/srv/irclogs.ubuntu.com/2019/01/29/#snappy.txt

mvokissiel: hey, good morning! ready when you are to talk about this autopkgtest failure, probably just a glitch but wanted to double check with you :)05:52
mborzeckimorning06:12
mvohey mborzecki06:12
mborzeckimvo: hey06:13
mborzeckimvo: ah, i see you're already pushing master merge to each pr06:15
mvomborzecki: well, some :)06:15
mvomborzecki: but yeah, we have some easy fixes06:15
mvomborzecki: I still need to cherry pick this for 2.3706:15
mborzeckimvo: well, no we're going to break google again :)06:16
mvomborzecki: haaha - that was a funny error06:17
mvoI can see the headlines: "search engine gigant down because snapd runs too many tests…"06:17
mupPR snapd#6442 opened:  tests: workaround missing go dependencies in debian-9 <Created by mvo5> <https://github.com/snapcore/snapd/pull/6442>06:22
mupPR snapd#6400 closed: overlord/snapstate: use an ad-hoc error when no results <Created by chipaca> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/6400>06:23
mupPR snapd#6389 closed: cmd/snap: small refactor of cmd_info's channel handling <Created by chipaca> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/6389>06:26
morphismvo, zyga: any idea about https://forum.snapcraft.io/t/snapd-2-37-breaks-existing-snap-installation/9717 ?07:32
mvomorphis: thanks. we are looking at this now07:39
morphismvo: thanks, if you need any live debugging let me know07:42
Chipacamorning peeps07:46
Chipacamvo: zyga: pedronis: 6443 is something I'd like in 2.37 if it can sneak in07:48
mupPR snapd#6443 opened: daemon, polkit: pid_t is signed <Simple πŸ˜ƒ> <Created by chipaca> <https://github.com/snapcore/snapd/pull/6443>07:48
mvoChipaca: sure thing, it looks like we need a .1 soon because of a regression that morphis  just reported07:49
mvoChipaca: so lets try to move things quickly07:49
* Chipaca shakes fist at morphis 07:49
* Chipaca hugs morphis tho07:49
morphisChipaca: :-)07:49
mvomborzecki: any idea what might have changed in snap-confine that gives the error that morphis reported above?07:49
mborzeckimvo: no, looking at it07:50
mvomborzecki: ta, I was just looking at the diff (lots of churn :/ but nothing so far that looks obvious07:50
morphismborzecki: I still have the 2.37 core snap installed, if you want me anything to try let me know07:52
zygaGoood morning07:52
mvomborzecki: thanks, please consider this priority as it breaks users, we will push hard for a fix07:52
morphisotherwise I am going to revert core07:52
mvozyga: hey, good morning07:52
mvozyga: bad news, morphis found a regression in 2.3707:53
=== cpaelzer__ is now known as cpaelzer
zygaI think it is not a regression07:53
zygaLet me wake up and get to my keyboard07:53
mvomorphis: also, could you please "snap refresh --candidate core" on all your boxes? that would be awesome because it helps us to find these issues slightly earlier (and candidate is as good as stable in 99,9% of the cases)07:53
mvozyga: thank you! keen to learn more :)07:54
zygaUsage of home outside of /home always required local configuration changes07:55
morphismvo: our dev boxes use candidate already but not our CI ones07:56
morphiszyga: these are classic snaps and things were working well for < 2.3707:57
mborzeckizyga: can HOME/HOMEDIRS be set/extended manually?07:57
* Chipaca ⇝ school run07:59
mvozyga: do you know what code change created this denial?08:01
mborzeckimvo: afaict it's snap-confine, though it seems to have the right rules to allow creating directories inside @{HOME}08:03
=== pstolowski|afk is now known as pstolowski
pstolowskimornings08:05
mborzeckimorphis: did you need to tweak /etc/apparmor.d/tunables/home.d for jenkins before?08:06
mvomborzecki: iirc HOME really just means /home :/08:06
mvomborzecki: I wonder what change in s-c caused this, I mean, if this used to work something most have changed08:07
mborzeckimvo: morphis mentioned that he's using /var/lib/jenkins as $HOME for jenkins08:07
mvomborzecki: yeah, what I mean is iirc apparmor tools are not very smart about @{HOME} when it is outside of /home but I may be wrong here08:08
mvoChipaca: your PR fails in the unit tests, could you pleae check and force-push (force-push so that we can still easily cherry-pick into 2.37)08:09
morphismborzecki: no, I didn't08:11
morphismborzecki, mvo, zyga: the problem appears with classic snaps (go, snapcraft) so theoretically they should be allowed to write to $HOME regardless where it is08:12
jameshmorphis: the error is from snap-confine: it'll have the same policy no matter what snap it is running for08:13
mvomorphis: its trivial to reproduce feel free to revert your snap08:15
mborzeckimvo: wonder if adding /var/lib/jenkins/ to /etc/apparmor.d/tunables/home would fix it08:17
mvomorphis: hm, this is strange - with the previous stable core (2.36.3) I get the same error - what was your previous version08:17
mvomborzecki: I'm pretty sure it would08:18
mvomborzecki: the interessting question is why is it breaking for morphis  now08:18
mvomborzecki: but wasn't before08:18
mvomborzecki: and an we fix it for him somehow :)08:18
zygare08:18
zygamvo: so:08:18
mvo(I mean, not just for him for everyone who might be affected)08:19
zygamvo: the change is a result of removing quirks code08:19
mborzeckioh08:19
morphismvo: https://pastebin.canonical.com/p/Rs8TmRYGJS/08:19
mborzeckizyga: tell us more :P08:19
zygamvo: this is not a regression in my eyes for the following reason08:19
zygamvo: home directories outside of /home require local configuration to work08:19
zygamvo: they may have worked partially before08:19
zygamvo: but we never tested or supported that08:19
zygamvo: it may have been that some subset of snaps operated okey08:20
zygamvo: but it's unclear if all interfaces were supported or if not all, why not08:20
zygamvo: my advice is as follows:08:20
zygamvo: for the people affected the same advice present on the forum stands08:20
zygamvo: edit local apparmor configuration to indicate HOMES contains /var/lib/jenkins08:21
zygamvo: for 2.38 we can look at properly supporting thta08:21
zygamvo: including looking across the stack at assumptions, writing tests, etc08:21
zygamvo: so that's that08:22
zygamvo: in my eyes this is not a regression, it is a change but not all changes are regressions08:23
pedroniszyga: we don't have a plan to make that work for 2.38 tough, unclear how much work it is even08:23
zygamvo: it was an unsupported feature  before08:23
mvozyga: right, people can workaround this issue. I would still like to understand if there is anything we can do and how the quirks changed things. even if its not technically a regression if it breaks existing installs thats not good (tm)08:23
zygamvo: the reason is very simple, to allow quirks in /var/lib/lxd snap-confine had wide permissions to /var/lib08:23
mvozyga: aha, that makes sense08:24
* mvo scratches head08:24
mborzeckiright, so /var/lib/jenkins would fit in there nicely08:24
mvoyeah, now it all makes sense08:24
* zyga goes to make coffee08:24
zygasorry, stayed up late last night08:25
mvoI still feel very uneasy about this08:25
* mvo scratches head harder08:25
pedronismvo: it's a bit unclear we can fix it easily for 2.38 tough, I wouldn't count on it08:25
mvopedronis: yeah, I'm fine with that, I am not looking for a general fix08:26
mvopedronis: just wondering if we can do anything about this particular case without things being horrible08:26
