Proactive Infrastructure:Proactive Infrastructure:The Ninja Service Platform The Ninja Service Platform

David Culler, Eric Brewer, Anthony Joseph & Randy Katz

UC Berkeley

ninja.cs.berkeley.edu

Moving Away from the ‘average’ Device

ScalableInternet Services - millions of clients - always up

Infomationappliances

Client

Server

Core Questions

• Scalable, Highly Available Services => well-Scalable, Highly Available Services => well-engineered, well- maintained and relatively engineered, well- maintained and relatively centralized platformscentralized platforms – How do we preserve the distributed innovation of the

personal computer era in a service-centric world

• Emerging devices are diverse and highly Emerging devices are diverse and highly constrainedconstrained– How do we deliver powerful services on small devices?

=> Push services into an Active infrastructure=> Push services into an Active infrastructure

Ninja Project Goals

• Enable a service-centric world (rather than applications)Enable a service-centric world (rather than applications)– Move applications into the core of the network

• Robust infrastructure for services:Robust infrastructure for services:– Scalable, highly available, and persistent

– Customizable: enable personal preferences (and code!)

– Support a wide-range of devices: pagers to PCs

– Easy to author despite these challenges

• Universal framework for constructing and deploying servicesUniversal framework for constructing and deploying services– Programming model and execution environment for scalable services

– Authentication and pay-per-use services

– Automatic discovery, composition and use of sub-services

Ex: Personal Information Management

Voice Mail store Laptop (VAT)

Univ-InboxService

E-Mail store

DirectoryServer1

AP1

AP2

AP3

AP4

GSM

AP5

IP Core NetworkPSTN

DirectoryServern

• Users (will) have lots of (new) end devices• Each device has its own address, capabilities, etc.• Universal Inbox gives users control over how info reaches them• Transcoders adapt content to end device

Example: Ninja Jukebox

CD “ripper”service

CDDBservice

iSpace

Fetches track/title & artist information from an online DB.

1

iSpace

Music Directoryservice

HTTPdservice

Pushes an index of locally available songs to the master directory.

2

WWW Browser

Web page with song playlists

3

.au/.mp3 player

Music stream (.au or .mp3)

4

Example: Millennium Cluster

• Large-Scale Campus-wide TestbedLarge-Scale Campus-wide Testbed• Management by ServicesManagement by Services

– push monitoring service into nodes

– clusterview service logs, aggregates, manages

• Resource allocation by market servicesResource allocation by market services– banks, brokers, merchants

Cell PhonesPDAs Future Devices

Wireless DesktopPCs

Servers

Clusters

Massive Cluster

Gigabit Ethernet

Traditional Internet Service

DATEK(Trust Contract)Trusted

Clienthttps

Infrastructure Services: Embedded Untrusted Interface

Key Store

DATEK(Trust Contract)Trusted

Clienthttps

Content Filter(pseudonym)

sRMI

NINJA Infrastructure Services

EmbededUntrusted

Client

https

Example: One Time Passwd to pseudo-service

• Cannot increasing the security level of the communications Cannot increasing the security level of the communications channel so decrease the value of the content.channel so decrease the value of the content.

Constrained Personal Info Appliance - Untrusted Gateway

Key Store

DATEK(Trust Contract)Trusted

Client

Content Filter(pseudonym)

https

EmbededUntrusted

Client

https

sRMIPersonalAppl

CF

NINJA

GWY RMIPXY ST

Example: Minimal Trader

• Shared secret between Shared secret between user and keystoreuser and keystore

• keystore maps to service keystore maps to service identity / authenticationidentity / authentication

• Content filter transcodes Content filter transcodes to very concise info to to very concise info to pilotpilot

Uniform Access to Diverse Services

Key Store

RMIPXY

DATEK(Trust Contract)Trusted

Client

Content Filter(pseudonym)

https

EmbededUntrusted

Client

https

sRMIPersonalAppl GWY

CF

NINJA

Trade-R-usTrade-R-us

ST

Automated “Clients”, ...

