<dwrensha>
paulproteus: any ideas about how to debug?
* paulproteus
scratches head.
<paulproteus>
You could look at the list of libraries that imagemagick depends on, and see if you can install versions from Ubuntu 14.04 of those libraries.
<paulproteus>
And/or the imagemagick binary itself; maybe that's the one that became sad.
<paulproteus>
You could also see if a stock Ubuntu 15.04 system has the same problem.
<paulproteus>
That's probably the best idea actually.
<dwrensha>
right, start from scratch on 15.04, see if the same thing happens
<paulproteus>
If so, then it's "just" an Ubuntu bug, and you should file it (although then there does remain the problem of figuring out what the real Ubuntu bug is).
<paulproteus>
If I were you, I'd boot an Ubuntu 15.04 live CD in qemu/kvm/etc and test there.
<paulproteus>
You could also use Docker or something like it to get an Ubuntu 15.04 container.
<paulproteus>
You could also test if other SVGs convert OK; maybe it's something special about the SVG inputs that you're providing.
<dwrensha>
yeah, the key icon seems to do just fine
<paulproteus>
For now, if you 'sudo chgrp sandstorm /opt/sandstorm/var/sandstorm/socket/backend' and 'sudo service sandstorm restart', does the problem go away?
<posix4e>
kentonv: y'all should double check it
<kentonv>
I mean, to be clear, if the backend socket can't be open, that should break *all* apps.
<paulproteus>
Yeah, I'm pretty confused about that.
<posix4e>
kentonv: it does
<posix4e>
Well i don't get that error at least
<posix4e>
i wonder if it matters that I installed on top of an install
<paulproteus>
I can't say I've carefully tested installing on top of an install. | :
<posix4e>
*nod
<posix4e>
But you have no uninstall
<posix4e>
what do you do?
<posix4e>
should i be running it out of a git repo?
<posix4e>
or just manually uninstall
<posix4e>
rm etc
<paulproteus>
There's an "update" command, which is one thing you can do.
<paulproteus>
Plus there are auto-updates by default.
<kentonv>
note that dwrensha's suggestion will of course delete all your data
<posix4e>
cheers
<kentonv>
but yes, to install updates you want to use "sandstorm update". To update to a version you built yourself, you can actually run the build with "make update".
<posix4e>
dwrensha: sorry we still haven't cut that podcast, now that we have 3 in the can we will certainly start putting them out
<posix4e>
coolio
erikoeurch has joined #sandstorm
<dwrensha>
posix4e: No worries. Let me know if you need anything else from me.
<kentonv>
hmm the code pretty clearly chown()s that socket to root:sandstorm right after creating it.
<paulproteus>
posix4e: I wonder if you're not running Sandstorm as root, but your previous install did run as root?
<paulproteus>
Oh, but SERVER_USER=sandstorm so you presumably did let it do the things it wants with sudo.
<posix4e>
welp i blew it away and am trying again
<paulproteus>
Oh, but maybe not; maybe you're relying on the fact that your regular user is in the Sandstorm group.
<kentonv>
paulproteus: I can't see any case where the socket would end up being root:root, though
<paulproteus>
posix4e: Aw well, I was hoping to get to the bottom of this, but now that'll be a little harder. Oh well!
<paulproteus>
kentonv: Yeah, huh.
<posix4e>
paulproteus: sorry
<paulproteus>
That's life!
<kentonv>
unless the backend process actually crashed between making the socket and chown()ing it
<paulproteus>
(perhaps it should create it with a temporary name to avoid this problem, renaming it to the final name when it's properly configured!)
<paulproteus>
(not that I necessarily think that's what happened, so I dunno)
<kentonv>
that wouldn't help things, really... if the backend has crashed, you're not going to get anywhere regardless.
<paulproteus>
Sure, but if it crashes just the first time it runs, then my suggestion would enable it to successfully re-initialize the second time.
<paulproteus>
I don't super duper know why it would crash just the first time.
<paulproteus>
Similarly if we're making code changes, it could sanity-check the permissions on the socket at start and log a message when the sanity check fails.
<kentonv>
it will correctly re-initialize the next time regardless
<paulproteus>
Oh, okay, great.
<kentonv>
it does unlink() before creating the socket, and it's root at that point
<paulproteus>
Or, let me put it a different way -- why do you think 'node' should be found?
<posix4e>
yea
<posix4e>
that's a good question, it seems to be in the /bin on the sandstorm chroot
<posix4e>
so i figured from the point of view of the launching app it should be on the "path"
<paulproteus>
If you're relying on the nodejs that Sandstorm bundles, you'll probably have to add it to PATH in order for the app to be able to find it.
<paulproteus>
If instead you're going to e.g. sudo apt-get install nodejs nodejs-legacy
<paulproteus>
then the app will find it by default.
<posix4e>
i have a node on my path as well
<posix4e>
using nvm
<posix4e>
not sure what installing the ubuntu package will help
<posix4e>
or am i missing something
<paulproteus>
I would check the $PATH that the app is using, I suppose!
<paulproteus>
iirc PATH is defined in the Sandstorm package definition file.
