[00:51] PR snapcraft#1470 closed: catkin plugin: default to release build [01:58] snap install /tmp/meshlab-cYdtAIYBmTS1b7L2q8yrMdpAZ38qLv6Q_4.snap [01:58] - Copy snap "meshlab" data (cannot copy "/var/snap/meshlab/4" to "/var/snap/meshlab/4": failed to copy all: "cp: cannot stat '/var/snap/meshlab/4': No such file or directory" (1)) [01:59] anyone know what that's about? the dir exists. I also intermittently get a core error [01:59] ... [01:59] # snap refresh core [01:59] error: cannot perform the following tasks: [01:59] - Setup snap "core" (2601) security profiles (cannot setup mount for snap "core": cannot update mount namespace of snap "core": cannot update preserved namespace of snap "core": fork/exec /usr/lib/snapd/snap-update-ns: no such file or directory) [02:05] PR snapd#3701 opened: tests: fix interfaces-cups-control test [03:33] How jailed are snaps? They seem to log to the root /var/log [03:34] ie, I now have samba.log files in /var/log after installing the samba snap I am working on [04:24] PR snapd#3702 opened: interfaces: add missing test for camera interface [05:26] PR snapd#3703 opened: interfaces: improve and tweak bunch of interfaces test cases [05:43] What is the correct way to create required directories for a snap? [05:43] ie, /etc if it doesnt exist? [05:43] Hooks? [07:52] PR snapd#3704 opened: interfaces: convert lxd to common iface [07:54] good morning [07:57] mvo: how are we doing? [07:57] PR snapd#3657 closed: daemon, client, cmd/snap: implement snap start/stop/restart [07:57] woooooooooooooo [07:58] hey Chipaca, feels good to have the merge go in :) [08:00] yes [08:02] hey zyga-suse [08:05] zyga-suse: o/ [08:06] hey hey [08:07] I have one important bug to check and then I'd like to release suse and arch packages [08:14] some perspective form appimage developers: https://github.com/AppImage/AppImageKit/wiki/Desktop-Linux-Platform-Issues [08:14] PR snapd#3705 opened: interfaces: convert lxd_support to common iface [08:14] zyga-suse: can you check if rc9 builds? [08:15] mvo: sure, where? [08:15] zyga-suse: suse, arch [08:16] with pleasure [08:16] do you have tarballs? [08:16] I'll build master locally but it would help to have rc tarballs [08:16] zyga-suse: I can prepare one, otherwise in the ppa [08:16] (do you still make them manually?) [08:17] for various reasons it is easier if they are on github (various tools can pull them like in debian) [08:17] zyga-suse: https://launchpad.net/~snappy-dev/+archive/ubuntu/image/+files/snapd_2.27~rc9.tar.xz [08:17] zyga-suse: aha, ok [08:17] ok [08:17] this is fine [08:17] zyga-suse: ok, thank you. I have a script that creates them now [08:18] awesome, it would be good to commit that to the tree at some point [08:18] PR snapd#3700 closed: tests: fix for upgrade test on fedora [08:19] PR snapd#3706 opened: asserts,overlord/devicestate: support predefined assertions that don't establish foundational trust [08:28] zyga-suse: so what's the debian update waiting on? [08:28] mwhudson: not sure, I didn't look at debian seriously for too long :/ [08:28] mwhudson: I think we want 2.27 across the stack [08:28] zyga-suse: ok [08:30] zyga-suse: on the dependency side [08:30] zyga-suse: we can leave the i18n commented out for now i guess [08:31] I think that's acceptable [08:31] zyga-suse: i need to find a sponsor to upload golang-go-flags-dev [08:31] is the patch extensive? [08:31] oh, I assumed you are a DD [08:31] no [08:31] zyga-suse: not yet :) [08:31] i am in the process [08:31] great :) [08:31] mwhudson: let me know, I can help [08:32] the x/net fork can be avoiding by simply not running that test in the build? [08:32] mvo: https://anonscm.debian.org/cgit/pkg-go/packages/golang-go-flags.git/ [08:33] oh wait [08:33] mwhudson: if you create something that I just need to sign/dput, that would be best for me [08:34] * zyga-suse iterates on the opensuse package [08:34] some things failed on 2.25 still, but perhaps just racy tests [08:34] I'll focus on 2.27 [08:35] mvo: ack [08:36] mvo: the tarball has different name and internal directory name than the one before [08:37] not complaining but pointing out that we should perhaps use snapd-$version on the inside [08:37] and pick whatever fixed on the outside [08:37] zyga-suse: meh, yes [08:37] zyga-suse: part of the problem is the debian build tools, but I don't want to make excuses [08:37] zyga-suse: I look into it [08:37] debian build tools? [08:37] zyga-suse: the tarball is generated from the git repo, I will see what I can do with git-buildpackage [08:38] ok [08:41] zyga-suse, mvo: and we thing we can use upstream instead of github.com/mvo5/libseccomp-golang for debian? [08:41] I'd love to [08:41] mvo: is that under golang CLA? [08:44] * zyga-suse needs to refresh some patches [08:44] well [08:44] packaging 010 [08:44] 101 even :P [08:45] mvo: i've made something for you to upload but i'm going to test build it before i give you the link :) [08:46] zyga-suse, what are the chances of getting core snap to ship libselinux? [08:46] ikey: hey [08:46] heya [08:46] ikey: I saw your comments [08:46] ikey: I need to look into it [08:46] mwhudson: yeah, upstream libseccomp-golang should be fine, all I did there was adjust for trusty [08:46] ikey: it feels more like a bug in the app than something that really really should be in the core [08:46] mwhudson: our trusty libseccomp is heavily backported [08:47] zyga-suse, well its all over the place [08:47] ikey: but I want to look at it for real before making any calls [08:47] okidoke [08:47] core's own Things use libselinux [08:47] like gio-querymodules: [08:47] and other bits [08:47] it would seem core isn't as clean and self contained as it thinks it is [08:47] ikey: I see ./lib/x86_64-linux-gnu/libselinux.so.1 [08:48] (that's relative to core itself) [08:48] is it possible this is some derpy side effect of not having rexec? [08:48] *re-exec [08:48] no, probably a bug somewhere else [08:48] ok [08:48] look at dirs/dirs.go [08:48] I think you may need to say that on solus you use lib64 to keep distro binaries [08:48] im loath to including libselinux in solus because, well, it infects stuff [08:48] mvo: http://people.canonical.com/~mwh/golang-go-flags-dev/ [08:48] (AFAIR snapd is there [08:49] as are other relevant parts) [08:49] ah so multiarch vs multilib [08:49] curious, ty [08:49] ikey: you should never have to include anything in the distribution to make a given snap work [08:49] that was my thought [08:49] snaps don't see anything from the host really (not libraries) [08:49] ikey: do you know how it roughly works at runtime? [08:50] ikey: as a big approximation: the *base* snap (e.g. core but other bases are in progress) is used as the root filesystem [08:50] ikey: some things like /dev, /proc and /sys are "normal" (dev may be empty-ish, depending on confinement) [08:50] ikey: some things from the host are overlaid (e.g. parts of /etc) [08:50] right [08:50] ikey: /home and /root are shared but $HOME is changed [08:51] ikey: the real host root filesysystem is in /var/lib/snapd/hostfs [08:51] ikey: (with certain things unmounted, like sysfs and dev because it confuses apps [08:51] ikey: there's a long tail of small tweaks [08:51] aye [08:51] ikey: but the main point is: the host distribution is not used for runtime libraries or executables [08:52] well thats the theory [08:52] no, we really don't use them, what do you mean? [08:52] well at this point its not completely using the core snap either [08:52] yep, something is not right yet [08:53] but I bet this is packaging issue [08:53] if you want I can install solus and help you out [08:53] you'll forgive me for saying but i dont quite see *how* it would be a packaging issue [08:53] I'm working on opensuse and arch but then I can try out solus :) [08:53] when it looks more like the helper scripts are invoked host side [08:53] and not containerised [08:54] can you please run the hello snap after setting SNAP_CONFINE_DEBUG=yes [08:54] setting where, /etc/environment? [08:54] ikey: oh, one important point: if a snap uses 'classic confinement' then none of what I just said is true [08:54] sure [08:54] ikey: just export it in your shell [08:54] classic confinement is a different beast [08:55] yeah thats more at the appimage end of the spectrum [08:55] mvo: this is still breaking: [ 622s] FAIL: overlord_test.go:360: overlordSuite.TestEnsureLoopPrune [08:55] https://hastebin.com/ixovewisig.sql [08:56] zyga-suse: breaking where? [08:56] mvo: the unit test fails randomly [08:56] mvo: run it 1000 times and see the failure rate [08:57] ok [08:57] ikey: this worked, can you try with a more complex snap next? what did you try to use before? [08:57] brackets went boom [08:57] but thats classic [08:57] ikey: brackets is a classic snap :/ [08:57] so classic confinement uses different things [08:57] yer [08:58] and what must be happening is that the snap itself is broken [08:58] classic confinement is defined as follows: [08:58] a large number of them are broken* [08:58] pedronis: o/ [08:58] there is no file-system redirection [08:58] the core snap is in a well-known spot [08:58] as is the snap itself [08:58] those resources are guaranteed [08:58] sure but wouldnt you also alter LD_LIBRARY_PATH to factor in core runtime? [08:58] before executing the snap [08:58] other resources MAY be used but the snap author must do that with sanity [08:59] ikey: no, because that's snaps responsibility, some snaps are built in a way that this is not a factor [08:59] eg. [08:59] try python0 [08:59] eh [08:59] and look at the binary itself [08:59] and at how it is linked [08:59] yeah im gonna have to disagree there [08:59] the fact is that many snap with classic confinement are built in as sloppy way [08:59] so even with LD_LIBRARY_PATH, rpath is going to work fine [08:59] ikey: I can tell you why we're not setting LD_LIBRARY_PATH [08:59] ikey: because that breaks classic snaps that do certain things [08:59] there's no silver bullet here, [09:00] snaps using classic confinement *may* run apps from the host distribution [09:00] and then setting this would break that [09:00] I would argue that brackets is just done incorrectly and assumes to run on a ubuntu-ish system too much [09:00] right but its not *just* brackets that fails [09:00] its the scratch setup scripts in core [09:00] i.e. update icon cache, schemas, etc [09:00] scratch setup scripts? [09:00] idk what you call them :P [09:01] we don't have *any* scripts [09:01] so whatever you are describing comes from the snap itself [09:01] unfortunately classic confinement snaps are always going to be a hit-and-miss because when it runs on the developer's machine it doesn't mean it will run elsewhere for sure, like strictly confined snaps do [09:01] all the GUI snaps do seem to invoke gtk-update-icon-cache-3.0 (which doesnt exist) and there are some spam-debug lines about schemas, etc [09:02] ikey: that must be a common bug in those snaps then, I'm sure it can be addressed [09:02] (note that core doesn't ship any of that) [09:02] many snaps use a common helper [09:02] and if the helper has a bug we just need to fix it in one place and the next revision of those snaps will improve [09:03] non-classic: [09:03] (assuming duckmarines is non classic) [09:03] snap info foo [09:03] /snap/duckmarines/9/usr/lib/x86_64-linux-gnu/glib-2.0/gio-querymodules: error while loading shared libraries: libselinux.so.1: cannot open shared object file: No such file or directory [09:03] this will tell you [09:03] DEBUG: confinement: non-classic [09:03] when you install a snap you have to say --classic [09:04] mm, that's more interesting, let me see [09:04] it does eventually flop (no doubt due to missing apparmor) [09:04] [1] 5959 invalid system call snap run duckmarines [09:04] but im more interested in the library fail first [09:04] ikey: invalid system call == it was killed by seccomp [09:04] can you look at your journalctl/dmesg and look for seccomp [09:04] I wonder what killed it [09:04] are you on x86 or x86_64 system? [09:05] x86_64 [09:05] ok [09:05] (there were some socket/socketcall bugs on 32bit intel systems0 [09:05] because kernel changed [09:05] not seeing errors in either. odd. [09:05] Chipaca: hi [09:05] ikey: interesting, I just ran duckmarines on opensuse and it worked, no messages about missing libselinux.so.1 [09:06] can you verify if you have a host-side libselinux? [09:06] let me see what's going on deeper [09:06] ikey: again, host side libselinux