The Unix Heritage Society mailing list
 help / color / mirror / Atom feed
* [TUHS] Abstractions
@ 2021-02-20 23:09 M Douglas McIlroy
  2021-02-21  8:15 ` Otto Moerbeek
                   ` (3 more replies)
  0 siblings, 4 replies; 26+ messages in thread
From: M Douglas McIlroy @ 2021-02-20 23:09 UTC (permalink / raw)
  To: tuhs

>  - separation of code and data using read-only and read/write file systems

I'll bite. How do you install code in a read-only file system? And
where does a.out go?

My guess is that /bin is in a file system of its own. Executables from
 /letc and /lib are probably there too. On the other hand, I guess
users' personal code is still read/write.

I agree that such an arrangement is prudent. I don't see a way,
though, to update bin without disrupting most running programs.

Doug

^ permalink raw reply	[flat|nested] 26+ messages in thread

* Re: [TUHS] Abstractions
  2021-02-20 23:09 [TUHS] Abstractions M Douglas McIlroy
@ 2021-02-21  8:15 ` Otto Moerbeek
  2021-02-21 11:08 ` Rich Morin
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 26+ messages in thread
From: Otto Moerbeek @ 2021-02-21  8:15 UTC (permalink / raw)
  To: M Douglas McIlroy; +Cc: tuhs

On Sat, Feb 20, 2021 at 06:09:42PM -0500, M Douglas McIlroy wrote:

> >  - separation of code and data using read-only and read/write file systems
> 
> I'll bite. How do you install code in a read-only file system? And
> where does a.out go?
> 
> My guess is that /bin is in a file system of its own. Executables from
>  /letc and /lib are probably there too. On the other hand, I guess
> users' personal code is still read/write.
> 
> I agree that such an arrangement is prudent. I don't see a way,
> though, to update bin without disrupting most running programs.
> 
> Doug

I always wonder how to distunguish data and programs when people want
to separate them. One person's data is another person's program and
vice versa. Think scripting, config files, grammar definitions,
postscript files, exectuables to be fed to emulators, compilers,
linkers, code analysis tools, the examples are endless.

Turing already saw that form the theoretical point of view, others
(like Von Neumann) more from the practical persppective.

Data = Programs.

	-Otto

^ permalink raw reply	[flat|nested] 26+ messages in thread

* Re: [TUHS] Abstractions
  2021-02-20 23:09 [TUHS] Abstractions M Douglas McIlroy
  2021-02-21  8:15 ` Otto Moerbeek
@ 2021-02-21 11:08 ` Rich Morin
  2021-02-21 22:40 ` Dave Horsfall
  2021-02-21 22:54 ` Clem Cole
  3 siblings, 0 replies; 26+ messages in thread
From: Rich Morin @ 2021-02-21 11:08 UTC (permalink / raw)
  To: TUHS main list

> On Feb 20, 2021, at 15:09, M Douglas McIlroy <m.douglas.mcilroy@dartmouth.edu> wrote:
> 
>> - separation of code and data using read-only and read/write file systems
> 
> I'll bite.  How do you install code in a read-only file system?

Disclaimer: I haven't actually used Nerves myself, just watched some presentations, read various web pages, etc.  So anything I say about it is quite unreliable.  And, although that item was (sort of) true, it was obviously rather misleading if interpreted too broadly.  So, I'll try to provide some context to explain what I meant by it.

As I understand it, Nerves is intended as a build and delivery mechanism for IoT system software.  It's supposed to be possible to upgrade a deployed device without blowing away its persistent saved state.  And, if the upgrade fails, to back down to the previous version.  Also, the running code on the device should not be able to trash the system software.

To support this, they use multiple file systems, with various updating attributes.  For example, they might have two file systems for the system software and a third one for the persistent saved state.  This lets a developer upload and boot a new copy of the system software, but fall back to the old version if something goes wrong.

-r


^ permalink raw reply	[flat|nested] 26+ messages in thread

* Re: [TUHS] Abstractions
  2021-02-20 23:09 [TUHS] Abstractions M Douglas McIlroy
  2021-02-21  8:15 ` Otto Moerbeek
  2021-02-21 11:08 ` Rich Morin
@ 2021-02-21 22:40 ` Dave Horsfall
  2021-02-21 23:01   ` Steve Nickolas
                     ` (2 more replies)
  2021-02-21 22:54 ` Clem Cole
  3 siblings, 3 replies; 26+ messages in thread
From: Dave Horsfall @ 2021-02-21 22:40 UTC (permalink / raw)
  To: The Eunuchs Hysterical Society

On Sat, 20 Feb 2021, M Douglas McIlroy wrote:

>>  - separation of code and data using read-only and read/write file
>>  systems
>
> I'll bite. How do you install code in a read-only file system? And where 
> does a.out go?

I once worked for a place who reckoned that /bin and /lib etc ought to be 
in an EEPROM; I reckon that he was right (Penguin/OS dumps everything 
under /usr/bin, for example).

> My guess is that /bin is in a file system of its own. Executables from 
> /letc and /lib are probably there too. On the other hand, I guess users' 
> personal code is still read/write.

That's how we ran our RK-05 11/40s since Ed 5...  Good fun writing a DJ-11 
driver from the DH-11 source; even more fun when I wrote a UT-200 driver 
from the manual alone (I'm sure that "ei.c" is Out There Somewhere), 
junking IanJ's driver.

The war stories that I could tell...

> I agree that such an arrangement is prudent. I don't see a way, though, 
> to update bin without disrupting most running programs.

Change is inevitable; the trick is to minimise the disruption.

-- Dave, who carried RK-05s all over the UNSW campus

^ permalink raw reply	[flat|nested] 26+ messages in thread

* Re: [TUHS] Abstractions
  2021-02-20 23:09 [TUHS] Abstractions M Douglas McIlroy
                   ` (2 preceding siblings ...)
  2021-02-21 22:40 ` Dave Horsfall
@ 2021-02-21 22:54 ` Clem Cole
  3 siblings, 0 replies; 26+ messages in thread
From: Clem Cole @ 2021-02-21 22:54 UTC (permalink / raw)
  To: M Douglas McIlroy; +Cc: TUHS main list

[-- Attachment #1: Type: text/plain, Size: 819 bytes --]

On Sat, Feb 20, 2021 at 6:10 PM M Douglas McIlroy <
m.douglas.mcilroy@dartmouth.edu> wrote:

> >  - separation of code and data using read-only and read/write file
> systems
>
> I'll bite. How do you install code in a read-only file system? And
> where does a.out go?
>
The best way I have seen this done is with overlay and union file system
support.   The 'writeable' versions are the file in /bin are overlayed as
needed.   To do this properly you need the stackable file system stuff we
worked on at LCC and Sun.  If you can interpose at the inode level it's
very cool and flexible (Sun played with - but makes the Sun symlink
nightmare seem like an easy night at the movies), at the filesystem switch
layer (Locus and UCLA - scheme that was in BSD at one point - easier to
manage/admin).


ᐧ

[-- Attachment #2: Type: text/html, Size: 1892 bytes --]

^ permalink raw reply	[flat|nested] 26+ messages in thread

* Re: [TUHS] Abstractions
  2021-02-21 22:40 ` Dave Horsfall
@ 2021-02-21 23:01   ` Steve Nickolas
  2021-02-23  3:31     ` Andrew Warkentin
  2021-02-22  0:13   ` [TUHS] Abstractions Warren Toomey
  2021-02-23  0:25   ` Wesley Parish
  2 siblings, 1 reply; 26+ messages in thread
From: Steve Nickolas @ 2021-02-21 23:01 UTC (permalink / raw)
  To: Dave Horsfall; +Cc: The Eunuchs Hysterical Society

On Mon, 22 Feb 2021, Dave Horsfall wrote:

> I once worked for a place who reckoned that /bin and /lib etc ought to be in 
> an EEPROM; I reckon that he was right (Penguin/OS dumps everything under 
> /usr/bin, for example).

I have used distributions in the past that maintained the traditional 
distinction.

While I've been stuck regarding bringing up a kernel, C compiler and libc 
all together, (keeping in mind my desire to avoid gcc and glibc for the 
project) the conceptual distribution I've been working on for some time 
uses more or less the same abstraction as the BSDs, with distinct /bin and 
/sbin vs. /usr/bin and /usr/sbin as I personally believe it should be, 
that the stuff in /bin should be enough to bring up and/or run diagnostics 
on a system, and everything else go in /usr.

