/srv/irclogs.ubuntu.com/2017/10/19/#snappy.txt

sergiusenskyrofa and?00:35
kyrofasergiusens, seems to work, but my test case is broken anyway (opencv) so I still want to poke at it some more tomorrow. Left some comments on the PR00:55
stgraberzyga-suse: not crazy urgent, not warranting a point release on its own, but it is something we need sorted to have LXD actually be at feature parity with the deb package. Custom seccomp policies is a feature we've had quite a bit of interest for lately and it's pretty unfortunate that it's not working with the snap.00:59
sergiusenskyrofa it would be nice to know how it is broken and what is the test case, I'll most likely be off tomorrow but all the info you can get would be good01:08
kyrofasergiusens, it's the bug I logged about snapcraft on trusty01:21
kyrofaDetails are there01:21
=== chihchun_afk is now known as chihchun
=== JoshStrobl is now known as JoshStrobl|zzz
zyga-susestgraber: I understand, I'll talk to mvo05:24
morphisstgraber: zyga-suse: not sure what I see here: https://paste.ubuntu.com/25770362/05:40
stgraberthat's a snapd bug05:41
stgraberthat got fixed in a 2.28 point release05:41
morphisah good to know05:41
morphiswhich isn't yet in stable as it seems05:41
morphisstgraber: yeah, with latest candidate of core it seems to be fixed05:43
zyga-susemorphis: indeed, this is fixed in one of the point releases after 2.28, try .5 to be sure06:03
elopiosnappy-m-o autopkgtest 1630 xenial:amd64:integration06:10
snappy-m-oelopio: I've just triggered your test.06:10
sborovkovogra_: hi. Looks like psplash is not present in cm3? Is it like forgotten there?06:18
zyga-susemvo: good morning06:46
mvohey zyga-suse06:46
mvozyga-suse: how ar ethings?06:46
zyga-susemvo: sorry to start like that straight when you join06:46
zyga-susehttps://bugs.launchpad.net/snapd/+bug/172469706:47
mupBug #1724697: snap-confine shouldn't setup a seccomp policy if policy is @unrestricted <snapd:Triaged> <https://launchpad.net/bugs/1724697>06:47
zyga-susewe need to solve this quickly06:47
zyga-susemvo, stgraber said it's not a 2.28.6 thing but important for him06:47
zyga-susemvo: I think the idea to keep the file and put a unique string into it is simple and should be enough06:48
mvozyga-suse: ok, sounds reasonable06:49
mvozyga-suse: I'm just reading the bugreport06:49
mvozyga-suse: I can work on a fix this morning, just doing some pi2 related research but I'm almost done07:09
zyga-susemvo: I can help too07:10
zyga-susemvo: I'm working on loads of tests for the new overlayfs mount feature07:10
mvozyga-suse: overlays are priority07:10
zyga-suseok07:10
mvozyga-suse: at least that is my understanding :)07:10
mvozyga-suse: hey, if we could get that for 2.29 ...07:10
mvozyga-suse: maybe as a experimental thing or so?07:10
zyga-suseI think it's too soon as neither gustavo nor jamie saw it yet07:11
zyga-susebut we'll see :)07:11
zyga-suseI need to land a prereq branch07:11
zyga-suseI may yet tweak it to move files around and shrink diff for future PRs but not my priority yet07:11
kalikianao/07:34
c-lobranomorning :)07:37
c-lobranokalikiana: thinking about hardening `get_os_release_info`, as suggested by kryofa. What about a little bit more robust `get_os_release_info` and some `get_os_release_fieldname` that wrap the first and provide fallback? Like `get_os_release_version_id()`. This way, the user does not need to know the actual dictionary key name07:43
kalikianac-lobrano: Hmm maybe one step further and make it a little class?07:45
c-lobranokalikiana: yes, that would be good07:50
mupPR snapcraft#1633 opened:  recording: record information from the image in container builds  <Created by elopio> <https://github.com/snapcore/snapcraft/pull/1633>08:47
kalikianaelopio: since you're awake: we hit the timeout again in snapcraft#1632 :-(08:50
mupPR snapcraft#1632: libraries: exclude the full set of libc6 <bug> <Created by sergiusens> <https://github.com/snapcore/snapcraft/pull/1632>08:50
elopioI'm working on the split.08:57
* zyga-suse -> coffee08:57
kalikianaawesome09:06
Chipacapedronis: how're things?09:10
Chipacamvo: has #4050 earned your +1?09:10
mupPR #4050: cmd/snap: tell translators about arg names and descs req's <Created by chipaca> <https://github.com/snapcore/snapd/pull/4050>09:10
mvoChipaca: I look in a tiny bit09:14
Chipacamvo: how's things?09:15
mvoChipaca: I can foresee nitpicking about tidyNoticef, as the name gives no hint that it transforms into a panic under certain conditions. but I have not made up my mind much09:15
mvoChipaca: otherwise things are good mostly, looking at pi firware stuff right now09:16
Chipacamvo: do we have a reproducer for the insane flip-flops?09:16
mvoChipaca: what flip-flops, do you have a reference to a forum post or a bugreport?09:18
mupPR snapd#4054 opened: snap-{confine,seccomp}: make @unrestricted fully unrestricted <Created by mvo5> <https://github.com/snapcore/snapd/pull/4054>09:20
mvozyga-suse: and you may say "told you so" now :) I remeber we talked about fully unrestricted seccomp and iirc you suggested we should do it in the above way09:20
jaceknaaaaaaaaaaaaaaaaaaaaaaaaaaaaa3aaaaaaad09:21
jaceknsorry09:21
Chipacamvo: sorry, i meant the thing where sergio's pi3 would boot into one thing but think it's booting into another? something like that09:25
mvoChipaca: we know it is caused by the ubuntu-image snap, once sergio uses the deb things are ok. my plan was to look into it more once I have a pi3 (should arrive today)09:26
Chipacaah ok09:26
mvoChipaca: which is a huge relief that its not a snapd issue09:26
Chipacamvo: we can shake our fists at barry and move on :D09:27
mvoChipaca: :-D09:30
zyga-susemvo: impossible, I don't recall saying that ;-)09:38
* zyga-suse is progressing thrgough testing, with some nice simplifications and improvements to code in result of finding tiny details off09:39
Son_Gokumvo, zyga-suse: https://github.com/canonical-docs/snappy-docs/pull/13809:46
mupPR canonical-docs/snappy-docs#138: Update Fedora snapd to 2.28.5 <Created by Conan-Kudo> <https://github.com/canonical-docs/snappy-docs/pull/138>09:46
Son_Gokudavidcalle ^09:46
Son_Gokuzyga-suse: this will likely be the end of the line for Fedora 2509:46
Son_Gokuas by the time 2.29 becomes available, Fedora 25 will EOL09:47
Son_Gokuzyga-suse, you should reach out to pitti at some point to talk about downstream Fedora CI09:49
Son_Gokuhe's been working on a project to introduce the equivalent of autopkgtests in Fedora for a while now09:49
mvozyga-suse: does "cannot open current mount profile: /run/snapd/ns/snap.*<snap_name>*.fstab:permission denied" ring any bell? we got a bugreport about this, I can forward09:59
* kalikiana break10:17
mupPR snapd#4055 opened: daemon: generate a forbidden response message if polkit dialog is dismissed <Created by jhenstridge> <https://github.com/snapcore/snapd/pull/4055>10:20
mupPR snapd#4056 opened: tests: improve revert related testing <Created by mvo5> <https://github.com/snapcore/snapd/pull/4056>10:21
zyga-susemvo: hmmm, no, not immediately, looks like apparmor10:44
zyga-susemvo: please forward10:44
mvozyga-suse: I did10:44
mvozyga-suse: its the mail from pierre, I don't have many details yet10:44
zyga-susemvo: ePierre?10:44
mvozyga-suse: yeah, I think so10:48
mvozyga-suse: does http://paste.ubuntu.com/25771634/ ring a bell?10:49
zyga-susemvo: that looks like a custom base snap with no /dev10:49
mvozyga-suse: that is from core stable -> edge auto refresh test http://paste.ubuntu.com/25771638 has the debug10:50
mvozyga-suse: anyway, I have a look10:51
mvozyga-suse: but it looks like pierre foudn a bug10:51
zyga-susemvo: this code didn't change10:51
zyga-susemvo: I bet it's /dev missing10:51
zyga-susemvo: FYI, I'm chatting with ePierre on #chekbox10:51
zyga-suse#checkbox10:51
mvozyga-suse: aha, ok10:52
zyga-suseI want to collect some quick info since pierre is likely to EOD any time now10:52
zyga-susemvo: can you forward the rport please?10:52
mvozyga-suse: I did that already, you are in the CC10:53
mvozyga-suse: message-id: 20171019102101.h7wlysxnpqjfufqk@bod10:54
zyga-suseI get 0 matches10:54
zyga-susemaybe gmail doesn't filter on those10:54
zyga-susemvo: ok, I understand the issue now10:56
zyga-susemvo: not sure why it happens but here's what happens:10:56
zyga-susemvo: when we introduced snap-update-ns as the namespace initializer10:57
zyga-susemvo: we removed the ability to read / process .fstab files from snap-confine10:57
zyga-susemvo: after reverting we are running on the profile from the +next version10:57
zyga-susemvo: I think it looks like a bug in the code that re-builds snap-confine's apparmor profile10:57
zyga-susemvo: does that make sense?10:58
zyga-susemvo: after revert we should immediately rebuild the profile10:58
zyga-susemvo: what is curious here is that since the profile is *path based* it should not be a problem10:59
zyga-susethe old profile is around10:59
zyga-susemvo: (around as in loaded in memory)10:59
mvozyga-suse: well, we reboot in between in tests on core11:00
mvozyga-suse: but yeah, it makes sense11:00
zyga-susehmmm11:00
mvozyga-suse: I mean, if its loaded in memory it will get lost accross the reboot11:01
zyga-susethis should not be an issue on core11:01
zyga-suseyes11:01
zyga-susewell11:01
zyga-suseno11:01
