Bug 1745181
| Summary: | virt-ssbd not included on CPU mode='host-model' | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Eduardo Habkost <ehabkost> | |
| Component: | libvirt | Assignee: | Jiri Denemark <jdenemar> | |
| Status: | CLOSED ERRATA | QA Contact: | jiyan <jiyan> | |
| Severity: | high | Docs Contact: | ||
| Priority: | urgent | |||
| Version: | 7.7 | CC: | afox, dyuan, jdenemar, jiyan, jortialc, jsuchane, lhuang, lmen, lmiksik, mkalinin, mvanderw, stanislav.moravec, xuzhang, yalzhang | |
| Target Milestone: | rc | Keywords: | ZStream | |
| Target Release: | --- | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | libvirt-4.5.0-30.el7 | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1787556 (view as bug list) | Environment: | ||
| Last Closed: | 2020-03-31 19:58:29 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1787556 | |||
Hi I am trying to reproduce this bug:
For physical host:
lscpu |grep ssbd
Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm constant_tsc art rep_good nopl nonstop_tsc extd_apicid amd_dcm aperfmperf eagerfpu pni pclmulqdq monitor ssse3 fma cx16 sse4_1 sse4_2 movbe popcnt aes xsave avx f16c rdrand lahf_lm cmp_legacy svm extapic cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw skinit wdt tce topoext perfctr_core perfctr_nb bpext perfctr_l2 cpb hw_pstate retpoline_amd ssbd ibpb vmmcall fsgsbase bmi1 avx2 smep bmi2 rdseed adx smap clflushopt sha_ni xsaveopt xsavec xgetbv1 clzero irperf xsaveerptr arat npt lbrv svm_lock nrip_save tsc_scale vmcb_clean flushbyasid decodeassists pausefilter pfthreshold avic v_vmsave_vmload vgif overflow_recov succor smca
S1: We use qemu-kvm-rhev during daily test. The test scenarios are as follows:
There is no virt_sshbd in active dumpxml when starting VM with host-model; but I can see the cpu flag in guest os.
# rpm -qa libvirt qemu-kvm-rhev kernel
kernel-3.10.0-1062.el7.x86_64
libvirt-4.5.0-25.el7.x86_64
qemu-kvm-rhev-2.12.0-33.el7_7.2.x86_64
# virsh dumpxml test --inactive |grep "<cpu" -A20
<cpu mode='host-model' check='partial'>
<model fallback='allow'/>
</cpu>
# virsh start test
Domain test started
# virsh dumpxml test |grep "<cpu" -A20
<cpu mode='custom' match='exact' check='full'>
<model fallback='forbid'>EPYC-IBPB</model>
<vendor>AMD</vendor>
<feature policy='require' name='x2apic'/>
<feature policy='require' name='tsc-deadline'/>
<feature policy='require' name='hypervisor'/>
<feature policy='require' name='tsc_adjust'/>
<feature policy='require' name='cmp_legacy'/>
<feature policy='require' name='virt-ssbd'/>
<feature policy='disable' name='monitor'/>
<feature policy='disable' name='svm'/>
<feature policy='require' name='topoext'/>
</cpu>
# virsh console test
Connected to domain test
Escape character is ^]
Red Hat Enterprise Linux Server 7.7 (Maipo)
Kernel 3.10.0-1062.el7.x86_64 on an x86_64
localhost login: root
Password:
[root@localhost ~]# lscpu |grep virt_ssbd
Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm art rep_good nopl xtopology extd_apicid eagerfpu pni pclmulqdq ssse3 fma cx16 sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm cmp_legacy cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw topoext retpoline_amd ssbd ibpb vmmcall fsgsbase tsc_adjust bmi1 avx2 smep bmi2 rdseed adx smap clflushopt sha_ni xsaveopt xsavec xgetbv1 virt_ssbd arat
S2: When testing the same scenario above on qemu-kvm
For qemu-kvm; virt_ssbd can not be seen in either active dumpxml after starting VM with host-model or in guest os.
For the following Version;
# rpm -qa qemu-kvm libvirt kernel
libvirt-4.5.0-25.el7.x86_64
kernel-3.10.0-1062.el7.x86_64
qemu-kvm-1.5.3-168.el7.x86_64
So I am not sure whether this issue is libvirt's problem as I think it works well with qemu-kvm-rhev.
