/srv/irclogs.ubuntu.com/2016/03/08/#snappy.txt

=== asac` is now known as asac
=== morphis__ is now known as morphis
zyga-phonegood morning07:31
didrockshey zyga-phone07:39
zyga-phonehey :)07:39
dholbachgood morning07:54
zyga-phonehttps://github.com/ubuntu-core/snappy/pull/598/files08:00
didrocksgood morning dholbach08:01
zyga-phonehey dholbach :)08:02
sergiusensogra_, you around?08:14
dholbachsalut didrocks, hey zyga-phone08:16
zyga-phone:)08:17
zyga-phonehttps://github.com/ubuntu-core/snappy/pull/600 (more confusing names fixed)08:22
noizergood morning08:27
=== LarreaMikel1 is now known as LarreaMikel
zyga-phonehttps://github.com/ubuntu-core/snappy/pull/60108:32
noizeris it possible to update snapcraft? zyga-phone08:41
sergiusensmvo, on kernel snap install, are you doing something similar to snap.kernel.split('-')[1] ?08:52
mvosergiusens: I don't think so, I think grub even only looks for vmlinuz and nothing else (and initrd.img) so best to have symlink to those09:02
mvosergiusens: gustavo was also keen to move this to a convention based install instead of having keys in snap.yaml for the kernel/initrd09:02
zyga-phonenoizer: yes, you can always use the bleeding edge version from source09:06
noizerzyga-phone https://github.com/ubuntu-core/snapcraft09:06
sergiusensmvo, I'm doing hard links; the layout of partition 8 is really weird09:07
noizerzyga-phone thats this one?09:07
noizerzyga-phone but what branch then?09:07
sergiusensmvo, also, I'm not doing the crazy vmlinuz rename when building for arm64 since it is an uncompressed 'Image' target09:07
sergiusensthe debbuild for some crazy legacy reason does a blind rename to vmlinuz09:07
zyga-phonenoizer: master, if you don't feel confident in using it then please just wait09:08
zyga-phonewe're all working on the release09:08
zyga-phoneso you will have fresh debs and images soon09:08
noizerzyga-phone I will just try it if it don't work for me I will wait for the deb packages09:09
mvosergiusens: for amd64/i386 right now we hardcode vmlinuz unfortunately but that is probably a bug. uboot should actually be flexible09:09
sergiusensmvo, http://paste.ubuntu.com/15326741/09:16
sergiusensmvo, http://paste.ubuntu.com/15326751/09:20
sergiusensmvo, so I'm not sure what is going on09:20
sergiusensmvo, reason I ask if there is some sort of "cut" in the code09:20
mvosergiusens: this looks good, except of course that it does not work09:21
mvoBad Linux ARM64 Image magic!09:21
sergiusensmvo, well if you look in the `find mnt` there's a plain 'Image' file09:21
sergiusensmvo, that plainly does not exist in anything I provide09:22
sergiusensI provide Image-something09:22
mvosergiusens: indeed, I think there is a split on "-" in the code somewhere09:23
mvosergiusens: that explains where it comes from09:24
sergiusensmvo, yeah, we should not do that :-) I'm trying to do `kernel: vmlinuz` now09:24
sergiusensmvo, although these arm kernels are not gz'ed09:24
mvosergiusens: yeah, we need to fix this09:28
sergiusensmvo, also I noticed the dtbs are missing09:28
mvooh?09:28
sergiusensmvo, in the released kernel snap on the store as well09:28
mvosergiusens: did you list them in snap.yaml?09:29
sergiusensmvo, so the <packagename>.snap/dtbs is there, but in the root there's a 'dtbs' dir that is empty09:29
sergiusensmvo, yeah, check the pastebin :-)09:29
sergiusensmvo, doh09:29
sergiusensmvo, no I didn't09:29
mvosergiusens: I did check the pastebin first ;)09:29
mvosergiusens: this is why I asked09:30
sergiusensmvo, I need to fix this in my snapcraft as I'm manually adding (I don't want users to do this as it might just go away)09:30
mvosergiusens: it will probably go away09:31
sergiusensmvo, I hope so :-)09:32
sergiusensppisati, hey, building the kernel for dragon board gets me 2.6GB of kernel modules; how is the one in the snap so small?09:32
ppisatisergiusens: we normally build with debug symbols built-in09:33
ppisatisergiusens: and then strip kernel and modules when creating the .deb09:33
ppisatisergiusens: this way from the same build we get the debug .deb and the normal .deb09:33
ppisatisergiusens: so either you build that way and later strip09:33
ppisatisergiusens: or simply turn off DEBUG_INFO09:34
ppisatisergiusens: and thus don't build the debug symbols09:34
sergiusensppisati, ah so it is a config?09:34
* sergiusens looks09:34
sergiusensppisati, this does make sense09:34
ppisatisergiusens: CONFIG_DEBUG_INFO=y09:35
sergiusensppisati, yeah I see, thanks09:35
ppisatisergiusens: turn that off and your kernel / .ko will go on diet09:35
sergiusensppisati, being on a diet is harsh though, now I don't want to do it :-)09:35
sergiusensI'll leave it on as I'm enabling09:36
ppisatisergiusens: +109:36
sergiusensbut thanks for the tip :-)09:36
ppisatisergiusens: any time09:36
sergiusensmvo, it boots!09:51
mvosergiusens: OMG!09:51
sergiusenssadly it seems the resize code is active09:51
sergiusensmvo, http://paste.ubuntu.com/15326840/09:52
sergiusensI need the ogra_ :-)09:52
sergiusensI'll see if I have a smaller sdcard here09:52
mvosergiusens: very impressive09:54
zyga-phonehttps://github.com/ubuntu-core/snappy/pull/60209:59
ogra_sergiusens, did you pick the right dtb ? we need a patched one (in paolos deb it has a -snappy.dtb suffix09:59
ogra_sergiusens, the resize code is moot, parted fails10:01
ogra_mvo, sergiusens thats bug 1553110 ... the resize tools are missing all libs10:02
