/srv/irclogs.ubuntu.com/2014/07/07/#ubuntu-devel.txt

RAOFmwhudson: You could add that amd64 as a foreign arch to dpkg?00:23
RAOFmwhudson: I think?00:24
mwhudsonRAOF: how do i do that again?00:33
mwhudsonoh dpkg add-architecture00:34
mwhudsonbut no00:34
mwhudsonW: Failed to fetch http://www.apache.org/dist/cassandra/debian/dists/20x/InRelease  Unable to find expected entry 'main/binary-arm64/Packages' in Release file (Wrong sources.list entry or malformed file)00:34
tarpmanmwhudson: you can arch-qualify the sources.list entry... I think [amd64] is the syntax, forget where it goes :)00:40
mwhudsondeb arch=amd64 i think maybe?00:41
mwhudsoner00:42
mwhudsondeb [arch=amd64] http://www.apache.org/dist/cassandra/debian 20x main00:43
mwhudsonapparently00:43
mwhudsontarpman: thanks :)00:43
=== yuning is now known as yuning-lunch
=== yuning-lunch is now known as yuning
pittiGood morning05:41
dholbachgood morning06:39
mvohey dholbach06:42
dholbachhey mvo06:43
michagogoHey, any SRU team members (other than cjwa tson) around?07:35
=== timrc-afk is now known as timrc
=== dholbach_ is now known as dholbach
xnoxpitti: on http://dep.debian.net/deps/dep8/ "current specification" link is 404.10:37
xnoxpitti: can you update it to point to the right place? And what is the right place these days?10:38
pittixnox: indeed, should be http://anonscm.debian.org/gitweb/?p=autopkgtest/autopkgtest.git;a=blob_plain;f=doc/README.package-tests.rst;hb=HEAD10:38
pittixnox: I renamed the files to *.rst10:38
pittixnox: I can't update it myself, but I'll find out who can10:38
xnoxpitti: ok. Are you setting up read-the-docs for autopkgtest? it could process rst to make it look all dandy and stuff.10:39
pittixnox: the package builds nice *.html files from those now and ships them in /usr/share/doc/10:39
xnoxpitti: ah, cool.10:39
pittixnox: I haven't felt a strong urge to put them elsewhere, but if there's demand why not10:39
xnoxpitti: hm, i think dep8 website can parse RST as well, no? Would be nice if that was the thing directly.10:43
pittioh, http://dep.debian.net/recentchanges/ looks like some svn10:43
pittixnox: I'll check out http://dep.debian.net/depdn-howto/ after I'm done with my current multi-thread unwrangling (sorry, too much brain state)10:44
xnox=))))10:45
ogra_xnox, do you happen to know if anyone in foundations works on bug 1323732 (did you discuss it in a meeting perhaps) ?10:49
ubottubug 1323732 in adduser (Ubuntu) "adduser should support managing additional password/shadow/group files from libnss-extrausers" [High,Confirmed] https://launchpad.net/bugs/132373210:49
ogra_(see my last mail to ubuntu-phone)10:49
ogra_steve asked me to initially assign it to hi so he could hand it to someone after malta ... looks a bit like it was forgotten10:50
ogra_*him10:50
xnoxogra_: there is no confirmation that slangasek has recovered after 4th of july yet. Since it is still assigned to Steve, I believe you should be poking him.10:54
xnoxogra_: typically he changes assignee when he hands stuff over.10:54
=== MacSlow is now known as MacSlow|lunch
ogra_xnox, right, just wanted to know if it came up in some team discussion or so11:03
ogra_thanks11:03
pittixnox: so I committed http://lists.alioth.debian.org/pipermail/dep-commits/2014-July/000316.html but I guess it'll take a bit to propagate to the website12:20
=== MacSlow|lunch is now known as MacSlow
=== _salem is now known as salem_
=== ubott2 is now known as ubottu
=== Trevinho_ is now known as Trevinho
=== Adri2000 is now known as Guest67185
=== ming is now known as Guest65048
pittimvo: FYI, $USER is now set for root tests in CI12:51
mvopitti: thanks !12:53
=== iulian_ is now known as iulian
=== Guest67185 is now known as Adri2000_
mino_corehello :)13:56
mino_coreis there a way to install the grub deb in a none interactive way, he is askin "Continue without installing GRUB?" and i want to answer with yes13:57
mlankhorstsetting question priority lower13:58
mino_corei need that for an automated build of ubuntu, but havent found yet a solution for it13:58
mlankhorstmaybe apt-get -qq ?14:01
gesershouldn't setting the debconf frontend to non-interactive help?14:03
mlankhorstoh that one :-)14:03
ogra_Laney, hmm, did you see my latest meta upload ? seems desktop-next inhertis some stuff from somewhere that touch doesnt have ...14:07
ogra_(i added all the entries equally to touch and desktop ... but only tcptraceroute was pulled into desktop)14:07
Laneylink?14:08
ogra_Laney, https://launchpad.net/ubuntu/utopic/+source/ubuntu-touch-meta/1.16214:09
ogra_Laney, bah, ignore me ... i'm blind14:09
Laneyright... was wondering :)14:09
ogra_(somehow the evolution formatting made me miss "desktop" in all these lines)14:10
=== desrt_ is now known as desrt
=== doko_ is now known as doko
=== tarpman_ is now known as tarpman
slangasekxnox: I suppose we /can/ keep startpar disabled, but is there a specific reason you want to?  I hadn't heard about any problems in this regard15:05
michagogoslangasek: hey, you're SRU team, right?15:19
michagogoJust wanted to make sure you saw my email to the ubuntu-devel mailing list15:20
michagogoIt would be very much appreciated if you could comment, do whatever is needed to move this along15:20
xnoxslangasek: reasons to keep startpar disabled are as follows -> generally unreliable startpar-bridge integration. (a) task jobs hanging boot/shutdown (b) jobs set to manual (e.g. via override file) hanging boot/shutdown (c) little interim gain in resolution of a/b, taking away time to better support systemd (d) startpar is not used under systemd15:21
