/srv/irclogs.ubuntu.com/2017/11/29/#snappy.txt

kyrofaAnyone around here have any GPIO experience on raspberry pi 2? https://forum.snapcraft.io/t/raspberry-pi-2-missing-gpio-slot/297900:30
ogra_sorry for sounding like a broken record kyrofa ...01:06
kyrofaogra_, oh you're being super helpful, and I know this isn't on you :)01:07
kyrofaogra_, but I... just can't believe it :01:07
kyrofa:P01:07
ogra_kyrofa, well, seems niemeyer thinks it is safe ... so we'll see what happens01:10
ogra_the answer sounds like a "soon" :)01:11
niemeyerogra_: No, I don't just think it is safe.. I'm saying the specific reason for which these images were held back for a very long time was investigated and turned out to be a non-issue in practice, after actual verification of the specific differences between the old kernel and the new kernel... the kernel team agrees this is a good path to take.01:12
ogra_niemeyer, well, it is not "old vs new kernel" but old dtb in the gadget with new kernel binary ... if the research showed that all HW works 100% in that constellation, thats fine indeed (though given that we changed config options for peripherials over time this surprises me)01:13
ogra_(specifically the overlay dtbs ... and even more specifically the graphics stack (which is actually used by customers in production) ...)01:15
ogra_(IIRC the kernel in stable did not even have the vc4 driver enabled so the dtb overlay will be missing or broken)01:16
ogra_but i trust that you guys tested all this :)01:17
niemeyerogra_: No, you actually don't.. this is called irony, and also passive aggressiveness. It's unhealthy when we work together with people.01:19
ogra_niemeyer, i meant what i said ... sorry that you interpreted the smiley as irony, i was just trying to be firendly ...01:23
niemeyerogra_: No, you really didn't. The fact you can't be honest to yourself about this is part of the issue.01:24
ogra_niemeyer, well, i had different results when testing it myself, there are 98 overlay dtbs shipped in the gadget for addon HW along with the main dtb and there were many changes ... but i also fully trust paolos expertise if he says it is fine, he is definitely more expert than me ... i really dont try to be ironic oer anything01:33
niemeyerogra_: We are not updating any of those dtbs.. We are updating the kernel.01:40
ogra_err01:40
niemeyerogra_: Yes, things can break, always, on any update.01:41
niemeyerogra_: We'll do our best to keep things stable and working.01:41
niemeyerogra_: And it's exactly for that sort of reason we have a release process. Anyone using Ubuntu Core and the kernel snap in real production environment *must* be testing it.01:41
niemeyerThe release will go into beta, and into candidate, and then into stable.01:41
mupIssue snapcraft#1709 closed: Extract macaroon retrieval into more generic place <Created by sergiusens> <Closed by kyrofa> <https://github.com/snapcore/snapcraft/issue/1709>01:47
mupPR snapcraft#1765 closed: store: refactor acquirement of attenuated macaroon <Created by kyrofa> <Merged by kyrofa> <https://github.com/snapcore/snapcraft/pull/1765>01:47
ogra_niemeyer, are your mongodb snapcraft.yamls anywhere public ?02:24
ogra_( i dont see a mongo repo under your GH account)02:24
niemeyerogra_: Haven't been updated in a while, but haven't changed much either:02:24
niemeyergithub.com/niemeyer/snaps02:25
ogra_thanks !02:25
niemeyernp02:25
lundmaranyone know if there is a plug interface available that allows access to NFS network mounted home directories? (the 'home' interface is apparently not sufficient).02:29
lundmarI can't seem to find anything useful in the docs regarding this.02:29
lundmarspecificall I need to be able to write in a NFS network mounted home dir.02:30
lundmar+y02:30
mupIssue snapcraft#1752 closed: export the arch triplet variable during build time <Created by sergiusens> <Closed by sergiusens> <https://github.com/snapcore/snapcraft/issue/1752>02:32
mupPR snapcraft#1768 closed: project: export the arch triplet into the environment <Created by sergiusens> <Merged by sergiusens> <https://github.com/snapcore/snapcraft/pull/1768>02:32
ogra_lundmar, https://forum.snapcraft.io/t/snaps-and-nfs-home/438 discussed this02:36
mupPR snapcraft#1557 closed: cleanbuild: add a --image option to build in a different image <Created by mwhudson> <Closed by mwhudson> <https://github.com/snapcore/snapcraft/pull/1557>02:47
mupPR snapcraft#1769 opened: lxd: add an --image argument to cleanbuild <Created by mwhudson> <https://github.com/snapcore/snapcraft/pull/1769>02:47
lundmarogra_: ok thanks. So it looks like NFS mounted home suppor is arriving in snap v2.2903:01
lundmarsupport*03:01
ogra_which should technically be released already03:01
* ogra_ sees 2.29.3 in "snap version"03:02
lundmartoo bad many if the distributions running snapd are hopelessly behind in snapd version :/03:02
lundmarof*03:02
ogra_well, it will eventually dripple down into all of them03:03
lundmartrue03:05
ogra_(would be great if all of them would do re-exec like ubuntu does .... then it wouldnt really matter since snapd would com from the core snap)03:06
lundmarogra_: oh, thats clear. So that way the old snapd process gets replaced by the new snapd.03:10
ogra_yeah03:11
ogra_and snapd does just update along with the core snap03:12
ogra_so you dont need to wait for a distro package to be updated03:12
=== chihchun_afk is now known as chihchun
mupPR snapcraft#1770 opened: Add codespell support <Created by daniellim2000> <https://github.com/snapcore/snapcraft/pull/1770>03:26
mupPR snapcraft#1764 closed: snapcraft.yaml: use gcc to determine tuple <Created by kyrofa> <Merged by sergiusens> <https://github.com/snapcore/snapcraft/pull/1764>04:02
mupPR snapcraft#1771 opened: lxd: suppress traceback when lxc launch / init fails <Created by mwhudson> <https://github.com/snapcore/snapcraft/pull/1771>04:08
mupPR snapcraft#1772 opened: Release changelog for 2.36 <Created by sergiusens> <https://github.com/snapcore/snapcraft/pull/1772>04:23
sergiusenssnappy-m-o autopkgtest 1772 xenial:amd6404:23
snappy-m-osergiusens: I've just triggered your test.04:23
ogra_grrr ... why is vt.handoff= not working right in core04:25
* ogra_ wonders if thats subiquitys fault ... 04:30
=== chihchun is now known as chihchun_afk
=== chihchun_afk is now known as chihchun
mborzeckimorning06:05
kozamborzecki, hey06:21
mupPR snapd#4224 closed: cmd/snap-update-ns: teach update logic to handle synthetic changes <Created by zyga> <Merged by zyga> <https://github.com/snapcore/snapd/pull/4224>07:01
zyga-ubuntugood morning07:04
zyga-ubuntumvo: hey, what are your release / branch plans for today?07:06
zyga-ubuntumvo: looking at the 2.30 tags we have a few branches still open07:06
mborzeckizyga-ubuntu: morning07:07
zyga-ubuntuhey :)07:07
mborzeckimvo: hey07:08
mvozyga-ubuntu: hey, good morning. yeah, branch happens as soon as we get the blockers out of the way07:09
mvomborzecki: hey, good morning07:09
zyga-ubuntumvo: I recall pedronis said something about some blocker yesterday, is that already reflected in the list of PRs?07:09
mborzeckihttps://github.com/snapcore/snapd/commit/308c7ca6315a56fcc1028f3d9aeddb465c51c0d4 other distros should do the same I suppose?07:12
mvozyga-ubuntu: yes, the list should be accurate07:12
zyga-ubuntumborzecki: yeah, I was thinking about htat07:13
zyga-ubuntumborzecki: idea07:13
zyga-ubuntumborzecki: add a make install code to data07:13
zyga-ubuntumborzecki: let that handle all mkdir's07:13
zyga-ubuntumborzecki: and let that handle distro differences as well07:14
zyga-ubuntumborzecki: then drop the random code from packaging that just creates those directories07:14
zyga-ubuntumborzecki: then we have one place07:14
zyga-ubuntumborzecki: and packaging will at most complain about unpackaged directories07:14
zyga-ubuntumborzecki: +1/-1?07:14
mborzeckiiirc you'll still have to list the directories, eg in rpm spec07:14
zyga-ubuntumborzecki: yes but then you know when you messed up in packaigng07:15
zyga-ubuntumborzecki: and the directories are the same in one central place07:15
mborzeckiright07:15
mborzeckibut yeah, sounds like a good idea07:15
* zyga-ubuntu needs a review on 431507:16
mborzeckion top of this, i'm not quite fond of data/ makefile taking some vars in command line while we pass those to cmd/ configur already07:17
zyga-ubuntumborzecki: is configure setting any environment we can reuse?07:17
zyga-ubuntumborzecki: anyway, I'm sure you can refactor it to be nicer :)07:17
mborzeckisomething to explore perhaps07:19
mborzeckiwhere do we keep a backlog of things to explore/revisit?07:19
zyga-ubuntumborzecki: on the forum07:20
zyga-ubuntumborzecki: tag with your name and "backlog"07:20
mborzeckioh, ok07:20
mborzeckidiscourse ux is not what i expected it to be after hearing so many good things about07:23
mborzeckizyga-ubuntu: https://forum.snapcraft.io/t/298407:39
* zyga-ubuntu looks07:40
mborzeckiat least there'd be no need to pass various *DIR settings to data/Makefile07:41
haisheng how should I package the base system(customized base ubuntu) to the snap ? I don't wamt to use the maintained Ubuntu one. any info about it can be provided ? Thanks.07:50
zyga-ubuntuhaisheng: hello07:51
zyga-ubuntuhaisheng: can you tell me more about what you mean07:52
haishengI want to customize the base snap image.07:52
haishenghttps://tutorials.ubuntu.com/tutorial/create-your-own-core-image#207:52
zyga-ubuntuhaisheng: do you intend your base snap to be used for booting the system or just as a runtime for some apps?07:52
haishengused for booting the system07:53
zyga-ubuntumvo: ^07:53
