/srv/irclogs.ubuntu.com/2022/09/19/#snappy.txt

mupPR snapd#12153 opened: boot: add factory-reset cases for boot-flags <Created by Meulengracht> <https://github.com/snapcore/snapd/pull/12153>06:35
mupPR snapd#12154 opened: overlord: run install-device hook during factory reset <Created by Meulengracht> <https://github.com/snapcore/snapd/pull/12154>06:35
eoli3nHey mardy 07:20
eoli3nthis week will be the one we fix it :P07:20
eoli3ni'm full of hope07:20
eoli3ni think that i need to reread the whole post, and try to make a state post to figure "where we are now" to be able to find "what we could try, or what we miss"07:21
eoli3nok, i'm testing07:36
eoli3n(see my answer on the thread)07:36
eoli3nthread updated, i'm still searching for a way to trigger permanent nfs-support08:10
mupPR snapd#12155 opened: DT-576 Check the status of refresh-pending snaps <Created by sergio-costas> <https://github.com/snapcore/snapd/pull/12155>10:15
mardyeoli3n: hi! Let me read the forums...11:18
eoli3n(y)11:18
mardyeoli3n: instead of delaying snapd startup, can't you make the mount of the NFS happen earlier?11:23
eoli3nno, because there is no nfs at startup11:24
eoli3nnfs is automounted by autofs when a user log in11:24
eoli3nmardy: i guess, that there is no way to force nfs support permanently ?11:24
eoli3ni don't want snapd auto detection11:25
eoli3ni want to force nfs support permanently, is there a way ?11:25
mardyeoli3n: don't you have an autofs entry in your fstab?11:27
eoli3nno11:27
eoli3nthat's not the way autofs work11:27
eoli3nmardy: you should be a politic guy, you are really good at skipping answers :P11:28
mardyeoli3n: sorry, I did look up the code and indeed saw that there's no way to force nfs support, but I was looking for workarounds11:30
mardyeoli3n: if snapd sees a nfs or autofs entry in the fstab, it will enable it. I wonder if there's a way to add an entry there, which is basically a no-op11:31
eoli3nthere is no autofs entries in fstab11:31
eoli3nAFAIK it doesn't even exist11:32
eoli3nsnapd should test if autofs as mounts in /etc/autofs/auto.master.d11:32
eoli3nsorry /etc/auto.master.d11:32
eoli3nif autofs have* mounts11:34
eoli3ncould you explain why there is no way to force nfs-support ?11:35
eoli3nthat's not what /var/lib/snapd/apparmor/snap-confine/nfs-support file does ?11:35
eoli3nthe only problem is to make that file permanent11:36
eoli3nit seems crazy af to me that that file is "moved" by something11:36
eoli3nthat's like create /etc/something.conf, chattr +i the file and then a daemon fails to start because of the chattr +i11:37
eoli3nit sounds like a crazy design11:37
mardyit's snapd removing it11:37
mardyit removes all files from that directory, that were not created by it11:38
eoli3nis there any reason ?11:38
eoli3ni mean, why doing this ?11:38
mardylet me check if I can dig some info out of the git repo11:38
eoli3nok11:38
eoli3nthanks again for helping11:38
mardyeoli3n: the logic was added here: https://github.com/snapcore/snapd/commit/8db78ad30cb060ad4aab0de3489e5d5060d8c74311:43
eoli3nmardy: should I fire a bug somewhere ?11:44
mardyI think it's clear that we needed to ensure that the file contents were the expected ones, but the EnsureDirState function also removed unrecognized files,11:44
mardyand this seems was not explicitly requested11:44
eoli3nso there is two things, 1° fix autofs test, to guess nfs use not only from fstab, but also /etc/auto.master.d11:45
eoli3n2° give the ability to trigger nfs-support with a root created file, without removing it11:46
mrecso snap basically eliminates the global IPC/Shared memory support?11:46
mrecbackward development in my eyes... certainly flagged as "safety"11:47
eoli3ni could workaround by adding a fake nfs mount, with good systemd options to ignore if fails11:47
mardyeoli3n: I updated https://bugs.launchpad.net/snapd/+bug/191734811:53
mupBug #1917348: NFS access not permitted for snap's on LDAP autofs system <snapd:In Progress by zyga> <https://launchpad.net/bugs/1917348>11:53
mardymrec: no, we do have the shared-memory interface: https://snapcraft.io/docs/shared-memory-interface11:54
ogramardy, sadly that doc lacking a description of the "private" attribute which actually allows full /dev/shm access) 11:56
ogra+is11:56
mrecmardy: this defines that 2 snap packages can communicate with each other, but how about a native application and a snap package accessing the native application via IPC / shared memory?12:19
eoli3nmardy: is there a way to setup a cacher serveur for packages ? something like apt-cacher ?12:20
mrecwe just have this situation we have a video server which is providing the data via shm/ipc and regular applications are connecting via the system hooks. Now the snap package disallows all that and won't work.12:21
mrecthat worked for like 1 1/2 decades12:21
ogramrec, that is the "private" flag i mentioned above ... it i described in the core that is linked from the doc lage 12:22
ogras/lage/page/12:22
mrecok and how about sysv-ipc?12:22