Shockpitti: hi, any idea of a time frame on LP: #1247584 ?16:43
ubottuLaunchpad bug 1247584 in systemd (Ubuntu) "[keymap] Since upgrade to Ubuntu 13.10, udev doesn't map middle mouse button." [Undecided,In progress] https://launchpad.net/bugs/124758416:43
ShockI'm unable to find a branch in LP that contains the release of package systemd (204-5ubuntu20.3). Am I not searching where I should, or was that package generated outside of LP/bzr?16:46
Shockdistro is trusty16:46
dokojamespage, is this server-team stuff? https://jenkins.qa.ubuntu.com/view/Utopic/view/AutoPkgTest/job/utopic-adt-mongodb/lastBuild/? blocks gcc-4-9, although it is not used17:46
=== alexisb is now known as alexisb_lunch
xnoxShock: there is no branch for it, the upload is here however https://launchpad.net/ubuntu/+source/systemd/204-5ubuntu20.3 which also has links to build-records (and thus debs) and a diff against previous upload (20.2)18:27
xnoxShock: it's been released to updates pocket last thursday.18:27
Shockxnox: thanks, is there a way to create a daily build if there's no branch for it?18:35
dobeyxnox, Shock: looks like there's a branch for it to me18:36
Shockdobey: how did you find the branch?18:36
dobeyoh, i guess it didn't import18:38
dobeyShock: why would you want to create a daily build for a specific version anyway?18:38
Shockdobey: I want to build udev automatically (with a patch) whenever a new version is released18:39
dobeyShock: in general, or only to trusty-updates?18:40
dobeyin general, i don't see why you wouldn't use lp:ubuntu/systemd to do that18:41
Shockdobey: I'm not sure what that means; I'm only interested in trusty atm18:41
dobeythough i don't know how you plan on adding the additional patch exactly18:42
Shockdobey: I couldn't find the changes that were in https://launchpad.net/ubuntu/+source/systemd/204-5ubuntu20.3 in lp:ubuntu/systemd18:42
Shockdobey: I plan to use build recipes in launchpad18:42
dobeyyeah i'm not sure why they aren't in utopic there18:42
dobeystgraber: ^^ why is that? :)18:42
dobeyShock: i don't see how you will add another patch though18:43
Shockdobey: merge from a personal branch?18:43
dobeyShock: you're going to have to manually resolve conflicts every time there's an update, most likely18:43
stgraberdobey: probably because the importer is broken somehow, that happens.18:44
stgraberdobey: IIRC the Ubuntu systemd packaging is maintained in a git branch on alioth, so I usually just upload to the archive and let pitti deal with the VCS18:44
Shockdobey: the only conflict would be in debian/patches/series18:44
dobeystgraber: i mean, why are those changes from the trusty update, not in utopic?18:44
Shockdobey: and I'm pretty sure I can avoid the conflict by putting my patch as the first line in the series18:45
stgraberdobey: they are in utopic18:45
dobeystgraber: hmm, Shock said he couldn't find them in the utopic package.18:46
stgraberthose fixes were uploaded in 204-10ubuntu9 or earlier18:46
dobeyah ok18:46
stgraberthe whole point of the SRU to trusty was to get all the fixes of utopic in there so the cgmanager integration patch is now identical in both18:47
dobeyShock: what does your additional patch do exactly, anyway? why not just get it into debian/ubuntu?18:47
Shockdobey: it makes my mouse work :). it's taking too long to get it in ubuntu/upstream LP: #124758418:48
ubottuLaunchpad bug 1247584 in systemd (Ubuntu) "[keymap] Since upgrade to Ubuntu 13.10, udev doesn't map middle mouse button." [Undecided,In progress] https://launchpad.net/bugs/124758418:48
dobeypitti: ^^ get that in already. :)18:49
Shockdobey: in any case, knowing how to build a package with changes wrt official package would help me in other situations18:50
Shockdobey: I'd rather not go through the whole manual ordeal every time the package is updated in the oficial repos18:51
dobeyShock: i'd suggest doing it against trying to build against lp:ubuntu/systemd then18:51
Shockdobey: is there a way I can target the trusty version in a lp build recipe?18:52
dokodirecthex, mono ping18:52
xnoxShock: in the recipe config you specify target distributions to build against....18:53
dobeyShock: you mean build it on trusty, or you mean patch against the trusty version?18:53
xnoxShock: hence yes, you control which distribution(s) a given recipe will be build.18:53
Shockdobey: patch against the trusty version18:53
dobeyShock: use the trusty branch, but i don't see why you need to use that specific branch, versus just using the actual newest version18:53
dobeyunless the utopic version outright fails to build on trusty or causes it to explode or something18:54
xnoxShock: lp:ubuntu/* branches are never guaranteed to be up-to-date, as the archive is authoritative source, not the bzr branches. Thus e.g. kubuntu folks maintain automated rebuilds outside of bzr branches & recipes.18:54
dobeyimport failures are pretty common too18:55
Shockdobey: I had planned to build against lp:ubuntu/trusty/systemd but I couldn't find the latest changes in there18:55
xnoxShock: instead they automate $ pull-lp-sources; wget -O /tmp/my.patch ....; quilt import /tmp/my.patch; debuild -S; dput ppa:....18:55
dobeyShock: no, they should appear in trusty-updates and trusty-proposed, once imported18:55
dobeyassuming a successful import18:55
xnoxShock: once trusty is released, it's release pocket is frozen. Thus lp:ubuntu/trusty/systemd will never update.18:55
Shockxnox: hmm, that would work. thanks18:55
xnoxShock: the pockets which are updated are trusty-updates, trusty-proposed and trusty-security, iff the import succeeds.18:56
