mborzeckihome schooling day 2 :/07:02
zyga-mbpgood morning07:32
mvogood morning zyga-mbp !07:35
zyga-mbphey mvo07:35
zyga-mbphopefully today will be more productive, yesterday I was a bit sleepy after very busy weekend07:35
zyga-mbpI'm looking at the GPIO issue reported by cert07:35
mvozyga-mbp: thank you07:37
zyga-mbpreplied there07:40
mborzeckimvo: zyga-mbp: hey07:42
mvohey mborzecki07:42
zyga-mbphey mborzecki07:42
zyga-mbphey pedronis, good morning07:53
mvogood morning pedronis :)07:59
mvogood morning pstolowski08:02
zyga-mbpgood morning pawel08:04
zyga-mbpeither everything is loading very very slowly or eschooling is saturating my home uplink08:05
zygaokay, finally in the office08:14
zygashould be more manageable now08:14
mvozyga: a small update in the status of 7700 would be great, it lists next steps and step 2 (desktop notifications) is certainly done now :)08:17
mvozyga: but no rush, just noticed while going over open pts08:18
mvozyga: open prs08:18
zygamvo, yeah that's certainly something to pick up soon08:21
zygaI know time is short, I'll try to do a bit more today08:21
mvozyga: tiny comment is fine for now :)08:21
mvozyga: just curious where in the schema we stand08:21
zygamvo, let me look quickly08:22
mvopedronis: if my style comments in 9549 make sense I can push them myself but I think it does not make sense if I touch this before you did a review(?)08:41
pedronismvo: I have the PR checked out, I can apply the changes,  I think the new file name is right but indeed it will break old installs08:45
mvopedronis: thanks08:45
mborzeckipedronis: mvo: either of you working on tweaks to 9549?08:52
pedronismborzecki: I am08:52
mborzeckipedronis: ah, ok08:53
mupPR snapd#9551 opened: dirs, boot: add ubuntu-save directories and related locations <Simple 😃> <Skip spread> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/9551>09:04
mborzeckipedronis: mvo: ^^ extracted some trivial bits from #952809:05
mupPR #9528: cmd/snap-bootstrap: mount ubuntu-save during boot if present <Run nested> <UC20> <⛔ Blocked> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/9528>09:05
mvomborzecki: in a meeting, will get to it right after that :)09:33
mvomborzecki: and thank you!09:33
zyga-mbpwe need reviews for https://github.com/snapcore/snapd/pull/954209:42
mupPR #9542: interfaces: deny connected x11 plugs access to ICE <Bug> <Needs security review> <⚠ Critical> <Created by zyga> <https://github.com/snapcore/snapd/pull/9542>09:42
mupPR snapd#9552 opened: usersession: fix typo in test name <Simple 😃> <Skip spread> <Created by zyga> <https://github.com/snapcore/snapd/pull/9552>09:45
zyga-mbpmvo ^ plz merge typo fix09:45
mvozyga-mbp: sure09:47
zyga-mbpthank you09:47
pstolowskimhm nested stuff is fun...09:56
zyga-mbppstolowski are you using cachio's new nested tool?09:57
pstolowskizyga-mbp: actually not! but this is just syntactic sugar..09:58
pstolowskijust having an issue i don't understand yet09:59
zyga-mbpI see09:59
pedronismvo: mborzecki: I pushed to #9549, it needs 2nd reviews10:04
mupPR #9549: many: update to secboot v1 (part 1) <Run nested> <UC20> <Created by cmatsuoka> <https://github.com/snapcore/snapd/pull/9549>10:04
mborzeckipedronis: thanks, let me see10:04
mborzeckipedronis: #9551 is trivial and needs a pass from you or mvo10:05
mupPR #9551: dirs, boot: add ubuntu-save directories and related locations <Simple 😃> <Skip spread> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/9551>10:05
pedronismborzecki: sorry, I had a typo in my new code, repushed10:06
pedronis(well in a comment)10:06
mupPR snapd#9552 closed: usersession: fix typo in test name <Simple 😃> <Skip spread> <Created by zyga> <Merged by zyga> <https://github.com/snapcore/snapd/pull/9552>10:10
