Layers and abstractions
In software, we tend to build abstraction layers. But, at times, those layers get in the way, so we squash them. In a talk at SCALE 17x in Pasadena, CA, Kyle Anderson surveyed some of the layers that we have built and squashed along the way. He also looked at some of the layers that are being created today with an eye toward where, how, and why they might get squashed moving forward.
When he thinks about layers, he thinks about abstractions and the separation of concerns principle. Those two are "kind of the same to me", he said. To set the stage, he put up some quotes about abstraction from computer scientists, which can be seen in the YouTube video of the talk. He also mentioned Rich Hickey's "Simple Made Easy" talk, which Anderson said was "kind of the opposite" of his talk, so he encouraged attendees to watch it as a counterpoint.
Squashing layers
The first of the layer squashes he wanted to talk about was DevOps. He said he started with that because it is more or less non-controversial; since 2009, the software industry has agreed that DevOps is a good thing. DevOps came about as a reaction to the traditional thinking that the responsibilities for a deployed software stack should be broken up into a bunch of layers, each of which had its own person or group responsible for it. So deployment, build/release, QA, code and unit tests, task decomposition, UI wireframes, and features were each owned by their own entity (e.g. product manager for features, developers for the code and unit tests, operations for deployment).
That all looks nice on the slide, he said, but whenever he shows something like that, he would like the audience to ask: "what if we got rid of some of the layers?" That's what happened with DevOps: the developers became responsible for most of that stack (other than features and UI wireframes). Developers are responsible for breaking things up into tasks, writing code and tests, doing QA, making sure it all builds, and deploying the result into production.
What are the tradeoffs involved with squashing those layers? He works at Yelp, which uses the DevOps model. The company has found that DevOps leads to increased performance, at least in terms of the number of deployments per day. Deployments are faster, as are rollbacks, which gives a faster "time to recovery". It is somewhat harder to hire for, however, as some developers are not interested in handling production and deployment. There is also more inter-team communication, which adds overhead. Overall, though, Yelp, like much of the rest of the industry, has found DevOps to be a beneficial change.
The next layers he described were those for filesystems. In a traditional Linux filesystem stack, there are neat layers starting with the block device at the bottom, RAID and volume-management above that, dm-crypt for encryption, an ext4 or other traditional filesystem layer, and finally the files themselves available at a mount point. As instructed, the audience said: "what if we got rid of some of the layers?"
If you did so, that would look a lot like ZFS, which is a non-traditional filesystem that has squashed those layers into the filesystem itself. ZFS handles RAID, encryption, pools for volume management, and so on. There clearly is no separation of concerns for ZFS. Is that a good thing? It does lead to better error detection and recovery because ZFS is concerned with the block layer all the way up to the files themselves; it has checksums at each level. ZFS can also do deduplication more easily and take faster snapshots.
Sympathetic abstraction
To explain what is going on with ZFS, Anderson introduced the idea of a "sympathetic abstraction". It can be thought of as an "intentional leakiness" where layers are sympathetic to those above and below. For example, ZFS is sympathetic to whether the block device it runs on is spinning rust or an SSD. ZFS is also sympathetic to errors that can occur on the raw block device, while ext4 and other traditional filesystems are not: they leave that kind of error handling to some other layer below.
These kinds of sympathetic abstractions happen all the time, he said. For example, SSH sets the TCP_NODELAY option (to disable Nagle's algorithm) for interactive sessions. But SSH should not care what transport it is running on; it should be able to run on top of UDP tunneled inside DNS packets. The Apache Cassandra database wants to know if it is running on spinning rust or SSD; shouldn't that be the concern of layers below it?
He introduced "Kyle's Abstraction Law", which he has come up with, though it is "not canon", he cautioned. It says that over time, layers tend toward becoming more sympathetic (or merged) in the pursuit of performance. We start off with "beautiful layers", each with a single purpose; over time, we realize the picture is not quite so clear cut, so we squash the layers some.
Next up was HTTP and HTTPS. In order to talk about HTTPS in terms of layers, he wanted to start with the OSI seven-layer model for networking. It came out in 1984 and when he learned about it, it made a lot of sense; it was a "great way to think about how we build our networks".