mvozyga-suse: the report is about core afaict11:01
zyga-suseacross reboot we'll keep the file in /etc/apparmor.d11:01
zyga-suseso it will get re-loaded11:01
zyga-susewas this on core on classic?11:01
mvozyga-suse: from what I read its a regular core device (caracalla/stlouis911:01
mvo)11:01
zyga-suseright11:01
* zyga-suse thinks11:01
zyga-suseit doesn't seem device specific11:02
zyga-suseso we should be able to reproduce it11:02
mvoyeah11:02
zyga-susethat was edge->stable?11:02
mvoI did a PR that tests some more things with reverts11:02
mvoyeah11:02
zyga-susethank you11:02
zyga-susedo you want me to explore or shall I keep at layouts?11:02
mvosee the linked PR11:02
zyga-suseack11:03
mvoI can work a bit on this and get a reliable test, then we can brainstorm again11:03
mvozyga-suse: just wanted to double check that its not something obvious11:03
mvo(or known)11:03
zyga-suseno, nothing obviously smoking-gun-wrong11:04
mvota11:04
zyga-susemvo: when we run reexecing snap-confine do we follow the current symlink?11:10
zyga-susemeh11:11
zyga-susemvo: I'm dumb11:11
zyga-susemvo: I understand now11:11
zyga-susemvo: on core / is the core snap11:11
zyga-susemvo: so when we get new core via update11:11
zyga-susemvo: (and we don't reload the profile there)11:11
zyga-susemvo: so when we get the new core, we must not follow any current symlinks and must use the old profile11:12
zyga-susemvo: right?11:12
zyga-susemvo: so we literally run /usr/lib/snapd/snap-confine11:12
mvozyga-suse: correct11:13
zyga-susemvo: so dump my other theories, the cause still is likely (we removed the right to touch .fstab profiles) but why it gets applied here is unclear11:14
zyga-susemvo: (assuming before reboot)11:14
zyga-suseI'm getting hungry, let's break for some lunch11:19
mvozyga-suse: good idea11:22
kalikianamwhudson: Hey! I was wondering if we should discuss snapcraft#1557 a bit11:56
mupPR snapcraft#1557: cleanbuild: add a --image option to build in a different image <Created by mwhudson> <https://github.com/snapcore/snapcraft/pull/1557>11:56
zyga-susere12:07
Chipacakalikiana: you know it's 1am for mwhudson, yes?12:07
kalikianaChipaca: Oh, I didn't realize. What timezone is he in?12:08
zyga-susekalikiana: NZ12:09
zyga-suse"the far side of the moon^Hearth"12:09
kalikianaHeh12:09
kalikianaThanks12:09
kalikianaI'll try to ping him at a better time then12:09
Chipacakalikiana: that's not to say he isn't sometimes around at this time, but it's usually bad news :-)12:10
* zyga-suse works on 400812:14
zyga-suseI can put some future code there to make eventual diff smaller12:14
zyga-susehmm12:15
zyga-suseon go 1.9.1 I cannot "go test" stuff anoymre12:15
zyga-suse*anymore12:16
zyga-susezyga@faroe:~/snapd/cmd/snap-update-ns> go test .12:16
zyga-suse# github.com/snapcore/snapd/vendor/gopkg.in/tomb.v212:16
zyga-suseflag provided but not defined: -goversion12:16
zyga-suseniemeyer: ^ does this ring any bells?12:16
* zyga-suse reboots12:20
zyga-suseok, all good now12:22
zyga-suseprobably stale env after update12:22
jdstrandzyga-suse: overlayfs? I thought this was being done with bind mounts...12:28
zyga-susejdstrand: with both12:36
niemeyerzyga-suse: No, I've never seen that flag either I think12:37
zyga-suseniemeyer: it's all good now12:37
niemeyerzyga-suse: Perhaps go tool was out of date with underlying tooling12:38
zyga-suseyes, I just updated; it's okay now, probably some stale stuff while I was logged in12:38
cachiomvo, I am creating a test for gsettings interface, an I am getting "gsettings: not found" when I execute a command12:42
mvocachio: curious what this is about12:42
mvocachio: it is installed and in /usr/bin/gsettings I pressume?12:42
cachioyes12:43
cachiomvo, it is just a wrapper for gsettings command12:44
cachiothe snap makes gsettings "$@"12:45
zyga-susemvo: just saw this from go vet12:46
zyga-susecmd/snap-repair/runner.go:254: arg r.RepairID() for printf verb %d of wrong type: string12:46
zyga-susecmd/snap-repair/runner.go:415: arg repair.RepairID() for printf verb %d of wrong type: string12:46
zyga-susemvo: shall I fix?12:46
zyga-suseodd, I don't see the issue12:48
zyga-suse%d is printing int's12:48
cachiopedronis, hey, tests/lib/assertions/auto-import.assert  is expired, do you know how to generate a new one?12:49
jdstrandzyga-suse: I was unaware that layouts required overlayfs. when was the greenlight given on overlayfs? we can't guarantee it is going DTRT with apparmor in modern kernels or in backported apparmor to older kernels. overlayfs is unbackportable to older kernels. all the same arguments as always...12:50
Chipacazyga-suse: in 451, it's doing ("... %s/%d != %s/%d", repair.BrandID(), repair.RepairID(), brandID, repairID)12:51
zyga-susejdstrand: this is a new development (relatively), we plan to use overlayfs to poke writable holes over squashfs; I made a RFC branch that does this12:51
zyga-suseChipaca: I know, I think go vet is wrong here12:51
ogra_sborovkov, i changed teams and all, i simply didnt get to cm3 yet, but should be ready before end of this week (i'm currently working on the remaining bits for cm3 and dragonbard splash support)12:52
zyga-suseChipaca: especially after fixing it tests are failing12:52
Chipacazyga-suse: RepairID() returns a string12:52
zyga-suseaha12:52
jdstrandzyga-suse: obviously it's a new development :) my question is where was it discussed? it seems to be ignoring the previous discussions12:52
zyga-susejdstrand: I don't remember if it was a hangout recently or IRC recently12:52
zyga-susejdstrand: I recall the earlier discussion but this is an experiment to see if we can use overlay for this purpose12:53
jdstrandzyga-suse: I thought things like this were supposed to be captured in the forum? this is a major technical decision12:53
zyga-susejdstrand: as it presents simpler semantics and has easier undo story12:53
zyga-susejdstrand: indeed, I wanted to talk to you about this because it's a big change but all the sprints/holidays were in the way12:54
zyga-susejdstrand: the short summary is that we'd like to use overlayfs over squashfs12:54
zyga-susejdstrand: as a hole-poking tool12:54
zyga-suseChipaca: no, it's an int:12:55
zyga-suse... error string = "cannot fetch repair, repair id mismatch canonical/%!s(int=2) != canonical/4"12:55
zyga-suse... regex string = "cannot fetch repair, repair id mismatch canonical/2 != canonical/4"12:55
zyga-susejdstrand: anyway, let's put that on hold now12:55
zyga-susejdstrand: (the discussion)12:55
Chipacazyga-suse: i was wrong ¯\_(ツ)_/¯12:55
* Chipaca tries to find out why he was wrong12:56
zyga-susejdstrand: I'll have a thread and PR to review (very short) soon after https://github.com/snapcore/snapd/pull/4008 lands12:56
mupPR #4008: cmd/snap-update-ns: create missing mount points automatically <Created by zyga> <https://github.com/snapcore/snapd/pull/4008>12:56
zyga-suse(that's what I'd like to focus on now)12:56
jdstrandI understand that. I have little confidence it is going to work reliably with apparmor  considering people are backporting apparmor to older kernels (or even an unpatched kernel). I mean, it might work with a recent Ubuntu kernel. note that overlayfs wasn't even an official thing in the upstream kernrel til relatively recently. this makes snaps that utilize the feature impossible to use on older kernels where you can't backport overlayfs12:57
* Chipaca disappears again12:57
* zyga-suse nods12:58
jdstrandtyhicks: warning ^. the plan is to try overlayfs to poke holes in squashfs in an exploratory PR12:59
jdstrandtyhicks: (in support of layouts)13:00
zyga-susejdstrand: I have the undo logic to tweak but it looks promising (so far)13:00
zyga-susejdstrand: the diff is very small so far, which is also very very promising13:00
zyga-suseohg13:00
zyga-susestandup13:00
jdstrandwell, except the technologies you are utilizing have to actually work right13:00
jdstrandnot to mention my point that overlayfs is new so its use means those snaps can't work on older kernels13:01
mupPR snapd#3972 closed: interfaces: sanitize plugs and slots early in ReadInfo <Created by stolowski> <Merged by stolowski> <https://github.com/snapcore/snapd/pull/3972>13:03
jdstrandzyga-suse: I should also stress that overlafs didn't land in its current form. it landed early and had lots of trouble with LSMs. It still has trouble with LSMs. this means that there is a huge test matrix to make sure  the feature even works for kernels that claim to support the feature13:03
* jdstrand still wonders why he or tyhicks weren't pulled into the conversation13:04
jdstrandor jj13:04
ogra_pobably zyga will simply fix all missing LSM bits with overlayfs on the go then ;)13:05
ogra_... will just delay the ETA for the feature by a few years :)13:09
skjensenHi guys, I'm trying to build an image for my Nvidia TK1. I made an attempt on a snap gadget for the device and have created the model.json. But to make it into a image I need the gadget snap to be available. I'm on Ubuntu 16.04 (amd64) but the device I'm building for is armhf.  So I can't use the snap install --dangerous to install the gadget snap I need. How do I build the image on my arm64 workstation?13:20
ogra_skjensen, you need to use the ubuntu-image tool (theer is a snap with it) and use the --extra-snaps optin to point to your local gadget13:21
