It sounds like you have perhaps updated libvirt & QEMU to the version that includes spec-ctrl support but not updated the kernel, or perhaps not yet rebooted into the new kernel.

If that's not the case, please provide the domain XML generated by
virt-install and the output of "virsh domaincapabilities".

TBH, I'm not sure when the 'spec-ctrl' support landed, but I believe my running kernel is up-to-date for Fedora 28.

$ rpm -q kernel
kernel-4.16.12-300.fc28.x86_64
$ uname -r
4.16.12-300.fc28.x86_64

I've repeated the same install process as before:

$ sudo qemu-img create -f qcow2 -o backing_file=Fedora-AtomicHost-28-20180425.0.x86_64.qcow2 Fedora-AtomicHost-28-20180425.0.vm0601a.qcow2
Formatting 'Fedora-AtomicHost-28-20180425.0.vm0601a.qcow2', fmt=qcow2 size=6442450944 backing_file=Fedora-AtomicHost-28-20180425.0.x86_64.qcow2 cluster_size=65536 lazy_refcounts=off refcount_bits=16

$ sudo virt-install --import --name Fedora-AtomicHost-28-20180425.0.vm0601a --ram 2048 --vcpus 2 --disk path=/var/lib/libvirt/images/Fedora-AtomicHost-28-20180425.0.vm0601a.qcow2,format=qcow2,bus=virtio --disk path=/var/lib/libvirt/images/atomic-cloud-init.iso,device=cdrom,readonly=on --os-type linux --os-variant fedora27 --noautoconsole  --cpu host-passthrough
                                   
Starting install...                                      
Domain creation completed.                          

$ virsh dumpxml Fedora-AtomicHost-28-20180425.0.vm0601a                             
<domain type='kvm' id='5'>                                                      
  <name>Fedora-AtomicHost-28-20180425.0.vm0601a</name>  
  <uuid>7f69638b-e17a-49c1-a313-135ba51f39d5</uuid>                  
  <memory unit='KiB'>2097152</memory>                                            
  <currentMemory unit='KiB'>2097152</currentMemory>
  <vcpu placement='static'>2</vcpu>                                         
  <resource>                  
    <partition>/machine</partition>                                  
  </resource>
  <os>
    <type arch='x86_64' machine='pc-i440fx-2.11'>hvm</type>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <vmport state='off'/>
  </features>
  <cpu mode='host-passthrough' check='none'/>
  <clock offset='utc'>
    <timer name='rtc' tickpolicy='catchup'/>
    <timer name='pit' tickpolicy='delay'/>
    <timer name='hpet' present='no'/>
  </clock>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <pm>
    <suspend-to-mem enabled='no'/>
    <suspend-to-disk enabled='no'/>
  </pm>
  <devices>
    <emulator>/usr/bin/qemu-kvm</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/Fedora-AtomicHost-28-20180425.0.vm0601a.qcow2'/>
      <backingStore type='file' index='1'>
        <format type='raw'/>
        <source file='/var/lib/libvirt/images/Fedora-AtomicHost-28-20180425.0.x86_64.qcow2'/>
        <backingStore/>
      </backingStore>
      <target dev='vda' bus='virtio'/>
      <alias name='virtio-disk0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
    </disk>
    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <source file='/var/lib/libvirt/images/atomic-cloud-init.iso'/>
      <backingStore/>
      <target dev='hda' bus='ide'/>
      <readonly/>
      <alias name='ide0-0-0'/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>
    <controller type='usb' index='0' model='ich9-ehci1'>
      <alias name='usb'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x7'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci1'>
      <alias name='usb'/>
      <master startport='0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0' multifunction='on'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci2'>
      <alias name='usb'/>
      <master startport='2'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x1'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci3'>
      <alias name='usb'/>
      <master startport='4'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x2'/>
    </controller>
    <controller type='pci' index='0' model='pci-root'>
      <alias name='pci.0'/>
    </controller>
    <controller type='ide' index='0'>
      <alias name='ide'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
    </controller>
    <controller type='virtio-serial' index='0'>
      <alias name='virtio-serial0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
    </controller>
    <interface type='network'>
      <mac address='52:54:00:82:b9:a0'/>
      <source network='default' bridge='virbr0'/>
      <target dev='vnet0'/>
      <model type='virtio'/>
      <alias name='net0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
    <serial type='pty'>
      <source path='/dev/pts/6'/>
      <target type='isa-serial' port='0'>
        <model name='isa-serial'/>
      </target>
      <alias name='serial0'/>
    </serial>
    <console type='pty' tty='/dev/pts/6'>
      <source path='/dev/pts/6'/>
      <target type='serial' port='0'/>
      <alias name='serial0'/>
    </console>
    <channel type='unix'>
      <source mode='bind' path='/var/lib/libvirt/qemu/channel/target/domain-5-Fedora-AtomicHost-28/org.qemu.guest_agent.0'/>
      <target type='virtio' name='org.qemu.guest_agent.0' state='disconnected'/>
      <alias name='channel0'/>
      <address type='virtio-serial' controller='0' bus='0' port='1'/>
    </channel>
    <channel type='spicevmc'>
      <target type='virtio' name='com.redhat.spice.0' state='disconnected'/>
      <alias name='channel1'/>
      <address type='virtio-serial' controller='0' bus='0' port='2'/>
    </channel>
    <input type='tablet' bus='usb'>
      <alias name='input0'/>
      <address type='usb' bus='0' port='1'/>
    </input>
    <input type='mouse' bus='ps2'>
      <alias name='input1'/>
    </input>
    <input type='keyboard' bus='ps2'>
      <alias name='input2'/>
    </input>
    <graphics type='spice' port='5900' autoport='yes' listen='127.0.0.1'>
      <listen type='address' address='127.0.0.1'/>
      <image compression='off'/>
    </graphics>
    <sound model='ich6'>
      <alias name='sound0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
    </sound>
    <video>
      <model type='qxl' ram='65536' vram='65536' vgamem='16384' heads='1' primary='yes'/>
      <alias name='video0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>
    <redirdev bus='usb' type='spicevmc'>
      <alias name='redir0'/>
      <address type='usb' bus='0' port='2'/>
    </redirdev>
    <redirdev bus='usb' type='spicevmc'>
      <alias name='redir1'/>
      <address type='usb' bus='0' port='3'/>
    </redirdev>
    <memballoon model='virtio'>
      <alias name='balloon0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/>
    </memballoon>
    <rng model='virtio'>
      <backend model='random'>/dev/urandom</backend>
      <alias name='rng0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x09' function='0x0'/>
    </rng>
  </devices>
  <seclabel type='dynamic' model='selinux' relabel='yes'>
    <label>system_u:system_r:svirt_t:s0:c747,c926</label>
    <imagelabel>system_u:object_r:svirt_image_t:s0:c747,c926</imagelabel>
  </seclabel>
  <seclabel type='dynamic' model='dac' relabel='yes'>
    <label>+107:+107</label>
    <imagelabel>+107:+107</imagelabel>
  </seclabel>
</domain>

