Kernel: The Heart of the OS

"Aren't OS and Kernel the same?"

I thought so too. When I first touched a Linux server, I saw "Linux Kernel Update" as a separate thing. How is that different from "Linux OS Update"? Both are Linux, right?

I struggled with this for a whole day, then suddenly I understood it like this.

Analogy:

• OS: The entire Car (Engine + Steering Wheel + Wheels + AC + Audio)
• Kernel: The Engine itself.

If the AC (Utility program) breaks, the car still runs. But if the Engine (Kernel) stops, the car is scrap metal. The core program that resides in memory every single moment the computer is on, that is the Kernel.

In the end, in Linux, "OS Update" is updating peripheral tools like shells, file managers, GUIs, and "Kernel Update" is replacing the engine itself with a new model. That's how I accepted it.

How to Check Kernel Version: I Was Lost at First

When I first connected to a server, someone asked me "What's the kernel version?" I obviously didn't know. Where do you even check?

Just do this in the terminal:

uname -r
# Example output: 5.15.0-56-generic

This number is the kernel's version number.

• 5: Major version
• 15: Minor version
• 0-56-generic: Patch level + distribution-specific info

I tried it on macOS and got Darwin Kernel Version 23.3.0. macOS is also Unix-based, so it has a separate kernel.

After learning this, I understood why server documentation needs "Kernel Version: ..." entries.

What Kernel Does: The Sheriff Role

The most important job of the Kernel is "Hardware Protection". Random programs shouldn't be able to wipe your hard drive.

What I accepted is that the Kernel does these 3 things:

1. Memory Management: "Program A, you only use address 100 to 200. Go beyond and you die."
2. Process Management: "Program B, run for 0.1s and step aside. Program C's turn."
3. Device Driver Mediation: Talking to mouse, keyboard, network cards.

If this didn't exist? Programs would fight over memory, CPU would be monopolized by one program, and hardware would be accessed chaotically. Kernel is the cop and mediator.

Kernel Space vs User Space: Ring 0 and Ring 3

Another new term I heard: "Kernel Space" and "User Space".

This is how the CPU divides memory.

• Ring 0 (Kernel Space): Where the kernel runs. Can access hardware directly. Unlimited power.
• Ring 3 (User Space): Where normal programs run. Cannot access hardware directly. Limited privileges.

For example, if Chrome browser (Ring 3) wants to read a file, it must ask the kernel (Ring 0). This asking method is System Call.

Analogy:

• Ring 0 (Kernel): President. All powers available.
• Ring 3 (User Program): Ordinary citizen. Must petition the President.

After understanding this, the answer to "Why can't programs touch hardware directly?" became crystal clear. The CPU divided the privileges from the start.

System Call: The Bridge Between User and Kernel

For example, when opening a file in Python:

file = open("data.txt", "r")

Behind this single line, roughly this happens:

1. Python interpreter calls open() function.
2. Internally calls C library's fopen().
3. fopen() calls system call open(). (Ring 3 → Ring 0 transition)
4. Kernel accesses file system, opens file, returns file descriptor.
5. Python receives file descriptor and continues work.

System call is the only bridge connecting user space and kernel space. Linux has over 300 system calls: read(), write(), fork(), exec(), socket(), etc.

This was the meaning of "programs can do nothing without the kernel".

Monolithic vs Micro Kernel: Design Philosophy Difference

Depending on how you design the kernel, it's divided into two major camps.

1. Monolithic Kernel

Philosophy: "Put everything in one box."

Includes crucial functions plus device drivers, file systems, network stack, all inside the kernel.

Pros:

• Fast: Just function calls. No separate Inter-Process Communication (IPC).
• Efficient: No memory copying, no context switching.

Cons:

• Unstable: One driver bug crashes the entire kernel (Kernel Panic).
• Large: Linux kernel is tens of millions of lines of code.

Representative: Linux, traditional Unix.

At first, I thought "Why use such an unstable structure?" but in server environments, speed is life. That's why monolithic structure dominates.

2. Micro Kernel

Philosophy: "Keep only the core, kick everything else out!"

Keep only memory management, scheduling, IPC (Inter-Process Communication) in the kernel. Run others (drivers, file systems) as normal programs (user space server processes).

Pros:

• Stable: If a driver crashes, kernel survives.
• Lightweight: Kernel code is small (tens of thousands of lines).
• Secure: Each module is isolated, hard to penetrate.

Cons:

• Slow: Overhead from passing messages between modules.
• Complex: Inter-module communication design is difficult.

Representative: Mach (foundation of macOS), Minix, QNX.

I use macOS, and I had a question: "Why does macOS feel more stable than Linux?" After learning it's micro-kernel based (precisely hybrid), I understood.

Hybrid Kernel: Mix Both

Modern OSs are neither pure monolithic nor pure micro.

• Windows NT: Designed like micro kernel, but moved drivers to kernel space for performance.
• macOS XNU: Mixed Mach micro kernel + BSD monolithic kernel.

In the end, they found a compromise between "performance vs stability".

Tanenbaum-Torvalds Debate: 1992 Chaos

Linus Torvalds (creator of Linux) and Andrew Tanenbaum (creator of Minix, a micro kernel) fought on Usenet in 1992.

Tanenbaum: "Monolithic kernel is outdated. Micro kernel is the future." Torvalds: "Micro kernel is slow. Practicality is the answer."

The result?

