Re: [ceph-users] Linux Meltdown (KPTI) fix and how it affects performance?

2018-01-16 Thread Xavier Trilla
Hi guys,

I don't think we are really worried about how those patches affect OSD 
performance -patches can be easily disabled via sys- but quite worried about 
how they affect librbd performance.

Librbd is running on the hypervisor, and even if you don't need to patch 
hypervisor kernel for Meltdown, you have to patch it to avoid Spectre. And in 
pure SSD clusters, librbd and network performance -we are running ceph over 
40G- is quite important.

Cheers,
Xavier.

-Original Message-
From: ceph-users [mailto:ceph-users-boun...@lists.ceph.com] On Behalf Of 
c...@jack.fr.eu.org
Sent: Friday, 12 January 2018 10:26
To: Van Leeuwen, Robert <rovanleeu...@ebay.com>; ceph-users@lists.ceph.com
Subject: Re: [ceph-users] Linux Meltdown (KPTI) fix and how it affects 
performance?

Well, if a stranger has access to my whole Ceph data (this, all my VMs & rgw's 
data), I don't mind if he gets root access too :)

On 01/12/2018 10:18 AM, Van Leeuwen, Robert wrote:
>> Ceph runs on a dedicated hardware, there is nothing there except Ceph,
>> and the ceph daemons have already all power on ceph's data.
>> And there is no random-code execution allowed on this node.
>>
>> Thus, spectre & meltdown are meaning-less for Ceph's node, and
>> mitigations should be disabled
>> 
>> Is this wrong ?
> 
> In principle, I would say yes:
> This means if someone has half a foot between the door for whatever reason 
> you will have to assume they will be able to escalate to root.
> Looking at meltdown and spectre is already a good indication of creativity in 
> gaining (more) access.
> So I would not assume people are unable to ever gain access to your network 
> or that the ceph/ssh/etc daemons have no bugs to exploit.
> 
> I would more phrase it as:
> Is the performance decrease big enough that you are willing to risk running a 
> less secure server.
> 
> The answer to that depends on a lot of things like:
> Performance impact of the patch
> Costs of extra hardware to mitigate performance impact
> Impact of possible breach (e.g. GDPR fines or reputation damage can be 
> extremely expensive)
> Who/what is allowed on your network
> How likely you are a hacker target
> How good will you sleep knowing there is a potential hole in security :)
> Etc.
> 
> Cheers,
> Robert van Leeuwen
> 
> 
___
ceph-users mailing list
ceph-users@lists.ceph.com
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com


Re: [ceph-users] Linux Meltdown (KPTI) fix and how it affects performance?

2018-01-12 Thread ceph
Well, if a stranger has access to my whole Ceph data (this, all my VMs 
& rgw's data), I don't mind if he gets root access too :)


On 01/12/2018 10:18 AM, Van Leeuwen, Robert wrote:

>> Ceph runs on a dedicated hardware, there is nothing there except Ceph,
>> and the ceph daemons have already all power on ceph's data.
>> And there is no random-code execution allowed on this node.
>>
>> Thus, spectre & meltdown are meaning-less for Ceph's node, and
>> mitigations should be disabled
>>
>> Is this wrong ?
>
> In principle, I would say yes:
> This means if someone has half a foot between the door for whatever reason you 
> will have to assume they will be able to escalate to root.
> Looking at meltdown and spectre is already a good indication of creativity in 
> gaining (more) access.
> So I would not assume people are unable to ever gain access to your network or 
> that the ceph/ssh/etc daemons have no bugs to exploit.
>
> I would more phrase it as:
> Is the performance decrease big enough that you are willing to risk running a 
> less secure server.
>
> The answer to that depends on a lot of things like:
> Performance impact of the patch
> Costs of extra hardware to mitigate performance impact
> Impact of possible breach (e.g. GDPR fines or reputation damage can be 
> extremely expensive)
> Who/what is allowed on your network
> How likely you are a hacker target
> How good will you sleep knowing there is a potential hole in security :)
> Etc.
>
> Cheers,
> Robert van Leeuwen





Re: [ceph-users] Linux Meltdown (KPTI) fix and how it affects performance?

2018-01-12 Thread Van Leeuwen, Robert
> Ceph runs on a dedicated hardware, there is nothing there except Ceph, 
>and the ceph daemons have already all power on ceph's data.
>And there is no random-code execution allowed on this node.
>
>Thus, spectre & meltdown are meaning-less for Ceph's node, and 
>mitigations should be disabled
>
>Is this wrong ?

