But what if you realize there’s no formatter set up for a project after it has already started? In this blog post, I’ll share my steps for addressing this issue, particularly for repositories where all branches are frequently rebased.

Step 0. Prioritize PR Merges

Given that applying a formatter will likely impact almost all files and potentially lead to merge conflicts, it’s advisable to merge pull requests before proceeding with the formatter implementation. This will minimize your (or your colleague’s) workload in later steps.

Step 1. Introduce the Formatter Config

We begin by adding the files containing your formatters’ config (like .editorconfig, .clang-format, etc.). Place a script in the root your repository – say, format_all.sh – that applies the formatter to all files. Your script might look something like this:

#!/bin/sh
# Script to format all the files in this repo in place.
# Your script will likely use a different formatter.
# This one uses find to find all c++ related files and then executes
#   clang-format -i {file}
# on each of them.


find . -regex '.*\.\(cpp\|hpp\|cc\|cxx\|c\|h\)' -exec clang-format -i {} \;

Don’t execute the formatter just yet! Add and commit the script and the formatter config files. Next, tag that commit for future reference (we’ll need it in step 3).

# Add ONLY the formatting files
git add .editorconfig .clang-format format_all.sh
git commit -m "clean: introduce formatter configuration"
git tag tmp/fmt-add-config # for future reference

Step 2: Apply the Formatter and Commit

In the root of your repository, run the format_all.sh script and commit the results.

./format_all.sh
git add --all
git commit -m "clean: format all the files"
git tag tmp/fmt-applied

Step 3. Fix all the branches

For each branch that couldn’t be merged earlier, follow these steps.

git rebase tmp/fmt-add-config
git filter-branch -f --tree-filter ./format_all.sh -- tmp/fmt-add-config~..HEAD
git rebase --empty=drop tmp/fmt-applied
git push --force-with-lease

I’ll break down these steps below.

Step 3.1 Rebase on the commit adding the formatter.

git rebase tmp/fmt-add-config

This makes the code in this branch as close as possible to the code you applied the formatter on (step 2). Additionally, this branch now also contains the formatter config and format_all.sh script.

It may be possible that you have some rebase conflicts here, but these are not related to applying the formatter. If you hit one of these, fix the conflict, git add the conflicting file and git rebase --continue.

Step 3.2: Apply the formatter on all the commits of this branch

Now, we will format all the files, to do this, we will use the wonderful git filter-branch, a program that edits the contents of the files at each commit.

git filter-branch -f \
  --tree-filter ./format_all.sh \
  -- \
  tmp/fmt-add-config~..HEAD

Filter branch will check out every commit between the one where we added the formatter config and where we are now (HEAD). At each commit it executes the ./format_all.sh script, which replaces all the file in the commit with their formatted counterparts.

Our current “tree filtered” branch, and the formatted main branch now only differ at those places where there were actually changes made.

The attentive reader may have noticed that this branch does not have our “format all the things” commit. However, on this branch the commit that introduced the formatter config has been rewritten to also include the formatting. In the next step we will paste these two histories together.

Step 3.3: Rebase on the formatted main branch

git rebase --empty=drop tmp/fmt-applied

Git will now apply our changes onto the commit that formatted all the files. In doing so, it will notice that the changes in the first commit of this branch are the same as the ones in the last commit of the main branch. It will skip this commit with the message:

dropping SOME SHA ... -- patch contents already upstream

Step 4: Push the changes (with gentle force)

git push --force-with-lease

As we have changed all the commits in this branch we cannot simply push. That would lead to the push being rejected with “failed to push some refs”. So instead we push with force and lease lock. The --force-with-lease differs from the simple --force in that it checks that the stuff you are forcefully pushing is only replacing commits you know of. If someone else pushed a commit since you last pushed, the push --force-with-lease will fail (which is what you should want).

Password-store is an application that uses PGP to keep your passwords (and other data) secure. You enter your secret data into a text file which pass then encrypts with your public PGP key and stores in a folder. You can also set up this folder as a git repository. If you do so pass will create a commit in for every change you make. By using pass git push you can then push your changes to other devices.

To automagically call pass git push after every commit we can create a post-commit hook to trigger an action at the right moment. Because pass makes a commit for every change, this means that we can call a program after every edit.

To do this, create a file .git/hooks/post-commit in your password store and set its content to:

#!/bin/sh
set -x
git pull --rebase # get edits by other devices
git push          # send the latest commit

We use git here, instead of pass git, because hooks always execute in the root of the password store repository. To make it more likely that the hook succeeds, we pull in remote changes first. Thanks to the set -x we ensure that no push will occur if the pull failed.

Use git -C to set a working directory

Existing pass users may have noticed that pass git acts like git in the password store, even when working elsewhere in the filesystem. How can pass git do that? Well, it can first cd into that directory and then execute the git actions. So basically:

cd "/path/to/folder/"
git $@

We can also accomplish the same with git -C, like how pass does it internally. The following is equivalent¹ to the previous block of code:

git -C "/path/to/folder/" $@

Bonus: GIT_DIR and GIT_WORK_TREE

We can also combine the GIT_WORK_TREE and GIT_DIR environment variables to achieve the same result:

• GIT_DIR specifies the location of the .git directory of the repository want to interact with
• GIT_WORK_TREE contains the path to the root of the repository (that is not bare)

So, the following command stages /path/to/folder/file in the git repository in /path/to/folder no mater where we are in the filesystem.

GIT_DIR="/path/to/folder/.git" GIT_WORK_TREE="/path/to/folder" git add file

If we only want to inspect the history, GIT_DIR will suffice. As an example, the following will act like git log executed in /path/to/folder/:

GIT_DIR="/path/to/folder/.git" git log

Although these environment variables look cool, they are also non-trivial. If you want to carry out more than one action on a repository, and don’t need stuff from other places it might be best to just cd into the right directory or use git -C. Combining these environment variables with -C can lead to unexpected results as the environment variables GIT_DIR and GIT_WORK_TREE will be interpreted relative to the path given to -C. If you are using git in a script that may be used in bizarre environments, you should clear these environment variables like pass does:

unset GIT_DIR GIT_WORK_TREE GIT_NAMESPACE GIT_INDEX_FILE GIT_INDEX_VERSION GIT_OBJECT_DIRECTORY GIT_COMMON_DIR

Final notes

The approach laid out here to push changes does not poll the remote repository for incoming changes. I personally do not need that, because I can just pass git pull whenever a login fails. I almost always have internet when trying to log in to places, and thanks to the post-commit hook, the latest passwords are always in the remote.

