Sandstorm App update: New open-source self-hostable apps (sandstorm.io)
152 points by andybak on Feb 2, 2016 | 60 comments

Looks nice and I'd love to try it out for my company -- hosted at first, then maybe on-premises if we like it.

There's no pricing details on /business, though, only a "Contact Us" link.

So I'll do what I do every time this happens: click "Close Tab" and move on.

(I don't want to talk to your -- or anybody else's -- sales people. Ever. I know I'm not alone either, so you're artificially limiting your user base if you do this.)


This isn't because we want to force you to talk to sales people (we don't even have any sales people! just us techies here!). The problem is that Sandstorm+Business is still in development, so there's nothing self-service for us to offer you. We want people willing to contact us to do so so that we can get their requirements and keep them updated, but if you don't want to talk to us (understandable -- I'm the same way), then your best bet is to try out the "individual" version now (which actually works OK for companies, but doesn't yet have all the features listed on the /business page).

Within a couple months we'll ship this, and then you'll be able to get it set up without talking to anybody. In fact, we plan to make it all part of the same build, so if you install from https://sandstorm.io/install today then the features will appear over time...

(We're currently not actively working on a managed-hosting version of the "business" features. We'll probably do that someday, but on-prem is a big selling point so we're focusing on that for now. That said, many people use https://oasis.sandstorm.io for work purposes today.)

Seriously, you should consider making that somehow part of the "contact us" link. Because even as someone not using the service, anytime I see "contact us" I get the same disgusting feeling in the pit of my stomach that you want me to contact you because you want to up-sell me.

At the very least, make it a link to "show pricing" and then on the next page give an explanation of like - if you need X, it should cost approximately X. Because we're still figuring things out, we may need to give you custom pricing (from the geeks, not a sales guy, we promise!). "Contact Us" has unfortunately become synonymous with shitty used-car negotiations.

If you don't trust their salespeople, why on earth would you trust them claiming that they aren't sales people? Judge based on the available facts, not superficial prejudices.

As stated above, I think it's not so much a lack of trust but a lack of confidence in a company that can't give you a straight-up pricing structure on their web page.

It screams "we'll charge you as much as we think you can afford", kinda like those domain squatters. Oh you're a big company and want this random domain name? $40,000 please.

Most have set prices, but contact us for pricing is often because a company is well aware the sticker shock on the price is going to drive most customers off. Being on the phone when you share that price gives them more of a chance to ease you into the number and try to justify it.

But in the case of Sandstorm devs, it's just that those features/that product is still in development.

Yeah, but vendors should realize that users can see through the facade. Seeing "contact sales" makes me think of the sticker shock, and me being a cynic I often expect the pricing offered to be much higher than it ultimately ends up being.

Ehh... I think you're being too cynical and that you're projecting. I also think you're forgetting that this is a two-way street.

When Walmart calls your sales department, they aren't going to be suckered into a high price. On the contrary, they have a procurement department whose job is to negotiate the price down. They also probably have custom requirements that they want met, so a self-service option wouldn't even work for them.

Typically -- especially among "scalable" startups -- the "contact sales" option is meant specifically for these big fish to utilize, while the smaller fish get a self-service option with standardized pricing. This is what Sandstorm will have in the future.

I would say that I think there needs to be a more upfront accounting of ballpark figures for 'contact sales' moments. Working as a SysAdmin, I've come across points where you call, they want to set up a trial, you ask them how much it's going to cost, and they keep saying 'well, depends on which options you get and this and that, so it's hard to say'.

And I just wanna know if it's a four, five, or six digit figure for God's sakes.

I agree, and I think Sandstorm is not a great centerpiece to have the "contact sales" discussions around. I think it's just a note that the startup community in general could up its 'sales experience' game, ranging from pricing, to support, to onboarding/offboarding. Let's face it, half the time the developers will also be in charge of sales, and speaking for myself I sometimes do not provide the best sales experience to customers.

Also I think Sandstorm is really cool. Feel like I should mention that.

We draw the best inferences we can based on the limited facts available.

