/srv/irclogs.ubuntu.com/2021/09/21/#snappy.txt

mborzeckimorning05:05
pstolowskimorning07:06
mborzeckipstolowski: hey07:11
mvogood morning pstolowski and mborzecki 07:13
mvomborzecki: is 10803 ready or still needs security review?07:13
mborzeckimvo: does amurray's review count as +1? :)07:14
mborzeckii'm trying to track down all the method names, but some are generated07:15
mupPR snapd#10791 closed: gadget/gadget.go: LaidOutSystemVolumeFromGadget -> LaidOutVolumesFromGadget <Simple 😃> <Created by anonymouse64> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/10791>07:16
mvomborzecki: heh, I don't know if amurray gave a +1 in 10803 at least he did not remove the label so I assume not. if the method names are auto-generated that is annoying :/ maybe the "only know names" breaks down there?07:17
mborzeckimvo: i'll try to track down which methods are used, and if that proves to be futile effort we'll stick with allowing all of them07:18
mborzeckischool run, brb07:21
mardy'morning all07:21
mardysome more reviews on https://github.com/snapcore/snapd/pull/10739 and /10739/checks?check_run_id=3652775103 would be appreciated :-)07:24
mupPR #10739: mount-control: step 2 <Needs Samuele review> <Needs security review> <Created by mardy> <https://github.com/snapcore/snapd/pull/10739>07:24
mardyBTW, when a PR is tagged "Needs security review", does it mean that it's in the backlog of the security team, or do I still need to ping them?07:31
amurraymardy: if you want it to get looked at with some urgency, it doesn't hurt to ping me/us ;)07:34
zyga-mbphaha, the brutal honesty :)07:36
amurrayhehe - hey zyga-mbp :)07:36
zyga-mbpI think pinging is useful to set priority07:36
zyga-mbpbut everyone is busy as is07:36
zyga-mbphey there alex :)07:36
amurrayyep, the "needs security review" queue is pretty long, so it definitely helps to communicate priority/urgency by letting me know directly if you need something faster than "whenever I happen to get to it"07:37
amurrayplus I am not across all the snapd release dates/milestones/targetted features etc - I'd like to have more time to devote to snapd security stuff but like zyga said, everyone is busy07:39
mardyamurray: thanks, it's not super urgent, but that mount-control PR (link 10 lines above) needs a pair of security-trained eyes :-)07:39
zyga-mbpor two security pirrrrrates, each with one eye07:39
mardyzyga-mbp: that would be even better07:39
amurrayarrrr now yerr talkin matey07:40
zyga-mbphaha07:40
mardymborzecki: have you seen a similar failure before? https://paste.ubuntu.com/p/JWJprHmsDD/ Do you think it's again a matter of adding a `sleep 1` before the last check? (https://github.com/snapcore/snapd/blob/master/tests/main/security-udev-input-subsystem/task.yaml#L82)07:41
mupPR snapd#10815 opened: fde: add HasDeviceUnlock() helper <Simple 😃> <Skip spread> <Created by mvo5> <https://github.com/snapcore/snapd/pull/10815>07:41
mborzeckire07:41
mardymborzecki: in that test, you can see that there's the AppArmor denial in the logs.07:45
mborzeckimardy: yeah, EACCESS is from apparmor lsm, iirc EPERM would be generated by device cgroup07:45
mborzeckialthough it was checking for EPERM and the test was successful so far07:46
mardymborzecki: can I change the test to MATCH for both errors, or does that defeat the point of the test?07:53
mardyor do you think that a sleep 1 can help there, since cgroups are involved?07:53
mborzeckimardy: is this the only test that failed this way?07:56
mborzeckii suspect this may be about lsm evaluation order, although looking at the kernel devcgroup is checked first always, so the device must have been still allowed, maybe the tag did not get removed?07:59
mborzeckimardy: can you reproroduce it?07:59
mardymborzecki: in this test run, it was the only failed test: https://github.com/snapcore/snapd/pull/10739/checks?check_run_id=366003695608:03
