/srv/irclogs.ubuntu.com/2019/05/08/#ubuntu-devel.txt

[00:14] <xnox> vorlon, LocutusOfBorg - corosync in a lxd container seems sad. cannot start it on amd64
[00:14] <xnox> at first seemed like low default limits:
[00:14] <xnox> lxc config set CONTAINER-NAME limits.kernel.memlock 33554432
[00:14] <xnox> helped to get past one error in corosync, but now logs don't initialize, and i'm not sure why
[00:15] <xnox> May 08 00:10:42 nice-mako corosync[349]:   [MAIN  ] Can't initialize log thread
[00:15] <xnox> May 08 00:10:42 nice-mako corosync[349]:   [MAIN  ] Corosync Cluster Engine exiting with status 7 at main.c:1507.
[00:15] <xnox> or maybe worse.
[00:19] <sarnold> xnox: kinda looks like that needs posix semaphores https://sources.debian.org/src/libqb/1.0.4-2/lib/log_thread.c/?hl=142#L142
[00:20] <sarnold> xnox: any idea if those work or are disallowed by your container? seccomp rules?
[00:21] <sarnold> .. hmm, or maybe it's the scheduling priority
[00:21] <xnox> hmmm
[00:21] <xnox> max locked memory       (kbytes, -l) 65536
[00:21] <xnox> max memory size         (kbytes, -m) unlimited
[00:21] <xnox> i don't like this in ulimit -a
[00:21] <xnox> i think i need more
[00:21] <xnox> and i did do $ lxc config set nice-mako limits.kernel.memlock 6553600
[00:22] <xnox> so why does my container not do more?!
[00:23] <sarnold> systemd can fiddle rlimit_memlock https://sources.debian.org/src/systemd/241-3/src/core/main.c/?hl=1376#L1376
[00:30] <xnox> sarnold, sigh $ sudo systemctl edit snap.lxd.daemon.service
[00:30] <xnox> [Service]
[00:30] <xnox> LimitMEMLOCK=655360000
[00:30] <xnox> and it looks like it doesn't respect units right....
[00:30] <xnox> as if that's in bytes, instead of kb
[00:30] * xnox tries a suffix
[00:33] <xnox> https://paste.ubuntu.com/p/mCnQfD6StH/
[00:33] <sarnold> heh :/
[00:33] <xnox> i think that's progress!
[00:33] <xnox> cause i get new errors =)
[00:33] <sarnold> hey! :)
[00:33] <xnox> "File name too long" lovely
[00:33] <sarnold> new errors are always great
[00:34] <xnox> stgraber, what insanity do i need to set on my snap.lxd.daemon.service to make it "production"? also, do you want to try installing corosync from eoan-proposed to make it start in the lxd container? at the moment, that fails for me =(
[00:38] <xnox> [pid   336] setsockopt(12, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
[00:38] <xnox> hmmm
[00:45] <xnox>                 if (savederrno == EPERM) {
[00:45] <xnox>                         errno = ENAMETOOLONG;
[00:45] <xnox> kwalitee =)
[00:45] <sarnold> bingo
[00:45] <sarnold> systemd again?
[00:45] <sarnold> or apparmor this time? :)
[00:45] <xnox> nah, kronosnet-1.8
[00:45] <xnox> but the eperm is real
[00:46] <xnox> i do not see things in apparmor denials....
[00:52] <xnox> sarnold, i think it wants the real CAP_NET_ADMIN for no reason.
[00:53] <xnox> cause reading SO_RCVBUF & SO_RCVBUFFORCE in http://manpages.ubuntu.com/manpages/disco/en/man7/socket.7.html
[00:53] <sarnold> xnox: yeah it's really annoying that this cap is needed for something that feels so bland
[00:53] <xnox> it's normal that i can't do the latter, but if the former succeeded... i fail to see why we force things?!
[00:53] <xnox> root@nice-mako:~# strace -s99999 -f /usr/sbin/corosync 2>&1 | grep setsock
[00:53] <xnox> [pid   386] setsockopt(12, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
[00:53] <xnox> [pid   386] setsockopt(12, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
[00:54] <sarnold> xnox: loads of apparmor profiles either have to decide to grant this terrifying priv, or force a failure here :(
[00:56] <xnox> ah, maybe it did fail!