ogra_skjensen, https://docs.ubuntu.com/core/en/guides/build-device/image-building13:22
skjensenI did try that but with little luck..13:22
ogra_see part 313:22
ogra_sudo ubuntu-image -c edge --extra-snaps /path/to/your/gadget.snap /path/to/your/model.assertion13:23
skjensenStill can't find it..13:27
ogra_whats the exact error ?13:27
skjensenskj@laptop:~/Documents/snap/TK1$ sudo ubuntu-image -c edge  --extra-snaps /home/skj/Documents/snap/TK1/tk1_16-0.1_armhf.snap /home/skj/Documents/snap/TK1/tk1.model13:27
skjensenerror: cannot find snap "tk1_16-0.1_armhf": snap not found13:27
skjensenCOMMAND FAILED: snap prepare-image --channel=edge --extra-snaps=/home/skj/Documents/snap/TK1/tk1_16-0.1_armhf.snap /home/skj/Documents/snap/TK1/tk1.model /tmp/tmp904xzqti/unpack13:27
skjensenand I have defined the gadget like this in the model.json file "gadget": "tk1_16-0.1_armhf",13:28
ogra_ah13:28
ogra_you just want the name in there13:29
ogra_"tk1"13:29
ogra_change that and re-create the assertion13:29
skjensenYes, that's working.. :)13:30
ogra_;)13:30
skjensenI had it with only the name to start with, but because it couldn't find it I changed to the complete name of the file..13:30
skjensenOkay, so far so good.. Now I need the kernel snap.. ogra, did you say I can use the bbb kernel?13:31
ogra_yeah "linux-generic-bbb" is the name ...13:31
ogra_though ubuntu-image might complain that this isnt a "canonical" package ... in that case use snap download oor grab it from https://code.launchpad.net/~snappy-dev/+snap/linux-generic-bbb/+build/76303 and use the --extra-snaps arg for it as well13:32
skjensenIt found it correctly..13:33
ogra_cool13:33
ogra_i knoow there is some builtin policy that the owner of the gadget must match the owner of the kernel snap ... unless the kernel is owned by canonical ... seems we dropped it13:34
skjensenNope.. you are right.. Just a delayed error message..13:34
skjensenerror: cannot use kernel "linux-generic-bbb" published by "QfOqF7d2M1Pk2O0SbEKqTdB9Ry2aI0BP" for model by "bdSXYoRKHbnUgDeg0MU6rJIID8IODntX"13:34
ogra_so just pull it from the LP build page and use --extra-snaps13:35
ogra_that should ignore the requirement13:35
skjensenIt's downloading.. :)13:35
ogra_(i hope)13:35
skjensenMe too.. Unfortunately I got to go pick up my son.. so will have to wait before I can test the image.. I'm right in saying I can flash this image to a SD card and boot from that?13:36
ogra_yes13:36
ogra_(if your booard generally can boot from SD indeed)13:37
skjensenIt's one of it's best features, if there is a bootable SD card it will boot from that by default..13:37
skjensenOkay, I'm gone.. Thanks a lot for the help again.. :)13:39
ogra_then it shoould just woork (if your gadget is correct :) )13:39
zyga-suseok, stuff is reabsed13:49
zyga-susenow to tie overlay mount entries to things that use them13:49
zyga-suseso that undo works :)13:49
zyga-susecome to think of it, I think it's actually easier than I thought13:50
zyga-suseperhaps we don't need to annotate overlays13:51
zyga-susewe can just keep them IFF there's anything mounted underneath13:51
zyga-suseso yeah, less patches needed :)13:51
* kalikiana lunch time13:54
Son_Gokuzyga-suse: overlays?13:58
Son_Gokuare we using overlayfs now?13:58
zyga-susewell, I'm trying to13:58
sergiusenszyga-suse if you have a discussion on irc or a hangout the "minutes" for it at least should really make their way to the forum13:58
sergiusenskalikiana kyrofa elopio et. al. reminder I am out today13:59
zyga-susesergiusens: are you referring to overlays or something else?13:59
sergiusenszyga-suse yes, but anything really needs to go there if it "matters"14:00
sergiusenskyrofa mind looking at snapcraft#1607 and snapcraft#1583 ? Those are yours and getting those failures out of the way would be great! ;-)14:01
mupPR snapcraft#1607: python plugin: use extracted pip <Created by kyrofa> <https://github.com/snapcore/snapcraft/pull/1607>14:01
mupPR snapcraft#1583: ament plugin: new plugin <Created by kyrofa> <https://github.com/snapcore/snapcraft/pull/1583>14:01
zyga-suseyes, you are right; I wanted to describe this on the forum but I had a few crazy days and I spent most of the time on just coding this14:01
zyga-suseI'll write something now14:02
Son_Gokuso for once, a feature that actually already has SELinux support :)14:02
zyga-suseSon_Goku: https://github.com/zyga/snapd/commit/f34aca5625013b3d02ee6dba384e9918770f94ef#diff-4480ffd44957efa3395867c929f88014R14514:04
cachiomvo, same error using devmode14:11
cachioto use gsettings14:11
zyga-susecachio: any denials?14:11
cachiomvo, no14:11
cachiozyga-suse, I am using snap try14:11
cachiozyga-suse, could that affect?14:12
Son_Gokuhmm14:12
zyga-suseyes, perhaps14:12
kalikianakyrofa: mind taking another look at  snapcraft#1412 today? I hope I made it clearer now what's addressed there vs. the other PR14:42
mupPR snapcraft#1412: lxd: snapcraft refresh in containers <Created by kalikiana> <https://github.com/snapcore/snapcraft/pull/1412>14:42
kalikianakyrofa, elopio: also snapcraft#1627 should be fairly straight-forward. I'm splitting lxd.py into different classes/ files to make the code more maintainable. It's getting a bit unwieldy :-D so might even be better to get this in first, since it probably makes other PRs easier to review14:46
mupPR snapcraft#1627: lxd: split container classes into different files <Created by kalikiana> <https://github.com/snapcore/snapcraft/pull/1627>14:46
kyrofakalikiana, will do. Just want to fix my branches now that slow tests have landed etc.14:46
zyga-suseniemeyer: gentle ping about https://github.com/snapcore/snapd/pull/395814:47
mupPR #3958: many: add support for /home on NFS <Created by zyga> <https://github.com/snapcore/snapd/pull/3958>14:47
kalikianakyrofa: Aye, no rush. Let me know if you need another review from me there.14:48
=== JoshStrobl|zzz is now known as JoshStrobl
mvocachio: if you post your work-in-progress branch I can have a look14:51
cachiomvo, sure14:51
=== chihchun is now known as chihchun_afk
cachiomvo, this is the branch https://github.com/sergiocazzolato/snapd/tree/tests-interface-gsettings14:56
kyrofaAgh, test_list_plugins will be the death of me14:57
cachioniemeyer, I think the problem about the refresh core is that after I start the stable version I see https://paste.ubuntu.com/25773077/14:57
niemeyerzyga-suse: Ack14:58
niemeyercachio: Looking14:58
cachioniemeyer, I am using the stable version from long time ago14:58
niemeyercachio: Yeah, so exactly what we discussed14:58
cachioso it triggers a refresh to the current stable14:58
cachioreboots the device and then I start the tests14:59
cachiorunning against stable instead of using beta14:59
niemeyercachio: Yeah.. it's a simple race with auto-refresh14:59
niemeyercachio: As mvo predicted14:59
cachioniemeyer, I should wait until the autorefresh is done to trigger the refresh to beta15:00
niemeyercachio: Yeah, that should work15:00
cachioniemeyer, nice, thanks for the support15:01
niemeyercachio: np!15:01
kyrofaelopio, kalikiana I'm getting this a lot on the pip PR: https://travis-ci.org/snapcore/snapcraft/jobs/28962593415:06
kyrofaelopio, kalikiana have you guys seen that elsewhere?15:07
kyrofaIt's definitely not my error, but it only surfaces when running pip stuff, which makes me think I'm doing something to surface it15:07
kalikianakyrofa: Yeah, I've seen and mentioned that before... the answer I got in the past was "Re-run"...15:07
kyrofakalikiana, oh really? Okay so maybe not this PR then15:07
kyrofakalikiana, I wasn't seeing it elsewhere, so was starting to question myself15:08
kalikianakyrofa: I try to add a comment these days quoting the last lines of such errors, so we can check other PRs for the same false negatives15:09
kalikianaOtherwise it really is difficult to keep track of15:09
=== cachio is now known as cachio_lunch
mvozyga-suse: fwiw, I can reproduce the issue the ePiere was describing, I think I have a test, my local spread is just unhappy, steps are pretty simple, will send via mail15:30
mvozyga-suse: i.e. the error is: "cannot open current mount profile: ....fstab: permission denied"15:30
mvozyga-suse: and I get an apparmor denied from /usr/lib/snapd/snap-confine15:31
zyga-susemvo: aha15:32
zyga-susemvo: right15:32
zyga-susemvo: I'll check it out, let me look at the mail15:32
mvozyga-suse: I have not written the mail yet15:33
zyga-susemvo: if you have access to the shell there15:33
zyga-susemvo: look at the profile in /etc/apparmor.d15:33
zyga-susemvo: you can also collect the data about the loaded profile in sysfs15:34
zyga-susemvo: can you paste the denial really quick please?15:34
mupPR snapd#4057 opened: interfaces: remove duplicated MockPlug/MockSlot helpers from interface tests <Created by stolowski> <https://github.com/snapcore/snapd/pull/4057>15:34
pstolowskizyga-suse, can you look at this trivial if you have a moment? ^15:35
mvozyga-suse: http://paste.ubuntu.com/25773282/15:35
zyga-susemvo: you can also poke at /sys/kernel/security/apparmor15:35
zyga-susepstolowski: yes15:35
mvozyga-suse: http://paste.ubuntu.com/25773287/ is the denial15:35
zyga-susemvo: and the denial?15:35
zyga-suseah15:35
zyga-suseoh15:35
zyga-susemknod?15:36
zyga-susethat's odd15:36
zyga-susethat's totally unexpected15:36
