[00:23] Bug #1610025 opened: snapd fails to start after installing snaps
[01:28] Hi all. I'm trying to snappify an electron app that I'm a fan of. I'm following the SimpleNote example, but get an error
[01:28] ~/.../parts/.../build/wrapper so such file.
[01:28] no such file
[01:29] my wrapper file is in the $SNAP directory before I run snapcraft
[01:30] any suggestions?
[01:46] The only difference is that I'm pulling the tar.gz from the internet instead of untarring it locally
[01:47] hi
=== chihchun_afk is now known as chihchun
=== chihchun is now known as chihchun_afk
[03:54] just did a popey and made a script for running snapcraft on a linode server
[05:13] hey hey
[07:28] zyga: ping
[07:33] does someone know how to fix this issue https://travis-ci.org/snapcore/snapd/jobs/149977843 with the spread tests running on linode?
[07:33] looks like they broken with the now landed snapd 2.0.11 in xenial
[08:14] PR snapd#1638 opened: interfaces: add uefi-manager interface
[08:17] ahoneybun: yay
[08:19] dholbach: lemme know if/when you get a chance to try my silly script :)
[08:22] popey, probably not today :-/
[08:23] I looked at the team option already though and it looks like what we want :)
[08:23] well that's good news!
[08:43] hi guys
[08:44] I would like to ask you something on IoT project development on Ubuntu Snappy
[08:44] if someone could answer I appreciate
[08:46] I'm a newbie on Ubuntu Snappy, and I have to develop a project using a gateway (where snappy is installed) and sensors connected to it
[08:47] which is the best way, the language that I have to use, etc.. ???
[08:48] you can build your software whichever language you are most comfortable using
[08:48] snapcraft (the tool to turn your software into a snap) has a lot of different build plugins, so building it should be easy
[08:49] http://snapcraft.io has more info about it
[08:50] yes, i've read something on snapcraft
[08:50] but in this context, I would like to know if I can test the software during the developing
[08:51] I mean, my Ubuntu Snappy is installed on a gateway, so I have no GUI
[08:51] and I'm not sure if I can install snapcraft on it
[08:52] I'm not sure how you would debug or interact with your software - is it a service you can reach over the network?
[08:52] or do you mean building it on an ARM machine while you're on x86?
[08:52] nop
[08:53] yes, something like that
[08:53] i have to build it for a different machine
[08:53] PR snapd#1639 opened: tests: allow-downgrades on upgrade test to prevent version errors
[08:54] I'm not quite sure what the best way to do this is... I'll leave the question for somebody else
[08:55] if nobody responds in time, maybe best send an email snapcraft@lists.snapcraft.io and explain your setup
[08:55] I'm sure you're not the only one looking for this :)
[08:55] thank you guys
[08:55] Launchpad supports building snaps on multiple architectures; there are some restrictions on what architectures are generally available, so I don't know if that helps.
[08:56] ah, nice one - of course
[08:56] * dholbach clearly needs some more mate tea
[08:56] Alternatively, you could try running snapcraft inside a $arch KVM, if you can get one running.
[08:57] I see
[08:57] I haven't actually done either of these things though (as I lead a blessedly amd64 life ;), so I can't promise they'll work for you. :)
[08:59] https://kyrofa.com/posts/building-your-snap-on-device-there-s-a-better-way
[08:59] lucalar, ^
[09:01] Hmm, update-alternatives not running when you stage-packages is irritating.
[09:01] cool, I will give it a look ;)
[09:01] Just spent several iterations of snap/upload/install trying to work out why awk wasn't in my path after installing gawk. >.<
[09:12] wow, cool...launchpad is very interesting. Thanks a lot dholbach and Odd_Bloke
[09:13] PR snapd#1639 closed: tests: allow-downgrades on upgrade test to prevent version errors
[09:14] another question, do you know the existence of a Java API to work with sensors on an OS Ubuntu Snappy installed on an architecture amd64?
[09:18] I don't, but I'd recommend just using the java api your sensors work with and bundling that in the snap (snapcraft will help you do that)
[09:20] Odd_Bloke: hey, did you figure out the browserify step?
[09:21] beowulf: I haven't, no.
[09:25] Odd_Bloke: let me know what you come up with :) I think using npm's package.json to define that steps pre and post installing some modules via snapcraft's node plugin is worth exploring, but i haven't had time
[09:26] beowulf: I don't really know enough about npm/node to really dig in to it; I was hoping it would Just Work (TM). ;)
[09:27] Odd_Bloke: let me try something simple and if it works it might help you :)
[09:27] Bug #1610149 opened: writing to the "common" directory needs to have sudo right
[09:28] beowulf: :) Thanks!
[09:28] ogra_, I assume the answer is yes, but.. does your Pi3 core image include drivers for BT and Wifi?
[09:28] willcooke, the answer is no currently
[09:29] :)
[09:29] sorry ... they will land soon
[09:29] ogra_, ah :) Glad I asked then. What about wired ethernet?
[09:29] (it includes the drivers, but not the additional firmware)
[09:29] wired works fine
[09:29] perfect, thanks!
[09:29] * willcooke ponders netbooting a pi3 in to core
[09:30] unlikely to work ... but try it
[09:30] will try and carve out some time to play this afternoon
[09:31] (the initrd searches for labels on partitions for the whole system setup ... if the label isnt there or the snaps arent in the right place on the labeled partition it will fall flat on its face)
[09:31] Ah, I see
[09:32] for netbooting we'd need to add some bits to the scriptery
[09:33] Not worth it atm I expect.
[09:33] well, there was some desire to do netbooting at some point, i think lool worked on that ... though i also think that was via a special system that puts bits into place first
[09:34] I have not but I'd like it too :-)
[09:35] in Heidelberg we noted it would be a quite desirable thing to have
[09:35] Is this made any easier by the recent Pi announcement of netbooting?
[09:35] nope
[09:36] darn
[09:36] in all cases you need an SD to boot the pi ...
[09:36] since we default to using uboot for booting, a generic solution would kick in on that level, not in the first stage bootloader
[09:37] i.e. you would have an SD with the binary blob plus the uboot binary and config
[09:37] (in general the pi isnt really a great target given you will always need an SD due to a missing eMMC boot)
[09:38] yeah
[09:38] (if you need an SD anyway, you could as well do a local boot)
[09:38] only use case for netbooting I have is that SD cards don't like getting hot, so industrial applications might want to boot from SD card and load everything else over the network
[09:39] plus, people like me who like to play
[09:39] well, it is definitely a valid target ... (i guess also for cloud stuff)
[09:41] This confuses me: https://www.raspberrypi.org/documentation/hardware/raspberrypi/bootmodes/net.md
[09:42] It says that the boot ROM is "One Time Programmable"
[09:42] and then it talks about setting bits in there
[09:43] But does suggest that it might be possible to boot without an SD card
[09:44] ah, well, try it if you like
[09:45] I'll see what I can get working, and then bother you about it next time we meet
[09:58] willcooke: prompted by your remark about netbooting, I landed on the exact same page and I have been diving into it; seems quite useful
[09:58] willcooke: the OTP seems indeed to be write once; my understanding is that the firmware supports USB netboot and USB mass storage, but that's disabled by default because potentially buggy or unsecure
[09:58] so we flip a bit once to enable it forever
[09:58] can't disable it
[09:59] Hmm https://www.raspberrypi.org/documentation/hardware/raspberrypi/bootmodes/msd.md says if you remove it it's turned off
[10:00] lool, I think there are a few typos in those docs.
