/srv/irclogs.ubuntu.com/2019/12/06/#snappy.txt

mup	PR snapd#7855 opened: snap-confine: revert suppress noisy classic snap file_inherit denials <Simple 😃> <⚠ Critical> <Created by anonymouse64> <https://github.com/snapcore/snapd/pull/7855>	01:04
mup	PR snapcraft#2833 opened: Arnatious/remove rospack workaround <Created by Arnatious> <https://github.com/snapcore/snapcraft/pull/2833>	01:45
mup	PR snapd#7856 opened: snap-confine: revert, with comment, explicit unix deny for nested lxd <Simple 😃> <Created by jdstrand> <https://github.com/snapcore/snapd/pull/7856>	02:01
mup	PR snapd#7857 opened: tests: update google ubuntu 16.04-64 expected host mount ns <Simple 😃> <⚠ Critical> <Created by anonymouse64> <https://github.com/snapcore/snapd/pull/7857>	04:41
mup	PR snapd#7858 opened: tests: add nested-lxd test to confirm lxd inside lxd works <Test Robustness> <Created by anonymouse64> <https://github.com/snapcore/snapd/pull/7858>	04:46
mup	PR snapd#7855 closed: snap-confine: revert suppress noisy classic snap file_inherit denials <Simple 😃> <⚠ Critical> <Created by anonymouse64> <Closed by anonymouse64> <https://github.com/snapcore/snapd/pull/7855>	04:49
mborzecki	morning	06:30
mup	PR snapd#7846 closed: devicestate: add missing test for failing task setup-run-system <Simple 😃> <UC20> <Created by mvo5> <Merged by bboozzoo> <https://github.com/snapcore/snapd/pull/7846>	06:59
mborzecki	mount-ns test failing on google?	07:04
zyga	Gooos morning	07:27
zyga	I saw that. Suspicious. Could be a test merged recently. Could be a package upgrade (though I doubt that)	07:28
zyga	Oho	07:29
zyga	Yesterday evening was eventful	07:29
zyga	I need to scan the backlog	07:29
zyga	But first... dog	07:29
mborzecki	zyga: my best bet is the lxd test, but who knows, tryig main/tests/lxd right now	07:32
sdhd-sascha	Good morning	07:37
zyga	Do you have backlog to read?	07:40
mborzecki	zyga: so on vanilla system it's 31 22 0:26 / /sys/fs/cgroup rw shared:9 - tmpfs tmpfs rw,mode=755	07:46
mborzecki	zyga: in -shell-before of tests/main/lxd it's already 1 22 0:26 / /sys/fs/cgroup ro,nosuid,nodev,noexec shared:9 - tmpfs tmpfs ro,mode=755	07:47
zyga	mborzecki: on which kernel	07:51
zyga	mborzecki: systemd / kernel change if /sys/fs/cgroup is ro or rw	07:51
zyga	it used to be rw	07:51
mborzecki	zyga: heh, the gcp one	07:52
zyga	nowadays it is always ro	07:52
zyga	perhaps that's why	07:52
zyga	are we consistently getting "new" behavior?	07:52
zyga	if so let's just change the test and carry on	07:52
mborzecki	zyga: but it's not consistent, a clean node has rw	07:52
zyga	I'd only worry if half of the machines got one kernel and other half another	07:52
mborzecki	zyga: also, the reboot variant assumes rw and observes rw on the host	07:53
zyga	mborzecki: note, we do prepare.sh changes	07:53
zyga	oh	07:53
zyga	I'll dig in a moment	07:53
zyga	need to get that dog out first	07:53
zyga	there's some drama about apparmor bug last night	07:53
mborzecki	zyga: yeah, saw the PRs	07:54
mborzecki	zyga: also, don't know if you saw this comment from jdstrand https://github.com/snapcore/snapd/pull/7555#discussion_r354452340	07:55
mup	PR #7555: tests: add a test demonstrating that snaps can't access the session agent socket <Created by jhenstridge> <https://github.com/snapcore/snapd/pull/7555>	07:55
sdhd-sascha	zyga: is there a summary (bug report) of the conversion. A year ago, i also had trouble to install kubernetes-suite with conjure-up. I also need to reparse apparmor at some installation step to make it work. But i didn't know if it was my fault, because i deployed everthing on zfs and kubernetes at this time the most kubernetes containers has missing zfs-utils	08:03
mborzecki	zyga: it's systemd version	08:05
pstolowski	mornings	08:05
mborzecki	zyga: on a clean host it's 229-4ubuntu21.22, then it gets update dto 229-4ubuntu21.23	08:05
mborzecki	pstolowski: hey	08:05
pstolowski	mounts ns fun again	08:06
mborzecki	zyga: still, it's a bit of a myster why the mount-ns:reboot works	08:06
mborzecki	pstolowski: yeah	08:06
mborzecki	pstolowski: it's friday, some critical fix in a PR, and mount-ns failing, i.e. business as usual	08:07
mborzecki	zyga: hahah, soo, after a reboot it's back to rw	08:12
mborzecki	zyga: and only gets switched to ro after systemctl daemon-reexec, wtf	08:13
pstolowski	can we disable this test until a fix is ready to unblock landings?	08:13
zyga	re	08:14
zyga	mborzecki: maybe compund bug	08:14
zyga	compound*	08:15
zyga	perhaps the fixes we do ought to be each-boot and are first-boot	08:15
mborzecki	zyga: what fixes?	08:15
zyga	mborzecki: we do, or did some project wide changes, let me find that part	08:15
mborzecki	mvo: hey	08:16
mvo	hey mborzecki	08:17
zyga	hey mvo	08:17
mvo	hey zyga	08:18
mvo	how are you guys?	08:18
zyga	winter is here	08:18
mvo	I'm tired, tried to explore some ideas	08:18
pstolowski	hey mvo o/	08:18
mvo	last night	08:18