zyga-susecan you run with SNAP_CONFINE_DEBUG=yes15:36
mvozyga-suse: this is the strace (the last few lines) http://paste.ubuntu.com/25773303/15:37
zyga-suseopen("/run/snapd/ns/snap.test-snapd-tools.fstab", O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC, 0666) = -1 EACCES (Permission denied)15:37
zyga-susemvo: that looks like a bug in apparmor15:38
zyga-susemvo: we get open and mknod15:38
zyga-susemvo: that doesn't make sense15:38
mvozyga-suse: and http://paste.ubuntu.com/25773306/15:38
zyga-susejdstrand: ^15:38
zyga-susepstolowski: why do you want that change?15:38
zyga-susepstolowski: I wanted it the other way around but I didn't find a way to do it15:38
zyga-susepstolowski: now we're keeping more test-only code in the real package15:39
zyga-susemvo: thinking15:39
jdstrandis there actually an *apparmor* denial?15:39
zyga-susemvo: `    /run/snapd/ns/*.fstab rw,` is the rule that should allow the open15:39
pstolowskizyga-suse, cause I need two other Mock* helpers like that in my other branch, so I thought I'd go ahead and change existing ones to avoid duplication15:39
jdstrandhttp://paste.ubuntu.com/25773282/ doesn't show there is anything in syslog/journalctl15:40
zyga-suse[  290.377428] audit: type=1400 audit(1508427272.862:36): apparmor="DENIED" operation="mknod" profile="/usr/lib/snapd/snap-confine" name="/run/snapd/ns/snap.test-snapd-tools.fstab" pid=4066 comm="snap-confine" requested_mask="c" denied_mask="c" fsuid=0 ouid=015:40
zyga-susejdstrand: it's a separate pastebin15:40
jdstrandok, yes, I see that15:40
zyga-susepstolowski: can you make it so that we call one of the mock from the other and still use the test package rather than the main package?15:40
zyga-susemvo: I don't have any theory yet15:41
pstolowskizyga-suse, i'm not totally clear on what do you mean? you don't want builtin.Mock*?15:42
zyga-susepstolowski: no, I don't want builtin.Mock15:42
zyga-susepstolowski: we can keep the mock in test-only code15:42
zyga-susepstolowski: but becase we cannot do that yet there are two copies of the code15:43
jdstrandmvo: are you sure that the .real is what is being used and not snap.core....15:43
zyga-susepstolowski: I was thinking one could call the other15:43
zyga-susemvo: are there .real and plain profiles?15:43
pstolowskizyga-suse, ah, that. let me see15:43
zyga-susepstolowski: and in general we should perfer test package to the main package15:43
zyga-susepstolowski: thank you!15:44
jdstrandmvo: you pasted 'cat /etc/apparmor.d/usr.lib.snapd.snap-confine.real'15:44
mvojdstrand, zyga-suse http://paste.ubuntu.com/25773336/15:44
zyga-susemvo: (I mean are there both)15:44
zyga-susemvo: good15:44
mvozyga-suse, jdstrand so that is the only apparmor profile for snap-confine (this is on a core system)15:44
jdstrandmvo: what kernel are you using?15:45
zyga-suseyeah, my question exactly15:45
jdstrandcat /proc/version_signature15:45
mvojdstrand: http://paste.ubuntu.com/25773342/15:45
zyga-susemvo: that product may have a different kernel snap15:45
zyga-susemvo: but I assume you have done this on generic15:45
zyga-suseaha15:46
mvojdstrand: http://paste.ubuntu.com/25773346/15:46
mvoyeah, this is a stock (spread) core VM15:46
zyga-susemvo: at this time I'd collect verbose apparmor debug data15:46
zyga-susemvo: can you look at /sys/kernel/apparmor15:47
mvozyga-suse: sure, what do I need to do ?15:47
zyga-susemvo: and collect (cat + redirect) the profile for snap-confine15:47
zyga-susejust a moment15:47
zyga-susecd /sys/kernel/security/apparmor15:47
zyga-susecd policy/profiles15:48
jdstrandmvo: what if you downgrade the kernel to stable15:48
zyga-susecd usr.lib.snapd.snap-confine.*15:48
zyga-susemvo: collect everything there15:48
zyga-susemvo: note that tar is silly and gets empty files15:48
zyga-suseyou need a dumb cp -R copy15:49
zyga-susethen tarball15:49
zyga-susethen please send/attach that15:49
zyga-suseI'll have a look15:49
zyga-suseif you could, save the snap_confine profile text as well15:49
zyga-suseverbatim as it appears for you15:49
zyga-suseI know you pastebinned it but if it's in the same tarball it's more convenient15:50
zyga-susemvo: after that you can experiment in any way, change the kernel as jdstrand suggeste15:50
zyga-suse*suggested, perhaps15:50
mupPR snapd#4057 closed: interfaces: remove duplicated MockPlug/MockSlot helpers from interface tests <Created by stolowski> <Closed by stolowski> <https://github.com/snapcore/snapd/pull/4057>15:50
mvozyga-suse: on the way via mail15:52
mvozyga-suse: jdstrand going to the stable kernel now and trying it again15:53
zyga-susethank you15:54
jdstrandmvo: you said this is part of spread. what test?15:54
pstolowskizyga-suse, I can make the Mock* method from tests call the one from builtin, so we get rid of duplicated body, a little win..15:54
mvojdstrand: its a new spread test I'm currently working on. we got a report from CE QA about this issue15:54
jdstrandI see a test for that file in  tests/main/snap-discard-ns, but that wouldn't be confined since calling snap-discard-ns directly...15:54
pstolowskibut not the other way around15:54
zyga-susepstolowski: yeah, that's good15:54
zyga-susepstolowski: little by little :)15:55
mvojdstrand: and we have no test yet that checks snap refresh stable->edge and revert back15:55
pstolowskiok..15:55
mvojdstrand: fwiw, stable kernel shows the same message15:55
jdstrandmvo: how can I reproduce?15:55
jdstrandmvo: do you have a branch somewhere?15:56
=== cachio_lunch is now known as cachio
jdstrandmvo: what is it that you are reverting btw?15:57
mvojdstrand: I reverted core15:57
* jdstrand wonders if it is a timing issue15:57
mvojdstrand: one sec, I'm writing a mail and will CC you15:57
jdstrandeg, if the policy gets updated but the snap-confine binary does not...15:57
jdstrand(eg, as part of the revert)15:58
mupPR snapd#4058 opened: interfaces: reduce duplicated code in interface tests mocks <Created by stolowski> <https://github.com/snapcore/snapd/pull/4058>15:59
jdstrandfwiw, I would be surprised if there is a bug in apparmor for file mediation. I am not saying it isn't possible, but I would expect we would see a ton more issues if there was15:59
pstolowskizyga-suse, ^15:59
zyga-susejdstrand: yes, it's a bit mysterious why this happens15:59
zyga-susejdstrand: remember when we once saw a case of apparmor profile staying stale after being loaded?15:59
zyga-susemvo: is this reproducible or did you just get it once and didn't try again?16:00
jdstrandif it happens as a result of reverting core, I suspect we are loading the policy from the reverted core but using the snap-confine binary from the unreverted core, or something similar16:00
zyga-susepstolowski: +116:00
zyga-susejdstrand: but note that on core we reboot and we don't have any core-derived profiles16:00
pstolowskitx16:01
zyga-susemvo: maybe one more sanity check16:01
jdstrandI bet it is the cache file then16:01
mvozyga-suse: I rebooted at least twice, manually loaded the profile to double check, definitely reproducible for me. but I have not done a full scenario yet16:01
zyga-susemvo: reload that profile from disk16:01
zyga-susemvo: and see if the data in sysfs changes16:01
zyga-susemvo: and if the error goes away16:01
zyga-susejdstrand: yes, that's a good idea16:01
zyga-susemvo: hold on, you reloaded the profile manually and it still failed?16:01
jdstrandeg, boot into current core, generate the cache. reboot into an older core, the mtime check is older than the previous cache file16:01
mvozyga-suse: apparmor_parse -r /etc... ? I did that, same failure16:01
zyga-susemvo: yes16:01
zyga-suseholly molly16:02
jdstrandI need a reproducer16:02
jdstrandI strongly suspect there is something along these lines16:02
mvojdstrand: what file is the cache? I think your theory is correct16:02
zyga-susemvo: /var/cache/apparmor I think16:02
mvojdstrand: I can touch the file and see16:02
zyga-susemvo: for that file16:02
jdstrand/etc/apparmor.d/cache16:02
mvozyga-suse: cool, let me try that16:02
zyga-susejdstrand: oh, sorry16:03
jdstrand/var/cache/apparmor is for snaps. /etc/apparmor.d/cache is for system16:03
mupPR snapcraft#1591 closed: snapd integration tests: print stdout/stderr <Created by kyrofa> <Closed by kyrofa> <https://github.com/snapcore/snapcraft/pull/1591>16:03
mvojdstrand: http://paste.ubuntu.com/25773431/ <- looks suspcious16:03
jdstrandmvo: a better test might be to rm -f /etc/apparmor.d/cache/usr.lib.snapd.snap-confine* before the reboot16:03
zyga-suseseptember 27th?16:04
zyga-susewat?16:04
jdstrandmvo: exacctly16:04
mvojdstrand: if I remove the cache file and reload the profile things are ok.16:04
zyga-susethe cache looks good though16:04
jdstrandok16:04
jdstrandso, I think the revert needs to remove the cache file unconditionally16:04
zyga-susemvo: is that september 27th the moment when the profile was loaded?16:04
zyga-suseer16:04
zyga-susewhen the image was built16:04
mvozyga-suse: yes16:04
jdstrandit'll be regenerated on reboot16:05
zyga-susejdstrand: when is the cache not used?16:05
jdstrandit's always used as part of boot16:05
zyga-susealways even if stale?16:05
zyga-suseis there any staleness check?16:05
jdstrandno16:05
jdstrandyes16:05
jdstrandit doesn't use a stale cache. it has a check. it will regenerate it if stale16:06
