
Hoa Sen University

Secure Process Migration



Nguyn Thnh Tn (081665), Communications and Computer Networks, Hoa Sen University

Abstract
Process migration is the transfer of the necessary amount of information about the state of a process from one machine to another, so that the process can continue executing its work on the machine it is moved to. Today a distributed system is usually built from nodes that are often heterogeneous and are connected by a network. Most of these systems have very large computing capacity. However, this capacity is usually not fully exploited unless mechanisms and software that apply the single system image (SSI) concept are used on top of the physically distributed systems. In this way, a resource on one node can be accessed from any node in the system. This report discusses how process migration works as well as the security issues that arise while performing process migration.

1. Introduction
Over the last two decades, the development of powerful microprocessors and high-speed computer networks has significantly changed the model of computer systems. Centralized computer systems are gradually being replaced by clusters of small computers with high processing power, connected by a high-speed data network. Users, instead of having to work on a device plugged directly into a central computer, now only need a small computer connected to the company's network. This gives users the ability to access all the resources of the system.

However, this capability cannot be fully exploited unless users can access the whole system transparently. Transparency here means that users can access any resource without having to care about (or be aware of) the physical location of that resource. That is what a distributed system provides. The goal of a distributed system is to give users the view of a single timesharing system instead of a collection of independent computers that have been connected into one system. Some well-known distributed systems are Amoeba, Sprite, MOSIX, Condor and so on. Most of these distributed systems run copies of the same operating system on the machines in the system, and these operating system copies give users the image of a single system (SSI).

2. Process Migration
2.1. Definition

A process is the result of the operations performed at the stages of a computation. At any point in time, the state of a process is represented by two components: the initial state and the changes that have occurred during the computation. Before the concept of process migration emerged, remote execution was used as a way for a client to access and process data residing on a server. With remote execution, the client sends functions and parameters to the server for processing. When processing is finished, the server returns the value to the client and the client continues the process.

Figure 1: Remote Execution

After a period of research, remote execution evolved into process migration. Process migration is the transfer of some subset of the information about a process's state to another location, so that an ongoing computation can continue to be carried out correctly.

Figure 2: Process migration

Figure 3: Data flow during process migration

In the case above, the process only starts computing once the process state has been transferred to the destination. In practice, however, a migrated process resumes computing at the destination almost immediately. This can be done by transferring the relevant registers and setting up an address space; the rest of the process state is sent afterwards.

2.2. Types of Process Migration

There are 3 types of process migration:

Total Freezing: the process stops completely until the migration has finished, and only then continues its work. The advantage is that it is easy to implement. The disadvantage is the long freeze time.

Figure 4: Total Freezing

Pretransferring: the process is suspended when the final part of the address space is transferred and continues its work at the destination. The advantage is a shorter freeze time. The disadvantage is that the processing time of the process is prolonged.

Figure 5: Pretransferring

Transfer-on-reference: the process starts working as soon as the migration decision is made, and the data the process needs for its work at the destination is given priority. The advantage is that migration happens quickly. The disadvantage is that it needs more memory and bandwidth.

Figure 6: Transfer-on-reference

2.3. Benefits of Process Migration

Process migration is needed in a distributed system for the following reasons:

Some existing systems may have problems with file access, and process migration can provide a simple solution to them. For example, some distributed file systems do not grant access to remote files from the local machine. When a running process is migrated to another machine that provides a remote execution mechanism, the process can still do its work.

Long-running processes may need to migrate to ensure safety and correctness, as well as to prevent and detect certain faults. For example, an operating system can send a process a notification that the system is about to shut down. In this case, a process that wants to continue executing is migrated to another machine, or it is ensured that the process can continue executing on that machine at a later time.

Process migration can be regarded as a tool for load balancing in a distributed system. This load balancing can have a large effect on the performance of a system.

Whenever a process performs data reduction on a block of data larger than the process itself, it is more advantageous to move the process to where the data is stored. For example, a distributed database system may be asked to perform a join on a remotely accessed data set of size N. If the join is expected to reduce the data volume considerably and the database is very large, migrating the process to the database for processing is better than processing the data from the local machine. Another example is a process that computes statistics over a large amount of data. When the process is migrated, the data transferred consists of the size of the process plus the size of the processed data, whereas with remote execution the data transferred is the size of the remote file.

The resources needed by a remotely executing process may not be available. This is particularly true for some specialized hardware devices. For example, it is hard to provide remote access to systems that implement Fast Fourier Transforms or Array Processing, or such access may slow the system down because of access to real-time data objects.

3. Policy and mechanism
Scheduling processes in a distributed system capable of load balancing involves not only deciding when to run a process but also deciding where to run it. It is generally accepted that process scheduling in a distributed system is carried out by two components, the allocator and the scheduler. The allocator decides where a process runs, and the scheduler decides when the process gets access to the CPU. Basically, every node in the distributed system has its own scheduler, which schedules the processes on the local processor, usually in a time-sharing manner, while the location with the higher priority takes on the processing of the process through the allocator. With only a few small variations, this scheme is widely used in distributed systems. There are two important reasons for its popularity. The first is that each node usually has its own operating system, which allows it to do its own scheduling. The second is modularity: the designer can concentrate on the relatively complex problems of load distribution without having to care about every small detail of scheduling.

The allocator and the scheduler each have their own policy. The allocator's policy is to try to distribute the overall system load to the individual nodes by migrating processes between nodes. The scheduler's policy is simply to examine the set of runnable processes on a node and pick the most suitable one to run, in order to optimize performance. Usually, process scheduling in operating systems works as an ordinary scheduling mechanism, although some systems may use special techniques such as parallel scheduling. In practice, scheduling is usually done on the local machine. The allocator's policy, however, deserves consideration. The allocator not only carries out process migration but also assists the migration mechanism by providing information such as when a node should migrate a process away, when it is appropriate for a process to be migrated in, which node the selected process can be moved to, and so on. The policy modules of the different nodes exchange load information so that they have current load information about the nodes in the system and can make intelligent decisions.

Process management in a Unix system does not easily follow such mechanisms in a distributed environment. This is due to the inherent assumption of a single processor in the design of the system and, more importantly, to the tight coupling of the processes of this subsystem with the other subsystems in typical Unix systems.

4. Security in process migration systems

This section discusses a process migration mechanism in distributed systems, how to strengthen its security, and general solutions that can be applied to process migration systems.

4.1. Mechanism

4.1.1. Authentication

Authentication is applied to client requests by using an authentication mechanism based on privileged ports. A client that wants to perform remote execution sends a request using a UDP socket bound to a privileged port. In current open-source Unix operating systems, ports 1 to 1023 are designated as privileged ports. As a result, only the root user can use these ports, by calling bind() from the BSD socket library. Servers check the ports as well as part of the messages, and discard a message if it was not delivered to the required port. This method helps guard against the risks posed by inexperienced users (without root privileges). Because only root can use a privileged port, processes that do not belong to root are temporarily allowed to call setuid(0) from the system while waiting to be bound to a privileged port. Servers that perform remote execution accept requests on port 300. Authentication of a client node is also performed by the server. The header of the request packet contains the NID (node ID) of the client node. The server looks this NID up in its database to make sure that the node is part of the cluster and is properly configured. If these conditions are not met, the request is dropped. In addition, the server checks whether the NID matches the IP address of the node.

4.1.2. File system

Older systems do not include a cryptographic mechanism that could guarantee that information is stored locally and processed in a secure environment. Furthermore, the protocol assumes the presence of NFS. The Network File System makes it possible to maintain a uniform view of the file system at cluster level. An important point about NFS is its wide availability: it is present in most Unix operating systems and is a necessary feature for letting the protocol work easily when it is moved to different systems and operating systems. In addition, using an existing distributed file system saves time compared with designing a new one.

4.1.3. Nodes database

The protocol assumes that the set of nodes in the load-sharing system is formed statically and that every node knows all the other nodes in the system. Each node has a list containing the IP addresses of all nodes. This list is called the access list. Strictly speaking, the protocol does not support dynamic configuration of the cluster. This restriction reduces the work involved and at the same time adds some security by hindering hostile nodes from joining the cluster. Even so, it is not very hard to add a hostile node as part of the cluster, because there is no secure authentication mechanism here. An intruder only needs to replace (impersonate) a node from the access list, for example by carrying out a DoS (Denial of Service) against a node and taking its IP address.

4.1.4. Messages

The protocol defines a set of messages through which the nodes of a cluster communicate with each other to carry out process migration across the whole cluster. Messages with different names and contents are used for specific purposes in the protocol. There are 3 kinds of messages: request, reply and asynchronous. A node sends a request message to another node when it wants some computation to be performed on its behalf. On receiving a request, a node performs the operations defined in the request message. The receiver sends back a reply message containing the result of the operation. An asynchronous message is sent to another node to notify it that a request has been served. These messages are not answered. The operation performed at a node after it receives a request or a notification may be idempotent, meaning that the effect of performing the operation once is equivalent to repeating it many times. Idempotence plays a major role in fault tolerance. The general structure of a message includes information about the receiver and the sender of the message, the time the message was sent, the action of the receiver after receiving the message, and the actions of the receiver and the sender in case of failure.
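The following C example, added here and not taken from the paper, applies the server-side checks of sections 4.1.1 and 4.1.3 to one received datagram: privileged source port, NID lookup in the access list, NID-to-IP match, and rejection of a repeated Sequence Number. The 20-byte header of five 32-bit big-endian fields, the sample access list and the rule that senders increase Sequence Number are assumptions.

```c
/* Added example, not the paper's code. Assumptions: a 20-byte header of five
 * 32-bit big-endian fields (Total Length, Node ID, Age Number, Sequence Number,
 * Msg ID), a constructed access list, and senders that increase Sequence Number. */
#include <stddef.h>
#include <stdint.h>

enum { HDR_LEN = 20, PRIV_PORT_MAX = 1023 };
enum verdict { ACCEPT, BAD_PORT, BAD_LENGTH, UNKNOWN_NODE, IP_MISMATCH, REPEATED };

struct node { uint32_t nid, ip, last_seq; int seen; };   /* one access-list entry */
static struct node access_list[] = {                     /* constructed sample data */
    { 1, 0x0A000001u, 0, 0 },                            /* NID 1 at 10.0.0.1 */
    { 2, 0x0A000002u, 0, 0 },                            /* NID 2 at 10.0.0.2 */
};

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Fill out[HDR_LEN] with a constructed header-only request. */
void make_request(uint8_t *out, uint32_t nid, uint32_t age, uint32_t seq, uint32_t msg_id) {
    const uint32_t f[5] = { HDR_LEN, nid, age, seq, msg_id };
    for (int i = 0; i < 5; i++)
        for (int b = 0; b < 4; b++)
            out[4 * i + b] = (uint8_t)(f[i] >> (24 - 8 * b));
}

/* Server-side checks on one received datagram and its UDP source address. */
enum verdict check_request(const uint8_t *buf, size_t len, uint32_t src_ip, uint16_t src_port) {
    if (src_port < 1 || src_port > PRIV_PORT_MAX)
        return BAD_PORT;                 /* sender was not bound to a privileged port */
    if (len < HDR_LEN || be32(buf) != len)
        return BAD_LENGTH;               /* truncated, or Total Length disagrees */
    uint32_t nid = be32(buf + 4), seq = be32(buf + 12);
    for (size_t i = 0; i < sizeof access_list / sizeof access_list[0]; i++) {
        struct node *n = &access_list[i];
        if (n->nid != nid)
            continue;
        if (n->ip != src_ip)
            return IP_MISMATCH;          /* NID does not match the sender's IP address */
        if (n->seen && seq <= n->last_seq)
            return REPEATED;             /* repeated or stale Sequence Number */
        n->seen = 1; n->last_seq = seq;
        return ACCEPT;
    }
    return UNKNOWN_NODE;                 /* NID is not in the access list */
}

int main(void) {
    uint8_t pkt[HDR_LEN];
    make_request(pkt, 1, 0, 7, 42);      /* constructed request from NID 1 */
    return check_request(pkt, sizeof pkt, 0x0A000001u, 900) == ACCEPT ? 0 : 1;
}
```

As section 4.1.3 points out, these checks rest only on the sender's IP address and on root-only ports, so a node that takes over a listed address still passes them.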

Figure 7: Header of request and reply messages

The format of request and reply messages consists of a header and data. The header is made up of the first 5 fields of the packet (Figure 3). Total Length is the size of the packet. Node ID identifies the node that sent the message. The server node that receives the message checks the validity of the node ID by looking it up in the access list. Age Number is used to protect the uniqueness of process IDs so that errors are avoided. Sequence Number is used for error checking, for example to detect that a message has been repeated. Msg ID identifies the specific request.

To assemble the reply, the server copies the header of the request packet into the header of the reply packet, and the reply is checked by comparing its Node ID, Age Number and Sequence Number fields with those of the request packet. The result of the requested operation is stored by the server in the Error Code field of the reply packet. In the reply packet, if the Error Code field is -PROCESS_MIGRATED, the following bytes contain the Node ID of the new node on which the remote process carries out its operations. If, while handling a request concerning a remote process, the server cannot find the process on the node, it checks whether it is the original node of the process. If it is, it looks for the entry of the process in the process reference table, and if the entry is found it records the Node ID of the node that is currently running the process and returns the error -PROCESS_MIGRATED together with that Node ID to the client. On receiving this error, the client redirects the remote access session to the new Node ID of the process. This new Node ID field is not shown in the specific reply message format, but is present by default when the Error Code field is -PROCESS_MIGRATED.

4.2. Improving security in the mechanism

When we raise security issues in an SSI system, we are talking about trust relationships. An SSI system blurs the usual boundaries between the inside and the outside of the system. The inside consists of the relationships among all the nodes in the list of the kernels.

4.2.1. Authentication

The authentication mechanism presented above is not secure, because anyone with root privileges is able to break the system. Therefore, in the authentication process of the process migration protocol, security can be strengthened by additionally using strong authentication solutions such as Kerberos, Public Key Infrastructure (PKI) and so on.

4.2.2. File system

Using NFS simplifies the system, but NFS brings two problems: the client fully trusts the remote file server, so it is easily attacked, and user IDs can be spoofed. We therefore need a distributed file system that is more secure than NFS. In this case we can use Self-Certifying File System (SFS), CryptosFS, AFS (or OpenAFS) and Coda. All of these protocols include cryptographic techniques for the distributed file system. However, we can also configure NFS over ssh to take advantage of the simplicity and availability of NFS. This approach also brings many benefits when used together with NAT.

4.2.3. Nodes database

To prevent a hostile node from joining the cluster, security can be strengthened by splitting the database into two parts. A static part keeps a list of IP addresses as before; these are the nodes that are considered fully trusted. On the other hand, there is a dynamic list that allows nodes to be added to the cluster flexibly. This list can be implemented with a method that uses encryption algorithms and digital signatures to securely authenticate nodes that have just joined the cluster (avoiding Man in the Middle, MiM, attacks). Depending on the security of the surrounding environment, nodes belong to the static or the dynamic part of the list. Where stronger security is needed for the nodes in the static list, a key exchange is added for each node while the INIC packets are being sent.

4.2.4. Confidentiality and integrity of communication

The ordinary message-passing protocol has no form of protection against packets being interrupted, modified or tampered with. The simplest way to solve these problems is to add security at the IP level. IPSec supports numerous authentication and encryption mechanisms, and by using Encapsulating Security Payload (ESP) mode, IPSec can encrypt all layer 3 network traffic. In addition, a VPN can be deployed to the nodes participating in the cluster to secure the boundary between the inside and the outside of the system.
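The client side of the reply handling in section 4.1.4, as an added C example that is not code from the paper: a reply is accepted only if it echoes the Node ID, Age Number and Sequence Number of the pending request, and a -PROCESS_MIGRATED redirect is followed only when the new Node ID is in the access list (this last check is an addition, in line with the trust concerns of section 4.2). The header widths, the position of Error Code directly after the header, and the numeric value of PROCESS_MIGRATED are assumptions.

```c
/* Added example, not the paper's code. Assumed layout: 20-byte header of five
 * 32-bit big-endian fields (Total Length, Node ID, Age Number, Sequence Number,
 * Msg ID), then a signed 32-bit Error Code, then the optional new Node ID. */
#include <stddef.h>
#include <stdint.h>

enum { HDR_LEN = 20, PROCESS_MIGRATED = 1000 };      /* numeric value is a placeholder */
enum action { DELIVER, REDIRECT, DROP };
static const uint32_t access_list[] = { 1, 2, 3 };   /* constructed NIDs of known nodes */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Write a constructed message: header fields f[1..4], then n extra 32-bit words. */
size_t make_msg(uint8_t *out, const uint32_t f[5], const uint32_t *extra, size_t n) {
    size_t len = HDR_LEN + 4 * n;
    for (size_t i = 0; i < 5 + n; i++) {
        uint32_t v = i == 0 ? (uint32_t)len : i < 5 ? f[i] : extra[i - 5];
        for (int b = 0; b < 4; b++)
            out[4 * i + b] = (uint8_t)(v >> (24 - 8 * b));
    }
    return len;
}

/* Decide what the client does with a reply to its pending request `req`. */
enum action handle_reply(const uint8_t *req, const uint8_t *rep, size_t len, uint32_t *next_nid) {
    if (len < HDR_LEN + 4 || be32(rep) != len)
        return DROP;                                 /* too short, or Total Length disagrees */
    for (size_t off = 4; off <= 12; off += 4)        /* Node ID, Age Number, Sequence Number */
        if (be32(rep + off) != be32(req + off))
            return DROP;                             /* reply does not match this request */
    if ((int32_t)be32(rep + HDR_LEN) != -PROCESS_MIGRATED)
        return DELIVER;                              /* ordinary result or error code */
    if (len < HDR_LEN + 8)
        return DROP;                                 /* redirect without a new Node ID */
    uint32_t nid = be32(rep + HDR_LEN + 4);
    for (size_t i = 0; i < sizeof access_list / sizeof access_list[0]; i++)
        if (access_list[i] == nid) { *next_nid = nid; return REDIRECT; }
    return DROP;                                     /* new node is not in the access list */
}

int main(void) {
    uint8_t req[HDR_LEN], rep[HDR_LEN + 8];
    const uint32_t hdr[5] = { 0, 2, 1, 7, 42 };      /* constructed request fields */
    const uint32_t moved[2] = { (uint32_t)-PROCESS_MIGRATED, 3 };
    uint32_t next = 0;
    make_msg(req, hdr, NULL, 0);
    size_t n = make_msg(rep, hdr, moved, 2);
    return handle_reply(req, rep, n, &next) == REDIRECT && next == 3 ? 0 : 1;
}
```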

5. Deploying a cluster system

5.1. Development direction
A cluster designed with the characteristics above delivers high performance and is able to balance load across the system. In addition, process migration within a cluster helps optimize storage space, prevent faults, give access to local data, and so on. Such a cluster system can be raised to a grid computing system in which each component is a cluster instead of a node.

Figure 2 is an example of such a grid system. Suppose Cluster A is overloaded while the other clusters are idle. In this case, cluster A migrates work to the other clusters to ensure that the load is shared across all resources.

Figure 8: Grid computing system model

5.2. System requirements

To build such a system, the following characteristics must be ensured:
- Hierarchical administration
- Communication protocol: it must include QoS parameters such as latency, bandwidth, reliability, fault resistance, jitter control ...
- Information services in the system
- Naming service
- Distributed file system
- Security
- Fault tolerance
- Resource management
- Communication outside the network
- User interface
- ...

6. Conclusion
Process migration is regarded as an important feature in many systems. It helps ensure load balancing as well as increase the performance of the system. Securing the process migration procedure is therefore something that should be done. Configuring process migration well benefits both users and administrators. Today, besides the direction of developing process migration from a group of servers into a grid computing system, process migration can also be used for mobile devices.

7. References

[1] Jonathan M. Smith, A Survey of Process Migration Mechanisms
[2] Yeshayahu Artsy and Raphael Finkel, Designing a process migration facility: The Charlotte experience
[3] Edward R. Zayas, Attacking the Process Migration Bottleneck
[4] Javier Echaiz and Jorge Ardenghi, Security in Process Migration Systems