ubottubug 1553110 in fakechroot (Ubuntu) "weird output of ldd on arm64" [Undecided,New] https://launchpad.net/bugs/155311010:02
ogra_so what it prints is a lie currently ...10:02
ogra_your last paste shows you are missing the modules though10:02
ogra_(no squashfs)10:02
sergiusensogra_, oh, is squashfs a module in the default kernel build?10:02
ogra_yeah10:03
sergiusensdarn!10:03
sergiusenswell at least I can go back to my fast sdcard :-)10:03
ogra_if the resize code would kick in you would only notice it at next boot10:03
ogra_(it wipes the bootloader partition types)10:03
ogra_the current boot would just go on10:03
zyga-phonehttps://github.com/ubuntu-core/snappy/pull/60310:27
sergiusensogra_, what about now http://paste.ubuntu.com/15326926/ ?10:28
ogra_sergiusens, still missing squashfs10:29
sergiusensogra_, but it says it loaded right there10:29
ogra_?10:29
ogra_where10:29
sergiusensogra_, sorry, should have copied more above http://paste.ubuntu.com/15326932/10:31
ogra_mvo, how about we grep through /proc/filesystems and exit with a proper error message when we can't find squashfs support in the initrd10:31
sergiusensogra_, line 19 there10:31
ogra_"unsupported RELA relocation: 275"10:31
mvoogra_: who would say NO to this suggestion  :-D ? +110:32
ogra_no idea what that means, but sounds like you are missing features10:32
sergiusensogra_, seems more like a bug https://bugs.launchpad.net/ubuntu/+source/linux/+bug/153300910:32
ubottuLaunchpad bug 1533009 in gcc-5 (Ubuntu Wily) "arm64: "unsupported RELA relocation"" [Undecided,New]10:32
ogra_sergiusens, ah, yeah10:33
ogra_in any case it seems to prevent the module from loading10:33
ogra_sergiusens, if you build the kernel yourself anyway, just compile it in ;)10:35
sergiusensogra_, hah, but I want the module xp10:35
sergiusensI can try going to gcc 4.810:36
sergiusensppisati, do you know about "unsupported RELA relocation: 275" ?10:47
sergiusensI'm using gcc-aarch64-linux-gnu10:47
sergiusensricmm, http://paste.ubuntu.com/15327015/10:56
ppisatisergiusens: you mean the qemu warning? in case yes, i saw it, but that didn't stop from building working images using qemu11:02
sergiusensppisati, no, I'm doing cross compilation (ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu-)11:03
ppisatisergiusens: are you using a recent xenial chroot?11:03
sergiusensppisati, and during boot I get http://paste.ubuntu.com/15326932/11:03
sergiusens[   13.207166] module squashfs: unsupported RELA relocation: 27511:04
sergiusensppisati, no chroots, just my regular xenial system11:04
ppisatisergiusens: i thought we fixed that11:04
ppisatisergiusens: it was a regression in the xenial toolchain11:04
ppisatisergiusens: but now is fixed11:04
sergiusensppisati, heh, not for me; fixed in gcc?11:05
ppisatisergiusens: fixed in our toolchain11:05
ppisatisergiusens: not sure about upstream11:05
sergiusensppisati, I have http://paste.ubuntu.com/15326932/11:05
sergiusensppisati, I also see  KBUILD_CFLAGS_MODULE += -mcmodel=large -mpc-relative-literal-loads in the arm64 Makefile11:06
ppisatisergiusens: we are carrying a patch too for that11:07
sergiusensppisati, err, I have 1:5.3.1-8ubuntu2cross211:07
ppisatisergiusens: hold on11:07
ppisatisergiusens: if you see KBUILD_CFLAGS_MODULE += -mcmodel=large -mpc-relative-literal-loads then you have the two patches11:09
ppisatisergiusens: is that my tree?11:11
ppisatisergiusens: if you cross compile my tree, do you get that too?11:11
sergiusensppisati, no, it's the 96boards one11:11
ppisatisergiusens: try my tree11:11
ppisatisergiusens: if it works, then they are missing some patch11:11
ppisatisergiusens: if you keep getting that, then it's your toolchain11:12
sergiusensppisati, in arch/arm64/Makefile I miss that line completely, not sure what I saw before11:12
ppisatisergiusens: you need11:14
ppisatisergiusens: b6dd8e0719c0d2d01429639a11b7bc2677de240c11:14
ppisatisergiusens: and11:14
ppisatisergiusens: 6113222fa5386433645c7707b4239a9eba444523\11:14
ppisatiwithout the trailing \11:14
sergiusensthanks, I will try11:14
zyga-phonehttps://github.com/ubuntu-core/snappy/pull/60411:22
* zyga-phone is killing SNAP_FULLNAME 11:22
zyga-phonehttps://github.com/ubuntu-core/snappy/pull/60511:41
* zyga-phone is renaming SNAP_ORIGIN to SNAP_DEVELOPER11:41
noizerzyga-phone where can i find the last snapcraft version?12:40
ogra_in xenial12:41
noizerogra_ but i want to build with some slots but for now it doesn't work (snapcraft 2.3.2)12:41
ogra_you might have to wait a little more, the image and snapcraft are supposed to be released together12:42
ogra_(not sure where we stand with the image release)12:43
noizerogra_ Ok i heard about it but will it release today for the raspberry pi?12:43
ogra_no idea12:43
ogra_(i only tested the arm64 rootfs yesterday ... perhaps mvo can tell when the new stuff gets out)12:44
noizeris he online at this moment? because I think he is very busy at the moment12:49
zyga-phonenoizer: on github.com/ubuntu-core/snapcraft13:04
didrocksnoizer: just run from ^ using bin/snapcraft, it will import the correct files13:09
noizerdidrocks does not work :s13:15
didrocksnoizer: logs? I'm doing that daily, so I highly doubt it doesn't take the right snapcraft version :p13:16
dholbachdavidcalle, didrocks, I put up a branch which has all the relevant bits for a demo (https://code.launchpad.net/~dholbach/developer-ubuntu-com/hero-tour-changes/+merge/287765) - maybe we can merge the template into it?13:23
