---
title: WWDC2003 Session 606
framework: wwdc
role: article
path: wwdc/wwdc2003-606
---

# WWDC2003 Session 606

## Transcript

Good afternoon, and welcome to session 606, Mac OS X Server in Depth. Before we start, I'd like to spend just a minute or so talking about some of the strategic goals we had for Panther Server. First, we want to enhance our admin software with more features, improved usability, integration and so on. Second, we wanted to provide ways to simplify the setup and configuration of lots of different servers, so for example racks of Xserves. Next, we wanted to complete the transition from NetInfo to an LDAP server as the primary directory server, for scalability and many other benefits, and also establish a single sign-on strategy around Kerberos authentication; this is really important to us. And lastly, improve our Windows compatibility features, both in terms of being able to fit into existing Active Directory networks as well as being able to displace aging NT servers out there. There are tons of them out there. And since we're going to be talking about directory services and authentication in two different sessions in detail (we have session 106 coming up right after this, and session 610 tomorrow morning at ten-thirty), we're going to be focusing on the three remaining items that are listed here.

With that, we divided this session into four subsections. First, we're going to talk about the Server Admin software and the architecture behind it, and also how developers can plug their software into the architecture. Second, we're going to be looking at the details of the Server Assistant's new features that are going to enable you to set up a bunch of different servers simultaneously, very quickly. Then we're going to be talking about Windows features; we're going to be talking about how we implemented them on top of Samba 3 and also how we integrated them with the rest of the Mac OS X Server components. And last but not least, we have a handful of tips on developing for the Panther Server platform; we will be talking about things like optimizing your server software
and such. So these are the four things we're going to talk about today. And since we usually have a mixed audience of both developers and sysadmin-side people in these server sessions, we're going to try to have useful information for both of those audience groups, sort of mixed in everywhere.

Let's just start talking about the admin software. In Jaguar Server we had two separate applications for configuring and monitoring servers: Server Settings for configuration and Server Status for monitoring. In Panther Server we are combining those two into a single application called Server Admin, and it has a bunch of new features, which I'm going to come back to, but it also has a new GUI for a number of services that did not have a GUI in the past. For example, we now have QTSS management integrated with the rest of the Mac OS X Server services, so you no longer have to go to the web-based admin to manage the streaming server. We also now have an Open Directory GUI, because we keep adding these new features to Open Directory that need configuration, such as replication support for LDAP and Kerberos. And we finally have a DNS GUI as well; I think people have been asking us for this for five years, so thank you for waiting, and I hope you're going to like it. We also have a GUI for the application server, which includes things like JBoss and such. And of course we also enhanced the existing GUI for services such as web and mail with a bunch of new features.

At the application level... before we start, how many of you went to the Mac OS X Server overview session before this? So pretty much everybody, so you know some of the new features. We do have this new duplication feature, where you can replicate the configuration of services by simple drag-and-drop; it's a pretty cool feature. We also have a GUI for remote software update, so you no longer have to go to the server machine to perform a software update, or go to Terminal to do so. Read-only mode: now that we combined configuration and monitoring, there was one
problem, and that is, we think many of you want to keep this application up and running all the time so you can monitor things, but if you walk away from the machine for a few minutes to go to the bathroom or whatever, people can just come up and change your configuration. So to prevent that, we implemented this thing called read-only mode, where the application will not let you... thank you... the application will not let you make any changes to your configuration until you type in your password to unlock it, and I'm going to demo that in a few minutes. We also have a summary view where, at a glance, you can get the status of all the servers and services, so you don't have to go to individual servers and see how things are going. This will be useful for computational clusters or web server farms, different environments where you have a large number of servers that you want to monitor simultaneously. And there are other features too, scattered throughout the application, so you can try out your CD and then check it out. I should also mention this application is backward compatible, so you can connect to both Jaguar servers and Panther servers; however, with Jaguar Server it's monitoring only, so you cannot configure. Sorry.