zygawe could restore the permission, write a a few tests, add  test-var user with home in /var/lib/test, run some selection of tests that run as an user there08:26
pedronismvo: well, if we put back the open rule is a general fix but it means living with it forever08:26
pedronisdo we want that08:26
pedronissounds a jdstrand discussion08:26
zygapedronis: I agree08:26
zygathe bad aspect of $HOME is that it can in theory point anywhere08:27
zygaI think supporting /var/lib/jenkins explicitly is sane08:27
zygabut /var/lib/snapd is not :)08:27
mvopedronis: yeah, that is the question I want to discuss. its fine if we say "no" it just want to make sure we explored options08:27
zygaso there's that balance08:27
mvozyga: indeed08:27
* mvo scratches head more 08:27
zygasorry for beinig late, I hope the explanation makes some sense08:28
mvozyga: yeah, the key was the apparmor /var/lib quirks thing, that was the missing piece for me08:28
morphiszyga: so what is the workaround you mentioned for this?08:30
zygamorphis: let me pull up the forum post08:30
zygamorphis: add one line to the proper config fle08:30
zygafile08:30
mborzeckizyga: i've edited apparmor tunables locall, but creating /var/lib/jenkins/snap/hello-world/27 fails, isn't /var/lib/ ro in the mount ns?08:31
zygaahhh08:32
zygainterestng08:32
zygainteresting08:32
zygaso08:32
zygathis is deeper than thata08:32
* zyga needs to wake up first08:32
mvomorphis: thanks for the pastebin above, what does "snap list --all core" say?08:33
mborzeckizyga: yeah, /var/lib is still from the core snap, we mount over /var/lib/snapd and quirks did a bind mount over /var/lib from what i can see08:34
mvooh, interessting08:34
zygathe quirks code added /var/lib/lxd08:34
zygabut at the same time made /var/lib writable08:34
morphismvo: https://pastebin.canonical.com/p/6b2J4rMFdD/08:35
mborzeckizyga: could we have snapd set up the snap mount profile accordingly when we find well-known home dirs in /var/lib?08:36
mvoChipaca: nevermind, I pushed the (trivial) update08:36
zygayes but it would not work for /var/lbi08:37
mvomorphis: thank you08:37
zygathe quirks code was special08:37
zygait knew how to move /var/lib/snapd aside08:37
zygaand move it back08:37
zygait also ran in a context where that is possible08:37
zygaregular mount namespace updates cannot do that08:37
zygafirst of all, they have no logic for evading "shadowing" using mount --move08:38
zygaand second of all, they have no scratch space outside of the filesystem08:38
zygathe old quirk code ran before we did the pivot08:38
zygaI have two quick ideas:08:38
zyga1) explicit support for jenkins08:39
zygaadd /var/lib/jenkinks to the core snaap08:39
zygamake appropriate changes to snapd / snap-confine to match08:39
zyga2) add home rewriting08:39
zygafor home outside of /home we synthesize a home directory and bind mount the original location to /var/lib/snapd/homes/$LOGNAME08:40
zygathe 2nd idea seems better08:40
zygait would mean we can essentially have any home directory on the outside08:40
mborzeckizyga: another thing, the case reported by morphis was for classic snaps, so we don't need to do anything about mount there (yet)08:40
zygamborzecki: apparently snap-confine still insisted on making a directory for the classic snap08:41
mborzeckizyga: yeah, very much so08:41
* zyga drinks coffee 08:41
morphiszyga, mborzecki, mvo: if there is nothing else I can do right now, I will revert back to the old core snap to get our CI back working08:44
mborzeckiChipaca: do you want to take a look at the changes in #6333, some patches were pushed since you approved it08:50
mupPR #6333: daemon: introduce /v2/connections snapd API endpoint <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/6333>08:50
pstolowskimborzecki: hey, would you take a look at another hotplug PR? https://github.com/snapcore/snapd/pull/610608:52
mupPR #6106: overlord/ifacestate: handler for hotplug-update-slot tasks <Hotplug πŸ”Œ> <Created by stolowski> <https://github.com/snapcore/snapd/pull/6106>08:52
mborzeckipstolowski: sure08:53
pstolowskity08:53
mvozyga: hm, how hard would home rewriting be?08:54
Chipacamborzecki: will do08:55
Chipacamvo: thanks08:55
pedronismborzecki: does 6016 need a master merge ?08:55
mborzeckiChipaca: thanks08:55
zygamvo: snap-confine would bind mount home from wherver it was to a new location such as /var/lib/snapd/homes08:55
mborzeckipedronis: heh, yes, pushed it to some other prs but not that one08:55
zygamvo: snapd would cooperate, telling snap-confine the home for each username08:55
zygamvo: there are some complications there though08:56
mvozyga: that sounds not too complicated08:56
mvozyga: oh?08:56
zygafor instance, it cannot be done by snap-update-ns08:56
zygaso snap-confine would need to do it08:56
zygaso it would have to have the permission to do it08:56
zygathis is complicated because again, it is open ended08:57
zygabut we could begin with a simple constraint08:57
zyga$HOME is either /home/* or /var/lib/jenkins08:57
zygathat would solve it for "now"08:57
jameshzyga: it looks like it is sc_nonfatal_mkpath needing read access to all parent directories of the home dir as it does its mkdirat/openat chain08:57
zygaindeed08:57
zygamvo: in the end the $HOME variable (alongside things that use it, like $SNAP_USER_DATA) would use the rewritten location08:58
zygamvo: for lesses impact we could only do this if $HOME is not somewhere in /home/08:58
mvozyga: the later sounds more compelling08:58
jameshif there was a version that assumed the home directory existed as a starting point, the AppArmor @{HOME} tweakable would be enough08:58
pedronisit's just me, or the forum is flaky today08:59
zygajamesh: here the problem is that home for jenkins is not representable in the mount namespace at all08:59
jameshzyga: once that's solved, presumably it's still going to hit the denial for opening /var though09:01
zygajamesh: at that time we would make a fixed change to the apparamor profile to allow writes to /var/lib/snapd/homes09:01
Chipacamborzecki: what was the conclusion about  --disconnected?09:04
mborzeckiChipaca: i don't think there was any09:05
Chipacapedronis: yo09:05
pedronisChipaca: yes09:05
Chipacapedronis: snap connections --disconnected?09:05
pedronisyes?09:06
Chipacapedronis: me and one other person thought it might be a good idea, wdyt?09:06
pedronisChipaca: used where?09:06
pedroniswith a snap, without a snap?09:06
pedronisanyway I cannot reach the forum today, it gives me network errors half the time09:07
Chipacapedronis: seems to work here09:07
popeyfine here too. take your foot off the cable09:07
mborzeckipedronis: https://paste.ubuntu.com/p/f3HGxwDcwk/ the forum message, i have it working with and without a snap09:08
pedronismborzecki: the original suggestion was to show everything if a snap is given09:08
pedronisChipaca: I'm not super happy with the need to of headers or footers to explain what has been left out09:09
mborzeckipedronis: ok, so you'd opt for the original suggestion, show both conencted & disconnected when a snap is given, show only connected when no snap is given?09:10
pedronisyes09:10
pedroniswe still have all for the 2nd case, no?09:10
pedronisor is that yet something else09:10
mborzeckipedronis: you mean --all?09:11
pedronisyes09:11
mborzeckipedronis: i'm assuming it's in (seems uncontroversial anyway)09:11
mupPR snapd#6333 closed: daemon: introduce /v2/connections snapd API endpoint <Created by bboozzoo> <Merged by bboozzoo> <https://github.com/snapcore/snapd/pull/6333>09:14
