[00:46] is the fix for the fact that GtkStatusIcon does not work with Unity included in Utopic?
[00:51] desrt: so mbiebl_ has reopened Debian bug #756076, saying that systemd-shim 8-1 doesn't actually work with logind
[00:51] Debian bug 756076 in systemd-shim "does not cleanup sessions when user logs out: No such interface 'org.freedesktop.systemd1.Scope'" [Important,Open] http://bugs.debian.org/756076
[00:58] hallyn: cgmanager 0.32-2 uploaded
[01:00] So is phone a long term fork of the regular distro now?
[01:01] (trying to figure out how Oli's email relates to other stuff)
[01:05] no
[01:06] the exact release cycle alignment is TBD
[01:06] this merely stipulates the cycle by which updates are made available to phone end users
[01:13] OK. Given the content of the updates, I don't see alignment with distro release/updates.
[01:14] Maybe someone that understands both could propose how they might relate.
[01:53] slangasek: thanks. (the other bug is just the recursive proxy fn calling the on-recursive main fn)
[02:11] slangasek: 0.32-3 pushed to mentors, but if you want to wait on that that should be fine. it can probably wait until 0.33 for that matter
[02:12] (which should have the listkeys method stgraber needs)
[02:26] hallyn: uploaded
[02:36] slangasek: thanks!
[02:39] will sync into utopic tomorrow.
[02:40] that's where i expect some bug reports through systemd-shim in containers
[04:46] if there's a core-dev around wanting to help, there'd be a packaging ack to ack or nack which changes a funny build-dep to a useful build-dep now that they apparently use it https://ci-train.ubuntu.com/job/ubuntu-landing-010-2-publish/19/artifact/packaging_changes_ubuntu-ui-toolkit_1.1.1239+14.10.20140908-0ubuntu1.diff
[04:47] Good morning
[04:47] slangasek: yes, I understand it (bit of a long story); I added an ugly workaround last night and will now fix that properly
[04:52] slangasek: can you please push systemd-shim to bzr? I'll do an 8-1exp1 upload now to rebuild against 215
[04:52] pitti: yep, pushed
[04:53] slangasek: cheers; mbiebl wants to upload 215 to unstable RSN, so that double-upload won't be necessary any more
[04:54] Mirv: looking at this diff, I'm more concerned about the dropping of qml files from a package that's part of the SDK - are we sure this isn't an API break?
[04:57] bzoltan: http://pastebin.ubuntu.com/8315784/
[04:57] bzoltan: so that's regarding the Colors/*.qml
[04:58] bzoltan: what about apps that use them?
[04:58] Mirv: none of the System and Core apps are using that, but let me check
[05:03] Mirv: slangasek: the Colors/*.qml is not the part of the API offering. No apps should directly use those files.
=== doko_ is now known as doko
[05:43] Mirv, bzoltan: ok, packaging changes acked
[05:44] slangasek: thank you :) and thanks for being alert
[05:48] thanks!
[06:33] jamespage, jamespage_: is lp:~james-page/software-properties/juno-support still relevant? if so, I have a look now
[06:42] good morning
=== Sweetsha1k is now known as Sweetshark
[07:19] stgraber, zul: looking at the python-lxc package in NEW. is there a reason that you don't build a python3-lxc package?
=== marcoceppi is now known as rosales
=== rosales is now known as marcoceppi
[08:41] pitti, jibel: please give back the python3.4 autopkg test on i386
[08:41] doko: already done
[08:41] thanks
[08:54] NBS empty \o/
[08:55] hooray! and so much before release!
[08:55] s/much/long/
[09:17] stgraber: hey, so I was able to open qtcreator running in the lxc :) I used pretty much the same config you used for google chrome.
[09:18] stgraber: I am running into 2 issues which I couldn't fix, the first being able to detect a connected N4 phone (/dev/usb doesn't seem to exist) and second being able to create a schroot inside qtcreator.
[09:18] stgraber: On trying to create a schroot, I get the following message http://paste.ubuntu.com/8317272/
[09:19] stgraber: in particular the line "E: Cannot install into target '/var/lib/schroot/chroots/click-ubuntu-sdk-14.10-armhf' mounted with noexec or nodev" seems interesting. I don't see any lxc.mount statement which does this. Anyway I can change that to allow creating a schroot
[09:31] stgraber: sry, I meant can I change that to allow creating a schroot?
