[00:35] <mup> PR snapcraft#1043 closed: tests: fix the CLA launchpadlib install in travis <Created by elopio> <Closed by elopio> <https://github.com/snapcore/snapcraft/pull/1043>
[00:38] <mup> PR snapcraft#1043 opened: tests: fix the CLA launchpadlib install in travis <Created by elopio> <https://github.com/snapcore/snapcraft/pull/1043>
[01:10] <snappy_irc> anybody know the localhost login details for ubuntu snap core ?
[01:10] <snappy_irc> I downloaded the ova from here http://cloud-images.ubuntu.com/snappy/devel/core/current/devel-core-amd64-cloud.ova?_ga=1.214375895.1790561723.1484162457
[03:23] <mup> PR snapcraft#1043 closed: tests: fix the CLA launchpadlib install in travis <Created by elopio> <Closed by elopio> <https://github.com/snapcore/snapcraft/pull/1043>
[03:29] <mup> PR snapcraft#1044 opened: tests: use python2 to check the CLA <Created by elopio> <https://github.com/snapcore/snapcraft/pull/1044>
[06:13] <mup> Bug #1655834 opened: Support factory reset <Snappy:New> <https://launchpad.net/bugs/1655834>
[07:11] <mup> PR snapd#2544 closed: interfaces: implement login-control interface <Created by morphis> <Closed by morphis> <https://github.com/snapcore/snapd/pull/2544>
[07:47] <zyga> o/
[07:49] <zyga> hey mvo
[07:50] <mvo> hey zyga
[08:57] <mup> PR snapd#2554 closed: tests: add end-to-end store test for classic confinement <Created by mvo5> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/2554>
[08:57] <mup> PR snapd#2605 closed: overlord,overlord/snapstate: have UpdateMany retire/enable auto-aliases even without new revision <Created by pedronis> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/2605>
[09:11] <mup> PR snapd#2469 closed: interfaces: upower-observe: refactor to allow snaps to provide a slot <Created by morphis> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/2469>
[09:14] <mup> PR snapd#2616 opened: tests: test classic confinement `snap list` and  `snap info` output <Created by mvo5> <https://github.com/snapcore/snapd/pull/2616>
[09:26] <mup> PR snapd#2617 opened: tests: switch more tests to MATCH <Created by zyga> <https://github.com/snapcore/snapd/pull/2617>
[09:38] <sergiusens> stokachu https://github.com/snapcore/snapcraft/blob/master/snaps_tests/__init__.py#L180
[09:46] <stokachu> sergiusens, https://github.com/juju/juju/blob/staging/snapcraft.yaml
[09:50] <mup> PR snapcraft#1038 closed: misc: delete bzr ignore <Created by elopio> <Merged by sergiusens> <https://github.com/snapcore/snapcraft/pull/1038>
[10:03] <sergiusens> icey https://bugs.launchpad.net/bugs/1655832
[10:03] <mup> Bug #1655832: App name in snapcraft.yaml must match case of .desktop file <Snapcraft:New> <https://launchpad.net/bugs/1655832>
[10:05] <icey> yeah sergiusens?
[10:47] <mup> PR snapd#2618 opened: tests: run all spread tests with SNAP_REEXEC={0,1} <Created by mvo5> <https://github.com/snapcore/snapd/pull/2618>
[11:30] <mup> PR snapd#2606 closed: overlord/snapstate: share code between Update and UpdateMany, so that it deals with auto-aliases correctly <Created by pedronis> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/2606>
[11:48] <icey> sergiusens: I think I got the linker flags in
[11:51] <mup> PR snapcraft#928 closed: Add missing dependencies to install_requires <Created by javacruft> <Closed by sergiusens> <https://github.com/snapcore/snapcraft/pull/928>
[12:02] <zyga> jdstrand: FYI, snap-alter-ns won't be setuid root, it will just be started by snapd (like snap-discard-ns)
[12:02] <zyga> jdstrand: we can choose to confine it but I wanted to make sure you know this
[12:03] <mup> PR snapd#2567 closed: debian: skip snap-confine unit tests on nocheck <Created by zyga> <Merged by zyga> <https://github.com/snapcore/snapd/pull/2567>
[12:04] <mup> PR snapd#2619 opened: many: update 14.04 branch to top of master <Created by zyga> <https://github.com/snapcore/snapd/pull/2619>
[12:05] <mup> PR snapd#2616 closed: tests: test classic confinement `snap list` and  `snap info` output <Created by mvo5> <Merged by pedronis> <https://github.com/snapcore/snapd/pull/2616>
[12:06] <mup> PR snapd#2620 opened: store: export userAgent. daemon: print store.UserAgent() on startup <Created by chipaca> <https://github.com/snapcore/snapd/pull/2620>
[12:25] <stokachu> how do i get into the shell of a snap again?
[12:25] <stokachu> snap run --shell conjure-up doesn't seem to do what i need
[12:42] <Chipaca> stokachu: `snap run --shell the-snap` should do what you need
[12:42] <Chipaca> stokachu: how is it not?
[12:42] <Chipaca> that is, what do you need, and what are you getting?
[12:43] <stokachu> so im building juju inside my snap but I think the problem is hte juju binary isn't getting copied into the snap
[12:43] <stokachu> still working that out
[12:43] <Chipaca> stokachu: that gives me more questions, but doesn't answer mine :-D
[12:44] <stokachu> yea sorry still trying to understand what im doing
[12:46] <stokachu> Chipaca: http://dpaste.com/361CKWW basically trying to expose the juju binary alongside conjure-up
[12:47] <morphis> mvo: do you know if there is a clear reason why every systemd service unit snapd generates wants the network-online.target?
[12:47] <Chipaca> stokachu: you did "snap run --shell conjure-up"
[12:47] <stokachu> Chipaca, yea
[12:47] <Chipaca> stokachu: what did that do? and what did you expect it to do?
[12:47] <stokachu> it brought me into a new shell and i was looking for the juju binary that wasn't there
[12:49] <Chipaca> stokachu: i'm missing somemething, i fear
[12:50] <stokachu> Chipaca, sorry, i built my conjure-up snap while pulling in the juju part from the wiki, in the end i want to be able to run both conjure-up and juju binaries from that single snap
[12:51] <Chipaca> stokachu: "snap run --shell conjure-up" is giving you a shell in the environment that apps in the conjure-up snap would see
[12:51] <Chipaca> stokachu: (modulo connections)
[12:51] <stokachu> Chipaca, ok, now im trying to figure out why that juju one isn't showing up in the file list
[12:51] <stokachu> Chipaca, using --classic
[12:51] <mvo> morphis: no clear reason
[12:51] <mvo> morphis: if that is a problem we can kill it
[12:51] <Chipaca> stokachu: when you say "in the file list", you mean in the snap?
[12:52] <stokachu> Chipaca, yea
[12:53] <stokachu> should it be conjure-up.juju as the command name?
[12:53] <Chipaca> yes
[12:53] <stokachu> how can i make it just juju? with an alias?
[12:53] <Chipaca> stokachu: yes
[12:54] <Chipaca> stokachu: but: is juju in conjure-up something users are expected to interact with?
