~~ ~

Amoeba
A Distributed Operating System
for the 1990s

Sape J. Mullender and Guido van Rossum

Centre for Mathematics and Computer Science

Andrew S. Tanenbaum, Robbert van Renesse, and

Hans van Staveren
Free University of Amsterdam

n the nexi decdde, computer prices
T
1
will drop 50 low that IO, 20, or per-
haps IO0 powerful microprocessors
per user will be feasible. All this comput-
ing power will have to be organized in a
simple, efficient, and fault-tolerant system
that is easy to use. The basic problem with
current networks of PCs and workstations
is that they are not transparent; that is,
users are aware of the other machines. The
user logs into one machine and uses that
machine only, until doing a remote login to
another machine. Few if any programs take
advantage of multiple CPUs, even when all
are idle.
We envision a system for the 1990s that
will appear to users as a single, 1970s
centralized time-sharing system. Users
will not know which processors their jobs
are using (or even how many), where their
files are stored (or how many replicated
copies are maintained to provide high
availability), or how processes and ma-
chines are communicating. All resources
will be managed completely and automati-
cally by a distributed operating system.
Few such systems have been designed,
The Amoeba
distributed operating
system appears to
users as a centralized
system, but it has the
speed, fault tolerance,
security safeguards,
and flexibility
required for the 1990s.
and even fewer have been implemented.
Fewer still are actually used by anyone yet.
An early distributed system was the Cam-
bridge system.' Later systems were Lo-
cus,* Mach,' the V - K e r n ~ l and
, ~ Chorus.s
Here we describe Amoeba, a distributed
system developed at the Free University
and the Centre for Mathematics and Com-
puter Science in Amsterdam. Amoeba
combines high availability, parallelism,
and scalability with simplicity and high
performance.
Although distributed systems are neces-
sarily more complicated than centralized
systems and tend to be much slower, we
have worked hard to achieve extremely
high performance: Amoeba is already one
of the fastest distributed systems (on its
class of hardware) reported so far, and
future versions will be even faster. With
the current implementation, a remote pro-
cedure call can be performed in 1.4 ms on
Sun-3/50 class machines. The file server
can deliver data continuously at 677
Kbytes per second.
The Amoeba software is based on ob-
jects. An object is a piece of data on which
well-defined operations can be performed
by authorized users, independent of the
user's and object's locations. Objects are
managed by server processes and named
using capabilities chosen randomly from a
sparse name space.

44 0018-9162/90/0500-0014501.000 1990 IEEE COMPUTER

-.
 A process is a segmented address space
shared by one or more threads of control. Processor pool Workstations
m
Processes can be created, managed, and
debugged remotely. Operations on objects d d d
are implemented using remote procedure
calls.
Amoeba has a unique, fast file system
split into two parts: The bullet service
stores immutable files contiguously on the
7
-I
Gateway
Wide area
network
disk; the directory service gives capabili- Local area
ties symbolic names and handles replica- network
tion and atomicity, eliminating the need
for a separate transaction management Specialized servers
system. (file, database, etc.)
To bridge the gap with existing systems,
Amoeba has a Unix emulation facility Figure 1. Four components of the Amoeba architecture.
consisting of a library of Unix system call
routines that make calls to the various
Amoeba server processes.
Most classical distributed systems lit-
erature describes work on parts of or as- 48 24 8 48 Bits
pects of distributed systems: distributed
file servers, distributed name servers, dis- Service Object Rights Check
tributed transaction systems, and so on. Port number field field
Here we discuss the whole system, cover-
ing most of the traditional operating sys-
tem design issues, including communica- Figure 2. The structure of a capability. The service port identifies the service
tion, protection, the file system, and pro- that manages the object. The object number specifies the object (for example,
cess management. We explain not only which file). The rights field determines which operations are permitted. The
what we did but also why we did it. check field provides cryptographic protection to keep users from tampering with
the other fields.

Overview of Amoeba
The Amoeba project6 has been under
way for nearly 10 years and has seen
numerous system redesigns and reimple-
mentations as design flaws became glar-
ingly apparent. This article describes the
Amoeba 4.0 system, released in 1990.
Hardware architecture. As Figure 1
shows, the Amoeba hardware consists of
four components: workstations, pool pro-
cessors, specialized servers, and gateways.
The workstations execute only processes
that require intense user interaction - for
example, window managers, command
interpreters, editors, and CAD/CAM gra-
phical front ends. Most applications, how-
ever, do not interact much with the user
and are run elsewhere.
Amoeba’s processor pool provides most
of the computing power. Typically it con-
sists of many single-board computers, each
with several megabytes of private memory
and a network interface. The Free Univer-
sity, for example, has 48 such machines. A
pile of diskless, terminalless workstations
can also be used as a processor pool.
When a user has an application to run -
for example, building a program consist-
ing of dozens of source files -a number of
processors can be allocated to run many
compilations in parallel. When the user is
finished, the processors are returned to the
pool for other work. Although the pool
processors are all multiprogrammed, the
best performance is obtained by giving
each process its own processor, until the
supply runs out.
The processor pool allows us to build a
system in which the number of processors
exceeds the number of users by an order of
magnitude or more, something quite im-
possible in the personal workstation model
of the 1980s. The software has been de-
signed to treat the number of processors
dynamically, so processors can be added
as the user population grows. When a few
processors crash, some jobs may have to be
restarted and the computing capacity is
temporarily lowered, but otherwise the
system continues normally, providing a
degree of fault tolerance.
Specialized servers, the third system
component, are machines for running
dedicated processes with unusual resource
demands. For example, it is best to run file
servers on machines that have disks.
Finally, there are gateways to other
Amoeba systems that can be accessed only
over wide area networks. For a project
sponsored by the European Community
we built a distributed Amoeba system that
spanned several countries. The gateway
protects local machines from the idiosyn-
crasies of protocols that must be used over
the wide area links.
Why did we choose this architecture
instead of the traditional workstation
model? As it becomes possible to give each
user 10 to 100 processors, centralizing the
computing power will allow incremental
growth, fault tolerance, and the ability for
a large job to obtain a large amount of
computing power temporarily. Current
systems have file servers, so why not let
them have computer servers as well?
Amoeba software architecture.
Amoeba is an object-based system using
clients and servers. Client processes use
remote procedure calls to send requests to
server processes for carrying out opera-
tions on objects. Each object is both iden-
tified and protected by a capability, as
Figure 2 shows. Capabilities have the set

