mborzecki | morning | 05:10 |
---|---|---|
mborzecki | mvo: hi, any ideas if snapd will blow up if there's apparmor support in the kernel but no userspace tools? | 06:07 |
mvo | mborzecki: that sounds likely | 06:08 |
mvo | mborzecki: I think we need an extra check in the release.Apparmor code that checks if apparmor_parser is available | 06:08 |
mvo | mborzecki: should be a trivial PR | 06:08 |
mvo | mborzecki: and nice catch | 06:08 |
mborzecki | mvo: i'll look into that | 06:09 |
mvo | mborzecki: ta | 06:10 |
mvo | mborzecki: and GOOD MORNING :) | 06:10 |
mborzecki | mvo: hah right :) morning | 06:10 |
mvo | mborzecki: I also left some feedback in the arch -hardened kver PR, nice catch on the details of the kernels there | 06:12 |
mborzecki | mvo: saw your review, thanks | 06:13 |
mborzecki | mvo: nice thing is apparmor will be in the default kernel in arch, but you still need to pass apparmor=1 security=apparmor to the kernel and have the userspace tools, need to make sure we degrade gracefully | 06:14 |
mvo | mborzecki: nice! thats a good step forward | 06:15 |
zyga | good morning! | 06:45 |
mvo | hey zyga ! good morning | 06:45 |
* zyga is sleepy but needs to wake up rapidly | 06:45 | |
zyga | today I plan to spend 30% on PRs (reviews and gardening) and 70% on helping with a CE request | 06:46 |
mup | PR snapd#5715 closed: selftest: detect if apparmor is unusable and error <Created by mvo5> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/5715> | 06:46 |
zyga | mvo: question about 5715 | 06:53 |
zyga | https://github.com/snapcore/snapd/pull/5715#pullrequestreview-149598142 | 06:53 |
mup | PR #5715: selftest: detect if apparmor is unusable and error <Created by mvo5> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/5715> | 06:53 |
mborzecki | zyga: hey | 06:54 |
zyga | :-) o/ | 06:54 |
mvo | zyga: whats the question? | 06:58 |
zyga | mvo: I asked in the review if there's any difference about the two lines that check for the new message inside a container | 06:58 |
mvo | zyga: aha, sorry, I see it now. one is the loop but we also need to ensure the loop did not timeout | 06:58 |
zyga | ah | 06:59 |
zyga | that makes sense, thanks | 06:59 |
mvo | zyga: ok | 06:59 |
mvo | zyga: does it look ok otherwise? sorry did not see that we were also reviewing | 06:59 |
zyga | yes, it looks good :) | 06:59 |
zyga | nice and simple | 06:59 |
zyga | (which is not to say that it is easy, it's great to make simple things) | 07:00 |
mvo | ta | 07:00 |
mborzecki | mvo: for the record, i've removed apparmor tooling and cannot remove snaps anymore https://paste.ubuntu.com/p/fhmfjm6vhM/ | 07:11 |
mvo | mborzecki: can you install snaps? or does anything install/remove related break? | 07:14 |
mborzecki | mvo: snap remove/install errors out on security profiles | 07:15 |
=== pstolowski|afk is now known as pstolowski | ||
pstolowski | morning | 07:15 |
mborzecki | mvo: refresh probably doesn't work either as it's practically install under the hood | 07:15 |
mborzecki | pstolowski: hey | 07:16 |
mborzecki | zyga: when checking if we need to downgrade apparmor template to classic, do we care about specific kernel version, or is 4.16+ good to go in general? | 07:17 |
zyga | mborzecki: it was just the version that opensuse happened to ship with | 07:17 |
zyga | and was meant as an experiment to see what breaks | 07:17 |
zyga | I think it was successful though | 07:17 |
mborzecki | zyga: any clue how network_v8 is different from network in apparmor features? | 07:56 |
zyga | some, network is just "you can interact with given set of sockets", there's a very simple table that has some flags per socket type (AF_INET, AF_INET6, etc). | 07:58 |
zyga | network_v8 is ... more than that :) I heard that fine grained network mediation was coming | 07:58 |
zyga | so perhaps there's a more rich table now | 07:58 |
zyga | let me look quickly | 07:58 |
zyga | mvo: can you please look at https://github.com/snapcore/snapd/pull/5721 | 08:00 |
