mup | PR snapd#11652 closed: tests: update snapd testing tools <Created by sergiocazzolato> <Merged by sergiocazzolato> <https://github.com/snapcore/snapd/pull/11652> | 01:57 |
---|---|---|
mborzecki | morning | 06:08 |
mardy | mborzecki: hi! Historical question: has there ever been a time when snap-confine was running under some other user than root (I mean, before we started using sc_set_effective_identity())? | 06:32 |
mardy | I'm asking because we are *sometimes* calling chown() on newly created directories, which seems weird | 06:34 |
mardy | like for example you did here: 73e89cf8cae423bca52df128e2f8d3508068f55c | 06:35 |
mardy | wasn't snap-confine running as root back then? | 06:35 |
mborzecki | mardy: iirc that was done as part of suse review, the problem was that all of s-c would run as root as it's a setuid binary, so they requested to limit as-root operations only to what is really necessary | 06:38 |
mborzecki | hence the code flips between uid/gid a number of times | 06:39 |
mardy | mborzecki: yes, that makes sense. I'm just wondering why we added chown after mkdir, if the mkdirs already are done as the root user | 06:48 |
mborzecki | mardy: whcih place? | 06:48 |
mardy | mborzecki: I'm working on a branch with some cleanups, and one of them would be this: https://github.com/mardy/snapd/commit/b1b668b065790b1d741add95c476300c3894fecb | 06:50 |
mborzecki | mardy: the directory could have eisted before, potentially with the wrong permissions | 06:50 |
mardy | mborzecki: but if you have a look at the commit I mentioned before (73e89cf8cae423bca52df128e2f8d3508068f55c), you'll see that some of those chowns were added by you | 06:50 |
mardy | mborzecki: but the code there calls chmod only if the directory did not exist :-) | 06:51 |
mborzecki | mardy: ah right, heh, should have been `res != 0` | 06:52 |
mborzecki | mardy: possible that this part was running under the real uid at some point | 06:53 |
mborzecki | hm but then mkdirs would fail i think | 06:54 |
mborzecki | mardy: so maybe a bug after all | 06:54 |
mardy | mborzecki: but the comment there explicitly says that the chown needs to be done only if we created the dirs, so the "==" is consistent with that | 06:56 |
mardy | I saw a comment (or maybe it was a commit message) that stated that we rely on packaging doing the right thing. I think that the current assumption is correct, and that the chown is not needed | 06:57 |
mborzecki | mardy: ok, i see now, take a look at commit 82c8083d64b9af5d35d7b7cfb11d6faeb800e375 | 07:00 |
mborzecki | mardy: now we're flipping both uid and gid, but before we only changed uid, hence mkdir would give ou a directory owned by `0:<user's-gid>` | 07:01 |
pstolowski | morning | 07:03 |
mardy | mborzecki: oh, that's interesting (and so cool when the git history is so explicative!), thanks! | 07:05 |
mardy | pstolowski: hi! | 07:05 |
mup | PR snapd#11786 opened: Mount support cleanups <Created by mardy> <https://github.com/snapcore/snapd/pull/11786> | 07:39 |
mborzecki | mardy: so there are going to be some wsl2 specific files under /var/lib/snapd/lib/ | 07:54 |
mborzecki | ? | 07:54 |
diddledani | Mardy, is that a response to my pr yesterday, or has someone else been working on wsl2, also? | 08:06 |
diddledani | mborzecki: if the is a response to my wsl2 pr then maybe we will get wsl libs in that dir. I've marked my pr as draft to get feedback for now: https://github.com/snapcore/snapd/pull/11785 | 08:07 |
mup | PR #11785: RFC: WSL2 GPU support in strict confinement <Created by diddledani> <https://github.com/snapcore/snapd/pull/11785> | 08:07 |
diddledani | Mardy once your pr merges I'll reabse and make changes to my code to match the same usage of the sc_nonfatal_mkdir etv | 08:11 |
mup | PR snapd#11787 opened: portal-info: Add CommonID Field <Created by 3v1n0> <https://github.com/snapcore/snapd/pull/11787> | 08:19 |
mardy | diddledani: AFAIK no one else is working on WSL2, I just created my PR after seeing yours | 08:25 |
diddledani | mardy: I'd like to see the sc_mkdir_and_mount_and_bind function(s) abstracted out to a shared helper location with the nvidia specifics removed (ie. call to `sc_nv_version();` and `sc_probe_nvidia_driver(&version);` bits done in the nvidia files with the mount and bind method simply mounting and binding rather than checking nvidia versions and stsuff | 08:26 |
mardy | diddledani: that would make sense, but we can work on it later | 09:05 |
