[01:07] PR snapcraft#3157 opened: spread: use absolute path to lxd [03:46] PR snapd#8817 opened: tests: new test to validate refresh and revert of kernel and gadget on uc20 [06:40] morning [06:42] Hey [06:44] zyga: hey hey [06:46] hey mborzecki and zyga [07:02] morning [07:03] hey, I just had to do something weird to log in [07:04] can you guys please check if you are a member of group "video" [07:04] and if /dev/dri/card0 is group-owned by that file [07:04] er [07:04] group [07:05] I had to add myself to the video group [07:05] as otherwise gdm would fail to start the session for my account [07:12] zyga: I'm not in video [07:12] zyga: on 20.04 [07:12] thanks [07:12] hmm (I'm on 20.10) [07:12] what's the ownership of /dev/dri/card0? [07:36] zyga: root:video [07:36] thanks [07:36] I talked in #ubuntu-devel a little and normally logind would grant extra permissions to my account [07:36] so something on that line is broken [07:36] oh well, the fun of running devel :) [07:37] thank you for checking [07:37] I will finish coffee and jump into PRs [07:41] zyga: funny, i'm in video group [07:41] wonder what happens when i drop that [07:42] zyga: do you have any other ideas about https://forum.snapcraft.io/t/notification-on-reboot-initiation-or-coming-up-from-reboot/18005 ? [07:42] looking [07:43] mborzecki: /tmp as seen by a snap is not discarded on refresh [07:44] zyga: ha, so maybe that could be used then [07:45] anyways, this feels like thin ice [07:45] hi, how do I get a snap out of --devmode without reinstalling? [07:46] mborzecki: yeah, I replied [07:46] ackk: hmmm good question [07:46] zyga: thanks! [07:46] I think there's no way actually, maybe refresh --strict but I don't remember if we forward that [07:47] ackk: maybe snap revert --revision but not sure [07:47] pedronis: hey, wdyt about mechanical splitting of snapstate_test.go by "topics", e.g. snapstate_install_test.go, snapstate_update_test.go, snapstate_try_test.go etc? no new test suites to be clear. it's 16K+ lines, very hard to navigate :( [07:47] * ackk tries [07:47] --strict is not accepted by refresh [07:48] revert also doesn't seem to work if you try to revert to the same revision [07:50] pstolowski: it's a good idea, but we would need to think a bit how to tackle it [07:51] pedronis: how about if i propose just a few obvious ones? do you have particular concern in mind? [07:52] pstolowski: mostly conflict for wip work [07:52] mvo: https://github.com/snapcore/snapd/pull/8722#issuecomment-639319127 heh a bit unexpected [07:52] PR #8722: tests: check that host settings like hostname are settable on core [07:52] also there might be some corner cases where is not clear but maybe that isn't true [07:54] pedronis: I updated the netplan thing [07:54] mborzecki: oh, woah, unexpected indeed! [07:59] pedronis: yes, would be good to avoid conflicts with wip. and i suppose we will have some tests that cross many boundaries, in which case they fall into a "generic" category, i.e. snapstate_test.go [08:00] mborzecki: updated https://github.com/snapcore/snapd/pull/8815 [08:00] PR #8815: tests: port snap-handle-link test to tests.session [08:04] pstolowski: I would start with snapstate_install_test.go I suppose ? [08:04] that would be tests that involve mainly snapstate.Install and snapstate.InstallPath [08:05] I suppose [08:05] pedronis: yes, that's a good candidate [08:06] notice though sometimes they are used to setup conflicts for other things, but hopefully the test name/content makes that clear [08:11] zyga, pedronis so I guess the only way to get out of devmode is to wait for an update and then refresh without devmode, right? [08:13] seems so, though is a legitimate request (not super high prio) to have a local way [08:14] perhaps snap switch could grow an option [08:15] mabye but switch never unlink/link atm [08:15] and this would need to [08:16] or some subset of that [08:16] mmmm [08:17] why would we have to unlink? [08:17] well, it would need to stop all services for example [08:17] it's refresh like in some ways [08:17] yeah, stop, flip flags, setup security, start [08:18] just saying it's not super clear that switch is a good syntax for it [08:19] ackk: I think filing a bug and letting us eventually get to it is the way forward [08:19] zyga, ok, thanks [08:19] given how it works, I actually switch would probably just change the flag for the next refresh [08:19] *actually think [08:19] pedronis: ideed, you are right [08:20] that would break some invariants though, so not sure we can add