Inside OSGi
By Peter Kriens, CEO aQute, OSGi Technology Officer and OSGi Fellow
©1999-2004 aQute, All Rights Reserved

Slide 2: Framework Architecture
[Class diagram: a framework impl manages one bundle controller per bundle and one service controller per registered service. A bundle is represented by the <<interface>> Bundle, is associated with one BundleContext and 0..1 BundleActivator (start/stop), carries 0..n security permissions (PackagePermission, ServicePermission and AdminPermission extend java.security.Permission), registers 0..n services (ServiceRegistration; the service impl optionally implements ServiceFactory) and uses services through ServiceReference. Bundle events (BundleEvent, BundleListener, SynchronousBundleListener), service events (ServiceEvent, ServiceListener) and framework events (FrameworkEvent, FrameworkListener) are delivered through the BundleContext. Also shown: Constants, Filter, and BundleException and InvalidSyntaxException, both subclasses of java.lang.Throwable.]

Slide 3: Classloading
[Figure: classes A, B, C loaded from one global CLASSPATH]
• Standard Java loads all classes from a global CLASSPATH and class loaders
• The CLASSPATH consists of many entities
  – Jar files
  – Directories
  – Other sources via a class loader
• Actual class loading is uncontrolled and fails too often
  – ClassNotFoundException
  – NoClassDefFoundError
  – ClassCastException
  – Shadowing: wrong version
• Complex!
• It would be nice if this was more controlled …

Slide 4: OSGi Modules
[Figure: a MODULE layer on top of the Execution Environment (CDC); bundles A, B and C as isolated modules]
• OSGi adds a powerful module system to Java
• Allows isolated modules to co-exist in a single VM
• Does not use the global CLASSPATH, but allows fine grained control of package sharing
• Modules specify constraints through manifest headers in their JAR
• Module dependencies are controlled and checked
• Fine grained PackagePermission (optional)
• Non-intrusive, works with existing code. Only manifest headers are required
• Bundles are automatically activated when first used

Slide 5: OSGi Modules
• Prevents ClassCastExceptions when multiple bundles share objects, using Import-Package and Export-Package clauses
• Dependency on other bundles can be expressed with Require-Bundle
  – A cannot work without B
  – Multiple versions: A must work with B 1.2 and C must work with B 1.4
• Extending packages with extra content (Fragments)
  – Internationalization
  – Private classes (when statics are (mis)used)

Slide 6: Problem
• A reboot is required for configuration changes
  – Boot time
  – Disruption in service
• The server is in a remote location and needs to be managed over the network
• It should be possible to manage the set of bundles in the VM without rebooting

Slide 7: OSGi Life-Cycle
[Figure: a LIFE-CYCLE layer added above the MODULE layer]
• The OSGi Life-Cycle support allows bundles to be:
  – Installed
  – Started
  – Stopped
  – Updated
  – Uninstalled
• Life cycle operations are persistent
• Full API for management
• Easy to manage remotely because of the management agent concept
• AdminPermission and BundlePermission for security
• Fully evented

Slide 8: Problem
• Bundles need to collaborate
• Discover potential partners
• Find applicable objects that can be used in the collaboration
• Handle the coming and going of bundles

Slide 9: OSGi Service Registry
[Figure: a SERVICE-REGISTRY layer added above LIFE-CYCLE and MODULE; bundles A, B, C and D]
• The Service Registry is a dynamic registry of service objects
• Adds strict decoupling between bundles
• Manages life-cycle dependencies
• Fully evented
• Dynamic discovery
• Implements many important software patterns
• Fine grained security model with ServicePermission (optional)

Slide 10: OSGi Service Platform
[Figure: the layered stack SERVICE-REGISTRY (L3) / LIFE-CYCLE (L2) / MODULE (L1) / Execution Environment (L0)]
• L3 - Decouples bundles so that the deployer can mix and match configurations
• L2 - Manages bundle life-cycles in a VM without requiring reboots
• L1 - Creates the concept of bundles that use classes from each other in a controlled way, according to system and bundle constraints
• L0 - Execution environment: CDC, CLDC, OSGi/Minimum

Slide 11: Java 2 Security Primer
[Figure: code calling foo() runs in a Protection Domain that carries a set of Permissions; the Security Manager delegates checkPermission(p) to the Access Controller, which walks the Access Control Context and asks the permissions of each protection domain on the stack implies(p)]
• Java 2 security provides a flexible and comprehensive model for security
• Permission subclasses hide the semantics of the permission type
  – FilePermission
  – SocketPermission
  – ServicePermission
  – …
• Code is associated with a set of permissions
• The SecurityManager checks a permission by creating a permission object and asking the permissions on the stack whether they imply it (implies(p))

Slide 12: Permissions
• Permission associated with code
  – …
  – FilePermission("/tmp/-", "read,write");
  – …
• Check
  void open(String path) {
      …
      // checkPermission is an instance method; no manager means no checks
      SecurityManager sm = System.getSecurityManager();
      if (sm != null)
          sm.checkPermission(new FilePermission(path, "read"));
      …
  }

Slide 13: Changing the context
• Normally all classes on the call stack are evaluated and must return true
• Sometimes a method wants to run with only its own permissions
• This is possible with the doPrivileged method on the AccessController
• This places a marker on the stack to indicate that the search should stop
• Can also be used to run code with the context of another protection domain

  ...normal code here...
  String user = (String) AccessController.doPrivileged(
      new PrivilegedAction() {
          public Object run() {
              return System.getProperty("user.name");
          }
      }
  );
  ...normal code here...

Slide 14: Issues with Java 2 Security
• Checking permissions is heavy
• Impossible to cache the results of a check due to the polymorphic model
  – The result of an implies can change at any time
• Too flexible
  – Every class can have its own protection domain
• The doPrivileged model is expensive due to too many class creations
• Complex!

Slide 15: Permission Admin
• Permissions are managed through Permission Admin
• Permissions are stored in PermissionInfo objects
• Permission Admin is used by Management Agents to store the PermissionInfo objects
• The location is the key to the PermissionInfo objects
  – Allows permissions to be set before download
• Changes in permissions are immediate

Slide 16: Permission Admin
[Figure: the Management Agent hands PermissionInfo[] for a bundle location to the PermissionAdmin service; the Framework constructs the java.security.Permission objects for the Bundle installed from that location]

Slide 17: Permission Admin API
PermissionInfo[] getDefaultPermissions()
    Gets the default permissions.
java.lang.String[] getLocations()
    Returns the bundle locations that have permissions assigned to them, that is, bundle locations for which an entry exists in the permission table.
PermissionInfo[] getPermissions(java.lang.String location)
    Gets the permissions assigned to the bundle with the specified location.
void setDefaultPermissions(PermissionInfo[] permissions)
    Sets the default permissions.
void setPermissions(java.lang.String location, PermissionInfo[] permissions)
    Assigns the specified permissions to the bundle with the specified location.
PermissionInfo(java.lang.String encodedPermission)
    Constructs a PermissionInfo object from the given encoded PermissionInfo string.
PermissionInfo(java.lang.String type, java.lang.String name, java.lang.String actions)
    Constructs a PermissionInfo from the given parameters.

Permission File
(org.osgi.framework.PackagePermission "org.osgi.test.cases.*" "import")
(org.osgi.framework.ServicePermission "org.osgi.test.cases.lifecycle.servicereferencegetter.ServiceReferenceGetter" "register,get")
(org.osgi.framework.ServicePermission "org.osgi.test.*" "get")
(org.osgi.framework.ServicePermission "org.osgi.framework.*" "get,register")
(org.osgi.framework.ServicePermission "org.osgi.test.cases.lifecycle.servicereferencegetter.*" "get,register")

Slide 18: Permissions
• OSGi introduces a number of specific permissions
• AdminPermission
  – Coarse permission used to guard the administrative APIs
  – Has no parameters
• PackagePermission
  – Allows a bundle to import and/or export a package
  – PackagePermission("org.osgi.service.log", "import,export");
• ServicePermission
  – Allows a bundle to register and get a service
  – ServicePermission("org.osgi.service.log.LogService", "get")

Slide 19: OSGi Security
• Framework callbacks are always done with only the Framework access control context on the stack
• Application code should assume that it has only its own security permissions to take care of
• This is a potential access point into code, so programmers should be aware of this
• If this were not done, then for most code the programmer would have
to run in privileged code, requiring the programmer to create PrivilegedAction objects

Slide 20: Package Admin
[Figure: the Management Agent uses PackageAdmin; the Framework has selected exported packages p1, p2 and p3 among Bundles A, B and C]
• The Framework selects the exported packages autonomously
• Packages, once selected, remain available forever
• After an update or new install, the packages need to be refreshed
  – Packages are not automatically refreshed
• The PackageAdmin service provides access to functions to refresh and introspect the state of the system
• The Package Admin is used by the management agent to manage the packages

Slide 21: PackageAdmin
[Class diagram: PackageAdmin provides 0..n ExportedPackage objects; each has a name, is exported by exactly one Bundle and is imported by 0..n Bundles]

Slide 22: Package Admin
• getExportedPackage and getExportedPackages return ExportedPackages, which supply state information
• refreshPackages can refresh a set of bundles. A null parameter refreshes all

ExportedPackage getExportedPackage(java.lang.String name)
    Gets the ExportedPackage object with the specified package name.
Bundle getExportingBundle()
    Returns the bundle exporting the package associated with this ExportedPackage object.
Bundle[] getImportingBundles()
    Returns the resolved bundles that are currently importing the package associated with this ExportedPackage object.
java.lang.String getName()
    Returns the name of the package associated with this ExportedPackage object.
java.lang.String getSpecificationVersion()
    Returns the specification version of this ExportedPackage, as specified in the exporting bundle's manifest file.
boolean isRemovalPending()
    Returns true if the package associated with this ExportedPackage object has been exported by a bundle that has been updated or uninstalled.
ExportedPackage[] getExportedPackages(Bundle bundle)
    Gets the packages exported by the specified bundle.
void refreshPackages(Bundle[] bundles)
    Forces the update (replacement) or removal of packages exported by the specified bundles.

Slide 23: Start Level Service
• The Start Level Service provides the following functions:
  – Controls the beginning start level of the OSGi Framework.
  – Is used to modify the active start level of the Framework.
  – Can be used to assign a specific start level to a bundle.
  – Can set the initial start level for newly installed bundles.
• The Start Level service can be used for
  – Safe mode – The Management Agent can implement a safe mode. Only fully trusted bundles are started.
  – Splash screen – If the total startup time is long, it might be desirable to show a splash screen during initialization to improve the user experience.
  – Handling erratic bundles – Problems can occur because bundles require services to be available when they get activated (this is a programming error). By controlling the start order, the Management Agent can prevent these problems.
  – High priority bundles – Certain tasks such as metering need to run as quickly as possible and cannot have a long startup delay. These bundles can be started first.

Slide 24: Start Level Service
[Class diagram: a management bundle impl uses the <<interface>> StartLevel of the Framework implementation; when the start level changes, the Framework notifies 0..* FrameworkListener implementations (event listener impls) with a FrameworkEvent]

Slide 25: Bundle Environments
• Bundle Environment
  – A well defined format with handling rules for defining the classes and methods that a bundle can rely on.
• Machine Processable
  – It should be easy to process the specification with tools to verify bundles and Service Platforms.
• Standards
  – It should be based on standards as much as possible.
  – It must be compatible with J2ME

Slide 26: Bundle Environments
• Published as JAR files
  – Can be downloaded from www.osgi.org
• Minimum Execution Environment
  – Is used for test cases and the reference implementation
  – Is a proper subset of J2ME Foundation and J2SE
  – Significantly smaller than Foundation, but allows for class loaders
• Foundation
  – Based on J2ME Foundation 1.0
  – Submitted by SUN

Slide 27: Stale References
[Figure: Bundle A holds a stale reference to an object in Bundle B]
• OSGi is pure Java and therefore misses the possibility to do a full cleanup
• Stale references are object references to "dead" objects
  – Service unregistered
  – Bundle stopped/uninstalled
• Stale references cause class loaders to hang around
• Restarting a bundle will recreate the class loader; this solves most problems and can be done by the Management Agent
• No support from VMs
  – Nullify references

Slide 28: Threads
• Threads are Java's weak spot
  – They cannot be stopped
• The management agent must be aware of the threads that hang and manage the system accordingly, rebooting if necessary
• The JSR 121 Isolation API is interesting in this respect but is currently not compatible with OSGi
  – May be useful in an environment where applications are separated from system software
• A highly secure system would assign a separate thread to each bundle, with its own thread group
  – Footprint issues
  – Careful with callbacks

Slide 29: Performance Issues
• OSGi has very little overhead
  – Most actions occur rarely
  – Straightforward implementations are possible
• Initialization is usually the killer
  – Most bundle programmers do not understand that 1 second per bundle is an extra minute of boot time for a system with 60 bundles
  – Name lookups and network access in the bundle activator will kill a product
  – Use lazy initialization whenever possible to spread the initialization out over
    time
• Use initialization time budgets

Slide 30: Performance Issues: Class loading
[Figure: OSGi maps package.1, package.2 and package.3 directly to their class loaders, where a standard class path is searched entry by entry]
• Class loading is a major performance hog
• OSGi provides faster class loading because it has a (hash) table linking package names to class loaders
  – Modularity
  – Standard Java uses a linear class path that must be searched (or indexed)
  – OSGi headers provide this information without effort

Slide 31: Performance Issues
• The registry must be designed to handle thousands of services
  – This is an explicit assumption to allow simple designs
• Integrate as early as possible; many problems do not show until the system is run in its intended configuration
• Reason about the system, not just the components
• Measure before you optimize …
• Links
  – http://www-106.ibm.com/developerworks/library/jjtp03253.html?ca=dnt-412
  – "Java 2 Performance and Idiom Guide", by Craig Larman, Rhett Guthrie

Slide 32: Footprint Issues
• Typically the OSGi footprint is
  – ~ 200K JAR file uncompressed
  – ~ 50K + ~10K per bundle dynamic memory
  – Persistent size depends on the size of the bundles
• Class loaders are expensive!
  – Minimize started bundles
  – Stop bundles no longer needed
• Assure that the framework aggressively collects unnecessary memory
• Verify that native code is cleaned up well by the VM!
• OSGi allows sharing of packages
  – Use it!
  – It is possible to use tools to reduce duplicated code (at the expense of more dependencies)
• The OSGi architecture allows aggressive use of optimization techniques due to its event model

Slide 33: Synchronization
• Java monitors are heavily abused
  – Lack of timeout makes deadlocks infinite
• Monitors are intended to guard Java structures; calling other code from inside a monitor is bad practice
  – Correct usage of monitors looks pretty bad in code
  – No time
• Use higher level constructs instead
  – Semaphores
  – Locks
  – See JSR 166 for a current proposal

Slide 34: Synchronization
• An OSGi system is extremely sensitive to bad synchronization calls
  – Callbacks through multiple bundles
• Frameworks and system code (code calling other bundles) should be written not to hold locks in callbacks
• Locks are

Slide 35: Native Code Algorithm
• The Native Code Algorithm is much improved in R4
• The Framework must select the native code clause selected by the following algorithm:
  1. Select only the native code clauses for which the following expressions all evaluate to true.
     • osname ~= [org.osgi.framework.os.name]
     • processor ~= [org.osgi.framework.processor]
     • osversion <= [org.osgi.framework.os.version] or osversion is not specified
     • language ~= [org.osgi.framework.language] or language is not specified
  2. If no native clauses were selected in step 1, a BundleException is thrown, terminating this algorithm.
  3. The selected clauses are now sorted in the following priority order:
     1. osversion: osversion in descending order, then osversion not specified
     2. language: language specified, then language not specified
     3. Position in the Bundle-NativeCode manifest header: lexical left to right.
  – The first clause of the sorted clauses from step 3 must be used as the selected native code clause.
• If a selected native code library cannot be found in the bundle's JAR file, then the bundle installation must fail.

Slide 36: Testing in OSGi
[Figure: a Director drives a Control Bundle, which drives a Test bundle on the Target]
• Test cases are delivered as bundles
• These bundles register a TestCase service which is picked up by the director
• These bundles contain one or more bundles that are downloaded to the target
• Sequencing is done from the control bundle
  – Can download helpers
• Testing is very similar to JUnit with asserts
  – Inherit from TestCaseControl and write methods that begin with test…

Slide 37: aQute
www.aQute.biz
+15126929173, [email protected]
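Worked example for the Permission Admin slides (15 to 18), added here and not part of the original deck: a management agent reads a permission file in the encoded form shown on slide 17 and assigns it to a bundle location before the bundle is installed, so the bundle never runs with the default permissions. The PermissionInstaller class, the comment-line convention and the sample file contents are assumptions.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import org.osgi.framework.Bundle;
import org.osgi.framework.BundleContext;
import org.osgi.framework.BundleException;
import org.osgi.framework.ServiceReference;
import org.osgi.service.permissionadmin.PermissionAdmin;
import org.osgi.service.permissionadmin.PermissionInfo;

/**
 * Management-agent helper (added example, not part of the original deck).
 * Reads a permission file in the (type "name" "actions") form of slide 17
 * and assigns it to a bundle location before the bundle is installed, so the
 * bundle never runs with the (usually wider) default permissions.
 * Java 1.4 style (no generics) to match the J2ME/CDC targets of the deck.
 */
public class PermissionInstaller {

    /** Constructed sample in the slide 17 format; not a real policy. */
    static final String SAMPLE_PERMISSION_FILE =
          "# comment lines and blank lines are skipped (assumed convention)\n"
        + "(org.osgi.framework.PackagePermission \"org.osgi.service.log\" \"import\")\n"
        + "(org.osgi.framework.ServicePermission \"org.osgi.service.log.LogService\" \"get\")\n";

    /**
     * Each line is already PermissionInfo's encoded form, so the
     * PermissionInfo(String) constructor parses it and throws
     * IllegalArgumentException on a malformed entry (the agent fails closed).
     */
    static PermissionInfo[] parse(String text) throws IOException {
        List infos = new ArrayList();
        BufferedReader in = new BufferedReader(new StringReader(text));
        for (String line = in.readLine(); line != null; line = in.readLine()) {
            line = line.trim();
            if (line.length() == 0 || line.startsWith("#"))
                continue;
            infos.add(new PermissionInfo(line));
        }
        return (PermissionInfo[]) infos.toArray(new PermissionInfo[infos.size()]);
    }

    /**
     * The location is the key (slide 15), so the permissions are stored first;
     * the change is immediate, and only then is the bundle installed from it.
     */
    static Bundle installWithPermissions(BundleContext ctx, String location,
            String permissionFile) throws IOException, BundleException {
        ServiceReference ref = ctx.getServiceReference(PermissionAdmin.class.getName());
        PermissionAdmin pa = ref == null ? null : (PermissionAdmin) ctx.getService(ref);
        if (pa == null)
            throw new BundleException("PermissionAdmin service not available");
        try {
            pa.setPermissions(location, parse(permissionFile));
            return ctx.installBundle(location);
        } finally {
            ctx.ungetService(ref);
        }
    }
}
```

The agent calls installWithPermissions(ctx, location, SAMPLE_PERMISSION_FILE) from its own bundle, which itself needs AdminPermission to install bundles.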
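Worked example for the Package Admin slides (20 to 22), added here and not the deck's or any framework's code: a management agent updates a bundle and, because packages are not refreshed automatically, uses ExportedPackage.isRemovalPending() to decide whether a refresh is needed and which importers it will restart. The class name and the update-from-stream flow are assumptions.

```java
import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;
import org.osgi.framework.Bundle;
import org.osgi.framework.BundleContext;
import org.osgi.framework.BundleException;
import org.osgi.framework.ServiceReference;
import org.osgi.service.packageadmin.ExportedPackage;
import org.osgi.service.packageadmin.PackageAdmin;

/** Management-agent update step (added example, not from the original deck).
 *  After Bundle.update() the old exports stay selected (slide 20), so importers
 *  keep running against the old classes until refreshPackages() is called. */
public class UpdateAndRefresh {

    /** True if any export of b still comes from an updated or uninstalled revision. */
    static boolean hasStaleExports(PackageAdmin pa, Bundle b) {
        ExportedPackage[] exports = pa.getExportedPackages(b);
        for (int i = 0; exports != null && i < exports.length; i++)
            if (exports[i].isRemovalPending())
                return true;
        return false;
    }

    /** Bundles wired to those stale exports: the ones a refresh will stop and restart. */
    static Bundle[] importersOfStaleExports(PackageAdmin pa, Bundle b) {
        List importers = new ArrayList();                // Java 1.4 style, no generics
        ExportedPackage[] exports = pa.getExportedPackages(b);
        for (int i = 0; exports != null && i < exports.length; i++) {
            if (!exports[i].isRemovalPending())
                continue;
            Bundle[] users = exports[i].getImportingBundles();
            for (int j = 0; users != null && j < users.length; j++)
                if (!importers.contains(users[j]))
                    importers.add(users[j]);
        }
        return (Bundle[]) importers.toArray(new Bundle[importers.size()]);
    }

    /** Updates b, then refreshes only if needed. refreshPackages() returns at once and
     *  finishes on its own thread; completion is signalled by a FrameworkEvent.PACKAGES_REFRESHED. */
    static Bundle[] update(BundleContext ctx, Bundle b, InputStream newJar) throws BundleException {
        ServiceReference ref = ctx.getServiceReference(PackageAdmin.class.getName());
        PackageAdmin pa = ref == null ? null : (PackageAdmin) ctx.getService(ref);
        if (pa == null)
            throw new BundleException("PackageAdmin service not available");
        try {
            b.update(newJar);
            Bundle[] affected = importersOfStaleExports(pa, b);   // for the agent's log
            if (hasStaleExports(pa, b))
                pa.refreshPackages(new Bundle[] { b });           // null would refresh every bundle
            return affected;
        } finally {
            ctx.ungetService(ref);
        }
    }
}
```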
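Worked example for the safe mode use of the Start Level Service (slides 23 and 24), added here and not part of the deck: trusted bundle locations get a low start level, everything else a higher one, and the agent enters safe mode by raising the Framework only to the trusted level. The level numbers, the trust list and the SafeMode class are assumptions.

```java
import org.osgi.framework.Bundle;
import org.osgi.framework.BundleContext;
import org.osgi.framework.BundleException;
import org.osgi.framework.ServiceReference;
import org.osgi.service.startlevel.StartLevel;

/**
 * Safe mode through the Start Level Service (added example, not the deck's code).
 * Assumed policy: the agent keeps a list of trusted bundle locations; trusted
 * bundles get level TRUSTED, all others level NORMAL. Raising the Framework only
 * to TRUSTED starts (or leaves running) nothing but the trusted set.
 */
public class SafeMode {
    static final int TRUSTED = 2;   // assumed levels; any pair with TRUSTED < NORMAL works
    static final int NORMAL  = 5;

    private final StartLevel startLevel;
    private final String[] trustedLocations;   // assumed trust list, e.g. from the agent's config

    SafeMode(StartLevel sl, String[] trusted) {
        startLevel = sl;
        trustedLocations = trusted;
    }

    boolean isTrusted(Bundle b) {
        for (int i = 0; i < trustedLocations.length; i++)
            if (trustedLocations[i].equals(b.getLocation()))
                return true;
        return false;
    }

    /**
     * Assign a level to every installed bundle. The level only controls *when* a
     * bundle is activated: it must still have been started (persistently) by the
     * agent, which StartLevel.isBundlePersistentlyStarted() reports.
     */
    void assignLevels(BundleContext ctx) {
        startLevel.setInitialBundleStartLevel(NORMAL);   // future installs are untrusted by default
        Bundle[] bundles = ctx.getBundles();
        for (int i = 0; i < bundles.length; i++) {
            if (bundles[i].getBundleId() == 0)
                continue;                                 // the system bundle has no start level
            startLevel.setBundleStartLevel(bundles[i], isTrusted(bundles[i]) ? TRUSTED : NORMAL);
        }
    }

    /** Safe mode: the Framework stops every bundle above TRUSTED, highest level first.
     *  setStartLevel() is asynchronous; a FrameworkEvent.STARTLEVEL_CHANGED follows. */
    void enterSafeMode() { startLevel.setStartLevel(TRUSTED); }
    void leaveSafeMode() { startLevel.setStartLevel(NORMAL); }

    static SafeMode create(BundleContext ctx, String[] trusted) throws BundleException {
        ServiceReference ref = ctx.getServiceReference(StartLevel.class.getName());
        StartLevel sl = ref == null ? null : (StartLevel) ctx.getService(ref);
        if (sl == null)
            throw new BundleException("StartLevel service not available");
        return new SafeMode(sl, trusted);
    }
}
```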
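Worked example serving both the stale references slide (27) and the synchronization slides (33 and 34), added here and not from the deck: a bundle-side holder for one LogService reference that nullifies the reference as soon as the service is unregistering and that never calls into another bundle while holding its own monitor. The LogHolder class and its single-service policy are assumptions; LogService is the standard OSGi log service.

```java
import org.osgi.framework.BundleContext;
import org.osgi.framework.InvalidSyntaxException;
import org.osgi.framework.ServiceEvent;
import org.osgi.framework.ServiceListener;
import org.osgi.framework.ServiceReference;
import org.osgi.service.log.LogService;

/** Holder for one LogService reference (added example, not from the deck):
 *  nullifies the reference when the service goes away (slide 27) and never
 *  calls into another bundle while holding its own monitor (slide 34). */
public class LogHolder implements ServiceListener {
    private final BundleContext ctx;
    private ServiceReference ref;   // guarded by this
    private LogService log;         // guarded by this
    LogHolder(BundleContext ctx) throws InvalidSyntaxException {
        this.ctx = ctx;
        // Listener first, lookup second: a service registered in between is not missed.
        ctx.addServiceListener(this, "(objectClass=" + LogService.class.getName() + ")");
        ServiceReference initial = ctx.getServiceReference(LogService.class.getName());
        if (initial != null) bind(initial);
    }

    private void bind(ServiceReference r) {
        LogService s = (LogService) ctx.getService(r);   // call-out, so outside the lock
        if (s == null) return;                           // unregistered meanwhile
        boolean kept;
        synchronized (this) {
            kept = (ref == null);
            if (kept) { ref = r; log = s; }
        }
        if (!kept) ctx.ungetService(r);                  // we already hold another one
    }

    public void serviceChanged(ServiceEvent e) {
        ServiceReference r = e.getServiceReference();
        if (e.getType() == ServiceEvent.REGISTERED) {
            bind(r);
        } else if (e.getType() == ServiceEvent.UNREGISTERING) {
            boolean mine;
            synchronized (this) {
                mine = r.equals(ref);
                if (mine) { ref = null; log = null; }    // drop it now, before it goes stale
            }
            if (mine) ctx.ungetService(r);               // call-out, outside the lock
        }
    }

    public void info(String msg) {                       // copy under the lock, call outside it
        LogService s;
        synchronized (this) { s = log; }
        if (s != null) s.log(LogService.LOG_INFO, msg);
    }

    public void close() {                                // called from the activator's stop()
        ctx.removeServiceListener(this);
        ServiceReference r;
        synchronized (this) { r = ref; ref = null; log = null; }
        if (r != null) ctx.ungetService(r);
    }
}
```

Because no call into the log bundle happens inside synchronized(this), a log implementation that calls back into this bundle cannot deadlock against the holder's monitor.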
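Worked example for the Native Code Algorithm of slide 35, added here and not the deck's or any framework's code: the three steps (filter, fail if nothing matches, sort by osversion, language and header position) applied to clauses parsed from Bundle-NativeCode. The Clause class, the dotted-integer version compare and the reading of "~=" as a case-insensitive match (the specification's alias tables are left out) are assumptions.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.Comparator;
import java.util.List;
import org.osgi.framework.BundleException;

/** Clause selection from slide 35 (added example, not the deck's or any framework's
 *  code). A Clause is one entry of Bundle-NativeCode; a null field means "not
 *  specified". Assumptions: "~=" is a case-insensitive compare (the spec's alias
 *  tables are omitted) and versions are dotted integers such as "5.1". */
public class NativeCodeSelector {
    static class Clause {
        final int position;                         // lexical position in the header
        final String osname, processor, osversion, language;
        Clause(int pos, String os, String cpu, String ver, String lang) {
            position = pos; osname = os; processor = cpu; osversion = ver; language = lang;
        }
    }
    static boolean approx(String a, String b) { return a != null && a.equalsIgnoreCase(b); }

    /** Numeric compare of "1.2.3"-style strings: negative if a < b, 0 if equal. */
    static int compareVersion(String a, String b) {
        String[] x = a.split("\\."), y = b.split("\\.");
        for (int i = 0; i < Math.max(x.length, y.length); i++) {
            int p = i < x.length ? Integer.parseInt(x[i]) : 0;
            int q = i < y.length ? Integer.parseInt(y[i]) : 0;
            if (p != q) return p < q ? -1 : 1;
        }
        return 0;
    }

    /** Step 1 filters, step 2 fails closed, step 3 sorts; the first clause wins. */
    static Clause select(List clauses, String os, String cpu, String osVer, String lang)
            throws BundleException {
        List selected = new ArrayList();            // Java 1.4 style, no generics
        for (int i = 0; i < clauses.size(); i++) {
            Clause c = (Clause) clauses.get(i);
            if (approx(c.osname, os) && approx(c.processor, cpu)
                    && (c.osversion == null || compareVersion(c.osversion, osVer) <= 0)
                    && (c.language == null || approx(c.language, lang)))
                selected.add(c);
        }
        if (selected.isEmpty())
            throw new BundleException("no matching Bundle-NativeCode clause");
        Collections.sort(selected, new Comparator() {
            public int compare(Object o1, Object o2) {
                Clause a = (Clause) o1, b = (Clause) o2;
                // 3.1 osversion descending, unspecified last
                if ((a.osversion == null) != (b.osversion == null)) return a.osversion == null ? 1 : -1;
                if (a.osversion != null && compareVersion(a.osversion, b.osversion) != 0)
                    return compareVersion(b.osversion, a.osversion);
                // 3.2 language specified before unspecified
                if ((a.language == null) != (b.language == null)) return a.language == null ? 1 : -1;
                // 3.3 header position, left to right
                return a.position - b.position;
            }
        });
        return (Clause) selected.get(0);
    }
}
```

The framework properties org.osgi.framework.os.name, org.osgi.framework.processor, org.osgi.framework.os.version and org.osgi.framework.language from slide 35 are the four values passed to select().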