/srv/irclogs.ubuntu.com/2018/03/13/#snappy.txt

jaitaiwanHey folks, just wondering if snaps are supposed to be apart of your $PATH by default or if there's some sort of setup steps I'm missing before using CLI snaps01:23
naccjaitaiwan: /etc/profile.d/apps-bin-path.sh on ubuntu (from snapd)03:51
mborzeckimorning06:06
mupPR snapd#4800 closed: cmd/snap: in changes and tasks, default to human-friendly times <Created by chipaca> <Merged by bboozzoo> <https://github.com/snapcore/snapd/pull/4800>07:22
zyga-ubuntugood morning07:30
zyga-ubuntujaitaiwan: hey, it's supposed to be automatic but if you just installed the snapd package you may need to reboot / log out for the changes to take effect07:31
zyga-ubuntumvo: good morning07:32
* zyga-ubuntu was up at 6AM but $KIDS needed more help today07:32
mvozyga-ubuntu: hey, good morning07:33
zyga-ubuntuman, this bug is more elusive than we thought :/07:33
mvozyga-ubuntu: yeah, I was thinking it was caching07:34
mborzeckizyga-ubuntu: mvo: morning guys07:34
zyga-ubuntumvo: did you get to a point where you can reproduce it on your machine?07:34
mvohey mborzecki07:34
mvozyga-ubuntu: I did manage that07:34
zyga-ubuntumvo: and if so did you have to run all of main or was a subset sufficient?07:35
zyga-ubuntumborzecki: hey! :)07:35
mvozyga-ubuntu: I have to run all07:35
zyga-ubuntumvo: I tried just the cgroup tests and I was "lucky"07:35
mvozyga-ubuntu: I managed to get into a shell last night and changed the profile and reload and then things were good again07:35
zyga-ubuntumvo: so just *one* test (with sub-tests)07:35
mvozyga-ubuntu: I suspect its something subtle like the cache07:35
zyga-ubuntuok, I can try disabling all of the cache07:36
mvozyga-ubuntu: oh, just the cgroup tests, cool07:36
zyga-ubuntuand see if that helps07:36
mvozyga-ubuntu: sounds great, how do you disable the caches?07:36
mvozyga-ubuntu: I rm -f them in my PR but that is not enough07:36
zyga-ubuntumvo: apparmor_parser explicitly controls this so we'd have to pass some options in a few places, the patch should be minor07:36
zyga-ubuntumvo: the only exception is /etc/init.d/apparmor07:36
zyga-ubuntubut I _think_ we can ignore that07:37
zyga-ubuntubecause it just runs once on boot07:37
zyga-ubuntuhmm hmm07:37
zyga-ubuntubut then again, some tests do reboot07:37
zyga-ubuntuI'll focus on the cgroup test07:37
zyga-ubuntuand on disabling cache07:37
zyga-ubuntumaybe it will show us something usefil07:37
zyga-ubuntuoh07:37
mvozyga-ubuntu: is there magic to dump a profile from memory? i.e. to see if the in-memory state matches the on disk state?07:38
zyga-ubuntuand I have a small patch, though not a bug fix, related to what I did yesterday07:38
zyga-ubuntuyes07:38
zyga-ubuntuish07:38
zyga-ubuntuyou can dump the profile from memory07:38
zyga-ubuntuhold on, I will show you how07:38
mvozyga-ubuntu: cool, when I am in the broken state I will try that07:38
zyga-ubuntumvo: it's not easy or useful without some extra tools07:40
zyga-ubuntumvo: you can go to /sys/kernel/security/apparmor/policy/raw_data/07:40
zyga-ubuntu(raw_data is a magic symlink which behaves as a magic directory)07:40
zyga-ubuntuthen you will see a lot of numbers07:40
zyga-ubuntueach time you insert a new profile you get a new number (including replaces I think)07:41
zyga-ubuntuthen you can see the raw_data file inside the number directory07:41
zyga-ubuntunow07:41
zyga-ubuntuthis doesn't match the cache I think07:41
zyga-ubuntubut there is a way to compile a profile and get the raw data07:41
zyga-ubuntufrom apparmor_parser that is07:41
zyga-ubuntuso with some tooling we might compile all the profiles from disk07:41
zyga-ubuntuto get their raw_data07:42
zyga-ubuntuand compare that to the raw_data that the kernel knows about07:42
zyga-ubuntuand in the end try to match files to loaded profiles07:42
zyga-ubuntuI wrote a decompiler for the raw_data format a while ago07:42
zyga-ubuntubut did not manage to get the most interesting part of the policy07:42
zyga-ubuntuthat is the set of regular exressions and matching permissions07:42
zyga-ubuntuI do get profile names and a lot of other things out though07:43
zyga-ubuntuthe format is not documented well, I did this by following the kernel code that parses the binary profiles07:43
zyga-ubuntuso, that's that, not sure if useful07:43
mvozyga-ubuntu: uh, ok07:44
zyga-ubuntu*fun* :-)07:44
mvozyga-ubuntu: yeah07:44
zyga-ubuntuthe format is not hard either07:44
zyga-ubuntuit's mostly tagged strutures and some tables07:44
zyga-ubuntuthe devil is in the details07:44
zyga-ubuntuand the yet-not-understood (by me) format to which the DFAs are compiled07:44
zyga-ubuntuit's also coupled with some compression07:44
zyga-ubuntumvo: though having such a decompiler would be very useful as it's our backbone in many ways07:46
* mvo nods07:48
=== pstolowski|afk is now known as pstolowski
pstolowskimornings07:53
zyga-ubuntuhey hey07:54
mvozyga-ubuntu: so you reproduced it without the core transition tests? I suspected those might be the culprits :/07:55
zyga-ubuntuyes, I did07:55
zyga-ubuntuI'm running another pass now07:55
zyga-ubuntuI'm tweaking prepare/restore debugging07:55
mvozyga-ubuntu: ta07:56
mupPR snapd#4821 opened: tests: define MATCH from spread <Created by zyga> <https://github.com/snapcore/snapd/pull/4821>08:00
mvozyga-ubuntu: I replied to your question about the system-key08:01
mvozyga-ubuntu: let me know if that is reasonable, if not happy to have a quick HO to discuss08:01
zyga-ubuntuthanks, looking08:01
mvozyga-ubuntu: my theory is essentially that during one of the tests we generate/load a snap.core.*.snap-confine profile from the real core in edge instead of from our modified core08:03
mvozyga-ubuntu: and never undo this08:03
zyga-ubuntuhmm hmm08:03
mvozyga-ubuntu: and then things fall apprt08:03
zyga-ubuntucan you explain when system key would be stale and we would not regenerate it?08:03
mvozyga-ubuntu: and also its super confusing because we restore the profile *on-disk* (via tar) but of course do not reload08:03
zyga-ubuntuahh08:03
mvozyga-ubuntu: the core snap is 4422 (or whatever)08:03
mvozyga-ubuntu: that is the one in edge08:03
zyga-ubuntumaybe as a part of restore we can do apparmor_parser -r /some/path/*08:04
mvozyga-ubuntu: and also the one we "hack"08:04
mvozyga-ubuntu: yes, that could be it08:04
zyga-ubuntuI just ran the cgroup tests and they didn't fail08:04
zyga-ubuntuyour patch from yesterday (the 1st one) makes it less likely things break08:04
mvozyga-ubuntu: the core transition tests will (most) definitely do that, use the "real" edge with the "wrong" snap-confine profile and load that08:04
mvozyga-ubuntu: yeah08:04
zyga-ubuntuI'll run the core transition tests and the cgroup test in sequence now08:05
zyga-ubuntumvo: so to get back to the PR with the system-key question08:08
mvozyga-ubuntu: I suspect that we will see the error now in the 2.32 branch only, edge is up-to-date with core again so the apprmor profiles are essentially the same08:08
mvozyga-ubuntu: sure08:08
zyga-ubuntuif I understand you correctly, you are saying that because we remove system key we trigger profile loads08:08
mvozyga-ubuntu: correct08:08
zyga-ubuntuyeah, I work on the release branch all the time08:08
zyga-ubuntumvo: I would strongly prefer if this was a bit less magic and more organized08:09
mvozyga-ubuntu: we *could* also force this in restore as a big hammer08:09
zyga-ubuntuthere's a lot of voodoo in our scripts08:09
mvozyga-ubuntu: I think we are all in agereement about this :)08:09
mvozyga-ubuntu: part of the problem is that the problem domain itself is confusing, I mean, re-exec make things confusing and we do some strange things in the suite08:10
mvozyga-ubuntu: if we could rely on snapshots, that would be best08:10
zyga-ubuntuyeah, no question about that, a snapshot (though at a right time, this is tricky too) would be wonderful08:10
mvozyga-ubuntu: or some way to ensure that prepare/restore really go back to a pristine state but given the amount of things that could change (apparmor profiles in memory, kernel bootloader vars, on-disk state) this is really hard08:11
zyga-ubuntuahem08:11
mvozyga-ubuntu: haha08:11
* mvo hugs zyga-ubuntu 08:11
zyga-ubuntuhttps://github.com/snapcore/spread/pull/4708:11
mupPR spread#47: Add support for project-wide measure-each stanza <Created by zyga> <https://github.com/snapcore/spread/pull/47>08:11
mvozyga-ubuntu: do you feel better today?08:11
zyga-ubuntumvo: yes, less coughing :)08:11
mvozyga-ubuntu: I remember this one!08:11
zyga-ubuntuI wish we could just land it08:11
mborzeckicould we dump the profiles, clean the state  in prepare/restore each steps instead of just the selected tasks?08:11
mvozyga-ubuntu: btw when I use less leaves from your tea its not so strong, I like this better08:12
zyga-ubuntumborzecki: I think part of the problem is how our prepare/restore is organised, it's not really prepare and restore08:12
zyga-ubuntuprepare does restore internally08:12
zyga-ubuntuand restore is mostly a no-op08:12
mvomborzecki: I think the profile restore is something to explore, I'm try to reproduce now again and then will add it08:12
mvozyga-ubuntu: yeah, this part is also slightly terrible08:13
zyga-ubuntumvo: yeah, I also use the same set of leaves throughout the day, it's easily good enough for 2-3 infusions08:13
zyga-ubuntumvo: I'm fixing that now08:13
mvozyga-ubuntu: \o/08:13
zyga-ubuntumvo: the MATCH pr is the first step now08:13
zyga-ubuntuchipaca had this idea some months ago08:13
zyga-ubuntumvo: I'm making it so that prepare really prepares (applies tarball) and restore really cleans up08:14
zyga-ubuntuusing the measure feature to ensure it's happening for real08:14
zyga-ubuntuthough it will be a few PRs to review08:14
zyga-ubuntumvo: what I found interesting is places that are not covered by the tarball08:14
zyga-ubuntulike various caches08:14
zyga-ubuntulike the apparmor cache you started cleaning now08:14
mborzeckiafair apparmor has an in kernel db so even if you clean the cache, the rules may still be there right?08:15
zyga-ubuntuyes08:15
zyga-ubuntutotally08:15
zyga-ubuntuthat is another thing we should clean08:15
