Nested virtualization (aka CPU extra flags revisited)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Fix Released | Undecided | Florian Haas |
OpenStack Public Cloud WG | Fix Released | Undecided | Kashyap Chamarthy |
Bug Description
We should contribute some authoritative documentation on how to configure nested virtualization in a way that (a) doesn't break live migration, (b) does not tank guest performance because of Spectre/Meltdown.
Since https:/
[libvirt]
cpu_mode = custom
cpu_model = IvyBridge
cpu_model_
It is my understanding that deployers should always set the pcid flag so that Spectre/Meltdown mitigation patches don't kill guest performance. Deployers who want to also enable nested virtualization should enable pcid,vmx (which is only available from Rocky forward — in prior releases pcid is the only available option for reasons discussed in that Gerrit change).
This is already documented, albeit only deeply buried in the Nova configuration reference. I think it would be good to have a paragraph in the admin guide as well that simply explains how to enable nested virtualization, and what to consider. In particular, that enabling nested virtualization breaks live migration for guests that are themselves running guests, which tends to not be very widely known among OpenStack users.
Related links:
https:/
https:/
https:/
https:/
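The following check is an added example, not code from this bug report, from Nova or from libvirt. It reads the [libvirt] options the report names (cpu_mode, cpu_model, cpu_model_extra_flags) and compares the requested extra flags against a host's /proc/cpuinfo flags line and the kvm_intel "nested" module parameter, reporting the two things an operator should know before rolling this out: a missing pcid (guest performance under the Spectre/Meltdown mitigations) and a present vmx (live migration of instances that themselves run guests is not supported). The sample configs, the sample flags line and all function names are constructed for illustration.

```python
"""Check a nova.conf [libvirt] section for the nested-virt / pcid settings.

Added example; not code from the bug report, from Nova or from libvirt.
It assumes only the Nova [libvirt] options cpu_mode, cpu_model and
cpu_model_extra_flags, plus the kernel's
/sys/module/kvm_intel/parameters/nested switch. The sample configs, the
sample /proc/cpuinfo flags line and the function names are constructed.
"""
import configparser

# Constructed sample config: custom model, no extra flags. Guests get
# neither pcid (slower Meltdown/Spectre mitigations) nor vmx (no nested virt).
BASE_CONF = """
[libvirt]
cpu_mode = custom
cpu_model = IvyBridge
"""

# Constructed sample config: pcid for mitigation performance plus vmx for
# nested virtualization (Rocky and later; earlier releases accept only pcid).
NESTED_CONF = """
[libvirt]
cpu_mode = custom
cpu_model = IvyBridge
cpu_model_extra_flags = pcid,vmx
"""

# Constructed line in the shape of `grep -m1 ^flags /proc/cpuinfo` on a
# host that exposes both vmx and pcid.
HOST_FLAGS = ("flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr "
              "pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx "
              "lm vmx smx pcid sse4_1 sse4_2 x2apic popcnt aes xsave avx")


def libvirt_section(conf_text):
    """Return the [libvirt] options as a dict; missing section -> {}."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return dict(cp["libvirt"]) if cp.has_section("libvirt") else {}


def extra_flags(conf_text):
    """Set of flags listed in cpu_model_extra_flags (comma separated)."""
    raw = libvirt_section(conf_text).get("cpu_model_extra_flags", "")
    return {f.strip().lower() for f in raw.split(",") if f.strip()}


def host_flags(cpuinfo_line):
    """Set of CPU flags parsed from a /proc/cpuinfo 'flags' line."""
    _, _, values = cpuinfo_line.partition(":")
    return set(values.split())


def check_config(conf_text, cpuinfo_line, kvm_nested="N"):
    """Return findings as 'ERROR: ...' / 'WARN: ...' strings.

    kvm_nested is the content of /sys/module/kvm_intel/parameters/nested
    ('Y' or '1' when nested virt is enabled in the host kernel).
    """
    findings = []
    sect = libvirt_section(conf_text)
    flags = extra_flags(conf_text)
    host = host_flags(cpuinfo_line)

    if sect.get("cpu_mode") == "custom" and not sect.get("cpu_model"):
        findings.append("ERROR: cpu_mode=custom requires cpu_model")

    # A requested flag the host CPU lacks cannot be exposed on this node.
    for flag in sorted(flags - host):
        findings.append(f"ERROR: host CPU does not expose requested flag '{flag}'")

    if "pcid" not in flags:
        findings.append("WARN: pcid not exposed to guests; Spectre/Meltdown "
                        "mitigations inside guests will cost more performance")

    if "vmx" in flags:
        # The caveat the bug report asks to have documented.
        findings.append("WARN: vmx exposed: live migration of instances that "
                        "run their own guests is not supported")
        if kvm_nested.strip().upper() not in ("Y", "1"):
            findings.append("ERROR: vmx requested but kvm_intel nested is "
                            "disabled on the host")

    return findings


if __name__ == "__main__":
    for name, conf in (("base", BASE_CONF), ("nested", NESTED_CONF)):
        print(f"== {name} ==")
        for line in check_config(conf, HOST_FLAGS, kvm_nested="Y"):
            print(line)
```

On a real compute node, feed `check_config` the contents of /etc/nova/nova.conf, the first `flags` line of /proc/cpuinfo and the contents of /sys/module/kvm_intel/parameters/nested; run it on every host in the migration pool, since a flag missing on one host makes instances carrying it unschedulable or unmigratable there.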
tags: added: docs libvirt
Changed in openstack-publiccloud-wg:
status: New → Fix Released
I think Kashyap would be an ideal person to write some admin docs for this. He has context on live migration, nested virt, as well as the spectre/meltdown stuff. He also loves words.
Kashyap could you take this on?