[04:02] good morning. [04:02] I have a question about system wrappers. After installation all apps and services should be started only through wrappers, but when one wrapper trying to launch another wrapper I receive errors like this: [04:02] $sudo /usr/bin/ubuntu-core-launcher myapp myapp_service_0.0.1 /apps/myapp/0.0.1/bin/myapp-wrapper [04:02] ubuntu-core-launcher: error while loading shared libraries: cannot apply additional memory protection after relocation: Permission denied [04:03] even with frameworks [04:05] without ubuntu-core-launcher - everything ok [04:07] Is there proper way to launch one file from another? [07:00] good morning [07:03] good morning [07:18] fgimenez: crazy day here today, but all your branches are +1-ed. Sorry for the delay. [07:18] elopio, hey, np thanks :) [07:19] elopio, i'll apply your suggestion to the config testbed one, i like the boolean value option [07:20] fgimenez: as you prefer. The change would be pretty simple, so if it passes for you also feel free to top-approve. [07:20] I'm leaving now. See you soon. [07:21] elopio, ok see you === erkules_ is now known as erkules === clobrano is now known as c-lob [08:17] pilil, this sounds like a question for the security team, either wait til the US gets up or write a mail to the mailing list [08:20] Moin folks, so is there a place where i can add feature requests for snapcraft? [08:20] file a whishlist bug [08:20] und moin :) [08:20] whishlist bug ok - let me try that [08:22] haha bug #50788 [08:22] Bug #50788: We don't need "Wishlist" [08:22] bug 50788 in Launchpad itself "We don't need "Wishlist"" [Undecided,Invalid] https://launchpad.net/bugs/50788 [08:22] lol [08:23] reported 2006-06-23 :) [08:23] yeah [08:23] and marked invalid [08:23] just was the first hit [08:23] man, these names bring back memories :) [08:23] ogra_, who should I ask it from security team? [08:24] pilil, try jdstrand or tyhicks (i'm not sure who exactly could help here) [08:25] ogra_, I got it, thanks [08:27] ogra_, there is another question. How can we add new extrauser to Snappy, cause tools like passwd or useradd still works with /etc/passwd instead of /var/lib/extrausers? [08:29] pilil, i think that is fixed in the rolling release, it is quite a change so it was not backported afaik [08:29] ogra_: bug #1480144 added, i tagged it with wishlist, not sure if that is the correct way [08:29] Bug #1480144: Snapcraft should be able to run in clean environment with pbuilder/cowbuilder [08:29] bug 1480144 in Snappy "Snapcraft should be able to run in clean environment with pbuilder/cowbuilder" [Undecided,New] https://launchpad.net/bugs/1480144 [08:31] ogra_, thanks [08:35] longsleep, i know cross building is planned, but it will likely still take a bit before it happens [08:35] (not on top of the list) [08:40] hi [08:41] why does the raspberry pi2 snappy image contain an .ssh/authorized_keys entry for ogra@anubis? [08:45] tsthats a fake key ... ubuntu-device-flash needs a valid key if you enable --develper-mode during build [08:45] tasdomas, ^^^ [08:46] tasdomas, i hope to finish a new image today and will make that clearer (calling it dummy@dummy or some such) in that build [08:49] ogra_: yeah - in the meantime i might just create a small tool "debsto [08:49] err [08:50] ogra_: debs2snap or something [08:50] haha [08:50] that way i can just use the existing gear plus one extra step [08:56] ogra_, question about systemd and snaps. In the package.yaml we can specify the type of service (dbus or not), is there a plans to implement other types of services, like forking or other? [09:00] biezpal, hmm, not sure what you mean by type of service ... do you mean the bus-name filed for framework snaps ? [09:00] https://developer.ubuntu.com/en/snappy/guides/package-metadata/ [09:02] Good morning all; happy Friday, and happy System Administrator Appreciation Day! 