Multics Technical Bulletin MTB-674
Volume Registration Commands
To: Distribution
From: Ed Sharpe
Date: 08/09/84
Subject: Removing Volume Registration from Operator Control
1 ABSTRACT
This MTB describes the changes proposed for moving the
volume registration commands from the Multics operator
interface to the system administration interface. In
addition to moving the functionality, some code
deficiencies are corrected.
Comments should be sent to the author:
via Multics Mail:
EJSharpe at either System-M, or CISL-SERVICE.
via Forum:
>udd>m>mtgs>B2 on System-M
via telephone:
(617/HVN) 492-9367
________________________________________
Multics project internal working documentation. Not to be
reproduced or distributed outside the Multics project without the
consent of the author or the author's management.
2 REQUIREMENTS:
These are the four commands in question:
add_vol_registration (avr)
change_vol_registration (cvr)
del_vol_registration (dvr)
list_vol_registration (lvr)
They are available to the system operator in release MR10.2 at
both ring-1 and ring-4 initializer levels.
A prerequisite for a B2 system security rating is that these
commands be removed from operator access. They are considered
too powerful and should be available to more trusted personnel.
They shall be transferred to the system administrator interface.
Another requirement is that operations on logical volumes be
logged. All changes to volume registration must be logged.
Also, all attempts to access (i.e. attach or detach) a private
volume must be logged (whether access was granted or denied).
3 CURRENT IMPLEMENTATION:
The commands are implemented by respective entrypoints in the
module "hvr_.pl1". This module invokes ring-1 primitives for
database manipulation. These primitives are implemented in the
module "hdx.pl1" which is accessed through the gate
"initializer_mdc_". Audit trails are kept only as operator input
entries in the AS log.
4 DEFICIENCIES:
Auditing of volume registration changes is inadequate. Logging
of private volume access attempts is done only on successful
attachments (i.e. "Mount LV..." operator message).
The ring-1 (hdx) primitives for database manipulation are
ill-defined and depend upon the outer ring invoking them in a
prescribed sequence without interruption.
Ring-1 database update (by hdx) is suboptimal. Updates are
accomplished by simply replacing the current database with an
updated copy from ring-4.
Scenario: (Adding a new PV to an existing LV)
The ring-1 routine (hdx) will pass a copy of the whole database
to ring-4 (hvr_). Ring-4 will then finish parsing/validating
command line arguments, update its copy of the ring-1 data, and
finally pass the whole mess back to ring-1. Ring-1 will blindly
replace its database with that received from ring-4. Ring-4 must
then make appropriate calls back into ring-1 to update database
names and to update the associated Master Directory Control
databases.
5 CHANGE CONSIDERATIONS:
To move this code to system administration it must be able to
deal with the potential for collisions between multiple
processes. Some locking mechanism must be introduced.
Considering the present organization of the code, this would be
tricky and non-robust. (Ring-4 would have to control a ring-1
lock, or a ring-4 lock would control access to a ring-1 database.
Either way seems sloppy.)
Rewriting of some code is necessary. The basic approach will be
to migrate that ring-4 code which deals with the database
structure into ring-1. Any database update will be done in a
single call to an hdx (ring-1) entrypoint. Thus, locking can be
done in a straightforward manner. Also, auditing of database
changes and access inquiries will be done from ring-1.
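The contrast between sections 4 and 5, as an added Python model (not Multics code and not part of the original bulletin): the whole-database hand-off loses an update when two processes interleave, while a single locked and audited inner-ring call does not. The entry names read_hv, write_hv, read_lvr, add_pvr and vrm_lock_ come from this MTB; their arguments, the validation rules, the auditing of rejected requests and all sample data are assumptions.

```python
import threading

class LegacyHdx:
    """Section 4 model: ring 1 hands out and takes back the whole database."""
    def __init__(self, db):
        self.db = db                          # lv name -> list of pv names
    def read_hv(self):
        return {lv: list(pvs) for lv, pvs in self.db.items()}
    def write_hv(self, new_db):
        self.db = new_db                      # blind replace: no check, lock or audit

class VolumeRegistrationMgr:
    """Section 5 model: one inner-ring call per update, locked and audited."""
    def __init__(self, db):
        self._db = db
        self._lock = threading.Lock()         # stands in for vrm_lock_$lock/$unlock
        self.audit = []                       # stands in for the ring-1 audit trail
    def read_lvr(self, lv):
        with self._lock:
            return list(self._db[lv])         # a copy, never the live structure
    def add_pvr(self, who, lv, pv):
        with self._lock:                      # released on any exit, like a cleanup handler
            if lv not in self._db:
                err = "no such lv"
            elif any(pv in pvs for pvs in self._db.values()):
                err = "pv already registered"
            else:
                err = None
                self._db[lv].append(pv)
            # Assumption: rejected requests are audited as well as applied changes.
            self.audit.append((who, "add_pvr", lv, pv, err or "ok"))
            return err is None

def legacy_lost_update():
    hdx = LegacyHdx({"lv_a": ["pv1"]})        # constructed sample data
    a, b = hdx.read_hv(), hdx.read_hv()       # two processes each take a copy
    a["lv_a"].append("pv2"); hdx.write_hv(a)
    b["lv_a"].append("pv3"); hdx.write_hv(b)  # overwrites the first update
    return hdx.db["lv_a"]

def managed_updates():
    mgr = VolumeRegistrationMgr({"lv_a": ["pv1"]})
    ok = [mgr.add_pvr("admin_a", "lv_a", "pv2"),   # constructed caller names
          mgr.add_pvr("admin_b", "lv_a", "pv3"),
          mgr.add_pvr("admin_b", "lv_a", "pv2"),   # duplicate: rejected
          mgr.add_pvr("admin_b", "lv_x", "pv9")]   # unknown LV: rejected
    return ok, mgr.read_lvr("lv_a"), mgr.audit
```

In the legacy model pv2 disappears with no record of who registered or removed it; in the managed model every request, applied or rejected, leaves an audit entry written by the inner ring.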
6 CHANGES REQUIRED:
hdx
- Change name to "volume_registration_mgr_". The old name
will be retained for compatibility with other calling
routines. These other routines shall be updated at some
future time.
- Improve primitives for database manipulation so that
ring-4 need make only one call per update operation.
- "add_lvr" entry shall replace "write_hv" ("lvr" is an
abbrev for logical volume registration). The entrypoint
should itself take care of creating ACS links, and calling
the proper mdc_ procedure for setting up the mdcs (mdir
database). This entrypoint will be used only to add a NEW
LV.
- "add_pvr" ("pvr" is an abbrev for physical volume
registration) is a new entry used to add a NEW PV and to
take care of database add names.
- "change_lvr" is a new entrypoint used to update
individual fields for an existing LV registration. It will
take care of any necessary name changes.
- "change_pvr" is a new entrypoint used to change
individual fields in a PV entry. It will take care of any
necessary name changes.
- "read_lvr" shall replace "read_hv" retaining the same
function.
- "read_pvr" is a new entry used to return the structure
for a single PV only. (read_lvr returns the whole
database.)
- "delete_lvr" shall replace "delete_hv" retaining the same
function.
- "delete_pvr" is a new entry used to remove a single PV
from an LV database.
- all entries which modify the databases shall use
vrm_lock_$(lock unlock) ("vrm" is an abbrev for
volume_registration_mgr_).
- Add auditing to all entries to log all database changes.
Access changes to volumes cannot be audited since private
volume access is controlled by user-ring ACSs.
- Add cleanup/any-other handlers as necessary to ensure
lock unlocking and correction of database inconsistencies
(where possible).
hvr_
- Change module name to "volume_registration_cmds_".
- Remove database manipulation code. Code for each of the
four entries shall be simply that necessary to
parse/validate arguments and pass the information to
ring-1. Message documentation shall be removed as this is
no longer accessible from the operator console.
- Completely spell out command entries rather than use the
current non-obvious abbreviations. The current names will
be retained for compatibility.
Present Name               New Name                      Abbrev
add_vol_registration       add_volume_registration       avr
change_vol_registration    change_volume_registration    cvr
del_vol_registration       delete_volume_registration    dvr
list_vol_registration      list_volume_registration      lvr
initializer_mdc_
- Remove the following database manipulation entries:
write_hv
read_hv
read_pv
delete_hv
make_link *
chname_hv *
* - These will no longer be available from ring-4 -
functionality shall be internalized within
volume_registration_mgr_. (Other entries will be moved to
mdc_priv_ - with appropriate renames).
mdc_priv_
- Add the following new entries into hdx to be used by
volume_registration_cmds_ (formerly hvr_):
add_lvr
add_pvr
read_lvr
read_pvr
change_lvr
change_pvr
delete_lvr
delete_pvr
volume_registration.incl.pl1
- Change declaration for based references of PV array
entries.
vrm_lock_
- New routine to perform locking for
volume_registration_mgr_ (copied from mdc_lock_.pl1).
Replace each occurrence of "mdc" with "vrm" and rename
entrypoints "set" and "reset" to "lock" and "unlock"
respectively.
vrm_data.incl.pl1
- New include file (copied from mdc_data.incl.pl1) which
has lock word and metering info. (Segment in >sl1 is
created during system initialization.)
rcp_attach_lv_
- This ring 1 module shall be changed to log all private
volume access attempts whether or not successful. (This is
already covered by the developer handling the RCP changes.)
rcp_detach_lv_
- This ring 1 module shall be changed to log all private
volume detachments. (This is already covered by the
developer handling the RCP changes.)
system_startup_
- This routine must be modified to remove the four volume
registration commands from the ring 1 initializer
interface.
system_control_commands.incl.pl1
- All data entries pertaining to the four volume
registration commands shall be nulled (or zeroed) and
commented as "unused". This is to remove those commands
from the ring 4 initializer interface.
sc_parse_
- This routine shall be recompiled after the changes to the
above include file are made.
MOH (Operator Handbook)
- This manual shall be modified to remove all references to
the four volume registration commands which are the subject
of this MTB.
MAM - System
- This manual shall be modified to include the command
descriptions removed from the MOH. References to
initializer specific considerations shall be changed or
removed (e.g. "This command can be executed in ring 1 or
ring 4.").