zyga-susewhat is the condition?16:06
jdstrandthe problem is it doesn't look stale16:06
jdstrandmtime16:06
mvocould we rework the cache? I remember we had issues with this before, I vaguely remember some discussion to move to md5sum/sha1 or similar for cache comparing16:06
zyga-suseaha16:06
zyga-suseI see16:06
jdstrandthe cache file is always going to be newer than the reverted core's profile16:06
zyga-susejdstrand: I think this will explain what I saw earlier as well16:06
zyga-susejdstrand: the issue that federico ran into right in front of my eyes16:07
jdstrandmvo: just remove the cache files on revert16:07
zyga-susejdstrand: all of them? /var/cache/apparmor /etc/apparmor/cache ?16:07
jdstrandthat is the fast and correct fix for today. if want to use checksums, that could come later16:07
jdstrandno16:07
jdstrandwe are talking about snap-confine. just remove the /etc/apparmor.d/cache/*snap-confine* profiles on core revert16:08
mvojdstrand: I just found something, it makes me weep a bit16:08
* zyga-suse hugs mvo and is curious to know16:08
mvojdstrand: https://bugs.launchpad.net/snappy/+bug/146015216:08
mupBug #1460152: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable -> 15.04/edge updates) <patch> <Snappy:Fix Released by mvo> <Snappy 15.04:Fix Released by mvo> <apparmor (Ubuntu):Fix Released> <https://launchpad.net/bugs/1460152>16:08
zyga-suseoh my https://code.launchpad.net/~mvo/ubuntu/vivid/ubuntu-core-config/lp1460152-workaround/+merge/26117916:09
zyga-susemvo: we barely notice this bug because the profile for snap-confine rarely changes in ways that newer revision can do *less* than the older revision16:10
zyga-susemvo: where shall we change this?16:11
zyga-susemvo: in request snapd restart?16:11
zyga-susemvo: or in the apparmor backend?16:11
zyga-susemvo: we could purge the cache whenever core is installed16:12
zyga-susemvo: just in case16:12
zyga-susejdstrand: is the apparmor cache location the same in various distros?16:12
jdstrandin thinking about this, on core, should rm -rf /etc/apparmor.d/cache/*16:12
jdstrandon refresh/revert of the core snap16:12
zyga-susejdstrand: yeah, because new policy can be inside and we won't know16:12
jdstrandzyga-suse: we are talking about Ubuntu Core here. on classic, re-exec solves all this ith per-revision profiles16:13
jdstrandso on Ubuntu Core, we can depend on /etc/apparmor.d/cache16:13
zyga-susejdstrand: yes, but what about !snap-confine profiles?16:13
zyga-susejdstrand: well, we ge-gen those on startup now16:13
jdstrandwhat about them?16:13
zyga-susejdstrand: I think you are right, those are fine16:14
* jdstrand is confused. I thought we were talking about snap-confine16:14
zyga-susejdstrand: yes but I was thinking that the cache issue may affect other profiles too16:14
zyga-susejdstrand: but I agree with you that it is just for this single profile16:14
jdstrandsnap profiles?16:14
mvojdstrand: what was the downside of https://bugs.launchpad.net/snappy/+bug/1460152/+attachment/4409034/+files/lp1460152-apparmor.diff  ? this syncs mtime of profile and cache, if there is a difference we re-generate. cheap and (at first glance) reliable, no?16:15
mupBug #1460152: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable -> 15.04/edge updates) <patch> <Snappy:Fix Released by mvo> <Snappy 15.04:Fix Released by mvo> <apparmor (Ubuntu):Fix Released> <https://launchpad.net/bugs/1460152>16:15
jdstrandno-- cause of the overlord or whatever making sure if they are different they are regenerated16:15
elopiokyrofa: sorry, I didn't see the error and now that link is an execution in progress.16:17
mvojdstrand: I can prepare something that "rm -rf /etc/apparmor.d/cache/* on core devices when the core snap changes. but I still would to discuss how to make apprmor itself more reliable here"16:17
elopiokyrofa: when I get repeated errors, I report them in a bug even if it's not clear if they are snapcraft's fault.16:17
kyrofaelopio, good idea. I'll do that again if I see it16:18
mvojdstrand: if you think the syncing is ugly, just embedding the timestamp of the source file in the cache is also super cheap or putting an .aux file next to it with the timestamp16:18
jdstrandmvo: the downside is that apparmor would need an SRU everywhere. that will be too slow for you16:18
mvojdstrand: *cough* dput ppa:snappy-dev/image apparmor_13371+ppa1_source.changes. problem solved until the SRU is in16:19
mvojdstrand: it seems more correct to me and I'm happy to give it a shot16:20
jdstrandmvo: I'll defer to jjohansen on the best approach. It looks like he started to pick up that work16:20
jdstrandmvo: you know I very much hate that :P16:20
jdstrandmvo: I would very much prefer to not be ahead of upstream apparmor on this point16:20
kyrofaelopio, is snapcraft#1629 good to go?16:20
mupPR snapcraft#1629: lxd: fix the unit test for the user id map <Created by elopio> <https://github.com/snapcore/snapcraft/pull/1629>16:20
elopioyes, it even got a green autopkgtest execution16:21
zyga-susemvo: so we need a .6?16:21
mvojdstrand: thats ok, I can do both: add code to snapd and poke at apparmor (or poke you guys to do that)16:21
zyga-susemvo: I think we need a .6 :/16:21
mvozyga-suse: no, not a regression16:21
zyga-susemvo: it breaks revert16:21
zyga-susemvo: CE won't like that16:21
kyrofaelopio, excellent, I'm merging it. So tired of bad autopkgtests16:21
mvozyga-suse: but its stable->edge so far, no?16:21
zyga-suseno, this is ever since we have snap-update-ns16:21
elopiothanks kyrofa.16:21
mvozyga-suse: if its old-stable->stable thats different16:21
zyga-susemvo: hmmmm16:21
jdstrandmvo: note that we are probably going to do an apparmor SRU for the af_unix issue, so maintaining an extra apparmor in a ppa makes that more complicated16:21
zyga-susenot sure16:21
* zyga-suse looks16:22
jdstrandmvo: yes, rm -rf in PR +1. working with upstream on better parser +116:22
mvojdstrand: my suggestion about the ppa is only to quicken the sru process, i.e. we would not maintain something, we would just upload something that you guys have already in the upstream git16:22
mvojdstrand: let me know if I can help, happy to poke at this again, the fact that I worked on this 2y ago and it came back indicates to me that I don't want to do this again in 2y :/16:23
jdstrandmvo: right, but then we'd need to remember to include that in the SRU so it isn't dropped16:23
mvojdstrand: agreed16:23
jdstrandI'm not saying it isn't impossible or anything, just, we need to think through coordination, etc16:23
mvojdstrand: as long as we have a regression test in our tree things should be ok.16:24
mupPR snapcraft#1629 closed: lxd: fix the unit test for the user id map <Created by elopio> <Merged by kyrofa> <https://github.com/snapcore/snapcraft/pull/1629>16:24
zyga-susemvo: dccfcb26c5fe59fb259a800a22208f355e79d6bd is the patch that changes the policy16:26
jdstrandmvo: looking at trunk, it seems like there were commits related to this16:26
zyga-susemvo: I don't see it in 2.28 release branch16:26
zyga-susemvo: so I think it's looking like a quiet weekend16:26
mvozyga-suse: :)16:28
mvozyga-suse: yay, big hugs to the CE QA team then16:28
jdstrandmvo: with a regression fix: https://bugs.launchpad.net/apparmor/+bug/148417816:29
mupBug #1484178: Policy cache file mtimes are not being set correctly <AppArmor:Fix Released by tyhicks> <apparmor (Ubuntu):Fix Released by jdstrand> <https://launchpad.net/bugs/1484178>16:29
jdstrandmvo: so it looks like a version of your patch made it in, but "Starting in AppArmor 2.10, the policy cache file's mtime was meant to be updated to be equal to the newest mtime detected on the profile and abstraction files used to generate the policy cache file"16:29
jdstrandmvo: this was something I was trying to think through. the include files are going to be a problem on revert16:30
jdstrandI think16:30
jdstrandso the parser is supposed to use the newest value of mtime between the profile and include files16:31
tyhicksthat's correct16:32
jdstrandso if /etc/apparmor.d/tunables/global is newer than /etc/apparmor.d/*snap-confine*, the mtime of global will be used for the cache16:32
jdstrandif we revert but global did not change, then the mtime will be the same and the cache won't be stale16:33
kyrofakalikiana, snapcraft#1412 has conflicts16:33
mupPR snapcraft#1412: lxd: snapcraft refresh in containers <Created by kalikiana> <https://github.com/snapcore/snapcraft/pull/1412>16:33
tyhicksjdstrand: sounds like the cache read should be skipped in such a situation16:34
tyhicksthe '--skip-read-cache' option of apparmor_parser16:34
jdstrandtyhicks: which part are you talking about?16:35
jdstrandtyhicks: in snapd on refresh/revert?16:35
tyhicksjdstrand: yes16:35
jdstrandfor core16:35
tyhicksyes16:35
jdstrandthat would work too, but having the stale cache files around seems wrong too16:35
jdstrandso long as we use --write-cache, that would be ok16:36
tyhicksjdstrand: you're talking about stale cache files for app snaps?16:36
zyga-susethe parser could unlink them16:36
jdstrandtyhicks: no, snap-confine16:36
jdstrandzyga-suse: I don't think the parser is the place to do this. it is doing what everyone asked16:37
jdstrandit still has a concept of 'newer'16:37