mupPR snapd#9551 closed: dirs, boot: add ubuntu-save directories and related locations <Simple 😃> <Skip spread> <Created by bboozzoo> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/9551>10:25
pedronismvo: mborzecki: could either of you look at my own last 3 commits here (they are small tweaks or error formatting changes):  https://github.com/snapcore/secboot/pull/1211:20
mupPR secboot#12: Make policyPCRData serializable <Created by chrisccoulson> <Closed by chrisccoulson> <https://github.com/snapcore/secboot/pull/12>11:20
pedronismvo: mborzecki: could either of you look at my own last 3 commits here (they are small tweaks or error formatting changes):  https://github.com/snapcore/secboot/pull/12511:20
mupPR secboot#125: Add ActivateVolumeWithMultipleTPMSealedKeys <Created by chrisccoulson> <https://github.com/snapcore/secboot/pull/125>11:20
mvopedronis: sure, once I'm done with 9418 I can look11:21
mborzeckipedronis: sure11:21
mupPR snapd#9553 opened: tests: add spread test for refreshing from an old snapd and core18 <Test Robustness> <Created by stolowski> <https://github.com/snapcore/snapd/pull/9553>11:40
mupPR snapd#9418 closed: many: implement snap routine console-conf-start for synchronizing auto-refreshes <Needs Samuele review> <UC20> <Created by anonymouse64> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/9418>12:00
pedronismvo: mborzecki: (nested) kernel reseal failed on #954912:02
mupPR #9549: many: update to secboot v1 (part 1) <Run nested> <UC20> <Created by cmatsuoka> <https://github.com/snapcore/snapd/pull/9549>12:02
mborzeckipedronis: hm, also have some trouble unsealing data (if logs are to be believed) in recover mode with 9549 merged to my branch, but that may well be my fault12:03
mborzeckihm false alarm, worked on the second run, a base update kicked in between12:13
mborzeckithat kernel-reseal log is a bit hard to follow12:19
mborzeckipedronis: hmm `2020-10-27T11:59:39.1587365Z [0;1;39mPlease enter the recovery key for disk /dev/disk/by-partuuid/2709461b-d8cd-2244-85cb-a924abd353a6:`12:20
zygapstolowski, interesting bug in the snapshot code https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/190157812:39
mupBug #1901578: Cannot remove snap package ubuntu 20.10 <package> <snap> <snapd> <snapd:Confirmed> <snapd (Ubuntu):Incomplete> <https://launchpad.net/bugs/1901578>12:39
zygapstolowski, we should probably skip users without a name12:39
zygaor warn, but not fail12:39
pstolowskizyga: indeed12:41
pedronismborzecki: are we using the wrong initramfs somehow? gadget-reseal worked unless for some reason is not testing what we think it tests12:41
pstolowskizyga: i'll assign to myself12:43
zygamborzecki, any advice on type=AVC msg=audit(10/27/20 12:31:35.999:23751) : avc:  denied  { rmdir } for  pid=12800 comm=snap-update-ns name=.X11-unix dev="sda2" ino=17778788 scontext=system_u:system_r:snappy_mount_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=113:03
* zyga will be back in a moment, going to fetch tea13:03
mborzeckipedronis: trying to make it work locally, so far no luck13:04
zygaError: 2020-10-27 10:04:21 Error executing google:debian-sid-64:tests/main/interfaces-timeserver-control (oct270953-348560) :13:05
zygaThis system cannot use NTP, test precondition failed13:05
zygacachio, ^ new image?  perhaps the test needs to be adjusted13:05
mborzeckipedronis: hm i can't reproduce this, i do the same modifications as the test does, resign the kernel.efi and it boots with the new kernel13:08
zyga-mbpbrb, main network link at home has failed13:31
zygamborzecki, ping13:33
zygamborzecki, we have fs_manage_tmpfs_dirs(snappy_mount_t)13:33
zygamborzecki, yet we deny rmdir on scontext=system_u:system_r:snappy_mount_t:s013:33
zygadoes this make any sense to you?13:34
mborzeckizyga: maybe something more is needed for tmp_t13:34