[10:00] can't find much about this flash except that it holds a bunch of device specific stuff like serial
[10:02] https://www.raspberrypi.org/documentation/hardware/raspberrypi/bootmodes/net_tutorial.md
[10:03] http://www.elinux.org/RPI_vcgencmd_usage is where I found the info on the otp contents
=== hikiko is now known as hikiko|ln
[10:06] willcooke: ah well the net tutorial page is consistent with the hardware behavior I suspect: program_usb_boot_mode=1 is only needed to be present once, and then it's enabled forever
[10:06] lool, this page talks about getting involved in the beta of netbooting: https://github.com/raspberrypi/documentation/blob/master/hardware/raspberrypi/bootmodes/README.md
[10:06] Bug #1591664 changed: 'snap install' should support --beta, --candidate and --edge options
[10:06] lool, @ program_usb_boot_mode - yeah, I think so too
[10:07] https://github.com/raspberrypi/documentation/blob/master/hardware/raspberrypi/bootmodes/bootflow.md is pretty nice
[10:08] * willcooke reads
[10:09] willcooke: if I read the bottom correctly ("By default the USB device boot mode is enabled at manufacture time [...]"), once you switch to netboot you can't ever go back to device mode
[10:09] erk
[10:10] maybe you can change that with pulling the GPIOs up?
[10:10] or down
[10:10] or with pliers and a soldering iron :P
[10:10] :)
[10:18] Bug #1602154 changed: "snap find" command cannot find ubuntu-calculator-app. However, it can be installed on 16.04
[10:21] Bug #1605471 changed: Cannot refresh a devmode snap
[10:24] Bug #1606100 changed: "snap revert" command cannot be found
[10:36] Bug #1607717 changed: no snaps installed error
[10:37] Odd_Bloke: so, the nodejs plugin would probably need a few changes to make my suggestion work :(
[10:39] Bug #1590704 changed: "snap interfaces" command doesn't filter by snap
=== hikiko|ln is now known as hikiko
=== LarreaMikel1 is now known as LarreaMikel
=== vrruiz_ is now known as rvr
[11:34] on a minor note on http://snapcraft.io/create/ "... the two highlighted files ...", but there is only one highlighted - prime/command-hello-service.wrapper should be bold as well I think
[11:42] link https://myapps.developer.ubuntu.com/dev/click-apps/register-name-dispute/ as referred by http://snapcraft.io/create/ is broken as well
[11:43] Bug #1610211 opened: Interface to manage block devices
=== LarreaMikel1 is now known as LarreaMikel
=== JanC is now known as Guest20161
=== JanC_ is now known as JanC
[12:16] popey, didrocks: i am currently getting this exact error http://askubuntu.com/q/787258/12435
[12:17] even to the extent that one day later the error changed from failing on the package lists to the deb files
[12:17] erk
[12:18] i have no idea what I did to fix it
[12:18] I think I nuked my lxd config and started again
[12:18] i started with a fresh lxd config
[12:18] I guess the issue is Err:5 http://archive.ubuntu.com/ubuntu xenial-updates/main Translation-en
[12:18] 500 Internal Server Error
[12:18] oh, also, I had an apt-cacher-ng which I removed
[12:18] installed it yesterday for this purpose
[12:18] oh
[12:18] it can't update that repo
[12:18] no cachers here
[12:18] ok
[12:18] actually
[12:19] yesterday it failed on a en translation file
[12:19] today it didn't even try to download that
[12:19] http://paste.ubuntu.com/22306053/ is today's error
[12:20] didrocks: yes, yesterday that was the error. today the error is different ^
[12:20] i have changed nothing on my end. just gave up yesterday and went to bed...
[12:20] weird, and no issue from your host at all?
[12:20] apt works fine on the host afaik
[12:21] maybe ask stgraber if there is some lxd cache?
[12:50] PR snapd#1640 opened: tests: add gsettings interface spread test
[13:21] PR snapd#1628 closed: store: refactor newRequest/doRequest to take requestOptions
[13:23] kyrofa: hey, now for me to ask you a couple questions :) 1) if I run 'snapcraft' which directory is mksquashfs run on? 2) Let's suppose that I stage-packages and all the debs are unpacked but I want to add/tweak something that was unpacked. is it possible to insert a command at sometime after unpack but before mksquash?
[13:42] niemeyer: are you looking at https://github.com/snapcore/snapd/pull/1432 today? jhodapp is waiting already for some days
[13:42] PR snapd#1432: interfaces/builtin: improve pulseaudio interface
[13:42] morphis: I've been actively going through the queue in the last few days.. will get to it
[13:43] aye
[13:43] thanks niemeyer
[13:45] jhodapp: np, sorry for the delay.. it's obviously been a little hectic after the sprints
[13:46] niemeyer, yeah understood
[13:47] niemeyer, this PR has been reviewed many times, so it should just be ready to go...an easy merge
[13:51] jhodapp: Yeah, this is an epic branch
[13:51] jhodapp: What is that line 217 on manual-tests.md?
[13:52] niemeyer, that shouldn't be there...slipped through in my conflict resolution
[13:52] PR snapd#1641 opened: interfaces: implement systemd-control
[13:52] niemeyer, let me get rid of that quickly
[13:53] jhodapp: Can you please also take this chance to fix the tab indentation on the yaml snippets?
[13:53] jhodapp: It's being improperly tagged red there for good reasons.. yaml can't take tabs
[13:53] (not your fault)
[13:53] jhodapp: 4 spaces on all of them please
[13:53] I mean, four spaces indents
[13:53] niemeyer, I can change it but those tabs are not from me
[13:54] oh you said that
[13:54] jhodapp: You've marked it as yaml in the branch, though (correctly)
[13:54] sure I can fix that
[13:54] it was bugging me too
[13:55] jhodapp: Thanks, the indentation is also pretty broken in that one snippet you touched at least.. it has 8 spaces and 4 spaces, interchangeably
[13:55] and then next one has 2 spaces.. indentation party
[13:58] niemeyer, fixed that section
[14:01] jhodapp: Why were the consts changed to vars on all snippets?
[14:02] niemeyer, at least pulseaudioConnectedPlugAppArmor is modified in the code later
[14:03] jdstrand: ok, i'm getting a seccomp denial for sendto and it's clearly in my connectedplug snippet
[14:03] jhodapp: It's actually not, I think
[14:05] kgunn: is it in the resulting policy in /var/lib/snapd/seccomp/snap.your.thing.that.is.failing
[14:07] niemeyer, oh you're right it isn't...sorry brand new to Go
[14:07] niemeyer, so am I able to just slap "const" back on the front of those?
