10.2. Configuring CPU feature flags for instances

Configure the Compute service to apply CPU feature flags to instances with specific vCPU models.

Procedure

  1. Log in to the undercloud as the stack user.
  2. Source the stackrc file:

    [stack@director ~]$ source ~/stackrc
  3. Open your Compute environment file.
  4. Configure the instance CPU mode:

    parameter_defaults:
      ComputeParameters:
        NovaLibvirtCPUMode: <cpu_mode>

    Replace <cpu_mode> with the CPU mode of each instance on the Compute node. Set to one of the following valid values:

    • host-model: (Default) Use the CPU model of the host Compute node. Use this CPU mode to automatically add critical CPU flags to the instance to provide mitigation from security flaws.
    • custom: Use to configure the specific CPU models each instance should use.

      注記

      You can also set the CPU mode to host-passthrough to use the same CPU model and feature flags as the Compute node for the instances hosted on that Compute node.

  5. Optional: If you set NovaLibvirtCPUMode to custom, configure the instance CPU models that you want to customise:

    parameter_defaults:
      ComputeParameters:
        NovaLibvirtCPUMode: 'custom'
        NovaLibvirtCPUModels: <cpu_model>

    Replace <cpu_model> with a comma-separated list of the CPU models that the host supports. List the CPU models in order, placing the more common and less advanced CPU models first in the list, and the more feature-rich CPU models last, for example, SandyBridge,IvyBridge,Haswell,Broadwell. For a list of model names, see /usr/share/libvirt/cpu_map.xml, or enter the following command on the host Compute node:

    $ sudo podman exec -it nova_libvirt virsh cpu-models <arch>

    Replace <arch> with the name of the architecture of the Compute node, for example, x86_64.

  6. Configure the CPU feature flags for instances with the specified CPU models:

    parameter_defaults:
      ComputeParameters:
        ...
        NovaLibvirtCPUModelExtraFlags: <cpu_feature_flags>

    Replace <cpu_feature_flags> with a comma-separated list of feature flags to enable or disable. Prefix each flag with "+" to enable the flag, or "-" to disable it. If a prefix is not specified, the flag is enabled. For a list of the available feature flags for a given CPU model, see /usr/share/libvirt/cpu_map/*.xml.

    The following example enables the CPU feature flags pcid and ssbd for the IvyBridge and Cascadelake-Server models, and disables the feature flag mtrr.

    parameter_defaults:
      ComputeParameters:
        NovaLibvirtCPUMode: 'custom'
        NovaLibvirtCPUModels: 'IvyBridge','Cascadelake-Server'
        NovaLibvirtCPUModelExtraFlags: 'pcid,+ssbd,-mtrr'
  7. Add your Compute environment file to the stack with your other environment files and deploy the overcloud:

    (undercloud)$ openstack overcloud deploy --templates \
     -e [your environment files] \
     -e /home/stack/templates/<compute_environment_file>.yaml