[12:54] <stokachu> Chipaca, yea, juju needs to talk to the agent installed inside that snap
[12:54] <mup> PR snapd#2619 closed: many: update 14.04 branch to top of master <Created by zyga> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/2619>
[12:55] <morphis> mvo: not a urgent thing to fix but it conflicts with network-manager when I add a Alias=NetworkManager.Service in the generated unit file
[12:55] <morphis> as it then has a cycle of dependencies
[13:19] <stokachu> trying to get this juju binary include but hitting http://dpaste.com/2XNXGRW
[13:20] <stokachu> the part im pulling in is https://github.com/juju/juju/blob/juju-2.0.2/snapcraft.yaml
[13:35] <morphis> zyga: any idea about https://paste.ubuntu.com/23786689/? I am using a 3.4 kernel here so could be something not well supported by that ancient kernel but would like to understand this a bit more
[13:54] <mup> PR snapd#2620 closed: store: export userAgent. daemon: print store.UserAgent() on startup <Created by chipaca> <Merged by chipaca> <https://github.com/snapcore/snapd/pull/2620>
[14:04] <zyga> morphis: looking
[14:04] <zyga> morphis: 3.4
[14:04] <zyga> morphis: mount namespaces
[14:05] <zyga> morphis: do you see /proc/self/ns ?
[14:05] <zyga> morphis: if not then 3.4 is too old
[14:05] <zyga> I honestly don't expect 3.4 to work
[14:11] <morphis> https://paste.ubuntu.com/23786828/
[14:12] <mup> PR snapd#2618 closed: tests: run some spread tests with SNAP_REEXEC={0,1} <Created by mvo5> <Closed by mvo5> <https://github.com/snapcore/snapd/pull/2618>
[14:12] <zyga> morphis: there's no mnt entry there
[14:12] <zyga> morphis: the error is confusing but 3.4 is too old
[14:12] <zyga> morphis: and there's no way to solve it easily without a major feature in snap-confine
[14:13] <zyga> (I discussed this a while ago but this is 2-3 weeks to do)
[14:13] <zyga> morphis: what is the HW if you can disclose this?
[14:13] <morphis> zyga: I see
[14:14] <zyga> morphis: if I end up writing this I'd like to know if I have it on my desk
[14:20] <morphis> zyga: see PM
[14:28] <zyga> morphis: got it now
[14:28] <zyga> morphis: if we chat on rocket I get better notification
[14:53] <stokachu> zyga, snapstore supports delta downloads now right?
[14:59] <mup> PR snapd#2617 closed: tests: switch more tests to MATCH <Created by zyga> <Merged by zyga> <https://github.com/snapcore/snapd/pull/2617>
[15:00] <morphis> zyga: :-)
[15:03] <zyga> stokachu: yes but the client needs a special variable to enable that
[15:04] <stokachu> zyga, when will that get enabled by default?
[15:04] <zyga> stokachu: I don't know, that's a question to chipaca (not on IRC now) and nessita
[15:04] <stokachu> ok thanks
[15:04] <Chipaca> zyga, no, *you're* not on irc
[15:04] <zyga> oh
[15:04] <zyga> odd
[15:04] <zyga> tab tab gave me nothing, sorry about that
[15:04] <zyga> :)
[15:05] <Chipaca> we don't have delta downloads enabled by default
[15:05] <Chipaca> because of the xdelta3 dependency
[15:05] <stokachu> Chipaca, is that something that is in the works to be done soon?
[15:06] <Chipaca> stokachu, it's paperwork
[15:06] <Chipaca> but afaik it's moving forwards
[15:06] <Chipaca> so it'll get done in time
[15:06] <Chipaca> i mean: the code is there
[15:06] <stokachu> Chipaca, ah ok awesome
[15:06] <Chipaca> and you can even use it if you set the right env var
[15:07] <stokachu> cool is it documented anywhere?
[15:07] <Chipaca> dunno. SNAPD_USE_DELTAS_EXPERIMENTAL=1 in snapd's environ will do it
[15:07] <stokachu> cool thanks
[15:08] <Chipaca> and, you need xdelta3
[15:10] <zyga> jdstrand: hey
[15:12] <zyga> jdstrand: did you read about the new BFP attachments to cgroups?
[15:19] <jdstrand> zyga: yes. I assume you are refering to the comment in the 'ip netns' PR. I just commented there
[15:19] <zyga> jdstrand: actually no, I read the article on LWN
[15:19] <zyga> jdstrand: I'll check the PR
[15:21] <jdstrand> zyga: the pr doesn't mention bpf, but it was talking about network mediation, so I thought you were going there
[15:24] <stokachu> hi could i get someone to take a look at https://myapps.developer.ubuntu.com/dev/click-apps/5479/rev/26/?
[15:25] <jdstrand> stokachu: I will
[15:25] <stokachu> jdstrand, ty!
[15:28] <mup> PR snapd#2621 opened: osutil.GetenvBool now takes an extra, optional, argument <Created by chipaca> <https://github.com/snapcore/snapd/pull/2621>
[15:29] <jdstrand> stokachu: done. you need to press the release button
[15:29] <stokachu> jdstrand, perfect ty, do i need to worry about getting additional reviews if i need to push a new snap?
[15:30] <jdstrand> stokachu: not now (I granted that). check your email
[15:30] <stokachu> jdstrand, ok great, thank you again
[15:30] <jdstrand> np
[15:36] <stokachu> jdstrand,  sudo snap install conjure-up --edge --classic <- am i missing anything here?
[15:36] <stokachu> says snap isn't found
[15:37] <stokachu> oh isee
[15:37] <stokachu> release button at the bottom
[15:38] <stokachu> hmm not sure what im missing now
[15:41] <stokachu> maybe there is a delay
[15:44] <stokachu> http://paste.ubuntu.com/23787291/ snap info does show it in the edge channel as well
[15:52] <pedronis> stokachu: some confusion but installing classic snaps from the store doesn't work in 2.20 or before (we are fixing it in 2.21)
[15:53] <stokachu> pedronis, ah
[15:53] <stokachu> pedronis, np i can just work with the blob itself for now
[15:55] <pedronis> stokachu: the workaround to try it is to use "snap download   snap-name"   "snap ack *.assert" "snap install *.snap"
[15:55] <stokachu> pedronis, ah perfect, that'll work
[15:55] <pedronis> sorry for the incovenience
[15:56] <stokachu> np i know it's very new
[15:59] <jdstrand> stokachu: there is an issue with snapd and the store when using --classic. I don't recall the details. I think sergiusens has a workaround
[16:00] <jdstrand> ah, I see you already got an answer to that :)
[16:00] <stokachu> jdstrand, :D
[16:00] <stokachu> i can still corner sergiusens tomorrow unless he's hiding from me
[16:03] <jdstrand> roadmr: hi! can you pull r824 of the tools? this is just updates to data/ for 2.21 interfaces and whitelisting some approved kernel and gadget snaps
[16:04] <roadmr> jdstrand: sure thing
[16:04] <jdstrand> roadmr: thanks! I *think* this will be it for a while (famous last words)
[16:05] <mup> PR snapd#2520 closed: many: fix abbreviated forms of disconnect <Created by zyga> <Merged by zyga> <https://github.com/snapcore/snapd/pull/2520>
[16:15] <mup> PR snapd#2622 opened: asserts: Improve error message when key is not valid at the given time <Created by mvo5> <https://github.com/snapcore/snapd/pull/2622>
[16:28] <Cust0sLim3n> hi
[16:28] <Cust0sLim3n> when will rhel/centos be supported
[16:30] <mup> PR snapd#2621 closed: osutil.GetenvBool now takes an extra, optional, argument <Created by chipaca> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/2621>
[16:34] <ogra_> Cust0sLim3n, perhaps SamYaple or zyga know if thats actually planned ... fedora is surely supported (with limitiations in the confinement)
[16:34] <elopio> hello Cust0sLim3n: https://github.com/snapcore/snapd/wiki/Distributions
[16:36] <Cust0sLim3n> thanks elopio
[16:39] <zyga> Cust0sLim3n: hey
[16:39] <zyga> Cust0sLim3n: CentOS needs some packaging work
[16:39] <zyga> Cust0sLim3n: Fedora has two blocking issues that we've struggled with
[16:39] <zyga> Cust0sLim3n: both are on the backlog but I expect ~1-2 weeks before I start working on that
[16:40] <Cust0sLim3n> zyga, is there some repo with stuff for CentOS / Fedora builds ?
