/srv/irclogs.ubuntu.com/2018/03/22/#snappy.txt

=== ads20000_ is now known as ads20000
mborzeckimorning06:15
mupPR snapd#4901 opened: cmd/snap-confine: nvidia: add tls/libnvidia-tls.so* glob <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/4901>06:38
=== chihchun_afk is now known as chihchun
zygagood morning07:08
mborzeckizyga: hey07:09
mborzeckizyga: take a look at 4901 please07:09
zygaohhh07:09
zygaI see now07:09
zygaman, is that it?07:09
mborzeckiyeah07:09
mborzecki'magic'07:09
zygaman :)07:10
zygathat's insane07:10
mborzeckizyga: left a note here https://forum.snapcraft.io/t/nvidia-acceleration-on-chrome-and-firefox/4532/16 , there's 2 copies of these libraries07:10
zygabut also brittle on our part, I wonder how can we make sure to pick the right set in general07:10
zygaI think that should be a snap07:10
zygaand that snapcraft should prevent people from shipping those07:10
* zyga reads07:10
mborzeckiwe already pick up libnvidia-tls.so*, bu there's another one under tls/libnvidia-tls.so*, no clue how the second one gets loaded07:10
zygaare they identical?07:11
mborzeckiyup07:11
mborzeckiaah w8,07:12
mborzeckino, damn, looked wrong07:12
mborzeckithey're different07:12
mborzeckineed to correct the post07:12
zygaAh07:13
zygaThis makes more sense now07:13
zygaOk07:14
zygaStill +107:14
mborzeckinote to self, make sure to sort the inputs07:14
zygaAre they coming out of nvidia private build?07:14
zygaOr out of libglvnd07:14
mborzeckizyga: https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/nvidia-utils#n114 nvidia07:14
mborzeckizyga: it even works the arch glvnd libs now07:15
zygaOk07:16
zygaCan you please do a small experiment07:17
zygaTake the nvidia build from their website07:17
zygaUnpack it07:17
zygaAnd correlate the files inside with our patterns07:17
zygaAre we missing anything07:17
zygamborzecki: I'll review and perhaps land the makefile change today07:27
zygabut can you please look at this: https://github.com/snapcore/snapd/pull/489107:28
mupPR #4891: tests: add support for phased prepare-restore logic <Created by zyga> <https://github.com/snapcore/snapd/pull/4891>07:28
zygaI have some nice follow-ups07:28
zygaand I wanted to get the foundation in place07:28
mborzeckizyga: hm i think we might be doing something silly with those globs07:31
=== chihchun is now known as chihchun_afk
mborzeckion the host I have both paths /usr/lib/libnvidia-tls.so.390.42 and /usr/lib/tls/libnvidia-tls.so.390.42, but in the mount ns only one appears07:32
mborzeckithen readme in the drivers states this: The nvidia-tls libraries (/usr/lib/libnvidia-tls.so.390.42 and /usr/lib/tls/libnvidia-tls.so.390.42); these files provide thread local storage support for the NVIDIA OpenGL libraries (libGL, libnvidia-glcore, and libglx). Each nvidia-tls library provides support for a particular thread local storage model (such as ELF TLS), and the one appropriate for your system will07:33
mborzeckibe loaded at run time.07:33
zygamborzecki: look at the snap-confine code there, we probably don't look at tls/* at all07:35
zygamborzecki: my idea is to convert the nvidia tarball into a snap07:36
zygaand mount it07:36
zygaignore anything the host does07:36
mborzeckiyou'd need a tarball for each version of the drivers07:36
zygawe only need to support each family, not each version07:37
zygathere are about 3 at most07:37
zygaand yes, I agree07:37
zygaalthough I don't know if all families support libglvnd07:37
zygawhat is the layout of the working setup at runtime, what is in /var/lib/snapd/lib/gl07:38
zyga(can you ls -lR there please?)07:38
mborzeckijust a sec, got some changes in place07:39
zygakk07:39
zygagreat work btw! this is very promising07:39
mborzeckizyga: https://paste.ubuntu.com/p/jHSFhjbjV9/07:42
mborzeckizyga: we have this: libnvidia-tls.so.390.42 -> /var/lib/snapd/hostfs/usr/lib/tls/libnvidia-tls.so.390.42, but the symlink should be to var/lib/snapd/hostfs/usr/lib/libnvidia-tls.so.390.42 and we should have directory tls with symlink to respecive libs inside07:43
mborzeckisame for vdpau07:43
zygahmm07:44
zygathis will require small changes there07:44
zygabut yeah07:44
zygaand can you pastebin the tree of files that is in the nvidia tarball?07:45
mborzeckizyga: the correct layout https://paste.ubuntu.com/p/NHHHpNCrVY/, seems to work fine too07:45
zygahmm07:47
zygaa bit magic07:47
zygasince you said those libnvidia-tls.so files are not the same07:47
mborzeckizyga: files in the driver package pulled from nvidia's site: https://paste.ubuntu.com/p/zDFygPwSQ2/07:48
mborzeckiyeah the readme says: 'the one appropriate for your system will be loaded at run time.'07:49
zygadrwxr-xr-x 2 maciek maciek     4096 03-03 14:03 tls07:53
zygathey have a tls dir07:53
zygaI need to run07:53
zygamy son forgot his homework (yeah)07:53
zygaand just called me07:53
zygaAFK07:53
zygaand then I will work from a coffee shop because I planned to move anyway07:54
zygamvo: good morning, I'll be back soon, please ping me if urgent07:54
mvozyga: ok07:55
mupPR snapd#4901 closed: cmd/snap-confine: nvidia: add tls/libnvidia-tls.so* glob <Created by bboozzoo> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/4901>08:01
mborzeckimvo: can you cherrypick it to 2.32?08:02
mvomborzecki: already done08:02
mvomborzecki: thank you08:02
mborzeckimvo: thanks08:02
kalikianamoin moin08:12
pstolowskimorning08:16
mupPR snapd#4902 opened: cmd/snap-confine: nvidia: preserve globbed file prefix <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/4902>08:46
mborzeckizyga: ^^ https://paste.ubuntu.com/p/NSWPHDrNBd/08:46
zygaAlmost back09:04
zygare09:11
zygasorry for being late09:11
zygamvo: hey, I'm ready to assist in any way I can09:12
zygamvo: I was thinking about the trespassing bug09:12
zygamvo: and I think we can postpone that for 2.3309:12
zygamvo: since the impact is not serious and this is a beta feature09:12