zygamvo: one more observation, while morphis may revert now, once 2.37.1 is out, he will be back in hot water09:18
pedroniszyga: yes, reverting doesn't solve anything long term for him09:20
pedronismborzecki: the next bit is 6387? does it need a merge and tweaks ?09:21
mborzeckipedronis: yup, pushing it now09:22
mborzeckispread tests should be green now09:22
Chipacazyga: can i have a second review of 6443? it's green an' all09:23
zygaChipaca: certainly sir, looking09:24
ChipacaSon_Goku: ping09:24
zygaChipaca: ah, user ids are tricky09:24
zygaChipaca: thank you for the patch!09:24
Chipacaikr09:24
morphiszyga: is there already a date for 2.37.1?09:25
mvo6443 needs a second review09:25
Chipacamvo: zyga is on it09:25
mvota09:25
zygamorphis: there are some interface patches from jamie lined up09:25
morphiszyga: and btw. I didn't picked /var/lib/jenkins as HOME for jenkins, it does that by default09:25
Chipacamvo: merged09:26
zygamorphis: right, I know09:26
mupPR snapd#6443 closed: daemon, polkit: pid_t is signed <Simple πŸ˜ƒ> <Created by chipaca> <Merged by chipaca> <https://github.com/snapcore/snapd/pull/6443>09:27
zygamvo: https://github.com/snapcore/snapd/pull/6442#pullrequestreview-19744915709:28
mupPR #6442:  tests: workaround missing go dependencies in debian-9 <Created by mvo5> <https://github.com/snapcore/snapd/pull/6442>09:28
zygamvo: let's land it :)09:28
pedroniscan somebody merge master into 6440 ?09:30
mvozyga: will land in a wee bit09:30
zygammm09:30
mvozyga: debina-9 is also merged now09:32
mupPR snapd#6442 closed:  tests: workaround missing go dependencies in debian-9 <Created by mvo5> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/6442>09:32
mvohaving 6413 would be good, but this needs a second review09:32
mvobut I guess its fine, we can use salsa09:33
pedronismvo: zyga: see #webops internally09:33
mvozyga: looks like more people are affected, can we revert the quirks code?09:34
zygaI see no other way09:36
mvozyga: iirc that was 612309:36
zygabut please let me spend a moment09:36
zygaI will write a quick test09:36
zygaperhaps we don't need all of quirks09:36
zygaI wonder why nobody tested candidate :/09:36
zygamorphis: did you file a bug for this?09:36
mvozyga: you write a test and I prepare the revert09:36
zygamvo: no wait09:36
zygamvo: I don't think we want the full blown revert09:37
zygamvo: it's more complex because of other changes there09:37
zygamvo: please give me two hours09:37
morphiszyga: no, just a forum topic09:37
zygamorphis: can you file a quick one, just so that we have a bug number09:37
mvomorphis: that should be fine09:37
zygamvo: or rather, give me 15 minutes for quick assesment09:37
mvomorphis, zyga I can write it if we need it09:38
mvozyga: ok09:38
mupPR snapd#6437 closed: snap/channel: improve channel parsing <Simple πŸ˜ƒ> <Created by bboozzoo> <Merged by bboozzoo> <https://github.com/snapcore/snapd/pull/6437>09:38
mvozyga: I think its fine to revert and least risky but if you justneed 15min thats fine :)09:38
zygamvo: revert won't apply cleanly anymore09:38
zygathat's what I mean by more work09:38
mvozyga: aha, ok09:38
mvozyga: conflicts are trivial09:39
mupPR snapd#6444 opened: Revert "cmd/snap-confine,snap-update-ns: discard quirks" <β›” Blocked> <Created by mvo5> <https://github.com/snapcore/snapd/pull/6444>09:41
mvozyga: ocd or something but I let you investigate and we can talk in a wee bit09:41
zygak09:41
zygathanks09:42
zygawe can look at tests09:42
mvozyga: yeah, given the urgency I want this as a plan B, feel free to poke and look for better solutions09:43
zygak09:43
zygamake sense09:43
mvozyga:  having a proper regression test would be good too09:44
mupPR snapd#6445 opened: [RFC] snap-confine: revert "cmd/snap-confine,snap-update-ns: discard quirks" <Created by mvo5> <https://github.com/snapcore/snapd/pull/6445>09:47
kissielmvo: hey! I finally managed to reproduce that crash; working on a fix09:56
zygamvo: so10:00
zygahttps://www.irccloud.com/pastebin/tx6qPpbI/10:00
zygamvo: this coupled with mkdir on /var/lib/jenkins in core / core18 fixes the issue without bringing back quirks10:00
zygamvo: can we have a call about this?10:01
pedroniszyga: a call about what?10:02
zygaabout the approach to take10:02
zygaI would really prefer not to bring back all of quirks10:02
pedroniszyga: a mkdir in core / core18 ?  you mean we need to add that dir to the snaps?10:04
zygayes10:04
pedronismmh10:04
mvokissiel: no worries, is it something on our side?10:04
kissielmvo: leaning towards that, yes10:04
mvokissiel: do you have more details? if it is something on our side we would like to fix it :)10:05
kissielmvo: damn, sorry, misunderstood, more on our side :)10:05
kissieli mean cert's10:05
mvokissiel: haha, no worries10:05
kissielso stay tuned10:05
mvokissiel: thank you10:05
mvozyga, pedronis the small size of this is compelling - the fact that we need to add the dir not so much :/10:07
zygamvo: adding the directory is cheap, adding that code restores cost for each snap startup10:07
mvozyga: yeah, I can see that10:08
mvozyga, pedronis we could add the dir until we have better !/home support?10:09
pedroniswhat is that dir visible to?10:09
zygawe need to roll out new core anyway, this would mean the change is smaller10:09
zygapedronis: in 2.36 quirks made the full real host /var/lib visible10:09
zygapedronis: in 2.37 only the /var/lib from base snap is visible10:09
zygapedronis: apparmor prevents access as usual though this is fixed by local configuration of HOMEDIRS10:10
pedroniszyga: do we do something special about extrausers?10:11
zygano10:11
mborzeckizyga: imo HOMEDIRS is not enough, we open each intermediate path and need r there10:11
zygathis is only affecting classic10:11
zygaand the patch I pasted only configures this for classic10:11
zygamborzecki: I know, that was not what I meant10:11
pedroniszyga: we have a couple of interfaces that gives access to var/lib stuff, are you saying they are broken in 2.37 now?10:12
mborzeckiah ok10:12
zygamborzecki: look at my patch above10:12
pedronisthey owuld have worked in 2.36 if all var/lib was mounted10:12
zygapedronis: no10:12
zygapedronis: which interfaces are those?10:12
ackkhi, is using snap install --dangerous ./mysnap.snap --name mysnap_2 the right way to do a parallel install from a local snap?10:12
popeyI didn't know you could parallel install local snaps10:12
pedroniszyga: account-control, classic-support, network-control10:13
mborzeckiackk: yes10:13
zygapedronis: what I'm describing so far only affects core systems10:13
zygaer10:13
mborzeckipopey: you can10:13
zygaclassic systems10:13
popeynice10:13
zygaon core systems there are other things in /var/lib10:13
pedroniszyga: they all give access to bits of var/lib10:13
pedronisare they broken now? or not?10:13
pedronisI imagine they needs the bits from host10:13
ackkmborzecki, but if you're installing directly from the store you should just use mysnap_2 right?10:13
pedronisare they using mount support properly?10:13
mborzeckiackk: yes10:14
zygapedronis: looking at master10:14
zygapedronis: excluding /var/lib/snapd/*10:14
pedronisyes10:14
zygapedronis: and excluding /var/lib/extrausers10:14
pedronisbecause?10:15
zygaI see the following10:15
pedronisanyway, I get this:  https://pastebin.ubuntu.com/p/fY9gcjw2bJ/10:15
zyga(because those have bind mounts)10:15
zygahttps://www.irccloud.com/pastebin/lH6YnuB2/10:15