[16:40] <zyga> Cust0sLim3n: please have a look at http://www.opera.com/pl/computer/neon
[16:40] <zyga> er
[16:40] <zyga> paste fail
[16:40] <zyga> http://github.com/snapcore/snapd/wiki/Distributions
[16:40] <zyga> Cust0sLim3n: there was COPR but it is no longer used as development moved to Fedora git
[16:41] <Cust0sLim3n> zyga, cool thanks
[16:41] <zyga> Cust0sLim3n: CentOS should be easier (no selinux on services by default) but it needs separate packaging permissions
[16:41] <zyga> Cust0sLim3n: if you are interested we could work together to revive copr and build a centos package there
[16:41] <zyga> Cust0sLim3n: I cannot commit 100% of my time to it this or next week but I will help you out
[16:42] <Cust0sLim3n> zyga, don't really have time - really need it for RHEL though - but I think in meantime I will just use software collections on rhel or something - still have to see
[16:42] <Cust0sLim3n> zyga, just thought it would be nice to use snappy instead of SCL
[16:43] <zyga> Cust0sLim3n: what software are you most interested in?
[16:43] <zyga> Cust0sLim3n: we'll get there, it's just a busy schedule all the time
[16:44] <Cust0sLim3n> zyga, its for commercial use with our C/C++ software on linux that I want it
[16:46] <Cust0sLim3n> zyga, but its not critical enough for us to dedicate allot of time to it - so it was mainly just if I somehow missed it being available it would have been nice - but otherwise we will just use SCL or package directly
[16:46] <zyga> Cust0sLim3n: how do software collections help you?
[16:50] <zyga> jdstrand: hey - new interfaces API: https://github.com/snapcore/snapd/pull/2613/files
[16:50] <mup> PR snapd#2613: interfaces: add new interface API <Created by zyga> <https://github.com/snapcore/snapd/pull/2613>
[16:51] <zyga> jdstrand: with initial review from gustavvo
[16:51] <zyga> jdstrand: I think it is likely to land soon
[16:51] <zyga> jdstrand: once it does expect a flag day where all the interfaces and backends are ported to provisional APIs like spec.AddSnippet() (that directly replaces returning a snippet)
[16:52] <jdstrand> I'll be looking at that in a little bit
[16:52] <zyga> jdstrand: and then dedicated changes to backends like mount, kmod, systemd that are well defined and have just a few interfaces
[16:52] <zyga> jdstrand: then we can discuss apparmor/seccomp
[16:52] <zyga> jdstrand: I think there's no rush on aa/sc but we can see what we'd like to do by porting one or two interfaces over to more semantic APIs
[16:53] <zyga> jdstrand: e.g. in seccomp we could do spec.Allow(seccomp.open) rather spec.AddSnippet("open")
[16:53] <zyga> jdstrand: in apparmor we could do (but in short cases IMHO) spec.Allow("/path/to/file", "r") or even spec.Allow("/path/to/file", apparmor.Read)
[16:54] <zyga> jdstrand: thanks!
[16:55] <Cust0sLim3n> zyga, makes it easier to work with multiple library and application versions and allows us to be less dependent on library versions shipping with OS - so if we want newer boost version for building with than is available on RHEL by default we can package it with SCL
[16:56] <jdstrand> zyga: keep in mind, I've not looked at this at all yet, but please, please, please keep in mind that the resulting security policy needs to be auditable. that means policy, structure and comments all need to be in place. I maintain my concerns that this will impede security audits since the review will have to do profile dumps to see what is happening
[16:56] <zyga> jdstrand: I keep this in mind and keep reminding everyone about it :-)
[16:56] <jdstrand> tyhicks: fyi ^
[17:00] <mup> PR snapd#2623 opened: tests: add test ensuring manual pages are shipped <Created by zyga> <https://github.com/snapcore/snapd/pull/2623>
[18:00] <jdstrand> ogra_: hi! I noticed that the bbb kernel is a few versions behind the most recent USNs
[18:01] <jdstrand> ogra_: is your automated script not working right?
[18:14] <ogra_> jdstrand, that one isnt automated ...  i'll kick off a new build
[18:16] <jdstrand> ogra_: fyi, you can automate it if you want. I just added an exception for it in the review tools (though this upload will need a review, when the store syncs it won't any more)
[18:16] <ogra_> ok
[18:41] <mup> PR snapd#2624 opened: Re-associate with pid-1 mount namespace if required <Created by zyga> <https://github.com/snapcore/snapd/pull/2624>
[18:46] <zyga> tyhicks: good news, I think I know what the kernel bug is about :)
[18:46] <zyga> (the one with oops on one thing I did a while ago)
[18:46] <zyga> well, fingers crossed
[18:46] <zyga> at the very least I can give you a way to reproduce easily
[18:47] <zyga> jdstrand, jjohansen:  ^^
[18:47] <zyga> (oops in apparmor)
[18:47] <zyga> on the up side it is *not* Friday yet
[18:48] <kgunn> ogra_: thanks for the pi image...one question, anyway we could change pi3 console config to not require ethernet cable?
[18:49] <kgunn> i set up wifi fine, but then it loops back and demands i set up via ethernet
[18:49] <ogra_> kgunn, i think there is an old bug open for this ...
[18:49] <kgunn> ah
[18:49]  * kgunn thot pi2 didn't have wifi chip
[18:49] <kgunn> and that was the reason
[18:50] <ogra_> you can set it up initially with eth0, then reboot, ssh in and run "sudo console-conf" and disabe eth0 and switch to wlan0 ... that works fine for me
[18:50] <ogra_> it is only the very first boot where it fails
[18:50] <davmor2> ogra_: out of interest why are we use pi2 kernel on pi3 are there phyiscally no differences between then?