So he showed how HTTPS "fit" into the OSI model. On his laptop, both the physical and link layers (layers 1 and 2) are 802.11, which already shows some layer squashing. The network and transport layers (3 and 4) are IP and TCP, but then things (further) break down. Layer 5 is the session layer, but HTTP is "stateless", so that doesn't seem to apply. HTTPS runs atop SSL/TLS, but where does that encryption go? As layer 6, since there is no other place to put it? That puts HTTP in layer 7.
That all looks a bit weird, he said. But it is because the IETF, which oversees the internet protocols, does not intend them to conform to the OSI model. It turns out that there are several layer models out there, with differing numbers of layers. So he thought the OSI model was the territory, but it was really just one of the maps of it.
What if we got rid of some of the layers? We have, he said, and it is called QUIC. It sits atop UDP, rather than TCP, and handles everything from there, including encryption, multiplexing, error correction, and so on. There is no separation of concerns at that level, but you can't argue with the performance. It also means that you can't use tcpdump to look at the traffic and you can't simply swap out the crypto implementation with something else—you have to have faith in the QUIC crypto. As he noted, if you are watching a video on YouTube or checking Gmail on your phone, you are almost certainly using it now.
Counterexample
Services and microservices were up next. If you were to start writing Twitter today, you might start with a Ruby on Rails application with a clean separation between the model, view, and controller . Add a MySQL database for storage and that might be some early version of Twitter.
In a change from the usual pattern, he asked with a chuckle: "what if we added some more layers?" His slide showed a bunch of microservices, each with their own storage, and an API gateway that routed various requests to them. This is a "service-oriented architecture" that is what Twitter has today.
Each of those microservices may talk with the others, leading to a complicated "death star" call graph, but it is useful for scaling, both in terms of the components and in terms of development. Each of the services can be scaled up or down depending on need and each can be developed and deployed by independent teams. It also has a cost, of course, but he suggested that attendees keep this counterexample in mind through the rest of the talk.
Kubernetes
He then moved on to Kubernetes. Ten years ago, a deployment of an application in the Amazon cloud had just a few layers. There was the bare metal layer that Amazon controlled and one could pick a virtual machine (VM) size to run on top of that. That VM would run the operating system (Ubuntu, say) and the application (perhaps in a Java JAR file), which would both be built into an Amazon Machine Image (AMI) file. That was four layers.
"So what if we added a bunch more layers to this?" For Kubernetes, the stack starts the same if it is deployed in the Amazon cloud; there is the bare metal and infrastructure-as-a-service (IaaS) VM. On top of that is still the operating system, but after that is where things diverge. For Kubernetes, there will be a kubelet layer and, on top of that, a pod layer. Then there are one or more containers running in the pod and, finally, the Java JAR running inside one of the containers.
"That's a lot of layers", he said. Are we just "architecture astronauts" that want to build something with lots of layers, with a clean separation of concerns? It is hard to argue against the momentum that Kubernetes has, but he does wonder: what if we got rid of some the layers?
Amazon and other cloud providers offer many different-sized VMs as a way for their users to scale their applications, but the Kubernetes world scales in a different way. So he thinks the future is to eliminate the VMs and simply run Kubernetes on the bare metal. That would squash the lowest two layers.
You could also squash all of the layers above by moving to a unikernel model, but he does not think that is necessarily the way forward. Unikernels remove many of the benefits that we get from containers, including speed of deployment and ease of iteration. In addition, unikernels are more difficult to work with, since there is no real OS that one can SSH into, for example.
Another path would be to move to a "serverless" model, though he prefers the term "function as a service" (FaaS). In that model, the hardware layer would encompass the bare metal (and VM if needed) and the next layer would provide the Amazon Kubernetes pieces (OS, kubelet, and pod). Above that would be the container layer; for Amazon's Lambda FaaS offering, that would be Firecracker, but for Kubernetes it would be Docker or a similar container runtime. Layer 4 would be the application code.
Application focus
This allows developers to focus on their code, rather than having to keep in mind all of the substrate that makes their code run. In the unikernel world, all of that infrastructure is essentially part of the application, so developers have to be aware of it. But, isn't this new model right back to where we started? Prior to Kubernetes, there were four layers and the developer really mostly needed to be concerned with their application. He believes that there are three main reasons why this architecture based on FaaS and Kubernetes is going to be beneficial for the industry.