mborzeckizyga: try looking for something that allow managing tmp_t13:36
mborzeckizyga:  why are we even removing this directory?13:36
mupPR snapd#9554 opened: tests/nested/core20/gadget,kernel-reseal: add sanity checks to the reseal tests <Run nested> <Simple 😃> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/9554>13:51
mupPR snapcraft#3340 opened: include SNAPCRAFT_STAGE in XDG_DATA_DIRS, needed to find Gir files built by other parts <Created by kenvandine> <https://github.com/snapcore/snapcraft/pull/3340>14:26
mborzeckicmatsuoka: any ideas what i should look for?14:37
ijohnsonwell that was a first for me14:38
ijohnsonmaybe my headset is dying14:38
cmatsuokamborzecki: hmm, if the problem is not in the pcr profile I don't know what it could be14:40
cmatsuokamborzecki: and I don't think it's in the pcr profile, but I think we should check the measurements just in case14:40
cmatsuokamborzecki: I'm trying to retrieve the measurement data from the nested image14:42
mborzeckicmatsuoka: i got something from the vm i use locally, passed it through this parser: https://github.com/ValdikSS/binary_bios_measurements_parser14:48
cmatsuokamborzecki: that's the one I'm using too, is it booting correctly on that machine after a reseal?14:49
cmatsuokamborzecki: if yes the profiles must be correct14:49
mborzeckicmatsuoka: yes14:50
cmatsuokawe must get the measurements from the failing system which is the nested vm, perhaps we could try to reproduce the problem on a local nested vm?14:51
mborzeckicmatsuoka: got a diff between dumps of state before and after a kernel refresh https://paste.ubuntu.com/p/VjJKcYmrNk/ there are differences but not quite sure what i should be looking for there14:52
cmatsuokamborzecki: the PR logs show the PCR profile dump before and after the reseal in the gce nested vm, but we need the measurement data on that same machine to be able to compare14:53
mborzeckicmatsuoka: the differences show up after the following entry `chainloader (hd0,gpt3)/EFI/ubuntu/try-kernel.efi ...` and then different bytes appear, so i guess it's the old and new kernel measurement14:54
cmatsuokathe profile dump in the logs shows what the system is expecting and the measurements show the actual data14:55
cmatsuokaif they match the problem is elsewhere14:56
mborzeckicmatsuoka: ok, so the list of final PCRs is the same for both boots here14:56
cmatsuokamborzecki: I have an 1:1 now, quick chat after that?14:59
mborzeckicachio: zyga-mbp: so i have this project: https://github.com/bboozzoo/spread-mini i've pushed a test which clones snapd and then runs govendor sync, and it's not failing 100% of time on our tumbleweed images15:01
cachiomborzecki, I tested yesterday and the master fails 8/12 aprox doing govendor sync15:02
mborzeckicachio: and then if i keep on cloning and syncing in a loop it works too15:03
mborzecki(on a host)15:03
cachioyou are using gce image right?15:04
mborzeckicachio: yes, the one we have15:04
cachioyesterday I published a last image with all the latest updates15:04
cachioperhaps it works a bit better15:04
* cachio lunch15:12
* zyga-mbp lunch soon15:15
zyga-mbpnot a good weather for walk15:16
zyga-mbpjdstrand do you think you could review a +3 security change https://github.com/snapcore/snapd/pull/954215:16
mupPR #9542: interfaces: deny connected x11 plugs access to ICE <Bug> <Needs security review> <⚠ Critical> <Created by zyga> <https://github.com/snapcore/snapd/pull/9542>15:16
zyga-mbp+9 -015:16
zyga-mbptechnically three denials15:16
* zyga-mbp goes to plug the laptop15:17
mborzeckihttps://github.com/snapcore/snapd/pull/9554 <-- trivial sanity checks15:22
mupPR #9554: tests/nested/core20/gadget,kernel-reseal: add sanity checks to the reseal tests <Run nested> <Simple 😃> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/9554>15:22