$ virsh domcapabilities
<domainCapabilities>                    
  <path>/usr/bin/qemu-system-x86_64</path> 
  <domain>kvm</domain>                     
  <machine>pc-i440fx-2.11</machine>        
  <arch>x86_64</arch>                       
  <vcpu max='255'/>                         
  <os supported='yes'>                   
    <loader supported='yes'>                 
      <value>/usr/share/edk2/ovmf/OVMF_CODE.fd</value>
      <enum name='type'>                       
        <value>rom</value>               
        <value>pflash</value>                  
      </enum>                                      
      <enum name='readonly'>                 
        <value>yes</value>           
        <value>no</value>                 
      </enum>                           
    </loader>                              
  </os>                                          
  <cpu>                                              
    <mode name='host-passthrough' supported='yes'/>
    <mode name='host-model' supported='yes'>
      <model fallback='forbid'>Skylake-Client</model>
      <vendor>Intel</vendor>
      <feature policy='require' name='ss'/>
      <feature policy='require' name='hypervisor'/>
      <feature policy='require' name='tsc_adjust'/>
      <feature policy='require' name='clflushopt'/>
      <feature policy='require' name='xsaves'/>
      <feature policy='require' name='pdpe1gb'/>
      <feature policy='require' name='invtsc'/>
    </mode>
    <mode name='custom' supported='yes'>
      <model usable='yes'>qemu64</model>
      <model usable='yes'>qemu32</model>
      <model usable='no'>phenom</model>
      <model usable='yes'>pentium3</model>
      <model usable='yes'>pentium2</model>
      <model usable='yes'>pentium</model>
      <model usable='yes'>n270</model>
      <model usable='yes'>kvm64</model>
      <model usable='yes'>kvm32</model>
      <model usable='yes'>coreduo</model>
      <model usable='yes'>core2duo</model>
      <model usable='no'>athlon</model>
      <model usable='yes'>Westmere</model>
      <model usable='no'>Westmere-IBRS</model>
      <model usable='no'>Skylake-Server</model>
      <model usable='no'>Skylake-Server-IBRS</model>
      <model usable='yes'>Skylake-Client</model>
      <model usable='no'>Skylake-Client-IBRS</model>
      <model usable='yes'>SandyBridge</model>
      <model usable='no'>SandyBridge-IBRS</model>
      <model usable='yes'>Penryn</model>
      <model usable='no'>Opteron_G5</model>
      <model usable='no'>Opteron_G4</model>
      <model usable='no'>Opteron_G3</model>
      <model usable='yes'>Opteron_G2</model>
      <model usable='yes'>Opteron_G1</model>
      <model usable='yes'>Nehalem</model>
      <model usable='no'>Nehalem-IBRS</model>
      <model usable='yes'>IvyBridge</model>
      <model usable='no'>IvyBridge-IBRS</model>
      <model usable='yes'>Haswell</model>
      <model usable='yes'>Haswell-noTSX</model>
      <model usable='no'>Haswell-noTSX-IBRS</model>
      <model usable='no'>Haswell-IBRS</model>
      <model usable='no'>EPYC</model>
      <model usable='no'>EPYC-IBPB</model>
      <model usable='yes'>Conroe</model>
      <model usable='yes'>Broadwell</model>
      <model usable='yes'>Broadwell-noTSX</model>
      <model usable='no'>Broadwell-noTSX-IBRS</model>
      <model usable='no'>Broadwell-IBRS</model>
      <model usable='yes'>486</model>
    </mode>
  </cpu>
  <devices>
    <disk supported='yes'>
      <enum name='diskDevice'>
        <value>disk</value>
        <value>cdrom</value>
        <value>floppy</value>
        <value>lun</value>
      </enum>
      <enum name='bus'>
        <value>ide</value>
        <value>fdc</value>
        <value>scsi</value>
        <value>virtio</value>
        <value>usb</value>
        <value>sata</value>
      </enum>
    </disk>
    <graphics supported='yes'>
      <enum name='type'>
        <value>sdl</value>
        <value>vnc</value>
        <value>spice</value>
      </enum>
    </graphics>
    <video supported='yes'>
      <enum name='modelType'>
        <value>vga</value>
        <value>cirrus</value>
        <value>vmvga</value>
        <value>qxl</value>
        <value>virtio</value>
      </enum>
    </video>
    <hostdev supported='yes'>
      <enum name='mode'>
        <value>subsystem</value>
      </enum>
      <enum name='startupPolicy'>
        <value>default</value>
        <value>mandatory</value>
        <value>requisite</value>
        <value>optional</value>
      </enum>
      <enum name='subsysType'>
        <value>usb</value>
        <value>pci</value>
        <value>scsi</value>
      </enum>
      <enum name='capsType'/>
      <enum name='pciBackend'/>
    </hostdev>
  </devices>
  <features>
    <gic supported='no'/>
  </features>
</domainCapabilities>