I'm also one of those Tab-closers. My advice is, hit me with a real-life demo of these apps, in a video within 8 seconds minimum, or I gtfo, basically..

There is huge value in your offering. But there is also a massive investment required by users of these apps and .. eventually .. your services. You have to show me a demo full of real apps in use, with solid data ..

Well... the front page has a big demo button right at the top...

.. which I have to make the effort to press, if I'm interested, but I actually lost interest within the first 8 seconds of visiting the site because the cyclomatic complexity is just too darn high. Seriously.

You should actually make a "Pricing" page with some representation of this info. I remember seeing sandstorm.io some time ago and dismissing it because I could not find a page showing me what it would cost. I might check it out now though.

https://sandstorm.io/get has pricing, FWIW -- just not for the product that we haven't quite figured out yet.

I'd love to hear from people that are using Sandstorm day to day.

The only thing stopping me is that none of the current apps fill a need that I currently have - although there are a few things I'm close on (I still use Mozilla's etherpad but could easily switch if I can break my habit)

I use Sandstorm daily. Private/company projects are run in Gitlab instances, though I may switch to Gitweb if a minor cosmetic issue is resolved (Gitweb in Sandstorm can only host one repo by design but you still have to click through to it when viewing the instance, which is mildly annoying when all other apps come up ready to use.) I have a bunch of Wekan boards managing everything from coding projects to my GTD buckets to separate boards for random home improvement projects. I prefer Wekan to spreadsheets because I can track work through arbitrary workflows and annotate items with additional data, and Sandstorm lets me manage that without having to maintain and secure a separate Wekan server that any random person could find and exploit. My blog is hosted in Sandstorm WordPress so I have the niceness of its admin interface but none of its security risks, and all the speed of a static site. A small 2-person bootstrapped startup I've cofounded uses it for many of the same use cases plus hosting our app's Piwik instance, again so there's literally no non-Sandstorm-secured user-facing attack surface other than Piwik's API endpoint. I have an idea for a platform co-op in the middle distant future, and if I manage to launch it then I'll run it via Sandstorm-hosted Loomio, which I'm actively attempting to port and am fairly close to completing.

Sandstorm is a great platform, and the community comprises some of the nicest, most dedicated folks I know. When my cofounder messed up our install a bit, Kenton talked us through fixing it on a weekend no less, right down to giving us database queries to run and then patching Sandstorm to handle our edge case the next week. Awesome people.

I've been hosting a Groove Basin instance on it for the last little while. Check it out, it's anarchist radio!


At some point some crazy mofo is going to post it to hackernews. Hopefully I don't have to revoke the URL and clean up any spam and y'all just groove with the little community I've got going on there! But just in case, here's one where you can only listen, that might last a little longer:


I posted a URL for that station to my work's Slack, and then people started uploading stuff and rocking out. We've had a great time taking turns DJing, sharing our musical taste with each other, and hijacking the stream when it gets too boring or weird. I've had friends of mine jump on from elsewhere in the world, some who I haven't seen in years, and drop their music on us. We're completely in love with this -- it's a way for us to stay connected through music without disturbing the people who just want to work quietly.

I'm astounded at how easy Sandstorm made this whole thing. These guys continue to blow me away with their ability to create incredibly useful experiences on a small budget and in such a short time.

I use it daily for etherpad and ethercalc.

Lots of apps now that I need to explore and see where they fit for me.

Looking forward to kentonv <.< clearing the path for huginn


That seems like a killer app when wrapped in the smooth awesome deploy of sandstorm.

Huginn is tricky because it needs to talk to the outside world a lot and we need ways to let it do so securely[0]. But we're closing in on getting that done, and I can't wait to be able to port Huginn to show off how much more secure it will be running inside Sandstorm. :)

[0] https://docs.sandstorm.io/en/latest/using/security-practices...

I use Sandstorm daily. Effectively it replaces Google Drive/Docs for me. I use Etherpad, EtherCalc, and Text Editor a lot on it. And I use Davros for storing arbitrary files I want to share. My blog is hosted on Sandstorm too, but I've posted to it like four times so it doesn't really count.