=== Tristit1a is now known as Tristitia
[14:07] even as byte slices
[14:10] jhodapp: No, unfortunately not.. you'll need to move them back to being strings, and use []byte in place
[14:11] jhodapp: I'd prefer that in general, as a guideline.. it means those strings are in unchangeable memory, and won't be mutated behind our back
[14:11] jhodapp: A bit of paranoia, arguably, but not too crazy given the context
[14:11] niemeyer, using []byte in place is a cast, yes?
[14:11] jhodapp: Type conversion, not a cast
[14:11] jhodapp: Cast means something else if we're pedantic enough
[14:12] niemeyer, so it's not the same thing as in C/C++
[14:12] jhodapp: No, it's not.. in those languages you can actually tell the compiler you want to look at that memory under different eyes, whether that's correct or not
[14:13] jhodapp: That's casting
[14:13] niemeyer, yeah ok, so this is safer
[14:14] jhodapp: On b := []byte(s) you're allocating new memory, copying data over, and converting the type..
[14:14] yeah
=== matiasb1 is now known as matiasb
[14:20] Hey jdstrand! Sorry, I had to switch work locations
[14:20] jdstrand, (1) snapcraft (which defaults to snapcraft snap) runs mksquashfs on the prime/ directory
[14:22] PR snapd#1642 opened: many: pass device to store
[14:23] jdstrand, (2) not by utilizing the default plugins, but you have a few options. You can either write your own plugin that does stuff right after the pull step, or write a Makefile that does stuff in the all: rule (which is run during build, right after pull)
[14:25] jdstrand, you can ship a local plugin alongside the snapcraft.yaml
[14:25] niemeyer, fixed
[14:27] jdstrand: This is an interesting point to keep an eye on for future reviews.. the snippets should ideally live as consts rather than var []byte
[14:28] kyrofa, ping
[14:31] liuxg, pong
[14:32] kyrofa, if I want to write to the common directory, do I need to have the root privilege? thanks
[14:33] liuxg, there are two common directories: SNAP_COMMON and SNAP_USER_COMMON. Yes, SNAP_COMMON (like SNAP_DATA) is owned by root
[14:33] niemeyer: noted
[14:34] SNAP_USER_COMMON though is owned by the user. Note however that it's not currently usable as nothing creates it. niemeyer, speaking of that, did you see the email thread about that?
[14:34] jhodapp: Just waiting for it to go green
[14:34] niemeyer, cool
[14:34] kyrofa, I mean the directory SNAP_COMMON
[14:34] kyrofa: Nope
[14:34] liuxg, then yes
[14:34] kyrofa: great, thanks!
[14:34] jdstrand, let me know what path you decide to follow and I can give you a few more hints
[14:35] kyrofa, do you mean it needs have the root privilege? it is like /home//snap/hello/common
[14:35] liuxg, that's SNAP_USER_COMMON
[14:35] liuxg, SNAP_COMMON is in /var/snap//common
[14:35] But yes
[14:36] kyrofa: My vague memories are that with snap run creating that directory becomes trivial
[14:36] kyrofa: Not sure what changed since we last discussed this, though
[14:37] niemeyer, indeed, that's true. But snap run is taking a while to land and people are starting to get confused by the behavior of not creating them
[14:37] kyrofa, right. so, the one SNAP_USER_COMMON a user right is fine, right?
[14:37] niemeyer, will that land soon you think? Or should we add that logic back to snap-confine?
[14:37] liuxg, right
[14:38] kyrofa, thanks for your clarification. By the way, I have shared you a document about core, would you please help to review it, thanks.
[14:38] * kgunn has more fun with network
[14:38] kgunn, I share your pain
[14:38] liuxg, sure!
[14:38] jdstrand: sorry had to re-run and yes it is listed in /var/lib/snapd/seccomp/profiles/snap.mir-client.client-start
[14:39] the denial signature in syslog appears as
[14:39] Aug 5 14:34:56 localhost kernel: [ 267.421706] audit: type=1326 audit(1470407696.839:12): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=1383 comm="clocks" exe="/snap/mir-client/x1/clocks" sig=31 arch=c000003e syscall=44 compat=0 ip=0x7fcdea268b7f code=0x0
[14:39] kyrofa: The only blocker for snap run is snap-confine, which I believe is now about to be in updates
[14:39] kyrofa, by the way, another developer yesterday met a same problem, and he confirmed it.. https://bugs.launchpad.net/snapcraft/+bug/1601834
[14:39] Bug #1601834: Error "[Errno 21] Is a directory" when building a snap package for a qmake project
[14:40] kyrofa: So *maybe* next week
[14:43] niemeyer, ah, good deal. Okay, we'll just live with it then
[14:43] kgunn: is clocks running under snap.mir-client.client-start?
[14:43] kgunn: and it this on amd64?
[14:44] kyrofa: Did I miss something else in that conversation?
[14:45] niemeyer, no, people seemed to think snap run was already used. I tried to clarify, but asked you and mvo about timeline. It would be great if you could quickly respond just to close the thread, if you have a minute
[14:50] what's snap run? test the current snap without installing it?
[14:51] kyrofa: Where's the thread?
[14:51] PR snapd#1643 opened: many: support interactive payments in snapd, filter from command line
[14:51] ali1234: Any app may be run via "snap run snap[.app]"
[14:52] ali1234: Instead of /snap/bin/snap[.app]
[14:52] oh right, i was thinking of "snapcraft run"
[14:52] ali1234: The latter will become just a symlink to /usr/bin/snap
[14:53] ali1234: So it's a much nicer pipeline for how things get executed
[14:53] Bug #1610149 changed: writing to the "common" directory needs to have sudo right
[14:53] yeah, i see. i was thinking of something else entirely
[14:53] ali1234: It's coming for a while, but there were several moving parts, so it took a while to get to this point
[14:54] * ogra_ grumbles about not being able to use sideloaded kernel snaps anymore with latest u-d-f
[14:57] PR snapd#1625 closed: asserts: make account-key's `until` optional to represent a never-expiring key
[15:07] niemeyer, looks like CI completed successfully
[15:12] jdstrand: sorry, network killing me....not sure if you saw i do have sendto in the seccomp profile for the client
[15:13] kgunn: is clocks running under snap.mir-client.client-start?
[15:13] kgunn: and it this on amd64?
[15:13] is*
[15:16] jdstrand: yes, this is on amd64 and clocks is the exe launched by client-start
[15:16] http://bazaar.launchpad.net/~mir-team/+junk/snapcraft-mir-client/view/head:/client-start
[15:17] kgunn: and you are 100% sure that sendto is listed in /var/lib/snapd/seccomp/snap.mir-client.client-start ?
[15:18] kgunn: grep sendto /var/lib/snapd/seccomp/snap.mir-client.client-start
[15:19] kgunn: and you are seeing the denial by launching mir-client.client-start ?
[15:19] jdstrand: it is literally on line 469 of /var/lib/snapd/seccomp/profiles/snap.mir-client.client-start
[15:19] kgunn: is the interface connected?
