The purpose of this document is to define the technology stack that can be used to define and implement OpenMDM™ 5 components.
1. License
Eclipse Public License - v 1.0
THE ACCOMPANYING DOCUMENT IS PROVIDED UNDER THE TERMS OF THIS ECLIPSE PUBLIC LICENSE ("AGREEMENT"). ANY USE, REPRODUCTION OR DISTRIBUTION OF THE PROGRAM CONSTITUTES RECIPIENT’S ACCEPTANCE OF THIS AGREEMENT.
1. DEFINITIONS
"Contribution" means:
-
in the case of the initial Contributor, the initial code and documentation distributed under this Agreement, and
-
in the case of each subsequent Contributor:
-
changes to the Program, and
-
additions to the Program;
-
where such changes and/or additions to the Program originate from and are distributed by that particular Contributor. A Contribution 'originates' from a Contributor if it was added to the Program by such Contributor itself or anyone acting on such Contributor’s behalf. Contributions do not include additions to the Program which: (i) are separate modules of software distributed in conjunction with the Program under their own license agreement, and (ii) are not derivative works of the Program.
"Contributor" means any person or entity that distributes the Program.
"Licensed Patents" mean patent claims licensable by a Contributor which are necessarily infringed by the use or sale of its Contribution alone or when combined with the Program.
"Program" means the Contributions distributed in accordance with this Agreement.
"Recipient" means anyone who receives the Program under this Agreement, including all Contributors.
2. GRANT OF RIGHTS
-
Subject to the terms of this Agreement, each Contributor hereby grants Recipient a non-exclusive, worldwide, royalty-free copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, distribute and sublicense the Contribution of such Contributor, if any, and such derivative works, in source code and object code form. .Subject to the terms of this Agreement, each Contributor hereby grants Recipient a non-exclusive, worldwide, royalty-free patent license under Licensed Patents to make, use, sell, offer to sell, import and otherwise transfer the Contribution of such Contributor, if any, in source code and object code form. This patent license shall apply to the combination of the Contribution and the Program if, at the time the Contribution is added by the Contributor, such addition of the Contribution causes such combination to be covered by the Licensed Patents. The patent license shall not apply to any other combinations which include the Contribution. No hardware per se is licensed hereunder.
-
Recipient understands that although each Contributor grants the licenses to its Contributions set forth herein, no assurances are provided by any Contributor that the Program does not infringe the patent or other intellectual property rights of any other entity. Each Contributor disclaims any liability to Recipient for claims brought by any other entity based on infringement of intellectual property rights or otherwise. As a condition to exercising the rights and licenses granted hereunder, each Recipient hereby assumes sole responsibility to secure any other intellectual property rights needed, if any. For example, if a third party patent license is required to allow Recipient to distribute the Program, it is Recipient’s responsibility to acquire that license before distributing the Program.
-
Each Contributor represents that to its knowledge it has sufficient copyright rights in its Contribution, if any, to grant the copyright license set forth in this Agreement.
3. REQUIREMENTS
A Contributor may choose to distribute the Program in object code form under its own license agreement, provided that:
-
it complies with the terms and conditions of this Agreement; and
-
its license agreement:
-
effectively disclaims on behalf of all Contributors all warranties and conditions, express and implied, including warranties or conditions of title and non-infringement, and implied warranties or conditions of merchantability and fitness for a particular purpose;
-
effectively excludes on behalf of all Contributors all liability for damages, including direct, indirect, special, incidental and consequential damages, such as lost profits;
-
states that any provisions which differ from this Agreement are offered by that Contributor alone and not by any other party; and
-
states that source code for the Program is available from such Contributor, and informs licensees how to obtain it in a reasonable manner on or through a medium customarily used for software exchange.
-
When the Program is made available in source code form:
-
it must be made available under this Agreement; and
-
a copy of this Agreement must be included with each copy of the Program.
Contributors may not remove or alter any copyright notices contained within the Program.
Each Contributor must identify itself as the originator of its Contribution, if any, in a manner that reasonably allows subsequent Recipients to identify the originator of the Contribution.