Sources

• The source code of pass
• A chapter in the gitbook on Git’s Environment Variables
• manual page on githooks (also man githooks)

Step 1: Setting up ZFS

First, we’ll need to get the ZFS tools installed:

sudo apt install zfsutils-linux

Then, we make a pool called rpool representing the whole vdev, and we add a dataset named rpool/backup that used lz4 compression. The command below is for a single disk. If you have multiple disks, you may want to make a mirror vdev (like I will probably do after Covid-19). Lookup what configuration will work best for you. There is a more elaborate tutorial on how to set up a ZFS pool on the ubuntu website.

sudo zpool create -f -o ashift=12 -O  acltype=posixacl -O xattr=sa rpool "$DISK_ID"
sudo zfs create rpool/backup
sudo zfs set compression=lz4 rpool/backup

Step 2: Put the Pi’s SSH key on the remote server

We will pull in snapshots over SSH. To this end, we add the SSH key of the root user on the pi to the root user’s authorized keys file on the remote server.

Note that we do not do it the other way around, we want our backup server to reach out to the remote server and pull in snapshots. We do not want the remote server to push snapshots to the pi, because if this server gets compromised it should not have access the backup server (to wipe it).

It is advised to always pull from the backup server, and ensure that you harden the backup server’s security: only accessible over VPN, the bare minimum of running services, ….

Step 3: Install Syncoid

To pull in snapshots from the remote machine, we will use Syncoid. This is a tool bundled with the policy-driven ZFS snapshot management package Sanoid. To install it, use:

sudo apt install sanoid

Syncoid facilitates incremental replication of ZFS datasets.

Example with one dataset

#             ___________ source ___________   _______target ______
sudo syncoid root@remote:rpool/data/mydataset rpool/backup/mydataset

1. The above snippet creates a snapshot named “syncoid_ubuntu_YYYY-MM-DD-HH:MM:SS” for rpool/data/mydataset on the remote server.
2. Rolls back rpool/backup/mydataset to the latest common snapshot between the target and the source.
3. Incrementally receives that “syncoid_ubuntu_YYYY-MM-DD-HH:MM:SS” snapshot and all earlier snapshots to our target rpool/backup/mydataset dataset (the pi4).
4. Removes older “syncoid_ubuntu_YYYY-MM-DD-HH:MM:SS”-like snapshots on both the source and the target (keeping the latest one).

Working with multiple datasets recursively

We want Syncoid to incrementally receive all the snapshots for all datasets under /rpool/data on the remote machine to /rpool/data on the pi. To do this we use:

sudo syncoid -R --skip-parent --no-rollback root@remote:rpool/data rpool/backup

Let’s go over the flags:

• -R indicates that we want to recursively visit all datasets under root@remote:rpool/data
• --skip-parent ensures that we do not receive root@remote:rpool/data itself (I don’t have anything in there)
• --no-rollback prevents Syncoid from rolling back snapshots on the target machine (the pi).

The --no-rollback flag ensures that Syncoid does not delete snapshots but only adds them. If you mess with the snapshots on your remote machine (e.g. by doing a rollback), ZFS receive will not be able to receive the latest snapshot. Syncoid will continue with the other datasets and then exit with exit code 2. To still get the changes regardless, you can remove this flag, then Syncoid will look for the latest common snapshot, and it will roll back target to that snapshot and then do the receive.

Because this is a backup system, we do not want to roll back in case an adversary rolls back the ZFS filesystem on our server.

Step 4: Automate and monitor

To not forget to run Syncoid, we will use a SystemD timer. As a general rule you should ensure that you monitor your automated backups actively, If you don’t and something silently goes wrong, you will not notice it until it is too late. Have your monitoring service constantly check the freshness of your backups (active). Do not only rely on the backup server to send you mail when something went wrong (passive monitoring).

Create a file /opt/syncoid-pull/syncoid-pull owned by root and only writeable and executable by root that calls syncoid and sends off metrics for monitoring:

#!/usr/bin/env bash
set -xeuo pipefail # failfast and be verbose

syncoid -R --skip-parent --no-rollback --debug root@remote:rpool/data rpool/backup

zfs list -Hpo creation,name,used -t snapshot -r rpool/backup -s creation |\
    sed 's:\t\([^@]*\)@:\t\1\t:' |\
    column -J --table-columns creation,dataset,name,size -s $'\t' --table-name 'snapshots' |\
    ssh  root@remote 'cat > /var/www/status/backups.json'

The last command in this file sends a JSON of snapshots to a file on the remote machine to be monitored. Replace the last line with something that interacts with your monitoring system.

Automate a call to the script above during the off-peak hour with these SystemD unit and timer files:

/etc/systemd/system/syncoid-pull.service:

[Unit]
Description=syncoid pull
Requires=local-fs.target
After=local-fs.target

[Service]
Type=oneshot
ExecStart=/opt/syncoid-pull/syncoid-pull
WorkingDirectory=/opt/syncoid-pull/

/etc/systemd/system/syncoid-pull.timer:

[Unit]
Description=syncoid pull every night

[Timer]
OnCalendar=04:37:41
Persistent=true

[Install]
WantedBy=timers.target

sudo systemctl enable syncoid-pull.timer && sudo systemctl start syncoid-pull.timer

Extra: Delete old snapshots

To preserve some space on the pi, I want to remove snapshots older than 2 months automatically. To do this, I added the equivalent of the following snippet to my syncoid-pull script.

now=$(date +%s)
zfs list -Hpo creation,name -t snapshot -r rpool/backup \
    | grep $'\t''rpool/backup/[^@]*@zfs-auto-snap_' \
    | tac \
    | while read -r creation snapshot; do
        if (( ( $now - $creation ) > 60 * 60 * 24 * 30 * 2 )); then
            zfs destroy $snapshot;
        fi;
      done

It finds all snapshots in rpool/backup and deletes them once they reach teh age of two months. The tac reverses the list which makes it faster. This action should be performed before sending the list of snapshots to monitoring.

