[05:10] <mborzecki> morning
[06:07] <mborzecki> mvo: hi, any ideas if snapd will blow up if there's apparmor support in the kernel but no userspace tools?
[06:08] <mvo> mborzecki: that sounds likely
[06:08] <mvo> mborzecki: I think we need an extra check in the release.Apparmor code that checks if apparmor_parser is available
[06:08] <mvo> mborzecki: should be a trivial PR
[06:08] <mvo> mborzecki: and nice catch
[06:09] <mborzecki> mvo: i'll look into that
[06:10] <mvo> mborzecki: ta
[06:10] <mvo> mborzecki: and GOOD MORNING :)
[06:10] <mborzecki> mvo: hah right :) morning
[06:12] <mvo> mborzecki: I also left some feedback in the arch -hardened kver PR, nice catch on the details of the kernels there
[06:13] <mborzecki> mvo: saw your review, thanks
[06:14] <mborzecki> mvo: nice thing is apparmor will be in the default kernel in arch, but you still need to pass apparmor=1 security=apparmor to the kernel and have the userspace tools, need to make sure we degrade gracefully
[06:15] <mvo> mborzecki: nice! thats a good step forward
[06:45] <zyga> good morning!
[06:45] <mvo> hey zyga ! good morning
[06:45]  * zyga is sleepy but needs to wake up rapidly
[06:46] <zyga> today I plan to spend 30% on PRs (reviews and gardening) and 70% on helping with a CE request
[06:46] <mup> PR snapd#5715 closed: selftest: detect if apparmor is unusable and error <Created by mvo5> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/5715>
[06:53] <zyga> mvo: question about 5715
[06:53] <zyga> https://github.com/snapcore/snapd/pull/5715#pullrequestreview-149598142
[06:53] <mup> PR #5715: selftest: detect if apparmor is unusable and error <Created by mvo5> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/5715>
[06:54] <mborzecki> zyga: hey
[06:54] <zyga> :-) o/
[06:58] <mvo> zyga: whats the question?
[06:58] <zyga> mvo: I asked in the review if there's any difference about the two lines that check for the new message inside a container
[06:58] <mvo> zyga: aha, sorry, I see it now. one is the loop but we also need to ensure the loop did not timeout
[06:59] <zyga> ah
[06:59] <zyga> that makes sense, thanks
[06:59] <mvo> zyga: ok
[06:59] <mvo> zyga: does it look ok otherwise? sorry did not see that we were also reviewing
[06:59] <zyga> yes, it looks good :)
[06:59] <zyga> nice and simple
[07:00] <zyga> (which is not to say that it is easy, it's great to make simple things)
[07:00] <mvo> ta
[07:11] <mborzecki> mvo: for the record, i've removed apparmor tooling and cannot remove snaps anymore https://paste.ubuntu.com/p/fhmfjm6vhM/
[07:14] <mvo> mborzecki: can you install snaps? or does anything install/remove related break?
[07:15] <mborzecki> mvo: snap remove/install errors out on security profiles
[07:15] <pstolowski> morning
[07:15] <mborzecki> mvo: refresh probably doesn't work either as it's practically install under the hood
[07:16] <mborzecki> pstolowski: hey
[07:17] <mborzecki> zyga: when checking if we need to downgrade apparmor template to classic, do we care about specific kernel version, or is 4.16+ good to go in general?
[07:17] <zyga> mborzecki: it was just the version that opensuse happened to ship with
[07:17] <zyga> and was meant as an experiment to see what breaks
[07:17] <zyga> I think it was successful though
[07:56] <mborzecki> zyga: any clue how network_v8 is different from network in apparmor features?
[07:58] <zyga> some, network is just "you can interact with given set of sockets", there's a very simple table that has some flags per socket type (AF_INET, AF_INET6, etc).
