[00:09] PR snapd#1682 opened: interfaces/hardware-observe.go: re-add /run/udev/data
=== chihchun_afk is now known as chihchun
[04:29] PR snapd#1663 closed: osutil: fix create-user on classic systems
=== LiX is now known as Guest15496
[06:40] good morning
[06:42] so only the gadget or os snap is allowed to use gpio?
=== ljp is now known as lpotter
[06:49] Hi everyone!
[06:49] I am getting this Apparmor issue:
[06:49] Aug 15 23:44:25 haswell16 kernel: [18612.885097] audit: type=1400 audit(1471329865.428:185): apparmor="DENIED" operation="create" profile="snap.sensortag.sensortag" pid=24904 comm="bluepy-helper" family="bluetooth" sock_type="seqpacket" protocol=0 requested_mask="create" denied_mask="create"
[06:49] And I am using the plugs: [bluez] on my snapcraft.yaml
[06:50] https://github.com/pedrococa/sensortag/blob/master/snapcraft.yaml
[06:50] Is there any additional interface that I should use?
[06:52] looks like the mir interface can allow seqpacket
[06:57] lpotter, so plugs: [mir, bluez] would do the trick?
[07:01] lpotter, I am afraid it is not working.
[07:01] lpotter: hey
[07:02] lpotter: let me check if seqpacket is allowed
[07:03] zyga, lpotter, is used by a BTLE device
[07:04] zyga, lpotter, otherwise I got the apparmor issue and the snap failed with an error of BTLE addresses.
[07:05] it seems not to be
[07:06] essentially the apparmor denial you got above said you cannot create a seqpacket socket, try network-bind as a quick workaround
[07:07] pstolowski: hi :)
[07:08] zyga, hello!
[07:09] pcoca: let me know if that workaround works for you
[07:09] zyga, sure, snapping it up now :)
[07:10] :-)
[07:11] PR snapd#1683 opened: osutil: fix create-user on classic
[07:12] zyga, It does not work :/
[07:12] I still got the same error with Apparmor
[07:12] using plugs: [bluez, network-bind]
[07:18] pcoca: can you please report the bug and give some background on the library/system calls you are using
[07:19] pcoca: please report the bug on launchpad.net/snappy with snapd-interface tag
[07:21] PR snapd#1684 opened: many: drop ubuntu-core-snapd-units package, use release.OnClassic instead
[07:26] zyga, here it is: https://bugs.launchpad.net/snappy/+bug/1613572
[07:26] Bug #1613572: apparmor denial with sock_type="seqpacket" using a BTLE device
[07:28] Bug #1613572 opened: apparmor denial with sock_type="seqpacket" using a BTLE device
[07:29] PR snapd#1685 opened: snap-exec: Fix broken `snap run --shell` and add test
[07:30] pcoca: I saw, thank you
[07:30] mwhudson: good morning
[07:31] mwhudson: I've applied to be a DM, if you'd like you can consider adding your advocacy for me: https://nm.debian.org/process/74/advocate
[07:44] PR snapd#1686 opened: boot: add support for "devmode: {true,false}" in seed.yaml
[07:56] PR snapd#1687 opened: release: Remove "UBUNTU_CODENAME" from the test data
[08:35] Bug #1613609 opened: Can't register name for snap package
[08:38] hi. I created my first snappy package: https://github.com/tarantool/tarantool/blob/snappy/snapcraft.yaml How can I register the "tarantool" name for it?
[08:44] Bug #1613609 changed: Can't register name for snap package
[08:45] ogra@anubis:~/datengrab/images/snappy$ /snap/bin/vlc
[08:45] multiple nvidia drivers detected, this is not supported
[08:45] bah !
[08:45] (it isn't really like i need the nvidia drivers for music playback )
[08:45] ogra_: fwiw, I'm testing the fix for the boot problem you noticed on friday right now
[08:46] ogra_: zyga may be able to help with snap-confine
[08:46] mvo, awesome, is it in the edge channel already ?
[08:46] (i can manually update when setting snap_try_kernel)
[08:47] ogra_: not yet, I sideloaded for now to double check that I did not mess up uboot.env but if it boots I will upload
[08:48] cool, ping me then, i'll do test upgrades without sideloading
[08:49] ogra_: pi2 is published now, please let me know how it goes, I'm updating the dragonboard now
[08:50] hmpf ... i can't really find the code in vlc that prevents the starting with nvidia drivers ... this is really evil ...
[08:50] didrocks, is that check in the launcher code ?
[08:51] ogra_: that is snap-confine that shows this message
[08:51] bah
[08:51] ogra_: no, it's not in the launcher
[08:51] on what conditions ?
[08:52] didrocks, yeah, seems snap-confine
[08:52] yeah ;)
[08:52] zyga, on what conditions does snap-confine block executions with nvidia drivers ...
[08:52] seems it is rather overzealous
[08:55] ogra_: dragonboard is also uploaded, let me know if you notice any issues please
[08:56] PR snapd#1687 closed: release: Remove "UBUNTU_CODENAME" from the test data
[08:57] mvo, oh
[08:57] i got a new gadget too
[08:57] ogra_: the fix is entirely in there
[08:58] oh
[08:58] ogra_: it's also in bzr if you want to double check, one sec, I look for the diff
[09:00] wow ... seems my pi2 auto upgraded to 254 already
[09:00] (not rebooted though)
[09:01] mvo, btw, we need some scriptery in the uboot.env to reboot when it can't load the files
[09:01] that would have prevebted the hang
[09:01] *prevented
[09:03] ok, dragonboard is proper at v3 and ubuntu-core v253
[09:03] ogra_: http://bazaar.launchpad.net/~snappy-dev/snappy-hub/snappy-systems/revision/45 and 46
[09:03] ogra_: +1 for magic in uboot
[09:04] and pi2 at 14 and 254 ...
[09:04] but both had snap_try_kernel set
[09:05] i guess i should trigger quickly another ubuntu-core to test without it set
[09:05] build kicked ...
[09:06] cjwatson, i see very often timeouts when triggering a snap buikld through the LP UI ... current one is OOPS-a9d5e8c47cb69641674e12dd57721fc9
[09:06] *build
[09:07] (the build gets triggered fine, just the reload after triggering does time out)
[09:12] ogra_: Thanks. That one could be fixed with a bit of property caching; please file a bug with the OOPS ID.
[09:13] against launchpad itself ?
