The idea behind this project is to completely replace currently used configuration approach, which is based on several shell scripts, and to provide ability to change system behaviour basing on set of well-defined parameters' hierarchy. One of the goals is also to provide an object oriented model of the OS management and structure, instead of currently used (inconsistent) procedural model of system/service startup/shutdown.
This project involves such issues as:
This is work in progress - I'm aware that many pieces are either completely missing or misplaced. Please send any comments and changes you seem appropriate either directly to me, or better to email@example.com. I'll gladly welcome anyone who can help with design and/or implementation.
Let's first introduce the following terms:
One possible approach to storing the management data is to use already existing framework known as MIB, as defined in applicable RFCs.
This approach has several advantages: it represents well thought-out work of many experienced individuals and teams, it has already proven to be useful, it's widely used and accepted, it's easily extensible, it's able to represent quite complicated objects, etc.
It has some drawbacks, as well: e.g. there is no standard mechanism for representing events and indirectly related objects, it tends to create deep and narrow trees which require to descent several levels to change some commonly used parameters, it doesn't say anything about the mutual dependencies between objects and parameters (except parent-child-sibling), and about required sequence to properly set their parameters, etc.
These issues are not directly addressed in standards, and real implementations (known to me) have to implement these additional mechanisms "behind the scenes", so that their workings are not obvious nor easily accessible (let alone changeable).
So, if we decide to use it, we need to address these issues somehow. The next point presents one possible approach to this dilemma.
The term "object" used in the following discussion represents a functional subsystem, such as system service, usually performed by some specific process (or, a set of global system parameters, in which case the system monitor agent is the service itself).
Each object represented in management base can be characterized by following properties:
A few words on system startup: the system startup routines should ensure that dependencies can be unwound into linear, ordered list. If it's not possible, they should detect possible deadlocks at runtime, and act as an arbiter between conflicting parties (or signal an error). In case of unsatisfied dependency on some missing subsystem, the system monitor will act appropriately as described below (in paragraph on request handling).
The set of symbolic states may consist of the following states, depicting object's current internal state (as described by its FSM):
|INIT||the subsystem is initializing itself, possibly loading necessary data and binaries from permanent storage.|
|CHECK||performing consistency check on newly supplied parameter values|
|READY||ready to start performing its primary function, but not started|
|START||start-up tasks (related to its primary function, as opposed to INIT which is related to its own initialization)|
|STOP||stop (shutdown) tasks (when the object intends to stop performing its function). This can involve unloading data and binaries from main memory.|
|RUN||primary (work) phase|
|IDLE||waiting for some external event to happen|
|BUSY||the subsystem is busy (either with performing some high-priority task, or just simply hung), and cannot be interrupted without complete restart,|
|ERROR||this object is either improperly configured, or malfunctioning|
The set of possible actions may include the following actions:
|LIST_EV_REQ||get list of events the subsystem can generate|
|LIST_ACT_REQ||get list of actions the subsystem can respond to|
|GET_DEF_REQ||get definition of given parameter (the arguments, and valid ranges)|
|SET_REQ||set given parameter to given value (this value will be used only after COMMIT_REQ)|
|GET_REQ||get currently used value of given parameter|
|COMMIT_REQ||commit changes supplied in last transaction to currently used set of parameters|
|ROLLBACK_REQ||revert last commit|
|INIT_REQ||perform initialization tasks|
|START_REQ||start performing primary function|
|STOP_REQ||stop performing primary function|
|RESTART_REQ||restart operation, possibly forcefully|
|NOTIFY_REQ||notify me of any changes in your state|
|CHECK_REQ||perform self-consistency check|
|UPGRADE_REQ||upgrade the subsystem - this possibly involves downloading necessary pieces via network to permanent storage area. The upgrade process should be transactional, and should save the older version of the subsystem in case the DOWNGRADE_REQ should be issued.|
|DOWNGRADE_REQ||downgrade the subsystem - restore the previous version of the subsystem from the copy on permanent storage.|
|UNINSTALL_REQ||uninstall the subsystem completely - possibly freeing the space on permanent storage.|
(Each request includes source service identifier and credentials of the sender)
The set of events which can be generated by subsystems may include the following:
|EV_ACK||positive acknowledge of the last operation|
|EV_NACK||negative acknowledge of the last operation|
|EV_CHANGE||change notification (includes the name of changed parameter, and/or FSM state change)|
|EV_DEP||signal the dependency on another subsystem - ask for existence of the service. Probably there should be two types of the dependency: a soft one (where the subsystem can still function even if the dependency is unresolved) and a hard one (when the existence and proper functioning of the other subsystem is mandatory for its function).|
One of event attributes can be a flag which says that this particular event is a directed, or broadcast message. In case of directed message, it should be forwarded only to interested parties. Broadcast message is sent to all subsystems.
