[06:47] <mborzecki> morning
[06:59] <mardy> mborzecki: hi! I think I need your help :-)
[06:59] <mborzecki> mardy: hey, what's up?
[06:59] <mardy> I have made these changes to snap-confine: https://github.com/snapcore/snapd/pull/11367
[06:59] <mup> PR #11367: snap-confine: ground work for homedirs support <⛔ Blocked> <Created by mardy> <https://github.com/snapcore/snapd/pull/11367>
[07:00] <mardy> many tests already work, some others don't
[07:00] <mardy> I see this error message: cannot update snap namespace: cannot recover from trespassing over /
[07:01] <mardy> I added some more debug now, and here's what I see: https://paste.ubuntu.com/p/DVSvY8NG5s/
[07:01] <mardy> (this is when running google:ubuntu-20.04-64:tests/main/docker-smoke)
[07:02] <mborzecki> mardy: hm this must be from snap-update-ns
[07:03] <mardy> mborzecki: yes, and the problem is that I don't know what it does, and whether it's trying to do the right thing
[07:03] <mborzecki> hahaha, let me look at the code, maybe i can remember
[07:04] <mardy> like, should /etc/docker be restricted?
[07:04] <mborzecki> mardy: iirc the problem was that without those checks we could have modified directories on the host by accident
[07:04] <mborzecki> eg. /etc/ which is mounted from the host and isn't ro
[07:06] <mardy> mborzecki: ok, then it looks like that /etc/docker should be restricted indeed
[07:07] <mardy> but then why is the test failing?
[07:08] <mardy> I guess I can try to run this test on the master branch, with some extra debugging, and compare the logs
[07:08] <mborzecki> mardy: is there a specific layout that docker snap.yaml has?
[07:08]  * mardy checks
[07:10] <mardy> mborzecki: yes, there's a bind on /etc/docker: https://github.com/docker-snap/docker-snap/blob/main/snap/snapcraft.yaml#L38-L46
[07:10] <mardy> could it be that my changes on snap-confine broke something and made the bind impossible to set up? Would that explain the error I'm seeing?
[07:11] <mborzecki> mardy: hm maybe, in theory snap-update-ns should either create tmpfs on /etc within the snap ns, then bind mount everything there, or if /etc/docker exists in /etc/ already it would use that
[07:11] <mborzecki> is it happy if you create /etc/docker on the host?
[07:14] <mborzecki> mardy: it's clearly creating a writable mock on /etc; https://pastebin.ubuntu.com/p/rjnK94bJYy/
[07:15] <mardy> mborzecki: yes, it's happy, then. It still fails, but on another file (/etc/gitconfig): https://paste.ubuntu.com/p/qrjGx2rjwF/
[07:15] <mborzecki> mardy: maybe it's confused as there's tmpfs on / no too
[07:15] <mborzecki> s/no/now/
[07:17] <mardy> mborzecki: ah, thanks, your logs give me some hints: "change.go:124: DEBUG: need to create writable mimic needed to create path "/etc/docker" (original error: cannot write to "/etc/docker" because it would affect the host in "/etc")"
[07:18] <mardy> mborzecki: so, it expects an error like "cannot write to "/etc/docker" because it would affect the host in "/etc"", whereas with my changes it gets another error
[07:18] <mborzecki> mardy: yeah, that's what should happen, but i wonder why it doesn't, looking at the code
[07:18] <mborzecki> aa
[07:18] <mborzecki> ok
[07:18] <mborzecki> that explains it then
[07:19] <mardy> mborzecki: thanks a lot, you made my day :-)
[07:21] <mborzecki> mardy: hm actually the logs suggest that it returns TrespassingError
[07:26] <mardy> mborzecki: yes, trespassing error is returned in https://github.com/snapcore/snapd/blob/master/cmd/snap-update-ns/trespassing.go#L229, whereas with my changes it returns on line 222.
[07:28] <mborzecki> mardy: ah ok, so it already called createPath() which then calls itself again and fails with the error from 222
[07:35] <mardy> mborzecki: thanks, then I'll add some debugging in there
[08:03] <pstolowski> morning
[08:06] <mborzecki> pstolowski: hey
[08:12] <mup> PR snapd#11362 closed: libsnap-confine-private: string functions simplification <Simple 😃> <Created by mardy> <Merged by mardy> <https://github.com/snapcore/snapd/pull/11362>
[08:48] <mardy> hi pstolowski, mvo
[08:48] <mvo> good morning mardy pstolowski 
[09:04] <mborzecki> mardy: can you take a look at https://github.com/snapcore/snapd/pull/11372 ?
