[04:58] morning [05:48] good morning mborzecki [05:48] zyga: hey [05:51] mborzecki: trying the new atom feature [05:51] zyga: what is it? [05:52] https://blog.atom.io/2019/05/12/atom-1-37.html [05:53] it's pretty neat :) [05:54] zyga: interesting [06:11] mborzecki: updated https://github.com/snapcore/snapd/pull/6856/files [06:11] PR #6856: cmd/snap-update-ns: add tests for executeMountProfileUpdate [06:11] specifically this part https://github.com/snapcore/snapd/pull/6856/files#diff-6e1312a8e6236111d0199b57d496b986R87 [06:21] zyga: do we have any helpers in the code to find a mount point given a device/source name? [06:22] oh, well, i'll use LoadMountInfo() then [06:53] off to drop some papers at my accountant's === pstolowski|afk is now known as pstolowski [07:01] mornings [07:07] zyga: hey, you there? [07:48] re [08:03] mborzecki: hey, 6868 can land [08:03] pstolowski: hey [08:03] pstolowski: Chipaca: thanks for the reviews [08:04] PR snapd#6868 closed: systemd: workaround systemctl show quirks on older systemd versions [08:04] #6860 has some new selinux denials, need to look at those [08:04] PR #6860: tests: running tests on fedora 30 [08:28] Chipaca: morning, thanks for the reviews! [08:29] mborzecki: niets te danken, or something [08:30] Chipaca: nice :) still remembering some dutch? [08:31] mborzecki: i think 'niets te danken' and 'natuurlijk' are the only bits i remember at this point [08:40] mborzecki: dunno if you saw but i tagged #6868 for 2.39 [08:40] PR #6868: systemd: workaround systemctl show quirks on older systemd versions [08:41] because it seems to me to be the right combination of safe and important [08:41] Chipaca: great, thanks [08:41] we'll be doing .1 anyway to include zyga's fixes [08:41] yep [08:54] hey hey [08:54] my fixes are almost ready, just need to add an instance test [08:54] I was trying to get to it between sessions [08:56] zyga: is that going to be in a separate pr? [09:07] * mborzecki feels sorry for whoever will review the raw image writer bits [09:15] mborzecki: could you wrap up your review of #6721 at some point? [09:15] PR #6721: tests: new profiler snap used to track cpu and memory for snapd and snap commands [09:15] Chipaca: sure [09:16] Chipaca: all that was missing was +1 :) [09:16] mborzecki: :) [09:16] i'm using my gh.go thing to find low-hanging fruit [09:17] i've restarted travis jobs, last it built was 13 days ago [09:18] might need a re-merge, we'll see [09:18] anyway cazzo has a few housekeeping things to do with his PRs [09:24] cmatsuoka: you around? [09:24] Chipaca: hello [09:24] cmatsuoka: hiya! good morning [09:25] good morning! [09:25] cmatsuoka: the "RootOnly" flag is now merged, and I don't know what to do with #6679: if that work continues, is it going to start there, or are you going to do it again from scratch? [09:25] PR #6679: many: implement user removal [09:25] cmatsuoka: IOW should I close the PR :) [09:26] RootOnly was only one of the parts of the puzzle that needed solving first [09:26] the other was about classic [09:26] Chipaca: I think it will be cleaner to restart from scratch, we can just drop the old PR [09:27] cmatsuoka: ok. I'll close it, unless you want to do so [09:27] close it, please [09:29] oh, the link is right here, I can close it as well [09:29] * cmatsuoka still sleepy, jet lag [09:30] PR snapd#6679 closed: many: implement user removal [09:31] mborzecki: in #6680, when you say 'root only', do you mean _actual_ root only, or is logged-in ok also? [09:31] PR #6680: [RFC] daemon: expose pprof endpoints [09:33] Chipaca: hm it's trace & profiling, not sure if anthing sensitive is accessible through the api, it's probably just stacktraces & addresses [09:33] maybe addresses are sensitive ? [09:34] Chipaca: limiting access to uid 0 probably the safest approach [09:34] mborzecki: ok, i included how to do that in my