[09:14] ogra_: yes
[09:14] thx
[09:16] ogra_: regression in r18036, apparently
[09:16] aha
[09:27] jaymell: hey, thanks a bunch for your nice branch jaymell:createUserOnClassic, really cool that you are working on this! I got a bit carried away while reviewing and created a small tweaks commit https://github.com/mvo5/snappy/commit/52a572a90a3979b37eb7bcda73db1d61cef6b735 - would you mind reviewing and merging into your branch? it addresses the bits that zyga mentioned. I hope you like it and don't mind me doing this, but I was quite excited that create-user now works on classic :)
=== vrruiz_ is now known as rvr
[09:32] ** Unable to read file /kernel.img **
[09:32] reading /dtbs/apq8016-sbc.dtb
[09:32] ** Unable to read file /dtbs/apq8016-sbc.dtb **
[09:32] reading /initrd.img
[09:32] ** Unable to read file /initrd.img **
[09:32] Bad Linux ARM64 Image magic!
[09:32] =>
[09:32] mvo, ^^^ :/
[09:33] (after refresh to the new ubuntu-core that finished a few mins ago)
[09:36] ogra_: hm, dragonboard? if it is not a fresh flash you will need to manually copy uboot.env to /boot/uboot, it's not happening automatically iirc (but please double check using md5sum, maybe I misremember)
[09:36] PR snapd#1680 closed: overlord/assertstate,daemon: reorg how the assert manager exposes the assertion db and adding to it
[09:41] is it possible to have snapcraft put the parts/prime/stage folders in a different place? I'm currently building a project that I have stored inside a Dropbox folder, and this appears to be a Bad Idea™
[09:41] dragly: A temporary workaround might be to use `snapcraft cleanbuild`, which builds inside a lxd container (though this does mean that you can't easily examine each of the stages).
[09:42] Odd_Bloke: thanks, I'll try that out
[09:52] PR snapd#1688 opened: interfaces: add fwupd interface
[10:08] mvo, well, md5 is moot after one boot attempt since it saves vars during boot ... but let me try
[10:09] ogra_: you could dump the entire text and pastebinit and I check
[10:09] mvo, yeah, the script line differs ...
[10:11] ogra_: meh, ok
[10:11] * ogra_ copies manually and transfers all the variables needed
[10:12] ok, now it works again
[10:16] same for rpi
[10:17] so i guess the gadget needs some upgrade hook
[10:17] ogra_: yes, I guess short term I need to create new base images
[10:17] that too
[10:26] mvo, triggering a new ubuntu-core build to test with the new gadget in place now
[10:28] ogra_: ta
[10:28] * mvo considers lunch
[10:30] cjwatson, Bug #1613652 (sorry, took a bit)
[10:30] Bug #1613652: timeouts when triggering snap builds
[10:34] ta
[11:02] Son_Goku: hey, I've updated snap-confine and I'll need another golang package before snapd 2.11
[11:02] Son_Goku: I've uploaded everything to people.fedoraproject.org, I'll start working on the paperwork for this
[11:04] mvo, upgrade works now \o/ ... what i don't get though ... the image should have been built from the edge channel .. but snap refresh always tries to get ubuntu-core from stable, i have to explicitly call "sudo snap refresh ubuntu-core --edge" ... don't we store the default channel in the image config anywhere ?
[11:10] zyga, have you made any progress on selinux support in snap-confine?
[11:15] Son_Goku: https://bugzilla.redhat.com/show_bug.cgi?id=1367407
[11:15] Son_Goku: some, I'm working on a toy version of snap-confine that fiddles with libselinux
[11:15] macaroons?!
[11:15] Son_Goku: upstream firefighting is over now, I'm just waiting for reviews and I'll do the 1.0.40 release
[11:16] Son_Goku: I'm back to my regular tasks
[11:16] Son_Goku: yeah, part of snapd auth code
[11:16] Son_Goku: (I was surprised that macaroon is not "pasta" but instead is "fancy cookie")
[11:16] Son_Goku: the polish word for "pasta" is makaron
[11:17] oh dear god
[11:17] I feel stupid now
[11:18] Son_Goku: I'd like to make snap-confine apply selinux context/labels/thing to the mounted snaps
[11:18] Son_Goku: haha, why? Did you also think it is about pasta?
[11:18] that, and apparently we should never have imported check
[11:18] it already exists: http://koji.fedoraproject.org/koji/packageinfo?packageID=19283
[11:18] hmmm
[11:18] that's odd
[11:18] I did gofed checks
[11:19] that's good though
[11:19] Son_Goku: wait, that's gopkg.in/check.v1
[11:20] Son_Goku: so there are two packages for the same thing?
[11:20] yep
[11:20] you just added exactly the same package to Fedora
[11:20] http://koji.fedoraproject.org/koji/buildinfo?buildID=785266
[11:20] Son_Goku: I'll email the maintainer, maybe those should be merged
[11:20] yeah
[11:20] it's clearly an accident
[11:21] Son_Goku: yeah, the provides for common name could be a way to find those
[11:21] Son_Goku: golang is still young and packaging guidelines are incomplete and weak, the package I added follows the more strict naming convention
[11:21] yeah
[11:22] well, the biggest problem is because golang is all statically done, there's no easy way to identify everything
[11:22] and apparently the provides didn't even exist on that go-check package until Feb of this year
[11:22] which shows how difficult golang can get
[11:23] yeah, I agree
[11:23] I think upstream import path/common name should be the only way to map packages
[11:23] everything else is wrong
[11:23] including github repo checks (like in this case)
[11:24] Hello, I'm trying to build a snap, but I'm getting this error: "Can't convert 'float' object to str implicitly" anyone know what that means?
[11:24] what I'm surprised about is that gofed didn't catch this
[11:24] or did you never run gofed on snapd itself?
[11:25] Son_Goku: I think I didn't run it on snapd
[11:25] Son_Goku: though at the time the common name import didn't exist
[11:25] Son_Goku: or .... perhaps I didn't use the common name then
[11:25] you probably didn't use the common name
[11:25] Son_Goku: in any case, I'm writing to the maintainer now
[11:25] cool
[11:26] you might want to ask if his version is up to date, and if you can be comaintainer of the package, too
[11:26] you can request the ACLs here: https://admin.fedoraproject.org/pkgdb/package/rpms/golang-gopkg-check/
[11:26] yep, good idea
[11:27] Son_Goku: how have you been?
