[02:28] <nacc> stokachu: np
[04:18] <mup> Bug # changed: 1627893, 1632124, 1632306, 1642257
[07:18] <mup> PR snapd#2740 closed: releasing snapd version 2.22 <Created by mvo5> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/2740>
[07:29] <mup> PR snapd#2738 closed: spread: remove state tar on project restore <Created by fgimenez> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/2738>
[07:35] <mup> PR snapd#2691 closed: tests: allow to install snapd debs from a ppa instead of building them <Created by fgimenez> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/2691>
[08:17] <mup> PR snapd#2693 closed: cmd: rename mountinfo to sc_mountinfo <Created by zyga> <Merged by zyga> <https://github.com/snapcore/snapd/pull/2693>
[08:39] <mup> PR snapd#2742 opened: tests: fix typo in systems name <Created by fgimenez> <https://github.com/snapcore/snapd/pull/2742>
[09:59] <mup> PR snapd#2676 closed: cmd: collect string utilities in one module, add missing tests <Created by zyga> <Merged by zyga> <https://github.com/snapcore/snapd/pull/2676>
[10:11] <zyga> good morning
[10:11] <zyga> sorry for joinling late, forgot I turned my server off
[10:12] <popey> http://askubuntu.com/questions/877850/error-cannot-deliver-device-serial-request-unexpected-status-400 <- any snappy people can help this person out?
[10:13] <zyga> popey: hey
[10:13] <zyga> popey: most of the time when this happens is when people build their own model
[10:13] <zyga> popey: or use a board outside of the supported set
[10:20] <mup> PR snapd#2742 closed: tests: fix typo in systems name <Created by fgimenez> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/2742>
[10:25] <mup> PR snapd#2713 closed: cmd: fix issues uncovered by valgrind <Created by zyga> <Merged by zyga> <https://github.com/snapcore/snapd/pull/2713>
[10:26] <mup> PR snapd#2416 closed: cmd/snap-confine: add snap-confine command line parser module <Created by zyga> <Merged by zyga> <https://github.com/snapcore/snapd/pull/2416>
[10:26] <mup> PR snapd#2739 closed: tests: remove (some) garbage files found by restore cleanup analysis <Created by zyga> <Merged by zyga> <https://github.com/snapcore/snapd/pull/2739>
[11:00] <mup> PR snapd#2698 closed: asserts,interfaces/policy: add support for $SLOT()/$PLUG()/$MISSING in *-attributes constraints <Created by pedronis> <Merged by pedronis> <https://github.com/snapcore/snapd/pull/2698>
[11:02] <mup> PR snapd#2743 opened: debian: move the snap-confine packaging into snapd <Created by mvo5> <https://github.com/snapcore/snapd/pull/2743>
[12:15] <mup> Bug #1648777 changed: writing a (3GB sized) x86 image to a 3GB SD card makes the filesystem resizing being skipped <Snappy:Invalid> <initramfs-tools-ubuntu-core (Ubuntu):Invalid by ogra> <https://launchpad.net/bugs/1648777>
[12:44] <mup> PR snapd#2658 closed: cmd: add mount / unmount helpers <Created by zyga> <Closed by zyga> <https://github.com/snapcore/snapd/pull/2658>
[13:01] <kalikiana> Hrm
[13:01] <kalikiana> Cannot find the definition for part 'desktop-ubuntu-app-platform'.
[13:01] <kalikiana> It may be a remote part, run snapcraft update to refresh the remote parts cache.
[13:02] <kalikiana> ^^ This seems to be a regression? Cloud parts used to be pulled in automatically
[13:02] <kalikiana> I was quite confused and it took me a bit to realize the part name wasn't wrong
[13:04] <didrocks> ogra_: hey! what do you think about adding a configure/install hook on the classic snap running apt update to initialize the apt database for the user?
[13:05] <ogra_> didrocks, not much since that forces you to be online
[13:06] <ogra_> didrocks, well, we could add it with an online check i guess ... but the whole thing is designed so that you can also use it witouth being online at all
[13:10] <didrocks> ogra_: well, when you install the snap, you are online already, correct? :)
[13:10] <ogra_> true indeed
[13:11] <didrocks> and it we can try to make it ran only at that time?
[13:11] <didrocks> I'm happy to have a shot at it
[13:11] <didrocks> (not today)
[13:11] <didrocks> but just wanted to know if you were +1 first on it
[13:11] <ogra_> sure, the script that gets executed is actually shipped in the core snap
[13:11] <ogra_> and is only executed the first time you run "sudo classic"
[13:11] <icey> seems like a snap installed app can't read from the keyboard?
