Multics Technical Bulletin                                MTB-674
Volume Registration Commands

To:       Distribution

From:     Ed Sharpe

Date:     08/09/84

Subject:  Removing Volume Registration from Operator Control

1 ABSTRACT

     This MTB describes the  changes proposed for moving the
     volume registration commands  from the Multics operator
     interface  to  system   administration  interface.   In
     addition  to   moving  the  functionality,   some  code
     deficiencies are corrected.

Comments should be sent to the author:

via Multics Mail:
   EJSharpe at either System-M, or CISL-SERVICE.

via Forum:
   >udd>m>mtgs>B2 on System-M

via telephone:
   (617/HVN) 492-9367

________________________________________

Multics  project  internal  working  documentation.   Not  to  be
reproduced or distributed outside the Multics project without the
consent of the author or the author's management.


MTB-674                                Multics Technical Bulletin
                                     Volume Registration Commands

2 REQUIREMENTS:

These are the four commands in question:

          add_vol_registration (avr)
          change_vol_registration (cvr)
          del_vol_registration (dvr)
          list_vol_registration (lvr)

They are  available to the  system operator in  release MR10.2 at
both ring-1 and ring-4 initializer levels.

A  prerequisite for  a B2  system security  rating is  that these
commands  be removed  from operator access.   They are considered
too powerful  and should be available  to more trusted personnel.
They shall be transferred to the system administrator interrface.

Another  requirement  is that  operations  on logical  volumes be
logged.   All  changes  to  volume registration  must  be logged.
Also, all attempts  to access (i.e.  attach or  detach) a private
volume must be logged (whether access was granted or denied).

3 CURRENT IMPLEMENTATION:

The  commands are  implemented by  respective entrypoints  in the
module  "hvr_.pl1".   This module  invokes ring-1  primitives for
database manipulation.   These primitives are  implemented in the
module   "hdx.pl1"   which   is   accessed   through   the   gate
"initializer_mdc_".  Audit trails are kept only as operator input
entries in the AS log.

4 DEFICIENCIES:

Auditing of  volume registration changes  is inadequate.  Logging
of  private  volume access  attempts is  done only  on successful
attachments (i.e.  "Mount LV..."  operator message).

The  ring-1  (hdx)  primitives   for  database  manipulation  are
ill-defined  and depend  upon the outer  ring invoking  them in a
prescribed sequence without interruption.

Ring-1  database  update  (by  hdx) is  suboptimal.   Updates are
accomplished  by simply  replacing the  current database  with an
updated copy from ring-4.


Multics Technical Bulletin                                MTB-674
Volume Registration Commands

Scenario:  (Adding a new PV to an existing LV)

The ring-1 routine  (hdx) will pass a copy  of the whole database
to  ring-4  (hvr_).  Ring-4  will then  finish parsing/validating
command line arguments,  update its copy of the  ring-1 data, and
finally pass the whole mess  back to ring-1.  Ring-1 will blindly
replace its database with that received from ring-4.  Ring-4 must
then make  appropriate calls back into  ring-1 to update database
names  and  to  update  the associated  Master  Directory Control
databases.

5 CHANGE CONSIDERATIONS:

To  move this  code to system  administration it must  be able to
deal   with  the   potential  for   collisions  between  multiple
processes.    Some   locking   mechanism   must   be  introduced.
Considering the  present organization of the  code, this would be
tricky and  non-robust.  (Ring-4 would  have to control  a ring-1
lock, or a ring-4 lock would control access to a ring-1 database.
Either way seems sloppy.)

Rewriting of some code is  necessary.  The basic approach will be
to  migrate  that  ring-4  code  which  deals  with  the database
structure  into ring-1.   Any database update  will be  done in a
single call to an hdx  (ring-1) entrypoint.  Thus, locking can be
done  in a  straightforward manner.   Also, auditing  of database
changes and access inquiries will be done from ring-1.

6 CHANGES REQUIRED:

hdx
      - Change name to  "volume_registration_mgr_".  The old name
      will  be  retained  for  compatibility  with  other calling
      routines.   These other  routines shall be  updated at some
      future time.

      -  Improve  primitives  for database  manipulation  so that
      ring-4 need make only one call per update operation.

      -  "add_lvr" entry  shall replace  "write_hv" ("lvr"  is an
      abbrev  for logical  volume registration).   The entrypoint
      should itself take care of  creating ACS links, and calling
      the  proper mdc_  procedure for  setting up  the mdcs (mdir
      database).  This entrypoint will be  used only to add a NEW
      LV.


MTB-674                                Multics Technical Bulletin
                                     Volume Registration Commands

      -  "add_pvr"  ("pvr"  is  an  abbrev  for  physical  volume
      registration)  is a  new entry used  to adda NEW  PV and to
      take care of database add names.

      -  "change_lvr"   is  a  new  entrypoint   used  to  update
      individual fields for an existing LV registration.  It will
      take care of any necessary name changes.

      -  "change_pvr"   is  a  new  entrypoint   used  to  change
      individual fields in a PV entry.   It will take care of any
      necessary name changes.

      -  "read_lvr"  shall replace  "read_hv" retaining  the same
      funtion.

      - "read_pvr"  is a new  entry used to  return the structure
      for  a  single  PV   only.   (read_lvr  returns  the  whole
      database.)

      - "delete_lvr" shall replace "delete_hv" retaining the same
      function.

      - "delete_pvr"  is a new  entry used to remove  a single PV
      from an LV database.

      -  all  entries  which   modify  the  databases  shall  use
      vrm_lock_$(lock   unlock)   ("vrm"   is   an   abbrev   for
      volume_registration_mgr_).

      - Add auditing to all  entries to log all database changes.
      Access changes  to volumes cannot be  audited since private
      volume access is controlled by user-ring ACSs.

      -  Add  cleanup/any-other handlers  as necessary  to ensure
      lock unlocking  and correction of  database inconsistancies
      (where possible).

hvr_
      - Change module name to "volume_registration_cmds_".

      - Remove database manipulation code.   Code for each of the
      four   entries   shall   be   simply   that   necessary  to
      parse/validate  arguments  and   pass  the  information  to
      ring-1.  Message documentation shall  be removed as this is
      no longer accessible from the operator console.

      - Completely spell out command  entries rather than use the
      current non-obvious abbreviations.   The current names will
      be retained for compatability.


Multics Technical Bulletin                                MTB-674
Volume Registration Commands

          Present Name                New Name            Abbrev

      add_vol_registration     add_volume_registration     avr
      change_vol_registration  change_volume_registration  cvr
      del_vol_registration     delete_volume_registration  dvr
      list_vol_registration    list_volume_registration    lvr

initializer_mdc_
      - Remove the following database manipulation entries:

                write_hv
                read_hv
                read_pv
                delete_hv
                make_link *
                chname_hv *

          *  - These  will no longer  be available  from ring-4 -
      functionality     shall      be     internalized     within
      volume_registration_mgr_.  (Other entries  will be moved to
      mdc_priv_ - with appropriate renames).

mdc_priv_
      -  Add the  following new  entries into  hdx to  be used by
      volume_registration_cmds_ (formerly hvr_):

                add_lvr
                add_pvr
                read_lvr
                read_pvr
                change_lvr
                change_pvr
                delete_lvr
                delete_pvr

volume_registration.incl.pl1
      -  Change  declaration  for  based references  of  PV array
      entries.

vrm_lock_
      -     New     routine     to     perform     locking    for
      volume_registration_mgr_   (copied   from   mdc_lock_.pl1).
      Replace  each  occurance  of  "mdc" with  "vrm"  and rename
      entrypoints  "set"  and  "reset"  to  "lock"  and  "unlock"
      respectively.

vrm_data.incl.pl1
      -  New include  file (copied  from mdc_data.incl.pl1) which
      has  lock  word and  metering  info.  (Segment  in  >sl1 is
      created during system initialization.)


MTB-674                                Multics Technical Bulletin
                                     Volume Registration Commands

rcp_attach_lv_
      - This  ring 1 module  shall be changed to  log all private
      volume access attempts whether or not successful.  (This is
      already covered by the developer handling the RCP changes.)

rcp_detach_lv_
      - This  ring 1 module  shall be changed to  log all private
      volume  detachments.   (This  is  already  covered  by  the
      developer handling the RCP changes.)

system_startup_
      - This routine  must be modified to remove  the four volume
      registration   commands   from  the   ring   1  initializer
      interface.

system_control_commands.incl.pl1
      -   All  data   entries  pertaining  to   the  four  volume
      registration  commands  shall  be  nulled  (or  zeroed) and
      commented  as "unused".   This is to  remove those commands
      from the ring 4 initializer interface.

sc_parse_
      - This routine shall be recompiled after the changes to the
      above include file are made.

MOH (Operator Handbook)
      - This manual shall be modified to remove all references to
      the volume four registration commands which are the subject
      of this MTB.

MAM - System
      -  This manual  shall be  modified to  include the commands
      descriptions   removed   from  the   MOH.    References  to
      initializer  specific  considerations shall  be  changed or
      removed (e.g.  "This  command can be executed in  ring 1 or
      ring 4.").