[00:10] Chipaca: whats that?
[00:10] :)
[00:10] from the docs?
[00:11] just a commit message
[00:11] asac: a card, a description of a task, a branch, and a commit message
[00:11] asac: i was in a maze of so many deferreds for a moment i thought i was programming twisted again
[00:11] oha
[00:11] Chipaca: was that your card :)?
[00:11] hehe
[00:11] you could have reworded it
[00:12] guess its hard to convey what that should do :)
[00:12] asac: maybe :)
[00:12] asac: maybe it was fun, also
=== c74d is now known as Guest21388
[02:41] lool: okay, wpasupplicant has always been primitive and tricky, in my experience
[07:08] good morning
=== erkules_ is now known as erkules
=== kickinz1|afk is now known as kickinz1
[08:42] mvo: does the PPA listed on https://developer.ubuntu.com/en/snappy/start/ need to be changed?
[08:42] didrocks tells me the beta PPA actually has an old version of snappy
[08:45] mhall119: indeed, utopic and trusty are outdated, I updated them now, so that should be fine. we may still want to use a different one when snappy gets released (i.e. the beta name sounds wrong then). asac has the final say here
[08:47] dholbach, ^
[08:48] asac, lool, slangasek: ^
[08:48] I asked at least 5-10 times which PPA to use :)
[08:48] which are we going to use? :)
[08:48] I'm obviously happy to change it, but I'm a bit confused
[08:51] mvo, ^ were there any discussions about changing the ppa setup and nomenclature?
[08:57] good question
[08:57] i think we will be using a new ppa :)
[08:57] lol
[08:58] dholbach: only asac knows that :) I think it should be staging -> beta -> tools and we use tools for the final and stable PPA, but iirc asac wanted a different ordering. I personally don't mind, either way is fine as long as its documented
[08:58] but if I would decide, that's how I would do it
[09:01] we should just use the archive if you ask me personally :-P
[09:05] good point, we could use the backports archive
[09:07] Good morning all; happy Kindergarten Day!
:-D
[09:10] kickinz1: whats a good way to test docker? your tdocker snap?
[09:11] mvo: For now I would say either direct command line or tdocker, yes. I need to finish owncloud snap package.
[09:14] kickinz1: where is the docker snap? I think I need to add some caps for the seccomp stuff or make it unrestricted there (thats probably the best option for now until jdstrand is around)
[09:15] mvo: launchpad.net/~snappy-dev/snappy-hub/docker/
[09:16] ta
[09:24] kickinz1, jdstrand: please pardon if this diff is stupid, it seems with seccomp enabled I need to do at least http://paste.ubuntu.com/10860613/ in the docker-client or it won't even talk to docker (i.e. the docker command will just hang)
[09:30] mvo: is it with new seccomp code in the image? (it was working yesterday)
[09:31] kickinz1: it landed during the night
[09:31] mvo: ok, I'm downloading it right now.
[09:34] kickinz1: you will need to apply the pasted patch to make it work at all, dmesg will indicate if something goes wrong, the kernel message starts with "audit:"
[09:36] mvo thanks
[09:38] Chipaca: hm, hm, this should not be possible, right? http://paste.ubuntu.com/10860659/ - note the two pastebinit packages I managed to install; first I installed it via the store and then sideloaded it and that worked :/
[09:39] mvo: sideload always works
[09:40] oh
[09:40] oooh
[09:40] ouch
[09:40] mvo: i thought it was going to be about versions, not about namespaces
[09:40] ouch
[09:40] mvo: i'll look into it as soon as i get this branch up
[09:41] Chipaca: thanks, you rock!
[09:41] much much appreciated
[09:41] * mvo dives back into seccomp land
[09:42] mvo: before you're in too deep
[09:42] mvo: sideload install of an already installed package is ok, yes?
[09:42] that is, we don't want to force devs to bump revno or uninstall to test their packages
[09:42] ?
[09:42] FWIW, I sort of think that what distinguishes sideloading from not is whether it's signed by the store
[09:43] Chipaca: oh, sideload again an already sideloaded one? yeah, I guess, but we will probably run into the textfile-busy problem we had earlier when we allowed reinstall. its a problem worth fixing and maybe its ok for sideload
[09:44] mvo: textfile busy should be sorted now that we stop things properly, methinks
[09:46] yay
[09:46] then go for it
[09:46] excellent news
[09:47] dholbach: so are we waiting to hear from asac about which PPA to use in our docs?
[09:47] mhall119: we are talking :)
[09:47] about that
[09:47] mhall119: if you want to participate join the call on my calendar right now
[09:47] ok, cool, I'll leave that in your hands then
[09:48] asac: as long as I can tell didrocks it's being done, I'm happy :)
[09:50] mhall119: why is didrocks so worried?
[09:50] is he depending on us?
[09:50] asac: because he saw that it was wrong and he's sitting across the table from me
[09:51] asac: he's working on a prototype with it this week I think
[09:51] I don't think he's blocked, just noticed an error in our docs
=== c74d is now known as Guest61567
[10:06] mhall119: is he willing to join this channel :)?
=== kickinz1 is now known as kickinz1|afk
[10:12] hey
[10:13] asac, oh, the PPA was via me. I was reading the docs and assumed it was wrong. You guys were all asleep when I was asking from .nz :)
[10:14] asac: so not blocked on that, but we just posted an email to snappy-devel ML with a simple example (even if we have way more questions/wonderings), so as soon as you get some time to look at it… that would be appreciated!
