/srv/irclogs.ubuntu.com/2020/05/19/#snappy.txt

mborzecki	morning	05:25
mup	PR snapd#8695 opened: data/completion, packaging: cherry-pick zsh completion (2.45) <Simple 😃> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/8695>	05:31
mup	PR snapd#8696 opened: packaging/arch: update PKGBUILD to match one in AUR <Simple 😃> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/8696>	06:08
mborzecki	mvo: hey	06:26
mborzecki	mvo: opened a cherry-pick of zsh completion: https://github.com/snapcore/snapd/pull/8695	06:27
mup	PR #8695: data/completion, packaging: cherry-pick zsh completion (2.45) <Simple 😃> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/8695>	06:27
mborzecki	mvo: looks like we need the mount-ns fixes in 2.45 branch	06:27
mborzecki	mvo: i believe the fixes are: https://github.com/snapcore/snapd/pull/8666 and https://github.com/snapcore/snapd/pull/8669	06:29
mup	PR #8666: tests/mount-ns: update to reflect new UEFI boot mode <Created by zyga> <Merged by anonymouse64> <https://github.com/snapcore/snapd/pull/8666>	06:29
mup	PR #8669: tests/mount-ns: stop binfmt_misc mount unit <Test Robustness> <Created by zyga> <Merged by zyga> <https://github.com/snapcore/snapd/pull/8669>	06:29
zyga	o/	07:00
pstolowski	morning	07:02
mborzecki	zyga: pstolowski: hey	07:05
mvo	hey zyga, pstolowski and mborzecki	07:08
mup	PR snapd#8688 closed: state: log task errors in the journal too <Needs Samuele review> <Created by mvo5> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/8688>	07:12
mvo	8604 needs a second review please :)	07:13
mup	PR snapd#8695 closed: data/completion, packaging: cherry-pick zsh completion (2.45) <Simple 😃> <Created by bboozzoo> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/8695>	07:14
zyga	+1	07:20
mborzecki	pstolowski: https://github.com/snapcore/snapd/pull/8692#discussion_r427101228	08:05
mup	PR #8692: configcore: add nomanagers buildtag for conditional build <Created by stolowski> <https://github.com/snapcore/snapd/pull/8692>	08:05
pstolowski	mborzecki: thank you	08:06
mborzecki	pstolowski: maybe we could siplify that even further	08:06
pstolowski	mborzecki: what do you mean by whitelist and not using tags?	08:20
mborzecki	pstolowski: instead of building snap command with -tags nomanagers, you could check which overlord packages are imported, we know that overlord/state and overlord/auth are needed (for debug state and macaroons iirc) so those are the whitelist, everything else should throw an error	08:23
pstolowski	mborzecki: but how? we need to import configcore, it just needs conditional build to exclude certain parts	08:23
pstolowski	mborzecki: this dependency is introduced in my other PR	08:24
mborzecki	aaah ok	08:24
pstolowski	mborzecki: for that reason the simple dependency check will not work either	08:24
mborzecki	pstolowski: which is the other pr?	08:25
pstolowski	mborzecki: the spread test will be updated to check if packaging was done right (in followup(s))	08:30
pstolowski	mborzecki: #8533. the conditional build will fix selinux denials there	08:30
mup	PR #8533: image, tests: core18 early config <Created by stolowski> <https://github.com/snapcore/snapd/pull/8533>	08:30
pstolowski	mborzecki: this is where we pull configcore from snap prepare-image: https://github.com/snapcore/snapd/blob/055397eb7bb37699ebe4ab885b378d3160771392/image/image_linux.go#L436	08:30
mborzecki	pstolowski: btw. have you checked the size of snap binary with that branch?	08:30
mborzecki	pstolowski: uhh, looks like it's importing every package found in overlord now? https://paste.centos.org/view/9964d6af	08:32
pstolowski	mborzecki: i haven't check the size, will do in a moment, going to do packaging changes	08:34
pstolowski	mborzecki: these imports are from current master, or from #8533?	08:34
mup	PR #8533: image, tests: core18 early config <Created by stolowski> <https://github.com/snapcore/snapd/pull/8533>	08:34
pstolowski	mborzecki: nb snap bootstrap will benefit too	08:35
