On Thu, 29 Mar 2018 20:43:13 +0200, Florian Haas wrote:
I have a question about enabling nested KVM, or for that matter
passing in any required CPU features to an instance, in combination
with using a "custom" cpu-mode. My compute nodes (Ocata) are
configured to run with cpu_mode=custom, cpu_model=IvyBridge. They are
also configured for nested KVM per the kvm_intel nested=Y module
parameter. virsh capabilities on any compute node correctly yields
<feature name='vmx'/> for the host CPU.

Now, when I schedule an instance to that compute node, it ends up with
a CPU configuration as shown in
http://paste.openstack.org/show/717923/, which means it is not capable
of doing any nested KVM. If I then log onto the compute node, and hack
the libvirt domain config with virsh edit, and I fix up the CPU
configuration to match http://paste.openstack.org/show/717934/, then I
can virsh shutdown/virsh start the domain and when it comes back up,
voilà nested KVM.

So my question is, do I have any way to inject that <feature
policy='require' name='vmx'/> bit into an instance from Nova? Way back
around the Essex release we had a libvirt.xml.template
(https://blog.dachary.org/2012/09/26/openstack-nested-virtual-machines/),
but that was dropped somewhere along the way — is there a contemporary
way to do this?

We discussed this in the #openstack-nova IRC channel today and I'm going to summarize here in case there are others interested in the topic.

It sounds like the "Add ability to configure extra CPU flags for named CPU models" feature [0] being worked on this cycle will provide the functionality you're looking for. It allows extra CPU feature flags to be specified in a new config option. That will be available in the Rocky release.

The motivation for the feature was actually to mitigate the performance penalty of the Meltdown/Spectre CVE fixes. In an effort to also provide operators running stable branch versions the ability to mitigate the penalty, we are going to backport a restricted version of the feature where the only allowed extra CPU feature flag is 'pcid' (the flag needed for mitigation). Stable branches are generally reserved for bug fixes only.

Cheers,
-melanie

[0] https://blueprints.launchpad.net/nova/+spec/libvirt-cpu-model-extra-flags
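The check Florian did by hand (compare the host's `virsh capabilities` against the instance's libvirt domain XML, then add `<feature policy='require' name='vmx'/>` under `<cpu mode='custom'>`) can be scripted. The following is an added example, not code from Nova or from either poster; the capabilities and domain XML fragments are constructed samples modelled on the shape of those outputs, not the pasted configs linked above, and the function names are the example's own. It audits whether a domain will actually get nested KVM, and reproduces the `virsh edit` fix so the result can be compared with what Nova generates once the extra-flags option is in use.

```python
"""Audit a libvirt domain for nested-virtualisation CPU flags (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample of the relevant part of `virsh capabilities` output:
# the host CPU advertises vmx, as the compute nodes in the thread do.
HOST_CAPABILITIES_XML = """<capabilities>
  <host>
    <cpu>
      <arch>x86_64</arch>
      <model>IvyBridge</model>
      <vendor>Intel</vendor>
      <feature name='vmx'/>
      <feature name='pcid'/>
    </cpu>
  </host>
</capabilities>"""

# Constructed sample of a custom-mode CPU block as Nova emits it with
# cpu_mode=custom, cpu_model=IvyBridge and no extra flags: model only, no vmx.
INSTANCE_XML = """<domain type='kvm'>
  <name>instance-00000001</name>
  <cpu mode='custom' match='exact'>
    <model fallback='allow'>IvyBridge</model>
    <topology sockets='1' cores='2' threads='1'/>
  </cpu>
</domain>"""

# Flags that let a guest run its own hypervisor (Intel VT-x / AMD-V).
NESTED_VIRT_FLAGS = ("vmx", "svm")


def host_cpu_features(capabilities_xml):
    """Set of CPU feature names the host advertises in `virsh capabilities`."""
    root = ET.fromstring(capabilities_xml)
    return {f.get("name") for f in root.findall("./host/cpu/feature")}


def domain_cpu_features(domain_xml):
    """Map feature name -> policy for every <feature> under the domain's <cpu>."""
    root = ET.fromstring(domain_xml)
    return {f.get("name"): f.get("policy") for f in root.findall("./cpu/feature")}


def nested_virt_exposed(domain_xml):
    """True only if the guest is guaranteed (policy='require') to see a virt flag."""
    features = domain_cpu_features(domain_xml)
    return any(features.get(flag) == "require" for flag in NESTED_VIRT_FLAGS)


def require_features(domain_xml, flags):
    """Return domain XML with <feature policy='require'/> added for each flag.

    This is the edit made by hand with `virsh edit` in the thread; it is
    idempotent and replaces any weaker policy already present for the flag.
    """
    root = ET.fromstring(domain_xml)
    cpu = root.find("cpu")
    if cpu is None:
        raise ValueError("domain has no <cpu> element")
    present = domain_cpu_features(domain_xml)
    for flag in flags:
        if present.get(flag) == "require":
            continue  # already required, do not add a duplicate
        for old in cpu.findall("feature"):
            if old.get("name") == flag:
                cpu.remove(old)  # drop an optional/disable policy for the flag
        ET.SubElement(cpu, "feature", {"policy": "require", "name": flag})
    return ET.tostring(root, encoding="unicode")


def audit(domain_xml, capabilities_xml):
    """Explain why nested KVM will or will not work for this domain.

    Returns 'ok', 'host-lacks-flag' (kvm_intel nested=Y cannot help) or
    'guest-not-required' (host is fine, the domain XML just does not ask).
    """
    host = host_cpu_features(capabilities_xml)
    if not any(flag in host for flag in NESTED_VIRT_FLAGS):
        return "host-lacks-flag"
    if nested_virt_exposed(domain_xml):
        return "ok"
    return "guest-not-required"


if __name__ == "__main__":
    print("before:", audit(INSTANCE_XML, HOST_CAPABILITIES_XML))
    fixed = require_features(INSTANCE_XML, ["vmx"])
    print("after: ", audit(fixed, HOST_CAPABILITIES_XML))
```

Run against a real node with `virsh capabilities` and `virsh dumpxml <instance>` piped into the two functions. The audit distinguishes the two failure modes that look identical from inside the guest: a host without the flag, and a host that has it but a domain that never asks for it. The blueprint above landed as the `[libvirt]/cpu_model_extra_flags` option in nova.conf, which makes Nova emit the same `policy='require'` element instead of it having to be edited in after the fact.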