[18:50] <ogra_> (but indeed you need network on the very first boot to set up the user)
[18:51] <zyga> ogra_: you can use the serial console
[18:51] <zyga> ogra_: on a pi :)
[18:51] <ogra_> davmor2, the kernel is identical ... but th ebootloaders are not (namely there is a different u-boot.bin )
[18:51] <jdstrand> jjohansen: this is not what we talked about yesterday, but zyga is seeing an oops with https://github.com/snapcore/snapd/pull/2624. I have a feeling many of your concerns about changing the mount namespace would apply to this pr
[18:51] <mup> PR snapd#2624: Re-associate with pid-1 mount namespace if required <Created by zyga> <https://github.com/snapcore/snapd/pull/2624>
[18:51] <ogra_> zyga, for what ?
[18:51] <zyga> ogra_: to do the 1st boot dance
[18:51] <zyga> jdstrand: that branch is buggy but perhaps this is causing the oops
[18:51] <ogra_> zyga, and that magically pulls the login data via serial ?
[18:51] <zyga> jdstrand: testing again with the fix
[18:51] <zyga> ogra_: oooooho
[18:51] <ogra_> :D
[18:52] <zyga> ogra_: I should have gotten that beer
[18:52] <ogra_> you need network to be able to finish console-conf once
[18:52] <ogra_> hah
[18:52] <zyga> jdstrand: anything I should know about?
[18:52] <ogra_> once it is finished, switching networks is easy
[18:53] <jdstrand> zyga: you should wait for jjohansen. he had concerns regarding changing namespaces and open fds and likely some other concerns
[18:54] <zyga> jdstrand: will he be around today?
[18:55] <jdstrand> zyga: this came up in the context of snap-alter-ns, but I think they would apply to this
[18:55] <zyga> jdstrand: hmm hmm, can you tell me how would snap-alter-ns be affected? we could presumably do all the open() calls after we re-associate
[18:55] <zyga> (just worried if I should be worried)
[18:55] <jdstrand> zyga: he should be. he has been sick though. not sure when he'll be online
[18:56] <jdstrand> zyga: need to wait for jjohansen. we were going to chat today. may as well make it all 3 of us
[18:56] <jdstrand> (or maybe tomorrow)
[18:56] <zyga> jjohansen: I'm sorry to hear that, I hope you get better
[18:57] <zyga> jdstrand: if he's around can you please PM me on telegram (I get notifications on my phone this way)
[18:57] <zyga> I'd like to listen to understnad this problem better
[18:57] <jdstrand> zyga: you can listen to irc then?
[18:59] <zyga> jdstrand: if the converstation is on IRC then that's much easier :)
[19:00] <jdstrand> zyga: it will be, yes
[19:02] <zyga> jdstrand: somewhat offtopic, I think there's a separate bug, kernel doesn't let me bind() the mount namespace FD if I don't run as root despite having all the capabilities; I will need to investigate that in ~10 days. Do you know if this is by design (by any chance)?
[19:04] <jdstrand> zyga: I don't, sorry
[19:04]  * zyga will dig through the kernel then
[19:05] <alvarolb> hi there! How I can submit a snap package both for armhf and amd64? I have both snaps already built.
[19:05] <zyga> alvarolb: just send them to the store
[19:05] <zyga> alvarolb: you can use snapcraft for that
[19:05] <zyga> alvarolb: or use the web UI
[19:05] <zyga> alvarolb: both snaps need to have the same snap name / snap id
[19:05] <zyga> alvarolb: and (hopefully) different architecture entries
[19:06] <alvarolb> yes, but if I upload the amd64
[19:06] <kyrofa> alvarolb, they will both be assigned different revisions and the store will know what arch they are. And snapd won't let a snap for the wrong arch be installed
[19:06] <alvarolb> then it replaces the armhf
[19:06] <zyga> alvarolb: it doesn't really replace them
[19:06] <zyga> alvarolb: just try it, you will have to publish each one
[19:06] <zyga> alvarolb: then you should be able to install them :)
[19:07] <alvarolb> Ok, so I upload both versions to the same snap package, and it should work
[19:07] <kgunn> ogra_: re eth, ack...except i don't have eth cable access here at my communal office space :-P
[19:07] <alvarolb> it does not show that the snap is available for both platforms
[19:07] <kyrofa> alvarolb, then run `snapcraft status <snapname>` and you'll see where each arch has its own channel map
[19:08] <ogra_> kgunn, ah, damned
[19:09] <ogra_> kgunn, well, we dont have a solution beyond this yet
[19:10] <ogra_> you could try a wifi dongle, perhaps that works better
[19:10] <alvarolb> ok, thanks for the support!
[19:15] <mup> PR snapd#2433 closed: tests: run all snap-confine tests in c-unit-tests task <Created by zyga> <Merged by zyga> <https://github.com/snapcore/snapd/pull/2433>
[19:36] <mhall119> jdstrand: can you take a look at this error for me? http://paste.ubuntu.com/23788349/
[19:36] <mhall119> I suspect that it's not really a problem with the limits, but rather the snap's inability to check what the limits are, due to confinement
[19:38] <zyga> mhall119: Jan 12 14:31:59 mhall-thinkpad snap[5671]: /snap/couchbase-server-community/x1/couchbase-server-snap: line 166: exec: erl: not found
[19:38] <zyga> mhall119: limits seem to be a separate issue
[19:39] <zyga> mhall119: look at dmesg | DENIED please
[19:39] <zyga> er
[19:39] <zyga> dmesg | grep DENIED
[19:40] <mhall119> zyga: nothing from couchbase there, I have another issue with it not finding the 'erl' binary that I need to fix
[19:49] <stokachu> so in a classic snap how would i copy a file to my HOME dir?
[19:49] <zyga> mhall119: then I'd say it dies on that problem now
[19:49] <stokachu> not the home dir of the snap
[19:50] <zyga> stokachu: classic snap or in the classic confinement of some snap/
[19:50] <stokachu> zyga, in the classic confinement
[19:50] <zyga> stokachu: snaps that have confinement: classic don't get HOME redirection
[19:50] <zyga> stokachu: HOME is real :)
[19:51] <zyga> stokachu: try it,
[19:51] <stokachu> hmm so if i do a cp file ~/test from the snap it doesn't show up in my HOME dir
[19:51] <zyga> stokachu: https://github.com/snapcore/snapd/wiki/Environment-Variables#home
[19:51] <zyga> stokachu: can you use "snap run --shell $SNAP_NAME.appname" and go to $HOME
[19:52] <zyga> stokachu: or just echo $HOME
[19:52] <zyga> stokachu: if that's a bug I can (still) fix it
[19:53] <stokachu> zyga, hmm ok $HOME shows my user (ubuntu) /home/ubuntu when i do a snap run --shell conjure-up
[19:53] <stokachu> need to check out my code then, because things like os.expanduser in python should work as normal correct?
