[00:02] time to publish the new image :-) [00:02] and finalize the release [00:04] rsalveti: I'll be here for another hour. Let me know when it's done, to try an update from stable -1. [00:04] elopio: great [00:19] \o/ [00:20] generic_amd64 should have image 3 already [00:23] sergiusens: elopio: image 3 should be available for both archs now [00:25] man, I hate this issue when using --install webdm [00:26] need to open a bug for that [00:26] rsalveti: this one also references beta: https://developer.ubuntu.com/en/snappy/tutorials/build-snaps/ [00:26] I'll update it, but it would be nice to somehow reference the ppa only from one page. [00:27] elopio: I already updated it [00:27] hit f5 [00:27] rsalveti: great. [00:28] rsalveti: weird, it should happen always (since oem snaps are also installed). [00:29] can only reproduce when using --install [00:29] rsalveti: right, --install just appends to the slice (as does --oem) [00:30] rsalveti: in any case, I think I may know what it is, and can solve it by serializing a bit instead of so much parallelism [00:30] right [00:32] rsalveti: kvm happily updated, rolled back and updated again. [00:32] beagle in progress... [00:33] awesome, mine is still downloading [00:38] * rsalveti kicks launchpad [00:38] giving a lot of errors when copying packages around [00:38] sigh [00:39] rsalveti: use the python lp libs [00:39] sergiusens: that works, but then the interface says it failed [00:39] like https://launchpad.net/~snappy-dev/+archive/ubuntu/beta/+packages [00:40] Launchpad encountered an internal error while copying this package. It was logged with id OOPS-c5d363b745138ca15db2f2fff68342c9. Sorry for the inconvenience. [00:40] failed for 2 packages [00:40] goget-ubuntu-touch and ubuntu-snappy, both for vivid [00:40] bummer [00:40] for other series it all worked fine [00:41] well, at least we're killing this PPA [00:41] so that's fine [00:42] * rsalveti now kicks ubuntu-device-flash [00:42] tried 5 times, failed every single time [00:42] with --install [00:42] hahah [00:46] and now store gave up on me [00:47] 10k/s [00:53] rsalveti: did you copy package already? [00:54] sergiusens: yup [00:54] sergiusens: tools and tools-proposed are all in sync with latest [00:54] and beta as well [00:54] sergiusens: are we missing anything? [00:54] crap, I can't using --install! [00:54] rsalveti: nope, but I'm going to update and build some images [00:54] *use [00:55] rsalveti: what if you --install hello-world instead of webdm? [00:55] sergiusens: any quick hack or workaround I can use? [00:55] let me try [00:56] trying: sudo ubuntu-device-flash core 15.04 --channel stable --oem beagleblack --install=hello-world --enable-ssh --output ubuntu-15.04-snappy-armhf-bbb.img [00:56] sergiusens: same issue [00:56] http://paste.ubuntu.com/11693333/ [00:56] let me open a bug [00:57] rsalveti: only with --install? [00:57] sergiusens: yup [00:57] rsalveti: if you don't it all works? [00:57] sergiusens: yup [00:57] no issue [00:58] rsalveti: the problem with that statement is that even if there isn't an --install, there is always at least one install called (and this is serialized) [00:59] sergiusens: https://bugs.launchpad.net/ubuntu/+source/goget-ubuntu-touch/+bug/1464054 [00:59] Ubuntu bug 1464054 in goget-ubuntu-touch (Ubuntu) "Fails to create a snappy image when using --install" [Undecided,New] [01:00] let me try to create the image on another computer I have around [01:04] elopio: sergiusens: https://launchpad.net/snappy/+milestone/15.04.1 [01:04] trying to update the pre-built images now, then upload and release to snappy-devel [01:06] rsalveti: oh wow, you can upload files directly to lp! [01:06] yup, when making releases [01:06] rsalveti: I run in a loop and I get this over and over http://paste.ubuntu.com/11693360/ [01:07] rsalveti: it might be a race and easy for you to trigger as your machine is faster... not sure [01:07] interesting [01:07] maybe, also using vivid [01:07] rsalveti: nice. [01:07] rsalveti: in my xp, when talking go it usually doesn't matter; what is elopio using? [01:08] sergiusens: right, but I don't think go is the issue here [01:08] sergiusens: as in what distro? vivid. [01:08] maybe the external environment is helping causing the race [01:08] oh, and he got the same machine [01:08] elopio: rsalveti and you guys have the same computer [01:08] rsalveti: yeah ;-) [01:08] elopio: mind trying to reproduce 1464054 ? [01:08] bug 1464054 [01:08] bug 1464054 in goget-ubuntu-touch (Ubuntu) "Fails to create a snappy image when using --install" [Undecided,Incomplete] https://launchpad.net/bugs/1464054 [01:09] on it... [01:12] rsalveti: can you remove the channel part from First stable release for the 15.04 channel. ? [01:12] Making it "First stable release for 15.04"? since channels in the future represent something else [01:12] sure [01:13] oh, I think I can change that too :-P [01:13] sergiusens: yup [01:13] already did [01:14] rsalveti: I can reproduce slowing down the download ;-) [01:15] sergiusens: hahaha [01:15] sergiusens: rsalveti: http://paste.ubuntu.com/11693402/ [01:15] https://bugs.launchpad.net/ubuntu/+source/goget-ubuntu-touch/+bug/1464054/comments/3 [01:15] Ubuntu bug 1464054 in goget-ubuntu-touch (Ubuntu) "Fails to create a snappy image when using --install" [Undecided,Incomplete] [01:15] for what you asked [01:15] this is from my desktop. [01:15] well not exactly reproduce, but something similar [01:15] yeah, same issue [01:15] at least it's consistent [01:16] hum, my beagle could update and rollback. But after the second update, I am now in emergency mode. [01:16] rsalveti: oh, it is the same issue [01:16] this happened to me last week too. Not sure how. [01:16] elopio: not good [01:16] yeah [01:16] we could really use some automated tests for beagle [01:17] to stress it [01:17] rsalveti: I slow down the download by installing a bigger package, there some semaphore missing somewhere [01:17] cool [01:18] rsalveti: did you also forget to push the tag for lp:goget-ubuntu-touch? [01:18] sergiusens: did I? [01:18] * rsalveti looks [01:19] sergiusens: maybe it's launchpad, hit f5 and it should show the correct rev :P [01:20] rsalveti: I'm bzr pulling [01:20] damn [01:20] journalctl -xb is not particularly easy to read, but can you make sense of any of these errors? http://paste.ubuntu.com/11693431/ [01:22] elopio: fat partition is busted [01:22] elopio: how sane is your sdcard? [01:23] sergiusens: I got it in austin, that's like a month ago. I have flashed it less than 20 times. [01:23] I can switch to a different one to see if it happens again during the week. [01:23] elopio: hmm, then that's not it; something is writing incorrectly or unmounting uncleanly and just being bad [01:30] https://bugs.launchpad.net/snappy/+bug/1464057 [01:30] Ubuntu bug 1464057 in Snappy "snappy rebooted into emergency mode after update" [Undecided,New] [01:30] I attached the journal in there. [01:31] elopio: I think we already have a bug with this... [01:31] but we can search for it tomorrow [01:31] slangasek: one interesting question, how to update something at releases.ubuntu.com? [01:31] I thought it was also at nukasan [01:32] *nusakan [01:32] sergiusens: I found two similar, but the error messages they have don't appear in my journal. [01:34] sergiusens: yeah, also reproduced on trusty (my older machine) [01:34] problem is indeed the connection speed I guess === devil is now known as Guest47334 [01:37] I'm going to the gym. bbl. [01:53] rsalveti: releases.u.c is the /srv/cdimage.u.c/www/simple tree, as opposed to www/full [01:54] slangasek: oh, got it [02:31] rsalveti: so I'm seeing "install fails", returns an error, triggers the unmount path and for some reason the same process is still "using" it and blocking the unmount [02:31] I see it with docker only [02:32] docker failed to install: unable to create /var/lib/snappy/apparmor/policygroups/docker_client: open /var/lib/snappy/apparmor/policygroups/docker_client: file exists [02:32] hm, here I don't get a failure when installing it [02:32] sergiusens: was able to create the images with the uk vpn [02:32] rsalveti: there is no chance to print it out [02:32] store is a bit faster with the vpn [02:32] yeah, true [03:14] rsalveti: can you give this a quick try? https://code.launchpad.net/~sergiusens/goget-ubuntu-touch/BeLazy/+merge/261679 [03:15] sergiusens: sure [03:15] rsalveti: no need to approve or anything, I've been playing a bit to get rid of my self induced panic call in the code [03:15] rsalveti: so far, now docker fails to install here and errors out correctly [03:16] great, let me check [03:16] going to sleep now to be able to get some prep work for webdm topics tomorrow [03:17] sergiusens: great [03:17] will put the feedback in the MR [03:17] just waiting releases.ubuntu.com and cdimage to show my pre-built image and will send the announcement [03:22] sergiusens: ops, just found a bug =\ [03:22] (amd64)ubuntu@localhost:~$ snappy info [03:22] release: ubuntu-core/15.04/stable [03:22] architecture: amd64 [03:22] frameworks: webdm [03:22] apps: [03:22] webdm as a framework [03:35] rsalveti: I see the same. Not a regression though, same output on #2. [03:35] wonder if this is a tool issue [03:36] we were testing only snappy list -v. One more reason to get the selftests extended. [03:37] even when using snappy install it is still showing as framework [03:37] did we change it to be a framework? [03:38] failing to login now, weird [03:39] after installing webdm and rebooting [03:39] http://bazaar.launchpad.net/~snappy-dev/webdm/trunk/view/head:/pkg/meta/package.yaml#L5 [03:39] yeah, then the doc is wrong [03:39] it is a framework. Now I'm really confused about what are frameworks. [03:39] maybe because it's exporting apis now [03:40] might be replaced for an app once we implement the rest api [03:40] shouldn't we allow apt-cache policy ? [03:41] how do I know the version of the snappy installed? [03:42] elopio: use /usr/bin/apt-cache [03:43] good trick. But it says: Installed: (none) [03:43] /usr/bin/apt-cache policy ubuntu-snappy [03:43] :D [03:44] that's right. [03:45] slangasek: how long does it usually take for something under /srv/cdimage.ubuntu.com/www/full to show up at http://cdimage.ubuntu.com ? [03:47] elopio: can you update https://developer.ubuntu.com/en/snappy/tutorials/using-snappy tomorrow with the proper output we get from image 3? [03:47] rsalveti: I can do it now. [03:48] elopio: great, thanks! [03:48] np [03:51] elopio: http://cdimage.ubuntu.com/ubuntu-snappy/15.04/stable/20150609/ [03:52] elopio: http://releases.ubuntu.com/15.04/ was also updated [03:53] yep. Downloading because my sdcard got busted. [03:54] I should start keeping all the images, instead of overwriting them. [04:08] elopio: https://lists.ubuntu.com/archives/snappy-devel/2015-June/000789.html [04:08] \o\ |o| /o/ [04:09] rsalveti: nice job. [04:09] as usual it took way more work than expected :-) [04:09] guess we learned a lot as well [04:09] I'm sure I did. [04:10] yeah [04:10] I will send a testing report now. [04:15] great [04:18] utlemming: now just need your side to update the cloud images ^ [05:27] ogra_: avahi> I roughly know what it is for and what it's supposed to do, yes :) [05:42] what's the deal with the +generic and +bbb filenames here? http://releases.ubuntu.com/vivid/ [05:44] ahh just keep reading the list sars, just keep reading the list :) [05:45] heh, I was about to point you to https://lists.ubuntu.com/archives/snappy-devel/2015-June/000787.html , but sounds like you found it :) [05:50] indeed :) thanks [07:05] slangasek, "ubuntu-personal/rolling/edge" looks fine to me as well, but yeah willcooke should validate it I guess [07:10] seb128: ok - can you check it with him today, perhaps? I'm heading off to bed now; but if we have the channel name I can set it up in the morning [07:10] slangasek, sure, waiting for him to get online [07:10] slangasek, have a good night! [07:10] thanks, have a good day :) [07:10] slangasek, I guess I should wait on that rather than try to hack an image build locally ;-) [07:10] thanks [07:11] pitti, so do you have any clue how a avahi reply could return a real external IP ? [07:11] ogra@anubis:~/datengrab/rpi$ ping webdm.local [07:11] PING webdm.local (254.193.204.33) 56(84) bytes of data. [07:11] i thought that was impossible [07:12] ogra_: why? isn't that the point? [07:12] you have a machine --> over there which offers a service, like ssh, or cups or whatnot [07:12] pitti, you mean returning internet IPs in a lan ? [07:12] or in this case, .local host names [07:13] isn't that a local LAN address? [07:13] indeed not :) [07:13] and at times i actually get 192.168.2.25 ... which is the right IP [07:14] 169.254.