aQute Inside OSGi By Peter Kriens CEO aQute OSGi Technology Officer and OSGi Fellow

Upload: brianna-bird

Post on 27-Mar-2015



©1999-2004 aQute, All Rights Reserved slide #2

Contents


Framework Architecture

[Figure: UML class diagram of the Framework API. Interfaces: Filter, Constants, Bundle, BundleContext, ServiceRegistration, ServiceReference, BundleActivator, BundleListener, SynchronousBundleListener, FrameworkListener, ServiceListener, ServiceFactory. Classes: BundleEvent, FrameworkEvent, ServiceEvent, BundleException and InvalidSyntaxException (java.lang.Throwable), AdminPermission, PackagePermission and ServicePermission (java.security.Permission). Implementation side: framework impl., bundle controller impl., service controller impl., service impl. (java.lang.Object), implementation code of bundle.]


[Figure: bundles A, B and C on an Execution Environment (CDC)]

Classloading

• Standard Java loads all classes from a global CLASSPATH and class loaders

• CLASSPATH consists of many entities

  – Jar Files
  – Directories
  – Other sources via a classloader

• Actual class loading is uncontrolled and fails too often

  – ClassNotFoundException
  – NoClassDefFoundError
  – ClassCastException
  – Shadowing: Wrong version

• Complex!

• It would be nice if this was more controlled …


OSGi Modules

[Figure: MODULE layer between bundles A, B, C and the Execution Environment (CDC)]

• OSGi adds a powerful module system to Java

• Allows isolated modules to co-exist in single VM

• Does not use the global CLASSPATH, but allows fine grained control of package sharing

• Modules specify constraints through Manifest Header in their JAR

• Module dependencies are controlled and checked

• Fine grained PackagePermission (optional)

• Non-Intrusive, works with existing code. Only Manifest headers required

• Bundles automatically activated when first used


OSGi Modules


• Prevents ClassCastExceptions when multiple bundles share objects with Import- and Export-Package clauses

• Dependency on other bundles can be expressed with Require-Bundle
  – A cannot work without B
  – Multiple versions: A must work with B 1.2 and C must work with B 1.4

• Extending Packages with extra content (Fragments)
  – Internationalization
  – Private classes (when statics are (mis)used)


Problem

• Reboot is required for configuration changes
  – Boot time
  – Disruption in service

• Server is in a remote location and needs to be managed over the network

• It should be possible to manage the set of bundles in the VM without rebooting


OSGi Life-Cycle

[Figure: LIFE-CYCLE layer added on top of the MODULE layer; bundles A, B, C, D on the Execution Environment (CDC)]

• The OSGi Life-Cycle support allows bundles to be:
  – Installed
  – Started
  – Stopped
  – Updated
  – Uninstalled

• Life cycle operations are persistent

• Full API for management

• Easy to manage remotely because of management agent concept

• AdminPermission and BundlePermission for security

• Fully Evented


Problem

• Bundles need to collaborate

• Discover potential partners

• Find applicable objects that can be used in the collaboration

• Handle the coming and going of bundles


OSGi Service Registry

• Service Registry is a dynamic registry of service objects

• Adds strict decoupling between bundles

• Manages life-cycle dependencies

• Fully Evented

• Dynamic discovery

• Implements many important software patterns

• Fine grained security model with ServicePermission (optional)

[Figure: SERVICE-REGISTRY layer added on top of LIFE-CYCLE and MODULE; bundles A, B, C, D on the Execution Environment (CDC)]


OSGi Service Platform

• L0 - Execution Environment: CDC, CLDC, OSGi/Minimum

• L1 - MODULE: Creates the concept of bundles that use classes from each other in a controlled way according to system and bundle constraints

• L2 - LIFE-CYCLE: Manages bundle life-cycles in a VM without requiring reboots

• L3 - SERVICE-REGISTRY: Decouples bundles so that the deployer can mix and match configurations


Java 2 Security Primer

• Java 2 security provides a flexible and comprehensive model for security

• Permission subclasses hide the semantics of the permission type
  – FilePermission
  – SocketPermission
  – ServicePermission
  – …

• Code is associated with a set of permissions

• The SecurityManager checks a permission by creating a permission

[Figure: a call to foo() reaches checkPermission(p) on the SecurityManager and the AccessController; the AccessControlContext holds the ProtectionDomains of the code on the stack, and implies(p) is asked of each ProtectionDomain, its Permissions collection and the individual Permission objects]


Permissions

• Permission associated with code
  – …
  – FilePermission("/tmp/-", "read,write");
  – …

• Check

    void open(String path) {
        …
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) sm.checkPermission(new FilePermission(path, "read"));
        …
    }


Changing the context

• Normally all classes on the call stack are evaluated and must return true

• Sometimes a method wants to run with only its own permissions

• This is possible with a doPrivileged method on the Access Control context

• This places a marker on the stack to indicate the search should stop

• Can also be used to run code with the context of another protection domain

    ...normal code here...
    String user = (String) AccessController.doPrivileged(
        new PrivilegedAction() {
            public Object run() {
                return System.getProperty("user.name");
            }
        }
    );
    ...normal code here...
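
The stack evaluation and the doPrivileged marker described on this slide can be modelled with the Java 2 security classes directly. This is an added example, not code from the presentation; the domain names and file paths are constructed, and it assumes a JDK on which java.security.AccessControlContext is still functional (the API is deprecated for removal since Java 17).

```java
import java.io.FilePermission;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AllPermission;
import java.security.Permission;
import java.security.Permissions;
import java.security.ProtectionDomain;

// Added illustration; class, domain and path names are hypothetical.
public class StackCheckDemo {

    // A protection domain that holds exactly the given static permissions.
    static ProtectionDomain domain(Permission... granted) {
        Permissions set = new Permissions();
        for (Permission p : granted) {
            set.add(p);
        }
        return new ProtectionDomain(null, set); // null CodeSource: no code location needed
    }

    // True only when every domain in the modelled call stack implies the permission.
    static boolean allowed(Permission p, ProtectionDomain... stack) {
        try {
            new AccessControlContext(stack).checkPermission(p);
            return true;
        } catch (AccessControlException denied) {
            return false;
        }
    }

    public static void main(String[] args) {
        ProtectionDomain framework = domain(new AllPermission());
        ProtectionDomain logService = domain(new FilePermission("/tmp/-", "read,write"));
        ProtectionDomain untrusted = domain(); // a bundle with no file access at all

        Permission write = new FilePermission("/tmp/log.txt", "write");

        // Plain call chain untrusted -> logService -> open(): every frame is consulted.
        System.out.println("full stack:         " + allowed(write, untrusted, logService));
        // logService wraps the write in doPrivileged: the search stops at its frame,
        // modelled here by leaving the callers' domains out of the context.
        System.out.println("after doPrivileged: " + allowed(write, logService));
        // The marker never grants more than the privileged code itself holds.
        System.out.println("outside /tmp:       "
                + allowed(new FilePermission("/etc/passwd", "read"), logService));
        // Framework callback: only the Framework (AllPermission) and the bundle are on the stack.
        System.out.println("framework callback: " + allowed(write, framework, logService));
    }
}
```

The first check is denied because one caller lacks the permission; the same request succeeds once only the log service's own domain is evaluated, which is why code inside a privileged block has to validate whatever its callers passed in.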


Issues with Java 2 Security

• Checking permissions is heavy

• Impossible to cache results of a check due to polymorphic model
  – The result of an implies can change at any time

• Too flexible
  – Every class can have its own protection domain

• The doPrivileged model is expensive due to too many class creations

• Complex!


Permission Admin

• Permissions are managed through Permission Admin

• Permissions are stored in PermissionInfo objects

• Permission Admin is used by Management Agents to store the PermissionInfo objects

• The location is the key to the PermissionInfo objects
  – Allows permissions to be set before download

• Changes in permissions are immediate

[Figure: a Management Agent uses the Framework's PermissionAdmin to store PermissionInfo objects, keyed by the location of a Bundle]


Permission Admin

[Figure: UML diagram: the PermissionAdmin interface holds, per bundle location, 0..n PermissionInfo objects; each PermissionInfo constructs one java.security.Permission]


Permission Admin API

PermissionInfo[] getDefaultPermissions()

Gets the default permissions.

java.lang.String[] getLocations()

Returns the bundle locations that have permissions assigned to them, that is, bundle locations for which an entry exists in the permission table.

PermissionInfo[] getPermissions(java.lang.String location)

Gets the permissions assigned to the bundle with the specified location.

void setDefaultPermissions(PermissionInfo[] permissions)

Sets the default permissions.

void setPermissions(java.lang.String location, PermissionInfo[] permissions)

Assigns the specified permissions to the bundle with the specified location.

PermissionInfo(java.lang.String encodedPermission)

Constructs a PermissionInfo object from the given encoded PermissionInfo string.

PermissionInfo(java.lang.String type, java.lang.String name, java.lang.String actions)

Constructs a PermissionInfo from the given parameters

Permission File

(org.osgi.framework.PackagePermission "org.osgi.test.cases.*" "import")
(org.osgi.framework.ServicePermission "org.osgi.test.cases.lifecycle.servicereferencegetter.ServiceReferenceGetter" "register,get")
(org.osgi.framework.ServicePermission "org.osgi.test.*" "get")
(org.osgi.framework.ServicePermission "org.osgi.framework.*" "get,register")
(org.osgi.framework.ServicePermission "org.osgi.test.cases.lifecycle.servicereferencegetter.*" "get,register")

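The encoded form used in the permission file, (type "name" "actions"), can be reviewed mechanically before a Management Agent stores it through setPermissions. The following added example (not code from the presentation or from an OSGi framework) parses such entries, lists the wildcard grants and answers whether a request is covered; the wildcard rule is an assumed BasicPermission-style match and the service name Probe is hypothetical.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added illustration; not the Framework's PermissionInfo implementation.
public class PermissionFileAudit {

    static final class Grant {
        final String type, name;
        final List<String> actions;

        Grant(String type, String name, String actions) {
            this.type = type;
            this.name = name;
            this.actions = Arrays.asList(actions.toLowerCase().split("\\s*,\\s*"));
        }

        // Assumption: BasicPermission-style names, "*" or a trailing ".*" is a wildcard.
        boolean covers(String wantedType, String wantedName, String action) {
            if (!type.equals(wantedType) || !actions.contains(action)) {
                return false;
            }
            if (name.equals("*") || name.equals(wantedName)) {
                return true;
            }
            return name.endsWith(".*")
                    && wantedName.startsWith(name.substring(0, name.length() - 1));
        }
    }

    // Matches one encoded entry: (type "name" "actions")
    static final Pattern ENTRY =
            Pattern.compile("\\(\\s*([\\w.$]+)\\s+\"([^\"]*)\"\\s+\"([^\"]*)\"\\s*\\)");

    static List<Grant> parse(String text) {
        List<Grant> grants = new ArrayList<Grant>();
        Matcher m = ENTRY.matcher(text);
        while (m.find()) {
            grants.add(new Grant(m.group(1), m.group(2), m.group(3)));
        }
        return grants;
    }

    static boolean granted(List<Grant> grants, String type, String name, String action) {
        for (Grant g : grants) {
            if (g.covers(type, name, action)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        final String sp = "org.osgi.framework.ServicePermission";
        // Three of the entries from the permission file on the slide.
        String file = "(org.osgi.framework.PackagePermission \"org.osgi.test.cases.*\" \"import\")\n"
                + "(" + sp + " \"org.osgi.test.*\" \"get\")\n"
                + "(" + sp + " \"org.osgi.framework.*\" \"get,register\")\n";
        List<Grant> grants = parse(file);
        for (Grant g : grants) {
            if (g.name.endsWith("*")) { // wildcard grants deserve a second look in review
                System.out.println("wildcard: " + g.type + " " + g.name + " " + g.actions);
            }
        }
        System.out.println("get:      " + granted(grants, sp, "org.osgi.test.cases.Probe", "get"));
        System.out.println("register: " + granted(grants, sp, "org.osgi.test.cases.Probe", "register"));
    }
}
```

With these entries a bundle may get services under org.osgi.test but may not register one there, because the only register grant is scoped to org.osgi.framework.*.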

Permissions

• OSGi introduces a number of specific permissions

• AdminPermission
  – Coarse permissions used to protect administrative APIs
  – Has no parameters

• PackagePermission
  – Allows a bundle to import and/or export a package
  – PackagePermission("org.osgi.service.log", "import,export");

• ServicePermission
  – Allows a bundle to register and get a service
  – ServicePermission("org.osgi.service.log.LogService", "get")


OSGi Security

• Framework callbacks are always done with only the Framework access control context on the stack

• Application code should assume that they have only their own security permissions to take care of

• This is a potential access point into code so programmers should be aware of this

• If this was not done, then for most code the programmer would have to run in privileged code requiring the programmer to create PrivilegedAction objects


Package Admin

• The Framework selects the exported packages autonomously

• Packages, once selected, remain available forever

• After an update or new install, the packages need to be refreshed

– Packages are not automatically refreshed

• The PackageAdmin service provides access to functions to refresh and introspect the state of the system

• The Package Admin is used by the management agent to manage the packages

[Figure: Management Agent, Framework and PermissionAdmin, with Bundle A, Bundle B and Bundle C and packages p1, p2, p3]


PackageAdmin

[Figure: UML diagram: the PackageAdmin interface provides 0..n ExportedPackage objects, identified by name; each ExportedPackage is exported by 1 Bundle and imported by 0..n Bundles]


Package Admin

• getExportedPackage and getExportedPackages return ExportedPackages which supply state information

• refreshPackages can refresh a set of bundles. A null parameter refreshes all

ExportedPackage getExportedPackage(java.lang.String name)

Gets the ExportedPackage object with the specified package name.

ExportedPackage[] getExportedPackages(Bundle bundle)

Gets the packages exported by the specified bundle.

void refreshPackages(Bundle[] bundles)

Forces the update (replacement) or removal of packages exported by the specified bundles.

Bundle getExportingBundle()

Returns the bundle exporting the package associated with this ExportedPackage object.

Bundle[] getImportingBundles()

Returns the resolved bundles that are currently importing the package associated with this ExportedPackage object.

java.lang.String getName()

Returns the name of the package associated with this ExportedPackage object.

java.lang.String getSpecificationVersion()

Returns the specification version of this ExportedPackage, as specified in the exporting bundle's manifest file.

boolean isRemovalPending()

Returns true if the package associated with this ExportedPackage object has been exported by a bundle that has been updated or uninstalled.


Start Level Service

• The Start Level Service provides the following functions:
  – Controls the beginning start level of the OSGi Framework.
  – Is used to modify the active start level of the Framework.
  – Can be used to assign a specific start level to a bundle.
  – Can set the initial start level for newly installed bundles.

• Start Level service can be used for
  – Safe mode – The Management Agent can implement a safe mode. Only fully trusted bundles are started.
  – Splash screen – If the total startup time is long, it might be desirable to show a splash screen during initialization to improve the user experience
  – Handling erratic bundles – Problems can occur because bundles require services to be available when they get activated (this is a programming error). By controlling the start order, the Management Agent can prevent these problems.
  – High priority bundles – Certain tasks such as metering need to run as quickly as possible and cannot have a long startup delay. These bundles can be started first


Start Level Service

[Figure: UML diagram: a management bundle impl. gets the StartLevel interface, which is provided by a Framework impl. (Framework Implementation); an event listener impl. (FrameworkListener) is notified by a FrameworkEvent when the start level has changed]


Bundle Environments

• Bundle Environment – A well defined format with handling rules for defining the classes and methods that a bundle can rely on.

• Machine Processable – It should be easy to process the specification with tools to verify bundles and Service Platforms.

• Standards – It should be based on standards as much as possible. It must be compatible with J2ME


Bundle Environments

• Published as JAR files
  – Can be downloaded from www.osgi.org

• Minimum Execution Environment
  – Is used for test cases and reference implementation
  – Is a proper subset of J2ME Foundation and J2SE
  – Significantly smaller than Foundation but allows for class loaders

• Foundation
  – Based on J2ME Foundation 1.0
  – Submitted by SUN


Stale References

• OSGi is pure Java and therefore misses the possibility to do a full cleanup

• Stale references are object references to “dead” objects
  – Service unregistered
  – Bundle stopped/uninstalled

• Stale references cause class loaders to hang around

• Restarting a bundle will recreate the class loader, this solves most problems and can be done by the Management Agent

• No support from VMs
  – Nullify references

[Figure: stale reference between Bundle A and Bundle B]


Threads

• Threads are Java’s weak spot
  – They cannot be stopped

• The management agent must be aware of the threads that hang and manage the system accordingly, rebooting if necessary

• JSR 121 Isolation API is interesting in this aspect but is currently not compatible with OSGi
  – May be useful in an environment where applications are separated from system software

• A highly secure system would assign a separate thread to each bundle with its own thread group
  – Footprint issues
  – Careful with callbacks


Performance Issues

• OSGi has very little overhead
  – Most actions occur rarely
  – Straightforward implementations are possible

• Initialization is usually the killer
  – Most bundle programmers do not understand that 1 second per bundle is an extra minute boot time for a system with 60 bundles
  – Name lookups and network access in the bundle activator will kill a product
  – Use lazy initialization whenever possible to spread the initialization out over time

• Use initialization time budgets


Performance Issues: Class loading

• Class loading is a major performance hog

• OSGi provides faster class loading because it has a (hash) table linking the class loaders
  – Modularity
  – Standard Java uses a linear class path that must be searched (or indexed)
  – OSGi headers provide this information without effort

[Figure: three groups of packages, each listing package.1, package.2, package.3]


Performance Issues

• Registry must be designed to handle thousands of services
  – This is an explicit assumption to allow simple designs

• Integrate as early as possible, many problems do not show until the system is run in its intended configuration

• Reason about the system, not just the components

• Measure before optimizing …

• Links
  – http://www-106.ibm.com/developerworks/library/j-jtp03253.html?ca=dnt-412
  – “Java 2 Performance and Idiom Guide”, by Craig Larman, Rhett Guthrie


Footprint Issues

• Typically OSGi footprint is
  – ~ 200K JAR file uncompressed
  – ~ 50K + ~10K per bundle dynamic memory
  – Persistent size depends on the size of the bundles

• Class loaders are expensive!
  – Minimize started bundles
  – Stop bundles no longer needed

• Assure that the framework aggressively collects unnecessary memory

• Verify that native code is cleaned up well by the VM!

• OSGi allows sharing of packages
  – Use it!
  – It is possible to use tools to reduce duplicated code (at the expense of more dependencies)

• The OSGi architecture allows aggressive use of optimization techniques due to its event model


Synchronization

• Java monitors are heavily abused in Java
  – Lack of timeout makes deadlocks infinite

• Monitors are intended to guard java structures, calling of other code in a monitor is bad practice
  – Correct usage of monitors looks pretty bad in code
  – No time

• Use higher level constructs instead
  – Semaphores
  – Locks
  – See JSR 166 for a current proposal


Synchronization

• An OSGi system is extremely sensitive to bad synchronization calls
  – Callbacks through multiple bundles

• Frameworks and system code (code calling other bundles) should be written not to hold locks in callbacks

• Locks are


Native Code Algorithm

• Native Code Algorithm much improved in R4

• The Framework must select the native code clause selected by the following algorithm:
  1. Select only the native code clauses for which the following expressions all evaluate to true.
     • osname ~= [org.osgi.framework.os.name]
     • processor ~= [org.osgi.framework.processor]
     • osversion <= [org.osgi.framework.os.version] or osversion is not specified
     • language ~= [org.osgi.framework.language] or language is not specified
  2. If no native clauses were selected in step 1, a BundleException is thrown, terminating this algorithm.
  3. The selected clauses are now sorted in the following priority order:
     1. osversion: osversion in descending order, osversion not specified
     2. language: language specified, language not specified
     3. Position in the Bundle-NativeCode manifest header: lexical left to right.
  – The first clause of the sorted clauses from step 3 must be used as the selected native code clause.

• If a selected native code library cannot be found in the bundle's JAR file, then the bundle installation must fail.
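
The selection steps above, written out as an added example (not the Framework's code and not part of the presentation). The ~= operator is simplified to a case-insensitive comparison, versions are assumed to be dotted numbers, and the clause values are constructed.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added illustration; "~=" is simplified here to a case-insensitive comparison.
public class NativeClauseSelector {

    static final class Clause {
        final String library, osname, processor, osversion, language; // null = not specified

        Clause(String library, String osname, String processor, String osversion, String language) {
            this.library = library;
            this.osname = osname;
            this.processor = processor;
            this.osversion = osversion;
            this.language = language;
        }
    }

    // Compares dotted numeric versions, so that "2.10" sorts above "2.6".
    static int compareVersions(String a, String b) {
        String[] x = a.split("\\."), y = b.split("\\.");
        for (int i = 0; i < Math.max(x.length, y.length); i++) {
            int xi = i < x.length ? Integer.parseInt(x[i]) : 0;
            int yi = i < y.length ? Integer.parseInt(y[i]) : 0;
            if (xi != yi) return xi < yi ? -1 : 1;
        }
        return 0;
    }

    static Clause select(List<Clause> clauses, String os, String cpu, String osVersion, String lang) {
        List<Clause> selected = new ArrayList<Clause>();
        for (Clause c : clauses) { // step 1: all four expressions must hold
            if (c.osname.equalsIgnoreCase(os) && c.processor.equalsIgnoreCase(cpu)
                    && (c.osversion == null || compareVersions(c.osversion, osVersion) <= 0)
                    && (c.language == null || c.language.equalsIgnoreCase(lang))) {
                selected.add(c);
            }
        }
        // Step 2: nothing matched; the Framework throws BundleException at this point.
        if (selected.isEmpty()) throw new IllegalStateException("no matching native code clause");
        // Step 3: List.sort is stable, so equal clauses keep their manifest position.
        selected.sort((a, b) -> {
            if (a.osversion != null && b.osversion != null) {
                int byVersion = compareVersions(b.osversion, a.osversion); // descending
                if (byVersion != 0) return byVersion;
            } else if (a.osversion != null || b.osversion != null) {
                return a.osversion != null ? -1 : 1; // specified before not specified
            }
            if ((a.language == null) != (b.language == null)) {
                return a.language != null ? -1 : 1;
            }
            return 0;
        });
        return selected.get(0);
    }

    public static void main(String[] args) {
        // Constructed clauses, in Bundle-NativeCode manifest order.
        List<Clause> clauses = Arrays.asList(
                new Clause("lib/generic.so", "Linux", "x86", null, null),
                new Clause("lib/k24.so", "Linux", "x86", "2.4", null),
                new Clause("lib/k26.so", "Linux", "x86", "2.6", null),
                new Clause("lib/k26_en.so", "Linux", "x86", "2.6", "en"),
                new Clause("lib/win.dll", "Win32", "x86", null, null));
        System.out.println(select(clauses, "linux", "x86", "2.6.9", "en").library);
        System.out.println(select(clauses, "linux", "x86", "2.5", "de").library);
    }
}
```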


Testing in OSGi

• Test cases are delivered as bundles

• These bundles register a TestCase service which is picked up by the director

• These bundles contain one or more bundles that are downloaded to the target

• Sequencing is done from the control bundle
  – Can download helpers

• Testing is very similar to JUnit with asserts
  – Inherit from TestCaseControl and write methods that begin with test…

[Figure: Test bundle, Director, Target, Control Bundle]


aQute

www.aQute.biz

+15126929173, [email protected]
