[07:08] <dholbach> good morning
[08:10] <fgimenez> good morning
[09:00] <liuxg> dholbach, sorry, my network is not stable. did you see my question?
[09:00] <dholbach> liuxg: no, I didn't
[09:00] <liuxg> dholbach, do you know if there is any way to create a ramdisk in snappy? for the webcam example, I want to capture the image into memory instead of being into the disk, which is a slow operation.
[09:00] <dholbach> I have no idea
[09:01] <dholbach> maybe lool or asac or somebody else knows?
[09:01] <liuxg> dholbach, the above was my question. alright! thanks!
[09:02] <liuxg> dholbach, lool asac I have tried to create a ramdisk in the code, but "mount" seems not successful.
[09:02] <dholbach> I'm sorry - I have no idea
[09:03] <liuxg> dholbach, I have posted it to the mailing list, hopefully, there is a reply for it :)
[09:03] <dholbach> ok cool
[09:25] <asac> liuxg: in the webcam code? you need special permissions for that i assume due to sandboxing. check syslog for errors related
[09:31] <Guest23806> sergiusens: /Volumes/
[11:15]  * Chipaca quietly puts the kettle on
[12:29] <kyrofa> Good morning everyone
[12:50]  * davmor2 changes Chipaca nick to polly (https://en.wikipedia.org/wiki/Polly_Put_the_Kettle_On)
[13:08] <liuxg> lool, ping
[13:08] <liuxg> kyrofa, ping
[13:08] <kyrofa> liuxg, pong
[13:09] <liuxg> kyrofa, I just saw that you got the fix for the broken symlink. does it mean that I can pull the latest source to get it working?
[13:10] <kyrofa> liuxg, if you clone the github repo and use the 1.x branch, yes, that will work like you're used to AND have the bugfix. It'll be officially released soon as well
[13:11] <liuxg> kyrofa, ok. then I wait for the fix. by the way, I recently tried the license example, and I found it not working. https://bugs.launchpad.net/snapcraft/+bug/1527453
[13:11] <kyrofa> liuxg, don't quote me on this, but I think that's not implemented yet
[13:12] <kyrofa> liuxg, but I'll look into it a bit further once I finish backporting a few more things for 1.x
[13:13] <liuxg> kyrofa, OK. thanks! I just tried it since it was documented there. By the way, do you know if there is any way to mount a ramdisk in snappy system? I find that I/O operation is slow, and I want to use a ramdisk for my webcam picture capturing.
[13:16] <kyrofa> liuxg, not sure about that one
[13:17] <liuxg> kyrofa, it is OK. thanks for helping
[13:18] <kyrofa> liuxg, can you explain the use-case a little more though?
[13:19] <liuxg> kyrofa, in the current example https://github.com/ubuntu-core/snapcraft/tree/master/examples/webcam-webui, it saves the picture into disk every 10 second. currently, I implement a client to access the picture to display it on my ubuntu phone. I want to have higher frequency. The I/O to disk is slow compared to the ramdisk.
[13:20] <liuxg> kyrofa, a file in the memory is better in this sense. the sample uses fswebcam to capture the picture.
[13:21] <kyrofa> liuxg, ah, okay. Agreed that with the way this works putting the picture in memory would be faster, but there are better ways to accomplish what you're wanting without requiring it
[13:22] <liuxg> kyrofa, really? I am all your ears :) what is the better solution?
[13:23] <kyrofa> liuxg, first of all, I'm assuming that since the webcam demo saves to a directory it does not display video. You need to refresh to see a new picture?
[13:23] <kyrofa> (I've not run it myself)
[13:24] <liuxg> kyrofa, in its way, it just captures the picture every 10 seconds. In my own implementation, I can initiate an HTTP request to get a picture, and I can control the frequency to get the picture. it
[13:24] <kyrofa> liuxg, gotcha, so YOU want video
[13:25] <sturmflut> Why not directly take the webcam picture inside the HTTP request, and never store it
[13:25] <liuxg> kyrofa, yeah, some kind of that effect, like home security though frame rates not so high.
[13:25] <kyrofa> sturmflut, quit stealing my thunder!
[13:25] <kyrofa> liuxg, no streaming video ever caches each frame anywhere, not even in a ramdisk
[13:26] <liuxg> sturmflut, the things fswebcam app captures picture into a file. that is what i know. if it captures into memory, that is definitely better.