I was getting mixed up with CPU features previously. spec-ctrl is a feature added for the original Spectre fixes, not the new SSBD fixes, so that should already be working, assuming new enough microcode.  The capabilities XML shows it detected an IBRS CPU model so that include spec-ctrl feature.  So something odd is going on here, almost like the KVM module is claiming spec-ctrl isn't supported, despite existing in the CPU.

You're hitting two separate issues at once. Hitting any of them alone wouldn't
cause a failure to create a new domain.

First, the capabilities XML (based on CPUID) confirms spec-ctrl is supported
by the host CPU:

    <cpu>
      <arch>x86_64</arch>
      <model>Skylake-Client-IBRS</model>
      <vendor>Intel</vendor>
      <microcode version='112'/>
      ...
    </cpu>


however the domain capabilities XML says this feature cannot be provided by
QEMU on this host:

    <mode name='host-model' supported='yes'>
      <model fallback='forbid'>Skylake-Client</model>
      <vendor>Intel</vendor>
      <feature policy='require' name='ss'/>
      <feature policy='require' name='hypervisor'/>
      <feature policy='require' name='tsc_adjust'/>
      <feature policy='require' name='clflushopt'/>
      <feature policy='require' name='xsaves'/>
      <feature policy='require' name='pdpe1gb'/>
      <feature policy='require' name='invtsc'/>
    </mode>

What does kernel say about this in /proc/cpuinfo (please, copy just one
processor section from that file here)?

Additionally, could you attach
/var/cache/libvirt/qemu/capabilities/192d00e33ab81b6844471cabff1f91a820494354af4a271affc2b6dd076536e1.xml
file to this bug? And does removing that file (but please, attach the original
file first) and restarting libvirtd make any difference? Don't remember to
remove the "--cpu host-passthrough" workaround from your virt-install command.
If so, could you please attach the newly generated file too?


Second, the reason why the domain does not start by default on your host is
that virt-install uses the CPU model from host capabilities when creating a
new domain which means it asks for the feature QEMU cannot provide. I think
there is a separate bug focused on fixing this behavior. Pavel knows more
about this.

But of course, even if virt-install used the CPU from domain capabilities or
even host-model CPU, the domain would start but without spec-ctrl CPU feature.

