Understood. Thanks for your help and your fast reply!
On 16/08/18 09:24, Michal Skrivanek wrote:
> On 16 Aug 2018, at 09:13, Eduardo Mayoral <emayoral(a)arsys.es> wrote:
>
>
> Hi,
>
> For mitigation of the recently announced L1TF vulnerability, is it
> sufficient to update the compute nodes to the updated kernel?
for all mitigations? no, you’d need to disable HT
> Are any
> other updates to KVM / vdsm / ovirt-engine required?
no, nothing that would be pending. If you’re running latest updates you should be fine.
Vendor’s microcode would help with performance degradation, but it’s not strictly needed IIUC.
> Also, for the concurrent variant. Should we disable hyperthreading
> altogether? Is there any remediation (even if expensive from a
> performance view), that can be enabled?
for complete mitigation HT needs to be disabled. Either in BIOS or kernel cmdline or even dynamically after system booted in sysfs.
It’s not always practical, so you should probably review the details and also compare the performance degradation for your workloads. It really varies a lot.
Red Hat published a security article which applies to platforms oVirt runs on (obviously :)
https://access.redhat.com/security/vulnerabilities/L1TF
Thanks
michal
> Thanks for your help!
>
> --
>
> Eduardo Mayoral.
>
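
An added example, not part of the thread above: a host-side check that reads the kernel's L1TF and SMT state from sysfs to tell whether a compute node has only the kernel mitigations or also has HT disabled. The function name `l1tf_assess`, its return codes and the overridable sysfs root are assumptions made for this example; the two sysfs files are the standard interface exposed by L1TF-aware Linux kernels.

```shell
#!/bin/sh
# l1tf_assess [SYSFS_ROOT]  (hypothetical helper, example only)
# Return codes (chosen for this example):
#   0 = not affected, or mitigated with SMT off
#   1 = kernel mitigations active but SMT still enabled (partial)
#   2 = kernel reports the host or its VMX path as vulnerable
#   3 = kernel does not expose L1TF status (kernel predates the fix)
l1tf_assess() {
    root="${1:-/sys}"
    vuln_file="$root/devices/system/cpu/vulnerabilities/l1tf"
    smt_file="$root/devices/system/cpu/smt/control"

    if [ ! -r "$vuln_file" ]; then
        echo "UNKNOWN: no L1TF status in sysfs, kernel likely not updated"
        return 3
    fi
    status=$(cat "$vuln_file")

    smt="unknown"
    if [ -r "$smt_file" ]; then
        smt=$(cat "$smt_file")
    fi

    case "$status" in
        "Not affected"*)
            echo "OK: CPU not affected"; return 0 ;;
        Vulnerable*|*"VMX: vulnerable"*)
            # L1D flush on VM entry is off: guests are not isolated from host data
            echo "VULNERABLE: $status"; return 2 ;;
    esac

    case "$smt" in
        off|forceoff|notsupported)
            echo "OK: SMT=$smt; $status"; return 0 ;;
        *)
            # Sibling hyperthreads share the L1D, so a guest on one thread
            # is not covered by the flush done for the other thread.
            echo "PARTIAL: SMT=$smt; $status"; return 1 ;;
    esac
}
```

Run `l1tf_assess` with no argument on a compute node; a PARTIAL result corresponds to the "updated kernel, HT still on" state discussed in the thread.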