haishengI am from china. And my english is not good. sorry for that.07:54
zyga-ubuntuhaisheng: I think this is something we are still exploring/building but mvo is focusing on that more than I do07:54
zyga-ubuntuhaisheng: no worries :)07:54
zyga-ubuntuhaisheng: what kind of changes would you like to make to your base snap?07:55
mvohaisheng: hey, welcome! for now you can explore by just modifying the "core" snap. however very soon you will be able to make bootable base snaps. but right now the base snaps are not integrated into the boot process, so you can use base snaps today for applications but not yet to boot the system. but we are currently working on making this happen07:56
haishengthe ubuntu base snap has three snap at least. include a core snap and  a kernel snap .and i want to customize that core snap and kernel snap.07:57
haishengok,thanks. show can i modify the "core" snap, and info can be provided for reference.08:02
zyga-ubuntuhaisheng: can you describe the kind of changes you want to make?08:03
haishengIn fact, I just want to know how the roofs can be packaged the snap08:09
haishenghow base system can be packaged the snap08:09
zyga-ubuntuhaisheng: ikey here is making use of base snaps for app runtimes; he builds a non-ubuntu based rootfs08:09
zyga-ubuntuhaisheng: but he uses it for apps, not for booting the system08:10
* ikey flicks into life08:10
zyga-ubuntu(in his case the system is a classic distribution like ubuntu or solus)08:10
ogra_mvo, proof of concept ... https://github.com/ogra1/pc-splash-gadget/commit/b8ea0f98fb5c3e5dfa40b7ed14a652a43a39458d (using split-initrd for showing a splash screen in a grub based image ... works great)08:14
zyga-ubuntumborzecki: can you do a 2nd review on 429108:14
zyga-ubuntumborzecki: this will help chipaca's other branch08:14
mborzeckiok, looking now08:14
zyga-ubuntuthank you08:15
haishengok , zyga-ubuntu, thanks. how can i customize the base snaps for app runtimes. any info about it can be provided.08:17
zyga-ubuntuhaisheng: please look at the forum (forum.snapcraft.io), it's documented there08:17
mvoogra_: aha, nice08:19
ogra_so spit initrd for modules shouldnt be any prob either ...08:19
ogra_*split08:19
ogra_(testing it on grub was the remaining missing bit)08:20
mborzeckizyga-ubuntu: added comments to #4291, I'm not sure sure about SYS_GETUID and SYS_GETUID32, perhaps you can comment on this as well but it feels like something that should be looked at08:50
mupPR #4291: osutil/sys: reimplement getuid and chown with the right int type <Created by chipaca> <https://github.com/snapcore/snapd/pull/4291>08:50
zyga-ubuntumborzecki: yeah, I thought about that when reviewing this and I assumed that the older syscall is just not exposed08:53
zyga-ubuntumborzecki: but indeed worth checking08:53
zyga-ubuntujohn is not around yet, it seems08:54
mupPR snapd#4161 closed: snapstate: add support for refresh.schedule=managed <Created by mvo5> <Merged by pedronis> <https://github.com/snapcore/snapd/pull/4161>08:55
mborzeckilooks like Go uses SYS_GETUID32 on 32bit arches, https://github.com/golang/go/search?utf8=%E2%9C%93&q=SYS_GETUID32&type=08:56
ikeyrewrite snapd in C when?09:00
ikey*runs*09:00
ogra_pfft ...09:00
ogra_shell ... C is boring09:01
ikey:O09:02
=== __chip__ is now known as Chipaca
Chipacazyga-ubuntu: good catch on the GETUID32 thing! i shall now add a test and do penance09:07
* Chipaca wonders if people will notice penance is actually just more coffee09:08
zyga-ubuntuChipaca: is it, I'm not sure if your syscall is wrong, I didn't check the number09:08
Chipacazyga-ubuntu: yes09:09
* ikey starts on libsoup/glib2/libxml2/glib-networking/gnutls/gobject powered "lightweight" snapd fork09:09
zyga-ubuntuikey: don't forget adding scheme "for scripting"09:10
Chipacaikey: WAT09:10
ikeyoh we could use libpeas09:10
ikeypython plugins09:10
zyga-ubuntuno no, use guile09:10
ikeyyeah i think you might be right there09:11
ikey>_>09:11
Chipacaam i missing context for this, or is it just too early?09:11
Chipacai can go away and come back at noon09:11
ikeyChipaca, im just on a wind up09:12
ikeyproposing the most offensive combination of technology possible :p09:12
ikeyhm I *did* forget the bytecode VM ..09:12
pedronismvo: hi, #4281 looks in a sane state to me, don't know if you want to wait for Gustavo to re-review09:19
mupPR #4281: snapstate: support for pre-refresh hook <Created by stolowski> <https://github.com/snapcore/snapd/pull/4281>09:19
pedroniszyga-ubuntu: yes, it is in the list, #431009:20
mupPR #4310: many: allow to configure core before it is installed <Created by pedronis> <https://github.com/snapcore/snapd/pull/4310>09:20
zyga-ubuntupedronis: great, thank you for confirming09:20
mborzeckizyga-ubuntu: added some questions to #431509:22
mupPR #4315:  cmd/snap-update-ns: add execWritableMimic <Created by zyga> <https://github.com/snapcore/snapd/pull/4315>09:22
zyga-ubuntumborzecki: thank you09:22
zyga-ubuntumborzecki: replied, thanks09:24
zyga-ubuntuugh, more snow09:42
pedronis#4310 needs a 2nd review09:50
mupPR #4310: many: allow to configure core before it is installed <Created by pedronis> <https://github.com/snapcore/snapd/pull/4310>09:50
mupIssue snapcraft#1773 opened: Please upgrade brew version <Created by fengerzh> <https://github.com/snapcore/snapcraft/issue/1773>09:51
Chipacaok, i've got to go see the doc; bbl10:09
=== chihchun is now known as chihchun_afk
mvopedronis: re 4281> checking it now10:20
pedroniszyga-ubuntu: judging from the coverage report on one of my branches it seems the snap-update-ns are not deterministic I see random coverage changes there, and I haven't touched them10:32
zyga-ubuntupedronis: let me look, probably sorting10:36
zyga-ubuntupedronis: I cannot reproduce this10:47
zyga-ubuntupedronis: I tried watch -n 1 -d "go test -cover -coverprofile=coverage.out && go tool cover -func=coverage.out"10:47
zyga-ubuntupedronis: (in the cmd/snap-update-ns) directory10:47
zyga-ubuntupedronis: and the only thing that varies slightly is time10:47
zyga-ubuntupedronis: which commit are you on?10:47
pedronisok, just weirdness then10:48
* zyga-ubuntu -> tea11:18
mupPR snapd#4316 opened: cmd/snap-mgmt: introduce snap-mgmt tool <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/4316>11:21
zyga-ubuntuChipaca: should "snap switch --devmode" be a thing?11:43
Chipacazyga-ubuntu: only if snap switch --undevmode is a thig11:44
zyga-ubuntuChipaca: snap switch --strict11:44
zyga-ubuntuI think there's no way to toggle devmode now11:45
Chipacazyga-ubuntu: that is correct11:47
Chipacai mean, it is a correct description11:47
Chipacaor a true statement11:47
Chipacathere, it's a true statement.11:47
niemeyero/11:52
zyga-ubuntuhey niemeyer11:56
pdefreitaswhich plug do I need to avoid this kind of denial: operation="capable" comm="snap-confine" capability=2  capname="dac_read_search"11:58
zyga-ubuntupdefreitas: what did you do to get that error?12:00
zyga-ubuntupdefreitas: snap-confine should never experience that12:00
pdefreitassnapping an electron app from a deb like the discord one available in snapcrafters github12:02
zyga-ubuntupdefreitas: can you be more specific, this error can only happen at runtime, what did you run next?12:02
pdefreitasinstalled the app and when I ran it it crashed, checked the syslog and I got that12:03
pdefreitasrunning in devmode ofc12:03
pedronison what kind of host?12:04
pdefreitaslatest artful12:05
pdefreitasx6412:05
pedronisniemeyer: hi12:13
niemeyerpedronis: Heya12:14
pedronisniemeyer: #4281 needs a re-review from you12:14
mupPR #4281: snapstate: support for pre-refresh hook <Created by stolowski> <https://github.com/snapcore/snapd/pull/4281>12:14
niemeyerpedronis: Two trivials and LGTM, thanks for the ping12:19
niemeyerahasenack: ping12:19
ahasenackniemeyer: hi12:19
niemeyerahasenack: Heya!12:19
niemeyerahasenack: Can I abuse your knowledge for a moment? :)12:19
ahasenacksure12:20
niemeyerahasenack: It's about PAM..12:20
niemeyerahasenack: Is there:12:20
niemeyer1. A standard protocol between PAM and its modules that doesn't involve linking with libpam12:20
niemeyeror, alternatively12:20
niemeyer2. A standard module provided with most distributions that links with libpam and offers a more stable protocol that doesn't involve linking with libpam12:21
niemeyer?12:21
ahasenack1. I think not12:21
ahasenackthe "conversation" happens within the libraries/modules12:21
* mborzecki is away for half an hour12:21
niemeyermborzecki: /12:22
niemeyero/12:22
mupPR snapcraft#1774 opened: Push binary metadata to the Store <Created by matiasb> <https://github.com/snapcore/snapcraft/pull/1774>12:22
ahasenackI haven't heard about 212:22
niemeyerahasenack: Okay, thanks :(12:23
niemeyerahasenack: I was hoping for some luck12:23
ahasenacktl;dr you want to benefit from existing pam modules but without linking with libpam?12:23
niemeyerahasenack: Yeah, the key issue is ABI stability12:24
niemeyerahasenack: Well, actually, not really12:24
niemeyerahasenack: The thing I'd like to do is enable a typical libpam-linked application to use a stable ABI to authenticate12:25
ahasenackdid you just encounter an abi breakage?12:25
ahasenackbetween xenial and xenial+N perhaps?12:25
niemeyerahasenack: So *inside* the snap we need to offer something to that application that will answer auth questions12:25
niemeyerahasenack: No.. I'm anticipating that there will definitely be ABI breakages and differences across snaps12:26
ahasenackok12:26
niemeyerahasenack: I'm surprised nobody did a "Hey, here is how to do a PAM module in shell!" kind of thing12:27
niemeyerahasenack: Although that's arguably for the best ;P12:27