noizerdidrocks my snapcraft is 2.3.213:23
dholbachlet me re-push it to the developer site dev team namespace13:23
noizerdidrocks when I do /usr/bin/snapcraft clean i get the error where he don't find slots13:24
didrocksnoizer: why are you using /usr/bin/snapcraft? I told you to use the github repo that zyga-phone pointed out and run bin/snapcraft13:24
noizerdidrocks13:25
noizerthx i will test that13:26
dholbachhttps://code.launchpad.net/~developer-ubuntu-com-dev/developer-ubuntu-com/hero-tour-changes/+merge/28840013:26
dholbachsorry, https://code.launchpad.net/~developer-ubuntu-com-dev/developer-ubuntu-com/hero-tour-changes/+merge/28840113:28
didrocksdholbach: excellent! should we try to assemble something with davidcalle's current work? That way we can have a first result and see how it goes?13:28
didrocksdholbach: want that we catch up? (I've the first markdown pages written)13:29
dholbachdidrocks, that's why I pushed to the team namespace13:29
dholbachlet's wait for the template - at that point it'll make sense to get together and figure out what's still missing :)13:29
didrockssure!13:29
dholbachgreat :)13:30
didrocksnice work :)13:30
niemeyerjdstrand: ping13:38
noizerdidrocks it works fine :D is security polity available there?13:40
noizer*security-policy13:40
didrocksnoizer: no idea TBH, I can just tell you it's the freshest and latest :p13:42
noizerdidrocks ok thx a lot :D13:42
didrocksyw ;)13:43
zyga-phonejdstrand: hey, please ping me when you're around14:00
zyga-phonejdstrand: we'd like to have a call with you today14:00
mvoogra_: I uploaded a new arm64 edge OS snap just today14:04
ogra_mvo, ok, will test later ... btw ... http://paste.ubuntu.com/15327686/14:10
ogra_i'm about to push that to the PPA and do some test builds ... if it works i'll upload it14:10
ogra_(and if it works for the os snap, it should be easy to do the same for the kernel tarballs too)14:11
mvoogra_: nice14:16
mvoogra_: I think you can drop readme.md and package.yaml now14:16
ogra_mvo, do you need the buildds today ?14:16
noizeris it possible to use security-override? mvo zyga-phone14:16
noizerin snapcraft14:16
ogra_i dont want to get in your way with a potentially broken livecd-rootfs in case you need to re-build something14:16
mvoogra_: probably not, I think I did enough14:16
ogra_ok14:16
ogra_will drop the package.yaml ...14:17
mvoogra_: i.e. the current edge OS is good so far14:17
ogra_mvo, what about the gadget dir ?14:17
mvoogra_: if it works on amd64 as well I push to rolling/stable14:17
mvoogra_: we don't need that anymore too14:17
zyga-phonenoizer: yes14:17
zyga-phonenoizer: through old-security14:17
mvoogra_: its all under /snaps now14:17
ogra_cool, dropping that as well14:17
zyga-phonenoizer: as soon as the new release is out14:17
mvoogra_: yeah, that should work. nice to see this btw14:17
noizerbut i got now the new snapcraft14:17
noizerbut it don't works on my snappy OS probably14:18
ogra_i'm a bit worried about the apt-get install ... not sure if that works14:18
ogra_but i dont really want to make snappy a hard dep of livecd-rootfs14:18
noizerzyga-phone14:18
ysionneauHi, how do I allow a syscall in my snapcraft.yaml for an app ?14:18
ysionneauan if the app command is a shell script doing an exec, is the syscall authorization OK for the binary which is executed?14:19
zyga-phonenoizer: I'm sorry I cannot help you today, we can either implement snappy or help everyone on the channel trying things out but not both; in a few days I will have more time and things will be in better shape for you to try them out; please wait for the release for now.14:19
ysionneau(and say the exec'ed binary is also a shell script doing an exec, etc)14:19
ysionneauand if the app*14:19
ogra_ysionneau, there are ways to make syscall exceptions via snapcraft.yaml ... but ask jdstrand which ones will actually be allowed by the store ... (i think fchown is one of the allowed ones, not sure there are others)14:20
ysionneauoh, so I cannot do syscalls: [send] ?14:21
jdstrandno14:21
ysionneaufyi I get this : Mar  8 13:55:33 localhost kernel: [  794.318819] audit: type=1326 audit(1457445333.541:13): auid=1000 uid=1000 gid=1000 ses=2 pid=1229 comm="ld-linux-armhf." exe="/snaps/wifid.sideload/LSTDgDnSXTSF/lib/ld-linux-armhf.so.3" sig=31 arch=40000028 syscall=289 compat=0 ip=0x76e9a4d6 code=0x014:21
ysionneauand 289 seems to be "send"14:21
jdstranduse 'snappy-debug.security scanlog'14:21
jdstrandthat will tell you what syscall 289 is on your system14:21
jdstrandand will suggest a 'cap' to use14:22
ysionneauthis tool fails with a permission denied error14:22
jdstrandysionneau: is this on 16.04 or 15.04?14:22
ysionneau16.0414:22
ysionneauhttp://pastebin.com/nakZUZ6Y14:22
jdstrandyeah, developing on 16.04 now is difficult-- all of this is in flux14:22
jdstrandit hasn't been converted to the new interfaces yet14:23
ysionneauok14:23
ysionneauso what can I do then?14:24
rtgogra_, did you ever get the generic initrd package working ?14:24
jdstrandysionneau: do scmp_sys_resolver 28914:24
jdstrandon the machine that has the error14:24
ysionneau15:24 < jdstrand> ysionneau: do scmp_sys_resolver 289 < yes, it prints send14:24
ogra_rtg, yes, but only half way, there are bugs in fakechroot that are kind of blocking atm14:24
jdstrandsend is part of 'network-client'14:24
ysionneauI also already give the network-client caps14:24
jdstrandyou don't need an override14:24
ogra_rtg, bug 155311014:25