[09:36] robru, dbus-test-runner autopkg tests fail after your recent upload
[09:38] glance (1:2014.2~b2-0ubuntu2 to 1:2014.2~b3-0ubuntu1)
[09:38] Maintainer: Ubuntu OpenStack
[09:38] 4 days old
[09:38] python-glance/i386 unsatisfiable Depends: pyhton-osprofiler
[09:38] python-glance/i386 unsatisfiable Depends: python-ordereddict
[09:38] Not considered
[09:38] zul, jamespage: just another typo, don't know about python-ordereddict
[09:40] mvo_: poke
[09:42] popey, ping
[09:44] hello victorp
[09:45] hey shadeslayer_ - I'm about to leave for lunch, but I will read scrollback and can answer when I'm back
[09:45] shadeslayer_: unless its quick in which case I can answer right away :)
[09:46] mvo_: any ideas if appstream in lp is something you will be working on?
[09:47] shadeslayer_: I plan to work on client side support in apt to make the content fetching a (optional) part of apt-get update. but nothing more is planned on my part right now
[09:51] mvo_: right, but how would content generation work ?
[09:51] I.e. extract appstream data from packages
[09:52] pitti, infinity: is the glibc/langpack merge still scheduled for 14.10?
=== dholbach_ is now known as dholbach
[10:03] doko,stgraber,zul: there's already a python3-lxc in the archive, built from separate source
[10:05] ahh, ok
[10:05] then I'll accept the one in NEW
[10:24] jamespage, zul: python-oslo.utils MIR is incomplete
[10:26] doko: I got datetime - module not found with python 2.7 on utopic. downgrading to 2.7.8-6ubuntu1 fixed my issue.
[10:26] running lp:click-toolbelt
[10:28] Mirv, works here
[10:30] Mirv, so please be more specific
[10:31] there was a change, it is now a builtin instead of an extension
[10:33] doko: yes, I filed bug #1368144 about it now. maybe I'd need to recompile it or something, but at least that's what happens when executing the old ./click-toolbelt with new python. I must admit that click-toolbelt is a bit confusing beast to build for me, so I've tended to use the existing one when possible.
[10:33] bug 1368144 in python2.7 (Ubuntu) "ImportError: No module named datetime with lp:click-toolbelt" [Undecided,New] https://launchpad.net/bugs/1368144
[10:34] I know that simple import datetime still works
[10:34] python-saharaclient needs an MIR from somebody who cares about python-heat
[10:38] Mirv, is there a virtualenv involved?
=== dholbach_ is now known as dholbach
[10:42] doko: yes. so, if this is expected, feel free to mark as invalid. just reporting the oddity.
[10:42] doko, ack - will followup with zul when he starts
[10:42] looking at oslo.utils now
[10:42] Mirv, I guess the python executable is copied into it, but not the standard extensions.
[10:49] jamespage, just fyi, https://launchpad.net/ubuntu/+source/tuskar/0.4.2-2/+build/6072038, requires new nova
[10:50] shadeslayer_,Riddell: somebody needs to refresh the kubuntu-plasma5 PPA for the libav11 transition, it seems
[10:50] libkf5filemetadata-bin : Depends: libavformat55 (>= 6:10~beta1~) but it is not installable
[10:50] Depends: libavutil53 (>= 6:10~beta1~) but it is not installable
[10:50] that's the root of the current image build failure
[10:50] cjwatson: we're all at Akademy, with shit internet
[10:50] so it's going to be hard to get to it before Monday
[10:51] looks like just that one package
[10:51] I'll try
[10:51] it's probably just a straight rebuild of kfilemetadata-kf5
[10:52] shadeslayer_: oh wait, I apparently have upload privileges
[10:52] ack
[10:52] cjwatson: oh awesome :D
[10:52] things I did not know. I'll sort it out then
[10:53] and I'll not bother with next-staging since it's uninstallable right now anyway ...
=== MacSlow is now known as MacSlow|lunch
[11:05] doko, ack
[11:12] mlankhorst, are there still some xserver binaries to remove?
=== brendand is now known as brendand-afk
[11:28] mlankhorst, should x11-xfs-utils really be demoted?