[10:15] hey didrocks :)
[10:15] welcome to the snappy world
[10:17] * beuno hands didrocks the standard-issue goggles
[10:17] :)
=== kickinz1|afk is now known as kickinz1
[10:27] mvo: fix for sideload & namespaces messing things up: https://code.launchpad.net/~chipaca/snappy/check-namespaces-on-sideload/+merge/256904
[10:44] jodh: how is self test going?
[10:44] asac: we're now blocked on a store issue.
[10:44] beuno: ^
[10:44] jodh: whats the issue in one line?
[10:45] asac: installing a framework breaks 'snappy search'
[10:46] thats a store problem?
[10:46] hmm
[10:46] nessita: ^^
[10:46] JamesTait: ^
[10:46] asac: Chipaca has raised a MP which is now approved, but needs to be merged + included in an image.
[10:46] asac, mvo and Chipaca know about it, not a store issue, really
[10:46] jodh: an MP against the store?
[10:46] :)
[10:46] jodh: ok, please be more precise :)
[10:47] so its a snappy bug
[10:47] Chipaca: mvo: i guess you are on it?
[10:47] asac: it's a store issue or a snappy issue :)
[10:47] it's a bug in the system, which includes the client and the store. We've decided to fix it on the client.
[10:48] it keeps the parts consistent
[10:48] ok
[10:48] that is: the store is self-consistent on this matter, the client is not
[10:48] so it made sense to fix it in the client
[10:48] yeah
[10:48] even if we could have also fixed it from the store
[10:48] * JamesTait grabs popcorn
[10:48] makes sense
[10:48] thanks
[10:49] JamesTait: sorry to disappoint :)
[10:50] * ogra_ steals JamesTait's popcorn bucket
[10:50] Not at all, Chipaca, happy to help if it's needed, happy to stand aside otherwise.
[10:50] JamesTait: i meant wrt popcorn :)
[10:51] * JamesTait throws unpopped kernels at ogra_ and Chipaca.
[10:51] * JamesTait whistles innocently, points at beuno.
[10:53] * Chipaca feels he's already thrown enough mock abuse at beuno for a few more minutes still
[10:55] Chipaca: you mean there is a limit to the mock abuse you can throw at beuno, why am I the last to learn of this?
[10:56] davmor2: that depends on the acerbity of your abuse
[10:56] davmor2: with me having slept so little, i don't trust myself
[10:56] Chipaca: hahahaha
[10:56] davmor2: also, beuno is within range for a lot more weapons than normally
[10:57] I don't think he's within the record sniper 'confirmed kill' range, but it's close
[11:16] Trying to build a lightdm snap here. First blocker - LightDM needs PAM configuration to work. This requires installing files into /etc/pam.d. How do we do this? Does ubuntu-core need some sort of hook to pull PAM configuration from frameworks that require it?
[11:36] didrocks: you have to subscribe using your @canonical.com
[11:36] the other will be unsubscribed
[11:42] crazy annoyances :P
[11:43] davidcalle, dpm: I'll look into amending the snappy internal docs for use as guides next
[11:43] davidcalle, dpm: feel free to take any of the other work items
[11:43] dholbach, dpm, I'm on the architecture page + diagram
[11:44] davidcalle, excellent - are you going to import any content for that?
[11:44] asac: hum, ok :)
[11:44] dholbach, from the slides?
[11:44] ok cool
[11:45] thanks a lot
[11:45] asac: done
[11:45] didrocks, i was pondering to set up a petition to get the (10 years well working) old scheme back for MLs :)
[11:45] * ogra_ is seriously annoyed by getting half his mails back because he forgets to switch to the other account
[11:49] mterry: will you be in standup today?
[11:49] davidcalle, I was going to pick the WI of modifying the diagram to add the enablement bit. Are you planning on taking that one too? If so, I'll leave it up to you :)
[11:49] dpm, I've just finished :)
[11:49] \o/
[11:57] * dholbach relocates to the office, brb
[11:58] dpm, what do you think?
(to me, it works well) https://developer.ubuntu.com/en/snappy/guides/architecture/
[12:02] davidcalle, good work. Seems like the "How does it work" row is both on the landing page and the architecture one. Would it not make sense to have it only in one place?
[12:03] dpm, right, removing it from architecture
[12:05] dpm: davidcalle you can have an app directly on top of ubuntu core too
[12:05] davidcalle, I think after release it might be worth redrawing the "Stack examples" diagrams so that they are more inline with the rest of the site, and have a

section for each one of them
[12:07] sergiusens, davidcalle, then perhaps we can say "an optional layer of frameworks" in the text?
[12:25] davidcalle, dpm, I'll drop the snappy internals for now
[12:25] asac said it'd be good to look at the image channels and stuff first
[12:25] dholbach, ok
[12:25] and the ./start page
[12:26] I'll look into writing the content for the channels page
[12:26] and then we can take it from there
[12:26] dholbach, what's there to do in the start page?
[12:26] ?
[12:26] ah ok
[12:26] well, the start page contains all the links to all kinds of images
[12:26] there will have to be links or at least mentions of other releases/channels
[12:28] slangasek: would be great if we could get the first prebuilt images done early today so davidcalle and dholbach can put together our nice page to find the right bits and pieces
[12:31] dholbach, ah, got it now, I wasn't thinking of it in relation to the image channel links
[12:34] dholbach, if you need the diagram, here's where I created it back in the day for the devices page: https://docs.google.com/drawings/d/1CxoxNsWGA3r5IS9ZavfSR_QbhlAKE2D9KaCtvL-zM88/edit
[12:36] thanks - that's greta
[12:36] great
[12:38] asac, I can make sure to be, yeah
[12:39] mterry: great. would be nice to get an update and coordinate what and how to bring stuff together for release
[12:39] thanks
[12:42] mvo: re docker-- yeah, that's fine, though I'm starting to feel like network-service isn't a useful group-- docker client is not a server yet it needs bind
[12:44] jdstrand: mvo: apps can depend on multiple frameworks right now, correct?