ogramrec, note though that this will make your snap go into manual review and it will have to undergo inspection by the security team to be allowed into the store12:22
ograsysv-ipc ? you mean sockets ? 12:23
mreceg. semaphores12:23
mrecmessage queues12:23
mardyeoli3n: not AFAIK12:24
mrecthere should be an easy to set option to give snap packages access to that in order to keep backward compatibility12:24
mrecstripping off everything that has been there for decades cannot be flagged as "security".. certainly if things are removed they cannot be exploited.12:25
ograwell, age des nto tell anything about how secure something is ... if you lived without doorlocks in your house for three decades that doesnt mean adding a lock is not adding security 🙂12:26
mreclet's not use a computer so it cannot be exploited :-)12:27
mrecthat was basically the reason why people preferred linux over windows because linux gave freedom, but now it's going the other way.12:31
mrecno certainly full ipc and shared memory support has to be supported - and not only by security review but also as an option for the user to set it himself.12:31
ograi think semaphores can be handled via the snapcraft-preload wrapper 12:31
ograwell, this is not how snaps are designed ... security checks happen on upload *before* anything goes into the store ... if something uses a super privileged interface that allows breaking out of the sandbox, it goes into manual review12:33
mrecwe use semaphores eg. to notify the client application that a video frame is ready12:33
ograi doubt this will change anyt time soon ...12:33
mrecit looks more like security is an excuse for an incomplete system, if security is so important put everything into the browser12:34
mrecdestroying sysv ipc is not good12:35
mrecespecially if the underlying system supports it... if someone wants that fool proof system he can remove it from the kernel (it's just an option)12:36
ograwell, what are the exact erros you did hit with your snap = 12:36
ogradid you run it throug the snappy-debug tool yet (it will giv interface suggestions)12:37
mrecthe problem is basically that the snap package does not recognize the host server, so we modified the snap package itself and included the server into the snap package as a workaround12:37
mrecwe treat it as a virtual machine (which it is.. due to the sandboxed nature)12:37
ograright, but if bot snaps do come from the same publisher you can use the shm interface just fine 12:38
ogra*both12:38
ogra(or even work without shm interface at all if you peoperly use a snap-named subdir in /dev/shm)12:39
mrecwell we got it work but it would still be better to restore full sysvipc support in snap packages12:41
mrecunix domain sockets are also locked no?12:41
ograIIRC they work inside a snap for IPC 12:42
mrecthat's so bad...12:42
ograeither way, if you want changes, better start a thread in the snapd category in forum.snapcraft.io 12:42
mrecit needs to reach servers outside of the snap package that's what sysv-ipc and domain sockets were introduced for12:42
mrecok12:43
mupPR snapd#12156 opened: tests: fix unbound SPREAD_PATH variable on nested debug session <Simple 😃> <Run nested> <Created by sergiocazzolato> <https://github.com/snapcore/snapd/pull/12156>12:56
mupPR snapd#11419 closed: gadget: Use systemd-repart to create new partition during install <Precious but later :heart:> <Created by valentindavid> <Closed by mvo5> <https://github.com/snapcore/snapd/pull/11419>13:16
mupPR snapd#11421 closed: many: Do not use -enc suffix for encrypted parition labels <Precious but later :heart:> <Created by valentindavid> <Closed by mvo5> <https://github.com/snapcore/snapd/pull/11421>13:16
mupPR snapd#12031 closed: systemd: Do not mount snaps before `ostree-remount.service` <Created by valentindavid> <Closed by mvo5> <https://github.com/snapcore/snapd/pull/12031>13:21
mupPR snapd#12132 closed: wrappers: use a revision-agnostic paths when rewriting a desktop file <Needs Samuele review> <Precious but later :heart:> <Created by oSoMoN> <Closed by pedronis> <https://github.com/snapcore/snapd/pull/12132>13:36
mupPR snapcraft#3915 opened: legacy: install unpinned build packages <Created by cmatsuoka> <https://github.com/snapcore/snapcraft/pull/3915>15:06
mupPR snapd#12157 opened: tests: disable quota tests on arm devices using ubuntu core <Simple 😃> <Created by sergiocazzolato> <https://github.com/snapcore/snapd/pull/12157>15:12
mupPR snapd#12146 closed: image: update `prepare-image` work with UC20+ style classic  models <Created by mvo5> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/12146>15:47
mupPR snapd#12158 opened: image,tests: tweak naming and test for classic UC20+ image <Created by mvo5> <https://github.com/snapcore/snapd/pull/12158>16:02
mupPR snapcraft#3914 closed: build(deps): bump oauthlib from 3.2.0 to 3.2.1 <dependencies> <python> <Created by dependabot[bot]> <Merged by sergiusens> <https://github.com/snapcore/snapcraft/pull/3914>23:41

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!