Key Store

RMIPXY

DATEK(Trust Contract)Trusted

Client

Content Filter(pseudonym)

https

EmbededUntrusted

Client

https

sRMIPersonalAppl GWY

CF

NINJA

Trade-R-usTrade-R-us

BOT svc

ST

Requirements Summary

• Utility: scalable, highly available, reliableUtility: scalable, highly available, reliable• Support for persistent dataSupport for persistent data• Support for streams, not just RPCSupport for streams, not just RPC• Support for automatic data transformationSupport for automatic data transformation• Support for fine-grain authentication and paymentSupport for fine-grain authentication and payment

The Ninja architecture addresses theseThe Ninja architecture addresses these

What is a Service?• ServiceService

– Highly available program (or cooperating programs)• fixed interface at a fixed location (lives in the infrastructure)

• guarantees about performance, availability, consistency

– Strongly typed interface• Multiple services of a given type compete

• Compete on location, price, robustness, “quality”, brand name

• Service Discovery Service (SDS)Service Discovery Service (SDS)– Find “best” service of given type

• current approach based on weighted statistical matching

– Construct a “path” from client to service

• Bases (1M’s)Bases (1M’s)– scalable, highly available– persistent state (safe)– databases, agents– “home” base per user– service programming environment

Wide-Area Path

• Active Proxies (100M’s)Active Proxies (100M’s)– not packet routers – bootstrap thin devices into

infrastructure– soft-state and well-connected

• Units (1B’s)Units (1B’s)– sensors / actuators– PDAs / smartphones / PCs– heterogeneous– Minimal functionality: “Smart Clients”

Impose Structure to Simplify

Bases

• A physical, administrative, and logical boundaryA physical, administrative, and logical boundary– a collection of machines geographically co-located

– administrative guarantees: no network partitions (!), constant power supply, trust within the Base

• Base platform simplifies authoring of servicesBase platform simplifies authoring of services– cluster primitives

• task execution, naming, and monitoring

• load balancing, failure detection, and restart

– persistent data primitives and guarantees• distributed, available data structures

• Hides service implementation from rest of worldHides service implementation from rest of world– granularity of services is at cluster level, not node level

Base Implementation

• iSpace: the building block of a BaseiSpace: the building block of a Base– receptive execution environment

– intra-Base primitives (stub generation, persistent data repository, etc.)

• Multispace: cluster-wide naming and resource mgmtMultispace: cluster-wide naming and resource mgmt

iSpace

SAN

Multispace cluster

iSpace iSpace iSpace

JVM provides code mobility and service upload capability, plus strong typing of service interfaces. Added distributed hash table API (think Linda space) to JRE.

Ground up re-implementation of Sun RMI. Includes authenticated, secure RMI, multicast RMI, and soon, AM-RMI and VIA-RMI.

Name service, RMI stub registry, and service control API:

• LoadService (URL)• interf.[ ]=ListServices• stub=GetService(name)• KillService(name)

KillService semantics unclear… objects vs threads?

Sandbox that contains untrusted, uploaded services. Currently just the JRE’s standard appletSecurityMgr

Service is an interface, plus objects that implement that interface.

Tru

sted

Serv

ices

Ninja RMI

iSpace Execution Environment

JVM + persistent store APIs

Security Mgr Loa

der

UntrustedServices

iSpace

Multispace

iSpace

Multispaceservices

Mul

tisp

ace

Loa

der

• RMI “Redirector Stubs” assembledRMI “Redirector Stubs” assembled– run-time compiled RMI superstub

– contains all of a service’s instance’s stubs

– stub selection policy• fail-over, broadcast, multicast, fork, etc.

– currently, idempotency and atomicity required of service instances

1

2

3

Services names are at the granularity of the entire cluster, not individual nodes.

Distributed Data Structures

• Solve the state management problem once and Solve the state management problem once and provide high-level abstractions to service authorsprovide high-level abstractions to service authors– Hypothesis: given a set of highly-available, scalable,

persistent data structures, persistent BASE services will be much easier to construct

• Example data structures:Example data structures:– append/truncate-only LogLog

• system logging, generational mailstore, undo/redo logs, etc.

