[01:43] <df00z> Hm, would it be an abuse of snap to try to package up libvirtd + qemu + virt-manager with snappy?  It can register services with systemctl and run as root, right?
[05:34] <mborzecki> morning
[05:44] <df00z> morning
[06:01] <zyga> Good morning
[06:01] <zyga> I will be around in a hour, need to get breakfast and take the dog out
[06:13] <mborzecki> zyga: so the dog is travelling with you too? :)
[06:19] <morphis93417> zyga, mborzecki: do you guys know if `snap save` is intended to show me all snapshots? I can see way more in /var/lib/snapd/snapshots than in `snap save`
[06:19] <mborzecki> morphis93417: snap saved?
[06:20] <morphis93417> ah
[06:20] <morphis93417> the output looks quite similar
[06:21] <morphis> just run into the issue that our CI system ran out of space because of the automatic snapshot creation on remove
[06:21] <morphis> 100GB of snapshots ...
[06:21] <mborzecki> morphis: i think you want snap remove --purge
[06:21] <mborzecki> morphis: though it's probably for 2.40
[06:22] <morphis> is there another way to purge or avoid the automatic snapshot?
[06:22] <mborzecki> morphis: i don't think so, but pstolowski|afk or Chipaca will know more
[06:24] <morphis> hm, that is unfortunate
[06:25] <mborzecki> morphis: looked throught the forum, you can set `snap set system snapshots.automatic.retention=no` that should stop snapshots from being created
[06:25] <morphis> mborzecki: looks like it doesn't for the creation on snap removal
[06:26] <mborzecki> morphis: https://forum.snapcraft.io/t/snapshots/9468 states 'Disabling automatic snapshots will not affect pre-existing automatically generated snapshots, only those generated by the removal of subsequent snaps.'
[06:27] <morphis> yeah read that
[06:27] <mborzecki> morphis: looks like you need to drop the old ones manually, but new ones should not be created
[06:29] <morphis> mborzecki: yeah, looks like that's it
[06:29] <df00z> Oh jeeze.   I get to the end of my package compile and it says linker version 2.3.3 isn't compatible with files in this app.
[06:29] <df00z> I dont want to\cant build this in an ubuntu 16.04 env
[06:30] <df00z> Not possible to move past that, right?
[06:30] <mborzecki> df00z: can you use a core18 base instead? that should be like 18.04 env
[06:31] <df00z> Ugh maybe but probably not.   Building something that needs up to date libs(qemu, libvirt)
[06:32] <df00z> The whole point of me trying to use this was to avoid managing /usr/local or something awful for a custom build
[06:32] <jamesh> df00z: it sounds like you've got snapcraft running in legacy mode.  Make sure you've got a "base:" key at the top level, set to "core" or "core18"
[06:32] <df00z> let me try it
[06:33] <jamesh> that will switch snapcraft over to building in a VM (for which you'll need to install Multipass) with appropriate libraries to match the base
[06:34] <df00z> weird I put base: core18, it worked, didnt try to start any kind of VM that I can see
[06:34] <df00z> I'm on 19.04
[06:35] <df00z> Unless it only does that with cleanbuild
[06:37] <zyga> Breakfast time
[06:37] <zyga> I will be back around 9-10. Once we pack and hit the road again
[06:37] <df00z> i gotta head to sleep.  i think it worked?  maybe coincidentally because 19.04 isn't using an incompatible linker?
[06:38] <mborzecki> df00z: afaik it's built in a clean environment, so perhaps you already have multipass, or it just spun up a lxd container
[06:39] <df00z> long term im probably going to have to build parts for the entire dependency chain...theres gotta be like 50 libs though
[06:40] <df00z> for now i only built gnutls as a part which ubuntu doesnt have an up to date release that is compatible in it's repo
[07:08] <zyga> I will be around shortly
[07:20] <pstolowski> morning
[07:22] <mborzecki> pstolowski: hey
[07:22] <pstolowski> morphis: hi, all clarified re automatic snapshots afaict? old ones need to be removed manually with snap forget
[08:24] <ackk> hi, anyone familiar with non-root users in snap?
[08:26] <mborzecki> ackk: non root users in snaps with services?
[08:27] <ackk> mborzecki, I mean the work for being able to use system users in the snap
[08:28] <mborzecki> ackk: there was a PR from jdstrand but I don't know where it stands at this point
[08:28] <ackk> mborzecki, right, I'm testing with a snapd built from there
[08:28] <zyga> re
[08:29] <zyga> finally all packed and on the road
[08:29] <ackk> mborzecki, I'm having a weird issue. I pass in the "daemon" user and I have a dir under $SNAP_COMMON that's owned by it (daemon:daemon). If I try to delete it from the app, it gets permission denied. that's understandable if I run it as root, but it happens also if I drop privileges to daemon:daemon
[08:29] <ackk> mborzecki, so I'm not sure how to handle that
[08:29] <zyga> it's hard to pack three kids and a dog
[08:29] <zyga> mborzecki: yeah, so there was a selinux denial
[08:30] <zyga> mborzecki: question: should a program that is selinux aware actively set the context of a file it creates?
[08:30] <ackk> zyga, is that like the wolf sheep cabbage problem? :)
[08:30] <mborzecki> ackk: maybe soemthing inside is now owned by daemon?
[08:30] <zyga> mborzecki: or should this be done from the policy side?
[08:30] <zyga> ackk: it's a OMG why did we agree to do this problem :)
[08:30] <zyga> ackk: driving across europe with our family, including a small baby
[08:30] <mborzecki> zyga: labels are inherited from parent, unless there's an automatic transition defined
[08:30] <zyga> mhm
[08:31] <ackk> mborzecki, not that I can see it, it's all daemon:daemon
[08:31] <zyga> mborzecki: I didn't look yet but I don't quite get it why the new .info file is any different from the exisiting .fstab or .mnt files
[08:31] <zyga> mborzecki: so I'll get to selinux shortly, I'll read your review first
[08:37] <Chipaca> zyga: also to spain?