zyga-ubuntubut it's not trivial as we really want to restore the right state08:16
zyga-ubuntunot discard it08:16
zyga-ubuntupart of the state is "competed" by the Apparmor init script08:16
zyga-ubuntuit will parse, compile, cache and load all the profiles08:16
mborzeckiclean by rebooting :)08:16
zyga-ubuntuhaha08:16
zyga-ubuntuyeah ;)08:16
zyga-ubuntumvo: I ran core transition and security cgroups and it passed :/08:16
zyga-ubuntu(I don't have your branch in yet)08:17
zyga-ubuntuhey chihchun_afk :-)08:17
zyga-ubuntumvo: would the edge being really newer affect the failure rate in the release branch?08:18
mborzeckizyga-ubuntu: otoh reboot is pretty much instant with the cloud images running under qemu08:19
itsfemme[m]is there a way to search for free software snaps?08:19
zyga-ubuntuitsfemme[m]: yes though it's not exposed in the UI yet AFAIK08:21
itsfemme[m]got a URL?08:22
zyga-ubuntuno08:22
zyga-ubuntuit's just implemented on the store now08:22
mvozyga-ubuntu: yeah, the fact that edge is now in sync (more or less) with master means even with the "wrong" profiles being loaded things are ok because the profile in edge is pretty much identical08:22
mvozyga-ubuntu: I have some hopes in release/2.32 but its only on 22/232 and ok so far08:22
mvozyga-ubuntu: I run one with just the cgroups now08:22
zyga-ubuntumvo: can we do an experiment that would not affect master08:22
zyga-ubuntumvo: publish 2.31 in some channel08:23
zyga-ubuntuand I can run tests against that channel08:23
zyga-ubuntuI want to nail the issue, not hide it till next time08:23
mvozyga-ubuntu: again, we are in agreement, lets nail it08:24
mvozyga-ubuntu: I would need a track to publish 2.31 (or a branch). I think I need store support for this08:24
zyga-ubuntuyes,08:24
zyga-ubuntuperhaps pedronis and noise][ can arrange that08:25
mupPR snapd#4815 closed: tests: fix re-exec profile generation in tests on classic <Created by mvo5> <Closed by mvo5> <https://github.com/snapcore/snapd/pull/4815>08:29
pedronisI cannot create tracks, but for sure store can help with a track or branch08:34
mwhudsondo i want to think about why downloading snaps is way slower inside a lxd than outside?08:35
zyga-ubuntuproxy settings not used?08:37
zyga-ubuntuhow much slower is slower?08:37
=== LtWorf_ is now known as LtWorf
zyga-ubuntumvo: do you want to keep https://github.com/snapcore/snapd/pull/4814/files ?08:40
mupPR #4814: tests: fix re-exec profile generation in tests on classic (2.32) <Created by mvo5> <https://github.com/snapcore/snapd/pull/4814>08:40
mvozyga-ubuntu: for now, I want to see if it breaks and in what way08:41
zyga-ubuntuok08:41
mvozyga-ubuntu: I will set it to blocked if the tests pass08:41
mvozyga-ubuntu: I think the first commit is actually correct and should land but the rest is dubious08:41
mvozyga-ubuntu: also, the first commit is not sufficient (as we established) so :(08:41
mborzeckianyone wants to take a look at #4781?08:46
mupPR #4781: wrappers: refactor desktop file sanitizer to support autostart files <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/4781>08:46
mvozyga-ubuntu: yay, now I have the bug in the 2.32 PR08:48
zyga-ubuntu!!08:48
zyga-ubuntuwhere?08:48
mvozyga-ubuntu: in the fix-reexec-snap-confine-profile-generateion (2.32 based) branch08:49
mvozyga-ubuntu: in canonical-livepatch08:49
mvozyga-ubuntu: the on-disk profile is correct AFAICT08:49
mvozyga-ubuntu: but I get an error08:49
zyga-ubuntuif you reload the profile08:50
zyga-ubuntuis that fixing things?08:50
zyga-ubuntuI assume you have a shell now08:50
mvozyga-ubuntu: just reloading does not help08:50
zyga-ubuntuok, what is the denial you see08:50
mvozyga-ubuntu: *but* changing the profile (adding a whitespace) and reloading08:50
mvozyga-ubuntu: fixes it08:50
zyga-ubuntuexactly the same as before?08:50
zyga-ubuntuoooooooh08:50
zyga-ubuntuso caching?08:51
mvozyga-ubuntu: yeah, looks very much like it08:51
zyga-ubuntuhead.wall()08:51
mvozyga-ubuntu: its "funny", I had this discussion back in the click days iirc, that the cache should use more data than just the mtime :/08:51
mvozyga-ubuntu: I suspect it is something like "a new aa profile is written; profile is cached; we restore to the previous aa profile in the restore step; the apparmor-parser sees that the mtime of the cache is nwewer than the mtime of the profile -> does nothing"08:52
zyga-ubuntuyeah08:53
zyga-ubuntuthat's very likely08:53
mvozyga-ubuntu: the question is how to nuke all apparmor caches08:53
zyga-ubuntuone sec08:53
mvozyga-ubuntu: i.e. what to do short term, then what to do longer term08:53
zyga-ubuntuI have a patch for the nuclear option08:53
mvozyga-ubuntu: bring it on!08:54
mvopedronis: are you working on a backport of the refrsh hold PR that was recently merged? or shall I have a look?08:56
mvopedronis: fwiw, 2.32 is blocked right now on this apparmor caching bug zyga-ubuntu and I are chasing08:56
pedronismvo: I will work on it,  I forgot to squash it though, so it will be a bit annoying08:57
pedronismvo: it needs a follow up anyway, with the actual policy (which is what I'm working on right now, I had a variant yesterday but I had some ideas to simplify it a bit)08:58
mvopedronis: cool, please let me know if I can help in any way08:59
zyga-ubuntumvo: https://github.com/snapcore/snapd/pull/482209:03
mupPR #4822: interfaces/apparmor: skip apparmor cache <Created by zyga> <https://github.com/snapcore/snapd/pull/4822>09:03
zyga-ubuntumvo: just for consideration09:03
zyga-ubuntuI wonder what will happen09:03
mupPR snapd#4822 opened: interfaces/apparmor: skip apparmor cache <Created by zyga> <https://github.com/snapcore/snapd/pull/4822>09:03
mvozyga-ubuntu: lets run that against 2.32 and we will know :)09:04
zyga-ubuntuah, sorry, I'll make a 2.32 variant09:04
zyga-ubuntumvo: the backport is https://github.com/snapcore/snapd/pull/482309:09
mupPR #4823: interfaces/apparmor: skip apparmor cache <Created by zyga> <https://github.com/snapcore/snapd/pull/4823>09:09
mupPR snapd#4823 opened: interfaces/apparmor: skip apparmor cache <Created by zyga> <https://github.com/snapcore/snapd/pull/4823>09:09
mvozyga-ubuntu: cool, lets see what the tests say09:09
zyga-ubuntujust in case the smoking gun is found09:10
zyga-ubuntuwhat do we do09:10
zyga-ubuntufix apparmor parser caching ourselves?09:10
mvozyga-ubuntu: its mostly test related, I think we fix the tests and "gently" remind the team that the apparmor caching could need some love09:10
mvozyga-ubuntu: I suspect https://bugs.launchpad.net/snappy/+bug/146015209:11
mupBug #1460152: apparmor cache not updated when apparmor.d rules change (breaks 15.04/stable -> 15.04/edge updates) <patch> <Snappy:Fix Released by mvo> <Snappy 15.04:Fix Released by mvo> <apparmor (Ubuntu):Fix Released> <https://launchpad.net/bugs/1460152>09:11
zyga-ubuntumvo: I recall we had a spike on error.u.c09:11
zyga-ubuntucould that be related?09:11
mvozyga-ubuntu: maybe, but I suspect its different reason, this looks tests related to me still (but maybe I'm wrong)09:12
zyga-ubuntuon a related note, can you look at https://github.com/snapcore/snapd/pull/482109:13
mupPR #4821: tests: define MATCH from spread <Created by zyga> <https://github.com/snapcore/snapd/pull/4821>09:13
zyga-ubuntuit will help me land small refactors to prepare-restore next09:13
mvozyga-ubuntu: sure, looking09:22
mvozyga-ubuntu: why tail -n +2 ?09:23
mvozyga-ubuntu: what is in the first two lines?09:23
zyga-ubuntuthank you09:23
zyga-ubuntuhttps://www.irccloud.com/pastebin/4E4oqQqV/09:24
mvozyga-ubuntu: aha, I see09:29
mvozyga-ubuntu: replied in the PR09:30
zyga-ubuntu
replied as well09:34
mvota09:34
=== __chip__ is now known as Chipaca
zyga-ubuntumvo: I see an error09:42
zyga-ubuntubut it makes no sense09:42
zyga-ubuntu+ MATCH gadget09:43
zyga-ubuntu+ snap list09:43
zyga-ubuntuerror: pattern not found, got:09:43
zyga-ubuntuName  Version                   Rev   Tracking  Developer  Notes09:43
zyga-ubuntucore  16-2.31.2+git610.7a79b84  4229  edge      canonical  core09:43
zyga-ubuntuthis is in https://github.com/snapcore/snapd/pull/482209:43
mupPR #4822: interfaces/apparmor: skip apparmor cache <Created by zyga> <https://github.com/snapcore/snapd/pull/4822>09:43
mupPR snapd#4768 closed: [RFC] snap userd autostart v2 <Sprint> <Created by bboozzoo> <Closed by bboozzoo> <https://github.com/snapcore/snapd/pull/4768>09:43
zyga-ubuntumvo: shall I restart?09:43
zyga-ubuntuthose were in master09:43
zyga-ubuntu(not in the 2.32)09:43
mvozyga-ubuntu: yeah, master is probably not it09:44
zyga-ubuntudoes the error make any sense to you?09:45
mvozyga-ubuntu: does apparmor have more caches except /etc/apparmor.d/cache - do you happen to know?09:45
Chipacavery unhappy with the tests state right now :-(09:45
mvozyga-ubuntu: no09:45
zyga-ubuntuyes09:45
zyga-ubuntuit has two caches09:45
zyga-ubuntuone legacy09:45
mvoChipaca: we are as well09:45
zyga-ubuntuand one "modern"09:45
* Chipaca hugs everybody09:45
zyga-ubuntuone is in /var/apparmor/cache09:45
mvoChipaca: we are head first diving into it and its not pretty09:45
* Chipaca is still grumpy tho09:45
mvoChipaca: rightfully so09:45
zyga-ubuntuanother one is in /etc/apparmor.d/cache AFAIR09:45
zyga-ubuntuhey Chipaca :)09:45
mvozyga-ubuntu: thanks09:46
zyga-ubuntuwhy are you grumpy?09:46
Chipacazyga-ubuntu: tests breakage09:46
zyga-ubuntuChipaca: hug the tests09:46
zyga-ubuntu:D09:46
Chipacazyga-ubuntu: my huggage would be to feature flag errything09:46
Chipacaso maybe not the best approach09:47
zyga-ubuntumvo: any ideas?09:47
zyga-ubuntu(caches in /etc are "fun")09:47
zyga-ubuntumvo: shall we restart that PR/09:48
mvozyga-ubuntu: works for me09:48
mvozyga-ubuntu: I'm trying different things in parallel but its seems to be all not quite fixing it :(09:48
mvozyga-ubuntu: I think I am getting annoyed as well09:48
mvoChipaca: master at least should be more happy now, no? tests there?09:49
zyga-ubuntumvo: that's good, this is a great motivation technique09:49
mvoChipaca: because we got a new core overnight09:49
zyga-ubuntumvo: let's merge my MATCH pr (with changes if you wish) and let's reorganise prepare-restore09:49