review [09:34] ('s trivial) [09:34] Chipaca: see that now, thanks [09:35] cmatsuoka: I'll be working on the next bit of user thing refactoring, namely making the user thing not be there on classic by default [09:35] cmatsuoka: after that you should be able to work on the removal without issue [09:43] PR snapcraft#2564 opened: remote_build: handle git push in detached head state [09:51] going back home [10:00] Chipaca: that bug? no, all one PR [10:00] Chipaca: all the propagation fixes are in one PR (still pending because conference) [10:01] zyga: not related to #6866 then? [10:01] PR #6866: cmd/snap-update-ns: allow changing mount propagation [10:01] when is 2.39 out? [10:32] PR snapd#6869 opened: daemon: only allow `users`/`create-users` when not on classic* [10:32] hmm, that PR looks a little daunting [10:33] popey_: cachio was coordinating with mvo and store people, dunno how that went [10:33] popey_: "asap" [10:33] ok [10:34] re [10:34] Anyone familiar with the recent change where snap-seccomp now requires a buildid? Version bumping my Gentoo snapd package and hung up on this. [10:38] zigford: yes [10:38] zigford: we landed a fix for that in master 15 days ago though [10:38] zigford: not sure what you're building [10:38] in particular: #6782 [10:38] PR #6782: osutil: use go build-id when no gnu build-id is available [10:39] Did that make it into 2.39? [10:40] * Chipaca asks git [10:40] zigford: no [10:41] at least, git says no [10:41] okay, no worries. I'll see if I can just patch in that commit [10:41] k [10:41] zigford: I'll flag mvo to see if we add it to 2.39.1 [10:43] Confirmed by looking in the release .tar.gz that it is not in 2.39 [10:44] I don't know what it takes to use gnu buildid's which is probably why it is not working without that commit on my Gentoo ebuild. [10:45] zigford: I think it's because we got rid of CGO dependencies that would previously allow gnu buildid to be involved [10:49] hm that PR should not be required for snap-seccomp [10:49] zigford: does your snap-seccomp have no buildid? [10:50] correct. The output when running snap-seccomp: error: cannot get build-id of snap-seccomp: executable does not contain a build ID [10:50] I mean snap-seccomp version-info [10:50] It could be the way I'm compiling it too. I'm a bit of a n00b when it comes to golang [10:53] zigford: can you run `file ` ? [10:53] Certainly appears to have a buildid according to file: snap-seccomp: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, Go BuildID=a8kMN841Luo-M1zG6V_w/k1vJUu3M_98NWHHNQyDR/4QcWrWhdOMwMS78nFYhQ/pb96YzBzA9BKT4Mc4AMS, stripped [10:55] interesting, that's only the buildid added by go toolchain [10:57] zigford: when you build the package, can you add -x -v to go build and upload the output somewhere [10:57] PR snapd#6870 opened: cmd/snap, api, snapstate: implement "snap remove --purge" [11:01] http://zigford.org/build.log [11:02] might have to search, as that log builds all the bits [11:06] zigford: thanks, so it's using gcc to drive the linking, but somehoow there's no GNU buildid added [11:07] zigford: can you try this `echo 'int main() { return 0; }' | gcc -xc - && file ./a.out` ? [11:08] ./a.out: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, not stripped [11:09] zigford: right, but it adds gnu buildid automatically on my system [11:09] Could BuildID's be a compile time option of GCC, ie, On Gentoo, GCC is compiled by my system, and the feature to create buildid's might be disabled [11:10] zigford: maybe some defaults are different, i doubt it would be disabled [11:10] zigford: can you try this: `echo 'int main() { return 0; }' | gcc -xc -Wl,--build-id=sha1 - && file ./a.out` ? [11:11] ./a.out: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=9fe501acda2e1d8562da2548c42b9361344804f5, not stripped [11:12] zigford: just for the record, what's the version