/srv/irclogs.ubuntu.com/2020/09/16/#snappy.txt

mup	Bug #1887153 opened: Installing network-manager drops the network <Snappy:New> <https://launchpad.net/bugs/1887153>	00:53
mup	Bug #1887153 changed: Installing network-manager drops the network <Snappy:New> <https://launchpad.net/bugs/1887153>	00:59
mup	Bug #1887153 opened: Installing network-manager drops the network <Snappy:New> <https://launchpad.net/bugs/1887153>	01:05
mborzecki	morning	06:15
mborzecki	mvo: hey	06:17
mvo	hey mborzecki	06:19
mvo	mborzecki: do you think you could have a look at 9358? seems like we need it for 2.47 :)	06:19
mvo	mborzecki: what did I miss otherwise?	06:20
mborzecki	mvo: yes, i'll push a patch dropping that fmt.Println	06:20
mborzecki	otherwise it seems ok	06:20
mborzecki	mvo: so the gadget assets update seems to be a nogo now, maybe we should have a managers test instead?	06:21
mborzecki	i totally missed that we're only modifying the conf files	06:21
mvo	mborzecki: why a no-go? wouldn't changing/resigning work?	06:22
mvo	mborzecki: yeah, sorry for that, I messed up the test :(	06:22
mborzecki	mvo: i mean, in the current form it's a no go, needs more work	06:23
mvo	mborzecki: yes, sorry, then we are in agreement	06:23
mvo	mborzecki: I was wondering if maybe just changing the pe header timestamp would be enough	06:23
mvo	mborzecki: I'm looking how archivable this is right now	06:24
mborzecki	mvo: cool, that would modify the contnt so a differnt hash, thus triggering assets to be updated and a reseal after	06:24
mvo	mborzecki: yes, iirc secboot does understand pe binaries already to some extend so there are libs	06:25
mvo	mborzecki: and then the same problem applies to the kernel	06:25
mvo	mborzecki: I guess managers should not write code or tests anymore :(	06:25
mvo	mborzecki: anyway, looking at this now	06:26
mborzecki	mvo: why miss out on all the fun? :)	06:26
mvo	mborzecki: lol	06:26
mborzecki	mvo: fwiw, maybe we should emply reflection for modeenv at some point, when we add more fields	06:28
mborzecki	mvo: i mean field tags, and so on, then it'd be easier to not loose new fields by accident	06:29
mvo	good point	06:29
zyga	good morning	06:32
mvo	zyga: good morning	06:34
mborzecki	zyga: hey	06:35
zyga	hey guys	06:38
zyga	everyone had breakfast but Lucy decided to go back to bed for some reason	06:39
zyga	so here I am	06:39
zyga	let me see if I can connect to the office	06:39
zyga	I had some issues last night, I think the switch is faulty	06:39
zyga	it's got a flaky power cable and turns off easily when moved	06:39
mvo	mborzecki: testing proper gadget manip now locally before pushing to avoid congesting spread	06:43
zyga	I'll slowly start working while Lucy is not doing much	06:46
mvo	sounds good	06:48
mborzecki	mvo: tweaked #9358 a little, please take a look	06:58
mup	PR #9358: boot/modeenv: track unknown keys in Read and put back into modeenv during Write <UC20> <⚠ Critical> <Created by anonymouse64> <https://github.com/snapcore/snapd/pull/9358>	06:58
pstolowski	morning	07:00
zyga	adjusted ExportEntryt to be a struct now	07:03
mborzecki	pstolowski: hey	07:04
mborzecki	mvo: looked at gadget assets and 9348, both ran nested core20 tests which were successful (not counting gadget assets reseal test)	07:05
mvo	mborzecki: http://paste.ubuntu.com/p/6x7ZXFhccH/ is what I have for the gadget reseal test	07:10
mvo	mborzecki: it's running locally now	07:10
tobias_	good morning	07:10
mborzecki	mvo: haha, can you maye do sed -i 's/This program cannot be run in DOS mode/This program cannot be run in mode/' otherwise it's hard to spot the O/0 change	07:16
zyga	brb	07:18
zyga	re	07:20
mvo	mborzecki: sure thing	07:31
mvo	mborzecki: the test is funny right now, I ran it but now it resealed when I installed the same gadget again, I'm confused but maybe I need to merge master or something else if funky	07:31
mborzecki	mvo: ok, let me try to run it	07:34
mvo	mborzecki: I'm also running it now	07:36
mvo	mborzecki: I changed the XXX	07:36
mborzecki	mvo: so you're saying it stopped after the install of unchanged gadget?	07:40
mvo	mborzecki: http://paste.ubuntu.com/p/mCVhCYSv5t/	07:41
mvo	mborzecki: that's the full log	07:41
mvo	mborzecki: eh, sorry, that does not look full, one sec	07:41
mvo	mborzecki: so SEALED_KEY_MTIME_1 and _2 are different, the original error scrolled past my logbuffer .(	07:43
mvo	mborzecki: which is strange because the "snap change" output of the gadget install tells me that there is gadget update needed	07:43
mvo	mborzecki: which also reminds me that I should add code that checks if a gadget update was triggered to this test	07:44
mborzecki	mvo: added some extra logs and running again	07:58
mborzecki	pedronis: Model/Brand was a problem when i tried adding tags, looked like there'd be a separate structure needed for read/write with just the eported fields (and tags)	08:02
pedronis	mborzecki: no, we can do something simple, I will try. but in a meeting now	08:03
mborzecki	pedronis: ok	08:03
mborzecki	mvo: after reinstalling the gadget snap, the reseal count is unchaged	08:29
mborzecki	(at least that's what I see here)	08:29
mvo	mborzecki: oh, so the test should work? that's great actually	08:34
mborzecki	mvo: not quite, https://github.com/snapcore/snapd/pull/9341/files#r489259093	08:35
