[02:15] <mup> PR snapd#7580 opened: spread.yaml: exclude vendor dir <Simple 😃> <Created by anonymouse64> <https://github.com/snapcore/snapd/pull/7580>
[02:29] <mup> PR snapd#7581 opened: tests: add netplan test on ubuntu core <Created by anonymouse64> <https://github.com/snapcore/snapd/pull/7581>
[02:36] <mup> PR snapcraft#2748 opened: meta: warn about command mangling <Created by sergiusens> <https://github.com/snapcore/snapcraft/pull/2748>
[05:17] <mborzecki> morning
[05:20] <mup> PR snapd#7564 closed: interfaces: add cgroup-version to system-key <Created by bboozzoo> <Merged by bboozzoo> <https://github.com/snapcore/snapd/pull/7564>
[05:20] <mborzecki> school run, back in 30 or so
[06:02] <mborzecki> re
[06:02] <mborzecki> mvo: morning
[06:05] <mup> PR snapd#7568 closed: snap: when running `snap repair` without arguments, show hint <Simple 😃> <Created by mvo5> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/7568>
[06:06] <mup> PR snapd#7567 closed: snap-repair: error if run as non-root <Simple 😃> <Created by mvo5> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/7567>
[06:07] <mvo> hey mborzecki
[06:07] <mvo> mborzecki: good morning
[06:08] <mborzecki> mvo:  can you take a look at https://github.com/snapcore/snapd/pull/7571 ?
[06:08] <mup> PR #7571: sandbox/cgroup: refactor process cgroup helper to support v2 and named hierarchies <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/7571>
[06:09] <mvo> mborzecki: uh, I think I wanted to do this yesterday already :/
[06:09] <mvo> mborzecki: let me do this *now*
[06:16] <zyga> sorry, had super stubborn kids
[06:16] <zyga> one is still at home
[06:16] <zyga> ugh :|
[06:17] <zyga> ok, let's try to focus...
[06:19] <mborzecki> mvo: thanks!
[06:19] <zyga> mvo: https://twitter.com/samerhaj/status/1182121464813756419
[06:20] <zyga> and check out the next tweet there, vmware working on this?
[06:20] <zyga> esxi for raspi anyone?
[06:20] <mborzecki> zyga: wow, nice
[06:21] <zyga> I, for one, would not mind a raspberry pi with a proper boot stack
[06:21] <mborzecki> zyga:  any clue how does uefi/acpi combo could handle hats?
[06:21] <zyga> no idea
[06:26] <mvo> mborzecki: added a comment, please let me know if it makes sense or if its too terse. happy to talk here as well if you want :)
[06:26] <mborzecki> mvo: looking
[06:28] <mborzecki> mvo: i see, it's a bit yagni right now, once we land the named hierarchy, the string will no longer the be controller name, but insteadf a named hierarchy name ('snapd' in this case)
[06:29] <mvo> mborzecki: right, landing it is fine
[06:29] <mvo> mborzecki: I was mostly wondering if consumers of the ProcGroup() need to know what matcher to create
[06:30] <mvo> mborzecki: or if we could simply keep using a string here
[06:30] <mvo> mborzecki: and the string in the future might be "snapd"
[06:30] <mvo> mborzecki: or is this not how it will work :) ?
[06:30]  * mvo obviously has less context
[06:33] <mborzecki> mvo: hm you'd have to pass name=snapd to be explicit, or "" when you mean a unified hierarchy, feels a bit too magical
[06:35] <mvo> mborzecki: hm, but we know internally in the cgroup module if we are unified or mixed so could we leverage this knowledge?
[06:35] <zyga> mvo: we use cgroup v1 even in unified mode
[06:35] <zyga> so perhaps it's all going to be simplified eventually
[06:35] <zyga> s/use/going to use/
[06:37] <mvo> ok, I don't want to rathole this too much, sry! it just seems to me right now right now we only have one user of "cgroup.ProcGroup" and we always use freezer here so I wonder if we could encapsulate the knowledge that its freezer/something-else inside the cgroup package itself maybe?
[06:37] <zyga> we could but the cgroup package doesn't know that, it's the overlord that knows this; I think it's fine as is, it will change shortly, perhaps before the next release
[06:38] <mborzecki> mvo: zyga: hm so perhaps we could have a separate call cgroup.SnapProcGroup which internally knows whether to ask for freezer or a named group?
[06:38] <zyga> it is my understanding that by the time we are done it will use a different selector or a hard-coded string for the new location
[06:38] <zyga> I really don't think we need to do more now
[06:38] <zyga> just land and iterate
[06:38] <zyga> meanwhile, I'm back to https://github.com/snapcore/snapd/pull/7576
[06:38] <mup> PR #7576: spread.yaml,.gitignore: sync ignored files <Simple 😃> <Created by zyga> <https://github.com/snapcore/snapd/pull/7576>
[06:39] <zyga> why does something so simple have to be so hard :D
[06:39] <mvo> zyga: userd is currently using it and it does not know about freezer either, does it? its just snap-confine that knows about freezer (or am I missing something?)
[06:40] <zyga> userd is using cgroups?
[06:40] <mvo> zyga: I did a "git grep ProcGroup" and a match there
[06:40] <mborzecki> zyga: yeah, it is, that's the next thing, we'll probably need some api that encodes information about how snap cgrups are made
[06:41] <mvo> zyga: fwiw, I disagree with "why does something so simple have to be so hard"
[06:41] <mborzecki> zyga: it's for checking whcih snap the talking to userd over dbus comes from
[06:41] <zyga> oh, I didn't notice that
[06:41] <zyga> I just read that code
[06:41] <mvo> mborzecki: sry again for lack of context - but do we need (external) api for how cgroups are made? mostly wondering if we can keep most of this knowledge internal to the cgroup package
[06:42] <zyga> mvo: (I was referring to the gitignore PR)
[06:42] <mvo> zyga: oh, sorry
[06:42] <mvo> zyga: then I misunderstood :)
[06:42] <zyga> mvo: ignoring in spread and git consistently is haaard :)
[06:42] <mvo> zyga: I thought it was about my bikesheding api here :)
[06:42] <zyga> and it should not
[06:42] <zyga> no no, sorry
[06:42] <mvo> zyga: git hard> makes sense ;)
[06:42] <zyga> mborzecki: I wonder if the pid usage in userd could go away
[06:42] <zyga> and use /proc/pid/root instead
[06:43] <zyga> but that's a separate conversation
[06:43] <zyga> we discussed this with james, as long term API for discovering snap processes
[06:43] <zyga> brb, need tea, coffee
[06:43] <zyga> I'll catch up on the thread here
[06:43] <mborzecki> mvo: we don't, that's why the cleanups are being done, afaik we have 3 places rightr now that made up the grup names themseleves, userd, snapstate/refresh and s-u-n
[06:43] <zyga> but mostly want to unbreak that gitignore branch
[06:43]  * zyga loves the acronym s-u-n
[06:44] <mborzecki> mvo: 'groups are made' as in how the path under the relevant group mount point is constructured for a snap :)
[06:44] <mvo> mborzecki: oh, this is spread out right now? yeah, a good reason to consolidate it :)
[06:47] <mvo> mborzecki: anyway, my concern with the PR as it is is just that the current code in userd has cgroup.ProcGroup(pid, "freezer"). that seems to require knowledge in userd about freezer that should probably not be needed there. the new code now also adds the fact that its a v1controller there. so it seems like it makes this slightly worse. I think we can land but we should reverse the direction in the next prs to require less knowledge about how exa
[06:47] <mvo> ctly we do cgroups outside of the cgroup package. does that make sense?