mvo	but only medium successful :/	08:18
mvo	hey pstolowski !	08:18
zyga	other than that I wanted to swap off today	08:18
zyga	what did you try mvo?	08:18
mvo	zyga: ok	08:18
zyga	(but no swap because omg master red)	08:19
mvo	zyga: oh?	08:19
zyga	mborzecki: tests/lib/prepare-restore.sh	08:19
mvo	pstolowski: is 7771 ready?	08:19
mvo	I still want to branch 2.43 :)	08:19
zyga	mborzecki: look at line 215	08:19
zyga	we undo lxd changes	08:19
zyga	that's only once on 1st boot	08:19
zyga	maybe that has consequences?	08:19
pstolowski	mvo: thanks for asking.. it is, but master is broken	08:19
zyga	mborzecki: we do -o remount	08:20
zyga	mborzecki: we don't do -o remount,ro -- maybe that makes it rw?	08:20
mborzecki	zyga: i don't think so, i have a clean host, after reboot i have rw, issue systemctl daemon-reexec and i have ro now	08:20
mvo	pstolowski: ok	08:20
zyga	ooooooooh	08:20
zyga	mborzecki: so	08:20
zyga	mborzecki: maybe that's just new systemd	08:21
zyga	it does do ro on /sys/fs/cgroup on modern systemd	08:21
mvo	zyga: anything we can do quickly to unbreak master? any test to skip for now until we have a solution?	08:21
mborzecki	zyga: it's triggered in the test, because we install/upgrade systemd as a build ependency, and postinst runs daemon-reexec	08:21
zyga	mvo: yes, we can disable mount-ns test	08:21
mborzecki	zyga: also why the :reboot variant works	08:21
zyga	it picked up something weird	08:21
zyga	mborzecki: that's curious, no explanation there	08:21
pstolowski	can we disable the mount-ns test until a fix is ready to unblock landings? or is there more?	08:21
pstolowski	zyga: ^	08:21
mborzecki	pstolowski: yeah, i think so	08:21
zyga	pstolowski: that's one way, yeah	08:21
zyga	mvo: did you see last night chat between jdstrand and stgraber?	08:22
mvo	zyga: I did not	08:22
zyga	there's some kernel bug drama and broken lxd	08:22
zyga	mvo: please scan that - I bet it affects the releaase	08:22
pstolowski	zyga, mvo, mborzecki ok, i'll prep a PR	08:22
zyga	pstolowski: thanksI	08:22
mvo	pstolowski: thank you	08:23
zyga	I will read the backlog now	08:23
mborzecki	zyga: this is the changelog https://paste.ubuntu.com/p/zMvnwTHrDH/	08:23
zyga	nothing scary there	08:24
mvo	hm, looks harmless	08:24
mborzecki	meh, there's no log or anythin that systemd remounts /sys/fs/cgroup	08:26
zyga	ijohnson: we don't have nested lxd tests AFAIK	08:27
mup	PR snapd#7859 opened: tests: disable mount-ns test on 16.04 for now <⚠ Critical> <Created by stolowski> <https://github.com/snapcore/snapd/pull/7859>	08:29
mborzecki	so we should probably be seeing ro after the reboot, but it's rw	08:29
mborzecki	btw. did you gus notice that the lxd test is not run on ubuntu-19.* ?	08:30
pstolowski	mborzecki: oh	08:31
zyga	mvo: you have mail	08:31
zyga	mvo: look for a message from stgraber please	08:31
mborzecki	pstolowski: it lists only this [ubuntu-16, ubuntu-18.04, ubuntu-2, ubuntu-core-]	08:32
pstolowski	yeah	08:32
zyga	mvo: we need to revert one line for the next release to unbreak lxd	08:32
zyga	mvo: and to check it we need to install lxd inside lxd	08:32
zyga	mvo: and then run snaps in the 2nd nested lxd to confirm	08:32
zyga	mborzecki: can you expand that to more systems please, it's likely related to the bug	08:33
mvo	zyga: ok	08:33
* mvo looks		08:34
zyga	mvo: e7afbc34b1d630aeae4a7d20c34da75f4cb67546	08:34
zyga	mvo: there we need to remove the "deny unix," rule	08:34
zyga	that's all	08:34
zyga	the regression test is nested lxd	08:35
zyga	I'll be back in 20 minutes, need to handle something at home	08:35
pedronis	hi	08:35
pstolowski	hi pedronis	08:35
mvo	zyga: uh, yeah, just reading	08:35
mvo	zyga: sucks :(	08:35
mvo	zyga: shows once more that dot releases can't be conservative enough :(	08:36
mborzecki	pedronis: hey	08:36
pedronis	mvo: seems we need a .5, also master is broken, see #7857 #7859	08:36
mup	PR #7857: tests: update google ubuntu 16.04-64 expected host mount ns <Simple 😃> <⚠ Critical> <Created by anonymouse64> <https://github.com/snapcore/snapd/pull/7857>	08:36
mup	PR #7859: tests: disable mount-ns test on 16.04 for now <⚠ Critical> <Created by stolowski> <https://github.com/snapcore/snapd/pull/7859>	08:36
zyga	mvo: kernel bugs are just bugs but yeah	08:36
mvo	pedronis: yes on both counts	08:37
mvo	pedronis: I will take care of this this morning	08:38
pedronis	mborzecki: if I understand correctly we are not sure about 7857 and your are looking into that?	08:40
pedronis	so we should go for 7859 for now?	08:40
mvo	I am in favour of 7859 for now to unblock things while it's investigated	08:41
pedronis	mvo: it's fine, trying to understand where we are, this mount-ns failures are starting to get a bit annoying	08:42
mborzecki	pedronis: yes	08:42
pedronis	mvo: not the most high prio right now, but I did leave comments late last night on your late PR(s)	08:43
mvo	pedronis: thank you so much	08:43
mvo	pedronis: will try to get to it as soon as I can. sorry that it's not easy :/	08:44