[11:28] doko/jamespage: ack
[11:30] @pilot in
=== udevbot_ changed the topic of #ubuntu-devel to: Archive: Feature Freeze | Devel of Ubuntu (not support or app devel) | build failures -> http://qa.ubuntuwire.com/ftbfs/ | #ubuntu for support and discussion of lucid -> trusty | #ubuntu-app-devel for app development on Ubuntu http://wiki.ubuntu.com/UbuntuDevelopment | See #ubuntu-bugs for http://bit.ly/lv8soi | Patch Pilots: sil2100
[11:31] cjwatson: what was the trick again to tell "apt-get -o Dir::Etc::sourcelist=/dev/null" to not remove already downloaded indexes again from /var/lib/apt/lists?
[11:31] or mvo_ ^
[11:31] pitti: --no-list-cleanup
[11:31] I'd like to only download the indexes from one added source (a local file:// or a PPA), for efficiency
[11:31] cjwatson: ah, cheers!
[11:31] pitti: APT::Get::List-Cleanup=false
[11:31] aha, or the other one :)
=== _salem is now known as salem_
[11:32] but I'm not sure whether that still forgets that the packages from the other sources exist
[11:32] mvo_: ah thanks, "apt-config dump|grep -i clean" (or "grep -i list") didn't give anything, but it's indeed in the manpage
=== udevbot_ is now known as udevbot
[11:33] cjwatson: at least apt-cache policy seems happy
[11:34] cool
[11:36] sudo apt-get --no-list-cleanup -o Dir::Etc::sourcelist=/etc/apt/sources.list.d/canonical-x-x-staging-utopic.list -o Dir::Etc::sourceparts=/dev/null update
[11:36] that seems to by and large do what I want
[11:36] and like 50 times faster :)
[11:37] pitti: great
[11:37] * pitti puts that into autopkgtest and checks whether all the tests are still happy
=== dholbach_ is now known as dholbach
[11:41] @pilot out
=== udevbot changed the topic of #ubuntu-devel to: Archive: Feature Freeze | Devel of Ubuntu (not support or app devel) | build failures -> http://qa.ubuntuwire.com/ftbfs/ | #ubuntu for support and discussion of lucid -> trusty | #ubuntu-app-devel for app development on Ubuntu http://wiki.ubuntu.com/UbuntuDevelopment | See #ubuntu-bugs for http://bit.ly/lv8soi | Patch Pilots:
[11:42] * sil2100 lunch o/
[12:10] * dholbach hugs sil2100
[12:13] * sil2100 hugs dholbach back
[12:13] :)
[12:15] dpm: could you please add http://people.canonical.com/~dpm/data/ubuntu-l10n/ for 14.09 (ubuntu-rtm)?
[12:17] ;)
=== MacSlow|lunch is now known as MacSlow
[12:25] pitti, yes, I'll have to talk to wgrant on how to do it. It requires setting up a cron job for an exporter script in LP, and I'm assuming we can do it for ubuntu-rtm/14.09 in the same way we can do it for ubuntu series
[12:25] yeah, it's pretty well the same
=== brendand-afk is now known as brendand
[12:33] wgrant: I just filed bug 1368209, I can't explain that myself
[12:33] bug 1368209 in Launchpad itself "RTM langpack export is missing some domains" [Undecided,New] https://launchpad.net/bugs/1368209
[12:34] dpm: I added a WI to https://blueprints.launchpad.net/ubuntu/+spec/qa-u-spanish-translations FYI
[12:35] thanks pitti, I'm on it
[12:35] dpm: cheers
[12:35] (just for tracking stuff)
[12:38] pitti, replied to that bug
[12:41] dpm: yes, unity8's domain is indeed "unity8"; I just diffed our current langpacks with some extra "directly from trunk" imports, I wondered about that too
[12:41] pitti, yeah, I was surprised that we pull unity as well
[12:41] along unity8, I mean
[12:42] @pilot in
=== udevbot changed the topic of #ubuntu-devel to: Archive: Feature Freeze | Devel of Ubuntu (not support or app devel) | build failures -> http://qa.ubuntuwire.com/ftbfs/ | #ubuntu for support and discussion of lucid -> trusty | #ubuntu-app-devel for app development on Ubuntu http://wiki.ubuntu.com/UbuntuDevelopment | See #ubuntu-bugs for http://bit.ly/lv8soi | Patch Pilots: sil2100
[12:42] dpm: yeah, it's in the package list, apparently something still keeps it in the seeds
[12:42] dpm: but yeah, that one can probably go
[12:44] dpm, wgrant: closed bug then, thanks!
