Tencent's open source opener: the cloud-native operating system kernel TencentOS Kernel officially arrives on GitHub


On January 9, Tencent officially open-sourced its cloud-native operating system kernel, TencentOS Kernel (GitHub address: https://github.com/Tencent/TencentOS-kernel). A few hours after the release, I saw on GitHub that the project had already received nearly a hundred stars.

Ten years ago the industry widely repeated the phrase "code is eating the world". Later it became "everything in the Internet world comes from open source". Only recently have people really woken up to the fact that cloud native is the big boss behind it all: those who do not use the cloud will be left behind, unable to be agile enough to keep up with the times.

 

TencentOS Kernel can be described as an open source + cloud native model. It is customized from the Linux community's long-term support version 4.14.105, with corresponding optimizations in resource scheduling flexibility, container support, system performance and security. Open-sourcing and applying this system can help customers significantly improve the utilization of cloud resources and reduce operating costs, while achieving a more secure and reliable environment for running their business.

Tencent open source keeps delivering surprises

The author covered this in the earlier article "Tencent's 'crazy' open source". At last year's Tencent Techo Developers Conference, Tencent officially announced that it would promote open source through a combination of "bottom-up" and "top-down" collaboration. It set up an external open source management office to guide and help open source projects, uses communities to give developers opportunities to connect, and is building a technology ecosystem with open source at its core.

I just ran some quick statistics on GitHub: Tencent has currently published 95 projects there, with nearly 270,000 stars in total. Many of its open source projects are heavyweight ones: in 2018 Tencent donated its high-performance RPC development framework TARS and its lightweight name service TSeer to the Linux Foundation, and WeUI, the WeChat web service framework, was acclaimed as soon as it was released.

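Tencent has also been busy on the operating system front. Take TencentOS Kernel's sibling, Tencent OS Tiny: this newly released IoT operating system, thanks to its low power consumption, small resource footprint, modularity, security and reliability, has so far earned 3.7k stars on GitHub. The author previously covered this project in detail in the article "Tencent Tiny OS combined with NB-IoT: is it worth a try for programmers?".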

A first look at the cloud-native TencentOS Kernel

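In the current era of hyperscale computing, improving efficiency and reducing cost are the most basic demands. The defining features of cloud native are continuous delivery and microservices, with containers serving as the runtime carrier for microservices.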

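However, today's general-purpose Linux kernel was not designed for the container + microservice cloud-native architecture, and in many respects it is arguably a poor fit for cloud native. TencentOS Kernel has done a lot of optimization work that tackles these pain points head-on: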

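Kernel hot patching for the ARM64 architecture: kernel hot patching is a technique for modifying the kernel's running code without rebooting the server. With it, kernel bugs or security vulnerabilities can be fixed without affecting normal business operation, which improves operational efficiency, the stability and availability of the underlying platform, and the experience of running the business.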

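Internet-facing cloud services today face a large number of attacks every day, and promptly hot patching kernel vulnerabilities is the minimum requirement for operating a cloud service securely. Yet other Linux kernels still lack hot patch support for ARM devices, which are widely used in cloud computing. TencentOS Kernel fills this gap.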

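TencentOS Kernel developed its arm64 hot patch feature on top of the Kpatch framework. In the kernel, Kpatch replaces kernel functions by means of ftrace. This is similar to ftrace's dynamic probe points, except that instead of collecting runtime statistics it changes the function's execution sequence: after the function runs some extra code, the old function body is skipped and execution jumps to the new function. Most of the work happens in user space: the kernel is compiled from the kernel source, compiled again after the patch is applied, and the differences between the two sets of object files are analyzed to generate diff.o, which is then parsed to produce the final patch.ko. The implementation here is remarkably clever, and the author plans a separate article explaining how this part works.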

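Upgraded resource isolation: because containers are special processes, different containers cannot share with one another the way processes under the same operating system do, and security isolation has always been the core problem for container platforms. The isolation features provided by other versions of the Linux kernel fall far short of what container isolation actually needs: in the kernel, most of the information in the /proc file system has no namespace support, so isolation is simply out of the question.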

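Starting from the container's point of view, TencentOS Kernel strengthens isolation for cpuinfo, stat, loadavg, meminfo, vmstat, diskstats, uptime and others, so that applications inside a container get correct system state information. It also provides a feature that forbids GDB on processes, blocking cross-process memory access, dynamic library loading and the like, to protect the data of business processes.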
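The /proc gap described above can be checked from inside a container by comparing what /proc reports with the container's own cgroup limits. The following Python is an added example, not code from TencentOS Kernel or from the original post; it assumes cgroup v1 limit values (memory.limit_in_bytes, cpu.cfs_quota_us, cpu.cfs_period_us), assumes that an isolated view reports values within those limits, and runs on constructed sample text.

```python
import math
import re

# Constructed sample inputs (not captured from a real host): a 64 GiB, 16-CPU
# machine running a container limited to 2 GiB and 1.5 CPUs via cgroup v1.
HOST_MEMINFO = "MemTotal:       67108864 kB\nMemFree:        1234567 kB\n"
HOST_CPUINFO = "".join(f"processor\t: {i}\nmodel name\t: sample\n\n" for i in range(16))
# Assumed shape of an isolated view: values that stay within the cgroup limits.
ISOLATED_MEMINFO = "MemTotal:        2097152 kB\nMemFree:          524288 kB\n"
ISOLATED_CPUINFO = "".join(f"processor\t: {i}\nmodel name\t: sample\n\n" for i in range(2))


def mem_total_bytes(meminfo: str) -> int:
    """Return MemTotal from /proc/meminfo text, in bytes."""
    m = re.search(r"^MemTotal:\s+(\d+)\s+kB", meminfo, re.MULTILINE)
    if m is None:
        raise ValueError("MemTotal not found")
    return int(m.group(1)) * 1024


def cpu_count(cpuinfo: str) -> int:
    """Count 'processor' entries in /proc/cpuinfo text."""
    return len(re.findall(r"^processor\s*:", cpuinfo, re.MULTILINE))


def proc_leaks(meminfo, cpuinfo, mem_limit, cfs_quota_us, cfs_period_us):
    """Return the /proc files whose values exceed the container's cgroup limits.

    A quota of -1 means no CPU limit, and a memory limit at or above MemTotal
    means no effective memory limit, so neither case is reported.
    """
    leaks = []
    if mem_total_bytes(meminfo) > mem_limit:
        leaks.append("meminfo")
    if cfs_quota_us > 0:
        allowed = math.ceil(cfs_quota_us / cfs_period_us)
        if cpu_count(cpuinfo) > allowed:
            leaks.append("cpuinfo")
    return leaks


if __name__ == "__main__":
    limit = 2 * 1024 ** 3
    print("host view leaks:    ", proc_leaks(HOST_MEMINFO, HOST_CPUINFO, limit, 150000, 100000))
    print("isolated view leaks:", proc_leaks(ISOLATED_MEMINFO, ISOLATED_CPUINFO, limit, 150000, 100000))
```

On a real system, pass in the contents of /proc/meminfo and /proc/cpuinfo read inside the container together with the values from its memory and cpu cgroup directories.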

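TencentOS Kernel also addresses the pain point of mapping process PIDs inside a container to those outside it: when the kernel parameter kernel.watch_host_pid = 1 is set, a process inside the container can read the /proc/self/hostinfo file to obtain its real PID outside the container.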

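More importantly, the version of TencentOS Kernel that is waiting to be pushed specifically mentions that it will provide features including NVMe IO isolation. This will thoroughly solve problems such as the IO control group's low resource utilization on multi-queue devices and its lack of support for proportional isolation, ensuring effective IO isolation across different scenarios.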

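Elastic CPU scheduling algorithm: TencentOS Kernel implements a dedicated scheduling algorithm tailored to the characteristics of containers, and the gains are very significant when offline and online workloads are co-located. Without affecting the quality of online services, whole-machine CPU utilization improved by up to 3x, and in some business scenarios whole-machine CPU utilization can be raised to 90%.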

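On performance, TencentOS Kernel carries its own optimizations for the compute, storage and network subsystems. One example is the PAGE CACHE LIMIT feature, which limits page cache usage so that, as far as possible, the system's remaining memory can meet the needs of the business. TencentOS Kernel also adds several sysctl/proc control interfaces, kernel boot parameters and more to improve the user experience.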

 

Afterword

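The biggest difference between the IT industry and traditional industries is that behind it there still lingers the shadow of the chivalrous martial-arts world. The author believes that TencentOS Kernel, open-sourced by Tencent this time with great sincerity, will surely receive pertinent feedback and support from the open source community. Open source is like martial-arts masters stepping into the arena to spar, and this continual exchange and sparring is bound to raise the skill level of every school. So the author sincerely hopes that Tencent will open-source more high-quality projects in the future and drive the healthy development of the industry.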


Origin blog.csdn.net/BEYONDMA/article/details/103935673