CS 771/871 Operating Systems
[ Home | Class
Roster | Syllabus | Status | Glossary | Search
| Course Notes]
Amoeba Distributed Operating System
System Architecture
- Location Transparent
Non-dedicated Processor Pool
(possibly different architectures)
- X-terminals dedicated to
individual users
- Set of Services (some
dedicated, some dynamic)
- Underlying network (LAN or
WAN)
- Microkernel + CLIENT/SERVER =
OS
Microkernel
- Manages processes and threads
(with synchronization)
- Low-level memory management
(Segments)
- Communications (RPC and group)
- Low-level I/O (But using
client/server model)
Client Server Model
- Objects managed by servers
- Objects accessed by
capabilities
- General approach supporting
- files
- directories
- windows
- memory
- processors
- I/O devices
Capabilities
CREATE-OBJECT RPC to Object server
returns capability
-
- Server Port
- logical address of
service (not a machine address)
-
- Object
- Like Unix i-node
-
- Rights
- Particular to an
object type
-
- Check
- Validates capability
Object Protection
- On CREATION, object is
assigned a random Check kept
at object server and put in capability.
- Rights field is all bits set
(OWNER CAPABILITY), returned to client
- To RESTRICT capability, owner
sends it back with bit mask
bit mask XOR with RIGHT field
- Server XORs new rights mask
with old check field and passes through a one way
function. This is new check field.
- The server returns new
capability with new rights and check field to client,
which may be safely passed to another process.
QUESTION: How safe is this?
How do we know it is owner trying to restrict the capability?
Can another process make up a capability with owner rights?
Can rights be increased?
Can an imposter steal the owner's capability?
Can a process with a restricted capability, increase the
rights?
Is XOR reversible?
Give an example of a one way function.
Standard Operations on Objects
Age |
Perform Garbage Collection Cycle |
Copy |
Duplicate and return capability to
new object |
Destroy |
Destroy and reclaim storage |
Getparams |
Get parameters |
Info |
Get ASCII string describing |
Restrict |
Produce restricted capability to this
object |
Setparams |
Set server parameters |
Status |
Get status from server |
Touch |
Pretend object was just used (garbage
collection) |
NOTES:
- Age/Touch used in garbage collection of orphaned
objects
- Copy is done at server, no object-related traffic to
client needed,
can have remote machines as targets
- Get/Setparams: used by adminstrator to control object
manager
Process Management
- Process is an object
- Parents get capability to
child process objects
- suspend
- restart
- signal
- destroy
- Differs from UNIX clone method
of fork and exec
- Three Levels
- RPC to process server
kernel thread on specific machine
- library functions
which call RPC
- Run Server which finds
a processor
- Process Descriptor
- architecture
- owner's capability
(for reporting)
- memory segments
- thread descriptors
- PC
- register save
area
- stack pointer
- other state
info
/*
** Process descriptor.
** This is followed by pd_nseg segment descriptors (segment_d),
** reachable through PD_SD(p)[i], for 0 <= i < p->pd_nseg.
** The index in the segment array is also the segment identifier.
** Following the segments are pd_nthread variable-lenght thread descriptors.
** Sample code to walk through the threads:
** thread_d *t = PD_TD(p);
** for (i = 0; i < p->pd_nthread; ++i, t = TD_NEXT(t))
** <here *t points to thread number i>;
*/
typedef struct {
char pd_magic[ARCHSIZE]; /* Architecture */
capability pd_self; /* Process capability (if running) */
capability pd_owner; /* Default checkpoint recipient */
uint16 pd_nseg; /* Number of segments */
uint16 pd_nthread; /* Number of threads */
} process_d;
- API
- EXEC (capability of
process server, process descriptor)
- GETLOAD (of a
processors)
- STUN
- normal:
terminate outstanding RPCs
- emergency:
stops immediately, RPC's are orphans
- NEWPROC: high level
APi builds process descriptor from binary
file name, argument and environment
Thread Management
- Initially one thread, but can
start any number of additional ones
- GLOCAL variables (locally
global to that thread)
- Synchronization by
- SIGNALS (asynchronous
interrupts)
- MUTEX (binary
semaphore), time-out LOCK
fair
- SEMAPHORES, counting
with a time-out WAIT
Memory Management
- entirely in physical memory
- no page faults
- can read/write
directly into user space
- Assumes cheap main
memory
- segments contiguous in address
space
- segments are objects
- any number, any where
- Any process with capability to
segment could read/write it (with proper permissions)
- shared memory
communications (need not be on same machine)
- main memory file
server
Communications in Amoeba
Address is a 48 bit randomly chosen
number by thread
this is the first field of a capability.
RPC, point to point,
request/block/reply
- get_request(&header,
buffer, bytes)
(server listens to port), header Contains the PORT (6
bytes)
- put_reply (&header,
buffer, bytes)
server sends reply to send
- trans (&header1, buffer1,
bytes1, &header2, buffer2, bytes2)
send message from client to server
To prevent impersonating a server,
ports are assigned in pairs
- get-port (private) known only
to the server
- put-port (public) used by any
client
These are related by a one-way
function.
put-port =
F(get-port)
Since get_request uses
get-port, an imposter cannot issue one in place of a server.
Group Communications
Closed groups, but anyone can send
RPC message to any member for group broadcast.
- CreateGroup
- JoinGrouep
- LeaveGroup
- SendToGroup:
x
x
x
x
x
x
x
x
x
x
Copyright chris wild 1996.
For problems or questions regarding this web contact [Dr. Wild].
Last updated: November 12, 1996.