
Understood. Thanks for your help and your fast reply!

On 16/08/18 09:24, Michal Skrivanek wrote:
On 16 Aug 2018, at 09:13, Eduardo Mayoral <emayoral@arsys.es> wrote:
Hi,
For mitigation of the recently announced L1TF vulnerability, is it sufficient to update the compute nodes to the updated kernel?
for all mitigations? no, you’d need to disable HT
Are any other updates to KVM / vdsm / ovirt-engine required?
no, nothing that would be pending. If you’re running latest updates you should be fine. Vendor’s microcode would help with performance degradation, but it’s not strictly needed IIUC.
Also, for the concurrent variant. Should we disable hyperthreading altogether? Is there any remediation (even if expensive from a performance view), that can be enabled?
for complete mitigation HT needs to be disabled. Either in BIOS or kernel cmdline or even dynamically after the system has booted, in sysfs. It’s not always practical, so you should probably review the details and also compare the performance degradation for your workloads. It really varies a lot.
Red Hat published a security article which applies to platforms oVirt runs on (obviously:) https://access.redhat.com/security/vulnerabilities/L1TF
Thanks,
michal
Thanks for your help!
--
Eduardo Mayoral.
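Whichever of the three places named in the thread is used to disable HT (BIOS, kernel command line, or sysfs), the result shows up in the kernel's sysfs reporting. The following is an added example, not part of the original thread: a shell function that reads `/sys/devices/system/cpu/vulnerabilities/l1tf` and `/sys/devices/system/cpu/smt/control` and classifies a compute node. The function name, return codes and output labels are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report L1TF mitigation state on a KVM host.
# Pass a directory to audit a copied or constructed tree instead of the
# live /sys/devices/system/cpu.
# Return codes (assumed convention): 0 = mitigated, 1 = partial, 2 = exposed.

l1tf_audit() {
    cpu_dir="${1:-/sys/devices/system/cpu}"
    vuln_file="$cpu_dir/vulnerabilities/l1tf"
    smt_file="$cpu_dir/smt/control"

    # Kernels without the L1TF update do not expose this file at all.
    if [ ! -r "$vuln_file" ]; then
        echo "UNPATCHED: no L1TF reporting, kernel update missing"
        return 2
    fi
    vuln=$(cat "$vuln_file")
    smt="unknown"
    [ -r "$smt_file" ] && smt=$(cat "$smt_file")

    case "$vuln" in
        "Not affected"*)
            echo "OK: CPU not affected"; return 0 ;;
        *"VMX: vulnerable"*|Vulnerable*)
            echo "VULNERABLE: $vuln"; return 2 ;;
    esac

    # The vulnerability string itself also reports the SMT state.
    case "$vuln" in *"SMT disabled"*) smt="off" ;; esac

    # With SMT active, a guest on the sibling thread shares the L1D cache,
    # so the kernel update alone is only a partial mitigation.
    case "$smt" in
        off|forceoff|notsupported)
            echo "OK: SMT=$smt; $vuln"; return 0 ;;
        *)
            echo "PARTIAL: SMT=$smt, sibling-thread exposure remains; $vuln"
            return 1 ;;
    esac
}

# Runtime change via sysfs (root required, lost on reboot):
#   echo off > /sys/devices/system/cpu/smt/control
# Persistent equivalent on the kernel command line: nosmt
```

Call `l1tf_audit` with no argument on a hypervisor to check the live system; a result of `PARTIAL` corresponds to the "updated kernel only" case asked about in the thread.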