ahasenackI quickly searched for pam over dbus (!)12:27
ahasenackbut what I found isn't that12:27
niemeyerahasenack: I suspect that will find a huge amount of people doing the authentication part of it12:27
niemeyerahasenack: Instead of the extension12:27
ahasenackor just the very simple bits of the authentication12:28
niemeyerahasenack: Yeah, our problem is really not authenticating.. it's giving to a typical application that uses PAM something it can use12:28
niemeyerI mean, we'd then have to bridge it into the real modules, but that's easier12:28
ahasenackdo you have some sort of pam interface in snaps? for snaps to use the host's pam?12:29
niemeyerahasenack: Exactly :)12:30
ahasenackinteresting12:30
niemeyerahasenack: I'm figuring if we can do that at all12:31
ahasenackand I can see that breaking indeed12:31
niemeyerWithout major pain, of course12:31
ahasenackyou could tie it to pam in the core snap, but then the user db (for example) would have to live there, and that won't be practical12:31
sborovkovHi! When did CA bundle was last updated for core? For some reason my browser on the core stopped opening google maps due to ssl handshake error. And initially it worked on some older snapd (from 2 months ago)12:32
niemeyerahasenack: Not just that, but it implies every application in the world would use that same .so ABI12:34
niemeyerahasenack: Which we know is a time bomb12:34
ahasenackyeah12:34
ahasenackyou need some sort of pam broker12:34
mupIssue snapcraft#1773 closed: Please upgrade brew version <Created by fengerzh> <Closed by sergiusens> <https://github.com/snapcore/snapcraft/issue/1773>12:37
niemeyerahasenack: Thanks for those details12:40
niemeyerahasenack: If you're interested:12:56
niemeyerhttps://forum.snapcraft.io/t/user-authentication-in-snapd/2915/412:56
Chipacazyga-ubuntu: do you have an armhf board on core handy?12:57
brunosferHi guys, does anyone knows how can I override the GOGCCFLAGS for a crosscompilation of Go that imports C libs ?12:58
ahasenackniemeyer: good real world case12:59
Chipacabrunosfer: is it for -ldflags?12:59
ahasenackof course, it had to be about printers :)12:59
niemeyerahasenack: :P13:00
brunosferchipaca: yes, but when I do it through ubuntu artful it always loads the predefined flags and I can't move on.13:01
Chipacabrunosfer: is this for go inside snapcraft?13:02
brunosferyep13:03
Chipacaah13:03
brunosferbut first I want to make sure I can compile it, to move further with the snapcraft tool...13:03
Chipacabrunosfer: how are you trying to compile it?13:06
brunosferI have a static lib in C inside my main.go file and I'm trying to build with: go build --ldflags '-extldflags "-static"' main.go13:08
brunosferit works if I compile to my host platform amd64, but I want to compile for arm.13:09
brunosferBut I can open a topic on the forum, I think it's the best option, since it doesn't seem to exist a straight answer for that.13:10
Chipacabrunosfer: how are you compiling it for arm?13:14
zyga-ubuntuChipaca: yes, sure13:22
zyga-ubuntuChipaca: I can give you access in a moment13:22
zyga-ubuntuChipaca: pi2 and dragon running core13:22
Chipacazyga-ubuntu: thanks13:29
pdefreitashow can I get more detailed logging of which permissions is my snap failing in devmode?13:37
pdefreitasIs /var/log/syslog the only way to debug ?13:37
cjwatsonsergiusens,elopio: Are there any constraints on when SNAPCRAFT_BUILD_INFO=1 produces a manifest file?  I've tried a couple of noddy test snaps and I'm not getting one, so I'm wondering if I'm missing something13:38
Chipacapdefreitas: snapd core team is in a meeting right now13:40
sergiusenscjwatson if this is a test, can you try using 2.35 (it is in xenial-proposed currently)13:45
sergiusenscjwatson but every build should produce at a minimum a manifest with the core attributes set (stage- and build-packages, host, kernel) and a give or take depending on the plugin (from the top of my head, parts using the python plugin are fully captured)13:47
* sergiusens checks pending-sru13:48
cjwatsonYeah, this is just me testing that my launchpad-buildd changes work.  Let's see ...13:48
cjwatsonsergiusens: No, I can't seem to get this to work.  Do you have a known-good-with-this test snap I could try?13:53
zyga-ubuntupdefreitas: we have a helper snap (snapd-debug) for that13:54
cjwatsonsergiusens: Ah, never mind, I was just looking in the wrong place!  Shows up in prime/snap/ but not in snap/, so that confused me slightly13:55
pdefreitaszuga-ubuntu: but that helper just don't watch /var/log/syslog13:57
pdefreitas*zyga-ubuntu13:57
pdefreitasit tails me to the same issue I reported lol14:01
pdefreitasjust a syslog watcher14:02
=== chihchun_afk is now known as chihchun
zyga-ubuntumwhudson: can I use netplan to assign metric to my interfaces so that I can use pi3 over eth in preference to wifi14:04
brunosferHow can I install classic snap in ubuntu snappy core on RPi3 ?14:13
brunosferI've tried sudo snap install --devmode classic but it doesn't recognize classic as a valid snap...14:14
mvobrunosfer: please try "sudo snap install --devmode --beta classic14:24
brunosfermv: thank you very much, it worked perfectly.14:27
brunosfermvo: thank you very much, it worked perfectly.14:27
mvoyw14:29
brunosferbtw, is there any gcc snap package for snappy core?14:31
mupPR snapd#4317 opened: tests: make interfaces-snapd-control-with-manage more robust <Created by mvo5> <https://github.com/snapcore/snapd/pull/4317>14:35
Chipacalunch!14:39
mupPR snapd#4318 opened: snapstate: fix unkeyed fields error <Created by stolowski> <https://github.com/snapcore/snapd/pull/4318>14:45
pstolowski^ guys, a really trivial fix14:45
pedronispstolowski: I fear I had to add a couple comments on the last feedback changes in #428114:49
mupPR #4281: snapstate: support for pre-refresh hook <Created by stolowski> <https://github.com/snapcore/snapd/pull/4281>14:49
pedronisChipaca: sha512 doesn't seem interesting, we would need something cheaper14:50
Chipacapedronis: crc32 ftw14:50
pstolowskipedronis, no worries & thanks14:52
pedronispstolowski: thx14:53
mborzeckipedronis: sha256? din't know if that's any cheaper, there are hardware acceleration implementations of both sha256 and sha51214:53
mborzeckieven in golang14:54
zyga-ubuntunetwork failed14:54
zyga-ubuntumvo: is it still expected not to be able to go from edge to candidate?14:54
zyga-ubuntuah, linode is busy14:55
zyga-ubuntujdstrand: hey14:55
zyga-ubuntujdstrand: I have an exciting PR to review14:55
cyphermoxzyga-ubuntu: mtu> you may be able to set routes: like in the very last example from the netplan manpage; there you can set a metric14:56
zyga-ubuntucyphermox: looking!14:56
zyga-ubuntucyphermox: thanks!14:56
cyphermoxbasically, a route to 0.0.0.0 via whatever your default gateway is, and a metric lower than whatever you already have otherwise14:57
mborzeckii recall a fosdem talk from one of the minio guys, they implemented sha256 in golang on armv8 and were basically beating xeon with avx214:57
jdstrandzyga-ubuntu: more exciting than 4315?14:57
zyga-ubuntujdstrand: yes, https://github.com/snapcore/snapd/compare/master...zyga:fix/discard-stale-base-snap?expand=114:57
zyga-ubuntujdstrand: I'll open it when there are more linode things available14:58
jdstrandok14:58
zyga-ubuntujdstrand: something mvo might include in 2.30 if you deem it safe14:58
jdstrandyou've really been keeping me busy...14:59
sborovkov Hi, I built an image yesterday using ubuntu-image. It includes extra snaps. When I log in into that system and refresh snap from stable to candidate. On the next boot I get loaded into busy box as system is corrupt. (Rip)14:59
sborovkov(Raspberry pi not rip)14:59
zyga-ubuntusborovkov: but rip is so appropriate here ;)15:01
zyga-ubuntusborovkov: are those extra snaps a factor?15:01
mvozyga-ubuntu: oh, stale mount namespace fix? that sounds sweet15:01
mvozyga-ubuntu: re edge -> candiate - almost there, I think the fix landed last night15:02
mvozyga-ubuntu: so the next core build in edge should be good again15:02
zyga-ubuntumvo: aha, do we need the fix in candidate or just in edge?15:03
sborovkovzyga-ubuntu, I am not sure, I have older image that works fine. There I can update from the stable to candidate with no issues15:03
sborovkovBut this one just died 3 times in a row after such update. I was thinking that it is faulty sd card first15:04
lundmarHmm, the licens of my open source lxi-tools snap is listed a having a proprietary licens here: https://uappexplorer.com/snap/ubuntu/lxi-tools (?)15:05
lundmaras*15:05
lundmaranyone know what sets the license field?15:06
mupPR snapcraft#1772 closed: Release changelog for 2.36 <Created by sergiusens> <Merged by sergiusens> <https://github.com/snapcore/snapcraft/pull/1772>15:07
zyga-ubuntulundmar: maybe robert_ancell does?15:08
brunosferHi guys, does anyone knows how can I install gcc in ubuntu snappy core for RPi3?15:08
zyga-ubuntubrunosfer: hey, just install the "classic" snap15:09
zyga-ubuntubrunosfer: and then you can apt-get install your toolchains15:09
mvozyga-ubuntu: just edge15:10
brunosferzyga-ubuntu: I've alredy done that, however when I type apt-get update or any apt-get option, the system shows me the error "Ubuntu Core does not use apt-get, see 'snap --help'!"15:17
=== cachio is now known as cachio_lunch
mupPR snapd#4319 opened: tests: add support for autopkgtests on s390x <Created by mvo5> <https://github.com/snapcore/snapd/pull/4319>15:24
zyga-ubuntubrunosfer: you must run "sudo classic"15:25
brunosferzyga-ubuntu: Thanks, it worked ;)15:26
zyga-ubuntucool, cheers :)15:29
* zyga-ubuntu -> coffee15:29
