/srv/irclogs.ubuntu.com/2016/02/08/#snappy.txt

=== laza_ is now known as laza
zlowredhi there, I'm having troubles using 1-wire on Raspberry Pi 2 using latest Ubuntu Snappy Core, I did 'modprobe w1-gpio' which looks ok and adds w1 into /sys/bus, but /sys/bus/w1/devices is empty. Same hw works well under Raspbian. Are there any manuals/hints on getting it running? thanks05:49
Tenacious-TechhuGood luck, zlowred; every time I ask a question here, I get nothing. :P06:04
zlowreddidn't want to dive  into kernel sources... but afraid choices are only that or switching back to raspbian06:06
Tenacious-Techhuzlowred, you know anything about how secure by default Snappy is?06:10
zlowrednot really worried about this as my device is supposed to run on local network06:12
Tenacious-TechhuThat's the question I've been asking... I'm the one that cares. XD06:18
pittielopio: sure, call it with --copy to copy a file into the testbed, or pass it via --setup-commands07:08
pittielopio: you can't do that on the production infrastructure of course07:08
pittibut locally is fine07:08
Tenacious-Techhupitti, how secure by default is Snappy, and in what ways isn't it secure by default?07:31
pittiTenacious-Techhu: I'm not working on snappy, sorry; but this is a very fuzzy question, you need to get more specific07:32
pitti(I. e. I can't answer details about snappy)07:32
Tenacious-TechhuIt's not a fuzzy question. "Secure by default" is a practice in which the attack surface of a system is completely minimized at the time of initial install and startup, until the "system administrator" changes it in order to enable features.07:34
fgimenezgood morning08:04
Tenacious-TechhuHello!08:05
Tenacious-TechhuHow secure by default is Snappy?08:05
anpokTenacious-Techhu: hm i guess this question is best asked on the mailing list.. But snappy by default is very minimal.. and it requires you to enable access for applications via app armor08:05
Tenacious-TechhuBeing secure by default isn't necessarily about minimality; that's more about how insecure things are after they've been turned on. But thanks for the info.08:06
anpoki.e. installing common linux software is all about making sure it does not touch anything on the file system and figuring out what profile might be suitable for the applicatiohn08:07
anpok-h08:07
anpokyou dont turn on things globally.. you do that per application..08:07
Tenacious-TechhuRight; but if I were to install everything, would those things start off turned off or not?08:08
Tenacious-TechhuThey should be disabled even though they've been installed.08:08
anpoktake a look at the security wiki page .. hmm here:08:10
anpokhttps://wiki.ubuntu.com/SecurityTeam/Specifications/SnappyConfinement08:10
anpoksome of the yaml settings have been renamed already08:10
anpokif you install a snap its package yaml is scanned for requires security profiles, those are then used to confine the application.. and yes if the snap contains a service that one will be started.08:14
anpok*required..08:14
anpoknote i am not one of the devs, just someone that tries to use it.08:14
Tenacious-TechhuMore answers than I was getting anpok. XD08:36
dholbachgood morning09:07
Tenacious-TechhuGood morning!09:09
Tenacious-Techhudholbach, how secure by default is Snappy?09:09
noizergood morning :D09:10
dholbachTenacious-Techhu: https://github.com/ubuntu-core/snappy/blob/master/docs/security.md should give you a good idea09:11
Tenacious-TechhuSo... it's not.09:12
dholbach?09:13
Tenacious-Techhu"If unspecified, default confinement allows the snap to run as a network client."09:14
Tenacious-TechhuIt's not.09:14
dholbach...09:20
Tenacious-Techhudholbach, do you disagree with my assessment?09:28
seb128kyrofa, hey, could you comment on bug #1542451? is that scope deprecated or is it going to be fixed/updated?09:29
ubottubug 1542451 in unity-scope-snappy (Ubuntu) "RM: unity-scope-snappy" [Critical,Triaged] https://launchpad.net/bugs/154245109:29
seb128willcooke, ^ just fyi, since our team was assigned to reply on it09:30
willcookethanks seb12809:31
* willcooke subscribes 09:31
seb128yw09:32
seb128willcooke, you should get emails through desktop team assignment09:32
willcookehrm09:32
* willcooke searches09:32
willcookein spam09:33
willcookeod09:33
willcooked09:33
Tenacious-TechhuAnyone else have anything to say about whether Snappy is secure by default?09:34
JamesTaitGood morning all!  Happy Monday, and happy Chinese New Year! 😃09:53
Tenacious-Techhudholbach, do you disagree with my assessment?10:04
=== vrruiz_ is now known as rvr
noizerHi, I got a short question can i start other snaps from my snap?10:37
Tenacious-Techhunoizer, good luck getting your question asked.10:42
beunonoizer, hi. No, you can't10:43
beunoit breaks confinement, essentially10:43
Tenacious-Techhubeuno, is Snappy secure by default?10:43
beunoTenacious-Techhu, I think that's been answered already10:44
Tenacious-TechhuNo, it hasn't; they just pointed at documents. But if you would be so kind as to elaborate, that would be very helpful.10:44
noizerbeuno hmm will there be something to start an other app later?10:44
beunoit seems like you are fishing for something, I'd prefer you to ask specific questions10:44
Tenacious-TechhuI am looking for a linux distribution that is secure by default.10:45
beunoTenacious-Techhu, maybe you need to expand on what secure to you means?10:45
Tenacious-Techhu"Secure by default" means that all installed software starts with defaults that prevent it from being insecure.10:46
beunonoizer, it's not currently on our radar, given it breaks out of confinement. Can you expand a bit on what you're trying to achieve?10:46
Tenacious-TechhuIt is my impression that, allowing software to be a network client by default goes against that security paradigm. Is that consistent with your perspective on the issue?10:47
beunoTenacious-Techhu, I read through your previous comments on apps that can access the network makes them insecure10:47
Tenacious-TechhuSo your conclusion would be that it isn't?10:48
noizerbeuno We are making a product where people can make snaps for it. This product needs able to start applications just like the webdm or something10:48
