mup | PR core20#86 opened: .travis.yml: use stable snapcraft now <Created by anonymouse64> <https://github.com/snapcore/core20/pull/86> | 01:34 |
---|---|---|
mborzecki | morning | 05:22 |
mborzecki | school run and then a quick errand, back around 9 | 05:22 |
pstolowski | morning | 07:01 |
pedronis | zyga-kaveri: hi, we are getting google:ubuntu-16.04-64:tests/main/lxd:snapd_cgroup_just_outside failures sometimes, also cgroup-tracking on arch sometimes fails | 07:03 |
pedronis | zyga-kaveri: for example, https://github.com/snapcore/snapd/pull/9325/checks?check_run_id=1100227725 | 07:03 |
mup | PR #9325: strutil: add SortedListsUniqueMerge <Created by pedronis> <https://github.com/snapcore/snapd/pull/9325> | 07:03 |
pedronis | mborzecki: hi, should we sync? | 07:06 |
mup | PR snapd#9325 closed: strutil: add SortedListsUniqueMerge <Created by pedronis> <Merged by pedronis> <https://github.com/snapcore/snapd/pull/9325> | 07:07 |
pedronis | mvo: mborzecki: hello, should we sync? | 07:16 |
mvo | pedronis: I'm trying to get an overview about the open PR over the night right now | 07:17 |
mvo | pedronis: but yeah, a quick sync would be good I think | 07:18 |
mborzecki | re | 07:20 |
mborzecki | pedronis: sorry starting only now, i can join in 5 | 07:20 |
pedronis | mborzecki: mvo: ok, I can be in SU in 5 | 07:20 |
mvo | pedronis, mborzecki call we meet at :30 ? nice round time, only slightly more than 5min :)? | 07:21 |
pedronis | that's fine too | 07:22 |
mborzecki | mvo: works for me | 07:23 |
mup | PR snapd#9324 closed: secboot: adjust parameters to buildPCRProtectionProfile <Simple π> <UC20> <Created by cmatsuoka> <Merged by bboozzoo> <https://github.com/snapcore/snapd/pull/9324> | 07:52 |
pedronis | mborzecki: I will push some tweak to the reasel PR, it seems some code was copied before applying feedback about errors | 08:02 |
mborzecki | pedronis: ok | 08:12 |
mup | PR snapd#9320 closed: boot: group SealKeyModelParams by model, improve testing <Run nested> <UC20> <Created by cmatsuoka> <Merged by bboozzoo> <https://github.com/snapcore/snapd/pull/9320> | 08:17 |
pedronis | thx | 08:18 |
zyga | good morning | 08:22 |
mborzecki | zyga: hey | 08:34 |
zyga | long night | 08:35 |
* zyga EODd at about 1AM | 08:35 | |
pedronis | mborzecki: mvo: I merged master and fixed/adjusted things into #9322, it's ready for 2nd/3rd reviews | 08:41 |
mup | PR #9322: boot: add call to reseal an existing key <Run nested> <UC20> <Created by cmatsuoka> <https://github.com/snapcore/snapd/pull/9322> | 08:41 |
mvo | pedronis: cool, will refresh and go over it again | 08:41 |
mvo | pedronis: approved 9322 as well, funny that we have very similar comments there | 08:58 |
mborzecki | pedronis: InstallHostFDEDataDir is avaialble in run mode? | 09:00 |
pedronis | mborzecki: for that one we really need a different var for run mode | 09:01 |
pedronis | I think | 09:01 |
pedronis | Int | 09:02 |
pedronis | InstallHost doesn't make sense during run mode | 09:02 |
pedronis | mborzecki: we might need a helper that gives a dir based on mode, depends on details | 09:03 |
mvo | pstolowski: I noticed the spread tests in 9221 tend to fail, are you on this or shall I have a look ? I'm reviewing this right now and was wondering | 09:11 |
pstolowski | mvo: i'm working on it right now, apart from shellcheck errors it needs to be disabled on some systems because it's too intrusive e.g. for selinux | 09:13 |
pstolowski | and also for core | 09:13 |
pstolowski | (as it's messing up with /var/lib/snapd) | 09:13 |
mvo | pstolowski: cool, I will just wait for the update then | 09:20 |
ijohnson | hey mvo, good morning, did you restart tests in #9208 at all? the most recent run I see on that PR does not have the kernel-failover test failing, just the fundamentals test and preparing generally failing | 09:33 |
mup | PR #9208: tests/nested/core20/kernel-failover: add test for failed refresh of uc20 kernel <Run nested> <Test Robustness> <UC20> <Created by anonymouse64> <https://github.com/snapcore/snapd/pull/9208> | 09:33 |
mvo | ijohnson: I didn't restart, I though master was merged | 09:35 |
ijohnson | mvo: ok, sorry just trying to understand your comment there cause you said the failover test was failing in that pr | 09:36 |
mvo | no worries, just restart if needed | 09:38 |
ijohnson | ok, just that I haven't seen the actual kernel-failover test fail and if you saw it fail I would be very interested in logs :-) | 09:39 |
zyga | good morning ijohnson :) | 09:40 |