Chipacamvo: dunno master; #4820 has been red five times already, for everything from layouts to cgroups to network09:50
mupPR #4820: cmd/snap: use timeutil.Human to show times in `snap refresh --time` <Created by chipaca> <https://github.com/snapcore/snapd/pull/4820>09:50
zyga-ubuntumvo: and the 2.32 PR failed now09:50
mvoChipaca: oh, right - layout will still be a problem09:50
zyga-ubuntucannot execute snap-update-ns: Permission denied09:50
mvoChipaca: but cgroups should be ok now, did that run today?09:50
zyga-ubuntu:-(09:50
zyga-ubuntuI don't know what's going on now09:50
mvozyga-ubuntu: meh, that is exactly the failure that I think comes from a stale cache09:50
zyga-ubuntumvo: hold on, maybe the --skip-cache does something silly09:51
* zyga-ubuntu looks09:51
Chipacamvo: it might've been late yesterday, or today, one side or the other of the date line09:51
zyga-ubuntu       -K, --skip-cache09:51
zyga-ubuntu           Perform no caching at all: disables -W, implies -T.09:51
mvozyga-ubuntu: also maybe for some reason aa thinks the profile has not changed?09:51
mvoChipaca: ok, just for "fun", please restart09:51
zyga-ubuntumvo: but without any caching how could it decide?09:51
mvoChipaca: if it still fails in the cgroups I will consider start drinking09:52
zyga-ubuntumvo: one more idea09:52
Chipacamvo: i did (and then it failed on another thing)09:52
mvozyga-ubuntu: I have no idea09:52
zyga-ubuntuactually, not sure09:52
mvoChipaca: aha, what is this other thing?09:52
zyga-ubuntuI wanted to say that we could wrap apparmor_parser09:52
mvozyga-ubuntu: ohhhh09:52
zyga-ubuntuoh?09:52
mvozyga-ubuntu: you probably need my first commit09:52
mvozyga-ubuntu: wait a sec09:52
zyga-ubuntukk09:52
zyga-ubuntujust push to those PRs09:52
Chipacamvo: a bunch of unrelated stuff like econnreset09:53
Chipacamvo: and now it's failed yet again, this time in suite prepare09:53
mvozyga-ubuntu: I think you need https://github.com/snapcore/snapd/pull/4814/commits/8c065f9f22547497ca0c925009fe1b448ea78045 or you will never have the right profile in the first place09:53
mupPR #4814: tests: fix re-exec profile generation in tests on classic (2.32) <Created by mvo5> <https://github.com/snapcore/snapd/pull/4814>09:53
Chipacaso that's six times09:53
mvozyga-ubuntu: i.e. without that commit the snap-confine profile for core is always incorrect09:53
zyga-ubuntuChipaca: in suite prepare?09:53
* Chipaca gives up on this programming stuff and goes shopping09:53
mvozyga-ubuntu: with that commit it becomes a caching issue (I think)09:53
mvoChipaca: in prepare suite :(09:54
mvoChipaca: what is the link to the log?09:54
zyga-ubuntumvo: will you push or do you want me to cherry-pick?09:54
Chipacahttps://api.travis-ci.org/v3/job/352504456/log.txt09:54
zyga-ubuntu+ tar -C/ -xf /home/gopath/src/github.com/snapcore/snapd/snapd-state.tar.gz09:55
zyga-ubuntutar: /home/gopath/src/github.com/snapcore/snapd/snapd-state.tar.gz: Cannot open: No such file or directory09:55
zyga-ubuntuI have no words09:55
zyga-ubuntuis there a gnome pissing into the milk09:55
zyga-ubuntuand messing up our tests09:55
Chipacazyga-ubuntu: s/gnome/elephant/09:55
mborzeckihmm GNOME? :)09:56
mvozyga-ubuntu: if you could cherry-pick09:57
zyga-ubuntusure09:57
zyga-ubuntumvo: pushed,09:59
zyga-ubuntudo you think it's worth to try to wrap apparmor_parser09:59
zyga-ubuntuand do caching ourselves?09:59
zyga-ubuntuwe can use apparmor_parser to get the raw data09:59
zyga-ubuntuand use any logic we wish to cache or discard the raw data (compiled profiles)10:00
pedroniszyga-ubuntu: is the branch just to check if it helps? or is the plan to really turn off the cache?10:02
zyga-ubuntupedronis: just to check10:02
zyga-ubuntu(hence the rfc)10:02
zyga-ubuntuif the caching system is broken we can work around it10:02
zyga-ubuntuI think we really could cache ourselves10:02
zyga-ubuntusince the parser gives us the primitives10:02
pedronisthe rfc?10:03
pedronisthe description is very not rfcs10:03
pedronisbut maybe I'm misunderstanding10:04
Chipacamvo: are you still using that log, or can i nuke it?10:04
mvoChipaca: nuke it10:04
mvozyga-ubuntu: thats a nice idea, use our own wrapper at least in the tests to understand things better10:05
zyga-ubuntuok, I'll get to it10:05
mvozyga-ubuntu: but same deal I think all followup work needs https://github.com/snapcore/snapd/pull/4814/commits/8c065f9f22547497ca0c925009fe1b448ea78045 first10:06
mupPR #4814: tests: fix re-exec profile generation in tests on classic (2.32) <Created by mvo5> <https://github.com/snapcore/snapd/pull/4814>10:06
mvo(so that the initial profile is ok)10:06
zyga-ubuntumvo: is this ok? https://github.com/snapcore/snapd/pull/482310:07
mupPR #4823: interfaces/apparmor: skip apparmor cache (2.32) <Blocked> <Created by zyga> <https://github.com/snapcore/snapd/pull/4823>10:07
mvozyga-ubuntu: yes, can't wait to see the result10:07
mvozyga-ubuntu: its also super annoying, spread failed, my local run is still going strong :(10:07
mvozyga-ubuntu: for 481410:08
zyga-ubuntuyeah, it's a day that keeps giving10:08
zyga-ubuntuSon_Goku: hey, I have a working F28 chroot now10:12
zyga-ubuntuthank you for that!10:12
mvozyga-ubuntu: hm, another problem is that we have ~8 workers, so ideally I would like to know what tests run on exactly the worker that failed. but spread does not give me this info, does it?10:14
zyga-ubuntuno, it does not10:14
zyga-ubuntuI wish it did10:14
zyga-ubuntua sequence of tests on the worker who failed10:14
mvozyga-ubuntu: yeah, in the travis run it fails after ~70 tests so with 8 works that is not that many that run on each worker10:15
zyga-ubuntumvo: I'll work on a wrapper for the cache10:16
zyga-ubuntujust a small prototype10:16
zyga-ubuntuto see where this goes10:16
mvook10:16
pedroniscan't we keep tab of the relevant raw_hash and see when it changes?10:19
zyga-ubuntupedronis: can you explain please?10:19
BjornT_mvo: hi! could you please rebuild and push base-18 to the store again, so that it gets the latest glibc?10:20
pedroniszyga-ubuntu:   /sys/kernel/security/apparmor/policy/profiles/usr.lib.snapd.snap-confine.17/raw_hash10:20
zyga-ubuntuyeah but that's the hash of the (assuming, I didn't check) blob that comes out of the compiler10:20
zyga-ubuntuhow does that help with the parser?10:20
mvoBjornT_: started a build now10:21
mvoBjornT_: https://code.launchpad.net/~mvo/+snap/base-18 <- sorry for the delay10:21
pedroniszyga-ubuntu: I assume the parser is deterministic?10:21
* zyga-ubuntu knocks on wood10:21
zyga-ubuntuI hope so10:21
pedronisso we can track the values of that and when it changes10:21
zyga-ubuntuhold on10:21
zyga-ubuntuwhen what changes?10:21
pedronisor also try hold of what we expect to be sane10:21
zyga-ubuntuis the idea designed to optimise the cache or to do something else?10:22
pedroniszyga-ubuntu: when we load the profile for real  and the profile is different that should change no?10:22
mvopedronis: yeah, we can store the value when the suite starts and fail if the fails, then we can narrow down what test breaks it10:22
pedroniszyga-ubuntu: to understand if we have loaded what we expect10:22
zyga-ubuntupedronis: yes, I agree10:22
BjornT_mvo: thanks10:22
mvofail if the value changes10:22
mvosorry10:22
zyga-ubuntu(this assumes we understand what that value is)10:23
zyga-ubuntuthere are more hashes there10:23
zyga-ubuntuI don't know what they do10:23
zyga-ubuntu(yet)10:23
* zyga-ubuntu is experimenting 10:23
pedronismvo: something like that, to make this a bit tractable10:23
zyga-ubuntupedronis: for debugging yeah10:23
pedronisyes, for debugging10:23
zyga-ubuntuthough it's not super clear how to map that, the profiles are loaded into subsequent slots10:23
zyga-ubuntuand each loaded profile is really a set of profiles10:24
zyga-ubuntubut I think we can come up with something10:24
zyga-ubuntuI have an idea10:25
zyga-ubuntuthat we can use to make the cache reliable10:25
zyga-ubuntuit's essentially the same problem as ccache10:25
zyga-ubunturesolve all imports, use some hash of the full text as key10:26
zyga-ubuntucompile the pre-processed text10:26
zyga-ubuntuand store that in the cache under that key10:26
zyga-ubuntuthat's it10:26
zyga-ubuntuccache for apprmor10:26
pedroniszyga-ubuntu: afaiu   raw_hash  is the sha1sum of raw_data10:26
mupPR snapd#4824 opened: tests: fix re-exec profile generation in tests on classic <Created by mvo5> <https://github.com/snapcore/snapd/pull/4824>10:28
zyga-ubuntumvo: can you vote on 482110:29
zyga-ubuntuI can make it a stub if that's what you want10:29
pedroniszyga-ubuntu: mvo: piece of good news  afaict  (here) : apparmor_parser -S  of the snap_confine profile  |sha1sum produces the same value as raw_hash10:31
mvozyga-ubuntu: I'm a bit on the fence, if there is a use case for it, then lets keep it, otherwise I would say make it a stub (YAGNI and all that)10:31
zyga-ubuntugood10:31
mvopedronis: \o/10:31
zyga-ubuntumvo: I can make it a stub10:31
zyga-ubuntumvo: I need it for real stuff after that10:32
pedronismvo: zyga-ubuntu: I mean this:   https://pastebin.ubuntu.com/p/4XGYSmk8zt/10:33
mvozyga-ubuntu: ok, if a stub is enough lets do that (if you don't mind)10:33
zyga-ubuntuyes10:33
zyga-ubuntuthat's fine10:33
mborzeckiwhy do we enable the services first and the do a daemon-reload?10:33
zyga-ubuntuI'll finish the parser wrapper and do it in a moment10:33
zyga-ubuntumborzecki: huh?10:33
zyga-ubuntuthat's odd10:33
mborzeckihttps://github.com/snapcore/snapd/blob/master/wrappers/services.go#L244 runs before daemon-reload10:34
pedronismvo: saw I think we could compute the hash in prepare somewhere and fail when it changes (and decide when is expected and what we need to do)10:34
pedroniss/saw/so/10:34
mupPR snapd#4825 opened: overlord/snapstate:  implement policy of holding refreshes for up to 6h since seeding on classic <Critical> <Created by pedronis> <https://github.com/snapcore/snapd/pull/4825>10:37
mvoBjornT_: core build failed with what looks like a snapcraft error:   if ElfFile.is_elf(path):10:39
mvo  File "/usr/lib/python3/dist-packages/snapcraft/internal/elf.py", line 152, in is_elf10:39
mvo    with open(path, 'rb') as bin_file:10:39