(In reply to jiyan from comment #2) > Hi I am trying to reproduce this bug: [...] > # rpm -qa libvirt qemu-kvm-rhev kernel > kernel-3.10.0-1062.el7.x86_64 > libvirt-4.5.0-25.el7.x86_64 > qemu-kvm-rhev-2.12.0-33.el7_7.2.x86_64 The bug is reproducible only using qemu-kvm-1.5.3. I'm not quite sure how we could solve this with such an old QEMU that is shipped with RHEL 7.7. And why would we do it anyway? The host-model CPUs are very fragile with QEMU older than 2.9, which provides the necessary interface for implementing host-model CPUs in a sane way. With older QEMU, host-model CPU will just try to enable all features (known to libvirt) that the host CPU supports without any hint from KVM or QEMU. In addition to enabling bunch of features which cannot or should not be enabled (esp. when the chosen CPU model is older than the real CPU model) none of the features which can be provided by KVM even without host support will be enabled. And that's the case of virt-ssbd. That said, using host-model with QEMU older than 2.9 is not a good idea in general. With a custom CPU model it's pretty easy to request virt-ssbd. The only way we could solve this would be some kind of downstream hack which would add virt-ssbd in the host-model based on some heuristics. But what should the heuristics look like? BTW, the secure=yes option for virt-install is relies on libvirt for telling what features can be enabled. The most important feature here is not querying, but trying to enable it when starting the VM. Isn't it possible to simply enable the feature unconditionally on the command-line when using host-model, and then remove it from the XML in case the feature appears on 'filtered-features' and/or is not on 'feature-words'? Correcting needinfo for comment #5. As the description said, can not reproduce this issue on qemu-kvm-rhev.
Version:
libvirt-4.5.0-29.el7.x86_64
qemu-kvm-rhev-2.12.0-38.el7.x86_64
kernel-3.10.0-1115.el7.x86_64
Steps:
1. Check "lscpu" and "virsh domcapabilities"
# lscpu
Model name: AMD EPYC 7251 8-Core Processor
Flags: ... ssbd ...
# virsh domcapabilities
...
<cpu>
<mode name='host-passthrough' supported='yes'/>
<mode name='host-model' supported='yes'>
<model fallback='forbid'>EPYC-IBPB</model>
<vendor>AMD</vendor>
<feature policy='require' name='x2apic'/>
<feature policy='require' name='tsc-deadline'/>
<feature policy='require' name='hypervisor'/>
<feature policy='require' name='tsc_adjust'/>
<feature policy='require' name='cmp_legacy'/>
<feature policy='require' name='invtsc'/>
<feature policy='require' name='virt-ssbd'/> *****
<feature policy='disable' name='monitor'/>
<feature policy='disable' name='svm'/>
</mode>
2. Prepare a shutdown VM with host-model cpu conf
# virsh domstate test
shut off
# virsh dumpxml test --inactive |grep "<cpu" -A2
<cpu mode='host-model' check='partial'>
<model fallback='allow'/>
</cpu>
# virsh start test
Domain test started
# virsh dumpxml test |grep "<cpu" -A20
<cpu mode='custom' match='exact' check='full'>
<model fallback='forbid'>EPYC-IBPB</model>
<vendor>AMD</vendor>
<feature policy='require' name='x2apic'/>
<feature policy='require' name='tsc-deadline'/>
<feature policy='require' name='hypervisor'/>
<feature policy='require' name='tsc_adjust'/>
<feature policy='require' name='cmp_legacy'/>
<feature policy='require' name='virt-ssbd'/> *****
<feature policy='disable' name='monitor'/>
<feature policy='disable' name='svm'/>
<feature policy='disable' name='arat'/>
</cpu>
# ps -ef |grep test
...-cpu EPYC-IBPB,x2apic=on,tsc-deadline=on,hypervisor=on,tsc_adjust=on,cmp_legacy=on,virt-ssbd=on **** ,monitor=off,svm=off
Reproduce this issue on libvirt-4.5.0-29.el7.x86_64 with qemu-kvm.
Version:
libvirt-4.5.0-29.el7.x86_64
kernel-3.10.0-1115.el7.x86_64
qemu-kvm-1.5.3-171.el7.x86_64
Steps:
1. Check "lscpu" and "virsh domcapabilities"
# lscpu
Model name: AMD EPYC 7251 8-Core Processor
Flags: ... ssbd ...
# virsh domcapabilities
...
