gopar has quit [Remote host closed the connection]
mnutt_ has quit [Quit: mnutt_]
jadewang has joined #sandstorm
jdenz has joined #sandstorm
<jdenz>
Hi all. I realized that even though I was able to get SSL working with the sandcats.io using my own CA certificate, this isn't ideal for the types of apps currently available in sandstorm and my use case. I work with clients who would have problems adding a CA cert to their browsers, they may be using multiple devices, etc... Am I right in thinking that the only way to get SSL on a self-hosted instance of sandstorm is to purchase a certificate that wil
jadewang has quit [Ping timeout: 265 seconds]
<jdenz>
I mean, the only way that will work for most users.
<jdenz>
Also, I was looking here: https://community.letsencrypt.org/t/frequently-asked-questions-faq/26 hoping to see if Let's Encrypt might be an option, but they say they won't support wildcard certificates because they don't think the "vast majority of potential subscribers" will need them.
mnutt_ has joined #sandstorm
mnutt_ has quit [Client Quit]
mnutt_ has joined #sandstorm
mnutt_ has quit [Quit: mnutt_]
mnutt_ has joined #sandstorm
jadewang has joined #sandstorm
<kentonv>
jdenz: paulproteus is working on a better solution, but it won't be ready for a few weeks still...
<jdenz>
Ok, yeah. I think he mentioned that to me yesterday. Something to do with GlobalSign?
<kentonv>
jdenz: yeah, setting up to make it really easy to get a cert for sandcats hosts
<kentonv>
alright people, the performance problems on oasis should be a lot better in a few hours when I push the next update
neynah has joined #sandstorm
<jdenz>
kentonv: That's promising for folks using the sandcats.io DNS. It's not too helpful for folks using a different DNS. I'm using sandcats.io for now, so it's ok for my needs so far, but it would be nice to somehow have an inexpensive (if not free) way to use sandstorm fully self-hosted. I guess there's still potential for the Let's Encrypt folks to issue wildcard certs at some point in the future, maybe after they're fully up and running.
<jdenz>
kentonv: Also, I really appreciate the work you all have done. I don't mean to come off negatively. You all are creating a really helpful system and I'm grateful. Thank you!
<kentonv>
yeah, though once you're no longer under sandcats it just becomes much, much harder for us to automate things, since everyone has a different starting point...
<paulproteus>
oasis seems speedy. Are we post-deploy?
<paulproteus>
I'm glad jdenz came by and chatted with us. I hope I can finish some of that work soon, and that something Let's Encrypt-like works out for everyone else.
<kentonv>
nah, just at the lowpoint of thhe day
<kentonv>
going to deploy at 11
<paulproteus>
meonkeys: Thanks for dropping by and saying so!
<kentonv>
it still amazes me that my computer's and phone's clocks are synchronized to within a fraction of a second without me having done anything to achieve that
<kentonv>
in my day most clocks were off by up to 5 minutes and that's how we liked it!!!1
<paulproteus>
kinit(v5): Clock skew too great while getting initial credentials
<kentonv>
computer clocks used to be the worst
<kentonv>
yet somehow we survived
<kentonv>
I guess because nothing was connected so who cares
<paulproteus>
make: warning: Clock skew detected. Your build may be incomplete.
<kentonv>
workers 0, 4, and 5 are taking their sweet time dying
<kentonv>
there we go
<kentonv>
time for a mongo election
<kentonv>
oh boy, four frontends complaining about mongo election not being done, all interleaved in the logs
<paulproteus>
Like UK citizens fearful of the coalition never forming a government.
<kentonv>
and we're back
<paulproteus>
I'm not sure my grain is loading: make: warning: Clock skew detected. Your build may be incomplete.
<paulproteus>
One of my tabs says 504 Gateway Timeout nginx/1.8.0
<paulproteus>
Seems fine now though?
<kentonv>
bleh, I think it just takes a while to warm the caches
<paulproteus>
Two min is a while for a grain, but OK! I guess nginx even agrees with me.
<paulproteus>
But yeah, I can live with that for now.
<paulproteus>
+1
<kentonv>
yes, I agree that's way too long
<paulproteus>
I can totally live with it though. Sleep well, talk to you tomorrow!
