01:12 <kentonv> XgF: Hmm, it looks like seccomp, except less flexible... he of course attacks seccomp as "insane" without any good argument...

01:13 <XgF> Yeah, though I'd argue the libc-specificness of seccomp-bpf is problematic

01:13 <kentonv> what do you mean?

01:13 <kentonv> what does seccomp-bpf have to do with libc?

01:13 <XgF> e.g. the list of syscalls you want to enable for DNS resolution differs between glibc and musl

01:14 <XgF> and obviously if glibc suddenly starts using the new foo3 syscall then you need to update your bpf filter

01:14 <kentonv> how does tame() do any better?

01:15 <XgF> In the OpenBSD case, tame(2) and libc are developed together

01:15 <XgF> In the Linux case, you could have a tame(3) which used seccomp-bpf so the libc could use its' own knowledge

01:16 <kentonv> but tame() is a syscall, right?

01:16 <XgF> In OpenBSD, yes

01:16 <XgF> But there is no reason it /has/ to be

01:16 <XgF> A portable process sandboxing interface would be useful

01:16 <kentonv> wait wait

01:17 <kentonv> it doesn't help to implement it in libc, because the thing you are sandboxing may very well use a different libc

01:17 <kentonv> certainly true in Sandstorm's case

01:17 <XgF> That's very true in Sandstorm's case; not in many of the cases one wants to use seccomp-type-privdrops for

01:18 <XgF> Personally my preferred solution to all of this would be to replace Linux with a proper cap-based kernel :P

01:18 <kentonv> well sure. :)

10:53 <larjona> Hi everybody. I'm deeping my toe in sandstorm.io, congratulations for working on it. I'll try to selfhost an instance,and try to learn how to package simple apps. Wish me luck!

10:54 <larjona> Now, first question: where is the "announcements mailing list"? (if any) The link in "Get involved" web page points to sandstorm.io (website homepage)

12:19 <dwrensha> larjona: on https:sandstorm.io, there's a box for "Join our mailing list for updates", right under the "pre-order hosting" button.

12:22 <larjona> thanks dwrensha!

13:49 <larjona> Hi again. I've deployed my sandstorm instance at lacaja.larjona.net (not sure why the DNS is not resolving, but that's a different problem. I can access from my home network). I have enabled github authentication, signed in with my github account, and granted admin privileges to that account. Now, I've tried to install Etherpad, but it gets stuck at "Downloading 0%..." (nothing else happens). Where can I look for diagnosing the problem?

13:54 <dwrensha> larjona: maybe check whether there's anything interesting in /opt/sandstorm/var/log/sandstorm.log

13:57 <larjona> nothing interesting there, only old stuff. Maybe I need some configuration tweaking so it is more verbose?

14:00 <dwrensha> larjona: does the same thing happen for any app that you try?

14:01 <dwrensha> larjona: does it work to upload apps instead?

14:02 <dwrensha> larjona: you could download http://sandstorm.io/apps/etherpad9.spk to your local machine and then upload it through the "Upload app" button

14:02 <larjona> I've tried several apps, and the same happens. Will try uploading now

14:03 <dwrensha> larjona: I don't know of a good way to increase logging verbosity

14:03 <larjona> Uploading started and went to 100%, and then, "Upload failed: 500 Internal Server Error"

14:04 <dwrensha> yikes. anything interesting in the log now?

14:04 <larjona> ok, now I have log

14:05 <larjona> https://paste.debian.net/plain/283846

14:06 <larjona> No "sockets" folder in my /opt/sandstorm/var/

14:07 <dwrensha> it would be /opt/sandstorm/var/sandstorm/socket/

14:07 <larjona> sorry, yes

14:08 <dwrensha> what filesystem permissions do you observe in that directory, if it exists?

14:08 <larjona> its permissions are root:root, instead of root:sandstorm

14:08 <larjona> *ownership

14:09 <dwrensha> that sounds like it could be a problem

14:10 <larjona> Fixed ownership, problem persist. Will look at permissions

14:11 <dwrensha> hm... it might be a bad idea to go around tweaking permissions/ownership on individual files

14:11 <dwrensha> I suspect your whole sandstorm install is root:root

14:13 <larjona> I have dirs with root:root, and other with root:sandstorm

14:14 <dwrensha> do you remember what options you chose when you ran install.sh?

