this post was submitted on 15 Jan 2025
29 points (96.8% liked)

Programming

17984 readers
141 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities !webdev@programming.dev

founded 2 years ago
MODERATORS
snowe@programming.dev
Ategon@programming.dev
MaungaHikoi@lemmy.nz
29
Am I crazy in thinking that bash is good enough for production? (lemm.ee)
submitted 2 weeks ago by Badland9085@lemm.ee to c/programming@programming.dev
125 comments fedilink hide all child comments
 

This may make some people pull their hair out, but I’d love to hear some arguments. I’ve had the impression that people really don’t like bash, not from here, but just from people I’ve worked with.

There was a task at work where we wanted something that’ll run on a regular basis, and doesn’t do anything complex aside from reading from the database and sending the output to some web API. Pretty common these days.

I can’t think of a simpler scripting language to use than bash. Here are my reasons:

  • Reading from the environment is easy, and so is falling back to some value; just do ${VAR:-fallback}; no need to write another if-statement to check for nullity. Wanna check if a variable’s set to something expected? if [[ <test goes here> ]]; then <handle>; fi
  • Reading from arguments is also straightforward; instead of a import os; os.args[1] in Python, you just do $1.
  • Sending a file via HTTP as part of an application/x-www-form-urlencoded request is super easy with curl. In most programming languages, you’d have to manually open the file, read them into bytes, before putting it into your request for the http library that you need to import. curl already does all that.
  • Need to read from a curl response and it’s JSON? Reach for jq.
  • Instead of having to set up a connection object/instance to your database, give sqlite, psql, duckdb or whichever cli db client a connection string with your query and be on your way.
  • Shipping is… fairly easy? Especially if docker is common in your infrastructure. Pull Ubuntu or debian or alpine, install your dependencies through the package manager, and you’re good to go. If you stay within Linux and don’t have to deal with differences in bash and core utilities between different OSes (looking at you macOS), and assuming you tried to not to do anything too crazy and bring in necessary dependencies in the form of calling them, it should be fairly portable.

Sure, there can be security vulnerability concerns, but you’d still have to deal with the same problems with your Pythons your Rubies etc.

For most bash gotchas, shellcheck does a great job at warning you about them, and telling how to address those gotchas.

There are probably a bunch of other considerations but I can’t think of them off the top of my head, but I’ve addressed a bunch before.

So what’s the dealeo? What am I missing that may not actually be addressable?

top 50 comments
sorted by: hot top controversial new old
[–] ProbablyKaffe@lemmygrad.ml 1 points 6 days ago

Using python makes it much easier to maintain scripts especially if they are useful for many people. I like bash for adhoc stuff on my machine or my sandbox, but most of my coworkers are not strong in it so it's not good for prod ops.

[–] vext01@lemmy.sdf.org 26 points 2 weeks ago

Honestly, if a script grows to more than a few tens of lines I'm off to a different scripting language because I've written enough shell script to know that it's hard to get right.

Shellcheck is great, but what's greater is a language that doesn't have as many gotchas from the get go.

[–] ShawiniganHandshake@sh.itjust.works 19 points 2 weeks ago (2 children)

I've worked in bash. I've written tools in bash that ended up having a significant lifetime.

Personally, you lost me at

reading from the database

Database drivers exist for a reason. Shelling out to a database cli interface is full of potential pitfalls that don't exist in any language with a programmatic interface to the database. Dealing with query parameterization in bash sounds un-fun and that's table stakes, security-wise.

Same with making web API calls. Error handling in particular is going to require a lot of boilerplate code that you would get mostly for free in languages like Python or Ruby or Go, especially if there's an existing library that wraps the API you want to use in native language constructs.

load more comments (2 replies)
[–] zygo_histo_morpheus@programming.dev 18 points 2 weeks ago (2 children)

One thing that I don't think anyone else has mentioned is data structures. Bash does have arrays and hashmaps at least but I've found that working with them is significantly more awkward than in e.g. python. This is one of several reasons for why bash doesn't scale up well, but sure for small enough scripts it can be fine (if you don't care about windows)

[–] syklemil@discuss.tchncs.de 6 points 2 weeks ago (2 children)

I think I mentioned it, but inverse: The only data type I'm comfortable with in bash are simple string scalars; plus some simple integer handling I suppose. Once I have to think about stuff like "${foo[@]}" and the like I feel like I should've switched languages already.

Plus I rarely actually want arrays, it's way more likely I want something in the shape of

@dataclass(frozen=True)
class Foo:
    # …

foos: set[Foo] = …
load more comments (2 replies)
[–] Badland9085@lemm.ee 3 points 2 weeks ago

That’s definitely worth mentioning indeed. Bash variables, aside from arrays and hashmaps that you get with declare, are just strings. Any time you need to start capturing a group of data and do stuff with them, it’s a sign to move on. But there are many many times where that’s unnecessary.

