IRC logs for #baserock for Monday, 2014-09-08

*** thecorconian [] has quit [Quit: Leaving.] 01:48
*** thecorconian [] has joined #baserock 05:41
*** franred [] has quit [Quit: Leaving] 06:18
*** franred [] has joined #baserock 06:28
*** fay_ [] has joined #baserock 07:22
*** tiagogomes [~tiagogome@] has joined #baserock 08:10
*** jonathanmaw [] has joined #baserock 08:30
<franred> jjardon, good morning 08:34
<paulsherwood> pedroalvarez: i'm rebuilding with your ca-certs... 09:03
<pedroalvarez> paulsherwood: if you don't want to rebuild everything you can maybe move them out of core.morph 09:03
<paulsherwood> which is a lot of rebuild. would it make any sense to consider a separate stratum for this and other security related stuff? 09:04
<paulsherwood> pedroalvarez: yes, i should have thought of that :) but it's nearly done now 09:04
<pedroalvarez> paulsherwood: yeah, "network-security" stratum maybe? I think franred is going to create a stratum to put things like that, so maybe we can move it there. 09:05
* Kinnison thinks it being in core might make sense 09:07
<Kinnison> because it provides a potential trust chain for verifying upgrades fr.ex. 09:07
<Kinnison> Of course, that's not necessary for that, just might be "nice" 09:07
<paulsherwood> i prefer the network-security idea, but Kinnison probably has deeper knowledge here 09:09
<Kinnison> I think overall we need a discussion of whether it makes sense to parallelise some more of what's in foundation and core 09:10
<Kinnison> With parallel build opportunities, it'd be nice to have fewer choke points 09:10
<richard_maw> paulsherwood: here's a reason why I think we need something like unpetrify-ref: your linux chunk for docker doesn't list which ref it needs, and you needed to create a branch that includes AUFS, but I have no idea which branch the ref: refers to 09:14
<paulsherwood> richard_maw: noted. actually my build doesn't include AUFS, though 09:21
<richard_maw> you enable it in your kernel config 09:21
<paulsherwood> yes true 09:21
<paulsherwood> but the only thing special about my linux is the config 09:22
<paulsherwood> i think that ref was master at the time i did it 09:22
<paulsherwood> i agree with your original point, though 09:23
<paulsherwood> pedroalvarez: yes, it works :) 09:27
<pedroalvarez> good to know 09:27
<pedroalvarez> paulsherwood: thanks! 09:28
<paulsherwood> pedroalvarez: i notice that curl doesn't seem to find the certs, though 09:33
<Kinnison> paulsherwood: If you can give me access to a system running that, I can diagnose what it is 09:36
<Kinnison> I'll bet it's a paths issue 09:36
<richard_maw> /usr/etc strikes back? 09:36
<Kinnison> It'll likely be a path baked into openssl 09:37
<paulsherwood> Kinnison: i'm in vegas 09:37
<Kinnison> aah, I thought you were using our new cloudy thing 09:37
<paulsherwood> is there some magic you can do to access my mc? 09:37
<paulsherwood> actually, i could maybe do the cloudy thing :) 09:37
* paulsherwood goes to try 09:37
<pedroalvarez> paulsherwood: how did you test curl? 09:44
<paulsherwood> by running curl -O 09:44
<paulsherwood> on a https file 09:44
<paulsherwood> particularly: curl -k -O
<paulsherwood> tar xvf Tegra124_Linux_R19.3.0_armhf.tbz2 09:45
<paulsherwood> works with -k, doesn't work without 09:45
<paulsherwood> (scrap the tar line) 09:45
<Kinnison> the issuer for nvidia's certificate is issuer=/O=Cybertrust Inc/CN=Cybertrust Public SureServer SV CA 09:46
* Kinnison assumes that's in the ca-certificates chunk 09:46
<Kinnison> so we need to check path lists etc 09:46
<Kinnison> paulsherwood: could you run: strace -s1024 -f -o /tmp/curl.trace curl -I
<petefoth> Kinnison: is that available on the fs1 jukebox? 09:47
<Kinnison> paulsherwood: and then upload curl.trace to somewhere I can fetch it from? 09:47
<paulsherwood> so, for a cloud-based devel machine - is it safe for me to run 'morph deploy --upgrade upgrade-devel.morph self.HOSTNAME=$(hostname) self.VERSION_LABEL=newlabel' 09:47
<Kinnison> paulsherwood: if the file is too large, then grep it for c692a373 and pastebin the matches 09:50
<pedroalvarez> paulsherwood:  should be possible to upgrade. 09:52
<Kinnison> paulsherwood: could you run `curl-config --ca` and tell me what it says? 09:56
<Kinnison> pedroalvarez: In your ca-certificates chunk, do you create a bundle? 09:57
