/srv/irclogs.ubuntu.com/2020/08/24/#snappy.txt

mborzecki	morning	05:11
zyga	good morning	06:26
mup	PR snapd#9198 closed: features: add HiddenSnapFolder feature flag <Created by zyga> <Merged by zyga> <https://github.com/snapcore/snapd/pull/9198>	06:30
mborzecki	zyga: hey	06:36
zyga	hey :)	06:36
zyga	finally some cold air, eh?	06:36
mborzecki	yeah, much cooler (and nicer)	06:36
mborzecki	later summer/early autumn, cold mornings/evening, warm during the day	06:37
mborzecki	s/later/late/	06:37
mborzecki	errand, back ~11	06:39
mborzecki	mvo: hey	06:39
zyga	irc, eh,...	06:39
mvo	good morning mborzecki and zyga	06:39
mborzecki	need to run an errand, back ~11 hopefully	06:40
zyga	good morning mvo	06:40
zyga	mborzecki o/	06:40
* zyga waits for Lucy to wake up		06:40
* zyga goes to squash merge https://github.com/snapcore/snapd/pull/7825		06:41
mup	PR #7825: many: use transient scope for tracking apps and hooks <Security-High> <Squash-merge> <Created by zyga> <https://github.com/snapcore/snapd/pull/7825>	06:41
zyga	just need to think of a proper commit message	06:41
zyga	is anyone else using "git reflog" like the recent call lists on pre-smartphones?	06:43
mup	PR snapd#9204 opened: sandbox: track applications unconditionally <Created by zyga> <https://github.com/snapcore/snapd/pull/9204>	06:45
zyga	^ this is not yet ready for review	06:46
zyga	I want to see how it affects our tests	06:46
zyga	I'll go do some reviews	06:57
zyga	and then break to handle lucy being awake	06:57
zyga	and should then return for 1:1 and remaining work	06:57
mup	PR snapd#7825 closed: many: use transient scope for tracking apps and hooks <Security-High> <Squash-merge> <Created by zyga> <Merged by zyga> <https://github.com/snapcore/snapd/pull/7825>	07:00
pstolowski	morning	07:03
zyga	good morning Pawel	07:03
mvo	good morning pstolowski	07:41
pstolowski	o/	07:42
mvo	just fyi (all) 8982 needs reviews, samuele is happy with it on a high level but did not do a full review (not urgent though)	07:48
pstolowski	ack	08:12
pstolowski	mborzecki: hey, i've updated selinux profile in #9084, can you take a look (last commit)?	08:36
mup	PR #9084: o/snapstate: check disk space before creating automatic snapshot on remove (3/N) <Disk space awareness> <Created by stolowski> <https://github.com/snapcore/snapd/pull/9084>	08:36
zyga	In the office	08:53
zyga	mborzecki hey	09:08
zyga	mborzecki I've proposed a draft that attempts systemd-based app tracking by default	09:08
zyga	and I got a few denials for selinux	09:08
zyga	1) type=AVC msg=audit(08/24/20 07:27:34.527:12644) : avc: denied { getattr } for pid=78926 comm=snap path=/run/user/0/bus dev="tmpfs" ino=22956 scontext=system_u:system_r:snappy_cli_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=1	09:08
zyga	2) type=AVC msg=audit(08/24/20 07:27:34.528:12645) : avc: denied { write } for pid=78926 comm=snap name=bus dev="tmpfs" ino=22956 scontext=system_u:system_r:snappy_cli_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=1	09:09
zyga	3) type=AVC msg=audit(08/24/20 07:27:34.529:12646) : avc: denied { connectto } for pid=78926 comm=snap path=/run/user/0/bus scontext=system_u:system_r:snappy_cli_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1	09:09
zyga	I would appreciate some ideas on how to tackle that	09:09
zyga	those are from fedora 32	09:10
zyga	mborzecki I've added a comment on https://github.com/snapcore/snapd/pull/9204 with the same information	09:12
mup	PR #9204: sandbox: track applications unconditionally <Created by zyga> <https://github.com/snapcore/snapd/pull/9204>	09:12
mborzecki	re	09:23
pedronis	mborzecki: hi, I did a pass on #9201	09:27