mupPR #10739: mount-control: step 2 <Needs Samuele review> <Needs security review> <Created by mardy> <https://github.com/snapcore/snapd/pull/10739>08:03
mardymborzecki: I'll try to reproduce it08:03
pstolowskimardy: thanks for the review of #10814, i'm going to iterate over it a bit though, therefore it's a draft and probably approving it is premature at this point (and it's missing tests)08:08
mupBug #10814: Parted made my partition table to overlap. <parted (Ubuntu):Fix Released by cjwatson> <https://launchpad.net/bugs/10814>08:08
mupPR #10814: [RFC] o/ifacestate: don't loose connections if snaps are broken <Created by stolowski> <https://github.com/snapcore/snapd/pull/10814>08:08
mardypstolowski: it was for encouragement :-)08:20
pstolowskimardy: LOL08:20
pstolowskimardy: appreciate it :)08:20
mupPR snapd#10705 closed: tests: add minimal smoke test for microstack <Created by mvo5> <Closed by mvo5> <https://github.com/snapcore/snapd/pull/10705>08:21
mborzeckimvo: hm exporting keys failed on LP: https://paste.ubuntu.com/p/YB5nqD3dnb/08:23
mvomborzecki: "can't connect to the agent: IPC connect call failed" - sounds like something funny is going on there08:26
mborzeckiyeah08:26
mvomborzecki: I wonder if we can run this outside of spread as have little control over the GH containers08:27
mvo(or maybe we do and just don't exercise it enough?)08:27
mardymborzecki: nope, I'm running a test in a loop, it doesn't seem to fail08:27
mborzeckimvo: this failed on LP builder, so that should be an sbuild-like environment?08:28
mardywait, I spoke too early08:28
mardymborzecki: yes, I can reproduce it; happens maybe once out of 20 tries08:32
mborzeckimardy: do you ahve a debug shell?08:33
mardylet me add a sleep, and see...08:33
mardyyes08:33
mardyit's strange that there's no apparmor denial in the logs...08:33
mvomborzecki: oh, interessting, this is inside lp :/08:34
mvomborzecki: that we control even less, maybe we need to mock more (but in meetings a lot today :/08:34
mborzeckimardy: can you cat /sys/fs/cgroup/devices/snap.test-snapd-udev-input-subsystem.plug-with-time-control/devices.list08:35
mardya "sleep 1" after connecting the time-control interface does not help08:35
mardymborzecki: https://paste.ubuntu.com/p/pbBYG4ZTBC/08:36
mborzeckimardy: hm so evdev's major number is 13, i don't see anything with that major in the list08:38
mborzeckimardy: if you run `test-snapd-udev-input-subsystem.plug-with-time-control` does it fail with permission denied?08:38
mborzeckiis there a new apparmor denial logged at that time?08:38
mardymborzecki: I need to reproduce it again :-). But I added a cat of that sys/fs file you pasted above, and while running the test its contents are just "c 249:0 rwm"08:41
mardyeven when it passes08:41
mardyand even when it fails, it's always just "c 249:0 rwm"08:43
mardynow let me check apparmor...08:43
mardyno denials08:43
mardynevermind, there are denials -- for some reason dmesg doesn't show them, but journalctl does :-o08:45
mardySep 21 08:42:39 sep210805-077008 audit[12507]: AVC apparmor="DENIED" operation="open" profile="snap.test-snapd-udev-input-subsystem.plug-with-time-control" name="/dev/input/event2" pid=12507 comm="read-evdev-kbd" requested_mask="wrc" denied_mask="wrc" fsuid=0 ouid=008:46
mborzeckimardy: maybe they are from before you stated meddling in the debug shell?08:52
mborzeckimardy: anyways, with the dump you provided, the device is not lsited in device cgroup, so EPERM is expected08:53
mardymborzecki: but it's never there, not even when the test succeeds08:58
mborzeckimardy: hm not sure what the test is checking, judging by the commnt about rtc, i suspect there's supposed to be an event device related to rtc? but i don't see anything like that on my host08:59
mardymborzecki:  this is what I'm running in a loop: https://paste.ubuntu.com/p/2D8DbRCTwR/09:00
mardymborzecki:  and the devices.list file has always "c 249:0 rwm", both when the test passes, and when it fails09:01
