[00:19] zyga: Do you have the snapd documentation on snap refresh, first boot behavior. [00:50] PR snapcraft#1054 closed: [WIP] snapcraft as a snap [00:50] PR snapcraft#1069 closed: snapcraft.yaml and building in snap directory === Mister_Q_ is now known as Mister_Q === chihchun_afk is now known as chihchun [01:38] PR snapcraft#1125 opened: tests: fix the env vars passed to the docker container in travis [01:52] wow that much people, neat! [01:52] is it true that if i publish a snap on myapps.developer.ubuntu.com and send an update, people will get my update automagically after 24h? [02:01] also I don't see the documentation for plugs: ... (need to access the webcam) https://snapcraft.io/docs/reference/ [02:02] Bug #1663091 opened: Mir interface does not auto-connnet === markusfluer1 is now known as markusfluer === chihchun is now known as chihchun_afk === chihchun_afk is now known as chihchun [03:33] Bug #1663060 opened: Add a title field to snap metadata [03:36] Bug #1663103 opened: No snapd API to determine which plugs/slots an app uses === chihchun is now known as chihchun_afk === chihchun_afk is now known as chihchun [04:30] PR snapcraft#1117 closed: [wip] build and push the API docs to github pages [04:52] PR snapcraft#1122 closed: repo: cache stage packages for faster future use === chihchun_afk is now known as chihchun [06:05] PR snapd#2818 opened: Allow specifying another store via env variable for the download command === durksauce_ is now known as durksauce === om26er_ is now known as om26er === mpontillo_ is now known as mpontillo === thomi_ is now known as thomi === eshlox_ is now known as eshlox [06:44] Bug #1662817 changed: some snaps stop working after revert the core snap [06:46] ogra_: we have arm64, since the general idea was vivid/armhf/click -> xenial/arm64/snap. of course, armhf would be only a click^Wsnap away in Launchpad. [06:49] hi all here [06:51] i'm found some new ubuntu-core ami on aws, but i cannot connect to instances via ssh [06:51] maybe i need some like `ssh_enabled: True` on instance user data? === Guest is now known as p1gmale0n === Dmitrii-Sh_ is now known as Dmitrii-Sh [07:25] ogra_, so far, packageproxy works well. However, i find that it does not cache the packages for ppa:ci-train-ppa-service/stable-phone-overlay. when I build my app, this repository always re-downloaded. is this normal? thanks === JanC_ is now known as JanC [07:52] PR snapd#2816 closed: interfaces/builtin/core-support: Allow modifying logind configuration from the core snap [08:06] ogra_, ping [08:23] liuxg, edit /snap/packageproxy/current/config.yaml and add an entry to the "repos" list there ... then restart packageproxy or reboot [08:24] ogra_, really, I do not know the trick. thanks. let me try it :) [08:24] i.e. like: [ubuntu-overlay,http://ppa.launchpad.net/ci-train-ppa-service/stable-phone-overlay/ubuntu] [08:25] i must damit i never tried ppas, so no guarantee that it works ... but after all ppas are just archives [08:25] *admit [08:27] liuxg, in your sources.list on the client you then use something like: deb http://localhost:9999/ubuntu-overlay xenial main [08:27] ogra_, so, I need to use two places, right? [08:28] PR snapd#2819 opened: packaging/ubuntu-14.04: inform user how to extend PATH with /snap/bin [08:28] ogra_, one is for the config.xml and the other is sources.list [08:28] well, like you always do ... on the client you use sources.list and on the server the config.yaml [08:29] ogra_, ok. thanks [08:30] ogra_, , one problem here, /snap/packageproxy/current/config.yaml is read only. [08:30] ogra_, we cannot change the file mannually [08:31] oh, right, there is a writable version in SNAP_DATA [08:31] sorry, the above is indeed the wrong location [08:32] ogra_, so, var/snap/packageproxy/current$ , this is the location. but I think it is good to add it to your app by default [08:33] ogra_, so that everyone does not need to manually add it. what do you think? [08:33] well, once i fixed the config hooks you will just use "snap set" [08:33] ogra_, yeah, I know. [08:33] this used to work in 15.04 with snappy config, i just havent ported that part yet [08:55] Mirv, i'd really appreciate that one click ;) i assume we might actually have some users using RPi's for kiosk apps or even with unity8 once it runs smooth [09:01] +1 [09:03] (it actualyl runs very smooth btw (i got it running here) it is just still awfully buggy) [09:04] Meanwhile I'll ask once more: does anyone know about snapcraft on Trusty? The package doesn't seem to be there. I kinda expected snapd and snapcraft to be like a monogamous couple that won't be separated [09:20] kalikiana, well, they are separate projects [09:20] kalikiana, ask sergiuens or kyrofa [09:20] Bug #1663175 opened: chroot not allowed in devmode/strict [09:20] Bug #1663177 opened: "Bad System Call" when using "dbus" snapd interface [09:21] (once they are up) [09:27] kalikiana: I assume that even on trusty, the snaps run against the 16.04.1 ubuntu-core snap, so then they should be built on xenial? [09:27] Yeah, I guess they are, I tend to see it as part of the same meta thing. === chihchun is now known as chihchun_afk [09:28] t1mp: Right, I would expect the sources for 16.04 to be used. [09:29] Note: I'm saying this with my user hat on. [09:30] It makes sense to my mind, but it could be blocking on some bugs. [09:30] didrocks: are the desktop helpers are pulled in from github when building a snap? So then https://github.com/ubuntu/snapcraft-desktop-helpers/commit/82ebfb53afa897f32ac029fd46fe4b7453319037 is effective immediately when I build a snap now? [09:31] Try it. The answer should be evident? === chihchun_afk is now known as chihchun [09:32] right :) [09:32] t1mp: indeed, it's effective immediately. Only if snapcraft.yaml definition changed you need to snapcraft update first [09:32] didrocks: great, thanks. [09:32] (or you will get older snapcraft.yaml content with newer git code) [09:32] yw! [09:33] didrocks: Do you know if that'll be automated at one point? I find it confusing and potentially error-prone to have to 'snapcraft update' "in case something changed" [09:33] kalikiana: I think it's something to discuss with sergio [09:34] kalikiana: he wasn't against it latest time we did discussed about it [09:34] and yeah, it's error-prone, I got caught myself once :) [09:40] PR snapd#2820 opened: Add send/recv syscalls for upower-observe interface as required on ARM [09:44] PR snapd#2821 opened: overlord/ifacestate: setup seccomp security on startup [09:54] PR snapd#2822 opened: Added a linux framebuffer interface [10:12] ogra_: armhf platform snap now available in the store (candidate, beta and edge channels) [10:13] * ogra_ hugs Mirv [10:13] (and his cat) [10:15] lol [10:25] jdstrand: are you the one to talk about apparmor/snap socket() call accepting/rejecting ? [10:27] ogra_, after I change the config.yaml and sources.list, it still fetches from the server. is there anything I did worngly? I have rebooted the machine. sources.list http://paste.ubuntu.com/23959907/, /var/snap/packageproxy/current/config.yaml http://paste.ubuntu.com/23959909/ [10:28] liuxg, looks all fine to me ... and you did apt update and removed the old ppa entries from the clients sources ? [10:30] liuxg, note that the ppa bits might be in sources.list.d/ [10:30] ogra_, previously, I used "sudo add-apt-repository ppa:ci-train-ppa-service/stable-phone-overlay" to add the ppa. do you mean I need to use "sudo add-apt-repository -r" to remove it? [10:31] yeah [10:31] ogra_, ok. I got it. thanks [10:31] as long as you have it in sources.list (or .d/ ) it will indeed be used [10:32] ogra_, http://paste.ubuntu.com/23959927/, this is it. so I need to remove it, right? [10:32] right [10:33] and the next apt update should actually show it using ubuntu-overlay then [10:34] re [10:37] tsdgeos: hey, how can I help you [10:37] zyga: so i'm trying to figure out if it's on purpose that we're denying this call without the network plug [10:37] socket(PF_NETLINK, SOCK_RAW|SOCK_CLOEXEC|SOCK_NONBLOCK, NETLINK_KOBJECT_UEVENT); [10:37] definitely [10:38] this is basically udev connecting to it's socket [10:38] so it's not a network connection [10:38] s/it's/its [10:38] tsdgeos: yes but before recently we didn't do argument filtering in seccomp [10:38] tsdgeos: even now I don't think we will allow this in the network interface [10:38] zyga: why? [10:38] tsdgeos: there should be a dedicated netlink interface as netlink is rats nest of stuff [10:38] tsdgeos: netlink is privileged [10:39] so basically any app using udev won't be functional? [10:39] tsdgeos: any app using netlink will need a correct interface [10:39] tsdgeos: (security is hard) [10:39] tsdgeos: what exactly do you need to do? [10:39] tsdgeos: often there's an easier solution [10:39] no :D [10:39] you know i'm using qml that uses the ubuntu-ui-toolkit that uses QtSystemInfo that uses udev [10:40] and udev uses that socket [10:40] sure i can rewrite the world [10:41] ogra_, if I have another computer pointing to the server, does it need to have any authorization? I have not tried it yet. [10:41] tsdgeos: I see, this needs to be discussed with the security team, my rough feeling is that it may require patches to qt or a review of what is allowed once you have a netlink socket [10:41] tsdgeos: jdstrand is the right person for that, yes [10:41] ok [10:41] liuxg, nope, it just acts like a http server [10:41] no auth required [10:41] zyga: so what's the best way to discuss this? a bug? an email? if a bug, where, in launchpad? [10:41] but make sure your sources.list is correct indeed [10:41] ogra_, so, is there any security issue?: ) [10:41] yeah, I will have a try for it. thanks [10:41] tsdgeos: bug is a first idea, yes, file it on launchpad.net/snapd, tag it with #snapd-interface tag [10:42] well, some hacker could DOS your disk by downloading the whole archive i guess :) [10:42] zyga: ok, will do, thanks [10:42] ogra_, yeah, that is what I am thinking :) [10:42] but beyond that it is just a copy of deb packages in the end [10:42] no risk in that [10:42] Mirv: meanwhile i guess you can patch qtsystems with my patch so we get reduced functionality instead of a crash :D [10:43] ogra_, yeah, I got it. just joking :) [10:43] tsdgeos: I would love to know what happens after you have that netlink socket [10:43] tsdgeos: if you can add that to the code it would be fantastic [10:43] reads from it afaics [10:43] tsdgeos: sure but what exactly is being looked for [10:45] zyga: what do you mean? "what is being looked for" [10:45] tsdgeos: so you read from it, what happens then [10:45] tsdgeos: what information is being accessed [10:45] tsdgeos: what's the goal of QtSystemInfo [10:45] gives you system info [10:46] which is what exactly? [10:46] in this particular case it's telling us if you have keyboard/mouse attached [10:49] tsdgeos: thanks, please attach this to the bug as well [10:51] will do [10:54] ogra_, you are right. the second time is super fast! [10:54] ;) [10:55] ogra_, previously, it took almost one hour to build it :( [10:55] wow, bad [10:55] ogra_, yes, this is why your solution is super. I will try to use another machine to access it. [11:11] didrocks: great, thanks. [11:11] heh, I thought I sent that message 1.5h ago ;) [11:12] why do I get DEPRECATED: Custom plugins should now be placed in 'snap/plugins'. [11:12] when I don't have custom plugins? [11:12] plugin: nil and plugin: dump don't seem custom to me. [11:14] t1mp: Do you have a folder parts/plugins? [11:14] kalikiana: no === chihchun is now known as chihchun_afk [11:15] Hmmm maybe something in a cloud part? [11:16] could be, desktop helpers don't have though [11:17] unsure about the other you get [11:18] I use after: [desktop-ubuntu-app-platform] [11:18] it has plugin:make [11:18] but that doesn't sound like a "custom plugin" to me [11:20] Right, it's not [11:23] yeah, there is no custom plugin in my helper [11:23] could be a snapcraft bug, would be interesting to either report or retrace in the code what triggers it [11:24] also, having the plugin name in the deprecation notice would worth a bug :) [11:24] to see what it's complaining about [11:29] +1 === hikiko is now known as hikiko|ln === ronnie is now known as Guest72753 [12:02] Hi guys, I am trying to find out why an electron-based app works in devmode but not in strict, the logs show that a config file can't be written within the snap: /home/osboxes/snap/linkbox/x14/.config/configstore/linkbox-log.json [12:02] any clue on what i am missing here? [12:03] Guest72753: hey [12:04] Bug #1663220 opened: Add support to Secret Service APIs [12:04] Guest72753: can you pastebin: dmesg | grep DENIED [12:04] sure, just a sec [12:04] zyga: took me a while but https://bugs.launchpad.net/snapd/+bug/1663221 [12:05] Bug #1663221: snap/apparmor default confinement rejects socket(PF_NETLINK, SOCK_RAW|SOCK_CLOEXEC|SOCK_NONBLOCK, NETLINK_KOBJECT_UEVENT); [12:05] zyga: anything else you'd like me to add? [12:05] Guest72753: and dmesg | grep type=1326 [12:05] ogra_, if it works for pips, that would be fantastic :) [12:05] tsdgeos: thank you, that should be fine for now [12:06] zyga: http://pastebin.com/nTTuJSRf [12:07] Guest72753: it seems that the writeful snap wants to run "ip", that is not allowed by the base policy [12:08] Guest72753: if you disable that do you see any other issues? [12:08] how do I disable that? [12:09] Guest72753: it's your snap, don't ask me [12:09] electron app are chromium based [12:09] Guest72753: is electron shelling out to run /bin/ip? [12:09] so I don't really know why it needs ip [12:09] Guest72753: neither do I; you can use the network-observe plug on your app but it is reserved and your app will be blocked in store review [12:10] Guest72753: do you see anything in the second grep I asked for? [12:10] no, that one is empty [12:11] zyga, why woulld it be locked ? will it not just be not connected by default ? [12:11] Guest72753: so that's the only problem [12:11] ogra_: it's marked as reserved [12:11] ogra_: there's a difference between not connecting and not allowing to have it [12:11] ah [12:11] ogra_: if you just don't connect it people will fall for simple sociological attacks "this is how you install my snap" [12:11] zyga: so if I add the plug to network-observe plug it will work but not accepted in the store? [12:12] it will go into manual review [12:12] Guest72753: it will not go through automatic review, it will be flagged and will go to manual review [12:12] ok [12:12] Guest72753: I'm not sure, maybe there's a better idea; I don't have experience with electron [12:12] sergiusens: ^^ any ideas (electron based app uses /bin/ip) [12:12] sergiusens: is that electron itself? [12:12] I'll try doing that and see if it works at least [12:12] Guest72753: yeah, go ahead [12:12] Guest72753: don't forget to connect the plug [12:18] popey: hey, so apart from https://github.com/snapcore/snapd/pull/2815/files [12:18] PR snapd#2815: release: don't force devmode on LinuxMint "serena" [12:18] popey: what else should we whitelist there? [12:18] popey: I saw you mention various distros in the os-release-zoo project but I'm not feeling very well and I wanted to confirm those with you [12:18] zyga: still doesn't work, this is all the output since I started it: http://pastebin.com/4Y3JRVmG [12:19] Guest72753: hmm, so now it wants to ptrace an unconfined process [12:19] PR snapcraft#1125 closed: tests: fix the env vars passed to the docker container in travis [12:19] Guest72753: can you tell me if that's stock electron or is this the app itself? [12:20] Guest72753: ptrace is very powerful and ptracing unconfined processes is a clear no-go [12:20] Guest72753: also based on this output I don't think you did the plug correctly (maybe it's disconnected) because /bin/ip is still denied [12:20] Guest72753: or maybe this is a new feature of recent snapd, I'd have to check [12:21] Guest72753: but can you ensure that "snap interfaces" shows that your snap is using the new plug? [12:21] (and that it is connected) [12:22] popey: ideally, can you please open a bug for each distribution that you know should be whitelisted [12:22] zyga: this is the app itself, and you're right the plug is still not there [12:22] i'll try again [12:22] popey: a distribution should be whitelisted iff: it uses the ubuntu kernel, it uses ubuntu packages (snapd/snapp-confine/...) *without* rebuilding them from source (some decisions are compile time and distro-based) [12:23] Guest72753: just rebuild the snap and install it again [12:23] Guest72753: if you are in try mode [12:23] Guest72753: you need to uninstall/try again [12:23] AFAIR [12:23] (we should have --retry or something) [12:23] Chipaca: ^^ just an idea, have snap try --retry or just smarter try that updates meta/snap.yaml without dropping data) [12:24] popey: if you file those bugs please poke me with URLs [12:24] zyga, a bare "snap try" should work; doesn't it? [12:25] no uninstall needed [12:25] (granted it's a bit messy) [12:25] Chipaca: won't it artificially stack more "revisions" (which feels wrong) [12:25] right [12:25] well, yes it will, but why would it feel wrong? [12:25] maybe try should use a "xx" revison [12:25] Chipaca: people get into all kinds of mess with try [12:25] zyga, ? [12:26] Chipaca: you remove a directory and it's all wonky [12:26] `xx` as in not `x1`? [12:26] hmm ? does try actually bump the revision unconditionally ? [12:26] Chipaca: and the way to fix that is only sensible if you know how snapd works [12:26] ogra_, of course [12:26] * ogra_ wouldnt expect that [12:26] Chipaca: yes, xx as a special-special revision [12:26] ogra_, just like snap install --dangeroos ./potato.snap [12:26] zyga: this is it right? http://pastebin.com/1eHFpdzT [12:26] ah, i thought try just spawns the snap [12:27] ogra_, i'd love to know what spawning a snap means :-D [12:27] Guest72753: yes [12:27] "spawn more snaps" [12:27] dunno, execute it and stuff in it [12:27] ogra_: snaps are just zip files ;-) [12:27] without actually installing over [12:27] lies ! you cant unip them :P [12:27] (fancy zipfiles) [12:28] *unzip [12:28] ogra_, so, a snap is just a filesystem-in-a-file [12:28] zyga: it does show but at the end of snap interfaces: - writefull:network-observe [12:28] yeah [12:28] ogra_, "snap try" uses the directory directly [12:28] as if it were mounted already (it does a bind mount) [12:28] right, so there is no reason to bump the revision every time [12:28] PR snapcraft#924 closed: New plugin: jhbuild [12:28] ogra_, there totally is [12:29] why is that ? if you end the try the revision is free again, no ? [12:29] yes [12:29] and revert of a try would be fun [12:29] so you could just re-use [12:29] Guest72753: you need to connect that now [12:29] Guest72753: snap connect writefull:network-observe [12:30] ogra_, yes, we could reuse, but that would involve a bunch of special-casing for something that is trying hard not to be that different from installing the snap [12:30] heh, k [12:31] zyga: yeah, that works and the app works again [12:31] zyga: will the user have to do this? [12:32] Hi, it's been about 6 month since I last was building a snap package. At the time there was an issue that if your snap depended on TeXLive you basically had to include it yourself which makes the snap quite big. Does any one know if there is now a way to make use of an existing TexLive installation? [12:32] we have a content sharing interface now so you could roll a texlive snap you can share ... [12:33] and there is a way to build classic snaps ... whihc are essantially debs in a new dress [12:33] could you point to some up to date docs on that sharing interface and how to use it? [12:34] oh the classic snap would be interesting too. [12:34] but that will only work on classic systems (ubuntu-server, ubuntu desktop etc) [12:34] ah right. [12:34] using the content sharing stuff would make it more future proof for running on an all-snap image later [12:35] i guess classic is a good quick start way though [12:35] well upstream has already switched to appimage (because of the texlive issue) [12:36] I was hoping to make them consider snap again if this TeXLive thing was fixed [12:36] to build a classic snap you can just use ""confinement: classic" in your snapcraft.yaml ... and make sure to not use any interfaces at all (they are not available in classic mode) [12:37] interface == plug? [12:37] PR snapcraft#1115 closed: kernel plugin: fix kernel snap layout [12:38] well, socket and plug ... [12:38] any doc you can link to? [12:38] or i think we call them "slot" not socket now [12:38] on the snpcraft side you only use plug though [12:39] https://docs.ubuntu.com/core/en/reference/interfaces/index [12:39] zyga: seems app specific [12:40] so documentation is still spread around snapcraft.io and docs.ubuntu and dev.*** ? ;-) [12:40] * sergiusens is not paying too much attention to irc these days as it is only open on one box, the one with fixed networking [12:40] imexil, snapcraft docs are on snapcraft.io ... general docs are on docs.u.c [12:40] right. [12:41] But interfaces are a snap thing right? [12:41] https://snapcraft.io/docs/core/interfaces [12:41] OK thanks! [12:41] so you might want tostart with snapcraft.io ... for more detauls you have then docs.u.c [12:41] *details [12:44] tsdgeos: your patch will land via https://bileto.ubuntu.com/#/ticket/2456 === hikiko|ln is now known as hikiko [12:48] zyga: https://bugs.launchpad.net/snapd/+bug/1663041 [12:48] Bug #1663041: Snap packages install but can't be run on Zorin OS [12:49] does anyone know if there a way to automate `snap connect x:network-observe ` upon installation? [12:49] popey, geez, you hand people your pinky and they want the whole hand ! should be happy they can install them ! [12:50] [12:51] zyga: https://bugs.launchpad.net/snapd/+bug/1663226 [12:51] Bug #1663226: Snap packages install but can't be run on Peppermint OS [12:51] * popey builds a wall around ogra_ [12:51] * ogra_ turns the music up [12:56] ogra_: So I tried classic mode. But I have a conflicting ubuntu-core snap which snap won't remove. Any idea [12:57] http://pastebin.ubuntu.com/23960466/ [12:59] imexil, hmm, i thought that landed already, a new snapd should move you from "ubuntu-core" to "core" ... perhaps i'm wrong though and that version has not landed yet [13:00] "snapd is already the newest version (2.21)" [13:01] yeah, might be the one in -proposed that has this [13:01] iirc 2.23 [13:02] Well it looks like I'm fighting a lost fight here anyway. Upstream has a working cross-distro solution which only takes up 30 MB for the image and no duplicate minimal TeXLive installation required. There is probably no point in putting more energy into snap :-( [13:02] That's appimage based there. [13:03] well, 2.23 should be released this week (or latest next) [13:03] the alternative is to remove snapd and reinstall [13:03] alternatively you coudl uninstall snapod and reinstall that ... [13:03] which is what I did to switch from ubuntu-core to core, as I was in a hurry [13:03] but that makes you lose all existing snaps [13:03] yeah [13:03] classic mode would not help since it means distro depending again which is kind of the opposite you want. [13:04] classic mode isn't distro dependent [13:04] you can install classic snaps on debian 9 [13:04] yeah [13:04] PR snapcraft#1127 opened: Release changelog for 2.27 [13:04] well debian derivative dependent then [13:06] So I see classic mode now the nicer alternative to build something for deb like systems without having to do deb packaging. Which is nice but does not help when distributing cross distro. [13:06] i only mentioned debian 9 because that is the only one I've tested. others may well work but i dont run them here [13:06] theoretically it has no distro limits [13:06] as long as the libs and binaries are on the host [13:06] zyga, Guest72753: fyi, in the advent of snap declarations, plugging (almost all) manually connected interfaces does not trigger a manual review [13:07] jdstrand, thats how i understood it initially ... is that true for "reserved2 too ? [13:07] *"reserved" [13:07] zyga: the 'Usage: reserved' stuff needs to get cleaned out. it is all in the base declaration now (I can do that) [13:08] ogra_: you too ^ [13:08] ah [13:08] ogra_, popey: yes. Well I might give classic a go when the next upstream version of Ipe comes out. For now the PR is send. Thanks again for the help. [13:08] Guest72753: as for electron using ip-- I have tested electron apps and none of them used ip. I'm not sure why yours is... [13:08] np [13:10] ogra_: there is no 'reserved' any more. it is all base declaration. there are only a handful of plugs that trigger a manual review because they are deemed 'super-privileged'. eg, docker-support, snapd-control. network-observe is not one of them [13:10] ah ! [13:10] thanks ! [13:10] np [13:10] jdstrand, I think because we're trying to detect proxy though one of electron's packages [13:11] Guest72753: that would make sense. and with that, you should plug an appropriate interface that grants that [13:12] zyga: hey, so, on its own, https://github.com/snapcore/snapd/pull/2821 doesn't seem to fix anything because the seccomp profiles are always regenerated and that means they will be regenerated by the new snapd, which means the new policy that snap-confine may not understand. You mentioned a followup PR for compatible seccomp profiles. can you talk to me about that? [13:12] PR snapd#2821: overlord/ifacestate: setup seccomp security on startup [13:12] jdstrand: I plugged network-observer as suggested by zyga, and that works, but I was wondering if the user will have to do this manually, or if there's an automated way to do this [13:13] the user has to do it [13:13] Guest72753: the user will have to do it manually because network-observe grants privileged access to network information [13:13] unless you use your snmap inside an all snap image (i.e. an IoT install or such) [13:13] Guest72753: a gadget snap could also do it [13:13] there you coudl define the pre-plugged interfaces in the gadget snap of the image [13:14] Guest72753: you might want to read https://github.com/snapcore/snapd/wiki/Interfaces [13:15] jdstrand: thanks I did a few hours ago [13:15] trying to figure out how everything works [13:17] Mirv: should "Use eg example 1 from en blog 2016 11 16 snapping-qt-apps but with plugs: network" be "Use eg example 1 from en blog 2016 11 16 snapping-qt-apps but *without* plugs: network" [13:17] Guest72753: ah, there is a blog you might want to read. /me finds it [13:17] Guest72753: https://blog.labix.org/2016/04/22/snappy-interfaces [13:18] tsdgeos: thank you [13:18] tsdgeos: yes [13:26] jdstrand: o/ [13:26] jdstrand: noted, thank you [13:26] jdstrand: question, how would you feel if a snippet of the base declaration was in each interface? [13:26] jdstrand: right now it's a bit spread out [13:28] Bug #1663175 changed: chroot not allowed in devmode/strict [13:29] zyga: I like the way it is because you can see all of them in one place. it is 'the base declaration' that anyone can see and the tests are in one spot. I don't personally view it as a security backend. I also think we have much bigger fish to fry [13:30] not a backend, a dedicated thing [13:30] jdstrand: right now it is another thing that everyone has to patch in a