it to switch [08:21] anyway some form of revert or refresh would do [08:23] * zyga afk for a moment, I'll try to move to the office today [08:29] maybe no [08:29] I cannot stand for a while even === diddledan0 is now known as diddledan [08:39] mvo: updated https://github.com/snapcore/snapd/pull/8804 [08:39] PR #8804: tests: port xdg-settings test to tests.session [08:41] zyga, filed https://bugs.launchpad.net/snapd/+bug/1882214 [08:41] Bug #1882214: No way to move out of devmode without updates or reinstall [08:41] thanks! [08:42] PR snapd#8819 opened: tests: move install tests from snapstate_test.go to snapstate_install_test.go [08:45] ^ for obvious reason would be nice to land it soon ;) [08:47] pstolowski: verifyInstallTasks should move too? [08:48] or is it used for update as well? [08:48] pedronis: it's used by transition and installmany tests [08:48] pedronis: and by gadgetupdate tests [08:49] pstolowski: I think I would move it anyway, also move the InstallMany ones [08:49] I forgot about them [08:49] okay [08:51] of course git diff is weird and looks like you changed things and not just removed them :/ [08:53] heh all spread jobs passed, but the travis job failed on osx :P [08:54] pedronis: heh, indeed, complete mess [08:55] mborzecki: how? [08:55] pstolowski: I'm busy now, but I'll try to look at it again immediately after lunch [08:55] mborzecki: maybe spend a moment to port the macos job over [08:55] zyga: some random bit about osx host not coming up [08:56] even more reason to do it [08:56] just add a new job for it and that should be it [08:56] iirc we saw this happen couple of times [08:56] zyga: gh can do osx too? [08:56] I used this in libzt if that helps: https://github.com/zyga/libzt/blob/master/.github/workflows/build.yml#L18 [08:56] yes :) [08:57] go is preinstalled IIRC [08:57] mborzecki: and it's macos for a few years now :) [08:57] osx was the old name [08:57] mborzecki: yes, it has different limits than other jobs, not sure it/how it matters [08:58] pedronis: thanks [08:58] pedronis: there are no different limits *but* a macos job is like 2 other jobs [08:58] pedronis: zyga: i can try and port it over, should be a quick job [08:58] but it shold not matter much as our tests are quick and won't use the slots for long [08:59] mvo: can you cherry-pick https://github.com/snapcore/snapd/pull/8798 to 2.45? should apply cleanly [08:59] PR #8798: data/selinux: allow checking /var/cache/app-info [09:00] mborzecki: sure, will do [09:00] mvo: thanks! [09:03] PR snapd#8798 closed: data/selinux: allow checking /var/cache/app-info [09:03] if you encounter a "cancelled" test just restart, sorry my fault === ricab__ is now known as ricab [09:03] mborzecki: meh, 7 commit, I will create a 2.45 branch for this [09:04] * mvo should have marked this squash-merge [09:04] mvo: i can do that [09:04] mborzecki: yes please! [09:05] mvo: I need to show you how to cherry pick ranges [09:05] it's not a problem really [09:05] zyga: :) [09:10] zyga: what do you use for that? it's easy for a branch that was not landed, but my usual incantation is not useful when a branch got merged upstream [09:11] (probably because i list commits that are not part of a branch, and once landed that no longer lists anything) [09:11] mborzecki: look at the branch, get the base and the tip, [09:11] I did it a few times [09:11] worked okay [09:13] PR snapd#8820 opened: data/selinux: allow checking /var/cache/app-info (2.45) [09:13] zyga: at the base i use `git log --oneline --decorate HEAD '^'`, but the helpers i use cannot automatically figure out to use the the commit before the merge that included the changes upstream [09:15] Bug #1882221 opened: Cannot parse seccomp profile in snapd update [09:18] Bug #1882221 changed: Cannot parse seccomp profile in snapd update [09:21] Bug #1882221 opened: Cannot parse seccomp profile in snapd update [09:26] mborzecki: huh [09:26] https://bugs.launchpad.net/snappy/+bug/1882221 is bad [09:26] Bug #1882221: Cannot parse seccomp profile in snapd update [09:26] I need to go afk, I'll look soon [09:27] hmm [09:27] Bug #1882221 changed: Cannot parse seccomp profile in snapd update [09:30] Bug #1882221 opened: Cannot parse seccomp profile in snapd update [09:33] Bug #1882221 changed: Cannot parse seccomp profile in snapd update [09:39] Bug #1882221 opened: Cannot parse seccomp profile in snapd update [09:48] PR snapd#8821 opened: github: port macOS sanity checks from travis [09:51] mborzecki: do you have any fail logs for ^ / [09:51] ? [09:52] i