😃 [09:03] wasnt that yesterday ? [09:04] oh, wasn't :P === vrruiz_ is now known as rvr [09:14] ogra_, I'm talking about systemd service unit Type [09:15] [Unit] [09:15] Description=swamp services management service [09:15] After=syslog.target [09:15] [Service] [09:16] hmm, then i dont see the relation to package.yaml here [09:16] Type=forking [09:16] we want to specify type of service described in package.yaml [09:16] but package.yaml doesnt offer that (at least currently) [09:17] we can describe service from package.yaml, but not the type of it? [09:18] you can put into the description what you want ... but there is no "type" field or anything that would do anything meaningful with it [09:19] (see the linked documentation above) [09:20] forked service is being killed by systemd because systemd is thinking that process is stopped [09:21] now, to get rid of it we are manually edit systemd unit and specify Type = forking [09:21] righ [09:21] t [09:22] and where does the package.yaml come into play here ? thats the bit i dont understand [09:22] we want Type of service to be taken from package.yaml [09:23] oh, so this is a feature request ? [09:23] it's just a question to find the way [09:23] (to extend package.yamnl ?) [09:24] to build unit automatically with additional options [09:25] sorry if I stick my nose in this discussion, but isn't it possible to pack the .service file into the snap? [09:26] right, that doesnt sound like something supported yet ... i'd start a thread on the mailing list [09:26] c-lob, indeed you can do that [09:27] c-lob, where we can read about that option? [09:27] biezpal, well I'm just thinking about now :) [09:27] biezpal, well I'm just thinking about it now :) [09:27] lol [09:28] ogra_, maybe you know?) [09:28] * ogra_ takes a look at webdm [09:32] hmm, so i dont see a way, it uses the generated unit too (which fires up a script that cares for all teh rest). i guess you should try starting a thread on the ML [09:33] (there is probably no way to change the type of the unit, but surely a way to achieve what you wanted to do with setting it via some other mechanism) [09:38] ppisati: just e-mailed you, i'm experiencing some issues with the compiled kernels when booting with the Snappy FS, apparently the "system-boot" partition fails to get mounted. Would be great getting your input here [09:40] vmayoral: i'm looking [09:40] ppisati: thanks [09:40] mount: wrong fs type, bad o [09:40] missing codepage or helper [09:40] vmayoral: can you complete a boot? [09:42] ppisati: i get into emergency mode https://gist.github.com/vmayoral/fc2c7ebbd679ea7d9a9b [09:43] vmayoral: do you see something in dmesg? [09:43] vmayoral: let me check the config [09:44] ppisati: nothing relevant that i can identify https://gist.github.com/vmayoral/193f5c1e71f5cfb9bd67 [09:44] FAT-fs (mmcblk0p1): IO charset iso8859-1 not found [09:44] that config is missing the option [09:44] two things: [09:45] 1) did you check that the resulting config are the same? [09:45] 2) you are using an old version #18 while we are at... [09:45] 23? [09:45] something like that [09:45] let me take a closer look at that tree [09:47] ah [09:47] ok [09:47] to compile that tree and get a debian package, you have to do this: [09:48] export $(dpkg-architecture -aarmhf); export CROSS_COMPILE=arm-linux-gnueabihf- [09:48] fdr clean; debian/rules build; fdr binary-generic [09:48] the config is store in: [09:48] *stored [09:49] master/debian.master/config [09:49] split among [09:49] config.common.ubuntu [09:49] and the other snippets in debian.master/config/armhf* [09:50] if you did as i read in the REAME.md of that git tree: [09:50] ARCH=arm ./scripts/kconfig/merge_config.sh arch/arm/configs/omap2plus_defconfig arch/arm/configs/snappy/*.config [09:50] make ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- uImage dtbs -j4 [09:50] you are missing some options [09:50] so, it's up to you [09:50] i see [09:50] regarding the kernel [09:50] either you add that charset in your config [09:50] i fetched it from http://kernel.ubuntu.com/git/ubuntu/ubuntu-vivid.git/ a few days ago [09:51] will rebase it now to get up to date [09:51] i think your config is quite good [09:51] the way you build the kernel is correct [09:51] it is how it's done when you are developing [09:51] it's faster [09:51] it easier if you just made a change and you want to test it [09:51] etc [09:52] but if you want exactly our kernel packages [09:52] you should follow the 'fdr *' instructions up here [09:52] where fdr is an alias for [09:52] 'fakeroot debian/rules' [09:52] just in case [09:53] thanks a lot for explaining, is this documented somewhere? [09:53] vmayoral: yep [09:53] vmayoral: hold on [09:54] https://wiki.ubuntu.com/KernelTeam/ARMKernelCrossCompile [09:54] ok, this is a bit old [09:54] since it covers the omap4 kernel [09:54] and