Download 2004-03-Tutorial-6-Inside OSGi

aQute
Inside OSGi
By Peter Kriens
CEO aQute
OSGi Technology Officer and
OSGi Fellow
Contents
©1999-2004 aQute, All Rights Reserved slide #2
Framework Architecture
Package
Permission
Service
Permission
Admin
Permission
<<interface>>
Service
Fact ory
optionally
implements
java.security.
Permission
<<interface>>
Bundle
Acti vator
0,1
start/stop
bundle
0..n
security
permissions
im plem ent ation
code of bundle
1
registers service
0..n
uses service
1..n
0..n
0..n service controller
im pl
1
manages
1
fram ework
impl
1
<<interface>>
Service
Reference
<<interface>>
1 Bundl e
Context
1
associated
with
1
bundle events
1
Bundle
Event
<<interface>>
Synchronous
Bundl eLi stener
1
1
1
service events
associated
with
framework events
Framework
Ev ent
0..n
<<int erface>>
Bundle
Listener
1 implemented by
1
used
through
used
through
<<interface>>
Constant s
owned by 1 <<interface>>
Service
Registrati on
represented by
represented by
1
<<interface>>
Bundl e
java.lang.
Throwable
1
1 1
bundle controller
1 impl
1
java.lang.Object
service impl.
1
0..n
<<interface>>
Framework
Listener
1
ServiceEvent
0..n
<<interface>>
Service
Listener
0,1
©1999-2004 aQute, All Rights Reserved slide #3
Bundle
Excepti on
Invali dSyntax
Exception
<<interface>>
Filter
Classloading
•
•
•
Standard Java loads all classes from
a global CLASSPATH and class
loaders
CLASSPATH consists of many entities
–
–
–
Actual class loading is uncontrolled
and fails too often
–
–
–
–
•
•
Jar Files
Directories
Other sources via a classloader
A
B
C
ClassNotFoundException
NoClassDefFoundError
ClassCastException
Shadowing: Wrong version
Complex!
It would be nice if this was more
controlled …
©1999-2004 aQute, All Rights Reserved slide #4
Execution
Environment
CDC
CDC
OSGi Modules
•
•
•
•
•
•
•
•
OSGi adds a powerful module system to
Java
Allows isolated modules to co-exist in
single VM
Does not use the global CLASSPATH, but
allows fine grained control of package
sharing
Modules specify constraints through
Manifest Header in their JAR
Module dependencies are controlled and
checked
Fine grained PackagePermission
(optional)
Non-Intrusive, works with existing code.
Only Manifest headers required
Bundles automatically activated when
first used
A
©1999-2004 aQute, All Rights Reserved slide #5
B
C
MODULE
Execution
Environment
CDC
CDC
OSGi Modules
• Prevents ClassCastExceptions
when multiple bundles share
objects with Import- and ExportPackage clauses
• Dependency on other bundles
can be expressed with RequireBundle
– A cannot work without B
– Multiple versions: A must work with
B 1.2 and C must work with B 1.4
A
• Extending Packages with extra
content (Fragments)
– Internationalization
– Private classes (when statics are
(mis)used)
©1999-2004 aQute, All Rights Reserved slide #6
B
C
MODULE
Execution
Environment
CDC
CDC
Problem
• Reboot is required for
configuration changes
– Boot time
– Disruption in service
• Server is in a remote
location and needs to be
managed over the network
A
• It should be possible
manage the set of bundles
in the VM without
rebooting
©1999-2004 aQute, All Rights Reserved slide #7
B
C
MODULE
Execution
Environment
CDC
CDC
OSGi Life-Cycle
• The OSGi Life-Cycle support
allows bundles to be:
–
–
–
–
–
LIFE-CYCLE
Installed
Started
Stopped
Updated
Uninstalled
• Life cycle operations are
persistent
• Full API for management
• Easy to manage remotely
because of management agent
concept
• AdminPermission and
BundlePermission for security
• Fully Evented
A
©1999-2004 aQute, All Rights Reserved slide #8
B
C
MODULE
Execution
Environment
CDC
CDC
D
Problem