<cpu>
<mode name='host-passthrough' supported='yes'/>
<mode name='host-model' supported='yes'>
<model fallback='allow'>EPYC-IBPB</model>
<vendor>AMD</vendor>
<feature policy='require' name='ht'/>
<feature policy='require' name='osxsave'/>
<feature policy='require' name='xsaves'/>
<feature policy='require' name='cmp_legacy'/>
<feature policy='require' name='extapic'/>
<feature policy='require' name='skinit'/>
<feature policy='require' name='wdt'/>
<feature policy='require' name='tce'/>
<feature policy='require' name='topoext'/>
<feature policy='require' name='perfctr_core'/>
<feature policy='require' name='perfctr_nb'/>
<feature policy='require' name='invtsc'/>
</mode>
2. Prepare a shutdown VM with host-model cpu conf
# virsh domstate test
shut off
# virsh dumpxml test --inactive |grep "<cpu" -A2
<cpu mode='host-model' check='partial'>
<model fallback='allow'/>
</cpu>
# virsh start test
Domain test started
# virsh dumpxml test |grep "<cpu" -A20
<cpu mode='custom' match='exact' check='full'>
<model fallback='forbid'>EPYC-IBPB</model>
<vendor>AMD</vendor>
<feature policy='disable' name='ht'/>
<feature policy='disable' name='osxsave'/>
<feature policy='require' name='cmp_legacy'/>
<feature policy='disable' name='extapic'/>
<feature policy='disable' name='skinit'/>
<feature policy='disable' name='wdt'/>
<feature policy='disable' name='tce'/>
<feature policy='disable' name='topoext'/>
<feature policy='disable' name='perfctr_core'/>
<feature policy='disable' name='perfctr_nb'/>
<feature policy='disable' name='monitor'/>
<feature policy='require' name='hypervisor'/>
<feature policy='disable' name='arat'/>
<feature policy='disable' name='svm'/>
</cpu>
# ps -ef |grep test
...-cpu EPYC-IBPB,+ht,+osxsave,+cmp_legacy,+extapic,+skinit,+wdt,+tce,+topoext,+perfctr_core,+perfctr_nb
BTW, there is another problem when libvirt works with qemu-kvm.
# rpm -qa libvirt qemu-kvm
libvirt-4.5.0-29.el7.x86_64
qemu-kvm-1.5.3-171.el7.x86_64
# virsh domcapabilities
<domainCapabilities>
<path>/usr/libexec/qemu-kvm</path>
<domain>kvm</domain>
<machine>pc-i440fx-rhel7.0.0</machine>
<arch>x86_64</arch>
<vcpu max='240'/>
<iothreads supported='no'/>
<os supported='yes'>
<loader supported='yes'>
<enum name='type'>
<value>rom</value>
<value>pflash</value>
</enum>
<enum name='readonly'>
<value>yes</value>
<value>no</value>
</enum>
</loader>
</os>
<cpu>
<mode name='host-passthrough' supported='yes'/>
<mode name='host-model' supported='yes'>
<model fallback='allow'>EPYC-IBPB</model>
<vendor>AMD</vendor>
<feature policy='require' name='ht'/>
<feature policy='require' name='osxsave'/>
<feature policy='require' name='xsaves'/>
<feature policy='require' name='cmp_legacy'/>
<feature policy='require' name='extapic'/>
<feature policy='require' name='skinit'/>
<feature policy='require' name='wdt'/>
<feature policy='require' name='tce'/>
<feature policy='require' name='topoext'/>
<feature policy='require' name='perfctr_core'/>
<feature policy='require' name='perfctr_nb'/>
<feature policy='require' name='invtsc'/>
</mode>
<mode name='custom' supported='yes'>
<model usable='unknown'>EPYC-IBPB</model>
<model usable='unknown'>EPYC</model>
<model usable='unknown'>Opteron_G5</model>
<model usable='unknown'>Opteron_G4</model>
<model usable='unknown'>Opteron_G3</model>
<model usable='unknown'>Opteron_G2</model>
<model usable='unknown'>Opteron_G1</model>
<model usable='unknown'>Skylake-Server-IBRS</model>
<model usable='unknown'>Skylake-Server</model>
<model usable='unknown'>Skylake-Client-IBRS</model>
<model usable='unknown'>Skylake-Client</model>
<model usable='unknown'>Broadwell-IBRS</model>
<model usable='unknown'>Broadwell</model>
<model usable='unknown'>Haswell-IBRS</model>
<model usable='unknown'>Haswell</model>
<model usable='unknown'>IvyBridge-IBRS</model>
<model usable='unknown'>IvyBridge</model>
<model usable='unknown'>SandyBridge-IBRS</model>
<model usable='unknown'>SandyBridge</model>
<model usable='unknown'>Westmere-IBRS</model>
<model usable='unknown'>Westmere</model>
<model usable='unknown'>Nehalem-IBRS</model>
<model usable='unknown'>Nehalem</model>
<model usable='unknown'>Penryn</model>
<model usable='unknown'>Conroe</model>
<model usable='unknown'>cpu64-rhel6</model>
<model usable='unknown'>n270</model>
<model usable='unknown'>athlon</model>
<model usable='unknown'>pentium3</model>
<model usable='unknown'>pentium2</model>
<model usable='unknown'>pentium</model>
<model usable='unknown'>486</model>
<model usable='unknown'>coreduo</model>
<model usable='unknown'>kvm32</model>
<model usable='unknown'>qemu32</model>
<model usable='unknown'>kvm64</model>
<model usable='unknown'>core2duo</model>
<model usable='unknown'>phenom</model>
<model usable='unknown'>qemu64</model>
</mode>
</cpu>
Is that okay for the "unknown" display in "virsh domcapabilities"?