is not accessible in any normal way [09:06] sure [09:06] but can you? :P [09:06] yes, checking anyway :-) [09:06] im seeing this: [09:06] 17/08/10 10:02:33.232761 taskrunner.go:367: DEBUG: Running task 298 on Do: Mount [09:06] led to reset devices.list on /system.slice: Invalid argument [09:07] ikey: hmmm, can you do "snap changes" [09:07] https://hastebin.com/eramororan.sql [09:07] pedronis: i hate that i can't get aliases from the app info :-) [09:08] Chipaca: they are not part of the snap anymore [09:08] pedronis: i know [09:08] 2 Error 2017-08-09T18:51:45Z 2017-08-09T18:51:54Z Install "hello-world" snap [09:08] can you do "snap change 2" [09:08] Chipaca: anyway you should probably build whatever you build close to where we build the alias symlinks no? [09:08] so it shouldn't be your problem [09:08] ikey: I have libselinux.so.1 but it is in /lib which is not shared [09:09] have you verified that with LD_DEBUG=libs? [09:09] Chipaca: I don't know what you did for other apps, but isn't something you can take care of in backend or wrappers ? [09:09] ikey: let's try (though I bet it cannot be that simply because we pivot_root and ther host /lib is gone) [09:09] ikey: one more tip [09:09] pedronis: i was trying to do it in wrappers, but wrappers doesn't have them [09:09] ikey: snap run --shell snapname.appname [09:09] Chipaca: s/other apps/normal app entry points/ [09:09] ikey: this drops you in a shell [09:09] pedronis: so i've got to do it in backend [09:09] aite [09:10] where you can run stuff with same environment and other magic [09:10] pedronis: (the "normal" app entry points are done in wrappers) [09:10] useful for debugging [09:10] Chipaca: backend has stuff both for normal entrypoints and aliases so yes, seems a reasonable place [09:10] crosscutting concerns and everything considering [09:10] the --shell looks an awful lot like my host system [09:11] ikey: look at /proc/mountinfo [09:11] ikey: aaaah [09:11] I know what's the problem [09:11] maaan [09:11] so obscure [09:11] :D [09:11] sorry, it's my fault entirely [09:11] go to cmd/snap-confine [09:11] mwhudson: many thanks, uploaded, waiting for the confirmation mail [09:12] Chipaca: it seems simple, I'm probably missing something, because we do tell backend about what aliases we want to make very precisely [09:12] ikey: sorry, go to cmd/libsnap-confine-private and fix classic.c [09:12] pedronis: and, to make things more interesting, UpdateAliases doesn't clean up on error [09:12] ikey: super obscure because most distros are derivatives so we didn't notice [09:12] bool is_running_on_classic_distribution() [09:12] o_O [09:12] pedronis: [09:12] pedronis: :-) [09:12] ikey: snapd knows this via other means but currently it doesn't say to snap-confine "you are on a classic distro" [09:12] mvo: you uploaded it to ubuntu :) [09:12] pedronis: quick question - I want to add auto-download/install of misisng bases (and also of missing content-provider snaps). do you think snapstate is the right place? [09:12] and what does "classic distro" mean? [09:13] ikey: snapd can run in a "core" distro where everything is a snap [09:13] mwhudson: yes and to debian [09:13] ikey: like ubuntu-core [09:13] mwhudson: for good measure ;) [09:13] mvo: ah ok [09:13] mvo: yes [09:13] Rejected: [09:13] Unable to find distroseries: unstable [09:13] mwhudson: no, sorry, the initial upload was a mistake [09:13] ikey: the kernel is a snap, the whole host filesystem is a snap, etc [09:13] wait so right now snapd is acting like its on ubuntu core? [09:13] mvo: ok:) [09:13] so close yet so far away to getting samba running as a snap [09:13] pedronis: great, I will move forward with that [09:13] ikey: and in that mode, we don't have the mount namespace changes since the main namespace is the core snap already [09:13] xD [09:13] ikey: that is actually going away as we introduce bases [09:13] gotcha [09:13] ldb: unable to stat module //lib/samba/ldb : No such file or directory buit the dir is populated with the modules [09:13] mvo: remember that auto-refresh doesn't even go through api anymore for example [09:13] ikey: but it is a pretty obscure part of snapd :) [09:13] mwhudson: happens all the time to me, I need to write me something that refuses to upload debian distor names to ubuntu [09:13] ikey: sorry and thank you for finding it [09:13] awkward ikey with his not-derivative-ness [09:13] thanks bud [09:13] pedronis: yes, good point [09:13] ikey: that should fix a loooot of things :) [09:14] yeah im sure lol [09:14] mvo: so there's probably not even another option atm [09:14] mvo: i have this desire to write a wrapper for dput that does a whole bunch of validation [09:14] alright lemme rebase my patch and make it all solusy [09:14] mvo: like, if the target is a ppa and the version doesn't have "~ppa" in --> DENIED [09:14] thank you :) [09:14] * zyga-suse adds that to his mental porting list [09:15] mvo: that test fails all the time, let me investigate [09:15] mwhudson: I would give you an extra hug for such a wrapper [09:15] mwhudson: I have a desire for a debian dev tool that is not a wrapper over wrappers over perl but ... well [09:15] * zyga-suse sings along [09:15] zyga-suse: there are go libraries for all this stuff :) [09:16] but tbh i find the perl ones easier to use [09:16] go-debhelper? [09:16] ;-) [09:16] pault.ag/Debian/something [09:16] fair enough, at some point the amount of ducktape exceeds critical mass and we get a black hole of packaging [09:18] you think that hasn't happened already? :) [09:18] * zyga-suse grabs some coffee while deps are pulled [09:20] zyga-suse: I'm preparing 2.27 now, should I also update the packaging/suse snapd.spec file? [09:20] mvo: perhaps-ish, in which way? [09:21] zyga-suse: bump version number, add changelog [09:21] mvo: please, I'll do the rest [09:21] zyga-suse: this is what I currently do on fedora too [09:21] zyga-suse: ok [09:21] I will probably have more patches that I merge back to master [09:21] mvo: I'm worried about that test failure though [09:21] I'm running it now [09:21] zyga-suse: the prune one? [09:21] yes [09:21] mvo: (there's also arch, if you have one vm handy) [09:22] mvo: I merged arch packaging back [09:22] I think we had it for a long time, no regression [09:22] zyga-suse: I have no vm but I can upadate version and changelog there too [09:22] mvo: I think we fixed a while ago [09:22] mvo: not sure if there's a changelog, look if anything seems obviously stale there [09:22] mvo: I'll update arch as soon as I'm done with opensuse [09:23] zyga-suse: what does "Release: 2" in the suse spec file mean? [09:23] mvo: it's -2 in debian-speak [09:23] reset that to 1 if the upstream version is bumped [09:23] zyga-suse: aha, so I set it back to -1 ? [09:23] precisely :) [09:23] ta [09:23] zyga-suse: there is no changelog in the suse spec file so that update is easy :) [09:24] mvo: suse changelogs are in separate files [09:24] snapd.changes [09:24] * zyga-suse sings along [09:24] zyga-suse: fun [09:24] so many ways to do everything [09:24] mvo: I suspect both suse and arch will carry small patches [09:24] mvo: but that is fine [09:24] let's get the 2.27 elephant out of the door [09:25] mvo: I plan to test your /snap symlink support patch in arch and add that to the release [09:25] pedronis: remember the prune test that failed? [09:25] * mwhudson stares at the upstream packaging/ubuntu-16.04 and the one from debian's 2.21-2 [09:25] pedronis: either something changed or our fix was wrong because it just always fails on opensuse tumbleweed for me [09:26] zyga-suse: I don't know [09:26] zyga-suse: yeah, I have no arch packaging in the 2.27 branch so I will ignore that for now [09:26] always seems strange though [09:26] mwhudson: is it very different? [09:26] https://paste.gnome.org/p0rrl0u4j [09:26] pedronis: can you have a look if that rings a bell? [09:26] I mean it seems unrelated to details of the test [09:26] mvo: no, not really [09:26] mvo: well, yes [09:26] mvo: vendorized vs not [09:26] zyga-suse: that part is easy :) [09:26] pedronis: ah, that I agree with [09:27] mwhudson: if you think it makes sense we can put the debian packaging into upstream git as well [09:27] zyga-suse: nothing obvious comes to mind [09:27] pedronis: let me dig, then [09:28] zyga-suse: what format is supported in snapd.changes? or is that just free form? [09:28] mvo: "osc vc" format [09:28] * mvo googles [09:28] one sec [09:29] https://paste.gnome.org/pz2dhm3qz [09:29] mvo: that's my latest entry [09:29] (still WIP) [09:29] entries are delimited by those dashes [09:29] zyga-suse: also remember we fixed one but I think there's another one to fix, that we never got to [09:29] mvo: yeah that might make sense [09:29] pedronis: yes but this is the one we fixed AFAIK [09:29] zyga-suse: mostly wondering about nesting [09:30] mvo: not sure [09:30] mwhudson: let me know if I can help, otherwise I will welcome a PR :) [09:30] pedronis: this is confirmed by git blame: 59472d24b3 [09:30] anyway always seems weird [09:31] ikey: does it work better now/ [09:31] ikey: I'm really surprised even "hello" worked :) [09:31] maybe because it is a shell script [09:32] zyga-suse, so [09:32] done some initial porting [09:32] there are more odd assumptions [09:32] /run/media is locked to MERGED_USR [09:32] that shouldn't be the case [09:32] /run/media is just modern-systemd-fhs-udev-udisks [09:33] and shouldn't rely on the MERGED_USR assumption [09:33] additionally.. why is /usr/src required? [09:33] this makes little sense to me .. [09:33] ikey: some snaps have permissions to build and load a kernel module and they require access to the kernel source, if you have some on the machine [09:33] woa. no [09:33] thats wrong :P [09:34] ikey: this is specifically for some bleeding edge observing/monitoring tools [09:34] so how do I turn off all kernel related functionality in snapd? [09:34] ikey: that's not wrong, that's a permission that is controlled by snapd [09:34] believe me snapd isnt going to be able to deal with solus kernels [09:34] hell GRUB barely can [09:34] ikey: this is all controlled by interfaces, unsafe interfaces are not allowed unless there's an assertion saying that a given snap from a given developer is trusted to do something specific [09:34] ikey: e.g. we allow docker and lxd to do a lot of stuff to function [09:35] yeah i want to disable this at the distribution level [09:35] ikey: because no meaningful way to confine them exists [09:35] kernel modules on solus should come only from our repositories [09:35] our kernels dont work like ubuntu kernels [09:35] ikey: note that snaps won't be able to load those modules [09:35] ikey: /usr/src is so that they can build them [09:35] ikey: loading is controlled with seccomp and snapd interfaces [09:36] ikey: that's fine, not all systems must support all interfaces [09:36] you'll see what i mean here about kernels: https://hastebin.com/ulureceful.go [09:37] i could potentially include an empty /usr/src (no owner) directory in the snapd pkg [09:37] which might mitigate that bit [09:37] ikey: I think we just want to make that non-mandatory [09:37] ikey: it's better [09:37] ikey: and we are doing some of that for base snaps [09:37] gotcha [09:38] ikey: where you can create an app that runs on top of really empty filesystem, with except for things like /snap to mount the actual code [09:38] ah [09:38] nice [09:38] ikey: so you could eventually make snaps that use solus as a base [09:38] ikey: and they still work on fedora/debian/opensuse [09:38] yeah i can definitely see use cases for that [09:39] ikey: (mvo is leading that work) [09:39] fair play :] [09:39] indeed! [09:39] ikey: if you are interested in the security aspect I really encourage you to look at interfaces/ [09:39] ikey: all snaps get the same confinement by default [09:39] ikey: and if you want to change that confinement you need to use one of the interfaces [09:39] ikey: interfaces are like contracts between two parties [09:39] ikey: and interfaces are not just permissions [09:40] right [09:40] ikey: they come in pairs, a plug and a slot that may be connected [09:40] sorta like protocols [09:40] gotcha [09:40] [Package] Including empty directory: /usr/src [09:40] * ikey cheated [09:40] ikey: simple things like "I want to create sockets and connect to the network" are so common that the slot is offered by the core snap implicitly [09:40] right [09:40] ikey: but slots and plugs are really numerous, e.g. a slot