=== asac` is now known as asac
=== morphis__ is now known as morphis
[07:31] good morning
[07:39] hey zyga-phone
[07:39] hey :)
[07:54] good morning
[08:00] https://github.com/ubuntu-core/snappy/pull/598/files
[08:01] good morning dholbach
[08:02] hey dholbach :)
[08:14] ogra_, you around?
[08:16] hi didrocks, hey zyga-phone
[08:17] :)
[08:22] https://github.com/ubuntu-core/snappy/pull/600 (more confusing names fixed)
[08:27] good morning
=== LarreaMikel1 is now known as LarreaMikel
[08:32] https://github.com/ubuntu-core/snappy/pull/601
[08:41] is it possible to update snapcraft? zyga-phone
[08:52] mvo, on kernel snap install, are you doing something similar to snap.kernel.split('-')[1] ?
[09:02] sergiusens: I don't think so, I think grub even only looks for vmlinuz and nothing else (and initrd.img) so best to have symlinks to those
[09:02] sergiusens: gustavo was also keen to move this to a convention based install instead of having keys in snap.yaml for the kernel/initrd
[09:06] noizer: yes, you can always use the bleeding edge version from source
[09:06] zyga-phone https://github.com/ubuntu-core/snapcraft
[09:07] mvo, I'm doing hard links; the layout of partition 8 is really weird
[09:07] zyga-phone that's this one?
[09:07] zyga-phone but what branch then?
[09:07] mvo, also, I'm not doing the crazy vmlinuz rename when building for arm64 since it is an uncompressed 'Image' target
[09:07] the debbuild for some crazy legacy reason does a blind rename to vmlinuz
[09:08] noizer: master, if you don't feel confident in using it then please just wait
[09:08] we're all working on the release
[09:08] so you will have fresh debs and images soon
[09:09] zyga-phone I will just try it, if it doesn't work for me I will wait for the deb packages
[09:09] sergiusens: for amd64/i386 right now we hardcode vmlinuz unfortunately but that is probably a bug. uboot should actually be flexible
[09:16] mvo, http://paste.ubuntu.com/15326741/
[09:20] mvo, http://paste.ubuntu.com/15326751/
[09:20] mvo, so I'm not sure what is going on
[09:20] mvo, reason I ask is if there is some sort of "cut" in the code
[09:21] sergiusens: this looks good, except of course that it does not work
[09:21] Bad Linux ARM64 Image magic!
[09:21] mvo, well if you look in the `find mnt` there's a plain 'Image' file
[09:22] mvo, that plainly does not exist in anything I provide
[09:22] I provide Image-something
[09:23] sergiusens: indeed, I think there is a split on "-" in the code somewhere
[09:24] sergiusens: that explains where it comes from
[09:24] mvo, yeah, we should not do that :-) I'm trying to do `kernel: vmlinuz` now
[09:24] mvo, although these arm kernels are not gz'ed
[09:28] sergiusens: yeah, we need to fix this
[09:28] mvo, also I noticed the dtbs are missing
[09:28] oh?
[09:28] mvo, in the released kernel snap on the store as well
[09:29] sergiusens: did you list them in snap.yaml?
[09:29] mvo, so the .snap/dtbs is there, but in the root there's a 'dtbs' dir that is empty
[09:29] mvo, yeah, check the pastebin :-)
[09:29] mvo, doh
[09:29] mvo, no I didn't
[09:29] sergiusens: I did check the pastebin first ;)
[09:30] sergiusens: this is why I asked
[09:30] mvo, I need to fix this in my snapcraft as I'm manually adding (I don't want users to do this as it might just go away)
[09:31] sergiusens: it will probably go away
[09:32] mvo, I hope so :-)
[09:32] ppisati, hey, building the kernel for dragon board gets me 2.6GB of kernel modules; how is the one in the snap so small?
[09:33] sergiusens: we normally build with debug symbols built-in
[09:33] sergiusens: and then strip kernel and modules when creating the .deb
[09:33] sergiusens: this way from the same build we get the debug .deb and the normal .deb
[09:33] sergiusens: so either you build that way and later strip
[09:34] sergiusens: or simply turn off DEBUG_INFO
[09:34] sergiusens: and thus don't build the debug symbols
[09:34] ppisati, ah so it is a config?
[09:34] * sergiusens looks
[09:34] ppisati, this does make sense
[09:35] sergiusens: CONFIG_DEBUG_INFO=y
[09:35] ppisati, yeah I see, thanks
[09:35] sergiusens: turn that off and your kernel / .ko will go on a diet
[09:35] ppisati, being on a diet is harsh though, now I don't want to do it :-)
[09:36] I'll leave it on as I'm enabling
[09:36] sergiusens: +1
[09:36] but thanks for the tip :-)
[09:36] sergiusens: any time
[09:51] mvo, it boots!
[09:51] sergiusens: OMG!
[09:51] sadly it seems the resize code is active
[09:52] mvo, http://paste.ubuntu.com/15326840/
[09:52] I need the ogra_ :-)
[09:52] I'll see if I have a smaller sdcard here
[09:54] sergiusens: very impressive
[09:59] https://github.com/ubuntu-core/snappy/pull/602
[09:59] sergiusens, did you pick the right dtb ? we need a patched one (in paolo's deb it has a -snappy.dtb suffix)
[10:01] sergiusens, the resize code is moot, parted fails
[10:02] mvo, sergiusens that's bug 1553110 ... the resize tools are missing all libs
[10:02] bug 1553110 in fakechroot (Ubuntu) "weird output of ldd on arm64" [Undecided,New] https://launchpad.net/bugs/1553110
[10:02] so what it prints is a lie currently ...
