[00:26] PR snapd#1860 opened: misc fixes/tweaks/cleanups [00:56] kyrofa: Nextcloud 9 feels like it came out 7 years ago! [00:57] kyrofa: in any case, your first ownCloud snap was a really cool proof-of-concept, the Nextcloud snap that got SSL support is amazing, and being able to say "Huh, wonder how this is looking now," run "snap install nextcloud" on my laptop, play with it, then delete the snap and not have 200 server packages installed and running is just amazing! [00:58] kyrofa: but I'm glad Nextcloud embraced it (despite constantly saying they're not packaging Nextcloud for distros) and I'm looking forward to migrating my cloud server to the snap. :) [00:59] Also, I tried to snappify the client but failed because of some missing directory and don't have the knowledge to proceed, but for a while it looked promising, hehe. [02:16] what's the best python standard library for dealing with --opts ? [02:37] PR snapd#1855 closed: overlord/boot: have firstboot support assertion files with multiple assertions [02:40] sabdfl argparse is in stdlib https://docs.python.org/3/library/argparse.html [02:41] so no extras needed [02:41] thanks sergiusens, i've so far just copied docopt into my snap, is that considered a bad option? [02:41] i can easily fall back to argparse [02:42] sabdfl docopts is great for simple CLIs, it has gotten out of control for snapcraft and its ever growing options [02:42] i can believe that [02:42] my cli is super simle so i will stick to it for a quick fix [02:43] sabdfl for snapcraft itself I've been pondering on click http://click.pocoo.org/5/why/ ; played with it a bit and felt like a good match [02:44] yeah, docopt solve the simple cli's just great [02:44] it get's tricky when adding too many differing subcommands [02:45] i bet [03:22] nhaines, yeah, I've got the client snapped but I [03:22] nhaines, I'm waiting to publish for indicators to work [03:22] (indicators in snaps are broken right now) [03:25] kgunn, indeed, that's the current state of the art as far as I know, but I've lost track of a bit of the most recent snapcraft features-- it may have gotten better there recently === King_InuYasha is now known as Son_Goku === Son_Goku is now known as Conan_Kudo === Conan_Kudo is now known as Sir_Gallantmon === Sir_Gallantmon is now known as Son_Goku === chihchun_afk is now known as chihchun === vigo is now known as vigo|afk [06:14] PR snapd#1861 opened: tests: fixes to actually run the spread tests inside autopkgtest [07:59] ogra_: small bugreport around classic, it seems like running it twice gives a ugly message that dev/pts is already mounted [07:59] PR snapd#1862 opened: tests: add tests for the classic dimension [08:00] mvo, hmm, weird, shouldnt systemd unmount it ? [08:01] zyga: ping === chihchun is now known as chihchun_afk [08:07] ogra_: it seems not [08:07] mvo: can we already do sth like a factory-reset these days? [08:15] morphis: well, sort of, but you need to be careful [08:15] morphis: do you need a script to do that? how far do you want to go? reset everything ? including kernel/os and remove all data ? [08:16] ogra_: I have not really investigated, more important stuff is still going on, its just cosmetic but I noticed while writing automatic tests for classic [08:16] morphis, can you bring that up in the filesystem layout thread i started on the ML, we will need a partiton that holds the original snaps for this i think [08:17] ogra_: can do that [08:17] thanks [08:17] mvo: thanks, was just wondering [08:18] morphis: so essentially if you keep the stuff that firstboot puts on the image you can wipe everything else [08:21] mvo: ok, I think tim already has something for this in place with his recovery work, but was more thinking about what we're offering for other devices [08:21] morphis: this is probably something for the next sprint, we need a more generalized solution. [08:21] ok [08:32] ogra_: so I debugged why firstboot fails with ubuntu-image. it puts the grub.cfg into a different place than before. i.e. /boot/efi/EFI/ubuntu/grub.cfg (now) vs /boot/efi/EFI/ubuntu/grub/grub.cfg (before). there is a bind mount in the initramfs that assumes the grub/ location, do you know more aobut this change? I can update the initramfs code to use the other location I think, I'm just a bit puzzled [08:36] mvo, that was james code, not really sure why its there ... drop it and lets have some test images ? [08:37] (thats was also in system-ab times) [08:38] ogra_: http://paste.ubuntu.com/23144982/ [08:38] ogra_: its stuff we still need. well, we could avoid the entire bind mount [08:38] ogra_: but that would require changes in the snapd code too, maybe not unreasonable but a bit late [08:40] ogra_: if the debdiff looks correct I will upload and hopefully this unblocks u-i [08:40] u-i generated images [08:43] mvo, looks fine [08:44] PR snapd#1863 opened: image: have prepare-image set devmode correctly [09:18] PR snapd#1863 closed: image: have prepare-image set devmode correctly [09:26] pstolowski: hey! any leads on bug #1620560? (reminder that we need a fix to demo to consumer next week the revert functionality ;)) [09:26] Bug #1620560: Revert command doesn't reset the right apparmor profile

[09:28] sergiusens, when you're around, http://paste.ubuntu.com/23145076/ [09:29] didrocks, you're demo'ing a snap in devmode? [09:32] sergiusens, the issue there more than anything else is the '401 None' and not-too-helpful error message [09:32] sergiusens, dholbach knows more [09:33] Chipaca: has to, the interfaces fixes are in trunk, (and one not done) [09:34] Chipaca: if you have any other way around, I'll gladly take it :) [09:37] didrocks, i've discussed the fix with Chipaca, looks simple, just did it and about to build and test [09:41] pstolowski: excellent! you think it's going to be in this week's release? [09:41] in which context is executed the post-stop-command? [09:42] do I have access to /usr/bin and /bin ? (for instance : ps/awk/grep/kill) [09:43] I compile my go project on my raspberry pi 3, and when I run it on the pi 3 device, I get "runtime: this CPU has no floating point hardware, so it cannot run this GOARM=6 binary. Recompile using GOARM=5." it is a golang project. how to correct this problem. it works well on pi 2 device. thanks [09:43] didrocks, I should have MP ready today, what happens next is not in my hands, but I'll make sure everyone knows it's important [09:45] mvo: FYI ^ [09:45] thanks pstolowski [09:45] how to configure go to compile my go project using GOARM=5. currently on my board, the version of snapcraft is 2.15.1 === hikiko is now known as hikiko|ln [09:56] didrocks: if its straightforward, happy to make sure its in, thank you [09:56] kyrofa: Hmm, indicators seemed to mostly work in the Telegram snap, but I haven't used that for a while because it was always out of date, too. In any case, I'm glad you're working on that, too. It will be good to get Nextcloud-branded stuff into Ubuntu 16.04 LTS. [10:00] ysionneau, in the same context as everything else in the snap [10:03] ysionneau, try "snap run --shell yoursnap" and then you can dig around yourself [10:04] mvo, whats with all these .moved files i always see in bzr branches after you touched them ? do you have some special bzr setup that keeps backups this way ? [10:07] ogra_: eh, no idea, what files are those? [10:07] ogra@anubis:~/datengrab/devel/branches/snappy-systems/dragonboard$ ls -lh|grep moved [10:07] lrwxrwxrwx 1 ogra ogra 9 Sep 6 16:30 uboot.conf.moved -> uboot.env [10:07] -rw-rw-r-- 1 ogra ogra 128K Sep 6 16:30 uboot.env.moved [10:07] ogra@anubis:~/datengrab/devel/branches/snappy-systems/dragonboard$ [10:07] before there also was a pi2.moved that i recently deleted [10:08] i only notice them showing up after you touched the branch ... [10:10] hmm, funnily this time the files dont show up in the LP UI ... the pi2.moved one did [10:30] Chipaca: thanks, how can I find the snap name syntax? i've tried the name in the 1st column of "snap list" and it does not work, I guess I need to append/prepend something === hikiko|ln is now known as hikiko [10:50] ogra_, when