/srv/irclogs.ubuntu.com/2018/10/12/#snappy.txt

sergiusens	cachio: that is a test that recently broke, joc can put you up to speed on that.	00:27
cachio	sergiusens, great, thanks	00:58
mup	PR snapcraft#2339 closed: lifecycle: switch to multipass by default <Created by sergiusens> <Merged by sergiusens> <https://github.com/snapcore/snapcraft/pull/2339>	01:40
mup	PR snapcraft#2344 opened: schema: remove the deprecated snap keyword for bases <Created by sergiusens> <https://github.com/snapcore/snapcraft/pull/2344>	02:35
mup	PR snapcraft#2345 opened: build providers: remove the qemu implementation <Created by sergiusens> <https://github.com/snapcore/snapcraft/pull/2345>	02:47
=== chihchun_afk is now known as chihchun
mup	PR snapd#5972 opened: tests: initial setup for testing current branch on nested vm and hotplug management <Created by sergiocazzolato> <https://github.com/snapcore/snapd/pull/5972>	03:35
zyga	good morning	05:23
=== chihchun is now known as chihchun_afk
=== chihchun_afk is now known as chihchun
mvo	good morning! 5867 needs a second review	06:32
mborzecki	morning	06:51
mvo	hey mborzecki	06:54
mvo	mborzecki: if you have a moment, a second review for 5867 would be great	06:54
mborzecki	mvo: looking	06:56
mborzecki	mvo: left a comment there	07:05
=== pstolowski\|afk is now known as pstolowski
pstolowski	heyas	07:05
mborzecki	pstolowski: hey	07:05
mvo	hey pstolowski ! good morning	07:08
mup	PR snapd#5913 closed: daemon: expose snapshots to the API <Snapshots 📸󠁟> <Created by chipaca> <Merged by chipaca> <https://github.com/snapcore/snapd/pull/5913>	07:44
mup	PR snapd#5879 closed: vendor, cmd/snap: refactor to accommodate the new less buggy go-flags <Created by chipaca> <Merged by chipaca> <https://github.com/snapcore/snapd/pull/5879>	07:45
Chipaca	morning	07:46
Chipaca	who was it that said something about everything being green, yesterday	07:47
Chipaca	you've doomed us all	07:47
mborzecki	heh ;)	07:48
zyga	Hey	07:49
zyga	(again)	07:49
zyga	Sorry I sent kids to school and overslept again if that is a thing	07:50
zyga	I’ll be down shortly	07:50
Chipaca	WRT "Sorry I sent the kids to school", homeschooling sucks tho	07:50
lool	ogra: how long to land the kernel patch in source and a kernel deb and a kernel snap? :-)	07:59
pstolowski	mvo: hey, wrt to hooks optimization from yesterday, hijacking seems to be the only painpoint. the problem is this: in ifacestate.Connect() i know which hooks exist based on snapinfo.Hooks (it has all hooks defined explicitely and also those not defined but present on the disk in meta/hooks). but hijacked ones (core - configure only?) are exceptional as (afaiu) they don't have to be listed in snap yaml (and they have no	07:59
pstolowski	file on the disk). ideally i'd just ask hookmgr if a (snap, hook) IsHijacked, but we don't have access to hookmgr there. any thoughts on this? there would be no issue if we required hijacked hook to be explicitely listed in the snap yaml.	07:59
Chipaca	ohhh, nice, there's a spread test that hasn't been working for who-knows-how-long and we didn't know because pipefail :-(	08:05
mvo	Chipaca: gar we should simply kill pipefail again	08:05
mvo	Chipaca: I think it trades one horror for another	08:05
* Chipaca looks at mvo		08:05
Chipaca	mvo: yes, yes it does	08:06
Chipaca	mvo: my looking at you was because I was looking at 'git log -p' for the test in case	08:06
Chipaca	mvo: you should feel guilty	08:06
mborzecki	Chipaca: which one?	08:06
Chipaca	nothing serious :)	08:06
mvo	pstolowski: hm - I need to look but if adding the one hijack we have to meta/snap.yaml for core that seems ok	08:06
mvo	Chipaca: which oneß	08:06
Chipaca	still, let me guilt some cake out of mvo	08:06
mvo	Chipaca: ?	08:06
Chipaca	mvo: tests/main/help/task.yaml	08:06
mvo	Chipaca: guilt is my default emotion	08:07
Chipaca	mvo: grep -e and grep -E are not the same thing	08:07
pstolowski	mvo: but how about reverts?	08:07
mvo	Chipaca: cough indeed - this looks like you reviewed this though ;) I usually write '(foo\|bar)'	08:08
Chipaca	mvo: and in particular, grep -evFx 'foo\|bar' will always fail because the pattern is now vFx and 'foo\|bar' the file to search for	08:08
Chipaca	mvo: yep, i missed this too	08:08
Chipaca	mvo: but what's the fun in blaming myself when I can blame somebody kilometers away	08:08
mvo	Chipaca: :( what an annoying bug	08:08
mvo	Chipaca: haha	08:08
Chipaca	anyway, nothing serious, i'll just be removing the test entirely soon :-)	08:09
Chipaca	(because I know how to do this in static tests now :-) )	08:09
mvo	Chipaca: shame that its review friday or we could just push a pr that removes pipefail again	08:09
Chipaca	mvo: i think we've already removed pipefail, otherwise this would've failed?	08:10
mvo	Chipaca: oh, ok	08:10
Chipaca	but, yeah no, pipefail is just choosing one bag of bugs over another	08:10
mvo	Chipaca: I thought you discovered while looking at it	08:10
mvo	Chipaca: anyway, I get back to core18	08:10
Chipaca	nah, while looking at running it 'by hand' for a static check	08:11
Chipaca	mvo: enjoy your eighteen cores	08:11
Chipaca	sergiusens: do you have tests for packing things with weird exclusion lists?	08:12
dot-tobias	I'm having trouble installing snapcraft or git through apt in the classic snap on Core stable. “E: Sub-process /usr/bin/dpkg returned an error code (1)” → Does someone have a hint how I can fix that?	08:15
mup	PR core18#82 opened: hooks: use hkp:// to fetch the key from the keyserver <Created by mvo5> <https://github.com/snapcore/core18/pull/82>	08:15
ogra	lool, thats a ppisati question, he said he'd put it nxt on his TOOD	08:19
ogra	*next	08:20
lool	ogra: Hmm ok, should we put a workaround in place?	08:20
lool	I realize we have been without a 3b+ compatible image since Jan/Feb, but I'm keen to wrap up this effort, especially since UC18 is coming soon	08:21
pedronis	mvo: pstolowski: hijacking exists for core configure only, pstolowski are you doing your change in hookstate, and just for interface hooks?	08:21
pedronis	*and not just	08:21
dot-tobias	(re my own question five minutes ago): seems like this error line: “update-alternatives: error: error creating symbolic link '/etc/alternatives/jsonschema.dpkg-tmp': No such file or directory” is the root cause; once I've created /etc/alternatives everything works fine	08:21
pedronis	pstolowski: we run configure even before we have the core	08:22
pedronis	so we cannot depend on it being there in the meta yaml	08:22
pedronis	by definition	08:22
sil2100	mvo: thanks for the PRs for console-conf! I'll release them into the PPA in some moments	08:22
mvo	sil2100: I have one more pending	08:22
pedronis	pstolowski: we need to do snap set system before we have core	08:22
pstolowski	pedronis: no, i'm doing it in ifacestate.Connect only for interface hooks. i know hijacking is for core configure only, but it's kinda 'open-ended' and made extensible	08:22
mvo	sil2100: testing it right now	08:22
pedronis	pstolowski: we cannot make it mandatory to have it in meta.yaml anyway	08:23
pedronis	pstolowski: it's designed exactly to work even before the snap there	08:23
pstolowski	pedronis: i see	08:23
pedronis	pstolowski: honestly if you are changing ifacestate, I would ignore the problem for now	08:23
mvo	mborzecki: hm, I just go "error: internal error: unsupported download with instance name "/home/mvo/devel/snaps/core18/core18_18_amd64.snap"" from ubuntu image - that looks like a recent change, no?	08:24
pstolowski	pedronis: i could naively make an exception for core configure in ifacestate, but that would circumvent hijacking (which in the future can have more hijacked stuff, at least in theoyr)	08:24
ogra	lool, well, honestly .... i wouldnt have held back on this issue but the test lab wil not be able to manage when their IPs change, i dont think its a biggie and it will be easily fixed with a kernel update	08:24
ogra	and image with a known issue is still better than no image at all ... any workarounds would be rather hackish	08:24
ogra	*and an	08:24
pedronis	pstolowski: I don't understand how configure relates to ifacestate	08:24
pedronis	I'm getting a bit lost	08:24
mborzecki	mvo: what was the command?	08:25
mborzecki	mvo: ah it was from ubuntu image	08:25
lool	ogra: I was thinking u-boot var to override mac address, perhaps via cmdline/initrd	08:25
pstolowski	pedronis: ifacestate.Connect() with my change will only create HookTask if it sees given hook. and if it doesn't create task for core configure, then hijacking will not even have a chance to run	08:25
lool	but yeah, I agree it's hackish	08:25
mvo	mborzecki: yes, via --extra-snaps	08:25