-uso.

^ permalink raw reply	[flat|nested] 26+ messages in thread

* Re: [TUHS] Abstractions
  2021-02-21 22:40 ` Dave Horsfall
  2021-02-21 23:01   ` Steve Nickolas
@ 2021-02-22  0:13   ` Warren Toomey
  2021-02-27  2:47     ` Dave Horsfall
  2021-02-23  0:25   ` Wesley Parish
  2 siblings, 1 reply; 26+ messages in thread
From: Warren Toomey @ 2021-02-22  0:13 UTC (permalink / raw)
  To: Dave Horsfall; +Cc: The Eunuchs Hysterical Society

On Mon, Feb 22, 2021 at 09:40:57AM +1100, Dave Horsfall wrote:
> That's how we ran our RK-05 11/40s since Ed 5...  Good fun writing a DJ-11
> driver from the DH-11 source; even more fun when I wrote a UT-200 driver
> from the manual alone (I'm sure that "ei.c" is Out There Somewhere), junking
> IanJ's driver.

https://minnie.tuhs.org/cgi-bin/utree.pl?file=AUSAM/sys/dmr/ei.c

Cheers, Warren

^ permalink raw reply	[flat|nested] 26+ messages in thread

* Re: [TUHS] Abstractions
  2021-02-21 22:40 ` Dave Horsfall
  2021-02-21 23:01   ` Steve Nickolas
  2021-02-22  0:13   ` [TUHS] Abstractions Warren Toomey
@ 2021-02-23  0:25   ` Wesley Parish
  2021-02-23  0:38     ` Steve Nickolas
  2021-02-23  1:47     ` Theodore Ts'o
  2 siblings, 2 replies; 26+ messages in thread
From: Wesley Parish @ 2021-02-23  0:25 UTC (permalink / raw)
  To: Dave Horsfall; +Cc: The Eunuchs Hysterical Society

I've just checked Slackware 14.* and it's still got a few binaries in
/bin, unlike the RedHat* group which has indeed sent them all to
/usr/bin. I don't know about the Debian* group, or if the Mandrake*
group have gone with the RedHat* or not. Let alone all the other
distros.

Wesley Parish

On 2/22/21, Dave Horsfall <dave@horsfall.org> wrote:
> On Sat, 20 Feb 2021, M Douglas McIlroy wrote:
>
>>>  - separation of code and data using read-only and read/write file
>>>  systems
>>
>> I'll bite. How do you install code in a read-only file system? And where
>> does a.out go?
>
> I once worked for a place who reckoned that /bin and /lib etc ought to be
> in an EEPROM; I reckon that he was right (Penguin/OS dumps everything
> under /usr/bin, for example).
>
>> My guess is that /bin is in a file system of its own. Executables from
>> /letc and /lib are probably there too. On the other hand, I guess users'
>> personal code is still read/write.
>
> That's how we ran our RK-05 11/40s since Ed 5...  Good fun writing a DJ-11
> driver from the DH-11 source; even more fun when I wrote a UT-200 driver
> from the manual alone (I'm sure that "ei.c" is Out There Somewhere),
> junking IanJ's driver.
>
> The war stories that I could tell...
>
>> I agree that such an arrangement is prudent. I don't see a way, though,
>> to update bin without disrupting most running programs.
>
> Change is inevitable; the trick is to minimise the disruption.
>
> -- Dave, who carried RK-05s all over the UNSW campus
>

^ permalink raw reply	[flat|nested] 26+ messages in thread

* Re: [TUHS] Abstractions
  2021-02-23  0:25   ` Wesley Parish
@ 2021-02-23  0:38     ` Steve Nickolas
  2021-02-23  2:50       ` Theodore Ts'o
  2021-02-23  1:47     ` Theodore Ts'o
  1 sibling, 1 reply; 26+ messages in thread
From: Steve Nickolas @ 2021-02-23  0:38 UTC (permalink / raw)
  To: The Eunuchs Hysterical Society

On Tue, 23 Feb 2021, Wesley Parish wrote:

> I've just checked Slackware 14.* and it's still got a few binaries in
> /bin, unlike the RedHat* group which has indeed sent them all to
> /usr/bin. I don't know about the Debian* group, or if the Mandrake*
> group have gone with the RedHat* or not. Let alone all the other
> distros.

Debian links /bin to /usr/bin.

-uso.

^ permalink raw reply	[flat|nested] 26+ messages in thread

* Re: [TUHS] Abstractions
  2021-02-23  0:25   ` Wesley Parish
  2021-02-23  0:38     ` Steve Nickolas
@ 2021-02-23  1:47     ` Theodore Ts'o
  1 sibling, 0 replies; 26+ messages in thread
From: Theodore Ts'o @ 2021-02-23  1:47 UTC (permalink / raw)
  To: Wesley Parish; +Cc: The Eunuchs Hysterical Society

On Tue, Feb 23, 2021 at 01:25:51PM +1300, Wesley Parish wrote:
> I've just checked Slackware 14.* and it's still got a few binaries in
> /bin, unlike the RedHat* group which has indeed sent them all to
> /usr/bin. I don't know about the Debian* group, or if the Mandrake*
> group have gone with the RedHat* or not. Let alone all the other
> distros.

More information about the /usr migration, can be found at:

* https://wiki.debian.org/UsrMerge
* https://www.freedesktop.org/wiki/Software/systemd/TheCaseForTheUsrMerge/

One of the interesting points made in the above is that merging /bin
and /usr/bin, et. al., was first done by Solaris 11 (ten years ago)
and so one of the arguments for Linux distributions for proceeding
with the /usr merge was to improve cross compatibility with legacy
commercial Unix systems.

So obviously, like so many other things, it's all Oracle's fault.  :-)

   	      	      	   	 	 - Ted

^ permalink raw reply	[flat|nested] 26+ messages in thread

* Re: [TUHS] Abstractions
  2021-02-23  0:38     ` Steve Nickolas
@ 2021-02-23  2:50       ` Theodore Ts'o
  2021-02-23  3:19         ` Warner Losh
  0 siblings, 1 reply; 26+ messages in thread
From: Theodore Ts'o @ 2021-02-23  2:50 UTC (permalink / raw)
  To: Steve Nickolas; +Cc: The Eunuchs Hysterical Society

On Mon, Feb 22, 2021 at 07:38:21PM -0500, Steve Nickolas wrote:
> On Tue, 23 Feb 2021, Wesley Parish wrote:
> 
> > I've just checked Slackware 14.* and it's still got a few binaries in
> > /bin, unlike the RedHat* group which has indeed sent them all to
> > /usr/bin. I don't know about the Debian* group, or if the Mandrake*
> > group have gone with the RedHat* or not. Let alone all the other
> > distros.
> 
> Debian links /bin to /usr/bin.

New installs of Debian will use a /usr merged configuration.  However,
for pre-existing installations, we are not yet forcing, or even
strongly recommending, system administrators to install the usrmerge
package which will transition an legacy directory hierarchy to be /usr
merged.  So at the moment, Debian packages need to support both merged
and non-merged configurations, which is not ideal from a pacakge
maintainer's POV.

