[01:15] PR snapcraft#2468 opened: [WIP] many: support for stage-snaps
[06:26] Good morning
=== doko_ is now known as doko
[08:04] hello mvo
=== pstolowski|afk is now known as pstolowski
[08:09] heyas
[08:10] hey, how are you?
[08:14] https://github.com/opencontainers/runc/commit/0a8e4117e7f715d5fbeef398405813ce8e88558b is fun
[08:18] * dot-tobias says hi
[08:24] hey zyga, i'm fine, thanks, you? wife and baby back home?
[08:24] pstolowski: yes, we are all home now :-)
[08:26] great :)
[08:27] zyga: yay, great news!
[08:27] pstolowski: and good morning to you as well
[08:27] and hello dot-tobias
[08:38] hey mvo!
[08:39] i feel like i'm ready to tackle selinux PRs today
[08:40] mvo: hi, I landed a couple things that were green etc and seemed innocent enough, hope it's ok
[08:43] pedronis: yeah, that sounds good
=== ricab is now known as ricab|bbl
[10:03] mvo: Chipaca has a couple PRs that need 2nd reviews
[10:03] yes, yes I do
[10:04] Chipaca: one has a couple nitpicks from me as well
[10:04] pedronis: yes. I will address them, but am waiting for a review
[10:04] maybe i should say as much
[10:08] PR snapd#6492 opened: snapstate: restart into the snapd snap on classic
[10:08] pedronis: good timing, just finished my current task, I have a look now
[10:09] Chipaca: 6034 and 6356?
[10:09] mvo: ye
=== ricab|bbl is now known as ricab_
[11:05] mvo: I answered a couple of nitpicks for Chipaca
[11:06] pedronis: ta
=== sgclark is now known as sgmoore
[11:46] mvo: what can we do about https://github.com/snapcore/snapd/pull/6252 it seems to have hit some weirdness where now there's a lot of conflicts ?
[11:46] PR #6252: userd: handle help urls which requires prepending XDG_DATA_DIRS
[11:47] pedronis: mbozecki was looking at the test, let me see
[11:48] pedronis: uh, I think ken has pushed something incorrect, it says 10k+ commits
[11:50] pedronis: this needs some manual surgery it seems, I can look at this after lunch
[12:20] zyga: is #1814450 something you know about?
[12:20] Bug #1814450: subsync - error: signal: segmentation fault
[12:21] Chipaca: the bug in general, no
[12:21] zyga: the 'annot use "/snap/gtk-common-themes/818/share/icons/Suru" as bind-mount source: not a directo'?
[12:21] https://gitlab.gnome.org/Community/Ubuntu/gtk-common-themes/issues/1
[12:21] * Chipaca is bad at cut-n-paste
[12:21] that's been open for a while
[12:22] I meant to ping will about it yesterday but then the return happened
[12:22] zyga: aha! i'll update the bug with this info
[12:22] PR snapd#6493 opened: userd: handle help urls which requires prepending XDG_DATA_DIRS
[12:23] abeato: ping
[12:23] wait, probably unping
[12:23] yeah, wrong person, sorry
[12:26] kenvandine: hey, can we bump https://gitlab.gnome.org/Community/Ubuntu/gtk-common-themes/issues/1 somehow?
[12:27] pstolowski: got a sec?
[12:31] Issue # closed: core18#56, core18#86, core18#89, core18#117
[12:31] PR # closed: core18#43, core18#63, core18#72, core18#90, core18#98
[12:31] Chipaca: in 15
[12:32] Issue # opened: core18#56, core18#86, core18#89, core18#117
[12:32] PR # opened: core18#43, core18#63, core18#72, core18#90, core18#98
[12:34] Chipaca, haha, nw
[12:43] * Chipaca ⇝ lunch
=== ricab_ is now known as ricab
=== ricab__ is now known as ricab|laptop
[12:51] mvo: #1814484 should be fixed, right?
[12:51] Bug #1814484: wal-e no longer works as of snapd 2.37
[12:52] popey: might #1814242 be something you can look into?
[12:52] Bug #1814242: Remmina snap package review
[12:53] thanks Chipaca will take a look
[12:53] mvo: did the latest change wrt --classic for strict land in .2?
