[00:00] yeah that's what I thought, too
[00:00] you might be right that it's due to unpacking the stage packages but it takes an inordinately long time
[00:01] something seems screwy because a single cpu core is pegged at 100% usage (not parallelised in any way)
[00:04] Well, it uses the apt python API, so yeah, that sounds right
[00:26] kyrofa: hey can i talk to you about patchelf? :)
[01:26] PR snapcraft#2060 opened: package: ensure all relevant files are in for sdist
[05:12] morning
[05:17] hey hey
[05:17] good morning
[05:17] there's going to be a thunderstorm this evening :)
[05:17] I cannot wait for that, I really missed them
[05:19] yeah, really can't wait for the first power outage this year
[05:21] ouch, do you think it will come to that?
[05:21] I was used to power outages in Spain when it was raining
[05:21] but not used to them here even when there's a very fierce storm
[05:21] right where i live there's an outage almost every time there's a thunderstorm
[05:22] otoh living in deep suburbs/almost country has some benefits too
[05:23] someone raised a really nice idea in the forum: https://forum.snapcraft.io/t/disabling-automatic-refresh-for-snap-from-store/707/102
[05:23] yes, that's a nice idea
[05:23] mobile data == restrict downloads
[05:24] need to look at the implementation, whether the setting is exposed over dbus and if so which bus it is
[05:24] mvo: morning
[05:24] mborzecki: it's dconf/gconf most likely
[05:24] good morning mvo
[05:24] zyga: looks like networkmanager https://bug792608.bugzilla-attachments.gnome.org/attachment.cgi?id=366968
[05:25] or libnm for that matter
[05:26] * zyga goes to make breakfast for the kids
[05:28] that's nice, if it's nm, then we could poke it through dbus
[05:30] hey mborzecki and zyga !
good morning
[05:39] PR snapd#5017 closed: daemon,overlord/hookstate: stop/wait for running hooks before closing the snapctl socket (2.32)
[06:08] * zyga needs to pay some taxes but will be back to work shortly
[06:25] mvo: hey
[06:26] PR snapd#5019 closed: data/selinux: Give snapd access to more aspects of the system (2.32)
[06:27] mvo: about 2.32.4, it seems we have some number of PRs open
[06:27] is the goal to land that today?
[06:36] pedronis: you mentioned the snap roadmap page on the forum was a bit outdated/confusing, I updated it now, let me know if there is anything left that looks inconsistent or wrong
[06:36] zyga: not necessarily today but I think it would be good to prepare a 2.32.4 soon. we need to wait a little bit with the new api merge until we are sure that we don't need a .4 for .3
[06:37] zyga: (if that makes sense)
[06:37] hehe, Yes
[06:43] anyone wants to take a quick look at #5003, trivial change
[06:43] PR #5003: cmd/snap-seccomp: graceful handling of non-multilib host
[06:44] ?
[06:45] mborzecki: sure
[06:45] it'd be great if we could put it in .4 too, would allow me to drop a patch in the packaging
[06:45] mvo: thanks :)
[06:50] zyga: what is the version of fontconfig that breaks compatibility?
[06:55] hmm btrfs on 4.14.26-54.32.amzn2.x86_64, shutting down lxc container produces this: kernel https://paste.ubuntu.com/p/kp842QyGng/
[07:00] mborzecki: 2.13
[07:00] mborzecki: I'm going afk now (dog) but once back I can give you a reference to the bug report
[07:00] hm i have local/fontconfig 2.13.0+10+g58f5285-1 here
[07:01] zyga: heh, see what you mean, https://paste.ubuntu.com/p/cyxSH6cwVB/ saw that earlier and assumed that it's something with spotify snap
[07:03] zyga: it's not 'crashing' though
=== pstolowski|afk is now known as pstolowski
[07:11] morning
[07:15] PR snapd#5020 opened: errtracker: check for whoopsie.service instead of reading /etc/whoopsie
[07:16] good morning o/
[07:21] hey kalikiana
[07:25] Mborzecki: the reporter on one arch derivative saw crashes
[07:25] Hey kalikiana
[07:25] zyga: maybe it's some specific snap, spotify seems to work
[07:26] Perhaps
[07:26] I’m still outside, I’ll sit in a coffee shop soon
[07:41] PR snapd#5014 closed: overlord/snapstate: introduce envvars to control the channels for bases and prereqs
[07:55] moin moin
[07:56] Hey hey John
[08:04] PR snapd#5021 opened: overlord/snapstate: introduce envvars to control the channels for bases and prereqs (2.32)
[08:04] mvo: I created a backport of the envvars branch ^
[08:05] #5018 needs a 2nd review
[08:05] PR #5018: overlord/snapstate: on multi-snap refresh make sure bases and core are finished before dependent snaps
[08:11] mvo: about roadmap: I see a formatting problem with USB hotplug status emoji ... also in 2.32 feeding cloud-init and CDN aware are the same I think
[08:11] re
[08:15] pedronis: I'll review 5018 next
[08:16] zyga: checking for metered connection should be easy, just looking at this prop on the main nm object https://developer.gnome.org/NetworkManager/unstable/gdbus-org.freedesktop.NetworkManager.html#gdbus-property-org-freedesktop-NetworkManager.Metered
[08:17] mborzecki: should snapd do that check directly?
[08:18] zyga: yeah, that's where it makes most sense probably
[08:18] what would happen on a core device that uses network-manager for networking
[08:19] snapd would have to understand that that endpoint is down when the n-m snap is inactive for instance
[08:19] zyga: the values of NMMeteres are somewhat funny https://developer.gnome.org/NetworkManager/unstable/nm-dbus-types.html#NMMetered, NM_METERED_GUESS_NO, heh
[08:19] (or that a device may be only and always on metered connection)
[08:19] we would need some gadget config or core config to ignore this
[08:19] also there might be no NM as well
[08:20] no NM is easy to handle
[08:20] I wonder how it determines the guess
[08:21] anyway it sounds like it needs a design forum post
[08:21] yes, definitely
[08:22] feels like a "snap set system refresh.metered = "always | priority | never" thing
[08:22] with gadget control as well
[08:23] `connection.metered: unknown`, that's for my wifi connection
[08:24] but i can explicitly mark it as metered
[08:24] zyga: are you on a modem now?
[08:24] mwhudson: yo
[08:24] yes
[08:25] Chipaca: hello
[08:25] mwhudson: my go snap auto-refreshed and now sigsegvs
[08:25] mborzecki: do you want me to check?
[08:25] zyga: can you do 'nmcli c show --active', then pick the uuid and `nmcli c show `, look for connection.metered
[08:25] sure
[08:25] Chipaca: refresh again and it should break
[08:25] *unbreak
[08:25] mwhudson: ok :-) how so?
[08:25] Chipaca: patchelf is bad?
[08:25] Chipaca: https://forum.snapcraft.io/t/patchelf-broke-my-binary/4928
[08:26] mwhudson: sigh. ok.
[08:26] mborzecki: it's a bit dumb
[08:26] it'll unbreak just because i published the old version again
[08:26] nmcli being dumb about metered https://www.irccloud.com/pastebin/UbF7cxGb/
[08:26] mborzecki: I wonder if it is in any way confused by the presence of the LXD bridge
[08:26] mwhudson: except now the store is timing out
[08:27] (╯°□°)╯︵ ┻━┻
[08:27] mborzecki: I don't see any way to mark the connection as metered from the gui
[08:27] zyga: hm, aren't you on gnome 3.28?
[08:27] mborzecki: and I don't see why it would not be marked as metered, pretty much all GSM/3G/4G/LTE is metered some way
[08:28] mborzecki: I'm on bionic now
[08:28] that's 3.28
[08:28] zyga: hm `nmcli c modify connection.metered true` should mark it
[08:28] hmm, something's going on in the dc
[08:28] pedronis: ok, thanks, I will fix that
[08:29] yeah canonical irc is flapping
[08:29] hmm
[08:29] (process:14018): libnmc-CRITICAL **: 10:29:11.195: file clients/common/nm-meta-setting-desc.c: line 765 (): should not be reached
[08:29] that + the assertions endpoint timing out
[08:29] mborzecki: ^ that's from "show"
[08:29] mborzecki: after the manual change
[08:30] metered connection (after manually tweaking the value) https://www.irccloud.com/pastebin/lBCN8dLI/
[08:30] zyga: woow ;)
[08:30] zyga: can you do `busctl --system introspect org.freedesktop.NetworkManager /org/freedesktop/NetworkManager` and look for .Metered ?