mup	PR #9341: tests: add nested core20 gadget reseal test <Run nested> <UC20> <⛔ Blocked> <Created by mvo5> <https://github.com/snapcore/snapd/pull/9341>	08:35
mborzecki	mvo: and i'm executing it manually, one by line, there's something wrong with the gadget.yaml i think	08:35
mborzecki	mvo: 2020-09-16T08:34:04Z ERROR bootloader not declared in any volume, need to find out why	08:36
mborzecki	mvo: fwiw, i can work on the test and push fixes there :)	08:37
mvo	mborzecki: pleae, in a meeting now	08:37
mvo	mborzecki: and then another one	08:37
mvo	mborzecki: and then another one	08:37
mborzecki	haha	08:38
mvo	mborzecki: fwiw, this is my updated kernel reseal draft https://github.com/snapcore/snapd/compare/master...mvo5:kernel-reseal-better-test but I think this misses kernel re-signing	08:41
mvo	mborzecki: most FYI but if the gadget stuff goes quickly it might be a good one to check out too :)	08:41
mvo	mborzecki: and THANK YOU for this :)	08:41
zyga	afk	08:50
=== doko_ is now known as doko
mborzecki	mvo: so, i got a reboot, but then this appeared: https://paste.ubuntu.com/p/jRJhY4yp7W/	09:04
mborzecki	hmm	09:10
mborzecki	i'm looking at boot chains, grubx64.efi for the recovery chain was changed (by the test), but also bootx64.efi was changed during the update	09:11
mvo	mborzecki: oh, interessting, aha, I think it's because we resign both	09:25
mvo	mborzecki: just resign both	09:25
mvo	mborzecki: I will explain more, in a meeting still	09:25
ijohnson	morning folks	09:52
pstolowski	morning ijohnson !	09:55
tobias_	morning ijohnson	09:55
ijohnson	hey pstolowski tobias_ o/	09:56
pstolowski	pedronis: hey, i think i'm confused by one thing we discussed about snapshots - why would we keep external .hash file (apart from .idx), seems it would duplicate meta.sha3_384 or i misunderstood that?	09:57
pedronis	pstolowski: sorry, what external hash file?	09:58
pstolowski	pedronis: afair we would have the .zip file, but then we would introduce .idx and .hash file (for hash of the metadata), but maybe i made a mistake in my notes	09:59
pedronis	pstolowski: no, idx would have both the set id and the new hash	09:59
pedronis	not two files	09:59
pedronis	does that make more sense?	09:59
mup	PR snapd#9357 closed: interfaces/process-control: add sched_setattr to seccomp <Created by anonymouse64> <Merged by anonymouse64> <https://github.com/snapcore/snapd/pull/9357>	10:00
pstolowski	pedronis: not really, i'm not clear why would we need to store the hash again if we have it in meta.sha3_384 (which would be caclulcated with id:0 in new code)	10:02
pedronis	pstolowski: maybe, we need to sync again	10:03
ijohnson	huh can anyone else actually access the log for this spread run ? https://github.com/snapcore/snapd/pull/9333/checks?check_run_id=1119044782	10:03
mup	PR #9333: tests/nested, fakestore: changes necessary to run nested uc20 signed/secured tests <Run nested> <Test Robustness> <UC20> <Created by anonymouse64> <https://github.com/snapcore/snapd/pull/9333>	10:03
ijohnson	when I cleck on "view raw logs" it just gives me like 4 lines of trying to allocate a self hosted worker, but the time it took to run is 1hr 39m, so spread must have run	10:03
pstolowski	pedronis: also, maybe i'm confused, but it seems we store timestamp inside meta, and it will affect checksum as well, we may want to do move it out as well	10:05
pedronis	pstolowski: let's chat when we both have a moment	10:10
* pedronis lunch		10:10
pstolowski	ok	10:10
xnox	ijohnson: so you are saying that beta-image recovery partition is now broken?	10:18
ijohnson	xnox: sorry do you mean about last night's discovery about the regression after resealing ?	10:18
xnox	ijohnson: meaning, it's no longer forward compatible with current snapd/sealing any more?	10:18
xnox	ijohnson: yes.	10:18
xnox	seed partition will always have older kernel/snapd/snap-bootstrap than what is in the ubuntu-data partition. and it currently must remain forever forward compatible with how ubuntu-data is sealed.	10:19
xnox	until we can update seed partition with a new recovery system.	10:19
ijohnson	xnox: well I don't think the recovery partition is broken because while the snap-bootstrap there will always drop new keys that it didn't know about in May from the modeenv which breaks fresh install, an old boot to recover will always work because that recovery system must have been generated with a snapd that didn't have resealing logic in it	10:20
xnox	sure	10:20
xnox	but doesn't resealing logic, reseals things upon upgrading snapd in the ubuntu-data partition?	10:20
ijohnson	xnox: hmm although I wonder if an old system refreshed to a new snapd with modeenv on the encrypted data gets the new resealing keys in the modeenv, if during recover mode we will ever modify the data modeenv	10:21
ijohnson	I don't think we will	10:21
ijohnson	but I can test that	10:21
ijohnson	give me a moment, I will try with a beta image refresh to edge snapd, then recover, then go back to normal run mode and see if things are broken	10:21
xnox	i guess it will reseal when you also trigger a reseal event? or do we now have two codepaths depending on how the system was installed?!	10:22
xnox	ack	10:22
xnox	that would help us understand the scope of brokeness =)	10:22