[08:37] <zyga> Chipaca: yeah, we are approaching the coast now, south of france
[08:37] <zyga> from there just a short ride to Palamsos
[08:37] <zyga> Palamos
[08:38] <Chipaca> zyga: Palimpsest
[08:39] <zyga> Chipaca: looking at the car nav, seeing the destination being 4 hours away is surreal
[08:39] <zyga> Chipaca: normally I would say that is far away
[08:40] <zyga> Chipaca: but after the last few days that's nearly nothing and 4 hour trip is short and easy in comparison
[08:41] <Chipaca> zyga: I know that feeling
[08:41] <Chipaca> I remember getting up one morning, thinking "yeah, this morning we'll go get fuel, that's just … 3 hours south of here, we should make it back in time for tea, easy
[08:41] <Chipaca> "
[08:42] <zyga> *fuel*?
[08:42] <zyga> as in gasoline?
[08:43] <Chipaca> zyga: yes
[08:44] <Chipaca> zyga: we were in San Antonio Oeste, and the fuel on the other side of parallel 42 was 50% cheaper
[08:44] <Chipaca> or maybe more? don't remember exactly. Cheap enough to make it a no-brainer.
[08:44] <Chipaca> then the next day we did the trip again, this time to see seals and penguins and whales and stuff
[08:44] <zyga> wow, that's quite the story
[08:45] <Chipaca> zyga: patagonia resets your near/far scale in less than 24 hours :)
[08:45] <Chipaca> it's humbling and fantastic and awesome and stuff
[08:46] <Chipaca> (to be clear: argentine patagonia, which is mostly an arid peneplain of nothing but stout shrubs
[08:46] <Chipaca> )
[08:46] <zyga> passing some nuclear plant in france now
[08:46] <zyga> kids watched chernobyl a little
[08:47] <zyga> at first they way "is it real"
[08:47] <zyga> but now they just watch
[08:47] <Chipaca> zyga: is that the one where radiation sickness is contagious?
[08:48] <zyga> a-choo
[08:49] <zyga> lavender fields
[08:50] <Chipaca> #7028 and #7027 are simple enough and need a second review
[08:50] <Chipaca> (and if you've looked at the user agent pr you've already looked at these)
[08:51] <zyga> I'll look
[08:51] <zyga> ah great
[08:51] <zyga> that split out is nice and simple
[08:52] <Chipaca> yeah
[08:52] <Chipaca> kudos to james
[09:03] <Chipaca> pstolowski: one for you: https://forum.snapcraft.io/t/does-snap-refresh-trigger-the-disconnect-connect-hooks/11997?u=chipaca
[09:04] <pstolowski> Chipaca: ok
[09:05] <ackk> mborzecki, I have a minimal python script+snap which reproduces the issue. it seems it happens if I have subdirs of that dir, also owned by daemon:daemon
[09:06] <ackk> mborzecki, https://paste.ubuntu.com/p/kw8swvZS2m/
[09:06] <ackk> mborzecki, both that and with the last commented line in place of the plain os.rmtree fail
[09:07] <zyga> Chipaca: I left a review on the systemd PR that is more complex than my initial reaction
[09:07] <zyga> https://github.com/snapcore/snapd/pull/7028#pullrequestreview-253865824
[09:07] <zyga> IMO it is okay to merge but perhaps it'd be worth to look
[09:07] <zyga> ok, next one
[09:09] <zyga> Chipaca: do you know why we do this: https://github.com/snapcore/snapd/pull/7027/files#diff-98811fc63f73eed00da99c36c7326aabR72 ?
[09:10] <Chipaca> zyga: why would we pass true?
[09:11] <zyga> I don't understand why we'd pass either
[09:11] <zyga> do we need those after?
[09:11] <zyga> why is it relevant to not unset those variables?
[09:11] <Chipaca> zyga: the API call needs one or the other
[09:11] <Chipaca> I mean, it takes a boolean
[09:11] <Chipaca> choose one
[09:12] <Chipaca> it's a silly thing, just calls Unsetenv on the appropriate environment variables if it's true
[09:12] <Chipaca> which means you can't grab the sockets again
[09:12] <zyga> aha
[09:12] <zyga> and we want to have them again?
[09:12] <Chipaca> in tests, sure
[09:13] <Chipaca> outside of tests, no -- but we don't
[09:13] <zyga> ok
[09:15] <Chipaca> zyga: otoh if the environ leaks to anything we exec we might want to clear it
[09:15] <Chipaca> zyga: nothing is breaking today :-)
[09:16] <zyga> Chipaca: how about this? https://github.com/snapcore/snapd/pull/7027/files#diff-98811fc63f73eed00da99c36c7326aabR56
[09:16] <zyga> why 111?
[09:17] <Chipaca> zyga: given that 7028 is green, can we land it without the --no-block in the panic?
[09:17] <zyga> yep
[09:17] <zyga> https://github.com/snapcore/snapd/pull/7027#pullrequestreview-253874672 is +1
[09:18] <zyga> so both can land
[09:19] <mborzecki> ackk: maybe apparmor blocking this? nothing apparmor related in dmesg?
[09:19] <Chipaca> zyga: because we want the socket to be 0666
[09:20] <Chipaca> zyga: without having to chmod it after the fact
[09:23] <Chipaca> at some point we're going to have to use dynamic loading or something, to keep the snap command in check :-)
[09:23] <Chipaca> a bit like git foo → git-foo
[09:23] <Chipaca> especially for the long-running versions of things
[09:23] <zyga> why?