ijohnson | morning zyga | 09:40 |
zyga | gosh | 09:48 |
zyga | gnome-shell is stuck | 09:48 |
zyga | I have a full-screen prompt | 09:48 |
zyga | like polkit | 09:48 |
zyga | that prompts me about ssh key of a host | 09:49 |
zyga | I have no idea why | 09:49 |
zyga | there are two buttons that don't do anything | 09:49 |
zyga | the machine is up, I can run stuff but I cannot get that modal popup to go away | 09:49 |
zyga | I guess it's save and reboot for the new kernel anyway :/ | 09:49 |
zyga | but one argument against modal shell popups | 09:49 |
zyga | and lack of QA | 09:49 |
zyga | (this is on focal) | 09:50 |
zyga | it's 2020 but I can ssh -X from a mac to ubuntu and run git gui | 09:55 |
zyga | I'm happy | 09:55 |
mborzecki | pedronis: do i remember correctly we shoudl always reseal if the boot chain contains an unasserted kernel? | 10:01 |
pedronis | mborzecki: yes, there's a todo in bootchain how to achieve that | 10:01 |
pedronis | mborzecki: see predictableBootChainsEqualForReseal | 10:02 |
mup | PR snapd#9327 opened: overlord: assorted typos and miscellaneous changes <Simple π> <Skip spread> <Created by zyga> <https://github.com/snapcore/snapd/pull/9327> | 10:03 |
zyga | man after this is all done I feel you guys should do a presentation about resaling | 10:08 |
zyga | it seems to have grown into this large complex system all by itself | 10:09 |
zyga | not that it's any different from the reality it models | 10:09 |
ijohnson | I'm actually very curious if there's another linux distro out there that does full disk encryption with automatic resealing like this, I'm inclined to think not | 10:11 |
zyga | ijohnson windows ;D | 10:15 |
zyga | but jokes aside, it does work for windows | 10:15 |
ijohnson | haha yeah | 10:15 |
zyga | which is impressive as it shipped about ~ well boatload years ago | 10:15 |
zyga | when was bitlocker introduced? | 10:15 |
zyga | ijohnson also macos but there it's a bit different in implementation | 10:16 |
ijohnson | yeah that's not using a generic tpm 2.0 afaik | 10:16 |
ijohnson | (for mac) | 10:16 |
zyga | I suspect apple's T2 is more like android encryption | 10:16 |
ijohnson | yeah | 10:16 |
zyga | yeah | 10:16 |
zyga | yeah, T2 is totally different | 10:16 |
ijohnson | I remember setting up bitlocker on windows 7 in like 2010 | 10:16 |
zyga | but it does handshake each hardware in the system | 10:17 |
zyga | right, I was wondering if I remembered win7 had bitlocker in the pro edition | 10:17 |
zyga | still | 10:17 |
zyga | it's one hell of a thing to bring it to linux this way | 10:17 |
zyga | I would love to see this eventually arrive to classic desktop for 22.04 | 10:17 |
zyga | even if you have some more rigidity in result | 10:17 |
ijohnson | yeah the automatic nature of it makes it super useful for installing I think, if your system has tpm 2.0 + uefi, bam fde for free w/ no passphrase, etc. | 10:18 |
zyga | I think this will be very popular for corporate users | 10:19 |
zyga | oh my | 10:27 |
* zyga realized unexport-content should be after unlink-snap | 10:27 | |
pstolowski | mvo: pushed to 9221 | 10:31 |
mvo | pstolowski: thanks, looking | 10:31 |
zyga | I need more spread tests | 10:32 |
zyga | or a check in all tests | 10:32 |
mup | PR snapd#9327 closed: overlord: assorted typos and miscellaneous changes <Simple π> <Skip spread> <Created by zyga> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/9327> | 10:33 |
zyga | thanks mvo | 10:33 |
mup | PR snapd#9328 opened: boot: store boot chains during install, helper for checking whether reseal is needed <Run nested> <UC20> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/9328> | 10:38 |
mborzecki | pedronis: ^^ | 10:39 |
zyga | neat, no failures | 10:44 |
zyga | let's add some spread tests now | 10:44 |
mvo | pstolowski: let me poke at this a bit, I have some ideas | 10:46 |
pstolowski | mvo: ok, thank you. i'm playing with it as well | 10:48 |
mvo | pstolowski: how does http://paste.ubuntu.com/p/ZDk8fR5Pz9/ look (untested, but should give hte idea)? | 10:53 |
zyga | mvo are we measuring space in snapshots or in the parent dir? | 10:55 |
pstolowski | mvo: hmm i wonder if we will get correct size in snapd if it's not a single filesystem | 10:55 |
pstolowski | yeah exactly, what zyga says | 10:55 |
zyga | brb, need to stretch a little | 10:56 |
zyga | pstolowski I wonder if we could stop snapd, mv all of var/lib/snapd over, mount a tmpfs, copy things and resume the test | 10:58 |