ijohnson	my hope/expectation is that recover mode won't mutate the run mode modeenv, because for example the initramfs of recover mode writes the modeenv for recover mode to the tpmfs data	10:22
xnox	maybe refresh snapd first, then refresh kernel or like gadget.	10:22
ijohnson	but maybe I'm wrong	10:22
xnox	it has access to both, so it could do either, or bugs	10:23
ijohnson	the number of possible bugs is only limited by our imagination	10:23
pedronis	mborzecki: this is what I'm doing: https://paste.ubuntu.com/p/PNXqQ5yWpw/ is it too naive? I'm not sure what you tried (I'm not happy with the model& syntax but I can change it)	10:32
mborzecki	pedronis: looks fine for the PR ijohnson has, i tried to do the serialization bits and ran into trouble with model being <brand>/<model>	10:36
pedronis	ah	10:36
ijohnson	mborzecki: is there a bug in my PR?	10:36
pedronis	no, but mborzecki suggested trying to avoid mantaining the list of fields separately from the struct	10:37
pedronis	by using tags	10:37
ijohnson	yeah that makes a lot of sense	10:37
mborzecki	ijohnson: no, we're trying to use tags to replace the hard coded list of keys	10:37
pedronis	but then I think he tried to do even more and then it gets complicated	10:37
mborzecki	yup	10:37
mborzecki	pedronis: anyways, the thing you have seems fine	10:38
jamesh	ijohnson: re. https://github.com/snapcore/core20/issues/72 -- my interest came from the "GDM on Ubuntu Core" experiments I've been doing. It's the sudo group I'm more interested in than docker.	10:38
ijohnson	jamesh: right understood	10:39
ijohnson	jamesh: I will keep you and the issue updated with the result of the discussion we have tomorrow about this issue	10:39
ijohnson	our more immediate concern is what to do for uc20 1.0 but that will involve some discussion of what to do in general for adding users to groups like that	10:39
ijohnson	pedronis: hmm so if I use cloud-init to create a user on uc20 and don't run console-conf, should console-conf run when I transition to recover mode? seems wrong to me to run console-conf in recover mode, but then again I suppose since it was never run in run mode, you could just reboot the device back to run mode and then run console-conf anyways	10:41
pedronis	are we even running console-conf in non run mode?	10:43
ijohnson	pedronis: well in this case it seems console-conf is being run in recover mode	10:43
ijohnson	pedronis: it's my feeling that that's a bug	10:43
ijohnson	uhh	10:45
ijohnson	I seem to have refreshed the kernel snap without getting a reboot scheduled	10:45
ijohnson	ah the same revision of the kernel snap is on edge as beta	10:45
pedronis	ijohnson: remember though that the service also trigger the recovery menu	10:45
pedronis	so i'ts a bit unclear exactly what we need there	10:46
ijohnson	pedronis: sure, shall I just file a bug about it and we sort out the right thing to do there later ?	10:46
pedronis	yes	10:46
ijohnson	k	10:46
pedronis	to be clear I'm not sure never running it is the general answer either	10:47
pedronis	the problem is more if its runs what should it do/not do	10:47
pedronis	and when should it run	10:47
ijohnson	yeah it's a bit confusing	10:48
ijohnson	pedronis: how does disabling console-conf work from the gadget defaults now?	10:49
pedronis	it creates a the complete file (that hasn't changed)	10:49
ijohnson	ok, I wonder if we copy the complete file over from the run system to the recover system, I think we do	10:50
ijohnson	hmm	10:50
ijohnson	I actually don't think we do :-(	10:50
pedronis	why would we	10:51
pedronis	anyway if it's disabled in the gadget we will disable it in recover	10:51
pedronis	mode	10:51
pedronis	mvo has a PR about that triggering a bug	10:51
ijohnson	pedronis: right that was my question was about whether we will disable it in recover when we seed	10:51
ijohnson	(when we seed the recovery system that is)	10:51
ijohnson	sorry this has probably already been discussed and I'm just now discovering the fixes that were merged for it	10:52
mborzecki	mvo: hm so, the gadget asset test manages to get the first mtime of sealed key before snapd reseals on mark boot successful (and the branch does not have fixes from pedronis about avoiding that)	10:54
mborzecki	mvo: also explains why i could run the test manuall line by line	10:55
pedronis	ijohnson: this is the PR https://github.com/snapcore/snapd/pull/9353 it actually but install, not recover	10:55
mup	PR #9353: configcore: do not error in console-conf.disable for install mode <Created by mvo5> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/9353>	10:55
pedronis	mborzecki: which fixes you mean? (I fixed lots of things)	10:56
ijohnson	pedronis: hmm so I wonder if we need to make that work for recover mode too	10:56
ijohnson	pedronis: do you want me to test that works as advertised ?	10:56
mborzecki	pedronis: not resealing with unasserted kernel when modeenv was not changed	10:56
ijohnson	(gadget default to disable console-conf in recover mode works)	10:56
pedronis	mborzecki: ah	10:56
pedronis	ijohnson: yes	10:57
ijohnson	ack will add it to my list of things to test this morning	10:57
ijohnson	still trying to see if beta image gets broken by installing edge snapd	10:57
pedronis	mborzecki: I think maybe it's not that hard to do marshal/unmarshal as well but probably not something to do now	11:06
pedronis	s/probably/very likely/	11:06
