notes-computer-systems-greenField

OS

• Plan 9 and Inferno
  • many famous ppl associated with Unix and C were involved at some point or another, including Rob Pike, Ken Thompson, Dennis Ritchie, Brian Kernighan, Bjarne Stroustrup. It is also associated with the somewhat popular language Go (golang), in that Rob Pike who worked a lot on Plan 9 and Inferno is one of the principal designers of Go, and Go shares some similarities with Limbo, a language which Pike also worked on which was developed for Inferno (and both Go and Limbo share some similarities with other related languages developed for Plan 9 and Inferno projects).
  • Plan 9 syscall intro: http://man.cat-v.org/plan_9/2/intro
  • 9P protocol intro: http://man.cat-v.org/plan_9/5/intro
    • 9P protocol fileserver example: http://debu.gs/entries/inferno-part-3-let-s-make-a-filesystem
  • http://plan9.bell-labs.com/wiki/plan9/faq/index.html (also mentions Inferno)
  • http://debu.gs/tags/inferno
  • plan 9 or inferno? despite inferno being later than plan 9 and being apparently easier to run within Linux or Windows (see http://debu.gs/entries/plan-9-and-inferno ), plan 9 seems to have more momentum. Compare https://www.google.com/search?q=ec2+inferno with https://www.google.com/search?q=ec2+"plan+9" .
  • some shortcomings of/ideas to improve Inferno: http://code.google.com/p/inferno-npe/wiki/FutureWork
    • inferno has release notes for changes in each 'edition': http://doc.cat-v.org/inferno/4th_edition/release_notes/changes
  • inferno vs. erlang: https://www.linkedin.com/groups/Erlang-is-about-change-cloud-60972.S.225859663 "Some time ago I tried to figure out why Google didn't start from taking over Vita Nuova to make Dis the platform for cloud-savvy Go implementations. I used to implement big distributed systems with Inferno years ago, and I have to confess that I prefer Erlang and functional programming which allow to code much faster and cleaner, but Inferno is still the great system. That will be a pity if it dies. In Erlang On Xen we also use some concepts which were introduced in Plan9 (9p protocol particularly), they work perfectly. " -- Viktor Sovietov, Founder at Cloudozer LLP
• https://en.wikipedia.org/wiki/Lisp_Machine
• /home/bshanks/Dropbox/website/notes/computer/systems/greenField.txt

"To be a viable computer system, one must honor a huge list of large, and often changing, standards: TCP/IP, HTTP, HTML, XML, CORBA, Unicode, POSIX, NFS, SMB, MIME, POP, IMAP, X, ... A huge amount of work, but if you don’t honor the standards you’re marginalized. Estimate that 90-95% of the work in Plan 9 was directly or indirectly to honor externally imposed standards." -- http://herpolhode.com/rob/utah2000.pdf (Rob Pike talk)

MS singularity:

• Singularity
• https://codingkaiser.blog/2021/07/23/operating-systems-are-more-exciting-than-you-think/
• https://www.microsoft.com/en-us/research/publication/singularity-rethinking-the-software-stack/?from=http%3A%2F%2Fresearch.microsoft.com%2Fpubs%2F69431%2Fosr2007_rethinkingsoftwarestack.pdf https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/osr2007_rethinkingsoftwarestack.pdf

Plan 9 notes:

syscalls from http://man.cat-v.org/plan_9/2/intro :

bind open read dup fork seek stat remove fd2path getwd pipe exec chdir segattach exits wait sleep notify lock errstr

• bind: mount
• pipe "creates a connected pair of file descriptors, useful for bidirectional local communication."
• segattach: attach other memory segments
• exits: exit/halt/terminate
• wait: "A parent process may call wait(2) to wait for some child to terminate."
• notify: "There is a notification mechanism for telling a process about events such as address faults, floating point faults, and messages from other processes. A process uses notify(2) to register the function to be called (the notification handler) when such events occur."