zygamvo: I will work on cleaning it up to have proper data path from main all the way down09:12
zygamvo: and this will lessen the impact on the release09:13
zygamvo: I would only like to merge the symlink fixes09:13
zygamvo: and do more more more testing to see if we can reproduce the issue again09:13
mvozyga: that sounds great. I'm working right now on the snap run fixes we talked about yesterday09:13
zygamvo: I also have a tiny PR to add (I can add it to the symlink PR) to add something to debug: there09:13
zygamvo: thank you sounds good09:13
zygamvo: I moved downtown to meet with an old colleague09:13
zygasuper smart guy, I wonder if he would consider joining our team :)09:14
mvozyga: heh, ok09:15
zygahe's an old lisp hacker, not sure if he'd want to use go ;-)09:15
mvozyga: ha! a sage09:17
zygaI think he needs to upgrade his beard a few times for that ;D09:17
mvozyga: CE testing found that 2.32 would not work correct on caracalla because the security profile re-generation. I am curretnly trying to write up how this happens, do you remember in what way we modify the security profiles between 2.31->2.32 that would trigger this?09:18
zygayes09:18
mvozyga: please tell me then :)09:18
zygamvo: we now require a new profile snap-update-ns.$SNAP_NAME on startup09:18
zygain the past whenever we changed profiles and the changes were not huge we would just start with the old profile09:19
zygaand replace the profile in place as soon as snapd woke up09:19
mvozyga: what requires this? snap-confine?09:19
mborzeckizyga: please take a look at 4902 when you can09:19
zyganow we cannot start apps because w ecannot complete the profile transition from snap-confine to snap-update-ns09:19
zygamborzecki: ack09:19
zygamvo:  in 2.31 we had one profile for snap-update-ns09:19
zygaone that was very open because of layouts09:19
mvozyga: that is excellent, this also means that without system-key this would not even possible?09:19
mborzeckii'll be looking at 4891 in a while and then will try nvidia & bionic09:20
mvozyga: is it snap-confine that loads these extra profiles?09:20
zygain 2.32 we have one profile per snap, that is tailored to construct the layout09:20
zygamvo: no, it's not snap-confine09:20
mvozyga: what is loading those?09:20
zygamvo: snap confine doesn't even check if they exist, it just requests transition on the next exec09:20
zygamvo: normally they are loaded by apparmor init script on early boot09:20
zygamvo: those are stored just like snap application profiles, in /var/lib/snapd/apparmor/profiles09:20
mvozyga: hm, I'm puzzled then, so part of the new profile (that require these extra things) are on disk already?09:21
zygamvo: no09:21
zygamvo: they will be created by snapd after core reboots to 2.3209:21
mvozyga: what am I missing :)09:21
zygamvo: in 2.31 they were not a thing09:21
pedronisbut in 2.31 -> 2.32 transition they will not be there until after reboot and start of snapd, no?09:21
zygamvo: so we hit a hard transition when a profile is missing09:21
zygayes pedronis, exactly right09:21
zygamvo: this will become less of an issue once we have snapd.snap09:22
zygaand snapd can restart itself without rebooting the box09:22
mvozyga: what bit falls over? I mean, if the old profiles are there until we run snapd one would assume that network-manager would run happily with the old profiles?09:22
zygathen the profiles will show up in phase 209:22
zygamvo: you miss one fact09:22
zygamvo: it's a brand new profile09:22
zyganot one that existed in 2.31 at all09:22
pedronismvo: well after reboot there's a profile that requires a profile that is not there09:23
pedronisnot quite sure how the profile transition work09:23
zygamvo: the name is snap-update-ns.network-manager09:23
zygamvo: we never had that profile in 2.3109:23
zygamvo: note that this can happen even if we take snap-update-ns out of the picture09:23
mvozyga,pedronis: why the mismatch, I mean, if there is a new profile after reboot then the other profile should also be written. and if its an old profile it does not reference the new profile. what am I missing :) ?09:23
mvozyga: sorry for being a bit slow today09:24
zygamvo: 2.31 doesn't write snap-update-ns.network-manager09:24
zygamvo: 2.32 does and requires it to start network-manager process09:24
mvozyga: but does 2.31 references this profile in any way?09:24
zygamvo: no09:24
zygamvo: do you want to HO to have me explain this in person?09:25
mvozyga: yes09:25
zygakk09:25
zygaone sec09:25
mvosure, I'm sure there is some tiny details I'm missing, but I don't know yet what09:25
* zyga hopes background coffee shop music won't be an issue09:25
mvozyga: I'm in the stadnup HO09:26
zygamvo: one moment, I don't have chrome here09:26
zyganormally I HO from my desktop09:26
* mvo nods09:26
zyga2 minutes to download09:26
zygauh, I should visit that telco store and get a modem for my sim :(09:27
mvozyga: we could also have a old-fashioned phone call if you want :)09:28
zygainstalling chrome now09:29
mvook09:29
zygaif this fails, yeah09:29
zygaI'll call you09:29
mwhudsonpedronis: can you read Laney's comments on https://bugs.launchpad.net/snapd/+bug/1723094 and reply on the bug?09:37
mupBug #1723094: Live images should be able to turn off Snap updates <snapd:Confirmed> <casper (Ubuntu):Triaged by jibel> <casper (Ubuntu Bionic):Triaged by jibel> <https://launchpad.net/bugs/1723094>09:38
pedronismwhudson: I tried to answer, does it make sense?09:44
mwhudsonpedronis: it makes sense to me at least :)09:45
Laneythanks!09:46
zygamborzecki: done09:54
* Chipaca afk for a bit10:05
zygamvo: can we merge https://github.com/snapcore/snapd/pull/489910:06
mupPR #4899: many: backported fixes for layouts and symlinks (2.32) <Created by zyga> <https://github.com/snapcore/snapd/pull/4899>10:06
mborzeckiwhen i'm running bionic from usb stick, are the changes preserver accross reboots?10:06
zygamborzecki: dunno10:06
zygait used to be (some)10:06
