From Fedora Project Wiki

Latest revision as of 19:36, 17 December 2018

Make dbus-broker the default DBus implementation

Summary

Enable dbus-broker.service to use dbus-broker as the system and session message bus backend.

Owner

  • Release notes owner:

Current status

  • Targeted release: Fedora 29
  • Last updated: 2018-12-17
  • Tracker bug: #1557954 (https://bugzilla.redhat.com/show_bug.cgi?id=1557954)
  • Release Notes tracking: #128 (https://pagure.io/fedora-docs/release-notes/issue/128)

Detailed Description

The dbus-broker project is an implementation of a message bus as defined by the D-Bus specification. Its aim is to provide high performance and reliability while remaining compatible with the D-Bus reference implementation. It is written exclusively for Linux systems and makes use of many modern features provided by recent Linux kernel releases.

The main focus points of dbus-broker are reliability, scalability, and security. The dbus-broker project tries to improve on these points over dbus-daemon, and thus provide a better alternative. An in-depth analysis can be found in the initial announcement of dbus-broker. An excerpt:

  • Accounting: dbus-broker maintains per-user accounting, including inter-user quotas. This guarantees that no single user can cause irregularly high memory consumption in the daemon. Unlike dbus-broker, dbus-daemon accounts memory in a multi-tier system, based on plain resource counters on users, connections, and other resources. The multi-tier system suffers from resource-chaining-exhaustion, where clients effectively circumvent the accounting by creating multiple connections/objects, which themselves grant them each a new set of quotas. The single-tier accounting scheme of dbus-broker avoids this, while at the same time adding inter-user quotas to prevent misuse even across clients.
  • Reliability: While D-Bus is used on reliable transports, dbus-daemon might still silently drop messages under certain circumstances. This is the only possible solution dbus-daemon has, given several of its runtime guarantees. The dbus-broker project changed the architecture of the bus daemon to a degree that it can provide many guarantees, including that no message will be silently, or unexpectedly, dropped.
  • Scalability: The message bus broker is a crucial piece of infrastructure on a modern Linux system and a hot path for almost all IPC. Hence, the broker should be fast and scale with its users. dbus-daemon has several **global** data structures that affect the overall scalability of independent message transactions. dbus-broker does not employ any global data structures (unless required by the spec), so any message transaction is only affected by the data provided by the involved peers. Moreover, even for spec-defined global behavior, dbus-broker avoids global data structures unless clients actually make use of these obscure features. In several other cases, dbus-daemon takes O(n) time looking up message targets and related data. dbus-broker runs all these in O(log(n)) time.
  • Linux-specific: The dbus-broker project was explicitly designed for Linux systems, making use of many Linux-specific APIs and behaviors. This allows mitigation of several possible DoS attacks.
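
To make the accounting point above concrete, the following is an added toy model written for this page; it is not code from dbus-daemon or dbus-broker, and the class names, limits and byte counts are constructed assumptions. It shows why per-connection counters let one user's pinned memory grow with the number of connections it opens (resource-chaining exhaustion), while a single per-user pool caps it regardless of how many connections exist.

```python
from collections import defaultdict

class MultiTier:
    # dbus-daemon style (as described on the page): a per-user connection
    # counter plus a separate per-connection byte counter that starts at zero.
    def __init__(self, max_conns_per_user, max_bytes_per_conn):
        self.max_conns, self.max_bytes = max_conns_per_user, max_bytes_per_conn
        self.conns = defaultdict(set)          # user -> connection ids
        self.bytes_by_conn = defaultdict(int)  # connection id -> bytes pinned
    def connect(self, user, conn):
        if len(self.conns[user]) >= self.max_conns:
            return False
        self.conns[user].add(conn)
        return True
    def charge(self, user, conn, nbytes):
        if self.bytes_by_conn[conn] + nbytes > self.max_bytes:
            return False
        self.bytes_by_conn[conn] += nbytes
        return True
    def held_by(self, user):
        return sum(self.bytes_by_conn[c] for c in self.conns[user])

class SingleTier:
    # dbus-broker style (as described on the page): every byte any of a user's
    # connections pins in the daemon is charged to that user's single pool.
    def __init__(self, max_bytes_per_user):
        self.max_bytes = max_bytes_per_user
        self.bytes_by_user = defaultdict(int)
    def connect(self, user, conn):
        return True  # a connection is not a quota-granting object here
    def charge(self, user, conn, nbytes):
        if self.bytes_by_user[user] + nbytes > self.max_bytes:
            return False
        self.bytes_by_user[user] += nbytes
        return True
    def held_by(self, user):
        return self.bytes_by_user[user]

def fill_to_limit(acct, user, n_conns, chunk):
    # Open up to n_conns connections and queue chunk-byte messages on each
    # until the scheme refuses; return the bytes the daemon now holds for user.
    for i in range(n_conns):
        conn = f"{user}-c{i}"
        if not acct.connect(user, conn):
            break
        while acct.charge(user, conn, chunk):
            pass
    return acct.held_by(user)
```

With a nominal limit of 1000 bytes in both schemes, the multi-tier model lets one user pin 1000 bytes per connection (4000 with four connections), while the single-tier model holds the user at 1000 in total and leaves other users' pools untouched.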

Benefit to Fedora

D-Bus is a core part of Fedora, used both by system services and in user sessions. It will only become more critical as more things get containerized. This change provides a more scalable and more reliable implementation in place of the reference implementation. The reference implementation suffers from long-standing issues, including potential deadlocks and susceptibility to denial of service attacks, which the replacement implementation does not.

Scope

  • Proposal owners:
    • Fix regressions.
    • Rename the dbus package to dbus-daemon and split off its utility tools (dbus-send, etc.) into dbus-utils.
    • Move dbus.service to dbus-daemon.service, but add an alias to dbus.service (which is also what dbus-broker does).
    • Create a new dbus-common package which carries the dbus policies and configuration. Make both dbus-daemon and dbus-broker depend on it.
    • Add a systemd-preset file to enable dbus-broker.service.
  • Other developers:
    • Watch for regressions.
  • Release engineering: #7262 (https://pagure.io/releng/issue/7262)
    • List of deliverables: N/A
  • Policies and guidelines: No changes needed.
  • Trademark approval: No changes needed.

Upgrade/compatibility impact

It is safe to switch back and forth between dbus-daemon and dbus-broker as the backend for the system and session buses. No data migration is needed: the configuration and data formats are equivalent for both implementations.

All known compatibility issues are listed and discussed on the project wiki.

How To Test

Install the dbus-broker package and enable it via:

   systemctl enable dbus-broker.service
   systemctl --global enable dbus-broker.service

After a reboot, dbus-broker will be used as the system and session message bus. This can be easily reverted by running the corresponding systemctl disable commands.

User Experience

No visible changes in behavior are expected, except for different log messages. Any visibly different behavior to dbus-daemon should be reported as a regression. Ideally, this change should only improve the performance and security of the message bus.

Dependencies

None

Contingency Plan

  • Contingency mechanism: Revert to dbus-daemon.
  • Contingency deadline: Any
  • Blocks release? No
  • Blocks product? None

Documentation

Release Notes

WIP

Categories: ChangeAcceptedF30, SystemWideChange