pedronis	mborzecki: ijohnson: pushed	11:08
ijohnson	pedronis: hmm so I have an image built with edge snapd and old pc-kernel, but upon refreshing the pc-kernel, it did not add the current_trusted_... keys to the modeenv ever	11:17
pedronis	ijohnson: that's expected we have no code to do that atm	11:17
pedronis	maybe that isn't clear	11:18
ijohnson	pedronis: hmm ok	11:18
ijohnson	pedronis: wait but I built the image with a new edge snapd, shouldn't it have added the current_trusted_... keys to the modeenv during install mode?	11:18
pedronis	yes	11:18
ijohnson	hmm	11:18
pedronis	but then you said old kernel, doesnt it lose stuff as we know?	11:19
ijohnson	yes I built the image with an old kernel but new snapd	11:19
ijohnson	ahhhh	11:19
pedronis	there are lots of moving parts, they behave kind of predictably at least	11:19
ijohnson	let me think about this, probably this is expected then I guess	11:19
pedronis	ijohnson: we really need to decide what to support or not in terms of backward compat	11:20
pedronis	mvo knows that is an open question	11:20
ijohnson	probably not an issue for 1.0	11:20
ijohnson	since new images for 1.0 should be fine	11:20
ijohnson	ah dammit I'm an idiot, too many different images I just ended up booting an old snapd with an old kernel so it worked and never tried to write the extra modeenv stuff	11:27
* ijohnson tries again to not be so foolish		11:27
ijohnson	ok so yes booting an image with new snapd and old kernel fails to seed in run mode as expected because the old kernel there is broken, however given the fact that we never will add the resealing keys to the modeenv, an old snapd refreshing to a new snapd will not add the keys, so thus will not trigger a resealing and thus will not be broken by transitioning back to an old recover mode snapd	11:32
ijohnson	xnox: so we don't have a regression where your old installed system refreshes to new snapd, then goes back into old recovery system	11:32
ijohnson	pedronis: since old beta systems will never be properly resealed since we don't add those keys to the modeenv, will old beta systems ever get broken by the new secboot version format for example?	11:34
pedronis	ijohnson: sorry, I was confused last night, the secboot version thing works differently, v0 keys system will keep v0 keys	11:34
ijohnson	ok, so beta systems will keep on working as always	11:35
ijohnson	they just will never reseal	11:35
pedronis	they can reseal, to v0 keys again	11:35
pedronis	so the problem is really more on our side about that	11:35
ijohnson	but does our code ever trigger resealing for those old systems though?	11:35
pedronis	it will, it just explode doing so	11:35
pedronis	because we don't have the required data	11:36
ijohnson	... so old systems will eventually get broken by resealing	11:36
ijohnson	?	11:36
pedronis	well, I would say more by trying to reseal	11:36
pedronis	unless we do something	11:36
ijohnson	so is that what you meant about backwards compatibility? maybe we don't care that beta systems will eventually explode themselves ?	11:37
* ijohnson thought we were not supposed to let beta systems explode themselves		11:37
pedronis	we said we would prefer not to, but we also didn't propose not to break them	11:38
pedronis	but as I said, it's really a decision to make with mvo	11:38
ijohnson	I see	11:38
pedronis	s/propose/promise/	11:38
pedronis	but we also said we would have tests but we don't	11:39
ijohnson	ok well I will leave testing that aside for the moment then, we know that beta systems are not yet exploded by refreshing to new snapd	11:39
ijohnson	pedronis: we do have tests tho	11:39
mborzecki	mvo: #9341 is green, but want to push one more commit addressing the race	11:39
mup	PR #9341: tests: add nested core20 gadget reseal test <Run nested> <UC20> <⛔ Blocked> <Created by mvo5> <https://github.com/snapcore/snapd/pull/9341>	11:39
ijohnson	we build an image from beta and then refresh to edge	11:39
ijohnson	err rather I think we download the beta image then refresh to edge	11:39
* zyga adjusts remaining manifest leftovers		11:39
ijohnson	and see if it explodes	11:39
pedronis	ijohnson: I see, it's probably not fully enough	11:39
pedronis	anyway it's a decision to make	11:39
ijohnson	pedronis: yes there's an additional test we should have I think which I mentioned last night which would have caught this issue with modeenv in pr's before things landed	11:40
ijohnson	I will try to propose it today	11:41
ijohnson	really this new test is about making sure old initramfs doesn't break new snapd	11:41
pedronis	what I mean, we need a test that upadtes snapd and then a kernel	11:41
pedronis	or simply updates snapd and then reboots (that probably would fail already)	11:42
ijohnson	mmm yes we could have a test that updates snapd first then kernel, it's a bit tricky because we need to disable refreshes from the gadget otherwise the old kernel will get refreshed first before new snapd	11:42
ijohnson	and as I said new snapd + old kernel right now is totally broken	11:42
xnox	pedronis: ijohnson: ignoring beta systems exploading is fine, but the problem repeats itself though cause v1 (GA) image should continue to reseal going forward, no?	11:55
ijohnson	xnox: yes new images built with 1.0 will properly reseal and not explode	11:55