[07:58] <zyga> network_v8 is ... more than that :) I heard that fine grained network mediation was coming
[07:58] <zyga> so perhaps there's a more rich table now
[07:58] <zyga> let me look quickly
[08:00] <zyga> mvo: can you please look at https://github.com/snapcore/snapd/pull/5721
[08:00] <mup> PR #5721: interfaces: retain order of inserted security backends <Created by zyga> <https://github.com/snapcore/snapd/pull/5721>
[08:01] <zyga> (again, updates based on your review)
[08:01] <mvo> zyga: sure
[08:01] <zyga> thanks :)
[08:02] <zyga> mborzecki: looking now
[08:04] <mborzecki> zyga: found this https://www.mail-archive.com/apparmor@lists.ubuntu.com/msg09772.html
[08:05] <zyga> mborzecki: this is not new stuff, it was merged in July 2017
[08:05] <zyga> mborzecki: it's the old network support code from ubuntu, now mainline
[08:05] <zyga> (I'm looking at torvald's tree)
[08:06] <niemeyer> Morning all!
[08:06] <zyga> mborzecki: note that I don't see "network" (plain, without v8) anymore
[08:06] <zyga> hey :)
[08:09] <pstolowski> morning niemeyer!
[08:10] <mvo> I see some strange errors on arch: Aug 27 07:17:06 arch snapd[25825]: task.go:303: DEBUG: 2018-08-27T07:17:06Z ERROR cannot generate device key pair: asn1: structure error: tags don't match (16 vs {class:1 tag:15 length:112 isCompound:true}) {optional:false explicit:false application:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} pkcs1PrivateKey @2 does that ring any bells?
[08:11] <mvo> and good morning niemeyer
[08:11] <niemeyer> o/
[08:14] <mborzecki> niemeyer: hey
[08:35] <zyga> mvo: no, I never heard of this issue before
[08:42] <mborzecki> mvo: ... value *state.changeError = &state.changeError{errors:[]state.taskError{state.taskError{task:"Generate device key", error:"cannot generate device key pair: asn1: structure error: tags don't match (16 vs {class:1 tag:15 length:112 isCompound:true}) {optional:false explicit:false application:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} pkcs1PrivateKey @2"}}}
[08:42] <mborzecki> ("cannot perform the following tasks:\n- Generate device key (cannot generate device key pair: asn1: structure error: tags don't match (16 vs {class:1 tag:15 length:112 isCompound:true}) {optional:false explicit:false application:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} pkcs1PrivateKey @2)")
[08:42] <mborzecki> in unit tests
[08:46] <zyga> are we shelling out to external tools for key crypto?
[08:47] <pedronis> yes, to ssh-keygen because go own key creation was deemed too slow
[08:47] <pedronis> so something might be going on there
[08:48] <mborzecki> hmm [2018-08-26 22:29] [ALPM] upgraded openssh (7.7p1-2 -> 7.8p1-1)
[08:48] <mborzecki> what version are you guys on?
[08:48] <mvo> 7.6
[08:49] <zyga> mborzecki: ssh changed something lately
[08:49] <zyga> mborzecki: there was an article about this on lwn
[08:49] <mvo> aha and the changelog has information that they changed the output of ssh-keygen
[08:49] <mvo> -m PEM will fix it
[08:49] <mborzecki> ok, i'll add it here
[08:50] <zyga> https://lwn.net/Articles/763444/
[08:50] <zyga> indeed
[08:50] <zyga>  * ssh-keygen(1): write OpenSSH format private keys by default
[08:50] <zyga>    instead of using OpenSSL's PEM format. The OpenSSH format,
[08:50] <zyga> mborzecki: nice :)
[08:50] <mvo> and it works all the way back to trusty
[08:50] <mvo> so that should be fine
[08:53] <mborzecki> seems to work now, opening a PR in a minute
[09:00] <mup> PR snapd#5725 opened: overlord/devicestate: use OpenSSL's PEM format when generating keys <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/5725>
[09:00] <mvo> mborzecki: ta
[09:28] <mborzecki> hm apparmor mocking around the tests for system-key is noop
[09:29] <mvo> mborzecki: oh? do you have more details?
[09:30] <mborzecki> mvo: a path to apparmor sysfs features directory was built in SetUpTest() but it was never used afaict
[09:39] <mvo> mborzecki: the pem pr failed with an unrelated error, I can restart but I will have a look at the error, it looks like we don't mock enough somewhere
[09:40] <mborzecki> mvo: ack, unit tests sans snap-seccomp were passing locally
[09:50] <mup> PR snapd#5726 opened: release, interfaces: make snapd degrade gracefully when AppArmor userspace tooling is unavailable <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/5726>
[09:51] <mborzecki> mvo: zyga: let me know if that makes sense
[09:51] <mborzecki> ^^
[09:51] <zyga> reading that now
[09:51]  * mvo looks
[09:51] <mup> PR snapd#5723 closed: cmd: remove --skip-command-chain from snap run and snap-exec <Created by kyrofa> <Merged by niemeyer> <https://github.com/snapcore/snapd/pull/5723>
[09:55] <mborzecki> ok, time for some reviews
[10:13] <mup> PR snapd#5725 closed: overlord/devicestate: use OpenSSL's PEM format when generating keys <Critical> <Created by bboozzoo> <Merged by bboozzoo> <https://github.com/snapcore/snapd/pull/5725>
[10:14] <zyga> thank you!