[10:02] your last paste shows you are missing the modules though
[10:02] (no squashfs)
[10:02] ogra_, oh, is squashfs a module in the default kernel build?
[10:03] yeah
[10:03] darn!
[10:03] well at least I can go back to my fast sdcard :-)
[10:03] if the resize code would kick in you would only notice it at next boot
[10:03] (it wipes the bootloader partition types)
[10:03] the current boot would just go on
[10:27] https://github.com/ubuntu-core/snappy/pull/603
[10:28] ogra_, what about now http://paste.ubuntu.com/15326926/ ?
[10:29] sergiusens, still missing squashfs
[10:29] ogra_, but it says it loaded right there
[10:29] ?
[10:29] where
[10:31] ogra_, sorry, should have copied more above http://paste.ubuntu.com/15326932/
[10:31] mvo, how about we grep through /proc/filesystems and exit with a proper error message when we can't find squashfs support in the initrd
[10:31] ogra_, line 19 there
[10:31] "unsupported RELA relocation: 275"
[10:32] ogra_: who would say NO to this suggestion :-D ? +1
[10:32] no idea what that means, but sounds like you are missing features
[10:32] ogra_, seems more like a bug https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1533009
[10:32] Launchpad bug 1533009 in gcc-5 (Ubuntu Wily) "arm64: "unsupported RELA relocation"" [Undecided,New]
[10:33] sergiusens, ah, yeah
[10:33] in any case it seems to prevent the module from loading
[10:35] sergiusens, if you build the kernel yourself anyway, just compile it in ;)
[10:35] ogra_, hah, but I want the module xp
[10:36] I can try going to gcc 4.8
[10:47] ppisati, do you know about "unsupported RELA relocation: 275" ?
[10:47] I'm using gcc-aarch64-linux-gnu
[10:56] ricmm, http://paste.ubuntu.com/15327015/
[11:02] sergiusens: you mean the qemu warning? in case yes, i saw it, but that didn't stop me from building working images using qemu
[11:03] ppisati, no, I'm doing cross compilation (ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu-)
[11:03] sergiusens: are you using a recent xenial chroot?
[11:03] ppisati, and during boot I get http://paste.ubuntu.com/15326932/
[11:04] [ 13.207166] module squashfs: unsupported RELA relocation: 275
[11:04] ppisati, no chroots, just my regular xenial system
[11:04] sergiusens: i thought we fixed that
[11:04] sergiusens: it was a regression in the xenial toolchain
[11:04] sergiusens: but now it is fixed
[11:05] ppisati, heh, not for me; fixed in gcc?
[11:05] sergiusens: fixed in our toolchain
[11:05] sergiusens: not sure about upstream
[11:05] ppisati, I have http://paste.ubuntu.com/15326932/
[11:06] ppisati, I also see KBUILD_CFLAGS_MODULE += -mcmodel=large -mpc-relative-literal-loads in the arm64 Makefile
[11:07] sergiusens: we are carrying a patch too for that
[11:07] ppisati, err, I have 1:5.3.1-8ubuntu2cross2
[11:07] sergiusens: hold on
[11:09] sergiusens: if you see KBUILD_CFLAGS_MODULE += -mcmodel=large -mpc-relative-literal-loads then you have the two patches
[11:11] sergiusens: is that my tree?
[11:11] sergiusens: if you cross compile my tree, do you get that too?
[11:11] ppisati, no, it's the 96boards one
[11:11] sergiusens: try my tree
[11:11] sergiusens: if it works, then they are missing some patch
[11:12] sergiusens: if you keep getting that, then it's your toolchain
[11:12] ppisati, in arch/arm64/Makefile I miss that line completely, not sure what I saw before
[11:14] sergiusens: you need
[11:14] sergiusens: b6dd8e0719c0d2d01429639a11b7bc2677de240c
[11:14] sergiusens: and
[11:14] sergiusens: 6113222fa5386433645c7707b4239a9eba444523\
[11:14] without the trailing \
[11:14] thanks, I will try
[11:22] https://github.com/ubuntu-core/snappy/pull/604
[11:22] * zyga-phone is killing SNAP_FULLNAME
[11:41] https://github.com/ubuntu-core/snappy/pull/605
[11:41] * zyga-phone is renaming SNAP_ORIGIN to SNAP_DEVELOPER
[12:40] zyga-phone where can i find the latest snapcraft version?
[12:41] in xenial
[12:41] ogra_ but i want to build with some slots but for now it doesn't work (snapcraft 2.3.2)
[12:42] you might have to wait a little more, the image and snapcraft are supposed to be released together
[12:43] (not sure where we stand with the image release)
[12:43] ogra_ Ok i heard about it but will it release today for the raspberry pi?