mup	PR #9201: [RFC] boot: observe update & rollback of trusted assets <UC20> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/9201>	09:27
mborzecki	pedronis: thanks, would have some time for a chat later?	09:31
pedronis	mborzecki: before the standup	09:31
mborzecki	pedronis: sounds good	09:31
mborzecki	let me add something	09:31
mborzecki	zyga: looks like this should be covered by dbus chat interfaces	09:35
mborzecki	zyga: let me see if there's something for chattign with systemd specifically	09:35
zyga	thank you!	09:35
mborzecki	zyga: there's a bunch of systemd_dbus_chat in refpolicy but those seem to cover logind, timedated, machined, resolved	09:40
zyga	do we need a new interface or is there a better way out?	09:40
mborzecki	zyga: hm but it's user_tmp_t, can you try adding userdom_write_user_tmp_sockets(snappy_cli_t) to the policy, reload and see what happens?	09:43
zyga	mborzecki sure, I'll try	09:45
pstolowski	mborzecki: heh, my selinux fix worked everywhere except for centos 8. although there i see "type=AVC msg=audit(1598261418.464:4691): avc: denied { getattr } for pid=133098 comm="snapd" path="/var/snap/lxd/common/ns/shmounts"	09:49
mborzecki	pstolowski: why is snapd looking there?	09:50
zyga	mborzecki: probably because "du"	09:50
zyga	to estimate size of the data	09:50
pstolowski	yes exactly	09:50
zyga	in a way we need one-file-system that really means ignore-magic-filesystems	09:50
mborzecki	pstolowski: zyga: there's --one-file-system switch to du	09:53
zyga	but we don't really want that	09:53
zyga	we want to allow people to have other file systems mounted on /var/snap/blargh	09:53
zyga	what we want is to filter out nsfs	09:53
zyga	or procfs	09:54
mborzecki	zyga: should those other filesystems count towards snapshot size?	09:54
pstolowski	that's interesting. i wonder what happens when we do actual snapshot	09:54
zyga	it probably archives an empty file	09:55
zyga	it's a permissive profile	09:55
zyga	it's a bind mount of /proc/PID/ns/mnt to an empty file	09:56
zyga	so the archiver will just see the empty file	09:56
pstolowski	yeah but what about the rest of proc\	10:03
zyga	pstolowski is all of proc mounted in SNAP_DATA?	10:03
pstolowski	zyga: i don't know, re-running to see what happens (it's a lxd snap_	10:03
pstolowski	)	10:03
zyga	pstolowski I think you will only find nsfs	10:03
zyga	the rest of the filesystems are mounted inside that thing	10:04
zyga	it's like a chest for more mounts	10:04
zyga	mborzecki I have one deny left	10:07
zyga	mborzecki I have one deny left	10:07
zyga	type=AVC msg=audit(08/24/20 10:05:41.032:928) : avc: denied { connectto } for pid=29450 comm=snap path=/run/user/0/bus scontext=system_u:system_r:snappy_cli_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1	10:08
zyga	brb	10:09
mborzecki	zyga: ok, so you probably need unconfined_dbus_chat(snappy_cli_t) now	10:09
ijohnson	morning folks	10:09
zyga	hey ijohnson :)	10:09
zyga	mborzecki trying	10:09
mvo	good morning ijohnson	10:09
ijohnson	o/	10:09
ijohnson	mmm have we not had a new snapd edge since 8-22 ?	10:09
mborzecki	zyga: and maybe unconfined_dbus_connect(snappy_clit_t) too	10:09
mborzecki	ijohnson: hey	10:09
ijohnson	or 22-8 for y'all europeans :-)	10:10
pstolowski	hi ijohnson !	10:10
ijohnson	hey pstolowski	10:10
zyga	ijohnson looking	10:10
zyga	yeah	10:10
zyga	it seems so	10:10
ijohnson	smells odd	10:11
zyga	ijohnson snapd had a long weekend? :D	10:11
ijohnson	haha maybe	10:11
zyga	either stuck in moderation or the publish pipeline got blocked somewhere	10:11
mvo	ijohnson: probably no changes in edge since 22 ?	10:15
ijohnson	mvo: ah actually you're right there were a couple commits this morning but nothing over the weekend	10:16