[19:54] <stokachu> yea must be something in my code
[19:54]  * stokachu back to drawing board
[19:58] <AlbertA> ogra_: this may be a different bug (wifi), I ran console-conf after first boot like you mentioned but
[19:58] <AlbertA> wlan0 option dissapears
[20:00] <zyga> stokachu: I hope so, we don't change anything else
[20:00] <AlbertA> ogra_: I guess a reboot fixed that :)
[20:00] <stokachu> zyga, hah
[20:05] <zyga> jdstrand: hey, so I made some progress but got stuck; I don't see any apparmor denials (the process is in devmode), I don't see anything in the kernel log but when I open /proc/1/ns/mnt I get EACCES
[20:05] <zyga> jdstrand: I did an experiment where I just nsenter around and this worked OK
[20:05] <zyga> jdstrand: I suspect apparmor is causing this
[20:06] <zyga> jdstrand: can you please have a look at https://github.com/snapcore/snapd/pull/2624/files#diff-5f1642833244a655796f5f4230f68fdbR207
[20:06] <mup> PR snapd#2624: Re-associate with pid-1 mount namespace if required <Created by zyga> <https://github.com/snapcore/snapd/pull/2624>
[20:06] <zyga> jdstrand: and tell me if I need to adjust the apparmor profile in some special way (in the same pull request)
[20:06] <mup> PR snapcraft#1045 opened: Handle parser errors better <Created by josepht> <https://github.com/snapcore/snapcraft/pull/1045>
[20:06] <zyga> jdstrand: note, I *don't* get a DENIED anywhere :-(
[20:06] <zyga> jdstrand: (thinking about it now I want to point out that while the process running snap-confine is in devmode, snap-confine itself is obviously confined)
[20:07] <zyga> jdstrand: perhaps my change is not applied to the snap-confine I'm runnning from the (repackaged) core snap?
[20:08] <zyga> jdstrand: still thinking aloud, looking at /sys/kernel/security/apparmor/profiles I see
[20:08] <zyga> http://paste.ubuntu.com/23788499/
[20:10] <zyga> jdstrand: should snap confine reset the policy (maybe this should be done in the base apparmor template, running snap confine doesn't inerhit the profile but replaces it with the profile for snap-confine)
[20:10] <zyga> jdstrand: insight appreciated, I'll check back later
[20:19] <zyga> jdstrand: I've added some more facts here: https://github.com/snapcore/snapd/pull/2624#issuecomment-272270130
[20:19] <mup> PR snapd#2624: Re-associate with pid-1 mount namespace if required <Created by zyga> <https://github.com/snapcore/snapd/pull/2624>
[20:19]  * zyga EODs
[20:22] <ogra_> AlbertA, yeah, wla0 is there and you can even attempt to configure it but it will always fail in the end
[20:22] <ogra_> second attempt is stable
[20:29] <roadmr> jdstrand: you got lucky and we had a clear store deployment pipeline; tools r824 is now in production
[20:30] <jdstrand> \o/
[20:30] <jdstrand> roadmr: thanks :)
[20:41] <lazyPower> o/ heyo, trying to use snapcraft from MASTER. My tests pass save for some subclass issues (about 7 failures that seem unrelated) - however when attempting to use snapcraft, i get the following message: Issues while validating snapcraft.yaml: snapcraft validation file is missing from installation path
[20:45] <kyrofa> lazyPower, how are you running snapcraft?
[20:49] <lazyPower> kyrofa - i followed the hacking guide to install it (isolated in a lxd container)
[20:50] <lazyPower> kyrofa - after the predep steps, python setup.py install && cd $my-snaps-path && snapcraft
[20:50] <lazyPower> s/python/python3/
[20:50] <kyrofa> lazyPower, the hacking guide only discusses dependencies, not snapcraft itself
[20:51] <kyrofa> lazyPower, when it comes time to run it, simply run bin/snapcraft (or add it to your PATH)
[21:21] <jdstrand> mhall119: your system seems to have 'nofile' set somewhere. you can see your limits by typing 'ulimit'. I did just now on classic, in hello-world on classic and hello-world on all snaps and they all say 'unlimited'. see man limits.conf and /etc/security/limits.conf
[21:21] <jdstrand> mhall119: are you seeing any security denials?
[21:23] <jdstrand> zyga: re https://github.com/snapcore/snapd/pull/2624/file if there is no denial, it shouldn't be apparmor. the kernel might be telling you EACCES for another reason. that said, I think we should ask jjohansen about it
[21:23] <mup> PR snapd#2624: Re-associate with pid-1 mount namespace if required <Created by zyga> <https://github.com/snapcore/snapd/pull/2624>
[21:24] <jjohansen> looking
[21:26] <jdstrand> zyga: when you use nsenter, are you doing it from within snap-confine at the point that it is getting the EACCES? ie, nsenter from global namespace to pid 1 namespace is one thing, some snap app running anohter snap app that triggers snap-confine to have it go to pid 1 is another thing
[21:27] <jdstrand> jjohansen: ^ that is the summary of the issue
[21:27] <jjohansen> right
[21:30] <jdstrand> jjohansen: let's wait for zyga to respond on that. do you have time to discuss snap-alter-ns? (what we discussed yesterday)
[21:30] <jjohansen> we discusssed it?
[21:30] <jdstrand> well
[21:31] <jdstrand> we referenced it?
[21:31] <jdstrand> the thing from yesterday :)
[21:31] <jjohansen> right
[21:31] <jdstrand> (which isn't the same thing as the above pr)
[21:31] <jdstrand> jjohansen: you have time now?
[21:32] <jjohansen> sure, I guess
[21:33] <jdstrand> jjohansen: ok. so let me give you the problem and a simple description of what the propsed solution is, then the url for the din depth description of the fix
[21:34] <jdstrand> jjohansen: today snaps can ship multiple commands. those commands may be daemons or manually started. all commands within a snap share the same mount namespace, so the all see the same /tmp and things that snapd might mount into the namespace
[21:36] <jdstrand> jjohansen: this is done by when a snap command is first started, a nsfs magic file is checked. it is isn't magic, the full mount namespace is setup, then the magic file is saved. the next command that runs see the magic file and snap-confine enters that mount namespace instead of generating it anew
[21:38] <jdstrand> jjohansen: on top of that, there is an interface called 'content'. this allows a providing snap to 'export' something in its area so that another snap may 'import' it. this is done via a file that maps the export dir to the import dir that snap-confine reads and it will perform a mount of the exported dir into the calling snaps mount namespace
[21:41] <jdstrand> jjohansen: iirc, things work fine if the interfaces are connected (ie, snap-confine is supposed to do this mount operation) and the mount namespace is not setup (eg, after a reboot). there have been some issues with if the mount namespace is setup already iirc and adding it after the mount namespace is already setup. (eg, start the command, then connect the interface, etc)
[21:41] <jdstrand> jjohansen: so zyga came up the the idea of 'live modification of mount namesapces'
[21:42] <jdstrand> jjohansen: in essence, that is meant to robustly perform the mount of the imported directory on a namespace that is already setup, and remove mounts that have been disconnected
[21:43] <jdstrand> jjohansen: I mentioned that removing mounts will cause problems with daemons most likely-- I think he will counter that they'll lazy umount.
