/srv/irclogs.ubuntu.com/2019/06/26/#snappy.txt

=== harrisj_ is now known as harrisj
[04:22] <df00z> Is multipass based on anything, like lxd, or is it its own thing entirely?
[04:34] <jamesh> df00z: it is a frontend for various virtualisation systems.  On Linux, it will generally create kvm/qemu VMs
[04:34] <df00z> On ubuntu for snap?  I don't have qemu or kvm installed
[04:34] <df00z> it seems to be launching some sort of container though
[04:35] <jamesh> it launches a VM
[04:35] <jamesh> kvm is the kernel support for virtualisation
[04:35] <df00z> oh so it'll integrate with KVM directly, don't need qemu?
[04:36] <df00z> it seems like a weird black box is all
[04:36] <jamesh> most KVM based virtualisation systems use qemu
[04:36] <jamesh> you need more than just a virtual CPU to run a VM
[04:36] <df00z> when you use base: core18 in a snapcraft yaml file though it uses multipass, i don't have qemu installed
[04:36] <df00z> i don't know how it's launching a vm though i see it is
[04:37] <df00z> unless they built qemu into the snapcraft snap, very well they could have
[04:38] <jamesh> there is a copy of qemu in the multipass snap
[04:41] <df00z> ah-ha, cool.
[04:49] <df00z> I'm actually trying to build a snappy for qemu + libvirt, wondering if i am going to have to use classic security
[04:51] <df00z> confinement
[04:53] <df00z> that whole steam\wine debacle with ubuntu, couldn't they just release it with snapcraft
[04:54] <df00z> other distros support multiarch, and snap
[05:17] <mborzecki> morning
[05:36] <mborzecki> super simple PR: https://github.com/snapcore/snapd/pull/7034
[05:46] <mborzecki> got a quick errand to run, bbiab
[05:49] <jamesh> df00z: there is a kvm interface that should let a strict confined snap use virtualisation.  I don't know whether that will be enough for what you want to do or not though.  Probably the best way forward is to create a strict confinement snap, install in devmode (which turns access denials into warnings) and check the logs
[06:11] <zyga> Good morning
[06:36] <mborzecki> re
[06:36] <mborzecki> zyga: hey, already in spain? is it colder than back here? :)
[07:03] <fnordahl> jdstrand: no worries, I was aware of the summit and figured you got busy.  Thx for the response, I'll propose a PR for the fstype thing.  I would be interested in a ``fuse-control`` interface, not quite sure where to start though.
=== pstolowski|afk is now known as pstolowski
[07:08] <pstolowski> mornings
[07:10] <zyga> Hey Paweł
[07:11] <mborzecki> pstolowski: heya
[07:11] <zyga> mborzecki: yeah, it is colder
[07:11] <zyga> I’m just taking the dog out, sorry for the late start
[07:17] <zyga> Last night I slept for 10 hours or more
[07:17] <zyga> Just felt so tired
[07:41] <zyga> re
[07:41] <zyga> finally working
[07:48] <zyga> I'm using some open wifi I found here, feels dirty
[07:48] <zyga> like finding a rj45 port in the public bathroom and connecting to it
[07:52] <mborzecki> zyga: remember about protection
[08:03] <zyga> brb
[08:36] <zyga> re
[09:07] <Chipaca> did I accidentally wake up in a world that is just as strange but more dystopian?
[09:08] <zyga> Chipaca: what happened?
[09:09] <Chipaca> zyga: it probably involves purple giraffes
[09:09] <zyga> whaat?
[09:28] <mborzecki> zyga: do you know if there are any ubuntu specific apparmor patches for samba too?
[09:28] <zyga> mborzecki: I don't know, let me look quickly
[09:29] <zyga> mborzecki: nope
[09:29] <mborzecki> Chipaca: do the giraffes move their heads to follow the mouse cursor?