beunoTenacious-Techhu, we don't plan on locking down Snappy by default to that extent, Internet of Things without the Internet part is just "things"  :)10:48
BughunterAny one experience the same situation with two ubuntu-core packages installed.10:48
BughunterThe default username and password are ubuntu.10:49
=== beowulf_ is now known as beowulf
Bughuntersnappy list -v Name        Date       Version   Developer   ubuntu-core 2016-01-28 7         ubuntu*     ubuntu-core 2016-01-28 7         ubuntu10:49
beunonoizer, ah, I see. So, we will have special permissions you can request in order to use the same APIs webdm uses10:49
Tenacious-TechhuWell yes, but you also don't want your unwatched "thing" to start running software the user didn't explicitly approve.10:49
Tenacious-TechhuMalware installed on an IoT device shouldn't be allowed network access by default.10:49
beunoTenacious-Techhu, we do capture that a device uses the network, and there are scenarios where you might be able to lock it down further and/or inspect what snaps have requested network access10:50
Tenacious-TechhuThat would only allow dealing with the problem after-the-fact.10:50
noizerbeuno where can i find the webdm api?10:50
Tenacious-TechhuA piece of software should have to explicitly specify if it wants network access, and be granted that approval.10:50
beunonoizer, it's WIP, but, here it is: https://github.com/ubuntu-core/snappy/blob/master/docs/rest.md10:51
beunoTenacious-Techhu, we might be able to provide a bit further down the line an option to set stricter policies10:51
beunobut it is unlikely going to be the default10:51
noizercan webdm starts an application?10:52
noizerbeuno10:52
beunonoizer, I think it either can now or it will in the near future10:52
beunothe command line and webdm are both moving to the internal rest api10:53
Tenacious-Techhubeuno, that does little good when a device is already out in the field, waiting to be preyed upon.10:53
Tenacious-TechhuBetter to handle it now.10:53
BughunterIssue: after update of ubuntu-core package with command "sudo snappy update ubuntu-core" we end up with two similar versions of ubuntu-core.10:53
noizerthanks for the help beuno :D10:54
beunoBughunter, sorry, I don't understand the issue10:54
beunowhat's going on?10:54
ogra_Tenacious-Techhu, if you are concerned about that, there is a ufw snap that allows you to firewall the whole device by default and thus have full control over network accesses10:54
BughunterStrange thing is, why update with similar version. And why is it impossible to remove the duplicate package?10:54
beunoTenacious-Techhu, end users don't understand security and will just approve everything. Additionally, most devices that will ship will require them to have internet access *and* won't have a UI for the user10:55
Tenacious-Techhuogra, that would only be an improvement if that firewall were installed by default on all versions of Snappy.10:55
ogra_no, it wouldnt10:55
Tenacious-TechhuAdditionally, it would still be insufficient for meeting the criteria of "secure by default".10:55
beunoTenacious-Techhu, so, if you want to ship a device that is further locked down, you can with Snappy10:55
ogra_it would mean the everyone who uses a device behind a firewall already would have to set it up10:55
beunowe aren't planning on shipping devices locked down that much10:56
Tenacious-TechhuYes, and that is my objection.10:56
Tenacious-TechhuDon't.10:56
beunoBughunter, sorry, I don't understand the problem. Why update with similar versions?10:56
beunoTenacious-Techhu, ok, noted10:56
ogra_but you are free to create your own gadget snap that pulls in ufw in your default install10:56
Tenacious-TechhuDevices should ship as secure by default, period. Otherwise, they're just going to be exploited under the watch of people who don't know any better.10:57
* ogra_ would say thats up to the device manufacturer10:57
BughunterNow, why does snappy update ubuntu-core at all with the same version. Seems version checking is bugged?10:57
beunoTenacious-Techhu, that's one way to look at it if you're not actually shipping devices to users, yes10:57
Tenacious-TechhuAnd as such, Snappy should start out that way, so that developers are starting from a state as correct as possible.10:57
beunoTenacious-Techhu, we disagree10:58
Bughunteri just performed this command: snappy update ubuntu-core.10:58
Tenacious-TechhuYes, I know.10:58
Tenacious-TechhuI encourage you to take the security of IoT devices more seriously.10:58
beunoBughunter, is this 15.04 or 16.04/rolling?10:58
ogra_*developers* should start as easy as possible .... *manufacturers* should start as safe as possible with pre-defined services10:58
beunoTenacious-Techhu, I think you're misguided. I understand why locking down the network makes it more secure, however, it also makes it useless to users10:59
beunoas a default10:59
ogra_you can go and buy a dell ip gateway with snappy preinstalled ... you will find that this is differently secured than our developer images10:59
BughunterI would expect snappy to update only when there is a later version of the ubuntu-core package. Instead it downloads and install the same packages. Thats odd.10:59
Tenacious-TechhuIt is up to the developers to unlock it, and up to third party software to request that network access be unlocked.10:59
Tenacious-TechhuIf network access is allowed to any third party software that doesn't specify a specific request, it's going to be a nightmare.11:00
BughunterThink I'll search the snappy-devel@lists.ubuntu.com list for answers. Cheers.11:00
Tenacious-TechhuYou'll get a bunch of trojans that call home and such.11:00
ogra_and what do they tell "home" ?11:00
ogra_an app cant really see anything outside of its own box11:01
Tenacious-TechhuWhatever that software was written to. :P11:01
ogra_apart from thinks like CPU architecture and some minor info+11:01
ogra_*things11:01
ogra_apps cant access the OS11:01
Tenacious-TechhuWell no, but the minute one of those pieces of software uses an exploit on an embedded system to gain more access, they can tell them who knows what.11:01
