[01:07] PR snapd#7832 closed: snap-bootstrap: support auto-detect device in create-partitions [06:14] morning [06:29] nfs-support failed on 19.10 https://paste.ubuntu.com/p/JvGPJxMxZx/ [06:34] good morning [06:45] morzecki: how can i run this single test ? go test -check.f ... ? [06:45] mborzecki: [06:46] sdhd-sascha: go test -check.f in the corresponding package or jsut passing the pacakge name eg. github.com/snapcore/snapd/cmd/snap [06:47] sdhd-sascha: writing import paths is tedious, so i just cd into the directory of the package [06:48] i tried: [06:48] $ go test -check.f github.com/osutil/nfs_linux_test.go [06:51] sdhd-sascha: when in snapd tree, cd osutil ; go test -check.f nfsSuite [06:52] sdhd-sascha: nfsSuite because it's the test suite defined in nfs_linux_test.go file [06:53] mborzecki: thank you - it works [06:54] but on my 19.10 it works [06:54] go test -check.f nfsSuite [06:54] OK: 1 passed [06:54] PASS [06:54] ok github.com/snapcore/snapd/osutil 0.005s [06:54] I have there a nfs-mount. [06:56] mborzecki: Or, is this a different nfs test in the paste from you? Error executing google:ubuntu-19.10-64:tests/main/nfs-support : [06:58] mborzecki: you mean the "spread" tests. sorry [07:13] good morning [07:13] mborzecki: I have a question [07:15] mborzecki: I was fighting snap security tag mess spread around the code and I think that's a separate cleanup [07:15] zyga: hey [07:15] mborzecki: do you think it would be ok to do just a regexp based validation on the supposed security tag [07:16] mborzecki: and do nothing more in the sandbox/cgroup package for now? [07:17] zyga: let me take a look at the pr [07:18] mborzecki: I didn't push anything since yesterday [07:18] mborzecki: because trying to make sense of how security tags are used and validated brings one headache [07:18] zyga: heh, indeed it does [07:21] mborzecki: the best I can think of [07:21] mborzecki: for now [07:21] mborzecki: is that security tag becomes an interface that is implemented by a number of things [07:21] mborzecki: pluse a few special cases that wrap a string [07:21] zyga: hm looks like the only code validating security tags is in s-c now [07:21] yeah [07:23] zyga: and it's a regex, so i guess it's fine [07:24] yeag [07:24] yeah [07:25] it's a regex that says snap.$(snap name regex)(.hook)?.$(app name regex) [07:25] and one more weird variant, IIRC [07:27] on top of this I'd like to craft something that unifies all knowledge of security tags, documents it and puts validation functions that everything uses [07:27] we mostly always generate tags, not read them [07:27] so we didn't need much validation before [07:27] (in go, at least) [07:29] good morning [07:30] zyga: sandbox/tags? or stuff that in snap/naming? [07:30] hey, good morning sdhd-sascha [07:31] mborzecki: I started snap/naming/sectag.go but not married to it [07:31] I think it's silly because of how we must be careful not to get import cycles [07:31] so eventual placement is really more related to where it compiles [07:39] hey mvo [07:39] hey zyga [07:44] mvo: hey [07:45] hey mborzecki [07:45] what did I miss this morning so far :) ? [07:45] how are tests looking? [07:45] I don't think you've missed much [07:46] tests are green [07:46] some red but probably branch related [07:49] mvo: schedule question, when do you cut [07:49] mvo: and if you cut now, do you anticipate another cut before release or is that it? [07:53] zyga: probably today [07:53] zyga: and no worries, we can always cherry pick [07:53] ok [07:54] zyga: but once branched there will be no merge from master anymore [07:54] zyga: like a full-one [07:54] that's fine [07:54] just wondering if everything you wanted in 2.43 is in master now [07:54] or is it likely we'll add more because there's known missing bits [07:57] zyga: didn't found the time these days to get thing working. Is difficult to explain, if you do it for free [07:57] zyga: Now i had another question [07:57] i just modified and build snap & snapd [07:58] And i don't want to replace the original [07:58] How do you test the new installation on the same machine ? [07:59] Or, do you use a vm ? I think about a user-systemd-service [08:01] sdhd-sascha: it varies [08:01] sdhd-sascha: it depends on what I changed [08:01] zyga: wait, i build a .deb package. [08:01] sdhd-sascha: snapd vs snap-confine or other programs [08:02] i have enougt machines. and can replace it [08:02] sdhd-sascha: I never build a distro package for that [08:02] sdhd-sascha: most often than not I use "make hack" or I build snapd and run it manually [08:02] I want to replace the snap cmdline and snapd [08:02] sdhd-sascha: (just stop snapd.socket and snapd.service before) [08:02] sdhd-sascha: for snap command you can just run it from the tree (go build ./cmd/snap and run it) [08:03] morning [08:05] zyga: until now i never wrote "go" before. So i just copied "strace", remove the timings and add "ltrace" into osutils/ltrace [08:06] sdhd-sascha: that's fine, go is easy to get into [08:06] sdhd-sascha: there are remarkably few quirks [08:06] zyga: the unittests runs. [08:07] sdhd-sascha: perhaps open a draft PR, it will be easier to give advice this way [08:09] zyga: if go had "tail-call optimization, then i would have started learning it earlier. [08:10] sdhd-sascha: if it mattered, it would be there ;) [08:11] zyga: yes, i read about it. the solved anything by iteration. But the parser's api looks good at the first look ;-) [08:12] PR snapd#7842 closed: tests: cache snaps also for ubuntu core and add new snaps to cache [08:15] hmm [08:15] can a snap have an app that is just called "hook"? [08:16] zyga: I don't think we have anything that would block that atm [08:16] right [08:16] just writing unit tests and got surprised [08:17] good morning pedronis :-) [08:18] wow [08:18] found a bug already [08:18] ValidateApp allows uppercase apps [08:18] but we don't allow that, do we? [08:18] at least, it was not allowed in the specs [08:19] * zyga checks other implementations [08:20] PR snapd#7775 closed: seed: support extra snaps on top of Core 20 dangerous models [08:21] mm [08:21] can app names have upper-cache characters? [08:21] \o/ another uc20 merged! [08:21] regexps say they do [08:21] * mvo hugs mborzecki [08:21] my memory says they don't [08:22] zyga: no [08:22] pedronis: we don't allow them? [08:22] we don't [08:22] pedronis: then we need to fix a bunch of things first [08:22] pedronis: I'll part my branch and address that first [08:23] we have ValidApp = regexp.MustCompile("^[a-zA-Z0-9](?:-?[a-zA-Z0-9])*$") [08:23] zyga: you can look at snap/naming/validate.go [08:23] yeah, I was there just now [08:23] writing tests and noticed one didn't fail as expected [08:23] ah, sorry, we do [08:23] I was confused [08:24] I read snap name [08:24] no, we allow them [08:24] what we don't allow is . [08:24] pedronis: so name like package.FOO is okay? [08:25] (for an snap+app name)? [08:25] seems so [08:25] ok then [08:25] back to my branch [08:25] :) [08:31] mborzecki: hi, what's the status of #7570 ? [08:31] PR #7570: [RFC] snap-mount-dir: add mount unit for snap-mount-dir [08:32] pedronis: i need to figure out the selinux errors that popped up there [08:37] #7840 is long but simple and could land easily [08:37] PR #7840: tests: use test-snapd-sh snap instead of test-snapd-tools - Part 2 [08:50] mborzecki: could you push your suggestions to #7555 when you have a slice of time [08:50] PR #7555: tests: add a test demonstrating that snaps can't access the session agent socket [09:01] pedronis: sure, can do [09:01] mborzecki: thx [09:08] mborzecki: pushed updates to https://github.com/snapcore/snapd/pull/7825 [09:08] PR #7825: many: use transient scope for tracking apps and hooks [09:11] mborzecki: have a look when you can, most of your comments can be resolved now, I think [09:11] I need