1CS514: Intermediate Course in Operating SystemsProfessor Ken BirmanVivek Vishnumurthy: TARecapn We started by thinking about Web Servicesn Basically, a standardized architecture that clients client systems talk to serversn Uses XML and other Web protocolsn And will be widely popular (“ubiquitous”)n Our goal is to build “trustworthy” systems using these standard, off-the-shelf techniquesn So we started to look at the issues top downRecapn First we looked at naming/discoveryn We asked what decisions need to be maden Client needs to pick the right servicen I want this particular database, or display devicen Service may have a high-level routing decisionn Send “East Coast” requests to the New Jersey centern Service also makes lower-level decisionsn John Smith is doing a transaction; send requests to the same node if possible to benefit from cachingn And finally the network does routingRecapn In the case of naming/discoveryn We observed that the architecture doesn’t really offer “slots” for the associated logicn Developers can solve these problemsn I.e. by using the DNS to redirect requestsn But the solutions feel like hacksn Ideally one would wish that Web Services tackled such issues. n One day they will! But not for a decade…Recapn Next we looked at performance issuesn We imagined that we’re building a service and want to increase load on itn Led us to think about threading, staged event queuing (SEDA)n Eventually leads us to a clustered architecture with load-balancersn Again, found that WS lacks key featuresTrustworthy Web Servicesn To have confidence in solutions we need rigorous technical answersn To questions like “tracking membership” or “data replication” or “recovery after crash”n And we need these embodied into WSn For example, would want best-of-breed answers in some sort of discovery “tool” that applications can exploit2Trustworthy Computingn Overall, we want to feel confident that the systems we build are “trustworthy”n But what should this mean, and how realistic a goal is it?n Todayn Discuss some interpretations of the termn Settle on the “model” within which we’ll work during the remainder of the termCategories of systems…n Roles computing systems play vary widelyn Most computing systems aren’t critical in a minute-by-minute sensen … but some systems matter more; if they are down, the enterprise is losing moneyn … and very rarely, we need to build ultra-reliable systems for mission-critical usesExamplesFly-by-wire control system for airplaneMilitary weapons targeting systemMicrosoft.com websiteLess “critical” More “critical”Benign threats Malicious attackHospital billing systemControl of electric power gridAuthentication system of a campus networkOur focusTechniques vary!n Less critical systems that face accident (not attack) lend themselves to cheaper solutionsn Particularly if we don’t mind outages when something crashesn High or continuous availability is hardern The mixture of time-critical, very secure, very high availability is particularly difficultn Solutions don’t integrate well with standard toolsn “Secure and highly available” can also be slowImportance of “COTS”n The term means “commercial off the shelf”n To understand importance of COTS we need to understand history of computingn Prior to 1980, “roll your own” was commonn But then with CORBA (and its predecessors) well-supported standards won the dayn Productivity benefits of using standards are enormous: better development tools, better system management support, better feature setsn Today, most projects mandate COTSThe dilemman But major products have been relaxed about:n Many aspects of securityn Reliabilityn Time-critical computing (not the same as “fast”)n Jim Gray: “Microsoft is mostly interested in multi-billion dollar markets. And it isn’t feasible to make 100% of our customers happy. If we can make 80% of them happy 90% of the time, we’re doing just fine.”3Are COTS trustworthy?n Security is improving but still pretty weakn Data is rarely protected “on the wire”n Systems are not designed with the threat of overt attack in mindn Often limited to perimeter security; if the attacker gets past the firewall, she’s home freen Auditing and system management functions are frequently inadequateAre COTS trustworthy?n Most COTS technologies do anticipate crashes and the need to restartn You can usually ask the system to watch your application and relaunch after failuren You can even ask for a restart on a different node… but there won’t be any protection against split-brain problemsn So-called “transactional” model can helpn Alternatively can make checkpoints, or replicate critical data, but without platform helpIs this enough?n The way COTS systems provide restart is potentially slown Transactional “model” can’t offer high availability (we’ll see why later)n Often must wait for failed machine to reboot, clean up its data structures, relaunch its main applications, etcn In big commercial systems could be minutes or even hoursn Not enough… if we want high availabilityAre COTS trustworthy?n Security… reliability… what about:n Time-critical applications, where we want to guarantee a response within some bounded time (and know that the application is fast enough… but worry about platform overheads and delays)n Issues of system administration and management and upgradeSoS and SOAsn The trend is towardsn Systems of Systems (SoS): federation of big existing technologiesn Service Oriented Architectures (SOAs). n Object oriented or Web Services systemsn Components declare their interfaces using an interface definition language (IDL) or a description language (WSDL)n Implementation is “hidden” from clientsExample: the Air Force JBIDecision-Quality InformationGlobally Interoperable Information “Space” that …Aggregates, fuses, and disseminates tailored battlespaceinformation to all echelons of a JTFLinks JTF sensors, systems &users together for unity of effortIntegrates legacy C2 resourcesFocuses on Decision-MakingEnables Affordable Technology RefreshLeverages Emerging Commercial Technologies4Inside the Battlespace InfoSphere(circa 1999)InputPlanning/ExecutionProductsCommand GuidanceUserInformation Products & DBsFusionProductsCombat SupportProductsManipulateto CreateKnowledgeQueryPublishSubscribeTransform ControlCommonRepresentationInteractTask
View Full Document
Unlocking...