/srv/irclogs.ubuntu.com/2016/05/06/#snappy.txt

=== chihchun is now known as chihchun_afk
=== chihchun_afk is now known as chihchun
zygao/07:00
commander_hi snappers08:02
commander_i need help08:02
commander_am trying to pack my qt app for snap store08:03
commander_anyone here ??08:03
commander_my app is precompiled with qmake can i snap it ??08:09
commander_who is on ??08:09
commander_i need help08:09
didrockshey commander_! I don't think we have a qmake plugin, but kyrofa and sergiusens would be able to help you in a few hours (they are US-based)08:11
didrocksah, snap08:11
wsnipexhi. I'm working on packaging kodi as snap package and have problems getting opengl to work08:44
wsnipexit trying to load the intel driver i965_dri.so, but claims the file doesn't exist, while it IS in the snap at the correct location08:46
wsnipexhere is the console output with LIBGL_DEBUG=verbose: http://paste.ubuntu.com/16252748/08:47
wsnipexany pointers would be much appreciated08:48
zygawsnipex: hey09:39
zygawsnipex: looking at your output the thing that jumps at me is this:09:40
zygalibEGL warning: DRI2: failed to open i965 (search paths /usr/lib/x86_64-linux-gnu/dri:${ORIGIN}/dri:/usr/lib/dri)09:40
zygalibEGL warning: DRI2: failed to open swrast (search paths /usr/lib/x86_64-linux-gnu/dri:${ORIGIN}/dri:/usr/lib/dri)09:40
wsnipexyeah, the lib is there though09:40
zyganote that snaps do not chroot, so your search path has to understand $SNAP09:40
zygaalso note (play with hello-world.sh) that snap apps don't see your normal /09:40
zygaas they get the ubuntu-core snap bind-mounted in various places09:41
zygaso you don't see your normal /usr09:41
zygayou see the very same ubuntu-core snap /usr09:41
zygathe same on desktop and "devices"09:41
zygawsnipex: does this make sense? do you see what I mean?09:41
wsnipexthats what I thought. How can I modify the command wrapper that sets LD_LIBRARY_PATH? its always overwritten09:41
zygawsnipex: you can just add one more wrapper09:41
zygawsnipex: we also have SNAP_LIBRARY_PATH but we don't use it for intel AFAIR, it is used for nvidia09:42
wsnipexI'm completely new to snaps, so please bear with me09:42
zygano worries, we all are :)09:42
* zyga should publish the next article about snap runtime environment and confinement details09:42
wsnipexso, how/where do I add another wrapper?09:43
zygawsnipex: add a new app, say 'sh' and run shell there09:43
zygain that shell experiment with various LD_LIBRARY_PATH values09:43
zygaonce you know what you want09:43
wsnipexalbeit I can do it in our own wrapper script, I'd like to change as little in kodi as possible09:43
zygaadd a new file in the build tree, make sure it gets copied with snapcraft.yaml (using the copy plugin)09:43
zygaand change the command of the app you were running originally to run the wrapper09:44
wsnipexah, I see, thanks09:44
zygawsnipex: but first experiment with just a shell, look at how the environment looks like there09:45
wsnipexso currently there is no way to directly influence the default wrapper09:45
zygathere are two "wrappers"09:45
zygathe one in /snap/bin/ made by snappy on install09:45
zygayou cannot influence that one09:45
wsnipexheh, yes. I mean command-kodi.wrapper09:45
zygaand one by snapcraft (command-foo.*)09:45
zygayou can freely change that one though that's something snapcraft makes09:45
zygait's just part of snapcraft implementation detail09:45
wsnipexI tried that, but my changes were overwritten on snapcraft snap09:46
zygayes, I know, the solution is to add your own wrapper :)09:46
zygarun it as the 3rd wrapper09:46
zygasorry, we'll get it more streamlined over time09:46
zygajust didn't have the time for 16.04 :)09:46
wsnipexno worries09:47
wsnipexalso the plugins could be more flexible, specially autotools and cmake ;)09:47
zygathose are extensible09:48
zygayou can have your own local plugins in your tree09:48
zygaand snapcraft picks them up09:48
zygait's all python so it is pretty flexible09:48
wsnipexyeah, I saw that, just didn't have time to look further into it09:49
wsnipexzyga, http://paste.ubuntu.com/16254300/09:56
zygalibEGL warning: DRI2: failed to open i965 (search paths /usr/lib/x86_64-linux-gnu/dri:${ORIGIN}/dri:/usr/lib/dri)09:57
zygasame search path?09:57
wsnipexI've exported and printed LD_LIBRARY_PATH09:57
wsnipexfirst line, 1st entry09:57
zygaI saw that but look at the "search paths" part being indifferent09:57
zygamaybe something different09:57
wsnipex-rw-r--r-- 5 root root 6561728 Apr 14 21:08 /snap/kodi/100001/usr/lib/x86_64-linux-gnu/dri/i965_dri.so09:57
zygaEGL specific probably09:58
