Sandstorm News

June changelog - what's new in Sandstorm

By Asheesh Laroia - 13 Jul 2016

June’s big change is that we’ve reworked what first-time users see when using Sandstorm. There are speech bubbles guiding them to install an app, create a grain, and take a look at the “Share access” interface, all powered by intro.js. I’m hopeful this helps people become productive and comfortable with Sandstorm faster than before.

It applies to all users, including demo users, so test it out by opening demo.sandstorm.io in an incognito window and clicking Try a quick demo.

Some readers will appreciate that this month, we also chased down a subtle memory leak caused by a lack of flow control in the HTTP implementation spread across proxy.js and sandstorm-http-bridge. You’ll find the details in pull request #2056.

Read the full changelog here, or visit your own Sandstorm server’s “About Sandstorm” section for a changelog at any time.

v0.169 (2016-06-26) [bugfixes]

v0.168 (2016-06-24) [bugfixes]

v0.167 (2016-06-18) [bugfixes]

v0.166 (2016-06-11) [bugfixes]

v0.165 (2016-06-04) [bugfixes]

Upcoming Event: Web app packaging in Sandstorm: It's not LAMP

By Nena Nguyen - 29 Jun 2016

On July 19th, Sandstorm core dev Asheesh Laroia will be giving a talk about web packaging at our South Bay Sandstorm meetup.

Talk details

This talk covers how web app packaging works for Sandstorm.io. Asheesh will compare and contrast Sandstorm packaging against the typical install process on a Linux/Apache/MySQL/PHP system. This talk was featured at Debconf16, the yearly Debian conference.

He will outline how Sandstorm’s packaging tools do a few strange things to allow unprivileged users to install apps with one click:

• Every app package is a tiny Debian derivative, often as small as 20MB.

• Apps have no Internet connectivity to the outside world.

• Sandstorm uses a FUSE filesystem to identify which files are needed to run the app.

• An app bundles all its needed services, as well as files, resulting in one MySQL service per app.

• Users click and run one instance of an app like Etherpad per document, which is all handled transparently via a web app, a strategy that has neutralized 95% of 0-day web app vulnerabilities, based on our analysis.

• Developers on Mac OS and Windows can create packages for Sandstorm, even though Sandstorm is Linux-only, due to an emphasis on Linux VMs in our development tools.

Somehow we manage to make this scale reasonably well. Additionally, it is popular with upstream authors: of the >58 web apps packaged for Sandstorm, about 1/3 are maintained by their upstreams.

This talk focuses on how the Sandstorm packaging tools work, with community insights as well as technical ones, with the hopes of showing Debian how to more effectively package web apps for end users.

Come for the opportunity to meet others in the Sandstorm community, and work on your project with guidance from our core devs. This event will be held at RethinkDB in Mountain View on July 19. RSVP here.

Designing secure systems with Object-Capabilities, Python, and Cap'n Proto

By Nena Nguyen - 20 Jun 2016

At our Sandstorm meetup on June 16th, Sandstorm core dev Drew Fisher talked about an object-oriented programming inspired technique for designing secure systems called object-capability security.

Object-capability security is a technique for designing systems that lets us apply object-oriented design principles to security policies, reducing cognitive overhead and risk of errors that lead to vulnerabilities. In this talk, Drew explains capabilities, how they work, and what cool things they make possible for your systems, with real-world examples from Sandstorm.io.

Watch the full talk here:

To see the slides: http://zarvox.org/pycon2016-talk

To read more about capability-based security: https://sandstorm.io/how-it-works#capabilities

To read more on Cap’n Proto: https://capnproto.org/

We also have an upcoming meetup on July 19 where Asheesh is giving a talk entitled, “Web app packaging in Sandstorm: It’s not LAMP.” RethinkDB is kind enough to host our event at their office in Mountain View, and all are invited. Read the details & RSVP here.

How to create a shared photo library with Lychee

By Ovidiu Pacuraru - 13 Jun 2016

Today’s blog post comes from guest writer Ovidiu Pacuraru.

In this tutorial, we will show you how a family on holiday can organize images from dad’s DSLR, mom’s iPhone and the kid’s Android phone inside one album. They can all use the same Lychee grain in Sandstorm from a web browser; this tutorial shows how to set it up.

There are at least a couple of different scenarios where you’d want to create a photo library and share it with others. Another example is when 3 people are writing a blog but only one editor approves images, so images need to be collected at a central point. I have found uploading and sharing via Google to be a bit hit and miss.

In any case where you need to create a shared photo library using Lychee, you can follow these steps:

1. Get Sandstorm by signing up for Oasis or installing it on your own machine.

2. Install Lychee from the App Market

3. In the next window that opens, click: INSTALL

4. Create a new grain

5. Rename your grain

6. Add an album

7. Name your album

8. Upload some images

9. Browse your album

10. Share access with your family

11. Invite family members

I hope you enjoy creating photo albums using Lychee from the Sandstorm App Market. Don't forget to leave a review!

Upcoming events in June in San Francisco, Morgantown

By Jade Wang - 06 Jun 2016

Designing secure systems with Object-Capabilities, Python, and Cap’n Proto (San Francisco, CA)

Join us for a talk from Sandstorm core dev Drew Fisher about an object-oriented programming inspired technique for designing secure systems called object-capability security. Drew’s talk will be followed by a Q&A session with opportunities to chat with Sandstorm’s community before and after. A huge shoutout and thanks to ThoughtWorks for hosting the meetup and for dinner!

Thursday, June 16, 2016
6:00 PM to 9:30 PM
ThoughtWorks
814 Mission St, 5th Floor, San Francisco, CA

RSVP here: http://www.meetup.com/Sandstorm-SF-Bay-Area/events/231065150/

Building a decentralized web with Sandstorm

If you’re in Morgantown, West Virginia, join the Linux User Group, and meet Sandstorm core dev David Renshaw! David will give an overview of Sandstorm, and will dive into some of the technical details of what makes Sandstorm tick.

Thursday, June 9, 2016
7:00 PM
Listhub
453 Suncrest Towne Centre, 2nd Floor, Morgantown, WV

RSVP here: http://www.meetup.com/Morgantown-Linux-User-Group/events/228038429/