[06:49] <zyga> back with coffee
[06:50] <zyga> mvo: I agree that eventually we should instead have an API that refers to app / hook tracking
[06:50] <zyga> and similar pid discovery
[06:50] <zyga> and encapsulate the cgroup logic there
[06:50] <zyga> I still would merge this as-is and iterate because velocity and not-worse-than-before
[06:51] <zyga> mborzecki: last night I needed to sober up after looking at 22MB binaries
[06:51] <zyga> so I started making those few-kb, built-with-C, hello-world programs that don't need libc
[06:51] <zyga> that was refreshing
[06:52] <zyga> offtopic: I found a great use for raspi zero -- it's the cheapest reliable serial logging device I've had
[06:53] <zyga> just plug a wire and log away
[06:53] <mborzecki> mvo: right, i mean it makes sense, we should be able to figure everything out in cgrup package given the security tag
[06:53] <mborzecki> (hopefully)
[06:53] <zyga> mborzecki: I would not even use cgroup as the wrapper
[06:53] <zyga> we may end up not using cgroups eventually
[06:54] <zyga> the package should be conceptual - pid tracking and discovery, it may use cgroups internally
[06:54] <mborzecki> zyga: snaptrack? :P
[06:54] <zyga> but what it should really have is functions like PidsOfSnap and SnapOfPid or similar
[06:54] <zyga> pidof ;-)
[06:54] <mborzecki> mvo: since you're doing reviews already, can you take a look at this one too? https://github.com/snapcore/snapd/pull/7578 again it's moving some pieces scattered around into the cgroup pacakge
[06:54] <mup> PR #7578: sandbox/cgroup, overlord/snapstate: move helper for listing pids in group to the cgroup package <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/7578>
[06:55] <zyga> ok
[06:55] <zyga> back to gitignore
[06:58] <mvo> mborzecki: 7578> sure - the title is promising for sure!
[06:58] <mborzecki> mvo: hope the content doesn't disappoint :P
[06:59] <pstolowski> morning
[06:59] <mborzecki> pstolowski:  hey
[06:59] <zyga> hey pawel :)
[07:04]  * zyga reads how git does .gitignore
[07:06] <zyga>  /o\
[07:06] <zyga> git has a screen full of global variables
[07:15] <mvo> mborzecki: love it
[07:15] <mvo> mborzecki: I would even go a bit further and hide pidsCgroupDir from the outside
[07:16] <mvo> mborzecki: but fine as is
[07:21] <mup> PR snapd#7571 closed: sandbox/cgroup: refactor process cgroup helper to support v2 and named hierarchies <Created by bboozzoo> <Merged by bboozzoo> <https://github.com/snapcore/snapd/pull/7571>
[07:47] <zyga> mborzecki: so I had a look at those exclude patterns
[07:47] <zyga> and I have the following compromise
[07:47] <zyga> mborzecki: git needs /foo to exclude a file ./foo won't cut it
[07:47] <zyga> mborzecki: spread's use of tar is exactly the opposite
[07:47] <mborzecki> hahah
[07:48] <zyga> mborzecki: it requires ./foo and /foo won't cut it
[07:48] <zyga> I think it's fine if I document it
[07:48] <zyga> it's better then sending garbage
[07:48] <zyga> and better than not working
[07:48] <zyga> I don't see any way out of this for now
[08:22]  * mvo has some eoan problems today and regrets upgrading to it
[08:23] <zyga> mvo: what happens?
[08:23] <zyga> mvo: I'm running on a similar-ish thinkpad and apart from suspend resume killing input (ha ha) it works okay (sob)
[08:25] <Chipaca> fitting that you regret upgrading to eoan in the morning
[08:26] <mvo> zyga: its on my desktop, sound issues, stuttering and it always select the wrong output on login so I need to go to gnome-settings etc
[08:26] <zyga> mborzecki: oh god
[08:26] <zyga> mborzecki: tar has --exclude-vcs-ignores
[08:26] <zyga> mborzecki: it reads .gitignore directly
[08:26] <zyga> can I just path spread instead?
[08:27] <zyga> mvo: man, that sucks :/
[08:27] <zyga> mvo: it's the future though, better bite the bullet and report them
[08:28] <mvo> zyga: doing that but its a bit of a time sink this is why I regret it
[08:29] <zyga> indeed
[08:29] <mvo> Chipaca: hahaha
[08:29] <mvo> Chipaca: took a while until the penny dropped
[08:32] <Chipaca> mvo: no regrets
[08:32] <mborzecki> zyga: hm can we teach spread about --exclude-vcs-ignores then?
[08:32] <zyga> I just did locally
[08:32] <mborzecki> it'll take a while to land it though
[08:33] <zyga> it doesn't seem to work
[08:33] <mborzecki> hahahah
[08:33] <zyga> running a debug session to see if the files really got copied
[08:33] <zyga> it's driving me insane
[08:33] <zyga> I hate doing this, it breaks all C testing I work on
[08:33] <mborzecki> well, i'm trying to teach postrm and snap-mgmt about the snap.mount unit :/ so i feel you
[08:34]  * zyga hugs mborzecki :)
[08:35] <mborzecki> btw. noticed something intersting in the tests, we've supposedly stopped lxd service (and i guess any containers it ran), but then removing /var/snap/lxd/comon/ns/mntns fails with EBUSY
[08:35] <zyga> are you sure it stopped containers?
[08:36] <mborzecki> well, i guess i hope it did
[08:40] <zyga> --debug doesn't work if project prepare fails
[08:40] <zyga> WAAAAAAAAAAT
[08:40] <zyga> ah, no, spread is picky where --debug is
[08:40] <zyga> man
[08:43] <zyga> mborzecki: the plot thickens, the ignore patterns work
[08:43] <zyga> but it's removal that matters now :D
[08:43] <zyga> man, dpkg, you sure are picky
[08:46] <Chipaca> zyga: what're you fighting against? I think I missed that bit
[08:47] <zyga> Chipaca: being able to spread a tree with built files while also passing debian build package thing that hates them
[08:47] <zyga> Chipaca: almost there though
[08:47] <zyga> now that I see what the error message is
[08:48] <Chipaca> zyga: ah
[08:48] <Chipaca> ondra: if/when you have more time to poke at that slow boot, given your last pastebin, the next step would be to do a profiling of the slow step
[08:49] <ondra> Chipaca I did some progress with more logs
[08:49] <ondra> Chipaca in the meeting now, but will report back
[08:49] <Chipaca> k
[08:57] <mborzecki> zyga:  there was a snap.mount unit before?