niemeyermvo, zyga-ubuntu: Did we get rid of the outdated snap-confine apparmor profiles for good?15:31
niemeyerSorry, let me fix the phrase15:31
niemeyermvo, zyga-ubuntu: Did we get rid of the issue regarding outdated snap-confine apparmor profiles for good?15:31
niemeyermvo: Just wondering as otherwise #4312 will bite us due to a new snap-confine trying to create a directory it doesn't have access to15:32
mupPR #4312: snap-confine: create mount target for lib32,vulkan on demand <Created by mvo5> <https://github.com/snapcore/snapd/pull/4312>15:32
niemeyerpedronis: Question on #431015:51
mupPR #4310: many: allow to configure core before it is installed <Created by pedronis> <https://github.com/snapcore/snapd/pull/4310>15:51
zyga-ubuntuhmmmm15:53
* zyga-ubuntu wonders why unsquashfs chowns files to test:test15:53
zyga-ubuntudrwxr-xr-x  24 test test      4096 Nov 29 05:22 squashfs-root15:54
zyga-ubuntuand this runs as root15:54
pedronisniemeyer: answered, I agree maybe we need a different name, a bit unsure what to use though15:54
zyga-ubuntuomg15:54
zyga-ubuntuacutally15:54
zyga-ubuntuthe core snap is owned by test.test!!!15:55
* zyga-ubuntu runs -shell-before15:55
zyga-ubuntu(as in, files inside are test.test)15:55
=== cachio_lunch is now known as cachio
zyga-ubuntucachio: ^16:08
zyga-ubuntumy box is busy building a fresh image for inspection16:08
zyga-ubuntucachio: I found that, for some reason, files in the core snap were not owned by root but instead by 1234516:08
mupPR snapd#4312 closed: snap-confine: create mount target for lib32,vulkan on demand <Created by mvo5> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/4312>16:09
zyga-ubuntumvo: hey16:12
zyga-ubuntumvo: drwxr-xr-x  2 test test 1937 Nov 29 05:22 bin16:13
mvozyga-ubuntu: uh, where?16:13
zyga-ubuntuspread -v -shell-before qemu:ubuntu-16.04-64:tests/main16:13
zyga-ubuntumvo: my test cannot have caused that, I'm trying master now16:14
zyga-ubuntumvo: (this is most unexpected)16:15
zyga-ubuntumvo: I'll look at project-prepare16:15
mvozyga-ubuntu: could be a bug in the setup16:15
mvozyga-ubuntu: worth fixing but not omg in my book just yet :)16:15
mvozyga-ubuntu: thanks for tracking it down though16:15
zyga-ubuntumvo: looks like create_test_user does something weird16:15
mvozyga-ubuntu: still curious given that we install it from a deb that should have sane permissions16:15
zyga-ubuntumvo: I was OMG for a second, assuming it's in edge16:16
zyga-ubuntu    chown test.test -R ..16:16
zyga-ubuntuthis is what we do16:16
brunosferzyga-ubuntu: I just installed gcc toolchain with classic on ubuntu snappy core on RPi3 however I can't find it anywhere, /usr/bin, /usr/sbin... Do you have any idea?16:16
mvozyga-ubuntu: oh, right, that would have been a OMG moment for sure :)16:16
zyga-ubuntubrunosfer: in the same shell you installed them in16:17
zyga-ubuntubrunosfer: you need to sudo classic16:17
zyga-ubuntubrunosfer: those are not available outside16:17
cachiozyga-ubuntu, can I help on this?16:17
pdefreitashow can I debug plugs needed?16:17
zyga-ubuntucachio: yes, perhaps, do you remember what's the purpose of that chown?16:19
zyga-ubuntupdefreitas: can you please ask a more specific question?16:19
zyga-ubuntucachio: should that just be chown test.test -R "$SPREAD_PATH"16:20
niemeyerpedronis: The problem with having a flags option is that we cannot  import configstate from snapstate due to the cycle16:20
niemeyerpedronis: and "true" wouldn't improve the situation much16:20
niemeyerpedronis: How about Configure and ConfigureTasks16:20
pedronisthat works for me16:20
niemeyerpedronis: Or Task? (is it one)16:21
niemeyerAh, no Tasks, since it's a set16:21
pedronisthat works too16:21
pdefreitaszyga-ubuntu: I'm working in porting a electron app, just for learning purposes, so I have a binary, I have no idea which system APIs it may use. When I run the devmode it gives me an access denied in snap-confine... No clue what it is trying to that that violates since it just crashes after that (sig fault)16:21
pedronisit would be similar to other methods16:21
niemeyerpedronis: Okay, so let's please rename the var inside snapstate too, so it's ConfigureTasks16:21
niemeyerpedronis: So it doesn't feel like we're calling the wrong thing16:21
zyga-ubuntupdefreitas: not sure, can you please open a thread about this, if you include the snap or snapcraft instructions on how to build it people can try and debug16:22
niemeyerpedronis: It's not 100% ideal since both of them returns tasks, but I cannot come up with anything better either.. they are doing the same thing.. it's just that one is checked and the other is not16:23
pedronisyea16:23
niemeyerpedronis: We might say ConfigureInstalled for the first one, but then core is an exception16:23
cachiozyga-ubuntu, mmm I dont remember16:23
cachiozyga-ubuntu, let me check the code16:23
niemeyerpedronis: Perhaps that's better? We can live with the exception..16:23
pedronisniemeyer: I was looking at other things similar,  we have:16:23
niemeyerpedronis: At least the name makes more clear why we have both16:24
pedronissnapstate.SetupInstallHook = SetupInstallHook16:24
zyga-ubuntucachio: I'll let you know what I find16:24
pedronisso that would make SetupConfigureHook ?  seems a bit verbose though16:24
pedronisalso those return a single *state.Task16:25
niemeyerpedronis: Hmm16:26
niemeyerpedronis: We'd still have the same issue I guess16:26
pedronis?16:26
pedronisI mean have Configure  and SetupConfigureHook16:26
niemeyerpedronis: In the sense we need a delta between the two names so we can tell why we have two names16:27
niemeyerpedronis: They are both setting up the configure hook :)16:27
niemeyerpedronis: I suggest going with something close to your suggestion16:27
niemeyerpedronis: ConfigureInstalled and Configure16:27
pedronisConfigureInstalled is the one that checks?16:28
niemeyerpedronis: The first one is a lie in the case of "core", but at least we know exactly why we have the two, and it's clear what's going on when we call one of them16:28
pedronisok16:28
niemeyerpedronis: Yeah.. also makes for a smaller delta on the PR, which is a small win16:28
zyga-ubuntucachio, mvo: https://github.com/snapcore/snapd/compare/master...zyga:fix/overzealous-chown-in-spread?expand=116:28
zyga-ubuntucan you please comment before I open the PR, I don't want to waste spread time16:28
pedronisniemeyer: let me take a short break, and then make that change16:28
niemeyerpedronis: Thanks!16:28
zyga-ubuntumvo: I see you play with fire16:29
zyga-ubuntumvo: s390x :)16:29
lundmarHi. I assume I'm following the correct procedure when I make this request? https://forum.snapcraft.io/t/request-autoconnect-avahi-observe-plug-for-lxi-tools/297616:29
mvozyga-ubuntu: haha16:30
cachiozyga-ubuntu, nice catch16:30
mupPR snapd#4320 opened: tests: don't chown the whole world to test.test <Created by zyga> <https://github.com/snapcore/snapd/pull/4320>16:31
cachiozyga-ubuntu, the change makes sense for me16:31
mupPR snapd#4321 opened: configmgr: simplify ConfigManager <Created by mvo5> <https://github.com/snapcore/snapd/pull/4321>16:33
kyrofajdstrand, how would you feel about an interface that allows access to /dev/gpiomem? Context: https://forum.snapcraft.io/t/raspberry-pi-2-denials-using-rpi-gpio/2982/416:33
zyga-ubuntumvo: I assume the s390x PR is for 2.3016:37
* sergiusens heads out to physiotherapy 16:38
mvozyga-ubuntu: its not strictly needed but would be nice16:39
mvozyga-ubuntu: there are three open ones right now, two are musts so we can still pull targets of opportunity in but if it does not make it I will not shed a tear, it will be in .3116:39
mupPR snapd#4318 closed: devicestate: fix unkeyed fields error <Created by stolowski> <Merged by zyga> <https://github.com/snapcore/snapd/pull/4318>16:42
zyga-ubuntumvo: I think we are SOM - so out of machines16:45
mvozyga-ubuntu: we are, but also quite advanced16:46
zyga-ubuntu:)16:47
zyga-ubuntumvo: look at 4317 please16:48
brunosferzyga-ubuntu: I'm trying to set the CC variable in "go env" to include C libs inside a go file and I can't set it with "classic gcc"? Is there another way to set the gcc path in the go env variables?16:48
zyga-ubuntubrunosfer: classic is like "ssh into this box as classic"16:49
zyga-ubuntubrunosfer: just build your stuff inside classic16:49
zyga-ubuntubrunosfer: once you are in the classic shell you can do whatever you want16:49
zyga-ubuntubrunosfer: don't try to run classic tools from the core system to build things16:49
brunosferzyga-ubuntu: I'll look for that, thanks ;)16:49
zyga-ubuntubrunosfer: also note that the filesystem is different16:50
zyga-ubuntubrunosfer: after you sudo classic only /home and a few other places are the same as before16:50
zyga-ubuntubrunosfer: most of /usr is different16:50
zyga-ubuntumvo: I wonder what it would take to shellcheck our spread scripts16:50
=== lamont` is now known as lamont
mvozyga-ubuntu: ta16:50
zyga-ubuntumvo: I think it would be very useful16:50
mvozyga-ubuntu: +1016:50
mvoor even +10016:50
zyga-ubuntumvo: I can look into that tomorrow16:51
zyga-ubuntumvo: maybe something as simple as "spread -shellcheck"16:51
brunosferzyga-ubuntu: Yeah, It's everything new for me, so I'm still getting acquainted to this paradigm shift. Thanks for the support ;)16:51
zyga-ubuntubrunosfer: sure, it's a brave new world :)16:51
=== chihchun is now known as chihchun_afk
zyga-ubuntubrunosfer: note that you can build stuff with snapcraft16:51
zyga-ubuntubrunosfer: and snapcraft does a lot of magic heavy lifting16:51
zyga-ubuntu(and makes snaps :)16:52
brunosferzyga-ubuntu: Yeah, that's my final goal. However I do have to understand the process first. Full hands on ;)16:53