• Linux (monolithic) dominates server market.
• Minix (micro) is only used academically.

But ironically, Tanenbaum's ideas survived in macOS, QNX (automotive), Fuchsia (Google). In the end, this was it: Both are right. It depends on the use case.

Kernel Modules: Plug In Only When Needed

The problem with monolithic kernels was "too bulky". But Linux solved this with Loadable Kernel Module (LKM).

USB drivers, graphics card drivers are dynamically plugged into the kernel only when needed.

lsmod  # List currently loaded kernel modules

Example output:

Module                  Size  Used by
nvidia_drm            102400  5
nvidia_modeset       1245184  12 nvidia_drm
nvidia              56385536  573 nvidia_modeset

If you use an NVIDIA graphics card, the nvidia module loads automatically. You can unload it if not needed.

sudo rmmod nvidia  # Remove module
sudo insmod nvidia.ko  # Add module

At first, I was scared of "touching kernel modules wrong can crash the system", and when I tried it, it really crashed. Since then, I don't touch them carelessly.

/proc Filesystem: Peeking at Kernel Info

Linux has a magical directory: /proc.

cat /proc/cpuinfo  # CPU info
cat /proc/meminfo  # Memory info
cat /proc/version  # Kernel version

This directory doesn't actually exist on disk. It's a virtual filesystem generated by the kernel in real-time.

For example, to see CPU info:

cat /proc/cpuinfo

Output:

processor       : 0
vendor_id       : GenuineIntel
cpu family      : 6
model           : 142
model name      : Intel(R) Core(TM) i7-8565U CPU @ 1.80GHz

After learning this, I understood why server monitoring scripts parse /proc/meminfo to check memory usage.

Kernel Panic vs Blue Screen: When Kernel Dies

When the kernel dies, the computer stops. Because the kernel manages everything.

• Linux: Kernel Panic
• Windows: Blue Screen of Death (BSOD)
• macOS: Kernel Panic (reboot screen)

When I first saw Kernel Panic on a server, the log showed this:

Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0)

Roughly meaning: "Couldn't find root filesystem. I'm dying."

After this experience, I accepted "kernel is god". When kernel dies, it's just over.

dmesg: Listening to What Kernel Says

The kernel logs something when booting, and whenever hardware is connected. The command to see this is dmesg.

dmesg | tail -20  # See last 20 lines

Example output:

[    1.234567] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b
[    1.234568] input: Logitech USB Receiver as /devices/pci0000:00/usb1/1-1/input0
[   10.567890] EXT4-fs (sda1): mounted filesystem with ordered data mode

When you plug in a USB mouse, it shows up in dmesg immediately. At first, I didn't know why this was needed, but it's really useful for debugging hardware issues.

Docker and Kernel Sharing: Container Secret

When I first used Docker, I had a question: "What's different from virtual machines?"

The key difference is the kernel.

• Virtual Machine (VM): Guest OS has its own kernel.
• Docker Container: Shares host OS's kernel.

For example, running a Linux Docker container on macOS?

• macOS is not Linux kernel (XNU kernel).
• Docker runs a lightweight Linux VM behind the scenes.

The moment this clicked was when I wondered "Why does uname -r in Docker show host kernel version?"

# On host
uname -r
# 5.15.0-56-generic

# Inside Docker container
docker run -it ubuntu bash
uname -r
# 5.15.0-56-generic (same!)

Containers are light and fast because they share the kernel. But security-wise, they're weaker than VMs. (If kernel is breached, host is breached too)

eBPF: Extending Kernel Without Touching It

A new technology I recently learned is eBPF (extended Berkeley Packet Filter).

Traditionally, extending the kernel required writing kernel modules. But kernel modules are dangerous. If they have bugs, the whole system crashes.

eBPF allows inserting safe sandbox programs inside the kernel.

For example:

• Filter network packets (firewall role)
• Trace system calls (monitoring)
• Performance profiling

# Trace system calls with eBPF (using bpftrace)
sudo bpftrace -e 'tracepoint:syscalls:sys_enter_openat { printf("%s opened %s\n", comm, str(args->filename)); }'

Running this shows in real-time which programs are opening which files.

eBPF is used in Kubernetes networking (Cilium), security tools (Falco), monitoring (Pixie). The idea of "extending kernel without kernel modules" was so brilliant, I want to dive deep.

Why Linux Rules Servers

Linux is a Monolithic Kernel. Servers have these characteristics:

1. Fixed hardware specs: Don't suddenly plug/unplug USB.
2. Peak performance (speed) matters: 1ms latency affects revenue.
3. Stability covered by monitoring: If it crashes, auto-restart.

So even if it's bulky and harder to maintain, performance-beast monolithic Linux dominates the server market.

99%+ of AWS, Google Cloud, Azure run on Linux kernel.

Summary

At first, I started with "What's the difference between OS and Kernel?" Now I summarize it like this:

• Kernel is the Core of OS and the Absolute Ruler of hardware.
• Ring 0 (Kernel Space) and Ring 3 (User Space) are the caste system divided by CPU.
• System call is the only way user programs ask the kernel for help.
• Monolithic kernel is fast but unstable, micro kernel is stable but slow. Modern is hybrid mixing both.
• Linux dominates servers because of speed.
• Docker shares host kernel to be lightweight, eBPF extends kernel safely.

In the end, this was it: Kernel is the engine of the computer. When engine stops, the car is scrap metal.