[05:10] morning [06:07] mvo: hi, any ideas if snapd will blow up if there's apparmor support in the kernel but no userspace tools? [06:08] mborzecki: that sounds likely [06:08] mborzecki: I think we need a extra check in the release.Apparmor code that checks if apparmor_parser is available [06:08] mborzecki: should be a trivial PR [06:08] mborzecki: and nice catch [06:09] mvo: i'll look into that [06:10] mborzecki: ta [06:10] mborzecki: and GOOD MORNING :) [06:10] mvo: hah right :) morning [06:12] mborzecki: I also left some feedback in the arch -hardended kver PR, nice catch on the details of the kernels there [06:13] mvo: saw your review, thanks [06:14] mvo: nice thing is apparmor will be in the default kernel in arch, but you still need to pass apparmor=1 security=apparmor to the kernel and have the userspace tools, need to make sure we degrade gracefully [06:15] mborzecki: nice! thats a good step forward [06:45] good morning! [06:45] hey zyga ! good morning [06:45] * zyga is sleepy but needs to wake up rapidly [06:46] today I plan to spend 30% on PRs (reviews and gardening) and 70% on helping with a CE request [06:46] PR snapd#5715 closed: selftest: detect if apparmor is unusable and error [06:53] mvo: question about 5715 [06:53] https://github.com/snapcore/snapd/pull/5715#pullrequestreview-149598142 [06:53] PR #5715: selftest: detect if apparmor is unusable and error [06:54] zyga: hey [06:54] :-) o/ [06:58] zyga: whats the question? [06:58] mvo: I asked in the review if there's any difference about the two lines that check for the new message inside a container [06:58] zyga: aha, sorry, I see it now. one is the loop but we also need to ensure the loop did not timeout [06:59] ah [06:59] that makes sense, thanks [06:59] zyga: ok [06:59] zyga: does it look ok otherwise? sorry did not see that we were also reviewing [06:59] yes, it looks good :) [06:59] nice and simple [07:00] (which is not to say that it is easy, it's great to make simple things) [07:00] ta [07:11] mvo: for the record, i've removed apparmor tooling and cannot remove snaps anymore https://paste.ubuntu.com/p/fhmfjm6vhM/ [07:14] mborzecki: can you install snaps? or does anything install/remove related break? [07:15] mvo: snap remove/install errors out on security profiles === pstolowski|afk is now known as pstolowski [07:15] morning [07:15] mvo: refresh probably doesn't work either as it's practically install under the hood [07:16] pstolowski: hey [07:17] zyga: when checking if we need to downgrade apparmor template to classic, do we care about specific kernel version, or is 4.16+ good to go in general? [07:17] mborzecki: it was just the version that opensuse happened to ship with [07:17] and was meant as an experiment to see what breaks [07:17] I think it was successful though [07:56] zyga: any clue how network_v8 is different from network in apparmor features? [07:58] some, network is just "you can interact with given set of sockets", there's a very simple table that has some flags per socket type (AF_INET, AF_INET6, etc). [07:58] network_v8 is ... more than that :) I heard that fine grained network mediation was coming [07:58] so perhaps there's a more rich table now [07:58] let me look quickly [08:00] mvo: can you please look at https://github.com/snapcore/snapd/pull/5721 [08:00] PR #5721: interfaces: retain order of inserted security backends [08:01] (again, updates based on your review) [08:01] zyga: sure [08:01] thanks :) [08:02] mborzecki: looking now [08:04] zyga: found this https://www.mail-archive.com/apparmor@lists.ubuntu.com/msg09772.html [08:05] mborzecki: this is not new stuff, it was merged in July 2017 [08:05] mborzecki: it's the old network support code from ubuntu, now mainline [08:05] (I'm looking at torvald's tree) [08:06] Morning all! [08:06] mborzecki: note that I don't see "network" (plain, without v8) anymore [08:06] hey :) [08:09] morning niemeyer! [08:10] I see some strange errors on arch: Aug 27 07:17:06 arch snapd[25825]: task.go:303: DEBUG: 2018-08-27T07:17:06Z ERROR cannot generate device key pair: asn1: structure error: tags don't match (16 vs {class:1 tag:15 length:112 isCompound:true}) {optional:false explicit:false application:false defaultValue: tag: stringType:0 timeType:0 