCode == ErrorCode::NoError) {
@@ -1020,7 +1021,7 @@ ErrorCode InstallController::removeContainer(const QString &serverId, DockerCont
     if (!credentials.isValid()) {
         return ErrorCode::InternalError;
     }
-    SshSession sshSession(this);
+    SshSession sshSession;
     const amnezia::ScriptVars removeContainerVars =
             amnezia::genBaseVars(credentials, container, QString(), QString());
     const bool removeDataVolume = (container == DockerContainer::MtProxy || container == DockerContainer::Telemt);
@@ -1129,7 +1130,7 @@ ErrorCode InstallController::scanServerForInstalledContainers(const QString &ser
     if (!credentials.isValid()) {
         return ErrorCode::InternalError;
     }
-    SshSession sshSession(this);
+    SshSession sshSession;
 
     QMap<DockerContainer, ContainerConfig> installedContainers;
     ErrorCode errorCode = getAlreadyInstalledContainers(credentials, installedContainers, sshSession);
@@ -1172,7 +1173,7 @@ ErrorCode InstallController::scanServerForInstalledContainers(const QString &ser
 ErrorCode InstallController::installServer(const ServerCredentials &credentials, DockerContainer container, int port,
                                            TransportProto transportProto, bool &wasContainerInstalled)
 {
-    SshSession sshSession(this);
+    SshSession sshSession;
     QMap<DockerContainer, ContainerConfig> installedContainers;
     ErrorCode errorCode = getAlreadyInstalledContainers(credentials, installedContainers, sshSession);
     if (errorCode) {
@@ -1241,7 +1242,7 @@ ErrorCode InstallController::installContainer(const QString &serverId, DockerCon
     if (!credentials.isValid()) {
         return ErrorCode::InternalError;
     }
-    SshSession sshSession(this);
+    SshSession sshSession;
     
     QMap<DockerContainer, ContainerConfig> installedContainers;
     ErrorCode errorCode = getAlreadyInstalledContainers(credentials, installedContainers, sshSession);
@@ -1283,7 +1284,7 @@ ErrorCode InstallController::installContainer(const QString &serverId, DockerCon
 ErrorCode InstallController::checkSshConnection(ServerCredentials &credentials, QString &output,
                                                 std::function<QString()> passphraseCallback)
 {
-    SshSession sshSession(this);
+    SshSession sshSession;
     ErrorCode errorCode = ErrorCode::NoError;
 
     if (credentials.secretData.contains("BEGIN") && credentials.secretData.contains("PRIVATE KEY")) {
@@ -1564,7 +1565,7 @@ ErrorCode InstallController::setDockerContainerEnabledState(const QString &serve
         return ErrorCode::InternalError;
     }
     const QString containerName = ContainerUtils::containerToString(container);
-    SshSession sshSession(this);
+    SshSession sshSession;
     const QString script = enabled ? QStringLiteral("sudo docker start %1").arg(containerName)
                                    : QStringLiteral("sudo docker stop %1").arg(containerName);
     const ErrorCode runError = sshSession.runScript(credentials, script);
@@ -1604,7 +1605,7 @@ ErrorCode InstallController::queryDockerContainerStatus(const QString &serverId,
         stdOut += data;
         return ErrorCode::NoError;
     };
-    SshSession sshSession(this);
+    SshSession sshSession;
     const QString script = QStringLiteral(
             "sudo docker inspect --format '{{.State.Status}}' %1 2>/dev/null || echo 'not_found'")
             .arg(containerName);
@@ -1638,7 +1639,7 @@ ErrorCode InstallController::queryMtProxyDiagnostics(const QString &serverId, Do
     if (!credentials.isValid()) {
         return ErrorCode::InternalError;
     }
-    SshSession sshSession(this);
+    SshSession sshSession;
     return MtProxyInstaller::queryDiagnostics(sshSession, credentials, container, listenPort, out);
 }
 
@@ -1661,7 +1662,7 @@ QString InstallController::fetchDockerContainerSecret(const QString &serverId, D
         stdOut += data;
         return ErrorCode::NoError;
     };
-    SshSession sshSession(this);
+    SshSession sshSession;
     const QString path = QStringLiteral("/data/secret");
     const QString cmd = QStringLiteral("sudo docker exec %1 cat %2").arg(containerName, path);
     const ErrorCode errorCode = sshSession.runScript(credentials, cmd, cbReadStdOut);