mvoOSError: [Errno 6] No such device or address: '/build/base-18/prime/dev/tty'10:39
mvosergiusens: -^10:39
mupPR snapd#4826 opened: wrappers: services which are socket or timer activated should not be started during boot <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/4826>10:41
mvozyga-ubuntu: and no build slots right now, a bit frustrating10:42
zyga-ubuntuI have a wrapper10:42
zyga-ubuntuman10:42
mborzeckimvo: sorry, feel free to cancel the job for my PR, i'll restart it later10:43
BjornT_mvo: ah. we saw those errors when building locally. i think it's fixed already in snapcraft master, though.10:44
mvomborzecki: no worries, I think cacneling will not even help10:48
mvoBjornT_: aha, ok10:48
mvoBjornT_: thank you!10:48
mborzeckizyga-ubuntu: https://forum.snapcraft.io/t/race-condition-between-snapd-and-nm-when-providing-permissions/4451 serial devices go though device cgroups too right?10:49
zyga-ubuntuyes10:49
zyga-ubuntumvo: can you please look at https://github.com/snapcore/snapd/pull/482710:51
mupPR #4827: cmd/snap-apparmor-parser: add a prototype apparmor parser <Created by zyga> <https://github.com/snapcore/snapd/pull/4827>10:51
zyga-ubuntuI will replace the real stuff with this now, ok?10:51
zyga-ubuntuand we can implement the cache in a real language next10:51
mupPR snapd#4827 opened: cmd/snap-apparmor-parser: add a prototype apparmor parser <Created by zyga> <https://github.com/snapcore/snapd/pull/4827>10:51
* Chipaca goes for a walk10:52
mvozyga-ubuntu: looks good but I think we first need to figure out if that fixes our issues before replace the real thing (i.e. one step at a time :)11:02
zyga-ubuntumvo: hold on, how do we know that if we replace the real thing11:03
zyga-ubuntuI meant to write it and use it to see if this makes anything better11:04
zyga-ubuntuwe don't have to merge it11:04
zyga-ubuntus/if we replace the real thing/if we *don't* replace the real thing/11:04
pedronisdo we even know what is broken?11:05
zyga-ubuntupedronis: mvo ran a test where the profile on disk was ok, in memory was bad, running the parser did nothing unless a trivial whitespace change was introduced11:05
zyga-ubuntuthis hints at a bug in the cache11:05
zyga-ubuntuwhich is based solely on mtime11:05
pedroniswell, it would be good to have a reproducer then11:05
pedronisto submit a bug11:05
pedronisit also sounds very bad11:06
zyga-ubuntuupstream knows about this bug11:06
zyga-ubuntuwe had this conversation a few times now11:06
Son_Gokuzyga-ubuntu, \o/11:06
pedronisis the mtime a problem for us in general or because the tests do strange things?11:06
mvopedronis: I think our tests make the story more complicated11:07
mvopedronis: and +100 for a reliable reproducer11:07
zyga-ubuntuyeah, but I want to say that pedronis is right we don't have a single, well defined problem11:08
zyga-ubuntuwe had a problem with edge version11:08
zyga-ubuntuhow "went away" (not really fixed)11:08
zyga-ubuntuwe definitely have a problem with mtime and cache but it is unclear why11:08
zyga-ubuntuand we may have more problems we don't know about yet11:08
pedronisI still think that adding logic to the tests that check what we expect to be loaded11:08
zyga-ubuntuthe wrapper is meant to make the mtime problem void11:08
mvopedronis: so what I ran into was that I got a denial from "canonical-livepatch status" about it being not able to run snap-device-helper. then I tried appamror_parser -r which did not help, then a whitespace change in the profile and then apparmor_parser -r and things were ok11:08
pedronisvs what is laoded match would halep11:08
pedronishelp11:08
mvopedronis: unfortunately super hard to get into the right (i.e. broken) state11:08
zyga-ubuntumvo: I pushed the stub MATCH11:09
zyga-ubuntuand I'll merge when green11:09
pedronisanyway if it's naively mtime based11:09
zyga-ubuntubut first, I need to take a break and take the dog for a walk11:09
pedronisproblem should occur only if we go back in time11:09
mvozyga-ubuntu: ok11:09
pedronisI suppose our revert might not work11:09
pedronisanyway we could test this stuff out11:09
mvopedronis: I have not looked in ages how it works, it used to be mtime based and the pattern I saw indicates it but I did not double check11:10
cachiomvo, hey, I didn't see any error reported in the forum on candidate11:10
Chipacazyga-ubuntu: good idea wrt making the stub MATCH dummy11:10
cachiomvo, may I promote to stable?11:10
Chipacazyga-ubuntu: if you visit that file again, maybe make it echo to stderr instead of stdout11:10
pedronismvo: ok,  as I said I just fear that fixing things before understanding them will just add to the confusion11:10
mvocachio: yay, then I would say lets just give a quick heads up in the store channel11:10
mvocachio: and go11:10
pedronisof which it seems we have plenty11:10
mvopedronis: yeah11:10
cachiomvo, sure11:10
mvopedronis: not disagreeing at all11:11
Chipacabrb, changing machines around11:11
mvopedronis: we found one thing that is broken11:11
mvopedronis: but there is more lurking, I added a crude hash compare now to one of my test PRs11:12
mvopedronis: essentially what you suggested, maybe that gives us a clue11:12
mvopedronis: it hooks into restore so hopefully it gives us a hint what test is changing things11:12
pedronismvo: -k seems also interesting for debugging11:13
mvopedronis: indeed11:15
pedronisanyway the man page is quite explicit about it being time based11:18
pedronisfwiw11:18
* mvo nods11:18
Chipacamvo: zyga-ubuntu: any problem about merging things to master right now? (finally got green..)11:32
cachiomvo, well, core promoted to stable11:33
Chipacaniemeyer: it seems you changed spread to only build with a go newer than 1.6 and it's breaking autopackagetest11:33
Chipacaniemeyer: “go get -u github.com/snapcore/spread/cmd/spread” spits out “package context: unrecognized import path "context" (import path does not begin with hostname)” with 1.6 now11:34
zyga-ubuntuChipaca: still Alf11:40
zyga-ubuntuAfk11:40
zyga-ubuntuBut I think it is ok11:41
Chipacazyga-ubuntu: https://i.imgur.com/ZTNhK7W.png11:41
zyga-ubuntulol11:42
zyga-ubuntuAlf says “let’s eat this cat”11:42
mvocachio: thanks11:43
mvoChipaca: should be fine11:43
Chipacaack11:44
mupPR snapd#4820 closed: cmd/snap: use timeutil.Human to show times in `snap refresh --time` <Created by chipaca> <Merged by chipaca> <https://github.com/snapcore/snapd/pull/4820>11:44
cachiomvo, niemeyer I'll be few minutes late today in the standup11:45
* cachio afk11:45
zyga-ubunture11:56
zyga-ubuntuChipaca: can you please look at https://api.travis-ci.org/v3/job/352784798/log.txt11:58
zyga-ubuntuit looks like logger unit tests panicked11:59
Chipacaahahaha11:59
Chipacazyga-ubuntu: yes i can look11:59
zyga-ubuntuah11:59
zyga-ubuntusorry, not logger11:59
zyga-ubuntuosutil11:59
zyga-ubuntuRunWithContext11:59
zyga-ubuntuhmm hmm11:59
Chipacazyga-ubuntu: timeout12:00
Chipacazyga-ubuntu: that's a timeout12:00
Chipacazyga-ubuntu: *** Test killed with quit: ran too long (10m0s).12:00
mupPR snapd#4788 closed: packaging/fedora: Merge changes from Fedora Dist-Git plus trivial fix <Created by Conan-Kudo> <Merged by bboozzoo> <https://github.com/snapcore/snapd/pull/4788>12:00
zyga-ubuntuChipaca: real bug or shall I restart12:01
* zyga-ubuntu tries to figure out what the test is12:01
zyga-ubuntuTestRunRace?12:01
Chipacazyga-ubuntu: yes12:04
* zyga-ubuntu asks the wrong precise questions12:04
Chipacazyga-ubuntu: this shouldn't happen, but if it happens again let me know; there should be a way to make it exponentially less likely to happen12:04
ChipacaI thought this was less-likely-enough :-)12:04
zyga-ubuntucan you explain what went wrong here?12:05
zyga-ubuntuwe called RunWithContext12:05
Chipacazyga-ubuntu: it times how long it takes /bin/false to run12:05
Chipacazyga-ubuntu: then it calls /bin/false in a loop with a timeout of exactly that time12:05
Chipacazyga-ubuntu: it _should_ fail to finish, at least once, after a little bit12:06
Chipacazyga-ubuntu: and it also _should_ be able to succeed, at least once, after a little bit12:06
zyga-ubuntuso how come it did not? after 10 minutes12:06
Chipacazyga-ubuntu: it was really (un)lucky the first time12:06
Chipacazyga-ubuntu: or the vm got clamped as soon as it got into a tight loop12:06
zyga-ubuntuI see12:06
zyga-ubuntuok, I'll reboot12:07
Chipacaso an easy way would be12:07
Chipacaif it happens even one more time12:07
Chipacato do two things in each loop: once with dt/2, once with 2*dt12:07
Chipacaif that still sometimes hiccups, change it to 4, etc :-)12:07
Chipacazyga-ubuntu: that test is meant to have some surety around it not failing if the deadline happens at just the same time the command finishes though, which is why it's written as it is12:09
Chipaca(that's why the only thing it reports as an error is an unexpected error)12:10
Chipacathe more i try to work on 18.04, the less productive it feels and the more i stick with 16.04 :-(12:11
Chipacacan no longer alt-space x to maximize a window, for example12:11
* Chipaca working in the 18 live cd12:12
zyga-ubuntuChipaca: how is it? I heard that snapd doesn't work but it was on old build12:13
Chipacazyga-ubuntu: snapd works12:14
Chipacazyga-ubuntu: snaps don't :-)12:14
zyga-ubuntuChipaca: SHIP IT ;-)12:14
Chipacazyga-ubuntu: yesterday I was getting the thing about snap-confine escalation yadda yadda12:14
zyga-ubuntuon the same ISO?12:15
Chipacatoday i'm getting 'cannot create lock directory'12:15
zyga-ubuntuChipaca: do you get an apparmor denial?12:15
Chipacazyga-ubuntu: http://cdimage.ubuntu.com/daily-live/20180313/ vs http://cdimage.ubuntu.com/daily-live/20180312/12:15
zyga-ubuntuare you getting a denial on /run/snapd/ns/ stuff?12:15
zyga-ubuntuaha12:15
zyga-ubuntuso daily12:15
mvoChipaca: oh, you are working on the script? how nice12:16
Chipacazyga-ubuntu: [ 2114.200898] audit: type=1400 audit(1520943269.861:58): apparmor="DENIED" operation="open" profile="/snap/core/4206/usr/lib/snapd/snap-confine" name="/upper/" pid=4392 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=0 ouid=012:19
Chipacamvo: trying to12:19
zyga-ubuntuChipaca: that's interesting12:19
Chipacamvo: I'm going to have to rebuild it at some point, do you know if there's an easy way of doing that?12:19