[–] Die4Ever@programming.dev 15 points 2 weeks ago (1 children)

I just don't think bash is good for maintaining the code, debugging, growing the code over time, adding automated tests, or exception handling

[–] Badland9085@lemm.ee 5 points 2 weeks ago (2 children)

If you need anything that complex and that it’s critical for, say, customers, or people doing things directly for customers, you probably shouldn’t use bash. Anything that needs to grow? Definitely not bash. I’m not saying bash is what you should use if you want it to grow into, say, a web server, but that it’s good enough for small tasks that you don’t expect to grow in complexity.

[–] MajorHavoc@programming.dev 8 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

it’s (bash) good enough for small tasks that you don’t expect to grow in complexity.

I don't think you'll get a lot of disagreement on that, here. As mention elsewhere, my team prefers bash for simple use cases (and as their bash-hating boss, I support and agree with how and when they use bash.)

But a bunch of us draw the line at database access.

Any database is going to throw a lot of weird shit at the bash script.

So, to me, a bash script has grown to unacceptable complexity on the first day that it accesses a database.

[–] Grtz78@feddit.org 2 points 2 weeks ago (3 children)

We have dozens of bash scripts running table cleanups and maintenece tasks on the db. In the last 20 years these scripts where more stable than the database itself (oracle -> mysql -> postgres).

But in all fairness they just call the cliclient with the appropiate sql and check for the response code, generating a trap.

load more comments (3 replies)
[–] EfreetSK@lemmy.world 4 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

small tasks that you don’t expect to grow in complexity

On one conference I heard saying: "There is no such thing as temporary solution and there is no such thing as proof of concept". It's an overexaguration of course but it has some truth to it - there's a high chance that your "small change" or PoC will be used for the next 20 years so write it as robust and resilient as possible and document it. In other words everything will be extended, everything will be maintained, everything will change hands.

So to your point - is bash production ready? Well, depends. Do you have it in git? Is it part of some automation pipeline? Is it properly documented? Do you by chance have some tests for it? Then yes, it's production ready.

If you just "write this quick script and run it in cron" then no. Because in 10 years people will pull their hair screaming "what the hell is hapenning?!"

Edit: or worse, they'll scream it during the next incident that'll happen at 2 AM on Sunday

load more comments (1 replies)
[–] FizzyOrange@programming.dev 13 points 2 weeks ago (8 children)

I'm afraid your colleagues are completely right and you are wrong, but it sounds like you genuinely are curious so I'll try to answer.

I think the fundamental thing you're forgetting is robustness. Yes Bash is convenient for making something that works once, in the same way that duct tape is convenient for fixes that work for a bit. But for production use you want something reliable and robust that is going to work all the time.

I suspect you just haven't used Bash enough to hit some of the many many footguns. Or maybe when you did hit them you thought "oops I made a mistake", rather than "this is dumb; I wouldn't have had this issue in a proper programming language".

The main footguns are:

  1. Quoting. Trust me you've got this wrong even with shellcheck. I have too. That's not a criticism. It's basically impossible to get quoting completely right in any vaguely complex Bash script.
  2. Error handling. Sure you can set -e, but then that breaks pipelines and conditionals, and you end up with really monstrous pipelines full of pipefail noise. It's also extremely easy to forget set -e.
  3. General robustness. Bash silently does the wrong thing a lot.

instead of a import os; os.args[1] in Python, you just do $1

No. If it's missing $1 will silently become an empty string. os.args[1] will throw an error. Much more robust.

Sure, there can be security vulnerability concerns, but you’d still have to deal with the same problems with your Pythons your Rubies etc.

Absolutely not. Python is strongly typed, and even statically typed if you want. Light years ahead of Bash's mess. Quoting is pretty easy to get right in Python.

I actually started keeping a list of bugs at work that were caused directly by people using Bash. I'll dig it out tomorrow and give you some real world examples.

[–] JamonBear@sh.itjust.works 7 points 2 weeks ago (3 children)

Agreed.

Also gtfobins is a great resource in addition to shellcheck to try to make secure scripts.

For instance I felt upon a script like this recently:

#!/bin/bash
# ... some stuff ...
tar -caf archive.tar.bz2 "$@"

Quotes are OK, shellcheck is happy, but, according to gtfobins, you can abuse tar, so running the script like this: ./test.sh /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh ends up spawning an interactive shell...

So you can add up binaries insanity on top of bash's mess.