zyganothing is looking at that directory09:58
wsnipexyeah, it seems to ignore the ld_library_path09:58
zygathere's no chroot /usr/lib/x86_64-linux-gnu/dri is _not_ the same as $SNAP/usr/lib/x86_64-linux-gnu/dri09:58
wsnipexsure, I get that09:58
zygasorry, this is new ground to me09:58
zygaI wish I knew where this is hardcoded09:59
wsnipexmight have to take this up with intel mesa devs09:59
zygastrace it, grep for PATH in sources, look at gdb, poke around09:59
wsnipexwill do10:00
wsnipexand thanks for your help!10:00
zygagood luck, ping me back when you get it running10:00
zygaI think this should be handled better by the opengl interface10:00
zygajust not sure how exactly just yet10:00
wsnipexyeah, probably dlopen is not the optimal way10:01
commander_hi10:21
commander_i snapped a package but didn't got .snap file after successful compilation10:22
commander_am using ubuntu 14.0410:22
commander_anyone to help here ??10:25
wsnipexzyga, got a step further: LIBGL_DRIVERS_PATH: /snap/kodi/100001/usr/lib/x86_64-linux-gnu/dri10:26
zygacooool10:26
wsnipexlooking at the mesa code brought up this var10:26
zygaI'll write this down, perhaps something we should set in snapcraft/snappy by default10:27
commander_i snapped a package but didn't got .snap file after successful compilation'10:27
commander_guys10:27
commander_help me please10:27
zygawsnipex: does it load now?10:27
wsnipexso, I now briefly see kodi starting... before it cores :)10:27
zygacommander_: please share the log/output in a pastebin10:27
zygawsnipex: strace/gdb helps10:27
commander_okay zyga10:27
zygawsnipex: add gdb,strace as parts to your snap10:27
zyga(and busybox)10:27
zygashell inside and poke around10:28
zygause: ulimit -c unlimited10:28
zygaand cd $HOME to make the core there10:28
zygayou can inspect that core later10:28
zygaI went through this experience yesterday10:28
zygawhat helped a lot was fetching specific libraries with apt-get source10:28
zygaand building them with DEB_BUILD_OPTIONS=nostrip10:28
zygaso that I would have symbols for gdb10:28
zygathis helped me zero on the issue10:29
zygaif you want I can also show you a trick that will let you skip snapcraft snap part10:29
zygaand just work live10:29
wsnipexits still something with gfx10:29
zygawith a "writable" snap10:29
zygawsnipex: after you install your snap the first time, unmount it (assuming there are no services running)10:29
commander_zyga, http://pastebin.com/cEyUbB5R10:29
wsnipexthat'd be cool10:29
zygaand sudo mount --bind /path/to/your/build/tree/snap /snap/$SNAP_NAME/10000* (the largest revision)10:30
zygathen you can run your snap and you can compile/edit/change stuff10:30
zygaa bit hacky but nice before we finish $ snap try10:30
commander_i got no .snap file10:30
zygacommander_: is this with snapcraft on ubuntu 16.04?10:30
commander_its on 14.0410:30
zygacommander_: can you do snapcraft clean; snapcraft | pastebinit10:31
commander_okay wait10:31
zygacommander_: show that output to kyrofa or sergiusens though we're a bit busy with sprint prep (me included) so no promises10:31
commander_zyga, i cleaned and run snapcraft10:32
* zyga has to dig out some ram from his 2nd PC, brb10:32
commander_okay10:32
wsnipexnice trick :)10:32
commander_zyga, it is downloading everything again10:32
commander_i mean libraries and other stuffs10:33
commander_please look at my yaml file once plz10:33
commander_zyga,  here it is http://pastebin.com/kbpyv3Y110:34
popeyzyga: do we support it on 14.04?10:34
zygapopey: no10:34
commander_kyrofa,  here is my yaml http://pastebin.com/kbpyv3Y110:34
commander_popey,10:35
popeyzyga: so.. the fact that commander_ is on 14.04....10:35
commander_am keshav bhatt @keshavmail68 from twitter10:35
zygacommander_: you need to use 16.0410:35
commander_i also unable to upgrade to 16.04 from ubuntu 14.0410:35
zygasergiusens: it would be nice if we could SRU snapcraft to 14.04 that says "use xenial" if it sees plugs/slots10:36
commander_popey, i logged in to my dev account on developer portal and it said its disabled , whats the matter ???10:36
zygaor something similar to version snapcraft support properly10:36
popeycommander_: I don't know.10:36
commander_zyga, what about my yaml file bro is it  okay ???10:36
commander_popey, i mean why will they disable my account for no reason ??10:37
zygacommander_: on xenial it might build, the icon is no longer something you set in the yaml, put it in setup/gui10:37
proteusguydoes snappy use systemd?10:37
zygaproteusguy: yes10:37
proteusguyzyga, thanx. I don't suppose there's any simple way to eliminate systemd from snappy and use something else?10:38