						- Ted

^ permalink raw reply	[flat|nested] 26+ messages in thread

* Re: [TUHS] Abstractions
  2021-02-23  2:50       ` Theodore Ts'o
@ 2021-02-23  3:19         ` Warner Losh
  0 siblings, 0 replies; 26+ messages in thread
From: Warner Losh @ 2021-02-23  3:19 UTC (permalink / raw)
  To: Theodore Ts'o; +Cc: The Eunuchs Hysterical Society

[-- Attachment #1: Type: text/plain, Size: 1101 bytes --]

On Mon, Feb 22, 2021, 7:50 PM Theodore Ts'o <tytso@mit.edu> wrote:

> On Mon, Feb 22, 2021 at 07:38:21PM -0500, Steve Nickolas wrote:
> > On Tue, 23 Feb 2021, Wesley Parish wrote:
> >
> > > I've just checked Slackware 14.* and it's still got a few binaries in
> > > /bin, unlike the RedHat* group which has indeed sent them all to
> > > /usr/bin. I don't know about the Debian* group, or if the Mandrake*
> > > group have gone with the RedHat* or not. Let alone all the other
> > > distros.
> >
> > Debian links /bin to /usr/bin.
>
> New installs of Debian will use a /usr merged configuration.  However,
> for pre-existing installations, we are not yet forcing, or even
> strongly recommending, system administrators to install the usrmerge
> package which will transition an legacy directory hierarchy to be /usr
> merged.  So at the moment, Debian packages need to support both merged
> and non-merged configurations, which is not ideal
>

I anticipate needing a /usr/bin/bash soon on my FreeBSD system for the same
reason I have a /bin/bash pointing at /usr/local/bin/bash. Progress :)

Warner

>

[-- Attachment #2: Type: text/html, Size: 1744 bytes --]

^ permalink raw reply	[flat|nested] 26+ messages in thread

* Re: [TUHS] Abstractions
  2021-02-21 23:01   ` Steve Nickolas
@ 2021-02-23  3:31     ` Andrew Warkentin
  2021-02-23 17:29       ` [TUHS] /usr separation (was: Abstractions) Greg A. Woods
  0 siblings, 1 reply; 26+ messages in thread
From: Andrew Warkentin @ 2021-02-23  3:31 UTC (permalink / raw)
  To: tuhs

On 2/21/21, Steve Nickolas <usotsuki@buric.co> wrote:
>
> While I've been stuck regarding bringing up a kernel, C compiler and libc
> all together, (keeping in mind my desire to avoid gcc and glibc for the
> project) the conceptual distribution I've been working on for some time
> uses more or less the same abstraction as the BSDs, with distinct /bin and
> /sbin vs. /usr/bin and /usr/sbin as I personally believe it should be,
> that the stuff in /bin should be enough to bring up and/or run diagnostics
> on a system, and everything else go in /usr.
>
I don't see much of a point in maintaining the separation these days.
/bin and /usr/bin were originally separated because it wasn't possible
to fit everything on one disk, and (AFAIK) the separation was mostly
maintained after that to reduce the chance of filesystem corruption
rendering the system unbootable (which is much less of a problem
nowadays because of journalled and log-structured filesystems).

Under UX/RT, the OS I'm writing, all commands (administrative or
otherwise) will appear to be in /bin, and all daemons will appear to
be in /sbin (with corresponding symlinks in /usr). The separation into
administrative and regular commands will be meaningless since the
traditional root/non-root security model will be completely eliminated
in favor of role-based access control. The / and /usr separation will
be useless since it will be impossible to have a separate /usr
partition (the contents of the root will be dynamically bound from a
collection of individual package directories, and won't correspond to
the root of the system volume).

^ permalink raw reply	[flat|nested] 26+ messages in thread

* Re: [TUHS] /usr separation (was: Abstractions)
  2021-02-23  3:31     ` Andrew Warkentin
@ 2021-02-23 17:29       ` Greg A. Woods
  2021-02-23 18:28         ` [TUHS] /usr separation Grant Taylor via TUHS
  2021-02-24  3:12         ` [TUHS] /usr separation (was: Abstractions) Andrew Warkentin
  0 siblings, 2 replies; 26+ messages in thread
From: Greg A. Woods @ 2021-02-23 17:29 UTC (permalink / raw)
  To: The Unix Heritage Society mailing list

[-- Attachment #1: Type: text/plain, Size: 3764 bytes --]

At Mon, 22 Feb 2021 20:31:49 -0700, Andrew Warkentin <andreww591@gmail.com> wrote:
Subject: Re: [TUHS] Abstractions
>
> On 2/21/21, Steve Nickolas <usotsuki@buric.co> wrote:
> >
> > While I've been stuck regarding bringing up a kernel, C compiler and libc
> > all together, (keeping in mind my desire to avoid gcc and glibc for the
> > project) the conceptual distribution I've been working on for some time
> > uses more or less the same abstraction as the BSDs, with distinct /bin and
> > /sbin vs. /usr/bin and /usr/sbin as I personally believe it should be,
> > that the stuff in /bin should be enough to bring up and/or run diagnostics
> > on a system, and everything else go in /usr.
>
> I don't see much of a point in maintaining the separation these days.
> /bin and /usr/bin were originally separated because it wasn't possible
> to fit everything on one disk, and (AFAIK) the separation was mostly
> maintained after that to reduce the chance of filesystem corruption
> rendering the system unbootable (which is much less of a problem
> nowadays because of journalled and log-structured filesystems).

Maybe there isn't any impetus to _create_ a separate /usr these days of
large software but even larger disks.

However I think there are at least two good reasons to _maintain_ a
separate /usr.  At least for ostensibly POSIX and Unix compatible
systems, that is.

For one there's a huge amount of deeply embedded lore, human (finger and
brain) memory, actual code, documentation, and widespread practices that
use this separation and rely on it, effectively making it a requirement.

As Steve mentions above there's also the concept of knowing the minimum
requirements for bringing up a system capable of the most basic tasks.
Of course there's likely going to be some variance in what any given
person might define as "most basic tasks", but that's most a separate
issue.  However I will give one example of why this might be a good
thing to know and preserved:  it is highly useful for those creating
"embedded" systems, or application specific systems.  They can start
with just the minimal root filesystem, and then know exactly what they
have to add in order to meet their application's requirements precisely.
(and the reasons for doing that can be much wider than many might assume)

Also the basic idea of having a root filesystem that contains just and
only what's necessary for the system to boot and run, and putting
everything else that makes the system usable to users into /usr, is also
still a worthwhile concept even just on its own.

The maintenance of an illusion of a separate /usr can of course be
easily done with a farm of symlinks, thus preserving any dependencies in
anyone's memory, documentation, or code.

However the reality of maintaining a separate minimal toolset for system
bring-up is that it cannot be reliably done without constant and
pervasive testing; and the very best (and perhaps only) way to achieve
this, especially in any smaller open-source project, is for everyone to
use it that way as much of the time as possible.  I say this from
decades long experience of slowly moving systems to having just one
partition for both root and /usr and then on occasion testing with
separate root and /usr, and every time I do this testing I find
dependencies have crept in on something in /usr for basic booting.  (and
that's even when I base my system on a platform that still tries hard to
maintain this separation of root and /usr!)

BTW, I think it was Sun that first did some of this merging of root and
/usr a very long time ago.

--
					Greg A. Woods <gwoods@acm.org>

Kelowna, BC     +1 250 762-7675           RoboHack <woods@robohack.ca>
Planix, Inc. <woods@planix.com>     Avoncote Farms <woods@avoncote.ca>

[-- Attachment #2: OpenPGP Digital Signature --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

^ permalink raw reply	[flat|nested] 26+ messages in thread

* Re: [TUHS] /usr separation
  2021-02-23 17:29       ` [TUHS] /usr separation (was: Abstractions) Greg A. Woods
@ 2021-02-23 18:28         ` Grant Taylor via TUHS
  2021-02-23 18:57           ` Theodore Ts'o
  2021-02-24  3:12         ` [TUHS] /usr separation (was: Abstractions) Andrew Warkentin
  1 sibling, 1 reply; 26+ messages in thread
From: Grant Taylor via TUHS @ 2021-02-23 18:28 UTC (permalink / raw)
  To: tuhs

[-- Attachment #1: Type: text/plain, Size: 6096 bytes --]

On 2/23/21 10:29 AM, Greg A. Woods wrote:
> Maybe there isn't any impetus to _create_ a separate /usr these days 
> of large software but even larger disks.

I'm undecided.  Part of me likes the / (root) and /usr split.  But 
another part of me questions /if/ and (if so) /why/ it is (still) /needed/.

> However I think there are at least two good reasons to _maintain_ 
> a separate /usr.  At least for ostensibly POSIX and Unix compatible 
> systems, that is.

Does /usr actually /need/ to be a /separate/ file system?  Or would a 
wholesale link from /usr to / (root) suffice?  Or perhaps a collection 
of sym-links from /usr/<foo> to /<foo> suffice?

> For one there's a huge amount of deeply embedded lore, human 
> (finger and brain) memory, actual code, documentation, and widespread 
> practices that use this separation and rely on it, effectively making 
> it a requirement.

Are they relying on the /separation/ of separate file systems?  Or are 
they simply relying on wrote memory for the path?  Ergo sym-links could 
fulfill the perceived need?

> As Steve mentions above there's also the concept of knowing the 
> minimum requirements for bringing up a system capable of the most 
> basic tasks.