[13:12] <didrocks> ah, I was more thinking as a hook in the classic snap itself
[13:12] <icey> also, can't click on a link in the snapped app and open it in the system browser
[13:12] <ogra_> "read from the keyboard" ?
[13:12] <ogra_> do you have a camera attached ? :P
[13:12] <ogra_> didrocks, nah, it should just become part of the setup script ... the classic snap only calls this
[13:13] <didrocks> ogra_: ok, do you have the repo reference handy? If not, no worry, I'll have a shot later anyway
[13:13] <ogra_> no repo ... it is part of the livecd-rootfs package in the image PPA
[13:13] <icey> ogra_: copying text into a snapped app is weird
[13:14] <didrocks> ogra_: ok, which ppa? (if you prefer to do it yourself, feel free ;))
[13:14] <ogra_> didrocks, http://paste.ubuntu.com/23893526/
[13:15] <ogra_> didrocks, from https://launchpad.net/~snappy-dev/+archive/ubuntu/image/+packages?field.name_filter=&field.status_filter=published&field.series_filter=xenial
[13:15] <didrocks> ogra_: excellent! Thanks a lot :)
[13:15] <ogra_> (note that the pasted one is outdated, use the actual one from the PPA)
[13:17] <didrocks> yeah, I'll be able to find it, I'm sure :)
[13:35] <jdstrand> davidcalle: ping re security whitepaper (I asked a question probably after your eod on friday)
[14:11] <zyga> jdstrand: hey
[14:11] <jdstrand> zyga: hey :)
[14:12] <zyga> jdstrand: I'm working on the kernel bug and also on the string changes you suggested
[14:12] <zyga> jdstrand: I think the outcome will be much safer, thanks for that!
[14:13] <jdstrand> zyga: gret! :)
[14:13] <jdstrand> great even!
[14:19] <davidcalle> jdstrand: I'm on it today, pdf is live already
[14:26] <jdstrand> davidcalle: hi! :) ok, so is https://developer.ubuntu.com/en/snappy/guides/security-whitepaper/ the correct url for the whitepaper? it is out of date, but the pdf it links to is up to date
[14:28] <davidcalle> jdstrand: indeed, I've uploaded the new pdf, updating the page as we speak (will be live in a short moment)
[14:28] <jdstrand> davidcalle: ah, I see. ok, thanks! :)
[14:46] <om26er> what should I do if I want some feedback from the user once a snap is installed ? I am working on a selenium based twitter bot that is going to run on xvfb. For twitter login I need to request username/password from the user to login.
[14:46] <om26er> is there probably a way to run a script once a snap is installed ?
[14:53] <mup> PR snapd#2558 closed: snapstate: move refresh from a systemd timer to the inernal snapstate Ensure() <Created by mvo5> <Closed by mvo5> <https://github.com/snapcore/snapd/pull/2558>
[14:59] <kirkland> sergiusens: is that perhaps why my snap isn't showing up in the store?  because it's classicly confined?
[15:01] <mup> PR snapd#2744 opened: move configstate.Transaction stuff into configstate.transaction <Created by mvo5> <https://github.com/snapcore/snapd/pull/2744>
[15:04] <stokachu> kirkland, snap find conjure-up works though it returns a bunch of results
[15:04] <kirkland> stokachu: can you "snap find hollywood"?
[15:05] <stokachu> snap find hollywood
[15:05] <stokachu> The search "hollywood" returned 0 snaps
[15:05] <stokachu> kirkland, is our snap published/public in the webui?
[15:05] <stokachu> your*
[15:06] <kirkland> stokachu: yes, it looks like it
[15:11] <stokachu> kirkland, not sure if this helps but here is what mine looks like from the webui: http://imgur.com/a/pEiEp
[15:12] <stokachu> kirkland, oh do you have a stable snap published?
[15:12] <stokachu> i have at least one stable
[15:13] <kirkland> stokachu: ah, maybe that's it?
[15:14] <kirkland> stokachu: so, I need to change "grade: devel" to "grade: stable" in snapcraft.yaml?
[15:14] <kirkland> stokachu: rebuild, reupload?
[15:15] <stokachu> kirkland, try just releasing it to stable channel from the webui
[15:27] <stokachu> jdstrand, is kirkland's hollywood snap not showing up in the snap search results b/c it hasn't been approved?