<richard_maw> Kinnison: not unless the Makefile from the debian repo does it 09:58
<pedroalvarez> Kinnison: no 09:59
<Kinnison> No, Debian creates a bundle at postinst because they can disable/enable certificates at runtime 09:59
<Kinnison> cURL requires a bundle 09:59
<Kinnison> and requires to be configured to know where the bundle is 09:59
<pedroalvarez> right, so I'm missing that part 10:00
<pedroalvarez> paulsherwood: I'd prefer another way to do an upgrade in an openstack environment 10:00
<Kinnison> 1. create a bundle (cat all the certificates together into one file, Debian calls it /etc/ssl/certs/ca-certificates.pem) 10:00
<Kinnison> 2. configure cURL (--with-ca-bundle=/etc/ssl/certs/ca-certificates.pem) 10:00
<Kinnison> that should solve that (and the git issue) 10:00
<paulsherwood> Kinnison: curl-config --ca is empty 10:01
<Kinnison> paulsherwood: yeah, see the two steps above :-) 10:02
<Kinnison> paulsherwood: if you're okay to test those, then you can simulate with: 10:03
<Kinnison> cat /etc/ssl/certs/*.pem > /tmp/bundle.pem 10:03
<Kinnison> env CURL_CA_BUNDLE=/tmp/bundle.pem curl -I
<Kinnison> and see if it works 10:03
<paulsherwood> Kinnison: yes, it works 10:04
<Kinnison> cool, pedroalvarez ^^^^ 10:04
<paulsherwood> Kinnison: tvm 10:04
*** fay_ [] has quit [Ping timeout: 255 seconds] 10:04
<paulsherwood> pedroalvarez: +1 from me on ca-certificates if you fix the above 10:05
<paulsherwood> (can stay in core for now) 10:05
<Kinnison> pedroalvarez: I think richard_maw's suggestion on baserock-dev might be a tad less evil and more supportable too :-) 10:13
*** fay_ [] has joined #baserock 10:23
<SotK> is there a way to tell morph to not try to clone submodules? 10:26
<Kinnison> I doubt it 10:27
<Kinnison> It'd be very odd 10:27
<richard_maw> Kinnison: I didn't suggest anything about the cert. bundle, since I didn't know it was a problem when I suggested the fix 10:27
<Kinnison> richard_maw: that's what update-ca-certificates does 10:28
<richard_maw> that was already in the systemintegration commands, so we're missing the curl chunk config 10:28
<SotK> ok then, how should I handle the case I currently have, where there is a submodule with url: which gives me permission denied? 10:29
<Kinnison> Make a fresh branch which disables that submodule I guess 10:30
<richard_maw> rant at upstream or make a branch that changes the url to a git:// URL 10:30
<Kinnison> richard_maw: update-ca-certificates needs the .conf in order to construct the bundle 10:30
<SotK> ok, thanks 10:30
<richard_maw> Kinnison: that was also constructed in system-integrations 10:30
<Kinnison> then curl needs the config in addition 10:31
<pedroalvarez> Kinnison, paulsherwood, richard_maw: Thanks for the help with ca-certificates, I think I know what needs to be done :) 10:31
<Kinnison> and all should be well 10:31
<richard_maw> Kinnison: yep, which is what I said was missing 10:31
* richard_maw ponders whether it might make sense to do ansible integration 10:31
<Kinnison> I'm a little slow today 10:31
<Kinnison> Having some ansible stuff for re-running update-ca-certificates in the case that new certs are installed might be worthwhile 10:32
<Kinnison> to allow for deploy-time certificate addition to take effect 10:32
<paulsherwood> on arm too, i hope :) 10:33
* Kinnison fails to see why architecture would affect this 10:34
<richard_maw> if the update-ca-certificates script had an option to disable cert hooks and add a root prefix (like $DESTDIR) then we could run the update-ca-certificates script at deployment time 10:36
<richard_maw> and allow for added certificates then 10:36
<Kinnison> I doubt upstream would be hostile to such a patch 10:36
<richard_maw> I still think it would be useful to be able to do this at boot time 10:42
<richard_maw> which means standardising our ansible hook unit I guess, rather than making it trove specific 10:43
<Kinnison> Probably a good plan 10:47
* richard_maw would like a daemon that looks at changes to files in /etc and runs hooks 10:48
<richard_maw> I had a look at etcd, which is what the coreos guys wrote to handle this, but it appears to effectively be an eventual-consistency networked registry 10:49
<paulsherwood> is that bad? 10:50
<richard_maw> it's useless for what I want, since you need to rewrite your apps to talk to a networked configuration service, and they're hogging the name etcd 10:51