9P protocol messages from http://man.cat-v.org/plan_9/5/intro :

version auth error flush attach walk open create read write clunk remove stat wstat

version auth error flush clunk are protocol metastuff (flush aborts a transaction, clunk deallocates a file descriptor), leaving:

• attach: open a server's 'filetree'; like mount, i guess
• walk: like cd (but speculative/pure function)
• open create read write remove stat: what you think
• wstat: change file properties (so stat is read, wstat is write)

ddevault on Jan 28, 2018 [-]

The kernel is simple and sanely designed and interfacing with it is done through the filesystem in, again, a very simple and sane way. Your displays are configured by a simple <10 line shell script at boot time that writes plaintext to a device file, rather than a gargantuan graphics stack that's controlled with binary device files and ioctls. Filesystem namespaces are lovely, and make the filesystem cleanly organized and customized to the logged in user's needs and desires. I have a little script that clears my current terminal window: `echo -n "" > /dev/text`. The libc is small and focused (non-POSIX), and there are only a handful of syscalls. The process model is really sane and straightforward as well. Playing an mp3 file is `mp3dec < file.mp3 > /dev/audio`.

To open a TCP connection, you use the dial(3) function, which basically does the following: write "tcp!name!port" to /net/cs and read out "1.2.3.4!80" (/net/cs resolves the name), then you write "connect 1.2.3.4" to /net/tcp/clone and read out a connection ID, and open /net/tcp/:id/data which is now a full-duplex TCP stream.

There's this emphasis on simple, sane ways of fulfilling tasks on plan9 that permeates the whole system. It's beautiful.

https://thedorkweb.substack.com/p/a-week-with-plan-9

https://lwn.net/SubscriberLink/718267/206c8a5fbf0ee2ea/ https://news.ycombinator.com/item?id=14002386

" Fuchsia: a new operating system

Nur Hussein

Fuchsia is a new operating system being built more or less from scratch at Google. ... At the heart of Fuchsia is the Magenta microkernel... LK, the kernel that Magenta builds upon, was created by Fuchsia developer Travis Geiselbrecht before he joined Google. LK's goal is to be a small kernel that runs on resource-constrained tiny embedded systems (in the same vein as FreeRTOS? or ThreadX?). Magenta, on the other hand, targets more sophisticated hardware (a 64-bit CPU with a memory-management unit is required to run it), and thus expands upon LK's limited features. Magenta uses LK's "inner constructs", which is comprised of threads, mutexes, timers, events (signals), wait queues, semaphores, and a virtual memory manager (VMM). For Magenta, LK's VMM has been substantially improved upon.

One of the key design features of Magenta is the use of capabilities....Capabilities are implemented in Magenta by the use of constructs called handles....Almost all system calls require that a handle be passed to them. Handles have rights associated with them... The rights that can be granted to a handle are for reading or writing to the associated kernel object or, in the case of a virtual memory object, whether or not it can be mapped as executable....Since memory is treated as a resource that is accessed via kernel objects, processes gain use of memory via handles. Creating a process in Fuchsia means a creator process (such as a shell) must do the work of creating virtual memory objects manually for the child process. This is different from traditional Unix-like kernels such as Linux, where the kernel does the bulk of the virtual memory setup for processes automatically. Magenta's virtual memory objects can map memory in any number of ways, and a lot of flexibility is given to processes to do so. One can even imagine a scenario where memory isn't mapped at all, but can still be read or written to via its handle like a file descriptor. While this setup allows for all kinds of creative uses, it also means that a lot of the scaffolding work for processes to run must be done by the user-space environment.

Since Magenta was designed as a microkernel, most of the operating system's major functional components also run as user-space processes. This include the drivers, network stack, and filesystems. The network stack was originally bootstrapped from lwIP, but eventually it was replaced by a custom network stack written by the Fuchsia team. The network stack is an application that sits between the user-space network drivers and the application that requests network services. A BSD socket API is provided by the network stack.