commander_zyga,  i also noticed a bug in snapcraft10:38
zygaproteusguy: i don't know, you'd have to explore, I doubt that would be accepted upstream though10:39
zygaproteusguy: systemd is used for a number of things10:39
commander_zyga, it is unable to build example from launchpad , if it will try do download untrusted packages , i mean if gpg signature is missing for a package it will simply skip download with some apt-get errors .10:40
zygaproteusguy: look at the source, there's a lot of things happening there with various places10:40
zygacommander_: sorry I cannot help you with 14.04 and snapcraft issues10:40
commander_okay i will install ubuntu 16.04 tonight10:41
commander_i will talk to you later okay :) thanks for your time bro10:41
commander_zyga, bro snap file appeared this time10:42
commander_haha10:42
commander_its working now10:42
commander_thanks10:42
proteusguyzyga, that's what I figured. thanx for your reply.10:42
commander_it saying snapping \10:43
commander_my 2mb app is now 80mb wts that ???10:47
commander_is it okay ??10:47
Chipacacommander_, what libraries does it use?10:48
commander_qt libs10:48
Chipacacommander_, only 80mb? quite good10:48
commander_its a qt app uses qml and c++10:48
Chipaca:-)10:48
commander_what ! :D10:49
Chipacacommander_, so the 80mb is all of qt and c++ libs10:49
davmor2commander_: that's about right then, look at the clock and calculator apps and see how big they are :)10:49
commander_and whats the issue with debian packaging it make only a 2mb package10:49
commander_haha10:50
commander_guys here is my app www.ktechpit.com/ubuntu/ktechpit-com-released-ubuntu-play-store-ubuntu-14-04/10:50
commander_if you wana check it out you can download a trial version .10:50
wsnipexbefore I forget:  it might be nice to document how to use snap behind a proxy somewhere, took me a bit to find that overriding systemd config with Environment=http_proxy10:51
commander_bye guys i will join later10:56
zygawsnipex: there's an open bug about proxy support11:01
zygawsnipex: we'll have to look at how that should work properly11:01
wsnipexwell, go supports the http_proxy env var ootb11:02
wsnipexbut systemd doesn't allow reading those11:02
zygayes but it's tricky because this is the daemon that has to know this :)11:02
zygaexactly11:02
wsnipexso you have to set it in the systemd.service11:03
wsnipexthe real issue with systemd is: you cannot have real variables in the systemd environment11:03
wsnipexso you can't do: Environment=http_proxy=$http_proxy11:03
wsnipexwhich is a real pita11:04
zygawell that cannot obviously work11:04
zygathe reality is that proxy support is more complex than a single global setting11:05
wsnipexit could, if it was set in /etc/environment and systemd would read that11:05
zygareal proxies often require more elaborate setup, if we're fixing proxy we should really make it work11:05
zyganot just more work11:05
wsnipexbest option might be to have snap read it and pass it on to the daemon, if thats possible11:06
zygawhat if each user has different proxy?11:06
wsnipexif snap reads the users env, that'd be no issue11:06
zygawhat if both users want a different proxy?11:06
wsnipexnot snapd11:06
zygaone snapd services many users11:07
zygaanyway all I'm saying is that there's a bug and this is not a trivial thing to solve11:07
wsnipexyes, have snap (not snapd) read it11:07
zygabrb11:07
Chipacawsnipex, whats the problem with proxies? without making me read all the backlog :-)11:18
Chipacawsnipex, do you have a particular issue that needs addressing?11:19
Chipacaor is it a more generic "we should support this" thig11:19
Chipacathing11:19
wsnipexsnap won't use a system configured proxy11:19
wsnipexunless you override the snapd systemd service11:20
Chipacawsnipex, i ask you again, are you having a problem you need solving, or is it an on-principle issue?11:20
wsnipexI solved it for me, so the latter11:21
Chipacawsnipex, how did you solve it? editing the .service file?11:21
wsnipexI created /etc/systemd/system/snapd.service.d/proxy.conf11:22
wsnipex[Service]11:22
wsnipexEnvironment=http_proxy=....11:22
Chipacawsnipex, question for you: would doing, instead, `EnvironmentFile=/etc/environment` solve it for you?11:23
wsnipexa little cleaner than editing the actual service file11:23
wsnipexthat might actually work, let me try11:23
Chipacaah, yes, copying to /etc/ is what i meant by editing (on a snappy core it's your only option)11:23
Chipacawsnipex, followup question is whether instead of that, PassEnvironment=<space-separated list of proxy env vars> works for you11:24