zygabut not sure10:06
* Chipaca really afk now10:10
zygao/10:10
Chipacamborzecki: it depends on whether, when you created the thing, you told it to leave some rw space10:10
mborzeckiChipaca: I dd'ed iso to usb stick10:11
Chipacahmm, i can't see where on usb-creator-gtk there was that option, but i'm sure it was there before10:12
zygaI think it may have been removed now10:13
mborzeckiChipaca: dd is the only usb-creator i ever use :)10:13
zygabecause that code evolved a lot10:13
mvozyga: let me look at it. in the meantime: 4882 is updated10:13
zygamborzecki: install ubuntu on some spare hdd10:13
zygamvo: thank you, looking10:13
Chipacausb-creator (0.3.0) xenial; urgency=medium10:14
Chipaca  [ Marc Deslauriers ]10:14
Chipaca  * Rework the whole imaging process for writing to devices:10:14
Chipaca    - Use an equivalent of dd to make an exact copy of the image to the device10:14
Chipaca    - This also breaks persistence.10:14
Chipacathat last line there? boom. no more persistence.10:14
mborzeckidamn10:14
mvogodd!10:14
mvojust saying :)10:14
Chipacamvo: does that do persistence10:14
Chipaca:-)10:14
mvoits persistently nice, if that is what you mean ;)10:15
Chipacamborzecki: get your hands on usb-creator-gtk 0.2.68 :-)10:15
Chipacamvo: dunno, seems unmaintained, i proposed a pr ages ago and got no feedback10:15
* Chipaca runs10:15
mborzeckiChipaca: i'll try installing to a usb stick (while running the installer from another usb stick)10:15
Chipacamborzecki: usb-creator-gtk from trusty should do it10:16
Chipacamborzecki: https://packages.ubuntu.com/trusty-updates/amd64/usb-creator-gtk/download10:16
zygaChipaca, mborzecki: I would not trust that :)10:18
Chipacazyga: 'course you can trust it, it's got 'trusty' in the name!10:18
* Chipaca really needs to afk for a bit now10:18
zygahahaah10:20
zyga:-)10:20
* zyga bakes a few more patches in google10:20
zygawhile on the go, google is a nice place to test10:20
zygawe should update the reference tag to get smaller deltas10:20
mvozyga: hm, one test missing, sorry for this, will push a new 4882 in some minutes10:21
zygaok10:21
pedronismvo: do we know if for some reasons network-manager needs to start before snapd on those machines? (I suppose not, we write the all the relevant units and there's no such dep)10:22
zygapedronis: I think that on those machines n-m manages all networking10:23
zygapedronis: and it just starts as early as it can10:23
zygait's not strictly "before snapd" but not explicitly linked to through dependencies10:23
zygapedronis: and if we go and change the units now we'd have issues in the field as there's no easy way to change any systemd units10:23
pedronisthat's fine as long as snapd doesn't wait for that, and the timeout on starting that service is within the time it takes for snapd to do its job10:23
zyga(we don't have equivalent of ensure there)10:23
pedronisin terms of profile writing10:24
mborzeckihm the installer does something funny, there's 'Erase disk and install Ubuntu' option, but I have 5 disks plugged in at the moment, so which one will it erase?10:24
zygapedronis: that's a good point10:24
zygamborzecki: choose manual partitioning10:24
zygamborzecki: 18.04 or 16.04?10:24
zygaI'm used to 16.04 installer but I think that 18 changed a lot10:24
mborzecki18.0410:25
zygamborzecki: one more "hint" detach other disks :D10:25
zygait's surprisingly low tech robust solution for this problem10:26
zygaalso helps if you install windows or other OS with silly installer that just overwrites everything agressively10:26
mborzeckii'm clicking, but franly i'm minutes away from debootstrapping the thing10:26
zygamborzecki: you can do it, just a bit more patience :)10:29
mborzeckislightly worrying, wonder wher grub efi will get installed, i've made a partition for efi and set the bootloader to be installed to that disk10:41
mborzeckiaaannd it installed grub to the wrong drive10:44
mborzeckiinistaller finished, now i can start fixing the system :/10:55
zygamborzecki: is it booting?10:57
zygawhat's up?10:57
zygamborzecki: sorry :/10:57
mborzeckizyga: the installer hijacked the ESP on the main nvme drive, heh so the system i got now is ubuntu/efi on nvme and rootfs on usb stick10:59
mborzeckigot to install ubuntu's grub in efi partition of usb stick and make arch boot again10:59
Chipacamborzecki: are you having fun yet11:00
mupPR snapd#4899 closed: many: backported fixes for layouts and symlinks (2.32) <Created by zyga> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/4899>11:04
zygawoot11:04
zygathanks mvo11:04
zygamvo: I forgot to push that debug branch so I'll add a debug PR to 2.32 as well11:04
zygamvo: in 15 minutes, busy with some topics11:05
mvozyga: 4882 is ready to review. this and your debug pr are the last bits, right?11:05
zygayes11:05
zygawell11:05
zyga4882 not sure11:05
zygaI forgot which PR that was11:05
mvozyga: snap run --system-key11:05
zygaay11:05
zyga+111:06
zygayes11:06
zygaI left the debug bits at home so I'll just make a new PR11:06
mborzeckizyga: fwiw bionic boots now11:09
mborzeckiand from the right drive11:10
zygamborzecki: cool :)11:10
zygadid you have to update bootloader layout?11:12
mborzeckizyga: yes, mount proper partiion under /boot/efi, edit fstab to make it work after reboot, install grub x86_64-efi11:15
mborzeckii'll deal with arch later, i have a slightly convoluted luks+lvm there11:16
mupPR snapd#4903 opened: tests: split prepare-restore.sh into prepare-restore.d modules <Created by zyga> <https://github.com/snapcore/snapd/pull/4903>11:29
zygahey mborzecki-ubuntu :)11:33
ogra_Chipaca, shouldn't whatever needs /var/cache/snapd/commands.db create it if it is none-existent ? (see https://forum.snapcraft.io/t/var-cache-snapd-commands-db-permission-denied/4590 )11:33
mborzecki-ubuntuzyga: hey11:33
Chipacaogra_: if it doesn't exist there's nothing to do, so it should just move on11:33
ogra_well, it doesn't11:34