[11:44] <zyga> brb, coffee and snack
[11:45] <mup> PR snapd#5716 closed: tests: spread test for parallel-installs desktop file handling <Parallel installs> <Simple> <Created by bboozzoo> <Merged by stolowski> <https://github.com/snapcore/snapd/pull/5716>
[12:01] <zyga> re
[12:34] <mup> PR snapcraft#2220 closed: schema: allow license field <Created by mvo5> <Closed by sergiusens> <https://github.com/snapcore/snapcraft/pull/2220>
[12:41] <mvo> can I get a review for https://github.com/snapcore/core/pull/93 please?
[12:41] <mup> PR core#93: hooks: unwind /etc/alternatives <Created by mvo5> <https://github.com/snapcore/core/pull/93>
[12:45] <zyga> mvo: looking
[12:47] <zyga> mvo: wow, I missed that!
[12:47] <zyga> thank you for sharing
[12:47] <mvo> zyga: no worries
[12:55] <zyga> mvo: reviewed
[12:58] <mvo> zyga: thanks, I like your suggestion there
[12:59] <mvo> zyga: mind if I do it in a followup, first in core18 ? that is much simpler to test (i.e. it can be build in 1/10 of the time)
[12:59] <ogra> jdstrand, an interesting one for you https://paste.ubuntu.com/p/ZwdqN6XMVY/
[13:01] <mup> PR snapcraft#2223 closed: snap: prepare override scripts to allow rebuilding <Created by sergiusens> <Merged by sergiusens> <https://github.com/snapcore/snapcraft/pull/2223>
[13:27] <zyga> ogra: how is it interesting?
[13:27] <zyga> it looks like just missing "home"
[13:28] <ogra> zyga, the traceback ...
[13:28] <ogra> that shouldnt happen
[13:29] <ogra> (and usually doesnt)
[13:29] <zyga> locale?
[13:29] <ogra> well, german ...
[13:29] <ogra> it doesnt happen with other snaps
[13:29] <zyga> no, I mean PYTHONENCODING=utf-8
[13:29] <zyga> is home connected?
[13:29] <ogra> the snap doesnt have a home plug
[13:29] <ogra> (yet)
[13:30] <zyga> then it cannot access Dokumente
[13:30] <zyga> I still don't see what's the interesting part
[13:30] <ogra> sure, but snappy-debug shouldnt crash
[13:30] <ogra> i dont care about home, i know i havent added it yet
[13:31] <ogra> i want to see all the subsequent info that comes after home in the log
[13:31] <ogra> but snappy-debug crashes hard before it can even show anything
[13:31] <ogra> *thats* the interesting part
[13:32] <zyga> aaah, it was snappy-debug
[13:32] <ogra> right
[13:33] <zyga> I missed that
[13:33] <zyga> indeed, I don't know why we do that
[13:33] <ogra> i guess snappy-debug needs some utf-8 love somewhere in the code
[13:43] <zyga> ijohnson: hey
[13:43] <zyga> thank you!
[13:43] <zyga> ijohnson: when would be a good time to chat?
[14:08] <pedronis> zyga: wrong channel?
[14:11] <mup> PR snapd#5721 closed: interfaces: retain order of inserted security backends <Created by zyga> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/5721>
[14:12] <twobitsprite> So, I'm delving in to the world of snaps on my Debian Buster system... I'm trying to install the helm client, and it's only available as a snap or as a tarball, so I figured I'd try the snap version... I got snapd installed and I ran "sudo snap install helm". It says it installed it, but I don't have a helm command in my path...
