Sandstorm personal cloud platform
Containerization is popular these days, with technologies like Docker having made a big splash recently. But earlier containerization efforts like LXC (which Docker was at one time based on) and OpenVZ laid the foundation, and newer efforts like Sandstorm may take the technique even further. Sandstorm is an early-stage project that bills itself as a "personal cloud platform". It is targeted at solving some of the same kinds of problems that FreedomBox is trying to solve, such as allowing users to take control of their own data.
Containers are not really Linux distributions per se, but they solve some of the same problems, particularly in the area of packaging. Both Docker and Sandstorm provide a mechanism to distribute Linux applications that is quite different from what users of traditional distributions have become accustomed to. Each Sandstorm container is, in some sense, a mini-distribution focused on providing just the environment needed by a particular application. All of the binaries, libraries, configuration, and so on, are collected up into the container so that they are available to a particular application instantiation, but not to other applications.
That isolation is why lead developer Kenton Varda (who developed the open
source version of Protocol
Buffers while at Google) calls the containers "sandboxes". The idea is
to isolate each application instance in its sandbox so that it cannot
affect any of the other applications running in sandboxes on the same
host. There is still a fair way to go before that goal is realized. As
the Caveats
section on the Sandstorm GitHub page
indicates: "At present, Sandstorm's sandboxing is incomplete. Malicious code probably can escape. Malicious code definitely can DoS your server by consuming all available resources.
"
For applications to work in this new, sandboxed world, they will need to be packaged up differently, using the Sandstorm tools. The porting guide shows how to use those tools. The basic mechanism is to install the application on a development server, which will observe an application in action while recording all of the files that it uses during its execution. That list of files, potentially with tweaks made by the developer, can then be used to create a container that will run the application when it gets installed on a Sandstorm server.
The vision is to have these applications available in an "App Store" of
sorts, where the applications can be easily installed by users onto their
own Sandstorm server (or as instances under their control on a shared
Sandstorm server). There would be no command-line interaction required, as
"the only way you ever interact with an app is through your web
browser
", Varda said in the Sandstorm
Development Google Group. He was answering a question about the
differences between Sandstorm and Docker, and continued:
This leads to several very different design choices:
- Containers only run while you have them open in your browser. Once you close the browser, the container is shut down, and then restarted the next time you return. (This implies that containers have to start up very fast.)
- Most of the container's filesystem is read-only, so that all containers can share common files (such as the application binary). Only /var is writable, and that's where it stores data specific to the particular document.
- Containers do not usually run any background daemons. Just a web server for the app itself.
- Containers do not use OS-level user accounts.
- HTTP requests going into the container must pass through the Sandstorm front-end, which handles authentication and access control so that the application doesn't have to. Thus apps are easier to write and many kinds of possible security bugs in apps are avoided.
The project is quite new, as it was announced by Varda on March 24. The plan is for Sandstorm to use Varda's follow-up to Protocol Buffers, called Cap'n Proto, for remote procedure calls (RPCs) between the sandboxed applications. The permissions for doing so would be managed through a powerbox-like graphical user interface (GUI). Currently, Sandstorm's API only allows sandboxed applications to handle HTTP and WebSocket requests, but much more is planned.
The big picture is all about users taking control of their own data, so that it can't be misappropriated, spied upon, data mined, or simply vanish if the service where it is stored decides to close up shop. There's a lot to do to get there. Even with a platform that handles problems like security and authentication, as Sandstorm is envisioned to do, there will need to be a large number of cooperating applications to make for a viable ecosystem. The current crop of Sandstorm apps is small, with just a handful of simple apps that can be installed either on local Sandstorm servers or on the managed instances that those who have signed up and been invited to join the Alpha test can use.
Overall, Sandstorm is an interesting idea of what user-controlled services could look like down the road. It remains to be seen if enough users actually care about that control and are willing to do something about it. The promise of total app isolation, such that malicious apps can do no real damage, is intriguing, as is having a user-friendly way to set it all up and get it running. There's a lot of promise, but it may be difficult to nurture a robust, cooperating app ecosystem, which could make for a fairly large hurdle for the project. In any case, it is an ambitious vision and it will be interesting to watch where Sandstorm goes from here.
[ Thanks to Jim Garrison, who reminded us about a topic that has been on
our list for a while now. ]
| Index entries for this article | |
|---|---|
| Security | Containers |
| Security | Distributions |
Posted Jun 26, 2014 3:46 UTC (Thu)
by kentonv (subscriber, #92073)
[Link] (1 responses)
This design would be totally impossible without modern Linux kernel features like namespacing, cgroups, and seccomp-bpf. Lightweight sandboxing means it's reasonable to sandbox at the granularity of documents and spin-up sandboxes on-demand -- simply not feasible with traditional VMs. Meanwhile, using native-code sandboxes (as opposed to programming-language-specific) means we've been able to port a lot of existing open source apps to quickly bootstrap the ecosystem. In just the last couple weeks we've ported Mailpile, Ghost, ShareLaTeX, Mediawiki, and others. These aren't on the app list yet as we're still polishing a couple things, but will be there soon.
Many thanks to the Linux kernel devs for making all this possible!
Posted Jun 26, 2014 18:50 UTC (Thu)
by smoogen (subscriber, #97)
[Link]
Posted Jul 14, 2014 2:30 UTC (Mon)
by zenaan (guest, #3778)
[Link]
Over the years, some proprietary apps (which some unfortunate sods like me still have to use on occasion) have gone from "good luck with that" to "gold" level compatibility/ runtime support, only to later slip back down to say "bronze".
When an environment/ setup/ version of WINE ready for the installation of that app is at "gold" level, then that env ought be containerized, so that it can be deserialized/ unzipped/ copied as needed, ready for consistently installing at "gold" level, that specific proprietary application.
Posted Jul 20, 2014 21:57 UTC (Sun)
by kentonv (subscriber, #92073)
[Link]
Update: We've now started a crowdfunding campaign for Sandstorm:
Sandstorm personal cloud platform
Sandstorm personal cloud platform
Sandstorm personal cloud platform
Sandstorm personal cloud platform