 00:40:01> kirkland: done. approved but you'll need to release it
[15:28] <kirkland> I got that on Friday
[15:28] <kirkland> and then I did release it
[15:38] <stokachu> kirkland, ah ok
[15:38] <jdstrand> stokachu: it is in beta and edge. 'stable' is the only channel 'snap find' will give results for
[15:39] <jdstrand> kirkland: fyi, I see 1.12 is uploaded but not released anywhere
[15:39] <kirkland> 1 kirkland@x250:/tmp/sandbox.hwgfBlQv/hollywood/snap⟫ snapcraft release hollywood 1 stable
[15:39] <kirkland> Revision 1 (classic) cannot target a stable channel (stable, grade: devel)
[15:39] <kirkland> aha!
[15:39] <kirkland> now that worked
[15:39] <kirkland> (bumped the rev)
[15:40] <stokachu> kirkland, \o/
[15:40] <jdstrand> kirkland: you seem to have specified 'grade: devel' which means it will never go to stable
[15:40] <jdstrand> kirkland: ah, you fixed that in 1.12
[15:41] <jdstrand> and snap find now finds it
[15:42] <stokachu> kirkland, haha nice snap
[15:50] <qengho> What does hollywood do, kirkland?
[15:50] <kirkland> qengho: https://www.youtube.com/watch?v=rVMn3xk5mcY
[15:50] <qengho> Ah! I remember this.
[15:55] <qengho> This reminds me of a tool I remember from my early unix days, when I was just an egg. Our auditory processing is as good or better than visual attention. An app would convert network traffic into sound. You'd start it and maybe hear that something seems a little off today.
[15:55] <cos-> what's the trick to create a desktop launcher with snap? i have desktop: entry in app: but no icon appears in menu
[15:56] <cos-> a working example would be nice
[16:04] <zyga> cos-: it's tricky, ask sergiusens
[16:04] <cos-> also having a desktop in setup/gui doesn't seem to work, as examplified here https://github.com/ubuntu-core/snapcraft-examples/blob/master/03-hello-world-desktop-devmode/setup/gui/hello-world-desktop.desktop
[16:04] <ogra_> cjwatson, hey ... we need some expert opinion ... in the core images we used to use a profile.d snippet to extend the PATH with /snap/bin (we do that in classic still), for remote ssh commands without login shell that didnt work, so we moved the /snap/bin to the global PATH in /etc/environment ... now it turned out that some tests actually use su ...
[16:05] <mup> PR snapd#2745 opened: cmd: add sc_must_stpcpy <Created by zyga> <https://github.com/snapcore/snapd/pull/2745>
[16:05] <zyga> jdstrand: hey, could you please have a look at this pull request: ^^ this is the safe stpcpy we've discussed.
[16:06] <ogra_> cjwatson, i remember you being opposed to change ENV_SUPATH (and i'm slightly reluctant to touch login.defs at all) ... should we or should we not change it there ?
[16:06] <zyga> jdstrand: my only comment was to perhaps use memmove just to be super paranoid safe
[16:06] <ogra_> cjwatson, or rather ... what would be the drawbacks
[16:06] <cjwatson> ogra_: just /etc/environment is supposed to work for su as well; this is basically https://wiki.ubuntu.com/OneTruePath
[16:07] <kirkland> stokachu: okay, we're there now :-)
[16:07] <ogra_> ah, i didnt find the wikipage
[16:07] <cos-> and for qt5 app should i have after: desktop/qt5, desktop-qt5 or qt5conf? all are used in different examples
[16:07] <cjwatson> ogra_: I don't think you should change it there, but rather you should chase down why su's use of pam_env apparently isn't working?
[16:07] <stokachu> kirkland, cool man
[16:07] <ogra_> cjwatson, well, it seems it doesnt
[16:07] <kirkland> stokachu: thanks for your help
[16:07] <cjwatson> ogra_: I'm not arguing with that, but from the config file on my system it seems that it should
[16:07] <stokachu> np anytime
[16:07] <cjwatson> ogra_: so that seems worth tracking down rather than working around and forgetting
[16:07] <ogra_> ok, thanks
[16:18] <mup> PR snapcraft#1092 opened: meta: properly get the icon extension from splitted name <Created by 3v1n0> <https://github.com/snapcore/snapcraft/pull/1092>
[16:24] <cos-> sergiusens: i'd appreciate any help with creating a .desktop launcher. my current code is here https://github.com/vranki/siilihai-client
[16:26] <ogra_> cjwatson, hmm, are you actually sure su should use pam_env for PATH ? the manpage sounds like some vars wont be read from there http://paste.ubuntu.com/23894355/
[16:26] <cos-> hmm, maybe the used files should be in the git repository and having them in the build directory isn't enough.. i'll try recreating the package with files in git
[16:26] <ogra_> cjwatson, note the "Other" in there
[16:28] <cjwatson> ogra_: see /etc/pam.d/su
[16:29] <cjwatson> I see no reason to assume the manual page is up to date with the intended PAM configuration :-)
[16:29] <ogra_> lol
[16:29] <ogra_> ok
[16:54] <mup> PR snapcraft#1093 opened: python plugin: do the right thing with classic <Created by sergiusens> <https://github.com/snapcore/snapcraft/pull/1093>
[17:17] <stokachu> sergiusens, ^ will that fix classic install on trusty?
