[PVE-User] Meltdown/Spectre mitigation options / Intel microcode

Uwe Sauter uwe.sauter.de at gmail.com
Tue May 8 16:08:31 CEST 2018


Hi,

switching to "host" CPU is only possible if all hosts in the cluster have the same CPU type (at least if you care about live
migration). As I'm using the cluster to provide HA services, this is no option for me.


Regards,

	Uwe

Am 08.05.2018 um 16:04 schrieb lemonnierk at ulrar.net:
> Hi,
> 
> I believe you are correct. Personally I've just switched all
> my VM to "host" CPU instead, which eliminates the question.
> If you are using debian (and no source based distributions
> like gentoo with -march=native) you can do so safely,
> as far as I can tell.
> 
> On Tue, May 08, 2018 at 03:31:52PM +0200, Uwe Sauter wrote:
>> Hi all,
>>
>> I recently discovered that one of the updates since turn of the year introduced options to let the VM know about Meltdown/Spectre
>> mitigation on the host (VM configuration -> processors -> advanced -> PCID & SPEC-CTRL).
>>
>> I'm not sure if I understand the documentation correctly so please correct me if I'm wrong with the following:
>>
>> I have two different CPU types in my cluster, Intel Xeon E5606 and Intel Xeon E5-2670. Both do not have the latest microcode
>> because I don't have stretch-backports enabled (which provides microcode from 20180312 in contrast to stretch's version from
>> 20170707).
>>
>> Both have the "pcid" CPU flag, as well as "pti" and "retpoline" (whiche are not mentioned in the docs and probably show kernel
>> features and not CPU features). Both *do not* have "spec_ctrl".
>>
>> All my VMs are configured to use "default (kvm64)" CPUs.
>>
>> This means that I should manually enable the PCID flag as the kvm64 CPU doesn't set this automatically. But I mustn't enable
>> SPEC-CTRL because my host hardware doesn't support the feature. Is this correct?
>>
>>
>>
>> Regards,
>>
>> 	Uwe
>> _______________________________________________
>> pve-user mailing list
>> pve-user at pve.proxmox.com
>> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
> 



More information about the pve-user mailing list