[09:24] <zyga> to keep them small?
[09:25] <Chipaca> zyga: yeah
[09:26] <Chipaca> zyga: having along-running snap command that has all the libs the snap command itself has seems strange
[09:26] <zyga> I wish go had a dynamlically linked "libc-of-go"
[09:26] <zyga> so that hello world was small
[09:26] <zyga> eh
[09:27] <ackk> mborzecki, I only get this error: https://paste.ubuntu.com/p/yX5N6xxRrj/
[09:27] <Chipaca> zyga: that should be doable, but i doubt it'd gain traction with the devs
[09:27] <zyga> ackk: looks like regular permissions are the problem
[09:27] <Chipaca> even simple dynamic loading is under-supported
[09:28] <ackk> zyga, wdym?
[09:28] <zyga> ackk: you get a denial for cap override
[09:28] <zyga> er
[09:28] <zyga> dac override
[09:28] <ackk> zyga, should I add that plug?
[09:29] <ackk> seems weird
[09:29] <mborzecki> ackk: that happens when acting as root on stuff that you wouldn't have access to given its permission bits & owner
[09:30] <zyga> ackk: I doubt so
[09:30] <zyga> (I would not add that plug)
[09:30] <zyga> ackk: what mborzecki said
[09:30] <ackk> one sec, trying now to remove as daemon user
[09:30] <zyga> the only reason root can access stuff it normally cannot access is because it has DAC override capability
[09:30] <zyga> but the profiles take that away
[09:31] <ackk> zyga, mborzecki I get the same error if I try to remove as daemon user
[09:31] <ackk> (iow after dropping privileges)
[09:34] <zyga> feeling a bit sick from looking at the screen
[09:34] <zyga> mborzecki: you were right
[09:34] <zyga> buth, only three hours left
[09:35] <zyga> so close now
[09:35] <mborzecki> zyga: hm?
[09:35] <zyga> mborzecki: looking down while moving
[09:35] <mborzecki> zyga: ah yeah ;)
[09:37] <mborzecki> so the image tool is using sfdisk now, though the script syntax is kind of ugly
[09:41] <mborzecki> ackk: apparmor denial this time too?
[09:41] <ackk> mborzecki, same
[09:47] <Chipaca> zyga: if it makes you sick, then STOP DOING IT
[09:47]  * Chipaca whacks zyga over the head with some large mythological fish
[09:48] <zyga> Chipaca: yeah, I try to look outside the window as much as I can
[09:49] <zyga> Chipaca: 3 hours 14 minutes left
[09:49] <Chipaca> popey: you around?
[09:49] <zyga> we'll break after passing montpellier but now lucy is sleeping so as much as we can push it
[09:49] <ackk> mborzecki, ah, it only works if the directory containing the one to delete is 0777
[09:49] <popey> Chipaca: for you, always
[09:49] <ackk> mborzecki, which poses a problem because I can't really change $SNAP_COMMON to be 777
[09:49] <Chipaca> popey: Wimpress: any way i should tag https://forum.snapcraft.io/t/getting-taskade-linux-app-featured/12005?u=chipaca so you guys are sure to notice it?
[09:49] <Chipaca> popey: <3
[09:50] <popey> i have seen it :)
[09:50] <Chipaca> popey: right, but if you hadn't?
[09:50] <Chipaca> (thanks for confirming)
[09:51] <Chipaca> we don't have an advocacy-requests category :-)
[09:53] <mborzecki> ackk: it shouldn't happen for test-dir/sub though
[09:53] <ackk> mborzecki, wdym?
[09:53] <ackk> mborzecki, if I os.chmod('test-dir', 0o777), then test-dir/sub can be removed, but to remove test-dir I'd need to chmod $SNAP_COMMON
[09:53] <mborzecki> ackk: i see you're using shutil.rmtree(test_dir), if you do shutil.rmtree(sub_dir) it should work
[09:53] <popey> i thought we had a snap-advocacy group
[09:54] <ackk> mborzecki, well, yes and no. in the real case that's a large tree of files/dir, I'd have to recursively chmod everything
[09:54] <mborzecki> ackk: ah, ok
[09:54] <popey> oh, we do @advocacy is us
[09:54] <ackk> mborzecki, also I'd have to remove everything inside the dir manually if I can't remove the whole dir
[09:54] <Chipaca> popey: so i should just say "yo @advocacy"?
[09:55] <ackk> mborzecki, in general, that's a problem, if you can create dirs and you can't remove them :)
[10:04] <popey> Chipaca: ya, i think that would work
[10:04] <Chipaca> popey: k
[10:11] <zyga> less than 3 hours left
[10:28] <zyga> Break time
[10:28] <Chipaca> zyga: https://www.youtube.com/watch?v=otCpCn0l4Wo
[10:29] <Chipaca> and it's ubuntu one all over again
[10:29]  * Chipaca takes a break also
[10:31]  * Chipaca lied
[11:02] <Chipaca> now yes, i'm off for a bit
[11:17] <petan> hello I would like to create a script that will release all stable versions of my software for all platforms (eg. set them to current head / latest build)
[11:17] <petan> how would I do that?
[11:17] <petan> if I know specific number I can do something like snapcraft release huggle 2146 stable
[11:18] <petan> but can I substitute the number 2146 with "whatever is latest"?
[11:18] <mborzecki> petan: i have a vague recollection of version script that can do that
[11:19] <mborzecki> petan: this is how snapd does that https://github.com/snapcore/snapd/blob/master/snapcraft.yaml#L11-L12
[11:26] <mborzecki> fun review if anyone's interested: https://github.com/snapcore/snapd/pull/7030
[11:27] <mborzecki> zyga: do you want me to look into the selinux denials you got?