I try to run "sudo classic.create" on pi 3, it gives me the error like "runtime: this CPU has no floating point hardware, so it cannot run this GOARM=6 binary. Recompile using GOARM=5." how to correct this problem? thanks [10:53] liuxg, no idea ... thats definitely not related to classic ... classic is a shellscript [10:54] (and classic.create is long gone ... "sudo classic" is all you need) [10:54] ogra_, but I need to run classic.create first, then I run then sudo classic, right? I got this from one your email replies. [10:55] nope [10:55] just sudo classic [10:55] the creation is automatic nowadays [10:55] ogra_, but the "classic classic.create classic.reset" all 3 commands are there.. [10:55] where did you get that classic snap from ? [10:55] you need --devmode --edge [10:56] ogra_, http://paste.ubuntu.com/23145383/, this is what happens here. [10:56] * mwhudson blinks [10:57] pretty sure the pi3 has a FPU :-) [10:57] liuxg, well, no idea what that is ,... there is no go in classic [10:57] ogra_, yes, that is exactly what I got here http://paste.ubuntu.com/23145387/ [10:57] liuxg, --beta != --edge [10:58] ogra_, sorry, I might get wrong. I will try the edge one. [10:58] hmm, trhough looking at the store beta and edge are the same [10:58] liuxg, ogra_: fwiw, go is looking at the AT_HWCAP auxv entry wrt that message [10:59] ogra_, mwhudson, for pi 2, it works well for the "--beta" channel. [10:59] mwhudson, the tty prob is mainly that even if you have it print the issue file, it will not clear the screen and the line will appear somewhere in the middle of the boot messages that are still in the terminal [10:59] ogra_: ah [11:00] we need to find out how to clear the screen i think [11:00] (which is hard ... but i know there are serial apps that can do it) [11:00] ogra_: agetty claims to do it by default :/ [11:01] ogra_, I tried to change to use "edge" channel, and it is the same thing for me http://paste.ubuntu.com/23145394/ [11:01] i guess putting 24 newlines in the issue file would not be considered elegant [11:01] liuxg, yes, as i said, checking the store revealed they are the same [11:03] mwhudson, and pointless if your terminal window is bigger (like mine) [11:04] ogra_: 1 million newlines? [11:04] PR snapd#1864 opened: Apply flags (devmode) on revert [11:04] * mwhudson should just go to bed [11:04] that might work ... even on hidpi displays :P [11:05] i guess it would be a bit of a waste of precious storage space in the embedded case [11:05] * mwhudson zzz [11:05] adding a loop that counts from 1 to 1mio ? nah [11:06] and given how long it takes for python to come up it would also not siginificantly slow it down on arm :P [11:14] PR snapd#1860 closed: overlord/snapstate: misc fixes/tweaks/cleanups [11:27] slangasek, so i fixed the sizes in the dragonboard gadget yaml ... using -w ./workdir to keep the content i see part0-part7.img files under .images/ in there ... all at the right size ... but looking at the resulting image there is only one partition, so i suspect however you invoke sgdisk doesnt do the right thing [11:32] PR snapd#1852 closed: asserts: update trusted account-key asserts with names [11:42] ogra_, elopio, have you tried a usb eth adaptor with the Dragonboard, does that work for console-conf? [11:43] JamieBennett, nope, havent tried that yet ... i guess it depends if you have one that is supported by the mainline kernel without extra firmware [11:47] JamieBennett, there is a console-conf that supports wlan setup from mwhudson that i havent found the time to try yet ... [11:49] ogra_, OK, I don't think it is too much of an issue [11:51] JamieBennett, well, apart from the fact that you cant create a user, yeah [11:52] (no wifi support in console-conf ... no wired nic) [11:52] ogra_, I bet that is possible with USB eth but yes, if is an issue but not for our RTM image [11:53] if you have a supported USB eth key, yes ... else the image is completely unusable since you cant have a user to log in [11:53] * JamieBennett nods [11:55] but all of this is moot ... we