* would also be plausible (ipv4ll), but I suppose we don't use that [07:14] right [07:14] it should either return a non-routable local IP or something in the reserved 169.254 range [07:15] good morning [07:15] s/non-routable/not externally routable/ [07:15] i'm very confused how it can return the above [07:46] hey willcooke [07:46] hey seb128 [07:47] willcooke, sergiusens proposed to use "ubuntu-personal/rolling/edge" as the channel name for the personal image, slangasek asked for somebody to "ack the name product-wise" before setting that up ... can you do that? (or suggest something better if you have some other idea about that) [07:51] seb128, sergiusens - name sounds fine to me. I'll confirm with kgunn and report back asap [07:52] willcooke, thanks, slangasek went to bed and said he could set up the channel during his tomorrow, so I guess it let you the day to check with Kevin ;-) [07:55] :) [08:36] mvo, sergiusens http://paste.ubuntu.com/11694984/ i cant create images on trusty anymore with the recent u-d-f [08:36] * ogra_ wanted to build a final image for the rpi from the stable channel [08:39] ogra_: how does it fail? [08:39] see the paste :) [08:39] you know what [08:39] if i didn't see the url in your question [08:39] it seems to try to mount an already mounted disk image [08:39] maybe i should finish my coffee first [08:40] err ... or rather ... it tries to unmount one that is in use [08:40] ogra_: isn't that the partx race ? [08:40] * ogra_ cant read today it seems [08:40] ogra_: for some people it seems to help to remove the sd card when creating the image [08:40] is there a workaround ? [08:40] mvo, which sd card ? [08:41] ogra_: oh, no sd card or anything else removable in your system :/ ? [08:41] (my SD sits in the rpi ... i would only use it after i have an image :) ) [08:41] ogra_: meh, sorry, thats the best I have, maybe reboot :( [08:41] sigh ... thats my work desktop ... takes me 30min to start all work scripts after a reboot ... [08:42] * ogra_ would prefer to not have to :P [08:42] i guess i'll do my monthly dist upgrade then :P [08:43] mvo, u-d-f worked fine until the upgrade fwiw [08:43] ogra_: silly quesiton [08:43] ogra_: meh, best to talk to sergiusens then [08:43] ogra_: does it happen every time? [08:43] Chipaca, 3 out of three tries, yes [08:43] dang [08:43] and there is no loopback device left once it stopped [08:44] err [08:44] no, i'm lying [08:44] /dev/mapper/loop0p2 on /tmp/diskimage643565256/system type ext4 (rw) [08:44] /dev/mapper/loop0p3 on /tmp/diskimage643565256/system-b type ext4 (rw) [08:44] /dev/mapper/loop0p4 on /tmp/diskimage643565256/writable type ext4 (rw) [08:45] a lying liar of lies! [08:47] ogra@anubis:~/datengrab/rpi$ mount|grep loop [08:47] ogra@anubis:~/datengrab/rpi$ sudo losetup -a [08:47] /dev/loop0: [0811]:66982244 (pi2.img) [08:47] ogra@anubis:~/datengrab/rpi$ sudo losetup -d /dev/loop0 [08:47] ogra@anubis:~/datengrab/rpi$ sudo losetup -a [08:47] /dev/loop0: [0811]:66982244 (pi2.img) [08:47] hmm ... [08:48] mvo: i've got more weirdness for you [08:48] mvo: in case you're bored [08:48] mvo: ubuntu-core-launcher failing to run because it can't find librt.so.1 on image 69 [08:48] no [08:48] i mean ubuntu-core 69 [08:49] this is on my wily image, which is rolling edge [08:50] and it's because of an apparmor denied? [08:51] [Thu Jun 11 08:47:20 2015] audit: type=1400 audit(1434012441.158:15): apparmor="DENIED" operation="open" profile="/usr/bin/ubuntu-core-launcher" name="/lib/x86_64-linux-gnu/librt-2.21.so" pid=779 comm="ubuntu-core-lau" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [08:53] and indeed, that's not in the profile [08:55] ... and it isn't using librt when i build it locally [08:55] maybe this is wily -specific? [08:59] Good morning all; happy Ferris Bueller Day! 😃 [09:01] Bueller ... !!!! [09:03] * ogra_ thinks he has 80s day today ... someone on G+ injected a huey lewis song in my brain that i cant get rid of and now *that* ! [09:04] Chipaca: oh, interessting. let me try to reproduce [09:04] mvo: if you ldd /usr/bin/ubuntu-core-launcher on wily, it uses librt [09:04] mvo: but not on vivid [09:05] adding librt to the profile fixes it [09:05] but, i don't see why we now need librt [09:18] Chipaca: sounds a bit like a question for doko, but let me poke, I bet its gcc5 [09:19] so the reboot was useless [09:19] same error after fresh boot and dist-upgrade [09:22] * ogra_ sighs [09:28] Chipaca: ha! I blame libudev [09:29] Chipaca: if I update that I get the new librt dependency [09:30] * ogra_ downgrades to u-d-f 0.23-0ubuntu1 [09:30] sigh ... same issue [09:37] mvo: needing a commit message on https://code.launchpad.net/~mvo/snappy/snappy-remove-bin-path-compat/+merge/261596 [09:39] Chipaca: thanks a bunch [09:39] Chipaca: I have some huge branches soon, but I think I get lunch first :) [09:45] sounds good [09:45] i'm figuring out what "other snappy" is running during boot, which is blocking regen from running [09:46] * ogra_ looks at the u-d-f diff and finds ... [09:46] // create /boot/uboot [09:46] - if err := os.MkdirAll(filepath.Join(img.System(), "boot", "uboot"), 755); err != nil { [09:46] + if err := os.MkdirAll(filepath.Join(img.System(), "boot", "uboot"), 0755); err != nil { [09:46] that seems to be the only change in core_uboot.go [09:48] * ogra_ would just patch it and try it out, but obviously i cant fulfill even the build-deps on trusty :( [09:49] well... 755 is obviously wrong, so [09:50] :) [09:54] so guys, there is a noticeable lag 4-5s in webdm 0.9 (15.04 ubuntu core 3) [09:55] conyoo, that is why the spinner was added to the page i guess [09:57] :D [10:02] rollback worked ubuntu-core 3 -> ubuntu-core 2 \o/ [10:03] now how do i get back to 3? snappy update? [10:03] yes [10:03] thanks ogra_ :D [10:04] grah, "booted" and "internal-run-hooks" run at the same time [10:05] hey [10:05] morning [10:06] I just updated bb to -3 [10:06] and rebooted [10:06] and http://pastebin.ubuntu.com/11695375/ [10:06] (it doesn't boot, stops on nandboot not defined [10:07] pitti: can a service unit file have an ExecStartPre and no ExecStart? [10:07] Chipaca: I believe a Type=oneshot can; a Type={simple,forking,notify}, i. e. a real "service" needs to have an ExecStart [10:08] yeah, this is a oneshot [10:08] and i have other things depending on it [10:08] but they'll start before the oneshot is done [10:08] zyga, hold the user button down, thats not a snappy boot at all, looks like the board boots from eMMC [10:08] Chipaca: yeah, then this only matters if you want to override parts of it with drop-ins [10:08] ogra_: oh [10:08] seb128, quick question: will the snappy personal image be writable? [10:08] ogra_: thanks, I'll wipe emmc [10:08] dpm: no [10:09] Chipaca: err, a Type=oneshot isn't "done" until after ExecStart* all have finished [10:09] at least that kernel version doesnt look like any ubuntu kernel to me [10:09] pitti: well then something's awry [10:09] pitti: do you have five to look at it? [10:09] Chipaca: does that other unit have a proper After= (directly or indirectly) on the oneshot? [10:10] Chipaca: yes, sure [10:10] * pitti just quickly finishes his open-iscsi fix [10:10] pitti: oh [10:10] pitti: it's got an After on the wrong one :) [10:10] Chipaca: that might be related :) [10:10] pitti: thanks :) [10:11] Chipaca, so it's going to be the same in terms of writability as the phone, then? [10:11] Chipaca: After=YKWIM.service ! [10:11] JFDI=true [10:11] pitti: i prefer After=YFDWIM.already [10:12] Chipaca: computers are sooo picky [10:12] pitti: inorite [10:12] WOW ... http://paste.ubuntu.com/11695398/ [10:12] dpm: maybe. Do you consider the "writable" phone to be supported? [10:12] no [10:12] since when does tar call mknod when extracting a tarball [10:12] dpm: then yes :) [10:13] * ogra_ has never seen such an error [10:13] ogra_: whenever the tarball has special files in it? [10:13] Chipaca, it doesnt just extract them ? [10:14] i have never had something like this happen to me and i tend use chroot tarballs a lot ... [10:14] ogra_: filesystem mounted with nodev? [10:14] zyga, not on purpose at least :) [10:14] * ogra_ checks [10:14] but still, why would tar call mkdnod instead of just blindly unpacking whats there [10:15] um [10:15] ogra_: and besides, mknod is priviledged, no? [10:15] ogra_: sudo [10:15] ogra_: how would it unpack a special file? [10:15] zyga, i know how to work around it [10:15] i want to know why it suddenly happens [10:15] ogra_: it creates files with open, directories with mkdir, ... etc [10:15] Chipaca, and how did it do that before ? [10:16] ogra_: same way? [10:16] ogra_: i mean, there's no other way [10:16] well, i usually only start using sudo when i enter my chroots [10:16] ogra_: maybe fakeroot wrapper made mknod a fake mknod [10:16] ogra_: and you just didn't notice (wild guess) [10:16] hmm [10:17] nops :P [10:17] /dev/sdb1 on /home/ogra/datengrab type ext4 (rw,nodev,noatime,nodiratime,acl,user_xattr) [10:17] WTF ... [10:17] ogra_: systemd? :) [10:17] trusty [10:17] hmm! [10:17] indeed [10:18] ogra@anubis:~/datengrab/rpi/udf/chroot$ grep /home/ogra/datengrab /etc/fstab [10:18] UUID=a3818c99-93e5-4596-bc93-f058a2daa60d /home/ogra/datengrab ext4 user,acl,user_xattr,noatime,nodiratime,exec,suid 1 2 [10:18] and no "nodev" in fstab [10:19] ogra_: blame sergiusens [10:20] ogra_: works for me :-p [10:20] offtopic, I haven't tried yet so feel free to bash me, can I use docker to get a normal debian chroot with snappy [10:21] zyga: aiui, yes [10:21] * zyga erased emmc, boot still tries to go from it [10:21] hmm [10:22] just boot from the sd card [10:23] http://pastebin.ubuntu.com/11695445/ [10:23] hmm [10:25] zyga, hmm, corrupt fat ? [10:25] Hello. :) I like to configure Ubuntu Snappy as a Router with some docker features. But I can't find any information which is the best way to install something like ufw or firewalld on snappy? [10:25] but