mborzecki	pstolowski: isn't this import problem happening only because of devicestate.CanManageRefreshes() in configcore/refresh.go?	08:42
pstolowski	mborzecki: i'm not sure, i haven't tracked it down precisely. nonetheless we want to eradicate all managers (i think snap bootstrap size is one of the main concerns)	08:45
mborzecki	fwiw snapd package is full of bit fat binaries already, tried to fixed that via symlinking of snap to snapd (also the imports would not be a concern in such setup)	08:47
mborzecki	pstolowski: snap is 20MB, with 8533 it's 21MB, snapd is 25MB, s-b is 16MB	08:48
pstolowski	mborzecki: mhm, interesting numbers	08:53
mborzecki	pstolowski: commented out devicestate.CanManageRefreshes() and the devicestate import in configcore, then proxy.go imports assertstate, but that's no fs-only-option either	08:55
mborzecki	pstolowski: maybe it'd make sense to make the split with a tag in configcore rather than individual managers?	08:57
mborzecki	pff nvm	08:59
mborzecki	pstolowski: it's what you have in your latest change ;)	09:00
mborzecki	apparently i need a coffee	09:01
pstolowski	mborzecki: ok, good, i got very confused by this last remark ;)	09:01
pstolowski	having fun with debian packaging now ;)	09:03
zyga	pedronis: hi, IIRC you hinted at dbusutil package, did you mean a new top level or something else?	09:08
pstolowski	mborzecki: thanks for the review!	09:08
mborzecki	zyga: found some scripts that cachio is using: https://github.com/snapcore/snapd/pull/8693#issuecomment-630692280	09:10
mup	PR #8693: tests: add fedora 32 to spread.yaml <Created by sergiocazzolato> <https://github.com/snapcore/snapd/pull/8693>	09:10
pedronis	zyga: would it contain only testing stuff atm	09:24
pedronis	?	09:24
zyga	Not only, looking at the current code I would put isSessionBusLikelyPresent and the associated mocking code	09:30
pedronis	zyga: then yes, a top-level dbusutil (I want to move all *util under some package at some point but not immediately)	09:38
zyga	Ok, will do	09:39
zyga	Should I also move the relevant test code from testutil to something like dbusutil/dbustest?	09:39
zyga	It would be the non trivial dbus call testing stack	09:40
pedronis	yes	09:40
zyga	Great, on it	09:41
pedronis	mborzecki: mvo: #8675 needs a 2nd review	09:46
mup	PR #8675: osutil: add disks pkg for associating mountpoints with disks/partitions <UC20> <Created by anonymouse64> <https://github.com/snapcore/snapd/pull/8675>	09:46
mborzecki	i'll take a look, already got it opened in a tab since yday	09:48
pedronis	mborzecki: thx, I did a pass on 8686 btw, there's a question there	09:55
zyga	I need to do a small errand. Back in 45	10:23
zyga	It’s such a sleepy day that some air will help	10:23
* mvo is in a meeting		10:24
mup	PR core20#60 opened: Copy-in launchpad's build-archive <Created by xnox> <https://github.com/snapcore/core20/pull/60>	10:29
mup	PR snapd#8678 closed: tests: port interfaces-contacts-service to session-tool <Test Robustness> <Created by zyga> <Merged by stolowski> <https://github.com/snapcore/snapd/pull/8678>	10:34
zyga	Thanks guys	11:14
zyga	Making progress on tests for dbus bits	11:14
zyga	And perhaps pressure is better as I’m not so sleepy anymore	11:15
mup	PR snapd#8679 closed: tests: port interfaces-location-control to session-tool <Test Robustness> <Created by zyga> <Merged by stolowski> <https://github.com/snapcore/snapd/pull/8679>	11:15
zyga	Also, it must be spring because look at those green tests :-)	11:19
* mvo hugs zyga		11:20
mup	PR snapd#8697 opened: [RFC] packaging: build cmd/snap with nomanagers tag <Created by stolowski> <https://github.com/snapcore/snapd/pull/8697>	11:48
=== msalvatore_ is now known as msalvatore
=== verterok` is now known as verterok
ogra	xnox, sil2100, we have some serious probs with customers not being able to diable console-conf anymore ... when you guys removed the --disable-console-conf option in ubuntu-image you only did that for core20 builds, didnt you ?	13:06
xnox	ogra: that is correct. What is customer building? UC20 or 18/16?	13:08