So now I'd like to actually give you a little demo of Server Admin, but the problem is this application is so popular, and it's been demoed in two other sessions, and I'm running out of things to show you, but I do have a couple of things I wanted to go over. So the first thing is, I go to SD, and as everybody's seen, you can drag and drop the configuration here between different servers. We can also drag this onto the desktop, and this makes a backup copy of your configuration, so later on, if you need to restore the server or whatever else, you can just go ahead and simply drag it back in. These are handy for other people. And the read-only mode: let's go to the menu here and then Lock. Now the application tells you everything is locked out, so you see this little icon here that says it's read-only,
and everything in the settings panel now cannot be edited. Same thing if you go to Windows: grayed out. Same thing for FTP: grayed out. And you can unlock it by just going here, typing in the admin password, and you're back in business. You can also set a timer, so after a certain amount of time the application automatically locks itself, so it works much like the screen saver. So that's the Server Admin 30-second demo. Back to the presentation slides, please.

So now let's look at how this one works behind the scenes. Server Admin is a Cocoa application, and there is a plugin for each of the services that you saw in the left-hand column, so there is a plugin for AFP, there's a plugin for the web service and so on. On the server side we have a stripped-down version of the Apache web server with a few custom modules that we developed, and it's working as the admin server engine. Server Admin talks to the back-end engine by passing XML back and forth over HTTP, usually also over SSL. Whenever there's a request that comes from the GUI application, the engine dispatches it to a set of CGIs, and again there is one CGI for each of the services, so there's the AFP CGI, the web CGI and so on. The individual CGIs do know how to talk to their own particular service, so they can do things like start and stop the particular server or service, they can get runtime, real-time statistics information from the service, and they can also read and write the configuration file or configuration information for the service, which is usually stored either in a config file or up in the directory server. And as needed, the CGI also signals the application to refresh its configuration, or restart if necessary. And by the way, these CGIs are all just regular Unix command-line tools.

So that's the real basic design of our admin application and its architecture, and if you notice, we tried to use standard technology whenever possible, so HTTP, XML, Apache, CGI, SSL and so on. And also, with this modular design, it was really easy for us to
develop and debug this product. For example, to debug the client-side GUI application or the plugin, we didn't even have to have the server side; we could simply pass XML into it and test its functionality. And vice versa too: we could just use a web browser and pass an XML file through to the back end to test the server side. We could also test the CGIs; you could unit test them by simply SSHing into the server and directly invoking them as Unix command-line tools. So this worked out pretty well for us. Right now it is not public, but if there's enough demand, we would like to make it public, so if you're interested, please let us know. And I hear seven, eight... OK, thank you. I guess we have to look into making it public.

We have actually been working with one particular developer to port their administration software to Server Admin, and it looks like we have something up and running now, so I thought it would be neat to actually have it demoed. So now I'd like to welcome Steve awesome, who is the technical director of engineering at Sybase.

Thank you, Kazoo. I think most of us here who have had the job of managing a network of servers can appreciate and understand the value of having the right tool for the job. We at Sybase have heard that from our customers just about every single day, so we're very pleased that Apple has provided this extensible framework that allows us to plug in our server management capabilities with the admin framework that Apple has provided. Apple understands user interfaces; we don't. But we understand our database and what needs to be done, so they've provided a very elegant framework that makes a very nice user interface for the administration of our server. So what we have... well, we've been working with this toolkit for about 10 days now, and we have a first pass at what we think will be available with the Panther release when Panther comes out. So the standard disclaimer applies here as I demo this: it may change quite a
bit by the time we actually release this. So I've got a Jaguar version here; I don't have the Panther release. What I have is a plug-in on the admin tool side and the Apache module on the server side that understands something about Sybase. The general status tool says what the state of the service is, and the service is our Adaptive Server Enterprise. You can do things like read the transaction logs. We have a usage indicator that tells us the general summary of what's going on inside the server in terms of load, the number of users connected, the databases present in the system and their size and attributes, and so forth. Databases map to devices, physical devices, so we have some information about those. An engine is an operating system process; we associate one engine per CPU, so we can get information about that, any locks that are present in the system, and various monitor information is available.

