The Inane Fuss Over Apple’s Secret Port To The ARM

 Computing  No Responses »
Feb 082012
 

If you read certain articles on the web you might be under the impression that Apple has had a secret project to port OSX to the ARM-based architecture with the intention of producing a cut down (although not necessarily very cut down) Macbook Air running on the ARM architecture.

Which is preposterous.

Firstly this secret project to port OSX was merely bringing up the ‘lower half’ of OSX (Darwin) on a particular variety of ARM-processor. The end result ? Probably something more or less equivalent to a “login” prompt on an old multi-user Unix system with no GUI. That is not to underestimate the accomplishment of the student involved – in many ways that would be a good 75% of the work involved.

But a few key facts here :-

  1. This is not the first port of Darwin (or even OSX) to the ARM-based architecture. Pick up your iThingie … that’s got an ARM inside, and whilst we all call the operating system it runs iOS, it is really OSX with a different skin on. Sure there are some differences and limitations, but they are merely skin deep – at the lowest level they’re both Darwin.
  2. If there’s a secret project to run OSX on an ARM-based laptop of some kind, this ain’t it. Take a closer look at the processor used in this experiment. It’s an ARM processor less capable than that in the very first iPhone. You won’t see it in any new laptops. If this secret experiment had any real product behind it, it would be more likely to be an intelligent embedded device – a really clever fridge or something (and no, not a TV).
  3. If there was a real product behind this, it seems pretty unlikely that Apple would choose a student on work experience to do the work. After all such a student might just spill the beans on a secret project given enough green folding stuff as incentive.

What is probably the case here is that Apple came up with this project for the student as a way of testing whether he was worth considering as a full employee – after all it is a better way of testing a potential employee than asking them to make the tea! And have no intention of using the result as a product.

What they will do however is use the student’s observations to feed back into the OSX team – what problems did he encounter that might qualify as bugs ? Etc.

In reality, Apple probably already has OSX running on ARM based machines in their labs. It’s an obvious thing to try out given that all their iThingies are ARM based, and it is not an enormous amount of extra work to finish off what is already in place to get something that looks and runs like OSX. After all, Apple did ages ago admit that early versions of OSX did run on x86-based processors when their product line was all PowerPC based, and keeping OSX portable across architectures is something they probably want to keep as a possibility.

Will Apple launch an ARM-based Macbook Air ? Not anytime soon. Whilst the value of a 64-bit architecture is over-rated, it would seem unlikely that Apple will ever again launch a 32-bit based “real” computer. But with 64-bit based ARMs arriving in a year or two, who knows ?

Resurrecting “Discovering The Internet”

 Computing, History  No Responses »
Jan 302012
 

Looking through my archives, I realised that my ancient guide to the Internet was no longer online. Whilst really only of historical interest, it seems a shame that it is not available for the terminally bored, or those who wish to investigate what the Internet was like during the 1990s.

An online version is available here with a PDF version also available.

Linux Containers (LXC): What? Why? And How?

 Linux  No Responses »
Jan 212012
 

One of the things I miss from Solaris are the Solaris Containers – zones – which are extremely useful for isolating lightweight services in their own “virtual machines”. This blog entry is about LXC – Linux Containers. There are of course other methods of accomplishing much the same thing with Linux, but LXC has the advantage that the necessary kernel extensions are included by default.

Or in other words it isn’t necessary to compile a custom kernel. Which has advantages in certain environments.

There are of course some disadvantages too – LXC isn’t quite as mature as some of the alternatives, and there’s a few missing features. But it works well enough.

What?

Operating system level virtualisation, or what I prefer to call lightweight virtualisation is a method by which you can run multiple virtual servers on a single physical (or virtual!) machine. Like normal virtualisation supplied by products such as ESX, Hyper-V, etc., light-weight virtualisation allows you to run multiple servers on a single instance of server hardware (actually you can do this on a virtual server too!).