[08:30] sure
[08:30] so i have this binary in stage, it works, the one in prime breaks
[08:30] oh, busctl is a new thing to me
[08:31] Chipaca: is connectivity, I think they are making it worse to make it better, but it got worse than unexpected
[08:31] *than expected
[08:31] systemd :0
[08:31] or `busctl --system get-property org.freedesktop.NetworkManager /org/freedesktop/NetworkManager org.freedesktop.NetworkManager Metered`
[08:31] if i take the staged one and run strip --remove-section .note.go.buildid and patchelf --set-interpreter /snap/core/current/lib64/ld-linux-x86-64.so.2 it still works
[08:31] wtf is going on
[08:31] I wait for malware that is called something like ${crap}ctl to seem like another part of systemd
[08:31] zyga: yeah, but it's easier to use than dbus-send
[08:31] ah snapcraft does RPATH things as well
[08:32] zyga@t470:~$ busctl --system introspect org.freedesktop.NetworkManager /org/freedesktop/NetworkManager | grep Metered
[08:32] .Metered property u 1 emits-change
[08:32] zyga: at least UX wise, just seems to do the right thing
[08:32] mborzecki: yeah, no doubt about that
[08:32] mborzecki: it's pretty nice
[08:32] mborzecki: we could subscribe to changes of that property
[08:32] mborzecki: read it
[08:32] mborzecki: and then carry on
[08:32] mborzecki: it feels like connectivity manager in overlord
[08:32] ok, so now it's showing metered = 1 -> NM_METERED_YES according to the NM dbus spec
[08:32] mborzecki: it could also monitor offline/online status
[08:33] ok can repro
[08:33] zyga: yes
[08:33] and eventually it could understand the set of snaps responsible for network being up
[08:33] zyga: i've actually used it in that camera boards i've shown you the photos of ;)
[08:33] and expose that to snapmgr
[08:33] yeah
[08:34] mborzecki: ok, let me know if you need any more testing
[08:34] mborzecki: as an interesting use case
[08:34] mborzecki: all of office.zygoon.pl is on a metered connection
[08:34] mborzecki: from a router that has
metered wifi
[08:34] ha, wonder how it figured that out
[08:34] well, the wifi/lan is metered as it is routed through the LTE
[08:35] mborzecki: nothing figures that out yet
[08:35] but there's some part of the wifi spec that can convey this fact
[08:35] perhaps through DHCP but I really don't know
[08:35] but I read that gnome or maybe android wants to support that
[08:35] mborzecki: if you want to play on my office LAN I can make an account for you
[08:35] (if it touches any of IEEE standards then it's better not to know)
[08:36] zyga: thanks but no need for now ;) just wanted to get the general picture
[08:37] sure :)
[08:37] zyga: btw. i've updated #4989
[08:37] PR #4989: tests: add arch to CI
[08:37] I'll finish review of 5018 and then start chopping my WIP user mounts branch
[08:37] mborzecki: thanks, I'll check soon
[08:43] http://omgfoss.com/install-spotify-linux-ubuntu-debian-fedora/
[08:43] this is cute :)
[08:44] https://www.irccloud.com/pastebin/kAgEqb8f/
[08:46] zyga: funny how they skipped the 'snap install spotify' step
[08:47] oh
[08:47] indeed
[08:47] hahaa
[08:47] that's even more silly
[08:48] :)
[08:48] pedronis: was playing with the performance of unserialising an entry of a json object last night
[08:48] pedronis: I've got another reason to move to go 1.7+
[08:48] :-)
[08:48] * zyga found the "chronic" utility from moreutils
[08:57] Caelum: I added LEAP 15 to https://build.opensuse.org/project/show/system:snappy
[08:58] fmt.Println("baz == other type", foo["zed"] == "dez")
[08:58] w8, but spotify is not a classic snap, no need for the symlink
[08:58] aand copy pasted some random sample with comparing interfaces i was preparing for jdstrand's review :)
[08:59] no, but if you're installing snapd for the first time, you might want to do that for future classic snaps you may install
[08:59] zyga: can we land #4980?
[08:59] PR #4980: Revert "spread.yaml: switch Fedora 27 tests to manual (#4962)"
[08:59] mborzecki: yes
[08:59] let's
[09:00] this unblocks cachio's work on fedora-on-google
[09:00] PR snapd#4980 closed: Revert "spread.yaml: switch Fedora 27 tests to manual (#4962)"
[09:05] pedronis: reviewed 5018
[09:27] thx, I expended the comments a bit
[09:32] heh, expanded
[09:34] pedronis: thank you
[09:35] how can I interrupt/restart travis job that's stuck somewhere since yesterday? https://github.com/snapcore/snapd/pull/4940
[09:35] PR #4940: RFC: added UDevMonitor for future hotplug support
[09:42] Chipaca: well that was fun to chase down https://github.com/NixOS/patchelf/issues/146
[09:43] pstolowski: let me look
[09:43] ah
[09:44] that's more interesting, there's no link
[09:44] mwhudson: nice spelunking
[09:44] looks like travis broke there
[09:44] can you see that branch via travis itself?
[09:45] Chipaca: patchelf is .... interesting
[09:46] mwhudson: do I want to know
[09:47] :-)
[09:47] /* !!! Why do we stop after a .dynstr section? I can't
[09:47] remember! */
[09:47] for example
[09:48] loose specs and faulty memory
[09:48] mwhudson: /* yolo */
[09:48] Chipaca: pretty much
[09:49] pedronis: not so much "loose specs" as "it works on my machine" :/
[09:49] mwhudson: well to be fair I expect elf and how it's used by compilers to be said, it worked with the binaries from baz
[09:49] s/to be said/to be loose/
[09:49] i wonder what patchelf would do with burneye and things like that
[09:54] maybe that's unfair though , and is not as bad as dwarf
[09:55] we should all go back to a.out
[09:55] :-)
[09:58] zyga: ah, right, i can get to the branch/build from travis directly. the missing link confused me.
thanks
[10:09] pedronis: i've never had the courage to learn much about DWARF
=== chihchun_afk is now known as chihchun
[10:10] mwhudson: well it's extensible, as usual if extensible format don't have way to convey this you can ignore or not, writing stable tooling is a nightmare
[10:11] mvo: zyga: we are getting handshake errors from linode, it means landing stuff to 2.32 is not easy, I wonder if we should back port the switch to gcloud
[10:12] otoh it might be travis network issues
[10:12] I can try
[10:12] anyway: this is not fun: https://travis-ci.org/snapcore/snapd/builds/364488153?utm_source=github_status&utm_medium=notification
[10:14] PR snapd#5018 closed: overlord/snapstate: on multi-snap refresh make sure bases and core are finished before dependent snaps
[10:18] so backporting 5018 requires the new api stuff, or a rework of the backend_test changes
[10:25] pedronis: new api because of tests
[10:27] pedronis: ? or because of the functionality?
=== pstolowski is now known as pstolowski|lunch
=== chihchun is now known as chihchun_afk
[10:53] PR snapcraft#2061 opened: go: only use Go build package if not using the snap
[11:06] mvo: because of tests
[11:06] mvo: backend_test.go is very different
[11:07] * mvo nods
[11:10] mvo: given that the plan is still to land the new api, I will prepare a backport on top of 5002 , instead of a direct one
[11:10] mvo: anyway we have troubles atm with tests on 2.32 because they still use linode and there seems to be travis->linode or linode problems
[11:13] pedronis: yeah, porting to google seems like a good idea
[11:14] zyga I got a report about snapd leaking threads, apparently for longer running snapd on bionic "ps -eTf|grep snapd" report very high numbers (in the 400s) for some people on bionic when it runs for ~2-3 days - you run bionic as well, is this something you see too?
[11:14] mvo, CE has approved 32.3 to stable
[11:14] Oh
[11:15] cachio: brilliant!
[11:15] No but i restart snapd for testing
[11:15] cachio: so once the store is ready lets push it out :)
[11:15] PR snapd#5022 opened: overlord/snapstate: on multi-snap refresh make sure bases and core are finished before dependent snaps (2.32)
[11:15] cachio: and fingers crossed for this version
[11:15] mvo, sure
[11:15] zyga: yeah, same here
[11:15] pedronis: thanks for this PR!
[11:17] zyga: no worries, I try to gather more data
[11:18] mvo: I'll try to make a PR for 2.32 with just the systems stanza from master, not sure if we need other changes
[11:19] I mean backends
[11:19] pedronis: +1
[11:21] is snapcraft.io down?
[11:22] thresh: looks like it
[11:22] hopefully nothing serious then
[11:23] thresh: i've pinged a sysadmin
[11:23] * mwhudson goes to bed
[11:23] many thanks!
[11:24] https://status.snapcraft.io/ is handy fwiw
[11:24] (I firstly assumed it's the nation-wide firewall that blocks the way here, but oh well)
[11:32] PR snapd#5023 opened: spread.yaml: try to switch to run tests on gcloud
[11:33] let's see ^
[11:33] pedronis: thank you
[11:33] sorry for not doing it before, I just got home now
[11:33] I need to file some time off for today
[11:33] the vet visit and other stuff was more walking than working
[11:34] it might not work
[11:34] I don't know if it we have other changes that were needed
[11:34] we'll see
[11:35] pedronis: hmm, perhaps something in run-tests.sh?
[11:35] I don't know
[11:36] ah true
[11:36] actually run-checks
[11:36] spread google: linode:
[11:36] wrote a test to check if the logging through journal stream sockets works correctly, and it's failing randomly because the journal is not flushed yet :/
[11:36] that's closer to master now
[11:36] mvo: is there a report for the thread leak issue?
[11:37] mvo: on my artful desktop I see this:
[11:37] zyga@fyke:~/go/src/github.com/snapcore/snapd$ ps -eLf | grep '[s]napd' | wc -l => 23
[11:40] mvo: I am seeing this on my bionic laptop
[11:40] zyga@t470:~/go/src/github.com/snapcore/snapd/cmd$ ps -eLf | grep '[s]napd' | wc -l => 122
[11:40] over 100 more threads
[11:40] even though the desktop is a 8 core machine and the laptop is a 2 core machine
[11:46] PR snapd#5024 opened: systemd: add helper for opening stream file descriptors to the journal
[11:48] zyga: ps -eLf | grep '[s]napd' | wc -l => 36 on CPU(s): 16
[11:49] mborzecki: on arch or ubuntu?