[12:43] no idea
[12:44] (i only tested the arm64 rootfs yesterday ... perhaps mvo can tell when the new stuff gets out)
[12:49] is he online at this moment? because I think he is very busy at the moment
[13:04] noizer: on github.com/ubuntu-core/snapcraft
[13:09] noizer: just run from ^ using bin/snapcraft, it will import the correct files
[13:15] didrocks does not work :s
[13:16] noizer: logs? I'm doing that daily, so I highly doubt it doesn't take the right snapcraft version :p
[13:23] davidcalle, didrocks, I put up a branch which has all the relevant bits for a demo (https://code.launchpad.net/~dholbach/developer-ubuntu-com/hero-tour-changes/+merge/287765) - maybe we can merge the template into it?
[13:23] didrocks my snapcraft is 2.3.2
[13:23] let me re-push it to the developer site dev team namespace
[13:24] didrocks when I do /usr/bin/snapcraft clean i get the error where it doesn't find slots
[13:24] noizer: why are you using /usr/bin/snapcraft? I told you to use the github repo that zyga-phone pointed out and run bin/snapcraft
[13:25] didrocks
[13:26] thx i will test that
[13:26] https://code.launchpad.net/~developer-ubuntu-com-dev/developer-ubuntu-com/hero-tour-changes/+merge/288400
[13:28] sorry, https://code.launchpad.net/~developer-ubuntu-com-dev/developer-ubuntu-com/hero-tour-changes/+merge/288401
[13:28] dholbach: excellent! should we try to assemble something with davidcalle's current work? That way we can have a first result and see how it goes?
[13:29] dholbach: want to catch up? (I've got the first markdown pages written)
[13:29] didrocks, that's why I pushed to the team namespace
[13:29] let's wait for the template - at that point it'll make sense to get together and figure out what's still missing :)
[13:29] sure!
[13:30] great :)
[13:30] nice work :)
[13:38] jdstrand: ping
[13:40] didrocks it works fine :D is security polity available there?
[13:40] *security-policy
[13:42] noizer: no idea TBH, I can just tell you it's the freshest and latest :p
[13:42] didrocks ok thx a lot :D
[13:43] yw ;)
[14:00] jdstrand: hey, please ping me when you're around
[14:00] jdstrand: we'd like to have a call with you today
[14:04] ogra_: I uploaded a new arm64 edge OS snap just today
[14:10] mvo, ok, will test later ... btw ... http://paste.ubuntu.com/15327686/
[14:10] i'm about to push that to the PPA and do some test builds ... if it works i'll upload it
[14:11] (and if it works for the os snap, it should be easy to do the same for the kernel tarballs too)
[14:16] ogra_: nice
[14:16] ogra_: I think you can drop readme.md and package.yaml now
[14:16] mvo, do you need the buildds today ?
[14:16] is it possible to use security-override? mvo zyga-phone
[14:16] in snapcraft
[14:16] i don't want to get in your way with a potentially broken livecd-rootfs in case you need to re-build something
[14:16] ogra_: probably not, I think I did enough
[14:16] ok
[14:17] will drop the package.yaml ...
[14:17] ogra_: i.e. the current edge OS is good so far
[14:17] mvo, what about the gadget dir ?
[14:17] ogra_: if it works on amd64 as well I push to rolling/stable
[14:17] ogra_: we don't need that anymore either
[14:17] noizer: yes
[14:17] noizer: through old-security
[14:17] ogra_: it's all under /snaps now
[14:17] cool, dropping that as well
[14:17] noizer: as soon as the new release is out
[14:17] ogra_: yeah, that should work. nice to see this btw
[14:17] but i now got the new snapcraft
[14:18] but it probably doesn't work on my snappy OS
[14:18] i'm a bit worried about the apt-get install ... not sure if that works
[14:18] but i don't really want to make snappy a hard dep of livecd-rootfs
[14:18] zyga-phone
[14:18] Hi, how do I allow a syscall in my snapcraft.yaml for an app ?
[14:19] an if the app command is a shell script doing an exec, is the syscall authorization OK for the binary which is executed?
[14:19] noizer: I'm sorry I cannot help you today, we can either implement snappy or help everyone on the channel trying things out but not both; in a few days I will have more time and things will be in better shape for you to try them out; please wait for the release for now.
[14:19] (and say the exec'ed binary is also a shell script doing an exec, etc)
[14:19] and if the app*
[14:20] ysionneau, there are ways to make syscall exceptions via snapcraft.yaml ... but ask jdstrand which ones will actually be allowed by the store ... (i think fchown is one of the allowed ones, not sure there are others)
[14:21] oh, so I cannot do syscalls: [send] ?
[14:21] no
[14:21] fyi I get this : Mar 8 13:55:33 localhost kernel: [ 794.318819] audit: type=1326 audit(1457445333.541:13): auid=1000 uid=1000 gid=1000 ses=2 pid=1229 comm="ld-linux-armhf." exe="/snaps/wifid.sideload/LSTDgDnSXTSF/lib/ld-linux-armhf.so.3" sig=31 arch=40000028 syscall=289 compat=0 ip=0x76e9a4d6 code=0x0
[14:21] and 289 seems to be "send"
[14:21] use 'snappy-debug.security scanlog'
[14:21] that will tell you what syscall 289 is on your system
[14:22] and will suggest a 'cap' to use
[14:22] this tool fails with a permission denied error
[14:22] ysionneau: is this on 16.04 or 15.04?