Chipacathen we can talk about which approach is best of these two, if they both work11:25
wsnipexyes, works11:25
wsnipexcould be a decent solution11:25
Chipacaogra_, on snappy core is /etc/environment writable?11:25
wsnipexbut it won't work for users having different proxies11:26
ogra_Chipaca, i dont think so ...11:26
ogra_(and we should find some other mechanism ... if you need global vars)11:26
Chipacawsnipex, i hear you. Not sure there's much we can do for users with different proxies at this point.11:27
ChipacaI mean, passing the info from the user to the server is incredibly tricky11:27
Chipacaand most of the time is going to be the wrong thing to do anyway11:28
wsnipexPassEnvironment doesn't work11:28
Chipacanoted11:28
Chipacata11:28
ogra_per user stuff should come from /etc/profile.d11:28
wsnipexdidn't even know this11:28
wsnipexwhere should PassEnvironment take the env from?11:28
Chipacawsnipex, systemd11:28
Chipacawsnipex, it's "pass these env vars from systemd to the child"11:29
Chipacaogra_, isn't /etc/profile.d (ba)shist?11:29
Chipacaogra_, ie not something like /etc/environ11:29
ogra_well, pam parses it iirc11:30
ogra_so it is "loginish" :)11:30
ogra_it is where per-user stuff should go :)11:31
Chipacaogra_, /etc/profile.d is parsed by pam? things like /etc/profile.d/bash_completion.sh ?11:31
Chipacathat sounds wrong11:31
ogra_well, by shell logins11:32
wsnipexits parsed by the shell11:33
wsnipexuh, maybe pam_env reads them11:35
ogra_no, i think that reads ~/.pam_environment only11:36
ogra_thats probably the best place to use then :)11:37
kyrofaGood morning11:38
wsnipexhow can I get around: Mount snap "kodi" (cannot find mounted snap "kodi" at revision 100001)11:43
wsnipexcan I force install somehow?11:43
ogra_how did you build it ?11:44
ogra_snapcraft ?11:45
wsnipexyes, but I had it installed before already11:45
wsnipexthen following zyga's advice to debug it, umounted it manually11:46
wsnipexnow I cannot get it to install anymore11:46
ogra_hmm, zyga might know a way out then :)11:46
ogra_since he got you into this11:46
wsnipexwhere does snapd store its state?11:46
wsnipexit clearly thinks its already installed, so if I could purge this somehow..11:47
kyrofawsnipex, may I suggest the reset-state script in https://github.com/zyga/devtools/ ?11:52
wsnipexkyrofa, thanks!12:04
wsnipexworked12:04
kyrofawsnipex, hopefully once the next release makes it through the SRU process that won't be necessary anymore12:05
wsnipexnice12:06
oparozHey guys, can we use ZFS snapshots in Ubuntu Core to keep track of changes when doing updates/rollbacks?12:26
ogra_no12:28
oparoz;(12:28
oparozWhy ogra_ ? ZFS isn't available?12:28
ogra_Perhaps in the future....12:28
kyrofaogra_, will ZFS be supported at all now that it's in xenial?12:28
ogra_right12:28
kyrofaAh12:28
ogra_kyrofa, I still don't see it as a good default for embedded.... Beyond that we would indeed need to have support for that in all usespace tools12:29
ogra_*user12:29
ogra_(and it is only available on 64 bit arches afaik)12:30
kyrofaogra_, ah, right, now I remember a conversation you had with someone else about this a few weeks back12:30
oparozAh yeah, I kind of forgot the memory requirements...12:30
oparozARC is super hungry12:30
ogra_I think it is a good idea to support it long term... Optionally12:31
ogra_but definitely out of scope for the first image12:31
oparozThanks ogra_12:33
wsnipexhmm, how can I disable binary stripping in snapcraft?12:37
=== JanC is now known as Guest26117
=== JanC_ is now known as JanC
=== chihchun is now known as chihchun_afk
sergiusensdidrocks if commander comes back, tell him to watch the UOS workshop session  :-)13:08
kyrofawsnipex, what bad stuff is happening?13:09
sergiusenswsnipex we don't do binary stripping just yet13:10
sergiusenswe will, we don't :-)13:11
=== oparoz is now known as Guest66429
=== oparoz_ is now known as oparoz
wsnipexright, I simply misinterpreted the snap output. Once I disabled stripping in the application build, its ok13:18
wsnipexnow I at least get a gdb trace of my crash: http://paste.ubuntu.com/16258222/13:18
kyrofawsnipex, indeed, as sergiusens mentioned, we will eventually strip (which is why it's named "strip"), so you didn't really misinterpret :)13:19
wsnipexis snap restricting access to set locale?13:19
kyrofawsnipex, ah, I know that error!13:19
kyrofawsnipex, are you running this in Ubuntu Core or the desktop?13:20
wsnipexdesktop13:20
kyrofawsnipex, I'm far from a locale expert so I don't actually know the problem, but one of my snaps had that problem as well and I ended up setting LC_ALL=C.UTF-8 in its wrapper to get around it. I couldn't use anything but C or C.UTF-8. I haven't investigated enough to know who to blame for it though-- the project I was snapping, or something to do with snappy13:21