<paulproteus>
posix4e: Are you posix4e on GitHub too?
<posix4e>
truth
asmyers has quit [Remote host closed the connection]
<paulproteus>
shout-irc.com does seem cool
<paulproteus>
.
<posix4e>
i'm running it in spk dev and it can't get out on the network, is that expected?
amyers has joined #sandstorm
<posix4e>
specifically getaddrinfo
<paulproteus>
Yeah, that is part of the sandboxing. There is a way to request raw network access, which will only work on people's self-hosted servers, not on the Sandstorm Managed Hosting, which I think is OK.
<paulproteus>
I know jparyani knows how to do that; I'm not sure that I know how, immediately.
<posix4e>
yea i guess my irc client needs some internet access
<posix4e>
err the irc client
<paulproteus>
I would suppose so!
<paulproteus>
It also needs to stay alive in the background, rather than get auto-killed; jparyani has been working on that and I think support for it landed recently.
<posix4e>
so i got kiwiirc started, but it can't access the network. But should still gets this error http://pastebin.com/spMsBDcg
<posix4e>
some junk about read only fs
<paulproteus>
It's trying to mkdir the literal directory '/undefined' I think?
<paulproteus>
In general apps run with their code mounted read-only, with write access to /var and /tmp
<paulproteus>
Maybe I should add a part of the Packaging Guide that gives developers a tour of the sandbox, or something like that.
<posix4e>
ahh cool, thanks so much for the help y'all this is actually pretty easy with all the guidance
<paulproteus>
(-:
<posix4e>
*nod
<paulproteus>
Thanks for being attentive and trying stuff and asking!
<posix4e>
ok sweet i got shout and kiwi launching
<posix4e>
next step getting that network stuff all fixed
<posix4e>
And then i guess take what i learned and get it in the packaging guide
<paulproteus>
That'd be glorious.
<posix4e>
i wonder if i could see how tinytinyrss does it and rip them off
<paulproteus>
That's almost definitely a sane way to go about it.
<dwrensha>
paulproteus: imagemagick appears to be broken on a fresh 15.04 install. :/
<paulproteus>
"Hooray"!
<paulproteus>
It's not your fault!
joshbuddy has joined #sandstorm
<kentonv>
posix4e: ttrss uses an API that provides HTTP GETs
mortehu has left #sandstorm [#sandstorm]
<kentonv>
posix4e: You'll need to use the IP networking stuff instead. Note that it's intended only for "drivers", and only admins can use it.
<posix4e>
once you have any irc app, it's got a covert channel though no?
<posix4e>
How do you prevent it from dropping stuff in a room
<posix4e>
not trying to be dense, just trying to figure out what a good solution would look like, can't say i understand powerbox yet
<kentonv>
depends. If the app has permission only to communicate in one IRC room, then anyone in the room can see its communications, which make them not covert.
<kentonv>
but certainly if you give it permission to talk to an IRC server with private messages, then it can probably leak stuff
<posix4e>
Ooh that's a really interesting idea, and now I totally buy that it would need to be irc centric
<kentonv>
:)
<posix4e>
But yea, that could actually make a lot of sense to have an irc interface which can only talk on the right room, of course you'd still want to support the common irc use case as well
<kentonv>
notice that a legitimate IRC client needs to ask the user what room to connect to. In Sandstorm that would be a powerbox interaction, and the app would get a capability back for that room.
<kentonv>
so it's a choice the user was already making, but it's enforced for security
<posix4e>
makes sense, so this powerbox thing, is someone adding "irc support" or whatever that means already. Perhaps I could help
<kentonv>
you could similarly use the powerbox to get private message capabilities, although that starts to get in the way of the way IRC is normally used, where the user just enters /msg or such.
<XgF>
kentonv: Hmm, it would be good to expose a UI element for every (*some granule*) that a grain is importing (so e.g the IRC driver can do a listing of what channels/etc the client is in)
<posix4e>
Actually it might not be that bad to prompt him to say, you are talking to ... for the first time, here's some info about him (whois) are you sure you want to enable comms with him
<kentonv>
XgF: yes, the sandstorm UI will eventually let you audit and revoke capabilities
<XgF>
I guess there would be a list of powerbox capabilities, so there could be a link there
<dwrensha>
paulproteus: heh, it seems that the only icons that work in 15.04 are the ones that ocdtrekkie tweaked in Adobe Illustrator
<posix4e>
After running a firewall on my phone I am totally for keeping apps from dialing back. it's so annoying and scary, that being said for something like this an interative approach would be nice. Even if it meant less security in the beginning
<kentonv>
posix4e: To get IRC into the powerbox, you'd install an IRC driver, which is a special kind of app that is installed by the admin but appears in every user's powerbox.
<kentonv>
so, we don't quite support drivers yet. :)
<posix4e>
kentonv: I like the fact that it looks like i write c++ code (although i'd rather it be rust)
<posix4e>
ahh
<posix4e>
ok
<kentonv>
because they are kind of pointless without the powerbox
<kentonv>
which we're working on now
<posix4e>
gatcha, yea i couldn't find that code
<posix4e>
lolz
<kentonv>
you could totally write a driver in rust!
