[06:25] morning
[06:26] the car just rolled into the shop
[06:32] PR snapd#10754 closed: packaging, tests/lib/prepare-restore: build packages without network access, fix building debs with go modules
[06:32] PR snapd#10772 opened: kernel/fde: mock systemd-run in unit test
[06:34] mborzecki: hi!
[06:35] mardy: hey
[06:35] mborzecki: I hope that the gates of the shop were open, when the car rolled in
[06:36] hahah
[06:37] but the traffic is real bad at this time of day, took more than 1:10h to drive from NW suburbs to the shop which is in the southern part of lodz
[06:58] mvo: hi, shall we land https://github.com/snapcore/snapd/pull/10661 ?
[06:58] PR #10661: cmd/libsnap-confine-private: device cgroup v2 support
[06:59] good morning :)
[07:00] amurray not as pretty as before but nonetheless interesting https://twitter.com/zygoon/status/1437666089773813764?s=21 :)
[07:02] mborzecki: +1
[07:02] mborzecki: in a meeting right now, but I can do it after
[07:03] zyga-mbp: fungi?
[07:03] mborzecki yeah
[07:03] new hobby?
[07:03] not new :)
[07:03] but I don't plan on eating it, it was just interesting to see
[07:03] they are not as rare as, say, 10 years ago
[07:03] morning
[07:03] haha
[07:04] but I only see them several times a year
[07:04] pstolowski: hey
[07:04] hey pstolowski :)
[07:04] o/
[07:17] mardy: can you adjust the PR title in https://github.com/snapcore/snapd/pull/10764 before landing?
[07:17] PR #10764: tests: allow spread tests to skip the OOM test
[07:25] mborzecki: sure, let me actually squash the commits too
[07:28] done
[07:36] mardy: hm thinking about https://github.com/snapcore/snapd/pull/10772/ perhaps the problem is that fde tests use the real systemd-run at all
[07:36] PR #10772: kernel/fde: mock systemd-run in unit test
[07:36] mvo: can you please use your superpowers on https://github.com/snapcore/snapd/pull/10762?
[07:36] maybe we should have a thing that kind of behaves like systemd-run in testutil?
[07:36] PR #10762: o/servicestate: Update task summary for restart action
[07:36] mardy: sure
[07:37] PR snapd#10762 closed: o/servicestate: Update task summary for restart action
[07:38] mborzecki: yes, it looks like they are using the real systemd-run
[07:38] mvo: thanks!
[07:39] https://paste.ubuntu.com/p/5FNF4R3mYg/ hmm microstack interface unit tests failing on distro not using /usr/lib?
[07:41] mborzecki: thanks, I'll fix it
[07:41] mborzecki: is it on a machine we have in our spread?
[07:42] mardy: already have a change, i'll open a PR in a minute
[07:44] mardy: https://github.com/snapcore/snapd/pull/10773
[07:44] PR #10773: interfaces/builtin: fix microstack unit tests on distros using /usr/libexec
[07:45] mborzecki: interfaces/builtin/common_test.go is using %v in this case, is there any difference?
[07:46] mardy: not really, %s means that we're expecting a string already, %v otoh means that go will try to use the default format which is the same as %s
[07:47] PR snapd#10773 opened: interfaces/builtin: fix microstack unit tests on distros using /usr/libexec
[08:00] hmm we run the docker-smoke test only on ubuntu, guess it's expected that the snap being docker may not work properly anywhere else right?
[08:11] mvo: something isn't quite working in the docker snap when cgroup v2 is around
[08:11] https://paste.ubuntu.com/p/xy5jWPrNCX/
[08:15] hmm /usr/lib/snapd/snap-gdb-shim: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by /usr/lib/snapd/snap-gdb-shim)
[08:16] ok, looks like it's just failing like this on 21.10
[08:22] mvo: we have a problem on 21.10, looks like the binaries that are built there no longer work when invoked in core16 base
[08:34] mborzecki: in a meeting right now, sry, will look in a bit
[08:35] mborzecki: can I squash 10540 btw?