ijohnson	I'm just so used to seeing the snapd snap update every day	10:16
zyga	re	10:22
zyga	ha, does it mean we had a long weekend instead?	10:24
zyga	as in two days without patches	10:24
zyga	ijohnson https://listed.zygoon.pl/17659/introduction-to-bashunit-unit-testing-for-bash-scripts :)	10:25
ijohnson	do we hijack the post-refresh hook for the core* snaps as well as the configure hook ?	10:39
ijohnson	zyga: very cool stuff! that's really nice to see it all come together like that, one thing I wonder though is that in the failure output you have for bashunit you don't see what the actual output of `hello_world` function is before the grep fails, so it's a bit difficult to debug	10:42
ijohnson	zyga: that's probably intristic to using bash however so probably not worth looking into, but I wonder if it would be helpful to have some kind of test util command you can use in the unit test file that saves the output inside pipes only to be displayed on test failure	10:43
ijohnson	zyga: something like `hello_world \| echo_on_fail \| grep -qFx 'Hello world'`	10:43
ijohnson	just a thought	10:43
ijohnson	I've wanted something like that _so_ many times when looking at spread failures	10:44
* zyga-x240 switches devices		10:48
zyga-x240	mvo: 2.46 branches are red, do you want to merge master or cherry pick all the fixes back>	10:51
mvo	zyga-x240: will merge master to it today	10:51
zyga-x240	ok	10:52
zyga-x240	do 2.46 jamie branches make sense to review then?	10:52
mvo	zyga-x240: no, please not	10:56
mvo	zyga-x240: in a meeting now	10:56
zyga-x240	ok	10:56
mvo	zyga-x240: we can close them	10:56
zyga-x240	mvo: ack, doing that now	11:16
mvo	ta	11:16
mup	PR # closed: snapd#9192, snapd#9193, snapd#9194, snapd#9195	11:21
ijohnson	real simple uc20 PR: https://github.com/snapcore/snapd/pull/9205	11:25
mup	PR #9205: boot/initramfs_test.go: reset boot vars on the bootloader for each iteration <Simple 😃> <Test Robustness> <UC20> <Created by anonymouse64> <https://github.com/snapcore/snapd/pull/9205>	11:25
mup	PR snapd#9205 opened: boot/initramfs_test.go: reset boot vars on the bootloader for each iteration <Simple 😃> <Test Robustness> <UC20> <Created by anonymouse64> <https://github.com/snapcore/snapd/pull/9205>	11:26
zyga-x240	is shell surprising? https://paste.ubuntu.com/p/FGYyvVXmm8/	11:26
zyga-x240	our \|\| true pattern is dangerous	11:28
ijohnson	wow just wow	11:28
ijohnson	how can such fundamental things in bash be so broken	11:28
zyga-x240	ijohnson: it's documented :)	11:28
zyga-x240	it's a feature	11:28
zyga-x240	just ill-designed IMO	11:28
zyga-x240	I think we can do something like "not"	11:28
ijohnson	didn't we have a NOT in spread ?	11:29
zyga-x240	we have "not" in snapd	11:29
zyga-x240	it's really exactly the same feature in bash that requires it	11:29
diddledan	yes. it's surprising :-) (not what I expect with `set -e`)	11:30
zyga-x240	diddledan: it's just another case of https://listed.zygoon.pl/17629/broken-composition-or-the-tale-of-bash-and-set-e	11:30
diddledan	I guess you need to add set -e inside the function?	11:30
zyga-x240	diddledan: but just seeing the code behave this way is shocking	11:31
zyga-x240	diddledan: no :)	11:31
zyga-x240	diddledan: try that	11:31
zyga-x240	it's ignored	11:31
diddledan	gah	11:31
zyga-x240	the link I referenced explains why	11:31
* diddledan reads it		11:31
* zyga-x240 reviews nested.sh		11:31
diddledan	it's the same with /bin/sh (which in Ubuntu 20.04 is dash, right?)	11:32
zyga-x240	yes	11:32
zyga-x240	it's a very old feature	11:32
diddledan	the `do-something && do-something-on-success \|\| do-something-on-fail` is a common pattern that I've seen all over the interweb	11:33
