[00:50] cwayne: How can I import self signed certificates into Ubuntu Core 16 system? === JanC_ is now known as JanC [01:34] seshu: what exactly is it you're trying to do? [01:35] cwayne: Our EDM server allows user to upload self signed certificates to talk over https. So the user will have to import/export the same certificates to their devices so they can talk over https. [02:16] seshu: hmm, I'm not 100% sure how we could do that, would be worth a mail to the list so some more security-minded people could take a look [02:34] how far away is series (or branch?) support for multiple versions of a snap? [08:09] ogra_: my laptop just died (battery) and when it came back, packageproxy didn't load, I suspect because /var/snap/packageproxy/1/lockfile.lock still exists. Perhaps needs a sanity check when it launches? [08:18] good morning [08:24] PR snapd#2751 opened: 14.04/integrationtests: rely on upstart to restart ssh [08:31] gah [08:31] I hate being awake this early [08:40] Son_Goku: hey [08:41] Son_Goku: good morning :) [08:41] hi [08:41] * zyga goes to dig into the kernel [08:41] * Son_Goku grumbles about zsync and garbage fire build systems [08:41] I hate autotools [08:41] Son_Goku: I share the sentiment [08:43] I'm porting zsync to use meson as an exercise to learn meson and also because DNF upstream wants to libify zsync to use with librepo for doing zsync downloads of metadata [08:44] might as well kill two birds with one stone [08:44] but holy crap the source autotools build system is annoying to figure out [08:59] popey, well, there is a check (that is why it doesnt start) ... the prob is that i'd need access to the process-control interface to actually check if the pid still exists to kill the potentially hanging former process ... when i created that snap there was no such interface ... :) [09:08] ogra_: :) [09:09] i'll try to come up with something though, that behaviour is indeed not acceptable :) [09:09] jdstrand: http://askubuntu.com/questions/873495/how-do-i-use-snappy-debug-to-debug-a-snap/878204#878204 - perhaps snappy-debug description should be updated to remove mention of tools it doesn't contain? :) [09:09] ogra_: thanks === wesleyma` is now known as wesleymason [10:02] hm, my .desktop file appeared in the menu today (=after reboot). perhaps some command must be run after snap installation to update the menu. [10:09] Where can I find documentation regarding paid snaps ? I didn't see a reference to that on snapcraft.io [10:11] popey: ^ do you know ? [10:11] om26er: not landed yet [10:12] popey: hmm, what does `snap buy` do ? [10:13] om26er: nothing yet, as it hasn't all landed yet [10:28] anyone know whether the launchpad builders can build classic snaps yet? [10:52] PR snapd#2732 closed: snapenv: do not append ":" to the SNAP_LIBRARY_PATH [10:53] PR snapd#2596 closed: tests: parameterize kernel snap channel [10:56] PR snapd#2731 closed: store: always log retry summary when SNAPD_DEBUG is set [12:14] guys how to play youtube in snap packaged app?? [12:17] anyone on ?? [12:18] hi popey [12:21] bulld: can you be more specific please? [12:24] zyga, flash support in snap packages [12:25] how my qt app with qwebviw cant play youtube videos [12:38] zyga You were on one of the Hangouts recently and we talked about running snapd on a kernel without AppArmor. [12:39] My memory was that you said something to the effect that it would "work" albeit without confinement. [12:39] Is my memory wrong? [12:39] flexiondotorg, that is how it works on fedora for example [12:40] OK, so I've made a "Ubuntu" image with a 3rd party kernel. [12:40] Which has no AppArmor patches at all. [12:40] bad idea :P [12:40] I know it's a bad idea. [12:40] :-) [12:41] hi [12:41] (re) [12:41] This was the outcome [12:41] http://paste.ubuntu.com/23899188/ [12:41] flexiondotorg: no, that's accurate [12:41] flexiondotorg: but it needs some hand-holding to enable [12:41] flexiondotorg: specifically there's no runtime detection yet, you'd have to do two things: [12:41] OK, can you point me at something. [12:42] flexiondotorg: (both can be done permanently later) [12:42] flexiondotorg: snap-confine needs to be rebuilt without apparmor, simply pass the --disable-apparmor switch and that should do it [12:42] flexiondotorg: then snapd may need to be patched slightly