Linux Kernel Wish List

Add capabilities

The story of the Confused Deputy provides a good anecdotal introduction to concept of, and the need for, capabilities. Capabilities provide operating system security in ways that traditional Unix security mechanisms do not. In short, a capability is a pair consisting of a permission, and a file or other resource. These pairs are given to a process, which is then allowed to perform the specified action on the specified object.

Note that the difference between this, and traditional security mechanisms is that processes have the authority to do things not because of who they are (owned by root, suid root, owned by a user, etc.) but by the list of capabilities that they have been given.

Note that a limited kind of "capability" can be implemented using ACL's and Unix groups. However, this kind of an implementation is difficult to manage, is error prone, and is missing the tools needed to do it well. In short, its not the right approach -- its a hack.

A very different example of a capability is the coupling of high-priority execution rights to an interrupt. Thus, a kernel thread can catch an urgent interrupt at a very high priority, pre-empting other threads. Once the interrupt has been handled, the thread can resume execution at a lower priority, allowing other threads to run, essentially allowing real-time operation.

Related references:

• ERights provides an excellent set of tutorials explaining the concepts & utility of capabilities, and why they're better than ACL's etc.
• The Linux POSIX 1.e Project aims to implement Orange-Book security as defined by POSIX.
• A list of some of the Linux POSIX 1.e capabilities
• The Orange Book, see also here.
• Linux PAM (Pluggable Authentication Modules. The answer to the question of "What is PAM?" lies here.
• RFC 2078 -- GSSAPI -- General Security Services see also the Linux GSSAPI project -- not very far along, and stalled.

Add Persistence

Persistence can be thought of as a variation on the suspend/resume capabilities commonly found in laptops. The idea is that the entire OS, including running processes, can be checkpointed & saved to disk, the system powered down, powered back up, and then continue running where it last left off. Some more notes on this are here.

• EROS adds the concept of checkpointing, thus allowing accidental shut-downs to be recovered from.
• Just to make sure that disks are clean, it would be nice to have a rw-mode fsck AND a journalling filesystem.

Add Process Migration

Process migration allows a process to be moved from one processor to another.

Note that persistence gets you much of the way towards the ability to migrate a process from one CPU to another.

• CoCheck creates consistent checkpoints allowing processes to migrate between machines.

• Condor offers a migration and job-scheduling framework that runs on Linux and many other Unix's. One complaint I've heard about this is that programmers have link against the Condor libraries, and that the config files for even a trivial process are quite hard to set up. This bars a wide-spread deployment.

• MOSIX (mirror) Multi-computer Operating System for Unix. Performs checkpoints, and automatically migrates processes to other CPU's when a load-average threshold is exceeded. The most appealing aspect of MOSIX is it's "fork and forget" paradigm: processes are migrated transparently, with no need for configuration or special involvement by the user.

  Versions exist for various Unix's, including BSDI. A sixty-node cluster of Pentium's and PPro's has been built. A version for the Linux kernel 2.2 is available as of now (January 1999). Contact: amnon@cs.huji.ac.il (Amnon Barak)

Merge RAID and LVM Functions

The Linux software RAID and the Logical Volume Mamanger seem to be totally unintegrated projects that in fact should have considerable commonality. It would be nice to have the redundancy and protection of RAID and the convenience and manageability of LVM. See the

On-line System Checking

The ability to run the following tests while the system is live, rather than during boot and/or on unmounted file systems:

• RAM checks. Ability to run something like the BIOS ram check while system is operating.
• fsck on mounted file systems.
• RAID consistency checks on mounted file systems. Should be coupled to fsck so that raid inconsistencies can be resolved based on fsck results.
• PCI and SCSI health monitoring.
• Comprehensive system monitoring application. Currently, when installing a popular distribution, one needs to do a lot of additional installation and tweaking to get a full set of system and network performance monitors installed and running. For example, there is *no* package that by default configures CPU temperature *and* network performance.

Layered TCP/IP stack

It would be nice to have a layered, modular approach to TCP/IP. Currently, there are several kernel patches that perform TCP/IP processing, but it is not clear if they are fully compatible: ENskip for encryption, Masquerade for header re-writing, Hasenstein's NAT for a different form of header re-writing, bandwidth limiting for ISP's, and multi-cast/MBone extensions. Certainly, there is no single, unified config infrastructure for these TCP/IP modules.

Work item: clarify the actual compatibilities & incompatibilities in the above. What sort of testing has been done? What parts of a unified layering design have already been done, and are clean? What parts are not?

Can layered TCI/IP be exploited to allow for process checkpointing and migration on a cluster?

References

• Condor
• EROS embodies most-all of the ideas discussed above. See in particular the technical overview.
• Design notes for putting Unix/Linux on top of EROS.
• IBM LoadLeveler for the RS/6000 SP2
• DQS Distributed Queueing System

---

Copyright (c) 1997, 2000 Linas Vepstas.
July 2000
Contact me: linas@linas.org


Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1; with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license is included at the URL http://www.linas.org/fdl.html, the web page titled "GNU Free Documentation License".
Return to Enterprise Linux Page
Return to Linas' Home Page