back then i was suggesting: [09:54] export $(dpkg-architecture -aarmhf); export CROSS_COMPILE=arm-linux-gnueabihf- [09:54] fakeroot debian/rules clean [09:54] fakeroot debian/rules binary-omap4 [09:54] but the stuff that i pasted here is faster [09:55] and works for generic [09:55] (instead of binary-omap4 you use binary-generic) [09:55] and it tells you how to change the config too [09:55] fakeroot debian/rules editconfigs [09:56] in your case it's the generic flavour that you are interested [09:56] great, I'll go ahead and reproduce it all. If it adds some value, I'll be happy to document it and maybe this way i can contribute. [09:57] ppisati: thanks a lot for your time. [10:00] ogra_, thanks for answer [10:02] ppisati: it'll be great if you guys could also consider including the PRU patches in the vivid tree. Many BBB users make use of these units on the SOC. [10:04] also, ppisati, what's you opinion on changing the kernel released on snappy images to be preemptible (pretty match activating the PREEMPT option)?. IOT devices could make good use of this kind of kernels [10:05] vmayoral: ATM the BBB is the same kernel that we use across all ubuntu armhf devices [10:05] current OEM snap allows to change the kernel (i believe) so that should be manageable [10:05] vmayoral: but we are having a discussion about it, where to take it, the direction we want to give it, etc [10:05] right [10:06] vmayoral: question - i now that you use the PRUs for the sensors on your drone, right? [10:06] ppisati: great hearing that. I don't mind compiling the kernels with PREEMPT or PREEMPT_RT options but it'll be great for many avoiding this and going straight into the official images [10:06] ppisati: yes, we use it for fast PWM generation and PPM signal processing [10:07] vmayoral: ok [10:07] but there's a lot happening in the PRU world [10:07] vmayoral: so, you load a binary into PRUs, right? [10:07] yes, every year, there're GSOC project that build on top [10:07] vmayoral: did you try to "port" your code to the remoteproc facility? [10:08] no we have not. What i'm most concerned about is the maintainability if we were to do so. [10:08] Current Dronecode Foundation helps a lot with that [10:08] if we were to move to the PRUs... [10:08] vmayoral: what you mean? [10:11] i mean that there's an existing community supporting the code based on a single (or multiple) core symmetric processors based on userspace drivers. If we were to port a part of the code to an assymetric arch. (e.g. the PRUs) we would loose the community support [10:11] with our current size and dev. force we can't afford it [10:12] nevertheless, i'm seeing how the PRU-world grows every year and there's even people bit-banging protocols on them [10:13] vmayoral: ok, sorry i'm confused now [10:13] vmayoral: i asked you if you were using the PRU and you told that you were using it [10:14] 12:06 < vmayoral> ppisati: yes, we use it for fast PWM generation and PPM signal processing [10:14] yes, we are [10:14] for PWM and PPM generation/processing [10:14] ok [10:14] probably i misunderstood it at some point. [10:15] vmayoral: so, there's are two ways to interact with the hw PRUs AFAIK [10:15] vmayoral: the PRU patches that you applied [10:16] vmayoral: unsupported by TI [10:16] vmayoral: of their supported mechanism, the remoteproc [10:16] *or [10:16] since you applied thse patches to your kernel, i assume you are using the userspace driver [10:17] and i was wondering if you have ever tried/considered to move it to remoteproc [10:17] that's beause, part of the TI BSP kernel requires the remoteproc facility for some of its features [10:17] e.g. the power management code has a requirement on it [10:21] i see, i don't have much understanding about how remoteproc works but i was assuming that any interaction with the PRUs was done through the remoteproc framework. [10:22] the patches came originally from a tree maintained by Robert Nelson who is working tightly with TI and BeagleBoard https://github.com/RobertCNelson/bb-kernel/tree/am33x-rt-v4.1/patches/pru [10:24] (AFAIK) === andyrock_ is now known as andyrock [10:52] is there a way to launch a shell in the environment of a snap? [10:53] my snap fails to start, and the systemd log is not very helpful [10:54] i had a nodejs based terminal once, running the shell inside teh snap env, but the snap isnt