[11:49] oh snap, lunch
[11:49] arch
[11:49] interesting, that's golang 1.10?
[11:49] 1.10.1
[11:50] package version is 2.32.2.r508.g629585a3f-1, let me rebuild the latest master
[11:50] Chipaca: there's a meeting in 10 minutes
[11:50] same as in bionic (apart from probable patches)
[11:50] pedronis: standup @ 3pm right?
[11:50] pedronis: yeah. running.
[11:50] mborzecki: yeah, meeting is about epochs
[11:50] mborzecki: yes, this is something else
[11:50] okok
[11:50] ah
[11:50] uff :)
[11:52] * Son_Goku groans to life
=== pstolowski|lunch is now known as pstolowski
[11:55] zyga, you should be able to re-enable fedora in CI now
[11:55] Son_Goku: we already enabled and merged it
[11:57] mborzecki: reviewed
[11:57] zyga: thanks
[11:58] heh, gofmt -s did not catch this
[12:00] mborzecki: 5003 reviewed
[12:01] zyga: ta :)
[12:05] off to pick up the kids, be back for standup
[12:09] cachio, mvo: 2.32.3 stable today?
[12:14] * zyga installed the new "communitheme" snap
[12:14] it's pretty neat, so the snap is a dumb data carrier
[12:14] and something in the desktop is picking up the snap's presence
[12:16] zyga, yes
[12:17] It should
[12:24] mvo: interestingly the number of threads is pretty stable, after reboot I see 114
[12:30] reading snapstore docs
[12:30] why is "sudo snapstore config store.domain=""" used over "snap set snapstore store.domain=...
[12:32] zyga: 114?
I just have 12 here, let me try in a clean VM
[12:32] mvo: yes, this is vanilla beta
[12:32] er, sorry, that's vanilla edge
[12:33] zyga: I will try chocolate edge then
[12:33] I wish golang tweaked each thread cmdline buffer to indicate what is going on
[12:42] PR snapd#5025 opened: interfaces/shutdown: allow calling SetWallMessage
[12:43] PR snapd#5012 closed: snap: fix `snap advise-snap --command` output to match spec
[12:57] niemeyer, not sure if we have something like this on any snapd TODO yet ... (would be nice to have) https://forum.snapcraft.io/t/support-ask-for-reboot-via-sapcraft-yaml-and-snapd
[13:00] niemeyer, heh, i guess we can merge that one with https://forum.snapcraft.io/t/allow-automatic-reboots-when-refreshing-a-snap/4935 (seems abeato and I had the same idea )
[13:01] * Chipaca will be a couple of minutes late to the standup (previous meeting overrun and I need a technical stop)
[13:04] Chipaca: ack
[13:04] jdstrand: are we going to use the stash directory approach
[13:04] jdstrand: or shall we go for the better option directly?
[13:06] zyga: I think that is based in part on release timing. that said, since this didn't make 2.32, why not just go for the non-stash approach since it is approved
[13:07] jdstrand: yeah, that sounds good to me, thank you
[13:07] jdstrand: and I can use this immediately then
[13:08] jdstrand: actually, can I merge both
[13:09] I think it's just worth preserving in history
[13:09] I'll merge the 1st approach
[13:09] resolve conflicts
[13:09] and merge the 2nd approach
[13:09] if you don't mind I'd prefer that
[13:11] zyga: I don't mind at all. it makes sense to me
[13:11] perfect, thank you
[13:14] It's quite unbelievable.. I just spent more than 10 minutes trying to join the meeting from an Android phone.. no go
[13:15] Any hangout links send me to the application.. the application doesn't know what to do with it
[13:15] zyga: How did you manage to join yesterday?
=== chihchun_afk is now known as chihchun
[13:15] Anyway.. see you soon
[13:16] niemeyer: I have an iPhone
[13:16] niemeyer: maybe we can dial you in with good old phone number
[13:16] one sec
[13:17] zyga: That's even more ironic
[13:17] zyga: Can you send me a direct invite maybe?
[13:17] niemeyer: I tried to dial you in from the hangout
[13:17] but that doesn't work because we're out of credit
[13:17] yes, sure
[13:17] Hangouts seems able to do one-on-one.. maybe with an invite it'd wake up
[13:18] sent
[13:19] which hangouts
[13:20] from G Suite?
[13:20] It joined, and then the phone rebooted /o\
[13:21] zyga: Thanks, I'll continue the trip.. next time I'll use the laptop tethered
[13:21] niemeyer: you connected for a se
[13:21] you're still connected here
[13:21] can you hear us?
[13:22] ah
[13:22] I just noticed your phone rebooted :?
[13:22] man, that's not fun
=== chihchun is now known as chihchun_afk
[13:32] PR snapd#4868 closed: cmd/snap-update-ns: add secure bind mount implementation for use with user mounts
[13:36] mvo: https://docs.ubuntu.com/snap-enterprise-proxy/en/install
[13:36] PR snapcraft#1992 closed: tests: run integration tests on trusty
[13:38] Bug #1620755 changed: x509: certificate signed by unknown authority
[13:38] zyga: thank you
[13:43] jdstrand: you're my hero today :-) webtorrent-desktop appears to be unblocked now thanks to confinement rules updates
[13:43] diddledan: nice! :)
[13:55] mvo: pedronis: fwiw I SIGQUITed snapd when it had 18 threads, and it only had ~4 goroutines
[13:56] interesting
[13:56] myeah
[13:56] next I'll run it with the tracer and see what that says
[13:57] then what are the other threads doing? :)
[14:00] zyga: how many goroutines do you have if you SIGQUIT your 100ish threaded snapd?
[14:00] afk, taking my son for a vaccination :/
[14:00] One sec
[14:02] mvo: o, so just pkill SIGQUIT snapd
[14:02] zyga: yeah
[14:03] ok, done
[14:03] I see tons of debug in journal
[14:03] and I see 10 threads now
[14:05] mvo: https://pastebin.ubuntu.com/p/kKkGJp2Hbb/
[14:05] zyga: can you 'grep -c "goroutine [0-9]"' that?
[14:06] kwi 10 16:02:58 t470 snapd[1943]: goroutine 234 [syscall, 110 minutes]:
[14:06] one sec
[14:07] it seems go keeps the threads around once it's done with them
[14:07] which makes sense :-)
[14:07] 114
[14:08] zyga: whoa
[14:08] zyga: is this reproducible?
[14:08] yes
[14:08] zyga: can you patch your snapd to run with the tracer, then?
[14:08] it looks like most of this is read from htt
[14:08] http
[14:08] just tell me how sir
[14:08] zyga: http://paste.ubuntu.com/p/PstYvgMygh/
[14:09] zyga: then run it (make sure it doesn't re-exec :) ) and when it gets to have that many threads, ctrl-c it
[14:09] k
[14:09] zyga: and put the /tmp/snapd.trace file somewhere :-)
[14:09] (maybe compress it first)
[14:11] zyga, Chipaca interesting, that's a lot of stuff
[14:12] yus
[14:12] patched snapd, disabled reexec
[14:12] 15 threads
[14:12] mwhudson, sorry, I was EOD by the time you pinged me, but yes, happy to talk about it!
[14:12] _obviously_
[14:14] I'm watching the number of threads
[14:14] installed a snap to do some activity
[14:15] interesting
[14:15] I installed tizonia
[14:15] refreshed lxd to different channel
[14:15] and I'm at 19 now
[14:15] in that dump from your sigquit you've got a lot of things stuck on read
[14:15] refreshed lxd back to stable, still 19
[14:15] yes
[14:15] from (*ucrednetConn).Read(
[14:16] I wonder if anything's changed with 1.10, there
[14:16] hmmm https://www.irccloud.com/pastebin/JFpqggZU/
[14:16] is this expected
[14:16] there's no core restart anymore
[14:16] I stopped snapd.socket,service
[14:16] started snapd manually with sudo
[14:17] this is on master + the patch from chipaca about tracing
[14:17] zyga: restart is done by systemd, not us
[14:17] are we opening the snapctl socket ourselves?
[14:17] zyga: snapd just goes away and comes back
[14:17] Chipaca: but I don't refresh core now
[14:17] Chipaca: and reexec is off
[14:18] zyga: you're running snapd in another terminal, by hand, yes?
[14:18] yes
[14:18] zyga: what does the other terminal tell you :-)
[14:18] 2018/04/10 16:14:11.222937 handlers.go:189: cannot get state of snap "no state entry for key": %!s(MISSING)
[14:18] that's fun
[14:18] rest of the snapd output https://www.irccloud.com/pastebin/Wyuc0qHX/
[14:18] zyga: you're running with debug on, yes?