Operating system level virtualisation is not quite the same as full virtualisation where you get a complete virtual machine with a VGA display, a keyboard, mouse, etc. Instead you trick the first program that starts on a normal Unix (or Linux) system – /sbin/init – into believing that it is running on a machine by itself when it is in fact running inside a specially created environment. That is if you want a full virtual operating system; it is also possible to setup an environment so that a container simply starts a single application.

In some ways this is similar to the ancient chroot mechanism which was often recommended for securely installing applications such as BIND which were prone to attack. But it has been improved with greater isolation from the operating system running on the hardware itself.

Note that I said /sbin/init – these containers do not run their own kernel. Merely their own user processes.

Why?

So why are these containers useful ? Especially in a world where virtualisation is ubiquitous and can even be free (VirtualBox, and various KVM solutions). Well of course they are, or they wouldn’t exist – the equivalent of BSD Jails has been introduced for every single remaining Unix-based system as well as Linux.

First of all, containers provide a perfectly viable virtualisation mechanism if all you require are numbers of Linux machines. Indeed it is possible to use this kind of virtualisation on already virtualised machines – for example on a Cloud-based virtual server (as you might get from Amazon) which could potentially save you money.

Secondly, containers provide lightweight virtualisation in that there is little to no overhead in using them. There is no virtualised CPU, no I/O virtualisation, etc. In most “heavyweight” virtualisation solutions the overhead of virtualisation is negligible except for I/O where there is often a considerable performance hit for disk-based applications.

Next if carefully setup, it is possible to reduce the incremental cost of each server installation if you use containers rather than full virtual machines. Every additional server you run has a cost associated with maintaining it in terms of money and time; a variety of different mechanisms can reduce this incremental cost, but there is still a cost there. Containers can be another means of reducing this incremental cost by making it easier to manage the individual servers.

As an example, it is possible to update which DNS servers each container uses by simply copying the /etc/resolv.conf file to each container :-

for container in $(lxc-ls | sort | uniq)
do
  cp /etc/resolv.conf /srv/lxc/${container}/rootfs/etc/resolv.conf
done

It’s also very handy for testing – create a container on a test server to mess around with some component or other to find out how it should be installed, and then throw away the container. This avoids “corrupting” a test server with the results of repeated experiments over time.

Of course there are also reasons why you should not use them.

First of all, it is another virtualisation technology to learn. Not a difficult one, but there is still more to learn.

In addition, it does not provide complete isolation – if you need to reboot the physical server, you will have to reboot all of the containers. So it is probably not a good technology for multiple servers that need to stay up forever – although the only real way of arranging that is to use a load balancer in front of multiple servers (even clustering sometimes requires an outage).

There is also the fact that this is not entirely a mature technology. That is not to say it isn’t stable, but more that the tools are not quite polished as yet

Finally there are hints that containers do not provide complete isolation – someone with root access on a container might be able to escape from the container. Thus it is probably not a good solution to provide isolation for security reasons.

How ?

The following instructions assume the use of Debian, although most modern distributions should be perfectly fine too – I’ve also done this with SLES, and seen instructions for ArchLinux. You can also mix and match distributions – SLES as the master operating system, and Debian for the distribution in the containers. That works perfectly fine.

To see if your currently running kernel supports the relevant extensions, see if the cgroups filesystem is available :-

# grep cgroup /proc/filesystems
nodev	cgroup

If the grep command doesn’t return the output as shown, you will need to upgrade and/or build your own kernel. Which is a step beyond where I’m going.

Initial Setup

Before installing your first container, you need to setup your server to support LXC. This is all pretty simple – the most complicated part is to setup your server to use a bridged adapter as it’s network interface. Which we will tackle first.

To start with, install the bridge-utils package :-

# apt-get install bridge-utils

Next edit your /etc/interfaces file. Leave the section dealing with the loopback interface (lo) alone and comment out anything relating to eth0. Once that’s done, add something to setup the bridge interface (br0) with :-

auto br0
iface br0 inet dhcp
   bridge_ports eth0
   bridge_fd 0

That sets up a bridged interface configured with an address supplied by a DHCP server – not perhaps the best idea for a production server, but perfectly fine for a test server. At least if you have a DHCP server on the network! If you need to configure a static address, copy the relevant parts from your commented out section – the address, netmask, and gateway keywords can be added below bridge_fd.