[13:26] <kyrofa> liuxg, you should probably be accessing the camera directly
[13:26] <sturmflut> liuxg: The manpage for fswebcam says 'The PNG or JPEG image can be sent to stdio using the filename "-"'
[13:26] <liuxg> kyrofa, yes, you are right. video streaming is another option. vlc could be one for the purpose. I have not tried it yet.
[13:27] <kyrofa> liuxg, grab a frame from it, and fire the frame off via some UDP-based protocol, e.g. rtp
[13:27] <sturmflut> So have your HTTP server call it like that and pipe the output
[13:28] <liuxg> kyrofa, hmm, I have not tried it yet, and I do not know how it goes.
[13:28] <kyrofa> liuxg, if you really want to use fswebcam, sturmflut's suggestion would work as well
[13:29] <kyrofa> liuxg, but using a ramdisk with your use-case is layering hacks upon hacks
[13:30] <liuxg> kyrofa, it seems that "mount" is not supported due to security. http://paste.ubuntu.com/14127715/
[13:31] <kyrofa> liuxg, indeed, that doesn't surprise me
[13:31] <liuxg> sturmflut, thanks for your tip. in that case, how can the command look like?
[13:32] <kyrofa> liuxg, you can exec fswebcam from your app and setup the pipes in code if you want it all in the project rather than a script
[13:34] <liuxg> kyrofa, yeah, I can do it in golang to exec fswebcam
[13:34] <kyrofa> liuxg, that would probably be the slickest way
[13:35] <kyrofa> liuxg, but you can also write your server to read from stdin and pipe them together using the shell as normal
[13:35] <kyrofa> liuxg, `command1 | command2`
[13:37] <liuxg> kyrofa, sounds interesting though I have never tried it.
[13:38] <lool> liuxg: pong
[13:39] <liuxg> lool, thanks. yeah, just now, discussed with kyrofa about whether it is possible to make a ramdisk in a snap app.
[13:40] <lool> it is possible, but if you need the mount() syscall, you'll need an unconfined snap or a custom apparmor policy
[13:40] <lool> you can create ramdisks without the mount syscall though
[13:40] <lool> (or if you need chroot())
[13:41] <liuxg> lool, how can I do that? currently, in my script, I do it like http://paste.ubuntu.com/14127715/, it gives me the error.
[13:42] <liuxg> lool, how to create a custom policy for an app? it would be good to have an example for it.  thanks
[13:42] <lool> liuxg: there are examples, but I'm trying to find a recent one given the syntax has changed a bit in the last months
[13:45] <liuxg> lool, this example seems to have the one, but it is not based on the snapcraft http://bazaar.launchpad.net/~snappy-dev/snappy-hub/snappy-examples/files/head:/framework-template/. By the way, if an app uses custom apparmor policy, can the app be uploaded to store?
[13:46] <lool> liuxg: right exactly
[13:46] <lool> liuxg: typically an app with a custom policy is going to trigger manual review, so we'll need some way to audit that it's legit to use these permissions
[13:46] <liuxg> lool, I do not know how the syntax looks like in the snapcraft syntax.
[13:47] <lool> liuxg: in snapcraft, you basically have the package.yaml in the main snapcraft.yaml file
[13:47] <lool> liuxg: basically snapcraft.yaml contains the template copied into meta/package.yaml before snappy build
[13:47] <liuxg> lool, so, the syntax for them are the same?
[13:48] <lool> liuxg: well most of the package.yaml is expressed in a subset of the snapcraft.yaml -- snapcraft.yaml also lists e.g. parts
[13:48] <liuxg> lool, for my case, I need to customize a file like http://bazaar.launchpad.net/~snappy-dev/snappy-hub/snappy-examples/view/head:/framework-template/meta/framework-policy/seccomp/policygroups/client, add the mount system call, right?
[13:49] <lool> liuxg: yes
[13:49] <lool> liuxg: if you're confident this is the only thing, you can go ahead and do that; if you need to debug, there are snappy-security tools to help you do this (or look in dmesg); if you want to get your app running first, and then tune the permissions, you can set it to unconfined
[13:50] <liuxg> lool, do you have a complete example for custom security policy based on snapcraft? I think a lot of developers are interested to know this.