mardythough maybe I should look at it from inside the executed snap script, if cgroups are setup by snap-confine?09:02
mborzeckimardy: if it were to be blocked by apparmor, i would expect something like `c 13:.. rwm`09:02
mardymborzecki: nope, the denial is the one I pasted above, and it's always a fresh one09:03
mardyit's the same denial you can see in the CI logs09:03
mborzeckiquick errand, brb09:04
mardyok, meanwhile I'll try modifying the snap script, to print the cgroups from there09:04
mvomborzecki: nice, looks like 10803 is ready now09:15
mborzeckire09:33
mborzeckimvo: yeah, let's see how the tests fare and then we can land it :)09:34
mardymborzecki: found something: when the test fails, /sys/fs/cgroup/devices/snap.test-snapd-udev-input-subsystem.plug-with-time-control/cgroup.procs is empty09:51
mardyI'm checking it from within the script run in the snap, and when the test passes I see that it contains two pids; one of them is the same pid as the shells cript09:52
mardymborzecki: could this be a real bug in snap-confine?09:52
mborzeckimardy: that file will list only live processes that exist in that cgroup, so i expect it to be empty after the program terminates09:54
mborzeckimvo: can you land https://github.com/snapcore/snapd/pull/10740 ?09:56
mupPR #10740: osutil: helper for injecting run time faults in snapd  <Run nested> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/10740>09:56
mardymborzecki: but I'm printing it from within the snap script: it does contain the PIDs, when the test passes09:58
mardymborzecki: here's the current contents of the snap script: https://paste.ubuntu.com/p/h5YHKj9BVC/09:59
mborzeckimardy: ok, when you print it from the script that snap runs, and it's failing that file is empty right?10:00
mardymborzecki: yes10:00
mborzeckimardy: ok, so there are likely no devices tagged for this snap then10:01
mborzeckimardy: can you add SNAP_CONFINE_DEBUG=1 when running the app? when it fails i would expect there will be no device cgroup setup in the logs10:02
mardymborzecki: yes, that explains why the test then fails, but what is not clear to me is why there are no PIDs in the group10:02
mborzeckimardy: so the device cgroup is setup iff there are devices tagged for the snap application10:03
mardymborzecki: where should I find the logs?10:03
mardybrb, need to go to lunch10:05
mborzeckimardy: the first thing to check would be debug log of s-c (that SNAP_CONFINE_DEBUG=1 thing when you run the app), if that confirms there are no devices, the next thing to check is whether there's /etc/udev/rules.d/70-snap.test-snapd-udev-input-subsystem.plug-with-time-control, its contents, and then find out which device the app was using and see `udevadm info <dev-path>`10:05
mardymborzecki: I did a "export SNAP_CONFINE_DEBUG=1" in the terminal from where I run the snap, but it didn't seem to help in making the snap more verbose.10:22
mborzeckimardy: hm that's unexpected, where are you setting it exactly?10:28
mardymborzecki: in the spread terminal, and then I run the snap10:29
mupPR snapd#10816 opened: fde: add new DeviceUnlock() call <Run nested> <Created by mvo5> <https://github.com/snapcore/snapd/pull/10816>10:31
mupPR snapd#10817 opened: libsnap-confine: use the pid parameter <Simple 😃> <Created by mardy> <https://github.com/snapcore/snapd/pull/10817>10:41
mardymborzecki: ouch, the output was being redirected by the test script, nevermind :-D11:05
mborzeckihaha11:06
pstolowskimborzecki: hey, can you take a look at https://github.com/snapcore/snapd/pull/10795 ?11:13
mupPR #10795: o/assertstate: check installed snaps when refreshing validation set assertions <validation-sets :white_check_mark:> <Created by stolowski> <https://github.com/snapcore/snapd/pull/10795>11:13
mardycan I connect to a spread machine via SSH?11:22
mvomardy: cat .spread-* should give you details11:29