Other tips and tricks

• Attach a M.2 SATA SSD to USB 3.0 External SSD enclosure to your pi.
• Do regular ZFS scrubs (zpool scrub rpool) to check the health of your pool and send the health status to monitoring.
• Use logcheck to send mails to you when a service fails.
• Don’t boot your Pi from the SD card

Suppose we wanted to make a container called wasabi that hosts a simple HTTPD server. The configuration would look something like this:

  containers.wasabi = {
    ephemeral = true;
    autoStart = true;
    config = { config, pkgs, ... }: {
        services.httpd.enable = true;
        services.httpd.adminAddr = "foo@example.org";
        networking.firewall.allowedTCPPorts = [ 80 ];
    };
  };

After a nixos-rebuild switch, we will see that a new service is started container@wasabi. If we curl localhost then we will see that it works:

$ curl 'http://localhost'
<html><body><h1>It works!</h1></body></html>

$ systemctl status container@wasabi
● container@wasabi.service - Container 'wasabi'
     Loaded: loaded (/nix/store/...-unit-container-wasabi.service/container@wasabi.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2020-12-24 14:22:49 UTC; 1h 15min ago

The container punched a hole through the firewall of the host and allowed us to access the hosted content, even from other computers than our own. But how can we see the status of the HTTPD daemon? Running systemctl status httpd on our server will show us nothing.

$ systemctl status httpd
Unit httpd.service could not be found.

Logging in to the container

To see the HTTPD service, we need to log into the container with:

sudo nixos-container root-login wasabi

Once in there, we see that the HTTPD service is indeed running:

[root@wasabi:~]# systemctl status httpd
● httpd.service - Apache HTTPD
     Loaded: loaded (/nix/store/...-unit-httpd.service/httpd.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2020-12-24 14:22:49 UTC; 12min ago
     ...

We can also find the server logs in /var/logs/httpd directory in the container.

To preserve state or not to preserve state

By default, nix-containers are stateful, files you modify while logged in to your container will persist over restarts and updates of the container. Just like your document folder that remains untouched by nixos-rebuid. Files managed by nix cannot be modified as they are symlinked from the read only /nix/store shared by host and container. So don’t store secrets in the store if you don’t trust the container fully.

We can also ensure that a container starts “fresh” every time it is updated or reloaded. To do this we set containers.wasabi.ephemeral = true. My general recommendation for configuration management is that you want as less state in your containers as possible. This ensures that you can nix-rebuild on another host and still have everything working.

Mounts

But sometimes there is important state you want to keep: uploaded files, database contents and so on. How can we manage those? You can preserve data in a mount. For this example, let’s imagine that we want to preserve our HTTPD logs. To do this, we use the containers.<name>.bindMounts option:

    containers.wasabi.bindMounts = {
      "/var/log/httpd" = {
        hostPath = "/mnt/wasabiData/";
        isReadOnly = false;
      };
    };

The configuration above specifies that /var/log/httpd in the container should be linked to /mnt/wasabiData on the host (machine running the containers). For this to work the folders should exist and for HTTPD to have write privileges on the folder in the container we should declare the folders as follows, with systemd.tmpfiles (it’s a bad name, I know). In the config of the container (the body of the function in containers.wasabi.config), we must ensure that the /var/log/httpd directory is a directory (d) and that it is owned by user wwwrun (first one) and the group wwwrun (second one). The user and group must be set differently depending on the needs of your system, if you don’t set the user and group properly, HTTPD will not be allowed to write to the folder. The easiest way to find out what user and group you need is to log into the container before you set up the mount and find out the permissions with ls -l in the parent directory.

containers.wasabi = {
    ...
    config = { config, pkgs, ... }: {
       systemd.tmpfiles.rules = [
        "d /var/log/httpd 700 wwwrun wwwrun -"
       ];
       ...
    };
}

We must also ensure that /mnt/wasabiData/ exists on the host. Do not use tempfiles to achieve this, as this can cause confusing problems when you redeploy the system without modification to the container. In that case, the tempfiles on the host get executed, changing the permissions of the mounted directory in a way that may conflict with the configuration inside your container (your container will suddenly lose access to the data).

Data stored in mounted folders will be preserved even if the container is set to be ephemeral.

Networking and port forwarding

By default, declarative nix containers can use the network of the host. They can initiate connections to anywhere and listen on any port.

If you want to do any kind of port forwarding or reverse proxies you must set all of the following properties on your container

  containers.wasabi = {
    privateNetwork = true;
    hostAddress = "192.168.100.2"
    localAddress = "192.168.100.11";
  }

You may adjust the IP addresses to your liking. By setting privateNetwork to true, the containers network is decoupled from the hosts network. It gets its own virtual interface ve-wasabi. The container can not directly listen on ports on the host, and it cannot initiate connections to the outside world. The only connections it can have is to the host.

Give internet access

To allow our container to initiate connections to the public internet we need to set up network address translation (NAT). This will allow our containers to open non-privileged ports (> 1024) on the host to send and receive packets to the outside world. To do this, add the following to the host config. (with eth0 the name of your real network interface)

  networking.nat.enable = true;
  networking.nat.internalInterfaces = [ "ve-wasabi" ];
  networking.nat.externalInterface = "eth0";

You can add the names of all containers with privateNetwork set to true that need internet access. To allow access to the internet to all your containers with a private network you can set networking.nat.internalInterfaces = [ "ve-*" ];

Note: This only if the container needs to connect remote servers (like databases), it is not needed to reply to incoming traffic coming form, for example a reverse proxy service on the host.

Reverse proxies

Before you start remapping ports, it might be interesting to realize that this is not necessary for all applications. Consider that our host is a service that host various HTTP based services in the containers wasabi, sambal and tabasco. With IP addresses 192.168.100.11, 192.168.100.22 and 192.168.100.33. We can use a nginx instance with Let’s Encrypt certificates that allows us to dispatch incoming requests to the right container.

  security.acme.acceptTerms = true;
  security.acme.email = "letsencrypt@example.com";
  services.nginx = {
    enable = false;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    virtualHosts = {
      "wasabi.example.com" = {
        enableACME = true;
        forceSSL = true;
        locations."/".proxyPass = "http://192.168.100.11:80";
      };
      "samabal.example.com" = {
        enableACME = true;
        forceSSL = true;
        locations."/".proxyPass = "http://192.168.100.22:80";
      };
      "tabasco.example.com" = {
        enableACME = true;
        forceSSL = true;
        locations."/".proxyPass = "http://192.168.100.33:80";
      };
    };
  };

Tip: you might want to put the IP addresses in variables.