[14:22] 16.04
[14:22] http://pastebin.com/nakZUZ6Y
[14:22] yeah, developing on 16.04 now is difficult-- all of this is in flux
[14:23] it hasn't been converted to the new interfaces yet
[14:23] ok
[14:24] so what can I do then?
[14:24] ogra_, did you ever get the generic initrd package working ?
[14:24] ysionneau: do scmp_sys_resolver 289
[14:24] on the machine that has the error
[14:24] 15:24 < jdstrand> ysionneau: do scmp_sys_resolver 289 < yes, it prints send
[14:24] rtg, yes, but only half way, there are bugs in fakechroot that are kind of blocking atm
[14:24] send is part of 'network-client'
[14:24] I also already give the network-client caps
[14:24] you don't need an override
[14:25] rtg, bug 1553110
[14:25] bug 1553110 in fakechroot (Ubuntu) "weird output of ldd on arm64" [Undecided,New] https://launchpad.net/bugs/1553110
[14:25] your yaml is probably not right for the new interfaces stuff
[14:25] so maybe the right question was : is the capability kept by the process if it does exec ?
[14:25] josepht: hey :-)
[14:25] er
[14:25] jdstrand: hey :)
[14:25] I would say yes since the usual snappy way is to wrap binary calls to export env vars and do 'exec'
[14:25] zyga-phone: hey
[14:25] ysionneau: yes
[14:26] jdstrand: please check out telegram if you can
[14:26] but I don't understand here why my capability network-client doesn't allow me to use "send"
[14:26] rtg, beyond that the initrd should be usable ... it is just that some features like resize do not work atm ... you can just grab ubuntu-core-generic-initrd and pull the img from /usr/lib/ubuntu-core-generic-initrd (and then add modules and stuff)
[14:26] ysionneau: I bet it is because your yaml is wrong for the new interfaces work
[14:26] it is just using the default policy and ignoring everything else
[14:26] ogra_, what package produces the generic initrd ? initramfs-tools-ubuntu-core ?
[14:27] hmm at least the yaml does pass the parsing of snapcraft :o
[14:27] I think that is what jibel and mvo were talking about earlier
[14:27] so it seems OK according to the schema
[14:27] rtg, yep
[14:27] and it seems OK with the examples I see in snapcraft/examples
[14:27] ysionneau: it will only work with unreleased snapcraft + snappy
[14:27] so wait :)
[14:27] zyga-phone: so, there is an email and tg. I will get to it, but it will be a little bit
[14:27] zyga-phone: yes, I'm using unreleased snapcraft :)
[14:27] jdstrand: thanks
[14:28] ysionneau: and unreleased snappy?
[14:28] I'm using snapcraft from git
[14:28] but I'm indeed using the "devel" channel of snappy for rpi2
[14:28] ubuntu-core 2016-03-08 16.04.0-15.armhf
[14:28] ysionneau: that's not enough
[14:29] ysionneau: you have to wait for the snappy release (today)
[14:29] pindonga: can you pull the review tools if you haven't already-- seems the interface rename is all landing
[14:29] alright, thanks!
[14:29] jdstrand, ack, no I haven't (so good you reminded me)
[14:30] pindonga: thanks!
[14:33] jdstrand: Do you have a moment for a call?
[14:33] I pushed a new stable OS update with the most recent change described in https://lists.ubuntu.com/archives/snappy-devel/2016-March/001567.html
[14:33] sergiusens: you have a stable OS update now with the plugs: changes
[14:42] \o/
[14:42] * zyga-phone hugs mvo
[14:42] ysionneau, noizer: try out the fresh image and snapcraft after reading the email above ^^
[14:42] jdstrand?
[14:43] zyga-phone I updated my ubuntu-core already xD
[14:43] saw the good news from mvo :D
[14:46] zyga-phone: thx!
[14:48] I don't see any update after doing snappy update
[14:48] I'm on -15
[14:48] or should I re-generate an image using your ubuntu-image ?
[14:49] ysionneau: armhf version -15? that is ok, that is the most current one
[14:50] ah so I was already on the right one, and with latest snapcraft
[14:50] so I don't get what's wrong
[14:50] maybe I should use "plugs" and not "slots"
[14:51] hmm nope, snapcraft refuses it
[14:51] dpm: for calculator you need to do sed -i "s/slots:/plugs:/" meta/snap.yaml
[14:52] ysionneau: you should use "plugs" for the snapcraft.yaml
[14:53] hmmm is github ubuntu-core/snapcraft up to date?
[14:54] cause I'm using that, and it refuses to parse my yaml if I use plugs :o
[14:57] 15:52 < zyga-phone> ysionneau: you should use "plugs" for the snapcraft.yaml : I get : Issues while validating snapcraft.yaml: Additional properties are not allowed ('plugs' was unexpected)
[14:58] o_O
[14:58] old snapcraft I guess
[14:58] I don't know, it's just out of sync then
[14:58] looks like I don't have the right version, yes, I'm on master branche on SHA1 6d17a601d24b7053ffe92e3cb1d58e0bb9415a36
[14:59] branch*
[14:59] ysionneau: you have to dig in for yourself for a while
[15:03] that's the last commit I see on https://github.com/ubuntu-core/snapcraft/commits/master
[15:11] * ogra_ dances around mvo
[15:11] https://launchpad.net/~ubuntu-cdimage/+livefs/ubuntu/xenial/ubuntu-core-system-image/+build/54544
[15:11] livecd.ubuntu-core.ubuntu-core_16.04-20160308-15:04_amd64.snap (75.9 MiB)
[15:11] :D
[15:11] ogra_: sweeeeeeeet
[15:11] * mvo hugs ogra_
[15:11] mvo, i see you added the arch name to the version in the ones you upload to the store ... should i do the same ?