Shockxnox: the latest udev release was in the trusty pocket18:56
xnoxShock: it's been attempted to fully automate merging builds, but it ultimately fails. Just because your patch still applies, doesn't mean that it will build, or if it builds, it doesn't mean it will be operating correctly.18:57
ShockI also looked at lp:ubuntu/trusty-proposed/systemd18:57
xnoxShock: branches are not up to date....18:57
xnox$ rmadison -S systemd | grep source18:57
xnox systemd                | 204-0ubuntu18     | saucy                                | source18:57
xnox systemd                | 204-0ubuntu19.2   | saucy-updates                        | source18:57
xnox systemd                | 204-5ubuntu20     | trusty                               | source18:57
xnox systemd                | 204-5ubuntu20.3   | trusty-updates                       | source18:57
xnox systemd                | 204-12ubuntu1     | utopic                               | source, amd64, arm64, armhf, i386, powerpc, ppc64el18:57
Shockit seems I'm misunderstanding something :(18:57
xnox$ bzr branch lp:ubuntu/trusty-proposed/systemd18:59
xnoxMost recent Ubuntu Utopic version: 204-12ubuntu118:59
xnoxPackaging branch version: 204-10ubuntu118:59
xnoxPackaging branch status: OUT-OF-DATE18:59
Shockare the packages in trusty generated from lp:ubuntu/systemd? it seems not19:00
xnoxShock: Manual source builds are uploaded and published into the archive, once published binaries are build, after that importer walks the archive trying to create bzr branches lp:ubuntu/* if it manages to sucseed.19:00
xnoxShock: no, ubuntu is not build from bzr branches.19:00
Shockxnox: ok, that clears up a lot19:00
xnoxShock: pull-lp-source systemd trusty -> will fetch the latest trusty sources (including security, updates and proposed-updates)19:01
xnoxShock: if you want at most security -> specify trusty-security; for at most released updates -> specify trusty-updates19:01
hallyninfinity: hey, we're having the grooviest of times looking at the SRU for docker.io.  Looking at rmadison output for golang-context-dev, the source pkg version is older than the package version...  i'm confused.19:01
hallynxnox: ^  or you probably know offhand what's going on :)19:02
xnoxhallyn: looking. infinity is on hooligans.19:03
xnox* holidays19:03
Shockxnox: ok, that helps. There's no equivalent for "pull-lp-source systemd trusty" in a build recipe, correct?19:03
xnoxShock: no19:03
hallynxnox: ah, thanks :)19:03
xnoxShock: not, inside launchpad that is.19:03
xnoxhallyn: yeah, that looks very very odd.19:04
xnoxhallyn: i'm guessying there was a partial / timed-out copy, and or partial delete/removal.19:04
* hallyn quickly checks the others i'll be depending on,19:05
directhexdoko, pong19:05
xnoxhallyn: which release are you enquiring about? utopic?19:05
hallynxnox: golang-pty-dev too19:05
directhexdoko, although i'm about to go to the supermarket19:05
hallynxnox: yeah, utopic, we'll need those SRUd to trusty <cringe>19:06
dokodirecthex, could you upload a mono version using my pretty printers patch?19:06
xnoxhallyn: golang-context-dev in utopic looks insane. ditto golang-pyt-dev19:06
hallynxnox: AND golang-mus-dev too19:06
hallyngolang-mux-dev that is19:06
directhexdoko, where is that patch? LP?19:07
hallynxnox: so what, we grab the .dsc from lp and re-push with a 'b1' version extension?19:08
dokodirecthex, https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=75266119:08
ubottuDebian bug 752661 in src:mono "make the -gdb.py file compatible with python3" [Normal,Open]19:08
Shockxnox, dobey: thanks19:08
directhexoh fuck me, i totally forgot about that one19:08
hallynchangelog "rebulid bc solar flares" ?19:08
directhexdoko, yes, totally will do that later today19:08
dokodirecthex, I would appreciate it if you could do a trusty SRU too19:08
xnoxcjohnston: wgrant: slangasek: looking at $ rmadison -S golang-context-dev -> and then inspecting launchpad looks crazy inconsistent. http://archive.ubuntu.com/ubuntu/pool/universe/g/golang-context/golang-context-dev_0.0~git20140522.1.1f3e8a4-2_all.deb is Available to download, yet launchpad has no idea about such a source version number, nor binary version number.19:09
xnoxcjwatson: ^19:09
dokocjohnston seems to be a problem ;-P19:09
xnoxhallyn: it looks beyond my powers. I believe you need people with powers as above, sans s/cjohnston/cjwatson/ (thanks doko ;-PPPPP it's not like i didn't notice ;-) )19:10
jdstrandmdeslaur, pitti (and tyhicks): https://code.launchpad.net/~ubuntu-core-dev/apparmor/master being out of date is just an oversight19:10
xnoxdoko: or e.g. do you have special launchpad powers?19:10
jdstrandmdeslaur, pitti (and tyhicks): lp:~apparmor-dev/apparmor/apparmor-ubuntu-citrain is an experiment19:10
mdeslaurjdstrand: oh, hrm, ok19:11
jdstrandmdeslaur: we talked about this before with your last upload19:11
hallynxnox: thanks :)19:11
mdeslaurwell, my memory of that talk was that we were switching to the other one :P19:11
jdstrandwe don't have a resolution yet cause we haven't done enough experimenting yet19:11
xnoxhallyn: so the source and binary are in the archive, as seen here http://archive.ubuntu.com/ubuntu/pool/universe/g/golang-context/ yet launchpad has no recollection of building of publishing that.19:12
jdstrandmy resolution was you said that you wanted to always use https://code.launchpad.net/~ubuntu-core-dev/apparmor/master19:12
Shockxnox: would pull-lp-source, patch locally then bzr push to personal branch that has build recipe work?19:12
hallynxnox: and same with the other two i assume?19:12