secondary file, I wanted to streamline that to just the interface file [13:31] zyga: I know what you want :) you asked my opinion :) [13:31] jdstrand: ack, thanks [13:32] jdstrand: I really want to write a few tools like "snap internal policy-dump" or something like that (also for other built-in things) [13:33] pstolowski: hi! I updated my snapd with your latest changes to the iface hook branch, but now I'm getting this wehn I try to connect: http://paste.ubuntu.com/23960586/ [13:34] pstolowski: did I do something wrong when rebuilding snapd? [13:34] zyga: we do need that, but the base declaration feels different to me. it is something that snapd applies to interfaces [13:35] zyga: as opposed to something interfaces provide [13:35] jdstrand: kind of but you see why it is connected [13:35] mardy, no, there is a problem (I think it manifests itself if you used edge before) unrelated to my branch which is being adressed today. zyga can you take a look at that pastebin and confirm? [13:35] zyga: but, can we discuss https://github.com/snapcore/snapd/pull/2821 and the followup branch. I have a lot of concerns [13:35] PR snapd#2821: overlord/ifacestate: setup seccomp security on startup [13:36] zyga: first off-- you added quatactl-- that is bad. it was never there and is now granting far more than observe to mount-observe [13:36] pstolowski, mardy: known issue: https://bugs.launchpad.net/snapd/+bug/1662489 [13:36] Bug #1662489: snap-confine failed with: hsearch_r failed: No such process [13:36] jdstrand: ah, thanks I can correct that quickly [13:36] jdstrand: thank you for looking at the current fire, I was about to ask for your review [13:36] zyga: but I'm quite concerned about the approach and where things are going [13:37] jdstrand: yes, let's discuss this now [13:37] jdstrand: do you know the context? right now snapd broke everywhere on edge [13:37] yes [13:37] ok [13:37] I discussed this at length with mvo and in fact triaged the issue to snap-confine vs policy diversion [13:38] so I'm up on it :) [13:38] jdstrand: not sure I follow [13:38] nm [13:38] I know the issue [13:38] jdstrand: the issue is that snapd runs snap-confine from the system, right? [13:38] jdstrand: and that's the old snap-confine [13:38] yes [13:38] yes [13:38] ok, just checking [13:38] * jdstrand understands the issue [13:38] :) [13:39] so this is only an issue on classic [13:39] because on all-snaps, everything is in the os snap. you get the old stuff, or you get the new stuff [13:39] jdstrand: it is also an issue on core if you revert [13:40] (rollback) [13:40] yeah [13:40] writable is unversioned ... [13:40] (though on all-snaps, I think there is an issue of the policy not being updated on core refresh after reboot, but that is a separate thing) [13:40] mardy, i think the bug 1662817 which is a duplicate has a workaround [13:40] not a new prob ... [13:40] Bug #1662817: some snaps stop working after revert the core snap [13:40] jdstrand: it's not that separate, see what I wrote on the internal channel [13:40] jdstrand: it's a required part of the fix in my eyes [13:41] zyga: so on core, to fix revert *and* updating policy on refresh, we need a way to say 'trigger policy regeneration for these affected snaps' [13:41] or have writable live in SNAP_DATA of the core snap ;) [13:42] jdstrand: we cannot do that cause the core you revert to doesn't know it should generate profiles and the current core cannot generate old security profiles [13:42] zyga: yes, I was typing the same thing as you were :) [13:42] jdstrand: I think it is fine if stuff is broken for a short while (e.g. rollback now breaks) but we need to plan the general fix [13:42] zyga: you can if it is designed [13:42] (that would just make updates really slow since you need to copy all of writable on upgrade) [13:42] jdstrand: right, I agree; I just mean that nothing we can do now makes old cores capable of doing this [13:42] (this is what I meant by a short while) [13:42] of course [13:43] jdstrand: ok, we're in agreement [13:43] zyga: but I suggest we talk about fixing core, and then see how fixing classic falls out of that [13:44] jdstrand: I think the right fix is to refresh profiles as I described in the card *and* run snap-confine from core [13:44] jdstrand: that's the generic solution that will always work when it lands [13:44] jdstrand: what I proposed now was a short-term way to unbreak edge [13:44] let me read the card [13:44] zyga: how will that fix the revert problem? [13:44] * mvo should also read the card [13:45] jdstrand: let's chat over a HO [13:45] https://hangouts.google.com/hangouts/_/canonical.com/snappy-devel?authuser=1 [13:45] zyga: your approach is too heavy [13:45] especially when you add apparmor into the mix [13:46] cause every refresh/revert will unconditionally regenerate/recompile everything [13:47] this is not theoretical. we have to be very careful with apparmor policy regeneration on arm with lots profiles (eg, on Personal) [13:47] jdstrand: not really [13:47] jdstrand: we only do that if it is different [13:47] yeah, we have been bitten badly by that before [13:47] zyga: 'it' is the build id which is different for every refresh, no? [13:48] jdstrand: sorry, I'm in a hangout with mvo here; it would be easier to discuss this together [13:48] jdstrand: having two parallel conversations is too much for my head today [13:50] pstolowski: thanks! Do you know what are the concrete steps for restoring the seccomp profiles? [13:50] jdstrand: we lost you [13:52] mardy, nope, sorry. they live in /var/lib/snapd/seccomp/profiles but i'm not sure if they will be re-generated if removed manually. zyga will know [14:25] pstolowski: they will not, I will make that happen today though [14:30] jdstrand: can you re-review and hopefully adjust the outcome on https://github.com/snapcore/snapd/pull/2821 [14:30] PR snapd#2821: overlord/ifacestate: setup seccomp security on startup [14:30] jdstrand: I removed quotactl entirely [14:31] sergiusens: hey! Do you have any idea on how I can avoid this workaround: https://github.com/ubuntu/booth-demo-manager/blob/master/snap/plugins/bower.py#L38 ? (with side-effects :/) [14:33] mvo: ok, fyi only, merged master for seccomp-mknod and pushed. My previous merge with master was 23 hours ago. fingers continue to be crossed :) [14:34] wililupy: ping, are you around to help me confirm that the change lool introduced fixes your problem? https://bugs.launchpad.net/snapcraft/+bug/1658177 [14:34] Bug #1658177: snapcraft kernel plugin puts module and firmware under 15.04-era lib/ directory [14:35] elopio: hi [14:36] sergiusens, elopio: I have yet to test whether resulting kernels work as expected; I can say I fixed the layout of the resulting snaps though [14:37] lool, i think ppisati tried the fix [14:37] (but had other issues) [14:38] lool: /buffer #ubuntu-mir [14:38] sorry, wrong command :p [14:39] * ogra_ flushes #ubuntu-mir from lool again [14:41] ogra_: thanks [14:41] :) [14:41] ogra_: why is it that the official kernel snaps are not built using the snapcraft kernel plugin? Is there something you are missing from our side? [14:42] elopio, yes, and archive signing key :P [14:42] *an [14:42] ppisati: just saw your debug on initrd boot with new kernel snap, did you find the issue? [14:42] elopio, we need the signed deb kernels for secureboot to work ... [14:42] elopio: the main difference is that they are built from the original debs [14:42] elopio, so we cant build them from source [14:42] instead of from source [14:42] albeit I thought we had a plugin for that too [14:43] we have a snapcraft.yaml ansd Makefile the kernel team maintains [14:43] fvor the official kernels [14:44] I see. It would be nice to have a test that builds the official kernel from source, just to check our plugin. And that doesn't need signature. [14:44] you can surely do that as long as you dont upload them to the store under the same name [14:45] of course :D I'll make sure this just builds, the runner won't even have credentials. [14:45] note though that we also pull in extra binaries ... like the raspberry-pi wlan firmware package on the pi kernels and linux-firmware on the generic ones [14:45] ogra_: do you know where is the source for the debs? [14:45] PR snapd#2820 closed: interfaces/builtin: add send/recv syscalls for upower-observe interface as required on ARM [14:45] the source for the debs or for the snap builds from debs ? [14:46] the git trees are on kernel.ubuntu.com if you mean that [14:46] ask the kernel team for the right branch etc though ... i never get that right :PÖ [14:47] yes, I meant that. Thanks ogra_, I'll ask. [14:49] ppisati: ping. Can you please tell us about the kernel issues you are still having? We are trying to make a release soon, and it would be great to have all of that fixed. [15:01] ogra_: to be fair you can do the same trick that's done with the deb but with the snap instead [15:01] ? [15:01] PR snapd#2813 closed: tests: filter ubuntu-core systems for authenticated find-private test [15:01] trick ? [15:03] elopio: loic: with loic's patch applied to snapcraft, i can build a correct kernel snap [15:03] ogra_: the signing [15:03] sergiusens, there is no trick [15:04] elopio: loic: now i'm fixing the config of the 96boards's snapcraft snapcraft demos, sicne it was missing some required options [15:04] sergiusens, the ubuntu-archive key which only gets used during archive builds needs to be used [15:04] ogra_: I was told the deb was built, intercepted or pulled out of the archive, signed and resubmitted [15:04] e.g. mmc_sdhci <- no mmc on boot [15:04] sergiusens, nope [15:04] ogra_: that's the summary steve gave me [15:04] and apparently it's missing something else, but i think it's the ext4=m being the problem here [15:04] elopio: lool: i'll send a patch to snapcraft once i'm done [15:04] sergiusens, i think you think about the way it is done if you need a *different* kernel [15:05] ogra_: it can still be signed with snapcraft by using an `install` scriptlet [15:05] sergiusens, how ? [15:05] ppisati: ok, so board specific issues - cool [15:05] ppisati: thanks for the update [15:05] sergiusens, you need *all* the binaries signed with a key you dont have access to [15:05] only the archive builders can use this key [15:06] elopio: BTW, we have snapcraft.yaml in our kernel tree (at least for xenial) [15:06] so you need a deb built in the archive in any case ... sure you can loop that through with snapcraft somehow ... but why [15:06] elopio: if you clone the xenial tree, git checkout the raspi2 or snapdragon branch [15:06] elopio: you can rebuild a kernel snap from there [15:10] ppisati, oh, yeah, if you use ext4=m you need to include ext4 in the initrd with a snapcraft option [15:10] re [15:12] ppisati, can you file a bug, iirc your initrd was just hanging, we can add a check for /proc/filesystems and error out [15:12] that would have made this clearer and saved debugging [15:13] didrocks: sorry, might have asked this recently already, but where's the most recent electron snap template I can hand someone? [15:14] morphis_: hey, would you have a gadget.yaml example showing interface connections from gadget? [15:14] (ideally of privileged interfaces) [15:15] lool: I don't think we have any. I didn't tackle one myself and was told that all electron apps are different [15:15] lool: I guess the telegram one from sergiusens could be handy [15:15] didrocks: oh wow really [15:16] sergiusens: did you see my question btw about the bower.py workaround? :) [15:16] didrocks: hmm I dont see electron anywhere in the telegram snap, isn't it qt? [15:16] (https://github.com/sergiusens/telegram-snap/blob/master/snapcraft.yaml) [15:17] it's Qt, but I really thought it was electron-based [15:17] my bad then [15:17] Trevinho and flexiondotorg worked on electron examples I think [15:17] Trevinho, flexiondotorg, ^ [15:18] lool: it's all qt... [15:18] lool: check this for an upstreamable version which... I already have [15:18] lool: https://github.com/3v1n0/telegram-snap/ [15:18] this is to allow someone to create a webapp snap [15:18] basically they have the URL/HTML and they need to ship a runtime around it [15:19] jdstrand: I've updated the PR as instructed [15:19] lool, why not https://github.com/fcole90/fcole-hexgl-webapp [15:19] (uses ubuntu-app-platform though) [15:19] PR snapd#2815 closed: release: don't force devmode on LinuxMint "serena" [15:20] lool: what do you mean by that, a gadget with applications using plugs/slots or a gadget causing plugs/slot of certain snaps automatically connected? [15:21] morphis_: a gadget preinstalling snaps and connecting them to the right plugs/slots [15:23] lool: you can't do both from a gadget [15:23] preinstalling snaps is a thing ubuntu-image/snap prepare-image does by setting up the seed.yaml in your image [15:24] (in old snappys we used to be able to force certain snaps to remain installed, might be where my confusion comes from) [15:25] morphis_: so I can preinstall snaps in my ubuntu-image call, and I can pre-connect them in the gadget yaml? [15:25] that is what you do via an validation assertion [15:25] no, no pre-connecitng in gadget.yaml [15:25] that is handled via snap-declaration [15:25] so it has to be per snap [15:25] yes [15:25] but it could potentially be in the image only and not the store [15:26] sure [15:26] the image is build with a set of assertions and a set of .snap files [15:26] I guess we can add authorities to the image [15:26] and sign the snap-declaration by whoever [15:28] lool: not sure about this, right now the assertions are signed by canonical [15:28] https://github.com/3v1n0/electron-quick-start-snap/blob/master/snapcraft.yaml looks like a good electrn snap template [15:28] pedronis can comment on that maybe who is able to sign them [15:28] morphis_: ok [15:28] I think if it's per snap it can probably come from the store anyway [15:28] even if it's preloaded [15:29] lool: I've probably to update it though [15:29] I've not touched it for some time [15:29] but as they express some kind of critical policy I guess its only the device maker or the store instance (canonical) [15:29] as per https://github.com/3v1n0/electron-quick-start-snap/issues/1 ... [15:31] probably the launcher should be better to be desktop-gtk2 though, [15:32] ogra_: it was more than a single issue [15:33] ppisati, well, but missing ext4 is definitely one we can catch [15:33] and print a pretty message for you so you dont need to dig [15:33] ogra_: the hang was due to missing mmc, it couldn't find it so it was hanging in "wait-for-root" - there are 3 calls, one in fixrtc, another in resize and the third was in the main ubuntu-core fs logic [15:33] then there was ext4 [15:33] and now i'm having a === verterok` is now known as verterok [15:33] but wait-for-root has a timeout [15:33] it should have returned after 120sec [15:34] lool: actually 've just thested that exampla and still works, so... yeah, you can start from that if needed [15:34] or 180 or so [15:34] "can't mount loop device: no space left on device" and i think it's the devloop min count too low ( = 8 atm) [15:34] Trevinho: yeah, I actually think I handed it to some folks who told me it was working, wasn't sure it was this exact one [15:34] wow, never seen that one [15:34] ogra_: yes, but there are 3 in a row, so if you don't wait long enough, you never land in busybox [15:34] lool: that is the one I did long time ago, I've updated it some time ago to use desktop launchers, but it should work [15:35] yeah [15:35] ogra_: i'm piling up config changes for the snapcraft kernel pluigin example [15:35] i guess 180sec are also quite long ... [15:35] even a spinning disk should be ready in less than 1min [15:35] i put some prints inside initrd scripts to see where it was hanging [15:38] Out of curiosity, are (graphics) drivers snappable? [15:41] Blu2_, tricky since they usually have a kernel side component ... [15:43] jdstrand: do we have an official position on a realtime interface for pthread_setschedparam()? [15:44] outside of "just do it and that's privileged and needs a snap-declaration" [15:44] Blu2_, but i.e. in case of a whole image it is easily possible ... i.e. the RPi images we have ship the vc4 driver in the kernel snap and snaps that include gallium can use DRM/KMS and GLES [15:45] so it depends a bit on the context the snap is used in [15:46] hm.. would be awesome to use for example Open drivers for the desktop and proprietary for specific apps [15:46] if that would be possible from a driver POV ... then you could already do it with debs :) [15:47] if certain HW is driven by an open driver you wont be able to use the prop. one at the same time with it ... [15:47] thats not snap specific though [15:47] Having multiple drivers installed and only grant one access to a snap or something [15:47] just a limitation of HW and drivers [15:47] seb128 Yes, I'm working on electron stuff. They are a bit variable in terms of what is required. [15:48] I don't know, I'm not too knowledgable about this topic [15:48] electron is still using GTK2+ despite lots of requests to move to GTK3+ [15:48] Blbut if the HW is already being used by one of them, how do you make the snap use the other ? [15:49] Blu2_: what you can do is have two kernels snaps and chose one or the other [15:49] yeah, but not dynamically [15:49] or a kernel snap with a config/cli to swap, likely with reboot [15:49] that isnt how garphics hardware works [15:49] *graphics too [15:50] right the hw (lowest layer) seems like it wouldn't support non-exclusive usage [15:50] at least that i know of [15:50] yep [15:51] i guess you could make it work in SW if you had access to the source of the proprietary driver ... you could split out the common parts and make the higher level switchable ... [15:52] but then you have two open drivers in the end :) [15:52] (or two closed ones and a vendior that sues you :P ) [15:52] (because you broke your NDA) [15:53] Hopefully Valve and the community push open drivers further [15:53] btw, no steam snap yet :P [15:53] go ahead ! [15:53] * ogra_ would use it [15:54] joc: ping. The plainbox provider snap fails to build now. https://travis-ci.org/elopio/snapcraft-de-noche/jobs/200009799 [15:54] do you know about that? [15:55] Maybe I'll give a try on the upcoming weekends [15:55] PR snapd#2823 opened: interface/seccomp: sort combined snippets [15:55] elopio: hi, sorry i've been away for a week, i saw i had a few more comments so i'll check it all [15:57] lool: pthread_setschedparam isn't a syscall so I'm going to assume that it is using varous sched_* syscalls. 