From: "Joshua M. Clulow" <josh@sysmgr.org>
Date: Wed, 17 Jul 2024 13:09:16 -0700
Subject: Re: [developer] A couple of kernel questions
To: illumos-developer

On Wed, 17 Jul 2024 at 06:29, Lonnie via illumos-developer wrote:
> 1. As Illumos is designed for zones (VMs), I am wondering if there are driver and service zones implemented such that if a driver crashes then it does not heavily impact the OS in operation? From what I understand so far, the drivers and system wide services are installed in the Global-Zone which makes me think of the Xen Type-1 Hypervisor in which these things are installed in their Dom0 which is similar to the Illumos Global-Zone (GZ)

It's not so much that illumos is designed _for_ zones or VMs, as that we have first class features in the OS that support those things. Aside from those features, illumos is a UNIX operating system with a monolithic kernel. Drivers are generally kernel modules, though there are limited areas in which drivers can be implemented in user mode software; e.g., ugen(4D) allows for user mode USB drivers, and one of the FUSE ports would allow for a user mode file system.

That said, because our consolidation can ship both kernel and user mode software, we can indeed relatively easily move some things into daemons where they might have ended up in the kernel in other systems. We ship a lot of daemons for different purposes, supervised by smf(7) and in many cases deprivileged by rbac(7) and privileges(7) features in the OS. In most or all cases, these daemons could crash and restart without necessarily bringing down other parts of the system. If a daemon restart does cause unavailability, you could definitely file that as a bug to fix.

> 2. Another crazy thought that I had was about the possibility of investigating what it might take to (fork illumos for an experiment) and try to remove the dependencies on a hierarchical tree-based filesystem and to implement a type of "Property-Graph Database (PGDb)" filesystem. The rationale here is that a hierarchical tree-based filesystem can easily be represented as well but that a PGDb filesystem also allows for assigning new types of attributes to files, blocks, objects, users, etc. and thus allowing for granular security on users at the application level. Users can be allowed/disallowed to see/access application/files/block/objects and only authorized applications are "mapped" to a particular user.

I think it's unlikely that we would move away from a hierarchical file system. It's really at the core of a lot of UNIX abstractions.

We tend to focus on mandatory access control through privileges(7) and rbac(7) mechanisms. Individual users, or processes, can be restricted from seeing quite a lot of other things occurring on the computer in other accounts, etc, by removing privileges from their processes. They can be prevented from making network connections, or seeing other processes in /proc, etc.

We're always interested in new security and sandboxing features, but would generally like them to build on and fit in with the existing designs where possible. The core team is happy to help with design advice if someone wants to put together an illumos project discussion (IPD) document that covers a new sandboxing feature; see: https://github.com/illumos/ipd.

ZFS, our primary file system, has extensive support for extended attributes. It also has rich support for NFSv4 ACLs, which allow for fine-grained permissions in the regular file system; see acl(7) for more details. There is also support for other more complex attributes, such as marking things totally immutable; see fgetattr(3C) and chmod(1) for more details.

> 3. I could see that when a user does a login, then a blank empty zone is set up at which time their configured files, directories are mapped in to their container zone and allowed applications are only used. The users cannot escape their zone and do not have access to the rest of the system unless privileges are elevated. I know that "zlogin" can do this from the GZ, but perhaps automatically and full console since graphic display will be needed.

You could achieve a lot of automatic provisioning for users on login through some combination of NSS and PAM modules and distribution-specific control software. I don't think this would really be a core illumos feature, at least to begin with, but there's a lot of mechanism that could help you get there!

Graphics is obviously something of an uncharted challenge. As I mentioned in your OmniOS thread, our DRM/KMS software needs work to be brought up to date, and there are probably new facilities that we would then need to add to the core OS to provide a richer graphical console experience. It's also possible that you could, once DRM is sorted out, drive a lot of that from distribution-specific software like X11, or a port of DirectFB2, etc, without needing much or any additional core OS support.

> 4. One need that may be a challenge to get done will be the need for an enable/disable consoles such that local users could use a hot-key (API call) to switch between zone consoles which would include graphics, audio, etc. This would be akin to running multiple VirtualBox OSs, or VMware Guests in which you can step through the guest graphic tabs in fullscreen mode, perhaps. I am seeking to replicate that idea in Illumos to step through guests (maybe in Bhyve or native zones) that are in their own configured zone which is the thought.

This is mostly the same as my comments on graphics above. Some work will be required specifically on improving the graphical/desktop support we have, as part of a project like that.

> I am not sure how these things might be approached and/or tackled in illumos but wanted to start investigating them one by one and build up as the project evolves.

I suspect most of what you want to do, you could get started by prototyping on top of facilities that exist already! I can't stress enough that if you want the graphics stuff to work out, I would work on that first, as I think it's the biggest risk/unknown in your plans so far.

> Well, I thought that I would ask these questions here since they are more kernel related than OS configuration related and hope that you also find them interesting although may have already been considered in the past well.

We generally try to keep the illumos developer list focused on specific bits of in-progress development (questions about how to proceed, code and design reviews), or about specific bugs or issues, etc. Generally we would do broad, exploratory ideation on the illumos-discuss list.

Cheers.

-- 
Joshua M. Clulow
http://blog.sysmgr.org
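An added example, not part of the thread, showing the privileges(7) confinement the reply describes: a command is started via ppriv(1) without net_access and proc_info, and the resulting privilege sets are audited by parsing `ppriv -v` output. The function names and the sample `ppriv -v` output are constructed for this example; the live check only runs where `ppriv` exists.

```shell
#!/bin/sh
# Added example (not from the thread): confine a process with ppriv(1) and
# audit the result by parsing `ppriv -v` output. The sample output below is
# constructed to look like `ppriv -v <pid>` for a shell started with
# `ppriv -e -s A-net_access,proc_info /bin/sh` (illumos basic set minus two).
SAMPLE_PPRIV='4242:   /bin/sh
flags = <none>
        E: file_link_any,file_read,file_write,proc_exec,proc_fork,proc_session
        I: file_link_any,file_read,file_write,proc_exec,proc_fork,proc_session
        P: file_link_any,file_read,file_write,proc_exec,proc_fork,proc_session
        L: all'

# set_members OUTPUT SET: print the comma-separated members of set E, I, P or L
set_members() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# has_priv OUTPUT SET PRIV: succeed if PRIV is in SET ("all" contains everything)
has_priv() {
    members=$(set_members "$1" "$2")
    [ "$members" = "all" ] && return 0
    printf '%s\n' "$members" | tr ',' '\n' | grep -qx "$3"
}

# assert_dropped OUTPUT PRIV: succeed only if PRIV is absent from both the
# Effective and Permitted sets, i.e. the process cannot use it or regain it
assert_dropped() {
    ! has_priv "$1" E "$2" && ! has_priv "$1" P "$2"
}

# run_confined CMD...: start CMD with no network endpoints and no view of
# other users' processes in /proc (privileges(7)); A- removes from all sets
run_confined() {
    ppriv -e -s A-net_access,proc_info "$@"
}

# Live check of the calling shell, only where ppriv exists (illumos)
if command -v ppriv >/dev/null 2>&1; then
    if assert_dropped "$(ppriv -v $$)" net_access; then
        echo "this shell cannot open network endpoints"
    else
        echo "this shell still holds net_access"
    fi
fi
```

Run a daemon under `run_confined` and then point `assert_dropped` at its `ppriv -v <pid>` output to confirm the privilege is gone from P as well as E, since a privilege left in P can be re-enabled.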