[09:29] <zyga> mborzecki: nothing related to apparmor in any of the patches
[09:30] <mborzecki> zyga: thanks, idk if you've seen https://forum.snapcraft.io/t/manjaro-apparmor-kernel-patches-create-issues-with-smbd/12024
[09:31] <zyga> mborzecki: that's what I mentioned yesterday, I was expecting this post to be published
[09:31] <zyga> mborzecki: what I find possible is that on debian samba is not confined
[09:31] <mborzecki> zyga: mhm
[09:31] <zyga> not sure where the profile is coming from on manjaro
[09:32] <mborzecki> zyga: it's from the aa package, i have it too i believe
[09:32] <zyga> I don't have those
[09:32] <mborzecki> zyga: yup, it's there, idk why it's just called 'smbd' in aa-status output though
[09:34] <zyga> mborzecki: smbd because that's the executable name
[09:35] <mborzecki> zyga: i expected /usr/sbin/smbd or usr.sbin.smbd, unless it magically matches when a binary smbd is executed from whatever location
[09:36] <zyga> ah, I understand what you meant now
[09:36] <zyga> not sure
[09:59] <mborzecki> 34C in shade :/
[10:12] * Chipaca laughs in 17C
[10:16] <Chipaca> jamesh: thank you for #7036 !
[10:17] <jamesh> Chipaca: no problem.  It's nice when PRs have more minuses than pluses
[10:17] <Chipaca> yuss
[10:17] <mborzecki> need 2nd +1 on this thing to unblock master and jdstrand's PRs: https://github.com/snapcore/snapd/pull/7034
[10:17] <Chipaca> jamesh: I'm proud to be friends with this guy: https://mobile.twitter.com/perrito666/status/1143659952793370624
[10:18] <Chipaca> mborzecki: looking
[10:18] <Chipaca> mborzecki: io_uring sounds nephrological
[10:18] <mborzecki> Chipaca: > I am going full Marie Kondo on this code.
[10:18] <mborzecki> Chipaca: well, it's upstream's doing :)
[10:19] <mborzecki> Chipaca: fwiw there's liburing too
[10:19] <Chipaca> is it uring-complete
[10:19] <Chipaca> sorry i had to
[10:19] <jamesh> Chipaca: but are those 186 lines really necessary?
[10:20] <Chipaca> jamesh: wc -l /usr/share/common-licenses/* says … maybe
[10:20] <Chipaca> jamesh: anyway the question should be 'do they bring joy', surely
[10:20] <Chipaca> or is it spark joy
[10:23] <pstolowski> mborzecki: 7030 +1 with a suggestion
[10:34] <zyga> mborzecki: 30C here but the sea makes it nicer
[10:37] * zyga reviewed https://github.com/snapcore/snapd/pull/7032/files
[10:44] * pstolowski lunch
[10:45] * zyga coffee
[10:52] <zyga> actually getting up to get the coffee now
[10:53] <mborzecki> zyga: https://forum.snapcraft.io/t/manjaro-apparmor-kernel-patches-create-issues-with-smbd/12024/5 dbus & AA blocking samba?
[10:56] <Chipaca> jamesh: if you're still around, can you merge master (or rebase, your call) so it doesn't fall over the missing syscalls?
[10:56] <Chipaca> jamesh: if you're not around I'll merge master myself
[10:57] <Chipaca> I mean into 7036 fwiw
[10:58] <zyga> back
[10:59] <zyga> mborzecki: looking at sfdisk patches
[10:59] <zyga> *patches
[11:13] <jdstrand> fnordahl: I have it on my list to create. at what priority do you need it?
[11:17] <zyga> jdstrand: hello
[11:18] <zyga> mborzecki: hot, isn't it?
[11:18] <fnordahl> jdstrand: that's great!  I suspect the main consumer of the snap will be a charm, so installing it in devmode will be hidden from the end user for now.  It would be great to be able to have a good end user cli experience without --devmode at some point though.