xnox	as in new snapd snap, should be backwards compatible with older snapd that we ship on GA	11:55
xnox	when we make v2 resealing	11:55
ijohnson	xnox: yes it will be	11:55
xnox	or v3 resealing etc	11:55
xnox	and like still dont' have a way to update seed partition.	11:55
xnox	cool	11:55
ijohnson	xnox: did you get a chance to test my core-initrd pr yet?	11:56
ijohnson	xnox: last night's discoveries led to the realization that we really really need a new snap-bootstrap in the initramfs	11:56
ijohnson	pedronis: should` snap reboot --recover` without a label work? it doesn't but feels like it should :-/ it currently has an unhelpful error: `error: cannot request system reboot: method "POST" not allowed` because the client and cli doesn't validate whether systemLabel is empty	11:58
pedronis	ijohnson: that's a bug	11:58
ijohnson	pedronis: ack I can try to fix that, we could probably just do a GET to /v2/systems and then figure out the current one and then do a post to /v2/systems/<current>	11:59
pedronis	missing spread test	11:59
pedronis	ijohnson: maybe	11:59
ijohnson	fair	11:59
ijohnson	oh hey look at that I just defeated fde on uc20	11:59
pedronis	I mean not sure exactly what the solution is	12:00
ijohnson	pedronis: so gadget default for console-conf disable does not work at all for recover mode	12:00
ijohnson	because console-conf is disabled for run mode and doesn't run, or doesn't let you create a user properly, but then you go to recover mode and it lets you create a user and login	12:00
pedronis	ijohnson: we need to fix that	12:01
pedronis	I'm going to be in a meeting now	12:01
ijohnson	yes, I think mvo's patch can just be expanded to recover mode too	12:01
ijohnson	I will test this out	12:01
mborzecki	mvo: i think that #9341 is good to go	12:01
mup	PR #9341: tests: add nested core20 gadget reseal test <Run nested> <UC20> <Created by mvo5> <https://github.com/snapcore/snapd/pull/9341>	12:01
mborzecki	dropped the blocked label	12:02
ijohnson	oh actually maybe that won't work	12:03
mvo	mborzecki: \o/	12:05
ijohnson	mvo: we have a blocker for 2.47, console-conf doesn't get properly disabled in recover mode	12:06
ijohnson	I'm looking at a fix now	12:06
mvo	ijohnson: ta	12:06
cachio	xnox, hi, I see there are OVMF_CODE_4M and OVMF_VARS_4M in ovmf	12:16
cachio	xnox, I tried those with uc20 yesterday but image didn't boot	12:16
cachio	xnox, any idea if we need any change to qemu command line? or any other configuration to support that?	12:17
xnox	cachio: those ones are without keys, you want the ones with MS keys and 4k, no?	12:18
xnox	cachio: which filenames did you use?	12:18
cachio	xnox, I tried OVMF_CODE_4M.secboot.fd and OVMF_VARS_4M.snakeoil.fd	12:26
mup	PR snapd#9358 closed: boot/modeenv: track unknown keys in Read and put back into modeenv during Write <UC20> <⚠ Critical> <Created by anonymouse64> <Merged by anonymouse64> <https://github.com/snapcore/snapd/pull/9358>	12:26
cachio	xnox, and the ms as well	12:27
ijohnson	mborzecki: haha so your branch bboozzoo/uc20-tweak-sid-packaging-params.go exists in the my local git tree and breaks building the snap locally because go interprets that file in the .git dir as a go file	12:28
ijohnson	face palm	12:29
ijohnson	2020/09/16 12:27:18 processFiles failed with: /root/parts/snapd-deb/build/.git/refs/remotes/bboozzoo/bboozzoo/uc20-tweak-sid-packaging-params.go:1:1: expected 'package', found 'IDENT' c0de648a090a1690ce9d3f6b350d5e3dc92d6bd7	12:29
mborzecki	hahah	12:29
ijohnson	feels pretty clear to me the debian packaging should ignore everything in .git as possible go source files	12:29
zyga	ok, running spread now	12:30
zyga	need to adjust two variable names	12:30
zyga	and lots of related function names	12:30
zyga	but that's just small thing	12:30
zyga	first need to check if nothing is broken	12:30
* ijohnson afk for coffee		12:33
cachio	xnox, do we need to you diferent ones for uc20?	12:46
zyga	brb, see you at the standupo	12:49
ijohnson	mmm I kinda just wanna copy the complete file for console-conf from the initramfs from run mode to recover mode if it exists	12:52
ijohnson	maybe that's too naive	12:52
mborzecki	hm that mbr thing on encrypted device shouldn't be a big problem, i think we can make sure that we readlink of the mount source and then walk the /sys/block/<dev>/slaves up to a point where there's no more slaves	13:51
mborzecki	the upside is taht it will work even if there's multiple dm devices invovled, lvm, luks and others	13:51
ijohnson	cachio: could you look at #9333 again?	14:03
mup	PR #9333: tests/nested, fakestore: changes necessary to run nested uc20 signed/secured tests <Run nested> <Test Robustness> <UC20> <Created by anonymouse64> <https://github.com/snapcore/snapd/pull/9333>	14:03
cachio	ijohnson, on that	14:18
ijohnson	thanks	14:19
mvo	hey, I saw in 9359 a bunch of lines like: [ 124.065523] snapd[670]: 2020/09/16 13:52:57.974158 stateengine.go:150: state ensure error: devicemgr: cannot mark boot successful: cannot compose run mode boot chains: cannot find expected boot asset bootx64.efi in modeenv - does that ring any bells?	14:20
ijohnson	mvo: yes that was the regression I was talking about	14:20
ijohnson	mvo: that is what happens when you boot a uc20 image with old kernel and new snapd with resealing, it is broken right now	14:21