pedronis	np, let's try to get master green and .5 ready	08:44
* pedronis is also not feeling 100% today, not sure why/what		08:45
mvo	pedronis: just read your comment, makes a lot of sense	08:45
pstolowski	pedronis: yep (about mount-ns test). it's fine to have a test like this but it seems to be picking platform changes which are more frequent than expected, rather than our bugs. this area is unit-tested, so perhaps this test should be run nightly	08:48
zyga	re	08:50
zyga	pstolowski: we can also tweak the test to skip certain areas	08:50
pstolowski	zyga: that's an option too. it should probably be less picky about flags on the filesystems that are not controlled by us	08:52
zyga	pstolowski: it's all a learning exercise, we figure out as we go what is broken	08:52
zyga	mborzecki: do you need a hand on that flag mystery or can I focus on something else?	08:54
mup	PR snapd#7261 closed: interfaces/serial-port: support pci bus serial-port with HotplugKey() <⛔ Blocked> <Created by anonymouse64> <Closed by pedronis> <https://github.com/snapcore/snapd/pull/7261>	09:04
sdhd-sascha	Chipaca: would it be ok, to build spread snap on core18 ?	09:11
Chipaca	sdhd-sascha: why do i get the impression you're breadth-first digging all the rabbit holes?	09:12
sdhd-sascha	Chipaca: just for learning. You mention yesterday, that the snap needs a update.	09:13
zyga	brb, rebooting	09:13
Chipaca	sdhd-sascha: the updated snapcraft.yaml I have here is base:core18	09:14
pedronis	mborzecki: we are getting failures on selinux-clean	09:15
pedronis	https://api.travis-ci.org/v3/job/621494044/log.txt	09:16
pedronis	that are failing on the disable mount-ns PR	09:16
pedronis	pstolowski: ^	09:16
sdhd-sascha	Chipaca: does your snapcraft.yaml has kvm inside ? then i could took this and experiment.	09:17
Chipaca	sdhd-sascha: it does not, no :)	09:17
Chipaca	sdhd-sascha: i can push what i have here so you start from it	09:18
sdhd-sascha	Chipaca: ok. Yesterday, i only added git and gcc for core18 on multipass/qemu.	09:19
pstolowski	pedronis, mborzecki mhm.. looking	09:19
mborzecki	pstolowski: i think the policy needs to beupdated	09:20
pstolowski	mborzecki: yes, i'm just wondering what changed that triggered it\	09:20
mborzecki	pstolowski: i think it's the interfaces-kvm test that ran before, the kvm inteface writes out a modprobe conf file that loads the relevant kvm driver	09:24
zyga	mborzecki: I'm doing other things, assuming you are good	09:24
mborzecki	pstolowski: i guess you can restart the travis job, and open a fix in a separate PR (or i'll do it after the meeting)	09:24
zyga	mborzecki: please drag me back if you need assistance on anything	09:25
zyga	trying to cut the number of my open branches	09:25
pstolowski	mborzecki: ok, let me try	09:27
pstolowski	mborzecki: ok, i've the policy update, will give it a try and wait for #7859 (in case it needs to go together)	09:42
mup	PR #7859: tests: disable mount-ns test on 16.04 for now <⚠ Critical> <Created by stolowski> <https://github.com/snapcore/snapd/pull/7859>	09:42
zyga	pstolowski: thank you for a targeted patch!	09:42
pedronis	zyga: are you going to force push again against --explain? I might get to do an actual review pass today	09:50
zyga	pedronis: not anymore, I just changed where the spread test runs to limit it to ubuntu classic 64	09:51
pedronis	ok	09:51
mborzecki	pstolowski: ok, thanks!	10:00
mborzecki	zyga: btw. another data point, clean cloud image from cloud-images.u.c has ro mode after booting	10:00
mborzecki	quick errand, back in 30	10:01
zyga	that's good, that's what I would expect	10:01
mborzecki	zyga: makes me wonder, why our spread images have rw, obviously the kernel is different, but i would expect systemd to apply very specific mount options when setting up /sys/fs/cgroup	10:02
zyga	mborzecki: yeah, it does	10:02
zyga	I read that part of systemd source code	10:02
zyga	mborzecki: two ideas: cloud agent	10:02
zyga	mborzecki: or custom kernel playing a factor	10:02
mborzecki	zyga: you mean some gcp cloud agent? bc i'm using cloud-init under qemu too	10:03
mborzecki	brb	10:03
zyga	yes	10:03
mup	PR snapd#7859 closed: tests: disable mount-ns test on 16.04 for now <⚠ Critical> <Created by stolowski> <Merged by stolowski> <https://github.com/snapcore/snapd/pull/7859>	10:11
mup	PR snapd#7860 opened: selinux: update policy to allow modifications related to kmod backend <Created by stolowski> <https://github.com/snapcore/snapd/pull/7860>	10:15
pedronis	mborzecki: you can try to run the tests with an error in the early prepares and see how the world looks there	10:15
mborzecki	re	10:37
mborzecki	pedronis: i'm using https://github.com/bboozzoo/spread-mini to spin up the node without any of our test setup	10:38
pedronis	ah	10:45
mvo	mborzecki: which test was it again that caused the selinux denial that was just fixed?	10:46
mborzecki	mvo: interfaces-kvm	10:46