[11:27] I've been alright
[11:27] Son_Goku: for me the summer is over, it's cold and wet all week
[11:27] haha
[11:27] it's still hot here
[11:27] it's a bit rainy at the moment, but still very hot
[11:28] Son_Goku: it was 10C in the morning today
[11:28] it's 73F / 23C right now
[11:29] the high will be 86F / 30C
[11:29] I really envy you, I sometimes question the logic of moving away from spain *for summer* so that we can spend it in a cold forest in the north
[11:30] haha
[11:36] Son_Goku: sent!
[11:36] Son_Goku: you're on CC
[11:36] Son_Goku: I'll look at snapd 2.11, I need to fix something in systemd units (seems like upstream change)
[11:37] Son_Goku: oh, btw, I'm almost done removing snap-confine debian packaging from the upstream tree, I will be able to run end-to-end integration tests, made against fedora packaging, on each pull request soon
[11:37] cool
[11:38] Son_Goku: https://github.com/snapcore/snap-confine/pull/103/files
[11:38] PR snap-confine#103: Use downstream packaging in spread tests
[11:38] btw, if you wanted to set up some kind of thing to monitor snapd, snap-confine, and its deps in fedora, you can use this: https://apps.fedoraproject.org/mdapi
[11:38] Son_Goku: I support debian and ubuntu, fedora and arch are up next, I just need to land this first
[11:38] it's a RESTful API that emits a JSON form of the RPM XML repodata
[11:39] ogra_: that sounds like a bug, it should store the channel, let me double check that
[11:39] Son_Goku: I have that bookmarked, I need to spend some time on that cross distro monitoring
[11:39] Son_Goku: I'm really glad most of snap-confine firefighting is over and I can pick up stuff from my backlog again
[11:40] both the Debian guy and myself would really like to see the SELinux integration asap :)
[11:42] Son_Goku: it is capped by my capacity to learn selinux and spend time on it; if you know anyone who'd like to hack on this with me that would help a lot
[11:42] did you learn anything from selinux guys at flock that could help?
[11:42] Son_Goku: yes, I asked a lot of questions over lunch
[11:42] Son_Goku: I also got the idea that everything I want to do is doable
[11:43] Son_Goku: but most importantly, we just had a good time and exchanged contacts
[11:43] that's good
[11:46] * zyga away for 45 min
[11:50] niemeyer: Hi. I saw that you wrote that you published a patched version for this bug in your ppa https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1606212 - is it possible to use your ppa?
[11:50] Bug #1606212: getpwuid is failing on classic image
[11:52] mvo, might be related to me manually tinkering with snap_try_kernel before (and according broken boot attempts alongside)
[11:56] ogra_: maybe, smells like a bug, if you mail me (privately) /var/lib/snapd/state.json I can check if the DB is correct about it
[11:56] will do
[11:56] ogra_: thanks
[12:12] Bug #1613686 opened: Consider allowing access to @{PROC}/@{pid}/limits
[12:58] PR snapd#1681 closed: tests: test `snap run --hook` using in-tree snap-exec
[12:59] Son_Goku: snap-confine updated again
[12:59] Son_Goku: I'd love it if you can set the reviewed bit now :)
[12:59] haha
[12:59] Son_Goku: if you want, all the changes are kept in git for easier review too
[13:00] https://github.com/zyga/snapcore-fedora/commits/master
[13:02] :)
[13:02] package approved
[13:03] wooot
[13:03] thank you
[13:05] macaroon is approved too
[13:05] contingent on your fixes
[13:06] yep, I saw; I'm on a call now but I'll continue with this as the next thing
[13:06] Son_Goku: I'll push my selinux hacks today, maybe at least to get some feedback from others
[13:06] cool
[13:06] having something is better than nothing, imo
=== chihchun is now known as chihchun_afk
[13:20] * zyga requested snap-confine and the macaroon package in fedora
[13:20] next up: snapd :)
[13:22] ogra_, who's responsible for the config of the rpi2-kernel snap?
[13:22] awe, the config ?
[13:23] you mean the build configuration ?
[13:23] yup
[13:23] looks like there aren't any audio devices configured by default
[13:23] (the snap just uses the linux-raspi2 and linux-image-raspi2 packages from the archive)
[13:23] which makes testing pulse rather difficult
[13:23] ;D
[13:23] pfft, excuses :P
[13:24] ppisati_, ^^^ can we have audio devices on the pi's ?
[13:24] * ogra_ has no idea which config options we need though
[13:24] * awe has never toyed with rpi audio before, but the doc says there are two output devices ( HDMI, and headphone out )
[13:25] * ppisati_ checks
[13:43] morphis: hi! can you look at https://bugs.launchpad.net/snappy/+bug/1613572/comments/2?
[13:43] Bug #1613572: apparmor denial with sock_type="seqpacket" using a BTLE device
[13:43] morphis: with the addition of bluetooth-control, I'm not sure where to put the fix
[14:02] PR snapd#1682 closed: interfaces/hardware-observe.go: re-add /run/udev/data
[14:06] jamiebennett: ping
[14:07] pong
[14:09] jamiebennett: question about this bug - https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1606212 So Manik asked us if we could use what's described in this bug to work around our issue. From what I read it seems niemeyer has some kind of build with a patch for this? Can we use that ppa with the built ubuntu-core? I checked out his user profile and the ppa there has its last update from 270 weeks ago )
[14:09] Bug #1606212: getpwuid is failing on classic image
[14:15] sborovkov: We keep the code on GitHub, let me see if I can find the branch
[14:15] niemeyer: ^
[14:17] thanks
[14:17] sborovkov: I don't have anything other than what's described there
[14:17] sborovkov: The issue mentioned describes why the problem is likely happening, and what the fix is
[14:18] niemeyer: so should I write a similar patch for my app like the one you attached for plymouth
[14:18] sborovkov: Not clear if this needs to be in your app or in snapd itself
[14:18] sborovkov: It might be a file that we're not shipping in /etc that we could ship and would solve all similar issues
[14:18] Yes, that's why I asked. I thought you patched snapd. And it would be in ubuntu-core
[14:19] sborovkov: Someone needs to dig down and test this theory out
[14:19] didrocks: do you want to hangout to get over with this docker hub thing?
[14:19] sborovkov: Can you give it a shot?
[14:20] niemeyer: but that patch should work, right? I checked /var/snap/ubuntu-core... and nsswitch.conf was present along with libnss files?
[14:20] sborovkov: Even if the fix is in ubuntu-core, having someone verify it would be useful
[14:20] jdstrand, Hi Jamie! Just updated https://bugs.launchpad.net/snappy/+bug/1613572. Is the path different in the classic subsystem? I cannot do the workaround.