mup | PR #5721: interfaces: retain order of inserted security backends <Created by zyga> <https://github.com/snapcore/snapd/pull/5721> | 08:00 |
zyga | (again, updates based on your review) | 08:01 |
mvo | zyga: sure | 08:01 |
zyga | thanks :) | 08:01 |
zyga | mborzecki: looking now | 08:02 |
mborzecki | zyga: found this https://www.mail-archive.com/apparmor@lists.ubuntu.com/msg09772.html | 08:04 |
zyga | mborzecki: this is not new stuff, it was merged in July 2017 | 08:05 |
zyga | mborzecki: it's the old network support code from ubuntu, now mainline | 08:05 |
zyga | (I'm looking at torvald's tree) | 08:05 |
niemeyer | Morning all! | 08:06 |
zyga | mborzecki: note that I don't see "network" (plain, without v8) anymore | 08:06 |
zyga | hey :) | 08:06 |
pstolowski | morning niemeyer! | 08:09 |
mvo | I see some strange errors on arch: Aug 27 07:17:06 arch snapd[25825]: task.go:303: DEBUG: 2018-08-27T07:17:06Z ERROR cannot generate device key pair: asn1: structure error: tags don't match (16 vs {class:1 tag:15 length:112 isCompound:true}) {optional:false explicit:false application:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} pkcs1PrivateKey @2 does that ring any bells? | 08:10 |
mvo | and good morning niemeyer | 08:11 |
niemeyer | o/ | 08:11 |
mborzecki | niemeyer: hey | 08:14 |
zyga | mvo: no, I never heard of this issue before | 08:35 |
mborzecki | mvo: ... value *state.changeError = &state.changeError{errors:[]state.taskError{state.taskError{task:"Generate device key", error:"cannot generate device key pair: asn1: structure error: tags don't match (16 vs {class:1 tag:15 length:112 isCompound:true}) {optional:false explicit:false application:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} pkcs1PrivateKey @2"}}} | 08:42 |
mborzecki | ("cannot perform the following tasks:\n- Generate device key (cannot generate device key pair: asn1: structure error: tags don't match (16 vs {class:1 tag:15 length:112 isCompound:true}) {optional:false explicit:false application:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} pkcs1PrivateKey @2)") | 08:42 |
mborzecki | in unit tests | 08:42 |
zyga | are we shelling out to external tools for key crypto? | 08:46 |
pedronis | yes, to ssh-keygen because go own key creation was deemed too slow | 08:47 |
pedronis | so something might be going on there | 08:47 |
mborzecki | hmm [2018-08-26 22:29] [ALPM] upgraded openssh (7.7p1-2 -> 7.8p1-1) | 08:48 |
mborzecki | what version are you guys on? | 08:48 |
mvo | 7.6 | 08:48 |
zyga | mborzecki: ssh changed something lately | 08:49 |
zyga | mborzecki: there was an article about this on lwn | 08:49 |
mvo | aha and the changelog has information that they changed the output of ssh-keygen | 08:49 |
mvo | -m PEM will fix it | 08:49 |
mborzecki | ok, i'll add it here | 08:49 |
zyga | https://lwn.net/Articles/763444/ | 08:50 |
zyga | indeed | 08:50 |
zyga | * ssh-keygen(1): write OpenSSH format private keys by default | 08:50 |
zyga | instead of using OpenSSL's PEM format. The OpenSSH format, | 08:50 |
zyga | mborzecki: nice :) | 08:50 |
mvo | and it works all the way back to trusty | 08:50 |
mvo | so that should be fine | 08:50 |
mborzecki | seems to work now, opening a PR in a minute | 08:53 |
mup | PR snapd#5725 opened: overlord/devicestate: use OpenSSL's PEM format when generating keys <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/5725> | 09:00 |
mvo | mborzecki: ta | 09:00 |
mborzecki | hm apparmor mocking around the tests for system-key is noop | 09:28 |
mvo | mborzecki: oh? do you have more details? | 09:29 |
mborzecki | mvo: a path to apparmor sysfs features directory was built in SetUpTest() but it was never used afaict | 09:30 |
mvo | mborzecki: the pem pr failed with an unrelated error, I can restart but I will have a look at the error, it looks like we don't mock enough somewhere | 09:39 |
mborzecki | mvo: ack, unit tests sans snap-seccomp were passing locally | 09:40 |
mup | PR snapd#5726 opened: release, interfaces: make snapd degrade gracefully when AppArmor userspace tooling is unavailable <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/5726> | 09:50 |
