Solaris: What comes next?
- by alanc
As you probably know by now, a few months ago, we released
Solaris 11 after years of development.
That of course means we now need to figure out what comes next -
if Solaris 11 is “The First Cloud OS”, then what do
we need to make future releases of Solaris be, to be modern and
competitive when they're released? So we've been having planning
and brainstorming meetings, and I've captured some notes here from
just one of those we held a couple weeks ago with a number of the
Silicon Valley based engineers.
Now before someone sees an idea here and calls their product rep
wanting to know what's up, please be warned what follows are rough
ideas, and as I'll discuss later, none of them have any commitment,
schedule, working code, or even plan for integration in any possible
future product at this time. (Please don't make me force you to read
the full Oracle future product disclaimer here, you should know it by
heart already from the front of every Oracle product slide deck.)
To start with, we did some background research, looking at ideas
from other Oracle groups, and competitive OS'es. We examined what was hot in
the technology arena and where the interesting startups were heading. We
then looked at Solaris to see where we could apply those ideas.
Making Network Admins into Socially Networking Admins
We all know an admin who has grumbled about being the only one stuck late
at work to fix a problem on the server, or having to work the weekend alone
to do scheduled maintenance. But admins are humans (at least most are), and
crave companionship and community with their fellow humans. And even when
they're alone in the server room, they're never far from a network connection,
allowing access to the wide world of wonders on the Internet.
Our solution here is not building a new social network - there's enough of
those already, and Oracle even has its
own Oracle Mix social network already. What we proposed is integrating
Solaris features to help engage our system admins with these social networks,
building community and bringing them recognition in the workplace, using
achievement recognition systems as found in many popular gaming platforms.
For instance, if you had a Facebook account, and a group of admin friends
there, you could register it with our Social Network Utility For Facebook,
and then your friends might see:
Alan earned the achievement Critically Patched (April 2012) for patching all his servers.
Matt is only at 50% - encourage him to complete this achievement today!
To avoid any undue risk of advertising who has unpatched servers that are
easier targets for hackers to break into, this information would be tightly
protected via Facebook's world-renowned privacy settings to avoid it falling
into the wrong hands.
A related form of gamification we considered was replacing simple
certifications with role-playing-game-style Experience
Levels. Instead of just knowing an admin passed a test establishing a
given level of competency, these would provide recruiters with a more
detailed level of how much real-world experience an admin has. Achievements such
as the one above would feed into it, but larger numbers of experience
points would be gained by tougher or more critical tasks - such as recovering
a down system, or migrating a service to a new platform. (As long as it
was an Oracle platform of course - migrating to an HP or IBM platform would
cause the admin to lose points with us.)
Unfortunately, we couldn't figure out a good way to prevent (if you will)
“gaming” the system. For instance, a disgruntled admin might
decide to start ignoring warnings from FMA that a part is beginning to fail
or skip preventative maintenance, in the hopes that they'd cause a
catastrophic failure to earn more points for bolstering their resume as they
look for a job elsewhere, and not worrying about the effect on your business
of a mission critical server going down.
More Z's for ZFS
Our suggested new feature for ZFS was inspired by the world's most successful
Z-startup of all time: Zynga.
Using the Social Network Utility For Facebook described above,
we'd tie it in with ZFS monitoring to help you out when you find yourself
in a jam needing more disk space than you have, and can't wait a month to
get a purchase order through channels to buy more. Instead with the click
of a button you could post to your group:
Alan can't find any space in his server farm! Can you help?
Friends could loan you some space on their connected servers for a few
weeks, knowing that you'd return the favor when needed. ZFS would
create a new filesystem for your use on their system, and securely
share it with your system using Kerberized NFS.
If none of your friends have space, then you could buy temporary use space
in small increments at affordable rates right there in Facebook, using your
Facebook credits, and then file an expense report later, after the urgent
need has passed.
Universal Single Sign On
One thing all the engineers agreed on was that we still had far too many
"Single" sign ons to deal with in our daily work. On the web, every web
site used to have its own password database, forcing us to hope we could
remember what login name was still available on each site when we signed
up, and which unique password we came up with to avoid having to disclose
our other passwords to a new site.
In recent years, the web services world has finally been reducing the number
of logins we have to manage, with many services allowing you to login using
your identity from Google, Twitter or Facebook. So we proposed following
their lead, introducing PAM modules for web services - no more would you have
to type in whatever login name IT assigned and try to remember the password
you chose the last time password aging forced you to change it - you'd
simply choose which web service you wanted to authenticate against, and
would login to your Solaris account upon receipt of a cookie from their
identity service.
Pinning notes to the cloud
We also all noted that we all have our own pile of notes we keep in our daily
work - in text files in our home directory, in notebooks we carry
around, on white boards in offices and common areas, on sticky notes on our
monitors, or on scraps of paper pinned to our bulletin boards. The contents
of the notes vary, some are things just for us, some are useful for our groups,
some we would share with the world.