have homebrew locally and can check something out, but don't know yet how it maps to github actions [09:53] mborzecki: https://formulae.brew.sh/formula/squashfs is the forumla [09:54] I' -1 on using a 3rd party action [09:54] especially if it is just "brew install" [09:54] mborzecki: maybe you need brew install --with-xz --with-zstd [09:54] pstolowski: ^ can you check [09:55] I should just install brew I guess [09:56] ah, the question is about how to install manually [09:56] brew install squashfs [09:56] works [09:56] so that's all we need [09:56] brew is preinstalled in those images [09:56] right/ [09:56] installs squashfs-4.4 [09:56] no args needed [09:56] pstolowski: maybe check if it has xz and zstd [09:56] can it unsquash a test .snap [09:56] zyga: Installing dependencies for squashfs: lz4, lzo and zstd [09:56] no mention of xz [09:56] maybe xz is preinstalled [09:56] anyway [09:57] just check with any snap if you can [09:57] btw, I just noticed brew works on linux [09:57] maybe a nice way to build ... snaps [09:57] interesting [09:57] just bake a custom prefix, something brew can do [09:57] hm looks like you can fix whatever needed there ;) [09:57] zyga: i find brew a must on mac [09:58] hmmm [09:58] w8, why there's no job there? [09:58] does mvo need to enable something? [09:58] because you called this job cla-check [09:59] :) [09:59] hm? [09:59] w8, wat? [09:59] pfff [09:59] hah [09:59] look at the PR [09:59] hhahah [09:59] I commented [10:00] a sneaky way to pass cla checks;D [10:00] zyga, mborzecki i'll check if ^ works on mac after 1-1 [10:00] https://github.com/snapcore/snapd/actions/runs/125815205 [10:00] it's also wrong [10:01] IIRC args are [] [10:01] but check the docs please [10:05] mborzecki: some early opinion on https://github.com/snapcore/snapd/pull/7700 would be great [10:05] PR #7700: cmd/snap: wait while inhibition file is present [10:05] it's WIP code [10:05] pedronis: and for you https://github.com/snapcore/snapd/pull/8573 -- equally WIP and super tiny - just to start the conversation [10:05] PR #8573: overlord/snapstate: inhibit startup while unlinked [10:06] mborzecki: did you see https://github.com/snapcore/snapd/pull/8821/files#r435820550 [10:06] PR #8821: github: port macOS sanity checks from travis [10:07] mborzecki: this is what GH says https://github.com/snapcore/snapd/actions/runs/125824530 [10:07] zyga: yeah, but i'm not sure what's wrong there, yaml is valid, the entrypoint in the action is basically `brew $*` [10:07] yeah but that's not the right yaml [10:07] there's a different way to say that [10:07] let me find that [10:07] hm maybe it shoudl be under `with:` [10:07] look at https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions [10:07] yeah [10:07] exactly :) [10:07] I think you can also drop the "" [10:10] hmm [10:10] maybe just do that manually [10:10] I don't know what that action does [10:10] did you read the code? [10:11] zyga: yeah, it literally calls brew $* [10:11] https://github.com/artemnovichkov/action-homebrew [10:11] then really just do it yourself [10:11] less magic [10:14] in the meantime, i'm not sure how https://bugs.launchpad.net/snappy/+bug/1882221 happened [10:14] Bug #1882221: Cannot parse seccomp profile in snapd update [10:14] zyga: hey o/ [10:14] zyga: should snap-seccomp re-exec ? [10:14] hey ian :) [10:14] ijohnson: snapd should call it from the same location as the snapd binary is running [10:14] mborzecki: but what about for folks that are developing their own profiles [10:15] IIRC we call it with full path [10:15] i.e. you are hacking on a seccomp / apparmor snapd profile to test things [10:15] ijohnson: what do you mean? [10:15] jamesh: are you asking about https://bugs.launchpad.net/snappy/+bug/1882221? [10:15] Bug #1882221: Cannot parse seccomp profile in snapd update [10:15] er [10:15] ijohnson: ^ [10:15] like locally changing the profile.bin in /usr/lib/snapd/seccomp/snap....src [10:15] and then compiling it [10:16] zyga: yes [10:16] also https://forum.snapcraft.io/t/cannot-parse-seccomp-profile-in-snapd-update/18007/5 [10:16] right [10:16] so no [10:16] I can reproduce the error here [10:16] ijohnson: they should call whatever version is appropriate i suppose [10:16] how? [10:16] right but how would they know which version is appropriate ? [10:16] ijohnson: they're already ahcking the profile so i would guess they can figure that out ? :) [10:17] developing a profile is something like what developers do [10:17] so minimal requirement is probably awareness