mardymvo: thanks!11:31
mardymborzecki: apart from the PID numbers, the snap-confine logs are exactly the same when the test fails and when it succeeds12:20
zyga-mbpheh12:20
zyga-mbpI can play the garden gnome12:20
zyga-mbpwhat's the problem?12:20
zyga-mbpmaybe if you explain it to me I can ask a silly question that helps?12:21
mborzeckimardy: can you post the logs/12:23
mardyzyga-mbp: this test failure: https://paste.ubuntu.com/p/JWJprHmsDD/ :-)12:26
zyga-mbplooking12:27
mardymborzecki: here it is: https://paste.ubuntu.com/p/bdtFCHQbhx/12:27
zyga-mbpwhat is /snap/test-snapd-udev-input-subsystem/x1/bin/read-evdev-kbd at line 22?12:28
mardymborzecki: is it normal that the PID that triggers the apparmor denial is the same one (4813) as snap-confine (you'll see the same pid in the logs I just pasted)?12:28
zyga-mbpwhat does it do? open?12:28
mardyzyga-mbp: something like that, I guess :-) https://github.com/snapcore/snapd/blob/master/tests/main/security-udev-input-subsystem/test-snapd-udev-input-subsystem/bin/read-evdev-kbd#L2212:29
zyga-mbpdoes it fail if that's the first and only test that is executed?12:29
zyga-mbpmborzecki are we synchronizing with system's setup of the cgroup for the scope?12:30
mardyzyga-mbp: well, I've got a debug session in the spread, and if I repeat this script in a loop (https://paste.ubuntu.com/p/2D8DbRCTwR/) it fails maybe once out of 20 times12:30
zyga-mbpha12:31
zyga-mbpis the app tracking feature on?12:31
zyga-mbpcan you run forkstat in the background12:31
zyga-mbpand run it in a loop until it fails12:31
zyga-mbpand then collect the forkstat please12:31
mupPR snapd#10818 opened: tests: test for enforcing with prerequisites <â›” Blocked> <validation-sets :white_check_mark:> <Created by stolowski> <https://github.com/snapcore/snapd/pull/10818>12:32
zyga-mbpplease remind me, permission denied is EPERM, right?12:33
mborzeckimardy: taht's not the failure case right? I see that device cgroup is set up12:33
mborzeckizyga-mbp: what do you mean about synchronizing with systemd setup?12:35
zyga-mbpmborzecki we spawn the scope via a systemd call in snap-run12:36
zyga-mbplast time I looked we didn't wait for that to finish fully12:36
zyga-mbpjust to register 12:36
zyga-mbpmaybe systemd is doing cgroup-y things that we race with?12:36
zyga-mbpI could be totally wrong, I'm not looking at how that code evolved since12:36
mborzeckizyga-mbp: nope, it's EACCESS, EPERM is operation not permitted12:37
zyga-mbpah12:37
zyga-mbphmm12:37
cmatsuokahey zyga-mbp 12:37
mardymborzecki: it is the failure case, unfortunately :-(12:37
mardymborzecki: as I wrote, the logs are the same, only difference is the pid numbers12:37
mardyzyga-mbp: that forkstat is a nice tool! Thanks! Here's the output, when the test failed: https://paste.ubuntu.com/p/CZn2Nrryn3/12:38
mborzeckizyga-mbp: we wait now12:38
zyga-mbpwait for the job to finish?12:38
mborzeckibut this is v1, so we're actually using pids for tracking12:39
mborzeckimardy: what's the content of devices.list then?12:39
zyga-mbpahh12:39
mardythe pid that triggered the apparmor failure is 1239912:39
mardymborzecki: the same as before, no 66 or 13 in there12:41
mborzeckimardy: for ther record, can you ls -l /dev/rtc* and ls -l /dev/input/event*12:41
mardymborzecki: all looks fine there: https://paste.ubuntu.com/p/h78t2y6ypW/12:45
mborzeckimardy: ok, to sum up, 249:0 was in the list which is expected, 13:* were not, which is also expected, but we still got EPERM which in theory should not happen, because we expect that apparmor (lsm) would block access and errno would be EACCESS12:48
mardymborzecki: yep. How do I build snap-confine?12:49
zyga-mbpcd cmd12:49
zyga-mbp./autogen.sh && make12:49
zyga-mbpmaybe?12:49
mardyah, no magic? :-)12:49
mborzeckiand then `make hack`, if you're on ubuntu remember to set SNAPD_REEXEC=0 when running a snap so that your local copy is picked up12:50