[14:20] Bug #1613572: apparmor denial with sock_type="seqpacket" using a BTLE device
[14:20] niemeyer: I'll test the patch on the side of my app then
[14:21] sborovkov: Thanks, please let me know how it goes
[14:21] sure
[14:22] pcoca: /var/lib/snapd/apparmor/profiles/snap.sensortag.sensortag
[14:22] pcoca: I left out 'snapd'
[14:25] jdstrand, after the line:
[14:25] profile "snap.sensortag.sensortag" (attach_disconnected) {
[14:26] ?
[14:26] pcoca: anywhere in between the {}. I typically add workarounds before the final '}'
[14:27] jdstrand, OK
[14:30] Odd_Bloke: your bug 1607710 is not prioritized afaict. if you need it escalated, I suggest talking to jamiebennett
[14:30] Bug #1607710: Home directories listed in /etc/passwd should be honoured
[14:30] your*
[14:32] jdstrand, Done it. Thanks Jamie. I got now a different error :/ I just updated the bug info.
[14:35] jdstrand: will have a look
[14:36] jamiebennett: Getting https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1607710 fixed would be super-cool, because then we could start snapping up tools we use in Jenkins. :)
[14:36] Bug #1607710: Home directories listed in /etc/passwd should be honoured
[14:37] Sounds like zyga may know more on this bug
[14:41] morphis: basically I'm wondering about the intent of the bluez interface-- is that only for talking to bluez now or should it give network bluetooth
[14:42] jdstrand: on the plug side it should only allow dbus api access for bluez
[14:42] all low level BT stuff should go into bluetooth-control
[14:42] morphis: ok, so we should add network bluetooth to bluetooth-control
[14:42] yeah
[14:42] gotcha, thanks!
[14:42] jdstrand: however it's the question if we want to give any app access to that
[14:43] a new build app should definitely go with bluez rather than bluetooth-control
[14:43] pcoca: do you have time to iterate here?
[14:44] morphis: 'a new build app'?
[14:45] jdstrand: for those building new Apps especially for Ubuntu Core
[14:45] morphis: note that bluetooth-control is not auto-connected
[14:45] I see what you mean
[14:45] as it stands, both bluez and bluetooth-control do not autoconnect
[14:45] jdstrand: especially for bluetooth low energy a lot of people tend to use the raw kernel APIs today because bluez had its api just experimental for a long time
[14:46] PR snapcraft#715 closed: Add artifacts option to make plugin
[14:46] that seems to be the case with sensortag
[14:47] so this might have the potential to conflict with a running bluez and also gets privileged access to the whole bluetooth subsystem
[14:49] this may need an architects discussion. we've not had a situation where one interface might conflict with a slot implementation
[14:55] Bug #1610292 opened: Snap installed with --devmode can't use sudo
[15:04] awe: append "dtparam=audio=on" to config.txt and reboot
[15:04] thanks ppisati_!!!
[15:04] awe: i tested it through the 3.5jack (and i had to disconnect the hdmi cable)
[15:04] or i didn't hear anything
[15:04] ubuntu@raspi3:~$ cat /proc/asound/cards
[15:04] 0 [ALSA ]: bcm2835 - bcm2835 ALSA
[15:04] bcm2835 ALSA
[15:04] right, in theory as long as both outputs are available
[15:05] after appending that line and rebooting
[15:05] you can switch using amixer
[15:05] cool
[15:05] awe: can you?
[15:05] no idea
[15:05] i found that, pulled out the hdmi cable, installed mpg123 and played an .mp3 file
[15:05] ogra_: FYI ^
[15:05] https://www.raspberrypi.org/documentation/configuration/audio-config.md
[15:05] awe: :O
[15:08] ppisati_, ah, cool ... is that true for both pi's ?
[15:09] ogra_: tested only on the pi3, but i bet it works the same on pi2
[15:09] yeah
[15:09] so i guess we should set that by default in our config.txt
[15:09] makes sense
[15:12] jdstrand, do you have any idea about bug #1610292 (there is also https://lists.ubuntu.com/archives/snapcraft/2016-August/000655.html discussing that)
[15:12] Bug #1610292: Snap installed with --devmode can't use sudo
[15:12] i'm not sure we want snaps to randomly ship /etc/sudoers.d snippets
[15:12] ogra_: what do you mean by 'any idea'?
[15:12] how to solve it in a secure way
[15:13] in the ML discussion zyga proposed to have a service that runs as root that the user driven app can attach to instead of using sudo for example
[15:14] otoh it is really thorny
[15:14] that service would be attacked like crazy
[15:14] i find the whole idea of a sudo interface a bit horrid TBH
[15:14] would it ? if it only allows connections from within the snap ?
[15:15] yes
[15:15] (so only the shipped user app can attach to it)
[15:15] "here, I'll run things for you as root"
[15:15] elopio: I'm quite busy (focusing on finishing some things for a demo before going on holidays tomorrow), so maybe once I'm back?
[15:15] well, but every service does that anyway
[15:15] what are you referring to?
[15:15] daemons run as root ...
[15:16] what we allow in interfaces is talking to services that do certain things
[15:16] if i ship a daemon that only allows a shipped enduser app from the same snap to attach to it, i effectively don't need sudo
[15:16] we don't have any services that run arbitrary commands as root
[15:16] you don't need sudo to talk to the service, but the service doesn't just do what you want
[15:17] this service is "connect to me and I'll do anything you ask"
[15:17] well, in devmode it would
[15:17] didrocks: sure, ping me when you have the time.
[15:17] the bug is about using sudo with devmode snaps (which currently doesn't work)
[15:18] is it though? as soon as devmode works people will want it for strict
[15:18] hah
[15:18] I also don't see his response in my inbox...
[15:18] so your opinion is "no sudo at all" ?
[15:18] whose ? zyga's ?