[11:19] <mborzecki> zyga: it's so hot the dogs don't care when i open a fridge anymore
[11:20] <zyga> hot dogs? :D
[11:20] <mborzecki> heh
[11:27] <jdstrand> mborzecki, zyga: I commented in the manjaro/smbd topic
[11:28] <zyga> mmm
[11:29] <zyga> thanks, that is very reasonable advice
[11:30] <jdstrand> mborzecki: also, https://github.com/snapcore/snapd/pull/7034/files#r297615888
[11:31] <jdstrand> fnordahl: ok, based on that feedback, it'll stay on the list for 2.41
[11:32] <jdstrand> zyga, mborzecki: whoops, I fixed a typo just now s/before it can be used in complain mode/before it can be used in enforce mode/
[11:32] <fnordahl> jdstrand: sweet, do not hesitate to reach out if you need a hand for testing or more information
[11:33] <jdstrand> man that had a bunch of typos :\
[11:33] * jdstrand fixed
[11:44] <mborzecki> jdstrand_: thanks for the suggestion, https://github.com/snapcore/snapd/pull/7037
[11:44] <zyga> mborzecki: https://github.com/snapcore/snapd/pull/7030#pullrequestreview-254541735
[11:45] <zyga> more reviews ahead
[11:45] <jdstrand_> mborzecki: thanks! approved
=== jdstrand_ is now known as jdstrand
[11:46] <mborzecki> jdstrand: fwiw, now we know that the test works :P
[11:47] <mborzecki> zyga: i'll double check without the `device :` bit, last time i tried it manually sfdisk failed (or segfaulted for that matter), but it's quite wonky in general so the reason might have been something else
[11:48] <mborzecki> zyga: a nice example, a partition like this makes sfdisk segfault: `1 : start=2048, size=2048, type=21686148-6449-6E6F-744E-656564454649, name="BIOS Boot"foobar` xD
[11:49] <zyga> mborzecki: really? I used it a few times without any issues
[11:49] <zyga> so... hot...
[11:49] <mborzecki> zyga: notice how `name="BIOS Boot"foobar` is formatted
[11:49] <zyga> ah
[11:49] <zyga> I see
[11:49] <zyga> well
[11:49] <zyga> C
[11:49] <mborzecki> or not C
[11:49] <zyga> lack of good parser libs
[11:50] <jdstrand> mborzecki: so, remind me, that list now has the io_uring syscalls, but no released libseccomp has them. why isn't something more needed?
[11:50] <mborzecki> jdstrand: we just track which syscalls libseccomp (upstream) knows of, so that we can interrogate the host lib
[11:51] <mborzecki> jdstrand: it's part of the shenanigans for snap-seccomp recompiling bpf when a profile or the local libseccomp got changed
[11:53] <jdstrand> mborzecki: right, versioninfo. but, libseccomp *didn't* change. just syscalls.SeccompSyscalls
[11:53] <jdstrand> (libseccomp as linked into snap-seccomp that is)
[11:53] <mborzecki> jdstrand: yup, that's correct
[11:54] <jdstrand> mborzecki: so we are going to get a recompile, but for no reason afaict. I'm trying to understand/remember what is achieved here
[11:56] <mborzecki> jdstrand: it's just for the purpose of knowing what syscalls to ask the host lib for, in case that's changed we know that the lib has changed, even though x.y.z version reported by the lib is the same
[11:56] <mborzecki> jdstrand: as in case of distro patches, bc libseccomp releases are infrequent
[11:57] <jdstrand> I think I forgot about the mechanism for 'ask the host lib for'
[11:58] * jdstrand reads
[11:58] <mborzecki> jdstrand: oh, and snap-seccomp from core is statically linked iirc, but fedora/arch/suse are not
[12:00] <jdstrand> mborzecki: ok, duh. I forgot that versionInfo() iterates over the list and tries seccomp.GetSyscallFromName. ok, it all makes perfect sense (again)
[12:00] <jdstrand> mborzecki: thanks!
[12:00] <mborzecki> jdstrand: yw
[12:03] <zyga> jdstrand: hey, could you please look at https://github.com/snapcore/snapd/pull/7026 -- it's a priority for LXD team
[12:04] <zyga> jdstrand: I'll iterate through existing comments
[12:07] <mborzecki> zyga: updated the sfdisk PR
[12:08] <zyga> great, let's see
[12:08] <jdstrand> zyga: ack
[12:08] <zyga> looks great, thanks
=== ricab is now known as ricab|lunch
[12:17] <zyga> Chipaca: https://github.com/snapcore/snapd/pull/7025#pullrequestreview-254570960
[12:20] <pstolowski> re
[12:30] <zyga> jdstrand: https://github.com/snapcore/snapd/pull/7019#pullrequestreview-254577278
[12:36] <Chipaca> zyga: yeah it's tempting but no
[12:39] <valentind> Is there a way to enable full confinement on Debian? It says I have only devmode.