ubottubug 1553110 in fakechroot (Ubuntu) "weird output of ldd on arm64" [Undecided,New] https://launchpad.net/bugs/155311014:25
jdstrandyour yaml is probably not right for the new interfaces stuff14:25
ysionneauso maybe the right question was : is the capability kept by the process if it does exec ?14:25
zyga-phonejosepht: hey :-)14:25
zyga-phoneer14:25
zyga-phonejdstrand: hey :)14:25
ysionneauI would say yes since the usual snappy way is to wrap binary calls to export env vars and do 'exec'14:25
jdstrandzyga-phone: hey14:25
jdstrandysionneau: yes14:25
zyga-phonejdstrand: please check out telegram if you can14:26
ysionneaubut I don't understand here why my capability network-client doesn't allow me to use "send"14:26
ogra_rtg, beyond that the initrd should be usable ... it is just that some features like resize do not work atm ... you can just grab ubuntu-core-generic-initrd and pull the img from /usr/lib/ubuntu-core-generic-initrd (and then add modules and stuff)14:26
jdstrandysionneau: I bet it is because your yaml is wrong for the new interfaces work14:26
jdstrandit is just using the default policy and ignoring everything else14:26
rtgogra_, what package produces the generic initrd ? initramfs-tools-ubuntu-core ?14:26
ysionneauhmm at least the yaml does pass the parsing of snapcraft :o14:27
jdstrandI think that is what jibel and mvo were talking about earlier14:27
ysionneauso it seems OK according to the schema14:27
ogra_rtg, yep14:27
ysionneauand it seems OK with the examples I see in snapcraft/examples14:27
zyga-phoneysionneau: it will only work with unreleased snapcraft + snappy14:27
zyga-phoneso wait :)14:27
jdstrandzyga-phone: so, there is an email and tg. I will get to it, but it will be a little bit14:27
ysionneauzyga-phone: yes, I'm using unreleased snapcraft :)14:27
zyga-phonejdstrand: thanks14:27
zyga-phoneysionneau: and unreleased snappy?14:28
ysionneauI'm using snapcraft from git14:28
ysionneaubut I'm indeed using the "devel" channel of snappy for rpi214:28
ysionneauubuntu-core 2016-03-08 16.04.0-15.armhf14:28
zyga-phoneysionneau: that's not enough14:28
zyga-phoneysionneau: you have to wait for snappy release (today)14:29
jdstrandpindonga: can you pull the review tools if you haven't already-- seems the interface rename is all landing14:29
ysionneauallright, thanks!14:29
pindongajdstrand, ack, no I haven't (so good you reminded me)14:29
jdstrandpindonga: thanks!14:30
niemeyerjdstrand: Do you have a moment for a call?14:33
mvoI pushed a new stable OS update with the most recent change described in https://lists.ubuntu.com/archives/snappy-devel/2016-March/001567.html14:33
mvosergiusens: you have a stable OS update now with the plugs: changes14:33
zyga-phone\o/14:42
* zyga-phone hugs mvo14:42
zyga-phoneysionneau, noizer: try out the fresh image and snapcraft after reading the email above ^^14:42
niemeyerjdstrand?14:42
noizerzyga-phone I updated my ubuntu-core already xD14:43
noizersaw the good news from mvo :D14:43
ysionneauzyga-phone: thx!14:46
ysionneauI don't see any update after doing snappy update14:48
ysionneauI'm in -1514:48
ysionneauor should I re-generate an image using your ubuntu-image ?14:48
mvoysionneau: armhf version -15? that is ok that is the most current one14:49
ysionneauah so I was already on the right one, and with latest snapcraft14:50
ysionneauso I don't get what's wrong14:50
ysionneaumaybe I should use "plugs" and not "slots"14:50
ysionneauhmm nop snapcraft refuses it14:51
mvodpm: for calculator you need to so sed -i "s/slots:/plugs:/" meta/snap.yaml14:51
zyga-phoneysionneau: you should use "plugs" for the snapcraft.yaml14:52
ysionneauhmmm is github ubuntu-core/snapcraft up to date?14:53
ysionneaucause I'm using that, and it refuses to parse my yaml if I use plugs :o14:54
ysionneau15:52 < zyga-phone> ysionneau: you should use "plugs" for the snapcraft.yaml : I get : Issues while validating snapcraft.yaml: Additional properties are not allowed ('plugs' was unexpected)14:57
zyga-phoneo_O14:58
zyga-phoneold snapcraft I guess14:58
zyga-phoneI don't know, it's just out of sync then14:58
ysionneaulooks like I don't have the right version, yes, I'm on master branche on SHA1 6d17a601d24b7053ffe92e3cb1d58e0bb9415a3614:58
ysionneaubranch*14:59
zyga-phoneysionneau: you have to dig in for yourself for a while14:59
ysionneauthat's the last commit I see on https://github.com/ubuntu-core/snapcraft/commits/master15:03
* ogra_ dances around mvo 15:11
ogra_https://launchpad.net/~ubuntu-cdimage/+livefs/ubuntu/xenial/ubuntu-core-system-image/+build/5454415:11
ogra_livecd.ubuntu-core.ubuntu-core_16.04-20160308-15:04_amd64.snap (75.9 MiB)15:11
ogra_:D15:11
mvoogra_: sweeeeeeeet15:11
* mvo hugs ogra_15:11
ogra_mvo, i see you added the arch name to the version in the ones you upload to the store ... should i do the same ?15:11
ogra_(i'm also not sure about the colon in the timestamp)15:12
mvoogra_: it's no longer needed, I did it because the store broke in a funny way in the past without it15:12
ogra_ah, cool15:12
mvoogra_: it was also useful to debug an issue where the store send me a armhf os snap when I was an amd64, I only noticed because of the version string15:12
mvoogra_: but all those issues are fixed now15:13
ogra_ok, cool15:13
ogra_what about the colon, can that stay ?15:13
mvoogra_: technically its an epoch right now15:13
ogra_oops15:13
ogra_indeed15:13
mvoogra_: so a "-" would be nicer15:13