of binutils and gcc? [11:13] gcc = 8.3.0, binutils = 2.31.1 [11:15] Hey everyone, is there a way to know if a bug if good for newcomers? [11:15] zigford: can you check if there's --enable-linker-build-id in gcc -v output? === ricab is now known as ricab|bbl [11:17] alas, it is not [11:19] zigford: right, so the PR that Chipaca linked makes snapd side of things support both GNU build id and Go build id (in case the first one is missing), but that won't be available in 2.39 until 39.1 (?) [11:20] zigford: meanwhile, maybe there's a use flag to enable build-id by default? this is enabled in configure of gcc [11:21] Yeah, I quickly checked that, but I think I might be able to find another ebuild package the enables it and just plagerize their work :) [11:21] So, there does not appear to be a use flag for GCC to enable it by default [11:21] thomascm: what do you mean? [11:22] Many thanks for your assistence in tracking down the issue, mborzecki [11:23] zigford: np, perhaps you could tweak CC/CFLAGS/LDFLAGS to add -Wl,--build-id=sha1 [11:24] chipaca: well there many bugs in launchpad, and I am not sure where to start, this is the first opensource project that I contribute to...usually someone is assigning me issues :P [11:24] Great idea. I'll post back here if I get it working [11:27] thomascm: I don't think we've been good at tracking "bitesize" bugs [11:27] we tried to start doing that but it didn't get momentum [11:27] thomascm: are you wanting to contribute to snapd, or to snapcraft? [11:36] pstolowski: what's the "dangerous" thing in the purge pr? [11:43] * Chipaca hugs pstolowski [11:43] pstolowski: 's good, just one mistake i think [11:43] Chipaca: thanks for catching! [11:43] Chipaca: snapd [11:44] thomascm: what do you know? what can you do? [11:54] Chipaca: hmm. i think i will simply pass bool there in the client (+options which will still be expected to be nil as before). don't see any nice way to check if anything-but-purge was passed [11:55] chipaca: sorry getting ready to leave for work. I can program in python, php, javascript, and new to golang ... I can handle most task, it just I don't have a lot of time, a few hours a week, so I rather start with smaller issues [11:58] PR snapcraft#2565 opened: requirements: update to requests-toolbelt 0.8.0 [12:11] mborzecki, hey [12:12] mborzecki, there is a problem on fedora 30 [12:12] mborzecki: fixed by adding a parm to go like so: go install --ldflags '-extldflags "-Wl,--build-id=sha1"' [12:12] I run the suite in a vm and after some tests it is out of space on disk [12:13] mborzecki, it is weird because du -h says we use 4.5 of 9 GB [12:13] mborzecki, I created a debug machine if you want to take a look [12:13] zigford: yup, that should work too [12:13] I am debugging this as well [12:14] cachio: can you point me to the log? [12:17] mborzecki, https://paste.ubuntu.com/p/ckqhnFxvFC/ [12:17] mborzecki, this is one from my machine [12:21] jdstrand / diddledan: Ping re: /dev/shm if you have the time 😊 → https://forum.snapcraft.io/t/proposal-add-dev-shm-namespace-to-all-snaps-by-default/5416/5?u=tobias [12:24] dot-tobias: have you tried the `browser-support` interface for the dev/shm access? [12:25] diddledan: Not yet, since I thought using this interfaces prevents publishing on the store without exceptions [12:25] you'll need to get approval for automatic connection of the interface if you need it [12:26] you can request the store admins to verify and approve/deny the automatic connection by posting in the store-requests category on the forum [12:30] dot-tobias: fwiw the snap you mention in your forum post seems like a browser so it doesn't seem unreasonable to provide browser-support to that snap [12:32] PR pc-amd64-gadget#10 closed: Add mmx64.efi (MokManager) to support mokutil [12:32] PR pc-amd64-gadget#11 closed: Add mmx64.efi (MokManager) to