VM templating is a Kata Containers feature that enables new VM creation using a cloning technique. When enabled, new VMs are created by cloning from a pre-created template VM, and they will share the same initramfs, kernel and agent memory in readonly mode. It is very much like a process fork done by the kernel but here we fork VMs.
Both VMCache and VM templating help speed up new container creation.
When VMCache enabled, new VMs are created by the VMCache server. So it is not vulnerable to share memory CVE because each VM doesn't share the memory.
VM templating saves a lot of memory if there are many Kata Containers running on the same host.
VM templating helps speed up new container creation and saves a lot of memory if there are many Kata Containers running on the same host. If you are running a density workload, or care a lot about container startup speed, VM templating can be very useful.
In one example, we created 100 Kata Containers each claiming 128MB guest memory and ended up saving 9GB of memory in total when VM templating is enabled, which is about 72% of the total guest memory. See full results here.
In another example, we created ten Kata Containers with containerd shimv2 and calculated the average boot up speed for each of them. The result showed that VM templating speeds up Kata Containers creation by as much as 38.68%. See full results here.
One drawback of VM templating is that it cannot avoid cross-VM side-channel attack such as CVE-2015-2877 that originally targeted at the Linux KSM feature. It was concluded that "Share-until-written approaches for memory conservation among mutually untrusting tenants are inherently detectable for information disclosure, and can be classified as potentially misunderstood behaviors rather than vulnerabilities."
Warning: If you care about such attack vector, do not use VM templating or KSM.
VM templating can be enabled by changing your Kata Containers config file (/usr/share/defaults/kata-containers/configuration.toml
,
overridden by /etc/kata-containers/configuration.toml
if provided) such that:
qemu-lite
is specified inhypervisor.qemu
->path
sectionenable_template = true
initrd =
is setimage =
option is commented out or removed
Then you can create a VM templating for later usage by calling
$ sudo kata-runtime factory init
and purge it by calling
$ sudo kata-runtime factory destroy
If you do not want to call kata-runtime factory init
by hand,
the very first Kata container you create will automatically create a VM templating.