[12:54] Chipaca: yes
[12:57] degville: when you have a bit, could you see if you have suggestions wrt #1811276 ?
[12:57] Bug #1811276: Installing an already-installed snap docs could be more helpful
[12:57] Chipaca: yep, of course.
[12:58] pedronis: #1811063 for your consideration
[12:59] Bug #1811063: "snap refresh" does not report failure to update because snap switched to classic confinement
[12:59] pedronis: also #1810982
[12:59] Bug #1810982: Preseeding Snaps Broken for Trusty
[13:00] did I share this in here yet? https://snapstats.org/
[13:00] Chipaca: isn't the first bug a matter of using warnings appropriately?
[13:00] the user marked it invalid
[13:00] pedronis: invalid in snappy, not in snapd
[13:00] pedronis: I think so, warnings would make it better
[13:01] pedronis: I'll explain on the bug
[13:01] pedronis: and assign it to me because why not
[13:01] the trusty one we are aware from other channels, nobody had time to dig into it
[13:01] so far
[13:02] pedronis: ah ok
[13:02] pedronis: maybe tweak the bug so that much is clear?
[13:02] Chipaca: hey, sorry, had to bring my daughter from school, i'm in now, what's up?
[13:03] pstolowski: I've got a question about 'snap get' vs 'snapctl get', and thought you might know
[13:03] pstolowski: 'snapctl get' always returns a document?
[13:03] pstolowski: or is it only if the thing is documentish
[13:03] ah, yes
[13:04] pstolowski: so, sorry, my actual question is: why don't we support a bare -d in snapctl get? any strong reason?
[13:06] mvo: are you ok to get https://bugs.launchpad.net/snapd/+bug/1810982 assigned, it involves livecd-rootfs which I don't think anybody else is familiar with
[13:06] Bug #1810982: Preseeding Snaps Broken for Trusty
=== Saviq is now known as ricab|test
=== ricab|test is now known as Saviq
[13:09] Chipaca: hmm, i'm looking at ctlcmd/get.go and it has '... short:"d" description:"always return document, even with single key"'
[13:10] pstolowski: I think Chipaca is asking about "snapctl get -d" with no key
[13:10] which I think maybe you mentioned in your open PR
[13:11] pedronis: ah
[13:12] yep, -d with no key
[13:13] #1814876
[13:13] Bug #1814876: snapctl get -d doesn't allow returning full config
[13:14] Chipaca: right. I *think* (i wasn't yet in the team when snapctl was implemented) the idea was the "snap get" is user facing tool, so it's desirable to return entire document to discover options; snapctl is queried programmatically, the snap knows its options so it just retrieves specific keys
[13:17] Chipaca: i vaguely remember hearing that reasoning from someone.. but it's possible i made it up ;)
[13:18] I agree the primary use case is that one, but developers still like to debug their things :-)
[13:18] allegedly
[13:19] Chipaca: not disagreeing
[13:20] Is it possible to delete old revisions of a snap in the store?
=== ricab is now known as ricab|lunch
[13:22] Chipaca: pstolowski: fwiw I'm not against making -d without key work until we have finished other stuff. I think arbitrary differences between snapctl and snap are mostly not worth it
[13:22] s/until/after/
[13:24] +1
[13:43] dot-tobias: no, you can only remove them from any channels
[13:44] diddledan: ok, thanks!
[13:47] pstolowski: I did a first pass over #5962, didn't quite look at everything yet
[13:47] some questions there
[13:47] PR #5962: ifacestate/hotplug: hotplug handlers
[13:47] pedronis: thanks
[13:51] cachio: proposed a trivial PR https://github.com/sergiocazzolato/snappy-qa-jobs/pull/2
[13:51] PR sergiocazzolato/snappy-qa-jobs#2: Added doc about SPREAD_TESTS and SKIP_TESTS vars
[13:52] mvo: should we close #6252 now that you made 6493 ?