Created attachment 1447466 [details]
/var/cache/libvirt/qemu/capabilities/192d00e33ab81b6844471cabff1f91a820494354af4a271affc2b6dd076536e1.xml

(In reply to Jiri Denemark from comment #5)

> What does kernel say about this in /proc/cpuinfo (please, copy just one
> processor section from that file here)?

processor       : 3
vendor_id       : GenuineIntel
cpu family      : 6
model           : 142
model name      : Intel(R) Core(TM) i7-7600U CPU @ 2.80GHz
stepping        : 9
microcode       : 0x84
cpu MHz         : 997.605
cache size      : 4096 KB
physical id     : 0
siblings        : 4
core id         : 1
cpu cores       : 2
apicid          : 3
initial apicid  : 3
fpu             : yes
fpu_exception   : yes
cpuid level     : 22
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf tsc_known_freq pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb invpcid_single pti ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt intel_pt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp
bugs            : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass
bogomips        : 5808.00
clflush size    : 64
cache_alignment : 64
address sizes   : 39 bits physical, 48 bits virtual
power management:

> Additionally, could you attach
> /var/cache/libvirt/qemu/capabilities/
> 192d00e33ab81b6844471cabff1f91a820494354af4a271affc2b6dd076536e1.xml
> file to this bug? And does removing that file (but please, attach the
> original
> file first) and restarting libvirtd make any difference? Don't remember to
> remove the "--cpu host-passthrough" workaround from your virt-install
> command.
> If so, could you please attach the newly generated file too?

Attached the original, removed it, restarted libvirtd and now I'm able to use `virt-install` without the `--cpu host-passthrough` option.


$ sudo rm /var/cache/libvirt/qemu/capabilities/192d00e33ab81b6844471cabff1f91a820494354af4a271affc2b6dd076536e1.xml

$ sudo systemctl restart libvirtd

$ sudo qemu-img create -f qcow2 -o backing_file=Fedora-AtomicHost-28-20180425.0.x86_64.qcow2 Fedora-AtomicHost-28-20180425.0.vm0604a.qcow2
Formatting 'Fedora-AtomicHost-28-20180425.0.vm0604a.qcow2', fmt=qcow2 size=6442450944 backing_file=Fedora-AtomicHost-28-20180425.0.x86_64.qcow2 cluster_size=65536 lazy_refcounts=off refcount_bits=16

$ sudo virt-install --import --name Fedora-AtomicHost-28-20180425.0.vm0604a --ram 2048 --vcpus 2 --disk path=/var/lib/libvirt/images/Fedora-AtomicHost-28-20180425.0.vm0604a.qcow2,format=qcow2,bus=virtio --disk path=/var/lib/libvirt/images/atomic-cloud-init.iso,device=cdrom,readonly=on --os-type linux --os-variant fedora27 --noautoconsole

Starting install...
Domain creation completed.


I'll attach the newly generated capabilities XML file after making this comment.

Created attachment 1447468 [details]
new capabilities XML file

(In reply to Micah Abbott from comment #7)

> I'll attach the newly generated capabilities XML file after making this
> comment.

Strange, there is no difference between the original XML + newly generated XML:

$ sudo cp /var/cache/libvirt/qemu/capabilities/192d00e33ab81b6844471cabff1f91a820494354af4a271affc2b6dd076536e1.xml ~/new-192d00e33ab81b6844471cabff1f91a820494354af4a271affc2b6dd076536e1.xml

$ diff 192d00e33ab81b6844471cabff1f91a820494354af4a271affc2b6dd076536e1.xml new-192d00e33ab81b6844471cabff1f91a820494354af4a271affc2b6dd076536e1.xml && echo $?
0

OK, the old capabilities cache file says QEMU is not able to provide spec-ctrl
to a guest on this host. That explains why libvirt didn't want to start a new
domain with Skylake-Client-IBRS CPU model taken from host capabilities.
However, spec-ctrl is still missing after forcing the cache regeneration and
even /etc/cpuinfo says the CPU does not support this feature and it is
affected by all CPU bugs. I think at this point "virsh capabilities" would
show Skylake-Client (i.e., without the -IBRS suffix) and thus virt-install
succeeds even without the "--cpu host-passthrough" workaround. Could you
please share the current output of "virsh capabilities" with us?

BTW, it's pretty strange that both caps cache files show
<microcodeVersion>112</microcodeVersion> which matches the original output of
"virsh capabilities", but disagrees with /etc/cpuinfo where I can see
microcode: 0x84 (which is 132; 112 would be 0x70).

(In reply to Jiri Denemark from comment #10)
> BTW, it's pretty strange that both caps cache files show
> <microcodeVersion>112</microcodeVersion> which matches the original output of
> "virsh capabilities", but disagrees with /etc/cpuinfo where I can see
> microcode: 0x84 (which is 132; 112 would be 0x70).

libvirtd caches the microcode version for life, so it feels like something caused the capabilities to be regenerated before libvirtd got restarted, or perhaps it did not in fact restart at all. A safer option would be to explicitly stop it before puring cache

systemctl stop libvirtd
rm -f /var/cache/libvirt/qemu/capabilities/*xml
systemctl start libvirtd

(In reply to Daniel Berrange from comment #11)

> libvirtd caches the microcode version for life, so it feels like something
> caused the capabilities to be regenerated before libvirtd got restarted, or
> perhaps it did not in fact restart at all. A safer option would be to
> explicitly stop it before puring cache
> 
> systemctl stop libvirtd
> rm -f /var/cache/libvirt/qemu/capabilities/*xml
> systemctl start libvirtd