[15:19] that was from august 8th
[15:20] my opinion is that it is very thorny and it needs to be thought through extremely carefully
[15:20] yeah, i'm not a fan of it at all
[15:20] * jdstrand notes that the subject is "Using sudo from within a snap" -- there is no mention of devmode in that snap. mark my words, people will immediately ask for it
[15:20] in strict mode
[15:21] let me read zyga's response
[15:21] especially since we will get into awful situations with the passwd db and libnss-extrausers inside the core snap too
[15:21] "Using sudo from within a snap" refers to two bugs ... one is the above one
[15:21] yes
[15:22] the other is the secure_path fix that mvo landed yesterday
[15:23] I suppose something along the lines of gksudo that works more like pkexec could possibly work. ie, you have a service that can pop up a dialog. but how does that work with cli? it is very messy
[15:24] I see zyga's response on the 8th but I don't see where he is suggesting a sudo service
[15:24] oh, I think I see what you mean
[15:24] an app could ship a root daemon that the cli could talk to
[15:24] zyga: hm, bug #1607710 is interesting
[15:24] Bug #1607710: Home directories listed in /etc/passwd should be honoured
[15:25] that isn't sudo. sudo is 'let me run this outside of confinement'
[15:25] jdstrand: ogra_ would using pkexec be preferable to sudo?
[15:25] pkexec isn't allowed either, so not at this time
[15:25] the impetus for sending out that mail is that checkbox runs some tests as root, and it's currently trying to just use sudo and failing
[15:25] this is a fundamental issue
[15:25] snaps are by definition tightly confined
[15:25] yeah
[15:26] allowing them to use sudo to break out of confinement as root doesn't really work
[15:26] well it's not necessarily trying to break out of confinement, some confined things need root (like bluez-tests)
[15:27] that is different
[15:27] snap commands should be able to talk to their daemons
[15:28] we shouldn't block that (but that is largely up to the snap daemon to set up things in a way for that to happen
[15:28] niemeyer: that plymouth patch works, thanks!
[15:28] )
[15:28] but the example in the bug is checkbox. checkbox wants to run things outside of itself
[15:29] it really wants to have an unconfined interface
[15:29] I suppose an argument could be made that devmode snaps should be able to use sudo. but the mailing doesn't say that
[15:30] mailing list*
[15:30] and reading the bug more closely-- it should work
[15:31] the problem in the bug is "Any call to sudo fails with the error "pkexec must be setuid root""
[15:31] why is sudo calling pkexec?
[15:31] the problem here is that pkexec is not installed in the core snap
[15:33] https://www.irccloud.com/pastebin/8j0nZM46/
[15:33] jdstrand, well, it seems to be shipped with the checkbox snap ...
[15:33] spineau: ^ for context
[15:33] else it wouldn't print the error
[15:34] (unless the sudo error is simply misleading)
[15:35] ogra_: yes, but as the bug said, the setuid bit is stripped
[15:35] as always in snaps :)
[15:35] I guess what is happening is sudo pkexec ...
[15:35] uuuh
[15:35] kind of overzealous :)
[15:35] or sudo wrapper.that.calls.pkexec ...
[15:36] cwayne, is pkexec inside your snap ?
[15:36] cause sudo itself won't call pkexec
[15:36] * jdstrand just grep the sudo source code
[15:37] grepped*
[15:37] i wonder if they could just ship gksudo instead
[15:37] iirc that only acts as a frontend ... so won't need to be suid root
[15:39] cwayne: do you have the bug id jdstrand is referring to?
[15:39] Bug #1610292
[15:39] Bug #1610292: Snap installed with --devmode can't use sudo
[15:39] thx
[15:40] well, gksudo pkexec won't work either :)
[15:40] note that most of the discussion around it was on the mailing list though
[15:40] jdstrand, heh ... no, but gksudo /path/to/binary will
[15:40] as long as it has access to sudo
[15:41] I know that plainbox as the deb package depends on pkexec/policykit but since we're now pulling it from pypi I'm wondering which part pulls pkexec into the snap
[15:41] I commented in the bug
[15:42] * jdstrand suspects that sudo /path/to/binary will too
[15:42] mvo: I saw that bug, it is the evolution of the jenkins-cannot-run-snaps bug
[15:43] jdstrand: checkbox is a different thing
[15:43] jdstrand: it's not about running unconfined
[15:43] ogra_: it seems to, not sure where it's from though
[15:43] jdstrand: the idea is to precisely run confined because the tests will exercise the interface
[15:43] jdstrand: root or user is another angle, it's not the unconfined root that is needed
[15:43] zyga: the bug very clearly references 'checkbox-snappy'
[15:44] Bug #1613775 opened: Symlinks in home directory doesn't work with snap home plugin
[15:44] jdstrand: checkbox also wants to do profile transitions so that checkbox can run two tests, each with different plugs (for example) but this is another story
[15:44] I know
[15:44] jdstrand: I think we should let checkbox use sudo-to-be-confined-root
[15:44] I decided to focus on the devmode not working angle
[15:45] jdstrand: oh!
[15:45] jdstrand: that's the glibc bug, right?
[15:45] instead of trying to shove checkbox into a strict mode snap or to let arbitrary snaps run sudo
[15:45] no
[15:45] cwayne: https://git.launchpad.net/~checkbox-dev/checkbox/+git/checkbox-parts/tree/snapcraft.yaml#n22
[15:45] it is that pkexec is not in the core snap and that pkexec in the app snap gets its setuid bit stripped
[15:46] and something in the snap ends up calling pkexec
[15:46] jdstrand: ah, I see
[15:46] but the error makes it look like sudo is complaining
[15:46] yes
[15:46] I know, I wrote that code
[15:46] joc_, spineau: I know exactly what calls pkexec
[15:46] i have no doubt :)
[15:47] zyga: the warmup?
[15:47] there's an execution controller for pkexec and sudo, if sudo doesn't work we do use pkexed
[15:47] pkexec
[15:47] spineau: not even warmup, any test that wants to run as root
[15:48] sudo not able to work right in devmode is something that can be worked through
[15:48] would just need more details (and to be assigned to look at it)
[15:49] spineau: ^ would you be able to provide those details (as in what plainbox is actually trying to do when it gets denied)
[15:49] zyga: we have two controllers which should return a negative score then, RootViaPTL1ExecutionController and RootViaPkexecExecutionController
[15:50] if both return -1 then only sudo remains possible
[15:52] cwayne: I'd like first to remove pkexec from the problem to have plainbox running jobs as root only with sudo and see what breaks exactly
[15:53] cwayne: context here is devmode + sudo, not our second issue with sudo + confinement
[15:54] right
[15:54] we have so many issues :)
[15:54] * spineau should turn sentences in a more positive way
[15:56] spineau: we have so many issues but we used to have more and we are healthy!
[15:57] cwayne: zyga: I can update plainbox to return -1 for the two controllers using pkexec as a backend. Once merged I can update plainbox on pypi so that future snap builds can just use sudo. From there we will be able to iterate.