[08:57] <zyga> mborzecki: I got it :)
[08:58] <zyga> mborzecki: so... back to your question
[08:58] <zyga> there used to be but we nuked it and got the snap.mount.service
[08:58] <zyga> AFAIR
[08:59] <zyga> mborzecki: why?
[08:59] <zyga> mborzecki: but I don't recall exactly why
[08:59] <zyga> mborzecki: gobs of complexity
[08:59] <zyga> mborzecki: note there's also a snapd-generator
[08:59] <zyga> mborzecki: look at cmd/snapd-generator/
[08:59] <zyga> it creates a mount unit AFAIR
[08:59] <mborzecki> looking at some postinst helpers, and there's a comment about snap.mount in 2.31
[08:59] <zyga> I think we used to have snap.mount
[08:59] <mborzecki> deb postinst
[09:00] <zyga> but it was too "strong"
[09:00] <zyga> so we moved it to the generator conditionally
[09:00] <zyga> or something like that
[09:00] <zyga> and the snap.mount.service is a separate beast for $REASONS
[09:00] <zyga> I honestly don't recall, I'd have to dig
[09:00]  * Chipaca steps away for a bit (washing machine beeping)
[09:01] <mborzecki> zyga: no need, just curious
[09:04] <zyga> one more place and I think this is good
[09:09] <zyga> mborzecki: heh, now the delta code sends the crap again
[09:09] <zyga> or is it...
[09:10] <zyga> I don't see it in the tree anymore
[09:10] <zyga> but I do see it in the tarball we make early on
[09:34] <mborzecki> ehh debhelper
[09:37] <Chipaca> https://bugs.launchpad.net/snapd/+bugs?field.status%3Alist=NEW is a thing of beauty
[09:38] <seb128> Chipaca, try that on the ubuntu package :)
[09:38]  * Chipaca kickbans seb128 
[09:38] <seb128> sorry *g*
[09:38] <zyga> mborzecki: it's fun, disabled the repack helper for a second and I see tar is still ask to send the stuff over
[09:38] <Chipaca> :*)
[09:38] <zyga> mborzecki: maybe it's a bug in tar
[09:38] <zyga> checking
[09:42] <zyga> yeah
[09:42] <zyga> tar is not respecting those
[09:42] <zyga> looking deeper
[09:42] <zyga> man this used to be easier
[09:44] <mvo> Chipaca: no open bugs
[09:45] <mvo> Chipaca: \o/
[09:46] <zyga> mvo: no open bugs?
[09:46] <zyga> did we just close them for 5 minutes to feel better ;) ?
[09:46] <mvo> zyga: thats what LP told me
[09:46] <mvo> "
[09:46] <mvo> There are currently no open bugs.
[09:46] <mvo> "
[09:46] <mvo> zyga: in https://bugs.launchpad.net/snapd/+bugs?field.status%3Alist=NEW
[09:46] <mvo> zyga: its a lie of course, it should be "no open bugs in this filtered view"
[09:47] <zyga> :D
[09:47] <zyga> I see it now
[09:47] <mvo> but I like the other string better
[09:47] <mvo> :)
[09:47] <zyga> 369 open bugs make a man feel honest about himself and that to err is human
[09:47] <mvo> being a software developer humbles me every single day^Wminute
[09:48] <Chipaca> zyga: #1761621 sounds like fun for you
[09:49] <zyga> mmm
[09:49] <Chipaca> zyga: it's private because of a stacktrace, i presume, let me know if you can't see it
[09:49] <zyga> I can
[09:50] <zyga> I'll look later todaty
[09:50] <Chipaca> ah i see you in the list, even
[09:57] <Chipaca> anybody with better stacktrace-reading chops than myself (basically all of y'all), #1762686 is a puzzle
[10:01] <Chipaca> hah! I'd forgotten the "Ubuntu was created for the red-eyed onanists engaged in anal balancing act"
[10:08] <Chipaca> I wonder if there's a non-escalating way of telling them that was unappropriate
[10:08] <Chipaca> inappropriate, even
[10:13] <cjwatson> That isn't just obvious ban-fodder?
[10:13] <Chipaca> mvo (and maybe cachio when he's around): anything we should do about #1734845 ?
[10:13] <mup> Bug #1734845: hook (core) configure → exit status 1 cannot create lock directory /run/snapd/lock → Permission denied <snapd (Ubuntu):New> <https://launchpad.net/bugs/1734845>
[10:14] <Chipaca> cjwatson: I don't know the policy, nor the tools available to enforce it; maybe i should, if i'm going to start calling people out on this kind of stuff
[10:14] <Chipaca> and I am going to call people out on it
[10:14] <cjwatson> Was this on Launchpad?
[10:14] <Chipaca> yes
[10:14] <cjwatson> I failed to find it
[10:15] <Chipaca> cjwatson: #1818584
[10:15] <mup> Bug #1818584: snaps applications can't open files on an USB key <amd64> <apport-bug> <disco> <snapd (Ubuntu):Invalid> <https://launchpad.net/bugs/1818584>
[10:16] <cjwatson> OK, your response is probably appropriate for what seems like a first offence from a frustrated person.  If they escalate let me know and we'll take administrative action
[10:17] <Chipaca> cjwatson: will do
[10:26] <Chipaca> mvo: your input (or your redirect to somebody else) on #1747735 would be good
[10:26] <mup> Bug #1747735: command-completion for 'snap' on 14.04 does not recommend snapd <trusty> <command-not-found (Ubuntu):Won't Fix> <snapd (Ubuntu):Invalid> <https://launchpad.net/bugs/1747735>
[10:27] <mvo> Chipaca: in a meeting, will get back to you
[10:31] <Chipaca> a bug for snapd/ubuntu: gnome display manager it's slow with devuan
[10:32]  * Chipaca is nearly WATed out
[10:32] <zyga> mborzecki: debugged it
[10:32] <zyga> maaaan
[10:32] <mborzecki> zyga: ok, i think i have worked around dh_systemd_start, but heh it's ugly
[10:33] <ogra> Chipaca, stop complaining, just fix it !
[10:34] <ogra> (its just a quick port to sysvinit to fix that devuan problem)
[10:34] <Chipaca> ogra: in the _description_ of the bug they say "it was only solved by installing the Nvidia drivers."
[10:35] <Chipaca> ogra: so the bug is... probably? that nouveau drivers are slow?
