[05:05] <zyga> good morning
[05:06] <mborzecki> morning
[05:13] <mvo> hey zyga and mborzecki
[05:13] <zyga> Hey guys
[05:47]  * zyga has a doctor appointment on the other side of the city at 12:30, wondering if he should go now and wait there or wait and then go when it's hotter outside
[05:50] <zyga> mborzecki: can you look at 5254 please? :)
[05:50] <zyga> mvo: I sent the kernel RFC idea we talked about last night to 5260
[05:50] <mborzecki> btw. i think we should merge #5258
[05:50] <mup> PR #5258: tests: fix lxd test which hangs on restore <Created by sergiocazzolato> <https://github.com/snapcore/snapd/pull/5258>
[05:50] <zyga> +1
[05:52] <zyga> mborzecki: 5257 is a short low hanging fruit in need of a 2nd review
[05:53] <mvo> zyga: ok
[05:55] <mup> PR snapd#5258 closed: tests: fix lxd test which hangs on restore <Created by sergiocazzolato> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/5258>
[06:16] <mborzecki> zyga: 5257 is magic, had to go through snapstate for it to make sense :)
[06:22] <zyga> jdstrand:
[06:23] <mvo> mborzecki: thank you! it was sightly annoying because it poped up in the middle of something totally different
[06:23] <mup> PR snapd#5257 closed: snapstate: ensure fakestore returns TypeOS for the core snap <Created by mvo5> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/5257>
[06:23] <mborzecki> mvo: hah, i can imagine it was tricky :)
[06:24] <mborzecki> zyga: can you take another look at #5256?
[06:24] <mup> PR #5256: cmd/libsnap-confine-private: helper for extracting store snap name from local-name <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/5256>
[06:26] <mup> PR snapd#5261 closed: tests: wait more time until snap start to be downloaded on econnreset test <Created by sergiocazzolato> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/5261>
[06:46] <mup> PR snapd#5241 closed: interfaces/udev: call 'udevadm settle --timeout=10' after triggering events <Created by jdstrand> <Merged by zyga> <https://github.com/snapcore/snapd/pull/5241>
[07:02] <mup> PR snapd#5255 closed: cmd/snap-confine: applied make fmt <Simple> <Created by bboozzoo> <Merged by bboozzoo> <https://github.com/snapcore/snapd/pull/5255>
[07:05] <zyga> mvo: can I merge https://github.com/snapcore/snapd/pull/5248#pullrequestreview-125842002
[07:05] <mup> PR #5248: tests: add test to ensure /dev/input/event* for non-joysticks is denied - 2.33 <Created by jdstrand> <https://github.com/snapcore/snapd/pull/5248>
[07:05] <zyga> it is a 2.33 branch
[07:05] <zyga> with LXD test failing
[07:06] <pstolowski> morning
[07:06] <zyga> pstolowski: good morning
[07:06] <mborzecki> mvo: can you cherry-pick https://github.com/snapcore/snapd/commit/7f4d533166b73551317bf421bc88f65cfd6b12f9 to 2.33 ?
[07:07] <mborzecki> or let me open a PR with it
[07:07] <mborzecki> (that's the lxd bit)
[07:07] <mvo> mborzecki: if you open a PR please also cherry-pick the econnreset thing
[07:08] <mborzecki> mvo: ok
[07:12] <mup> PR snapd#5262 opened: tests: backport lxd force stop and econnreset fixes (2.33) <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/5262>
[07:12] <mborzecki> mvo: zyga: ^^
[07:12] <zyga> thanks
[07:15] <mvo> mborzecki: ta
[07:46] <pstolowski> jeez, got google:ubuntu-14.04-64:tests/main/econnreset failure this time; it seems to be flaky as well, i saw occasional failures before
[07:47] <mvo> pstolowski: master should have a workaround (timeout got increased)
[07:47] <pstolowski> mborzecki: hey, would you like to take another look at #5215 ?
[07:47] <pstolowski> mvo: ah, great, ty
[07:48] <mup> PR #5215: ifacestate: improved conflict and error handling when creating autoconnect tasks <Created by stolowski> <https://github.com/snapcore/snapd/pull/5215>
[07:52] <justasking> hello everybody
[07:52] <justasking> will firefox snap touch my existing firefox profile (ESR 52)?
[07:53] <zyga> Hey
[07:54] <zyga> I’m going offline for a few hours, at least till 14
[07:54] <zyga> Ping me on irc if urgent
[07:54] <zyga> I have an older laptop without a modem with me
[07:54] <zyga> And I will be gardening my old branches
[07:55] <mvo> 5204 needs a review
[07:55] <mvo> it would unblock some more core18 work
[08:19] <mborzecki> mvo: left some comments in 5204
[08:20] <mborzecki> pedronis: you're breaking my heart, can't use gorename for that Name() -> LocalName() job now :)
[08:20] <pedronis> mborzecki: ?