<kentonv>
note that it's the app that needs warming, not so much the grain
<kentonv>
so typically everything will be warm already
<kentonv>
oasis: performs better with more users, I guess
<kentonv>
(to a point)
mnutt_ has quit [Quit: mnutt_]
jadewang has quit [Remote host closed the connection]
gopar has quit [Remote host closed the connection]
larjona has joined #sandstorm
mquandalle has quit [Quit: Connection closed for inactivity]
jadewang has joined #sandstorm
jadewang has quit [Ping timeout: 240 seconds]
xcombelle has joined #sandstorm
davidjgr_ has joined #sandstorm
davidjgraph has quit [Ping timeout: 268 seconds]
Aric has quit [Quit: Connection closed for inactivity]
davidjgr_ is now known as davidjgraph
jadewang has joined #sandstorm
jadewang has quit [Ping timeout: 252 seconds]
mort___ has joined #sandstorm
mort___ has quit [Quit: Leaving.]
mort___ has joined #sandstorm
jadewang has joined #sandstorm
jadewang has quit [Ping timeout: 260 seconds]
mort___ has quit [Quit: Leaving.]
xcombelle has quit [Remote host closed the connection]
ecloud has quit [Ping timeout: 246 seconds]
ecloud has joined #sandstorm
jadewang has joined #sandstorm
losvedir has joined #sandstorm
jadewang has quit [Ping timeout: 264 seconds]
larjona has quit [Quit: Konversation terminated!]
jadewang has joined #sandstorm
jadewang has quit [Ping timeout: 264 seconds]
bpierre_____ has quit []
bpierre has joined #sandstorm
xcombelle has joined #sandstorm
mort___ has joined #sandstorm
mnutt_ has joined #sandstorm
gopar has joined #sandstorm
jadewang has joined #sandstorm
jeffmendoza has joined #sandstorm
jadewang has quit [Ping timeout: 246 seconds]
mort___ has quit [Quit: Leaving.]
mort___ has joined #sandstorm
mnutt__ has joined #sandstorm
gopar has quit [Quit: Leaving]
mnutt__ has quit [Quit: mnutt__]
mnutt_ has quit [Quit: mnutt_]
jadewang has joined #sandstorm
NOTevil has joined #sandstorm
mort___ has quit [Quit: Leaving.]
<paulproteus>
These yaks will be so finely shorn.
mort___ has joined #sandstorm
chris_severs has joined #sandstorm
<chris_severs>
hi, I'm running a self hosted sandstorm install and everything looks fine but when I run a grain I get a spinner and nothing else. I don't see any obvious red flags in the sandstorm logs or the grain logs. Any ideas?
<paulproteus>
Hi chris_severs !
<chris_severs>
hi!
<paulproteus>
This sounds like a problem with wildcard hosts, see "Why do I see an error when I try to launch an app, even when the Sandstorm interface works fine?"
<paulproteus>
Let me know if that helps you out, and/or if it doesn't!
<chris_severs>
doh, I did not see that question, will check it out
<paulproteus>
Happy to help out. I'm the main maintainer of the installer so it matters a lot to me that people get set up correctly!
<chris_severs>
unrelated to my self hosted at work issue, I have an oasis account for personal use and I love it so far, great work :)
<paulproteus>
: D
<paulproteus>
Glad you like it!
<paulproteus>
If you feel like blogging or tweeting about it, that always helps.
<paulproteus>
And I'd love to help get past the self-hosting issues too.
<chris_severs>
checking with our infrastructure folks to see what I need to do to enable wildcard dns
<chris_severs>
if I get an answer I'll see if I can share it, this is on an internal openstack system
<paulproteus>
Great.
<paulproteus>
BTW if possible I'd love if you can email us at some point -- community@sandstorm.io -- so you can keep us posted on how we can make Sandstorm more useful for you.
<chris_severs>
will do
<chris_severs>
I might try and package a couple things I like as well, I saw a few of them on your wanted list
<paulproteus>
That would make you larger than life.
mnutt_ has joined #sandstorm
<paulproteus>
I would be extremely happy to provide Q&A and package review whenever as you do that -- community@sandstorm.io is a good place for that if you want to avoid public archiving; sandstorm-dev on Google Groups is best if you are OK with public archiving.
