On 16 Aug 2018, at 09:13, Eduardo Mayoral <emayoral(a)arsys.es> wrote:

> Hi,
>
> For mitigation of the recently announced L1TF vulnerability, is it
> sufficient to update the compute nodes to the updated kernel?

For all mitigations? No, you’d need to disable HT.

> Are any other updates to KVM / vdsm / ovirt-engine required?

No, nothing that would be pending. If you’re running the latest updates you should be fine.
Vendor’s microcode would help with performance degradation, but it’s not strictly needed
IIUC.

> Also, for the concurrent variant. Should we disable hyperthreading
> altogether? Is there any remediation (even if expensive from a
> performance view), that can be enabled?

For complete mitigation HT needs to be disabled, either in BIOS or on the kernel cmdline or even
dynamically after the system has booted, in sysfs.
It’s not always practical, so you should probably review the details and also compare the
performance degradation for your workloads. It really varies a lot.
Red Hat published a security article which applies to platforms oVirt runs on
(obviously :)
https://access.redhat.com/security/vulnerabilities/L1TF

Thanks,
michal

> Thanks for your help!
>
> --
> Eduardo Mayoral.
_______________________________________________
Users mailing list -- users(a)ovirt.org
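Added example, not part of the original thread and not oVirt or Red Hat code: a check that tells apart the two states discussed above, an updated kernel with hyperthreading still on versus one with SMT disabled, by reading the kernel's `vulnerabilities/l1tf` and `smt/control` sysfs files. The function names, return codes and the sample status line in `l1tf_demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a KVM host's L1TF exposure from kernel sysfs.
# Return codes: 0 mitigated/not affected, 1 partial (SMT still on),
# 2 vulnerable, 3 kernel does not report L1TF (likely not updated).
l1tf_assess() {
    cpu_root="${1:-/sys/devices/system/cpu}"   # override for offline tests
    vuln_file="$cpu_root/vulnerabilities/l1tf"
    smt_file="$cpu_root/smt/control"

    if [ ! -r "$vuln_file" ]; then
        echo "unknown: no L1TF status in sysfs, kernel probably not updated"
        return 3
    fi
    status=$(cat "$vuln_file")
    smt="not reported"
    if [ -r "$smt_file" ]; then smt=$(cat "$smt_file"); fi

    case "$status" in
        "Not affected"*)
            echo "ok: CPU not affected"; return 0 ;;
        Vulnerable*|*"VMX: vulnerable"*)
            echo "vulnerable: $status"; return 2 ;;
        *"SMT vulnerable"*)
            # Updated kernel, but sibling hyperthreads still share the L1D.
            # Runtime fix: echo off > $cpu_root/smt/control (or boot with nosmt).
            echo "partial: $status (smt/control=$smt)"; return 1 ;;
        *)
            echo "ok: $status (smt/control=$smt)"; return 0 ;;
    esac
}

# Constructed sample: an updated host that still has hyperthreading enabled.
l1tf_demo() {
    demo_root=$(mktemp -d)
    mkdir -p "$demo_root/vulnerabilities" "$demo_root/smt"
    echo "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable" \
        > "$demo_root/vulnerabilities/l1tf"
    echo on > "$demo_root/smt/control"
    demo_rc=0
    l1tf_assess "$demo_root" || demo_rc=$?
    rm -rf "$demo_root"
    return "$demo_rc"
}
```

On a real compute node, call `l1tf_assess` with no argument; a return code of 1 is the "updated kernel, HT still enabled" case from the reply above.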