[15:12] (i'm also not sure about the colon in the timestamp)
[15:12] ogra_: it's no longer needed, I did it because the store broke in a funny way in the past without it
[15:12] ah, cool
[15:12] ogra_: it was also useful to debug an issue where the store sent me an armhf os snap when I was on amd64, I only noticed because of the version string
[15:13] ogra_: but all those issues are fixed now
[15:13] ok, cool
[15:13] what about the colon, can that stay ?
[15:13] ogra_: technically it's an epoch right now
[15:13] oops
[15:13] indeed
[15:13] ogra_: so a "-" would be nicer
[15:14] funny that the package actually built at 15:04 :)
[15:14] ogra_: however very very soon version numbers will have no semantic meaning whatsoever
[15:14] ok
[15:14] ogra_: lol
[15:14] ogra_: nice
[15:14] * ogra_ changes to a dash
[15:14] ogra_: so if it's trivial, please just fix the ":" for now, soon it won't matter :)
[15:14] i386 looks fine too ... waiting for the arms then i'll push that to the archive
[15:14] yeah, totally trivial
[15:15] nice, great work!
[15:16] heh, only the start ... the tricky part is to teack cdimage about .snap now
[15:16] mvo, ok, thanks! Will do it in a couple of hours and let you know. Any news on the upload of the snapcraft version that supports these changes?
[15:17] *teach
[15:20] dpm: oops, I forgot, the last I heard from sergiusens was that he wants a stable os snap first that supports it. he is in an eastern timezone now I think so he will probably read this tomorrow
[15:20] yeah, he's probably already drowning in beer
[15:22] :)
[15:22] ok, thanks mvo
[15:30] niemeyer: I will have a moment for a call yes, but I haven't yet had a moment to catch up on the thread
[15:30] niemeyer: I'm going through this now. can I ping you in a few minutes?
[15:31] niemeyer: can I rely on the email thread as everything I need to know or should I read through the (long) tg discussion?
[15:32] jdstrand: The email thread+document is much better than the tg thread for context
[15:32] ok, let me get through that and ping you
[15:32] jdstrand: I'll step out for lunch now.. we can catch up in a couple of hours
[15:32] that works for me as well
[15:39] niemeyer: fyi, I left a comment on https://github.com/ubuntu-core/snappy/pull/606#issuecomment-193820189 which I'm not sure will affect your judgement on whether it should be closed or not
[15:43] jdstrand: https://github.com/ubuntu-core/snappy/pull/608/files
[15:43] jdstrand: I'm working on cleaning up patches that take this and splice the interface snippets inside in the right places
[15:44] cool
[15:44] zyga-phone: fyi, I came up with a very compelling use case for the policy being in files
[15:45] zyga-phone: the developer experience is supposed to be: snappy try (or similar)
[15:45] zyga-phone: that puts the snap in complain mode where everything is allowed, but violations of policy are logged
[15:45] zyga-phone: then another tool is supposed to take those violations and suggest things
[15:46] zyga-phone: that tool can't suggest things without having access to the policy files
[15:46] jdstrand: I see, how does that tool work today?
[15:47] zyga-phone: well, there are several tools that are going to need to be combined to support the way this is supposed to work (ie, snappy try doesn't do any of the above-- it has to be implemented)
[15:47] zyga-phone: but essentially, the tools would all use libapparmor to parse the log
[15:48] zyga-phone: then they examine the policy files
[15:48] then they say 'add network to your plugs', etc
[15:48] jdstrand: snappy can easily expose those over the API
[15:48] jdstrand: this way the tool can actually work without changes later
[15:48] what api?
[15:48] jdstrand: the rest api
[15:49] jdstrand: we could simply expose all of the text verbatim
[15:49] zyga-phone: so you're saying that the tool asks the rest api to dump all of the policy for it to then examine?
