Hi Christian, I'd say that the CPUs aren't perfectly uniform in terms of capabilities and microcode patches. "ssbd" is a speculative store bypass, as far as I know and if your host doesn't have the ยต-code patches installed but your cluster definition has them (based typically on the machine used to install the hosted-engine), then you either need to lower your base in the hosted-engine VM (and restart it), or patch the host so it delivers on the mitigation.
All this Spectre stuff is creating quite a bit of extra work and I try to just keep them out of my clusters, because I have no potential for hostile workloads on them (nor data worth exploiting). But it's clear that production environments with compliance requirements need to manage this carefully. _______________________________________________ Users mailing list -- [email protected] To unsubscribe send an email to [email protected] Privacy Statement: https://www.ovirt.org/site/privacy-policy/ oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/[email protected]/message/4A46VIW5ZFGVTQAGZ6OXRX4H2F7NYUDD/