zyga | bonus points for cleanup that just unmounts | 10:58 |
pstolowski | yeah i had that initially but hit some issues (don't remember what that was anymore, probably solvable) | 11:00 |
mvo | pstolowski: it looks like we test for the actual path so that should work, I can tweak and run locally to double check | 11:04 |
pstolowski | mvo: i can try that, i like how it simplifies it and avoid space calc | 11:05 |
mvo | pstolowski: yeah, that's the appeal | 11:06 |
mborzecki | pedronis: hmm boot.Device needs to have Model() now too right? | 11:19 |
pedronis | mborzecki: yes | 11:19 |
pedronis | I knew about that but forgot to mention | 11:19 |
pedronis | mborzecki: I reviewed #9328, mostly a lot of nitpicks | 11:20 |
mup | PR #9328: boot: store boot chains during install, helper for checking whether reseal is needed <Run nested> <UC20> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/9328> | 11:20 |
mborzecki | pedronis: cool, thanks (and thanks to mvo too!) | 11:20 |
pedronis | mborzecki: thx for it | 11:20 |
pstolowski | mvo: so this gives this - Download snap "hello-world" (29) from channel "stable" (link /var/lib/snapd/snaps/hello-world_29.snap /var/lib/snapd/cache/b07bdb78e762c2e6020c75fafc92055b323a6f8da3ab42a3963da5ade386aba11f77e3c8f919b8aa23f3aa5c06c844f9: invalid cross-device link) :( | 11:24 |
pstolowski | mvo: which reminded me that i tried this approach before | 11:24 |
pstolowski | mvo: that's because of our hardlink cache logic | 11:24 |
pedronis | mborzecki: one more comment | 11:24 |
pstolowski | i need a short break and lunch | 11:25 |
* pstolowski lunch | 11:25 | |
mvo | pstolowski: yeah, just noticed this too, slightly annoying that our code is not more robust here, I think that's a bug in itself. oh well | 11:27 |
* mvo also lunches | 11:27 | |
* zyga is bad at taking breaks | 11:28 | |
zyga | taking one now for real | 11:28 |
pedronis | mborzecki: should I do a small PR to complete predictableBootChainsEqualForReseal ? | 11:33 |
mborzecki | pedronis: go ahead | 11:34 |
mborzecki | thanks! | 11:34 |
pedronis | mborzecki: made another remark | 11:34 |
mup | PR snapd#9329 opened: boot: consider boot chains with unrevisioned kernels incomparable <Skip spread> <UC20> <Created by pedronis> <https://github.com/snapcore/snapd/pull/9329> | 11:58 |
pedronis | mborzecki: done ^ | 11:58 |
ogra_ | so in #9307 i added "tee" to tests/lib/snaps/test-snapd-policy-app-consumer/meta/snap.yaml , yet the test still fails and does not seem to find my added lines ... | 12:00 |
mup | PR #9307: interfaces/tee: add TEE/OPTEE interface <Needs security review> <Created by ogra1> <https://github.com/snapcore/snapd/pull/9307> | 12:00 |
ogra_ | https://github.com/snapcore/snapd/pull/9307/checks?check_run_id=1092075286 is just telling me to add it to that file | 12:00 |
ogra_ | am i missing anything (and do we perhaps have some doc where to typically turn the knobs to add the expected tests) | 12:01 |
ogra_ | (bah, there seems to be a missing space in the plug decl. ignore the question .. i'll ask again if it fails again) | 12:06 |
pedronis | ijohnson: answered your review question | 12:08 |
zyga | hmm | 12:10 |
ijohnson | pedronis: ack makes sense, but why skip spread on that PR? | 12:12 |
zyga | sigh | 12:12 |
pedronis | ijohnson: nothing is using that function yet | 12:12 |
ijohnson | ok | 12:12 |
pedronis | ijohnson: #9328 uses it, but in a helper that itself is not used yet, but ideally we should land this first then that | 12:14 |
mup | PR #9328: boot: store boot chains during install, helper for checking whether reseal is needed <Run nested> <UC20> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/9328> | 12:14 |
ijohnson | makes sense, I +1d it | 12:14 |
ijohnson | I'm working through a review of 9328 now | 12:14 |
ijohnson | well actually gonna make more coffee then will continue working through that | 12:14 |
mborzecki | wow, seal tests are pita to set up | 12:14 |
pedronis | mborzecki: yes, we might need some helper | 12:15 |
ijohnson | mborzecki: hmm is it a typo in TestMakeBootable20RunMode that we use Revision: snap.Revision{N: 0}, for pc-kernel_1.snap ? | 12:22 |
ijohnson | should that actually be snap.Revision{N:1}, ? | 12:22 |
ijohnson | it's just unexpected to me that in the BootChain you read from the file at the end of that test we get `KernelRevision: "",` | 12:22 |
pedronis | that seems weird | 12:23 |
pedronis | revisions starts at 1, 0 is unset | 12:23 |
pedronis | if the goal is to make it look local/unasserted then its N: -1 | 12:23 |
