From: rog@vitanuova.com
To: 9fans@cse.psu.edu
Subject: [9fans] an idea
Date: Wed, 21 Apr 2004 22:26:23 +0100 [thread overview]
Message-ID: <499f328d8dc6462edbadb7e4894feaf8@vitanuova.com> (raw)
In-Reply-To: <bea21b07b011bfc60488d8c959307252@vitanuova.com>
ok, this idea's a bit off the wall, but i thought i'd mention it
because i think it's got some potential.
some observations on the way 9p works currently:
1) if i import a remote namespace containing /srv, mounting a file in
/srv triples the latency of requests on the mounted namespace (write
tmsg, reply, read rmsg header, reply, read rmsg body, reply).
2) without re-mounting the connection, there's no way of introducing a
new user to a remotely imported namespace.
3) the '#' namespace is quite restrictive (devices can't be attached by
a remote machine, unless using an additional protocol, such as
import), but also overly permissive (there's no way of arbitrarily
restricting the set of devices available to sub-processes)
4) there's an arbitrary distinction between the '#' namespace and normal
namespace, when kernel/user boundary is potentially largely arbitrary.
you can't, for instance, substitute a user-level simulation of device
x if a program accesses it via #x rather than a previously mounted
instance of it.
5) there's a global idea of "user" (the user id of the current
process, as used by fauth(2) at al) but in a situation with resources
imported from many authentication domains, this isn't necessarily
realistic.
6) kernel level devices are privileged in that they can access some
user resources directly, in particular open fds and names. user level
servers can't.
here's the germ of a solution: put auth files in the namespace.
here's how it might work:
in your namespace you find a file with the DMAUTH bit set, an auth
file. opening this produces a fid suitable for authentication, which
can also be used as part of a later attach message, giving access to a
new namespace - the namespace accessible as a result of this attach is
distinct (files occupy a different qid space) but derived (the server
decides what namespace to provide from the auth file used).
imagine that /srv contains a load of these auth files. each one is
like a gateway into a new namespace, in just the same way that the
files in the current /srv are, except that the mount driver's job has
already been done, so that someone mounting one of these remotely does
not incur any additional latency over the network.
moreover (and this is where things start to become interesting, i
think), there's no particular reason why the auth files in /srv have
to be 9p servers - they could be devices too.
suppose, for the sake of argument, that it is possible to have a file
descriptor that represents a walked-to-but-not-yet-open file (the
kernel can do this already; an implementation would be trivial).
suppose also that there are some of the usual 9p-like operations on
such a file, such as walk, bind, open, etc.
then imagine a device similar to the current /srv, except that any
attach gives a new, clean instance, containing nothing at all, rather
than globally shared resources, as currently. any file descriptor
could be posted to this directory; a walk to it would give you back
the original.
when you boot the system, you bootstrap an instance of the /srv
device, containing an auth file for each device compiled into the
kernel, including the srv device itself.
suddenly you don't need the '#' namespace any more.
to do the equivalent of newns, attach to a new instance of the srv
device, place within it the resources you want available after the
newns (could include auth files, directories, etc), clear the
namespace, and then bind the new instance of /srv (you'll still have
its file descriptor around) onto /.
for a subprocess, you can arrange exactly the set of devices that are
available. there's also the potential to "push" an authentication
scheme onto an auth file. in fact there are bucketloads of
possibilities i haven't begun to think about yet.
this kind of arrangement seems to me to make the namespace less
arbitrary and more powerful. an auth file acts as a kind of tunnel to
another namespace, but one that itself exists within the namespace,
and is thus amenable to "meta-" namespace tools, such as iostats, cfs,
etc.
the implementation would be straightforward (main kernel change would
be having a Dev* inside a Chan rather than indirecting through
devtab), and it doesn't change 9p. almost all user-level code would
be unaffected.
quite a number of solutions to previously unpleasant problems seem to
me to fall out from this, but i'm likely missing some blindingly
obvious objection.