After learning the framework, it took us a day or two to sort out what this Cocoa environment is about. The challenge before us was then figuring out what information to present to you to make it useful and meaningful. We have, for example, over 200 configuration values, yet there's probably a dozen or so that are very commonly used, so our task is going to be to sort out which of these are most relevant. We will expose them all, but in the settings, I'm sorry, in the settings value, we'll provide maybe a dozen or so configuration settings, for example numbers of users, memory, cache sizes and so forth, that are typically used by our customers when they want to reconfigure the server. So we've been having a lot of fun with it. This is a very, very convenient tool to help us manage, and by the way, you can start and stop the server without having to use a terminal window or anything else, so it's a very convenient way to look at everything going on in the server from a single workstation. And one thing that is very nice is that if you've got a list of servers here, you can
get a summary view of all servers, and each service appears as a dot which is either red or green or some other color, and you can get a very clear overview of everything running on your network. So that's what we've done, and this will be available with our product, our 12.5.1 release, which we're timing to the release and availability of Panther. Thank you.

OK, so let's go back to the architecture diagram. I know many of you like the Mac OS X GUI and Cocoa, but some of us still like to use Terminal for managing servers. For those people, we actually developed a new command-line tool, also called serveradmin, and with this tool you can do everything that you can do from the GUI, and more. I'll show that to you right now. Switch to the machine here. OK.

So this is Terminal. You can do serveradmin list; that lists all the services that are installed on the server, and of course you can use this to start or stop any of them. You can also get status on any particular service you'd like, so you can do something like fullstatus afp; that gives you the stats on how the service is doing. So the AFP server is running, this is the time it was started, and you get stats on... there is currently one user connected from this machine here, and throughput is zero since the client is sitting idle. You can also issue commands that are specific to any particular service. For example, you can do... so there you go. That lists all the currently connected users, with information such as the login name, the IP address, how long the person's been connected for, and so on. Of course you have commands for disconnecting the user, sending messages and so on. But probably the most common use for this tool is doing the configuration of different services. For that you can just do settings, and again you can specify any of the services, so afp. That lists all the configuration options for the AFP server and what the current settings are. So here you've got the max number of threads, 40;
the max guests is minus one, which I think means unlimited; the error log size, and so on. Also, if you know exactly what you're looking for, you can simply type in one of the options and it shows just that. So this tells you that the login greeting setting text is not set right now; it's empty. Of course you can set configuration as well, so let's go here and use the login greeting. If you go to the GUI, the login greeting's empty right now. Go here and specify it, saying "Welcome to WWDC". Then you go here, refresh: it works. Again, you can pretty much do everything that you can do from the GUI from this terminal application, but you can also use this as a building block to build your own custom solution on top of it, and to illustrate that, we wrote a real quick, simple shell script that I will show to you.

So let's say you add new websites to your server frequently, with mostly the same options, and you want to do that from the command line. You can use our shell script called add site. Actually, before I start, let me go to the GUI here, Web, Settings, Sites, and make sure the only site that's defined right now is the default, so there's no other virtual host. But we're going to go ahead and add one. For add site you specify the IP address and, let's see, the port number, make it a DAT, the name of the site, my site, and the web folder. There you go. So if you go to the GUI here, Sites, now you have this website up and running. Once you double-click on it, you've got the web folder that we specified and so on.

So now let's look at how this works. Add site is actually just a single-line shell script. What it does is it uses sed to substitute some of the strings in this data file, add site dot in, with the arguments that have been passed into the shell script, and then it pipes the output to our command-line tool, which is running in an interactive, or input, mode. And then if you look at the data file, it's actually basically just a collection of settings for the web server with a lot of default
values, except for a few of them that start with an underscore, such as the IP address and the port number, which get substituted by sed. So it's real simple, but it works, so hopefully people can use this serveradmin command-line tool to create their own custom solutions.

So to summarize Server Admin: for system admins, we have a new Server Admin GUI application that combines configuration and monitoring; it has a bunch of new features. We also have the serveradmin command-line tool that you can use to do pretty much everything that you can do in the GUI, or you can use it as a building block to build your own custom solution on top of it. For developers, we have a modular, scalable and flexible Server Admin architecture that you can plug into, and if you're interested, let us know and we'd love to work with you. So that concludes the Server Admin portion, and I would like to welcome Scott Morgan's, who is going to tell us all about the new Server Assistant features. Thanks.