mborzecki | mvo: zyga: let me know if that makes sense | 09:51 |
mborzecki | ^^ | 09:51 |
zyga | reading that now | 09:51 |
* mvo looks | 09:51 | |
mup | PR snapd#5723 closed: cmd: remove --skip-command-chain from snap run and snap-exec <Created by kyrofa> <Merged by niemeyer> <https://github.com/snapcore/snapd/pull/5723> | 09:51 |
mborzecki | ok, time for some reviews | 09:55 |
mup | PR snapd#5725 closed: overlord/devicestate: use OpenSSL's PEM format when generating keys <Critical> <Created by bboozzoo> <Merged by bboozzoo> <https://github.com/snapcore/snapd/pull/5725> | 10:13 |
zyga | thank you! | 10:14 |
zyga | brb, coffee and snack | 11:44 |
mup | PR snapd#5716 closed: tests: spread test for parallel-installs desktop file handling <Parallel installs> <Simple> <Created by bboozzoo> <Merged by stolowski> <https://github.com/snapcore/snapd/pull/5716> | 11:45 |
=== pstolowski is now known as pstolowski|lunch | ||
zyga | re | 12:01 |
=== King_InuYasha is now known as Son_Goku | ||
mup | PR snapcraft#2220 closed: schema: allow license field <Created by mvo5> <Closed by sergiusens> <https://github.com/snapcore/snapcraft/pull/2220> | 12:34 |
=== pstolowski|lunch is now known as pstolowski | ||
mvo | can I get a review for https://github.com/snapcore/core/pull/93 please? | 12:41 |
mup | PR core#93: hooks: unwind /etc/alternatives <Created by mvo5> <https://github.com/snapcore/core/pull/93> | 12:41 |
zyga | mvo: looking | 12:45 |
zyga | mvo: wow, I missed that! | 12:47 |
zyga | thank you for sharing | 12:47 |
mvo | zyga: no worries | 12:47 |
zyga | mvo: reviewed | 12:55 |
mvo | zyga: thanks, I like your suggestion there | 12:58 |
mvo | zyga: mind if I do it in a followup, first in core18 ? that is much simpler to test (i.e. it can be build in 1/10 of the time) | 12:59 |
ogra | jdstrand, an interesting one for you https://paste.ubuntu.com/p/ZwdqN6XMVY/ | 12:59 |
mup | PR snapcraft#2223 closed: snap: prepare override scripts to allow rebuilding <Created by sergiusens> <Merged by sergiusens> <https://github.com/snapcore/snapcraft/pull/2223> | 13:01 |
zyga | ogra: how is it interesting? | 13:27 |
zyga | it looks like just missing "home" | 13:27 |
ogra | zyga, the traceback ... | 13:28 |
ogra | that shouldnt happen | 13:28 |
ogra | (and usually doesnt) | 13:29 |
zyga | locale? | 13:29 |
ogra | well, german ... | 13:29 |
ogra | it doesnt happen with other snaps | 13:29 |
zyga | no, I mean PYTHONENCODING=utf-8 | 13:29 |
zyga | is home connected? | 13:29 |
ogra | the snap doesnt have a home plug | 13:29 |
ogra | (yet) | 13:29 |
zyga | then it cannot access Dokumente | 13:30 |
zyga | I still don't see what's the interesting part | 13:30 |
ogra | sure, but snappy-debug shouldnt crash | 13:30 |
ogra | i dont care about home, i know i havent added it yet | 13:30 |
ogra | i want to see all the subsequent info that comes after home in the log | 13:31 |
ogra | but snappy-debug crashes hard before it can even show anything | 13:31 |
ogra | *thats* the interesting part | 13:31 |
zyga | aaah, it was snappy-debug | 13:32 |
ogra | right | 13:32 |
zyga | I missed that | 13:33 |
zyga | indeed, I don't know why we do that | 13:33 |
ogra | i guess snappy-debug needs some utf-8 love somewhere in the code | 13:33 |
zyga | ijohnson: hey | 13:43 |
zyga | thank you! | 13:43 |
zyga | ijohnson: when would be a good time to chat? | 13:43 |
pedronis | zyga: wrong channel? | 14:08 |
mup | PR snapd#5721 closed: interfaces: retain order of inserted security backends <Created by zyga> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/5721> | 14:11 |
twobitsprite | So, I'm delving in to the world of snaps on my Debian Buster system... I'm trying to install the helm client, and it's only available as a snap or as a tarball, so I figured I'd try the snap version... I got snapd installed and I ran "sudo snap install helm". It says it installed it, but I don't have a helm command in my path... | 14:12 |