mvo	mborzecki: ta	10:48
pstolowski	mvo: i think it's a good idea to have selinux check in kvm-interfaces	10:50
mvo	pstolowski: thank you	10:54
sdhd-sascha	Chipaca: if you have pushed, maybe in a feature-branch. you could inform me. I just cleanup git-history and build a current sway version	11:01
Chipaca	sdhd-sascha: https://github.com/chipaca/spread/tree/update-snapcraft-yaml	11:05
zyga	I'll be right back, I'll make something warm to drink	11:23
mup	PR snapd#7771 closed: o/hookstate/ctlcmd: snapctl is-connected command <Needs Samuele review> <Created by stolowski> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/7771>	11:42
mup	PR snapd#7860 closed: selinux: update policy to allow modifications related to kmod backend <Test Robustness> <Created by stolowski> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/7860>	11:42
mup	PR snapd#7861 opened: tests: check for SELinux denials in interfaces-kvm spread test <Simple 😃> <Test Robustness> <Created by stolowski> <https://github.com/snapcore/snapd/pull/7861>	11:47
mup	PR snapcraft#2824 closed: Support for go.mod <Created by sergiusens> <Merged by sergiusens> <https://github.com/snapcore/snapcraft/pull/2824>	12:07
mup	PR snapcraft#2832 closed: appstream extractor: take xml comments into account <Created by sergiusens> <Merged by sergiusens> <https://github.com/snapcore/snapcraft/pull/2832>	12:07
mup	PR snapcraft#2822 closed: xattrs: ignore errors if SNAPCRAFT_BUILD_INFO is unset <Created by cjp256> <Merged by sergiusens> <https://github.com/snapcore/snapcraft/pull/2822>	12:10
mup	PR snapcraft#2830 closed: elf: properly handle corrupted ELF files <Created by kyrofa> <Merged by sergiusens> <https://github.com/snapcore/snapcraft/pull/2830>	12:10
mup	PR snapd#7856 closed: snap-confine: revert, with comment, explicit unix deny for nested lxd <Simple 😃> <⚠ Critical> <Created by jdstrand> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/7856>	12:28
zyga	mvo: https://github.com/snapcore/snapd/pull/7856#issuecomment-562517492	12:29
mup	PR #7856: snap-confine: revert, with comment, explicit unix deny for nested lxd <Simple 😃> <⚠ Critical> <Created by jdstrand> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/7856>	12:29
zyga	mvo: do we plan to add this?	12:29
mvo	zyga: add what exactly?	12:30
zyga	mvo: a spread test verifying that this is fixed,	12:30
zyga	mvo: a lxd inside lxd	12:31
Tuor	Hi, I just install vlc with snap on a kubuntu 19.10. My mouseppointer changes when it hovers over the vlc window. Can I keep my normal mousepointer somehow?	12:31
mvo	zyga: it's running in master	12:31
zyga	mvo: I don't follow, sorry	12:31
zyga	mvo: are you saying we have that test already?	12:31
zyga	mvo: a test running nested lxd	12:31
zyga	Tuor: hey, this is a known bug	12:31
zyga	Tuor: I can refer you to kenvandine	12:31
Tuor	Shall I upvote a bugrequest or something?	12:32
Tuor	*bugreport	12:32
mvo	zyga: sorry in a meeting	12:33
zyga	mvo: I think we don't have that test, please double check that we add one before doing a .5	12:33
zyga	mvo: or we may realize more is broken and .6 is required	12:33
zyga	Tuor: I don't know where it is tracked, please ask kenvandine for details	12:35
Tuor	kenvandine: I encountered a known bug, that my mouse pointer changes when I use the vlc snap. Where can I report a bug or where should I upvote?	12:36
mborzecki	anyone up for a 2nd review of https://github.com/snapcore/snapd/pull/7821 ?	12:37
mup	PR #7821: interfaces/seccomp: parallelize seccomp backend setup <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/7821>	12:37
pstolowski	mborzecki: yeah, i'll, was meaning to	12:46
=== pedronis_ is now known as pedronis
pedronis	zyga: Ian wrote one I think	12:46
pedronis	zyga: https://github.com/snapcore/snapd/pull/7858	12:46
mup	PR #7858: tests: add nested-lxd test to confirm lxd inside lxd works <Test Robustness> <Created by anonymouse64> <https://github.com/snapcore/snapd/pull/7858>	12:47
pedronis	it needs reviews	12:47
zyga	pedronis: that's good, we should ensure it passes with updated master	12:47
zyga	yep	12:47
pedronis	zyga: does #7830 need jdstrand review? I would say no but open otherwise... or just your re-review	12:50
mup	PR #7830: interfaces: include hooks in plug/slot apparmor label <Bug> <Created by stolowski> <https://github.com/snapcore/snapd/pull/7830>	12:50
mborzecki	pstolowski: cool, thnanks!	12:55
=== ricab is now known as ricab\|bbl
mvo	zyga: sorry, was in a meeting - 7858 is the one I had in mind	13:07
zyga	pedronis: checking	13:08
mvo	zyga: i.e. we have a test for this	13:08
mvo	zyga: in a PR	13:08
mvo	zyga: but it's incomplete, see PR	13:08
mup	PR snapd#7862 opened: release: 2.42.5 <Created by mvo5> <https://github.com/snapcore/snapd/pull/7862>	13:20
Chipaca	woo! got an appointment with the orthopedician! woo	13:22
Chipaca	with xmas coming up i was sure i was going to get punted into the new year	13:23
