Key Features

openEuler 22.03 LTS SP2 runs on Linux kernel 5.10 and inherits the competitive advantages of community versions and innovative features released in the openEuler community.

• Simultaneous multithreading (SMT) expeller free of priority inversion: This feature resolves the priority inversion problem in the SMT expeller feature and reduces the impact of offline tasks on the quality of service (QoS) of online tasks.
• CPU QoS priority-based load balancing: CPU QoS isolation is enhanced in online and offline hybrid deployments, and QoS load balancing across CPUs is supported to further reduce QoS interference from offline services.
• Tidal affinity scheduling: The system dynamically adjusts CPU affinity based on the service load. When the service load is light, the system uses preferred CPUs to enhance resource locality. When the service load is heavy, the system adds new CPU cores to improve the QoS.
• Kernel Same-page Merging (KSM) at the process or container level: KSM can be enabled at the process level without explicitly invoking madvise. A prctl system call interface is added to enable all virtual memory addresses (private anonymous pages) in a process to participate in KSM deduplication. Subprocesses forked from the process also inherit this deduplication mode.
• Enhanced Data Access MONitoring (DAMON): This feature enables online, proactive, and lightweight monitoring and reclamation of memory resources when the memory load is light. You can customize a policy to initiate the most appropriate operation on the memory areas based on the monitoring result.
• Enhanced uswap: Memory pages can be swapped out to the back-end storage in user mode, which saves memory resources.
• Intel Emerald Rapids (EMR): It is Intel's next-generation CPU platform built on the Intel 7 process. With Intel EMR, openEuler boosts hardware performance and delivers new hardware features such as Trust Domain Extensions (TDX).
• ACPI for AArch64 MPAM 2.0: Memory System Resource Partitioning and Monitoring (MPAM) is an extension feature of Armv8.4. It resolves system-wide or application-specific performance deterioration due to contention for shared resources (cache, DMC, and interconnects) in server systems that run diverse types of services concurrently.

SysCare

SysCare is a system-level hotfix software that provides security patches and hot fixing for OSs. It can fix system errors without restarting hosts. SysCare combines kernel-mode and user-mode hot patching to take over system repair, saving time for users to focus on other aspects of their business.

• Hot patch making: To generate a hot patch RPM package, users only need to input the paths to the source RPM package, debuginfo RPM package, and patches to be installed of the target software without modifying the software source code.
• Patch lifecycle management: SysCare provides a complete and easy-to-use patch lifecycle management method to simplify usage. Users can manage hot patches by running a command.
• User-mode hot patches for ELF files (program executable files): SysCare uses the uprobe technology to bind hot patches to ELF files. When ELF files are running, uprobe can make the patches take effect. In this way, the patching process does not need to be monitored.
• Integrating kernel-mode and user-mode hot patches: By utilizing the upatch and kpatch technologies, SysCare streamlines the hot patch software stack from top to bottom for applications, dynamic libraries, and kernels, and provides seamless full-stack hot fixing.

The current version is compatible with the AArch64 architecture and supports automatic derivation of patch making parameters, saving and restoration of patch status, restoration of the patch status after a restart, and the syslog capability.

sysmonitor

sysmonitor is a system O&M and monitoring utility. It can monitor the usage of system resources (such as drives, CPUs, memory, and the number of processes, threads, and handles).

• Monitors the filesystems, drive partitions, NIC status, CPUs, memory, number of processes, and number of system handles.
• Monitors key processes and restores service processes quickly when they are abnormal.
• Monitors key files and logs file operations, facilitating file error locating.
• Allows you to customize the monitoring framework to extend monitoring capabilities.

sysMaster

sysMaster manages processes, containers, and VMs centrally and provides fault monitoring and self-healing mechanisms to help deal with Linux initialization and service management challenges. All these features make sysMaster an excellent choice for server, cloud computing, and embedded scenarios.

sysMaster 0.2.4 released with openEuler 22.03 LTS SP2 supports system service management in the container scenario.

• The AArch64 and x86_64 architectures are supported.
• Unit service types of service and target are supported.
• More than 10 service units can be configured.
• The sctl command can be used to manage the lifecycle of a service.
• Logs can be exported to files.