representing a serial port [09:41] ikey: on the dell gateway device there are a few of those [09:41] ikey: and if you install a snap that does something over a serial port [09:41] ikey: and connect it to the one you want (e.g. the "2nd serial port from the left" [09:41] ikey: only *then* will that snap get permissions to talk to *that* particular device [09:41] ikey: that's the general idea [09:41] ikey: interface defines the "way to communicate" [09:42] ikey: be it a file path, system call, or lots of complex rules [09:42] ikey: each interface can control many aspects of the system sandbox: seccomp, apparmor, kernel modules, udev tagging, dbus bus permissions, etc [09:42] gotcha [09:42] makes sense [09:42] ikey: interfaces are merged into snapd and audited for secuirty [09:43] ikey: snaps can use powerful interfaces after having an assertion that say we trust them to do this [09:43] aye [09:43] ikey: "powerful" interfaces are those that may break out of confinement (e.g. docker) or those that may expose user data or other privacy aspects [09:43] that's about the rough idea [09:44] ok well progress [09:44] ikey: if you have any security questions I'd love to know :-) [09:44] no library issues [09:44] \o/ [09:44] No schema files found: doing nothing. [09:44] [1] 2094 invalid system call snap run duckmarines [09:44] ikey: that syscall is worrying [09:44] can you look at system logs and see if you see any audit messageS? [09:44] (unless audit is off on solus) [09:44] audit is off because systemd broke it [09:44] hmm? [09:45] you'd gain a 50gb ring buffer in a matter of minutes [09:45] they got into a fight [09:45] do you see _anything_ in the logs when that message is printed [09:45] specifically, which system call it is [09:45] nothing related now [09:45] as a cheap wokraround you can disable seccomp [09:45] --without-seccomp to configiure [09:45] *configure [09:45] yeah but that seems nasty :p [09:46] indeed [09:46] ill see if its kernel specific and try the LTS 4.9 [09:46] ikey: my gut feeling says it's related to socket [09:46] 99% of our issues are there [09:46] mybe it's a 32bit app running in a 64bit system [09:46] also check libseccomp version [09:47] we fixed some bugs there and maybe you are still affected [09:47] Name : libseccomp, version: 2.3.2, release: 4 [09:48] * ikey sees https://github.com/seccomp/libseccomp/commit/73d83e45efbe8c31067c97155162f17ca51b7435 [09:48] is that in your version? [09:48] nay [09:48] aha [09:48] so im gonna take it to git [09:48] may be it :) [09:48] yeah, we're all pushing the edges here [09:49] *unfortunately* you guys forcibly statically link libseccomp :P === chihchun_afk is now known as chihchun [09:49] working on snapd over last year we found so many interesting kernel bugs [09:49] ikey: that's a workaround that I want to fix after 2.27 [09:49] it's all complex, nothing is perfect [09:49] we really want to statically link it in one specific case [09:50] I'll flipt the workaround [09:50] you can link it dynamically [09:50] s'ok i can just rebuild :p [09:50] zyga-suse, mvo: EOD-ing now, hopefully some action tomorrow! [09:50] mwhudson: thank you, enjoy your evening! [09:52] ikey: and if you have initial patches for solus please start sending them [09:54] PR snapd#3707 opened: interfaces: convert io_ports_control to common iface [09:59] * ikey sighs at libseccomp abuse of configure.ac [10:13] [1] 1730 invalid system call snap run duckmarines [10:13] poo. [10:15] I think you have to find the number somehow [10:16] is that still from snap-confine or from the suckmarines binary alreday? [10:17] idk, from "snap run duckmarines" [10:17] also, this is new: [10:17] error: cannot install "brackets": classic confinement is not yet supported on [10:17] your distribution [10:17] ikey: do you have /snap? [10:18] ikey: classic confinement relies on this to exist [10:18] no im using /var/lib/snapd/snap [10:18] ikey: there's a patch from mvo that makes that an actual check, not a hard-coded list [10:18] then no classic confinement :/ [10:18] * ikey patches it. [10:18] or are they all built that way? [10:18] patches it how? [10:18] for /snap/ [10:18] they *require* /snap [10:18] ew [10:18] k. [10:18] because classic confinement doesn't use mount namespaces and other goodies [10:19] so it has no other way to say "this is something you can hard-code in your binaries" [10:19] so then classic confinement snaps (like - a whole bunch of them) wont work on most distros? [10:19] because they're using /var/lib/snapd/snap? [10:19] sod that [10:19] * ikey switches to /snap [10:19] im not *that* torn up about the FHS [10:19] ikey: so far they don't work on fedora and arch but I'm not sure if arch will keep it that way [10:19] fedora is very political about that, but I respect their decision [10:20] ikey: with a patch proposed by mvo a symlink from /snap to /var/lib/snapd/snap is enough [10:20] ikey: note that you need to patch both snapd and re-configure snap-confine [10:20] ikey: when you make this decision [10:20] sure but at that point you have /snap anyway [10:20] so might as well use it [10:20] ikey: yes [10:20] symlink or not [10:21] I'd love to standardize /snap as a optional FHS feature one day [10:21] ikey: (you want to see dirs/dirs.go for the snapd side) [10:21] ikey: I think /snap is default though, not sure what you changed already [10:22] changed dirs.go [10:22] ill change it back [10:25] ok so im back to having classic "work" [10:25] im gonna have to bite the bullet probably and package up libselinux and provide the invalid ubuntu-named gtk-update-icon-cache-3.0 [10:25] and that should "fix" the vast majority of classic snaps [10:25] thank you! [10:25] and we'll use /snap too [10:25] we should also do better checks on classic confinement snaps [10:25] to figure out how to make that a bound problem [10:26] not a "whack-a-mole" [10:26] aye [10:26] ikey, sergiusens: hacks on the build tool, snapcraft [10:26] ah ok [10:26] well, the meta-build swiss-army-knife [10:26] so what you could do is effectively an ABI report on the root and discover missing bits [10:26] ikey: yeah, I think he is partially doing that today, not sure if at symbol level [10:26] so i wrote a tool while i was at intel to do simple abi reports: https://github.com/clearlinux/abireport [10:27] oh, neat [10:27] sergiusens: ^^ you want to see that [10:27] so in solus it looks like this: [10:27] https://dev.solus-project.com/source/libseccomp/browse/master/abi_symbols [10:27] https://dev.solus-project.com/source/libseccomp/browse/master/abi_used_libs [10:27] neat [10:27] I think we can learn from that [10:27] but i figured you could steal the core of abireport (Apache-2.0) to create a new kind of ABI tracker [10:28] that way you can raise warnings when there are missing providers for a used symbol [10:28] yeah, I'm sure we can improve a lot in the tooling used so far; [10:28] all the new-kind-of-apps projects are a huge community learning exercise [10:28] and collective pushing-the-boundary work [10:28] fwiw i found it quite amusing when i saw the initial snap format [10:29] given how close it is the solus format [10:29] yeah? [10:29] https://dev.solus-project.com/source/libseccomp/browse/master/package.yml [10:29] btw, I'm not familiar with solus packages [10:29] can you tell me more about them [10:29] that there is the build file for libseccomp [10:29] ha [10:29] interesting [10:29] we focus on automation and correctness [10:29] did you see snapcraft.yaml? [10:29] the one thing I love snapcraft did [10:29] ikey: nice, this looks way better than the spec files [10:29] is to separate parts [10:29] so that actually splits into libseccomp and libseccomp-devel [10:29] (and libseccomp-dbginfo) [10:29] so that you can have one snap with two elements inside [10:30] one, say, written in C with typical build-install code [10:30] if you add emul32: yes you'll get libseccomp-32bit and libseccomp-32bit-dbginfo and libseccomp-32bit-devel [10:30] and one written in something totally different, say python, [10:30] and the logic is per-part [10:30] so things compose more easily [10:30] yeah units is nice to have [10:30] the package.yml has some tricks up its sleeve like patterns [10:30] which dynamically constructs a subpackage based on a path math [10:30] ikey: did you see http://build.snapcraft.io/ ? [10:31] s/mat/match/ [10:31] failsed. [10:31] yeah its pretty [10:31] vs https://build.solus-project.com/ [10:31] xD [10:31] ikey: nice, I wrote something like that for debian a while back but it was not well received [10:31] yeaah Debian *enjoys* having hard packaging [10:31] very extreme example: https://dev.solus-project.com/source/libreoffice/browse/master/package.yml [10:32] id sooner do that than debian/control and debian/*.install ... [10:32] :p [10:32] (the format also supports profile guided optimisation and test suites fwiw) [10:32] https://pypi.python.org/pypi/dh_splitpackage/0.2.3 [10:32] curiously the links to launchpad are dead [10:33] "without pulling your hair out" lol [10:33] but the tarball is there [10:33] personally i find the linux world focuses too much on packages and package managers and superiority of these glorified tarballs (giftwraped, I guess) [10:34] i like to focus on features, scalability, delivery, cadence.. [10:34] ah [10:34] found it [10:34] http://bazaar.launchpad.net/~zyga/dh-splitpackage/trunk/view/head:/debian/splitpackage [10:34] _ vs - [10:34] yes, I agree a lot [10:34] oh cute yaml map [10:35] not quite yaml but yeah [10:35] yamlish [10:35] wow, I even wrote a man page [10:35] http://bazaar.launchpad.net/~zyga/dh-splitpackage/trunk/view/head:/dh_splitpackage.1 [10:35] check you being all dedicated [10:35] lol [10:35] oh dude you legit *wrote* a manpage [10:35] _yes_ that's what I meant [10:35] hand made [10:36] yes, I was trying to help [10:36] (then got ranty responses and lost interest) [10:36] use ronn [10:36] convert markdown to manpage :] [10:36] nice! I was using rst2man later on [10:36] but markdown is nicer [10:36] so i can do like https://github.com/solus-project/ypkg/blob/master/man/package.yml.5.md and have it generate to https://github.com/solus-project/ypkg/blob/master/man/package.yml.5 [10:37] ah rst2man is pretty sweet yea [10:37] heh [10:37] reading my own man page I still think dh_splitpackage is a few times better than anything else currently in debian [10:37] well [10:37] thinking about what you said [10:38] inclusion patterns could even be included from distro-wide global [10:38] yeah [10:38] so there would be less repetition [10:38] well :) [10:38] so you set distro policy from the outset [10:38] I like how snaps don't have that problem [10:38] yep [10:38] but the key is to allow extending the pattern [10:38] snaps are not perfect [10:38] but at least we let people make and ship apps without reading holy books of packaging [10:38] so you can see the default solus patterning here: https://github.com/solus-project/ypkg/blob/master/ypkg2/packages.py#L141 [10:39] and in almost all cases it does the right thing ™ [10:39] nice [10:39] yep [10:39] until cmake is a dick and decides to use /usr/lib [10:39] for both 32-bit and 64-bit [10:39] well [10:39] thats cmake for ya. [10:39] lol [10:39] linux distros are a dick [10:39] we love to diverge [10:39] true [10:39] well tbf you all went down the multiarch route :P [10:39] i wanted pure 64bit [10:39] but nope, steam, skype, wine .... [10:39] multiarch is great for arm cross compiling (and not just arm) [10:40] though TBH fat binaries would have been better [10:40] yeah [10:40] well :) [10:40] well, i got the whole "gah why you no use multiarch" thing a while back [10:40] it's good to find others that share one's view [10:40] and its like, well, solus is only 64-bit native [10:40] so it makes not much sense :p [10:40] I think multiarch is more than that [10:40] so instead we explicitly have lib64 and lib32 [10:40] 32/64 biarch is easier [10:40] and we split packages based on that [10:40] multiarch is is a nice general concept [10:40] i.e. automatic -32bit -32bit-dbginfo -32bit-devel [10:41] though again, fat binaries are just better still [10:41] because it doesn't have this problem of where-is-$foo [10:41] dont think we'll ever "win" all the time we focus on vanilla ELF [10:41] and even executables are >1 arch [10:41] heh [10:41] yes but note one thing: [10:41] in "linux" we often "specify" things in a text file standing on plain apache somewhere [10:41] and now it's the holly spec [10:42] we also need to lose this fixation on mutux provider names in the filesystem [10:42] "i am /usr/lib/someLIB" [10:42] * ikey shoots nvidia [10:42] so elf spec could be extended arbitrarily if people agree [10:42] yeah [10:42] ok, less rantin [10:42] lol [10:42] I need to debug this test failure :) [10:42] yeah i should likely sort out apparmor in our 4.12 [10:42] and move on to update arch packaging for the release [10:42] (no-more-patches, woot :) [10:42] noice [10:43] 4.13 is better [10:43] 4.13 is also unstable [10:43] ubuntu still has many patches that are not upstream and 4.13 will have them [10:43] *hopefully all* [10:43] we offer "-lts" and "-current" in solus [10:43] if you want to enable this LSM you want to take the few that didn't make it in 4.12 [10:43] -lts = gkh's branch [10:43] aha [10:43] -lts-apparmor would be nice :) [10:43] and -current = mostly-stableish [10:43] for snapd at least, that would give you full confinement [10:43] i.e. not rc and not mainline [10:43] those are just in security/apparmor [10:44] well im gonna backport the apparmor stuff ofr our linux-current [10:44] and you could perhaps even cherry pick those that land upstream [10:44] because having lsm specific kernels would seem silly [10:44] aha, sounds good [10:44] I can point you to the tree that has those [10:44] would love em [10:44] jjohansen1: ^ [10:44] i know 4.12 will be significantly easier to do than the 4.9 [10:44] ikey, jjohansen1 is working on upstreaming all of the apparmor changes [10:44] v nice [10:44] yes :) [10:45] and ideally i want like-for-like confinement between solus and ubuntu [10:45] ikey: since they are so self contained it should be easy to get a version for nearly any kernel that's not 3.x I heard [10:45] so people get the "full" snap experience [10:45] *yes* [10:45] not "hm but my distro said no" [10:45] thank you for caring about that! [10:45] eh its for the users - dont wanna screw em over [10:46] snapd can tell you what it thinks about confinement via "snap debug" [10:46] (I forgot the sub-command) [10:46] but this is in 2.27 only [10:46] so wait for the tarball for that :) [10:46] lolk [10:46] it looks at the kernel securityfs and checks if all the features are on [10:46] ah [10:46] ok thats handy [10:47] ok, I'll get back to bugfixing [10:47] please ping me if you find something odd to investigate [10:48] one thing that *is* going to suck initially is opengl support [10:48] that's a few months away from being sane [10:48] current approach is a stop-gap [10:48] yeah [10:48] (for ! FOSS drivers) [10:48] i might use the nvidia-arch option and see if that works [10:48] intel should be ok though it could be better supported in snapd as well [10:48] its *similar* to ours (but we symlinks it) [10:49] I'd rather not, it's a gross hack [10:49] mixes userspace with snaps [10:49] /usr/lib64/libGL.so.1: symbolic link to /usr/lib64/glx-provider/nvidia/libGL.so.384.59 [10:49] some of the common extension snap work will allow us to do this [10:49] bit messy and in time i think ill replace that with ld.so.conf trickery [10:49] (e.g. theme snaps will lead the way) [10:49] yeah theme snaps.. [10:49] people dislike lack of integration :p [10:49] those are 1st priority for this cycle [10:50] portal support, themes and a few other integration improvements [10:50] (especially now flatpak has them :P) [10:50] yep :) [10:50] that too :D [10:50] I think our approach will be similar actually [10:50] * zyga-suse would love to have alexander here to talk details [10:51] heh [10:51] right well i need to go make myself look half human for the rest of the day [10:51] bbiab [11:02] PR snapd#3707 closed: interfaces: convert io_ports_control to common iface [11:11] PR snapd#3708 opened: interfaces: convert two hardware_random interfaces to common iface [11:18] zyga-suse, got a strace for running duckmarines: https://hastebin.com/akeviquqoc.erl if you wanna check later [11:19] aha [11:19] interesting [11:19] so this is socket using AF_NETLINK [11:19] we have netling mediation in the tree now [11:19] * zyga-suse looks [11:20] this would be under netlink-observe I think [11:20] ok two more things [11:20] what does "snap version" say? [11:20] snap 2.26.14+git1302.gd1e575152.dirty [11:20] snapd 2.26.14+git1302.gd1e575152.dirty [11:20] and did you install this snap before you got other parts in place, perhaps the security profiles are out of date [11:20] hmm hmm [11:20] can you look at /var/lib/snapd/seccomp/ [11:20] only has bpf [11:21] and look for the human-readable profile for this app (seccomp profiles are per-app) [11:21] and if you can pastebin the plain text one [11:21] (those are compiled with snap-seccomp btw) [11:21] https://hastebin.com/aqizajecat.pl [11:23] soo [11:23] looks like AF_NETLINK is needed and not whitelisted [11:23] or am i reading this wrong.. [11:25] socket AF_NETLINK - NETLINK_ROUTE [11:25] aah [11:25] it wants a different type [11:26] curious [11:26] yeah mines off chasing NETLINK_KOBJECT_UEVENT [11:26] yes [11:26] one sec [11:27] can you check which interfaces are conneccted? [11:27] this one should be granted by pulseaudio interface [11:27] https://hastebin.com/cuqawagitu.rb [11:28] oookay [11:28] let me look [11:28] very curious [11:28] ah, my bad [11:28] pulseaudio doesn't grant that for plugs [11:28] so .. still a mystery [11:28] lol [11:29] * sergiusens wonders when we will start seeing zyga-solus [11:29] post-solus-release :p [11:30] yes, likely [11:30] nothing like hands-on [11:30] morning all [11:31] ikey: which revision of that snap are you on? [11:31] I'm on 9 [11:31] also 9 [11:31] ok, so I need to boot ubuntu to check [11:31] on ubuntu isn apparmor going to mediate the remaining network calls? [11:31] but my working theory is that you kit a seccomp kill because the app is normally not even going to try something after getting an apparmor denial [11:31] right [11:32] this will fix itself when seccomp can return errors as well [11:32] heh [11:32] this work is AFAIK done upstream now) [11:32] or when you will get apparmor [11:32] not sure if I'm right though [11:32] ikey: one suggestion [11:32] can you refresh that snap with --devmode [11:32] sure [11:32] this will put seccomp into no-op mode [11:32] and it _should_ at least show that it works [11:32] * zyga-suse looks at his profiles on suse [11:33] ah, still on 2.25 here so no good comparison [11:33] ok so its definitely trying to start [11:33] libGL error: No matching fbConfigs or visuals found [11:33] libGL error: failed to load driver: swrast [11:33] this is fine [11:33] it cant find my nvidia [11:33] * ikey expected as much [11:33] but its gotten along a lot further [11:33] the lethal seccomp is a workaround for lack of a kernel feature where we log stuff _and_ we don't kill [11:34] did you enable any of the nvidia hacks/workarounds? [11:34] (in snap-confine) [11:34] nah ill try the arch nvidia one and see if that works at all [11:34] ok [11:34] not sure if it will but let's see [11:34] sorry about that, nvidia support is really hit-and-miss [11:34] yeah im used to that dw [11:36] I would love to know how that works on an intel box [11:36] mvo: does this make any sense to you? https://travis-ci.org/snapcore/snapd/builds/262982604?utm_source=github_status&utm_medium=notification [11:37] * zyga-suse notices ogra's huge gadget PR [11:37] zyga-suse, same as the pi one just adjusted confiigs for pi2 [11:37] ikey: if you are familiar with the nvidia driver I could use some input [11:37] yep [11:37] *same as the pi3 [11:37] cannot mount tmpfs at /tmp/snap.rootfs_JHOwxl/var/lib/snapd/lib/gl: No such file or directory [11:37] ikey: on how I want to make that work in snaps [11:37] * ikey blows a rasberry at confinement [11:38] you need an empty directory there [11:38] :) [11:38] in /var/lib/snapd/lib/gl [11:38] oh dude [11:38] game works [11:38] i mean the music is banging too [11:38] wooooot [11:38] :D [11:38] hahaha [11:38] that's so great [11:39] pics or it didn't happen :D [11:39] better yet [11:39] tweet a pic [11:39] * ikey doesn't control the solus twitter anymore :p [11:39] https://ibin.co/3WOU2Mq91dSg.png [11:39] wat? [11:39] who does? [11:39] josh does [11:40] he does social thingies [11:40] i control the G+ [11:40] ohhh, I'd love to see those bash prompts for git integration [11:40] and most tweets are reposts of that [11:40] post it there then ! [11:40] lol [11:40] s/bash/zsh/ [11:40] :p [11:40] (things you learn from random images :D [11:40] aha [11:40] you may be interested in *very* cool tab completion [11:40] fwiw classic snap last night: https://plus.google.com/+Solus-Project/posts/BN5p1arv3Fs [11:40] snapd can do tab completion for snaps inside their confinement [11:41] and we probably miss something for zsh intergration [11:41] Chipaca can tell you all about this [11:41] a lot i think [11:41] aye [11:41] so you could tab-tab a command from a snap [11:41] and the completer runs confined [11:41] nice [11:42] alright so it looks like the remaining "main ticket item" really now is to chuck apparmor into the kernel [11:42] and then see if that fixes !devmode [11:42] yep [11:42] (gonna need it anyway) [11:42] and please send your patches back [11:43] I think we can do a 2.27.1 after we collect patches from distributions [11:43] yeah will do [11:43] I may need one for opensuse apparently [11:43] at least to fix this damn unit test [11:43] the patch is actually really basic right now [11:43] I bet it is bleeding edge golang in tumbleweed [11:43] https://hastebin.com/jotepamoki.bash - but i dont wanna send it in yet due to the disabling of apparmor [11:43] yeah, I hoped it would be easy but I just want them merged :) [11:44] and you might not like mkversion change :P [11:44] super nice [11:44] yep [11:44] read it [11:44] I think it's fine [11:44] ypkg sets $version as the package.yml key [11:44] you can just call mkversion with an argument [11:44] and it means autogen then just works [11:44] but no strong opinions [11:44] we use %autogen macro [11:44] which takes arguments too [11:44] so in autogen.sh i modified solus) to take $@ [11:45] meaning that autogen.sh/mkversion.sh/configure all play nicely in a single chain [11:45] ahh, I see [11:45] cool :) [11:45] cheers for all the help so far, very much appreciated [11:46] pleasure :) [11:48] * ogra_ sighs about the flashplugin update he gets ... [11:49] thats the only package i'd really love to see as classic snap one day :) [11:56] pedronis, hey, re your comment about having a "run-hook[refresh]" helper, are you suggesting a test-side only helper, or making "run-hook" tasks have different kinds? [11:57] pstolowski: only in the tests [11:57] pedronis, ok good [11:57] make the helper that lists kinds etc [11:57] produce that [11:57] pedronis, because the latter would be problematic [11:57] *helpers [11:57] pstolowski: understood [11:58] thanks [12:01] PR snapcraft#1474 opened: kbuild plugin: use ARCH from environment if set [12:02] ondra: ^^ [12:04] kalikiana do you have build of snapcraft with that change,so I can test it? [12:06] kalikiana not sure if this would work, as we are build on arm64 and kernel is arm64, but we need arch arm [12:06] i'm off to lunch [12:06] sergiusens: so "app-constrains" instead of "wrappers"? happy to change that [12:09] mvo, hey, is current core edge really built from master or is it a re-spin of 2.27? [12:10] abeato: today its 2.27 sorry for that, when a release is immanent edge is sometimes not really edge [12:10] abeato: I expect things to be normal by this evening [12:10] edge is not what it seems to be on days like that [12:10] mvo, ack, nw [12:10] yeah, I suspected that... :) [12:11] cachio: hey, good morning! any last minute concerns aobut 2.27, otherwise I'm going to upload 2.27-final in a wee bit :) [12:12] mvo: well I am thinking, you didn't start a forum post to discuss this ;-) [12:12] zyga-suse, should i be setting DEFAULT_SECURITY_APPARMOR=y ? [12:12] right now its DEFAULT_SECURITY_DAC [12:12] sergiusens: doing that as we speak [12:13] mvo: for example, `no-environment` might be the better keyword, or when we kill our wrappers and just shove stuff in `env`, would that still be ok for your use case? [12:13] ikey: mmmmm, I don't know, tyhicks or jdstrand can say [12:13] (please help out) [12:13] sergiusens: absolutely, my use case is that I don't want #!