[17:18] <elopio> ogra_: you are scheduled for the linaro open hours on feb 23th, 8am pacific time.
[17:18] <ogra_> elopio, ok, i'll add that to my calendar
[17:18] <elopio> Chipaca: zyga: would you like to join them for an episode and talk about ubuntu core 101? it would be feb 16th.
[17:19] <elopio> ogra_: thanks. Robert will send you an email with the details.
[17:19] <ogra_> great
[17:19] <Chipaca> elopio, can i think about it?
[17:19] <zyga> elopio: yes, gladly
[17:19] <elopio> Chipaca: yes, and you can also say no :) This is the thing: http://www.96boards.org/OpenHours/
[17:19] <zyga> elopio: can you please send me an invite? I forget everything otherwise :)
[17:20] <elopio> thanks zyga.
[17:20] <ogra_> elopio, huh, saying no is an option ?!?
[17:20] <ogra_> :P
[17:20] <elopio> ogra_: it was an option for you last week. Not anymore :p
[17:20] <ogra_> haha
[17:21] <elopio> kgunn: are you around now? I'm not sure if you got my ping, maybe email is better.
[17:22] <elopio> jamiebennett: and this is the thing you signed up for: https://www.youtube.com/watch?v=P1_HjzcnJ-s
[17:22] <kgunn> elopio: what's up
[17:22] <elopio> you will be the main panelist on the march 9th.
[17:22] <kgunn> about to go for a run....but at least i got your most recent ping
[17:23] <jamiebennett> elopio: I did ;)
[17:23] <jamiebennett> ogra_: is also going so maybe we can tag team
[17:23] <elopio> kgunn: hello! go and run. I'm sending you an email to see if you want to show the kiosk on linaro openhours and ubuntu testing days.
[17:23] <kgunn> ah, elopio ok.... cc AlbertA ;)
[17:24] <elopio> will do.
[17:25] <elopio> jamiebennett: ogra_: Robert said rsalveti will be in the panel too. I can only imagine the party afterwards :D
[17:25] <ogra_> elopio, lol
[17:25] <ogra_> and i know in which bar it will happen !
[17:27] <zyga> elopio: my pleasure :-)
[17:27] <zyga> elopio: lol :)
[17:27] <rsalveti> o/
[17:28] <ogra_> hah, the lurker !
[17:28] <zyga> rsalveti: hey :)
[17:28] <zyga> rsalveti: how are you doing?
[17:28] <rsalveti> good :-)
[17:29] <rsalveti> who are going to be at connect?
[17:29] <ogra_> o/
[17:29] <zyga> rsalveti: I think only ogra_
[17:30] <rsalveti> how are things at the snappy land :-)
[17:30] <zyga> connect is in US so I cannot go :/
[17:30] <rsalveti> ogra_: oh! that would be awesome
[17:30] <ogra_> rsalveti, it will !!!
[17:30] <ogra_> zyga, huh ? budapest i thought ...
[17:30] <zyga> rsalveti: reliable little by little
[17:30] <zyga> ogra_: oh
[17:30] <zyga> ogra_: the vegas thing confused me
[17:30] <zyga> then I could go
[17:30] <zyga> (if someone would want me there)
[17:30] <ogra_> i guess the US is dead territory for conferences for the next 4 years
[17:31] <rsalveti> hahah, indeed
[17:31] <rsalveti> ogra_: going to drive there?
[17:31] <ogra_> nah
[17:31] <rsalveti> don't remember if you did that last time
[17:32] <ogra_> i did
[17:32] <rsalveti> right, I had some good memories :-)
[17:32] <zyga> ogra_: or 16
[17:32] <ogra_> but i largely gave up on cars ... so it would be rental or train ...
[17:32] <zyga> ogra_: 4 + 4 then after the war with canada and mexico is over ;)
[17:32] <ogra_> its a lovely ride thogh ...