ogra_funny that the package actually built at 15:04 :)15:14
mvoogra_: however very very soon version numbers will have no semantic meaning whatsoever15:14
ogra_ok15:14
mvoogra_: lol15:14
mvoogra_: nice15:14
* ogra_ changes to a dash 15:14
mvoogra_: so if its trivial, please just fix the ":" for now, soon it won't matter :)15:14
ogra_i386 looks fine too ... waiting for the arms then i'll push that to the archive15:14
ogra_yeah, totally trivial15:14
mvonice, great work!15:15
ogra_heh, only the start ... the tricky part is to teack cdimage about .snap now15:16
dpmmvo, ok, thanks! Will do it in a couple of hours and let you know. Any news on the upload of the snapcraft version that supports these changes?15:16
ogra_*teach15:17
mvodpm: ups, I forgot, the last I heard from sergiusens was that he wants a stable os snap first that supports it. he is in a eastern timezone now I think so probably will read this tomorrow15:20
ogra_yeah, he's probably already drowning in beer15:20
dpm:)15:22
dpmok, thanks mvo15:22
jdstrandniemeyer: I will have a moment for a call yes, but I haven't yet had a moment to catch up on the thread15:30
jdstrandniemeyer: I'm going through this now. can I ping you in a few minutes?15:30
jdstrandniemeyer: can I rely on the email thread as everything I need to know or should I read through the (long) tg discussion?15:31
niemeyerjdstrand: The email thread+document is much better than the tg thread for context15:32
jdstrandok, let me get through that and ping you15:32
niemeyerjdstrand: I'll step out for lunch now.. we can catch up in a couple of hours15:32
jdstrandthat works for me as well15:32
jdstrandniemeyer: fyi, I left a comment on https://github.com/ubuntu-core/snappy/pull/606#issuecomment-193820189 which I'm not sure if it will affect your judgement on if it should be closed or not15:39
zyga-phonejdstrand: https://github.com/ubuntu-core/snappy/pull/608/files15:43
zyga-phonejdstrand: I'm working on cleaning up patches that take this and splice the interface snippets inside in the right places15:43
jdstrandcool15:44
jdstrandzyga-phone: fyi, I came up with a very compelling use case for the policy being in files15:44
jdstrandzyga-phone: the developer experience is supposed to be: snappy try <snap> (or similar)15:45
jdstrandzyga-phone: that puts the snap in complain mode where everything is allowed, but violations to policy are logged15:45
jdstrandzyga-phone: then another tool is supposed to take those violations and suggest things15:45
jdstrandzyga-phone: that tool can't suggest things without having access to the policy files15:46
zyga-phonejdstrand: I see, how does that tool work today?15:46
jdstrandzyga-phone: well, there are several tools that are going to need to be combined to support the way this is supposed to work (ie, snappy try doesn't do any of the above-- it has to be implemented)15:47
jdstrandzyga-phone: but essentially, the tools would all use libapparmor to parse the log15:47
jdstrandzyga-phone: then they examine the policy files15:48
jdstrandthen they say 'add network to your plugs', etc15:48
zyga-phonejdstrand: snappy can easily expose those over the API15:48
zyga-phonejdstrand: this way the tool can actually work without changes later15:48
jdstrandwhat api?15:48
zyga-phonejdstrand: the rest api15:48
zyga-phonejdstrand: we could simply expose all of the text verbatim15:49
jdstrandzyga-phone: so you're saying that the tool asks the rest api to dump all of the policy for it to then examine?15:49
zyga-phonejdstrand: so you could essentially wget each of the text files15:49
zyga-phonejdstrand: something like it, the advantage is that you could work with the tool remotely as well (nice dev UX)15:50
zyga-phonejdstrand: and locally it would not get out of date/out of sync15:50
jdstrandusing files it wouldn't get out of sync either-- it would only use the files on the system15:50
jdstrandbut yes, this is an option15:50
jdstrandI guess it is also an answer to the auditing problem I mentioned15:51
zyga-phonejdstrand: well, it'd be more complex to test consistent sets IMHO15:51
jdstrandI don't see how15:51
zyga-phonejdstrand: yeah, I think we can easily expose each snippet as plain text15:51
jdstrand"give me all the files" vs "open all the files"15:51
zyga-phonejdstrand: (you just need snappy, not any other package, to be consistent)15:51
zyga-phonejdstrand: they come from different places15:51
jdstrandI know you guys are excited about all the policy in go. I am not blocking, but I am not15:52
zyga-phonejdstrand: this will also look more complex as snappy moves beyond 16.0415:52
jdstrandcause looking at https://github.com/ubuntu-core/snappy/pull/608/files it would be just as easy for 'const defaultAppArmorTemplate = ' to be a read on a file in a known location, but I won't beat this horse any more15:53
zyga-phonejdstrand: I thought about that and have this implemented (for a few weeks)15:54
zyga-phonejdstrand: but it's still more complex, e.g. on the desktop that package can be updated15:54
zyga-phonejdstrand: so then you now must do invalidation properly15:54
zyga-phonejdstrand: you have to do parsing (I'll break the template into parts so that parsing is not required)15:55
jdstrandI don't consider policy updates a bad thing15:55
jdstrandanyway, we shouldn't rehash this. you guys won15:55
zyga-phonejdstrand: neither do I, but in this model you restart snapd and you're consistent15:55