2.23 will allow snaps to modify the scheduler for the calling process. process-control added several syscalls for adjust the scheduler for anything. so, it is available in process-control when you need more than what is in the template [15:59] jdstrand: yes, it's sched_set_params syscall I think [15:59] lool: yes, that was one that was added to template and process-control [15:59] (template for limited use, process-control for anything) [16:00] ogra_: this one is for you: https://travis-ci.org/elopio/snapcraft-de-noche/jobs/200009811 We will make sure that snapcraft master builds your kernels every night. [16:00] jdstrand: I dont understand the "added as a template" part [16:00] I see it in interfaces/seccomp/template.go [16:00] and in interfaces/builtin/process_control.go [16:00] lool: you can use sched_setparam(0, ...) in default template, sched_setparam(anything, ...) in process-control [16:01] oh ok [16:01] I need to find what value RR is [16:01] joc: hey, but this is not related to your branch :) It's the one in git.launchpad.net/~checkbox-dev/plainbox-provider-snappy [16:01] lool: again, this is 2.23 [16:01] ack [16:02] Is there any interface that will give a snap access to /proc/self/cgroup? [16:03] elopio, sexy ! [16:04] PR snapcraft#1128 opened: tests: support bzr branches for external tests [16:05] elopio: aah got you, didn't read that closely enough :) [16:06] elopio: we don't maintain the packaging repo you are using anymore I'm afraid, we now have a dedicated project here: https://code.launchpad.net/checkbox-snappy [16:07] joc: oh, good. I'll update the script. I think I will just build your master branch nightly, unless you think it would be good to build the others too. [16:08] ppisati: sorry, I was in a meeting and missed your pings. I'm scrolling back and reading... [16:09] elopio: well we are building master/edge and beta on every landing, and now have release flow for candiate and stable, so up to you [16:10] lool: there's a bug in the "moving modules and firmare around" fix [16:11] lool: http://paste.ubuntu.com/23961221/ - there are two fw directories now [16:11] elopio: our xenial kernel tree contains a snapcraft.yaml, checkout raspi2 or snapdragon and it should be there [16:12] elopio: so you can rebuild a kernel.snap from there, althougjh it will be slightly different from what we have in the store [16:12] elopio: but it might be a good test for the kernel pluging [16:14] ppisati: I see it \o/ http://kernel.ubuntu.com/git/ubuntu/ubuntu-xenial.git/tree/snapcraft.yaml Just what I was missing. [16:14] ppisati, are you sure thats not from inside the dragonboard fw tarball ? [16:14] ppisati: the default branch is for the pc image? [16:15] iirc you unpack a tarball at snap build tiome in this case [16:15] elopio: yep [16:15] ogra_: yep, that come sfrom the firmware tarball, but if we move the /lib/firmware, we should move everything [16:16] ogra_: else wifi won't work [16:16] yes, but thats nothing the plugin can handle ... should it ? [16:16] it will just untar [16:16] ogra_: yep, what i mean [16:16] ogra_: before we moved /lib/fw to /fw everything was in one place [16:16] ogra_: ah [16:16] ... [16:17] destination: lib/firmware [16:17] i didn't see that [16:17] f*ck me [16:17] :) [16:17] ok [16:17] :D [16:17] https://github.com/snapcore/snapcraft/pull/1129 [16:17] PR snapcraft#1129: 96boards: fix the dragonboard example [16:18] this fixes the dragonboard example [16:18] mines the fw destination that i just noticed [16:18] *minus [16:19] PR snapcraft#1129 opened: 96boards: fix the dragonboard example [16:21] ogra_: before I forget to remind you, tomorrow 16UTC, bring your nice clothes. [16:21] yeah, i'll iron them ! [16:22] you are going the extra mile! so nice of you. [16:29] Bug #1663303 opened: Running snapcraft on Ubuntu 14.04 fails with a traceback [16:48] we're trying to snap kubelet and hitting a lot of permissions problems, anyone available to look at these? https://gist.github.com/Cynerva/9150f379cdf1d41aac9ae233597c1f64 [16:49] lotta cgroup stuff, and a couple others [16:49] i'm not seeing any obvious interfaces we can pull in [16:49] any assistance would be appreciated :) [16:55] Hello, did anyone had an experience building a snap that's uysing python and girepository? I added python3-gi to stage-packages. But application using it fails at runtime [17:09] Cynerva, are you familiar with the snappy-debug tool? [17:27] sborovkov: what's your error? [17:52] elopio: ImportError: cannot import name GLib, introspection typelib not found [17:52] elopio: and this ImportError: cannot import name Gio, introspection typelib not found [17:53] elopio: not sure what it's missing, I see that it has $SNAP/usr/lib/python3/dist-packages/gi [17:56] Cynerva: today is a bad day for me but come back tomorrow, I'll help you out [17:58] kyrofa: i haven't tried snappy-debug, but i see it in the docs now - thanks! [17:58] zyga: will do, thanks [18:01] mwhudson: hey, around? I have a question [18:03] Cynerva, no problem, that will hopefully give you more helpful errors [18:10] PR snapd#2821 closed: overlord/ifacestate: setup seccomp security on startup [18:10] PR snapd#2823 closed: interface/seccomp: sort combined snippets [18:12] sergiusens: around? [18:14] sborovkov: can't you install glib from the deb? [18:16] elopio: error is that introspection typelib is not found though? And I added python3-gi to stage-packages and it's installed. I also added libglib2.0 to stage packages as well... [18:17] Hrm, I wish Unity didn't remove snaps whenever they're updated. No idea, though, if that's an issue with Unity or what snapd might be doing with the files. [18:18] s/snaps/launchers of snaps/ [18:18] kalikiana, I expect snapd is removing them when disabling, and generating new ones when activating [18:18] kalikiana, if you run `sudo snap disable ` do they also disappear? [18:19] kyrofa: Yep [18:19] sborovkov: I mentioned the debs because I remember something similar when I mixed debs and pip packages. But if you are using only debs, then scratch that. [18:20] kalikiana, please report that [18:20] Will do [18:20] sborovkov: so, I don't know. Feel free to share the snapcraft.yaml with us. If you think this is something that snapcraft is doing wrong, please file a bug in bugs.launchpad.net/snapcraft [18:20] It might make sense to remove them on disable, but not upgrade [18:21] King_InuYasha: yes [18:22] elopio: I actually found similar question https://www.mail-archive.com/snapcraft@lists.snapcraft.io/msg01513.html [18:22] sergiusens: did you have a chance to take a crack at refactoring the stage/build-packages backend over the weekend (you briefly mentioned to me last week you were going to take a stab at it) [18:22] elopio: going to try and see if that helps. [18:22] jdstrand, how would you feel about making ping available in the default profile? [18:22] King_InuYasha: I am going to get it signed off for next week as an official sprint task (yeah we are doing agile now :-/) [18:22] King_InuYasha: I tried to spike it this week but ran out of time [18:23] oh dear :( [18:23] it is light weight, but still don't like it [18:23] * King_InuYasha is not much of a fan of agile/scrum/sprint things [18:23] kyrofa: Seems there's bug 1646912 for it already [18:23] Bug #1646912: Snaps disapper from the launcher after an update [18:23] me neither [18:23] I'm one of those "informally agile" people [18:23] the moment you're putting fixed process cycles, it's not really "agile" in my opinion [18:27] Bug #1646912 changed: Snaps disapper from the launcher after an update [18:32] ogra_: FYI seems there's a snapcraft snap in the store now (oddly enough not the one I wrote) and bug 1663303 is kind of answering my question [18:32] Bug #1663303: Running snapcraft on Ubuntu 14.04 fails with a traceback [18:33] Although I don't know how "sudo apt install snapcraft --classic --edge" is supposed to work [18:47] sborovkov: interesting. [18:47] kalikiana, ah ! [18:48] ssweeny, bah ... i did miss that your second case option misses the ;; [18:48] * ogra_ does a quick fix [18:48] ogra_: I've seen the ;; left out after an exit before [18:48] I thought it was valid [18:49] fwiw even an actual "snap install --classic --edge" installs fine but doesn't run on Xenial either [18:49] ssweeny, nope, isnt [18:49] but at aleast all bits are there now [18:49] ogra_: ah, my apologies then [18:49] well, i reviewed it :P no need to apologize [18:53] Huh... I have a bug report some someone who seems to be unable to resolve domain names from within the snap. Has anyone run into that? [18:54] nope [18:55] kyrofa: yes [18:55] kyrofa: on 14.04 [18:55] ah [18:55] kyrofa: is that a classic confinement snap? [18:56] zyga, no, strict, and on 16.10 [18:56] Maybe it has something to do