[11:28] <zyga> mborzecki: if you know how to fix that quickly, sure, it will help a lot
[11:28] <zyga> Break is over, back to work
[11:36]  * zyga melts in the sun
[11:43] <mborzecki> pstolowski: what was the problem that triggered https://github.com/snapcore/snapd/pull/7029 ?
[11:45] <Gargoyle> How come this exists: https://snapcraft.io/sublime-text-bartixxx ? It makes the store confusing.
[11:53] <zyga> Gargoyle: indeed, I think it should be removed, perhaps popey has an opinion?
[11:54] <pstolowski> mborzecki: some kind of udev event is too big, i haven't seen this myself, i asked abeato for udevadm monitor output when this happens
[11:54] <mborzecki> pstolowski: was there a forum topic perhaps?
[11:56] <pstolowski> mborzecki: no, it was all discussed here and the bug report is the record of it
[11:57] <pstolowski> mborzecki: fwtw, $ getconf PAGE_SIZE
[11:57] <pstolowski> 4096
[11:57] <pstolowski> that's the value we effectively used
[11:58] <mborzecki> pstolowski: right, but it was increased in the loop with MSG_PEEK until the messag would fit
[11:58] <pstolowski> mborzecki: but the logic was bogus imho
[11:59] <pstolowski> mborzecki: mborzecki MSG_PEEK - This flag causes the receive operation to return data from the beginning of the receive queue without removing that data from the queue.  Thus, a subsequent receive call will return the same data.
[11:59] <abeato> pstolowski, mborzecki I've seen this happening on boot, when a lot of udev events accumulate
[11:59] <zyga> mborzecki: question
[11:59] <zyga> mborzecki: should I switch to error handler (as opposed to die)
[12:00] <zyga> mborzecki: so that I can write tests that don't have to fork to work?
[12:00] <zyga> mborzecki: gtest is pretty frustrating when you have to test code that die's at all errors
[12:00] <pstolowski> mborzecki: there is no mention for using it to probe buffer size; to my understanding it simply leaves the data in the queue but still errors out if buffer is too small, no?
[12:00] <mborzecki> pstolowski: yes, that's the point of MSG_PEEK :)
[12:00] <abeato> pstolowski, one interesting thing to note is that what systemd does is increasing the socket RECV size to 128MB - in general that is fine as you are only reseving a range virtual addresses in the end. Usually you do not use all
[12:03] <mborzecki> pstolowski: abeato: fwiw their actual buffer to which they receive stuff is 8k only
[12:04] <abeato> mborzecki, right, as long as they have buffer space in the kernel side, that's fine - probably there is not a single event thas is 8K
[12:05] <mborzecki> abeato: yup, so they use super careful 128MB on the kernel side, where events get buffered (althouhg never reach this size), while the usespace reads 8k at a time
[12:06] <abeato> mborzecki, that seems to be the case, yes
[12:06] <popey> zyga: sounds like a store question
[12:17] <jdstrand> ackk: I'm here if you want to talk about the daemon user. note there are a bunch of things at play here for file access: apparmor, seccomp, capabilities, traditional permissions
[12:17] <ackk> jdstrand, hi, so did you see the discussion from this morning?
[12:18] <ackk> jdstrand, basically for now I've worked it around by removing everything in the dir manually
[12:18] <jdstrand> ackk: so, if you create a directory, and chown it to daemon:daemon then the daemon user can use it, etc. *but* it can't delete the directory if the parent dir is say, 755 root:root and root can't delete the dir because it lacks dac_override
[12:19] <jdstrand> ackk: I intentionally left out dac_override since it grants way too much and the snap can be written to not need it
[12:20] <ackk> jdstrand, mhm so is there a way to go around it without having to manually clean dirs?
[12:20] <jdstrand> ackk: you probably want to create the directory 775 root:daemon
[12:20] <ackk> jdstrand, ah, interesting
[12:20] <ackk> jdstrand, we have some dirs that are the other way, daemon:root 775
[12:21] <jdstrand> ackk: that may work too. the files should be 664 as well if you want root to be able to clean them out
[12:22] <ackk> jdstrand, mhm, the problem is that we're talking about the postgres DATA_DIR, so I only create the root, then postgres (which runs as daemon.daemon) does the rest
[12:22] <zyga> mborzecki: did you see my question earlier
[12:22] <zyga> mborzecki: I'm unsure how to test this, I'm eager to proceed with error return and easy tests
[12:22] <zyga> mborzecki: and die in the caller
[12:23] <mborzecki> zyga: sounds ok to me
[12:23] <zyga> k
[12:27] <jdstrand> ackk: well, set it up however. I'm just saying you'll have the same issues with files if they are daemon:daemon and root tries to delete them because of how apparmor works
[12:27] <ackk> jdstrand, sigh also even if I set the dir to 775 postgres changes it back to 700 :(
[12:37] <jdstrand> ackk: ok, you should be able to work through the without patching anything
[12:38] <jdstrand> ackk: you create $SNAP_DATA/stuff root:daemon 770. then you create $SNAP_DATA/stuff/postgresdb 700 daemon:daemon
[12:39] <jdstrand> ackk: then postgres, running as 'daemon' can do whatever it wants in $SNAP_DATA/stuff/postgresdb
[12:39] <jdstrand> ackk: if for some reason you want to clean things out, daemon is able to delete $SNAP_DATA/stuff/postgresdb and below, and root can delete $SNAP_DATA/stuff
[12:44] <ackk> jdstrand, ah I see
[12:49] <jdstrand> ackk: with a bit of care, dac_override can pretty much always be avoided and when it is avoided, you know that the code got its priv separation right. in your case, postgres is doing fine and you're just wrapping it so it works, but I recall dhcpd having trouble getting this right in their code
[12:50] <jdstrand> ackk: where we have a profile for it. the deb packaging set up the dirs wrong assuming dhcpd would just clean things up when it started as root before it dropped
[12:51] <jdstrand> ackk: but then it didn't do that correctly for several releases (and it was funny cause you could see them trying because the behavior changed with each release), until finally they did
[12:52] <jdstrand> everything aligned and dac_override wasn't needed any more
[12:54] <jdstrand> (the same generally goes for dac_read_search)
[12:56] <jdstrand> ackk: thanks for bringing this up btw. I've added a todo to document this when documenting the feature (it is in the policy, but who reads that? ;)
[12:56] <ackk> jdstrand, thank you for the help
[12:59] <jdstrand> ackk: np
[13:01] <Chipaca> cachio: standup?
