Popular:
Virtualization DNS security formal verification reachability analysis compiler errors macro conflict web extension development framework Bitmap Graphics API inconsistencies All Tags

Systemd Service Unit Restrictions: A Common Cause of Daemon Startup Failures

2025-09-20

A classic problem for Linux system administrators is a daemon failing to start normally but working fine when manually run as root. Traditional causes include incomplete $PATH environment variables, SELinux, and AppArmor. Increasingly, systemd service unit restrictions (documented in systemd.exec) are the culprit. Directives like ProtectHome and PrivateTmp can cause cryptic 'permission denied' or 'file not found' errors, or even indirect failures like blocking DNS queries. Removing restrictions from the daemon's .service file can help diagnose the issue, but future daemons may rely on these restrictions, complicating troubleshooting.

Read more
(utcc.utoronto.ca)
Development daemon

The Neglected Client-Side Web: Why Nobody Cares About Slow Loading Times

2025-08-23

This article discusses the often-overlooked issue of poor client-side web experiences. While server-side problems frequently dominate discussions, the author points out the consistent neglect of slow loading times, clunky UIs, and other client-side frustrations. Using Github's recent update as an example, many users report slow performance, yet website operators prioritize server-side concerns. The author argues that websites hold significant power, leaving users with boycotts as their only recourse, which are largely ineffective. Websites often lack effective measurement of user churn, contributing to their apathy toward client-side experiences. Ultimately, the author admits to making editorial decisions that may negatively impact users but frames it as a necessary trade-off.

Read more
(utcc.utoronto.ca)
Development client-side

Replicating OpenBSD's pflog in Linux: nftables and ulogd2

2025-08-16

This article details how to replicate OpenBSD and FreeBSD's convenient pflog functionality on Linux using nftables and ulogd2 for network packet logging and analysis. By adding 'log group' statements to nftables rules and forwarding logs to different netlink sockets, you can use tcpdump for live monitoring and ulogd2 for disk logging. The article walks through configuring ulogd2, logging to pcap files, and notes limitations and alternatives to ulogd2.

Read more
(utcc.utoronto.ca)
Development

The Unexpected Persistence of Traditional Unix Login Servers

2025-08-03

The author explores the surprising continued use of traditional Unix login servers in a hypothetical rebuild of their computing environment as a modern, greenfield development. Despite the prevalence of containerization, they maintain two types: a general-purpose server with CPU and RAM limits, and compute servers offering unrestricted resource access. While usage has declined, these servers remain surprisingly relevant, particularly for SSHing to internal machines or running backends for development environments like VSCode. The author also notes the use of login servers for cron jobs and the reason for users storing code on fileservers, which is closely tied to the use of their SLURM cluster and compute servers. The lack of a robust support model makes tracking exact usage difficult.

Read more
(utcc.utoronto.ca)
Development Unix servers

Recursive Descent Parsers: Simple Wins Over Complexity?

2025-07-28

The author explores approaches to parsing computer languages, specifically comparing recursive descent parsers to LR parser generators. While LR parser generators handle more complex grammars, the author favors recursive descent parsers due to their ease of use, lack of reliance on external tools, and ability to be written directly in the target language, thus minimizing learning curve and debugging challenges. For developers who occasionally need to build parsers for small languages, the simplicity and ease of use of recursive descent parsers outweigh their limitations in handling complex grammars.

Read more
(utcc.utoronto.ca)
Development parsers recursive descent

Debugging Bash Scripts: Gracefully Handling `set -e` Errors

2025-07-27

This article presents a neat trick for gracefully handling errors triggered by `set -e` in Bash scripts. By using `trap 'echo "Exit status $? at line $LINENO from: $BASH_COMMAND"' ERR`, you can print information like the error line number, failing command, and exit status when the script encounters an error, making debugging easier. This leverages Bash-specific features: `$LINENO`, `$BASH_COMMAND` environment variables, and the `ERR` trap condition. Other shells like sh may behave differently and might not fully support this functionality.

Read more
(utcc.utoronto.ca)
Development script debugging

The Curious Limitation of errno(3) in Linux

2025-07-04

The Linux errno(3) man page reveals a peculiar limitation: errno can be modified even on successful function calls, and it's never set to zero by any system call or library function. This stems from traditional Unix design where system calls typically return errno only on failure, leaving it unchanged on success. C library functions might make multiple system calls, some of which could fail without affecting the library function's overall success, leaving errno with the failure value. ANSI C and POSIX inherited this behavior, requiring errno to be meaningful only when a function fails and its documentation specifies setting errno.