[15:49] jdstrand: so you could essentially wget each of the text files
[15:50] jdstrand: something like it, the advantage is that you could work with the tool remotely as well (nice dev UX)
[15:50] jdstrand: and locally it would not get out of date/out of sync
[15:50] using files it wouldn't get out of sync either-- it would only use the files on the system
[15:50] but yes, this is an option
[15:51] I guess it is also an answer to the auditing problem I mentioned
[15:51] jdstrand: well, it'd be more complex to test consistent sets IMHO
[15:51] I don't see how
[15:51] jdstrand: yeah, I think we can easily expose each snippet as plain text
[15:51] "give me all the files" vs "open all the files"
[15:51] jdstrand: (you just need snappy, not any other package, to be consistent)
[15:51] jdstrand: they come from different places
[15:52] I know you guys are excited about all the policy in go. I am not blocking, but I am not
[15:52] jdstrand: this will also look more complex as snappy moves beyond 16.04
[15:53] cause looking at https://github.com/ubuntu-core/snappy/pull/608/files it would be just as easy for 'const defaultAppArmorTemplate = ' to be a read on a file in a known location, but I won't beat this horse any more
[15:54] jdstrand: I thought about that and have this implemented (for a few weeks)
[15:54] jdstrand: but it's still more complex, e.g. on the desktop that package can be updated
[15:54] jdstrand: so then you now must do invalidation properly
[15:55] jdstrand: you have to do parsing (I'll break the template into parts so that parsing is not required)
[15:55] I don't consider policy updates a bad thing
[15:55] anyway, we shouldn't rehash this. you guys won
[15:55] jdstrand: neither do I, but in this model you restart snapd and you're consistent
[15:55] jdstrand: I'm not trying to convince you over random stuff, IMHO this is really easier to work with
[15:55] jdstrand: from a purely technical POV
[15:55] please remember our caching discussion thouch
[15:55] though
[15:56] cause there are very important performance considerations
[15:56] yeah, I know
[15:56] I'll get to caching
[15:56] ok, cool
[15:56] that is the most important thing
[15:56] if we handle that right, we can see how the policy stuff goes and adjust
[15:58] jdstrand: I'll try to make snap connect write all the security files today
[15:58] won't reload aa profiles but will do 90% of the work
[15:59] cool
[15:59] it's a big change with the state engine but the primitives are ready
[15:59] just need to finish this real aa policy text to be there
=== chihchun is now known as chihchun_afk
[16:03] jdstrand: https://github.com/ubuntu-core/snappy/pull/611
[16:03] seccomp side
[16:11] zyga-phone: so, in addition to inserting snippets in the right place, you are aware that in the apparmor template you need to also set ###VAR### and ###PROFILEATTACH###, right?
[16:11] jdstrand: yeah, I have had that code for a few weeks
[16:11] ok
[16:11] (my piglow demo behind me is a proof of that :)
[16:11] that's fine
[16:11] :)
[16:12] I'll ask you for review though
[16:12] just wanted to be sure
[16:12] * jdstrand nods
[16:13] jdstrand: can you have a look at: https://github.com/ubuntu-core/snappy/pull/612
[16:13] jdstrand: this changes how we call ubuntu-core-launcher
[16:14] yes, that is the thread I am trying to get to reading
[16:14] jdstrand: oh, sorry
[16:14] ok
[16:14] not your fault
[16:15] my inbox and irc backscroll is quite a lot today
[16:21] jdstrand: ping
[16:21] jdstrand: Can we have it now?
[16:24] jdstrand: ? :-0
[16:24] :-)
[16:24] still reading
[16:24] I thought I had two hours :)
[16:24] so I tended to other pressing things
[16:24] I'm almost through it
[16:26] jdstrand: Can you please join the hangout? mvo will be off in 40 mins
[16:26] * jdstrand notes this also requires a bit of research, which I'm also doing
[16:26] https://plus.google.com/hangouts/_/canonical.com/snappy-devel
[16:26] ok, forgive me if my opinion isn't as well-thought out as I'd like it to be
[16:27] jdstrand: Don't worry, that's a friendly call to sort it out.. we can discuss questions live
[16:44] fgimenez: I think this panics when the config is not present: https://github.com/ubuntu-core/snappy/blob/master/integration-tests/tests/base_test.go#L54
[16:44] https://www.irccloud.com/pastebin/kZ8l9nLL/
[16:45] fgimenez: what if I os.Stat the file, and put all this inside an if?
[16:49] elopio, yes, that can work and keeps it all very clear
[17:19] plars: can you try this one please?
[17:23] zyga-phone: you asked me to look at https://github.com/ubuntu-core/snappy/pull/612/files. is that still needed in light of the meeting we just had?
[17:23] jdstrand: I think not anymore :)
[17:23] ok, that's what I thought
[17:23] jdstrand: thanks!
[17:24] jdstrand: so I see you reviewed the seccomp blob, that's great, I'll merge it
[17:24] zyga-phone: I reviewed 611 (seccomp), do you need me to look at 608 (apparmor)?
[17:24] please do the same for .. .yes :D
[17:24] fantastic
[17:24] hehe
[17:24] I'll get this to work all the way today
[17:26] jdstrand: I was looking at one extra thing but that can wait for tomorrow (even for discussion)
[17:26] jdstrand: to have a knob to switch a single snap to development mode
[17:26] jdstrand: so we get advisory logs, not denials
[17:26] jdstrand: I think I know how to do it but I'll tell you about what I think I know tomorrow :)
[17:26] jdstrand: when that is available, we can remove hw-assign
[17:28] zyga-phone: that is actually quite easy. let me get that for you
[17:28] jdstrand: is that just one extra flag in the "header" of the profile?
[17:28] jdstrand: I read the python code that does aa-{stuff-i-forgot} from apparmor-utils
[17:28] it is
[17:29] jdstrand: if that's the case I can just bake support for that right into the tooling
[17:29] elopio: what is it you want me to try?
[17:29] jdstrand: lovely, we need to think how to remember that in the state though (persistent, etc) but I think this will fly
[17:29] plars: this should fix your panic.
[17:29] zyga-phone: change this: '(attach_disconnected)' to 'flags=(attach_disconnected,complain)'
[17:30] zyga-phone: feel free to change '(attach_disconnected)' to 'flags=(attach_disconnected' in the normal case
[17:30] jdstrand: noted, thanks
[17:30] * zyga-phone really writes this down on paper
[17:30] err
[17:30] 'flags=(attach_disconnected)'
=== vrruiz_ is now known as rvr
[17:31] zyga-phone: unfortunately for seccomp the launcher is going to need to be updated
[17:31] jdstrand: seccomp doesn't have anything like that, right?