The first is that lack of concern for the rest of the stack. Ten years ago, developers would need to build an AMI, which is "slow to bake", to iterate on their code. Troubleshooting required making an SSH connection into the instance and changing the size of the amount of CPU to be used required picking a different size of VM at the cloud provider. These days, Docker and other containerization tools have matured so that it is easy and fast to iterate on code changes. Scaling is handled at a higher level, as well, so changes do not require an entirely new VM.
The second reason is that routing and dispatch can be handled better with sympathetic abstractions. In the traditional cloud deployment, an Amazon auto scaling group would be responsible for ensuring that N copies of a service (e.g. Apache) are running. There is a different entity, the elastic load balancer, that is responsible for routing requests to these different service instances. In the "new world", the request routing and compute dispatch are combined.
Because the API gateway is sympathetic to the kinds of services being run, it can scale up or down as needed. The old way calculated the need for more service instances from CPU usage, but is not cognizant of the differences between, say, Java and Go applications. Kubernetes allows that recognition because it has squashed the routing and dispatch layers together. That should provide a lot better performance and many features that are hard or impossible using the old mechanisms, Anderson said.
The third reason is that Kubernetes operators provide a way to do compute scheduling in a sympathetic manner. While an AWS auto scaling group can bring up a new instance of MySQL, it has no conception of the fact that the new instance needs to join the MySQL cluster and to start replication. Users need to add tooling to make sure that it doesn't get added to the load balancer before it is actually ready to serve queries. Due to separation of concerns, the auto scaling group only cares about keeping N copies running, the rest is someone's else responsibility. It can be made to work, but it is difficult to do.
But by using an operator, Kubernetes can be aware of the needs of new MySQL instances. The operator is concerned with the health of the MySQL cluster; it is sympathetic to the workload. At this point, operators for specific applications are not generally production ready, but they are getting there. Until the advent of operators, there was no layer that could handle "this application-specific knowhow", he said. It is the first time in the software industry where there is a place to specify a "really tight, application-specific control loop".
Anderson concluded his talk by noting that he believes sympathetic layers are a good thing, in general. QUIC and ZFS provide two good examples of that; sympathetic layers provide better performance, which comes at a price, but he believes the cost is justified in those cases. On the other hand, separating out layers, such as running Docker containers on Kubernetes versus AMIs on VMs, can also provide more capabilities.
Layers are not good or bad, per se, but depend on how they are used, what they cost, and so on. It is up to us as engineers to look at layers (or their lack) and to ask what would happen if they were merged (or added). He also thinks that Kubernetes operators and FaaS are "re-slicing where the layers are", which is to the good. Merging dispatch and routing brings a lot of new capabilities, but means that traditional load balancers can no longer be used.
He reiterated that attendees should watch "Simple Made Easy" before making up their minds. It is a great talk that will help guide thinking about when it makes sense to "'complect' things together or split them apart". He suggested that attendees consider both talks and then come to their own conclusions.
[I would like to thank LWN's travel sponsor, the Linux Foundation, for
travel assistance to Pasadena for SCALE.]
| Index entries for this article | |
|---|---|
| Conference | Southern California Linux Expo/2019 |
Posted Mar 21, 2019 8:33 UTC (Thu)
by nim-nim (subscriber, #34454)
[Link]
To do new things you need to slice up the new problem space in layers, to keep the complexity per layer to a manageable amount. But, managing layers is itself a complexity source.
So, the cost of doing new things, is to simplify the existing layer pile, to free up the complexity budget required to handle the new layers. And simplifying mostly means giving up on some layer combinations that seemed to have potential in the past but proved not worth the layering cost.
You see this a lot in human languages. All human languages are different. Pretty much any human language will be simpler and more regular than others in one aspect. But this simplification usually freed up a complexity budget, that humans used to make the language less simple than others on some other aspect.