[08:21] <mborzecki> pedronis: your comment about parallel installs and using a different name for the method to actually go through all the code locations where it's used at
[08:21] <mborzecki> pedronis: it's a valid concern btw
[08:21] <pedronis> mborzecki: well, I'm trying to make suggestions not to break the software
[08:22] <pedronis> I understand they are annoying, maybe
[08:22] <pedronis> as I said, it's likely that you might learn that most places were fine
[08:22] <pedronis> but is a bit unclear
[08:24] <mborzecki> yeah i tried to jot down some places where i'm certain we'll need the non-local name (eg. apparmor profiles, sice we'll hide the local name inside the mount ns)
[08:33] <pstolowski> pedronis: hey, about disconnect hooks, i think that if the snap on either end of connection is not active, we should either error out (but not with retry, it doesn't make much senso imho) or we should run the disconnect hook only on the active side and ignore the inactive one. both options are a little bit problematic though - we don't want to leak resources by not running a hook, but at the same time you may have good
[08:33] <pstolowski> reason to have snap disabled. and I don't think we want to block snap removal on not being able to run disconnect hook on the other end (because snap on the other end is not active)
[08:34] <pedronis> pstolowski: mmh, we have static inactive and dynamic inactive though
[08:34] <pstolowski> pedronis: what do you mean, don't we have a single Active flag?
[08:35] <pedronis> pstolowski: yes, but remember a refreshed snap is inactive for a while
[08:35] <pedronis> and then gets back to active
[08:35] <pedronis> that's why we have the complexity in autoconnect
[08:38] <pedronis> pstolowski: afaik you need the same kind of code as autoconnect, but anyway all of this shows we really need to implement some of my recommendations or something similar. it's clear it's hard to keep in mind this stuff
[08:38] <pstolowski> yes
[08:40] <pstolowski> pedronis: btw I've read your recommendations twice last week, very well written, i've yet to read it once more
[08:47] <pedronis> pstolowski: but yes, if the other side has no pending link* task and its inactive you have to skip its hooks
[08:48] <pedronis> that's probably true for autoconnect as well (unless it's not listed anyway for other reasons)
[09:16] <pedronis> pstolowski: as we discussed the behavior of disable and connections is probably a bit buggy already
[09:25] <pstolowski> yes
[09:52] <mup> PR snapd#5263 opened: errtracker: do not send duplicated reports <Created by mvo5> <https://github.com/snapcore/snapd/pull/5263>
[10:13] <Chipaca> how would root know what a user's XDG_CONFIG_HOME is?
[10:23] <mvo> Chipaca: in what context do you want to know?
[10:23] <mvo> Chipaca: inspect /proc/$pid/environ
[10:23] <mvo> Chipaca: of the user
[10:23] <Chipaca> mvo: daemon running as root needing to look at a user's config
[10:23] <mvo> Chipaca: but even then nfs-root-squash may squash us
[10:24] <mvo> Chipaca: maybe running a helper as this user?
[10:24] <Chipaca> :-( yeah
[10:26] <Chipaca> mvo: there might be a way to refactor things to take away the need, also
[10:29] <mup> PR snapd#5215 closed: ifacestate: improved conflict and error handling when creating autoconnect tasks <Created by stolowski> <Merged by stolowski> <https://github.com/snapcore/snapd/pull/5215>
[10:29] <mup> PR snapd#5248 closed: tests: add test to ensure /dev/input/event* for non-joysticks is denied - 2.33 <Created by jdstrand> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/5248>
[10:33] <mvo> Chipaca: quick question about 5176 - this need to be reworked to just do a net.Dial() - is that correct? and also a new api command?
[10:33] <Chipaca> mvo: I understand that for some of them, yes
[10:34] <Chipaca> mvo: but not for all
[10:34] <Chipaca> mvo: the 'get the details and check the cdn' thing is still full http
[10:34] <Chipaca> so really just the auth check
[10:34] <mvo> Chipaca: ok
[10:34] <Chipaca> mvo: and one of the auth checks needs dropping entirely
[10:35] <mvo> Chipaca: do you have any thoughts about the API to use? apparently /v2/debug is out
[10:35] <pedronis> mvo: we need to discuss,  I think it could go in some for under system-info
[10:35] <pedronis> inventing tons of new api is not sane either
[10:35] <pedronis> I think
[10:35] <Chipaca> mvo: so... I'd either like to add a system-info command that better mapped /v2/system-info, with options of all sorts
[10:35] <Chipaca> mvo: or, maybe, have version grow options
[10:35] <pedronis> Chipaca: yes, that was my proposoal
[10:35] <Chipaca> the second one feels weird
[10:36] <pedronis> but didn't discuss it with Gustavo
[10:36] <pedronis> is in a note in the PR
[10:36] <pedronis> s/note/commnet/
[10:36] <Chipaca> and then, whatever the command, i think a /v2/system-info option would be best for this and the verbose sandboxing thing
[10:36] <Chipaca> sandbox-features i mean
[10:36] <pedronis> that one landed already though
[10:37] <pedronis> but maybe it's in .33 ?
