WWDC2003 Session 606

Transcript

Kind: captions
Language: en
Good afternoon and welcome to Session 606, Mac OS X Server In Depth. Before we start, I'd like to spend just a couple of minutes or so talking about some of the strategic goals we had for Panther Server. First, we wanted to enhance our admin software with more features, including usability, integration and so on. Second, we wanted to provide ways to simplify the setup and configuration of lots of different servers, so for example racks of Xserves. Next, we wanted to complete the transition from NetInfo to LDAP server as the primary directory server, for scalability and many other benefits, and also establish a single sign-on strategy around Kerberos authentication; this is really important to us. And lastly, improve our Windows compatibility features, both in terms of being able to fit into existing Active Directory networks as well as being able to replace aging NT servers out there, and there are tons of them out there.

Since we're going to be talking about directory services and authentication in detail in two different sessions, Session 106 coming up right after this and Session 610 tomorrow morning at 10:30, we're going to be focusing on the three remaining items that are listed here. With that, we divided this session into four subsections. First we're going to talk about the Server Admin software and the architecture behind it, and also how developers can plug their software into the architecture. Second, we're going to be looking at the details of the Server Assistant's new features that are going to enable you to set up a bunch of different servers simultaneously, very quickly. Then we're going to be talking about Windows features: how we implemented it on top of Samba 3 and also how we integrated it with the rest of the Mac OS X Server components. And last but not least, we have a handful of tips on developing for the Panther Server platform; we'll be talking about things like optimizing your server software and such. So these are the four things we're going to talk about today, and since we usually have a mixed audience of both developers and sysadmin-side people in these server sessions, we're going to try to have useful information for both of those audience groups mixed in everywhere.

Let's just start talking about the admin software. In Jaguar Server we had two separate applications for configuring and monitoring servers: Server Settings for configuration and Server Status for monitoring. In Panther Server we are combining those two into a single application called Server Admin, and it has a bunch of new features which I'm going to come back to, but it also has a new GUI for a number of services that did not have a GUI in the past. For example, we now have QTSS management integrated with the rest of the Mac OS X Server services, so you no longer have to go to the web-based admin to manage the streaming server. We also now have an Open Directory GUI, because we keep adding these new Open Directory features that need configuration, such as replication support for LDAP and Kerberos. And we finally have a DNS GUI as well, since people have been asking us for this for five years, so thank you for waiting and I hope you're going to like it. We also have a GUI for the application server, which includes things like JBoss and such. And of course we also enhanced the existing GUI for services such as Web and Mail with a bunch of new features at the application level.

Before we start, how many of you went to the Mac OS X Server overview session before this? So pretty much everybody, so you know some of the new features. We do have this new duplication feature where you can replicate the configuration of services by simple drag and drop; it's a pretty cool feature. We also have a GUI for remote software update, so you no longer have to go to the server machine to perform software update, or go to Terminal to do so. Read-only mode: now that we combined configuration and monitoring, there was one problem, and that is we think many of you want to keep this application up and running all the time so you can monitor things, but if you walk away from the machine for a few minutes to go to the bathroom or whatever, people can just come up and change your configuration. So to prevent that we implemented this thing called read-only mode, where the application will not let you make any changes to your configuration until you type in your password to unlock it, and I'm going to demo that in a few minutes. We also have a summary view where at a glance you can get the status of all the servers and services, so you don't have to go to individual servers and see how things are going. This will be useful for computational clusters or web farms, or other environments where you have a large number of servers that you want to monitor simultaneously. And there are other features too, scattered throughout the application, so you can try it out from your CD and check it out. I should also mention this application is backward compatible, so you can manage both Jaguar servers and Panther servers; however, in Jaguar Server it's monitoring only, so you cannot configure. Sorry.
So now to actually give you a little demo of Server Admin. But the problem is this application is popular and it's been demoed in two other sessions, and I'm running out of things to show you, but I do have a couple of things I wanted to go over. So the first thing is, if I go to AFP, as everybody has seen, you can drag and drop the configuration here between different servers. We can also drag this onto the desktop, and this makes a backup copy of your configuration, so later on if you need to restore the server or whatever else, you can just go ahead and simply drag it back in. This will be very handy for a lot of people.

And the read-only mode. So let's go to the menu here and lock. Now the application tells you everything is locked out, so you see this little icon here that says it's read-only, and everything in the settings panel now cannot be edited. Same thing if you go to Windows, it's grayed out; same thing for FTP, it's grayed out. And you can unlock it by just going here and typing in the admin password, and you're back in business. You can also set a timer, so after a certain amount of time the application automatically locks itself, so it works much like the screen saver. So that's the Server Admin 30-second demo. Back to the presentation, please.

So now let's look at how this works behind the scenes. Server Admin is a Cocoa application, and there is a plugin for each of the services that you saw in the left-hand column, so there is a plugin for AFP, a plugin for the Web service, and so on. On the server side we have a stripped-down version of the Apache web server with a few custom modules that we developed, and it's working as the admin server engine. Server Admin talks to the backend engine by passing XML back and forth over HTTP, usually also over SSL. Whenever there's a request that comes from the GUI application, the engine dispatches it to a set of CGIs, and again there is one CGI for each of the services, so there's an AFP CGI, a Web CGI and so on. The individual CGIs know how to talk to their own particular service, so they can do things like start and stop the particular server or service, get real-time status information from the service, and also read and write the configuration file or configuration information for the service, which is usually stored either in a config file or up in the directory server. As needed, the CGI also signals the application to refresh its configuration or restart if necessary. And by the way, these CGIs are all just regular Unix command-line tools.

So that's the real basic design of our admin application and architecture, and if you notice, we try to use standard technology whenever possible: HTTP, XML, Apache, CGI, SSL and so on. Also, with this modular design, it was really easy for us to develop and debug this product. For example, to debug the client-side GUI application or the plugin, we didn't even have to have the server side; we could simply pass XML into it and test its functionality. And vice versa too, we could just use a web browser to push an XML file through the back end to test the server side. We could also test the CGIs: you could unit test them by simply SSHing into the server and directly invoking these CGIs as Unix command-line tools. So this works out pretty well for us. Right now it is not public, but if there's enough demand we would like to make it public, so if you're interested, please let us know.

Okay, thank you. I guess we have to look into making it public. We have actually been working with one particular developer to port their administration software to Server Admin, and it looks like we have something up and running now, so I thought it would be neat to actually have it demoed. So now I'd like to welcome Steve, who is the technical director of engineering at Sybase.

Thank you, Kazu. I think most of us here who have had the job of managing a network of servers can appreciate and understand the value of having the right tool for the job. We at Sybase hear that from our customers just about every single day, so we're very pleased that Apple has provided this extensible framework that allows us to plug in our server management capabilities with the admin framework that Apple has provided. Apple understands user interfaces; we don't, but we understand our database and what needs to be done, so they've provided a very elegant framework that makes a very nice user interface for the administration of our server. So what we have: we've been working with this toolkit for about 10 days now and we have a first pass at what we think will be available with the Panther release, when Panther comes out. So the standard disclaimer applies here: as I demo this, it may change quite a bit by the time we actually release this. I've got a Jaguar version here, I don't have the Panther release, and what I have is a plug-in on the admin tool side and the Apache module on the server side that understands something about Sybase.

So the general status tool says what the state of the service is, and the service is our Adaptive Server Enterprise. You can do things like read the transaction logs. We have a usage indicator that tells us the general summary of what's going on inside the server in terms of load, the number of users connected, the databases present in the system and their size and attributes and so forth. Databases map to devices, or physical devices, so we have some information about those. An engine is an operating system process; we associate one engine per CPU, so we can get information about that, any locks that are present in the system, and various monitor information is available. After learning the framework, it took us a day or two to sort out what this Cocoa environment is about; the challenge before us was then figuring out what information to present to you to make it useful and meaningful. We have, for example, over 200 configuration values, yet there's probably a dozen or so that are very commonly used, so our task is going to be to sort out which of these are most relevant. We will expose them all, but in the settings view we'll provide maybe a dozen or so configuration settings, for example numbers of users, memory cache sizes and so forth, that are typically used by our customers when they want to reconfigure the server. So we've been having a lot of fun with it; this is a very, very convenient tool to help us manage, and by the way you can start and stop the server without having to use a terminal window or anything else, so it's a very convenient way to look at everything going on in the server from a single workstation. And one thing that is very nice is that if you've got a list of servers here, you can get a summary view of all servers, and each service appears as a dot which is either red or green or some other color, and you can get a very clear overview of everything running on your network. So that's what we've done, and this will be available with our product, our 12.5.1 release, which we're timing to the release and availability of Panther. Thank you.
Thank you. Okay, so let's go back to the architecture diagram. I know many of you like Mac OS X Server's GUI and Cocoa, but some of us still like to use Terminal for managing servers. For those people we actually developed a new command-line tool, also called serveradmin, and with this tool you can do everything that you can do from the GUI, and more. So I'll show that to you right now. Switch to the machine here. Okay, so this is Terminal. You can do 'serveradmin list' and that lists all the services that are installed on the server, and of course you can use this to start or stop any of them. You can also get status on any particular service you'd like, so you can do something like 'fullstatus afp', and that gives you all this stuff on how the service or server is doing. So the AFP server is running, this is the time it was started, guest access is on, there is currently one user connected from this machine here, and throughput is zero since the client is sitting idle. You can also issue commands that are specific to any particular service, for example you can do this. So there you go, that lists all the currently connected users, with information such as the login name, the IP address and how long the person has been connected for, and so on. Of course you have commands for disconnecting the user, sending messages and so on.

But probably the most common use for this tool is doing the configuration of different services. For that you can just do 'settings', and again you can specify any of the services, so 'settings afp' lists all the configuration options for the AFP server and their current settings. So in here I've got the max number of threads, 40; the max guests is minus one, which I think means unlimited; the error log size and so on. If you know exactly what you're looking for, you can also simply type in one of the options and it shows just that. So this tells you that the login greeting setting is not set right now, it's empty. Of course you can set configuration as well, so let's go here and set the login greeting. If you go to the GUI and look at AFP, the login greeting is empty right now. Go here and set it, saying 'Welcome to WWDC', then go here and refresh, and it works.

Again, you can pretty much do everything that you can do from the GUI from this terminal application, but you can also use this as a building block to build your own custom solution on top of it. To illustrate that, we wrote a real quick, simple shell script that I will show to you. So let's say you add new websites to your server frequently with mostly the same options and you want to do that from the command line. You can use our shell script called addsite. Actually, before we start, let me go to the GUI here, Web settings, Sites, and make sure the only site that's defined right now is the default, so there's no other virtual host. We're going to go ahead and add one with addsite: specify the IP address and, let's see, the port number, the name of the site, mysite, and the web folder. There you go. So if you go to the GUI here, to Sites, now you have this website up and running; once you double-click on it you've got the web folder that we specified and so on.

So now let's look at how this works. addsite is actually just a single-line shell script. All it does is use sed to substitute some of the strings in this addsite data file with the arguments that have been passed into the shell script, and then it pipes the output to our command-line tool, which is running in its input mode. And if you look at the addsite data file, it's basically just a collection of the settings for the web server with a lot of default values, except for a few of them that start with an underscore, such as the IP address and the port number, which get substituted by sed. So it's real simple, but it works, so hopefully people can use this serveradmin command-line tool to create your own custom solutions.

So to summarize Server Admin: for system admins we have a new Server Admin GUI application that combines configuration and monitoring, and it has a bunch of new features. We also have the serveradmin command-line tool that you can use to do pretty much everything that you can do in the GUI, or you can use it as a building block to build your own custom solution on top of it. For developers, we have a modular, scalable and flexible Server Admin architecture that you can plug into, and if you're interested, let us know; we'd love to work with you. So that concludes the Server Admin portion, and I would like to welcome Scott Mulligan, who is going to tell us all about the new Server Assistant features. Thanks.
Hi there. This afternoon I'm Scott Mulligan and I'll be spending a few minutes with you discussing the Server Assistant. The Server Assistant is the first application that runs on a freshly installed server, and its objective is to get the system set up in the most basic setup state so that it can be fully configured at a later time, after it's been rebooted. So in Jaguar Server the Server Assistant is always run on the system console, and the system keyboard and mouse are used to capture setup data. Additionally, to accommodate headless servers and to provide an additional level of convenience, the Jaguar Server Assistant can be run from a remote system too, in order to perform both setup and installation. Of course, in Panther Server we've come up with a couple of ways that we can improve this experience even more.

So with the popularity of Mac OS X Server, we realized that many of our customers are buying multiple servers and thus they're setting up multiple servers. So with Panther Server we've designed it so that they will be able to set up multiple servers simultaneously from a single interview process. This will be accomplished by running the Server Assistant from a remote system and targeting the specific servers that you want to set up. It will look something like this: servers that are eligible for setup on the local subnet will show up in a list, and the system administrator simply selects the servers to be set up. Additionally, the administrator may add servers to this list by providing an IP address, thus enabling the remote setup of a server that's not on the local subnet. Once the target systems are selected and authentication information has been provided, the administrator proceeds into a standard setup interview where the setup information is collected, and at the end of the interview all the servers are set up.

There's also another scenario that we found that some of our customers are running into. It turns out that some of our customers actually reinstall their systems from time to time, and others, due to the specific nature of how they use our servers, actually end up resetting their systems up more frequently as they repurpose our servers from one particular task to another. For these folks, setting up the server is something that they'd rather not deal with at all, so for these folks we thought, why not have the servers set themselves up? Of course you need to provide the setup information once, but you could save it to a file to be used again later. So in Panther Server the Server Assistant has been designed to actually go out and discover setup profile data on its own. It does this by looking for the setup data in local file systems, which can include local hard drives and various types of removable media such as CDs, FireWire drives, USB drives, etc. Additionally, the Server Assistant will look and try to discover setup data that has been saved to a directory server. If a directory server is accessible and it holds setup data that pertains directly to this server, then the Setup Assistant will utilize that data to set up the server.

So what does this mean? Well, for one thing it means that your iPod can set up your server. Imagine saving setup profiles for dozens of servers onto your iPod, or a FireWire drive, a USB thumb drive, maybe even a compact flash card reader. You walk up to your server, plug it in, and your server sets itself up. Or maybe you save these profiles onto your directory server that's on your local network; your servers just set themselves up. You wouldn't have to plug anything in; they could just find the info they need and set themselves up all on their own.

So how does this work? Well, first of all we have a special setup daemon that runs on the server when the server needs to be set up, and there is a special place on the server that the server setup daemon examines from time to time, looking for setup data. The daemon loops periodically, checking to see if this data has shown up. But there are other places the daemon could attempt to find setup data: directory servers, for example, or the local file system. The daemon will examine these places as it proceeds through its loop, and if it's able to find the relevant setup data, it will utilize it and then restart the system.

These last few slides have focused on the back-end process that actually enables this auto setup feature; let's look at the bigger picture, though. As I showed you in the previous slides, there's a server setup daemon loop that is running on the server, and there's a specific place that is examined for that setup data. But there's also a GUI application, and that GUI application can be running locally on the server or it could be running on a remote system, say your desktop in your office. In either case the GUI application presents an interview to the administrator in order to collect the setup data, and at the end of that interview, if the server is to be set up at this time, in other words at the end of the interview process, that setup data is delivered to this specific location on the server that the server setup daemon examines from time to time, and if that's done it enables the server to set itself up. But as we said, the server setup daemon can discover data in other locations, as in the directory server; so therefore the GUI application has to have the ability, to begin with, to connect to a directory server and save the setup data to a directory server, and once this is done, of course, it allows the server to set itself up. And as we mentioned before, the same thing can be done with the local file system. I'd like to point out that the local file system here may not be local to the server at the time that you save it; it may be your iPod, but when you carry it over and plug it into your server, it becomes a local file system on the server. On the other hand, it could be a partition that already exists on this server.

Okay, so the setup profile for your server may contain sensitive data that you don't want other people to see. If that data is saved onto some form of removable media that you actually safeguard yourself as the administrator, such as your iPod, that might not be a problem, but that's not always the case. Therefore, any time data is saved from the GUI application, whether it's to a file or to directory services, an option is provided to encrypt that data. The encryption utilizes a user-provided passphrase that is used as the key for both encrypting and decrypting the data. Encryption is accomplished using the CAST5-CBC algorithm of the openssl command-line tool. The server setup daemon process will wait for the data to become decrypted, so if the data is available but it's encrypted, it will wait for that data to become decrypted. However, while it's waiting, it has also been designed to see if it can find a decryption key. So it will look in local file systems, in a specific location on those local file systems, to see if it can find that decryption key; it will not look in directory services, for obvious reasons. But if it can find that key, it will utilize it to decrypt the file. So you can imagine having this key file on your iPod, and while the data may be available and encrypted, all you need to do is walk up and plug in your iPod and it goes. Additionally, the GUI application itself has a mechanism for delivering this passphrase directly to the server, and in that case that passphrase is used to decrypt the data directly.

Now, you may remember I said that you might be able to save dozens or even hundreds, if not more, of these setup profile data files onto your iPod. This is how you keep track of them so that you know which setup file goes with which server. Basically, the server setup daemon process looks for these setup files by name, and it looks in a particular order. So these are the naming conventions, and this is the order in which it looks for them: to begin with, it will look for a file that's named with the Ethernet hardware address dot plist, then it will look for an IP address, followed by a hostname dot plist, and then finally the hardware serial number. And then we also provide a catch-all name, which is just the word generic, which will match any server.

So let's take a quick look at generating a setup profile using the Server Assistant, and then we'll look at how we can examine that file using the Property List Editor. Could you switch over to this machine, please?

So here I have the Server Assistant. I'll bring it up and we'll be working with this in sort of an offline mode. In order to make the demo a little bit quicker, so I don't have to type in a lot of stuff, I'm actually going to load in a configuration file I saved earlier. In my home directory here, in the admin home directory, I have one called server settings plist, so I'm going to load that in. So as you can see, you can use Server Assistant to actually edit configurations you've saved before. So it's been brought in and you can see we've already set up certain things; we could actually change this if we wanted to. I've got to be able to type. We'll continue on here: I've already got a server name set up for it, network interface here, I already have Apple file service and FTP service enabled, but I'm also going to turn on mail service. Continue on with our time zone; we'll go ahead and have it use a network time server. And at the very end of the interview process you have a summary page where you can review the settings that you've made. You can see all those here, you can go back and make changes if you like, and then over here you have the ability to save this. Now, you can save it as a text file, which is basically going to be just like this part right here that we're looking at, that I was scrolling through, something that you might be able to print out and put in a file cabinet somewhere. Or you can save it as a configuration file, and this is where you save it into a plist file, and here's your option to save it encrypted if you'd like. You could also save it to a directory server. So I'm going to go ahead and save this as a configuration file and I'm going to save it into the admin home directory. Go ahead and call this server02.apple.com.plist, and it's been saved into the home directory. So let's go take a look at that. Where is it? There it is. So here's my home directory, and you probably just saw that blink as the file was added to the list here. So we can open this file with our Property List Editor, and you can see this is just a simple XML file. Let's look at the services that we set to auto-start: as you can see, we have file, FTP and mail, which are the settings up here. The admin user I had, I changed it to Snidely Whiplash. So that's it in a nutshell, and at this time I'm going to turn the podium over to Rusty Tucker, who's going to talk to you about Windows compatibility. Thank you.

Thanks, Scott.
even before we started you guys were
booing my demo so we might as well bring
up number four here and you know get it
out of our system
but what is there not to love about an
operating system that demands to give it
the three finger salute just to log in
so if we go back to the slides but
seriously we've got a lot of neat things
in mac OS x server that help you
integrate in into existing windows
networks and support windows networks so
where we are today the jaguar server
provides basically a standalone server
for windows clients and that's all based
on tomba 2 point 2 X provides good you
know very robust and high performance
SMB file and print services but that
comes with a number of functional
limitations in in how people would like
to deploy it we don't have a way to
change password you can't provide domain
logins you can't host windows home
directories and we have no way of taking
the client or the server to fit into an
existing Active Directory network for
example so the first thing we'll talk
about is sitting into active directory
networks both the client and the server
can do this with the Active Directory
plug-in provides proxy authentication
UID and GID mapping back to the active
directory directory and you can come and
see the directory services session
tomorrow for some more information about
that but there's one thing that's really
missing here in this scenario and that's
you still have windows NT servers on
this network so what we'd like to do in
Panther is provide a way to replace
those windows servers on the network
and so the Panther server can be
configured as a primary domain
controller and what that means is that
it provides directory and authentication
services to the windows clients on the
network and that lets you support
windows home directories and single
sign-on so windows users they log in to
the to the login window that we saw an
XP provide that name faster once and to
any services in the domain they will not
need to provide that name and password
again it also supports the roaming
profile so that the settings follow the
user when they log in from machine to
machine and we can provide unified
management using the server admin and
the workgroup manager administration
tools so what is a windows network login
what are the components of that first of
all when you login it comes and
downloads the roaming profile from the
network and this is all the settings for
the user including their desktop picture
settings for internet explorer and so on
it's really in the Mac os10 world it's
similar to what you find in the twiddle
public art whittle library all the
preferences in there the second thing is
the home directory mount and that
contains shared items and it's really
analogous to our twiddle public it's a
way for you to share files and things
with other users on the network and you
can also define the startup script which
can be used to mount other share points
or run applications every time that you
login okay
And we've chosen Samba 3. In order to implement this in Panther Server we chose Samba 3 because it provides Unicode support on the wire, which is supported by all the modern Windows clients, and it also provides a plug-in architecture, not only for the user accounts but also for us to get directory information back. And lastly, we've added to this a way to support our just-in-time home directory creation and setting quotas, as we do in AFP.

So we'll take a brief look at how we've actually implemented this and how the block diagram sets up. We've got Samba 3 as the starting point. By default it wants to integrate with local private databases; Samba 2 did this, and even Windows NT servers do this with the Windows registry and their SAM database. In our architecture and environment we want to switch that out and set it up to work with Open Directory, working with the Password Server and LDAP server on the back end, and the plug-ins for Samba are going to let us do this. First of all we've got the auth plug-in; it's actually called auth open directory. It provides authentication services to the clients, and that hooks us up to the LDAP server on the back end, or not to the LDAP server but to the Password Server, where we can get LAN Manager and NT hash authentications for the Windows clients. Second, the directory plug-in, through the directory plug-in API, is called pdb open directory, and that supports all the getting and setting of user attributes, and that's basically talking to the LDAP server as its back end. So once we've got that all hooked up, now you can use our administration tools such as Workgroup Manager to actually create Windows user accounts, set their password, set password policy and so on.

And lastly is integration into the server itself. As you've seen with the Server Assistant setup, we want to provide a way for servers to be able to configure themselves, and a way to do this with clients is to provide just-in-time setup for the home directories and also to set quotas like the AFP server does. This is provided through the /etc configuration and some scripts and tools that we've written, and source code for all this is available from the Darwin site, including our plug-in.

You've heard before there's tight integration between the Windows users and the Mac users in the directory, and it's actually the same user account, same user password. We've extended the user record to provide the attributes that are required by Windows users, and they're distinct from the Mac users' attributes, so there's no overlap there: the drive letter for mounting the home directory, the UNC address of the share point where their home directory is going to come from, the login script path and the path to the roaming profiles. And the computers themselves need to authenticate before they join the network, and so we've had to extend the computer record to support that as well. So now we'll look at a demo. Back to demo three.
First thing we'll take a look at is how you actually set up a PDC, and you'll notice whenever we're looking at setting up Windows, whether it's Windows computers, Windows users or the Windows service itself, we'll have the Windows label on all those items. And like with all the other services it's got an overview, logs, connections, graphs to show connected users and of course settings. So what's new here is that we've added additional roles for the service: it can be the standalone server that we had with Jaguar; it can be a domain member, so it can be not the server that's providing domain controller services to the network but just a server that's providing sharing services or supporting Windows home directories; or a primary domain controller. And here you'll set the domain name and the computer name, and whenever we set it up as primary domain controller it also enables the WINS service, the Windows Internet Naming Service, on the network, which is really important for that.

We'll go to Workgroup Manager next. You can see we've got two users, admin and bill; bill will be our Windows user, a very complicated user. Everything that we're going to see is basically the same as what a Mac OS X user would have: password type Open Directory, you can define groups that they have memberships in, a home directory that's got a share point called users, mail, print services, and then the Windows panel, and this is where you define the profile path, the login script, the location of where the hard drive, or where it's going to be the mount point for the user share point. So now that we've got that, now we can actually log in to this Windows computer, so let's bring up demo four.

And here we choose the domain that we're going to log into; in this case it recognizes the in-depth domain that we've defined on the server. Type our password, it logs in, downloads the user settings and then comes up with the familiar Windows desktop, where we can go to My Computer and actually see the mount point. You see it actually populates it with the Mac OS X directory, the home directory shell for Mac OS X users, so they get the Movies directory, Library, Public, Pictures, everything. So this same user can also log in on Mac OS X machines on this network, and we'll go ahead and do that. I'm going to log him out.

Now you have to, first of all, this wants to save the settings back to the server. Now that that's done, we'll come back to demo three and we'll just log out here and log in. This user has done a forward migration and is now a Mac OS X user, and sees the same home directory. So that's that. So next up we'll bring up Greg Vaughn, who'll bring you a little information about developing for Mac OS X Server.

Hello, I'm Greg Vaughn. Yeah, as he said, I'm going to talk about developing for Mac OS X Server, so I guess all the sysadmins can sort of tune out now. So the first thing I want
to talk about is Xserve. Xserve is the primary platform for Mac OS X Server. Because of that, you need to be aware that any applications you write for X Server are likely to be running on a system that's got no keyboard, no monitor, no logged-in user. This sort of environment limits the frameworks and APIs you can use in Mac OS X. Obviously you're going to want to avoid the GUI APIs, AppKit or the HI Toolbox. You need to be careful about APIs that might want to bring up dialogs, you know, like logging in, mounting network volumes; you need to bring up an authentication dialog. There's a lot of APIs that are perfectly fine to use in this environment: Core Services as the umbrella framework has a few, including Carbon Core, just the lower level of the Carbon API. Foundation's available if you want to write a Cocoa app; you can write a server in Cocoa. Foundation has a lot of server-safe APIs. If you've got a C or C++ server but you want to have some Mac OS X functionality, like reading preferences out of a plist, Core Foundation has a lot of useful APIs callable from C.

So if you want to provide a user interface to your application, you're going to need to separate out that user interface from your core service. You've seen the examples of this: basically our Server Admin product and our Server Assistant are both implemented this way. Your GUI part's going to need to be able to run on a remote machine, so you're going to need to have a way of targeting what server you're talking to. Basically you can type in an IP address, but Rendezvous provides a really nice mechanism for browsing and locating servers. You're going to need to provide a networking connection between your two halves; if you've got administration data, often you want that to be an encrypted connection. But you don't necessarily need to write the networking software yourself. In our various services we've employed a variety of techniques: Server Admin uses HTTP over SSL and talks to an Apache web server on the back end. The sharing portion of Workgroup Manager actually uses Open Directory and Open Directory Proxy to stuff values into the directory on the server that the service then reads out; that's more of a one-way communication. And Server Assistant actually packages functionality as a set of command line tools and then invokes those tools remotely using SSH. Finally, you're going to need a separate installer for the GUI portion so it can be installed on your admin client machine. Next thing I'd like to talk
about is a bit about performance. I'm going to pass on a few things we've learned when we were optimizing the performance of our own services. One of the things we've looked a lot at is reducing the system calls in servers, even system calls that would normally be quite fast. You need to be aware that in the server environment, on a loaded server, calls into the kernel can cause contention between various threads and processes. The contention will cause lots of extra process flipping, which will result in wasted CPU time. For instance, when we were looking at Samba 3 we decided to make a couple of changes: we changed the read and write calls to pread and pwrite, because it avoids the extra lseek, and we also found Samba implemented some locking using fcntl calls, and in this case spin locks seemed to be fine, so we switched to that. These two changes alone resulted in a noticeable increase in performance. We also, in Samba, decided to change, for networking I/O, the read and write calls to recv and send. read and write need to go through the file system code to look at the file descriptor to decide that it actually is a socket descriptor, whereas recv and send can call directly into the network code, and that avoids some locking as well. In AFP we not only use recv, but because AFP reads in a header and then knows how much data it wants to read in its packet, it actually uses MSG_WAITALL on recv. Normally recv will wake up each time some data comes in, and if the process is just going to look at it and go back to sleep again waiting for the rest of the data, again that's wasted CPU time. Another thing we did in AFP was we decided to switch to memory-mapped I/O for reads, because that way when you're actually doing the reading you bypass the file system and go to the lower-level VM system, which also can avoid some contention and improve performance. You do need to be a bit careful of memory-mapped I/O, because the VM system isn't going to be able to return errors; if you've got a sort of a drive that can go away, like a network-mounted drive, it can be difficult to deal with that situation, so you want to avoid it for drives that perhaps can disappear, you know, unexpectedly. Last thing I just want to say is if you're developing a server and you're looking at performance, it's important not to just look at the service itself but its impact on the performance of the whole system. If the one service, you know, slows down the rest of the system, people are running several servers on the same Xserve, obviously it's not going to be popular.
The entire system gets slowed down. So the twin to performance is scalability. Basically the main message is, when you're developing your server, you need to look to the future, look to expanded requirements. We all know computers are getting more powerful, networks are getting bigger; if you have to re-implement your server next year for some new requirements, you know, that's a lot of extra work, so you just want to keep that in mind as you're designing things. Hard drives are certainly an example of this: for example, with Xserve RAID it can support two and a half terabytes. You need to, you know, be aware of the large files and large numbers of files you might need to deal with on the file system. In addition, with the directory system, there can be large numbers of users in the directory system. We actually had to revisit some of our design decisions in Workgroup Manager, you know, when we dealt with things like the LA school system, which put practically every child in the LA area into one large database. You're not going to be able to do things like enumerate through all the users, and so if you've got a UI for picking users you need to be able to deal with that and do perhaps directed searches in choosing users. You also want to be aware of the large number of connected users you can have. As servers become more powerful, people are going to use them to serve more and more client machines, so you need to just keep in mind that the number of users that may connect to your service will increase over time. At the same time you need to allow for the variety of connection types. Even if you're developing a server that's intended to be used, you know, in a corporate workgroup environment, you're going to have users connecting over AirPort, users connecting from home using DSL and VPN, and these sorts of connections have a very high latency. So even if you have an operation that's very fast when you're on the LAN, if there's a large number of network round trips, for this type of environment it can be extremely slow, so it's important to look at the actual network traffic and test for these types of connections.
Then the last little section: I just wanted to talk about a couple of APIs that are available. Open Directory is certainly something we continue to push; it's a nice way to connect to a large number of directory systems. There's a flexible API, there's a plug-in architecture so it can be expanded to talk to new proprietary systems. There's the session on this tomorrow; you're certainly encouraged to go to it. Single sign-on is, you know, a big push in Panther, and it's going to become even more important in the future, so definitely if you're doing a service you need to look at supporting Kerberos authentication in both the client and the server. I mean, hopefully single sign-on will become very prevalent; people get very used to connecting to network resources without having to authenticate, so if one service, you know, continues to pop up an authentication dialog, people are going to become annoyed. I just wanted to point out, it was mentioned in the server overview session that we switched to an open source mail solution; because of that there's provided APIs for spam and virus filtering that weren't available in Jaguar, so that can be new opportunities to look at. Finally, if you're developing a media-related application you might be interested in the QuickTime Streaming Server session tomorrow; again it has a plug-in API as well as being fully open source.

That's the end of my little section, and basically here are people to contact. I hadn't seen this slide before. And here's some of the sessions I just mentioned. In addition, the X Server feedback session is immediately following this one in North Beach, so if we run out of time for Q&A here you're welcome to go. And I guess there are, all right, here are just some open source pointers, and if you remember something later in terms of feedback, there's the page you can go to and harass us even after we're gone.
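As an added example, not code from the session and not Apple's Samba or AFP implementation, here is a small C program that exercises the two syscall-reduction techniques Greg describes: reading at an offset with pread() instead of lseek()+read(), and receiving a body whose length the header already announced with MSG_WAITALL so the kernel wakes the process once rather than once per fragment. The temporary file path and the 19-byte sample message are constructed for the demo; it assumes a POSIX system (Linux or macOS) and uses a forked child over a socketpair to deliver the message in two fragments.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Constructed sample file contents (not from the session). */
static const char SAMPLE_DATA[] = "0123456789abcdef";

/* Read len bytes at offset with lseek()+read(): two trips into the kernel,
 * and the shared file position is moved as a side effect. */
static ssize_t read_with_seek(int fd, void *buf, size_t len, off_t offset) {
    if (lseek(fd, offset, SEEK_SET) == (off_t)-1) return -1;
    return read(fd, buf, len);
}

/* Same bytes with pread(): one trip into the kernel and the file position is
 * left alone, which is why it is safe for threads sharing one descriptor. */
static ssize_t read_positional(int fd, void *buf, size_t len, off_t offset) {
    return pread(fd, buf, len, offset);
}

/* Returns 1 if both approaches yield the same 4 bytes ("89ab") and pread()
 * leaves the file position where lseek()+read() left it; 0 on any failure. */
int demo_pread_vs_lseek(void) {
    char path[] = "/tmp/wwdc606_XXXXXX";   /* hypothetical temp file name */
    int fd = mkstemp(path);
    if (fd < 0) return 0;
    unlink(path);                         /* anonymous once open */
    size_t n = sizeof SAMPLE_DATA - 1;
    if (write(fd, SAMPLE_DATA, n) != (ssize_t)n) { close(fd); return 0; }

    char a[4], b[4];
    if (read_with_seek(fd, a, 4, 8) != 4) { close(fd); return 0; }
    off_t pos_after_seek_read = lseek(fd, 0, SEEK_CUR);   /* now 12 */
    if (read_positional(fd, b, 4, 8) != 4) { close(fd); return 0; }
    off_t pos_after_pread = lseek(fd, 0, SEEK_CUR);       /* still 12 */
    close(fd);
    return memcmp(a, "89ab", 4) == 0 && memcmp(a, b, 4) == 0
        && pos_after_seek_read == 12 && pos_after_pread == 12;
}

/* AFP-style receive: the header already told us the body length, so ask the
 * kernel to wake us once with all of it instead of once per fragment. */
static ssize_t recv_exact(int sock, void *buf, size_t len) {
    return recv(sock, buf, len, MSG_WAITALL);
}

/* Count the recv() calls needed to collect a 19-byte body that a forked
 * sender delivers in two fragments 300 ms apart. Returns 1 with MSG_WAITALL,
 * 2 with plain recv() (one wakeup per fragment), -1 on error or bad data. */
int recv_calls_needed(int use_waitall) {
    static const char BODY[] = "HEADERBODY-PART-TWO";  /* constructed sample */
    const size_t want = sizeof BODY - 1;
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(sv[0]); close(sv[1]); return -1; }
    if (pid == 0) {                       /* child: fragmented sender */
        close(sv[0]);
        if (write(sv[1], BODY, 6) != 6) _exit(1);
        usleep(300000);
        if (write(sv[1], BODY + 6, want - 6) != (ssize_t)(want - 6)) _exit(1);
        close(sv[1]);
        _exit(0);
    }
    close(sv[1]);
    char buf[64];
    size_t got = 0;
    int calls = 0;
    while (got < want) {
        ssize_t r = use_waitall ? recv_exact(sv[0], buf + got, want - got)
                                : recv(sv[0], buf + got, want - got, 0);
        calls++;
        if (r <= 0) { calls = -1; break; }
        got += (size_t)r;
    }
    close(sv[0]);
    waitpid(pid, NULL, 0);
    if (calls > 0 && memcmp(buf, BODY, want) != 0) return -1;
    return calls;
}

int main(void) {
    printf("pread vs lseek+read agree: %d\n", demo_pread_vs_lseek());
    printf("recv calls, plain recv(): %d\n", recv_calls_needed(0));
    printf("recv calls, MSG_WAITALL:  %d\n", recv_calls_needed(1));
    return 0;
}
```

The position check in demo_pread_vs_lseek is the part that matters for a multi-threaded server: lseek()+read() is not only two kernel entries but also a race on the descriptor's shared offset, whereas pread() has neither problem. In recv_calls_needed the plain-recv count equals the number of fragments the sender happened to produce, which on a real network is unpredictable; MSG_WAITALL makes it one regardless, which is the wake-up saving the talk describes. Note that MSG_WAITALL still returns short on EOF or a signal, so the loop around it is kept.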