May 1990 45
 Amoeba Interface Language
Interfaces for object manipulation are specified in a nota-
tion called the Amoeba Interface Language.’ AIL resembles
the notation for procedure headers in C, but it has some ex-
tra syntax for automatic generation of client and server
stubs. The Amoeba class for standard manipulations on
filelike objects, for instance, could be specified as follows:
class basic-io [1000..1199] (
const BIO-SIZE = 30000;
bio-read(’,
in unsigned offset,
in out unsigned bytes,
out char buffer[bytes:bytes]);
bio-write(*,
in unsigned offset,
in out unsigned bytes,
in char buffer[bytes:BIO-SIZE]);
1;
The names of the operations, bio-read and bio-write,
must be globally unique. They conventionally start with an
abbreviation of the name of their class. The first parameter,
indicated by an asterisk, is always a capability of the object
to which the operation refers. The other parameters are la-
beled “in,” “out,” or ”in out” to indicate whether they are in-
put or output parameters to the operation, or both. Specify-
ing this allows the stub compiler to generate code to trans-
port parameters in only one direction.
The number of elements in an array parameter can be
specified by [n:m], where n is the actual number of elements
in the array and m is the maximum number. In an out array
parameter such as buffer in bio-read, the maximum size is
provided by the caller. In bio-read, it is the value of the in pa-
rameter bytes. The actual size of an out array parameter is
given by the callee and must be less than the maximum. In
bio-read it is the value of the out parameter bytes - the ac-
tual number of bytes read. On an in array parameter, the
maximum size is set by the interface designer and must be a
constant, while the actual size is given by the caller. In
bio-write, it is the in value of bytes.
This AIL specification tells the stub compiler that the opera-
tion codes for basic-io must be allocated in the range 1000 to
1199. A clash of operation codes for two different classes
matters only if these classes are both inherited by another,
bringing them together in one interface. Currently, each group
of people designing interfaces has a different range from
which to allocate operation codes. Later we hope to allocate
operation codes automatically.
The AIL stub compiler can generate client and server stub
routines for a number of programming languages and ma-
chine architectures. For each parameter type, marshalling
code is compiled into the stubs that convert data types of the
language to AIL data types and internal representations. Cur-
rently, AIL handles only fairly simple data types (Boolean, in-
teger, floating point, character, string) and records or arrays
of them. However, it can easily be extended with more data
types when the need arises.
Reference
1. G. van Rossum, “AIL - A Class-Oriented Stub Generator for
Amoeba,” Proc. Workshop on Experience with Distributed Sys-
rems, Springer-Veriag, Berlin, to be published in 1990.

of operations that the holder may carry out
on the object coded into them, and they
contain enough redundancy and crypto-
graphic protection to make guessing an
object’s capability infeasible. Keeping
capabilities secret by embedding them i n a
huge address space i s the key to protection
i n Amoeba. Because of the cryptographic
protection, capabilities can be managed
outside the kernel, by user processes them-
selves.
Objects are implemented by the server
processes that manage them. Capabilities
have the identity o f the object’s server
encoded into them (the service port) so
that, given a capability, the system can
easily find a server process that manages
the corresponding object. The remote pro-
cedure call system guarantees that requests
and replies are delivered only once, and
only to authorized processes.
Although at the system level objects are
identified by their (binary) capabilities, at
the level where most people program and
work, objects are named using a symbolic
hierarchical naming scheme. The direc-
tory service maintains a mapping o f ASCII
path names onto capabilities and has
mechanisms for performing atomic opera-
tions on arbitrary collections o f name-to-
capability mappings.
Amoeba has already gone through sev-
eral generations o f f i l e systems. Currently,
one f i l e server i s used almost to the exclu-
sion of all others. The bullet service (which
got i t s name from being faster than a speed-
ing bullet) i s a simple file server that stores
immutable files as contiguous byte strings
both on disk and i n i t s cache.
The Amoeba kernel manages memory
segments, supports processes containing
multiple threads, and handles interprocess
communication. The process management
facilities allow remote process creation,
debugging, checkpointing, and migration,
all using a few simple mechanisms ex-
plained i n a later section.
A l l other services (such as the directory
service) are provided by user-level pro-
cesses, in contrast to, say, Unix, which has
a large monolithic kernel for these ser-
vices. B y putting as much as possible i n
user space, we have achieved a flexible
system without sacrificing performance.
In the Amoeba design, concessions to
existing operating systems and software
were carefully avoided. But a Unix emula-
tion service was developed to run existing
software on Amoeba.
Communication
Amoeba’s conceptual model i s that o f a
client thread (thread o f control or light-
Yeight process) performing operations on
objects. For example, a common operation
on a file object is reading data from it.
Operations are implemented by making