[10:37] <Chipaca> e.g. /v2/system-info?select=connectivity and /v2/system-info?select=sandbox-features
[10:37] <Chipaca> yep, landed, but could be hidden and deprecated
[10:37]  * pedronis needs to go have lunch
[10:37] <mvo> 2.33 is not released outside of beta yet so that should be fine
[10:37] <pedronis> mvo: anyway we should have a chat at standup about this
[10:38] <mvo> pedronis: ok
[10:43]  * pedronis lunch is a bit delayed
[10:44] <pedronis> mvo: btw discussing  with Gustavo he also proposed that maybe we just continue to stick system config to "core" as key  (even if it's not there), it might work, but it might mean disallowing config on any base until we have understand more/have a use case
[10:46] <mvo> pedronis: oh, interessting idea
[10:47] <mvo> pedronis: I was starting to look at the config once 5259 is ready (unless the concensus is that we should solve both in a single PR)
[10:50] <mborzecki> what would be the easiest way to stick custom snap-exec into core? bind mount my local copy over the real one?
[10:50] <mvo> mborzecki: for testing? yeah, bind mount sounds like the easiest option
[10:50] <mborzecki> mvo: yup for testing only
[10:51] <mvo> mborzecki: yeah, manual testing should be fine this way. alternative you can unpack the core snap and repack it
[10:51] <mvo> (but no need I think)
[10:51] <mborzecki> i actually make the tmpfs for /snap work somehow, snap-exec is the last bit standing in the way
[11:13] <pstolowski> ugh, unit test error on debian-9-64:tests/unit/go in master, on undo hooks test; i'm looking at it
[11:23] <mup> PR snapd#5252 closed: store, jsonutil: move store.getStructFields to jsonutil.StructFields <Created by chipaca> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/5252>
[11:35] <mup> PR snapd#5264 opened: many: use ~/.config/snap if it exists, instead of ~/.snap <Created by chipaca> <https://github.com/snapcore/snapd/pull/5264>
[11:36] <Chipaca> law of preservation of the number of chipaca PRs
[11:39] <mborzecki> Chipaca: you should aim for 2, no more, no less, one big one small
[11:39] <mborzecki> your own rule of two
[11:40]  * Chipaca checks
[11:40] <Chipaca> yep, that's where I'm at
[11:40] <Chipaca> now if we all did this, we'd be *fine*
[11:44] <pedronis> mborzecki: afair  Gustavo explicitly said he expected to force the dir to always exist, not to use a tmpfs (that might be an issue on systems not having /snap though)
[11:45] <mborzecki> pedronis: the /snap/<snap-name> dir?
[11:45] <pedronis> yes
[11:45] <mborzecki> ack
[11:52]  * Chipaca lunches
[12:10] <zyga> mborzecki: hey, would you mind reviewing 5254?
[12:16] <pstolowski> fyi, my isp seems to be experiencing a major outage, even their own website is down and their phone is completely busy right now
[12:20] <zyga> pstolowski: orange?
[12:21] <pstolowski> zyga: awacom, a local provider
[12:21] <zyga> ah
[12:21] <zyga> wired network?
[12:21] <pstolowski> Yes
[12:23] <mvo> 5225 needs a second review, should be simple
[12:27]  * zyga looks
[12:28] <zyga> mvo: are we putting snapfuse on PATH?
[12:29] <mvo> zyga: yes and iirc we have to so that fuse finds it
[12:30] <Chipaca> mborzecki: The proposed constrains <- constraints
[12:31] <Chipaca> mborzecki: and I'd expect to be able to know the local key from inside the snap, as a debugging aid if nothing more
[12:31] <Chipaca> hm, i'll repeat this on the forum
[12:31]  * pstolowski back online
[12:32] <mborzecki> Chipaca: please do
[12:32] <mup> PR snapd#5225 closed: selftest: add new selftest package that tests squashfs mounting <Squash-merge> <Created by mvo5> <Merged by zyga> <https://github.com/snapcore/snapd/pull/5225>
[12:34] <mvo> zyga: was 5225 a squash merge or a regular one?
[12:34] <zyga> pstolowski: https://github.com/snapcore/snapd/pull/5260/files needs a 2nd review and is pretty simple
[12:34] <zyga> mvo: I don't know, whatever was default on my system :/
[12:34] <mup> PR #5260: sefltest: advise reboot into 4.4 on trusty running 3.13 <Created by zyga> <https://github.com/snapcore/snapd/pull/5260>
[12:34] <zyga> probably regular
[12:34] <zyga> do you need a cherry pick ?
[12:34] <mvo> zyga: ok, I will do some cherry picks then
[12:34] <mvo> zyga: yeah, I want this for 2.33 as it may help with the protocol problem issues we see on errors.u.c
[12:35] <zyga> mvo: hold on, we can revert
[12:35] <zyga> and squash
[12:35] <zyga> shall I try?
[12:35] <mvo> zyga: its ok, its not that many commits
[12:35] <zyga> I'm sorry, I just read the diff and didn't noice the squash label
[12:35] <mvo> zyga: no worries
[12:38] <Chipaca> zyga: don't forget the 360 fun
[12:39] <zyga> Chipaca: already done it
[12:39] <zyga> oops
[12:39] <zyga> I will skip standup today
[12:39] <mup> PR snapd#5265 opened:  selftest: add new selftest package that tests squashfs mounting (2.33) <Created by mvo5> <https://github.com/snapcore/snapd/pull/5265>
[12:39] <zyga> I actually should file the day as off as I wasn't of much use (doctor visit)
[12:39] <Chipaca> zyga: hmmm!
