
CITIC Securities

Database containerization platform construction practice

Critical business systems covered: 30
Server resource utilization improved: 60%

  1. Application scenarios

As a leading comprehensive securities company in China, CITIC Securities has a wide range of businesses and has diversified requirements for database systems. CITIC Securities adopts a diversified database strategy, including distributed databases, centralized relational databases, analytical databases, and non-relational databases such as key-value, document, time series, and graphs.

CITIC Securities uses the KubeBlocks containerized database management platform to decouple the database from hardware resources through K8s, and intelligently allocates different databases to the most suitable container environment according to their characteristics, security requirements, and service-level objectives (SLOs) with the help of K8s' orchestration technology and highly standardized database container images, greatly simplifying the management of multiple types of databases. When implementing a hybrid deployment, it is a significant technical challenge to meet the security levels and SLO requirements of different databases while achieving efficient resource utilization.

  2. Overall plan

Based on KubeBlocks, CITIC Securities has built a database management platform on top of its K8s container platform, making full use of domestic hardware infrastructure such as Haiguang and Kunpeng. K8s provides a unified operating environment for the database containers running on it, and its automatic scheduling and resource management capabilities are the foundation for isolating and co-locating databases. The KubeBlocks platform enables CITIC Securities to flexibly deploy and manage multiple types of databases, is optimized for database workloads, and provides unified lifecycle management, automated O&M, multi-cluster management, scheduling and co-location, resource isolation, migration and spreading, and other functions.

In the database management platform, an efficient scheduling system requires multi-dimensional evaluation of resources and the implementation of constraint control. The platform maintains a node resource allocation table, monitors resource metrics in real time, analyzes node load and capacity, and considers a variety of resource constraint strategies when making scheduling decisions, such as memory not over-allocated, CPU allowed over-allocation, and IOPS resource reservation.

The system adopts a multi-objective optimization algorithm to select the optimal node under the condition of satisfying the constraints. In addition, the scheduling system classifies database instances based on business importance, SLAs, and access patterns, and matches corresponding node resources to balance critical business assurance and overall resource efficiency.

The KubeBlocks scheduling system supports node density grading and oversubscription management, and balances resource utilization and service isolation by distinguishing between high- and low-density nodes and setting different oversubscription ratios. The system continuously monitors resource usage and performance, and dynamically adjusts density levels and oversubscription strategies. At the same time, the scheduling system performs a profile analysis of the database instance to identify the load type (such as CPU-intensive, I/O-intensive, etc.) and peak period characteristics. Based on this, the system implements an intelligent mixing strategy to schedule instances with complementary resource requirements to the same node to maximize resource utilization.

On each trading day, the trading systems of the securities industry have strictly fixed trading hours, relatively fixed clearing periods, and almost empty idle periods. During the trading and clearing periods, the resources of the trading and clearing systems must be guaranteed with the highest priority; during the idle period, the resources of the trading system can be transferred to background management, analysis, reporting and other scenarios. Along the time dimension, the KubeBlocks scheduling system implements off-peak scheduling by manually specifying and automatically analyzing the peak load period of each instance. The algorithm's goals include minimizing the overlap of peak periods among instances on the same node and avoiding load spikes. The system periodically, or on trigger conditions, re-executes co-location and off-peak scheduling, and migrates instances when necessary to maintain the off-peak state. The scheduling system continuously monitors the optimization effect, collects performance feedback, evaluates the quality of its decisions, and adjusts its strategies. At the same time, the system provides a manual intervention interface that allows administrators to adjust parameters according to business needs and guide the system toward targeted optimization. Through these strategies, the scheduling system effectively improves resource utilization and reduces O&M costs while ensuring service quality.

On this basis, CITIC Securities has further optimized its database containerization solution, with a special focus on security and resource utilization efficiency. Considering the strict requirements of the financial industry for data security and the differences in the security level of different types of databases, CITIC Securities has adopted a more fine-grained container technology strategy. This strategy not only ensures a high level of security, but also achieves optimal allocation of resources. To achieve this goal, CITIC Securities uses secure container technology, which is not widely available in the industry, to classify database workloads with different security levels and performance requirements. This approach allows both a highly sensitive core business database and a relatively open secondary database system to run on the same platform, ensuring the security of the overall system and improving resource utilization.

CITIC Securities' secure container-based database solution is an innovative solution, the core of which is to make full use of the advantages of runC and runD container technology to achieve hybrid deployment of trusted and untrusted containers, as well as hybrid deployment of different SLO (Service Level Objective) containers. runC is a lightweight container runtime that interacts directly with the host operating system kernel, providing near-native performance and full container functionality. It is suitable for applications that are recognized as trusted, such as rigorously audited, internally developed database systems. runC containers share the host kernel and are characterized by high performance, resource efficiency, and broad compatibility. runD is an emerging container runtime that combines the lightweight nature of containers with the strong isolation of virtual machines. It provides a separate kernel for each container through the use of lightweight virtual machine technology, making it ideal for applications that are considered untrustworthy or require a higher level of security isolation, such as those provided by certain open source databases or external vendors.

In hybrid deployment, a differentiated container technology selection strategy is adopted: the core databases used by internal business can be considered secure and trustworthy, so runC is preferred for them. For open source databases and databases supplied by external vendors, runD is preferred because of the risk they may pose to the core system. This differentiated selection strategy not only meets the security needs of different applications, but also achieves the best balance between resource utilization and performance.
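The scheduling constraints described in the overall plan (memory never over-allocated, CPU over-allocation bounded by a per-node ratio that differs between high- and low-density nodes, IOPS reservation, and minimizing peak-period overlap on a node) and the runC/runD selection rule from the two paragraphs above can be modelled together in a small placement routine. The following is an added illustration written for this page; it is not KubeBlocks code and does not reproduce CITIC Securities' scheduler. Node names, capacities, overcommit ratios, the instances and their peak windows, and the RuntimeClass handler names `runc` and `rund` are all constructed assumptions.

```python
"""Toy multi-constraint placement of database instances on K8s nodes.

Added illustration, not KubeBlocks or CITIC Securities code. It models the
constraints named in the case study: memory is never over-allocated, CPU
over-allocation is bounded by a per-node ratio (high- vs low-density nodes),
IOPS is reserved and not over-allocated, peak-window overlap between
co-located instances is penalised, and trusted instances run under runC
while untrusted ones require a node that offers the runD handler.
All names, sizes and ratios below are constructed assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    cpu: float               # allocatable cores
    mem_gib: float           # allocatable memory
    iops: int                # reservable storage IOPS
    cpu_overcommit: float    # 1.0 = no overcommit (low density); >1.0 = high density
    runtimes: frozenset      # RuntimeClass handlers installed, e.g. {"runc", "rund"}
    placed: list = field(default_factory=list)

    def used(self, attr: str) -> float:
        return sum(getattr(i, attr) for i in self.placed)


@dataclass(frozen=True)
class Instance:
    name: str
    cpu: float
    mem_gib: float
    iops: int
    trusted: bool
    peak: tuple              # (start_hour, end_hour) of heaviest load, 24h clock

    @property
    def runtime(self) -> str:
        # Trusted in-house core DBs share the host kernel (runC); open-source or
        # vendor DBs get their own kernel (runD). Handler names are assumptions.
        return "runc" if self.trusted else "rund"


def overlap_hours(a: tuple, b: tuple) -> float:
    """Hours during which two peak windows coincide."""
    return max(0, min(a[1], b[1]) - max(a[0], b[0]))


def feasible(node: Node, inst: Instance) -> bool:
    """Hard constraints: runtime availability, memory, bounded CPU, reserved IOPS."""
    if inst.runtime not in node.runtimes:
        return False
    if node.used("mem_gib") + inst.mem_gib > node.mem_gib:               # no memory overcommit
        return False
    if node.used("cpu") + inst.cpu > node.cpu * node.cpu_overcommit:     # bounded CPU overcommit
        return False
    if node.used("iops") + inst.iops > node.iops:                        # IOPS reservation
        return False
    return True


def score(node: Node, inst: Instance) -> tuple:
    """Lower is better: peak overlap with co-tenants first, then bin-pack tightness."""
    peak_penalty = sum(overlap_hours(inst.peak, other.peak) for other in node.placed)
    cpu_free = node.cpu * node.cpu_overcommit - node.used("cpu") - inst.cpu
    mem_free = node.mem_gib - node.used("mem_gib") - inst.mem_gib
    return (peak_penalty, cpu_free + mem_free)


def place(nodes: list, instances: list) -> dict:
    """Greedy placement, largest instances first; None when no node satisfies the constraints."""
    decisions = {}
    for inst in sorted(instances, key=lambda i: (-i.mem_gib, -i.cpu)):
        candidates = [n for n in nodes if feasible(n, inst)]
        if not candidates:
            decisions[inst.name] = None
            continue
        best = min(candidates, key=lambda n: score(n, inst))
        best.placed.append(inst)
        decisions[inst.name] = (best.name, inst.runtime)
    return decisions


def demo() -> dict:
    """Constructed cluster: one low-density runC-only node, one high-density node with runD."""
    nodes = [
        Node("core-node", cpu=32, mem_gib=128, iops=40000, cpu_overcommit=1.0,
             runtimes=frozenset({"runc"})),
        Node("shared-node", cpu=32, mem_gib=128, iops=40000, cpu_overcommit=2.0,
             runtimes=frozenset({"runc", "rund"})),
    ]
    instances = [
        Instance("trading-core", 16, 64, 20000, True, (9, 15)),     # in-house, trading hours
        Instance("clearing", 12, 48, 15000, True, (15, 18)),        # in-house, clearing window
        Instance("analytics-vendor", 20, 48, 10000, False, (0, 6)), # vendor software
        Instance("report-oss", 8, 24, 5000, False, (20, 24)),       # open-source DB
        Instance("quote-feed", 2, 8, 1000, True, (9, 15)),          # trusted, but peaks with trading
    ]
    return place(nodes, instances)


if __name__ == "__main__":
    for name, where in demo().items():
        print(f"{name:18} -> {where}")
```

Running `demo()` places the two trusted, peak-sensitive instances on the low-density node, forces the vendor and open-source databases onto the node that offers `rund`, and moves `quote-feed` away from `trading-core` even though it would fit there, because its peak window overlaps completely with trading hours. Replacing the single greedy pass with periodic re-evaluation and migration, as the case study describes, would reuse the same `feasible` and `score` checks.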

  3. Application effectiveness and experience

In particular, it is worth mentioning that the KubeBlocks team has responded to the demands of CITIC Securities for off-peak scheduling, elastic resource priority scheduling, hybrid deployment of trusted & untrusted containers, and mixed deployment of different SLO containers in mixed scenarios, demonstrating industry-leading technical strength.

At present, CITIC Securities' database containerization platform has been successfully applied in a number of key business areas, supporting application-system databases for departments including the Wealth Management Committee, the Planning and Finance Department, the Asset Management Department, the Research Department and the Fixed Income Department. To date, the platform covers more than 30 important business systems and all of the company's database workload types.

Through the implementation of this innovative containerization solution, CITIC Securities has achieved significant technical and business results.

(1) Security enhancement: The use of secure container technology, in particular the isolation of sensitive workloads by runD, greatly improves the overall security of the system. Since its implementation, there have been no security incidents caused by interference between containers.

(2) Resource utilization improvement: Through a unified container platform and hybrid deployment strategy, the server resource utilization rate is increased by more than 60% and the hardware cost is reduced.

(3) O&M efficiency improvement: The introduction of automated O&M and a unified management platform has shortened the database deployment and maintenance time and improved the efficiency of IT O&M.

This advanced database containerization solution provides CITIC Securities with strong technical support, which not only enhances the company's competitive advantage in the rapidly changing financial market, but also lays a solid foundation for the company's digital transformation and innovative business development, enabling CITIC Securities to respond more agilely to market changes, manage risks more effectively, and provide better services to customers. While ensuring compliance and safe production, CITIC Securities will effectively improve resource utilization, respond to the requirements of national ESG policies, and promote CITIC Securities to fulfill its main responsibilities of responsible investment, develop green finance, and support sustainable economic and social development.

   Article published in the Financial Industry Database Innovation and Development Report (2024)