lool	ogra: alright, let's fix it cleanly and take the time	08:26
ogra	lool, well, that first needs an initrd hack to make use of that uboot var	08:26
Chipaca	mvo: ogra: who "owns" the classic snap?	08:26
pedronis	pstolowski: what's the relation between ifacestate.Connect and core configure ?	08:26
pedronis	core configure is not an interface hooks	08:26
pedronis	pstolowski: I'm missing something here	08:26
ogra	Chipaca, theoretically mvo and me i guess	08:26
mborzecki	mvo: that's weird, it's like it's calling Download(/home/mvo/....core18_18_amd64.snap)	08:26
pstolowski	pedronis: aaah, you're right, silly me	08:27
pstolowski	of course	08:27
Chipaca	ogra: mvo: dunno if you read dot-tobias's report above, but it looks like we've broken it recently with /etc/alternatives shenanigans	08:27
mvo	Chipaca: uh	08:27
ogra	Chipaca, i used it yeterday ... i that core 16 ?	08:27
pstolowski	pedronis: so yeah, it's theoretical problem anyway in case of future hijacked hooks	08:27
ogra	+s	08:27
Chipaca	ogra: did you use it to install something that tried to write to /etc/alternatives?	08:28
pedronis	pstolowski: I don't think we need to solve it now, anyway as I said given the nature of hijack	08:28
pstolowski	(i got carried away with configure hook because of that)	08:28
pedronis	expecting it to be in the yaml	08:28
ogra	nah, just to build a snap with snapcraft	08:28
mvo	dot-tobias: thanks for the report! we will fix it soon	08:28
pedronis	would not be a solution	08:28
ogra	did we change alternatives handling in core 16 ? i thought that was an 18 thing	08:29
mvo	mborzecki: aha - nevermind, its not validation its just a stupid error message	08:29
mvo	mborzecki: typo in the path	08:29
mvo	mborzecki: so it does stat() fails -> tries to download	08:29
mvo	mborzecki: which is silly, if it looks like a path it should give a useful error. sorry for the noise	08:30
mborzecki	mvo: right, we could produce more useful error in image.go:acquireSnap()	08:30
mborzecki	mvo: in case the snap ends with .snap	08:30
mvo	mborzecki: yeah, not high priority but definitely a good improvement	08:30
mborzecki	mvo: also funny cause it would actually poke the store to get that snap? :)	08:31
mborzecki	(if it wasn't for that instance name check)	08:31
mvo	mborzecki: yeah	08:31
dot-tobias	mvo, ogra: I just double-checked, the error occurs on a raspi 3B with core 16-2.35.2 stable (rev 5546) and classic snap 16.04 rev 26 (edge)	08:33
dot-tobias	(/etc/alternatives thing with apt install)	08:33
Chipaca	dot-tobias: and this was trying to install what?	08:37
dot-tobias	Chipaca: Tried installing git and snapcraft (independently)	08:38
mup	PR snapd#5944 closed: cmd/snap: speed up unit tests <Created by chipaca> <Merged by chipaca> <https://github.com/snapcore/snapd/pull/5944>	08:38
ogra	weird, i did the same just yesterday	08:38
ogra	on a dragoboard though but that shouldnt matter	08:39
mborzecki	Chipaca: left some comments in #5955 and #5957	08:40
mup	PR #5955: cmd/snap, tests: snapshots for all <Snapshots 📸󠁟> <⛔ Blocked> <Created by chipaca> <https://github.com/snapcore/snapd/pull/5955>	08:40
mup	PR #5957: overlord/snapshotstate/backend: fall back on sudo when no runuser <Snapshots 📸󠁟> <Created by chipaca> <https://github.com/snapcore/snapd/pull/5957>	08:40
Chipaca	mborzecki: yep, just reading	08:40
Chipaca	mborzecki: when you say "list" i'm assuming you menan "list-snapshots" or some such?	08:40
mborzecki	yes	08:41
Chipaca	mborzecki: note "saved" was not my decision, but was arrived at after much discussion	08:41
mborzecki	ahh ok, so then it	08:41
Chipaca	same for all of the commands in there, actually	08:41
mborzecki	's ok for me	08:41
Chipaca	onlu one I winged was check	08:41
Chipaca	only*	08:41
mborzecki	Chipaca: maybe we could make that check help message more friendly	08:42
Chipaca	mborzecki: «check-snapshot tells you if your 📸󠁟 is actually a 🍆»?	08:43
* Chipaca runs		08:44
mborzecki	eggplant?	08:44
Chipaca	vegetable	08:45
mborzecki	haha	08:45
Chipaca	mborzecki: https://www.dictionary.com/e/emoji/eggplant-emoji/	08:46
mborzecki	well, hashsums feels brutalist :)	08:46
mborzecki	wow, that's one interesting emoji	08:46
Chipaca	hehe	08:47
mborzecki	mvo: the logs are here https://forum.snapcraft.io/t/snapd-not-responding/7867/6	08:52
mborzecki	hm should failure in catalog refresh be fatal?	08:55
mborzecki	nvm, the errors are only logged, the machine is rebooting though	09:01
mvo	mborzecki: hm, hm, the logs are not exactly telling much :(	09:07
mvo	mborzecki: I guess we need grub-editenv list next to see if something strange in our boot config is happening	09:07
mvo	mborzecki: but it might be something external rebooting, like a broken watchdog or something	09:08
* mvo scratches head		09:08
zyga	mvo: systemd knows why the system rebooted	09:14
* zyga tires to remember how		09:14
mborzecki	zyga: journalctl -b -1 ?	09:17
zyga	I think there was something deeper	09:26
zyga	perhaps it was not systemd but UEFI	09:26
zyga	AFAIK the boot reason is stored for user space to know	09:26
zyga	but starting with the last boot log would be useful	09:26
mvo	zyga: did scott get back to you last night about the overlay issue btw?	09:26
mvo	zyga: I wonder what the status here is and if we need some last minute fixes	09:27
zyga	mvo: I read the backlog	09:27
zyga	and I have the data to reproduce this	09:27
zyga	I think it is problematic, we were not expecting this use case	09:27
zyga	give me a moment	09:27
zyga	woah!	09:30
zyga	I managed to install a snap	09:30
zyga	after installing core	09:30
zyga	but then core install failed	09:30
zyga	and I got a snap without core	09:30
* zyga collects changes		09:30
=== cpaelzer_ is now known as cpaelzer
zyga	http://paste.ubuntu.com/p/q7pNPtJKNH/	09:32
zyga	mvo: the system is using overlayfs	09:33
zyga	mvo: AppArmor service is active (despite some logic that disables it when / is overlayfs, the logic doesn't trigger in this case because the backing directory is different,	09:34
zyga	snapd detects the overlay and injects a special profile for snap-confine	09:35
zyga	but that profile is probably not active, we did not reload the profile of the system-loaded snap-confine (the one in /etc, not from the core reexec)	09:35
pedronis	mvo: one of the conclusion was that they don't actually need snapd to work	09:36
pedronis	in that context	09:36
pedronis	indeeed is a bit of waste of snapd to seed there	09:36
zyga	I think there is a real bug still	09:37
pedronis	but they have use case with overlayfs that need to work to some extent	09:37
pedronis	zyga: it's ok, I just expected them to then lament that we made seeding work but then boot there is slow :)	09:37
zyga	heh :)	09:38
pedronis	I mean fixing bug is orthogonal to turning off snapd there anyway	09:38
mvo	pedronis: aha, thank you	09:38
zyga	interestingly, in the scenario today we do not reexec	09:39
zyga	because 18.10 is ahead of stable	09:39
zyga	that probably compounds the bug I mentioned	09:39
zyga	but something more is fishy, hold on	09:39
zyga	aha	09:40
pedronis	mvo: I think last words sounded like they could probably work around things on their side by disbaling snapd.service completely there	09:40
pedronis	that sounded what steve was proposing	09:40
zyga	we grant permission: "/media/root-rw/overlay/{,**/}" r,	09:40
zyga	and the denial is: "/overlay/" r,	09:41
mup	PR snapd#5973 opened: image: improve validation of extra snaps <Simple 😃> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/5973>	09:41
zyga	I suspect the paths differ because of something that was done in intrd	09:41
mborzecki	mvo: this should catch the typos and invalid names ^^	09:41
mvo	mborzecki: nice	09:41
zyga	mvo: we can detect and add a hack	09:42
zyga	with that changed I can install and run a simple snap	09:42
zyga	trying to install lxd now	09:43
zyga	trying to use lxd for whatever	09:45
zyga	mvo: lxd doesn't work because it cannot setup networking	09:47
zyga	failed to list ipv4 rules for LXD network lxdbr0 (table filter)	09:47
zyga	there are no more denials	09:47
zyga	so perhaps missing module or something like that	09:48
zyga	anyway, I think that we can fix the immediate issue they saw with a one liner hack	09:48
zyga	but it's not something I'm very proud of	09:48
zyga	mvo: let me prepare a patch, you can decide	09:49
mvo	zyga: ta	09:54
mvo	and 5971 needs a review	09:57
Chipaca	mvo: i retried 5971 ~5 times last night	09:57
Chipaca	fyi	09:58
mvo	Chipaca: meh, that sounds nasty	09:59
mvo	Chipaca: failures all over the place? or some pattern?	10:00
mvo	things look very red in general right now :/	10:00
Chipaca	mvo: no discernible pattern	10:00
zyga	mvo: what is the magic LP:# syntax that is picked up by gnome-terminal	10:00