[12:39]  * Chipaca scribbles in his little black book
[12:39] <zyga> my daughter is returning from overnight school trip
[12:39] <zyga> and I need to pick her up in 20 minutes
[12:39] <sil2100> mvo: hey! Hope that you don't mind that to save you some time after I review some smaller merges from you and approve, I'll also merge them?
[12:40] <mvo> sil2100: sounds great
[12:40] <sil2100> mvo: also, my work hours will be a bit strange this week as my team is in Portland
[12:40] <mvo> sil2100: aha, right. the sprint
[12:40] <mvo> sil2100: have fun, I understand that you will be less available during the sprint
[12:40] <sil2100> So I'm working in the morning and then to be with them on all the meetings I'm sticking around till after midnight
[12:41] <zyga> sil2100: Portland sounds just like Poland, there was a joke about that somewhere ;)
[12:41] <sil2100> (since I stayed home)
[12:41] <mvo> sil2100: ok
[12:41] <sil2100> zyga: almost like home!
[12:42] <zyga> Chipaca: some comments on 5264
[12:44] <mborzecki> Chipaca: SNAP_HKEY_LOCAL_MACHINE and we're ready for being bought by MS
[12:44] <Chipaca> mborzecki: \o/
[12:44] <pstolowski> :)
[12:45] <zyga> mborzecki: you will implement snapd active directory integration
[12:45] <zyga> and local group policy
[12:45]  * sil2100 AFK for a bit, will try to be back for standup
[12:45] <Chipaca> As part of that  effort, I'll implement counting the dosh
[12:45] <zyga> dosh?
[12:45] <Chipaca> zyga: money
[12:45] <mborzecki> zyga: i can do the LDAP login bits, leave the rest for you :P
[12:45] <zyga> Chipaca: cash++
[12:45] <Son_Goku> nooooo!
[12:46]  * Son_Goku runs away from the insanity
[12:46]  * zyga observes Son_Goku run around in a room where all walls are plastered with big-brand company names
[12:46]  * Son_Goku runs screaming with his eyes bugging out
[12:47] <Chipaca> also we need to move from squashfs to that filesystem that was actually just ms's sql
[12:47]  * Son_Goku dies
[12:47] <mborzecki> Chipaca: the one that never made its way to windows?
[12:48] <Son_Goku> WinFS
[12:48] <Son_Goku> https://en.wikipedia.org/wiki/WinFS
[12:48] <Son_Goku> DBaaFS
[12:49]  * zyga goes to pick up his daughter
[12:49] <zyga> mvo: I'm skipping standup, sorry
[12:50] <mvo> zyga: ok
[12:50] <mvo> zyga: (fun fact right next to ok (if you shift one row to the right): pl)
[12:53] <Chipaca> mvo: so you're saying pl is not ok because it's too far east
[12:54] <mvo> Chipaca: the opposite, its very ok, spelled ok one column on the keyboard to the east actually
[12:54] <Chipaca> mvo: if you want ok, but you're from the far right, you get pl
[12:54] <Chipaca> mvo: got it
[13:24] <mup> PR snapd#5266 opened: interfaces/builtin/docker: use commonInterface over specific struct <Created by anonymouse64> <https://github.com/snapcore/snapd/pull/5266>
[13:31] <mup> PR snapd#5264 closed: many: use ~/.config/snap if it exists, instead of ~/.snap <Created by chipaca> <Closed by chipaca> <https://github.com/snapcore/snapd/pull/5264>
[13:40] <mup> PR snapd#5260 closed: sefltest: advise reboot into 4.4 on trusty running 3.13 <Created by zyga> <Merged by stolowski> <https://github.com/snapcore/snapd/pull/5260>
[13:42] <mborzecki> pstolowski: is this something you are looking into https://paste.ubuntu.com/p/qkNvVZcZZ6/ ?
[13:42] <pstolowski> mborzecki: yes!
[13:42] <mborzecki> ack
[13:42] <pstolowski> mborzecki: where do you see it?
[13:43] <mborzecki> pstolowski: saw it here https://github.com/snapcore/snapd/pull/5256 (restarted the build already)
[13:43] <mup> PR #5256: cmd/libsnap-confine-private: helper for extracting store snap name from local-name <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/5256>
[13:43] <pstolowski> mborzecki: debian or something else?
[13:43] <mborzecki> pstolowski: ubuntu-16.04-32
[13:44] <Chipaca> https://github.com/snapcore/snapd/pull/5266 seems wrong to me, but I don't know enough to explain (or even count) the ways
[13:44] <mup> PR #5266: interfaces/builtin/docker: use commonInterface over specific struct <Created by anonymouse64> <https://github.com/snapcore/snapd/pull/5266>
[13:44] <pstolowski> mborzecki: ah, ok. that's good i guess
[13:44] <Chipaca> probably a zyga or jdstrand thing ^^
[13:46]  * zyga looks
[13:47] <Trel> I had one question after continuing to read up on this, what interfaces need to be request for access to dotfiles in a user's home directory?
[13:48] <zyga> done
[13:49] <zyga> Trel: there's no generic interface for all of them
[13:49] <zyga> Trel: which dot files are you after, specifically?
[13:51] <zyga> https://github.com/snapcore/snapd/pull/5230 needs a second review
[13:51] <mup> PR #5230: interfaces/udisks2: also implement implicit classic slot <Created by jdstrand> <https://github.com/snapcore/snapd/pull/5230>
[13:51] <Trel> In this case the ability to write new dotfiles to a user's home directory (or another they specify) as well as read ones that are already there, specifically .profile and .bashrc
[13:52] <Trel> maybe also .bash_profile
[13:52] <Trel> I saw "home" gives homedir access, but not to hidden files
[13:52] <zyga> Trel: there is no interface for that
[13:52] <zyga> because that is very dangerous
[13:52] <zyga> you can use it to essentially bypass confinement
[13:52] <zyga> why do you need to write to bash/sh profile files?
[13:52] <Trel> I'm assuming because of . and ..?
[13:53] <Trel> In this case, I was thinking of converting my new machine/account setup script(s) to a snap
[13:54] <Trel> Part of it is adding my standard dotfiles like .vimrc, adding to my PATH and adding some bits to .profile and .bashrc
[13:54] <zyga> because any interface that would allow this is pretty much equivalent to becoming unconfined it would not be something we hand out easily
[13:54] <zyga> I would instead suggest to rework the application to show how to add anything to one's profile scripts
[13:55] <zyga> part of the appeal of snaps is that they don't have real root/superpower over one's machine anymore
[13:55] <zyga> and we don't want to break the trust by creating an interface that can be easily abused
[13:55] <zyga> even if the intentions were pristine
[13:56] <Trel> I'm a confused about other than the .. directory entry, how accessing dotfiles in user's home is dangerous to anything other than the user
[13:56] <Trel> Or is that the reason why?
[13:57] <zyga> Trel: let me explain
[13:57] <zyga> Trel: if you can write to ~/.profile
[13:57] <zyga> then you can insert a payload that runs the next time a terminal is open
[13:57] <zyga> (or the next time any login shell starts)
[13:57] <zyga> that code is no longer confined so it could, for instance, wget a script from somewhere
[13:57] <zyga> and pipe it to sh
[13:57] <zyga> and that can do anything
[13:57] <zyga> so this is effectively a way to break out of the sandbox
[13:58] <Trel> Still restricted to that user's permissions though, right? That doesn't get you root access for example
[13:58] <zyga> no, but you can steal user's secrets, install malware, exploit a kernel issue to become root or anything else
[13:58] <zyga> (malware doesn't have to be root)
[13:59] <Trel> Yes, I meant full system compromise vs user compromise is all
[13:59] <Trel> I suppose I could have it generate a finalize script and drop it in their home that they'd have to run after manually.
[14:00] <Trel> In this case it's for my use primarily to expidite new setups, so I'd trust it since I wrote it.
[14:00] <zyga> right
[14:00] <zyga> well,  you can always make a private devmode snap
[14:01] <zyga> but if you want to ship it to everyone you need to play by the sandbox rules
[14:04] <Trel> That's not something that'd be depreciated right?  I have no problem using devmode for this since it's primarily personal.  I'd distribute manually to anyone (non-me) who'd want it
[14:04] <niemeyer> sergiusens: I won't be around at that time today.. can we have it right now?
[14:05] <niemeyer> Otherwise it'll probably be too late for Evan
[14:05] <zyga> Trel: I don't think devmode for private snaps is something that is going to become deprecated
[14:05] <sergiusens> niemeyer: I set it for tomorrow, it is 7am for kyrofa_ right now
[14:05] <sergiusens> starting next week, it is on Tuesdays,
[14:06] <niemeyer> sergiusens: Ah, that works, thanks
[14:06] <sergiusens> does that work niemeyer or should I reschedule?
[14:06] <sergiusens> ah, great :-)
[14:07] <sergiusens> I had an issue yesterday with family and scheduling the meeting earlier flew by me, sorry for that
[14:10] <Trel> Then I guess that's fine for this one then.  Most of the others I wanted to do are simple text transforms which I have to pipe text into, so I don't think those would need anything at all
[14:10] <Trel> I'm thinking of bundling a bunch of the text transforms into a single one and publishing that.
[14:12] <mup> PR snapd#5262 closed: tests: backport lxd force stop and econnreset fixes (2.33) <Created by bboozzoo> <Merged by bboozzoo> <https://github.com/snapcore/snapd/pull/5262>
[14:16] <zyga> mborzecki: thank you for the review
[14:22] <sergiusens> Chipaca: what's the progress on getting the snap command split out and ported over for us to use for `snap pack`?
[14:31]  * zyga -> lunch
[14:35] <Chipaca> sergiusens: "ported over"?
[14:35] <Chipaca> sergiusens: snap pack has had --check-skeleton for a while now (i thought you'd reviewed that?)
[14:37] <Chipaca> sergiusens: we haven't split it into its own .deb yet though
[14:37] <sergiusens> Chipaca: I had not reviewed AFAIK. We only discussed early March. "ported over", we currently support `snapcraft pack` on osx (and windows)
[14:38] <sergiusens> Chipaca: yeah, I cannot really use it until it is standalone
[14:38] <Chipaca> sergiusens: sorry, getting mixed messages
[14:38] <Chipaca> sergiusens: you wouldn't use the .deb on windows nor osx
[14:38] <Chipaca> sergiusens: so as far as those are concerned, it's unclear to me what you need
[14:39] <Chipaca> sergiusens: there are no code changes afaik to make it standalone, unless i'm misremembering
[14:39] <Chipaca> it's just packaging
[14:39] <sergiusens> Chipaca: let me state the requirement so I don't impose how you deliver it; I the `snap pack` to be runnable on Windows, OSX and Linux
[14:39] <Chipaca> sergiusens: ok. Done!
[14:39] <sergiusens> just tell me how to get it on each platform and we are good :-)
[14:40] <Chipaca> sergiusens: I don't have access to those platforms, but I assume you do. Do you have a go build env?
[14:40] <mvo> Chipaca: I did the changes as discussed in the standup to connectivity check, what about authConnCheck() - should this become a net.Dial() only check? if so I will delete a lot of code now
[14:41] <Chipaca> sergiusens: I seem to recall we explicitly agreed that we weren't on the hook for delivering binaries to windows and osx; if that's not correct, then we have a bunch of busywork to have that happen
[14:42] <Chipaca> sergiusens: so my question is, i think, how do you get the rest of the snapcraft build environ onto windows and osx
[14:42] <sergiusens> Chipaca: not immediately, no. I don't think it is as important now, but it would be a regression to not support it anymore
[14:43] <sergiusens> Chipaca: `brew install snapcraft` and on windows in a venv for now
[14:43] <sergiusens> brew install snapcraft is essentially a venv, just wrapped nicely into a higher order package manager
[14:45] <Chipaca> sergiusens: how does 'brew install snapcraft' or the venv pull in squashfs-tools?
[14:45] <sergiusens> Chipaca: https://formulae.brew.sh/formula/snapcraft
[14:46] <Chipaca> sergiusens: and that builds mksquashfs from source?
[14:46] <sergiusens> Chipaca: it is easy to create a formula for the snap command, I can scaffold it and get the first version if you promise to maintain it ;)
[14:46] <sergiusens> Chipaca: only on "upload", you would get it in what homebrew calls a "bottle"
[14:46] <Chipaca> sergiusens: if by "it" you mean the formula or whatnot, that's exactly what I'm trying to understand who owns it
[14:46] <sergiusens> which is like a wheel in python
[14:47] <sergiusens> Chipaca: https://github.com/Homebrew/homebrew-core/blob/master/Formula/snapcraft.rb
[14:47] <Pharaoh_Atem> brew formulae are similar to rpm specs or Arch PKGBUILDs
[14:47] <mvo> Chipaca: did my earlier question get lost? or are you just busy?
[14:47] <Pharaoh_Atem> main difference is that unlike the latter two, formulae are based on Ruby rather than shell
[14:47] <mvo> Chipaca: (busy is fine, just asking to ensure its not lost)
[14:48] <Chipaca> mvo: I'm trying to understand if we're on the hook for windows and osx binaries of snap and the surrounding build infra or not
[14:49] <Chipaca> I wouldn't even start to hazard a guess at how to integrate that with our CI
[14:49] <Pharaoh_Atem> Chipaca: you are probably not
[14:49] <sergiusens> Chipaca: I own the snapcraft formula (maintain it), someone else the squash one. Once there is a snap command on homebrew I can replace the squashfs in "depends_on" to whatever the snap thing is called.
[14:49] <mvo> Chipaca: hm,hm,we will need a minimal snap pack in this case, we use too much syscall imports right now for GOOS=windows (but you know this already :)
[14:49] <sergiusens> Chipaca: alternatively, I can condition the code to just use the snap command on Linux and fallback to mksquashfs on other OS
[14:50] <Pharaoh_Atem> sergiusens: it'd be simpler to just test for the /usr/bin/snap command, and if it doesn't exist, always fall back
[14:50] <sergiusens> Pharaoh_Atem: yeah, an actual call with parameter checks to be honest as the `snap` command namespace is quite busy ;-)
[14:51] <sergiusens> there is no `snap` formula yet at least
[14:52] <Chipaca> mvo: yes, authConnCheck should be a single net.Dial to the macaroon endpoint
[14:54] <Chipaca> sergiusens: do you know how to build things for osx and windows from travis?
[14:56]  * Chipaca googles
[15:10] <sergiusens> Chipaca: look at our .travis.yml and appveyor.yaml
[15:11] <mup> PR snapd#5267 opened: tests: retry 'restarting into..' match in the snap-confine-from-core test <Created by stolowski> <https://github.com/snapcore/snapd/pull/5267>
[15:15] <morphis> mvo: ping
[15:16] <Chipaca> sergiusens: ok, i'll take a stab at it
[15:17] <mvo> morphis: pon
[15:17] <mvo> morphis: h
[15:17] <mvo> morphis: pong
[15:17] <mvo> Chipaca: I updated the PR in question fwiw, but no rush
[15:18] <mvo> zyga: do you think you could look at 5204 again?
