
yahoo-eng-team team mailing list archive

[Bug 1750829] [NEW] RFE: libvirt: Add ability to configure extra CPU flags for named CPU models

 

Public bug reported:

Motivation
----------

The recent "Meltdown" CVE fixes resulted in a critical performance
penalty. From here[*]:

    [...] However, in examining both the various fixes rolled out in
    actual Linux distros over the past few days and doing some very
    informal surveying of environments I have access to, I discovered
    that the PCID ["process-context identifiers"] processor feature,
    which used to be a virtual no-op, is now a performance AND security
    critical item.[...]

So if a Nova user has applied all the "Meltdown" CVE fixes, and is using
a named CPU model (like "IvyBridge", or "Westmere" — which specifically
lack the said obscure "PCID" feature) they will incur severe performance
degradation[*].

Note that some of Intel *physical* CPUs themselves include the 'pcid'
CPU feature flag; but the named CPU models provided by libvirt & QEMU
lack that flag — hence we explicitly specify it for virtual CPUs via the
following proposed config attribute.

[*] https://groups.google.com/forum/m/#!topic/mechanical-sympathy/L9mHTbeQLNU

Proposed change
---------------

Modify Nova's libvirt driver such that it will be possible to set
granular CPU feature flags for named CPU models.  E.g. to explicitly
specify the 'pcid' feature flag with Intel IvyBridge CPU model, set the
following in /etc/nova.conf:

    ...
    [libvirt]
    cpu_model=IvyBridge
    cpu_model_extra_flags="pcid"
    ...

The list of known CPU feature flags ('vmx', 'xtpr', 'pcid', et cetera)
can be found in /usr/share/libvirt/cpu_map.xml.

Note that before specifying extra CPU feature flags, one should check
whether the named CPU model (provided by libvirt) already includes the
said flags.  E.g. the 'Broadwell' and 'Haswell-noTSX' named CPU models
provided by libvirt already provide the 'pcid' CPU feature flag.

Other use cases
---------------

  - Nested Virtualization — an operator can specify the Intel 'vmx' or
    AMD 'svm' flags in the level-1 guest (i.e. the guest hypervisor)

  - Ability to use 1GB huge pages with the Haswell model as one use case
    for extra flags (thanks: Daniel Berrangé, for mentioning this scenario):

        cpu_model=Haswell
        cpu_model_extra_flags="pdpe1gb"

** Affects: nova
     Importance: Undecided
     Assignee: Kashyap Chamarthy (kashyapc)
         Status: In Progress


** Tags: libvirt

** Tags added: libvirt

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1750829

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1750829/+subscriptions
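The pre-flight check the report recommends (verify whether a named model already carries a flag before adding it through cpu_model_extra_flags), together with the IvyBridge/pcid, Haswell/pdpe1gb and vmx cases it lists, as an added example that is not Nova's or libvirt's own code. It assumes the single-file cpu_map.xml layout the report points at, where a <model> may reference a parent <model name='...'/> and list <feature name='...'/> elements, and it also follows the <include filename='...'/> entries of the cpu_map/index.xml directory layout used by libvirt 4.7.0 and later. The embedded SAMPLE_CPU_MAP is a constructed, trimmed excerpt whose feature lists are illustrative only. The <cpu> element it prints uses libvirt's domain XML form for requiring a flag (<feature policy='require' name='...'/>); whether Nova emits exactly that markup is not something this report shows. The cpu_model_extra_flags value is assumed to be a comma-separated list, with the quotes from the nova.conf snippet tolerated.

```python
"""Check libvirt's CPU map before setting cpu_model_extra_flags (added example,
not Nova or libvirt code). SAMPLE_CPU_MAP is a constructed excerpt in the
cpu_map.xml layout; its feature lists are illustrative, not authoritative."""
import os
import sys
import xml.etree.ElementTree as ET

SAMPLE_CPU_MAP = """<cpus>
  <arch name='x86'>
    <feature name='aes'><cpuid eax_in='0x01' ecx='0x02000000'/></feature>
    <feature name='erms'><cpuid eax_in='0x07' ebx='0x00000200'/></feature>
    <feature name='pcid'><cpuid eax_in='0x01' ecx='0x00020000'/></feature>
    <feature name='vmx'><cpuid eax_in='0x01' ecx='0x00000020'/></feature>
    <feature name='pdpe1gb'><cpuid eax_in='0x80000001' edx='0x04000000'/></feature>
    <model name='Westmere'><feature name='aes'/></model>
    <model name='SandyBridge'><model name='Westmere'/></model>
    <model name='IvyBridge'><model name='SandyBridge'/><feature name='erms'/></model>
    <model name='Haswell-noTSX'><model name='IvyBridge'/><feature name='pcid'/></model>
    <model name='Haswell'><model name='Haswell-noTSX'/></model>
    <model name='Broadwell'><model name='Haswell'/></model>
  </arch>
</cpus>
"""

def arch_elements(root, arch='x86', base_dir=None):
    """<feature>/<model> elements of one <arch>; with base_dir set, follows the
    <include filename=.../> entries of cpu_map/index.xml (libvirt >= 4.7)."""
    arch_el = next((a for a in root.iter('arch') if a.get('name') == arch), None)
    if arch_el is None:
        raise ValueError("no <arch name=%r> in CPU map" % arch)
    elems = []
    for child in arch_el:
        if child.tag == 'include' and base_dir is not None:
            inc = ET.parse(os.path.join(base_dir, child.get('filename'))).getroot()
            elems.extend(c for c in inc if c.tag in ('feature', 'model'))
        elif child.tag in ('feature', 'model'):
            elems.append(child)
    return elems

def build_model_table(elems):
    """Return (known feature names, {model: frozenset of every feature it has}),
    flattening parent <model name='...'/> references recursively."""
    known = {e.get('name') for e in elems if e.tag == 'feature'}
    raw = {e.get('name'): ([p.get('name') for p in e.findall('model')],
                           {f.get('name') for f in e.findall('feature')})
           for e in elems if e.tag == 'model'}
    resolved = {}

    def resolve(name):
        if name not in resolved:
            feats = set(raw[name][1])
            for parent in raw[name][0]:
                feats |= resolve(parent)  # inherit the parent's flattened set
            resolved[name] = frozenset(feats)
        return resolved[name]

    for name in raw:
        resolve(name)
    return known, resolved

def plan_extra_flags(cpu_model, extra_flags, known, models):
    """Split a cpu_model_extra_flags value (assumed comma-separated; quotes as in
    the nova.conf snippet are tolerated) into redundant / needed / unknown flags."""
    if cpu_model not in models:
        raise KeyError("cpu_model %r is not a named model in this CPU map" % cpu_model)
    have = models[cpu_model]
    requested = [f for f in (x.strip().strip('"\'') for x in extra_flags.split(',')) if f]
    return {'redundant': [f for f in requested if f in have],
            'needed': [f for f in requested if f in known and f not in have],
            'unknown': [f for f in requested if f not in known]}

def guest_cpu_xml(cpu_model, flags):
    """Libvirt domain <cpu> element for a named model plus required flags;
    policy='require' fails guest creation if the flag cannot be provided."""
    cpu = ET.Element('cpu', mode='custom', match='exact')
    ET.SubElement(cpu, 'model', fallback='forbid').text = cpu_model
    for name in flags:
        ET.SubElement(cpu, 'feature', policy='require', name=name)
    return ET.tostring(cpu, encoding='unicode')

def sample_table():
    """(known, models) built from the constructed SAMPLE_CPU_MAP."""
    return build_model_table(arch_elements(ET.fromstring(SAMPLE_CPU_MAP)))

def main(argv):
    # usage: cpu_flags_check.py [cpu_map.xml-or-cpu_map/index.xml MODEL FLAGS]
    if len(argv) == 4:
        root = ET.parse(argv[1]).getroot()
        known, models = build_model_table(arch_elements(root, base_dir=os.path.dirname(argv[1])))
        cpu_model, flags = argv[2], argv[3]
    else:
        (known, models), cpu_model, flags = sample_table(), 'IvyBridge', '"pcid"'
    plan = plan_extra_flags(cpu_model, flags, known, models)
    for kind in ('redundant', 'needed', 'unknown'):
        print("%-10s %s" % (kind + ':', ', '.join(plan[kind]) or '-'))
    if plan['needed']:
        print(guest_cpu_xml(cpu_model, plan['needed']))

if __name__ == '__main__':
    main(sys.argv)
```

Run it as `python3 cpu_flags_check.py /usr/share/libvirt/cpu_map.xml IvyBridge pcid` (or pass .../cpu_map/index.xml on newer libvirt); with no arguments it runs the IvyBridge/pcid case against the sample. A flag in the 'unknown' list is either a typo or one this libvirt cannot express at all, and the 'redundant' list is exactly the Broadwell/Haswell-noTSX situation the report warns about: the flag is already part of the model and the extra entry buys nothing.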