How do you back up / replicate? How would you recover from your sandstorm instance failing?

Currently, you can back up any particular app instance (grain) by clicking "download backup" in the topbar -- this gives you a .zip of its data, which you can then re-upload to any Sandstorm server. For full-system backups, you'll need to use a standard Linux filesystem backup solution, configured outside of Sandstorm. We (Sandstorm team) plan to add the ability to configure full-system backup through the Sandstorm UI in the future. (Of course, if you use our managed hosting, we are making daily backups.)

I'd love to see integration with uploads of backups to Backblaze B2!

<vaporware>Indeed, the plan is to provide an API such that apps can be written to push backups to different providers. The API will only provide access to already-encrypted data, so you don't have to worry about the app stealing your secrets.</vaporware>

As kentonv mentions, right now that's not fully fleshed out. I do download backups of important grains somewhat regularly, but I'm currently using their hosted service until I'm ready to run my own. (Literally just got a server to play with recently.)

Don't use it day to day; we use Google Docs at my company, so that's what I happen to use for most of that kind of stuff.

But one day Google Docs happened to be down while I was doing a phone screen using Google Docs as a whiteboard for the candidate, and I'd heard about Sandstorm's Etherpad, so I signed up, launched that, and shared it with the candidate. Was quick and easy and we were able to go on with the phone screen.

"Sandstorm Security Non-events

This page contains a partial list of security issues that have not affected web apps when they run in Sandstorm -- typically because of the hardening we do to apps, or because of the hardening we do against the attack surface of the Linux kernel. The purpose is to demonstrate that our security practices provide some degree of useful protection in the face of real-world vulnerabilities."

I understand the usecase of having your own google doc-like services or a note taking device, but reading through the docs I got the picture that everything used would be behind the user wall; is there any way to expose apps from sandstorm as sort of standalone things? I.e., could I make 'forums.example.com', and the forums points to an install of nodebb, allowing for access/registration outside of sandstorm?

I like the idea of having a system where I can deploy instances of open source systems for me/friends to use on my own domain/server (like a small message board or something), but if it's entirely behind the being-a-user-of-the-sandstorm-instance first, then the utility is lessened.

You can freely share any app in Sandstorm with other users using the "share access" button. If you want an app to be "public", you can create a sharing link and post it publicly. (Note that anyone can log into your Sandstorm server, but unless you share with them there is nothing they can do when they log in.) We have a lot of plans to make the UX better here, but it basically works.

The experience does end up pretty different than traditional self-hosted apps, and not everyone will be happy with that, but there are some pretty big advantages to this approach. Users don't need to log into each app separately; instead, they log into Sandstorm once. Apps don't need to implement their own login systems, which means fewer opportunities for security bugs.

Most importantly, having the Sandstorm UI makes it feasible to manage lots of fine-grained app instances that are isolated from each other. Fine-grained containerization in turn has all kinds of advantages, in particular in terms of security. See:


Out of curiosity, what would be the point of someone logging into NodeBB but not your Sandstorm hosting it? Sandstorm takes care of the authentication by design, so you can ensure your users are protected even if a bug is found in the app in question. That's a large part of the benefit of it.

There might be some sense in a way to present it without the sidebar to go to other apps or shared grains or some such, but I can't imagine you'd want to not authenticate users with Sandstorm in that scenario.

For instance if they don't want to sign up, just view content; or in the case of the meteor digg-like app, requiring sign up before use is a major turn-off. Or if I am away from my own computer but want to show someone something on the bulletin board; I don't want to have to log in to the full system to get a link to view (or a link to share) when the alternative is a normal self-hosted app where I could go to forum.mydomain.com.

Just to be clear (and expand on ocdtrekkie's comment):

- Most apps today do not require login when accessing a sharing link. It's an important design goal for us that your friends don't have to create accounts to collaborate.

- <vaporware>We plan to add ways to bind grains to easier-to-remember names in the future.</vaporware>

Ah, I think there's kinda two sides to this.