mardymmm... it's still not being picked up (though I can see that's correctly installed as /usr/lib/snapd/snap-confine)12:57
mardyah, it's picking up the one from /snap/core/...13:09
zyga-mbpyou have reexec 13:22
mborzeckimardy: set SNAPD_REEXEC=0 in your environment13:24
zyga-mbpmborzecki that breaks unit tests13:52
zyga-mbpI had that13:52
mardymborzecki, zyga-mbp: so, I stopped snapd.{service,socket}, added SNAPD_REEXEC=0 in my env and restarted snapd (from the terminal); still, it's using the snap-confine from the /snap/core/... path13:55
zyga-mbpsnapd is local though, right?13:56
zyga-mbpand snap-confine is not?13:56
zyga-mbpsnap-confine is actually invoked by snap-run13:56
zyga-mbpso ... which version of snap run are you getting?13:56
zyga-mbpyou probably need to put snap symlink next to snapd13:56
zyga-mbpIIRC there was some funny thing where it found where snap-run is running from13:56
zyga-mbpto find snap-confine13:56
mardyzyga-mbp: I only rebuilt snap-confine, so both snap and snapd are the unmodified ones13:57
mardybut OTOH, I didn't touch them...13:57
zyga-mbpwhere is your snap-confine?13:57
zyga-mbpmy memory of this is rusty13:58
mardyin /usr/lib/snapd/snap-confine13:58
zyga-mbpbut if you set the env var maciej mentioned13:58
zyga-mbpand copy snap-confine over13:58
zyga-mbpit should be used13:58
zyga-mbpthere are exceptions13:58
zyga-mbpbut very convoluted13:58
zyga-mbpcan you forkstat and see if snap-run calls the wrong one?13:58
zyga-mbpif so, set SNAP_DEBUG=1 to see why13:58
mardyyes it calls the wrong one13:59
zyga-mbpthe logic is in cmd/*/.go14:00
mardySNAP_DEBUG does not seem to make a difference...14:00
zyga-mbpI forgot what the sub-package name was14:00
zyga-mbp(at least last Nov, it could have moved since)14:00
mardyI'm now building a local /usr/bin/snap, let's see if that helps14:01
zyga-mbpthe stock one should have debug enabled to tell you what is wrong14:01
mardynope it doesn't, and it still executes /snap/core/11893/usr/lib/snapd/snap-confine :-(14:03
zyga-mbpdid you enable debug logs?14:03
zyga-mbpit should tell you why14:03
zyga-mbpwhat's the command like you are trying?14:04
mardycould it be SNAPD_DEBUG=1?14:04
mardythat prints something before running snap-confine, but does not seem super useful: https://paste.ubuntu.com/p/DmNv7rns5R/14:05
zyga-mbpyes14:05
zyga-mbp2021/09/21 14:04:25.830781 tool_linux.go:204: DEBUG: restarting into "/snap/core/current/usr/bin/snap"14:06
zyga-mbpok, look at the condition there14:06
zyga-mbpthat's your next clue14:06
mborzeckimardy: sorry, that's SNAP_REEXEC=014:10
mborzeckii always forget as I don't really have to deal with reexec14:11
mupPR snapd#10817 closed: libsnap-confine: use the pid parameter <Simple 😃> <Created by mardy> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/10817>14:12
mardymborzecki: aaaah, just found out the same looking at the sources :-)14:12
mardymborzecki: ok, so it ran my snap-confine, but I'm not sure where the output from system() went; I thought it'd be merged with my stdout, but my C is a bit rusty14:15
zyga-mbphahaha14:15
zyga-mbpoh my14:15
zyga-mbpnice14:15
mborzeckimaybe the files were empty?14:19
mborzeckimardy: try adding echo around that14:19
mborzeckimardy: can you paste the diff also?14:20
mardymborzecki: ah: Sep 21 14:21:40 sep211335-363145 audit[15140]: AVC apparmor="DENIED" operation="exec" profile="/usr/lib/snapd/snap-confine" name="/bin/dash" pid=15140 comm="snap-confine" requested_mask="x" denied_mask="x" fsuid=0 ouid=014:22
mborzeckimeh14:25
mborzeckiyou can tweak snap-confine's profile and add `/bin/dash ixr,`14:26
mardyadded a line for it, now it works14:26
mardymborzecki: I made it Ux :-)14:26
zyga-mbpUx provides the best UX ;014:29
zyga-mbpapparmor joke14:29
zyga-mbpamurray might approve if it wasn't midnight for him14:29
mardy:-)14:30