with 16.10, I'll fire up a VM [18:57] PR snapd#2824 opened: overlord: make seeding work also on classic, optionally [18:58] kyrofa: then no [18:58] kyrofa: strace would be useful [18:58] zyga, unfortunately that requires bundling that in the snap, which I have not :P [18:58] zyga, can't even ping. Figuring out the issue in the first place was awful [18:59] Still not completely sure that's the issue [18:59] kyrofa: building what? [18:59] kyrofa: just nsenter and strace ;) [18:59] zyga, wait... [18:59] Really? [19:00] kyrofa: strace is at /var/lib/snapd/hostfs/usr/bin/strace [19:00] alll this new fangled stuff [19:00] nsenter ... tsk [19:00] ogra_, I didn't know about nsenter either :P [19:00] yeah [19:00] zyga keeps all the secrets ! [19:01] ogra_: job security [19:01] I just have to stop spilling them on irc :) [19:01] snapd hides the magic, which is cool. I just wish we _also_ hid the magical debug tools [19:02] Hahaha [19:02] ogra_, kyrofa: nsenter -m/run/snapd/ns/$SNAP_NAME.mnt [19:02] just don't add space between -m and the path [19:02] annoging thing [19:02] that runs without confinement [19:02] stop spilling ! [19:02] if you want confinement just snap run --shell [19:02] and then fire away [19:02] you will need to copy strace somewhere first [19:02] but it will work [19:02] now all the hackers know our backdoors ! [19:02] same with gdb [19:03] ogra_: nah, WE HAVE FIREWALL ;) [19:03] great FIREWALL ? [19:03] don't you watch TV [19:03] it stops _everything_ [19:03] based on the evil bit [19:03] lol [19:04] zyga, I wish technology had more boring names for things. Then tv shows would actually have to make up the NAMES for the technology they fabricate as well [19:05] zyga, I want to hear one script that mentions iptables [19:06] * ogra_ is slightly scrated by TV recently ... there is that reality TV clown in the news all the time ... i stream though :) [19:06] kyrofa: isn't that old-school, iptables got replaced by that ... thing [19:06] kyrofa: that is a long standing discussion point. it mostly had to do with the fact that it is setuid, therefore we had to allow certain things in the profile that weren't appropriate for the default profile. then there was setuid-less ping made possible by upstream kernel, but it needs distro support (tyhicks would have to comment). I was going to see if a combination of apparmor child profile and seccomp arg filtering might make it possible. that [19:06] *scared [19:07] zyga, you must be talking about ip6tables [19:08] zyga, in all seriousness, are you talking about ufw? It's just a pretty wrapper [19:08] actually, I think mr robot may have mentioned iptables [19:08] jdstrand, no way! [19:08] it may have just been on the screen, I can't remember [19:09] what would be cool is if mr robot used ufw :) [19:09] jdstrand, and yeah, ping makes sense. I would also be happy with getent [19:10] I love ufw [19:10] the setuid-less ping support has been in the kernel for a long time and support for the kernel feature was recently merged in upstream iputils [19:10] is getent missing? I think we could at least give it with network [19:10] jdstrand, seems to be [19:11] or maybe it too as a child profile, but I don't want too many child profiles. I could to sibling profiles... [19:11] there's a little bit of distro work needed to enable it but the more important piece of work to do is to understand what old features of setuid ping would regress [19:11] anyway, I'll think about it [19:11] setuid-less ping doesn't support everything [19:12] kyrofa: no, there's something more recent in the kernel [19:12] tyhicks: sorta thinking snapd could ship profile snap.ping {} # cool profile name! [19:12] kyrofa: something more generic [19:12] zyga: hello [19:12] mwhudson: hey! [19:12] tyhicks: then network could Px -> snap.ping [19:13] mwhudson: I think my question has resolved itself, just bad reading on my part, I incorrectly assumed Elf64_Word is a uint64_t, [19:13] tyhicks: and maybe, ust maybe I can do enough with seccomp arg filtering to make it work [19:13] zyga: ah haha [19:13] s/ust/just/ [19:13] mwhudson: silly elf defined that as uint32_t *because THAT's why* [19:13] jdstrand: do you think spending them time to do that work would be better than enabling setuid-less ping in the distro? [19:13] s/them time/the time/ [19:14] anyway, it is something I plan to play with whenlooking at policy for setuid with @euid and @ruid [19:14] tyhicks: well, the problem is that while it would be fantastic to have setuid ping in Ubuntu, other distros won't have it [19:15] tyhicks: but, it would be in our core. I guess we'd just need a new enough kernel. that isn't something new for snappy... [19:15] jdstrand: agreed but no other distros are using confinement [19:15] oh yeah, it would be in our core snap [19:16] tyhicks: today. I suspect by series 18 that will change (pending upstreaming work). Debian and suse should be able to just get it [19:16] jdstrand: it would be nice to have ping without the +s bit [19:16] true [19:16] zyga: it would [19:16] jdstrand: maybe just with the capability for the raw socket or maybe the special ping-something-socket (forgot) [19:17] we could supply an alternate ping too, but people would have to know to use it [19:17] jdstrand: on other distros that haven't enabled unpriv ping themselves, snapd would have to write to the special sysctl that sets up the guid's that are allowed to use the unpriv ping [19:17] on core we could update-alternatives it [19:17] anyway, lots of options [19:17] yeah [19:18] tyhicks: ah yes, I forgot that. that is semi-difficult, though possible with snap-confine understanding thing like @ruid and @euid [19:18] things* [19:18] * tyhicks nods [19:19] jdstrand: hmm, yeah [19:19] zyga: fyi, it is just a special socket(2) domain although I can't remember the name of it right now [19:20] tyhicks: right, I recall something similar [19:20] just-for-ping [19:27] kyrofa: I'm sure you know this, but ping is in network-observe if you are blocked [19:28] jdstrand, oh no, not blocked, I'm sorry if I gave the impression [19:28] you didn't, I just wanted to make sure you weren't [19:28] jdstrand, I was trying to figure out what was wrong with someone else's system running my snap, and I realized I had no network debugging facilities! [19:29] jdstrand, it seems like their DNS isn't working from within the snap, so I'm investigating that on my own now, hopefully I can duplicate [19:31] elopio: yeah that export helped. Also had to export PYTHONPATH for some reason with path to the dir it install girepository to (for some reason it's in a separate directory from all other python packages but whatever). [19:33] Hi, what's the policy for naming dbus interfaces on core and on classic? I am getting this on core g-dbus-error-quark: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: Connection ":1.36" is not allowed to own the service "org.screenly.playlist" due to security policies in the configuration file [19:34] sborovkov: use the "dbus" interface. see https://github.com/snapcore/snapd/wiki/Interfaces#dbus [19:35] sborovkov: you'll want to: [19:35] slots: [19:35] dbus: [19:35] jdstrand: yeah, but I am in devmode. Seems like I am being prevented from registering this on the system bus by some policy. So I was wondering what's the policy. And what's the policy on the core as we are just in process of migrating to core. [19:36] name: org.screenly [19:36] bus: system [19:37] jdstrand: thanks, and this would help me in devmode as well? [19:37] sborovkov: are you using 'bus: session' or bus: system' in your yaml? also, is it a session or system service? [19:38] jdstrand: I was not using anything, just trying to get it running in devmode first. Hmm, we just have daemon: simple so might be that I should register on a session bus? Sorry, last time I was using dbus was like 5 years ago and back then I did not expose any interfaces :-) [19:39] quick question, so i have snap created for rclone but iam trying to have my launchpad auto build use the classic containment so rclone can write to disk for the config files located in the home directory. but as of right now Launchpad's auto build system wont even compile the snap if i use classic instead of strict or devmode [19:39] sborovkov: ok, if this is using 'daemon: simple', then you are running as root. that implies a system service, so you should use 'bus: system' [19:39] sborovkov: with devmode, you still need to specify the interface because the interface is what modifies the dbus bus policy [19:40] sborovkov: so while apparmor would allow it in devmode (it allows everything), dbus-daemon is still going to deny it. dbus-daemon has no concept of devmode, so you need to specify the interfac ein your yaml [19:41] * jdstrand updates the wiki for that point [19:46] sborovkov: fyi, I updated https://github.com/snapcore/snapd/wiki/Interfaces#dbus for the devmode with system bus case [19:47] jdstrand: understood thanks [19:51] slangasek: hey, we added a new feature (plugin) in snapcraft that fails on zesty and it seems to be related to Qt itself and not snapcraft (https://github.com/snapcore/snapcraft/pull/1127). We