[13:52] PR #6252: userd: handle help urls which requires prepending XDG_DATA_DIRS
[13:56] pstolowski: also reviewed #6490 with a small comment
[13:56] PR #6490: tests: fix NFS home mocking
[13:56] pstolowski, nice, I'll take a look
[13:57] thank
[13:58] pedronis: yeah, let me close it now, it's not useful in its current form
[13:58] mvo: hey, there are some milestones on https://launchpad.net/snapd/trunk that feel stale, would you mind if I closed them? (2.36.x)
[13:58] pedronis: thanks
[13:59] PR snapd#6252 closed: userd: handle help urls which requires prepending XDG_DATA_DIRS
[14:00] mvo: thanks!
[14:00] kenvandine: if you could quickly double check
[14:01] mvo: looking
[14:02] oh
[14:02] standup
[14:02] kenvandine: thanks
[14:03] kenvandine: hey :)
[14:03] kenvandine: I sent a ping earlier today, not urgent but please confirm that you saw it
[14:03] zyga: i did see it
[14:04] i think jamesh might have submitted a fix to Yaru instead
[14:04] great, thank you
[14:04] kenvandine: I think it's still out in the wild so I wonder if it's a matter of publishing something to stable
[14:16] zyga: that should be fixed by https://gitlab.gnome.org/Community/Ubuntu/gtk-common-themes/merge_requests/8
[14:16] should the issue be closed then?
[14:17] people still report it
[14:19] it's still waiting for feedback
[14:41] hello
[14:41] looks like snapcraft broke backwards compatibility for me, without warning
[14:41] Failed to get part information: Cannot find the definition for part 'desktop-gtk3', required by part 'app'.
[14:41] Remote parts are not supported with bases, so make sure that this part is defined in the `snapcraft.yaml`.
[14:41] the same snapcraft.yaml was working before
[14:42] snapcraft 3.x did indeed disable remote parts
[14:42] also, version: 2 is no longer accepted (but version: "2") works
[14:43] is there some manual on how to migrate? What should I use instead of the remote part?
[14:43] 2 is a number. '2' is a string. if it accepted 2 before that was a bug
[14:43] t1mp: https://paste.ubuntu.com/p/jdMWkMJKhF/
[14:45] * diddledan pastes his link again for anyone who missed it - go look :-p https://snapstats.org/
[14:46] popey: thanjsk!
[14:46] -j
[14:46] njp
[14:46] :-p
[14:46] popey: yeejit :-p
[14:47] why do I need to remove the base: core18 line?
[14:47] that's what I'm using for my snap too
[14:47] because snapcraft define won't work with it
[14:47] you don't need to remove it in *your* yaml, only in the tmp one
[14:48] it won't expand the definition with it in place - the base: core18 triggers snapcraft to use new features and remove old ones
=== ricab|lunch is now known as ricab
[14:49] of course you can add it back as soon as you've run `snapcraft define`
[14:49] ok
[14:54] * cachio lunch
[14:55] popey, diddledan: okay, thanks. I'm rebuilding my snaps (with snapcraft 3.. and 2 on jenkins. I hope that one still works after my changes).
[14:57] I get some errors,
[14:57] Staging desktop-gtk3
[14:57] rm: cannot remove '/var/cache/apt/archives/partial/*.deb': Permission denied
[14:57] but the pull seems to continue after that
[14:58] I require coffee. brb
[15:03] An error occurred when trying to execute 'sudo -i snapcraft prime' with 'multipass': returned exit code 2.
[15:05] ah. I have a version-script, and I guess before snapcraft wasn't building the stuff in a vm. Now it is and my script is not available there.
[15:20] * zyga is eating lunch
[15:20] Issue # closed: core18#56, core18#86, core18#89, core18#117
[15:20] PR # closed: core18#43, core18#63, core18#72, core18#90, core18#98
[15:21] Issue # opened: core18#56, core18#86, core18#89, core18#117
[15:21] PR # opened: core18#43, core18#63, core18#72, core18#90, core18#98
[15:22] mup seriously needs educating about what "closing" means - it keeps on with things like ^^^^^ where it says "foo is closed" immediately followed by "foo is new and just been opened!!!! OMGZOR IT'S BRAND NEW!!!!"
