Chapter 10. Configuring CPU feature flags for instances

You can enable or disable CPU feature flags for an instance without changing the settings on the host Compute node and rebooting the Compute node. By configuring the standard set of CPU feature flags that are applied to instances, you are helping to achieve live migration compatibility across Compute nodes. You are also helping to manage the performance and security of the instances, by disabling flags that have a negative impact on the security or performance of the instances with a particular CPU model, or enabling flags that provide mitigation from a security problem or alleviates performance problems.

10.1. Prerequisites

  • The CPU model and feature flags must be supported by the hardware and software of the host Compute node:

    • To check the hardware your host supports, enter the following command on the Compute node:

      $ cat /proc/cpuinfo
    • To check the CPU models supported on your host, enter the following command on the Compute node:

      $ sudo podman exec -it nova_libvirt virsh cpu-models <arch>

      Replace <arch> with the name of the architecture, for example, x86_64.

10.2. Configuring CPU feature flags for instances

Configure the Compute service to apply CPU feature flags to instances with specific vCPU models.

Procedure

  1. Log in to the undercloud as the stack user.
  2. Source the stackrc file:

    [stack@director ~]$ source ~/stackrc
  3. Open your Compute environment file.
  4. Configure the instance CPU mode:

    parameter_defaults:
      ComputeParameters:
        NovaLibvirtCPUMode: <cpu_mode>

    Replace <cpu_mode> with the CPU mode of each instance on the Compute node. Set to one of the following valid values:

    • host-model: (Default) Use the CPU model of the host Compute node. Use this CPU mode to automatically add critical CPU flags to the instance to provide mitigation from security flaws.
    • custom: Use to configure the specific CPU models each instance should use.

      Note

      You can also set the CPU mode to host-passthrough to use the same CPU model and feature flags as the Compute node for the instances hosted on that Compute node.

  5. Optional: If you set NovaLibvirtCPUMode to custom, configure the instance CPU models that you want to customise:

    parameter_defaults:
      ComputeParameters:
        NovaLibvirtCPUMode: 'custom'
        NovaLibvirtCPUModels: <cpu_model>

    Replace <cpu_model> with a comma-separated list of the CPU models that the host supports. List the CPU models in order, placing the more common and less advanced CPU models first in the list, and the more feature-rich CPU models last, for example, SandyBridge,IvyBridge,Haswell,Broadwell. For a list of model names, see /usr/share/libvirt/cpu_map.xml, or enter the following command on the host Compute node:

    $ sudo podman exec -it nova_libvirt virsh cpu-models <arch>

    Replace <arch> with the name of the architecture of the Compute node, for example, x86_64.

  6. Configure the CPU feature flags for instances with the specified CPU models:

    parameter_defaults:
      ComputeParameters:
        ...
        NovaLibvirtCPUModelExtraFlags: <cpu_feature_flags>

    Replace <cpu_feature_flags> with a comma-separated list of feature flags to enable or disable. Prefix each flag with "+" to enable the flag, or "-" to disable it. If a prefix is not specified, the flag is enabled. For a list of the available feature flags for a given CPU model, see /usr/share/libvirt/cpu_map/*.xml.

    The following example enables the CPU feature flags pcid and ssbd for the IvyBridge and Cascadelake-Server models, and disables the feature flag mtrr.

    parameter_defaults:
      ComputeParameters:
        NovaLibvirtCPUMode: 'custom'
        NovaLibvirtCPUModels: 'IvyBridge','Cascadelake-Server'
        NovaLibvirtCPUModelExtraFlags: 'pcid,+ssbd,-mtrr'
  7. Add your Compute environment file to the stack with your other environment files and deploy the overcloud:

    (undercloud)$ openstack overcloud deploy --templates \
     -e [your environment files] \
     -e /home/stack/templates/<compute_environment_file>.yaml