mardymborzecki: so, this confirms it: the devices.list is always the same, regardless of failure or success, but the procs file is empty when the test fails14:31
mardywhereas normally it has three PIDs in it14:31
zyga-mbpprocs?14:31
zyga-mbpoh14:31
zyga-mbpwell, it's racy14:31
zyga-mbpor 14:31
zyga-mbpare we reading it wrong?14:31
mardyzyga-mbp: I mean /sys/fs/cgroup/devices/snap.test-snapd-udev-input-subsystem.plug-with-time-control/cgroup.procs14:31
zyga-mbpthat file is supposed to be read with a huge buffer14:31
zyga-mbpall in one go14:31
zyga-mbpright, thanks for confirming that14:31
mardyzyga-mbp: I'm reading it from within snap-confine, with a system("cat /sys/fs...")14:32
zyga-mbp(same thing applies to mountinfo btw, I think I never changed that14:32
zyga-mbpok14:32
zyga-mbpcan you strace cat it?14:32
zyga-mbpthat file is natually racy 14:32
zyga-mbpoh 14:32
zyga-mbpwait14:32
zyga-mbpthis is devices!!!14:32
* zyga-mbp is so dumb14:32
zyga-mbpmborzecki do you see it14:32
zyga-mbpmardy do you see it? :)14:32
mardyI don't :-)14:32
zyga-mbpwhat's the path?14:33
zyga-mbpit's the snap-specific hierarchy14:33
zyga-mbpfind this process in a systemd managed one14:33
mardythe path is /sys/fs/cgroup/devices/snap.test-snapd-udev-input-subsystem.plug-with-time-control/cgroup.procs14:33
zyga-mbpwe (incorrectly) steal a process from systemd14:33
zyga-mbpcan you look at /proc/self/cgroups14:33
* zyga-mbp double-checks the name14:33
mardyzyga-mbp: from within snap-confine, or is the terminal ok?14:34
zyga-mbpsorry, singulaar14:34
zyga-mbpmardy from whitin the process executed by snap-confine14:34
zyga-mbpwe always did this part wrong14:34
zyga-mbpbut most of the time systemd didn't care14:34
zyga-mbpwe stole the process14:34
zyga-mbpwe placed it in a device hierarchy we created14:35
zyga-mbp(that's the devices/snap.* namespace)14:35
zyga-mbpbut it was already in a systemd provided cgroup perhaps14:35
zyga-mbpfrom within snap-confine, cat /proc/self/cgroup14:35
zyga-mbpI'm sure it will be interesting14:35
zyga-mbpand not what you expectr14:35
zyga-mbpmborzecki do you see what I'm getting at?14:35
=== dob1_ is now known as dob1
mborzeckizyga-mbp: hm not sure wheher systemd cares unless you actually limit devices to begin with14:36
mardyzyga-mbp: normally it says "7:devices:/snap.test-snapd-udev-input-subsystem.plug-with-time-control", now let's wait for it to fail...14:37
zyga-mbpmborzecki no that's not the point14:37
zyga-mbpwe got stolen back14:37
zyga-mbpif there are no processe14:37
zyga-mbpwhere are they?14:37
zyga-mbpall processes inhabit all cgroups14:37
zyga-mbponly the hierarchy changes14:37
mardyzyga-mbp: YES!!!14:37
mardyit's 7:devices:/user.slice/user-0.slice/user@0.service on failure14:37
mardyzyga-mbp: so, the solution is to run a kill(1, 9) before setting up the cgroups? ;-)14:38
mborzeckiheh14:39
mardyzyga-mbp: do you mean that sometimes we are not writing the PIDS into cgroup.procs quickly enough, and systemd takes it over?14:39
zyga-mbpwell14:40
zyga-mbpI mean we never cared up until this point14:40
zyga-mbpbecause systemd was not doing anything 14:40
zyga-mbpbut well14:40
zyga-mbpapparently snap-confine needs to wait somewhere14:40
zyga-mbpdo I get a beer? :)14:40
mardyzyga-mbp: this is more like grappa14:41
mborzeckimardy: what system is this?14:42
mardymborzecki: xenial14:42
mardyI guess I need to do some reading of how systemd treats cgroups, to fully understand the problem14:43
zyga-mbpmardy it changes over time14:43
zyga-mbp(as in over systemd versions)14:43
mardyzyga-mbp: but are you sure that the problem is that we don't wait enough? my gut feeling is that we have too big of a time window between the time when we create the cgroup and when we assign the PIDs to it. But as I said, I might be completely off14:44
mborzeckihmmm why on earth the user scope is in device cgroup?14:44
zyga-mbpmardy it's a command running in a user session14:44
zyga-mbpso it gets shoved there by systemd14:44