In principle, I would say yes:
This means if someone has half a foot between the door for whatever reason you 
will have to assume they will be able to escalate to root.
Looking at meltdown and spectre is already a good indication of creativity in 
gaining (more) access.
So I would not assume people are unable to ever gain access to your network or 
that the ceph/ssh/etc daemons have no bugs to exploit.

I would more phrase it as: 
Is the performance decrease big enough that you are willing to risk running a 
less secure server.

The answer to that depends on a lot of things like:
Performance impact of the patch 
Costs of extra hardware to mitigate performance impact
Impact of possible breach (e.g. GDPR fines or reputation damage can be 
extremely expensive)
Who/what is allowed on your network
How likely you are a hacker target
How good will you sleep knowing there is a potential hole in security :)
Etc.

Cheers,
Robert van Leeuwen




Re: [ceph-users] Linux Meltdown (KPTI) fix and how it affects performance?

2018-01-11 Thread Christian Balzer

Hello,

On Thu, 11 Jan 2018 11:42:53 -0600 Adam Tygart wrote:

> Some people are doing hyperconverged ceph, colocating qemu
> virtualization with ceph-osds. It is relevant for a decent subset of
> people here. Therefore knowledge of the degree of performance
> degradation is useful.
> 
It was my understanding that meltdown can not reach the host kernel space
from inside VMs, only other VMs would be at risk at the most.
Spectre is a different beast, but again AFAIK there aren't any kernel
patches for that yet.

See for example:
https://security.stackexchange.com/questions/176709/meltdown-and-virtual-machines

The chuckles you're hearing are me with nearly all of our compute nodes
still being AMD ones. ^o^

Christian
> --
> Adam
> 
> On Thu, Jan 11, 2018 at 11:38 AM,   wrote:
> > I don't understand how all of this is related to Ceph
> >
> > Ceph runs on a dedicated hardware, there is nothing there except Ceph, and
> > the ceph daemons have already all power on ceph's data.
> > And there is no random-code execution allowed on this node.
> >
> > Thus, spectre & meltdown are meaning-less for Ceph's node, and mitigations
> > should be disabled
> >
> > Is this wrong ?
> >
> >
> > On 01/11/2018 06:26 PM, Dan van der Ster wrote:  
> >>
> >> Hi all,
> >>
> >> Is anyone getting useful results with your benchmarking? I've prepared
> >> two test machines/pools and don't see any definitive slowdown with
> >> patched kernels from CentOS [1].
> >>
> >> I wonder if Ceph will be somewhat tolerant of these patches, similarly
> >> to what's described here:
> >> http://www.scylladb.com/2018/01/07/cost-of-avoiding-a-meltdown/
> >>
> >> Cheers, Dan
> >>
> >> [1] Ceph v12.2.2, FileStore OSDs, kernels 3.10.0-693.11.6.el7.x86_64
> >> vs the ancient 3.10.0-327.18.2.el7.x86_64


-- 
Christian Balzer        Network/Systems Engineer
ch...@gol.com   Rakuten Communications


Re: [ceph-users] Linux Meltdown (KPTI) fix and how it affects performance?

2018-01-11 Thread Adam Tygart
Some people are doing hyperconverged ceph, colocating qemu
virtualization with ceph-osds. It is relevant for a decent subset of
people here. Therefore knowledge of the degree of performance
degradation is useful.

--
Adam

On Thu, Jan 11, 2018 at 11:38 AM,   wrote:
> I don't understand how all of this is related to Ceph
>
> Ceph runs on a dedicated hardware, there is nothing there except Ceph, and
> the ceph daemons have already all power on ceph's data.
> And there is no random-code execution allowed on this node.
>
> Thus, spectre & meltdown are meaning-less for Ceph's node, and mitigations
> should be disabled
>
> Is this wrong ?
>
>
> On 01/11/2018 06:26 PM, Dan van der Ster wrote:
>>
>> Hi all,
>>
>> Is anyone getting useful results with your benchmarking? I've prepared
>> two test machines/pools and don't see any definitive slowdown with
>> patched kernels from CentOS [1].
>>
>> I wonder if Ceph will be somewhat tolerant of these patches, similarly
>> to what's described here:
>> http://www.scylladb.com/2018/01/07/cost-of-avoiding-a-meltdown/
>>
>> Cheers, Dan
>>
>> [1] Ceph v12.2.2, FileStore OSDs, kernels 3.10.0-693.11.6.el7.x86_64
>> vs the ancient 3.10.0-327.18.2.el7.x86_64


Re: [ceph-users] Linux Meltdown (KPTI) fix and how it affects performance?