ogra	18 ... but on a 20.04 host machine it seems	13:08
xnox	ogra: what is the snap revision of ubuntu-image the customer is using?	13:08
xnox	Or are they using the deb?	13:08
ogra	xnox, apparently the deb (for whatever insane reason)	13:10
mup	PR snapd#8696 closed: packaging/arch: update PKGBUILD to match one in AUR <Simple 😃> <Created by bboozzoo> <Merged by bboozzoo> <https://github.com/snapcore/snapd/pull/8696>	13:11
ogra	(they are using 1.9-20.04 ... but i think we need to ask them to not use the deb anyway ... why is that still in the archive ? it will cause the same problems we have since yeats with the snapcraft db)	13:15
ogra	*deb	13:15
ogra	*since years	13:15
xnox	ogra: because we still use it to build production images.	13:16
xnox	And we have snap haters too.	13:16
ogra	fix that and make them use the snap ;)	13:16
ogra	there cant be snap haters n canonical :P	13:17
roadmr	🤭	13:19
xnox	ogra: so	13:19
xnox	ogra: https://paste.ubuntu.com/p/zFMWpCqd2D/	13:19
pstolowski	mvo: these 3 checks: https://github.com/snapcore/snapd/blob/80c895a0216cee4116826be5ceda8fa2791d7f97/packaging/ubuntu-16.04/rules#L179	13:19
xnox	ogra: ubuntu-image snap has --disable-console-conf option; the deb does not yet have it. As we update the snap more often.	13:19
xnox	ogra: but it might depend on channels too, I'm running latest/edge	13:19
xnox	ogra: let me check if stable has that option at all	13:20
ogra	xnox, yeah .. they tried the snap before and switched to the deb because the stable snap was lacking the option ... heh	13:20
ogra	probably time for a release to stable :)	13:20
xnox	ogra: but deb doesn't have it either.... so..... ?	13:20
ogra	right, then they started to use a script to modify the image on the fly during build ... and then hell broke loose :)	13:21
xnox	sil2100: when will new ubuntu-image get released?	13:21
ogra	now pointing them to the edge snap should fix them ...	13:21
xnox	ogra: beta has it too	13:21
ogra	yeah	13:21
xnox	stable\|candidate do not	13:21
xnox	deb does not	13:21
ogra	yup ...	13:21
xnox	1.9+snap3 is the one they want for now	13:22
xnox	ogra: please test & ask for version numbers, before escalating next time =)	13:22
ogra	i was only asking ... not "escalating" ... :)	13:22
sil2100	xnox: yes	13:32
sil2100	;)	13:32
sil2100	(I know that is not the answer to the question)	13:33
sil2100	Seriously speaking, I talked with Samuele and Michael and I will be releasing the beta UI to stable soon, probably after my +1 maintenance shift	13:34
mup	PR snapd#8674 closed: tests: fix nested tests <Created by sergiocazzolato> <Merged by sergiocazzolato> <https://github.com/snapcore/snapd/pull/8674>	13:40
mborzecki	does github work for you guys?	13:54
mborzecki	i can't fetch or push anything	13:54
ijohnson	mborzecki: seems fine to me	13:58
ogra	works fine for me .... tried to re-connect the caonical VPN ?	13:58
ogra	that hangs at times for me	13:58
cachio	ijohnson, hey, which is the other step I need to do after re-sign the kernel?	14:05
ijohnson	cachio: you need to re-build the gadget snap, signing shim with the snakeoil keys	14:06
ijohnson	cachio: to do that, you need the snakeoil dir from this git repo: https://github.com/snapcore/pc-amd64-gadget/	14:06
ijohnson	then unpack the pc gadget snap and run this:	14:06
ijohnson	https://www.irccloud.com/pastebin/IgmkHoBY/	14:07
cachio	ijohnson, I am using sbsign --key /etc/ssl/private/ssl-cert-snakeoil.key --cert /etc/ssl/certs/ssl-cert-snakeoil.pem	14:08
cachio	currently to sign the kernel	14:08
ijohnson	cachio: ok, I think the snakeoil keys from /etc/ssl are the same as from the gadget	14:08
cachio	ijohnson, should I use the cert and key provided by the gadget?	14:08
ijohnson	let me double check that they are the same	14:08
cachio	ijohnson, thanks	14:09
* zyga -> lunch		14:09
ijohnson	cachio: hmm no the snakeoil key is different it seems, so I think you need to sign shim with the keys from the gadget dir	14:11