46 COMPUTER
 Transport interface
The transport interface for the server consists of the calls * reply parameters
get-request and send-reply, as described in the section on *I
communication. They are generally part of a loop that ac- send-reply (
cepts messages, does the work, and sends back replies, as &repheader,
in this C fragment: &repbuffer,
repbuflen);
I' Code for allocating a request buffer *I ] while (I);
do I
get-request( Get-request blocks until a request comes in. Putreply
&port, blocks until the header and buffer parameters can be
&reqheader, reused. A client sends a request and waits for a reply by
&reqbuffer, calling
reqbuflen);
I' Code for unmarshalling do-operation(reqheader, reqbuffer, reqbuflen,
the request parameters repheader, repbuffer, repbuflen);
'I
I' Call the implementation routine ' I All of this code is generated automatically by the AIL com-
I' Code for marshalling the piler from the object and operation descriptions given to it.

remote procedure calls.' A client sends a
request message to the service that man-
ages the object. A server thread accepts the
message, carries out the request, and sends
the client a reply. To increase performance
and fault tolerance, multiple server pro-
cesses often jointly manage a collection of
similar objects to provide a service.
Remote procedure calls. The kernel
provides three basic system calls to user
processes: do-operation, get-request, and
send-reply. The first is used by clients to
get work done. It consists of sending a
message to a server and then blocking until
a reply comes back. The second is used by
servers to announce their willingness to
accept messages addressed to a specific
port. Servers use the third call to send
replies back. All communication in
Amoeba takes this form: First a client
sends a request to a server; then the server
accepts the request, does the work, and
sends back the reply.
No doubt systems programmers would
be content with only these three system
calls, but for most applications program-
mers they are far too primitive. Therefore
a more user-oriented interface has been
built on top of the mechanism, to allow
users to think directly in terms of objects
and operations on these objects.
Corresponding to each type of object is
a class. Classes can be composed hierar-
chically; that is, a class can contain opera-
tions from one or more underlying classes.
This multiple-inheritance mechanism al-
lows many services to inherit the same
interfaces for simple object manipulations,
such as for changing the protection proper-
ties on an object or deleting it. The mecha-
nism also allows all servers manipulating
objects with filelike properties to inherit
the same interface for low-level file I/O
(read, write, append - see sidebar on
Amoeba Interface Language). The mecha-
nism resembles the filelike properties of
Unix pipe and device I/O: The Unix read
and write system calls can be used on files,
terminals, pipes, tapes, and other 1/0 de-
vices. But for more detailed manipulation,
specialized calls are available (ioctl,
popen, and so forth).
Remote procedure call transport. The
Amoeba Interface Language compiler
generates code to marshal or unmarshal the
parameters of remote procedure calls into
and out of message buffers and then call
the Amoeba transport mechanism for de-
livery of request and reply messages (see
sidebar on the transport interface). Mes-
sages consist of a header and a buffer. The
header has a fixed format and contains
addressing information (including the
capability of the object that the remote
procedure call refers to), an operation code
that selects the function to be called on the
object, and some space for additional para-
meters. The buffer can contain data. A file
read or write call, for instance, uses the
message header for the operation code plus
the length and offset parameters, and the
buffer for the file data. With this setup,
marshalling the file data (a character array)
takes zero time because the data can be
transmitted directly from and to the argu-
ments specified by the program.
Locating objects. Before a request for
an operation on an object can be delivered
to a server thread that manages the object,
such a thread must be located. All capabili-
ties contain a service port field, which
identifies the service that manages the
object referred to by the capability. When
a server thread makes a get-request call, it
provides its service port to the kernel,
which records it in an internal table. When
a client thread calls do-operation, the
kernel's job is to find a server thread with
an outstanding get-request that matches
the port in the capability provided by the
client.
We call the process of finding the ad-
dress of such a server thread locating. It
works as follows: When a do-operation
call comes into a kernel, a check is made to
see if the port in question is already known.
If not, the kernel broadcasts a special lo-
cate packet onto the network asking if
anyone has an outstanding get-request for
the port in question. If one or more ker-
nels have servers with outstanding
get-requests, they respond by sending
their network addresses. The kernel doing
the broadcasting records the porthetwork
address pair in a cache for future use.