zyga	for launchpad bug references	10:00
Chipaca	wat	10:00
mvo	zyga: in changelogs we use LP:#1234	10:01
mup	PR #1234: debian: make snapd get its environ from /etc/environment <Created by chipaca> <Merged by niemeyer> <https://github.com/snapcore/snapd/pull/1234>	10:01
zyga	thanks!	10:01
cjwatson	missing a space there	10:01
mvo	zyga: but gnome-termainal I'm not sure	10:01
mvo	cjwatson: aha, thanks (^- zyga)	10:01
cjwatson	LP: #1234	10:01
cjwatson	https://help.launchpad.net/Code/Git#Linking_to_bugs has the regex	10:01
mvo	ta!	10:01
zyga	hmm	10:06
* zyga found more weirdness		10:06
zyga	but anyway	10:06
zyga	patch incoming	10:06
zyga	mvo: I think there will be two patches, one is ready, the other one may be needed to trigger regular snap-confine profile reload	10:08
zyga	we don't have code for that, do we?	10:08
zyga	plus this will go south if someone notices and fixes the apparmor.service unit not to start	10:08
mvo	zyga: hm, hm	10:09
mup	PR snapd#5974 opened: osutil: workaround overlayfs on ubuntu 18.10 <Created by zyga> <https://github.com/snapcore/snapd/pull/5974>	10:15
zyga	mvo: ^	10:15
zyga	mvo: I also updated the bug report	10:15
zyga	I will check the other part of this issue now	10:15
mvo	ta	10:16
zyga	mvo: ok, I looked	10:17
mup	PR snapd#5975 opened: ifacestate/hooks: only create interface hook tasks if hooks exist <Created by stolowski> <https://github.com/snapcore/snapd/pull/5975>	10:17
zyga	we are good, we do reload profiles	10:17
pstolowski	mvo, zyga, pedronis ^	10:17
mvo	pstolowski: thanks	10:20
mvo	ha! 5971 is green - now it just needs reviews :)	10:20
pstolowski	mvo: i'm curious how it improves situation	10:20
niemeyer	mvo: Minor suggestion for the message on #5971 and LGTM	10:22
mup	PR #5971: interfaces: include invalid type in Attr error <Simple 😃> <Created by mvo5> <https://github.com/snapcore/snapd/pull/5971>	10:22
mvo	niemeyer: thank you!	10:22
mup	PR snapd#5739 closed: interfaces/default: don't scrub with change_profile with classic <Created by jdstrand> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/5739>	10:32
mup	PR snapd#5867 closed: many: enable layouts by default <Created by zyga> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/5867>	10:32
zyga	\o/	10:32
Chipaca	mvo: question for you sir: is there anything using .snapignore that you know of?	10:33
mup	PR snapd#5971 closed: interfaces: include invalid type in Attr error <Simple 😃> <Created by mvo5> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/5971>	10:33
mvo	Chipaca: I don't know	10:33
Chipaca	:+1:	10:34
Chipaca	:)	10:34
mvo	Chipaca: is it supported by snapcraft too?	10:34
mvo	Chipaca: or just by us?	10:34
Chipaca	mvo: no	10:34
mvo	Chipaca: ok, then I think its fine to kill it	10:34
Chipaca	mvo: it's from 2015	10:34
mvo	Chipaca: its cargo cult from click	10:34
Chipaca	yep	10:34
Chipaca	mvo: and what about the exclusion of DEBIAN/?	10:34
Chipaca	sounds weird also	10:34
mvo	Chipaca: same I would say	10:34
Chipaca	mvo: maybe we don't need exclusions at all :-)	10:35
mvo	Chipaca: killemall	10:35
mvo	Chipaca: haha	10:35
mvo	Chipaca: really?	10:35
mvo	Chipaca: are those the only patterns? we are an inclusive bunch	10:35
Chipaca	mvo: well, snapcraft very carefully builds the thing	10:35
Chipaca	mvo: nah, we have a bunhc	10:35
Chipaca	bunch	10:35
mvo	good point	10:35
mup	PR snapcraft#2345 closed: build providers: remove the qemu implementation <Created by sergiusens> <Merged by sergiusens> <https://github.com/snapcore/snapcraft/pull/2345>	10:35
mup	PR core18#82 closed: hooks: use hkp:// to fetch the key from the keyserver <Created by mvo5> <Merged by mvo5> <https://github.com/snapcore/core18/pull/82>	10:41
zyga	pstolowski: reviewed the hooks PR	10:45
mborzecki	zyga: wonder if we could improve detection of snap mount dir in snapd, say what if we could ask snap-confine for the right path (i.e. the path it was configured with)?	10:46
zyga	mborzecki: I would actually do it backwards	10:47
zyga	mborzecki: have snapd tell snap-confine	10:47
pstolowski	zyga: thanks! looking	10:47
zyga	and have the entire logic in dirs.go in one place	10:47
zyga	mborzecki: it's not supposed to be a new PR Friday but I have a PR that removes the directory configure option from snap-confine that I mentioned a few times	10:47
mborzecki	zyga: yeah, one source of truth would be nice	10:48
zyga	one source of facts ;-)	10:48
mborzecki	zyga: as for no-new-PRs, I opened one :P although a simple one	10:48
zyga	mborzecki: let's explore this on monday	10:48
zyga	and devote this day to important fixes and reviews	10:49
zyga	mvo: have you seen the overlay PR:?	10:49
ppisati	ogra: we already have facilities to set the mac address from DT: https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/xenial/commit/?h=raspi2&id=d093067d07ffba9f50d38a2e572f7ddbd36daf5a	10:49
ppisati	ogra: check drivers/of/of_net.c::of_get_mac_address	10:50
ppisati	ogra: it's the same stuff as the other patch	10:50
ppisati	ogra: oh, same for LEDs	10:51
ppisati	ogra: https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/xenial/commit/?h=raspi2&id=1ad73f268cedf4a7999fabf9aecb77e0f0cd3c00	10:51
pstolowski	zyga: replied	11:05
zyga	yep, I see	11:05
jdstrand	mvo: hi! as you probably saw in the email, I didn't finish the k8s interfaces, but I could today. I just have a couple of open questions I can discuss with niemeyer to clean things up for the review	11:42
zyga	jdstrand: hey	11:44
jdstrand	niemeyer: hi! do you have a few minutes to discuss some kubernetes interfaces?	11:44
jdstrand	that I'm working on	11:44
jdstrand	niemeyer: I have 3 questions	11:45
jdstrand	hey zyga :)	11:45
zyga	jdstrand: can you look at https://github.com/snapcore/snapd/pull/5974	11:45
mup	PR #5974: osutil: workaround overlayfs on ubuntu 18.10 <Created by zyga> <https://github.com/snapcore/snapd/pull/5974>	11:45
zyga	it's very short, just tell me what you thibnk	11:45
jdstrand	zyga: what does mountinfo say about this system?	11:52
zyga	jdstrand: the test I added shows the mountinfo data exactly from the affected system	11:53
zyga	and I still have it booted if you have any questions	11:53
jdstrand	zyga: that shows a single entry, yes, but are there multiple?	11:53
zyga	multiple overlayfs-es?	11:54
jdstrand	eg, maybe there are layered overlayfs	11:54
zyga	no, there's only one	11:54
zyga	let me pastebin the whole file	11:54
zyga	http://paste.ubuntu.com/p/6kgSyPjJGG/	11:55
zyga	I have to "paste" the URL by hand because $reasons	11:55
mborzecki	when a snap has sockets or timers, snapctl stop <snap> only stops the service, but not the sockets nor timers, then #5777 addresses that, but when snapctl start is issued it starts sockets, timers and the service :/	11:56
mup	PR #5777: wrappers/services.go: don't start disabled services <Created by anonymouse64> <https://github.com/snapcore/snapd/pull/5777>	11:56
zyga	mborzecki: I'm more re-affirmed that we should expose the full set of services, sockets and timers inside the snap and not outside	11:56
zyga	mborzecki: and on the outside, only expose "knobs" that are arbitrary subsets of the real set	11:57
zyga	mborzecki: that are defined by the snap developer	11:57
mborzecki	zyga: well, atm you cant really disable a socket or a timer from inside the snap	11:57
mborzecki	idk feels like we're missing something or trying to hide too much	11:58
zyga	I agree	11:58
jdstrand	zyga: you are supposed to end up with this rule: '"###UPPERDIR###/{,/}" r,' which becomes '"/overlay/{,/}" r,'	11:59
jdstrand	zyga: which should cover '/overlay/'	11:59
zyga	right	11:59
zyga	jdstrand: am I missing something/	12:00
jdstrand	zyga: oh, you are saying that you fixed that	12:00
zyga	yes	12:00
zyga	:D	12:00
jdstrand	I thought you were saying that still remained	12:00
zyga	no no, it's working with this patch	12:00
zyga	but I cannot explain the behaviour of the kernel	12:00
jdstrand	ok, well the overlayroot thing is doing a pivot_root or something	12:00
zyga	hmmm, I'm not sure it does	12:01
zyga	but it may	12:01
zyga	but ...	12:01
zyga	the upper and lower paths are still available	12:01
zyga	I mean, /media/... all of that exists and shows the real stuff	12:01
zyga	btw	12:01
zyga	I noticed something odd, look at the path of the workdir	12:01
zyga	yes, it ends with _	12:01
zyga	why?	12:01
ogra	ppisati, well, then i dont get why it does not work ... does the code actually use "local-mac-address" from the DT ?	12:01
jdstrand	I was wondering about that too. but that is setup by whatever did the mount	12:01
jdstrand	well, typically	12:02
zyga	yep	12:02
ogra	ppisati, because thats where it is in the DT	12:02
jdstrand	maybe the kernel changed	12:02