The default Fuchsia filesystem, called minfs, was also built from scratch... since the filesystems run as user-space servers, accessing them is done via a protocol to those servers....The user-space C libraries make the protocol transparent to user programs, which will just make calls to open, close, read, and write files. ... Full POSIX compatibility is not a goal for the Fuchsia project; enough POSIX compatibility is provided via the C library, which is a port of the musl project to Fuchsia..."

https://fuchsia.googlesource.com/docs/+/master/the-book/

Khaine 13 hours ago [-]

One thing I don't see addressed in the README is why? Why do we need Fuchsia? What problem are we trying to solve? Why should I use/develop for it instead of Windows/Linux/macOS?

Or is this just a research operating system designed to test new ideas out?

reply

akavel 12 hours ago [-]

The main keywords are "capability based" and "microkernel". Those ideas bring numerous advantages over monolithic kernels (including Linux, Windows, macOS), especially humongous boost to protection against vulnerabilities, also better reliability and modularity. They are quite well researched already AFAIU, and apparently the time has come for them to start breaking through to "mainstream" (besides Fuchsia, see e.g. https://genode.org, https://redox-os.org)

Other than that, for Google this would obviously bring total control over the codebase, allowing them to do whatever they want, and super quickly, not needing to convince Linus or anybody else.

reply

naasking 21 hours ago [-]

Some problems I see from skimming the docs:

> Calls which have no limitations, of which there are only a very few, for example zx_clock_get() and zx_nanosleep() may be called by any thread.

Having the clock be an ambient authority leaves the system open to easy timing attacks via implicit covert channels. I'm glad these kinds of timing attacks have gotten more attention with Spectre and Meltdown. Capability security folks have been pointing these out for decades.

> Calls which create new Objects but do not take a Handle, such as zx_event_create() and zx_channel_create(). Access to these (and limitations upon them) is controlled by the Job in which the calling Process is contained.

I'm hesitant to endorse any system calls with ambient authority, even if it's scoped by context like these. It's far too easy to introduce subtle vulnerabilities. For instance, these calls seem to permit a Confused Deputy attack as long as two processes are running in the same Job.

Other notes on the kernel:

• The focus on handles overall is good though. Some capability security lessons have finally seeped into common knowledge!
• I'm not sure why they went with C++. You shouldn't need dispatching or template metaprogramming in a microkernel, as code reuse is minimal since all primitives are supposed to be orthogonal to each other. That's the whole point of a microkernel. Shapiro learned this from building the the early versions of EROS in C++, then switching to C. C also has modelling and formal analysis tools, like Frama-C.
• I don't see any reification of scheduling as a handle or an object. Perhaps they haven't gotten that far.

Looks like they'll also support private namespacing ala Plan 9, which is great. I hope we can get a robust OS to replace existing antiquated systems with Google's resources. This looks like a good start.

reply

overview from the Lisp Machine manual http://lispm.de/genera-concepts

---

Networking

• Urbit.org

Associated VMs

• JVM (Java)
• CLR (.NET)
• Dis (Inferno)
• Nock (Urbit)

L4

" In this spirit, the L4 microkernel provides few basic mechanisms: address spaces (abstracting page tables and providing memory protection), threads and scheduling (abstracting execution and providing temporal protection), and inter-process communication (for controlled communication across isolation boundaries).

An operating system based on a microkernel like L4 provides services as servers in user space that monolithic kernels like Linux or older generation microkernels include internally. For example, in order to implement a secure Unix-like system, servers must provide the rights management that Mach included inside the kernel. " [1]

" Microkernels minimize the functionality that is provided by the kernel: The kernel provides a set of general mechanisms, while user-mode servers implement the actual operating system (OS) services [Brinch Hansen 1970; Levin et al. 1975]. Application code obtains a system service by communicating with servers via an interprocess com- munication (IPC) mechanism, typically message passing. Hence, IPC is on the critical path of any service invocation, and low IPC costs are essential.

By the early 1990s, IPC performance had become the achilles heel of microkernels: The typical cost for a one-way message was around 100us, which was too high for building performant systems. This resulted in a trend to move core services back into the kernel [Condict et al. 1994]. ... Twenty years ago, Liedtke [1993a] demonstrated with his L4 kernel that microkernel IPC could be fast, a factor 10–20 faster than contemporary microkernels. " [2]