[00:56] <xnox> [pid   401] setsockopt(12, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
[00:56] <xnox> [pid   401] getsockopt(12, SOL_SOCKET, SO_RCVBUF, [425984], [4]) = 0
[00:56] <xnox> [pid   401] setsockopt(12, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
[00:56] <xnox> cause it's trying to set 8388608, but gets back 425984 instead. smells like one more "ulimit" imposed on me.
[00:57] <xnox> and calling it a night.
[00:57] <xnox> exit
[00:57] <sarnold> this one might be a cgroup for kmem or similar? you wouldn't be happy if your fart app container went crazy and allocated half your kernel memory in silly receive and send buffers..
[00:57] <sarnold> gnight xnox ;)
=== ricab is now known as ricab|bbl
[09:25] <LocutusOfBorg> mdeslaur, FYI, I syncd libcaca, discarding your doxygen-latex switch, basically because the fix is now probably in doxygen, and the package doesn't FTBFS anymore https://launchpad.net/ubuntu/+source/libcaca/0.99.beta19-2ubuntu2
[09:25] <LocutusOfBorg> https://launchpad.net/ubuntu/+source/libcaca/0.99.beta19-2.1
[09:37] <mwhudson> rbasak: does the git source package importer have some magic way of getting things out of the debian NEW queue?
[09:38] <mwhudson> (it seems unlikely but i thought i'd ask)
[09:41] <mwhudson> oh wait you can't even download stuff from new
[09:58] <rbasak> mwhudson: yeah, sorry. I was going to say wishlist but you've reminded me it's impossible.
[09:59] <rbasak> mwhudson: you might find git/bin/git-dsc-commit in the source tree useful. If you have a source package you can "force commit" it into a branch. Eg. an orphan branch. Then you can at least diff it against other things, etc.
[10:05] <TomyWork> hi
[10:05] <TomyWork> I'm trying to install ibm notes (formerly known as lotus notes) from the vendor's .debs. It's a 32 bit package that depends on gdb. This has always been a problem, since I'm on a 64 bit system and I have a 64 bit gdb package. On 14.04, I used an otherwise empty package with this control file in order to get it to work: https://paste.ubuntu.com/p/wKRXyfzFk3/  On 18.04, when trying to install that package, I now get a conflict: https://paste.ubuntu
[10:05] <TomyWork> .com/p/GRXHwrBzPG/  this is likely due to the fact that the 18.04 gdb:amd64 package conflicts with "gdb", which the 14.04 gdb:amd64 package did not. How do I install a package that requires gdb:i386 while that gdb:amd64 package is installed and conflicting with any other package that even *provides* "gdb"
[10:06] <TomyWork> oops, that link got cut in half. here's the whole link: https://paste.ubuntu.com/p/GRXHwrBzPG/
[10:06] <juliank> ugh I merged wpa from experimental but wrote unstable in the changelog, sorry
[10:07] <juliank> I merged unstable first, then copied changelog over and forgot to replace it :D
=== ricab|bbl is now known as ricab
[10:53] <marcustomlinson> sil2100: hey! any chance you got around to https://bugs.launchpad.net/ubuntu/+source/libreoffice/+bug/1826560
[10:53] <ubottu> Launchpad bug 1826560 in libreoffice-l10n (Ubuntu Disco) "[SRU] libreoffice 6.2.3 for disco" [High,In progress]
[10:59] <mdeslaur> LocutusOfBorg: cool, thanks!
[11:28] <mwhudson> rbasak: ah yeah that might be handy indeed
[11:28] <mwhudson> rbasak: i can probably get the uploader to give me the dsc
[11:28] <mwhudson> (or just make one from git)
[11:44] <rbasak> mwhudson: if it's already in git, then surely you already have it in git? :-)
=== ricab is now known as ricab|lunch
[12:40] <xnox> sarnold,
[12:40] <xnox> sudo sysctl -w net.core.wmem_max=8388608
[12:40] <xnox> sudo sysctl -w net.core.rmem_max=8388608
[12:40] <xnox> was the answer to the other one, and i do have corosync/pacemaker in the container now. Opened: https://bugs.launchpad.net/auto-package-testing/+bug/1828228
[12:40] <ubottu> Launchpad bug 1828228 in Auto Package Testing "corosync fails to start in container (armhf) bump some limits" [Undecided,New]
=== ricab|lunch is now known as ricab
=== Wryhder is now known as Lucas_Gray
[14:02] <rbasak> ahasenack: on bug 1616123, did we already make a decision to SRU it? I remember something like bug - is this the only instance or was there another variable affected in another bug?