ijohnson | yeah I think it's a typo from the previous PR | 12:24 |
ijohnson | (which coincidentally I approved /o\ ) | 12:24 |
pstolowski | mvo: fyi my get_disk_usage helper has an issue in that spread test, i might have a fix | 12:26 |
ijohnson | pedronis: I finished lookingat 9328, is there another pr I should look at before SU today? | 12:29 |
ijohnson | s/today/right now/ | 12:29 |
pedronis | ijohnson: #9322 could use a 3rd review (given that I worked a bit on it myself) | 12:30 |
mup | PR #9322: boot: add call to reseal an existing key <Run nested> <UC20> <Created by cmatsuoka> <https://github.com/snapcore/snapd/pull/9322> | 12:30 |
ijohnson | sure | 12:30 |
pedronis | #9239 needs a 2nd review, it's small | 12:36 |
mup | PR #9239: many: misc doc-comment changes and typo fixes <Simple π> <Skip spread> <Created by anonymouse64> <Merged by bboozzoo> <https://github.com/snapcore/snapd/pull/9239> | 12:36 |
ijohnson | oh? | 12:36 |
pedronis | heh | 12:37 |
pedronis | I meant #9329 | 12:37 |
mup | PR #9329: boot: consider boot chains with unrevisioned kernels incomparable <Skip spread> <UC20> <Created by pedronis> <https://github.com/snapcore/snapd/pull/9329> | 12:37 |
ijohnson | mborzecki: are you still running arch? are you able to install the vokoscreen-ng snap via snap install ? | 12:39 |
mup | PR snapd#9329 closed: boot: consider boot chains with unrevisioned kernels incomparable <Skip spread> <UC20> <Created by pedronis> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/9329> | 12:53 |
mup | PR snapd#9322 closed: boot: add call to reseal an existing key <Run nested> <UC20> <Created by cmatsuoka> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/9322> | 12:58 |
mup | PR snapd#9330 opened: boot: reseal when updating boot assets <UC20> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/9330> | 13:28 |
pedronis | mborzecki: I re-reviewed #9328 | 13:47 |
mup | PR #9328: boot: store boot chains during install, helper for checking whether reseal is needed <Run nested> <UC20> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/9328> | 13:47 |
pstolowski | mvo: only unrelated failures in #9221 now | 13:50 |
mup | PR #9221: tests: disk space awareness spread test <Disk space awareness> <Created by stolowski> <https://github.com/snapcore/snapd/pull/9221> | 13:50 |
* zyga errand | 13:50 | |
mvo | pstolowski: cool, looking | 13:53 |
cachio | zyga, when you have a momento could you take a look again to #9316 | 13:55 |
mup | PR #9316: tests: use full path to test-snapd-refresh.version binary <Simple π> <Created by sergiocazzolato> <https://github.com/snapcore/snapd/pull/9316> | 13:55 |
ijohnson | cachio: I commented on your other similar PR that's the wrong way to fix this | 13:56 |
ijohnson | we should figure out why /snap/bin is not on $PATH | 13:56 |
cachio | ijohnson, you mean for the tests.tool right? | 13:59 |
cachio | because it is on $PATH for snap run o if I just execute the snap | 13:59 |
ijohnson | cachio: I mean this comment https://github.com/snapcore/snapd/pull/9315#issuecomment-690375166 | 14:00 |
mup | PR #9315: tests: fix snap-routime-portal-info test <Simple π> <Created by sergiocazzolato> <https://github.com/snapcore/snapd/pull/9315> | 14:00 |
cachio | ijohnson, I am not sure yet but think the issue is related to the tests.session setup, but really couldn't find where | 14:04 |
cachio | becuause it fails just when we run using tests.session | 14:05 |
cachio | ijohnson, I mean, this works: su -c 'snap run test-snapd-refresh.version' test | MATCH v1 | 14:06 |
mborzecki | pedronis: cmatsuoka: hmm, current code assumes we always have a trusted assets bootloader :/ | 14:24 |
mborzecki | and fails otherwise | 14:24 |
mborzecki | (i mean the reseal code) | 14:24 |
pedronis | mborzecki: we should check that outside, if it's not trusted there is nothing to do, really | 14:25 |
pedronis | we need to cleanup bootloader interface zoo | 14:25 |
pedronis | but basically is like that atm | 14:25 |
pedronis | mborzecki: do you need more input on this? | 14:26 |
pedronis | mborzecki: well, outside, maybe inside, I don't know how you structured your helpers | 14:27 |
* cachio afk | 14:34 | |
zyga | cachio sure | 14:38 |
zyga | cachio replied | 14:39 |
mup | PR snapd#9331 opened: boot: reseal when changing kernel <UC20> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/9331> | 15:14 |
mborzecki | pedronis: mvo: cmatsuoka: more like an RFC really ^^ | 15:16 |