Hi there, this afternoon. I'm Scott Mulligan, and I'll be spending a few minutes with you discussing the Server Assistant. The Server Assistant is the first application that runs on a freshly installed server, and its objective is to get the system set up in the most basic setup state so that it can be fully configured at a later time, once it's been rebooted. In Jaguar Server, the Server Assistant is always run on the system console, and the system keyboard and mouse are used to capture setup data. Additionally, to accommodate headless servers and to provide an additional level of convenience, the Jaguar Server Assistant can be run from a remote system too, in order to perform both setup and installation. Of course, in Panther Server we've come up with a couple of ways that we can improve this experience even more. With the popularity of Mac OS X Server, we realized that many of our customers are buying multiple servers, and thus they're setting up multiple servers. So with Panther Server we've designed it so that
they will be able to set up multiple servers simultaneously from a single interview process. This will be accomplished by running the Server Assistant from a remote system and targeting the specific servers that you want to set up. It will look something like this: servers that are eligible for setup on the local subnet will show up in a list, and the system administrator simply selects the servers to be set up. Additionally, the administrator may add servers to this list by providing an IP address, thus enabling the remote setup of a server that's not on the local subnet. Once the target systems are selected and authentication information has been provided, the administrator proceeds into a standard setup interview where the setup information is collected, and at the end of the interview all the servers are set up.

There's also another scenario that we found some of our customers are running into. It turns out that some of our customers actually reinstall their systems from time to time, and others, due to the specific nature of how they use our servers, actually end up setting their systems up again more frequently as they repurpose our servers from one particular task to another. For these folks, setting up the server is something that they'd rather not deal with at all. So for these folks we thought, why not have the servers set themselves up? Of course you need to provide the setup information once, but you could save it to a file to be used again later. So in Panther Server, the Server Assistant has been designed to actually go out and discover setup profile data on its own. It does this by looking for the setup data in local file systems, which can include local hard drives and various types of removable media such as CDs, FireWire drives, USB drives, etc. Additionally, the Server Assistant will look and try to discover setup data that has been saved to a directory server. If a directory server is accessible and it holds setup data that pertains directly to this server, then the setup
assistant will utilize that data to set up the server. So what does this mean? Well, for one thing, it means that your iPod can set up your server. Imagine saving setup profiles for dozens of servers onto your iPod, or a FireWire drive, a USB thumb drive, maybe even a CompactFlash card reader. You walk up to your server, plug it in, and your server sets itself up. Or maybe you save these profiles onto your directory server; it's on your local network, and your servers just set themselves up. You wouldn't have to plug anything in; they could just find the info they need and set themselves up all on their own.

So how does this work? Well, first of all, we have a special setup daemon that runs on the server when the server needs to be set up, and there is a special place on the server that the server setup daemon examines from time to time, looking for setup data. The daemon loops, periodically checking to see if this data has shown up. But there are other places the daemon could attempt to find setup data, directory servers for example, or a local file system. The daemon will examine these places as it proceeds through its loop, and if it's able to find the relevant setup data, it will utilize it and then it will restart the system.

So these last few slides have focused on the back-end process that actually enables this auto-setup feature. Let's look at the bigger picture, though. As I showed you in the previous slides, there's a server setup daemon that is running on the server, and there's a specific place that is examined for that setup data. But there's also a GUI application, and that GUI application can be running locally on the server or it could be running on a remote system, say your desktop in your office. In either case, the GUI application presents an interview to the administrator in order to collect the setup data, and at the end of that interview, if the server is to be set up at this time, in other words at the end of the interview process, that setup data is delivered to this specific
location on the server that the server setup daemon examines from time to time, and once that's done, it enables the server to set itself up. But as we said, the server setup daemon can discover data in other locations, as in the directory server, so therefore the GUI application has to have the ability, to begin with, to connect to a directory server and save the setup data to a directory server, and once this is done, of course, it allows the server to set itself up. And as we mentioned before, the same thing can be done with the local file system. I'd like to point out that the local file system here may not be local to the server at the time that you save it; it may be your iPod, but when you carry it over and plug it into your server, it becomes a local file system on the server. On the other hand, it could be a partition that already exists on this server.