jdstrandin terms of what it is including. if there is a concept of 'newer' then reverts are problematic to handle in the parser itself16:37
* zyga-suse feels that cache in apparmor is not as transparent as it should and needs hand-holiding16:37
* mvo dinner16:38
jdstrandtyhicks: the problem is on core revert, the newer cache file is still used but with an older snap-confine. that broke things16:39
mvoyeah, I think hashes or list of mtimes of the inputs would be more reliable16:39
* mvo vanishes16:39
* zyga-suse too16:39
jdstrandmvo: if you recall from the bug, hashes will slow things down16:39
tyhicksjdstrand: how about simply updating the mtime of the profile on revert?16:39
jdstrandtyhicks: that could work too16:39
jdstrandtyhicks: well, no. it is in rofs16:40
tyhicksimo, that's what needs to happen16:40
tyhicksoh16:40
jdstrand/etc/apparmor.d is read-only. /etc/apparmor.d/cache is rw16:40
jdstrandmvo: the cache is meant to be pretty much as fast as you can read them off the disk. if we add hashes, consider hundreds or more profiles16:41
mvojdstrand: if hashes are slow we could store the [(input1,mtime1),...(inputN,mtimeN)] and compare those, that should be quick16:41
zyga-susejdstrand: out of my PRs I'd like your review on https://github.com/snapcore/snapd/pull/4008 -- it's long but most of that is tests16:42
mupPR #4008: cmd/snap-update-ns: create missing mount points automatically <Created by zyga> <https://github.com/snapcore/snapd/pull/4008>16:42
zyga-susejdstrand: it contains go's version of mkpath16:42
jdstrandzyga-suse: it is already on my list. I'll put it towards the top. I've seen commits as recent as today-- is it ready for another review?16:42
zyga-susejdstrand: freeze/thaw logic that's new16:42
mupPR snapd#4059 opened: tests: add test that checks core reverts on core devices <Created by mvo5> <https://github.com/snapcore/snapd/pull/4059>16:43
mvojdstrand: please don't get me wrong, I don't want to be pushy or anything, happy to help wit hthis stuff. but dinner now really :)16:43
jdstrandmvo: that would require changes to the format on disk and thus require jjohansen's input16:43
zyga-susejdstrand: and small glue that uses mkdir when we want to mount something but target is gone16:43
kyrofaelopio, will python3 -m unittest discover -b -v -s integration_tests" not run _all_ the integration tests, including the packages below?16:43
zyga-susejdstrand: there's loads of unit tests and one comprehensive integration test16:44
elopioNot until tomorrow16:44
kyrofaelopio, isn't that how discover works?16:44
jdstrandmvo: checking and comparing the mtimes of everything is likely performant enough. I'm not sure of other ramifications. maybe it makes sense to bring up on the apparmor ML?16:44
* jjohansen reads backscroll to pickup context16:44
tyhicksjjohansen: don't spend time reading all of backscroll16:44
tyhicksjjohansen: I'll summarize16:44
elopiokyrofa: I'm moving some integration tests to a general suite, so we can properly filter.16:45
zyga-susejjohansen: hey, long time no see :)16:45
jdstrandzyga-suse: I think I heard "yes, it is ready for you to review"?16:45
jjohansenhi zyga-suse16:45
zyga-susejdstrand: hmm?16:45
zyga-susejdstrand: I think it's ready now16:45
zyga-susejdstrand: NB, this is the code without any overlayfs16:45
jdstrand11:42 < jdstrand> zyga-suse: it is already on my list. I'll put it towards the op. I've seen commits as recent as today-- is it ready for another review?16:46
zyga-susejdstrand: so should be non-controversial16:46
zyga-susejdstrand: ah, I didn't notice16:46
kyrofaelopio, ah, integration_tests/snapd, integration_tests/store etc. aren't packages, I see16:46
elopiokyrofa: at some point, somebody, probably not me but maybe... removed the init.py from some subdirs, so they are not discovered.16:46
zyga-susejdstrand: it's ready, the code today was more tests and shrinking the diff for next PRs16:46
kyrofaelopio, gotcha16:46
tyhicksjjohansen: on snap revert, snapd is rolling back profiles to old versions but there could be an include file that is newer so the mtime of the policy cache file isn't updated and the old cache file is loaded16:46
jdstrandzyga-suse: ok16:46
niemeyerzyga-suse: You've got a review16:46
zyga-suseniemeyer: thank you16:46
niemeyerzyga-suse: Thanks for the PR!16:46
elopiokyrofa: I'm moving everything around to make the split for Travis a little less painful.16:47
niemeyerzyga-suse: Ah, one more note, can we please drop the "generated-" prefix and use something more contextual?16:47
niemeyerzyga-suse: Every profile we have is generated16:47
tyhicksjjohansen: apparmor's policy cache implementation assumes that mtimes should only ever go forward but that's not the case when reverting back to older, read-only versions of a profile16:47
jdstrandtyhicks: that summarizes things ok, but more precisely, it is core snap revert, which includes system profiles in /etc/apparmor.d. non-core snap profiles are not affected because of how snapd manages them. there is an interplay with the /etc/apparmor.d profiles and the init script that is causing trouble16:47
zyga-suseniemeyer: whatever we want, we just need to have a prefix16:47
tyhicksjdstrand: sure but jj doesn't need that info16:48
niemeyerzyga-suse: What's common across all of the files?16:48
tyhicksat least, I didn't think he did :)16:48
zyga-suseniemeyer: so far we only have one file16:48
jdstrandtyhicks: I thought the system profile point was important, but ok16:48
zyga-suseniemeyer: but the theme is "local tweaks to work around something"16:48
niemeyerzyga-suse: How about nfs then?16:48
niemeyerzyga-suse: Or perhaps...16:48
jjohansentyhicks: ? ah, so what you want is the hashing consistency check16:48
zyga-suseniemeyer: we need a glob to match the set we manage, we can juse use `*`16:49
zyga-suseniemeyer: then we can drop generated-16:49
niemeyerzyga-suse: If it's just one file, it'd be better to use that one file instead16:49
jjohansenwhich we started on ages ago, and never finished because its priority was dropped16:49
jdstrandjjohansen: I think what mvo wants is that if the profile or any included files are different, then regenerate the cache. how that is done I don't think he cares16:49
tyhicksjjohansen: I'm not asking for that but the snapd folks want something along those lines or for a list of profile and include file mtimes to be stored alongside the policy cache file16:49
niemeyerzyga-suse: nfs-support is a good name for the file16:50
zyga-suseok16:50
zyga-suseI'll review the review comments and tweak this, I think it should land tomorrow16:50
niemeyerzyga-suse: The file is included/imported by name, right, not by glob?16:50
zyga-suseniemeyer: no16:50
zyga-suseniemeyer: everything in the directory is imported16:51
zyga-suseniemeyer: apaprmor includes are recursive16:51
niemeyerzyga-suse: Oh?16:51
jdstrandjjohansen: I speculated in the old bug that prompted the setting of mtime of the cache to that of the newest file patch that a hash of everything would be slow, so people thought about storiing of the list of all the mtimes and comparing those16:51
niemeyerzyga-suse: Okay, so the glob needs to be * indeed16:51
jjohansenjdstrand: well, its either store everything and compare. Or a hash and compare16:51
niemeyerOtherwise we may be including things we have no idea about16:51
jdstrandjjohansen: right16:51
tyhicksjjohansen: I'm currently of the opinion that snapd is subverting the policy cache, out from under apparmor_parser, and should be smart enough to use --skip-read-cache when appropriate16:51
tyhicksjdstrand: we could hash all the mtimes instead of hashing the profiles and include files themselves16:52
jdstrandit is true that snapd is moving forward and backward in time in arbitrary ways with the concept of revert16:52
jdstrandtyhicks: that's interesting16:52
jjohansenjdstrand: the hashing isn't that slow when you realize we read in those files already anyways, because we the time comparison is in the parse16:53
tyhicksand it doesn't have to be an cryptographic hash16:53
jjohansenright16:53
kyrofasnappy-m-o, autopkgtest 1627 xenial:amd6416:53
snappy-m-okyrofa: I've just triggered your test.16:53
jjohansenI believe I was using murmer hash3, which is faster than a crypto hash but still fairly good16:54
jdstrandjjohansen: did you profile its performance?16:54
tyhicksjjohansen: I used djb2 for my old multiple policy cache implementation16:55
jjohansenjdstrand: it was never completed to the point where performance could be checked, but it should be at least a couple order of magnitudes faster than the disk read16:55
jdstrandcause while this is prompted by the system cache and the system profile in ro media, if we introduce a hash check I would expect it to be used for all profile loads (where we are considering the use of the cache), which could easily be hundreds of profiles16:55
jjohansenso I expect you won't even notice it16:55
jjohansenjdstrand: right, which brings us to another optimization that has never been finished. Calling the parser once with all the profiles to load and caching each file once (which means hashing them once)16:57
jdstrandjust so it is understood why a crypto hash is not required, the idea is that if you can modify the files in /etc/apparmor.d{,/cache} to create a collision, you may as well just change them16:57