/bin/sh (as my base snap does not have it ;) [12:14] ikey: ^ mvo works on a test base snap that ships *nothing* :-) so apps execute in a very very empty place [12:14] ah cool [12:14] mvo: right, then `no-environment` might be the better fit as the wrapper is just an implementation detail [12:15] sergiusens: sure, works for me, I create a forum topic just to make sure that gustavo is aware and can weight in [12:15] mvo: would be nice to see `command`s of the style of the ones you see `snapcraft.yaml` allowed in `snap.yaml` and we are golden :-) [12:15] mvo: perfect [12:15] I'll add my comments [12:16] sergiusens: what is the difference today? [12:16] sergiusens: that they run via shell? [12:17] sergiusens: created and mentioned you [12:18] zyga-suse: in snapcraft you can do: `env PATH=$SNAP/bin my-command $SOME_VAR` in snap.yaml you cannot specify variables [12:18] sergiusens: right [12:18] sergiusens: but you can specify ... environment [12:18] and I know jdstrand explained the why's to me, but I just wish it were allowed [12:19] what you said above needs to be handled by /bin/sh [12:19] aha [12:19] zyga-suse: you can, but some commands require something like this: `command: my-command --work-dir $SNAP_USER_DATA` [12:19] arguable we _could_ expand $SNAP_ variables [12:19] arguably* [12:20] fwiw, the wrappers are mvo's invention ;-) [12:20] sergiusens: really? [12:20] * mvo can't remember [12:20] whaat? :-D [12:20] I won't say who complains about wrappers the most :D [12:20] lol [12:20] I always thought it was the other mike [12:20] * ikey & compiling linux-current... [12:24] mvo: ah mterry in the middle of a bunch of your commits `git diff ac2a535d52a04d9ec848026d52c19d1471bbbe39^ ac2a535d52a04d9ec848026d52c19d1471bbbe39` [12:24] you made the sell for it on the Snappy Clinics though [12:24] sergiusens: heh, thats quite possible [12:24] sergiusens: the bad old days :) [12:28] zyga-suse: mvo the only reason we didn't move to `env` yet is due to the way environment was originally implemented, and that is mvo's invention ;-) We need env stacking to make it easy and dictionaries don't make that easy [12:28] sergiusens: do you know about the merge-keys feature in yaml? [12:28] (not sure if related but I was surprised today) [12:28] http://yaml.org/type/merge.html [12:29] zyga-suse: yes [12:29] it makes the yaml look horrible, but some people like it ;-) [12:29] sergiusens: I'm still not so sure if it was my invention but my memory is sometimes flaky so I will not fight over it ;) [12:39] Does apparmor require CONFIG_AUDITSYSCALL ? [12:39] (and thus, snap) [12:39] * zyga-suse doesn't know [12:40] again that would be something that jdstrand or jjohansen1 can answer [12:40] ikey: I know this is not a good answer but you could cross-check with what the ubuntu config is [12:40] cuz CONFIG_AUDITSYSCALL is notoriously slow [12:41] * zyga-suse is melting here [12:41] anyone able to zgrep CONFIG_AUDITSYSCALL /proc/config.gz..? [12:41] (on buntu) [12:42] * zyga-suse boots [12:42] one sec [12:42] ta [12:42] i know consolekit used to require it - but like nobody uses that now [12:43] ikey: zyga@fyke:~$ cat /boot/config-4.10.0-30-generic | pastebinit [12:43] http://paste.ubuntu.com/25283420/ [12:43] PR snapcraft#1473 closed: catkin plugin: rosinstall-files is a pull property [12:43] ouch you have it on [12:48] PR snapd#3708 closed: interfaces: convert two hardware_random interfaces to common iface [12:48] pedronis: around? [12:49] zyga-suse: yes [12:49] https://paste.gnome.org/pqyailbdz [12:49] I changed the prune function to log why things happen [12:49] it seems change 1 should *not* be pruned [12:49] (according to the test) [12:50] my mind has melted today so I'm not sure if this is just still racy [12:50] or is something else at play [12:51] or maybe some scheduling or golang parts are different here [12:51] sorry, I cannot really context switch to this atm [12:51] OK [12:51] * zyga-suse keeps digging [12:53] there we go, officially snowing in hell [12:53] https://dev.solus-project.com/R3571:19e256059de04cae4f98d22f71ec0eb36ac02e13 [12:53] zyga@fyke:~$ cat /boot/config-4.10.0-30-generic | pastebinit [12:53] http://paste.ubuntu.com/25283420/ [12:53] er, sorry [12:54] wooot :) [12:54] xD [12:54] may I tweet about this :) [12:54] or would you rather [12:54] nah go ahead [12:54] ondra: You don't need to build it, you can run it from source. Although I could make you a snap if you rather wait for it to build... I tested with this https://github.com/kubiko/dragonboard-gadget/pull/1 [12:54] PR kubiko/dragonboard-gadget#1: Use upstream kbuild plugin [12:54] can link direct to the commit too as it shows the canonical.com patchwork [12:54] yknow, brownie points n all [12:56] i have a suspicion this audit change will fix some old bugs and expose some new ones, but we'll see once i have the nv ko rebuilds in.. [12:56] kalikiana now I'm even more curious how you determine to use arm [12:57] kalikiana and cross compiling also working? [12:57] ikey: this will be very interesting indeed, I wonder what results you'll get [12:57] ondra: I don't. See the PR description :-) [12:58] It works the same way as CROSS_COMPILE now [12:58] kalikiana I'm checking your changes to dragonboard, and this looks so clean, just wondering how it works that it knows to use arm ARCH [12:58] kalikiana have you tested native build on arm64? [12:58] kalikiana so when you cross compile, do you tell if to cross compile for arm64? [12:59] ondra: "ARCH=arm snapcraft --target-arch=arm64" is what I tested [12:59] kalikiana aha :) [12:59] crazy stuff [13:00] kalikiana OK that would probably fail then when build in launchpad [13:00] kalikiana as you can't really defined there env variable, unless I don't know about it [13:00] why would you cross build in lp ? [13:00] ogra_ there you native build [13:00] right [13:00] ogra_ but that means you gonna end up with arm64 ARCH [13:01] ogra_ which will fail [13:01] anything wrong with that ? [13:01] why ? [13:01] ogra_ you have so bad memory :D [13:01] it is only uboot [13:01] ondra: So Launchpad is native? Or Cross-compiling? [13:01] I assumed native [13:01] yeah, lp is native [13:01] ogra_ remember, uboot for dragonboard fails unless you use arm64 toolchain, but defined arm ARCH [13:02] but i remember there was this odd mkimage thing [13:02] kalikiana LP is native [13:03] ogra_ I don't know is this is specific to dragonboard or to arm64 [13:03] ogra_ but for dragonboard I had to use this crazy combo to make it build [13:03] yeah, i remember now [13:04] though i think the dragonboard still boots fine if you just use armhf ... iirc the prob was that you need to use this mkimage call [13:05] ogra_: it actually won't build because there's no config in arch for it [13:05] ogra_ but it won't compile [13:05] Although I wonder, can that be fixed? [13:05] ogra_ only way to build is arm64 toolchain + arm ARCH [13:06] and building arm64 architecture on armhf seems even more broken, let alone it won't build anyway [13:06] * ikey makes a one-of-them-g+ posts [13:26] ikey: :-) [13:31] ikey: note that you may still be missing some more specific apparmor patches but I'll wait for a reply from jjohansen1 which is doing this work [13:31] ikey: I'm sure he can look at your config and tree and say if anything is missing [13:31] sure [13:31] ive taken them from your kernel.ubuntu.com backports tree [13:31] aha, that's good then [13:32] I *think* all of them are in the xenial tree but xenial uses older kernel and I'm not a real kernel dev [13:32] so not sure :) [13:32] ack === chihchun is now known as chihchun_afk [13:52] zyga-suse, zyga-ubuntu, zyga-*: if you type "mount|grep disk" what do you se? [13:52] roadmr: hey, can you sync r896 just whenever [13:53] jdstrand: totally [13:54] roadmr: thanks :) [13:56] mvo: checking [13:56] mvo: note that I suspect I mounted them by clicking on them [13:56] mvo: oh wow [13:56] this is interesting [13:56] zyga@fyke:~/snapd$ mount | grep disk [13:56] /var/lib/snapd/snaps/core_2445.snap (deleted) on /media/zyga/disk type squashfs (ro,nosuid,nodev,relatime,uhelper=udisks2) [13:56] /var/lib/snapd/snaps/core_2462.snap (deleted) on /media/zyga/disk1 type squashfs (ro,nosuid,nodev,relatime,uhelper=udisks2) [13:56] check this out [13:57] zyga-ubuntu: aha! and snap list --all ? does it show those? [13:57] core 16-2.27 2610 canonical core [13:57] core 16-2.27 2604 canonical core,disabled [13:57] core 16-2.27 2601 canonical core,disabled [13:57] Chipaca: btw, snap list --all chokes on broken snaps to the point where it doesn't show *any* snaps [13:58] mvo: as I said, I was hopping channels [13:58] zyga-ubuntu: what sort of broken snap? [13:59] Chipaca: I had a few snaps I 'snap try'ied [13:59] zyga-ubuntu: interessting [13:59] Chipaca: to check specific encyptfs behavior [13:59] zyga-ubuntu: so these are really not on disk anymore? [13:59] (those snaps were on a fs my user cannot access) [13:59] mvo: yes [13:59] zyga-ubuntu: context is core not try :) [14:00] mm? [14:00] mvo, Chipaca: those broken snaps were there for months [14:00] and I never noticed any problem [14:00] because I wasn't runnin list --all [14:00] zyga-ubuntu: sudo curl -N -0 -s --unix-socket /run/snapd.socket http:/v2/snaps | pastebinit [14:01] Chipaca: I had to remove them so this will now work [14:01] zyga@fyke:~/snapd$ snap list --all [14:01] error: cannot list snaps: cannot list local snaps! cannot find installed snap "test-snapd-overmount" at revision x1 [14:01] your command is still doing stuff [14:01] timed out [14:02] Chipaca: I got: [14:02] Błąd połączenia z serwerem: [Errno socket error] The read operation timed out [14:02] ran again and got [14:02] http://paste.ubuntu.com/25283709/ [14:02] zyga-ubuntu: ok, get me snapd logs then [14:02] aaah [14:02] sie 10 14:43:40 fyke systemd[1]: snapd.service: Service hold-off time over, scheduling restart. [14:02] mvo: ^ remember this [14:03] sie 10 14:43:40 fyke systemd[1]: Stopped Snappy daemon. [14:03] sie 10 14:43:40 fyke systemd[1]: Started Snappy daemon. [14:03] PR snapd#3709 opened: release: snapd 2.27 release [14:03] we had this before [14:03] the sd-notify bug [14:03] right? [14:03] i sometimes agree with those logs: *fyke* systemd [14:03] snapd restarts periodically [14:03] zyga-ubuntu: yes, we had this before - where do you see it? [14:04] on fyke, apparently, on my dev system running [14:04] zyga-ubuntu: what did you have before that? a traceback or anything? [14:04] snap 2.27~rc9 [14:04] snapd 2.27~rc9 [14:04] Chipaca: nope [14:04] Chipaca: let me get you the full log [14:04] zyga-ubuntu: what version of snapd do you have installed as the deb? [14:04] http://paste.ubuntu.com/25283724/ [14:04] 2.25 [14:05] zyga-ubuntu: so this can happen if you have a snapd deb with "type=notify" in the deb but re-exec runs a version that does not support type=notify. but your case is the other way aroudn afact [14:05] out of curiosity, what's doing all those individual GETs? [14:06] mvo: I don't have Type=notify in snapd.service [14:06] Chipaca: not me [14:07] zyga-ubuntu: i suspect gnome-software [14:07] zyga-ubuntu: because of the icons [14:07] maybe [14:08] zyga-ubuntu: how often do you see this message? [14:08] mvo: according to the log I pasted, just a few times now [14:08] but I did hit the window a moment ago [14:08] when I was doing the queries for chipaca [14:08] maybe snapd panicked [14:08] while I had those broken snaps installed [14:08] and I ran list --all [14:08] zyga-ubuntu: you'd see the panic in the logs [14:09] ✓  ufee1dead@ironhide  ~  dmesg|grep -i armor [14:09] [ 0.026751] AppArmor: AppArmor initialized [14:09] heh [14:09] ikey: nice :D [14:11] mvo: out of curiosity, jump between beta and candidate [14:11] do it a few times and see what happens [14:12] zyga-ubuntu: will do in a bit, just in the middle of releasing 2.27 :) [14:12] * ogra_ does that multipple times a day ... but only on ubuntu core [14:12] -p [14:15] * zyga-ubuntu thinks about lunch [14:15] zyga-ubuntu, thinking about it rarely helps ;) [14:20] * zyga-ubuntu eats stuff :D [14:22] kalikiana was thinking, without over complicating kbuild plugin, best thing would be if one can define env variable for each part build [14:22] kalikiana this could be quite handy feature and it'd probably solve lot of additional hacking [14:23] kalikiana and we could do it way, that whenever we are passing env variables, like for cross compiling, we could preference those defined in snapcract.yaml [14:32] * zyga-ubuntu suspends this laptop to work on one less computer at a time [14:38] ikey: about your post earlier, I