jdstrand	zyga: what package is used to setup the mount?	12:02
zyga	I don't know but there is /etc/overlayroot.local.conf	12:02
zyga	let me look	12:02
zyga	looks like overlayroot	12:03
mvo	jdstrand: yeah, saw it but no worries, if its isolted we can cherry pick it later	12:03
zyga	jdstrand: cloud-initramfs-tools	12:03
ijohnson	mborzecki: what do you think I should do with #5777 ? I haven't gotten a chance to add tests, but from the forum it seemed unclear that everyone was on board with `snap stop <service>` always also stopping the associated sockets/timers, which is what I implemented	12:03
mup	PR #5777: wrappers/services.go: don't start disabled services <Created by anonymouse64> <https://github.com/snapcore/snapd/pull/5777>	12:03
jdstrand	ah, cloud-initramfs-tools	12:03
zyga	jdstrand: reading that now	12:04
zyga	god how I hate shell	12:05
jdstrand	# PERSIST_DIR will persist after pivot-root	12:05
zyga	miles of shell in initrd	12:05
jdstrand	so, something is doing that	12:05
zyga	yeah	12:05
zyga	but it is set to /run/initramfs	12:05
jdstrand	that's good enough for me to explain the directory	12:05
jdstrand	that dir, yes	12:06
jdstrand	the point is, its talking about the initramfs pivot, etc	12:07
Chipaca	zyga: is your lab & mac available for some poking?	12:07
zyga	Chipaca: sure	12:07
Chipaca	zyga: ok thanks	12:07
Chipaca	zyga: ssh: Could not resolve hostname imac-pro-zygmunt.local: Name or service not known	12:07
zyga	ah, I think I tried to fix the hostname	12:08
zyga	one sec	12:08
Chipaca	heh	12:08
zyga	moved from wired to wifi	12:08
zyga	try ipro-zygmunt.local please	12:08
Chipaca	better	12:08
zyga	I renamed it because while I had both connections macOS would rename the hostname to unclash it with itself	12:08
zyga	jdstrand: so how do you feel about the PR	12:09
zyga	I think nothing short of teaching apparmor about pivot root will break this	12:10
zyga	but if that happens all hell will break loose	12:10
zyga	(we'll notice)	12:10
jdstrand	ah, the man page talks about overlayroot doing a chroot	12:11
jdstrand	zyga: I like the pr fine. I don't like why we don't know why the path is what it is	12:11
zyga	brb, the dog is telling me it's time to go	12:16
zyga	jdstrand: grepping for pivot_root in the package yields nothing	12:16
zyga	jdstrand: but chroot is used	12:17
zyga	jdstrand: btw, I looked at /proc/self/root and it was /	12:17
zyga	is that expected if a chroot happened?	12:17
zyga	(I'll reply from the phone)	12:17
jdstrand	yes, and with chroot, you'll see the beginning of the path for the chroot (ie, the chroot directory is known to apparmor)	12:17
zyga	Another question is why this happens here and not on the live cd	12:19
zyga	Is it just a coincidence that it works on the live cd?	12:19
zyga	About chroot, so are you saying that since I saw / and not some longer path then chroot did not happen?	12:20
jdstrand	zyga: I'm saying that a) I didn't read or trace the whole source to figure out exactly what is happening but that b) we know it is using a combination of overlay and chroot (as opposed to overlay and pivot_root)	12:25
jdstrand	zyga: so I responded to the PR with that in mind	12:26
jdstrand	zyga: in summary, I approved it, but please adjust the comment	12:27
zyga	Ack	12:27
zyga	Thank you	12:27
mup	PR snapd#5976 opened: interfaces: improve Attr error further <Created by mvo5> <https://github.com/snapcore/snapd/pull/5976>	12:27
jdstrand	niemeyer: can you ping me when you have a couple of minutes, I don't want to just fire of the questions with no context	12:27
jdstrand	off*	12:27
mup	PR snapd#5973 closed: image: improve validation of extra snaps <Simple 😃> <Created by bboozzoo> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/5973>	12:31
niemeyer	jdstrand: Heya	12:41
niemeyer	jdstrand: I have a few meetings back to back now, but later in the afternoon it's open.. happy to chat	12:42
jdstrand	niemeyer: hi!	12:42
jdstrand	niemeyer: I think this should be quick	12:42
jdstrand	niemeyer: the context is that we want interfaces to support k8s worker nodes	12:43
jdstrand	niemeyer: and this is defined as kubelet and kubeproxy	12:43
jdstrand	niemeyer: which are two different daemons	12:43
jdstrand	niemeyer: so I have 2 interfaces, currently named k8s-kubelet and k8s-kubeproxy. I think that should change	12:44
jdstrand	niemeyer: to use -support at least. eg, k8s-kubelet-support or just kubelet-support	12:44
jdstrand	probably the latter	12:45
jdstrand	thoughts?	12:45
jdstrand	(and of course, kubeproxy-support (or whatever))	12:45
jdstrand	niemeyer: these are similar to other -support interfaces in that we are granting special things that only these need	12:46
mup	PR snapd#5977 opened: release: 2.36~pre2 <Created by mvo5> <https://github.com/snapcore/snapd/pull/5977>	12:48
mup	PR snapd#5947 closed: many: cleanup remaining parallel installs TODOs <Parallel installs ⛓> <Created by bboozzoo> <Merged by bboozzoo> <https://github.com/snapcore/snapd/pull/5947>	12:53
popey	On a clean core install, if you snap refresh it reboots twice. One for core, one for kernel. Why doesn't it bundle them in one boot?	13:12
ogra	popey, never heppened to me ... weird	13:36
ogra	*happened	13:37
popey	might be pilot error	13:39
ppisati	ogra: uhm, ok	13:39
ppisati	ogra: let me dig in	13:39
ogra	ppisati, i definitely see the MAC changing in the running system but i also see the MAC fixed in the DT ... so something isnt properly picked up	13:43
ppisati	ogra: do you get a random MAC at every reboot?	13:45
ogra	ppisati, yes ... ifconfig shows a different one every boot ...	13:47
ogra	the devicetree has the same one in "local-mac-address" though	13:47
ogra	(the same non-changing one that is ... differing from ifconfig output)	13:48
ppisati	ogra: ok	13:49
smoser	zyga: i think i root-cause diagnosed that bug. commented on your pull request.	13:49
zyga	smoser: looking	13:49
smoser	sorry for the bikeshed conversation with jdstrand (i hadn't noticed he'd commented there) on the code comments :)	13:51
smoser	but i do think it better to mention the 'overlayroot' package than "Ubuntu server 18.10"	13:51
* pstolowski late lunch		13:53
roadmr	zyga: time to try that snap upload that was giving you trouble - the required version of reviewer tools is now in the store	13:56
jdstrand	smoser: the overlayroot man page and scripts specically say they used chroot. if pivot_root was used, I would expect the directory to be '/', not '/overlay/' in the apparmor denial. regardless. the comment can be further generalized. the code was never meant to be completely generalized for any overlay situation	13:56
zyga	roadmr: thanks, I will try now	13:57
zyga	I tried earlier today without success	13:57
zyga	smoser: looking at the source of the package I was unable to find the use of pivot_root but I did see chroot	13:57
jdstrand	smoser: but rather only meant to handle specific situations where we know snaps are being run in a overlayfs situation. we need better apparmor/overlay support in the kernel to be better	13:57
mvo	cachio: I triggered the 2.36~pre2 core build, should be in edge ~1h	13:58
smoser	jdstrand: overlayroot is a "normal" initramfs hook. it sets up some mounts and then lets initramfs do its normal pivot and exec of /sbin/init	13:58
mvo	(max)	13:58
zyga	smoser: ah, I see, this explains it then	13:59
zyga	and is in sync with the pivot_root behaviour of apparmor	13:59
jdstrand	well except that upperdir is showing up as /overlay/ somehow with apparmor	13:59
jdstrand	I don't know the overlyroot and initramfs stuff well enough to explain why it is happening that way	14:00
smoser	jdstrand: did you read my comment ?	14:00
jdstrand	I did	14:00
niemeyer	jdstrand: +1 to dropping the k8s- prefix	14:00
smoser	the code just should not assume that the first field '/cow' in casper	14:00
smoser	means anything	14:00
niemeyer	jdstrand: Are their needs different enough to justify the two interfaces, or would it be worth exploring the potential for a single one?	14:00
jdstrand	smoser: as mentioned, this code can't be generalized without better apparmor/overlay support in the kernel	14:01
smoser	rather it needs to parse /proc/mounts in reverse order to find the second field that matches.	14:01
smoser	it can be generalized for at least these 2 cases.	14:01
smoser	but yes, i do understand that apparmor and overlayfs aren't the best of friends.	14:02
jdstrand	niemeyer: ok, well, there is an existing kubernetes-support interface, but it is ancient and nothing uses it	14:02
jdstrand	niemeyer: jcastro (yes, that ancient) was super jazzed about k8s as a snap so I through something together for comment and then never heard anything back	14:03