[21:44] <jdstrand> jjohansen: the live modification will be done by 'snap-alter-ns', a command that snapd will call when a 'snap connecnt' or 'snap disconnect' is performed. it is meant to mount missing connected imports and unmount ones that are no longer connected
[21:44] <jdstrand> jjohansen: here is the larger proposal: https://github.com/snapcore/snapd/wiki/Live-Modification-Of-Mount-Namespaces
[21:45] <jdstrand> jjohansen: <I'm done>
[21:47] <jdstrand> jjohansen: well, I have one final thought. revocation aside, I thought that simply adding mounts would not be problematic since that isn't really any different than say plugging in a usb key and having it show up. that said, there are many layers of mounts here and that may be a naive way of looking at it
[21:48] <jjohansen> okay, removing mounts can be problematic for any open fd, but it is probably something that isn't a blocker
[21:48] <zyga> re
[21:48] <zyga> hey
[21:48]  * zyga watched 2nd episode of 4th season of Sherlock
[21:48] <zyga> jdstrand: replied on your comment
[21:49] <zyga> jdstrand: according to my experiment this only happens when apparmor is in the loop, I could have made a mistake, I was tired already
[21:49] <zyga> 22:26 < jdstrand> zyga: when you use nsenter, are you doing it from within snap-confine at the point that it is getting the EACCES? ie, nsenter from global namespace to pid 1
[21:49] <zyga>                   namespace is one thing, some snap app running anohter snap app that triggers snap-confine to have it go to pid 1 is another thing
[21:49] <jjohansen> additions at first glance look safer, but have the potential to create aliases and rewrite subtree. If tightly controlled it should be okay, if not it is an attack vector
[21:50] <zyga> jdstrand: to reply to this: when I use nsenter I was doing it from the mount namespace created by snap-confine
[21:50] <zyga> I'm happy to discuss anything
[21:51] <jdstrand> zyga: let's pause on 2624 for a moment and get through snap-alter-ns
[21:51] <zyga> ok
[21:51] <jjohansen> zyga: can you turn on apparmor debug messages
[21:51] <jjohansen>   echo 1 > /sys/modules/apparmor/parameters/debug
[21:51] <jjohansen> and see if that turns anything up, also turn off printk rate limiting to make sure printk isn't dropping something
[21:51] <jjohansen>   echo 0 > /proc/sys/kernel/printk_ratelimit
[21:52] <zyga> jjohansen: ack, I'll do that
[21:52] <jdstrand> jjohansen: wrt aliases and rewrite subtree, how would one trigger that? right now, the snap declares a dir and that is it. is it a malformed dir? a symlink? something in the dir that could trigger it?
[21:52] <jdstrand> oh I forgot rate limiting
[21:52] <jjohansen> apparmor shouldn't be denying something without logging it, hmmm unless explicitly told not to log it, better turn off quieting as well
[21:52] <jjohansen> echo -n noquiet > /sys/module/apparmor/parameters/audit
[21:53] <jdstrand> jjohansen: we don't actually explicitly much in the snappy policy (I think there are two rules otoh)
[21:53] <jdstrand> but noquiet never hurts
[21:55] <jjohansen> just trying to make sure all potential reasons not to log are out of the way
[21:55] <zyga> ok, test in progress
[21:55] <zyga> let's talk about snap-alter-ns
[21:56] <jdstrand> (fyi, you need sys_admin for entering the namespace and snap-confine has that)
[21:56] <zyga> correct
[21:56] <jdstrand> jjohansen: did you see my last question?
[21:58]  * zyga finishes reading backlog
[21:58] <jjohansen> jdstrand: you mount over an existing dir/tree location that isn't a leaf
[21:59] <jjohansen> it just has to be controlled is all
[21:59] <jdstrand> jjohansen: like, twp exported dirs mounted onto the same import dir?
[21:59] <zyga> I'm fine with limiting this so that we can guarantee no "funny" layouts are possible
[21:59] <jdstrand> jjohansen: it is rather tightly controlled right now. I want to make sure we make sure we get all the bits
[21:59] <zyga> you should also be aware with one more thing we're trying to introduce that may complicate this
[22:00] <zyga> the 'overmount' interface, that within the snap's mount namespace, allows it to almost freely do bind mounts from $SNAP to various places across the fileystem; the use case is shoving stuff into /usr/share so that pre-compiled binaries feel more at home
[22:00] <jdstrand> zyga: can you add to your list a check to make sure that you can't mount on an already mounted location? ie, no layering at all
[22:01] <zyga> jdstrand: so essentially the target directory cannot itself be a mount point
[22:01] <jdstrand> zyga: that is how I took jjohansen's comment. let's get his feeback
[22:01] <zyga> jdstrand: will this restriction cause any issues to users?
[22:01] <zyga> ok
[22:02] <jdstrand> zyga: I think blocking that is a good thing despite this. it would be weird to have two content exports mounted over each other. which would win? poor user experience
[22:03] <zyga> agreed
[22:03] <zyga> are we considering *any* mount points or just those that interfaces created?
[22:04] <jdstrand> jjohansen: ^
[22:06] <zyga> /bin/bash: line 44: /sys/modules/apparmor/parameters/debug: No such file or directory
[22:06] <jjohansen> jdstrand: well sure that is one, doesn't really matter any non-leaf mount can result in weirdness, as you have a shadowing affect
[22:06] <zyga> hmm
[22:06] <jjohansen> ie. alias
[22:06] <zyga> ah, module vs modules
[22:07] <jdstrand> with the content interface I think this is ok
[22:08] <zyga> jjohansen: can you give me an example of a mount that would be problematic
[22:08] <jjohansen> whether its good or bad depends on what you are trying to achieve, but it adds to the complexity of what needs to be analyzed and opens the potential for attacks that you don't see. I think you probably okay, the mounts are being done by snapd not the application
[22:08] <zyga> jjohansen: I'd like to understand what to avoid better
[22:08] <jdstrand> we are mounting into a dir that shouldn't have any mounts (well, could be on a dir in a squashfs)
[22:09] <jdstrand> jjohansen: gotcha
[22:09] <jjohansen> zyga: that is a good question, and the answer is it depends
[22:10] <jdstrand> zyga: I think we are ok cause the content interface is mounting into a very specific place-- either in SNAP, SNAP_COMMON or SNAP_DATA. there shouldn't be anything else in there if we employ the outlined restriction
[22:10] <jjohansen> some of it, I just don't know. Aliasing attacks via links etc have been pulled off in the past. I think we largely don't have that problem with snappy
[22:11] <jjohansen> the other thing to worry about the interaction between the different mechanisms providing your policy, which is a combination of namespaces, dac, apparmor, and seccomp
[22:11] <jdstrand> (snaps can't mount (excepting a few super restricted interfaces that are only allowed to trusted apps))
[22:11] <zyga> jdstrand: if the overmount interface lands that comfort will go away, e.g. I can connect overmount and then content and then disconnect overmount, given the right (or evil) interfaces that could do some things we weren't expecting
[22:12] <jdstrand> zyga: I have quite a few concerns with the overmount interface
[22:12] <jjohansen> they each have their own set of expectations, I think the interaction between apparmor path mediation and mount namespacs is the most problematic
[22:12] <jjohansen> again its just a matter of making sure your policy is right for the changes
[22:13] <jdstrand> based on what we said here, I think we are good. we can deal with overmount if/when it comes up for review
[22:14] <zyga> can you wait 5 more minutes, I will have that debug data
[22:14] <jdstrand> it is too difficult to think about the policy ramifications of what it could someday do ("it can do anything!" I can't evaluate the impact on policy for 'anything' :)
[22:14] <zyga> I was looking at loaded profiles and I saw that there were "//null" in the profile names, that made me worries somewhat, are those expected? I don't quite understand how profiles stack or what to make of the profile name
[22:15] <zyga> (after the reassociation test failure)
[22:15] <jdstrand> jjohansen: wrt revocation with snap-alter-ns. today we don't revoke so there isn't an issue. with snap-alter-ns, I suspect that zyga will use a lazy umount. do you see problems there?