OK, so the setup profile for your server may contain sensitive data that you don't want other people to see. If that data is saved onto some form of removable media that you actually safeguard yourself as the administrator, such as your iPod, that might not be a problem, but that's not always the case. Therefore, any time data is saved from the GUI application, whether it's to a file or to directory services, an option is provided to encrypt that data. The encryption utilizes a user-provided passphrase that is used as the key for both encrypting and decrypting the data. Encryption is accomplished using the CAST5-CBC algorithm of the openssl command-line tool. The server setup daemon process will wait for the data to become decrypted, so if the data is available but it's encrypted, it will wait for that data to become decrypted. However, while it's waiting, it has also been designed to see if it can find a decryption key, so it will look in local file systems, in a specific location on those local file systems, to see if it can find that decryption key. It will not look in directory services, for obvious reasons. But if it can
find that key, it will utilize it to decrypt the file. So you can imagine having this key file on your iPod, and while the data may be available and encrypted, all you need to do is walk up and plug in your iPod, and it goes. Additionally, the GUI application itself has a mechanism for delivering this passphrase directly to the server, and in that case that passphrase is used to decrypt the data directly.

Now, you may remember I said that you might be able to save dozens or even hundreds, if not more, of these setup profile data files onto your iPod. This is how you keep track of them so that you know which setup file goes with which server. Basically, the server setup daemon process looks for these setup files by name, and it looks in a particular order, so these are the naming conventions and this is the order in which it looks for them. To begin with, it will look for a file that's named with the Ethernet hardware address, .plist; then it will look for an IP address, followed by a host name, .plist; and then finally the hardware serial number. And then we also provide a catch-all name, which is just the word generic, which will match any server.

So let's take a quick look at generating a setup profile using the Server Assistant, and then we'll look at how we can examine that file using the plist editor. So could you switch over to this machine, please? So here I have the Server Assistant, and I'll bring it up, and we'll be working with this in sort of an offline mode. And in order to make the demo a little bit quicker, so I don't have to type in a lot of stuff, I'm actually going to load in a configuration file I've saved earlier. In my home directory here, in the admin home directory, I have one called server settings plist, so I'm going to load that in. So as you can see, you can use Server Assistant to actually edit configurations you saved before. So it's been brought in, and you can see we've already set up certain things. We could actually change this if we wanted to... look, got to be able to
type... and we'll continue on here. I've already got a server name set up for it, the network interface. Here I already have Apple file service and FTP service enabled, but I'm also going to turn on mail service. Continue on with our time zone; we'll go ahead and have it using a network time server. And at the very end of the interview process you have a summary page where you can review the settings that you've made. You can see all those here; you can go back and make changes if you like. And then over here you have the ability to save this. Now, you can save it as a text file, which is basically going to be just like this part right here that we're looking at, that I was scrolling through, something that you might be able to print out and put in a file cabinet somewhere. Or you can save it as a configuration file, and this is where you save it into a plist file, and here's your option to save it encrypted if you'd like. You could also save it to a directory server. So I'm going to go ahead and save this as a configuration file, and I'm going to save it into the admin home directory. Go ahead and call this server02.apple.com.plist, and it's been saved into the home directory. So let's go take a look at that. Where is it? There it is. So here's my home directory, and you probably just saw that blink as the file was added to the list here. So we can open this file with our Property List Editor, and you can see this is just a simple XML file. Let's look at the services that we set to auto-start: as you can see, we have file, FTP and mail, which are the settings up here. The admin user, I changed it to Snidely... Snidely Whiplash. So that's it in a nutshell, and at this time I'm going to turn the podium over to Rusty Tucker, who's going to talk to you about Windows compatibility. Thank you.

Thanks, Scott. Even before we started, you guys were booing my demo, so we might as well bring up number four here and, you know, get it out of our system. But what is there not to love about an
operating system that demands you give it the three-finger salute just to log in? So if we go back to the slides. But seriously, we've got a lot of neat things in Mac OS X Server that help you integrate into existing Windows networks and support Windows networks. So where we are today: Jaguar Server provides basically a standalone server for Windows clients, and that's all based on Samba 2.2.x. It provides very robust and high-performance SMB file and print services, but that comes with a number of functional limitations in how people would like to deploy it. We don't have a way to change passwords, you can't provide domain logins, you can't host Windows home directories, and we have no way of taking the client or the server to fit into an existing Active Directory network, for example.