Tenacious-TechhuYou're leaving open an unnecessary security hole that will be a problem later when an exploit for that embedded system is discovered.11:02
ogra_apps cant exploit the system either ... they are checked what they du when uploaded to the store11:02
Tenacious-TechhuAnd it may go unpatched while the device sits wherever the naive users put it.11:02
ogra_*do11:02
Tenacious-TechhuWho says the thing was installed from the store?11:02
ogra_well, then you are on your own11:03
Tenacious-TechhuFrom what I could tell, what I read said anything that was installed had network privileges by default.11:03
ogra_you would have to scp and manually snappy install though11:03
Tenacious-TechhuInstalled from the store or not.11:03
ogra_via ssh11:03
ogra_for which you have the key11:03
Tenacious-TechhuThe point is, it's an unlocked door.11:03
ogra_so that an administrator mistake11:03
ogra_not snappys fault11:03
Tenacious-TechhuThe end user will NEVER be an administrator!11:04
Tenacious-TechhuThat's the point!11:04
ogra_its an unlocked door if you gave some evil guy your ssh key, yes11:04
Tenacious-TechhuLock ALL the doors, and make the devs decide which doors to open, and which not to open.11:04
ChipacaTenacious-Techhu, i don't understand11:04
ChipacaTenacious-Techhu, what's the point you're trying to make11:04
Chipaca?11:05
Tenacious-TechhuThat way, everyone knows whose responsibility it is when malware gets on the device.11:05
ogra_well, you know who has the ssh key ... so you know who leaked it11:05
Tenacious-TechhuThat's not what I'm saying.11:05
Chipacaogra_, if ssh is running the device was in developer mode :-)11:05
Tenacious-TechhuAllowing software network privileges by default is an unlocked door.11:05
ogra_(and to be honest, i wouldnt expect ssh to be enabled on enduser devices .... but again, thats up to the vendor)11:06
ogra_Tenacious-Techhu, to do exactly what ?11:06
Tenacious-TechhuA door that should have never been left unlocked to begin with.11:06
Tenacious-TechhuEvery door that's left unlocked is security that could have prevented disaster.11:06
ogra_Tenacious-Techhu, your app runs under confinement, it cant see anything outside of its own system space11:06
anpokTenacious-Techhu: I believe they are talking about network-client11:06
ogra_all it could do would be to exploit its own data11:06
Tenacious-TechhuYou guys need to stop assuming that the rest of the security is going to work.11:06
Tenacious-TechhuLock ALL the doors.11:07
anpokwhich is not unlocked network..11:07
Tenacious-TechhuAssume each one is the thing that is going to keep the bad guys out.11:07
Tenacious-TechhuYes.11:07
Tenacious-TechhuThe software should have to request network access, and the system should be able to deny it.11:07
ChipacaTenacious-Techhu, request to whom?11:07
ChipacaTenacious-Techhu, and which system?11:07
Tenacious-TechhuTo the system that is currently allowing that by default. :P11:08
ChipacaTenacious-Techhu, can you describe exactly how you think things work now, and how you think they should work?11:09
Tenacious-Techhuhttps://github.com/ubuntu-core/snappy/blob/master/docs/security.md11:09
Tenacious-TechhuIf unspecified, default confinement allows the snap to run as a network client.11:09
Tenacious-TechhuBad. Very bad.11:09
Tenacious-TechhuDefault should allow absolutely nothing at all.11:10
Chipacai'm five seconds away from assuming you're trolling11:10
beunoso, by default, the device isn't useful for anything?11:11
Tenacious-TechhuNot until the developers building software for that device specifically unlock it, yes.11:11
Chipacabeuno, either that, or they think we should manually review every app that requests network-client11:11
beunoright11:11
Tenacious-TechhuEverything should be locked until a developer unlocks it.11:11
Tenacious-TechhuAccountability should be squarely placed on the developer's shoulders.11:12
beunoTenacious-Techhu, I think your argument is technically sound, not particularly novel, but sound. It just isn't practical when you actually think about users11:12
Tenacious-TechhuThird party software that makes it onto the device however it may should be able to be soundly rejected, if required.11:12
Tenacious-TechhuWhen I think about users, I think about some teenage girl whose boyfriend slipped a webcam snooper onto her outdated router.11:13
Tenacious-TechhuUnless a piece of software has been whitelisted, or someone has entered an administrator password to allow that software, it should be denied.11:14
Tenacious-TechhuJust because it's found on the device, that doesn't mean it's legitimate software.11:14
Tenacious-TechhuAnd so it shouldn't be granted network access.11:14
beunosnappy devices won't be outdated, they auto-update11:15
Tenacious-TechhuDon't assume where they will be installed.11:15
beunoif you want to lock down the device further and know how to administrate a device, you can11:16
Tenacious-TechhuIf it is on some local network, and not on the internet, it won't update.11:16
Tenacious-TechhuBut it can still do damage there.11:16
Tenacious-TechhuThis is not about what I want to do.11:16
Tenacious-TechhuThis is about what any IoT OS should do by default.11:16
Tenacious-TechhuTo keep the users safe, the onus for unlocking access should be on the software developers.11:17
ChipacaTenacious-Techhu, by default, you won't be able to install software that doesn't have a chain of certs behind it11:17
Chipacaof assertions11:18
Tenacious-TechhuMaybe not, but once it's on the device, how it got there doesn't matter anymore, does it?11:18
Chipacaenabling that software to be on that particular device, and asserting it has been made by who it says it's been made, and etc11:18
ChipacaTenacious-Techhu, the snap won't work unless it has the assertions11:19
Tenacious-TechhuYou don't get to justify leaving one door unlocked just because the others are.11:19
Tenacious-TechhuYou have to lock all of them, because you don't know which one is going to keep the system safe.11:19
Chipacayou don't get to tell me what i have to do11:20