of snapd source / build [10:17] zyga: to reproduce, launch a bionic VM/lxd container, then downgrade snapd as a deb to bionic-security, (and ensure all snaps are removed), then try to use snap-seccomp [10:17] though [10:17] I'm really curious [10:17] ah [10:17] ok [10:17] but snapd re-exec semantics can be quite confusing [10:17] ijohnson: so snap-seccomp from 2.37 then? [10:17] you answered my question [10:17] mborzecki: yes [10:17] before we supported chown stuff for system-usernames [10:17] ijohnson: my answer is don't do that I think [10:18] :-( [10:18] hm it might have been built with a different libseccomp version even [10:18] ijohnson: don't do development on top of really old snapd [10:18] (and probably was) [10:18] zyga: they are not on an old version of snapd [10:18] zyga: they have the core / snapd snap installed and have 2.45 [10:18] 2.37 is old [10:18] but the deb on their system is old [10:18] that's what I mean [10:18] zyga: but `snap version` says 2.45 ? [10:19] I think we should move everone over to snapd.snap, then the anwer is really easy [10:19] zyga: so what you're saying is that if folks are developing they need to keep both their normal snapd version up to date AND also keep the deb up to date even though no actual snaps / snapd the daemon are using the deb? [10:19] zyga: tbc, this person's machine only has bionic-security pocket enabled [10:20] zyga: so they won't ever get the deb unless they upgrade out of that pocket [10:20] w8, something is weird i think [10:20] (or we push an update to the bionic-security pocket with a new snapd I suppose) [10:20] I think the user experience here is quite poor [10:21] either snap-seccomp should re-exec or we should have snap-seccomp complain when it is not a matching version to the one that snapd the daemon is using [10:21] ijohnson: hm or no, so snapd is updated to 2.45, snapd and snap rexxec, snapd gnerates the profile that can be complied by snap-seccomp from the snapd/core snap, but it does not imply that the old snap-seccomp from the deb can do that [10:21] mborzecki: yes all the snaps work on their system right now [10:22] mborzecki: but they are developing changes to an interface in snapd [10:22] mborzecki: and the documented best practice to change seccomp is broken [10:22] ijohnson: where's that doc? maybe we need to update it [10:22] mborzecki: but what would you update it to ? [10:23] to tell people re-exec happens [10:23] ijohnson: use snapd from the ppa/roll out your own & disable reexec [10:23] mborzecki: say "if you have snapd snap use /snap/snapd/current/... if you have core snap use /snap/core/current/... if you have snapd distro pkg, use /usr/lib/snapd/..." [10:23] ijohnson: i mean that's what i do :P [10:23] and the snap-seccom binary is in /snap/{snapd,core}/current/usr/lib/snapd/snap-seccomp [10:23] but I mean you see how that's a frustrating and confusing user experience [10:23] right? [10:23] ijohnson: it's should probably be look at /proc//exec to find out which snapd binary is runnig, call snap-seccomp from the same location [10:24] (this is what snapd does iirc) [10:24] IMO that's all a bit too magic [10:24] I would not do that [10:25] zyga: it's not too magic to you because you've worked on snapd too long :-D [10:25] I mean, it is too magic [10:25] the re-exec logic is complex [10:25] I would not teach people about it [10:25] a snap debug command then? [10:25] right so why shouldn't we just make snap-seccomp do the same magic ? [10:25] I would rather have them know where the tools come from [10:25] ijohnson: because not all tools re-exec [10:25] a snap debug command makes sense to me [10:25] I really would not go overboard with this [10:26] zyga: but why don't all tools re-exec though [10:26] because it's hard and they cannot for other reasons [10:26] if some things re-exec and some things don't re-exec that is confusing and unexpected [10:26] snap-update-ns and snap-confine probably never well [10:26] *will [10:26] ijohnson: that's just the nature of the beast [10:26] :-( [10:27] I would argue that re-exec could be a helper tool that is used by everything [10:27] (that re-execs) [10:27] not by everything [10:27] so then this is more visible [10:27] maybe with maciek's idea to merge snapd and snap [10:27] ijohnson: the reexec thing is a tad complicated imo, it looks at the env, then at the distro, we'd ahve to bake it into each binary [10:27] snapd is just "snap snapd" [10:28] or snap exec-tool snapd [10:28] or something similar [10:28] snap debug exec-tool ? [10:28] it's not debug if we'd use it to run snapd :) [10:28] I would actually call it something else [10:29] snap exec-tool ... [10:29] and not reexec or debug [10:29] it's just a way to run a tool [10:29] a bit like snapd.tool [10:29] anyways, for starters we cold probably document the 'magic' thing first to make it clear [10:29] then it could do the right thing [10:30] ijohnson: do you know where the istructions for compiling profiles are? [10:30] mborzecki: offtopic: https://github.com/snapcore/snapd/pull/8821/checks?check_run_id=741848615 [10:30] PR #8821: github: port macOS sanity checks from travis [10:30] mborzecki: let me find it it was on docs.ubuntu.com/core somewhere [10:30] ijohnson: the search on docs.snapcraft.io comes up empty [10:30] I think some environment is not set up right [10:31] or perhaps something else is wrong [10:31] look at the import failures [10:32] ijohnson: there's some tips towrads the end of this page https://docs.ubuntu.com/core/en/guides/intro/security [10:32] mborzecki: yes that page [10:33] mborzecki: there's also https://github.com/snapcore/snapd/wiki/snap-confine-Overview [10:33] 2017 [10:33] mborzecki: unsquashfs from homebrew seems to work fine [10:34] ijohnson: cool, we can talk with degville to add something to the tips section in the core docs [10:38] mborzecki: yeah I marked the bug as confirmed and low priority, and added reproducer instructions [10:40] mborzecki: degville: also it would be good to move the snap-confine wiki page to the forum too, doesn't need a doc page, but that is the only place we have the snap-seccomp input format documented and also it should be updated to mention the new system-usernames changes for i.e. `chown -1` [10:41] mvo: have we setup the meeting about REST docs? [10:41] ijohnson / mborzecki: yes, I totally agree. I didn't know about that page until I just saw the link. [10:41] pedronis / mvo: not yet. [10:49] more random failures shows service leaks [10:50] I see two at least: broken document portal still mounted [10:50] and a service that sleeps for 3133731337 [10:50] randomly breaking totally unrelated test [10:50] ok, let's fix those [10:53] degville: a little bit of text with examples you could use for the doc https://paste.ubuntu.com/p/TMHPJwd85W/ [10:53] ijohnson: ^^ please take a look too [10:54] mborzecki: that's brilliant, thanks - I'll just push some changes to the core docs and create a new forum post for the seccomp stuff. [10:54] mborzecki: looks good to me === facundo__ is now known as facubatista [10:56] degville: there's a second snap-confine doc [10:56] but it's much more raw [10:56] though more up-to-date [10:56] pstolowski: thanks for checking, looks like the GOPATH is messed up in the PR though [10:58] zyga: oh, thanks - have you got a link? I'll try to merge the two? [10:58] sure, one sec [10:59] https://forum.snapcraft.io/t/snapd-2-36-snap-confine-logic-walkthrough/7843 [10:59] I forgot it is on the forum [10:59] zyga: thank you! [11:03] mborzecki: where do you see that? have you just pushed another chage? [11:03] *change [11:03] pstolowski: yeah, force pushed it [11:03] mborzecki: we set GOPATH in the other yaml IIRC [11:05] * pstolowski lunch [11:11] zyga: ijohnson cachio hey, asking you as the most knowledgeable spread people, can you tell me what is going on on https://travis-ci.org/github/snapcore/snapcraft/jobs/694864341#L433 ?... started last Monday evening [11:11] looking [11:12] stat: cannot stat '/snap/bin/lxd': No such file or directory hmm [11:13] *hmm* [11:13] no idea, can you add a debug section that does "snap changes" and "ls -l /snap" - you may also want to hash -r after setting PATH [11:13] zyga: only on core20 and non deterministic [11:13] ah wait, this is *core* 20 [11:13] no, sorry [11:13] classic [11:14] I think I know [11:14] zyga: well, yeah, sorry, 20.04 [11:14] we see it too [11:14] ubuntu 20.04 only too [11:14] we get an error from install [11:14] "not ready for operation yada yada" [11:14] even though we do an explicit "snap wait system seeded" [11:14] also random [11:14] no idea why, but look like a real bug [11:14] I did not debug it more [11:14] perhaps escalate to mvo [11:14] zyga: you just did :-) [11:15] this is sort of blocking our releases and we are blocking the multipass release I just heard [11:15] mvo: ^ [11:15] * zyga runs [11:16] lol [11:16] I heard my name? [11:17] only because it is Friday https://www.youtube.com/watch?v=H9vHwW9_1Oo [11:19] sergiusens: heh - I can look at the backlog but I need to