So the first thing we'll talk about is fitting into Active Directory networks. Both the client and the server can do this with the Active Directory plug-in. It provides proxy authentication and UID and GID mapping back to the Active Directory directory, and you can come and see the directory services session tomorrow for some more information about that. But there's one thing that's really missing here in this scenario, and that's that you still have Windows NT servers on this network. So what we'd like to do in Panther is provide a way to replace those Windows servers on the network, and so the Panther server can be configured as a primary domain controller. What that means is that it provides directory and authentication services to the Windows clients on the network, and that lets you support Windows home directories and single sign-on. So Windows users, they log in to the login window that we saw in XP, provide their name and password once, and for any services in the domain they will not need to provide that name and password again. It also supports the roaming profile, so that the settings follow the user when they log in from machine to machine, and we can provide unified management using
the Server Admin and the Workgroup Manager administration tools.

So what is a Windows network login? What are the components of that? First of all, when you log in, it comes and downloads the roaming profile from the network, and this is all the settings for the user, including their desktop picture, settings for Internet Explorer and so on. Really, in the Mac OS X world, it's similar to what you find in ~/Public... or, ~/Library, all the preferences in there. The second thing is the home directory mount, and that contains shared items, and it's really analogous to our ~/Public; it's a way for you to share files and things with other users on the network. And you can also define the startup script, which can be used to mount other share points or run applications every time that you log in.

OK, and in order to implement this in Panther Server we chose Samba 3, because it provides Unicode support on the wire, which is supported by all the modern Windows clients, and it also provides a plug-in architecture, not only for the user accounts but also for us to get directory information back. And lastly, we've added to this a way to support our just-in-time home directory creation and setting quotas, as we do in AFP.

And so we'll take a brief look at how we've actually implemented this and how the block diagram sets up. We've got Samba 3.0 as a starting point. By default it wants to integrate with local private databases; Samba 2.2 does this, and even Windows NT servers do this with the Windows registry and their SAM database. In our architecture and environment, we want to switch that out and set it up to work with Open Directory, and we're working with the password server and LDAP server on the back end, and the plugins for Samba are going to let us do this. First of all, with the auth plugin: we've got the auth plugin, it's actually called auth open directory, and it provides authentication services to the
clients, and that hooks us up to the LDAP server on the back, or not to the LDAP server but to the Password Server, where we can get LanMan and NT hash authentication for the Windows clients. Second is the directory plug-in, through the directory plug-in API; it's called the pdb open directory, and that supports all the getting and setting of user attributes, and that's basically talking to the LDAP server as its back end. So once we've got that all hooked up, now you can use our administration tools, such as Workgroup Manager, to actually admin, to create Windows user accounts, set their password, set password policy and so on. And lastly is integration into the server itself. As you've seen with the Server Assistant setup, we want to provide a way for servers to be able to configure themselves, and a way to do this with clients is to provide just-in-time setup for the home directories and also to set quotas like the AFP server does. And this is provided through the root preexec configuration and some scripts and tools that we've written, and source code for all this is available from the Darwin site, including our plug-in.

As you've heard before, there's tight integration between the Windows users and the Mac users in the directory, and it's actually the same user account, same user password. We've extended the user record to provide the attributes that are required by Windows users, and they're distinct for Mac users so there's no overlap there: the drive letter for mounting the home directory, the UNC address of the share point where their home directory is going to come from, the login script path, and the path to the roaming profiles. And the computers themselves need to authenticate before they join the network, and so we've had to extend the computer record to support that as well.

So now we'll look at a demo, and back to demo three. First thing we'll take a look at is how you actually set up a PDC, and you'll notice whenever we're looking at setting up Windows, whether it's Windows
computers, Windows users or the Windows service itself, we'll have the Windows label on all those items. And like with all the other services, it's got an overview, logs, connections, graphs that show connected users, and of course settings. And so what's new here is that we have added additional roles for the service. It can be the standalone server that we had with Jaguar; it can be a domain member, so it can be not the server that's providing domain controller services to the network but just a server that's providing sharing services or supporting Windows home directories; or primary domain controller. And here you'll set the domain name and the computer name, and when you set it up as primary domain controller it also enables the WINS service, so that enables the Windows Internet Naming Service on the network, which is really important for that.