Chipacaespecially when i try to explain why what you think is a problem isn't, and when i've tried to explain that what you think is a solution isn't11:20
Chipacaand have ignored or dismissed those points11:21
Tenacious-TechhuOh? So if your neighbor left your front door open, you wouldn't want me to tell him to shut it?11:21
Tenacious-TechhuI am not dismissing your points out of hand.11:22
anpokTenacious-Techhu: no better analogon would be.. the keys for your house are all opening the door of your house without coming with an extra letter telling you that the keys of your house unlock your doors11:22
Tenacious-TechhuI am dismissing them because they are insufficient.11:22
ChipacaTenacious-Techhu, you're saying the neighbour should have to write "i can open the front door" before they can open the front door11:22
ChipacaTenacious-Techhu, that's all you're saying11:23
Tenacious-TechhuNo, you misunderstand, anpok.11:23
Chipacathat an app dev needs to explicitly write "i can use the network" before they can use the network11:23
Chipacaand that that will somehow stop malware11:23
Tenacious-TechhuIt is not what the app dev writes...11:23
Tenacious-TechhuIt is what the system decides when receiving that request that matters.11:24
Tenacious-TechhuRather than granting that access by default, it has the chance to reject it.11:24
ChipacaTenacious-Techhu, so three options: either always grant that request, always reject it, or always have somebody manually audit it11:24
Tenacious-TechhuAnd right now, you are auditing those requests, except by default.11:25
ChipacaTenacious-Techhu, which of those do you think is sane?11:25
Tenacious-TechhuI'm just saying audit that one too.11:25
ChipacaTenacious-Techhu, we are not auditing all requests, only those that we consider have real security implications11:25
Tenacious-TechhuYes, but internet access DOES have real security implications.11:26
ChipacaTenacious-Techhu, explain11:26
ChipacaTenacious-Techhu, give me an example, even if it's contrived, in which *just* being a network client has security implications for a sandboxed app11:27
Tenacious-TechhuSomeone could find an exploit on the poorly maintained, widely deployed IoT device, write a piece of trojan malware for it, get a bunch of naive idiots to install it, and then when the server it dials home to says "go", it explodes.11:28
Tenacious-TechhuWhereas, if it had to request internet access to begin with, it could be rejected, and thus, never could be installed in the first place.11:28
ChipacaTenacious-Techhu, how could it be rejected?11:30
Tenacious-TechhuThe request for internet access would be denied by the existing mechanisms that deny other things in non-default circumstances.11:31
Tenacious-TechhuMy recommendation is to assign network access, even as a client, to a specific request, and not a default one. That way, it can be denied, just as any other specific request can be.11:42
beunoTenacious-Techhu, as I said an hour ago, noted11:42
Tenacious-TechhuWell, fair enough then.11:43
Tenacious-TechhuGo to a Homeland Security conference some time.11:43
didrocksogra_: argh, no loadkeys in 15.04 Core image! Do you know off hand how to switch to my sweet french kbd layout? :)11:49
ogra_didrocks, i dont, actually :)11:51
ogra_even if loadkeys was there we wouldnt have the keymaps11:52
didrocksogra_: do you know who would have any idea on this? :p11:52
* ogra_ tends to always use ssh so i dont run into this ;)11:52
beunoogra_, where does uboot go in the 16.04 images?11:56
ogra_didrocks, i guess they should be part of some UI  snap in the end ...11:56
didrocksogra_: yeah11:56
ogra_beuno, on disk ? in what snap ? you have to be more precise ;)11:56
beunoogra_, heh, yeah, in what snap11:56
ogra_gadget11:56
ogra_(talking about all-snaps here ... system-image builds still use the 15.04 setup)11:57
beunoogra_, and that's the plan going forward, right?11:57
beunoyeah, all-snaps11:57
ogra_right11:57
beunothanks ogra_11:57
noizerogra_ Hello, I'm trying to use UWSGI in a snap but i got following error: error removing unix socket, unlink(): Read-only file system [core/socket.c line 198]12:04
noizerbut this is some permission issue. If you have any idea how I can solve that12:05
Chipacanoizer, what's in the audit logs?12:05
noizerwhere can i find the audit logs Chipaca?12:06
Chipacanoizer, sudo journalctl | grep audit12:06
ogra_yeah, looks like the socket is created in some dir outside of your box12:06
Chipacanoizer, there's probably a better way, but that one works :-)12:06
* ogra_ prefers syslog :)12:06
noizeroooh ok ogra_ first i will try to change the path of my sock maybe that will help12:07
noizerChipaca then i will share my log12:08
ogra_noizer, use $TMPDIR ;)12:08
noizerin the ini of the socket?12:08
noizer(ini of uwsgi)12:08
ogra_if that respects the environment vars, yes12:09
Chipacaotherwise /tmp/something should work12:09
ogra_yeah12:09
Chipaca/tmp/foo.sock12:09
Chipacanoizer, it's a private tmp, fwiw12:09
ogra_what a luck Tenacious-Techhu is gone now12:10
* ogra_ bets that would be the next discussion ;)12:10
noizerhahah xD12:10
noizerChipaca and ogra_ thx this error is fix. I think so xD. now the next error12:31
zygajdstrand: hey13:17
zygajdstrand: around?13:17
noizerChipaca ogra_ do you know something about this error? lock engine: pthread robust mutexes13:17
noizeroooh sorry thats the issue Bad system call13:19
ogra_might be seccoomp related13:19
noizersecoomp??13:19
ogra_right, check with ubuntu debug13:19
ogra_*seccomp13:20
ogra_err13:20
ogra_snappy-debug, sorry13:20
zygarobust mutex are used internally to implement parts of the stdlib13:20
zygathey should be allowed by seccomp13:20
zyga(perhaps they are not)13:20
ogra_right13:20
ogra_thats why i asked to check it :)13:20
zygahey ogra_ :)13:20
ogra_yo13:20
zygabusy week ahead13:21
ogra_two of them :)13:21
zygathat's quite true13:21
noizerogra_ what do you mean with ubuntu debug13:21
ogra_snappy-debug was what i meant13:21
ogra_it ships a tool to check the logs for seccomp denials13:22
noizerok and how can i test that because im not familiar with it13:22