[14:18] * Chipaca looks
[14:18] no :)
[14:19] sorry, just regular
[14:19] but that handlers.go thing is a clear bug
[14:19] zyga: https://github.com/chipaca/bin/blob/master/run-snapd-srv
[14:20] man, ignore me
[14:20] that's an old build
[14:20] PR snapd#5025 closed: interfaces/shutdown: allow calling SetWallMessage
[14:21] it's working on actually patched and compled snapd
[14:21] *compiled
[14:21] but still 17 threads
[14:23] mwhudson, ah, I see your forum post now
[14:27] and wayland crashed
[14:28] I wish gnome-shell would not log errors every other second
[14:29] zyga, so looks like RHEL 7.5 arrived
[14:29] and with it, apparently GNOME was rebased to GNOME 3.26
[14:29] I'll have to check and see if all the components of GNOME were rebased
[14:29] mvo, Chipaca: no idea why the snap from core has all those weird threads
[14:30] and this one does not
[14:30] golang 1.6 vs 1.10.1?
[14:30] Son_Goku: are you saying snapd for RHEL can now be a thing?
[14:30] * zyga jokes about windows for warships
[14:30] zyga: 1.6 on different kernel though
[14:30] probably not
[14:30] pedronis: same kernel here
[14:30] but I can certainly try to rebase my current test packages
[14:31] pedronis: I have the 100+ threads if I use the snapd from core
[14:31] zyga: I'm saying, on the xenial kernel, go 1.6 snapd I don't see tons of threads
[14:31] ah
[14:31] I see
[14:31] anyway we should really meditate how to stop using 1.6 for the snapd that goes into core
[14:31] 1.10 would be nice :-)
[14:32] well something supported (by upstream) at least
[14:32] pedronis: I think snapd.snap can be built on 18.04
[14:32] zyga: fwiw, I have a bionic vm (and my real system) where I don't see this amount of threads
[14:32] and we sunset 1.6 support
[14:32] zyga: build the snapd.snap on Fedora :P
[14:32] be different :)
[14:33] Son_Goku: well, I do build it on fedora, but people who ship it tell me they need to build it in the archive
[14:33] ok, I'll keep my copy running, I need to get back to coding
[14:34] hey, folks what is the forecast on having the 2.32 in the stable channel?
[14:34] koza: plan is today
[14:35] awesome
[14:35] cachio: any word from the store about the release
[14:36] mvo, I'll ask now
[14:36] so, an interesting thing is
[14:36] once it starts a thread, it doesn't seem to let it go
[14:36] (which is probably fine)
[14:37] but the threads aren't doing anything
[14:37] that is, in the trace they don't appear as busy
[14:38] cachio: thank you
[14:45] Chipaca: I looked if we had interesting LockOSThread around, but seems we don't
[14:46] go itself might though
[14:50] all crazy - i386 adt tests fail because of https://forum.snapcraft.io/t/oom-for-interfaces-many-on-bionic-i386/4101 apparently. just in very non-obvious ways :(
[14:51] I add code
[14:55] ah
[15:05] mvo: man, that's nasty
[15:05] maybe kernel leaks in apparmor profiles
[15:06] wow
[15:06] man that thread is golden
[15:10] jdstrand: brave have a problem with their latest build in edge (19). The previous build works fine. I see an apparmor fail in ibus... https://paste.ubuntu.com/p/gsYkbhX2kQ/
[15:10] jdstrand: anything we have seen before, and can help?
[15:10] zyga: yeah, I think there is a leak somewhere in the kernel and it's especially bad on i386
[15:11] zyga: because the kernel uses lowmem only for whatever reason there
[15:11] why not on arm?
[15:11] zyga: I want to add a check in our restore code that checks for oom and errors hard
[15:11] zyga: I don't know
[15:24] popey: oSoMoN is working on that ibus bug.
aiui, it is non-fatal
[15:25] zyga: because right now the error is very indirect and also very unclear why it hangs journalctl
[15:25] if journal is syncing and we're OOM (and perhaps swapping already) maybe it is the IO load
[15:25] jdstrand: brave coredumps :(
[15:25] but yeah, the memory leak looks like the issue behind it
[15:26] Chipaca: yeah, there's just few goroutines doing 'real' stuff, the rest is parked https://paste.ubuntu.com/p/T2WJXWwnPF/
[15:26] popey: bluez is nothing to worry about. the /etc/opt/chrome they need to adjust something-- they don't have DAC write access to that anyway. I can add something for /sys/devices/system/memory/block_size_bytes
[15:27] popey: it may core dump, but the ibus access is probably not what is causing that. that is coming from a library that doesn't check the return code: https://bugs.launchpad.net/ubuntu/+source/ibus/+bug/1761585
[15:27] Bug #1761585: ibus_bus_init does an unconditional call to chmod on $HOME/.config/ibus/bus
[15:27]
[15:28] jdstrand: ok
[15:28] popey: you can add to the profile: 'owner @{HOME}/.config/ibus/bus/ w,' to prove that to yourself
[15:29] popey: you can connect the bluez interface to get rid of that denial
[15:29] brave 18 works even with those denials
[15:29] popey: you can add: '/sys/devices/system/memory/block_size_bytes r,' to see if that is it (again, I doubt it)
[15:29] popey: right, that is what I figured
[15:30] popey: the /etc/opt/chrome is possibly interesting. that needs to be $SNAP/etc/opt/chrome
[15:31] in brave rev 19 the gui appears then immediately disappears again
[15:33] popey: it could be something is going on down in $SNAP_USER_DATA or $SNAP_COMMON such that on first start, things are ok, then on next run they aren't. unless you are saying on first run after a refresh it shows then dies.
that might suggest a gl issue
[15:33] SNAP_USER_COMMON*
[15:34] * jdstrand adds /sys/devices/system/memory/block_size_bytes to list for next batch of updates
[15:34] jdstrand: I have tested with a clean install (wiped out ~/snap/brave before running)
[15:34] * zyga still has just 15 threads
[15:34] popey: gl is working ok elsewhere?
[15:34] yes, and rev 18 works
[15:35] i have also tested 18 vs 19 in a 16.04 VM, same issue.
[15:37] https://paste.ubuntu.com/p/PkrmcR7g62/ seeing that lot on console in 19, not in 18
[15:40] is there a reasonable way of ensuring that xdg reports that the Downloads folder is in $SNAP_USER_COMMON instead of $SNAP_USER_DATA?
[15:41] this is probably a reasonable thing for many snaps
[15:42] For some snaps I set environment: "HOME": "$SNAP_USER_COMMON" in the apps section in the yaml
[15:42] e.g. why should downloads saved through firefox get versioned?
[15:42] thanks, popey , I'll try that
[15:43] popey: maybe they updated browser_main_loop.cc without considering snapd, or series 16 stage-packages, or something in the desktop part. may need desktop team help
[15:44] * jdstrand thought the desktop part setup symlinks from SNAP_USER_wherever to ~/Foo
[15:45] no the desktop parts can't do that because they might be used on snaps that don't include the `home` plug
[15:47] * zyga thinks we should have snapctl is-connected thing
[15:48] bug. if you specify a remote part that you've not already cached, and try to run `snapcraft update` in the project that includes the remote part in an `after` clause, snapcraft doesn't actually fetch the updated definitions until you remove the `after`
[15:51] zyga: if 'is-connected' is about network connectivity, if you add that and it needs some sort of specific access that the default doesn't allow, add it to network-status
[15:51] https://www.irccloud.com/pastebin/necbNhqK/
[15:51] jdstrand: we have is-connected command already?
[15:51] ^^^^ that's an attempt to fetch updated remote parts [15:52] jdstrand: ugh, browser_main_loop.cc comes from chromium upstream. oSoMoN have you seen anything like this in chromium recently? https://paste.ubuntu.com/p/PkrmcR7g62/ [15:52] zyga: there is an interface that is meant to answer that question. it needs a slot implementation. I'm saying if you make core that slot implementation, add it there [15:52] popey, no, that doesn't ring a bell [15:52] oSoMoN: ok, thanks! [15:52] jdstrand: I mean in the "snap connect" sense [15:52] a way to check if a plug is connected [15:53] or a slot [15:53] it would be useful for apps to make simple decisions [15:53] zyga: oh, I thought you meant "am I online". ignore me [15:53] pstolowski probably would know best, iirc [15:54] I thought there were hooks for that, but maybe they are only planned [15:54] there are hooks [15:54] mvo: mmh, it was lost in the other errors but #5021 also needs new api first, because of tests [15:54] PR #5021: overlord/snapstate: introduce envvars to control the channels for bases and prereqs (2.32) [15:54] but this means you need to mirror state [15:55] if we can just ask [15:55] at runtime, at any moment [15:58] zyga jdstrand the hooks executed on connect haven't landed yet; and yes, a way to check if a plug/slot is connected via snapctl would be nice [16:08] Aha, here you are. FYI, it wasn't super clear on the webpage that this is the channel (so I wound up guessing wrong a couple times with #snapcraft and #snap) [16:08] mborzecki: I reviewed your 'system' key in config defaults PR === pstolowski is now known as pstolowski|afk [16:12] pedronis: thank you! ok, so lets land the new api soon (once we got the stable out without issues :) [16:15] any steam snaps [16:15] Is there an FAQ for curmudgeonly debian types that have questions/paranoia about telemetry/tracking/fingerprinting and the like? [16:16] skomorokh, haha, no, but perhaps there should be! [16:16] Do you have any specific concerns? 