zygaI would have to check each one to see if they are for core or classic, hold on10:16
mborzeckiackk: that's because the snap file has metadata that states the snap name is 'mysnap' so you need to pass the name you want separately, for the store install we know everything just having mysnap_210:16
zygapedronis: alsa is affected10:16
pedroniszyga: see10:16
pedronismvo: so we have a bit of a bigger problem10:16
zygaI think there's more though10:17
zygathe quirks code only ran if you had /var/lib/lxd AFAIR10:17
zygaso no lxd, no quirks10:17
zygalet me double check10:17
zygapedronis: we could bring the code for each of those (alsa, dhcp) to the appropriate interface10:17
zygaif they really affect classic10:17
Son_GokuChipaca: pong10:17
pedronisyes, just saying that 2.37 might be broken more than just related to jenkins10:18
zygapedronis: quirk code ran unconditionally on core (but not core18) and only on classic systems10:18
ChipacaSon_Goku: ok to use snappy in that context10:19
Son_Gokucool10:19
Son_GokuI'm going to change it then10:19
pedroniszyga: still, some snaps might be broken now10:19
pedronisapparently10:19
mvopedronis, zyga if thats the case the quirks revert seems to be the best option, yes?10:20
zygamvo: I disagree, I think bringing back quirks is the wrong move10:20
pedronismvo: would not say best, it's the quickest10:20
zygalooking at the list we need /var/lib/alsa/ for alsa, /var/lib/usbutils for hardware-observe, /var/lib/systemd/catalog/database for  log-observe and /var/lib/dhcp/ for network-control10:21
zygaapparently none of those are tested10:22
pedronisof course10:22
zygaI'd like to remind us that quirks were done in response to a bug in a similar situation (release broke lxd)10:22
pedroniswe don't have complete tests for all permissions for any interface afaik10:22
zygawe didn't anticipate it would open more things than it did10:22
zygabringing that back would not only fix those, but allow us to make the same mistake, silently, again10:22
pedroniszyga: I understand, but breaking things is not good10:23
zygapedronis: I agree on that10:23
pedroniszyga: how long would it take to do the correct fix for all relevant things?10:23
pedronisthat's a bit the question10:23
zygait's just planning what to do to fix the issue10:23
zygaadding each of those to the approrpiate interface is easy, just one line in each of the interfaces mount profiles10:23
pedronisin away that don't risk perturbing something else10:23
pedroniszyga: do we need to add them to core* as well?10:24
pedronisno, because this are normal mounts?10:24
pedronisI mean they would go through the full mount mechanism?10:24
zygapedronis: alsa and usbutils, yes, dhcp and systemd, no10:25
pedronisanyway we would need tests for all of them10:25
pedronisgiven we are at this conjuncture10:25
zygatests for functionality would be complex but a test that a snap can see host's files is easy to add (we have some of those)10:26
zyga(see or write to, as appropriate)10:26
zygathe code in snap-update-ns that can poke writable holes has one property10:26
zygait works great on top of read-only tree10:26
zygait should not be used on top of /var/lib where some things are writable10:27
zygaIMO it's safer to just make the directories required by those interfaces explicitly10:27
zygait is safer because the writable-mimic system takes a snapshot of the directory10:27
zygathis way we avoid that entirely10:28
zygain addition, quirks are not represented10:28
zygain the mount profiles10:28
zygathey don't participate in the diff calculation10:28
zygamainly in fact because of lack of ability to represent the operations performed (move of /var/lib/snapd)10:29
zygaso10:29
zygawhat shall we do?10:29
zygaI worry if 2.37 broke any core devices10:30
zygawith network-manager10:30
zygabut we got no reports of this during testing cycle10:30
pedroniszyga: have a HO10:32
mvo+1 for HO10:33
zygaI'm there10:33
zygahold on :)10:34
zygaactually, we're not in that much of hot water10:35
zygaquriks never brought random directories from the host, they made /var/lib writable10:35
zygaand brought /var/lib/lxd10:35
zygaso all the other interfaces accessing stuff10:35
zygathat was never there10:35
zygaso that's much easier to reason about :)10:35
Chipacajamesh: you're not around by chance are you?10:55
xnoxso my lxd is back to bad10:59
xnoxyesterday "apt install --reinstall snapd" fixed things, but i guess I simply got rolled back to older snapd.10:59
xnox/ core snap.10:59
xnoxtoday i have this:10:59
xnoxhttps://paste.ubuntu.com/p/hwBMf2Rwwp/10:59
mvozyga: I did a codesearch for adduser /var/lib - there are a bunch of things that also add a system user there - so if any of those is using (classic) snaps we are in trouble, right? the puppet user is one that might affect us11:01
zygamvo: interesting11:02
zygamvo: if it's a small list we can handle them the same way11:02
zygamvo: if it's not a small ist11:02
mvozyga: there are tons more but I'm not sure how relevant they are11:02
zygaright :/11:02
mvozyga: I mean, mariadb, spamd, sendmail, rabbitmq11:02
zygaI would say we should fix jenkins and perhaps some high-profile ones only11:02
pedronismvo: zyga: so my forum troubles seems related to the vpn, it works if I'm out of the vpn, doesn't if I'm on the vpn. didn't change vpn config recently tough11:02
mvobacula11:02
zygamvo: it is unlikely rabbit would need snap apps11:03
mvopacemaker etc11:03
zygamvo: the key question is: is this user going to run snap apps11:03
mvozyga: yeah, thats what I mean, I don't know if any of these are relevant11:03
mvozyga: but potentially its quite a few11:03
mvotomcat11:03
zygammm11:03
mvonagios11:04
mvoicinga11:04
mvosbuild :P11:04
sergiusensondra: for the time being you might have luck with setting the version to 811:04
ondrasergiusens I'm building for core16, so that would do for me for now11:05
zygamvo: https://github.com/snapcore/snapd/pull/644611:06
zygamvo: I'll work on a regression test now11:07
mupPR #6446: cmd/snap-confine: add special case for Jenkins <Created by zyga> <https://github.com/snapcore/snapd/pull/6446>11:07
mupPR snapd#6446 opened: cmd/snap-confine: add special case for Jenkins <Created by zyga> <https://github.com/snapcore/snapd/pull/6446>11:07
sergiusenszyga: you say"it is not a supported feature", do you have a compiled list of what ARE supported features?11:09
zygasergiusens: yes, only /home/* is supported officially11:09
zygaanything else is not11:10
sergiusensI asked if you have a compiled list11:10
zygasergiusens: the list is: /home/*11:10
sergiusenswhat are the limitations of classic confinement?11:10
sergiusenswhere is this documented?11:10
zygaI don't understand the question sorry,11:10
zygalimitations of classic confinement?11:10
zygasergiusens: classic confinment is subject to the same limitations that snapd has for users as for non-classic snaps11:11
zygaI don't believe we have a page listing limitations in snapd11:12
zygaperhaps we should have one11:12
sergiusenszyga: when you say something is supported or not, it would be ideal to know what is and what isn't without needing to be on IRC at the right time11:13
zygaI don't disagree11:13
zygait's just hard to have a comprehensive list that is correct11:13
zygawe learn the hard way about some of those11:13
zygahttps://forum.snapcraft.io/t/limitations-in-snapd/971811:14
zygait's a wiki, please feel free to expand this11:15
zygadegville: https://forum.snapcraft.io/t/limitations-in-snapd/9718 FYI11:16