ogra_(i forgot the new name, it used to be called sc-logresolve in 15.04)13:22
noizerogra_ I'm using 16 (xenial)13:22
ogra_install the snappy-debug snap and run sc-logresolve ... IIRC it tells you the new name13:22
ogra_then run whatever it tells you13:23
noizerok i will check it out13:23
noizersnappy-debug failed to install: can not open /tmp/snappy-debug230025468: cannot open snap: unknown header: "!<arch>\ndebian-binar"13:24
noizertried to install it dammed13:24
noizeris that a bug?13:24
ogra_jdstrand, ^^^ hasnt that been updated to the 16.04 format yet ?13:25
ogra_noizer, try snappy install snappy-debug/edge13:25
ogra_if that gets you the same error it hasnt been updated yet (and thats a bug, yes)13:25
noizerhmmm same error13:26
ogra_yeah, thats a bug then13:26
noizerogra_ should I file it or??13:26
ogra_yeah, i'm unsure against what exactly though ... file it against the snappy project itself for now13:27
noizerthis project ? https://bugs.launchpad.net/ubuntu/+source/snappy13:28
ogra_nop, see the channel topic13:28
ogra_("/ubuntu/+source/snappy" would be the snappy package in ubuntu ... not the project)13:29
noizerok sorry xD my mistake13:30
noizernow I will file it now. But how can we debug it then?13:30
ogra_i guess you have to ask tyhicks or jdstrand ... i dont know how you can get seccomp messages without the tool13:31
ogra_(or even if you can)13:31
noizerogra_ ok i will ask them13:32
noizertyhicks and jdstrand Hi i wanted to use UWSGI in xenial but i had some errors. ogra_ said to me its something with the seccomp can we debug it without snappy-debug? (I'm using xenial for my development)13:34
kyrofaGood morning13:36
noizerogra_ they online? or can kyrofa help me?13:36
noizerGood morning13:36
ogra_noizer, perhaps not yet (US timezone ?)13:37
ogra_sergiusens, what are you doing here ? isnt is a holiday in arg. ?13:37
noizerok13:37
kyrofaHey seb128 the scope is out-of-date (using the webdm API instead of the snappy API) and not being used since Personal isn't being used. And as you see on the bug, it sounds like the golang updates have broken it. I think it will probably be updated eventually, but it doesn't make sense to put in the effort right now for something no one is using :)13:39
sergiusensogra_, auto connect; good bye ;-)13:39
ogra_enjoy !13:39
ogra_:)13:39
sergiusensogra_, it's almost 11 and I just got up; I started the day perfectly :-)13:40
* sergiusens waves13:40
ogra_:D13:40
seb128kyrofa, I expect some people are going to want pocketpc or unity8 desktops to be able to install snaps, even if there is no personal image13:40
kyrofaogra_, I believe seccomp denials go into syslog as well13:40
seb128willcooke, ^ do you know?13:41
ogra_kyrofa, oh, right13:41
kyrofaseb128, good question13:41
kyrofaogra_, snappy-debug just parses syslog13:41
ogra_yeah13:42
noizerogra_ are there some other things that i can test?13:43
willcookeseb128, kyrofa - yes, I would expect that people would want to install snaps in a U8 session on a desktop.  But, it's probably not a priority.  Let me see what I can find out.13:43
ogra_noizer, as kyrofa said, check syslog for seccomp lines13:43
noizerow sorry13:44
noizerhow can i do that ogra_ sorry not familiar with some logging of linux13:45
ogra_its a text file :)13:45
ogra_/var7log/syslog13:45
ogra_bah13:45
noizerooh dammed13:45
ogra_/var/log/syslog13:45
noizer:D13:45
noizerty13:45
ogra_run tail -f /var/log/syslog ... in one terminal ... in another terminal start your app/service/whatever ... and see what it logs ... watch for seccomp lines then13:46
ogra_(or just search for former seccomp lines without monitoring live ... as you like)13:46
noizerogra_ that is what i got when im started my application13:50
noizerhttp://pastebin.ubuntu.com/14993207/13:50
kyrofawillcooke, yeah, please let me know. I can talk to alecu again, see if we should give it a higher priority if that's true13:50
ogra_noizer, syscall=282 is blocked then13:50
ogra_noizer, now run: scmp_sys_resolver 28213:51
ogra_that tells you which function it is13:51
noizerits the bind method13:53
noizernow the bind method is that from the ubuntu snappy? or from my uwsgi?13:55
kyrofanoizer, binding to a port, probably. You're using Snappy 16.04 right? What capabilities are you providing to your service/binary?13:56
noizerkyrofa yea i'm using Snappy 16.04. what do you mean by the capabilities of my binary?13:59
kyrofanoizer, pastebin your YAML real quick13:59
noizerok13:59
noizerbut now its not a service I start it from command line (bash file)14:00
kyrofanoizer, alright14:00
noizerHe isnt at the moment a network service if you mean that14:00
noizerI will add something to it14:00
noizerkyrofa does you need then my Yaml file?14:01
noizerkyrofa how can i see if uwsgi is running then? In normal ubuntu then you can see it with ps -A but in snappy i don't know that14:03
kyrofanoizer, yeah let me take a look. But yeah, you need to give it permission to bind to a port14:03
kyrofanoizer, yeah you can still use ps14:03
noizerOk awesome14:03
noizerMy snap is now building with the network-service. but now an other question seccomp what does it do with snappy?14:04
kyrofanoizer, ahh, so much14:05
kyrofanoizer, snappy has an excellent confinement story, utilizing a number of technologies to get there14:05
noizerkyrofa can i find some information of the complete build of snappy14:06
kyrofanoizer, it uses apparmor to make sure the .snap can only play in its own space on the filesystem, seccomp filters to make sure it can only call a whitelist of syscalls, as well as cgroups14:06
kyrofanoizer, so that one little network-service capability you added results in a different profile being used for apparmor and seccomp14:07
kyrofanoizer, what do you mean by "complete build?"14:10
noizeroooh ok dem so a nice system Snappy14:10
noizerHow snappy is builded14:10
noizerSo i know more about the underlying things14:10
kyrofanoizer, ah, that's outside of my purview. But here's an overview of the security side of things: https://wiki.ubuntu.com/SecurityTeam/Specifications/SnappyConfinement14:11
noizerkyrofa ok I will read this. Looks very interesting :D14:14