[10:35] <ogra> ah, then it is easy, just make the nvidia drivers a hard dep of snapd
[10:35] <Chipaca> chocolate por la noticia
[10:36] <ogra> (how would it work on devuan *at all* ? there is no systemd, logind or any other of the lennartisms in it)
[10:40] <mup> PR snapd#7578 closed: sandbox/cgroup, overlord/snapstate: move helper for listing pids in group to the cgroup package <Created by bboozzoo> <Merged by bboozzoo> <https://github.com/snapcore/snapd/pull/7578>
[10:49] <mup> PR snapcraft#2743 closed: meta: warn about command mangling <Created by sergiusens> <Closed by sergiusens> <https://github.com/snapcore/snapcraft/pull/2743>
[10:52] <mup> PR core18#140 closed: run-snapd-from-snap: check for snapd.service existing too <Created by anonymouse64> <Merged by sil2100> <https://github.com/snapcore/core18/pull/140>
[10:53] <ondra> Chipaca hi
[10:54] <ondra> Chipaca I added more logs and essentially this is all down to sha384 :(
[10:54] <Chipaca> ondra: I feel like you owe me a beer or something for not believing me
[10:54] <ondra> Chipaca as when we preparing seed, we calculate sha384 while we are parsing seed.yaml
[10:55] <Chipaca> ondra: would've saved us both a few hours of work :)
[10:55] <ondra> Chipaca I'm happy to get you beer :)
[10:55] <ondra> Chipaca but it's not key generation, this is snap assertion validation
[10:55] <Chipaca> ondra: strange that you don't see the io or cpu usage of it though, maybe things aren't lining up properly in the bootchart?
[10:56] <ondra> Chipaca also interesting one is, if I calculate it from shell, I get 100% cpu load and I get it also 2 as fast for all snapc
[10:56] <Chipaca> ondra: _before_ even looking at key gen etc i said it was probably still the sha3
[10:56] <Chipaca> :-/
[10:56] <ondra> Chipaca I loop through all snaps, and it's not taking me as much time
[10:57] <ondra> Chipaca ah, sorry for that, I did miss sha3 message from you
[10:57] <ondra> Chipaca I did not know we calculate sha3 before we start seeding, I though we do that at time of actual snap seeding
[10:57]  * pstolowski walk, bbiab
[10:57] <ondra> Chipaca but cpu load is indeed something puzzling
[10:58] <mup> PR snapd#7580 closed: spread.yaml: exclude vendor dir <Simple 😃> <Created by anonymouse64> <Merged by bboozzoo> <https://github.com/snapcore/snapd/pull/7580>
[10:58] <Chipaca> ondra: look for an email with subject 'booting the pi', 26 Jan 2017
[10:58] <mvo> Chipaca: snap on trusty - oh well
[11:00] <Chipaca> mvo: ikr
[11:00] <ondra> Chipaca ahh nice, found it
[11:03] <mvo> sil2100: thanks for merging the latest core18 PR from ijohnson ! our of curiosity, when do we plan the next stable core18 snap release?
[11:04] <mvo> sil2100: we have this fix and the netplan update in edge, would be great if those would make it to stable soon(ish)
[11:04] <Chipaca> ondra: wrt looping through all the snaps: did you unmount them and drop caches first
[11:04] <Chipaca> ondra: it's possible a large chunk of it is i/o
[11:04] <Chipaca> depends on how slow the sd card is maybe
[11:04] <ondra> Chipaca no I did not umout them
[11:05] <Chipaca> ondra: i'm assuming having them mounted keeps them in the cache somehow but could be wrong
[11:05] <Chipaca> ondra: also, what are you using to hash them from shell?
[11:05] <sil2100> mvo: yw! In theory today's a Thursday, so if the timing is right it should get picked up by automation into beta and then to certification testing - we might be able to get it to stable around Monday
[11:05] <mvo> sil2100: amazing, thank you
[11:05] <ondra> Chipaca may be some, but I doubt entire snap and all, that would be half of all mem available
[11:06] <Chipaca> ondra: because sha3-384 is not sha384
[11:06] <ondra> Chipaca I just called sha384sum
[11:06] <Chipaca> ondra: yeah, that's the wrong hash
[11:06] <ondra> Chipaca ah
[11:06] <Chipaca> that's an easy hash :)
[11:06] <ondra> Chipaca which one to use then?
[11:06] <Chipaca> ondra: snap install sha3384 ?
[11:07] <mvo> pedronis: 7556 has two +1, my two nitpicks can easily be done in a followup, I would love to see this landing so that the next pr is smaller, wdyt?
[11:09] <diddledan> re: https://discourse.ubuntu.com/t/testing-default-snap-apps-against-equivalent-deb-apps-slow-start-times/12875/17 the desktop launcher script runs gdk-pixbuf-query-loaders and gtk-update-icon-cache and gio-querymodules.. could we utilise the $SNAP_DATA or $SNAP_COMMON directories for these caches and generate them in an install and/or refresh hook?
[11:10] <mup> PR snapcraft#2746 closed: elf: handle missing dependencies not found on system <Created by cjp256> <Merged by sergiusens> <https://github.com/snapcore/snapcraft/pull/2746>
[11:15] <ondra> Chipaca yep. now time alines more
[11:15] <ondra> Chipaca damn it, no cheap wins :(
[11:16] <Chipaca> diddledan: is there a way to do it incrementally so a user can also have local stuff?
[11:17] <diddledan> those caches only parse files that are distributed within the snap or runtime-snap so the user won't have their own local stuff, AFAIK
[11:18] <Chipaca> then why is it done at install at all?
[11:18] <Chipaca> why isn't it in the snap itself?
[11:18] <Chipaca> anyway, ⇝ lunch
[11:18] <diddledan> it is in the snap currently as part of desktop-launch script which wraps the actual command
[11:19] <diddledan> I was thinking we could extract it from running every launch to only running once when the snap is installed or refreshed
[11:20] <diddledan> at the moment it conditionally runs on refresh at launch time. so we can move it to refresh-time so that the initial launch after a refresh is perceviably faster
[11:22] <diddledan> i.e. in the launch script it has equivalent of `if refreshed, rebuild caches, then run the app`
[11:23] <mvo> mborzecki: did you had a chance to look at the error log in 7572?
[11:24] <mup> PR snapd#7572 closed: gadget: rename "boot{select,img}" -> system-boot-{select,image} <Created by mvo5> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/7572>
[11:30] <mborzecki> yeah, but it dodn't make any sense though, if it keeps repeating we'll probably need to take a closer look at either glibc or go in arch
[11:30] <mborzecki> mvo: ^^
[11:32] <mvo> mborzecki: ok, thats fine. lets assume its just a glitch
[11:33] <mborzecki> mvo:  might be serious though, afaict it was related to thread local storage
[11:33] <mvo> mborzecki: hm, ok
[11:37] <mborzecki> zyga: tests/main/lxd is leaking this: https://paste.ubuntu.com/p/zkY96DMsT6/
[11:38] <mborzecki> zyga: or, iow lxd is leakingthis
[11:38] <mborzecki> i suppose the debug output should include findmnt
[11:38] <zyga> that's curious
[11:38] <zyga> the common/ns/mntns thing is a bind mounted mount namespace
[11:38] <zyga> I really really wish lxd removal would clean up
[11:39] <zyga> mborzecki: can we paper over this with lxd-tool patch?