zyga-phonejdstrand: I'm not trying to convince you over random stuff, IMHO this is really easier to work with15:55
zyga-phonejdstrand: from a purely technical POV15:55
jdstrandplease remember our caching discussion thouch15:55
jdstrandthough15:55
jdstrandcause there are very important performance considerations15:56
zyga-phoneyeah, I know15:56
zyga-phoneI'll get to caching15:56
jdstrandok, cool15:56
jdstrandthat is the most important thing15:56
jdstrandif we handle that right, we can see how the policy stuff goes and adjust15:56
zyga-phonejdstrand: I'll try to make snap connect write all the security files today15:58
zyga-phonewon't reload aa profiles but will do 90% of the work15:58
jdstrandcool15:59
zyga-phoneit's a big change with the state engine but the primitives are ready15:59
zyga-phonejust need to finish this real aa policy text to be there15:59
=== chihchun is now known as chihchun_afk
zyga-phonejdstrand: https://github.com/ubuntu-core/snappy/pull/61116:03
zyga-phoneseccomp side16:03
jdstrandzyga-phone: so, in addition to inserting snippets in the right place, you are aware in the apparmor template that you need to also set ###VAR### and ###PROFILEATTACH###, right?16:11
zyga-phonejdstrand: yeah, I have that code for a few weeks16:11
jdstrandok16:11
zyga-phone(my piglow demo behind me is a proof of that :)16:11
jdstrandthat's fine16:11
zyga-phone:)16:11
zyga-phoneI'll ask you for review though16:12
jdstrandjust wanted to be sure16:12
* jdstrand nods16:12
zyga-phonejdstrand: can you have a look at: https://github.com/ubuntu-core/snappy/pull/61216:13
zyga-phonejdstrand: this changes how we call ubuntu-core-launcher16:13
jdstrandyes, that is the thread I am trying to get to reading16:14
zyga-phonejdstrand: oh, sorry16:14
zyga-phoneok16:14
jdstrandnot your fault16:14
jdstrandmy inbox and irc backscroll is quite a lot today16:15
niemeyerjdstrand: ping16:21
niemeyerjdstrand: Can we have it now?16:21
niemeyerjdstrand: ? :-016:24
niemeyer:-)16:24
jdstrandstill reading16:24
jdstrandI thought I had two hours :)16:24
jdstrandso I tended to other pressing things16:24
jdstrandI'm almost through it16:24
niemeyerjdstrand: Can you please join the hangout? mvo will be off in 40 mins16:26
* jdstrand notes this also requires a bit of research, which I'm also doing16:26
niemeyerhttps://plus.google.com/hangouts/_/canonical.com/snappy-devel16:26
jdstrandok, forgive me if my opinion isn't as well-thought out as I'd like it to be16:26
niemeyerjdstrand: Don't worry, that's a friendly call to sort it out.. we can discuss questions live16:27
elopiofgimenez: I think this panics when the config is not present: https://github.com/ubuntu-core/snappy/blob/master/integration-tests/tests/base_test.go#L5416:44
elopiohttps://www.irccloud.com/pastebin/kZ8l9nLL/16:44
elopiofgimenez: what if I os.Stat the file, and put all this inside an if?16:45
fgimenezelopio, yes, that can work and keeps all very clear16:49
elopioplars: can you try this one please?17:19
jdstrandzyga-phone: you asked me to look at https://github.com/ubuntu-core/snappy/pull/612/files. is that still needed in light of the meeting we just had?17:23
zyga-phonejdstrand: I think not anymore :)17:23
jdstrandok, that's what I thought17:23
zyga-phonejdstrand: thanks!17:23
zyga-phonejdstrand: so I see you reviewed the seccomp blob, that's great, I'll merge it17:24
jdstrandzyga-phone: I reviewed 611 (seccomp), do you need me to look at 608 (apparmor)?17:24
zyga-phoneplease do the same for .. .yes :D17:24
zyga-phonefantastic17:24
jdstrandhehe17:24
zyga-phoneI'll get this to work all the way today17:24
zyga-phonejdstrand: I was looking at one extra thing but that can wait for tomorrow (even for discussion)17:26
zyga-phonejdstrand: to have a know to switch a single snap to development mode17:26
zyga-phonejdstrand: so we get advisory logs, not denials17:26
zyga-phonejdstrand: I think I know how to do it but I'll tell you about what I think I know tomorrow :)17:26
zyga-phonejdstrand: when that is available, we can remove hw-assign17:26
jdstrandzyga-phone: that is actually quite easy. let me get that for you17:28
zyga-phonejdstrand: is that just one extra flag in the "header" of the profile?17:28
zyga-phonejdstrand: I read the python code that does aa-{stuff-i-forgot} from apparmor-utils17:28
jdstrandit is17:28
zyga-phonejdstrand: if that's the case I can just bake support for that right into the tooling17:29
plarselopio: what is it you want me to try?17:29
zyga-phonejdstrand: lovely, we need to think how to remember that in the state though (persistent, etc) but I think this will fly17:29
elopioplars: this should fix your panic.17:29
jdstrandzyga-phone: change this: '(attach_disconnected)' to 'flags=(attach_disconnected,complain)'17:29
jdstrandzyga-phone: feel free to change '(attach_disconnected)' to 'flags=(attach_disconnected' in the normal case17:30
zyga-phonejdstrand: noted, thanks17:30
* zyga-phone really writes this down on paper17:30
jdstranderr17:30
jdstrand'flags=(attach_disconnected)'17:30
=== vrruiz_ is now known as rvr
jdstrandzyga-phone: unfortunately for seccomp the launcher is going to need to be updated17:31
zyga-phonejdstrand: seccomp doesn't have anything like that, right?17:31
jdstrandzyga-phone: (since it is effectively the seccomp policy parser)17:31
jdstrandthere is no parser like with apparmor17:31
jdstrandthe launcher is the parser17:31
zyga-phonejdstrand: so how do you want that to work?17:31