At this point it is worth rebooting the server to check that the new network interface is working fine. You could perform all of the steps in this initial setup section and do a reboot just at the end, but I prefer to reboot after each step when I’m trying something new. It’s easier to find the horrible mistake when you do it step by step.

Assuming the reboot fine, the next step is to automatically mount the cgroup filesystem. Add the following to the end of the /etc/fstab file :-

cgroup        /cgroup        cgroup        defaults    0    0

Make the /cgroup directory, and try to mount the filesystem :-

mkdir /cgroup
mount /cgroup

At this point you should be able to see a whole bunch of files in the /cgroup directory, but it won’t show up if you try a df. You should also reboot at this point to make sure that the filesystem automatically mounts when the system boots.

The final stage is to install the LXC runtime package :-

apt-get install lxc debootstrap

Note that the LXC package is available for many distributions, and the debootstrap package is a shell script runnable under most distributions given the presence of the right set of tools.

Now we are ready to start creating containers. Well, almost.

Creating Containers

When creating containers, it is usual to use a helper script to do the donkey work of setting this up. The LXC runtime package includes a number of such helper scripts. These scripts are very useful, but it is also worth indicating that they may require some local customisation – for instance the template script I used sets the root password to root; whilst it does suggest that this should be changed when the container is built, it is also very sensible to change this initial password to something at least half-reasonable.

And the longer and more extensively you use containers, the more local customisations you are likely to want. For instance, I tend to use a bind to ensure that the /site filesystem is mounted under each container, so I can be sure that my local scripts and configuration files are available on each and every container easily. So :-

  cd /usr/lib/lxc/templates
  cp lxc-debian lxc-local

When not using Debian, it is possible that the template scripts are installed in the main $PATH. In which case you may choose to remove them, or move them somewhere else to avoid their use in preference to your own versions.

It is also worth creating a template configuration file for the lxc-create script :-

cat > /etc/lxc/lxc.conf
lxc.network.type=veth
lxc.network.link=br0
lxc.network.flags=up
^D

To create your first container :-

  mkdir -p /var/lib/lxc/first
  lvcreate --name root-first --size=768M /dev/debian
  mkfs -t ext3 /dev/debian/root-first
  {Edit /etc/fstab to mount the new filesystem at /var/lib/lxc/first}
  mount /var/lib/lxc/root-first
  lxc-create -n first -t local -f /etc/lxc/lxc.conf

This goes through the process of “bootstrapping” Debian into a directory on your current system and setting up a configuration for your LXC container. Once complete, you are ready to start but first you will notice that I created a filesystem for the container’s root filesystem which should be self-evidently necessary if you want to avoid the possibility of a badly behaved container from bringing down other containers.

There are of course other things you can do at this stage before starting the container for the first time – for instance editing /srv/lxc/first/rootfs/etc/network/interfaces may be necessary to enter a static address which is particularly useful

Starting The Container

Once you have created a container, you will probably want to start it :-

lxc-start --daemon --name=first

You can start a container without the “daemon” option, but this means you are immediately connected to the console and it can be difficult to escape from. To connect to the system’s console try lsx-console, which should result in something like :-

# lxc-console --name=first

Type  to exit the console
--hit return here--
Debian GNU/Linux 5.0 first tty1

first login:

At this point you can login as root, and “fix” your container as you would do with an ordinary server. Install the software you need, make any changes you want, etc.

But there is one most noticeable oddity – rebooting a container does not seem to work properly. It seems to get stuck at the point where a normal server would reset the machine to boot again. Undoubtedly this will be fixed at some point … it’s possible that the fix is relatively simple anyway.