May 1990 47

.-
Secure communication
Client requests, addressed using an
object's capability, are delivered to one of
the servers with outstanding get-request
calls on the capability's port. Ports con-
aIntruder

I
sist of large, 48-bit numbers known only
to the server processes that make up the
service and to the server's clients. For a
public service such as the file system, the
port will be known to all users. The ports
used by an ordinary user process will, in
general, be kept secret. Knowledge of a
port is taken by the system as prima facie
evidence that the sender has a right to
communicate with the service. Of course,
the service is not required to carry out I
a Client ~ Server

work for clients just because they know

Clients, servers, intruders, and F-boxes.
the port. For example, the file server will
refuse to read or write files for clients
lacking appropriate file capabilities. Thus
Amoeba has two levels of protection:
ports for protecting access to servers and
capabilities for protecting access to indi-
vidual objects.
Although the port mechanism conven- tion that users cannot bypass. client are protected the same way, only
iently handles partial authentication of The transformation works like this. with the client picking a get-port for the
clients ("if you know the port, you may at Each port is really a pair of ports, P and reply, say G',and including P = F ( G ) in
least talk to the service"), it does not au- G,related by P = F(G),where F is a the request message.
thenticate servers. How do we ensure (publicly known) one-way function' per- The F-box makes it easy to implement
that malicious users do not make formed by the F-box. The one-way func- digital signatures for further authentica-
get-request calls on the file server's port tion has the property that given G it is a tion, if that is desired. Each client
and try to impersonate the file server to straightforward computation to find P, but chooses a random signature S and
the rest of the system? that given P, finding G is not feasible. publishes F(S).The F-box must be de-
One approach is to have all ports ma- Using the one-way F-box, servers can signed to work as follows. Each message
nipulated by kernels that are presumed to be authenticated simply, as the figure il- presented to the F-box for transmission
be trustworthy and are supposed to know lustrates. Each server chooses a get-port contains three special header fields: des-
who may listen on which port. We have G and computes the corresponding put- tination (4,reply (G'), and signature (S).
rejected this strategy because on some port P. The get-port is kept secret; the The F-box applies the one-way function
machines - for example, PCs - users put-port is distributed to potential clients to the second and third of these, trans-
might be able to tamper with the operat- or, in the case of public servers, is pub- mitting the three ports as P, F(G'),and
ing system kernel. Also, we believe that lished. When the server is ready to ac- F ( S ) , respectively. The first is used by the
by making the kernel as small as pos- cept client requests, it does a receiver's F-box to admit only those mes-
sible, we can enhance system reliability get-request (G, ... ). The F-box then sages for which the corresponding get
as a whole. Therefore, we have chosen a computes P = F(G) and waits for mes- has been done, the second is used as
different solution that can be imple- sages containing P to arrive. When one the put-port for the reply, and the third
mented in either hardware or software. arrives, it is given to the server process. can be used to authenticate the sender,
In the hardware solution we place a To send a message to the server, the since only the true owner of the signature
small interface box, a function box or F- client merely does do-operation (P, ... ), will know what number to put in the third
box, between each processor module which sends a message containing P in a field to ensure that the publicly known
and the network. The most logical place header field to the server. The F-box on F(S) comes out.
is on the VLSl chip used to interface to the sender's side does not perform any The F-box implements security and
the network. Alternatively, it can be put transformation on the P field of the outgo- protection simply, but gives operating
on a small printed circuit board inside the ing message. system designers considerable latitude in
wall socket through which PCs attach to Now consider the system from an choosing policies. The mechanism is flex-
the network. Where the processors have intruder's point of view. To impersonate a ible and general, so putting it into hard-
user mode and kernel mode, and the op- server, the intruder must do get-request ware should not preclude yet-to-be-de-
erating systems can be trusted, it can be (G, .._). However, G is a well-kept secret signed operating systems.
put into the operating system. This is the and is never transmitted on the network.
solution in the current Amoeba implemen- Since we have assumed that G cannot be
tation. deduced from P (the one-way property of
In the software solution we build the F- fj and that the F-box cannot be circum-
box with cryptographic algorithms, giving vented, intruders cannot intercept mes-
the same functional effect as the hard- sages not intended for them. An intruder Reference
ware box. In both cases we assume that doing get-request (F', ... ) will simply 1. M.V. Wilkes. Time-sharing Computer Sys-
all messages entering and leaving every cause his F-box to listen to the (useless) tems. 2nd ed.. Elsevier. New York, 1969,
processor undergo a simple transforma- port F(P). Replies from the server to the pp. 129-132.

