mborzecki | morning | 06:25 |
---|---|---|
mborzecki | the car just rolled into the shop | 06:26 |
mup | PR snapd#10754 closed: packaging, tests/lib/prepare-restore: build packages without network access, fix building debs with go modules <Simple 😃> <Created by bboozzoo> <Merged by bboozzoo> <https://github.com/snapcore/snapd/pull/10754> | 06:32 |
mup | PR snapd#10772 opened: kernel/fde: mock systemd-run in unit test <Created by mardy> <https://github.com/snapcore/snapd/pull/10772> | 06:32 |
mardy | mborzecki: hi! | 06:34 |
mborzecki | mardy: hey | 06:35 |
mardy | mborzecki: I hope that the gates of the shop were open, when the car rolled in | 06:35 |
mborzecki | hahah | 06:36 |
mborzecki | but the traffic is real bad at this time of day, took more 1:10h to drive from NW suburbs to the show which is in the southern part of lodz | 06:37 |
mborzecki | mvo: hi, shall we land https://github.com/snapcore/snapd/pull/10661 ? | 06:58 |
mup | PR #10661: cmd/libsnap-confine-private: device cgroup v2 support <Complex> <cgroupv2> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/10661> | 06:58 |
zyga-mbp | good morning :) | 06:59 |
zyga-mbp | amurray not as pretty as before but nonetheless interesting https://twitter.com/zygoon/status/1437666089773813764?s=21 :) | 07:00 |
mvo | mborzecki: +1 | 07:02 |
mvo | mborzecki: in a meeting right now, but I can do it after | 07:02 |
mborzecki | zyga-mbp: fungi? | 07:03 |
zyga-mbp | mborzecki yeah | 07:03 |
mborzecki | new hobby? | 07:03 |
zyga-mbp | not new :) | 07:03 |
zyga-mbp | but I don't plan on eating it, it was just interesting to see | 07:03 |
zyga-mbp | they are not as rare as, say, 10 years ago | 07:03 |
pstolowski | morning | 07:03 |
mborzecki | haha | 07:03 |
zyga-mbp | but I only see them several times a year | 07:04 |
mborzecki | pstolowski: hey | 07:04 |
zyga-mbp | hey pstolowski :) | 07:04 |
pstolowski | o/ | 07:04 |
mborzecki | mardy: can you adjust the PR title in https://github.com/snapcore/snapd/pull/10764 before landing? | 07:17 |
mup | PR #10764: tests: allow spread tests to skip the OOM test <Squash-merge> <Created by mardy> <https://github.com/snapcore/snapd/pull/10764> | 07:17 |
mardy | mborzecki: sure, let me actually squash the commits too | 07:25 |
mardy | done | 07:28 |
mborzecki | mardy: hm thinking about https://github.com/snapcore/snapd/pull/10772/ perhaps the problem is that fde tests use the real systemd-run at all | 07:36 |
mup | PR #10772: kernel/fde: mock systemd-run in unit test <Created by mardy> <https://github.com/snapcore/snapd/pull/10772> | 07:36 |
mardy | mvo: can you please use your superpowers on https://github.com/snapcore/snapd/pull/10762? | 07:36 |
mborzecki | maybe we should have a thing that kind of behaves like systemd-run in testutil? | 07:36 |
mup | PR #10762: o/servicestate: Update task summary for restart action <Simple 😃> <Created by mardy> <https://github.com/snapcore/snapd/pull/10762> | 07:36 |
mvo | mardy: sure | 07:36 |
mup | PR snapd#10762 closed: o/servicestate: Update task summary for restart action <Simple 😃> <Created by mardy> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/10762> | 07:37 |
mardy | mborzecki: yes, it looks like they are using the real systemd-run | 07:38 |
mardy | mvo: thanks! | 07:38 |
mborzecki | https://paste.ubuntu.com/p/5FNF4R3mYg/ hmm microstack interface unit tests failing on distro not using /usr/lib? | 07:39 |
mardy | mborzecki: thanks, I'll fix it | 07:41 |
mardy | mborzecki: is it on a machine we have in our spread? | 07:41 |
mborzecki | mardy: already have a change, i'll open a PR in a minute | 07:42 |
mborzecki | mardy: https://github.com/snapcore/snapd/pull/10773 | 07:44 |
mup | PR #10773: interfaces/builtin: fix microstack unit tests on distros using /usr/libexec <Simple 😃> <Skip spread> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/10773> | 07:44 |