jdstrands/resolution/recollection/19:12
mdeslaurjdstrand: heh :)19:12
hallynShock: no, pull-lp-source won't grab it19:12
mdeslaurjdstrand: I'll update it, thanks19:12
jdstrandand that I said, "well, it isn't important enough to be distracted by it now, so let's wait"19:12
hallyn(which was why i suggested dget on the .dsc)19:12
jdstrands/that/then/19:12
Shockhallyn: pull-lp-source to get archive version of package19:13
hallynShock: it will grab the old version19:13
jdstrandmdeslaur: you had reservations about all the apparmor devs having commit access. I think that is a valid concern worth discussing19:13
desrtjdstrand: mdeslaur, hallyn: now that i have you all in one place: libvirt + qemu + apparmor was giving me quite some grief yesterday19:13
mdeslaurdesrt: how so?19:14
desrtit seems that adding custom commandline arguments to a libvirt vm config is a really great way of triggering apparmor violations19:14
xnoxShock: it may. pull-lp-source gives you an unpacked debian source package. It's not a branch. You can e.g. bzr init; bzr commit; bzr push as you wish, etc.19:14
jdstrandyes, I would think it would be19:14
desrtwhich i responded to in the usual way: uninstall apparmor19:14
* jdstrand shakes head19:14
mdeslaurdesrt: yes, if you customize configs, you need to customize the profile19:14
desrtbut once you do this, libvirt can no longer start qemu instances at all19:14
jdstrandwhy not just update the profile?19:14
desrtbecause i don't know how19:15
jdstrandso, you should be able to uninstall apparmor and have it work, but you need to restart it19:15
mdeslaurdesrt: so you're looking for a link to the documentation? :)19:15
desrtuninstalling apparmor shouldn't cause libvirt to stop working in any case...19:15
hallyndesrt: if libvirt thinks it should be able to confine the vm and now it can't, it'd be unsafe for it to do so19:16
desrtjdstrand: restart libvirt?  i did try that.... didn't help.19:16
hallyndesrt: but here, #ubuntu-hardened ,and #ubuntu-servrer are good places to ask how to update the profile :)  do you have DENIED messages in syslog?19:16
xnoxhallyn: how do you know about those uploads and binaries? and where are they actually coming from? Since those version numbers do not exist in debian and are mysteriously published19:16
xnoxhallyn: who/where/what uploaded them?19:16
hallynxnox: i looked at the dpkg-checkbuilddeps for docker.io19:16
desrthallyn: yes.  finally figured out why my disk image which was owned by the right person (and set 666 out of desperation) was getting me "Permission denied" errors when i checked dmesg19:16
hallynxnox: i have no idea.  lemme try one thing,19:16
jdstrandyou can also adjust /etc/libvirt/qemu.conf to have: security_driver = "none"19:17
desrtafter an hour and a half of wasting my time...19:17
desrtjdstrand: great advice.  thanks!19:17
xnoxhallyn: scary they happened on 13th of June. I'm not supersticious but still.19:17
hallynsacre bleu!19:17
* desrt will try that tonight once home again19:17
hallynxnox: wow, i see.  i figured 'full publishing history' on lp would show the 2014 version19:18
hallynxnox: do you know who synced docker.io?19:19
hallyni would bet that person at least knows who did golang-context-dev19:19
jdstranddesrt: I maintain adjusting the policy is the safest option. also, libvirtd should be able to run with apparmor uninstalled. I can't really debug what happened over the weekend, but uninstalling apparmor may have left the profile loaded in the kernel. if you uninstalled and rebooted and it didn't start, then there is a bug (it used to work)19:19
desrtfwiw, i think i discovered a big part of what makes me hate on apparmor so much, and it would not be too hard to fix it:19:19
desrtreturning EACCES on apparmor errors is extremely user-unfriendly19:20
jdstrandit is EACCES and not EPERM?19:20
desrtsome new ESECURITY with corresponding "access denied by security framework" or so would mean i don't spend so long pulling my hair out19:21
desrtmay have been EPERM.19:21
jdstrandthat isn't how the kernel LSM works aiui. perhaps jjohansen could comment19:21
xnoxhallyn: no. actually everything is fine.19:22
desrtno... it was EACCES -- "Permission denied" (i remember the error message)19:22
desrtEPERM would have been "Operation not permitted"19:22
hallynxnox: oh?19:22
xnoxhallyn: golang-context-dev source package got renamed to golang-context in utopic19:22
xnoxhallyn: rmadison -S golang-context19:22
xnoxhallyn: rmadison -S golang-context-dev19:22
xnoxhallyn: and read sanity from that =)19:22
hallynoh for pete's sake19:23
jjohansenjdstrand, desrt: yep mostly we return EACCES that is there error the security frame work is supposed to use19:23
hallynso same with the others i assume;  checking19:23
jjohansenyes19:23
xnoxhallyn: yes.19:23
desrtseems weird to mix "error that happens under normal circumstances" with "error that should only fire if something very very bad has happened"19:23
mdeslaurdesrt: yeah, more info would be nice...Dan Walsh wanted to do that at some point: http://thread.gmane.org/gmane.comp.lib.glibc.alpha/2823919:24
* desrt assumes apparmor is in place here to mitigate (for example) the VM guest attacking one of the device drivers in qemu and breaking out of isolation19:24
xnoxcjwatson: wgrant: slangasek: never mind. hallyn and I got confused about golang-*-dev source packages renamed to golang-* whilst keeping all binary names same.19:24
hallynxnox: and yet not for golang-gocapability-dev :)19:24
xnoxhallyn: for SRU, you'd need to rename them back I believe. as in golang-mux SRU will be for golang-mux-dev, cause it's insane to rename source packages in stable releases =)19:25
