How to validate KATA Sandbox VM sizing and resources reservation [KATA/KEDRE]

[Antipova Anna]

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

As stressed in the product documentation, Sandbox, which is deployed as a Virtual Machine, should have an exact sizing, violation of which may lead to various issues. The only parameter that can be varied is a CPU clock rate.

Common mistake

The most notable mistake regarding scaling up VM sandboxes is an attempt to make one huge Sandbox VM with two to four times the required RAM/CPU as dedicated resources.
Correct approach is to create a respective number of additional VMs and distribute these resources between them.

For example, if you want to double the performance of a KATA Sandbox VM instead of adding 15 more CPU cores and 32 more gigabytes of RAM to an existing Sandbox, you need to deploy a new Sandbox VM with the following resources:

• CPU: 15 cores, 2.1 GHz or higher
• RAM: 32 GB
• HDD volume: 300 GB
• Two network adapters with 1 Gbit/s data transfer rate

Virtual machine settings: 

1. Only VMware ESXi hypervisor is fully supported.
2. Nested virtualization is enabled
3. Supported VMware ESXi versions 6.5, 6.7U3 or 7.0 hypervisor. 
4. Entire CPU clock rate reserved. For a minimum CPU clock this means 12*2100=25200 MHz reserved. For a clock rate higher than 2.21Hz, use the following formula to calculate the entire CPU clock rate: 12 * <clock rate in MHz>.
5. Entire RAM reserved (32 GB).
6. Expose hardware assisted virtualization to the guest OS check box selected.
7. Latency Sensitivity option set to High.
8. No Secure Boot.
9. The maximum number of simultaneously running virtual machines set to 12.

Please note, these cannot be checked from a debug report or from inside of the VM, as these settings are configured in a hypervisor.

Checking VMX file

Obtain a .vmx file of the respective sandbox VM. Demo video showing how to locate a .vmx file. Note, that in this video the goal is to modify the .vmx, and we only need to access it for reading, therefore, there is no need to unregister a VM from inventory as done in video. All the following lines in .vmx file must match exactly with the following two exceptions: 

• For sched.cpu.min, the value can be higher than 25200, see formula above.
• Line uefi.secureBoot.enabled might be absent, which is OK.

Correct .vmx settings

numvcpus = "15" sched.cpu.units = "mhz" sched.cpu.min = "26400"   memSize = "32768" sched.mem.min = "32768"   vhv.enable = "TRUE" sched.cpu.latencySensitivity = "high" uefi.secureBoot.enabled = "FALSE" ethernet0.present = "TRUE" ethernet1.present = "TRUE"

Checking number of slots

• In the Sandbox web interface window, select the Administration section.
• In the Guest virtual machines group of settings, in the Maximum simultaneous VMs field, number of simultaneously running virtual machines must equal 12.