zyga-x240	diddledan: it all depends on what those are	11:35
zyga-x240	diddledan: also, remove the echo that says "surprising" and it's well, also documented but more surprising	11:35
diddledan	gosh, there's a lot of strange interactions you've highlighted	11:37
zyga-x240	mvo: shellcheck issue (reported in early 2019) https://github.com/koalaman/shellcheck/issues/1484	11:42
zyga-x240	cachio: how much work would it take to make nested.sh a non-sourced script?	11:44
ijohnson	morning cachio	11:44
cachio	zyga-x240, hi, I already did something like that a time ago	11:45
cachio	ijohnson, hi	11:45
zyga-x240	cachio: oh? where?	11:45
cachio	good morning	11:45
cachio	zyga-x240, I closed that a time ago	11:45
zyga-x240	why?	11:45
cachio	I need to open it again	11:45
cachio	because there were too many changes	11:46
zyga-x240	I'm reading https://github.com/snapcore/snapd/pull/9098 and I'm very worried about bugs	11:46
mup	PR #9098: tests: new organization for nested tests <Run nested> <Created by sergiocazzolato> <https://github.com/snapcore/snapd/pull/9098>	11:46
zyga-x240	well, we can start small	11:46
cachio	Iand I decided to create a new change to address that	11:46
zyga-x240	but I think we must go that way	11:46
cachio	I could make it again	11:47
zyga-x240	please start small	11:47
cachio	it could be a tool	11:47
zyga-x240	prepare/restore + execute	11:47
zyga-x240	yeah, I think sourcing is a no-go	11:47
zyga-x240	port a single test (keep nested.sh as-is)	11:48
zyga-x240	over time it will replace the other	11:48
cachio	zyga-x240, ok, makes sense	11:49
zyga-x240	cachio: why is execute remote using "$*"?	11:49
zyga-x240	https://github.com/snapcore/snapd/pull/9098/files#diff-3af5dfa44ec70d885e9485dbb117f52fR844	11:49
mup	PR #9098: tests: new organization for nested tests <Run nested> <Created by sergiocazzolato> <https://github.com/snapcore/snapd/pull/9098>	11:49
cachio	zyga-x240, it is very old	11:51
cachio	zyga-x240, I think federico created that	11:51
zyga-x240	I think that's wrong	11:51
cachio	and nobody updated that	11:51
zyga-x240	and I suspect it's broken with regards to quoting	11:51
zyga-x240	cachio: I did a quick pass over https://github.com/snapcore/snapd/pull/9098#pullrequestreview-473374133	11:52
mup	PR #9098: tests: new organization for nested tests <Run nested> <Created by sergiocazzolato> <https://github.com/snapcore/snapd/pull/9098>	11:52
cachio	zyga-x240, nice, thanks	11:52
cachio	I'll take a look	11:52
zyga-x240	cachio: let me know if anything I said there is unreasonable please	11:53
zyga-x240	cachio: please look through all the functions, they should not create new globals unless that's exactly desired	11:54
zyga-x240	e.g. start_nested_classic_vm defines a dozen or so new globals	11:54
cachio	zyga-x240, ok, np, I'll update that	11:55
zyga-x240	cachio: wait_for_ssh defines retry as a global	11:55
zyga-x240	please go through the entire file	11:55
cachio	zyga-x240, ok, I'ldd	11:56
cachio	I'll do	11:56
zyga-x240	thanks,	11:57
zyga-x240	the more we learn about shell the more we need to be careful	11:57
cachio	zyga-x240, yes hehehe	11:58
pstolowski	mborzecki: pondering what to do about that second denial on centos8 only; is "allow snappy_t unconfined_service_t:file getattr;" too terrible?	12:25
mborzecki	pstolowski: wouldn't that only mask the issue?	12:25
pstolowski	mborzecki: fwtw these files appear empty, and are included in actual snapshot	12:27
zyga-x240	pstolowski: they are empty	12:30
zyga-x240	pstolowski: they are mount points to contain nsfs objects	12:31
mup	PR snapcraft#3260 opened: tools: update setuptools in environment-setup <Created by cjp256> <https://github.com/snapcore/snapcraft/pull/3260>	12:32
* zyga-x240 -> lunch		12:34