The pat response to this in the Linux community is "That's what the 
initrd / initramfs is for!"

What that fails to take into account is if the system actually uses an 
initrd / initramfs or not.  Many of the systems I maintain do /not/ use 
an initrd / initramfs.  Thus the systems have /some/ actual /need/ to be 
able to bring up a minimal system to repair file system problems.  Even 
if the so called problem is simply that the extent file system needs an 
fsck with human interaction (time since last check and / or maximum 
number of mounts).

If you do use an initrd / initramfs, then you can reasonably safely lump 
everything* in the / (root) file system.

*/boot still tends to be it's own file system on Linux, mostly because 
that's where the initrd / initramfs image live which contain drivers for 
more fancy things (software RAID, LVM, ZFS, SAN, etc.) which are needed 
to bring up / (root).

> Of course there's likely going to be some variance in what any 
> given person might define as "most basic tasks", but that's most a 
> separate issue.

Agreed.

However, I posit that "most basic tasks" be what is necessary to 
transition from single user mode to multi-user mode.  Including any and 
all utilities required to fix file systems, work with logical volumes, 
SAN, etc.

> However I will give one example of why this might be a good thing to 
> know and preserved:  it is highly useful for those creating "embedded" 
> systems, or application specific systems.  They can start with just the 
> minimal root filesystem, and then know exactly what they have to add 
> in order to meet their application's requirements precisely.  (and the 
> reasons for doing that can be much wider than many might assume)

Please elaborate on what that has to do with the / (root) vs /usr split?

I feel like you're differentiating between a minimal install vs a 
kitchen sink install.  Which seems to me to be independent of how the 
underlying file system(s) is (are) arranged.

> Also the basic idea of having a root filesystem that contains just 
> and only what's necessary for the system to boot and run, and putting 
> everything else that makes the system usable to users into /usr, 
> is also still a worthwhile concept even just on its own.

Many in the Linux community think this is the job of the initrd / 
initramfs.  I personally believe that this is the job of the / (root) 
file system.

Aside:  In the event that /usr is on the / (root) file system, then the 
system should still be able to come up as if /usr didn't exist b/c it 
had been renamed or was on a separate file system.

> The maintenance of an illusion of a separate /usr can of course be 
> easily done with a farm of symlinks, thus preserving any dependencies 
> in anyone's memory, documentation, or code.

Agreed.  With things like bind mounts, we don't even need to use 
sym-links.  }:-)

Though, one potential danger is that people see duplication between 
/bin/<foo> and /usr/bin/<foo> and decide to remove one of them.  Doing 
so will ultimately remove both and cause someone to have a not good day.

Aside:  Perhaps these not good days are not something to be avoided, but 
instead something to be treated as a learning opportunity.  Much like 
young kids need to learn that fire is hot for themselves.

> However the reality of maintaining a separate minimal toolset for 
> system bring-up is that it cannot be reliably done without constant 
> and pervasive testing; and the very best (and perhaps only) way to 
> achieve this, especially in any smaller open-source project, is for 
> everyone to use it that way as much of the time as possible.  I say 
> this from decades long experience of slowly moving systems to having 
> just one partition for both root and /usr and then on occasion testing 
> with separate root and /usr, and every time I do this testing I find 
> dependencies have crept in on something in /usr for basic booting. 
> (and that's even when I base my system on a platform that still tries 
> hard to maintain this separation of root and /usr!)

I have a different conundrum regarding */bin.  Why do I need nine 
different (s)bin directories in my path?  I -- possibly naively -- 
believe that we have the technology to have all commands in /one/ 
directory, namely /bin.

Quickly after that thought, I realize that I want different things in my 
path than other people do.  So I end up with custom /bin directories. 
Which usually ends up with sym-links that reference variables or custom 
mounts (possibly via auto-mount applying some logic).

> BTW, I think it was Sun that first did some of this merging of root 
> and /usr a very long time ago.

Agreed.  Though I'm far from authoritative.



-- 
Grant. . . .
unix || die


[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 4013 bytes --]

^ permalink raw reply	[flat|nested] 26+ messages in thread

* Re: [TUHS] /usr separation
  2021-02-23 18:28         ` [TUHS] /usr separation Grant Taylor via TUHS
@ 2021-02-23 18:57           ` Theodore Ts'o
  2021-02-23 20:29             ` Grant Taylor via TUHS
  0 siblings, 1 reply; 26+ messages in thread
From: Theodore Ts'o @ 2021-02-23 18:57 UTC (permalink / raw)
  To: Grant Taylor; +Cc: tuhs

On Tue, Feb 23, 2021 at 11:28:13AM -0700, Grant Taylor via TUHS wrote:
> 
> What that fails to take into account is if the system actually uses an
> initrd / initramfs or not.  Many of the systems I maintain do /not/ use an
> initrd / initramfs.  Thus the systems have /some/ actual /need/ to be able
> to bring up a minimal system to repair file system problems.  Even if the so
> called problem is simply that the extent file system needs an fsck with
> human interaction (time since last check and / or maximum number of mounts).

There are two reasons why you might want to have an initramfs.  One is
you are using a distribution-provided generic kernel, in which case
the device driver / kernel modules needed to access the root file
system needed to be loaded from *somewhere*, and that's the in-memory
initramfs/initrd.

The other reason is how you run fsck on the root file system.  That
won't be needed if hardware is perfect, the kernel is bug-free(tm),
and the root file system has journalling support, as all modern file
systems tend to have.  However, if it is needed, there are two ways to
do this.  One is the traditional way, which is to mount the root file
system read/only, repair the file system, and if any changes were
required to the root file system, force a reboot; otherwise, remount
the root file system read-write, and proceed.  The other way of doing
this is to include the fsck program in the initrams, and run fsck on
the root file system before it is mounted.  Now you never have to
worry about rebooting if any chances were made, since the root file
system wasn't mounted and so there is no danger of invalid metadata
being cached in memory.

That being said, it's certainly possible to skip using an initramfs;
it's geenrally not required, and if you're building your own kernel,
with the device drivers you need for your hardwaer compiled into the
kernel, most distributions will support skipping the initramfs.
(Debian certainly does, in any case.)

> */boot still tends to be it's own file system on Linux, mostly because
> that's where the initrd / initramfs image live which contain drivers for
> more fancy things (software RAID, LVM, ZFS, SAN, etc.) which are needed to
> bring up / (root).

/boot needs to exist due to limitations to the firmware and/or boot
loader being used.  If the boot loader is using the legacy PC Bios
interfaces to read the kernel and initial ramdisk/file system, then
those files need to be in a low-numbered LBA disk space, due to legacy
BIOS/firmware limitations.  It could also be a concern if you are
using some exotic file system (say, ZFS), and the bootloader doesn't
support that file system due to copyright licensing incompatibilities,
or the boot loader just not supporting that bleeding-edge file system.
In that case, you might have to keep /boot as an ext4 file system.

Other than that, there is no reason why /boot needs to be its own file
system, except that most installers will create one just because it's
simpler to use the same approach for all cases, even if it's not
needed for a particular use case.

					- Ted

P.S.  Oh, and if you are using UEFI, you might need to have yet
another file system which is a Microsoft FAT file system, typically
mounted as /boot/efi, to keep the UEFI firmware happy....

^ permalink raw reply	[flat|nested] 26+ messages in thread

* Re: [TUHS] /usr separation
  2021-02-23 18:57           ` Theodore Ts'o
@ 2021-02-23 20:29             ` Grant Taylor via TUHS
  2021-02-24 14:14               ` Theodore Ts'o
  0 siblings, 1 reply; 26+ messages in thread
From: Grant Taylor via TUHS @ 2021-02-23 20:29 UTC (permalink / raw)
  To: tuhs

[-- Attachment #1: Type: text/plain, Size: 4716 bytes --]

On 2/23/21 11:57 AM, Theodore Ts'o wrote:
> There are two reasons why you might want to have an initramfs.
Rather than getting into a tit for tat debate, I'll agree that we have 
both proposed reasons why you /might/ want to use an initramfs.  The 
operative words are "you" and "might".  Each person probably wants 
slightly different things.  It's far from one size fits all.

> The other reason is how you run fsck on the root file system.

The same way that it's been done for years.  Root is mounted read only 
and you run fsck to repair damage.  If it's severe damage, you will 
likely need to boot off of something else.  I've had both situations 
happen multiple times.