[15:18] <mvo> zyga: you asked for changes and I think I addressed things now
[15:21] <zyga> Chipaca: sure
[15:21]  * zyga looks
[15:21] <morphis> mvo: I tried to create a base snap recently and wanted to check if I was running into a bug or if what I was trying to do is simply not supported yet
[15:22] <morphis> mvo: basically I was setting `type: base` in my snap, build it and then installed it
[15:22] <morphis> however after running $ snap run --shell snap.app I was still seeing the core snap mounted on /
[15:22] <zyga> morphis: we didn't anticipate bases with apps so bases use core for their apps
[15:22] <zyga> (which is odd)
[15:23] <morphis> isn't that the core principle of a base?
[15:23] <zyga> morphis: no, the principle of bases (so far) is to host other snaps
[15:24] <zyga> not saying that it's a bad idea
[15:24] <zyga> but it is something we didn't anticipate
[15:24] <zyga> that's all
[15:24] <morphis> isn't that what ubuntu-core will require snapd to do?
[15:25] <zyga> I don't understand, can you rephrase please?
[15:25] <zyga> snapd won't ship any apps either
[15:25] <zyga> (in the sense of snap declared apps)
[15:25] <morphis> in terms of ubuntu-core core18 will be a base snap, right?
[15:25] <zyga> yes
[15:25] <zyga> but it won't have apps or services
[15:26] <morphis> none which are exposed through the snap, right
[15:26] <morphis> but something still has to provide systemd which is handled by the initramfs mounting core18 as / and running systemd outside of a snap environment
[15:27] <zyga> yes, that is whatever has booted, my only point is that snap applications from bases were unanticipated
[15:27] <zyga> it's a bug
[15:27] <zyga> but we need to think what it means if we allow it
[15:27] <morphis> so basically snapd ignores all apps defined in a base snap, correct?
[15:28] <zyga> I don't think it does
[15:28] <zyga> Chipaca: ^ does it
[15:28] <Chipaca> hmmmm
[15:28] <zyga> I think we need to decide if we should ignore all apps / hooks or if we should handle them consistently with the same snap used as base
[15:29] <Chipaca> I'd have to check, as I don't remember offhand, but it's quite possible there's an "if snap.type is app"
[15:29] <morphis> I saw the apps exported as I could do `$ snap run --shell snap.app`
[15:30] <zyga> mvo: review on 5204
[15:32] <morphis> Chipaca, zyga: let me get that base snap back installed and try again
[15:32] <zyga>  morphis can you open a thread about this
[15:32] <Chipaca> morphis: it's also possible there _isn't_ one
[15:33] <zyga> so that we don't forget
[15:33] <morphis> zyga: sure
[15:33] <zyga> I think it's a valid use case
[15:33] <zyga> but I want to be formal about it
[15:33] <zyga> my gut feeling is that bases _must_ use themselves as base
[15:33] <zyga> I need to walk my dog quickly, 15 min AFK
[15:34] <morphis> zyga: if they don't I see weird things happening
[15:34] <morphis> what if a fedora base snap has an app defined which then is executed against the Ubuntu core snap
[15:38] <zyga> Yeah
[15:38] <zyga> I agree
[15:39] <Chipaca> graaaahgh
[15:40] <Chipaca> I think I'm going to start from the other end, and move stuff around for pack, instead of trying to make osutil build everywhere
[15:40]  * Chipaca gets more tea
[15:40] <morphis> zyga: Chipaca: but thanks for the insights
[15:44] <morphis> zyga, Chipaca: ok, both services and apps work when `type: base` is set, however my base is more or less Ubuntu 16.04 as its more or less an app snap relabeled as a base
[15:55] <mup> PR snapd#5268 opened: tests: fix flaky test for hooks undo <Critical> <Simple> <Created by stolowski> <https://github.com/snapcore/snapd/pull/5268>
[15:56] <pstolowski> zyga, mvo ^ a trivial that should fix flaky test that we currently have
[16:00] <zyga> Thank you :-)
[16:08] <pstolowski> zyga: thanks for review, I enhanced the description, hope it makes more sense
[16:08] <mvo> pstolowski: nice
[16:09] <pstolowski> cachio: addressed your suggestion re #5267
[16:09] <mup> PR #5267: tests: retry 'restarting into..' match in the snap-confine-from-core test <Created by stolowski> <https://github.com/snapcore/snapd/pull/5267>
[16:10] <pstolowski> mvo, zyga ^ and that's another trivial re flaky tests
[16:10] <mvo> morphis: sorry, had to step out for a bit, that sounds like something to discuss in the forum, I'm not against having apps for bases but we need to discuss this at least with gustavo
[16:10] <zyga> Ok
[16:11] <mvo> zyga: re review> $< iirc only takes the first "dependency" of a make rule
[16:14] <zyga> yes, did I suggest that?
[16:14] <zyga> I meant $^
[16:14] <zyga> sorry
[16:18] <mvo> zyga: aha, sure
[16:23]  * zyga tea and fixing branches
[16:29] <mvo> zyga: thanks for the review, I will think about the name a bit over dinner (snapd.manager, snapd.entrypoint, snapd.run-from-snapd, snapd.start-me-up, ...) ideas welcome :)
[16:29] <zyga> snapd.stargate
[16:29] <zyga> snapd.snapd.snapd
[16:29] <zyga> snapd.make-it-so
[16:30] <zyga> snapd.startup
[16:39] <zyga> maybe just snapd.run-from-snapd-snap
[16:50] <morphis> mvo: thanks! I will open a forum topic tomorrow
[17:02] <mup> PR snapcraft#2157 opened: nodejs plugin: update to the latest 6.x LTS point release <Created by sergiusens> <https://github.com/snapcore/snapcraft/pull/2157>
[17:29] <mvo> zyga: updated, thanks for your suggestions
[17:30] <zyga> Super, i will check in a sec, finishing my supper
[17:30] <zyga> Which name did you pick?
[17:30] <mvo> pedronis: just to double check - we can kill authConnCheck entirely?
[17:30] <mvo> zyga: your suggestion from earlier: snapd.run-from-snap
[17:31] <pedronis> mvo: afaiu yes,   all those bits are activate/relevant only on "snap login"
[17:32] <zyga> +1
[17:32] <pedronis> *activated
[17:33] <mvo> pedronis: great, less code is always better. I removed those bits now
[18:06] <zyga> mvo: review on 5204
[18:38] <cachio> zyga, https://paste.ubuntu.com/p/tqghBCHfb6/
[18:39] <cachio> any idea why the configure hook is giving me this?
[18:39] <alphawarrior> Hello everyone. Can I update snapcraft from an older version using itself? I'm on gentoo and the "latest" package linked by the snapcraft tutorial on installing only has a 2 year old version :(
[18:53] <nacc> alphawarrior: snapcraft is itself available as a snap
[18:54] <alphawarrior> oh thanks ^^
[19:52] <jzzz> Hello. I'm having trouble getting new vanilla canonical kubernetes installed into lxd containers on my ubuntu host to come back up after a restart. Wondering if anyone might be able to help me. The error msgs seem to point towards apparmor/snap.
[19:56] <jzzz> I'm thinking apparmor/snap is the root cause because `dmesg` shows entries like `[90947.819924] audit: type=1400 audit(1528228545.536:2983): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="/usr/lib/snapd/snap-confine" name="snap-update-ns.kube-apiserver" pid=24205 comm="snap-confine"`
[19:57] <zyga> I’m afk but I will check it out soon
[19:58] <jzzz> with snap-update-ns errors for kube-apiserver and etcd, and similar snap.kubelet.kubelet errors.
[19:59] <jzzz> thx @zyga. pls let me know whatever I can do on my system for more clues.
[19:59] <zyga> Ack
[20:04] <jzzz> the stacktrace from `juju debug-log` looks like it might be kicking off a subprocess that is running a sanity check command (giving back the version) to determine that the service is installed in the container. Here's a pastebin: https://pastebin.com/60VR7gSi
[20:05] <jzzz> so I'm not sure if the apparmor/snap error is a cause or a symptom. :\
[20:08] <jzzz> ``` $ uname -r 4.4.0-127-generic  $ lsb_release -a  No LSB modules are available. Distributor ID: Ubuntu Description:    Ubuntu 16.04.4 LTS Release:        16.04 Codename:       xenial ```
[20:26] <mup> PR snapd#5265 closed:  selftest: add new selftest package that tests squashfs mounting (2.33) <Created by mvo5> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/5265>
[20:31] <cachio> niemeyer, hey, did you see this https://travis-ci.org/snapcore/snapd/builds/388466179 ?
[20:38] <Luke> hey guys, is there a recommended way for dealing with creating and using multiple users within a single snap? For example, nginx + pgsql + the app all being on different users?
[21:03] <mup> PR snapd#5269 opened: systemd: adjust TestWriteMountUnitForDirs() to use squashfs.MockUseFuse(false) <Simple> <Created by jdstrand> <https://github.com/snapcore/snapd/pull/5269>
[21:09] <jdstrand> Luke: not yet. you probably want to follow https://forum.snapcraft.io/t/multiple-users-and-groups-in-snaps/1461
[21:19] <Luke> jdstrand: thanks!
[21:20] <Luke> jdstrand: this is the perfect answer to my question. thanks for taking the time to write this up
[21:21] <jdstrand> Luke: np. it is roadmapped and getting closer to implementing, but it'll be a little while yet
[21:34] <Luke> jdstrand: I think with this post I can work my way around it without too much compromise
[21:36] <jdstrand> cool
[21:36] <zyga> re
[22:17] <niemeyer> cachio: No, fix is due
[22:31] <zyga> jdstrand: can you have another look at 5254 please, I'm still pondering one aspect (has suffix check) but I think I addressed all the points you have raised