Re: [ceph-users] Linux Meltdown (KPTI) fix and how it affects performance?
Hi guys,

I don't think we are really worried about how those patches affect OSDs performance -patches can be easily disabled via sys- but quite worried about how do they affect librbd performance.

Librbd is running on the hypervisor, and even if you don't need to patch hypervisor kernel for Meltdown, you have to patch it to avoid Spectre.

And in pure SSD clusters, librbd and network performance -we are running ceph over 40G- is quite important.

Cheers,
Xavier.

-----Original Message-----
From: ceph-users [mailto:ceph-users-boun...@lists.ceph.com] On behalf of c...@jack.fr.eu.org
Sent: Friday, 12 January 2018 10:26
To: Van Leeuwen, Robert <rovanleeu...@ebay.com>; ceph-users@lists.ceph.com
Subject: Re: [ceph-users] Linux Meltdown (KPTI) fix and how it affects performance?

Well, if a stranger has access to my whole Ceph data (this, all my VMs & rgw's data), I don't mind if he gets root access too :)

On 01/12/2018 10:18 AM, Van Leeuwen, Robert wrote:
>> Ceph runs on a dedicated hardware, there is nothing there except Ceph,
>> and the ceph daemons have already all power on ceph's data.
>> And there is no random-code execution allowed on this node.
>>
>> Thus, spectre & meltdown are meaning-less for Ceph's node, and
>> mitigations should be disabled
>>
>> Is this wrong ?
>
> In principle, I would say yes:
> This means if someone has half a foot between the door for whatever reason
> you will have to assume they will be able to escalate to root.
> Looking at meltdown and spectre is already a good indication of creativity in
> gaining (more) access.
> So I would not assume people are unable to ever gain access to your network
> or that the ceph/ssh/etc daemons have no bugs to exploit.
>
> I would more phrase it as:
> Is the performance decrease big enough that you are willing to risk running a
> less secure server.
>
> The answer to that depends on a lot of things like:
> Performance impact of the patch
> Costs of extra hardware to mitigate performance impact
> Impact of possible breach (e.g. GDPR fines or reputation damage can be
> extremely expensive)
> Who/what is allowed on your network
> How likely you are a hacker target
> How good will you sleep knowing there is a potential hole in security :)
> Etc.
>
> Cheers,
> Robert van Leeuwen

___
ceph-users mailing list
ceph-users@lists.ceph.com
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
Re: [ceph-users] Linux Meltdown (KPTI) fix and how it affects performance?
Well, if a stranger has access to my whole Ceph data (this, all my VMs & rgw's data), I don't mind if he gets root access too :)

On 01/12/2018 10:18 AM, Van Leeuwen, Robert wrote:
>> Ceph runs on a dedicated hardware, there is nothing there except Ceph,
>> and the ceph daemons have already all power on ceph's data.
>> And there is no random-code execution allowed on this node.
>>
>> Thus, spectre & meltdown are meaning-less for Ceph's node, and
>> mitigations should be disabled
>>
>> Is this wrong ?
>
> In principle, I would say yes:
> This means if someone has half a foot between the door for whatever reason
> you will have to assume they will be able to escalate to root.
> Looking at meltdown and spectre is already a good indication of creativity in
> gaining (more) access.
> So I would not assume people are unable to ever gain access to your network
> or that the ceph/ssh/etc daemons have no bugs to exploit.
>
> I would more phrase it as:
> Is the performance decrease big enough that you are willing to risk running a
> less secure server.
>
> The answer to that depends on a lot of things like:
> Performance impact of the patch
> Costs of extra hardware to mitigate performance impact
> Impact of possible breach (e.g. GDPR fines or reputation damage can be
> extremely expensive)
> Who/what is allowed on your network
> How likely you are a hacker target
> How good will you sleep knowing there is a potential hole in security :)
> Etc.
>
> Cheers,
> Robert van Leeuwen
Re: [ceph-users] Linux Meltdown (KPTI) fix and how it affects performance?
> Ceph runs on a dedicated hardware, there is nothing there except Ceph,
> and the ceph daemons have already all power on ceph's data.
> And there is no random-code execution allowed on this node.
>
> Thus, spectre & meltdown are meaning-less for Ceph's node, and
> mitigations should be disabled
>
> Is this wrong ?

In principle, I would say yes:
This means if someone has half a foot between the door for whatever reason you will have to assume they will be able to escalate to root.
Looking at meltdown and spectre is already a good indication of creativity in gaining (more) access.
So I would not assume people are unable to ever gain access to your network or that the ceph/ssh/etc daemons have no bugs to exploit.

I would more phrase it as:
Is the performance decrease big enough that you are willing to risk running a less secure server.

The answer to that depends on a lot of things like:
Performance impact of the patch
Costs of extra hardware to mitigate performance impact
Impact of possible breach (e.g. GDPR fines or reputation damage can be extremely expensive)
Who/what is allowed on your network
How likely you are a hacker target
How good will you sleep knowing there is a potential hole in security :)
Etc.

Cheers,
Robert van Leeuwen
Re: [ceph-users] Linux Meltdown (KPTI) fix and how it affects performance?
Hello,

On Thu, 11 Jan 2018 11:42:53 -0600 Adam Tygart wrote:

> Some people are doing hyperconverged ceph, colocating qemu
> virtualization with ceph-osds. It is relevant for a decent subset of
> people here. Therefore knowledge of the degree of performance
> degradation is useful.
>
It was my understanding that meltdown can not reach the host kernel space from inside VMs, only other VMs would be at risk at the most.

Spectre is a different beast, but again AFAIK there aren't any kernel patches for that yet.

See for example:
https://security.stackexchange.com/questions/176709/meltdown-and-virtual-machines

The chuckles you're hearing are me with nearly all of our compute nodes still being AMD ones. ^o^

Christian

> --
> Adam
>
> On Thu, Jan 11, 2018 at 11:38 AM, wrote:
> > I don't understand how all of this is related to Ceph
> >
> > Ceph runs on a dedicated hardware, there is nothing there except Ceph, and
> > the ceph daemons have already all power on ceph's data.
> > And there is no random-code execution allowed on this node.
> >
> > Thus, spectre & meltdown are meaning-less for Ceph's node, and mitigations
> > should be disabled
> >
> > Is this wrong ?
> >
> >
> > On 01/11/2018 06:26 PM, Dan van der Ster wrote:
> >>
> >> Hi all,
> >>
> >> Is anyone getting useful results with your benchmarking? I've prepared
> >> two test machines/pools and don't see any definitive slowdown with
> >> patched kernels from CentOS [1].
> >>
> >> I wonder if Ceph will be somewhat tolerant of these patches, similarly
> >> to what's described here:
> >> http://www.scylladb.com/2018/01/07/cost-of-avoiding-a-meltdown/
> >>
> >> Cheers, Dan
> >>
> >> [1] Ceph v12.2.2, FileStore OSDs, kernels 3.10.0-693.11.6.el7.x86_64
> >> vs the ancient 3.10.0-327.18.2.el7.x86_64

--
Christian Balzer        Network/Systems Engineer
ch...@gol.com           Rakuten Communications
Re: [ceph-users] Linux Meltdown (KPTI) fix and how it affects performance?
Some people are doing hyperconverged ceph, colocating qemu virtualization with ceph-osds. It is relevant for a decent subset of people here. Therefore knowledge of the degree of performance degradation is useful.

--
Adam

On Thu, Jan 11, 2018 at 11:38 AM, wrote:
> I don't understand how all of this is related to Ceph
>
> Ceph runs on a dedicated hardware, there is nothing there except Ceph, and
> the ceph daemons have already all power on ceph's data.
> And there is no random-code execution allowed on this node.
>
> Thus, spectre & meltdown are meaning-less for Ceph's node, and mitigations
> should be disabled
>
> Is this wrong ?
>
>
> On 01/11/2018 06:26 PM, Dan van der Ster wrote:
>>
>> Hi all,
>>
>> Is anyone getting useful results with your benchmarking? I've prepared
>> two test machines/pools and don't see any definitive slowdown with
>> patched kernels from CentOS [1].
>>
>> I wonder if Ceph will be somewhat tolerant of these patches, similarly
>> to what's described here:
>> http://www.scylladb.com/2018/01/07/cost-of-avoiding-a-meltdown/
>>
>> Cheers, Dan
>>
>> [1] Ceph v12.2.2, FileStore OSDs, kernels 3.10.0-693.11.6.el7.x86_64
>> vs the ancient 3.10.0-327.18.2.el7.x86_64
Re: [ceph-users] Linux Meltdown (KPTI) fix and how it affects performance?
I don't understand how all of this is related to Ceph

Ceph runs on a dedicated hardware, there is nothing there except Ceph, and the ceph daemons have already all power on ceph's data.
And there is no random-code execution allowed on this node.

Thus, spectre & meltdown are meaning-less for Ceph's node, and mitigations should be disabled

Is this wrong ?

On 01/11/2018 06:26 PM, Dan van der Ster wrote:
> Hi all,
>
> Is anyone getting useful results with your benchmarking? I've prepared
> two test machines/pools and don't see any definitive slowdown with
> patched kernels from CentOS [1].
>
> I wonder if Ceph will be somewhat tolerant of these patches, similarly
> to what's described here:
> http://www.scylladb.com/2018/01/07/cost-of-avoiding-a-meltdown/
>
> Cheers, Dan
>
> [1] Ceph v12.2.2, FileStore OSDs, kernels 3.10.0-693.11.6.el7.x86_64
> vs the ancient 3.10.0-327.18.2.el7.x86_64
Re: [ceph-users] Linux Meltdown (KPTI) fix and how it affects performance?
Hi all,

Is anyone getting useful results with your benchmarking? I've prepared two test machines/pools and don't see any definitive slowdown with patched kernels from CentOS [1].

I wonder if Ceph will be somewhat tolerant of these patches, similarly to what's described here:
http://www.scylladb.com/2018/01/07/cost-of-avoiding-a-meltdown/

Cheers, Dan

[1] Ceph v12.2.2, FileStore OSDs, kernels 3.10.0-693.11.6.el7.x86_64 vs the ancient 3.10.0-327.18.2.el7.x86_64
Re: [ceph-users] Linux Meltdown (KPTI) fix and how it affects performance?
Graham,

The before/after FIO tests sound interesting, we’re trying to pull together some benchmark tests to do the same for our Ceph cluster. Could you expand on which parameters you used, and how the file size relates to the RAM available to your VM?

Regards,
Paul Ashman
Re: [ceph-users] Linux Meltdown (KPTI) fix and how it affects performance?
We ran some quick/simple tests using an unpatched centos vm on patched and unpatched hypervisors.

CPU bound test (HPL) showed a 2% hit.

i/o bound test (fio) showed 30%.

This is before patching the VM, which I expect should have *some* additive effect (we'll run the same tests).

And also before patching the ceph storage nodes (again we'll run the same tests). I had the same thought about selectively disabling some of the kpti using the sysctls on osd nodes, but it will be interesting to see the effect first.

Graham

On 01/05/2018 07:24 AM, Xavier Trilla wrote:
> Ok, that's good news, being able to disable the patches in real time is going to really help with the performance testing.
>
> ATM we won't patch our OSD machines -we've had several issues in the past with XFS and some kernels in machines with plenty of OSDs- so I won't have information about how does it affect OSD performance.
>
> But we will rollout some upgrades during the next days to our hypervisors, and I'll run some tests to see if librbd performance is affected.
>
> I'm quite worried about latency. We run a pure SSD cluster, and we've invested a lot of time and effort to get latency under 1ms. Losing a 30% because of this, would be really bad news.
>
> I'll post our test results as soon as I have them, but if anybody else has done some testing and can provide some information as well, I think it would be really useful.
>
> Thanks!
> Xavier
>
> -----Original Message-----
> From: ceph-users [mailto:ceph-users-boun...@lists.ceph.com] On behalf of Stijn De Weirdt
> Sent: Friday, 5 January 2018 13:00
> To: ceph-users@lists.ceph.com
> Subject: Re: [ceph-users] Linux Meltdown (KPTI) fix and how it affects performance?
>
> or do it live https://access.redhat.com/articles/3311301
>
> # echo 0 > /sys/kernel/debug/x86/pti_enabled
> # echo 0 > /sys/kernel/debug/x86/ibpb_enabled
> # echo 0 > /sys/kernel/debug/x86/ibrs_enabled
>
> stijn
>
> On 01/05/2018 12:54 PM, David wrote:
>> Hi!
>>
>> nopti or pti=off in kernel options should disable some of the kpti.
>> I haven't tried it yet though, so give it a whirl.
>>
>> https://en.wikipedia.org/wiki/Kernel_page-table_isolation <https://en.wikipedia.org/wiki/Kernel_page-table_isolation>
>>
>> Kind Regards,
>>
>> David Majchrzak
>>
>>> On 5 Jan 2018, at 11:03, Xavier Trilla <xavier.tri...@silicontower.net> wrote:
>>>
>>> Hi Nick,
>>>
>>> I'm actually wondering about exactly the same. Regarding OSDs, I agree, there is no reason to apply the security patch to the machines running the OSDs -if they are properly isolated in your setup-.
>>>
>>> But I'm worried about the hypervisors, as I don't know how meltdown or Spectre patches -AFAIK, only Spectre patch needs to be applied to the host hypervisor, Meltdown patch only needs to be applied to guest- will affect librbd performance in the hypervisors.
>>>
>>> Does anybody have some information about how Meltdown or Spectre affect ceph OSDs and clients?
>>>
>>> Also, regarding Meltdown patch, seems to be a compilation option, meaning you could build a kernel without it easily.
>>>
>>> Thanks,
>>> Xavier.
>>>
>>> -----Original Message-----
>>> From: ceph-users [mailto:ceph-users-boun...@lists.ceph.com] On behalf of Nick Fisk
>>> Sent: Thursday, 4 January 2018 17:30
>>> To: 'ceph-users' <ceph-users@lists.ceph.com>
>>> Subject: [ceph-users] Linux Meltdown (KPTI) fix and how it affects performance?
>>>
>>> Hi All,
>>>
>>> As the KPTI fix largely only affects the performance where there are a large number of syscalls made, which Ceph does a lot of, I was wondering if anybody has had a chance to perform any initial tests. I suspect small write latencies will be the worst affected?
>>>
>>> Although I'm thinking the backend Ceph OSD's shouldn't really be at risk from these vulnerabilities, due to them not being direct user facing and could have this work around disabled?
>>>
>>> Nick

--
Graham Allan
Minnesota Supercomputing Institute - g...@umn.edu
Re: [ceph-users] Linux Meltdown (KPTI) fix and how it affects performance?
Ok, that's good news, being able to disable the patches in real time is going to really help with the performance testing.

ATM we won't patch our OSD machines -we've had several issues in the past with XFS and some kernels in machines with plenty of OSDs- so I won't have information about how does it affect OSD performance.

But we will rollout some upgrades during the next days to our hypervisors, and I'll run some tests to see if librbd performance is affected.

I'm quite worried about latency. We run a pure SSD cluster, and we've invested a lot of time and effort to get latency under 1ms. Losing a 30% because of this, would be really bad news.

I'll post our test results as soon as I have them, but if anybody else has done some testing and can provide some information as well, I think it would be really useful.

Thanks!
Xavier

-----Original Message-----
From: ceph-users [mailto:ceph-users-boun...@lists.ceph.com] On behalf of Stijn De Weirdt
Sent: Friday, 5 January 2018 13:00
To: ceph-users@lists.ceph.com
Subject: Re: [ceph-users] Linux Meltdown (KPTI) fix and how it affects performance?

or do it live https://access.redhat.com/articles/3311301

# echo 0 > /sys/kernel/debug/x86/pti_enabled
# echo 0 > /sys/kernel/debug/x86/ibpb_enabled
# echo 0 > /sys/kernel/debug/x86/ibrs_enabled

stijn

On 01/05/2018 12:54 PM, David wrote:
> Hi!
>
> nopti or pti=off in kernel options should disable some of the kpti.
> I haven't tried it yet though, so give it a whirl.
>
> https://en.wikipedia.org/wiki/Kernel_page-table_isolation
> <https://en.wikipedia.org/wiki/Kernel_page-table_isolation>
>
> Kind Regards,
>
> David Majchrzak
>
>
>> On 5 Jan 2018, at 11:03, Xavier Trilla <xavier.tri...@silicontower.net> wrote:
>>
>> Hi Nick,
>>
>> I'm actually wondering about exactly the same. Regarding OSDs, I agree,
>> there is no reason to apply the security patch to the machines running the
>> OSDs -if they are properly isolated in your setup-.
>>
>> But I'm worried about the hypervisors, as I don't know how meltdown or
>> Spectre patches -AFAIK, only Spectre patch needs to be applied to the host
>> hypervisor, Meltdown patch only needs to be applied to guest- will affect
>> librbd performance in the hypervisors.
>>
>> Does anybody have some information about how Meltdown or Spectre affect ceph
>> OSDs and clients?
>>
>> Also, regarding Meltdown patch, seems to be a compilation option, meaning
>> you could build a kernel without it easily.
>>
>> Thanks,
>> Xavier.
>>
>> -----Original Message-----
>> From: ceph-users [mailto:ceph-users-boun...@lists.ceph.com] On behalf of Nick Fisk
>> Sent: Thursday, 4 January 2018 17:30
>> To: 'ceph-users' <ceph-users@lists.ceph.com>
>> Subject: [ceph-users] Linux Meltdown (KPTI) fix and how it affects
>> performance?
>>
>> Hi All,
>>
>> As the KPTI fix largely only affects the performance where there are a large
>> number of syscalls made, which Ceph does a lot of, I was wondering if
>> anybody has had a chance to perform any initial tests. I suspect small write
>> latencies will be the worst affected?
>>
>> Although I'm thinking the backend Ceph OSD's shouldn't really be at risk
>> from these vulnerabilities, due to them not being direct user facing and
>> could have this work around disabled?
>>
>> Nick
Re: [ceph-users] Linux Meltdown (KPTI) fix and how it affects performance?
or do it live https://access.redhat.com/articles/3311301

# echo 0 > /sys/kernel/debug/x86/pti_enabled
# echo 0 > /sys/kernel/debug/x86/ibpb_enabled
# echo 0 > /sys/kernel/debug/x86/ibrs_enabled

stijn

On 01/05/2018 12:54 PM, David wrote:
> Hi!
>
> nopti or pti=off in kernel options should disable some of the kpti.
> I haven't tried it yet though, so give it a whirl.
>
> https://en.wikipedia.org/wiki/Kernel_page-table_isolation
> <https://en.wikipedia.org/wiki/Kernel_page-table_isolation>
>
> Kind Regards,
>
> David Majchrzak
>
>
>> On 5 Jan 2018, at 11:03, Xavier Trilla <xavier.tri...@silicontower.net> wrote:
>>
>> Hi Nick,
>>
>> I'm actually wondering about exactly the same. Regarding OSDs, I agree,
>> there is no reason to apply the security patch to the machines running the
>> OSDs -if they are properly isolated in your setup-.
>>
>> But I'm worried about the hypervisors, as I don't know how meltdown or
>> Spectre patches -AFAIK, only Spectre patch needs to be applied to the host
>> hypervisor, Meltdown patch only needs to be applied to guest- will affect
>> librbd performance in the hypervisors.
>>
>> Does anybody have some information about how Meltdown or Spectre affect ceph
>> OSDs and clients?
>>
>> Also, regarding Meltdown patch, seems to be a compilation option, meaning
>> you could build a kernel without it easily.
>>
>> Thanks,
>> Xavier.
>>
>> -----Original Message-----
>> From: ceph-users [mailto:ceph-users-boun...@lists.ceph.com] On behalf of Nick
>> Fisk
>> Sent: Thursday, 4 January 2018 17:30
>> To: 'ceph-users' <ceph-users@lists.ceph.com>
>> Subject: [ceph-users] Linux Meltdown (KPTI) fix and how it affects
>> performance?
>>
>> Hi All,
>>
>> As the KPTI fix largely only affects the performance where there are a large
>> number of syscalls made, which Ceph does a lot of, I was wondering if
>> anybody has had a chance to perform any initial tests. I suspect small write
>> latencies will be the worst affected?
>>
>> Although I'm thinking the backend Ceph OSD's shouldn't really be at risk
>> from these vulnerabilities, due to them not being direct user facing and
>> could have this work around disabled?
>>
>> Nick
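
Added example, not part of the original thread: a small audit script that reports whether the runtime switches from the message above (`pti_enabled`, `ibpb_enabled`, `ibrs_enabled`) or the `nopti` / `pti=off` boot options are currently turning a mitigation off on a node. The root-directory argument and the `SYSROOT` variable are hypothetical, added so the logic can be run against a constructed directory tree; treating `0` as "disabled" and any other value as "enabled" is an assumption based on the `echo 0` commands in the thread.

```shell
#!/bin/sh
# Added example: audit the KPTI/IBPB/IBRS switches discussed in this thread.
# $1 of each function is a root prefix (empty for the live system); this
# parameter is hypothetical and exists only to make the script testable.

# Print "<name>=<value>" for one debugfs tunable, or "<name>=unavailable"
# when the file does not exist or cannot be read (debugfs not mounted,
# not root, or a kernel that does not expose these files).
tunable_state() {
    ts_file="$1/sys/kernel/debug/x86/$2"
    if [ -r "$ts_file" ]; then
        printf '%s=%s\n' "$2" "$(tr -d '[:space:]' < "$ts_file")"
    else
        printf '%s=unavailable\n' "$2"
    fi
}

# Print the boot options on a kernel command line that switch PTI off
# (exact words "nopti" or "pti=off"); prints nothing if there are none.
pti_boot_overrides() {
    [ -r "$1" ] || return 0
    tr -s '[:space:]' '\n' < "$1" | grep -E -x 'nopti|pti=off' |
        tr '\n' ' ' | sed 's/ $//'
}

# Print one line per finding. Returns 1 if any switch is set to 0 or a
# PTI-disabling boot option is present, 0 otherwise.
audit_node() {
    an_root="${1:-}"
    an_weak=0
    for an_name in pti_enabled ibpb_enabled ibrs_enabled; do
        an_line="$(tunable_state "$an_root" "$an_name")"
        echo "$an_line"
        if [ "${an_line#*=}" = "0" ]; then an_weak=1; fi
    done
    an_boot="$(pti_boot_overrides "$an_root/proc/cmdline")"
    if [ -n "$an_boot" ]; then
        echo "cmdline=$an_boot"
        an_weak=1
    else
        echo "cmdline=no-pti-override"
    fi
    return "$an_weak"
}

# Live run: SYSROOT is normally unset, so the real /sys and /proc are read.
audit_node "${SYSROOT:-}" || echo "at least one mitigation is switched off"
```
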
Re: [ceph-users] Linux Meltdown (KPTI) fix and how it affects performance?
Hi!

nopti or pti=off in kernel options should disable some of the kpti.
I haven't tried it yet though, so give it a whirl.

https://en.wikipedia.org/wiki/Kernel_page-table_isolation <https://en.wikipedia.org/wiki/Kernel_page-table_isolation>

Kind Regards,

David Majchrzak

> On 5 Jan 2018, at 11:03, Xavier Trilla <xavier.tri...@silicontower.net> wrote:
>
> Hi Nick,
>
> I'm actually wondering about exactly the same. Regarding OSDs, I agree, there
> is no reason to apply the security patch to the machines running the OSDs -if
> they are properly isolated in your setup-.
>
> But I'm worried about the hypervisors, as I don't know how meltdown or
> Spectre patches -AFAIK, only Spectre patch needs to be applied to the host
> hypervisor, Meltdown patch only needs to be applied to guest- will affect
> librbd performance in the hypervisors.
>
> Does anybody have some information about how Meltdown or Spectre affect ceph
> OSDs and clients?
>
> Also, regarding Meltdown patch, seems to be a compilation option, meaning you
> could build a kernel without it easily.
>
> Thanks,
> Xavier.
>
> -----Original Message-----
> From: ceph-users [mailto:ceph-users-boun...@lists.ceph.com] On behalf of Nick
> Fisk
> Sent: Thursday, 4 January 2018 17:30
> To: 'ceph-users' <ceph-users@lists.ceph.com>
> Subject: [ceph-users] Linux Meltdown (KPTI) fix and how it affects performance?
>
> Hi All,
>
> As the KPTI fix largely only affects the performance where there are a large
> number of syscalls made, which Ceph does a lot of, I was wondering if anybody
> has had a chance to perform any initial tests. I suspect small write
> latencies will be the worst affected?
>
> Although I'm thinking the backend Ceph OSD's shouldn't really be at risk from
> these vulnerabilities, due to them not being direct user facing and could
> have this work around disabled?
>
> Nick
Re: [ceph-users] Linux Meltdown (KPTI) fix and how it affects performance?
Hi Nick,

I'm actually wondering about exactly the same. Regarding OSDs, I agree, there is no reason to apply the security patch to the machines running the OSDs -if they are properly isolated in your setup-.

But I'm worried about the hypervisors, as I don't know how meltdown or Spectre patches -AFAIK, only Spectre patch needs to be applied to the host hypervisor, Meltdown patch only needs to be applied to guest- will affect librbd performance in the hypervisors.

Does anybody have some information about how Meltdown or Spectre affect ceph OSDs and clients?

Also, regarding Meltdown patch, seems to be a compilation option, meaning you could build a kernel without it easily.

Thanks,
Xavier.

-----Original Message-----
From: ceph-users [mailto:ceph-users-boun...@lists.ceph.com] On behalf of Nick Fisk
Sent: Thursday, 4 January 2018 17:30
To: 'ceph-users' <ceph-users@lists.ceph.com>
Subject: [ceph-users] Linux Meltdown (KPTI) fix and how it affects performance?

Hi All,

As the KPTI fix largely only affects the performance where there are a large number of syscalls made, which Ceph does a lot of, I was wondering if anybody has had a chance to perform any initial tests. I suspect small write latencies will be the worst affected?

Although I'm thinking the backend Ceph OSD's shouldn't really be at risk from these vulnerabilities, due to them not being direct user facing and could have this work around disabled?

Nick
[ceph-users] Linux Meltdown (KPTI) fix and how it affects performance?
Hi All,

As the KPTI fix largely only affects the performance where there are a large number of syscalls made, which Ceph does a lot of, I was wondering if anybody has had a chance to perform any initial tests. I suspect small write latencies will be the worst affected?

Although I'm thinking the backend Ceph OSD's shouldn't really be at risk from these vulnerabilities, due to them not being direct user facing and could have this work around disabled?

Nick