zyga-mbpmaybe it's some other bug as well, I'm surprised this is on xenial14:44
zyga-mbpwhich is ancient by now14:45
zyga-mbpare we backporting systemd?14:45
mborzeckiyeah, as i wrote, systemd does not move it unless there's a deviceallow/deny set for the unit14:45
mardyI just happened to see this happening in xenial, maybe it happens on newer systems too -- I haven't tested14:45
mborzeckiunless, something else went bad14:45
zyga-mbpmborzecki not quite14:45
zyga-mbpthe scope is different14:45
zyga-mbpmardy does this fail with the app tracking feature off?14:45
zyga-mbpsystemd creates a full scope and moves the process fully into it14:46
zyga-mbpperhaps that's what is going on14:46
mardyzyga-mbp: how do I disable that?14:46
zyga-mbpshow me your snap set system experimental14:46
zyga-mbpI forgot the feature flag name14:46
zyga-mbprefresh-app-awarneness?14:46
zyga-mbp(I meant snap get, not set)14:47
mardyerror: snap "core" has no "experimental" configuration option14:47
zyga-mbpsnap set system experimental.refresh-app-awareness=false14:48
zyga-mbpI hope I remember the syntax right14:48
mardyyep, it's correct14:48
mardylet me try the test again14:49
mupPR snapd#10769 closed: tests: update test nested tool part 2 <Run nested> <Created by sergiocazzolato> <Merged by sergiocazzolato> <https://github.com/snapcore/snapd/pull/10769>14:52
mardyzyga-mbp: yes, it fails too14:54
* mvo switches network14:58
mborzeckimvo: can you land https://github.com/snapcore/snapd/pull/10740 ?15:03
mupPR #10740: osutil: helper for injecting run time faults in snapd  <Run nested> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/10740>15:03
mborzeckimvo: and this one too: https://github.com/snapcore/snapd/pull/1080315:04
mupPR #10803: tests, interfaces/builtin: introduce 21.10 cgroupv2 variant, tweak tests for cgroupv2, update builtin interfaces <cgroupv2> <cgroupv2-impish> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/10803>15:04
mardyneed to leave now, I'll continue tomorrow morning :-)15:05
mardymborzecki, zyga-mbp: thank you guys, without your help it would have taken me at least twice the time!15:06
mborzeckidebugging is the fastest way to learn things :P15:08
dbungertabout proposed migration.  snapd, squashfs-tools, and some kernels.  There is a fix in flight - https://github.com/snapcore/snapd/pull/10757 - do we anticipate that this will be available for autopkgtest sometime soon or should we do something else for squashfs-tools and the kernels?15:09
mupPR #10757: build-aux: stage libgcc1 library into snapd snap <âš  Critical> <cherry-picked> <Created by mwhudson> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/10757>15:09
ijohnson[m]dbungert: what is your question? Sorry I don't understand what you are asking about15:41
dbungertijohnson[m]: I'm trying to see if I can help squashfs-tools and a few kernels migrate.  They are currently not migrating due to snapd autopkgtest failures which are resolved by adding libgcc to snapd.15:43
ijohnson[m]dbungert: where does the autopkgtest tests get snapd from ? that fix you mentioned is for the snapd snap, do autopkgtests use the snapd snap ?15:44
dbungertijohnson[m]: they do, actually.  check out the end of this log  https://autopkgtest.ubuntu.com/results/autopkgtest-impish/impish/arm64/s/snapd/20210914_092631_abbf2@/log.gz15:44
dbungertI built for myself a custom snapd deb that forced that test to grab the snapd snap from the edge channel, and then that test passes.15:45
ijohnson[m]dbungert: ok, so if they are using the snapd snap, then the fix you mentioned was cherry-picked to the release/2.52 branch of snapd, but unfortunately after we already started releasing 2.52 which is now in beta. So that fix will not make it into the stable channel of the snapd snap until we do a 2.52.1 release, which I don't think we have planned yet since we haven't even finished getting 2.52 out, but we could push it through if it is15:46