mborzecki	heh, our test cleanup, or lack thereof, keeps on giving	13:29
mvo	mborzecki: hm?	13:39
mvo	mborzecki: more catastrophies?	13:39
mborzecki	mvo: yeah, though suprised this one didn't happen earlier, the failure in selinux-context in 7570 is install-socket-activation test leaking socket units apparently	13:40
mborzecki	and we're probably missing cleanup for sockt files too, meh	13:41
mup	PR snapd#7767 closed: tests: run snap-set-core-config on all core devices <Created by mvo5> <Merged by pedronis> <https://github.com/snapcore/snapd/pull/7767>	13:51
mup	PR snapd#7863 opened: interfaces/builtin: add uio interface <Created by zyga> <https://github.com/snapcore/snapd/pull/7863>	13:57
Chipaca	huh, firefox crashed trying to get to the meet	14:01
mup	PR snapd#7864 opened: cmd/snap-mgmt, packaging/postrm: stop and remove socket units when purging <Simple 😃> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/7864>	14:24
pstolowski	https://github.com/snapcore/snapd/pull/7861 needs 2nd review (trivial)	14:35
mup	PR #7861: tests: check for SELinux denials in interfaces-kvm spread test <Simple 😃> <Test Robustness> <Created by stolowski> <https://github.com/snapcore/snapd/pull/7861>	14:35
* zyga breaks for food		14:46
pstolowski	thanks ijohnson !	14:47
mup	PR snapd#7861 closed: tests: check for SELinux denials in interfaces-kvm spread test <Simple 😃> <Test Robustness> <Created by stolowski> <Merged by stolowski> <https://github.com/snapcore/snapd/pull/7861>	14:48
mborzecki	off to pick up the kids	15:04
* cachio lunch		15:06
pedronis	pstolowski: thx for the card	15:13
pedronis	ijohnson: will you get to 7768 today?	15:14
ijohnson	pedronis: yes I will look at it now; sorry I didn't have time yesterday with the k8s stuff and then this lxd issue	15:15
pedronis	np, thx	15:15
mup	PR snapd#7858 closed: tests: add nested-lxd test to confirm lxd inside lxd works <Test Robustness> <Created by anonymouse64> <Closed by anonymouse64> <https://github.com/snapcore/snapd/pull/7858>	15:17
=== ricab\|bbl is now known as ricab
mup	PR snapd#7857 closed: tests: update google ubuntu 16.04-64 expected host mount ns <⛔ Blocked> <Created by anonymouse64> <Closed by anonymouse64> <https://github.com/snapcore/snapd/pull/7857>	15:19
* Chipaca goes for tea		15:22
ogra	is there an api call that would trigger a restart of snapd ? i.e. like https://github.com/snapcore/snapd/wiki/REST-API#request-2 but with snapd as the snap ? or is that blocked	15:24
zyga	re	15:25
zyga	what should I review?	15:25
ogra	(this is obviously a core18 and beyond question where snapd is its own snap)	15:28
ogra	hmm, k ... i think this answers it ...	15:28
ogra	$ snap restart snapd	15:29
ogra	error: snap "snapd" has no services	15:29
zyga	jdstrand: fyi https://github.com/snapcore/snapd/pull/7850/files#r354888954	15:31
mup	PR #7850: apparmor: allow 'r' /sys/kernel/mm/transparent_hugepage/hpage_pmd_size <Simple 😃> <Created by jdstrand> <https://github.com/snapcore/snapd/pull/7850>	15:31
pedronis	zyga: #7830 needs your re-review	15:32
mup	PR #7830: interfaces: include hooks in plug/slot apparmor label <Bug> <Created by stolowski> <https://github.com/snapcore/snapd/pull/7830>	15:32
zyga	I'm doing that now :)	15:33
zyga	pstolowski, pedronis: https://github.com/snapcore/snapd/pull/7830/files#r354891136	15:35
mup	PR #7830: interfaces: include hooks in plug/slot apparmor label <Bug> <Created by stolowski> <https://github.com/snapcore/snapd/pull/7830>	15:35
pstolowski	zyga: ty	15:35
pstolowski	btw i'm looking at your uio iface	15:35
zyga	cool :)	15:35
zyga	pstolowski: one thing to keep in mind is that it must grant mmap access to /dev/uioN	15:36
zyga	I fixed that but missed it in the initial testing because the test tool didn't require that	15:36
zyga	pstolowski: https://github.com/snapcore/snapd/pull/7830#pullrequestreview-328280697 +1	15:37
mup	PR #7830: interfaces: include hooks in plug/slot apparmor label <Bug> <Created by stolowski> <https://github.com/snapcore/snapd/pull/7830>	15:37
zyga	pstolowski: let me know if you want to work on the test device remotely	15:38
jdstrand	zyga: responded, thanks	15:39
zyga	jdstrand: cool :-)	15:41
jdstrand	zyga: it was even in the commit missage for snaap-update-ns... not surre why I put it there :)	15:41
jdstrand	message*	15:41
zyga	haha, no worries	15:42
zyga	I'm happy I asked a meaningful question :)	15:42
* ijohnson needs to go downtown for an hour or so, probably will miss tgif		15:44
zyga	take care ijohnson	15:44
ijohnson	zyga: I'll be back! And I realize in retrospect that phrase is a bit loaded, it's just some paperwork things :-)	15:51
zyga	pstolowski: updated https://github.com/snapcore/snapd/pull/7863 -- thank you for the quick review!	16:31
mup	PR #7863: interfaces/builtin: add uio interface <Created by zyga> <https://github.com/snapcore/snapd/pull/7863>	16:31
zyga	mvo: https://github.com/snapcore/snapd/pull/7825#issuecomment-562645242	16:37