Read more
(utcc.utoronto.ca)
Development

The Unexpected Rise of X Terminals: Not Part of X's Initial Design

2025-06-23

X wasn't initially designed for use with X terminals. Early X ran on full-fledged workstations; even diskless ones, while relying on servers for heavy tasks, still had a complete local Unix environment. X terminals arrived much later, only after X's success as a cross-vendor Unix windowing system was established. NCD, possibly among the first to produce X terminals, was founded in 1987 but likely didn't ship a product until 1989. This is further supported by the late arrival of XDM (X Display Manager), released with X11R3 in October 1988. While technically possible to use X terminals without XDM, its presence greatly simplified the process, indicating the adoption of X terminals lagged behind the maturation of X itself.

Read more
(utcc.utoronto.ca)
Tech X Terminals

Open Source Maintainer Revolt: libxml2's Sole Maintainer No Longer Prioritizes Security Issues

2025-06-19

The sole maintainer of libxml2 has announced they will no longer treat security issues differently from bugs, sparking debate within the open-source community. The author argues this reflects growing discontent among maintainers regarding corporate exploitation of open-source software. A distinction is drawn between personal, cooperative open source (e.g., Debian, BSD) and corporate use of open source for profit. The author predicts a future where the open-source community increasingly emphasizes this distinction, potentially altering interactions with corporations.

Read more
(utcc.utoronto.ca)
Development community maintenance

WireGuard: 1Gbps Network Saturation Achieved

2025-06-17

The author previously assumed encryption was too slow to achieve network saturation, even on Gigabit Ethernet. However, recent testing revealed WireGuard, running on readily available servers (Xeon E-2226G), readily saturated a 1Gbps network without special tuning, exhibiting low CPU usage. This challenged the author's assumptions about encryption speed, suggesting many methods could theoretically saturate a 1Gbps link, and highlighting potential performance tuning needs for existing VPN servers.

Read more
(utcc.utoronto.ca)
Development Network Bandwidth Encryption Performance

Argparse's Mutually Exclusive Group Nesting Limitation: A Frustrating Conundrum

2025-06-14

Python's argparse module, while offering convenient features for handling command-line arguments, including mutually exclusive groups, has a frustrating limitation when it comes to nesting. Consider a program with multiple timeout settings where users can either adjust individual timeouts or disable them entirely. Argparse doesn't support nesting a 'no-timeout' option within a group of individual timeout options, making configuration cumbersome. While you can nest a mutually exclusive group inside a regular group, the reverse isn't supported, and the official documentation explicitly states this limitation. This forces developers to manually check if specific switches were used, adding complexity.

Read more
(utcc.utoronto.ca)
Development

Unix Inode 0: A Forgotten Corner

2025-06-02

This article explores the limitations of inode numbers in early Unix systems and the special case of inode 0. The author found that while the POSIX standard doesn't explicitly prohibit the use of inode 0, many systems and programs may rely on non-zero inode numbers in practice. Using inode 0 may lead to unexpected behavior, as some programs might interpret it as a 'no such file' signal. While experimenting with inode 0 is possible using user-space filesystems, it's not recommended due to potential compatibility issues and unpredictable results.

Read more
(utcc.utoronto.ca)
Development

The JavaScript Proof-of-Work Arms Race Against LLMs

2025-05-28

Websites increasingly use JavaScript-based proof-of-work systems, like Xe Iaso's Anubis, to combat aggressive LLMs and web scrapers. However, LLMs can leverage compromised machines for substantial CPU power to solve these challenges. The problem is that LLMs operate in a hostile environment, making it difficult to distinguish genuine proof-of-work from malicious JavaScript. This exposes LLMs to CPU mining or other attacks. Trying to identify proof-of-work systems is a losing game for LLMs, as malicious actors have an incentive to mimic them. This creates an arms race between websites and LLMs, each trying to optimize resource usage while protecting their interests.

Read more
(utcc.utoronto.ca)
Development

The Evolution of Unix Filename Length Limits

2025-05-25

Early Unix versions had surprisingly short filename limits: initially just 8 bytes, later increasing to 14. This was tied to Unix's simple directory structure design. The article delves into the directory structures of Unix V4 and earlier, explaining the reasons behind the filename length evolution and how 16-byte directory entries better fit 512-byte disk blocks. It also touches upon the limited number of inodes in early Unix, reflecting some of the hard-coded limitations of early systems.

Read more
(utcc.utoronto.ca)
Development

The Perils of Sorting IPv6 Addresses with Unix Tools

2025-05-19

This article delves into the challenges of sorting IPv6 addresses using standard Unix command-line tools like 'sort'. The complexities arise from IPv6's hexadecimal representation, missing leading zeros, and the '::' shorthand notation. The author argues that a straightforward solution requires transforming IPv6 addresses into their full, expanded form or employing a programming language like Perl or Python for effective sorting, as existing Unix utilities are ill-equipped to handle the nuances of IPv6 address formatting directly.