[12:44] pitti, sent the RT, updated BP
[12:44] dpm: it's great to have you back :)
[12:45] pitti, thanks, it's great to have you, and I expect it to be for 10 more years at least! ;)
[12:46] Oh
[12:46] I was just going through them all to work out why you were wrong :P
[12:46] wgrant: I expected that I was, but I wanted to understand why :)
[12:52] cjwatson, dholbach is helping get some of the Ubuntu MATE package cleaned up.
[12:53] cjwatson, I am also wondering what format I should provide Ubuntu MATE SYSLINUX themes in? I have theme, just not sure if they should be packaged as debs?
=== iulian_ is now known as iulian
[13:13] hallyn: looks like we have troubles :(
[13:18] seb128, quick question: the translations for indicator-transfer for the RTM distro don't seem to be enabled, and I don't see any templates in its import queue: https://translations.launchpad.net/ubuntu-rtm/14.09/+source/indicator-transfer/, whereas you showed me that the ones on ubuntu/utopic are: https://translations.launchpad.net/ubuntu/utopic/+source/indicator-transfer/ - any ideas why? I'm not quite sure how the upload workflow works between the two
[13:18] distros
[13:19] dpm, hey, no idea how those imports work with pocket copies
[13:20] pitti, perhaps you know? ^
[13:20] dpm, pitti, oh
[13:21] it seems like that version just didn't get uploaded to rtm
[13:21] https://launchpad.net/ubuntu-rtm/+source/indicator-transfer
[13:21] dpm, let me file a sync request for it
[13:21] ah, that'd explain it, thanks seb128
[13:31] dpm, seb128: ATM I'm still syncing ubuntu langpacks to RTM
[13:32] as ubuntu-rtm langpacks are still blocked by some small things
[13:34] pitti, blocked?
[13:35] seb128: main thing for now is getting dpm's translation stats for RTM
[13:35] I think everything else is sorted out, I did some import queue approvals etc.
[13:35] pitti, how are stats blocking package copies?
[13:35] seb128: oh, they don't
[13:35] seb128: I mean RTM specific langpack builds
[13:36] oh, ok
[13:36] seb128: right now I do package copies as we haven't diverted too much
[13:36] right
[13:57] doko, cjwatson: correct, we ship a python3-only binding as part of the upstream source and don't want to be backward compatible to python2 there. However openstack and some other distros (RHEL) don't ship or don't support python3 quite completely yet so we have that separate source tree with a python2 part of our binding. The main reason for the separation is that we support the python3 binding for 5 years whereas we have absolutely no inte
[13:59] nik90: so schroot is going to be tricky I suspect. The reason is that this is an unprivileged container so it's restricted in what it can do since it's not real root. One thing it can't do is create device nodes and that may be what's upsetting schroot.
[14:00] nik90: try adding lxc.aa_profile = unconfined to your config and see if that does the trick for schroot, but I doubt that'll be enough :(
[14:00] nik90: as for /dev/usb, you did put "lxc.mount.entry = /dev/usb dev/usb none bind,create=dir" in your container's config right?
[14:12] @pilot out
=== udevbot changed the topic of #ubuntu-devel to: Archive: Feature Freeze | Devel of Ubuntu (not support or app devel) | build failures -> http://qa.ubuntuwire.com/ftbfs/ | #ubuntu for support and discussion of lucid -> trusty | #ubuntu-app-devel for app development on Ubuntu http://wiki.ubuntu.com/UbuntuDevelopment | See #ubuntu-bugs for http://bit.ly/lv8soi | Patch Pilots:
[14:24] flexiondotorg: just send the updated images, in formats that match the Ubuntu ones
[14:26] cjwatson, So for Ubiquity I should submit a merge proposal to ubquity-slideshow.
[14:26] cjwatson, Where do I "send" the SYSLINUX theme to?
[14:26] stgraber: I tried "lxc.mount.entry = /dev/usb dev/usb none bind,create=dir" but the container does not start anymore since /dev/usb doesnt exist
[14:27] stgraber: maybe I should instead create a container as root
[14:27] stgraber: although every time I open the gui app, it will ask for sudo privileges I suppose
[14:28] flexiondotorg: ideally, a merge proposal against lp:~ubuntu-cdimage/debian-cd/ubuntu - the files go in data/utopic/
[14:28] you should see the layout there, such as it is
[14:28] cjwatson, Perfect. Thanks.