– Hash tableHash table• web cache, search index/data, mint accounts, etc.• consistent, persistent, and highly available

– Tree Tree // Trie Trie // Treap Treap

Active Proxy

• Local execution environment (interchangeable)Local execution environment (interchangeable)• No support for persistent data (soft state)No support for persistent data (soft state)• Runs an iSpace but not a MultiSpaceRuns an iSpace but not a MultiSpace• Bootstraps small devices into the infrastructureBootstraps small devices into the infrastructure

– could run Jini or other local discovery mechanisms

– could be in a home or basestation

– performs resource discovery and path creation for the device

– typically well connected (while device is not)

Fast Communication and I/O in Java

• Scalable Ninja services need full Scalable Ninja services need full capabilities of Base devicescapabilities of Base devices– fast SAN, IO rivers

• JNI overhead too largeJNI overhead too large– can violate type safety– chokes JVM

• JDI by JIT interpositioningJDI by JIT interpositioning– intelligent devices reflected as Java

objects– JIT interprets operations on devices– data buffers bypass JVM– ex: Java AM over VIA on Myrinet

JVM JDI?

Scalable SVC

Proc Intelligentdevices

Streamingdata

Status

• Several services running all the timeSeveral services running all the time

• Release 1.0 now availableRelease 1.0 now available– contact info: ninja.cs.berkeley.edu– Includes:

• NinjaRMI, including authentication• iSpace/MultiSpace infrastructure• SDS (soon)• Several example services, including Ninja Jukebox

• Active current focus:Active current focus:– driving applications: e-mail, group calendar– service discovery & path creation– Java I/O and fast communication– cluster-wide data structures

Existing Applications

• Ninja "NOW Jukebox"Ninja "NOW Jukebox"– Harnesses Berkeley Network of Workstations

– Plays real-time MPEG-3 audio served from 110+ CD's worth of music

• Voice-enabled room controlVoice-enabled room control– Speech-to-text Operators control room services (camera, lights, microphone)

– Integration with GSM cell phones and PDA-based UI (soon)

• Stock Trading ServiceStock Trading Service– Accesses real-time stock data from Internet

– Programmatic interface to buy/sell/trade stocks through online brokerage

• NinjaFAXNinjaFAX– Programmable remotely-accessed FAX machine service

– Send/receive FAXes; authentication used for access control

• Keiretsu: The Ninja Pager ServiceKeiretsu: The Ninja Pager Service– Provides instant messaging service via Web, 1/2-way pagers, WorkPads, etc.

Coming Applications

• Universal InboxUniversal Inbox– e-mail, FAX, pager, voicemail accessible anywhere

– persistent data (yes we will use it!)

• Infrastructure-based group calendarInfrastructure-based group calendar– handles both web and PDA access

– supports disconnected operation

• Universal RemoteUniversal Remote– multiple-UI control of household/room devices

– automatic UI generation

• Ecash MintEcash Mint– Authenticated service to act as digital secure cash mint

– Enable real pay-per-use services (e.g. Coke machine)

Ninja Requirements Summary• Utility: scalable, highly available, reliableUtility: scalable, highly available, reliable

– Base, MultiSpace, Smart Client, NinjaRMI, and mobile code

– Architecture for easy development/deployment of services

• Support for persistent dataSupport for persistent data– Base and persistent hash tables

• Support for streams, not just RPCSupport for streams, not just RPC– Operators and wide-area paths

• Support for automatic data transformationSupport for automatic data transformation– Wide-area paths: Strong typing & Automatic Path Creation

– Span spectrum of end-user devices dynamically

• Support for fine-grain authentication and paymentSupport for fine-grain authentication and payment– Authenticated and pay-per-use services

To Read More

• http://ninja.cs.berkeley.eduhttp://ninja.cs.berkeley.edu• The MultiSpace: an Evolutionary Platform for The MultiSpace: an Evolutionary Platform for

Infrastructural Services, S. Gribble, Welsh, Brewer, and Infrastructural Services, S. Gribble, Welsh, Brewer, and Culler. 1999 Usenix Annual Technical Conference.Culler. 1999 Usenix Annual Technical Conference.

• An Architecture for a Secure Service Discovery Service, An Architecture for a Secure Service Discovery Service, Czerwinski, Zhao, Hodes, Joseph, and Katz., MobiCom '99Czerwinski, Zhao, Hodes, Joseph, and Katz., MobiCom '99