Gazelle

Gazelle is a high-performance user-mode protocol stack. It directly reads and writes NIC packets in user mode based on the Data Plane Development Kit (DPDK), transmits the packets through shared hugepage memory, and uses the LwIP protocol stack, thereby greatly improving the network I/O throughput of applications and accelerating the network for databases. With Gazelle, high performance and universality can be achieved at the same time.

• High performance (ultra-lightweight): High-performance lightweight protocol stack capabilities are implemented based on DPDK and LwIP.
• Ultimate performance: A highly linearizable concurrent protocol stack is implemented based on technologies such as regional hugepage splitting, dynamic core binding, and full-path zero-copy.
• Hardware acceleration: TCP Segmentation Offload (TSO), checksum (CSUM) offload, Generic Receive Offload (GRO), and other offload technologies streamline the vertical acceleration of software and hardware.
• Universality (POSIX compatibility): Full compatibility with POSIX APIs eliminates the need to modify applications. The recvfrom and sendto interfaces of UDP are supported.
• General networking model: Adaptive scheduling of the networking model is implemented based on mechanisms such as fd router and wake-up proxy. The UDP multi-node multicast model meets the requirements of any network application scenario.
• Usability (plug-and-play): LD_PRELOAD enables zero-cost deployment by removing the requirement for service adaptation.
• Easy O&M (O&M tool): Complete O&M methods, such as traffic statistics, metric logs, and CLI commands, are provided.

kunpengsecl

Kunpeng Security Library (KunpengSecL) is a fundamental security software component running on Kunpeng processors. In the early stage, KunpengSecL focuses on trusted computing fields such as remote attestation. As the first security feature of KunpengSecL, remote attestation is an end-to-end trusted computing solution that obtains the trustworthiness status of software and hardware on worker nodes. Various resource management tools can formulate policies based on trustworthiness reports to schedule and use server resources in a differentiated manner.

The remote attestation feature of KunpengSecL supports TPM-based remote attestation for universal platforms and remote attestation for the Kunpeng trusted execution environment (iTrustee).

Rubik

Deploying services based on priorities (hybrid deployment) using Rubik improves resource utilization. The core technology of hybrid deployment is resource isolation and control.

• Enhanced cluster scheduling: Enhances OpenStack Nova to support priority-based semantic scheduling.
• Power consumption control: Limits the CPU bandwidth of low-priority VMs to reduce the overall system power consumption and ensure the QoS of high-priority VMs.
• Cache and memory bandwidth control: Limits the last level cache (LLC) and memory bandwidth of low-priority VMs. Currently, only static allocation is supported.
• Memcg asynchronous memory reclamation: Limits the total memory available to offline applications in a hybrid deployment, and dynamically compresses the memory used by offline services when the online memory utilization increases.
• QuotaBurst traffic control: When the CPU traffic of key online services is limited, the limit can be exceeded in a short period of time to ensure the QoS of online services.
• Enhanced observation of pressure stall information (PSI): Collects pressure information at the cgroup v1 level, identifies and quantifies service interruption risks caused by resource contention, and improves hardware resource utilization

NestOS

NestOS is a cloud OS incubated in the openEuler community. It runs rpm-ostree and Ignition technologies over a dual rootfs and atomic update design, and uses nestos-assembler for quick integration and build. NestOS is compatible with Kubernetes and OpenStack, and reduces container overheads and provides extensive cluster components in large-scale containerized environments.

• Out-of-the-box availability: Integrates popular container engines such as iSulad, Docker, and Podman to provide lightweight and tailored OSs for the cloud.
• Easy configuration: Uses the Ignition utility to install and configure a large number of cluster nodes with a single configuration.
• Secure management: Runs rpm-ostree to manage software packages and works with the openEuler software package source to ensure secure and stable atomic updates.
• Hitless node updating: Uses Zincati to provide automatic node updates and reboot without interrupting services.
• Dual rootfs: Executes dual rootfs for active/standby switchovers, to ensure integrity and security during system running.

GCC for openEuler

GCC for openEuler is developed based on the open source GCC 10.3 and supports features such as automatic feedback-directed optimization (AutoFDO), software and hardware collaboration, memory optimization, Scalable Vector Extension (SVE), and vectorized math libraries.