[16:17] I trust Canonical more than Slack/Microsoft/Google so would like to switch to using snaps vs. vendor-supplied .debs ...except now I wonder what this snapd is doing and what it's telling this central service about me :) [16:17] skomorokh, well, would looking at the snapd source code make you feel better? [16:17] skomorokh: there's a few things we tell [16:17] skomorokh: like /etc/os-release level info [16:17] I'd prefer an executive summary. [16:17] and the snaps you refresh [16:17] snap uses apparmor [16:17] and the version of snapd [16:18] Can it tell I'm the same user that installed a package last week? [16:18] skomorokh: we have some extra data sent when something fails (apparmor style error reporting) but this is configurable (PR is up for that) [16:18] eg. is there an identifier tying my usage of the system together? [16:18] skomorokh: yes, I believe it uses /etc/machine-id (needs checking) [16:18] Is that optional? [16:18] skomorokh: plus, if you log in that's that [16:18] I don't believe that's optional but I honestly don't remember [16:18] zyga, what is the use-case for the unique identifier? [16:19] I need to check if we really send that [16:19] maybe I'm mistaken [16:19] sorry [16:19] First thing I did was go to replace my slack deb with a slack snap, only to have it tell me I have to pass it a parameter to let it run unconfined. [16:19] we don't send that [16:19] Yay! I'm happy you don't! [16:20] skomorokh: right slack is a 'classic' snap still [16:20] And while I'm sad I can't sandbox slack out of the box, I'm happy that it told me it wants to be unconfined. [16:20] but we do use it [16:20] when an error happens [16:20] we hash the machine id [16:20] and send that hash [16:20] but error reporting is optional [16:21] zyga, I didn't know snapd had error reporting. Is it enabled by default? [16:21] How does one opt in or out? [16:21] kyrofa: yes, it is enabled by default but that may change soon [16:21] Is snapcraft.io optional? eg. 
can I use a different hub? [16:21] kyrofa: it will follow whoopsie settings [16:21] kyrofa: this goes to the ubuntu error tracker [16:21] at least on ubuntu [16:21] Ah, okay [16:22] and some people can see statistics [16:22] we used it a few times when bugs caused widespread errors in the field [16:22] and we were ignorant to that before we had the error tracker data [16:22] skomorokh: there's no hub in snapd, there's a store and each machine talks to exactly one store [16:22] PR snapcraft#2062 opened: packaging: simplify snapcraft.yaml [16:22] stores are configurable but you will realistically still only use either the official store or your private deployment of a store proxy [16:23] kyrofa: it's not for all errors, or errors from snaps, is really errors on refresh or install [16:23] of snaps [16:23] yes, it's when snapd malfunctions really [16:23] Is the code for the store public? [16:23] no, it is not [16:23] Whenever snapd panics, I expect [16:23] Aw. So if you turn evil or something the OSS community can fork away :( [16:23] *can't [16:24] skomorokh, note that all the APIs are documented [16:24] it's a matter of implementing the store side and starting a new root of trust (store is a root of trust in the snapd model) [16:24] so if we turn evil, there's some hope still ;-) [16:24] PR snapd#5026 opened: tests: add check for OOM error after each test [16:24] Right, but that's a big barrier, implementing that whole stack! [16:25] Or is it? I've only been thinking about snaps for a handful of minutes, maybe the store is quite lightweight? [16:25] pedronis: thanks [16:26] skomorokh: but also big advantage of having one place where apps come from, with sane security, comprehensive sandbox (it's always something that can improve but I think we're doing pretty well) [16:26] skomorokh: I think it depends on one's perspective [16:26] Oh, I like that, that's why I want to use it. [16:26] I just want the option for the community to bail on you without starting over. 
[16:26] skomorokh: there are a few URLs we use to search, query and download snaps and assertions [16:26] Everyone maintaining snaps is investing into the ecosystem. [16:26] but I'm not an expert in that area [16:27] I think that option is there, if there's desire someone can always fork snapd, implement some simple store, deploy it and update the store URL [16:27] not saying it's easy but it's not impossible either, snapd is complex in general [16:28] I see snapd is developed in public. [16:28] having a store that scales, etc is another thing [16:28] yes [16:28] all work, code and design is public [16:28] I think that'd make it easier, having the commits, the issues, etc. [16:29] I'm a developer that works on execution layers for example [16:29] So I think being able to search the store counterpart would help. [16:29] snap find ... [16:29] funny that "snap find foo" finds so many foo snaps :) [16:29] I mean, search the history of development communications around the store too the way we can by searching snapd issues. [16:30] ah I see [16:30] well, store is not public [16:30] Ya exactly :) [16:30] most of the store changes are coming directly from snapd [16:30] and can be found in the snapd history [16:30] plus there's a lot on forum.snapcraft.io [16:30] and there is discussion on store features https://forum.snapcraft.io/c/store [16:30] The click store that pre-dates it wasn't either. The community founded an "open store" which has now taken over on Ubuntu phone. [16:31] * zyga hugs noise][ [16:31] thank you! [16:31] Interesting. 
[16:31] When Ubuntu Phone was dropped, the community rallied and have built a pipeline for apps in the open store [16:31] also, you can always side-load snaps without a store [16:31] It's more active now than when we maintained it ;) [16:31] popey: do you know I still use my real retail ubuntu phone [16:31] 'cause so far I'm convinced I want to use this because it feels more trustable than dpkg which is basically "here's root, go nuts" [16:32] I still have it, it's running ubuntu with the open store [16:32] you lose benefits but it's there as an option [16:32] zyga: me too :) [16:32] But I'm not quite convinced I want to _advocate_ for it and maintain snaps etc. [16:32] skomorokh: yes, the sandbox is very interesting [16:32] I have a bq 4.5 on my desk, updated it today [16:32] skomorokh: I'm also familiar with the sandbox in case you have questions [16:32] zyga: Can I sandbox things that don't want to be sandboxed? [16:32] skomorokh: I work on the developer advocacy side. I'd welcome your feedback if you did look at making a snap. [16:33] skomorokh: try making some software and ensuring it is up-to-date (yourself) in 3 most common distros (and maybe 2-3 older releases that still have users) [16:33] skomorokh: then look at snaps again :) [16:33] it's a godsend [16:33] skomorokh: we're always looking for people outside the project who have snapped something, to give us honest critical feedback. [16:33] jdstrand: do you want one last look at https://github.com/snapcore/snapd/pull/4957 before I merge it [16:33] PR #4957: cmd/snap-update-ns: remove the need for stash directory in secure bind mount implementation [16:34] Well, so far I'm leery about investing myself that much in it because the store is closed. 
[16:35] skomorokh: well, use it, try some snaps [16:35] skomorokh: package something, learn how that works [16:35] skomorokh: see how the interface systems looks like [16:35] I understand why it makes sense to have it centralised, but it feels sketchy to have something so closed aspire to become central to OSS [16:36] skomorokh: how the sandbox looks like [16:36] there's tons of great stuff in snapd [16:36] zyga: LGTM [16:36] thanks! [16:36] please commit [16:36] skomorokh: then people say how great android is because android is linux, this is way way way more open [16:36] for one, you can commit here [16:37] we don't throw code over the wall once in $RELEASE_CYCLE [16:37] you can discuss with the devs, not with press people [16:37] Good points! [16:37] you can influence the design, the code, everything really [16:37] there are business points (store) but that's actually good, it means it can sustain itself [16:37] it's not going to spy on you to make that money [16:38] skomorokh: like github? :) [16:38] and unlike other solutions it is more complete [16:38] it's not limited to some class of apps [16:38] popey: Quite, hence gitlab :) [16:39] :) [16:39] and doesn't have hand-wave'y "optional security" that nobody actually uses and is actually not strong and sensible security [16:39] firejail is just handwavey? 
[16:39] * zyga made terrible allusions to other packaging systems [16:39] use of firejail with is very handwave'y [16:40] and note one thing: the instruction on how to confine an app comes with the app [16:40] that's not useful [16:40] that's 15.05 snappy 1.x design [16:40] and it doesn [16:40] I'm still randomly getting "invalid association handle" whenever I try to login to build.snapcraft.io via ubuntu sso [16:40] and it doesn't scale or work really [16:41] oh, and it is optional, so nobody uses it really [16:41] compare that to snapd sandbox and interface system, where everyone gets the same predictable non-optional sandbox [16:41] and there are well-defined ways to extend it [16:41] except slack gets to opt out and run as root [16:41] (which it wonderfully tells me about!) [16:41] where well-defined is that each snap uses the same definition, users can learn what that means [16:42] yes, but that's not sandboxed really [16:42] can I tell it to sandbox anyway? [16:42] and it's very honest about it as you noticed [16:42] yes but most software that requests this won't work [16:42] you can snap install --jail slack [16:42] er [16:42] --jailmode [16:42] it will just put it in a regular sandbox [16:42] but slack won't work then [16:43] eventually slack may opt into confinement [16:43] slack is just electron going to their webpage + stuff for facilitating the tray icon ya? [16:43] but they have not yet [16:43] I honestly don't know [16:44] Hm, so if I get really enthusiastic about snap and spend a bunch of time building a slack image that works in confined mode, can I publish that somehow? [16:45] I assume I can't redistribute their software, but can I maintain a patch to their packaging that lets me lock it down? [16:45] hmm, who has registered the name `webtorrent-desktop` in the store? have they actually used that name at all or can snapcrafters nab it? 
