CSC 660: Advanced OS
Microkernels
CSC 660: Advanced Operating Systems
Slide #1
Topics
1. What is a microkernel?
2. Mach and L4
3. Microkernel IPC
4. Microkernel Memory Management
5. Userspace Device Drivers
6. Nooks
7. Exokernels
What is a Microkernel?
Kernel with minimal features
Address spaces
Interprocess communication (IPC)
Scheduling
Other OS features run as user-space servers.
Device drivers
Filesystem
Pager
Example Microkernel Architecture:
MINIX 3
Microkernel Philosophy
A concept is tolerated inside the microkernel
only if moving it outside the kernel, i.e.,
permitting competing implementations, would
prevent the implementation of the system's
required functionality.
- Jochen Liedtke
Why use Microkernels?
Flexibility: can implement competing versions
of key OS features, like filesystem or paging,
for best performance with applications.
Safety: server malfunction restricted to that
server (even drivers), not affecting rest of OS.
Modularity: fewer interdependencies and a smaller
trusted computing base (TCB).
Mach
First generation microkernel.
Runs OS personality on top of microkernel.
Core Abstractions
Tasks and Threads (kernel provides scheduling)
Messages (instead of system calls)
Memory Objects (allow userspace paging)
Mach Abstractions
Task: unit of execution consisting of an address
space, ports, and threads.
Thread: basic unit of execution, shares address space,
ports with other threads in task.
Port: communication channel used to send messages
between tasks. Tasks must have correct port rights
to send message to a task.
Message: basic unit of communication consisting of a
typed set of data objects.
Memory Object: source of memory tasks can map
into their address space; includes files and pipes.
Mach Threads and Messages
• Threads have multiple ports with different port rights.
• Send messages to ports instead of system calls.
• Task must have port rights to send message to port.
Mach Innovations
Message passing instead of system calls.
Provide uniform interface to kernel.
Can extend messages w/o recompiling kernel.
Userspace paging
Different tasks can use different pagers.
Multiprocessor / distributed OS.
Ports can reside on system across network.
Message passing works identically across
network as on local system with NetMsgServer
forwarding messages across network.
Mach Performance
System calls take 5-6X as long as UNIX.
Message Passing
Uses pointers, copy-on-write, and memory
mapping to avoid unnecessary copies.
Port rights checks are expensive.
Paging
Pageout kernel thread determines system paging
policy (which pages are paged out to disk.)
Pager servers handle actual writing.
L4 Microkernel
• Second generation microkernel.
• Faster
– IPC is about 10X faster than Mach.
– IPC security checks moved to user space
processes if needed.
• Smaller
– L4 is 12KB. Compare to Mach 3 (330KB)
– Memory management policy moved entirely to
userspace.
Microkernel IPC
Uniform way to handle kernel interactions.
IPC Mechanisms
Registers
Direct copy
Memory mapping
Most performance critical component.
All interactions require 2 IPCs: request, response.
Hand-off scheduling: CPU control may be
transferred with message so recipient can respond
without waiting to be rescheduled.
Handle Interrupts as IPC
Microkernel captures interrupts.
Doesn’t handle.
Forwards interrupts to process as IPC.
Microkernel Paging
Microkernel forwards page fault to a pager server.
Kernel or server decides which pages need to be
written to disk in low memory situations.
Pager server handles writing pages to disk.
Recursive Address Spaces (L4)
• Initial address space controlled by first process.
– Controls all available memory.
– Other address spaces empty at boot.
• Other processes obtain memory pages from first or
from other processes that got pages from first.
• Why is memory manager flexibility useful?
– Different applications: real-time, multimedia, disk cache.
Constructing Address Spaces
grant: remove page from your address space and give
to another consenting process.
map: share page with another process.
demap: remove page from all other processes that
received it directly or indirectly from demapper.
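The three operations can be modelled as edits to a record of which address space gave each page to which. This C model is an added example, not code from the slides or from L4: the names boot, map, grant, demap, has and the src table are hypothetical, receiver consent is assumed, and moving earlier receivers under the grantee on grant is a modelling assumption.

```c
#include <stdio.h>

/* Space 0 models the first process. NONE: page absent. ROOT: not derived. */
enum { SPACES = 5, PAGES = 4, NONE = -1, ROOT = -2 };
static int src[SPACES][PAGES];   /* src[s][p]: who gave page p to space s */

void boot(void) {   /* the first process controls all memory, the rest are empty */
    for (int s = 0; s < SPACES; s++)
        for (int p = 0; p < PAGES; p++)
            src[s][p] = (s == 0) ? ROOT : NONE;
}

static int ok(int s, int p) { return s >= 0 && s < SPACES && p >= 0 && p < PAGES; }
int has(int s, int p) { return ok(s, p) && src[s][p] != NONE; }

/* map: share p; the mapper keeps it and is recorded as the receiver's source. */
int map(int from, int to, int p) {
    if (!ok(to, p) || !has(from, p) || has(to, p)) return -1;
    src[to][p] = from;
    return 0;
}

/* grant: the receiver takes the granter's place; the granter loses p. */
int grant(int from, int to, int p) {
    if (!ok(to, p) || !has(from, p) || has(to, p)) return -1;
    src[to][p] = src[from][p];
    src[from][p] = NONE;
    for (int s = 0; s < SPACES; s++)   /* assumption: earlier receivers follow */
        if (src[s][p] == from) src[s][p] = to;
    return 0;
}

/* demap: remove p from every space that got it, directly or not, from who. */
int demap(int who, int p) {
    int removed = 0;
    for (int s = 0; ok(who, p) && s < SPACES; s++)
        if (src[s][p] == who) {
            removed += demap(s, p) + 1;   /* descendants first, then s itself */
            src[s][p] = NONE;
        }
    return removed;
}

int main(void) {   /* chain 0 -> 1 -> 2 -> 3, then 4 takes 1's place */
    boot(); map(0, 1, 2); map(1, 2, 2); map(2, 3, 2); grant(1, 4, 2);
    printf("demap by space 4 revoked %d mappings\n", demap(4, 2));
    return 0;
}
```

Because a space can only pass on pages it already holds, every mapping traces back to the first process, and a demap by any ancestor reaches it.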
User Space Device Driver
How do they work?
Receive interrupts as IPC.
I/O ports mapped to user address space.
Advantages
Device drivers have 3-7X as many bugs as kernel code.
User space driver bugs don’t reduce reliability.
User space driver bugs don’t reduce security.
User Space Device Driver
driver thread:
    wait for (msg, sender)
    if sender = my hw interrupt
        read/write i/o ports
        reset hw interrupt
    else
        pass
    end
Nooks
Problem: Most kernel bugs in device drivers.
Drivers written by less experienced programmers.
Drivers are tested less than core kernel code.
Solution: Lightweight protection domains.
Kernel-mode env w/ restricted mem write access.
Isolate drivers from kernel code.
Nooks Goals
1. Isolation: Isolate kernel from extension failures.
2. Recovery: Automatic recovery after extension
failure so applications can continue execution.
3. Backwards compatibility: Extensions should not
have to be rewritten to use Nooks.
Nooks Architecture
Exokernels
Problem with traditional OS
Most resource management decisions made once
in a global fashion.
Exokernel solution
• Let programmers make resource management
decisions when they write their applications.
• Allows experimentation.
• Allows for high performance for applications
that don’t fit OS assumptions, e.g. RDBMS.
What makes Exokernels Different?
• Separate security from abstraction.
– ex: Protect disk blocks not files.
• Exokernel securely multiplexes hardware.
• Move abstractions into userspace libraries
called library operating systems (libOSes.)
• Exokernels vs Microkernels
– Microkernel concerned with implementing
kernel in user space rather than kernel space.
– Exokernel concerned with separating security
from abstraction to give applications control.
Applications on an Exokernel
Exokernel Tasks
1. Tracking ownership of resources.
2. Performing access control by guarding all
usage or binding points.
3. Revoking access to resources.
Resource Revocation
Invisible revocation
– Most OSes deallocate memory, CPU without informing
application.
Visible revocation
– Exokernels visibly request that a resource be returned to
the kernel.
– Ex: Exokernel informs app that CPU is revoked at end of
time slice, and app responds by saving required
processor state.
– If application does not return resource, exokernel will
take it from the application.
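The three exokernel tasks and the two-step revocation can be shown together on disk blocks, the resource the earlier slide says an exokernel protects. This C model is an added example, not code from the slides or from Aegis/ExOS: every exo_ name, the owner and asked tables and the eight-block disk are hypothetical.

```c
#include <stdio.h>

enum { NBLOCKS = 8, FREE = -1 };   /* constructed: eight disk blocks */
static int owner[NBLOCKS];         /* task 1: which application owns each block */
static int asked[NBLOCKS];         /* 1 while a visible revocation is outstanding */

static int valid(int app, int b) { return app >= 0 && b >= 0 && b < NBLOCKS; }
void exo_init(void) {
    for (int b = 0; b < NBLOCKS; b++) { owner[b] = FREE; asked[b] = 0; }
}

int exo_alloc(int app, int b) {   /* hand a free block to an application */
    if (!valid(app, b) || owner[b] != FREE) return -1;
    owner[b] = app;
    return 0;
}

/* Task 2: every use passes this guard; it knows blocks and owners, not files. */
int exo_use(int app, int b) {
    return (valid(app, b) && owner[b] == app) ? 0 : -1;
}

/* Task 3, visible revocation: ask the owner to return the block. */
int exo_request(int b) {
    if (!valid(0, b) || owner[b] == FREE) return -1;
    asked[b] = 1;
    return owner[b];              /* the application to notify */
}

/* Cooperative path: the owner saves what it needs, then gives the block back. */
int exo_return(int app, int b) {
    if (exo_use(app, b) != 0) return -1;
    owner[b] = FREE; asked[b] = 0;
    return 0;
}

/* Deadline passed: take every block whose owner ignored the request. */
int exo_reclaim(void) {
    int taken = 0;
    for (int b = 0; b < NBLOCKS; b++)
        if (asked[b]) { owner[b] = FREE; asked[b] = 0; taken++; }
    return taken;
}

int main(void) {   /* app 1 cooperates, app 2 ignores the request */
    exo_init(); exo_alloc(1, 0); exo_alloc(2, 1);
    exo_request(0); exo_request(1); exo_return(1, 0);
    printf("taken by force: %d\n", exo_reclaim());
    return 0;
}
```

The guard rejects negative application ids so that no caller can match the FREE marker and use unowned blocks.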
Exokernel Performance
Aegis/ExOS vs Ultrix performance
System calls 10X faster.
IPC 10-20+X faster.
Virtual memory 1-5X faster.
OS      syscall  matrix  pipe  lrpc
Aegis   2.9      5.2s    22.6  10.4
Ultrix  33.7     5.2s    231   457
Cheetah Web Server
Exokernel web server performance features:
– Transmits data directly from page cache w/o copying.
– Colocates hyperlinked files within filesystem.
– Network stack tuned to reduce packets by 20%.
Exokernel Portability
Apps that directly use exokernel aren’t
portable to different architectures.
Exokernel tied closely to hardware.
Library operating systems can provide
portability for other applications.
LibOSes can provide POSIX interface.
Can run multiple LibOSes on exokernel.
Microkernels in Use
Mach
Underlying microkernel for UNIX systems.
Examples: Mac OS X, MkLinux, NeXTStep
QNX
POSIX-compliant real-time OS for embedded sys.
Fits on a single floppy.
Underlying microkernel for Cisco IOS XR.
Symbian
Microkernel OS for cell phones.
Key Points
1. Microkernel provides minimal features
   1. Address spaces
   2. IPC
   3. Scheduling
2. Microkernel advantages
   1. Flexibility
   2. Safety
   3. Modularity
3. Early microkernels were slow, but flexible memory/disk
   policies can allow for superior application performance.
4. Exokernels focus on separation of protection from
   abstraction instead of focusing on user/kernel divide.