From owner-freebsd-hackers@freebsd.org Wed Jan 13 03:08:02 2016 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id A8FDFA80C7B for ; Wed, 13 Jan 2016 03:08:02 +0000 (UTC) (envelope-from mark@heily.com) Received: from mail-io0-x233.google.com (mail-io0-x233.google.com [IPv6:2607:f8b0:4001:c06::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 78239102B for ; Wed, 13 Jan 2016 03:08:02 +0000 (UTC) (envelope-from mark@heily.com) Received: by mail-io0-x233.google.com with SMTP id 77so373912123ioc.2 for ; Tue, 12 Jan 2016 19:08:02 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=heily-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=cjccxjajb3Z0HvXgq4jV7wdffMJUmalW2vTf5enRgtk=; b=rciumxJcOFE8bIfdXFJiZovb8V2alSDLG4nSZjSaAVhYLyTOFTgtpBJm/e4Q2i3Wi5 4Cn9NZPI13HIaHTkEVRPls+/o9T6JEVWhoMa58j69MGg/XqbIXc+sfCtibn7q78I2JSD 2+VO+7ggOULDIynkMuLs9qLuHQiNAg/P3JUxywKfd0FgcXSdQBrbXLxPNxBYcaVu/c6/ KMqLhJZs8RolIaGfLxyaTz3OLOfjSPVeI3NhbWgw/zJyM13nbXUxUsJGiW98j2EcBplg Ll1DAFbck7oBuvNDLHHzsLp1L6pQ5wH5gMqc00JaRagEwUTBnBjlfvwSNWbAUK60+UH5 GUBQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=cjccxjajb3Z0HvXgq4jV7wdffMJUmalW2vTf5enRgtk=; b=V2smJj7CEBYQkKzCJ4EAk7BgKNSozbyzupycsGk05ljVwRmt/jbhsVQiEnwfiyrASP k6NmEdzEWfRPAUy1Pq9jvVYRbzB6SJujQeSv6SW/myB+C0y4NTB49nPUHw3kiCYiR9Xe s+vQ0fDwgFE/DW5en70748f+oPFsbBO31NARSMJ+u4oYkFdL4RipmSCAAlcLSe+YyB9q fK+ehCtNBqfhrmIxtrGp9nzn/5U1Tto2w409cqG14UtBAVlK0Q46a7jY0in5wsSRCxFr qN7ah2FEygHyTEIourJsONzbPMZ0pJlWPvWudsarmXdfblMEPDVzxFzmEPVknIvWTiAl 8cnw== X-Gm-Message-State: ALoCoQmJNe6R2sTzNrD8fFA+njH2KeYhgmmAnVjIeUDeOZ2WYzEzM3up8fov8WWxDRe8eOpQQw++nxckGtDtsUdXB3e44m3tUA== MIME-Version: 1.0 X-Received: by 10.107.43.138 with SMTP id r132mr136416429ior.7.1452654481565; Tue, 12 Jan 2016 19:08:01 -0800 (PST) Received: by 10.79.34.196 with HTTP; Tue, 12 Jan 2016 19:08:01 -0800 (PST) X-Originating-IP: [71.70.175.250] In-Reply-To: <1D6BDF3C-28E7-40C4-A8A2-3A914A3CC76B@ixsystems.com> References: <5687D3A9.5050400@NTLWorld.com> <817860B6-5D67-41A3-ADD7-9757C7E67C35@gmail.com> <07D83705-D89F-4125-B57B-920EDEBC8A85@rdsor.ro> <70975696-3E07-48B9-BFD1-3C2F51E715BB@icloud.com> <76E6AF2A-917B-41EB-883A-C27AB2BB9F71@ixsystems.com> <20160112125948.GH3625@kib.kiev.ua> <1D6BDF3C-28E7-40C4-A8A2-3A914A3CC76B@ixsystems.com> Date: Tue, 12 Jan 2016 22:08:01 -0500 Message-ID: Subject: Re: relaunchd: a portable clone of launchd From: Mark Heily To: Hubbard Jordan Cc: Konstantin Belousov , FreeBSD Hackers Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 13 Jan 2016 03:08:02 -0000 On Tue, Jan 12, 2016 at 10:59 AM, Hubbard Jordan wrote: > >> On Jan 12, 2016, at 4:59 AM, Konstantin Belousov w= rote: >> >> I highly recommend to Google for "Mach IPC sucks" if reader is really in= terested. > > And here we return to the usual trap=E2=80=A6 > > =E2=80=9CMach IPC sucks!=E2=80=9D > > =E2=80=9COK. What do you propose that will address all of the same conce= rns?=E2=80=9D > > =E2=80=9Cdbus!=E2=80=9D > > =E2=80=9C*Sigh*. You haven=E2=80=99t even looked at the two technologies= in any depth, have you? Go read the dbus wikipedia page, at least! Unix = domain sockets underneath, no kernel<->userland communication path, no trus= ted IPC mechanism, no support for large messages=E2=80=A6=E2=80=9D > > =E2=80=9COK, so something new!! We should totally create an IPC for the = New Millennium!=E2=80=9D > > =E2=80=9CThat would be you then? Where=E2=80=99s your white paper? Wher= e=E2=80=99s your reference implementation?=E2=80=9D > > > > Sorry. Been there, had this debate, and while it=E2=80=99s always extrem= ely easy to fling poop at an existing mechanism, it turns out it=E2=80=99s = so much harder to actually *create an alternative* that this kind of discus= sion only serves to throw cold water on evolution (=E2=80=9Cthe perfect bei= ng the enemy of the good enough=E2=80=9D) and the end-result is that evolut= ion does not occur. > > You're right in that DBus is not a great solution, and I think we can do better. I've gone ahead and created a general-purpose IPC library that is a plausible alternative to Mach IPC. Here's the code: https://github.com/mheily/libipc It is not a bus, and it is not object-oriented. Instead, it tries to make calling a remote function as easy and