think having a common market and ease-of-deployment *is* a compelling reason for developers to target linux [14:38] ikey: so indirectly, initiatives like snaps help to achieve that [14:52] having a shop is all well good provided you put the shop on a busy street and sell things people want [15:00] zyga-suse, [15:00] snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks [15:00] (built it with libapparmor) [15:01] aaah [15:01] yeah [15:01] ok, so now you need to install the apparmor profile for snap-confine [15:01] it should have been built [15:01] snap-confine.apparmor [15:01] ah ok [15:01] where does he go [15:01] on debian this goes to /etc/apparmor.d/ [15:02] ew. [15:02] so much ew. [15:02] as usr.lib.snapd.snap-confine [15:02] thats blatant misuse of /etc [15:02] :P [15:02] just encode the path in the name [15:02] yknow im going to send you patches to fix apparmor right? [15:02] lol [15:02] well, in theory because this is something you can edit [15:02] Solus is on a mission to ban use of /etc/ [15:02] yeah ive heard that theory a lot.. [15:02] lol [15:02] ikey: yes, I saw that, that *is* a good thing [15:02] ill figure out bzr during next week i think [15:02] I don't know if apparmor supports stuff like /lib/apparmor.d [15:02] and work out the stateless approach [15:02] for now ill use /etc/ and cry later [15:03] for that I bet you want to work on jdstrand and other apparmor upstreams [15:03] /etc/apparmor.d/usr.lib64.snapd.snap-confine [15:03] its there.. [15:03] yep [15:03] zyga-suse: meh, looks like opensuse in the tests is fragile, e.g. timeout errors [15:03] zyga-suse: on the download servers [15:03] make sure the stuff inside matches the path [15:03] soo i guess the next question is how do i make it go [15:03] xD [15:04] ikey: the first few lines show which file is being confined [15:04] ikey: apparmor_parser -r /path/to/that/file [15:04] that will load it [15:04] and you can try running now [15:04] * ikey fixes up apparmor pkg [15:04] im guessing there is a systemd unit to load this cruft on boot [15:04] mvo: download servers? [15:04] ikey: yes, not a systemd unit buy old style script [15:04] it's a part of userspace apparmor tools [15:04] (it's convoluted) [15:04] o [15:05] [Package] Including empty directory: /var/lib/apparmor [15:05] * ikey sobs into a bucket [15:05] "old style" ... tsk ... [15:05] zyga-suse: yeah, I retrigger and see what happens, I got a timeout from zyper in project prepare for opensuse [15:05] oh [15:05] interesting [15:05] maybe our base image is very old [15:06] and we get lots of updates [15:06] Warning: unable to find a suitable fs in /proc/mounts, is it mounted? [15:06] Use --subdomainfs to override. [15:06] wut [15:06] did you mount apparmorfs? [15:06] idk how it works lol [15:06] in /sys/kernel/security/apparmor [15:06] should i assume i now need to build systemd with apparmor? [15:06] ikey: I'd have a look at apparmor packaging in debian and in opensuse [15:07] ikey: no, it's not mandatory [15:10] huh ok /sys/kernel/security/apparmor does exist [15:10] mmm, maybe something else is missing, I'm sorry I don't know that error [15:11] on tumbleweed I see securityfs /sys/kernel/security securityfs rw,nosuid,nodev,noexec,relatime 0 0 [15:11] pedronis, did you want to drop the timestamp checking of the system-user assertion or do i mis-remember that ? (regarding bug 1679739) [15:11] Bug #1679739: System-User Assertions and the system time [15:12] PR snapd#3710 opened: many: allow and support serials signed by the 'generic' authority instead of the brand [15:13] securityfs /sys/kernel/security securityfs rw,nosuid,nodev,noexec,relatime 0 0 [15:13] tmpfs /dev/shm tmpfs rw 0 0 [15:13] er random 2line paste [15:13] but yeah, its definitely mounted [15:14] the failed call is aa_kernel_interface_new(&kernel_interface, features, apparmorfs) == -1) { [15:15] ikey: can you strace apparmor_parser and see if there's a failing syscall inside of aa_kernel_interface_new()? [15:15] yea poking that now [15:15] tyhicks: hey :) [15:16] hey zyga-suse :) [15:16] open("/etc/apparmor.d/usr.lib64.snapd.snap-confine", O_RDONLY|O_DIRECTORY|O_CLOEXEC) = -1 ENOTDIR (Not a directory) [15:17] that's not likely the issue [15:17] can you paste the entire strace somewhere so I can look? [15:17] https://hastebin.com/fimogokola.erl [15:18] thanks [15:18] what's the full apparmor_parser command that you're using? [15:18] the one zyga-suse gave me: sudo /sbin/apparmor_parser -f /etc/apparmor.d [15:18] er [15:18] with the filename* [15:19] sudo /sbin/apparmor_parser -f /etc/apparmor.d/usr.lib64.snapd.snap-confine [15:19] is -f wrong by any chance? [15:19] yes [15:19] -f is wrong [15:19] xD [15:19] so the failing open() was the issue :) [15:19] lol yeah [15:19] so -a or -r ? [15:19] I think you want -r instead of -f [15:19] ta [15:20] Could not open 'tunables/global' [15:20] pfft [15:20] * ikey adds profiles to pkg [15:21] /usr/lib64/snapd/snap-confine: error while loading shared libraries: libudev.so.1: failed to map segment from shared object [15:21] xD [15:21] * ikey goes to look at the confine file [15:21] ikey: aha [15:22] ikey: you may want to update paths in that file [15:22] its all multiarched up [15:22] yep [15:22] sorry [15:22] but thank you for leading the way [15:22] heh [15:22] I'll gladly take patches to imporve this [15:23] so we have @{multiarch} [15:23] is there anything like $LIB from ld? [15:23] fwiw this kinda demonstrates the sandboxing is working [15:23] lol [15:23] some things are variables expanded by apparmor [15:23] indeed :) [15:23] but I don't know, I rarely look at the global includes [15:23] ok [15:25] @{multiarch}=*-linux-gnu* [15:25] ikey: No such command! [15:25] hrm ok [15:25] ..lol [15:25] gold [15:33] cannot create symbolic link /tmp/snap.rootfs_BPPk5I/var/lib/snapd/lib/gl/libEGL.so -> /var/lib/snapd/hostfs/usr/lib64/libEGL.so.1: Permission denied [15:35] oh [15:35] that's nvidia arch support [15:35] since it was never tested under confinement you need to allow that symlink [15:36] ok how do i do that [15:36] lol [15:37] " /tmp/snap.rootfs_*/var/lib/snapd/lib/gl/ w," mebbe? [15:37] the synax is like [15:38] - Copy snap "meshlab" data (cannot copy "/var/snap/meshlab/4" to "/var/snap/meshlab/4": failed to copy all: "cp: cannot stat '/var/snap/meshlab/4': No such file or directory" (1)) [15:38] needed a * at the end.. [15:38] ok now we make progress: [15:38] cannot change profile for the next exec call: No such file or directory [15:38] lol [15:38] what's that about? I'm trying to install a snap from a file [15:38] path/to/file w, [15:38] tyhicks: ^ symlinks? [15:38] tyhicks: do I rememeber this correctly? [15:39] jaggz: that's something for Chipaca [15:39] me? :-) [15:39] ikey: that is /proc/$PID/attr AFAIR [15:39] open("/proc/24260/attr/exec", O_WRONLY) = 3 [15:39] write(3, "exec snap.duckmarines.duckmarine"..., 33) = -1 ENOENT (No such file or directory) [15:39] ikey: this is how apparmor profile changes are applied [15:39] right [15:39] jaggz: but i was just about to say: could you ls -l /var/snap/meshalb for me? [15:39] aha [15:39] maybe snap.duckmarines.duckmarine is not a generated profile [15:39] probably because snapd didn't generate a profile [15:39] zyga-suse: sorry, what specifically about symlinks are you asking? I don't see it in the scrollback [15:39] hm [15:40] and probably because you are missing a patch so it determined that apparmor support is incomplete [15:40] (lots of probably) [15:40] right [15:40] snap debug confinement yields partial [15:40] tyhicks: I forgot the syntax for symlinks in apparmor [15:40] ikey: so something is missing [15:40] yeah [15:40] but i fixed the library issue and libGL write issue [15:40] ikey: or not compiled in or misisng [15:40] zyga-suse: you have to give permission to the symlink target since that's what apparmor mediates on [15:40] Issue snapcraft#1475 opened: rust plugin recording [15:41] we look at /sys/kernel/security/apparmor/features [15:41] this bit worked for the arch confinement: [15:41] /tmp/snap.rootfs_*/var/lib/snapd/lib/gl/* w, [15:41] tyhicks: thank you [15:41] though in truth it should likely be more strict and catch .so* only [15:41] ikey: this is fine, you need more patches to get snapd to flip from "partial" to "strict" [15:41] aye [15:41] so more kernel work [15:42] well we made great headway [15:42] to the point that snapd-confine itself is happy through apparmor [15:42] now it just needs to execute this damn duck marines [15:42] telling ya, it best be a good game after all this :p [15:43] ikey: http://i.imgur.com/eTic1wS.jpg [15:43] :D [15:44] Chipaca, http://paste.debian.net/980792/ [15:44] Chipaca, lol [15:45] that's /var/snap/meshlab [15:45] jaggz: sigh, ok that's strange. How and what were you trying to install, and what version is your snapd? [15:46] Chipaca, Trying to install meshlab. snapd debian package is 2.21. Meshlab's snap I downloaded from https://uappexplorer.com/snap/ubuntu/meshlab [15:46] I also have received, intermittently, snap core errors [15:46] jaggz: why not "snap install meshlab"? [15:47] jaggz: what do the errors say? [15:47] hrm.. that says it's already installed [15:47] - Setup snap "core" (2601) security profiles (cannot setup mount for snap "core": cannot update mount namespace of snap "core": cannot update preserved namespace of snap "core": fork/exec /usr/lib/snapd/snap-update-ns: no such file or directory) [15:47] jaggz: the ls output agrees that it's installed [15:47] that was from a snap refresh core [15:48] jaggz: ok, "snap version" output please? [15:48] zyga-suse: ^ snap-update-ns error for you [15:48] Chipaca: aha [15:48] running /snap/bin/meshlab sits there.. strace -f shows: [pid 31791] execve("/snap/core/current/usr/bin/snap", ["/snap/bin/meshlab"], [/* 83 vars */] [15:48] jaggz: ok, two questions [15:48] jaggz: what is snap version [15:49] jaggz: I understand you are on 2.21 but snapd pulls in updates [15:49] ooh.. hold.. can't kill this program.. [15:49] jaggz: so I would expect that to be 2.26.14 actually [15:50] jaggz: you need to kill the strace explicitly (e.g. killall -9 strace) [15:50] is it safe to kill -9 the running /snap/bin/meshlab? (which is a symlink to /usr/bin/snap, as I figure you know) [15:50] jaggz: it should be yes [15:50] jaggz: I don't know what meshlab does :-) [15:51] okay.. yeah.. had to -9 the strace itself [15:51] jaggz: can you "snap install hello-world" and see if that works reasonably? [15:51] yeah, not an issue with meshlab itself -- it's software that lets you work on 3d point clouds and meshes [15:51] btw: snap 2.27~rc4 [15:51] snapd 2.27~rc4 [15:52] aha [15:52] ok [15:52] so far so good [15:52] ok [15:52] snap install hello-world says something about climate change [15:52] (kidding.. it's running) [15:52] sudo snap-discard-ns core [15:52] one line.. it's installed [15:52] er [15:52] right cheers again all - much appreciated, looking forward to torturing you again tomorrow hopefully for the last time :D [15:52] sudo /usr/lib/snapd/snap-discard-ns core [15:52] I think that will fix it for you [15:52] jaggz: now e.g. hello-world.env should work [15:52] ikey: with pleasure :) [15:53] zyga-suse, nice clean.. no output.. returns to prompt. :) [15:53] * ikey is off to fix his van and have dinner + wine and such niceties [15:53] mmm, dinner [15:53] reminds me i have a train to catch for dinner [15:53] 5 minutes more [15:53] most people have enough trouble catching a chicken for dinner [15:53] let alone a train... [15:53] * ikey grins and walks out slowly [15:53] Chipaca, it does. what's hello-world.env do? just a plain dump of environment to see what's in it? [15:54] ikey: what can i say, i'm feeling peckish [15:54] :P [15:54] jaggz: yes [15:54] ikey, what's wrong with the van? === ikey is now known as ikey|afk [15:54] jaggz, battery is stone dead [15:54] ikey|afk, [15:54] ikey|afk, your fault, or possibly alternator? [15:54] picked up another one couple days back, €80 -_- [15:54] ikey|afk, perhaps Chipaca can borrow you his train after dinner ? [15:54] well.. if you know how to fix it.. no need to talk good luck :) [15:54] partially my fault partially old van that i bought a while back [15:55] 2005 van [15:55] I had to replace my alternator a while ago.. 1994 van :) [15:55] and its been lined up a couple weeks [15:55] not starting each day [15:55] stuck it on the jumps, went fine, cold start, *pfft* [15:55] I leave mine for a month at a time or more.. but it's an older one and