Yes, that's expected as QEMU 1.5.3 is too old to tell us whether a given CPU model can be used without disabling some features. Verified this bug on libvirt-4.5.0-31.el7.x86_64.
Version info:
libvirt-4.5.0-31.el7.x86_64
qemu-kvm-1.5.3-171.el7.x86_64
kernel-3.10.0-1115.el7.x86_64
Env info:
# lscpu |grep "Model name"
Model name: AMD EPYC 7251 8-Core Processor
Steps:
1. Check "virsh domcapabilities" (**No virt-ssbd here**)
# virsh domcapabilities | grep "<cpu>" -A20
<cpu>
<mode name='host-passthrough' supported='yes'/>
<mode name='host-model' supported='yes'>
<model fallback='allow'>EPYC-IBPB</model>
<vendor>AMD</vendor>
<feature policy='require' name='ht'/>
<feature policy='require' name='osxsave'/>
<feature policy='require' name='xsaves'/>
<feature policy='require' name='cmp_legacy'/>
<feature policy='require' name='extapic'/>
<feature policy='require' name='skinit'/>
<feature policy='require' name='wdt'/>
<feature policy='require' name='tce'/>
<feature policy='require' name='topoext'/>
<feature policy='require' name='perfctr_core'/>
<feature policy='require' name='perfctr_nb'/>
<feature policy='require' name='invtsc'/>
</mode>
2. Prepare a shutdown VM with the following conf and start VM
# virsh domstate test78
shut off
# virsh dumpxml test78 --inactive |grep "<cpu" -A2
<cpu mode='host-model' check='partial'>
<model fallback='allow'/>
</cpu>
# virsh start test78
Domain test78 started
# virsh dumpxml test78 |grep "<cpu" -A20
<cpu mode='custom' match='exact' check='full'>
<model fallback='forbid'>EPYC-IBPB</model>
<vendor>AMD</vendor>
<feature policy='disable' name='ht'/>
<feature policy='disable' name='osxsave'/>
<feature policy='require' name='cmp_legacy'/>
<feature policy='disable' name='extapic'/>
<feature policy='disable' name='skinit'/>
<feature policy='disable' name='wdt'/>
<feature policy='disable' name='tce'/>
<feature policy='disable' name='topoext'/>
<feature policy='disable' name='perfctr_core'/>
<feature policy='disable' name='perfctr_nb'/>
<feature policy='require' name='virt-ssbd'/>
<feature policy='disable' name='monitor'/>
<feature policy='require' name='hypervisor'/>
<feature policy='disable' name='arat'/>
<feature policy='disable' name='svm'/>
</cpu>
# ps -ef |grep test78
qemu 15292 1 99 22:08 ? 00:00:14 /usr/libexec/qemu-kvm -name test78 -S -machine pc-i440fx-rhel7.0.0,accel=kvm,usb=off,dump-guest-core=off -cpu EPYC-IBPB,+ht,+osxsave,+cmp_legacy,+extapic,+skinit,+wdt,+tce,+topoext,+perfctr_core,+perfctr_nb,+virt-ssbd
# virsh console test78
Connected to domain test78
Escape character is ^]
Red Hat Enterprise Linux Server 7.8 Beta (Maipo)
Kernel 3.10.0-1111.el7.x86_64 on an x86_64
localhost login: root
Password:
[root@localhost ~]# lscpu
...