[22:15] <jdstrand> zyga: //null is normal when you are in complain mode
[22:16] <jjohansen> zyga: //null should only ever showup for profiles that are auto-generated during complain mode
[22:17] <jjohansen> they will either be //null-#### where #### is unique, or //null-executable name
[22:17] <zyga> dmesg http://paste.ubuntu.com/23789099/
[22:17] <zyga> kern.log http://paste.ubuntu.com/23789105/
[22:17] <jdstrand> we got back to talking about two things at once
[22:18] <zyga> this is the same test with the extra debugging
[22:18] <jdstrand> we can finish snap-alter-ns if the revocation question is answered
[22:18] <zyga> ah, sorry, I'm always too impacient
[22:19] <zyga> [  498.595560] apparmor: clearing unsafe personality bits. /usr/lib/snapd/snap-confine label=snap.test-snapd-tools.cmd//null-/usr/bin/snap//null-/usr/lib/snapd/snap-confine
[22:19] <jjohansen> zyga: so I don't see apparmor directly causing the failure but, it is possible that clearing the unsafe personality bits could lead to an EACCES
[22:19] <zyga> actually
[22:19] <zyga> [  498.616822] audit: type=1400 audit(1484259403.009:67): apparmor="ALLOWED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="snap.test-snapd-tools.cmd//null-/usr/bin/snap//null-/usr/lib/snapd/snap-confine" name="" pid=25299 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[22:19] <zyga> isn't this exactly what I saw?
[22:20] <zyga> I got errno 13
[22:20] <zyga> jjohansen: I was reading the log in order, this is the last message
[22:20] <jdstrand> can we put that on hold? I have a question regarding it that will require discussion
[22:20] <zyga> sure
[22:20] <jdstrand> there is but one question remainging...
[22:20] <jdstrand> jjohansen: wrt revocation with snap-alter-ns. today we don't revoke so there isn't an issue. with snap-alter-ns, I suspect that zyga will use a lazy umount. do you see problems there?
[22:21] <jjohansen> oh, hrmmm, if there is an ALLOWED it should be toggling the error to 0, the logging does report the initial error
[22:21] <jjohansen> I am not ruling out that there is a bug around complain mode and disconnected paths
[22:22] <jjohansen> jdstrand: sure, lazy unmount tringgers disconnected paths
[22:22] <jdstrand> ah
[22:22] <jdstrand> zyga: so I'm not sure we can do live revocation well with snap-alter-ns
[22:23] <zyga> jdstrand: hmm hmm
[22:23] <jdstrand> zyga: daemons or anything already running in the mount namespace are going to be unhappy
[22:23] <jjohansen> jdstrand: with that said, if the fd label is cached it should be fine
[22:23] <zyga> jdstrand: we could ignore that and just carry on (to some extent)
[22:23] <zyga> jdstrand: we could fail the operation and say "gee, cannot disconnect this thing now" (bad UX perhaps, need to re-do some mounts)
[22:23] <jdstrand> zyga: I think snap-alter-ns will make connect more robust
[22:23] <jjohansen> the issue would rear its head if new lookups (openat, ...) are done based off of it, or policy is replaced
[22:24] <jdstrand> policy gets replaced on connect/disconnect
[22:24] <jjohansen> jdstrand: well, then we are going to have to spend some time looking at it
[22:24] <jdstrand> zyga: I like the idea of trying to umount non-lazy. if it fails, it just doesn't get unmounted. it gets removed from the saved file. eventually it is gone
[22:25] <jjohansen> jdstrand: it will depend on several things, and stacking opens up some avenues that might make it not a problem
[22:25] <jdstrand> zyga: I think more than that will require tyhicks or ratliff in on the conversation so that scope and priority can be discussed
[22:25] <jdstrand> jjohansen: ack
[22:26] <zyga> jdstrand: we could also consider saying "this doesn't work" and having snapd shutdown all the stuff that runs there
[22:26] <zyga> jdstrand: so in the nice case it just works
[22:26] <jdstrand> I'm ready to move past revocation if you guys are
[22:26] <zyga> jdstrand: in the non-nice case it just reliably gets closed
[22:26] <zyga> I think we need to try it and meet again to discuss what kind of warts remain
[22:26] <zyga> jjohansen: what do you think?
[22:26] <jdstrand> zyga: well-- restarting a daemon wouldn't be too bad, but there is no way to restart a non-daemon command that is running
[22:26] <zyga> jdstrand: ah, correct
[22:27] <zyga> jdstrand: I didn't consider this
[22:27] <zyga> jdstrand: we could use cgroups to do this though
[22:27] <zyga> freeze and kill
[22:27] <jdstrand> zyga: that said, snap-alter-ns and its way of managing the saved file sounds fine and will make the connect more robust. we can ponder disconnect and defer
[22:27] <jjohansen> zyga: yeah, meeting again sounds good
[22:27] <jdstrand> eh
[22:27] <zyga> jdstrand: sounds good, I think most people will struggle with connect more :)
[22:27] <jdstrand> I'd be pretty miffed if I lost all my state
[22:28] <jdstrand> zyga: I do too
[22:28] <zyga> jdstrand: connect is interactive
[22:28] <zyga> jdstrand: we could do something smart like "are you *really* sure you want this?"
[22:28] <jjohansen> zyga: so if you add attach_disconnected to your profile, and test again that should tell us whether the failure is a bug in how apparmor is handling disconnected paths wrt complain mode
[22:29] <zyga> jjohansen: this is attach_disconnected already I think
[22:29] <zyga> jjohansen: there are only two profiles at play: (and a hat): snap-confine, base policy all snaps get and the hat in snap-confine
[22:29]  * zyga checks
[22:29] <zyga> I have a debug shell so I can experiment if you have ideas
[22:29] <jjohansen> zyga: nope, you won't get info="Failed name lookup - disconnected path"
[22:30] <jjohansen> well not unless that is a bug too ...