[17:32] <ogra_> zyga, if it is only canada and mexico, yeah
[17:32] <rsalveti> get a new porsche
[17:33] <ogra_> nah, i still need to get rid of the three others :P
[17:33] <zyga> ogra_: then china invades and all connects will be in china ;-)
[17:33] <ogra_> you mean "berlin - china" or "paris -china" ?
[17:33] <ogra_> :)
[17:33] <zyga> ogra_: just bejning east, west, central, etc...
[17:34] <ogra_> lol ...
[17:34] <zyga> ogra_: on the upside, aliexpres will ship locally
[17:34] <ogra_> everywhere
[17:34] <zyga> from the moon :D
[17:35] <ogra_> apart from UK though ... because of brexit
[17:35] <zyga> I still wait fo brexit for electricity, to stop the immigration of electrons from mainland
[17:35] <ogra_> haha
[17:35] <zyga> UK could switch to 100VCD
[18:41] <mup> PR snapd#2712 closed: interfaces/builtin: refine the content interface rules using $SLOT <Created by pedronis> <Merged by pedronis> <https://github.com/snapcore/snapd/pull/2712>
[19:16] <blackboxsw> sergiusens
[19:17] <blackboxsw> sorry my bad. was search the responses in the irc term
[19:17] <blackboxsw> was searching*
[19:19] <blackboxsw> was looking for hints as to why "service snap" namespace in trusty doesn't seem to map to a given snap running snap.  For example, "sudo service snapd status" works on xenial, but not on trusty
[20:10] <mup> PR snapd#2746 opened: interfaces: remove some syscalls already in the default policy plus comment cleanups <Created by jdstrand> <https://github.com/snapcore/snapd/pull/2746>
[20:33] <mup> PR snapd#2747 opened: interfaces/mount-observe: add quotactl with arg filtering (LP: #1626359) <Created by jdstrand> <https://github.com/snapcore/snapd/pull/2747>
[20:38] <mup> PR snapd#2748 opened: seccomp-support.c: add PF_* domains which can be used instead of AF_* <Created by jdstrand> <https://github.com/snapcore/snapd/pull/2748>
[20:46] <zyga> jdstrand: hey, still around?
[20:48] <mwhudson> wtf, i think i've found a glibc bug
[20:49] <zyga> mwhudson: hey
[20:49] <zyga> mwhudson: long time, how are you?
[20:49] <mwhudson> zyga: ok!
[20:49] <mwhudson> zyga: well right now i am in a rabbit hole but otherwise :)
[20:50] <zyga> mwhudson: what are you up to? do you need a garden elf assistant? :)
[20:50] <mwhudson> zyga: i'll have a bug comment in a minute
[20:51] <mwhudson> zyga: i hope you didn't say 'elf' there by accident
[20:51] <zyga> hehehe
[20:51] <zyga> such a versatile word :) works both ways
[20:53] <mwhudson> oh heh i commented by email so i can't show it to you yet
[20:54] <mwhudson> zyga: it will be here in a few minutes: https://bugs.launchpad.net/snapd/+bug/1657504/comments/18
[20:54] <mup> Bug #1657504: asciinema 1.3.0 snap is segfaulting on 14.04 <Snapcraft:In Progress by sergiusens> <snapd:New> <https://launchpad.net/bugs/1657504>
[20:55] <mcphail> I could never get dlopen() to work in a snap I was making
[20:56] <mwhudson> zyga: it's there now
[20:56] <mwhudson> mcphail: a classic or strict snap?
[20:56] <mcphail> mwhudson: strict
[20:57] <mwhudson> mcphail: probably something a bit different from this then, i think
[20:57] <mcphail> mwhudson: aah, OK
[20:57] <zyga> mwhudson: oh, intereting
[20:57] <zyga> mwhudson: looking
[20:58] <zyga> I was working on that part so very keen to get to the bottom ofthat
[20:59] <mwhudson> zyga: the code in glibc is around here https://sourceware.org/git/?p=glibc.git;a=blob;f=elf/dl-load.c;h=a5318f9c8d1d42745a254479cf6bb1cd2acd516f;hb=HEAD#l2035
[20:59] <mwhudson> zyga: DT_RUNPATH is only like 15 years old, of course there are still loads of obscure bugs when you try to use it
[20:59] <zyga> mwhudson: do you know if nss works by loading modules into the process or by doing IPC to something that loads the modules?
