OpenStack Compute (nova)

Allow ability to disable individual CPU features via `cpu_model_extra_flags`

Bug #1852437 reported by Kashyap Chamarthy on 2019-11-13

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Compute (nova)	Invalid	Medium	Unassigned

Bug Description

What?
-----

When using a custom CPU model, Nova currently allows enabling
individual CPU flags/features via the config attribute,
`cpu_model_extra_flags`:

    [libvirt]
    cpu_mode=custom
    cpu_model=IvyBridge
    cpu_model_extra_flags="pcid,ssbd, md-clear"

The above only lets you enable the CPU features. This RFE is to also
allow _disabling_ individual CPU features.

Why?
---

A couple of reasons:

  - An Operator wants to generate a baseline CPU config (that facilates
    live migration) across his Compute node pool. However, a certain
    CPU flag is causing an inteolerable performance issue for their
    guest workloads. If the Operator isolated the problem to _that_
    specific CPU flag, then she would like to disable the flag.

  - More importantly, a specific CPU flag might trigger a CPU
    vulnerability. In such a case, the mitigation for it could be to
    simply _disable_ the offending CPU flag.

Allowing disabling of individual CPU flags via Nova would enable the
above use cases.

How?
----

By allowing the notion of '+' / '-' to indicate whether to enable to
disable a given CPU flag.

E.g. if you specify the below in 'nova.conf' (on the Compute nodes):

    [libvirt]
    cpu_mode=custom
    cpu_model=IvyBridge
    cpu_model_extra_flags="+pcid,-mtrr,ssbd"

Then, when you start an instance, Nova should generate the below XML:

    <cpu match='exact'>
      <model fallback='forbid'>IvyBridge</model>
      <vendor>Intel</vendor>
      <feature policy='require' name='pcid'/>
      <feature policy='disable' name='mtrr'/>
      <feature policy='require' name='ssbd'/>
    </cpu>

Note that the requirement to specify '+' / '-' for individual flags
should be optional. If neither is specified, then we should assume '+',
and enable the feature (as shown above for the 'ssbd' flag).

Tags:

Revision history for this message

Matt Riedemann (mriedem) wrote on 2019-11-13:

This is a feature request, not really a bug, so a specless blueprint would be more appropriate for this.

Changed in nova:
importance:	Undecided → Wishlist
tags:	added: libvirt

Revision history for this message

Kashyap Chamarthy (kashyapc) wrote on 2019-11-13:

Blueprint for the above: https://blueprints.launchpad.net/nova/+spec/allow-disabling-cpu-flags

(Maybe should close this bug and track it in the blueprint above?)

Kashyap Chamarthy (kashyapc) on 2019-11-13

Changed in nova:
status:	New → Invalid

Revision history for this message

Kashyap Chamarthy (kashyapc) wrote on 2019-11-14:

A note on bug metadata: I marked this as "Invalid" only because (a) it is being tracked via the blueprint mentioned in comment#2 above, and the feature request is quite valid and enables important use cases; (b) I don't see a better 'Status' field in Launchpad to indicate point (a).

Kashyap Chamarthy (kashyapc) on 2021-02-02

Changed in nova:
status:	Invalid → Triaged
importance:	Wishlist → Medium

Revision history for this message

sean mooney (sean-k-mooney) wrote on 2021-02-05:

setting this back to invalid as Matt Riedemann siad this is a feature not a bug fix.
it is trcked as a blueprint https://blueprints.launchpad.net/nova/+spec/allow-disabling-cpu-flags and we shoudl use that to track it
not this bug.

Changed in nova:
status:	Triaged → Invalid

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Related blueprints

Allow ability to disable individual CPU flags

Remote bug watches

Bug watches keep track of this bug in other bug trackers.