Real Port Forwarding

If you only have one HTTP host or if the solution above does not work for you, you can use real port forwarding. The example below forwards port 22 on the container to port 2222 on the host, and forwards port 80 on the container to 8080 on the host. The ports should be opened by both the container’s firewall and the hosts’ firewall.

  containers.wasabi.forwardPorts = [
    {
      containerPort = 22;
      hostPort = 2222;
      protocol = "tcp";
    }
    {
      containerPort = 80;
      hostPort = 8080;
      protocol = "tcp";
    }
  ];

Notes:

• Unfortunately, IPv6 forwarding is not supported (issue) yet.
• The loopback interface is explicitly excluded when forwarding ports. This means that we cannot curl localhost:8080 on the host but other devices on the network can curl myIP:8080.

Underpinnings

NixOS containers are based on systemd-nspawn, a fancy chroot in the systemd-container program.

If you run into trouble, it might be interesting to check out the man pages of the project systemd-nspawn (1) and systemd-nspawn (5) and ofcourse the systemd-nspawn page on ArchWiki.

Security

A quick online search for “systemd-nspawn security” will tell you that it is “not secure”. By default, NixOS containers are “privileged containers”, these are containers where the user id zero inside the container has the same meaning outside the container. With some tricks, the root user inside the container can escape the container. (This issue also affects docker and the likes).

There are two ways around this: 1) don’t run vulnerable programs in your container as root, 2) make the container unprivileged. Option 1) will probably work for you, but if not, I’ll briefly show you what option 2) entails.

Unprivileged containers

Luckily there is a dim ray of hope: We can drop the privileges of a container to a non-privileged user with nspawn’s -U option (set containers.wasabi.extraFlags = [ "-U" ];). This option ensures that the root user inside the container does not have UID 0 outside the container but rather something like 1815543862. This works, but there are a lot of downsides to this regarding communication with the host and the outside world:

• You cannot listen on ports below 1024 in the container, not even as root (but we can easily tell httpd to listen on 8080)
• bindMounts break because there is no way to change the permissions of the mount to the right thing, because root in the container is not allowed to alter the permissions.
• nixos-container root-login is not compatible with these kinds of permissions

But if you are OK with that, you should be fine.

Note: if you find a nice way to fix some of these problems, let me know, or even better open a PR adding a privileged option to the containers in nixpkgs.

Stripping capabilities

Another way to reduce the capabilities of a container is by using containers.wasabi.dropCapabilities to remove some capabilities assigned to the container by default. A list of capabilities can be found in the capabilities (7) manpage, the capabilities assigned by default can be found in the “security options” section of the systemd-nspawn (1) . This section also holds more tricks to be added with containers.wasabi.extraFlags.

Sources

• Runtimes And the Curse of the Privileged Container by Christian Brauner, June 18, 2019: An excellent read on container security
• The NixOS containers module implementaion
• systemd-nspawn on ArchWiki
• A lot of manpages

[Unit]
Description=Reverse SSH connection
After=network.target

[Service]
Type=simple
ExecStart=/usr/bin/ssh -i /home/root/.ssh/id_rsa -g -N -T -o "ExitOnForwardFailure yes" -R 22221:localhost:22  hole@YOURSERVER.TLD
Restart=always
RestartSec=30s

[Install]
WantedBy=default.target

Let’s pull that apart. The Unit part described when the unit should be run and its description. We need a network connection to SSH, so we run after we have that.

But the interesting part is the [Service], it diverges lightly from the version in the article I stole the idea from, this is because the SSH server on the remarkable is not OpenSSH but Dropbear. This SSH server is much smaller, ideal for embedded devices but it also has fewer functionalities: no ServerAliveInterval and no extra verbose mode. The argument we give tho ssh are:

• -i /home/root/.ssh/id_rsa specifying the identity file the reMarkable uses to identify itself to the remote server,
• -g permits the server the reMarkable is connecting to initiate connections back to the reMarkable,
• -N -T do not run a remote command and don’t even allocate a pseudo terminal (we don’t need that),
• -o "ExitOnForwardFailure yes" adds an option to the ssh connection to fail and exit if it was not able to establish the port forward.
• -R 22221:localhost:22 does the magic connecting port 22221 on the remote machine with port 22 on the reMarkable.
• hole@YOURSERVER.TLD the final argument specifies what host and username to connect to, here we connect to YOURSERVER.TLD as user hole.

Making this secure

An important security principle is that of the minimal privilege, the remarkable should only be allowed to open a specific port on our server and nothing else. To do this we will put restrictions on the what is allowed with the reMarkable provides.

Creating a SSH key on the reMarkable

Before we can set restrictions on a key, we need to create it. Because there is no openSSH on the reMarkable but dropbear, we need to use its key generator to make a key in /home/root/.ssh/id_rsa. The second line prints the public part of the key.

dropbearkey -f ./.ssh/id_rsa -t rsa -s 2048
dropbearkey -f ./.ssh/id_rsa -y

Making a dedicated hole user for port forwarding on the server

The remarkable only needs to open a port, and it should not be able to authenticate as one of the actual users on the server. So we create a hole user on the server that will only be used to manage forwarded ports. This user should be created as a system user without a login shell, but with a home directory:

useradd --system --create-home --shell /usr/bin/nologin hole

Now in the home directory of this user /home/hole we will need to make an autorised keys file /home/perforation/.ssh/authorized_keys with the following contents:

restrict,port-forwarding,permitopen="localhost:22221" ssh-rsa BCDAD5PscK...WgTp root@reMarkable

Where BCDAD5PscK...WgTp is replaced with the public key of remarkable. This file ensures that any connection authenticating with the given key will only be able to use portforwarding to listen on port 22221.

Making it convenient

With all this set up we can connect to our remarkable with a jump host. To make this more simple we can add this to our ssh config (~/.ssh/config).

Host remarkableTun
    Hostname localhost
    ProxyJump jumphost
    Port 22221
    User root

Host jumphost
    Hostname YOURSERVER.TLD
    User user

This configuration allows us to connect to the reMarkable with:

ssh remarkableTun

Extra tips and tricks

Getting the correct IP

Sending files to the remarkable can be slow over this SSH tunnel certainly if the server is not on the same network. We can use the following command to find out programmatically what IP address is assigned to the reMarkable. Then we can connect to it directly over the local network. Of course, this does not work if the remarkable is on a different network or a network that drops ssh packets on the local network.

ssh remarkableTun -- /sbin/ip addr | awk -F ' ' '$1 == "inet" && $7 == "wlan0" { print $2 }'

Alternative ports

If f your ssh server does not run on port 22 add -p PORTNUMBER to the end of the ExecStart

The ExecStart command to use when on OpenSSH

I just put this here for archival purposes if site I learned this from goes down.

