Skip to content

Latest commit

 

History

History
66 lines (50 loc) · 3.04 KB

what-is-vm-templating-and-how-do-I-use-it.md

File metadata and controls

66 lines (50 loc) · 3.04 KB

What Is VM Templating and How To Enable It

What is VM templating

VM templating is a Kata Containers feature that enables new VM creation using a cloning technique. When enabled, new VMs are created by cloning from a pre-created template VM, and they will share the same initramfs, kernel and agent memory in readonly mode. It is very much like a process fork done by the kernel but here we fork VMs.

How is this different from VMCache

Both VMCache and VM templating help speed up new container creation.
When VMCache enabled, new VMs are created by the VMCache server. So it is not vulnerable to share memory CVE because each VM doesn't share the memory.
VM templating saves a lot of memory if there are many Kata Containers running on the same host.

What are the Pros

VM templating helps speed up new container creation and saves a lot of memory if there are many Kata Containers running on the same host. If you are running a density workload, or care a lot about container startup speed, VM templating can be very useful.

In one example, we created 100 Kata Containers each claiming 128MB guest memory and ended up saving 9GB of memory in total when VM templating is enabled, which is about 72% of the total guest memory. See full results here.

In another example, we created ten Kata Containers with containerd shimv2 and calculated the average boot up speed for each of them. The result showed that VM templating speeds up Kata Containers creation by as much as 38.68%. See full results here.

What are the Cons

One drawback of VM templating is that it cannot avoid cross-VM side-channel attack such as CVE-2015-2877 that originally targeted at the Linux KSM feature. It was concluded that "Share-until-written approaches for memory conservation among mutually untrusting tenants are inherently detectable for information disclosure, and can be classified as potentially misunderstood behaviors rather than vulnerabilities."

Warning: If you care about such attack vector, do not use VM templating or KSM.

How to enable VM templating

VM templating can be enabled by changing your Kata Containers config file (/usr/share/defaults/kata-containers/configuration.toml, overridden by /etc/kata-containers/configuration.toml if provided) such that:

  • qemu version v4.1.0 or above is specified in hypervisor.qemu->path section
  • enable_template = true
  • initrd = is set
  • image = option is commented out or removed
  • shared_fs should not be virtio-fs

Then you can create a VM templating for later usage by calling

$ sudo kata-runtime factory init

and purge it by calling

$ sudo kata-runtime factory destroy

If you do not want to call kata-runtime factory init by hand, the very first Kata container you create will automatically create a VM templating.