tyhicksjdstrand: speed is the #1 reason followed by what you just said16:58
jdstrandjjohansen: that would be quite nice since we are using templates, etc (we could actually optimize what snapd does to leverage that even more when the feature was there). I'm guessing that is quite far out though16:58
jjohansenjdstrand: we are hardening against an attack, this is just an optimization, and detecting files changes. A good hash makes that almost guarenteed16:58
* zyga-suse cannot find any bug reports about NFS and apparmor 16:59
jjohansena crypto hash would make the odds against an accidental collision even better, but for this, not worth the cost16:59
tyhicksif we do hashing, I'd think that we would want to use something very fast (djb2/murmur) and also continue to check the most recent mtime (like what we're doing today) to slightly reduce the chance of a collision under normal usage (doesn't help with snapd's revert situation)17:00
jdstrandright, I understand the reasoning, I just wanted it explicitly stated for posterity :)17:00
jjohansenzyga-suse: oh they have happened in the past, but you may need to file a new one. I am not sure there are any in launchpad, perhaps suse bugzilla17:00
jdstrandzyga-suse: let me check. I thought there was one17:00
zyga-susejjohansen: aha, I'll look at suse then17:00
zyga-susethank you!17:00
jjohansentyhicks: yep that was the plan17:00
zyga-suseI looked at apparmor on LP and general google17:00
tyhicksjjohansen: do you agree that we just hash the mtimes rather than the file contents?17:01
jjohansenzyga-suse: I remember something around 2004-2006, can't remember the details, tony dealt with it17:01
jjohansentyhicks: uh no17:01
jdstrandzyga-suse: I think I was only thinking of https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1662552, which you are familiar with17:02
mupBug #1662552: snaps don't work with NFS home <snapd:In Progress by zyga> <snapd (Ubuntu):Triaged> <https://launchpad.net/bugs/1662552>17:02
jjohansentyhicks: we can consider it, but its not something I have spent enough time with to agree17:02
zyga-susehmm, it feels I should file a new bug on apparmor specifically17:03
jjohansenzyga-suse: please do17:03
jdstrandtyhicks, jjohansen: to be clear, this conversation is about a proper solution. mvo and the snapd team will implement something to work with what is currently there (maybe --skip-read-cache, maybe rm -f of the cache files, etc)17:04
tyhicksjdstrand, jjohansen: I think that this was a useful technical deep dive but we don't currently have plans to work on this for 18.0417:04
jdstrandmvo: ^17:04
zyga-susejjohansen: https://bugs.launchpad.net/apparmor/+bug/172490317:06
mupBug #1724903: NFS access is not transparent to processes with apparmor profile containing network rules <AppArmor:New> <https://launchpad.net/bugs/1724903>17:06
zyga-susejjohansen: if you have insight into how this works and why the workaround is needed could you pleaseadd it there17:08
zyga-suseI'm only aware of the surface of the issue17:08
jjohansenzyga-suse: hrmmm, my guess is because nfs is using the task asking the files cred instead of a kernel cred via the act as cb when doing the network stuff. But I will have to actually dig into it to be sure17:10
jjohansenzyga-suse: how about I distract you with the fedora kernel I gave stgraber instead ;)17:11
zyga-susejdstrand: :D17:11
zyga-susefedora kernel?17:11
stgraber:)17:12
zyga-susejjohansen: note that that was just a gentle idea, I don't want you to drop what you are doing and work on that bug :)17:12
jjohansenhence the distraction to keep you occupied, so you don't realize I haven't worked on the bug :)17:12
zyga-suseI think I need to EOD now, kids are running unchecked here and I bet they have homework :)17:13
mvojdstrand, tyhicks would you accept patches if there is agreement about the approach?17:23
tyhicksmvo (cc jjohansen): definitely :)17:24
mvotyhicks: cool! and agreement is fast-hash+mtime? (cc jjohansen)?17:25
jjohansenzyga-suse: yes fedora kernel, its stack apparmor and selinux17:25
jjohansenmvo: give me a minute17:26
mvojjohansen: sure :)17:27
zyga-susejjohansen: oh, shiny!17:31
zyga-susejjohansen: do you have RPM?17:31
jjohansenzyga-suse: for the kernel only atm17:31
jjohansenzyga-suse: http://people.canonical.com/~jj/fedora/17:32
stgraberjjohansen: one thing that was mentioned last week is that we could probably call the apparmor tools from within the core snap17:32
zyga-susejjohansen: 1.1G?17:32
jjohansengive me a minute and I can send you an email with some instructions17:32
stgraberjjohansen: at which point we'd only really need apparmor support in the kernel, everything else would be coming from the core snap17:32
jjohansenzyga-suse: its all the rpms from the kernel build17:32
jjohansenstgraber: yep that is a possibility, just wanted to make sure zyga-suse understood there is no apparmor userspace rpm atm17:33
zyga-susejjohansen: ack, I understand17:36
cachioniemeyer, is it any way to stop the auto-refresh?17:39
kyrofacjwatson, any chance you're still around?17:41
cjwatsonkyrofa: about to finish.  what is it?17:43
kyrofacjwatson, quick question17:43
Pharaoh_Atemjjohansen: what is this?17:43
kyrofacjwatson, back when we were discussing the `architectures` key at the sprint, we settled on using the grammar we already have17:44
kyrofacjwatson, but this is something LP will need to parse17:44
kyrofacjwatson, we discussed your using the grammar processing we already wrote, and I'd like to quickly discuss how you'd like to consume that17:45
cjwatsonkyrofa: and I think what Sergio (or you?) said was that the relevant bit of the parser would be made available on PyPI as a thing we could use17:45
Pharaoh_Atemjjohansen: it's 1.1GB!17:45
jjohansenPharaoh_Atem: development work towards LSM stacking, which will allow for multiple LSMs on a system at once. So if enabled, apparmor based snaps would work (in enforcing, not dev mode) on an selinux fedora17:45
jjohansenor you could use and Ubuntu container with apparmor on an selinux fedora17:45
jjohansenetc17:45
kyrofacjwatson, that was my question: is that best for you? Or do you simply want it as part of the public API in snapcraft so you can import it, etc.17:45
jjohansenPharaoh_Atem: its all the kernel rpms from a kernel build, you don't need all of them, just like an ubuntu kernel build you get lots of different debs out, but only need 1 or 2 for most things17:46
cjwatsonkyrofa: PyPI would be much better for us; recall that LP is running in fairly tightly-controlled environments.17:46
kyrofacjwatson, yep, good deal, that's all I needed! Just planning out tasks17:46
kyrofacjwatson, thank you :)17:47
cjwatsonkyrofa: And while we do still consume a few Python packages from the system, we want to move away from doing that.17:47
Pharaoh_Atemjjohansen: does someone want to start talking to the Fedora kernel team about this?17:47
Pharaoh_Atembecause this is not something to enable lightly17:47
Pharaoh_Atemjjohansen: where's the src.rpm?17:47
kyrofacjwatson, makes sense17:47
jjohansenPharaoh_Atem: no, none of its upstream, its a work in progress. The selinux people are aware of it, we have been discussing LSM stacking for 5 years, slowly working towards it17:48
jjohansenPharaoh_Atem: hrmm, if its not in the tarball then the build must have dropped it in a different location17:48
Pharaoh_Atemit's in SRPMS in the rpmbuild/ tree17:48
jjohansenI tared up the build dir17:48
Pharaoh_Atemlooks like you archived rpmbuild/RPMS/*17:49
Pharaoh_Atembut not rpmbuild/SRPMS/*17:49
jjohansenPharaoh_Atem: ack, so a different location, I didn't check, and its been a long time since I have dealt with rpm packaging17:49
Pharaoh_Atemjjohansen: you should get out more ;)17:50
=== JoshStrobl is now known as JoshStrobl|Nap
jjohansenthis was a quick one off for a demo, it wasn't meant for public consumption17:50
jjohansenwell general public, people are welcome to play but I haven't even put together a good list of instructions17:51
Pharaoh_Atemjjohansen: feel free to set up something on https://copr.fedorainfracloud.org/17:51
Pharaoh_Atemit's not particularly hard ;)17:51
jjohansenthe plan was to fix some bugs, and make the git tree public, along with some instructions17:51
zyga-ubuntujjohansen: I can help17:51
Pharaoh_Atemthe only thing I'm not particularly happy about is that the LSM stacking doesn't help anything for RHEL/CentOS users17:52
jjohansenzyga-ubuntu: thanks for the offer, I will take you up on it, but it will be a few days before I can get back to playing with this17:52
Pharaoh_Atemas in, even if we got AppArmor enabled in Fedora, and had the userspace utilities packaged (not particularly difficult), it won't help for RHEL/CentOS users who use the RHEL kernel17:52
zyga-ubuntuPharaoh_Atem: we won't necessairly have to package them17:53
Pharaoh_Atemzyga-ubuntu: trust me, that *will* be a requirement of the kernel team17:53
jjohansenPharaoh_Atem: hrmm, maybe apparmor was enabled in at one of those at one point. not default, and not supported but enabled17:53
jjohansens/enabled/compiled in/ so some one could set it on the grub kernel line17:53
Pharaoh_Atemjjohansen: it's not currently enabled in the Fedora kernel or the RHEL7 kernel17:54
Pharaoh_Atemas in, not compiled in at all17:54