pedronismborzecki: I'm looking at the test, afaik it can't pass for simple reasons15:25
pedronismborzecki: it's using the kernel from edge and just tweaking it15:26
pedronisis not repacking it with a recent initramfs15:26
pedronisunless I'm reading it wrong15:26
pedroniscmatsuoka: ^15:27
mborzeckipedronis: heh. yes it's not repacking the kernel with new s-b15:28
* cmatsuoka checks15:29
pedronisanother reason to add a prompter interface to secboot15:30
zygamborzecki, how did it pass for you earlier?15:30
pedronisit would allow us to maybe log things before asking for a recovery key15:30
pedroniszyga: it was landed later before the last beta, we haven't really changed relevant bits since15:31
pedronisso edge was good until the switch to v115:31
pedronisthat the PR does15:31
mborzeckizyga: and locally it works because i have a single repacked kernel tree which i reused15:31
mupPR snapd#9554 closed: tests/nested/core20/gadget,kernel-reseal: add sanity checks to the reseal tests <Run nested> <Simple 😃> <Created by bboozzoo> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/9554>15:31
cmatsuokawell that explains a lot15:31
pedronisif we could log the issue before getting stuck with the recovery key asking we would have seen an invalid key file error or something like that15:32
pedronisedge has v0-only code, so it can't use v1 keys15:34
pedronismborzecki: cmatsuoka: we need to add some real repacking I suppose15:35
pedronisor unpack and repack the installed kernel, not the one from edge15:36
cmatsuokayes, doing it with the installed kernel should be easy15:38
mborzeckicmatsuoka: i think it should be around somewhere in /tmp15:39
cmatsuokamborzecki: could you have a look at it? otherwise I'll check after lunch, I need to finish some cooking right now15:40
mborzeckicmatsuoka: yes, trying now15:44
mborzeckicmatsuoka: hopefully this is the whole diff ps://paste.ubuntu.com/p/SKvdFKKscj/15:46
mborzeckicmatsuoka: https://paste.ubuntu.com/p/SKvdFKKscj/15:46
mupPR snapd#9550 closed: osutil/disks/mockdisk: panic if same mountpoint shows up again with diff opts <Simple 😃> <Test Robustness> <Created by anonymouse64> <Merged by anonymouse64> <https://github.com/snapcore/snapd/pull/9550>15:51
ijohnsonzyga: I saw one of the mountns inherit spread tests fail on 18.04 like this:15:55
ijohnson-+0:+1 / /sys/fs/cgroup/cpuset rw,nosuid,nodev,noexec,relatime shared:+1 - cgroup cgroup rw,cpuset15:56
ijohnson++0:+1 / /sys/fs/cgroup/cpuset rw,nosuid,nodev,noexec,relatime shared:+1 - cgroup cgroup rw,cpuset,clone_children15:56
ijohnson-+0:+1 / /sys/fs/cgroup/unified rw,nosuid,nodev,noexec,relatime shared:+1 - cgroup2 cgroup rw,nsdelegate15:56
ijohnson++0:+1 / /sys/fs/cgroup/unified rw,nosuid,nodev,noexec,relatime shared:+1 - cgroup2 cgroup rw15:56
ijohnsonany idea why the cgroup mounts would be different like that?15:56
zygathat's lxd for sure16:02
zygaperhaps something is not doing lxc cleanup16:02
zygadidn't pawel add a lxd test recently?16:02
mborzeckieh, damn quoting16:06
pedroniszyga: I did a pass on #9546 , special.go defeated me a bit though16:25
mupPR #9546: overlord: add inert export manager <Created by zyga> <https://github.com/snapcore/snapd/pull/9546>16:25
zygapedronis, thank you, looking16:29
zygapedronis, was special.go confusing?16:29
pedronismaybe it's because it's the end but I find it hard to read16:31
pedronislots of small helpers16:31
mborzeck1cmatsuoka: pushed a patch, i think it should work now16:35
mborzeck1need to run some errands, i'll check back later16:35
mupPR snapd#9555 opened: asserts: implement "storage-safety" in uc20 model assertion <UC20> <Created by mvo5> <https://github.com/snapcore/snapd/pull/9555>16:37
pedroniszyga: it was never the intention to decentralize all directory definition, also managers are a problematic place to define things like that16:37