[11:39] <zyga> mborzecki: tests/lib/bin/lxd-tool
[11:39] <zyga> though it's more serious as it seems to break actual "snap remove", right?
[11:39] <mborzecki> zyga: we can, stil, removing lxd snap does not clean this up
[11:39] <mborzecki> yup
[11:42] <mup> PR snapd#7582 opened: spread: include mounts list in task debug output <Simple 😃> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/7582>
[11:42] <mborzecki> zyga: ^^
[11:49] <zyga> mborzecki: +1 but would you mind changing that to co via prepare-restore.sh --debug-each and move the code there. This way more shellcheck love is applied.
[11:50] <mborzecki> zyga: this is covered by spread-shellcheck already
[11:50] <zyga> debug: | ?
[11:50] <mborzecki> zyga:  i mean spread.yaml
[11:50] <mborzecki> hmm let me double check
[11:52] <zyga> mborzecki: https://github.com/snapcore/spread/pull/89
[11:52] <mup> PR spread#89: runner: pass --exclude-vcs{,-ignores} to tar <Created by zyga> <https://github.com/snapcore/spread/pull/89>
[11:52] <mborzecki> zyga: yup, debug && debug-each are covered by spread-shellcheck
[11:52] <zyga> mborzecki: fair enough, +1
[11:52] <zyga> though I'd still prefer to have less things in the main yaml
[11:52] <zyga> but that's not a problem for this
[11:53] <zyga> mborzecki: I think we should re-check the leak checker
[11:53] <zyga> mborzecki: and see if we can land it for classic
[11:53] <zyga> mborzecki: even if core is still leaking other stuff I didn't fix
[11:53] <mborzecki> Chipaca: mvo: https://github.com/snapcore/spread/pull/89 might interest you as well
[11:53] <mup> PR spread#89: runner: pass --exclude-vcs{,-ignores} to tar <Created by zyga> <https://github.com/snapcore/spread/pull/89>
[11:53] <zyga> mborzecki: we'd know earlier
[11:56] <mborzecki> zyga: wodner if that's something that snapd could police as well
[11:56] <zyga> mborzecki: that's a whole new world there
[11:56] <mborzecki> otoh lxd is a special snowflake
[12:07] <mup> PR snapd#7583 opened: usersession: drive by fixes for things flagged by unused or gosimple <Simple 😃> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/7583>
[12:07] <mborzecki> really simple PR ^^
[12:19] <Chipaca> I wish I knew what these stacktraces were about
[12:19] <Chipaca> they're just … noise
[12:20] <mup> PR snapd#7576 closed: spread.yaml,.gitignore: sync ignored files <Simple 😃> <Created by zyga> <Closed by zyga> <https://github.com/snapcore/snapd/pull/7576>
[12:25] <zyga> brb
[12:42] <mborzecki> Chipaca: which ones?
[12:42] <Chipaca> mborzecki: https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1841384 or https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1762686 for ex
[12:42] <mup> Bug #1841384: snapd crashed with SIGSEGV <amd64> <apport-crash> <eoan> <snapd (Ubuntu):New> <https://launchpad.net/bugs/1841384>
[12:47] <mborzecki> Chipaca: interesting, in https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1762686 there's an awful lot of threads stuck in receiving from a client, probably via the snapd socket
[12:49] <mup> Bug #1811534 changed: snap - install skype warning - main.go: should be wrapped in (i18n) <i18n> <snapd:Incomplete> <snapd (Ubuntu):Incomplete> <https://launchpad.net/bugs/1811534>
[12:49] <mup> PR snapcraft#2748 closed: meta: warn about command mangling <Created by sergiusens> <Merged by sergiusens> <https://github.com/snapcore/snapcraft/pull/2748>
[12:50] <mborzecki> Chipaca: then in the other one, there's only a single thread that's not stuck in something sleep related, and it's calling runtime.scanobject (b=824633781392, gcw=0xc000044170) at /usr/lib/go-1.11/src/runtime/mgcmark.go:1140
[12:50] <mborzecki> Chipaca: hm memory corruption perhaps?
[12:53] <zyga> man, it's raining like hell again
[12:53]  * mborzecki was hoping for a bike ride today
[12:54] <zyga> yeah
[12:54] <zyga> me too
[12:54] <zyga> it's looking like Saturday will be nice
[12:54] <zyga> 20C and sun, wow
[13:07] <mup> PR snapd#7584 opened: .gitignore: pair of trivial changes <Simple 😃> <Created by zyga> <https://github.com/snapcore/snapd/pull/7584>
[13:10] <zyga> mborzecki: ^
[13:12] <mup> PR snapd#7585 opened: spread.yaml: drop exclude list, use .gitignore <Created by zyga> <https://github.com/snapcore/snapd/pull/7585>
[13:18] <zyga> pstolowski: it's a one liner to measure the time it really took to run configure
[13:18] <zyga> pstolowski: I can show you where to patch
[13:18] <zyga> pstolowski: it's useful to do this if you have the rest of the setup
[13:19] <pstolowski> zyga: sure
[13:20] <zyga> pstolowski: on an os/exec.Cmd you can get .ProcessState which has .SystemTime and .UserTime
[13:20] <zyga> just log them after the process terminates
[13:20] <zyga> it's that simple
[13:21] <pstolowski> zyga: ah, that, right, i think we discussed that at some point some time ago
[13:21] <zyga> yeah, JFinallyDI
[13:38] <zyga> mvo: if you can review the spread change it woulod help me a little
[13:39] <mvo> zyga: sure thing
[13:39] <mvo> zyga: you may need to remind me toromorrow though
[13:39] <mvo> zyga: today is super busy :/
[13:39] <mvo> (for me)
[13:39] <zyga> mvo: it's a one liner
[13:40] <zyga> https://github.com/snapcore/spread/pull/89 :)
[13:40] <mup> PR spread#89: runner: pass --exclude-vcs-ignores to tar <Created by zyga> <https://github.com/snapcore/spread/pull/89>
[13:51] <cmatsuoka> cachio: I got this error in the test log, do you know how can I get more information on what failed? https://api.travis-ci.org/v3/job/596058356/log.txt
[13:51] <cmatsuoka> cachio: look for "build failed"
[13:52] <cmatsuoka> cachio: ah ok, just found an error messages several lines above that
[13:52] <cmatsuoka> cachio: but that line number doesn't make any sense :\
[13:58] <ijohnson> ondra, Chipaca if you want faster SHA3 on arm, please +1 this issue https://github.com/golang/go/issues/28148
[14:07] <zyga> cachio: perhaps you could look at https://github.com/snapcore/spread/pull/89
[14:07] <mup> PR spread#89: runner: pass --exclude-vcs-ignores to tar <Created by zyga> <https://github.com/snapcore/spread/pull/89>
[14:10] <zyga> pstolowski: can you please look at https://github.com/snapcore/snapd/pull/7584 -- 3 lines
[14:10] <mup> PR #7584: .gitignore: pair of trivial changes <Simple 😃> <Created by zyga> <https://github.com/snapcore/snapd/pull/7584>
[14:10] <zyga> gitignore
[14:18] <roadmr> does snapd identify if a snap requires a specific content snap and install the content snap automagically?