to break for 30 minutes [09:22] mvo, hi, so I've been testing a bit more with the maas snap, I do still see snapfuse using 100%cpu [09:23] mvo, I see maas-related processes keep being restarted, and I'm not sure if this is because they're responding too slowly because of the snapfuse issue or if it's unrelated [09:27] ackk: do you know if data in the snap is getting accessed all the time? naively I would expect the snapfuse cpu usage to match access, and I would expect less access once things are running. maybe it's really a bug in snapfuse not just a perf issue [09:27] though [09:27] pedronis, yeah there's a lot of I/O [09:28] that sounds strange in itself [09:28] pedronis, I'm going to compare with the same snap unpacked and installed with try [09:31] pedronis: left a note under 7555, the snippet i proposed doesn't work on arch after all, guess it's the socket mediation that's still missing from the mainline [09:33] quick errand, back in 30 [09:35] mborzecki: sounds like we should merge it as is then [09:36] mvo: is #7817 ready for re-review? [09:36] PR #7817: boot,bootloader: make MakeBootable() uc20 aware [09:39] pedronis, yeah so same snap downloaded and unpacked works fine [09:40] ackk: when you say there is lots of IO, can you explain what kind of data is maas reading after startup? [09:40] (from $SNAP) [09:41] zyga, there's a lot happening at maas startup, including reading a lot python files. I'm not sure if that's the cause, but what I see is that supervisord spawns the different processes (named dhcpd squid ...), no error in logs, then after a few seconds they get killed and respawned [09:41] that doesn't happen if I unpack the snap [09:42] PR snapd#7844 opened: ignore visual studio code directory [09:42] ackk: ah [09:42] so it's essentially perpetual startup [09:42] zyga, correct [09:42] I was trying to understand if there's, normally, lots of IO after startup [09:42] zyga, no [09:42] why do they crash? [09:42] zyga, I mean, there is if your're synching imagaes [09:43] zyga, no idea, nothing in logs [09:43] can you see them via systemctl status [09:43] PR snapd#7845 opened: add prefix to SYSTEMD_SYSTEM_GENERATOR_DIR [09:43] I guess no, because supervisord [09:43] zyga, correct [09:43] well, that's something to debug then [09:44] I'm going to try in a fresh container [09:46] PR snapd#7837 closed: devicestate: implement creating partitions in "install" mode [09:47] pedronis: yes, I updated it this morning [09:47] pedronis: once that is in I have a simple followup that adds this call to the install handler in devicestate [10:01] pedronis, zyga not sure if my message got through before the split === igordhossegor is now known as 07EABDLLI [10:11] PR snapd#7846 opened: devicestate: add missing test for failing task setup-run-system [10:12] ackk: I didn't see it [10:23] Chipaca: ping [10:24] pstolowski: pong [10:25] Chipaca: i've updated/tweaked your check-skeleton PR but for some reason coudn't push to your PR; mind merging my changes from https://github.com/stolowski/snapd/tree/check-skeleton-check-interfaces if you're ok with them? [10:26] sure [10:26] you should be able to just push tho [10:26] pstolowski: what error does it give you? [10:29] Chipaca: nvm! i had your remote with https:// ; worked with ssh:// [10:29] pstolowski: :-D yeah happens [10:30] pstolowski: thanks, I put it in my queue for re-review [10:31] pedronis: there is one remaining remark from you about moving ParseMountEntry to shared. no strong opinion about that, can do [10:31] pstolowski: I'll look again, is not a blocker either way [10:37] re [10:37] pstolowski: btw, I'm doing a pass again on some of your pre-seeding PRs [10:37] pedronis: ty, just saw your comments [10:38] mborzecki: do you have a moment to finish the review of https://github.com/snapcore/snapd/pull/7697 ? [10:38] PR #7697: interfaces/apparmor: handle pre-seeding mode [10:39] pstolowski: sure, will do [10:55] PR snapd#7697 closed: interfaces/apparmor: handle pre-seeding mode [11:02] pretty annoying how github doesn't let you know the PR you're commenting on has been updated [11:08] pstolowski: question in #7320 [11:08] PR #7320: snap/pack, cmd_pack: 'snap pack --check-skeleton' checks interfaces [11:18] pstolowski: thx [11:19] PR snapd#7847 opened: Parse seed if either kernel or base are not mounted [11:22] snap run --strace hanging on 16.04 too: https://paste.ubuntu.com/p/FGK8JysymF/ [11:23] PR snapd#7848 opened: Mount ubuntu-data tmpfs, in one go with kernel & base [11:27] * Chipaca gets coffee [11:39] has anyone noticed that when there's a change in progress, and it's currently downlaoding a snap, runnig snap change in a separate terminal takes really long to show anything? [11:44] yeah [11:45] lock contention [11:45] we update the status a lot [11:45] wonder if that's beacuse of re-refresh taking state lock too often [11:45] perhaps that's that, though I didn't debug it that deep [11:45] re-refresh? [11:45] since it basically tries to run all the time [11:45] oh [11:45] perhaps [11:45] we could use read locks [11:45] and write locks [11:46] perhaps that would help reading the status [11:46] (or, you know, a real database) [11:46] or use the tracing endpoints and find out whihc lock is hit most often :P [11:47] it runs every 100ms, I wouldn't call it all the time [11:47] but could be [11:48] mborzecki: if there's a download going, there is the progress updates and polling as well [11:48] iirc there were also some patches from mvo to make download updates more coarse [11:50] mborzecki: anyway my point is that before fixing we need to know what is happening exactly, I wouldn't make changes based on speculation [11:51] yup [11:51] 100ms is a bit excessive [11:52] zyga: do you think you could check 7823 again? I fixed the bits you raised there [11:52] yup [11:53] mborzecki: yeah, it was really crazy in the past, it would update the progress for every packet basicly but that got fixed [11:54] mvo: done [11:54] thank you zyga ! [11:54] PR snapd#7823 closed: snap-bootstrap: implement "run" mode in snap-bootstrap initramfs-mounts [12:00] PR snapd#7844 closed: gitignore: ignore visual studio code directory [12:07] pedronis: thanks for the feedback in #7821, applied it [12:07] PR #7821: interfaces/seccomp: parallelize seccomp backend setup [12:07] oh and it needs a 2nd review [12:08] mvo: did you see my question whether 7817 can be re-reviewed ? [12:10] zyga: why is cmd/snaplock a thing? why isn't it in osutil? [12:11] we've put some random stuff in cmd but only when it was used from daemon and client and there wasn't a clear place for it [12:11] Chipaca: it was placed there after code review [12:11] and the imports were wrong for *util [12:12] Chipaca: it uses dirs, it not a util [12:12] here the imports are simple, and it's used from cmd/foo but also from overlord/snapstate [12:12] it's very specific [12:12] pedronis: we already use dirs from osutil [12:12] we don't [12:12] do so [12:12] osutil/strace/ [12:13] strace then is also wrongly placed [12:13] putting libraries under cmd/ is not a nice thing [12:14] Chipaca: putting things in util that are very snap layout specific is worse [12:14] maybe we should set aside an afternoon at a sprint or something and do an on-paper reorg [12:14] anyway strace is misplaced as is [12:15] Chipaca: snaplock is also there because the lock is also implemented in C similary for snap-confine [12:15] Chipaca: notice that we have C libraries in cmd [12:15] myeah [12:16] Chipaca: so basically as I see your point but it's more complicated, bleeding non utility things into *util is still worse in my book [12:17] it means you cannot expect them to be isolated [12:17] which as util they should [12:17] pedronis: for the record [12:17] pedronis: they are in cmd because there was aversion to a makefile in top level [12:18] pedronis: otherwise they could be anywhere [12:18] well we could have a different directory and some more Makefile fun [12:18] I'm personally not very offended either way [12:18] I mean by libraries under cmd vs not [12:19] I think we could use a top-level makefile that cleans up various per-directory makefile things [12:19] (separate of the library discussion) [12:19] it would allow us to reuse bits and not define the same things over inconsistently (e.g. libexecdir) [12:21] brb [12:22] PR snapd#7849 opened: osutil: cmd: add ltrace [12:22] 15 minute break, kids home [12:22] zyga: just created PR for "ltrace" [12:23] sdhd-sascha: cool, I'll check it out in a while [12:23] zyga: hope, i didn't make mistakes ... i really need to learn go first ;-) [12:25] mborzecki: thansk for the changes, they were not blockers, I made a follow up nitpick remark though [12:27] Chipaca: but yes I agree we need to reorg our code, there is too much things at top-level and some less than clean bits. OTOH can only be done when the open PRs are under control given the churn [12:29] hm we still have fwupd-refresh.service starting in debian-sid images [12:29] cachio: ^^ wasn't that explicitly disabled/removed at somep oint? [12:31] mborzecki, yes, the script has been updated [12:31] but the image is autogenerated on monday [12:31] I can manuallly trigger the update now if it makes sense [12:31] I just tested the script is it is disabling correctly the service [12:32] on debian 9 and sid [12:32] cachio: please do, the tests/main/degraded test keeps failing on sid [12:32] randomly [12:32] mborzecki, ok, I'll do it [12:32] cachio: thanks! [12:33] mborzecki, np [12:33] running [12:40] PR snapcraft#2831 closed: appstream extractor: add support for code [12:43] re [12:43] back with hot tea [12:43] sdhd-sascha: is sudo required there? [12:44] not sure, on my test machine i runs without sudo [12:44] sdhd-sascha: ok, I _suspect_ it may not be required, unlike strace [12:44] zyga: you mean "sudo snap run --ltrace ..." ? [12:44] no, I mean, internally can it not use sudo and still work [12:45] zyga: most of the code is adapted from strace . And the commands are very similar [12:45] yeah but the reason is different [12:45] strace uses ptrace [12:45] but there is no static ltrace and no timings [12:45] ltrace seems to only use it in a debug code [12:45] it would be good to check if it's really required [12:45] one more thing [12:45] can you look at tests/main/snap-run [12:45] and there at task.yaml [12:46] it exercises snap run --strace [12:46] it would be good to extend that to ltrace [12:46] I can tell you how to run those tests [12:47] zyga: HACKING.md: "### Running spread tests" ?? [12:48] yes [12:48] not sure how correct that is [12:48] I guess you will find out [12:49] zyga: sure -- it's little bit cold here ... good time to start some vm's on the server ;-) :-D [12:57] zyga: where does snap-update-ns output finishes here: https://github.com/snapcore/snapd/pull/7728/files#diff-e4c8d0c72c7b412376e0a04e6ad4db41 ? [12:57] PR #7728: cmd: implement snap run --explain [12:57] pedronis: because that example doesn't use a mount profile [12:58] pedronis: there should be a [snap-confine (returning)] section or something like that [12:58] I'm looking at that no [12:58] just adding headers via << >> first [12:58] well I wanted to play with << >> first [12:58] not sure they are better [12:58] pedronis: yeah, I added Header() so it's easy to change :) [12:59] I wanted to give you a changed .in [12:59] ok [12:59] go ahead, I'll integrate it [12:59] I think we need to expand the test though, it doesn't handle enough of explain cases yet [12:59] but it's a good first start for now [13:01] * Chipaca wonders what the area under a patch is, to integrate it [13:02] Chipaca: it's just len(bytes) :D [13:02] zyga: this line in HACKING.md is scary: "curl https://niemeyer.s3.amazonaws.com/spread-amd64.tar.gz | tar -xz -C $GOPATH/bin" [13:02] i will build this from repo. [13:02] you can build it [13:03] sdhd-sascha: or snap install spread [13:03] although that one's a little old [13:03] * Chipaca promised to update it and has only found 1h to work on it so far [13:03] Chipaca: +1 [13:04] ijohnson: quite puzzled that SNAP_CONTEXT is not triggered when running run-checks [13:04] zyga: my question was where would that snap-confine returning be placed ? After the whole Configuring mount namespace according to mount profile section? [13:04] ijohnson: can you bash -x run-check --unit maybe? [13:06] mborzecki: sure after I finish breakfast :-) [13:06] ijohnson: hah sure ;) enjoy your breakfast [13:06] Chipaca: What's need to be updated there ? [13:06] mvo: with #7837 landed, can #7762 be closed? [13:06] PR #7837: devicestate: implement creating partitions in "install" mode [13:06] PR #7762: devicestate: core 20 install mode handling <β›” Blocked> [13:07] sdhd-sascha: the snap package has a few issues, that i'm wanting to fix [13:07] sdhd-sascha: like not being able to access ~/.spread for example :) [13:08] sdhd-sascha: and not having a runnable kvm in it either [13:09] Chipaca: ah, ok - i will try it ;-) [13:10] pedronis: the returning message is in snap-confine [13:11] pedronis: I added Header now but I'll wait for your call to change it to << >> or whatever else [13:11] cmatsuoka: can be useful for reference, but it's fine to close it [13:12] zyga: I'm trying with <<, not super happy though, mostly because they don't take up vertical space [13:13] also pastebin doesn't like my paste atm [13:13] mvo: ok. I'll add a comment listing the split PRs [13:13] oh? [13:14] ah, pastebin doesn't like <> [13:14] evil html javascript hackers [13:14] use kannada [13:15] cmatsuoka: thank you [13:15] zyga: not sure, seems to have problems [13:16] zyga: anyway I tried this: https://gist.github.com/pedronis/93703067a720d6ddce49cf6351f44ca5 [13:16] looking [13:16] notice that << is one change, the others are indentation and I reformulated one thing [13:16] ok [13:16] let me compare [13:18] fwiw i meant ᐸᐳ instead of <> but was mostly joking (as is https://github.com/vasilevp/aboriginal ) [13:19] zyga: btw, do you remember why you picked [ ] initially ? they make me think of .ini files tbh [13:20] pedronis: we just tried things until it looked good enough [13:20] PR snapd#7762 closed: devicestate: core 20 install mode handling <β›” Blocked> [13:20] zyga: anyway as I said, not super happy with << either [13:20] need to think a bit [13:23] pedronis:, Chipaca #7320 is green, ok to land? [13:23] PR #7320: snap/pack, cmd_pack: 'snap pack --check-skeleton' checks interfaces [13:24] pstolowski: thank you [13:25] mborzecki: another comment in 7821, sorry [13:25] pedronis: haha i should get another coffee [13:25] PR snapd#7320 closed: snap/pack, cmd_pack: 'snap pack --check-skeleton' checks interfaces === ricab is now known as ricab|lunch [13:35] pedronis: applied, double checking if it passes and if I missed anything [13:35] pedronis: I'll push when ready [13:36] pedronis: as for headers, perhaps for explain we could use terminal features (colors, bold, etc)? [13:39] zyga: possibly yes, maybe Chipaca has input on that [13:41] maybe :) [13:41] zyga: what headers? [13:41] Chipaca: please look at https://gist.github.com/pedronis/93703067a720d6ddce49cf6351f44ca5 [13:41] Chipaca: headers are << foo >> lines [13:42] ah [13:42] nice [13:42] hm [13:43] do we want this to be parseable in any way? [13:43] i don't know if the first line is a message to the user or a feature or a complaint :-) [13:44] no, I don't think parseable is a requirement [13:45] we likely would do something very different if it was meant for machine consumption [13:47] ok [13:47] Should we remove *.deb packages ? because on master it isn't buildable [13:47] sdhd-sascha: ? [13:48] sdhd-sascha: master should be buildable to a .deb (and an .rpm) [13:48] sdhd-sascha: in fact we build it to a deb every spread run [13:48] and i think we also build an rpm every test run but am not 100% sure [13:50] Chipaca: on thought it was on my local machine, but then i tested it on https://launchpad.net/~sdhd/+archive/ubuntu/snapcore/+build/18206983 [13:50] it's master plus my small patches [13:52] Chipaca: i will look later, maybe something wrong with the recipe ?... [13:52] mborzecki: so when I run with run-checks, it seems that all of the packages are listed in the cmdline to `go test ...