depending on the state of your apparmor userspace [12:42] popey: done (it wasn't in the 15.04 snap. the series 16 and yaml was fine) [12:43] flexiondotorg: if changing snap-confine is not sufficient you need to edit (in snapd tree) release/release.go [12:43] flexiondotorg: and in there look at the function ForceDevMode [12:43] flexiondotorg: and have it return true for "ubuntu" [12:43] zyga OK, thanks for the info. [12:43] flexiondotorg: it would be good to give your system a different /etc/os-release [12:43] flexiondotorg: so that it doesn't register as ubuntu, that will kick in devmode automatically [12:43] zyga So this is "ubuntu" userspace right now. [12:43] flexiondotorg: (you still need to rebuild snap-confine but there are patches there (see debian/rules) to do that [12:44] But the end game here is the vendors own distribution. [12:44] flexiondotorg: a proper fix would be to fix snap-confine and snapd to do runtime detection [12:44] then tweaking os-release should happen anyway [12:44] We spoke to them yesterday, they have agreed to work together to add snapd support to their distro. [12:44] flexiondotorg: btw, if you change the kernel and it's that wildely different you should not call it ubuntu anymore [12:44] that too ... [12:44] flexiondotorg: would you mind waiting a little (~hour) [12:45] flexiondotorg: I have a meeting soon and my family calls me for lunch [12:45] It is a very popular SBC manufacturer with a distro based on Debian, with a similar sounding name. [12:45] flexiondotorg: (still not ubuntu) [12:45] I know :-) [12:46] jamespage: jdstrand nice one [12:46] zyga I'll be here later. Enjoy lunch. [12:48] flexiondotorg, in the snappy core team we dont have lunch ... we have meetings instead :P [12:49] Ah yes, meetings. The practical alternative to work ;-) [12:49] and to lunch :) [12:50] flexiondotorg: I don't think you could call a system Ubuntu if it doesn't have the Ubuntu kernel (ie, apparmor, etc) [12:50] but zyga lives in spain anyway ... lunch time isnt before 4pm there :) [12:50] jdstrand, tell that to OpenVZ :) [12:50] (they offer ubuntu on 2.6 kernels :) ) [12:50] jdstrand It is not Ubuntu. [12:51] we recently had some support fun here with that [12:51] ogra_: that can't possibly meet the trademark standards [12:51] It was the quickest way for me test test their kernel with our userspace and snapd. [12:51] FSVO "fun" [12:51] but, I'll let others decide on that [12:51] jdstrand, https://openvz.org/Download/template/precreated [12:52] ogra_: I don't doubt they have things called 'ubuntu', I doubt that they should be able to do that. IANAL [12:52] yeah [12:53] i fully agree, especially after wasting 2h to support someone trying to run snappy on such an image [12:53] but to me, a system isn't Ubuntu unless it has apparmor and our kernel configs. that is especially true for snappy. again, IANAL [12:53] yeah [12:53] i couldnt really belive the uname output when i first saw it [12:54] I wrote 'check-requirements' for ufw all those years ago because of people saying ufw didn't work on some hosted machine. "yep, it doesn't, you don't have connection tracking in your kernel" [12:54] * jdstrand shakes head [13:07] jdstrand: hey :) [13:07] jdstrand: looking at the kernel and the apparmor bug, trying to reproduce it with a smaller test case, interestingly it doesn't fail there [13:07] jdstrand: I'm trying to grow the test case to the point where the same behavior we have in snap-confine happens and the failure re-surfaces [13:08] that is annoying [13:08] jdstrand: I wasted some time because /home is nosuid for me but now progressing === hikiko is now known as hikiko|ln [13:44] PR snapcraft#1094 opened: core: switch to using rpath for clasic confinement [13:47] zyga, how application get access to flash player when snapped ?? [13:47] my qt app cant play videos from youtube [13:48] project is based on qt 5.5.1 [13:48] did you include flash in your snap ? [13:48] i guess you'd need the player inside [13:48] ogra_, it wont work [13:48] ogra_, flash player installer as stage package wont install flash layer [13:48] ogra_, flash player installer as stage package wont install flash player [13:49] no, indeed [13:49] and i didnt say flashplayer-installer :) [13:49] ogra_, how to install f.p then ? [13:50] does snapcraft require the