1. Apps should definitely work as a guest. Many do, some don't. But when a user wants to then log in, they should use the Sandstorm login button on the top right, rather than apps all having their own authentication code (and authentication bugs!).

2. Apps definitely need prettier links. Right now the grains that do work as a guest still are ugly links like example.sandcats.io/shared/gdgfdfhdsjfjsdfksdjfhsdkjfhsdkjf and you have to do a redirect to create a prettier link. Eventually I do believe Sandstorm devs intend to make it easier for you to set certain grains to be at subdomains or what-have-you.

3. Also note that for static content publishing, there's already an established method as well; you can see my blog as an example: blog.jacobweisz.com is hosted on Sandstorm's alpha server.

FWIW, one way Sandstorm addresses this is that anyone can sign in with their Google/GitHub/email if you give them a sharing link. So they don't have to have an account first.

e.g. try this:


This is my friend's bulletin board on his own personal Sandstorm server (admittedly ugly URL - we need to make it possible to make less ugly, but you could work around that with a redirect elsewhere).

Visit it, and then sign in, and you're talking.

If I could choose one app I'd love to see on sandstorm, I'd choose https://github.com/cantino/huginn

Or to generalize just a bit, any good app in the category of "automate all the things". With the recent demise of yahoo pipes, I'm not even sure there is a decent hosted service available in this category anymore, unless IFTTT meets your needs.

I think there's likely a lot of overlap between "people who want their own server" and "people who want to set up automations tying together their various devices and services".

I think Sandstorm sits in the sweet spot between "people who are not only professional engineers but also want to spend the time and effort to maintain a personal server" and "people who don't understand technology and/or will just use what their peers use". Power users, basically.

So yeah. Huginn :)

I agree! We plan to port Huginn just as soon as we have the infrastructure in place so that it is able to request permission to talk to the various external servers that it wants to talk to -- which will be pretty soon now. :)

That was exactly the question I wanted to ask about sandstorm's capabilities. Glad to read this :)

I'm a fan but I haven't used it yet. I'm still a bit wary of either storing data I actually care about (originals) or serving a public website from either a self-hosted or startup-managed machine.

It would be nice to run Sandstorm apps that store their data and serve static websites from Github. Occasionally they go down, but on the whole I'm more confident that their hosting will be around for a long time.

Even longer term, backing up a grain to a git repo (not necessarily Github) would be pretty nice.

Sandstorm's hosting service (Oasis) is hosted on a service arguably/probably more reliable than GitHub... Google Compute Engine.

The big difference between Sandstorm and say... GitHub hosting (if the code is written for their APIs), is no matter whether I self-host or use Oasis, I can easily move my data to a different storage medium later.

Well... I am not going to claim that Oasis itself has better uptime than Github. :)

(Although we have had very few unexpected issues, we still need to take Oasis down briefly during updates. This is something I'm working on fixing, and until then I try my best to schedule updates when people are asleep...)

As to GP's concern about longevity of the service, the key point is that unlike any SaaS service, you can easily move your data off Oasis onto a self-hosted server running only open source software, and end up with exactly the same user experience you had before.

It doesn't really work for me because then I'd be hosting it myself. Even with Digital Ocean, I ended up shutting down a hobby website after a year because I was the only one using it (and then rarely) and I didn't want to pay the monthly fee anymore. App Engine would have been a better choice - everything I put there is still running.

Sandstorm on Digital Ocean might be somewhat better since I could cram more onto one instance, provided I was running multiple things there that I actually used.

Yeah, I was saying Oasis + GitHub would probably not be better than Oasis + GCE.

Being able to do a git clone of a repo containing text files that I actually understand, with a full history, is very comforting.

I'm not sure a zip file containing binary files in some unknown format gives me that.

I really like what Sandstorm is doing here, but the most attractive setup for me (self-hosted on a box I physically control) is hampered by the asynchronous up/down speeds of consumer internet. I already have a somewhat slow download (~15Mbps), but my upload is 10% of that, and I'm not fond of the idea of reducing all of my access speeds to my "cloud" data by 90% of what they currently are.