[15:19] jdstrand: the interface is connected manually
[15:19] meh, if it is in there it should be
[15:20] jdstrand: so i put a sleep at the top of client-start, then manually connect
[15:21] kgunn: can you tail -f /var/log/syslog in one terminal, then sudo systemctl stop your.unit ; sudo systemctl start your.unit
[15:21] kgunn: then tell me if you see a new denial in syslog?
[15:22] jdstrand: sure will try
[15:28] jdstrand: when i call sysctl on snap.mir-client.client-start.service
[15:28] it fails with
[15:28] Failed to stop snap.mir-client.client-start.service: The name org.freedesktop.PolicyKit1 was not provided by any .service files
[15:28] See system logs and 'systemctl status snap.mir-client.client-start.service' for details.
[15:30] niemeyer, are you still around?
[15:36] hmm I have two snaps that must communicate through unix socket
[15:36] where do I put the socket ?
[15:36] in /tmp one won't be able to open it
[15:37] in home, the home interface isn't autoplug I think ...
[15:44] (and I guess I won't be in devmode since I install the snap through webdm)
[15:45] kgunn: did you run that with sudo?
[15:45] jdstrand: i can try
[15:45] so what's the way to communicate between two snaps via unix socket without devmode ?
[15:46] kgunn: basically, I don't understand how the sendto denial is being logged. it shouldn't be. I think it is either an old denial or it happens on install before the connection. I'd like to see confirm that a sudo systemctl stop ... followed by start triggers it
[15:46] kgunn: if it wasn't working, there would be people screaming left and right about it being broken...
[15:50] ysionneau: I would recommend using SNAP_DATA if both are running as root, until we get a better answer from jdstrand or niemeyer :)
[15:52] hmmm i'm running as root yes
[15:52] but I guess one snap does not have access to another snap's SNAP_DATA, right ?
[15:52] ah, it's 2 snaps, sorry, I read 2 apps
[15:53] so, yeah, question for jdstrand & niemeyer in that case (maybe ask on the ML so that they can catch up later on?)
[15:54] I have lool helping me out in fact at the moment :)
[15:54] thanks !
[15:55] lool: ysionneau: do you mind keep us posted on the ML? That would be interesting to quite a lot of people I think
[15:55] didrocks: at the moment it's a bit hackish with a devmode snap
[15:55] didrocks: the docker snap is a good example of how to do this properly, but it requires landing an interface in snapd
[15:55] didrocks: https://github.com/snapcore/snapd/pull/1619/files has the interface
[15:55] PR snapd#1619: Add initial "docker" interface based on some of 15.04's privileges
[15:55] you can see it gives access to /run/docker.sock
[15:56] lool: hard for 3rd party apps to land an interface for their specific socket though…
[15:56] yep I would prefer to not have to modify snapd, for now at least, even if it's a bit hackish like reusing some interface
[15:56] didrocks: well it's the other way around here
[15:57] didrocks: they have a first (devmode) snap with a socket somewhere, and another snap (confined) accessing it, I'm not sure which dir is accessible by default to all snaps though, checking default policy
[15:57] yes it would be for our autopilot, that Parrot should land an interface to allow 3rd party apps to connect to our unix ocket
[15:57] socket*
[15:57] ysionneau: BTW I wanted to tell you about shm
[15:57] ah!
[15:57] ysionneau: not sure if you saw the exchange on the ML, but shm is open by default with snap.XXX prefix
[15:57] ysionneau: https://lists.ubuntu.com/archives/snapcraft/2016-August/000611.html
[15:58] /{dev,run}/shm/snap.@{SNAP_NAME}.** mrwlkix,
[15:58] !!
[15:58] ah this is for shm, ok thanks!
[16:00] ysionneau: damn, I'm out of time, but I think this is the default policy: https://github.com/snapcore/snap-confine/blob/master/debian/usr.bin.snap-confine
[16:00] ysionneau: I have to run to a meeting, perhaps you'll find a dir in there
[16:01] ah no I still have :30
[16:02] I have updated my fw btw
[16:02] I'm using ubuntu-core_148.snap
[16:03] usr.bin.ubuntu-core-launcher -> usr.lib.snapd.snap-confine
[16:03] I'm not very fluent in apparmor profiles though, where to look for "unix socket rights"?
[16:04] jdstrand: sorry otp, but sudo systemctl stop/start worked...and now i get a different denial so that's good
[16:04] does not seem to be any unix socket stuff related in the default profile :/
[16:04] ysionneau: I think it's just about read on the socket
[16:04] ysionneau: to do open()
[16:05] hmmm no special rights for connect listen bind send recv sendmsg ?
[16:06] hmm maybe I can use the shm related exception ?
[16:06] I think you get these from network
[16:06] which is autopluggable
[16:06] ysionneau: https://github.com/snapcore/snapd/blob/master/interfaces/builtin/network.go
[16:06] ysionneau: so
[16:06] ysionneau: just say plugs: [network]
[16:07] I already have it
=== davidcalle is now known as davidcalle|afk
[16:11] hey snappy peeps! I'm looking at the snapcraft-daily ppa and it looks like it hasn't been built in a week
[16:11] i need the latest so i can try out the rust plugin
[16:12] lool: question is, where do I put it (the socket :p)
[16:12] ysionneau: ah I was wrong, the default perms are in https://github.com/snapcore/snapd/blob/master/interfaces/apparmor/template.go
[16:13] thx
[16:13] ysionneau: unfortunately the 3 rw locations seem to be /tmp which is diverted to a per snap tmp, shm, and ptmx
[16:13] ysionneau: is this a rw socket you need?
[16:14] hmmm
[16:14] well you'll need to send messages I guess
[16:14] yes
[16:14] send and receive
[16:14] both sides are going to send/recv
[16:15] ysionneau: so I guess your best bet is to use a snap specific location, but avoiding the version; perhaps /snap//common/foo.socket
[16:15] that way the confined snap has rw access
[16:15] and the dir wont be removed if you ever create it
[16:15] hmm so, autopilot snap, would create the socket in /snap/facedetect/common/ so that facedetect snap can open it ?
[16:15] didrocks, lool, ysionneau: different snaps aren't allowed to talk to each other. the canonical answer is that the snap that is providing a service should provide a slot implementation of a new interface, then the other snap plugs [ the-new-interface ]
[16:16] jdstrand: right, this is just for doing a PoC without rebuilding snapd
[16:16] jdstrand: that's the "clean" way, I agree with that (except that I'm not very happy to have to submit a pull request to snapd), but I would need a hackish temporary solution
[16:16] ysionneau: that's what I was thinking, haven't tested
[16:16] lool: ok let's try that
[16:17] lool: I doubt the autopilot snap will be able to create in /snap/facedetect/common (confined), right?
[16:17] didrocks: autopilot isn't confined
[16:18] ysionneau, lool: I think it might be possible to use the content interface to export a rw path and then use a named socket
[16:18] in that path
[16:18] elopio, is snapcraft not building daily?
[16:18] (saw cholcombe's question above)
[16:18] cause named sockets don't need a unix rule, only a file rule, which is provided by the content interface
[16:18] jdstrand: is there a pointer on using content interface and is it landed? I saw it in master but have never used it
[16:18] jdstrand: content interface doesn't enable to expose anything which isn't in $SNAP if I'm right, though?
