
[Openstack] [nova] Enabling nested KVM (or injecting any CPU feature flags) with cpu_mode=custom

On Thu, 29 Mar 2018 20:43:13 +0200, Florian Haas wrote:
> I have a question about enabling nested KVM, or for that matter
> passing in any required CPU features to an instance, in combination
> with using a "custom" cpu-mode. My compute nodes (Ocata) are
> configured to run with cpu_mode=custom, cpu_model=IvyBridge. They are
> also configured for nested KVM per the kvm_intel nested=Y module
> parameter. virsh capabilities on any compute node correctly yields
> <feature name='vmx'/> for the host CPU.
> Now, when I schedule an instance to that compute node, it ends up with
> a CPU configuration as shown in
> http://paste.openstack.org/show/717923/, which means it is not capable
> of doing any nested KVM. If I then log onto the compute node, and hack
> the libvirt domain config with virsh edit, and I fix up the CPU
> configuration to match http://paste.openstack.org/show/717934/, then I
> can virsh shutdown/virsh start the domain and when it comes back up,
> voilà nested KVM.
> So my question is, do I have any way to inject that <feature
> policy='require' name='vmx'/> bit into an instance from Nova? Way back
> around the Essex release we had a libvirt.xml.template
> (https://blog.dachary.org/2012/09/26/openstack-nested-virtual-machines/),
> but that was dropped somewhere along the way - is there a contemporary
> way to do this?

We discussed this in the #openstack-nova IRC channel today and I'm going 
to summarize here in case there are others interested in the topic.

It sounds like the "Add ability to configure extra CPU flags for named 
CPU models" feature [0] being worked on this cycle will provide the 
functionality you're looking for. It allows extra CPU feature flags to 
be specified in a new config option. That will be available in the Rocky 

The motivation for the feature was actually to mitigate the performance 
penalty of the Meltdown/Spectre CVE fixes. In an effort to also provide 
operators running stable branch versions the ability to mitigate the 
penalty, we are going to backport a restricted version of the feature 
where the only allowed extra CPU feature flag is 'pcid' (the flag needed 
for mitigation). Stable branches are generally reserved for bug fixes only.
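As an added illustration of the libvirt-side change discussed in this thread (example code written for this summary, not code from the thread, from Nova or from libvirt): the script below parses a domain definition the way `virsh dumpxml` prints it, reports whether the guest CPU definition pins the vendor's virtualization flag with policy='require', and applies the same edit Florian made by hand with virsh edit. The sample domain XML is constructed here as an approximation of a cpu_mode=custom, cpu_model=IvyBridge instance (the paste.openstack.org contents are not reproduced on this page), and the nova.conf option name shown in the comment is the one I recall for the Rocky feature; check it against the config reference for your release.

```python
"""Check and patch a libvirt domain's <cpu> definition for nested KVM.

Added example, not code from the thread, Nova or libvirt. It performs the
same edit the thread describes doing by hand with `virsh edit`: adding
<feature policy='require' name='vmx'/> under a cpu_mode=custom <cpu>.
"""
import xml.etree.ElementTree as ET

# Constructed sample of a cpu_mode=custom, cpu_model=IvyBridge instance as
# Nova generates it before the fix (an approximation; the paste.openstack.org
# links in the thread are not reproduced here).
BEFORE_XML = """<domain type='kvm'>
  <name>instance-00000001</name>
  <cpu mode='custom' match='exact'>
    <model fallback='forbid'>IvyBridge</model>
    <topology sockets='1' cores='1' threads='1'/>
  </cpu>
</domain>"""

# Nova-side equivalent once per-flag configuration is available (option name
# as I recall it from the [libvirt] section of nova.conf; verify against the
# config reference for your release before relying on it):
#
#   [libvirt]
#   cpu_mode = custom
#   cpu_model = IvyBridge
#   cpu_model_extra_flags = vmx      # or 'pcid' for the Meltdown/KPTI case

# Flag that must reach the guest for it to run its own KVM, per CPU vendor.
NESTED_VIRT_FLAG = {"intel": "vmx", "amd": "svm"}


def cpu_features(domain_xml):
    """Map feature name -> policy attribute for every <feature> under <cpu>."""
    cpu = ET.fromstring(domain_xml).find("cpu")
    if cpu is None:
        return {}
    return {f.get("name"): f.get("policy") for f in cpu.findall("feature")}


def nested_kvm_ready(domain_xml, vendor="intel"):
    """True when the guest CPU definition forces the vendor's virt flag on.

    'require' and 'force' both guarantee the flag is presented to the guest;
    'optional', 'disable', 'forbid' or a missing entry do not.
    """
    policy = cpu_features(domain_xml).get(NESTED_VIRT_FLAG[vendor])
    return policy in ("require", "force")


def require_feature(domain_xml, flag):
    """Return the domain XML with <feature policy='require' name=flag/> in <cpu>.

    Idempotent: an existing entry for the flag is switched to 'require'
    rather than duplicated. Raises if there is no <cpu> element to attach
    the feature to, which has to be fixed on the Nova side first.
    """
    root = ET.fromstring(domain_xml)
    cpu = root.find("cpu")
    if cpu is None:
        raise ValueError("no <cpu> element: set cpu_mode=custom in nova.conf first")
    for feature in cpu.findall("feature"):
        if feature.get("name") == flag:
            feature.set("policy", "require")
            break
    else:
        ET.SubElement(cpu, "feature", {"policy": "require", "name": flag})
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", nested_kvm_ready(BEFORE_XML))   # False
    patched = require_feature(BEFORE_XML, "vmx")
    print("after: ", nested_kvm_ready(patched))      # True
    print(patched)
```

To use it against a real instance, feed the output of `virsh dumpxml <domain>` to require_feature() and load the result with `virsh define`, then shut the domain down and start it again as described above. Two caveats worth keeping in mind: Nova regenerates the domain XML from its own configuration on a hard reboot, resize or migration, so a hand edit does not survive those operations, which is why the config option is the right long-term answer; and policy='require' with match='exact' pins the instance to hosts that can provide the flag, so libvirt refuses a live migration to a host without it. Exposing vmx also hands the guest a hypervisor-capable CPU, which is a trust decision per tenant, not just a performance one.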