Archive for the ‘MacOS X’ Category

User Interface Design: the Command Line

6 September 2009 ddouthitt

The command line is not immune from user interface design. Especially where language is concerned, one has to choose the options, their names, and their order carefully so that things work just the way the user expects them to.

If the program is too different, people will be tripping over it all the time. The UNIX tar command comes to mind as one that failed here: options (or “actions”) specifically did not start with a dash. Likewise, UNIX find also failed: if you didn’t include the parameter -print at the end, you saw no output: your find command found nothing! (In reality, it just didn’t report it.) Both of these errors have been rectified in the last several decades: UNIX find has an implied -print, and tar often will make the dash optional – which makes it work both the way it always did and the way it should have.

As an example of what seems to be a colossal user interface failure – including poor writing – consider these articles from Scott Remnant, which are absolute gems (albeit from way back in February 2009). He wrote an article titled Git Sucks – which was then followed by a second and then a third – followed by yet another titled Revision Control Systems Suck.

What Scott is railing about is how hard these systems are to learn (he targets not just git, but also GNU Arch and Bazaar). From his standpoint, he finds these systems to be complicated and hard to understand.

He also points out (rightly) that the most common actions should be the simplest, and finds that with git these common actions are rarely ever simple. He specifically mentions reviewing the changes that someone else has made compared to his own – and says that there’s not a revision control system that makes it easy.

An example of how user interface design can be incorporated into things like the command line and even programming is this quote from an interview with Yukihiro Matsumoto, the developer of the programming language Ruby, about his guiding principle in developing Ruby:

[It's] called the “principle of least surprise.” I believe people want to express themselves when they program. They don’t want to fight with the language. Programming languages must feel natural to programmers.

and later in the same interview:

In addition, Ruby is designed to be human-oriented. It reduces the burden of programming. It tries to push jobs back to machines. You can accomplish more tasks with less work, in smaller yet readable code.

Another example: I was just rereading my copy of The Humane Interface written by Jef Raskin. In it, he had a section titled Noun-Verb versus Verb-Noun Constructions (section 3-3, p. 59). This mirrors a problem I have experienced with some command line software in the past: the command wants an action as the first argument, and the object of the action second. I despised it enough that it was the genesis of my writing a wrapper for the command that reversed the order: object first, action second. Imagine my surprise to find my troubles validated right there in Raskin’s book.

There are many examples of command line programs doing wrong things, and of programs doing right things. One of the right things comes from HP-UX and its software management tools such as swinstall: if the program can use an X display for a graphical display, it will; if not, it goes to a text display instead.

There are many such examples, of programs just doing what you need and leaving you to think about other things. I wonder what would happen if a company like Apple decided to tackle the command line – although, in a way, they did already. In MacOS X, consider the open command for instance… absolutely brilliant, which is in contrast to the open command sometimes found in other UNIXes (never standard).

One very important point to remember: “It’s only hard until you learn it” is not a valid excuse. The learning curve for a program should not be any steeper than it has to be.

ZFS and Apple’s new MacOS X (Snow Leopard)

1 September 2009 ddouthitt 2 comments

Sun’s ZFS is, by all accounts, the most revolutionary file system to come along in years. The Wikipedia entry on ZFS has some details, and Sun has a ZFS Learning Center where you can learn how to use it.

Of course, ZFS is in OpenSolaris, but it is also being introduced into FreeBSD as well.

The Solaris Internals site has a beautiful ZFS Best Practices Guide.

What does all of this have to do with Apple’s MacOS X (Snow Leopard)?

Just this: early in the development of MacOS X 10.6, Apple announced that they would use ZFS in the new MacOS X Snow Leopard. The ability to read ZFS volumes had been put into MacOS X Leopard Server. However, ZFS is missing from MacOS X Snow Leopard and Snow Leopard Server entirely. Robin Harris over at ZDNet has an excellent article that explains it all. He then went on to expand on his ZDNet article with more details.

The one detail in particular I wanted to note is the lawsuit between NetApp and Sun over ZFS and related patents. Groklaw has been following the lawsuit, but the last update from Groklaw is October 2008; Sun has more details on their lawsuit page. Way back in 2007 when the patent lawsuit erupted, Computerworld had an article suggesting that Apple might be forced into the lawsuit since it had been courting ZFS – or could be sued next if NetApp won. Neither Apple nor NetApp would comment.

It would also be worth noting that when IBM was in talks to buy Sun in March 2009, there were articles about how the ZFS lawsuit would affect such talks – especially given that IBM and NetApp had a strong partnership already (IBM remarkets NetApp hardware for instance). AMLawDaily had a nice article about it, as did CNET. It wasn’t much more than a month later – in April 2009 – that Sun announced it was being bought by Oracle.


RAID is not a backup!

27 January 2009 ddouthitt 5 comments

This post describes the author’s experience of almost losing his data on a RAID disk set. He also gives good details on why RAID is not a backup and how he rectified the situation. Remember: RAID is not a backup!

When working with corporate systems, a complete, reliable, and tested backup system is important. RAID does not protect you against many (or even most) disasters that could happen.

RAID is designed to protect against one thing: disk failure. It does not protect against user error, operator error, site destruction, and many more possibilities.

So how do I back things up? I must admit, I’ve improved my backup strategies of late. I currently have several tools that I use and would recommend to you:

  • SpiderOak. This is an online backup service which offers the first 2Gb backup free. They also maintain multiple version backup, so if you want a file from two versions back, it’ll still be there. This service is worth paying for, I’d say.
  • For my Mac, I’ve used PsyncX periodically (albeit not automated). It has come in handy more than once as my laptop died several times – I’ve one of those iBooks that was notorious for video hardware that failed annually (and Apple would fix for free, but never admitted fault). If you’ve a Mac, get an external drive and use PsyncX to save your home directory off. Also recommended: put your applications in your home directory, not the system directory: restoring your home directory will then be enough to get your applications back.
  • For UNIX, the similar alternative to PsyncX is rsync: again, get an external drive and save your home directory off to it regularly.
  • Also, come at it from the other direction: save your configuration by putting it into a cfengine or puppet setup and saving that as well. If the machine fails, running cfengine or puppet on startup will restore the system to its original state.
  • One other item – that may seem a bit unusual – is using Thinkfree Office. Thinkfree Office gives you a way to save documents locally and have them mirrored in the Internet cloud – and you can also manipulate your documents on the web as well. Of course, this is only entirely true for documents that Thinkfree Office can edit.

It would seem that cfengine v3 is now available for download – that will have to be a subject for a new article.

Using BSD jot

23 January 2009 ddouthitt 2 comments

Most every Linux system comes with GNU seq (a utility to generate sequences of numbers or characters). However, a much older utility – and more flexible one – is the underutilized and unknown utility, jot. Every BSD system, including MacOS X, will come with jot (and not with seq).

Unfortunately, commercial UNIX tends to come with neither. So unless you are using an open source operating system, both of these utilities are unavailable. This is unfortunate.

To install jot under Debian Linux and variants (including Ubuntu), install the athena-jot package. FreeBSD, OpenBSD, and MacOS X should already have jot installed out of the box.

Using jot is easy:

  • Generate a count 1 to 6: jot 6
  • Generate a count 5 to 10: jot 6 5
  • Print “y” 100 times: jot -b y 100
  • Generate a count 1 to 6 separated by commas: jot -s "," 6
  • Generate abc1 to abc20: jot -w abc 20

This only begins to touch on the capabilities of jot. It can also generate random numbers and random character data.

In fact, to generate a large file (5Gb in this case), try this:

jot -r -c -s '' $(( 1024 * 1024 * 1024 * 5 )) > file.5gb

If you do install the athena-jot package on Ubuntu or Debian, you may want to do this:


cd /usr/share/man/man1
sudo ln -s athena-jot.1.gz jot.1.gz

For some reason, the package – and the manpage – are called athena-jot but the utility is actually jot (not athena-jot). The FreeBSD man page for jot(1) (PDF) has more details.

Categories: BSD, Debian, Linux, MacOS X, Tips, Ubuntu

About ZFS

3 January 2009 ddouthitt 1 comment

I’ve known that ZFS was a revolutionary filesystem, but never understood the details. Now there is an article that explains why ZFS is so desirable, and does so well.

Apple started supporting ZFS read-only in Leopard, and has released beta versions of Leopard with writable ZFS.

FreeBSD committed ZFS to the 7.0 tree in April of 2007. There is an excellent article that describes how to install FreeBSD 7.0 with ZFS. The FreeBSD Project also has a wiki page that describes the current state of ZFS under FreeBSD, and has some nice links about ZFS.

So why isn’t ZFS in the Linux kernel tree? Because the license for ZFS, the Sun CDDL, conflicts with the Linux kernel’s GPL license. There was an interesting discussion on the Linux Kernel Mailing List (lkml) summarized at kerneltrap.

One way to avoid the license issues is to run Linux inside a Solaris zone; while the Linux system is not aware of the filesystem used as the backing store for the zone, the Solaris system could use ZFS as the zone’s filesystem.

The EeePC and UNIX/Linux

Wandering about, it would appear that UNIX aficionados (geeks!) are putting everything imaginable onto the EeePC.

For example, there are people running MacOS X Tiger, MacOS X Leopard, OpenSolaris 2008.05, Ubuntu, and NetBSD on the EeePC. There is a video review of the EeePC which is very informative and well done (even if the video itself is slightly off-color). There is another video describing the EeePC and how to install Ubuntu Linux onto it. There’s even a video demonstration of MacOS X Tiger running on the EeePC. Doesn’t seem to be anything it can’t do.

There’s a NetBSD on EeePC page as well.

This all makes me want to go get one for myself; I’ve been holding off. One of these with a dual-bootable Windows/Linux or Windows/UNIX installation would be perfect – and as it boots off of flash cards as well, perhaps Windows 2000 on flash would be just the thing for me (every corporate doodad requires Windows – VPN, WPA, intranet – ack!).

These machines apparently continue to be quite popular, as this romp through UNIX on the EeePC shows.

PWN to OWN Contest at CanSecWest 2008

2 April 2008 ddouthitt

The PWN to OWN Contest is a hacking contest at the CanSecWest security conference that pits a standard install of Linux, Windows, and MacOS X against all comers. Each laptop has a default installation on it, and has not been hardened at all. The successful hacker will not only win a cash prize, but the system in question as well.

The MacBook Pro was the first to fall, and the laptop running Microsoft Vista Ultimate second. However, there will be those that misinterpret the results by not realizing how the contest was conducted.

Each contestant gets 30 minutes to attempt to crack the machine, and can choose which machine to attack. The attacks are limited by the rules, and each day that went by the rules allowed a wider range of attack vectors. It was a third party application (Adobe Flash) that permitted the compromise of the Microsoft Vista machine.

No part of the contest can be considered a scientific study into which system is more secure than the other: contestants attacked a single machine of choice, and contestants were allowed their attempts one at a time – and the operating system was not hardened.

This is entirely different than, for example, the Capture the Flag contest at DEFCON. That contest consists of setting up a server and trying to capture the other teams’ “flag” through compromising the server in some way. In that contest, any and all comers are permitted to enter and to attack at will during the contest with whatever vulnerabilities and methods they have available.

Speaking of DEFCON, DEFCON 9 saw the entrance of an Alpha-based VMS machine – installed with the standard setup – which remained unscathed throughout the contest, though try they did. The VMS Team (the Green Team) had a writeup and also wrote a white paper afterwards.

If you are interested in DEFCON, DEFCON 16 will be August 8-10 in Las Vegas, Nevada.

Also, speaking of DEFCON – let’s not forget the similarly named but totally unrelated InterSystems DEVCON2008, which is just wrapping up. DEVCON, among other things, covers Caché development and related. It is interesting to note that InterSystems DEVCON began 15 years ago, whereas DEFCON began 16 years ago. I wonder how much Caché security is covered at DEVCON2008.

Using rsync with extended attributes

7 January 2008 ddouthitt 3 comments

The command rsync is like a network aware copy program, and it is designed to replicate every part of the original file (ownership, group membership, etc.). It also transfers only the portions of the file that are necessary – so a slight change in a file on one host means a minimal network transfer to the other host.

However, rsync has had problems preserving extended attributes such as the Finder data and resource forks from MacOS X. Kyle Crawford has done an excellent write-up on the state of MacOS X extended attributes support in rsync 3.0.0-pre7 (a prerelease of 3.0), and it looks like the problems with rsync may be over. This is indeed good news. He used a tool called backup-bouncer to verify the MacOS X metadata; this tool looks very useful.

Kyle also has an excellent entry on his attempts to use rsync on MacOS X up to that point.

The traditional way to get all of this data on MacOS X was to use the ditto command line utility, but rsync now seems to be improving to where ditto may not be necessary (or perhaps it is…).

The rsync 3.0.0-pre7 release (as well as the current rsync-2.6.9 release) is available for download at the rsync download page. There are also important security advisories for rsync daemons in versions 2.6.6 and older; upgrade to the latest release version (2.6.9).
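
As an added example (not from the original post or the rsync project), this shell helper picks the metadata options for a home-directory backup from the first line of `rsync --version`. It assumes the `-A`/`-X` options of rsync 3.x and the `-E` option of the rsync that Apple ships; the function names, paths and version lines are hypothetical or constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and paths are
# hypothetical; the version lines below are constructed samples.

# Print the major version from the first line of `rsync --version`,
# e.g. "rsync  version 3.0.0pre7  protocol version 30" -> 3
rsync_major() {
    printf '%s\n' "$1" |
        sed -n 's/^rsync  *version  *\([0-9][0-9]*\)\..*/\1/p'
}

# Print the option string that keeps ownership, times, hard links and,
# where the build can do it, ACLs and extended attributes.
#   $1 = version line, $2 = "apple" for the rsync Apple ships with MacOS X
metadata_flags() {
    major=$(rsync_major "$1")
    [ -n "$major" ] || return 1          # not an rsync version line
    if [ "$major" -ge 3 ]; then
        echo "-aHAX"                     # 3.x: -A ACLs, -X xattrs
    elif [ "$2" = "apple" ]; then
        echo "-aHE"                      # Apple 2.6.9: -E extended attributes
    else
        echo "-aH"                       # stock 2.x: no xattr support
    fi
}

# Print (not run) the backup command. --delete is left out on purpose so a
# file removed by mistake on the source survives in the copy.
#   $1 = version line, $2 = source dir, $3 = destination dir, $4 = vendor
backup_command() {
    flags=$(metadata_flags "$1" "$4") || {
        echo "unrecognised rsync version line" >&2
        return 1
    }
    printf 'rsync %s %s/ %s/\n' "$flags" "$2" "$3"
}

# Demo on constructed input; with a real rsync, pass
# "$(rsync --version | head -n 1)" as the first argument instead.
backup_command "rsync  version 3.0.0pre7  protocol version 30" \
    /Users/me /Volumes/Backup/me
backup_command "rsync  version 2.6.9  protocol version 29" \
    /Users/me /Volumes/Backup/me apple
```

In stock rsync the `-E` option means `--executability`, so the `apple` case must only be used with Apple's build.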

Implementing Security (and the NSA)

5 December 2007 ddouthitt

The NSA is, of course, the United States National Security Agency. It’s their job to a) keep the nation’s computers secure; b) find out how to break everyone else’s (ah, the dichotomy of national intelligence!). Thus, some of the best computer security minds are at the NSA – it was the NSA that brought us SELinux (and still does!).

They also have a vast array of security guides available for download. These include guides on securing Solaris 8 and 9, MacOS X 10.3 and 10.4, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and more.

Use a security guide next time you secure a box – and not necessarily just one. Do some research. Implement all of the security you can on all of your boxes – even if it is not on the Internet. One day, someone might just crack through – then all of your internal systems will be at risk. Each system should be able to withstand an assault without falling.

OpenSolaris on a MacBook

22 November 2007 ddouthitt 2 comments

OpenSolaris is very interesting, and since the introduction of dtrace and ZFS has enthralled many. I tried to install it onto my HP Compaq E300 laptop (which it was unsuitable for), and tried to install it onto an HP Compaq 6910p laptop. In this case, the networking was unsupported: both the ethernet and the wireless drivers were not included with OpenSolaris Express (Developer Edition).

In any case, I expect I might just be shopping for a laptop in the next year – and it’s nice to see that OpenSolaris does run on the Apple MacBook.  This article goes into detail about how the writer got it to work, and each of the steps that were taken to make it happen.  Paul Mitchell from Sun discusses dual-partitioning a MacBook in this context as well.  Alan Perry (also from Sun) had done the same thing with a Mac Mini, and Paul extended it to the MacBook.  Both entries are detailed and have to do with MacOS X and Solaris dual-booting.

On a different note, check out the graph of library calls from dtrace in this article.  From what I’ve heard of dtrace, it’s the ultimate when it comes to debugging…