zyga-ubuntuChipaca: can you look at /var/lib/snapd/apparmor/snap-confine12:19
zyga-ubuntuand can you please paste system-eky12:19
zyga-ubuntu*key12:19
zyga-ubuntuChipaca: unsquash, dpkg --extract12:20
zyga-ubuntuChipaca: _probably)12:20
Chipacazyga-ubuntu: which system key?12:21
zyga-ubuntuChipaca: in /var/lib/snapd/system-key12:21
Chipacazyga-ubuntu:  /var/lib/snapd/apparmor/snap-confine is empty12:21
zyga-ubuntuChipaca: that's expected given the symptom12:21
zyga-ubuntuit says that there's no overlay workaround in place12:22
Chipacazyga-ubuntu: /var/lib/snapd/system-key does not exist12:22
zyga-ubuntuif it's also not in the system-key then either you have an old snapdo12:22
zyga-ubuntuor the logic is broken12:22
* zyga-ubuntu looks12:22
Chipaca2.31.212:22
zyga-ubuntuthat's too old :/12:22
zyga-ubuntuyou need master or 2.3212:22
ChipacaI wasn't expecting it to work given just yesterday you were saying it was only fixed on master12:22
zyga-ubuntuI wonder why there's no system-key though12:22
zyga-ubuntu2.31 should have it12:22
* Chipaca takes a break from 18.04 and looks at lunch12:27
zyga-ubuntulunch sounds nice12:27
zyga-ubuntuI'm preparing a prototype of snapd-side apparmor cache12:27
Chipacazyga-ubuntu: cuban black beans sounds a'ight today, with it being dull outside12:28
Chipacapedronis: if you have a bit of time I could use a look at #4790 (which purports to fix #1750527)12:29
mupPR #4790: jsonutil/puritan: introducing puritan.String & etc <Created by chipaca> <https://github.com/snapcore/snapd/pull/4790>12:29
mupPR snapd#4828 opened: many: support holding refreshes by setting refresh.hold (2.32) <Created by pedronis> <https://github.com/snapcore/snapd/pull/4828>12:32
pedronismvo: I made the backport ^   needs to go together with #4825 (once landed in master)12:33
mupPR #4825: overlord/snapstate:  implement policy of holding refreshes for up to 6h since seeding on classic <Critical> <Created by pedronis> <https://github.com/snapcore/snapd/pull/4825>12:33
mborzeckiChipaca: do you recall if `snap pack --check-skeleton` was to run ValidateContainer too?12:33
Chipacamborzecki: the way we talked about it I imagined ValidateContainer growing a no-fail-on-missing mode12:33
Chipacamborzecki: (or equivalently checking for and ignoring snap.ErrMissingPath when calling ValidateContainer from --check-skellie)12:35
Chipacamborzecki: it'll still _log_ the error though (not sure if that's a pro or a con)12:36
mborzeckiChipaca: ok, i like the error checking approach better ;)12:36
pedronisChipaca: I'll try to look at 4790 later today,    4825 from me also needs a review12:37
Chipacapedronis: thanks12:37
ChipacaI'm grabbing lunch now, will look at it after12:37
mupPR snapd#4829 opened: store: Sections and WriteCatalogs need to strictly send device auth only if the device has a custom store <Created by pedronis> <https://github.com/snapcore/snapd/pull/4829>12:43
zyga-ubuntumvo: hey, +1 to merge 4821 now?12:46
* zyga-ubuntu finishes lunch12:47
mvozyga-ubuntu: sounds good13:00
mupPR snapd#4821 closed: tests: define MATCH from spread <Created by zyga> <Merged by zyga> <https://github.com/snapcore/snapd/pull/4821>13:01
zyga-ubuntumvo: interesting, on a 2.32 branch that passed --skip-cache to apparmor_parser I got the denial again13:29
zyga-ubuntuand this PR includes your patch for re-exec profile g eneration13:29
zyga-ubuntuI will look at apprmor_parser now13:29
zyga-ubuntumaybe it ignores that flag13:29
zyga-ubuntuthis is https://github.com/snapcore/snapd/pull/482313:29
mupPR #4823: interfaces/apparmor: skip apparmor cache (2.32) <Blocked> <Created by zyga> <https://github.com/snapcore/snapd/pull/4823>13:29
tyhicksit definitely doesn't ignore the --skip-cache flag13:30
zyga-ubuntutyhicks: hey13:31
zyga-ubuntuso something else is broken13:31
tyhicksI use --skip-cache regularly and I also know that there's quite a bit of test coverage for that in parser/tst/caching.py13:31
zyga-ubuntutyhicks: I'll try the snapd-side-cache prototype next13:31
tyhickshey zyga-ubuntu :)13:31
zyga-ubuntuthank you for confirming that13:31
zyga-ubuntutyhicks: I wrote https://github.com/snapcore/snapd/pull/4827 as a shoot-in-the-dark (ish) on the issues we are seeing13:32
mupPR #4827: cmd/snap-apparmor-parser: add a prototype apparmor parser <Blocked> <Created by zyga> <https://github.com/snapcore/snapd/pull/4827>13:32
tyhickszyga-ubuntu: is there a short writeup on the issues you're seeing?13:32
tyhicks(I need to finish publishing a security update before I get too involved here)13:33
zyga-ubuntutyhicks: we see an apparmor denial on snap-confine, the rest is hazy but in one case we confirmed that calling apparmor_parser --replace did _not_ fix the issue without making a no-op whitespace change.13:33
zyga-ubuntutyhicks: it's probably an error related to just our testing process but it's keeping a few people busy as tests are broken.13:34
tyhickszyga-ubuntu: have you been able to reproduce the issue manually, outside of your testing process, or are you stuck having to tickle the issue via the testing process?13:37
zyga-ubuntuit's inside the testing process13:37
zyga-ubuntuand it's not super reliable to reproduce because one factor changed13:38
zyga-ubuntuwe'll try to restore that factor so that we can really understand and nail the issue13:38
zyga-ubuntuif we nail the issue I'll tell you what it was for sure13:38
tyhicksok, let me know if I can answer any questions or help wade through apparmor_parser code13:40
zyga-ubuntuthank you13:40
mvozyga-ubuntu: does http://paste.ubuntu.com/p/4TcqxcRdgh/ ring a bell?13:58
zyga-ubuntuyes13:59
mvozyga-ubuntu: I see this on 14.04 and the profile does not allow running update-ns from core snap13:59
zyga-ubuntuit looks like we are in the system where we try to run snap-update-ns without profile transition13:59
zyga-ubuntudo you have a debug shell?13:59
zyga-ubuntucan you look at the profile for snap-confine from core14:00
zyga-ubuntuwhat's at the bottom?14:00
mvozyga-ubuntu: I am14:00
zyga-ubuntuis is the rule -> snap-update-ns.*14:00
zyga-ubuntuit looks like this thing we had on Thursday14:00
zyga-ubunturight?14:00
mvozyga-ubuntu: http://paste.ubuntu.com/p/B2fXb62yy4/14:00
zyga-ubuntuwe didn't get to the bottom of that problem14:01
zyga-ubuntuthis is the wrong profile :(14:01
zyga-ubuntu    /var/lib/snapd/hostfs/usr/lib{,exec,64}/snapd/snap-update-ns Cxr -> snap_update_ns,14:01
zyga-ubuntuthis is the old code, we changed that in 2.32 and master now14:01
zyga-ubuntucan you look at the profile in the core snap14:02
zyga-ubuntuis it the same?14:02
zyga-ubuntumvo: to be clear, I'm saying this looks like a 2.31 profile14:02
dan_it__hi all, I need some help with snapcraft, not sure if this is the right channel14:09
dan_it__is there anyone online?14:10
=== pstolowski is now known as pstolowski|afk
Chipacadan_it__: yesish14:17
mborzeckii'm off to pick up the kids14:18
Chipacadan_it__: things are a little hectic today14:18
mupPR snapd#4830 opened: many: generate and use per-snap snap-update-ns profile (2.32) <Created by zyga> <https://github.com/snapcore/snapd/pull/4830>14:28
zyga-ubuntuthat's the backport14:28
zyga-ubuntuI'll work on layout fixes noww14:28
mvozyga-ubuntu: ta14:32
niemeyerdan_it__: The forum is always a good place.. lots of eyes, and async so people respond as soon as they can14:34
niemeyerChipaca: hangout?14:34
Chipacaomw14:34
Chipacaniemeyer: standup one?14:34
niemeyerYeah14:34
MuraveyHi14:44
zyga-ubuntucoffee14:44
MuraveyWhat variables are available in snapcraft.yaml14:45
Muravey?14:45
MuraveyAnd how to install fonts into package?14:46
zyga-ubuntuMuravey: we have a very very busy week, can you please look at the forum, there are (probably) people with the same desires as you now14:51
zyga-ubuntuMuravey: you can also open a new topic and ask your questions there14:51
Muraveyzyga-ubuntu: ok..sorry14:53
zyga-ubuntuMuravey: no worries, it's not your fault we're busy today, just ask your questions there as there are more than just the snapd and snapcraft teams participating there14:53
zyga-ubuntuthe whole snapcraft community is there14:53
zyga-ubuntumaking and using snaps14:53
zyga-ubuntuit's the best place to talk14:53
zyga-ubuntumvo: 4830 is green now15:16
zyga-ubuntumvo: or, green from 1st try15:16
mvozyga-ubuntu: green on first run? woah15:19
zyga-ubuntuit's magic15:19
zyga-ubuntualso15:19
zyga-ubuntuit never uses stale profiles15:19
zyga-ubuntuactually, it would still use stale profile for the transition15:20
mvozyga-ubuntu: does it keep changing what is loaded? it must do something different15:20
zyga-ubuntuit does change things but it would still be affected by a stale profile15:20
zyga-ubuntubecause it cannot do a transition without confinement permission15:22
mvozyga-ubuntu: then maybe it was a lucky PR15:25
mvozyga-ubuntu: still strange15:25
zyga-ubuntumaybe15:25
zyga-ubuntuI suspect there's something to it though15:26
mvoyeah I think so too15:26
mvozyga-ubuntu: maybe it is because now edge and 2.32 are close?15:26
zyga-ubuntushall we land it?15:26
mvozyga-ubuntu: no15:26
mvozyga-ubuntu: please not15:26
zyga-ubuntuyes, I suspect something like that15:26
zyga-ubuntuok15:26
mvozyga-ubuntu: lets wait a wee bit, I guess we could land it and then use 2.31 as the testcase15:27
zyga-ubuntu2.31 as a test case? what do you mean?15:28
mvozyga-ubuntu: running release/2.31 with the edge core should also show the bug15:29
zyga-ubuntuinteresting15:29
zyga-ubuntudoes it?15:29
mvozyga-ubuntu: i.e. we probably don't need 2.32 for this15:29
mvozyga-ubuntu: I have not tried yet :) but I would be surprised if not15:30
zyga-ubuntucareful what you wish for :)15:30
mvozyga-ubuntu: haha15:30
zyga-ubuntuoh man15:30
zyga-ubuntu16:3015:30
mvozyga-ubuntu: well, if the bug shows itself for core snap-confine profile != our snap-confine profile15:30
zyga-ubuntuand I forgot about the coffee15:30
mvozyga-ubuntu: then…15:30
zyga-ubuntuyes15:30
mvozyga-ubuntu: heh, go for it!15:30
zyga-ubuntuit will be a second15:30
mvozyga-ubuntu: no worries - fwiw, test-classic-firstboot is another one of the tests that will use a unmodified core and install it. all these tests will trigger the issue I bet. /me tries15:32