14:14 <dwrensha> in particular, did you put in a non-default value for the Server User?

14:15 <dwrensha> (My hypothesis is that you've hit a bug in the install script)

14:15 <larjona> I don't remember very well. How can I start from scratch? Just removing /opt/sandstorm and running the script again?

14:17 <dwrensha> sudo sandstorm stop

14:17 <dwrensha> sudo rm -rf /opt/sandstorm

14:17 <larjona> thanks

14:21 <larjona> reinstalled, didn't ask for "Server user"

14:23 <dwrensha> did you chose "full server install"?

14:24 <dwrensha> what do the permissions/ownership look like now?

14:25 <larjona> I chose full server install. Now it's working, I just installed Etherpad. Will look at permissions,but I think I know what happened

14:25 <dwrensha> do tell!

14:27 <larjona> ownership and permissions look the same as before. What I think I did differently in the first install and this one, is that in the first install I chose URL http://lacaja.larjona.net:6080 , and this time, since I already learned to setup the nginx proxy, I chose http://lacaja.larjona.net

14:30 <larjona> or maybe the problem is that before, I setup the nginx proxy and restarted nginx, but forgot to restart sandstorm. Anyway, I cannot reproduce the problem, so it's clear that something I did wrong in my first install, and now it's fixed. Thanks!

14:31 <dwrensha> the "forgot to restart sandstorm" thing sounds vaguely plausible as an explanation

14:31 <dwrensha> but I'm still a bit confused how sandstorm got in that bad state

14:32 <dwrensha> do you mind sharing the current contents of your /opt/sandstorm/sandstorm.conf?

14:33 <dwrensha> and, in your working setup right now, there are things owned by root:root in /opt/sandstorm/var/sandstorm?

14:33 <larjona> Now it is: https://paste.debian.net/283860/

14:34 <larjona> (sorry, I didn't make backup before removing the buggy one). But I suppose that I chose lacaja.larjona.net:6080 before, since I read about the nginx proxy after installing

14:36 <dwrensha> larjona: if you're going through nginx, you can make the BIND_IP be 127.0.0.1, so that Sandstorm would only be exposed to the outside world through nginx

14:42 <larjona> great, thanks!

15:38 <dwrensha> jparyani: I just learned about "SKIP_UNITTESTS=true"

15:38 <dwrensha> now I can run the tests without resetting my oauth config :)

16:38 <dwrensha> paulproteus: it looks like you intended to close this issue: https://github.com/sandstorm-io/sandstorm/issues/539

16:38 <paulproteus> Oops I'm really bad at that sometimes; let me take a look.

16:39 <paulproteus> +1

16:39 <paulproteus> Updated the ticket.

16:39 <dwrensha> thanks

16:40 <paulproteus> Thanks yourself for the ping.

16:40 <paulproteus> https://github.com/adobe/brackets/wiki/Health-Report-Data

16:41 <paulproteus> ocdtrekkie will be vindicated to know that even an extremely hip web-dev oriented editor is majority Windows users (-;

16:46 <paulproteus> Howdy larjona !

16:46 <larjona> hi!

16:47 <paulproteus> BTW I'm reading the notes you took (OK to mention that here?). They're super interesting; thank you so much for them.

16:48 <paulproteus> Hi YuviPanda !

16:48 <YuviPanda> I guess I'll see you at CCC CAMP!

16:48 <paulproteus> Yeah!

16:48 <YuviPanda> unfortunately I'm not going to debconf

16:48 <paulproteus> We should organize a Sandstorm meetup.

16:48 <YuviPanda> do you know anyone else coming?

16:48 <paulproteus> In the unofficial events times.

16:48 <YuviPanda> right

16:48 <paulproteus> From Sandstorm itself, not necessarily, but someone else emailed me.

16:48 <paulproteus> You want to email sandstorm-dev and ask? : D

16:49 <paulproteus> larjona: I do wonder what is going on with your outbound email stuff.

16:49 <YuviPanda> paulproteus: :D maybe. still neck deep in wikimania and next weeks looks similar. but maybe we could meet up in SF sometimes!

