Chapter 10. Configuring CPU feature flags for instances
You can enable or disable CPU feature flags for an instance without changing the settings on the host Compute node and rebooting the Compute node. By configuring the standard set of CPU feature flags that are applied to instances, you help to achieve live migration compatibility across Compute nodes. You also help to manage the performance and security of the instances, by disabling flags that have a negative impact on the security or performance of the instances with a particular CPU model, or by enabling flags that mitigate a security problem or alleviate performance problems.
10.1. Prerequisites
The CPU model and feature flags must be supported by the hardware and software of the host Compute node:
- To check the hardware your host supports, enter the following command on the Compute node:
    $ cat /proc/cpuinfo
- To check the CPU models supported on your host, enter the following command on the Compute node:
    $ sudo podman exec -it nova_libvirt virsh cpu-models <arch>
  Replace <arch> with the name of the architecture, for example, x86_64.
10.2. Configuring CPU feature flags for instances
Configure the Compute service to apply CPU feature flags to instances with specific vCPU models.
Procedure
- Log in to the undercloud as the stack user.
- Source the stackrc file:
    [stack@director ~]$ source ~/stackrc
- Open your Compute environment file.
- Configure the instance CPU mode:
    parameter_defaults:
      ComputeParameters:
        NovaLibvirtCPUMode: <cpu_mode>
  Replace <cpu_mode> with the CPU mode of each instance on the Compute node. Set to one of the following valid values:
  - host-model: (Default) Use the CPU model of the host Compute node. Use this CPU mode to automatically add critical CPU flags to the instance to provide mitigation from security flaws.
  - custom: Use to configure the specific CPU models each instance should use.
  Note: You can also set the CPU mode to host-passthrough to use the same CPU model and feature flags as the Compute node for the instances hosted on that Compute node.
- Optional: If you set NovaLibvirtCPUMode to custom, configure the instance CPU models that you want to customise:
    parameter_defaults:
      ComputeParameters:
        NovaLibvirtCPUMode: 'custom'
        NovaLibvirtCPUModels: <cpu_model>
  Replace <cpu_model> with a comma-separated list of the CPU models that the host supports. List the CPU models in order, placing the more common and less advanced CPU models first in the list, and the more feature-rich CPU models last, for example, SandyBridge,IvyBridge,Haswell,Broadwell. For a list of model names, see /usr/share/libvirt/cpu_map.xml, or enter the following command on the host Compute node:
    $ sudo podman exec -it nova_libvirt virsh cpu-models <arch>
  Replace <arch> with the name of the architecture of the Compute node, for example, x86_64.
- Configure the CPU feature flags for instances with the specified CPU models:
    parameter_defaults:
      ComputeParameters:
        ...
        NovaLibvirtCPUModelExtraFlags: <cpu_feature_flags>
  Replace <cpu_feature_flags> with a comma-separated list of feature flags to enable or disable. Prefix each flag with "+" to enable the flag, or "-" to disable it. If a prefix is not specified, the flag is enabled. For a list of the available feature flags for a given CPU model, see /usr/share/libvirt/cpu_map/*.xml.
  The following example enables the CPU feature flags pcid and ssbd for the IvyBridge and Cascadelake-Server models, and disables the feature flag mtrr.
    parameter_defaults:
      ComputeParameters:
        NovaLibvirtCPUMode: 'custom'
        NovaLibvirtCPUModels: 'IvyBridge,Cascadelake-Server'
        NovaLibvirtCPUModelExtraFlags: 'pcid,+ssbd,-mtrr'
- Add your Compute environment file to the stack with your other environment files and deploy the overcloud:
    (undercloud)$ openstack overcloud deploy --templates \
      -e [your environment files] \
      -e /home/stack/templates/<compute_environment_file>.yaml
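
A pre-deployment check that ties the prerequisite to the flag syntax above: it parses a NovaLibvirtCPUModelExtraFlags value and lists every flag it enables that is absent from the host's /proc/cpuinfo. This is an added example, not part of the original documentation; the function names and the sample cpuinfo text are constructed, and mapping hyphens to underscores when comparing names is an assumption.

```shell
#!/bin/sh
# Added example (not from the product documentation).

# Constructed sample of /proc/cpuinfo content, so the script runs offline.
SAMPLE_CPUINFO='processor : 0
model name : Constructed Sample CPU
flags : fpu vme mtrr pge pcid sse4_2 avx md_clear'

# Print, one per line, the flags that an ExtraFlags string ENABLES.
# "+flag" or a bare "flag" enables; "-flag" disables and is skipped.
enabled_flags() {
    printf '%s\n' "$1" | tr ',' '\n' | tr -d ' \t' | while IFS= read -r item; do
        case "$item" in
            ''|-*) ;;                              # empty entry or disabled flag
            +*)    printf '%s\n' "${item#+}" ;;    # explicit enable
            *)     printf '%s\n' "$item" ;;        # no prefix means enable
        esac
    done
}

# Read cpuinfo text on stdin and print the enabled flags the host lacks.
# $1: value of NovaLibvirtCPUModelExtraFlags
missing_flags() {
    host_line=$(awk -F': *' '/^flags[ \t]*:/ { print $2; exit }')
    for want in $(enabled_flags "$1"); do
        # Assumption: libvirt spells some flags with hyphens where the kernel
        # uses underscores (md-clear / md_clear). Other names can differ too,
        # so treat a reported flag as a prompt to check by hand.
        kernel_name=$(printf '%s' "$want" | sed 's/-/_/g')
        case " $host_line " in
            *" $kernel_name "*) ;;
            *) printf '%s\n' "$want" ;;
        esac
    done
}

# Demo on the constructed sample, using the flag string from the example above.
# On a Compute node: missing_flags 'pcid,+ssbd,-mtrr' < /proc/cpuinfo
printf '%s\n' "$SAMPLE_CPUINFO" | missing_flags 'pcid,+ssbd,-mtrr'
```

An empty result means every enabled flag was found on the host. Run the check on each Compute node that receives the environment file.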