kyrofawsnipex, sergiusens might have some suggestions, though13:21
kyrofawsnipex, note that ubuntu core _only_ has C and C.UTF-8 locales13:22
wsnipexI'm assuming its snappy, since this code is perfectly fine outside of it13:22
kyrofawsnipex, any denials in the syslog?13:22
wsnipexI'm running in devmode13:23
kyrofawsnipex, ah, then no :P13:23
kyrofawsnipex, yeah wait for sergiusens. ogra_ might have some suggestions as well13:23
wsnipexotherwise it'd hang up way before that ;)13:23
wsnipexI'll try setting the locale in the meantime13:24
didrockssergiusens: will do! :)13:26
wsnipexoh wow, setting the locale to LC_ALL=C.UTF-8 works :)13:27
wsnipexkodi now starts :D13:27
wsnipexthanks kyrofa13:27
kyrofawsnipex, sure thing. Sorry for a workaround instead of a solution there-- I want one as well13:28
wsnipexyeah, this needs fixing of course, but its great to have it working for now13:30
wsnipexI still have a long road with app-armor...13:30
vilasergiusens, kyrofa: coverage fixed in the macaroons branch (using ~130 recorded responses), hope that address your concerns14:33
jdstrandelopio: hey-- I have a few ideas for integration tests and wanted to pass them along so they could end up on someone's queue somewhere? should I CC others?14:35
jdstrands/somewhere?/somewhere./14:36
plarsfgimenez: elopio: Hi, I have some more info about that issue I was seeing14:54
plarsfgimenez: elopio: on that test that hits a kernel bug for me, but seems to work for you - I can make it work, but only if I run it by hand from *outside* the snap. When I try to run it from the snappy-tests snap that I built, I hit the problem. Maybe there's some permission/isolation issue here? (I did install with --devmode)14:55
fgimenezplars, elopio mmm not sure, you only hit the problem with one of the tests?15:14
plarsfgimenez: so far, just that one. I haven't tried going further yet15:14
fgimenezplars, that tests exercises the home interface by creating and installing test snap with that plug defined, maybe when you try to install that snap from another one without the plug it might cause problems15:18
plarsfgimenez:  --devmode doesn't help me here?15:19
fgimenezplars, not sure, can you try the networkInterfaceSuite?15:20
plarsfgimenez: some of them seemed to work, but then I got a bug here:15:22
plarssudo snap disconnect network-consumer:network ubuntu-core:network15:23
plars[82096.043981] BUG: unable to handle kernel NULL pointer dereference at 000000000000003815:23
plarsso as soon as it tried to disconnect it15:23
fgimenezplars, that's from the snappy-test snap, right?15:24
plarsfgimenez: yes15:24
plarsfgimenez: can I just connect somehow to everything once the snap is installed? or do I need to go rebuild with more plugs defined in my snapcraft yaml?15:41
fgimenezplars, maybe you can regenerate snappy-test defining all the plugs used by snaps created in the tests (currently home and network)15:41
fgimenezplars, yes, once it's generated afaik you cannot connect to additional slots15:41
plarsfgimenez: I actually already have home defined - is that all the first one should have needed?15:42
plars-                    snappy-tests:home15:43
fgimenezplars, yes, the home-consumer snap only needs the home plug to be available, but i'm not sure of the behaviour calling it from another snap15:43
plarsbut I also see this in snap interfaces output:15:43
plars:home                -15:43
ogra_i think you need to manually connect the interfaces15:44
fgimenezplars, if you have it already defined and it is failing then that's not the solution of course15:44
fgimenezplars, yes, home doesn't autoconnect15:44
plarsogra_: fgimenez: so something like: sudo snap connect snappy-tests:home ubuntu-core:home15:45
ogra_yeah15:45
fgimenezplars, ogra_ yes, that should do, you can check snap interfaces after15:45
plarslet me retry homeInterfaceSuite.TestPlugDisconnectionDisablesCreate with that set up15:46
plarsnope, still hit but on disconnect :(15:46
plarssudo snap disconnect home-consumer:home ubuntu-core:home15:46
plars[  657.125253] BUG: unable to handle kernel NULL pointer dereference at 000000000000003815:46
* ogra_ guesses you are better off asking zyga or jdstrand here15:48
fgimenezplars, maybe zyga can help here ^15:48
fgimenezogra_, yep :)15:48
jdstrandplars: can you paste the full trace?15:48
plarsjdstrand: the original one was here: http://paste.ubuntu.com/16227643/15:49
plarsjdstrand: but that looks slightly different from what I got now15:49