4. COMMERCIAL DISTRIBUTION
Commercial distributors of software may accept certain responsibilities with respect to end users, business partners and the like. While this license is intended to facilitate the commercial use of the Program, the Contributor who includes the Program in a commercial product offering should do so in a manner which does not create potential liability for other Contributors. Therefore, if a Contributor includes the Program in a commercial product offering, such Contributor ("Commercial Contributor") hereby agrees to defend and indemnify every other Contributor ("Indemnified Contributor") against any losses, damages and costs (collectively "Losses") arising from claims, lawsuits and other legal actions brought by a third party against the Indemnified Contributor to the extent caused by the acts or omissions of such Commercial Contributor in connection with its distribution of the Program in a commercial product offering. The obligations in this section do not apply to any claims or Losses relating to any actual or alleged intellectual property infringement. In order to qualify, an Indemnified Contributor must: a) promptly notify the Commercial Contributor in writing of such claim, and b) allow the Commercial Contributor to control, and cooperate with the Commercial Contributor in, the defense and any related settlement negotiations. The Indemnified Contributor may participate in any such claim at its own expense.
For example, a Contributor might include the Program in a commercial product offering, Product X. That Contributor is then a Commercial Contributor. If that Commercial Contributor then makes performance claims, or offers warranties related to Product X, those performance claims and warranties are such Commercial Contributor’s responsibility alone. Under this section, the Commercial Contributor would have to defend claims against the other Contributors related to those performance claims and warranties, and if a court requires any other Contributor to pay any damages as a result, the Commercial Contributor must pay those damages.
5. NO WARRANTY
EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE PROGRAM IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR CONDITIONS OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Each Recipient is solely responsible for determining the appropriateness of using and distributing the Program and assumes all risks associated with its exercise of rights under this Agreement , including but not limited to the risks and costs of program errors, compliance with applicable laws, damage to or loss of data, programs or equipment, and unavailability or interruption of operations.
6. DISCLAIMER OF LIABILITY
EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER RECIPIENT NOR ANY CONTRIBUTORS SHALL HAVE ANY LIABILITY FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION LOST PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OR DISTRIBUTION OF THE PROGRAM OR THE EXERCISE OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
7. GENERAL
If any provision of this Agreement is invalid or unenforceable under applicable law, it shall not affect the validity or enforceability of the remainder of the terms of this Agreement, and without further action by the parties hereto, such provision shall be reformed to the minimum extent necessary to make such provision valid and enforceable.
If Recipient institutes patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Program itself (excluding combinations of the Program with other software or hardware) infringes such Recipient’s patent(s), then such Recipient’s rights granted under Section 2(b) shall terminate as of the date such litigation is filed.
All Recipient’s rights under this Agreement shall terminate if it fails to comply with any of the material terms or conditions of this Agreement and does not cure such failure in a reasonable period of time after becoming aware of such noncompliance. If all Recipient’s rights under this Agreement terminate, Recipient agrees to cease use and distribution of the Program as soon as reasonably practicable. However, Recipient’s obligations under this Agreement and any licenses granted by Recipient relating to the Program shall continue and survive.
Everyone is permitted to copy and distribute copies of this Agreement, but in order to avoid inconsistency the Agreement is copyrighted and may only be modified in the following manner. The Agreement Steward reserves the right to publish new versions (including revisions) of this Agreement from time to time. No one other than the Agreement Steward has the right to modify this Agreement. The Eclipse Foundation is the initial Agreement Steward. The Eclipse Foundation may assign the responsibility to serve as the Agreement Steward to a suitable separate entity. Each new version of the Agreement will be given a distinguishing version number. The Program (including Contributions) may always be distributed subject to the version of the Agreement under which it was received. In addition, after a new version of the Agreement is published, Contributor may elect to distribute the Program (including its Contributions) under the new version. Except as expressly stated in Sections 2(a) and 2(b) above, Recipient receives no rights or licenses to the intellectual property of any Contributor under this Agreement, whether expressly, by implication, estoppel or otherwise. All rights in the Program not expressly granted under this Agreement are reserved.
This Agreement is governed by the laws of the State of New York and the intellectual property laws of the United States of America. No party to this Agreement will bring a legal action under this Agreement more than one year after the cause of action arose. Each party waives its rights to a jury trial in any resulting litigation.
2. Introduction
The OpenMDM™ 5 Architecture defines how components are composed and how they interact together with core services provided by the OpenMDM™ 5 Platform. However it does not define a particular technology stack. The previous version of the OpenMDM™ standard (version 4) relied heavily on OSGi, it’s seen by many members of the OpenMDM™ Working Group as the only solution to continue going forward. The selection of this particular technology has been put into question given the architecture design and recent changes to the expected behavior of the components in action. This document list out all behavior requirements as put forward by the OpenMDM™ Working Group members and candidate technologies that can fulfil them.