mvo | mborzecki: thank you! | 15:17 |
cmatsuoka | mborzecki: I'll check after lunch, thanks! | 15:19 |
mvo | mborzecki: why rfc? it looks pretty reasonable from a quick look | 15:19 |
mvo | mborzecki: anything to watch out for? | 15:19 |
mborzecki | mvo: hope i got all the places that need to be tweaked, the tests could use more work | 15:20 |
mborzecki | and bootloadertest.MockTrustedBootAssetsBootloader is kind of getting in the way | 15:20 |
* mvo nods | 15:21 | |
mborzecki | btw. the tests are spotty for calls to seal/reseal when the bootlaoder is not a trusted assets one | 15:21 |
mborzecki | and probably the same if there's no trusted assets (even if bl implements the interface) | 15:21 |
mborzecki | landing #9328 will make the other PRs considerably smaller | 15:24 |
mup | PR #9328: boot: store boot chains during install, helper for checking whether reseal is needed <Run nested> <UC20> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/9328> | 15:24 |
mborzecki | wth `src/github.com/snapcore/snapd/overlord/snapstate/check_snap.go:485:26: ambiguous selector deviceCtx.Model`? | 15:29 |
mborzecki | but it builds just fine locally, maybe a go version change? | 15:29 |
pedronis | mborzecki: IsResealNeed is not used yet, right? | 15:37 |
mborzecki | pedronis: it's not | 15:38 |
mborzecki | pedronis: cmatsuoka: mvo: do we need to sync? i'll need to wrap it up ~6 to take the kids to a swimming class | 15:42 |
pedronis | mborzecki: I think the code is understable, anyway we need to land one piece at a time | 15:45 |
pstolowski | i see recurring failures of google:ubuntu-16.04-64:tests/main/lxd:snapd_cgroup_just_inside | 15:47 |
pedronis | yes, I mentioned that in the morning | 15:47 |
pstolowski | right, not sure zyga saw your message | 15:51 |
pedronis | there are some missing tests in 9328 | 15:52 |
pedronis | mmh | 15:53 |
mborzecki | damn, i'm late, i'll check back in later | 16:02 |
pedronis | mborzecki: sorry, my answer was a no | 16:03 |
pedronis | maybe it wasn't clear | 16:03 |
cmatsuoka | mborzecki: sorry, I was away, back now | 16:13 |
pedronis | cmatsuoka: can we sync quickly? | 16:15 |
cmatsuoka | pedronis: sure | 16:16 |
pedronis | cmatsuoka: going to the standup channel | 16:16 |
pedronis | cmatsuoka: https://github.com/snapcore/snapd/pull/9328#pullrequestreview-486951806 | 16:32 |
mup | PR #9328: boot: store boot chains during install, helper for checking whether reseal is needed <Run nested> <UC20> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/9328> | 16:32 |
cmatsuoka | pedronis: ack | 16:32 |
* pedronis dinner break | 16:34 | |
cachio | ijohnson, updated the PR following the zyga's recomendation | 16:55 |
ijohnson | cachio: ok, which pr ? | 16:55 |
cachio | ijohnson, #9315 | 16:56 |
mup | PR #9315: tests: fix snap-routime-portal-info test <Simple π> <Created by sergiocazzolato> <https://github.com/snapcore/snapd/pull/9315> | 16:56 |
cachio | ijohnson, I think it is still open the fact that the env is not correct and needs to be fixed | 16:57 |
cachio | ijohnson, there is another one opened with that discussion #9316 | 16:57 |
mup | PR #9316: tests: use full path to test-snapd-refresh.version binary <Simple π> <Created by sergiocazzolato> <https://github.com/snapcore/snapd/pull/9316> | 16:57 |
ijohnson | ok, as long as we know that's the issue and that should be fixed eventually I think it's fine to fix the way you did | 16:57 |
ijohnson | cachio: can you add a TODO in tests.session somewhere to debug why that doesn't work? | 16:58 |
ijohnson | doesn't have to be in these PR's, can be a different PR | 16:58 |
cachio | ijohnson, sure, thanks!! | 16:58 |
pedronis | ijohnson: nested tests failed here: https://github.com/snapcore/snapd/pull/9328 we need to understand why | 17:20 |
mup | PR #9328: boot: store boot chains during install, helper for checking whether reseal is needed <Run nested> <UC20> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/9328> | 17:20 |
ijohnson | pedronis: mmm looks like the generic problem we keep seeing where sometimes uc20 users don't get created or get created too slowly | 17:21 |
pedronis | should I just try again? | 17:21 |
ijohnson | just a second let me finish perusing the logs | 17:22 |
ijohnson | I mean to be clear, yes there is a real problem with the nested uc20 tests somewhere and I'm doing my best to track it down | 17:22 |
ijohnson | but just because they failed on this pr doesn't mean that this pr caused that | 17:23 |