OK, I tried this route (explicitly checking to make sure it was active/inactive), but still got the same capabilities XML:

$ sudo systemctl is-active libvirtd
active
$ sudo systemctl stop libvirtd
$ sudo systemctl is-active libvirtd
inactive
$ sudo rm /var/cache/libvirt/qemu/capabilities/192d00e33ab81b6844471cabff1f91a820494354af4a271affc2b6dd076536e1.xml
$ sudo systemctl start libvirtd
$ sudo systemctl is-active libvirtd
active

$ sudo cp /var/cache/libvirt/qemu/capabilities/192d00e33ab81b6844471cabff1f91a820494354af4a271affc2b6dd076536e1.xml regen-192d00e33ab81b6844471cabff1f91a820494354af4a271affc2b6dd076536e1.xml 

$ diff 192d00e33ab81b6844471cabff1f91a820494354af4a271affc2b6dd076536e1.xml regen-192d00e33ab81b6844471cabff1f91a820494354af4a271affc2b6dd076536e1.xml && echo $?
0


> Could you please share the current output of "virsh capabilities" with us?

$ virsh capabilities
<capabilities>

  <host>
    <uuid>6385a54c-31c7-11b2-a85c-bd46707c6150</uuid>
    <cpu>
      <arch>x86_64</arch>
      <model>Skylake-Client-IBRS</model>
      <vendor>Intel</vendor>
      <microcode version='112'/>
      <topology sockets='1' cores='2' threads='2'/>
      <feature name='ds'/>
      <feature name='acpi'/>
      <feature name='ss'/>
      <feature name='ht'/>
      <feature name='tm'/>
      <feature name='pbe'/>
      <feature name='dtes64'/>
      <feature name='monitor'/>
      <feature name='ds_cpl'/>
      <feature name='vmx'/>
      <feature name='smx'/>
      <feature name='est'/>
      <feature name='tm2'/>
      <feature name='xtpr'/>
      <feature name='pdcm'/>
      <feature name='osxsave'/>
      <feature name='tsc_adjust'/>
      <feature name='clflushopt'/>
      <feature name='xsaves'/>
      <feature name='pdpe1gb'/>
      <feature name='invtsc'/>
      <pages unit='KiB' size='4'/>
      <pages unit='KiB' size='2048'/>
      <pages unit='KiB' size='1048576'/>
    </cpu>
    <power_management>
      <suspend_mem/>
    </power_management>
    <migration_features>
      <live/>
      <uri_transports>
        <uri_transport>tcp</uri_transport>
        <uri_transport>rdma</uri_transport>
      </uri_transports>
    </migration_features>
    <topology>
      <cells num='1'>
        <cell id='0'>
          <memory unit='KiB'>16301456</memory>
          <pages unit='KiB' size='4'>4075364</pages>
          <pages unit='KiB' size='2048'>0</pages>
          <pages unit='KiB' size='1048576'>0</pages>
          <distances>
            <sibling id='0' value='10'/>
          </distances>
          <cpus num='4'>
            <cpu id='0' socket_id='0' core_id='0' siblings='0,2'/>
            <cpu id='1' socket_id='0' core_id='1' siblings='1,3'/>
            <cpu id='2' socket_id='0' core_id='0' siblings='0,2'/>
            <cpu id='3' socket_id='0' core_id='1' siblings='1,3'/>
          </cpus>
        </cell>
      </cells>
    </topology>
    <cache>
      <bank id='0' level='3' type='both' size='4' unit='MiB' cpus='0-3'/>
    </cache>
    <secmodel>
      <model>selinux</model>
      <doi>0</doi>
      <baselabel type='kvm'>system_u:system_r:svirt_t:s0</baselabel>
      <baselabel type='qemu'>system_u:system_r:svirt_tcg_t:s0</baselabel>
    </secmodel>
    <secmodel>
      <model>dac</model>
      <doi>0</doi>
      <baselabel type='kvm'>+107:+107</baselabel>
      <baselabel type='qemu'>+107:+107</baselabel>
    </secmodel>
  </host>