mardy | mborzecki: interfaces/builtin/common_test.go is using %v in this case, is there any difference? | 07:45 |
mborzecki | mardy: not really, %s means that we're expecting a string already, %v otoh means that go will try to use the default format which is the same as %s | 07:46 |
mup | PR snapd#10773 opened: interfaces/builtin: fix microstack unit tests on distros using /usr/libexec <Simple 😃> <Skip spread> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/10773> | 07:47 |
mborzecki | hmm we run the docker-smoke test only on ubuntu, guess it's expected that the snap being docker may not work properly anywhere else right? | 08:00 |
mborzecki | mvo: something isn't quite working in the docker snap when cgroup v2 is around | 08:11 |
mborzecki | https://paste.ubuntu.com/p/xy5jWPrNCX/ | 08:11 |
mborzecki | hmm /usr/lib/snapd/snap-gdb-shim: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by /usr/lib/snapd/snap-gdb-shim) | 08:15 |
mborzecki | ok, looks like it's just failing like this on 21.10 | 08:16 |
mborzecki | mvo: we have a problem on 21.10, looks like the binaries that are built there no longer work when invoked in core16 base | 08:22 |
mvo | mborzecki: in a meeting right now, sry, will look in a bit | 08:34 |
mvo | mborzecki: can I squash 10540 btw? | 08:35 |
mborzecki | mvo: yes | 08:37 |
mup | PR snapd#10661 closed: cmd/libsnap-confine-private: device cgroup v2 support <Complex> <cgroupv2> <Created by bboozzoo> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/10661> | 08:37 |
mup | PR snapd#10540 closed: cmd/snap-confine: handle CURRENT_TAGS on systems that support it <Squash-merge> <Created by bboozzoo> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/10540> | 08:47 |
mborzecki | oh, there was no conflict? | 08:50 |
mup | PR snapd#10773 closed: interfaces/builtin: fix microstack unit tests on distros using /usr/libexec <Simple 😃> <Skip spread> <Created by bboozzoo> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/10773> | 08:52 |
mup | PR snapd#10628 closed: usersession/xdgopenproxy: move PortalLauncher class to own package <Squash-merge> <Created by mardy> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/10628> | 08:57 |
mborzecki | ok, my ride has arrived, bbiab | 09:14 |
mup | PR snapd#10759 closed: tests: be more robust against a new day stepping in <Squash-merge> <Created by mardy> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/10759> | 10:07 |
mup | PR snapd#10764 closed: tests: increase memory quota in quota-groups-systemd-accounting <Squash-merge> <Created by mardy> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/10764> | 10:12 |
mborzecki | re | 10:18 |
mborzecki | heh, one more debian/rules tweak is apparently needed | 10:24 |
mvo | mborzecki: meh, hopefully the last one :) | 10:27 |
mardy | has anyone seen a similar spread failure on tests/main/security-device-cgroups:kmsg? https://paste.ubuntu.com/p/nJ7z2wxrKX/ | 10:34 |
mborzecki | again a mystery, why didn't this come up in our builds | 10:35 |
mvo | mborzecki: strange, we even have the sbuild test to make sure we test as closely to the buildds as possible :/ | 10:40 |
mborzecki | mvo: but it's nightly, so maybe it's failing? | 10:41 |
mborzecki | mvo: and it runs on debian only :) | 10:43 |
mup | PR snapd#10774 opened: asserts, snapstate: return full validation set keys from CheckPresenceRequired and CheckPresenceInvalid <Needs Samuele review> <validation-sets :white_check_mark:> <Created by stolowski> <https://github.com/snapcore/snapd/pull/10774> | 10:48 |
mborzecki | mvo: well, i know, we don't run tests when building the package ;) | 10:50 |
mvo | mborzecki: meh, ok | 10:58 |
mardy | so, this looks weird: https://github.com/snapcore/snapd/pull/10739/checks?check_run_id=3596874649 | 11:04 |