ijohnson | pedronis: yeah go ahead and restart that pr, there's nothing indicative in the logs | 17:25 |
ijohnson | pedronis: note that the minimal-smoke test just timed out there, the other one we just never got a user login | 17:26 |
* ijohnson lunches | 17:26 | |
pedronis | ijohnson: let's see how it goes, the PR adds writing one more file during install fwiw | 17:26 |
pedronis | so it's not completely neutral | 17:26 |
cachio | pedronis, hey, I am trying to fix some tests which require a model signed by canonical | 17:34 |
cachio | pedronis, is it ok if I add a env var to set when the model is not signed by canonical so then we can skip some parts of the tests | 17:34 |
cachio | because surrently the smapd-model test fails on beta validation because I am signing the models used for those images | 17:35 |
pedronis | cachio: it depends, we have other option nowadays, you can also put serial-authority: generic in your model | 17:35 |
cachio | pedronis, ahh, right | 17:36 |
pedronis | the test needs changes but not skipping full bits then | 17:36 |
cachio | My idea is just to skip small parts of the test | 17:36 |
cachio | I'll try adding serial-authority: generic first | 17:37 |
pedronis | I understand my point is that you could set a var that says if we expect serial signed by canonical or generic etc but depends on details | 17:37 |
pedronis | cachio: is it a lot of tests ? a few | 17:37 |
pedronis | ? | 17:37 |
cachio | pedronis, just a few | 17:37 |
cachio | refresh-* and snap-model | 17:38 |
pedronis | cachio: I don't have a lot of time today, if you can make a list I could look next week? | 17:38 |
cachio | pedronis, sure | 17:38 |
cachio | thanks | 17:38 |
mborzecki | re | 17:55 |
cachio | pedronis, I think the problem is solved now, I moved all the model to canonical, I used to use my models because I needed a user assertion but now I am using cloud init in all the cases | 17:59 |
cachio | so I'll just leave the model signed by me for nested tests where we test user assertions | 18:00 |
cachio | pedronis, does it make sense? | 18:00 |
pedronis | mborzecki: cmatsuoka: I just noticed, is not that we don't check if we have the right boot loader, we also don't check if we have a key or encrypted disk at all, in reseal? is that right? | 18:00 |
cmatsuoka | hmm, this check will be needed somewhere | 18:01 |
* cmatsuoka takes note | 18:01 | |
mborzecki | pedronis: yes, we don't | 18:01 |
pedronis | ok, just double checking | 18:02 |
mborzecki | heh, https://github.com/snapcore/snapd/pull/9330 panics (the unit tests are passing though) | 18:03 |
mup | PR #9330: boot: reseal when updating boot assets <UC20> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/9330> | 18:03 |
pedronis | yes, I expect one I said is part of the problem | 18:04 |
pedronis | *what I said | 18:04 |
mborzecki | not sure why modeenv would be nil though there | 18:04 |
pedronis | because nothing has change? | 18:05 |
pedronis | maybe we have nop | 18:05 |
pedronis | anyway I'm trying to look a bit around | 18:05 |
pedronis | in the code | 18:05 |
pedronis | to re-understand some things | 18:05 |
mup | PR snapd#9332 opened: spread.yaml, tests/nested: misc changes <Run nested> <Simple π> <Created by anonymouse64> <https://github.com/snapcore/snapd/pull/9332> | 18:10 |
mup | PR snapd#9333 opened: tests/nested, fakestore: changes necessary to run nested uc20 signed/secured tests <Run nested> <Test Robustness> <UC20> <Created by anonymouse64> <https://github.com/snapcore/snapd/pull/9333> | 18:15 |
mup | PR snapd#9334 opened: tests/nested/manual: add test for grades above signed booting with testkeys <Run nested> <Test Robustness> <UC20> <Created by anonymouse64> <https://github.com/snapcore/snapd/pull/9334> | 18:15 |
pedronis | mborzecki: we don't track assets at install if we are not encrpyting, but we try at update | 18:15 |
mborzecki | pedronis: yes, we create the observer, probably shouldn't be | 18:15 |
pedronis | yes, trying to find the cleanest way to achieve that | 18:16 |
mborzecki | pedronis: there's a checkEncryption helper in devicestate | 18:17 |
pedronis | I know | 18:18 |
pedronis | we don't want to use that | 18:18 |
pedronis | it's more whether we should encrypt first time | 18:18 |
mup | PR snapd#9065 closed: debug: forward systemd journald output to serial console when booting for uc20 <Precious Logs> <Run nested> <Created by anonymouse64> <Closed by anonymouse64> <https://github.com/snapcore/snapd/pull/9065> | 18:20 |