zyga | pedronis: yes, we moved | 14:16 |
* zyga -> errand break (1.5-2hrs) | 14:17 | |
ogra | twobitsprite, "snap info helm" should list any commands the snap ships | 14:20 |
ogra | twobitsprite, you also might want to check if there are interfaces you need to manually connect ... list them with "snap interfaces helm" | 14:21 |
twobitsprite | ogra: it says "helm" is a command it should provide | 14:21 |
ogra | twobitsprite, ah,m you newly installed snapd .. that adds /snap/bin to your oath but it will indeed only take effect if you re-login | 14:22 |
ogra | *path | 14:22 |
twobitsprite | ogra: interfaces lists :home, :network and :network-bind, all of them say "helm" under the "Plug" column | 14:22 |
twobitsprite | ogra: ahh | 14:22 |
ogra | yeah, these typically auto-connect | 14:22 |
ogra | you can either use "snap run helm" | 14:22 |
ogra | or use the full path via /snap/bin/heml | 14:23 |
ogra | *helm | 14:23 |
ogra | or re-login indeed | 14:23 |
twobitsprite | ogra: yep, that was the problem, thanks | 14:24 |
ogra | enjoy | 14:24 |
=== zarcade_droid is now known as ^arcade_droid | ||
jdstrand | ogra: ack, thanks | 14:51 |
niemeyer | Taking a short break here | 15:00 |
kyrofa | mvo, can I get your input on this? https://bugs.launchpad.net/snapd/+bug/1779416 | 15:11 |
mup | Bug #1779416: Scripts in core snap attempt to do things impossible under confinement and die <snapd:New> <https://launchpad.net/bugs/1779416> | 15:11 |
mvo | kyrofa: that sounds sensible, I was not aware this is actually used | 15:12 |
kyrofa | mvo, me neither, took me forever to sort it out :P | 15:13 |
mvo | heh, thanks for this kyrofa | 15:20 |
zyga | re | 15:35 |
* zyga has finished the car insurance and ownership saga | 15:35 | |
* cachio lunch | 16:02 | |
=== pstolowski is now known as pstolowski|afk | ||
zyga | jdstrand: hey, just a gentle ping about https://github.com/snapcore/snapd/pull/5170 and https://github.com/snapcore/snapd/pull/5307 | 16:43 |
mup | PR #5170: interfaces/builtin: add adb interface <Created by zyga> <https://github.com/snapcore/snapd/pull/5170> | 16:43 |
mup | PR #5307: cmd,interfaces,tests: add /mnt to removable-media interface <Squash-merge> <Created by zyga> <https://github.com/snapcore/snapd/pull/5307> | 16:43 |
* zyga gets back to his activity | 16:43 | |
jdstrand | zyga: yep, both on the list. hopefully today | 16:44 |
zyga | thank you :) | 16:46 |
mup | PR snapcraft#2227 opened: Wait lxd <Created by sergiusens> <https://github.com/snapcore/snapcraft/pull/2227> | 17:08 |
om26er | How far along is "parallel install" feature of snaps ? | 17:19 |
om26er | we want different versions (stable, beta, canary) of android studio at the same time (popular request) | 17:20 |
zyga | om26er: it is coming along | 17:21 |
zyga | om26er: ask mborzecki tomorrow morning | 17:22 |
om26er | zyga: will do, thanks | 17:22 |
=== pbek_ is now known as pbek | ||
mup | PR snapd#5727 opened: interfaces/builtin, cmd/snap-seccomp: Allow read-only ptrace, for the Breakpad crash reporter <Created by jld> <https://github.com/snapcore/snapd/pull/5727> | 19:28 |
cachio | zyga, hey, any idea why this could be happening? https://paste.ubuntu.com/p/dG7WVRZ8Q3/ | 19:33 |
cachio | it is breaking ubuntu-core-18 | 19:34 |
cachio | zyga, if I restart the service it works, but initially it fails | 19:40 |
dave_uy | What is the right way to reference a desktop icon in a .desktop file? | 20:11 |
dave_uy | Nevermind. I found an example: https://github.com/sergiusens/telegram-snap/blob/master/snap/gui/telegram.desktop | 20:27 |
zyga | cachio: looking | 21:09 |
cachio | zyga, tx, | 21:09 |
cachio | otherwise tomorrow is ok | 21:09 |
zyga | perhaps because the socket doesn't respond initially (seeding) | 21:10 |
zyga | but yeah, tomorrow | 21:10 |
cachio | zyga, tomorrow better, now it is time to rest :) | 21:10 |
kyrofa | Is the store down? | 21:46 |
kyrofa | Ah, it seems so | 21:46 |
kyrofa | "Intermittent access issue in few services for 7 Mins 20 Secs" makes it sound like it's over | 21:47 |