degvillethanks zyga!11:17
zygaI'm sure it is not a complete list11:17
zygamvo: how does this look like?11:21
zygahttps://www.irccloud.com/pastebin/wSR2jWvJ/11:21
zygajust a quick smoke test11:21
zygaI've hand-tested this on my patched system (I have not tried the real apt install yet)11:21
mvozyga: looks good11:21
zygacool, I'll propose this separately11:21
mvozyga: we have a test-snapd-sh11:22
zygaoh, indeed11:22
zygasorry, just local testing memory :)11:22
mvozyga: that you can probably use, use "install_local" for it11:22
mvozyga: no worries11:22
zygawill do11:22
mupPR core#100 opened: hooks: add /var/lib/jenkins for compat <Created by mvo5> <https://github.com/snapcore/core/pull/100>11:23
zygaI mistyped "jenkins" as "jenkinks" way too many times today11:25
mupPR core18#115 opened: hooks: add /var/lib/jenkins for compat <Created by mvo5> <https://github.com/snapcore/core18/pull/115>11:26
mupPR snapd#6447 opened: polkit: cast pid to uint32 to keep polkit happy for now <Created by chipaca> <https://github.com/snapcore/snapd/pull/6447>11:27
mvozyga: one more complication - core18 will need a stable release (which we have not scheduled) by foundations for the jenkins fix to work11:32
zygamvo: pushed a test11:34
zygamvo: no :)11:34
zygamvo: core 18 never had quirks11:35
mupPR snapd#6440 closed: cmd/snap: fix typo in cmd_wait.go <Simple πŸ˜ƒ> <Created by sparkiegeek> <Merged by stolowski> <https://github.com/snapcore/snapd/pull/6440>11:35
zygamvo: one less thing to worry about :)11:35
zygawe can just make core18 work on separate timeline (not a regression!)11:35
sparkiegeekyay11:35
zygamvo: right?11:35
mvozyga: aha, I like that11:38
zygamvo: I took your suggestion11:38
zygawe could add more users this way11:38
mvozyga: so we can remove the core18 PR?11:38
zygaand especially once we can drop the magic patch11:38
zygaI would keep it11:38
zygabut not release on this schedule11:39
zygaright?11:39
mvozyga: its YAGNI to me but I don't care enough to argue hard11:39
zygait means people can use core18 based snaps11:39
zygawhere before they could not11:39
mvozyga: aha, nice11:39
mvozyga: ok, sorry, I misunderstood, I will update the core18 description11:39
zygait's not YAGNI in the sense that we can get this bug back as soon as one of the snaps migrate to core18 for whatever reason11:39
zyga(layouts carrot)11:39
pstolowskimborzecki: can you take another look at https://github.com/snapcore/snapd/pull/6394? i think Sergio addressed your comment and we could land it11:40
mupPR #6394: tests: iterate getting journal logs to support delay on boards on daemon-notify test <Created by sergiocazzolato> <https://github.com/snapcore/snapd/pull/6394>11:40
mvozyga: no, sorry, core18#115 is fine and no YAGNI. I thought we were talking about my suggestion in the task.yaml in the jenkins PR11:40
mupPR core18#115: hooks: add /var/lib/jenkins for compat <Created by mvo5> <https://github.com/snapcore/core18/pull/115>11:40
zygaah, I see11:40
zyganb, your suggestion was good too :)11:40
pstolowskimborzecki: great, thanks!11:41
mvozyga: I updated the core18 description - good to know that we can push that at a different pace11:41
zygayes, one less craze today11:41
mvosil2100: could you please have a look at https://github.com/snapcore/core/pull/10011:42
mupPR snapd#6394 closed: tests: iterate getting journal logs to support delay on boards on daemon-notify test <Created by sergiocazzolato> <Merged by bboozzoo> <https://github.com/snapcore/snapd/pull/6394>11:42
mupPR core#100: hooks: add /var/lib/jenkins for compat <Created by mvo5> <https://github.com/snapcore/core/pull/100>11:42
sil2100mvo: sure o/11:47
sil2100mvo: ok, both approved, sadly I don't have write access to the core repo11:51
sil2100As I guess that's still under the snappy team, right?11:51
mborzeckizyga: E: Package 'jenkins' has no installation candidate ?11:52
sil2100(we have core18 and core16, right?)11:52
mupPR core18#115 closed: hooks: add /var/lib/jenkins for compat <Created by mvo5> <Merged by sil2100> <https://github.com/snapcore/core18/pull/115>11:52
zygamborzecki: drat :)11:54
mborzeckizyga: tried it on 18.04, so maybe it actually works on 16.0411:54
zygahttps://packages.ubuntu.com/search?keywords=jenkins&searchon=names&suite=cosmic&section=all11:54
zygawhere's wally?11:55
mupPR snapd#6448 opened: snapcraft.yaml: fix XBuildDeb PATH for go-1.10 <Created by mvo5> <https://github.com/snapcore/snapd/pull/6448>11:55
sparkiegeekhttp://pkg.jenkins-ci.org/debian/11:55
mupPR core#100 closed: hooks: add /var/lib/jenkins for compat <Created by mvo5> <Merged by mvo5> <https://github.com/snapcore/core/pull/100>11:55
zygasparkiegeek: is that *the* way to install jenkins?11:56
zygaI mean, is that what we do internally?11:56
zygamvo: now to trigger core build11:58
mvozyga: yeah, its running12:03
zygamvo: can you please look at https://github.com/snapcore/snapd/pull/6446 again12:03
mupPR #6446: cmd/snap-confine: add special case for Jenkins <⚠ Critical> <Created by zyga> <https://github.com/snapcore/snapd/pull/6446>12:03
zygasorry, the jenkins package is not in the archive :/12:03
zygamborzecki: https://github.com/snapcore/snapd/pull/6441#pullrequestreview-19751839712:09
mupPR #6441: overlord/snapstate: validate instance names early <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/6441>12:09
mborzeckizyga: i suppose it's ok to add the external repo given that tis is the only source12:09
zygayeah12:09
sparkiegeekzyga: hmm, can't speak for every team, but that's what some teams use, yes12:17
zygasparkiegeek: thank you, that just makes our tests more relevant12:17
zygaI can now take a break and have breakfast, I guess12:19
mvozyga: sounds like an excellent plan12:20
mvozyga: thank you12:20
* ogra is surprised people dont seem to use a jenkins snap 12:21
ogra(there is one maintained by snapcrafters ... even seems reasonably up to date)12:22
pedronismborzecki: 6016 can land now, right?12:22
mborzeckipedronis: yup, let me merge it12:23
mupPR snapd#6016 closed: snap/naming: move various name validation helpers to separate package <Created by bboozzoo> <Merged by bboozzoo> <https://github.com/snapcore/snapd/pull/6016>12:23
popeyogra: it's not classic, so it's a bit inert, I have requested classic for it12:32
zygare12:32
ograpopey, +112:32
popeyIs there some way to query the store to find out which snaps require core18?12:36
zygahttps://github.com/snapcore/snapd/pull/6413 needs a 2nd review12:38
mupPR #6413: packaging: import debian salsa packaging work, add sbuild test and use in spead <Created by mvo5> <https://github.com/snapcore/snapd/pull/6413>12:38
zygapopey: not that I know of12:38
popeyOk, I'll ask store people :)12:38
zygahttps://github.com/snapcore/snapd/pull/6426 needs a 2nd review12:43
mupPR #6426: cmd/snap-confine: refactor and cleanup of seccomp loading <Created by zyga> <https://github.com/snapcore/snapd/pull/6426>12:43
zygamvo: do we need 2.37 PRs for 2.37.1 material or do you plan to do a master-based release?12:47
mupPR snapd#6447 closed: polkit: cast pid to uint32 to keep polkit happy for now <Created by chipaca> <Merged by chipaca> <https://github.com/snapcore/snapd/pull/6447>12:49
mborzeckimvo: the spread test in #6252 needs tweaking, because we're actually using snapFromSender() now, it's looking wehther the calling pid is part of snap. cgroup12:57
mupPR #6252: userd: handle help urls which requires prepending XDG_DATA_DIRS <Created by kenvandine> <https://github.com/snapcore/snapd/pull/6252>12:57