[12:44] they should be allowed to, yes
[12:45] yes
[13:16] davidcalle, do you know why there are no margins on https://developer.ubuntu.com/en/snappy/guides/channels/?
[13:17] * dholbach surely broke something :-P
[14:02] do we have something like -proposed in terms of image creation?
[14:02] or is that just 'edge'?
[14:02] slangasek, ^
[14:02] dholbach: edge, was previously called -proposed
[14:03] thanks
[14:04] slangasek: can you look at my man generation mp?
[14:05] sergiusens: otp, will be able to later
[14:05] stgraber: btw, if I'm on trusty, is there a ppa for lxc where the download template would have vivid images?
[14:05] ty steve
[14:06] sergiusens: what still needs landing before we can feature freeze?
[14:06] mvo: ?
[14:06] asac: I need some u-d-f stuff; just finished the oem bug work and now moving to autopilot autoreboot
[14:06] asac: the security stuff is still in the works
[14:06] sergiusens: ppa:ubuntu-lxc/stable should get you a recent enough lxc for that
[14:06] asac: blocking sideloaded updates
[14:06] stgraber: thanks!
[14:07] asac: and some fixes from Chipaca
[14:09] sergiusens: ok you think we can get those in before EOD and still have a good image to start freeze?
[14:10] asac: well, the security stuff doesn't depend on the team
[14:10] dholbach: so i assume those stack pics will not stay on the channels guides?
[14:11] i think i can use them in the appliance guide ... and maybe we can improve the thing on the architecture inspired by these
[14:12] asac: we are mostly good, two unapproved branches left, not critical IMO, the launcher needs some further work and discussion with the security team, some real concerns here. worst case is that we need to disable the hardware: assign: feature if there is no solution found
[14:12] asac, sure... it's not done yet
[14:12] asac, once it is, I'll let you know :)
[14:13] asac: we also don't have an image with the latest ubuntu-snappy, I don't know why, there should be at least one since 418, I wonder if its because of arm64 :/
[14:15] slangasek: ^^
[14:16] dpm, davidcalle, can you help me with the styling of https://developer.ubuntu.com/en/snappy/guides/channels/?
[14:16] mvo: 418?
i dont have that high numbers
[14:16] i am on 18 or something with the new channel names
[14:16] mvo: maybe you are leeching on the old channels?
[14:17] dholbach, on it
[14:17] * dholbach hugs dpm
[14:17] jdstrand: can you please think hard how we can make it so that we dont need to disable the hwassign feature?
[14:17] asac: this is the amd64 image number
[14:17] I'll invite tyhicks to the standup, he did the review
[14:18] i really would prefer a solution than a discussion though.
[14:18] jdstrand: I'm happy to fix it, I just need some input what the best approach is, maybe we need to brainstorm it from what we need instead of what we have right now
[14:20] dpm, nice work - how did you do it?
[14:20] dpm, davidcalle: does the text generally make sense to you? :)
[14:20] dholbach, for Raw HTML, you need to enclose the whole page in
[14:20] ohoh ok!
[14:21] dholbach, and then within that row, you can choose how many columns with
[14:21] gotcha
[14:21] I'll attend the standup
[14:21] unfortunately, I don't have a solution atm
[14:21] mvo: are you planning another ubuntu-snappy upload? I'd like to drop the reference to apparmor-easyprof-ubuntu-snappy in debian/control. that is gone. easiest is to replace it with ubuntu-core-security-apparmor
[14:22] (note, nothing is broken because ubuntu-core-security-apparmor Provides apparmor-easyprof-ubuntu-snappy)
[14:22] jdstrand: I think I did that already, let me check
[14:23] jdstrand: yep, trunk has no easyprof string anymore AFAICS
[14:23] ok, thanks
[14:26] mvo, asac: is http://paste.ubuntu.com/10861645/ what we want documented for the ppa?
[14:26] just to be sure :)
[14:51] dholbach: so all tools will be available for trusty,vivid
[14:51] 15.04/stable = {trusty,utopic,vivid}/tools
[14:51] as an example
[14:52] asac, ok - what is "tools" in this nomenclature - what kind of stability can be expected there - how often is it updated?
[14:54] asac, is the note on the right hand side of the webdm page (https://developer.ubuntu.com/en/snappy/guides/webdm/) what you were looking for?
[14:59] dpm, davidcalle: do you think we should try to separate the links on https://developer.ubuntu.com/en/snappy/participate/? ie, "articles for hardware enablement", "articles on snappyfication" or "articles about snappy in general"
[15:00] mvo: which channel are you looking for the import to happen on?
[15:02] slangasek: devel-proposed, is that the wrong one?
[15:03] I don't know
[15:03] I'm asking so I can check :)
[15:05] mvo: ubuntu-core/15.04/edge/, last import was Apr 21 9:41 - same as devel-proposed. So it's not that
[15:33] mvo: I updated the auto reboot branch
[15:36] thanks sergiusens!