Chipacaogra_: IKR11:34
Chipacaogra_: I think at least two things need fixing: one, which i think mvo is already on, is to make _command_not_found hide stderr from snap advise-snap (or maybe make snap advise-snap not error on no db)11:38
Chipacaogra_: the other is to make the classic snap grab the commands.db from host :-)11:38
ogra_yeah, obviously11:39
ogra_i only noticed after i wrote the first comment that it seems to be created on first boot11:39
Chipacaogra_: if you've got classic installed somewhere, could you see if you could just cp it from hostfs?11:39
ogra_so we need a cp in the classic setup script11:39
ogra_err, yes, see my last post there11:39
Chipacaogra_: no, from _inside_11:40
Chipacaogra_: maybe it's fixable inside :-)11:40
ogra_ah, nop, that wont work11:40
Chipacaaw11:40
ogra_we're in a chroot11:40
Chipacaogra_: i thought the classic snap had crazy privs11:40
ogra_and dont do fancy hostfs bind mounting or anything11:40
ogra_its a simple chroot :)11:40
ogra_but it is no prob to simply add it to the chroot setup script11:41
Chipacaogra_: given core can be size constrained, maybe ln || cp (or is there a better way to do that)11:41
* Chipaca knows nothing11:41
zygamvo: 2.32 debug PR https://github.com/snapcore/snapd/pull/490411:42
mupPR #4904: tests: change debug for layout test (2.32) <Created by zyga> <https://github.com/snapcore/snapd/pull/4904>11:42
mupPR snapd#4904 opened: tests: change debug for layout test (2.32) <Created by zyga> <https://github.com/snapcore/snapd/pull/4904>11:42
mvozyga: ta11:43
ogra_Chipaca, linking wont work (and bind mounting adds complexity i'd like to avoid) ... cp will do11:44
mborzecki-ubuntuwell, nvidia doesn't work in snaps on bionic11:44
mborzecki-ubuntui'll try my branch11:44
zygaOMG!!!! git checkout -11:46
mborzecki-ubuntuis tehre a command i can use to install all build deps listed in debian/control?11:46
zygamy favourite command11:46
mborzecki-ubuntuzyga: yeah, it's like cd - ;)11:46
mvomborzecki-ubuntu: sudo apt build-dep ./11:46
zygayes11:46
zygaI just complained I wish there was something like that11:46
mvomborzecki-ubuntu: if you are inside the unpacked deb11:46
zygaand suddenly my colleague shows me this11:46
mborzecki-ubuntumvo: ta11:47
zygaoops, pushed to wrong PR11:49
zygaPRs corrected11:55
zygamborzecki-ubuntu: https://github.com/snapcore/snapd/pull/490311:55
mupPR #4903: tests: [WIP] split prepare-restore.sh into prepare-restore.d modules <Created by zyga> <https://github.com/snapcore/snapd/pull/4903>11:55
zygano need to review yet before the other one lands11:55
zygabut this is what I was thinking about11:55
zygathere's lots of room to improve from this state11:56
zygabut it's already much more approachable than the big one we have now11:56
zygais there a spread variable that holds the name of the current test?11:57
mvozyga: meh, the system-key stuff is actually more work because snap run needs to read the build-id of snapd not of snap11:58
zygaoohh11:58
zygayeah11:58
zygaand great catch :/11:58
zygamvo: and now it needs to know which snapd to read11:58
zygamvo: /o\11:59
mvozyga: make the whole thing more complicated. exactly, re-exec and all that :(11:59
zygamvo: maybe11:59
zygamvo: maybe we drop the tailored profiles11:59
zygamvo: use the old profile for 2.3211:59
mvozyga: that sounds wise11:59
zygamvo: and at least 2.32 ships with the new profile on disk11:59
zygamvo: and 2.33 won't have massive issues11:59
mvozyga: how much work is it?11:59
zyganot a solution much but yeah11:59
zygamvo: drop a few lines of C from snap-confine11:59
mvozyga: \o/11:59
mvozyga: lets do that12:00
zygamvo: restore child profile for snap-confine.apparmor.in12:00
zygamvo: and it _should_ work12:00
mvozyga: much safer and we look at this problem again with more time and less presure12:00
zygamvo: we'll still make the snap-update-ns.$SNAP_NAME profiles and load them but they will be unused12:00
zygayes12:00
zygamvo: I'll prepare a PR12:00
zygamvo: and you can get fewer gray hair :)12:00
mvozyga: heh, indeed12:00
mvozyga: I have way too many of those already12:00
zygamvo: ok, let me do this quickly12:01
ogra_mvo, https://github.com/snapcore/classic-snap/pull/1612:01
mupPR classic-snap#16: fix breakage of command-not-found  <Created by ogra1> <https://github.com/snapcore/classic-snap/pull/16>12:01
* Chipaca switches tasks, from improving test coverage to improving lunch coverage12:03
zygahahaha12:03
* zyga hugs Chipaca 12:03
Chipacazyga: how're your breaks coming?12:03
* zyga looks the other way to avoid eye contact12:04
zygaI'm not at home12:04
zygathat's an improvement12:04
mvoogra_: thank you12:04
zygabut relaease rush12:04
zygaso ... you know12:04
zyga*release even12:04
Chipacayeah12:04
zygamvo: ok, running locally now12:14
zygamvo: https://github.com/snapcore/snapd/pull/490512:15
mupPR #4905: cmd/snap-confine: don't use per-snap s-u-n profile <Created by zyga> <https://github.com/snapcore/snapd/pull/4905>12:15
mupPR snapd#4905 opened: cmd/snap-confine: don't use per-snap s-u-n profile <Created by zyga> <https://github.com/snapcore/snapd/pull/4905>12:15
zyganot tested yet12:15
mborzecki-ubuntuzyga: failed to create prefix path: /tmp/snap.rootfs_jW5tpa/var/lib/snapd/lib/vulkan/icd.d: Permission denied12:17
diddledana bit of fun: "how to make package managers cry" https://www.youtube.com/watch?v=kguJ1ihOyV812:19
zygamborzecki-ubuntu: dmesg | grep DENIED12:25
zygaI suspect we need some apparmor love there12:25
mborzecki-ubuntuzyga: switched it to aa-complain atm12:26
zygagood, that will let you see all the access patterns12:26
zygaplease collect the denials though12:26
zygadiddledan: good one!12:37
diddledan:-)12:38
mborzecki-ubuntuzyga: hmm multiarch is broken, we're trying to bind mount the wrong paths12:40
zygaoh12:40
zygaon 18.04?12:40
mborzecki-ubuntuzyga: yes12:40
zygaon 18.04 all of nvidia is broken for us12:40
zyga:/12:41