mvomborzeck1: woah, nice!16:37
mvomborzeck1: you rock16:37
zygapedronis, I see, that's an easy change16:37
zygapedronis, let's sync in the morning about remaining topics16:38
zygapedronis, some are easy16:38
zygapedronis, some I need to understand your point better16:38
zygathank you for going through this, it's the hardest part of this PR16:38
* zyga managed to tame selinux errors16:38
zygaquick recheck on systems other than f3216:38
zygacachio, f33 released today, perhaps we should swap f31 for f3316:39
pedroniszyga: I added a couple more questions16:47
pedroniszyga: we can chat at 10am tomorrow if that works for you?16:48
zygayeah, that's fine16:50
zygagrr, me sees a denial on centos-7 that doesn't show up elsewhere16:51
cachiozyga, yes, I'll create the image16:55
zyganothing urgent16:57
pedronispstolowski: I looked again at #9522,  we need to chat a bit about it, I'm slightly worried that it improves some things and not others17:00
mupPR #9522: o/snapstate: ignore remove errors in clear-snap handler, only log them <⛔ Blocked> <Created by stolowski> <https://github.com/snapcore/snapd/pull/9522>17:00
pstolowskipedronis: hmm ok, sure17:01
pedronispstolowski: I explained in the PR17:01
pedronispstolowski: maybe you can also try to add more motivation to the description, it says what it does but not why17:02
cachiozyga, f33 has a gcp image now17:02
cachioI'll try that one17:02
zygathat's nice17:02
pstolowskipedronis: sure, will do17:02
cmatsuokamborzeck1: thanks!17:04
pedronispstolowski: I approved #9535, thanks for the last commits there17:06
mupPR #9535: o/snapstate: generate snapd snap wrappers again after restart on refresh <Bug> <Needs Samuele review> <Created by stolowski> <https://github.com/snapcore/snapd/pull/9535>17:06
pstolowskipedronis: great, thank you17:07
* zyga stabs his eyes with selinux17:16
pstolowskiijohnson: hey, if you could re-review #8395 that would be great (and it's green)17:16
mupPR #8395: o/ifacestate: handle interface hooks when preseeding <Preseeding 🍞> <Created by stolowski> <https://github.com/snapcore/snapd/pull/8395>17:16
ijohnsonpstolowski: yes will add it to my queue, thanks for the reminder17:17
zygaI really, really dislike selinux tooling17:24
zygait's both baroque and complex _and_ imprecise17:24
zygaapplying the policy is more of a whack-a-mole than anything17:25
zygaso /tmp and /tmp/X11-unix have different types17:25
zygabut only on centos 7 for some reason17:25
zygaand I have no idea how to connect the dots between the type I see in the FS17:26
zygaand the abstraction I'm forced to use to write the policy17:26
zygaI really give up on that now17:26
zygaI can try tomorrow17:26
zygaI've wasted half of my day on this already :/17:26
zygaI'll talk to maciek tomorrow17:28
pstolowskicachio: i've requested your review on https://github.com/snapcore/snapd/pull/955317:49
mupPR #9553: tests: add spread test for refreshing from an old snapd and core18 <Run nested> <Test Robustness> <Created by stolowski> <https://github.com/snapcore/snapd/pull/9553>17:49
cachiopstolowski, sure, I'll take a look today17:49
pstolowskicachio: i wasn't sure if it should be migrated to nested tool already17:49
pstolowskicachio: i think the tool doesn't have execute command yet?17:50
cachiopstolowski, don't use the nested tool17:53
cachioI'll migrate that later this week17:54
pstolowskicachio: ok, great17:54
pstolowskipedronis: added rationale to #952218:04
mupPR #9522: o/snapstate: ignore remove errors in clear-snap handler, only log them <⛔ Blocked> <Created by stolowski> <https://github.com/snapcore/snapd/pull/9522>18:04
mupPR snapcraft#3318 closed: plugin handler: set -x for scriptlets <Created by cjp256> <Closed by sergiusens> <https://github.com/snapcore/snapcraft/pull/3318>18:06