[16:43] tyhicks: fyi, r35 for ubuntu-core-security
[16:43] tyhicks: (makes the network-* changes we discussed)
[16:58] jdstrand: sorry for the delay - I'm just thinking through that change a little more
[16:59] jdstrand: I thought that you weren't going to add all the permissions to network-client until the socket params were filtered
[17:00] mvo: fyi - I verified that not doing setgroups() is fine in this case
[17:13] tyhicks: heh, obviously I thought they'd be the same except for socketpair
[17:14] tyhicks: that said, if you think there are things that should be in one and not the other, that's fine with me. my understanding coming out of there was that only socketpair is actually server related
[17:14] err
[17:14] server only
[17:15] jdstrand: what I was trying to say was that an app doing AF_UNIX communication may need many of the things that are in network-service
[17:15] right, which is why I added them to client
[17:15] ok
[17:15] I thought that was going to happen after the arg filtering
[17:15] because this separation is meant for inet/inet6
[17:16] I don't think it makes a big difference though since we plan to do the arg filtering
[17:16] right
[17:16] really, there is AF_UNIX and AF_INET/AF_INET6
[17:16] it is tough to split on client and server since those terms mean different things between those 3 domains
[17:17] tyhicks: they are essentially the same now because I don't want people to ask for network-service now when they don't need it. that way people can add in network-service once we support arg filtering
[17:17] ok
[17:17] re tough split> exactly
[17:17] wfm
[17:17] I realize there is no practical difference now
[17:17] I'm reviewing the seccomp filter now
[17:17] this is for establishing the groups for the future
[17:17] * tyhicks nods
[17:19] tyhicks: re review, thanks
[17:29] thanks tyhicks
[17:30] pitti: is there an API to figure from a libudev device to get if its a block or char device?
I'm overlooking something silly probably
[17:30] mvo: no, this is curiously hard to determine
[17:31] mvo: that's why in the PoC I was checking for "/block/" in the device path, otherwise it's a char
[17:33] pitti: ok, thats all I need to know, thanks
[17:33] mvo: that should be pretty safe
[17:42] tyhicks, mvo: fyi, http://paste.ubuntu.com/10862547/
[17:42] updating the packaging now and will request an MP
[17:43] I think I am going to be more lenient on the uevent rule
[17:43] /sys/devices/**/uevent r,
[17:43] we can finetune that later if needed
[17:47] jdstrand: wow - nice profile
[17:47] (minus having to include cap_sys_admin)
[17:47] yeah
[17:48] it is what it is
[17:48] jdstrand: oh, were you going to deny transitioning to unconfined?
[17:48] Chipaca: that comment was for you ^
[17:48] tyhicks: oh yes, thanks for reminding me
[17:48] jdstrand: which comment?
[17:48] Chipaca: 'it is what it is'
[17:48] Chipaca: I know how much you like that phrase ;)
[17:49]
[17:49] in my defence it was a long week and i was somewhat sleep deprived
[17:49] I liked what you had to say about it
[17:50] :)
[17:54] * Chipaca hopes the memories will come back someday
[17:54] * Chipaca also hopes he wasn't rude
[17:55] stgraber, tyhicks: hrm, hrm, so after some refactoring it seems like devices.allow is too clever and just having the FD is not good enough, it will deny access, from looking at the source it appears its checking if the task has CAP_SYS_ADMIN so the open fd and then do the rest with that seems to not work (which is really disappointing)
[17:55] Chipaca: it was something along the lines of, "Have you ever noticed that when someone says 'it is what it is' it usually means it is sh!+"
[17:56] hehe
[17:56] awesome
[17:56] mvo: gah, I hate it when checks are done on write rather than open...
[17:58] jjohansen: heh, can you look at this: http://paste.ubuntu.com/10862602/
[17:58] jdstrand: well, i wasn't wrong :)
[17:58] jjohansen: s/heh/hey/
[17:58] Chipaca: you weren't!
:)
[17:58] jdstrand: sure
[17:58] jjohansen: clearly, that says that I don't want to allow transitioning to unconfined
[17:59] jjohansen: I was thinking I wanted to say "not to unconfined and not to a profile that starts with '/'"
[18:00] jjohansen: but I wasn't sure how to express the alternation
[18:00] jdstrand: yeah that should do it, but why that instead of using a deny?
[18:00] jjohansen: oh heh, yes, that would be considerably cleaner, haha
[18:00] jjohansen: thanks!
[18:00] * jdstrand grabs brown bag
[18:00] deny change_profile -> {unconfined,/**},
[18:00] change_profile -> **,
[18:01] jdstrand: so this is one area of the language that could really use some improvements
[18:01] yeah
[18:01] there are just some things that are really hard to express
[18:01] in this case, the deny rules do a great job
[18:02] jjohansen: change_profile -> **, why the '**'?
[18:02] yeah but if you start doing stuff like that in the deny rule ...
[18:02] * will stop at / just as with file paths
[18:02] stgraber: yeah, unless there are more smart ideas I think I can not make the critical section smaller
[18:02] you may not care as they shouldn't be in the names you are allowing
[18:03] jjohansen: so, 'foo' ok, but 'foo/bar', no
[18:03] right
[18:03] that makes sense
[18:03] ok, thanks again
[18:03] tyhicks: did you see mvo's last comment? ^
[18:03] oh, no
[18:04] what if we dropped all caps except sys_admin until after the cgroups?
