#CS#OS#Kernel#Linux
Kernel: The Heart of the OS
If an OS is a collection of programs, who is the core? Identity of the Kernel that always stays in memory.
February 23, 2025
Codemapo
If an OS is a collection of programs, who is the core? Identity of the Kernel that always stays in memory.
Why does my server crash? OS's desperate struggle to manage limited memory. War against Fragmentation.
Two ways to escape a maze. Spread out wide (BFS) or dig deep (DFS)? Who finds the shortest path?
Fast by name. Partitioning around a Pivot. Why is it the standard library choice despite O(N²) worst case?
Establishing TCP connection is expensive. Reuse it for multiple requests.
I thought so too. When I first touched a Linux server, I saw "Linux Kernel Update" as a separate thing. How is that different from "Linux OS Update"? Both are Linux, right?
I struggled with this for a whole day, then suddenly I understood it like this.
Analogy:
If the AC (Utility program) breaks, the car still runs. But if the Engine (Kernel) stops, the car is scrap metal. The core program that resides in memory every single moment the computer is on, that is the Kernel.
In the end, in Linux, "OS Update" is updating peripheral tools like shells, file managers, GUIs, and "Kernel Update" is replacing the engine itself with a new model. That's how I accepted it.
When I first connected to a server, someone asked me "What's the kernel version?" I obviously didn't know. Where do you even check?
Just do this in the terminal:
uname -r
# Example output: 5.15.0-56-generic
This number is the kernel's version number.
5: Major version15: Minor version0-56-generic: Patch level + distribution-specific infoI tried it on macOS and got Darwin Kernel Version 23.3.0.
macOS is also Unix-based, so it has a separate kernel.
After learning this, I understood why server documentation needs "Kernel Version: ..." entries.
The most important job of the Kernel is "Hardware Protection". Random programs shouldn't be able to wipe your hard drive.
What I accepted is that the Kernel does these 3 things:
If this didn't exist? Programs would fight over memory, CPU would be monopolized by one program, and hardware would be accessed chaotically. Kernel is the cop and mediator.
Another new term I heard: "Kernel Space" and "User Space".
This is how the CPU divides memory.
For example, if Chrome browser (Ring 3) wants to read a file, it must ask the kernel (Ring 0). This asking method is System Call.
Analogy:
After understanding this, the answer to "Why can't programs touch hardware directly?" became crystal clear. The CPU divided the privileges from the start.
For example, when opening a file in Python:
file = open("data.txt", "r")
Behind this single line, roughly this happens:
open() function.fopen().fopen() calls system call open(). (Ring 3 → Ring 0 transition)System call is the only bridge connecting user space and kernel space.
Linux has over 300 system calls: read(), write(), fork(), exec(), socket(), etc.
This was the meaning of "programs can do nothing without the kernel".
Depending on how you design the kernel, it's divided into two major camps.
Philosophy: "Put everything in one box."
Includes crucial functions plus device drivers, file systems, network stack, all inside the kernel.
Pros:
Cons:
Representative: Linux, traditional Unix.
At first, I thought "Why use such an unstable structure?" but in server environments, speed is life. That's why monolithic structure dominates.
Philosophy: "Keep only the core, kick everything else out!"
Keep only memory management, scheduling, IPC (Inter-Process Communication) in the kernel. Run others (drivers, file systems) as normal programs (user space server processes).
Pros:
Cons:
Representative: Mach (foundation of macOS), Minix, QNX.
I use macOS, and I had a question: "Why does macOS feel more stable than Linux?" After learning it's micro-kernel based (precisely hybrid), I understood.
Modern OSs are neither pure monolithic nor pure micro.
In the end, they found a compromise between "performance vs stability".
Linus Torvalds (creator of Linux) and Andrew Tanenbaum (creator of Minix, a micro kernel) fought on Usenet in 1992.
