16:24 <gharris> Is there any documentation about optimizing Sandstorm? I can't seem to find anything.

16:48 <dwrensha> gharris: what do you mean by "optimizing"?

17:47 <gharris> dwrnesha: Aren't there adjustments to be made to things like available memory and the like?

18:15 <dwrensha> Sandstorm is known to consume hundreds of MBs of memory. I don't think there's much a system administrator could do about it.

18:16 <dwrensha> gharris: or maybe you are speaking from a developer's perspective? Like how can we improve Sandstorm to make it more efficient?

18:22 <isd> simpson: there's no "canonical" transport for capnproto, but just doing TLS is a common recommendation. Can work over any reliable transport.

18:22 <simpson> isd: Okay. Foolscap uses TLS client certs to pin identities; is there anything similar for Capn?

18:23 <isd> "identities" run somewhat counter to the whole capability based approach

18:23 <isd> what you'd probably do is construct your bootstrap interface to provide the security properties you want.

18:25 <simpson> Sorry, I don't mean identity. I'm trying to remember how Foolscap does this.

18:25 <isd> You also could just use client certs, handle authentication/authorization with TLS, and then just have the capnp server "trust" that the client is authorized to talk to the bootstrap interface.

18:25 <isd> I'm not actually familiar with Foolscap?

18:26 <simpson> It's Perspective Broker on steroids. There's only a couple users left, notably Tahoe-LAFS, and I'm doing research on a possible new Capn API for Tahoe.

18:27 <simpson> CapTP -> Perspective Broker -> Foolscap -> regret, more or less.

18:28 <isd> :P

18:29 <simpson> Okay, so IIUC what happens is that Foolscap establishes a "tub" (like an E vat, kind of) and gives it a TLS cert. The tub IDs itself using the hash of the cert.

18:29 <isd> What I'd reach for not knowing more about your application: just do the widespread TLS thing, where the client verifies the server's identity, but not vice-versa. Then, have your server's bootstrap interface be something with a method like: getCap @0 (token :Data -> obj :RealInterface);

18:29 <simpson> So whenever you connect to a tub over TLS, you can check the TLS client cert's hash to verify that you're talking to the tub that the FURL (SturdyRef) told you to use.

18:30 <isd> Where "RealInterface" is the actual service you're exporting.

18:30 <isd> and token is some suitable credential, maybe a cryptographically random 128-bit number or such that's stored in a DB server side.

18:31 <simpson> Hmm. I suppose that that might work, but it would require us to change our cap diagrams quite a bit. Right now you don't need anything other than a SturdyRef to join a Tahoe grid.

18:31 <isd> Depending on your application, you may have more specialized ways of doing things that are sensible.

18:31 <simpson> We just want CapTP. Capn is modern CapTP.

18:32 <isd> I mean, that token basically is a SturdyRef

18:33 <simpson> Yeah, I guess. I'm just anticipating that I won't be winning hearts and minds if we're regressing on our TLS setup.

18:33 <simpson> OTOH who actually uses TLS client certs, right~

18:33 <isd> Do you mean you want to be able to have one SturdyRef to access a whole cluster?

18:33 <simpson> Well, yes. Right now, you have one "introducer" SturdyRef, and it gives you access to an entire Tahoe grid of storage servers.

18:34 <simpson> In the future, I have plans to build some Monte daemons, and Monte comes pre-equipped with its own vat machinery, so I'll probably be integrating some variant of this into the Monte language directly too.

18:34 <isd> Ah.

18:35 <isd> Would be nice if the level 3 stuff was implemented; that's really what you want here.

18:35 <isd> (in rpc.capnp)

18:36 <simpson> Yes. We're eventually going to go all the way to level 4, and we'll contribute upstream as needed. Right now I'm in the guts of the compiler, like always.

18:36 <isd> :P

18:37 <simpson> If y'all happen to be at PyCon, warner and I will be around to discuss this at more length. Look for the guy with lots of hair and a shirt that says "LET ME TELL YOU ABOUT OBJECT CAPABILITY SECURITY".

18:38 <isd> :P

18:38 <isd> But yeah, a natural way to do this (given level 3 support) is just to set RecipientId = domain name, and use both client and server TLS certs

18:40 <simpson> Yeah, that's something good to explore later. Certainly, given the Internet's topology, it's reasonable that you might not be able to make three-vat handshakes unless both of the "server" vats have a public name.

18:42 <simpson> isd: Thanks, this is good food for thought.

18:42 <isd> You're welcome.

18:44 <isd> Could also use something like noise with RecipientId = (host, port, static public key)

18:44 <isd> Avoids the key distribution question.

18:45 <simpson> In Foolscap/Tahoe, we're used to just popping the keys into the SturdyRefs.

18:45 <simpson> e.g. URI:CHK:nlipf2ej2gd2c3op4otj2yaaky:g4wgcat7gsuj6tyrfvqxc6ivmc6s2y3m524wipqyn5nkgweww4uq:3:10:1540

18:45 <isd> Yeah, basically the same thing.

18:46 <simpson> Immutable file, storage index, decryption key, storage params, file size. A complete breakfast.

18:46 <simpson> I haven't read much about Noise. It sounds trendy, which always makes me suspicious in cryptography.

18:46 <isd> SturdyRef := (RecipientId, opaque server-generated value)

18:46 <isd> :P

18:47 <simpson> Yeah. Foolscap URLs look like, uh, furl://awesome.tld:1234/pubkey

18:48 <isd> Worth reading about. I like what I see from the spec. kentonv has expressed that he thinks noise is a good thing to use down the line.

20:28 <gharris> dwrensha: No, from a SysAdmin perspective. I've got four users on a VM with 8 GB of RAM with extremely sporadic usage. One user logs in and the EtherCalc grain never loads. A day later, same scenario, and everything pops up like lightning. Nothing in the logs.

20:33 <dwrensha> 8GB should be enough

20:34 <dwrensha> kentonv was investigating some memory leaks

20:34 <dwrensha> gharris: did you check which process was the memory hog?

20:35 <dwrensha> 'sudo sandstorm restart' might help if you've run out of memory