Chipacapedronis: did you see my note on the #6280 ?12:58
mupPR #6280: cmd/snap: make 'snap warnings' output yamlish <Created by chipaca> <https://github.com/snapcore/snapd/pull/6280>12:58
zygamvo: FIY https://tracker.debian.org/pkg/snapd - 2.37 has now migrated to testing12:59
mborzeckioff to pick up the kids13:03
diddledanpopey https://www.irccloud.com/pastebin/O8qqJ1D3/13:07
pedronisChipaca: mmh, so the output there is yaml parsable but is also localized?13:08
pedronisstrange combination13:08
Chipacapedronis: … yeah i guess it is13:08
Chipacait doesn't have to be, i was just rotating the original list13:08
* diddledan pokenprod the pope! popey...13:08
pedronisChipaca: do we do that anywhere else?13:09
diddledanhas he gone?13:09
pedronisI mean that = this combo13:09
Chipacapedronis: info is the only other yaml-ish, and that's not i18n'ed13:09
diddledanI think that's a flawed query actually. it only returns 2000 results13:12
pedronisChipaca: bit of a mess13:12
pedronisChipaca: seems we need --localized  and not just --unicode13:14
Chipaca?13:14
Chipacalocalisation already has a standard way of turning it off across the board13:14
pedronisChipaca: it makes sense to localize it, but not if it goes to a tty and program wants to parse it13:14
pedronisnot-tty13:14
Chipacazyga: question about 6446 (which might already have been discussed here but i missed it)13:16
Chipacazyga: why not add /var/lib/jenkins to homes?13:16
zygahomes?13:16
zygato HOMEDIRS?13:16
ChipacaHOMEDRIS13:17
Chipacayes13:17
Chipacaor no?13:17
Chipaca/etc/apparmor.d/tunables/home:@{HOME}=@{HOMEDIRS}/*/ /root/13:17
Chipacaor HOMEDIRS13:18
Chipacaeither, probably13:18
zygaI don't know if we can do that from our package sanely13:18
ChipacaI dunno enough to know :-)13:18
zygaI think this is a question to jdstrand13:18
Chipacazyga: yes we can13:18
Chipacazyga: look at /etc/apparmor.d/tunables/home.d/13:18
zygayes but that has more implications (beyond snpd)13:19
zygasnapd13:19
zygaI think we could but I didn't think about doing this13:19
Chipacazyga: if we did it, would it work?13:19
zygait would still require the remaining patches13:19
zygabut I don't see why not13:19
Chipacaright, I'm not liking the duplication we're adding for this13:20
Chipacawhereas if it's adding it to homes or homedirs, it's less duplication imho13:20
Chipacaif it worked, and if jdstrand is ok with it13:20
zygawhere would you add that?13:21
zygain /etc/apparmor.d/13:21
=== ricab is now known as ricab|lunch
zygaadding files to /etc/ is problematic13:21
Chipacazyga: why?13:22
zygait cannot be easily changed13:22
ChipacaAIUI it'd be in /etc/apparmor.d/tunables/home.d/13:22
zygawe cannot handle the reexec case then13:22
zygait becomes a conffile that lives beyond the lifetime of the package13:22
zygaall smell in my opinion13:22
zygawe have bugs that keep us holding onto specific names in /etc because of apt bugs13:23
pedronisalso why would we do this13:23
pedronisand not jenkins13:23
zygayeah13:23
zygagood point13:23
zygajenkins is free to do this (not that they are aware it is useful)13:23
pedronisChipaca: seems the most simple thing would be not to localize those strings in 6280, not great tough13:25
mvozyga: I will cherry pick all the easy ones into 2.3713:43
mvozyga: only if there are conflicts I won't13:43
mvozyga: slightly sad that 6446 is not finished (spread)13:43
mvozyga: jenkins postinst fails in the spread test13:45
mvozyga: ERROR: no java executeable found or something13:46
pedronisheh13:47
jdstrandzyga and Chipaca: I just commented on something similar in https://github.com/snapcore/snapd/pull/644613:48
mupPR #6446: cmd/snap-confine: add special case for Jenkins <⚠ Critical> <Created by zyga> <https://github.com/snapcore/snapd/pull/6446>13:48
jdstrandzyga and Chipaca: the thing is, zyga is right, HOMEDIRS only makes sense when it is something that really is home directories for actual users. eg, nfs users, etc. if we added that for every snap in the manner Chipaca described, sure it would work for snap-confine, but it would also affect non-snap policy as well as snap policy that uses @{HOME}13:51
Chipacajdstrand: to be clear this was just for jenkins, which isn't a "regular" user but it isn't a snap either13:52
jdstrandzyga and Chipaca: but we have the beginnings of a similar system with /var/lib/snapd/apparmor/snap-confine13:52
mvozyga: if you don't mind I will split 6446 into the first commit and the test and push the test as a second PR, this way we can get the fix into master and 2.37 while iterating on the test. sounds sensible?13:52
jdstrandChipaca: I know. I read all backscroll and the PR13:52
Chipacajdstrand: you're a better person than I am13:52
zygaAFK13:53
jdstrandChipaca: but I wouldn't want HOMEDIRS updated on my system to allow /var/lib/jenkins since that is a surprising side affect on the other policy on my system. snap-confine should have that, not global policy13:53
jdstrandChipaca: hehe :) I'm not sure how you came to that conclusion! ;)13:54
Chipacajdstrand: by gathering too few facts and jumping to conclusions, like I always do13:54
Chipacawhich … is kinda the point13:54
jdstrandheh, I knew what you meant but was disagreeing with the conclusion :)13:55
mupPR snapd#6449 opened: cmd/snap-confine: add special case for Jenkins <Created by mvo5> <https://github.com/snapcore/snapd/pull/6449>13:56
mupPR snapd#6106 closed: overlord/ifacestate: handler for hotplug-update-slot tasks <Hotplug πŸ”Œ> <Created by stolowski> <Merged by stolowski> <https://github.com/snapcore/snapd/pull/6106>13:59
mupPR snapd#6441 closed: overlord/snapstate: validate instance names early <Created by bboozzoo> <Merged by bboozzoo> <https://github.com/snapcore/snapd/pull/6441>14:01
mupPR snapd#6445 closed: [RFC] snap-confine: revert "cmd/snap-confine,snap-update-ns: discard quirks" <β›” Blocked> <Created by mvo5> <Closed by mvo5> <https://github.com/snapcore/snapd/pull/6445>14:06
mupPR snapd#6444 closed: [RFC] snap-confine: revert "cmd/snap-confine,snap-update-ns: discard quirks" (2.37) <β›” Blocked> <Created by mvo5> <Closed by mvo5> <https://github.com/snapcore/snapd/pull/6444>14:07
zygahey jdstrand14:09
zyga(standup)14:10
zygamvo: thank you, I will fix the java thing shortly14:10
mvozyga: thank you14:10
mvozyga: and welcome back :)14:10
zygajdstrand: about home directories, I have some ideas myself, I would like to detach ideas from the current fire (unless the idea is feasible as a solution right now)14:15
zygaChipaca: unsigned is a sign of sign issue14:15
zygajdstrand: as one item I wanted to avoid depending on the environment14:16
zygajdstrand: we have too many things conveyed this way14:16
=== chrisccoulson_ is now known as chrisccoulson
diddledanpopey: https://www.irccloud.com/pastebin/fcCcNH8d/14:26
morphismvo: there seems to be another thing which "broke" with 2.37: https://bugs.launchpad.net/charm-etcd/+bug/181367814:28
mupBug #1813678: Snap install error: snap "etcd" is not compatible with --classic <field-critical> <Etcd Charm:New> <https://launchpad.net/bugs/1813678>14:28
mupPR snapd#6280 closed: cmd/snap: make 'snap warnings' output yamlish <β›” Blocked> <Created by chipaca> <Closed by chipaca> <https://github.com/snapcore/snapd/pull/6280>14:28
=== ricab|lunch is now known as ricab
diddledanpopey: if you want to replicate my test, I've put the source online at https://github.com/diddlesnaps/snap-bases (many thanks to the uappexplorer folks who I stole the majority of the api code from)14:37