mup | PR #10739: mount-control: step 2 <Needs Samuele review> <Needs security review> <Created by mardy> <https://github.com/snapcore/snapd/pull/10739> | 11:04 |
mardy | the test tests/main/security-device-cgroups:uinput was run successfully, but it didn't issue a REBOOT | 11:05 |
mardy | so the udev rules were not cleaned up, and tests/main/security-device-cgroups:kmsg failed because of that | 11:05 |
mup | PR snapd#10775 opened: packaging/ubuntu: pass GO111MODULE to dh_auto_test <Simple 😃> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/10775> | 11:08 |
mborzecki | https://github.com/snapcore/snapd/pull/10703 needs reviews, it's pretty fun with some python bits | 11:09 |
mup | PR #10703: tests/main/security-device-cgroups-strict-enforced: demonstrate device cgroup being enforced <cgroupv2> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/10703> | 11:09 |
mup | PR snapd#10776 opened: cmd/libsnap-confine-private, tests, sandbox: remove warnings about cgroup v2, drop forced devmode <Simple 😃> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/10776> | 11:43 |
mardy | mborzecki: reviewed! | 11:44 |
mborzecki | thanks, i'll take a look in a bit | 11:44 |
mborzecki | 10766 is also fun and simple | 11:45 |
mardy | cachio: hi! I have a spread failure which I cannot understand; I'll paste the same messages that I sent to the channel in private message, then we can continue here (when you have time) | 11:45 |
mardy | mborzecki: wrong PR number? 10766 is already merged | 11:47 |
mborzecki | mardy: 10776 :) | 11:47 |
mardy | mborzecki: +1 | 11:54 |
mup | PR snapd#10777 opened: interfaces/modem-manager: add access to PCIe modems <Created by alfonsosanchezbeato> <https://github.com/snapcore/snapd/pull/10777> | 13:18 |
mup | PR snapd#10778 opened: cmd: build gdb shims as static binaries <Simple 😃> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/10778> | 14:43 |
mborzecki | mvo: ^^ | 14:44 |
mvo | mborzecki: nice! | 14:44 |
mborzecki | adds about 1.7MB to the overall uncompressed size | 14:45 |
* cachio_ | afk | 14:46 |
mborzecki | maybe we could somehow handle all of the shim business in a single binary and add a symlink eg. snap-gdbserver-shim -> snap-gdb-shim | 14:46 |
mvo | mborzecki: +1 | 14:48 |
* mvo | needs to switch network | 14:48 |
ijohnson[m] | @bboozzoo hmm regarding docker, is your cgroupsv2 change effectively the case that snaps now always enter into a device cgroup whenever snap-confine runs? Remember we had the behavior before where snaps are not put into cgroups unless there is an interface which declares rules to tag devices for that snap | 15:10 |
zyga-mbp | oh | 15:10 |
zyga-mbp | I remember that | 15:10 |
zyga-mbp | I caused a regression a while back | 15:10 |
zyga-mbp | remember? | 15:10 |
zyga-mbp | it looked as an optimization but it broke docker | 15:11 |
ijohnson[m] | yeah like greengrass relies on this behavior | 15:11 |
ijohnson[m] | I think it also broke docker for the same reasons ? | 15:11 |
mborzecki | ijohnson: it's still the same, a piece of the log from when docker fails to launch anything is here: https://paste.ubuntu.com/p/xy5jWPrNCX/ | 15:13 |
ijohnson[m] | thanks I'll take a look | 15:14 |
ijohnson[m] | the cupsd apparmor denials are nothing new, I don't know why but docker always seems to want to ptrace cups, but that's nothing new | 15:15 |
mborzecki | it seems like it tries to launch a new scope, but cannot talk to systemd for some reason | 15:15 |
ijohnson[m] | @bboozzoo, if I clone your branch can I reproduce this in gCE with the 21.10 image that has cgroupsv2 enabled ? | 15:16 |
mborzecki | perhaps that's a new bit that isn't covered by the interface yet | 15:16 |
ijohnson[m] | could be | 15:16 |
ijohnson[m] | @bboozzoo are there any other denials ? | 15:16 |
