HCE Container OS
HCE Container OS is a lightweight OS based on Huawei Cloud EulerOS (HCE). It is used in cloud native scenarios. It can meet basic needs for running container services and provides atomic upgrades and API O&M for HCE Container OS components that can connect to Kubernetes APIs.
HCE Container OS uses the lightweight kernel tailored for container scenarios. Only the modules and components required for running containers are integrated to construct a simplified rootfs. Basic services such as systemd and cloud-init are simplified. No RPM is required. Files are tailored based on the trustlist, and necessary files are integrated. To ensure system security, the root partition in HCE Container OS is mounted as read-only. The system configuration directory /etc and runtime data directory /var are mounted to a persist partition as overlays for write operations. In addition, HCE Container OS provides features such as atomic upgrades, API O&M, and an admin container for cloud native scenarios.
Functions and Advantages
- Lightweight system
HCE Container OS improves startup speed, minimizes memory usage, and shrinks image size.
To accelerate the system startup, HCE Container OS optimizes the kernel startup process, reduces redundant devices, and simplifies user-mode service configurations. A simplified kernel and fewer runtime programs and services minimize memory usage and shrink the image size.
Compared with the standard OS, HCE Container OS uses fewer resources and improves resource utilization, which reduces costs. It also reduces the system attack surface and improves OS security. In addition, HCE Container OS speeds up node elasticity.
- High security
The root file system in an HCE Container OS image is read-only to prevent malicious tampering and improve system security.
The writable directories, such as the system configuration directory /etc and runtime data directory /var, must be mounted to an independent persist partition. A persist partition can store data persistently, so read-only directories can be mounted to a persist partition as overlays for write operations. The capacity of a persist partition can be dynamically expanded using cloud-init based on the system disk size.
In addition, unnecessary files (such as SSH files) are deleted from HCE Container OS to reduce the attack surface.
- Atomic upgrades
The read-only root partition can be upgraded to fix system vulnerabilities.
In atomic upgrades, the ping-pong mode is used. In this mode, the updated image is alternately downloaded to two partitions. You can modify the GRUB boot item to switch back and forth between the two partitions.
An atomic upgrade needs the os-operator, os-proxy, and os-agent to work together in container scenarios. In HCE Container OS, os-agent is a backend process, os-proxy is a monitoring container, and os-operator is a management container running on a control plane node.
os-operator receives requests from the API server and forwards them to os-proxy through the API server. os-proxy calls os-agent to handle the requests, and the responses are returned along the original path.
- Admin container
The sshd configuration is removed from HCE Container OS, so you cannot log in to any nodes directly. In addition, HCE Container OS has fewer tools and commands than other systems. To perform O&M, you need an admin container.
An admin container contains the sshd service and hostshell tool. The sshd service is started by sysmaster or systemd. After the admin container is deployed, you can connect to it through SSH and run the hostshell command in the admin container to obtain the root shell of the host.
The admin container is usually not required. Deploy one only if you need HCE Container OS O&M.
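The read-only root and overlay layout described under "High security" can be verified from a /proc/mounts-style listing. The script below is an added example, not part of the HCE Container OS documentation; the device names, the /persist mount point and the overlay upperdir paths are assumptions, not the distribution's actual layout.

```shell
#!/bin/sh
# Added example: check that "/" is mounted read-only and that /etc and /var are
# overlay mounts whose writable upper layer lives on the persist partition.
# Assumed (not from the HCE docs): persist partition at /persist, devices vdaN.

# Constructed sample in /proc/mounts format: device mountpoint fstype options ...
SAMPLE_MOUNTS=$(cat <<'EOF'
/dev/vda2 / ext4 ro,relatime 0 0
/dev/vda4 /persist ext4 rw,relatime 0 0
overlay /etc overlay rw,relatime,lowerdir=/etc,upperdir=/persist/etc/upper,workdir=/persist/etc/work 0 0
overlay /var overlay rw,relatime,lowerdir=/var,upperdir=/persist/var/upper,workdir=/persist/var/work 0 0
EOF
)

# mount_field <mounts-text> <mountpoint> <field-number>: print one field of the entry
mount_field() {
    printf '%s\n' "$1" | awk -v mp="$2" -v f="$3" '$2 == mp { print $f; exit }'
}

# has_opt <comma-separated-options> <option>: succeed if the option is present
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# check_layout <mounts-text>: return 0 when the layout matches the design,
# otherwise print each deviation and return 1
check_layout() {
    mounts=$1 rc=0
    root_opts=$(mount_field "$mounts" / 4)
    has_opt "$root_opts" ro || { echo "FAIL: / is not read-only ($root_opts)"; rc=1; }
    for d in /etc /var; do
        fstype=$(mount_field "$mounts" "$d" 3)
        opts=$(mount_field "$mounts" "$d" 4)
        [ "$fstype" = overlay ] || { echo "FAIL: $d is $fstype, expected overlay"; rc=1; continue; }
        case "$opts" in *upperdir=/persist/*) ;; *) echo "FAIL: $d upperdir not on /persist"; rc=1 ;; esac
    done
    return $rc
}

# Constructed tampered variant: root remounted read-write
TAMPERED_MOUNTS=$(printf '%s\n' "$SAMPLE_MOUNTS" | sed 's#^/dev/vda2 / ext4 ro,#/dev/vda2 / ext4 rw,#')

check_layout "$SAMPLE_MOUNTS" && echo "OK: layout matches the read-only root design"
# On a real node the same check would run as: check_layout "$(cat /proc/mounts)"
```

Running the check against the tampered listing reports that "/" is writable, which is the condition the read-only root is meant to rule out.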
Constraints
- When using an HCE Container OS image, do not change GRUB boot parameters.
- In the VM configuration file, you need to configure the <boot order='1'/> element to specify the system disk as the boot disk.
- Only 64-bit architectures are supported.