plarshttps://www.irccloud.com/pastebin/isX3KDXU/15:49
jdstrandplars: can you file a bug? jjohansen1, you may want to look at that ^15:50
jdstrandplars: in your bug report, can you tar up everything in /var/lib/snapd/apparmor/profiles and /var/cache/apparmor ?15:51
plarsjdstrand: I'll have to reboot/retry - it's in a snapshotted qemu session right now, and it hangs when I hit this so hopefully there will be something useful there. Where's the best place to file this?15:52
ogra_interesting that systemctl doesnt complain about the autopilot stuff ... iirc we dont ship that anymore15:52
jdstrandplars: oh, and home-consumer_1.0_all.snap. if that has sensitive stuff in it, feel free to strip out the sensitive stuff (only need the yaml)15:52
plarsjdstrand: that's all from the snappy integration tests15:52
jdstrandplars: https://bugs.launchpad.net/ubuntu/+source/apparmor/+filebug15:53
fgimenezjdstrand, home-consumer comes from here https://github.com/ubuntu-core/snappy/tree/master/integration-tests/data/snaps/home-consumer15:53
* jdstrand hopes that /var/lib/snapd/apparmor/profiles has the snap.home-consumer.reader and .writer policy15:55
plarsjdstrand: you want me to run this like I did before, or after connecting to ubuntu-core:home slot manually?15:56
jdstrandwhatever gets the kernel bug15:56
oparoz_Does security-override works to give access to /proc ?15:58
plarsjdstrand: they both do :)15:59
plarsI'll do both15:59
plars!16:00
plarsit's working now - every single time I've run it so far I hit that kernel bug, and now it works16:00
plarsI wonder if running it as a snapshot made a difference16:01
jdstrandplars: its possible sometimes the bug is a crasher and sometimes not. it is clear there shouldn't be a bug and the bug if it doesn't crash now may cause instability and other problems16:01
plarsok, I got it to reproduce this time16:02
plarsby running the whole suite16:03
plarsjdstrand: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/157913516:18
ubottuLaunchpad bug 1579135 in apparmor (Ubuntu) "kernel BUG on snap disconnect from within a snap" [Undecided,New]16:18
plarsjjohansen1: also ^ https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/157913516:18
jdstrandplars: awesome, thanks!16:18
jdstrandplars: I left a couple of questions for you in the bug17:24
jdstrand(fyi)17:24
ssweenyjdstrand, any chance of a review for https://github.com/ubuntu-core/snappy/pull/1118 today? I'm going on holiday next week and I'd like to have this resolved if we can17:36
jdstrandssweeny: I might be able to. I'm working on something else but I think I can get it done before eod. note, the snappy guys are sprinting next week and seem to be traveling today, so not sure how all that will impact your plans17:44
ssweenyjdstrand, fair enough17:45
blackout24I have snappy working on Arch Linux now. Kind of. The problem was that after implementing another check to see if snappy is used on a classic system it tries to do some bootloader stuff upon installing ubuntu-core. Since I didn't use grub it always just exited at that point. For simplicity I just installed grub without actually using it. Now it downloads and installs all the snaps.18:45
blackout24apparmor_status even shows that there are some profiles loaded now.18:46
blackout24Only problem is that a) for some reason /snap/bin isn't in my PATH despite installing apps-bin-path.sh in my profile.d and b) when I try to run ubuntu-calculator-app.calculator it wants root, while on a 16.04 test machine it doesn't. It also fails with "aa_change_onexec failed with -1. errmsg: No such file or directory"18:48
blackout24Adding support for systemd-boot is a little tricky since it's so minimalistic that it doesn't have an env file for variables. You'd probably have to implement a lot of string manipulation magic to essentially emulate that. Also the actual boot entry is a *.conf file in /boot/loader/entries. It can be named however you want. There is no sdboot.cfg for this or something.18:50
blackout24Ahh I see on 16.04 /usr/bin/ubuntu-core-launcher has different permissions18:56
ssweenyjdstrand, thanks for the review! I'm looking at adding the label=###PLUG_SECURITY_TAGS### string and it needs a new helper function. My question is what should that string look like at the end. The function for slots includes all the bound apps but that doesn't seem right to me for this19:34
jdstrandssweeny: the plugs side gets all the connected slots. the slots side (what you are looking to add) are all the connected plugs19:35