Read more
(utcc.utoronto.ca)
Development sorting Unix command line

Single-Process Architecture: A Graceful Solution for Modern Web Development

2025-04-21

While updating his blog's software, the author found a single-process architecture to be simpler than his CGI-based approach for handling the complexities of the modern web. A single process allows easy access to shared state, simplifying tasks like detecting malicious traffic, rate-limiting requests, and implementing caching. While memory and CPU usage are concerns, the ease of implementation makes a single-process architecture advantageous when dealing with various forms of abuse, especially those that are unforeseen. The author believes that as web abuse increases, single-process architectures will become increasingly important.

Read more
(utcc.utoronto.ca)
Development single-process architecture

ZFS Compression Paradox: Logical vs. Physical Blocks

2025-04-17

A 256KB zero file created with `dd` on a ZFS filesystem with compression enabled exhibits a puzzling behavior: `ls -l` shows its size as 256KB, but `ls -s` and `ls -slh` show a much smaller size, almost zero. This is due to ZFS's efficient compression resulting in a minimal number of physical blocks. The article explores three ways to measure file size: logical size (in bytes), physical block count, and logical block count. It points out that the POSIX `st_blocks` field doesn't specify which size to report, leading to potential changes in `st_blocks` value when moving files between filesystems, and even potential file size expansion exceeding the capacity of the new filesystem.

Read more
(utcc.utoronto.ca)
Development

A Personal Approach to Unix Package Management

2025-04-13

The author shares a clever method for managing personal software packages on Unix systems. They use a `~/lib/` directory tree to store software for different architectures, with each program installed in a separate, versioned subdirectory (e.g., `emacs-30.1`). A `~/bin/bin.` directory contains symbolic links or wrapper scripts pointing to these programs, allowing easy switching between versions. For tools like pipx and Cargo, the author keeps their default installation locations but creates links in `~/bin/bin.` to avoid path conflicts. This setup isn't perfect, but it's very useful for managing software unavailable through the system's package manager or that is too old.

Read more
(utcc.utoronto.ca)
Development software management

Mysterious SSH Password Disable Bug on Ubuntu 24.04

2025-04-06

Disabling SSH password access over the internet while allowing it on the local LAN on an Ubuntu 24.04 server seemed straightforward using sshd_config. However, a custom configuration file in /etc/ssh/sshd_config.d/ was ignored after restarting the SSH daemon. The culprit was sshd_config's 'first-come, first-served' configuration rule, and a system-generated '50-cloud-init.conf' file containing 'PasswordAuthentication yes', which loaded before the custom file. Renaming the custom configuration file to '10-no-passwords.conf' solved the problem by ensuring it loaded first.

Read more
(utcc.utoronto.ca)
Development Server Configuration

Overprovisioning Fiber: Better Safe Than Sorry

2025-03-25

When planning fiber cabling between rooms or buildings, err on the side of caution and install more fiber than you initially need. Future expansion, bandwidth upgrades, and new protocols all demand extra capacity. Furthermore, fiber failures do happen—sometimes inexplicably—and having spare pairs allows for quick recovery. While single-mode and multi-mode fibers have different applications, having sufficient redundancy is crucial for minimizing downtime and costs.

Read more
(utcc.utoronto.ca)
Hardware fiber cabling network infrastructure redundancy

Loki's Structured Metadata: A Logistical Nightmare

2025-03-19

Grafana Loki, often touted as 'Prometheus for logs,' initially adopted a data model similar to Prometheus. However, this proved disastrous for system logs (syslog or systemd journal). Unlike Prometheus, Loki stores each label value set separately and lacks log compaction, leading to cardinality explosions. To address this, Loki introduced 'structured metadata,' but as of version 3.0.0, it remains underdeveloped. Structured metadata labels aren't treated as regular Loki labels, requiring different query syntax. Migration from existing labels is complex and potentially catastrophic, with the risk of unintentionally creating high-cardinality labels. Upgrading requires caution, migrating existing data is incredibly expensive, and careful consideration is crucial before using it in new projects.

Read more
(utcc.utoronto.ca)
Development system logs

JSON: A Pragmatic Choice for Machine-Readable Output on Unix

2025-02-24

The author advocates for using JSON as the machine-readable output format, based on their experience deleting emails from a Postfix mail queue. While not perfect, JSON offers several practical advantages on Unix systems: clarity, broad compatibility, extensive tool support, and easy conversion to other formats. For new programs, the author suggests that using only JSON is the simplest approach, avoiding the complexities of designing custom formats and promoting interoperability between Unix programs.