pedronis | mborzecki: we can call BeforeWrite and then Cancel together right? | 18:28 |
* ijohnson soft-eows | 18:29 | |
mborzecki | pedronis: cancel is called after before write, but it may also be called without before write (if we never got past the backup pass) | 18:31 |
mborzecki | pedronis: added TODO that it makes no sense to reseal in canceled if we never resealed in before write | 18:32 |
pedronis | mborzecki: this is not the end of the story, but does this change in itself make sense: https://paste.ubuntu.com/p/XrgxJSyrM9/ | 18:40 |
mborzecki | pedronis: got a bit more changes, i'll push them to 9330 in a bit | 18:41 |
pedronis | mborzecki: changes about what? | 18:42 |
mborzecki | pedronis: tests mostly | 18:42 |
mborzecki | pedronis: but the change in BeforeWrite is almost the same | 18:42 |
pedronis | mborzecki: sorry, I thought you were done coding | 18:42 |
pedronis | for the day | 18:42 |
mborzecki | pedronis: came back for a bit, high priority thing after all | 18:43 |
pedronis | mborzecki: yes, but maybe we need to sync, I don't think we want to do the same things twice :) | 18:44 |
cmatsuoka | I'll merge #9328 | 18:44 |
mup | PR #9328: boot: store boot chains during install, helper for checking whether reseal is needed <Run nested> <UC20> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/9328> | 18:44 |
zyga | re | 18:45 |
mup | PR snapd#9328 closed: boot: store boot chains during install, helper for checking whether reseal is needed <Run nested> <UC20> <Created by bboozzoo> <Merged by cmatsuoka> <https://github.com/snapcore/snapd/pull/9328> | 18:45 |
mborzecki | pedronis: pushed a patch to this branch: https://github.com/snapcore/snapd/compare/master...bboozzoo:bboozzoo/uc20-reseal-with-boot-assets-wip (the last one) | 18:46 |
mborzecki | pedronis: this one exactly: https://github.com/snapcore/snapd/commit/ed30e18ed284ce77893ea5031e3d871cbfca836e | 18:46 |
pedronis | mborzecki: ok, better than my quick thing | 18:48 |
mborzecki | pedronis: shall i push it? | 18:48 |
pedronis | yes | 18:49 |
mborzecki | ok | 18:49 |
pedronis | code wise, that diff is all I did | 18:49 |
pedronis | I'm thinking about something but haven't coded it yet | 18:49 |
mborzecki | k, pushed now | 18:50 |
mup | PR snapd#9316 closed: tests: use full path to test-snapd-refresh.version binary <Simple π> <Created by sergiocazzolato> <Merged by zyga> <https://github.com/snapcore/snapd/pull/9316> | 18:50 |
mborzecki | ah, and 9328 landed, i can merge master too now | 18:50 |
pedronis | yes | 18:51 |
mborzecki | pushed, added 'run nested' label and closed/reopened so that we get a full run | 18:52 |
mborzecki | eod for real this time, time to tuck the kids to bed | 18:52 |
mup | PR snapd#9335 opened: boot: verify boot chain file in seal and reseal tests <UC20> <Created by cmatsuoka> <https://github.com/snapcore/snapd/pull/9335> | 18:55 |
pedronis | ijohnson: could you review https://github.com/snapcore/snapd/pull/9335 ? | 19:02 |
mup | PR #9335: boot: verify boot chain file in seal and reseal tests <Skip spread> <UC20> <Created by cmatsuoka> <https://github.com/snapcore/snapd/pull/9335> | 19:02 |
* cmatsuoka afk for 30min, virtual school meeting for parents | 19:13 | |
ijohnson | pedronis sure in a little bit | 19:18 |
pedronis | thx | 19:19 |
mvo | anything i can help withΓ | 19:22 |
mvo | ? | 19:22 |
ijohnson | +1d | 19:26 |
pedronis | mvo: I think our reseal code has all the wrong dirs | 19:37 |
mvo | pedronis: oh no! | 19:37 |
mvo | ijohnson: did you see that the nested tests failed in 9334 = | 19:37 |
mvo | ? | 19:37 |
mvo | (sorry if I'm stating something that was already discussed) | 19:38 |
mvo | pedronis: do you have more details somewhere? | 19:38 |
pedronis | mvo: no, just staring at code, there's too much Install * in there | 19:38 |
* mvo nods | 19:39 | |
mup | PR snapcraft#3283 opened: specifications: unified provider <Created by cjp256> <https://github.com/snapcore/snapcraft/pull/3283> | 19:47 |
pedronis | mvo: maybe they work anyway, not sure | 19:49 |
mvo | pedronis: I suspect we have the same /run/mnt mounts in run mode | 19:49 |
mvo | pedronis: but I need to double check | 19:49 |
* mvo checks | 19:49 | |
mvo | pedronis: I guess you mean InstallHostFDEDataDir = dirs.SnapFDEDirUnder(InstallHostWritableDir) which is InstallHostWritableDir = filepath.Join(InitramfsRunMntDir, "ubuntu-data", "system-data") ? we have /run/mnt/ubuntu-data also in run mode | 19:56 |
mvo | (or am I misunderstanding?) | 19:56 |
pedronis | yes, I mean those | 19:56 |