48 COMPUTER
Table 1. The delay in milliseconds and the bandwidth in Kbytes per second for remote procedure calls between user pro-
cesses in three common cases with three different systems. For local RPCs the client and server run on the same processor.
The Unix driver implements Amoeba RPCs under Sun Unix.
~ ~ ~ ~~
Case 1
(4 bytes)
Native Amoeba local 0.8
Native Amoeba remote 1.4
Unix driver local 4.5
Unix driver remote 7.0
Sun RPC local 10.4
Sun RPC remote 12.2
Another broadcast is needed only if a
server dies or migrates.
When Amoeba is run over a wide area
network with a huge number of machines,
a slightly different scheme is used. Each
server wishing to export its service sends a
special message to all domains where it
wants its service known. (A domain could
be a company, campus, city, or country.) In
each domain a dummy process called a
server agent is created. This process does a
get-request using the server’s port and
then lies dormant until a request comes in.
Then it forwards the message to the server
for processing. Note that a port is just a
randomly chosen 48-bit number. It does
not identify a particular domain, network,
or machine (see sidebar on secure commu-
nication).
Performance. We measured the speed
of the Amoeba remote procedure call with
some timing tests. For example, we booted
the Amoeba kernel on two 16.7-megahertz
Motorola MC68020s, created a user pro-
cess on each, and let them communicate
over a 10-megabit-per-second Ethernet.
For a message consisting of just a header
(no data), the complete remote procedure
call (RPC) took 1.4 ms. With 8 Kbytes of
data it took 13.1 ms, and with 30 Kbytes it
took 44.0 ms. The latter corresponds to a
throughput of 5.4 megabits per second,
which is half the theoretical capacity of the
Ethernet and much faster than the speeds
most other systems achieve. Five client-
server pairs together can achieve a total
May 1990
~
Delay (ms) Bandwidth (Kbytes per second)
Case 2 Case 3 Case 1
(8 Kbytes) (30 Kbytes) (4 bytes) (8 Kbytes)
2.5 7.1 5.0
13.1 44.0 2.9
10.0 32.0 0.9
36.4 134.0 0.6
23.6 imposs. 0.4
40.6 imposs. 0.3
throughput of 8.4megabits per second, not
counting Ethernet and Amoeba packet
headers. Table 1 shows the speeds and
throughput of local communication (com-
munication between processes on the same
machine) and remote communication
(communication over Ethernet between
processes on different machines). Remote
operations were carried out with requests
containing 4 bytes, 8 Kbytes, 30 Kbytes,
and empty replies. Three RPC implemen-
tations were measured: RPCs on native
Amoeba, the same Amoeba protocol used
from a driver under Sun Unix, and Sun’s
own RPCs.
Why did we base the design on objects,
capabilities, and RPCs? Objects are a natu-
ral way to program. By encapsulating in-
formation, users are forced to pay attention
to precise interfaces, while irrelevant in-
formation is hidden from them. Capabili-
ties are a clean and elegant way to name
and protect objects. Using an encryption
scheme to protect objects moves capability
management out of the kernel. The RPC is
an obvious way to implement the request-
reply nature of performing operations on
objects.
File system
Capabilities form Amoeba’s low-level
naming mechanism, but they are hard for
people to use. Therefore an extra level of
mapping is provided from symbolic hierar-
chical path names to capabilities. A typical
user has access to literally thousands of
Case 2 Case 3
(30 Kbytes)
3,277 4,255
625 677
819 938
225 224
347 imposs.
202 imposs.
capabilities - those of the user’s own
private objects, but also capabilities of
public objects, such as the executables of
commands, pool processors, databases,
and public files.
While a user could perhaps store his own
private capabilities somewhere, a system
manager or project coordinator cannot
hand out capabilities explicitly to every
user who may access a shared public ob-
ject. Public places are needed where users
can find capabilities of shared objects, so
that when a new object is made shareable,
or when a shareable object changes, its
capability need be put in only one place.
Hierarchical directory structure.
Hierarchical directory structures are ideal
for implementing partially shared name
spaces. Objects shared among members of
a project team can be stored in a directory
that only team members have access to.
When directories are implemented as ordi-
nary objects with acapability that is needed
to use them, group members can be given
access by giving them the capability of the
directory, while others are denied access
by withholding the capability. A directory
capability is thus a capability for many
other capabilities.
To a first approximation, a directory is a
set of namehapability pairs. The basic
operations on directory objects are lookup,
enter, and delete. The first operation looks
up an object name in a directory and re-
turns its capability. The other two opera-
tions enter and delete objects from directo-
49