[17:31] zyga-phone: (since it is effectively the seccomp policy parser)
[17:31] there is no parser like with apparmor
[17:31] the launcher is the parser
[17:31] jdstrand: so how do you want that to work?
[17:32] jdstrand: right, right
[17:32] so the launcher needs to be updated
[17:32] jdstrand: ah, the wrapper script
[17:32] jdstrand: or the actual ubuntu-core-launcher
[17:32] ?
[17:32] ubuntu-core-launcher
[17:32] mterry: can I bother you for a moment? I need help with the pipeline test you wrote ages ago.
[17:32] it is what takes the list of syscalls from our generated file, parses the file and then adds each syscall via a C api
[17:33] elopio, hello
[17:33] zyga-phone: and right now it only does enforce mode
[17:33] yeah, I know, let's draft the minimum required change to the launcher to support developer mode
[17:33] mterry: hi. How are you?
[17:33] mterry: could you first explain to me what's the idea of this test?
[17:33] and let's see what we can make with that [17:33] the good news is this all happens after dropping privs [17:33] elopio, uh... can you point me where in the code we're talking about? [17:33] mterry: https://github.com/ubuntu-core/snapcraft/blob/578fd4657218ce3e1900155a5742436b4757c8a2/examples/libpipeline/test.c [17:34] oh, wait, that's an old revision. [17:34] mterry: https://github.com/ubuntu-core/snapcraft/blob/master/examples/libpipeline/test.c [17:36] zyga-phone: for this to work well we need to also patch the kernel to log the security label of the process seccomp is killing/auditing [17:36] jdstrand: ok, it seems that full developer mode is still a few days away then; do you have someone to do this work? [17:38] elopio, um, if I recall, it was to demonstrate that snapcraft could integrate with your locally built project too. Like you have your source tree. And then you had snapcraft grab all the dependencies and build them. And then you could run "snapcraft shell make" to build your local project pointing at the snapcraft built files. I don't know whether that concept meshes with the snapcraft of today anymore [17:38] elopio, (i.e. to demonstrate that you could build that local test.c against snapcraft's copy of libpipeline) [17:39] zyga-phone: I will be doing the dev mode stuff from the security team. This will not land this week. 
I will be focusing on enabling you to move fast on interfaces, the framework migrations and snappy on classic policies before developer mode
[17:40] okay
[17:40] killing hw-assign is not important, I just fixed it locally
[17:40] so it now has $snap.$app IDs
[17:40] I'll follow up with one more consolidation branch that makes $snap.$app just $snap when $app == $snap
[17:41] I want to take a stab at Connect() today
[17:41] since it is implemented, that sounds fine, though I'd personally like to see what the interface equivalent of hw-assign will be once the old-security/caps is migrated and old-security/security-template is gone
[17:42] cool
[17:42] mterry: well, that makes sense today too. Now I'm wondering what should be the output of the test.
[17:43] elopio, I think it was designed to be run in that folder itself. And it uses a different grep pipeline than http://bazaar.launchpad.net/~mterry/+junk/pipelinetest/view/head:/test.c does, so that the test knows it's using the local test, not the remote test
[17:43] mterry: it used to print https://paste.ubuntu.com/15329134/
[17:43] now it prints just the first two lines.
[17:44] and I don't understand why it prints grep c when this line shows grep s: https://github.com/ubuntu-core/snapcraft/blob/master/examples/libpipeline/test.c#L9
[17:45] elopio, grep c is because you're calling the test code from lp:~mterry/+junk/pipelinetest, not the locally built test
[17:45] elopio, http://bazaar.launchpad.net/~mterry/+junk/pipelinetest/view/head:/test.c
[17:48] mterry: ok, so it should print grep s. Not grep c. And it should print the contents of the snap, not of your junk.
[17:49] I think didrocks changed the cwd, so that explains ls not showing anything.
[17:49] elopio, well the idea is that we can run both, to show that snapcraft can build a local project and a remote project against an internally built libpipeline
[17:49] elopio, but yeah the cwd change would explain a new failure
[17:52] oho
[17:52] * zyga-phone realized we need udevadm control --reload-rules
[17:52] jdstrand: ^^ added to my todo
[17:52] along with udevadm trigger
=== chihchun_afk is now known as chihchun
[17:57] mterry: thanks. That was a tangled test you wrote in there :)
[17:57] I'm happy for now that we are getting the "custom libpipeline called" message. I think we are calling the wrong test.c, but I'll dig more about it.
[17:58] we might need a better command than grep to test it now that the dir is empty.
[17:58] elopio, yeah that test probably could have been better documented :)
[17:59] zyga-phone: nice
=== chihchun is now known as chihchun_afk
[18:14] Hi all!
[18:14] I'm trying to flash a device, but ubuntu-device-flash just hangs :/
[18:14] this is the third time I run it, now I left it a couple of hours
[18:14] see http://pastebin.ubuntu.com/15329318/
[18:15] is there any way to make it show progress or something?
[18:16] Facu, you probably want the #ubuntu-touch channel
[18:18] ogra_, err, you're right
[18:18] :)
[18:22] elopio: what is the change to make?