16:50 <paulproteus> Oh for sure, YuviPanda . Are you based in SF?

16:50 <paulproteus> I somehow thought you were based elsewhere.

16:50 <paulproteus> http://www.meetup.com/Sandstorm-SF-Bay-Area/ is for you perhaps!

16:50 <paulproteus> And even if you're not usually in SF, I'm happy to find time when you are around.

16:51 <YuviPanda> paulproteus: I theroetically live in SF...

16:51 <YuviPanda> in that that's what my Visa says, but I don't have a permanent place there, and I've spent 1 month there since moving there in March...

16:51 <YuviPanda> but I'm there from Monday till CCC

16:51 <paulproteus> Oh, great. Well let's hang out.

16:51 <YuviPanda> yeah. there's another person from WMF who is going to CCC CAMP too (Jan)

16:51 <YuviPanda> should be fun etc

16:54 <paulproteus> larjona: Did you get your email problems worked out?

16:57 <larjona> paulproteus Yes, you can mention my notes. They are here: https://alpha.sandstorm.io/shared/-xJH9q2x945hbjaCUlAgR_4KFNpDGtcfO_6EmzBrDWX

16:58 <paulproteus> Awesome

16:58 <paulproteus> I'm going through them and submitting docs/etc. changes to address things.

16:58 <larjona> I think the problem with email is, if I understood correctly, that your mail provider has to allow you to send mail with the sandstorm domain as sender.

16:59 <paulproteus> Yeah, that's what it seems. Perhaps you can add that to your list of GANDI outbound allowed domains? It's a subdomain of your GANDI domain so I imagine that should be possible.

16:59 <larjona> If yes, I suppose Gandi does not allow that (my work mail server does not, for example)

16:59 <paulproteus> But I'm honestly not fully sure why that's required. So I might read the source to learn more or wait until tomorrow and ask jparyani.

16:59 <larjona> I don't know how to do that. I also wonder if GMail,for example, allows that (for the case of other users selfhosting)

17:01 <paulproteus> https://www.gandi.net/domain/wishlist/ suggests it's not possible with GANDI; instead it's on their wishlist.

17:03 <paulproteus> But basically larjona I don't have advice for you yet; will hope to in a day or so.

17:04 <larjona> No problem in my side, I've enabled github authentication and workarounded the problem.

17:05 <dcb> paulproteus: howdy

17:06 <paulproteus> Are you already a Sandstorm user? Just curious about it? Let me know if there's anything I can do to help you, or any questions you have.

17:09 <paulproteus> I guess the reason that it needs to be able to send emails from the Sandstorm install domain is that apps themselves can send email, and those come from randomstring@sandstormhost.example.com

17:10 <paulproteus> re: apps to install not sorted: Yeah, it's sorted by a subjective metric that makes it easier to find what we believe are the good apps and harder to find everything in general.

17:11 <dcb> paulproteus: I'm not a sandstorm user, but I have been using cap'n proto quite a bit. That's why I'm hanging out here

17:11 <paulproteus> Ah, awesome.

17:12 <paulproteus> There's lots of cap'n proto talk that happens here, as well as Sandstorm, so I hope you'll enjoy your stay.

17:25 <paulproteus> larjona: https://github.com/sandstorm-io/sandstorm/pull/603/files

17:26 <paulproteus> Other than your email email sending not working fully, I think that addresses the feedback you have so far. Let me know if I missed something.

17:35 <larjona> Fine, thanks!

17:48 <paulproteus> Great (-:

19:16 <paulproteus> w/in 31

19:40 <paulproteus> ...

20:32 <paulproteus> Howdy gopar !

20:33 <paulproteus> Have you had time to look into the packaging tutorial yet, btw? If not, that's fine, but thought I'd ask.

20:35 <gopar> paulproteus, yo! Sorry, I've had a couple of programming job interviews and another one tomorrow.

20:36 <paulproteus> np at all.

20:37 <gopar> paulproteus, I'll ask miguel if he's been able to review the stuff. Also I rsvp for the south bay meetup :)

20:37 <paulproteus> Good luck with them! I'm sure they'll go well.