dont have a booting image at all yet [11:56] mvo, gave me one that was created with a hacked up u-d-f that doesnt boot ... and the one i'm trying to create with ubuntu-image ends up with only one partition [11:57] I saw Leo had something booting this morning, was that a different image? [11:58] no idea what leo had [11:58] all i got is unbootable stuff [12:03] hmpf ... and for some reason ubuntu-image doesnt pull the latest gadget [12:03] ah, now it does [12:17] slangasek, hmm, i dont see any sgdisk call in ubuntu-image that would set the alignment ... the dragonboard needs an alignem,nt of 1 byte ... (i.e. the -a 1 option) if i remember that right ... http://bazaar.launchpad.net/~ogra/+junk/dragonboard/view/head:/partitioner.sh and http://bazaar.launchpad.net/~ogra/+junk/dragonboard/view/head:/parts.txt create a properly working GPT [12:17] where's the "plugs" docs? I'm looking at https://developer.ubuntu.com/en/snappy/build-apps/snapcraft-syntax/ [12:23] jgdx, http://snapcraft.io/docs/core/interfaces [12:24] whee ! [12:24] Number Start (sector) End (sector) Size Code Name [12:24] 1 2048 4095 1024.0 KiB FFFF sbl1 [12:24] 2 4096 6143 1024.0 KiB FFFF rpm [12:24] 3 6144 8191 1024.0 KiB FFFF tz [12:24] 4 8192 10239 1024.0 KiB FFFF hyp [12:24] 5 10240 7812466 3.7 GiB FFFF sec [12:24] getting better :) [12:24] nice [12:24] (far from ggood but i end up with more than one partition) [12:24] JamieBennett, sorry, more specifically, the plugs snapcraft.yml syntax docs [12:24] hey, its progress ;) [12:24] JamieBennett, and thanks! [12:24] yeah :) [12:25] but i still think the way u-image calls sgdisk is completely wrong [12:25] jgdx, you mean the available interfaces i.e. plug and slots available to snapcraft? [12:26] jgdx, that would be the interfaces that snapd exposes so in the snapd docs at `http://snapcraft.io/docs/reference/interfaces [12:27] JamieBennett, right. Thanks [12:27] jgdx, np [12:28] JamieBennett, to insert one into the snapcraft.yml I guess I'll use http://pastebin.ubuntu.com/23145601/ ? [12:30] jgdx, There are lots of examples in the playpen, let me pick one with plugs for you [12:31] jgdx, https://github.com/ubuntu/snappy-playpen/blob/master/hexchat/snapcraft.yaml [12:34] JamieBennett, cool, I'll look through those as well. Thank you [12:41] PR snapd#1864 closed: overlord/snapstate: apply flags (devmode) on revert [12:45] guys can we set source field in snapcraft file a launchpad branch ?? === bull_ is now known as bulldog [12:48] can we set bzr branch as source in snapcraft ?? [13:16] SUCCESS !!! (nearly ... one little glitch left) [13:16] * ogra_ is looking at console-conf on an ubuntu-image built dragonboard image [13:17] sadly no wlan config ... so i cant really test it ... [13:17] * ogra_ tries to find an USB NIC [13:20] ogra_, I am seeing this error when executing apps in RPi3, I think caused by upgrading ubuntu-core today: [13:21] runtime: this CPU has no floating point hardware, so it cannot run [13:21] this GOARM=6 binary. Recompile using GOARM=5. [13:21] ogra_, any idea why is this? afaik rpi3 has vfp unit [13:21] abeato_, hmm, liuxg reported the same above ... weird [13:21] abeato_, sounds like an issue with snapd ? [13:21] mvo, ^^^^ any idea ? [13:21] ogra_, probably, snapd is running though [13:22] did you guys switch tio a newer go or some such ? [13:22] ogra_: uh [13:22] abeato_, where diod you get that image ? [13:22] ogra_, your image, refreshed [13:22] (we dont really have any working pi3 image atm ... its all in flux this week) [13:23] ooooh, i'm so happy ! [13:23] ogra@localhost:~$ uname -a [13:23] Linux localhost.localdomain 4.4.0-1024-snapdragon #27-Ubuntu SMP Fri Aug 12 11:45:29 UTC 2016 aarch64 aarch64 aarch64 GNU/Linux [13:23] ogra@localhost:~$ snap list [13:23] Name Version Rev Developer Notes [13:23] dragonboard 16.04-0.15 18 canonical - [13:23] dragonboard-kernel 4.4.0-1024-2 8 canonical - [13:23] ubuntu-core 16.04.1 511 canonical - [13:24] ogra@localhost:~$ [13:24] JamieBennett, ^^^ getting there ;) [13:24] :) [13:24] (but needed an USB NIC