<paulproteus>
What are you thinking of packaging?
<chris_severs>
to start with probably jupyter notebooks for julia and R since we use them a lot
<paulproteus>
jparyani: ^
<paulproteus>
(jparyani is iirc the maintainer of the IPython Notebook package)
<paulproteus>
(and yes you should totally package Jupyter notebooks for Julia & R)
<chris_severs>
I think there is an issue that covers all of them though which is how do I add a package that I want to use that wasn't part of the initial install?
<chris_severs>
oh sorry I mean in an existing notebook, so in the current ipython setup it has numpy/scipy/pandas which is great but suppose I want some other module
<chris_severs>
normally I would do something like !pip install blah in the notebook and it would install it in the underlying system if I had permissions
<chris_severs>
doing so in the current notebook however gives an error
<paulproteus>
Oh, gotcha.
<paulproteus>
Yeah -- two answers for you.
<chris_severs>
there might be some workaround in the python instance at least by running from a virtualenv environment in the persistent writable part of the system /var something I think?
<paulproteus>
1. Make a fresh package that contains the packaging you want, or
<paulproteus>
2. Figure out how to give the notebook outbound Internet access.
<paulproteus>
#2 isn't documented at the moment )-: but it is totally theoretically possible.
<chris_severs>
got it
<chris_severs>
will start playing and see what I can find
<maurer>
paulproteus: Are you sure you couldn't also have 3.) Create a local cache in the package that contains most of pip?
<paulproteus>
The Tiny Tiny RSS package does that.
<paulproteus>
maurer: Oh fascinating.
<maurer>
paulproteus: You'd probably want dedup of some kind to avoid massive blowup of the per-notebook size
<paulproteus>
It'd be super interesting to create, like, a wheel cache that could be stored in /var
<paulproteus>
I mean in the package
<paulproteus>
And then pip install-ing something can only install from that wheel cache, but hey, that means +1 improved privacy too.
<maurer>
vov just another option that allows much more limited permissions
<maurer>
(I really like the notion that grains don't get default access to the internet)
<chris_severs>
now assume the same for R and Julia
<paulproteus>
What does vov mean?
<paulproteus>
Is it like wow but with less intensity?
<maurer>
it is a shrug
<paulproteus>
Oh okay.
<dwrensha>
¯\_(ツ)_/¯
<paulproteus>
: D
<paulproteus>
Looks like you'd need to do something like
<paulproteus>
I honestly really love the lack of Internet connectivity too even though it might be somewhat annoying, so it'd be pretty neat to bundle packages that are needed.
<paulproteus>
In the future we could connect it to a separate package cache grain.
<paulproteus>
I'm actually sort of curious if chris_severs that network isolation is something you like/appreciate/hate/find boring/etc.
mnutt__ has joined #sandstorm
jadewang has quit [Ping timeout: 265 seconds]
jadewang has joined #sandstorm
<maurer>
paulproteus: oh, btw, are we going to be able to get anonymous write links for grains at some point?
<paulproteus>
Tell me more about what anonymous write links means.
<paulproteus>
You mean, without creating a sharing link?
<maurer>
Maybe I misunderstood what sharing links do, but the goal would be:
<maurer>
1.) Create an etherpad or similar grain
<maurer>
2.) Publish some kind of link on an out of band medium that allows arbitrary people to read said grain, watching the document
<maurer>
3.) Send to some set of collaborators a link which allows them to write to the document as well, but which they do not need an account for
<maurer>
Maybe I misunderstood and if I just send someone the link in my URL bar it will give them read only, and the sharing link will give them write?