mborzecki-ubuntuwe ought to do the same as for biarch, as the libs are under /usr/lib/<arch-tuple> now12:41
zygayes12:41
zygayou can disable reexec and just build snapd with that option12:42
zygaand see what breaks12:42
zygawe can use this experience to later do this at runitme12:42
zyga*runtime12:42
mborzecki-ubuntuis there a command line tool that would return the arch tuple of current host?12:47
mborzecki-ubuntui mean the default one12:47
pedronismborzecki: I think mvo I had a PR about the exposing full triplet at some point, but was closed12:48
zygamborzecki-ubuntu: gcc -dumpmachine12:48
zygamborzecki-ubuntu: everything else disagrees12:48
zygamborzecki-ubuntu: dpkg --print-architecture is one more but not the same12:49
zygamborzecki-ubuntu: can that be a compile-time constant?12:53
mvomborzecki-ubuntu: https://github.com/snapcore/snapd/pull/4477/files#diff-fb91c6071604836b89ba2de46c45a56fR56 is what I did12:56
mupPR #4477: snapenv: add SNAP_ARCH_TRIPLET <Blocked> <Created by mvo5> <Closed by mvo5> <https://github.com/snapcore/snapd/pull/4477>12:56
mupPR snapd#4906 opened: polkit: Pass caller uid to PolicyKit authority <Created by chrisccoulson> <https://github.com/snapcore/snapd/pull/4906>13:03
mupPR snapd#4905 closed: cmd/snap-confine: don't use per-snap s-u-n profile (2.32 only) <Critical> <Created by zyga> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/4905>13:07
mupPR snapd#4903 closed: tests: [WIP] split prepare-restore.sh into prepare-restore.d modules <Created by zyga> <Closed by zyga> <https://github.com/snapcore/snapd/pull/4903>13:08
jdstrandzyga (cc mvo): you're backing out the hardening? that is terribly unfortunate cause I only conditionally acked layouts on the promise that the hardening would be there13:08
jdstrandzyga (cc mvo): for 2.3213:08
zygajdstrand: we're backing out of 2.32 split profile13:08
jdstrandzyga: yes, the hardening that I said was required cause the child profile was way too open13:09
mvojdstrand: the split profiles cause deep issues13:09
zygajdstrand: yes, we may axe the feature for now so that we can do it properly13:09
mvojdstrand: happy to have a HO if you want maybe after the standup13:09
jdstrandI'll not do a conditional ack like this again13:09
zyga(that would break layouts entirely for 2.32)13:09
mvojdstrand: I think the alternative is to disabled this entirely13:09
jdstrandof course, I said I wouldn't do it yesterday13:09
jdstrandmvo: that was understood with the conditional ack13:10
zygaI think we can axe it and do it for 2.3313:10
zygawhere it will be all done13:10
zyga(both the hardening and the feature)13:10
jdstrandallow it to be committed to test things out and if the hardening wasn't there, back out the feature13:10
mvojdstrand: ok, lets have a HO then, we are in the middle of the standup right now so not the best time to discuss. would you be able to make it to a hangout at the top of the hour (in 49min)?13:11
jdstrandI'm not sure a hangout is needed-- my position is that with s-u-n profiles, we may as well not confine snap-confine13:11
jdstrandbut I think I can do a hangout then13:12
mvojdstrand: might be easiest just to ensure we are all on the same page. we won't do anything that you do not ACK13:12
jdstrandzyga: are you in said hangout out? I'd like to understan the 'deep issues'13:12
jdstrandhangout out?13:12
jdstrandsaid standup?13:12
mvojdstrand: well, its not that deep. basic there is a race: when snapd refresehes and reboots on core then snapd start before the new snapd is run13:13
mvojdstrand: so these snaps will not find the needed profiles13:13
mvojdstrand: and fail to start13:14
mvojdstrand: and of course thats bad(tm) for things like network-manager13:14
jdstrandisn't that what the system-key 'wait on me' stuff is for? we did that somewhere else recently13:14
mvojdstrand: https://github.com/snapcore/snapd/pull/4882 - correct, implementing this is tricky13:14
mupPR #4882: snap: make `snap run` look at the system-key for security profiles <Blocked> <Created by mvo5> <https://github.com/snapcore/snapd/pull/4882>13:14
mvojdstrand: and we are under some pressure to release 2.3213:15
mvojdstrand: anyway, might be easiest in a HO, then we can discuss options and maybe come to different conclusions13:16
zygamvo, jdstrand: yeah, let's reuse the HO after standup13:18
zygaand discuss the problem, our approach so far and the plans we had13:18
zygaand what we actually want to do after discussing this13:18
* zyga would prefer to merge the hardening but it doesn't change the other problem we had13:18
zygamvo, jdstrand: if we need to back out layouts and undo the un-hardening so that we are back to 2.31 profile I can do that quickly13:26
zygathough we have the experimental flag now and we need to remove that as well13:26
jdstrandzyga, mvo: another idea: https://github.com/snapcore/snapd/pull/4905#issuecomment-37530634313:32
mupPR #4905: cmd/snap-confine: don't use per-snap s-u-n profile (2.32 only) <Critical> <Created by zyga> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/4905>13:32
zygaack13:32
zygajdstrand: that's an interesting idea13:32
zygajdstrand: so we keep a strict profile for s-u-n13:32
zygajdstrand: and if there's a good profile we transition13:33
zygaand if not we use the strict profile13:33
zygajdstrand: how can we check if a profile with given name is loaded?13:33
jdstrandthere is probably libapparmor api for that, but a look in sysfs is sufficient (eg, /sys/kernel/security/apparmor/profiles or /sys/kernel/security/apparmor/policy/profiles/)13:35
jdstrandzyga: ^13:38
zygayes, I was trying to avoid having to parse it now13:39
zygabut sure13:39
jdstrandzyga: so you can either parse /sys/kernel/security/apparmor/profiles or do a smart glob on a directory name existence in /sys/kernel/security/apparmor/policy/profiles/13:45
jdstrandzyga: you could aa_query_label() for a file that is expected to be allowed and check for ENOENT13:47