pedronis | mvo: anyway #9330 can be reviewed (though I'm not sure is not missing some code to really work when we haven't encrypted) | 19:59 |
mup | PR #9330: boot: reseal when updating boot assets <Run nested> <UC20> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/9330> | 19:59 |
ijohnson | mvo mmm no I did not I'll have a look | 20:04 |
cmatsuoka | pedronis: it seems to be the case, I think it will fail if the system is not encrypted | 20:04 |
mvo | pedronis, cmatsuoka should we makr 9330 as "ready" (i.e. move it out of draft?) | 20:12 |
mvo | it looks reasonable to me | 20:12 |
pedronis | mvo: yes | 20:12 |
cmatsuoka | mvo: yes, I think so | 20:15 |
mvo | ta | 20:16 |
* cmatsuoka is getting confused with his local branches, time to remove a few of them | 20:24 | |
mvo | I merged master into 9331, it's a bit smaller now | 20:24 |
pedronis | mvo: anyway I'm working on resealing only if we had sealed keys and if the boot chains are different | 20:25 |
pedronis | that's a piece that no PR has atm | 20:25 |
mvo | ok | 20:25 |
pedronis | maybe we need to land 9330, maybe not | 20:25 |
mup | PR snapd#9335 closed: boot: verify boot chain file in seal and reseal tests <Skip spread> <UC20> <Created by cmatsuoka> <Merged by cmatsuoka> <https://github.com/snapcore/snapd/pull/9335> | 20:25 |
pedronis | sorry, I meant, maybe we need that logic already to land 9330 maybe not | 20:26 |
mvo | pedronis: aha, right | 20:26 |
pedronis | mvo: I looked at 9331 a bit, I think it will need a bit more work | 20:26 |
pedronis | but haven't done a proper review | 20:26 |
mvo | pedronis: ok, what's your hunch on what is missing? | 20:27 |
pedronis | tests I think and the changes in bootstate20.go seems a bit too invasive (maybe they are really needd like that, not sure) | 20:28 |
* mvo nods | 20:28 | |
mvo | thanks | 20:28 |
ijohnson | pedronis anything for me to review before EOW ? | 21:20 |
pedronis | ijohnson: I'm trying to finish something but is not quite ready yet | 21:21 |
pedronis | defeated by SnapFDEDir = SnapDeviceDirUnder(rootdir) | 21:22 |
pedronis | spot the error | 21:22 |
ijohnson | should it have a filepath.Join somewhere? | 21:22 |
pedronis | no s/Device/FDE/ | 21:23 |
pedronis | anyway apparently nothing is using it yet, except the test code I was writing | 21:23 |
cmatsuoka | ouch | 21:23 |
ijohnson | Ah | 21:24 |
pedronis | now unit tests are passing, maybe I can propose this but is on top of #9330 | 21:27 |
mup | PR #9330: boot: reseal when updating boot assets <Run nested> <UC20> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/9330> | 21:27 |
* cmatsuoka needs to eod, but I'll check the PR at some point during the weekend | 21:36 | |
cmatsuoka | or he will, to be consistent | 21:36 |
pedronis | ok, I proposed #9336 on top of #9330 | 21:39 |
mup | PR #9336: boot,many: do not reseal unless is meaningful and necessary <UC20> <Created by pedronis> <https://github.com/snapcore/snapd/pull/9336> | 21:39 |
mup | PR #9330: boot: reseal when updating boot assets <Run nested> <UC20> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/9330> | 21:39 |
ijohnson | I'll try to take a look later tonight | 21:39 |
ijohnson | Have a good weekend pedronis and cmatsuoka | 21:39 |
cmatsuoka | thanks! you too | 21:39 |
mup | PR snapd#9336 opened: boot,many: do not reseal unless is meaningful and necessary <UC20> <Created by pedronis> <https://github.com/snapcore/snapd/pull/9336> | 21:40 |
pedronis | seems I skipped one commit :/ | 21:42 |
pedronis | ijohnson: I'll have to close it and open it again, it's a bit confusing atm | 21:44 |
mup | PR snapd#9336 closed: boot,many: do not reseal unless is meaningful and necessary <UC20> <Created by pedronis> <Closed by pedronis> <https://github.com/snapcore/snapd/pull/9336> | 21:46 |
pedronis | reproposed as #9337 | 22:05 |
mup | PR #9337: boot,many: reseal only when meaningful and necessary <Run nested> <UC20> <Created by pedronis> <https://github.com/snapcore/snapd/pull/9337> | 22:05 |
mup | PR snapd#9337 opened: boot,many: reseal only when meaningful and necessary <Run nested> <UC20> <Created by pedronis> <https://github.com/snapcore/snapd/pull/9337> | 22:06 |
ijohnson | ack I'll take a look at that one then | 22:14 |
mup | PR snapd#9315 closed: tests: fix snap-routime-portal-info test <Simple π> <Created by sergiocazzolato> <Merged by sergiocazzolato> <https://github.com/snapcore/snapd/pull/9315> | 22:21 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!