zyga-ubuntumvo: keep me posted, I'm curious15:35
mvozyga-ubuntu: trying this now, hopefully its a minimal testcase15:36
mvozyga-ubuntu: aha, maybe 2.31 is not enough - we need the system-key to trigger the bug I think15:38
* mvo tries that too15:38
mupIssue snapcraft#2001 opened: node-engine does not support NodeJS 8.X.X <Created by arkuhn> <https://github.com/snapcore/snapcraft/issue/2001>15:43
sergiusensmvo: that's fixed on edge, the 2.40 release will be this week which fixes that15:45
zyga-ubuntuhey sergiusens how are you15:45
mvosergiusens: cool, thank you15:45
zyga-ubuntudid you get home safely and without surprises?15:45
sergiusenszyga-ubuntu: doing well. I am home, no further surprises or incidents15:46
Chipacaniemeyer: what does 'spread -list' do, to take 2s to print out the list?15:58
* Chipaca is too lazy to go look15:58
Chipacaniemeyer: if that could take an order of magnitude less, I'd write a tab-completer for it :-)15:59
niemeyerChipaca: Generates the full matrix of tests, which includes reading and parsing everything15:59
mvo$GOPATH/bin/spread -v qemu:ubuntu-14.04-64:tests/main/classic-firstboot qemu:ubuntu-14.04-64:tests/main/interfaces-broadcom-asic-control16:09
mvozyga-ubuntu: -^16:10
mvozyga-ubuntu: that works for me to reproduce, I'm testing on 16.04 now, also 4814 seems to be good now16:10
mvozyga-ubuntu: slightly heavy handed though16:11
Chipacamvo: completely left-field question: is there a way to tell apt to not use /var/cache/apt/archives?16:16
mvocachio: yes, run "sudo apt install foo -o dir::cache=/tmp/my-cache16:18
cachiomvo, it was for Chipaca perhaps16:19
mvoChipaca: you may need to create archives/partial in there16:19
mvocachio: ups16:19
mvoChipaca: -^16:19
Chipacaheh16:19
Chipacamvo: gotcha16:19
mvoChipaca: why?16:19
Chipacamvo: chatting with a guy just now and they were talking about how they have a load of space wasted in their vms because of that dir16:20
Chipacamvo: an always-do-apt-clean would probably also work16:20
mvoChipaca: yes16:21
mvoChipaca: also unattended-upgrades cleans properly after itself16:21
Chipacamvo: is there a way to do the latter? :-)16:21
mvoChipaca: not right now it seems, would be very easy to have a "apt::tidy=1" option that does that automatically16:23
mvoChipaca: in fact, "ulink" right after the deb was installed sounds prudent16:23
Chipacamvo: thanks16:25
mvoChipaca: sounds like a fun evening patch, please remind me, I think it will be a good way to forget this apparmor profile drama I'm in right now16:26
* Chipaca hugs mvo16:26
popeyhi fireclawTheFox , hows the snap coming along?16:29
fireclawTheFoxHey popey, haven't done much yesterday and just came back from work. But yeah so far it looks good everything works. Just need to see if I can lower the size again, I think it got a few things that doesn't need to ship.16:31
popeyooh, we have done some of that optimisation in other snaps16:32
zyga-ubuntumvo: re (dog), so does it mean you still see the issue but now have a better way of reproducing it?16:32
Chipacazyga-ubuntu: mvo: FWIW my new laptop is nvidia (prime, so it has an intel mode as well), running 16.04, if you ever need to test something there (not 18 because lots of oem stuff)16:33
zyga-ubuntu!!!16:33
zyga-ubuntuwooot16:33
zyga-ubuntuperfect16:33
zyga-ubuntufirst step16:33
zyga-ubuntuupdate to 18.04 :D16:33
zyga-ubuntujust kidding16:33
Chipacazyga-ubuntu: i would, but even if i didn't hate it, i'd still not have some of the hardware16:33
zyga-ubuntubut some 2nd disk (usb is fine) to boot into 18.04 once in a while would help16:33
Chipacaah, that i could do16:34
zyga-ubuntuChipaca: I think you can reproduce the GLVND issue easily then16:34
zyga-ubuntuChipaca: and you could beta-test fixes16:34
Chipacai had to choose between a second disk and more battery (and i chose battery of course)16:34
zyga-ubuntunah, I mean external disk16:34
zyga-ubuntueven a usb thumb drive16:34
zyga-ubuntujust for testing at home16:34
zyga-ubuntuno need to affect your daily experience16:34
Chipaca:+1:16:34
zyga-ubuntuyou can install on it, if you are careful that is (don't overwrite your boot records)16:35
zyga-ubuntuare you on the nvidia driver now?16:35
Chipacayes16:35
zyga-ubuntuand if so, which version is it?16:35
zyga-ubuntudoes Minecraft snap work?16:35
popeyfireclawTheFox: I find doing "ncdu /snap/<snapname>/current" is a good way to see what's taking up space in the snap16:35
Chipacazyga-ubuntu: 384.11116:35
fireclawTheFoxpopey: ah, thanks will try.16:36
zyga-ubuntuChipaca: that's good, I think you are the missing link :-)16:36
zyga-ubuntuChipaca: I wish you had this machine last week, I'd love to see it :)16:36
Chipacaminecraft snap installing16:36
popey\o/16:36
Chipacazyga-ubuntu: it arrived at 11am on the monday16:36
zyga-ubuntuChipaca: murphy strikes16:36
Chipacazyga-ubuntu: i sat all through the sprint knowing this was waiting for me on my bed16:36
fireclawTheFoxpopey: Well, basically I shouldn't need much to add aside of the things that are packed by the engine. I think I just needed some libs like pulse, and xlib stuff.16:36
Chipacai had the jitters16:36
zyga-ubuntuChipaca: do you own a copy of Minecraft?16:37
zyga-ubuntu(disclaimer: it's a fantastic procrastination helper)16:37
Chipacazyga-ubuntu: 316:37
zyga-ubuntureally?!16:37
Chipacazyga-ubuntu: i play with the boys16:38
zyga-ubuntunice! :)16:38
Chipacathe minecraft launcher works16:38
zyga-ubuntu(we also own three haha16:38
zyga-ubuntutry logging in and see if it works16:38
zyga-ubuntuon 16.04 it should be OK16:38
Chipacanow downloading minecraft itself16:38
zyga-ubuntuso 16.04 is the baseline16:38
Chipacayes it works16:38
zyga-ubuntuok, sometime this week it'd be great to try if Minecraft works with nvidia on 18.0416:39
zyga-ubuntudo you have a spare disk to install bionic on?16:39
Chipacazyga-ubuntu: pendrives, yes16:39
zyga-ubuntucool16:40
Chipacaactual disk, maybe? still usb though16:40
zyga-ubuntuI don't have a fix yet, I'll do one just after layouts (I need two days perhaps, for layouts)16:40
zyga-ubuntupen drives are fine16:40
Chipacazyga-ubuntu: also it'll be good to know if it works when in intel mode16:41
zyga-ubuntuI didn't even consider that16:41
Chipaca:-)16:41
zyga-ubuntuI don't know how the switching works16:41
Chipacai need to log out and back in, so not that magic16:41
Chipacait's not the old voodoo switch thing :-)16:42
mvozyga-ubuntu: I thought so but its random and now its no longer reproducible and its all horrible16:42
zyga-ubuntuaaaah16:42
zyga-ubuntuso crazy16:42
mvozyga-ubuntu: yes, I think I give up for today16:48
mvozyga-ubuntu: well, almost, one more run16:48
zyga-ubuntumvo: I'm working on something to finish this exercise of the day16:48
zyga-ubuntubut tomorrow I focus solely on symlink bug and on the writable leak bug16:48
zyga-ubuntuand nothing else16:48
zyga-ubuntuso :-)16:48
zyga-ubuntuunless you ask16:48
mvozyga-ubuntu: ok, on the layouts bug, right?16:49
pedronismvo: so there is still no  good reproducer?16:49
pedronisdid you ask for a way to use 2.31 as a baseline?16:49
zyga-ubuntuoh right, did that turn out anything?16:49
mvopedronis: I thought I had one (and it all made sense): classic-firstboot installs the real core, that will generate a snap.core.xxx.usr.lib.snapd.snap-confine profile from the "real" core snap (which is out-of-sync with the profile from the branch). that gets loaded into the kernel. now the interfaces-broadcom-asic-control test runs, that runs snap-confine with the wrong profile and boom. except it exploded once and then did not explode even thou16:51
mvogh the order is correct (i.e. first classic-firstboot test runs, then the interfaces test runs)16:51
mvopedronis: 2.31 has no system-key yet so we always re-generate profiles there so its hidden there16:51
pedronisso it was 2.31 but a old edge?16:52
zyga-ubuntumvo: I think we want the track/channel16:52
zyga-ubuntuand to put 2.31 there16:52
zyga-ubuntuand test against that16:52
mvopedronis: yeah, when we had 2.31 on edge briefly things were really wrong16:52
mvozyga-ubuntu: yeah, I think that is a good plan16:53
pedronisChipaca: I did a pass on that branch, is not super easy to review17:22
niemeyercachio: Any news on https://github.com/snapcore/snapd/pull/4778?17:22
mupPR #4778: tests: moving debian 9 from linode to google backend <Created by sergiocazzolato> <https://github.com/snapcore/snapd/pull/4778>17:22
niemeyercachio: 11 days old, conflicts17:23
Chipacapedronis: sorry...17:23
Chipacapedronis: if it's any consolation mborzecki futzed it and it was a'ight17:23
Chipaca(then i broke it, and he futzed it again and found the breakage, so i unbroke it)17:23
pedronisChipaca: it still feels a bit too fiddly17:24
Chipacapedronis: but also, thank you for the pass17:24
pedronisChipaca: I mean, I'm not looking forward about expanding this over more fields in the apis17:26
Chipacapedronis: in what sense?17:26
pedronisdo we need to use these things in other places?17:27
pedronisor is info the only source of things we print?17:27
pedronisit also feels like all the fields that are not freeform17:27
pedronisshould have specific validators and not this17:28
zyga-ubuntujjohansen: hey, I have a question about the kernel apparmor interface17:28
Chipacapedronis: agreed on the latter; on the former I'm still not sure what you mean: currently it's checking everything that comes from the store that doesn't have its own type17:29
Chipacapedronis: if you're asking whether we'd need to do this over the things we get from snap.yaml, I don't know17:29
zyga-ubuntujjohansen: under what circumstances would /sys/kernel/security/apparmor/policy/profiles/$something/raw_{abi,data,sha1} be broken links?17:29
zyga-ubuntuI see that on my system and don't understand the cause17:29
pedronisChipaca: no, we have other store apis17:30
pedronisdo they need the same treatment?17:30
pedronisit's a bit strange why we do this to urls for example17:30
Chipacapedronis: yes they'd need the same treatment (or equivalent) (and i just realised what you mean)17:31
pedronisI mean, this doesn't seem to scale to me17:31