ssweenyjdstrand, ok, so it would still be something like "snap.name.app" or "snap.name.{app1..appn}" or "snap.name.*"?19:37
jdstrandthe actual format of that string should be like what ###SLOT_SECURITY_TAGS### is. if one snap/app, then no alternation, if all apps within a snap, then a glob (.*) and if multiple snaps, alternations with globs as needed19:37
jdstrandyes19:37
jdstrandbut in this case you might end up with {snap.name1.{app1..appn},snap.name2.*,snap.name3.app}19:38
jdstranddoes that make sense?19:39
jdstrandit is because multiple snaps can plug into a slot. the other way there was only the one slot provider19:39
ssweenyah19:40
ssweenyok19:40
plarsjdstrand: I'm not sure I understand your comment - I'm not trying to simply install that snap, I'm trying to run one of the integration tests in snappy, which I've packaged in another snap. The integration test does install that home-consumer snap as part of it, but that's just one piece of what it's doing. And it doesn't seem to be the installation of the19:41
plarssnap that's causing the problem19:41
jdstrandI was trying to get at a simple reproducer. perhaps it would help if jjohansen1 was involved19:42
jjohansen1blackout24: what is logged in dmesg?19:43
jjohansen1what kernel, and which apparmor patchset (if any)?19:45
plarsjdstrand: I'll see if I can come up with something simpler19:45
jjohansen1a dump of apparmor/features would be good too19:46
ssweenyjdstrand, from what I can tell the ConnectedSlotSnippet only gets a reference to one plug, so I guess there will be multiple snippets, one for each attached plug?19:46
jjohansen1jdstrand: uhm which of the 3 issues did you want me to jump in on?19:46
ssweenyjdstrand, so each snippet will only have one snap with 1..n possible apps19:46
blackout24jjohansen1, I just rebuilt the stock ARCH kernel with CONFIG_AUDIT and and apparmor Kconfig flags. The version is 4.5.1 so it should be the latest upstream apparmor.19:47
blackout24I also packaged the latest upstream libapparmor and libseccomp19:48
jjohansen1blackout24: okay, I think there is a bug fix for change_profile that is needed for that kernel19:49
* jjohansen1 goes digging19:49
jdstrandssweeny: I'm not sure. I'm not sure this subtlety was considered19:49
ssweenyinteresting19:49
ssweenyI can't see any difference in the way the snippets go into the FS19:50
jdstrandssweeny: if it helps, you could treat it like ###SLOT_SECURITY_TAGS### for now and then ask the question in the PR for zyga to pick up when he is back online19:50
ssweenythey're all just appended to the slot profile19:50
ssweenyjdstrand, I'll give that a go19:50
jdstrandand I'll jump in and help guide that discussion19:51
blackout24I stepped through ubuntu-core-launcher and it fails in line number  562 where it uses aa_profile as parameter, which is taken from the second parameter when the app is launched through the helper script. The Apparmor profiles all seem to be in place.19:52
jdstrandblackout24: that suggests the profile isn't loaded19:54
blackout24Yes because  "aa_change_onexec failed with -1. errmsg: No such file or directory", but the profile should be there if it wants to load it.19:54
jdstrandblackout24: that error is somewhat misleading. it isn't able to change_onexec because the profile isn't loaded into the kernel. the launcher doesn't load the profile into the kernel, snap install does19:55
jdstrandblackout24: what is the output of apparmor_parser -QTK /var/lib/snapd/apparmor/profiles/snap.your.profile?19:56
ssweenyjdstrand, ok, the line I end up with is peer=(label="snap.location-service.{example-client,example-service,location-service-cli}") and apparmor doesn't like that: 5Z ERROR cannot setup apparmor for snap "location-service": cannot load apparmor profile "snap.location-service.location-service": cannot load apparmor profile: exit status 119:56
ssweeny                                                               apparmor_parser output:19:56
ssweeny                                                               AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap.location-service.location-service in /var/lib/snapd/apparmor/profiles/snap.location-service.location-service at line 309: dbus rule contains message conditionals and service conditionals19:56
jjohansen1blackout24: hrmmm, I didn't find what I was looking for yet. It could have been a userspace error, I will keep looking19:57
jdstrandssweeny: can you paste the full rule?19:57
blackout24jdstrand, this command just returns without printing anything. apparmor_status says module is loaded and 1 profiles are loaded.19:57