http://pastebin.ubuntu.com/11695460/ [10:25] ogra_: I'll check on my host, I just love sd cards [10:34] Norbell: i don't know of a snap that does that yet, but it's doable [10:36] @Chipaca Okay, thanks. Do you think it's possible to use something like deb2snap to convert firewalld into a snappy app? [10:36] Norbell: No such command! [10:38] * ogra_ sighs ... no lick for me today ... [10:38] so running u-d-f in a wily chroot doesnt work either [10:38] * ogra_ only wants this rpi image done ... dmaned [10:38] *damned even [10:39] s/lick/luck/ [10:39] what a wasted day :( [10:39] Norbell: I don't know, sorry [10:40] * ogra_ decides to rather wait for sergiusens or rsalveti to make u-d-f work again [10:48] Since a firewall is something you un only once on a linux installation. What is the appropriate snappy component for a firewall? There a frameworks and apps. But both app-types allow multiple instances of one app. In one news Canonical mentioned that some companies plan to install snappy on their routers. [10:49] Norbell: i'd expect it to be a regular snap [10:50] Norbell: ie an app, not a framework [10:50] Norbell: frameworks are for mediating access to hardware [10:54] @Chipaca And what about applications that configure Wi-Fi? [10:54] Norbell: No such command! [10:54] Norbell: same [10:56] Chipaca: thank you. Now I have at least an idea of what I have to do :) [10:57] ogra_: is modprobe still available on the snappy image? [10:58] ppisati: yes [10:58] GRRR ! [10:58] exactly the same issue on my vivid laptop [10:58] so u-d-f is officially completely broken for me :( [11:05] ogra_: here, de-grrr with http://i.imgur.com/vXO0HyH.jpg [11:06] it's my background image today (by random rotation), and has been making me smile all morning [11:06] ogra_: that's “derelict at-at among the sierra nevada” by oliver wetter, fwiw [11:11] lovely ! [11:15] pitti: FYI, running systemctl start from within the exec of a (oneshot) service hangs [11:16] so i guess generators are the only way forward for this [11:26] rsalveti, ridiculously smooth update on my Beagle Bone [11:26] nice work everyone [11:29] ogra_: with some extra checks I'm sure the fat is working [11:29] ogra_: any advice on what I can use to debug why it doesn't boot after upgrade? [11:43] ogra_: yeah, that no change rebuild caused a bunch of issues I'm trying to track down since last night [11:45] dpm, hey, base OS is a readonly image, then apps are snaps, a bit similar to the phone yes, ro fs and clicks in their own space [11:47] thanks seb128, that's what I was after [11:47] dpm, yw! [11:48] seb128, another question: I've seen some talk on the channel about how the final image will be delivered, but I haven't followed it up. Have you guys figured it out? [11:48] as an ISO, or as an image channel... [11:51] dpm, as a snappy image [11:52] seb128, as an image I can e.g. dd into a USB stick, such as the ones for BBB and RPi2? [11:53] mvo: mostly +1 on https://code.launchpad.net/~mvo/snappy/snappy-improved-developer-mode2/+merge/261692 ; just a stray comment to fix [11:53] mvo: a couple of non-blocking questions also :) [11:53] dpm, what's the difference? [11:53] dpm, the rpi can't be dd-ed? [11:54] oh, you meant those are dd-able [11:54] seb128, I'm not trying to point any differences, just trying to make sure I understand [11:54] dpm, not sure if there are several type of snappy images? [11:54] dpm, dunno, for me there was only one type of snappy images [11:54] and they can be dd-ed [11:54] but I didn't investigate much so maybe I'm wrong [11:55] others here can probably reply better to that [11:55] seb128, I'm not implying there are different types, I just wanted to figure out and understand how the initial installation would work [11:56] dpm, not figured yet [11:56] dpm, the snappy team has that in their backlog [11:57] ack [11:57] snappy images are divided in: (a) signed by canonical, (b) deprecated, (c) working, (d) for quadcopters, (e) firewalls, (f) fabulous, (g) odds and ends, (h) included in this classification, (i) that break all the time, (j) innumerable, (k) maintained by ogra_, (1) etcetera, (m) that break the hardware when booted, (n) that look ok when squinting. [11:58] sounds about right [11:58] images are like appliances [11:58] up to each product to define how to best install it [11:58] dpm, my understanding is that next steps for personnal are for willcooke to confirm the channel name [11:59] then sergiusens/slangasek to set up that image/channel [11:59] then we should be able to use u-d-f to build a personal image [11:59] seb128: the channel name I suggested is on par with 'core' and makes the transition to pure snaps easier [12:00] seb128, ok, I think that answers all of my questions, thanks [12:01] Chipaca: you really prefer syscall.Mount? [12:01] dpm, yw! [12:01] sergiusens, great, waiting on willcooke to confirm with kgunn that the name is ok I think [12:01] Chipaca: wasn't syscall in deprecation mode? [12:02] sergiusens: moved elsewhere, but not deprecated per se [12:02] sergiusens: I don't know if I prefer it or not. If it were C, would we still be exec'ing /bin/mount ? [12:02] sergiusens: I don't know :) [12:03] /bin/mount does a bunch of things around mount(2), which might make it worth just exec'ing [12:05] Chipaca: thanks a lot [12:06] Chipaca: there is no syscall.Umount or it's too early for me [12:07] sergiusens: https://golang.org/pkg/syscall/#Unmount [12:07] sergiusens: they added a random n in there [12:07] :-p [12:12] Chipaca: ah [12:15] nice, the raspi2 modfies the dtb on the fly before passing it to the kernel to make the i2c devices visible [12:15] very nice [12:15] except that since we use uboot to boot the syste, [12:15] and thus we pass the dtb file from the filesystem [12:16] we don't give a sh*t about the modified dtb that start.elf is prepping for us [12:16] becuause uboot != kernel [12:20] * Chipaca ~> lunch [12:23] Chipaca: yes, never use systemctl start without --no-block in a systemd unit [12:24] Chipaca: it's best to avoid calling systemctl altogether, it's usually a hack (you rather shold use Wants=, Requires=, etc.) [12:24] Chipaca: calling systemctl start in an unit causes a deadlock [12:30] sergiusens, let me know once you have something to test, i really want to get that final rpi2 imae out [12:30] *imae [12:30] bah [12:30] * ogra_ needs new kbd [12:30] morning folks [12:30] how are we doing? did something explode because of the update? :-) [12:30] ogra_: you can try the branch I told rsalveti to try [12:30] rsalveti: no, just the u-d-f rebuild [12:30] :-/ [12:31] sergiusens, how do i build it ? i cant even get the build-deps installed here [12:31] ogra_: bzr bd --builder='sbuild -c wily ...' [12:32] without deps ? [12:32] sbuild or pbuilder or what suits you [12:32] a plain chroot ... or even better just my main system :) [12:32] ogra_: on wily, mk-builddeps -i [12:33] i dont run wily on any of my prod machines [12:33] trusty and vivid are what i can offer [12:33] sergiusens: hm, that I tried but didn't help me at least [12:34] unless you updated it again, let me check [12:34] sergiusens: will try it again in a few minutes [12:36] rsalveti: you got a different error due to something else [12:37] sergiusens: yup, still mount related, but will give it another shot soon [12:47] ogra_: I frlashed the image from instructions on the website just now, clean card, clean emmc, it doesn't boot [12:48] ogra_: something is wrong there [12:48] zyga, well, QA tested it ... [12:48] ogra_: well, is the thing they tested uploaded? [12:48] * ogra_ hasnt tried the BBB, i'm focused on the rpi [12:48] ogra_: I can sha the image (uncompressed) that I have [12:49] well, compare the MD5 with the one on the server then [12:54] uh, weird [12:54] rsalveti, that cdimage fs structure is super confusing ... (for the actual img's) [12:55] why is 15.04 snappy under preview and not under releases ... [12:55] and there is also an ancient "alpha 3" in the scratch dir [12:56] ogra_: is there anything on emmc that can influence the boot if I hold the user key? [12:56] not if you hold the key, no [12:56] then it should always boot from SD [12:56] ogra_: I'm re-downloading from this URL http://releases.ubuntu.com/15.04/ubuntu-15.04-snappy-armhf-bbb.img.xz [12:56] ogra_: what I see now is: [12:57] http://pastebin.ubuntu.com/11696123/ [12:57] shouldnt it try mmc1? [12:57] mmc1 is sd, mmc0 is emmc [12:57] right? [12:58] no idea [12:58] * zyga wonders if qa images worked just because someone had good bits of bootloader on their board [12:58] and actual images don't work [12:58] ogra_: I have a second bone with normal ubuntu and that's how it works there [12:58] sd is on mmc1 [12:58] well, then the above is right [12:59] wait for elopio, he can surely tell you how he tested [12:59] thanks [12:59] * ogra_ grins about the latest mail to ubuntu-phone [13:02] ogra_: from Linn Error? ;-) [13:02] yeah :) [13:07] \o/ [13:07] sergiusens, thanks so much, the MP helped [13:07] ogra_: great [13:08] ogra_: I don't like the MP though :-P [13:08] yeah, its just hiding the prob [13:08] * jdstrand didn't get to respond to Norbell on how he is going to have trouble with a firewall snap since the security policy doesn't allow it and the kernel isn't autoloading iptable_filter and ip6table_filter and probably other things [13:09] I'm trying to get ufw going in my spare time and collecting data that I will present to the architects group. I sorta think we need something like hw-assign but for net-admin [13:09] ogra_: what I think is happening is that snappy.Install is returning but some thread is still running and so when I try to unmount I get a device under use unmount error and boom [13:09] but we'll see [13:09] sergiusens, well, then a sleep would do the same [13:09] I had some test code with fuser and the only process using the mount was u-d-f [13:09] but with clean unmount [13:10] ogra_: both ugly, but I can do some sort of sync and wait [13:10] sergiusens, both ugly, but the sleep would prove that whatever holds the lock actually returns after a while [13:10] the lazy unmount wont [13:11] ogra_: yeah, will give it a go in a bit [13:12] ogra_: which path is the one containing alpha 3 and so on? [13:12] but yeah, there is some duplication in there [13:12] rsalveti, http://cdimage.ubuntu.com/ubuntu-core/scratch/ [13:12] too a while to find out the right place to dump new images [13:12] and there is http://cdimage.ubuntu.com/ubuntu-core/preview/ [13:13] ogra_: right, but we're using http://cdimage.ubuntu.com/ubuntu-snappy/ [13:13] :-) [13:13] just to help causing more confusion [13:13] lol [13:13] rsalveti: we should just upload to launchpad ;-) [13:13] sergiusens: yeah [13:13] well, we should wipe the ubuntu-cpre ones [13:13] old and useless anyway [13:13] rsalveti: zx'ing gives a 156MB image [13:14] [ 0.001750] Calibrating delay loop (skipped), value calculated using timer frequency.. 