[21:00] <mwhudson> zyga: it just calls dlopen
[21:00] <mwhudson> this is one of the reasons static linking with glibc don't work good
[21:01] <mwhudson> zyga: https://sourceware.org/git/?p=glibc.git;a=blob;f=nss/nsswitch.c;h=0a65f6ad0c640ae144cbe9d7c2edf9d67e67a245;hb=HEAD#l358
[21:01] <zyga> mwhudson: that makes sense, I recall a warrning from the linker when one does that to name resolution functions
[21:02] <zyga> mwhudson: so what should we do to have libc load the nss modules from the core snap?
[21:02] <mwhudson> zyga: fix glibc to look at DT_RUNPATH in the executable, i think
[21:02] <mwhudson> zyga: which is of course going to be loads of fun
[21:03] <mwhudson> zyga: you could also try turning off the flags that make ld emit RUNPATH vs RPATH
[21:03] <zyga> mwhudson: and good fun of work
[21:03] <zyga> fun kind of work :)
[21:03] <mwhudson> well at least you don't have to argue with mr drepper any more
[21:03] <zyga> mwhudson: actually I don't know why I suggested to use the newer version of those flags
[21:03] <zyga> mwhudson: for the initial experiment rpath worked just as well
[21:04] <mwhudson> zyga: if you use RPATH, LD_LIBRARY_FLAGS is ignored
[21:04] <zyga> mwhudson: but AFAIK we don't need LD_LIBRARY_FLAGS for classic snaps
[21:04] <zyga> mwhudson: (for those that are linked properly)
[21:04] <mwhudson> oh heh this dude found the same thing as me http://blog.qt.io/blog/2011/10/28/rpath-and-runpath/
[21:05] <mwhudson> (and i'd read that post before too)
[21:05] <zyga> mwhudson: question: would it be possible to invoke the dnyamic linker to ask it to load an executable without rpath/dtrunpath?
[21:05] <zyga> mwhudson: e.g. to load /bin/true from the core snap that is just vanilla /bin/true in an odd location
[21:07] <mwhudson> zyga: i don't understand, sorry
[21:08] <mwhudson> zyga: you don't feel like writing something that adds DT_RUNPATH (and edits the ELF interpreter) to all binaries in the core snap? :)
[21:09] <mwhudson> (i presume in strict snaps the core snap is available at both / and /snap/core/current ?)
[21:09] <zyga> mwhudson: that's the problem actually, it's not
[21:09] <zyga> mwhudson: and we want one core snap, not two (one for classic and one for strict confinement)
[21:09] <zyga> mwhudson: in strict confinement core snap is / and you cannot read /snap/core/*
[21:09] <mwhudson> zyga: ah
[21:09] <mwhudson> zyga: fun times
[21:09] <zyga> mwhudson: in classic confinememt core snap is /snap/core/* and you can read anything
[21:10] <zyga> mwhudson: goal: make it possible to run stuff from the core snap in both cases
[21:10] <zyga> mwhudson: I was thinking about having snap-exec run the dynamic linker (even patched one since it's the one from the core snap)
[21:10] <mwhudson> zyga: don't see how that's possible
[21:10] <zyga> mwhudson: and load the application with some fancy defaults
[21:10] <mwhudson> oh
[21:10] <mwhudson> something like that might work
[21:10] <zyga> mwhudson: but that breaks down when we exec something from the core snap (e.g. we run bin/sh but then we run bin/ls)
[21:11] <zyga> mwhudson: because then the system (wrong) linker gets used
[21:11] <mwhudson> yeah
[21:11] <zyga> mwhudson: I don't know of a way to force "gimme that linker" somehow
[21:11] <zyga> mwhudson: unless
[21:11] <zyga> mwhudson: we do some hackery around exec in the libc that ships in the core snap
[21:11] <zyga> mwhudson: then it might just work allright
[21:11] <zyga> mwhudson: it'd be a simple case of path comparison, if starts with /snap -> use fancy linker mode
[21:12] <zyga> mwhudson: crazy? certainly! possible? maybe
[21:12] <mwhudson> can you bind mount something over /lib/ld-linux.so.2?
[21:12] <mwhudson> uh not that one
[21:12] <zyga> mwhudson: no, because in confinement: classic mode we don't have a mount namespace so everything in the system would sere that
[21:12] <zyga> mwhudson: we can but that's hurt us
[21:12] <mwhudson> yeah
[21:12] <zyga> mwhudson: and distros would be looking at us carefully if we bind mount over /lib for eveyone to see just to run
[21:13] <zyga> mwhudson: I think we need some linker work to make this play ball
[21:13] <mup> PR snapd#2749 opened: interfaces/default: allow mknod for regular files, pipes and sockets <Created by jdstrand> <https://github.com/snapcore/snapd/pull/2749>
[21:13] <mwhudson> i think so too
[21:13] <zyga> mwhudson: at the very least to fix nss issue
[21:14] <mwhudson> well also this running /snap/core/bin/ls uses the host elf interp thing
[21:14] <zyga> mwhudson: hmmm
[21:14] <mwhudson> no?