Bullet server memory
File table
File 1
data
Figure 3. Bullet server file representation.
ries. Since directories themselves are ob-
jects, a directory can contain capabilities
for other directories, thus allowing users to
build an arbitrary graph structure.
Complex sharing can be achieved by
making directories more sophisticated
than we have just described. In reality, a
directory is an (n+l)-column table with
ASCII names in column 0 and capabilities
in columns 1 through n. A capability for a
directory is really a capability for a spe-
cific column of a directory. Thus, for ex-
ample, users could arrange their directo-
ries with one column for themselves, a
second column for members of their group,
and a third column for everyone else. This
scheme provides the same protection rules
as Unix, but obviously many other schemes
are possible.
The directory service can be set up so
that whenever a new object is entered in a
directory, the directory service first asks
the service managing the object to make n
replicas, which can be physically distrib-
uted for reliability. All the capabilities are
then entered into the directory.
Bullet service. The bullet service is a
highly unusual file server. Each bullet
server supports only three principal opera-
tions: read file, create file, and delete file.
When a file is created, the user normally
provides all the data at once, creating the
file and getting back a capability for it. In
most circumstances the user will immedi-
ately give the file a name and ask the
50
r-l
I IFile 2
data
directory service to enter the namekapa-
bility pair in some directory.
All files are immutable; once created,
they cannot be changed. No write opera-
tion is supported. Since files cannot
change, the directory service can replicate
them at its leisure for redundancy.
Since the final file size is known when a
file is created, files can be and are stored
contiguously, both on the disk and in bullet
servers’ caches, as Figure 3 illustrates.
Administrative information for a file is
thus reduced to its origin and size, plus
some ownership data. The complete ad-
ministrative table is loaded into the bullet
server’s memory when it is booted. For a
read operation the object number in the
capability is used as an index into this
table, and the file is read into the cache in
a single (possibly multitrack) disk opera-
tion.
The bullet file service can deliver large
files from its cache or accept large files
into its cache at maximum RPC speeds,
that is, at 677 Kbytes per second. A remote
client can read a 4-Kbyte file from a bullet
server’s cache (over Ethernet) in 7 ms; a 1-
Mbyte file takes 1.6 seconds.8
Although the bullet service wastes some
space because of fragmentation, its per-
formance easily compensates for having to
buy an 800-Mbyte disk to store, say, 500
Mbytes of data.
Atomicity. Ideally, names always refer
to consistent objects, and sets of names
always refer to mutually consistent sets of
objects. In practice, this is seldom the case
and is, in fact, not always necessary or
desirable. But in many cases consistency is
necessary.
Atomic actions are useful for achieving
consistent updates to object sets. Protocols
for atomic updates are well understood,
and it is possible to provide a tool kit that
allows independently implemented ser-
vices to collaborate in atomic updates of
multiple objects managed by several ser-
vices.
For Amoeba we chose a different ap-
proach. The directory service handles
atomic updates by allowing atomic
changes in the mapping of arbitrary name
sets onto arbitrary capability sets. The
objects referred to by these capabilities
must be immutable, either because the
services that manage them refuse to change
them (for example, the bullet service) or
because the users refrain from changing
them.
The atomic transactions provided by the
directory service are not particularly use-
ful for dedicated transaction-processing
applications (for example, banking and
airline reservation systems), hut they do
prevent the glitches that sometimes result
when people use an application just as a
new version is installed, or the lost update
that results when two people simultane-
ously update a file.
Reliability and security. The directory
service is crucial to the system: Nearly
every application depends on it for finding
the capabilities it needs. If the directory
service stops, everything else will come to
a halt as well. So that no single-site failure
can bring it down, the directory service
uses techniques similar to those used in
fault-tolerant database systems to replicate
all its internal tables on multiple disks.
The directory service must also work
correctly and should never divulge a capa-
bility to an entity not entitled to see it. Yet
even a perfectly designed directory service
might allow unauthorized users to catch
glimpses of data. Hardware diagnostic
software, for example, has access to the
directory server’s disk storage. Bugs in the
operating system kernel might allow users
to read portions of the disk.
Directories can be encrypted so that
bugs in the directory server and the operat-
ing system (or other idiosyncrasies) will
not reveal confidential information. The
encryption key can be exclusive-ORed
with a random number and the result stored
alongside the directory, while the random
COMPUTER
number is put in the directory’s capability.
After giving the capability to the owner,
the directory service itself can forget the
random number. It needs the number only Process capability Host descriptor
when the directory has to be decrypted to
carry out operations on the directory, and
will always receive the number in the
capability that comes with every client’s
request.
Why did we design such an unconven-
tional file system? Partly to achieve great
speed and partly for simplicity in design
and implementation. The use of immutable
files (and some other objects) allows the
replication mechanism to be centralized in
the directory service. Immutable files are
also easy to cache (because a cached
immutable file can never become stale), an
m Segment descriptor

important issue when Amoeba is run over ~~

wide area networks.

Number of threads

Process management
Amoeba processes can have multiple
threads of control. A process consists of a
segmented virtual address space and one or
more threads. Processes can be remotely
r Thread descriptor

created, destroyed, checkpointed, mi-

grated, and debugged.
On a uniprocessor, threads run quasi-
parallel; on a shared-memory multiproces-
sor, as many threads can run simultane-
ously as there are processors. Processes
cannot be split over more than one ma-
chine.
Processes have explicit control over
their address space. They can add new
segments to it by mapping them in and
remove segments by mapping them out.
Along with virtual address and length, a
capability can be specified in a map opera-
tion. This capability must belong to a
filelike object, which is read by the kernel
to initialize the new segment. This allows
processes to do mapped-file I/O.
When a segment is mapped out, it re-
mains in memory, although no longer as
part of the address space of any process.
The unmap operation returns a capability
for the segment, which can then be read
and written like a file. One process can thus
map a segment out and pass the capability
to another process; the other process can
then map the segment in again. If the pro-
cesses are on different machines, the con-
tents of the segment are copied (by one
kernel doing read operations and the other
kernel servicing them). On the same ma-
chine, the kernel can use shortcuts for the
same effect.
A process is created by sending a pro-
Figure 4. Layout of a process descriptor.
cess descriptor to a kernel in an execute-
process request. Figure 4 shows the four
parts of a process descriptor. The host
descriptor describes the machine on which
the process can run - for example, its
instruction set, extended instruction sets
(when required), and memory needs but-
it can also specify a class of machines, a
group of machines, or a particular ma-
chine. A kernel that does not match the
host descriptor will refuse to execute the
process.
The capabilities are next. One is the
process capability that every client ma-
nipulating the process needs. Another is
the capability of a handler, a service that
deals with process exits, exceptions, sig-
nals, and other anomalies of the process.
The memory map has an entry for each
segment in the address space of the process
to be. An entry gives virtual address, seg-
ment length, how the segment should be
mapped (read only, read/write, execute
only, and so forth), and the capability of a
file or segment from which the new seg-
ment should be initialized.
The thread map describes the initial state
of each thread in the new process: the
processor status word, the program
counter, the stack pointer, the stack base,
the register values, and the system call
state. This rather elaborate notion of thread
state allows process descriptors to be used
not only for the representation of execut-
able files, but also for processes being
migrated, debugged, or checkpointed.
In most operating systems, system call
state is large and complicated to represent
outside an operating system kernel. In
Amoeba, fortunately, there are very few
system calls that can block in the kernel.
The most complicated ones are for
communication: do-operation and
get-request.
Processes can be in two states: running
or stunned. A stunned process - for ex-
ample, a process being debugged - exists
but does not execute instructions. The low-
level communication protocols in the op-
erating system kernel respond with “this
process is stunned” messages to attempts
to communicate with the process. The