• Bundles need to
collaborate
LIFE-CYCLE
• Discover potential partners
• Find applicable objects that
can be used in the
collaboration
A
• Handle the coming and
going of bundles
©1999-2004 aQute, All Rights Reserved slide #9
B
C
MODULE
Execution
Environment
CDC
CDC
D
OSGi Service Registry
• Service Registry is a dynamic
registry of service objects
LIFE-CYCLE
• Adds strict decoupling between
bundles
SERVICE-REGISTRY
• Manages life-cycle dependencies
• Fully Evented
A
B
C
• Dynamic discovery
• Implements many important
software patterns
• Fine grained security model with
ServicePermission (optional)
©1999-2004 aQute, All Rights Reserved slide #10
MODULE
Execution
Environment
CDC
CDC
D
OSGi Service Platform
SERVICE-REGISTRY
LIFE-CYCLE
MODULE
Execution
Environment
CDC
CDC
L3 - Decouples bundles so that the
deployer can mix and match
configurations
L2 - Manages bundles life-cycles in a VM
without requiring reboots
L1 - Creates the concept of bundles that
use classes from each other in a
controlled way according to system and
bundle constraints
L0 •CDC
•CLDC
•OSGi/Minium
©1999-2004 aQute, All Rights Reserved slide #11
Java 2 Security Primer
implies(p)
• Java 2 security provides a
flexible and comprehensive
model for security
call foo()
• Permission subclasses hide the
semantics of the permission type
–
–
–
–
FilePermission
SocketPermission
ServicePermission
…
{…}
Protection
Domain
Permissions
Permission
{…}
Protection
Domain
Permissions
Permission
implies(p)
checkPermission(p)
• Code is associated with a set of
permissions
• The SecurityManager checks a
permission by creating a
permission
implies(p)
Access
Access
Control
Control
Context
Context
Security
Manager
Access
Controller
implies(p)
©1999-2004 aQute, All Rights Reserved slide #12
Permissions
• Permission associated with code
– …
– FilePermission(“/tmp/-”, “read,write”);
– …
• Check
– void open(String path) {
…
SecurityManager.checkPermission(
new FilePermission(path,”read”) );
…
}
©1999-2004 aQute, All Rights Reserved slide #13
Changing the context
• Normally all classes on the call
stack are evaluated and must
return true
• Sometimes a method wants to
run with only its own
permissions
• This is possible with a
doPrivileged method on the
Access Control context
• This places a marker on the
stack to indicate the search
should stop
• Can also be used to run code
with the context of another
protection domain
...normal code here...
String user = (String) AccessController.doPrivileged(
new PrivilegedAction() {
public Object run() {
return System.getProperty("user.name");
}
}
);
...normal code here...
©1999-2004 aQute, All Rights Reserved slide #14
Issues with Java 2 Security
• Checking permissions is heavy
• Impossible to cache results of a check due to
polymorphistic model
– The result of an implies can change at any time
• Too flexible
– Every class can have its own protection domain
• The doPrivileged model is expensive due to too
many class creations
• Complex!
©1999-2004 aQute, All Rights Reserved slide #15
Permission Admin
• Permissions are managed
through Permission Admin
• Permissions are stored in
PermissionInfo objects
• Permission Admin is used by
Management Agents to store the
PermissionInfo objects
• The location is the key to the
PermissionInfo objects
– Allows permissions to be set before
download
• Changes in permissions are
immediate
©1999-2004 aQute, All Rights Reserved slide #16
Management
Agent
PermissionAdmin
PermissionInfo
Framework
location
Bundle
Permission Admin
<<interface>>
Permission
Admin
Permissi on
0..n Info[]
1
1
bundle location
constructs
1
java.secur ity.