niemeyer	jdstrand: But are they mostly the same?	14:03
jdstrand	niemeyer: they is significant overlap, yes. the old kubernetes-support has overlap with docker-support too though	14:04
jdstrand	s/is//	14:05
cachio	mvo, nice	14:05
jdstrand	niemeyer: see https://github.com/snapcore/snapd/compare/master...jdstrand:k8s-worker-interfaces?expand=1	14:05
jdstrand	niemeyer: but kubelet needs more than kubeproxy	14:05
jdstrand	niemeyer: and kubelet needs a lot	14:05
jdstrand	niemeyer: specifically, kubelet needs to do mounts into the container, but kubeproxy does not	14:06
niemeyer	I see	14:06
jdstrand	niemeyer: so it would be nice if kubeproxy didn't have those accesses	14:06
jdstrand	niemeyer: we could have attributes for flavors of a single interface	14:06
jdstrand	which achieves the desired security properties, but isn't as transparent to the user of the system	14:07
niemeyer	jdstrand: +1	14:07
jdstrand	ok, I'll refact to use attributes	14:08
jdstrand	refactor	14:08
niemeyer	jdstrand: If we have nothing using kubernetes-support, we should probably kill it	14:08
jdstrand	niemeyer: well, or, I could just use it with attributes :)	14:08
jdstrand	pedronis: can you do a store search to see if anything is using the kubernetes-support interface?	14:09
jdstrand	niemeyer: I'll work through those details, but I have another interesting question	14:09
pedronis	jdstrand: in a meeting, I can in a bit	14:09
jdstrand	niemeyer: so, you may recall the probelsm with ptrace	14:09
jdstrand	pedronis: thanks	14:10
niemeyer	jdstrand: Meeting rolling too, but feel free to go ahead and I'll reply once I'm off	14:10
jdstrand	niemeyer: specifically, the kernel triggers a ptrace (trace) denial in situations when an application is not actually trying to attach and read its memory/etc	14:10
jdstrand	niemeyer: eg, certain invocations of 'ps' will cause ptrace denials	14:11
jdstrand	niemeyer: that use of ptrace is harmless enough, but we can't tease out the difference in policy between that and a full on gdb-style "I'm taking you over" ptrace	14:12
jdstrand	niemeyer: because the kernel doesn't give us the info to do that (it is kinda similar to how SYS_ADMIN is a catchall for a lot of things. 'trace' groups unrelated things together	14:13
jdstrand	)	14:13
jdstrand	niemeyer: ok, so, we need to allow 'ps' in, say, system-observe (that is the point of the interface), but we don't ptrace (trace) of unconfined, etc, etc because that would constitute a sandbox escape	14:14
jdstrand	niemeyer: all of the above is context for the fact that we have 'deny ptrace (trace)' rules sprinkled in a couple interfaces to cut down on ridiculously verbose logged denials, but allow the use of something like 'ps' (ps will trigger the denial but work fine otherwise)	14:15
mup	PR snapd#5777 closed: wrappers/services.go: don't start disabled services <Created by anonymouse64> <Closed by anonymouse64> <https://github.com/snapcore/snapd/pull/5777>	14:16
jdstrand	niemeyer: but k8s actually needs 'ptrace (trace)' to function. because you can't undo a deny rule, the k8s worker can't (currently) specify 'plugs: [ system-observe ]'	14:17
mup	PR snapd#5970 closed: snapstate: tweak GetFeatureFlagBool() to have a default argument <Created by mvo5> <Merged by stolowski> <https://github.com/snapcore/snapd/pull/5970>	14:18
jdstrand	niemeyer: which brings me to my point: I'd like for the worker to user standard interfaces like system-observe, network-control, etc rather than copying stuff from those into the k8s interface to avoid the deny rule	14:19
Chipaca	mvo: I remembered what I was going to say in the standup and then forgot	14:21
jdstrand	niemeyer: but wanted you opinion on how to do it. the option I'm currently liking is that system-observe, network-control, etc have the same default behavior, but we add an interface attribute (eg, 'omit-ptrace-deny: true') which, when specified, simply skips adding those rules to the policy	14:21
Chipaca	mvo: cachio: starting with 2.36 I'd like to add a new step to the release checklist; how do I go about doing that?	14:22
jdstrand	niemeyer: in these specific cases, that's ok security wise, because we are default deny and the access is still block by the interface. but it allows another interface to be used in conjunction with it	14:22
jdstrand	niemeyer: another route is not expose it to the snap developer and instead simply reuse the rules unconditionally in the k8s interface	14:23
jdstrand	niemeyer: but don't pull in the ptrace rules. eg, system-observe internally has systemObserveConnectedPlugAppArmor, so we might break that into systemObserveConnectedPlugAppArmor and systemObserveConnectedPlugAppArmorDenyPtrace. then in kubernetes-support it adds systemObserveConnectedPlugAppArmor to its policy	14:26
jdstrand	niemeyer: so it would get all of it by simply using 'plugs: [ kubernetes-support ]'	14:26
jdstrand	niemeyer: a 3rd option is trying to work out a new 'ptrace' or two, but I don't quite know what that would look like	14:27
jdstrand	niemeyer: a new 'ptrace' interface*	14:28
jdstrand	niemeyer: I don't really want to pursue that last option now-- it is roadmapped (not product roadmapped, mind you) as something to look into in the future	14:28
jdstrand	niemeyer: ..	14:28
zyga	smoser: about parsing proc/mounts, we do parse it and in the right order too	14:30
zyga	smoser: it's just that according to the kernel the upperdir is different	14:30
zyga	smoser: this is probably because of pivot_root	14:30
zyga	smoser: so unless I misunderstood something there is nothing that we can do better	14:30
zyga	smoser: please do correct me if I'm wrong, I can show you what we do today in the code if that helps	14:30
zyga	(actually, we don't iterate over the mount entries in reverse order, that's an omission on my part)	14:31
zyga	smoser: the logic is on https://github.com/snapcore/snapd/blob/master/osutil/overlay_linux.go#L27	14:31
rharper	zyga: why does apparmor not see the same mount path as present in the mountinfo ?	14:34
zyga	rharper I believe this is a kernel question that only jjohansen can answer	14:34
zyga	rharper: but in general apparmor doesn't "see" pivot root	14:35
zyga	so if you setup a profile with some paths	14:35
zyga	then pivot root	14:35
zyga	the profile is not changed	14:35
niemeyer	jdstrand: I see.. hmmmm	14:35
rharper	zyga: interesting	14:35
zyga	and applies to the paths as they are	14:35
zyga	rharper: what is more interesting IMO	14:35
zyga	is that mountinfo doesn't reflect this either	14:35
zyga	so if you mount something like overlayfs	14:35
zyga	and pivot_root	14:35
zyga	the paths lie	14:35
niemeyer	jdstrand: The attribute feels too much like a hack for very difficult to understand reasons, for a person that isn't developing snapd	14:36
zyga	they may or may not be representable in the new root	14:36
zyga	but the kernel just says "those are the paths"	14:36
zyga	where in other places it actually hints at the fact they are no longer there	14:36
zyga	just not in this case	14:36
zyga	rharper: in the ephemeral Maas image case the kernel really says "overlayfs is mounted there and those are the options"	14:36
zyga	but it doesn't render the mount options with the relation of the current root	14:37
zyga	it just seems to say what they were at the time mount happened	14:37
rharper	zyga: it seems fine for pivot_root to close of some mounts if they're not available under the new root; but why can other things "See" the old paths ?	14:37
zyga	rharper: this is unusual in the sense that other parts of mountinfo are always rendered from the perspective of the observer	14:37
jdstrand	niemeyer: yes, it is weird. also, one could argue that kubelet can't function without system-observe, so why have it as a separate interface that could be manually disconnected	14:38
niemeyer	jdstrand: We might come up with something like an AllowPtrace() method in the intenral AppArmor specification, and when the profile is being generated, check if AllowPtrace is on, otherwise deny it	14:38
zyga	rharper: as I said above :) it's a jj question	14:38
rharper	zyga: =)	14:38
niemeyer	jdstrand: This is relatively clean, and prevents exposure of implementation difficulties	14:38
jdstrand	niemeyer: iiuc, you are saying that in k8s we would set AllowPtrace such that in system-observe it can ask if AllowPtrace is set and make a decision. correct?	14:39
niemeyer	jdstrand: Almost.. Imagine a method AllowPtrace() which sets a private attribute allowPtrace=true in the apparmor Specification	14:41
niemeyer	jdstrand: This would generally be false	14:41
jdstrand	oh	14:42
