Analysis of China Mobile's container-customized Linux operating system
General operating systems integrate a large number of software and enable many services by default. Most of these software and services are not required for the container environment. Therefore, deploying container services based on a general operating system will not only increase system overhead, but also lead to environmental instability and an expansion of the security attack surface. Compared with traditional general-purpose operating systems, container operating systems are deeply tailored and optimized for container applications, providing a lightweight minimum running environment for containers. This article introduces some of China Mobile’s attempts at containerized systems and some of its achievements.
China Mobile launched the research and development of a container-customized operating system in 2017, deeply customized it based on the Big Cloud operating system BC-LINUX, and officially released version 1.0 in May of that year, named "Big Cloud Containerized Operating System". BC-LINUX is an enterprise-level general-purpose Linux operating system independently developed by China Mobile based on the CentOS open source community and leveraging the openness advantages of open source technology through customized means. Currently, nearly 20,000 units have been deployed within China Mobile. On the basis of the general system, the Dayun containerized operating system provides a streamlined container operating environment through kernel optimization and system tailoring and other technical means, improves the system's operating speed, achieves system minimization and performance optimization. as the picture shows.
To strike a balance between system ease of use and simplicity, Dayun containerized operating system cuts out irrelevant software packages and services while retaining the basic functions of the system. On the basis of providing the minimum operating environment for containers, Dayun containerized operating system ensures that common services and functions of the operating system are not missing, reduces system overhead, and reduces the difficulty of system operation and maintenance. Compared with general systems, Dayun containerized operating system The number of system software packages has been reduced from 3723 to 376, the number of services has been reduced from 254 to 143, and the installation image size has been reduced from 4.31G to 770M, as shown in the figure.
Dayun containerized operating system integrates Docker components and provides 11 mainstream open source middleware container images for out-of-the-box use. We provide version updates, security warnings, vulnerability fixes and technical support services for these 11 open source components, and regularly scan and update to fix security vulnerabilities in container images to ensure that there are no security issues in container images, as shown in the figure.
For container usage scenarios, Dayun containerized operating system provides an optimized customized kernel. The customized kernel is customized and developed based on the latest long-term support version 4.9 of the kernel community. The kernel is tailored for the container business and adds many function enhancements and performance optimizations for XFS, Btrfs and Overlayfs. The Dayun container operating system supports the overlay2 storage driver. Compared with overlay, the overlay2 of Dayun containerized operating system is more efficient in terms of inode usage. In addition, China Mobile's multiple patches for containers are added to the customized kernel, which realizes the separation of some network configuration parameters of the container and the host system, and meets the tuning needs of the container business system in high network concurrency scenarios, as shown in the figure.
The big cloud containerized system reduces the security attack surface of the system by cutting out unnecessary services. At the same time, the system has built-in security hardening software independently developed by China Mobile, which can comprehensively scan the system for security vulnerabilities and security configuration issues, provide security assessment results and repair suggestions, and can harden the system with one click and turn on the system security mode.
The customized kernel is based on the 4.9 kernel, and higher versions of the kernel have fixed many security vulnerabilities, such as the kernel privilege escalation vulnerability Dirty Cow (CVE-2016-5195). A system with this vulnerability can bypass the system's security policy in the container and obtain root permissions of the host system, and then can view, modify or even delete any files in the host, thus posing security risks to the host and other containers.
In response to the problem of business interruption caused by dynamic library and kernel upgrades in traditional upgrade methods, Dayun containerized operating system has launched hot patch technology. Hot patch technology is an online defect and vulnerability repair technology that does not affect the business. It can achieve online upgrades of dynamic libraries and kernels without interrupting services or restarting the system. It does not affect system performance and significantly improves business performance. System stability and availability.
Specifically, dynamic library hot upgrade solves the problem of dynamic library upgrade of business programs. It is suitable for dynamic library upgrade of all processes. It is simple and convenient to operate, has high reliability, and supports multiple re-entry and reverse operations, as shown in the figure. .
Kernel hot upgrade technology, based on the kernel's ftrace mechanism, dynamically adds detection points to realize online replacement of function-level execution processes. This technology allows kernel upgrades without restarting the system, minimizing system downtime. For important security vulnerabilities, Dayun containerized operating system can respond quickly. At the same time, the system supports rollback operations and can quickly restore the kernel to the state before the upgrade.
For containerized operating systems, Dayun can provide continuous system updates and technical support services, track security vulnerabilities in the operating system, especially Docker components, and issue security warnings and vulnerability update patch packages, as shown in the figure.
Since its release, the Dayun containerized operating system has been commercially promoted within China Mobile. The current deployment scale has reached nearly 200 nodes. It uses the Kubernetes container management platform and has been running stably for 6 months, supporting 5,000 containers. The product’s Safety, stability and reliability have been fully verified in the project.
The above is the detailed content of Analysis of China Mobile's container-customized Linux operating system. For more information, please follow other related articles on the PHP Chinese website!