[12:39] <zyga> valentind: hello
[12:39] <valentind> Hello
[12:39] <zyga> valentind: not at present, I have this on my scope to fix for the next release
[12:40] <zyga> I was just reading the freedesktop thread about this btw
[12:40] <zyga> valentind: where full confinement is not really a thing we can enable,
[12:40] <zyga> valentind: but we will enable more confinement than we do now
[12:40] * jdstrand notes that what zyga has is enabling everything that is available, but the kernel may not allow full strict mode. not sure what valentind is interested in
[12:41] <zyga> jdstrand: I bet file rules are what he is after now
[12:41] <zyga> jdstrand: based on the thread
[12:41] <jdstrand> (eg, cause the Debian kernel doesn't have af_unix or network compat)
[12:41] <jdstrand> ah, ok. I didn't read the thread
[12:41] <valentind> I want to make it fail. For now I can call lzip from the runtime.
[12:41] <jdstrand> ah right
[12:42] <zyga> valentind: perhaps in a day or two,
[12:43] <jdstrand> zyga: I wonder if a temporary thing could be an env var or a snap experimental setting to force it
[12:43] <zyga> valentind: I need to sort out some things that piled up recently
[12:43] <zyga> jdstrand: I think we should just do it in edge
[12:43] <jdstrand> zyga: oh, I thought by 'next release' you meant farther out
[12:43] <zyga> jdstrand: and add the extra "what it means" command before release
[12:43] * jdstrand butts out cause he is clearly confusing things :)
[12:43] <zyga> jdstrand: ideally 2.40 but perhaps the extra command is 2.41
[12:44] <zyga> jdstrand: is it so hot for you as well? europe is melting
[12:44] <zyga> that doesn't help my mind to recover from the 6-day-long road trip
[12:44] <jdstrand> zyga: it has been very hot and humid. we've gotten some rain this week that kept the temp down a bit a couple of days
[12:45] <zyga> forecast here is: sunlight and 0 rain for the foreseeable future :(
[12:45] <zyga> and no clouds as well
[12:45] <jdstrand> yikes
[12:46] <jdstrand> it is super cloudy atm. seems like it might rain again
[12:59] <valentind> Found it in the journal: apparmor is enabled but some kernel features are missing: dbus, network
[13:02] <mborzecki> cachio: standup?
[13:07] <zyga> valentind: that's caused by the delta between upstream kernel and ubuntu apparmor kernel
[13:07] <zyga> valentind: it should be all merged in 5.3
[13:07] <zyga> valentind: but we can do better on older kernels
[13:09] <valentind> OK. Then I will try to find the patches on the ubuntu kernel and apply them locally to my debian
[13:09] <zyga> valentind: which kernel do you use now?
[13:10] <valentind> 5.0
[13:10] <ogra> i wonder if you could just run the binary deb right away on debian
[13:10] <zyga> https://www.irccloud.com/pastebin/emj4SlFQ/
[13:10] <ogra> (saves from patching and recompiling)
[13:10] <zyga> we have some presets for 5.1 but not for 5.0
[13:11] <valentind> OK
[13:11] <valentind> Maybe I should just have a virtual machine with ubuntu.
[13:11] <zyga> I believe that if you look at the 5.2 tree there is really only one patch that is relevant to snapd
[13:11] <zyga> the rest are nice but not something we actively test for
[13:12] <valentind> What is the plan for apparmor configuration for other bases?
[13:12] <zyga> valentind: we discussed a while ago that perhaps a base should define the base apparmor template but this has not gone anywhere yet
[13:12] <zyga> valentind: it would need to be handled in snapd explicitly
[13:14] <valentind> Is there anything I can do to help this?
