#sandstorm on 2019-03-15 — irc logs at freenode.irclog.whitequark.org

2017-06-04 23:24 kentonv changed the topic of #sandstorm to: Welcome to #sandstorm: home of all things sandstorm.io. Say hi! | Have a question but no one is here? Try asking in the discussion group: https://groups.google.com/group/sandstorm-dev | Public logs at https://botbot.me/freenode/sandstorm/

00:38 pie__ has quit [Ping timeout: 244 seconds]

02:08 ogres has joined #sandstorm

02:52 _whitelogger has joined #sandstorm

04:09 nicoo has quit [Ping timeout: 256 seconds]

04:14 nicoo has joined #sandstorm

04:17 ogres has quit [Quit: Connection closed for inactivity]

07:30 pie__ has joined #sandstorm

08:42 <xet7> dkcd: Firecracker manages KVM VMs with REST API. Sandstorm uses cgroups like Docker on same kernel. Docker keeps containers running all the time. Sandstorm keeps containers running only when they are in use, being most RAM friendly. Sandstorm if full integrated platform with SSO login to all apps. Docker and Firecracker are just low-level tools, not a platform.

08:43 <xet7> dckc: ^

14:31 <dckc> thanks.

14:31 <dckc> though... I'm more interested in the security properties.

14:31 <dckc> sandstorm has the property that all access has to be explicitly granted.

14:31 <dckc> (I think)

14:31 <dckc> in Docker, a container gets a certain amount of access by default and you have to jump through hoops to constrain it

20:21 <xet7> dckc: https://docs.sandstorm.io/en/latest/using/security-practices/

20:26 <xet7> dckc: What kind of security properties?

20:29 <xet7> Sandstorm grains have many more cgroups/kernel privileges turned off than Docker, so security issues that affect Docker don't usually affect Sandstorm grains