noizerkyrofa I tried now with ps -A but dont see anything running14:21
kyrofanoizer, probably died then. If it gets a seccomp denial it's always fatal14:22
noizerwill it be in the syslog?14:22
* kyrofa has a flashback to having to modify the mysql code so it wouldn't die14:22
noizerDoes i need do some command to start the services?14:23
kyrofanoizer, not sure what you mean14:23
noizerno uwsgi can run now :D awesome14:25
kyrofanoizer, so it works?14:25
noizernormally yes thanks for you help :D awesome support here :D14:26
=== nyx_ is now known as kjar
kyrofanoizer, very good!14:28
ogra_yay14:28
noizerhahah ogra_14:28
noizernow i need to wait until Skills will be released :D14:29
noizerwhat is the expected release date of the skills?14:37
beunonoizer, I think we have a few more weeks until we reach a testing phase14:37
kyrofanoizer, the only target I know of is "for 16.04" :P14:39
noizerkyrofa lol ok :D14:40
dholbachkyrofa, did you ever see anything like this? http://paste.ubuntu.com/14993445/14:40
kyrofadholbach, uhh14:40
kyrofadholbach, nope. Gross :P14:41
dholbachI'll file a bug :)14:41
kyrofadholbach, does it work on a second try? i.e. store hated you for a sec?14:41
kyrofadholbach, obviously we should handle those errors better14:41
=== zbenjamin_ is now known as zbenjamin
dholbachkyrofa, this time it didn't explode :)14:43
dholbachso maybe intermittent14:43
kyrofadholbach, honestly that's an all-around snapcraft bug (the stack trace)14:43
kyrofadholbach, something I've been very much wanting to make cleaner14:44
dholbach<314:44
=== nyx_ is now known as kjar
kyrofaogra_, can 15.04 run decently on the dragonboard then?14:47
ogra_kyrofa, it might, i dont think anyone works on this beyond some basic demo stuff (i surely am not aware of plans to make official 15.04 images)14:47
kyrofaogra_, alright, does regular-old Ubuntu work?14:49
ogra_it might ... you have to set up the SD in a special way though14:49
ogra_i have scripts for that at http://bazaar.launchpad.net/~ogra/+junk/dragonboard/view/head:/README14:50
elopiofgimenez: tests still fail with http proxy. Could you please check if I'm doing something wrong here: https://github.com/ubuntu-core/snappy/pull/429/files14:50
kyrofaogra_, I'll take a look, maybe I can get the owncloud snap built for arm6414:51
ogra_yay, that would be cool (though it is WLAN only, might have some bottlenecks)14:51
fgimenezelopio, sure, on it14:52
fgimenezelopio, jenkins feels young and strong again! :D14:59
elopiofgimenez: yes! I changed the ip. I'm making a change in this branch to see it run.15:00
fgimenezelopio, last time i tried the http://squid.internal:3128 was only accessible from scalingstack instances15:07
fgimenezelopio, in order to test in jenkins we need to add -httpProxy to snappy-tests-job too15:07
elopiofgimenez: on that last execution, I did the deps manually, got an image, and called main.15:09
zygajdstrand: hi15:26
zygajdstrand: could you have a look at https://github.com/ubuntu-core/snappy/pull/46215:26
zygajdstrand: (hopefully last iteration of this type)15:26
zygatyhicks: ^^15:26
jkridnerhi ogra_!15:40
* jkridner looks for rcn-ee15:40
ogra_hey jkridner !15:40
kyrofaelopio, wait... encrypted variables in travis don't work from forks?15:41
elopiokyrofa: yes, just the main repo.15:47
kyrofaelopio, why? I glanced through that bug but didn't really see one. Maybe the worry is that the third-party can add code to phone the variable's value home to them?15:48
elopiokyrofa: or just echo it and get it from the logs.15:50
kyrofaelopio, that might be easier, yeah15:50
kyrofaelopio, huh. Guess I never thought about it before15:50
kyrofaelopio, how on earth does coveralls work?15:51
ysionneauHi, is it possible to install the snappy-tools on Debian?15:51
jkridnerogra_: can you give rcn-ee and I some pointers on how to easily build a snappy image? The above question about doing it on Debian is also useful.15:55
jkridnerogra_: sorry to ask such a google-able FAQ....15:55
jkridnerogra_: but want to make sure we short-circuit it as much as possible.15:56
noizerkyrofa I have another question for you15:56
noizeris it possible to launch another snap from my own snap?15:57
ogra_jkridner, our core tool (for the final assemblement) is called ubuntu-device-flash ... it is written in go with no deps ... that part should definitely run under debian15:57
ogra_not sure about other bits though15:57
jkridnerogra_: cool.15:57
kyrofanoizer, no, snaps can only touch their own stuff, not interfere with each other15:57
jkridnerogra_: /me can't /invite rcn-ee15:57
kyrofanoizer, unless you unconfined it, but I doubt such a thing would be accepted in the store15:58
* jkridner notes no channel operators here!15:58
* jkridner goes afk15:58
noizerhmm15:59
noizerkyrofa but we asked ubuntu if that was possible or will be possible and then they said yes. Because we are making something where people can make their own applications and these application needed to be snaps.16:01
noizeror can you start an app from the webdm?16:01
kyrofanoizer, I'm not saying it'll never be possible-- anything is possible with the right skill. There's just no skill that encompasses that functionality that I know of16:02
kyrofanoizer, no, just install/uninstall them16:02
noizerhmmm16:02
kyrofanoizer, and you don't want them to be services that just run upon install?16:02
elopiokyrofa: it doesn't sound hard to allow secure env vars per user, instead of per repo. But the travis team is small, they just close most of the bugs as won't fix :(16:02
kyrofaelopio, sad16:03
elopiokyrofa: and I have no clue about how coveralls work. I started wondering because fgimenez added a coveralls report without token.16:03
noizermaybe but can you hook into an snapp as a developer I dont think so :s16:03
kyrofanoizer, I'm not sure what you mean16:03
elopiothey should have something special between coveralls and travis. As the reports are per branch, it sounds safer than normal tokens.16:03
noizerDo you mean that the people needed to make services so they can run on it?16:04
noizerkyrofa16:04