niemeyer	jdstrand: When the apparmor is being generated, we always deny it, unless one of the interfaces allowed it	14:43
niemeyer	s/apparmor/apparmor profile/	14:43
jdstrand	right. at the very, very end, before writing it out, we can see if it is set	14:43
jdstrand	and if it is, do something	14:43
jdstrand	I like that	14:43
niemeyer	Right, exactly.. if nothing enables it, we deny it	14:43
niemeyer	Then the interfaces that want to enable it would call the method instead of putting it directly into the profile	14:44
jdstrand	it yes, that is very nice indeed	14:45
jdstrand	I think I can use this idea with a problem I had with a conflicting x modifier between home and docker-support	14:46
jdstrand	cool	14:46
jdstrand	niemeyer: ok, my 3rd question was what to do with the existing kubernetes-support. if pedronis tells me nothing is using it, i'll just take it over	14:47
jdstrand	niemeyer: thank you! :)	14:47
* jdstrand really like the spec variable idea		14:47
jdstrand	likes*	14:47
pstolowski	mvo: do you want to take a look at https://github.com/snapcore/snapd/pull/5975 or can i land when green?	14:47
mup	PR #5975: ifacestate/hooks: only create interface hook tasks if hooks exist <Created by stolowski> <https://github.com/snapcore/snapd/pull/5975>	14:48
pstolowski	(it has 2 reviews)	14:48
mvo	pstolowski: yes, I had a quick peek already and it looked good but I did not do a line by line proper review	14:48
mvo	pstolowski: let me look again	14:48
mvo	pstolowski: and thanks for doing this so quickly!	14:48
mvo	Chipaca: what step?	14:49
mvo	Chipaca: aha, right	14:49
mvo	Chipaca: I think sergio is maintaing this checklist now	14:49
pstolowski	mvo: yw, happy to move to something else other than hotplug ;)	14:49
Chipaca	mvo: cachio: updating the brew formula	14:49
niemeyer	jdstrand: Glad it sounds reasonable.. let's see if it works out	14:50
mvo	pstolowski: g	14:50
Chipaca	mvo: cachio: I'll do 2.36, and then I'd like to hand it off (should be just chaning a version number and updating a hash)	14:50
Chipaca	changing*	14:50
smoser	ok. i'm back. and reading	14:51
smoser	zyga, rharper pivot_root issues aside, snapd's logic there is broken	14:52
smoser	it is trusting the first field of /etc/fstab to mean something	14:52
smoser	it does not mean anything	14:52
zyga	smoser: ? can you be more precise please	14:52
smoser	overlayroot uses 'overlayroot' as the 'fs_spec' for the mount it does	14:52
smoser	casper uses '/cow'	14:52
smoser	the kernel ignores it	14:53
smoser	as overlayroot reads the relavent values from 'fs_file' (second field) and upperdir=,workdir=	14:53
zyga	we do not read /etc/fstab	14:53
smoser	sorry	14:53
zyga	we read /proc/self/mountinfo	14:53
smoser	not fstab. proc/mounts	14:53
smoser	or mountinfo	14:53
smoser	same thing really	14:53
mvo	cachio: 2.36~pre2 is in beta now	14:54
zyga	so what are we doing wrong?	14:54
zyga	we look at the filesystem type	14:54
zyga	smoser: we are not looking at the backing device	14:55
zyga	which as you say can be anything	14:55
zyga	we are looking at the filesystem type "overlay" and the mount point "/"	14:55
smoser	ok. re-reading as i assumed /proc/mounts let me see	14:56
rharper	smoser: https://github.com/snapcore/snapd/blob/master/osutil/mountinfo_linux.go	14:56
zyga	we don't use proc mounts because it has fewer things exposed	14:57
zyga	smoser: and to be clear, our logic did trigger in the image I tested	14:57
zyga	it just used the wrong path, as instructed to by the kernel	14:57
zyga	all I did in the fix was to re-map it manually because we know what happens in this particular case	14:58
zyga	(where "knows" is perhaps too strong but you know what I mean)	14:58
rharper	https://bugs.launchpad.net/apparmor/+bug/1703674	14:58
mup	Bug #1703674: inconsistent required directory rules needed with overlayfs <aa-kernel> <AppArmor:New> <https://launchpad.net/bugs/1703674>	14:58
rharper	zyga: is that the bug that tracks the "odd" requirement for the path ?	14:58
smoser	ok. zyga this is casper /proc/1/mountinfo	14:59
smoser	http://paste.ubuntu.com/p/ftMNjsv8tx/	14:59
zyga	rharper: I don't know - perhaps	14:59
smoser	and this is overlayroot	14:59
smoser	http://paste.ubuntu.com/p/b4PZXYhCF7/	14:59
smoser	I think that you are reading the 10th field of line 9 (/cow) in casper to mean something	14:59
zyga	28 0 0:24 / / rw,relatime shared:1 - overlay overlayroot rw,lowerdir=/media/root-ro,upperdir=/media/root-rw/overlay,workdir=/media/root-rw/overlay-workdir/_	15:00
zyga	I don't think we do	15:00
zyga	we read the fstype filed	15:00
zyga	not the backing store	15:00
zyga	https://github.com/snapcore/snapd/blob/master/osutil/mountinfo_linux.go#L183	15:00
Chipaca	I'm going afk for a few hours. Have a great weekend, y'all!	15:00
zyga	Chipaca: enjoy :)	15:00
zyga	smoser: the first field after the -	15:01
Chipaca	zyga: i'll be asking for logs of this conversation later, to catch up -- super interesting	15:01
* Chipaca off		15:01
smoser	zyga: i'm reading https://github.com/snapcore/snapd/blob/master/osutil/overlay_linux.go#L58	15:01
smoser	"if mount source is path, strip it from dir"	15:02
zyga	smoser: as ultimate proof I can show you this https://github.com/snapcore/snapd/pull/5974/files#diff-989405fde2087a02f99e11b0c532699dR88	15:02
mup	PR #5974: osutil: workaround overlayfs on ubuntu 18.10 <Created by zyga> <https://github.com/snapcore/snapd/pull/5974>	15:02
smoser	mount source does not mean anything	15:02
pedronis	jdstrand: no snap has been granted use of kubernetes-support	15:02
cjwatson	diddledan: hi, you've typoed "build-on" as "build on" in your audacity snapcraft.yaml	15:02
zyga	smoser: ah, I missed that aspect	15:02
zyga	I was focusing on the triggering	15:03
smoser	i pointed to that line in my comments!	15:03
smoser	:)	15:03
zyga	let me think, I think this came from jdstrand	15:03
diddledan	oh fudge	15:03
diddledan	thanks cjwatson	15:03
zyga	sorry, I missed that	15:03
cjwatson	(noticed because LP emailed me an oops report)	15:03
diddledan	yey	15:03
smoser	well, zyga you were derailed by my 'fstab' comments. which i understand were confusing.	15:03
zyga	hmm	15:03
zyga	but if dir, ok := entry.SuperOptions["upperdir"]; ok {	15:03
zyga	dir is the upper path	15:03
smoser	that part is right.	15:04
cjwatson	it should go somewhere more useful, and arguably shouldn't oops, but ...)	15:04
smoser	well, right for this :)	15:04
pedronis	jdstrand: but maybe you were asking if anything has kubernetes-support plug, that is a trickier question	15:04
zyga	jdstrand: can you explain that part please: https://github.com/snapcore/snapd/blob/master/osutil/overlay_linux.go#L58	15:04
zyga	smoser: I never saw mount source being a path	15:05
zyga	I'm curious as well now	15:05
zyga	smoser: thank you for persisting! I totally missed that	15:05
cjwatson	diddledan: same for gnome-twitch, but I see you noticed that too :)	15:05
jdstrand	pedronis: that is good enough. it needs an installation constraint	15:05
diddledan	yup, both fixeded	15:05
cjwatson	ta	15:05
diddledan	thanks for the alert :-)	15:05
jdstrand	pedronis: so it would have to be granted the use for anyone to use a snap with it	15:05
jdstrand	zyga: what is the question? all of this is very casper specific. we knew it would have to be updated if the livecd pattern changed	15:06
diddledan	(some people might say I'm a "lert")	15:06
zyga	jdstrand: the question is why do we interpret mount source in overlayfs detector	15:06
zyga	jdstrand: since mount source is unused arbitrary string in the cases I'm familiar with at least	15:07
jdstrand	because of the way casper set it up, it was something we could look at	15:07
jdstrand	yes	15:07
zyga	jdstrand: that's interesting, thanks!	15:07
zyga	smoser: so we should look at casper	15:07
jdstrand	it's not 'dependable'	15:07
zyga	but I think the path is (probably) an accident more than a feature, I wonder if overlayfs itself uses it	15:08
zyga	I will finish writing a test for something I have and return to this	15:08
jdstrand	https://github.com/snapcore/snapd/commit/0f40f37c416587bd2e3b51db66601262869d2dc7	15:08
diddledan	am I correct with my belief that snaps don't expose url handlers currently? i.e. vscode in a snap cannot hook the vscode:// url scheme from the system (I'm triggering it with a non-snap process, so it's not the confinement out of another snap that's a problem): https://github.com/Microsoft/vscode-pull-request-github/issues/573	15:09
zyga	diddledan: they do	15:10
zyga	diddledan: grep for vscode in generated desktop files in /var/lib/snapd/desktop	15:10
diddledan	what am I looking for?	15:11
jdstrand	zyga: see the above commit. the detection is completely arbitrary based on what we observed. it was always known that if something changed or we wanted to support something else, we'd need to do things differently	15:11