[14:16] <zyga> pedronis: yes, we moved
[14:17]  * zyga -> errand break (1.5-2hrs)
[14:20] <ogra> twobitsprite, "snap info helm" should list any commands the snap ships
[14:21] <ogra> twobitsprite, you also might want to check if there are interfaces you need to manually connect ... list them with "snap interfaces helm"
[14:21] <twobitsprite> ogra: it says "helm" is a command it should provide
[14:22] <ogra> twobitsprite, ah, you newly installed snapd .. that adds /snap/bin to your oath but it will indeed only take effect if you re-login
[14:22] <ogra> *path
[14:22] <twobitsprite> ogra: interfaces lists :home, :network and :network-bind, all of them say "helm" under the "Plug" column
[14:22] <twobitsprite> ogra: ahh
[14:22] <ogra> yeah, these typically auto-connect
[14:22] <ogra> you can either use "snap run helm"
[14:23] <ogra> or use the full path via /snap/bin/heml
[14:23] <ogra> *helm
[14:23] <ogra> or re-login indeed
[14:24] <twobitsprite> ogra: yep, that was the problem, thanks
[14:24] <ogra> enjoy
[14:51] <jdstrand> ogra: ack, thanks
[15:00] <niemeyer> Taking a short break here
[15:11] <kyrofa> mvo, can I get your input on this? https://bugs.launchpad.net/snapd/+bug/1779416
[15:11] <mup> Bug #1779416: Scripts in core snap attempt to do things impossible under confinement and die <snapd:New> <https://launchpad.net/bugs/1779416>
[15:12] <mvo> kyrofa: that sounds sensible, I was not aware this is actually used
[15:13] <kyrofa> mvo, me neither, took me forever to sort it out :P
[15:20] <mvo> heh, thanks for this kyrofa
[15:35] <zyga> re
[15:35]  * zyga has finished the car insurance and ownership saga
[16:02]  * cachio lunch
[16:43] <zyga> jdstrand: hey, just a gentle ping about https://github.com/snapcore/snapd/pull/5170 and https://github.com/snapcore/snapd/pull/5307
[16:43] <mup> PR #5170: interfaces/builtin: add adb interface <Created by zyga> <https://github.com/snapcore/snapd/pull/5170>
[16:43] <mup> PR #5307: cmd,interfaces,tests: add /mnt to removable-media interface <Squash-merge> <Created by zyga> <https://github.com/snapcore/snapd/pull/5307>
[16:43]  * zyga gets back to his activity
[16:44] <jdstrand> zyga: yep, both on the list. hopefully today
[16:46] <zyga> thank you :)
[17:08] <mup> PR snapcraft#2227 opened: Wait lxd <Created by sergiusens> <https://github.com/snapcore/snapcraft/pull/2227>
[17:19] <om26er> How far along is "parallel install" feature of snaps ?
[17:20] <om26er> we want different versions (stable, beta, canary) of android studio at the same time (popular request)
[17:21] <zyga> om26er: it is coming along
[17:22] <zyga> om26er: ask mborzecki tomorrow morning
[17:22] <om26er> zyga: will do, thanks
[19:28] <mup> PR snapd#5727 opened: interfaces/builtin, cmd/snap-seccomp: Allow read-only ptrace, for the Breakpad crash reporter <Created by jld> <https://github.com/snapcore/snapd/pull/5727>
[19:33] <cachio> zyga, hey, any idea why this could be happening? https://paste.ubuntu.com/p/dG7WVRZ8Q3/
[19:34] <cachio> it is breaking ubuntu-core-18
[19:40] <cachio> zyga, if I restart the service it works, but initially it fails
[20:11] <dave_uy> What is the right way to reference a desktop icon in a .desktop file?
[20:27] <dave_uy> Nevermind. I found an example: https://github.com/sergiusens/telegram-snap/blob/master/snap/gui/telegram.desktop
[21:09] <zyga> cachio: looking
[21:09] <cachio> zyga, tx,
[21:09] <cachio> otherwise tomorrow is ok
[21:10] <zyga> perhaps because the socket doesn't respond initially (seeding)
[21:10] <zyga> but yeah, tomorrow
[21:10] <cachio> zyga, tomorrow better, now it is time to rest :)
[21:46] <kyrofa> Is the store down?
[21:46] <kyrofa> Ah, it seems so
[21:47] <kyrofa> "Intermittent access issue in few services for 7 Mins 20 Secs" makes it sound like it's over