[18:04] jdstrand: let me try that
[18:04] well, its terrible but better than full root
[18:05] (well, maybe not, I need to check what is allowed with that)
[18:05] dropping all except sys_admin doesn't gain us much
[18:06] let me look back at the launcher code to see if I have any other ideas
[18:09] jjohansen: hrm, seems we have a parser bug
[18:10] jdstrand: ?
[18:10] jjohansen: all of these give a parser error:
[18:10] # deny change_profile -> {unconfined,/**},
[18:10] # deny change_profile -> unconfined,
[18:10] # deny change_profile -> /**,
[18:10] AppArmor parser error for /home/ubuntu/usr.bin.ubuntu-core-launcher in /home/ubuntu/usr.bin.ubuntu-core-launcher at line 32: syntax error, unexpected TOK_CHANGE_PROFILE, expecting TOK_ID or TOK_MODE or TOK_SET_VAR
[18:12] jdstrand: indeed, and ouch
[18:12] jjohansen: my previous paste works
[18:12] I'll get right on it
[18:12] jjohansen: so, I guess I am back to my previous question on the alternation
[18:12] right, its complaining about deny with change_profile
[18:12] * jdstrand nods
[18:12] jjohansen: I don't think it is worth an emergency upload. we can SRU the fix
[18:13] jjohansen: I'll file a bug and reference it in the profile
[18:13] sure not worth an emergency upload but something to get done
[18:13] I imagine it is a pretty easy fix
[18:13] jdstrand: give me a sec, to paste you it
[18:14] mvo: bummer... I don't see another obvious idea
[18:15] jdstrand: http://paste.ubuntu.com/10862679/
[18:16] mvo: we could temporarily drop, do the udev stuff, regain, write the devices lists, then permanently drop
[18:16] mvo: but I don't know that it gains us much
[18:16] mvo: I'll look at the udev code to see if it is a concern
[18:18] jjohansen: ok, that was what I was thinking. thanks
[18:18] jjohansen: fyi, https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1446794
[18:18] thanks
[18:26] tyhicks: well, drop and regain is not that helpful (from my limited understanding about the security I have). I am playing with libcap right now, but again limited success, I will get the kernel source next to see what its actually checking
[18:26] "it" being the devices.allow write of course
[18:26] mvo: ah, I'll do that "it"
[18:34] If I want to upload a package to the Snappy store, but like on behalf of a team (for example, ~mir-team), how do I do that?
I'm not sure how to not upload just as me
[18:37] mvo: ah, just noticed one more thing - the fclose() ret val needs to be checked in write_string_to_file() since there's not an explicit fflush()
=== mcaley_ is now known as mcaley
[18:41] mvo: when writing to the device cgroup files, devcgroup_update_access() does the real work and it immediately returns an error if 'current' does not have CAP_SYS_ADMIN: http://lxr.free-electrons.com/source/security/device_cgroup.c#L603
[18:41] mvo: there's no way around it :/
[18:57] tyhicks: yeah, I found that too, thanks! I have http://bazaar.launchpad.net/~mvo/ubuntu-core-launcher/drop-root-early-use-caps/revision/45 that drops root earlier, the code is not clean (enough) yet but my brain is a bit fried right now, not sure if this is worth it or not
[19:00] looking now
[19:00] mvo: fyi, I'm just about to do a MP for the apparmor profile for ucl
[19:00] (ubuntu-core-launcher)
[19:02] jdstrand: nice, does it work with exotic apps like docker?
[19:03] (I assume it does :) still curious)
[19:03] I am trying docker right now
[19:07] I missed one rule
[19:07] * jdstrand is testing now
[19:11] docker itself has an issue:
[19:11] Apr 21 19:10:35 localhost kernel: [22039.617003] audit: type=1400 audit(1429643435.305:104): apparmor="DENIED" operation="file_mprotect" profile="docker_docker-daemon_1.6.0.001" name="/bin/bash" pid=1886 comm="docker.start" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[19:13] mvo: I think that patch does help
[19:14] * jdstrand fixes docker
[19:14] mvo: I haven't gone through all of the cap_*() calls closely but I understand what you're doing
[19:15] tyhicks: ok, I will take a break and either do the cleanup now or tomorrow morning, plus new tests, the old approach is no longer working but I have a plan for new tests
[19:16] tyhicks: and THANKS for your help with this!
[19:16] much appreciate the feedback I got
[19:16] mvo: thanks for the quick turnaround on everything!
:)
[19:16] mvo: https://code.launchpad.net/~jdstrand/ubuntu-core-launcher/ubuntu-core-launcher.aa-profile/+merge/256992
[19:16] mvo: if you are using libcap, the profile will need to be updated
[19:16] mvo: I'll go back through the list and verify that everything has been done and, if necessary, propose some changes for you
[19:17] s/everything/everything important/
[19:17] mvo: (it should be easy to see what needs to be done, but I/tyhicks can also help)
[19:17] ah meh, conflict
[19:17] * jdstrand resolves
[19:17] these branches are moving too fast :)
[19:18] (it's just the changelog)
[19:22] tyhicks: here is the final profile: https://code.launchpad.net/~jdstrand/ubuntu-core-launcher/ubuntu-core-launcher.aa-profile/+merge/256992
[19:23] mvo: ok, that ^ is ready to pull in (obviously update as necessary for your changes)
[19:25] jdstrand: looks good
[19:31] * jdstrand uploads docker with the small profile change
[19:32] kickinz1: fyi ^
[19:32] kickinz1: committed to the branch
[19:33] kickinz1: can you delete ./package-dir/meta/docker-daemon.*priv now that they are no longer needed?