ijohnson	cachio: when you sign the kernel, are you signing the kernel.efi ?	14:12
cachio	ijohnson, yes	14:12
cachio	which key and cert should I use?	14:12
ijohnson	cachio: are you using the ubuntu-core-initramfs package to create the efi?	14:12
ijohnson	i.e. are you running `ubuntu-core-initramfs create-efi` ?	14:12
cachio	yes	14:12
ijohnson	cachio: ok, so that is doing the same thing I am doing so you should be okay	14:13
cachio	ijohnson, nice, thanks, I'll try that and re-test	14:14
ijohnson	cachio: as long as you are not doing anything different from `ubuntu-core-initramfs create-efi` you should be good	14:14
cachio	thanks for the help	14:14
ijohnson	yeah np, let me know if you run into any more issues	14:14
cachio	ijohnson, sure	14:14
ijohnson	zyga: any idea why this check was "skipped" ? https://github.com/snapcore/snapd/pull/8683/checks?check_run_id=688936733	14:15
mup	PR #8683: osutil/disks: support IsDecryptedDevice for mountpoints which are dm devices <UC20> <Created by anonymouse64> <https://github.com/snapcore/snapd/pull/8683>	14:15
zyga	yeah, I clicked twice	14:28
zyga	and I cancelled a run	14:28
zyga	that's a stale marker of some kind	14:29
zyga	note that actual tests did run	14:29
ackk	sergiusens, hi, I'm seeing a strange behavior wrt the rbac snap on core20. it works fine when installed on focal, but I get https://paste.ubuntu.com/p/zNNJPdpSh5/ in a bionic container	14:37
ackk	sergiusens, both on snapd 2.44.3	14:39
zyga	ackk: any python native code?	14:42
ackk	zyga, possibly, why?	14:42
zyga	ackk: classic confinement?	14:43
ackk	zyga, it's a fully confined snap, FTR	14:43
zyga	ackk: different so versions, won't import	14:43
zyga	just guessing	14:43
ackk	zyga, "snaphelpers" doesn't use native code	14:46
ackk	zyga, I just tried in a snap run --shell, trying to import that from python cli also fails	14:46
zyga	Strace it perhaps	14:49
cjp256	ackk: can you share the yaml?	14:50
cjp256	i'm guessing you'll need to set PYTHONPATH for your runtime environment	14:50
cjp256	ackk: e.g. https://github.com/snapcore/snapcraft/blob/master/tests/spread/plugins/v2/snaps/python-hello-with-stage-package-dep/snap/snapcraft.yaml#L15	14:51
ackk	cjp256, I updated https://bugs.launchpad.net/snapcraft/+bug/1876370	14:52
mup	Bug #1876370: Python libraries installed by python path are not found in sys.path <Snapcraft:New> <https://launchpad.net/bugs/1876370>	14:52
roadmr	hey folks, - what happens if I install a snap that has an auto-alias that conflicts with an existing command on the system? does the snap's take precedence? does the deb-installed one? does snapd refuse to configure the conflicting alias?	14:53
=== lool- is now known as lool
cjp256	ackk: out of curiosity, if you don't filter out files, do you get the same result? the bionic vs focal is interesting	14:58
ackk	cjp256, haven't tried, let me	14:58
cjp256	ackk: also consider staging all of python and see if that changes things: https://github.com/snapcore/snapcraft/blob/master/tests/spread/plugins/v2/snaps/python-hello-staged-python/snap/snapcraft.yaml	14:59
ackk	cjp256, well that's what we did before, but it'd be nice not to have now that snapcraft supports using the builtin one	14:59
cjp256	ackk: this is a strict snap, right?	15:00
ackk	cjp256, correct	15:00
pedronis	roadmr: it's the same as what happens with snap that have a name that matches a system command, snapd will install the snap. The precedence depends on PATH, as set by default snaps are searched after system commands.	15:01
roadmr	thanks pedronis	15:01
cjp256	ackk: i'll see if can repro on 18.04	15:02
pedronis	roadmr: we check for conflicts among snaps, but not with the system commands	15:02
roadmr	pedronis: right, I knew about inter-snap checking but was unsure about existing command behavior	15:02
roadmr	asking for a friend :)	15:02
ackk	cjp256, it's unfortunaly not a public snap, so I can't share the code here	15:03
cjp256	with my own attempt at a reproducer anyhow	15:03
ackk	cjp256, same issue without filtering files	15:07
