[Freedombox-discuss] System requirements and architecture to support them
I have some general questions about what capabilities the freedombox
system will provide to (a) its users and (b) its user-installed apps.
I expect answers will fall into three general categories:
1) "We've already decided on this and the answer is X"
2) "We've thought about this and are leaning toward answers X, Y, or Z"
3) "We haven't thought about this and it is a completely open
question. Here are my thoughts..."
I'd urge us to stay away from discussion of specific technologies or
existing software packages capable of filling various requirements.
This discussion is about focusing on what we want the freedombox to
do; not how it does it. Once we have a clear picture of the "must
have" requirements then we can start figuring out how they will be
accomplished.
Overall Architecture
==============
1) How will apps be packaged? Will they be completely independent like
smartphone apps, or will we allow for dependencies between packages
and have an install-time dependency resolver like traditional Linux
distributions? (discussion example: consider a photo gallery app)
2) Will there be a set of core APIs that are available to any app
running on the box? Will we prefer to keep the set of APIs as small as
possible, or will we take an "anything goes" attitude? (discussion
example: consider a possibility of a SQL-backed database API...would
we want to provide one, or would we prefer to just let each app keep
its own sqlite (or whatever) in its own disk area?)
Redundancy, Reliability, & Backup
=========================
1) What happens when my house burns down? How do I get my freedombox
services and data back as soon as possible?
2) What happens when my cable modem goes down while I'm on a 2 week
vacation? How will I get at my data and services while away from home?
2a) Will my box be peers with one other friend's box? Two other boxes?
N other boxes?
2b) Will those other boxes see only encrypted copies of my data until
I log in to them and make them the "master" for my domain? If I make
my friend's box master for my data, how do I ensure all of my apps get
installed onto their box? Is it automatic or do I do it manually?
2c) Will failover to a backup box happen automatically or will I
manually do it? If automatic, how do we prevent split-brain? If
automatic, how do we ensure it is impossible for the backup box to
decrypt the data prior to the failure (I don't want my friend looking
through my data any old time, only in an emergency.)
2d) What happens when my box comes back up? How does it regain its
status as master, pull updated data from my friend's box, resolve
inconsistencies, etc. Do we need to provide a "zero inconsistency"
solution such as is required by commercial redundant databases at
banks, or are we ok with a bit of slop in failover and synchronization
handling?
Service Management
===============
1) How do we handle two apps who both want to listen on port 25? Will
the user be allowed to install both of them? (I think we must not
allow them to be installed side by side, for user-friendliness
reasons)
2) Presuming apps must register what port(s) they will use, how do we
handle the case where an app registered port 25, but then found it was
unable to open the port because somebody else was using it? (Or stated
differently, how do we handle an app that opens a port that it did not
receive permission to open?)
3) How is daemon lifecycle handled? Do we stick with a traditional
barebones linux model like sysvinit, or does freedombox services
provide some heartbeat to bring up services which have gone down for
some reason?
4) How do we host 5 different apps, all of which want to be exposed to
the user on port 80?
4a) Do we have each service listen to a nonstandard port on the local
interface and then register with master server running on port 80 to
do a reverse-proxy?
4b) What about services who don't want to provide their own http
daemon, how do we allow them to use an existing system daemon? (or do
we even want to do this?)
Sandboxing
=========
1) To what extent do we want to enforce separation of apps, app data,
users, user data, and system data?
2) Will each app get its own UID?
3) Will each user get their own UID?
4) Will every app be able to see all user data or will the user have
to give the app permission?
5) How will we allow one user to share a piece of data with another
user (consider dropbox example where I want to make file X visible to
my friend who is also registered on the box)? Assuming both users have
given the app permission to see their data, presumably it would be
entirely up to the app itself to ensure that only the correct data is
made visible to the second user. Or should the system provide some API
to enforce it?
And one final question: Am I overthinking everything and should just
start hacking instead? Or do people like this idea of laying down a
general architecture before we start hacking?
Reply to: