/srv/irclogs.ubuntu.com/2018/06/07/#snappy.txt

mupPR snapcraft#2158 opened: rust plugin: fix cargo builds and run tests <Created by tismith> <https://github.com/snapcore/snapcraft/pull/2158>03:28
mborzeckimorning05:05
zygahey hey :)05:14
mborzeckizyga: hey05:15
mupPR snapd#5273 closed: testutil: add test support for Fstatfs <Simple> <Created by zyga> <Merged by bboozzoo> <https://github.com/snapcore/snapd/pull/5273>05:29
zygawoot, thank you!05:30
mborzeckiso are we doing the `snap list --format=..` thing or not?05:38
zygaI ... don't know05:40
zygaI think not05:40
zygamborzecki: 5266 is simple and green05:42
mvomborzecki: it looks like no, lets see if the bugreport is happy about the snap list|awk|tail +2 solution05:45
mborzeckiit was a nice feature :(05:53
mvomborzecki: yeah, I have grown to like it as well05:53
mborzeckithere was a panic from spread in #5271 https://paste.ubuntu.com/p/XXqr7TY9KM/05:58
mupPR #5271: [WIP] cmd: attempt to start the document portal if running with a session bus <Created by jhenstridge> <https://github.com/snapcore/snapd/pull/5271>05:58
mborzeckiniemeyer: ^^05:58
zygamborzecki: I think we saw a few panics yesterday and gustavo is aware of them06:15
zygabut I'm not sure if those are the same panics or if spread was changed but some panics remained06:15
zygahey mvo, good morning06:15
mupPR snapd#5266 closed: interfaces/builtin/docker: use commonInterface over specific struct <Created by anonymouse64> <Merged by zyga> <https://github.com/snapcore/snapd/pull/5266>06:17
zygahttps://github.com/snapcore/snapd/pull/5230 needs a 2nd review06:17
mupPR #5230: interfaces/udisks2: also implement implicit classic slot <Created by jdstrand> <https://github.com/snapcore/snapd/pull/5230>06:17
mvozyga: good morning to you as well!06:18
zygamvo: what's the state of https://github.com/snapcore/snapd/pull/525006:18
mupPR #5250:  interfaces/udev,misc: only trigger udev events on input subsystem as needed <Created by jdstrand> <https://github.com/snapcore/snapd/pull/5250>06:18
zygathere's a conflict but I see that you took care of the feedback06:18
zygaare you working on this or is the conflict recent06:18
zygaer06:18
zygasorry06:18
zygabad PR06:18
zygahttps://github.com/snapcore/snapd/pull/522606:18
mupPR #5226: data: add systemd user environment generator <Created by mvo5> <https://github.com/snapcore/snapd/pull/5226>06:18
zygathis is what I meant06:18
mvozyga: the user envirronment generator? iirc it had some packaging issues I need to look at them06:24
zygaack,06:24
zygaI asked some follow up packaging questions there06:24
mvota06:24
zyga+1 on everything if it works :)06:24
mvota²06:24
zygaunicode :D06:24
Lin-Buo-Ren-alt1https://forum.snapcraft.io/t/organize-another-dir-causes-the-items-under-host-root-directory-to-be-copied-in-another-dir/580606:26
mupPR snapd#5259 closed:  devicestate: support seeding from a base snap instead of core  <Blocked> <Created by mvo5> <Closed by mvo5> <https://github.com/snapcore/snapd/pull/5259>06:58
=== pstolowski|afk is now known as pstolowski
pstolowskimorning o/07:04
mborzeckipstolowski: hey07:06
mvohey pstolowski07:06
zygahey pawel07:26
* zyga -> walk07:45
zygaor maybe in 15 minutes07:46
mupPR snapd#5275 opened: cmd/snap: use snaptest.MockSnapCurrent in `snap run` tests <Simple> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/5275>07:53
mborzeckitrivial pr ^^07:53
mupPR snapd#5276 opened: devicestate: support seeding from a base snap instead of core <Created by mvo5> <https://github.com/snapcore/snapd/pull/5276>08:08
zygamborzecki: https://github.com/snapcore/snapd/pull/5277 :)08:18
mupPR #5277: cmd/snap-update-ns: add helper for checking for read-only filesystems <Created by zyga> <https://github.com/snapcore/snapd/pull/5277>08:18
zygaI'll take your PR for snap run08:18
mupPR snapd#5277 opened: cmd/snap-update-ns: add helper for checking for read-only filesystems <Created by zyga> <https://github.com/snapcore/snapd/pull/5277>08:18
mborzeckihaha ;) trade PRs08:18
zygaspread still panics08:18
zygacan we revert spread somehow?08:18
mborzeckii'm looking into spread right now08:18
zyga+1 on the PR08:19
zygaand I need to go or my dog will hate me08:19
mborzeckizyga: it won't hate you, it'll just piss on the floor :P08:20
zygaand *then* he will hate me ;)08:20
zygano, he's too humble for that I'm not that evil08:20
* zyga -> walk08:20
mvothe spread crash is not happening all the time, right? I saw at least one green PR from me this morning08:21
mvomborzecki: can I restart your failed MockSnapCurrent PR? or do you want to keep it for the error ?08:22
mborzeckimvo: go ahead08:22
pedronismvo: some comments on #527408:26
mupPR #5274: configstate: deny configuration of base snaps and for the "snapd" snap <Created by mvo5> <https://github.com/snapcore/snapd/pull/5274>08:26
mborzeckiniemeyer: https://github.com/snapcore/spread/pull/5908:28
mupPR spread#59: spread: do not panic if error message from google backend is empty <Created by bboozzoo> <https://github.com/snapcore/spread/pull/59>08:28
mvopedronis: great, thank you!08:28
pedronismvo: I don't understand the changer about errDoNothing in 527608:35
pedronismvo: I probably read the new code wrong but it's a bit unclear what's the intention of it08:40
mvopedronis: let me double check08:41
pedronisjust avoid calling trivialSeeding twice?08:41
pedronisI mean from two places08:41
pedronisbut then the comment in import Assertion is misleading08:42
mvopedronis: thanks, let me rework this08:43
pedronismvo: I mean we will not use the model returned by importAssertionsFromSeed in that case08:45
pedronisalso it doesn't get set in state anyway so it wouldn't help later code that needs a model in all cases08:48
pachuloHi! Does anybody knows something the vim snap? https://forum.snapcraft.io/t/vim-snap/557308:48
mvopedronis: yeah, I think this was a misconception my part, these bits can be undone08:53
pedronismvo: I suppose maybe because at some point you were passing model in trivialSeeding ?08:53
mvopedronis: exactly08:53
mvopedronis: using "core" for the config makes all of this much simpler08:54
pedronisI see, anyway as I said return a model that way from importAssertionsFromSeed breaks its invariant so we would needed to do something else anyway08:54
* pedronis errands08:54
mvopedronis: there will be some small complications in the followups because some code checks for that the snap is installed when getting config08:54
mvopedronis: thank you, I will update the PRs08:55
zygare09:06
zygapachulo: hey09:06
zygapachulo: since snap crafters are the publisher I would suggest asking popey about it09:07
zygamborzecki: my PR is green :)09:16
zygano better chance to review it than now :)09:16
zygaoh I see it's reviewed already09:16
* zyga will forever ponder what is the condition under GitHub updates the page without a reload 09:17
zygamvo: ^ quick 2nd review on 527709:17
mborzeckiheh, github ui is terrible09:17
zygaI _like_ the way it looks but _hate_ the way it is stale without apparent reason09:17
mborzeckithe funniest is when you comment on a hunk that gets changed in another patch, and you forgot to switch to 'show all patches'09:17
zygathank you for the review on 5272 pawel09:19
pachulothanks zyga !09:23
zygapachulo: note that you also got a response on the foruom09:23
zyga*forum09:23
zygajamie there is right that there should be a repository under snapcrafters on github09:24
zygamvo: thank you mvo09:26
zygamborzecki: to the point about GitHub UX being not too great, I got a comment (approval) from mvo and it was shown as a comment but the comment / approval count below was stale09:26
mupPR snapd#5277 closed: cmd/snap-update-ns: add helper for checking for read-only filesystems <Created by zyga> <Merged by zyga> <https://github.com/snapcore/snapd/pull/5277>09:28
mvopedronis: thanks again for the review(s), I update the PRs, I added a testcase that loads a snap-setup without a type. interesstingly this does not crash, it only crashes if there is an empty (or invalid) "type":"" in the json09:31
mvopedronis: but maybe you have something different in midn?09:31
mvomind09:31
mupPR snapd#5275 closed: cmd/snap: use snaptest.MockSnapCurrent in `snap run` tests <Simple> <Created by bboozzoo> <Merged by bboozzoo> <https://github.com/snapcore/snapd/pull/5275>09:48
popeypachulo: wassup?10:16
zygapopey: is the vim snap owned by snapcrafters/10:17
zygapopey: and if so, where is the snapcraft.yaml10:17
popeysergio initially created the snap, sergiusens ^10:17
zygamborzecki: one more helper before the main meat of the validation logic10:20
zygamborzecki: #527810:20
mupPR #5278: cmd/snap-update-ns: add IsTrustedTmpfs and tests <Created by zyga> <https://github.com/snapcore/snapd/pull/5278>10:20
pedronismvo: ah see, no, nothing different,  just forgot that behavior of the json umarshaller10:20
mupPR snapd#5278 opened: cmd/snap-update-ns: add IsTrustedTmpfs and tests <Created by zyga> <https://github.com/snapcore/snapd/pull/5278>10:20
mvopedronis: thank you! I feel much better having a test for this :)10:24
pedronismvo: I will re-review after lunch10:26
ChipacaHi all. A notice and reminder that I'm off work today and tomorrow.10:26
zygaChipaca: ack10:29
mvopedronis: ta10:31
mvoChipaca: enjoy! we miss you already10:31
Chipacamvo: :-)10:32
* zyga considers lunch for a change10:37
robert_ancellChipaca, after implementing the /v2/snaps?select=...&snaps=... API in snapd-glib, can you think of any reason to ever have a client use the /v2/snaps/[name] API? I'm thinking of deprecating those old methods.10:45
robert_ancellI guess we continue to use it with POST, but not GET10:46
Chipacarobert_ancell: I'd say if there is it's because of a bug10:49
robert_ancellChipaca, so be clear, /v2/snaps/[name] is really redundant now?10:49
Chipacarobert_ancell: well, it's going to be faster but probably not an issue in practice10:50
Chipacarobert_ancell: but, yeah10:50
Chipacaand it might not even be measurably faster -- i'd have to try to measure10:51
ondrazyga ping10:58
zygaGo11:00
robert_ancellah, there is a bit of a difference /v2/snaps?snaps=blah returns 200 and /v2/snaps/blah returns 40411:02
ondrazyga do we treat kernel snap differently when it comes to interfaces used by hooks?11:03
zygaNot that I know of11:04
zygaKernel should not have interfaces or hooks AFAIR11:04
mborzeckihmm snapshots separate elements using _ in snaphot file names, will need some extra care for parallel installs11:08
ondrazyga I think joc spotted my error here11:11
ondrazyga indeed it's a bit special case I have here, but let's see :)11:11
zygaWhat is the use case?11:11
ondrazyga pi3 kernel update :)11:12
zygaOj11:12
zygaTell me more please11:12
ondrazyga let me proof tested first :)11:12
zygaOk11:12
mvozyga: I updated 5263 based on your feedback (thanks for this btw). also thanks to mborzecki11:18
zygaAck11:18
zygaI will check after lunch11:18
sergiusenszyga, popey: that was my first classic snap ever, we didn't even have a build service yet iirc11:24
mborzeckione huge renames patch coming up, 97 files changed, 875 insertions(+), 702 deletions(-)11:34
zygaWhat is that11:35
zygaSwitching to under_score ;-))11:36
zygaI’m almost done with lunch11:36
zygaWill be home soon11:36
pedronismborzecki: why renaming the dir ones ?11:42
pedronisme is probably missing something11:43
mborzeckipedronis: because some paths end up using StoreName() instead of InstanceName(), hence *Dir() were changed to make me go though each place and update it accordingly11:44
pedronismborzecki: why would a path use StoreName ?11:45
pedronisgenuine question11:45
mborzeckipedronis: eg. inside snap-exec after remount, apparmor profiles which refer to the paths inside the mount ns11:46
pedronismborzecki: but there is no store variant of them,  you then do snap.MountDir(snapName, rev) and similar ?11:47
mborzeckipedronis: yes11:48
mborzeckiand the Instance*Dir() use the same snap.*Dir() helpers11:48
pedronismborzecki: I suppose we could mount files at some point, not sure the it easy though11:48
pedronissorry11:48
pedronisI mean share mount files11:48
mborzeckiit'd be nice11:49
mborzeckiright now each instance will get own copy11:49
pedronisthat's an easier starting point11:49
pedronisthere are fun questions also about conflicts11:49
mborzeckigiven that they can be on different revisions that's also a bit easier to handle11:50
pedronismborzecki: anyway afaiu snap-confine and snap-exec are the only things that need to deal with dirs without instance-key, right?11:50
mborzeckipedronis: and apparmor backend so far11:51
pedronismborzecki: I see an StoreName indeed, why ?11:52
pedronisto repelace SNAP_NAME, but unclear SNAP_NAME can still be used in profiles?11:53
pedronisah, it's because inside vs outside?11:54
pedronismborzecki: ok, I see, we could really sort of keep the old names, but maybe the new names are clearer11:57
pedronisbecause of this inside vs outside issue11:58
mborzeckipedronis: yup11:58
mborzeckipedronis: we can roll back the *Dir() renames later on when the store vs instance name thing is sorted out11:58
pedronismborzecki: anyway it's not tragically big, just a bit,  anyway will need a span of quite time to go over it12:01
pedronismborzecki: did you see test that needed doubling, or did you still not look into that?12:03
mborzeckipedronis: i doubled only few tests, mostly in snap12:07
pedronismborzecki: most places that need StoreName probably need one, places using InstanceName it depends I suppose12:09
zygare12:10
=== pstolowski is now known as pstolowski|lunch
mvozyga: what comment should I add to 526312:27
zygathat there's no locking done by specific functions12:27
zyga(so that we don't forget this)12:27
mvozyga: aha, ok12:29
zygahmm12:29
zygaspread keeps crashing12:29
mvozyga: will do12:29
mvoyeah, spread is not happy today12:29
zygawhich is odd because some PRs are just ireland-grass-green12:30
zygawhile others fail after 1st minute12:30
jdstrandmborzecki: I haven't really been following the conversation (I was conducting and interview-- note to channel: there are open positions on the Ubuntu Security team!)12:31
jdstrandmborzecki: but otoh the things to think about are file paths (both where snaps live, things are mounted, but also apparmor, seccomp, udev, dbus policy files)12:32
jdstrandmborzecki: then the security label ('profile foo' in apparmor policy) and the udev tag (which annoyingly must use underscores)12:33
mborzeckijdstrand: do the underscores have any special meaning there?12:34
jdstrandmborzecki: yes! :) they are the delimiter instead of '.'. udev tags can't have periods12:34
jdstrandmborzecki: eg: SUBSYSTEM=="drm", KERNEL=="card[0-9]*", TAG+="snap_0ad_0ad"12:35
jdstrandmborzecki: that's ok though. we are very strict that it is 'snap_name_cmd'12:35
jdstrandmborzecki: so to date, there will only ever be exactly two underscores12:35
mborzeckijdstrand: right, but then if you have snap_0ad_local_0ad it's fine too right?12:36
jdstrandthat would be difficult12:36
jdstrandsnap_0ad_0ad_local would be better12:36
jdstrandwell12:36
jdstrandyou could do it12:36
mborzeckii mean, the snap is named 0ad_local in this case12:37
jdstrandif count(underscores) == 3, then name is 0ad_local12:37
jdstrandit does mean we'll need to adjust that parsing everywhere though12:37
jdstrandand to finish my PSA for security team position: https://boards.greenhouse.io/canonical/jobs/1158266. it's a great team to work for! :)12:41
mborzeckijdstrand: hmm snap-device-helper seems to do some funny stuff with those names12:42
mvojdstrand: I would totally apply if I hadn't a great team already12:43
jdstrandhehe12:43
jdstrandI'm not trying to poach snapd team members :)12:43
jdstrandthere are others in the channel who may see it ;)12:43
mvojdstrand: I know :)12:43
mvojdstrand: still you guys have a great team12:44
jdstrandmvo: that said, you would be a wonderful addition, as would any of the snapd devs (but I'm not poaching-- I just love working with all of you. good thing I get to continue doing so :)12:44
jdstrandmvo: thanks! it's true. the security team is awesome12:44
mvoheh :)12:44
* mvo blushes12:44
jdstrandmborzecki: right, it needs to convert back to '.' for the device cgroup name in /sys/fs/cgroup/devices12:46
jdstrandmborzecki: eg: /sys/fs/cgroup/devices/snap.firefox.firefox12:46
jdstrandmborzecki: so it would have to learn to do snap_firefox_local_firefox -> snap.firefox_local.firefox12:46
mborzeckijdstrand: right, so another small update there :/12:47
zygamborzecki: btw do you have that huge rename PR ready?12:47
jdstrandmborzecki: we try to use '.' as the delimiter everywhere we can for consistency (I tried to use '_' in the early days, but '.' was deemed prettier (is is))12:47
jdstrandit* is12:47
mborzeckizyga: yes, #525312:48
mupPR #5253: snap: introduce new fields for parallel snap installation <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/5253>12:48
zygaI'll review it after standupo12:48
mborzeckijdstrand: use # and watch as the world burns :P12:48
jdstrandhehe12:48
mvozyga: I think you made me write locking code in the errtracker "db". its just too embarassing to write a comment that there is none12:50
mvozyga: smart move ;)12:50
zygahahaha12:50
* zyga mutters "success" ;)12:51
jdstrandmborzecki: note that in the apparmor profile itself, the security label is set in various apparmor variables at the top:12:55
jdstrand@{SNAP_NAME}="0ad"12:55
jdstrand@{SNAP_REVISION}="18"12:55
jdstrand@{PROFILE_DBUS}="snap_2e0ad_2e0ad"12:55
jdstrand@{INSTALL_DIR}="/{,var/lib/snapd/}snap"12:55
jdstrandprofile "snap.0ad.0ad" (attach_disconnected,mediate_deleted) {12:55
jdstrandmborzecki: you probably saw that, but I mention it specifically for PROFILE_DBUS12:55
zygathis is such an old concept it will take a while to change everywhere12:56
jdstrandmborzecki: that will probably just work, but do make sure you get snap_2e0ad_2elocal_2e0ad when have snap.0ad.0ad12:57
jdstrandmborzecki: sorry12:57
mborzeckijdstrand: SNAP_NAME=0ad_local, then PROFILE_DBUS will be snap_2e0ad_local_2e0ad12:57
jdstrandmborzecki: that will probably just work, but do make sure you get snap_2e0ad_2elocal_2e0ad when have snap.0ad_local.0ad12:57
mborzeckijdstrand: and profile "snap.0ad_local.0ad"12:57
mborzeckijdstrand: snap_2e0ad_2elocal_2e0ad instead of snap_2e0ad_local_2e0ad then?12:58
jdstrandsnap.0ad_local.0ad translated to dbus is snap_2e0ad_2elocal_2e0ad12:58
jdstrandoh no12:58
jdstrand_2e is '.'12:59
jdstrandgimme a sec12:59
pedronismborzecki: seems SNAP_NAME is sometimes used in places that really need the instance name in the templates12:59
jdstrandwhat you use depends on how the mounts are setup13:00
pedronisnot all uses are for directories in the namespace13:00
zygastandup time13:00
jdstrandright13:00
jdstrandI don't know what is happening at the filesystem level13:00
jdstrandbut you'll the security label to include _local for IPC, etc13:01
jdstrandyou'll want13:01
jdstrandmborzecki: it would be easiest if the file accesses looked like /snap/foo_local/... instead of /snap/foo/...13:02
mborzeckijdstrand: hm well, it was requested that we bind mount to /snap/foo13:03
jdstrandmborzecki: but if that isn't possible/desirable, you'll need to introduce another apparmor variable: SNAP_NAME_FILE (or something)13:04
jdstrandeg:13:04
jdstrand@{SNAP_NAME}="0ad_local"13:04
jdstrand@{SNAP_NAME_FILE}="0ad"13:04
jdstrandwith file accesses using @{SNAP_NAME_FILE} and everything else @{SNAP_NAME}13:04
jdstrandmborzecki: that is tricky though. $SNAP is easy enough, but SNAP_DATA, SNAP_COMMON and especially SNAP_USER_DATA and SNAP_USER_COMMON are going to be harder, since you'll have to manage all those addition bind mounts13:06
jdstrandit is possible, just more complexity13:06
jdstrandit is only possible because of the recent user mount work btw since a root processes will be mucking around in the user's home for SNAP_USER_DATA and SNAP_USER_COMMON13:07
zygamvo: https://github.com/snapcore/snapd/pull/5263 is green and has +213:09
jdstrandwe are setting ourselves up for if there is a bug, then 0ad_local might be able to write to 0ad's user data. from a complexity/secure design perspective, I recommend 0ad_local everywhere13:09
mupPR #5263: errtracker: do not send duplicated reports <Created by mvo5> <https://github.com/snapcore/snapd/pull/5263>13:09
jdstrandmborzecki: ^. that doesn't mean I would block the design. but I think that there needs to be an active decision that the benefit outweighs the complexity/risk13:10
jdstrandmborzecki: I would like to be involved in the PR reviews as they pertain to security13:12
mborzeckijdstrand: sure13:12
* jdstrand adds a card to trello so ratliff is aware13:12
jdstrandratliff: this'll be a blue item13:12
* ratliff reads back to understand the priority13:13
jdstrandmborzecki: hmm, I'm not sure how parallel installs are going to work with IPC. eg, two network-managers or two dockers installed13:15
jdstrandmborzecki: they necessarily need to have their service in the global namespace, so will conflict with each other...13:16
mborzeckijdstrand: i suppose common sense will have to prevail here, unless the other docker instance is configured to listen on different path things will break13:18
mborzeckijdstrand: maybe postgres usecase is simpler, local snaps on different ports (docker mangles some kernel state so it's probably not the best thing to be installed mulitple times)13:19
jdstrandmborzecki: yes... perhaps we can start be saying "if you implement a slot, you can't do this"13:19
jdstrandmborzecki: that said, gnome apps all need to slot a dbus interface for the well-known name13:20
jdstrandmborzecki: so they are going to break if parallel installed13:20
jdstrand(and it isn't just gnome)13:21
mborzeckijdstrand: this, probably snaps that have socket activation too13:21
jdstrandyeah13:21
mborzeckiat least using abstract socket paths13:22
jdstrandmborzecki: can you describe the feature of parallel installs? is it documented somewhere?13:22
mborzeckijdstrand: https://forum.snapcraft.io/t/parallel-snap-installs/576313:22
jdstrandmborzecki: well, any path where the client expects to find the server somewhere specific. it could be a dbus well-known name, abstract socket, named socket, pipe, ... all kinds of stuff13:23
niemeyerjdstrand, mborzecki: Can we have a quick sync up call shortly? (after standup, on going)13:24
mborzeckiniemeyer: ok13:24
jdstrandniemeyer: maybe after that we can discuss update-alternatives and interface docs13:25
niemeyerjdstrand: Sounds good!13:25
jdstrandratliff: I created a preliminary card in trello13:27
=== pstolowski|lunch is now known as pstolowski
zygauhhh13:39
zygamy coffee machine erupted :/13:39
pedronisniemeyer: pstolowski: this can be re-reviewed now:  https://github.com/snapcore/snapd/pull/522113:39
mupPR #5221: snap: parse connect instructions in gadget.yaml <Created by pedronis> <https://github.com/snapcore/snapd/pull/5221>13:39
pstolowskiok13:39
zygait punctured the capsule incorrectly and all the coffee went outside the wrong way13:39
geniizyga: Perhaps it's one of those recalled Keurigs13:40
zygano, I'm not familiar with those13:40
mborzeckizyga: just get a moka pot ;)13:40
zygaI'll get a mop and a pot ;)13:40
pstolowskiguys, if you see econnreset test failure again please let me know, i lost yesterday's log when I re-loaded the tab with travis log today13:54
pedronispstolowski: should we add some logging to the retry logic to see the error when we don't retry?13:56
pstolowskipedronis: yep, that may help13:57
jdstrandniemeyer, mborzecki: I tried to summarize much of the above in https://forum.snapcraft.io/t/parallel-snap-installs/5763/314:00
mborzeckijdstrand: thanks!14:03
mvozyga: a second review for 5274 would be great, you did a first pass already afaict14:08
zygaACLU14:10
zygaAck14:10
zygaI wonder what spellchecker contains ACLU14:10
jdstrandniemeyer, mborzecki: I'm ready whenever you are14:10
niemeyerjdstrand: Just finishing a pre-scheduled meeting I had until the half hour.. should be off in 20 or so14:11
jdstrandack14:11
mupPR snapd#5279 opened: interfaces/builtin: create socketcan interface <Created by jocave> <https://github.com/snapcore/snapd/pull/5279>14:18
jdstrandfyi, I've added a review of PR 5279 to my list. I have a number of questions. others might want to wait until I do my first review14:30
mupPR #5279: interfaces/builtin: create socketcan interface <Created by jocave> <https://github.com/snapcore/snapd/pull/5279>14:30
jdstrandjoc: fyi ^ (and thanks for the PR. I'm stepping into a meeting so it'll be a bit)14:31
jocnp, thanks for looking at it jdstrand14:31
niemeyerjdstrand, mborzecki: https://meet.google.com/dnp-muwd-mng14:35
mupPR snapd#5280 opened: httputil: extra debug if an error is not retried <Created by stolowski> <https://github.com/snapcore/snapd/pull/5280>14:36
greybackwho can I poke to get a human reviewer for https://launchpad.net/~gerboland/+snap/chromium-mir-kiosk/+build/24171714:41
mupPR snapcraft#2128 closed: project_loader: stop setting LD_LIBRARY_PATH <Created by kyrofa> <Closed by kyrofa> <https://github.com/snapcore/snapcraft/pull/2128>14:41
greybackah, there's a button. ignore me14:45
didrocksjdstrand: hey, around15:01
jdstranddidrocks: hey, so we were thinking we were going to have the update-alternatives meeting now, but it'll be in an hour or so15:05
jdstranddidrocks: your attendance isn't stricly required, so if you can't attend that's ok, but if you can that would be great. is that an ok time?15:06
didrocksjdstrand: hum, I can't be around at that time, I have some family duties15:06
didrocksjdstrand: I don't think indeed that I'm required, you know update-alternatives as well as I do if not better :)15:06
jdstranddidrocks: that's fine. I understand the problem and even the specifics of the access you desire15:07
didrocksjdstrand: the only thing to remember is that the alternative isn't on a binary, but on a css file used by gdm via gnome-shell15:07
didrocksgdm3.css15:07
jdstrandyep15:07
didrockswhich doesn't match the snap name15:07
jdstrandnope15:07
jdstrand:)15:07
didrocksI guess that's all you need to know :)15:07
jdstrandok, thanks!15:07
didrocksjdstrand: ah, and you got why I separated that in 2 snaps, one arch:all and the other one?15:08
jdstranddidrocks: I'll summarize the outcome in the forum after the meeting15:08
didrocksperfect!15:08
jdstranddidrocks: actually, I forgot that detail15:08
jdstrandthere is gsettings and update alternatives15:08
didrocksjdstrand: basically, I built the theme via Travis CI15:08
didrockswhich is using the docker image15:08
cachioniemeyer, PR for gc ready https://github.com/snapcore/spread/pull/6015:08
didrocksand so, I need to have the theme snap arch: all15:08
mupPR spread#60: Garbage collection for google backend <Created by sergiocazzolato> <https://github.com/snapcore/spread/pull/60>15:09
cachioniemeyer, and tested15:09
didrocksI can't use snapcraft.io because the theme is made of 5 github projects15:09
didrocksand any commit in any of those can trigger a new revisino15:09
didrocksif you are interested into the glory detail, the snapcraft.yaml is: https://github.com/ubuntu/communitheme-snap-helpers/blob/master/snap/snapcraft.yaml15:10
didrocksand the build script is https://github.com/ubuntu/communitheme-snap-helpers/blob/master/build/prepare-build-snap (pulled by the 5 projects in Travis)15:10
didrocksNote: sed -i "s#    source: .*$TRAVIS_REPO_SLUG\.git#    source: \.#" snap/snapcraft.yaml15:10
didrockswhich means "for the current project, take the local branch" (handling PR)15:10
didrocksI guess that's it, more details about what I do for the theme and CI is at https://didrocks.fr/2018/04/10/welcome-to-the-ubuntu-bionic-age-new-wip-ubuntu-theme-as-a-snap/15:11
jdstranddidrocks: it seems you could instead of pointing at 5 repositories, point at one (yours, has files from all 5), and then pull in git commits from the 5 into your one as desired. then you can hook that up and do arch specific builds15:11
didrocksjdstrand: it won't work easily for proposed changes though15:12
jdstranddidrocks: it still isn't clear why the 5 trees requires arch stuff..15:12
didrocksjdstrand: see https://github.com/ubuntu/gtk-communitheme/pull/526#issuecomment-39542260615:13
mupPR ubuntu/gtk-communitheme#526: Made suggested action label button more visible when disabled <Created by clobrano> <https://github.com/ubuntu/gtk-communitheme/pull/526>15:13
jdstrandit would be maintenance overhead, so would have to weigh the options15:13
didrocksthanks to this, on each project, I can detect PR in Travis15:13
didrocksand build a particular snap with that changes on those PR15:13
didrocksthat people can switch to, test…15:13
pstolowski#5280 hit that spread panic15:13
didrocksyou can't really do that with snapcraft.io, which is only one branch on one project15:14
mupPR #5280: httputil: extra debug if an error is not retried <Simple> <Created by stolowski> <https://github.com/snapcore/snapd/pull/5280>15:14
jdstranddidrocks: perhaps that is more of an ev thing then15:14
jdstranddidrocks: but the two-snaps approach doesn't really change the conversation regarding update-alternatives/gsettings, right?15:14
didrocksjdstrand: got the confirmation that's not planned/doable right now on the store side, and I have a solution which works. All this, I mean, "I have to use Travis CI, so docker image, so one arch build, hence arch: all, hence 2 snaps"15:15
didrocksjdstrand: no, it's just to explain why there are 2 snaps instead of one :)15:15
pstolowskimborzecki: how far is your spread fix from landing? do you need a review?15:15
jdstrandI see. ok, well, if it comes up, I can refer back to this15:15
jdstrandthanks!15:15
didrocksjdstrand: thank you! :)15:16
mborzeckipstolowski: niemeyer said he'll do a slightly different fix, we'll have to wait a bit15:17
pstolowskiok15:17
jdstrandmborzecki: re hard link vs symlink> of course, you can't hard link a dir. since we are only talking about $SNAP, you could symlink from the local ones to /snap/foo/current then adjust the template policy as needed15:19
jdstrandmborzecki: that could probably be made to work15:20
mvohrm, 5274 consistently fails with a spread panic here :/15:24
* mvo takes a break15:24
mborzeckijdstrand: afaiu hardlinking was in the context of *.snap (the squashfs images)15:24
jdstrandmborzecki: that would work. it does mean the kernel then has 3 different mount points. I wonder if it will dedupe?15:29
pedronismborzecki: I left some more input into the PR,  some of it is really note about areas that will need attention,  might want to add a TODO now or keep a note15:31
pedronisbut didn't go to the end of it15:31
cachioniemeyer, did you fixed the spread panic issue ?15:34
cachioniemeyer, I can work on that if you want15:35
niemeyerNo, have been in calls all morning, and having lunch now.. sure, if you have a clear view of the fix, please open a PR.. otherwise I can quickly look at it15:36
cachioniemeyer, ok, I'll take a look now15:38
Saviqjdstrand: hey, re: https://forum.snapcraft.io/t/classic-confinement-for-subsurface/5795 - should raw-usb give me access to /dev/ttyUSB0? any idea why I'm not seeing denials even though the app can't open the serial port?15:52
mborzeckicachio: you can take a look at https://github.com/snapcore/spread/pull/59 niemeyer mentioned he wanted something more informative (maybe some logging there as well?)16:07
mupPR spread#59: spread: do not panic if error message from google backend is empty <Created by bboozzoo> <https://github.com/snapcore/spread/pull/59>16:07
mborzeckicachio: don't know if spread is doing direct http calls to the api, if you suspect it's due to 500s the maybe it'd be possible to catch the problem earlier16:09
jdstrandSaviq: if you aren't seeing logged denials, I'm not sure why unless you are non-root or the device didn't end up in the snap's device cgroup16:09
jdstrandSaviq: the raw-usb interface uses var rawusbConnectedPlugUDev = []string{`SUBSYSTEM=="usb"`}16:09
jdstrandSaviq: it does not have /dev/ttyUSB*, but I would expect a denial to be logged16:10
jdstrandSaviq: you can see what is allowed to the snap in the cgroup with: cat /sys/fs/cgroup/devices/snap.name.cmd/devices.list16:11
cachiomborzecki, sure, I'll take a look16:12
jdstrandSaviq: (but you will need to have run the snap once for that to show anything)16:12
mborzeckicachio: this will only prevent the panic, if you can catch the problem earlier that'd be great16:12
zygajdstrand: hey, can you please enqueue https://github.com/snapcore/snapd/pull/5278/files16:14
mupPR #5278: cmd/snap-update-ns: add IsTrustedTmpfs and tests <Created by zyga> <https://github.com/snapcore/snapd/pull/5278>16:14
=== pstolowski is now known as pstolowski|afk
pedronismborzecki: btw another thing to consider is that there might be places that assume there is one local snap name for each snap-id,  which will no longer be true, UpdateMany and helpers is example (but problably not the only one), they use a stateByID map16:17
pedronisatm16:17
jdstrandok16:20
zygathank you16:20
rbasaknacc: o/16:22
rbasaknacc: oh, I'm wrong16:22
rbasakgpgrt_get_syscall_clamp appears in usr/lib/libgpg-error.so.0.22.0 both the good and bad snaps16:22
niemeyermborzecki, cachio: No logging at this point.. we already have logging.. it's the creation of the error that is wrong16:22
rbasakThat doesn't seem right16:23
naccrbasak: yeah it's right :)16:23
naccrbasak: the only thing i've been able to determine is when _pygit2's ldd shows the wrong libgpg-error16:24
naccwhere determine == indicates a good or bad snap16:24
naccrbasak: it's what makes me think our build is fine and it's a bug in snapcraft :)16:24
zygamvo: did another pass over 527416:24
cyphermoxogra_: poke; ubuntu-core-libs, do you want to get that seeded somewhere (tbh, I'm not sure where) so it ends up in main?16:25
cyphermox(bug LP: #1572539)16:25
rbasaknacc: yes, that does look different: https://pastebin.ubuntu.com/p/xtnYDMhYR7/16:25
rbasaknacc: OK, I think I might be caught up with you now :)16:26
mupBug #1572539: [MIR] ubuntu-core-libs <ubuntu-core-meta (Ubuntu):Fix Committed> <https://launchpad.net/bugs/1572539>16:26
naccrbasak: sorry, otp right now; and thit is almost exactly what we hit before, so i had a lot of context in my head16:26
naccrbasak: and yep, that's exactly the symptom i see16:26
nacci think it's a bug in the rpath/patchelf usage by snapcraft16:26
rbasakWould you agree it's non-deterministic in snapcraft? And I'm just unlucky that it only happens on Launchpad and not locally?16:27
naccrbasak: that's my suspicion; did you notice one of my CI runs failed the way your didn't?16:27
naccand in the same way as LP's build did16:27
rbasakI didn't, but I guess you're just luckier than I am then :)16:27
nacckyrofa: mentioned that the deterministic ordering stuff is in a PR now16:28
rbasakEven if it's made deterministic, how do we make sure that the one used is the one we want?16:28
nacclike i mentioned in #launchpad, it might make us fully broken or it might fully fix it :)16:28
rbasakRight :)16:28
zygamborzecki: can you do a quick pass over 528716:28
zygaer16:28
zyga527816:29
naccyeah, it depends on what the bug we're hitting actually is, and for that i think we need kyrofa or sergiusens to look16:29
rbasakI think we also need snapcraft to follow our ignores from the stage directive16:29
naccrbasak: i think it does, right? do we ever see the wrong libgpg-error in stage?16:29
* zyga has some mental thing where sometimes last two characters and almost always last two digits get swapped16:29
naccrbasak: *possibly* the rpath needs to respect the eliding16:29
rbasakI don't know what's present in stage in the broken case since I can't reproduce a broken build tree16:29
naccyeah16:30
rbasakBut I don't see anything in stage/lib/ in the successful case, which is where I'd expect that one to go16:30
rbasakSo I think the ignore is working, but it's later being unignored.16:31
naccright, could be16:31
naccthis was a pain to debug, and kyrofa just understood the details a lot better than i did and was able to figure it out faster than i could :)16:31
rbasakSo I guess we're broken until this can be addressed in snapcraft. In the meantime, the best I can do is manually build the snap locally and upload after verification that it's OK.16:32
rbasakI wonder if I can hack an actual deletion of the file from parts/16:33
rbasakAnd if that would break anything16:33
rbasakNot that I could test that since I can't reproduce :(16:34
kyrofarbasak, nacc yeah I think the first thing we need is a way to reproduce16:35
kyrofarbasak, have you tried using edge, by any chance? One (of two) deterministic-fixing things has landed there16:35
cachiomborzecki, niemeyer the PR works well16:36
cachioniemeyer, but there is something else which is causing this 50016:36
rbasakkyrofa: I could try locally where I can't reproduce, but I'm not sure where that'll get me16:36
kyrofarbasak, i.e. with edge, you should notice that snapcraft handles parts in the same order between runs16:36
kyrofarbasak, it may allow you to reproduce every time, or it may fix LP, haha16:36
zygajdstrand: #5279 is interesting16:36
mupPR #5279: interfaces/builtin: create socketcan interface <Created by jocave> <https://github.com/snapcore/snapd/pull/5279>16:37
rbasakI don't think I have any choice about what LP runs16:37
rbasakBut I can see if it reproduces every time, sure :)16:37
kyrofaIndeed, and it won't be fixed there yet anyway16:37
kyrofaYeah see if changes anything for you locally16:37
rbasakI'm running out of time today. I'll try that tomorrow.16:37
niemeyercachio: What PR?16:37
cachioniemeyer, https://github.com/snapcore/spread/pull/5916:37
mupPR spread#59: spread: do not panic if error message from google backend is empty <Created by bboozzoo> <https://github.com/snapcore/spread/pull/59>16:37
rbasakkyrofa, nacc: thank you for your help.16:37
jdstrandzyga: yes I mentioned that earlier16:38
kyrofaOf course. I'll chat with sergiusens and see if we can get the other deterministic thing sorted as well16:38
zygaoh, sorry I missed trhat16:38
kyrofa(library search order)16:38
niemeyercachio: No it doesn't work well.. an error value that says "error" is quite pointless16:38
naccrbasak: np, sorry for not documenting what i found better16:38
sergiusensrbasak, nacc: since you are building with jenkins, I would suggest you use the snap instead of the deb. We are waiting for that change to happen for buildd's as well16:40
joczyga: the question about whether to use network interfaces is indeed interesting, i'll wait to see what you all think!16:40
zygajdstrand: AFAIK some filesystems are toying with hardlinking directories but it's not mainline yet16:40
zygajoc: I'm +0.8 on making it a socket type and going with existing interfaces16:41
mvopstolowski|afk: here is a econnereset https://api.travis-ci.org/v3/job/389153950/log.txt for you (you asked earlier)16:43
zygajdstrand: oh and totally forgot to ask you16:43
pstolowski|afkmvo: great, thanks, i'll save it and inspect tomorrow16:43
zygajdstrand: the new seccomp deferral to userspace feature that was on LWN looks super juicy16:43
zygajdstrand: do you think we should eye supporting that?16:43
mvozyga: 5263 is also ready for another look16:44
mvopstolowski|afk: yw16:44
zygamvo: I was reading it already16:45
zygajust approved it again16:45
zyga(with two questions)16:45
mupPR snapd#5272 closed: cmd/snap-update-ns: improve wording in many errors <Created by zyga> <Merged by zyga> <https://github.com/snapcore/snapd/pull/5272>16:45
zygapstolowski|afk: econreset: https://api.travis-ci.org/v3/job/389153950/log.txt16:46
pstolowski|afkzyga: yep, just got it from mvo above, thanks16:47
zygado you want me to save the log and restart?16:47
zygamvo: shall we close https://github.com/snapcore/snapd/pull/5234 ?16:49
mupPR #5234: snap: add `snap list --format=...` option <Created by mvo5> <https://github.com/snapcore/snapd/pull/5234>16:49
jdstrandzyga: I think that is the bit that lxd and other container managers wanted. tyhicks could probably comment further. iirc, that is potentially interesting for prompting, but iirc, jjohansen mentioned that it wasn't sufficient. jjohansen already started apparmor prompting16:51
zygaI was wondering about how fast it is and if it could be used to make changes to seccomp "profiles" instant without process recycling16:52
jdstrandhttps://lwn.net/Articles/754789/ is what I presume you looked at16:52
zyga_perhaps_ https://lwn.net/Articles/756233/16:52
zygajdstrand: this is also potentially super useful for... classic confinement16:53
zygawe could do smart exec interception16:53
zygaexecing inside $SNAP would give you the dynamic linker interception with correct flags16:54
jjohansenits interesting, arguments from it are still a problem16:54
zygaexecing outside would give you the regular behaviour16:54
zyga(so finally we could ship bash as a classically confined app)16:54
zygajjohansen: yes, I understand it's still WIP16:54
zygaI'd love if some work to copy the arguments for inspection was applied to seccomp as this would make it x10 more useful16:55
cachioniemeyer, yes, that's true, I am still researching what it is causing that google returns the error16:55
jdstrandhmm, apparently my subscription expired16:55
zygajjohansen: hey :-) how are you?16:55
jjohansenhey zyga16:55
jdstrandthat's weird16:55
niemeyercachio: I don't think that's critical in this case.. a 500 is an error on Google side.. it's blowing up beyond our control.. what we need is to simply be able to display that, and to retry if needed.16:55
niemeyercachio: Most backends, and I suspect Google included, already have logic for retrying on such errors16:56
zygajdstrand: I sent you a subscriber link16:56
zyganiemeyer: spread broke google? :-)16:56
zyganext up, azure!16:56
niemeyerzyga: Apparently..16:56
cachiohehehe16:56
jdstrandI would have to believe there would be a significant performance hit16:56
zygajdstrand: people in the thread there say it's next to none16:56
jdstrandzyga: like, we have the old policy in the kernel and ask userspace if it has something new?16:57
zygaI didn't read the patches or anything, it just looks interesting on the outside16:57
jjohansenzyga: the problem with seccomp args is that copying them is TOCTTOU race16:57
zygajdstrand: I think the point is that there is no policy16:57
jjohansenwhich is always bad for security16:57
zygait's a decision that goes to userspace to ack (perform) and return a result / error / fd16:57
zygajjohansen: I know but I was hinting at a way to copy them out once16:57
zygajjohansen: and then pass them to other layers already in the kernel16:57
cachioniemeyer, it is nice to this this comment in the code16:58
cachio/ Repeat on 500s. Comes from Linode logic, not observed on Google so far.16:58
zygajjohansen: it's doable, just nobody is doing that apparently16:58
zygajjohansen: perhaps not everything can be copied but common string / stat buffers should be ok16:58
jjohansensure, problem is you need to rewrite the whole syscall stack todo that16:58
zyga:D16:58
cachioI should update it too16:58
zygaI understand that's probably the reason16:58
zygajjohansen: it's the kernel, I don't doubt it will happen, initially people will hate it, then several years later it will be better than sliced bread16:59
zygajust after more drivers in userspace and other microkernel things ;)16:59
jjohansenzyga: uhmmm, probably not ever going to happen16:59
zygajjohansen: well, isn't that _already_ happening?16:59
jjohansenit might happen on a couple syscalls17:00
jjohansenzyga: no17:00
zygaelf in userspace17:00
zygaah, the syscall thing17:00
zygabut the syscall data has to be copied out anyway17:00
zygawell, I'm not a kernel hacker, I'm sure it's not trivial and very performance sensitive17:00
jjohansenzyga: they are just copying the 6 register values for the syscall, regardless of whether the syscall actually uses 6 register values17:01
zygait's just that I don't believe in "no" anymore as the kernel has crazier stuff thrown into it every year17:01
niemeyercachio: Do you have that debug output which observed the 500 at hand?17:01
jjohansenzyga: eg. ioctl, that syscall has different params values sizes, .. based on which ioctl it is and new ones are always being added17:02
cachioniemeyer, this it what I have https://paste.ubuntu.com/p/HMvvxNMq9G/17:02
zygajjohansen: that's a good point17:02
jjohansenits a complete mess, and only the specific ioctl handler deals with it17:02
zygajjohansen: still, handling open and a few related calls this way would make seccomp incredibly more powerful17:02
jjohansensome syscalls maybe will get the treatment but not all of them17:02