have lunch (have a meeting soon) [11:19] mvo: so, our issue, which is more prominent since last Monday evening (no single test of ours has passed since then) is that on the 20.04 spread/google images, after we install LXD we get stat: "cannot stat '/snap/bin/lxd': No such file or directory" [11:19] mvo: we seem to have a bug in seeding on ubuntu 20.04 [11:19] zyga: it's green ;) [11:19] https://github.com/snapcore/snapd/pull/8821/checks?check_run_id=742006278 [11:19] PR #8821: github: port macOS sanity checks from travis [11:19] we wait for seeding [11:19] sergiusens: oh? is that reproducible? i.e. can I spread -debug that? [11:19] then snap install fails on "not ready yet" [11:20] mvo: it's reproducible on our tree but not frequently [11:20] I've seen it maybe 5-8 times [11:20] always ubuntu-20.04-64 [11:20] mvo: it is non deterministic, but we setup N instances and one of those always fails [11:20] zyga: but this "cannot stat /snap/bin/lxd" sounds very different [11:20] mborzecki: does that mean we don't need travis for anything any more ? [11:20] it'd be super hilarious if it was related to https://github.com/snapcore/snapd/pull/8814 [11:20] PR #8814: sanity: check for unsynchronized real time clock <β›” Blocked> [11:20] mvo: no, it just says lxd did not install [11:21] mvo: we snap install core in our case [11:21] or core20 maybe, sorry [11:21] sergiusens: do you have a log for me ? [11:21] zyga: shouldn't this error already on the "snap install lxd" then? [11:21] mvo: "spread -debug google:ubuntu-20.04-64:" [11:21] zyga: maybe I just need to see a log [11:21] mvo: maybe they don't check [11:21] we set -e in various helpers [11:21] mvo: https://travis-ci.org/github/snapcore/snapcraft/jobs/694864341#L433 [11:21] but set -e is easily lost [11:22] ijohnson: right, we can dro the extra cla check that runs on travis and were fully vendor locked to gh :) [11:22] \o/ [11:22] zyga, sergiusens ohhh: "snap "lxd" is already installed, see 'snap help refresh'" [11:23] PR snapcraft#3158 opened: spread: add snap watch [11:23] zyga, sergiusens so the snap is installed but maybe not working yet - so this indicates that we are indeed not finished seeding yet and ssh just comes in too quickly [11:23] ah, interesting [11:23] mborzecki: reviewed [11:24] sergiusens: can you try to add "snap wait system seed.loaded" ? [11:24] sergiusens: to your prepare? [11:24] * mvo really needs to have a lunch now, will read backlog [11:24] does this ubuntu 20.04 image maybe not even have the snapd deb [11:24] and just the snapd snap ? [11:25] mvo: sure [11:25] ijohnson: ohhh [11:25] interesting [11:25] ijohnson: but... [11:25] how? [11:26] actually I don't think we can do that [11:26] * ijohnson doesn't know just throwing random guesses over the wall [11:26] yeah but that might explain things [11:26] is the deb required? [11:27] ijohnson: it is the one cachio maintains [11:28] hmm let me look at the spread output again [11:28] actually the deb is explicitly installed: https://github.com/snapcore/snapcraft/pull/3158/files#diff-3c11e56e5f7f82b0f352d0fe1851a107R203 [11:28] PR snapcraft#3158: spread: add snap watch [11:28] sergiusens: btw, you should look at our actions [11:28] ah nvm [11:28] they seriously rock [11:28] way better than travis now [11:28] https://www.irccloud.com/pastebin/Yrvil8sI/ [11:29] zyga: I asked ijohnson to document, if there is a place we can run spread without needing to maintain infra I am all for it [11:29] sergiusens: there is [11:29] sergiusens: our place :) [11:29] pstolowski: can you do one more pass over https://github.com/snapcore/snapd/pull/8821 ? [11:29] PR #8821: github: port macOS sanity checks from travis [11:29] zyga: how do you build Windows binaries though? Or when is the snap command coming to Windows for us to passthrough "snap pack"? :-) [11:29] sergiusens: you can also use github actions directly without our ifra [11:30] sergiusens: I don't know, though actions supports both macos and windows [11:30] zyga: we are using actions for release drafter [11:30] mborzecki: wow and it passed now :) [11:31] hmm [11:31] mborzecki: I'm confused [11:31] zyga: in any case, our issue today does not involve Travis at all [11:31] mborzecki: did you change get-deps? [11:31] sergiusens: that's true [11:31] mborzecki: ah, sorry, I misread bits [11:31] you said "done" https://github.com/snapcore/snapd/pull/8821/files#r435859512 [11:31] PR #8821: github: port macOS sanity checks from travis [11:31] but I guess not on the right comment [11:32] anyway +1 [11:32] it's much nicer now [11:32] haha right [11:53] * zyga afk [12:03] degville: note, https://bugs.launchpad.net/bugs/1874156. I was planning on doing it but it sounds like you are? (which is fine) [12:03] Bug #1874156: Outdated docs on "Ubuntu security tips" for seccomp [12:03] * jdstrand isn't here yet [12:05] jdstrand: ah, I hadn't seen that. I don't mind making the first attempt and bringing it all over to the forum, but it would be great to have your review/edit when it's in place. [12:13] PR snapd#8821 closed: github: port macOS sanity checks from travis [12:42] hi everyone [12:42] i have a question about using snapctl manually [12:42] we use this in prepare-device script : snapctl set device-service.headers='{"api-key": "redacted"}' [12:42] to set api key for serial vault integration etc [12:43] can i change the api key on a provisioned device [12:43] when i manually run this command i receive an error saying snapctl cannot set without context [12:43] clmsy: no you can't change the api key on a device that already has a serial assertion [12:43] clmsy: can you explain your use case a bit more why do you want to change the api key ? [12:43] PR snapcraft#3159 opened: cli: improve sudo detection with euid check for warnings/errors [12:45] there was a mistake on setting the api key, it was set to the wrong value [12:47] clmsy: does the device have a serial ? [12:48] clmsy: err rather does the device with the incorrect api key have a serial assertion ? [12:49] you can surely easily use snap set to change the variable value ... but that wont gain you much since the value has already been used/processed during first boot [12:49] ogra: but if the device already has a serial assertion then changing the api key won't re-trigger that iiuc [12:49] ijohnson, i wonder if re-modeling might help here [12:49] yes, thats what i said πŸ™‚ [12:49] ogra: remodeling only would help if it had a serial assertion [12:49] you can change it but it wont have much effect [12:50] ah, right [12:57] ok thank you! [13:03] PR snapcraft#3157 closed: spread: use absolute path to lxd [13:03] PR snapcraft#3158 closed: spread: add snap watch [13:14] PR snapd#8820 closed: data/selinux: allow checking /var/cache/app-info (2.45) [13:17] mborzecki: found a curious bug [13:17] hm? [13:18] context is tests/main/services-stop-mode-sigkill [13:18] we issue snap remove test-snapd-service [13:19] that works [13:19] but leaves this [13:19] β”œβ”€snap.test-snapd-service.test-snapd-sigterm-service.service [13:19] β”‚ β”œβ”€12053 sleep 3133731337 [13:19] β”‚ └─12660 sleep 3133731337 [13:19] (that is systemctl status) [13:19] if you ask systemd about the unit it doesn't know anything (due to daemon reload) [13:19] the service is defined as [13:19] test-snapd-sigterm-service: [13:19] command: bin/start-stop-mode-sigterm [13:19] daemon: simple [13:19] stop-mode: sigterm [13:19] which means it should not do anything fancy and should really stop [13:19] and go away [13:20] this is on arch [13:20] and I think it's not deterministic [13:21] I ran this test a few times already [13:21] logs are super spammy [13:22] hmm, too large for pastebin [13:23] how do I lift a meg of logs off a spread vm [13:24] mborzecki: https://pastebin.com/Fv3Y364F gzipped [13:24] nah, broken [13:25] https://pastebin.com/RQhRtfJz [13:25] eh [13:25] that's base64 [13:25] so triggered spam detection [13:27] https://paste.ubuntu.com/p/jJf77HTTdc/ [13:27] zyga: wormhole? [13:27] that last link worked [13:27] but good idea [13:27] ugh, damn pain [13:28] had to reach for 2fa to get this [13:29] the log contains this: [13:29] Jun 05 13:15:26 jun051257-936988 systemd[1]: Stopping Service for snap application test-snapd-service.test-snapd-sigterm-service... [13:29] Jun 05 13:15:26 jun051257-936988 systemd[1]: snap.test-snapd-service.test-snapd-sigterm-service.service: Succeeded. [13:29] Jun 05 13:15:26 jun051257-936988 systemd[1]: Stopped Service for snap application test-snapd-service.test-snapd-sigterm-service. [13:30] what do you make of this? [13:30] should this happen? === hggdh is now known as hggdh-msft [13:31] the processes are still alive and their cgroup data clearly shows they belong to the snap [13:31] * zyga looks at the systemd code [13:32] huh [13:32] Jun 05 13:06:14 jun051257-936988 systemd[1]: snap.test-snapd-service.test-snapd-sigterm-service.service: Found left-over process 12053 (sleep) in control group while starting unit. Ignoring. [13:32] WHAT?! [13:33] Jun 05 13:06:14 jun051257-936988 systemd[1]: This