hallynxnox: thanks :)19:25
* xnox goes out for dinner19:25
desrtmdeslaur: big +1 on this email from me....19:25
hallynxnox: that's gonna hurt - but thanks19:25
jdstranddesrt: it is about protecting vms from each other and vms having various resources on the host. it doesn't do anything for hypervisor (which are in kernel)19:26
desrthis words about "lucky enough or skilled enough to know where to look..." is completely true.... (not to mention adding on "connects the dots and remembers....")19:26
desrtjdstrand: ya... but the various device drivers are implemented in the qemu binary... if you figured out a way to buffer-overflow one of those (for example) then you could run code as the qemu binary19:27
desrtand for example, open files on the host and pass their contents into the guest...19:27
mdeslauryes, the qemu device drivers are an attack vector19:27
jdstranddesrt: the qemu binary is run under confinement. what you describe is one thing apparmor protects19:28
desrti've noticed that libvirt goes out of its way to pass most things into qemu via file descriptors.... that's nice.19:30
jdstrandyeah19:30
desrtseems like a good usecase for seccomp :)19:32
mdeslauryep19:32
tyhicksthat has been something qemu upstream has wanted for quite a while19:34
=== alexisb_lunch is now known as alexisb
tyhickslooks like they do utilize seccomp nowadays, but the syscall whitelist is pretty large19:36
* desrt waits until capsicum is completely reimplemented19:37
hallynpackage versioning question :)  from trusty to utopic, source package was renamed from golang-pty-dev to golang-pty.19:39
hallynto sru that back to trusty, we need to change the source name back.  what to call the version number?19:39
hallynin utopic, it's now 0.0~git20140315.1.67e2db2-119:39
hallynshould we call it 0.0~git20140315.1.67e2db2-1ubuntu1.14.04.1 ?19:39
mdeslaurhopefully someone will fix LSM stacking before capsicum gets implemented19:40
hallynmdeslaur: har har19:40
mdeslauryeah, exactly :)19:40
=== salem_ is now known as _salem
=== mwhudson_ is now known as mwhudson
slangasekmichagogo: yes, I did see that mail and it's in my queue to answer20:45
michagogoslangasek: Great, thanks.20:46
michagogo(I just want to avoid it stagnating again)20:46
slangasekxnox: so if we don't enable startpar, what happens to an init script that has a dependency on a script that shadows an upstart job?  Are we force-starting the upstart job from the init script hooks, ignoring the upstart job's own dependency declarations?  Or are we letting the dependent init script start without its dependencies guaranteed to be satisfied?  Or are we assuming this case is negligible?20:47
xnoxslangasek: it must source /lib/lsb/init-functions and if there is matching /etc/init/foo.conf and we are running under upstart it gets short-cirtuited in favor of upstart.20:49
slangasekwhat does "short circuited" mean in this context?  pass-through, or no-op?20:50
xnox(this is not present in debian, where instead startpar & startpar-bridge is envofrced)20:50
slangasekbecause both have implications for reverse-dep init scripts20:50
xnoxslangasek: if called as /etc/rc?.d/[KS]??* -> no-op. If called as /etc/init.d/$foo -> pass through.20:50
xnoxslangasek: imho we should be removing init.d scripts where both systemd unit & upstart jobs exist.20:51
slangasekxnox: "we" being Ubuntu, I guess, since that's a non-starter for Debian?  That implies more divergence where we would like less20:52
xnoxslangasek: and all "key dependency" init.d scripts -> are either no-op upstart jobs on some arbitrary events (always satisfied before going into a particular runlevel) or symlinked to /dev/null on systemd side.20:52
xnoxslangasek: yes, "we" being Ubuntu.20:52
slangasekwell, what's a key dependency here?20:52
xnoxslangasek: non-LSB defined dependencies currently used by debian scripts.  "umountroot checkfs unmountfs" etc.20:53
xnoxmountall20:54
xnoxslangasek: does startpar enforce dependencies? apart from ordering based on dependencies?20:54
slangasekxnox: what I mean is, have you reviewed all such dependencies provided by packages that also ship an upstart job and confirmed that only ones in /etc/rcS.d matter?20:54
directhexdoko, building, for sid. SRU will take longer20:55
xnoxslangasek: i have not. But isn't my fastest path to systemd by default to (a) write systemd units for packages that have upstart jobs only (b) keep init.d scripts as they are, or if they need event ordering replace them by systemd units20:57
xnoxthus all non-trivial init.d scripts, and upstart-only should get systemd treatment and job's done.20:58
xnoxnon-trivial init.d scripts are those that e.g. currently depend on upstart-tasks.20:58
xnoxor are in rcS etc.20:59
xnoxslangasek: we have insserv enabled today, without startpar. And that's enough for correct behaviour under systemd, and is correct enough under upstart with our lsb-initfunctions.d hook.21:00
slangasekxnox: fastest path> we definitely have to have the boot working correctly for our users under either of upstart or systemd for 14.10; it sounds like you're proposing to sacrifice correctness under upstart in order to speed up the transition21:01
slangasekI'm not convinced of the "correct enough" without seeing the data to back this up21:02
xnoxslangasek: enabling startpar will regress boot under upstart for user in 14.10. I would like to avoid regressions under upstart (e.g. boot hangs for whatever reason, and didn't previously)21:03