:-p [16:45] skomorokh: yes, but it won't be called "slack", it would have to be something else [16:45] plus, I don't know if you have the right to modify their application [16:46] but you can install it on your machine, yes [16:46] sure [16:46] is *this* _supported_ in this __client__ **maybe**? [16:46] no [16:46] diddledan: how did you format webtorrent-desktop? [16:47] maybe like `this`? [16:47] yes [16:47] ah, nice [16:47] diddledan: it was registered back in june 2016 [16:47] diddledan: no uploads. [16:47] is it owned by upstream or a random passer-by? [16:47] skomorokh: plus, snappy is pushing some boundaries, it's a very fun project to live in [16:47] diddledan: upstream [16:48] from kernel side to linux desktop technology [16:48] if it's upstream then I'll just file a PR against their repo and they can publish directly, but I wanted to get something out [16:48] Feross registered it [16:48] diddledan: appears to be upstream [16:48] right-oh, I'll just file a PR against their repo then :-) [16:48] thanks [16:50] How do snaps persist their local configs? They can access my home directory from their confinement? [16:50] skomorokh: there are more nice features that you may not know about (channels are so obviously missing from classic packaging) [16:50] skomorokh: snaps get their private place for storing data, that's $SNAP_DATA, $SNAP_USER_DATA [16:50] skomorokh: for services and apps [16:51] skomorokh: there's also SNAP_COMMON and SNAP_USER_COMMON for specialized use-cases [16:51] skomorokh: snaps don't see the real HOME variable so they have a mini-home elsewhere [16:51] skomorokh: that's in your real $HOME/snap/$SNAP_NAME/$SNAP_REVISION/ [16:52] So it copies my configs between versions as it updates? 
[16:52] skomorokh: snaps can read and write to most of your regular home if they use the "home" interface (run "snap interface home") [16:52] skomorokh: yes [16:52] skomorokh: we are working on integrating desktop portals so that portal-aware apps can use them too [16:52] Nice, so I can rollback to my previous config if I have issues with the new version. Does it clean up old ones or just suck up infinite space over time? [16:53] (so typical GTK apps will use portals for opening files from arbitrary places, under user's explicit choice) [16:53] Can I protect sensitive parts of my home directory eg. exclude ~/.ssh from the "home" interface? [16:53] skomorokh: that's done by default [16:53] skomorokh: all dot-files are off-limits [16:53] Ah, nice. [16:54] But not for classic, it does w/e? [16:54] no, classic confinement == no confinement [16:54] like in "classic linux systems" [16:54] Ya, so there's no light jail to give a false sense of security, it's proper confinement or no. [16:54] Seems sensible. [16:55] skomorokh: for instance this is the whole definition of the home interface: https://github.com/snapcore/snapd/blob/master/interfaces/builtin/home.go [16:55] Oh sweet, it's go! [16:57] yes, we are trying not to run large complex C apps as root [16:57] you can see all the other interfaces here: https://github.com/snapcore/snapd/tree/master/interfaces/builtin [16:57] ok, PR filed against webtorrent-desktop: https://github.com/webtorrent/webtorrent-desktop/pull/1353 [16:57] PR webtorrent/webtorrent-desktop#1353: add snap packaging [16:58] Oh man, this is so close to everything I hoped it would be. [16:58] diddledan: nice one! [16:58] interfaces cannot be added by apps so nobody will add "all access to everything" interface in a note taking app [16:58] * diddledan crosses his toes [16:59] So I tried a snap, figured okular is a good one because it didn't want classic and so my pdf viewer is going to get some confinement. 
[16:59] Which is nice because it's handling random stuff from the internet so it's attack surface. [17:00] 'cept I can't purge okular's deb since kubuntu depends on it. [17:00] mvo, so far so good, 2.32.3 is stable now and smoke test passed [17:00] How do I tell it to prefer the snap? Does this tie in to update-alternatives? [17:01] skomorokh: /snap/bin in your PATH [17:01] skomorokh: that's provided by snapd into /etc/profile.d on Ubuntu [17:01] But not early enough since which okular is still showing /usr/bin [17:01] skomorokh: is /snap/bin in your PATH? [17:02] I assume it based on what you say. [17:02] skomorokh: are you on ubuntu? [17:02] Yup, kubuntu 17.10 [17:02] skomorokh: easy enough to check, to be sure, of course [17:02] skomorokh: /snap/bin is the last entry in PATH, iirc, so if you want to prefer snaps over debs, you need to edit the profile [17:02] cachio: good [17:02] skomorokh: hash -r [17:02] Ya, exactly. And I've confirmed. [17:02] skomorokh: which okular [17:03] /etc/profile.d/apps-bin-path.sh [17:03] skomorokh: you can always "snap run okular" [17:03] snap run --help has some extra options [17:03] heh, I need to connect it to more snaps. [17:03] skomorokh: play, explore, learn ask [17:03] welcome to the community! [17:04] Thanks! I definitely do feel welcome. [17:05] And I really appreciate the project, it's going to help make Linux easier to adopt for less technical users. [17:05] Plus help everyone be more secure. [17:05] and everyone can be in one boat of apps [17:05] not in fractured silos [17:05] chihchun_afk: hey [17:05] oh you're afk [17:05] That's got pros and cons. [17:05] mborzecki: around? 
[17:06] I'd like a 3rd review for https://github.com/snapcore/snapd/pull/4957 [17:06] PR #4957: cmd/snap-update-ns: remove the need for stash directory in secure bind mount implementation [17:06] skomorokh: snaps complement classic packages so each distribution can still innovate by itself [17:06] but innovation doesn't zero the app counter [17:06] And that's why I would hope there is more transparency around the store if it really does have a chance of being a central hub for OSS app development. [17:06] and innovation doesn't mean apps need to be re-packaged every 6 months or whatever the release cycle is [17:08] oho, storm is coming [17:09] So I have a suggestion for the monetisation... I can't buy software with it because then I'd need to register an account with the snapd on my computer at which point I'm tying my behaviour to my identity. [17:09] skomorokh: when linux is 1% of your userbase, the last thing you want is to spend x5 effort to cover ubuntu, fedora and maybe something else [17:10] But I'd love to login to my account in a browser and conveniently contribute money to a project. [17:10] skomorokh: how would you then tell snapd that you can use a for-pay snap? [17:11] I never will, for that reason. [17:11] Just like I subscribe to the guardian but don't login to my account. [17:11] but the guardian is available anyway [17:11] (I also subscribe btw :) [17:11] if a snap is free you can already use it [17:11] Right, that's why I subscribe ;) [17:11] note that the buy story is still in wraps [17:11] and there's plenty of room for improvement [17:12] I don't subscribe to papers I can't read without subscribing because then they learn what articles I read (hell, they learn how I move my mouse while I'm reading the article) [17:12] Is there any risk that associating an account with snapd will become mandatory? [17:12] I imagine there'd be some pressure to do that... [17:13] no, I doubt that [17:13] don't you already have to login to snapd? 
[17:13] it used to be [17:13] but we made it optional now [17:13] ah ok [17:13] zyga: good to know, thanks [17:13] it was just a matter of work, it's a 2.0 but still pretty early stages [17:14] That's a good direction but kinda worrisome it was ever like that. [17:15] it was like that because we didn't have polkit support and other things [17:15] again, very early days back then [17:15] you could always use sudo to do stuff [17:15] Even at a cursory glance it's clear this is a massive engineering effort. [17:15] ah, sorry, my memory is rusty [17:15] sudo was since forever [17:15] authorization was needed in GUI apps before we had polkit [17:16] now it's fully optional [17:16] because GUI apps are regular users (not root) talking to snapd [17:16] so there was no way to prove you can install / remove apps [17:16] when you sudo snap stuff we use peer credentials over the socket to konw [17:16] *know [17:17] so that's why we had to login to the store [17:17] because once logged in you'd get a polkit prompt from the GUI and authenticate [17:17] and that was used as proof [17:17] Heh. [17:17] now it's all history [17:19] Can I selectively deny interfaces? [17:20] Awww vscode is classic too ;( [17:20] skomorokh: you can disconnect them [17:20] skomorokh: there's a forum thread about why IDEs are classic currently [17:20] ty, I'll look for that. [17:20] there's some missing technology to make them strict still [17:21] (without making them useless) [17:21] skomorokh: once you disconnect an automatically connected interface it won't auto-connect on that snap again [17:21] skomorokh: we have a policy system so that powerful interfaces are not auto connected [17:21] skomorokh: and some cannot even be declared at all [17:21] skomorokh: each snap has an assertion that is issued by the store [17:22] skomorokh: the assertion can grant access to some powerful interfaces on a per-snap basis [17:22] Can I install something without it ever being allowed to use an interface? 