set:false omitEmpty:false} pkcs1PrivateKey @2 does that ring any bells? [08:11] and good morning niemeyer [08:11] o/ [08:14] niemeyer: hey [08:35] mvo: no, I never heard of this issue before [08:42] mvo: ... value *state.changeError = &state.changeError{errors:[]state.taskError{state.taskError{task:"Generate device key", error:"cannot generate device key pair: asn1: structure error: tags don't match (16 vs {class:1 tag:15 length:112 isCompound:true}) {optional:false explicit:false application:false defaultValue: tag: stringType:0 timeType:0 set:false omitEmpty:false} pkcs1PrivateKey @2"}}} [08:42] ("cannot perform the following tasks:\n- Generate device key (cannot generate device key pair: asn1: structure error: tags don't match (16 vs {class:1 tag:15 length:112 isCompound:true}) {optional:false explicit:false application:false defaultValue: tag: stringType:0 timeType:0 set:false omitEmpty:false} pkcs1PrivateKey @2)") [08:42] in unit tests [08:46] are we shelling out to external tools for key crypto? [08:47] yes, to ssh-keygen because go own key creation was deemed too slow [08:47] so something might be going on there [08:48] hmm [2018-08-26 22:29] [ALPM] upgraded openssh (7.7p1-2 -> 7.8p1-1) [08:48] what version are you guys on? [08:48] 7.6 [08:49] mborzecki: ssh changed something lately [08:49] mborzecki: there was an article about this on lwn [08:49] aha and the changelog has information that they changed the output of ssh-keygen [08:49] -m PEM will fix it [08:49] ok, i'll add it here [08:50] https://lwn.net/Articles/763444/ [08:50] indeed [08:50] * ssh-keygen(1): write OpenSSH format private keys by default [08:50] instead of using OpenSSL's PEM format. The OpenSSH format, [08:50] mborzecki: nice :) [08:50] and it works all the way back to trusty [08:50] so that should be fine [08:53] seems to work now, opening a PR in a minute [09:00] PR snapd#5725 opened: overlord/devicestate: use OpenSSL's PEM format when generating keys [09:00] mborzecki: ta [09:28] hm apparmor mocking around the tests for system-key is noop [09:29] mborzecki: oh? do you have more details? [09:30] mvo: a path to apparmor sysfs features directory was built in SetUpTest() but it was never used afaict [09:39] mborzecki: the pem pr failed with an unrelated error, I can restart but I will have a look at the error, it looks like we don't mock enough somewhere [09:40] mvo: ack, unit tests sans snap-seccomp were passing locally [09:50] PR snapd#5726 opened: release, interfaces: make snapd degrade gracefully when AppArmor userspace tooling is unavailable [09:51] mvo: zyga: let me know if that makes sense [09:51] ^^ [09:51] reading that now [09:51] * mvo looks [09:51] PR snapd#5723 closed: cmd: remove --skip-command-chain from snap run and snap-exec [09:55] ok, time for some reviews [10:13] PR snapd#5725 closed: overlord/devicestate: use OpenSSL's PEM format when generating keys [10:14] thank you! [11:44] brb, coffee and snack [11:45] PR snapd#5716 closed: tests: spread test for parallel-installs desktop file handling === pstolowski is now known as pstolowski|lunch [12:01] re === King_InuYasha is now known as Son_Goku [12:34] PR snapcraft#2220 closed: schema: allow license field === pstolowski|lunch is now known as pstolowski [12:41] can I get a review for https://github.com/snapcore/core/pull/93 please? [12:41] PR core#93: hooks: unwind /etc/alternatives [12:45] mvo: looking [12:47] mvo: wow, I missed that! [12:47] thank you for sharing [12:47] zyga: no worries [12:55] mvo: reviewed [12:58] zyga: thanks, I like your suggestion there [12:59] zyga: mind if I do it in a followup, first in core18 ? that is much simpler to test (i.e. it can be build in 1/10 of the time) [12:59] jdstrand, an interesting one for you https://paste.ubuntu.com/p/ZwdqN6XMVY/ [13:01] PR snapcraft#2223 closed: snap: prepare override scripts to allow rebuilding [13:27] ogra: how is it interesting? [13:27] it looks like just missing "home" [13:28] zyga, the traceback ... [13:28] that shouldnt happen [13:29] (and usually doesnt) [13:29] locale? [13:29] well, german ... [13:29] it doesnt happen with other snaps [13:29] no, I mean PYTHONENCODING=utf-8 [13:29] is home connected? [13:29] the snap doesnt have a home plug [13:29] (yet) [13:30] then it