[09:04] <mup> PR #11372: interfaces/systemd: use batch systemd operations <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/11372>
[09:36] <mardy> mborzecki: I see that the AppArmor profile for snap-confine has "/run/snapd/ns/snap.*.fstab w,", but I don't see where snap-confine is writing that file
[10:42] <mup> PR snapd#11375 opened: interfaces: add private /dev/shm support to shared-memory interface <Created by jhenstridge> <https://github.com/snapcore/snapd/pull/11375>
[11:07] <mup> PR snapd#11376 opened: tests: skip ~/.snap migration test on openSUSE <Simple 😃> <Flaky Test> <Created by MiguelPires> <https://github.com/snapcore/snapd/pull/11376>
[11:14] <miguelpires> mvo: can you merge https://github.com/snapcore/snapd/pull/11337 please? failures are unrelated
[11:14] <mup> PR #11337: many: fix leftover empty snap dirs <Simple 😃> <Created by MiguelPires> <https://github.com/snapcore/snapd/pull/11337>
[11:15] <mardy> mborzecki: I noticed a build failure on arch, is it something that you are already aware of? https://github.com/snapcore/snapd/runs/5154941656?check_suite_focus=true
[11:17] <mborzecki> mardy: yes, there's some inconsistency at the mirrors i think
[11:19] <mborzecki> mardy: https://bugs.archlinux.org/task/73737 the joys of arch being a niche distro
[11:20] <mborzecki> so even worse, than what i suspected
[11:25] <mvo> miguelpires: sure
[11:25] <miguelpires> thank you
[11:27] <mup> PR snapd#11337 closed: many: fix leftover empty snap dirs <Simple 😃> <Created by MiguelPires> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/11337>
[12:18] <arsenique> zaga I have a question regarding the "\040(deleted)" issue that you've filed and discussed here upon my first visit of the channel.
[12:19] <arsenique> zyga sorry for the typo.
[12:19] <arsenique> zyga I have a question regarding the "\040(deleted)" issue that you've filed and discussed here upon my first visit of the channel.
[12:27] <arsenique> zyga when I reproduced the failure instead of getting suffix "\40(deleted)" or " (deleted)", I've got "//deleted"
[12:27] <mup> PR snapd#11377 opened: asserts: add preseed assertion type <Needs Samuele review> <Created by stolowski> <https://github.com/snapcore/snapd/pull/11377>
[12:29] <mup> PR snapcraft#3636 closed: parts: integrate craft-parts (CRAFT-765) <Created by cmatsuoka> <Merged by cmatsuoka> <https://github.com/snapcore/snapcraft/pull/3636>
[12:32] <zyga[m]> Interesting 
[12:32] <zyga[m]> I'm not following the kernel mount subsystem 
[12:33] <zyga[m]> I would go and check the patches on that part of the kernel
[12:33] <zyga[m]> Perhaps there is a new unified syntax for this?
[12:33] <zyga[m]> Do you know where to look?
[13:01] <arsenique> zyga No, unfortunately no.
[13:48] <mup> PR snapd#11379 opened: tests: smoke test support for core22 <Created by Meulengracht> <https://github.com/snapcore/snapd/pull/11379>
[14:18] <mup> PR snapd#11338 closed: asserts,cmd/snap-repair: support delegation when validating signatures <authority-delegation> <Created by pedronis> <Merged by pedronis> <https://github.com/snapcore/snapd/pull/11338>
[14:28] <mup> PR snapd#11380 opened: asserts: first-class support for formatting/encoding signatory-id <authority-delegation> <Created by pedronis> <https://github.com/snapcore/snapd/pull/11380>
[14:33] <mup> PR snapd#11381 opened: asserts: fetching code should fetch authority-delegation assertions with signing keys as needed <authority-delegation> <Created by pedronis> <https://github.com/snapcore/snapd/pull/11381>
[14:54] <mup> PR snapcraft#3637 opened: meta: generate basic snap.yaml (CRAFT-801) <Created by cmatsuoka> <https://github.com/snapcore/snapcraft/pull/3637>
[15:28] <mup> PR snapd#11382 opened: asserts: remove unused function, fix for linter <⚠ Critical> <Test Robustness> <Created by pedronis> <https://github.com/snapcore/snapd/pull/11382>
[16:43] <mup> PR snapd#11383 opened: o/snapstate: migrate on core22 refresh and init ~/Snap <Created by MiguelPires> <https://github.com/snapcore/snapd/pull/11383>
[17:34] <mup> PR snapd#11354 closed: gadget: identify/match encryption parts, include in traits info <Simple 😃> <Created by anonymouse64> <Merged by anonymouse64> <https://github.com/snapcore/snapd/pull/11354>
[17:39] <mup> PR snapd#11384 opened: gadget: refactor StructureEncryption to have a concrete type instead of map <Simple 😃> <Created by anonymouse64> <https://github.com/snapcore/snapd/pull/11384>
[18:14] <mup> PR snapcraft#3637 closed: meta: generate basic snap.yaml (CRAFT-801) <Created by cmatsuoka> <Merged by sergiusens> <https://github.com/snapcore/snapcraft/pull/3637>
[18:29] <mup> PR snapcraft#3638 opened: Colcon v2: forward cmake args <Created by artivis> <https://github.com/snapcore/snapcraft/pull/3638>
[18:35] <zyga[m]> arsenique: I'll show you next week, ok
[21:30] <mup> PR snapcraft#3639 opened: commands: add pack command and set it as default (CRAFT-762) <Created by cmatsuoka> <https://github.com/snapcore/snapcraft/pull/3639>