The quintessential max mount count / max days since last check have 
happily been fixed while root was mounted read only.

> That won't be needed if hardware is perfect, the kernel is 
> bug-free(tm), and the root file system has journalling support, 
> as all modern file systems tend to have.

I wouldn't bet on that.  I've had to run fsck on journalling file 
systems at boot / mount time multiple times.

> However, if it is needed, there are two ways to do this.  One is the 
> traditional way, which is to mount the root file system read/only, 
> repair the file system, and if any changes were required to the root 
> file system, force a reboot; otherwise, remount the root file system 
> read-write, and proceed.

This is what happened in /most/ of the cases that I've needed to 
interact with fsck of a root file system.

> The other way of doing this is to include the fsck program in the 
> initrams, and run fsck on the root file system before it is mounted. 
> Now you never have to worry about rebooting if any chances were made, 
> since the root file system wasn't mounted and so there is no danger 
> of invalid metadata being cached in memory.

Oh ... I would definitely *NOT* say /never/.  There are ways that a file 
system can get corrupted that will cause fsck to stop and require manual 
intervention.

> That being said, it's certainly possible to skip using an initramfs; 
> it's geenrally not required, and if you're building your own kernel, 
> with the device drivers you need for your hardwaer compiled into 
> the kernel, most distributions will support skipping the initramfs. 
> (Debian certainly does, in any case.)

And if you're building a minimal kernel, removing support for modules 
and what's required for swing-root saves space.  ;-)

> /boot needs to exist due to limitations to the firmware and/or boot 
> loader being used.

Not necessarily.  E.g. one single partition containing /boot and / (root).

> If the boot loader is using the legacy PC Bios interfaces to read the 
> kernel and initial ramdisk/file system, then those files need to be in 
> a low-numbered LBA disk space, due to legacy BIOS/firmware limitations.

So make sure said /boot & / (root) partition stays within that 
limitation.  I don't recall exactly what that is.  I think it's ~8 GB. 
But it's definitely possible to have small installations in that space.

> It could also be a concern if you are using some exotic file system 
> (say, ZFS), and the bootloader doesn't support that file system due 
> to copyright licensing incompatibilities, or the boot loader just not 
> supporting that bleeding-edge file system.  In that case, you might 
> have to keep /boot as an ext4 file system.

That scenario is definitely a possibility.  Though such scenarios are 
not a requirement and tend to be antithetical to minimal installations, 
like the type that would be used in embedded devices and possibly copied 
to ROM as indicated in a different post.

> Other than that, there is no reason why /boot needs to be its own 
> file system, except that most installers will create one just because 
> it's simpler to use the same approach for all cases, even if it's 
> not needed for a particular use case.

As Steve Gibson is famous for saying; The tyranny of the default.

> P.S.  Oh, and if you are using UEFI, you might need to have yet 
> another file system which is a Microsoft FAT file system, typically 
> mounted as /boot/efi, to keep the UEFI firmware happy....

Yes, the file system needs to exist.  But that's part of the firmware, 
not the operating system.  I also question if that FAT file system needs 
to be mounted or not.  --  I don't know how GRUB et al. deal with a 
non-mounted UEFI file system.

But even if it does need to be mounted, you can still get away with two 
partitions; / (root) and /boot/efi.  I suspect UEFI does away with the 
LBA issue you mentioned.



-- 
Grant. . . .
unix || die


[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 4013 bytes --]

^ permalink raw reply	[flat|nested] 26+ messages in thread

* Re: [TUHS] /usr separation (was: Abstractions)
  2021-02-23 17:29       ` [TUHS] /usr separation (was: Abstractions) Greg A. Woods
  2021-02-23 18:28         ` [TUHS] /usr separation Grant Taylor via TUHS
@ 2021-02-24  3:12         ` Andrew Warkentin
  1 sibling, 0 replies; 26+ messages in thread
From: Andrew Warkentin @ 2021-02-24  3:12 UTC (permalink / raw)
  To: The Unix Heritage Society mailing list

On 2/23/21, Greg A. Woods <woods@robohack.ca> wrote:
>
> For one there's a huge amount of deeply embedded lore, human (finger and
> brain) memory, actual code, documentation, and widespread practices that
> use this separation and rely on it, effectively making it a requirement.
>

That is only a justification for keeping the /usr hierarchy around
(and using symlinks/binding to make stuff appear in both places), not
for arbitrarily separating programs and libraries between the two.

>
> However the reality of maintaining a separate minimal toolset for system
> bring-up is that it cannot be reliably done without constant and
> pervasive testing; and the very best (and perhaps only) way to achieve
> this, especially in any smaller open-source project, is for everyone to
> use it that way as much of the time as possible.  I say this from
> decades long experience of slowly moving systems to having just one
> partition for both root and /usr and then on occasion testing with
> separate root and /usr, and every time I do this testing I find
> dependencies have crept in on something in /usr for basic booting.  (and
> that's even when I base my system on a platform that still tries hard to
> maintain this separation of root and /usr!)
>

With a system-wide package manger a set of basic packages can be
maintained without having an arbitrary separation into root and usr.

The reference distribution of UX/RT will have several nested sets of
packages rather than a separation of binaries between root and usr.
The smallest will be what is included in the supervisor image (the
equivalent of a kernel image and initramfs combined into one), which
will be what is required to mount the system volume. Above that will
be the minimal system, which will be the set of packages required to
boot to a multi-user login. All of this will be in the base system
repository, along with a few other optional groups of packages
(including a full desktop
environment). Most optional third-party application packages will be
in a separate repository (like ports or pkgsrc under BSD, but using
the same package manager as the base system and available by default
without any special configuration).

On 2/23/21, Theodore Ts'o <tytso@mit.edu> wrote:
>
> /boot needs to exist due to limitations to the firmware and/or boot
> loader being used.  If the boot loader is using the legacy PC Bios
> interfaces to read the kernel and initial ramdisk/file system, then
> those files need to be in a low-numbered LBA disk space, due to legacy
> BIOS/firmware limitations.  It could also be a concern if you are
> using some exotic file system (say, ZFS), and the bootloader doesn't
> support that file system due to copyright licensing incompatibilities,
> or the boot loader just not supporting that bleeding-edge file system.
> In that case, you might have to keep /boot as an ext4 file system.
>

The BIOS addressing limitations only happen with CHS-only BIOSes,
which haven't really been a thing since the mid-to-late 90s. The only
reason to have a separate /boot partition for anything newer than that
is because of bootloader limitations.


On 2/23/21, Grant Taylor via TUHS <tuhs@minnie.tuhs.org> wrote:
>
> I have a different conundrum regarding */bin.  Why do I need nine
> different (s)bin directories in my path?  I -- possibly naively --
> believe that we have the technology to have all commands in /one/
> directory, namely /bin.
>
> Quickly after that thought, I realize that I want different things in my
> path than other people do.  So I end up with custom /bin directories.
> Which usually ends up with sym-links that reference variables or custom
> mounts (possibly via auto-mount applying some logic).
>

UX/RT will solve the issue of different sets of programs in the path
in different user or application contexts with per-process and
per-user namespaces (since fine-grained security will be deeply
integrated into the system and neither on-disk device files nor setuid
binaries will exist, there shouldn't be any security concerns with
letting regular users bind and mount stuff for themselves). $PATH will
just be set to "/bin" in the vast majority of cases.

^ permalink raw reply	[flat|nested] 26+ messages in thread

* Re: [TUHS] /usr separation
  2021-02-23 20:29             ` Grant Taylor via TUHS
@ 2021-02-24 14:14               ` Theodore Ts'o
  2021-02-24 17:50                 ` Grant Taylor via TUHS
  0 siblings, 1 reply; 26+ messages in thread
From: Theodore Ts'o @ 2021-02-24 14:14 UTC (permalink / raw)
  To: Grant Taylor; +Cc: tuhs

On Tue, Feb 23, 2021 at 01:29:11PM -0700, Grant Taylor via TUHS wrote:
> On 2/23/21 11:57 AM, Theodore Ts'o wrote:
> > There are two reasons why you might want to have an initramfs.
>
> Rather than getting into a tit for tat debate, I'll agree that we have both
> proposed reasons why you /might/ want to use an initramfs.  The operative
> words are "you" and "might".  Each person probably wants slightly different
> things.  It's far from one size fits all.