slangasekxnox: my doubt is whether reintroducing the init scripts (which were previously stripped from Ubuntu packages) is enough on its own to regress boot for some overlapping set of users21:04
xnoxintroducing init.d scripts, as we have to this point, is also regressing boot under upstart.21:04
xnoxtrue.21:04
slangasekyes21:04
xnoxbut we do want inserv support, given that there are packages in debian today that don't support non-inservv installation.21:05
xnoxthat's necessary.21:05
slangasekwhere insserv gives us the symlink ordering on disk, but does not do the dependency-based boot of init.d21:07
xnoxso, if I do a diff of sid vs utopic: if an init.d script is missing in utopic, but present in sid, it must have both upstart+systemd jobs in utopic.21:07
xnoxslangasek: well, insserv gives us on-disk correct ordering - same as we have to date with upstart, and it works well enough. (no regression)21:08
slangasekif we're not using startpar, and the initscript is a no-op at boot, I don't see any reason to remove the init script in Ubuntu21:08
xnoxslangasek: and systemd parses lsb-headers itself and can do dependencies without startpar et.al.21:08
xnoxslangasek: true.21:08
xnoxslangasek: it's just we need to identify them correctly.21:09
slangasekidentify them for what purpose?21:09
xnoxfor removal in ubuntu =)21:09
xnoxwe re-introduced a bunch of them by now.21:09
xnox*we have re-introduced a bunch of them by now.21:10
slangasekbut removing them doesn't improve anything21:10
slangasekso we should just not remove them, in which case we also don't need to identify them21:10
xnox=))))21:10
slangasekthe one impact this *will* have is on boot speed under upstart21:11
slangasekwhich was part of what startpar was meant to address21:11
slangasekthe fork+exec+source for each reinstated init script will be non-negligible21:11
xnoxslangasek: true, boot speed will regress under upstart. And we will no longer have fair comparison against systemd to spot regressions.21:11
xnoxslangasek: how do I make startpar bridge reliable for real? one suggestion, is to make upstart-startpar-bridge instances write out files in /run, which startpar can inspect to get complete cold-boot picture, in addition to interractive notifications.21:12
xnox(b) how to properly "pass" init.d scripts that bailed-out in pre-start21:13
xnox(c) how to properly "pass" init.d scripts for which upstart job got "manual"-ed21:13
xnox(a) above was, how to get correct state from before startpar is executed (i.e. catch tasks)21:14
slangasekxnox: "reliable for real"> so requiring all upstart jobs that map to existing init scripts be non-task non-instance jobs was insufficient to make it reliable?21:16
slangasekthe /run trick wouldn't help for c)21:17
xnoxslangasek: that resolves (a). It doesn't resolve (b) nor (c). And doesn't help to resolve (a) for sysadmin/3-rd party vendor installed system upstart job & init.d script  (e.g. plex server)21:18
xnoxi.e. making upstart jobs non-task/non-instance in distro, only resolves it in distro.21:18
slangasekxnox: plex server both has a task/instance upstart job, and reverse-dependencies of its init script?21:18
slangasekbearing in mind that otherwise, the failure scenario here should be "startpar never finishes", not "system hangs on boot"21:19
xnoxslangasek: [and reverse-dependencies] is redundant.21:19
slangasekno21:19
slangasekbecause nothing else should care if startpar hangs waiting for a single job that will never finish21:19
xnoxslangasek: starpar hangs on instance/tasks that are in TARGETS = without any reverse-depends.21:19
slangasekyes, but "startpar hangs" doesn't break the system, it just leaves an annoying startpar process running21:20
=== _salem is now known as salem_
slangasekunless this has changed?21:20
xnoxhanging startpar => fail to reach runlevel 2 => fail to run tty1 => fail to start startpar for shutdown.21:20
slangasekno21:20
slangasekstartpar is run twice, once for rcS and once for rc221:20
xnoxthat's what pitti and I have seen.21:20
slangasekwe need startpar for rcS to be reliable, if it's used21:20
slangasekbut there should be no third-party init scripts in rcS21:20
xnoxok.21:21
slangasekand for rc2, startpar is called *after* the runlevel event is emitted; and nothing else cares if startpar finishes21:21
xnoxslangasek: i beg to differ.21:21
slangasekthe 'rc' job will never finish, until another 'runlevel' event is sent21:21
slangasekxnox: for runlevel 2, the runlevel event is emitted by rc-sysinit; startpar is invoked from rc21:22
xnoxslangasek: tty1.conf is start on stopped runlevel [2345], hanging rc runlevel 2 job, prevents tty1.conf from running.21:22
xnoxsorry21:22
xnoxtty1.conf is start on stopped *rc RUNLEVEL=[2345]*21:22
slangasekright, tty1 is a special case21:22
slangasekspecifically because we want the prompt to wait until all our startup jobs have finished outputting21:22
xnoxand not-starting tty1 imho is a critical regression.21:22
slangasekhmm, I don't agree21:23
slangasekanyone who cares about the prompt on tty1 should certainly also know how to switch VTs to log in on tty221:23
slangasekand everyone who doesn't care about the prompt on tty1 is looking at lightdm anyway, which has no such dependency21:23
xnoxclouds don't know how to switch ttys =)21:23
xnoxyou just broke cloud-init21:23
slangasekthe cloud's console isn't on tty1 either, is it?21:24
xnoxsome of them are21:24
xnoxI have used crappy clouds though =)21:24
slangasekhmm21:24
* xnox being Latvian and all that shady torrent-boxes of mine21:24
slangasekI know there was talk about supporting consoles in the cloud images, but I thought they were serial console21:24
