We may not need to apply these mitigations to Lustre servers, but a lot of Lustre code runs on the client systems.
Let's say you run a multi-user research cluster; Lab group A says that their data must not be seen by any user except those in Lab A, so user, group, and filesystem permissions are set to implement that policy. Lab groups B and C may not have malicious users, but they do download, compile, and run programs from collaborators, or from the Internet at large. So they may inadvertently install and run some malicious code on that research cluster, and potentially expose Lab group A's data even though B and C users wouldn't normally have permissions to do so. Do you analyze every bit of code that runs on your research cluster? We don't have the resources to do so. A possible related issue: In addition to the kernel-vs-user address space changes needed for Meltdown, there are also some code changes needed to prevent the Spectre type of attacks. Those changes (function call/return conventions) need to happen in user-space code, but also in the kernel. I imagine that Lustre code itself could need these mods too, in order to be protected from attack code on client systems. https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/Intel-Analysis-o f-Speculative-Execution-Side-Channels.pdf I didn't find any items matching "meltdown" or "spectre" in the HPDD Lustre JIRA just now, so perhaps work hasn't started on this yet. Regards, Marion > Date: Fri, 5 Jan 2018 13:31:23 -0500 > From: Mark Hahn <h...@mcmaster.ca> > To: Lustre discussion <lustre-discuss@lists.lustre.org> > Subject: Re: [lustre-discuss] Are there any performance hits with the > > > Also to what extent would a Lustre system that is essentially a filer be at > > risk? It's not running user code and you're not browsing from it... > > to be vulnerable, attack code must run on the system. > _______________________________________________ > lustre-discuss mailing list > lustre-discuss@lists.lustre.org > http://lists.lustre.org/listinfo.cgi/lustre-discuss-lustre.org > _______________________________________________ lustre-discuss mailing list lustre-discuss@lists.lustre.org http://lists.lustre.org/listinfo.cgi/lustre-discuss-lustre.org