[14:29] nik90: hmm, the point of create=dir is that it should be creating it... anyway, you can just mkdir /dev/usb and try again, that should work
[14:30] stgraber: ok
=== roadmr is now known as roadmr_afk
[14:47] desrt: i don't see any bug reports
[14:49] zul: just drop argparse everywhere. it's included in 2.7 and 3.4
[14:51] mlankhorst, xorg-server ping
[14:55] hallyn: slangasek said that we got the original report reopen
[14:55] http://bugs.debian.org/756076
[14:55] Debian bug 756076 in systemd-shim "does not cleanup sessions when user logs out: No such interface 'org.freedesktop.systemd1.Scope'" [Important,Open]
[14:56] hm. is there some 'we're done with this method' signal shim needs to send?
[14:56] ya. the method return message :p
[14:56] * hallyn starts to suspect that comcast is anti-net-neutrality-ing the ubuntu archive
[14:57] hm, no, i guess it is ipv6 70% [Connecting to us.archive.ubuntu.com (2001:67c:1562::15)] [Connecting to se
[14:57] desrt: i'm trying to update my system so i can test here
[14:57] me too
[15:02] there we go, disabled ipv6 in sysctl and now it works
[15:02] maybe it's comcast. i hope it's comcast
[15:03] stgraber: ^ any known ipv6 bugs in the utopic kernel right now?
[15:03] stgraber: has the openvswitch support made it to utopic yet for lxc?
[15:04] hallyn: nothing that I've noticed
[15:04] zul: no
[15:04] stgraber: is it?
[15:04] stgraber: when will you be merging lxc into utopic?
[15:04] stgraber: and ok, thx, i assume comcast is messing around then
[15:05] cjwatson, I'm looking for where I should inject the Ubuntu MATE gfxboot.cfg settings. Looks like in tools/boot/utopic/boot-*. Correct?
[15:05] hallyn: once we're done getting the regressions out of master so I can finally tag alpha2
[15:05] regressions? pshaw
[15:10] flexiondotorg: yes
[15:14] hallyn, desrt: note specifically that mbiebl says this problem was with logind from 215 after a rebuild of systemd-shim
[15:15] slangasek: not sure i understand why that would make a difference..
[15:15] desrt: I'm merely pointing out the difference, in case anyone has difficulty reproducing it
[15:16] i just installed the update and am now rebooting...
[15:18] hmm... i have 208 here
[15:19] so he's right
[15:19] the cgroup gets cleaned up, but logind doesn't know about it
[15:19] i'll take a look
[15:19] maybe there should be a signal or something, indeed
=== roadmr_afk is now known as roadmr
[15:39] zul: python-cliff has the same argparse problem
[15:39] doko: ack
[15:52] cjwatson, Please could you cast an eye over my changes? If all looks good to you I'll submit a merge proposal - http://bazaar.launchpad.net/~ubuntu-mate-dev/ubuntu-cdimage/ubuntu-mate/revision/1898
[15:52] flexiondotorg: it's much easier for me to review after you submit a merge proposal - that's what they're for
[15:52] cjwatson, OK.
[15:52] you can always commit fixes on top after review (you don't need to resubmit the MP or anything)
[15:53] well, assuming you branched from the right place
[15:53] but looks like you did
[15:56] cjwatson, Merge proposal submitted. Thanks for your help.
[16:00] doko: pong?
[16:01] mlankhorst, are there still some xserver binaries to remove?
[16:04] nvidia-173, glamor-egl, xserver-xorg-video-sis xserver-xorg-video-msm need to be gone
[16:05] I've asked on #ubuntu-release, no reply yet afaik
[16:05] cjwatson, OK, that Merge proposal looks awfully wrong.
[16:06] cjwatson, I've submitted it against the wrong branch. I'll resubmit.
[16:07] oops, xf86-video-msm (source package)
[16:07] but after that it should migrate
[16:10] cjwatson, I don't appear to be able to submit a merge proposal against lp:~ubuntu-cdimage/debian-cd/ubuntu
[16:11] doko: http://people.canonical.com/~ubuntu-archive/proposed-migration/update_output.txt (near the bottom)
[16:12] flexiondotorg: just mail me the URL then, I'm firefighting something else and can't look now.