functional currently [10:55] i think there was another one in the examples or some such, but i cant remember exactly [10:55] well i guess i could just set the environment variables manually [10:56] do you have a start script ? [10:56] you could just make it print the env to some logfile [10:56] yes [10:56] aha [10:56] the error is cp: cannot create regular file ‘/server.conf’: Read-only file system [10:57] looks like an unset variable [10:57] SNAP_APP_PATH ? [10:57] or SNAP_APP_DATA_PATH [10:57] yes CONF=$SNAP_APP_DATA_PATH/server.conf [10:58] weird, that should definitely be set [10:58] yes it is not set when i run it manually [10:58] for testing [10:58] found the error now [10:58] heh, indeed not [10:58] sed: -e expression #1, char 88: unterminated `s' command [10:58] narf [10:58] heh [10:59] but it would be really helpful if one would see these errors in systemd [10:59] +1 [11:00] they used to show up when we used journald ... not sure why they dont end up in syslog now [11:01] mhm let me check syslog, i was using systemctl [11:01] ah [11:04] ogra_: you are right, it is in syslog [11:04] Jul 31 11:04:22 odroid ubuntu-core-launcher[1327]: sed: -e expression #1, char 88: unterminated `s' command [11:05] thats good enough i think [11:05] ah, cool [11:05] longsleep: should also be in journalctl [11:06] Chipaca, do you knwo why we use both ? [11:06] but i admit to not being proficient in journalctl usage [11:06] smells bloated [11:06] ogra_: because that's how we roll? :-p [11:06] ogra_: i think we want to drop syslogd, but had to bring it back for [11:06] happened before i got on board [11:06] ah [11:06] ogra_: but aiui it's wanted to go away [11:06] ok [11:07] that is, we want to drop syslogd, but something or other depends on it still [11:07] * ogra_ doesnt care which one goes away, i just dont like the duplication :) [11:07] and it's bloated but not super critical [11:07] yeah [11:09] hmm [11:10] on my BBB snappy list -v shows ubuntu-core 9 active ... webdm only shows 8 [11:14] mhm now i get Jul 31 11:12:02 odroid ubuntu-core-launcher[1734]: Bad system call when running sed :/ [11:14] time for lunch [11:23] longsleep: ooh! check syslog again, in particular for seccomp or apparmor issues [11:23] longsleep: bad system call is probably seccomp [11:24] longsleep: sc-logresolve should help you if that's the case [11:38] longsleep: super interested in what you find [11:38] but alas, lunch calls === JamesTai1 is now known as JamesTait === guest42345 is now known as guest00|AFK [12:25] Chipaca: yeah i will investigate now - i just returned from lunch and finishing up my ice cream :P [12:28] yummy [12:28] * Chipaca having a big cool fizzy drink instead [12:28] (no it's not beer, shaddup) [12:29] * ogra_ slurps a hot espresso :) [12:29] you and your frozen stuff [12:43] Chipaca: so, this is all in syslog: http://paste.ubuntu.com/11973062/ [12:43] Chipaca: and my start script is this (for testing) http://paste.ubuntu.com/11973068/ [12:56] sergiusens, ogra_: how do you build a base image with a custom kernel using ubuntu-device-flash? [12:57] you need your own device tarball [12:59] jjohansen, this is the script i use to create the rpi device tarball from ppisati's PPA builds http://paste.ubuntu.com/11973145/ [13:00] ogra_: how much of that applies to generating something for generic-amd64? [13:00] well, the format is the same in both [13:01] the paths might differ though [13:01] (since x86 doesnt use uboot indeed) [13:01] longsleep, I saw that calling the binary directly from its folder (like /apps/appname/ver/binary) give more information than "bad system call" [13:02] I saw dtb too [13:02] c-lob: all right [13:02] jdstrand, jjohansen, you can ignore the System.