[13:11] <ackk> jdstrand, so it seems the only caveat is that if you create directories that are owned by a non root user directly under SNAP_DATA/SNAP_COMMON/etc you can't ever remove them anymore
[13:12] <jdstrand> ackk: that is possible, yes, but snap remove always can
[13:13] <jdstrand> which is why I want to document it
[13:14] <jdstrand> one could also plugs log-observe, but when people ask for auto-connection, it'll come up and we can direct them ("why does postgres need access to the system logs?")
[13:14] <ackk> jdstrand, yeah I meant from the point of view of a snap
[13:15] <ackk> jdstrand, log-observe doesn't make it work though
[13:15] <ackk> at least, in my test this morning
[13:15] <ackk> or, uhm
[13:15] <ackk> maybe I didn't test it right
[13:16] <ackk> jdstrand, btw, I filed a few bugs related to the confined snap work, any chance they could get fixed soon: https://bugs.launchpad.net/snapd/+bugs?field.tag=maas ?
[13:17] <jdstrand> the first two are known. I can look at the last two. I have a PR up that I can fold those into
[13:19] <ackk> jdstrand, awesome, thanks!
[13:21] <Chipaca> zyga: when you arrive somewhere stable, there are weird things in the forum i'd like you to look at
[13:22] <zyga> Ok
[13:22] <Chipaca> zyga: i've flagged you in them so i/you/we don't forget :-)
[13:23] <zyga> Perfect, thank you
[13:26]  * pstolowski lunch
[13:29] <mborzecki> zyga: ok, so figured out some of the tmpfs stuff, i don't think we can plug it nicely now, but otoh it's probably ok to allow s-c readlink there
[13:30] <mborzecki> zyga: still don't see how the changes trigger this behavior
[13:39] <Chipaca> cachio: how's validation of 2.39.3 going?
[13:39] <zyga> mborzecki: right?
[13:39] <zyga> mborzecki: it's another file
[13:39] <zyga> mborzecki: we have a few of those already
[13:40] <zyga> mborzecki: maybe it is because when snap-confine calls snap-update-ns some things magically change?
[13:40] <zyga> mborzecki: snap-confine no longer writes to that tmpfs, apart from making an empty file
[13:40] <zyga> mborzecki: once we have snap-bootstrap-ns this can move there (to go)
[13:40] <mborzecki> zyga: something funny is going on behind the scenes, tmpfs gets a tmpfs_t label, unless there's some transition, what happens is that a bunch of directories is labeled as tmpfs_t and maybe that's a problem
[13:42] <mborzecki> zyga: take a look at this: https://paste.ubuntu.com/p/Hmkrs3Yhxp/
[13:42] <mborzecki> zyga: see how /etc and /run are tmpfs_t in mount ns of the snap?
[13:42] <zyga> mborzecki: what should that directory type be?
[13:42] <zyga> mborzecki: the hierarchy in /run/snapd/ns is managed by snap-confine
[13:43] <cachio> Chipaca, I am reviewing the last log for i386
[13:43] <Chipaca> cachio: cool cool
[13:43] <cachio> and it should go to candidate
[13:43] <mborzecki> zyga: etc_t or var_run_t for /run
[13:43] <mborzecki> etc_t for /etc ofc
[13:43] <Chipaca> cachio: let me know when/if it's done so I can poke people about it please
[13:43] <cachio> Chipaca, sure
[13:43] <cachio> I am trying to reproduce an issue
[13:44] <mborzecki> zyga: i think it's an artifact of us setting up the mount ns, perhaps we should restore the labels (?) the auto transition doesn't work bc it's named or otherwise
[13:44] <zyga> mborzecki: so we don't mount a tmpfs ourselves there
[13:44] <zyga> mborzecki: but we do make a bind mount in /run/snapd/ns
[13:45] <zyga> mborzecki: and change the propagation mode of that mount
[13:45] <zyga> mborzecki: once I'm at home I will boot fedora and explore
[13:45] <zyga> mborzecki: I only have ubuntu on the go
[13:46] <mborzecki> zyga: we already allow s-u-n to poke tmpfs_t, so I'll push a patch that allows s-c to your branch
[13:46] <zyga> thanks!
[13:46] <zyga> I'm adding tests now
[13:46] <mborzecki> zyga: and we can investigate later, as i suspect it'll take more work
[13:47] <zyga> yeah, I think so
[13:53] <Chipaca> popey: do we know any kde devs that hang around the forum? https://forum.snapcraft.io/t/bug-on-web-page-https-forum-snapcraft-io/12013?u=chipaca
[13:55] <popey> Chipaca:  sitter is on the forum.
[13:56] <Chipaca> popey: ta
[13:57]  * Chipaca tagged them in the post
[13:57]  * Chipaca goes to get a cuppa tea, and maybe some cake
[13:58] <mborzecki> zyga: this is what ends up with tmpfs_t label https://paste.ubuntu.com/p/fvnh98t27k/
[13:59] <mborzecki> zyga: oh and pushed a patch to your branch, please fetch before pushing
[13:59] <zyga> mborzecki: looking
[13:59] <zyga> mborzecki: sure, no force push!