ijohnson[m]important, but it would take at least 2 weeks after we do the 2.52.1 release before it is on stable15:46
ijohnson[m]dbungert: see https://forum.snapcraft.io/t/snapd-release-process/26628 for more details15:47
ijohnson[m]mvo: did you notice that the snapd snap went up by 10MB from 2.52 -> everything after 2.52 ? 15:49
ijohnson[m]  latest/beta:      2.52                 2021-09-04 (13270) 33MB -15:49
ijohnson[m]  latest/edge:      2.52+git881.gf3cd286 2021-09-21 (13460) 43MB -15:49
ijohnson[m]I wonder when that changed15:49
ograadded stage packages ? 15:51
ogra(and their deps)15:51
ijohnson[m]10 MB of stage packages ?15:51
ograwell 🙂15:52
dbungertijohnson[m]: to judge if libgcc should be pushed thru: are there cases where snapd would expect to be able to create a squashfs, or is that just a test scenario?  If so, today it's reliant on getting libgcc from the host system, which happens to have worked well until recently.15:53
ijohnson[m]huh it seems like the discrepency is just between the build that runs for edge/master and the builds that run for release/<version>, the builds on edge/master are 10MB larger since at least a few months ago15:53
ijohnson[m]dbungert: well the main use case for creating squashfs' from snapd are really just for the `snap pack` command, otherwise snapd doesn't create squashfs's, it just hands squashfs's to systemd to be mounted15:55
ijohnson[m]dbungert: so this only affects impish or does it affect other releases as well ? I haven't seen or heard of anyone complaining about issues with `snap pack` except from you and mwhudson 15:55
ijohnson[m]and actually I don't even really know if the failures y'all are seeing are about `snap pack` or something else15:56
dbungerttip of the iceberg I think.  I expect that any distribution that picks up new glibc would see the same problem.15:56
ijohnson[m]hmm, I would imagine arch linux would pick it up too then, and we haven't had any such reports15:56
dbungertperhaps there is part of this I don't quite understand then15:56
ijohnson[m]yeah but that autopkg test failure you linked above is indeed about `snap pack`15:57
dbungertthanks for the info.  On the topic of 2.52, the roadmap linked from above just says TBD, is there even coarse projections on availability of 2.52?  cc ijohnson[m] 16:15
ijohnson[m]dbungert: for 2.52 itself that is expected within the next week, but we don't have any estimate at this time for 2.52.1, the libgcc_s issue you have mentioned would be the first such critical thing that we would consider doing a 2.52.1 for16:20
dbungertijohnson[m]: cool.  I'm going to look at hinting things to allow squashfs-tools and kernels thru in the meantime.16:21
mupPR snapd#10819 opened: interfaces/builtin/opengl.go: add libOpenGL.so* too <Simple 😃> <Needs security review> <Created by anonymouse64> <https://github.com/snapcore/snapd/pull/10819>16:22
mupPR snapd#10820 opened: devicestate: use EncryptionType <Run nested> <Created by mvo5> <https://github.com/snapcore/snapd/pull/10820>16:58
mupPR snapd#10740 closed: osutil: helper for injecting run time faults in snapd  <Run nested> <Created by bboozzoo> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/10740>18:08
mupPR snapd#10821 opened: interfaces/raw_usb: add write access required to support USB/IP <Created by jocado> <https://github.com/snapcore/snapd/pull/10821>18:08
mupPR snapd#10795 closed: o/assertstate: check installed snaps when refreshing validation set assertions <validation-sets :white_check_mark:> <Created by stolowski> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/10795>18:13
mupPR snapd#10780 closed: tests: manually umount devices during reset to prevent invariant error <Simple 😃> <Created by sergiocazzolato> <Closed by sergiocazzolato> <https://github.com/snapcore/snapd/pull/10780>18:53

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!