[14:18] <roadmr> (i.e. snapian)
[14:21] <mborzecki> roadmr: afaik snap.yaml must name a default-provider for a given content plug
[14:21] <roadmr> mborzecki: and the named default-provider snap gets auto-installed/
[14:22] <roadmr> ?
[14:30] <mborzecki> roadmr: yes
[14:31] <roadmr> thanks mborzecki :)
[15:17] <Chipaca> ijohnson: out of curiosity, how hard would it be to pull that in to our snapd build for armhf?
[15:17] <roadmr> you're pulling my armhf
[15:18] <ijohnson> not too hard, it would be a little awkward IIRC because the hashers in crypto aren't used directly they're registered with the hash package and so we'd have to go use the hasher from sha384 directly rather than using crypto
[15:18] <ijohnson> Chipaca: ^
[15:18] <ijohnson> the big thing why I don't think we should do that is because now we have to maintain that SHA3 crypto code
[15:18] <Chipaca> yeah i get that
[15:19] <Chipaca> but https://go-review.googlesource.com/q/hashtag:%22crypto-assembly%22+(status:open)
[15:19] <Chipaca> does not fill me with hope
[15:21] <ijohnson> Chipaca: yeah from talking some of the other go devs, the main person who does crypto + assembly review for Go is very very busy and has had a lot of other $GOOGLE things to do in recent years
[15:33] <Chipaca> brb, rebooting
[15:49] <mup> PR snapd#7583 closed: usersession: drive by fixes for things flagged by unused or gosimple <Simple 😃> <Created by bboozzoo> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/7583>
[15:52] <mvo> pedronis: do you mind if I merge 7462 (the  grade support for models in uc20?)
[15:53] <pedronis> mvo: I can do it, one sec
[15:54] <mup> PR snapd#7462 closed: asserts: introduce explicit support for grade for Core 20 models <Created by pedronis> <Merged by pedronis> <https://github.com/snapcore/snapd/pull/7462>
[15:54] <mvo> pedronis: thanks
[15:55] <mvo> pedronis: 7556 can probably also be merged, the suggestions could be done in a follouwp, this would unblock the next review I think(?)
[15:56] <pedronis> mvo: it's about documenting, maybe renaming TargetFunc, right ?
[15:57] <ondra> Chipaca I managed to shave 40s from that boot now :)
[15:57] <pedronis> mvo: and a typo
[15:57] <pedronis> mvo: I can merge and then I would apply those in the follow up
[15:57] <pedronis> if that's ok
[15:57] <ondra> Chipaca it will need reviewing from someone who can understand more implications of what I changed
[15:57] <pstolowski> mborzecki: some questions/comments to schedule fix PR
[15:58] <ondra> Chipaca but thats ~80s to ~40s
[15:58] <mvo> pedronis: yeah, lets do it this way (merge+followup)
[15:58] <ondra> Chipaca see bootchart https://private-fileshare.canonical.com/~okubik/bootchart-20191010-1545.svg
[15:59] <mvo> pedronis: thank you!
[15:59] <ondra> ogra https://private-fileshare.canonical.com/~okubik/bootchart-20191010-1545.svg
[15:59] <mup> PR snapd#7556 closed: image,seed/seedwriter: switch image to use seedwriter.Writer <Created by pedronis> <Merged by pedronis> <https://github.com/snapcore/snapd/pull/7556>
[16:00] <ondra> mvo pedronis this could be something we might consider for landing once polished, see the difference in cpu from 60 to ~100 second
[16:00] <ondra> https://private-fileshare.canonical.com/~okubik/bootchart-20191010-1545.svg and https://private-fileshare.canonical.com/~okubik/bootchart-20191008-1710.svg
[16:00] <Chipaca> ondra: what is the change?
[16:00] <mvo> ondra: what exactly?
[16:00] <mvo> ondra: do you have a diff or something?
[16:01] <ondra> Chipaca mvo diff soon
[16:01] <ondra> Chipaca mvo but I'm calculating sha3384 in parallel
[16:01] <ondra> so this will be even faster on multicore devices
[16:02] <ondra> on 4cores this cut hashing to half, and it's mostly because one snap is 3x bigger then next biggest
[16:04] <ondra> mvo Chipaca one of you just need to review if I'm not messing up with snap seeding order
[16:04] <pedronis> we are touching that code quite a bit atm
[16:05] <pedronis> so it's probably easiest to just see the diff and measure it and do it again if it's useful
[16:06] <ondra> pedronis are any of your changes parallelising hash calculation?
[16:06] <pedronis> no, but we intergrating UC20 code
[16:06] <pedronis> which does still differently
[16:06] <ondra> pedronis right
[16:06] <ondra> I will prepare clean diff
[16:06] <pedronis> is this a change in seed16.go ?
[16:06] <pedronis> or the older code?
[16:07] <ondra> I still think this is worth to consider, as we sit there for 2 minutes with one core maxed and rest of the system is idling
[16:07] <ondra> pedronis in seed16.go
[16:07] <pedronis> ok
[16:07] <pedronis> that shouldn't change a lot anymore
[16:07] <pedronis> but we'll see
[16:07] <pedronis> clean diff is a good start
[16:08] <ondra> pedronis +1
[16:14] <ondra> Chipaca mvo it influenced order how snaps are seeded
[16:14] <ondra> so it will still need some tweaking there
[16:19] <pedronis> ondra: that doesn't sound right
[16:19] <pedronis> to be clear
[16:19] <ondra> pedronis well this is first shot and I'm just checking how to address this
[16:22] <pedronis> #7558 is ready for review
[16:22] <mup> PR #7558: boot,dirs,image: various refinements in the prepare-image code switched to seedwriter <Created by pedronis> <https://github.com/snapcore/snapd/pull/7558>
[16:22] <pedronis> Chipaca: there are also bits in boot there ^
[16:23] <Chipaca> k
[16:23] <Chipaca> i don't think i'll get to that today
[16:23] <pedronis> np
[16:23] <pedronis> just fyi
[16:43] <mup> PR snapd#7584 closed: .gitignore: pair of trivial changes <Simple 😃> <Created by zyga> <Merged by zyga> <https://github.com/snapcore/snapd/pull/7584>
[16:56] <zyga> pedronis: you have two entries in the meeting notes for Thursday
[16:56] <zyga> is one of them for Friday or should they be merged?