[19:50] jdstrand: thanks, uploaded! hints what the libcap branch needs for apparmor would be great (ideally by mail). I will check in my morning (in +8h) and continue on the capability branch
[20:02] jdstrand: I'll do
[20:04] lool: still around?
[20:04] lool: do you have the code for the demo that displays stuff on the mini LED screen still?
[20:09] kickinz1: thanks!
[20:19] tyhicks: fyi, r37 of ubuntu-core-security
[20:19] (added capget)
[20:22] jdstrand: done, but I will try uploading when owncloud package is somehow working, 'cause I think it will need some apparmor adjustment (bind mounts).
[20:22] jdstrand: ack - are you ok with me explicitly denying umount and umount2?
[20:23] tyhicks: yes
[20:23] pushed
[20:24] tyhicks: are you ok with my doing the same in apparmor?
:)
[20:24] jdstrand: yes :)
[20:24] jdstrand: don't forget about remount in apparmor (it is a separate rule)
[20:27] right, done
[20:27] and pushed
[20:32] ubuntu-core-security 15.04.6 pushed to the image ppa
[20:32] kickinz1: you are going to need that ^ for docker to work correctly
[20:35] jdstrand: ok, thanks.
[20:35] jdstrand: you know what is left still?
[20:35] for mvo :
[20:36] asac: a few finish touches on the launcher
[20:36] finishing*
[20:36] hmm
[20:36] what needs doing?
[20:36] the last bits from the security review
[20:36] aiui
[20:37] there was a snag with passing fds (it didn't work), so an alternate implementation that wasn't as comprehensive is being done
[20:37] the apparmor profile bits are in the image ppa
[20:37] ok, what hints is he waiting for>
[20:37] ?
[20:37] (ie, ubuntu-core-launcher runs under the profile)
[20:37] none
[20:37] 21:50 < mvo> jdstrand: thanks, uploaded! hints what the libcap branch needs for apparmor would be great (ideally by mail). I will check in my morning (in +8h) and continue on the capability branch
[20:38] oh, that
[20:38] I sent that to him already
[20:38] k
[20:38] it is just how to update the aforementioned profile for if he uses libcap
[20:39] sergiusens: so on my image sshd is not started by default
[20:39] sergiusens: ignore... let me recreate
[20:39] not 100% sure i --enable-ssh
[20:40] jdstrand: so I need a new image? Which revision ?
[20:41] asac: if you wait for the publisher to finish maybe try the latest u-d-f? But it does need a new image build as snappy list is broken
[20:41] kickinz1: it isn't on the image yet.
you can grab a new image, then do: sudo mount -o remount,rw / ; sudo dpkg -i /tmp/*.deb ; sudo mount -o remount,ro /
[20:42] kickinz1: pull the 3 ubuntu-core-security packages from https://launchpad.net/~snappy-dev/+archive/ubuntu/image/+packages
[20:42] kickinz1: note, I am getting non-apparmor/seccomp error when doing 'docker pull ubuntu:trusty'
[20:42] kickinz1: I was going to follow what is in framework-policy/apparmor/policygroups/client, but the docker repo seems broken
[20:44] sudo docker pull ubuntu:trusty
[20:44] ...
[20:44] sergiusens: from trusty
[20:44] Error pulling image (trusty) from ubuntu, Untar exit status 1 operation not permitted Untar exit status 1 operation not permitted
[20:44] maybe it isn't their repo
[20:44] sergiusens: ppa?
[20:44] but no denials of any kind
[20:45] kickinz1: anyway, I have to step away for a little while. I'll be back later
[20:45] sergiusens: getting 0.20snappy7-0ubuntu1 and will redo the flash
[20:45] jdstrand, trying locally (out of snappy) to check (pull ubuntu:trusty)
[20:46] sergiusens: which channel?
[20:46] sergiusens: 15.04 edge?
[20:46] * asac thinks we still work on rolling/edge until we cut it
[20:47] sergiusens: this is what i am now dd'ing https://pastebin.canonical.com/130045/
[20:47] or open paste: http://paste.ubuntu.com/10863294/
[20:47] jdstrand: ubuntu-core-{launcher,meta,security}?
[20:48] jdstrand: ok, sorry
[20:54] sergiusens: still have invalid package on system :/
[20:55] sergiusens: system-image-cli -i
[20:55] current build number: 18
[20:55] device name: generic_armhf
[20:55] channel: ubuntu-core/rolling/edge
[20:55] last update: 2015-04-21 18:27:44
[20:55] version version: 18
[20:55] version ubuntu: 20150421.A
[20:55] version raw-device: 20150421.A
[20:56] sergiusens: this doesnt help me much
[20:56] sergiusens: you say we need a new image build?
[20:56] do we have the fix landed?
[20:58] slangasek: https://launchpad.net/~snappy-dev/+archive/ubuntu/image this ppa is in theory in image?
[20:59] in practice, not just in theory
[21:00] the next scheduled image livecd-rootfs build is in 56 minutes; after which we need to again mangle for importing
[21:00] ok copied the snappy binary :)
[21:00] it works
[21:00] i love go :P
[21:01] ok the launcher seems to be old style
[21:06] jdstrand: hello-world.env
[21:06] Bad system call
[21:06] thats the problem?
[21:06] * asac reboots
[21:07] asac: yes; you need snappy trunk
[21:07] asac: and your u-d-f command was good
[21:07] slangasek: asac can we trigger a build sooner?