Posted Mar 21, 2019 11:47 UTC (Thu)
by mm7323 (subscriber, #87386)
[Link] (13 responses)
Posted Mar 21, 2019 18:04 UTC (Thu)
by perennialmind (guest, #45817)
[Link] (12 responses)
One quibble: I don't think it was the network-layer-scope limitation that hamstrung IPv6. I was just re-reading DJB's old take. He did an excellent job calling out the problems with attempting to institute a replacement without making compatibility a top priority. QUIC, soon to be HTTP3, works so well because it works with the existing infrastructure instead of taking a hostile "We will bury you!" attitude. Imaging an alternative history in which the IETF adopted TUBA and kept the IPv4 address space at the root makes for a fun exercise.
Posted Mar 21, 2019 18:59 UTC (Thu)
by Cyberax (✭ supporter ✭, #52523)
[Link] (9 responses)
Posted Mar 22, 2019 14:50 UTC (Fri)
by perennialmind (guest, #45817)
[Link] (8 responses)
I don't see that. I see that NAT has been and still is the real-world solution to the address crunch. That's the bar. Any new routing protocol has to be better than NAT.
For an IPng upgrade to beat NAT44, you'd want IPng-to-IPng-over-link, IPng-to-IPng-over-IPv4, and IPng-to-IPv4. The first one is easy*. The last two need to be compatible with IPv4-only routers in the path.
IPng-to-IPng-over-IPv4 can use encapsulation, so that can also be easy. With encapsulation, the layer underneath changes from link-to-IPv4, but that's normal - boring, even.
IPng-to-IPv4 is where, if you want to beat NAT, you have to embrace NAT. Upgradable NAT.
The NAT we have today is expensive, brittle and lossy.
To support true legacy IPv4 nodes, it has to be.
If you set aside that requirement,
you can have fully stateless NAT with address extension by IPv4 option field.
If you need to support legacy IPv4, start with stateful NAT
but include the address extension option.
Then you can tear down the connection tracking and port reservation
after the first reply in the flow.
TCP would work especially well:
only OS upgrades would be strictly required for an IPv4 TCP server.
An upgraded TCP/UDP kernel+userspace would have full connectivity
with the IPng world,
without any help from an ISP.
Of course, if you decide to do IPng-to-IPv4 that way, you might as well take the same approach with IPng-to-IPng-over-IPv4. Once you take a translation approach, you can splice disjoint routing domains together. It's an inter-net after all! 😁
Posted Mar 22, 2019 16:38 UTC (Fri)
by nybble41 (subscriber, #55106)
[Link] (6 responses)
IPng-to-IPng-over-link is obviously native IPv6.
IPng-to-IPng-over-IPv4 is covered by 6to4, Teredo, 6rd, and 6in4.
IPng-to-IPv4, without the option field, is NAT64. DNS translation is also mandatory, working in concert with the NAT64 gateway, if you intend to allow IPv4-only hosts to establish connections to "IPng" servers. Like *any* simplistic address extension scheme—including NAT44 and CGNAT—it has numerous shortcomings due to the fact that one side of the link is blissfully unaware of the need for address extensions. For a start, any protocol which relies on embedded IPv4 addresses will be unusable since (a) one side doesn't have a public IPv4 address to embed, and (b) there is no room to store an extended address even if the NAT64 gateway were modified to intervene and translate addresses at the application layer. The best you can hope for in that case is a new "IPng"-compatible protocol with space for address extensions and an application-level proxy running on the gateway to perform the translation.
Posted Mar 22, 2019 18:30 UTC (Fri)
by perennialmind (guest, #45817)
[Link] (5 responses)
Oh there's no chance of such a scheme working now! The fun thought experiment supposes an alternative history diverging in the early 90's. Maybe it was already too late then. I'm awfully curious on that point. :-) As I understand it, unrecognized options are supposed to be ignored per RFC1122 and RFC7126. So a conformant IPv4 router should not need replacing or upgrading. In theory. 😊
Yup.
Covered, yes. Miserably. The 6to4 scheme would have worked beautifully, if all the other IPv6 addresses were also 6to4. 6rd trades the anycast address for a unicast address provided by the ISP. 6rd is a mechanism for an ISP to provide IPv6 access over it's IPv4 infrastructure - a worthy goal, but a much less ambitious one. Teredo avoids upgrades to the NAT gateways but would only work well if IPv6 network operators consistently provide Teredo relays. Due to that, the complex path, added latency and limited reliability, it never reached critical mass.