<kentonv>
it just needs to be able to speak Cap'n Proto RPC
<posix4e>
ahh sweet
<posix4e>
Welp i guess i'll be patient and continue using irssi for a bit longer
<kentonv>
the only difference between a driver and a regular app will be that its offerings appear in the powerboxes of all users of the server
<kentonv>
well you could start writing some code based on the IP networking interface, which you can obtain through HackSessionContext currently. The goal would be to create a nice Cap'n Proto
<kentonv>
err, pressed enter too soon
<posix4e>
haha tyt
<kentonv>
to create a nice Cap'n Proto capability-based interface to IRC
<kentonv>
eventually, that interface would then be exposed through the powerbox
<kentonv>
you'd want something where there's an IrcServer capability which represents something like "freenode" and then IrcRoom capabilities for each room, etc.
<kentonv>
then you need to implement an HTML/JS UI through which the user can choose one of these capabilities; that UI will be embedded in the powerbox
fonfon has joined #sandstorm
<kentonv>
(the powerbox will tell you whether the request is for a server or a room, etc., so then you display a picker for that)
<kentonv>
in your case it might just be a drop-down for server and a text box for room name
<kentonv>
(or optionally let people specify an alternative server, but the common ones might as well be in a drop-down)
<kentonv>
eventually I think the driver should automatically handle interactions with NickServ authentication, so that apps don't ever handle the user's password.
<kentonv>
so the user would create a user account while interacting with the driver, and tell the driver the password
<dwrensha>
`convert -list format | grep SVG`
<paulproteus>
dwrensha: You can use inkscape to do your SVG conversion perhaps; it has a CLI
<XgF>
kentonv: For most IRC servers you can auth to NickServ by SASL now, or failing that server password
<paulproteus>
Also sadface
<dwrensha>
paulproteus: I wonder if this is a problem on debian as well?
<paulproteus>
posix4e: waah I want you to make an IRC bouncer work even before drivers are a reality, though maybe I'm putting the cart ahead of the horse
<posix4e>
paulproteus: i mean i wonder how hard it would be to cut a big hole in the security model for now, at least you only need to connect to one host
<paulproteus>
Yeah -- Tiny Tiny RSS already does this, so I do suggest stealing whatever it does (or asking jparyani )
<kentonv>
posix4e: you could just port kiwiirc as a "driver" at first. That is, it would use full network access, which means only server admins could use it.
<paulproteus>
++
<posix4e>
ooh wow
<kentonv>
paulproteus: ttrss does something that only works for HTTP
<posix4e>
that'd be hilarious and fun
<paulproteus>
Oh right kentonv .
<dwrensha>
kentonv: define "could use it". You mean "can create grains", right?
<posix4e>
So i assume i just create a spk and install it through the magic driver interface
<posix4e>
how's that?
<kentonv>
posix4e: See HackSessionContext; there's a method that gets IP networking stuff. It doesn't work if the owner isn't admin, though.
<kentonv>
there's no magic driver interface. In the long term, drivers will actually request IP networking through the powerbox, but only the admin has an IP networking capability to give them.
<posix4e>
so basically, 1/ figure out this hsc thang,, 2/ do my normal init and dev 3/ install it through a user who has admin 4/ ? 5/ profit?
<kentonv>
actually, it would be possible for non-admins to receive IP networking capabilities if the admin chose to grant it to them, or through a VPN app, or something
<kentonv>
HackSessionContext is our temporary hack to get at these things without the powerbox being implemented
<paulproteus>
(The way to get the capability is the same; the method(s) to call are different)
<kentonv>
note that you actually have to tunnel the networking over Cap'n Proto. So you might have to write a local "IP proxy" that kiwi connects to. Jason has worked a bit on an IP proxy, though I forget what state it's in.
XgF has quit [Quit: No Ping reply in 180 seconds.]
<zarvox>
presumably the default is blue to make it easier on colorblind folks?
<zarvox>
since otherwise those balls seem indistinguishable
<paulproteus>
Yeah; the idea that the plugin overwrites a core static asset is like a mini proof-of-concept exploit demonstrating how plugins can circumvent Jenkins security.
<paulproteus>
I don't know if that's how it works, but I guess in the any plugin can presumably basically do anything, so hmm!
<jparyani>
zarvox: you can enable colorblind support under your user profile on jenkins. It doesn't change the color back, but it adds an "S" to all green builds
natea has joined #sandstorm
<kentonv>
... how does "S" mean "passed"?
<jparyani>
success!
<kentonv>
ah
natea has quit [Quit: natea]
<dwrensha>
yay I can come to next week's Sandstorm meetup!
<paulproteus>
Whoa!
<dwrensha>
I'll be gone on Friday, but Thursday is good!
<phildini>
there's a sandstorm meetup next week? TIL.
<paulproteus>
Yeah it's semi secretly pre-announced on meetup.com.
<paulproteus>
I was going to give the announcement a once-over and then publish it.
bb010g has quit [Quit: Connection closed for inactivity]
amyers has joined #sandstorm
amyers has quit [Remote host closed the connection]