jdstrandzyga: could also adjust the logic a bit to look for ENOENT on the aa_change_onexec, and if it fails, aa_change_onexec to the child profile instead (thus removing the Cx rules, but adding a change_profile rule for the child)13:50
jdstrandzyga: that last suggestion is probably clearest in terms of intent wrt fallback13:51
zygayes13:52
zygaI think that's sensible13:52
zygalet's discuss this soon13:52
jdstrandthen no parsing13:52
zygayes13:53
TrevinhoHey.. question, if I close a channel (say candidate), the people will be moved to stable version... But, if a new revision is released to candidate, all the people who were tracking it will keep it or not? Do they manually to go back to track it?13:57
TrevinhoI mean when we say that people will be moved to the safest risk level, is that related to the snap revision or also to the track itself?13:58
* zyga relocates14:01
ChipacaTrevinho: they're tracking candidate, if you reopen candidate and release something into it, they'll get it14:01
TrevinhoChipaca: ok good.. That was what I was assuming, but just to double-check14:01
ChipacaTrevinho: that's the "tracking" field in "snap info"14:01
Trevinhoas docs didn't mention it14:01
Chipacaogra_: ooh, ooh, could you copy _everything_ from cache to the inside?14:03
Chipacaogra_: another question: how do you update it14:03
Chipacaogra_: ie those cache files should get updated periodically...14:03
jdstrandmvo: where is the hangout?14:03
mvojdstrand: https://hangouts.google.com/hangouts/_/canonical.com/snappy-devel?authuser=1 but zyga is looking for a quiet place to join right now14:05
mvojdstrand: so we may need to wait ~2 more minutes14:05
=== chihchun_afk is now known as chihchun
ogra_Chipaca, we never update the chroot (any of it ...) it is really only to provide you apt/dpkg for development, not for any other use14:28
Chipacaogra_: hmmmm14:28
ogra_so it is really only a snapshot of the moment you create the chroot14:28
Chipacaogra_: could we have a .bashrc saying "Your classic environ is now XYZ days old, time to nuke it"?14:29
ogra_(it wont allow to run any services or inbteract with snapd on the host or anything  either)14:29
Chipacaogra_: somebody, somewhere is building an IoT device gateway on top of that :-)14:42
Chipaca(that's not a fact, just statistics)14:42
ogra_someone should stop him then ;)14:42
ogra_it might be really hard to do that though ... given that you can not automatically run anything from classic after a reboot14:43
ogra_if you need a real classic setup on top of core to run a product you'd hopefully use lxd or docker14:44
ogra_and not some developer tool14:44
ogra_(that is clearly marked as such)14:45
Chipacaogra_: I'm 93% joking14:45
ogra_yeah, but there are these 7% !14:45
ogra_:)14:45
Chipaca5% wry cynicism, 2% other14:46
Chipaca:-)14:46
ogra_(and there *is* at least one person trying to abuse it so you are not that far off ... https://github.com/snapcore/classic-snap/issues/15 )14:47
ogra_(havent found the time to answer yet )14:47
Chipacaoh man, just two sentences into the bug and i'm already noped out14:47
Chipacathree sentences if you count 'hello there!'14:48
ogra_heh14:48
* Chipaca replies with "you should install expect"14:48
Chipacaor maybe “run "/sbin/agetty -n --noclear -l /snap/bin/classic tty1" and then ...”14:50
* Chipaca shuts up14:50
ogra_heh14:52
Chipacaogra_: I mean, I've used mplayer as a filter to lpd to have a networked music player14:54
Chipacaogra_: the above wouldn't frighten me in the least :-D14:54
ogra_me neither ... but it isnt what classic is designed for ...14:55
* Chipaca goes for a walk14:55
ogra_mplayer as filter to lpd ... to do what ? print song texts ?14:55
ogra_(or is there some other lpd i dont know)14:56
sergiusensogra_: where is the snapcraft project definition for the current build of `core`?14:58
ogra_sergiusens, "sapcraft project definition" ? you mean snapcraft.yaml ?14:59
sergiusensyes14:59
ogra_https://github.com/snapcore/core14:59
sergiusensogra_: do you know where that is mirrored to on launchpad? core is such a generic name15:00
ogra_scroll down ;)15:00
ogra_it's in the README15:00
sergiusensthanks15:00
jdstrandmvo: since you are going forward with hardened profiles, it sounds like I do not need to be present in the followup hangout (I've got a number of things I need to do today)15:02
cachioSaviq, there?15:02
jdstrandmvo: I can make myself available to be pulled in if that is useful though (I may have a conflict, someone is trying to schedule a meeting today with a partner that I've been asked to attend)15:03
mvojdstrand: corret15:03
mvojdstrand: I think its fine15:03
mvojdstrand: we needed your input on the security questions, thanks for providing it15:03
jdstrandmvo: np. thanks to you, zyga and niemeyer on working through this15:05
mupPR snapcraft#2021 opened: Only mangle elf app <bug> <Created by sergiusens> <https://github.com/snapcore/snapcraft/pull/2021>15:06
mupPR snapd#4907 opened: advisor: deal with missing commands.db file <Created by mvo5> <https://github.com/snapcore/snapd/pull/4907>15:09
mupPR snapd#4904 closed: tests: change debug for layout test (2.32) <Created by zyga> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/4904>15:10
Saviqcachio: hey15:13
cachioSaviq, 2 things15:14
cachiofirst, the image for fedoras was renamed, so yo dont need to add the image anymore15:15
cachioSaviq, 2nd I found the problem with resizing, but I need to agree how to fix it, if you need a temporal workaround, you can add these 2 lines to your tests (at the beginind)15:16
cachiosudo growpart /dev/sda 115:16
cachiosudo resize2fs /dev/sda115:16
cachiothat will force the partition resizing15:16
cachioniemeyer, I have a fix for spread to force the resizing that be default is not being done in fedora or centos15:17
cachioniemeyer, it is automatic on ubuntu/debian but you need to do it manually for other deistros15:17