[21:08] i would love to see whats in
[21:08] right now i feel its broken
[21:08] but maybe my copying didnt do the good thing
[21:08] slangasek: sergiusens: ok if we kick an image?
[21:09] given that we have to mangle once anyway :)
[21:09] it would help us getting answers sooner
[21:09] yes
[21:09] triggered
[21:09] gratias
[21:10] hmm. guess i need the new -security package
[21:10] to get the syscall problem above eliminated
[21:11] ok, i am sure all is fine, its really just installing that security stuff
[21:31] jdstrand: on r404, installed debs + install docker, seems to work. r419: no way, same error as you.
[21:31] jdstrand: put docker in debug mode, not much more info...
[21:33] jdstrand: seems related to auplink. Does auplink need some seccomp profile?
[21:42] kickinz1: whats the error you see?
[21:47] asac; same as jdstrand: FATA[0016] Error pulling image (latest) from cirros, Untar exit status 1 operation not permitted
[21:48] asac: I put docker on debug mode, same message, I'm trying to strace, no better info...
[21:48] asac: last traces from strace:
[21:48] asac: http://paste.ubuntu.com/10863526/
[21:50] asac: on, r404, all clear...
[21:53] kickinz1: i am on r22 :/
[21:53] kickinz1: how do you produce the image?
[21:54] I made a little script.
[21:54] asac; r22 on amd64?
[21:54] asac: r22 -> bbb?
[21:55] no on amd64
[21:55] kickinz1: how do you produce the image?
[21:55] or is it an upgraded one?
[21:55] asac: generated one: http://paste.ubuntu.com/10863556/ [21:56] kickinz1: heh, keyboard layout is killed on the latest images [21:56] kickinz1: are you using ppa:snappy-dev/tools? [21:57] sergiusens, for building? [21:57] kickinz1: yeah [21:57] slangasek: ready for a manual mangling? [21:57] sergiusens, no I'm using snappy bin from images (I may not use the r419 though) [21:57] * asac hopes new image is ready now [21:57] kickinz1: sorry, I meant u-d-f [21:58] asac: yes, doing [21:58] kickinz1: this is revision for snappy tool? [21:58] * asac confused... i cannot install anything with that high numbers after our channel redo [21:58] great [21:58] asac: they are using --channel ubuntu-core/devel-proposed [21:59] asac: I take snappy from images for building, I think the last one I took was from r404. [21:59] sergiusens: that doesnt even work for me [21:59] sergiusens: guess only in beta ppa that works? [21:59] asac: they are using an old u-d-f [21:59] asac: yeah or no apt update [21:59] well, lets wait for next image [21:59] hope thats useful [21:59] guess we can only hope that things really came together [22:00] * asac reboots [22:00] sergiusens, I use dnappy-dev/beta yes [22:01] sergiusens, ok, I update... [22:03] slangasek: I think this is what we need https://code.launchpad.net/~sergiusens/snappy/conflictsPackaging/+merge/257008 [22:06] so if updated, I can build without getting snappy from images? [22:06] sergiusens, ^ [22:13] sergiusens, I have updated I still get r419... What am I doing wrong? [22:19] kickinz1: add-apt-repository ppa:snappy-dev/tools ? [22:22] sergiusens, sorry... [22:24] kickinz1: you should see seccomp denials if that was it. 
besides, you are using @unrestricted in the docker-daemon seccomp filter so no seccomp filters (ie, it shouldn't be seccomp) [22:24] ok getting 23 it seems [22:24] lets see [22:24] kickinz1: thinking about it, I bet it is the cgroups [22:25] a) docker hasn't been assigned any hardware and b) I doubt it would work with our cgroups implementation [22:25] because docker already does stuff with cgroups [22:26] (docker really is not a great first framework-- literally everything is an exception) [22:26] kickinz1: ok i think 23 might be better... :) lets see [22:26] at least i can install docker [22:27] the pb is to docker run -it ubuntu. [22:27] kickinz1: my feeling is we either need a way to flag the launcher that it shouldn't do anything but aa_change_onexec (ie, aa-exec) or special case docker in bin-path so it uses the old aa-exec [22:28] * jdstrand tests by modifying the systemd unit [22:31] it's the launcher [22:31] I'm going to send mvo an email and CC you guys [22:31] jdstrand: thanks [22:32] jdstrand: still get bad system call [22:32] on 23 [22:32] latest image [22:32] asac: is that capget? [22:33] you need ubuntu-core-security-seccomp 15.04.6 [22:33] jdstrand: ok good news is that the apps seems to work now [22:33] at least the hello-world.echo [22:33] docker images fails with bad system call though [22:33] right [22:33] yes, that is fixed [22:33] jdstrand: docker? [22:33] what kickinz1 and I are talking about is something different [22:33] line 11: 1218 Bad system call ... [22:33] select_bin ddocker [22:33] yes, 15.04.6 fixes the syscall [22:33] etc. [22:33] jdstrand: thats fixed? [22:33] hmm [22:34] so we need yet another image? [22:34] select_bin? [22:34] jdstrand: which package? [22:34] what arch is that? [22:34] amd64 [22:34] jdstrand: we spun an image after the most reent ppa upload [22:34] can I see the syslog entry? 