38.40 BogoMIPS (lpj=192000) [13:14] heh [13:15] i never noticed rpi had such a low BogoMIPS value [13:15] maybe early boot only? [13:15] yeah [13:15] it surely doesnt act like 38.40 :) [13:15] hmm [13:16] even though ... cpuinfo has the same [13:16] funny [13:17] great, image seems to work [13:17] * ogra_ installs a few snaps [13:17] ogra_: tried again, yep, it's broken [13:18] ogra_: md5sums match [13:18] ogra_: user key pressed [13:18] ogra_: my problem with udf is only when using it with --install [13:18] ogra_: shall I file a bug on lp:snappy? [13:18] rsalveti, your prob with udf is with using grub ;) [13:18] for me it fell over when enabling developer mode [13:18] weird [13:19] the MP from sergiusens fixes that bit here [13:19] ogra_: did you try sergiusens's mr? [13:19] yes [13:19] just commented on it [13:19] this was my error this morning http://paste.ubuntu.com/11694984/ [13:20] k, now the ultimate test ... [13:20] * ogra_ installs docker and owncloud ... (via webdm this time :) ) [13:21] once that passes i'll push the stable RPi image up [13:22] elopio: ping [13:23] sergiusens, bladernr_, do we have any plans to refresh the store page when the user installed a framework package ? [13:23] ogra_: installing docker fails for me [13:23] just fyi [13:23] sergiusens, works fine here [13:23] ogra_: :( [13:24] i'm just installing owncloud now [13:24] ogra_: oh, on a prebuilt I mean [13:24] well, at least webdm didnt spill any error [13:24] oh, you mean via --install ... got it [13:25] ogra_: yup [13:25] Chipaca: fyi docker failed to install: unable to create /var/lib/snappy/apparmor/policygroups/docker_client: open /var/lib/snappy/apparmor/policygroups/docker_client: file exists [13:25] Chipaca: that's the exit 1 we used to see ;-) [13:26] ogra_, sergiusens: are you mostly working on hardware or qemu? [13:26] zyga: both [13:26] Chipaca: thanks a lot for your review marathon! if you have further suggestion for improvements, I'm all ears, I will probably continue tomorrow or so, I'm a bit tired now :) [13:27] zyga, only HW currently [13:27] (myself that is) [13:27] * zyga goes to try qemu image [13:27] pitti: is it intentional that libudev now requires librt.so? just curious [13:27] sergiusens: do you have the whole error output? [13:27] Chipaca: I will add a apparmor ok rule for ubuntu-core-launcher if you don't have that already [13:28] Chipaca: it's just that, it's the err returned from snappy.Install [13:28] mvo: i don't [13:28] sergiusens: lies! you've got a line number somewhere, surely? [13:28] sergiusens: in syslog? [13:28] sergiusens: do we actually want webdm to be a framework? [13:30] mvo: kind of -- new libudev is now internally using the sd-device library, and some bits in the internal systemd libs use mq_getattr and friends [13:31] ok [13:32] sergiusens: sorry for nagging, you mentioned you already did a static grub.cfg (similar to uboot) is that available somewhere? I would love to look at it at some point [13:33] mvo: Chipaca: is there any major issue to be fixed still for wily? [13:33] * rsalveti is checking the create wily/rolling images [13:34] rsalveti: well, ubuntu-core-launcher doesn't [13:34] rsalveti: so that's fairly major :) [13:34] https://code.launchpad.net/~mvo/ubuntu-core-launcher/apparmor-plus-librt/+merge/261726 [13:34] rsalveti: -^ [13:34] :D [13:34] maybe more, this blocks the testing right now, I need to check if the apparmor fix is in wily already [13:34] right, awesome [13:34] the proper one from john [13:35] mvo: one of the pending questions we have is how we're going to maintain the ubuntu-snappy package [13:35] mvo: I just now approved it [13:35] mvo: since we now have the desktop guys also creating the ubuntu-personal images [13:35] jdstrand: \o/ should I cherry pick it into our ppa or will there be a upload soon(ish)? [13:35] so in general I believe it would be good to land everything in the archive and avoid using the ppa [13:35] rsalveti: meh, I really really the auto-build of that package :/ [13:36] but since we can't auto land in there, maybe we can do a weekly release in the archive or such [13:36] mvo: I wasn't planning on fixing it, but I can if you want. I was just rying to expedite the proces for you :) [13:36] mvo: yeah [13:36] ie, just gave my blessing to upload [13:36] jdstrand: its fine, I can do it, I just did not want to duplicate work [13:36] mvo: maybe syncing once a week is fine, what do you think? [13:36] sync ppa -> archive [13:36] * jdstrand nods [13:37] rsalveti: yeah, I guess. Iwould love to automate this as much as possible (which is tricky, I understand that) [13:38] rsalveti: I mean, if we have super strong auto-testing (and we are on a good way) I don't see why releasing would be manual, if all tests are good it should go in automatically [13:38] jdstrand: where is that branch you just approved :) ? [13:38] https://code.launchpad.net/~mvo/ubuntu-core-launcher/apparmor-plus-librt/+merge/261726 [13:38] jdstrand: aha, thanks [13:39] mvo: yeah, the only tricky thing is uploading to the archive [13:39] jdstrand: hm, maybe there is a misunderstanding, I was wondering if there was a plan for a new apparmor release with the fixes from john for https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1460152 [13:39] Ubuntu bug 1460152 in Snappy "apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable -> 15.04/edge updates)" [Critical,In progress] [13:40] rsalveti: indeed [13:40] mvo: maybe we can convince the personal guys to also use our ppa? [13:40] until we find a better way [13:40] mvo: oh that was a misunderstanding [13:40] jdstrand: don't get me wrong, I don't want to give you work, just double check that I don't do stuff that is already in progress [13:41] mvo: let me check [13:41] happy to cherry pick it myself and push to the PPA for now [13:41] mvo: what is that bug number? [13:41] rsalveti: +1 from me and we put it on the list of things to do [13:41] jdstrand: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1460152 [13:41] Ubuntu bug 1460152 in Snappy "apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable -> 15.04/edge updates)" [Critical,In progress] [13:41] (this one?) [13:41] mvo: is the workaround in wily already? [13:41] mvo: sure [13:42] jdstrand: I don't think so, iirc I did not upload it because I hoped for a better fix (and I was lucky :) [13:42] did not upload it to wily [13:42] mvo: ok, so, we are planning a new apparmor upstream release and a corresponding apparmor upload to wily. that won't happen for 2-3 weeks. do you need it in wily before then? [13:43] jdstrand: so I could apply the two patches from john against the wily apparmor and upload to the PPA and your team can upload the real wily at your convinience? [13:43] sounds ok? [13:43] seb128: hey, regarding personal images, we're currently auto deploying ubuntu-snappy in our ppa and using that when creating the core images since we can't easily automate the upload to the archive [13:44] mvo: that does sound ok. it would also be ok for vivid. that said, before you upload can you double check with jjohansen that this is the final patch? [13:44] seb128: and our auto-deploy is awesome :P [13:44] seb128: so there could be an out-of-sync issue with the version you guys end up using if you're also not using our ppa [13:44] rsalveti, hey, unsure how to parse that bit of info [13:44] ah ok [13:44] mvo: and if you do vivid, you would remove the workaround systemd unit? [13:44] seb128: would you mind also adding our ppa to your builds at least for now? [13:44] jdstrand: sure, will do. vivid is not super critical right now I'm ok with the worakaround there for now. but yeah, if vivid then the workaround will go [13:44] until we find a better way to automate the publishing in the archive [13:45] rsalveti, mvo: I'm unsure to understand why you can't regularly land updates to wily? [13:45] seb128: we can, but we're landing stuff more than daily in our ppa [13:45] ok. I'm not super excited about the workaround (you may have gathered that from the bug comment), but so long as it gets there eventually, that's ok [13:45] jjohansen: hi, jdstrand suggested to double check with you that the two patches for https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1460152 are the final ones or if there is more in your git repo that I should cherry pick? [13:45] Ubuntu bug 1460152 in Snappy "apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable -> 15.04/edge updates)" [Critical,In progress] [13:45] and we want to automate that to be something for every commit [13:45] rsalveti, you could land more than daily in the archive [13:45] mvo: thanks! [13:45] we want to always release our trunk [13:45] seb128: because its a manual bzr-buildpackage; dput that a bzr build recipe can also do [13:46] seb128, not during freezes [13:46] ogra_, why not? [13:46] yeah, but requires a manual step, and also not during freezes [13:46] yeah [13:46] I though we didn't freeze proposed [13:46] if I can have my way each commit to trunk will be a upload :P automatically [13:46] even if we freezed migrations [13:46] but we don't build from proposed [13:46] seb128, we dont build images from proposed [13:46] do you need to use packages? [13:46] can't you just lp:ubuntu-snappy then? [13:47] atm, yes [13:47] live-build uses packages [13:47] (and we need binaries indeed) [13:47] ogra_, you could make it branch & bzr bd & dpkg [13:48] seb128, yeah, or just use a PPA :) [13:48] SUBPROJECT=system-image EXTRA_PPAS=snappy-dev/image for-project ubuntu-core cron.daily-preinstalled --live [13:48] how we're building our images [13:48] right [13:48] so I'd suggest you guys to use the same ppa for now when building the snappy personal one [13:48] just needs the "EXTRA_PPAS" var set [13:48] until we find a better way [13:49] we're working on it [13:49] I'm sure Laney isn't going to like that :p [13:49] divergence... [13:49] we should converge, not diverge [13:49] nah, convergence [13:49] by not using our standard archive & infra [13:49] you move closer to snappy :) [13:49] lol [13:50] I think that if nobody push back to reduce the divergence it never happens [13:50] let's keep personnal off that, it's going to create the motivation to resolve the issue [13:50] the problem is the archive and having uploads for every commit [13:50] if the solution is moving away from the archive [13:50] then we're not going to converge *in* the archive [13:50] that's not a solution [13:50] our archive/infra should be fit for our needs [13:50] if it's not we need to fix/change it [13:50] well, following your suggestion to build the package in livebuild [13:51] yeah, that was a stupid workaround suggestion [13:51] sergiusens, mvo, is the content in http://people.canonical.com/~platform/snappy/ used by anything or could i wipe it and create a RPi2 subdir [13:51] sure, we need to fix it, all I'm saying is that while it's not fixed, it's better to just using the ppa [13:52] what sort of issues do we have using the archive versions? [13:52] those should be usable now? [13:52] mvo: re Chipaca's comment on the apparmor rule. try: /lib/@{multiarch}/librt{,-[0-9]*}.so* mr, [13:52] even if they lag a bit behind [13:52] you are behind on fixes [13:52] seb128: it's usable, just lagging behind [13:52] that's fine [13:52] it can be really bad [13:52] at least we experience what our users experience [13:52] if that's fine, then fine :-) [13:52] (see the recent u-d-f issues) [13:52] jdstrand: ok, do you prefer that over librt-*.so* (same as libc?) [13:52] well, if the archive version is that bad, let's not have that package in the archive [13:52] so nobody uses it [13:52] let's keep it in a ppa where it's rolling [13:52] the udf issue is a different one [13:53] we don't expect the archive one