cachioI made a fix for spread, addthis these 2 lines to the googleStartupScript15:18
cachioand it works15:18
cachioniemeyer, this is the PR https://github.com/snapcore/spread/pull/5415:23
mupPR spread#54: Add the resize of the partition on the googleStartupScript <Created by sergiocazzolato> <https://github.com/snapcore/spread/pull/54>15:23
Saviqcachio: I'll wait, we're fine on linode for now15:24
niemeyercachio: What does it automatically in Debian and Ubuntu?15:25
cachioniemeyer, resize the partition15:26
cachioand the disk as well15:26
Saviqcloud-init15:26
cachiobut, in centos or fedora it is not happening15:26
cachioin the forums other people is facing the same problem15:27
niemeyercachio: Yes, *what* is doing it15:27
cachiogogole compute init15:27
Saviqcachio: you sure it's not cloud-init http://cloudinit.readthedocs.io/en/latest/topics/examples.html?#grow-partitions ?15:28
cachiogoogle-compute-engine-init15:28
niemeyercachio: If it's the same software, why does it do in one image and not the other?15:28
cachiogoogle-compute-init calls to cloud init15:28
cachioniemeyer, I don't know15:29
cachiocan't find the code yet15:29
niemeyercachio: OK, so that's what we need to find out15:30
cachioniemeyer, ok15:30
cachioSaviq, is it running resize2fs as well?15:31
cachioor just growpart?15:31
Saviqcachio: both15:33
ogra_iirc growpart is a python script that shells out to a ton of shell binaries ...15:33
ogra_(resize2fs among them)15:33
cachioSaviq, ok, tx15:34
mupPR snapd#4908 opened: [RFC] cmd/snap-confine: attempt to detect if multiarch host uses arch triplets <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/4908>15:35
mborzecki-ubuntuzyga: ^^ a little experiment, at least I see the 'nvidia segfault' now15:36
Chipacaniemeyer: snapshots pr has all local changes other than tests (and even some of those, but i'm adding more right now)15:42
niemeyerChipaca: Super, thank you15:43
mborzecki-ubuntuzyga: aaand got it working now :P15:48
mborzecki-ubuntuzyga: and ohmygiraffe works now15:59
zygaSweet16:00
zygaThe way we discussed?16:00
mborzecki-ubuntuadding a note in the forum topic16:00
mborzecki-ubuntuzyga: take a look at the PR16:01
mborzecki-ubuntuneed to wrap it up for today, still have to make arch boot again :/16:02
zygaI will back home16:04
zygaI’m on a bus now16:04
zygaThank you!16:04
pedronismvo: after discussion, what's the plan/timing about releasing 2.32 now ?16:15
mvopedronis: release to candidate asap (ideally today), keep in candidate for a week is the current plan16:16
pedronisok16:17
pedronisthx for the update16:17
mvopedronis: yw - given the short time between that and the relase I think there will be a .1 and no .33 for 18.04-final. the .33 will then be a normal SRU16:18
mvopedronis: does that sounds reasonable? i.e. the delay registraion prs will need to be ported16:18
pedronismvo: ok, will need to discuss what goes into .1, ideally delay of registration16:18
mvopedronis: yeah, we can put everything important in there, it just feels risky to do full .33 before the bionic final release16:19
cachioniemeyer, I fixed the problem16:37
cachioit was a dependency missing16:37
niemeyercachio: Oh, tell me more16:37
cachioniemeyer, for fedora we need to install gce-disk-expand16:38
cachiowhich has conflicts with cloud-utils-growpart16:38
cachioso we need to remove cloud-utils-growpart and then install gce-disk-expand16:38
cachiothis is in charged of making the resize16:39
cachiocloud init is not used for that16:39
cachioI am gonna upload a new image16:39
cachioand deprecate the old one16:39
niemeyercachio: After you're done with this, can you please send a message to the forum with all the details of how to get the image in place and working?16:40
cachioniemeyer, sure16:40
cachioniemeyer, just for fedora or all the images that we use?16:41
niemeyercachio: In N months I'm sure we'll be creating an image for a different distro, or for a new release of an existing distro, and will try to remember these details16:41
niemeyercachio: It can even be something more high-level16:41
cachioniemeyer, sure, I am going to add also those scripts to spread-cron soon16:41
niemeyercachio: For no particular distro.. just the process of how to cook the image and make sure it's working16:41
cachioniemeyer, ahh, ok16:41
niemeyercachio: It may end up as a mix of the different images.. e.g. maybe there's a detail that is needed for Fedora, and another one for OpenSUSE.. we want both of these details, but no need to repeat what is the same for both16:42
cachioniemeyer, ok16:42
niemeyercachio: Yeah, the script is important as we don't want to build those images by hand.. but since all of that is so fresh in your mind, it's good to put down in text so we can easily digest in several months16:43
cachioniemeyer, yes, totally agree16:44
cachioniemeyer, months or weeks :)16:44
niemeyercachio: Thanks!16:44
niemeyerYes :)16:44
zygare16:46
zygaI'm back now16:46
zygaI'll unpack and I can return to work in a few minutes16:46
* kalikiana pipes zyga into `tar -xJf`17:04
zygahaha17:08
zyganow I need to go on a diet, I'm so much bigger than before :D17:08
kalikiana:-D17:08
* kalikiana wrapping up for the day and looking forward to getting a little bigger over dinner as well17:09
niemeyermvo, zyga: Ready when you are17:10
zyganiemeyer: [m]vo went for dinner just now17:11
zygalet's wait for him to be back17:11
niemeyerzyga: Sounds good17:11
* Chipaca going offline for a while17:21
cachiozyga, when you have a minute, could you plese take a look to #477817:28
mupPR #4778: tests: moving debian 9 from linode to google backend <Created by sergiocazzolato> <https://github.com/snapcore/snapd/pull/4778>17:28
cachio?17:28
cachiomvo, today is comming new beta, right?17:28
zyga+117:29
zygacachio: yes, hopefully ;)17:29
cachiozyga, tx17:29