zygaioctl can stay as is17:02
jjohansenzyga: there are other reasons it problematic for seccomp to access the args17:03
jjohansenlike it needs to do the copy from user but its in the syscall assembly code level17:03
niemeyercachio: Nice, thanks.. let me cook something up quickly17:03
jjohansenits not impossible, but it sure makes things uglier17:03
Saviqjdstrand: so ttyUSB0 seems to be 188:0 AFAICT and devices.list does not have that17:11
Saviqbut agreed I don't understand why no DENIED17:11
jdstrandSaviq: DAC is evaluated first, so if it isn't in the device cgroup, then no denial17:14
jdstrandSaviq: what is the output of: udevadm info /dev/ttyUSB017:14
Saviqjdstrand: http://paste.ubuntu.com/p/vtxzQHHVWQ/17:14
jdstrandSaviq: it isn't tagged: E: TAGS=:systemd:17:15
zygabtw, jdstrand I don't know if you are aware of an issue with systemd and the recent introduction of bind/unbind events17:16
jdstrandSaviq: what is the output of: snap interfaces -i raw-usb17:16
zygait apparently has caused issues with udev tagging17:16
* zyga stumbled upon systemd bug report about this17:16
jdstrandzyga: I'm not on that specific issue. when was it introduced? I needed to redo things some time ago for a change in behavior17:17
jdstrandniemeyer: is now a good time to meet?17:18
cachioniemeyer, I am not getting the panic anymore with this change https://paste.ubuntu.com/p/VhKjqwdnyf/17:20
jdstrandSaviq: fyi, the device.list with c:188:0 is 'character device' with major 188 and minor 0. ls -l /dev/ttyUSB0 will of course give you major minor. I don't have a USB serial plugged in so didn't confirm 188:017:20
cachioniemeyer, basically because the error message is comming empty17:21
niemeyerjdstrand: Just finishing the proposed change and will be with you17:21
jdstrandSaviq: but, clearly the device isn't udev-tagged so I wouldn't expect it in there17:21
niemeyercachio: I don't know how to say that more clearly.. we discussed this in the meeting, and I just explained above.. of course the error is gone if you kill the error message17:21
niemeyercachio: We don't want that17:21
niemeyercachio: We want to fix the error message instead.. please leave it with me.. I'll push a change in a minute17:22
zygajdstrand: let me find the bug link17:22
zygajdstrand: it's already deployed to bionic17:22
zygajdstrand: the summary of the bug is: systemd sees bind/unbind events and treats them as add/remove, dropping tags17:23
zygahttps://github.com/systemd/systemd/issues/822117:23
zygathe comments indicate that this has caused widespread issues17:23
jdstrandzyga: this seems different from what I saw and that systemd will need a patch17:25
mupPR snapd#5280 closed: httputil: extra debug if an error is not retried <Simple> <Created by stolowski> <Merged by stolowski> <https://github.com/snapcore/snapd/pull/5280>17:26
niemeyercachio: Please give this a shot and let me know how it goes: https://github.com/snapcore/spread/commit/9aa319e17:30
niemeyercachio: It's in master17:30
niemeyermborzecki: ^17:31
cachioniemeyer, sure17:31
niemeyerMost of the change in the loop is just indenting it in  so we can repeat the call from later on17:31
niemeyerjdstrand: I'm ready17:32
niemeyerjdstrand: https://meet.google.com/ipr-very-aqb17:32
jdstrandok17:33
cachioniemeyer, it is working17:35
cachiospread images was failing 100% of the runs and now it does not fail anymore17:35
niemeyercachio: Nice, so retrying is working as well17:40
cachioyes17:41
Saviqjdstrand: so devices.list http://paste.ubuntu.com/p/x6h58TrPPk/ does not have 188:0 in it, where would you say the missing piece is? udev rules?17:41
mupPR snapd#5281 opened: snap: reject more layout locations <Simple> <Created by zyga> <https://github.com/snapcore/snapd/pull/5281>17:47
* zyga -> teak17:57
zygatea17:57
zygaPharaoh_Atem: https://www.linux.com/learn/intro-to-linux/2018/5/get-started-snap-packages-linux :-)18:24
zyganice18:24
Pharaoh_Atemwell then18:26
Pharaoh_Atemthat's surprising18:26
zygaon Fedora :)18:26
cachioniemeyer,  with this error on spread I could test the garbage colletion very well18:38
cachioCurrently I am running it18:38
cachioniemeyer, I am cleaning more than 400 machines18:43
niemeyercachio: Wow19:01
niemeyercachio: How come we have that many leftovers?19:02
cachioniemeyer, all the builds that failed in travis because of the issue left all the machines alive19:04
cachioand the testing I did to reproduce errors too19:04
niemeyerAh, makes sense19:06
* zyga breaks for some book reading19:20
mupPR snapd#5263 closed: errtracker: do not send duplicated reports <Created by mvo5> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/5263>19:42
cachioPharaoh_Atem, hey, did you see this one?19:51
cachiohttps://travis-ci.org/snapcore/snapd/builds/389407059#L197319:52
Pharaoh_Atemlooks like someone needs to fix the sed command19:52
Pharaoh_AtemI think that was originally added by mvo19:52
Pharaoh_Atemalso, bogus date should be fixed too19:53
jdstrandniemeyer: ok, I sketched out a pretty complete design that someone could run with here: https://forum.snapcraft.io/t/classic-confinement-request-communitheme-set-default/5146/2420:00
cachioPharaoh_Atem, ok, I'll try20:00
jdstrandniemeyer: please review and ack since I made a couple tweaks and thought about future iterations that might affect the yaml20:00
mvozyga: did my answers to 5274 look reasonable? I whish there was a "stack this PR on top of the other" feature in GH, I have a nice cleanup pending on top of 527420:10
jdstrandSaviq: sorry, I was in a meeting. what is the output of: snap interfaces -i raw-usb?20:15
zygaMvo: I didn’t check yet. My computer is occupied by the family20:25
naccrbasak: fwiw, i thought i had a brilliant idea, that maybe we weren't specifying that pygit2 needed to be built/staged after libgpg-error, but afaict, pygit2 comes from git-ubuntu's dependencies, which is after devscripts which is after gnupg2 which is after libgpg-error.20:27
naccrbasak: but i think that might be the way to debug it, if we can get a failure and success log20:27
zygajdstrand: will alternatives allow coping of binaries out?20:29
jdstrandzyga: not by a strict definition of what you just said, but yes it allows confinement escape. the post discusses that20:29
cachioniemeyer, did you already updated spread on amazonaws?20:30
zygaRather than escape I was wondering about just working outside of the namespace20:30
cachioniemeyer, some builds still failing with the spread issue20:30
cachiolast error that I saw was 30 minutes ago20:31
Saviqjdstrand: http://paste.ubuntu.com/p/Zpq4mKT6vt/20:31
jdstrandzyga: the mechanism would allow substituting, say, /usr/bin/vim, for something copied from the snap into /var/lib/snapd/alternatives. the process regulating the use of the interface would not20:31
jdstrandSaviq: ok, and what is in /etc/udev/rules.d/70-snap.subsurface.rules20:32
zygaI don’t follow how a binary copied out of a snap would operate20:32
jdstrandzyga: it wouldn't20:33
zygaShared libraries, data, etc20:33
jdstrandzyga: we wouldn't allow it20:33
zygaAh20:33
zygaSo what would we allow20:33
jdstrandbut the interface is general20:33
zygaI assume the copy is for a specific purpose20:33
jdstranddid you read the topic?20:33
jdstrand:)20:33
zygaOn the forum20:33
jdstrandyeah20:33
zygaYes, maybe misread or missed the point20:33
jdstrandit is prompted to change out the the gdm css theme file20:34
zygaOr probably just sleeping :-)20:34
jdstrands/the the//20:34
zygaYeah data would work fine20:34