[17:22] skomorokh: this is why you can install LXD as a snap [17:22] So even if it might be autoconnected I can choose to not let it be? [17:22] skomorokh: no, we don't have that right now, what would be your use case? [17:22] skomorokh: if it's about home that is a transitional interface that will be phased out over time [17:22] skomorokh: it's a matter of getting portals and momentum to use them [17:23] skomorokh: note that home is only auto-connected on "classic" devices (classic that they use regular packages as well) [17:23] skomorokh: on core devices (that only use snaps for everything on the system) this is no longer the case [17:23] Hypothetically I want to use vscode but want to be sure that Microsoft never learns that my current IP used it. [17:23] skomorokh: I see, well, network is granted by default so I don't think there's a way today [17:23] If it autoconnects to the interface that lets it connect to the internet, it alerts them that my IP uses it. [17:24] Whereas if I can snap install vscode --without-interface=internet [17:24] skomorokh: I'm not saying no, just that it's not a feature today [17:24] you can open a forum thread about it [17:24] The main reason my IDE would ever need to use the internet is updating, and if snap does that for me, tada! [17:24] well, no [17:24] we can discuss it with the security team and with designers [17:24] most modern IDEs have plugins [17:24] vscode included [17:24] yeah [17:24] Yah, I know, vscode especially, actually. [17:24] sadly modern IDEs are pretty much mini-OSes (without confinement between plugins) [17:24] vscode will go and get (for example) golang components when you're editing .go files [17:25] That's why this is a hypothetical. [17:25] But it's the one that came to mind. 
[17:25] I'm very much waiting for the first real attempt at a code editor with untrusted plugins [17:25] with proper sandboxing [17:25] vscode oss is built without those features [17:25] it's a ticking time bomb [17:25] so you could use that instead [17:25] However, if I was cool with just using the ones it came with, I'd like to be able to --without-internet it. [17:25] skomorokh: you can install it [17:25] skomorokh: disconnect network [17:25] and then run it [17:25] unplug the network cable and snap disconnect network [17:26] note that if it had a confiugre hook or other install hook it would execute by that time [17:26] *configure [17:26] Ya, that's not making this super convenient though. [17:26] you can also make a network namespace [17:26] and run vscode there [17:26] I think it's a better solution for networking specifically as you have full control [17:27] Yeah, I'm interested in transparency as to what my applications do on the internet. [17:27] If snap is partitioning them somehow that I can differentiate which apps are generating which traffic that'd be neat. [17:27] Like an alias interface per snap so I can wireshark vscode alone? [17:28] snapd doesn't use the network namespace so networking is "real" [17:29] Aw. Well, one thing at a time. Is that an eventual goal? [17:29] no, that's not a goal now [17:30] maybe eventually but we have plenty of things to do for now [17:30] skomorokh, you want this: [17:30] https://forum.snapcraft.io/t/autoconnection-override/2465 [17:30] zyga, install and then disconnect doesn't cut it-- daemons are fired up first [17:30] yes, I agree [17:30] we have the way to represent that now [17:31] so it's just a matter of designing and making the UI [17:31] "UI" [17:34] (Just checking, that's overriding that you can represent just have no UI ...not per-snap network usage?) 
[17:36] skomorokh: not specific to network [17:36] skomorokh: you can put some stuff into the "state" /var/lib/snapd/state.json that will tell snapd not to auto-connect a given interface to a given snap [17:37] state is interesting too [17:37] Does snap use cgroups? [17:37] skomorokh: yes [17:38] So potentially that could give some visibility into which snap is associated with which network traffic? [17:38] skomorokh: we use seccomp bpf, apparmor (all of it+more than mainline), device and freezer cgroup [17:38] skomorokh: we only use the two cgroups I mentioned [17:38] Ohhh. [17:38] So not per-snap cgroup. [17:38] we have per-snap cgroups [17:38] but we only use device and freezer cgroups [17:39] and I don't believe you can do what you want with just them [17:39] we also use some other things but those are the "main" guys [17:39] all of the sandbox code is in interfaces/ directory in the tree [17:39] we use mount namespaces heavily [17:39] man, I didn't mention that [17:39] that's like my life now and I didn't mention that [17:41] mvo: fyi, all my backport branches are green now, but we would need to start with 5002 once we feel ok about 2.32.3 [17:41] pedronis: mvo is offline [17:42] I always forget there are people that do that :) [17:42] yeah [17:42] irc cloud is really great [17:44] Hm, but if all the processes for a snap are in its per-snap group ...it seems like that's all we need is already in net_filter? https://lwn.net/Articles/569678/ [17:45] Except it's confusing when you say you have per-snap cgroups but don't use them: [17:45] we have per-snap cgroups [17:45] but we only use device and freezer cgroups [17:46] sorry, I meant to say that we only use two cgroup _types_ [17:46] if xtables can do that that's cool, I wasn't aware of that [17:47] brb, dog.walk() [17:47] any steam snaps [17:48] JonelethIrenicus: there isn't a steam snap from valve in the store currently. [17:49] lemme guess, --classic? 
[17:50] There is a steam runtime snap from ikey [17:50] WIP but promising and confined [17:50] Niiiice! [17:51] Is the sandboxing relatively new? [17:51] There is a interface review for steam specifically [17:51] Depends on which part [17:51] Some is old, some is still not in mainline [17:53] Man, this feels like summer [17:53] So warm outside [17:54] There was snow all around just a moment ago [17:55] I miss snow [17:55] Spring is the worst [17:55] The design of the sandbox is new IMO, [17:56] Whaaaat kyrofa how can you say that [17:56] Ok, so there's hope yet that slack, etc. will provide contained snaps? It's most they haven't got to it and things weren't ready when they first adopted the platform rather than they're refusing to go that way? [17:57] It depends on the ISV [17:57] We're talking to all of them. Some are motivated to get them confined, others are not. [17:57] I think it depends on the cost for them. If they see the sandbox as a cost for the people that support Linux [17:57] It’s all about users [17:57] Worth noting that for some of the really big ISVs Linux represents a vanishingly tiny proportion of their userbase. [17:58] Confinement has some advantages [17:58] So you get a tiny proportion of their time to work on it. [17:58] Snaps that are confined run in more places [17:58] So I think over time classic snaps will be rare [17:58] Well, I'm thinking specifically of slack/vscode so fairly developery things where presumably linux has a larger-than-usual marketshare. [17:58] Again, beginning of the adoption curve, early adopters, etc [17:58] Depends on your definition of large. [17:59] Yeah [17:59] It’s all subjective [17:59] Linux is not large IMO (and I use it since forever) [17:59] Well, I'd imagine that linux use is an order of magnitude more common in the developer community than the world at large. 
[17:59] slack-term is in the store and is strictly confined btw ;) [17:59] https://snapcraft.io/slack-term [18:00] [help please] building my first snap. need to read the output of a `cat` command. getting an error "Error: Can't read from stdin: read /dev/stdin: permission denied" from the cat command. snap was built and installed locally using the "--devmode --dangerous" flags [18:00] Slack is used by lots of people, not just developers [18:00] *everything works before being snapped [18:00] katamo: hi, can you point us to your yaml somewhere online? [18:00] Is there a way I can browse snaps like the store but with added info about which are confined and which interfaces they require? [18:00] katamo: when you use --dangerous you disable enforcing confinement [18:01] zyga: uh, you mean devmode? [18:01] skomorokh: gnome software, eventually [18:01] Yes popey [18:01] It implies devmode afair [18:01] skomorokh https://gitlab.com/kat.morgan/ScoutPlane/blob/master/snapcraft.yaml [18:01] zyga: but why would I need an app for browsing a catalogue, seems like a very web-suitable task? [18:02] *oops popey [18:02] skomorokh: you can browse the store at snapcraft.io/store [18:02] skomorokh: store front can probably show this too [18:02] skomorokh: not all features of the snap are shown currently, the web site is under constant redesign [18:04] popey to be specific, line 170 of build-img is failing with the stdin permission error https://gitlab.com/kat.morgan/ScoutPlane/blob/master/bin/build-img [18:04] popey snapcraft.yaml is here: https://gitlab.com/kat.morgan/ScoutPlane/blob/master/snapcraft.yaml [18:04] Ya, I don't see either of those pieces of info on the store and would hope to. [18:05] skomorokh: yeah, it's not straightforward to expose at the moment [18:06] katamo: lxc config is going to want to poke things in hidden in folders in your home directory, isn't it? That will be blocked by confinement? [18:06] Is there a tool to replicate my snap installs on another machine? 
[18:07] popey, hmmmm, good thing to consider. "--devmode --dangerous" would eliminate that for the sake of argument, right? [18:07] Since it's not just a flat list of snaps but also connections... [18:07] skomorokh: not currently. [18:07] so far, i've been able to do everything with lxd from the snap except that one line [18:07] katamo: hm, I don't know what's going on there then. [18:07] :/ grr, time for more digging. alrighty [18:08] maybe try the forum for long form Q&A? [18:09] skomorokh: no, not at present [18:09] popey: Okay, I should get back to work anyhow. [18:09] That's entirely scriptable though. "snap list" and "snap interfaces" on one end and "snap install" and "snap connect / disconnect" on the other [18:09] Thanks a lot for all the welcoming / super patient replies! And ya, epic software endeavour. [18:10] Thanks for the friendly chat :) [18:10] skomorokh: good day and drop by again :) [18:11] pedronis: can you please do a 2nd review on https://github.com/snapcore/snapd/pull/5026 [18:11] PR #5026: tests: add check for OOM error after each test [18:12] ooo, actually, before I disappear [18:13] I sync my home dir between three machines using unison [18:13] That shouldn't be any more crazy with snaps, I think, because their local files are in ~/snap/snapname ...no generated uuids or anything [18:14] yeah [18:14] you may see some odd issues though [18:14] might be a challenge if the machine apps get out of sync [18:14] when on machine-a you have snap foo at revision 1 [18:14] Does anything leap out at you as likely to blow up? [18:14] but on machine-b it will refresh and get to revision 2 [18:14] Ya, I carefully manage my updates to keep them in sync [18:14] skomorokh: snaps update automatically [18:14] ... [18:14] Can they not? 