ExecStart=/usr/bin/ssh -vvv -g -N -T -o "ServerAliveInterval 10" -o "ExitOnForwardFailure yes" -R 22221:localhost:22  hole@YOURSERVER.TLD

Luckily, you can define your own regexes to be placed at the top of a “hunk” by defining a xfuncname for the file type. The code snippet below show you how you can make likes starting with # (headers in markdown) become the header of the hunk, if the file is of type “md” for diffing according to git.

[diff "md"]
    xfuncname="^#.*"

You can put this in your ~/.gitconfig if you want it defined in all your repos, or you can specify it for one repo only in $repo/.git/config.

To let git know that files ending in .md are of diffing type “md” the following line should be added to your $repo/.gitattributes. If you don’t want to share this setting, put it in $repo/.git/info/attributes. Put it in $XDG_CONFIG_HOME/git/attributes (probably ~/.config/git/attributes) if you want it in all your repos.

*.md  diff=md

Learn more about this in the gitattribute documentation page (man gitattributes).

Example result

What was

...
@@ -274,7 +231,7 @@ this is some example prose text not much interesting here
except this line git shows you for context, but where is it located? Well,`git`
+shows the name of the section after the `@@`, because it understands markdown.
-does not understand how markdown works, so it's not very helpfull.

now becomes:

...
@@ -274,7 +231,7 @@ ## Getting `git` to understand markdown
except this line git shows you for context, but where is it located? Well,`git`
+shows the name of the section after the `@@`, because it understands markdown.
-does not understand how markdown works, so it's not very helpfull.

Bonus

Want to see the whole function/section that was edited using git? Use git diff --function-context or more cryptic:

git diff -W

#!/bin/sh
file="${1:-README.md}";

if [ -f "$file" ]; then
  pandoc -s -M header="$(basename "$file")" -f gfm -t man "$file" | man -l -
else
  echo "File could not be found."
fi

The code above transforms a markdown file into a manpage for easy reading in the terminal. Although markdown in itself is already readable in its pure raw format, this makes it even nicer.

As you can see Pandoc is doing all the work here, it is the tool converting the markdown into a manpage. Let’s go over the basic flags we gave it:

• -s asks for a “standalone” document,
• -f gfm tells Pandoc we want to convert from Github flavoured markdown (gfm) and
• -t man indicated that we want to get out a manpage.

There is one flag we did not discuss yet: -M header=.... This flag sets the value of the metadata field header to the filename of the file we are looking at. If we look at Pandocs default template for manpages, we see that the metadata field $header is used in the line starting with .TH.

.TH "$title/nowrap$" "$section/nowrap$" "$date/nowrap$" "$footer/nowrap$" "$header/nowrap$"

From the man page about the format of manpages (man man-pages 7) we learn that .TH can indeed take 5 arguments, namely:

.TH title section date source manual

By setting the headers we are in fact setting the name of the manual shown. This name is shown at the top centre of the manpage. For the curious, the following diagram shows where the other arguments end up.

title(section)       manual      title(section)

                      ...

source               date        title(section)

To complete the description of our script:

• To make man read from standard input we use the “local file” -l flag (see man man).
• To by default read README.md we use ${var:-default} to set a default value if $var is not set.
• We use if [ -f "$file" ] to check if the file is a regular file before we try converting.

Tip: save this script as mdread in your $PATH and read markdown files with mdread in your terminal.

This is how the output looks:

       iso, a val and a ref can be subtyped to a box or tag, but a val cannot become a ref

       nor can a ref become a val, finally a box can become a tag]



       Apart  from  using generic functions, you can also use subtyping to just throw away

       your capabilities:



              val myRefCar = consume myIsoCar



Receiver reference capabilities

       Reference capabilities are checked when you are trying to access the value  or  the

       fields  of  a variable.  If you have an iso variable you can read any of its iso or

       val fields.  All other types of fields are read as a tag.



       At first, that seems odd, you might be wondering "If I have an iso why can't I read

       its  ref  field?"  The  reason is that an iso must maintain the property that it is

       isolated and that there is thus no other alias that can read or write to that memo‐

       ry.  This includes its fields.  If you were able to make an alias to one on the ref

       fields of an iso variable, you could still read from and write to the internals  of

       the  iso  trough  the alias of this ref field even if you passed the iso to another

       actor.  The same holds for trn and box fields.  val Fields are  fine  because  they

       are immutable, and they are always safe to read.



       The following table summarizes the restrictions.  The row indicates your capability

       on an object, the column specifies the capability the  object  itself  has  on  the

       filed you are trying to access.  Because you can't read fields form a tag, that row

       only contains "n/a".



       ▷            iso field   trn field   ref field   val field   box field   tag field

       ───────────────────────────────────────────────────────────────────────────────────

       iso origin   iso         tag         tag         val         tag         tag

       trn origin   iso         trn         box         val         box         tag

       ref origin   iso         trn         ref         val         box         tag

       val origin   val         val         val         val         val         tag

       box origin   tag         box         box         val         box         tag


       tag origin   n/a         n/a         n/a         n/a         n/a         n/a



       When you are calling a method on an object, the  restrictions  from  the  call-site

       still need to hold.  You can't call the method setRefField(...) on an iso variable.

       For this reason functions are annotated with a receiver reference capability.   You

       can  only  call  a  method that is compatible with your capabilities on the object.

       The default receiver reference capability of a method is box.



Refcap recap

       Reference capabilities guard the amount of references there are to a certain  piece

       of memory.



       A  variable is a pointer to an object.  Or to be more precise a variable references

       a capability.  When creating a variable, you need to assign a reference  capability

 Manual page (stdin) line 293 (press h for help or q to quit)

Pony is a programming language that allows concurrent programming using actors. The language features an intelligent type system that prevents data-races trough a system called “capabilities”. In this blog post I will attempt to explain them.

Let’s start with the definition of a capability in pony:

A capability is an unforgeable token that

1. designates an object and
2. gives the program the authority to perform a specific set of actions on that object.

In other words with a capability you can do anything with the object. You can think of the capability as being the object itself.