[22:34] ok [22:34] hmm [22:34] have to forward port [22:36] jdstrand: Apr 21 22:36:43 localhost kernel: [ 66.568721] audit_printk_skb: 12 callbacks suppressed [22:36] Apr 21 22:36:43 localhost kernel: [ 66.568724] audit: type=1326 audit(1429655803.718:15): auid=1000 uid=1000 gid=1000 ses=1 pid=905 comm="docker.x86_64" exe="/apps/docker/1.6.0.002/bin/docker.x86_64" sig=31 arch=c000003e syscall=228 compat=0 ip=0x7ffc8e52cb4d code=0x0 [22:36] thats the thing i get when i run docker iamges [22:37] 228 [22:37] probably select_bin [22:37] hehe [22:41] syscall=228(clock_gettime) [22:42] I can adjust that [22:42] fyi, sudo sc-logresolve /var/log/syslog [22:44] email on docker sent [22:44] jdstrand: ? [22:44] I will fix that ^ seccomp denial a bit later [22:44] asac: I sent it to you too [22:44] I have to step away again for a few minutes [22:52] kickinz1: what /dev nodes does docker access? [22:52] kickinz1: can you strace the command on a normal ubuntu system? [22:52] vivid? [22:52] to see? [22:52] asac: ok [22:55] asac: [22:55] asac, http://paste.ubuntu.com/10863741/ [22:59] jdstrand: its not clear to me why you have no problems [23:00] * kickinz1 going to bed... [23:00] kickinz1: i mean i have the latest image i think [23:00] asac: ok, do you want me to test? [23:00] orr [23:00] err [23:00] sorry [23:00] kickinz1: no [23:01] i meant jdstrand [23:01] sleep well [23:01] and see you tomnorrow [23:01] slangasek: do you know if ubuntu-core-security15.04.6 is on latest image? [23:01] asac: ok, will be around for a few minutes still but not too long (pb with uploading owncloud image armhf to docker registry) [23:02] jdstrand: i clearly have 15.04.6 [23:02] asac: for now I've created a docker image for ubuntu:trusty for armhf (I'll change to vivid as soon as everything else works) [23:02] guess you say its working on bbb? 
[23:03] asac: yes, ubuntu-core-security 15.04.6 is in the latest images on edge (except arm64) [23:09] ok i did my first seccomp hackery [23:09] enabled clocktime [23:09] and now i can runn docker iamges [23:10] and i am docker pulling [23:10] kickinz1: any idea what it untars at the end? [23:11] FATA[0032] Error pulling image (trusty) from ubuntu, Untar exit status 1 operation not permitted [23:13] asac: that's fine. it is interesting that you are seeing that seccomp denial in the client where I didn't, but I didn't have a chance to test a lot of it due to the daemon not working well with the launcher [23:13] asac: it downloads layers of the image, and then it untar it. It is pulling fgood from registry, and tars are in /var/lib/apps/docker/.tmp/..../xxx/xxx.tar, then it decompresses it, and it must populate /var/lib/apps/docker/aufs with them [23:13] I will prepare 15.04.7 [23:14] ls [23:14] we need to not try to fix the launcher for docker at this time and just special case it [23:15] if someone wrote a framework for snappy that needed the kinds of perms and did the kinds of things that docker is doing we would almost certainly say 'no'. this is a special case. let's special case it in the easiest way possible now and then see how to deal with this sort of thing going forward [23:17] yeah maybe [23:17] kickinz1: how can i get logs for docker? [23:18] asac, just systemctl stop docker_.... then sudo vi /apps/docker/current/bin/docker.start and uncomment the DEBUG="-D" line [23:18] asac, then restart daemon, it will logs to journalctl [23:18] asac: really going [23:19] bye === kickinz1 is now known as kickinz1|afk [23:32] jdstrand: what does docker appamrmor get access to in /dev ? [23:35] asac: in 'unprivileged' mode: http://paste.ubuntu.com/10863849/ [23:35] asac: note, most of those are directories, it is just the first 6 lines and the last that are actual files [23:35] asac: however, in 'privileged' mode, it has all of /dev [23:36] it defaults to unprivileged. 
there is a command to toggle privileged [23:36] docker has the ability to assign hardware to app containers [23:37] (which in our snap is reserved for privileged mode) [23:50] jdstrand: right. so still dont get whats going on here... do we know that the devnodes that you pasted are really avail there? [23:51] asac: what we know is that docker fails to run without them [23:52] docker was not designed for snappy and we are shoehorning it into a framework [23:52] jdstrand: hmm [23:52] jdstrand: so with new launcher those defaults are not getting mapped in? [23:52] don't get me wrong, it is useful for people, but its design is not in line with snappy [23:52] asac: I don't know why the launcher is breaking docker [23:53] asac: I imagine that it is going to be whack-a-mole [23:53] jdstrand: right, but do the devnodes get mapped into the launcher cgroup? [23:53] ie, we give the devices then it breaks cause of how it uses cgroups [23:54] asac: nothing is doing that mapping atm because there is no oem snap that sets those up. even if it did, the udev rule for docker privileged mode would be 'tag everything for docker' [23:54] jdstrand: right i get that [23:54] jdstrand: can i use hwassign to try doing those dev nodes? [23:54] http://paste.ubuntu.com/10863849/ [23:54] those [23:55] i guess i would have to do a find on all those directories :) [23:55] as it turns out, no. the command line hw-assign works only with templated policy atm, not hand-crafted policy like docker-daemon has [23:56] this is in my personal backlog (there is no trello card) [23:56] if that is deemed important, it can be SRUd [23:57] * jdstrand adds a trello card [23:59] asac: but, cli hw-assign doesn't do the udev stuff. it only adds rules to apparmor policy. as such, with the cgroups implementation, it is currently broken [23:59] * jdstrand just realizes that and adds a trello card