ijohnson	mvo: to fix it we need new snap-bootstrap in the kernel initramfs	14:21
ijohnson	sorry if I was unclear about that in SU	14:21
mup	PR snapd#9359 opened: tests: improve kernel reseal test <Created by mvo5> <https://github.com/snapcore/snapd/pull/9359>	14:21
mvo	ijohnson: oh, right	14:30
ijohnson	yeah this is why even without my core-initrd pr merged it would be really good to have a new ubuntu-core-initramfs built	14:30
cachio	ijohnson, done	14:30
ijohnson	cachio: what do you mean about setting the env vars in spread.yaml? the vars are set from a specific tests's environment keyword which will be set before anything in spread's prepare, etc. is executed no?	14:31
ijohnson	at least that's what I see	14:32
cachio	ijohnson, you need to add them in environment:	14:32
cachio	GOHOME: /home/gopath	14:32
cachio	GOPATH: $GOHOM	14:32
cachio	in this part	14:33
ijohnson	cachio: but why	14:33
cachio	or in the suite specific env dict	14:33
cachio	spread will set just those vars in the environment for the test	14:33
cachio	otherwise the var will not be available for the script	14:35
ijohnson	cachio: hmm but I just use those variables for a specific nested/manual test where	14:35
ijohnson	I set the env vars and use them from prepare and it works	14:35
cachio	ijohnson, which ones?	14:36
ijohnson	cachio: see my other pr, https://github.com/snapcore/snapd/pull/9334	14:36
mup	PR #9334: tests/nested/manual: add test for grades above signed booting with testkeys <Run nested> <Test Robustness> <UC20> <Created by anonymouse64> <https://github.com/snapcore/snapd/pull/9334>	14:36
cachio	ijohnson, that works	14:37
cachio	what doesn't work is to set the model from cli	14:38
ijohnson	cachio: right but why would we need to set the model from the cli	14:38
ijohnson	is that a thing you do ?	14:38
cachio	ijohnson, I do that for spread cron	14:38
cachio	but	14:38
cachio	I think those vars are not going to be chagned	14:39
ijohnson	cachio: so do you still want me to define those things in the spread.yaml environment?	14:39
cachio	I used to update kvm, secboot, tpm, etc	14:39
cachio	ijohnson, no	14:39
ijohnson	ok	14:39
ijohnson	I can address your other feedback now though	14:39
cachio	thanks	14:40
cachio	ijohnson, for installing jq	14:42
cachio	we already have a function called get_test_snap_suffix	14:42
cachio	it is in core-config.hs	14:42
cachio	.sh	14:42
cachio	in the lib	14:42
cachio	that could be usedfull	14:42
ijohnson	ah ok, interesting, I can take a look at that	14:43
=== pedronis_ is now known as pedronis
cachio	cmatsuoka, I reviewed hte msr doc and the case we have is the following https://paste.ubuntu.com/p/wNVYrWxxxj/	14:50
cachio	cmatsuoka, because the msr code starts with 0xffffffff	14:50
mup	PR snapcraft#3288 closed: cmake v2 plugin: add help for cmake generators <Created by sergiusens> <Merged by sergiusens> <https://github.com/snapcore/snapcraft/pull/3288>	14:50
mborzecki	got to run to a school meeting	14:55
cmatsuoka	cachio: I think the document I mentioned earlier is this one: https://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-vol-3c-part-3-manual.pdf	15:04
cachio	cmatsuoka, nice, thanks	15:06
ijohnson	cachio: pr updated	15:06
cachio	ijohnson, +1	15:08
ijohnson	thanks	15:08
pedronis	pstolowski: I commented on #9350	15:19
mup	PR #9350: [RFC] store: handle v2 error when fetching assertions <Created by stolowski> <https://github.com/snapcore/snapd/pull/9350>	15:19
pstolowski	ty	15:20
* cachio lunch		15:23
mup	PR snapd#9341 closed: tests: add nested core20 gadget reseal test <Run nested> <UC20> <Created by mvo5> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/9341>	16:06
mvo	pedronis: do you think you have capacity to look at 9293 ?	16:08
mvo	pedronis: and maybe 9277 (which is actually more important)?	16:09
pedronis	mvo: do we need to merge the improved reseal tests into 9277 before merging it?	16:13
pedronis	mvo: https://github.com/snapcore/snapd/pull/9277#pullrequestreview-489786595	16:14
mup	PR #9277: secboot: add boot manager profile to pcr protection profile <Run nested> <UC20> <⛔ Blocked> <Created by cmatsuoka> <https://github.com/snapcore/snapd/pull/9277>	16:14
mvo	pedronis: yeah, I think it makes sense to merge master once more, maybe cmatsuoka can do it? I will then branch 2.47 in the morning most likely	16:16
mvo	this should give it ample time to finish :)	16:16
mup	PR snapd#9360 opened: tests: make gadget-reseal more robust <Run nested> <Simple 😃> <UC20> <Created by mvo5> <https://github.com/snapcore/snapd/pull/9360>	16:16
mvo	cachio: I noticed we get some nested uc18 failures now sometimes, do you think you could have a look if you spot something (a pattern or so?)	16:17
* mvo dinners		16:17
pedronis	mvo: so we need to land #9359 and #9360 first ?	16:17
mup	PR #9359: tests: improve kernel reseal test <Run nested> <UC20> <Created by mvo5> <https://github.com/snapcore/snapd/pull/9359>	16:17
mup	PR #9360: tests: make gadget-reseal more robust <Run nested> <Simple 😃> <UC20> <Created by mvo5> <https://github.com/snapcore/snapd/pull/9360>	16:17
pedronis	only #9359	16:21
mup	PR #9359: tests: improve kernel reseal test <Run nested> <UC20> <Created by mvo5> <https://github.com/snapcore/snapd/pull/9359>	16:21
cachio	mvo, checking	16:29
cachio	mvo, do you have any log?	16:30