zyga	diddledan: desktop files can declare URL handlers	15:11
zyga	jdstrand: thank you, I see	15:11
zyga	I will dig into that shortly after the other bug	15:11
zyga	diddledan: let me grep my system	15:11
popey	zyga: isnt the list hard wired?	15:11
jdstrand	so, right now it is looking for '/cow', cause that is what we know casper does	15:11
zyga	popey: which list?	15:12
popey	mailto: http etc	15:12
popey	we discussed this in belgium	15:12
zyga	that's in the snap handler	15:12
jdstrand	so the upperdir is /cow/upper, but because of the pivit root htat becomes simply /upper	15:12
zyga	not in what is published to the system	15:12
jdstrand	pivot*	15:12
jdstrand	so yes, now I see smoser's point fully	15:13
zyga	jdstrand: right I think we were not discussing the pivot aspect, just that overlayfs mount source (which is "overlay" or "overlay root" or "whatever unused") was being used by the logic	15:13
zyga	right	15:13
zyga	+1	15:13
zyga	popey: vscode is not defining any	15:14
zyga	popey: compare to telegram desktop for example:	15:15
zyga	telegram-desktop_telegramdesktop.desktop:MimeType=x-scheme-handler/tg;	15:15
popey	but even if it did, it woudln't work, surely, because they're hard wired in snapd	15:15
popey	yes, that one doesnt work	15:15
popey	because it's not listed in snapd	15:15
jdstrand	zyga (cc smoser): ok right, it has all come back to me. in a general fashion, we can't tell that something is going to pivot_root and to what from simply the mountinfo entry. so for the livecd, we try to discover if we think it is a livecd mountinfo entry, and then do stuff (assuming it will be consistent)	15:15
zyga	what is hard wired?	15:15
popey	the list of handlers	15:15
zyga	popey: if the handler is registered the opening that URL from the desktop does work	15:15
popey	we discussed this in belgium, talking about extending the list	15:15
zyga	snaps cannot open such links though	15:15
kyrofa	zyga, I'm trying to use snap try in 2.35.2 and I'm getting "cannot snap-exec: cannot read info for "my-snap-name": cannot find installed snap "my-snap-name" at revision x1: missing file /var/lib/snapd/snaps/my-snap-name_x1.snap" whenever I try to run the app. Any ideas?	15:16
diddledan	the new window action has the wrong Exec line, too: https://www.irccloud.com/pastebin/TA7qUMzu/	15:16
zyga	kyrofa: are you using encrypted FS?	15:16
jdstrand	zyga (cc smoser): if we have this: overlayroot / overlay rw,relatime,lowerdir=/media/root-ro,upperdir=/media/root-rw/overlay,workdir=/media/root-rw/overlay-workdir/_ 0 0	15:16
kyrofa	zyga, full, yeah. Used to work	15:16
zyga	diddledan: indeed (ouch)	15:16
zyga	mvo: ^	15:17
jdstrand	zyga (cc smoser): then, in theory, we could look for 'overlayroot' instead of '/cow', and then try to do something with upperdir	15:17
jdstrand	zyga (cc smoser): for the overlroot case	15:17
zyga	yeah	15:17
kyrofa	zyga, not home dir encryption	15:17
zyga	we could hold a map of the use cases we saw and apply a transofrmation	15:17
jdstrand	ie, '/' + basename(upperdir)	15:17
zyga	kyrofa: where is your snap?	15:18
zyga	kyrofa: as in in the filesystem	15:19
zyga	popey: extending the list is something we can discuss and arrange for, I'm not opposing that	15:19
kyrofa	zyga, /var/lib/snapd/snaps	15:19
zyga	wait, you had that snap there?	15:20
kyrofa	zyga, oh wait, sorry, misunderstood	15:20
zyga	h	15:20
zyga	so where was it when you tried it?	15:20
kyrofa	zyga, in my home dir somewhere	15:20
zyga	did you remove the prime/ directory?	15:20
zyga	and built it again?	15:20
zyga	can you please paste /proc/self/mountinfo, grep for the snap to make the output shorter	15:20
kyrofa	No, just ran `snap try prime` and then tried running the command immediately	15:20
zyga	(ideally one line)	15:20
kyrofa	zyga, oh wait, actually, it was in /tmp. I bet that's the issue huh	15:21
* cachio lunch		15:21
zyga	mmm, perhaps but I want to see the mountinfo anyway	15:21
zyga	but most likely so	15:21
zyga	because snap-exec cannot handle that	15:21
zyga	well	15:21
zyga	actually, ignore me	15:21
zyga	it should not matter	15:21
zyga	at that stage it should be mounted in /snap/...	15:21
zyga	do you see your snap mounted there?	15:21
pstolowski	cachio: the nested vm PR seems to have failed misteriously ("null"), is it too expensive to build ubuntu image maybe?	15:22
pstolowski	cachio: btw, added a few comments, this is going to be great, thanks for working on this	15:22
kyrofa	zyga, https://paste.ubuntu.com/p/sgdjp5v3tg/	15:22
kyrofa	zyga, yeah, it's mounted in /snap/my-snap-name/x1	15:22
zyga	kyrofa: this looks correct	15:23
zyga	mmm	15:23
zyga	hold on, I need to break for dinner now	15:23
zyga	kyrofa: please hold this bug :)	15:23
mvo	zyga: in a meeting right now, would love to get a tl;dr summary in a bit	15:26
zyga	k	15:26
mup	PR snapd#5977 closed: release: 2.36~pre2 <Created by mvo5> <Merged by zyga> <https://github.com/snapcore/snapd/pull/5977>	15:26
mup	PR snapd#5978 opened: interfaces: don't allow snaps to write to $HOME/bin <Created by zyga> <https://github.com/snapcore/snapd/pull/5978>	15:27
zyga	jdstrand: ^	15:27
mup	PR snapd#5976 closed: interfaces: improve Attr error further <Created by mvo5> <Merged by stolowski> <https://github.com/snapcore/snapd/pull/5976>	15:30
mborzecki	pstolowski: hey, can you take a look at https://github.com/snapcore/snapd/pull/5948 ?	15:33
mup	PR #5948: asserts, image: ensure kernel, gadget, base and required-snaps use valid snap names <Parallel installs ⛓> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/5948>	15:33
pstolowski	mborzecki: sure	15:33
mborzecki	pstolowski: thanks!	15:33
mborzecki	pstolowski: responded :)	15:45
zyga	re	15:45
pstolowski	mborzecki: ok, i'm still on it	15:47
smoser	zyga, jdstrand just as an fyi. http://paste.ubuntu.com/p/pzDk8bZMjb/	15:49
smoser	if i change overlayroot like ^ and update initramfs then it works	15:49
smoser	as basically this puts '/media/root-rw' in the source (fs_spec) option fed to 'mount' for my overlay mount	15:50
smoser	and that makes it happy.	15:50
zyga	smoser: ack	15:51
smoser	but that will break 'overlayroot-chroot' command	15:51
zyga	smoser: I'm not familiar with that command but I think with the workaround I proposed for snapd we don't need to change anything else	15:52
smoser	which relies on finding 'overlayroot' in /proc/mounts	15:52
smoser	well, that command is probably not used by anyone other than me.	15:52
smoser	but it allows you to easily remount rw and jump into the "real root" to make a change	15:52
mup	PR core18#83 opened: add swapfile support (ported from ubuntu-core-config) <Created by mvo5> <https://github.com/snapcore/core18/pull/83>	15:53
=== chihchun is now known as chihchun_afk
=== pstolowski is now known as pstolowski\|afk
zyga	roadmr: trying now	16:07
zyga	roadmr: no change	16:07
zyga	same error as last time	16:07
roadmr	mm	16:08
roadmr	zyga: did the snap change?	16:08
zyga	I rebuilt the snap but I believe it didn't change at all	16:08
zyga	the error is :	16:09
zyga	- __all__: The upload does not appear to be a valid package.	16:09
mup	PR core18#84 opened: hooks: port classic mode generation to UC18 <Created by mvo5> <https://github.com/snapcore/core18/pull/84>	16:09
roadmr	zyga: let me check the snap I have against the tools	16:09
zyga	thank you	16:10
zyga	mvo: man, you are killing it on Friday :)	16:10
zyga	mvo: how about locale?	16:10
zyga	mvo: can you please review https://github.com/snapcore/snapd/pull/5974	16:10
mup	PR #5974: osutil: workaround overlayfs on ubuntu 18.10 <Created by zyga> <https://github.com/snapcore/snapd/pull/5974>	16:11
roadmr	zyga: the tools work fine with the snap build I have, so perhaps your rebuild did introduce more evil. Wormhole?	16:13
zyga	sure	16:13
mvo	zyga: whats the status for 5974 ? do we need it?	16:17
mvo	zyga: if so, for 2.35? 2.36?	16:17
mvo	zyga: I can review after dinner in a bit	16:18
zyga	mvo: I think we need it	16:18
zyga	for whatever ships	16:18
mvo	zyga: for whatever ships would be 2.35.5	16:19
mvo	zyga: do we need it like now i.e. tonight/before the weekend?	16:19
zyga	mvo: I'm not sure what to answer	16:20
zyga	smoser: ^	16:20
zyga	smoser: so we need it like now, tonight, before the weekend?	16:20
smoser	I think that submitting as "zero day SRU" is fine.	16:23
smoser	all users of overlayroot and our images are broken	16:23
smoser	which is clearly bad, but	16:23
smoser	the two users that i'm aware of are	16:24
smoser	a.) open-iscsi autopackage test http://autopkgtest.ubuntu.com/packages/o/open-iscsi/cosmic/amd64	16:25