mup	PR #7825: many: use transient scope for tracking apps and hooks <⛔ Blocked> <Created by zyga> <https://github.com/snapcore/snapd/pull/7825>	16:37
mvo	zyga: oh, it is? sorry, then let's remove it	16:38
zyga	yeah	16:38
mvo	zyga: sorry, too much going on at the same time	16:38
zyga	it's a nop without it	16:38
zyga	no worries	16:38
zyga	I +1 the idea initially because it feels safe	16:38
pedronis	it's still not merge ready	16:38
pedronis	though	16:38
zyga	but I think it's not unsafe in principle	16:38
zyga	that's true :)	16:38
pedronis	it's unlikely to get merge ready by Mon or Tue	16:39
pedronis	tbh	16:39
zyga	pedronis: what is missing there?	16:40
* zyga EODs and goes for a walk		16:55
mup	PR snapd#7858 opened: tests: also check nested lxd container <Test Robustness> <Created by anonymouse64> <https://github.com/snapcore/snapd/pull/7858>	17:25
ijohnson	mvo / pedronis: should I open a PR for the lxd snap regression test against release/2.42 ?	17:26
mup	PR snapd#7847 closed: snap-bootstrap: parse seed if either kernel or base are not mounted <UC20> <Created by xnox> <Merged by cmatsuoka> <https://github.com/snapcore/snapd/pull/7847>	17:40
cmatsuoka	cachio: did you notice random test failures on debian recently?	17:56
cachio	cmatsuoka, do you have a link?	17:56
cachio	cmatsuoka, didn't see that	17:56
cmatsuoka	cachio: I just restarted it but if it fails again I'll let you know	17:57
cachio	cmatsuoka, nice, thanks	17:57
ijohnson	hey jdstrand you around for a couple minutes to discuss the kubernetes-worker snap ?	19:18
sdhd-sascha	zyga: yesterday, i tried to build a *.deb package for snapd on launchpad.net with a receipe. Is the release-deb also build on launchpad, or ... ?	19:22
sdhd-sascha	zyga: oh, wait... maybe it was build with snapcraft... i looking for it	19:25
sdhd-sascha	niemeyer: hello, sorry for mention you. Just try to build a *.deb package of snapd for testing. https://code.launchpad.net/~sdhd/+snap/snapd-daily	19:40
sdhd-sascha	But there was no place to configure the target ppa ...	19:41
sdhd-sascha	Inside of the snap-build process, there i found: dpkg-buildpackage: source package snapd	20:00
sdhd-sascha	niemeyer:	20:14
sdhd-sascha	zyga: My fault. I think i found it	20:14
jdstrand	ijohnson: I am here. what's up?	20:29
jdstrand	ijohnson: (sorry I missed the initial question)	20:29
ijohnson	no it's okay I don't think I asked the actual question here	20:29
ijohnson	so I have this kubernetes-worker snap here and I was trying to figure out why the containers launched by containerd can't create their own top level directories because AppArmor denies it	20:30
ijohnson	it was odd because docker containers are allowed to do this, and after a while it occured to me that docker will perform a profile transition to the docker-default profile which doesn't constrain the container by AppArmor for top level directories, etc.	20:31
ijohnson	after looking some more, it appears that containerd doesn't by default transition the containers to an apparmor profile, but I was wondering what your thoughts are if we somehow got the kubernetes-worker snap to do that?	20:31
ijohnson	do you think it's okay to have containers launched by the kubernetes-worker snap be confined by the docker-default profile	20:32
ijohnson	?	20:32
jdstrand	ijohnson: the profile was designed with this in mind. it is supposed to do this: https://github.com/snapcore/snapd/blob/master/interfaces/builtin/docker_support.go#L160	20:34
jdstrand	ijohnson: when I did the interface initially with microk8s, I made it microk8s load the profile in one of the wrappers so it was able to transition	20:35
ijohnson	nice	20:35
jdstrand	ijohnson: I thought we did that with kubernetes-worker as well. I distinctly recall pointing out this should be done. and, iirc, containerd would use the profile if it was loaded	20:35
jdstrand	ijohnson: but wouldn't load it itself. I might be misremembering, but I thought that was the case	20:36
ijohnson	jdstrand: that might be the case, I'm not sure	20:36
jdstrand	ijohnson: regardless, yes, it is expected that the containerd app can load the profile and transition containers to it	20:36
jdstrand	how to make it do that is another thing... :)	20:37
ijohnson	I'm not running the full setup, I'm just trying to drive containerd manually and noticed it doesn't do this by default	20:37
ijohnson	ok, well my question for you was if this is okay, I assumed it was because it's in the policy but wanted to be sure :-)	20:37
ijohnson	thanks	20:37
jdstrand	ijohnson: let me see if that code is in microk8s...	20:37
jdstrand	ijohnson: it is not only ok, it is recommended and best practice :)	20:38
ijohnson	:-)	20:38
jdstrand	ijohnson: it does mean that containerd is more privilged, but the containers are less, and the container attack surface so what's most important	20:38
ijohnson	right	20:38
jdstrand	s/so/is/	20:39