mupPR snapd#4778 closed: tests: moving debian 9 from linode to google backend <Created by sergiocazzolato> <Merged by zyga> <https://github.com/snapcore/snapd/pull/4778>17:30
zygaOHHH17:34
zygaI just had a mini-heart-attack17:34
zygaI checked out release/2.23 by accident17:34
zygaand was looking at the set of patches to backport17:34
zygaand OMG what's wrong17:34
cachiozyga, heart-attack are delayed for 2.3417:37
cachio:)17:37
zygaman :)17:37
zyga2.2317:37
zyga2.3217:37
zygaso silly17:37
zyga:)17:37
cachiozyga, similar happened to me last week17:40
cachio:)17:40
mupPR snapd#4909 opened: interfaces: harden snap-update-ns profile (2.32) <Created by zyga> <https://github.com/snapcore/snapd/pull/4909>17:41
mupPR snapd#4910 opened: interfaces/apparmor: simplify UpdateNS internals <Created by zyga> <https://github.com/snapcore/snapd/pull/4910>17:42
zygajdstrand: stuff from the sprint ^17:43
zygaI just recall this existed because I remembe writing it but coudn't see it in master17:47
zygacomitted 16 days ago, I forgot to propose it17:49
jdstrandzyga: I recall this being called out in a previous PR. thanks! approved, but please do the requested comment change17:58
zygaook17:58
jdstrandit is so easy to forget to update the comments. I did it the other day...17:59
flexiondotorgdavdunc o/18:03
davduncthanks.18:03
zyganiemeyer: I think we can have that call soon18:04
niemeyerzyga: Still here18:04
niemeyerJust waiting for you and mvo18:04
mvoniemeyer: ready18:05
niemeyerOk, let's go18:05
=== pstolowski is now known as pstolowski|afk
mupPR snapcraft#2021 closed: pluginhandler: only resort to elf mangling if the snap type is app  <bug> <Created by sergiusens> <Merged by sergiusens> <https://github.com/snapcore/snapcraft/pull/2021>18:47
mupPR snapd#4819 closed: interfaces/serial: change pattern not to exclude valid devices <Created by bergotorino> <Closed by bergotorino> <https://github.com/snapcore/snapd/pull/4819>19:10
mupPR snapd#4819 opened: interfaces/serial: change pattern not to exclude valid devices <Created by bergotorino> <https://github.com/snapcore/snapd/pull/4819>19:27
=== chihchun is now known as chihchun_afk
mupPR snapd#4911 opened: daemon,client: add build-id to /v2/system-info <Created by mvo5> <https://github.com/snapcore/snapd/pull/4911>19:53
mupPR snapd#4906 closed: polkit: Pass caller uid to PolicyKit authority <Critical> <Created by chrisccoulson> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/4906>19:55
mupPR snapd#4910 closed: interfaces/apparmor: simplify UpdateNS internals <Created by zyga> <Merged by zyga> <https://github.com/snapcore/snapd/pull/4910>20:03
mwhudsonLaney: re testing casper changes i have this script that mounts an iso, creates an overlay over it, drops you into a shell the repacks a new iso when you exit the shell20:23
mwhudson(and does some other stuff)20:23
mwhudsonwould that be useful for this sort of thing?20:23
cachioniemeyer, well, gce-disk-expand package does not work well in fedora21:09
cachioit works well in CentOS, redhat, RHEL and cloudlinux21:10
cachiobut fails to start in fedora21:10
cachioubuntu and debian automatically resize the partition when the disk has been resized21:10
cachiobet the other OSs are not doing that21:10
cachiothis project creates a service which makes the resize after reboot, so you can resize a disk for an instance which is already running21:12
cachioPharaoh_Atem, hey21:20
cachioI am trying to make fedora resize the partition /dev/sda1 when the system starts in google21:20
cachiomost of the sytems are resizing the partition when the disk sda is resized21:21
cachiobut in fedora it is not happening21:21
cachioany idea how to do it?21:21
cachiothe only way I could make it work was adding the resize command as part of the machine init script21:22
cachioI am using the fedora cloud image + some google dependecies21:22
pedronismvo:   what's the plan   with #4911, will it mean we need snapd running (always) for snap run? feel free to answer tomorrow, just asking/wondering before I forget21:33
mupPR #4911: daemon,client: add build-id to /v2/system-info <Created by mvo5> <https://github.com/snapcore/snapd/pull/4911>21:33
mvopedronis: we discussed this with zyga and niemeyer and the idea is that if snap run detects a system-key change it should talk to snapd to double check what is going on21:35
pedronisI see, so a 2nd line of check21:35
mvopedronis: so this communication would only happen in the (rare) case when the system-key that snap run calculates and that is on disk mismatch21:35
mvopedronis: exactly21:35
pedronisthanks for the answer21:36
mvopedronis: I think there are still some corners to think about, what if its a local build of snapd run for testing, how should snapd behave. but I think all the open questions are really the developer case, i.e. you run snapd or snap from a local build21:36
pedronismvo: I'm probably confused, are you off tomorrow? or starting monday?21:40
mvopedronis: technically tomorrow but the amount of fires make it unlikely21:43
mvopedronis: so I will swap that day with another day21:44
pedronisok, makes (sadly) sense21:44
mvopedronis: yes21:54
mvo4882 is a fun PR to review if someone feels inclined to do so :)21:55
Laneymwhudson: that sounds nice, you should make it available22:54
Laneymwhudson: for the casper scripts you have to update the initramfs and then make that available in casper/initrd.lz (iirc) too22:55
cachioniemeyer, please tell me if this makes sense https://github.com/snapcore/spread/pull/5523:00
mupPR spread#55: Make possible to add an initialization script for custom images <Created by sergiocazzolato> <https://github.com/snapcore/spread/pull/55>23:00
mupPR snapd#4912 opened: overlord/configstate: change how ssh is stopped/started <Created by zyga> <https://github.com/snapcore/snapd/pull/4912>23:52
zyganiemeyer: ^23:55
bashingboihas anyone tried the firefox snap in debian/centos?23:57

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!