[06:25] <mborzecki> morning
[06:26] <mborzecki> the car just rolled into the shop
[06:32] <mup> PR snapd#10754 closed: packaging, tests/lib/prepare-restore: build packages without network access, fix building debs with go modules <Simple 😃> <Created by bboozzoo> <Merged by bboozzoo> <https://github.com/snapcore/snapd/pull/10754>
[06:32] <mup> PR snapd#10772 opened: kernel/fde: mock systemd-run in unit test <Created by mardy> <https://github.com/snapcore/snapd/pull/10772>
[06:34] <mardy> mborzecki: hi!
[06:35] <mborzecki> mardy: hey
[06:35] <mardy> mborzecki: I hope that the gates of the shop were open, when the car rolled in
[06:36] <mborzecki> hahah
[06:37] <mborzecki> but the traffic is real bad at this time of day, took more than 1:10h to drive from NW suburbs to the shop which is in the southern part of lodz
[06:58] <mborzecki> mvo: hi, shall we land https://github.com/snapcore/snapd/pull/10661 ?
[06:58] <mup> PR #10661: cmd/libsnap-confine-private: device cgroup v2 support <Complex> <cgroupv2> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/10661>
[06:59] <zyga-mbp> good morning :)
[07:00] <zyga-mbp> amurray not as pretty as before but nonetheless interesting https://twitter.com/zygoon/status/1437666089773813764?s=21 :)
[07:02] <mvo> mborzecki: +1
[07:02] <mvo> mborzecki: in a meeting right now, but I can do it after
[07:03] <mborzecki> zyga-mbp: fungi?
[07:03] <zyga-mbp> mborzecki yeah
[07:03] <mborzecki> new hobby?
[07:03] <zyga-mbp> not new :)
[07:03] <zyga-mbp> but I don't plan on eating it, it was just interesting to see
[07:03] <zyga-mbp> they are not as rare as, say, 10 years ago
[07:03] <pstolowski> morning
[07:03] <mborzecki> haha
[07:04] <zyga-mbp> but I only see them several times a year
[07:04] <mborzecki> pstolowski: hey
[07:04] <zyga-mbp> hey pstolowski :)
[07:04] <pstolowski> o/
[07:17] <mborzecki> mardy: can you adjust the PR title in https://github.com/snapcore/snapd/pull/10764 before landing?
[07:17] <mup> PR #10764: tests: allow spread tests to skip the OOM test <Squash-merge> <Created by mardy> <https://github.com/snapcore/snapd/pull/10764>
[07:25] <mardy> mborzecki: sure, let me actually squash the commits too
[07:28] <mardy> done
[07:36] <mborzecki> mardy: hm thinking about https://github.com/snapcore/snapd/pull/10772/ perhaps the problem is that fde tests use the real systemd-run at all
[07:36] <mup> PR #10772: kernel/fde: mock systemd-run in unit test <Created by mardy> <https://github.com/snapcore/snapd/pull/10772>
[07:36] <mardy> mvo: can you please use your superpowers on https://github.com/snapcore/snapd/pull/10762?
[07:36] <mborzecki> maybe we should have a thing that kind of behaves like systemd-run in testutil?
[07:36] <mup> PR #10762: o/servicestate: Update task summary for restart action <Simple 😃> <Created by mardy> <https://github.com/snapcore/snapd/pull/10762>
[07:36] <mvo> mardy: sure
[07:37] <mup> PR snapd#10762 closed: o/servicestate: Update task summary for restart action <Simple 😃> <Created by mardy> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/10762>
[07:38] <mardy> mborzecki: yes, it looks like they are using the real systemd-run
[07:38] <mardy> mvo: thanks!
[07:39] <mborzecki> https://paste.ubuntu.com/p/5FNF4R3mYg/ hmm microstack interface unit tests failing on distro not using /usr/lib?
[07:41] <mardy> mborzecki: thanks, I'll fix it
[07:41] <mardy> mborzecki: is it on a machine we have in our spread?
