guage as it does with Prolog. 7 The assertion of X as a statement may be
interpreted as:
If not model(X), set model(X)
For example:
“/etc/passwd” create => “true”;
Repeating an infinite number of
times does not change the outcome.
With hindsight, this seems like a trivial
observation, and hardly a revolutionary
technology, yet it is the simplest of insights that are often the hardest won.
The implication of this statement is
that X is not just what you want, but a
model for what should be. The separation of the intended from the actual is
the essence of the relativity.
There is one more piece to the puzzle: Knowing the desired state is not
enough; we also have to know that it is
achievable. We must add reachability
of the desired state to the semantics.
Getting stuck in Local Minima
It is well known from artificial intelligence and its modern applications that
algorithms can get stuck while searching parameter landscapes for the optimum state. When you believe yourself
at the bottom of the valley, how do you
know there is not a lower valley just
over the rise? To avoid the presence of
false or local minima, you have to ensure that each independent dimension
of the search space has only a single
minimum, free of obstacles. Then
there are two things at work: independence and convergence. Independence
can be described by many names: atomicity, autonomy, orthogonality, and
so on. The essence of them all is that
the fundamental objects in a system
should have no dependencies.
What we are talking about is a theory of policy atoms in an attribute space.
If you choose vectors carefully (such
as, file permissions, file contents, and
processes) so that each change can be
made without affecting another, no
ordering of operations is required to
reach a desired end-state, and there
can be only one minimum. Indeed or-der-independence can be proven with
periodic maintenance as long as the
operators form irreducible groups. 3, 6
The discovery of such a simple solu-
if you are trying to
fit a solution to a
known edge state,
it is cumbersome
to start at the
opposite end with
a list of directions
that assume
the world is fixed.
tion suggests a panacea, ushering in
a new and perfect world. Alas, the approach can be applied only partially
to actual systems because no actual
systems are built using these pure constructions. Usually, multiple change
mechanisms tether such atoms together in unforeseeable ways (for example,
packages that bundle up software and
prevent access to details). The approximation has worked remarkably well
in many cases, however, as evidenced
by the millions of computers running
this software today in the most exacting environments. Why? The answer
is most likely because a language that
embodies such principles encourages
administrators to think in these terms
and keep to sound practices.
tangled by Dependency:
the Downside of Packaging
The counterpoint to this free atomization of system parts is what software
designers are increasingly doing today:
bundling atoms and changes together
into packages. In modern systems
packaging is a response to the complexity of the software management
process. By packaging data to solve one
management problem, however, we
lose the resolution needed to customize what goes on inside the packages
and replace it with another. Where a
high degree of customization is needed, unpacking a standard “package update” is like exploding a smart bomb in
a managed environment—wiping out
customization—and going back to the
demolition school of management.
We don’t know whether any operating system can be fully managed
with convergent operations alone, nor
whether it would even be a desirable
goal. Any such system must be able to
address the need of surgically precise
customization to adapt to the environment. The truly massive data centers of today (Google and Facebook)
are quite monolithic and often less
complex than the most challenging
environments. Institutions such as
banks or the military are more representative, with growth and acquisition
cultures driving diverse challenges to
scale. What is known is that no present-day operating system makes this
a completely workable proposition.
At best one can approximate a subset
of management operations, but even