mborzecki | ijohnson: use this branch https://github.com/snapcore/snapd/pull/10575 | 15:16 |
mup | PR #10575: [WIP] many: device cgroup v2 support <⛔ Blocked> <cgroupv2> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/10575> | 15:16 |
mborzecki | there's ubuntu-21.10-64-cgroupv2 system defined in spread which uses the right image | 15:17 |
ijohnson[m] | ack | 15:18 |
mborzecki | hm there's nothing dbus related in the docker-support interface | 15:19 |
ijohnson[m] | that could be it for sure then | 15:20 |
jdstrand | ijohnson[m]: it isn't that docker is trying to ptrace cupsd, it is trying to do something akin to 'ps', hitting stuff in /proc that requires the profile to have 'ptrace read peer=/usr/sbin | 15:23 |
jdstrand | /cupsd' | 15:23 |
ijohnson[m] | jdstrand: ah sure, and cupsd is just unique in that it also happens to have its own apparmor profile rather than be unconfined | 15:23 |
ijohnson[m] | ? | 15:23 |
jdstrand | ie, it is looking at everything in /proc/[0-9]* | 15:23 |
jdstrand | yes. chronyd too and anything else that would've happened to be running | 15:24 |
jdstrand | (under a profile) | 15:24 |
ijohnson[m] | ah yeah I think I have seen chronyd too as well | 15:24 |
jdstrand | s/profile/profile other than unconfined/ | 15:24 |
jdstrand | you have, it is in that paste :) | 15:24 |
jdstrand | the denial is noisy but harmless. docker doesn't need info on cupsd or chronyd | 15:25 |
ijohnson[m] | right | 15:26 |
jdstrand | if you did add a 'ptrace read,' rule (which you shouldn't ;), then those other profiles would need a corresponding 'ptrace readby peer=snap.docker.dockerd' rule | 15:26 |
ijohnson[m] | oh haha yeah it is in that paste too | 15:26 |
jdstrand | the consensus back when was to have quiet profile flags and quiet rules. eg, people could hit some 'snap set' command for the system to turn off denials for a snap, that would add a profile flag to the profile and everyone rejoices. amurray would be able to give the more details in this area | 15:28 |
ijohnson[m] | yeah I think that would be a great feature to have some day | 15:29 |
jdstrand | iirc, apparmor 3.1 was going to have the quiet profile flag and perhaps that could be backported into the vendored apparmor he is/has worked on | 15:29 |
jdstrand | (or just pull 3.1 in) | 15:29 |
ijohnson[m] | Yes, the apparmor vendoring is coming along I think I've reviewed that PR a few times now | 15:30 |
jdstrand | \o/ | 15:30 |
jdstrand | that's going to be *wonderful* :) | 15:30 |
ijohnson[m] | :-) | 15:30 |
* ijohnson[m] | needs to afk for a bit | 15:31 |
jdstrand | ijohnson[m]: nice chatting with you; hope you're well :) | 15:31 |
ijohnson[m] | thanks you too! | 15:32 |
zyga-mbp | hey jdstrand :) | 15:34 |
zyga-mbp | it's fantastic to see you here again | 15:34 |
mup | PR snapd#10767 closed: o/snapstate: only conflict with runnable and relevant tasks <Needs Samuele review> <Created by MiguelPires> <Closed by MiguelPires> <https://github.com/snapcore/snapd/pull/10767> | 15:48 |
mup | PR snapd#10775 closed: packaging/ubuntu: pass GO111MODULE to dh_auto_test <Simple 😃> <Created by bboozzoo> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/10775> | 16:19 |
mup | PR snapd#10776 closed: cmd/libsnap-confine-private, tests, sandbox: remove warnings about cgroup v2, drop forced devmode <Simple 😃> <Created by bboozzoo> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/10776> | 16:19 |
ijohnson[m] | bboozzoo: yeah so there are a bunch of dbus denials for docker when run under cgroupsv2 on ubuntu like this | 16:54 |
ijohnson[m] | https://paste.ubuntu.com/p/Jt9sGC5SZG/ | 16:54 |
mup | PR snapd#10779 opened: tests/nested/manual: use loop for checking for initialize-system task done <Simple 😃> <Run nested> <Created by anonymouse64> <https://github.com/snapcore/snapd/pull/10779> | 17:59 |