ijohnson	jdstrand: I don't see anything in the kubernetes-worker snap to load that profile	20:39
ijohnson	joedborg: any idea on where that bit of code might have went in the kubernetes-worker snap?	20:39
jdstrand	which is why I clal the docker (and containerd) policy 'advisory', since they can load prolicy	20:39
jdstrand	policy	20:39
jdstrand	and transition to it	20:39
ijohnson	brb	20:40
joedborg	ijohnson: do you mean this bit? https://github.com/charmed-kubernetes/snap-kubernetes-worker/blob/master/wrappers/containerd.wrapper#L13	20:43
jdstrand	ijohnson: https://github.com/ubuntu/microk8s/blob/feature/strict-v2/microk8s-resources/containerd-profile and https://github.com/ubuntu/microk8s/blob/feature/strict-v2/microk8s-resources/wrappers/run-containerd-with-args#L11	20:43
jdstrand	joedborg: if you run 'sudo aa-status', you see cri-containerd.apparmor.d listed?	20:44
joedborg	no, i don't seem to	20:48
joedborg	https://www.irccloud.com/pastebin/IVv1DKT0/	20:48
joedborg	jdstrand: ^	20:48
ijohnson	joedborg: ah yes I didn't see that for some reason	20:48
jdstrand	joedborg: I think there is something wrong then with the startup. that profile needs to be loaded every time containerd starts	20:49
joedborg	ijohnson: it is missing from the eks branch since yesterday because i was getting errors	20:49
jdstrand	also, fyi I found https://kubernetes.io/docs/tutorials/clusters/apparmor/	20:49
ijohnson	jdstrand: with the eks branch that joedborg showed me yesterday I see that profile being loaded into the kernel	20:50
jdstrand	that hints at defaults and things and might provide some insight if the pods still aren't running in cri-containerd.apparmor.d once it is confirmed that it is loaded in the kernel	20:50
ijohnson	so I think that parts fine, it seems now that the issue is just in configuring $CONTAINER_TECHNOLOGY to actually run under that profile	20:51
ijohnson	https://www.irccloud.com/pastebin/fTe1mJiV/	20:51
jdstrand	ijohnson: ok, then if it is loaded, you might be able to use the above link to make k8s put it in that profile. there is probably something somewhere for defining the default profile to use	20:51
jdstrand	ijohnson: ok, cool, and yes	20:52
jdstrand	https://raw.githubusercontent.com/kubernetes/website/master/content/en/examples/pods/security/hello-apparmor.yaml	20:52
ijohnson	joedborg: have you looked at https://aws.amazon.com/blogs/opensource/using-pod-security-policies-amazon-eks-clusters/ ?	20:52
jdstrand	(from the above link)	20:53
ijohnson	that seems to imply that the pods metadata stuff from the generic kubernetes stuff can be configured in EKS	20:53
ijohnson	thanks jdstrand I saw that link earlier today too	20:53
jdstrand	ijohnson: nice find	20:53
ijohnson	BTW word of caution: don't go looking for containerd's CLI tool "ctr" docs or examples because they don't exist haha	20:53
ijohnson	(I was trying to be sneaky and just skip the k8s part and just reproduce the issue with ctr, but that doesn't seem to be the way to go)	20:54
jdstrand	oh yeah, I had some trouble with that in the past	20:54
joedborg	ijohnson: i did briefly, but saw that `Read Only Root Filesystem: false` so moved on	20:55
joedborg	ijohnson: jdstrand: ctr is also a massive trap because it behaves completely differently to anything else that drives containerd (all over CRI)	20:56
ijohnson	oh hmm so does the psp stuff work by some aws agent running on the pod to enable these things? if so that's really unfortunate	20:56
jdstrand	ijohnson: I have this in my notes when I did a seccomp security update: https://paste.ubuntu.com/p/P6M4hhkphw/	20:56
jdstrand	ijohnson: but based on what joedborg just said, you may want to ignore that :)	20:56
ijohnson	jdstrand: yes `runc spec` is a good trick until you realize how much other config settings $OTHER_CONTAINER_TECHNOLOGIES set when they drive CRI like joedborg just said	20:57
* jdstrand nods		20:57
jdstrand	this was just for the deb	20:58
jdstrand	ijohnson: I like when you say $CONTAINER_TECHNOLOGY and $OTHER_CONTAINER_TECHNOLOGIES	20:58
jdstrand	it is just right ;)	20:58
ijohnson	:-) there's just so so so many of them	20:59
jdstrand	indeed :)	20:59
joedborg	ijohnson:	21:01
joedborg	jdstrand:	21:01
joedborg	`apparmor_parser -r $SNAP/containerd-profile` i took this out because i started getting `permission denied` when it runs the wrapper	21:02
joedborg	even if i put sudo in front of it	21:02
joedborg	so i think an apparmor rule (to allow to run this) has gone missing	21:02
joedborg	that's using the custom snapd	21:02
jdstrand	joedborg: you can't put sudo in front of it	21:03
jdstrand	joedborg: can you: sudo snap run --shell snap.kubernetes-worker.conttainerd	21:03
jdstrand	joedborg: then apparmor_parser -r $SNAP/containerd-profile	21:03
jdstrand	joedborg: and ive me the denials?	21:04
jdstrand	joedborg: (from journalctl)	21:04
jdstrand	ijohnson, joedborg: not, I have a very hard stop in 15 minutes, but could circle back	21:04
jdstrand	note*	21:04
