=== JanC is now known as Guest84922
=== JanC_ is now known as JanC
[07:36] PR snapcraft#868 closed: Parametrize call args for pluginhandler
[13:23] Son_Goku: hey
[13:23] Son_Goku: greetings from bucharest
[13:23] Son_Goku: how's stuff?
[13:23] you're alive!
[13:23] *\o/*
[13:23] gee, dude, shave ;-)
[13:24] this is the last week of my journey
[13:24] I saw some warnings that snap-confine doesn't build in master
[13:25] Son_Goku: how are you doing?
[13:26] I'm alright
[13:26] I've been getting pings about snapd for Fedora though
[13:26] and you missed me getting the policy working
[13:27] Son_Goku: \o/
[13:27] Son_Goku: wooot, what's next?
[13:27] * zyga hugs Son_Goku :)
[13:27] https://github.com/zyga/snapcore-fedora/pull/10
[13:27] PR zyga/snapcore-fedora#10: Refresh patches for snapd spec
[13:27] first, merge that
[13:27] Son_Goku: I was broken during weekend and partially last week, trying to get some health back
[13:28] checking that out now :)
[13:28] then update https://bugzilla.redhat.com/show_bug.cgi?id=1367825 with a new spec
[13:28] and SRPM
[13:28] yep, with pleasure!
[13:29] and since the service files have changed a bit, check to be sure if additional services need to be requested for the preset: https://bugzilla.redhat.com/show_bug.cgi?id=1367932
[13:29] Son_Goku: yeah, I was just thinking about that
[13:29] I think snapd.autoimport.service needs to be enabled as well
[13:29] Son_Goku: no, not really, it's just for core AFAIK
[13:29] Son_Goku: I need to check with mvo when he's here today but I don't think we need it
[13:29] well. think :)
[13:30] Did you get it to work all the way?
[13:30] with snaps installing and stuff?
[13:30] `+2.8.4 (Apple Git-73)
[13:30] well, I need to retest on a fresh VM to be certain, but yes
[13:30] was that you or me? :)
[13:30] https://github.com/snapcore/snapd/blob/master/debian/rules#L66
[13:30] that's amazing :)
[13:31] that's where I checked to see the services that should be enabled
[13:31] yeah, I know we run them everywhere
[13:31] but I think this was just us hurrying with image readiness
[13:31] I'll double check with mvo
[13:31] ah
[13:31] I'd rather not enable that service unless we have to
[13:31] right
[13:31] if it's not necessary, then leave it be
[13:32] I've already updated the patches to have new versions of the services :)
[13:34] O.o
[13:34] ffs
[13:34] the store doesn't work now!
[13:34] because it uses port 53
[13:34] nowhere was that documented :(
[13:34] Son_Goku: what's the .foo syntax in %patchN
=== pedronis` is now known as pedronis
[13:35] what?!?
[13:35] zyga, if the patch fails, the buildroot maintains a backup copy of the original with that prefix
[13:35] port 53?
[13:35] ah, nice
[13:35] makes it easier for rediffing
[13:35] wtf is it using port 53 for?!
[13:36] Son_Goku: DNS?
[13:36] Son_Goku: can you point me to some code that does this?
[13:36] I just tried to do "sudo snap install hello"
[13:36] try it in a Fedora VM with the package and latest stuff
[13:36] ah, I think it is DNS lookup
[13:37] why is snapd doing its own DNS lookup?
[13:37] Son_Goku: probably because it's golang but I'm checking
[13:39] Son_Goku: yes, internal DNS
[13:39] Son_Goku: does that need selinux tweaks?
[13:39] yes
[13:39] are there any other TCP/UDP things that I need to do as well?
[13:41] I don't know of any
[13:41] just https and DNS
[13:42] Son_Goku: as a side comment, working on confinement of any kind makes you re-learn how the stack _really_ works
[13:42] Son_Goku: I find that refreshing
[13:46] Son_Goku: merged
[13:46] I'm working on adding rules for dns and http cache ports
[13:46] I have a feeling it'd be a good idea to add cache ports too
[13:47] Son_Goku: http cache?
[13:47] * zyga is starving, had u-breakfast only
[13:47] ports like 8080, etc.