[16:12] cjwatson, Will do. Thanks.
[16:12] mlankhorst, please can you file a bug and add ubuntu-archive to the subscribers
[16:13] ok
[16:13] actually that's going to be a bit hard from here... don't have sso access and won't work until monday
[16:14] lets see..
[16:58] Is it possible to enable ppc and ppc64 build for PPAs? It doesn't seem so ( https://help.launchpad.net/Packaging/PPA#Supported_architectures ), but we got a bug report that the official package doesn't build for it and would like to add ppc to our PPA repository
[16:59] no
[17:01] Elv1313: we may do so in future once we have virtualisation working, but it's not available yet
[17:01] ok thanks
[17:01] arm64 would also be nice
[17:02] arm64 is possible now, file a ticket on answers.launchpad.net/launchpad
[17:02] although it'll have to build through qemu
[17:02] (but we already have hardware to test that)
[17:02] qemu-user-static that is
[17:02] or cross compile
[17:03] PPAs don't do cross compiling
[17:03] * Elv1313 would not want to be the one setuping that
[17:05] dobey: (yet; I have been thinking about how to do that ...)
[17:05] Another question, is it totally too late to get an upgraded package into 14.10? We (sflphone) have made a release in July that fixes all issues reported by errors.ubuntu.com and then some. The changes are too large to be considered a stable update. We have enough PPA users to have confirmation that this version is much more stable than the one currently in 14.10
[17:05] mlankhorst, there are still reverse dependencies
[17:06] Elv1313: is it in main or universe?
[17:07] dobey: https://launchpad.net/ubuntu/utopic/+package/sflphone-daemon
[17:08] Elv1313: it's in universe, so it should be pretty easy to get a newer version in.
[17:08] it would be very helpful to get the new version into Debian first
[17:09] much easier then for us to just merge, and it helps more people that way
[17:09] dobey: Ok, thanks. Is there any protocol to follow? I only pushed stable updates before, never totally new versions
[17:09] indeed. especially if it's already there, and the new version can drop the ubuntu-specific changes
[17:09] so email debian guys first?
[17:11] whoever maintains it in debian, yeah
[17:11] then, ask again or #ubuntu-devel or file a launchpad bug?
[17:12] LP + here
[17:16] ok thanks
[17:35] https://bugs.launchpad.net/ubuntu/+source/mdadm/+bug/1364091 is this being worked on?
[17:35] Launchpad bug 1364091 in mdadm (Ubuntu) "Possible RAID-6 corruption" [Undecided,New]
=== roadmr is now known as roadmr_afk
[18:06] hey.
[18:06] i have an upstart question
[18:06] it seems from experimenting that a pre-start script does not get a kill on 'stop'. is that right ?
[18:29] smoser: that doesn't sound "right", but perhaps there's a bug. Maybe check the open bug list to see if it's a known issue?
[18:47] doko: nvidia-173 still seems to be a possible fulfilment as dependency for boinc-nvidia-cuda in debian
[18:47] but it works fine without
[18:51] and -ati was fixed in -proposed to not need glamor-egl
[18:51] slangasek: i think this might actually be vaguely something like a logind bug
[18:51] slangasek: but it's a bug that wouldn't be a problem in normal circumstances, so that makes it our bug again....
[18:51] desrt: bug-for-bug compatibility
[18:51] welcome to Windows
[18:52] the problem is that we never properly signal the _start_ of the session, which leaves a stale job in the 'scope_job' field of the session in logind
[18:52] at logout time, logind sees this and assumes that it's the _stop_ job still in progress
[18:52] whereas abandon doesn't signal completion
[18:52] logind for this reason doesn't properly clear the scope_job field when issuing Abandon
[18:53] should have a test to fix soon...
[18:54] er... a fix to test :)
[18:54] oh, I assumed you were being TDD ;)
[18:54] tests? in systemd-shim? surely you kid :p
[19:07] slangasek, http://paste.ubuntu.com/8321182/
[19:08] i think that illustrates my point.
[19:08] and now i'll bother you with what i was trying to do
[19:08] i was trying to block bringing up of network interfaces until some event had occurred.