CLA for people to contribute? [13:50] teh same way you would do it without flashplayer-installer on a desktop ... put the binaries in the right place etc [13:50] ogra_, also my qt 5 app cursor dont look as it looks in the normal deb install [13:50] PR snapcraft#1080 closed: python plugin: avoid the use of PYTHON* env vars [13:50] PR snapcraft#1090 closed: core: classic with no exported variables [13:50] stokachu: yes [13:50] sergiusens, hi [13:50] sergiusens, thanks [13:51] PR snapd#2749 closed: interfaces/default: allow mknod for regular files, pipes and sockets [13:51] jamespage: they cannot yet [13:51] ogra_, i placed the libflashplayer.so in the right place and it still dont work [13:51] bulld: hey [13:51] hi [13:51] bulld: if you bundle the flash player in your snap it should jsut work [13:51] sergiusens, my qt 5 app mouse cursor looks odd [13:51] bulld, well, you'Äd have to ship the right cursor theme in your snap (not sure there is an interface planned for that in the future, but for today you'd have to ship it) [13:52] * zyga goes to debug kernel issues, please ping/mention me explicitly if you need my attention [13:52] ogra_, sergiusens http://paste.ubuntu.com/23899428/ here is my snapcraft file [13:52] jamespage: for one reason or another, it is good as these need to happen https://github.com/snapcore/snapcraft/pull/1093 https://github.com/snapcore/snapcraft/pull/1094 [13:52] PR snapcraft#1093: python plugin: do the right thing with classic [13:52] PR snapcraft#1094: core: switch to using rpath for clasic confinement [13:52] bulld: I cannot help you with that, no idea about GUIs [13:53] ogra_, i also tried [desktop-qt5] to build [13:53] sergiusens, thanks [13:53] that should at least give you a themed cursor [13:53] * mvo hugs popey for his emoj snap [13:53] sergiusens, am having issues with youtube video playback my project is using qt5.5.1 and qwebview [13:54] ogra_, same happedned with my previous application [13:54] note that i have no clue how to make flash work, but i'd start with placing libflashplayer.so inside the snap in a place where the app can find it and then stracing the whole thing to see what it tries to do and how it actually fails [13:54] ogra_, did you checked my craft file ?? [13:55] i'm also not sure if qtwebkit would even have support for flash at all [13:55] yes, i see it === mardy_ is now known as mardy [13:55] ogra_, it works fine when i play video in normal deb install [13:55] why are you building qt from source ? [13:55] am not building qt from source [13:56] thats the name of part , my app source code is in /src folder [13:56] oh, right, thats just your app [13:56] yeah [13:56] ogra_, am bulldog you remember me ?? [13:56] yes [13:56] ty [13:56] hehe [13:57] well, for the cursor thing i'd include the qt desktop bit ... and for flash i'd debug it like i said above [13:58] but as i said, i'd be surprised if qtwebkit could even woirk with it [13:59] ogra_, konqueror webbrowser works with flash [13:59] libflashplayer is built for being used with a plugin framework and i doubt qtwebkit provides that [13:59] and qwebview works with flash am sure about it [13:59] well, then you know more than me ... just make it work :P [14:00] QWebSettings::globalSettings()->setAttribute(QWebSettings::PluginsEnabled, true); [14:00] this line enable webview to use external plugins [14:04] ogra_, i will open this url in my snapped application from webview to verify whats wrong https://helpx.adobe.com/flash-player.html [14:06] it is saying Sorry, Flash Player is either not installed or not enabled. [14:10] PR snapd#2748 closed: seccomp-support.c: add PF_* domains which can be used instead of AF_* [14:15] jdstrand: I ased in one of the reviews but I was wondering if there's any specific thing you'd like to do with seccomp [14:16] jdstrand: (any changes to default policy or some kind of new interface) [14:20] zyga: that is very open ended. I saw the question about quotactl and answered it. did you have another question? [14:20] PR snapd#2752 opened: snap: add support user-sessions from snaps [14:21] zyga: all of the PRs (except the PF_* one, which was just an omission in the original implementation) are to meaningfully improve policy [14:21] well and the cleanups one [14:22] ok, so the quotctl, mknod and ioctl ones are all to fix