slangaseksmoser: ^^ can you set me straight here?21:25
utlemmingslangasek: it depends on the cloud. There are clouds with all sorts of console. OpenStack clouds tend to offer consoles.21:25
slangasekutlemming: a console in the form of tty1 with no VT switching?21:26
xnoxslangasek: easier than that. "cloud-final is start on (stopped rc RUNLEVEL=[2345] and stopped cloud-config)21:26
xnox"21:26
slangasekman21:26
xnoxslangasek: thus without a complete rc, we don't have complete cloud-init, thus all instances stuck in initialising states.21:26
utlemmingslangasek: yeah, you don't get a VT to switch between21:26
xnoxslangasek: which kind of brings us to another point. How do I see us supporting systemd for cloud images? Install systemd & reboot? publish a (limited) image flavour which boots with systemd?21:28
xnoxslangasek: hanging rc, means hanging startpar, and two startpars don't like to run in-parallel to each other. Which is what pitti found out, but i didn't reproduce/investigate yet.21:28
slangasekxnox: so that brings us back to /run; that addresses your a), but doesn't seem to address either b) or c).  But the alternative to making startpar reliable is just to not enable it at all21:29
slangasek"don't like to run in parallel" - doesn't the previous one die when the rc job dies on 'stop on runlevel [!$RUNLEVEL]'?21:29
xnoxslangasek: it should. Hence I say, didn't investigate yet.21:30
slangasekok21:30
xnoxslangasek: would you agree, that things that have no reverse depends in .depends.* files, and are listed in TARGETS, should be simply skipped without any notifications from starting, if they happen to have an equivalent upstart job?21:31
smoserxnox, for 15.04, or whenver we fully cut over21:31
smoserit will just be /sbin/init and work as expected21:31
smoserprior to that, my goal was to create a cloud-config syntax that cloud-init would see21:31
xnoxsmoser: ok. and before that, we test/develop it however we need/like/can.21:31
smoserand then would change the init system of the image and reboot21:32
xnoxsmoser: ack.21:32
smoserthats why I asked about dpkg-divert21:32
xnoxsmoser: i'm sure slangasek would cringe over dpkg-diverting /sbin/init =)))21:32
smoserit is orders of magnitude easier if i can switch the init system by simply replacing /sbin/init21:32
slangasekwut21:33
slangasekyou do not need to dpkg-divert anything.  You install systemd-sysv and remove upstart.21:33
slangasekif you need to tinker locally prior to that, you can either pass init=/lib/systemd/systemd on the kernel commandline, or you can dpkg-divert *locally*; but please don't distribute images that use dpkg-divert21:34
smoserit would be locally.21:34
smoserwe're not distributing different images.21:34
slangasekok21:35
smoseri'm fairly adverse to that.21:35
slangasekthen that's fine, feel free to trash your local filesystem any which way ;)21:35
xnoxslangasek: $ apt-cache show systemd-sysv21:35
xnoxNikTh: Can't select versions from package 'systemd-sysv' as it is purely virtual21:35
xnoxhm...?21:35
smoserwhat i was saying was that you create an lxc cloud iamge container or cloud image via kvm21:35
smoserby passing cloud-config like:21:35
smoser http://paste.ubuntu.com/7762188/21:35
xnoxNikTh: unping -> stupid xchat expanding "N:" in the paste.21:35
smoserthe init system that is already present (upstart) would run to the point where cloud-init got that data.21:36
NikThhaha, no worries xnox :)21:36
smosercloud-init would replace init (however that is supposed to happen) and reboot21:36
slangasekxnox: yes, until that package is introduced in Ubuntu, nobody should be building any images defaulting to systemd ;)21:36
smoserand replacing init via:21:36
smoser dpkg --divert ... i dont remember syntax /sbin/init /lib/system/systemd21:36
smoseris much easier than21:36
smoser sed /etc/grub/ && update-grub21:37
slangaseksmoser: maybe you just want 'cp -a /lib/systemd/systemd /sbin/init'21:37
smoser(which wouldn't work on lxc anyway)21:37
smoseri'm not opposed to that.21:37
slangaseksince, ah, you would need to do that part *anyway* in addition to the dpkg-divert21:37
slangasek(all the dpkg-divert does is let the change persist across upgrades of the upstart package)21:37
xnoxslangasek: what do you think about https://code.launchpad.net/~xnox/ubuntu-seeds/platform-init/+merge/225850 ? cause currently systemd is not available everywhere.21:38
slangasekxnox: why does it need to be available everywhere?  People can apt-get install it for experimentation, and the thing we ultimately want seeded is systemd-sysv in place of upstart21:39
xnoxslangasek: ok.21:39
xnoxslangasek: can we go ahead and merge new sysvinit with split startpar, at this current state of affairs?21:40
xnoxslangasek: (aka pitti's prepared merge of doom)21:40
slangasekxnox: hum.  I had asked to review that merge before it was uploaded, and I haven't seen an MP or anything for this yet?21:42
xnoxslangasek: it has not been uploaded. I thought there is an MP for it. Let me check.21:43
xnoxslangasek: thought it would be in https://launchpad.net/~pitti/+archive/systemd, but it isn't.21:44
smoserslangasek, why would i need that part too ?21:44
xnoxslangasek: will poke pitti tomorrow.21:44
slangasekxnox: yes please :)21:44
smoseroh. i see. yeah, i was going to just link it.21:44
slangaseksmoser: yeah, you would need cp or ln, the dpkg-divert is only relevant for the upgrades and is probably not worth futzing with here :)21:45
slangasekxnox: there's a lot of history in the terribleness of the Debian sysvinit package, it's really best if I review this before it gets uploaded21:45