[17:00] <Chipaca> zyga: one is pedronis' clone
[17:00] <zyga> that explains it :)
[17:01] <Chipaca> anyhoo, i'm outa here
[17:01] <Chipaca> see y'all tomorrow
[17:01] <zyga> good call :)
[17:01] <Chipaca> 👋
[17:01]  * zyga hugs Chipaca 
[17:01] <zyga> bye :)
[17:01]  * Chipaca hugs back
[17:18] <zyga> niemeyer: hello, low priority but also low effort request to look at a small change to spread: https://github.com/snapcore/spread/pull/89
[17:19] <mup> PR spread#89: runner: pass --exclude-vcs-ignores to tar <Created by zyga> <https://github.com/snapcore/spread/pull/89>
[17:40]  * cachio afk
[20:34] <mup> PR snapcraft#2749 opened: storeapi: add StoreErrorList to handle store errors <Created by sergiusens> <https://github.com/snapcore/snapcraft/pull/2749>
[21:01] <joedborg> hey zyga
[21:01] <zyga> hey
[21:02] <zyga> it's a little late so I may not respond instantly
[21:02] <zyga> but please leave me a message and I'll get to it as soon as I can
[21:02] <joedborg> zyga: ah apologies, i keep missing you
[21:03] <joedborg> just wondering if you can help with what exception i need to add to apparmor for
[21:03] <joedborg> `[285928.025967] audit: type=1400 audit(1570741250.597:1384598): apparmor="DENIED" operation="signal" profile="docker-default" pid=703 comm="kubelet" requested_mask="receive" denied_mask="receive" signal=kill peer="snap.kubernetes-worker.kubelet"`
[21:03] <zyga> no need to apologize, it's not our fault :)
[21:03] <zyga> sure
[21:04] <zyga> this means that the profile called 'docker-default' constrains a process with pid 703 so that it cannot receive the kill signal from a process labelled snap.kubernetes-worker.kubelet'
[21:04] <zyga> if you can craft the docker-default profile then it's a one liner to change
[21:05] <zyga> AFAIR, without checking something like: signal (receive) peer=snap.kubernetes-worker.kubelet,
[21:05] <zyga> note that the permission applies on both sides
[21:06] <zyga> so the snap.kubernetes-worker.kubelet needs a send permission with the appropriate peer
[21:06] <zyga> joedborg: does this make sense?
[21:07] <zyga> joedborg: you can constrain the signal further with set=(...)
[21:07] <joedborg> zyga: is there a quick line i can get round it with?
[21:07] <joedborg> * that i can add to app armor
[21:07] <zyga> signal (receive) set=(kill) peer=snap.kubernetes-worker.kubelet,
[21:07] <zyga> though note that the peer here specifies the snap name
[21:07] <zyga> so only that snap (and only that snap) would work
[21:08] <zyga> it may require some more ooomph
[21:08] <zyga> perhaps the signal could be accepted from any snap that can send it
[21:08] <zyga> so you could just say:
[21:08] <zyga> signal (receive) set=(kill) peer=snap.*
[21:08] <zyga> (make sure to add the trailing comma)
[21:09] <joedborg> zyga: thanks, i'll try that now
[21:09] <joedborg> it's just a further PoC, so I can arrest it if and when it works :)
[21:11] <zyga> joedborg: cool :)
[21:11] <zyga> joedborg: yeah, try that, let me know if it works or not
[21:12] <joedborg> zyga: sadly not, I added that to the profile `/var/lib/snapd/apparmor/profiles/snap.kubernetes-worker.kubelet¬
[21:12] <joedborg> * `/var/lib/snapd/apparmor/profiles/snap.kubernetes-worker.kubelet`
[21:12] <zyga> that's not the profile
[21:12] <zyga> look at what I said above
[21:12] <zyga> this is confining the process using the docker-default profile
[21:12] <zyga> whatever owns and writes *that* profile must change
[21:12] <zyga> when you have two processes with apparmor profiles
[21:12] <zyga> and they signal each other
[21:13] <zyga> the sender needs the send permission for the peer
[21:13] <zyga> (and you have that or the denial would say profile=snap.foo.bar)
[21:13] <zyga> the recipient needs the corresponding permission
[21:13] <zyga> that matches the peer
[21:14] <zyga> it's funny but you can craft an apparmor profile that denies sigkill with this
[21:14] <zyga> (from unconfined)
[21:14] <zyga> joedborg: does this make sense?
[21:14] <joedborg> zyga: how do i get at the docker-default profile?
[21:14] <zyga> joedborg: I don't know that, presumably something writes one, one sec
[21:15] <joedborg> zyga: i can't see it in `/var/lib/snapd/apparmor/profiles/`
[21:15] <zyga> it's not a profile made by snapd
[21:15] <zyga> so I suspect the snap itsef makes it
[21:15] <zyga> ijohnson: ^^ perhaps you know?
[21:16] <zyga> joedborg: in other words, no amount of changes to snapd will fix it
[21:16] <ijohnson> let me read the scrollback
[21:16] <zyga> the profile you must change is made or belongs to another package, presumably just docker
[21:16] <zyga> ijohnson: tl;dr; do you know if docker snap makes "docker-default" apparmor profile?
[21:16] <zyga> and if so, do you know how to change the code that makes it so that it has one more line
[21:17] <ijohnson> ah yes docker-default is generated by docker/runc when you create containers
[21:17] <ijohnson> in the docker snap we had to patch the docker-default profile to allow containers to start properly when dockerd is confined by snapd/apparmor
[21:18] <joedborg> ijohnson zyga so there's nothing i can do on a running system to patch this?
[21:18] <ijohnson> essentially, the default docker-default profile only allows unconfined processes to talk to it, so confined ones like dockerd inside the docker snap are denied as you see above
[21:19] <ijohnson> joedborg: unfortunately IIRC dockerd generates the docker-default profile in /tmp, loads it into the kernel and then deletes the /tmp profile, so no I don't think you can do to a running system to patch this
[21:19] <zyga> joedborg: not without fighting with docker
[21:19] <ijohnson> you need to patch dockerd to modify the docker-default profile to include that line
[21:19] <joedborg> zyga: ijohnson well containerd in my case
[21:19] <zyga> joedborg: you could create a profile that is the same, has one more permission, and load that
[21:19] <ijohnson> err yeah
[21:20] <joedborg> zyga: ijohnson: I can carry on in devmode and log it as a bug?