[–] lurklurk@lemmy.world 2 points 2 weeks ago

I imagine adding -- so it becomes tar -caf archive.tar.bz2 -- "$@" would fix that specific case

But yeah, putting bash in a position where it has more rights than the user providing the input is a really bad idea

load more comments (2 replies)
load more comments (7 replies)
[–] melezhik@programming.dev 13 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

We are not taking about use of Bash in dev vs use Bash in production. This is imho incorrect question that skirts around the real problem in software development. We talk about use of Bash for simple enough tasks where code is rarely changed ( if not written once and thrown away ) and where every primitive language or DSL is ok, where when it comes to building of medium or complex size software systems where decomposition, complex data structures support, unit tests, error handling, concurrency, etc is a big of a deal - Bash really sucks because it does not allow one to deal with scaling challenges, by scaling I mean where you need rapidly change huge code base according changes of requirements and still maintain good quality of entire code. Bash is just not designed for that.

[–] Badland9085@lemm.ee 6 points 2 weeks ago (2 children)

But not everything needs to scale, at least, if you don’t buy into the doctrine that everything has to be designed and written to live forever. If robust, scalable solutions is the nature of your work and there’s nothing else that can exist, then yeah, Bash likely have no place in that world. If you need any kind of handling more complicated than just getting an error and doing something else, then Bash is not it.

Just because Bash isn’t designed for something you want to do, doesn’t mean it sucks. It’s just not the right tool. Just because you don’t practice law, doesn’t mean you suck; you just don’t do law. You can say that you suck at law though.

[–] tleb@lemmy.ca 9 points 2 weeks ago

If your company ever has >2 people, it will become a problem.

[–] melezhik@programming.dev 5 points 2 weeks ago* (last edited 2 weeks ago)

Yep. Like said - "We talk about use of Bash for simple enough tasks ... where every primitive language or DSL is ok", so Bash does not suck in general and I myself use it a lot in proper domains, but I just do not use it for tasks / domains with complexity ( in all senses, including, but not limited to team work ) growing over time ...

[–] jollyroberts@jolly-piefed.jomandoa.net 9 points 2 weeks ago

"Use the best tool for the job, that the person doing the job is best at." That's my approach.

I will use bash or python dart or whatever the project uses.

[–] furrowsofar@beehaw.org 9 points 2 weeks ago (1 children)

Just make certain the robustness issues of bash do not have security implications. Variable, shell, and path evalutions can have security issues depending on the situation.

[–] Badland9085@lemm.ee 2 points 2 weeks ago (1 children)

Certainly so. The same applies to any languages we choose, no?

[–] furrowsofar@beehaw.org 9 points 2 weeks ago* (last edited 2 weeks ago) (3 children)

Bash is especially suseptable. Bash was intended to be used only in a secure environment including all the inputs and data that is processed and including all the proccess on the system containing the bash process in question for that matter. Bash and the shell have a large attack surface. This is not true for most other languages. It is also why SUID programs for example should never call the shell. Too many escape options.

load more comments (3 replies)
[–] synae@lemmy.sdf.org 5 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

As I've matured in my career, I write more and more bash. It is absolutely appropriate for production in the right scenarios. Just make sure the people who might have to maintain it in the future won't come knocking down your door with torches and pitchforks...

[–] Badland9085@lemm.ee 2 points 2 weeks ago

That’s my take on the use of bash too. If it’s something that people think it’s worth bring their pitchforks out for, then it’s something you should probably not write in bash.

[–] syklemil@discuss.tchncs.de 4 points 2 weeks ago (3 children)

At the level you're describing it's fine. Preferably use shellcheck and set -euo pipefail to make it more normal.

But once I have any of:

  • nested control structures, or
  • multiple functions, or
  • have to think about handling anything else than simple strings that other programs manipulate (including thinking about bash arrays or IFS), or
  • bash scoping,
  • producing my own formatted logs at different log levels,

I'm on to Python or something else. It's better to get off bash before you have to juggle complexity in it.

[–] 0x0@lemmy.dbzer0.com 3 points 2 weeks ago

If you're writing a lot of shell scripts and checking them with Shellcheck, and you're still convinced that it's totally safe... I tip my hat to you.

[–] sabin@lemmy.world 2 points 2 weeks ago

Set don't forget set -E as well to exit on failed subshells.

[–] vext01@lemmy.sdf.org 2 points 2 weeks ago (2 children)

-e is great until there's a command that you want to allow to fail in some scenario.