[15:24] diddledan: github api hiccups
[15:24] and mup-side state
[15:24] afaik
[15:24] ikn
[15:24] ikr?
[15:24] wtf
[15:25] oh dear. stack smashing in a quit message?
[15:25] ref: 15:25:04 ⇐ mdeslaur quit (~mdeslaur@ubuntu/member/mdeslaur) Quit: *** stack smashing detected ***
[15:25] that sounds nasty
[15:34] pedronis: re your comment about why do i only log error on from addHotplugSeqWaitTask(chg, key) - it's a good point - i wonder what's the right thing to do; is chg.Abort() the right way of dealing with this? we have change and tasks already created in the state, but we shouldn't run them if seq task couldn't be added
[15:35] pstolowski: need to think a bit
[15:35] pstolowski: I think is doing things with a patter that we don't use
[15:35] *pattern
[15:37] pstolowski: we usually have all the tasks, and then add them to the change
[15:38] pstolowski: we might have to tweak the helper
[15:38] pedronis: btw, error here is if things go really bad (failure other than NoState from st.Get("hotplug-seq"..))
[15:38] pstolowski: I understand but see my comment here
[15:44] pedronis: i'd move allocHotplugSeq out of the helper, so it needs to be allocated by the caller and passed to the helper. that way it can be allocated (or fail) early before creating change and tasks. wdyt?
[15:45] pstolowski: yes, something like that
[15:46] pstolowski: we should follow other places and create the change last
[15:46] pedronis: i see
[16:22] fun things to do: run out of space on /tmp 🗹
[16:22] PR snapd#6490 closed: tests: fix NFS home mocking
[16:27] Chipaca: just a reminder that #6034 description/commit needs updating, it's still using the original names of things
[16:28] PR #6034: many: save media info when installing, show it when listing
[16:28] pedronis: thanks
[16:28] pedronis: I'm waiting for an answer from mvo, but I'd already forgotten about the desc
[16:29] Chipaca: about the test?
[16:33] pedronis: yes
[16:33] pedronis: (description updated)
[16:37] thx
[17:20] pedronis: thanks for catching a few issues in the hotplug PR; i think i've addressed all your 1st pass comments
=== pstolowski is now known as pstolowski|afk
[18:56] PR snapd#6493 closed: userd: handle help urls which requires prepending XDG_DATA_DIRS
=== JanC_ is now known as JanC
=== blackboxsw_ is now known as blackboxsw
=== hunterk_ is now known as hunterk
=== bashfulrobot_ is now known as bashfulrobot
[19:07] mvo: I looked again at #6418, I am a bit confused because the code you changed in snap-confine looks like it was originally buggy?
[19:07] PR #6418: many: allow core as a fallback for core16
[19:07] pedronis: thanks, let me check
[19:07] pedronis: I remember I fixed something in there, yes
[19:08] pedronis: let me check, you mentioned the new code looks also a bit strange, let me open it
[19:08] mvo: mind not buggy, just strange
[19:08] the new code
[19:08] * mvo nods and looks
[19:25] pedronis: yeah, the triple access is strange, I have a look what can be done
[19:31] mvo: going to eod, I'll continue with your other PRs in the morning
[19:31] pedronis: thank you!
[19:45] mvo: hey, I can't recall the details, but I feel like you said something like this would break snapd: https://code.launchpad.net/~paelzer/ubuntu/+source/libseccomp/+git/libseccomp/+merge/362906
[19:45] mvo: (server team is adding a syscall to bionic's libseccomp)
[19:57] jdstrand: thanks, let me check
[20:00] jdstrand: hm, I don't recall having said this, zyga was working on statx, maybe he remembers more -^
[20:10] mvo: I thought you said that the act of adding syscalls to trusty's libseccomp complicated things for you
[20:11] PR snapcraft#2467 closed: [legacy] ruby plugin: support new download URL
[20:14] mvo: or maybe that was vivid. like I said, I do not recall the details :)
[20:21] jdstrand: I don't remember .( I will double check with -proposed tomorrow
=== gurmble is now known as grumble
[20:38] PR snapcraft#2469 opened: cli: clean up snapcraft push output
[21:02] hm i want to capture communication between snap and snapd for testing later
[21:02] i wonder how many recording proxies support unix sockets :)
[21:03] and then i guess i'd need to coerce snapd to talk to it anyway
[21:03] er snap
[21:04] mwhudson: you can have snapd take arbitrary sockets by tweaking its .socket unit
[21:04] hmm
[21:04] mwhudson: even, gasp, ip
[21:05] mwhudson: (but good luck getting unix credentials)
=== epod is now known as luk3yx
[21:05] probably easier just to hack my own snapd binary that writes all requests and responses somewhere?