  <guest>
    <os_type>hvm</os_type>
    <arch name='i686'>
      <wordsize>32</wordsize>
      <emulator>/usr/bin/qemu-system-i386</emulator>
      <machine maxCpus='255'>pc-i440fx-2.11</machine>
      <machine canonical='pc-i440fx-2.11' maxCpus='255'>pc</machine>
      <machine maxCpus='1'>isapc</machine>
      <machine maxCpus='255'>pc-1.1</machine>
      <machine maxCpus='255'>pc-1.2</machine>
      <machine maxCpus='255'>pc-1.3</machine>
      <machine maxCpus='255'>pc-i440fx-2.8</machine>
      <machine maxCpus='255'>pc-1.0</machine>
      <machine maxCpus='255'>pc-i440fx-2.9</machine>
      <machine maxCpus='255'>pc-i440fx-2.6</machine>
      <machine maxCpus='255'>pc-i440fx-2.7</machine>
      <machine maxCpus='128'>xenfv</machine>
      <machine maxCpus='255'>pc-i440fx-2.3</machine>
      <machine maxCpus='255'>pc-i440fx-2.4</machine>
      <machine maxCpus='255'>pc-i440fx-2.5</machine>
      <machine maxCpus='255'>pc-i440fx-2.1</machine>
      <machine maxCpus='255'>pc-i440fx-2.2</machine>
      <machine maxCpus='255'>pc-i440fx-2.0</machine>
      <machine maxCpus='288'>pc-q35-2.11</machine>
      <machine canonical='pc-q35-2.11' maxCpus='288'>q35</machine>
      <machine maxCpus='1'>xenpv</machine>
      <machine maxCpus='288'>pc-q35-2.10</machine>
      <machine maxCpus='255'>pc-i440fx-1.7</machine>
      <machine maxCpus='288'>pc-q35-2.9</machine>
      <machine maxCpus='255'>pc-0.15</machine>
      <machine maxCpus='255'>pc-i440fx-1.5</machine>
      <machine maxCpus='255'>pc-q35-2.7</machine>
      <machine maxCpus='255'>pc-i440fx-1.6</machine>
      <machine maxCpus='288'>pc-q35-2.8</machine>
      <machine maxCpus='255'>pc-0.13</machine>
      <machine maxCpus='255'>pc-0.14</machine>
      <machine maxCpus='255'>pc-q35-2.4</machine>
      <machine maxCpus='255'>pc-q35-2.5</machine>
      <machine maxCpus='255'>pc-q35-2.6</machine>
      <machine maxCpus='255'>pc-i440fx-1.4</machine>
      <machine maxCpus='255'>pc-i440fx-2.10</machine>
      <machine maxCpus='255'>pc-0.11</machine>
      <machine maxCpus='255'>pc-0.12</machine>
      <machine maxCpus='255'>pc-0.10</machine>
      <domain type='qemu'/>
      <domain type='kvm'>
        <emulator>/usr/bin/qemu-kvm</emulator>
        <machine maxCpus='255'>pc-i440fx-2.11</machine>
        <machine canonical='pc-i440fx-2.11' maxCpus='255'>pc</machine>
        <machine maxCpus='1'>isapc</machine>
        <machine maxCpus='255'>pc-1.1</machine>
        <machine maxCpus='255'>pc-1.2</machine>
        <machine maxCpus='255'>pc-1.3</machine>
        <machine maxCpus='255'>pc-i440fx-2.8</machine>
        <machine maxCpus='255'>pc-1.0</machine>
        <machine maxCpus='255'>pc-i440fx-2.9</machine>
        <machine maxCpus='255'>pc-i440fx-2.6</machine>
        <machine maxCpus='255'>pc-i440fx-2.7</machine>
        <machine maxCpus='128'>xenfv</machine>
        <machine maxCpus='255'>pc-i440fx-2.3</machine>
        <machine maxCpus='255'>pc-i440fx-2.4</machine>
        <machine maxCpus='255'>pc-i440fx-2.5</machine>
        <machine maxCpus='255'>pc-i440fx-2.1</machine>
        <machine maxCpus='255'>pc-i440fx-2.2</machine>
        <machine maxCpus='255'>pc-i440fx-2.0</machine>
        <machine maxCpus='288'>pc-q35-2.11</machine>
        <machine canonical='pc-q35-2.11' maxCpus='288'>q35</machine>
        <machine maxCpus='1'>xenpv</machine>
        <machine maxCpus='288'>pc-q35-2.10</machine>
        <machine maxCpus='255'>pc-i440fx-1.7</machine>
        <machine maxCpus='288'>pc-q35-2.9</machine>
        <machine maxCpus='255'>pc-0.15</machine>
        <machine maxCpus='255'>pc-i440fx-1.5</machine>
        <machine maxCpus='255'>pc-q35-2.7</machine>
        <machine maxCpus='255'>pc-i440fx-1.6</machine>
        <machine maxCpus='288'>pc-q35-2.8</machine>
        <machine maxCpus='255'>pc-0.13</machine>
        <machine maxCpus='255'>pc-0.14</machine>
        <machine maxCpus='255'>pc-q35-2.4</machine>
        <machine maxCpus='255'>pc-q35-2.5</machine>
        <machine maxCpus='255'>pc-q35-2.6</machine>
        <machine maxCpus='255'>pc-i440fx-1.4</machine>
        <machine maxCpus='255'>pc-i440fx-2.10</machine>
        <machine maxCpus='255'>pc-0.11</machine>
        <machine maxCpus='255'>pc-0.12</machine>
        <machine maxCpus='255'>pc-0.10</machine>
      </domain>
    </arch>
    <features>
      <cpuselection/>
      <deviceboot/>
      <disksnapshot default='on' toggle='no'/>
      <acpi default='on' toggle='yes'/>
      <apic default='on' toggle='no'/>
      <pae/>
      <nonpae/>
    </features>
  </guest>