morphismvo: the k8s folks are updating the charm but it actually broke existing setups, not sure if you heard about this one yet14:42
zygajdstrand: https://github.com/snapcore/snapd/pull/6446 updated with the comment you asked for14:45
mupPR #6446: cmd/snap-confine: add special case for Jenkins <⚠ Critical> <Created by zyga> <https://github.com/snapcore/snapd/pull/6446>14:45
zygamorphis, mvo: looking at etcd thing14:46
zygaah14:46
zygaI think this is another of the "feature not a bug" case :/14:46
niemeyerhttps://twitter.com/gniemeyer/status/109026031741684121714:49
niemeyerSnap thread14:49
morphiszyga: yeah, it's not critical and gets fixed from the charm but revealed that the etcd snap was still installed with --classic after it got strict confined a year ago14:50
zygammm14:50
zygayeah14:50
morphiszyga: just wanted that you guys are aware of this as I am not sure if it will cause issues elsewhere too14:50
zygathank you14:50
mborzeckiChipaca: https://github.com/snapcore/snapd/pull/6252/commits/c7d97e0cacc2b40a8d51cd46f5668ff05f403c31 do you recall if there was some trouble with cla checker at the time?14:52
mupPR #6252: userd: handle help urls which requires prepending XDG_DATA_DIRS <Created by kenvandine> <https://github.com/snapcore/snapd/pull/6252>14:52
Chipacamborzecki: what do you mean?14:54
Chipacamborzecki: you trying to remember why that's set there?14:54
mborzeckiChipaca: yeah14:54
Chipacamborzecki: yeah i expect it broke at some point14:55
Chipacait needs the whole history to work properly14:55
Chipacawas this PR's  kenvandine's?14:55
mborzeckiChipaca: yes14:55
Chipaca's?14:55
Chipacayeah14:55
Chipacahe'd signed it with a weird account, that just happened to be in the tree already14:55
Chipacayou can see it in the output, probably14:56
Chipacayeah14:56
mborzeckiChipaca: briefly thought about reverting it, zyga asked for it, but if the cla checker is going to stop me then i'd leave it :P14:56
Chipacaone of those is not like the other14:56
Chipacayep14:56
Chipacait _should_ work, dunno why it didn't14:57
Chipacawe can try :-)14:57
Chipacamborzecki: zyga:  https://travis-ci.org/snapcore/snapd/jobs/46190378114:58
Chipacait's because kenvandine hasn't signed the cla, wouldn't you know14:58
zygaeh14:58
zygacan we special case in the code :-) ?14:58
mborzeckihaha14:58
Chipacaand launchpad doesn't let me ask "does this account have any other emails @canonical.com"14:59
Chipacaat least AFAIK14:59
mborzeckihm, kenvandine could reset author if the 'offending' commit14:59
Chipacayes, yes he could14:59
Chipacabut having the whole history  is the right thing to do15:00
Chipacaso, eh15:00
kenvandineI'm afk until Thursday15:00
kenvandine:-)15:00
kenvandineWhat was wrong with the author line?15:00
diddledanif Ken signed the CLA and his employer is Canonical, does that mean that Canonical are assigning their copyright to Canonical? that sounds like a deep rabbit hole ;-p15:00
mborzeckikenvandine: hehe nothing about you without you :)15:00
Chipacakenvandine: TINC! HAND.15:01
kenvandineTime for airplane mode!15:01
mborzeckiChipaca: kenvandine: i'll push the changes to the spread test so that it'll be green and then i'll request changes to get it sorted out15:02
ackkhi, if you have multiple services in a snap, can you start/stop/enable/disable them individually via snapctl inside a hook?15:08
zygaackk: I think you can now15:09
ackkzyga, is it via "${SNAP_INSTANCE_NAME}.$service" ?15:09
ograjdstrand, seeing you adding all these interface docs ... i think it might be helful having a filed "causes manual review on upload" or some such, so people are aware before using an interface in their snapcraft.yaml15:09
zygaackk: I don't recall, sorry, let me check if this is documented15:10
zygahmm15:11
zygaperhaps this is not allowed15:11
zygapstolowski, mborzecki: looking at https://github.com/snapcore/snapd/pull/5777 - do you know if this got resurrected?15:11
mupPR #5777: wrappers/services.go: don't start disabled services <Created by anonymouse64> <Closed by anonymouse64> <https://github.com/snapcore/snapd/pull/5777>15:11
jdstrandzyga: well, that's why I said for the future. however, I think it is useful to have a vague understanding of the future so we don't do something now that would conflict with it15:12
jdstrandzyga: but we've done that15:12
zygajdstrand: I have some ideas if you'd like to know15:12
zygaI can share those quickly15:12
mborzeckizyga: 5777 went in as #597915:13
mupPR #5979: install: don't start disabled services <Squash-merge> <Created by anonymouse64> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/5979>15:13
zygamborzecki: thank you, super15:13
jdstrandogra: as for updating the interfaces with needs manual connection, that is more of a degville thing. I'm just following established prcedure. it might be nice though15:14
jdstrandzyga: maybe for another time? we should chat about it though15:14
ograjdstrand, well, you already have "Auto-Connect: true/false" ... the above was more about ... perhaps i shouldnt bother, since using this interface will get me into manual review anyway ...15:15
ograi.e. more about the store than about the later installation of the snap15:15
degvilleogra / jdstrand: I can add a note about triggering a manual review to the interface overview.15:16
ograthat would be a great addition i think15:16
ograsaving some support questions in the forum15:16
degvillecool, I'll do that now.15:17
mborzeckiackk: yes snapctl <start|stop|restart> $SNAP_INSTANCE_NAME.$service15:17
ackkmborzecki, I see. kinda related, we currently run "snapctl start --enable $SNAP_INSTANCE_NAME" + "snapctl restart --reload $SNAP_INSTANCE_NAME" in the config hook to ensure the service is enabled and restarted if already enable (after config change). is there a way to do this in a single shot? afaict that takes a long time as it restarts the service twice15:19
mborzeckiackk: no, i don't think so, you're looking for plain `systemctl enable` if i understand correctly?15:22
ackkmborzecki, no I want to enable it but if it's already enabled and running I want to restart15:22
ackk(as the config might have been changed)15:22
mborzeckiackk: ok, so systemct is-enabled ...  && systemctl restart then?15:23
ackkmborzecki, yeah something like that, but I guess you can't do it with just snapctl, right?15:23
jdstranddegville: there are only a few that trigger a manual review, and we do have text for those (cc ogra) in the actual interface page15:24
mborzeck1ackk: heh, connection problems, idk if you got my last message, imo you'd need to parse snapctl services output15:25
jdstrandeg, https://forum.snapcraft.io/t/the-block-devices-interface/9721 has "Consumers of this interface require a snap declaration for distribution via the Snap Store."15:25
ograyeah, its only 3 or 4 ... but i still think it would be helpful having that in the doc directly15:25
jdstrandbut https://forum.snapcraft.io/t/the-u2f-devices-interface/9722 does not since it is manually connected (which is expressed in the large table)15:26
ogranow thats very ... uhm ... whats a snap declaration ... means i need to read up about that first15:26
jdstrandogra: that snap declaration is a link15:26
jdstrandto https://forum.snapcraft.io/t/process-for-aliases-auto-connections-and-tracks/455/15:26
ografeels like a text adventure :)15:27
jdstrandwell, people shouldn't be using these typically ;)15:27