xnox	cachio: we have stopped using snakeoil keys months ago, so snakeoil.fd has not been working for months now.	16:30
pedronis	ijohnson: if we had strange cla check failure on mvo PR: https://github.com/snapcore/snapd/pull/9359/checks?check_run_id=1124165015, maybe you can look when you have a moment. I reviewed your cloud-init PR	16:31
mup	PR #9359: tests: improve kernel reseal test <Run nested> <UC20> <Created by mvo5> <https://github.com/snapcore/snapd/pull/9359>	16:31
cachio	xnox, I also tried ms keys	16:33
ijohnson	Thanks pedronis	16:33
cachio	xnox, should that work?	16:33
ijohnson	The cla-check issue seems to be a problem with cmatsuoka spread machine	16:33
xnox	cachio: it would be helpful if you could paste the full thing you are trying	16:33
xnox	cachio: qemu / libvirt, and which things were initialized with which and on what series.	16:34
xnox	cachio: i'll doublecheck what i do locally, and can compare.	16:34
ijohnson	cmatsuoka: perhaps you updated your spread worker python?	16:34
cachio	xnox, ok	16:36
cachio	let me prepare the environmnent	16:36
cachio	I'll leave you a note with that	16:36
cmatsuoka	ijohnson: uhm? cla-checker?	16:46
ijohnson	cmatsuoka: see pedronis' link above, the log has `claudio-spread-1` in it and has a python backtrace when it tries to run cla-checker	16:46
cmatsuoka	ugh, let's see what's happening here	16:47
mup	PR snapd#9333 closed: tests/nested, fakestore: changes necessary to run nested uc20 signed/secured tests <Run nested> <Test Robustness> <UC20> <Created by anonymouse64> <Merged by sergiocazzolato> <https://github.com/snapcore/snapd/pull/9333>	16:52
cmatsuoka	mvo: should I merge #9359 into #9277?	16:53
mup	PR #9359: tests: improve kernel reseal test <Run nested> <UC20> <Created by mvo5> <https://github.com/snapcore/snapd/pull/9359>	16:53
mup	PR #9277: secboot: add boot manager profile to pcr protection profile <Run nested> <UC20> <⛔ Blocked> <Created by cmatsuoka> <https://github.com/snapcore/snapd/pull/9277>	16:53
* cmatsuoka just came back from lunch		16:53
cachio	mvo, I didn't find the errors on nested uc18, I'll try to reproduce it manually here	16:53
cmatsuoka	ijohnson: is the cla-check expecting to use python 2?	16:53
ijohnson	cachio: the issue I think he saw was the same problem with users disappearing when spread tries to login to the nested machine	16:54
ijohnson	cmatsuoka: hmm good question, let me take a look quickyl	16:54
cachio	ijohnson, ah, ok, I think we need to skip the configuration for the images	16:55
cmatsuoka	the runner only had python 3 installed, I installed a minimal python2 now	16:55
cachio	ijohnson, i'll create a pr for that	16:55
ijohnson	cachio: ah interesting maybe that's the issue indeed	16:55
cachio	ijohnson, yes	16:55
ijohnson	cmatsuoka: it is possible that it only supports python2, but that doesn't seem to be the case just looking at the code, it seems fine python3 code to me from my non-experienced python eyes	16:57
cmatsuoka	we'll soon find out when the next cla-check job arrives	16:58
ijohnson	cmatsuoka: yes after some work, checking things the cla script does not support python3	17:07
ijohnson	err it needs to be ported slightly	17:07
cmatsuoka	ijohnson: ok, the runner now has python 2 too	17:07
ijohnson	cmatsuoka: ok well now I have a branch that works	17:12
ijohnson	with python3 that is	17:12
cmatsuoka	ah nice	17:12
mup	PR snapd#9361 opened: tests/lib/cl_check.py: use python3 compatible code <Simple 😃> <Skip spread> <Created by anonymouse64> <https://github.com/snapcore/snapd/pull/9361>	17:17
mup	PR snapd#9362 opened: tests: skip nested images pre-configuration by default <Run nested> <Simple 😃> <Created by sergiocazzolato> <https://github.com/snapcore/snapd/pull/9362>	17:22
cachio	ijohnson, I thhink with this #9362 that issue should be gone	17:22
mup	PR #9362: tests: skip nested images pre-configuration by default <Run nested> <Simple 😃> <Created by sergiocazzolato> <https://github.com/snapcore/snapd/pull/9362>	17:22
ijohnson	cachio: thanks I'll have a look in a bit	17:23
=== ijohnson is now known as ijohnson\|lunch
mvo	cmatsuoka: I think merging master is enough	17:37
cmatsuoka	mvo: ack	17:39
cachio	ijohnson\|lunch, I need to go to the kinesiologist now, please leave a note if you think the fix is not correct	17:45
cachio	I'll take a llok once I am back	17:45
* cachio -> kinesiologist		17:45
zyga	back	17:55
* zyga is physically tired but mentally ready for coding		17:56
=== ijohnson\|lunch is now known as ijohnson
zyga	brb	18:35
zyga	coffee	18:35
zyga	I may have fixed crashes	18:35
zyga	now let's run and see	18:35
ijohnson	cachio: 9362 lgtm, not clear that it will fix all of our problems, but I don't think it can hurt	18:35
pedronis	ijohnson: https://github.com/snapcore/snapd/pull/9359/checks?check_run_id=1124222729 failed on nested.sh shell stuff, could look into it?	19:11
mup	PR #9359: tests: improve kernel reseal test <Run nested> <UC20> <Created by mvo5> <https://github.com/snapcore/snapd/pull/9359>	19:11
ijohnson	pedronis: sure	19:11
pedronis	failed sadly tbh :/	19:11
pedronis	/home/gopath/src/github.com/snapcore/snapd/tests/lib/nested.sh: line 290: $4: unbound variable	19:11
ijohnson	hmm	19:12
zyga	:(	19:12
ijohnson	well I mean to be fair it was only provided 3 argument	19:12
pedronis	it's still sad	19:12
ijohnson	yes still sad	19:12