` but if I just do `go test ./...` in the root of the git repo I hit that test failure every time [13:52] pedronis: a (maybe high-level?) review of 7817 would be great [13:52] mborzecki: hey, fyi https://github.com/snapcore/snapd/pull/7555#discussion_r354323376 [13:52] PR #7555: tests: add a test demonstrating that snaps can't access the session agent socket [13:55] jdstrand: thanks for the comment, let me check that again, but there was no denial related to the session agent socket [13:56] mborzecki: there would not be if you went to forced devmode. check the profile [13:56] jdstrand: there was one related to dac override when i executed part of the test that runs curl as root [13:57] jdstrand: ok, let me start the test again [13:57] mborzecki: actually it's that run-checks will sneakily find go 1.10 to run my tests with, even though I have go 1.13 installed and that specific test fails on go 1.13 but works on go 1.10 [13:57] mborzecki: you may also want: sudo sysctl -w kernel.printk_ratelimit=0 [13:58] mvo: ok [13:59] mborzecki: to avoid kernel rate limiting. also, if you are ever thinking that the kernel is rate limiting, reload the profile and try again (even with the above sysctl, this is still needed with, for example, capability denials) [14:01] > i will build this from repo. [14:02] sdhd-sascha: Make sure you read the source.. :) [14:02] niemeyer: :-D [14:02] mborzecki: not sure what your local test was, but keep in mind, test -S won't trigger the denial. [14:03] jdstrand: the test is what's done in 7555 [14:05] mborzecki: ok, so if you ran spread, then look at test-snapd-curl.curl's profile to see if it is the classic template. if not, see if there are any matching rules [14:09] Bug #1617302 changed: Specifying a nonexistent plug does cause any errors [14:11] ijohnson: your go 1.13 is from a snap right? so SNAP_CONTEXT would be set when you run `go test ./...` [14:11] mborzecki: yes [14:13] mborzecki: it fails with go 1.10 as a snap too, so that's all it is [14:13] ijohnson: ok, easy to check, https://play.golang.org/p/_MvNzO2qf3i should print the actual context [14:13] ijohnson: if you go run it with 1.13 [14:15] mborzecki: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/linux/lsm_hooks.h#n763 [14:15] "Whereas binding and connecting to sockets in the file name space is mediated by the typical file permissions (and caught by the mknod and permission hooks in inode_security_ops), ..." [14:16] mborzecki: yes you're right it's just any go version from a snap will fail that test, I left a comment in the PR [14:16] jdstrand: nice, thanks for the link! [14:16] np [14:18] Hey guys! I've spend my time today figuring out Ubuntu Core a bit, and seems awesome. Although, I have another question (the first one I asked on the forums, which got answered quickly, thanks for that! <3): how is the update from Ubuntu Core 16 to 18 planned for devices in the wild, and maybe later from 18 to 20? Will this also in a transactional [14:18] manner? Or is this something that isn't going to be automated? [14:18] I've seen a core16 and a core18 snap, and someone nearly succeeded in just upgrading this snap - but will there be some official procedure? [14:32] 16 to 18 is kind of -> send someone out with USB key :) [14:33] core20 will have a new cool feature called re-modeling that will exactly cover switching to a new version ... but at the same time core20 will also come with a completely new partitioning scheme out of the box ... not sure if that will be covered ... [14:34] pedronis, ^^^ do you know ? [14:37] Oeh, that's fancy! Any release schema for core20? Because we are also still developing the Ubuntu Core setup, and when it'll be released in beginning of 2020, we should be able to wait for that just fine :). [14:37] ogra: remodeling is not core20 only [14:37] And I think that the migration to Ubuntu Core will happen with sending someone out with a USB stick :P [14:38] sure, but if you can keep the frequency low i bet thats better :) === ricab|lunch is now known as ricab [14:38] pedronis, ah, so core18 will get it too ? [14:38] yes [14:39] then i take back the USB statement :) [14:39] the beauty of rolling releases :) [14:39] Indeed, the company I'm developing this software for does not really like the fact that they've to send an engineer throughout NL :-P. Luckily it's a small country, but still [14:40] Oh, thats awesome! So then I'm just able to continue with core18 and when remodeling is released I will be able to upgrade to core20?! 😍 [14:40] technically yes ... practically there is that new partitioning scheme .... not sure how that will be handled during re-model [14:41] I see [14:41] i know mborzecki did an awesome job doing gadget upgrades (which holds the partitioning info) but i dont know if that will be integrateable with re-modeling [14:42] ogra: we do upgrade gadget during remodel, but the scheme must be compatible (the same to be exact) [14:42] yeah, thats what i feared [14:42] so 18 to 20 might be tricky [14:43] unless we start soon with providing core18 images with the same partitioning scheme that core20 will have [14:44] (or at least example gadgets for customers to base on) [14:44] Wouter0100: we plan to support 16->18 via the network, there shouldn't be any need for a usb stick here. it's a special case of the "remodel" feature that got recently added [14:44] 18->20 is a bit more fuzzy at this point but I'm pretty sure we will support it, it may just be that you won't get some of the advanced features like recovery/encryption because the partition layout of 16/18 is not flexible enough for this [14:45] ogra: we are recommending/considering that for some of the recent core 18 projects, to start with a more compartible layout, at least to have the space [14:46] pedronis, yeah, we should start pointing people to the example gadget.yaml so they know what partitions are needed [14:46] don't think we have plans to do that for the references images though [14:46] yep, understood [14:47] * zyga is in a car now [14:47] pedronis: please have a look at https://github.com/snapcore/snapd/pull/7728 again, [14:47] PR #7728: cmd: implement snap run --explain [14:47] I think the expected.in file is now what you specified [14:48] PR snapd#7850 opened: apparmor: allow 'r' /sys/kernel/mm/transparent_hugepage/hpage_pmd_size [14:49] I see, awesome. Then i'll have a look if I'm able to use the new partition layout for 18. And encryption? Is that something coming in 20? As I've discussed that with my customer that I'm developing this for, and at first said it wasn't possible - but if that would be possible in 20 - some additional leverage to get Ubuntu Core through :) [14:51] Wouter0100: it will come with UC20 (encryption) [14:52] but later in 20, right? [14:52] PR snapd#7851 opened: tests: use test-snapd-sh snap instead of test-snapd-tools - Part 3 [14:55] mvo that's awesome [14:56] Chipaca: well, potentially later, we aim still to release with it but it will be a challenge :/ [14:56] When will UC20 release then? :O [14:57] Or no ETA planned? [14:57] * cachio lunch [14:57] Wouter0100: 20.04 AFAIR [14:58] Wouter0100: roughly at the same time as 20.04 is what we aim for. no exact date set yet though. and we want to have the encryption ready by that date but it's a complex feature