real world issues [14:22] once I fix mknod I' going to work on chown/setuid/friends to 'daemon' [14:23] zyga: I don't know if any of that answers your question, but there you go [14:23] ogra_, how i can trace what my app looking for ?? [14:23] jdstrand: thanks, yes, that answers it [14:23] jdstrand: I was just curious about where this is going [14:23] bulld, put strace into your snap and run the app under strace === hikiko|ln is now known as hikiko [14:24] guys any working example snap with flashplayer and html5 video playback ?? [14:24] ogra_, i have no idea how to do that :( [14:25] "and html5" ? [14:25] it is either/or [14:25] zyga: mostly everywhere where there is a TODO in the policy to fix it with seccomp arg filtering, fix it. then fix bugs, then fix other things I noticed. fix, fix, fix :) [14:25] there is no and ... [14:25] ogra_, html5 video playback [14:25] * ogra_ wouldnt use flash at all for youtube ... [14:25] jdstrand: I was thinking about changing how some of the tests look like, it'd be good to add a few lines of documentation to each one [14:25] ogra_, yes [14:25] i'D just use the ubuntu webbrowser-app isnide my snap [14:25] that works fine with youtube [14:26] jdstrand: I grok them after a while but I have to double check each time if my feeling is right [14:26] ogra_, qwebkit support html5 video playback idk if youtube is trying with html5 why cant my app play videos [14:26] no idea, really... it is your app [14:27] ogra_, it work with debian install man [14:27] and we never used qtwebkit in ubuntu anywhere so i have no clue about it [14:27] :D [14:27] damn [14:27] zyga: can you give an example of a test that was hard to understand? [14:27] jdstrand: I specifically mean each of the seccomp test [14:27] ogra_, you telling me to include ubuntu webbrowser app in my snap ?? [14:28] on the phone we use oxide inside a webapp-container or the webbrowser-app ... if we want tio use Qt based stuff [14:28] zyga: yes, I figured, but like, what is hard to understand about it? (I'd like to clarify meaningfully rather than guessing) [14:28] jdstrand: hard is perhaps an overstatement but making it obvious like "check that $SYSCALL is denied when it is not in the filter" or something like this would help, I think [14:28] https://github.com/fcole90/fcole-hexgl-webapp is an example i think [14:28] omg :9 [14:28] :( [14:28] zyga: as a comment or test output? [14:28] jdstrand: the name encodes the meaning but it's also limietd by length/readability [14:28] jdstrand: as a comment really [14:28] (i actually thougth qtwebkit was dead since years) [14:28] ogra let me check [14:29] ogra_, no [14:29] :D [14:29] ok, I'll add a todo for that. I'll do that after I finish my policy updates [14:29] jdstrand: I was wondering if we could stick most of those tests into spread with preapre/execute and details section (details would be that comment) [14:29] anyway, thats all i know about web apps [14:29] hehe [14:29] you are so nice :) [14:29] lol [14:29] jdstrand: thanks, this is not urgent in any way :) [14:30] zyga: I think we need to always have these build tests to make sure the C code is right. adding spread tests on top is fine of course. I am also working on a snap to test various parts of policy that I figured a spread test could drive [14:31] in fact, it was that exercise where I found bug #1658219 [14:31] Bug #1658219: flock not mediated by 'k' [14:31] ogra_, my app http://imgur.com/a/o2GPq [14:31] jdstrand: yes, ideally we could run those via spread (like unit tests) [14:32] jdstrand: I wish there was a "more declarative" way of defining them [14:32] ogra_, how is it ?? [14:33] jdstrand: nice [14:36] jdstrand: btw, it would be helpful if you or anyone you know could answer a question with authority: is it possible to reliably determine that something is a bind mount by looking at /proc/self/mountinfo [14:36] sergiusens: is there any way to inject version numbers into a snapcraft.yaml at build time? [14:36] jdstrand: not urgent but something that will block update-ns when we return there [14:36] zyga: I would have to investigate. perhaps tyhicks or jjohansen would know [14:36] jdstrand: I can post this to a mailing list (not sure where) so that others can reply [14:41] zyga: stgraber might be someone else otoh [14:51] mhall119, hi === bulld