We'll go to Workgroup Manager next. You can see we've got two users, admin and bill. Bill will be our Windows user, a very complicated user. Everything that we're going to see basically is the same as what a Mac OS X user would have: password type Open Directory; you can define groups that they have memberships in; home directory, that's got a share point called Users; mail; print services; and then the Windows panel, and this is where you define the profile path, the login script, the location of the hard drive, or where it's going to, the mount point for the user share point.

So now that we've got that, now we can actually log in to this Windows computer, so I want to bring up demo four. And here we choose the domain that we're going to log into; in this case it recognizes the in-depth domain that we've defined on the server. Type the password, it logs in, downloads the user settings, and then comes up with the familiar Windows desktop, where we can go to My Computer and actually see the mount point. You see it actually populates it with the Mac OS X directory, the home
directory itself for Mac OS X users, so they get the Movies directory, Library, Public, Pictures, everything. So this same user can also log in on Mac OS X machines on this network, and we'll go ahead and do that. I'm going to log him out now. First of all it wants to stage the settings back to the server. Now that that's done, we'll come back to demo three, and we'll just log out here and log in. This user has done his forward migration, and it's now a Mac OS X user and sees the same home directory. So that's that. So next up we'll bring Greg Vaughn up to bring us a little information about developing for Mac OS X Server.

Hello, I'm Greg Vaughn. Yeah, as he said, I'm going to talk about developing for Mac OS X Server. So I guess I'll use this admin and sort of tune out now.

So the first thing I want to talk about is Xserve. Xserve is the primary platform for Mac OS X Server. Because of that, you need to be aware that any applications you write for Mac OS X Server are likely to be running on a system that's got no keyboard, no monitor, no logged-in user. This sort of environment limits the frameworks and APIs you can use in Mac OS X. Obviously you're going to want to avoid the GUI APIs: AppKit, the HIToolbox. You need to be careful about APIs that might want to bring up dialogs, you know, like logging in, mounting network volumes, which might need to bring up an authentication dialog. There's a lot of APIs that are perfectly fine to use in this environment. Core Services as the umbrella framework has a few, including CarbonCore, just the lower level of the Carbon API. Foundation's available: if you want to write a Cocoa app, you can write a server in Cocoa; Foundation has a lot of server-safe APIs. If you've got a C or C++ server but you want to have some Mac OS X functionality, like reading preferences out of a plist, Core Foundation has a lot of useful APIs callable from C.

So if you want to provide a user interface to your application, you're going to need to separate out that user interface from
your core service. You've seen the examples of this: basically our Server Admin product and our Server Assistant both are implemented this way. Your GUI part's going to need to be able to run on a remote machine, so you're going to need to have a way of targeting what server you're talking to. Basically you can type in an IP address, but Rendezvous provides a really nice mechanism for browsing and locating servers. You're going to need to provide a networking connection between your two halves. If you've got administration data, often you want that to be an encrypted connection, but you don't necessarily need to write the networking software yourself. In our various services we've employed a variety of techniques. Server Admin uses HTTP over SSL and talks to an Apache web server on the back end. The sharing portion of Workgroup Manager actually uses Open Directory and Open Directory proxy to stuff values into the directory on the server that the service then reads out; that's more of a one-way communication. And Server Assistant actually packages functionality as a set of command-line tools and then invokes those tools remotely using SSH. Finally, you're going to need a separate installer for the GUI portion so it can be installed on your admin client machine.