2.1. Conventions and Terms
2.1.1. Typography
A fixed width, non-serif typeface (sample) indicates the term is a Java package, class, interface, or member name. Text written in this typeface is always related to coding.
Emphasis (sample) is used the first time an important concept is introduced. Its explanation usually follows directly after the introduction.
2.1.2. Key Words
This specification consistently uses the words may, should, and must. Their meaning is well-defined in [1] Bradner, S., Key words for use in RFCs to Indicate Requirement Levels. A summary follows.
-
must â An absolute requirement. Both the Framework implementation and bundles have obligations that are required to be fulfilled to conform to this specification.
-
should â Recommended. It is strongly recommended to follow the description, but reasons may exist to deviate from this recommendation.
-
may or can â Optional. Implementations must still be interoperable when these items are not implemented.
3. Requirements
In the following list we equate component to service, due to the fact that components expose their public API through a SPI - Service Provider Interface. This SPI is the Component Specification that is particular to each component.
3.1. Required
These requirements are an absolute must-have, that is, a technology must be found that can deliver a solution that fulfils the requirement.
There may be times when two different components make use of the same library but with different versions. These divergent versions may be incompatible with one another. Having both of them in the same classpath will certainly create a problem at runtime. There must be a way to have these two components coexisting within the same JVM process without their respective dependencies interfering with each other.
A service can depend on the behavior of another service.
Available services can be discovered at runtime, in order to find out the capabilities that the system has.
A service may have a reference to another service in order to consume its behavior. This reference can be obtained explicitly or by using dependency injection.
Services may be started and stopped by the OpenMDM™ platform at any time.
It should be possible for the OpenMDM™ platform to shutdown a service that’s behaving erratically or wrong, without bringing the whole system down, perhaps even the whole JVM process if other services are also running in the same process. Re-enabling the service should be done without causing disruption in the overall system.
3.2. Optional
These requirements are nice-to-have, that is, they influence the implementation options but do not restrict component development in any way.
There are no optional requirements.
4. Candidate Technologies
4.1. OSGi
The OSGi (Open Service Gateway initiative) specification describes a modular system and a service platform for the Java programming language that implements a complete and dynamic component model, something that does not exist in standalone Java/VM environments. Applications or components, coming in the form of bundles for deployment, can be remotely installed, started, stopped, updated, and uninstalled without requiring a reboot; management of Java packages/classes is specified in great detail. Application life cycle management is implemented via APIs that allow for remote downloading of management policies. The service registry allows bundles to detect the addition of new services, or the removal of services, and adapt accordingly.
4.2. Dependency Injection for Java
JSR-330 defines a set of annotations for declaring injected fields, methods and constructors of a bean. Google Guice is the reference implementation for this JSR.
4.3. Contexts and Dependency Injection for the JavaTM EE platform
Contexts and Dependency Injection for Java EE (CDI Spec) 1.0 was introduced as part of the Java EE 6 platform, and has quickly become one of the most important and popular components of the platform.
CDI defines a powerful set of complementary services that help improve the structure of application code.
-
A well-defined lifecycle for stateful objects bound to lifecycle contexts, where the set of contexts is extensible
-
A sophisticated, typesafe dependency injection mechanism, including the ability to select dependencies at either development or deployment time, without verbose configuration
-
Support for Java EE modularity and the Java EE component architecture. The modular structure of a Java EE application is taken into account when resolving dependencies between Java EE components
-
Integration with the Unified _expression_ Language (EL), allowing any contextual object to be used directly within a JSF or JSP page
-
The ability to decorate injected objects
-
The ability to associate interceptors to objects via typesafe interceptor bindings
-
An event notification model
-
A web conversation context in addition to the three standard web contexts defined by the Java Servlets specification
-
An SPI allowing portable extensions to integrate cleanly with the container
JSR links
4.4. DeltaSpike
DeltaSpike consists of a number of portable CDI extensions that provide useful features for Java application developers.
4.5. Maven
Maven is a software project management and comprehension tool. Based on the concept of a project object model (POM), Maven can manage a project’s build, reporting and documentation from a central piece of information.
4.6. Maven Tycho
Maven Tycho is focused on a Maven-centric, manifest-first approach to building Eclipse plug-ins, features, update sites, RCP applications and OSGi bundles. Tycho is a set of Maven plugins and extensions for building Eclipse plugins and OSGi bundles with Maven. Eclipse plugins and OSGi bundles have their own metadata for expressing dependencies, source folder locations, etc. that are normally found in a Maven POM. Tycho uses native metadata for Eclipse plugins and OSGi bundles and uses the POM to configure and drive the build. Tycho supports bundles, fragments, features, update site projects and RCP applications. Tycho also knows how to run JUnit test plugins using OSGi runtime and there is also support for sharing build results using Maven artifact repositories. Tycho plugins introduce new packaging types and the corresponding lifecycle bindings that allow Maven to use OSGi and Eclipse metadata during a Maven build.
