| 7 Mar 2024 |
edef | and we have UI on eg https://releases.nixos.org | 01:06:01 |
edef | but for cache.nixos.org there's basically no easy UI on top of the raw objects that would be that useful | 01:06:22 |
Zhaofeng Li | you totally can, but the setup process can be daunting/annoying for those who have never used AWS before and just want to download one dataset | 01:06:35 |
edef | we have the data to build a cache explorer now though :p | 01:06:35 |
edef | the counterparty risk is different doing credit card processing for long-lived accounts vs one-offs | 01:07:15 |
edef | like, it may well be a profitable business, it's just a different one | 01:07:26 |
raitobezarius | is there anything like frontend clickhouse | 01:07:30 |
raitobezarius | where people can type clickhouse queries in their browser and get results | 01:07:39 |
edef | (In reply to @raitobezarius:matrix.org: "is there anything like frontend clickhouse") it has a UI on the same port | 01:07:40 |
edef | it's just a textbox | 01:07:43 |
raitobezarius | is it safe to expose? | 01:07:44 |
raitobezarius | publicly I mean | 01:07:52 |
edef | if you set the auth and confine CH properly, kinda? | 01:08:13 |
edef | it's a pile of C++ and i have segfaulted it before | 01:08:21 |
raitobezarius | well seccomp should reasonably prevent bad things from happening | 01:08:34 |
raitobezarius | mmmmm | 01:08:37 |
raitobezarius | i may be tempted to run this | 01:08:40 |
edef | but give it a read-only dataset and seccomp it, and it should be fine | 01:08:44 |
edef | you probably want to leave the query caches on, so don't wipe it for every request | 01:08:56 |
edef | but wipe it every 24h or something and it shouldn't get too nasty, i think | 01:09:15 |
edef | or every hour, doesn't really matter | 01:09:28 |
raitobezarius | clickhouse-gc.service | 01:09:37 |
edef | your biggest concern is like, someone hogging your CPU | 01:09:37 |
raitobezarius | cgroups for that | 01:09:42 |
edef | since it does arbitrary computation | 01:09:44 |
edef | dunno what odds i'd take bets on ClickHouse RCEs for but they're not as huge as you'd like | 01:10:53 |
edef | dunno how well it responds to seccomping | 01:11:45 |
edef | it has explicit mechanisms for running arbitrary subprocesses iirc but i don't know what the defaults on that are | 01:12:29 |
raitobezarius | .o O(cgroup slice per web session) | 01:12:44 |
edef | whatever faith you place in local code exec ≠ local root is your call :p | 01:13:38 |