blackout24snap.notes.notes is in enforce mode, but I try to run the calculator app at the moment. notes doesn't work, yet either.19:58
jdstrandblackout24: ok so the userspace is ok. what is the output of apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.your.profile? (that should be run as root)19:58
jdstrandssweeny: you can paste the whole profile if you want19:59
blackout24Also returns without printing anything19:59
blackout24But apparmor status now says that 2 profiles are loaded19:59
jdstrandblackout24: and aa-status shows that 'snap.your.profile' is loaded in the kernel?19:59
blackout24And lists the calc app profile which I used for your command19:59
ssweenyjdstrand, nevermind, I had the replacement string in one too many places. It seems to work now19:59
blackout242 profiles are loaded. 2 profiles are in enforce mode. <lists the notes profile and calculator profile now>20:00
jdstrandblackout24: I suspect the launcher will get farther along now20:00
jdstrandblackout24: assuming what you are trying to launch corresponds to one of those two profiles20:01
jdstrand:)20:01
jdstrandssweeny: ack20:01
blackout24Yes. Now it fails with execv failed: No such file or directory. Will have to strace or ltrace that.20:01
jdstrandblackout24: ok-- note there is a problem with snapd not loading the profile into the kernel during snap install that you'll have to debug20:02
jdstrandblackout24: look at interfaces/apparmor/apparmor.go for details on what it is doing20:03
jjohansen1blackout24: that could be a different bug where apparmor is returning -ENOENT when the target profile is not found (I have a patch in the upstream queue for that)20:04
jjohansen1blackout24: what is the message from apparmor in dmesg?20:04
blackout24jjohansen1, http://pastebin.com/8Y1diFRJ20:06
jdstrandblackout24: are you using an upstream kernel or one with newer apparmor patches?20:07
jjohansen1upstream20:07
blackout244.5.1 without any patches. I rebuilt it from the official PKGBUILD on ARCH and just changed 4 Kconfig switches20:07
jjohansen1blackout24: that's it? It is missing at least one message20:08
jdstrandblackout24: I very much doubt you are going to have success with a pure upstream kernel at this time20:08
jjohansen1there should be something from change_profile or exec20:08
jdstrandbeyond apparmor20:08
jdstrandwell, maybe with 4.5.1 it is primarily apparmor20:09
blackout24Packaging a new kernel with a handful of extra patches would not be a problem. I would adopt linux-apparmor in the Arch User Repo which is currently unmaintained and ship the extra patch to also make snappy run20:10
jdstrandbut assuming you can get it to work, you won't have dbus, ptrace, signal and unix mediation20:10
jdstrandI see20:10
jdstrandwell, there are patches for 4.4 (Ubuntu has 4.4), I don't know the status of the 4.5 patchset20:10
jdstrandand we're working to get these bits upstream20:11
jdstrandbut that'll take a while20:11
blackout24I could easily just set the package version to 4.4.0 and download the 4.4.0 kernel sources and apply the patchset.20:11
jdstrandI'll let jjohansen1 comment on how to get the patches. they are in a git tree somewhere20:11
blackout24The kernel doesn't have to be as recent as the official ARCH kernel, which will remain untouched on the system anyway.20:11
jjohansen1blackout24: for the apparmor bits git://kernel.ubuntu.com/~jj/linux-apparmor-backports20:13
jjohansen1you are looking for the v4.X-aa3.5-beta1 branches20:14
blackout24jjohansen1, thanks20:14
ssweenyjdstrand, I believe I've addressed all of your comments20:14
blackout24jjohansen1, it doesn't let me clone it for some reason. fatal: remote error: access denied or repository not exported: ~jj/linux-apparmor-backports20:18
jjohansen1blackout24: oops I stuck a ~ in there, that's only for the http version of the url20:19
jjohansen1git://kernel.ubuntu.com/jj/jj/linux-apparmor-backports20:19
jjohansen1urgg20:19
blackout24thanks20:19
jjohansen1let's try again20:19
jjohansen1git://kernel.ubuntu.com/jj/linux-apparmor-backports20:20
blackout24jjohansen1, something is still not working fatal: remote error: access denied or repository not exported: /jj/jj/linux-apparmor-backports20:20
jjohansen1blackout24: see that last url, I managed to double up the jj/ in the one you just tried20:21
jjohansen1the weekend can't come soon enough20:21
blackout24haha yeah I know that feeling20:22
blackout24cloning...20:22
=== Aria is now known as Aria|away
=== Aria|away is now known as Aria
=== Aria is now known as Aria|away
qenghoubuntu-device-flash says "expected a gadget snaps: snap not found". Specified "canonical-pi2". What gives?23:18
=== Aria|away is now known as Aria