• Kernel-mode profile-guided optimization: The kernel and GCC are enhanced to support compiler PGO. Users can use the A-FOT tool to build a kernel optimized for specific scenarios with a few clicks.
• Kernel: supports PGO, including the arc and value profiles.
• GCC: added the -fkernel-pgo option to support kernel-mode PGO.
• A-FOT: provides kernel-mode PGO with a few clicks.

The performance improvement depends on the proportion of target application hotspots in the kernel.

A-Ops

A-Ops is an OS-oriented O&M platform that provides intelligent O&M solutions covering data collection, health check, fault diagnosis, and fault rectification. The A-Ops project includes the following sub-projects: fault detection (Gala), fault locating (X-diagnosis), and defect rectification (Apollo).

The Apollo project is an intelligent patch management framework. It provides real-time scanning of CVEs and bugs and cold and hot patching, in order to implement automatic discovery and zero-interruption fixing.

• Community hot patch pipeline

  Hot patch preparation: The target version and patch file of the software package can be specified in the cold patch pull request (PR) to make a hot patch.

  Hot patch release: Hot patches to be released can be automatically collected based on hot patch issues, and then released by reusing the cold patch update release logic.

• Enhanced vulnerability management

  Intelligent patch inspection: CVE inspection and notification for a single-node system or cluster, and one-click fix and rollback are supported.

  Hot fixing: Some CVEs can be fixed using hot patches, ensuring zero service interruption.

  Patch service: Cold and hot patch subscription allows patches to be acquired online.

secGear

secGear is a unified security software development kit (SDK) for confidential computing. The secGear unified framework masks the differences between SDKs in the TEE. Its development tools and security components help security software developers focus on services and improve development efficiency.

• Architecture compatibility: It masks differences between different SDK APIs by sharing the same set of source code across multiple architectures.
• Easy development: The development tools and common security components allow users to focus on services, significantly improving development efficiency.
• High performance: The switchless feature improves the interaction performance between the rich execution environment (REE) and TEE by more than 10-fold in typical scenarios such as frequent interactions between the REE and TEE and big data interaction

In openEuler 22.03 LTS SP2, remote attestation and secure channel are newly supported.

• Remote attestation: secGear encapsulates remote attestation APIs based on the remote attestation capability of each vendor's SDK. secGear must run on the Kunpeng platform. It depends on the TEE verification library of KunpengSecL to verify attestation reports.
• Secure channel: By combining remote attestation and key negotiation, the secGear secure channel negotiates a key between the data owner and TEE, and uses the negotiated key to encrypt and transfer data. Specifically, the REE receives the ciphertext data, after which it transfers the data to the TEE for decryption and processing.

ROS

Robot Operating System (ROS) is a set of software libraries and tools designed to help you build robot applications. ROS is suitable for robotics software development such as communication interaction and message processing. You can customize communication functions (synchronous or asynchronous) for topics and services to build a basic robotics framework.

openEuler 22.03 LTS SP2 supports the ROS Humble version and provides the following features:

• All ros-core and ros-base software packages are available on the openEuler Server and Edge editions.
• SLAM is supported in the openEuler Embedded edition.
• ROS applications can be developed, built, and debugged based on openEuler. (The rqt series tools are supported, whereas RViz and Gazebo are not supported.)

openEuler WSL

Windows Subsystem for Linux (WSL) is an adaptation layer that allows you to run Linux user-mode software on Windows. You can download openEuler from the Microsoft Store, to enjoy a native experience on Windows.

• Out-of-the-box installation: On Windows devices that support WSL, you can download the latest openEuler LTS version from the Microsoft Store with just one click.
• Full lifecycle support: WSL applications of openEuler 22.03 LTS will be updated to openEuler 22.03 LTS SP2.
• User-friendly operations: The openEuler WSL package is available on the Microsoft Store, or you can build your own WSL applications using the open source code in the openEuler WSL repository.
• Metalink support: When you use DNF to install a software package on openEuler, the Metalink service guides DNF to download or update the software package from the mirror site near your IP address, increasing the download or update speed.

kiran-desktop 2.5

kiran-desktop 2.5 supports multi-factor authentication, which combines multiple authentication methods to authenticate users. The combination mode is OR or AND. In OR mode, users only have to pass one of the authentication methods, while in AND mode, users must pass all the authentication methods.

iSulad for Kubernetes 1.24 and 1.25

To help improve the ecosystem and facilitate user operations, iSulad has upgraded its supported CRI versions. The v1alpha2 interface has been upgraded from 1.1X to 1.24/1.25.

