CS 550: Comparative Operating System
Saie Mulay
CS 550
COMPARATIVE OPERATING SYSTEM
AMOEBA - A DISTRIBUTED OPERATING SYSTEM
Submitted by: SAIE MULAY
SID: 359 96 2339
CONTENTS
ABSTRACT
INTRODUCTION
WHAT IS AMOEBA?
ARCHITECTURE
HARDWARE ARCHITECTURE
SOFTWARE ARCHITECTURE
DESIGN GOALS AND CHIEF DESIGN FEATURES
PROTECTION AND CAPABILITIES
FILE SYSTEM
PROCESS MANAGEMENT
MACHINES ON WHICH AMOEBA RUNS
PRICING
CONCLUSION
Abstract:
This paper attempts to describe a distributed operating system called Amoeba, with
special reference to its hardware architecture, software architecture, file system and
process management. We also study the design goals and chief design features in brief.
In addition, I describe protection and capabilities in Amoeba.
Introduction:
We can divide the history of modern computing into the following eras:

1970’s: Timesharing (1 computer with many users)

1980’s: Personal computing (1 computer per user)

1990’s: Parallel computing (many computers per user)
Until about 1980, computers were huge, expensive, and located in computer centers.
Most organizations had a single large machine.
In the 1980s, prices came down to the point where each user could have his or her
own personal computer or workstation. These machines were often networked together,
so that users could do remote logins on other people’s computers or share files in various
ways.
Nowadays some systems have many processors per user, either in the form of a
parallel computer or a large collection of CPUs shared by a small user community. Such
systems are usually called parallel or distributed computer systems.
This development resulted in a new operating system called Amoeba, which is designed
for an environment consisting of a large number of computers.
What is Amoeba?
Every computer has a main program that controls and manages the operations on the
machine; this program is called an Operating System. The Operating System (OS)
provides the user interface into the system, allows input and output (I/O), and manages
memory, files, and the CPU processing, in addition to providing security for the system.
Amoeba is a general purpose Distributed Operating System.
Amoeba is designed to take a collection of machines and make them act together as a
single integrated system. In general, users are not aware of the number and location of the
processors that run their commands, nor of the number and location of the file servers
that store their files. To the casual user, an Amoeba system looks like a single
old-fashioned time-sharing system. It is a powerful micro kernel based system that turns a
collection of workstations or single board computers into a distributed system.
Amoeba is an ongoing research project. It should be thought of as a platform for
doing research and development in distributed and parallel systems, languages, protocols
and applications.
Amoeba is intended for both ‘‘distributed’’ computing (multiple independent users
working on different projects) and ‘‘parallel’’ computing (e.g., one user using 50 CPUs
to play chess in parallel). Amoeba provides the necessary mechanism for doing both
distributed and parallel applications, but the policy is entirely determined by user-level
programs.
Architecture:
The following 2 subsections describe the hardware architecture and software architecture
of Amoeba.
Hardware Architecture:
The Hardware Architecture of Amoeba has four major components:

Workstations

A local area network

A gateway

A processor pool
Figure 1: Hardware Architecture of Amoeba Operating System
The workstations execute processes that require intense user interaction, such as window
managers or text editors. The specialized servers perform resource-specific tasks, such as
handling a process that is requesting specific I/O from a disk array.
Amoeba is a distributed system, in which multiple machines can be connected
together. These machines need not all be of the same kind. The machines can be spread
around a building on a LAN. Amoeba uses the high performance FLIP network protocol
for LAN communication. If an Amoeba machine has more than one network interface it
will automatically act as a FLIP router between the various networks and thus connect
the various LANs together.
The gateway is the part of the system that allows wide area connectivity and handles
difficulties related to WAN connectivity.
The processor pool handles all the other processes. Figure 2 below shows the processor
pool model.
Figure 2: The Processor Pool Model
Each of these units typically consists of a processor, local memory, and a network
connection. Each process is given a processor until the processors run out, after which the
tasks must be queued. This is where we begin to see the reliability of the Amoeba system.
If a processing unit dies, the processes allocated to it have to be restarted, but the system
integrity is not violated, provided the failure is correctly detected. The design possibility
here is to give a user between 10 and 100 processors.
The Amoeba operating system is natively programmed for Suns, VAXs and Motorola
chips. The following is the information about possible hardware configurations taken
from a paper on the Amoeba Operating System.
Minimum configuration for a SPARC station system:
File Server: 16 MB RAM, a 300 MB disk, a SCSI tape drive.
Workstation: 8 MB RAM, monitor, keyboard, and mouse.
Pool processor: 8 MB RAM
Minimum Configuration for 386 or 486 systems:
File Server: 16 MB RAM, a 300 MB disk, 3.5” floppy drive, Ethernet
card, VGA card, keyboard, monitor, mouse.
Workstation: 8 MB RAM, Ethernet card, VGA card, keyboard, monitor,
mouse.
Pool Processor: 4 MB RAM, 3.5” floppy drive, Ethernet card
Minimum Configuration for a Sun 3/60 system:
File Server: exactly 12 MB RAM, a 300 MB disk, a QIC-24 tape drive.
Workstation: 4 MB RAM, Monochrome monitor, keyboard, mouse.
Pool Processor: 4 MB RAM.
Software Architecture:
The Amoeba software architecture is characterized by objects in a client-server
relationship. Client processes use remote procedure calls to send requests to server
processes for carrying out operations on objects. Each object has a characteristic called a
capability.
A capability is 128 bits. The first 48 bits represent the service that owns the object. The
next 24 bits are the object number. The next 8 bits represent the operations that are allowed
on the object. The final 48 bits are the “check field”, which is an encrypted field that
prevents modifications to the other fields.
Operations are done by remote procedure calls (RPCs) made by the clients in the form of
lightweight processes. This type of process has its own address space, and may contain
one or more threads. Threads, in turn, have their own program counter and stack, but
share code and data with other threads in the process. There are three basic system calls
available to a user process. These are do_operation, get_request, and put_reply.
do_operation: Client sends a request message and receives a reply; the header contains a
capability for the object upon which an operation is being requested.
get_request: Server receives a request from the port specified in the message header.
put_reply: Server replies.
Several threads can receive messages from the same port. Amoeba automatically routes
the message using put_reply to the sender of the corresponding call to do_operation. A
thread cannot reply out of order to messages it has received, and must follow every call to
get_request with a call to put_reply.
Built on these primitive system commands is an interface for applications programming.
This is done by a level of indirection that allows users to think of this structure as objects
and operations on these objects.
Associated with each object is a class. Classes may contain other classes and therefore
are hierarchical in nature. This inheritance creates the object interface for object
manipulation such as delete, read, write, append, etc.
Design Goals and Chief Design Features:
Three central design goals were set for the Amoeba distributed operating system, as
follows.

Network transparency: All resource accesses were to be network transparent. In
particular, there was to be a seamless system-wide file system, and processes were
to execute at a processor of the system’s choosing, without the user’s knowledge.

Object-based resource management: The system was designed to be object-based.
Each resource is regarded as an object and all objects, irrespective of their type,
are accessed by a uniform naming scheme. Objects are managed by servers,
where they can be accessed only by sending messages to the servers. Even when
an object resides locally, it will be accessed by request to a server.

User-level servers: The system software was to be constructed as far as possible
as a collection of servers executing at user-level, on top of a standard micro kernel
that was to run at all computers in the system, regardless of their role.

An issue that follows from the last two goals, and to which the Amoeba designers paid
particular attention, is that of protection. The Amoeba micro kernel supports a
uniform model for accessing resources using capabilities.
The basic abstractions supported by the micro kernel are processes and threads, and ports
for communication. Each server is a multi-threaded, protected process. Server processes
can occur singly, or in groups, as we shall discuss. Communication between processes at
distinct computers running Amoeba on a network is normally via an RPC protocol
developed by the Amoeba designers. This protocol is implemented directly by the kernel.
Servers that have been constructed include several file servers and a directory server,
which stores mappings of path-name components to capabilities for files and other
resources.
Protection and Capabilities:
In Amoeba all resource identifiers are capabilities, implemented in the form shown in
Figure 3 below:
Figure 3: An Amoeba Capability
A capability is 128 bits long. It contains an identifier that is mapped at run-time onto a
server port, and the object number is used to identify the object within that server. The
two additional fields, the permissions field and check field, are used respectively to
identify the types of accesses that the possessor of the capability is allowed to make, and
to protect against forgery of the capability.
The permissions field requires integrity checks, to prevent users from forging capabilities
or tampering with the permissions. Amoeba uses the check field for this purpose as
follows.
When a client requests the creation of a new object, the server supplies a capability with
all permissions set – an owner capability (the creator of an object can do with it what it
likes). This capability contains: the identifier of the server port for receiving request
messages; a new object number; a permissions field allowing all operations on the object;
and a 48-bit random number in the check field. The server stores the owner capability
with the new object’s data.
Now, consider a client that attempts to forge a capability with all the permissions bits set.
It can copy the server port identifier from another capability and guess an object number.
However, the client is unlikely to be able to guess the check field. There are 2^48, i.e. about
10^14, combinations of 48-bit-wide fields. Generating and testing all these combinations by
brute force would involve passing each guess in a message to the server, at about 2
milliseconds for each guess. That is about 2 x 10^11 seconds, or about 6,300 years. The
same argument can be applied to the 48-bit server port identifier, to show that a process
not knowing the target process’s port identifier is highly unlikely to succeed in guessing
it using brute force.
A major disadvantage of capabilities is that they do not solve problems of eavesdropping
and replaying: an intruder can examine messages being sent over the network, and copy
capabilities (or encrypted capabilities) out of them, to be used in malicious accesses to
the corresponding resource.
Another disadvantage of capabilities is that they cannot easily be retracted. For example:
If Smith and Jones have each been given capabilities to access a certain file, how is it
possible to retract Jones’s rights to access the file, but not Smith’s? The only way is for
the server to associate a different set of capabilities with the file, and to give a new
capability to Smith, but to ensure that it is not given to Jones. However, if Smith decides
to grant access to the file to Jones, then she has only to pass the capability to Jones, thus
thwarting the owner’s wishes.
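The owner-capability check and the forgery argument from this section, as an added example (not code from Amoeba or from the sources this paper cites). The ObjectServer class, the port value and the helper names are hypothetical, and only owner capabilities are modeled; the last check in the demo shows why a capability copied off the network is still accepted.

```python
import hmac
import secrets

ALL_RIGHTS = 0xFF  # 8-bit permissions field with every bit set


def pack_capability(port: int, obj: int, rights: int, check: int) -> bytes:
    """Pack the 48/24/8/48-bit fields from the text into 128 bits (16 bytes)."""
    for value, bits in ((port, 48), (obj, 24), (rights, 8), (check, 48)):
        if not 0 <= value < (1 << bits):
            raise ValueError("field does not fit its width")
    return ((port << 80) | (obj << 56) | (rights << 48) | check).to_bytes(16, "big")


def unpack_capability(cap: bytes) -> tuple[int, int, int, int]:
    """Return (port, object number, rights, check) from a 16-byte capability."""
    if len(cap) != 16:
        raise ValueError("a capability is exactly 128 bits")
    v = int.from_bytes(cap, "big")
    return v >> 80, (v >> 56) & 0xFFFFFF, (v >> 48) & 0xFF, v & ((1 << 48) - 1)


class ObjectServer:
    """Hypothetical server that keeps each object's owner capability."""

    def __init__(self, port: int) -> None:
        self.port = port
        self._owner_caps: dict[int, bytes] = {}  # object number -> owner capability

    def create(self) -> bytes:
        obj = len(self._owner_caps)               # next free object number
        cap = pack_capability(self.port, obj, ALL_RIGHTS, secrets.randbits(48))
        self._owner_caps[obj] = cap               # stored with the object's data
        return cap

    def validate(self, cap: bytes) -> bool:
        if len(cap) != 16:
            return False
        stored = self._owner_caps.get(unpack_capability(cap)[1])
        # Constant-time comparison so timing does not leak how many bytes matched.
        return stored is not None and hmac.compare_digest(cap, stored)


def brute_force_years(combinations: float, seconds_per_guess: float = 0.002) -> float:
    """Time to try every check value at the text's 2 ms per guess."""
    return combinations * seconds_per_guess / (365.25 * 24 * 3600)


def capability_demo() -> dict[str, bool]:
    server = ObjectServer(port=0x123456789ABC)    # constructed port identifier
    owner = server.create()
    port, obj, _, check = unpack_capability(owner)
    forged = pack_capability(port, obj, ALL_RIGHTS, check ^ 1)  # wrong check field
    return {
        "owner_accepted": server.validate(owner),
        "forged_rejected": not server.validate(forged),
        # A copied capability is byte-identical, so the server cannot tell it apart.
        "copy_accepted": server.validate(bytes(owner)),
    }
```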
File System:
Naming in the Amoeba operating system is an intrinsic part of the object capabilities.
This is abstracted away from users, however. There is an extra level of mapping from
symbolic, hierarchical path names to capabilities. Through this system a user sees local
objects as well as public objects.
This also provides a user access system that can be related to Unix’s. Members of a group
may be given a capability for a directory. All others are not given the capability for the
directory. Thus only members of the group can see the directory. The object property of
directories also ensures the hierarchical properties of directories through their
capabilities. In reality, directories are name/capability pairs.
In the implementation of an Amoeba operating system in Amsterdam, the file server used
is the bullet file service. It supports three operations: read file, create file, and delete file.
Since no write file is supported, when a file is created all information including size and
name/capability must be provided. Files cannot be changed once they are created. This
is convenient for reliability: since files don’t change, the file server may back up
at any time. Lastly, this means that files are stored contiguously. The bullet file server is
both efficient at file storage and offers high disk performance.
Reliability and security rely heavily on the directory service. All the internal tables are
replicated so that the loss of a node can’t cause a system halt because it has no directory
service. The directory service also functions to grant or deny access depending on
capabilities.
Directory protection is implemented in the directory service. An encryption key is
generated and then exclusive-ORed with a random number. This result is stored alongside
the directory and the random number is put in the directory’s capability. Finally the
capability is given to the owner and the directory service “forgets” the random number.
When a client makes a request for an operation on the directory, the random number,
which is stored in the capability, is received by the directory service. The directory
service can then decrypt the directory.
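The directory protection scheme above, as an added example that is not Amoeba's code. The DirectoryService class and its method names are hypothetical, the 48-bit width of the random number is an assumption, and a SHA-256 keystream stands in for the cipher, which the text does not name.

```python
import hashlib
import secrets

KEY_BYTES = 6  # assumed width (48 bits); the text does not state it


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher (SHA-256 in counter mode); encrypts and decrypts."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        pad = hashlib.sha256(key + block_no.to_bytes(8, "big")).digest()
        out += xor_bytes(data[block_no * 32:(block_no + 1) * 32], pad)
    return bytes(out)


class DirectoryService:
    """Hypothetical directory service that keeps no usable key at rest."""

    def __init__(self) -> None:
        self._dirs: dict[int, tuple[bytes, bytes]] = {}  # id -> (masked key, ciphertext)

    def create(self, dir_id: int, entries: bytes) -> bytes:
        key = secrets.token_bytes(KEY_BYTES)        # encryption key
        rnd = secrets.token_bytes(KEY_BYTES)        # random number
        # Stored alongside the directory: key XOR random number, plus ciphertext.
        self._dirs[dir_id] = (xor_bytes(key, rnd), keystream_xor(key, entries))
        return rnd  # placed in the owner's capability; not kept by the service

    def read(self, dir_id: int, rnd_from_capability: bytes) -> bytes:
        masked_key, ciphertext = self._dirs[dir_id]
        key = xor_bytes(masked_key, rnd_from_capability)  # recover the key
        return keystream_xor(key, ciphertext)

    def at_rest(self, dir_id: int) -> tuple[bytes, bytes]:
        return self._dirs[dir_id]


def directory_demo() -> dict[str, bool]:
    entries = b"notes.txt -> <capability>; src -> <capability>"  # constructed
    service = DirectoryService()
    rnd = service.create(1, entries)
    wrong = bytes([rnd[0] ^ 0x01]) + rnd[1:]        # capability with one bit off
    _, ciphertext = service.at_rest(1)
    return {
        "right_number_decrypts": service.read(1, rnd) == entries,
        "wrong_number_fails": service.read(1, wrong) != entries,
        "plaintext_not_stored": ciphertext != entries,
    }
```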
The directory service is also responsible for backup of the file system. The fact that files
are immutable means that information that is cached by the directory service never
becomes outdated. In addition, immutable files benefit speed, because of caching,
seeking, and contiguous storage.
Process Management:
In Amoeba, processes have a segmented virtual address space. These processes may have one
or more threads. Threads are allocated to processors until all processors are used. The
resulting process management mechanism provides for better utilization of processor
cycles by minimizing context switching among more heavyweight processes, each of
which would occupy an entire address space.
Processes control their address space. They may add or remove segments from their
virtual address space through a mapping operation. A file-like object contains a
capability, and is read by the kernel; if the process is allowed, it can then map or
unmap segments for its virtual address space.
To create a process, a process descriptor is sent to the kernel. This is known as the
execute process request. A process descriptor contains the host descriptor, the process
capability, the handler capability and number of segments.
The host descriptor contains the information about what kind of system the potential
process can be run on. This includes instruction set, memory needs, machine class
information, etc. The kernel must match the host descriptor to continue.
The process capability is the integral part of the process, saying what can be done to and
by the process, as well as by whom. The handler capability is similar, but its capabilities
are for abnormal process actions.
The process address space is encapsulated in an internal memory map. This map has an
entry for every segment of the address space of a potential process. An entry contains the
virtual address, segment length, segment mapping, and capability of the object from which
the segment is initialized.
There is also a thread map that describes other attributes. These include the initial state of
the thread, processor status, program counter, stack pointer, the stack base, register values,
and the system call state. This allows the process descriptor to be used on processes.
Processes have two possible states in the Amoeba operating system. These are running or
stunned. The stunned state is when a process exists, does nothing in the sense of
execution, and is being debugged. When a process is stunned, the kernel tells all other
kernels attempting to communicate with the process that it is stunned. The other
kernels then keep attempting to communicate with this process until it is killed or returns
to the running state. An object with the correct capability can make a request to stun an
object. Debugging and migration are also done after stunning a process.
Machines on which Amoeba Runs:
Amoeba currently runs on the following architectures:

Sun 4c and MicroSPARC SPARCstations

Intel 386/486/Pentium/Pentium Pro (IBM AT bus, PCI Bus)

68030 VME-bus boards (Force CPU-30)

Sun 3/60 & Sun 3/50 workstations.
Pricing:
Amoeba is available free to universities that have FTP or WWW access to the
Internet, and for $US 500 on Exabyte or DAT tape to those that do not. Printed sets of
the manuals can be obtained for $US 500 each.
Conclusion:
The Amoeba operating system was designed as a distributed operating system from the
start. It employs radical design components such as a main processor pool consisting of a
number of processor boards and memory units. The kernel provides three basic system
calls to users through remote procedure calls. It also provides security through its
embedded capability system. Amoeba uses workstation-local processors to handle
user-intensive processing. Other processes are distributed to the processor pool, or to other
function-specific processors. Amoeba can be built from off-the-shelf products, and produces
a very high performance operating system without custom-made parts. The Amoeba
operating system in general is a highly secure, high performance distributed operating
system.
References:
1) Tanenbaum, A.S., Renesse, R., Staveren, H., Sharp, G., Mullender S., Jansen, J.,
Rossum, G.: Experiences with the Amoeba Distributed Operating System.
2) Tanenbaum, A.S., Renesse, R., Staveren, H., Sharp, G., Mullender S., Jansen, J.,
Rossum, G.: A Distributed Operating System for the 1990’s
3) http://www.cs.vu.nl/pub/amoeba/amoeba.html
4) Stallings, William: Operating System.
5) Prof. Soneru, Marius. Comparative Operating System: Lecture Notes.