[08:37] mvo: yes
[08:37] PR snapd#10661 closed: cmd/libsnap-confine-private: device cgroup v2 support
[08:47] PR snapd#10540 closed: cmd/snap-confine: handle CURRENT_TAGS on systems that support it
[08:50] oh, there was no conflict?
[08:52] PR snapd#10773 closed: interfaces/builtin: fix microstack unit tests on distros using /usr/libexec
[08:57] PR snapd#10628 closed: usersession/xdgopenproxy: move PortalLauncher class to own package
[09:14] ok, my ride has arrived, bbiab
[10:07] PR snapd#10759 closed: tests: be more robust against a new day stepping in
[10:12] PR snapd#10764 closed: tests: increase memory quota in quota-groups-systemd-accounting
[10:18] re
[10:24] heh, one more debian/rules tweak is apparently needed
[10:27] mborzecki: meh, hopefully the last one :)
[10:34] has anyone seen a similar spread failure on tests/main/security-device-cgroups:kmsg? https://paste.ubuntu.com/p/nJ7z2wxrKX/
[10:35] again a mystery, why didn't this come up in our builds
[10:40] mborzecki: strange, we even have the sbuild test to make sure we test as closely to the buildds as possible :/
[10:41] mvo: but it's nightly, so maybe it's failing?
[10:43] mvo: and it runs on debian only :)
[10:48] PR snapd#10774 opened: asserts, snapstate: return full validation set keys from CheckPresenceRequired and CheckPresenceInvalid
[10:50] mvo: well, i know, we don't run tests when building the package ;)
[10:58] mborzecki: meh, ok
[11:04] so, this looks weird: https://github.com/snapcore/snapd/pull/10739/checks?check_run_id=3596874649
[11:04] PR #10739: mount-control: step 2
[11:05] the test tests/main/security-device-cgroups:uinput was run successfully, but it didn't issue a REBOOT
[11:05] so the udev rules were not cleaned up, and tests/main/security-device-cgroups:kmsg failed because of that
[11:08] PR snapd#10775 opened: packaging/ubuntu: pass GO111MODULE to dh_auto_test
[11:09] https://github.com/snapcore/snapd/pull/10703 needs reviews, it's pretty fun with some python bits
[11:09] PR #10703: tests/main/security-device-cgroups-strict-enforced: demonstrate device cgroup being enforced
[11:43] PR snapd#10776 opened: cmd/libsnap-confine-private, tests, sandbox: remove warnings about cgroup v2, drop forced devmode
[11:44] mborzecki: reviewed!
[11:44] thanks, i'll take a look in a bit
[11:45] 10766 is also fun and simple
[11:45] cachio: hi! I have a spread failure which I cannot understand; I'll paste the same messages that I sent to the channel in private message, then we can continue here (when you have time)
[11:47] mborzecki: wrong PR number? 10766 is already merged
[11:47] mardy: 10776 :)
[11:54] mborzecki: +1
[13:18] PR snapd#10777 opened: interfaces/modem-manager: add access to PCIe modems
[14:43] PR snapd#10778 opened: cmd: build gdb shims as static binaries
[14:44] mvo: ^^
[14:44] mborzecki: nice!
[14:45] adds about 1.7MB to the overall uncompressed size
[14:46] * cachio_ afk
[14:46] maybe we could somehow handle all of the shim business in a single binary and add a symlink eg. snap-gdbserver-shim -> snap-gdb-shim
[14:48] mborzecki: +1
[14:48] * mvo needs to switch network
[15:10] @bboozzoo hmm regarding docker, is your cgroupsv2 change effectively the case that snaps now always enter into a device cgroup whenever snap-confine runs? Remember we had the behavior before where snaps are not put into cgroups unless there is an interface which declares rules to tag devices for that snap
[15:10] oh
[15:10] I remember that
[15:10] I caused a regression a while back
[15:10] remember?