zygajdstrand: ack, another time is fine15:27
zygaI feel so tired today, I'll take a nap15:28
degvillejdstrand / ogra: thanks. I'll tread lightly so that no one'e eaten by a grue, but add a note to look out for these specific cases.15:28
ackkmborzeck1, ah I see yeah that might work, thanks15:42
pedronispstolowski: question in 6322, sorry I didn't ask it before15:58
pstolowskilooking15:59
rharperdoes snapd exec udevadm trigger  ? if so when?  does it ever use 'udevadm settle' ?16:02
pedronismborzecki: some comments in 638716:05
zygarharper: yes it does16:06
pedronisChipaca: #6415 needs a re-review16:12
mupPR #6415: snapstate, snap: allow update/switch requests with risk only channel to DTRT <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/6415>16:12
pstolowskipedronis: replied16:12
Chipacarharper: https://github.com/snapcore/snapd/blob/master/interfaces/udev/udev.go#L10416:14
pedronispstolowski: re-replied :)16:17
rharperChipaca: ok;  are you aware of any snaps using subsystem=block  ?16:18
Chipacarharper: how would a snap do that?16:18
Chipacamaybe it's a question for pstolowski :-)16:19
rharperI'm not sure, there is this call, https://github.com/snapcore/snapd/blob/master/interfaces/udev/udev.go#L7916:19
pstolowskipedronis: sure, will do, fair point, ty!16:19
rharperI'm not familiar enough with the code base or interface in snap to know if only certain subsystem triggers are allowed16:20
Chipacarharper: grepping, that's called with nil, []string{"input"}, []string{"input/joystick"}, and []string{"input", "tty"}16:20
Chipacarharper: at least currently16:21
Chipacarharper: why?16:21
rharperI'm looking at logs on a system where after the core snap and the livepatch snap are installed, I can see block device rules get triggered; trying to see if that's related or not16:21
Chipacazyga: ^ ?16:23
Chipacarharper: I don't see anything that says to do that with subsusytem=block16:24
Chipacarharper: but, I'm not familiar with this part of the codebase; zyga or pstolowski would know for sure16:24
rharperChipaca: ok, thanks16:26
pstolowskirharper, Chipaca: interfaces/udev/backend_test.go tells more about cases where we retrigger udev rules; test case names give context16:26
pstolowskirharper: actually, we do "trigger --subsystem-nomatch=input", per comment in the code:"// By default, trigger for all events except the input subsystem "16:30
rharperyes, was just looking at that16:30
pstolowskirharper: that would explain the block devices case?16:30
rharperyes16:30
rharperyes it does16:30
pstolowskirharper: does it cause issues?16:33
zygaI’m sorry for the lag. I’m not feeling very well. Thank you for handling this pstolowski16:34
pstolowskinp16:35
rharperpstolowski: it is, but I'm not sure exactly why;  replaying of rules is sometime resulting in missing symlinks;16:41
pstolowskiuhm.. not good16:48
zygamvo: the jenkins core is now in edge16:52
mvozyga: great16:59
mvozyga: now we just need a green pr16:59
zygait failed on github network :/17:05
zygawith a bit of luck it will go green now17:05
zygadid you merge a 2.37 backport of just the fix (sans the test?)17:05
zygaah, I see it is also pending17:06
=== pstolowski is now known as pstolowski|afk
mupPR snapd#6449 closed: cmd/snap-confine: add special case for Jenkins <Created by mvo5> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/6449>17:29
zygajdstrand: nothing for .1 but if you have a moment, I'd love an actionable review comment on https://github.com/snapcore/snapd/pull/634717:38
mupPR #6347: many: allow snap-update-ns to write user mount profile <Per-user mount ns  πŸŽ> <Created by zyga> <https://github.com/snapcore/snapd/pull/6347>17:38
zygamorphis: hey17:47
zygamorphis: did you ended up filing that bug?17:47
morphiszyga: no18:03
jdstrandzyga: it's on my list but not for today18:09
zygathanks, just checking18:09
zyganot urgent18:09
sergiusenszyga: hey, as the resident OS snapd ecosystem rep, do we have guides to make snapd work on systems where systemd is not pid 1?18:50
zygahey18:51
zygaI think we have no written document about this18:51
zygawe have the older systemd that was patched to run alongside another init system18:51
zygafrom snapd's point of view not that many things differ18:52
zygabut I don't think we have any document about this18:52
sergiusenszyga: the reason I ask is because there's an MX Linux developer wanting to enable snapd there18:53
zygaMX linux?18:53
zygado invite him over to join us here18:53
zygaI think it takes thinking and cooperation but it can definitely be done18:53
sergiusenszyga: should I tell him to just ping you?18:53
zygaplease18:53
zygathanks for raising this!18:54
zygamvo: 2.37.1 ready19:02
zygashall I dput?19:02
mvozyga: sounds good to me19:12
zygaokay19:13
zygahere goes nothing19:13
zygadone19:13
mupPR snapd#6448 closed: snapcraft.yaml: fix XBuildDeb PATH for go-1.10 <Created by mvo5> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/6448>19:47
zygaPharaoh_Atem: hey, we released 2.37.1 with an important fix for using snaps in jenkins19:55
zyga(we broke usability badly)19:55
zygaPharaoh_Atem: if you have a moment to release the .1 package it would be great19:55
mupPR snapd#6446 closed: cmd/snap-confine: add special case for Jenkins <⚠ Critical> <Created by zyga> <Merged by zyga> <https://github.com/snapcore/snapd/pull/6446>20:18
mupPR snapd#6450 opened: release: 2.37.1 <Created by mvo5> <https://github.com/snapcore/snapd/pull/6450>21:26
Pharaoh_Atemzyga: considering I haven't released 2.37 at all yet, yeah I'll look at 2.37.121:39
Pharaoh_Atemzyga: insofar as the MX Linux guy wanting to enable snapd, it should be relatively easy to repackage the deputy systemd to run on non-systemd distros21:40
mwhudsonzyga: oh hey did you update snapd on salsa?23:05
zygaI sent a PR23:05
roadmryum23:05
zygacan I push to salsa debian/snapd directly?23:06
mwhudsonzyga: ah maybe not23:06
mwhudsoni can fix that though23:06
mwhudsonzyga: ok you should have access now23:08
zygathank you, I have access now23:08
mwhudsoni merged your PR though so you can't test it by pushing that oh well23:08
zygamwhudson: that's fine, I'm sure 2.37.2 or 2.38 is soon to follow :)23:09
mwhudsonzyga: what's the status of getting the debian packaging into snapcore/snapd?23:09
zygamwhudson: it was proposed by mvo23:10
zygamwhudson: we have a card for it and will get it merged23:10
mwhudsonzyga: ok23:10
zygait includes a spread test that really uses it properly (with sbuild and dual build)23:10
zygaI will update it with 2.37.1 release tomorrow23:10
mwhudsonwill we replaced the snapd branch with something that's basically master with a single extra non-merge commit that changes the 'debian' symlink then?23:10
mwhudsoner23:11
zygayes :)23:11
mwhudsonsnapd debian branch on salsa i mean23:11
mwhudsonawesome23:11
mwhudsonzyga: huh i see prs from mvo here https://salsa.debian.org/debian/snapd/merge_requests23:11
zygayeah23:11
mwhudsonbut i guess those will get subsumed by the other work?23:11
zygaI noticed too, I'll ask him tomorrow23:11
zygaI think so as well23:12
mwhudsonsomething is a bit odd about them, maybe they are based on revisions i force-pushed over or something23:13
mwhudsonah yes they are23:13
mwhudsonhow the heck to i sign up to get an email when someone proposed a PR23:13
mwhudsonah 'watch' i guess23:14
zygayeah23:14
zygawatch23:14
mwhudsonanyway lunchtime23:23

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!