[16:19] elopio, is that only snapd?
[16:19] lool: I guess that's not going to fix it for you (as per ^)
[16:19] didrocks: not sure what you mean
[16:19] lool: you need snapd 2.0.11 and snap-confine from xenial-proposed
[16:19] didrocks: sounds like exactly what we'd need: autopilot shares its socket as the contents to the facedetect snap
[16:19] you can only expose /snap///
[16:19] so the ro path
[16:20] lool: this PR has doc updates that better document the content interface: https://github.com/snapcore/snapd/pull/1409/files
[16:20] PR snapd#1409: docs/interfaces.md: improve interfaces documentation
[16:20] hmmm maybe I can create the socket in the $SNAP at build time
[16:20] no SNAP*_DATA or anything like this
[16:20] ah, if you create it at build time, that could work
[16:20] didrocks: the exported dir is bind mounted into one of the SNAP dirs
[16:20] jdstrand: indeed, but the snap exposing the content interface requires (from the examples I saw) a path under its $SNAP/
[16:21] jdstrand: +* Auto-Connect: yes for snaps from same publisher, no otherwise
[16:21] jdstrand: will it work with a devmode local snap?
[16:22] didrocks: suppose the service snap exports a rw path via content interface. that snap then creates a named socket in that rw path. then the plugging snap imports that rw path into its area and accessing that named socket
[16:22] lool: I think you can force a manual connection. I didn't implement this feature, not sure without reading the code
[16:23] jdstrand: my point is that content interface only expose ro path (under its $SNAP), you can't export rw path
[16:23] no, you can
[16:23] that's what zyga told though at the heidelberg sprint
[16:23] write (slot): read-write paths from providing snap to expose to the consuming snap
[16:23] he was going to remove the write keyword as it didn't work
[16:23] oh, well, this is pre-Heidelberg
[16:24] hmmm not sure in fact a socket can be created at build time and bind() to at runtime :/
[16:24] maybe the server *has* to create it :/
[16:24] jdstrand: so providing snap would say slot [content:write: [foo.socket]] and consumer [content:target: [foo.socket]]
[16:24] if he couldn't get that to work then this technique won't work
[16:24] jdstrand: how do you specify autoconnect to a fixed name snap?
[16:25] ysionneau: you can probably ship a socket file in the squashfs of the snap and bind it at runtime
[16:25] well, that's the thing I'm not sure if it's possible
[16:25] lool: I think it needs to be a dir, but yes, that is the idea. as for autoconnect, aiui it is part of snapd's interaction with the store-- if from same publisher it just does it
[16:25] there is high chance bind()ing an already existing socket file will say "address already in use"
[16:25] lool: note that didrocks said that zyga said that 'write' doesn't work
[16:25] jdstrand: but I dont see where one says which snap to connect to
[16:25] yeah, write is needed too
[16:26] lool: you don't say what can connect, it just does it
[16:26] ie, I upload a content snap, so any plugging snap I upload will autoconnect. if you plugged my content, it would not
[16:26] jdstrand: how do I say which content I want to autoconnect to?
[16:26] lool: http://paste.ubuntu.com/22328522/ [16:26] lool: ysionneau: maybe related?! There seems to be a env-variable called $SNAP_USER_COMMON (which currently not working according to the mailing list's discussion) [16:26] ok let's try the "autopilot creates the socket in /var/snap/facedetect/common" trick then [16:26] for a content slot example [16:26] you get all the exports [16:27] didrocks: ah great [16:27] jdstrand: got it with didrocks' example [16:27] lool: see that you only say "/foo", and this is intended as /snap/content-slot/current/foo (so relative to $SNAP) [16:27] ok [16:27] PR snapcraft#689 closed: kernel plugin: kernel targets depending on debarch [16:27] it's too bad that write doesn't work [16:27] pmp: There's SNAP_COMMON as well; this is the one you want [16:27] lool: the other side is http://paste.ubuntu.com/22328645/ [16:28] pmp: USER_COMMON is per user (in home), a bit ugly IMO [16:28] (you need to ship an empty import/ dir in $SNAP in that case ^) [16:28] I wonder what the issue would be. seems if you picked 'write' you'd look at the slotting snaps SNAP_DATA and if read the slotting snap's SNAP [16:28] jdstrand: that's when I told him that all paths were related to $SNAP, and so, write won't work if you can't specify which env variable you want to be relative to that he told me write is going to be removed [16:29] ----(= (..)----- [16:29] but yeah, write would be relative to SNAP_DATA (if it worked) [16:29] didrocks: sure, but I don't understand why all paths must be relative to SNAP. why not SNAP_DATA? [16:29] jdstrand: that was my question to him when this discussion happened :) [16:30] maybe he or I was jetlag and there is a clear answer and write is going to work [16:30] yeah, I think everything related to SNAP_DATA is more logical [16:30] didrocks: I mean, snapd could even be super smart and create the dir and everything... [16:30] even read-only [16:30] don't know if symlinks would work, but that's much more useful [16:30] e.g. 
to share read-only view on live files [16:30] lool: not really, read relative to SNAP is great for sharing libs [16:30] you can always expose static contents by copy or symlink [16:30] didrocks: but you can still do it [16:30] jdstrand: +1 (yeah, creating it in the mount namespace) [16:30] from SNAP_DATA [16:31] yeah, so rather read: [SNAP_DATA/foo, SNAP/bar] [16:31] that would be the best [16:31] my takeaway is that today write is probably broken, but that it is probably supportable [16:31] and same for write: (of course, relative to SNAP, that would fail…) [16:31] that would fix a lot of use case and avoid blocking on interface creation [16:32] arggggg [16:32] I forgot something [16:32] tyhicks: so, I think I may have discovered a bug [16:32] boxinit( autopilot snap) is sandboxed (chroot) ... it cannot easily create a socket in another snap's SNAP_DATA [16:32] well, I can still create a mount bind before chrooting [16:32] grrrrr [16:33] tyhicks: just so you have code to look at, https://code.launchpad.net/~jdstrand/+git/snap-userns-test [16:33] tyhicks: the issue is that I can't use clone(CLONE_NEWUSER) inside the sandbox. it doesn't seem related to nnp [16:33] ysionneau: just bind mount when starting your chroot [16:33] ysionneau: ah you've said that already [16:34] tyhicks: I get EPERM and no denials. I'm starting to think it might have something to do with the namespace patches [16:34] ysionneau: or use shm! :-) [16:34] shm ? [16:34] shm_open() etc. 