FWIW, this is why I generally recommend running on a "cloud" provider like Digital Ocean rather than running physically in your own home. But of course that requires trusting the provider, which is a trade-off.

<vaporware>Once we have all our federation plans in place it will be easy to have multiple Sandstorm servers that connect to each other so that you can restrict critical secrets (say, your PGP key) to your home machine while putting less-critical stuff in "the cloud", but still have them all connect to each other (essentially: federated Powerbox).</vaporware>


EDIT: Also, yes, a DO box with Sandstorm is what I have some amorphous period of time this summer reserved for. Just not as ideal for me as physically controlling the box.

On the plus side, you can readily start on one cloud now, pretty much drag-n-drop to another cloud later if prices jump, and bring it home to your living room whenever you want. The ability to click "download backup" and get a zip that has 100% of your app state, ready for one-click restore to a functional install, is ammaaaazing.

My problem isn't speed (300 down, 20 up). It's ipv6 (only). Can't reach my services from the go, because no network, anywhere, runs ipv6.

None of my two mobile carriers. Not my employer's corporate network. No network at any of my friends. And I've yet to see a public hotspot that isn't ipv4 only. Everything ipv6 is dark when I leave the house.

So.. different cause, same problem. Hosting at home is a non-starter.

Consider using a VPN. Great for privacy on untrustworthy networks, and if you run it on your "own" vps you can add things like IPv6

I don't understand the idea. You want me to VPN into a VPS somewhere which is on ipv4 and ipv6? But .. if I have such a VPS, why would I want to host services at home (vs. on this VPS) in the first place?

I agree that a VPN is helpful, a good idea. But unfortunately it doesn't solve my problem in a meaningful way: Running services behind my otherwise decent/fast enough home connection.

Then run the VPN server on your home network as well. I was merely generalizing away from a completely managed VPN service where you don't get to decide what software is used, which features are enabled, or how the routing is done.

Privacy comes at a price. Maybe you could host at a friend's place or rent a physical server.

If you think about asymmetric internet connections there are many reasons it is the way it is but few of them are good reasons. To contrast this, Google fiber offers symmetric connections with 1 GBit/s upload speed which could change the game for some lucky people.

But even with your current connection, if you mostly have low bandwidth content like text/notekeeping and small documents you should try it. There is no good reason to store private notes and documents in the cloud.

Sure, privacy comes at a price, but projects like Sandstorm are (at least in part) aimed at reducing that price relative to the large-scale SaaS services. I've looked into a physical colo, but there isn't one in the town/city where I'm from and it'd be a minimum 2.5 hour drive to the closest site. Unfortunately re: hosting at a friend's house, a small-ish city like mine doesn't have anyone in it other than large businesses who have decent upload. And that's a big reason why I'm still on Gmail, Dropbox, Wunderlist, etc. -- the cost to self-host is just a little too high. For me, as attractive as I find the idea of proper privacy, the price is almost there but not quite low enough.

I look forward to a future where I have access to a symmetric fiber connection -- but that will require either a decade of development where I'm from or a move to a more metropolitan area (the latter is not out of the question, of course). In the meantime I have plans to evaluate a bunch of different self-hosted SaaS options on DigitalOcean in the next few months.

It's an interesting problem.

We don't trust big corporations.

Hosting ourselves is very expensive.

How could this be organized better? 10 people hosting a small server infrastructure together? Can you trust them?

I believe that sandstorm is making the move very much in the right direction. Self hosting will become cheaper and more convenient. In a few years you can drop some little server box off at two friends' places and colocate for them and each one will have their own private cluster. With the storage encrypted, of course.

Setting this up will just require doing the handshake between the servers and between the servers and clients and done.

I've kept an eye on Sandstorm for a while now...however, I get the feeling that it is something I should want to use, but I can't find the use case that warrants it. Can any of the developers here provide a little more context as to when or where it might be useful? Is this kind of like a super simple Docker competitor?

What's the state of the Powerbox? Is it available yet?

Not quite, but here's a pull request:

