[Date Prev][Date Next] [Chronological] [Thread] [Top]

slapd as an appliance

To: "OpenLDAP-devel@openldap.org" <OpenLDAP-devel@openldap.org>
Subject: slapd as an appliance
From: Howard Chu <hyc@symas.com>
Date: Tue, 28 Oct 2014 16:14:17 +0000
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0 SeaMonkey/2.33a1

A couple different random thoughts all collided so I thought I'd jot them downhere...

We can have back-mdb/LMDB set the PROT_EXEC permission on the mmap, and thenstore executable code in LDAP entries and execute them directly. The idea cameto me while reading about just-in-time C compilers and remembering my previousplans for liblforth. At first I was thinking only of small plugins (e.g.syntax parsers/normalizers) but really there's no reason that you couldn'thandle larger executables the same way.

I.e., we could store all of slapd's dynamically loadable modules in a back-mdbbackend, change olcModuleLoad to use a DN, and dynamically insert and deletecode on the fly, without needing any filesystem interactions. Once you have asystem where all administrative operations can be done through LDAP, withoutrequiring any other admin interface, it becomes pretty trivial to drop it intoa sealed black box and deploy an "appliance." This would be a pretty keyadvantage for a small, self-contained embedded processor.

Of course, it doesn't stop there - if the only system interface needed is theLDAP port, we don't even need a full OS distro any more. We could run slapd asprocess #1 (who needs systemd?) - a hardened system with zero unexpectedattack surfaces, only one network port open to the world.

One of the current in-progress items for LMDB is to enable using it on rawdisk partitions. Adding this feature would mean you no longer have to worryabout what type of filesystem to choose, or how to format it before setting upa database. Again, it would be ideal for an appliance because you'd just haveto plugin a storage device and then create a back-mdb backend pointing to it.

Another item for LMDB, once raw partition support is working, is in-kernelLMDB. Initially my motivation was to reproduce the KBDBFS work - an in-kernelfilesystem built on top of BerkeleyDB (see herehttp://www.fsl.cs.sunysb.edu/docs/kbdbfs-msthesis/ ) but there's no need tostop there. We could port all of slapd into the kernel, and have a turnkeyappliance with no user processes at all.


Food for thought...
--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

Follow-Ups:
- Re: slapd as an appliance
  - From: Marcel Wysocki <maci@satgnu.net>

Prev by Date: Re: write-scaling problems in LMDB
Next by Date: Re: slapd as an appliance
Index(es):
- Chronological
- Thread