Chapter 11. Configuring CPU feature flags for instances
You can enable or disable CPU feature flags for an instance without changing the settings on the host Compute node and without rebooting it. By configuring a standard set of CPU feature flags that is applied to instances, you help to achieve live migration compatibility across Compute nodes. You also help to manage the performance and security of the instances: you can disable flags that have a negative impact on the security or performance of instances that use a particular CPU model, or enable flags that mitigate a security problem or alleviate a performance problem.
11.1. Prerequisites
The CPU model and feature flags must be supported by the hardware and software of the host Compute node:
To check the CPU feature flags that the host CPU provides, enter the following command on the Compute node and read the flags line of the output:
$ cat /proc/cpuinfo
To check the CPU models supported on your host, enter the following command on the Compute node:
$ sudo podman exec -it nova_libvirt virsh cpu-models <arch>
Replace <arch> with the name of the architecture, for example, x86_64.
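As an added example that is not part of this Red Hat document, the following POSIX shell script turns the two checks above into a pre-deployment test. It parses the flags line of /proc/cpuinfo and the output of virsh cpu-models, and reports which flags of a planned NovaLibvirtCPUModelExtraFlags value and which models of a planned NovaLibvirtCPUModels value the host does not support. The HOST_FLAGS and HOST_MODELS values are constructed samples so that the script runs offline; the function names missing_flags, unsupported_models and check_config are this example's own. The script goes slightly beyond the section by translating libvirt flag names to kernel names before comparing, because libvirt writes spec-ctrl and md-clear where the kernel writes spec_ctrl and md_clear.

```shell
#!/bin/sh
# Added example, not part of the Red Hat documentation: check that the CPU
# models and feature flags you plan to configure are supported by this host.

# Constructed sample of the "flags" line of /proc/cpuinfo (a Cascade Lake host).
# On a real Compute node use:
#   HOST_FLAGS=$(grep -m1 '^flags' /proc/cpuinfo | cut -d: -f2)
HOST_FLAGS='fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat
pse36 clflush mmx fxsr sse sse2 ss ht syscall nx pdpe1gb rdtscp lm constant_tsc
pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt aes xsave
avx f16c rdrand lahf_lm abm 3dnowprefetch invpcid_single ssbd ibrs ibpb stibp
fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid avx512f avx512dq rdseed
adx smap clflushopt clwb avx512cd avx512bw avx512vl xsaveopt xsavec xgetbv1
arat avx512_vnni md_clear spec_ctrl intel_stibp flush_l1d arch_capabilities'

# Constructed sample of "virsh cpu-models x86_64" output. On a real node use:
#   HOST_MODELS=$(sudo podman exec -it nova_libvirt virsh cpu-models x86_64)
HOST_MODELS='486
pentium
SandyBridge
IvyBridge
Haswell
Broadwell
Skylake-Server
Cascadelake-Server'

# has_flag KERNEL_NAME: succeed if the host reports the flag in /proc/cpuinfo.
has_flag() {
    for f in $HOST_FLAGS; do
        [ "$f" = "$1" ] && return 0
    done
    return 1
}

# has_model NAME: succeed if libvirt on the host knows the CPU model.
has_model() {
    printf '%s\n' "$HOST_MODELS" | grep -qx -- "$1"
}

# missing_flags SPEC: SPEC is a NovaLibvirtCPUModelExtraFlags value such as
# 'pcid,+ssbd,-mtrr'. Print every flag the spec enables ("+" or no prefix)
# that the host lacks. "-" flags are skipped: disabling a flag the host does
# not have is harmless, while requiring one makes instances fail to start.
missing_flags() {
    old_ifs=$IFS
    IFS=','
    set -- $1            # split the comma-separated spec into $1 $2 ...
    IFS=$old_ifs
    missing=''
    for entry in "$@"; do
        case "$entry" in
            -*) continue ;;
            +*) flag=${entry#+} ;;
            *)  flag=$entry ;;
        esac
        # libvirt uses "-" where the kernel uses "_" (spec-ctrl vs spec_ctrl)
        kflag=$(printf '%s' "$flag" | tr '-' '_')
        has_flag "$kflag" || missing="$missing $flag"
    done
    printf '%s\n' "${missing# }"
}

# unsupported_models LIST: LIST is a NovaLibvirtCPUModels value such as
# 'IvyBridge,Cascadelake-Server'. Print every model the host's libvirt lacks.
unsupported_models() {
    old_ifs=$IFS
    IFS=','
    set -- $1
    IFS=$old_ifs
    bad=''
    for m in "$@"; do
        has_model "$m" || bad="$bad $m"
    done
    printf '%s\n' "${bad# }"
}

# check_config MODELS FLAGS: print a report; return 1 if anything is unsupported.
check_config() {
    bad_models=$(unsupported_models "$1")
    bad_flags=$(missing_flags "$2")
    status=0
    if [ -n "$bad_models" ]; then
        echo "models not known to libvirt on this host: $bad_models"
        status=1
    fi
    if [ -n "$bad_flags" ]; then
        echo "flags to enable that this host CPU lacks: $bad_flags"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: configuration is supported by this host"
    return "$status"
}

# Usage: the configuration from this chapter, then one that would fail.
check_config 'IvyBridge,Cascadelake-Server' 'pcid,+ssbd,-mtrr'
check_config 'IvyBridge,Icelake-Server' 'pcid,+tsx-ctrl,-mtrr' || true
```

Run the script on every Compute node that will receive the environment file: a model or flag that is missing on only one node causes instance start failures on that node and blocks live migration to it.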
11.2. Configuring CPU feature flags for instances
Configure the Compute service to apply CPU feature flags to instances with specific vCPU models.
Procedure
- Log in to the undercloud as the stack user. Source the stackrc file:
[stack@director ~]$ source ~/stackrc
- Open your Compute environment file.
- Configure the instance CPU mode:
parameter_defaults:
  ComputeParameters:
    NovaLibvirtCPUMode: <cpu_mode>
Replace <cpu_mode> with the CPU mode of each instance on the Compute node. Set to one of the following valid values:
- host-model: (Default) Use the CPU model of the host Compute node. Use this CPU mode to automatically add critical CPU flags to the instance to provide mitigation from security flaws: libvirt presents the closest named CPU model to the host CPU plus the additional flags the host provides, so mitigation flags such as ssbd, spec-ctrl and md-clear reach the instance as long as the host CPU and microcode provide them and the host libvirt knows them. Live migration requires that the destination Compute node supports every flag the source exposes.
- custom: Use to configure the specific CPU models each instance should use.
Note: You can also set the CPU mode to host-passthrough to use the same CPU model and feature flags as the Compute node for the instances hosted on that Compute node. An instance in host-passthrough mode can only be live migrated to a Compute node with an identical CPU, so use this mode only where all Compute nodes in the migration group have the same hardware.
- Optional: If you set NovaLibvirtCPUMode to custom, configure the instance CPU models that you want to customise:
parameter_defaults:
  ComputeParameters:
    NovaLibvirtCPUMode: 'custom'
    NovaLibvirtCPUModels: <cpu_model>
Replace <cpu_model> with a comma-separated list of the CPU models that the host supports. List the CPU models in order, placing the more common and less advanced CPU models first in the list, and the more feature-rich CPU models last, for example, SandyBridge,IvyBridge,Haswell,Broadwell. The Compute service gives an instance the first model in the list that satisfies the CPU feature traits requested by its flavor or image; when no traits are requested, it uses the first model. For a list of model names, see /usr/share/libvirt/cpu_map/*.xml, or enter the following command on the host Compute node:
$ sudo podman exec -it nova_libvirt virsh cpu-models <arch>
Replace <arch> with the name of the architecture of the Compute node, for example, x86_64.
- Configure the CPU feature flags for instances with the specified CPU models:
parameter_defaults:
  ComputeParameters:
    ...
    NovaLibvirtCPUModelExtraFlags: <cpu_feature_flags>
Replace <cpu_feature_flags> with a comma-separated list of feature flags to enable or disable. Prefix each flag with "+" to enable the flag, or "-" to disable it. If a prefix is not specified, the flag is enabled. Use the libvirt name of each flag, which can differ from the name that the kernel shows in /proc/cpuinfo: for example, the libvirt flags spec-ctrl and md-clear correspond to the kernel flags spec_ctrl and md_clear. For a list of the available feature flags for a given CPU model, see /usr/share/libvirt/cpu_map/*.xml. The flags apply to every model in NovaLibvirtCPUModels. If you enable a flag that the host CPU does not provide, instances fail to start on that Compute node with an error that the host CPU does not provide the required feature, so check the host as described in Section 11.1 first.
The following example enables the CPU feature flags pcid and ssbd for the IvyBridge and Cascadelake-Server models, and disables the feature flag mtrr:
parameter_defaults:
  ComputeParameters:
    NovaLibvirtCPUMode: 'custom'
    NovaLibvirtCPUModels: 'IvyBridge,Cascadelake-Server'
    NovaLibvirtCPUModelExtraFlags: 'pcid,+ssbd,-mtrr'
- Add your Compute environment file to the stack with your other environment files and deploy the overcloud:
(undercloud)$ openstack overcloud deploy --templates \
  -e [your environment files] \
  -e /home/stack/templates/<compute_environment_file>.yaml
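After the deployment, the following added example (not from this document) shows how to confirm that the configured model and flags reached an instance. The libvirt domain definition that virsh dumpxml prints on the Compute node contains a <cpu> element with the model and one <feature> element per extra flag: policy='require' for enabled flags and policy='disable' for disabled flags. The POSIX shell functions below parse that element and report any deviation from the expected model and flags. The CPU_XML value is a constructed, abbreviated sample of the element produced by the example configuration in this chapter; the function names cpu_model, cpu_features and verify_cpu are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Red Hat documentation: verify that a running
# instance received the configured CPU model and extra feature flags.
#
# To fetch the real element: find the libvirt domain name of the server from a
# host with overcloud credentials, then dump the <cpu> element on its Compute node:
#   name=$(openstack server show <server> -f value -c OS-EXT-SRV-ATTR:instance_name)
#   CPU_XML=$(sudo podman exec -it nova_libvirt virsh dumpxml "$name" \
#             | sed -n '/<cpu /,/<\/cpu>/p')
# The value below is a constructed, abbreviated sample for an IvyBridge instance.
CPU_XML="<cpu mode='custom' match='exact'>
  <model fallback='allow'>IvyBridge</model>
  <vendor>Intel</vendor>
  <feature policy='require' name='pcid'/>
  <feature policy='require' name='ssbd'/>
  <feature policy='disable' name='mtrr'/>
</cpu>"

# cpu_model XML: print the model name from the <model> element.
cpu_model() {
    printf '%s\n' "$1" | sed -n 's/.*<model[^>]*>\([^<]*\)<\/model>.*/\1/p'
}

# cpu_features XML POLICY: print, space separated, the names of all <feature>
# elements with the given policy (require, disable, force, optional, forbid).
cpu_features() {
    printf '%s\n' "$1" \
        | sed -n "s/.*<feature policy='$2' name='\([^']*\)'.*/\1/p" \
        | tr '\n' ' ' | sed 's/ $//'
}

# verify_cpu XML MODEL REQUIRED DISABLED: compare the <cpu> element with the
# expected model, the flags that must carry policy='require' and the flags
# that must carry policy='disable' (both space separated). Print every
# mismatch, or nothing if the instance matches the configuration.
verify_cpu() {
    problems=''
    model=$(cpu_model "$1")
    [ "$model" = "$2" ] || problems="$problems model=$model(expected $2)"
    required=$(cpu_features "$1" require)
    disabled=$(cpu_features "$1" disable)
    for f in $3; do
        case " $required " in
            *" $f "*) ;;
            *) problems="$problems not-required:$f" ;;
        esac
    done
    for f in $4; do
        case " $disabled " in
            *" $f "*) ;;
            *) problems="$problems not-disabled:$f" ;;
        esac
    done
    printf '%s\n' "${problems# }"
}

# Usage: the chapter's example configuration, then a mismatching expectation.
verify_cpu "$CPU_XML" IvyBridge 'pcid ssbd' mtrr
verify_cpu "$CPU_XML" Cascadelake-Server 'pcid ssbd md-clear' mtrr
```

The domain XML shows what libvirt was asked for; to confirm what the guest kernel actually sees, run grep -w -o -e pcid -e ssbd -e mtrr /proc/cpuinfo inside the instance and check that pcid and ssbd appear and mtrr does not.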