May 1990 51
sending kernel will keep trying to commu-
nicate until the process is running again or
until it is killed. Thus, communication
continues with a process being interac-
tively debugged.
A running process can be stunned by a
stun request from the outside world (the
stunner must have the process capability as
evidence of ownership) or by an uncaught
exception. When the process becomes
stunned, the kernel sends its state in a
process descriptor to a handler, whose
identity is a capability that belongs to the
process’ state. After examining the pro-
cess descriptor, and possibly modifying it
or the stunned process’ memory, the han-
dler can reply with either a resume or a kill
command.
Debugging and migration are done
through stunning. The debugger takes the
role of the handler. For migration, first the
candidate process is stunned; then the
handler gives the process descriptor to the
new host. The new host fetches memory
contents from the old host in a series of file
read requests, starts the process, and re-
turns the capability of the new process to
the handler. Finally, the handler returns a
kill reply to the old host. Processes com-
municating with a process being migrated
will receive “process is stunned” replies to
their attempts until the process on the old
host is killed. They will then get a “process
not here” reaction. After they find the
process on its new host, communication
will resume.
The mechanism allows command inter-
preters to cache process descriptors of the
programs they start and kernels to cache
code segments of the processes they run,
Combined, these caching techniques
shorten process start-up times.
Our process management mechanisms
are unusual, but they are intended for an
unusual environment, one where remote
execution is normal and local execution is
the exception. The boundary conditions
for our design were a few simple mecha-
nisms that allowed us to implement pro-
cess execution, migration, debugging, and
checkpointing efficiently.
Unix emulation
Amoeba’s system interface is quite dif-
ferent from those of today’s popular oper-
ating systems. We did not want to write
hundreds of utility programs for Amoeba
from scratch, so we quickly decided to
write a Unix emulation package to allow
52
most Unix utilities to work on Amoeba,
sometimes with small changes. We consid-
ered binary compatibility but rejected it for
an initial emulation package because bi-
nary compatibility is more complicated
and less useful. (First, we would have to
choose a particular version of Unix; sec-
ond, binaries usually work for only one
machine architecture, while sources can be
compiled for any machine architecture;
and third, binary emulation is bound to be
slow.)
Our emulation facility started as a li-
brary of Unix routines that have the stan-
dard Unix interface and semantics but do
their work by calling the bullet service, the
directory service, and the Amoeba process
management facilities. The system calls
implemented initially were those for file
I/O (open, close, dup, read, write, Iseek)
and a few of the ioctl calls for ttys. These
were very easy t o implement under
Amoeba (about two weeks’ work) and
were enough to run a surprising number of
Unix utilities.
Next a session server was developed to
allocate Unix PIDs and PPIDs, and to as-
sist in the handling of system calls involv-
ing them (for example, fork, exec, signal,
kill). The session server is also used for
dealing with Unix pipes and allows many
other Unix utilities to run on Amoeba.
Users each start one session server along-
side their login shell.
About 150 utilities now run on Amoeba
without any changes to the source code.
We have not attempted to port some of the
more esoteric Unix programs, but we are
working to make our Unix interface com-
patible with some emerging standards (for
example, IEEE Posix).
The X Window System has been ported
to Amoeba and supports both TCPnP and
Amoeba RPCs, so an X client on Amoeba
can converse with an X server on Amoeba
and vice versa.
The Unix utilities have eased the transi-
tion to Amoeba. Gradually, however,
many of them will be replaced by utilities
better adapted to the Amoeba distributed
environment. Our new parallel Make is an
obvious example.
If we had designed a system that was
binary compatible with Unix, it would not
have been much of a step beyond the ideas
of the early 1970s. We wanted a new sys-
tem for the 1990s, designed from the
ground up. If the Unix designers had con-
strained themselves to being binary com-
patible with the then-popular RT- 11 oper-
ating system, Unix would not be where it is
now.
mong the design decisions for
A Amoeba we have been most
pleased with is our determina-
tion not to restrict ourselves to existing op-
erating systems or operating system inter-
faces. Unix is an excellent operating sys-
tem, but it was not designed for distributed
systems. We could not have made such a
balanced design with a Unix interface.
Nevertheless, we found it remarkably easy
to port to Amoeba all the Unix software we
wanted to use. Programs that are hard to
port are mostly for operations that Amoeba
handles in other ways (network access and
system maintenance and management, for
example).
Amoeba’s use of objects and capabili-
ties means that when we design a service
we need not worry about the protection of
its objects. The capabilities mechanism
automatically provides enough protection.