So how do capabilities help us with concurrency problems? Well, they don’t, at least not on their own. The thing that makes capabilities useful is limiting how they are used. In Pony, the type system limits on how you can use these unforgeable tokens. When working with actor based concurrency, these limitations allow us to make some useful guarantees.

References

The objects that are created in pony are stored in a space that is accessible by all actors. An actor can only change an object trough a reference to the objects’ capability. When an object is created, a reference to the capability of the newly created object is returned.

val a : Object = Object.create()

After executing the above, a holds a reference to the newly created object. In pony references allow the holder one of the following functionalities:

• M: If the reference points to an actor, the reference can be used to send messages to it
• RM: The referenced object can be read, and messages can be sent
• RWM: The referenced object can be read form, written to, and messages can be sent

Aliases

Let’s look at what happens if we clone a reference:

val b : Object = a

Now b references the same object that a was pointing to. We say that a and b are aliases, they reference the same object. Aliases can cause problems during parallel computation. Race conditions can occur when aliases live on different actors. Consider the following example:

Actors A and B are counting the number of ponies on a farm. Both actors work on a different field, and increment a counter each time a pony is found. The example below shows what happens when both actors find a pony at the same moment, and increment the count by looking at what the current value of the counter is, adding one and storing it. The result is wrong.

actor A           a,b          actor B
   |               0            |
a' = a (0)         0         b' = b (0)            Both read 0 as counter value
   |               1          b = b' + 1 (2)       B overwrites content with 1
 a = a' + 1        1            |                  A overwrites content with 1
   |               1            |                  The count is 1 (not 2)

When aliases are created

Apart from doing, b = a, aliases are also created for every parameter in a function call, and for the this in every method call.

So,

object.f(a,b,c)

Creates an alias for object, a, b and c.

Managing aliases

As we will see, ponies type system strongly relies on counting the number of aliases of a certain kind. For this reason it will come in handy to be able to move a capability over to another variable, without aliasing it. There are two ways to move a capability.

1. Destructive read: In pony the result of value of the expression a = b is the old value of a. By doing the following, the number of aliases to the location b points to in the beginning remains unchanged.

   a = b = ...
   

   a now refers to what b used to refer to, and b refers to whatever the result of ... is.

2. Consuming the variable: This takes the value out of the variable you gave it. The given variable is now empty (think of it as null). The type checker will prevent you form using a consumed variable.

   consume b
   

   This is effectively the same as the following destructive read (which is not valid pony code):

   b = null
   

Reference capabilities

Tag

To avoid concurrency problems, we could simply say that it is forbidden to read or write trough a reference. This is what the tag reference capability does. You are allowed to make as many aliases of a tag as you like, you can store them and you can compare two tag variables for identity.

Aliases of a tag can safely live on different actors as they cannot be read form or written to. The only thing you can do is send messages to it (if is an actor). These messages will then be handled sequentially by the actor in the order in which they arrived.

Value

In some cases you really only need to read the referred information. The only way that we can safely read data at the same location form multiple actors, is when we know the data is immutable. The main principle is:

If I can read, no other actor can write.

The val reference capability guarantees something even stronger, that no actor has write permissions. A val can only be used to read or to send messages, never to write.

There may also exist tag (or box) aliases of a val, but that’s fine because they too don’t allow writing.

Isolate

So, now that we know how to read safely, we want to write safely. Mutable data must reside on one actor (thread). There must not be a reference through witch data can be read by another actor. This is where the iso reference capability comes in. It stands for “Isolate”. An iso variable must not have any other alias (of any kind) to it, or to an internal part of it. It is isolated, only accessible form the outermost layer and exactly once.

Let’s look at an example.

If you have a Car iso reference capability that is stored in car, you cannot do the following:

weels : Wheels iso = car.wheels      # Won't work

Because if you could, there would be two aliases to the memory location of car.wheels (wheels and car.wheels).

The benefit of these strong restrictions is that you know there is exactly one reference a piece of memory referred to by an iso. There are no aliases. if you give up your local alias you can pass it on to another actor. As you remember, giving up an alias can be done with consume. consume car is of type Car iso^ , here the ^ modifier on the type indicates that there is no reference to the value. The reference is ephemeral (short-lived, it has no alias). When there is no alias it is safe to send it to another actor using a give_automobile(Car iso car) behaviour.

otherActor.give_automobile(consume car)

Now only otherActor has access to the car in memory. The original owner is no longer allowed to use car by the type checker.

This is cool, by using an iso we ensure that there is only one reference to that piece of memory. No aliases are allowed. But an iso is very restrictive. As you recall form the previous section, it is very easy to create aliases. Using an iso as a argument to a function will not work without consuming the alias. If we don’t plan on sharing a reference, an iso is far to restrictive. This is where the ref reference capability comes in.

Reference

The ref reference capability is the most permissive read-write capability. It permits as many aliases as you like as long as all the aliases with read and/or write capabilities are on the same actor. There may still be tag (no read, nor write) aliases on other actors. The principle is:

If I can write, no other actor can read.

A reference with the ref reference capability is like the variables you are used to from for example Java. The only thing you can’t do with it is send it to an other actor. That is, a ref reference capability is not sendable. The sendable reference capabilities are iso, val and tag .

Transition and box

A more flexible variant of the iso that allows reading and writing is the trn (transition). This reference capability is designed to create a read-only variable (a val). As opposed to the iso a trn may have read aliases. But these aliases must remain on the same actor. In other words, these aliases must not be sendable. Luckily the type system of pony has a reference capability that is just that: box.

Summary

The following “deny matrix” summarizes the aliases that are forbidden for each of the reference capabilities. RW means read and write access, W means write access. The upper right corner is empty because it is not possible to deny more on your actor (local) than on other actors (global). On the diagonal, we find the sendable reference capabilities, they have the same restrictions local and globally.

Syntax

So how do you assign a reference capability to a variable? Well, you add the name of the reference capability to the end of the type name:

val myCar : Car iso = ...;
val sharedPicture: Picture val = ...;

Here myCar is an iso reference to a Car and sharedPicture is a val reference to a Picture.

Default capabilities

Often the default reference capability of an object can be derived from the “meaning” of the class. Therefore, when you define a class you can specify a default reference capability:

class val Picture:
  ...