Tanenbaum: "Monolithic kernel is outdated. Micro kernel is the future." Torvalds: "Micro kernel is slow. Practicality is the answer."
The result?
But ironically, Tanenbaum's ideas survived in macOS, QNX (automotive), Fuchsia (Google). In the end, this was it: Both are right. It depends on the use case.
The problem with monolithic kernels was "too bulky". But Linux solved this with Loadable Kernel Module (LKM).
USB drivers, graphics card drivers are dynamically plugged into the kernel only when needed.
lsmod # List currently loaded kernel modules
Example output:
Module Size Used by
nvidia_drm 102400 5
nvidia_modeset 1245184 12 nvidia_drm
nvidia 56385536 573 nvidia_modeset
If you use an NVIDIA graphics card, the nvidia module loads automatically.
You can unload it if not needed.
sudo rmmod nvidia # Remove module
sudo insmod nvidia.ko # Add module
At first, I was scared of "touching kernel modules wrong can crash the system", and when I tried it, it really crashed. Since then, I don't touch them carelessly.
Linux has a magical directory: /proc.
cat /proc/cpuinfo # CPU info
cat /proc/meminfo # Memory info
cat /proc/version # Kernel version
This directory doesn't actually exist on disk. It's a virtual filesystem generated by the kernel in real-time.
For example, to see CPU info:
cat /proc/cpuinfo
Output:
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 142
model name : Intel(R) Core(TM) i7-8565U CPU @ 1.80GHz
After learning this, I understood why server monitoring scripts parse /proc/meminfo to check memory usage.
When the kernel dies, the computer stops. Because the kernel manages everything.
When I first saw Kernel Panic on a server, the log showed this:
Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0)
Roughly meaning: "Couldn't find root filesystem. I'm dying."
After this experience, I accepted "kernel is god". When kernel dies, it's just over.
The kernel logs something when booting, and whenever hardware is connected.
The command to see this is dmesg.
dmesg | tail -20 # See last 20 lines
Example output:
[ 1.234567] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b
[ 1.234568] input: Logitech USB Receiver as /devices/pci0000:00/usb1/1-1/input0
[ 10.567890] EXT4-fs (sda1): mounted filesystem with ordered data mode
When you plug in a USB mouse, it shows up in dmesg immediately.
At first, I didn't know why this was needed, but it's really useful for debugging hardware issues.
When I first used Docker, I had a question: "What's different from virtual machines?"
The key difference is the kernel.For example, running a Linux Docker container on macOS?
The moment this clicked was when I wondered "Why does uname -r in Docker show host kernel version?"
# On host
uname -r
# 5.15.0-56-generic
# Inside Docker container
docker run -it ubuntu bash
uname -r
# 5.15.0-56-generic (same!)
Containers are light and fast because they share the kernel. But security-wise, they're weaker than VMs. (If kernel is breached, host is breached too)
A new technology I recently learned is eBPF (extended Berkeley Packet Filter).
Traditionally, extending the kernel required writing kernel modules. But kernel modules are dangerous. If they have bugs, the whole system crashes.
eBPF allows inserting safe sandbox programs inside the kernel.
For example:
# Trace system calls with eBPF (using bpftrace)
sudo bpftrace -e 'tracepoint:syscalls:sys_enter_openat { printf("%s opened %s\n", comm, str(args->filename)); }'
Running this shows in real-time which programs are opening which files.
eBPF is used in Kubernetes networking (Cilium), security tools (Falco), monitoring (Pixie). The idea of "extending kernel without kernel modules" was so brilliant, I want to dive deep.
Linux is a Monolithic Kernel. Servers have these characteristics:
So even if it's bulky and harder to maintain, performance-beast monolithic Linux dominates the server market.
99%+ of AWS, Google Cloud, Azure run on Linux kernel.
At first, I started with "What's the difference between OS and Kernel?" Now I summarize it like this:
In the end, this was it: Kernel is the engine of the computer. When engine stops, the car is scrap metal.