[13:48] often used by proxies and stuff
[13:48] ah, I understand
[13:48] sure
[13:51] Son_Goku: ok, we don't want autoimport
[13:51] Son_Goku: I'll rip it out (both the service and udev)
[13:51] okay
[13:51] Son_Goku: this means the approvals are okay now
[13:51] just don't install the files, but leave the patches alone
[13:51] Son_Goku: I'll do this and redo the SRPM :)
[13:51] OK
[13:51] what are they used for, btw?
[13:52] they are used to claim a headless device
[13:52] plug a drive with stuff you made elsewhere
[13:52] ah
[13:52] useless then
[13:52] it sucks assertions
[13:52] yes
[13:52] and "acks" them
[13:52] but yeah, leave the patch alone
[13:52] (imports and checks signatures and cross-signatures and stuff)
[13:52] as it can eventually be applied to snapd once the debian packaging is gutted from the package
[13:53] technically, it could be applied now, as it doesn't conflict
[13:53] but... meh
[13:57] Son_Goku: pushed a small patch, please look at it
[13:59] Son_Goku: this week I'll try to merge snap-confine into snapd and we _may_ finally get dist tarballs
[14:00] neh
[14:00] not particularly enthused about that *shrugs*
[14:00] well, it will simplify a lot though
[14:00] one package
[14:01] at least from my point of view, not really
[14:01] if we really wanted to build everything as one thing, we could have, since rpmspec supports multiple sources
[14:02] technically, so does dsc built debian packages
[14:02] Son_Goku: yeah, that's true, this is more of an upstream change though, it will make changes easier
[14:02] close coupling between the two packages
[14:08] zyga, you know, I'm surprised you guys don't just use systemd presets in the packaging of snapd for Debian/Ubuntu
[14:08] it makes things a lot simpler
[14:08] then you don't even *need* dh-systemd to do much
[14:09] Son_Goku: I suspect because those are not used in debian but I don't know
[14:10] Son_Goku: the first time I even realized this feature existed was when I started working with fedora
[14:11] Son_Goku: I'm building everything locally for testing
[14:11] Son_Goku: I'll do a small release of snap-confine to fix some issues and integrate patches with packaging, probably 1.0.44.1
[14:11] Son_Goku: but only after this works :)
[14:11] Son_Goku: I think we should do f24+ only for now
[14:11] Son_Goku: until 23 is resolved
[14:12] Son_Goku: right now I think I broke 23 because of older libc (trivial patch already merged into master)
[14:13] Son_Goku: and we need to update something (still unsure what) to get store interaction to work
[14:13] well, Fedora 23 is EOL in December
[14:13] Son_Goku: but again, I'll focus on 23 when 24+ is done
[14:13] Son_Goku: are there any stats available to know how many users moved to 24 already?
[14:13] * Son_Goku shrugs
[14:13] OK
[14:14] well, I think 23 should be easy-ish
[14:14] fingers crossed :)
[14:16] Son_Goku: what should I say for bodhi type= when there's just a new upstream release?
[14:16] use bugfix as the type unless it's an enhancement
[14:16] Son_Goku: I want to update snap-confine in f24 with the new patches and snap runtime layout
[14:16] or a security fix
[14:16] bugfix
[14:16] use bugfix
[14:16] Son_Goku: is there a bug? I think we can only refer to snapd tracking bug itself (/snap change)
[14:17] bugfix doesn't require a bug
[14:17] Son_Goku: do I need a bug number or will it ignore it?
[14:17] ah, OK
[14:17] it'll ignore it if no bugs are listed
[14:17] Son_Goku: any karma tweaks I should apply?
[14:17] change the positive karma version from 3 to 1
[14:18] thanks, done
[14:18] though I hadn't been pushing snap-confine updates through bodhi because I figured we'd want to ship snap-confine and snapd in the same update
[14:18] https://bodhi.fedoraproject.org/updates/FEDORA-2016-c579dae0b4
[14:19] well, not today :)
[14:19] today I just want both out
[14:20] well, fortunately, we can edit an existing update :)
[14:21] and this is 25
[14:21] https://bodhi.fedoraproject.org/updates/FEDORA-2016-f3b947ec5d
[14:21] * zyga reboots with enforcing policy :)
[14:21] "make selinux enforcing again"
[14:24] I'll bump snap-confine dependency to .44
[14:25] Son_Goku: more selinux denials
[14:26] paź 30 15:25:38 fedora24 setroubleshoot[3400]: SELinux is preventing snapd from read access on the directory /etc/systemd/system. For complete SELinux messages. run sealert -l 3dc56126-a462-4305-8495-d9bb54be3740
[14:26] Son_Goku: can you please include that in the policy?