-map, config and dtb stuff though [13:02] c-lob, Chipaca : I narrowed it down to the -i parameter in sed. sed works just fine without -i [13:03] oops, missed your syslog [13:03] sorry was pulled into a different thing [13:03] * Chipaca reads now [13:03] Chipaca: yeah there is not much in syslog [13:03] c-lob: no further details with callling /bin/sed instead just sed [13:03] longsleep: and sed -i works outside of a script? [13:04] Chipaca: when i run it as root yes [13:04] let me try again [13:05] jdstrand: an idea what can cause a silent "bad system call" with nothing in syslog, when running something as root under seccomp, but not when running as root wihtout it? [13:05] jdstrand, can you help me with question about system wrappers? After installation all apps and services should be started only through wrappers, but when one wrapper trying to launch another wrapper I receive errors like this: [13:05] Chipaca: yes confirmed, sed -i works fine as root [13:05] $sudo /usr/bin/ubuntu-core-launcher myapp myapp_service_0.0.1 /apps/myapp/0.0.1/bin/myapp-wrapper [13:05] ubuntu-core-launcher: error while loading shared libraries: cannot apply additional memory protection after relocation: Permission denied [13:05] even with frameworks, without ubuntu-core-launcher - everything ok. Is there proper way to launch one file from another? [13:06] pilil: i don't think you should call one wrapped thing from another [13:07] inside the same app, call your things directly [13:07] outside the same app yes [13:07] pilil: Chipaca is right. if it is in your own snap, just use $SNAP_APP_PATH/path/to/your/thing [13:07] *gasp* [13:08] * Chipaca takes a snapshot and frames it [13:08] Chipaca, if I have framework LXC, how could i run commands like lxc-ls from my app? [13:08] Chipaca: it was bound to happen sometime [13:08] [13:08] * jdstrand hugs Chipaca :) [13:08] pilil: the framework has to expose that via its framework policy [13:09] :) [13:09] pilil: so install the framework, then you can do 'snappy-security list' [13:10] pilil: then have your snap depends on the framework and use either the security-template or caps (for policy groups), or both in your yaml for the service/binary [13:11] Chipaca: yeah, that is one strange error [13:11] jdstrand, even if policy set up to unconfined, we have this error. Or there are some other policy? [13:11] Chipaca: (Bad system call). that isn't a seccomp denial [13:12] pilil: if the policy is unconfined, don't use a wrapper, just go into the install directory of the the you want to execute [13:12] pilil: /apps/foo/current/path/to/binary [13:12] longsleep: do you still get it if you set your policy to unconfined? [13:13] Chipaca: that feels like the launcher was compiled on one system that had that system and run on another that didn't [13:13] Chipaca: how would i do that? Didnt investigate on policies yet [13:13] jdstrand, yes, now we deal with this way, but its look insecure, and we are researching how to improve security [13:13] s/that system/that system call/ [13:13] Chipaca: i have caps: networking and network-service [13:13] pilil: well, you are running unconfined so... :) [13:13] pilil: when you go confined, use the framework policy method I described [13:14] it was just first run, we have plans to use profiles :) [13:14] Chipaca: from my syslog, does it not already run with unconfined? [13:14] Chipaca: operation="profile_replace" profile="unconfined" [13:14] pilil: a framework will express what it is safe to do via its framework-policy [13:15] jdstrand, thanks, now I need addition research about it [13:15] longsleep: no, I don't think that's your app there [13:16] pilil: fyi, https://developer.ubuntu.com/en/snappy/guides/frameworks/ and https://developer.ubuntu.com/en/snappy/guides/security-policy/ [13:16] Chipaca: its not - but it has name="spreed-webrtc.sideload_spreed-webrtc_0.0.1" pid=1718 in the line? [13:16] jdstrand, yeah, already there, thanks [13:17] longsleep: yes; I don't know what that means (jd.strand would know), but i do know that unless you're specifying unconfined in your package.yaml, it'll be confined [13:18] ogra_: I am afraid I am missing some context to get that scipt to work for me. I assume you have mounted the image and are in its root? [13:18] Chipaca: so i just add security-template: unconfined ? [13:18] jjohansen, no [13:19] jjohansen, i create a device tarball fs structure and tar that up after putting the files in place [13:19] jjohansen, then you use it with ubuntu-device-flash to create an image (with the --device-tarball option pointing to it) [13:19] longsleep: yes [13:19] Chipaca, jdstrand: When running unconfined it just works [13:20] longsleep, Chipaca: the STATUS line is just telling you that the profile was reloaded into the kernel [13:20] ta :) [13:20] i knew it was an irreal elephant, but not exactly why [13:20] so, but this cannot be the solution right? [13:20] nope [13:20] i mean we do want to run things confined [13:21] jdstrand: is there an easy way for