seamless as calling a local function. I was planning on hacking on it for a few more weeks before announcing it, but it seems very relevant to the discussion we are having today. It's built on top of Unix-domain sockets, and includes an IDL compiler that takes a reasonably simple YAML file and generates the boring code that allows programs to do structured IPC without worrying about serialization and bootstrapping and all of the underlying protocol issues. You've raised some objections to Unix-domain sockets, which I'd like to respond to. I'll quote from the slide in your presentation about Unix-domain sockets: ------------------------------------------------------------ > > > What can Mach ports do that Unix domain sockets can't? > > Separate namespace for services (doesn't rely on file system naming or > permissions) > This is generally a bad thing, IMHO. Filesystem permissions are a good way to apply security rules to an object, and they are a highly standard and well understood concept. If you need more than the traditional user/group/other support, you can supplement this with POSIX ACLs. Using the filesystem as a way to coordinate activity is a perfectly natural thing to do, and only has a disadvantage in a small corner case (where the system is in the process of booting up and the filesystem is not mounted). Right now, there is no need to perform IPC in the early part of the boot process. A machine where the root filesystem is not mounted read/write is basically unusable, and the solution is to mount the filesystem ASAP before starting any services that rely on IPC. > > Message boundaries > Not true. You have to provide your own semantics for finding the message boundaries, but it is totally possible to send messages across Unix-domain sockets. > > Kernel as peer > This is true, but not there are other ways for userspace to communicate with the kernel, such as syscalls and ioctl. Monolithic kernels don't use message passing, so we aren't missing out on much by not having this feature. > > Pre-existing well defined RPC interface > If Mach has such a great RPC interface, why do we need to hide it behind another abstraction layer like XPC? The existence of a thing is not necessarily an argument for it being the right tool for the job. > > Receive messages directly in call to kevent() > This is a "nice to have" performance optimization. We can live without it. > > OOL (out of line) messages (arbitrarily sized with zero copy for large me= ssages) > You can do zero-copy over Unix-domain sockets by sending a file descriptor across the socket that is backed by an anonymous region of memory created with mmap(2). To get the out-of-line behavior, all you need are two Unix-domain sockets; one acting as the control channel, and the other as the data channel. > > Port send rights - can only send to a port for which the process has expl= icitly > received the right to send > Unix-domain sockets have file permissions that control access. This is functionally equivalent to "port send rights", right? > > Provenance - Yes, PROVENANCE, receiver can have the kernel append an audi= t > trailer containing full set of credentials of sender > Unix-domain sockets allow you retrieve UID, GID, and PID of the client process. Unless you mean something different by "PROVENANCE", this is all the information you really need to make security decisions in the current Unix security model. ------------------------------------------------------------ So the TL;DR is that you can use Unix-domain sockets to do most of what Mach IPC provides. There are some major benefits to using sockets, such as the fact that are portable and relatively standardized across different Unix implementations (and even Windows). I think if you do a cost-benefit analysis between Mach and sockets, sockets win. Anyway, I'm planning to implement IPC in relaunchd using libipc, and relaunchd will be able to create the IPC service and launch the job "on demand" whenever a client attempts to connect to it. We've taken up a lot of airtime on this mailing list, so I invite anyone who is interested in IPC to join me on the libipc mailing list to discuss this further: https://groups.google.com/d/forum/libipc-devel