niemeyerJust got mail with the subject "Remote Work: The Complete Guide"16:55
niemeyerFinally someone will explain to me how this thing works.. :P16:56
mvohaha16:56
kyrofaniemeyer, haha, from trello?16:57
niemeyerYeah :)16:57
kyrofaPretty sure they need "insider advice" from US16:57
* zyga-ubuntu doesn't believe any such guide unless it starts with "step one, get dressed"16:59
niemeyer"step two, go back to step one.. we didn't mean pijamas"17:00
zyga-ubuntuhmm17:00
zyga-ubuntuhahaha17:00
pedronisniemeyer: pushed changes to #431017:00
mupPR #4310: many: allow to configure core before it is installed <Created by pedronis> <https://github.com/snapcore/snapd/pull/4310>17:00
kyrofaCrap... /me goes back to step 117:00
niemeyerpedronis: That was all, LGTM otherwise17:00
niemeyerOops.. meeting17:01
niemeyerStill trying to figure the algorithm for hangouts to decide whether you need to click join or not.17:02
mupPR snapd#4322 opened: corecfg: rename package to overlord/configstate/configcore <Created by mvo5> <https://github.com/snapcore/snapd/pull/4322>17:03
niemeyerI thought it was number of people, but it just got me through to a meeting with 4 people with no questions17:04
mvoreviews for https://github.com/snapcore/snapd/pulls?q=is%3Aopen+is%3Apr+milestone%3A2.30 would be appreciated17:04
mvowell, I think the first has two already17:05
mvoand 4281 probably just need a final review from niemeyer17:05
niemeyermvo: It's got my +1 already, and I'm half way through default-provider17:06
pedronismvo: no, first two just need to get green17:06
pedronisnow17:06
=== Guest21343 is now known as jero-
m4sk1nhi17:26
m4sk1n`/lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.25' not found (required by /snap/otter-browser/x1/lib/x86_64-linux-gnu/libsystemd.so.0)` when trying to run my snap17:26
m4sk1nlubuntu 17.10, up-to-date17:26
zyga-ubuntum4sk1n: is that snap using classic confinement?17:27
m4sk1nno17:27
m4sk1ndevmode17:27
zyga-ubuntum4sk1n: how did you build it?17:28
m4sk1nhow “how”?17:28
m4sk1ncmake17:33
zyga-ubuntum4sk1n: did you use snapcraft?17:38
zyga-ubuntum4sk1n: snapcraft ensures that the right toolchain is used17:39
m4sk1nyes17:39
zyga-ubuntum4sk1n: matching what is in the base snap at runtime17:39
zyga-ubuntum4sk1n: if this was with snapcraft then I guess that kyrofa wants to know17:39
zyga-ubuntum4sk1n: if it's not a secret, can you please open a forum thread and share your snapcraft.yaml source?17:39
m4sk1ni tried to test my snap on the same pc that i used to build it17:39
kyrofam4sk1n, you need to build your snap on Xenial, or with cleanbuild17:39
m4sk1n(on the same os)17:40
kyrofaYou're building against a libc that is too new17:40
kyrofaWhen you run your snap, it runs against the libc in the core snap, which is based on xenial17:40
m4sk1nI understand17:40
zyga-ubuntukyrofa: ah, I would have assumed snapcraft would not allow that17:40
kyrofazyga-ubuntu, how could it not?17:41
zyga-ubuntukyrofa: you could read /etc/os-release17:41
m4sk1nwhat's the easiest way? `classic`?17:41
kyrofazyga-ubuntu, just bail on newer releases?17:41
zyga-ubuntukyrofa: and say "OMG dude, cleanbuild"17:41
kyrofaHahaha17:41
zyga-ubuntukyrofa: well, this or build useless snaps that don't work?17:41
kyrofaYeah perhaps so17:41
kyrofaIndeed17:42
kyrofam4sk1n, the best way to build on xenial when you're running a newer release is to use a container. Are you familiar with LXD?17:42
m4sk1nno, but it's a good moment to start…17:43
ikeybtw when reading os-release you should do so in a cascading order17:43
zyga-ubuntuikey: ?17:43
ikey[/etc/os-release, /usr/lib/os-release, /run/os-release]17:43
zyga-ubuntuikey: ah, that17:44
kyrofaikey, that's good to know actually. We don't do that today17:44
zyga-ubuntukyrofa: this is in the manual page AFAIK17:44
ikeyaye just future++ cruft17:44
zyga-ubuntuhaha17:44
zyga-ubuntuI just did "man ikey"17:44
zyga-ubuntuwanting to do man os-release17:44
zyga-ubuntuwe should do this17:44
ikeylulz17:44
zyga-ubuntumanual pages for people17:44
ikeyman: ENOMAN17:44
zyga-ubuntuthe package could be called17:44
kyrofam4sk1n, it's pretty easy. Are you familiar with containers in general? e.g. docker?17:45
zyga-ubuntumanpages-devs (vs -dev) ;)17:45
ikeyhah17:45
* zyga-ubuntu writes ikey's manual page17:45
Chipacazyga-ubuntu: like netscape's old about:<dev> thing17:45
ikeythis is like a nerd dream come true17:45
m4sk1nyup17:45
ikeymy  biography, in groff17:45
zyga-ubuntuChipaca: I never heard about that but I'm curious now :)17:45
zyga-ubuntuhahaha17:45
zyga-ubuntuikey: just wait for it17:45
zyga-ubuntupatches welcome17:45
zyga-ubuntucrazy ideas that should be made17:45
ikey80 columns of goodness17:45
Chipacazyga-ubuntu: https://www.jwz.org/doc/about-jwz.html17:45
Chipacazyga-ubuntu: maybe instead of 'man ikey' we want 'tldr ikey'17:49
Chipacaor just apropos ikey17:49
ikeynah, whatis has the right idea17:49
ikeywhatis ikey17:49
ikeyikey: nothing appropriate.17:49
Chipacafinger ikey17:49
Chipaca… nobody runs fingerd any more17:49
ikeymight wanna buy a drink first17:50
Chipaca:-)17:50
mupPR snapcraft#1770 closed: Add codespell support <Created by daniellim2000> <Merged by sergiusens> <https://github.com/snapcore/snapcraft/pull/1770>17:50
ikeyI once wrote a fingerd in java17:50
ikeybecause freenode was bugging me with the ~17:50
Chipacaremind me not to upset you17:51
ikeylol17:51
zyga-ubuntuikey: in java?17:52
zyga-ubuntuikey: oh man17:52
ikeyikr?17:52
zyga-ubuntushall I include this shameful fact in your manual page?17:52
zyga-ubuntu;D17:52
ikeypre nio17:52
ikeylol17:52
ikeymy manpage would probably be included with the insults portion of fortune17:53
jdstrandkyrofa: I don't know anything about gpiomem otoh. I would need to look into it17:54
pedronismvo: btw, in principle do we still need core-support (the interface) now that we don't have a configure hook in core anymore?18:01
kyrofajdstrand, would you mind putting that on your list? sysfs is deprecated, is slow, and doesn't support everything. It's actually hard to find rpi docs that don't use /dev/mem or /dev/gpiomem18:04
jdstrandkyrofa: it is already on my list18:04
kyrofajdstrand, excellent, thank you :) . I'd happily contribute the interface if you think it deserves to be there18:05
kyrofaUntil then, /me starts on on a soft PWM using sysfs. /me cries18:05
jdstrandkyrofa: on the face of it, having gpiomem access in a 'gpiomem' interface is not contentious. the question is, what does that allow? do gpio devices show up in /dev after using it? if so, how does that interact with the device cgroup? if not, what other accesses are needed?18:05
jdstrandkyrofa: or maybe we have a gpio-raw interface that is analgous to usb-raw18:06
pedronismvo: I have a question about your 2.30 open PR, left it in it18:06
jdstrandwhere everything is allowed18:06
jdstrandI'm not suggesting that, cause the usb-raw interface only exists as astop gab for dynamic hotplug and isn't really the type of interface we like to have18:07
kyrofajdstrand, both approaches seem reasonable, but I suspect... yes exactly18:07
jdstrandas a stop gap*18:07
kyrofaI want to be able to respond favorably to automatic connection requests if possible18:07
kyrofaIt may not be. As you say, we don't know much about this18:08
jdstrandkyrofa: since I don't know gpio well, and you have experience (and hardware) with it, perhaps you could play with gpiomem in strict mode. add /dev/gpiomem to the apparmor profile and then see what else pops out18:08
kyrofajdstrand, doing now18:09
jdstrandif it is just gpiomem, then having a gpiomem or gpiomem-control implicit core interface seems quite fine18:09
kyrofajdstrand, also happy to give SSH access if you want to poke about18:09
jdstrandkyrofa: that could work if you tell me the commands to use. eg, if you have a devmode snap that is representative of gpiomem use, I could put it in strict mode and run the commands that exercise the snap18:11
kyrofajdstrand, I have a strict one, indeed. Totally up to you, not sure what your schedule looks like18:12
* zyga-ubuntu started https://github.com/zyga/manpages-devs18:12
jdstrandkyrofa: what priority is this? there is a lot of stuff that is high priority atm. I really need to get to the mir issue for greyback18:13
kyrofajdstrand, high for me, but I would not presume to suggest priorities for you! Why don't I play with it and see what I can turn up, maybe I can iron things out18:15
kyrofaIf you're available for a few questions along the way, I bet we can make things work18:17
zyga-ubuntukyrofa: just make the interface18:19
zyga-ubuntukyrofa: it should be easy18:19
jdstrandkyrofa: that would be excellent. if your snap ends up with a device cgroup, then you can add the device to the cgroup by doing: echo 'c <major>:<minor> rwm' > /sys/fs/cgroup/devices/snap.name.command/devices.allow18:19
zyga-ubuntukyrofa: and then you can play with it18:19
zyga-ubuntukyrofa: and jdstrand can review it once it's ready18:19
zyga-ubuntukyrofa: it should be a no-brainer nowadays18:19
jdstrandkyrofa: alternatively, see https://forum.snapcraft.io/t/security-policy-and-sandboxing/554 for stuff with device cgroups18:19
kyrofazyga-ubuntu, right, that's my plan. Just want to make sure we understand what we're getting into with it18:19
kyrofazyga-ubuntu, I've made a few nowadays18:20
zyga-ubuntukyrofa: :)18:20
jdstrandkyrofa: note, if echoing into sysfs, use snap run --shell snap.name.command, then in another terminal do the echo, then in the snap shell, run your commands18:20
* jdstrand is curious what 'udevadm info /dev/gpiomem' does18:22
jdstrandkyrofa: ^18:22