But for now the sequence :-

(in the container) shutdown -h now
(in the server) lxc-stop --name ${name-of-container}
(in the server) lxc-start --name ${name-of-container}

Will have to do.

ICT To Include Programming! At Last!

 Computing, Politics  No Responses »
Jan 112012
 

According to the BBC it has been announced that the current curriculum for computer training (ICT) in schools is to be torn up and replaced. And curiously enough the new curriculum is to include programming to a certain extent – as people have been urging for decades.

The first programming language intended for use by children was the Logo programming language first developed in 1967. So it is not as if this is a new idea.

To many of us, the most interesting aspect of computers is not that they allow us to use applications such as word processors, web browsers, and the like – all very useful tools that I would not want to give up – but that they can be controlled by programming. This could be as low-level as writing a device driver in C, or could be using some application macro language to automate a tedious task.

It is perhaps an over simplification to say so, but to a certain extent programming is that last bit – automating tedious tasks. Computers are good at tedious tasks; humans are not. We should be “teaching” computers to perform tedious tasks for us, and that is called programming.

Programming can of course get rather tricky particularly the lower the level you are getting to, but it can also be quite easy with an interactive language with more or less immediate results. For instance the old BASIC :-

10 for i = 1 to 80
20 print "Hello"
30 next i

Can be quickly typed in and then run gives an immediate result – the computer “says” hello to you. A simple example that can be typed in quickly, modified to give a more personal result … or enhanced to give different and slightly more interesting results. The immediacy is important to hook people in and interest them in programming.

And programming is not just useful for those who want to become programmers. Someone who has been introduced to programming may well be better able to :-

  1. Better specify to an IT department what they need, or the error they’re encountering. This will save time and money.
  2. Better appreciate what is and what is not possible.
  3. Be capable of automating computing tasks themselves – not quite programming, but very similar.

Islands In The Cloud

 Computing  No Responses »
Nov 172011
 

I have an Android phone that automatically uploads photos to Google; you have an iPhone that automatically uploads photos to Apple’s iCloud service. We both want to send photos to a Facebook gallery for some friends.

To solve this problem, we either have to copy photos manually from Google to Facebook, or make use of some special application to do the work for us. But isn’t this the wrong solution to the problem ?

If the different propriety clouds used an open standard for uploading photos, it would be possible to automatically upload to Google from an iPhone, upload to Apple’s iCloud from an Android phone, or … to some new competitor. Or even for those of us who prefer to do our own thing, to our own servers.

As someone who mixes and matches things, I have “islands of data” in different clouds – some photos are uploaded to Facebook (when I can be bothered), some are in Googleland, and some (the ones I regard as the better ones) are uploaded to my own server. And that is just photos; there are also contacts, notes, documents, drawings, etc. None of this can be easily moved from one island to another – sure I could move it manually, but why would I want to do that ? Computers after all are supposed to be good at automation.

This is all down to the convenience of the cloud providers of course – Google makes it easy to use their services and hard to use others because it’s in their interests to do so, Apple is similarly inclined to keep your imprisoned in their “perfumed prison”. And so on.

But it’s all our data and they should make it easy to move our data around. This not only would be useful for us, but less obviously would actually benefit the cloud providers. After all if I find it tricky moving from one online photo gallery “cloud” to another, I’m less inclined to do so.

Making it easier to move cloud data from one provider to another not only means it is easier for a customer to “escape” one proprietary cloud, but it is also easier for a customer of another cloud to move in. And it would not necessarily be that difficult to do – just produce a standardised API that works across multiple different cloud providers, and let the application developers loose.

To a certain extent this is possible right now – for example, Facebook has an API and Twitter has an API and it is possible to produce code to send status updates to both places. But the equivalent to update a Google Plus status does not seem to be available, and combining status updates in one tool just isn’t there as yet – I have a simple script which sits on top of two other tools (and very nicely pops up a window, a text input box, or takes the status on the command line). But with a standardised API, the code would be much easier to write.

 

 Older Entries  Newer Entries