is now known as bulldog [14:52] mhall119, my new app http://imgur.com/a/o2GPq [14:53] mhall119, is not talking with me on telegram either :( [14:58] any suggestions in trying to debug what's happening with my config hooks? I'm trying to use the dump plugin to put files on the filesystem for a classic snap [15:00] balloons: I did just echo to $SNAP stdout from a shell script personally [15:01] (and look in /var/log/syslog for denials) [15:01] $SNAP_DATA [15:01] bulldog: in a call atm [15:01] hmm, I was thinking a script might be easier to see what's happening. I need to kick a service anyway [15:06] bulldog: what was your question? [15:06] balloons: if you have a non-daemon app defined in your snap, you can "snap run --shell " to get a shell promot in the snap environment [15:07] mhall119, interesting [15:08] balloons: that's true for shell apps as well [15:08] er [15:08] daemon apps [15:08] jdstrand: I don't know if you saw my earlier ping about that but I'd love if you could review https://github.com/snapcore/snapd/pull/2745 [15:08] so what I'm trying to do actually is get bash completion to work, along with installing a sysctl file [15:08] PR snapd#2745: cmd: add sc_must_stpcpy [15:08] jdstrand: I plan to use that for all "strcat" like code [15:09] yes. I'll look at it after I fix the mknod branch [15:09] jdstrand: thanks! [15:09] zyga: oh? Is that a recent change? When I tried to do that with a daemon in the past it didn't work [15:09] mhall119: it doesn't care if it's a daemon or not, --shell just causes us to run /bin/bash [15:09] mhall119: you get the same confinement as whetever would run otherwise [15:10] PR snapd#2753 opened: tests: install ubuntu-core from the same channel as core [15:10] mhall119: if you saw otherwise I'd love to know more [15:11] zyga: well I can't reproduce that error now, so I guess it was user-error all along :) [15:19] mhall119, you there ? [15:20] mhall119, my app uses qwebview to play youtube videos , on normal debian install it plays well and when i snap it the youtube player saus videos cant be played n this device [15:20] pstolowski: hi! got a minute? [15:20] mardy, hello! sure, what's up? [15:21] pstolowski: I'm trying snapd from master, + your interface hook branch (step 3) [15:21] brave man ;) [15:21] pstolowski: if I run snapd with SNAP_DEBUG=1, should I see the lines "Run hook %s of snap %q" in the output? [15:22] pstolowski: or, to make the question more meaningful, how can I check whether my hook is being run? [15:24] mardy, I think (but haven't actually used debug mode) you would see 'Running task ...'. but isn't it SNAPD_DEBUG (not SNAP_DEBUG)? [15:24] yeah, it's SNAPD_DEBUG [15:25] pstolowski: indeed, sorry, I launched the proper command, just misspelt it here on IRC [15:26] mardy: look at syslog/journal [15:26] mardy: how are you running snapd? [15:26] bulldog: have you tried adding the browser-support plug? [15:26] the qwebview might need that [15:26] zyga: sudo SNAPD_DEBUG=1 ./snapd [15:26] mhall119, yes [15:26] sergiusens, ack - thanks for confirming - have a few classic snaps landing into /openstack today - but holding off on the auto-build to edge bit for now then! [15:26] mardy: (funny that it works like that now, we used to require socket activation) [15:27] zyga, pstolowski: I see quite a few lines there, including "Run configure hook of "amazon-webapp" snap if present" but nothing about interface hooks [15:27] mhall119, my craft file http://paste.ubuntu.com/23899846/ [15:27] pstolowski: are the hooks run for interfaces which do autoconnect? [15:27] mardy, they will only run when you connect (sorry if that's obvious) [15:28] bulldog: I'm not sure then, I imagine it has something to do with the html5 video playback, have you checked dmesg for DENIAL? [15:28] mardy, no, not yet [15:28] pstolowski: ah, that explains it [15:28] mhall119, how to do that ? [15:28] mardy, also, this branch doesn't actually use the attributes you set in hooks. this will come in the next branch [15:29] pstolowski: you mean the "step 3" branch, or another one? [15:29] ok let me check [15:30] mardy, the upcoming 'step 4' should (hopefully) make it possible to apply the attributes to the interface [15:30] bulldog: dmesg |grep DENIAL [15:31] bulldog: are you running in --devmode or in strict confinement? [15:31] mhall119, strict [15:31] ok,then if it's confinement causing your errors,it should show up in dmesg [15:32] mhall119, i installed with --devmode flag too but it still says this device cant play videos [15:32] mardy, although with step 3 branch it's already possible to exchange data between slot and plug side, as you can see in the attached spread tests [15:32] hmm, might be a configuration thing then, not sure [15:32] or a missing dependency [15:32] pstolowski: ok, thanks [15:33] bulldog: does it need flash to work? [15:33] pstolowski: and about running hooks for interface which are autoconnected, is that planned? [15:33] mhall119, this is very sad that my some of apps are still not running fine with snap [15:35] mardy, yes, afaict this needs to be supported (I don't see a reason why we wouldn't support this). it'll just come separately as for some reason autoconnect currently bypasses this execution path completely and needs to be treated separately [15:35] mhall119, he is using his own custom webapp built around qt-webkit and trying to use adobe-flash ... (instead of just using an oxide webapp container ... i already pointed to the hexgl snap but ...) [15:35] what support browser-support gives :D [15:35] mardy, (separately as in a separate PR) [15:36] ogra_, mhall119 , its not a webapp [15:36] ita an app to play back youtube videos, no ? [15:36] *it's [15:36] ogra_, my app is a qt gui qpp , with more then 5k lines of code [15:36] ok [15:36] pstolowski: ok, thanks a lot, I'll keep an eye on your branches :-) [15:36] well, you wrote it,. you should know how to debug it too then [15:37] yes it does , the question is if my app can play video in normal install why it cant do that in snap [15:37] mardy, sorry it's taking so long... but we're making progress [15:37] first of all strace it to see how/where it looks for libfalshplayer ... if it finds it ... if it execs it etc etc ... the standard stuff you do for debugging [15:37] qt is not changing its api for snap right after compilation right ? [15:37] ogra_, i think it is not looking for flash player [15:38] well, find out why ... and fix that [15:38] i renamed the libflashplayer.so in my system and it plays videos [15:38] ogra_, yes i will :( [15:39] i renamed the libflashplayer.so in my system and it plays videos that mean app not looking for flash layer [15:39] so it likely simply uses html5 and you dont need the flash player at all ... [15:39] yes [15:39] (like i said in the beginning of our conversation) [15:39] hmm [15:39] zyga: no, I don't know of a reliable bind mount check from userspace :/ [15:40] tyhicks: I see, thanks [15:40] tyhicks: is there any place better than mountinfo to see the mount table? [15:40] so i added - libavcodec-ffmpeg56 - ffmpeg in stage-packages but still no luck [15:40] tyhicks: I'm reading kernel documentation but I'm not that far yet [15:40] anyway, look at the hexgl snap that i pointed to, try to add the same interfaces and connect them ... also try to build your app unconfined and see if it works tghen [15:40] zyga: nope, that's the best [15:40] if it doesn, thats not a confinement issue [15:40] tyhicks: thanks [15:41] not sure why you would add ffmpeg [15:41] ogra_, it even wont play , when i install app with --devmode [15:41] so its an issue with your app ... debug it [15:41] libffmpeg.so is what makes play H264 vids [15:41] and fix the errors you find [15:42] ogra_, i said it is running fine on normal system [15:42] i do not write buggy code :D [15:42] bulldog: I'd suggest doing as ogra_ suggested earlier, use strace to figure out what happens when your app runs outside of a snap (it probably accesses something on your host and uses that to work) [15:43] zyga, ok [15:43] bulldog: then do the same inside a snap [15:43] bulldog: and compare to get an idea of what is missing [15:43] ok :( [15:43] bulldog: remember that snaps run in a chroot of sorts [15:43] bulldog: why the sad face? [15:43] bulldog: so I suspect you just rely on the fact that something on your host is being automatically loaded [15:43] i dont knnow strace and chroot and sorts [15:44] idk [15:44] bulldog: and that thing is not present in the core snap (or your own snap) and it doesn't work [15:44] bulldog: strace works like strace [15:44] bulldog: just strace ./program [15:44] ok [15:44]