[21:05] argh snap binary
[21:06] mwhudson: either would work -)
[21:06] i can't type 'snap' without the 'd' apparently
[21:07] mwhudson: I'm going to write a tool and call it 'snadp', just for you
[21:07] Chipaca: i hope you feel bad
[21:07] pretty good actually
[21:07] my mum sent triple-choc brownies
[21:15] i guess this Client.Hijack method might be useful for this
[21:16] other question
[21:16] is there a snapd api i can use to ask if there is an update available for a particular snap?
[21:17] iirc i could only ask about all installed snaps which i guess is ok too
[21:17] basically i'm working on adding support for triggering a self refresh to subiquity and am wondering about how to test it
[21:24] mwhudson: snap refresh --list ?
[21:25] mwhudson: (sorry I didn't see your question)
[21:26] mwhudson: wrt logging, I'd look at (*client.Client).do
[21:27] actually, this sounds useful
[21:27] * Chipaca looks
[21:27] i would actually like it for my other thing so i can see which api snap refresh --list is hitting :)
[21:29] mwhudson: http snapd:///v2/find select==refresh
[21:29] Chipaca: thanks
[21:29] mwhudson: you're welcome
[21:32] mwhudson: but
[21:32] mwhudson: snapd is already logging that :-)
[21:32] Feb 12 21:32:20 fleet snapd[6262]: daemon.go:296: DEBUG: pid=26464;uid=1001;socket=/run/snapd.socket; GET /v2/find?select=refresh 244.125698ms 200
[21:33] I thought you were looking at POSTs
[21:33] only if you turn up logging right?
[21:34] mwhudson: just SNAPD_DEBUG=1
[21:34] yes
[21:34] DEBUG
[21:34] but yes i want post and response bodies in general
[21:34] ok, I'll play with that in a bit
[21:34] PR snapd#6494 opened: interfaces/builtin/udev: add spec to disable udev + device cgroup
[21:34] would be great
[21:35] i can hack something for my own use but i'm sure your version would be cleaner :)
[21:45] mwhudson: http://paste.ubuntu.com/p/RN5xYkwf3c/
[21:45] mwhudson: that still won't log the body of the request, but I can add that if this would work
[21:45] I also have a delogger.py you might find useful
[21:46] mwhudson: https://gist.github.com/chipaca/5d0f0e2b7fecd2df87f25b798a6c6537
[21:46] delog.py
[21:57] + Key: "SNAPD_DEBUG_HTTP",
[21:57] -D?
[21:57] but thanks
[22:03] Chipaca: where would that log to?
[22:03] mwhudson: yeah, it's not pretty
[22:04] that logs to the log :-/
[22:04] as in
[22:04] SNAPD_DEBUG=1 SNAPD_DEBUG_HTTP=7 /tmp/snap refresh --list
[22:04] *** here
[22:04] 2019/02/12 21:44:33.361905 logger.go:67: DEBUG: > "GET /v2/find?q=&select=refresh HTTP/1.1\r\nHost: localhost\r\nUser-Agent:
[22:04] etc etc
[22:05] oh you need SNAPD_DEBUG=1 as well
[22:05] there's probably some standard for logging http requests that is weeping
[22:15] also whoa what's with that funky date format
[22:15] * Chipaca hopes it'll make sense in the morning
[22:16] o/
[22:37] Hey jdstrand, how is the docker (not docker support) interface being used these days? Reading the code, it kinda looks like I can't even install a snap that plugs it, is that true? (allow-installation: false)
[22:38] kyrofa: you can do an unasserted install with --dangerous. you need a snap decl to distribute via the store
[22:39] the docker socket gives you device ownership, just like docker-support since it gives you access to the socket whose listener has docker-support and there aren't acls on the api
[22:40] Ah, so nothing random folks can really use, then
[22:40] correct
[22:41] I mean, if it is legitimate use, that is one thing
[22:42] eg, k8s or something, but it is superprivileged
[22:42] I just want to be able to fire up a docker container from within a confined snap. Bundling docker would require super plugs, and it seems using docker ALSO requires super plugs
[22:43] Decent confinement would require mediation, basically?