indeed) [13:28] ogra_, i need help [13:29] plz check this snpcraft http://paste.ubuntu.com/23145789/ [13:30] ogra_, abeato_ yes, exactly, I do not know how to resolve the problem. [13:34] JamieBennett: who is building snapweb snaps currently? I get "runtime: this CPU has no floating point hardware, so it cannot run [13:34] this GOARM=6 binary. Recompile using GOARM=5." [13:34] JamieBennett: when I try to run it [13:35] when ubuntu is upstream, what's the best way to manage the code so that it can be built as both deb and snap? [13:35] mvo, did Steve used to get you to do them? [13:36] JamieBennett: he did but I think I did not do the latest, I figure it out, no worries [13:37] mvo, we have justinmcp_ working on it now but I do not believe he has built the project or made any changes yet [13:43] So I have a snap that is in the store and says it is published on the edge channel, but it seems my local snapd can't install it. [13:43] I tried refreshing the login. [13:43] ogra_, mvo, liuxg found a way to workaround the issue: [13:43] Not sure where to go next. [13:43] sudo snap revert ubuntu-core [13:43] sudo snap remove [13:43] sudo snap install [13:44] the interesting thing is that I found that when I was seeing the error I saw links in /snap/bin like [13:44] lrwxrwxrwx 1 root root 13 Sep 7 13:04 command -> /usr/bin/snap [13:44] and now I get the usual script defining all $SNAP env [13:45] it looks like something goes wrong when installing with latest snap command? [13:49] Chipaca dholbach we have plenty of bugs for this, the store only recently started to support finer grained messages which we need to support [13:49] ok, I see [13:50] cjwatson: we get errors for some snaps like "runtime: this CPU has no floating point hardware, so it cannot run [13:50] this GOARM=6 binary. Recompile using GOARM=5." has anything changed in LP recently when auto-building snaps? [13:53] mvo: https://lists.ubuntu.com/archives/ubuntu-devel/2016-July/039458.html would be the most obvious recent change [13:54] mvo, cjwatson I do not think it is auto-building, it happens with my locally built snap [13:54] abeato_: oh, hm [13:55] in my case the issue was triggered -I think- when ubuntu-core snap refreshed [13:55] it is an error on installation [13:55] weird links appear in /snap/bin instead of the usual scripts [13:56] mvo: maybe it's failing to read hwcap properly? [13:56] abeato_: the links are ok, that is a planned change [13:56] hm.. but those just point to /usr/bin/snap [13:57] abeato_: yeah, `snap run hello-world` is the equivalent to /snap/bin/hello-world -> /usr/bin/snapd [13:57] got it [13:57] cjwatson: hm, could be [13:57] abeato_: but it could still be releated to that change [14:00] PR snapd#1865 opened: overlord/devicestate: POC to parametrise serial-request content/sending [14:06] cjwatson: yeah, it looks like the hwcap set lacks HWCAP_VFP when it is running inside the confinement [14:10] missing apparmor access to /proc/self/auxv or something maybe? [14:10] (not sure if that makes sense) [14:10] cjwatson: it sounds very plausible, let me try [14:13] JamieBennett, http://people.canonical.com/~ogra/snappy/all-snaps/all-snaps-dragonboard.img.xz in case you want to test [14:13] ogra_, my dragonboard is with iftika now [14:14] jdstrand: help, we have a bit of a showstopper on the pi2 image: snap run snapweb [14:14] runtime: this CPU has no floating point hardware, so it cannot run [14:14] this GOARM=6 binary. Recompile using GOARM=5. [14:15] jdstrand: however - apparmor_parser -R /etc/apparmor.d/usr.lib.snapd.snap-confine [14:15] jdstrand: and its all working [14:15] JamieBennett, excuses :P [14:15] jdstrand: I see no denials in the logs [14:15] jdstrand: I tried the suggestion from cjwatson to make /proc/self/auxv readable that seems to not have cut it :/ [14:16] JamieBennett: -^ pi2 showstopper [14:18] hello, i am working on pack a qml to be snap. I need add liboxideqtcore0 in stage-packages to support webview in qml. but my snap will exit since /snap/.../oxide-qt/chrome-sandbox is not owned by root but