[15:11] it looked as an optimization but it broke docker
[15:11] yeah like greengrass relies on this behavior
[15:11] I think it also broke docker for the same reasons ?
[15:13] ijohnson: it's still the same, a piece of the log from when docker fails to launch anything is here: https://paste.ubuntu.com/p/xy5jWPrNCX/
[15:14] thanks I'll take a look
[15:15] the cupsd apparmor denials are nothing new, I don't know why but docker always seems to want to ptrace cups, but that's nothing new
[15:15] it seems like it tries to launch a new scope, but cannot talk to systemd for some reason
[15:16] @bboozoo, if I clone your branch can I reproduce this in gCE with the 21.10 image that has cgroupsv2 enabled ?
[15:16] perhaps that's a new bit that isn't covered by the interface yet
[15:16] could be
[15:16] @bboozzoo are there any other denials ?
[15:16] ijohnson: use this branch https://github.com/snapcore/snapd/pull/10575
[15:16] PR #10575: [WIP] many: device cgroup v2 support <⛔ Blocked>
[15:17] there's ubuntu-21.10-64-cgroupv2 system defined in spread which uses the right image
[15:18] ack
[15:19] hm there's nothing dbus related in the docker-support interface
[15:20] that could be it for sure then
[15:23] ijohnson[m]: it isn't that docker is trying to ptrace cupsd, it is trying to do something akin to 'ps', hitting stuff in /proc that requires the profile to have 'ptrace read peer=/usr/sbin/cupsd'
[15:23] jdstrand: ah sure, and cupsd is just unique in that it also happens to have its own apparmor profile rather than be unconfined
[15:23] ?
[15:23] ie, it is looking at everything in /proc/[0-9]*
[15:24] yes. chronyd too and anything else that would've happened to be running
[15:24] (under a profile)
[15:24] ah yeah I think I have seen chronyd too as well
[15:24] s/profile/profile other than unconfined/
[15:24] you have, it is in that paste :)
[15:25] the denial is noisy but harmless. docker doesn't need info on cupsd or chronyd
[15:26] right
[15:26] if you did add a 'ptrace read,' rule (which you shouldn't ;), then those other profiles would need a corresponding 'ptrace readby peer=snap.docker.dockerd' rule
[15:26] oh haha yeah it is in that paste too
[15:28] the consensus back when was to have quiet profile flags and quiet rules. eg, people could hit some 'snap set' command for the system to turn off denials for a snap, that would add a profile flag to the profile and everyone rejoices. amurray would be able to give more details in this area
[15:29] yeah I think that would be a great feature to have some day
[15:29] iirc, apparmor 3.1 was going to have the quiet profile flag and perhaps that could be backported into the vendored apparmor he is/has worked on
[15:29] (or just pull 3.1 in)
[15:30] Yes, the apparmor vendoring is coming along I think I've reviewed that PR a few times now
[15:30] \o/
[15:30] that's going to be *wonderful* :)
[15:30] :-)
[15:31] * ijohnson[m] needs to afk for a bit
[15:31] ijohnson[m]: nice chatting with you; hope you're well :)
[15:32] thanks you too!
[15:34] hey jdstrand :)
[15:34] it's fantastic to see you here again
[15:48] PR snapd#10767 closed: o/snapstate: only conflict with runnable and relevant tasks
[16:19] PR snapd#10775 closed: packaging/ubuntu: pass GO111MODULE to dh_auto_test
[16:19] PR snapd#10776 closed: cmd/libsnap-confine-private, tests, sandbox: remove warnings about cgroup v2, drop forced devmode
[16:54] bboozzoo: yeah so there are a bunch of dbus denials for docker when run under cgroupsv2 on ubuntu like this
[16:54] https://paste.ubuntu.com/p/Jt9sGC5SZG/
[17:59] PR snapd#10779 opened: tests/nested/manual: use loop for checking for initialize-system task done