[21:14] <zyga> mwhudson: yes
[21:14] <zyga> mwhudson: that's true
[21:14] <mwhudson> this is all very confusing
[21:14] <zyga> mwhudson: unless we never allow that to happen
[21:14] <zyga> mwhudson: remember that we control all entry points
[21:14] <mwhudson> zyga: you mean, just don't let classic snaps exec things from the core snap?
[21:14] <zyga> mwhudson: snap-run -> snap-exec: we can run a patched dynamic linker at that stage
[21:15] <zyga> mwhudson: exec: we can use a patched glibc that uses an alternate linker if the target is in the core snap
[21:15] <zyga> mwhudson: I think we should not restrict what classic confinement snaps can run
[21:15] <zyga> mwhudson: it would limit their usefunless heavily IMHO
[21:15] <mwhudson> yeah it's a pretty blunt instrument
[21:16] <jdstrand> zyga: hey, yes
[21:16] <zyga> mwhudson: do you see any alternative ideas?
[21:16] <zyga> jdstrand: hey :)
[21:16] <zyga> jdstrand: I just commented on your PR :)
[21:16] <mwhudson> zyga: seccomp-bpf? :)
[21:17] <mwhudson> zyga: anyway, i think the nss issue is easier than the interpreter issue
[21:17] <zyga> mwhudson: hmmm, curious
[21:17] <mwhudson> zyga: "just" patch libc (well libdl) in the core snap to respect RUNPATH in the executable, like the docs say
[21:17] <zyga> mwhudson: how would that work? we'd attach a seccomp profile that patches exec?
[21:17] <mwhudson> zyga: yeah
[21:18] <mwhudson> zyga: i have no idea if that's easily possible
[21:18] <mwhudson> er -easily
[21:18] <mwhudson> zyga: i worry about statically linked go binaries :)
[21:18] <zyga> mwhudson: but taht profile carries across exec right? would it not clash if someone wanted to run something that already uses seccomp for other things?
[21:18] <zyga> mwhudson: oh, interesting
[21:18] <zyga> mwhudson: don't those use their own name resolver stack?
[21:19] <mwhudson> zyga: for the elf interpreter stuff i mean
[21:19] <zyga> jdstrand: if you could give me some feedback on the sc_must_stpcpy branch I would really appreciate it
[21:19] <zyga> mwhudson: mmmm
[21:19] <zyga> mwhudson: wait, what's the problem there? there are no libaries to cause issues
[21:19] <zyga> mwhudson: and and golang's dlopen just needs to be fixed somehow (if broken)
[21:20] <zyga> I must be missing something
[21:20] <zyga> jdstrand: is that branch changing our dependency on base seccomp version in any way? (both in kernel and in the userspace)
[21:20] <mwhudson> zyga: it's possible i am
[21:21] <mwhudson> zyga: this is all very confusing, and you've spent longer thinking about it than i
[21:21] <zyga> mwhudson: (offtopic, I find it funny that I just opened IRC by accident and joked about "garden elf" and here we are talking about this issue that's currently also close to my heart as I was working with sergiusens earlier trying to figure out what's going on)
[21:22] <zyga> mwhudson: (any) statically compiled binary will work OK (or not) but is beyond our control, if it includes a dynamic linker inside we also have no way to influence it
[21:23] <zyga> mwhudson: I was thinking about extending the auxilliary vector to set a bit that indicates a given process uses classic confinement
[21:23] <zyga> mwhudson: and that would change how linker behaves
[21:24] <blackboxsw> hi folks, question out of left field. I'm on trusty, how do I check the status of the snapd process and my snaps. I was accustomed to using systemd w/ "service snapd status" and "service snap.<snap_name> status" on xenial.
[21:24] <mwhudson> zyga: and what behaviour would it change ?
[21:24] <zyga> mwhudson: I think we could use it to change default search path
[21:25] <zyga> mwhudson: my goal would be to leverage that to have pre-compiled software (e.g. debs) work as classic confinement snaps
[21:25] <blackboxsw> I see snapd package on trusty pulls in systemd as a dependency, I'm just not sure how that shakes out as far as checking ths snap processes via tools like services, initctl  etc. I *could* check ps easily enough, but I wondered what expected behavior is.
[21:25] <mwhudson> zyga: oh, so you wouldn't need to set DT_RUNPATH in the binaries in a classic snap?