doesn't have computers sucking away at power all the time.. or whatever cars do nowadays [15:55] okay.. so.. meshlab [15:55] Issue snapcraft#1476 opened: foreign arch and sources setup for `build-packages` [15:55] Issue snapcraft#1477 opened: multi-arch build packages [15:55] PR snapcraft#1388 closed: beta [15:55] PR snapcraft#1395 closed: [WIP] python plugin: track the python packages installed during build [15:56] jaggz: ok, so hello-world works, and with zyga's command you should no longer see the nasty ns-update thing ,so now we just need to figure out why the mesh thing isn't working [15:56] jaggz: as i don't know what it would do if it worked, i can only say maybe you need to connect interfaces to it for something? maybe there are "audit" lines in your syslog to help you figure that one out [15:56] and now i must run [15:57] jaggz: if you get stuck, open a forum topic on this, so we can debug it asynchronously [15:57] ikey|afk, in case you ever need help.. ##electronics is a nice broad-topic channel with some really knowledgeable people. [15:57] Chipaca, if it works I'll get a window up :) [15:58] need to do some searches on it.. it sits there, after some errors.. http://paste.debian.net/980795/ [15:59] let me try it [15:59] jaggz: that looks like the snap needs work [15:59] jaggz: which GPU do you have? [15:59] nvidia 970. a post here says to reinstall the nvidia drivers [16:00] I'm in debian, but this is for ubuntu: https://askubuntu.com/questions/451221/how-do-i-install-the-nvidia-driver-for-a-geforce-gt-630/451248#451248 [16:00] ah, my game computer has that card, i can try it tonight [16:00] jaggz: may be missing nvidia support :/ [16:00] sorry [16:01] missing support in snapd that is [16:01] * ogra_ wonders why GL snaps work just fine on his nvidia desktop [16:02] (never had probs after the very initial issue with the leftover stale dirs from old nvidia driver packages) [16:02] ogra_: magic and complexity across distros [16:02] ah, yeah, non-ubuntu is indeed different [16:02] meshlab works fine here btw ... (on an intel based laptop though) [16:03] I'm checking out the first errors too -- I jumped to the final one with libGL [16:03] PR snapd#3706 closed: asserts,overlord/devicestate: support predefined assertions that don't establish foundational trust [16:03] the first being a gtk thing: Gtk-Message: Failed to load module "gail" [16:03] the gtk stuff is pretty normal i think [16:04] ogra_, what distribution? [16:04] ubuntu indeed :) [16:04] but that shouldnt matter at alll [16:04] yeah.. probably shouldn't. [16:05] note that the snap seems to initially create its config on first start [16:05] which takes a while [16:05] (so be patient) [16:05] with external outside packages (like nvidia's), who knows though [16:05] ondra: Maybe we should discuss it in the forum, and see if it makes sense for other plugins as well [16:05] ogra_, do you get the gtk errors? [16:05] kalikiana was thinking same [16:06] jaggz, yes, the older versions of the gnome/gtk desktop helper had them [16:06] (i think they are fixed nowadays ... but the maintainer would have to re-build the snap to have it pick that up) [16:06] ondra: I just took a look at the konfig options, wondering if that's another possibility, but it seems like uboot's arm handling a little bit... special [16:06] http://paste.debian.net/980796/ I was just testing "snap remove meshlab" btw [16:07] kalikiana, pfft ... uboot was there first .... it is *everyone elses* arm handling thats broken :P [16:07] (indeed :) ) [16:07] got those core errors again [16:07] jaggz, your snapd installation seems seriously messed up [16:08] what did "snap version" say ? [16:08] I don't have much in it.. I don't mind removing it and doing a clean install.. [16:08] 2.27~rc4 [16:08] the full utput ... [16:08] *out [16:08] series 16 [16:08] debian 9 [16:08] kernel 4.9.0-3-amd64 [16:09] and snap as well as snapd show as 2.27~rc4 ? [16:09] (smells like your core snap is on the edge channel for some reason) [16:10] ogra@styx:~$ snap version [16:10] snap 2.26.14 [16:10] snapd 2.26.14 [16:10] series 16 [16:10] ubuntu 16.04 [16:10] kernel 4.4.0-83-generic [16:10] yeah.. sorry.. didn't paste them for that purpose [16:10] kalikiana yeah it's a bit special [16:10] hmm.. I'm in debian testing [16:10] this should be what you see on anything tracking the stable channel atm [16:10] jaggz, your distro shoulldnt matter at all ... thats all internally managed by snapd [16:11] via the core snap [16:11] oh I'm at stretch [16:11] snap info core|grep tracking [16:11] that should tell you what core snap you have [16:11] beta [16:11] aha [16:11] (why did you move it to beta ? ) [16:11] I'm too unknowledgeable to have done that :) [16:11] snap refresh core --stable [16:12] that would get you back onto stable ... though i guess you are again hitting the namespace error now [16:12] namespace error? [16:12] it's working on the refresh, btw [16:12] yes, the stuff you pasted above [16:13] yeah.. :( [16:14] why's there no snap-update-ns [16:14] popey, FYI https://code.launchpad.net/~ogra/+snap/linux-generic-allwinner ... (if that ever builds, it will have the nanopi air support in it ... but we'll need a dedicated gadget for that board too) [16:17] doesn't look like it's a part of the debian package [16:19] ogra_: ooh! Exciting! [16:20] ogra_: once it does, will you make a new image for it? [16:25] popey, yep [16:25] popey, but i cant test it indeed ... so all up to you [16:25] suh-weeeet [16:26] look forward to that [16:26] got some ideas for things to do with that silly device [16:46] jaggz: snap-update-ns is not in 2.21 package [16:46] it should be used from the core snap [16:46] but something seems broken there [16:49] :/ [16:49] zyga-suse, thanks :) [16:50] ondra: ogra_ https://forum.snapcraft.io/t/custom-environment-variables-for-kbuild-and-other-plugins/1639 === chihchun_afk is now known as chihchun [16:51] kalikiana, well, i dont use kbuild anywhere (i find it way to opaque for porters) [16:52] kalikiana, i'd rather have a way to use an arch tag for build-packages :) [16:52] (like stage-packages provide) [16:52] ogra_: You mean as in libfoobar:arm64? [16:52] kalikiana, that would really help with something like https://github.com/snapcore/pi3-gadget/blob/master/snapcraft.yaml (see the cross gcc check there) [16:53] kalikiana, yeah [16:53] ogra_: So that's for multi-arch, right? Not really the same problem? [16:54] my gadgets usually already work fine for cross ... but i always need to tell the user to install the cross compiler manually (or have a sudo call in the snapcraft.yaml to apt install it) [16:54] kalikiana, not multi arch, gadgets are usually single arch target but multiple arches for building [16:55] reverse-multiarch i guess :) [16:55] ogra_: https://code.launchpad.net/~ogra/+snap/linux-generic-allwinner it built! [16:55] (can you tell I'm excited) [16:55] ogra_: When I say multi-arch I mean if you need to install armhf packages on an amd64 host - but I'm not clear on what exactly your use case is [16:55] popey, great ... i'll roll a new gadget for it [16:56] kalikiana, well, i dont install armhf packages ... look at the snapcraft.yaml above line 20-24 [16:56] kalikiana, i install a package that doesnt exist on armhf when building on x86 [16:57] that snapcraft.yaml works fine natively ... but spills an error telling you to install one additional amd64 package (teh cross compiler) when building on != armhf [16:58] ogra_: But this says you need the arm gcc. That's normally in gcc-arm-linux-gnueabihf - so that's not multi-arch, it's actually a native package [16:58] kalikiana, since that package does not exist on armhf i can not just put it into build-packages without breaking the native build ... so on amd64 installs i'd like to be build-packages selective [16:58] kalikiana, gcc-arm-linux-gnueabihf is an amd64-only package [16:59] (it is only available on x86 [16:59] ) [17:00] it is a cross compiler built only on non-armhf ... and not available at all on armhf [17:00] (else i'd just list it in build-packages and the corss build would just magically work without any fiddling) [17:02] kalikiana, but yes, essentially all i'd like is support for: [17:02] ogra_: Oh. So the problem is you need a different package depending on the architecture [17:02] gcc-arm-linux-gnueabihfgcc-arm-linux-gnueabihf [17:02] bah [17:02] build-packages: [17:02] - foobar [amd64] [17:02] something like this [17:02] which is supported in stage-packages but not in build-packages [17:02] kalikiana, yep, exactly [17:03] (super hard to explain :) ) [17:03] mvo: running through a scratch build of 2.27: https://koji.fedoraproject.org/koji/taskinfo?taskID=21150688 [17:04] kalikiana, note that all other uboot builds use this way, not kabuild [17:04] *kbuild [17:04] kbuild support in u-boot is very rare and very new and only a few new arches support it yet [17:04] gah [17:05] ogra_: So you want something like "on" for build-packages [17:05] yeh! [17:05] mongodb ftbfs with new boost 1.64 :( [17:05] yeah! [17:05] and it's blocking snapd :( [17:05] Pharaoh_Atem, huh ? how can mongodb block snapd ? [17:05] ogra_: I didn't actually realize this doesn't exist, I never need it - would you mind opening a forum topic for this? [17:06] not at all ... [17:06] * ogra_ writes [17:06] Grand, thanks! [17:06] ogra_: mongodb go driver -> mongodb-libs -> mongodb [17:06] ah [17:07] I guess I'm going to fix mongodb (ugh) === JanC is now known as Guest25300 === JanC_ is now known as JanC [17:10] niemeyer, I think we need one more worker for fedora [17:10] today 2 builds failed at least becasue of fedora jobs didn't finish [17:11] niemeyer, is it ok if I move from 2 to 3? [17:11] cachio: Ah, probably then [17:11] cachio: What was the time delta between fedora finishing and the previous one? [17:12] niemeyer, well fedora did not finish [17:12] kalikiana, https://forum.snapcraft.io/t/support-on-in-build-packages/1641 [17:13] cachio: Question still stands [17:13] niemeyer, from the last disk removed until the job exceeded time is 15 minutes [17:13] and still 46 tasks were missing [17:13] cachio: Yeah, definitely sounds like a case for another worker [17:14] niemeyer, also I think we need to try to speed up how the rmp is built [17:15] niemeyer, the .rpm it is taking about 5 minutes more than the .deb === chihchun is now known as chihchun_afk [17:19] Pharaoh_Atem: yay! build looks unhappy but failure looks unrelated (something about liboost?) [17:20] PR snapd#3711 opened: tests: adding new worker for fedora === nacc_ is now known as nacc [17:29] mvo: mongodb isn't rebuilt against new boost [17:30] and since snapd requires mongodb through requiring the go mongo driver [17:30] it looks like mongodb unit tests are failing on s390x (*sighs* [17:31] how weird, given that snapd doesnt use anything from mongodb [17:31] (or does it ?) [17:34] we gopkg.in/mgo.v2/bson (not sure how that relates to mongo itself on distros though) [17:36] *we use [17:36] ah [18:02] PR snapcraft#1427 closed: Add cx_Freeze options targeting bin/snapcraft [18:24] cachio: 5 minutes sounds pretty bad indeed [18:59] niemeyer, yes, i'll research a bit more [19:14] PR snapcraft#1478 opened: Add cx_Freeze options targeting bin/snapcraft [19:17] I would like to learn how to prodouce snap packages and have successfully followed the helo world example on snapcraft but I dont know where to look next to help me compile a snap for an application. Examples I have seen have lots of flags that I dont understand that are not in the snapcraft example. Can anyone point me in the right direction please [19:18] *hello [19:18] not helo [19:28] PR snapd#3712 opened: overlord,store: send model assertion when setting up device sessions [19:59] arm1e, hey there! [19:59] Sorry for the delay, I had my face buried in a fajita. You still around? [20:04] Is there somebody interested in doing the SRU verification of snapd in -proposed? Its been there for a bit. [20:06] cachio: I'm seeing often failures like this one: https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-xenial-snappy-dev-image/xenial/i386/s/snapd/20170810_183543_f1d6a@/log.gz are we not waiting properly for the fakestore to be started or ther is something else going on [20:08] pedronis, ok, I'll take a look [20:08] pedronis, It appeared today [20:13] or maybe we don't stop the service [20:13] cachio: yes, I don't remember seeing this at least for a while, anyway it seems the reason we get reds