[07:42] <mborzecki> mardy: already have a change, i'll open a PR in a minute
[07:44] <mborzecki> mardy: https://github.com/snapcore/snapd/pull/10773
[07:44] <mup> PR #10773: interfaces/builtin: fix microstack unit tests on distros using /usr/libexec <Simple 😃> <Skip spread> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/10773>
[07:45] <mardy> mborzecki: interfaces/builtin/common_test.go is using %v in this case, is there any difference?
[07:46] <mborzecki> mardy: not really, %s means that we're expecting a string already, %v otoh means that go will try to use the default format which is the same as %s
[07:47] <mup> PR snapd#10773 opened: interfaces/builtin: fix microstack unit tests on distros using /usr/libexec <Simple 😃> <Skip spread> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/10773>
[08:00] <mborzecki> hmm we run the docker-smoke test only on ubuntu, guess it's expected that the snap being docker may not work properly anywhere else right?
[08:11] <mborzecki> mvo: something isn't quite working in the docker snap when cgroup v2 is around
[08:11] <mborzecki> https://paste.ubuntu.com/p/xy5jWPrNCX/
[08:15] <mborzecki> hmm /usr/lib/snapd/snap-gdb-shim: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by /usr/lib/snapd/snap-gdb-shim)
[08:16] <mborzecki> ok, looks like it's just failing like this on 21.10
[08:22] <mborzecki> mvo: we have a problem on 21.10, looks like the binaries that are built there no longer work when invoked in core16 base
[08:34] <mvo> mborzecki: in a meeting right now, sry, will look in a bit 
[08:35] <mvo> mborzecki: can I squash 10540 btw?
[08:37] <mborzecki> mvo: yes
[08:37] <mup> PR snapd#10661 closed: cmd/libsnap-confine-private: device cgroup v2 support <Complex> <cgroupv2> <Created by bboozzoo> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/10661>
[08:47] <mup> PR snapd#10540 closed: cmd/snap-confine: handle CURRENT_TAGS on systems that support it <Squash-merge> <Created by bboozzoo> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/10540>
[08:50] <mborzecki> oh, there was no conflict?
[08:52] <mup> PR snapd#10773 closed: interfaces/builtin: fix microstack unit tests on distros using /usr/libexec <Simple 😃> <Skip spread> <Created by bboozzoo> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/10773>
[08:57] <mup> PR snapd#10628 closed: usersession/xdgopenproxy: move PortalLauncher class to own package <Squash-merge> <Created by mardy> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/10628>
[09:14] <mborzecki> ok, my ride has arrived, bbiab
[10:07] <mup> PR snapd#10759 closed: tests: be more robust against a new day stepping in <Squash-merge> <Created by mardy> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/10759>
[10:12] <mup> PR snapd#10764 closed: tests: increase memory quota in quota-groups-systemd-accounting <Squash-merge> <Created by mardy> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/10764>
[10:18] <mborzecki> re
[10:24] <mborzecki> heh, one more debian/rules tweak is apparently needed
[10:27] <mvo> mborzecki: meh, hopefully the last one :)
[10:34] <mardy> has anyone seen a similar spread failure on tests/main/security-device-cgroups:kmsg? https://paste.ubuntu.com/p/nJ7z2wxrKX/
[10:35] <mborzecki> again a mystery, why didn't this come up in our builds
[10:40] <mvo> mborzecki: strange, we even have the sbuild test to make sure we test as closely to the buildds as possible :/
[10:41] <mborzecki> mvo: but it's nightly, so maybe it's failing?
