mborzecki | morning | 06:47 |
---|---|---|
mardy | mborzecki: hi! I think I need your help :-) | 06:59 |
mborzecki | mardy: hey, what's up? | 06:59 |
mardy | I have made these changes to snap-confine: https://github.com/snapcore/snapd/pull/11367 | 06:59 |
mup | PR #11367: snap-confine: ground work for homedirs support <⛔ Blocked> <Created by mardy> <https://github.com/snapcore/snapd/pull/11367> | 06:59 |
mardy | many tests already work, some others don't | 07:00 |
mardy | I see this error message: cannot update snap namespace: cannot recover from trespassing over / | 07:00 |
mardy | I added some more debug now, and here's what I see: https://paste.ubuntu.com/p/DVSvY8NG5s/ | 07:01 |
mardy | (this is when running google:ubuntu-20.04-64:tests/main/docker-smoke) | 07:01 |
mborzecki | mardy: hm this must be from snap-update-ns | 07:02 |
mardy | mborzecki: yes, and the problem is that I don't know what it does, and whether it's trying to do the right thing | 07:03 |
mborzecki | hahaha, let me look at the code, maybe i can remember | 07:03 |
mardy | like, should /etc/docker be restricted? | 07:04 |
mborzecki | mardy: iirc the problem was that without those checks we could have modified directories on the host by accident | 07:04 |
mborzecki | eg. /etc/ which is mounted from the host and isn't ro | 07:04 |
mardy | mborzecki: ok, then it looks like that /etc/docker should be restricted indeed | 07:06 |
mardy | but then why is the test failing? | 07:07 |
mardy | I guess I can try to run this test on the master branch, with some extra debugging, and compare the logs | 07:08 |
mborzecki | mardy: is there a specific layout that docker snap.yaml has? | 07:08 |
* mardy checks | 07:08 | |
mardy | mborzecki: yes, there's a bind on /etc/docker: https://github.com/docker-snap/docker-snap/blob/main/snap/snapcraft.yaml#L38-L46 | 07:10 |
mardy | could it be that my changes on snap-confine broke something and made the bind impossible to setup? Would that explain the error I'm seeing? | 07:10 |
mborzecki | mardy: hm maybe, in theory snap-update-ns should either create tmpfs on /etc within the snap ns, then bind mount everything there, or if /etc/docker exists in /etc/ already it would use that | 07:11 |
mborzecki | is it happy if you create /etc/docker on the host? | 07:11 |
mborzecki | mardy: it's clearly creating a writable mock on /etc; https://pastebin.ubuntu.com/p/rjnK94bJYy/ | 07:14 |
mardy | mborzecki: yes, it's happy, then. It still fails, but on another file (/etc/gitconfig): https://paste.ubuntu.com/p/qrjGx2rjwF/ | 07:15 |
mborzecki | mardy: maybe it's confused as there's tmpfs on / no too | 07:15 |
mborzecki | s/no/now/ | 07:15 |
mardy | mborzecki: ah, thanks, your logs give me some hints: "change.go:124: DEBUG: need to create writable mimic needed to create path "/etc/docker" (original error: cannot write to "/etc/docker" because it would affect the host in "/etc")" | 07:17 |
mardy | mborzecki: so, it expects an error like "cannot write to "/etc/docker" because it would affect the host in "/etc"", whereas with my changes it gets another error | 07:18 |
mborzecki | mardy: yeah, that's what should happen, but i wonder why it doesn't, looking at the code | 07:18 |
mborzecki | aa | 07:18 |
mborzecki | ok | 07:18 |
mborzecki | that explains it then | 07:18 |
mardy | mborzecki: thanks a lot, you made my day :-) | 07:19 |
mborzecki | mardy: hm actually the logs suggest that it returns TrespassingError | 07:21 |
mardy | mborzecki: yes, trespassing error is returned in https://github.com/snapcore/snapd/blob/master/cmd/snap-update-ns/trespassing.go#L229, whereas with my changes it returns on line 222. | 07:26 |
mborzecki | mardy: ah ok, so it already called createPath() which then calls itself again and fails with the error from 222 | 07:28 |
mardy | mborzecki: thanks, then I'll add some debugging in there | 07:35 |
pstolowski | morning | 08:03 |
mborzecki | pstolowski: hey | 08:06 |
mup | PR snapd#11362 closed: libsnap-confine-private: string functions simplification <Simple 😃> <Created by mardy> <Merged by mardy> <https://github.com/snapcore/snapd/pull/11362> | 08:12 |
mardy | hi pstolowski, mvo | 08:48 |
mvo | good morning mardy pstolowski | 08:48 |
mborzecki | mardy: can you take a look at https://github.com/snapcore/snapd/pull/11372 ? | 09:04 |
mup | PR #11372: interfaces/systemd: use batch systemd operations <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/11372> | 09:04 |
mardy | mborzecki: I see that the AppArmor profile for snap-confine has "/run/snapd/ns/snap.*.fstab w,", but I don't see where snap-confine is writing that file | 09:36 |