[18:15] skomorokh: and you can use "snap revert" to go back to revision you had before [18:15] skomorokh: you can control when they refresh (very precisely) [18:15] but we don't want to add a global toggle because the vendors do the silly thing and turn that off and ship devices with no updates, ever [18:15] and we don't want that [18:16] So I can leave refresh at "never" and set it to "now" when I want updates? [18:16] no [18:16] It's my computer though :) [18:16] so we are very opinionated and try very hard to give lots of control without a way for someone to turn it off forever [18:16] because then people are the victim of a vendor who does that [18:16] and most people are really comfortable with that already [18:16] (not all clearly) [18:16] it has to be refreshed at least once a month AFAIR [18:17] I'm uncomfortable with how many people are comfortable with that :) [18:17] you can also deploy an enterprise proxy and tie your specific device to that proxy [18:17] and control updates through the proxy [18:17] Well, I'm not interested in me. [18:17] I'm uncomfortable with how many people run easily compromised out of date software on the internet [18:17] skomorokh: it's a tricky balance, if we give the off switch you will read an article about ubuntu routers being insecure and out of date when next major thing happens [18:18] because someone in china slaps ubuntu on a batch of no-brand machines and ships them for 15$ [18:18] True points.
[18:18] skomorokh: so on your private deployment, you can and should use the enterprise proxy [18:19] skomorokh: if you have a super important snap that cannot break you can buy gating and control when core refreshes so that you are not broken by canonical shipping updated base libraries [18:19] skomorokh: you can schedule updates to go weekly on Tuesday night [18:19] but you cannot turn it off because then you would be fine but 1000s of others would suffer [18:19] I just don't like the general notion that end users are so fully conditioned that software is something managed externally. [18:20] That either you are full-time devops and that's your life or you let your most sensitive affairs be managed by one of a small handful of vendors. [18:21] It feels like there is room for a level of autonomy between OS X and Gentoo :) [18:23] At any rate, for my actual use case it sounds fine because I assume I can trigger a refresh on demand? And thus update my laptop to current before I sync things over. [18:34] you can "snap refresh" any time [18:34] some idea? https://pastebin.com/MWSkCdde this crash I get when I run snapcraft :( [18:44] PR snapd#5023 closed: spread.yaml: try to switch to run tests on gcloud (2.32) [19:08] PR snapcraft#2060 closed: package: ensure all relevant files are in for sdist [19:09] cachio: yay, thank you [19:10] hey mvo [19:10] still trying to release [19:10] mvo, yaw [19:11] zyga: we released [19:11] zyga: it's all great! [19:11] wooooot [19:11] thank /dev/urandom [19:11] that's great [19:11] thank you for getting us here [19:12] mvo: do you have 3 more minutes? [19:12] zyga: yeah, not 100% [19:13] https://github.com/snapcore/snapd/pull/4957 [19:13] PR #4957: cmd/snap-update-ns: remove the need for stash directory in secure bind mount implementation [19:13] do you want to do a 3rd review [19:13] it's small [19:13] zyga: I have a look in a little bit [19:14] mvo: can I help with anything release-wise?
[19:15] zyga: I think it's all good, I will do the SRU in my morning and we need to keep an eye on bugs [19:15] ok [19:16] that's .4 that you will SRU [19:16] or still .3 [19:16] zyga: I hope I will be able to announce it again later tonight but that is about it [19:16] zyga: probably .4 [19:16] zyga: I want to have at least the fix for the oom detection [19:16] .3 is very solid but .4 has a few more fixes and the all new API [19:16] well "fix" [19:16] I'm somewhat worried about the new store api there [19:16] zyga: yeah, then .3+X [19:16] but I realise it's important [19:16] mvo: oom "fix" will surely show up in adt [19:17] so "yay" for working on this bug [19:17] it was under my radar, I was surprised by how old that thread was [19:17] zyga: "yay" - really a frustrating day, oom bug, threading explosion and refresh-mode: sigterm not working. oh well, tomorrow will be better [19:17] is the SIGTERM refresh issue real? [19:18] that is, it's not an application level bug? [19:18] zyga: it may be application dependent [19:18] zyga: it's strange, the strace indicates it's real [19:19] hrm [19:19] let me know if you want me to look tomorrow [19:20] it would be a .5 [19:20] and 2.33 would be more off if true [19:20] but it may mean 2.32 is our first LTS :) [19:20] and I would welcome that [19:21] well, if .4 is just oom, we need .5 soon (that would have been .4) [19:21] and then later is .6 [19:21] 2.32.19 is the charm [19:21] it will also include the YAMA fix ;-) [19:22] mvo: so what was supposed to be .4 will be .5 ? [19:22] will .4 be SRU only? [19:22] I mean no core build? [19:23] ooh.
I just spotted that 2.32.3 landed stable [19:23] :-) [19:24] pedronis: I think we will do .4 [19:24] pedronis: and for the sru I do .3.1 or something [19:24] pedronis: or .3ubuntu1 [19:24] ok [19:24] pedronis: just the OOM thing [19:25] mostly because I communicated that API would be in .4 [19:25] I can communicate again if needed [19:25] pedronis: yeah, I'm still onboard with that [19:25] pedronis: I think it's fine [19:26] mvo: all the backports are green [19:26] (still marked as blocked though) [19:28] mvo: once .4 is out I will massage a release page [19:28] and do suse updates [19:28] ooh! 2.32 is out? [19:29] popey: _again_ :D [19:29] lulz [19:29] popey: snapd is so cool we can release the same version twice [19:29] Thanks guys! [19:29] take that classic packages! [19:29] only twice? [19:30] popey: you only release twice [19:33] pedronis: \o/ [19:33] pedronis: great that they are green [19:33] mvo: I closed the PR about using google for 2.32 [19:52] pedronis: ok [20:29] zyga: heh, the PR is small but the amount of discussion is not ;) I check it in my morning [21:02] is there any way you know of to prevent the /tmp/$temporary_name files from being deleted when something goes wrong? I'm receiving the message I'm about to paste, but running with --debug doesn't reveal anything further, and the files are gone when I try to investigate what's wrong [21:02] https://www.irccloud.com/pastebin/gZMbloyw/ [21:04] diddledan: mind trying out `edge`? [21:05] ok, gimme a sec [21:05] running.... [21:06] is there any way to start a script that alters the source code (like patch) before the snap start building it? [21:06] you'd love this snapcraft.yaml, sergiusens, it's now sitting at 1340 lines long :-p [21:06] now it changes the source somewhere, but seems to build it elsewhere and the patch is not applied :/ [21:06] petan: https://docs.snapcraft.io/build-snaps/scriptlets [21:07] petan: the scriptlet you want is `prepare` [21:07] petan: prepare ?
[21:07] petan: `prepare` if on stable or https://forum.snapcraft.io/t/proposal-expanding-scriptlets/4673 if on edge [21:07] nacc: I did try prepare, but as I said, the script is executed but source code which is actually built by snapcraft is not touched by it [21:07] seems like prepare is touching some different copy of source code [21:07] cmake? [21:08] if that's question for me, yes the project is using cmake [21:08] petan: that seems like it would depend on the plugin (and whether it builds in place, or makes copies, etc) [21:08] bingo! [21:08] diddledan: I am waiting for you to snap up the new gnucash! [21:08] how is it related to cmake [21:08] yeah cmake references the source in `src` while the build executes in `build` so you need to adjust your prepare to reference `../src` [21:09] cmake does out of source builds, unfortunately we carry a bad legacy on that one [21:09] oh [21:09] will try [21:09] I need to leave for now, feel free to create forum posts I can follow up on those later [21:09] cheers [21:11] cmake is very popular thingie it should be supported properly [21:17] petan: it seems like it is? [21:17] petan: cmake just does a build copy [21:30] petan, the typical way to use cmake is out-of-source. That's what snapcraft does [21:30] You're not supposed to be messing with source code in prepare [21:30] That's part of the build step [21:31] The fact that it works on some plugins and not others is because it's not how you're supposed to use prepare :P [21:31] but I want to "prepare" the source code for building [21:31] so what should I use instead of prepare to prepare source? [21:31] petan, then you need to use edge and use override-pull instead [21:31] what [21:31] what is edge and what is override-pull and who says I am pulling anything? [21:32] petan, https://forum.snapcraft.io/t/scriptlets/4892 [21:32] petan, where are you getting the snapcraft you're using? [21:32] I made it myself huh [21:32] So... a venv? 
[21:33] anyway, that forum page is lacking simple example [21:33] I don't want to "override" something, which is only example there... [21:33] anyway [21:33] it works now with prepare [21:33] petan, overriding the pull step is exactly what you want to do there [21:33] maybe not "correct way" but it works [21:33] The example is even patching [21:33] hmm [21:34] But yeah, if you're happy with prepare, go for it. Just know that it's not the proper and supported way to patch code. There wasn't a proper and supported way to do that until override-pull [21:35] (other than implementing a local plugin) [21:45] PR snapcraft#2063 opened: many: add snapcraftctl set-version [22:29] zyga: something just broke snaps on TW, I'll look into it later today [23:36] PR snapd#5027 opened: client: snapshot sets, snapshots, snapshot actions, oh my!