Posted to users@cloudstack.apache.org by Jeremy Hansen <je...@skidrow.la.INVALID> on 2022/06/29 09:27:15 UTC

Enable available CPU security flaw mitigations

Enable available CPU security flaw mitigations.

I noticed this while digging around in virt-manager. How would I enable this as a default for all VMs in Cloudstack?

Thanks
-jeremy


Re: Enable available CPU security flaw mitigations

Posted by Jeremy Hansen <je...@skidrow.la.INVALID>.
So there’s no way to change that?

> On Thursday, Jun 30, 2022 at 11:37 PM, Wei ZHOU <ustcweizhou@gmail.com> wrote:
> Hi Jeremy,
>
> Yes, threads is set to always 1.
>
> -Wei
>
> On Fri, 1 Jul 2022 at 06:46, Jeremy Hansen <je...@skidrow.la.invalid>
> wrote:
>
> > So I was able to figure out how to specify cpu model and capabilities, but
> > I’m not seeing a clear way to specify threads, which I would assume would
> > be in the Compute Offerings, but I see nothing that looks obvious
> > regarding threads.
> >
> > From the specific vm config through virt-manager, I see:
> >
> >   <cpu mode="custom" match="exact" check="full">
> >     <model fallback="forbid">kvm64</model>
> >     <topology sockets="1" dies="1" cores="4" threads="4"/>
> >     <feature policy="require" name="x2apic"/>
> >     <feature policy="require" name="hypervisor"/>
> >     <feature policy="require" name="lahf_lm"/>
> >     <feature policy="require" name="ibpb"/>
> >     <feature policy="require" name="spec-ctrl"/>
> >     <feature policy="require" name="ssbd"/>
> >     <feature policy="require" name="vme"/>
> >   </cpu>
> >
> > I tried:
> >
> > guest.cpu.mode=custom
> > guest.cpu.model=kvm64
> > guest.cpu.topology.threads=4
> > guest.cpu.features=x2apic hypervisor lahf_lm ibpb spec-ctrl ssbd
> >
> > in agent.properties but the threads config does nothing. I don’t really
> > want the threads definition to be host wide, which is why I assumed this
> > would be part of the compute offerings.
> >
> > Thanks!
> > -jeremy
> >
> >
> >
> >
> > On Wednesday, Jun 29, 2022 at 4:48 AM, Wei ZHOU <us...@gmail.com>
> > wrote:
> > Hi Jeremy,
> >
> > As far as I know, it means the meltdown and spectre which have already
> > been
> > solved. The issues do not exist with the recent cpu models.
> >
> > Anyway, you can specify the cpu model (xxxx-IBRS) and add cpu features
> > (e.g. ibrs) in the agent.properties on kvm hosts.
> > Please refer to
> >
> > http://docs.cloudstack.apache.org/en/latest/installguide/hypervisor/kvm.html#configure-cpu-model-for-kvm-guest-optional
> >
> > -Wei
> >
> >
> > On Wed, 29 Jun 2022 at 11:27, Jeremy Hansen <je...@skidrow.la.invalid>
> > wrote:
> >
> > Enable available CPU security flaw mitigations.
> >
> > I noticed this while digging around in virt-manager. How would I enable
> > this as a default for all VMs in Cloudstack?
> >
> > Thanks
> > -jeremy
> >
> >
> >
> >
> >
> >

Re: Enable available CPU security flaw mitigations

Posted by Wei ZHOU <us...@gmail.com>.
Hi Jeremy,

Yes, threads is set to always 1.

-Wei

On Fri, 1 Jul 2022 at 06:46, Jeremy Hansen <je...@skidrow.la.invalid>
wrote:

> So I was able to figure out how to specify cpu model and capabilities, but
> I’m not seeing a clear way to specify threads, which I would assume would
> be in the Compute Offerings, but I see nothing that looks obvious
> regarding threads.
>
> From the specific vm config through virt-manager, I see:
>
>   <cpu mode="custom" match="exact" check="full">
>     <model fallback="forbid">kvm64</model>
>     <topology sockets="1" dies="1" cores="4" threads="4"/>
>     <feature policy="require" name="x2apic"/>
>     <feature policy="require" name="hypervisor"/>
>     <feature policy="require" name="lahf_lm"/>
>     <feature policy="require" name="ibpb"/>
>     <feature policy="require" name="spec-ctrl"/>
>     <feature policy="require" name="ssbd"/>
>     <feature policy="require" name="vme"/>
>   </cpu>
>
> I tried:
>
> guest.cpu.mode=custom
> guest.cpu.model=kvm64
> guest.cpu.topology.threads=4
> guest.cpu.features=x2apic hypervisor lahf_lm ibpb spec-ctrl ssbd
>
> in agent.properties but the threads config does nothing.  I don’t really
> want the threads definition to be host wide, which is why I assumed this
> would be part of the compute offerings.
>
> Thanks!
> -jeremy
>
>
>
>
> On Wednesday, Jun 29, 2022 at 4:48 AM, Wei ZHOU <us...@gmail.com>
> wrote:
> Hi Jeremy,
>
> As far as I know, it means the meltdown and spectre which have already
> been
> solved. The issues do not exist with the recent cpu models.
>
> Anyway, you can specify the cpu model (xxxx-IBRS) and add cpu features
> (e.g. ibrs) in the agent.properties on kvm hosts.
> Please refer to
>
> http://docs.cloudstack.apache.org/en/latest/installguide/hypervisor/kvm.html#configure-cpu-model-for-kvm-guest-optional
>
> -Wei
>
>
> On Wed, 29 Jun 2022 at 11:27, Jeremy Hansen <je...@skidrow.la.invalid>
> wrote:
>
> Enable available CPU security flaw mitigations.
>
> I noticed this while digging around in virt-manager. How would I enable
> this as a default for all VMs in Cloudstack?
>
> Thanks
> -jeremy
>
>
>
>
>
>

Re: Enable available CPU security flaw mitigations

Posted by Jeremy Hansen <je...@skidrow.la.INVALID>.
So I was able to figure out how to specify cpu model and capabilities, but I’m not seeing a clear way to specify threads, which I would assume would be in the Compute Offerings, but I see nothing that looks obvious regarding threads.

From the specific vm config through virt-manager, I see:

  <cpu mode="custom" match="exact" check="full">
    <model fallback="forbid">kvm64</model>
    <topology sockets="1" dies="1" cores="4" threads="4"/>
    <feature policy="require" name="x2apic"/>
    <feature policy="require" name="hypervisor"/>
    <feature policy="require" name="lahf_lm"/>
    <feature policy="require" name="ibpb"/>
    <feature policy="require" name="spec-ctrl"/>
    <feature policy="require" name="ssbd"/>
    <feature policy="require" name="vme"/>
  </cpu>

I tried:

guest.cpu.mode=custom
guest.cpu.model=kvm64
guest.cpu.topology.threads=4
guest.cpu.features=x2apic hypervisor lahf_lm ibpb spec-ctrl ssbd

in agent.properties but the threads config does nothing. I don’t really want the threads definition to be host wide, which is why I assumed this would be part of the compute offerings.

Thanks!
-jeremy

> On Wednesday, Jun 29, 2022 at 4:48 AM, Wei ZHOU <ustcweizhou@gmail.com> wrote:
> Hi Jeremy,
>
> As far as I know, it means the meltdown and spectre which have already been
> solved. The issues do not exist with the recent cpu models.
>
> Anyway, you can specify the cpu model (xxxx-IBRS) and add cpu features
> (e.g. ibrs) in the agent.properties on kvm hosts.
> Please refer to
> http://docs.cloudstack.apache.org/en/latest/installguide/hypervisor/kvm.html#configure-cpu-model-for-kvm-guest-optional
>
> -Wei
>
>
> On Wed, 29 Jun 2022 at 11:27, Jeremy Hansen <je...@skidrow.la.invalid>
> wrote:
>
> > Enable available CPU security flaw mitigations.
> >
> > I noticed this while digging around in virt-manager. How would I enable
> > this as a default for all VMs in Cloudstack?
> >
> > Thanks
> > -jeremy
> >
> >
> >
> >
> >
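
Added example, not part of the original thread and not CloudStack's own code: a check that the mitigation flags requested in agent.properties actually appear in a guest's libvirt <cpu> element, and what thread count the guest received. The function names are hypothetical, the sample properties and domain XML are constructed from the values posted above, and the XML is assumed to come from `virsh dumpxml` for the guest.

```python
import xml.etree.ElementTree as ET
# Mitigation-related flags from the <cpu> element posted in the thread.
MITIGATION_FLAGS = {"ibpb", "spec-ctrl", "ssbd"}
# Constructed samples built from the thread's values (guest XML lacks ssbd).
AGENT_PROPERTIES = """\
guest.cpu.mode=custom
guest.cpu.model=kvm64
guest.cpu.features=x2apic hypervisor lahf_lm ibpb spec-ctrl ssbd
"""
DOMAIN_XML = """\
<domain type="kvm">
  <cpu mode="custom" match="exact" check="full">
    <model fallback="forbid">kvm64</model>
    <topology sockets="1" cores="4" threads="1"/>
    <feature policy="require" name="x2apic"/>
    <feature policy="require" name="ibpb"/>
    <feature policy="require" name="spec-ctrl"/>
  </cpu>
</domain>
"""

def parse_guest_cpu_props(text):
    """Return the guest.cpu.* keys of an agent.properties file as a dict."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip().startswith("guest.cpu."):
            props[key.strip()] = value.strip()
    return props

def audit_guest_cpu(domain_xml, agent_properties):
    """Report mitigation flags missing from a guest's libvirt <cpu> element."""
    props = parse_guest_cpu_props(agent_properties)
    requested = set(props.get("guest.cpu.features", "").split())
    root = ET.fromstring(domain_xml)
    cpu = root if root.tag == "cpu" else root.find("cpu")
    if cpu is None:
        raise ValueError("no <cpu> element in domain XML")
    enabled = {f.get("name") for f in cpu.findall("feature")
               if f.get("policy") in ("require", "force")}
    topology = cpu.find("topology")
    return {
        "threads": int(topology.get("threads")) if topology is not None else None,
        "missing_mitigations": sorted(MITIGATION_FLAGS - enabled),
        "requested_not_applied": sorted(requested - enabled),
    }

if __name__ == "__main__":
    print(audit_guest_cpu(DOMAIN_XML, AGENT_PROPERTIES))
```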

Re: Enable available CPU security flaw mitigations

Posted by Jeremy Hansen <je...@skidrow.la.INVALID>.
Thanks. Some of my kvm nodes are using fairly old CPUs, so it may still apply.

-jeremy

> On Wednesday, Jun 29, 2022 at 4:48 AM, Wei ZHOU <ustcweizhou@gmail.com> wrote:
> Hi Jeremy,
>
> As far as I know, it means the meltdown and spectre which have already been
> solved. The issues do not exist with the recent cpu models.
>
> Anyway, you can specify the cpu model (xxxx-IBRS) and add cpu features
> (e.g. ibrs) in the agent.properties on kvm hosts.
> Please refer to
> http://docs.cloudstack.apache.org/en/latest/installguide/hypervisor/kvm.html#configure-cpu-model-for-kvm-guest-optional
>
> -Wei
>
>
> On Wed, 29 Jun 2022 at 11:27, Jeremy Hansen <je...@skidrow.la.invalid>
> wrote:
>
> > Enable available CPU security flaw mitigations.
> >
> > I noticed this while digging around in virt-manager. How would I enable
> > this as a default for all VMs in Cloudstack?
> >
> > Thanks
> > -jeremy
> >
> >
> >
> >
> >

Re: Enable available CPU security flaw mitigations

Posted by Wei ZHOU <us...@gmail.com>.
Hi Jeremy,

As far as I know, it means the meltdown and spectre which have already been
solved. The issues do not exist with the recent cpu models.

Anyway, you can specify the cpu model (xxxx-IBRS) and add cpu features
(e.g. ibrs) in the agent.properties on kvm hosts.
Please refer to
http://docs.cloudstack.apache.org/en/latest/installguide/hypervisor/kvm.html#configure-cpu-model-for-kvm-guest-optional

-Wei


On Wed, 29 Jun 2022 at 11:27, Jeremy Hansen <je...@skidrow.la.invalid>
wrote:

> Enable available CPU security flaw mitigations.
>
> I noticed this while digging around in virt-manager.  How would I enable
> this as a default for all VMs in Cloudstack?
>
> Thanks
> -jeremy
>
>
>
>
>