[19:09] smoser: are you expecting upstart to kill the sleep process? that's not the main process of the job; the main process of the job is the shell
[19:09] it kills neither
[19:10] so I would expect one of two things: 1) upstart kills the script, making it the shell's job to clean up the child process; or 2) upstart kills all related processes via cgroupy magic, and the shell doesn't get a chance to tell you what happened
[19:10] well, its neither :)
[19:10] sure, understood
[19:10] I just don't think your script here illustrates that particularly well :)
[19:10] i would have expected it to send SIGTERM to the script
[19:11] well, i avoided the handling of traps to simplify
[19:11] http://paste.ubuntu.com/8321199/
[19:11] smoser: anyway, perhaps compare with wait-for-state, which does exactly this sort of thing with a main script instead of a pre-start script - I don't see that a pre-start gives you anything here (except, apparently, some bugs)
[19:11] ^ that one is what i was actually trying to do.
[19:11] pre-start allows you to block starting
[19:11] i dont think starting does
[19:11] er.. i dont think main script does
[19:11] it does if you mark the job 'task'
[19:11] at least per comments in /etc/init/network-interface-security.conf
[19:11] IIRC
[19:12] # Since we need these profiles to be loaded before any of the above services
[19:12] # begin running, this service must be a pre-start so that its pre-start
[19:12] # script finishes before the above services' start scripts begin.
[19:12] smoser: see documentation of 'task' in init(5), which agrees
[19:12] that may be out of date.
[19:12] or it may have never been true ;)
[19:13] well, for the specific case of n-i-security, it applies because we care about those jobs ending in a 'started' state
[19:13] you may care about that here also, in which case yeah, you can't 'task' it to work around a bug in pre-start handling
[19:14] where do you see information about task that you're pointing me at ?
[19:14] I would say that at that point, the only workaround would be polling (ick)
[19:14] smoser: the init(5) manpage?
[19:14] task This stanza may be used to specify that the job is a task
[19:14] instead. This means that the act of starting the job is not
[19:14] right.
[19:14] considered to be finished until the job itself has been run and
[19:14] stopped again, but that exiting with a zero exit status means
[19:14] the task has completed successfully and will not be respawned.
[19:14] i didn't understand that to mean exactly what you said.
[19:14] i'll try that.
[19:14] implied is that, until the task is 'started', it doesn't release the starting event
[19:15] you're saying make my job a task
[19:15] yes
[19:15] and make it 'script' instead of 'pre-script'
[19:15] * slangasek nods
[19:15] and if you /still/ aren't getting signalled, then... ick
[19:16] hm..
=== _TJ_ is now known as TJ-
[19:54] urg... every further step i take requires me to take one more
=== ken__ is now known as kenvandine
=== roadmr_afk is now known as roadmr
[20:11] slangasek, http://paste.ubuntu.com/8321639/
[20:12] thats my cloud-init-blocknet.conf .
[20:12] does not seem to block networking.
[20:13] as i can ssh in, and see a blocker running (cloud-init-blocknet (network-interface/eth0) start/running, process 465)
[20:16] smoser: er, of course it doesn't block it, where's the word 'task'? :)
[20:17] bah
[20:18] ok.
[20:18] well that fixed that... now to figure out why it wasn't getting stopped.
[20:19] jdstrand: oh hurray! i've got apparmor-confined libvirt-lxc containers.
[20:19] hallyn: oh nice!
[20:19] now, do we want to make these default? i think we do, but maybe we'll break someone?
[20:20] I would say 'yes'
[20:23] ok. i'm going to add this to the libvirt 1.2.8 proposed package, then ping here on the FFE we're waiting on to push 1.2.8
[20:25] jdstrand: one more thing, i notice that upstream libvirt-qemu abstraction has a sub-policy for running qemu-bridge-helper. i'll add that to ours (in debian/apparmor/lbivirt-qemu) unless you say that's a bad idea
[20:25] no, that's good
[20:26] I think I reviewed it
[20:28] cool
[20:30] hi, I'm running into bug 1124250, would someone be able to push this bug forward?
[20:30] bug 1124250 in nfs-utils (Ubuntu) "Partially incorrect uid mapping with nfs4/idmapd/ldap-auth" [Undecided,Confirmed] https://launchpad.net/bugs/1124250
[20:33] blkperl: it doesn't appear that a fix is known, right? does changing the settings in /proc/sys/kernel/keys, as discussed in the linked RH bug, have any effect?