smoser	b.) curtin vmtest (we just put in a workaround to disable snapd)	16:25
smoser	c.) MAAS installation. this works fine because they disable apparmour	16:25
smoser	so I personally dnot think there is reason for fire-drill upload at this point since we have it well understood.	16:26
smoser	but... if there was an upload going to happen anyway	16:28
smoser	then i think that that pull request should be taken	16:28
smoser	even in its simple form it fixes default use-case	16:28
smoser	zyga: ^	16:28
smoser	mvo: ^	16:28
zyga	ack thanks	16:29
zyga	I think we will still release but for another reason	16:29
zyga	and we can piggy back this patch	16:29
plars	ogra: I can't recall, is bluetooth expected to work on our rpi images?	16:29
plars	ogra: nm, I found https://bugs.launchpad.net/snappy/+bug/1674509 - I thought there was something like that but that it had been resolved already	16:34
mup	Bug #1674509: Unable to find bluetooth device on RPi3 running Ubuntu Core 16 <snapd-interface> <Snappy:Confirmed> <linux-raspi2 (Ubuntu):Invalid by p-pisati> <https://launchpad.net/bugs/1674509>	16:34
zyga	roadmr: any finings?	16:38
zyga	findings :)	16:38
roadmr	zyga: still fighting kibana for the logs	16:38
zyga	thank you	16:38
smoser	zyga: for now the solution is just to special case '/media/root-rw/overlay' as you did ?	16:44
zyga	yes	16:44
zyga	next week we can explore better options	16:44
smoser	i think thats appropriate for now.	16:44
smoser	thank you	16:44
zyga	without time pressure	16:44
zyga	thank you! and double so for pointing out the other aspect of the current solution :)	16:44
roadmr	zyga: does git-lp still exist/work?	16:50
zyga	roadmr: I don't know, I'm not using it	16:50
roadmr	ok :)	16:50
roadmr	zyga: hey any chance you could retry pushing the snap? log spew is making it very hard to find the exact entry I need	17:00
roadmr	having a shorter time window owuld help :)	17:00
zyga	doing now	17:01
zyga	done	17:01
roadmr	thanks!	17:02
jjohansen	rharper, zyga: its a limitation in the LSM atm that we are working on fixing by extending the hooks available	17:05
zyga	jjohansen: thank you for confirming this, so our prediction about pivot_root being the cause are correct?	17:05
zyga	jjohansen: would you consider it a separate bug that mountinfo doesn't show correct paths after pivot_root?	17:06
zyga	(in the mount options field)	17:06
jjohansen	yes, we see the pivot_root and can mediate it but we can't properly update/track it because its a permission hook, not a stateful hook which means the pivot_root might actually not happen, and if we track at that point, and it fails we are completely messed up	17:07
jjohansen	well, no more messed up than now I suppose, its mess up one way or the other	17:08
zyga	I mean, regardless of apparmor in this case	17:08
jjohansen	atm namespaces in general are a problem because we don't have hooks to perform permission checks or track unshare or setns	17:09
jjohansen	right, it messes up apparmor not the kernel	17:09
zyga	jjohansen: right but I was specifically asking about just plain /proc/self/mountinfo	17:14
zyga	part of the problem is that apart from the apparmor aspect we got confused by the path reported by the kernel there	17:15
zyga	it seems like a bug in overlayfs	17:15
zyga	or mountinfo rendering of itself	17:15
mup	PR snapcraft#2346 opened: ruby plugin: add support for base <Created by kyrofa> <https://github.com/snapcore/snapcraft/pull/2346>	17:15
jjohansen	overlayfs is another issue	17:15
jjohansen	you have two mounts	17:15
smoser	i never expected mountinfo to be updated.	17:15
jjohansen	will potentialy more	17:15
jjohansen	s/will/well/	17:15
smoser	id have ben surprised if two processes (one with an NS change and one without) saw different values for 'upperdir='	17:16
zyga	smoser: mountinfo is updated when you pivot normally	17:16
zyga	for all the other paths	17:16
jjohansen	yep	17:16
zyga	smoser: but the upperdir (being a mount option string) is probably just printed verbatim	17:16
jjohansen	pivot_root is magic	17:17
zyga	it just seems that using system paths in mount options is not that common	17:17
smoser	right.	17:17
smoser	but essentially you're just feeding '-o' as a string to the filesystem	17:18
zyga	right	17:19
smoser	so anything could go in there and is only properly understood by that specific fs	17:19
zyga	right	17:19
zyga	but it could be :)	17:19
roadmr	zyga: hey do you have the exact filename for the snap you tried to upload? pm if you like	17:20
zyga	yes, same as I gave you but ..	17:21
roadmr	zyga: I'm not finding anything in logs, makes me suspect it's barfing even before being able to determine the snap id	17:21
roadmr	because I'm searching with snap id and getting nothing	17:21
smoser	oh. hm.. zyga so in http://paste.ubuntu.com/p/P2pdtCDn2v/	17:21
smoser	whihc is a "post-pivot" /proc/1/mountinfo	17:21
zyga	roadmr: fedora29.2018.10.12.x86_64.snap	17:21
smoser	did the kernel remove '/cow' from some string above line 9 ?	17:22
roadmr	thanks zyga	17:22
smoser	i couldnt understand how 'upperdir=/cow/upper' was a thing at the point of that mount	17:22
zyga	30 1 0:24 / / rw,relatime shared:1 - overlay /cow rw,lowerdir=//installer.squashfs://filesystem.squashfs,upperdir=/cow/upper,workdir=/cow/work	17:22
zyga	probably it existed in the initrd	17:22
zyga	mkdir /cow	17:22
zyga	...	17:22
zyga	pivot	17:22
zyga	I played with pivot and overlayfs almost all of last week	17:23
smoser	bah. duh	17:23
smoser	i guess i was just expecting to see some '/' mount	17:23
zyga	trying to write a spread test for the live CD fix	17:23
zyga	mm	17:23
smoser	but the initramfs / doesn't get represented anywhere	17:23
zyga	you have / mount	17:23
zyga	overlay is there :)	17:24
zyga	nothing else	17:24
smoser	yeah. but i was expecting to see something above that line.	17:24
zyga	the fact that overlay still holds onto a mounted filesystem	17:24
zyga	that we cannot see	17:24
zyga	is not visible	17:24
smoser	right.	17:24
zyga	if you had a process living in the initrd namespace	17:24
zyga	you would see that	17:24
zyga	it's actually easier to reason about	17:24
zyga	just make a mount namespace	17:24
smoser	:)	17:24
zyga	do a overlayfs + pivot there	17:25
zyga	and see what you see in mountinfo	17:25
zyga	you can get to one-liner overlatyfs + /proc	17:25
zyga	*overlayfs	17:25
zyga	but you can see the backing store in the initial mount namespace	17:25
zyga	roadmr: perhaps the permissions on the snap directory tree are unusual?	17:26
smoser	ok. yeah, well that is enough for me today.	17:26
zyga	or something else is making it fail	17:26
smoser	i really should be looking at other things.	17:26
zyga	:-)	17:26
smoser	thank you	17:26
zyga	thank you smoser :)	17:26
ogra	plars, sadly not, i pinged koza on the forum about it today as well ...	17:28
ogra	the bluez snap delivers everything we need but it needs manual intervention to actually initialize the BT stack	17:29
plars	ack	17:29
mup	PR snapd#5979 opened: install: don't start disabled services <Created by anonymouse64> <https://github.com/snapcore/snapd/pull/5979>	18:45
mup	PR snapcraft#2343 closed: schema, meta: add "full" app adapter <Created by kyrofa> <Merged by sergiusens> <https://github.com/snapcore/snapcraft/pull/2343>	19:36
mup	PR snapcraft#2346 closed: ruby plugin: add support for base <Created by kyrofa> <Merged by sergiusens> <https://github.com/snapcore/snapcraft/pull/2346>	19:39
mup	PR snapcraft#2347 opened: extensions: support adding root properties <Created by kyrofa> <https://github.com/snapcore/snapcraft/pull/2347>	19:45
kyrofa	Any update on when 2.36 will be stable?	19:47
roadmr	zyga: still around?	20:00
mup	PR snapd#5978 closed: interfaces/home: don't allow snaps to write to $HOME/bin <Created by zyga> <Merged by zyga> <https://github.com/snapcore/snapd/pull/5978>	20:06
mup	PR snapcraft#2344 closed: schema: remove the deprecated snap keyword for bases <Created by sergiusens> <Merged by sergiusens> <https://github.com/snapcore/snapcraft/pull/2344>	20:24
mup	PR snapcraft#2347 closed: extensions: support adding root properties <Created by kyrofa> <Merged by kyrofa> <https://github.com/snapcore/snapcraft/pull/2347>	21:30
mup	PR snapcraft#2348 opened: extensions: remove root extensions <Created by kyrofa> <https://github.com/snapcore/snapcraft/pull/2348>	21:36
mup	PR snapd#5980 opened: interfaces/apparmor: conditionally add explicit deny rules for ptrace <Created by jdstrand> <https://github.com/snapcore/snapd/pull/5980>	22:20
mup	PR snapcraft#2349 opened: extensions: use extension docstring <Created by kyrofa> <https://github.com/snapcore/snapcraft/pull/2349>	22:51

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!