client/core/utils/selfhosted/sshExecutor.cpp

@@ -0,0 +1,33 @@
+#include "sshExecutor.h"
+
+SshExecutor &SshExecutor::instance()
+{
+    static SshExecutor executor;
+    return executor;
+}
+
+SshExecutor::~SshExecutor()
+{
+    QMutexLocker lock(&m_mutex);
+    for (QThreadPool *pool : std::as_const(m_pools)) {
+        pool->waitForDone();
+        delete pool;
+    }
+    m_pools.clear();
+}
+
+QThreadPool *SshExecutor::poolFor(const QString &serverId)
+{
+    QMutexLocker lock(&m_mutex);
+
+    auto it = m_pools.find(serverId);
+    if (it != m_pools.end()) {
+        return it.value();
+    }
+
+    auto *pool = new QThreadPool();
+    pool->setMaxThreadCount(1);   // serialize all SSH ops for this server
+    pool->setExpiryTimeout(-1);   // keep the single worker thread alive between ops
+    m_pools.insert(serverId, pool);
+    return pool;
+}

client/core/utils/selfhosted/sshExecutor.h

@@ -0,0 +1,47 @@
+#ifndef SSHEXECUTOR_H
+#define SSHEXECUTOR_H
+
+#include <QHash>
+#include <QMutex>
+#include <QString>
+#include <QThreadPool>
+#include <QtConcurrent>
+
+#include <utility>
+
+// Per-server serial executor for long-running self-hosted SSH operations.
+//
+// All SSH work for a given serverId is queued onto a dedicated single-thread
+// pool, so operations to the same server run strictly one at a time (no
+// concurrent SSH sessions to one host => no races, and a natural guard against
+// double-run). Operations to different servers still run in parallel.
+//
+// NOTE: do NOT route nested workers that are awaited from within an already
+// queued operation (e.g. InstallController::isServerDpkgBusy) through the same
+// per-server pool — the single worker thread would block waiting on itself.
+// Such nested helpers must keep using the global QThreadPool.
+class SshExecutor
+{
+public:
+    static SshExecutor &instance();
+
+    SshExecutor(const SshExecutor &) = delete;
+    SshExecutor &operator=(const SshExecutor &) = delete;
+
+    template <typename Functor>
+    auto run(const QString &serverId, Functor &&functor)
+    {
+        return QtConcurrent::run(poolFor(serverId), std::forward<Functor>(functor));
+    }
+
+private:
+    SshExecutor() = default;
+    ~SshExecutor();
+
+    QThreadPool *poolFor(const QString &serverId);
+
+    QHash<QString, QThreadPool *> m_pools;
+    QMutex m_mutex;
+};
+
+#endif // SSHEXECUTOR_H

client/ui/controllers/selfhosted/installUiController.cpp

@@ -11,6 +11,7 @@
 #include <QtConcurrent>
 
 #include "core/utils/api/apiUtils.h"
+#include "core/utils/selfhosted/sshExecutor.h"
 #include "core/controllers/selfhosted/installController.h"
 #include "core/controllers/connectionController.h"
 #include "core/utils/networkUtilities.h"
@@ -330,7 +331,7 @@ void InstallUiController::updateServerConfig(const QString &serverId, int contai
         ContainerConfig oldConfigCopy = oldContainerConfig;
         InstallController *installController = m_installController;
         QFuture<ErrorCode> future =
-                QtConcurrent::run([installController, serverId, container, oldConfigCopy,
+                SshExecutor::instance().run(serverId, [installController, serverId, container, oldConfigCopy,
                                    newConfigCopy]() mutable -> ErrorCode {
                     return installController->updateServerConfig(serverId, container, oldConfigCopy, newConfigCopy);
                 });
@@ -478,7 +479,7 @@ void InstallUiController::removeContainer(const QString &serverId, int container
                          });
 
         InstallController *installController = m_installController;
-        QFuture<ErrorCode> future = QtConcurrent::run(
+        QFuture<ErrorCode> future = SshExecutor::instance().run(serverId,
                 [installController, serverId, container]() -> ErrorCode {
                     return installController->removeContainer(serverId, container);
                 });

service/server/killswitch.cpp

@@ -318,7 +318,7 @@ bool KillSwitch::enableKillSwitch(const QJsonObject &configStr, int vpnAdapterIn
     LinuxFirewall::setAnchorEnabled(LinuxFirewall::Both, QStringLiteral("100.blockAll"), blockAll);
     LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("110.allowNets"), allowNets);
     LinuxFirewall::updateAllowNets(allownets);
-    LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("120.blockNets"), blockNets);
+    LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("120.blockNets"), blockAll);
     LinuxFirewall::updateBlockNets(blocknets);
     LinuxFirewall::setAnchorEnabled(LinuxFirewall::Both, QStringLiteral("130.allowMarkedXray"), true);
     LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("200.allowVPN"), true);