[13:50] <lool> liuxg: not handy
[13:51] <liuxg> lool, by the way, how to set an app to "unconfined" in snapcraft.yaml file?
[13:51] <lool> liuxg: http://bazaar.launchpad.net/~lool/+junk/quagga-snap/files is a snapcraft based snap which sets custom caps (but no custom apparmor policy)
[13:51] <kyrofa> liuxg, remember that anything with custom security policies will require manual review
[13:51] <lool> liuxg: instead of "networking", put "unconfined" there
[13:53] <liuxg> kyrofa, thanks for reminding that. lool just mentioned that.
[13:54] <liuxg> lool, do you mean that we can change the "networking" there to "unconfined", then it is done?
[13:54] <liuxg> lool, I mean this is the file http://bazaar.launchpad.net/~lool/+junk/quagga-snap/view/head:/snapcraft.yaml
[13:55] <lool> liuxg: this is just to point you the spot where caps are set
[13:55] <lool> liuxg: you can remove all of networking, network-admin etc. and just list unconfined
[13:56] <liuxg> lool, I know. the snap still uses the default security template, right? for custom one, we need to define something like "unconfined"
[13:56] <sturmflut> liuxg: I just did it for fun, but it can even be solved in one line of bash
[13:56] <sturmflut> while /bin/true; do (echo -ne "HTTP/1.1 200 OK\nContent-type: image/jpeg\n\n"; fswebcam -) | nc -l 12345; done
[13:57] <sturmflut> With a proper version of netcat you can even avoid the short period required to re-open the socket
[13:58] <liuxg> sturmflut, sounds an interesting hack. do you try this on your desktop?
[13:58] <sturmflut> liuxg: On my notebook
[14:00] <liuxg> sturmflut, I have been trying the example on my Raspberry Pi. it may not have a display yet. Anyway, it is good to see it works. I will try your way to do it in the code.
[14:00] <sturmflut> liuxg: It is pretty slow, fswebcam takes a long time to fetch the picture each time
[14:01] <lool> liuxg: unconfined is a template which means give me all permissions
[14:01] <liuxg> sturmflut, it depends on the resolution as well.
[14:01] <lool> liuxg: if you want your own template, you can't use caps; rather you'll have to pass a .apparmor and a .seccomp file under your meta/ dir
[14:01] <lool> liuxg: but I haven't done that in snapcraft myself
[14:01] <lool> so I can't provide a recent example
[14:03] <liuxg> lool, thanks. so if I want to make my snap an unconfined, I just do sth like http://paste.ubuntu.com/14127918/, it should be fine, right?
[14:03] <lool> liuxg: yeah, seems about right
[14:04] <liuxg> lool, perfect. It is good to know. I have been reading Snappy Ubuntu Core - Application Developer Manual 15.04, but it is not so clear to me at all :)
[14:05] <lool> liuxg: ah, perhaps we need to improve some sections then  :-)
[14:06] <lool> liuxg: if you would like to suggest changes, we'd be happy to take them; there is definitely room for improvement
[14:06] <liuxg> lool, in fact, more working examples will be very beneficial to the developers. Sometimes, it is hard to explain without examples. I have fed back some problems in the documents, and they are corrected!
[14:08] <liuxg> lool, debugging is important for developing snaps. It would be good to have more contents to show how to debug security issues.
[14:09] <liuxg> lool, from developers point of view, it would be good to have a graphic tools to generate a useful snapcraft.yaml file. that would be very useful.
[14:11] <lool> ack; there are specific tools to help debugging security issues
[14:11] <lool> "Security policy debugging commands reference" in the manual
[14:13] <liuxg> lool, in fact, in the ubuntu phone development, I also met the same problem. the log does not say the missing caps. it is hard to interpret the messages there. I would expect a clear messaging like "networking is missing in your app".
[14:14] <lool> liuxg: right, fair point
[14:15] <lool> the latest version for snappy tries to make suggestions, but it's never perfect
[14:16] <liuxg> lool, in fact, android is doing this way and it is very easy to debug. For us, it is just a kind of try and try.
[14:17] <liuxg> lool, it could be possible that an app grant all of the caps just purely want to make it work. In fact, maybe some of them are not needed at all.