09:38 <mato> hannes: Hmm. Wondering about the memory leaks you saw. Take a look at this:

09:39 <mato> hannes: https://github.com/mato/mirage-solo5/blob/remove-verbosity/lib/bindings/solo5_console_stubs.c#L28

09:40 <mato> hannes: eh, ignore that

09:41 <mato> My misunderstanding.

10:58 <mato> hannes: Some data on ukvm memory usage: I've been hammering a non-TLS mirage http server with "siege -t120s -b http://10.0.0.2:8080".

10:58 <mato> hannes: On Linux RSS starts at ~9MB, grows fairly rapidly to ~270MB and stays around there.

10:59 <mato> hannes: On FreeBSD RSS starts at ~6MB and grows much slower, currently after several runs I've seen it go up to ~40M.

10:59 <mato> This may be a leak, or it may just be normal GC behaviour. Both running with OCaml 4.04.

11:00 <mato> The difference in behaviour between Linux and FreeBSD is... interesting. No idea right now what might be causing it.

11:41 <mk[]> does Mirage support SCTP, DCCP, or RUDP?

11:42 <mato> not that I know of

11:45 <mk[]> I searched OPAM and found no results. is OCaml a bad choice for "low" level networking?

12:10 <kensan> mk[]: There is an implementation of DHCP.

12:12 <mk[]> kensan: I'm looking for Datagram Congestion Control Protocol support

12:12 <mk[]> transport layer, but can be tunneled over UDP

12:14 <kensan> mk[]: Ok, I just wanted to mention that there are "lower"* level protocols implemented in OCaml (* for some meaning of "lower").

12:16 <mk[]> kensan: I'm new to OCaml, where should I look for SCTP or RUDP implemenations?

12:23 <kensan> mk[]: Sorry, I am new to this community as well ;)

12:26 <mk[]> kensan: what's your interest in unikernels?

12:28 <mk[]> I've found LingVM (erlangonxen.org) a couple of days ago, but the project seems dead. no updates since 2015

12:31 <mk[]> running bytecode VMs on Xen seems awesome, but C interop and kernel calls kinda kill the possibility (at least for Erlang)

12:45 <kensan> mk[]: I ported MirageOS to the Muen Separation Kernel by implementing support in Solo5.

12:45 <kensan> mk[]: So more on the platform-level, "below" OCaml.

13:00 <mk[]> kensan: I see. High assurance is hard to achieve with Intel's Management Engine

14:05 <kensan> mk[]: That is true but it does not mean we shouldn't try and work on x86 ;)

14:06 <mk[]> nah, let's just wait for RISC-V to take off :)

14:06 <apache2> when the xen mirage logs say "Attempt to open(/dev/urandom)!", what's the best way to debug where it's coming from?

14:06 <mk[]> the sooner the reign of x86 and von Neuman architecture ends, the better

14:16 <kensan> mk[]: Unfortunately, Intel x86 will be around for quite a while... My bet is that in a few years the ISA spec will surpass 5k pages.

14:16 <dstolfa> kensan: It will be around for about 10-15 more years I'd say

14:17 <dstolfa> We need to move on eventually :P

14:19 <mk[]> I guess 10-15 more years of having 1960s designs isn't too bad

14:38 <kensan> mato: I found a small ukvm_module_net issue a while back: https://github.com/codelabs-ch/solo5/commit/0a74a46

14:38 <kensan> mato: Not sure if that is the right fix. Alternatively one could declare the strings as constants and us strlen.

19:55 <dudelson> I got a tls cert from let's encrypt and I'm trying to use it in the static site example from mirage-skeleton instead of the default cert. I made privkey.pem -> server.key, chain.pem -> ca-roots.crt, and cert.pem server.pem

19:55 <dudelson> the unikernel fails when I start it with "ERR [application] main: Unix.Unix_error(Unix.EACCES, "bind", "")"

19:56 <dudelson> does anyone know what I'm doing wrong?

19:57 <lobo> dudelson: just out of the blue. if it is using port 443, you'll have to start it as root or with sudo

21:24 <dudelson> lobo: why's that? It's been working fine for me without sudo so far.

21:26 <Drup> 443 is usually reserved, you need superuser rights to bind to it

21:30 <dstolfa> Drup: In typical UNIX access control, yes. If you have a MAC policy that allows you to bind to privileged ports as a certain user or group, then you don't need to be superuser

21:31 <dstolfa> FreeBSD's portacl lets you do something like that, I'm sure that Linux has something similar

21:31 <dstolfa> dudelson: You might want to make sure that you weren't running on a machine that had a policy like that running

21:36 <dudelson> I changed the port back to 4433 and it works like I was expecting. I forgot I had previously

21:36 <dudelson> set the port to 443 to try deploying the unikernel

21:36 <dudelson> but I didn't know that that port was privileged, thanks for clarifying!

21:40 <lobo> dstolfa: right. seems like it is possible on linux with capabilities. https://gist.github.com/verbosemode/6844daa4db4a7add7d3429d379f9831a#file-gistfile1-txt-L12

21:41 <dstolfa> lobo: Yeah, it's a nifty little thing

21:42 <lobo> dudelson: all ports < 1024 are priviledge ports. they need some special treatment :-)