pedroniswe need to decide to use it a bit less17:31
pedronisor rethink how to make it scale17:31
Chipacapedronis: how doesn't it scale?17:31
pedronisChipaca: we need a checker that we don't use string in our json17:32
pedronisor something17:32
Chipacaah17:32
ChipacaI can probably do that :-)17:32
Chipacayes17:32
pedronisis that sane though?17:32
pedronisI understand the fix data on input17:32
pedronisbut make all our json painful because we might print it17:33
pedronisis also strange17:33
Chipacapedronis: I think the alternative would be perhaps to have our own json decoder, but I'm not sure that's a movement towards origin on the sanity line17:33
Chipacapedronis: it seemed saner to clean everything than to answer, for each thing, 'is this going to be printed'17:34
Chipacathe latter seems a lot more bug-prone17:34
fireclawTheFoxpopey: do you maybe know if there's a way to automatically install snap-xdg-open with the snap or a way to not have to install it at all?17:35
popeyWhat's the problem you want to solve?17:35
pedronisChipaca: people have invented language level solutions for this kind of problems (tainting), so it's hard17:35
fireclawTheFoxopen a weblink from my application in a webbrowser17:37
Chipacapedronis: I'm aware17:37
pedronisChipaca: also afaiu, yes, we need the same for snap.yaml17:37
Chipacapedronis: sigh17:37
pedronisChipaca: I still think we might need to step back and rethink a bit the trade offs17:38
fireclawTheFoxpopey: currently doing this using subprocess.Popen(["xdg-open_", self.website]) as last time I tried webbrowser.open from python didn't work on snaps.17:39
popeyxdg-open should work AIUI17:39
pedronisChipaca: there are things that definitely don't come from the user17:39
pedronissha3_384, the download urls for example17:40
fireclawTheFoxyeah, xdg-open does work, but afaik only when the deb package snap-xdg-open is installed, right?17:41
zyga-ubuntufireclawTheFox: no, this is long gone now17:41
popeyi dont think that's needed anymore17:41
zyga-ubuntufireclawTheFox: the whole setup is now part of snapd17:41
fireclawTheFoxah ok, didn't know that17:41
pedronisChipaca: I mean, is there anything that is marked SimpleString that comes from the user? or doesn't have other validation?17:42
Chipacapedronis: there shouldn't be17:42
pedronisChipaca: do we need SimpleString?17:44
jjohansenzyga-ubuntu: uh it shouldn't ever be broken links17:44
zyga-ubuntuwanna see? :)17:44
zyga-ubuntuthis is on artful17:44
jjohansenunder newer kernels its moved to symlinks, but they shouldn't be broken17:44
pedronisChipaca: anyway  we can also start from the other end, what tooling we need to make sure we don't forget any string field? or we mark them somehow17:44
zyga-ubuntuhttps://usercontent.irccloud-cdn.com/file/oZ3RpjNO/Zrzut%20ekranu%202018-03-13%20o%2018.44.34.png17:44
jjohansenzyga-ubuntu: yes, if its broken it would be helpful to see how, so I can chase it down17:45
Chipacapedronis: I don't know; what I understood from jdstrand was that I needed to check _everything_17:45
zyga-ubuntuhttps://usercontent.irccloud-cdn.com/file/7ul07q75/Zrzut%20ekranu%202018-03-13%20o%2018.45.12.png17:45
zyga-ubuntujjohansen: I'm not quite sure how I got to this state17:45
zyga-ubuntuthis is on 4.13.0-36-generic17:45
pedronisChipaca: I don't know if you checked everything, I'm also not if we checked everything tomorrow17:45
zyga-ubuntujjohansen: I was just looking at my system17:45
Chipacapedronis: this does not check everything yet, no17:46
pedronisChipaca: I can add a string field, copy it, and nothing will fail17:46
Chipacapedronis: you're right about needing a static checker if we're taking this route17:46
zyga-ubuntujjohansen: I actually see plenty of broken links17:47
zyga-ubuntujjohansen: if you have any snaps, can you do a quick check17:47
zyga-ubuntujjohansen: maybe the way we remove loaded profiles is wrong17:47
zyga-ubuntuand something ends up staying behind17:47
Chipacapedronis: but if I understand correctly, your position is that this route might be wrong17:47
pedronisChipaca: it seems very fiddly and given that we need static checking, we might make lighter weight at that point17:48
pedronisChipaca: is the fear only things that can be printed?17:48
pedronisor was the worry something else17:48
pedronisChipaca: who is the attacker?17:48
pedronisthere's a lot of things that comes in and we print17:49
pedronisthere is also config17:49
pedronisstuff17:49
jjohansenzyga-ubuntu: no, there shouldn't be a way to remove profiles wrong, there is the potential for a race of sorts because the symlink doesn't have the same hard reference, but that isn't something you should be seeing17:49
zyga-ubuntufind /sys/kernel/security/apparmor/policy/profiles -type l -exec sh -c "file -b {} | grep -q ^broken" \; -print17:50
Chipacapedronis: what sort of lighter weight thing could it be?17:50
jjohansenzyga-ubuntu: the raw_data file should not be going away as long as that profile directory exists17:50
zyga-ubuntuthis reports a load of broken symlinks for me17:51
pedronisChipaca: we could have a white list of things that are store produced17:51
zyga-ubuntuChipaca: ^ can you run that and see if you get any output17:51
zyga-ubuntu(anyone with snaps on their system really)17:51
jjohansenso yeah there is a bug, I will have to hunt down17:51
pedronislike sha3_384 or the download urls17:51
pedronisand some other bits17:51
Chipacazyga-ubuntu: no output17:51
zyga-ubuntuChipaca: thank you17:51
zyga-ubuntuuptime?17:51
zyga-ubuntufor me I only see 3 hours17:51
Chipacazyga-ubuntu: i can try on other boxes; on this one:17:51
Chipaca 17:52:01 up 20:36,  1 user,  load average: 0.31, 0.24, 0.3517:52
zyga-ubuntuthansk17:52
zyga-ubuntumvo: ^ can you run the find command above17:52
zyga-ubuntupedronis: ^17:52
Chipacahmm17:52
Chipacazyga-ubuntu: i have a lot of output on my other box17:52
zyga-ubuntu(unless "broken" is localised)17:52
zyga-ubuntu!! thank you17:52
ubottuYou're welcome! But keep in mind I'm just a bot ;-)17:52
Chipaca 17:52:29 up 2 days, 21:14,  3 users,  load average: 0.18, 0.39, 0.2717:52
zyga-ubuntuChipaca: which kernel?17:52
zyga-ubuntujjohansen: where can I report this17:52
pedronisnothing here17:52
Chipaca4.13.0-36-generic on the one with lots of broken bts17:52
Chipaca4.4.0-116-generic on the one without17:53
zyga-ubuntuha17:53
zyga-ubuntuI have the same kernel as you then (the one with broken symlinks)17:53
zyga-ubuntumvo: ^ a _maybe_ problem related to what we are seeing17:53
pedronis 4.4.017:53
zyga-ubuntumborzecki, and you perhaps?17:54
pedronisChipaca: I'm happy to have a HO on Thu17:54
pedronisif we really need to do this for everything we really need a tool17:54
pedronisof sorts17:54
Chipacapedronis: to check, or to do?17:55
Chipacai'd be fine with writing a checker, seems not that much work17:55
pedronisChipaca: to check, but I would also understand if we really need SimpleString once we have a checker17:56
pedronisthe exact attack worries are still a bit unclear to me17:57
pedroniss/also/also like/17:57
Chipacapedronis: AIUI it's about decoupling things; we need it on the editable ones, but if it were already on everything we wouldn't have to worry about it at all so why not do it17:57
pedronisif it had no costs that would make sense17:58
pedronisbut is not cost free17:58
Chipacapedronis: do you mean in complexity?17:58
pedronisyes17:59
pedronisalso speed apparently17:59
pedronisyou had to make it fast17:59
pedronisto apply it everywhere17:59
Chipacayes, i worried about this impacting that, as these were potentially big fields18:00
pedronisanyway I should almost call it a day18:02
pedroniswe should chat again on Thu18:02
Chipaca(but maybe less than you might think, as the more arcane bits of this are from a de-escaper for terminal stuff i'm working on elsewhere)18:02
Chipacaok18:02
Chipacapedronis: you're off tomorrow?18:02
pedronisyes18:02
Chipacahmmm :-)18:02
Chipacapedronis: enjoy18:02
Chipacamaybe I should too18:02
Chipacamvo: you're taking friday off, right?18:02
pedronisChipaca: it's a bit unclear to me why anything but description and summary needs the heavy handed approach18:04
jjohansenzyga-ubuntu: if you want to file a bug against apparmor or even the ubuntu kernel in launchpad, and subscribe me, that would be the best place atm18:04
zyga-ubuntuthank you, I'll file one against artful kernel then18:04
zyga-ubuntujjohansen: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/175556318:12
mupBug #1755563: dangling symlinks to loaded apparmor policy <amd64> <apport-bug> <artful> <linux (Ubuntu):New> <https://launchpad.net/bugs/1755563>18:12
jjohansenthanks18:12
zyga-ubuntujjohansen: reproduced on bionic just now18:28
zyga-ubuntujjohansen: I updated all the packages and got this (not snaps!)18:29
zyga-ubuntu /sys/kernel/security/apparmor/policy/profiles/libreoffice-senddoc.17/raw_data18:29
zyga-ubuntuI updated the bug report18:30
jjohansenthanks18:32
zyga-ubuntuI cannot reproduce this by simply installing the deb again, tried downgrading and upgrading, nothing18:41
mupBug #1755568 opened: Snaps are refreshed on metered connection <Snappy:New> <https://launchpad.net/bugs/1755568>18:47
Chipacazyga-ubuntu: fwiw the one where i repro this is xenial18:57
zyga-ubuntuexcellent18:57
zyga-ubuntuI updated the bug18:58
zyga-ubuntujjohansen: it affects all supported kernels18:58
mupPR snapd#4810 closed: osutil: DropPrivs morphs an *exec.Cmd to drop privileges <Created by chipaca> <Closed by niemeyer> <https://github.com/snapcore/snapd/pull/4810>19:11
Chipacaheh19:11
Chipacathat's not what i call 'tentative' :-)19:11
Chipacaniemeyer: the driver for that PR is superseded by the hash cache, so, eh19:12
* Chipaca -> eol19:12
niemeyerIt's tentative, in that there's a "reopen" button..19:13
niemeyerDear hit-and-run chipaca..19:13
mupPR snapd#4831 opened: tests: force profile re-generation via system-key <Created by mvo5> <https://github.com/snapcore/snapd/pull/4831>19:24
mvo^- *might* be enough to workaround the profile issue19:25
mupPR snapd#4832 opened: tests: move fedora 27 to google backend <Created by sergiocazzolato> <https://github.com/snapcore/snapd/pull/4832>19:48