[15:57] I don't want to bother our snappy experts with plainbox internals
[15:58] if we can make sure that we no longer call pkexec internally it will help diagnosing the problem
[16:06] +1
[16:07] PR snapcraft#725 closed: Support having the snapcraft.yaml in a subdir
[16:36] I need help with Python2 plugin, getting this error
[16:36] /usr/bin/env: 'python2': No such file or directory
[16:37] when running python scripts from inside my snap
[16:41] marcoceppi, are you actually exporting the scripts using the `apps` in the YAML?
[16:41] kyrofa: I guess so?
[16:41] marcoceppi, or are you calling them directly?
[16:42] kyrofa: http://paste.ubuntu.com/23062172/
[16:42] there's a golang tool that uses $PATH to find plugins
[16:42] charm-tools, provides a suite of plugins in Python
[16:48] marcoceppi, hmm... and bin/charm seems to be provided by the go part, not python?
[16:48] kyrofa: yes, and that works
[16:48] but running any of the subcommands which are python result in the aforementioned error
[16:49] marcoceppi, can you pastebin the contents of /snap/charm/current/charm.command (I think)?
[16:49] Or charm-command... something like that
[16:50] kyrofa: /snap/charm/current/command-charm.wrapper: http://paste.ubuntu.com/23062186/
[16:51] marcoceppi, ohhhhhh
[16:51] I know what's happening
[16:51] I am so ready for this
[16:51] marcoceppi, your use of the `snap` keyword on the charm-tools part is a whitelist
[16:51] marcoceppi, you're not actually including python :P
[16:51] marcoceppi, perhaps you want to turn it into a blacklist instead?
[16:52] no, I want those included
[16:52] they weren't being included before
[16:52] well I want like EVERYTHING included
[16:52] everything I need to make this work
[16:52] PR snapcraft#732 opened: Remove store dispute logic
[16:53] kyrofa: so I need to include like $SNAP/usr/lib/python2.7/* in my whitelist?
[16:54] marcoceppi, hmm... it should include everything placed by the setup.py
[16:54] marcoceppi, in addition to python and other prereqs of the plugin
[16:55] kyrofa: red herring, I found the issue
[16:58] PR snapcraft#730 closed: Clarification of make plugin help text
[17:00] marcoceppi, okay, good deal
[17:10] PR snapcraft#658 closed: parser - Return non-zero code for wiki errors
=== JanC is now known as Guest86015
[17:58] how can i make snap refresh keep the --devmode flag?
[18:01] I'm an upstream developer, and my project name isn't available
[18:01] no one has answered my dispute yet
[18:02] marcoceppi, talk to nessita
[18:04] marcoceppi, hi! what's your project name?
[18:12] nessita: charm
[18:22] PR snapd#1681 opened: tests: test `snap run --hook` using in-tree snap-exec
[18:28] PR snapd#1689 opened: spread: disable re-exec to always test development tree
[18:29] jdstrand, did the new snap-confine restrict things further? I can't seem to use lxd with the juju snap anymore, despite --devmode
[18:34] balloons: it switched how bind mounts are applied, which might break devmode for you. can you file a bug against snap-confine? zyga, fyi ^
[18:35] jdstrand, I certainly can. I was just going a bit crazy feeling like I'd done something wrong. Good to know
[18:36] nessita: is there anything else I need to do?
[18:40] zyga, jdstrand, file here https://github.com/snapcore/snap-confine/issues? Also as a side note, would we consider this a regression? I'm curious how long the package will be broken
[18:41] marcoceppi, checking the status
[18:41] marcoceppi, I only see charm-tools and not charm
[18:41] marcoceppi, and the comment you added sounds like it is a temporary name? you still need it?
[18:42] nessita: I see this:
[18:42] marcoceppi, hum, sorry, found charm in another queue
[18:42] balloons: https://bugs.launchpad.net/snap-confine/+filebug
[18:42] nessita: charm Pending name dispute review
[18:42] marcoceppi, yeah, dispute review was a different queue, checking now
[18:42] charm-tools was my attempt to register a name while waiting for charm to be reviewed
[18:43] balloons: as for a regression, probably, and I would expect it to be fixed reasonably soon
[18:43] balloons: but when would be up to zyga (he is preparing a new release now and may or may not want to include this fix in it)
[18:45] jdstrand, interesting.. small diff that broke things; https://launchpadlibrarian.net/276007118/snap-confine_1.0.38-0ubuntu0.16.04.3_1.0.38-0ubuntu0.16.04.4.diff.gz
[18:46] marcoceppi, see u1-internal please
[18:52] balloons: that's curious. 1.0.38-0ubuntu0.16.04.3 worked for you and 1.0.38-0ubuntu0.16.04.4 does not? Definitely worth mentioning in the bug
[18:53] are there any docs or pointers floating around with info on how to get around "make install" needing root permissions when using the autotools plugin?
[18:57] It is building successfully, but then tries to do a make install and fails changing permissions: http://paste.ubuntu.com/23062496/
[19:00] are there any snap examples where it tries to create its own network bridge?
[19:01] bladernr, why does it need root:root there?
[19:01] basically this https://lists.ubuntu.com/archives/snappy-app-devel/2015-November/000477.html
[19:01] That doesn't seem like a normal thing
[19:02] kyrofa, no idea... (I'm not a C guy, I can basically read makefiles, but am not an expert. I see what you're talking about now, I didn't notice that before).
[19:03] I have a feeling it's because on a regular system, its make install copies to /bin, which does need root permissions to copy into
[19:03] thanks, I didn't notice that before though, I'll play with that some more
[19:10] balloons: do you have more details
[19:11] zyga, hey. I can play with the setup as much as you'd like right now. What are you curious about?
[19:12] balloons: what broke
[19:12] balloons: is there a bug report?
[19:12] zyga, basically as the bug says my old juju snaps don't bootstrap with LXD anymore. Essentially the socket isn't found I guess
[19:12] zyga, https://bugs.launchpad.net/snap-confine/+bug/1613845.
[19:12] Bug #1613845: Juju snap can no longer interact with LXD in devmode
[19:13] balloons: where is the lxd socket?
[19:13] zyga, I was starting to play with versions to try and pinpoint which exact version broke it. My initial description highlighted a version, but I'm not positive it was the first one to break
[19:15] zyga, /var/lib/lxd/unix.socket
[19:15] balloons: thank you
[19:23] balloons: /var/lib is not bind mounted so you get what you'd get in an all-snap system (read only content of the core snap)
[19:23] zyga, and this presumably has changed from before right?
