Experiences with the Amoeba Distributed Operating System
Tanenbaum, van Renesse, van Staveren, Sharp, Mullender, Jansen, van Rossum
CACM, December 1990

Why are we reading this paper?
  General-purpose operating systems are hugely successful and useful.
  Why not build *distributed* o/s to help structure distributed systems?

Should Athena switch to Amoeba?
  faster: run programs on any idle machine
  whole system looks like a single machine

Should my research group switch to Amoeba?

Is security model reasonable?
  Depends on un-guessable capabilities.
  Local eavesdroppers can see capabilities.

Is Amoeba better/worse than NFS? AFS?

Would Amoeba work with 10,000 workstations?
  How does Amoeba find server that implements the object capability refers to?

What's in an Amoeba capability?
  Server port, object ID, rights, check
  Why "server port" -- why not IP address?
  What is the capability "check" field?
    Implies a server remembers every capability...
  Why is the server port field so big (48 bits)?
  Why is the check field so big (48 bits)?
    And why is the object ID field not so big?
  object+check == NFS filehandle

What kinds of objects does Amoeba refer to w/ capabilities?
  files, directories, processes, devices
  random servers: X window server, for example

How do you *use* a capability?
  Find the server.
  Send it an RPC: capability, operation #, arguments.

Are Amoeba capabilities equivalent to Network Objects / RMI?
  type system
  finding the server

Why can't I pretend to be any existing server?
  Just respond to broadcasts looking for server ports...
  Paper doesn't say?
  Servers choose public port as public = hash(secret)
  Kernel won't let you listen unless you can produce the secret.
  Of course this assumes the kernel is trustworthy.

Could we use WAN stuff for scalability?
  Well, services have to know whether to publish themselves.
  If I put some random file in a world-accessible directory,
    how does file's server know to publish itself?

Is separation of file server and directory server a good idea?
  very flexible: directory can hold anything, not just files/directories
  Does separation work?
    permissions
    atomic rename()
    reclaim storage for deleted files (& entire trees...)

How are file permissions enforced?
  Does file server know who is allowed to read a file?
  What does "write permission" mean?
    (change dir entry -> new file version)

Why are read-only files reasonable?

Why are read-only files helpful to Amoeba?
  Does Amoeba not have to worry about mutable objects?
  Where does directory server store directories?

What's the availability story for directory servers?

Does rename() work?
  If directories are on different servers?
  I.e. is rename() atomic?

Can I move an object?
  Amoeba finds servers, not objects...
  So you can move a service, but not an individual object.
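
Added example (not code from the paper or from these notes): a toy model of the "public = hash(secret)" port rule and the capability fields listed above, showing why knowing a server's public port is not enough to listen on it. Assumptions: SHA-256 truncated to 48 bits stands in for Amoeba's one-way function, the Kernel class and all names are hypothetical, the 24-bit object and 8-bit rights widths come from the paper's 128-bit capability layout rather than from these notes, and the secret and check values are constructed.

```python
import hashlib

def one_way(secret: bytes) -> bytes:
    """Stand-in one-way function (assumption): SHA-256 cut to 48 bits."""
    return hashlib.sha256(secret).digest()[:6]

def pack_capability(port: bytes, obj: int, rights: int, check: bytes) -> bytes:
    # 48-bit server port | 24-bit object | 8-bit rights | 48-bit check = 128 bits
    return port + obj.to_bytes(3, "big") + bytes([rights]) + check

def unpack_capability(cap: bytes):
    return cap[:6], int.from_bytes(cap[6:9], "big"), cap[9], cap[10:16]

class Kernel:
    """Trusted kernel (hypothetical model): binds listeners to public ports."""
    def __init__(self):
        self._bound = {}

    def listen(self, secret: bytes, handler) -> bytes:
        # The caller presents the secret; the kernel derives the public port
        # itself, so a process cannot bind a port whose secret it lacks.
        port = one_way(secret)
        self._bound[port] = handler
        return port

    def deliver(self, cap: bytes, op: str):
        # Clients address the RPC by the port inside the capability.
        port, obj, rights, check = unpack_capability(cap)
        handler = self._bound.get(port)
        if handler is None:
            raise LookupError("no server listening on that port")
        return handler(obj, rights, check, op)

def demo():
    kernel = Kernel()
    secret = bytes.fromhex("a1b2c3d4e5f6")   # constructed; real secrets are random
    check = bytes.fromhex("0f1e2d3c4b5a")    # constructed check field
    port = kernel.listen(secret, lambda o, r, c, op: ("file-server", o, op))
    cap = pack_capability(port, 7, 0x01, check)
    # An impostor sees the public port in every capability but not the secret.
    # Presenting the public port as if it were the secret binds one_way(port),
    # a different port, so RPCs on the real capability never reach it.
    impostor_port = kernel.listen(port, lambda o, r, c, op: ("impostor", o, op))
    return kernel.deliver(cap, "read"), impostor_port != port

if __name__ == "__main__":
    print(demo())
```

As the notes point out, the whole guarantee rests on the kernel being trustworthy: a machine that controls its own kernel can answer for any port.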