Distributed Computing Current Architecture Description
Summer 1995
Introduction
The primary goal of the Distributed Computing Task Force is to
make distributed computing at Penn more useful and usable. Before we
can do so, we must have an understanding of our current distributed
computing architecture, including both the good and the bad features.
In particular, we look to describe, or at least characterize, the
way in which we provide:
- Desktop Computers,
- Multi-user Hosts and Servers,
- Network Access,
- Computer Support,
- Authentication or Login,
- Authorization or Access Control,
- System Security and Management,
- File Access,
- File Backup,
- Software License Management,
- Printing,
- On-line Help and Consulting, and
- Directory Services.
For the most part, distributed computing at Penn has not been
designed or architected from a campus-wide perspective. The result of
this is many islands of distributed computing, using several different,
non-interoperable technologies. Interoperability is usually achieved
only because different organizations share the goal of being able to
communicate with the Internet. The resulting set of services includes
basic telnet, ftp, electronic mail, WHOIS and CSO/ph directory services,
NetNews, and the World-Wide Web.
As discussed in our
"Business Requirements and University Direction", the University
has dynamic and diverse computing requirements, which demand a rich
set of heterogeneous solutions. Open standards are the key to providing
more useful and usable access to those solutions. Unfortunately, most
of Penn's current distributed computing architecture uses proprietary
standards.
This document describes some of the ways Penn presently provides
and supports the facilities and functions listed above.
Desktop Computers
Desktop computers are primarily PCs running DOS and MS-Windows, and
Macintoshes running MacOS, with a relatively small but important number of
various types of Unix workstations and X-terminals, and a very small and
unimportant number of other systems such as VAXstations and dumb terminals.
The overall ratio of PCs to Macs on campus is approximately 60/40, with a ratio of
approximately 70/30 in administrative areas. In administrative areas, between 50 and
65 percent of desktop computers are considered obsolete, with academic areas generally
thought to be in slightly better shape, but still facing multi-year upgrade cycles.
Many people also have computers at home, often the old system from the office,
although use of portable computers is increasing, and these systems are increasingly
very powerful. (Unfortunately a number of network connectivity management
problems arise for systems that go back and forth between on- and off-campus
network connections.)
For more information on Penn's Desktop Computer Standards, see URL:
"http://www.upenn.edu/computing/arch/standards/desktop.html". For information
on Penn's Desktop Networking Software Standards, see URL:
"http://www.upenn.edu/computing/product/".
Multi-user Hosts and Servers
Multi-user hosts range from a large IBM MVS mainframe supporting legacy
administrative data processing applications and a number of library systems,
to large and small Unix systems from Digital, HP, IBM, Sequent, SGI, and
Sun, plus scattered use of Intel-based Unix systems such as FreeBSD, SCO,
and Linux. In addition there is a decreasing number of VMS systems of various
sizes.
Work group file services are provided primarily by AppleShare, Novell Netware,
and NFS, with approximately 20 dedicated AppleShare file servers, 65 Novell servers
(1 version 2.x, 60 version 3.x, and 4 version 4.x). The number of Macs running
Personal AppleShare, PCs running Windows for Workgroups, and recently
Windows 95, and Unix systems running NFS and/or Columbia AppleTalk
Protocol's (CAP) AppleShare Unix File Server (AUFS) is uncounted but significant.
Approximately 80 percent of Novell servers run the MacNLM allowing them to serve
Macintoshes. The early availability of peer-to-peer Personal AppleShare is perceived
to have reduced the need for dedicated file servers. A similar fate may await dedicated
PC file servers with the growing availability of Windows peer-to-peer networking.
In general, pure Mac workgroups use AppleShare servers, pure PC workgroups use Novell,
and Unix workgroups use NFS. Workgroups with all three tend to use NFS as the lingua
franca, while PC and Mac oriented groups use Novell with the MacNLM. Similarly,
Mac and Unix groups sometimes use CAP AUFS and NFS.
Of Penn's approximately 100 subnets, only 10-15 percent have Novell file servers and
even fewer have dedicated AppleShare servers. 80-90 percent of subnets however contain
Novell or AppleShare client systems.
Network Access
PennNet is a 100-building, collapsed-backbone Ethernet with high-end Cisco routers connected
via FDDI. Fiber optics are used for interbuilding connections, with hub-and-spoke radial Ethernet
wiring with shared multiport repeaters within buildings. Some buildings make extensive use of
Ethernet bridges to isolate traffic and faults, and some of them are beginning to use Ethernet
switches to gain capacity, while the FDDI ring is being pushed closer to the switches. An ATM
switch is also being piloted. For more information on Penn's Network Architecture, see URL:
"http://www.upenn.edu/computing/group/natf/".
Computer Support
Computer support is highly distributed, diverse, and disparate. It is also under study in hopes
of making it more rational and cost-effective. For the time being however, it is important to
note that there is no computer center at Penn. Instead, each school and many departments
have their own computer support staff. The larger schools maintain larger groups with expertise
in many areas, and infrequently turn to the University-wide computing groups. Smaller schools
and other organizations rely more or less heavily on central support and expertise in various areas.
Authentication or Login
Authentication is managed by each individual service and system. That is to say, by
each Unix system, Library database, DEC VMS or IBM MVS host, each Novell NetWare,
AppleShare, OS/2 LAN Manager, or Windows NT server. Some WWW pages also require
usernames and passwords, as does the telephone-based student registration and grades
reporting system, called PARIS. Some services use user-selectable passwords, while
others use ID numbers, birth dates, or the first 5 or last 4 digits of the user's
social security number.
This means users must enter their username(s) and passwords over and over as they
access different systems, or, in the case of Unix systems, use security "work-arounds"
like .rhosts files. Naturally, some systems do not allow the use of security
work-arounds, while others do. Similarly, some groups of Unix systems use NIS to help
manage usernames and passwords, while others use either local "hacks" to achieve
similar ends, or make users manage their passwords themselves.
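The .rhosts "work-around" mentioned above trades a password prompt for host-based trust, so the practical question for an administrator is how much trust a given file actually grants. The following is an added example, not part of the original Penn document: a small auditor for the classic BSD .rhosts format (one "host [user]" entry per line, where "+" in either field means "any"). The file contents and the example.edu host names are constructed for illustration.

```python
# Added example (not from the original document): classify .rhosts entries
# by how much password-less trust each one grants. Format assumed is the
# classic BSD one: "host [user]", with "+" meaning "any host" or "any user".
# Negation ("-host") and netgroup ("@group") forms are not handled here.

from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    path: str
    line_no: int
    entry: str
    risk: str      # "critical", "high", or "info"
    reason: str


def audit_rhosts(path: str, contents: str) -> List[Finding]:
    """Classify each entry of one .rhosts file by the trust it grants."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(contents.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # skip comments and blank lines
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None

        if host == "+" and user == "+":
            risk, reason = "critical", "any user on any host may log in without a password"
        elif host == "+":
            risk, reason = "critical", "any host is trusted for this account"
        elif user == "+":
            risk, reason = "high", "every user on %s is trusted" % host
        elif user is not None:
            risk, reason = "high", "user %s on %s may log in as this account" % (user, host)
        else:
            risk, reason = "info", "same username on %s is trusted" % host
        findings.append(Finding(path, line_no, line, risk, reason))
    return findings


def worst_risk(findings: List[Finding]) -> str:
    """Return the most severe risk level present, or "none" for an empty file."""
    order = {"none": 0, "info": 1, "high": 2, "critical": 3}
    worst = "none"
    for f in findings:
        if order[f.risk] > order[worst]:
            worst = f.risk
    return worst


# Constructed sample: what a departmental Unix host's ~/.rhosts might contain.
SAMPLE_RHOSTS = """\
# trusted workstations
ws1.example.edu
ws2.example.edu alice
+ +
"""

if __name__ == "__main__":
    results = audit_rhosts("/home/alice/.rhosts", SAMPLE_RHOSTS)
    for f in results:
        print(f"{f.path}:{f.line_no} [{f.risk}] {f.entry!r}: {f.reason}")
    print("worst:", worst_risk(results))
```

Run over a real home directory tree, the "critical" class is the one to chase first: a lone "+" anywhere makes the account reachable from every host that can speak to the machine, which is exactly the exposure the "work-around" was meant to avoid paying for.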
In addition, many public access computer labs use automatic, hidden "guest"
usernames to connect to file servers. While users don't need to perform this login
manually, these computing services are effectively unauthenticated.
Authorization or Access Control
In the current technologies, authorization services, by which access to computing
resources is controlled, are tightly tied to the authentication service and the file
systems. The concept of separating authentication from authorization is not generally
seen. Instead, login access to a host or file server is determined by the username
and password, from which point the user can access much of the system. Access to
specific files is determined by the protections on a given file and/or directory,
implemented in either Unix-style mode bits, or Access Control Lists (ACLs). In either
case, access is granted or denied by mapping the identity assumed at login to the
protection mask.
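The last sentence above, the mapping of the identity assumed at login onto a file's protection mask, is the whole of the authorization model in these systems, and the two encodings the text names behave differently in a way that matters. The code below is an added example, not part of the original Penn document: the Unix mode-bit check and a minimal ACL check, both driven by the same login identity. The ACL layout here is a simplified one chosen for illustration and does not follow any particular vendor's ACL format or semantics; the identities, files and ACL contents are constructed.

```python
# Added example (not from the original document): how an identity (uid plus
# group list) established at login is tested against a protection mask,
# first as Unix mode bits and then as a simplified ACL.

from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

READ, WRITE, EXEC = "r", "w", "x"   # a request is a string drawn from these


@dataclass(frozen=True)
class Identity:
    uid: int
    gids: FrozenSet[int]            # primary plus supplementary groups


@dataclass(frozen=True)
class UnixFile:
    owner_uid: int
    group_gid: int
    mode: int                       # permission bits only, e.g. 0o640


def _bits(wanted: str) -> int:
    need = 0
    if READ in wanted:
        need |= 0o4
    if WRITE in wanted:
        need |= 0o2
    if EXEC in wanted:
        need |= 0o1
    return need


def unix_allows(ident: Identity, f: UnixFile, wanted: str) -> bool:
    """Classic Unix check: exactly one class (owner, else group, else other)
    is selected by identity, and only that class's triplet is consulted.
    Root (uid 0) bypasses read and write checks; execute still needs at
    least one execute bit set somewhere in the mode."""
    if ident.uid == 0:
        return EXEC not in wanted or (f.mode & 0o111) != 0
    if ident.uid == f.owner_uid:
        shift = 6
    elif f.group_gid in ident.gids:
        shift = 3
    else:
        shift = 0
    cls = (f.mode >> shift) & 0o7
    need = _bits(wanted)
    return cls & need == need


# Simplified ACL: ordered entries of (principal, permissions), where the
# principal is ("user", uid), ("group", gid) or ("other", None).
ACLEntry = Tuple[Tuple[str, object], str]


def acl_allows(ident: Identity, acl: List[ACLEntry], wanted: str) -> bool:
    """Simplified ACL evaluation: every entry matching the identity
    contributes its permissions; the request must be covered by the union."""
    granted = set()
    for (kind, who), perms in acl:
        if (kind == "user" and who == ident.uid) or \
           (kind == "group" and who in ident.gids) or \
           kind == "other":
            granted.update(perms)
    return set(wanted) <= granted


# Constructed identities and objects.
ALICE = Identity(uid=1001, gids=frozenset({100, 200}))
BOB = Identity(uid=1002, gids=frozenset({100}))
CAROL = Identity(uid=1003, gids=frozenset({200}))
REPORT = UnixFile(owner_uid=1001, group_gid=200, mode=0o640)
# Owner triplet empty but group triplet permissive: Unix still evaluates
# Alice as the owner, so she is denied even though group 200 (which she
# belongs to) would be allowed. An ACL union would have let her in.
ODD = UnixFile(owner_uid=1001, group_gid=200, mode=0o070)
ACL = [(("user", 1001), "rw"), (("group", 100), "r"), (("other", None), "")]

if __name__ == "__main__":
    for who, name in ((ALICE, "alice"), (BOB, "bob"), (CAROL, "carol")):
        print(name, "report rw:", unix_allows(who, REPORT, "rw"),
              "report r:", unix_allows(who, REPORT, "r"),
              "odd r:", unix_allows(who, ODD, "r"),
              "acl r:", acl_allows(who, ACL, "r"))
```

The ODD file is the case worth remembering when reviewing permissions: under mode bits the class is chosen by identity before the bits are read, so an owner can be locked out of a file his or her own group may read, whereas an ACL that unions matching entries has no such ordering.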
Due to anonymous NetNews posting abuses, posting to the NetNews server is now
blocked from most public access computer labs on campus, based on IP numbers.
Inversely, the Novell file servers for some public labs limit guest logins to
specific IPX network addresses, which are derived from Ethernet hardware network
numbers.
System Security and Management
System Security and Management includes installation of operating systems and
applications software, plus patches and upgrades, as well as load balancing of server
processors and disks. Some organizations install standard configurations onto client
systems from file servers, and some systems load their operating systems from file
servers automatically. This is typically accomplished with some local, creative
genius and one of the File Access methods described below. Patches and upgrades can
be distributed similarly.
Load balancing servers and disks is usually non-existent, except as a manual
process or a local, non-scalable, non-generalizable hack.
File Access
Three file service technologies dominate: AppleShare, NFS, and Novell NetWare
version 3.12, often with MacNLMs (4.x is not yet used much). There is some limited
(and contained) use of OS/2 LAN Manager and growing interest in and use of Microsoft
Windows NT. And there is still no AFS or DFS.
As different client computers dominate in different organizations at Penn, so do
the preferred file systems. In some schools and offices, NFS is used extensively. In
others Novell or AppleShare. As AppleTalk and TCP/IP are the only protocols routed
throughout Penn's network, and as the client software for each is bundled with the
operating system of Macs and Unix systems, respectively, AppleShare and NFS are more
generally used for ad hoc file services. Setting up NFS is often complicated
by the lack of a campus-wide database of Unix UIDs. (Such a database is not really
possible, as we would require more UIDs than the 32,768 possible on many of the
client systems.) Turmoil in the PC networking arena makes it difficult to foresee what
will happen as we begin to route IPX during the fall of 1995, and as Windows 95 is
released.
It is worth mentioning that remote access to file systems is difficult and
generally unpleasant. It is unpleasant because bandwidth is usually relatively low.
It is difficult for many reasons. Access to NFS assumes one's remote access IP number
or address can be known in advance, but they depend on which line of the modem pool
one comes in on. Granting accesses to the entire modem pool is an invitation to
disaster. Access to Novell presently requires one to run his or her own in-bound
modem with IPX support. And the IPX protocol is inherently sensitive to latency,
which is a major problem for low bandwidth remote connections. And while access to
AppleShare is possible through the campus modem pool, it is also sensitive to latency,
and so far also prohibits simultaneous use of TCP/IP.
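The NFS difficulty above comes down to NFS trusting a client IP number, while a dial-up address is whatever line of the modem pool the caller lands on, and the text's warning that exporting to the whole pool invites disaster is the kind of thing that is easy to check mechanically. The following is an added example, not part of the original Penn document: a scanner that flags exports granted to wildcards, to addresses inside the dial-up pool, or with remote root unmapped. It assumes the Linux /etc/exports syntax ("/path client(options) ...") purely for illustration, which is not necessarily what Penn's 1995 Unix hosts used; the 192.0.2.0/24 "modem pool" block and the sample file are constructed, not taken from Penn's configuration.

```python
# Added example (not from the original document): flag NFS exports whose
# host-based trust is too broad. Assumes Linux exports syntax; the pool
# netblock and the sample file below are constructed.

import ipaddress
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Constructed: the address block the dial-up modem pool hands out per call.
MODEM_POOL = ipaddress.ip_network("192.0.2.0/24")


@dataclass
class ExportFinding:
    path: str
    client: str
    reason: str


def parse_exports(text: str) -> Iterator[Tuple[str, List[Tuple[str, str]]]]:
    """Yield (path, [(client, options), ...]) for each non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        path, clients = parts[0], []
        for spec in parts[1:]:
            if "(" in spec:
                client, opts = spec.split("(", 1)
                opts = opts.rstrip(")")
            else:
                client, opts = spec, ""
            clients.append((client or "*", opts))   # "(rw)" alone means every host
        if not clients:
            clients.append(("*", ""))               # no client list at all
        yield path, clients


def as_network(client: str):
    """Return an ip_network for a literal address or CIDR, else None
    (hostnames, netgroups and wildcard patterns are not address-based)."""
    try:
        return ipaddress.ip_network(client, strict=False)
    except ValueError:
        return None


def audit_exports(text: str, pool=MODEM_POOL) -> List[ExportFinding]:
    findings: List[ExportFinding] = []
    for path, clients in parse_exports(text):
        for client, opts in clients:
            if client == "*" or client.startswith("*."):
                findings.append(ExportFinding(path, client,
                                "exported to every host matching a wildcard"))
                continue
            net = as_network(client)
            if net is not None and net.overlaps(pool):
                findings.append(ExportFinding(path, client,
                                "client address lies in the dial-up pool, assigned per call"))
            if "no_root_squash" in opts.split(","):
                findings.append(ExportFinding(path, client,
                                "remote root is mapped to local root on this export"))
    return findings


# Constructed sample exports file.
SAMPLE_EXPORTS = """\
/export/home   ws1.example.edu(rw) ws2.example.edu(rw)
/export/src    192.0.2.0/24(rw)      # "just open it to the modem pool"
/export/pub    *(ro)
/export/admin  192.0.2.17(rw,no_root_squash)
"""

if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS):
        print(f"{f.path} {f.client}: {f.reason}")
```

Note that a single pool address (the /export/admin line) is flagged just as the whole block is: because the address is reassigned on every call, the grant goes to whoever dials in and gets that line, not to a particular person or machine.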
File Backup
File and file system backups are performed using many different tools. PennBack is a service of
ISC whereby users of almost any desktop or server computer can have their systems backed up
over the network. In wide use on Unix systems are the dump, tar, gnu-tar, and vendor-specific
value-added utilities.
RetroSpect Remote is popular among Mac users and is able to backup both AppleShare file
servers and desktop Macintoshes. PC users often copy important desktop files to Novell file
servers, which are then backed up with either Novell's SBACKUP utility or Palindrome. Even if the
server isn't backed up, this approach at least backs up users' desktop files. Some DOS users use the
standard DOS BACKUP command, or a third party backup utility like Norton Utilities Backup, or
Fifth Generation System's Fastback.
Remote network file backups are impractical due to bandwidth limitations over modems and
telephone lines.
People with home and office systems often pursue a backup tactic by which important
files, especially work-in-progress, are carried and copied back and forth between home
and office on diskettes. This provides three copies of selected files -- home, office, and
diskette.
Unfortunately, many users perform absolutely no backups.
Software License Management
Some software at Penn is site-licensed, freeware, or in the public domain. However,
much is also licensed for a specific system or number of users. When licensed to a
specific machine, the license is managed there. When licensed to a certain number
of "floating" users on a network, licenses are managed using several different encrypted
key-style servers, including, among others, FlexLM and NetLS for Unix systems, KeyServer for
Macs, and SiteMeter for PCs with Novell file services. KeyServer and SiteMeter both
allow metering of arbitrary applications. FlexLM may too, but is currently used only
with software configured to use FlexLM by the vendors. Some of the packages currently
licensed with FlexLM are Sun's compiler products, MATLAB, and Island Office.
Software licenses can be very difficult to understand, and knowing whether or
not you are allowed to serve a given license via a network can be very problematic.
Printing
Printing is provided through both directly connected and network addressable
printers. Printers can be directly connected to Macs, PCs, Novell servers,
asynchronous terminal servers, Unix
systems, and other hosts. In the case of Macs and PCs, direct access to a printer is
generally free rein to use it. In some lab settings, debit card readers have been
installed to control access to laser printers and curb abuses. Direct connections to
Novell and Unix systems allow access to printing to be controlled, and its use
metered, audited, and, in some cases, charged for. "Security through obscurity" is
often used to limit access to Ethernet-connected printers.
Network addressable printers can be Ethernet-connected, resulting in excellent
performance, and can be sent print requests using AppleTalk, Novell IPX or Unix lpr
protocols. Each protocol has advantages and disadvantages. AppleTalk and lpr [and
IPX?] printers typically have no security facilities, even if their server
implementations usually implement some. Thus, a printer on the network is accessible
to everyone on the network. This was cause for much concern when AppleTalk was first
routed a few years ago, but, for some reason, it has not really been a problem.
Printing via Novell IPX is usually limited to relatively local printers because IPX
is not yet routed across campus. AppleTalk printers are generally not directly
addressable from PCs, IPX printers pose the same problem for Macs and for the many
PCs not connected to Novell file servers. Unix lpr printers can be addressed directly
by programs on Unix, Macs and PCs, but those programs are not part of the standard
operating system, and are generally poorly integrated with the PC's and Mac's usual
printing services. And, while AppleTalk's Printer Access Protocol has rich
diagnostics (such as "Printer out of paper", "Printer jammed" and so on), lpr [and
IPX?] have only rudimentary messages.
All the above have led to the use of many printing gateways. For example, using a
Novell file server with the MacNLM to route print requests from Macs and PCs to an
IPX (or directly connected) printer. Or using a memory-resident lpr DOS program to
route printer requests to a Unix system, and then the Columbia AppleTalk Package
(CAP) to send print requests from Unix to AppleTalk printers, while Macs print
directly. Some organizations also use GatorPrint on a GatorBox to provide a
bidirectional lpr to AppleTalk printing gateway.
Remote printing shares many of the same problems as remote file access.
Help and Consulting
Help and consulting takes different forms in different areas. Most organizations provide
walk-in and telephone consulting. Some organizations make extensive use of FAQs (lists
of Frequently Asked Questions and stock answers), usually served via WAIS, Gopher,
TechInfo, Web, and Newsgroups.
Electronic mail and NetNews groups are also used very widely to answer questions.
Some organizations have staff dedicated to answering questions addressed to help email
accounts and specific newsgroups. The use of newsgroups also facilitates peer support,
wherein a question posed by one user is answered by another. This is particularly valuable
for many questions students ask, as other students are often well versed in answers.
Both newsgroups and electronic mail are somewhat vulnerable to abuse, as we
currently have no robust authentication and privacy protection mechanisms for these
communications channels.
Directory Services
Directory services parallel and support the use of the services outlined above. Thus the Apple
MacOS's Chooser is used extensively by Macintosh users to find and connect to file servers
and printers. PCs use similar Novell IPX tools, although most users simply connect via startup
batch files, and do not know how to change their default connections.
All systems that use IP numbers need a way to map Internet host names into those
numbers, a task which is generally handled by the campus Domain Name Servers (DNS),
sometimes with help from client utilities like Unix's nslookup.
In addition to being able to locate computing resources, people use our WHOIS and CSO/ph
interfaces to our on-line email directory. In some areas the finger command is supported, but in
others, finger is not supported for security reasons.
Summary
Penn's current distributed computing architecture has evolved to
its current state, limited by available technologies, which have been
limited in scope and scale. Thus PCs, Macs, Unix systems, as well as
pair-wise and three-way combinations, chose lowest (or simplest)
common denominator technologies to form relatively isolated clusters.
While communication between these clusters is not always impossible,
the level of integration between them is usually fairly weak.