2018-01-11 Thread ceph

I don't understand how all of this is related to Ceph

Ceph runs on a dedicated hardware, there is nothing there except Ceph, 
and the ceph daemons have already all power on ceph's data.

And there is no random-code execution allowed on this node.

Thus, spectre & meltdown are meaning-less for Ceph's node, and 
mitigations should be disabled


Is this wrong ?

On 01/11/2018 06:26 PM, Dan van der Ster wrote:

> Hi all,
>
> Is anyone getting useful results with your benchmarking? I've prepared
> two test machines/pools and don't see any definitive slowdown with
> patched kernels from CentOS [1].
>
> I wonder if Ceph will be somewhat tolerant of these patches, similarly
> to what's described here:
> http://www.scylladb.com/2018/01/07/cost-of-avoiding-a-meltdown/
>
> Cheers, Dan
>
> [1] Ceph v12.2.2, FileStore OSDs, kernels 3.10.0-693.11.6.el7.x86_64
> vs the ancient 3.10.0-327.18.2.el7.x86_64


Re: [ceph-users] Linux Meltdown (KPTI) fix and how it affects performance?

2018-01-11 Thread Dan van der Ster
Hi all,

Is anyone getting useful results with your benchmarking? I've prepared
two test machines/pools and don't see any definitive slowdown with
patched kernels from CentOS [1].

I wonder if Ceph will be somewhat tolerant of these patches, similarly
to what's described here:
http://www.scylladb.com/2018/01/07/cost-of-avoiding-a-meltdown/

Cheers, Dan

[1] Ceph v12.2.2, FileStore OSDs, kernels 3.10.0-693.11.6.el7.x86_64
vs the ancient 3.10.0-327.18.2.el7.x86_64


Re: [ceph-users] Linux Meltdown (KPTI) fix and how it affects performance?

2018-01-08 Thread Paul Ashman
Graham,

The before/after FIO tests sound interesting, we’re trying to pull together 
some benchmark tests to do the same for our Ceph cluster. Could you expand on 
which parameters you used, and how the file size relates to the RAM available 
to your VM?

Regards,
Paul Ashman



Re: [ceph-users] Linux Meltdown (KPTI) fix and how it affects performance?

2018-01-05 Thread Graham Allan
We ran some quick/simple tests using an unpatched centos vm on patched 
and unpatched hypervisors.


CPU bound test (HPL) showed a 2% hit.
i/o bound test (fio) showed 30%.

This is before patching the VM, which I expect should have *some* 
additive effect (we'll run the same tests).


And also before patching the ceph storage nodes (again we'll run the 
same tests). I had the same thought about selectively disabling some of 
the kpti using the sysctls on osd nodes, but it will be interesting to 
see the effect first.


Graham

On 01/05/2018 07:24 AM, Xavier Trilla wrote:

