[Openstack] [nova] Enabling nested KVM (or injecting any CPU feature flags) with cpu_mode=custom
On Thu, 29 Mar 2018 20:43:13 +0200, Florian Haas wrote:
> I have a question about enabling nested KVM, or for that matter
> passing in any required CPU features to an instance, in combination
> with using a "custom" cpu-mode. My compute nodes (Ocata) are
> configured to run with cpu_mode=custom, cpu_model=IvyBridge. They are
> also configured for nested KVM per the kvm_intel nested=Y module
> parameter. virsh capabilities on any compute node correctly yields
> <feature name='vmx'/> for the host CPU.
> Now, when I schedule an instance to that compute node, it ends up with
> a CPU configuration as shown in
> http://paste.openstack.org/show/717923/, which means it is not capable
> of doing any nested KVM. If I then log onto the compute node, and hack
> the libvirt domain config with virsh edit, and I fix up the CPU
> configuration to match http://paste.openstack.org/show/717934/, then I
> can virsh shutdown/virsh start the domain and when it comes back up,
> voilà nested KVM.
> So my question is, do I have any way to inject that <feature
> policy='require' name='vmx'/> bit into an instance from Nova? Way back
> around the Essex release we had a libvirt.xml.template
> but that was dropped somewhere along the way; is there a contemporary
> way to do this?
We discussed this in the #openstack-nova IRC channel today and I'm going
to summarize here in case there are others interested in the topic.
It sounds like the "Add ability to configure extra CPU flags for named
CPU models" feature being worked on this cycle will provide the
functionality you're looking for. It allows extra CPU feature flags to
be specified in a new config option. That will be available in the Rocky
The motivation for the feature was actually to mitigate the performance
penalty of the Meltdown/Spectre CVE fixes. In an effort to also provide
operators running stable branch versions the ability to mitigate the
penalty, we are going to backport a restricted version of the feature
where the only allowed extra CPU feature flag is 'pcid' (the flag needed
for mitigation). Stable branches are generally reserved for bug fixes only.
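As an added example (not code from this thread or from Nova itself), the following Python check lets an operator confirm, from the XML that `virsh capabilities` and `virsh dumpxml` produce, that the host exposes a flag such as vmx and that the instance's CPU block actually requires it; it also shows the `<feature policy='require' name='vmx'/>` element the thread describes being added to a custom-mode IvyBridge CPU block. The two XML samples are constructed and trimmed to the relevant elements, and the feature-name list is a hypothetical input rather than the new config option's syntax.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed sample of the host CPU section of `virsh capabilities`
# on a compute node booted with kvm_intel nested=Y.
HOST_CAPS = """<capabilities><host><cpu><arch>x86_64</arch>
<model>IvyBridge</model><feature name='vmx'/><feature name='pcid'/>
</cpu></host></capabilities>"""

# Constructed sample of the CPU block Nova emits with cpu_mode=custom and
# cpu_model=IvyBridge before any extra flags are configured (no vmx).
DOMAIN_BEFORE = """<domain type='kvm'><name>instance-00000001</name>
<cpu mode='custom' match='exact'><model fallback='forbid'>IvyBridge</model>
<topology sockets='1' cores='1' threads='1'/></cpu></domain>"""


def host_features(caps_xml):
    """Set of CPU feature names the host advertises."""
    root = ET.fromstring(caps_xml)
    return {f.get('name') for f in root.findall('./host/cpu/feature')}


def domain_features(domain_xml):
    """Map of feature name -> libvirt policy in an instance's <cpu> block."""
    root = ET.fromstring(domain_xml)
    return {f.get('name'): f.get('policy') for f in root.findall('./cpu/feature')}


def missing_flags(domain_xml, caps_xml, required):
    """Flags the instance needs but its domain XML does not 'require'.
    Raises if the host cannot provide one of them at all."""
    host = host_features(caps_xml)
    not_on_host = [f for f in required if f not in host]
    if not_on_host:
        raise ValueError("host CPU does not expose: %s" % not_on_host)
    present = domain_features(domain_xml)
    return [f for f in required if present.get(f) != 'require']


def add_required_features(domain_xml, flags):
    """Return domain XML with <feature policy='require' name=.../> for each
    flag, i.e. the edit described in the thread, done idempotently."""
    root = ET.fromstring(domain_xml)
    cpu = root.find('./cpu')
    if cpu is None:
        raise ValueError("domain XML has no <cpu> element")
    for flag in flags:
        existing = cpu.find("./feature[@name='%s']" % flag)
        if existing is not None:
            existing.set('policy', 'require')  # upgrade a weaker policy
        else:
            ET.SubElement(cpu, 'feature', {'policy': 'require', 'name': flag})
    return ET.tostring(root, encoding='unicode')
```

Run `missing_flags(virsh_dumpxml_output, virsh_capabilities_output, ['vmx'])` after a boot to detect instances that will not be able to do nested KVM.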