VMCache is a new function that creates VMs as caches before they are used. It helps speed up new container creation.

The function consists of a server and some clients communicating through a Unix socket. The protocol is gRPC, defined in protocols/cache/cache.proto. The VMCache server creates some VMs and caches them by factory cache. It converts a VM to gRPC format and transports it when a client requests one. Factory grpccache is the VMCache client. It requests a VM in gRPC format and converts it back to a VM. If the VMCache function is enabled, kata-runtime requests a VM from factory grpccache when it creates a new sandbox.
Both VM templating and VMCache help speed up new container creation. When VM templating is enabled, new VMs are created by cloning from a pre-created template VM, and they share the same initramfs, kernel and agent memory in read-only mode. This saves a lot of memory if many Kata Containers are running on the same host. VMCache is not vulnerable to the shared-memory CVE because each cached VM has its own memory and shares none of it; the trade-off is that VMCache does not get the memory savings of templating.
VMCache can be enabled by changing your Kata Containers config file (/usr/share/defaults/kata-containers/configuration.toml, overridden by /etc/kata-containers/configuration.toml if provided) such that:

- vm_cache_number specifies the number of caches of VMCache:
  - unspecified or == 0: VMCache is disabled
  - > 0: the number of cached VMs is set to the specified number
- vm_cache_endpoint specifies the address of the Unix socket.
Then you can create the VM cache for later use by calling:

$ sudo kata-runtime factory init

and purge it by pressing ctrl-c.

VMCache has the following limitations:
- Cannot work with VM templating.
- Only supports the QEMU hypervisor.
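As an added example (not part of the Kata Containers project or its documentation), the following Python check reads the [factory] section of a configuration.toml, reports whether VMCache is enabled (vm_cache_number > 0) and flags the unsupported combination with VM templating described in the limitations. Only vm_cache_number and vm_cache_endpoint come from the text above; the [factory] section name, the enable_template key and the sample socket path are assumptions.

```python
import re

# Constructed sample of a Kata configuration.toml [factory] section; the
# socket path and the enable_template key are assumptions, not from the page.
SAMPLE_CONFIG = """
[hypervisor.qemu]
path = "/usr/bin/qemu-system-x86_64"

[factory]
enable_template = true
vm_cache_number = 2
vm_cache_endpoint = "/var/run/kata-containers/cache.sock"
"""

_KV = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+)$')


def parse_factory_section(text):
    """Return the key/value pairs of the [factory] section as a dict.

    Minimal line-based reader for flat 'key = value' lines; comments,
    blank lines and other sections are ignored.
    """
    section, values = None, {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1]
            continue
        m = _KV.match(line)
        if m and section == 'factory':
            key, raw = m.groups()
            values[key] = raw.strip().strip('"')
    return values


def check_vmcache(text):
    """Return (enabled, findings) for the VMCache settings in a config text."""
    cfg = parse_factory_section(text)
    number = int(cfg.get('vm_cache_number', 0))
    enabled = number > 0  # unspecified or == 0 means VMCache is disabled
    findings = []
    if enabled and not cfg.get('vm_cache_endpoint'):
        findings.append('vm_cache_endpoint is not set')
    if enabled and cfg.get('enable_template', 'false') == 'true':
        findings.append('VMCache cannot work with VM templating')
    return enabled, findings
```

Run check_vmcache() on the contents of /etc/kata-containers/configuration.toml (falling back to the defaults file) to confirm the cache is enabled with an endpoint and templating is off.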