cannot access Dokumente [13:30] I still don't see what's the interesting part [13:30] sure, but snappy-debug shouldnt crash [13:30] i dont care about home, i know i havent added it yet [13:31] i want to see all the subsequent info that comes after home in the log [13:31] but snappy-debug crashes hard before it can evcen show anything [13:31] *thats* the interesting part [13:32] aaah, it was snappy-debug [13:32] right [13:33] I missed that [13:33] indeed, I don't know why we do that [13:33] i guess snappy-debug needs some utf-8 love somewhere in the code [13:43] ijohnson: hey [13:43] thank you! [13:43] ijohnson: when would be a good time to chat? [14:08] zyga: wrong channel? [14:11] PR snapd#5721 closed: interfaces: retain order of inserted security backends [14:12] So, I'm delving in to the world of snaps on my Debian Buster system... I'm trying to install the helm client, and it's only available as a snap or as a tarball, so I figured I'd try the snap version... I got snapd installed and I ran "sudo snap install helm". It says it installed it, but I don't have a helm command in my path... [14:16] pedronis: yes, we moved [14:17] * zyga -> errand break (1.5-2hrs) [14:20] twobitsprite, "snap info helm" should list any commands the snap ships [14:21] twobitsprite, you also might want to check if there are interfaces you need to manually connect ... list them with "snap interfaces helm" [14:21] ogra: it says "helm" is a command it should provide [14:22] twobitsprite, ah,m you newly installed snapd .. that adds /snap/bin to your oath but it will indeed only take effect if you re-login [14:22] *path [14:22] ogra: interfaces lists :home, :network and :network-bind, all of them say "helm" under the "Plug" column [14:22] ogra: ahh [14:22] yeah, these typically auto-connect [14:22] you can either use "snap run helm" [14:23] or use the full path via /snap/bin/heml [14:23] *helm [14:23] or re-login indeed [14:24] ogra: yep, that was the problem, thanks [14:24] enjoy === zarcade_droid is now known as ^arcade_droid [14:51] ogra: ack, thanks [15:00] Taking a short break here [15:11] mvo, can I get your input on this? https://bugs.launchpad.net/snapd/+bug/1779416 [15:11] Bug #1779416: Scripts in core snap attempt to do things impossible under confinement and die [15:12] kyrofa: that sounds sensible, I was not aware this is actually used [15:13] mvo, me neither, took me forver to sort it out :P [15:20] heh, thanks for this kyrofa [15:35] re [15:35] * zyga has finished the car insurance and ownership saga [16:02] * cachio lunch === pstolowski is now known as pstolowski|afk [16:43] jdstrand: hey, just a gentle ping about https://github.com/snapcore/snapd/pull/5170 and https://github.com/snapcore/snapd/pull/5307 [16:43] PR #5170: interfaces/builtin: add adb interface [16:43] PR #5307: cmd,interfaces,tests: add /mnt to removable-media interface [16:43] * zyga gets back to his activity [16:44] zyga: yep, both on the list. hopefully today [16:46] thank you :) [17:08] PR snapcraft#2227 opened: Wait lxd [17:19] How far along is "parallel install" feature of snaps ? [17:20] we want different versions (stable, beta, canary) of android studio at the same time (popular request) [17:21] om26er: it is coming along [17:22] om26er: ask mborzecki tomorrow morning [17:22] zyga: will do, thanks === pbek_ is now known as pbek [19:28] PR snapd#5727 opened: interfaces/builtin, cmd/snap-seccomp: Allow read-only ptrace, for the Breakpad crash reporter [19:33] zyga, hey, any idea why this could be happening? https://paste.ubuntu.com/p/dG7WVRZ8Q3/ [19:34] it is braking ubuntu-core-18 [19:40] zyga, if I restart the service it works, but initially it fails [20:11] What is the right way to reference a desktop icon in a .desktop file? [20:27] Nevermind. I found an example: https://github.com/sergiusens/telegram-snap/blob/master/snap/gui/telegram.desktop [21:09] cachio: looking [21:09] zyga, tx, [21:09] otherwise tomorrow is ok [21:10] perhaps because the socket doesn't respond initially (seeding) [21:10] but yeah, tomorrow [21:10] zyga, tomorrow better, now it is time to rest :) [21:46] Is the store down? [21:46] Ah, it seems so [21:47] "Intermittent access issue in few services for 7 Mins 20 Secs" makes it sound like it's over