4.7. Gradle
Gradle is an open source build automation system. Gradle can automate the building, testing, publishing, deployment and more of software packages or other types of projects such as generated static websites, generated documentation or indeed anything else.
Gradle combines the power and flexibility of Ant with the dependency management and conventions of Maven into a more effective way to build. Powered by Build Programming Language, Gradle is concise yet expressive.
5. Evaluation
We’ll tackle each requirement in order.
5.1. Support different versions of the same library in the same process
- Candidate Technologies
-
OSGi, Maven, Gradle
By design OSGi supports embedding dependencies into bundle jars, making sure that those dependencies are never leaked to the outside. OSGi relies on special classloaders to determine the effective classloader to use by a bundle. This classloader includes the bundle classes (even fragments), the private classpath (the embedded dependencies) and the bundle dependencies (other bundles). Configuring the private classpath is simple, one just has to declare appropriate entries in the MANIFEST.MF file as defined by the OSGi specification.
Creating a FatJar is an alternative to OSGi, however it’s not enough to simply repackage all classes into a single, fat JAR; one must ensure that there are no clashes between classes and resources as these jars will not be governed under a special classloader that understands private classpaths. Classes and resources must be relocated to different packages. Relocation and fatjarring can be automated depending on the build tool of choice, maven-shade-plugin if using Maven or gradle-shadow-plugin if using Gradle.
5.2. Dependencies between Services
- Candidate Technologies
-
OSGi, Maven, Gradle
Services can consume the public APIs of other services that is, they depend on the SPI of said services. These SPIs are defined by the Component Specification for each component, and as such are delivered as JARs. There’s nothing more than common sense to figure out which JARs must be included in order to make a service compile against its target dependencies, as such, either Maven or Gradle fit the bill here. OSGi adds another layer on top by enforcing the compatibility between bundles as each bundle exposes its versions and declares dependencies on other bundles using a version range.
Version ranges (no matter how they are implemented and how are delivered by any technology) are seen as a bad practice as they lead to unreproducible builds. Today you get version 1.2.1 of a dependency, tomorrow you get 1.2.2 just because a bundle defined that dependency with a range of [1.2,2.0). Usage of version ranges, regardless of the chosen technology, must be disallowed.
5.3. Service Discovery
- Candidate Technologies
-
OSGi, CDI, DI
An OSGi framework can expose OSGi services just by the nature of the metadata defined in each bundle. The Service Registry can be queried for the existence of a particular service instance, per type.
A CDI container (or a simple JSR-330 container) can determine the availability of a service instance just by inspecting its type bindings. The container’s injector can be queried for a particular service instance, per type.
5.4. Service Injection
- Candidate Technologies
-
OSGi, CDI, DI
OSGi by itself provides a weak dependency injection mechanism (the BluePrint service) that relies on XML to work. Specific OSGi based products such as Eclipse Equinox deliver a higher level API (based on JSR-330) to make provide better dependency injection. Eclipse Equinox enables Declarative Services (as explained at OSGi Services - Tutorial). Developers have the choice to use XML and/or annotations.
Dependency Injection is at the core of both CDI and DI, so this feature is a given. Annotations are used to define injection points. Implementors of CDI and DI decide how type bindings are made, for example Google Guice (JSR-330) uses a programmatic API whereas the Spring Framework enables XML, annotations or a programmatic API to build such bindings. Implementors of CDI use a combination of XML (beans.xml) and annotations to define the type bindings. DeltaSpike can be used to customize beans further if CDI is used.
5.5. Service Lifecycle
- Candidate Technologies
-
OSGi, CDI, DI
OSGi supports a simple service lifecycle. Services can be started and stopped at any time. Once a service is started its SPI is made available by the container, thus other services that rely on it may access it directly. A key feature of the OSGi service lifecycle is that services can be stopped without bringing down the OSGi framework. This feature plus the bundle’s classpath enables service implementations to be swapped out at runtime; a feature arguably used by few projects in production.
