Theodore Ts'o wrote in
<YOKDovR8h8r1yoIP(a)mit.edu>:
|On Sun, Jul 04, 2021 at 09:10:49PM +0100, Tony Finch wrote:
|> Dan Cross <crossd(a)gmail.com> wrote:
|>>
|>> Systemd is both good and bad.
|>
|> I thought this article was well-informed and informative, but VERY long:
|>
|> https://blog.darknedgy.net/technology/2020/05/02/0/
|> "systemd, 10 years later: a historical and technical retrospective"
|
|This is also a really good talk, by Benno Rice. Benno is a FreeBSD
|developer, and has served on the FreeBSD Core Team. He gave this talk
|at Linux.Conf.au 2019, and it was a repeat of a talk he gave at BSDCan
|2018, entitled "The Tragedy of Systemd" ("Tragedy" in the title was
|used in the Greek drama context):
|
|https://www.youtube.com/watch?v=o_AIw9bGogo
|
|It's a pretty fair talk about why systemd came up, and what we
|might be able to learn from systemd. His closing line, which I
|think is quite good, was:
|
| "What I would challenge everyone here is to look at systemd, and
| try to find one thing you like --- and then go try to implement it."
Disclaimer: i .. have not .. seen this.
Everybody may use systemd until they die; my very personal concern
is only that the infrastructure boils down to being unusable without
it. Also, as no one cares, just a few voices here and there, even
more so. Many small tools exist that can do things, but as
systemd grows they do not; they are not extended to follow suit
with Linux kernel features.
I mean, i could hack instead of complaining, but as i use
unshare(1), not docker/systemd, i find it unpleasant that i have to
use capsh(1) in addition, for example, instead of simply feeding
unshare(1) with the capabilities too. For systemd users this is
just a single line, and often programs come with readily prepared
unit files; take iwd for example:
  [Service]
  Type=dbus
  BusName=net.connman.iwd
  ExecStart=@libexecdir@/iwd
[taken from the source, not from an installed base, as it is not
installed; no systemd here.]
  NotifyAccess=main
  LimitNPROC=1
I have cgroups, yes, but unshare(1) does not do that by itself.
So my shell script wrapper moves the PID by itself, which it is,
essentially.
  Restart=on-failure
I have a cron based watchdog on the server. (Which never had to
trigger in >5 years of operation.) But yes...
  CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
Not unshare. I am about to add this via capsh(1).
  PrivateTmp=true
So private tmp directories only via boxing into overlayfs views,
but not as it is done here.
  NoNewPrivileges=true
Capabilities not yet.
Maybe one should go and write an unshare which can do this too.
  DevicePolicy=closed
  DeviceAllow=/dev/rfkill rw
  ProtectHome=yes
  ProtectSystem=strict
  ProtectControlGroups=yes
  ProtectKernelModules=yes
You see systemd making touchdowns, and i mean it.
Because only it can. And i played football with my feet.
  ConfigurationDirectory=iwd
  StateDirectory=iwd
  StateDirectoryMode=0700
Granted, all these tortured administrators have a way easier life
by using systemd and just adjusting the unit, if at all needed.
Easier to just browse and copy+paste.
I have to take back my iwd complaint about syslog. It is just that
they did not bother at all. This Intel program uses the Intel
"ell" (Embedded Linux library), and whereas that offers
ell/log.c: * l_log_set_ident:
ell/log.c:LIB_EXPORT void l_log_set_ident(const char *ident)
ell/log.c: * l_log_set_handler:
ell/log.c:LIB_EXPORT void l_log_set_handler(l_log_func_t function)
ell/log.c: * l_log_set_null:
ell/log.c:LIB_EXPORT void l_log_set_null(void)
ell/log.c: * l_log_set_stderr:
ell/log.c:LIB_EXPORT void l_log_set_stderr(void)
ell/log.c: * l_log_set_syslog:
ell/log.c:LIB_EXPORT void l_log_set_syslog(void)
ell/log.c: * l_log_set_journal:
ell/log.c:LIB_EXPORT void l_log_set_journal(void)
ell/test.c: l_log_set_stderr();
ell/log.h:void l_log_set_ident(const char *ident);
ell/log.h:void l_log_set_handler(l_log_func_t function);
ell/log.h:void l_log_set_null(void);
ell/log.h:void l_log_set_stderr(void);
ell/log.h:void l_log_set_syslog(void);
ell/log.h:void l_log_set_journal(void);
they use
#?0|kent:iwd-1.15$ grep -r l_log_set
tools/hwsim.c: l_log_set_stderr();
tools/probe-req.c: l_log_set_stderr();
client/main.c: l_log_set_stderr();
src/main.c: l_log_set_stderr();
wired/main.c: l_log_set_stderr();
One could at least be happy they did not fixate "journal", maybe.
Anyhow, the actual error output is for developers only.
Bitrot everywhere. So just jump on the train that delivers and
pass the rest.
--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
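The unshare(1)/capsh(1) translation the mail describes for the iwd unit above, as an added example that is neither the poster's wrapper script nor part of iwd, systemd or ell: it parses the [Service] directives and emits the equivalent wrapper command line. The directive-to-flag mapping (including the `~`-inverted CapabilityBoundingSet= form, which the mail does not use) is this example's own assumption, as is a util-linux unshare and a libcap whose capsh has `--no-new-privs`.

```python
"""Translate a subset of a systemd [Service] section into an unshare(1)/capsh(1)
wrapper command line.  Added example; the directive-to-flag mapping is an assumption."""
import shlex
# Linux capability names in numeric order (0..40, Linux 5.9); constructed table
# so the bounding-set complement can be computed without linking libcap.
ALL_CAPS = ("chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap "
            "linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock "
            "ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin "
            "sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write "
            "audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend "
            "audit_read perfmon bpf checkpoint_restore").split()
TRUE = ("true", "yes", "on", "1")
# Constructed sample: the iwd directives from the mail plus a placeholder path.
SAMPLE_UNIT = ("[Service]\nType=dbus\nExecStart=/usr/libexec/iwd\nLimitNPROC=1\n"
               "CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW\nPrivateTmp=true\n"
               "NoNewPrivileges=true\n")

def parse_service(text):
    """Return the [Service] section as {directive: value}; later lines win."""
    svc, in_service = {}, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            in_service = line == "[Service]"
        elif in_service and "=" in line and line[0] not in "#;":
            key, _, value = line.partition("=")
            svc[key.strip()] = value.strip()
    return svc

def caps_to_drop(spec):
    """CapabilityBoundingSet=: 'A B' keeps only A and B, '~A B' drops A and B,
    an empty value keeps nothing.  Returns the names capsh must drop."""
    listed = {c.lower() for c in spec.lstrip("~").split()}
    keep_listed = not spec.startswith("~")
    return [c for c in ALL_CAPS if ("cap_" + c in listed) != keep_listed]

def to_wrapper(unit_text):
    svc = parse_service(unit_text)
    outer, inner = ["unshare", "--pid", "--fork", "--mount-proc"], []
    if svc.get("PrivateTmp", "no").lower() in TRUE:
        outer.insert(1, "--mount")       # private mount namespace, tmpfs over /tmp
        inner.append("mount -t tmpfs tmpfs /tmp")
    if "LimitNPROC" in svc:
        inner.append("ulimit -u " + shlex.quote(svc["LimitNPROC"]))
    dropped = ["cap_" + c for c in caps_to_drop(svc.get("CapabilityBoundingSet", "~"))]
    capsh = ["capsh", "--drop=" + ",".join(dropped)] if dropped else ["capsh"]
    if svc.get("NoNewPrivileges", "no").lower() in TRUE:
        capsh.append("--no-new-privs")   # prctl(PR_SET_NO_NEW_PRIVS) before exec
    capsh += ["--", "-c", "exec " + svc["ExecStart"]]  # "--" runs bash with the args
    inner.append("exec " + shlex.join(capsh))
    return shlex.join(outer + ["sh", "-c", " && ".join(inner)])
```

Directives without a namespace or capability equivalent (ProtectHome=, ProtectSystem=, DevicePolicy=, Restart=) are deliberately ignored, which is exactly the gap the mail complains about.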