The fact that the IPv6 address space doesn't extend IPv4 is precisely the problem. I still don't understand why they did that. They put IPv4 addresses at the bottom (
If you can't use the extension mechanism built into the original design (options), then the best you can do is encapsulation a la 6to4. 6to4 without the anycast route would still have been a huge improvement over NAT44. If you're referring to the sockaddr_storage type, yes, that would still be a painful, costly effort. Preferably one resulting in a sane id/locator split. Maybe replace
Hey, I just think it's a fun counterfactual! 😊
Posted Mar 22, 2019 20:56 UTC (Fri)
by Cyberax (✭ supporter ✭, #52523)
[Link] (4 responses)
This makes everything even worse, a dual stack IPv4/ng client won't know which protocol to use to connect to a V4 address.
Posted Mar 23, 2019 4:29 UTC (Sat)
by perennialmind (guest, #45817)
[Link] (3 responses)
NAT is bound to be the fallback in any scheme. If you start there and negotiate up, you can have a smooth on-ramp. Under the options-can-work scheme, the initial packet in any given flow exits the border router with it's address information intact. That packet is effectively "dual stack". (A heisenpacket?) It's only when it lands at an unenlightened IPv4 endpoint that you are stuck with stateful nat. Stateless transformations I don't mind.
But even if you drop the stateful NAT option, under this scheme, or a 6to4-only-IPv6 phase, clients with mere IPv4 access can talk to the full IPng internet. For servers, there's no good reason not to opt-in to IPng.
I do agree that IPng-blind IPv4 hosts could only talk to IPv4 servers. But that just makes sense, doesn't it? If I fired up Netwcape 4, I'd be able to load webpages over SSL3, but not those that only support TLS 1.2+. I'd be able to load
Posted Mar 23, 2019 6:53 UTC (Sat)
by Cyberax (✭ supporter ✭, #52523)
[Link]
This is what is happening right now - you still have legacy IPv4 infrastructure with NAT-ed clients and newer IPv6 infrastructure without NATs. They both live together side-by-side seamlessly, thanks to Happy Eyeballs RFC.
> But even if you drop the stateful NAT option, under this scheme, or a 6to4-only-IPv6 phase, clients with mere IPv4 access can talk to the full IPng internet. For servers, there's no good reason not to opt-in to IPng.
Posted Mar 24, 2019 0:16 UTC (Sun)
by zlynx (guest, #2285)
[Link] (1 responses)
But there's still a bunch of people who don't see the point and think it's just fine to use 10.x.x.x addresses in the data center and only rely on proxies. Forever. But those people would be a problem in any IPv4 backwards compatibility scheme for any new addressing. They'd never see the point in upgrading past the compatibility solution.
Posted Mar 24, 2019 2:10 UTC (Sun)
by perennialmind (guest, #45817)
[Link]
The vast majority of web clients have been upgraded for IPv6, but most of them have lousy IPv6 access. IPv6 required upgrades along the entire path to be useful. Even then, anything short of full adoption makes use risky. For a decade, I tried to join in the 128-bit fun: tunnelbroker.net, 6to4, teredo (once I had the twin IPs for a relay), and finally a
A larger address space in the 90's was primarily useful to client networks that were already resorting to NAT. That's where the incentive was, so start by addressing their problems. In the first phase, you don't run public servers beyond the IPv4 edge – I agree with you there! That happens once (1) there are few legacy IPv4 clients left and (2) all of your server software has support for the address extension. You don't disable the extended-address support on your IPv4.1 OS, because it's so very harmless. It's just one more upgrade like any other. No need for AAAA records at that point. 32-bit IPng destination addresses are normal. 🙃
It took so long before userspace had decent support for IPv6. Presumably because it was largely irrelevant. Once you have servers automatically upgrading connections to IPng, it becomes relevant! Upgrade your client OS and server OS, but keep the routers and userspace on IPv4 and still get bigger addresses on the wire? I have to think adoption would have been quicker!
Posted Mar 22, 2019 23:04 UTC (Fri)
by smitty_one_each (subscriber, #28989)
[Link]
(1) My observation is that technology adoption is driven by how much better the new is than the old.