mnutt_ has quit [Quit: mnutt_]
mnutt_ has joined #sandstorm
<maurer>
A sample use case would be a design doc for an open source project - everyone should be able to see it, but only primary contributors at the time should really be able to edit it
<maurer>
Actually, that may not be a perfect use case, since you could argue you want accounts there in order to allow for revocation
<paulproteus>
maurer: I have a meeting in a sec, but -- try this on the demo w/ Etherpad by creating a read-only sharing link
<paulproteus>
afk a bit
<dwrensha>
maurer: we support such things already
<maurer>
Yeah, I think I may have just gotten the UI wrong
<maurer>
OK, so just pasting the grain URL doesn't do a read only share (private browser getting 403)
<dwrensha>
right, you need a sharing link
<maurer>
Oh, there's a CAN EDIT in the Etherpad app. It looks like I was just confused because the app I was running at the time hadn't declared permissions
<maurer>
Sorry for wasting time
<maurer>
(you have implemented the feature I was asking for already, I just didn't check for it thoroughly enough)
<dwrensha>
maurer: UI feedback is useful!
<maurer>
It's not even UI feedback really though :P
<maurer>
What happened here was I checked the sharing menu in an app with no permissions
<maurer>
didn't see a permissions dropdown (as well there should not be)
<maurer>
and assumed that it just didn't exist
<maurer>
this was an engineer's mistake >_>
gopar has joined #sandstorm
losvedir has quit [Quit: losvedir]
mnutt__ has quit [Quit: mnutt__]
mort___ has quit [Quit: Leaving.]
itscassa|away has quit [Ping timeout: 268 seconds]
itscassa|away has joined #sandstorm
mquandalle has joined #sandstorm
xcombelle has quit [Remote host closed the connection]
mort___ has joined #sandstorm
<geofft>
do y'all have a long-term mobile story, out of curiosity?
<geofft>
I may end up switching this thing from an Etherpad grain to Google Docs so that it works better on phones :(
gwollon has joined #sandstorm
dcb_ has joined #sandstorm
dcb has quit [Ping timeout: 244 seconds]
gwillen has quit [Ping timeout: 244 seconds]
mrshu has quit [Ping timeout: 244 seconds]
mrshu has joined #sandstorm
jadewang has quit [Remote host closed the connection]
<chris_severs>
paulproteus: sorry for the slow reply, lots of meetings and lunch. Network isolation is something fairly important since at least in my work environment we have a lot of sensitive data that shouldn't leak and should be restricted
<paulproteus>
Cool! That's useful to know.
<chris_severs>
having guarantees at the system level about isolation makes me much more confident about using other people's packages too
<paulproteus>
Can I say, chris_severs, I basically expect no one to care about security.
<paulproteus>
So I'm legit impressed, and it sounds like you'll like other things we do, and that's really great!
<chris_severs>
so I actually started awhile back building a system somewhat like sandstorm (but using larger blocks like mesos and docker) for our applied research/data science people to have on demand compute resources and preconfigured environments and the concern I ran into over and over was data security
<chris_severs>
the current incarnation looks something like kubernetes pods with the only entry point through an nginx sidecar which is set up to use our single sign on system
<paulproteus>
Neat!
<chris_severs>
I think you're ahead of the game though on this front and we're trying to learn from sandstorm :)
<paulproteus>
I'd love to have Sandstorm be something you can use productively!
<paulproteus>
I'm in a meeting so probably all you'll get is platitudes from me for the next couple fof hours.
<paulproteus>
s/fof/for/
isd has quit [Ping timeout: 244 seconds]
isd has joined #sandstorm
mcpherrin has quit [Ping timeout: 272 seconds]
mcpherrin has joined #sandstorm
gopar has quit [Quit: Leaving]
NOTevil has quit [Quit: Leaving]
mort___ has quit [Quit: Leaving.]
isd has quit [Ping timeout: 252 seconds]
isd has joined #sandstorm
decipherstatic has quit [Quit: No Ping reply in 180 seconds.]
decipherstatic has joined #sandstorm
mnutt_ has quit [Quit: mnutt_]
mnutt_ has joined #sandstorm
gopar has joined #sandstorm
jadewang has joined #sandstorm
jeffmendoza has quit [Ping timeout: 265 seconds]
mnutt_ has quit [Quit: mnutt_]
jadewang has quit [Remote host closed the connection]
mnutt_ has joined #sandstorm
jadewang has joined #sandstorm
jadewang has quit [Remote host closed the connection]