mup	PR snapd#9160 closed: boot, o/devicestate: observe existing recovery bootloader trusted boot assets <UC20> <Created by bboozzoo> <Merged by bboozzoo> <https://github.com/snapcore/snapd/pull/9160>	12:46
pstolowski	degville: hi, welcome back! it seems you made a nice shot of milky way but unfortunately for some reason i see very pixelated/blurry pictures, something wrong with google photos here i suspect	12:50
ijohnson	zyga-x240: what's your take on passing function names to a bash function? I want to inject any function to be called during the execution of another function, but only sometimes, something like passing a func() as a param in Go	12:52
ijohnson	zyga-x240: does my idea seem terrible given your current experiences ?	12:52
ijohnson	I could just add all the functions I need inside the main function and just use a silly named option/switch to the function when I call it	12:53
zyga-x240	ijohnson: re	12:55
zyga-x240	ijohnson: let me read backlog	12:55
ijohnson	zyga-x240: sure no rush	12:55
zyga-x240	ijohnson: no, not really	12:55
zyga-x240	ijohnson: there's even a way to do "pointers" in bash if you need to	12:55
zyga-x240	ijohnson: the more important detail is exactly how is the function called	12:56
zyga-x240	ijohnson: I think that disabling set -e, calling the function, recording $? and re-enabling set -e is probably correct, to the best of my understanding	12:56
zyga-x240	ijohnson: some simpler functions are also correct in more generic cases, those that involve a single command	12:56
ijohnson	zyga-x240: the function I need to call is very simple, but it needs to be called at a very specific point in time	12:57
zyga-x240	ijohnson: I'm happy to review and suggest improvements	12:58
ijohnson	but actually I think I can get away with just a single implementation, thinking about it I don't know that I need multiple different functions to be called so I think I'll just use a special optional argument to the original function I need to call	12:58
degville	pstolowski: thanks for letting me know (and the welcome back!) - I'll check, but it's pretty low quality anyway as it was just a long exposure shot taken with my phone. I do have a RAW version, so I may try and play with it in Darktable.	13:15
mup	PR snapcraft#3261 opened: requirements: pin setuptools devel requirement <Created by cjp256> <https://github.com/snapcore/snapcraft/pull/3261>	13:23
mborzecki	zyga-x240: there's no way to set the 'script' interpreter in spread, or is there?	13:29
zyga-x240	mborzecki: no and in addition, spread joins many separate task together	13:29
zyga-x240	IIRC	13:29
ijohnson	let's all switch to julia instead of bash	13:32
ijohnson	alternative to julia would be the good ol lisp	13:32
zyga-x240	ijohnson: I think js is the most realistic alternative	13:34
* ijohnson really doesn't wanna write js tho		13:34
zyga-x240	it's not great but has arguably the best tooling	13:34
ijohnson	I see your clojures in js and raise you an offer of erlang	13:34
zyga-x240	I think it's not something we should pick in a rush	13:35
zyga-x240	maybe figuring out how to transition to anything is more relevant	13:35
zyga-x240	then we can consider alternatives	13:35
cachio	zyga-x240, I see this error https://github.com/snapcore/snapd/runs/1021534236#step:5:1744	13:37
cachio	todya the image has been updated	13:38
cachio	did you already see that?	13:38
zyga	cachio strange, is that image changing from efi to legacy boot?	13:40
cachio	no	13:42
cachio	zyga, it shouldn't	13:42
cachio	I am trying to reproduce	13:42
zyga	ok	13:44
mup	PR snapd#9206 opened: boot: complain about reused asset name during initial install <UC20> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/9206>	14:11