[14:26] why does it need to read /etc/systemd/system?
[14:26] Son_Goku: you made it :)
[14:26] ah
[14:26] well, sorry
[14:26] my bad :)
[14:26] it needs to because it looks there for systemd units
[14:27] and knows which one to make and which to remove
[14:27] (snap specific units)
[14:27] so it needs read/write access to /etc/systemd/system
[14:27] Son_Goku: correct
[14:27] Son_Goku: one more denial
[14:27] paź 30 15:25:29 fedora24 setroubleshoot[3400]: SELinux is preventing snapd from node_bind access on the tcp_socket port None. For complete SELinux messages. run sealert -l 73e31352-953f-4156-8ab0-7b67ce1db019
[14:28] paź 30 15:25:29 fedora24 python3[3400]: SELinux is preventing snapd from node_bind access on the tcp_socket port None.
[14:28] that's internal golang thing that probes for ipv6
[14:35] Son_Goku: does this look ok? http://paste.ubuntu.com/23402604/
[14:35] that's fine
[14:35] (I switched to ubuntu pastebin as the one on fedora didn't work for some reason)
[14:36] Son_Goku: pushed
[14:36] Son_Goku: if you fix the policy I think we can get this in now :)
[14:36] Son_Goku: can I help you in any way?
[14:39] hmm
[14:39] this is annoying
[14:39] I may have to grant access to unlabeled files because snaps don't have the label applied to them :(
[14:40] Son_Goku: can you be more specific?
[14:40] Son_Goku: snapd doesn't touch (I think) snap files, just systemd units it creates, udev rules it creates and a few other similar things (dbus xml stuff)
[14:40] Son_Goku: can those inherit the label from snapd somehow?
[14:41] not sure
[14:41] I wonder if systemd mounts can be set up to mount with a label?
[14:41] Son_Goku: maybe, let me look
[14:42] Son_Goku: nothing in systemd.mount
[14:42] er, systemd.unit
[14:47] morphis: hey
[14:47] morphis: are you working today?
[14:50] * zyga inspects failures on f26 and ppc64
[14:51] DEBUG util.py:421: Error: nothing provides kernel-headers >= 2.2.1 needed by glibc-headers-2.24.90-13.fc26.ppc64.
[14:51] DEBUG util.py:421: nothing provides kernel-headers >= 2.2.1 needed by glibc-headers-2.24.90-13.fc26.ppc64
[14:51] looks like something that's more general
[14:53] Son_Goku: I'll step outside to have a snack
=== chihchun_afk is now known as chihchun
[16:01] urgh
[16:01] Ubuntu Core does way too much
[17:13] I am trying to figure out how to get the following to happen: ./configure; make world
[17:14] I have configure working just fine
[17:14] and make without world just fine
[17:14] I figured out that if I use the make plugin, I can use a parent make file that can call world
[17:14] but that is outside of the source tree as it is part of the snapcraft build system, not the software I am actually trying to build
[17:47] linuxhiker: Is that "configure" autoconf?
[17:49] linuxhiker: That "world" bit seems weird. Does it have a "install" target?
[17:53] qengho: yes the configure is autoconf (that part works) and in fact the basic build works fine
[17:54] qengho: but "world" is needed to build a secondary part of the source tree that only builds with either "world" or something like make -C contrib/Makefile
[19:24] Son_Goku: hey
[19:24] Son_Goku: so what did you manage to do with the policy?
[19:24] I hate Ubuntu Core
[19:25] I got enough for snapd, but apparently ubuntu-core wants to stick its fingers everywhere
[19:26] Son_Goku: can you be more specific and less dramatic
[19:26] also, is ~/snap a directory created by snapd?
[19:26] indirectly, through snap run or snap-confine
[19:26] zyga, ubuntu-core installs udev rules, etc.
[19:26] (currently both do)
[19:26] okay, so I need to define a snap_home_t
[19:26] Son_Goku: yes, it manages the system
[19:27] * zyga pats Son_Goku on the back
[19:27] you can do it :)
[19:27] * Son_Goku sighs
[19:27] also, apparently something wants to talk to NetworkManager
[19:28] * Son_Goku is tired
[19:29] I'm taking a break from playing whack-a-mole
[19:29] zyga, are there any specific directories I need to know about for the home directory?
[19:32] Son_Goku: no, just ~/snap
=== JanC_ is now known as JanC