And then just use:

val sharedPicture: Picture = ...;

Capabilities of methods

In a method you can make use of this, which refers to the current instance of the class. Remember that calling a method, an alias is created for this. By default, the reference capability for this is ref, but you can change it by adding a reference capability to your function definition:

class iso Car:
  fun ref doIt() => ...
  fun val doThat() => ...

Recovering capabilities

Recover: Lifting your capabilities

You might have a ref and know that there is only one reference to it. You want to turn your ref into an iso. The type checker would not let you undertake this, unless you can prove everything is fine. The recover-expression is a mechanism to provide such a proof. Form within a recover expression you can access all sendable variables form the enclosing lexical scope (iso, val and tag). You can do complex things with it and get out an iso if your expression evaluated to any mutable reference capability.

val thing : Thing iso = recover
  ... complex stuff ...
  aRefThing
end

If your expression evaluates to an immutable, you can get out a val. And tags stay tags.

So you can recover an

• iso form {iso,trn,ref} (preserve mutability)
• val form {val,box} (preseve immutability)
• tag form {tag} (preserve opacity)

Receiver recovery

When you call a method, there is an alias to this. As a consequence, we should not be able to call non-tag functions on an iso. Unless we use what we just learned and write the following:

var obj : Object iso= Object
var returnValue : String val= ""
obj = recover
        val refObj : Object ref = consume obj
        returnValue = refObj.toString()
        refObj
      end

We consume our iso and make it into a ref, do what we want to do and recover our original object with the iso reference capability. Luckily we don’t need to do this as pony will do this for us automatically in a process called Automatic receiver recovery.

Subtyping

There is a hierarchy to reference capabilities. If a function expects a ref you can give it an iso or a trn (if you consume it), after all you have write permissions. A box may have at most one writeable alias, a val may have none, therefore a function that expects a box will happily accept a val.

Apart from using generic functions, you can also use subtyping to just throw away your capabilities:

val myRefCar = consume myIsoCar

Receiver reference capabilities

Reference capabilities are checked when you are trying to access the value or the fields of a variable. If you have an iso variable you can read any of its iso or val fields. All other types of fields are read as a tag.

At first, that seems odd, you might be wondering “If I have an iso why can’t I read its ref field?” The reason is that an iso must maintain the property that it is isolated and that there is thus no other alias that can read or write to that memory. This includes its fields. If you were able to make an alias to one on the ref fields of an iso variable, you could still read from and write to the internals of the iso trough the alias of this ref field even if you passed the iso to another actor. The same holds for trn and box fields. val Fields are fine because they are immutable, and they are always safe to read.

The following table summarizes the restrictions. The row indicates your capability on an object, the column specifies the capability the object itself has on the filed you are trying to access. Because you can’t read fields form a tag, that row only contains “n/a”.

When you are calling a method on an object, the restrictions from the call-site still need to hold. You can’t call the method setRefField(...) on an iso variable. For this reason functions are annotated with a receiver reference capability. You can only call a method that is compatible with your capabilities on the object. The default receiver reference capability of a method is box.

Refcap recap

Reference capabilities guard the amount of references there are to a certain piece of memory.

A variable is a pointer to an object. Or to be more precise a variable references a capability. When creating a variable, you need to assign a reference capability to it. One of iso, trn, var, ref, box or tag. The reference capability you choose is your promise to the compiler that states how you will use this variable. The pony compiler will strictly uphold you to your promise.

In the following overview R means read rights, RW means read and write rights.

iso = Isolate. (RW, no aliased, can be passed) : If you have an iso variable, this means that you are certain that there is no other alias to that piece of memory with read (or write) access. It is safe to read, and write to this variable. You can pass an iso to another actor if you also pass the ownership by using consume.

trn = Transition. (RW, may have R aliases, cannot be passed) : A trn variable is designed to create a read only variable. Having one allows you to make edits to its contents and allows you to create read only variants of it (boxes). These read-only variants can’t be passed to other actors but may come in handy when constructing your read only data. For example when you are creating a val data structure with cyclic references.

box = Box. (R, may have R and RW aliases, cannot be passed) : This box should be thought of as transparent with a slot for messages. You can read its (internal public) data but you cannot alter its state trough function calls. You can still send messages to it if it is an actor

ref = Reference (RW, may have RW aliases, cannot be passed). : A ref variable is your default reference capability. It states that you can modify the data the variable is pointing and that there may be other aliases with the same RW capability.

val = Value. (R, can have R aliases, can be passed) : A val reference to data implies that all references to that data are read-only. You can safely use the data without worrying about concurrency problems.

tag = Tag. (only allows sending of messages, can be passed) : A tag variable references a place in memory that has no guarantees. The only thing you can do is send a message to it. Since it a tag does not allow changing the internals directly it can be passed without problem.

Five silent philosophers sit at a round table with bowls of spaghetti. Forks are placed between each pair of adjacent philosophers.

Each philosopher must alternately think and eat. However, a philosopher can only eat spaghetti when they have both left and right forks. Each fork can be held by only one philosopher and so a philosopher can use the fork only if it is not being used by another philosopher. After an individual philosopher finishes eating, they need to put down both forks so that the forks become available to others. A philosopher can take the fork on their right or the one on their left as they become available, but cannot start eating before getting both forks.

Eating is not limited by the remaining amounts of spaghetti or stomach space; an infinite supply and an infinite demand are assumed.

The problem is how to design a discipline of behaviour (a concurrent algorithm) such that no philosopher will starve; i.e., each can forever continue to alternate between eating and thinking, assuming that no philosopher can know when others may want to eat or think.

You can find the file with the pony implementation on my GitHub

Actors based solution

Since Pony is an actors-based programming language, we take on this problem in the default actor way.

When a philosopher wants to start eating, they request both sticks form the table (which is also and actor). Eating can only commence once both sticks are acquired. If the philosopher fails to acquire a stick, they go on to think a bit longer and try again later.

Main

The main of the program creates a table with 5 sticks and 5 philosophers.

actor Main
  new create(env: Env) =>
    let number  = USize(5)
    env.out.print("Let's eat!")
    let table = Table(number)
    for i in Range(0, number) do
      Philosopher(i,env, table, i, (i+1) % number)()
    end

Stick class

We represent a stick using a class that has a default reference capability of iso. This means that there may be at most one actor in possession of a stick.

class iso Stick
  let _id:USize val

  new iso create(id':USize)=> _id = id'
  fun box id():USize => _id
  fun box eq(that: Stick box): Bool => this._id == that._id

Table actor

A table actor gets a USize as argument to its constructor. This indicates the number of sticks and seats. An array is made of optional sticks (that is None or Stick iso).

actor Table
  let _sticks: Array[(Stick|None)] ref

  new create(num: USize) =>
    _sticks = Array[(Stick|None)]()
    for i in Range(0,num) do
      _sticks.push( Stick(i) )
    end

There are two messages the table actor accepts: takeStick and realeaseStick. They are both implemented as a behaviour in Pony. These behaviours are different from the notion of behaviours in other actor based languages in which they are used as a synchronisation mechanism.