are still running yakkety-armhf to verify this but I wanted to know what our options were [19:51] PR snapcraft#1127: Release changelog for 2.27 [19:52] oh great, the yakkety one timed out... :-/ [19:56] jdstrand: I did not use not auto-connected interfaces before. So do I need to connect my snap to core:dbus after installation to make it work? [19:58] sborovkov: actually, no. if you read the page you'll see that the slot implementation uses 'slots' to provide the interface to other snaps [19:58] sborovkov: the slot side policy for the dbus snap allows you to bind to the well-known name without have to use snap connect [19:58] having* [19:58] jdstrand: ok, understood. was confused about that. [19:59] PR snapd#2825 opened: osutil/build_id: add package for reading Build-ID [19:59] sborovkov: a client snap that uses: [19:59] plugs: [19:59] screenly: [19:59] interface: dbus [19:59] bus: system [19:59] mwhudson: would you have a moment to review the build_id branch ^^ [19:59] name: com.screenly [20:00] sborovkov: would need to 'snap connect foo:screenly screenly:dbus' [20:00] sborovkov: which allows 'foo' to talk to your screenly service [20:00] jdstrand: but that's not needed if both services are inside the same snap? [20:01] sborovkov: with 2.23, no [20:02] PR snapd#2707 closed: overlord/snapstate: prepare for using snap-update-ns [20:02] PR snapd#2776 closed: cmd: use per-snap mount profile to populate the mount namespace [20:03] jdstrand: what if I wanted to make a call to dbus interface that is exposed by service not run as a snap? is that possible with this security implementation? [20:04] sborovkov: you'd have to be more specific. dbus is fully mediated by snaps and, like files, you need to use the proper interfaces to allow talking to the system dbus services or the services of other snaps [20:05] jdstrand: alright, understood. and if I have snapd 2.21 I need to use plugs:... code if client and server are both inside the same snap? [20:07] sborovkov: yes, you would need to plugs the slot you are providing. that is the normal case, but as it happens with dbus, 2.23 added a rule that says "any command within the snap can talk to any other command in the snap over dbus" [20:08] (caveat being the snap needs to use dbus interface or similar to bind to a well-known name) [20:08] jdstrand: thanks for assistance and have a good day :) [20:08] sborovkov: you too :) [20:19] so iam kind of stuck with this snap i created for rclone, rclone uses an .rclone.conf file located in an users home directory be deafult, but whenever i try to configure an remote cloud service with rclone, i get 2017/02/09 20:14:27 Failed to save config file: open /root/.rclone.conf: permission denied. here is what iam using currently with launchbuild to [20:19] automaitcally build and upload https://github.com/Dedsec1/rclone/blob/master/snapcraft.yaml [20:19] i meant launchpad not launchbuild lol [20:25] jdstrand: can you please add this to your queue: https://github.com/snapcore/snapd/pull/2775/files [20:25] PR snapd#2775: cmd: add functions to load/save fstab-like files [20:25] jdstrand: it's for snap-update-ns, not setuid critical [20:27] sergiusens: what are you looking for options on? are you asking about releasing the sru before pushing to zesty-proposed? [20:28] zyga: added to queue. it won't be today though [20:29] jdstrand, if you have a minute, I could use some advice [20:30] jdstrand, I have a user of the nextcloud snap (strictly confined) on 16.10 who seems to have DNS issues only in the snap. I've reached that conclusion using only these tests: http://pastebin.ubuntu.com/23962576/ [20:30] jdstrand, do you agree with that conclusion? [20:41] kyrofa: the tracebacks at line 14 and 18 indicate something unrelated to dns. I'm not convinced that the traceback at 22 is dns [20:42] kyrofa: it could be, but it might not be [20:42] kyrofa: (ie, it could be a bad error message) [20:42] jdstrand, how would you explain how the traceback at 44 seems to have gotten out, then? [20:43] i.e. if it wasn't DNS-related, wouldn't it have a similar issue? [20:43] kyrofa: what if you stage-packages bind9-host and use 'host acme-staging.api.letsencrypt.org'? [20:44] jdstrand, I guess I could host that on people.canonical and have him give it a try [20:45] kyrofa: there are no security denials? [20:45] jdstrand, not unusual ones anyway (/proc//mounts) [20:45] I get those as well and it works fine for me [20:45] kyrofa: it might be interesting to see the contents of /etc/resolv.conf and friends in the snap and outside [20:46] zyga: looking [20:46] kyrofa: since you mentioned 16.10, that implies classic vs all-snaps since we have no all-snaps 16.10 images. is this correct? [20:46] jdstrand, indeed [20:47] kyrofa: again, sure you know this, but the mounts stuff would go away if plug mount-observe [20:47] jdstrand, yeah it doesn't actually seem to hurt anything, so I've left that off [20:48] * jdstrand nods [20:48] it is usually harmless === JanC is now known as Guest72742 === JanC_ is now known as JanC [20:49] jdstrand, alright thanks for giving me a few more directions... I wasn't sure where to go next there [20:49] I hate debugging stuff that I can't duplicate [20:58] mwhudson: thanks! [20:58] jdstrand: thanks, that's all right [20:59] PR snapd#2826 opened: overlord: optional device registration and gadget support [21:07] jdstrand: I'm trying to test all the corners of the unity8 plug interface, and I'm having a hard time understanding why I'm seeing an apparmor denial: http://pastebin.ubuntu.com/23962778/ [21:19] mterry: where did you put that rule? did you reload the apparmor profile? [21:20] that rule is from the /var/lib/snapd/apparmor/ file [21:20] mterry: which one? [21:20] /var/lib/snapd/apparmor/profiles/snap.webbrowser-app.webbrowser-app [21:21] I thought it was reloaded -- let me reconnect interface and restart apps [21:21] mterry: ok, if you are reconnecting and stuff, it blows away custom rules [21:22] * mterry does some testing [21:23] mterry: the rule in the paste is correct for the 2nd denial [21:25] jjohansen: hey, do you know when can we expect the kernel with your fixes out in the wild (in ubuntu)? [21:25] zyga: 2 weeks [21:26] the kernel has a 3 week cadence [21:27] unless you are talking zesty, and then who knows, it could be sooner [21:30] Bug #1545871 changed: Be able to query with multiple terms [21:31] jdstrand: ok yeah I was just being dumb -- thanks [21:32] mterry: np. it isn't obvious that changes are blown away on enable/disable/refresh/etc [21:38] jjohansen: thanks [21:38] PR snapcraft#1130 opened: catkin plugin: produce build-ready staging area [21:38] PR snapd#2814 closed: cmd: add helpers for working with mount/umount commands [21:38] PR snapd#2827 opened: cmd: add helpers for mounting / unmounting [21:40] jdstrand: please add this to your queue: perhaps before the mount entry (and it's shorter): https://github.com/snapcore/snapd/pull/2827 [21:40] PR snapd#2827: cmd: add helpers for mounting / unmounting [21:47] anyone know if launchpad supports snap auto build with an snap using confinement: classic? [21:50] zyga: added [22:08] PR snapcraft#1131 opened: lifecycle: hardcode test_core_snap's PATH [22:08] DedSec, not yet, but it will in the next snapcraft release (early next week) [22:18] oh cool [22:19] but for now i can just build it manually and push when needed i guess [22:20] DedSec, indeed [22:21] DedSec, keep an eye out for the snapcraft 2.27 release announcement; you'll know to try again [22:26] gotcha [22:27] i mean, iam pretty certain i can get rclone to work fully if i can just get the home plug to allow it to read and write an .conf file to an users home directory [22:59] if anybody can help, I've having trouble with launchpad building snaps for me on anything > xenial b/c of not being able to verify the gpg key... "NO_PUBKEY F1831DDAFC42E99D" https://code.launchpad.net/~lutostag/+snap/easy2fa/+build/21077/+files/buildlog_snap_ubuntu_yakkety_amd64_easy2fa_BUILDING.txt.gz [23:00] lutostag, we don't recommend doing that anyway-- we don't have a core snap that corresponds to anything other than xenial [23:01] hmm, so if I want to snap with some stage packages > xenial, should I make a ppa for them instead? [23:04] lutostag, that's one way. Another would be to build them as another part [23:05] I thought someone might say that... ;) [23:05] lutostag, there are a few issues here. One is that you'll be building with a newer libc than the one on which you'll be running [23:06] lutostag, another is that snapcraft uses the core snap corresponding to the release on which you're building to be smart and strip out libraries it knows are included in the core snap. But since there is no yakkety core snap, it won't remove anything [23:11] kyrofa: ah, that's why I get the warnings for 'No libraries to exclude from this release', was curious about that [23:11] (when built locally) [23:11] lutostag, yep, that's it [23:14] kyrofa: ok, I'll see if I can build the prereqs as a part, thanks [23:15] lutostag, no problem. Give a shout if you need some help [23:55] Anyone used bluez snap?