that we need to get right so this part *might* slip [14:59] but we *really* want to have it as part of the first uc20 release and work very hard to make this happen [15:01] 20.04 is for amd64 [15:02] pedronis: indeed [15:02] sorry, did I miss some context and this was about non amd64? the non-amd64 will come a bit later, not april 2020 [15:03] jdstrand: this is weird https://paste.ubuntu.com/p/8FWf5S8rcv/ [15:03] mvo: I'm not sure, just making clear that 20.04 is not for all archs [15:03] +1 [15:07] mborzecki: is the curl command actually talking to the right thing? you can snap run --shell and try the head and the curl [15:08] mborzecki: fyi, for hpage_pmd_size: https://github.com/snapcore/snapd/pull/7850 [15:08] PR #7850: apparmor: allow 'r' /sys/kernel/mm/transparent_hugepage/hpage_pmd_size [15:08] jdstrand: this is even more interesting https://paste.ubuntu.com/p/Wk4GHjfQKJ/ [15:10] jdstrand: and it's using the same path [15:10] mborzecki: hmm. so, seems like there is something fishy going on in the snap run/snap-confine areas [15:11] I think an strace is in order to see how snaap-confine is being invoked [15:11] jdstrand: but the last paste is without s-c, just system curl vs head under the same profile, curl works, but head is blocked [15:11] mvo i see, thanks! [15:12] mborzecki: oh, I misread that. need to strace that first one [15:13] jdstrand: it's doing connect https://paste.ubuntu.com/p/nZvBJjJtW3/ maybe that isn't mediated as per file hooks? [15:16] pstolowski: it's not hookstate importing ifacestate, it's hookstate/ctlcmd right? [15:17] Is there any way for a snap to postpone a refresh by a couple of minutes or houes? The snap I develop sometimes requires to be not interrupted. I could schedule [15:18] I could schedule the refreshes for in the night, but can't guarantee that it'll be possible then. I've also seen a feature for network manager to postpone a refresh when on metered connection, but no hook or other ability to integrate this in my snap [15:18] Wouter0100: not yet, but is a planned feature [15:18] hmm is there not a "AsDesigned" status for lp bugs? I seem to remember there was but perhaps that was another old bug tracker [15:19] WontFix seems the closest to this [15:19] ijohnson: nope, no asdesigned on launchpad [15:19] yea, it needs to be WontFix [15:19] yeah must have been another bug tracker I'm thinking of [15:19] ijohnson: no LolNo either :-( [15:19] Chipaca: what about OMFGYASSS ? [15:20] pedronis awesome! Do you know the issue for that? Can't seem to find it. I might try to contribute such thing myself - if that's allowed. [15:20] jdstrand: ok, using the same code for both scenarios and path is used explicitly, https://paste.ubuntu.com/p/GKTxkfH2GY/ [15:21] Wouter0100, just work with the various channels ... leave your install on stable (or beta) and do all your work in edge ... only push it up to the next channel when you think it is ready [15:21] ijohnson: is that a Status, or an Importance? [15:21] both imho [15:21] :) [15:21] * ijohnson stops distracting people [15:21] * ijohnson for now [15:22] Wouter0100: no issue yet, it needs to interact with permissioning because we dont want to allow arbitrary delays. Also usually a snap needs to stop refreshes of more than itself [15:23] Yeah, that's correct.. also for some networking snaps possibly. And I see, a more complicated matter. [15:24] pedronis: yes yes [15:24] pstolowski: that's totally fine [15:25] ctclmd is slightly oddly placed itself but that's different matter [15:25] pstolowski: ifacestate imports hookstate so that import would not have worked [15:26] PR snapd#7852 opened: devicestate: call boot.MakeRunnable() in devicestate [15:29] pedronis: right === Son_Goku is now known as Conan_Kudo === Conan_Kudo is now known as Son_Goku [15:29] jdstrand, mborzecki: what's going on? [15:30] pstolowski: +1 with two comments, one is really for a follow up at this point [15:30] zyga: see my last paste, there's a /run/user/12345/snapd-session-agent.socket, the test in #7555 checks that the snap cannot access it, the check fails on arch [15:30] PR #7555: tests: add a test demonstrating that snaps can't access the session agent socket [15:31] mborzecki: do you have denials? [15:31] what's the permission on the socket? [15:31] mborzecki: did we rule out DAC? [15:31] zyga: it is failing open [15:32] mborzecki: ah, wait, so the test fails because you *can* access it? [15:32] jdstrand: right [15:32] zyga: connecting using python (no s-c or snaps involved), while running with the profile, can access it as the user (unexpected), but not as root (expected) [15:32] mborzecki: can you pastebin the apparmor profile for the snap please [15:32] I'm in a car but I can look [15:32] (not driving) [15:33] mborzecki: I'm in two different conversations and will circle back to this in a few minutes [15:33] jdstrand: sure [15:33] jdstrand: hey, can you try to review snap-explain patches, just the snap-confine C changes [15:33] jdstrand: there are two printing functions there, some getenv [15:33] jdstrand: but you need to look if we hope of having it for 2.43 [15:34] zyga: https://paste.ubuntu.com/p/N2r2n5T26b/ [15:34] zyga: oh, and it's on arch [15:34] zyga: it is on the list. there are a pile of store reviews I need to tend to though first [15:34] thx [15:34] jdstrand: ack, no rush, it's not a priority item, just a nice-to-have [15:34] zyga: I'll try later today/tomorrow [15:34] thanks [15:35] mborzecki: what's the owner of the socket? [15:35] zyga: the test user, it's a session service [15:35] pedronis: thanks [15:35] mborzecki: owned by 12345? [15:36] zyga: yup [15:36] mborzecki: can you try to run apparmor parser [15:36] mborzecki: and get a pre-processed profile [15:36] mborzecki: with all includes resolved [15:36] mborzecki: it could be an arch bug in the include statements [15:36] mborzecki: (in the things that get included) [15:36] I'd tell you the command but I'm on fedora now [15:37] mborzecki: if you get that please pastebin the result [15:38] zyga: this shoudl be it https://paste.ubuntu.com/p/yNTxCKq5Wh/ [15:39] k [15:39] mborzecki: nothing, it's good :/ [15:39] well [15:39] magic [15:39] it's 5.4.1 kernel, in case that matters [15:47] mvo: I did a pass on 7817 [15:48] mborzecki: is this a regression? [15:59] hmmm, good question, there's isn't much of an older kernel in arch to try out ;) [15:59] pedronis: THANK YOU [15:59] pedronis: :) [15:59] pedronis: in a meeting now, but will jump to it right after [16:00] mborzecki: is this a new test? [16:01] zyga: yes, #7555 [16:01] PR #7555: tests: add a test demonstrating that snaps can't access the session agent socket [16:01] Aha [16:02] Does it pass on tumbleweed? [16:02] zyga: it's supposed to run on ssytems with strict confinement, i recommended looking at specific features, jdstrand pointed me to relevant part of kernel where unix socket connect should be mediated as file operations, but it's failing (?) [16:02] zyga: i think we degrade the apparmor profile on TW [16:04] We do not [16:04] mvo: I don't understand why we need MakeRunnable now that we pass options to MakeBootable [16:09] well, we don't but we could/should [16:12] pstolowski: mborzecki: does this PR description look ok now? https://github.com/snapcore/snapd/pull/7843#issue-349074423 [16:12] PR #7843: tests/cmd/snapctl: unset SNAP_CONTEXT for the suite [16:14] ijohnson: yes [16:15] ijohnson: yeah, land it [16:18] zyga: what is the purpose of decode-mounts-opts ? I don't see it invoked anywhere [16:18] done [16:18] PR snapd#7843 closed: tests/cmd/snapctl: unset SNAP_CONTEXT for the suite [16:19] pedronis: iirc the pr using that is still on review [16:20] pedronis: I'm happy to change it so that we can use MakeBootable() for that we need a way to say if it's from PrepareImageTime or from install time. I could add something