> Ok, that's good news, being able to disable the patches in real time is going 
> to really help with the performance testing.
>
> ATM we won't patch our OSD machines -we've had several issues in the past with 
> XFS and some kernels in machines with plenty of OSDs- so I won't have 
> information about how does it affect OSD performance. But we will rollout some 
> upgrades during the next days to our hypervisors, and I'll run some tests to 
> see if librbd performance is affected.
>
> I'm quite worried about latency. We run a pure SSD cluster, and we've invested 
> a lot of time and effort to get latency under 1ms. Losing a 30% because of 
> this, would be really bad news.
>
> I'll post our test results as soon as I have them, but if anybody else has done 
> some testing and can provide some information as well, I think it would be 
> really useful.
>
> Thanks!
> Xavier
>
> -Original Message-
> From: ceph-users [mailto:ceph-users-boun...@lists.ceph.com] On Behalf Of Stijn De 
> Weirdt
> Sent: Friday, 5 January 2018 13:00
> To: ceph-users@lists.ceph.com
> Subject: Re: [ceph-users] Linux Meltdown (KPTI) fix and how it affects 
> performance?
>
> or do it live https://access.redhat.com/articles/3311301
>
> # echo 0 > /sys/kernel/debug/x86/pti_enabled
> # echo 0 > /sys/kernel/debug/x86/ibpb_enabled
> # echo 0 > /sys/kernel/debug/x86/ibrs_enabled
>
> stijn
>
> On 01/05/2018 12:54 PM, David wrote:
> > Hi!
> >
> > nopti or pti=off in kernel options should disable some of the kpti.
> > I haven't tried it yet though, so give it a whirl.
> >
> > https://en.wikipedia.org/wiki/Kernel_page-table_isolation
> >
> > Kind Regards,
> >
> > David Majchrzak
> >
> >
> >> On 5 Jan 2018, at 11:03, Xavier Trilla <xavier.tri...@silicontower.net> wrote:
> >>
> >> Hi Nick,
> >>
> >> I'm actually wondering about exactly the same. Regarding OSDs, I agree, there 
> >> is no reason to apply the security patch to the machines running the OSDs -if 
> >> they are properly isolated in your setup-.
> >>
> >> But I'm worried about the hypervisors, as I don't know how meltdown or Spectre 
> >> patches -AFAIK, only Spectre patch needs to be applied to the host hypervisor, 
> >> Meltdown patch only needs to be applied to guest- will affect librbd 
> >> performance in the hypervisors.
> >>
> >> Does anybody have some information about how Meltdown or Spectre affect ceph 
> >> OSDs and clients?
> >>
> >> Also, regarding Meltdown patch, seems to be a compilation option, meaning you 
> >> could build a kernel without it easily.
> >>
> >> Thanks,
> >> Xavier.
> >>
> >> -Original Message-
> >> From: ceph-users [mailto:ceph-users-boun...@lists.ceph.com] On Behalf Of 
> >> Nick Fisk
> >> Sent: Thursday, 4 January 2018 17:30
> >> To: 'ceph-users' <ceph-users@lists.ceph.com>
> >> Subject: [ceph-users] Linux Meltdown (KPTI) fix and how it affects performance?
> >>
> >> Hi All,
> >>
> >> As the KPTI fix largely only affects the performance where there are a large 
> >> number of syscalls made, which Ceph does a lot of, I was wondering if anybody 
> >> has had a chance to perform any initial tests. I suspect small write latencies 
> >> will the worse affected?
> >>
> >> Although I'm thinking the backend Ceph OSD's shouldn't really be at risk from 
> >> these vulnerabilities, due to them not being direct user facing and could have 
> >> this work around disabled?
> >>
> >> Nick



--
Graham Allan
Minnesota Supercomputing Institute - g...@umn.edu


Re: [ceph-users] Linux Meltdown (KPTI) fix and how it affects performance?

2018-01-05 Thread Xavier Trilla
Ok, that's good news, being able to disable the patches in real time is going 
to really help with the performance testing. 

ATM we won't patch our OSD machines -we've had several issues in the past with 
XFS and some kernels in machines with plenty of OSDs- so I won't have 
information about how does it affect OSD performance. But we will rollout some 
upgrades during the next days to our hypervisors, and I'll run some tests to 
see if librbd performance is affected. 

I'm quite worried about latency. We run a pure SSD cluster, and we've invested 
a lot of time and effort to get latency under 1ms. Losing a 30% because of 
this, would be really bad news.

I'll post our test results as soon as I have them, but if anybody else has done 
some testing and can provide some information as well, I think it would be 
really useful.

Thanks!
Xavier

-Original Message-
From: ceph-users [mailto:ceph-users-boun...@lists.ceph.com] On Behalf Of Stijn De 
Weirdt
Sent: Friday, 5 January 2018 13:00
To: ceph-users@lists.ceph.com
Subject: Re: [ceph-users] Linux Meltdown (KPTI) fix and how it affects 
performance?

or do it live https://access.redhat.com/articles/3311301

# echo 0 > /sys/kernel/debug/x86/pti_enabled
# echo 0 > /sys/kernel/debug/x86/ibpb_enabled
# echo 0 > /sys/kernel/debug/x86/ibrs_enabled