support mokutil [12:33] PR pc-amd64-gadget#10 opened: Add mmx64.efi (MokManager) to support mokutil [12:33] PR pc-amd64-gadget#11 opened: Add mmx64.efi (MokManager) to support mokutil [12:33] ijohnson: Yep, its a browser 😊 [12:34] diddledan: Ok, will try out locally with browser-support instead of preload + desktop launch first. I'm including this snap in a gadget and ran into issues with auto-installing chromium-mir-kiosk with browser-support interface before, but maybe that's resolved [12:35] yeah so requesting browser-support should be fine [12:35] since you're using a kiosk, you may have your snap flagged since it would be a daemon and also use browser-support, which is not automatically allowed but that should be approved eventually [12:37] diddledan / ijohnson: Just tested if browser-support resolves the shared memory error, but does not seem like it: Still getting “Failed to create shared memory file /WK2SharedMemory.3964029874: Permission denied” with browser-support interface connected for my snap. [12:38] dot-tobias: what is the apparmor denial for your snap when you try this? [12:39] ijohnson: For whatever reason there's no syslog on my Core test machine … Core 18 on PC gadget+kernel [12:40] can you get logs from `journalctl -e --no-pager | grep apparmor | grep DENIED [12:41] ijohnson: Yup: May 15 12:36:24 localhost kernel: audit: type=1400 audit(1557923784.977:691): apparmor="DENIED" operation="mknod" profile="snap.wpe-webkit-mir-kiosk.browser" name="/dev/shm/WK2SharedMemory.1479971001" pid=29142 comm="cog" requested_mask="c" denied_mask="c" fsuid=0 ouid=0 [12:42] dot-tobias: hmm that should be allowed: https://github.com/snapcore/snapd/blob/master/interfaces/builtin/browser_support.go#L228 [12:43] I assume your snap is a daemon because it's a kiosk, but just to clarify the wpe-webkit-mir-kiosk.browser app is a deamon right/ [12:43] ? [12:43] ijohnson: Correct [12:43] that's with sandbox [12:43] you either need to specify the sandbox on the interface or disable the webkit sandbox [12:43] ahh yes listen to diddledan [12:44] * ijohnson will be back in a bit [12:57] diddledan: I'm testing locally with allow-sandbox: true and running into a very stupid problem … how do I specify a list of plugs for an app where one is not a simple list entry but a dict (i.e. browser-support: \n allow-sandbox: true) [12:58] specifying interface options is a separate block to the `plugs` on an app: === ricab|bbl is now known as ricab [12:59] https://www.irccloud.com/pastebin/LFF8yqR4/ [13:01] cachio: standup? [13:01] Chipaca: sit down! [13:01] diddledan: dance! [13:02] Chipaca, OMW [13:02] boogy! [13:02] cachio: k [13:02] /o/ [13:02] \o\ [13:02] \o/ [13:02] /o\ [13:02] * Chipaca assigns bugs to diddledan [13:02] oh damn [13:07] diddledan: Thanks, works – the /dev/shm error is gone, but for whatever reason WPE can't find libraries that are definitely in the snap (and work fine when using snapcraft-preload + desktop-launch). Need to investigate this more . [13:09] re [13:11] * dot-tobias waves at zyga [13:15] cachio: there should be a few lines wrt that cycle, listing all the things in the cycle [13:15] cachio: can you pastebin the whole thing? [13:15] systemd will be always killing one of the units in the cycle to break it, but it picks one at random [13:16] Chipaca, https://paste.ubuntu.com/p/8p3xhCRZTH/ [13:16] Chipaca, random :s [13:16] that explains why it is happening randomly [13:18] cachio: so it's one of those four things [13:18] three, really, because one is a target [13:18] and two of them are google [13:18] so i guess it's just the one :-) [13:18] hehehe [13:18] suspect you need to talk with the cloud-init devs [13:18] cachio: this is only on fedora? [13:19] Chipaca, it is only on fedora 30 [13:19] maybe they have a "different" version of something [13:19] cachio: can you compare the unit