to "BootsWith" or I could add "opts *bootloader.Options" to MakeBootable (but then we would import bootloader in higher level code :/ [16:20] pedronis: anyway, open for suggestions [16:21] pedronis: also I should probably reply in the PR instead of here - let me do that - sorry [16:21] zyga: jdstrand: behaves the same on tumbleweed with 5.3 kernel [16:22] mborzecki: ack, I'm looking at this now. I'm going to distill this down and then talk to jj about it when he comes online [16:22] mvo: I'm confused because the other PRs has TODOs like: I don't understand why we need MakeRunnable now that we pass options to MakeBootable [16:22] mvo: oops [16:23] mvo: TODOs like: // XXX: allow to override this [16:23] mborzecki: I suggest moving on for the time being until I circle back [16:23] jdstrand: ack, need to take my son to the swimming pool, so eod'ing anyway [16:24] pedronis: my original idea was to (re)use MakeBootable but I'm not sure it's the best fit anymore. But happy to chnage the PR accordingly. we just need to decide how the options are passed [16:25] jdstrand: the preprocessed apparmor profile from arch https://paste.ubuntu.com/p/yNTxCKq5Wh/ [16:25] mvo: I'm also not sure I understand why we need to pass RecoverySystem [16:26] mvo: yes, we need to agree on what we want [16:26] pedronis: I can leave this out for now, it will become clearer late, we will need to write the "modeenv" file on the real run [16:27] pedronis: the modeenv will contain the recovery_system because when the "run" system boots it will also seed itself and it needs to know what to seed (or am I missing something?) [16:27] mvo: ok [16:28] pedronis: sorry, maybe I'm slicing it too much :/ I can make a bigger PR that includes more maybe? [16:28] mvo: I think I'm confused because we have two many half done things in this area [16:28] and they start not to match [16:28] pedronis: yeah, maybe it's better to create a big(ger) PR? [16:28] mvo: or try to go step by step [16:29] pedronis: that implements most of the MakeBootable/MakeRunnable [16:29] instead of rush ahead [16:29] we haven't even set up the install system full correctly or not? [16:29] pedronis: you mean, wait until e.g. 7817 is merged before opening the next one? [16:29] mvo: do we have the boot until install fully working? [16:30] there is quite a few XXX in 7817 [16:30] mvo: how do we find the kernel? [16:30] pedronis: I think with 7817 we should have a working boot into install mode [16:30] there [16:31] pedronis: kernel is found via grub.cfg from the recovery [16:31] pedronis: it will scan the disk and pick the kernel it finds [16:31] maybe the issue is also that the grub cfg are still in the gadget [16:31] and I haven't looked at them in a bit [16:31] mvo: anyway meeting time [16:32] pedronis: indeed [17:12] hmmm travis is taking ages.. [17:44] 7768 needs a 2nd review [17:48] travis is spinning on 'job received', and not progressing [17:52] pstolowski: I've seen that before it for some reason always seems to happen after EOD for EU timezones :-/ my working guess is that the nightly jobs are configured to run after EOD for someone in EU and so PR's submitted during that time have to wait for those nightly jobs [17:52] cachio: do you know when the nightly spread-cron tasks are configured to run ? [17:53] pedronis: I can do a review of #7768 in my PM I think [17:53] which task ? [17:53] ijohnson: great [17:53] PR #7768: interfaces: add raw-volume interface for access to partitions [17:53] cachio: https://github.com/snapcore/snapd/pull/7771 [17:53] cachio: any of them? [17:53] PR #7771: o/hookstate/ctlcmd: snapctl is-connected command [17:53] ijohnson, this is the main project [17:53] https://github.com/snapcore/spread-cron [17:53] then in any branch there is a task [17:53] cachio: right but when do the tasks run? [17:54] ijohnson, it is defined in a file, this is an ecxample https://github.com/snapcore/spread-cron/blob/gce-update-centos-7/options [17:54] ijohnson, cachio may i ask either of you to retry https://github.com/snapcore/snapd/pull/7771 some time later and land if it's green? [17:54] PR #7771: o/hookstate/ctlcmd: snapctl is-connected command [17:54] ijohnson, this is another example https://github.com/snapcore/spread-cron/blob/snapd-trusty-sru/options [17:55] pstolowski: sure [17:55] ijohnson: thanks. i'm eod'ing\ [17:55] pstolowski, sure [17:55] ty [17:55] cu [17:55] cachio: so that first one you posted has `$(date +%H%M) \< "1100"` is that evaluated on travis ? [17:56] ijohnson, no [17:56] this is evaluated in a vm in an internal env [17:56] ijohnson, it evaluates every 10 minutes aprox any branch [17:56] and executes the run-checks fiel [17:56] file [17:57] cachio: any idea what TZ that internal VM is on? [17:58] ijohnson, no [17:58] I can check [17:58] give me 2 minutes [17:58] a virtual one perhaps [18:00] ijohnson, https://paste.ubuntu.com/p/NVSdkZJyk8/ [18:03] cachio: thanks, so it seems that if some of the tests are generally written to run after EOD on that machine they will run right around now [18:04] ijohnson, nightly suite is configured like pattern_extractor="if [ $(date +%H%M) \< "0200" ]; then echo ""; else date +%Y%m%d; fi" [18:05] the rest of the branches which run tests are configured based on other triggers [18:05] for example [18:05] the core snap was promoted to candidate [18:05] so tests run using the new core snap [19:17] cachio: sorry was at lunch, but so does that pattern mean that the job only runs when it is later than 0200 UTC? or it only runs when it is before 0200 UTC? [19:20] ijohnson, it prints the date and it is executed when [ $(date +%H%M) \< "0200" ] is not true [19:20] so it runs after 2am [19:20] after 2am it prints the date [19:20] so anytime later than 0200 is when the test gets executed? [19:20] and it is compared with the previous date non empry [19:21] and if it is different then the job is executed [19:21] first try after 2am it will be executed [19:22] but what controls when this check is performed then? [19:23] ijohnson, the code where this is controlled is https://github.com/snapcore/spread-cron/blob/master/cron.sh [19:24] we have a snap which runs this constantly [19:25] I see, so it's not really deterministic when these jobs actually run, the pattern there really just defines when this agent shouldn't run the job [19:26] ijohnson, it runs at some poing after 2am [19:26] usually before 0230 [19:27] when the scirpt processs that branch [19:27] cachio: ok thanks for explaining [19:27] is that the only job that has a time of the day trigger? all other jobs are event based? [19:27] ijohnson, why? [19:27] do you need any change? [19:29] cachio: I'm wondering because it seems somewhat frequently that we have the issue Pawel has this morning where Travis is stuck in the "job received" state sometimes for a couple hours [19:29] I was thinking this was causing that somehow === ricab_ is now known as ricab [19:32] jdstrand: hi there! is there any way to constrain kernel-module-control to only be able to load one specific module? [19:32] all the jobs we use for update images are time base [19:32] base are triggered on monday [19:32] ijohnson, you can see here when the jobs ran https://travis-ci.org/snapcore/spread-cron/branches [19:34] ijohnson, I jsut retrigger debian 9 [19:34] thanks for that cachio, it seems a bit like that isn't the cause of the "job received" issue [19:35] ijohnson, perhaps it is caused because too many jobs running for the same project [19:35] perhaps there is a limit [19:35] not sure [19:39] roadmr: no. but we have the kmod backend that is meant to load modules on behalf of the snap. what module? [19:40] cachio: could be, anyways it seems Pawel's PR failed on Ubuntu due to mount ns changes, the cgroup mount now seems to be ro instead of rw as expected? was there recently an ubuntu 16.04 image