=== not_phunyguy is now known as phunyguy
[07:29] morning
[08:51] mborzecki: hi!
[08:52] mardy: hey
[10:09] PR snapd#11444 opened: cmd: misc analyzer fixes
[10:09] mardy: something simple ^^
[10:24] PR snapd#11445 opened: asserts: start supporting optional primary keys in fs backend, assemble and signing
[10:24] PR snapd#11446 opened: asserts: extend optional primary keys support to the in-memory backend
[10:24] bboozzoo: approved
[10:24] thx
[10:34] PR snapd#11430 closed: cmd/snap-mgmt, packaging: trigger daemon reload after purging unit files
[10:34] PR snapd#11438 closed: tests: add test to ensure consecutive refreshes do garbage colleciton of old revs
[10:34] PR snapd#11442 closed: o/snapstate: deal with potentially invalid type of refresh.retain value due to lax validation
[11:09] PR snapd#11447 opened: tests: get lxd snap from candidate channel
[12:17] amurray: this broke my container image (diddledan/snapcraft) c6011693a816f7f8a5b0c7858ddce91c6ef1a352
[12:17] https://github.com/snapcore/snapd/commit/c6011693a816f7f8a5b0c7858ddce91c6ef1a352
[12:18] fails with: `aa_is_enabled() failed unexpectedly (No such file or directory): No such file or directory`
[12:19] this is my snapcraft container image https://github.com/diddlesnaps/snapcraft-container
[12:37] diddledani: what is aa_is_enabled returning in your container?
[12:38] do you mean the C function or the executable `aa-enabled`?
for the latter it shows `Maybe - policy interface not available.`
[12:39] for the C function, presumably it's returning ENOENT considering the error message from snap-confine
[12:40] ENOENT used to be explicitly handled, now it's a fallthrough to DIEDIEDIE https://github.com/snapcore/snapd/commit/c6011693a816f7f8a5b0c7858ddce91c6ef1a352#diff-850ad7658ba4087a28a764d6a46b74640a2fd43be09f246dabea20dd0f2a16daL56-L59
[12:44] hmm that commit was needed to resolve a CVE so we can't just revert that commit
[12:54] diddledani: is securityfs mounted inside the container?
[12:54] I don't believe it is.. it's not in /proc/mounts
[12:55] argh, sorry I gotta run - will check scrollback in the morning - otherwise perhaps we can just add back the ENOENT bit... I recall I thought I had a good reason for making that DIEDIEDIE but I can't recall why off the top of my head...
[12:55] is there a systemd unit that I need to enable to handle that?
[12:56] yeah, if there's a CVE then obviously I don't want you to potentially reintroduce it
[12:56] s/it/a vuln/
[12:56] diddledani is apparmor enabled in the kernel?
[12:56] yes, this is on an Ubuntu Host so apparmor is working on the host os
[12:57] Hmm
[12:57] Is this in a docker container
[12:57] yup
[12:57] Is it a privileged docker container
[12:58] this is how I've launched it and how I recommend others launch it:
[12:58] https://www.irccloud.com/pastebin/5zbD4Yjz/
[13:19] PR snapd#11448 opened: Pr11282+fallback
[13:34] PR snapcraft#3655 closed: meta: support application fields (CRAFT-814)
[14:00] PR snapd#11449 opened: cmd: set core22 migration related env vars and update spread test
[15:29] PR snapcraft#3654 closed: projects: add grammar validation