[22:30] <jdstrand> zyga: ok, so now my question-- why is snap-confine calling snap to call snap-confine from within the profile? I think the snap command needs to be the thing that sets everything straight. ie, snap can talk to snapd which can notice if the comamnd is running under confinement, then check if the confinement allows calling the command, then fork/exec to call snap itself
[22:30] <jdstrand> you are focusing on devmode, but I don't know how this is expected to work in strict mode policy-wise
[22:31] <zyga> jjohansen: snap-confine has that, looking at the generated profile now
[22:31] <jdstrand> so snapd is a trusted helper
[22:31] <zyga> jdstrand: this is a feature for CE, in devmode only they need to be able to run a snap command from another snap command, before mount namespace tricks it use to work so they treat it as a regression
[22:32] <jdstrand> I know that has problems with fds, etc, etc, but so does this method
[22:32] <zyga> jdstrand: this is only expected to work in devmode (for them)
[22:32] <zyga> jjohansen: I confirmed that all profiles are attach_disconnected
[22:33] <zyga> I can pastebin them if you like
[22:33] <zyga> qemu:ubuntu-16.04-64 .../tests/regression/lp-1644439# cat /sys/kernel/security/apparmor/profiles |pastebinit
[22:33] <jjohansen> zyga: does /sys/kernel/security/apparmor/policy/raw_data/ exist?
[22:33] <zyga> http://paste.ubuntu.com/23789168/
[22:33] <zyga> checking
[22:34] <zyga> yes
[22:34] <jdstrand> looking at line 91 and the lines after, I feel like maybe snap-confine is trying to transition to the hat but can't find it
[22:34] <zyga> but empty
[22:34] <zyga> jdstrand: note that this is _before_ the hat
[22:34] <jjohansen> gah, never mind. I've got it. The null child profile is not picking up the flags of the parent, so it is not attach_disconnected
[22:34] <zyga> jdstrand: the reassociation is done before we even attempt to fork
[22:35] <jjohansen> zyga: can you open a bug
[22:35] <zyga> jjohansen: sure, just tell me where
[22:35] <jdstrand> this is a funky denial: apparmor="ALLOWED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="snap.test-snapd-tools.cmd//null-/usr/bin/snap//null-/usr/lib/snapd/snap-confine" name="" pid=25299 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[22:35] <jdstrand> name=""?
[22:35] <zyga> jjohansen: I can boot other kernels, test anything, this is easy to reproduce
[22:35] <zyga> well, it doesn't know what the name is
[22:35] <jjohansen> zyga: drop your failure and log in the bug, open it again linux or apparmor it doesn't really matter
[22:35] <jdstrand> zyga: do you have a reproducer for jjohansen that doesn't involve spread?
[22:36] <jjohansen> zyga: name="" means that its going to attach to /
[22:36] <zyga> jdstrand: spread just runs those few shell commands, all you need to do is to build s-c from that branch and then you can do it easily
[22:36] <zyga> jjohansen: I'll file one shortly
[22:37] <jjohansen> disconnected paths don't have a leading / and currently the only connection point is /
[22:37] <zyga> jdstrand: and this is in qemu,
[22:37] <zyga> (pretty easy to set up)
[22:37] <jdstrand> zyga: can you make sure that the bug has very clear instructions for reproducing and building s-c?
[22:37] <zyga> jdstrand: sure
[22:37] <zyga> jdstrand: I'll try to simplify it if I can
[22:37] <zyga> but this is pretty robust, just clone that branch and run spread with a given argument
[22:37] <jdstrand> zyga: jjohansen is trying very hard to hit a merge window for upstreaming apparmor and he doesn't hack on snap-confine or snapd :)
[22:37] <zyga> and you have shell in the qemu box :)
[22:38] <zyga> point taken
[22:38] <zyga> btw, how is that progressing?
[22:38] <jjohansen> zyga: I don't need the reproducer, just the bug. I should have a kernel for you in a few hours
[22:38] <jdstrand> zyga: yeah, don't expect that to be fast for him :) he doesn't have any of that setup. a shell script or .c file demontrating the problem is way better than bootstrapping the snapd dev environment
[22:38] <zyga> jjohansen: looking forward to that
[22:39] <jdstrand> sounds like jjohansen has it under control and I've said my bits, so I'm out
[22:39] <zyga> I'll report the bug now
[22:39] <zyga> thanks guys, it was good to talk to you again :)
[22:40] <jdstrand> np
[22:40] <jdstrand> jjohansen: thanks for all your time! :)
[22:47] <wililupy> Question: I have a user that built a custom kernel and they are trying to install it with the snap install command but it fails saying it is not signed. They used the --dangerous and equivilent options to no avail. Is there any other command line flags to use when trying to do this?
[22:47] <zyga> wililupy: you need to build an image with this but I don't believe this option is supported in ubuntu image yet
[22:49] <kyrofa> zyga, is there no way to use a custom kernel, then?
[22:49] <wililupy> zyga: Thats what I thought. I told them that and sent them instructions on building a custom image but I also told them I would get a difinitive answer on this as well. Thanks.
[22:49] <zyga> jmm
[22:49] <zyga> maybe I'm confusing building an image with devmode snaps and building with a unsigned kernel
[22:49]  * zyga doen't know
[22:50] <kyrofa> barry, help?
[22:51] <wililupy> kyrofa: when I build custom images, I use custom kernels and it works. I never tried snap install kernel.snap but they did and told me what happened.
[22:51] <kyrofa> wililupy, ah, so ubuntu image _does_ support this?
[22:52] <kyrofa> wililupy, was the install attempted on classic ubuntu, or in ubuntu core?
[22:52] <wililupy> kyrofa, yes. in the assertion I use my custom kernel's name value and then use --extra-snaps and the kernel.snap and it builds and runs no problems.
[22:53] <wililupy> kyrofa: ubuntu-core.
[22:53] <kyrofa> wililupy, okay good, glad to know that works. barry unping
[22:53] <kyrofa> wililupy, I kinda feel like you should be able to install --dangerous on core though... otherwise testing a custom kernel is rough, no?
[22:54] <kyrofa> I wonder about the reason behind that
[22:54] <wililupy> kyrofa, thats what I thought as well, but they came back saying it didn't work.
[22:54] <kyrofa> zyga, can you think of why that wouldn't work?
[23:03] <zyga> sorry, I'm semi off now
[23:03] <zyga> kyrofa: you probably cannot install a kernel now, not sure
[23:04] <zyga> you may need to build an image with it
[23:04] <zyga> but I'm just throwing ideas at 4 minutes past midnigth
[23:04]  * zyga postpones filing the bug till tomorrow
[23:12] <zyga> jjohansen, jdstrand: https://bugs.launchpad.net/apparmor/+bug/1656121
[23:12] <mup> Bug #1656121: unexpected errno=13 and disconnected path when trying to open /proc/1/ns/mnt from a unshared mount namespace <AppArmor:New> <https://launchpad.net/bugs/1656121>
[23:12] <zyga> please tell me if I should provide more data
[23:13] <jjohansen> zyga: thanks, I'm just kicking off a kernel build
[23:18] <mup> PR snapcraft#1046 opened: godeps plugin: work when GOBIN is set <Created by sergiusens> <https://github.com/snapcore/snapcraft/pull/1046>