[13:22] <zyga> valentind: not much I'm afraid, just upstreaming work on one end and snapd hacking on another end
[13:22] <zyga> if you want to get involved in snapd hacking we'll gladly welcome you on board
[13:22] <zyga> but it will be a while before your patches can land into master and make it out to users
[13:22] <zyga> I will likely change the apparmor usage in snapd well before that
[13:38] * zyga switches to PR hacking
[13:38] <zyga> please ping me about PRs you want to get reviewed but I didn't get to yet
[13:38] <zyga> I'll continue down the list tomorrow
=== ricab|lunch is now known as ricab
[13:47] <zyga> Lunch
[14:05] <mborzecki> zyga: friendly reminder https://github.com/snapcore/snapd/pull/6922
[14:09] <zyga> mborzecki: ack
[15:09] * zyga -> dog walk
[15:57] <valentind> Something I did not know about snap are the layouts. Nice surprise. Unfortunately, it seems that it does not allow executing from bound paths.
[15:58] <valentind> It seems that the apparmor snippet generated by bind mounts is missing allowing execution.
[16:00] <zyga> re
[16:01] <zyga> valentind: hey, can you provide an example?
[16:01] <zyga> valentind: it should be working correctly, if not there's a bug
[16:02] <valentind> Oh wait. My bad.
[16:02] <valentind> I will try again.
[16:02] <valentind> No no. It was working fine. I misread the error message.
[16:02] <valentind> Permission denied was not for the execution.
[16:03] <valentind> That is good. We can bind /app for compatibility with flatpak.
[16:04] <zyga> valentind: you should check this out:  ...
[16:04] <zyga> https://forum.snapcraft.io/t/snapcraft-summit-2019-montreal-a-snapd-perspective/11905
[16:04] <zyga> search for nix
[16:07] <valentind> Ok
=== pstolowski is now known as pstolowski|afk
[16:08] <zyga> 27C and *falling*
[16:08] <zyga> my mind is recovering
[16:10] <valentind> What are they using as base image for Nix? I suppose ld.so does not come from /nix.
[16:13] <zyga> it does!
[16:13] <zyga> it's a snap with pretty much nothing in it, snap download nix-base
[16:13] <zyga> download and look around
[16:13] <zyga> it only has /nix so that a layout can put everything there
[16:14] <valentind> Well, that should break ABI, can Nix run binaries built from other distributions?
[16:14] <valentind> nix-base, ok
[16:14] <zyga> valentind: nix base doesn't ship ld.so
[16:14] <zyga> valentind: apps ship it
[16:14] <zyga> valentind: each snap built out of nix contains everything it requires, literally so
[16:14] <valentind> Yes, I understand.
[16:15] <valentind> But the path is supposed to be absolute.
[16:15] <zyga> valentind: it is, download hello-nix and look at what it does
[16:16] <zyga> note that on nixos some more things happen
[16:16] <zyga> but in snap world, that's enough
[16:18] <valentind> I do not find hello-nix
[16:20] <zyga> oh, sorry,
[16:20] <zyga> it's not in the store!
[16:20] <zyga> I only have it because I got it at a snapcraft summit
[16:20] <zyga> valentind: my point there was:
[16:21] <zyga> https://www.irccloud.com/pastebin/0hgCLMlj/
[16:21] <zyga> nix links everything with absolute paths using hashes of the content as directory element
[16:26] <valentind> So, I could just make applications provide all the runtime and bind it in the right place.
[16:27] <zyga> yes
[16:27] <zyga> if that makes sense that is
[16:27] <valentind> I still need to make a base with empty directories.
[16:28] <zyga> what do you need?
[16:28] <zyga> do you need /app?
[16:28] <valentind> I need /bin /usr /lib /lib64
[16:28] <valentind> And /app for the application
[16:28] <valentind> I will try that.
[16:29] <zyga> you may need some more for snapd to work
[16:29] <valentind> Core could also be done like that. Just shipped in the applications.
[16:29] <zyga> download the nix base snap and just rename nix to app
[16:29] <zyga> and see what you need
[16:29] <valentind> Sure I already have the list of directories I need somewhere to make it work.
[16:30] <valentind> But those were paths where I would bind the Freedesktop SDK.
[16:32] <valentind> Actually I need only /usr to be bind mounted. The rest should be symlinks.
[16:32] <zyga> you need to provide some non-symlink directories
[16:33] <valentind> Sure, those for snap.
[16:45] <valentind> Well, now it is re-building firefox like that. I will try it when it is built.
=== msalvatore_ is now known as msalvatore

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!