% BlocktreeCloudPaper.tex

\documentclass{article}
\usepackage[scale=0.8]{geometry}
\usepackage{hyperref}
\title{The Blocktree Cloud Orchestration Platform}
\author{Matthew Carr}
\begin{document}
\maketitle
\begin{abstract}
This document is a proposal for a novel cloud platform called Blocktree.
The system is described in terms of the actor model,
in which tasks and services are implemented as actors.
The platform is responsible for orchestrating these actors on a set of native operating system processes.
A service is provided to actors which allows them access to a highly available distributed file system,
which serves as the only source of persistent state for the system.
High availability is achieved using the Raft consensus protocol to synchronize the state of files between processes.
All data stored in the filesystem is secured with strong integrity and optional confidentiality protections.
A network-block-device-like interface allows fast, low-level read and write access to the encrypted data,
with full support for client-side encryption.
Well-known cryptographic primitives and constructions are employed to provide this protection;
the system does not attempt to innovate in cryptography.
The system's trust model allows for mutual TLS authentication between all processes in the system,
even those which are controlled by different owners.
By integrating these ideas into a single platform,
the system aims to advance the status quo in the security and reliability of software systems.
\end{abstract}
\section{Introduction}
% Describe paths, actors, and files. Emphasize the benefit of actors and files sharing the same
% namespace.
Blocktree is an attempt to extend the Unix philosophy that everything is a file
to the entire distributed system that comprises modern IT infrastructure.
The system is organized around a global distributed filesystem which defines security
principals, resources, and their authorization attributes.
This filesystem provides a language for access control that can be used to securely grant principals
access to resources owned by different organizations, without the need to set up federation.
The system provides an actor runtime for orchestrating tasks and services.
Resources are represented by actors, and actors are grouped into operating system processes.
Each process has its own credentials, which authenticate it as a unique security principal
and which specify the filesystem path where the process is located.
A process has authorization attributes which determine the set of processes that may communicate with it.
Every connection between processes is established using mutual TLS authentication,
which is accomplished without the need to trust any third-party certificate authority.
The cryptographic mechanisms which make this possible are described in detail in section 4.
Messages addressed to actors in a different process are forwarded over these connections,
while messages addressed to actors in the same process are delivered without copying.

One of the major challenges in distributed systems is managing persistent state.
Blocktree addresses this with its distributed filesystem.
Files are broken into segments called sectors.
The sector size of a file is configured when the file is created
and cannot be changed afterwards.
Reads and writes of individual sectors are guaranteed to be atomic.
The sectors which comprise a file, together with its metadata, are replicated by a set of processes running
the sector service.
A sector service process stores the sectors of the files in the directory that contains the process itself.
The actors providing the sector service in a given directory coordinate with one another using
the Raft protocol to synchronize the state of the sectors they store.
Partitioning the data in the filesystem by directory in this way
allows the system to scale beyond the capacity of a single consensus cluster.
Sectors are secured with strong integrity protection,
which allows anyone to verify that a sector's contents were written by an authorized principal.
Encryption can optionally be applied to sectors,
with the system handling key management.
The cryptographic mechanisms used to implement these protections are described in section 4.

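The path-based model described above can be made concrete in a few dozen lines of Rust.
What follows is an added example written for this exposition, not code from the Blocktree project:
the names \texttt{BtPath}, \texttt{ConnectPolicy} and \texttt{sector\_group\_for}, the shape of the
authorization attributes, and the sample paths are all assumptions made for illustration.
It keeps principals and files in one namespace, decides whether an authenticated peer may connect
to a process from that process's attributes, and derives the directory whose sector service replicates
a file. The subtree test compares whole path components, because a character-level prefix test would
let a principal under \texttt{/acme/webmail} satisfy a grant for \texttt{/acme/web}.

```rust
use std::collections::BTreeSet;

/// An absolute path in the global namespace shared by principals and files.
/// Kept as components so that "is this under that directory?" is answered
/// per component, never by comparing strings character by character.
/// (Illustrative type for this example, not a Blocktree API.)
#[derive(Clone, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub struct BtPath(Vec<String>);

impl BtPath {
    /// Parse an absolute path. Empty, "." and ".." components are rejected, so a
    /// path taken from a credential cannot name a location outside its directory.
    pub fn parse(s: &str) -> Option<BtPath> {
        let rest = s.strip_prefix('/')?;
        if rest.is_empty() {
            return Some(BtPath(Vec::new())); // the root directory
        }
        let mut parts = Vec::new();
        for c in rest.split('/') {
            if c.is_empty() || c == "." || c == ".." {
                return None;
            }
            parts.push(c.to_string());
        }
        Some(BtPath(parts))
    }

    /// The containing directory, or None for the root.
    pub fn parent(&self) -> Option<BtPath> {
        if self.0.is_empty() {
            None
        } else {
            Some(BtPath(self.0[..self.0.len() - 1].to_vec()))
        }
    }

    /// True if `self` is `dir` or lies beneath it. Whole components are compared,
    /// so "/acme/webmail/mx" is not within "/acme/web".
    pub fn is_within(&self, dir: &BtPath) -> bool {
        self.0.len() >= dir.0.len() && self.0[..dir.0.len()] == dir.0[..]
    }

    pub fn display(&self) -> String {
        format!("/{}", self.0.join("/"))
    }
}

/// Connect-authorization attributes of a process: named principals, plus
/// directories whose every descendant may connect. (Assumed shape; the paper
/// does not specify the attribute format.)
#[derive(Default)]
pub struct ConnectPolicy {
    pub principals: BTreeSet<BtPath>,
    pub subtrees: BTreeSet<BtPath>,
}

impl ConnectPolicy {
    /// `peer` must come from the peer's mutually authenticated TLS credential,
    /// never from a message body the peer controls.
    pub fn permits(&self, peer: &BtPath) -> bool {
        self.principals.contains(peer) || self.subtrees.iter().any(|d| peer.is_within(d))
    }
}

/// The directory whose sector service replicates a file's sectors: the
/// directory containing the file. The root itself has no containing directory.
pub fn sector_group_for(file: &BtPath) -> Option<BtPath> {
    file.parent()
}

/// Constructed sample policy and peers, returned as (peer path, allowed).
pub fn demo() -> Vec<(String, bool)> {
    let mut policy = ConnectPolicy::default();
    policy.subtrees.insert(BtPath::parse("/acme/web").unwrap());
    policy.principals.insert(BtPath::parse("/acme/ops/monitor").unwrap());
    let peers = ["/acme/web/frontend-01", "/acme/webmail/mx", "/acme/ops/monitor", "/acme/ops/other"];
    peers
        .iter()
        .map(|p| (p.to_string(), policy.permits(&BtPath::parse(p).unwrap())))
        .collect()
}

fn main() {
    for (peer, allowed) in demo() {
        println!("{} -> {}", peer, if allowed { "allow" } else { "deny" });
    }
    let f = BtPath::parse("/acme/web/index.html").unwrap();
    println!("sectors of {} are held by {}", f.display(), sector_group_for(&f).unwrap().display());
}
```

The policy check takes the peer's path as already authenticated; in the model above that path is bound
to the process by its credential, so the decision rests on the TLS handshake rather than on anything
the peer asserts in a message.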
To reduce load on the sector service, and to allow the system to scale to a larger number of users,
a peer-to-peer distribution system is implemented in the filesystem service.
This system allows filesystem actors to download sectors from other filesystem actors
that hold those sectors in their local cache.
The threat of a malicious actor serving bad sector data is mitigated by the strong integrity
protection applied to sectors: a peer can only serve sectors that an authorized principal actually wrote.
Integrity protection alone does not stop a peer from withholding a sector or serving an older version that was
also written by an authorized principal, so peer-to-peer distribution is a cache in front of the sector service
rather than a replacement for it.
By using peer-to-peer distribution, the system can serve as a content delivery network.

One of the design goals of Blocktree is to facilitate the creation of composable distributed
systems.
A major challenge in building such systems is the difficulty of pinning down bugs when they
inevitably occur.
Research into session types (also known as behavioural types) promises to bring the safety benefits
of type checking to actor communication.
Blocktree integrates a session typing system that allows protocol contracts to be defined which
specify the communication patterns of a set of actors.
This model allows the state space of the set of actors participating in a computation to be defined,
and the state transitions which occur to be specified based on the types of received messages.
These contracts are used to verify protocol adherence both statically and dynamically;
a violation detected at runtime can be traced back to the actor that sent the offending message.
The system is implemented using compile-time code generation,
making it a zero-cost abstraction.
By relieving the developer of handling the numerous failure modes of a communication protocol by hand,
the contracts let them focus on the functionality of their system.

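As an illustration of the two levels of checking just described, here is an added example in Rust.
It is not code from the Blocktree project, whose contract language and code generator are not shown in
this paper; the names \texttt{Endpoint}, \texttt{Msg}, \texttt{check\_trace}, the actor names and the
request/response contract itself are constructed for the example.
The client endpoint's type records the protocol state, so sending a second request before a response
has arrived is rejected by the compiler at no runtime cost.
The peer is another process the compiler cannot see, so the same state machine is also applied
dynamically, both to each received message and to a whole conversation trace, and a violation is
attributed to the actor that sent the offending message.

```rust
use std::marker::PhantomData;

/// Messages of a constructed request/response contract (an illustration,
/// not a Blocktree message type).
#[derive(Clone, Debug, PartialEq, Eq)]
pub enum Msg {
    Request(u32),
    Response(u32),
    Close,
}

/// Contract states as zero-sized marker types; they exist only at compile time.
pub struct Idle;
pub struct AwaitingResponse;
pub struct Closed;

/// A client endpoint whose type parameter records the current contract state.
/// Each transition consumes `self`, so a stale endpoint cannot be reused.
pub struct Endpoint<S> {
    sent: Vec<Msg>,
    _state: PhantomData<S>,
}

/// A contract violation, attributed to the actor that sent the offending message.
#[derive(Debug, PartialEq, Eq)]
pub struct Violation {
    pub actor: String,
    pub position: usize,
    pub expected: &'static str,
    pub got: Msg,
}

impl Endpoint<Idle> {
    pub fn new() -> Self {
        Endpoint { sent: Vec::new(), _state: PhantomData }
    }
    /// Only an Idle endpoint can send a Request; a second Request before a
    /// Response is a type error, caught before the program runs.
    pub fn request(mut self, n: u32) -> Endpoint<AwaitingResponse> {
        self.sent.push(Msg::Request(n));
        Endpoint { sent: self.sent, _state: PhantomData }
    }
    pub fn close(mut self) -> Endpoint<Closed> {
        self.sent.push(Msg::Close);
        Endpoint { sent: self.sent, _state: PhantomData }
    }
}

impl Endpoint<AwaitingResponse> {
    /// The peer is a separate process, so what it sends cannot be checked
    /// statically: validate it here and name the offender on failure.
    /// `position` is the number of messages this endpoint had sent when the bad message arrived.
    pub fn receive(self, peer: &str, m: Msg) -> Result<Endpoint<Idle>, Violation> {
        match m {
            Msg::Response(_) => Ok(Endpoint { sent: self.sent, _state: PhantomData }),
            other => Err(Violation {
                actor: peer.to_string(),
                position: self.sent.len(),
                expected: "Response from the server",
                got: other,
            }),
        }
    }
}

impl Endpoint<Closed> {
    pub fn into_sent(self) -> Vec<Msg> {
        self.sent
    }
}

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
enum State {
    Idle,
    AwaitingResponse,
    Closed,
}

/// Dynamic check of a whole conversation, as a monitor or the receiving
/// runtime would perform it: `trace` lists (sender, message) in order.
/// This is the same state machine as the marker types above, expressed as data.
pub fn check_trace(client: &str, server: &str, trace: &[(&str, Msg)]) -> Result<(), Violation> {
    let mut state = State::Idle;
    for (i, (sender, m)) in trace.iter().enumerate() {
        state = match (state, m) {
            (State::Idle, Msg::Request(_)) if *sender == client => State::AwaitingResponse,
            (State::Idle, Msg::Close) if *sender == client => State::Closed,
            (State::AwaitingResponse, Msg::Response(_)) if *sender == server => State::Idle,
            _ => {
                let expected = match state {
                    State::Idle => "Request or Close from the client",
                    State::AwaitingResponse => "Response from the server",
                    State::Closed => "no further messages",
                };
                return Err(Violation { actor: (*sender).to_string(), position: i, expected, got: m.clone() });
            }
        };
    }
    Ok(())
}

fn main() {
    let ep = Endpoint::new().request(1);
    // `ep.request(2)` would not compile here: Endpoint<AwaitingResponse> has no `request`.
    let ep = ep.receive("server", Msg::Response(1)).expect("contract kept");
    println!("client sent {:?}", ep.close().into_sent());
}
```

Static checking protects the code compiled against the contract; the dynamic check is what protects a
process from a remote actor that was compiled against nothing, or against a different contract.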
Blocktree is implemented in the Rust programming language.
Its source code is licensed under the GNU Affero General Public License.
It can be downloaded from the project homepage at \url{https://blocktree.systems}.
Anyone interested in contributing to development is welcome to submit a pull request
to \url{https://gogs.delease.com/Delease/Blocktree}.
If you have larger changes or architectural suggestions,
please open an issue for discussion before spending time implementing your idea.

% Describe the remainder of the paper.
The remainder of this paper is structured as follows:
\begin{itemize}
\item Section 2 describes the actor runtime, service and task orchestration, and service
discovery.
\item Section 3 discusses the filesystem, its concurrency semantics and implementation.
\item Section 4 details the cryptographic mechanisms used to secure communication between
actor runtimes and to protect sector data.
\item Section 5 is a set of examples describing ways that Blocktree can be used to build systems.
\item Section 6 provides some concluding remarks.
\end{itemize}
\section{Actor Runtime}
% message passing interface
% btmsg and how it functions as a secure transport.
% security model based on filesystem permissions
% service discovery.
% protocol contracts, and runtime checking of protocol adherence. Emphasize the benefits to
% system composability that this enables, where errors can be traced back to the actor which
% violated the contract.
\section{Filesystem}
% Benefits of using a distributed filesystem as the sole source of persistent state for the system,
% including secure software delivery.
% Accessing data at two different levels of abstraction: sectors and files.
% Concurrency semantics at the sector layer, and their implementation using Raft.
\section{Cryptography}
\section{Examples}
This section contains examples of systems built using Blocktree. The hope is to illustrate how this
platform can be used to implement existing applications more easily and to make it possible to
implement systems which are currently out of reach.
\subsection{A personal cloud for a home user.}
% Describe my idealized home Blocktree setup.
\subsection{An ecommerce website.}
% Describe a blocktree which runs a cluster of webservers, a manufacturing process, a warehouse
% inventory management system, and an order fulfillment system.
\subsection{A realtime geo-spatial environment.}
% Explain my vision of the metaverse.
\section{Conclusion}
\end{document}