zyga-ubuntujdstrand: FYI, I have a pi3 and dragonboard available over ssh if you want18:22
zyga-ubuntujdstrand: http://pastebin.ubuntu.com/26073757/18:23
jdstrandzyga-ubuntu: I have a dragonboard, but it doesn't have /dev/gpiomem18:23
kyrofajdstrand, from outside of the snap? https://pastebin.ubuntu.com/26073768/18:23
zyga-ubuntujdstrand: just saying, available 24/7 :)18:24
jdstrandzyga-ubuntu (cc kyrofa): ok good, it is udev taggable18:24
zyga-ubuntujdstrand: yep, that's a good call to check this :)18:25
jdstranddepending on what it does, /dev/gpiomem and some sysfs entries may be sufficient. it really depends on how pin access works now18:25
jdstranddo they magically pop up in /dev, are they virtual devices (eg, like tun/tap), etc18:26
jdstrandI actually have an rpi2. I just don't have things plugged into pins, etc, etc18:26
kyrofajdstrand, it's just memory mapped18:27
kyrofajdstrand, take a look here: http://paste.ubuntu.com/26073822/18:28
mvopedronis: I noticed it, I ponder a bit and will reply, probably in my morning, will EOD soon18:28
kyrofaThis is part of the python lib I'm using18:28
jdstrandkyrofa: that is my undersatnding, but lets see what blackbox testing reveals :)18:28
kyrofajdstrand, oops, too late, it's gray box now18:28
kyrofajdstrand, adding /dev/gpiomem rw, works18:32
mupPR snapcraft#1775 opened: Add --help command for the runtests.sh script <Created by m4sk1n> <https://github.com/snapcore/snapcraft/pull/1775>18:32
zyga-ubuntum4sk1n: whee, thanks!18:33
ikeyq: when is 2.30 gonna drop?18:33
ikeythink ill do my call for testing on LSI when 2.30 is generally available18:33
jdstrandkyrofa: ok, that's great. I then suggest sending up an interface for it. happy to review it. please remember the udev backend. you'll need to figure out what to add. I suggest looking at interfaces/builtin/physical_memory_control.go and seeing if you can just use it as a template18:35
zyga-ubuntukyrofa: you should all good with just common interface nowadays18:36
jdstrandphysical-memory-control uses 'common'18:36
popeyjdstrand: i have a command line application which needs xdg-open. Do I really have to add 'desktop' or 'unity7' plugs? Won't that complain about a missing desktop file?18:36
popeyOr is it either/or, just ship xdg-open and no extra plugs?18:37
zyga-ubuntupopey: don't ship xdg-open :)18:37
popeysnappy-debug.security tells me to!18:37
zyga-ubuntujdstrand: ^18:37
jdstrandnote that snappy-debug is not the sharpest tool in the shed. I can add an exception for xdg-open to not recommend shipping it18:38
kyrofajdstrand, say someone requests an interface auto-connection. Would you be more likely to grant gpiomem than physical-memory-control?18:39
jdstrandpopey: but today, you need desktop or unity7, yes. you can add a forum topic describing your use case and why it should be allowed by default18:40
popeyok, will do18:40
popeythanks!18:40
jdstrandnp18:40
jdstrandkyrofa: gpiomem is a more specific interface so if the snap is something that clearly needs access to gpio pins, then sure, that would be a candidate for auto-connection as much as a snap that needs access to a specific pin18:41
kyrofajdstrand, okay excellent. This will be the first interface I've done that has any udev component, so I'll take a closer look at that now18:42
jdstrandkyrofa: hopefully using physical-memory-control as a template will make that easy (eg, KERNEL=="gpiomem")18:43
jdstrandkyrofa: you can test that out for yourself on the live system without a new snapd if you look at https://forum.snapcraft.io/t/security-policy-and-sandboxing/55418:44
kyrofajdstrand, similar to physical-memory-*, think it's worth adding gpiomem-observe as well as control?18:44
jdstrandkyrofa: will anyone just need read access?18:44
kyrofajdstrand, I... doubt it18:45
kyrofaAnd I'm uncertain how that would work given the memory mapping needed18:45
jdstrandkyrofa: you could name it gpiomem-control but just not add gpiomem-observe to leave the option for the future18:45
kyrofaGood call18:45
zyga-ubuntutravis is starving us18:46
zyga-ubuntuman, it wants me to say "EOD man"18:46
zyga-ubuntuI just want to see my fix work in practice18:46
jdstrandkyrofa: is there anything special about python3-coverage that would cause it to not be installed if in build-packages?18:54
kyrofajdstrand, not that I know of. Any chance it's already installed?18:55
kyrofaOr is this a cleanbuild?18:55
jdstrandit is already installe18:55
jdstrandd18:55
jdstrandBuilding review-tools18:56
jdstrandpython3 -m coverage run ./run-tests18:56
jdstrand/home/ubuntu/snappy-apps/review-tools.git/parts/review-tools/install/usr/bin/python3: No module named coverage18:56
jdstrandkyrofa: I'm using a prepare scriptlet to run tests. I thought it would be cool to run my coverage tests18:56
jdstrandkyrofa: but adding python3-coverage to build-packages doesn't seem to be pulling it down18:57
kyrofajdstrand, ah, it's probably using the snap's environment, which looks inside the part for python packages18:57
jdstrandor using what is on the system...18:57
kyrofajdstrand, try staging it, does that work?18:57
jdstrandkyrofa: no18:58
jdstrandkyrofa: it works fine for all the other ones. eg, python3-yaml, execstack, pep8, etc18:58
kyrofaOh interesting indeed18:58
jdstrandit is just python3-coverage18:58
kyrofajdstrand, I've run into similar issues before with staging python debs. Sometimes they create __init__.py files in a postinst18:59
kyrofaWhich means when staged, they aren't actually packages18:59
kyrofa(since hooks aren't run)18:59
kyrofaDo you see coverage in the installdir at all?19:00
* jdstrand uninstalled python3-coverage from the 'host' and still didn't work19:00
jdstrandlet me look at the postinst19:00
kyrofajdstrand, if I see this, I assume that means my udev tagging works properly? https://pastebin.ubuntu.com/26074073/19:01
jdstrandkyrofa: indeed19:02
kyrofa(KERNEL=="gpiomem" got me there, which seems to work like physical-memory-control)19:02
kyrofaOkay good deal19:02
jdstrandgreat19:02
kyrofaHeck, this should take about five minutes or so19:02
jdstrandkyrofa: so, python3-yaml, which works has: py3compile -p python3-yaml. python3-coverage, which doesn't, has: py3compile -p python3-coverage -V 3.2-19:03
jdstrandkyrofa: does that ring any bells?19:03
kyrofajdstrand, I'm afraid not. Let me test something...19:03
jdstrandkyrofa: it isn't hugely important. I'm about to bail on it and just run the tests without coverage19:04
jdstrandkyrofa: I just thought it was weird, and since we were already chatting...19:04
kyrofajdstrand, haha, you can always ping me, even if we're not chatting :) . I agree that it's weird!19:05
jdstrandkyrofa: btw, is my use of the prepare scriptlet to run build tests not too weird?19:05
jdstrandI wanted to fail the build if the tests fail19:05
jdstrandand thought that might be a good way to do it19:05
kyrofajdstrand, yeah seems reasonable to me, although note that until the most recent release, failing scriptlets did not fail the build process19:06
* jdstrand notes that prepare runs before the build, but in this case, that is ok-- I don't actually build anything so running before works fine19:06
jdstrandI'm on 2.35. it fails the build19:07
kyrofajdstrand, yeah, `install` runs after. Note that we're also going to get more generic with pre/post instead of those names19:07
kyrofaGood, 2.35 is what you need19:07
kyrofaOkay so staging it seems to work properly here19:07
kyrofaLet me actually try using it19:07
jdstrandkyrofa: I'm using 'python3 -m coverage run <something>'19:08
kyrofaHuh... it's working for me19:09
kyrofaI mean, I have no tests so it's bailing, but it's saying "no file to run" instead of "blah coverage doesn't exist"19:09
kyrofajdstrand, any chance your YAML is public?19:09
jdstrandkyrofa: http://paste.ubuntu.com/26074189/19:15
zyga-ubuntukyrofa: is there an acronym for 'too long to explain, give me the source'?19:15
jdstrandkyrofa: not committed yet cause not working. ./run-snap-build-tests runs 'make coverage'. https://code.launchpad.net/review-tools is the full tree19:16
kyrofajdstrand, I can confirm that using coverage as a build-package doesn't work. However, using it as a stage-package does19:18
jdstrandkyrofa: how did you use it as a stage-packages? add the scriptlet there?19:19
kyrofajdstrand, if you want to use build-packages, you can do `export PYTHONHOME="/usr"` in your scriptlet19:21
kyrofaThat will force it to use the host's python instead of the one in your snap19:21
kyrofajdstrand, I used stage-packages like this: https://pastebin.ubuntu.com/26074229/19:22
jdstrandok, so I have options19:23
jdstrandkyrofa: is this a bug in snapcraft?19:23
kyrofajdstrand, well, I'm not sure. When you use the `python` plugin, you're essentially creating a venv inside the snap, which is desired. We also assume you want to use that environment when building19:24
kyrofaIt feels weird to then say "Yes I know I've created that environment there, but I'd actually like to not use it for a sec"19:24
jdstrandkyrofa: so why isn't python3-coverage ending up in there, when everyting else is?19:24
jdstrandoh19:25
kyrofajdstrand, you have it set as a build-package, which only gets installed on the host19:25
kyrofajdstrand, if you want to get it into the part with everything else, you need to use stage-packages19:25
jdstrandok, so the issue is that I'm calling 'python3' directly in the scriptlet19:27
jdstrandwith -m coverage19:28
jdstrandkyrofa: ok, thanks19:35
mupPR snapd#4310 closed: many: allow to configure core before it is installed <Created by pedronis> <Merged by pedronis> <https://github.com/snapcore/snapd/pull/4310>19:35