Sure, I was trying to enumerate the reasons why initramfs, for some
combinations of hardware / configurations, might be necessary.

> > /boot needs to exist due to limitations to the firmware and/or boot
> > loader being used.
> 
> Not necessarily.  E.g. one single partition containing /boot and / (root).

Sorry, I should have written, "/boot MAY need to exist".

> > Other than that, there is no reason why /boot needs to be its own file
> > system, except that most installers will create one just because it's
> > simpler to use the same approach for all cases, even if it's not needed
> > for a particular use case.
> 
> As Steve Gibson is famous for saying; The tyranny of the default.

I wouldn't say that; I'd rather say that if you have a huge
combination of configurations that you have to test, those
configurations which aren't regularly tested will tend to bitrot, or
have odd failures in various error cases.  The more corners that you
have, the more corner cases.

And this is where it's all about *who* gets to pay, either via money,
or via their labor, to support these various cases.  Weren't people
just complaining, in other TUHS threads, of "bloat" in Linux?

Well, this is how you get bloat.  It's just that if it's a feature
*you* want, then it's not bloat, but an essential feature, and if it's
not provided, you whine mightily.  And when you have a large number of
enterprise customers paying $$$ to enterprise distribution vendors,
each with their own set of essential features, and where *binary*
backwards compatibility is considered an essential feature, then
that's how you get what others will called "bloat".  I would call this
the "Tyrany of Gold", as in the reformulated Golden Rule, "The ones
with the Gold, makes the Rules".

> > P.S.  Oh, and if you are using UEFI, you might need to have yet another
> > file system which is a Microsoft FAT file system, typically mounted as
> > /boot/efi, to keep the UEFI firmware happy....
> 
> Yes, the file system needs to exist.  But that's part of the firmware, not
> the operating system.  I also question if that FAT file system needs to be
> mounted or not.  --  I don't know how GRUB et al. deal with a non-mounted
> UEFI file system.

GRUB doesn't care.  But various system administration utilities that
want to manage to UEFI boot menu (as distinct from the GRUB boot
menu), they need to modify the files that are read by the UEFI
firmware.  So it's convenient if it's mounted *somewhere*.  Also, even
if it's not mounted, it's still a partition that has to be around, and
one reason to keep it mounted is to avoid a system administrator from
saying, "hmmm, what's this unused /dev/sda1 partition?  I guess I can
use it as an extra swap partition!"  And then the system won't boot,
and then they call the enterprise distro's help desk, and unnecessary
calls into the help desk costs $$$, and distro's tend to optimize for
unnecessary cost.  (Plus lots of unhappy customers who are down, even
if it is there own d*mned fault, is not good for business.)

> But even if it does need to be mounted, you can still get away with two
> partitions; / (root) and /boot/efi.  I suspect UEFI does away with the LBA
> issue you mentioned.

Yes, in another 5 or 10 years, we can probably completely deprecate
the MBR-based boot sequence.  At which point there will be another
series of whiners on TUHS ala the complaint that distributions are
dropping support for i386....

But since most TUHS posters aren't paying $$$ to enterprise
distributions, most enterpise distro engineers are going to give
precisely zero f*cks.  But hey, if you want to volunteer to provide
the hard work for supporting these configurations to the community
distribution, like Debian, those distros will be happy to accept the
volunteer help.  :-)

						- Ted

^ permalink raw reply	[flat|nested] 26+ messages in thread

* Re: [TUHS] /usr separation
  2021-02-24 14:14               ` Theodore Ts'o
@ 2021-02-24 17:50                 ` Grant Taylor via TUHS
  2021-02-24 18:37                   ` Theodore Ts'o
  0 siblings, 1 reply; 26+ messages in thread
From: Grant Taylor via TUHS @ 2021-02-24 17:50 UTC (permalink / raw)
  To: tuhs

[-- Attachment #1: Type: text/plain, Size: 2686 bytes --]

On 2/24/21 7:14 AM, Theodore Ts'o wrote:
> I wouldn't say that; I'd rather say that if you have a huge combination 
> of configurations that you have to test, those configurations which 
> aren't regularly tested will tend to bitrot, or have odd failures 
> in various error cases.  The more corners that you have, the more 
> corner cases.

Fair enough.

> I would call this the "Tyrany of Gold", as in the reformulated Golden 
> Rule, "The ones with the Gold, makes the Rules".

Being a fan of the golden rule, I would not make, much less use, that 
derivation.  I think it completely changes the meaning of the spirit 
behind the golden rule.

I don't fault your logic.  I just dislike where it ended up.

> GRUB doesn't care.  But various system administration utilities that 
> want to manage to UEFI boot menu (as distinct from the GRUB boot menu), 
> they need to modify the files that are read by the UEFI firmware.

Valid distinction.

> So it's convenient if it's mounted *somewhere*.  Also, even if it's not 
> mounted, it's still a partition that has to be around, and one reason 
> to keep it mounted is to avoid a system administrator from saying, 
> "hmmm, what's this unused /dev/sda1 partition?  I guess I can use it 
> as an extra swap partition!"

I seem to recall hearing about a problem where a rogue rm could 
accidentally wipe out part of the UEFI.  Maybe it was the contents of 
the /boot/efi partition.  So, I'd suggest a happy medium of mounting it 
Read-Only.  That way it's known to be used /and/ it's protected from a 
simple rogue rm.  It can relatively easily be re-mounted as Read-Write 
when necessary.  As well as subsequently re-mounted back to Read-Only.

> Yes, in another 5 or 10 years, we can probably completely deprecate 
> the MBR-based boot sequence.  At which point there will be another 
> series of whiners on TUHS ala the complaint that distributions are 
> dropping support for i386....

I feel like we've already abandoned i386 as in 80386 (or compatible) 
architecture.  I think we now require Pentium (586?) or better.  At some 
point, we'll completely remove 32-bit support from mainstream Linux 
distributions, thus requiring something from the 21st century.

> But since most TUHS posters aren't paying $$$ to enterprise 
> distributions, most enterpise distro engineers are going to give 
> precisely zero f*cks.  But hey, if you want to volunteer to provide 
> the hard work for supporting these configurations to the community 
> distribution, like Debian, those distros will be happy to accept the 
> volunteer help.  :-)

~chuckle~



-- 
Grant. . . .
unix || die


[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 4013 bytes --]

^ permalink raw reply	[flat|nested] 26+ messages in thread

* Re: [TUHS] /usr separation
  2021-02-24 17:50                 ` Grant Taylor via TUHS
@ 2021-02-24 18:37                   ` Theodore Ts'o
  2021-02-24 18:48                     ` Grant Taylor via TUHS
  2021-02-24 20:25                     ` Steve Nickolas
  0 siblings, 2 replies; 26+ messages in thread
From: Theodore Ts'o @ 2021-02-24 18:37 UTC (permalink / raw)
  To: Grant Taylor; +Cc: tuhs

On Wed, Feb 24, 2021 at 10:50:03AM -0700, Grant Taylor via TUHS wrote:
> > I would call this the "Tyrany of Gold", as in the reformulated Golden
> > Rule, "The ones with the Gold, makes the Rules".
> 
> Being a fan of the golden rule, I would not make, much less use, that
> derivation.  I think it completely changes the meaning of the spirit behind
> the golden rule.

Oh, sure.  I agree completely that it's 180 degrees from the original
golden rule; it had intended to be a joke.  Unfortunately, years of
living in a country whre the ones with the Gold really do make all of
the Rules has gotten me to the point where if I don't laugh at it, I
would have to cry....

> I seem to recall hearing about a problem where a rogue rm could accidentally
> wipe out part of the UEFI.  Maybe it was the contents of the /boot/efi
> partition.  So, I'd suggest a happy medium of mounting it Read-Only.  That
> way it's known to be used /and/ it's protected from a simple rogue rm.  It
> can relatively easily be re-mounted as Read-Write when necessary.  As well
> as subsequently re-mounted back to Read-Only.

So technically it doesn't wipe out UEFI; it just will destroy the
ability to boot the system.  (e.g., this is where Grub lives, and if
you delete it, UEFI will no longer be able to launch Grub, and hence,
not boot Linux.)  Fortunately, if you have a rescue CD / USB Thumb
drive, it's relatively easy to recover from this.

A rogue rm which deletes /bin (even if /bin is a symlink to /usr/bin,
all of the shell scripts and /etc/passwd entries probably still refer
to /bin/sh) is going to make the system similarly unbootable.

As far as making a system more robust against rogue rm's, I really
like scheme used by ChromeOS, where the entire file system is not only
read-only, but protected by a cryptographic Merkle Tree such that if
malware attempts to modify it, the system will crash.  This is
combined with firmware which will only load a kernel with a valid
digital signature, and the user data is stored on an encrypted file
system mounted on /mnt/stateful_partition and it is the only file
system mounted read/write on a ChromeOS system.  It violates a lot of
expectations about where files should live on a "normal" Unix or Linux
system, but it's defnitely way more safe and secure.

> I feel like we've already abandoned i386 as in 80386 (or compatible)
> architecture.  I think we now require Pentium (586?) or better.  At some
> point, we'll completely remove 32-bit support from mainstream Linux
> distributions, thus requiring something from the 21st century.

For now, as far as I know, Debian still supports a 486 (or i386 with
an i387 co-processor, which was my first Linux system).  But yes, it
is very likely, absent people showing up to volunteer to support
32-bit userspace at Debian (e.g., ongoing security updates, support
for the i386 build farm, reporting and triaging build failures of
packages on i386, etc.), that the i386 arch will probably get dropped
after Debian Bullseye release (which will probably happpen sometime in
mid-2021 if I had to guess).

I'm not sure there are any 486's around any more, and it's likely most
uses of systems with i386 binaries are on 64-bit processors running in
32-bit mode, so 486 vs 586 is probably not all that important in the
grand scheme of things.

						- Ted

^ permalink raw reply	[flat|nested] 26+ messages in thread

* Re: [TUHS] /usr separation
  2021-02-24 18:37                   ` Theodore Ts'o
@ 2021-02-24 18:48                     ` Grant Taylor via TUHS
  2021-02-25  3:38                       ` Theodore Ts'o
  2021-02-24 20:25                     ` Steve Nickolas
  1 sibling, 1 reply; 26+ messages in thread
From: Grant Taylor via TUHS @ 2021-02-24 18:48 UTC (permalink / raw)
  To: tuhs

[-- Attachment #1: Type: text/plain, Size: 3530 bytes --]

On 2/24/21 11:37 AM, Theodore Ts'o wrote:
> Oh, sure.  I agree completely that it's 180 degrees from the original 
> golden rule; it had intended to be a joke.  Unfortunately, years of 
> living in a country whre the ones with the Gold really do make all 
> of the Rules has gotten me to the point where if I don't laugh at it, 
> I would have to cry....

When colleagues would say "you would think" or "I've been thinking" or 
the likes, with "We don't do that!  The logo does it for us!" when 
dealing with IBM shenanigans.  Again, laugh, lest I cry.

> So technically it doesn't wipe out UEFI; it just will destroy the 
> ability to boot the system.  (e.g., this is where Grub lives, and if 
> you delete it, UEFI will no longer be able to launch Grub, and hence, 
> not boot Linux.)

ACK

Either way, it causes someone to have a Bad Day™.

> Fortunately, if you have a rescue CD / USB Thumb drive, it's relatively 
> easy to recover from this.

And now we're back towards the start of this (sub)thread of a system 
being able to boot strap itself or not.

> A rogue rm which deletes /bin (even if /bin is a symlink to /usr/bin, 
> all of the shell scripts and /etc/passwd entries probably still refer 
> to /bin/sh) is going to make the system similarly unbootable.

Agreed.

Though I think there is a difference in containing the damage to the OS 
vs going beyond it and damaging the firmware configuration.

> As far as making a system more robust against rogue rm's, I really 
> like scheme used by ChromeOS, where the entire file system is 
> not only read-only, but protected by a cryptographic Merkle Tree 
> such that if malware attempts to modify it, the system will crash. 
> This is combined with firmware which will only load a kernel with a 
> valid digital signature, and the user data is stored on an encrypted 
> file system mounted on /mnt/stateful_partition and it is the only 
> file system mounted read/write on a ChromeOS system.  It violates 
> a lot of expectations about where files should live on a "normal" 
> Unix or Linux system, but it's defnitely way more safe and secure.

I've not looked at Chrome OS or how it does things because of my dislike 
for actually /using/ it.  However, it sounds like it's worth popping the 
hood and looking at things.

> For now, as far as I know, Debian still supports a 486 (or i386 with 
> an i387 co-processor, which was my first Linux system).  But yes, 
> it is very likely, absent people showing up to volunteer to support 
> 32-bit userspace at Debian (e.g., ongoing security updates, support 
> for the i386 build farm, reporting and triaging build failures of 
> packages on i386, etc.), that the i386 arch will probably get dropped 
> after Debian Bullseye release (which will probably happpen sometime 
> in mid-2021 if I had to guess).

I don't know how quickly 32-bit will disappear.  I think the embedded 
market and other non-i386 32-bit platforms will likely keep 32-bit code 
around for a while yet.  At least user space application code.  Maybe 
the i386 kernel code will languish ~> bit rot.  Or worse, get in the way 
of maintaining 64-bit code and thereby be ejected.

> I'm not sure there are any 486's around any more, and it's likely most 
> uses of systems with i386 binaries are on 64-bit processors running 
> in 32-bit mode, so 486 vs 586 is probably not all that important in 
> the grand scheme of things.

¯\_(ツ)_/¯



-- 
Grant. . . .
unix || die


[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 4013 bytes --]

^ permalink raw reply	[flat|nested] 26+ messages in thread

* Re: [TUHS] /usr separation
  2021-02-24 18:37                   ` Theodore Ts'o
  2021-02-24 18:48                     ` Grant Taylor via TUHS
@ 2021-02-24 20:25                     ` Steve Nickolas
  2021-02-24 22:08                       ` Steffen Nurpmeso
  1 sibling, 1 reply; 26+ messages in thread
From: Steve Nickolas @ 2021-02-24 20:25 UTC (permalink / raw)
  To: Theodore Ts'o; +Cc: tuhs, Grant Taylor

On Wed, 24 Feb 2021, Theodore Ts'o wrote:

> On Wed, Feb 24, 2021 at 10:50:03AM -0700, Grant Taylor via TUHS wrote:
>> Being a fan of the golden rule, I would not make, much less use, that
>> derivation.  I think it completely changes the meaning of the spirit behind
>> the golden rule.
>
> Oh, sure.  I agree completely that it's 180 degrees from the original
> golden rule; it had intended to be a joke.  Unfortunately, years of
> living in a country whre the ones with the Gold really do make all of
> the Rules has gotten me to the point where if I don't laugh at it, I
> would have to cry....

I first heard this form used in the movie "Aladdin" (the 1992 Disney one, 
with Robin Williams).

>> I seem to recall hearing about a problem where a rogue rm could accidentally
>> wipe out part of the UEFI.  Maybe it was the contents of the /boot/efi
>> partition.  So, I'd suggest a happy medium of mounting it Read-Only.  That
>> way it's known to be used /and/ it's protected from a simple rogue rm.  It
>> can relatively easily be re-mounted as Read-Write when necessary.  As well
>> as subsequently re-mounted back to Read-Only.

<snip>

> As far as making a system more robust against rogue rm's, I really
> like scheme used by ChromeOS, where the entire file system is not only
> read-only, but protected by a cryptographic Merkle Tree such that if
> malware attempts to modify it, the system will crash.  This is
> combined with firmware which will only load a kernel with a valid
> digital signature, and the user data is stored on an encrypted file
> system mounted on /mnt/stateful_partition and it is the only file
> system mounted read/write on a ChromeOS system.  It violates a lot of
> expectations about where files should live on a "normal" Unix or Linux
> system, but it's defnitely way more safe and secure.

It may not be as much of a protection, but I replaced the system rm on my 
Debian with one based on 4.4BSD (since I already had the code lying 
around) to which I added a bit of protection against attempts to "rm -rf 
/" after a worm got in and ran an obfuscated version of that...thankfully 
it didn't run as the superuser.

I do get occasional "invalid switch" errors from it while using apt, so it 
probably uses a gnuism (since afaict, the code I used was strictly 
conformant to Posix). Otherwise, it hasn't caused any issues.

-uso.