zyga	snap wait --help panics	14:31
zyga	pstolowski snap save on f32 says "broken: invalid snapshot"	14:32
zyga	https://pastebin.ubuntu.com/p/cxHqJ9MZQn/	14:33
mborzecki	zyga: backtrace goes to go-flags	14:34
zyga	maybe go-flags is old	14:34
mborzecki	zyga: maybe a particular version is broken	14:35
zyga	the beauty of maintaining packages	14:35
pstolowski	zyga: ? is this my PR?	14:36
zyga	nope	14:36
zyga	mborzecki it creshes on	14:36
zyga	descPadding := strings.Repeat(" ", descStart-len(argPrefix))	14:36
zyga	afk	14:36
zyga	dog needs to go out	14:37
pstolowski	we run snapshot-basic spread test everywhere, are you sure it's not some local issue on your f32?	14:41
pedronis	pstolowski: I did a pass on #9199	14:48
mup	PR #9199: snapstate: installSizeInfo helper that calculates total size of snaps and their prerequisites <Disk space awareness> <Needs Samuele review> <Created by stolowski> <https://github.com/snapcore/snapd/pull/9199>	14:48
pstolowski	pedronis: just saw it, thanks	14:49
pstolowski	mborzecki: does the selinux workaround in #9084 look fine to you? it passed now (except for unrelated test failure on centos8 and suse)	14:51
mup	PR #9084: o/snapstate: check disk space before creating automatic snapshot on remove (3/N) <Disk space awareness> <Created by stolowski> <https://github.com/snapcore/snapd/pull/9084>	14:51
mborzecki	pstolowski: yeah, i don't think we have any other options at this point	14:55
pstolowski	mborzecki: ok thanks, i'll land this	14:56
mup	PR snapd#9084 closed: o/snapstate: check disk space before creating automatic snapshot on remove (3/N) <Disk space awareness> <Created by stolowski> <Merged by stolowski> <https://github.com/snapcore/snapd/pull/9084>	15:01
mborzecki	pstolowski: still, it'd be nice to maybe ask the lxd team what that ns/shmounts contains, my rough guess it's some bit of /proc/self/ns/.. of the lxd process, hence the unconfined_t label (and nsfs fstype)	15:03
=== davdunc_ is now known as davdunc
=== bluesabre_ is now known as bluesabre
pstolowski	pedronis: interesting, so the idea is to essentially exclude snaps that could have been installed in the meantime when computing total?	15:07
* cachio lunch		15:07
=== mborzeck1 is now known as mborzecki
pedronis	pstolowski: yes, as I said, it doesn't cover all cases, but it get us closer to the kind of code that we would need for that	15:23
pstolowski	pedronis: right, got it, thanks	15:26
* zyga-x240 goes for PT		15:34
mvo	pstolowski: I updated 8982	15:38
mvo	pstolowski: thanks for your review, the misgging BadRequest test highlighted a bad error message	15:38
pstolowski	mvo: yes, i looked briefly, thanks for the changes	15:38
pstolowski	👍	15:39
pstolowski	+1	15:53
mvo	yay now 8982 just needs a second review	16:15
mup	PR snapd#9207 opened: boot/bootstate20: reboot to rollback to previous kernel <Bug> <UC20> <Created by anonymouse64> <https://github.com/snapcore/snapd/pull/9207>	16:17
zyga-x240	re	18:01
zyga-x240	today's exercise was intense	18:02
zyga-x240	I'm genuinely tired	18:02
* zyga-x240 needs water		18:02
* zyga-x240 is rehydrated		18:18
zyga-x240	let's write some ocd	18:18
zyga-x240	*code	18:18
* zyga-x240 goes upstairs		18:32
mup	PR core20#82 opened: [RFC] hooks: mv docker user/group definition to extrausers <Created by anonymouse64> <https://github.com/snapcore/core20/pull/82>	18:53
mup	PR snapd#9208 opened: tests/nested/core20/kernel-failover: add test for failed refresh of uc20 kernel <Run nested> <Test Robustness> <UC20> <Created by anonymouse64> <https://github.com/snapcore/snapd/pull/9208>	19:22
* ijohnson EODs		19:25

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!