Trying Tencent QCloud

I thought it might be interesting to try some of the cloud services that aren't talked about as much, starting with Tencent's QCloud. I should note, I am an American and can't read or speak any Chinese. I'm walking into this as someone with experience on AWS, GCE, Rackspace, and SoftLayer (IBM) as well as several years of deploying and managing servers in colocation facilities and private datacenters.

Tencent's cloud offering is called QCloud, hosted, not surprisingly, at qcloud.com. The English and Chinese versions of this site are completely different, with an angry bearded man gripping a tablet on the English site and bright colors and smiling people on the Chinese site. The English site is fairly outdated compared to the Chinese one, listing most services as Coming Soon. Piping the Chinese site through Google Translate shows several services that aren't even mentioned on the English site, such as GPU instances, FPGAs, a Container solution, Auto scaling, a queue service, VPC-like VPNs, and some sort of machine learning.

The signup process requires both email and SMS verification, or linking to an existing verified QQ or WeChat account. I tried to sign up for a QQ account first, but their SMS verification appears to be broken for US phone numbers; it gave me a rate limit error on the first and all subsequent attempts. Failing that, I just signed up for QCloud using my existing email address and was able to complete the SMS verification from there without issue.

Once the account was created, I was prompted to do identity verification. The FAQ page linked from there told me that I could sign up as a company or an individual. A corporate identity requires proof of a Chinese business license, which sounds really hard, so I opted to register as an individual. In order to verify myself, I needed to top up my account with ¥0.10CNY (about $0.01USD at the time of writing) with a Visa or Mastercard. This went smoothly enough, redirecting to Tencent's payment service, TenPay, which redirected again through the Verified by Visa service, then finally back to QCloud. This charge did result in a fraud alert text message from my bank, which I confirmed was not an issue, but it's good to know that small international transactions do raise a red flag.

Now that I had an account, I clicked around the console a bit... Most of the UI elements are translated and the layout is fairly intuitive if you're familiar with other cloud providers. I'm mostly interested in the Cloud Virtual Machine or CVM service, which is equivalent to EC2 or GCE. I took a moment to set up multi-factor authentication, using the Authy app on my phone.

I clicked through the form to create a new CVM instance and was surprised to see that there are several US regions available. The pricing and available options seem to vary quite a bit depending on which region and payment method you select. There are Package (Prepaid) and Postpaid options available. The prepaid instances seem to be a fair bit cheaper, but a large portion of the instance price is driven by which method of network billing you select.

There are two network pricing options, by bandwidth or by usage. The usage based billing is similar to the pay-per-GB pricing that the American cloud providers offer, with the addition of a slider that allows you to limit the bandwidth available to the instance, effectively limiting the potential cost of that instance's data usage. The bandwidth option is similar to traditional dedicated hosting providers, where you pay per month for a guaranteed rate. With either option, bandwidth is more expensive in China.

Once I'd settled on a configuration (1 CPU, 1GB memory, 20GB cloud disk) roughly equivalent to a t2.micro (AWS) or f1-micro (GCE) running Debian, the price came out to ¥45CNY/$6.53USD for one month prepaid, plus ¥0.80CNY/$0.12USD per GB transferred.

It took about a minute to launch the instance and I was able to log in as root with the ssh key I'd generated through the console. The instance appears to be running on a KVM-based hypervisor and was a slightly modified Debian jessie install. As far as I can tell, the modifications were mostly done by a script at boot time that left a log in /tmp/cvm_init.log. Nothing too fancy going on here: it untarred a monitoring agent and log aggregator; there was an option to disable this when I created the instance, but I left it in. The script also disabled IPv6, installed 32-bit libc compat libraries, and deleted .bash_history and all the logs so that we can't see how they really modified the image.

Most of the agent code is installed in /usr/local/qcloud. The system metrics agent, called "barad", shipped with a 32-bit Python 2.6 binary and stdlib built on an older SuSE system. Barad looks like a fairly straightforward metrics collector that POSTs JSON to a Tencent server at regular intervals for things like CPU utilization, memory, and network transfer. There are a few counters for things like TCP sockets in a wait state, which is evidence that this has been written by people that have run production systems where it's been used to debug tricky things. Barad has a nice plugin framework and its own internal scheduler too.

The "stargate" agent runs from root's crontab every minute and makes sure barad is running. It's shipped with both 32 and 64-bit binaries and appears to have been written in C++, compiled on the same SuSE system that Barad's Python was. It has a config file that points to another Tencent URL, but I really have no idea what data it's sending there without doing a fair bit more digging. Hopefully just a heartbeat.

There are a couple of scripts that are started from /etc/rc.local that ensure that each network interface has CPU affinity for a single processor configured. This is evidence that somebody's tried to use these instances for a high-throughput application where cache coherency makes a big difference. Likely related to their claims of "300K PPS" on the second generation instances. It's a bit unusual that this type of configuration would be done in the default images, but I suppose it doesn't really hurt.

I noticed a number of other non-standard but harmless things, like mutt being installed, that don't really concern me. Speaking of mutt, I checked my email and found an order confirmation for the new instance. The email was in Chinese, so back to Google Translate we go... The email contains the root password in plaintext. PasswordAuthentication no was set in /etc/ssh/sshd_config, which is slightly less worrying, but then I found at the bottom of sshd_config that they'd overridden the default Ciphers and MACs. Several of the algorithms listed here are known to be weak or broken, so it's a bit scary to think about what motives they might have for changing the defaults, which would be updated as ciphers break. These lists do contain some of the more recent algorithms, so perhaps there's nothing malicious going on here, as long as they don't have a way of forcing clients to downgrade.
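An added example (not from the original post or from Tencent's image) of checking an sshd_config for overridden Ciphers and MACs lists like the ones described above. The sample config and the weak-algorithm patterns are constructed assumptions; the post does not list the algorithms it found.

```python
import fnmatch

# Assumed policy for this example: RC4 ("arcfour"), CBC-mode ciphers, and
# MD5-based, truncated or 64-bit-tag MACs are treated as weak.
WEAK = {
    "ciphers": ["arcfour*", "*-cbc*"],
    "macs": ["hmac-md5*", "hmac-ripemd160*", "hmac-sha1-96*", "umac-64*"],
}

# Constructed sample, NOT the file from the instance described in the post.
SAMPLE = """\
PasswordAuthentication no
Ciphers aes256-ctr,aes128-cbc,arcfour256,chacha20-poly1305@openssh.com
MACs hmac-sha2-256,hmac-md5,hmac-sha1-96,umac-64@openssh.com
# A later duplicate is ignored: sshd uses the first value it reads.
Ciphers aes256-gcm@openssh.com
"""


def effective_lists(config_text):
    """Return {keyword: [algorithms]} for the global section of an sshd_config."""
    found = {}
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break  # conditional blocks are out of scope here
        if key in WEAK and key not in found:  # first value wins
            if value.startswith("-"):
                found[key] = []  # "-list" only removes algorithms from the defaults
            else:  # "+list" / "^list" add to the defaults; check what is added
                found[key] = [a for a in value.lstrip("+^").split(",") if a]
    return found


def audit(config_text):
    """Return sorted (keyword, algorithm) pairs matching the weak patterns."""
    return sorted(
        (key, alg)
        for key, algs in effective_lists(config_text).items()
        for alg in algs
        if any(fnmatch.fnmatchcase(alg, pat) for pat in WEAK[key])
    )


if __name__ == "__main__":
    for key, alg in audit(SAMPLE):
        print(f"{key}: {alg}")
```

On a live host, the output of `sshd -T` (the effective configuration) can be passed to `audit()` in place of the file contents.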

At this point, I went back to poking around in the web console to see what sort of functionality was provided for controlling the instance from there. I'd noticed that a serial console was configured in the image, so I figured there'd be at least a serial viewer here. To my surprise, they have a web-based VNC solution with VGA output... So that explains why they'd email you the root password. There's no sign of a serial console though. Perhaps they used serial in an earlier version before they had VNC configured. Or maybe the serial console is a last resort for their support staff if you mess up the iptables config.

Some of the documentation has been translated into English, but it has the feel of a set of wiki pages and step-by-step notes rather than a comprehensive reference. Still, there's not a lot of additional information you need if you're just running a Linux instance. For the more complex services, it might be a bigger problem.

Overall, QCloud is more or less what I expected. It's a solid clone of AWS with a handful of features that are specific to China (like identity verification and business registration requirements). I'm vaguely unsettled by the ssh configuration and install scripts that go out of their way to wipe the logs, but overall it seems like a viable option if you need to run cheap servers in China. Far easier than getting colo space there.

posted four hours, 26 minutes ago