Perm ission
©1999-2004 aQute, All Rights Reserved slide #17
Permission Admin API
PermissionInfo[] getDefaultPermissions()
Gets the default permissions.
java.lang.String[] getLocations()
Returns the bundle locations that have
permissions assigned to them, that is, bundle
locations for which an entry exists in the
permission table.
PermissionInfo[] getPermissions(java.lang.String
location)
Gets the permissions assigned to the bundle
with the specified location.
void setDefaultPermissions(PermissionInfo[]
permissions)
Sets the default permissions.
void setPermissions(java.lang.String location,
PermissionInfo[] permissions)
Assigns the specified permissions to the
bundle with the specified location.
PermissionInfo(java.lang.String encodedPermission)
Constructs a PermissionInfo object from the
given encoded PermissionInfo string.
PermissionInfo(java.lang.String type,
java.lang.String name, java.lang.String actions)
Constructs a PermissionInfo from the given
parameters
Permission File
(org.osgi.framework.PackagePermission "org.osgi.test.cases.*"
"import")
(org.osgi.framework.ServicePermission
"org.osgi.test.cases.lifecycle.servicereferencegetter.ServiceRefere
nceGetter" "register,get")
(org.osgi.framework.ServicePermission "org.osgi.test.*" "get")
(org.osgi.framework.ServicePermission "org.osgi.framework.*"
"get,register")
(org.osgi.framework.ServicePermission
"org.osgi.test.cases.lifecycle.servicereferencegetter.*"
"get,register")
©1999-2004 aQute, All Rights Reserved slide #18
Permissions
• OSGi introduces a number of specific permissions
• AdminPermission
– Coarse permissions used to prevent administrative APIs
– Has no parameters
• PackagePermission
– Allows a bundle to import and/or export a package
– PackagePermission(“org.osgi.service.log”, “import,export”);
• ServicePermission
– Allows a bundle to register and get a service
– ServicePermission(“org.osgi.service.log.LogService”,”get”)
©1999-2004 aQute, All Rights Reserved slide #19
OSGi Security
• Framework callbacks are always done with only
the Framework access control context on the stack
• Application code should assume that they have
only their own security permissions to take care of
• This is a potential access point into code so
programmers should be aware of this
• If this was not done, then for most code the
programmer would have to run in privileged code
requiring the programmer to create
PrivilegedAction objects
©1999-2004 aQute, All Rights Reserved slide #20
Package Admin
•
•
•
The Framework selects the exported
packages autonomously
Packages, once selected remain
available forever
After an update or new install, the
packages need to be refreshed
–
•
•
Management
Agent
PermissionAdmin
Packages are not automatically refreshed
The PackageAdmin service provides
access to functions to refresh and
introspect the state of the system
The Package Admin is used by the
management agent to manage the
packages
Framework
p1
p2
p3
Bundle
A
©1999-2004 aQute, All Rights Reserved slide #21
Bundle
C
Bundle
B
PackageAdmin
<<interface>>
PackageAdmin 1
provides
name
<<int erface>>
0..n Export ed
Package
0..n
0..n
exported by
imported by
1
0..n
<<int erface>>
Bundle
©1999-2004 aQute, All Rights Reserved slide #22
Package Admin
•
•
getExportedPackage and
getExportedPackages return
ExportedPackages which supply
state information
refreshPackages can refresh a set of
bundles. A null parameter refreshes
all
ExportedPackage getExportedPackage(java.lang.String
name)
Gets the ExportedPackage object with the
specified package name.
Bundle getExportingBundle()
Returns the bundle exporting the package
associated with this ExportedPackage object.
Bundle[] getImportingBundles()
Returns the resolved bundles that are
currently importing the package associated with
this ExportedPackage object.
java.lang.String getName()
Returns the name of the package associated
with this ExportedPackage object.
java.lang.String getSpecificationVersion()
Returns the specification version of this
ExportedPackage, as specified in the exporting
bundle's manifest file.
boolean isRemovalPending()
Returns true if the package associated with
this ExportedPackage object has been exported by
a bundle that has been updated or uninstalled.