The system also provides a very uniform
and decentralized object-naming and
object-access mechanism.
Building directly on the hardware in-
stead of on an existing operating system
has been absolutely essential to Amoeba’s
success. A primary goal was to design and
build a high-performance system, and this
can hardly be done on top of another sys-
tem. As far as we can tell, only systems
with custom-built hardware or special
microcode can outperform Amoeba’s
remote procedure calls and file system on
comparable hardware.
The Amoeba kernel is small and simple.
It implements only a few operations for
process management and interprocess
communication, but they are versatile
and easy to use. The kernel is easy to
port between hardware platforms.
Amoeba now runs on VAXs and on Motor-
ola MC68020 and MC68030 processors,
and is currently being ported to the Intel
80386.
Acknowledgments
The work described here has been supported
by grants from NWO, the Netherlands Organi-
zation for Scientific Research; SION, the Foun-
dation for Computer Science Research in the
Netherlands; OSF, the Open Software Founda-
tion; and Digital Equipment Corporation.
COMPUTER
References
1. R.M. Needham and A.J. Herbert, The
Cambridge Distributed Computing System,
Addison-Wesley, Reading, Mass., 1982.
2. B. Walker et al., “The LOCUS Distributed
Operating System,’’ Proc. Ninth Symp.
Operating System Principles, ACM, Oper-
ating SysremsReview, Vol. 17, No. 5 , 1983,
pp. 49-70.
3. M. Accetta et al., “Mach: New Kernel
Foundation for UNIX Development,” Proc.
Summer Usenix Conference, Usenix, Sun-
set Beach, Calif., 1986.
4. D.R. Cheriton, “The V Distributed
System,”Comm. ACM, Vol. 31, No. 3, Mar.
1988, pp. 314-333.
5 . M. Rozier et al., “CHORUS Distributed
Operating Systems,” Report CS/Tech.
Report-88-7.6, Chorus Systems, Paris,
1988.
6. S.J. Mullender and A.S. Tanenbaum, “The
Design of a Capability-Based Distributed
Operating System,’’ Computer J., Vol. 29,
NO.4, Mar. 1986, pp. 289-300.
7. A.D. Birrell and B.J. Nelson, “Implement-
ing Remote Procedure Calls,” ACM Trans.
Computer Systems, Vol. 2, No. 1,Feb. 1984,
pp. 39-59.
8. R. van Renesse, J.M. van Staveren, and
A.S. Tanenbaum, “Performance of the
Amoeba Distributed Operating System,’’
Software - Practice and Experience, Vol.
19, No. 3, Mar. 1989, pp. 223-234.
Sape J. Mullender heads the distributed sys-
tems and computer networks research group at
the Centre for Mathematics and Computer Sci-
ence in Amsterdam. He has been a visiting
scientist at DEC’s Systems Research Center in
California and a visiting research fellow at
Cambridge University. Mullender’s research
interests include high-performance communi-
cation in distributed systems and the design of
scalable fault-tolerant distributed file servers.
He is also concerned with organization and
protection in distributed systems that can span
a continent.
Mullender is vice chairman and conference
coordinator of the ACM Special Interest Group
on Operating Systems. He received his PhD at
the Free University in Amsterdam. He is a
member of ACM and the IEEE.
May 1990
Guido van Rossum is a research assistant at the Hans van Staveren is one of the implementers
Centre for Mathematics and Computer Science of the Amoeba distributed operating system,
in Amsterdam. Since 1987 he has been with the working primarily on network protocols and
Amoeba project, working on an RPC interface kernel efficiency. Earlier he spent four years
specification language, a Unix emulation facil- researching code generation in the framework
ity, user interface issues, and system integra- of the Amsterdam Compiler Kit.
tion. Earlier he worked on the ABC Program- Van Staveren graduated from the Free Uni-
ming Language project. versity in Amsterdam in 1980.
Van Rossum studied mathematics and com-
puter science at the University of Amsterdam
and received a master’s degree in 1982.
The authors can be contacted at the Centre for
Mathematics and Computer Science, PO Box
4079, 1009 AB Amsterdam, the Netherlands.
Andrew S. Tanenbaum is a professor of com-
puter science at the Free University in Amster-
dam. His research interests include distributed
operating systems, programming languages,
and compilers. He is the author of the Minix
operating system, a principal designer of the
Amsterdam Compiler Kit, and a chief architect
of the Amoeba distributed operating system.
Tanenbaum received his BS from MIT and
his PhD from the University of California,
Berkeley. He is a member of ACM, the IEEE
Computer Society, and Sigma Xi. Learning Ike International, world
leader in advanced technology
education, is now offering four-day
intensive courses in Japan on
Software Development, CASE,
UNIX/C, Datacomm/Networks,
SignaVImage Processing, Project
Management and other computer-
related topics. We need technical
experts who are able to teach these
short courses on a consulting basis
in Tokyo in Japanese.
Please phone Dr. David Collins
Robbert van Renesse is a researcher in the at (213) 417-9700.
Computer Science Department at Cornell Uni-
versity on a grant from the Netherlands Organi-
zation for Scientific Research. He is working on
the management of distributed systems to im-
prove their robustness, performance, and scala-
bility.
Van Renesse received his PhD in computer 053 W. Century Blvd. / Los Angeles, CA 90045
science in 1989 from the Free University of
Amsterdam. Reader Service Number 4
53
__