[22:43] kyorfa: the "designed" way to do this with the docker snap is to plug the docker:docker-executables slot in your snap and then use the docker binary from the docker snap in your snap
[22:43] kyrofa: ^
[22:44] ijohnson_, what if I want to use the API instead of shelling to a binary?
[22:44] then you would plug docker:docker-daemon also slotted by the docker snap (which is the "docker" interface which allows access to the unix socket)
[22:45] That one isn't a super plug?
[22:46] no, the "docker" interface is explicitly not slotted by the core snap, only docker-support is slotted by the core snap
[22:46] as jdstrand pointed out you will have a hard time getting an auto-connection for the docker-support interface if you aren't actually docker or k8s, etc.
[22:47] this is the "designed" way to launch docker containers from a different snap, which is admittedly quite awkward and not well supported at the moment
[22:47] it should work though, please let me know if it doesn't
[22:47] ijohnson_, who is maintaining that snap these days, you?
[22:48] it is super
[22:48] err
[22:49] it is super for the slot
[22:50] but the docker snap has a snap decl that allows connecting to it
[22:50] * jdstrand forgot about that
[22:50] so if you use the docker snap, you can plugs it
[22:51] but it won't autoconnect
[22:51] Heh, yeah I didn't even think to see if core provided a docker slot, of course it doesn't
[22:52] someone else couldn't slots docker or plugs it
[22:52] Indeed, that makes sense
[22:52] hey also jdstrand while you're here talking about the docker snap, there was a CVE published yesterday concerning a bad actor being able to overwrite the runc binary which docker runs as root to start containers. The snap wasn't affected because the runc binary is mounted read-only (cause squashfs), but looking through the apparmor we allow writes to /proc/[0-9]*/fd/[0-9]* (which is what I think /proc/self/exe resolves to
[22:52] anyways)
[22:53] is mounting as read-only the only way we can prevent similar attacks overwriting a binary using /proc/self/exe?
[22:53] so, I'll revise my answer. if you have the docker snap installed, you can plugs docker and manually connect and go on your way
[22:53] ijohnson_: apparmor protects us as well
[22:54] it is a symlink so it resolves to the binary and the policy doesn't allow arbitrary writes
[22:54] hmm when I was looking yesterday it seemed to allow it
[22:54] err wait you mean don't allow arbitrary writes to $SNAP ?
[22:54] ijohnson_: as for programmatically fixing this for a container management system that doesn't use apparmor, you can do something like what the runc devs did
[22:55] they have an ingenious approach. I suggest reading https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/runC
[22:55] good to know, thanks for the link
[22:55] I meant that https://github.com/snapcore/snapd/blob/master/interfaces/apparmor/template.go#L306-L313 allows writes to /proc/*/fd/* doesn't it?
[22:57] ijohnson_: if you can write to what /proc/self/exe is pointing to, then you can use the same technique. but, you don't need to use the technique because you already have write access to it. the difference is that with runc you were able to escalate privileges and write to somewhere you weren't supposed to
[22:58] ah I see, okay
[22:58] thanks for confirming
[22:59] so for snapd, it isn't an issue on several fronts. $SNAP is ro squashfs, apparmor doesn't allow it, apparmor doesn't allow strict mode snaps to write to /var/lib/snapd/hostfs, etc. in forced devmode, it is wide open. we aren't providing file restrictions so no priv escalation
[22:59] yep that all makes sense now
[23:08] ijohnson_: to specifically answer your /proc/*/fd/* question. we do allow reads there and writes to [0-9]*, but importantly, those are symlinks that apparmor will resolve
[23:08] ack