Description Kashyap Chamarthy
2019-11-13 13:46:37 UTC
What?
-----
When using a custom CPU model, Nova currently allows enabling
individual CPU flags/features via the config attribute,
`cpu_model_extra_flags`:
    [libvirt]
    cpu_mode=custom
    cpu_model=IvyBridge
    cpu_model_extra_flags="pcid,ssbd, md-clear"
The above only lets you enable the CPU features. This RFE is to also
allow _disabling_ individual CPU features.
Why?
---
A couple of reasons:
- An Operator wants to generate a baseline CPU config (that facilitates
live migration) across his Compute node pool. However, a certain
CPU flag is causing an intolerable performance issue for their
guest workloads. If the Operator isolated the problem to _that_
specific CPU flag, then she would like to disable the flag.
- More importantly, a specific CPU flag might trigger a CPU
vulnerability. In such a case, the mitigation for it could be to
simply _disable_ the offending CPU flag.
Allowing disabling of individual CPU flags via Nova would enable the
above use cases.
How?
----
By allowing the notion of '+' / '-' to indicate whether to enable or
disable a given CPU flag.
E.g. if you specify the below in 'nova.conf' (on the Compute nodes):
    [libvirt]
    cpu_mode=custom
    cpu_model=IvyBridge
    cpu_model_extra_flags="+pcid,-mtrr,ssbd"
Then, when you start an instance, Nova should generate the below XML:
    <cpu match='exact'>
      <model fallback='forbid'>IvyBridge</model>
      <vendor>Intel</vendor>
      <feature policy='require' name='pcid'/>
      <feature policy='disable' name='mtrr'/>
      <feature policy='require' name='ssbd'/>
    </cpu>
Note that the requirement to specify '+' / '-' for individual flags
should be optional. If neither is specified, then we should assume '+',
and enable the feature (as shown above for the 'ssbd' flag).
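
A sketch of the '+' / '-' mapping requested above, added here as an example; it is not Nova's code and not part of the original report. The function names, the flag-name pattern, the lowercasing, and the choice to reject a flag listed with both policies are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# Assumed name pattern for this sketch; not taken from Nova or libvirt.
_FLAG_NAME = re.compile(r"^[a-z0-9][a-z0-9_.-]*$")


def parse_extra_flags(value):
    """Return an ordered {flag_name: policy} dict from a '+'/'-' flag list."""
    policies = {}
    for raw in value.split(","):
        token = raw.strip().lower()  # lowercasing is an assumption here
        if not token:
            continue  # tolerate empty entries such as a trailing comma
        if token[0] in "+-":
            policy = "require" if token[0] == "+" else "disable"
            name = token[1:].strip()
        else:
            policy, name = "require", token  # no prefix means '+'
        if not _FLAG_NAME.match(name):
            raise ValueError("invalid CPU flag: %r" % raw)
        if policies.get(name, policy) != policy:
            # Fail closed: a flag disabled as a mitigation must not be
            # silently re-enabled by another entry in the same list.
            raise ValueError("conflicting policies for CPU flag %r" % name)
        policies[name] = policy
    return policies


def build_cpu_xml(model, vendor, extra_flags):
    """Build the <cpu> element shown in the report for a custom CPU model."""
    cpu = ET.Element("cpu", match="exact")
    ET.SubElement(cpu, "model", fallback="forbid").text = model
    ET.SubElement(cpu, "vendor").text = vendor
    for name, policy in parse_extra_flags(extra_flags).items():
        ET.SubElement(cpu, "feature", policy=policy, name=name)
    return cpu


if __name__ == "__main__":
    cpu = build_cpu_xml("IvyBridge", "Intel", "+pcid,-mtrr,ssbd")
    ET.indent(cpu)  # requires Python 3.9+
    print(ET.tostring(cpu, encoding="unicode"))
```
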
Comment 1 Kashyap Chamarthy
2019-11-13 14:08:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (Release of components for Red Hat OpenStack Platform 17.0 (Wallaby)), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHEA-2022:6543