normal user same as my host. how i can install it with root? [14:19] slangasek, so i have everything working with the dragonboard using ubuntu-image, but the partitioning is pretty wasteful, for the next release we should go over how sgdisk is used in ubuntu-image and see if we can not make that more elegant [14:22] hey folks, has anybody tried the rocketchat-server snap? I installed it and get a 404 when going to http://localhost:3000, sure I'm doing something wrong but there aren't many knobs to tweak [14:23] mvo: this sounds familiar... tyhicks, does that ring a bell? ^ [14:24] mvo: did you disable rate limiting? [14:24] mvo: sudo sysctl -w kernel.printk_ratelimit=0 [14:26] mvo: can you show me the rule you added? [14:27] jdstrand: I added /proc/self/auxv r, [14:27] mvo: this is the rule you want: @{PROC}/@{pid}/auxv r, [14:28] mvo: /proc/self is a symlink [14:28] tyhicks: if it doesn't ring a bell, that is fine [14:29] I think we saw this with java... [14:29] jdstrand: http://paste.ubuntu.com/23146014/ - not quite it seems [14:29] mvo: is this for wnapweb or snap-confine? [14:29] jdstrand: all golang apps it seems [14:30] nap-web, I like that [14:30] +1 ! [14:30] snap-confine is not golang [14:30] mvo: let's backup [14:30] jdstrand: actually I'm not really sure what is going on [14:30] jdstrand: yeah [14:30] jdstrand: so - since very recently we have this issue that when I run a golang app on the pi2 I get the above error [14:30] mvo: can you do 'sudo sysctl -w kernel.printk_ratelimit=0' [14:30] sergiusens, nap-web but only after snap-confect ! [14:31] jdstrand: I did that when you put it in [14:31] mvo: then, can you tell me if hello-world works [14:31] ok [14:31] jdstrand: eh, when you wrote it some minutes ago [14:31] kyrofa, ping [14:31] jdstrand: http://paste.ubuntu.com/23146021/ [14:32] jdstrand: the sequence is now: "snap run" (unconfined) -> "snap-confine" -> snap-exec (golang!) [14:32] mvo: ok. so, snap run is not confined [14:32] jdstrand: hmm... that doesn't ring any bells for me [14:32] mvo: isn't snap run also golang? [14:32] jdstrand: so it might be that this is a bug we had for a longer time but now because we use snap-exec (golang) to actually launch its manifesting itself more [14:32] jdstrand: it is, snap run is golang but unconfined [14:32] jdstrand: and the snap-exec step is then confined [14:33] mvo: can you paste syslog? [14:33] jdstrand: http://paste.ubuntu.com/23146025/ is strace [14:33] ok, so it is snap-exec [14:34] shuduo, pong [14:34] oh I think I remember what this is [14:34] I think there is an env var that is getting stripped out [14:34] hello kyrofa, i am working on pack a qml to be snap. I need add liboxideqtcore0 in stage-packages to support webview in qml. but my snap will exit since /snap/.../oxide-qt/chrome-sandbox is not owned by root but normal user same as my host. how i can install it with root? [14:34] mvo: can you paste me the updated snap-confine profile? [14:35] jdstrand: http://paste.ubuntu.com/23146034/ [14:35] shuduo, jdstrand might have some suggestions for working with that sandbox. I suspect it will be to disable it [14:35] hey [14:35] anything I can help with? [14:35] shuduo, and use snappy's instead [14:35] jdstrand, mvo: anything at all? [14:36] kyrofa, shuduo: morphis just brought this up in another channel [14:36] shuduo: are you part of an email thread on that? [14:37] jdstrand: I don't know exactly when the env var would be getting stripped out but I should you remind you that the non-secureexec change_profile syntax was backported to xenial - let me know if/when you want details on that [14:37] jdstrand: hi, i don't think i'm in th thread since I just search my email and lp to look for if someone meet this issue [14:37] jdstrand: does that mean no solution right now? [14:37] shuduo: the short answer is that you need to disable using the setuid sandbox [14:38] (the non-secureexec change_profile syntax is bug 1584069) [14:38] Bug #1584069: change_profile rules need a modifier to allow non-secureexec transitions