kyrofanoizer, I'm sorry, I still don't understand. So you have service snap A, upon which client snaps B and C depend. Are you saying that snap A needs to be able to start and stop the programs contained within snaps B and C? Or can the programs contained within B and C simply be running at all times?16:07
zygajdstrand: around?16:07
fgimenezelopio, about the different images reported by the vivid and xenial slaves http://paste.ubuntu.com/14993929/16:07
elopiofgimenez: that's crazy. A bug?16:08
elopioa bug in grep maybe :D16:09
fgimenezelopio, no idea, anyway vivid's version of the client is very old, maybe it's a known issue... "image show" works even with images that don't appear in the list :D16:13
elopiofgimenez: how do you set up two labels for a slave in this docker run statement?16:15
fgimenezelopio, white-spaced separated according to https://wiki.jenkins-ci.org/display/JENKINS/Swarm+Plugin#SwarmPlugin-AvailableOptions16:17
jdstrandzyga: hey, yes16:25
jdstrandzyga: I got your request to look at the pull request. I haven't gotten to it just yet16:26
zygajdstrand: thanks16:32
elopiofgimenez: common.sh is getting really ugly when I add the snapcraft container. Is there a way to install the dependencies on each test run?16:35
elopiooh, he's gone.16:36
elopiofgimenez: common.sh is getting really ugly when I add the snapcraft container. Is there a way to install the dependencies on each test run?16:38
fgimenezelopio, right now the slave user isn't a sudoer, we can change that. anyway, why not adding the dependencies to the container itself?16:41
elopiofgimenez: I did that. The problem is with the naming. Now we have slave-xenial and slave-xenial-snapcraft. So all the get_name and get_dir functions are getting an extra optional argument.16:42
elopiodoesn't look nice.16:42
kyrofanoizer, you're asking questions that may interest others. If you ask them via PM no one else can benefit from them16:42
fgimenezelopio, all that functions are going away with docker-compose, no worries16:43
elopiofgimenez: right, I supposed you were going to say that.16:44
elopio:)16:44
fgimenezfgimenez, yep :)16:44
elopioso I'll dump this branch and wait for you.16:44
elopiopedronis: you merged your last PR with integration errors. Did you check if you could have caused them?16:51
pedroniselopio: they are quite flaky this dies, it was again a vm creation problem16:53
elopiopedronis: I see: sudo snap assert integration-tests/data/dev1.acckey16:54
elopioerror: open : no such file or directory16:54
pedronis?16:54
pedroniswhere what16:54
elopiowhich doesn't make a lot of sense.16:54
elopiopedronis: http://162.213.35.179:8080/job/github-snappy-integration-tests-cloud/725/consoleFull16:55
pedroniselopio: they passed here:  http://162.213.35.179:8080/job/github-snappy-integration-tests-cloud/723/16:58
pedronisI don't think I changed anything significant since16:59
elopiopedronis: that one failed to create the vm.16:59
elopiowrong link?17:00
pedroniselopio: is marked as passed in github17:00
pedronisfascinating17:00
elopiocrazy thing.17:01
elopioit should say no results found.17:01
elopiopedronis: we have a brand new jenkins today. Now that the deploy and the slaves are more stable, we can dig on those weird things.17:01
elopioand add retries for when scalingstack is grumpy.17:01
pedroniselopio: seems there all bunch of green in github that was actually vm not started17:06
pedronisso not sure when they started failing, I see other failures in that run that are not assert related17:06
elopiopedronis: please give me a link.17:07
elopiopedronis: I'll be monitoring today.17:07
pedroniselopio: the runs at the top here: https://github.com/ubuntu-core/snappy/pull/46017:07
pedronismarked as green17:07
pedronisif you click you see they didn't run17:07
fgimenezelopio, pedronis this is probably due to the lack of sync before setting up the new server, this is the successful run that pedronis was talking about http://10.55.32.74:8080/job/github-snappy-integration-tests-cloud/723/17:08
elopiopedronis: hum, that doesn't make sense. Maybe when we redeployed we messed with the history.17:08
pedronisah17:08
elopioit prints 60 successful tests. There's no way to get that message from a failed job.17:08
fgimenezelopio, pedronis and the list of greens http://10.55.32.74:8080/job/github-snappy-integration-tests-cloud/17:09
pedronisok, but if that one passed, no clue what make them fails17:09
pedronisafter17:09
elopioso now the numbers are different.17:09
pedronisbecause nothing substantial change17:09
pedronisd17:09
pedronisit's all formatting and comments17:10
elopioweird. fgimenez: do you have any idea about that failure to find the file in integration-tests/data?17:10
fgimenezpedronis, something must be different in the new server, probably not related to the code17:10
fgimenezelopio, nope, taking a look now17:10
pedronisalso that message is not super clear, not sure is not finding the file or one of the commands17:11
pedronisor what17:11
elopiopedronis: fgimenez: I also see this: https://paste.ubuntu.com/14994568/17:33
elopiodoesn't seem normal.17:33
fgimenezelopio, this was happening before the server change17:33
pedroniselopio: that's the code John added, is retrying so that's expected I think17:33
pedronisa bit ugly but expected17:33
fgimenezelopio, http://10.55.32.74:8080/job/github-snappy-integration-tests-cloud/723/consoleFull17:33
elopioI'm going to get a testbed kvm.17:34
elopioah, we can make that prettier making more prints in the wait package.17:34
* pedronis needs to go have dinner, will check logs later17:36
fgimenezelopio, pedronis i think that the errors might be related to the recent changes in the testutils/cli package, the server seems to be fine17:36
fgimenezelopio, if you can execute it locally it would be great to confirm, i'm leaving too17:36
elopiofgimenez: pedronis: enjoy. I'll be debugging here, come back tomorrow for the results :)17:37
fgimenezelopio, thx :) i'll keep an eye on telegram o/17:38
pedroniselopio: if I try to run the tests here I crash already in testutil/common.go   GetCurrentVersion18:52
pedronissomething is off with those cli changes, I also don't understand that branch didn't seem to have run the integration tests18:52