Next thing I'd like to talk about is a bit about performance. I'm going to pass on a few things we've learned when we were optimizing the performance of our own services. One of the things we've looked a lot at is reducing the system calls in servers. Even system calls that would normally be quite fast, you need to be aware in the server environment, on a loaded server, calls into the kernel can cause contention between various threads and processes. The contention will cause lots of extra process flipping, which will result in wasted CPU time. For instance, when we were looking at Samba 3 we decided to make a couple of changes. We changed the read and write calls to pread and pwrite, because it avoids the extra lseek, and we also
found Samba implemented some locking using fcntl calls, and in this case spin locks seem to be fine, so we switched to that. These two changes alone resulted in a noticeable increase in performance. We also in Samba decided to change, for networking I/O, the read and write calls to recv and send. Read and write need to go through the file system code to look at the file descriptor to decide that it actually is a socket descriptor, whereas recv and send can call directly into the network code, and that avoids some locking as well. In AFP we not only use recv, but because AFP reads in a header and then knows how much data it wants to read in its packet, it actually uses MSG_WAITALL on recv. Normally recv will wake up each time some data comes in, and if the process is just going to look at it and go back to sleep again waiting for the rest of the data, again that's wasted CPU time. Another thing we did in AFP was we decided to switch to memory-mapped I/O for reads, because that way when you're actually doing the reading you bypass the file system and go to the lower-level VM system, which also can avoid some contention and improve performance. You do need to be a bit careful of memory-mapped I/O, because the VM system isn't going to be able to return errors. If you've got a sort of a drive that can go away, like a network-mounted drive, it can be difficult to deal with that situation, so you want to avoid it for drives that perhaps can disappear, you know, unexpectedly. Last thing I just want to say is, if you're developing a server and you're looking at performance, it's important not to just look at the service itself but its impact on the performance of the whole system. If the one service, you know, slows down the rest of the system, and people are running several services on the same Xserve, obviously it's not going to be popular if the entire system gets slowed down.

So the twin to performance is scalability. Basically the main message is, when you're developing your server you need
to look to the future, look to expanded requirements. We all know computers are getting more powerful, networks are getting bigger. If you have to re-implement your server next year for some new requirements, you know, that's a lot of extra work, so you just want to keep that in mind as you're designing things. Hard drives are certainly an example of this. Xserve with Xserve RAID can support two and a half terabytes. You need to, you know, be aware of the large files and large numbers of files you might need to deal with on the file system. In addition, with the directory system there can be large numbers of users in the directory system. We actually had to revisit some of our design decisions in Workgroup Manager, you know, when we dealt with things like the LA school system, which put practically every child in the LA area into one large database. You're not going to be able to do things like enumerate through all the users, and so if you've got a UI for picking users you need to be able to deal with that and do perhaps directed searches and choosing of users. You also want to be aware of the large number of connected users you can have. As servers become more powerful, people are going to use them to serve more and more client machines, so you need to just keep in mind that the number of users that may connect to your service will increase over time. At the same time, you need to allow for the variety of connection types. Even if you're developing a server that's intended to be used, you know, in a corporate workgroup environment, you're going to have users connecting over AirPort, users connecting from home using DSL and VPN, and these sorts of connections have a very high latency. So even if you have an operation that's very fast when you're on the LAN, if there's a large number of network round trips, for this type of environment it can be extremely slow. So it's important to look at the actual network traffic and test for these types of connections.

Then the last little section, I just
wanted to talk about a couple of APIs that are available. Open Directory is certainly something we continue to push. It's a nice way to connect to a large number of directory systems. There's a flexible API, there's a plug-in architecture so it can be expanded to talk to new proprietary systems, and there's the session on this tomorrow you're certainly encouraged to go to. Single sign-on is, you know, a big push in Panther, and it's going to become even more important in the future, so definitely if you're doing a service you need to look at supporting Kerberos authentication in both the client and the server. I mean, hopefully single sign-on will become very prevalent, and people get very used to connecting to network resources without having to authenticate, so if one service, you know, continues to pop up an authentication dialog, people are going to become annoyed. I just wanted to point out, it was mentioned in the server overview session that we switched to an open source mail solution. Because of that, there are provided APIs for spam and virus filtering that weren't available in Jaguar, so that can be new opportunities to look at. Finally, if you're developing a media-related application, you might be interested in the QuickTime Streaming Server session tomorrow; again, it has a plug-in API as well as being fully open source.

At the end of my little section, basically here are people to contact. I hadn't seen this slide before. And here's some of the sessions I just mentioned. In addition, the Mac OS X Server feedback session is immediately following this one in North Beach, so if we run out of time for Q&A here you're welcome to go. And I guess, all right, here's just some open source pointers, and if you remember something later in terms of feedback, there's the page you can go to and harass us even after we're gone.