cjp256	ackk: i cannot reproduce on bionic. if you want, you can gmail me the full yaml and i can give it a shot	15:15
mvo	maybe one system is not marked as mandatory, let's see what spread says to this PR	15:34
pedronis	ah	15:36
witquicked	I'm struggling to get snapd to run inside an Ubuntu 18.04 docker container without having run that container in "privileged" mode. I've succeeded when the Docker host is Arch Linux, but am having issues when the host is also Ubuntu. The error is "main.go:123: system does not fully support snapd: cannot mount squashfs image using "fuse.squashfuse": fuse: mount failed: Permission denied"	15:38
cachio	pedronis, mvo I tested that with "secureboot: true" and workerd	15:39
witquicked	actually, scratch that, it's not working on Arch Linux anymore either...	15:41
zyga	witquicked: hey	15:41
zyga	witquicked: docker is not a supported snapd host IIRC	15:41
zyga	witquicked: if you need a container and can use lxd instead, that should work	15:41
cachio	mvo, do you have a link to the change where secure boot is not wortking?	15:42
pedronis	cachio: I misunderstood the conversation claudio had with Gustavo	15:42
pedronis	I thought the change landed in spread with the preferred syntax	15:42
pedronis	but seems not	15:42
pedronis	mvo: for your benefit, this is the spread part: https://github.com/snapcore/spread/pull/104/files	15:43
mup	PR spread#104: Adding option for systems created on google to start with secure boot enabled <Created by sergiocazzolato> <Merged by niemeyer> <https://github.com/snapcore/spread/pull/104>	15:43
pedronis	there's a comment about the syntax by Gustavo	15:43
witquicked	zyga, I know it's not officially supported, and that I'm fighting an uphill battle. I have successfully gotten it working several times, using various mount points...	15:43
zyga	witquicked: I think it's a waste of your time, unless you have absolutely no other choice	15:44
mvo	pedronis, cachio aha, htanks	15:44
witquicked	I have a reasonable use-case for it...	15:44
mup	PR snapd#8698 closed: spread.yaml: secureboot is really secure-boot <Created by mvo5> <Closed by mvo5> <https://github.com/snapcore/snapd/pull/8698>	15:44
zyga	witquicked: can you use lxd instead? that's a really easy way out	15:44
pedronis	mvo: anyway it means something else failed	15:44
pedronis	which isn't great either	15:45
zyga	witquicked: if you absoulutely must use docker you are on your own as we don't support that and there will be random things you need to do each time that may or may not work	15:45
zyga	witquicked: you need systemd and ability to mount squashfs (probably via fuse)	15:45
cachio	pedronis, good, thanks	15:45
witquicked	zyga, yep...	15:45
witquicked	like I said, I can get it to work using the "privileged" command, so I know it's within the realm of possible	15:46
zyga	witquicked: I don't know what that does in docker	15:46
witquicked	and yes, I've done the work needed to get systemd to run inside Docker	15:46
zyga	and if doing so is not messing up your system	15:47
witquicked	that switch essentially allows the container to run as root.	15:47
zyga	witquicked: out of all containers we only support lxd because it does apparmor nesting	15:47
zyga	witquicked: it seems you are saying this is not a container anymore	15:47
pedronis	mvo: anyway indeed store problems	15:47
zyga	witquicked: if you do this it may appear to work but may actually break something on your host	15:47
pedronis	mvo: making the PR red atm	15:47
pedronis	PRs	15:47
zyga	witquicked: and it may totally break if you run more than one "container" like that at the same time	15:47
mup	PR snapd#8699 opened: interfaces/desktop-launch: support confined snaps launching other snaps <Created by AlanGriffiths> <https://github.com/snapcore/snapd/pull/8699>	15:49
witquicked	zyga, I have multiple use-cases for running systemd in a container. The one that sidesteps the religious discussion is that I use the container for testing ansible playbooks...	15:49
zyga	witquicked: systemd is probably not the problem	15:50