[16:34] I'm passing file descriptors via unix sockets etc [16:34] I mean stop using real sockets and files [16:34] to do dmabuf (mmap) [16:34] ah yeah, don't think you can pass fds over shm [16:34] shm_open() paths are mediated between snaps [16:34] to send video buffers [16:35] it seems like you are trying to find a hole in the sandbox (which is great, but if you find it, I will plug it :) [16:36] snaps are by definition isolated from each other except through defined interfaces [16:36] with jdstrand supporting us like this we will need to do a real interface in snapd for our needs [16:36] jdstrand: one of them is unconfined here though [16:36] if all you need is a demo, then drop a rule in /var/lib/snapd/apparmor/profiles/... and run apparmor_parser -r on it after install [16:36] pmp: I can hear you branching github.com/snapcore/snapd already [16:37] oh, well, if you use devmode your fine [16:37] you're [16:37] jdstrand: so far I found no hole, I'm using the help of a devmode snap to create the hole =) [16:37] couldn't we add a shared-files-interfaces, or shared unix-socket interfaces - where the providing snap defines a filename and users of this snap can get this filename somehow [16:37] put the file in SNAP_DATA on one and then the one in devmode can access it [16:38] an alternative for us would be to load the snap via the market in devmode [16:39] pmp: technically, sure, we could code that, however niemeyer won't approve generic interfaces like that because they are by definition not well-defined and interfaces should be well-defined [16:39] jdstrand: ack [16:39] jdstrand: yes, SNAP_DATA is exactly what I suggest, but with COMMON to have a stable nam [16:39] name [16:40] and also a place you can use even if the snap is being removed/added [16:40] jdstrand: any thots on why the sendto denial happens on the first start attempt?
[16:41] jdstrand: another alternative would be to have snap implement/provide new interfaces [16:41] jdstrand: custom ones [16:41] jdstrand: but this won't help us for the POC [16:41] kgunn: presumably because the interface isn't connected yet [16:42] really, can't we convince webdm to load all snaps with --devmode? [16:42] pmp: I'm curious what the service is-- is it public? [16:42] pmp: is it webdm? [16:43] how do you list which plugs are available? [16:43] jdstrand: for the poc it is just that we'd like to have a snap insert something into our gstreamer-video-pipeline [16:43] cholcombe: snap interfaces [16:43] jdstrand, thanks. i get no interfaces found :( [16:43] jdstrand: we decided to do a face-detection [16:43] pmp: this is for webdm? [16:43] jdstrand: no [16:44] hmm [16:44] inserting something into a gstreamer pipeline, that sounds tricky [16:44] so, ehm, yes, well, how to explain?... [16:45] anyway, for a demo, I think one in --devmode is your best shot [16:45] we have 2 snaps, one which contains "everything" - including a video-processing-pipeline [16:45] we want to install the second snap, which modifies the video-stream, via the market [16:46] this is essentially the plugin problem [16:46] the market installed is done via webdm and webdm is not installing snap in devmode [16:46] yes, I wasn't aware, but the "plugin-problem" sounds like it [16:47] jdstrand: does it work in devmode? [16:47] anyway, I don't mean to distract you. we won't solve the problem now [16:47] tyhicks: oh, it works if I launch directly but not in strict mode. let me try devmode (silly me) [16:47] jdstrand: every input is welcome [16:48] just thinking, how is webdm installing snaps, if itself is a snap? [16:48] well, I can promise you I will be a part of the conversation as these things are submitted :) [16:48] pmp: it has access to snapd-control [16:49] the snapd-control interface [16:49] ok, logic, could it request an install in devmode? 
[16:49] I don't see why not [16:49] * jdstrand is not a webdm developer [16:50] tyhicks: huh, it doesn't seem to work in devmode either. let me test something. gimme a sec [16:50] PR snapd#1644 opened: A gpio interface for os and gadget snap [16:50] ok I made progress but it still does not work, I will have a look on monday, thanks guys for the help ! [16:50] see you ! [16:50] see you on monday pmp [16:50] ysionneau: yep, bon week-end [16:51] thx [16:52] jdstrand: ok, I'm going to step away for a short bit and will check in when I get back [16:53] tyhicks: ok, I confirmed the security policy is in complain mode and it doesn't work [16:54] tyhicks: guessing it is something with snap-confine and the bind mounts then [16:54] tyhicks: let me play with it [16:54] tyhicks: thanks for that idea [16:58] jdstrand: sounds good but don't rule out the possibility of a bug that affects complain mode, as well [17:02] tyhicks: yes, but I don't want to distract you while I (dis)prove that [17:03] PR snapd#1432 closed: interfaces/builtin: improve pulseaudio interface [17:05] PR snapd#1642 closed: many: pass device to store [17:06] jhodapp, morphis: ^^^ [17:06] niemeyer: what a weekend present :-D [17:06] morphis: Just in time! ;) [17:07] is it approved? :) [17:08] jhodapp: better, merged :-) [17:24] silly question but how do i give my snap a configuration file? I'm looking through the docs and I don't see where that's mentioned [17:27] cholcombe, what do you mean? [17:27] kyrofa, i need to give my daemon a config file to start up properly. where do i put that in that snap? [17:27] kyrofa I think cholcombe is talking about configuration hooks ;-) [17:27] cholcombe, you mean how do you get a config file into the snap itself using snapcraft? Or provide it at runtime? [17:28] * sergiusens goes for lunch [17:28] cholcombe, does the config file need to be altered at runtime, or is it something you can distribute in the snap yourself? 
[17:28] kyrofa, well ideally it should be user provided. i don't know the credentials to their database, etc [17:28] kyrofa, no i can't distribute it [17:28] cholcombe, ah, indeed, then sergiusens is right [17:28] kyrofa, are there docs for the config hooks? :) [17:29] cholcombe, heh, they don't exist yet. I'm writing them right now :P [17:29] haha [17:29] cholcombe, the hooks themselves, I mean [17:29] cholcombe, but, you said something a little concerning [17:30] oh yeah? [17:30] cholcombe, snaps are supposed to bundle their dependencies. But it sounds like you haven't-- what database are you connecting to? [17:30] i'm connecting to influxdb [17:30] i assume that will be provided by the end user [17:30] is that a bad thing to assume? [17:30] i don't want influxdb to live on the same host as i'm installing this snap on [17:31] cholcombe, no, that sounds reasonable [17:31] this snap i'm building collects metrics and sends them off [17:32] kyrofa: no, it seems we lost the daily snapcraft job in one of the reboots. [17:32] cholcombe, actually, before we go anything further-- are you using 15.04, or the in-progress 16 series? [17:32] kyrofa: do you need it? It's really easy to set up. [17:32] kyrofa, i'm on 16.04 [17:32] elopio, cholcombe wanted to try out the rust plugin [17:32] kyrofa, yeah the rust plugin works great [17:32] that's all fine. i built snapcraft from the source tree and i'm using that [17:33] it's the config file business i'm stuck on now [17:33] cholcombe, okay, so you know snapd is still being developed for 16, right? Obviously you're free to use it, but you'll run into this type of thing (e.g. config not being completed) [17:33] cholcombe, if you're okay with that, you have a few options [17:33] kyrofa, oh i didn't know that [17:33] i mean i'm fine using whatever [17:33] cholcombe, you're on the cutting edge! [17:34] i can back off to 15.10. that's no problem [17:34] cholcombe, it's up to you. 
