[TUHS] [tuhs] The Unix shell: a 50-year view

Steffen Nurpmeso steffen at sdaoden.eu
Tue Jul 6 01:08:54 AEST 2021 

Theodore Ts'o wrote in
 <YOKDovR8h8r1yoIP at mit.edu>:
 |On Sun, Jul 04, 2021 at 09:10:49PM +0100, Tony Finch wrote:
 |> Dan Cross <crossd at gmail.com> wrote:
 |>>
 |>> Systemd is both good and bad.
 |> 
 |> I thought this article was well-informed and informative, but VERY long:
 |> https://blog.darknedgy.net/technology/2020/05/02/0/
 |> "systemd, 10 years later: a historical and technical retrospective"
 |
 |This is also a really good talk, by Benno Rice.  Benno is a FreeBSD
 |developer, and has served on the FreeBSD Core Team.  He gave this talk
 |at Linux.Conf.au 2019, and it was a repeat of a talk he gave at BSDCan
 |2018, entitled "The Tragedy of Systemd" ("Tragedy" in the title was
 |used in the Greek drama context):
 |
 | https://www.youtube.com/watch?v=o_AIw9bGogo
 |
 |It's a pretty fair talk about the why systemd came up, and what we
 |might be able to learn from systemd.  His closing line was, which I
 |think is quite good was:
 |
 |   "What I would challenge every one here is to look at systemd, and
 |    try find one thing you like --- and then go try to implement it."

Disclaimer: i .. have not .. seen this.

Everybody may use systemd until they die, my very personal concern
is only that the infrastructure boils down to be unusable without
it.  Also as noone cares, just a few voices here and there, even
more so.  Many small tools exist that can do things, but as
systemd grows they do not, they are not extended to follow suit
Linux kernel features.

I mean, i could hack instead of complaining, but as i use
unshare(1) not docker/systemd i find it unpleasant that i have to
use capsh(1) in addition for example instead of simply feeding
unshare(1) also with the capabilities.  For systemd users this is
just a single line, and often programs come with readily prepared
unit files, take iwd for example

  [Service]
  Type=dbus
  BusName=net.connman.iwd
  ExecStart=@libexecdir@/iwd
[taken from source not installed base as not installed, no
systemd here.]
  NotifyAccess=main
  LimitNPROC=1

I have cgroups yes, but unshare(1) does not do that by itself.
So my shell script wrapper moves the PID by itself, which it is,
essentially.

  Restart=on-failure

I have a cron based watchdog on the server.  (Which never had to
trigger in >5 years of operation.)  But yes...

  CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW

Not unshare.  I am about to add this via capsh(1).

  PrivateTmp=true

So private tmp directories only via boxing into overlayfs views,
but not as it is done here.

  NoNewPrivileges=true

Capabilities not yet.
Maybe one should go and write an unshare which can this too.

  DevicePolicy=closed
  DeviceAllow=/dev/rfkill rw
  ProtectHome=yes
  ProtectSystem=strict
  ProtectControlGroups=yes
  ProtectKernelModules=yes

You see systemd making touchdowns, and i mean it.
Because only it can.  And i played football with my feet.

  ConfigurationDirectory=iwd
  StateDirectory=iwd
  StateDirectoryMode=0700

Granted, all these tortured administrators have a life way easier
by using systemd and just adjusting the unit, if at all needed.
Easier to just browse and copy+paste.

I have to take back my iwd complaint about syslog.  It is just
they did not bother at all.  This Intel program uses the Intel
"ell" (Embedded Linux library), and whereas that offers

  ell/log.c: * l_log_set_ident:
  ell/log.c:LIB_EXPORT void l_log_set_ident(const char *ident)
  ell/log.c: * l_log_set_handler:
  ell/log.c:LIB_EXPORT void l_log_set_handler(l_log_func_t function)
  ell/log.c: * l_log_set_null:
  ell/log.c:LIB_EXPORT void l_log_set_null(void)
  ell/log.c: * l_log_set_stderr:
  ell/log.c:LIB_EXPORT void l_log_set_stderr(void)
  ell/log.c: * l_log_set_syslog:
  ell/log.c:LIB_EXPORT void l_log_set_syslog(void)
  ell/log.c: * l_log_set_journal:
  ell/log.c:LIB_EXPORT void l_log_set_journal(void)
  ell/test.c:     l_log_set_stderr();
  ell/log.h:void l_log_set_ident(const char *ident);
  ell/log.h:void l_log_set_handler(l_log_func_t function);
  ell/log.h:void l_log_set_null(void);
  ell/log.h:void l_log_set_stderr(void);
  ell/log.h:void l_log_set_syslog(void);
  ell/log.h:void l_log_set_journal(void);

they use

  #?0|kent:iwd-1.15$ grep -r l_log_set
  tools/hwsim.c:  l_log_set_stderr();
  tools/probe-req.c:      l_log_set_stderr();
  client/main.c:  l_log_set_stderr();
  src/main.c:     l_log_set_stderr();
  wired/main.c:   l_log_set_stderr();

One could at least be happy they did not fixate "journal", maybe.
Anyhow, the actual error output is for developers only.

Bitrot everywhere.  So just jump on the train that delivers and
pass the rest.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)

More information about the TUHS mailing list