Model name: AMD EPYC Processor (with IBPB)
[root@localhost ~]# lscpu |grep ssbd
Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm art rep_good nopl extd_apicid eagerfpu pni pclmulqdq ssse3 fma cx16 sse4_1 sse4_2 movbe popcnt aes xsave avx f16c rdrand hypervisor lahf_lm cmp_legacy cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw retpoline_amd **ssbd** ... ** virt_ssbd **
Hi Jiri there is another issue when I verified this bug. It can both happen in libvirt-4.5.0-29.el7.x86_64 and libvirt-4.5.0-31.el7.x86_64. I installed VM by virt-manager in the physical machine comment 17, the err raised like this "Unable to complete install: "unsupported configuration: vmport is not avaiable with this QEMU binary"". But I can install VM by virt-install successfully as follows: # virt-install --connect qemu:///system -n test78 --hvm --accelerate -r 1024 --vcpus=2 --os-variant rhel7.6 --disk path=/var/lib/libvirt/images/RHEL-7.8-x86_64-latest.qcow2,bus=ide,format=qcow2 --network bridge=virbr0,model=virtio --import --noreboot --noautoconsole --serial pty --memballoon model=virtio --graphics vnc --video cirrus Starting install... Domain creation completed. You can restart your domain by running: virsh --connect qemu:///system start test78 Could you please help to check this issue? Thank you. (In reply to jiyan from comment #18) > It can both happen in libvirt-4.5.0-29.el7.x86_64 and > libvirt-4.5.0-31.el7.x86_64. > > I installed VM by virt-manager in the physical machine comment 17, the err > raised like this "Unable to complete install: "unsupported configuration: > vmport is not avaiable with this QEMU binary"". This is unrelated. Please, file a new bug for virt-manager for investigation. According to comment 20, move this bug to be verified. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:1094 |
Description of problem: `virsh domcapabilities` and CPU model='host-model' don't include virt-ssbd when using qemu-kvm-1.5.3, even though the host is capable of emulating virt-ssbd. Version-Release number of selected component (if applicable): libvirt-4.5.0-25.el7.x86_64 qemu-kvm-1.5.3-167.el7.x86_64 How reproducible: Always Steps to Reproduce: Install RHEL-7 in a host with EPYC CPU (with "ssbd" available on /proc/cpuinfo): Confirm that QEMU can enable "virt-ssbd" with no warnings: # /usr/libexec/qemu-kvm -cpu EPYC-IBPB,-svm,-monitor,+virt-ssbd,enforce Check "virsh domcapabilities": # virsh domcapabilities | grep ssbd # Using virt-install: # virt-install --name testvm --memory 1024 --import --disk none --cpu host-model --noautoconsole WARNING No operating system detected, VM performance may suffer. Specify an OS with --os-variant for optimal results. Starting install... Domain creation completed. # virsh dumpxml testvm | grep -10 cpu [...] <cpu mode='custom' match='exact' check='full'> <model fallback='forbid'>EPYC-IBPB</model> <vendor>AMD</vendor> <feature policy='disable' name='ht'/> <feature policy='disable' name='osxsave'/> <feature policy='require' name='cmp_legacy'/> <feature policy='disable' name='extapic'/> <feature policy='disable' name='skinit'/> <feature policy='disable' name='wdt'/> <feature policy='disable' name='tce'/> <feature policy='disable' name='topoext'/> <feature policy='disable' name='perfctr_core'/> <feature policy='disable' name='perfctr_nb'/> <feature policy='disable' name='monitor'/> <feature policy='require' name='hypervisor'/> <feature policy='disable' name='arat'/> <feature policy='disable' name='svm'/> </cpu> [...] Actual results: virt-ssbd is not enabled by virt-install if using 'host-model' or '...,secure=yes' Expected results: virt-ssbd should be enabled when using 'secure=yes', and preferably also enabled when using 'host-model' Additional info: Not reproducible using qemu-kvm-rhev. This happens because query-cpu-model-expansion isn't available on qemu-kvm-1.5.3, and libvirt is falling back to querying CPUID directly. virt-ssbd is never present on CPUID on bare metal, though. I'm not sure this is solvable just on the libvirt side, but we need either libvirt or virt-manager/virt-install to be able to work around it somehow.