If you can deal with the current limitations you might be happier sticking with 16 since 15 is pretty much end-of-life [17:34] kyrofa, i just thought 16.04 was the stable one to use. [17:35] cholcombe, 16.04 desktop, definitely. But the snap side is still being developed [17:35] kyrofa, that's fine [17:35] Okay, so here's what you can do [17:35] i'm basically just kicking the tires here. [17:35] Rather, let's talk about how this WILL work real quick [17:36] sure [17:36] cholcombe, when I'm done, your users will be able to call `snap set username= password=` [17:36] interesting [17:36] That will end up calling an executable contained within your snap located at meta/hooks/apply-config [17:37] That's all snapd will do for you. The apply-config executable you provide will need to handle those parameters and write them to the config file you intend [17:38] ok that's no problem [17:38] hum, all the slaves died. How lucky. [17:38] cholcombe, so: that doesn't exist yet. What I suggest you do is write something that fits similar logic though, and expose it via the apps: keyword like everything else [17:38] kyrofa, ok [17:38] Then your users can just call it directly for the time-being, and once config hooks land, the amount of work you have to do is minimal [17:39] kyrofa, cool. that sounds fine [17:40] cholcombe, remember the snap only has a few places it can write (I'm not sure how long you've been kicking the tires) [17:40] kyrofa, for about a week :) [17:41] cholcombe, so you know about SNAP_DATA, SNAP_USER_DATA, etc.? [17:41] kyrofa, i do yeah [17:42] cholcombe, you're set then. Let me know if I can help any more! [17:42] kyrofa, thanks :) [17:42] ogra_: do you have a reliable rpi3 classic image? 
[17:42] ogra_: I used a community one a while back, but it had misinstalled .debs and such, and relied on a PPA [17:45] lool: the official rpi2 classic image has misinstalled debs and relies on a ppa, so i doubt you'll find anything for the rpi3 [17:45] ali1234: oh wow really? I don't remember hitting this with our official rpi2 server image [17:46] lool: yeah, it's broken [17:46] lool: dist-upgrade breaks networking [17:46] you can't use hats because the dt overlays are missing [17:46] ali1234: crap, is there a workaround for the dist-upgrade? [17:46] and you need a ppa to do anything with opengl [17:46] I don't care about hats that much [17:46] nor opengl [17:47] lool: yes, hack the /etc/network/interfaces manually until it works [17:47] the issue is systemd persistent interface names [17:47] Ah [17:48] the base image expects that disabled. after dist-upgrade you can't disable them [17:48] and yes i reported these bugs on launchpad [17:59] kyrofa: cholcombe: https://launchpad.net/~snappy-dev/+archive/ubuntu/snapcraft-daily it's enabled again. [17:59] Thanks elopio! [18:00] elopio, nice :) [18:00] I can't help thinking this is a question that must have been asked before, but I haven't found an answer: I'm pretty sure my (cuberite) snap is hitting some seccomp constraint when running confined which results in the process being killed. How can I trace the call that's causing that? [18:01] JamesTait: look in /var/log/syslog. easiest is to install snappy-debug then do: sudo /snap/bin/snappy-debug.security scanlog [18:02] Ah - I thought that only gave output for apparmor-related stuff? [18:02] JamesTait: if you look just in /var/log/syslog, you'll need to use scmp_sys_resolver NN to resolve the syscall number [18:02] JamesTait: nope, seccomp too (it will resolve syscalls for you) [18:02] Then I think it's the fchown call, which I think comes from libsqlite3. 🙁 [18:03] But armed with the knowledge, I'll have a more thorough dig into the problem this evening.
Thanks jdstrand! [18:04] once the snap-confine in xenial-proposed finally lands, I'll be able to make some changes to allow fchown to your own uid [18:04] jdstrand: success! fully confined....will do final clean ups [18:05] jdstrand, that sounds great, can't wait! [18:05] kgunn: nice! [18:05] Have a great weekend, folks! [18:05] * JamesTait waves [18:35] sergiusens: when's the next release planned? [18:39] tsimonq2 almost today [18:39] why? [18:39] just curious [18:40] and what does almost mean? [18:40] :P [18:40] I guess my question is, do I have a chance of getting stuff in before the next release? [18:42] lool only a snappy one from yesterday, no classic ... [18:44] lool, http://people.canonical.com/~ogra/snappy/all-snaps/all-snaps-pi3.img.xz in case that helps in any way ("sudo snap install classic --devmode --edge" works fine as well in case you need a classic env ... (use "sudo classic.create" and classic.shell with it ) [18:45] * ogra_ vanishes back into the hight [18:46] Hight. Must be a German word [18:46] pretty short for a German word [18:46] tsimonq2, probably not [18:46] ssweeny, haha, no kidding! [18:47] kyrofa: alright thanks [18:55] kyrofa: nice catch re: bug 1586423 [18:55] Bug #1586423: File-based sources (.tar, .zip, etc.) should show a progress bar when downloading [18:55] how does snap contain programs? [18:56] nvm [19:08] sergiusens: i just thot of an interesting feature for snap ...remove-all, or has someone already asked for this ? [19:08] kgunn I am totally out of context [19:09] sergiusens: was just thinking, as developers may pull down a clean core...then install a bunch of snaps, they may want to take it back to a clean core [19:09] e.g. i've got 2 snaps...now and was just thinking it'd be nice to have one shot wipe them both [19:09] and i suspect over time people will load more than 2 and have the same feeling [19:13] kgunn, https://github.com/zyga/devtools/blob/master/reset-state ? [19:15] kyrofa: ah nice...does that work with vm's?
or just local [19:15] kgunn, I've only run it local [19:18] I have a question, why does snap need to duplicate libraries, couldn't libraries be isolated separately from applications so duplicates of the same library version don't exist [19:36] PR snapcraft#712 opened: New plugin: dump [19:57] jdstrand: just letting you know, i'm trying to go back through all the confinement one more time...i'm noticing there's a variety of denials that occur BUT i can still launch my app [19:57] so i'm guessing those are errant [20:01] PR snapd#1645 opened: interface: add transitional browser interface [20:04] kgunn: if you collect them in a paste, I can have a look [20:30] jdstrand: ping [20:34] niemeyer: hey [20:34] jdstrand: Heya [20:34] jdstrand: Trying to get to some quick agreements on the browser interface so we can land it [20:35] tyhicks: fyi, the CLONE_NEWUSER is resolved if I use the ubuntu-core-launcher in the archive. seems like a problem with snap-confine [20:35] niemeyer: ok [20:35] jdstrand: We need a new suffix for interfaces which say "this is what I need from the system to work" [20:35] yeah. it's weird cause that is kinda true for all of them [20:37] access... but that doesn't really cut it [20:38] tbh, I picked browser cause it was sorta like 'home' [20:38] in that it was a pure perm === evanmeag_ is now known as evanmeagher [20:40] Yeah.. harness, although not quite.. hmm [20:42] -support! [20:42] oh [20:42] that is pretty good [20:43] niemeyer: I think that is good [20:44] Let's do it [20:44] ok [20:44] About the sandbox option [20:44] niemeyer: thoughts on allow-browser-sandbox vs sandbox? [20:44] heh [20:44] jdstrand: How does chrome call the feature internally? [20:44] Is it "sandbox" simply? [20:44] sandbox [20:44] they have different sandboxes [20:45] setuid, usernamespace, seccomp [20:45] but I didn't want to expose all that [20:45] firefox also calls it a sandbox [20:45] use-internal-sandbox? [20:45] Ok, so we can't avoid the term..