Dynamic Updates - The OSGi component model is a dynamic model. Bundles can be installed, started, stopped, updated, and uninstalled without bringing down the whole system. Many Java developers do not believe this can be done reliably and therefore initially do not use this in production. However, after using this in development for some time, most start to realize that it actually works and significantly reduces deployment times.
DeltaSpike can be used to start and stop CDI containers however re-establishing a link to a fell down service can’t be done without writing additional infrastructure code.
5.6. Failover
As mentioned before, OSGi allows services to started and stopped at any time during the lifetime of an application. In theory this enables the system to be more resilient to service downtimes, however the dependent services must react to a service going down and becoming unavailable. There’s no magic solution here, this reaction is application specific and must be designed for accordingly. Sometimes service can’t react to a missing piece, for example the Authentication service goes down and can’t be brought back without a restart. In this case the whole system must be shutdown immediately.
We recommend evaluating really hard this requirement as shown by experiences in production as it’s very likely that most times a system shutdown was required to fix the problem.
6. Summary
Clearly OSGi delivers solutions for all requirements, most of them are covered by the OSGi specification itself, while injection can be made particularly better by choosing a specific OSGi framework (such as Eclipse Equinox). On the other hand there’s CDI (and the JavaEE platform) paired with the build tool (Maven or Gradle) to ensure that dependencies are properly identified, packaged, versioned and consumed. An important remark is that CDI can coexist with OSGi bundles but the inverse is not possible.
If both set of technologies cover all requirements and they look good on paper, what makes one better suited than the other? In our experience, practicality is where these technologies bend or break.
Developers can design, create and build OSGi bundles with many products, arguably the Eclipse based solutions are the best one suited for these tasks, simply put because without OSGi there’s no Eclipse; however the other tools can exist without OSGi (NetBeans, IntelliJ IDEA or simple text editors).
Building a bundle requires defining all of its incoming dependencies with proper versions, this is where version ranges come into play to make things worse. Even if the OpenMDM components are delivered with strict versions (no ranges) developers must still battle the "standard" bundles found in different artifact repositories (using the P2 layout, unique for OSGi based artifacts). Any external dependency (JAR) not found as a bundle must be transformed into a bundle. The Eclipse community has made an effort to port the commonly used Open Source libraries into OSGi bundles, however there are bound to be gaps and missing versions (think bug fix releases made in the last weeks).
Next comes the provisioning of a suitable environment. This problem is basically one of plugin compatibility (again caused by versioning). There are projects such as Eclipse Oomph that try to mitigate this problem. The plugin provisioning problem is so prevalent when using Eclipse based tools that developers no longer see it as a show stopper, they simply accept it, endure the pain and continue, wasting time in the process.
When it comes to CI and command line environments there’s one choice: Maven Tycho. Unfortunately the project’s website lacks proper documentation. Add in the fact that Tycho imposes its own conventions over Maven that contradict the Maven conventions. Due to the nature of OSGi bundles, Tycho requires tests to be put in a different project (this implies a different bundle); the sources are placed in a non-maven standard location (src/main/java instead of src/test/java) which confuses other tools that expect the conventional place (Sonar, code coverage tools, code quality tools); thus setting up a proper CI environment and reports takes more time and effort. Running tests is also slightly different; Tycho assumes all test require a running OSGi framework thus they always run in integration mode, there’s no true unit test for a particular OSGi related component.
Finally, publishing and consuming OSGi bundles must be done through an specific repository convention (the P2 repository) which is understandable given the additional metadata that a bundle exposes in order to define its incoming dependencies and its outgoing exports.
What makes then CDI (plus build tools) a better alternative then? To begin with you have a wider variety of tools to choose from in order to build a CDI based component/application. Releases and updates of these tools come more often than the Eclipse bound tools because they come from different vendors with totally different release cycles.
There’s no additional metadata required for bundling a dependency, they’re simple JAR files. There’s no need for a specialized artifact repository; the standard maven layout can be used if the chosen build tool is Maven; Maven, Ivy or even local directories are supported by Gradle.
Provisioning the working environment is simpler as CDI and JavaEE have great support in all major IDEs. Both Maven and Gradle can be used to build, package and deploy CDI artifacts without additional configuration.
CI and command line environments is where the most noticeable change in terms of tool support occurs as both Maven and Gradle have excellent support with all major code quality and audit tools. The testing experience is also much better as true unit tests can be written (there’s no need for a container to be always enabled). Container based testing can be provided by Arquillian, with both integration and functional approaches supported.
7. References
[1] Bradner, S., Key words for use in RFCs to Indicate Requirement Levels
http://tools.ietf.org/html/rfc2119