[13:59] <ijohnson> hey folks, I'm trying to seed a classic image with a gadget snap and not use a brand store, but on boot/seeding snapd seems to think it needs to get a serial from the public store: https://pastebin.canonical.com/p/fCpRXvDcbV/
[14:00] <ijohnson> snapd seems to work fine otherwise, I can install snaps and such and even login with `snap login`, but I'm just wondering if there's a way to turn off this behavior where it tries to get a serial
[14:01] <zyga> ijohnson: I think that is unsupported
[14:01] <zyga> you must use a vault to use a custom gadget
[14:02] <zyga> ijohnson: it will go to the store to get a serial
[14:02] <ijohnson> zyga: hmm that's not great
[14:02] <zyga> ijohnson: but the public store only gives serials to canonical models
[14:03] <zyga> ijohnson: it is part of the design, it is unreasonable for one brand to sign serials of another
[14:03] <ijohnson> zyga: the use case here is building a local gadget snap that exposes slots so that we can use a strictly defined snap with gpio pins and such
[14:03] <ijohnson> right that's fine I don't want it to get a serial
[14:03] <Chipaca> ijohnson: everybody gets a serial tho
[14:03] <zyga> ijohnson: that's a separate concern
[14:03] <zyga> ijohnson: serial assertion is a part of the flow
[14:03] <zyga> you will hit other issues this way
[14:04] <ijohnson> hmm so what would your recommendation be for getting slots and auto-connection rules via a gadget on a classic image that is not connected to a brand store?
[14:04] <ijohnson> how necessary is it that everyone gets a serial?
[14:04] <zyga> ijohnson: don't do that?
[14:04] <zyga> ijohnson: very
[14:04] <ijohnson> :-(
[14:04] <zyga> ijohnson: what is the motivation for slots and gadgets on classic?
[14:04] <zyga> ijohnson: can you tell us more about that
[14:05] <ogra> i must admit that i have never seen any issues caused by missing serials on my dev images
[14:05]  * cachio afk
[14:05] <ijohnson> to use a strictly confined snap that needs to use gpio ports
[14:05] <zyga> ijohnson: can we make gpio hot-pluggable
[14:05] <zyga> so that you don't need classic gadgets at all
[14:05] <ogra> zyga, gpio, i2c, spi all come from the gadget, not core
[14:05] <zyga> ogra: I know, but now we have a better method for at least some of those
[14:05] <ijohnson> we convince folks to make their device snaps strict, then we don't provide a way to use those snaps on classic without a gadget
[14:06] <ogra> if hotplug works for that that would indeed be awesome
[14:06] <zyga> ogra: the basics work, it is now per-interface to expand them
[14:06] <Chipaca> mborzecki: 'basename', one word, is already a unix command
[14:06] <Chipaca> mborzecki: we have things that are bases
[14:06] <Chipaca> mborzecki: 'base name', therefore, would be the name of the base
[14:06] <Chipaca> --base-name=core18
[14:06] <Chipaca> mborzecki: probably not what we want
[14:07] <ijohnson> zyga: I think hotplug gpio is orthogonal to this
[14:07] <ijohnson> zyga: my larger concern is about how we can get folks to use these strict device specific snaps without telling they always need to be on core or have a brand store
[14:07] <zyga> ijohnson: I disagree,
[14:07] <zyga> ijohnson: classic gadgets are well defined
[14:07] <mborzecki> Chipaca: right, sounds fishy when you put it like this, Basename like you had it is probably ok then
[14:07] <zyga> ijohnson: use of gadgets for slots is a special case
[14:07] <zyga> because we lacked hotplug support
[14:08] <ijohnson> but gpio ports aren't fundamentally "hotpluggable" so it seems confusing to me
[14:08] <Chipaca> mborzecki: to be fair I'd already written a comment agreeing with you when it struck me :-)
[14:08] <mborzecki> Chipaca: hahah ;)
[14:09]  * zyga just crossed the border
[14:09] <zyga> finally not roaming anymore :)
[14:09] <zyga> wooot
[14:09] <zyga> ijohnson: sorry, lost some messages
[14:09] <zyga> ijohnson: hotplug is the confusing word
[14:09] <zyga> ijohnson: the real meaning is dynamically discovered vs statically declared
[14:10] <zyga> ijohnson: we got away with many slots being statically declared because they were not representing specific hardware but certain concepts
[14:10] <jdstrand> roadmr: hi! can you pull 20190625-1410UTC ?
[14:10] <roadmr> jdstrand: hello :) sure
[14:10] <zyga> ijohnson: GPIO pins are not like that, they are hardware and you can actually discover them (even by reading dbts)
[14:11] <zyga> ijohnson: so now that snapd has a method of dynamically adding and removing slots that represent hardware
[14:11] <zyga> ijohnson: we should strive to make more hardware compatible with that system
[14:11] <ijohnson> zyga: hmm so that all makes sense is the plan to make all device interfaces (i2c, gpio, etc.) dynamically discoverable then?
[14:11] <zyga> ijohnson: I think so
[14:11] <zyga> ijohnson: to the extent that is feasable
[14:12] <zyga> ijohnson: primarily because linux already handles that
[14:12] <zyga> ijohnson: it handles the custom ways to convey what the hardware is
[14:12] <zyga> ijohnson: so that userspace doesn't have to worry and do it again
[14:13] <ijohnson> right that's great but what to do in the meantime until that's done?
[14:13] <zyga> ijohnson: fix it, walk towards the solution
[14:13] <ogra> whistle and pretend it is already there ?