here and there now [20:14] pedronis, yes, I am running a set of tests to try to reproduce the error [20:15] I'll keep up updated with the result [20:15] thank you [20:16] yaw [20:31] popey, if you upgrade your kernel to linux-generic-allwinner rev 2 and run: sudo fw_setenv fdt_file sun8i-h3-nanopi-neo-air.dtb ... and reboot ... i wonder if the wlan works :) [20:46] kyrofa: yup still here [20:47] arm1e, I'm happy to help point you in the right direction. Is there something particular you're trying to snap up? [20:53] would like to snap gnucash as I have a friend who wants to switch to solus (who are adding snap support) but it will not be added to their repos as some of the dependencies are old === nacc is now known as Guest76500 === nacc_ is now known as nacc [20:57] ogra_: that'll be triicky given the machine has no network [20:57] popey, huh ? wired didnt work ? [20:57] it has no wired connector [20:57] oh ! [20:57] i thought it had both [20:58] this is why i'm so keen for wifi to work :D [20:58] yeah, understood ... ok, then it needs a full image ... i'll give you something tomorrow [20:59] magic, ta [21:18] morning [21:20] Good morning mwhudson, welcome [21:41] arm1e, what is that written in? [21:42] arm1e: kyrofa https://forum.snapcraft.io/t/call-for-comments-testing-gnucash/1480 [21:42] jacob has worked on it, maybe you can work on it together? [21:42] popey, how handy, thank you! [21:46] ok maybe i have working debian packaging for 2.27 [21:46] probably not but it's worth trying the build now at least :) [21:47] oh wait did 2.27 actually get released? [21:50] mwhudson, it's tagged anyway [21:50] and it was uploaded to artful [21:50] and even built! [21:52] mwhudson, your day is starting off strong [21:52] and it failed it's autopkgtest on i386 [21:52] Aw [21:53] whoa hasn't passed there in a while [21:53] http://autopkgtest.ubuntu.com/packages/s/snapd/artful/i386 [21:53] - Download snap "core" (2465) from channel "candidate" (received an unexpected http response code (416) when trying to download https://068ed04f23.site.internapcdn.net/download-snap/99T7MUlRhtI3U0QFgl5mXXESAiSwt776_2465.snap?t=2017-08-10T17:00:00Z&h=359a718c18b7c126e3302dce1d720f2333d87dec) [21:53] pff [21:53] * mwhudson bounces on the retry button [21:58] Sounds like https://forum.snapcraft.io/t/download-failure-416/1637/3 [22:06] omg my debian package built [22:17] slangasek: https://anonscm.debian.org/git/collab-maint/snapd.git/log/?h=debian-2.27 <- mostly complete package of snapd for debian if you're interested [22:18] slangasek: the git history is a mess (do we care? i could clean it up) and the changelog needs work (not sure what we should do there, bring in all the upstream changelog entries?) [22:18] slangasek: but it works [22:18] slangasek: do you have an opinion on using pristine-tar for this package? [22:18] slangasek: s/works/builds/ [22:19] mwhudson: pristine-tar applies only if the package is non-native, do we have that here? and is there an actual upstream tarball for us to import? [22:19] git history> if it inherits from the previous package history, that's what I care about most [22:19] slangasek: the package is non-native in debian yes [22:20] right, but still not in Ubuntu though it should be, bah [22:20] slangasek: i based it on the tarball from github https://anonscm.debian.org/git/collab-maint/snapd.git/log/?h=debian-2.27 [22:20] * mwhudson blinks [22:20] slangasek: https://github.com/snapcore/snapd/archive/2.27.tar.gz [22:21] slangasek: in a sense the non-obvious canonicity of the tarball seems an argument in favour of pristine-tar for debian ... makes it clear what i used [22:21] (even if not where i got it from)( [22:21] slangasek: the git history is based on the previous packaging history yes [22:21] it just has "oh crap i forgot a bit" commits in [22:22] and some dubious merging [22:22] that doesn't bother me ;) [22:22] ok [22:23] slangasek: http://paste.ubuntu.com/25286402/ <- this is what the debian patch ends up being === ppisati is now known as ppisati_afk [22:25] which all seems ok enough to me [22:25] need to ITP that gettext package but that doesn't need to block the update [22:28] ok afk for a bit [22:35] kyrofa: Any help in learning how to compile snaps. I have no idea how to check for deps. Willing to read, but would prefer to practise [22:35] arm1e: what do you mean "check for deps"? [22:35] dependencies [22:36] Is there a good way to convert packages in the repos into snaps? [22:36] arm1e: right, i know what deps are -- i don't know what you mean by check for them? [22:36] arm1e: not really (that i know of) [22:36] arm1e: i mean, a classic snap is the easiest way, but you still have to write the snapcraft.yaml [22:37] mwhudson: how does a missing ITP not block the update? [22:38] nacc: Sure. I just got really confused after completing the hello-world snap locally then looking at the yaml files from other snaps which have a lot of other info from plugins etc. It seems a big jump [22:38] Especially when you have never packaged before [22:39] arm1e: well, right, i think hello-world is just to get you familiar with the commands and some basic syntax [22:39] mwhudson: and do those go dep path changes make their way back upstream? [22:39] I want to learn how to do it but everywhere just does really simple syntax and nowhere really teaches you [22:39] arm1e: it doesn't, imo, make much sense to package something you're not familiar with. Do you have an application you care about? [22:40] nacc: Not particularly. I would like to get gnucash working but that looks like a major ball-ache [22:42] arm1e: i would imagine for a classic snap of a given application that builds as a .deb, you could add all it's build-deps to build-packages, all the binary package's runtime deps to stage-packages and then try and build it normally (that is, if one of the existing plugins works). If they don't, you might need to write your own plugin to build [22:44] see, I dont fully understand the difference between build / runtime deps and how you know which plugins should be used. [22:44] arm1e: do you understand the difference between build and runtime? [22:45] build is to compile and runtime is to actually use the app, right? [22:45] arm1e: right [22:45] arm1e: those are distinct environments, so they can have different dependencies [22:46] arm1e: in other words, what you need to build something is not necesarily what you need to run it and v.v [22:46] okay. [22:47] nacc: So how do you choose the plugin? [22:47] arm1e: by knowing how the code is built (what tool) [22:48] How do you know that? Is it in the source tarball? [22:48] arm1e: you look and see? I'm not sure how to answer it [22:49] it feels like a tautology: to build something, you have to know how to build it [22:49] nacc: Where can I learn this? [22:50] arm1e: depending on the specific project, it might be the language (e.g., python or go) or it might be a specific build-tool (e.g. autotools) [22:50] arm1e: where can you learn what exactly? build something, I mean, that's the whole point [22:51] nacc: What I mean is how can I tell if something is built in python etc? [22:51] arm1e: it's not built in python, it's written in python [22:51] arm1e: it's built by the python plugin by snapcraft [22:51] I see, what I mean is how can I tell from the source what the language is [22:53] arm1e: you either know, because you're familiar with it, or you read documentation or you use `file` or ... i'm sure there are other ways [22:54] Right, I would like to make a snap for get_iplayer [22:55] arm1e: link to source? [22:55] https://github.com/get-iplayer/get_iplayer [22:57] arm1e: looks to be perl [22:58] yup. What do I do about the deps, how will I know if they are in the base system of the snap as usually packages pull from the repos of the host system, but is it different for snap packages? [22:59] arm1e: how would you "build it [22:59] sorry, hit enter too fast [22:59] arm1e: how would you "build it" if you weren't thinking about snaps? [23:00] run the configure, check for deps if missing and add them via apt. once configured, make [23:01] only learnt that today, so may be wrong [23:01] right, so you add those deps to your snapcraft.yaml as build-packages [23:01] just list the names? [23:02] arm1e: see the online documentation for the syntax [23:04] what I mean is, once I have them listed, how do I know if the snap package will be able to find them? [23:08] arm1e: you try to build? [23:08] arm1e: what do you mean find them? [23:10] Might be wrong but when you normally build, your deps only matter to you if they are not already on your system, if not the build fails, so you apt-get to install them then retry. When you download a snap, doesnt the new system require these deps to be installed too? [23:11] arm1e: isntalling a snap != building a snap [23:11] arm1e: and i feel like you're jumping several steps [23:11] right [23:11] sorry [23:11] arm1e: 1) building a snap is done with snapcraft (or using snapcraft.io) [23:11] *build.snapcraft.io [23:11] gotcha [23:11] continue :) [23:11] arm1e: in that case, it's done in a special environment that generates the squashfs image (which is what a snap is) [23:11] arm1e: you don't build the snap again anywhere else [23:11] right, my bad [23:12] sorry [23:12] arm1e: installing a snap is done via the store (or locally with --dangerous) and snaps contain all their dependencies [23:12] so you would only need to have the runtime deps [23:12] (or should) [23:12] a confined snap does not have access to the system by default, so it won't run without its dependencies in the snap as well [23:13] a classic snap may work (if the dependencies happen to be installed) but won't otherwise -- and there's not a way to tie (currently) a snap to deb dependencies. So you should include them in your snap (IMO) [23:13] so how do you ensure these dependencies are in the snap? [23:14] Does it pull them from the system I am building on? [23:14] arm1e: you put them there? either via stage-packages (explicitly), or via the plugin (depending on the plugin) [23:14] arm1e: well, again, you build in a special enviornment, so it uses the ones in that environment, yes [23:15] okay, so stage-packages are the explicit dependencies for a snap to install / run on another system [23:15] arm1e: i feel like maybe you should read the snapcraft.io pages a bit? https://tutorials.ubuntu.com/tutorial/create-your-first-snap?_ga=2.140231089.346536776.1502406151-840062186.1488838724#0 [23:15] or that tutorial, maybe [23:15] arm1e: i'm pretty sure all of this on the website [23:15] arm1e: stage-packges are the list of packages you want to stage in the snap (see the website for definitino of stage) [23:15] Yes. I will read them again tomorrow and try to get it to sink in. BTW there is no perl plugin so that makes it more difficult, right? [23:16] arm1e: and to be clear "install a snap" has no dependencies, it's just a squashfs image that gets mounted somehwere [23:16] arm1e: running the snap is the only thing that has dependencies on user's systems (which should all be included in the snap) [23:16] nacc: sorry, I mean run a snap [23:16] I am with you [23:16] arm1e: might be, yes, but it seems like some users have made one, which you can copy, and it's not clear you need it in this case (if there's a makefile) [23:17] slangasek: because the functionality requiring that package is removed in debian for now [23:17] mwhudson: ah ok [23:18] right, those would be the i18n bits of the patch [23:18] yep [23:18] - "github.com/cheggaaa/pb" [23:18] + "gopkg.in/cheggaaa/pb.v1" [23:18] nacc: Will have a look in the morning. Thanks for your help. Time for bed [23:18] arm1e: gl! [23:18] ^ that path change should probably go upstream [23:18] or the debian packaging should be changed to the other path, i'm not sure what upstream considers canonical currently [23:19] the seccomp stuff is needed for trusty support upstream [23:19] so that remains necessary delta [23:19] for another 2 years i guess... [23:35] mwhudson: snapd ESM [23:35] :) [23:51] slangasek: shutup [23:51] mwhudson: it's ok, ESM is security only! [23:52] slangasek: so what should debian's debian/changelog contain? [23:52] do i copy over the new entries from packaging/ubuntu-16.04/changelog and slap something debian specific on the top? [23:53] hmm E: snapd: statically-linked-binary usr/lib/snapd/system-shutdown [23:56] PR snapcraft#1471 closed: catkin plugin: support passing args to cmake