  <guest>
    <os_type>hvm</os_type>
    <arch name='x86_64'>
      <wordsize>64</wordsize>
      <emulator>/usr/bin/qemu-system-x86_64</emulator>
      <machine maxCpus='255'>pc-i440fx-2.11</machine>
      <machine canonical='pc-i440fx-2.11' maxCpus='255'>pc</machine>
      <machine maxCpus='1'>isapc</machine>
      <machine maxCpus='255'>pc-1.1</machine>
      <machine maxCpus='255'>pc-1.2</machine>
      <machine maxCpus='255'>pc-1.3</machine>
      <machine maxCpus='255'>pc-i440fx-2.8</machine>
      <machine maxCpus='255'>pc-1.0</machine>
      <machine maxCpus='255'>pc-i440fx-2.9</machine>
      <machine maxCpus='255'>pc-i440fx-2.6</machine>
      <machine maxCpus='255'>pc-i440fx-2.7</machine>
      <machine maxCpus='128'>xenfv</machine>
      <machine maxCpus='255'>pc-i440fx-2.3</machine>
      <machine maxCpus='255'>pc-i440fx-2.4</machine>
      <machine maxCpus='255'>pc-i440fx-2.5</machine>
      <machine maxCpus='255'>pc-i440fx-2.1</machine>
      <machine maxCpus='255'>pc-i440fx-2.2</machine>
      <machine maxCpus='255'>pc-i440fx-2.0</machine>
      <machine maxCpus='288'>pc-q35-2.11</machine>
      <machine canonical='pc-q35-2.11' maxCpus='288'>q35</machine>
      <machine maxCpus='1'>xenpv</machine>
      <machine maxCpus='288'>pc-q35-2.10</machine>
      <machine maxCpus='255'>pc-i440fx-1.7</machine>
      <machine maxCpus='288'>pc-q35-2.9</machine>
      <machine maxCpus='255'>pc-0.15</machine>
      <machine maxCpus='255'>pc-i440fx-1.5</machine>
      <machine maxCpus='255'>pc-q35-2.7</machine>
      <machine maxCpus='255'>pc-i440fx-1.6</machine>
      <machine maxCpus='288'>pc-q35-2.8</machine>
      <machine maxCpus='255'>pc-0.13</machine>
      <machine maxCpus='255'>pc-0.14</machine>
      <machine maxCpus='255'>pc-q35-2.4</machine>
      <machine maxCpus='255'>pc-q35-2.5</machine>
      <machine maxCpus='255'>pc-q35-2.6</machine>
      <machine maxCpus='255'>pc-i440fx-1.4</machine>
      <machine maxCpus='255'>pc-i440fx-2.10</machine>
      <machine maxCpus='255'>pc-0.11</machine>
      <machine maxCpus='255'>pc-0.12</machine>
      <machine maxCpus='255'>pc-0.10</machine>
      <domain type='qemu'/>
      <domain type='kvm'>
        <emulator>/usr/bin/qemu-kvm</emulator>
        <machine maxCpus='255'>pc-i440fx-2.11</machine>
        <machine canonical='pc-i440fx-2.11' maxCpus='255'>pc</machine>
        <machine maxCpus='1'>isapc</machine>
        <machine maxCpus='255'>pc-1.1</machine>
        <machine maxCpus='255'>pc-1.2</machine>
        <machine maxCpus='255'>pc-1.3</machine>
        <machine maxCpus='255'>pc-i440fx-2.8</machine>
        <machine maxCpus='255'>pc-1.0</machine>
        <machine maxCpus='255'>pc-i440fx-2.9</machine>
        <machine maxCpus='255'>pc-i440fx-2.6</machine>
        <machine maxCpus='255'>pc-i440fx-2.7</machine>
        <machine maxCpus='128'>xenfv</machine>
        <machine maxCpus='255'>pc-i440fx-2.3</machine>
        <machine maxCpus='255'>pc-i440fx-2.4</machine>
        <machine maxCpus='255'>pc-i440fx-2.5</machine>
        <machine maxCpus='255'>pc-i440fx-2.1</machine>
        <machine maxCpus='255'>pc-i440fx-2.2</machine>
        <machine maxCpus='255'>pc-i440fx-2.0</machine>
        <machine maxCpus='288'>pc-q35-2.11</machine>
        <machine canonical='pc-q35-2.11' maxCpus='288'>q35</machine>
        <machine maxCpus='1'>xenpv</machine>
        <machine maxCpus='288'>pc-q35-2.10</machine>
        <machine maxCpus='255'>pc-i440fx-1.7</machine>
        <machine maxCpus='288'>pc-q35-2.9</machine>
        <machine maxCpus='255'>pc-0.15</machine>
        <machine maxCpus='255'>pc-i440fx-1.5</machine>
        <machine maxCpus='255'>pc-q35-2.7</machine>
        <machine maxCpus='255'>pc-i440fx-1.6</machine>
        <machine maxCpus='288'>pc-q35-2.8</machine>
        <machine maxCpus='255'>pc-0.13</machine>
        <machine maxCpus='255'>pc-0.14</machine>
        <machine maxCpus='255'>pc-q35-2.4</machine>
        <machine maxCpus='255'>pc-q35-2.5</machine>
        <machine maxCpus='255'>pc-q35-2.6</machine>
        <machine maxCpus='255'>pc-i440fx-1.4</machine>
        <machine maxCpus='255'>pc-i440fx-2.10</machine>
        <machine maxCpus='255'>pc-0.11</machine>
        <machine maxCpus='255'>pc-0.12</machine>
        <machine maxCpus='255'>pc-0.10</machine>
      </domain>
    </arch>
    <features>
      <cpuselection/>
      <deviceboot/>
      <disksnapshot default='on' toggle='no'/>
      <acpi default='on' toggle='yes'/>
      <apic default='on' toggle='no'/>
    </features>
  </guest>