[14:13] <zyga> ijohnson: would be worth checking how hard it is to handle gpio's this way
[14:14] <ijohnson> ... so on a sacle from my device will start on fire to some failed changes in `snap changes` for the first 2 weeks that a device is running, just how bad of an idea is it to not have a serial
[14:14] <zyga> ijohnson: pstolowski can offer suggestions I'm sure
[14:15] <ijohnson> s/sacle/scale/
[14:15] <zyga> ijohnson: I suspect pretty low, but that will change over time
[14:15] <zyga> ijohnson: so while it might work now
[14:15] <zyga> ijohnson: I would not recommend that as a general solution
[14:15] <ogra> well, currently it is the nly solution to achieve what he wants
[14:15] <ogra> *only
[14:15] <ijohnson> okay so that handles my first concern which was connection of slots
[14:15] <ijohnson> there still remains the question of auto-connection to certain snaps
[14:16] <zyga> ijohnson: yeah, that will require a gadget
[14:16] <ijohnson> auto-connection of slots to certain snaps
[14:16] <zyga> ijohnson: and a brand and a vault
[14:16] <zyga> ijohnson: I would love if we could host a vault for experimenters
[14:16] <zyga> ijohnson: with self-provisioning
[14:16]  * ijohnson thinks that there should be a way for someone building their own image to support this
[14:16] <zyga> but we're not there yet
[14:16] <zyga> yeah
[14:17] <zyga> it's just not done yet
[14:17] <ogra> does connections: in gadget.yaml not work ?
[14:17] <ijohnson> ogra that's what I want to do
[14:17] <zyga> yeah, that should work
[14:17] <ogra> right
[14:17] <ijohnson> (and am currently doing in a "sideloaded" gadget)
[14:17] <zyga> hmmm
[14:17] <zyga> that may not work
[14:18] <ogra> i guess you eventually need to use ubuntu-image then
[14:18] <zyga> but double check the source please
[14:18] <ijohnson> any pointers to where I should check?
[14:18] <ogra> to have all the bits and pieces correctly set up
[14:18] <ogra> abeato, did you have a howto for ubuntu-image for classic images ?
[14:18] <ijohnson> ogra: I have KyleN's doc
[14:19] <ogra> that might be derived from his
[14:19] <zyga> ijohnson: look at snapd's gadget code, grep for "connections" in overlord
[14:19] <abeato> ogra, yeah, that is the one - there is an older one from Gary too
[14:19] <ijohnson> zyga: thanks
[14:21] <zyga> ijohnson: in my argument I was trying to not be against useful features but against making temporary workarounds for missing features, actual features
[14:22] <zyga> ijohnson: I realize there are holes in our device bring-up story
[14:22] <ogra> heh
[14:22] <ogra> canyons ...
[14:23] <ijohnson> yeah no problem I understand there's missing things
[14:29] <zyga> I'll break until we arrive
[15:13] <roadmr> jdstrand: hey so... there's no such tag in the current review-tools repo ;( did you forget to push maybe?
[15:13] <jdstrand> roadmr: oh, I did. sorry
[15:13] <roadmr> :)
[15:14] <jdstrand> roadmr: done
[15:14] <roadmr> thanks! trying again
[15:14] <jdstrand> roadmr: I pushed the code days ago and not the tag
[15:14] <jdstrand> (I created the tag today)
[15:16] <roadmr> tags are like that :)
[15:31] <popey> ogra: i was mistaken! Your qemu-virgil snap doesn't work with kvm either!
[15:31] <popey> https://www.irccloud.com/pastebin/n71Ch7Yu/
[15:32] <Chipaca> popey: it's all lies! all of it!
[15:32] <Chipaca> popey: even the turtles!
[15:37] <ondra> Chipaca ping
[15:41] <Chipaca> ondra: poit
[15:41] <ondra> Chipaca just checking if it's known that on core18 bash completion is not working. Did we drop support for bash completion on core18?
[15:41] <Chipaca> ondra: we did not
[15:41] <Chipaca> ondra: when you say 'on core18', what do you mean?
[15:42] <ondra> Chipaca when you boot core18 device and shh into it, there is no bash completion for snap command
[15:42] <Chipaca> hm
[15:42] <Chipaca> ah, for snap itself? hm
[15:42] <Chipaca> ondra: and for snapped apps?
[15:42] <ondra> Chipaca it's not biggie, yeah for snap itself
[15:42] <ondra> Chipaca I did not test actual snap apps
[15:42] <Chipaca> ondra: the 'http' snap is a little snap that has minimal bash completion
[15:43] <Chipaca> ondra: http --<tab> should give you useful options
[15:44] <ogra> popey, hmm,  does sudo'ing work ?
[15:44] <ondra> Chipaca yeah I think it's broken also for snap apps
[15:44] <popey> no
[15:45] <popey> I will come back to this another day, don't worry
[15:45] <Chipaca> ondra: and if you install the 'core' snap, does it fix itself?
[15:45] <ondra> Chipaca core is also installed there
[15:45] <Chipaca> ah
[15:45] <Chipaca> hm
[15:46] <ondra> Chipaca and does not work without core either
[15:46] <Chipaca> ondra: I'll make a note, and discuss with m vo next week (or maybe on thursday if it's not crazy hectic)
[15:46] <Chipaca> as it's not clear to me who's forgotten to do which bit of integration :-)
[15:46] <ondra> Chipaca sure, it's state for some time, so I can't image it's supper critical
[15:46] <ogra> popey, works here ...
[15:46] <Chipaca> ondra: but, quick checks: is /usr/share/bash-completion/bash_completion there in core18?