zyga-phonejdstrand: right, right17:32
jdstrandso the launcher needs to be updated17:32
zyga-phonejdstrand: ah, the wrapper script17:32
zyga-phonejdstrand: or the actual ubuntu-core-launcher17:32
zyga-phone?17:32
jdstrandubuntu-core-launcher17:32
elopiomterry: can I bother you for a moment? I need help with the pipeline test you wrote ages ago.17:32
jdstrandit is what takes the list of syscalls from our generated file, parses the file and then adds each syscall via a C api17:32
mterryelopio, hello17:33
jdstrandzyga-phone: and right now it only does enforce mode17:33
zyga-phoneyeah, I know, let's draft the minimum required change to the launcher to support developer mode17:33
elopiomterry: hi. How are you?17:33
elopiomterry: could you first explain to me what's the idea of this test?17:33
zyga-phoneand let's see what we can make with that17:33
jdstrandthe good news is this all happens after dropping privs17:33
mterryelopio, uh...  can you point me where in the code we're talking about?17:33
elopiomterry: https://github.com/ubuntu-core/snapcraft/blob/578fd4657218ce3e1900155a5742436b4757c8a2/examples/libpipeline/test.c17:33
elopiooh, wait, that's an old revision.17:34
elopiomterry: https://github.com/ubuntu-core/snapcraft/blob/master/examples/libpipeline/test.c17:34
jdstrandzyga-phone: for this to work well we need to also patch the kernel to log the security label of the process seccomp is killing/auditing17:36
zyga-phonejdstrand: ok, it seems that full developer mode is still a few days away then; do you have someone to do this work?17:36
mterryelopio, um, if I recall, it was to demonstrate that snapcraft could integrate with your locally built project too.  Like you have your source tree.  And then you had snapcraft grab all the dependencies and build them.  And then you could run "snapcraft shell make" to build your local project pointing at the snapcraft built files.   I don't know whether that concept meshes with the snapcraft of today anymore17:38
mterryelopio, (i.e. to demonstrate that you could build that local test.c against snapcraft's copy of libpipeline)17:38
jdstrandzyga-phone: I will be doing the dev mode stuff from the security team. This will not land this week. I will be focusing on enabling you to move fast on interfaces, the framework migrations and snappy on classic policies before developer mode17:39
zyga-phoneokay17:40
zyga-phonekilling hw-assign is not important, I just fixed it locally17:40
zyga-phoneso it now has $snap.$app IDs17:40
zyga-phoneI'll follow up with one more consolidation branch that makes $snap.$app just $snap when $app == $snap17:40
zyga-phoneI want to take a stab at Connect() today17:41
jdstrandsince it is implemented, that sounds fine, though I'd personally like to see what the interface equivalent of hw-assign will be once the old-security/caps is migrated and old-security/security-template is gone17:41
jdstrandcool17:42
elopiomterry: well, that makes sense today too. Now I'm wondering what should be the output of the test.17:42
mterryelopio, I think it was designed to be run in that folder itself.  And it uses a different grep pipeline than http://bazaar.launchpad.net/~mterry/+junk/pipelinetest/view/head:/test.c does, so that the test knows it's using the local test, not the remote test17:43
elopiomterry: it used to print https://paste.ubuntu.com/15329134/17:43
elopionow it prints just the two first lines.17:43
elopioand I don't understand why it prints grep c when this line shows grep s: https://github.com/ubuntu-core/snapcraft/blob/master/examples/libpipeline/test.c#L917:44
mterryelopio, grep c is because you're calling the test code from lp:~mterry/+junk/pipelinetest, not the locally built test17:45
mterryelopio, http://bazaar.launchpad.net/~mterry/+junk/pipelinetest/view/head:/test.c17:45
elopiomterry: ok, so it should print grep s. Not grep c. And it should print the contents of the snap, not of your junk.17:48
elopioI think didrocks changed the cwd, so that explains ls not showing anything.17:49
mterryelopio, well the idea is that we can run both, to show that snapcraft can build a local project and a remote project against an internally built libpipeline17:49
mterryelopio, but yeah the cwd change would explain a new failure17:49
zyga-phoneoho17:52
* zyga-phone realized we need udevadm control --reload-rules17:52
zyga-phonejdstrand: ^^ added to my todo17:52
zyga-phonealong with udevadm trigger17:52
=== chihchun_afk is now known as chihchun
elopiomterry: thanks. That was a tangled test you wrote in there :)17:57
elopioI'm happy for now that we are getting the "custom libpipeline called" message for now. I think we are calling the wrong test.c, but I'll dig more about it.17:57
elopiowe might need a better command than grep to test it now that the dir is empty.17:58
mterryelopio, yeah that test probably could have been better documented  :)17:58
jdstrandzyga-phone: nice17:59
=== chihchun is now known as chihchun_afk
FacuHi all!18:14
FacuI'm trying to flash a device, but ubuntu-device-flash just hangs :/18:14
Facuthis is the third time I run it, now I left it a couple of hours18:14
Facusee http://pastebin.ubuntu.com/15329318/18:14
Facuis there any way to make it show progress or something?18:15
ogra_Facu, you probably want the #ubuntu-touch channel18:16
Facuogra_, err, you're right18:18
ogra_:)18:18
plarselopio: what is the change to make?18:22
Facuogra_, thanks!18:24