[10:43] <mborzecki> mvo: and it runs on debian only :)
[10:48] <mup> PR snapd#10774 opened: asserts, snapstate: return full validation set keys from CheckPresenceRequired and CheckPresenceInvalid <Needs Samuele review> <validation-sets :white_check_mark:> <Created by stolowski> <https://github.com/snapcore/snapd/pull/10774>
[10:50] <mborzecki> mvo: well, i know, we don't run tests when building the package ;)
[10:58] <mvo> mborzecki: meh, ok
[11:04] <mardy> so, this looks weird: https://github.com/snapcore/snapd/pull/10739/checks?check_run_id=3596874649
[11:04] <mup> PR #10739: mount-control: step 2 <Needs Samuele review> <Needs security review> <Created by mardy> <https://github.com/snapcore/snapd/pull/10739>
[11:05] <mardy> the test tests/main/security-device-cgroups:uinput was run successfully, but it didn't issue a REBOOT
[11:05] <mardy> so the udev rules were not cleaned up, and tests/main/security-device-cgroups:kmsg failed because of that
[11:08] <mup> PR snapd#10775 opened: packaging/ubuntu: pass GO111MODULE to dh_auto_test <Simple 😃> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/10775>
[11:09] <mborzecki> https://github.com/snapcore/snapd/pull/10703 needs reviews, it's pretty fun with some python bits
[11:09] <mup> PR #10703:  tests/main/security-device-cgroups-strict-enforced: demonstrate device cgroup being enforced <cgroupv2> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/10703>
[11:43] <mup> PR snapd#10776 opened: cmd/libsnap-confine-private, tests, sandbox: remove warnings about cgroup v2, drop forced devmode <Simple 😃> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/10776>
[11:44] <mardy> mborzecki: reviewed!
[11:44] <mborzecki> thanks, i'll take a look in a bit
[11:45] <mborzecki> 10766 is also fun and simple
[11:45] <mardy> cachio: hi! I have a spread failure which I cannot understand; I'll paste the same messages that I sent to the channel in private message, then we can continue here (when you have time)
[11:47] <mardy> mborzecki: wrong PR number? 10766 is already merged
[11:47] <mborzecki> mardy: 10776 :)
[11:54] <mardy> mborzecki: +1
[13:18] <mup> PR snapd#10777 opened: interfaces/modem-manager: add access to PCIe modems <Created by alfonsosanchezbeato> <https://github.com/snapcore/snapd/pull/10777>
[14:43] <mup> PR snapd#10778 opened: cmd: build gdb shims as static binaries <Simple 😃> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/10778>
[14:44] <mborzecki> mvo: ^^
[14:44] <mvo> mborzecki: nice!
[14:45] <mborzecki> adds about 1.7MB to the overall uncompressed size
[14:46]  * cachio_ afk
[14:46] <mborzecki> maybe we could somehow handle all of the shim business in a single binary and add a symlink eg. snap-gdbserver-shim -> snap-gdb-shim
[14:48] <mvo> mborzecki: +1
[14:48]  * mvo needs to switch network
[15:10] <ijohnson[m]> @bboozzoo hmm regarding docker, is your cgroupsv2 change effectively the case that snaps now always enter into a device cgroup whenever snap-confine runs? Remember we had the behavior before where snaps are not put into cgroups unless there is an interface which declares rules to tag devices for that snap
[15:10] <zyga-mbp> oh
[15:10] <zyga-mbp> I remember that
[15:10] <zyga-mbp> I caused a regression a while back
[15:10] <zyga-mbp> remember?
[15:11] <zyga-mbp> it looked as an optimization but it broke docker 
[15:11] <ijohnson[m]> yeah like greengrass relies on this behavior
[15:11] <ijohnson[m]> I think it also broke docker for the same reasons ?
[15:13] <mborzecki> ijohnson: it's still the same, a piece of the log from when docker fails to launch anything is here: https://paste.ubuntu.com/p/xy5jWPrNCX/
[15:14] <ijohnson[m]> thanks I'll take a look
[15:15] <ijohnson[m]> the cupsd apparmor denials are nothing new, I don't know why but docker always seems to want to ptrace cups, but that's nothing new
[15:15] <mborzecki> it seems like it tries to launch a new scope, but cannot talk to systemd for some reason
[15:16] <ijohnson[m]> @bboozzoo, if I clone your branch can I reproduce this in GCE with the 21.10 image that has cgroupsv2 enabled ?
[15:16] <mborzecki> perhaps that's a new bit that isn't covered by the interface yet
[15:16] <ijohnson[m]> could be
[15:16] <ijohnson[m]> @bboozzoo are there any other denials ?