[15:46] <ogra> ogra@acheron:~$ qemu-virgil --enable-kvm
[15:46] <ogra> Gtk-Message: Failed to load module "unity-gtk-module"
[15:46] <ogra> Gtk-Message: Failed to load module "canberra-gtk-module"
[15:46] <ogra> Gtk-Message: Failed to load module "canberra-gtk-module"
[15:47] <ogra> at that point i have a window up probing bios stuff
[15:47] <ondra> Chipaca it was probably forgotten in core18 rush for the door days
[15:47] <ondra> Chipaca no but there is /usr/share/bash-completion/completions/
[15:48] <Chipaca> ondra: yeah those are useless without the main thing
[15:48] <Chipaca> :-/
[15:48] <Chipaca> sil2100: OHAI
[15:48] <Chipaca> sil2100: are bugs in core18 a 'you' thing?
[15:48] <ogra> sil2100, run !
[15:48] <ackk> ondra, maybe related to https://github.com/snapcore/core18/issues/89 ?
[15:49] <Chipaca> heh, indeed, that's not fixed yet is it
[15:49] <Chipaca> :-(
[15:49] <Chipaca> ondra: https://bugs.launchpad.net/snappy/+bug/1825254
[15:49] <popey> ogra: are you in the kvm group?
[15:50] <Chipaca> ondra: I thought that one was fixed, I should have started there
[15:50] <ogra> popey, yep and i'm on 16.04
[15:50] <popey> hm
[15:50] <ogra> not sure if tat makes a difference
[15:50] <ogra> *that
[15:50] <popey> i am not, and if i add myself it doesn't show in groups
[15:50] <ogra> re-logged in ?
[15:50] <ogra> shows defiitely in "groups" output for me on 16.04
[15:51] <popey> no, avoiding re-logging in, but tried starting a new bash and newgrp
[15:51] <popey> I'll reboot
[15:52] <ogra> perhaps 18.04 has a new way of managing access to kvm ... not sure
[15:52] <ogra> (udev-acl or whatnot)
[15:53] <ogra> in 16.04 the group stuff works if you have qemu-system-common installed (that ships the udev rule enabling the kvm group access to /dev/kvm)
[15:54]  * ogra reads mail and humps Wimpress' leg !
[15:54] <ogra> *woof*
[15:54]  * Chipaca steps away from ogra 
[15:55] <ogra> lol
[16:05] <ondra> Chipaca yeah this seems like same bug
[16:05] <Chipaca> ondra: yeap
[16:05]  * Chipaca ⇝ afk (fetching car from the mechanic)
[16:05] <ackk> ondra, fwiw it works for me when I also have "core" installed. but my case is a --classic snap, so maybe it's different
[16:06] <ondra> ackk yeah I'm UC18 system
[16:11] <popey> ogra: rebooted, still doesn't work on 18.04
[16:11] <ogra> very weird
[16:12]  * popey uninstalls things and starts again :)
[16:12] <ogra> i'm pretty sure my virgil even defaults to usekvm
[16:12] <popey> \o/ success
[16:12] <ogra> oh ??
[16:13] <ogra> how that ?
[16:16] <zyga> re
[16:16] <zyga> soooo happy to not be in a car now
[16:17] <zyga> I'll do my best to get back to speed
[16:49] <Chipaca> zyga: welcome to the world of people that aren't in cars!
[16:50] <Chipaca> zyga: i thought i had two forum topics for you but the guy in the first one hasn't responded yet (probably in a different tz), so it's just the one
[16:50] <Chipaca> zyga: no the other one
[16:50] <Chipaca> :-p
[16:50] <zyga> I started looking at the kail linux one now
[16:51] <Chipaca> zyga: right, guy didn't respond but sure :-)
[16:51] <Chipaca> zyga: the one linked from there, sil's one, is the one i meant had a bit more info
[16:51] <Chipaca> zyga: but ¯\_(ツ)_/¯
[16:51] <Chipaca> anyway, i should go see a barber about dinner
[16:52] <Chipaca> or maybe separately, see a barber, and see about dinner
[17:07] <zyga> I'm enjoying the non-moving landscape
[17:08] <zyga> my head is dizzy as if I just got off a carousel
[17:27] <zyga> I’ll look for some food
[17:27] <zyga> Then catch up with PRs
[17:39] <jdstrand> fnordahl: hey, I finally responded to the fuse question. sorry it took so long. It came in before the snapcraft summit then slipped of my radar for a bit
[18:04]  * Wimpress wipes leg clean
[18:04] <Wimpress> You're welcome ogra 😁
[18:13] <jdstrand> ogra: fyi, https://github.com/snapcore/snapd/pull/7019/commits/62d5e064fbd3b62445f03b953b37a0518886d5ad
[18:19] <zyga> Zzzz
[18:42] <diddledan> popey: to acquire new group assignments without re-logging-in or rebooting there is a command you can run in the terminal `newgrp` which will set that terminal session with the new assignment
[18:42] <diddledan> you run it e.g. `newgrp kvm`
[18:42] <diddledan> or just `newgrp` by the looks
[19:09] <ogra> jdstrand, awesome !
[21:18] <popey> diddledan: that didnt work, i had to reboot
[21:54] <popey> ogra: ok, I get qemu launching, but with the various gl options, it segfaults with apparmor failing to get to /home/alan/.cache/mesa_shader_cache/index
[21:54] <popey> I guess that's a hard-wired path somewhere
[21:58] <popey> i reckon I can coerce that with MESA_GLSL_CACHE_DIR
[23:25]  * diddledan wonders what popey is cooking-up with qemu and opengl
[23:37] <ogra> popey, hmm, with qemu-virgil or with your implementation ?
[23:37] <popey> currently with mine
[23:38] <popey> but I ported yours to core18
[23:38] <ogra> oh, neat
[23:38] <popey> got it working, had to remove -soundhw ac97 as that was segfaulting
[23:38] <ogra> yeah, sound is still on my list to look at
[23:38] <ogra> there is some env var magic to make pulseaudio work