* xnox goes for a cup of tea and biscuits.21:51
jtaylordoko: you merged blt to utopic will you also take care of its now broken rdepends?22:42
=== salem_ is now known as _salem
slangasekmterry: I'm puzzled by your response on ubuntu-phone23:32
mterryslangasek, oh how?23:32
slangasekmterry: specifically: why should the lock screen behavior be tied to whether the user account has a password set?23:32
mterryslangasek, why wouldn't it be?  Would you use nopasswdlogin group membership to determing swiping of lock screen, or would you use an out-of-PAM method of storing the lock screen passphrase?23:34
slangasekmterry: the choice of authentication method is a separate thing from whether the user has a password23:35
slangasekmterry: as in my example, I want to require a password for risky things like getting root privs over adb, but that doesn't mean I want to be typing a password on an OSK every time I unlock my phone23:35
mterryslangasek, design doesn't want to have a user set 'just swipe to unlock' and then also have to remember a password23:35
slangasekwhy does this hypothetical user have to remember a password at all?23:36
mterryAt least that's how mpt designed it23:36
mterryslangasek, well who is setting the root privs password then?23:36
slangasekerm23:37
slangasekthe user23:37
slangasekI understood that you wouldn't have sudo *unless* you set a password23:37
mterryslangasek, so he does have to remember a password23:37
slangasekonly the user who wants to allow sudo access over adb!23:37
sarnold.. or the local Terminal app, right?23:37
mterrysarnold, right23:38
slangasekok, and?23:38
slangaseka normal user doesn't need root privs at all23:38
slangasekthis is a developer-only feature23:38
mterryslangasek, so you want to set a password in the UI.  Then also say only swipe?  And have it remember the password you entered before?23:39
mterryThe UI doesn't allow that, which is by design23:39
slangasekif I don't set a password, what happens when I type 'sudo -s'?23:39
slangasekif I do set a password, what happens when I lock my phone and then want to unlock it?23:40
slangasekif the answer is that I have to type a password on the OSK each time, there's some table-flippin' on the horizon23:40
mterryslangasek, if you don't set a password, sudo only authenticates you if your tty is listed in /etc/securetty23:40
slangasekand which ttys are we listing there?23:40
mterryslangasek, if you do set a password, you enter your password on the OSK23:40
mterryslangasek, Touch doesn't customize it.  But nothing with pts/* is in it (i.e. nothing remote, nothing in X/Mir)23:41
slangasekand the security team was happy with this design?23:41
mterryThis is long-standing behavior23:41
slangasekthe long-standing behavior is broken, we're supposed to be making adb secure :)23:42
slangasekbut it also needs to remain usable23:42
mterrythose two are always at odds  :)23:42
slangasekno, they aren't23:42
sarnoldslangasek: working with mterry on a reasonable sudo strategy in the face of no pin is on my todo for this week :)23:43
slangasekdesign may have said to do it this way, but I don't understand why the security team would have signed off on a design that gives people a false dichotomy between "always type a password everywhere" and "no sudo for you"23:43
slangaseksarnold: ok23:43
sarnoldI don't immediately see any problems with allowing a blank passwd at sudo if that was configured for login, too23:43
sarnoldit could be that the securetty PAM module we're using needs to be extended or replaced to allow local logins via Mir-originated applications, or something similar23:44
sarnoldslangasek: what's the goal with "make adb secure"?23:45
slangasekI'm not sure "let Mir apps get in without a password" is an interesting security model23:46
slangaseksarnold: AIUI the goal is to not let a rogue USB host adb in and screw around with things without the user's awareness - which I think implies: "non-root by default", "no adb when screen is locked", "adb disabled by default"23:47
mterryslangasek, do you envision an exception for terminal-app or just not allowing sudo in Terminal?23:47
mterryBut you do want to make an exception for adb23:47
slangaseksarnold: however, I'm not driving this - I thought this was all mdeslaur's design, which is why my question on the list was addressed to him :)23:47
slangasekmterry: I think we're talking past each other here23:48
slangasekmterry: passwordless sudo is uninteresting to me as a dogfooding developer; I prefer that root access come with a password prompt23:48
slangasekmterry: but I do not want "require password for root access" to translate to "require password to unlock my phone"23:48
slangasekbecause I expect the security requirements for a password that gives you root access to dramatically differ from the security requirements for an unlock "password" that I will use on a routine basis23:50
slangasek(PIN vs. password)23:50
mterryslangasek, my apologies, right.  Well for that, I can only say that the last time I spoke to mpt about it, he didn't want a separate password beyond the one set in the UI for locking the screen23:52
=== Ursinha is now known as Ursinha-afk
slangasekok, so who's the security team's stakeholder for this design :-)23:52
slangasekI'll route through them23:52
sarnoldslangasek: probably mdeslaur would be best. I had hoped to handle this one myself but I'm obviously missing too much context to provide reasonable answers :)23:53
slangasekok :)23:54

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!