[15:16] <mborzecki> ijohnson: use this branch  https://github.com/snapcore/snapd/pull/10575
[15:16] <mup> PR #10575: [WIP] many: device cgroup v2 support <⛔ Blocked> <cgroupv2> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/10575>
[15:17] <mborzecki> there's ubuntu-21.10-64-cgroupv2 system defined in spread which uses the right image
[15:18] <ijohnson[m]> ack
[15:19] <mborzecki> hm there's nothing dbus related in the docker-support interface
[15:20] <ijohnson[m]> that could be it for sure then
[15:23] <jdstrand> ijohnson[m]: it isn't that docker is trying to ptrace cupsd, it is trying to do something akin to 'ps', hitting stuff in /proc that requires the profile to have 'ptrace read peer=/usr/sbin/cupsd'
[15:23] <ijohnson[m]> jdstrand: ah sure, and cupsd is just unique in that it also happens to have its own apparmor profile rather than be unconfined
[15:23] <ijohnson[m]> ?
[15:23] <jdstrand> ie, it is looking at everything in /proc/[0-9]* 
[15:24] <jdstrand> yes. chronyd too and anything else that would've happened to be running
[15:24] <jdstrand> (under a profile)
[15:24] <ijohnson[m]> ah yeah I think I have seen chronyd too as well
[15:24] <jdstrand> s/profile/profile other than unconfined/
[15:24] <jdstrand> you have, it is in that paste :)
[15:25] <jdstrand> the denial is noisy but harmless. docker doesn't need info on cupsd or chronyd
[15:26] <ijohnson[m]> right
[15:26] <jdstrand> if you did add a 'ptrace read,' rule (which you shouldn't ;), then those other profiles would need a corresponding 'ptrace readby peer=snap.docker.dockerd' rule
[15:26] <ijohnson[m]> oh haha yeah it is in that paste too
[15:28] <jdstrand> the consensus back when was to have quiet profile flags and quiet rules. eg, people could hit some 'snap set' command for the system to turn off denials for a snap, that would add a profile flag to the profile and everyone rejoices. amurray would be able to give more details in this area
[15:29] <ijohnson[m]> yeah I think that would be a great feature to have some day
[15:29] <jdstrand> iirc, apparmor 3.1 was going to have the quiet profile flag and perhaps that could be backported into the vendored apparmor he is/has worked on
[15:29] <jdstrand> (or just pull 3.1 in)
[15:30] <ijohnson[m]> Yes, the apparmor vendoring is coming along I think I've reviewed that PR a few times now
[15:30] <jdstrand> \o/
[15:30] <jdstrand> that's going to be *wonderful* :)
[15:30] <ijohnson[m]> :-)
[15:31]  * ijohnson[m] needs to afk for a bit
[15:31] <jdstrand> ijohnson[m]: nice chatting with you; hope you're well :)
[15:32] <ijohnson[m]> thanks you too!
[15:34] <zyga-mbp> hey jdstrand :)
[15:34] <zyga-mbp> it's fantastic to see you here again
[15:48] <mup> PR snapd#10767 closed: o/snapstate: only conflict with runnable and relevant tasks <Needs Samuele review> <Created by MiguelPires> <Closed by MiguelPires> <https://github.com/snapcore/snapd/pull/10767>
[16:19] <mup> PR snapd#10775 closed: packaging/ubuntu: pass GO111MODULE to dh_auto_test <Simple 😃> <Created by bboozzoo> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/10775>
[16:19] <mup> PR snapd#10776 closed: cmd/libsnap-confine-private, tests, sandbox: remove warnings about cgroup v2, drop forced devmode <Simple 😃> <Created by bboozzoo> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/10776>
[16:54] <ijohnson[m]> bboozzoo: yeah so there are a bunch of dbus denials for docker when run under cgroupsv2 on ubuntu like this
[16:54] <ijohnson[m]> https://paste.ubuntu.com/p/Jt9sGC5SZG/
[17:59] <mup> PR snapd#10779 opened: tests/nested/manual: use loop for checking for initialize-system task done <Simple 😃> <Run nested> <Created by anonymouse64> <https://github.com/snapcore/snapd/pull/10779>