</capabilities>

    <cpu>
      <arch>x86_64</arch>
      <model>Skylake-Client-IBRS</model>
      <vendor>Intel</vendor>
      <microcode version='112'/>
      ...

This is totally unexpected. However, virsh started by a normal user talks to a
different libvirtd process than virsh (or another libvirt client) executed by
root. Unless you set an environment variable changing the default libvirt URI.
So to make sure we get info from the same daemon virt-install is talking to,
could you either run "virsh -rc qemu:///system capabilities" as normal user or
"virsh capabilities" as root?

If the result still shows <model>Skylake-Client-IBRS</model>, could you please
attach the output of https://libvirt.org/git/?p=libvirt.git;a=blob_plain;f=tests/cputestdata/cpu-gather.sh
script? You may need to install "cpuid" tool if it's not already installed.
The script does not need any special privileges except for accessing /dev/kvm
and you should be able to run it as normal user.

In the past I saw a case when different CPU cores reported slightly different
features. Hopefully, it's not this case, but to be sure could you attach the
complete /proc/cpuinfo?

(In reply to Jiri Denemark from comment #13)

> This is totally unexpected. However, virsh started by a normal user talks to
> a
> different libvirtd process than virsh (or another libvirt client) executed by
> root. Unless you set an environment variable changing the default libvirt
> URI.

I do have the following defined:

LIBVIRT_DEFAULT_URI=qemu:///system

Although, I can't recall why that is in my .bashrc  :(

> So to make sure we get info from the same daemon virt-install is talking to,
> could you either run "virsh -rc qemu:///system capabilities" as normal user
> or
> "virsh capabilities" as root?

I'll attach these.

> If the result still shows <model>Skylake-Client-IBRS</model>, could you
> please
> attach the output of
> https://libvirt.org/git/?p=libvirt.git;a=blob_plain;f=tests/cputestdata/cpu-
> gather.sh
> script? You may need to install "cpuid" tool if it's not already installed.
> The script does not need any special privileges except for accessing /dev/kvm
> and you should be able to run it as normal user.

Interestingly, in preparing to gather the output of this script, I ended up rebooting my laptop and now the model appears to be reported correctly.  I did manage to grab the output from `virsh -rc qemu:///system capabilities` before the reboot and the diff looks like this:

$ diff system-caps new-system-caps 
7c7
<       <model>Skylake-Client-IBRS</model>
---
>       <model>Skylake-Client</model>
37a38,39
>       <suspend_disk/>
>       <suspend_hybrid/>


The kernel version did not change between reboots, so I'm not sure how to explain that.


> In the past I saw a case when different CPU cores reported slightly different
> features. Hopefully, it's not this case, but to be sure could you attach the
> complete /proc/cpuinfo?

Will also attach this shortly.



I don't know if any of the requested information will be relevant, since the CPU model appears to be reported correctly now, but I will still attach the requested files.

Created attachment 1447624 [details]
virsh -rc qemu:///system capabilities (before reboot)

Created attachment 1447625 [details]
virsh -rc qemu://system capabilities (after reboot)

Created attachment 1447626 [details]
output from cpu-gather.sh (after reboot)

Created attachment 1447627 [details]
complete /proc/cpuinfo

I had a similar error message from virt-install and was able to resolve it by adding 

  --cpu Skylake-Client,disable=spec-ctrl

This message is a reminder that Fedora 28 is nearing its end of life.
On 2019-May-28 Fedora will stop maintaining and issuing updates for
Fedora 28. It is Fedora's policy to close all bug reports from releases
that are no longer maintained. At that time this bug will be closed as
EOL if it remains open with a Fedora 'version' of '28'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 28 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Fedora 28 changed to end-of-life (EOL) status on 2019-05-28. Fedora 28 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.