to be broken [13:53] since we don't even want our package in the ppa to be broken [13:53] sure, i'm just trying to point out that there can indeed be fatal bugs [13:53] in the ppa as well [13:53] sure, but that can happen for any package that gets uploaded [13:53] right [13:54] you would expect a every commit snapshot to have more issues than one that is manually tested and uploaded to the archive [13:54] but due to the extra iteration throuh the PPA it will take longer til it reaches the archive [13:54] thats what i meant [13:54] right [13:54] it's fine, we're going to improve our automated testing to verify it better as we go [13:54] the only issue is that you guys might end up using an older version [13:55] in my ideal world there is no need for manual testing everything that would be done manual is run automatic [13:55] mvo: either is ok. I see I did use -* before. if I were to do it again, I would use what I suggested for all [13:55] yeah, the only missing piece in that ideal world is having a permission to upload to the archive [13:55] rsalveti, thanks for the heads up [13:55] we need to discuss it [13:55] but, we're still uploading packages in a ftp server [13:55] in 2015 [13:55] jdstrand: ok, so I will uses the suggestion from john and update libc too for consitency(?) [13:55] but I would prefer to keep personnal on the archive [13:56] seb128: sure [13:56] would it only because it helps to keep the motivation to fix our infra for our need [13:56] rather that paperover in a specific way [13:57] mvo: I don't understand that statement. I mean, I do, but I'm confused by it. if you are choosing to update all of them, please do: [13:57] /lib/@{multiarch}/librt{,-[0-9]*}.so* mr, [13:57] /lib/@{multiarch}/libc{,-[0-9]*}.so* mr, [13:57] /lib/@{multiarch}/libpthread{,-[0-9]*}.so* mr, [13:57] that is more precise while still allowing for good maintenance [13:59] hola [14:00] elopio: hey [14:00] elopio: so you've tested the last beagle image? [14:00] elopio: I tried to install it today, it doesn't boot for me [14:00] zyga: hello. stable #3, yes. [14:00] elopio: maybe I did something terribly wrong [14:00] zyga: maybe. Can you connect to the serial console and see what it says? [14:00] elopio: do you think you can tell me what I might have done wrong [14:00] elopio: I did that [14:00] elopio: its says... [14:00] http://pastebin.ubuntu.com/11696123/ [14:03] jdstrand: yeah, sorry, I'm not expressing myself well today. branch updated [14:03] elopio: it also failed on upgrade [14:03] elopio: I was running previous version [14:03] mvo: hehe, np. I probably made this harder than required [14:03] elopio: up until this morning when I updated [14:03] jdstrand: :) all good [14:03] elopio: then tried a clean flash from ... [14:03] but it's all good now :) [14:03] hehe [14:03] elopio: stuff listed here http://developer.ubuntu.com/en/snappy/start/ [14:03] elopio: (md5sums match what I've downloaded) [14:03] elopio: one question, when you test a new image [14:03] elopio: do you have anything on emmc? [14:05] zyga: I'm about to start a meeting. [14:05] on the emmc I have debian. [14:06] elopio: is there any chance that is helping you to boot [14:06] elopio: otherwise, I'm not sure what happens to me [14:06] elopio: my emmc is wiped clean [14:06] zyga: I doubt it. But maybe... [14:06] hiya [14:06] hangout? [14:06] elopio: by default the boot order is nand > sd [14:06] ah, ww [14:06] elopio: so perhaps that would explain why it works for you [14:06] sabdfl, wrong channel ? [14:06] indeed :) [14:07] :-D [14:07] zyga: how did you wiped the emmc? [14:07] elopio: from uboot [14:07] ironically, an invitation to talk snappy though! [14:07] elopio: mmc erase ... [14:07] haha [14:08] elopio: mmc dev 0 # or something like that to pick the right mmc [14:08] elopio: mmc erase something something # 0 size or the reverse, [14:08] elopio: without the sd card with the image (that fails to boot into the kernel) I just see 'C' on the serial line [14:09] mvo: the grub.cfg I use is just from the image, using a u-d-f branch I have with some modifications, I'll get it up as soon as all these criticals go away [14:11] Chipaca: feel free to try yourself ;-) [14:11] rsalveti: webdm a framework was a requirement not imposed by me [14:12] sergiusens: push now, or I will die from curiosity ;) [14:12] elopio: ao anyway, any help is appreciated [14:16] elopio, ogra_: https://bugs.launchpad.net/snappy/+bug/1464275 FYI [14:16] Ubuntu bug 1464275 in Snappy "Unable to boot beagle bone black from prebuilt image #3" [Undecided,New] [14:17] mvo: okie dokie [14:17] sergiusens: lets talk after the meeting if you have a minute [14:17] sure [14:24] sergiusens, mvo, is the content in http://people.canonical.com/~platform/snappy/ used by anything or could i wipe it and create a RPi2 subdir [14:24] * ogra_ just re-cycles the last question :) [14:25] ogra_: I have no idea [14:25] sergiusens, ? ^^^ [14:26] sergiusens, seb128 - kgunn is +1 on the name - let's roll! [14:26] willcooke, thanks [14:26] slangasek, ^ [14:28] seb128, willcooke: nice, thanks [14:30] ogra_: mvo that's dead [14:30] seb128: i tried to read thru scrollback, is the summary, we need to use core ppa to build on ? not archive, in order to stay in sync with core guys? [14:30] sergiusens, awesome, deleting ... there are other snappy dirs that look dead as well one levelk up [14:30] willcooke: WOT you got away with sheworeanitsybitsyteenyweenyyellowpokerdotbikini? [14:31] ogra_: .NEW and .ORIG, yeah good to go as well [14:31] sergiusens, http://people.canonical.com/~platform/snappy.NEW/ and http://people.canonical.com/~platform/snappy.ORIG/ [14:31] cool [14:31] ogra@anubis:~/datengrab/rpi$ ssh people.canonical.com [14:31] Agent admitted failure to sign using the key. [14:31] Permission denied (publickey). [14:31] ssh_exchange_identification: Connection closed by remote host [14:31] oh come on ! [14:32] so mv'ing my ~/.ssh dir away and back in place gets me this ? ... [14:32] funnily i can ssh localhos and then it works [14:33] kgunn, define "stay in sync", things keep changing, so depending on where you start your build and how often you build things are going to be slightly "out of sync" anyway [14:34] kgunn, if wily is *that outdated* then we have an issue [14:34] * ogra_ wonders what caches the ssh key ... i cant find any process with ssh or agent in the name :/ [14:37] ogra_, on what system? [14:37] seb128: thanks...so the "how out of date is wily" is still an unknown [14:37] ? [14:38] kgunn, well, I don't know about that, rsalveti & mvo claim we should use ppa because wily is outdated [14:38] seb128, sergiusens: what are the device types that we expect on personal? generic_$arch ? [14:38] seb128, on my trusty desktop ... to create the rpi image i needs to create a fake ssh key ... for which is moved my .ssh dir out of the way ... moving it back gets me key errors (it works after i ssh localhost so i guess something in the UI session cached the wrong key somehow) [14:38] kgunn, but it wily is outdated/has versions our users should not use I say we have an issue, because our users are on wily and are going to get things from there [14:38] slangasek: the intent is any/all devices that use the full shell [14:38] ogra_, likely gnome-keyring-agent [14:39] -deamon ... but yeah [14:39] right, sorry [14:39] * ogra_ hugs seb128 [14:39] * seb128 hugs ogra_ back [14:39] works, thanks :) [14:39] kgunn: right, this is more a technical question of how the devices are named so that they can be consumed properly by whatever's being done on the udf side [14:40] slangasek, define "device types"? any i386/amd64/armhf config we can boot on? [14:40] I would /assume/ that 'generic_armhf', 'generic_i386', [...] gives the right result, but I'd rather have it confirmed [14:42] seb128: system-image has a channel, and within the channel are devices, and each device has a set of tarballs to deliver (rootfs, tarball, etc). u-d-f does some wrapping of this to map it into the snappy design, I want to make sure the device names I work are going to be compatible with whatever udf and/or your gadget snap expect [14:42] I work? I use [14:42] seb128: btw I see that only armhf and i386 are built so far, is amd64 ftbfs or not yet added? [14:42] slangasek, ftbfs, a do armhf [14:43] or, armhf built today [14:43] slangasek, amd64 fails with [14:43] "+ cp -ar boot/vmlinuz-3.19.0-20-generic boot/vmlinuz-3.19.0-20-generic.efi.signed /tmp/tmp.zew1ZPxIai/assets/vmlinuz [14:43] cp: target '/tmp/tmp.zew1ZPxIai/assets/vmlinuz' is not a directory [14:43] E: config/hooks/500-move-kernel-to-device-tar.binary failed (exit non-zero). You should check for errors." [14:43] fun fun [14:43] ok [14:44] rsalveti, so i moved the stable Pi image to http://people.canonical.com/~platform/snappy/raspberrypi2/ ... will announce it and update developer.ubuntu.com docs to point to that [14:44] slangasek, the code does " cp -ar boot/vmlinu?-* $TMPDIR/assets/vmlinuz" [14:44] slangasek, that regexp doesn't play nicely with the .signed [14:44] yep [14:45] unsure how to change that though [14:45] do you have any suggestion? ;-) [14:45] check for the presence of a .efi.signed first, if presence, use it; otherwise fall back to the current command [14:45] present [14:45] words, today [14:45] I'm even unsure why we have a .signed here and why ubuntu-core doesn't [14:45] slangasek: I need to create the personal subcommand, but in the meantime using a full channel path with 'core' should work [14:46] asac, just confirming twice before i write an announcement, http://people.canonical.com/~platform/snappy/raspberrypi2/ is ok as url for the Pi image ? [14:46] seb128: I don't know why ubuntu-core doesn't currently have the .signed; but it should, so that's a separate bug [14:46] sergiusens: ok, that doesn't tell me what device names I should use though [14:48] Chipaca, ping [14:49] slangasek: generic_amd64 and so on or are we thinking phone targets here too? [14:49] I guess you are not the target for that question [14:49] and I can't decide on that either, what are the requirements? :-) [14:50] sergiusens: just the generics for now [14:51] slangasek: i see what you mean, and yeah, generics i think makes sense atm [14:57] kyrofa: pong [14:59] Chipaca, so I've been trying to use go-dbus, and I ran into a problem with it: anything dealing with messages is impossible to test because the serial numbers aren't exported [14:59] kyrofa: yes, go-dbus sucks at testability [15:00] fgimenez: I didn't touch your branch yesterday, I'm sorry. That's the only thing I will do today. [15:00] Chipaca, so I found github.com/godbus/dbus which is a lot more testable, but before I jumped to it I wanted to make sure I learned any lessons you learned-- is there a reason you didn't use that one? [15:00] fgimenez: can you please make the merge proposal, with status in progress, to nicely see the changes? [15:00] zyga: sorry, one more meeting. Thanks for reporting the bug. [15:01] elopio, np, it's already working now, ok i'll make the mp [15:01] zyga: I'm now afraid to reproduce it and break my beagle. But I guess I can always reflash debian in there. [15:01] elopio: :D [15:02] elopio: yeah [15:02] elopio: I have two [15:02] elopio: one runs ubuntu, the other snappy ubuntu core [15:02] elopio: it's a very useful arrangement [15:02] elopio: btw, when you do testing, do you boot with the user key pressed? [15:02] oh, and btw, elopio, we need to talk :D [15:02] (I didn't realize it was you) [15:03] elopio: about what you do for testing, so that we don't duplicate work in the cert process [15:03] elopio: and which tools you use [15:03] zyga: yes! [15:03] elopio: quick idea: get a different SD card [15:03] elopio: flash that [15:03] do you want to emet in 30 minutes? [15:03] elopio: and hold the user key while booting [15:03] elopio: sure [15:03] elopio: just ping me, I'll be around [15:04] zyga: I don't press the button, my board doesn't require that. I can try. [15:05] Chipaca, the only significant limitation (as far as I can tell) is its inability to use lower-case dbus method names [15:05] elopio: then the test process is wrong [15:05] elopio: as this means the test depends on what you have on emmc [15:05] elopio: and you really boot the emmc boot loader [15:05] elopio: not the one on the card [15:05] I see. [15:05] elopio: let's talk about that and everything else in a hangout [15:05] elopio: when you can [15:07] kyrofa: that looks nice (godbus) [15:08] sergiusens, I've been really happy with my limited testing, but I wanted to see if there was a reason most Canonical projects were using go-dbus on launchpad (the similar naming is unfortunate, but I'm not sure what else I'd choose) [15:09] kyrofa: maintained by someone in Canonical was one of the reasons [15:09] sergiusens, that makes sense [15:09] kyrofa: the other one I saw was the one coreos guys wrote, but I don't think we have any strong criteria [15:10] sergiusens, I just... must write tests. I feel so dirty when I have a huge chunk of completely untested code [15:15] sergiusens, Chipaca: If you were starting another go project that used dbus, would you use go-dbus again? [15:15] kyrofa: for that dbus code base? [15:15] kyrofa: I would try not to use dbus at all :-P [15:16] sergiusens, ah, yes, that :P [15:21] sergiusens: heh [15:21] sergiusens: I know that from somewhere [15:21] sergiusens: dbus is good, but ramps complexity a lot [15:22] I just received my first set of bug reports for the ODRIDDC image builder - one is '"sudo: unable to resolve host odroid"' - is that a problem i can solve with some yaml options? [15:29] ogra_: whine, whine, whine :-p [15:29] longsleep: that's a snappy bug afaik as /etc/host is not updated [15:30] slangasek, in the vmlinuz .signed case, should that be "vmlinuz" or does the .signed matters in the naming? [15:36] zyga: fgimenez: the meeting is running late. Lets better do it tomorrow, I'll schedule it for 14:00 utc. [15:36] zyga: is it a good time for you? [15:36] elopio, fine with me [15:37] sergiusens: All right thanks - i will add it to launchpad if not already there [15:38] elopio: let's see [15:38] elopio: yes [15:39] elopio: well [15:39] elopio: maybe not, I have a snappy meeting on 15:00 my time which is probably 14:00 utc [15:39] elopio: let's do it next week [15:39] elopio: I'll know more [15:39] jdstrand: here is another approach I was remembering https://lists.debian.org/debian-dpkg/2014/08/msg00006.html about signatures [15:40] elopio: can you tell me where you have a list of tests to perform on new images? [15:40] kyrofa: i'm not sure that dbus binding was there when we went looking for one [15:40] elopio: and I'll send a quick agenda for next week [15:40] kyrofa: give it a try and let us know :) [15:40] zyga: this is what we are using as a starting poing. [15:40] Chipaca, alright, good to know :) [15:40] *point [15:41] mvo: yes, ima is captured as well. that is an interesting idea for snaps [15:41] zyga: we can do the meeting on tuesday at 13:00, I'll just get up a little earlier. Otherwise your standup and our standup are in the way. [15:41] * jdstrand updates doc [15:41] zyga: also, confirmed that when I boot with the button pressed, I get into debian. [15:41] without the button, snappy. [15:42] elopio: I can skip my standup [15:42] elopio: that's really weird, that should be entirely reverse [15:42] kyrofa: places where dbus bindings struggle is in complicated variants (like some of the ones we use for menues and such), and services with dynamic paths [15:42] 17:40 < elopio> zyga: this is what we are using as a starting poing. [15:42] elopio: ^^ what? [15:42] kyrofa: so keep a look out for those [15:42] zyga: https://docs.google.com/document/d/1R_Tw0N0QbEpjFeYf9XnVV8Gp8ldT2Ig0PO6MfR-kuSM/edit#heading=h.2sakiuiw8x0b [15:43] elopio: thanks [15:43] kyrofa: also, async is hard; look for races [15:43] elopio: I think we will cooperate on those a lot [15:43] kyrofa: (on amd64, go build -race is your friend) [15:43] jdstrand: cool, thanks. I only glanced over your doc so far (sorry) so I missed that its already covered [15:43] zyga: the idea is to get all of that and more automated here: http://bazaar.launchpad.net/~snappy-dev/snappy/snappy/files/head:/integration-tests/run-in-image/tests/ [15:43] elopio: do you know about plainbox/checkbox? [15:44] zyga: moar hands! :) [15:44] Chipaca, yeah I've been wanting to play with that race detector! [15:44] zyga: yes, you told me the basics about it some months ago. [15:44] slangasek, http://paste.ubuntu.com/11696900/ looks fine to you? [15:44] elopio: ok, [15:44] kyrofa: keep in mind the race detector is racy :) [15:44] Chipaca, thanks for the list of trouble-spots-- exactly what I was looking for :) [15:45] zyga: atm, we don't really have any tests that need manual intervention. This month we'll attempt at automating them and run them with adt-run. [15:45] elopio: ok, lots of things to check and think, let's talk next week, we'll definitely need to automate those tests too but in a way that runs with plainbox, let's think about how we can share those [15:45] mvo: no, that thread wasn't covered (I just added it now), but IMA in general was [15:45] elopio: adt-run over ssh against a deployed machine? [15:45] mvo: thanks for the link [15:45] zyga: yes. [15:45] elopio: ok [15:46] zyga: and +1. Lets share our ideas next week, and see how to join the effort. [15:46] elopio: ok [15:46] jdstrand: cool, thank you [15:46] sergiusens: hey, you said you wanted some information for my bbb situation? [15:47] * jdstrand reboots it [15:47] somehow it keeps getting stuck [15:49] zyga: this is our playground: https://code.launchpad.net/~fgimenez/snappy/go-functional-tests. A wrapper that provisions a machine, then adt-run deploys the go end-to-end tests, runs them and collects the results. [15:49] jdstrand: snappy-system.txt in /boot/uboot and OS versions so if nothing works channel.ini from each partition [15:49] zyga: still a prototype, so any suggestions are welcome. [15:50] elopio: I sent out an invite [15:50] elopio: correct the time, I'm not sure what time suits you [15:50] elopio: should I look at the merge request or at the whole tree [15:50] zyga: it suits me but fgimenez EODs in the middle of the meeting. [15:51] fgimenez: what time would work for you? earlier than stand up? [15:51] elopio, zyga here's the mp, maybe better to see the changes https://code.launchpad.net/~fgimenez/snappy/go-functional-tests/+merge/261748 [15:51] elopio: I'm not faimilar with snappy codebase, I don't know where to look basically [15:51] seb128: the .signed doesn't matter in the naming, it's just to disambiguate on the source filesystem when both are installed; and the tooling expects the filename of 'vmlinuz' so 'vmlinuz' it shall be [15:52] seb128: yes that diff looks ok to me [15:52] slangasek, k, so that diff ... thanks [15:52] zyga, elopio yep, 14:00 utc would be fine [15:52] sergiusens: http://paste.ubuntu.com/11696954/ (I think that is what you need wrt /writable/cache/system) [15:53] * zyga wonders how to show utc in google calendar [15:54] sergiusens: do not, this is not the 'some weird image issue' we discussed a week or two ago-- I reflashed after asking you if udf was new enough (and you said yes) [15:54] s/do not/do note/ [15:54] zyga: settings -> additional time zone. [15:55] sergiusens: so, snappy_ab=b but: [15:55] /dev/mmcblk0p2 999320 553640 376868 60% /writable/cache/system [15:55] /dev/mmcblk0p1 64511 39328 25183 61% /boot/uboot [15:55] it seems that 'a' booted? (guessing that p1 is 'a' and p2 is 'b') [15:55] p2 is a [15:56] p1 is boot ;-) [15:56] oh [15:56] that doesnt look like mounted on "a" [15:56] elopio: thanks! [15:56] well, /writable/cache/system/etc/system-image/channel.ini has 'build_number: 82' [15:56] but snappy list says I am on 79 [15:57] elopio, fgimenez: ok, I think it's moved to 14:00 utc now [15:57] sergiusens: ^ [15:57] * jdstrand doesn't really know anything about this part of snappy [15:57] so, please advise [15:58] jdstrand: snappy list --verbose [15:58] /dev/disk/by-label/system-b 999320 462180 468328 50% / [15:59] sergiusens: http://paste.ubuntu.com/11697005/ [15:59] zyga: what happens to you if you boot without holding the button? [15:59] elopio: the console just streams 'C' 'C' 'C' [15:59] elopio: probably boot-over-serial handshake [15:59] elopio: er, wait [15:59] elopio: without the card [15:59] elopio: holding the button has no effect for me [15:59] thats the ROM then [15:59] elopio: as emmc is empty [15:59] ogra_: right [15:59] jdstrand: if you manually run snappy update, before rebooting can you give me snappy-system.txt and reboot [16:00] telling you it cant find a boot sector [16:00] yep [16:00] ogra_: with the card in I get uboot and the pastebin earlier (snappy_boot not defined) [16:00] * jdstrand runs sudo shutdown -c [16:01] sergiusens: fyi, here is an updated paste that has df at the bottom: http://paste.ubuntu.com/11697009/ [16:02] sergiusens: so the bottom of: http://paste.ubuntu.com/11697014/ [16:02] see* [16:03] elopio, the branch is under my user, maybe we can put it elsewhere so that the team can collaborate? [16:04] fgimenez: I [16:04] fgimenez: as you prefer. We can do the same proposing branches to merge against yours. [16:04] elopio, fgimenez: use git! [16:04] :) [16:04] sergiusens: I have not rebooted [16:04] fgimenez: the qa policy of the shared branch was nice, but not sure this team needs it. [16:06] zyga, yep :) elopio ok, merging of other branches sounds good [16:10] fgimenez: and from now until the game ends, we are enemies. [16:10] I might talk to you again when Navas is the goalkeeper of Real Madrid. [16:11] oh, who plays ? [16:11] ogra_: Costa Rica - Spain. [16:11] something erious or just a freinds game ? [16:11] *serious [16:11] elopio, casillas is free to be hired too i think :) [16:12] * ogra_ guesses everthing will be better than ger - usa was :P [16:12] jdstrand: it seems consistent, so you updated, a is selected which has 82 [16:12] it's friendly. [16:13] ah, a relaxed one then :) [16:13] jdstrand: it would interesting to view what happens during the reboot (u-boot failing to find the files, corrupted, kernel crashing, systemd causing a reboot) and if that is the reason you get sent back to 'b' and 79 [16:20] leaving, nice evening everyone, elopio don't be too worry about the result, maybe next time.. :D [16:21] sergiusens: how would I see that? I don't have a serial console [16:23] jdstrand: oh, yeah that makes it hard... /proc/last_kmsg for the kernel but not sure how to see anything else [16:23] jdstrand: oh, hdmi out from the bbb [16:24] but you need one of those mini