usually indicates unclean termination of a previous run, or service implementation deficiencies. [13:33] ... or a really tired service ... [13:33] * zyga goes to trim that test to bare essentials [13:34] so the test re-installs the snap [13:34] I think what happens is that stop doesn't really finish [13:34] before we continue [13:34] otherwise I cannot explain this [13:35] ah, wait [13:35] I think this is actually correct [13:35] the service doesn't terminate all the processes [13:35] this is expected [13:35] mborzecki: sorry, alarm over [13:37] ijohnson: did you try btrfs too? [13:37] mborzecki: no [13:38] but oddly it happened only on some systems, indicating that there's still something racy there [13:48] https://github.com/snapcore/snapd/pull/8815 needs a 2nd review [13:48] PR #8815: tests: port snap-handle-link test to tests.session [13:49] pstolowski: https://github.com/snapcore/snapd/pull/8819#pullrequestreview-425315738 [13:49] PR #8819: tests: move install tests from snapstate_test.go to snapstate_install_test.go [13:50] zyga: sorry, had other things this morning, if I understand I should look at #8573? I put it in my queue, likely monday at this point [13:50] PR #8573: overlord/snapstate: inhibit startup while unlinked [13:50] pedronis: yes, getting some advice on how to proceed would help with the front-end side [13:51] thanks, Monday is fine [13:51] with some luck I will be feeling better as well [13:54] mvo: would you mind a quick look at https://github.com/snapcore/snapd/pull/8804 [13:54] PR #8804: tests: port xdg-settings test to tests.session [13:55] dbus-daemon clean is so close [14:08] PR snapcraft#3160 opened: project loader: fix v1 plugin repository installation on host [14:11] mvo: just to circle back, the seed wait did seem to work [14:23] is there a simrefinery snap yet? [14:24] sergiusens: \o/ thank you [14:33] degville: emitorino and I are happy to review. are you planning on updating https://forum.snapcraft.io/t/security-policy-and-sandboxing/554 (ie, the Tips section) or writing something new? if new, keep in mind https://forum.snapcraft.io/t/security-policy-and-sandboxing/554 seems to be used by a lot of people, so we'll need to adjust that accordingly to read the new doc [14:33] degville: s/if new/or are you planning on writing a new doc? if new/ [14:38] PR snapcraft#3154 closed: cmake v2 plugin: take source-subdir into account [14:40] jdstrand: (sorry, just in a meeting). I was only planning to update it, but I often end up re-writing large sections when I get into it. I'll definitely ping you, and please let me know if there's bits you know will need special attention. I'll make sure they're fixed. [14:40] degville: cool, I preferred updating. yes, happy to review :) [14:51] pstolowski: I reviewed #8819 [14:51] PR #8819: tests: move install tests from snapstate_test.go to snapstate_install_test.go [14:53] pedronis: ty [14:54] PR snapd#8819 closed: tests: move install tests from snapstate_test.go to snapstate_install_test.go [15:08] PR snapcraft#3159 closed: cli: improve sudo detection with euid check for warnings/errors [15:13] * cachio lunch [15:14] PR snapd#8780 closed: tests: core20 early defaults spread test [15:16] finally [15:29] pstolowski: nice weekend gift \o/ [15:29] yes indeed :) === facundo__ is now known as facubatista [15:59] PR snapcraft#3161 opened: npm v2 plugin: always include $SNAPCRAFT_PART_INSTALL/bin in $PATH [16:22] cachio: is #8816 ready to review ? [16:22] PR #8816: tests: port 2 uc20 part1 [16:41] ijohnson, yes [16:41] ijohnson, thanks [16:49] mvo: did you in the past 4 hours change any github permissions? Our Travis<->GH link just broke too [16:49] PR snapcraft#3160 closed: project loader: fix v1 plugin repository installation on host [17:10] sergiusens: I did not change anything === KindTwo is now known as KindOne [17:19] PR snapd#8822 opened: release: 2.45.1 [17:49] PR snapcraft#3161 closed: npm v2 plugin: always include $SNAPCRAFT_PART_INSTALL/bin in $PATH [18:05] PR snapd#8786 closed: arch: add riscv64 [18:09] PR snapcraft#3162 opened: tests: remove scenario usage from lifecycle order [18:10] PR snapd#8823 opened: asserts/internal: limit Grouping size switching to a bitset representation [18:34] PR snapcraft#3163 opened: cli: remove the hidden inspect command [18:34] PR snapcraft#3164 opened: cli: remove enable-ci command === KindTwo is now known as KindOne [21:46] PR snapd#8824 opened: many: move encryption and installer from snap-boostrap to gadget === hggdh-msft is now known as hggdh