[21:25] <zyga> blackboxsw: on 14.04 we have a deputy systemd
[21:25] <mwhudson> zyga: just the elf interpreter ?
[21:25] <zyga> mwhudson: exactly
[21:26] <zyga> mwhudson: because we probably cannot just (not sure) easily rewrite a random executable to have it "gain" runpath and a different dynamic linker path
[21:26] <mwhudson> well not even the elf interpreter, because you jam a custom interperter in via snap-exec
[21:26] <zyga> mwhudson: the dynamic linker path is also problematic but if we do it upstream it could work elsewhere too
[21:26] <zyga> mwhudson: yes, that's true
[21:27] <zyga> blackboxsw: and you should be able to use regular systemd commands to control services
[21:27] <mwhudson> and you'd also have a hook in exec that does if exe_path.startswith("/snap/core"): jam_custom_interp_in()
[21:27] <zyga> blackboxsw: there might be some bits missing; I don't know if journald is wired, for example
[21:28] <zyga> mwhudson: yes
[21:28] <mwhudson> zyga: well sounds crazy, and not inherently impossible
[21:28] <zyga> mwhudson: the idea with the extra bit in auxv is to have clean transitions from snaps to classic world
[21:28] <zyga> mwhudson: but perhaps we can do that with snap-exec each time and this is not required
[21:29] <zyga> mwhudson: (all transitions are out of snap world, snap-exec brings us back)
[21:29] <mwhudson> zyga: not if the classic snap just invokes /snap/core/bin/python3 directly?
[21:30] <zyga> mwhudson: that's true, I forgot about side-stepping the apps system
[21:30] <zyga> mwhudson: then we need patched glibc
[21:30] <zyga> mwhudson: or seccomp-bfp
[21:30] <zyga> mwhudson: I think that we will either 1) spec this and JFDI or 2) reconsider classic confinement
[21:31] <zyga> mwhudson: as right now the edges feel pretty sharp :/
[21:31] <blackboxsw> zyga, thanks for the suggestion. yeah, what I'm seeing from trusty-proposed seems like it's missing a little bit of glue. I'll try digging a bit more, but running "service snapd status"  errors with "unrecognized service" though I see /lib/systemd/system/snapd.service defined
[21:32] <zyga> blackboxsw: I think you want to talk to tvoss, he was working on this feature
[21:32] <mwhudson> zyga: yeah, in some ways the "mixed world" of classic snaps is trickier than isolated snaps
[21:33] <zyga> mwhudson: if we do the magic right it will seem easier
[21:33] <zyga> mwhudson: but I totally agree with what it is today
[21:34] <blackboxsw> good reference zyga thanks will continue the conversation with him.
[21:35] <tvoss> blackboxsw: o/
[21:36] <blackboxsw> tvoss, isn't it 22:35?
[21:36] <sergiusens> mwhudson: zyga well I fixed all env var leaking for classic snaps (even PATH), use a little shebang trick to chose the right interp and added a way to provide your own python in stage for the plugin to use
[21:36] <tvoss> blackboxsw: so for snapd itself and services from snaps, systemctl should do the right thing
[21:36] <tvoss> blackboxsw: yup, it's 22:35
[21:36] <blackboxsw> yowsa.
[21:37] <tvoss> blackboxsw: so systemd is not running as pid 1 on trusty, upstart is still the init system
[21:37] <tvoss> blackboxsw: so using sudo service will end up querying upstart, instead of systemd
[21:37] <blackboxsw> tvoss, ahh got it! thanks, looks like I needed "sudo" on trusty too
[21:37] <blackboxsw> without sudo it gives things like "No such interface" etc.
[21:38] <tvoss> hmmm, I can give that a spin tomorrow my morning, on my tablet right now
[21:38] <tvoss> I'll take a note, thanks for testing it out
[21:39] <blackboxsw> thanks for the response. tvoss. solved my initial hurdle
[21:39] <tvoss> blackboxsw: cool, later then :)
[21:39] <tvoss> o/
[21:39] <blackboxsw> \o
[21:40] <sergiusens> mwhudson: if it helps http://paste.ubuntu.com/23895943/
[22:16] <mup> PR snapd#2750 opened: interfaces/default: don't allow TIOCSTI ioctl <Created by jdstrand> <https://github.com/snapcore/snapd/pull/2750>
[22:34] <mup> PR snapcraft#1091 closed: tests:  add ubuntu user to sudoers on every adt platform  <Created by elopio> <Merged by sergiusens> <https://github.com/snapcore/snapcraft/pull/1091>