pedronisah, no it did18:53
elopiopedronis: I'm bisecting...18:53
* ogra_ wonders why nobody has created a unifi manager snap yet 18:55
ogra_(i know many canonicalers are using unifi APs)18:55
elopiopedronis: nop, I went back to a revision that I know passed all the tests and it still fails. Something else changed, not our repo.18:58
pedronisat least I crash on snappy list not having content19:02
elopioit has to do with the flags, because assertOptions.AssertionFile doesn't get the name from the command line.19:08
elopiozyga: pedronis: ^19:14
elopiozyga: you have been touching the cmds, right? Any idea what could be going on here?19:14
zygaelopio: looking19:17
zygaelopio: I haven't seen GetCurrentVersion, that's not related to my changes19:17
zygaelopio: I was making CLI more testable (ironically!)19:17
pedronisthat is still something else19:17
elopioI don't get any error with GetCurrentVersion. Nor scalingstack.19:18
pedroniselopio: the snap I get compiled here seems to work (it gets the first arg)19:18
pedronisbut my test runs crash before that :/19:18
elopiopedronis: the one I got here doesn't even show the file help in -h19:23
pedronissnap [OPTIONS] assert assertion-file19:25
elopiopedronis: https://paste.ubuntu.com/14995878/19:25
pedronisweird19:25
elopiothis is a pristine all snaps just generated with mvo's udf19:25
elopioasserts -h shows the options.19:26
pedronisbuilding it on trunk looks right19:27
pedronisdoes the archive have a go-flags that is older than the dep19:27
elopioahh, no, this is a whole mess. https://paste.ubuntu.com/14995920/19:27
elopioasserts shows options that are not for the asserts command :)19:28
pedronisit's ignoring arg 119:28
pedronisbut yes it seems the snap and snappy in the image are broken19:28
elopioI'm using goflags 0.0~git20150817-0ubuntu119:29
elopiolatest xenial.19:29
elopiopedronis: which one do you have?19:29
pedronisI'm building from the checkouts19:29
pedronisbut yes the snappy snap in ubuntu-core.snap are broken I suppose19:29
pedroniselopio: I double checked the image my tests are trying to use has a broken snappy list19:38
elopiopedronis: I can run snappy list here.19:39
pedronisso weird19:39
elopioyes indeed.19:39
pedroniselopio: this is what I get http://pastebin.ubuntu.com/14996079/19:40
pedronisthis built with u-d-f by running integration tests19:40
elopiopedronis: ah, if you didn't patch your udf with mvo's version, that's not going to work.19:40
pedroniselopio: have mvo versions19:41
pedronisI have been happily running integration tests all last week19:41
elopiooh, I think I know what's the deal.19:41
elopiogive me a second...19:42
elopiopedronis: this made my tests pass.19:44
elopiohttps://paste.ubuntu.com/14996133/19:44
elopionow you have an image that's clearly more broken than mine.19:44
elopioI flashed like this: https://paste.ubuntu.com/14996153/19:45
pedronisdid xenial go-flags change recently?19:46
pedronisstill not understanding what changed since last week19:47
pedroniselopio: was the old testing box also xenial?19:49
elopiopedronis: no, it's the same that we have in the deps since a long time ago.19:49
elopiomaybe something in go changed.19:49
elopiopedronis: yes, also xenial, but we deployed a new one today. That one had old packages, probably.19:49
elopiothis is an important thing that we are not doing. apt-get update && upgrade often on the slaves.19:49
elopiopedronis: can I propose this as a quick fix to get back to green, and let you investigate the reason tomorrow?19:50
elopiohttps://bugs.launchpad.net/snappy/+bug/154326619:57
ubottuLaunchpad bug 1543266 in Snappy "snap assert failing with error: open : no such file or directory" [Critical,Confirmed]19:57
pedroniselopio: yes19:57
pedronisand yes it seems related to go version19:58
elopiopedronis: ok. So this can wait until tomorrow, you don't need to stay so late.19:58
elopiothanks a lot for your debugging.19:58
pedronisso it's probably go-flags that is unprepared/has go 1.6 bugs20:07
pedronisI don't care either way about that code though20:08
pedroniselopio: solved the snappy list, seems I had mvo u-d-f but not the latest20:09
elopiopedronis: phew. One less thing to investigate :D20:09
elopiooh, the asserts tests should be failing too.20:10
elopiolet me upper-case that.20:11
pedronisfound the problematic code in go-flags, in case we want to give them a PR20:12
elopiopedronis: that would be awesome. I want to peek, where is it?20:12
pedroniselopio: it's related to this20:14
pedronishttp://tip.golang.org/doc/go1.6#reflect20:14
pedronisgroup_private.go:72:if field.PkgPath != ""   in go-flags20:14
elopiointeresting. Not a single boring day in the snappy world.20:14
pedronisshould be change like they change encoding/json in go itself, it seems20:15
elopiokyrofa: is there a way to see the squashed commits after the PR was merged?20:17
kyrofaelopio, not without playing some fun games... that's kinda the point. Why, what happened?20:18
elopiokyrofa: nothing. I want to convince snappy to squash commits.20:18
kyrofaelopio, yeah not really20:19
elopioif there is a way to see all the commits, there's no convincing to do. I'll just tell them to use that.20:19
kyrofaelopio, yeah, you'd have to use the reflog20:21
kyrofaelopio, which is usually more of a "I made a mistake, give me back my stuff" type of thing in my experience20:21
elopiook, it doesn't matter. I have a good argument.20:22
elopiothe discussion history is not lost.20:22
kyrofaelopio, haha, you're brave20:25
elopiobisecting this crazy issue just made it clear that not even with a nice commit message the snappy changelog makes sense.20:27
elopiowe need branches, and we need squashes. QA has spoken! :D20:27
kyrofaelopio, heh, yeah bisecting is key20:29
wigglewormis there a graphical interface for wifi setup in snappy21:51
wigglewormi worry i am staring right at it :)21:51
camakoWhen I change the cmake file 'snapcraft snap' doesn't seem to detect the changes and regenerate cmake config accordingly. Is there a way to do that?22:05
camakoI couldn't find a '--force' option either22:06