[21:20] <zyga> but that would have to be done again each time docker decided to reload the profiles
[21:20] <ijohnson> containerd/dockerd/runc/moby/the kitchen sink/a bag of chips/
[21:20] <zyga> joedborg: you'd have to run docker in devmode
[21:20] <ijohnson> jodbord: nah I don't think so, because you need the docker-default profile to be in devmode, not the snap
[21:20] <ijohnson> there's a way to launch a container with containers having their apparmor profiles turned off though
[21:21] <ijohnson> err that was akward to say
[21:21] <zyga> actually
[21:21] <ijohnson> there's an option to dockerd/containerd/whatever to launch containers without the docker-default profile
[21:21] <zyga> nah, that's not a good idea
[21:21] <ijohnson> I can't remember off the top of my head
[21:21]  * zyga remains quiet
[21:21] <ijohnson> zyga: yeah it's not a good idea, but it's the same as running in devmode
[21:21] <joedborg> zyga: ijohnson: so this is for the kubernetes-worker snap which has containerd bundled inside the snap
[21:21] <zyga> I was thinking about using aa_complain
[21:21] <zyga> but I think that only works if you can point it to a profile text
[21:22] <ijohnson> joedborg: ah if you're building the snap then you can just patch dockerd/containerd
[21:22] <joedborg> ijohnson: how? :)
[21:23] <ijohnson> joedborg: this is the patch we used in the docker snap for github.com/docker/docker (aka github.com/moby/moby): https://git.launchpad.net/~docker/+git/snap/tree/dockerd-patches/snappy-apparmor-tweaks.patch
[21:23]  * zyga doesn't know that and returns to audiobooks and assembly
[21:24] <ijohnson> zyga: go do that and stop working :-)
[21:24] <zyga> thank you ijohnson
[21:24] <zyga> joedborg: you are in good hands :)
[21:24] <joedborg> thanks zyga, sorry to have kept you at your desk
[21:24] <ijohnson> joedborg: how are you building containerd?
[21:25] <joedborg> ijohnson https://github.com/charmed-kubernetes/snap-kubernetes-worker/blob/master/snap/snapcraft.yaml
[21:25] <joedborg> it's being built in the snap
[21:26] <ijohnson> hmm this snapcraft.yaml is a bit weird, is there a reason you use `go get ...` instead of the source spec for all these parts?
[21:26] <joedborg> ijohnson: i thought we had similar issue that jdstrand got into the containerd profile
[21:26] <joedborg> ijohnson: yeah because kubernetes doesn't build things properly
[21:26] <ijohnson> but anyways since you're building containerd from scratch patching it shouldn't be too much work
[21:27] <ijohnson> hmm well still you could let snapcraft check it out, that would save you rebuild times, but oh well
[21:28] <joedborg> ijohnson: can you give commit hashes to snapcraft?
[21:28] <ijohnson> yes, `source: github.com/....` and then do `source-commit: SHA`
[21:29] <ijohnson> joedborg: see https://snapcraft.io/docs/snapcraft-parts-metadata#heading--source
[21:29] <joedborg> ijohnson: thanks, i'll add that in the todo to look at
[21:31] <ijohnson> joedborg: so you need to patch https://github.com/containerd/containerd/blob/1ac546b3c4a3331a9997427052d1cb9888a2f3ef/contrib/apparmor/template.go
[21:31] <ijohnson> that's the "docker-default" profile in containerd AFAICT
[21:32] <ijohnson> I don't actually see anything named docker-default in containerd, so I assume it's probably k8s or something else that is using the docker-default name when driving containerd
[21:33] <joedborg> ijohnson: cool, thanks, and there's no way to do this outside of containerd upstream?  I might (and probably) mixing different issues, but I think that jdstrand and I saw a similar signal violation (of containerd inside the snap) and fixed it in the template for the interdace
[21:34] <joedborg> *interface
[21:35] <ijohnson> joedborg: jdstrand is the apparmor expert so perhaps I'm mistaken but when I went through this excercise for the docker snap, we had to patch docker because the issue was not that the _snap_ processes were being denied stuff from apparmor, but rather that the _container_ processes were being denied stuff and the container processes are under a different apparmor label, so that different label has to be modified
[21:36] <ijohnson> If you look in docker-support interface, you can see that there's a rule to allow transition between the snap apparmor label and an apparmor profile named docker-default, so dockerd can launch a process, which will be confined by the snap's apparmor profile, then have that process transition to the container apparmor profile
[21:37] <ijohnson> I see that this k8s snap is using docker-support, so actually I assume that is part of why you need to use docker-default even when k8s is driving containerd, as there's no transition rule for i.e. containerd-default apparmor profile that I see
[21:38] <ijohnson> joedborg: the only other thing I could think of would be to launch every container with a manually specified apparmor profile, but that might interfere with users who have their own apparmor profile they want to launch containers with
[21:39] <joedborg> ijohnson: yeah i get that, it's an issue we've been seeing a lot - where directories inside the container are being given readonly; even though they're confined by the pivot route
[21:39] <joedborg> ijohnson: I suspect we added some to get the PoC working but, in fact, we need to open the containerd profile up a bit more by patching the file you suggested
[21:40] <joedborg>  /pivot route/pivot root/
[21:40] <ijohnson> joedborg: another useful patch you might want to look at from the docker snap is the one that changes pivot_root to just chroot all the time, because when you pivot_root then apparmor doesn't understand that your new files you touch are really prefixed with the old_root parameter
[21:41] <ijohnson> so that leads to you having to add all these random accesses that ideally wouldn't be necessary since the container isn't ever touching any host files or base snap files, it's just using it's own rootfs from $SNAP_DATA or somewhere, so it's fine to let it use whatever files it wants
[21:41] <ijohnson> joedborg: that patch is here: https://git.launchpad.net/~docker/+git/snap/tree/dockerd-patches/snappy-real-chroot.patch
[21:42] <joedborg> ijohnson: ah that’s sounding like we’re seeing the same thing, cool.  Just reading that patch
[21:43] <ijohnson> yeah I recommended to someone a long time ago that as they start working on building k8s into a strict snap they should look at the docker snap, but apparently that advice was forgotten
[21:43] <ijohnson> 🤷‍♂️
[21:44] <joedborg> ijohnson: yeah, docker isn’t cool anymore so we’ve gone down the containerd path 😊
[21:44] <ijohnson> ... and yet still have the same problems 🤔
[21:44] <ijohnson> 🙂
[21:46] <mup> PR core-build#54 closed: initramfs: update unlock keyfile parameter <Created by cmatsuoka> <Merged by cmatsuoka> <https://github.com/snapcore/core-build/pull/54>
[21:46] <joedborg> ijohnson: haha yes, seem so.  we had time pressure for the poc so I think the rules jdstrand put in were to get the basics cleared.  we could reconcile when he’s back?  it’d be nice to sort this properly (and we could get a free containerd snap too)
[21:47] <ijohnson> joedborg: yeah that sounds good
[21:47] <ijohnson> I think jdstrand is back next week iirc
[21:48] <joedborg> ijohnson: awesome. yeah I think so too.   thanks a lot for your help :)
[21:54] <ijohnson> np, happy to help while z y g a should be offline :-)