ExportedPackage[] getExportedPackages(Bundle bundle)
Gets the packages exported by the specified
bundle.
void refreshPackages(Bundle[] bundles)
Forces the update (replacement) or removal of
packages exported by the specified bundles.
©1999-2004 aQute, All Rights Reserved slide #23
Start Level Service
• The Start Level Service provides the following functions:
–
–
–
–
Controls the beginning start level of the OSGi Framework.
Is used to modify the active start level of the Framework.
Can be used to assign a specific start level to a bundle.
Can set the initial start level for newly installed bundles.
• Start Level service can be used for
– Safe mode – The Management Agent can implement a safe mode. Only fully
trusted bundles are started.
– Splash screen – If the total startup time is long, it might be desirable to
show a splash screen during initialization to improve the user experience
– Handling erratic bundles – Problems can occur because bundles require
services to be available when they get activated (this is a programming
error). By controlling the start order, the Management Agent can prevent
these problems.
– High priority bundles – Certain tasks such as metering need to run as
quickly as possible and cannot have a long startup delay. These bundles can
be started first
©1999-2004 aQute, All Rights Reserved slide #24
Start Level Service
a management
bundle impl.
an event listener
impl.
0..*
start level
changed
gets
0..*
<<interface>>
StartLevel
Fram ework
Event
<<inter face>>
Framework
List ener
0..*
Framework
Implementation
a Framework im pl.
1
©1999-2004 aQute, All Rights Reserved slide #25
is notified by
Bundle Environments
• Bundle Environment – A well defined format with
handling rules for defining the classes and methods
that a bundle can rely on.
• Machine Processable – It should be easy to process
the specification with tools to verify bundles and
Service Platforms.
• Standards – It should be based on standards as
much as possible. It must be compatible with J2ME
©1999-2004 aQute, All Rights Reserved slide #26
Bundle Environments
• Published as JAR files
– Can be downloaded from www.osgi.org
• Minimum Execution Environment
– Is used for test cases and reference implementation
– Is a proper subset of J2ME Foundation and J2SE
– Significantly smaller than Foundation but allows for class
loaders
• Foundation
– Based on J2ME Foundation 1.0
– Submitted by SUN
©1999-2004 aQute, All Rights Reserved slide #27
Stale References
• OSGi is pure Java and therefore
misses the possibility to do a full
cleanup
• Stale references are object
references to “dead” objects
Bundle
A
– Service unregistered
– Bundle stopped/uninstalled
• Stale references cause class
loaders to hang around
• Restarting a bundle will recreate
the class loader, this solves most
problems and can be done by
the Management Agent
• No support from VMs
– Nullify references
©1999-2004 aQute, All Rights Reserved slide #28
Stale
Reference
Bundle
B
Threads
• Threads are Java’s weak spot
– They cannot be stopped
• The management agent must be aware of the threads that
hang and manage the system accordingly, rebooting if
necessary
• JSR 121 Isolation API is interesting in this aspect but is
currently not compatible with OSGi
– May be useful in an environment where applications are separated
from system software
• A highly secure system would assign a separate thread to
each bundle with its own thread group
– Footprint issues
– Careful with callbacks
©1999-2004 aQute, All Rights Reserved slide #29
Performance Issues
• The OSGi has very little overhead
– Most actions occur rarely
– Straightforward implementations are possible
• Initialization is usually the killer
– Most bundle programmers do not understand that 1 second
per bundle is an extra minute boot time for a system with 60
bundles
– Name lookups and network access in the bundle activator will
kill a product
– Use lazy initialization whenever possible to spread the
initialization out over time
• Use initialization time budgets
©1999-2004 aQute, All Rights Reserved slide #30