I know OP is talking about bash specifically but pipefail isn't portable and I'm not always on a system with bash installed.

load more comments (2 replies)
[–] toynbee@lemmy.world 3 points 2 weeks ago

Over the last ten - fifteen years, I've written lots of scripts for production in bash. They've all served their purposes (after thorough testing) and not failed. Pretty sure one of my oldest (and biggest) is called temporary_fixes.sh and is still in use today. Another one (admittedly not in production) was partially responsible for getting me my current job, I guess because the interviewers wanted to see what kind of person would solve a coding challenge in bash.

However, I would generally agree that - while bash is good for many things and perhaps even "good enough" - any moderately complex problem is probably better solved using a different language.

[–] MITM0@lemmy.world 3 points 2 weeks ago (1 children)

Well then you guys will love what this guy (by tha name "icitry") did with bash https://www.youtube.com/watch?v=b_WGoPaNPMY

He created a youtube clone with Bash

[–] Badland9085@lemm.ee 3 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

That is definitely not something I would do… for work (totally not implying that I miiiight do it outside of work for shits and giggles :P).

I didn’t create this post trying to be like “y’all should just use Bash”, nor is it an attempt to say that I like Bash, but I guess that’s how people boil others down to these days. Fanatics only. Normalcy is dead. (I’m exaggerating ofc)

[–] MITM0@lemmy.world 2 points 2 weeks ago

Basically, If you are crazy enough, you csn make anything with any language Hence, me sharing the video

[–] MajorHavoc@programming.dev 2 points 2 weeks ago* (last edited 2 weeks ago) (8 children)

A few responses for you:

  • I deeply despise bash (edit: this was hyperbole. I also deeply appreciate bash, as is appropriate for something that has made my life better for free!). That Linux shell defaults settled on it is an embarrassment to the entire open source community. (Edit: but Lexers and Parsers are hard! You don't see me fixing it, so yes, I'll give it a break. I still have to be discerning for production use, of course.)
  • Yes, Bash is good enough for production. It is the world's current default shell. As long as we avoid it's fancier features (which all suck for production use), a quick bash script is often the most reasonable choice.
  • For the love of all that is holy, put your own personal phone number and no one else's in the script, if you choose to use bash to access a datatbase. There's thousands of routine ways that database access can hiccup, and bash is suitable to help you diagnose approximately 0% of them.
  • If I found out a colleague had used bash for database access in a context that I would be expected to co-maintain, I would start by plotting their demise, and then talk myself down to having a severe conversation with them - after I changed it immediately to something else, in production, ignoring all change protocols. (Invoking emergency change protocols.)

Edit: I can't even respond to the security concerns aspect of this. Choice of security tool affects the quality of protection. In this unfortunate analogy, Bash is "the pull out method". Don't do that anywhere that it matters, or anywhere that one can be fired for security violations.

(Edit 2: Others have mentioned invoking SQL DB cleanup scripts from bash. I have no problem with that. Letting bash or cron tell the DB and a static bit of SQL to do their usual thing has been fine for me, as well. The nightmare scenario I was imagining was bash gathering various inputs to the SQL and then invoking them. I've had that pattern blow up in my face, and had a devil of a time putting together what went wrong. It also comes with security concerns, as bash is normally a completely trusted running environment, and database input often come from untrusted sources.)

[–] NegativeLookBehind@lemmy.world 3 points 2 weeks ago (3 children)

Why internet man hate Bash? Bash do many thing. Make computer work.

load more comments (3 replies)
load more comments (7 replies)
[–] MonkderVierte@lemmy.ml 2 points 2 weeks ago* (last edited 2 weeks ago) (6 children)

Run checkbashisms over your $PATH (grep for #!/bin/sh). That's the problem with Bash.
#!/bin/sh is for POSIX compliant shell scripts only, use #!/bin/bash if you use bash syntax.

Btw, i quite like yash.

[–] Badland9085@lemm.ee 2 points 2 weeks ago

Always welcome a new shell. I’ve not heard of yash but I’ll check it out.

load more comments (5 replies)
[–] Ephera@lemmy.ml 2 points 2 weeks ago (3 children)

Wanna check if a variable’s set to something expected? if [[ <test goes here> ]]; then <handle>; fi

Hey, you can't just leave out "test goes here". That's worst part by a long shot.
The rest of the syntax, I will have to look up every time I try to write it, but at least I can mostly guess what it does when reading. The test syntax on the other hand is just impossible to read without looking it up.

I also don't actually know how to look that up for the double brackets, so that's fun. For the single bracket, it took me years to learn that that's actually a command and you can do man [ to view the documentation.

load more comments (3 replies)
[–] friend_of_satan@lemmy.world 2 points 2 weeks ago

Dude, pihole is bash.

https://github.com/pi-hole/pi-hole/blob/master/pihole

load more comments
view more: next ›