niemeyermvo: Nice19:54
mvoniemeyer: well, I was wrong for this particular bug before, so I will hold my breath until the tests pass :)19:55
Chipacaniemeyer: i didn't mean to hit-n-run! sorry20:05
Chipacai mean, i didn't mean it as a hit20:05
Chipacai definitely meant to run, because, dinner20:05
mupPR snapd#4833 opened: tests: add a detector for kernel bug https://pad.lv/1755563 <Created by zyga> <https://github.com/snapcore/snapd/pull/4833>20:06
Chipacaniemeyer: but the order in which i saw things was: your comment about "tentative -1", then mup said "closed" -- I didn't get to see the 'tentatively closing' comment until just now20:06
Chipacaso it was funny20:06
Chipaca(but also i agreed, because the driver for the pr was gone)20:07
* Chipaca handwaves more20:07
niemeyerChipaca: No worries :)20:09
niemeyerChipaca: Hope dinner was good20:09
Chipacaniemeyer: I am learning to make my mum's cheese roll20:12
Chipacaniemeyer: hell yeah it was good :-D20:12
niemeyerWow.. I'm instantly hungry now :)20:12
Chipacastill things to tweak but getting better20:12
mvoChipaca: to answer your earlier question - yes20:13
Chipacawooooo20:13
* mvo hugs Chipaca 20:13
Chipacamvo: wait, was that the "can i have a million euros" quesiton20:13
Chipacamvo: or was it the "are you taking friday off" question20:13
Chipacamvo: either way "woo!", but I need to prepare differently20:14
Chipacawith one of them there's going to be a massive party20:14
Chipacawith the other, i need a financial advisor20:14
zyga-ubuntudoes https://amdflaws.com/ mean we will not see the security team for the next few weeks?20:15
zyga-ubuntuor was jdstrand going on holidays just a kind way to say he's busy ;-)20:17
mupPR snapcraft#2002 opened: pluginhandler: add builtin functions to scriptlets <Created by kyrofa> <https://github.com/snapcore/snapcraft/pull/2002>20:18
Chipacanice that in writing code I find other code that was tested improperly and wasn't actually testing the thing and we weren't actually doing the thing we were testing for20:23
Chipaca/o\20:23
niemeyermvo: Quickie if you're still around: is #4814 still relevant given #4831?20:26
mupPR #4814: tests: fix re-exec profile generation in tests on classic (2.32) <Created by mvo5> <https://github.com/snapcore/snapd/pull/4814>20:26
mupPR #4831: tests: force profile re-generation via system-key <Created by mvo5> <https://github.com/snapcore/snapd/pull/4831>20:26
zyga-ubuntujjohansen: https://api.travis-ci.org/v3/job/353025489/log.txt and look for "kernel bug detected"20:34
zyga-ubuntuit looks like a race to me20:35
jjohansenzyga-ubuntu: hrmmm, okay I believe you, not that I didn't hours ago ;-)20:37
zyga-ubuntujjohansen: is there anything I can provide that would help you?20:38
jjohansenzyga-ubuntu: not atm, but maybe some testing when I get a patch togeth20:38
jjohansentogether20:38
cachioPharaoh_Atem, hey20:42
cachioalmost ready fedora 2720:42
cachioI just see errors on snaps connecting with dbud20:42
cachioPharaoh_Atem, any idea how to allow snaps connect through dbus?20:43
cachioPharaoh_Atem, this is an example https://api.travis-ci.org/v3/job/353017992/log.txt20:43
cachioPharaoh_Atem, the PR related is https://github.com/snapcore/snapd/pull/483220:44
mupPR #4832: tests: move fedora 27 to google backend <Created by sergiocazzolato> <https://github.com/snapcore/snapd/pull/4832>20:44
Pharaoh_Atemcachio: dbus between snaps should already be allowed20:47
Pharaoh_Atemah20:47
Pharaoh_Atemwe only allow dbus comms with polkit20:47
cachioPharaoh_Atem, I tested it and selinux is blocking that20:47
Pharaoh_Atemso we probably need a policy update to allow snaps to communicate with each other20:48
Pharaoh_Atemthough I'm not exactly sure how to do that...20:48
cachiowhat I see is that is not aloowed niether connection between snaps nor using dbus-send20:49
Pharaoh_Atemcachio: are you able to give me access to the machine that has the denials happening?20:49
cachioI need to trigger again the test, it will take 10 minutes20:49
cachioPharaoh_Atem, tests triggered20:50
Chipacaslangasek: ping21:03
slangasekChipaca: hi there21:03
Chipacaslangasek: hiya21:03
Pharaoh_Atemcachio: okay ;)21:04
mupPR snapd#4834 opened: snap/squashfs: when installing from seed, try symlink before cp <Created by chipaca> <https://github.com/snapcore/snapd/pull/4834>21:04
Chipacaslangasek: so today in the standup we came up with a better plan21:04
Chipacaslangasek: ^ that pr is the first (and probably more important) half of it :-D21:04
Chipacaslangasek: (this is about first boot from livecd being slow)21:04
Chipacaslangasek: second half is doing the hash check only once, which will speed things up; that'll be a bit more code, but the whole thing ended up being a lot more straightforward than we feared21:05
slangasekah, symlink, not hardlink?21:05
Chipacaslangasek: yup21:06
slangasekseems more portable from my side, if it meets all your requirements on the snapd side21:06
Chipacaslangasek: we don't typically do that because we don't control the source (this codepath is used when sideloading for ex), but in the seed case we do21:06
Chipacaslangasek: yep, much happier with it21:06
slangasekChipaca: excellent. will we need any changes on the image mastering side to integrate this?21:07
slangasekor will it be transparent to us?21:07
Chipacaslangasek: it should be entirely transparent21:07
slangasekwfm21:08
Chipacaniemeyer: ping21:16
mupPR snapcraft#2000 closed: elf: remove dead code <bug> <Created by sergiusens> <Merged by sergiusens> <https://github.com/snapcore/snapcraft/pull/2000>21:28
Chipacaniemeyer: before I forget: the ping was about going over a rewrite of the login help with you before pushing it21:33
Chipacaniemeyer: also ping about quoting :-)21:35
mupPR snapd#4814 closed: tests: fix re-exec profile generation in tests on classic (2.32) <Created by mvo5> <Closed by mvo5> <https://github.com/snapcore/snapd/pull/4814>21:56
mvoChipaca: thanks for the PR!21:57
mvoniemeyer: I closed 4814 and will close all related ones, 4831 is hopefully enough21:58
mupPR snapd#4824 closed: tests: fix re-exec profile generation in tests on classic <Created by mvo5> <Closed by mvo5> <https://github.com/snapcore/snapd/pull/4824>21:58
mupPR snapd#4822 closed: interfaces/apparmor: skip apparmor cache <Blocked> <Created by zyga> <Closed by mvo5> <https://github.com/snapcore/snapd/pull/4822>22:00
mupPR snapd#4823 closed: interfaces/apparmor: skip apparmor cache (2.32) <Blocked> <Created by zyga> <Closed by mvo5> <https://github.com/snapcore/snapd/pull/4823>22:00
mupPR snapd#4827 closed: cmd/snap-apparmor-parser: add a prototype apparmor parser <Blocked> <Created by zyga> <Closed by mvo5> <https://github.com/snapcore/snapd/pull/4827>22:00
* mvo <- bed22:03
Chipacaniemeyer: also question: is it ok to talk about 'tracking channel' and 'channel tip' in user docs22:37
niemeyerChipaca: Yo22:38
Chipacaniemeyer: hi22:38
Chipacaniemeyer: taking the opportunity to improve the docs for find, install and refresh, via changing the help for login22:38
Chipacaniemeyer: but some of these things are hard to explain :-)22:38
niemeyerChipaca: Tracking channel sounds fine, although there's a minor conflict with the term "channel track" which is slightly sad but okayish22:39
niemeyerChipaca: Channel tip feels too developer-oriented22:39
Chipacaniemeyer: https://pastebin.ubuntu.com/p/D758SWrydd/22:39
niemeyerChipaca: Expanding it to "current revision in the channel" feels more clear to someone that doesn't have as much baggage, I guess22:40
niemeyerChipaca: Reading...22:40
Chipacayeah, s/tip/current revision/ works22:40
Chipacaniemeyer: this comes about because I tweaked the 'login' help: https://pastebin.ubuntu.com/p/BQGfmJQxXw/22:42
niemeyerChipaca: The --beta/etc references doesn't seem necessary there.. --channel is generally more interesting to teach after we introduced tracks and branches as it's the general form that works across all cases22:42
Chipacaniemeyer: so then i had to change the 'find' help: https://pastebin.ubuntu.com/p/YKWRbmrnNt/ :-)22:42
Chipacaniemeyer: yeah, was in the middle of dropping that22:43
Chipacaas in the help output it can be obvious22:43
naccChipaca: "has access to"22:43
* Chipaca adds a 'to' to 'has access'22:43
Chipacaheh22:43
nacc:)22:43
niemeyerChipaca: Mentioning --revision is nice since it's a bit of an edge case, but I think we could do a trick there by mentioning the constraint before mentioning the option, so that people don't stop reading in excitement mid-way through22:44
niemeyerE.g.22:44
Chipacahmm, interesting, that might make refresh read easier too22:44
niemeyerFor revisions that are currently installed in the local system and for personal snaps, --revision will  blah blah blah...22:44
niemeyerOr similar22:45
Chipacaok, will tinker a bit more, then push and call it a night22:45
niemeyerChipaca: That last sentence is a bit cryptic.. I mean, I get what you mean, but I suspect most people won't22:46
Chipacaniemeyer: the one about security options?22:46
niemeyerYeah22:46
niemeyerI suggest just dropping it and letting the error messages play their role..22:47
Chipacaniemeyer: perhaps. I'll try to make it obvious in context (ie when the options are spelled out below)22:47
Chipacathat's fair22:47
Chipacai mean, it's what we do today :-)22:47
niemeyerYeah :)22:47
Chipacai could drop the whole 'only one at a time' thing in fact22:47
Chipacait's very discoverable and fast22:47
* Chipaca tinkers22:48
Chipacaniemeyer: ah, one more thing23:04
Chipacaniemeyer: i had a hard time understanding your comment about 'temporarely', and i don't know if you were making a joke or not :-)23:04
niemeyerChipaca: haha23:07
niemeyerChipaca: Yeah, it was a joke :P23:07
Chipacaphew :)23:07
niemeyerThat's such a great typo, though23:07
niemeyerIs there a place we can submit candidate words?23:07
Chipacaniemeyer: you'll need a wig and a posh accent23:08
Chipacaniice23:10
Chipacahttps://forum.snapcraft.io/t/explain-permissions-better-or-people-will-freak-out/445623:10
ChipacaI didn't know we had that in place already :-)23:10
Chipacarobert_ancell: that you ^?23:10

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!