=== mborzeck1 is now known as mborzecki
mborzeckicmatsuoka: i see that the nested uc20 tests are green in #9549 yay18:17
mupPR #9549: many: update to secboot v1 (part 1) <Run nested> <UC20> <Created by cmatsuoka> <https://github.com/snapcore/snapd/pull/9549>18:17
cmatsuokamborzecki: excellent18:17
mborzeckicmatsuoka: 14.04 did not build though, may need looking into18:17
cmatsuokayeah. I'm checking it18:18
mborzeckisrc/github.com/snapcore/snapd/vendor/github.com/snapcore/secboot/keydata.go:43:2: cannot find package "maze.io/x/crypto/afis"18:18
mborzeckicmatsuoka: ok, cool, so i'm wrapping it up for today :)18:18
cmatsuokacachio: we have a problem in a 14.04 test apparently caused by libcurl being unable to connect to certain servers, how do you usually fix this kind of problem?18:52
cmatsuokacachio: using curl/libcurl from xenial should be enough to make it work again18:53
pedroniscmatsuoka: they are green but also say they took 4s, so something is weird there18:53
pedronisthe PR has run nested set18:54
cmatsuokapedronis: the low times are probably the result of a test re-run18:54
cmatsuokapedronis: and the trusty test is failing to connect to a certain https server because apparently libcurl is using some older crypto that's no longer supported18:56
pedronisthat is a bit of a problem though, 14.04 is still required18:57
cmatsuokayes, I don't know if we had this sort of problem before or how cachio usually handles them18:58
cmatsuokausing a slightly newer curl/libcurl should solve it but it's not available for trusty18:58
pedroniscmatsuoka: that repo is a bit in an usual location19:02
pedronismaybe we have to mirror it anyway19:02
cmatsuokayes, maze.io. We could perhaps clone it to github?19:02
pedronisthat would be fine I suppose19:03
pedronisthe license is MIT19:03
cachiocmatsuoka, hey19:08
cachioI'll check that19:08
cmatsuokacachio: thanks. I don't know if we ran into this sort of thing before but I thought perhaps you already have a solution19:08
cachiocmatsuoka, I think it is the first time with this19:14
cachiocmatsuoka,  it is happening 100% of the time ?19:15
cachioor it is just something that happens sometimes19:15
cmatsuokacachio: it's deterministic19:16
cachiocmatsuoka, on which pr?19:16
cmatsuokacachio: it seems that the version of libcurl used in trusty lacks some new crypto used by maze.io19:16
cmatsuokacachio: it's PR #954919:17
mupPR #9549: many: update to secboot v1 (part 1) <Run nested> <UC20> <Created by cmatsuoka> <https://github.com/snapcore/snapd/pull/9549>19:17
cachiocmatsuoka, checking19:23
pedroniscmatsuoka: I made a mirror here (at least temporarily)19:28
cmatsuokapedronis: can you also change the secboot vendor.json to use the mirror?19:29
cmatsuokano, not needed, we change ours19:29
cmatsuokaI always tend to think about vendor as a hierarchy but it's flat19:30
pedroniscmatsuoka: this seems to work: govendor fetch maze.io/x/crypto/afis::github.com/pedronis/maze.io-x-crypto/afis19:30
pedronisto get the right bits into vendor.json19:30
cmatsuokaok, doing that19:30
cmatsuokathanks samuele19:30
pedroniscmatsuoka: thank you19:38
mupPR snapd#9549 closed: many: update to secboot v1 (part 1) <Run nested> <UC20> <Created by cmatsuoka> <Merged by cmatsuoka> <https://github.com/snapcore/snapd/pull/9549>20:53
mupPR snapd#9556 opened: tests: testing new fedora 33 image <Created by sergiocazzolato> <https://github.com/snapcore/snapd/pull/9556>21:13
mupPR snapcraft#3341 opened: repo: move apt ppa helpers into apt_ppa module <Created by cjp256> <https://github.com/snapcore/snapcraft/pull/3341>23:22
mupPR snapd#9557 opened: tests/snap-advise-command: re-enable test <Simple 😃> <Test Robustness> <Created by anonymouse64> <https://github.com/snapcore/snapd/pull/9557>23:24