plugs [16:24] yeah, I don't have one [16:25] well, I'll reboot and see what happens [16:26] sergiusens: is there a way that the logging can be improved for debugging this sort of thing? [16:28] sergiusens: it can up in 79 [16:28] jdstrand: well you won't be able to see what happens at the bootloader level though [16:29] jdstrand: 'find /boot/uboot -ls' (and checksum maybe) [16:29] I don't have /proc/last_kmsg [16:29] seems I'm stuck [16:30] jdstrand: in theory /boot/uboot/a/* should be the same as /boot/uboot/b/* [16:30] ppisati, ^^^^ could we enable the ram console for our arm builds ? [16:30] * ogra_ wanted to ask that before ... now jdstrand reminded me :) [16:30] $ diff -Naur /boot/uboot/a/ /boot/uboot/b/ && echo yes [16:31] yes [16:31] /proc/last_kmsg is one of the most helpful things [16:31] $ cat /proc/last_kmsg [16:31] cat: /proc/last_kmsg: No such file or directory [16:31] yeah [16:31] is that the 'ram console' ? [16:31] not enabled in the kernel [16:32] hmm [16:32] i think it is called that in the kernel config [16:32] jdstrand: snappy-system.txt is back to snappy_ab=b and snappy_mode=regular, right? [16:33] so, I'm not sure autopilot has ever worked right on my device. every time I try to log into it it is either telling me it is going to reboot or is wedged somehow and I can't ssh in [16:33] snappy_ab=b [16:33] snappy_mode=regular [16:33] yes [16:35] sergiusens: as it happens, I have the image from Jun 1 that I used to flash the device [16:35] it was r72 [16:35] I know I did a snappy update/reboot manually at least once [16:36] jdstrand: mind creating a new image with --revision=-1? [16:36] I'm not sure if autopilots worked or that did [16:36] jdstrand: autopilot is just something that runs snappy update [16:38] sergiusens: sure. I'm using this: sudo ubuntu-device-flash core --channel=edge --oem=beagleblack --enable-ssh --output=15.04-edge.bbb 15.04 [16:38] sergiusens: with udf 0.23-0ubuntu2 [16:38] sergiusens: it will take me a while to flash the card [16:39] sergiusens: actually, I forget --revision=-1. so I'll use that. isn't that going to give me the lastest version? [16:40] jdstrand: latest minus 1 [16:44] ah, cool [16:46] sergiusens: ok, I'll ping you [16:46] jdstrand: so sudo ubuntu-device-flash --revision=-1 core --channel=edge --oem=beagleblack --enable-ssh --output=15.04-edge.bbb 15.04 [16:46] jdstrand: and i'm going for lunch now :-) [16:47] that is the command I run ftr [16:48] ran* [17:00] elopio: if you want, I can pastebin the contents of my files on the boot partition [17:00] elopio: still not sure what's going on [17:01] zyga: please do that, but attach them in the bug. [17:01] elopio: k [17:01] I'm learning here, so I won't be able to make a lot of sense of the files. [17:01] somebody else from the team will look at your bug and triage it. [17:06] elopio: updated, thanks for your help [17:06] np. [17:50] sergiusens: ok, the system is running r81 [17:51] http://paste.ubuntu.com/11697548/ [18:01] sergiusens: fyi, "snappy autopilot triggered a reboot to boot into an up to date system" [18:01] sergiusens: so waiting for that to happen automatically [18:02] sergiusens: also, just noticed a typo: "snappy autopilot triggered a reboot to boot into an up to date system-- temprorarily" [18:02] sergiusens: s/temprorarily/temporarily/ [18:07] hum, now there's something wrong with the selftests from trunk. [18:07] it asks for password, and never connects to the ssh. [18:21] now it works. weird. [18:22] sergiusens: ok, ir upgraded and rebooted into 82 fine. for somereason I have a feeling it is the 2nd update. eg 80 -> 81 -> 82, but I have no evidence to support that [18:33] jdstrand: if it's the second update b would have 81 and you'd be on a with 82 [18:36] sergiusens: well, I'll keep an eye out for what happens with 83 [18:36] sergiusens: did you see the typo comment above? [18:39] * zyga bought a new card to try [18:48] sergiusens: thanks for helping me with that. I wish we had a better resolution, but like I said, I'll keep an eye on it [18:48] jdstrand: yup, saw the typo :-) [18:49] jdstrand: and yes, we need to track the upgrades better, elopio raised a bug on something similar to what you saw (but different). [18:50] yeah, that prompted me to bring it up. wasn't sure if it was the same or not === alexabreu is now known as alex-abreu [18:56] Norbell: hey, fyi I in my spare time looked at packaging ufw as a snap [18:57] Norbell: there are several issues that prevent it from working correctly. I am jotting those down and will be filing bugs/bringing the issues up to the snappy architects [18:59] @jdstrand Awesome. Thats realy realy cool. :) [18:59] Norbell: No such command! [18:59] Norbell: the two most major ones were that iptable_filter and ip6table_filter didn't autoload (so it can't work on reboot) and that extending privileges are needed to run it (eg, capability net-admin) [19:00] Norbell: since obviously routers, firewalls, etc are interesting to snappy, I'll be presenting the problems and propose a solution to the architects [19:00] this won't be fixed really soon, but we'll get it to the point where it can be done [19:02] jdstrand: Interesting. I thought Canonical had Routers and Firewall in mind during the process of creating snappy. I mean, they advertise this feature [19:02] Norbell: however, these can be worked around now-- if you adjust /etc/modules to load iptable_filter and ip6table_filter you should then be able to use 'security-policy' in your app yaml for handcrafted policy and have something that works on your system [19:03] Norbell: well, yes, which is why I want to bring this up :) [19:05] I don't think it is a ton of work. the kernel module autoloading is just a bug and the other just needs a bit of design and small implementation [19:06] jdstrand: Thank you. ;) Tomorrow i will try to get it running on my pi 2. This would be a great feature for my bachelor thesis ;) [19:07] Norbell: actually, you could probably get away with adjusting /etc/modules and then use 'security-teamplte: unconfined' in you app yaml [19:08] Norbell: it won't be confined, but it should run until we get this bit worked out [19:08] Norbell: you can also look at the webdm packaging for how to use 'security-policy' if you wanted it to run confined with custom policy [19:09] note: neither of those will be allowed in the snappy store, but it should unblock you [19:09] sergiusens: btw, did you ever update your seccomp policy in webdm? [19:13] jdstrand: Okay. Thank you for the great advises. I will try it. for the first time its enough to get it running on my pi. Hopefully it will get available in the main release ;) [19:14] jdstrand: no, not yet [19:14] sorry no easy link to link to :-) [19:15] sergiusens: is it in bzr? [19:16] sergiusens: I can give an MP [19:16] sergiusens: at least, the start of one :) [19:18] jdstrand: lp:webdm [19:23] sergiusens: is it known that removing an app via webdm fails with: ERROR: hook command /usr/bin/aa-clickhook failed with exit status 2 [19:24] jdstrand: no [19:24] jdstrand: and I wasn't seeing that with my testing yesterday [19:24] hmm [19:25] jdstrand: the only one that fails is the one I asked about yesterday (dbus fw and ReleaseName being allowed or not) [19:25] no seccomp denial, but ERROR snappy logger.go:199 hook command /usr/bin/aa-clickhook failed with exit status 2 [19:26] jdstrand: any specific app? [19:26] hello-dbus-app [19:26] but running webdm under seccomp [19:26] jdstrand: hmm, that's the one I asked about yesterday [19:26] jdstrand: I guess my question got lost [19:26] * sergiusens searches [19:26] did you ask me about it? [19:27] cause if yes, then yes, it got lost [19:27] irclogs/Freenode/#snappy.log:11:19 < sergiusens> jdstrand: not sure it's my image, but is ReleaseName allowed? [ 3993.417227] audit: type=1107 audit(1433945875.311:61): pid=604 uid=100 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="ReleaseName" mask="send" name="org.freedesktop.DBus" pid=1439 label="hello-dbus-fwk_srv_1.0.0" peer_lab [19:27] there [19:27] interesting [19:28] jdstrand: that happens when uninstalling and causes an error on remove (it ends up removing anyways in the end) [19:28] I wonder what changed that prompted that [19:28] sergiusens: which were you uninstalling? [19:29] jdstrand: hello dbus fwk [19:29] ok, let me look into this [19:30] alright, so running under seccomp there was an issue, but no logging [19:30] I keep feeling like logging isn't fantastic on the bbb [19:31] as in, messages getting dropped [19:31] sergiusens: is hello-dbus-fwk removal via webdm? [19:31] jdstrand: yeah [19:32] jdstrand: let me setup; just finished tracking down an unreleased file descriptor that blocked unmounting and will get more details [19:32] sergiusens: I can confirm that [19:32] no need [19:32] sergiusens: I got it from here [19:32] I just need to decide how to fix it [19:33] Chipaca: rsalveti: ogra_ I found the root cause of the unmounting issues https://code.launchpad.net/~sergiusens/snappy/releaseDaReadme/+merge/261778 [19:33] ha ! [19:33] sergiusens: how big is the dent in your forehead (after hitting the desk with it)? [19:34] Chipaca: lol; bigger when figuring out lsof gives more information than fuser :-) [19:34] Chipaca: this can explain why long running webdm instances can all of the sudden block too, so I'll need to rebuild webdm after this is out [19:36] Chipaca: also http://paste.ubuntu.com/11698150/ [19:36] Chipaca: it's not logged, reason for no line number [19:36] sergiusens: nice [19:36] wow, that's an interesting root cause [19:37] rsalveti: well it blocks an unmount; I'm making u-d-f not try to unmap if mounting fails and not obfuscate the real error now [19:37] *unmounting [19:37] right [19:38] sergiusens: then guess we need another round of releases [19:38] rsalveti: well snappy in core doesn't use this [19:38] I mean, tools releases [19:38] rsalveti: so it's not important; tools, yes [19:38] push ubuntu-snappy and then rebuild udf [19:38] rsalveti: yup [19:38] great [19:39] rsalveti: and webdm, webdm does open (indirectly) that readme file [19:39] alright [19:39] so I'll push that to the store today too [19:39] awesome [19:39] another reason to kill that useless readme.md :-P [19:40] sergiusens: fyi, I'll have a fix for hello-dbus-fwk in a few minutes [19:40] jdstrand: oh, it's in hello-dbus-fwk itself? [19:40] yes [19:40] it is a framework so it ships its own policy [19:40] right [19:41] it RequestName()s to bind t the well-known connection name, but isn't allowed to ReleaseName() it [19:41] jdstrand: writing policies takes some iterating I've discovered :-) [19:41] it can, yes [19:44] sergiusens: going back to my previous question, what happend, or who asked for webdm to be a framework? [19:44] and the following up question, would it just be an app once we provide the rest api? [19:45] rsalveti: mark; and I asked the same question you did [19:46] right, guess we'll go over this again eventually [19:47] rsalveti: yeah, you can bring it up end of June or start of July ;-) [19:47] right :-) [20:03] jdstrand: hey, so i had a chance to toy with mir snap, i just changed the security-template to nondefault [20:04] which i thot i could do to basically get networking groups....thot that might be enough to hit the next hurdle [20:04] but i'm failing to install [20:04] that was the only thing i changed [20:05] any ideas ? or...how to debug? (i bascially know nothing :) [20:06] sergiusens: ok, hello-dbus-fwk 1.0.1 uploaded. there is no apparmor denial now (so I tink my part is done), but if I remove it via webdm 'Removing...' never goes away [20:06] sergiusens: now that is on a system where I was removing/adding/sideloading before removing and install again from the store [20:07] sergiusens: so not sure if there is another issue or if it is a local issue [20:07] gooooool! [20:07] kgunn: is there a bzr branch somewhere? [20:08] jdstrand: lemme push.... [20:11] jdstrand: lp:~mir-team/mir/snappy-packaging [20:11] just cd into snappy-packaging and run make [20:12] sergiusens: it says 'Sorry something went wrong', but it is removed from the list if I reload [20:14] kgunn: there are 2 package.yamls. one in overlay/meta and one in snappy-packaging/overlay/meta [20:15] kgunn: I guess I should be looking at the one in snappy-packaging/overlay/meta ? [20:16] jdstrand: should only be the one [20:16] http://bazaar.launchpad.net/~mir-team/mir/snappy-packaging/files/head:/overlay/meta/ [20:16] heh, well, I promise there are two :) [20:16] what the heck [20:17] and they have different contents [20:17] one has your security-template change, and the other uses security-policy [20:17] so I don't really know what to comment on [20:18] except to say that the security-template change won't work. 