mup | PR snapd#11375 opened: interfaces: add private /dev/shm support to shared-memory interface <Created by jhenstridge> <https://github.com/snapcore/snapd/pull/11375> | 10:42 |
mup | PR snapd#11376 opened: tests: skip ~/.snap migration test on openSUSE <Simple 😃> <Flaky Test> <Created by MiguelPires> <https://github.com/snapcore/snapd/pull/11376> | 11:07 |
miguelpires | mvo: can you merge https://github.com/snapcore/snapd/pull/11337 please? failures are unrelated | 11:14 |
mup | PR #11337: many: fix leftover empty snap dirs <Simple 😃> <Created by MiguelPires> <https://github.com/snapcore/snapd/pull/11337> | 11:14 |
mardy | mborzecki: I noticed a build failure on arch, is it something that you are already aware of? https://github.com/snapcore/snapd/runs/5154941656?check_suite_focus=true | 11:15 |
mborzecki | mardy: yes, there's some inconsistency at the mirrors i think | 11:17 |
mborzecki | mardy: https://bugs.archlinux.org/task/73737 the joys of arch being a niche distro | 11:19 |
mborzecki | so even worse, than what i suspected | 11:20 |
mvo | miguelpires: sure | 11:25 |
miguelpires | thank you | 11:25 |
mup | PR snapd#11337 closed: many: fix leftover empty snap dirs <Simple 😃> <Created by MiguelPires> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/11337> | 11:27 |
arsenique | zaga I have a question regarding the "\040(deleted)" issue that you've filed and discussed here upon my first visit of the channel. | 12:18 |
arsenique | zyga sorry for the typo. | 12:19 |
arsenique | zyga I have a question regarding the "\040(deleted)" issue that you've filed and discussed here upon my first visit of the channel. | 12:19 |
arsenique | zyga when I reproduced the failure instead of getting suffix "\40(deleted)" or " (deleted)", I've got "//deleted" | 12:27 |
mup | PR snapd#11377 opened: asserts: add preseed assertion type <Needs Samuele review> <Created by stolowski> <https://github.com/snapcore/snapd/pull/11377> | 12:27 |
mup | PR snapcraft#3636 closed: parts: integrate craft-parts (CRAFT-765) <Created by cmatsuoka> <Merged by cmatsuoka> <https://github.com/snapcore/snapcraft/pull/3636> | 12:29 |
zyga[m] | Interesting | 12:32 |
zyga[m] | I'm not following the kernel mount subsystem | 12:32 |
zyga[m] | I would go and check the patches on that part of the kernel | 12:33 |
zyga[m] | Perhaps there is a new unified syntax for this? | 12:33 |
zyga[m] | Do you know where to look? | 12:33 |
arsenique | zyga No, unfortunately no. | 13:01 |
mup | PR snapd#11379 opened: tests: smoke test support for core22 <Created by Meulengracht> <https://github.com/snapcore/snapd/pull/11379> | 13:48 |
mup | PR snapd#11338 closed: asserts,cmd/snap-repair: support delegation when validating signatures <authority-delegation> <Created by pedronis> <Merged by pedronis> <https://github.com/snapcore/snapd/pull/11338> | 14:18 |
mup | PR snapd#11380 opened: asserts: first-class support for formatting/encoding signatory-id <authority-delegation> <Created by pedronis> <https://github.com/snapcore/snapd/pull/11380> | 14:28 |
mup | PR snapd#11381 opened: asserts: fetching code should fetch authority-delegation assertions with signing keys as needed <authority-delegation> <Created by pedronis> <https://github.com/snapcore/snapd/pull/11381> | 14:33 |
mup | PR snapcraft#3637 opened: meta: generate basic snap.yaml (CRAFT-801) <Created by cmatsuoka> <https://github.com/snapcore/snapcraft/pull/3637> | 14:54 |
mup | PR snapd#11382 opened: asserts: remove unused function, fix for linter <⚠ Critical> <Test Robustness> <Created by pedronis> <https://github.com/snapcore/snapd/pull/11382> | 15:28 |
mup | PR snapd#11383 opened: o/snapstate: migrate on core22 refresh and init ~/Snap <Created by MiguelPires> <https://github.com/snapcore/snapd/pull/11383> | 16:43 |
mup | PR snapd#11354 closed: gadget: identify/match encryption parts, include in traits info <Simple 😃> <Created by anonymouse64> <Merged by anonymouse64> <https://github.com/snapcore/snapd/pull/11354> | 17:34 |
mup | PR snapd#11384 opened: gadget: refactor StructureEncryption to have a concrete type instead of map <Simple 😃> <Created by anonymouse64> <https://github.com/snapcore/snapd/pull/11384> | 17:39 |
mup | PR snapcraft#3637 closed: meta: generate basic snap.yaml (CRAFT-801) <Created by cmatsuoka> <Merged by sergiusens> <https://github.com/snapcore/snapcraft/pull/3637> | 18:14 |
mup | PR snapcraft#3638 opened: Colcon v2: forward cmake args <Created by artivis> <https://github.com/snapcore/snapcraft/pull/3638> | 18:29 |
zyga[m] | arsenique: I'll show you next week, ok | 18:35 |
mup | PR snapcraft#3639 opened: commands: add pack command and set it as default (CRAFT-762) <Created by cmatsuoka> <https://github.com/snapcore/snapcraft/pull/3639> | 21:30 |