[14:38] shuduo: I'm not sure how to do that in oxide. chrisccoulson, is there an env var to set? [14:38] jdstrand: hmm, how? sorry i don't have many knowledge here. [14:39] shuduo: chrisccoulson should be able to say [14:40] jdstrand, OXIDE_NO_SANDBOX=1, but this shouldn't be used by production code (and environment variables aren't considered to be part of the stable API either - they're only really there for testing purposes) [14:41] mvo: can you get the apparmor for xenial-proposed, then do: 's/change_profile/change_profile unsafe/' in snap-confine's profile? [14:41] mvo: that is to test my hypothesis about it being a stripped variable [14:42] mvo: I'm not sure that is the fix though [14:42] jdstrand: so a new apparmor? from xenial-proposed? sure [14:42] mvo: 2.10.95-0ubuntu2.2 in xenial-proposed [14:43] chrisccoulson: so will "command: OXIDE_NO_SANDBOX=1 desktop-launch $SNAP/usr/lib/*/qt5/bin/qmlscene $SNAP/Main.qml" work? [14:43] jdstrand, mvo: please ensure that the patch ends up in snap-confine master too [14:44] chrisccoulson: so, the problem is that we can't safely support the setuid sandbox due to the issues you already know about [14:44] chrisccoulson: ie, all the capabilities, etc [14:44] shuduo, yes, although it means you get no renderer sandbox [14:44] chrisccoulson, shuduo: but the application is already sandboxed [14:44] via snappy [14:45] electron apps for example don't use the renderer sandbox [14:46] jdstrand: this is actually a bit tricky, this is on an all-snap image on the pi2, so installing a snap is tricky, but I can unpack the deb and scp it [14:46] I don't think oxide apps should either while we are in the state we are in wrt snappy policy and oxide sandboxing [14:46] chrisccoulson: sorry what means "get no rendere sandbox"? i need webview to draw a webpage with webgl objects... [14:46] shuduo: it will work. he is saying this disables an internal sandboxing technique [14:47] jdstrand: great. my snap is for demo purpose only. :) [14:47] shuduo: I'm not sure where in the 'command' line you should put the env var, but so long as it is set, oxide should work in strict mode [14:48] mvo: I suspect you will need libapparmor and apparmor [14:49] mvo, jdstrand: you don't need apparmor from -proposed [14:49] actually, yes, I was just going to say that [14:49] this was in 2.2 which is in updates now [14:49] mvo, jdstrand: 2.10.95-0ubuntu2.2 from -updates is good enough [14:49] ok [14:49] * jdstrand was confused by the bug being Fix Committed still [14:49] dpm: hey is this still the only/preferred way to pick arch in snaps [14:49] http://pastebin.ubuntu.com/23146088/ [14:50] mvo: right, so, skip getting a new apparmor and just add 'unsafe' as I described [14:51] * jdstrand is also wondering why there isn't a 'snap-exec' rule in the snap-confine policy. is it just forked and not execd? [14:51] jdstrand: its execed [14:51] (not sure why the bug status didn't update automatically - I've fixed it) [14:52] I have to look at how snap-exec is doing its thing again, clearly [14:52] jdstrand: AppArmor parser error for /tmp/usr.lib.snapd.snap-confine in /tmp/usr.lib.snapd.snap-confine at line 60: Exec condition is required when unsafe or safe keywords are present [14:52] jdstrand: am I doing something wrong? [14:52] kgunn, it's still the only way afaik, yes [14:53] cool [14:55] mvo, jdstrand: you want 's/change_profile/change_profile unsafe \/**/' [14:55] mvo: can I help in any way? [14:55] mvo: perhaps not. I think use 'change_profile unsafe /** -> ...' [14:55] tyhicks: is /** needed with the change_profile rule? [14:55] jdstrand: \o/ works [14:55] zyga: maybe, not yet [14:55] zyga: looks like jdstrand found the right magic [14:55] jdstrand: I guess this is not a permanent solution :) please help me understand what magic you are doing [14:55] mvo: I understand we landed the run/exec branch now [14:55] and this is the fallout? [14:55] tyhicks: yes, we got there. the question I had was if '/**' was needed (and curious why) [14:55] jdstrand, tyhicks: http://paste.ubuntu.com/23146105/ works [14:56]