change recently? [19:40] jdstrand: I don't know, but I can ask. The snap in question is domotzpro-agent-publicstore. I can point them to examples of using kmod to load the module they need, if you point me to some, in turn :) [19:41] roadmr: well, it doesn't work quite like that. if we know the module, we can consider adding it to a new or existing interface [19:41] roadmr: but it would be hardcoded in snapd, not something that they declare [19:41] right... I see [19:42] roadmr: typically a brand store will do this via their kernel. there may be a way to do it via the gadget, but idk otoh [19:43] jdstrand: right, this is intended to be in the public store :/ so that's the boggle here [19:43] they said they'd look at options on their side including making do without the module loading capability, but were asking if we had something else to use [19:43] roadmr: we really need to understand a bit more what they are trying to do if they want to target the public store [19:44] jdstrand: fwiw this is a customer (domotz/fingbox) and they do have a brand store, but because reasons, they want this particular snap to be on the global store [19:44] roadmr: it is hard to recommend something without knowing the module in question [19:44] just saying we need to load modules is too vague for that space [19:44] jdstrand, pedronis : ok, let me ask them for more details and get back to you [19:45] pedronis: it is possible for use to have a generic interface that lists the modules to load as attributes and shove that into the kmod backend. not suggesting that, but this conversation made me think of that [19:45] us* [19:45] we protect those attributes via snap decl like with personal-files/system-files [19:46] s/those attributes/that attribute/ [19:46] jdstrand: yes, that's an approach, but we would still like to know whether a more specific or an addition to an existing interface would make more sense I think [19:46] anyway, putting it out there for background thought [19:46] anyway even for that case we know the list of modules [19:46] *we need to know [19:46] for sure. need to know the modules :) [19:47] I've asked, will wait for a reply from them folks :) [19:48] roadmr: you might not suggest my otoh comment there at the end. I don't know if we want to go there [19:48] I was more just mentioning that to pedronis as food for thought [19:50] jdstrand: I haven't offered anything concrete until I know more, just told them to get us more info so we can give them options that suit their use case [19:53] jdstrand: quick question, do you think layouts should be allowed for new top-level directories in "/" ? I tried creating one and it failed because snap-update-ns isn't allowed to create a mimic on top of "/" and I'm not sure if this is intentional or a bug [19:53] jdstrand: denial looks like type=1400 audit(1575575534.977:339): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 profile="snap-update-ns.my-snap-name" name="/tmp/.snap/" pid=39112 comm="7" srcname="/" flags="rw, rbind" [19:58] ijohnson: it's a limitation of the current implementation [19:58] pedronis: ah ok [19:58] in principle we could allow some subsets of layout at that level carefully [19:58] but needs implementation changes [19:58] so it could work someday and is kind of a bug that it doesn't work today [19:59] it's kind of a bug, but given is top-level and doesn't work we haven't decided the exact policy [19:59] I mean in general is a limitation, specific instances might still not work [19:59] oh actually if I had read the docs the doc does say that you can't do that [19:59] because of security/policy reasons once implemented [19:59] perhaps what we should do is add a warning or fail during install/validation of a snap.yaml declaring those [20:00] until the implementation could support it [20:00] ijohnson: yes, it is known not to work, so not surprised it is documented as such [20:00] yes my fault for not reading docs closely enough :-) [20:01] ijohnson: saw your comment, did we hit another instance of the baseline of the mountspace checks changing behind our backs? [20:03] pedronis: yes I think so [20:03] this is getting a bit tedious [20:03] maybe we should rethink how we compute the baseline [20:10] pedronis: unless somehow snapctl is remounting cgroups /o\ [20:10] I hope not [20:11] ijohnson: it's the kernel again [20:11] we decide to stick with the old one [20:11] but didn't [20:12] or something like that [20:12] cachio: did we re-build new images with the wrong kernel ^ ? [20:15] pedronis, in bionic? [20:16] pedronis, we should be using 4.15 [20:16] cachio: seems xenial now [20:16] pedronis, ah, I just updated bionic [20:16] pedronis, I can update xenial as well [20:17] cachio: let me point to the failing PR [20:17] I'll make the change [20:17] cachio: the issue is here: https://github.com/snapcore/snapd/pull/7771#issuecomment-562283907 [20:17] PR #7771: o/hookstate/ctlcmd: snapctl is-connected command [20:19] pedronis, thanks [20:19] I'll take a look to the image and I'll make the change to see if that fixes the issue [20:19] pedronis, it is pretty similar to the issue we saw in bionib [20:19] bionic [20:20] cachio: yes, that's why I asked about the kernel, it seems similar [20:26] pedronis, xenial has 4.15.0 [20:26] the problem could be something else [20:28] ijohnson, the problem in bionic was caused by the kernel v5.0 [20:28] in this case in xenial the kernel is 4.15 [20:28] so I am not sure if the problem could be different [20:28] both mount-ns tests failed? or just 1? [20:29] PR snapcraft#2832 opened: appstream extractor: take xml comments into account [20:30] Is there a way to get a snapcraft package to stage packages from a third-party repo? [20:31] cachio: sorry multiple tests failed I don't remember all of the test names [20:32] ijohnson, np, lets wait for the results again [20:32] k [20:46] ijohnson, 2019-12-05 20:28:10 Aborted tasks: 0 [20:46] 2019-12-05 20:28:10 Failed tasks: 1 [20:46] - google:ubuntu-16.04-64:tests/main/mount-ns:inherit [20:46] just one failed [20:46] the other passed [20:46] I think this is something new [20:47] ijohnson, the images was updated 4 days ago [20:47] so this is some new package or a change in the code [20:47] hmm this does seem different from the bionic issue [20:54] ijohnson, my PR also failed on that test [20:55] well something updated it just seems a question of what updated [21:02] PR snapd#7853 opened: [RFC] boot,bootlaoder: setup the snapd_recovery_kernel grubenv [21:04] well after looking into it some more it seems like /sys/fs/cgroup _should_ be mounted ro, I'm not sure why our tests have it as being mounted rw [21:04] I can submit a PR in a little bit updating the tests I think to unbreak master at least [21:05] would be good to understand why it was measured as being mounted rw however [21:08] ijohnson, perhaps we could review it with zyga tomorrow [21:08] it is weird [21:28] o/ [21:29] I'm back but too sleepy to work [21:29] see you tomorrow [21:29] ijohnson: I saw the failure [22:26] so recent core (snapd) now prevents installing lxd inside a lxd container, breaking our daily CI and probably a bunch of systems out there [22:27] jdstrand: as the only snap person who may still be awake, any idea of what changed in that last core (and snapd) update that could cause issues? [22:27] inception 🀯 [22:28] as far as I can tell, it only affects the LXD snap and it may be apparmor related though I'm not getting any record denials [22:28] the culprit is snap-confine getting spawned and being told no by the kernel (looks like) [22:28] 2686 execve("/snap/core/8213/usr/lib/snapd/snap-confine", ["/snap/core/8213/usr/lib/snapd/sn"..., "snap.lxd.activate", "/usr/lib/snapd/snap-exec", "lxd.activate"], 0xc4203272c0 /* 19 vars */ [22:28] 2676 pselect6(0, NULL, NULL, NULL, {tv_sec=0, tv_nsec=20000}, NULL [22:28] stgraber: I'm afk for a little bit but I'll be around a little later to discuss more [22:28] 2686 <... execve resumed> ) = -1 EACCES (Permission denied) [22:34] stgraber: man page says that could also be due to the filesystem being mounted noexec, is that possible? [22:34] no [22:35] stgraber: Could you post a full strace log? [22:36] pastebin rejects it, too large [22:39] How large is the log? Could you email it? [22:39] aiee folks use one of the shared servers! [22:40] you both have access :) [22:40] ijohnson: http://paste.ubuntu.com/p/rDRxqrdXn9/ [22:40] ijohnson: un-b64 and un-gz to get the original [22:40] clever solution :) [22:41] roadmr: pretty used to having to extract crap from random user systems behind a bunch of firewalls and such :) [22:41] haha [22:44] stgraber: thanks I'll let you know if I figure anything else out, and make sure that the rest of the Snapd folks take a look in their morning [22:45] ijohnson: do you know what version of snapd used to be in core? [22:45] would make a local bisect a bit faster :) [22:46] stgraber: when? [22:46] latest core updated snapd to 2.42.4, I'd like to know what the snapd version was prior to that in core, if it was 2.42.3 that'd make the diff pretty short [22:47] PR snapd#7854 opened: snap-confine: raise egid before calling setup_private_mount() [22:48] looks like it was 2.42.1 looking at the previous version of the core snap on disk [22:48] that's unfortunate [22:48] PR snapd#7835 closed: gadget: add missing test for duplicate detection of roles [22:48] stgraber: confirmed, 16-2.42.1 was the previous on stable (e.g. revision 8039 for amd64) [22:48] stgraber: I looked at my release history for stable [22:49] current rev is 8213 [22:51] Sorry looks like roadmr beat me to it [22:51] ijohnson: stgraber beat us both to it :) [22:51] snap-confine apparmor change introduces a "deny unix," which may cause silent denials, not sure why it would trip on an execve though [22:52] but that's the main suspicious thing I'm seeing, so lets try reverting that first [22:54] root@c1:~# snap install lxd [22:54] lxd 3.18 from Canonicalβœ“ installed [22:54] bingo [22:54] Hmm that's odd [22:54] Also odd that our tests didn't catch this we have lxd inside lxd tests [22:55] (that supposedly work) [22:55] going to re-introduce that line to confirm that it fails again if I do so, just to make sure I didn't disable too much of apparmor by accident [22:56] nope, that's clearly the issue, re-introducing that line keeping everything the same causes the failure [22:57] it could be an apparmor parser bug, a kernel bug, ... but "deny unix," is clearly denying too much somehow [22:58] stgraber: that explicit deny rule in snap-confine was always denied. that shouldn't change anything [22:59] jdstrand: it sure does somehow, and only in containers, so likely causing something interesting to happen in the kernel [22:59] ie, it isn't a new thing being denied. it is just a new thing not being logged [22:59] that is very surprising [22:59] snap-confine had no unix rules to begin with [23:00] apparmor_parser -p /var/lib/snapd/apparmor/profiles/snap-confine.core.8213 |grep unix [23:00] deny unix, [23:01] stgraber: can you change that to an 'audit deny unix,'? or 'audit unix,'? [23:02] jdstrand: "lxc launch ubuntu:18.04 c1 -c security.nesting=true" and then "lxc exec c1 -- snap install lxd" will reproduce it [23:02] jdstrand: sure, I was actually looking for the syntax for that [23:04] jdstrand: really smells like a kernel bug, "audit deny unix," doesn't log anything but things now behave [23:04] I only see profile_load STATUS messages, no sign of anything else in there [23:05] removing the audit prefix and back to it failing [23:06] for the record, to stage packages from a third-party repository, do this: https://gist.github.com/NickZ/828be7ad23cd9d9c88b9ab0b3624bf44 [23:07] stgraber: so interesting thing I don't think our tests test snaps inside lxd inside lxd, we only test lxd inside lxd. I will make sure we have a regression test for this [23:07] (well also snaps inside lxd directly) [23:08] stgraber: where are you adjusting the rule, int he container? [23:11] i've heard that snaps have been broken on bionic lxd for a while now [23:11] stgraber: basically, I can see things are broken, but can't fix it cause when I snap install in the container, the snap-confine profile is overritten and my changes are undone [23:13] stgraber: fixing it on the host has no effect. what did you do? [23:14] ijohnson: the problem is installing lxd inside a lxd container, so in theory your test is already doing that [23:14] jdstrand: it's the profile in the container you need to fix [23:14] right, and as soon as I do snap install, the fix is reverted [23:14] stgraber: this is the test https://github.com/snapcore/snapd/blob/master/tests/main/lxd/task.yaml [23:14] jdstrand: I did: "cp /snap/core/8213/etc/apparmor.d/usr.lib.snapd.snap-confine.real ." then "vim" and finally "mount -o bind usr.lib.snapd.snap-confine.real /snap/core/8213/etc/apparmor.d/usr.lib.snapd.snap-confine.real", followed by a teardown to force a reload of the profiles [23:15] ijohnson: the problem I suspect is that you're testing the new snapd on the host [23:15] ijohnson: the issue happens when you run the new snapd in the container [23:15] hmm, no, you're installing the new snapd in there [23:16] that's... weird. I wouldn't expect .real to have anything to do with it, but you gave me an idea. I can just copy /var/lib/snapd/apparmor/profiles/snap-confine... aside, modify it and load it [23:17] ijohnson: ah, the problem is that you're never actually installing lxd in lxd [23:17] ijohnson: your test creates a lxd container, updates snapd inside it and then installs test-snapd-sh [23:17] ijohnson: if you were to snap install lxd instead of test-snapd-sh on line 100, you'd have gotten the failure [23:18] jdstrand: I went with a naive "grep -r deny.*unix /snap/core", found the file that has the offending string and over-mounted it with a version which doesn't :) [23:18] stgraber: what host are you on? [23:19] 18.04 LXD VM [23:21] on an eoan host, it isn't working at all [23:24] Oh? As in broken on the host too? [23:25] stgraber: no, it is fine on the host, but I can't get the nesting to work [23:25] I'm trying in a vm [23:25] * jdstrand tried with his lxd that was already configured [23:30] just curious, has anyone here ever successfully got mono to run in containment? [23:40] stgraber: what is the output of aa-status in the container? [23:42] ok, finally [23:44] ijohnson: I downgrading to 8159 (2.42.2) and it does not have the unix rule. I then added to /var/lib/snapd/apparmor/snap-confine/foo 'deny unix,', the did apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap-confine* then tried to install lxd and it failed [23:44] ijohnson: we should revert that rule. I'll need to investigate to see why it is failing [23:45] ijohnson: this indeed is a kernel bug [23:47] jdstrand: how fast can we get a that line reverted in the stable snap? [23:47] stgraber: that's an mvo question [23:48] Ok, I'll email mvo to make sure he's aware when he starts the day [23:49] stgraber: please cc me and feel free to paste my comments above about downgrading and that I confirmed this is a kernel bug [23:49] stgraber: you might cc jj as well [23:50] Will do, thanks [23:50] it could be a parser bug too... [23:50] anyhoo, thanks [23:52] stgraber: jdstrand: I'll make sure mvo is aware [23:53] stgraber: fyi, this is a more specific rule (ie, to address the thing that prompted the PR in the first place): deny unix (receive, send) type=stream addr=none peer=(addr=none), and it also causes lxd to fail [23:54] stgraber: I can pass that to jj if you already sent the email or don't want to integrate that detail [23:54] Having dinner will send email after and include that in