zyga	witquicked: I'm specifically talking about snapd	15:50
zyga	witquicked: (where "probably" is more of a I don't know)	15:50
witquicked	zyga, agreed, it's not systemd. Fair enough. :)	15:50
zyga	witquicked: but snapd will for sure misbehave and, given the chance, change the host, not the container	15:50
zyga	I think we are talking in circles now, I can only wish you good luck	15:50
zyga	witquicked: I'm sorry but we cannot support docker without docker growing more features	15:51
witquicked	Actually, what you said about snapd changing the host is very helpful...	15:51
zyga	witquicked: or someone writing a docker helper that lets you run more complex things	15:51
witquicked	Are the changes you're referring to in "/sys/fs/fuse/connections", or "/sys/fs/cgroups", or the socket?	15:53
zyga	witquicked: snapd loads apparmor profiles	15:54
zyga	witquicked: apparmor is not namespaced	15:54
zyga	witquicked: without special setup that is clobbering the host apparmor configuration	15:54
witquicked	aha, but it can run without apparmor, yes?	15:54
zyga	witquicked: snapd?	15:54
witquicked	yes	15:54
zyga	witquicked: yes but all security promises are gone then	15:54
zyga	witquicked: at which point the question of what the docker container brings is questionable	15:55
witquicked	yes, I'm aware - and apparmor is shipped to not start in a container...	15:55
zyga	witquicked: if you entirely trust the payload that might work to some extent	15:55
zyga	witquicked: it's not just the container, if your kernel has apparmor snapd will sue it	15:55
zyga	*use it	15:55
witquicked	Yeah, it's definitely pushing the boundaries of what it means to be a container...	15:56
* zyga wonders what's the requirement		15:56
witquicked	oh rilly?	15:56
zyga	building in "docker"	15:56
zyga	where it means that docker is the entry point and that's all	15:56
zyga	?	15:56
witquicked	the requirement is to be able to test ansible playbooks in a "somewhat" isolated and repeatable environment	15:57
zyga	I see	15:57
zyga	and how does that interact with snapd? ansible setting up snaps?	15:57
witquicked	it's also used to support a build environment, where the setup of that environment uses snap to install tools	15:57
zyga	I know it's a big shift but lxd actually properly support sthat	15:58
zyga	especially if you want to test something that feels more like a real system	15:58
zyga	alternatively a vm as running in a container and out of a container does matter for both snapd and lxd	15:59
witquicked	That's true	15:59
witquicked	I know and love lxd, and it would be my first choice... however I need for this to support Linux, Mac and Windows hosts.	16:01
zyga	I understand	16:01
zyga	my only comment is that it's not testing something that looks like a normal system	16:03
zyga	so the test may say "great, it works"	16:03
zyga	but reality will be different	16:03
witquicked	I see your point.	16:03
witquicked	And it's absolutely valid... you're basically saying that any test that works without apparmor turned on isn't really a valid test.	16:03
zyga	it depends	16:03
zyga	for some snaps it might be okay	16:03
zyga	it's just not something that I would say is a good test	16:03
zyga	it's like a test that says "echo ok" is both fast and portable	16:03
zyga	and it passes too	16:03
zyga	but that's not the goal	16:04
cachio	cmatsuoka, I see, I'll fix it	16:24
cmatsuoka	cachio: thanks	16:25
=== ijohnson\|lunch is now known as ijohnson
ogra	jdstrand, hmm, i'm playing with the account-control interface ... is there a chance we could get permission to "mkdir /home/$USER" ? it is kind f hard to create a valid user account with the interface the way it is atm	21:24
ogra	(indeed it works if i tel useradd to not create/use a homedir, but thats kind of crippled in the end)	21:25
jdstrand	ogra: I'll look into it as part of my 2.45 policy updates work. I think there is context I need to dig up	22:25
ogra	thx !	22:25

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!