files for those four things in fedora 30 vs 29, say? [13:19] Chipaca, yes [13:19] cachio: digo 30 vs 29 so they might be closer than 30 vs 19.04 [13:19] I'll check that [13:20] ok} [13:20] cachio: OTOH if you're seeing bug reports with this issue for ubuntus, maybe it's known and fixed in cloud-init and just needs updating on fedora [13:22] Chipaca, the issues reported are with the same error message but different root cause [13:22] cachio: aw [13:22] systemctl cat cloud-init [13:24] Chipaca, I'll review the open issues first and compare configuration with f29 and u19.04 [13:24] to see I can find the diff [13:24] k [13:42] pstolowski: OTOH wrt checking whether only Purge is set, go can compare "flat" structs directly, so just checking whether the struct was equal to the empty one or the empty one with just purge set would work [13:43] (and client.SnapOptions is "flat" in this sense) [13:44] hmm indeed [13:52] Chipaca: nah, doesn't work because of Users []string [13:52] o dang [13:53] well [13:53] you could embed the bools and compare that [13:53] but it gets silly [13:53] every other option is not allowed in multi [13:53] so just, go with that [13:53] we'll add support for multi sometime, and it'll be fine [13:53] but there's not a lot of demand so ¯\_(ツ)_/¯ [13:54] ok [13:57] pstolowski: maybe remove it from multiActionData also :) [13:58] oh yes! [13:59] ty [14:27] PR snapd#6871 opened: gadget: raw/bare strcuture writer and updater [14:29] only excuse i have is that tests make up ~70% of the whole thing [14:38] cachio: note #6618 is >this< close to a second +1, there's a suggestion from mvo that's hard to ignore [14:38] PR #6618: tests: validates snapd from ppa [14:40] Chipaca, yes, I'll update that PR today [14:41] thanks for the heads up [14:41] cachio: ping me when you do (and it's green) so we can land that [14:41] Chipaca, sure [14:42] * cachio lunch [14:51] ondra: ping [14:58] Chipaca hey [14:58] Chipaca what's up? [15:01] ondra: hey [15:01] ondra: looking at your PRs [15:01] ondra: in particular #6691 [15:01] PR #6691: boot: move ExtractKernelAssets [15:02] ondra: it looks abandoned [15:02] Chipaca no, I just need update test based on mvo's comment [15:02] Chipaca just did not find time yet :( [15:02] ondra: ah, ok, so i'll review it then [15:03] Chipaca actually review avahi one pls [15:03] Chipaca https://github.com/snapcore/snapd/pull/6325 [15:03] PR #6325: Allowing avahi-observer/control slots from app snap also on classic [15:03] ondra: it's got a needs-changes from jdstrand and conflicts [15:04] Chipaca yeah I did those [15:04] ondra: that means "stay away" in reviewese [15:04] Chipaca but it based on those changes it was bigger change, so it'd be good to have extra pair of eyes on it [15:04] Chipaca lol [15:05] ondra: i tried to look at your lk pr, and that looks interesting but it includs 6691 and is rather big to review in a single go [15:05] ondra: what's the status of #6327? [15:06] PR #6327: Allowing sockets under /run/user/0/$SNAP_NAME [15:09] Chipaca also more looking for time to rewrite it based on jdstrand comments, but that's last one on my priority list now [15:09] ondra: if it's a rewrite, would it be ok to close it? or is it not a rewrite in that sense [15:10] Chipaca not in that sense, still same idea, just a bit more clever implementation [15:10] ah well [15:10] * Chipaca goes on down the list [15:24] zyga: for per-user mounts is there something reviewable? [15:33] mborzecki: what should we do with #6708 ? [15:33] PR #6708: packaging/ubuntu: enable PIE hardening flags <⛔ Blocked> [15:40] #6734 could use a second review [15:40] PR #6734: advise-snap: add --dump-db which dumps the command database [18:04] Chipaca: I’m sorry for responding late [18:04] Not yet [18:04] Need to sit down tonight [18:30] zyga: no worries, asking only because i was going down the list