[18:24] ogra_, thanks!
[18:26] plars: https://github.com/ubuntu-core/snappy/pull/614/files
[18:27] ogra_: hey
[18:27] elopio: yeah, I thought that might be it from the backlog and had just tried it locally... doesn't *seem* to work
[18:27] zyga-phone, yo
[18:27] ogra_: how can I help to update firmware and other bits needed for pi2 camera?
[18:27] (as in, how can I fix the problem for everyone)
[18:28] elopio: wait, maybe... one sec
[18:28] plars: still panics?
[18:28] hey plars, long time no see :)
[18:28] zyga-phone, i need to update the firmware anyway (for rpi3 support), i'll try to get to it this week
[18:28] ogra_: do you think you could show me how you do it
[18:28] ogra_: I know you can do it but I'd love to learn how this works
[18:28] elopio: it fails differently at least. I can get -h output now, but -check.list doesn't work. One sec and I will pastebing
[18:28] *pastebin
[18:29] zyga-phone, well, i pull the upstream binary blobs from github and replace the ones in the snap ... then build an image with that and see if it boots
[18:29] in the kernel snap? check
[18:29] no magic in that
[18:29] ok
[18:29] no
[18:29] gadget
[18:29] elopio: it still seems to try to run the setups
[18:29] and if they work, where do you commit this back?
[18:29] elopio: https://www.irccloud.com/pastebin/p58PGbaJ/
[18:29] oh, gadget?
[18:29] ok
[18:30] zyga-phone, https://github.com/raspberrypi/firmware/tree/master/boot
[18:31] the gadget source is in the snappy-hub branch
[18:31] ogra_: I mean about our side, I know where the upstream blobs are
[18:31] ah
[18:31] ok
[18:31] ogra_: if I do it, will you review my changes?
[18:31] it is binaries ... there is nothing to review :)
[18:32] ogra_: well, you can tell me that I did it right and land it :)
[18:32] ogra_: I just want to 1) help 2) learn
[18:32] if you replace the binaries and manage to still boot, i'm happy to nod it off
[18:32] (maybe 2), 1), because I'm a selfish dude)
[18:32] perfect
[18:33] (essentially bootcode.bin and the dtb's, the start* files we ship and the fixup* ones we ship need replacing)
[18:33] and make sure to use the latest license files just to be sure they are not out of date
[18:34] hmmmmm ....
[18:34] so i have the livefs builder spit out ubuntu-core snaps now
[18:34] 0o
[18:34] but cdimage doesn't allow wildcards ... and the snap needs a version string in the name
[18:34] plars: the list command shouldn't be running the set up suite.
[18:35] tricky
[18:35] plars: my pr seems to fix the init. So now I'll resurrect the list PR.
[18:36] beuno, does the store care how my snap is named ? or does only the meta/snap.yaml data count ?
[18:36] ogra_, it totally ignores i
[18:36] it
[18:36] beuno, so the snap at https://launchpad.net/~ubuntu-cdimage/+livefs/ubuntu/xenial/ubuntu-core-system-image/+build/54560 could be totally unversioned ?
[18:37] (and the store would happily accept)
[18:37] ogra_, yeap
[18:37] yay
[18:37] * ogra_ changes the code to rip out the version string ... perfect
[18:38] so tomorrow we'll have all os snaps on cdimage then :)
[18:38] (and tomorrow evening also the kernel snaps )
[18:38] woooo
[18:40] elopio: I can try just cherry-picking it again in a bit, tied up with something else at the moment
[19:08] elopio: ok, I pulled the list fix in and it's getting better:
[19:08] https://www.irccloud.com/pastebin/NhcJ5PrG/
[19:09] elopio: also, I think the systemctl calls should also be skipped but this is still pretty hacky as it just checks for that file. I need to check on something, but at some point we *have* to set up that file to run the tests. If that happens before we generate the list of tests, then we're back to the original troubles
[19:17] wesleymason: I see you have the errbot charm. Are you using it somewhere?
[19:18] plars: yes, we know we shouldn't be doing any calls in init.
[19:18] the systemctl calls are easy to move, but I need to discuss with Federico because he moved them here first.
[19:18] elopio: sure, np
[19:18] Will be using it in the online services channel when I have chance to build a mojo spec for it.
[19:18] the others are not so easy. The wait is a workaround, so we could ignore it.
[19:19] the setup snappy from branch is going to be tough, but with this simple if we can push the problem for later.
[19:20] The reactive framework has been both a pleasure and a pain. Like Fifty Shades of Juju.
[19:20] wesleymason: if you have patience with me while I learn juju, I can help.
[19:20] I will deploy it in my canonistack to check it out.
[19:23] elopio: after working with juju for so long patience is all I have left ;-)
[19:24] I accept the challenge leave you without even that!
[19:24] *to
[19:25] is there a guide on how to secure a snappy core? would like to replace the ubuntu account and switch from dhcp to static. is it the same process as normal ubuntu or is there a specific process to make sure the config sticks?
[19:31] orby, http://paste.ubuntu.com/15329884/
[19:31] that's a script i use to set up machines
[19:49] ogra_: thank you
[19:50] google dns eh? :)
[19:54] i'm lazy :)
[20:14] what is the correct way to refer to the system, snappy, snappy core, ubuntu core?