<richard_maw> dconf backends would be more useful 10:55
<richard_maw> if you could plug that into etcd, you might get something interesting 10:57
<pedroalvarez> looks like 'curl' needs the certificates at build time, like 'git' 10:59
<richard_maw> AIUI git uses curl, so it's likely to be curl preventing it working in git 10:59
<Kinnison> pedroalvarez: If you specify the location directly then it shouldn't 11:04
<Kinnison> pedroalvarez: If the bundle is present in one of a number of places at build time, it'll default to that 11:04
<Kinnison> pedroalvarez: but --with-ca-bundle=/path/to/bundle.pem it *should* take it 11:04
<pedroalvarez> Kinnison: yeah, what I wanted was curl working with the default configuration 11:06
<Kinnison> pedroalvarez: aah, then you need to place (at least an empty) bundle in the chunk 11:06
<Kinnison> *or* implement staging-integration-commands 11:06
* Kinnison would prefer the latter 11:07
* pedroalvarez ponders 11:07
<Kinnison> but the former is far easier 11:07
<pedroalvarez> I wonder what the behaviour of the latter would be 11:07
<Kinnison> I had a reasonable definition of them I can look up and provide to you later if you want 11:08
<Kinnison> it's lunchtime for me now though 11:08
* richard_maw pondered implementing staging-integration-commands as creating a new chunk to be built before every chunk that transitively depends on the chunk that introduced the commands 11:08
<pedroalvarez> I was pondering: Run the system-integration commands when creating the staging area 11:09
<pedroalvarez> 1) uncompress all the chunks 11:12
<pedroalvarez> 2) run system integration commands of the dependencies. (`run-parts /baserock/system-integration.`) 11:12
<pedroalvarez> 3) linux-user-chroot (build and install chunks) 11:12
<pedroalvarez> But 2) can be slow, and run more things than needed. 11:13
<pedroalvarez> so maybe 2) can be replaced by "run whatever is described in staging-integration-commands" 11:13
<pedroalvarez> But I think that the staging-integration-commands should be system-integration commands as well in some cases. 11:20
*** thecorconian [] has quit [Ping timeout: 252 seconds] 11:25
<jjardon> FYI, I need libgcrypt (and its dependency libgpg-error) for my GNOME stratum. But it's also needed for modern versions of systemd so it would be nice to have it somewhere in a lower stratum 11:52
<Kinnison> pedroalvarez: there's implications regarding write-ability of staging areas, and that staging != system so needs to be different commands 12:06
<richard_maw> jjardon: I thought libgcrypt was being deprecated, since GNUTLS switched to using libnettle instead 12:09
<jjardon> richard_maw: Didn't know about that, but:
<paulsherwood> pedroalvarez: did you get baserock on pi working? 14:00
<pedroalvarez> paulsherwood: I have a bootstrap tarball ready to test. So, not yet. 14:00
<paulsherwood> ooh ;) 14:01
*** franred [] has quit [Quit: Leaving] 14:01
<pedroalvarez> Also I had problems uncompressing the tarball in my external hard drive... :-( 14:01
<liw-orc> can I have a quick review of this: -- I forgot to tell morph's to install the helper scripts for the sparse file deployment speedups; I've tested this patch by building a new system and the files are in the right place on that system 14:03
<richard_maw> liw-orc: ack. looks good to me: +1, or +2 depending on whether you want more eyes 14:06
<liw-orc> I'll take a +2, thanks 14:07
*** dabukalam [] has quit [Ping timeout: 252 seconds] 14:21
*** dabukalam [] has joined #baserock 14:33
<straycat> Oh cool, there are cross-bootstrap docs. 15:42
<Kinnison> cross-bootstrap is currently a tad broken because we're still doing per binary-artifact building rather than per-source building 15:43
<Kinnison> I believe richard_maw was working on fixing that last week, so hopefully we'll have something soon 15:43
<pedroalvarez> straycat: do you want to port baserock to another architecture? 15:48
<straycat> I'm just messing around really, I think rjek's already working on the port. 15:49
<pedroalvarez> okay :) 15:50
* pedroalvarez is debugging a trove which has stopped lorrying 16:25
<paulsherwood> it's a pity the lc status doesn't allow followthrough on links 16:26
<Kinnison> It only supports that in certain circumstances because of various raisins 16:27
<paulsherwood> pedroalvarez: i'm assuming you mean this trove ...