^ permalink raw reply	[flat|nested] 26+ messages in thread

* Re: [TUHS] /usr separation
  2021-02-24 20:25                     ` Steve Nickolas
@ 2021-02-24 22:08                       ` Steffen Nurpmeso
  0 siblings, 0 replies; 26+ messages in thread
From: Steffen Nurpmeso @ 2021-02-24 22:08 UTC (permalink / raw)
  To: Steve Nickolas; +Cc: tuhs, Grant Taylor

Steve Nickolas wrote in
 <alpine.DEB.2.21.2102241520550.15020@sd-119843.dedibox.fr>:
 |On Wed, 24 Feb 2021, Theodore Ts'o wrote:
 ...
 |> As far as making a system more robust against rogue rm's, I really
 |> like scheme used by ChromeOS, where the entire file system is not only
 |> read-only, but protected by a cryptographic Merkle Tree such that if
 |> malware attempts to modify it, the system will crash.  This is
 |> combined with firmware which will only load a kernel with a valid
 |> digital signature, and the user data is stored on an encrypted file
 |> system mounted on /mnt/stateful_partition and it is the only file
 |> system mounted read/write on a ChromeOS system.  It violates a lot of
 |> expectations about where files should live on a "normal" Unix or Linux
 |> system, but it's defnitely way more safe and secure.
 |
 |It may not be as much of a protection, but I replaced the system rm on my 
 |Debian with one based on 4.4BSD (since I already had the code lying 
 |around) to which I added a bit of protection against attempts to "rm -rf 
 |/" after a worm got in and ran an obfuscated version of that...thankfully 
 |it didn't run as the superuser.
 |
 |I do get occasional "invalid switch" errors from it while using apt, so it 
 |probably uses a gnuism (since afaict, the code I used was strictly 
 |conformant to Posix). Otherwise, it hasn't caused any issues.

Just this week i finished my move from BSD compatibility to plain
Linux-only (which you seem to run) for my "web" and my "web with
credentials" user accounts; the accounts are gone now, instead
i as "i" execute according overlays.  pstree for example now say

  [sudo..]
  box-browse.sh---box-browse.sh---unshare---
    su---.box-browse-gui-+-firefox-bin-+-Web Content

when i browse totally boxed and unprivileged.  (Still not CPU and
memory restricted, but other than that.)
The / root is the low level of an overlayfs, the upper level is
a tmpfs that may not use more than 5 percent of RAM.  It has its
own minimal /dev (with audio even) and has read/write access to
one shared folder.  Ditto with credentials, but that runs in the
global network namespace, whereas the unprivileged even runs
isolated from that.

It is a bit messy if you want to be portable to Linux
distributions which use busybox unshare etc., because there you
need to use chroot(1) yourself, and therefore mount /proc also
yourself thereafter (ie unshare(1)s --mount-proc is effectively
useless).  Also it would be nice to be able to execute a few
commands before you switch aka map user and group IDs in the
containment (if you do so).  But for open source software the
answer there usually is "shut up and hack", thus.

Of course with this approach the containers need to live in the
same X11 session, therefore the one mounts only /tmp/.X11-unix (it
is tremendous that Linux can "mount" a normal directory now!), the
other just the plain /tmp.

So an rm -f could destroy the shared folder (it lives on
a filesystem with snapshot support though).  For the credential
account it could even wipe /tmp/ and the --bind mounted .mozilla
encfs that is in the containment there (but ditto, plus specific
backups).  I have not looked at overlayfs code, but i think the
whiteouts of the upper layer will be saved in the "work" layer, so
an rm -rf / could possibly even not finish because 5 percent RAM
could exceed earlier?  Happy to (un)share ~150 lines sh(1) script.

Yes Mr. Cole, thanks for this working on overlay (less so union)
filesystems, it is tremendous!

(P.S.: that .box-browse-gui.sh is a condome to prevent that
firefox-bin as compiled by Mozilla locks me out of the system.
Have seen this twice already when browsing serious German and
Austrian magazines, needing a reboot.  So i now have my browser
session been protected by a shell guard, and my window manager
menu has a "TOUCH" entry.  If the timestamp of the touch file
becomes older than 300 seconds i hear the first gong of Big Ben
and need to touch .. after the fifth a "kill -TERM -1" happens.)

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)

^ permalink raw reply	[flat|nested] 26+ messages in thread

* Re: [TUHS] /usr separation
  2021-02-24 18:48                     ` Grant Taylor via TUHS
@ 2021-02-25  3:38                       ` Theodore Ts'o
  0 siblings, 0 replies; 26+ messages in thread
From: Theodore Ts'o @ 2021-02-25  3:38 UTC (permalink / raw)
  To: Grant Taylor; +Cc: tuhs

On Wed, Feb 24, 2021 at 11:48:28AM -0700, Grant Taylor via TUHS wrote:
> I've not looked at Chrome OS or how it does things because of my dislike for
> actually /using/ it.  However, it sounds like it's worth popping the hood
> and looking at things.

If you don't like using Chromebooks, the same scheme is used for
Google's Container Optimized OS (intended for use in cloud VM's
running docker images):

    Container-Optimized OS is an operating system image for your
    Compute Engine VMs that is optimized for running Docker
    containers. With Container-Optimized OS, you can bring up your
    Docker containers on Google Cloud Platform quickly, efficiently,
    and securely. Container-Optimized OS is maintained by Google and
    is based on the open source Chromium OS project.

    https://cloud.google.com/container-optimized-os/docs

Cheers,

						- Ted

^ permalink raw reply	[flat|nested] 26+ messages in thread

* Re: [TUHS] Abstractions
  2021-02-22  0:13   ` [TUHS] Abstractions Warren Toomey
@ 2021-02-27  2:47     ` Dave Horsfall
  0 siblings, 0 replies; 26+ messages in thread
From: Dave Horsfall @ 2021-02-27  2:47 UTC (permalink / raw)
  To: The Eunuchs Hysterical Society

On Mon, 22 Feb 2021, Warren Toomey wrote:

>> That's how we ran our RK-05 11/40s since Ed 5...  Good fun writing a 
>> DJ-11 driver from the DH-11 source; even more fun when I wrote a UT-200 
>> driver from the manual alone (I'm sure that "ei.c" is Out There 
>> Somewhere), junking IanJ's driver.
>
> https://minnie.tuhs.org/cgi-bin/utree.pl?file=AUSAM/sys/dmr/ei.c

Nah; that's the IanJ rubbish.  Mine was written from scratch (and actually 
worked) but I don't think that it ever left UNSW.

-- Dave

^ permalink raw reply	[flat|nested] 26+ messages in thread

end of thread, other threads:[~2021-02-27  2:48 UTC | newest]

Thread overview: 26+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-02-20 23:09 [TUHS] Abstractions M Douglas McIlroy
2021-02-21  8:15 ` Otto Moerbeek
2021-02-21 11:08 ` Rich Morin
2021-02-21 22:40 ` Dave Horsfall
2021-02-21 23:01   ` Steve Nickolas
2021-02-23  3:31     ` Andrew Warkentin
2021-02-23 17:29       ` [TUHS] /usr separation (was: Abstractions) Greg A. Woods
2021-02-23 18:28         ` [TUHS] /usr separation Grant Taylor via TUHS
2021-02-23 18:57           ` Theodore Ts'o
2021-02-23 20:29             ` Grant Taylor via TUHS
2021-02-24 14:14               ` Theodore Ts'o
2021-02-24 17:50                 ` Grant Taylor via TUHS
2021-02-24 18:37                   ` Theodore Ts'o
2021-02-24 18:48                     ` Grant Taylor via TUHS
2021-02-25  3:38                       ` Theodore Ts'o
2021-02-24 20:25                     ` Steve Nickolas
2021-02-24 22:08                       ` Steffen Nurpmeso
2021-02-24  3:12         ` [TUHS] /usr separation (was: Abstractions) Andrew Warkentin
2021-02-22  0:13   ` [TUHS] Abstractions Warren Toomey
2021-02-27  2:47     ` Dave Horsfall
2021-02-23  0:25   ` Wesley Parish
2021-02-23  0:38     ` Steve Nickolas
2021-02-23  2:50       ` Theodore Ts'o
2021-02-23  3:19         ` Warner Losh
2021-02-23  1:47     ` Theodore Ts'o
2021-02-21 22:54 ` Clem Cole

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).