[14:02] <ubottu> bug 1616123 in nfs-utils (Ubuntu Cosmic) "rpc-svcgssd.service uses incorrrect variable SVCGSSDARGS" [Undecided,In progress] https://launchpad.net/bugs/1616123
[14:02] <ahasenack> rbasak: we will want to sru it, we were waiting on what debian was going to do, but they made the same change
[14:02] <rbasak> ahasenack: I'm wondering from the perspective of "is this worth an SRU?"
[14:02] <rbasak> Because a workaround is to override via systemd in /etc, right?
[14:02] <ahasenack> it's a low hanging fruit
[14:02] <ahasenack> yes
[14:03] <rbasak> OK
[14:03] <ahasenack> a good one for someone new perhaps? :)
[14:35] <michael-vb> Hello, does anyone here feel responsible for the update-secure-boot-policy script in shim-signed?  It is intended to be used by DKMS modules, but I have experimental changes to the VirtualBox installer to use it as well, and wanted to talk about that.
[14:36] <michael-vb> I e-mailed Mathieu Trudel-Lapierre, who is in various change logs, but didn't get a response.
[14:46] <xnox> michael-vb, well, talk about it. how are you using it?
[14:48] <michael-vb> Well, the bit in my script I like the least is this:
[14:48] <michael-vb> # update-secureboot-policy "expects" DKMS modules. Work around this and talk to the authors as soon as possible to fix it.
[14:48] <michael-vb> mkdir -p /var/lib/dkms/vbox-temp
[14:48] <michael-vb> update-secureboot-policy --enroll-key 2>/dev/null || [...]
[14:48] <michael-vb> rmdir -p /var/lib/dkms/vbox-temp 2>/dev/null
[14:48] <michael-vb> If you see what I mean.
[14:50] <michael-vb> At this point that will have to stay in my script so that it works with existing versions of update-secureboot-policy, but it would be great if it were not needed.
[14:53] <michael-vb> And the other thing was whether there were any thoughts about a cross-distribution solution, say with the freedesktop/XDG people.  I would assume that
[14:53] <michael-vb> they would want to see a bit more protection of the private key, like
[14:53] <michael-vb> optionally adding a protection password (if that is possible), or
[14:53] <michael-vb> letting the user specify the location at signing time and optionally
[14:53] <michael-vb> mounting external storage containing the key.
[14:54] <michael-vb> (Sorry, pasted that from an e-mail which was of course line-split.)
[14:55] <xnox> michael-vb, no passwords is an Ubuntu UX decision.
[14:56] <xnox> michael-vb, so even if passwords / unlocking / tpm / usb-stick is added, we'd need/want to keep "unprotected/passwordless/unattended" mode as well.
[14:56] <xnox> michael-vb, re bogus directories to enroll-key => please open a bug report and propose a patch? to either just do things, or do things if there is like '--force' or something?
[14:57] <michael-vb> Happy to do that (the bug report).
[14:57] <xnox> michael-vb, and well do wait for response from cyphermox cause i think he does maintain that script. and we do keep changing what we do by default, and etc.
[14:58] <michael-vb> I just wanted to talk to someone first to get your thoughts.
[14:58] <michael-vb> Like if someone was going to say "no way, this is only for DKMS".
[14:59] <cyphermox> michael-vb: I have been writing that email response to you, I just want to get it just right
[15:01] <cyphermox> michael-vb: essentially, you probably don't want to use update-secureboot-policy; it's not needed for what you want aside maybe to create the key to begin with
[15:01] <cyphermox> for everything else it's just a wrapper, so if you don't want to use DKMS, you might as well just call mokutil --import yourself if needed, and sign things yourself using kmodsign
[15:03] <cyphermox> for anything else, I mean, sure, protecting the key more is possible, but it's not necessarily going to do much aside from making it more hoops for users to jump through to get something signed, even if it's automated
[15:03] <michael-vb> There were two reasons I was keen to use update-secureboot-policy.  One was that I don't want to replicate all the debconf bits but still get a native "experience".  And the second is more evil, if I do it myself I am responsible for the security decisions.