pedronis	given how long it took to get to that error	19:12
ijohnson	do you want me to push a fix to this branch ?	19:12
pedronis	yes	19:12
ijohnson	ack, one moment	19:12
pedronis	I don't see how to avoid another run	19:13
pedronis	unless somebody runs it locally	19:13
ijohnson	is the concern that we wanted to branch 2.47 tonight with this pr merged ?	19:13
ijohnson	I can tend to this pr if it needs some poking tonight	19:14
ijohnson	otherwise I could try running it locally to confirm my patch works	19:15
pedronis	it's a prereq to run cmatsuoka PR again	19:16
pedronis	I think the idea was to cut 2.47 in the morning	19:16
pedronis	but this shifts a bit everything	19:16
pedronis	anyway I don't have particular opionions on this anymore	19:17
ijohnson	ok, well I'm trying a spread run locally with qemu-nested on my desktop, perhaps that will be faster, if it passes I will pastebin the results into the PR	19:18
zyga	ijohnson: how long does it take on your desktop	19:20
zyga	ijohnson: and what are your cpu specs roughly?	19:20
ijohnson	zyga: I dunno I haven't run this particular test, but in general qemu-nested is a few minutes faster on my first gen 16 core threadripper	19:21
zyga	ok	19:21
ijohnson	faster than gce at least	19:21
zyga	faster than gce?	19:21
zyga	right	19:21
zyga	hey, main/snap-run passed	19:22
zyga	I'll run more tests and see what else needs changes, snap-confine profile is still complain mode	19:22
mup	PR snapd#9318 closed: .github/workflows/test.yaml: also run 20.04 nested tests with UC20 label <UC20> <Created by anonymouse64> <Closed by anonymouse64> <https://github.com/snapcore/snapd/pull/9318>	19:22
cachio	ijohnson, left you a comment in #9362	19:27
mup	PR #9362: tests: skip nested images pre-configuration by default <Run nested> <Simple 😃> <Created by sergiocazzolato> <https://github.com/snapcore/snapd/pull/9362>	19:27
ijohnson	cachio: ah right I didn't realize that all the other nested tests were using the generic images	19:28
ijohnson	cachio: did you ever measure for non-uc20 how much speedup you get from not rebuilding/reconfiguring the image fresh for each test ?	19:28
cachio	if you run 2 tests with the same image in the same machine you save time	19:29
cachio	ijohnson, thats the measurement I did for uc20	19:29
ijohnson	ah so you didn't measure for non-uc20 then?	19:29
cachio	not sure for uc16 and uc18	19:29
cachio	I just measured the slowest	19:30
ijohnson	I see	19:30
ijohnson	cachio: sure let's merge this if we keep seeing the issue with minimal-smoke on uc18, then let's revert this pr and try something else	19:31
cachio	ijohnson, sure	19:31
cachio	ijohnson, well	19:34
cachio	I thinks for uc16 and 18 the time is pretty the same	19:34
cachio	I just compared PRs	19:34
ijohnson	ah	19:35
cachio	and the times are pretty similar	19:35
cachio	allways between 34m and 40m	19:35
zyga	ok, snapctl adjusted	19:38
mup	PR snapd#9363 opened: boot: adjust comments, naming, log success around reseal <Simple 😃> <Skip spread> <UC20> <Created by pedronis> <https://github.com/snapcore/snapd/pull/9363>	19:47
pedronis	ijohnson: cmatsuoka: ^ simple PR addressing previous feedback	19:48
* cmatsuoka checks		19:49
ijohnson	approved	19:50
pedronis	ijohnson: I made a comment about your doubt around overlord and snap-bootstrap, we already import some bits of overlord, what we don't want to import are the managers	19:54
pedronis	that's why we build with nomanagers	19:54
ijohnson	ah	19:55
ijohnson	I didn't know about nomanagers	19:55
ijohnson	ok this is much easier now then	19:55
ijohnson	thanks for the hint	19:55
mup	PR snapd#9363 closed: boot: adjust comments, naming, log success around reseal <Simple 😃> <Skip spread> <UC20> <Created by pedronis> <Merged by anonymouse64> <https://github.com/snapcore/snapd/pull/9363>	20:07
pedronis	ijohnson: how it's going the local run of #9359 ?	20:55
mup	PR #9359: tests: improve kernel reseal test <Run nested> <UC20> <Created by mvo5> <https://github.com/snapcore/snapd/pull/9359>	20:55
ijohnson	Sorry got distracted but it passed	21:04
ijohnson	pedronis: ^	21:05
ijohnson	I just pasted in the results so you can force-merge if you like	21:05
ijohnson	the tests are not done running yet for nested uc20 yet	21:05
ijohnson	in the pr that is	21:06
cmatsuoka	I think we should chip in and buy google some faster machines	21:09
* zyga considers going to bed now		21:14
zyga	I'll finish the rest in the morning	21:14
zyga	good luck, see you tomorrow guys	21:14
pedronis	ijohnson: cmatsuoka: I force merged it	21:15
cmatsuoka	pedronis: thanks, I'll merge master into #9277	21:15
mup	PR #9277: secboot: add boot manager profile to pcr protection profile <Run nested> <UC20> <⛔ Blocked> <Created by cmatsuoka> <https://github.com/snapcore/snapd/pull/9277>	21:15
pedronis	cmatsuoka: thank you, was about to ask about that	21:15
* pedronis calls is a day		21:15
* cmatsuoka will patiently wait for the tests to complete		21:17
mup	PR snapd#9359 closed: tests: improve kernel reseal test <Run nested> <UC20> <Created by mvo5> <Merged by pedronis> <https://github.com/snapcore/snapd/pull/9359>	21:18
cmatsuoka	which will still be way better than the 8h layover in LHR last year	21:18
ijohnson	Yeah we would have been in Frankfurt again this week!	21:21

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!