mup | PR snapd#11788 opened: secboot/keymgr: extend unit tests, add helper for identify keyslot used error <Simple 😃> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/11788> | 09:19 |
svip | mardy: I think I know what the problem is. If pwd is $HOME, and I play the file, it works. But if I change pwd to the directory the file is in (on sshfs mounted directory), it fails. | 10:11 |
svip | I am still not sure of what the problem, but I do have a workaround now. | 10:12 |
mardy | svip: mmm... can you please try starting other snaps while your CWD is somewhere in the sshfs tree? I wonder if this might be a generic problem with snaps | 10:19 |
svip | I've experienced this problem with omxplayer-pi and vlc-pi, but they are both by the same developer, so they might simply share the same issue. | 10:20 |
svip | Do you have any suggestion of a snap I could try? | 10:20 |
mardy | svip: the hello-world one :-) | 10:21 |
mardy | if that works, then we can try something more complicated, like the chromium one | 10:21 |
svip | mardy: hello-world fails the same way. | 10:23 |
ogra | there should be nothing special in either of the snaps (i'm the maintainer) | 10:23 |
svip | mardy: Could it be the way I mount the sshfs volume? I simply do the sshfs command without any flags. | 10:24 |
svip | The external drives just happen to use the same user as me. | 10:24 |
mardy | svip: wow, that's cool, in a way. Let me search if we already have a bug for this | 10:34 |
mardy | svip: I cannot find anything, would you be so kind to file one? https://bugs.launchpad.net/snapd Or I can do it, if you don't have time | 10:36 |
svip | I can do it. | 10:37 |
diddledani | sshfs is fuse-based right? the default for fuse filesystems is to block "other users" including root, so snapd will be unable to access the CWD when launching a snapped app | 10:40 |
svip | diddledani: How do I allow others to read from the sshfs mounted directory? | 10:41 |
diddledani | svip: add `user_allow_other` or `allow_root` in `/etc/fuse.conf` | 10:41 |
diddledani | sorry I got that wrong | 10:42 |
diddledani | add `user_allow_other` to `/etc/fuse.conf` then you need to use the `allow_root` option when mounting the fs | 10:42 |
diddledani | with `user_allow_other` in `/etc/fuse.conf`, run this to mount `sshfs -o allow_root user@server:/source /destination` | 10:43 |
svip | diddledani: That works! Thanks. | 10:43 |
diddledani | oh, you might not need `user_allow_other` in `/etc/fuse.conf` if you mount with that command | 10:43 |
diddledani | ref: https://unix.stackexchange.com/questions/17402/why-does-root-get-permission-denied-when-accessing-fuse-directory#:~:text=It%27s%20the%20way%20fuse%20works.%20If%20you%20want,fuse%20filesystem%20with%20allow_other%20or%20allow_root%20as%20options. | 10:44 |
svip | Well, considering it's just me on this machine (a Raspberry Pi), I wouldn't be too worried. | 10:44 |
mardy | diddledani: too bad I was not looking at this chat, I just reached the same conclusion. I still think that we could improve this part a bit though, and make snap-confine more transparent about the user (who should not know about these details) | 12:01 |
mup | PR snapd#11789 opened: interfaces: opengl: add rules for NXP i.MX GPU drivers <Created by IsaacJT> <https://github.com/snapcore/snapd/pull/11789> | 12:25 |
mup | PR core-build#58 closed: initramfs: add neccessary modules for rockchip emmc and sdcard <Created by JeffyCN> <Closed by > <https://github.com/snapcore/core-build/pull/58> | 12:37 |
mup | PR snapd#11790 opened: tests: core20 preseed/nested spread test <Preseeding 🍞> <Run nested> <Created by stolowski> <https://github.com/snapcore/snapd/pull/11790> | 12:50 |
mup | PR snapcraft#3740 opened: repo: enable package repository architectures <Created by cmatsuoka> <https://github.com/snapcore/snapcraft/pull/3740> | 14:42 |
mup | PR snapd#11762 closed: interfaces: tweak getPath() slightly and add some more tests <Created by mvo5> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/11762> | 15:21 |
mup | PR snapd#11599 closed: tests: use new snaps.name and snaps.cleanup tools <Created by sergiocazzolato> <Merged by sergiocazzolato> <https://github.com/snapcore/snapd/pull/11599> | 18:12 |
mup | PR snapcraft#3740 closed: repo: enable package repository architectures <Created by cmatsuoka> <Merged by cmatsuoka> <https://github.com/snapcore/snapcraft/pull/3740> | 19:17 |
mup | PR snapd#11791 opened: tests: fix the system-snap-refresh test <Created by sergiocazzolato> <https://github.com/snapcore/snapd/pull/11791> | 20:32 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!