Message #88954
[Bug 1975686] [NEW] MEM_ENCRYPTION_CONTEXT trait is missing from the compute RP even if AMD SEV is enabled on the compute node
Public bug reported:
Compute nodes with amd-sev enabled are reporting that support is
available but MEM_ENCRYPTION_CONTEXT is not present in the placement
traits for the compute nodes.
# Domain capabilities report support
[heat-admin@computeamdsev-1 log]$ sudo podman exec -it -u root nova_virtqemud virsh domcapabilities | grep -A 12 features
  <features>
    <gic supported='no'/>
    <vmcoreinfo supported='yes'/>
    <genid supported='yes'/>
    <backingStoreInput supported='yes'/>
    <backup supported='yes'/>
    <sev supported='yes'>
      <cbitpos>47</cbitpos>
      <reducedPhysBits>1</reducedPhysBits>
      <maxGuests>509</maxGuests>
      <maxESGuests>0</maxESGuests>
    </sev>
  </features>
</domainCapabilities>
# It is active as well in /sys/module/kvm_amd
[heat-admin@computeamdsev-1 log]$ cat /sys/module/kvm_amd/parameters/sev
Y
[heat-admin@computeamdsev-1 log]$
# I do not see any errors with sev during startup
[heat-admin@computeamdsev-1 log]$ sudo dmesg | grep -i sev
[ 0.000000] Command line: BOOT_IMAGE=(lvmid/nZkWaZ-f6bk-Bfto-h9OG-k1Sc-Y6RB-1Q3yZV/t77pr1-3H2Y-ml4l-MMJh-bp3H-zk2j-6z4W6w)/boot/vmlinuz-5.14.0-70.5.1.el9_0.x86_64 root=LABEL=img-rootfs ro console=ttyS0 console=ttyS0,115200n81 no_timer_check crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M hugepagesz=1GB hugepages=32 default_hugepagesz=1GB mem_encrypt=on kvm_amd.sev=1 console=tty0 console=ttyS0,115200 no_timer_check nofb nomodeset vga=normal console=tty0 console=ttyS0,115200 audit=1 nousb
[ 0.000000] Kernel command line: BOOT_IMAGE=(lvmid/nZkWaZ-f6bk-Bfto-h9OG-k1Sc-Y6RB-1Q3yZV/t77pr1-3H2Y-ml4l-MMJh-bp3H-zk2j-6z4W6w)/boot/vmlinuz-5.14.0-70.5.1.el9_0.x86_64 root=LABEL=img-rootfs ro console=ttyS0 console=ttyS0,115200n81 no_timer_check crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M hugepagesz=1GB hugepages=32 default_hugepagesz=1GB mem_encrypt=on kvm_amd.sev=1 console=tty0 console=ttyS0,115200 no_timer_check nofb nomodeset vga=normal console=tty0 console=ttyS0,115200 audit=1 nousb
[ 0.000000] Any video related functionality will be severely degraded, and you may not even be able to suspend the system properly
[ 101.753478] ccp 0000:24:00.1: sev enabled
[ 101.769894] ccp 0000:24:00.1: SEV firmware update successful
[ 102.058746] ccp 0000:24:00.1: SEV API:0.24 build:14
[ 120.398153] systemd[1]: Hostname set to <computeamdsev-1>.
[ 149.487548] SEV supported: 509 ASIDs
# MEM_ENCRYPTION_CONTEXT is not present
(overcloud) [stack@undercloud-0 ~]$ !21
openstack --os-placement-api-version 1.17 resource provider trait list ba3bccf9-c283-4cb5-a14d-35ae7ba88533
/usr/lib/python3.9/site-packages/ansible/_vendor/__init__.py:42: UserWarning: One or more Python packages bundled by this ansible-core distribution were already loaded (pyparsing). This may result in undefined behavior.
warnings.warn('One or more Python packages bundled by this ansible-core distribution were already '
+---------------------------------------+
| name |
+---------------------------------------+
| COMPUTE_GRAPHICS_MODEL_NONE |
| COMPUTE_ACCELERATORS |
| COMPUTE_NET_VIF_MODEL_VMXNET3 |
| COMPUTE_STORAGE_BUS_VIRTIO |
| COMPUTE_NET_VIF_MODEL_E1000E |
| COMPUTE_VOLUME_ATTACH_WITH_TAG |
| COMPUTE_NET_ATTACH_INTERFACE |
| HW_CPU_X86_BMI2 |
| COMPUTE_VOLUME_EXTEND |
| HW_CPU_X86_SSE |
| COMPUTE_NET_VIF_MODEL_RTL8139 |
| COMPUTE_GRAPHICS_MODEL_VIRTIO |
| COMPUTE_IMAGE_TYPE_RAW |
| COMPUTE_TRUSTED_CERTS |
| HW_CPU_X86_SSE42 |
| HW_CPU_X86_SSSE3 |
| HW_CPU_X86_SSE2 |
| COMPUTE_STORAGE_BUS_IDE |
| COMPUTE_SECURITY_UEFI_SECURE_BOOT |
| COMPUTE_SOCKET_PCI_NUMA_AFFINITY |
| COMPUTE_IMAGE_TYPE_AMI |
| COMPUTE_GRAPHICS_MODEL_CIRRUS |
| COMPUTE_VOLUME_MULTI_ATTACH |
| HW_CPU_X86_SSE4A |
| HW_CPU_X86_SSE41 |
| COMPUTE_IMAGE_TYPE_QCOW2 |
| COMPUTE_IMAGE_TYPE_AKI |
| HW_CPU_X86_AVX2 |
| HW_CPU_X86_FMA3 |
| HW_CPU_X86_MMX |
| HW_CPU_HYPERTHREADING |
| COMPUTE_NET_VIF_MODEL_NE2K_PCI |
| HW_CPU_X86_SVM |
| HW_CPU_X86_AVX |
| COMPUTE_IMAGE_TYPE_ISO |
| HW_CPU_X86_CLMUL |
| HW_CPU_X86_ABM |
| COMPUTE_NET_VIF_MODEL_SPAPR_VLAN |
| COMPUTE_STORAGE_BUS_SCSI |
| HW_CPU_X86_AMD_SVM |
| COMPUTE_NET_ATTACH_INTERFACE_WITH_TAG |
| COMPUTE_STORAGE_BUS_FDC |
| COMPUTE_NET_VIF_MODEL_VIRTIO |
| COMPUTE_NET_VIF_MODEL_PCNET |
| COMPUTE_STORAGE_BUS_SATA |
| HW_CPU_X86_F16C |
| COMPUTE_NET_VIF_MODEL_E1000 |
| COMPUTE_DEVICE_TAGGING |
| COMPUTE_NODE |
| COMPUTE_GRAPHICS_MODEL_VGA |
| COMPUTE_IMAGE_TYPE_ARI |
| HW_CPU_X86_SHA |
| HW_CPU_X86_AESNI |
| COMPUTE_RESCUE_BFV |
| COMPUTE_STORAGE_BUS_USB |
| HW_CPU_X86_BMI |
+---------------------------------------+
It is seen on stable/wallaby.
From the compute logs I see that:
2022-05-23 21:25:20.873 2 DEBUG nova.virt.libvirt.host [req-bc5c2030-5a68-4f5e-be8b-924f24962ef9 - - - - -] /sys/module/kvm_amd/parameters/sev contains [Y
] _kernel_supports_amd_sev /usr/lib/python3.9/site-packages/nova/virt/libvirt/host.py:1557
2022-05-23 21:25:20.873 2 INFO nova.virt.libvirt.host [req-bc5c2030-5a68-4f5e-be8b-924f24962ef9 - - - - -] kernel doesn't support AMD SEV
The nova code looks for "1\n" [1] in the file, but it contains "Y\n"
instead:
    def _kernel_supports_amd_sev(self) -> bool:
        if not os.path.exists(SEV_KERNEL_PARAM_FILE):
            LOG.debug("%s does not exist", SEV_KERNEL_PARAM_FILE)
            return False
        with open(SEV_KERNEL_PARAM_FILE) as f:
            contents = f.read()
            LOG.debug("%s contains [%s]", SEV_KERNEL_PARAM_FILE, contents)
            return contents == "1\n"
So it seems like a valid bug in nova.
[1]
https://github.com/openstack/nova/blob/e44b1a940fdc45cc9dbb08e193a8c25052cf64e7/nova/virt/libvirt/host.py#L1696-L1704
** Affects: nova
Importance: Undecided
Assignee: Balazs Gibizer (balazs-gibizer)
Status: New
** Changed in: nova
Assignee: (unassigned) => Balazs Gibizer (balazs-gibizer)
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1975686
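Added example (not nova's code and not part of the original report): a tolerant reader for the kvm_amd sev parameter file, compared against the strict check quoted in the report. It accepts both the "1" that check expects and the "Y" this host reports, and treats anything else as disabled. The function names and the sample file contents are constructed for illustration.

```python
import os
import tempfile

# Boolean module parameters read back as "Y"/"N", integer ones as "1"/"0".
_ENABLED = {"1", "y"}


def strict_check(contents: str) -> bool:
    """The comparison quoted in the bug report."""
    return contents == "1\n"


def parse_kernel_flag(contents: str) -> bool:
    """Tolerant parse: accept either representation, fail closed otherwise."""
    value = contents.strip().lower()
    # Empty or unexpected text is treated as "not enabled".
    return value in _ENABLED


def kernel_param_enabled(path: str) -> bool:
    """Read a module parameter file; missing or unreadable means disabled."""
    try:
        with open(path) as f:
            return parse_kernel_flag(f.read())
    except OSError:
        return False


def compare(samples):
    """Return (contents, strict, tolerant) rows for constructed contents."""
    rows = []
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sev")  # stand-in for the sysfs file
        for contents in samples:
            with open(path, "w") as f:
                f.write(contents)
            rows.append((contents, strict_check(contents),
                         kernel_param_enabled(path)))
    return rows


# Constructed sample contents, not captured from a real host.
SAMPLES = ["1\n", "Y\n", "N\n", "0\n", "", "garbage\n"]

if __name__ == "__main__":
    for contents, strict, tolerant in compare(SAMPLES):
        print(f"{contents!r:12} strict={strict!s:5} tolerant={tolerant}")
```

The "Y\n" row is the case from this report: the strict comparison returns False while the tolerant parse returns True.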