The startup process of Linux includes: 1. Start BIOS/UEFI, 2. Load GRUB, 3. Load kernel and initrd, 4. Execute init process, 5. Start system services, 6. Start login manager; the startup process of Windows includes: 1. Start BIOS/UEFI, 2. Load WindowsBootManager, 3. Load winload.exe, 4. Load tonskrnl.exe and HAL, 5. Start system services, 6. Start login screen; Linux provides more customization options, while Windows pays more attention to user experience and stability.

This guide details how to configure automatic service restarts in Linux using systemd, enhancing system reliability and minimizing downtime. System administrators often rely on this functionality to ensure critical services, such as web servers (Apa

As Linux users, we often rely on commonly used commands ls, grep, awk, sed and find to complete the work. But Linux has a large number of lesser-known commands that can save time, automate tasks and simplify workflows. This article will explore some underrated but powerful Linux commands that deserve more attention. rename – efficient batch rename files The rename command is the savior when you need to rename multiple files at once. Without using loops containing mv, rename allows you to easily apply complex renaming patterns. Change all .txt files to .log. rename 's/\.txt$/\.log/' *

Linux systems provide various system services (such as process management, login, syslog, cron, etc.) and network services (such as remote login, email, printer, web hosting, data storage, file transfer, domain name resolution (using DNS), dynamic IP address allocation (using DHCP), and so on). Technically, a service is a process or group of process (usually known as a daemon) that runs continuously in the background, waiting for incoming requests (especially from the client). Linux supports different ways to manage services (start, stop, restart, enable automatic startup at system startup, etc.), usually through a process or service manager. Almost all modern Linux distributions now use the same

Run Windows Software and Games on Linux with CrossOver 25 Running Windows applications and games on Linux is now easier than ever, thanks to CrossOver 25 from CodeWeavers. This commercial software solution lets Linux users run a wide variety of Wind
![pCloud - The Most Secure Cloud Storage [50% Off Offer]](https://img.php.cn/upload/article/001/242/473/174580357418126.jpg?x-oss-process=image/resize,p_40)
Secure Your Data with pCloud: A Comprehensive Guide to Linux Installation pCloud, a leading secure cloud storage service, provides a robust platform for managing your files and data. This guide details the installation process on Linux systems. About

MangoHud: A powerful tool for real-time monitoring of Linux gaming performance MangoHud is a powerful and lightweight tool designed for gamers, developers, and anyone who wants to monitor system performance in real time. It acts as an overlay for Vulkan and OpenGL applications, displaying important information such as FPS, CPU and GPU usage, temperature, etc. This article will explore the functions, working principles and usage of MangoHud, and provide step-by-step instructions for installing and configuring MangoHud on Linux systems. What is MangoHud? MangoHud is an open source project available on GitHub and aims to provide a simple and customizable way to monitor

Managing archived files is a common task in Linux. This article, the first of a two-part series, explores five powerful command-line archive tools, detailing their features and usage with examples. 1. The tar Command: A Versatile Archiving Utility t


Hot AI Tools

Undresser.AI Undress
AI-powered app for creating realistic nude photos

AI Clothes Remover
Online AI tool for removing clothes from photos.

Undress AI Tool
Undress images for free

Clothoff.io
AI clothes remover

Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Article

Hot Tools

SecLists
SecLists is the ultimate security tester's companion. It is a collection of various types of lists that are frequently used during security assessments, all in one place. SecLists helps make security testing more efficient and productive by conveniently providing all the lists a security tester might need. List types include usernames, passwords, URLs, fuzzing payloads, sensitive data patterns, web shells, and more. The tester can simply pull this repository onto a new test machine and he will have access to every type of list he needs.

WebStorm Mac version
Useful JavaScript development tools

SublimeText3 Mac version
God-level code editing software (SublimeText3)

Dreamweaver Mac version
Visual web development tools

Atom editor mac version download
The most popular open source editor
