What kinds of things would you want in the GNU OS?

Fri May 26 13:57:11 AEST 1989

In article <106326 at sun.Eng.Sun.COM> bitbug (James Buster) writes:
>What kinds of things should be in the GNU Kernel?
>What kinds of features or design rationale should it use?

Well, I've never done any OS design, but nobody can claim I'm not
opinionated :-)...

The most important thing is to build a framework in which things can be
added later. It's not important to provide a lot of user functionality
that's not in existing systems. What is important is not to make any
decisions that'll prevent somebody else from adding it later. That'll
be difficult enough. The module interface designs will probably be the
most enduring part of the whole system.

Make the system lean and, and make it configurable, so people can choose only
the code they need. Allow as much dynamic reconfiguration as possible. If
it's not too hairy, support SysV.4 device drivers and streams modules. Put
emulation for BSD calls (or SysV calls, or whatever) in libraries, not in
the kernel, unless it *really* needs to be there.

It's important to support multiprocessors and allow for tightly-coupled
distributed systems. No non-reentrant code. Good locking and synchronization
primitives, available both within the kernel and outside it, probably
message-based. Do this stuff right, allow user processes to run in kernel
VM space, and keep your interrupt handling clean, and you can go a long
way toward letting somebody add a real-time scheduler to the system later.

Multiple threads of control: Decouple threads of control from address
spaces. It should be possible to have more than one thread in a given
address space, and to have the scheduler manage that for you. It might
be nice to be able to start a thread of control in *somebody else's*
address space (maybe even in kernel address space), to manipulate other
address spaces and other threads in other ways.

Extensions to the filesystem name space: Everything (from the user's point
of view) should be a file.  That means real files, devices, pseudo-devices,
network connections to other machines, VM address spaces other than your
own, data about threads, scheduler control, everything. When you open a
file, you establish a connection to some kind of object. It may be
implemented by kernel code or by user-mode code. You can send data to it,
read data from it, maybe seek it, and maybe map it into your address space.
What it does with your data is type-specific.  You can also send it
type-specific commands, using something like ioctls, but more general;
perhaps typed reads and writes. It can generate events that wake you up
and/or signal (or something better than signal!) you when it has data for
you. It should be possible for user-mode code to "get behind" mount points,
and maybe even disk "files" and "directories", and provide services. It
should be possible to have the trailing part of a pathname passed to
whatever implements a "directory" for further processing. This probably
means that there need to be directory access mechanisms built into the file
system primitives, so these objects can tell programs what's available in
the name space. There probably also needs to be some kind of unique object
identifier that can be a successor to the inode.

>File system:	SysV vs Berkeley? Something better?
>		Embedded file types? >32-bit file offsets?

The Berkeley file system (perhaps slightly augmented) would be fine for
disks, at least for now. Heathen file systems without symbolic links would
not be adequate :-). It's more important to build a flexible operating
system foundation than to design a new disk structure. The file system
definitely shouldn't worry about the type of the data in a file until
much, much later on.

>Security:	ACLs? Get rid of root? Security monitors? Auditing?
>		Provably secure(A1)?

There's no need for ACL's, or A1 security, or auditing, or whatever just yet.
There *do* need to be hooks for providing these things. That basically means
that a reference monitor interface needs to be designed, and that the system
needs to channel requests for access through it. There needs to be a clear
definition of what objects have privileges, what operations may require
privileges, how privileges get passed around, how to *prevent* privileges
from getting passed around, and so forth.

Glimmerings of a structure: Privileges belong to threads of control; each
thread has a privilege list. A privilege is represented by a unique
identifer, which subsumes the functions of both UNIX UIDs and GIDs.
Certain of a thread's privileges are marked as corresponding to real
and effective UNIX UIDs and GIDs. Privileges in a thread's privilege
list have other binary attributes, things like "can/can't be delegated",
"can/can't be given up", "pass/don't pass on fork", and so forth. Some
attributes can be modified by the thread, others can't. A reference
monitor gets called by whatever implements a file/object to examine
opens, closes, reads, writes, and control operations. The reference monitor
is allowed to issue a capability identifier of some kind at object open,
and can restrict how that capability can be delegated.  Whenever an operation
is attempted on the opened object, the object implementation passes the same
capability to the reference monitor as part of the information about the
operation. It may choose to revoke a capability at any time.

Issues: When you open a "file", does the object at the other end get your
privileges by default? Can you change the default? What code is allowed
to issue privileges?

>Scheduler:	Real-time support? Task-driven? Event driven?
>		Direct brain hookups:-)?

Start with the simplest scheduler you can get away with... and make it
easy to replace. Real-time people seem to like to write their own schedulers
anyway.

>Virtual Memory:	Should GNU run on non-VM machines? Algorithm ideas?
>		How general (map *everything* into VM space, like Multics)?
>		Shared libraries?

It would be nice to have a well-defined subset of the system that could
be run on a non-VM machine, but the full-blown system needs to offer
functions that you can only get with virtual memory.

*Everything* should be in the file system name space... and it should be
possible to map anything sensible from the file system into your VM space.
That doesn't mean that everything needs to be mapped by default, though.
There needs to be support for wiring down pages, user-defined paging
strategies, read-only mapping under user control, and maybe copy-on-write
(there definitely shouldn't be any choices made that would preclude
copy-on-write).

Shared libraries (which are a good idea) can be supported in user code.
No need to clutter the kernel with anything more complicated than file
mapping.

>Networking:	NFS? RFS? Something better?
>		Interfaces: Streams? TLI? Something better?
>		TCP/IP? OSI? SAA/SNA:-)?
>		RPC Services? What kind?

My personal desires: Definitely TCP/IP. Definitely NFS. Maybe RFS. Maybe OSI.
Make it easy to add stuff. Use Streams/TLI (perhaps somewhat extended) for
the real networking code, but provide a socket emulation library.

>Overall Design:	What nice ideas from other OSes could we use?
>		Multics? VMS? VM? DG/OS?
>		Fault tolerance?
>
>How about this? Make everything a user process which serves
>a resource to a client. Resources include the CPU (scheduler),
>memory (VM), disk (file system), network (sockets, etc),
>serial lines (terminal handlers), etc. Each server determines the access
>method and security criteria for its service. Make no arbitrary policy
>decisions regarding a service! Don't like the VM server? Replace it! You
>could have a security monitor provide a security policy on behalf of
>your file system or IPC mechanisms. If you have no need for security,
>don't run the monitor.

I'm not sure how you'd put the scheduler in a user process, but this
is basically a good way to go... provided that you can get decent performance
out of it. Some of these processes could probably run in the kernel's address
space. I think that putting things in the file system name space is a good
way to provide access to the resource managers for everything but the
two really essential resources, CPU and memory, and even for some of the
fine control over those.

-- 
John R. Bashinski   johnb at sj.ate.slb.com   {amdahl,decwrl,uunet}!sjsca4!johnb
+1 408 437 5218        M/S 32-0846, 1601 Technology Drive, San Jose, CA 95110