joedborg	jdstrand: okay, i've got that now	21:11
joedborg	https://www.irccloud.com/pastebin/2q7ch6D4/	21:12
jdstrand	jo	21:12
jdstrand	joedborg: I'm confused. I thought you said from within the snap it didn't work?	21:12
joedborg	jdstrand: it wasn't, then i ran it manually like you suggested and it did	21:13
jdstrand	joedborg: I was wanting you to run apparmor_parser -r $SNAP/containerd-profile from under sudo snap run --shell	21:13
jdstrand	jo	21:13
jdstrand	dang it	21:13
joedborg	but `Dec 06 20:54:31 ip-192-168-35-165 kubernetes-worker.containerd[18362]: /snap/kubernetes-worker/x1/bin/containerd.wrapper: line 13: /sbin/apparmor_parser: Permission denied`	21:13
jdstrand	joedborg: you ran it from under snap run --shell?	21:13
joedborg	yeah	21:13
jdstrand	joedborg: ok, between that and that ijohnson said it loaded for him, I'm going to chalk that up to the docker-support interface wasn't connected at the time of that denial	21:15
jdstrand	/sbin/apparmor_parser ixr,	21:15
jdstrand	that is in the docker-support policy ^	21:15
joedborg	jdstrand: ah yes, quite possibly	21:15
joedborg	either way, i'm still getting the RO filesystem errors	21:16
jdstrand	joedborg: I didn't look at the code for the kubernetes-worker, but be sure that this apparmor_parser invocation is not in a configure hook or under some conditional where it only sometimes loads the policy	21:16
jdstrand	joedborg: for the rofs issues, this is where ijohnson can come in	21:17
joedborg	jdstrand: it's with the containerd wrapper, so run everytiime containerd is (re)started	21:17
jdstrand	joedborg: perfect	21:17
ijohnson	(in meeting)	21:17
joedborg	https://www.irccloud.com/pastebin/50YgamaD/	21:18
joedborg	jdstrand: is that still looking sane? ^	21:18
jdstrand	joedborg, ijohnson: ok, I need to head out for my appt, but I'll circle back and see if there is anything for me to do	21:18
joedborg	jdstrand: +1 thanks!	21:18
jdstrand	joedborg: it looks like a containerd default profile, yes	21:19
jdstrand	sane is in the eye of the beholder :)	21:19
jdstrand	but jokes aside, yes	21:19
joedborg	jdstrand: perfect :)	21:19
jdstrand	joedborg: so, if there are apparmor denials, ijohnson can help you add them to the right places for working around stuff and moving forward. if that happens, I can collect them and give you a new demo deb. I can do that tonight/over the weekend/etc	21:20
jdstrand	joedborg: I'll keep an eye on irc	21:21
joedborg	jdstrand: sadly, there aren't any. i think that's the main issue now	21:21
jdstrand	joedborg: yes, I just wanted to reiterate that I'll update the demo deb as needed	21:21
jdstrand	I'm also on tg	21:22
joedborg	ahhh :)	21:22
ijohnson	joedborg: ok I'm back	21:49
ijohnson	joedborg: so we're still at the issue with the filesystem being ro?	21:51
joedborg	ijohnson: yeah	21:53
joedborg	ijohnson: sadly	21:54
ijohnson	joedborg: I'm wondering if you could do something like `watch -n 0.05 bash -c 'sudo aa-status \| grep $(pgrep install-aws.sh)'` on the node to see if it shows up under an apparmor profile	21:57
ijohnson	err maybe make that snippet bit smarter so it actually filters properly	21:57
ijohnson	one second	21:57
joedborg	ijohnson: +1	21:58
ijohnson	joedborg: try `until pgrep install-aws.sh; do true; done; pid=$(pgrep install-aws.sh); sudo aa-status \| grep "$pid"`	22:03
ijohnson	watch is a bit difficult to get to work there	22:03
joedborg	ijohnson: i don't appear to be getting any results as the pod starts and fails	22:06
ijohnson	joedborg: what about if you did: `until pgrep install-aws.sh; do true; done; pgrep install-aws.sh`	22:08
ijohnson	that should eventually print off some pid	22:08
joedborg	ijohnson: i still have the same node running if you wanted to watch the byobu	22:08
joedborg	ijohnson: ill try it	22:08
ijohnson	unless the name of this script is not install-aws.h	22:08
ijohnson	err install-aws.sh	22:08
joedborg	ijohnson: that latter one works	22:09
ijohnson	cool, one sec let me give you something else to run	22:09
ijohnson	joedborg: can you run `until pgrep install-aws.sh; do true; done; sudo nsenter -t $(pgrep install-aws.sh) --all /bin/bash -c "cat /proc/self/mountinfo"`	22:10
ijohnson	that should show us the mount namespace of the process when its running	22:10
ijohnson	joedborg: actually I think I will join that byobu if that's alright	22:12
ijohnson	might make this quicker	22:12
joedborg	ijohnson: of course :)	22:12
joedborg	ijohnson: fyi i have 2 tabs inside it open	22:12
* ijohnson googles how to switch tabs in byobu		22:13
joedborg	F3 and F4	22:13
mup	PR snapcraft#2834 opened: dirs: support --user install on Linux <Created by kyrofa> <https://github.com/snapcore/snapcraft/pull/2834>	22:53
diddledan	--user?	23:15
mup	PR snapcraft#2835 opened: colcon plugin: support ROS 2 Eloquent <Created by kyrofa> <https://github.com/snapcore/snapcraft/pull/2835>	23:50

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!