mupPR snapd#4281 closed: snapstate: support for pre-refresh hook <Created by stolowski> <Merged by pedronis> <https://github.com/snapcore/snapd/pull/4281>19:37
sergiusenskyrofa look at this trick https://travis-ci.org/snapcore/snapcraft/builds/309146667?utm_source=github_status&utm_medium=notification :-)19:41
kyrofasergiusens, dude!19:41
mupPR snapcraft#1776 opened: ci: name the travis jobs <Created by sergiusens> <https://github.com/snapcore/snapcraft/pull/1776>19:41
kyrofasergiusens, so much better19:41
sergiusensI agree19:42
sergiusensit will need to be that way until the issue under consideration on the issue tracker for travis is decided upon19:42
sergiusensbut given how the matrix stuff works, I think that this is the intended mechanism for this19:43
pedronisjust one 2.30 PR lef but tomorrow19:43
pdefreitasgtk-update-icon-cache: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.25' not found19:49
pdefreitasArtful using a different glibc version?19:49
pdefreitasI got snapcraft 2.3519:49
zyga-ubuntupdefreitas: yes19:51
zyga-ubuntupdefreitas: use cleanbuild19:51
kyrofazyga-ubuntu, jdstrand https://github.com/snapcore/snapd/pull/4323 FYI19:53
mupPR #4323: interfaces: add gpio-memory-control interface <Created by kyrofa> <https://github.com/snapcore/snapd/pull/4323>19:53
mupPR snapd#4323 opened: interfaces: add gpio-memory-control interface <Created by kyrofa> <https://github.com/snapcore/snapd/pull/4323>19:53
zyga-ubuntukyrofa: ack19:56
mupPR snapd#4320 closed: tests: don't chown the whole world to test.test <Created by zyga> <Merged by zyga> <https://github.com/snapcore/snapd/pull/4320>19:57
pdefreitaszyga-ubuntu: I'm using electron.. how do I cleanbuild since npm produces the snap ?20:38
=== jero- is now known as jero
zyga-ubuntupdefreitas: I don't know what you just said, sorry,20:52
zyga-ubuntupdefreitas: cleanbuild is for snapcrat20:52
zyga-ubuntu*snapcraft20:52
jdstrandkyrofa: reviewed20:54
zyga-ubuntujdstrand: it passes!!!21:04
zyga-ubuntujdstrand: I updated my patch, it still shows the bug in apparmor (now easy to reproduce) but it passes now (hopefully in a sane way)21:05
zyga-ubuntujdstrand: it did pass before because I didn't notice I made a mistake21:05
zyga-ubuntujdstrand: and I never unmounted the old namespace, just bind mounted over it again (which probably did the right thing)21:05
zyga-ubuntujdstrand: having tried to unmount it I found the pattern that confuses apparmor21:07
zyga-ubuntujdstrand: it's a combination of an open file descriptor, that we keep open, across two setns calls21:08
zyga-ubuntujdstrand: and fchdir that is used to re-locate us to a directory prior to an unmount call21:08
zyga-ubuntujdstrand: (that uses relative name)21:08
zyga-ubuntujdstrand: what I did was to unmount the file with an aboslute name21:08
zyga-ubuntujdstrand: (this started to fail with EBUSY for unknown reason)21:09
zyga-ubuntujdstrand: (as nothing inhabits that namespace anymore)21:09
zyga-ubuntujdstrand: and I switched that to MNT_DETACH21:09
zyga-ubuntujdstrand: this passed my spread test21:09
zyga-ubuntujdstrand: I'm going to trim the appamor profile to remove things I added while shooting in the dark21:09
mupIssue snapcraft#1777 opened: Proxy support? <Created by array42> <https://github.com/snapcore/snapcraft/issue/1777>21:12
jdstrandzyga-ubuntu: nice! jjohansen, fyi ^21:14
jdstrandzyga-ubuntu: can you update the bug with that info?21:14
zyga-ubuntujdstrand: yes, I will!21:14
zyga-ubuntujdstrand: I had an euphoria and panic attack today21:14
jdstrandzyga-ubuntu: sounds like quite a day :)21:14
jjohansenuh, setns is a known problem, double setns doesn't change that21:15
zyga-ubuntujdstrand: when I realized that it worked (on my laptop) and then that it fails the spread test (which was more careful) and then that it finally worked with those extra hacks in place21:15
zyga-ubuntujjohansen: this doesn't explain why setns is not causing massive failures, we setns for every single started snap21:15
zyga-ubuntujjohansen: (well, except the first of a given snap)21:15
zyga-ubuntujjohansen: hey :) long time no see btw21:16
zyga-ubuntujjohansen: would you have some time to look at the code in the patch and at the denial (also documented in the patch) and see what you make of this?21:16
sergiusenskyrofa mind reviewing snapcraft#1774 before you EOD today?21:17
mupPR snapcraft#1774: Push binary metadata to the Store <Created by matiasb> <https://github.com/snapcore/snapcraft/pull/1774>21:17
jjohansenhey zyga-ubuntu, setns won't necessarily break everything dependent on several things. Partly to due with how mounts are shared or whether they are cloned ..21:17
kyrofasergiusens, sure thing21:17
jjohansenzyga-ubuntu: yes I will look into it21:17
mupIssue snapcraft#1777 closed: Proxy support? <Created by array42> <Closed by kyrofa> <https://github.com/snapcore/snapcraft/issue/1777>21:18
zyga-ubuntujjohansen: I see21:18
zyga-ubuntujjohansen: thank you, I'll open the PR in 10 minutes21:18
mupPR snapd#4324 opened: cmd/snap-confine: discard stale mount namespaces <Created by zyga> <https://github.com/snapcore/snapd/pull/4324>21:23
zyga-ubu1tujjohansen, jdstrand ^21:24
jdstrandjjohansen: so, what is supposed to be happening here (zyga-ubu1tu can correct me) is that we do the setns for the persistent mount namespace. that thing sticks around until it becomes 'stale'. if no processes are using the mount namespace, snap-confine will remove the persistent mount namespace so that it can be started anew the next time21:28
jdstrandjjohansen: eg, foo.bar starts and a persistent mount namespace is setup and foo.bar is put into it21:30
jdstrandjjohansen: foo.baz comes along, sees that foo's persistent mount namespace is available and doesn't have to be setup, then setns into it21:30
jdstrandjjohansen: things might be added to the mount namespace through snap connections, but if they are removed, the namespace is considered stale.21:32
jdstrandjjohansen: running processes continue to use the stale namespace until no processes are using it, at which point, the next foo.whatever invocation tears it down and reconstructs it21:33
jdstrandzyga-ubu1tu: please correct me ^21:33
jdstrandjjohansen: snaps themselves are not allowed to use setns or mount to escape21:35
jjohansenjdstrand: that wouldn't be a double setns, setns in, and then setns out21:35
zyga-ubu1tujdstrand: one thing I would correct is that we only consider it stale when the base snap revision (the rootfs) changes and we want to follow by starting with a fresh namespace21:35
jjohansenand that should not be a problem, unless the ns being reaped is lazily unmounted, at which everything within that namespace becomes disconnected, as it no longer has a namespace21:36
zyga-ubu1tujjohansen: the double setns is when we consider using a namespace, we jump inside (1st setns), see that it is stale and then jump out (2nd setns by folling /proc/1/ns/mnt) in order to be able to do the unmount (the bind mounted namespace is only visible on the main namespace)21:36
jdstrandjjohansen: I don't know what the 'double setns' talk is about. I think zyga-ubu1tu was saying he made a coding mistake that he since corrected21:36
zyga-ubu1tujdstrand: I did use MNT_DETACH, as described in the patch21:37
zyga-ubu1tuer, jjohansen ^21:37
jjohansenzyga-ubu1tu: that is basically known as a chroot escape, and it is very bad form21:37
zyga-ubu1tujjohansen: though I don't quite know why that is needed, I got EBUSY otherwise21:37
jdstrandoh yes, the setns to pid 1's namespace21:37
jdstrandthat is only for snap-confine though, not snaps21:37
zyga-ubu1tujjohansen: when we lazily unmount there should be no more processes there21:37
jjohansenjdstrand: your point being?21:38
zyga-ubu1tujjohansen: measured using a freezer cgroup that all processes from this snap inhait21:38
zyga-ubu1tu*inhabit21:38
jjohansenzyga-ubu1tu: I am going to have to dig into your specific case more21:39
jjohansenbefore I can say exactly what is going on to cause the failure21:40
zyga-ubu1tujjohansen: sure, thank you for looking21:40
jdstrandzyga-ubu1tu: this only reason for doing the /proc/1 stuff is for the devmode/checkbox snap, correct?21:41
zyga-ubu1tujdstrand: the only other reason21:42
zyga-ubu1tujdstrand: here it's a "legitimate" way to jump out21:42
zyga-ubu1tujdstrand: as a variant where we don't jump out I could use the capture helper (process forked earlier still in the original namespace) and re-distribute the flow of the code so that it does the work21:42
kyrofaHey cprov, can I not generate an attenuated macaroon for a specific project if I'm only a collaborator on that project?21:43
zyga-ubu1tujdstrand: in general I think we can refactor snap-confine, re-write it if necessary if we get directions on what to do and what not to do to stay in the bounds of the limitations of the kernel21:43
zyga-ubu1tuattenuated macaroon, boy, and I find my job confusing sometimes ^_^21:44
zyga-ubu1tukyrofa: what is an attenuated macaroon, a very small cookie?21:44
=== zyga-ubu1tu is now known as zyga-ubuntu
cprovkyrofa: let me check the code, but it's possible that is restricted to the publisher.21:44
zyga-ubuntuok, I'm EOD, it far too late already21:45
zyga-ubuntuniemeyer: ^^21:46
jdstrandzyga-ubuntu: you say "this" is a legitmate reason to jump out... can you explain the flow for this legitimate use case?21:46
zyga-ubuntujdstrand: yes21:46
zyga-ubuntujdstrand: we start in whatever the namespace is (let's say the main one), look at /var/lib/snapd/ns/$SNAP_NAME.mnt and setns inside (successfully) in an attempt to reuse it21:47