hmm [20:46] Seems too much like the sandbox is about snapd [20:46] yeah [20:46] use-browser-sandbox? [20:46] we're pretty close to what I initially suggested :) [20:46] browser-sandbox? [20:47] can-sandbox feels okayish, I think [20:47] browser-support... can-sandbox.. [20:47] allow-sandbox isn't bad either [20:48] (which was your first term suggestion) [20:48] Alternatively, we might break that down [20:48] jdstrand: How specific to browser are those bits? [20:49] jdstrand: Would sandbox-support make sense on its own? [20:49] mm wonder about that dbus-bind [20:49] ahoneybun: What are your wonders? :) [20:49] in this transitional interface, right this second, not very. but I'd like to use a child profile at some point that would be [20:50] when it's coming [20:50] Soon! [20:50] ahoneybun: What are your needs? [20:50] Pithos can't run without a service [20:50] niemeyer: so, I was trying to avoid a general sandbox-support right now, cause I don't yet understand how we can make it general [20:51] I know what the browsers need, right this second, so was trying to just do it all there with an attribute [20:51] of course, I guess there is nothing saying the attribute itself can't be 'sandbox-support' [20:51] niemeyer: http://pastebin.ubuntu.com/21338511/ [20:52] that would look slightly weird [20:52] niemeyer: I could just use 'sandbox: true' and handle it in the documentation [20:52] trying to run 'snapcraft cleanbuild' on my snap, but I'm getting "500 Internal Server Error"... here's the log ---> http://pastebin.ubuntu.com/22354532/ [20:52] jdstrand: If browsers need it and we know they need it, why is it behind an attribute, considering the only purpose of said interface is the browsers who need it? [20:52] this is really only meant for the major vendors in the short-medium term, not everyone in the world and not forever [20:53] niemeyer: well, not all browsers need it. did you see my rather long description? [20:53] my lxd otherwise appears sane... 
anyone have an idea? [20:53] eg, electron doesn't need that [20:55] niemeyer: in other words, I expect only google and mozilla to use (and be able to use) sandbox: true. people just embedding webviews don't need it [20:55] jdstrand: I see.. let me review the sandbox-specific code once more [20:56] niemeyer: do read my (I know it's lengthy) description though-- it gives justification for the implementation, talks about the store, etc [20:57] jdstrand: I skimmed through it all, but need to re-read enough to understand it [20:58] niemeyer: this also isn't the 'forever interface'. this is the 'today interface'. as we implement more and more we can move stuff out of the browser-support interface into non-transitional interfaces. I suspect one of those is user-namespace-support [20:58] (for example) [20:58] jdstrand: I have a feeling we'll live with this interface for a long time :) [20:58] but I was asked to unblock all this with a transitional interface [20:59] eh [20:59] jdstrand: It's responable, not complaining.. just being realistic [20:59] I don't know. we can get rid of all but oom_score_adj in the medium term for 'sandbox: false'. then most of sandbox: true is in 'user-namespace-support' [21:00] reasonable [21:00] jdstrand: Reading through the code, I'm not sure..
it feels like there's a lot of stuff that is there just because the browser happens to do it rather than being specific to sandboxes [21:00] yes [21:00] but we can fix that with various things [21:01] like the preload library [21:01] jdstrand: It seems better to be honest and have a wildcard browser interface that fixes the problem at hand than to generalize it poorly with unclear settings [21:01] or a kernel patch to allow safe use of ptrace [21:01] (which is exactly what you're doing there) [21:01] (the being honest part :) [21:02] jdstrand: Okay, let's go with browser-support + allow-sandbox [21:02] right, I didn't want to generalize poorly, which is why user-namespace-support is not a thing yet [21:02] ok [21:04] jdstrand: Hold fire, let me add a couple more comments and we can try to merge the next push [21:12] niemeyer: note that zyga once dinged my for your suggestion of 'allowSandbox, _ := plug.Attrs["allow-sandbox"].(bool)' [21:12] s/my/me/ [21:12] niemeyer: he said I should use the method I am since I want to test for the presence of the attribute first and then test if the bool or not [21:12] well [21:12] I already did that in SanitizePlug [21:12] niemeyer: ok, nm [21:13] jdstrand: Ok, done [21:14] jdstrand: Just trivials.. [21:21] niemeyer: the unity7 change was in fact needed for chrome. do you want another PR? [21:21] jdstrand: If it's related it's fine [21:21] jdstrand: Let me know when you're done [21:22] just running ./run-tests [21:24] github has a much nicer way of showing the changes after a git mv than 'git show' [21:28] ok, pushed but let me double check with real snaps [21:31] jdstrand: Thanks! [21:31] jdstrand: renames in git are a bit weird [21:31] jdstrand: It's all detection based [21:32] Sometimes github shows really awkward "renames", when files are too small.. it thinks it's a move as the license header remains the same [21:34] jdstrand: One of the trivial code improvement suggestions didn't land..
no biggie though [21:37] PR snapd#1637 closed: cmd/snap,cmd/snap-exec: support hooks again [21:39] ahoneybun: Sorry for the trouble there.. will try to get the dbus iface in sooner rather than later [21:40] jdstrand: On those topics, we need to find a good name for that general dbus interface [21:42] * jdstrand notes running 5 snapcraft's in parallel on big snaps is probably not the best idea [21:44] jdstrand, pshh. Half the time is pulling anyway [21:45] jdstrand, perhaps you should start them staggered, though [21:45] not on these snaps :) [21:45] Oh :P [21:45] jdstrand, what is a big snap that doesn't involve pulling? [21:46] jdstrand, also, why aren't you using launchpad to build them? [21:46] it involves pulling [21:46] it is just the other bits take a long time too [21:46] jdstrand snap try! [21:46] chrome, chromium, firefox, electron and vscode all in parallel [21:46] no, I needed real snaps [21:46] anyway [21:46] Ah, very nice [21:47] it's done [21:47] niemeyer: ok, I pushed the simplification. things are good on my end [21:53] jdstrand: Cool, will just wait for tests [21:53] jdstrand: dbus-object is an interesting candidate for that other interface [21:57] niemeyer: hmm, it is. I've got a hard stop in 4 minutes. I'll think about that and maybe we can pick up on Monday? [21:57] * jdstrand used dbus-app since it had mild acceptance on the list, but is happy to change it [21:58] jdstrand: Yeah, let's talk on Monday [22:01] jdstrand: Have a good weekend [22:01] niemeyer: have a nice weekend :) [22:01] heh [22:01] ! [22:01] :) [22:01] Thanks [22:01] niemeyer: something with freedesktop in the name might be interesting too (it is a f.d.o spec) [22:01] thank you [22:01] too :) [22:01] gotta run! :) [22:19] PR snapd#1636 closed: snap: don't load unsupported implicit hooks [22:24] PR snapd#1645 closed: interface: add transitional browser-support interface [23:38] PR snapd#1646 opened: cmd/snap,overlord/hookstate: support hook data transfer