[15:04] <michael-vb> Those added hoops are what I imagine other distributions might want to see, not what I am interested in myself.
[15:04] <cyphermox> well, you can also call update-secureboot-policy --enroll-key as part of your build it will do the password asking
[15:06] <michael-vb> Right, so then the question is - can you remove that "if [ $dkms_modules -lt 2 ]; then" part?
[15:06] <michael-vb> Working around it for existing deployments of the script is no problem, I just feel better when I am not fighting against the tools I am using.
[15:06] <cyphermox> not really
[15:06] <cyphermox> this is specifically so upgrades happen seamlessly without prompting the user again
[15:07] <michael-vb> Could you add a couple of words to that?
[15:09] <cyphermox> if you don't have a key enrolled and already had a dkms module installed, you don't necessarily want to prompt to enroll again unless a new DKMS module appears
[15:10] <michael-vb> Oh, I thought that that line would detect any DKMS modules, not just new ones.
[15:12] <LocutusOfBorg> seb128, can I abuse your patience once more and see if you can help me in xpdf poppler sadness? https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3714/+packages it's the last one
[15:12] <seb128> LocutusOfBorg, hey, not today but I can have a look tomorrow
[15:15] <LocutusOfBorg> basically I have to replace goolist with std::vector, but my c++foo sucks :)
[15:15] <LocutusOfBorg> I'll try again tonight
[15:20] <michael-vb> cyphermox: have to go for a bit (will stay in the channel), but actually what I would like would be a way of using update-secureboot-policy without having the feeling that I am using it in a way I should not be.  So removing that line was an idea, but any other way to say "please continue even though no DKMS modules are there" is fine too.
[15:21] <michael-vb> An environment variable would be nicer than a switch of course, as the switch would break on current versions.
[15:22] <michael-vb> Oh, actually "sudo /usr/sbin/update-secureboot-policy --enroll-key --foo" works without complaining.
[15:22] <michael-vb> Forget the environment variable thing then.
[15:22] <michael-vb> Back later.
[15:23] <cyphermox> yup
[15:23] <michael-vb> (Why does everyone in software love the word "foo" so much?)
[15:27] <ginggs> fooknows
[15:32] <michael-vb> cyphermox: oh yes, the other thing - did you have any ideas of co-operating with other distributions about handling this at some point, or is that something you are not interested in starting?  If the second I would ping Hans again myself to ask who to talk to.
[15:32] <michael-vb> Away again.
[15:33] <cyphermox> michael-vb: it's not about not being interested, tbh it's more that I'm not sure I currently have any time to put to that endeavor; and it really needs to work on desktop and servers equally well.
[15:34] <cyphermox> (so that means a gtk-only solution is out of the way, that's partly why debconf was a "good idea" for this)
[15:35] <cyphermox> essentially, that means some amounts of UI engineering work; it's not like a shell script that can be banged together in a couple of hours :)
[15:35] <michael-vb> I read that as I am welcome to ask people, but on my time.
[15:36] <cyphermox> michael-vb: I sent my response by email already; best is to file a wishlist bug and we can discuss that; maybe I can get time blocked to work on that
[15:36] <michael-vb> Thanks.
[16:39] <sarnold> xnox: nice, thanks
[17:11] <plongshot> Please forgive me if I've come to the wrong place but I'm not connecting with people in the regular channel and I don't know if it's because my question is a bit dense or what.  Can anyone kindly advise on the best way to find what I need?
[17:11] <plongshot> My original question was thus..
[17:11] <plongshot> I don't know the connections under the hood with ubuntu but is the location for the default directory for bluetooth file transfers determined by something else in the system?  In other words, is it going off of some default setting for "Downloads" folder location and create the folder if it doesn't exist?  If that is so then maybe I should look for a way to change the setting for the default "Downloads" location and the things
[17:11] <plongshot> that rely on it will honor that?
[17:11] <plongshot> ty
[17:13] <plongshot> I need to seriously mitigate mutations to my directory structure - It drives me nutz!  :>
[17:14] <plongshot> I'm on / talking about 18.04
=== SuperKaramba is now known as BenderRodriguez
[21:24] <mwhudson> rbasak: you make a good point
=== msmarcal is now known as msmarcal|eod