what do you think?
next prev parent reply other threads:[~2004-04-21 21:26 UTC|newest]
Thread overview: 67+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-04-11 19:14 [9fans] german keymap Scusi
2004-04-11 19:28 ` boyd, rounin
2004-04-11 20:00 ` Scusi
2004-04-11 20:03 ` boyd, rounin
2004-04-11 22:10 ` Geoff Collyer
2004-04-11 22:39 ` Russ Cox
2004-04-11 22:55 ` Geoff Collyer
2004-04-12 0:01 ` Russ Cox
2004-04-12 0:06 ` Geoff Collyer
2004-04-12 0:22 ` Charles Forsyth
2004-04-12 2:42 ` boyd, rounin
2004-04-12 2:57 ` countryjoe
2004-04-12 4:02 ` boyd, rounin
2004-04-12 2:40 ` boyd, rounin
2004-04-12 2:35 ` boyd, rounin
2004-04-12 2:33 ` boyd, rounin
2004-04-21 17:43 ` rog
2004-04-21 17:44 ` boyd, rounin
2004-04-21 17:56 ` rog
2004-04-21 18:03 ` boyd, rounin
2004-04-21 18:41 ` rog
2004-04-21 18:42 ` Rob Pike
2004-04-21 19:16 ` rog
2004-04-21 18:43 ` boyd, rounin
2004-04-21 18:47 ` boyd, rounin
2004-04-21 18:57 ` Rob Pike
2004-04-21 18:58 ` boyd, rounin
2004-04-21 19:20 ` rog
2004-04-21 19:58 ` boyd, rounin
2004-04-21 20:26 ` rog
2004-04-21 21:26 ` rog [this message]
2004-04-26 7:57 ` [9fans] an idea Fco.J.Ballesteros
2004-04-26 8:04 ` Charles Forsyth
2004-04-26 8:10 ` Fco.J.Ballesteros
2004-04-26 8:13 ` Charles Forsyth
2004-04-26 16:41 ` rog
2004-04-26 16:43 ` Charles Forsyth
2004-04-26 16:57 ` rog
2004-04-26 16:48 ` Fco.J.Ballesteros
2004-04-27 1:44 ` Scott Schwartz
2004-04-27 6:43 ` Fco.J.Ballesteros
2004-04-26 15:12 ` Russ Cox
2004-04-26 15:49 ` ron minnich
2004-04-26 16:42 ` rog
2004-04-26 16:59 ` Russ Cox
2004-04-26 17:05 ` Charles Forsyth
2004-04-26 18:04 ` Philippe Anel
2004-04-26 18:16 ` rog
2004-04-26 18:36 ` Philippe Anel
2004-04-26 20:27 ` rog
2004-04-27 7:44 ` Philippe Anel
2004-04-27 8:13 ` Fco.J.Ballesteros
2004-04-26 18:20 ` rog
2004-04-26 18:09 ` rog
2004-04-26 18:44 ` [9fans] local 9p multiplexing Russ Cox
2004-04-26 18:54 ` [9fans] remote " Russ Cox
2004-04-26 19:44 ` rog
2004-04-28 17:37 ` [9fans] Vmware-4 and Plan 9 Ishwar Rattan
2004-04-28 17:58 ` Hugo Santos
2004-04-28 18:01 ` vic zandy
2004-04-26 18:55 ` [9fans] an idea Charles Forsyth
2004-04-26 20:12 ` rog
2004-04-26 20:40 ` Charles Forsyth
2004-04-26 23:26 ` rog
2004-04-26 19:51 ` ron minnich
2004-04-26 20:49 ` Charles Forsyth
2004-04-22 1:57 ` [9fans] german keymap Michael Jeffrey
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=499f328d8dc6462edbadb7e4894feaf8@vitanuova.com \
--to=rog@vitanuova.com \
--cc=9fans@cse.psu.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).