Read more
(utcc.utoronto.ca)
Development Machine-readable output

Hidden Cache Hogs: Why Your Disk Space Is Vanishing

2025-02-08

Many Unix programs cache data in hidden `.cache` and `.local` directories, making it difficult for users to find and clear these large cache files that consume significant disk space. The author witnessed firsthand how graduate students in a shared fileserver environment were baffled by these hidden caches, with hundreds of GBs of disk space being unknowingly consumed. The article calls for developers to store caches in visible directories and suggests that disk space usage tools should explicitly show the contents of these hidden directories to aid in user disk space management.

Read more
(utcc.utoronto.ca)
Development cache management disk space unix programs

Sophisticated Phishing Attack Leverages VPN Access

2025-01-29

The University of Toronto's Computer Science department was hit by a highly sophisticated phishing attack. The attacker spoofed a departmental email address, successfully phishing a user's password. Alarmingly, the attacker used the stolen credentials to quickly register the user for the department's VPN, then used the internal-only SMTP gateway to send spam. This demonstrates pre-attack reconnaissance of the target's VPN and email environment, highlighting increasingly advanced attack techniques and the need for robust cybersecurity defenses.

Read more
(utcc.utoronto.ca)
Tech VPN exploitation

Disabling Password Authentication for Internet-Facing SSH: Security Boost or Overkill?

2025-01-18

This article weighs the pros and cons of disabling password authentication for internet-facing SSH. While strong passwords offer protection against brute-force attacks, the author argues that disabling password authentication provides extra layers of security against stolen credentials, SSH server vulnerabilities, and attacks targeting default accounts. However, this also introduces inconvenience, such as the inability to log in without a keypair. The author suggests a careful consideration of the trade-offs based on individual circumstances.

Read more
(utcc.utoronto.ca)
Development SSH security password authentication

/etc/glob: The Untold Story of Early Unix Shell Globbing

2025-01-13

This article delves into the history and function of `/etc/glob` in early Unix systems. Before the V7 Bourne Shell, Unix shell globbing wasn't handled by the shell itself but delegated to the external program `/etc/glob`. `/etc/glob` received the command and arguments, expanded wildcards, and then executed the command. The article details how `/etc/glob` worked across different Unix versions, including handling escaped characters and the rationale behind using an external program—likely due to resource constraints in early systems.

Read more
(utcc.utoronto.ca)
Development Unix history Globbing

WireGuard Setup Complexity: A Guide from Simple to Advanced

2025-01-05

This blog post explores various WireGuard setup complexities, ranging from the simplest, with completely isolated internal IP address spaces, to the most challenging 'VPN' setup where some endpoints are accessible both inside and outside the WireGuard tunnel. The author details the difficulty and potential issues of each setup, such as routing conflicts and recursive routing. The article stresses the importance of upfront planning and suggests opting for simpler configurations to avoid complex routing when designing a WireGuard environment.

Read more
(utcc.utoronto.ca)
Development Network Configuration

Potential Issue with zpool import/export in Linux OpenZFS

2024-12-26

A potential issue exists in Linux OpenZFS versions (as of 2.3.0) regarding importing and exporting ZFS pools. Even if no filesystems within a ZFS pool have the 'sharenfs' property set, `zpool import` and `zpool export` still run `exportfs -ra`. This can wipe out manually added or modified NFS exports, impacting environments like high-availability systems using custom NFS export configurations. The problem stems from OpenZFS blindly executing `exportfs -ra`, regardless of whether NFS exports need changing.

Read more
(utcc.utoronto.ca)
Development

Server Reboot Failure: Cool-Down Reboot Solves Kernel Crash

2024-12-25

The author encountered two identical servers experiencing kernel crashes that couldn't be resolved by a simple reboot. During the crash, the servers printed a series of machine check exception errors during the system firmware stage, pointing to CPU hardware issues. A cool-down period of a few minutes after powering off, followed by a reboot, resolved the problem. This demonstrates that even a brief power interruption may not fully reset certain x86 system components, requiring a cool-down period for complete recovery.

Read more
(utcc.utoronto.ca)
Tech server failure kernel crash hardware issue

A Decade-Old Fileserver's Second Life: Cost-Effective Storage Solution

2024-12-17

A company is still running a production machine, a fileserver over a decade old. While outdated, with a BMC requiring Java for KVM-over-IP, its 16 disk bays and 10G Ethernet ports make it ideal for repurposing. Used as a bring-your-own-disk low-cost storage server, it fulfills the need for high-capacity, low-performance storage despite its age and limited RAM. This highlights the value of reusing old hardware when requirements align.

Read more
(utcc.utoronto.ca)
Tech server reuse storage solution hardware cost
← Previous 1