Performance Issues: Class
loading
• Class loading is a major
performance hog
• OSGi provides faster class
loading because it has a
(hash) table linking the
class loaders
package.1
package.2
package.3
– Modularity
– Standard Java uses a linear class
path that must be searched (or
indexed)
– OSGi headers provide this
information without effort
©1999-2004 aQute, All Rights Reserved slide #31
package.1
package.2
package.3
package.1
package.2
package.3
Performance Issues
• Registry must be designed to handle thousands of services
– This is an explicit assumption to allow simple designs
• Integrate as early as possible, many problems do not show
until the system is run in its intended configuration
• Reason about the system, not just the components
• Measure before optimize …
• Links
– http://www-106.ibm.com/developerworks/library/jjtp03253.html?ca=dnt-412
– “Java 2 Performance and Idiom Guide”, by Craig Larman, Rhett
Guthrie
©1999-2004 aQute, All Rights Reserved slide #32
Footprint Issues
• Typically OSGi footprint is
– ~ 200K JAR file uncompressed
– ~ 50K + ~10K per bundle dynamic memory
– Persistent size depends on the size of the bundles
• Class loaders are expensive!
– Minimize started bundles
– Stop bundles no longer needed
• Assure that the framework aggressively collects unnecessary memory
• Verify that native code is cleaned up well by the VM!
• OSGi allows sharing of packages
– Use it!
– It is possible to use tools to reduce duplicated code (at the expense of more
dependencies)
• The OSGi architecture allows aggressive use of optimization techniques
due to its event model
©1999-2004 aQute, All Rights Reserved slide #33
Synchronization
• Java monitors are heavily
abused in Java
– Lack of timeout makes deadlocks
infinite
• Monitors are intended to guard
java structures, calling of other
code in a monitor is bad practice
– Correct usage of monitors looks
pretty bad in code
– No time
• Use higher level constructs
instead
– Semaphores
– Locks
– See JSR 166 for a current proposal
©1999-2004 aQute, All Rights Reserved slide #34
Synchronization
• An OSGi system is extremely sensitive to bad
synchronization calls
– Callbacks through multiple bundles
• Frameworks and system code (code calling other
bundles) should be written not to hold locks in
callbacks
• Locks are
©1999-2004 aQute, All Rights Reserved slide #35
Native Code Algorithm
•
•
Native Code Algorithm much improved in R4
The Framework must select the native code clause selected by the following
algorithm:
1. Select only the native code clauses for which the following expressions all evaluate to true.
• osname
~= [org.osgi.framework.os.name]
• processor
~= [org.osgi.framework.processor]
• osversion
<= [org.osgi.framework.os.version] or osversion is not specified
• language
~= [org.osgi.framework.language] or language is not specified
2. If no native clauses were selected in step 1, a BundleException is thrown, terminating this
algorithm.
3. The selected clauses are now sorted in the following priority order:
1. osversion:
osversion in descending order, osversion not specified
2. language: language specified, language not specified
3. Position in the Bundle-NativeCode manifest header: lexical left to right.
– The first clause of the sorted clauses from step 3 must be used as the selected native code
clause.
•
If a selected native code library cannot be found in the bundle's JAR file,
Then the bundle installation must fail.
©1999-2004 aQute, All Rights Reserved slide #36
Testing in OSGi
• Test cases are delivered as
bundles
• These bundles register a
TestCase service which is picked
up by the director
• These bundles contain one or
more bundles that are
downloaded to the target
• Sequencing is done from the
control bundle
– Can download helpers
• Testing is very similar to JUNIT
with asserts
Test
bundle
Director
Control
Bundle
Target
– Inherit from TestCaseControl and
write methods that begin with test…
©1999-2004 aQute, All Rights Reserved slide #37
aQute
www.aQute.biz
+15126929173,
[email protected]
©1999-2004 aQute, All Rights Reserved slide #38