For instance, when our group moved to a new building a couple years ago,
we had a white board in the hallway listing all the NIS & DNS servers,
subnets, and other network configuration information we needed to set up
our Solaris machines after the move. Similarly, as Solaris 11 was finishing
and we were all learning the new network configuration commands, we shared
notes in wikis and e-mails with our fellow engineers.
Users may also remember one of the popular features of Sun's old BigAdmin
site was a section for sharing scripts and tips such as these. Meanwhile,
the online "pin board" at Pinterest is
taking the web by storm. So we thought, why not mash those up to solve
this problem?
We proposed a new BigAddPin site where users could “pin”
notes, command snippets, configuration information, and so on. For instance,
once they had worked out the ideal Automated Installation manifest for their
app server, they could pin it up to share with the rest of their group, or
choose to make it public as an example for the world. Localized data,
such as our group's notes on the servers for our subnet, could be shared
only to users connecting from that subnet. And notes that they didn't want
others to see at all could be marked private, such as the list of phone
numbers to call for late night pizza delivery to the machine room, the
birthdays and anniversaries they can never remember but would be sleeping
on the couch if they forgot, or the list of automatically generated
completely random, impossible to remember root passwords to all their servers.
For greater integration with Solaris, we'd put support right into the
command shells — redirect output to a pinned note, set your path to include
pinned notes as scripts you can run, or bring up your recent shell history
and pin a set of commands to save for the next time you need to remember how
to do that operation.
Location service for Solaris servers
A longer term plan would involve convincing the hardware design groups
to put GPS locators with wireless transmitters in future server designs.
This would help both admins and service personnel trying to find servers
in today's massive data centers, and could feed into location presence apps
to help show potential customers that while they may not see many Solaris
machines on the desktop any more, they are all around. For instance,
while walking down Wall Street it might show “There are
over 2000 Solaris computers in this block.”
[Note: this proposal was made before the recent media coverage of a
location service aggregator app with less noble intentions, and in hindsight,
we failed to consider what happens when such data similarly falls into the
wrong hands. We certainly wouldn't want our app to be misinterpreted as
“There are over $20 million dollars of SPARC servers in this building,
waiting for you to steal them.” so it's probably best it was rejected.]
Harnessing the power of the GPU for Security
Most modern OS'es make use of the widespread availability of high powered
GPU hardware in today's computers, with desktop environments requiring 3-D
graphics acceleration, whether in Ubuntu Unity, GNOME Shell on Fedora, or
Aero Glass on Windows, but we haven't yet made Solaris fully take advantage
of this, beyond our basic offering of Compiz on the desktop.
Meanwhile, more businesses are interested in increasing security by using
biometric authentication, but must also comply with laws in many countries
preventing discrimination against employees with physical limitations such
as missing eyes or fingers, not to mention the lost productivity when
employees can't login due to tinted contacts throwing off a retina scan
or a paper cut changing their fingerprint appearance until it heals.
Fortunately, the two groups considering these problems put their heads
together and found a common solution, using 3D technology to enable
authentication using the one body part all users are guaranteed to have -
pam_phrenology.so, a new PAM module that uses an array of USB attached web
cams (or just one if the user is willing to spin their chair during login)
to take pictures of the user's head from all angles, create a 3D model and
compare it to the one in the authentication database. While Mythbusters
has shown how easy it can be to fool common fingerprint scanners, we have
not yet seen any evidence that people can impersonate the shape of
another user's cranium, no matter how long they spend beating their head
against the wall to reshape it.
This could possibly be extended to group users, using modern versions of
some of the older phrenological studies, such as giving all users with
long grey beards access to the System Architect role, or automatically
placing users with pointy spikes in their hair into an easy use mode.
Unfortunately, there are still some unsolved technical challenges we haven't
figured out how to overcome.
Currently, a visit to the hair salon causes your existing authentication to
expire, and some users have found that shaving their heads is the only way
to avoid bad hair days becoming bad login days.
Reaction to these ideas
After gathering all our notes on these ideas from the engineering
brainstorming meeting, we took them in to present to our management.
Unfortunately, most of their reaction cannot be printed here, and they chose
not to accept any of these ideas as they were, but they did have some
feedback for us to consider as they sent us back to the drawing board.
They strongly suggested our ideas would be better presented if we
weren't trying to decipher ink blotches that had been smeared by the
condensation when we put our pint glasses on the napkins we were taking
notes on, and to that end let us know they would not be approving any
more engineering offsites in Irish themed pubs on the Friday of a Saint
Patrick's Day weekend. (Hopefully they mean that situation specifically and
aren't going to deny the funding for travel to this year's X.Org Developer's
Conference just because it happens to be in Bavaria and ending on the
Friday of the weekend Oktoberfest starts.)
They recommended our research techniques could be improved over just sitting
around reading blogs and checking our Facebook, Twitter, and Pinterest
accounts, such as considering input from alternate viewpoints on topics
such as gamification.
They also mentioned that Oracle hadn't fully adopted some of Sun's common
practices and we might have to try harder to get those to be accepted now
that we are one unified company.
So as I said at the beginning, don't pester your sales rep just yet for
any of these, since they didn't get approved, but if you have better ideas,
pass them on and maybe they'll get into our next batch of planning.