[19:23] balloons: services should use /run for sockets AFAIR (sadly we cannot support arbitrary locations)
[19:23] balloons: not directly, the change is the use of chroot, in the past we bind mounted a few directories from the core snap to the root fs
[19:24] balloons: now we chroot to the core snap and bind mount some things from there
[19:24] balloons: this is consistent with all-snap images and works on any distribution
[19:24] balloons: can lxd use another location for the socket?
[19:26] slangasek, mwhudson; https://github.com/snapcore/snap-confine/pull/108/files
[19:26] PR snap-confine#108: Remove packaging
[19:27] zyga, in theory yes. In practice, I've no real idea. But I can't imagine it would be a quick or even desirable change. LXD is stable now and the socket is where I told you it was
[19:27] balloons: looking at the core snap, I don't see /var/lib/lxd there, we'd have to bind-mount all of /var/lib
[19:27] balloons: but it cannot be there because that's a read only location for the core snap
[19:28] balloons: even in devmode
[19:28] zyga: but it worked before
[19:28] balloons: while it may be stable snapd cannot support random locations that a particular package can wish for because there's no way to do that without adding all those locations to the core snap
[19:28] zyga: and since snap is GA this is considered a regression, no?
[19:29] stokachu: read what I said above, that didn't work on all snap images and the way we worked on classic was problematic for other reasons, there's no good change but I believe that this change is better as it is consistent in behavior across systems
[19:29] stokachu: I don't think so
[19:29] zyga: except it breaks our ability to use lxd inside a snap
[19:29] where we could before
[19:29] zyga, I think this is part of the crux of the matter. It kills the story if we can't fix it
[19:29] stokachu: it breaks lxd as a snap in all-snap systems, it would never work there :/
[19:30] balloons: it's all software, we can fix it
[19:30] balloons: the question is how
[19:30] zyga: right but it *worked* before
[19:30] juju could access lxd inside a snap
[19:30] stokachu: but other things did not
[19:30] zyga, right. I'm saying insomuch as stokachu points out, you've SRU'd this and broken existing snaps
[19:30] right so you've introduced a regression
[19:30] so I don't think you can make this change until you've fixed it -- if that means in LXD or wherever
[19:31] balloons: I understand that; I'm saying that we cannot always keep things working, in this case lxd worked because it relied on something that is not a feature
[19:31] balloons: if we revert the chroot we'll break every other distribution and a few things on ubuntu
[19:31] zyga: uhm no
[19:31] zyga, right. And I feel like for xenial the right thing to do is let it stay the same. Is that not possible?
[19:32] balloons: no
[19:32] balloons: can we talk to stgraber to find a solution please
[19:32] zyga: you can't just introduce a regression in an LTS release
[19:32] stokachu: even if something worked because it relied on a bug?
[19:32] zyga: you introduced a regression in an LTS release
[19:32] bottom line
[19:32] stokachu: let's not spin this this way, let's find a way for lxd to work
[19:33] zyga, yes finding a more permanent solution with LXD is a good idea. However, I'm worried about other snaps that may be broken for similar reasons
[19:33] also thinking about https://bugs.launchpad.net/snappy/+bug/1604967
[19:33] Bug #1604967: Apparmor denies bind to abstract unix sockets such as @/var/lib/juju/mutex-/store-lock
[19:33] stokachu: fixing a bug regresses software that relied on the bug, we're making many changes to snapd, we're hoping to keep software compatible but it's not always possible
[19:33] zyga: how can you call this GA then?
[19:34] you give us no guarantee
[19:34] stokachu: does GA say "it is not changing ever"?
[19:34] LTS does
[19:34] don't introduce regressions in an LTS release
[19:34] this is not a constructive discussion, let's find a way to fix the problem
[19:34] not discuss acronyms
[19:35] stokachu: is https://bugs.launchpad.net/snappy/+bug/1604967 a regression?
[19:35] Bug #1604967: Apparmor denies bind to abstract unix sockets such as @/var/lib/juju/mutex-/store-lock
[19:35] that never worked in strict mode
[19:35] so no.. it's not a regression
[19:35] stokachu: ok
[19:36] you've broken things that run in --devmode
[19:36] stokachu: as for /var/lib/lxd, I need to investigate options
[19:36] zyga, that bug is talking about strict mode indeed. But the idea is, lxd is hardly the only bit of software to use an abstract socket. And they are not going to be in /run
[19:36] stokachu: the old way to run snaps was not sustainable, this was done many releases ago, it was never released via SRU because of other issues, I'm sorry that it broke lxd and I will look for solutions
[19:37] zyga: thank you
[19:37] balloons: how would that snap work in an all-snap device where that location is read only?
[19:37] (worse, that location doesn't exist)
[19:37] zyga: you seem to be forgetting about people who need to run snaps on servers
[19:38] zyga, the way I see it is that, that problem of everything running under strict mode and with a read-only core is something to work towards
[19:38] if you go down that path too early for --devmode, we can't begin adoption
[19:39] stokachu: I'm saying that yes, the snap was running in a particular distribution with a particular layout but would not work elsewhere, that's not the promise of snaps, while I don't want to break anything the change was made to improve support in general
[19:39] zyga: then break it in yakkety
[19:39] not in xenial
[19:39] zyga, can we not differentiate breaking it under --strict mode, but not under --devmode?
[19:39] stokachu: that's not as simple as that, this is a fundamental way in which snaps work
[19:40] balloons: snap-confine doesn't do anything differently in devmode
[19:40] stokachu, balloons: FYI: http://www.zygoon.pl/2016/08/snap-execution-environment.html
[19:41] I know this change is something that you don't like because it broke the software you want to use but I'm saying that we had to make the change
[19:41] I'll stop arguing because it seems to lead nowhere
[19:41] I will look for solutions
[19:42] zyga, I'm asking for snap-confine to treat dev-mode differently. To allow it to make poor choices so that all the other good parts of snappy can be used. It's about keeping the initial adoption barrier as low as possible
[19:43] balloons: read my blog post first, what you are asking for is not something that can be done, if we go back to the old way of constructing the filesystem we will just break other things again
[19:43] balloons: let me discuss this with the team and get back to you with solutions
[19:43] zyga, ok. And presumably everything must change at the same time -- xenial cannot be treated differently?