For the first behaviour, we get a request for a certain stick and who to give it to. Because the sticks in our array are iso we cannot just take a stick with _sticks(num) and send it back to the philosopher as this would create a new alias. To solve this we perform a destructive read, using update. The return type of Array.update is a (Stick iso|None)^. This is an ephemeral type, which means that there are no aliases to the returned value. We are allowed to send it back to the philosopher.

  be takeStick(num: USize, who:Philosopher)=>
    try  who.stick(num, _sticks.update(num,None)?)
    else who.stick(num, None)
    end

When a stick is returned, it is sent with a realeaseStick call. We take that stick and use match to verify if we got a stick. Take not of how we use consume in the match. By doing this we do not create an extra alias to the stick. Our initial stick is consumed and placed in s. Since s is an iso we can call the box method s.id() to get the id of the stick such that we can put it back in the array at the right place. To place the stick in the array we need to consume the stick s again.

  be realeaseStick(stick:(Stick iso | None)) =>
    try match (consume stick)
        | let s:Stick iso => _sticks.update(s.id(),consume s)?
    end end

Philosopher actor

The philosopher is the most complicated actor.

To create one we save the number of the philosopher and the required sticks in instance variables. We also set the _sticksPending tuple to (false,false). This tuple keeps track of which sticks we have requested but haven’t received or been denied. We also keep a Rand in the actor to generate random sleep times.

actor Philosopher
   ...

  new create(number': USize, env: Env, table: Table tag, left_stick:USize, right_stick:USize) =>
    number = number'
    _sticks = (left_stick,right_stick)
    _sticksOwn1 = None
    _sticksOwn2 = None
    _sticksPending = (false,false)
    _table = table
    _env = env
    rand = Rand(133742 + (number'.u64()))

The apply behaviour, which is called at the start of the program, waits a random amount of time and requests sticks.

  be apply() =>
    let l:Philosopher tag = this
    _env.out.print("@THINK " + number.string())
    this.doDelayed({(l:Philosopher tag) => l.requestSticks(); None })

This is carried out by simply sending a takeStick request to the table. After asking sticks we must wait for a stick message as response from the table. To keep track of which sticks we do not have an answer for we set _sticksPending to true for both sticks.

  be requestSticks()=>
    _env.out.print("Request sticks " + number.string())
    _sticksPending = (true,true)
    _table.takeStick(_sticks._1,this)
    _table.takeStick(_sticks._2,this)

When stick messages arrive, we store the Stick or None in _sticksOwn1 and _sticksOwn2. We update _sticksPending. If have got a response for all sticks, we validate that we have both sticks. If one of the sticks is missing, we return all sticks we have. In the fortunate case that we have both sticks, we eat.

  be stick(num:USize, s: (Stick|None)) =>
    match (consume s)
    | let x:Stick =>
        if     x.id() == _sticks._1 then _sticksOwn1 = consume x
        elseif x.id() == _sticks._2 then _sticksOwn2 = consume x
        end
    end

    _sticksPending = (
      if num == _sticks._1 then false else _sticksPending._1 end,
      if num == _sticks._2 then false else _sticksPending._2 end
    )

    if ((_sticksPending._1) or (_sticksPending._2)) then return end

    // Check if none of the sticks are None
    recover
      match _sticksOwn1
      | None => this.returnSticks()
      else
        match _sticksOwn2
        | None => this.returnSticks()
        else
          eat() // We have both sticks
        end
      end
    end

Eating is simple. We print that we are eating and return the sticks after some time.

  fun ref eat() =>
    state = Eating
    _env.out.print("@EATING " + number.string())
    this.doDelayed({(l:Philosopher tag) => l.returnSticks(); None } iso)

When the sticks are returned we set our state to Thinking and send back the sticks to the table. Since we mustn’t create aliases to our Sticks, we first use a destructive read to get the iso in a local variable we can consume. Once the sticks are sent, we can go back to our apply().

  be returnSticks() =>
    _env.out.print("Return sticks "+number.string())
    state = Thinking
    let s1 = _sticksOwn1 = None; _table.realeaseStick(consume s1)
    let s2 = _sticksOwn2 = None; _table.realeaseStick(consume s2)
    this()

zcat file.tsv.gz | \
    mysql "$databasename" -e "LOAD DATA LOCAL INFILE '/dev/stdin' INTO TABLE $tablename"

Showing warnings,

Another functionality that mysqlimport is missing is reporting warning in full. If warnings occur during loading you get is “1337 warnings”, which does not help you pinpoint the problem. To work around this issue, you can append SHOW WARNINGS at the end of the command (after a ;).

Loading in binary data

There is no support for loading in binary data, but there is a simple workaround. If your TSV contains a column with binary data as hex the following will work.

zcat file.tsv.gz | \
    mysql "$databasename" -e "
            LOAD DATA LOCAL INFILE '/dev/stdin'
            INTO TABLE targettable (col1, col2, @hex3, col4)
            SET col3 = UNHEX(@hex3);
            SHOW WARNINGS;"

Rather than being loaded into the table, the third column will be placed in a variable that is later used to set the value of the third column.

Reminder: The following command transforms data to a hex.

... | xxd -p | tr -d "\n"

Storing a compressed column

Instead of using UNHEX, all kinds of operations can be done. A nice example is COMPRESS. Using a similar piece of code, you can compress data form your TSV with gzip.

zcat file.tsv.gz | \
    mysql "$databasename" -e "
            LOAD DATA LOCAL INFILE '/dev/stdin'
            INTO TABLE targettable (col1, col2, @large3, col4)
            SET col3 = COMPRESS(@large3);
            SHOW WARNINGS;"

Want to compress binary data? Combine the last 2: COMPRESS(UNHEX(…)).

Sources

This solution was inspired by the stackoverflow post “MySQL import from stdin”. The best answer unfortunately did not have the majority of the up-votes at the time of writing this.