'nondefault' isn't a valid template [20:18] on a device or in a kvm you can do 'snappy-security list' and see the available templates [20:18] jdstrand: let me check the logs [20:21] sergiusens: is that your logs or my logs? [20:23] jdstrand: so i just pulled a clean lp branch and i only see one yaml ? [20:23] kgunn: since you said you aren't familiar with this, you might want to read these: [20:23] https://developer.ubuntu.com/en/snappy/guides/security-policy/ [20:23] also...wrt nondefault... [20:23] https://developer.ubuntu.com/en/snappy/guides/frameworks/ [20:23] jdstrand: I'll setup [20:23] jdstrand: so i did specifcally on [20:23] https://developer.ubuntu.com/en/snappy/guides/security-policy/ [20:23] there's an example there... [20:23] which uses nondefault [20:23] and indicated in the text it would get network-client [20:24] am i just interpreting the example in the wiki incorrectly? [20:24] kgunn: yes, that is just trying to say 'anything else that is on the device that isn't 'default'' [20:24] you are [20:24] k [20:25] kgunn: in the example yaml, 'qux' does get 'network-client' since 'caps' isn't specified for 'qux' [20:25] jdstrand: so i see from the core i'm running it has network-client, network-services, networking [20:25] so i can pick from those... [20:25] kgunn: but 'nondefault' isn't a usable template in real-life [20:25] but what do you do if you want some capability not in those 3 ? [20:26] there is a trello card for the community team to get a tutorial going so people don't have to read thick guides [20:27] kgunn: to answer that question, you write your own policy (security-policy) or provide an override (security-override, which is akin to the click security manifest). but let's back up. what are you trying to accomplish here? [20:28] kgunn: note, framework snaps, which mir is, will almost use 'security-policy' since they are extending the system or need privileged access [20:28] s/almost/almost always/ [20:28] https://developer.ubuntu.com/en/snappy/guides/frameworks/ [20:28] "Frameworks are tightly coupled with separately maintained security policies that extend the security policy available to apps consuming a framework" [20:28] "Frameworks are developed and iterated by parties that have a contractual relationship with Canonical" [20:29] "Unlike apps, frameworks have special permissions which allow them elevated access to the system. For the official Ubuntu store, a contract will include terms to ensure framework safety and maintenance" [20:30] kgunn: so an *app* developer focuses on simple templates and caps whereas a *framework* developer uses security-policy and provides framework-policy [20:30] (typically) [20:31] kgunn: ok, I think I see what happened to my bzr branch. I already had one and I accidentally moved the one I pulled today into the other one [20:32] heheh, funny [20:33] kgunn: so at some point in the past I guess someone was using security policy [20:33] security-policy [20:33] but it was removed [20:36] kgunn: this also is what I reviewed [20:36] err [20:36] kgunn: this also isn't what I reviewd in the store [20:37] can someone point me to some document that explains how to add things like python libraries to a snap? The tutorials and such all seem based on stand alone apps and already included libararies, and I've not found an example yet that shows adding thigns like custom or externally created libraries to a snap [20:44] kgunn: so, what are you trying to achieve when you changed 'unconfined' to 'nondefault' [20:45] kgunn: fyi, I was wrong about it not being what I reviewed. I see now that what is in the store used the 'unconfined' template [21:01] jjohansen: hey, can you think of a reason what a process running under seccomp can't unload an apparmor profile? [21:02] jjohansen: I'm not getting a log message [21:06] bladernr_, We don't have something like that yet, we're working on a tool to help with it. But there's a lot of good information on mostly using the Python that is there today here: http://www.wefearchange.org/2015/04/creating-python-snaps.html [21:06] jjohansen: does it have something to do with MAC_ADMIN? [21:07] jdstrand: not that I know of [21:07] ok, I'll keep investigating [21:08] jdstrand: sorry, distracted, thanks for all that....so with a framework, i figure you need priviledges to access system stuff...and then capabilities to express what an app might want to use (in your fmwk) [21:08] so the security-policy is the means for the fmwk to access system stuff ? [21:08] just making sure i got it right [21:10] kgunn: a framework is there to provide a service to apps. a framework most often needs privileged access to something on the system. that privileged access is *not* expressed with security-templates and caps because *apps* don't need that access [21:10] kgunn: therefore, "security-policy" exists for framework authors to write their own apparmor policy for their service [21:11] kgunn: framework-policy is what your framework app ships. that *will* ship one or more caps and zero or more templates that *apps* can use [21:12] kgunn: the framework-policy caps ans template give apps access to your framework service(s) [21:12] got that...that part makes sense now, e.g. when we build a gui snap on top, it'll use that cap from that fmwk policy [21:12] exactly [21:12] so the bit you were fiddling with is the framework service [21:12] it was using the 'unconfined' template [21:13] right...so i can "use what i want" :) on the system..."i" being the fmwk [21:13] that is 'ok' for a demo, but it really should instead use "security-policy" [21:13] got it [21:13] yes [21:13] secuiryt-policy is where you say "here is my handcrafted apparmor policy, and here is my handcrafted seccomp policy" [21:14] for my fmwk...in order to access xyz on the system ? [21:14] yes [21:14] got it now [21:14] so, you might go from this: [21:14] security-template: unconfined [21:14] to this: [21:14] security-policy: [21:14] apparmor: meta/mir.apparmor [21:15] seccomp: meta/mir.seccomp [21:15] and those will contain a bunch of paths to bins and stuff ? [21:15] then you write your apparmor rules in meta/mir.apparmor and put the syscalls you need in meta/mir.seccomp [21:15] right [21:15] and examples in wikis of seccomp file ? [21:16] i think i kinda get the apparmor stuff [21:16] kgunn: kgunn you might want to see: https://wiki.ubuntu.com/SecurityTeam/Specifications/SnappyConfinement#Debugging [21:17] * longsleep has fixed the system-boot fat corruption for ODROIDC by cherry-picking a bunch of U-Boot fixes === dstokes_ is now known as dstokes [21:17] jdstrand: thanks...i'll go tinker [21:17] kgunn: the seccomp policy is just a text file that is a list of syscalls [21:18] kgunn: you might start by installing the hello-world.canonical snap, then looking at /var/lib/snappy/seccomp/profiles/hello-world.canonical_env_1.0.17 [21:18] kgunn: that just uses what is in the default template [21:19] k [21:19] kgunn: a fun quality of seccomp is that it will kill your the process if it violates policy [21:19] i saw that [21:19] sigkill how great [21:19] kgunn: so watch your logs and see that Debugging page [21:19] it would be nice to do something different, but there isn't a safe way to do that [21:20] (eg, deny and log) [21:20] i think it's kinda awesome [21:20] annyhoo [21:20] violent [21:20] it is fun [21:20] :) [21:20] and apparmor could do it too, but we choose not to :) [21:20] kgunn: so, couple of things-- [21:21] kgunn: 1. do note that regular app developers aren't supposed to have to worry about apparmor rules and syscalls [21:21] kgunn: they just use templates and caps [21:22] right [21:22] i'm special that way [21:22] kgunn: 2. frameworks are quite special since they mediate access to a shared resource. mir falls into this category-- it is supposed to mediate access to the graphics card [21:22] kgunn: (that said I know that things aren't perfect there, but that is ok-- I know tvoss said that is a longer term goal) [21:23] kgunn: 3. framework authors should engage with Canonical on framework policy. so please ask questions, have us review the policy [21:24] kgunn: (but depending on how many frameworks come in, this might have to move to another team) [21:25] kgunn: 4. the framework should be designed in a way that the access the it gives out to apps via its framework-policy is safe for all apps to use, potentially simultaneously. ie, the framework should provide the same isolation and protect the system from attack [21:25] kgunn: (which is why framework authors engage with us) [21:26] we've been through all those talks wrt mir already for touch [21:26] but just trying to give context [21:26] that's it from my unless you have questions :) [21:27] oh, addendum to '4' - if the policy isn't safe for everyone, then the policy should include '# Usage: restricted' at the top of its framework-policy file [21:29] kgunn: hopefully this was useful to you :) [21:30] very jdstrand, thanks, sorry i'm very elementary atm [21:32] no worries. snappy is pretty new :) [21:36] jdstrand: one last one, i wondered....what would constitute a "policy isn't safe for everyone" situtation ? [21:43] kgunn: that is kinda discretionary, but giving out access to files in /dev, write access to areas outside of the app's area, granting capabilities, etc [21:44] which now you may understand why I mentioned hw-assign/oem in the review [21:45] jjohansen: fyi, if I run aa-clickhook under its own seccomp profile, it is fine, so I don't think it is an interaction between seccomp and apparmor at this time === j12t_ is now known as j12t [21:52] sergiusens: I think what is happening is that snappy is running under the same seccomp policy that I am trying to give to webdm which is making it very grumpy. seccomp doesn't have the concept of an exec transition with a new profile === utlemming is now known as utlemming_away === blahdeblah_ is now known as blahdeblah