[19:44] balloons: that's another story, we can explore that
[19:45] zyga, so it sounds like there may be solutions on your end. Good. It's worth thinking very carefully about raising the barrier for --devmode
[19:45] zyga, please do keep me in the loop -- I'm happy to talk about it
[19:45] balloons: note that before there were also read-only locations
[19:45] balloons: devmode never affected that
[19:52] stokachu: FYI, yakkety uses 'series 16' so it shares the same snap and snapd as xenial, in fact they are exactly the same and share the same core snap which contains snapd and snap-confine (so while we might want to do something special in xenial only the design of snap makes it really tricky). I'm looking at a solution that will fix it everywhere (including on all the other supported distributions)
[19:52] k thanks
[19:57] ogra_: ping
[19:57] zyga, moop
[20:18] Ok... so I built a snap... put it in the store, and published. How do I find it?
[20:18] How do I install it?
[20:18] snap find returns nothing, even after logging into the store
[20:19] bladernr: How did you upload?
[20:19] uhhh... snapcraft upload
[20:20] https://myapps.developer.ubuntu.com/dev/click-apps/
[20:20] http://snapcraft.io/docs/build-snaps/publish following this
[20:21] Oh wait... why is it listed as a click app?
[20:21] bladernr: So, at myapps, you see your app? If you click on a release, do you see "Status: Published" and "Channels: ...Stable" and "Supported releases: 16"?
[20:21] https://myapps.developer.ubuntu.com/dev/click-apps/5728/rev/1/ or do both click apps and snaps go into the click-apps dir
[20:21] bladernr: did you publish it into the stable channel
[20:22] it is now
[20:23] I thought I did that before, but it's targeted to all
[20:23] ahhh, ok. there she be
[20:26] so I have a snap in the edge channel, but when I go to install it
[20:26] error: cannot perform the following tasks:
[20:26] - Download snap "charm" (1) from channel "edge" (received an unexpected http response code (401) when trying to download https://public.apps.ubuntu.com/download-snap/2Rryoc2ylScfbFl4eQtpntHD9iuZuMvt_1.snap)
[20:26] I get a 401? the item is public and published
[20:29] had to log into the store, that error is super unhelpful
[20:30] 4nn is a client-side error, asserted from the server. Doesn't sound like your package is the problem.
[20:31] marcoceppi: Oh, did it work then?
[20:32] qengho: yes
[20:32] $ ubuntu-bug snapd #file a bug report!
=== mup_ is now known as mup
[20:50] stokachu: I talked to jdstrand and we have a plan for the fix that can be rolled out quickly; I'm working on the fix now
[20:50] balloons: ^^
[20:51] zyga, ty!
[20:53] I've got a problem with temp directories in Python not being created? within a snap
[20:54] http://paste.ubuntu.com/23062754/
[20:54] marcoceppi: can you report a bug with some more details (tracebacks, denials, etc)
[20:54] I wonder if this is just an issue with git in snaps? has anyone had any problems with that?
[20:55] marcoceppi: remember that /tmp is a fresh tmpfs when you start a snap application
[20:55] zyga: where do aarmor messages pop up?
[20:55] zyga: sure, which is fine(?) or should be for this
[20:55] marcoceppi: I think so
[20:55] marcoceppi: try journalctl -f
[20:56] marcoceppi: and run your app again
[20:56] marcoceppi: FYI: http://www.zygoon.pl/2016/08/snap-execution-environment.html (and grep for /tmp)
[20:56] marcoceppi: nothing new but perhaps you'll get an idea why it failed
[20:57] zyga: so I'm getting a denial, but for /etc/apt/apt.conf.d which is for an apt look up, but it shouldn't affect this git clone attempt
[20:58] I agree
[20:59] zyga: per process? so if I run a command, /snap/bin/charm create, for example, which then has a few subprocess calls, one being git clone to /tmp - does that mean that subsequent subprocess calls or file operations during the execution of /snap/bin/charm would get fresh tmp? or is it per invocation of /snap/bin/charm ?
[20:59] marcoceppi: yes, per process
[21:00] marcoceppi: ah, not per process
[21:00] marcoceppi: per top-level snap application
[21:00] cool, so that should be fine
[21:00] (process)
[21:00] it is per invocation of /snap/bin/charm
[21:01] so, maybe it's really git that's failing, it seems to complain about /usr/share/git-core/templates even though that's in the prime
[21:07] when do they get cleaned up?
[21:10] marcoceppi: is it reading it from /snap/$SNAP_NAME/current/usr/share/git-core/templates or from /usr/share/git-core/templates
[21:10] marcoceppi: the prime directory is not the root filesystem
[21:11] marcoceppi: if it opens /usr/share/git-core/templates those are not going to be there
[21:11] zyga: well, considering aa hasn't yelled at me, I assume it's from $SNAP
[21:11] jdstrand: ^^ another thing we could actually map with the quirk code
[21:11] marcoceppi: I doubt it is from $SNAP
[21:11] marcoceppi: unless git is configured to do so in some way
[21:12] zyga: well, isn't it all chrooted?
[21:12] git is installed in my snap, etc
[21:12] /snap/charm/current/usr/share/git-core/templates exists
[21:12] marcoceppi: not the way you think IMHO
[21:12] marcoceppi: please read my blog post (the one I linked to)
[21:16] PR snapd#1322 closed: daemon, overlord/auth: refactor auth in preparation for other credential types
[21:19] okay
[21:19] so how do I troubleshoot this
[21:20] because aa isn't complaining, the software isn't working, and I'm left without a real clear way to poke things
[21:21] marcoceppi: I bet that what I said above is true, if git can be configured in some way then as a trick, use --prefix of /snap/$SNAP_NAME/current/usr and then use organize so that the prime directory has just the final /usr directory in the snap
[21:21] so, the snap has the /usr directory it needs already in there, what you seem to suggest is that I will have to compile git from source to get this to work?
[21:25] zyga: i don't think i can advocate you as a DM
[21:36] mwhudson: that's okay, thanks
[21:37] marcoceppi: yes
[21:38] well, that's really unfortunate.
[21:43] this seems ridiculous that I have to compile git to get it to work in my snap
[21:43] I'm not a git expert, I just depend on the damn thing, and my stabs at getting it to compile have failed thus far
[21:46] zyga: interesting
[22:36] stokachu: i have a patch that fixes it locally (I didn't try with lxd yet but /var/lib/lxd is now writable in devmode and shows my real hostfs /var/lib/lxd)
[23:57] balloons, stokachu: https://bugs.launchpad.net/snap-confine/+bug/1613845 is now fixed
[23:57] Bug #1613845: Juju snap can no longer interact with LXD in devmode
[23:57] I will work on the SRU process tomorrow
[23:57] good night :)