longsleep to run the service confined, but via strace? [13:21] well there is no strace in my snappy [13:21] longsleep: you can copy strace-the-binary from ubuntu and it'll work [13:22] Right, assuming i find an armhf one somewhere - let me look [13:22] heh [13:22] you don't have an armhf notebook? [13:22] ;-p [13:22] longsleep: i can put one up for you, give me a bit [13:22] longsleep: you based on 15.04? [13:22] Chipaca: look at the line in the systemd service file for the launcher and do 'sudo strace -o /tmp/strace.out -f ubuntu-core-launcher ...' [13:23] ogra_: device-tarball is only available for touch, I am trying to do core? [13:23] jdstrand: or edit the start script similarly :) [13:23] good one [13:24] ogra_: can I just use touch instead of core? [13:24] not the start script, the systemd file [13:24] Chipaca: well, the start script will run strace under confinement. the way I described strace will be out of confinement [13:24] jdstrand: yep yep [13:24] both can be useful [13:24] Chipaca: yes 15.04 [13:24] jdstrand: last i tried, strace wouldn't play well seccomp [13:24] so, the service probably needs to have the cd to the WorkingDirectory and the env setup to what is in Environment [13:25] Chipaca: strace should work with seccomp, if seccomp allows ptrace [13:25] Chipaca: yeah, to run strace under confinement the security policy would have to be modifed, which took us out of 'an easy way' :) [13:25] Chipaca: I mean, I could get you there... :) [13:26] jjohansen: jdstrand: after my holidays, i'll try strace under seccomp [13:26] Chipaca: ok i got strace, hold on a sec [13:26] * Chipaca makes a note [13:26] jjohansen, sorry, --device-part= for core ... not -tarball [13:26] longsleep: ah, ok :) [13:26] * Chipaca had just found it [13:28] http://people.canonical.com/~john/strace_4.8.1ubuntu5_15.04_armhf fwiw [13:28] longsleep: you know what to edit to use that? [13:29] ogra_: what is the best way to mount these images, last touch images I mount were fine, these core images fail [13:29] Chipaca: for your after holidays notes> you can just drop syscalls into /var/lib/snappy/seccomp/profiles/foo. I have a feeling you'll need something for apparmor too (a simple '/path/to/strace' ixr,' and 'ptrace,' in /var/lib/apparmor/profiles/... would probably get you very close) [13:29] jjohansen: https://github.com/longsleep/snappy-odroidc#build-snappy-image-for-odroid-c1 [13:29] jjohansen: kpartx -avs img.img; mount ...; umount ...; kpartx -ds img.img [13:30] sergiusens: hrmm okay, maybe I have a corrupted image [13:30] well .. Jul 31 13:30:10 odroid ubuntu-core-launcher[2762]: /apps/spreed-webrtc.sideload/0.0.1/bin/strace: test_ptrace_setoptions_for_all: unexpected signal 31 [13:30] sergiusens: thanks [13:30] Chipaca: did i do something wrong or strace does not work [13:30] longsleep: what did you edit? [13:31] jjohansen: parted on the img file might tell yo, but if it's x86, it should have 5 partitions [13:31] my start script [13:31] Chipaca: so i have a strace line now in the start script for sed [13:31] longsleep: ah. no :) edit your systemd service file [13:31] longsleep: /etc/systemd/system/somethingobvious [13:31] ah ok [13:32] longsleep: and may i recommend strace -s 999 -f -o /tmp/mytrace [13:32] and then the launcher [13:32] i.e. strace -s 999 -f -o /tmp/mytrace ubuntu-core-launcher yadda yadda [13:33] * Chipaca notes signal 31 is USR2 [13:34] Chipaca: all right http://paste.ubuntu.com/11973341/ [13:34] oh i didnt at the parameters [13:34] hold on [13:36] Chipaca: and here it comes: http://paste.ubuntu.com/11973352/ [13:39] longsleep: can you paste 'sudo grep audit /var/log/syslog'? [13:39] sure [13:40] jdstrand: http://paste.ubuntu.com/11973370/ [13:42] jdstrand: nothing strange there, amirite? [13:42] i think this needs to go to a bug [13:42] i'll see if i can reproduce it, then file it myself [13:43] meanwhile, longsleep, you could do http://pastebin.ubuntu.com/11973383/ [13:43] Chipaca: yeah it could be related to my kernel as well [13:43] longsleep: avoid an extra exec, and an extra file move :) [13:43] Chipaca: yeah, there is no seccomp denial [13:43] Chipaca: yes sure, i can go without -i [13:44] longsleep: you know -i isn't *actually* in place, yes? [13:44] it creates a tmpfile then moves it over [13:44] Chipaca: yes - it creates a tmpfile [13:44] so your .new was dupe effort [13:44]