Pharaoh_Atemzyga-ubuntu: it's not an unreasonable requirement to package and maintain the userspace for AppArmor17:54
jjohansenPharaoh_Atem: yep, that may change. stgraber did a demo of an ubuntu container running on fedora with selinux enforcing the host and apparmor the guest17:55
jjohansenbeing able to fully support other OS containers is a compelling use case17:55
Pharaoh_Atemwell, LXD will be fine with SELinux across the board17:55
Pharaoh_AtemI fixed the SELinux policy to add the LXD binaries, so now LXD just has to use it17:55
Pharaoh_Atemjjohansen: most people are fine with security systems being disabled17:56
Pharaoh_Atemand historically, it's been a huge burden to be an AppArmor user17:56
Pharaoh_Atemthough hopefully that is changing with the more upstream-y policy of AppArmor team17:57
skjensenAny where I can find the source for building this kernel? https://code.launchpad.net/~snappy-dev/+snap/linux-generic-bbb/+build/76303  Downloading it and using it as an extra snap still give me the with different signatures on the kernel and gadget.. :(17:59
Pharaoh_Atemso at some point soon, kyrofa and zyga-ubuntu will work with the lxd copr packager to bring those into Fedora mainline17:59
cjwatsonkyrofa: (BTW I don't particularly object if this is a matter of dumping snapcraft onto PyPI, but I also don't know whether that would be a pain due to non-standard packaging or whatever)18:01
kyrofacjwatson, haha, me neither18:01
cjwatsonkyrofa: though I guess adding all of snapcraft to our dependencies would bloat our virtualenv a *lot*, so it might be better if there were a more focused dependency split off from it, if that isn't too much hassle18:02
cjwatsonkyrofa: oh, err - also, LP is currently Python 218:02
kyrofacjwatson, oh nooooooo18:02
kyrofaHahaha18:02
cjwatsonkyrofa: making just the parser bilingual might be easier than making the whole thing bilingual18:03
cjwatsonwhich I'm fairly sure you have no interest in18:03
kyrofacjwatson, indeed, that's definitely a point in favor of refactoring into its own thing (which is what I was planning for anyway)18:03
kyrofacjwatson, glad we talked, that changes my time estimate a little18:03
cjwatsonI obviously want to get LP onto Python 3 eventually, but it's lots of code and lots of dependencies18:03
Pharaoh_Atemwill LP become Python 3?18:04
cjwatsonglad I thought of that, that obviously changes things18:04
cjwatsonPharaoh_Atem: ... as I just wrote :)18:04
kyrofacjwatson, but not unreasonably so18:04
Pharaoh_Atemwell, you want it to, doesn't mean that's actually planned :P18:04
kyrofacjwatson, sure, no problem at all18:04
Pharaoh_Atemlast time I talked to anyone about LP, they said the project is effectively dead :/18:04
kyrofaBut I appreciate the heads up18:04
cjwatsonPharaoh_Atem: they were lying18:04
cjwatsonor misinformed18:05
kyrofaPharaoh_Atem, it's a huge part of our infra18:05
cjwatsonthat sort of thing makes me quite cross because it erases e.g. my work18:05
Pharaoh_Atemkyrofa: plenty of people run on dead projects :)18:05
Pharaoh_Atemcjwatson: it gets said *a lot*18:05
cjwatsonPharaoh_Atem: turns out that porting three-quarters of a million lines of Python with 200 dependencies to Python 3 is a ton of work, and when it has to be fitted around the edges of feature work, that's tough18:05
Pharaoh_AtemX_X18:05
Pharaoh_Atemit'll be impressive at the end :)18:06
kyrofacjwatson, 200? That's all?18:06
cjwatsonPharaoh_Atem: it's significantly less funded than it used to be, certainly, but it is not dead and if you're hearing that I'd appreciate correcting the misapprehensions18:06
Pharaoh_Atemkyrofa: dude, GitLab has almost 600 dependencies18:06
Pharaoh_Atemyou should be glad LP only has 20018:06
kyrofaPharaoh_Atem, I know, I wasn't being sarcastic, I'm genuinely surprised18:06
cjwatsonkyrofa: last exact count was 208 I think18:06
cjwatsonthough that's not counting .deb-packaged deps18:07
Pharaoh_Atemcjwatson: the last couple of times I've reported LP bugs, people have messaged me to say to not bother18:07
cjwatsonbah18:07
Pharaoh_Atemso *shrugs*18:07
Pharaoh_Atemsorry18:07
cjwatsonnext time please tell me who they are so I can correct them18:07
Pharaoh_Atemwill do18:07
cjwatsonpossibly just by fixing the bug in question :P18:07
kyrofaHahaha18:08
cjwatsonif they're Canonical people, then I think it's actually really unprofessional18:08
Pharaoh_Atemyeah, it was definitely Canonicalers18:09
Pharaoh_Atemlast year or so18:09
Pharaoh_Atemand again after I filed this: https://bugs.launchpad.net/launchpad/+bug/167848618:10
mupBug #1678486: Enable watching Red Hat Bugzilla bugs <Launchpad itself:New> <https://launchpad.net/bugs/1678486>18:10
cjwatsonI didn't notice that, but will look into the history18:10
Pharaoh_Atemthe other time recently was when I asked about some of the incorrect project associations in LP18:11
Pharaoh_AtemI was told that no one maintains those and there's nothing anyone can do about it18:12
cjwatsonThat's not really about the LP codebase; those were always designed (rightly or wrongly) to be gardened by the community18:12
Pharaoh_Atemfor example, the rpm5 guys hijacked the rpm registration on LP: https://launchpad.net/rpm18:13
cjwatsonPretty much anyone can change them, but the flip side is that pretty much anyone can change them back18:13
Pharaoh_Atemwhich means it's impossible to glue upstream rpm bugs to downstream issues18:13
cjwatsonOh, you don't mean the project/package associations, you mean metadata on projects?18:13
Pharaoh_Atemyeah18:13
Pharaoh_Atemas an example, this: https://bugs.launchpad.net/rpm/+bug/147575518:14
mupBug #1475755: rpmbuild auto provides not listing shared libraries <RPM:Invalid> <https://launchpad.net/bugs/1475755>18:14
cjwatsonSomebody must've specifically asked for that18:14
cjwatsonHonestly I think it might be best to register a new project name for upstream rpm18:14
cjwatsonOr we could fight it out with ~rpm5 to get the project renamed to rpm518:14
Pharaoh_Atemthat's hard, since the "rpm" name is tied to the rpm package and all the tooling18:14
cjwatsonThe project name in Launchpad can't possibly be18:14
cjwatsonI wasn't suggesting renaming rpm upstream ...18:15
cjwatsonJust LP's view of it18:15
Pharaoh_Atemah18:15
Pharaoh_Atemwell, if the current "RPM" is renamed to RPM5 and kicked out of the associations, that'd fix it18:15
cjwatsonAnyway, doesn't sound like you asked anyone who actually knew how this stuff is handled18:16
* Pharaoh_Atem shrugs18:16
Pharaoh_AtemI don't know anything18:16
Pharaoh_Atemall I know is what people tell me18:16
Pharaoh_Atemwhich apparently is 120% wrong :)18:16
cjwatsonCan you (get somebody with suitable authority to) file a ticket on https://answers.launchpad.net/launchpad/+addquestion about the rpm issues with as much detail as possible?18:16
cjwatsonIt may take some archaeology to sort out what's been happening18:16
Pharaoh_AtemI can try18:16
cjwatsonthanks18:16
Pharaoh_Atemno promises, as most of the rpm guys just want to stay the fuck away from rpm5 maintainer18:17
Pharaoh_Atemhe's kind of a toxic asshole18:17
cjwatsonwell, LP by policy wants to stay away from that sort of thing, it's not our business; we just want to have a semi-reasonable modelling of what things are called18:17
Pharaoh_Atemyeah18:18
cjwatsonPharaoh_Atem: oh, re "you want it to, doesn't mean that's actually planned" - I landed a bunch of branches just today making concrete progress towards it, even if it does feel a bit drop-in-the-ocean sometimes :)19:16
cjwatson(lots of "from __future__ import absolute_import, print_function, unicode_literals" and associated fixups)19:19
sergiusenscjwatson and kyrofa snapcraft is already on pypi and yes we will split the package out as a stretch goal19:34
kyrofasergiusens, you missed it: needs to be python219:34
kyrofaCan't be a stretch goal :)19:34
sergiusensIt can still be stretch.19:36
niemeyercachio: Stop one in progress? snap abort19:40
niemeyercachio: Prevent it from even getting started?  schedule the refresh19:40
cachioniemeyer, yes, testing that, because wait of the auto refresh is taking so long19:44
niemeyercachio: The --last parameter of abort may come in handy19:44
cachioniemeyer, well the --last is not present inthe stable version so it makes the script fail19:55
niemeyercachio: I'm pretty sure it is19:55
niemeyercachio: It's been added a long while ago19:55
cachioniemeyer, https://paste.ubuntu.com/25774590/19:56
cachiothis stable release is from mack I guess19:56
cachiomarch19:56
niemeyercachio: lol19:57
niemeyercachio: I'm sure *some day* stable didn't have it :)19:57
cachioniemeyer, :) sadly, np, I'll continue working with the change id instead19:59
=== bashfulrobot is now known as bashfulrobot_AFK
=== bashfulrobot_AFK is now known as bashfulrobot
facubatistasergiusens, push metadata to the store: https://github.com/snapcore/snapcraft/pull/163420:51
mupPR snapcraft#1634: Push metadata to the Store <Created by facundobatista> <https://github.com/snapcore/snapcraft/pull/1634>20:51
mupPR snapcraft#1634 opened: Push metadata to the Store <Created by facundobatista> <https://github.com/snapcore/snapcraft/pull/1634>20:51
=== JoshStrobl|Nap is now known as JoshStrobl|AFK
=== JoshStrobl|AFK is now known as JoshStrobl

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!