System monitor agent will process these events and route them to appropriate subsystems which are registered with it. Generally, if some subsystem is dependent on some other, it will want to also receive all events generated by the other subsystem.
In case the subsystem is missing, and the system monitor received events signalling that some other subsystem is depending on it, the system monitor should arrange either for installing necessary pieces from some media (be it permanent storage, or the network), or to send an EV_NACK to the requesting subsystem. It's the responsibility of the requesting subsystem to deal with such case appropriately to the type of dependency (i.e. either "hard" or "soft").
Ideally, the system monitor agent will be equipped with routines to serialize the management data into human-readable form, so that it's easily stored, backed up, and repaired in case of inconsistencies.
Actual user interface is still quite another story: I've seen UIs which merely followed the standard MIBs, and menus were composed of actual OID numbers plus DESCRIPTION field. In my experience, they are (barely) acceptable, though due to the usual width and depth of MIB trees you had to traverse several levels down and up in order to change some (protocol-wise) related parameters.
More acceptable UI would collect interrelated items under common menu entries, irrespectibly of their actual position in the MIB tree.
A worthwhile goal to pursue is to create such an UI which could guide you through the most common configuration tasks, while at the same time allowing for unrestricted and quick use by power users. This can be done either as a set of configuration "wizards" or extensive hinting, command completion, etc.
The management database should be easily exportable via standard protocols, such as SNMP or LDAP.
Most known to me (if not all) implementations of agents for these protocols are (contrary to their name) quite heavy-weight - so their use should be either optional, or replaced with some other light-weight protocol and a proxy agent running on other machine. One example of such proxy agent is existing UCD-SNMP implementation which in significant part follows the sysctl(3) tree, merely exporting it as a part of the MIB trees.
It's worthwhile to consider also use of other protocols such as DHCP (and BOOTP), Service Location Protocol (SLP - RFC2165) for easy integration with LAN resources, easy initial configuration, and peer discovery.
All operations performed by system monitor agent should be transactional, i.e. it should be possible to commit a set of changes as one logical entity, and be sure that either it's applied in whole, or not at all. This includes also ability to abort processing in the middle.
This probably means that each object (subsystem) should be able to store not only its current configuration data, but also the newly supplied config data that are to be applied after the transaction ends successfuly.
Operations should be verified against allowed values, as well as against allowed credentials, and basing on this either committed or aborted.
A few notes on possible implementation of system monitor:
This probably means also that some libc routines would have to be replaced, because they assume reading configuration from certain disk files.
Since each such subsystem needs to implement some common actions such as installing, deinstalling, start/stop etc, we could use already present system of packages (with some minor modifications) to easily achieve part of the goals (i.e. install/deinstall/upgrade/downgrade/stop/start).
NOTE: this is one possible approach - a centralized one. It's worth to consider other approach, distributed, in which case each object (subsystem) sends and listens to the data at a meeting point specific to each other object. This eliminates (or drastically minimizes) the role of system monitor which is a single point of failure in centralized case.
Here is my initial proposal for the User Interface hierarchy:
Please send your comments to Andrzej Bialecki
Last modified: Wed Nov 25 07:01:32 PST 1998