[20:37] slangasek: ok ill try that
=== cmagina_ is now known as cmagina
=== StevenK_ is now known as StevenK
[21:50] jdstrand: apparmor policy will need a few tweaks though to let an ubuntu container run. :(
[21:56] hallyn: that's ok. that is thankfully not difficult
[22:01] jdstrand: yeah but i suppose i ought to do it before uploading 1.2.8 (with default=on :)
[22:02] heh, yes :)
[22:06] pretty
[22:06] peer_addr="@/tmp/.X11-unix/X0��������عg#" peer="unconfined"
[22:06] ooo
[22:07] jjohansen: fyi, it happens with peer_addr too (not surprising with shared code)
[22:08] jjohansen: this is what lsof gives me: http://paste.ubuntu.com/8322328/
[22:09] jjohansen: with my policy updates: http://paste.ubuntu.com/8322337/
[22:09] ok, wandering off for quite a while
[22:14] jjohansen: oh, hah, didn't mean to past that here
[22:14] paste
[22:17] all right think i've got it
[22:17] now who to ping about the FFE
[22:17] oh. i was wrong. still hanging at /dev populating
[22:21] sarnold: hey, so i'm getting this denial message:
[22:21] type=1400 audit(1410473999.866:25): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="libvirt-4b477da6-28c4-4497-87f1-bafeb853f90b" name="/sys/" pid=1711 comm="mount" flags="rw, nosuid, nodev, noexec, remount"
[22:21] my policy does have 'mount fstype=sysfs -> /sys/',
[22:21] what am i missing? i need a separate remount rule?
[22:22] hallyn: maybe? (at this point you've used the mount rules far more than I have.. :)
[22:23] heh, yeah but at such long intervals that i don't remember anything from one instance to the next :)
[22:23] just allowing 'mount,' allows full container boot, so it's something like that...
[22:24] hallyn: ah! this might explain it, "Specifically fstype matching currently only works when creating a new mount and not remount, bind, etc."
[22:24] hallyn: hehe
[22:25] oh, hm, then maybe the problem is our rule to avoid remounting / ro ?
[22:25] drat,
[22:25] well i may just allow 'mount,' right now just to get this out the door
[22:25] bc as it stands you can't stop a container once you start one :)
[22:25] (bc of dnsmasq policy)
[22:26] haha
[22:26] that's .. awesome :)
[22:26] watch out oracle, we've got our own "unstoppable linux" :)
[22:26] well that was my concern with the way the new unix class was written
[22:26] it'll have the same sort of implications, but worse
[22:27] hallyn: can you get away with a 'remount /sys/ -> /sys/, rule?
[22:27] (bc any confined daemon will have to be given the right to talk to another daemon over unix sock, aiui)
[22:27] i'll try!
[22:29] sarnold: holy schnickities. that inexplicably makes the container instantly crash
[22:29] hallyn: yikes
[22:30] oh, i guess it doesn't like the rule,
[22:30] 2014-09-11 22:28:58.685+0000: 1: error : AppArmorSetSecurityProcessLabel:617 : internal error: error calling aa_change_profile()
[22:31] :(
[22:31] sorry, I thought that would work
[22:31] uh oh, compiz is at 2.5G, probably time for a 'kill compiz from console after all windows freeze' soon
[22:32] sarnold: hah, np, thanks for trying. i guess i'll just try with all the remount flags it gives in the denied msg
[22:36] all right now mountall is just being annoying
[22:36] sarnold: got past the sys remount one, now mountall wants to remount all the others
[22:37] drama queen
[22:37] remount ALL the things!
[22:40] yeah, and all separately. so i need a remount options=(remount rw) -> /sys/fs/pstore as well as a remount options=(remount ro) -> /sys/fs/pstore,
[22:40] but! it works.
[22:41] this is better than good enough for gov work. ship it!
[22:44] sarnold: thanks for the moral support :)
[22:45] hallyn: oh man :/ you may be able to use remount options in (remount rw) ... options in (remount ro) ... rules
[22:46] sarnold: heh, that would be nice. lemme try
[22:47] xnox: naughty
[22:48] sarnold: eh, i must not be getting the syntax right - but actually i think separately may be easier to read
=== salem_ is now known as _salem