(2) If IPv6 were that much of an improvement over v4, then Egress-Only Ingernet Gateways[1] would make no sense.
(3) Maybe CIDR is "good enough".
[1] https://docs.aws.amazon.com/vpc/latest/userguide/egress-o...
Posted Mar 21, 2019 19:13 UTC (Thu)
by zlynx (guest, #2285)
[Link] (1 responses)
There have been tunnel solutions ever since IPv6 started. 6to4, Teredo, 6rd. And NAT64, 646XLAT, etc.
There's just not much advantage to it unless it's used natively and that's the hold-up.
Really, there's a ton of slow and stupid solutions if all we wanted were more IP addresses. My favorite proposal I heard someone make was automatic IPSEC tunnels and new DNS records to get the second layer of IP once you had a tunnel up. Because that way you got the encryption *and* the tunnel.
Posted Mar 22, 2019 14:21 UTC (Fri)
by perennialmind (guest, #45817)
[Link]
A workable encapsulation strategy looks like a tunnel in that you have a layer 4 protocol over another layer 4 protocol. However, a tunnel abstraction usually implies a virtual interface for each "link". For an overlay network, while you can pretend the substrate is a link layer rather than another routing layer, at that point you are fighting your abstraction rather than fixing the discordance. In an more ideal world, abstractions evolve the way a model evolves to better fit the reality it describes.
Look at filesystems. Filesystems take a block device and provide files and directories. Except maybe they sit atop RAM, like tmpfs. Or other filesystems, like overlayfs or nfs. Or maybe they sit atop a single file... except they don't unless you construct an illusory loopback block device. That is, until Dave Chinner's new mapping layer teases apart the block address space concept from the block device layer. That is exactly the kind of well-defined "leak" we want between layers.
But I don't think that IPng-to-IPng-over-IPv4 should have used encapsulation. I think translation is a better approach. I think that using the extension facility built in to IPv4 should have been used. I think that new options fields should have been blessed as backwards-compatible first-class headers and a new minor version, IPv4.1 created. If IPng had benefits other than bigger addresses, then perhaps it could creep in from the edge. But if not, that's fine too.
There are other options, but the key enabler is the co-rooted address space. 6to4 worked great, except for the anycast bit, which was god-awful, a black hole of failure. If the new address space had embedded IPv4 near the top and refused to hand out anything not under it, we'd still have needed all of the host-side software changes, DNS, and routing protocol upgrades, etc, but the parties with no incentive to make costly changes would not have had to make costly changes.
To your last point: I am very glad that the entire operation of the internet does not depend on an IPSec substrate.
Posted Mar 22, 2019 23:11 UTC (Fri)
by smitty_one_each (subscriber, #28989)
[Link]
Posted Mar 24, 2019 2:24 UTC (Sun)
by riking (subscriber, #95706)
[Link]
I think my version is a little more violent 🤔
Layers and abstractions
Layers and abstractions
Layers and abstractions
Layers and abstractions
Layers and abstractions
Layers and abstractions
An IPv4 option field won't work simply because there are too many middleboxes that mangle or discard unknown option fields or entire packets containing them.
Layers and abstractions
::127.0.0.1); if they'd put them at the top, the problem you describe wouldn't exist.
sockaddr_in with a "locator handle". <shrug>
Layers and abstractions
Layers and abstractions
crusty.gif, but not snazzy.svg. The web has undergone gradual transitions, with ample consideration for legacy systems. IPv6 didn't do it that way.
Layers and abstractions
Whatever system you end up will not be functionally different from dual stack IPv6 + IPv4 NAT.
No they can not. IPv4 clients can only connect to IPv4 addresses, so the server will have to use IPv4. Peer-to-peer with IPng is still impossible.
Layers and abstractions
Layers and abstractions
/48 of my own my company's from an ISP happy to provide it but bemused that I cared. And still, I have to grit my teeth and turn off IPv6 when some website we care about turns on IPv6 and the road gets all bumpy. "Happy Eyeballs" is all about compensating for the tendency of IPv6 to be so very bumpy. It's not the hosts at either end: it's the unloved links inbetween.
Layers and abstractions
Layers and abstractions
Layers and abstractions
Layers and abstractions
Layers and abstractions