<pedroalvarez> odd things in the journal 16:29
<Kinnison> pedroalvarez: how odd? 16:29
<pedroalvarez> one sec 16:29
*** jonathanmaw [] has quit [Quit: Leaving] 16:31
*** tiagogomes [~tiagogome@] has quit [Ping timeout: 268 seconds] 16:36
<pedroalvarez> the log was full of attempts of ssh connections 16:37
<Kinnison> they should be harmless for the most part 16:37
<Kinnison> probably someone portscanned the netblock, saw your ssh port, and "had a go" 16:38
<Kinnison> shouldn't affect the lorrying process 16:38
<pedroalvarez> but it affects me to find useful information in the journal :P 16:39
<Kinnison> my guess would be that the lorries listed died for some reason and the minions are not being reallocated as a result 16:40
<paulsherwood> pedroalvarez: how many attempts? i may have tried a couple of times, not more 16:48
<pedroalvarez> paulsherwood: hundreds 17:07
<pedroalvarez> paulsherwood: and I believe you are not in china 17:07
* straycat wonders why the conf exts don't live in their own dir 17:10
<Kinnison> because we've not done that yet 17:15
* Kinnison updates his notes on jetson flashing and heads off for the night, ciau all 17:17
<paulsherwood> pedroalvarez: how would i check for chinese friends in my own cloud vm? 17:31
<paulsherwood> anyone object to us adding smartdevicelink to genivi baseline? 18:49
<Kinnison> Is it defined to be part of baseline?  If not, I'd kinda prefer us to have a GENIVI++ system which included things like that 18:50
<Kinnison> so baseline remains "pure" 18:50
<Kinnison> If it's optional in baseline then sure, let's shove it in 18:50
<paulsherwood> it's an optional component. but given it's actually visible, and usable, would be worth having it 18:57
<Kinnison> nod. seems reasonable then.  Does it add any unpleasant dependencies? 18:58
<paulsherwood> i can't remember. am building it now - will let you know 18:58
<paulsherwood> i had it integrated for a few demos last year 18:58
<paulsherwood> istm it would be a useful thing to show alongside the things wr proposed for genivi demo 18:59
* paulsherwood is assuming that bluetooth still works :) 19:00
<paulsherwood> actually, it was easy last time..
<paulsherwood> they want doxygen 19:14
<paulsherwood> and liblog4cxx - i wonder where that is 19:20
<paulsherwood> bah #2 19:30
<paulsherwood> checking for APR... no 19:30
<paulsherwood> configure: error: APR could not be located. Please use the --with-apr option. 19:30
* paulsherwood hopes he can persuade julius and friends at smartdevicelink to drop the logging 19:53
<Kinnison> APR isn't too hard 20:11
<Kinnison> we did it for trove 20:11
*** vmeson [~quassel@] has quit [Ping timeout: 250 seconds] 20:13
*** vmeson [~quassel@] has joined #baserock 20:17
*** pedroalvarez [] has quit [Quit: No Ping reply in 180 seconds.] 20:17
*** pedroalvarez [] has joined #baserock 20:17
Mode #baserock +cnt by morgan.freenode.net 20:17
<radiofree> did we ever get smartdevicelink working? 20:53
<radiofree> i remember there was an issue with displaying the interface in the qt5.0 demo browser 20:53
<radiofree> i *think* it was due to some security key issue? there was a patch for it though.... 20:54
<paulsherwood> is APR libapr, Kinnison ? 20:55
* paulsherwood answers his own question - yes 20:55
<paulsherwood> it just seems like a lot of spurious dependencies, to me 20:56
* paulsherwood notices that it was done from tarballs, for trove 20:57
<paulsherwood> radiofree: we had it working i believe 20:58
* paulsherwood would like to get it working again :) 20:58