elopioplars: https://github.com/ubuntu-core/snappy/pull/614/files18:26
zyga-phoneogra_: hey18:27
plarselopio: yeah, I thought that might be it from the backlog and had just tried it locally... doesn't *seem* to work18:27
ogra_zyga-phone, yo18:27
zyga-phoneogra_: how can I help to update firmware and other bits needed for pi2 camera?18:27
zyga-phone(as in, how can I fix the problem for everyone)18:27
plarselopio: wait, maybe... one sec18:28
elopioplars: still panics?18:28
zyga-phonehey plars, long time no see :)18:28
ogra_zyga-phone, i need to update the firmware anyway (for rpi3 support), i'll try to get to it this week18:28
zyga-phoneogra_: do you think you could show me how you do it18:28
zyga-phoneogra_: I know you can do it but I'd love to learn how this works18:28
plarselopio: it fails differently at least. I can get -h output now, but -check.list doesn't work. One sec and I will pastebing18:28
plars*pastebin18:28
ogra_zyga-phone, well, i pull the upstream binary blobs from github and replace the ones in the snap ... then build an image with that and see if it boots18:29
zyga-phonein the kernel snap? check18:29
ogra_no magic in that18:29
zyga-phoneok18:29
ogra_no18:29
ogra_gadget18:29
plarselopio: it still seems to try to run the setups18:29
zyga-phoneand if they work, where do you commit this back?18:29
plarselopio: https://www.irccloud.com/pastebin/p58PGbaJ/18:29
zyga-phoneoh, gadget?18:29
zyga-phoneok18:29
ogra_zyga-phone, https://github.com/raspberrypi/firmware/tree/master/boot18:30
ogra_the gadget source is in the snappy-hub branch18:31
zyga-phoneogra_: I mean about our side, I know where the upstream blobs are18:31
zyga-phoneah18:31
zyga-phoneok18:31
zyga-phoneogra_: if I do it, will you review my changes?18:31
ogra_it is binaries ... there is nothing to review :)18:31
zyga-phoneogra_: well, you can tell me that I did it right and land it :)18:32
zyga-phoneogra_: I just want to 1) help 2) learn18:32
ogra_if you replace the binaries and manage to still boot, i'm happy to nod it off18:32
zyga-phone(maybe 2), 1), because I'm a selfish dude)18:32
zyga-phoneperfect18:32
ogra_(essentially bootcode.bin and the dtb's, the start* files we ship and the fixup* ones we ship need replacing)18:33
ogra_and make sure to use the latest license files just to be sure they are not out of date18:33
ogra_hmmmmm ....18:34
ogra_so i have the livefs builder spit out ubuntu-core snaps now18:34
zyga-phone0o18:34
ogra_but cdimage doesnt allow wildcards ... and the snap needs a version string in the name18:34
elopioplars: the list command shouldn't be running the set up suite.18:34
ogra_tricky18:35
elopioplars: my pr seems to fix the init. So now I'll resurrect the list PR.18:35
ogra_beuno, does the store care how my snap is named ? or does only the meta/snap.yaml data count ?18:36
beunoogra_, it totally ignores i18:36
beunoit18:36
ogra_beuno, so the snap at https://launchpad.net/~ubuntu-cdimage/+livefs/ubuntu/xenial/ubuntu-core-system-image/+build/54560 could be totally unversioned ?18:36
ogra_(and the store would happily accept)18:37
beunoogra_, yeap18:37
ogra_yay18:37
* ogra_ changes the code to rip out the version string ... perfect 18:37
ogra_so tomorrow we'll have all os snaps on cdimage then :)18:38
ogra_(and tomorrow evening also the kernel snaps )18:38
beunowoooo18:38
plarselopio: I can try just cherry-picking it again in a bit, tied up with something else at the moment18:40
plarselopio: ok, I pulled the list fix in and it's getting better:19:08
plarshttps://www.irccloud.com/pastebin/NhcJ5PrG/19:08
plarselopio: also, I think the systemctl calls should also be skipped but this is still pretty hacky as it just checks for that file. I need to check on something, but at some point we *have* to set up that file to run the tests. If that happens before we generate the list of tests, then we're back to the original troubles19:09
elopiowesleymason: I see you have the errbot charm. Are you using it somewhere?19:17
elopioplars: yes, we know we shouldn't be doing any calls in init.19:18
elopiothe systemctl calls are easy to move, but I need to discuss with Federico because he moved them here first.19:18
plarselopio: sure, np19:18
wesleymasonWill be using it in the online services channel when I have chance to build a mojo spec for it.19:18
elopiothe others are not so easy. The wait is a workaround, so we could ignore it.19:18
elopiothe setup snappy from branch is going to be tough, but with this simple if we can push the problem for later.19:19
wesleymasonThe reactive framework has been both a pleasure and a pain. Like Fifty Shades of Juju.19:20
elopiowesleymason: if you have patience with me while I learn juju, I can help.19:20
elopioI will deploy it in my canonistack to check it out.19:20
wesleymasonelopio: after working with juju for so long patience is all I have left ;-)19:23
elopioI accept the challenge leave you without even that!19:24
elopio*to19:24
orbyis there a guide on how to secure a snappy core?  would like to replace the ubuntu account and switch from dhcp to static.  is it the same process as normal ubuntu or is there a specific process to make sure the config sticks?19:25
ogra_orby, http://paste.ubuntu.com/15329884/19:31
ogra_that's a script i use to set up machines19:31
orbyogra_: thank you19:49
orbygoogle dns eh? :)19:50
ogra_i'm lazy :)19:54
orbywhat is the correct way to refer to the system, snappy, snappy core, ubuntu core?20:14