The following interfaces are involved in the upgrade to version 1.25:

• Optimized interfaces: CreateContainer, UpdateContainerResources, ContainerStatus, ContainerStats, and ListContainerStats
• New interfaces: PodSandboxStats and ListPodSandboxStats

Lustre Client Software Package

Lustre v2.15.2 client components have been released with openEuler 22.03 LTS SP2. Server components can be compiled from source. The latest source code of the Lustre community supports openEuler 22.03 LTS. By using the Lustre client, you can access the Lustre parallel filesystem from openEuler.

No-SVA Support of KAE

The Kunpeng Accelerator Engine (KAE) is an acceleration solution based on Kunpeng hardware capabilities. It contains the KAE encryption and decryption module and the KAE zlib compression and decompression module, which accelerate SSL and TLS applications and data compression, reduce processor usage, and boost processor efficiency.

• The KAE encryption and decryption module uses the Kunpeng hardware acceleration engine to implement the RSA, SM3, SM4, DH, MD5, and AES algorithms. It provides high-performance symmetric and asymmetric encryption and decryption based on the lossless user-mode driver framework. It is compatible with OpenSSL 1.1.1a and later versions and supports both synchronous and asynchronous mechanisms.
• KAEzip is the compression and decompression module of KAE. It uses the Kunpeng hardware acceleration module to implement the Deflate algorithm and works with the lossless user-mode driver framework to provide an interface for high-performance compression in Gzip or zlib format.

hmdfs Based on Soft Bus

hmdfs stands for HarmonyOS Distributed File System. It is a soft bus-based distributed filesystem ported from the OpenHarmony community. hmdfs provides a globally consistent access view for each device dynamically connected to a network via distributed soft bus (DSoftBus) and allows you to implement high-performance read and write operations on files with low latency by using basic filesystem APIs.

• distributed_file_daemon: user-mode daemon for distributed file management, which controls networking interfaces of access devices, mounts hmdfs, and manages permissions.
• Trusted device: manages the trust relationships between the local device and other devices established for different services in a unified manner.
• DSoftBus: discovers and connects devices at the network link layer.
• Virtual filesystem (VFS): kernel-mode software abstraction layer between users and filesystems on physical storage media.
• hmdfs: core module of the distributed filesystem. It is a high-performance layered filesystem in kernel mode for mobile distributed scenarios.

Automatic Optimization for Software Package Downloads

30 openEuler mirror sites are distributed across Asia, Europe, and North America. Software packages can be downloaded from the nearest mirror sites to improve the download speed.

A metalink, whose value is the URL of the API provided by the metalink service, is configured in the DNF or Yum configuration file shipped with openEuler releases. When a user tries to download a software package, the DNF or Yum client sends a request to the metalink URL. The metalink service returns data in XML format that contains the addresses of nearest mirror sites. The DNF or Yum client then selects the optimal site from the addresses to download the software package, ensuring a fast download speed.

EulerMaker Build System

EulerMaker is a package build system that converts source code into binary packages. It enables developers to assemble and tailor scenario-specific OSs thanks to incremental/full build, gated build, layer tailoring, and image tailoring capabilities

• Incremental/Full build: Analyzes the impact of the changes to software and dependencies, obtains the list of packages to be built, and delivers parallel build tasks based on the dependency sequence.
• Build dependency query: Provides a software package build dependency table in a project, and collects statistics on software package dependencies.
• Layer tailoring: Customizes build projects by layer models to create patches, build and installation dependencies, and compilation options for software packages.
• Image tailoring: Developers can configure the repository source to generate ISO, embedded, and container OS images, and tailor the list of software packages and user login passwords for the images.