cprovkyrofa: can you file a bug on the snapstore project with the traceback of the request you are doing ?21:47
zyga-ubuntujdstrand: once inside we measure / and see that it's not the one we expect and we consider if we can clean it up21:47
zyga-ubuntujdstrand: we measure /sys/fs/cgroup/freezer/snap.$SNAP_NAME/cgroup.procs and look for inhabitants,21:48
zyga-ubuntujdstrand: finding none we consider it safe to unmount and start over21:48
zyga-ubuntujdstrand: we setns on /proc/1/ns/mnt to have a perspective in which we can unmount /var/lib/snapd/ns/$SNAP_NAME.mnt (remember that ... oh drat, I meant /run/snapd/ns above and here) has private mount sharing21:49
jdstrandzyga-ubuntu: another way to do it would not setns in it at all. just look for inhabitants. if none, reconstruct21:49
zyga-ubuntujdstrand: then we umount with MNT_DETACH and re-start the procedure (where we see the that .mnt file is no longer a namespace bind mount so we construct a fresh one and bind over it)21:49
zyga-ubuntujdstrand: yes but the current detection logic depends on looking at / from the inside (I think this is not a problem and we could adjust) and also this would make the cache effectively useless21:50
zyga-ubuntujdstrand: as a cache that is21:50
zyga-ubuntujdstrand: it would still function for as long as we have a living process inside21:50
zyga-ubuntujdstrand: it could probably cause some issues for snaps that keep data in /tmp and (currently, unaware of this) depend on it to stick around21:51
zyga-ubuntujdstrand: I would rather setns and exit and then continue from a forked child that hasn't setns at all yet21:51
jdstrandzyga-ubuntu: the /tmp case is still there regardless. consider a snap disconnect21:51
zyga-ubuntujdstrand: (and since we already fork for the bind mount that captures the namespace, due to how the kernel requires this to be done, we could do this without additional "cost")21:52
zyga-ubuntujdstrand: yes? what about it?21:52
zyga-ubuntujdstrand: (we don't lose /tmp then)21:52
jdstrandzyga-ubuntu: you said that 'it could probably cause some issues...'. I'm saying that is still the case21:53
zyga-ubuntujdstrand: yes but today this is less frequent (both in master and with this patch)21:53
zyga-ubuntujdstrand: but otherwise I agree21:53
zyga-ubuntujdstrand: I just didn't understand why "snap disconnect" matters21:53
kyrofacprov, will do... but I may have broken this21:53
zyga-ubuntujdstrand: we should never discard a namespace on disconnect21:53
jdstrandzyga-ubuntu: I was just mentioning a case where the mount namespace might have to be updated21:54
jdstrandeg, you disconnect a content interface. sure, you don't discard *then*, but you will whenever no processes are there21:54
zyga-ubuntujdstrand: right, but we don't change /tmp in that case, I really did mean /tmp specifically where software just keeps various files21:54
zyga-ubuntujdstrand: agreed on all that21:54
jdstrandanyway21:54
jdstrandzyga-ubuntu: so, it feels really weird to setns in and then out and then in again21:55
zyga-ubuntujdstrand: well, in, out, and then unshare technically21:55
zyga-ubuntujdstrand: we never setns three times21:56
jdstrandsure21:56
zyga-ubuntujdstrand: if I adjust the logic for staleness detection I think it's equally possible to not setns again, but I'd have to see how much code needs refactoring to allow that21:57
zyga-ubuntu(some of the code is a victim of evolutionary approach there)21:57
jdstrandzyga-ubuntu: I think with the myriad of PRs over weeks/months it was hard for me to understand where we were heading. I'm sorry for that (not blaming you or anything. I just feel bad about not seeing this early)21:57
jdstrandon the one hand, we are talking about 'only' snap-confine needing this access to jump out21:58
jdstrand*but* snap-confine is setuid root and an attack vector, so we are trying to minimize what it can do21:58
jdstrandzyga-ubuntu: there are certainly other ways to do this, but fork/exec'ing a helper in the namespace to detect staleness and communicating to the parent (snap-confine) how to proceed would avoid the issue22:00
jdstrandzyga-ubuntu: so, snap-confine starts in the original ns, it launches a helper that detects staleness, it gets back the results and snap-confine decides what to do22:02
jdstrandzyga-ubuntu: this way, snap confine doesn22:03
jdstrand't have any extra permissions. the helper could have a small subset of the current profile and snap-confine could have some rules removed that are only in the staleness detector22:03
jdstrandzyga-ubuntu: this should avoid the kernel issue you are seeing. that kernel issue is, I think, indicative of the fact that one shouldn't really be jumping around with setns()22:05
zyga-ubuntujdstrand: yeah, I think there are ways to do this22:05
jdstrandwhich is why it isn't surprising that it isn't working as expected22:05
zyga-ubuntujdstrand: though here I'll repeat what I said earlier in the conversation: knowing the limitations would help to desing this better22:05
zyga-ubuntujdstrand: if there's a rule to setns at most once, that's a valuable fact22:06
zyga-ubuntujdstrand: note that setns(2) doesn't really documenta any constraints22:06
zyga-ubuntu*document22:06
zyga-ubuntujdstrand: though I know this is all tricky business and there dragons around :)22:06
jdstrandzyga-ubuntu: I don't think my helper idea would require a ton of refactoring or anything. maybe you can think of something else, but the fork/exec with the parent and child in different namespaces is clean design-wise22:06
zyga-ubuntujdstrand: agreed22:07
zyga-ubuntujdstrand: but I think we still don't (at least not me) have a very clear idea of what is off limits and what is allowed22:07
zyga-ubuntujdstrand: why is 2nd setns special?22:07
jdstrandzyga-ubuntu: well, we are pushing the boundaries here. I think the only one setns() is implied rather than explicit22:07
zyga-ubuntujdstrand: I think we need to wait for a deeper analysis22:07
zyga-ubuntujdstrand: well, it works if you unconfine :)22:08
jdstrandzyga-ubuntu: so, namespaces are, in part, meant to address shortcomings in things like chroot22:08
* zyga-ubuntu should get to bed, day starts soon 22:09
jdstrandzyga-ubuntu: so if you can setns in and out of a namespace all the time, that isn't great, so people, I think, are really thinking about a single setns that you shouldn't leave22:09
zyga-ubuntujdstrand: I will shift my timezone to match yours next year22:09
zyga-ubuntujdstrand: and I will probably (likely) be off most of december to burn my holidays22:09
zyga-ubuntujdstrand: at one point in time I was hoping we can keep a thread in each namespace permanently but then, unfortunately, I learned that sents must be called when there's only one thread22:10
jdstrandjjohansen: sorry it is late for you. note that jjohansen can be considered a kernel expert in this area. the fork/exec idea is confirmed as fine22:10
jdstrandmeh22:10
jdstrandjjohansen: nm22:10
jdstrandzyga-ubuntu: ^22:10
zyga-ubuntujdstrand: it would be really cool to design snapd in a way that keeps a pool of threads in each namespace22:10
zyga-ubuntu:-)22:10
zyga-ubuntujdstrand: I will look at reworking it tomorrow if you desire22:11
jdstrandzyga-ubuntu: I do. it is a significant deparature in design-- you still detect and decide, it is just a tweak on how to organize that22:12
jdstranderr22:12
jdstrandzyga-ubuntu: it isn't*22:12
jdstrandzyga-ubuntu: and that tweak makes a big difference in what snap-confine is allowed to do, and keeps a cleaner separation of the namespaces, which is more inline with kernel expectations22:13
zyga-ubuntuack22:14
jdstrandzyga-ubuntu: so, there is still the sc_reassociate_with_pid1_mount_ns() that is called unconditionally in snap-confine.c when !classic confinement22:20
pedronisit's a bit annoying that there's no way to measure the namespace from outside even being root22:21
jdstrandzyga-ubuntu: don't worry about that for now. I want to think through that (I never cared for this-- can checkbox not just be classic)?22:21
jdstrandI guess it is really all devmode snaps. but now that we have classic and devmode is a step to strict, I don't see the problem with disallowing calling other snaps from devmode. but that conversation has been had. anyway, let me think about it22:24
mupPR snapcraft#1775 closed: Add --help command for the runtests.sh script <Created by m4sk1n> <Merged by sergiusens> <https://github.com/snapcore/snapcraft/pull/1775>23:00
sergiusenskyrofa any idea why from one stage to the next the built snap wouldn't be available? -> https://travis-ci.org/snapcore/snapcraft/builds/309146667?utm_source=github_status&utm_medium=notification23:12
mwhudsoner is there a reason snap run uses snap-exec from the host system not the core snap?23:17
mwhudsonsounds like a fourm question23:19
kyrofaHmm.... I'm not sure how that works sergiusens23:20
kyrofasergiusens, I mean, that dir is cached23:21
kyrofaI don't think there's magic beyond that23:21
sergiusenskyrofa maybe the next stage ran somewhere else? I am going to just click on rebuild for everything and if not wait for the transfer.sh work to finish ;-)23:22
kyrofasergiusens, unless lxc file pull can fail without exiting non-zero... super weird23:23
kyrofasergiusens, but yeah, I've seen the stages run out of order before, elopio had to close/re-open to get it to run again23:23
kyrofaCorrectly, I mean23:23
sergiusensI saw these ran in order, but with a lot of time in between each stage23:25
mupPR snapd#4325 opened: Adding test for netlink-connector interface <Created by sergiocazzolato> <https://github.com/snapcore/snapd/pull/4325>23:36

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!