zygaBtw20:34
zygaCould this be the general exports mechanism?20:34
jdstrandfrom a mount namespace perspective, yes, not for confinement escape. that is why it is manual20:35
zygaEg export wallpapers/man pages/themes/other data20:35
zygaWith alternatives on top20:35
jdstrandzyga: general exports> no, it is specifically for updating symlinks in the 'update-alternatives' system (see the man page if you are unfamiliar with it)20:35
zygaRight20:36
jdstrandzyga: I mean, maybe20:36
zygaOk20:36
jdstrandit depends on how it is all put together. it might be good, it might not20:36
Saviqjdstrand: http://paste.ubuntu.com/p/bH6cXrmqFx/20:36
zygaBtw: very nice write-up20:37
jdstrandzyga: alternatives is about files, not directories, so for a general export mechanism it wouldn't work well. for a handful of files, sure20:37
zygaI was thinking just about the copy part20:38
zygaAnd perhaps about /var/lib/snapd/e ports20:38
jdstrandSaviq: that looks correct. what happens if in one terminal you do: 'sudo udevadm monitor --subsystem-match=usb' and then you unplug and plug in the device20:39
jdstrandSaviq: then, give my the output of the monitor command and 'sudo udevadm info /dev/ttyUSB0'20:39
jdstrandzyga: the locations and dir structure in /var/lib/snapd/alternatives could change. I had to make that up as I wrote it cause I realized gdm might crash if it starts before the communitheme-set-defaults snap was mounted20:40
zygaMmm20:41
jdstrand(we initially said that the alternative would point to /snap/name/current/...20:41
jdstrand)20:41
jdstrandthat won't work great for a number of things20:41
zygaI will watch this closely, I can help with the code as well20:42
jdstrandI don't know who will work on it. I just participated in the design. if I am to do it, would need to get it prioritized with stakeholders, etc, etc20:43
jdstrandbut I tried to lay it all out so someone could run with it20:43
jdstrandbut we need a final approval on the design/write-up20:43
zygaAgreed20:45
Saviqjdstrand: https://pastebin.ubuntu.com/p/34x4k6RjxW/20:47
jdstrandzyga: I added a note to the writeup that only files are supported20:47
zygaThanks20:47
jdstrandSaviq: oh, this is on bionic?20:47
jdstrandSaviq: I think you hit zyga's bug: https://github.com/systemd/systemd/issues/822120:48
jdstrandSaviq: I suspect this might work on a xenial system (or perhaps bionic with just the xenial kernel). can you file this against systemd in Ubuntu if it works on xenial and not bionic20:50
zygaI really wonder how something this huge went under everyone’s radar since 4.1220:50
jdstrandzyga: it looks like it is subsystem dependent. eg, the input subsystem has no bind/unbind event if I plugin a joystick20:51
zygaMm20:52
zygaI see a swarm of bins/unbind messages but I didn’t check the details20:52
zygaIt may also explain why my ..  battery doesn’t work20:52
zygaI have a battery that ought to charge a ThinkPad via usb-c pd20:53
zygaIt supposedly works in windows20:53
zygaBut when I plug it I see a bazillion of errors and bind/unbind calls20:53
zygaOh well20:53
zygaSoftware20:54
jdstrandseems this would plausibly be it. the bug had a patch you could run locally if you were desperate :)20:54
zygaAs long as we don’t have GNU/Linux toilets20:54
zygaYeah, I think I’ll pass for now. I mostly work on a desktop20:54
jdstrandheh20:55
jdstrandwe might be able to work around this in snapd based on https://github.com/freedesktop/ModemManager/commit/c07382a486f53e1b3cf729b41518d2a0ba528f5a20:57
Saviqjdstrand: oh!20:58
* Saviq boots xenial up20:58
* jdstrand tries to find his usb serial20:59
mupPR snapcraft#2143 closed: lifecycle: don't clean priming area if the snap is being tried <Created by kyrofa> <Merged by sergiusens> <https://github.com/snapcore/snapcraft/pull/2143>21:03
cachioniemeyer, https://travis-ci.org/snapcore/snapd/builds/38916627921:12
cachioniemeyer, it is not happening in all the builds, it is more sporadic now21:12
jdstrandSaviq: actually, I figured it out21:23
jdstrandzyga: you may want to listen21:23
zygaI'm here actually21:23
jdstrandSaviq (cc zyga): snapd isn't affected by that systemd issue because while bind and unbind come through, snap-device-helper ignores them21:24
jdstrandSaviq (cc zyga): the problem is that udevadm info /dev/ttyUSB0 is reporting the subsystem as tty21:25
zygado we need to update any bundled udev rules that don't involve just tagging via s-d-h ?21:25
jdstrandzyga: probably21:25
jdstrandsomeone should look at that. modem-manager was specifically affected21:25
jdstrandSaviq (cc zyga); but if I change the rules file in /etc/udev/rules.d/70... to have something like this, it works (on 18.04 and 4.15):21:26
jdstrandSUBSYSTEM=="usb", TAG+="snap_test-policy-app-consumer_raw-usb"21:27
jdstrandSUBSYSTEM=="tty", ENV{ID_BUS}=="usb", TAG+="snap_test-policy-app-consumer_raw-usb"21:27
jdstrandTAG=="snap_test-policy-app-consumer_raw-usb", RUN+="/usr/lib/snapd/snap-device-helper $env{ACTION} snap_test-policy-app-consumer_raw-usb $devpath $major:$minor"21:27
jdstrandSaviq (cc zyga): it is the second rule that I added21:27
jdstrandSaviq: I'll create a PR21:27
zygahmmmm?21:31
zygawait21:31
zygaso we append a tag (to a set of tags)21:31
zygathen if tag is .. what we added we run the helper21:31
zygais this exploiting the fact that bind/unbind reset tags?21:31
jdstrandzyga: huh?21:31
jdstrandno21:31
jdstrandthe subsystem doesn't match21:31
jdstrandthe first is what we have now21:32
zygathis is what I don't understand https://www.irccloud.com/pastebin/vLHFJYLd/21:32
jdstrandudevadmin info /dev/ttyUSB0 shows the subsystem as E: SUBSYSTEM=tty21:32
jdstrandtherefore the first rule will never match21:32
jdstrandso we add a tty rule that only adds tty devices that are usb21:33
jdstrandzyga: what's the problem?21:33
zygaI think I just need sleep21:34
zyga:)21:34
zygaI will read it with fresh mind tomorrow21:34
jdstrandif subsystem is tty and the property ID_BUS is set to usb, tag the device21:34
zygaI perhaps need to see it on a wider screen21:34
zyganot on IRC21:34
zygaand check where the newlines are21:34
jdstrandwell, you'll see it in a PR in a moment21:34
zygaas wrapping and udev using most horrid syntax makes it confusing21:34
zygasystemd guys, really, udev rules are the worst21:34
mupPR snapd#5282 opened: interfaces/raw-usb: also allow usb serial devices <Created by jdstrand> <https://github.com/snapcore/snapd/pull/5282>21:45
jdstrandSaviq, zyga: ^21:45
zygajdstrand: can you please review https://github.com/snapcore/snapd/pull/5281 :)21:54
mupPR #5281: snap: reject more layout locations <Simple> <Created by zyga> <https://github.com/snapcore/snapd/pull/5281>21:54
zygait's just a rescue from a PR I closed21:54
mupPR snapcraft#2159 opened: many: extract lifecycle ordering into own module <Created by kyrofa> <https://github.com/snapcore/snapcraft/pull/2159>22:03
niemeyercachio: No, haven't updated the Travis binaries.. will do so today still22:16
mupPR snapcraft#2156 closed: snap: use apt from the archive instead of compiling <Created by sergiusens> <Merged by kyrofa> <https://github.com/snapcore/snapcraft/pull/2156>22:21
niemeyercachio: Updated.. please let me know how it goes23:19
niemeyerJust restarted that build as well23:20
cachioniemeyer, great, thanks23:39
Matthew-SDoes anyone know how stage-packages are resolved? Do they refer to regular Ubuntu packages or something else? Thanks23:59

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!