stijn

On 01/05/2018 12:54 PM, David wrote:
> Hi!
> 
> nopti or pti=off in kernel options should disable some of the kpti.
> I haven't tried it yet though, so give it a whirl.
> 
> https://en.wikipedia.org/wiki/Kernel_page-table_isolation 
> 
> Kind Regards,
> 
> David Majchrzak
> 
> 
>> On 5 Jan 2018, at 11:03, Xavier Trilla <xavier.tri...@silicontower.net> wrote:
>>
>> Hi Nick,
>>
>> I'm actually wondering about exactly the same. Regarding OSDs, I agree, 
>> there is no reason to apply the security patch to the machines running the 
>> OSDs -if they are properly isolated in your setup-.
>>
>> But I'm worried about the hypervisors, as I don't know how meltdown or 
>> Spectre patches -AFAIK, only Spectre patch needs to be applied to the host 
>> hypervisor, Meltdown patch only needs to be applied to guest- will affect 
>> librbd performance in the hypervisors. 
>>
>> Does anybody have some information about how Meltdown or Spectre affect ceph 
>> OSDs and clients? 
>>
>> Also, regarding Meltdown patch, seems to be a compilation option, meaning 
>> you could build a kernel without it easily.
>>
>> Thanks,
>> Xavier. 
>>
>> -Original Message-
>> From: ceph-users [mailto:ceph-users-boun...@lists.ceph.com] On Behalf Of 
>> Nick Fisk
>> Sent: Thursday, 4 January 2018 17:30
>> To: 'ceph-users' <ceph-users@lists.ceph.com>
>> Subject: [ceph-users] Linux Meltdown (KPTI) fix and how it affects 
>> performance?
>>
>> Hi All,
>>
>> As the KPTI fix largely only affects the performance where there are a large 
>> number of syscalls made, which Ceph does a lot of, I was wondering if 
>> anybody has had a chance to perform any initial tests. I suspect small write 
>> latencies will the worse affected?
>>
>> Although I'm thinking the backend Ceph OSD's shouldn't really be at risk 
>> from these vulnerabilities, due to them not being direct user facing and 
>> could have this work around disabled?
>>
>> Nick
>>


Re: [ceph-users] Linux Meltdown (KPTI) fix and how it affects performance?

2018-01-05 Thread Stijn De Weirdt
or do it live https://access.redhat.com/articles/3311301

# echo 0 > /sys/kernel/debug/x86/pti_enabled
# echo 0 > /sys/kernel/debug/x86/ibpb_enabled
# echo 0 > /sys/kernel/debug/x86/ibrs_enabled

stijn

On 01/05/2018 12:54 PM, David wrote:
> Hi!
> 
> nopti or pti=off in kernel options should disable some of the kpti.
> I haven't tried it yet though, so give it a whirl.
> 
> https://en.wikipedia.org/wiki/Kernel_page-table_isolation 
> 
> Kind Regards,
> 
> David Majchrzak
> 
> 
>> On 5 Jan 2018, at 11:03, Xavier Trilla <xavier.tri...@silicontower.net> wrote:
>>
>> Hi Nick,
>>
>> I'm actually wondering about exactly the same. Regarding OSDs, I agree, 
>> there is no reason to apply the security patch to the machines running the 
>> OSDs -if they are properly isolated in your setup-.
>>
>> But I'm worried about the hypervisors, as I don't know how meltdown or 
>> Spectre patches -AFAIK, only Spectre patch needs to be applied to the host 
>> hypervisor, Meltdown patch only needs to be applied to guest- will affect 
>> librbd performance in the hypervisors. 
>>
>> Does anybody have some information about how Meltdown or Spectre affect ceph 
>> OSDs and clients? 
>>
>> Also, regarding Meltdown patch, seems to be a compilation option, meaning 
>> you could build a kernel without it easily.
>>
>> Thanks,
>> Xavier. 
>>
>> -Original Message-
>> From: ceph-users [mailto:ceph-users-boun...@lists.ceph.com] On Behalf Of Nick 
>> Fisk
>> Sent: Thursday, 4 January 2018 17:30
>> To: 'ceph-users' <ceph-users@lists.ceph.com>
>> Subject: [ceph-users] Linux Meltdown (KPTI) fix and how it affects 
>> performance?
>>
>> Hi All,
>>
>> As the KPTI fix largely only affects the performance where there are a large 
>> number of syscalls made, which Ceph does a lot of, I was wondering if 
>> anybody has had a chance to perform any initial tests. I suspect small write 
>> latencies will the worse affected?
>>
>> Although I'm thinking the backend Ceph OSD's shouldn't really be at risk 
>> from these vulnerabilities, due to them not being direct user facing and 
>> could have this work around disabled?
>>
>> Nick
>>


Re: [ceph-users] Linux Meltdown (KPTI) fix and how it affects performance?

2018-01-05 Thread David
Hi!

nopti or pti=off in kernel options should disable some of the kpti.
I haven't tried it yet though, so give it a whirl.

https://en.wikipedia.org/wiki/Kernel_page-table_isolation 

Kind Regards,

David Majchrzak


> On 5 Jan 2018, at 11:03, Xavier Trilla <xavier.tri...@silicontower.net> wrote:
> 
> Hi Nick,
> 
> I'm actually wondering about exactly the same. Regarding OSDs, I agree, there 
> is no reason to apply the security patch to the machines running the OSDs -if 
> they are properly isolated in your setup-.
> 
> But I'm worried about the hypervisors, as I don't know how meltdown or 
> Spectre patches -AFAIK, only Spectre patch needs to be applied to the host 
> hypervisor, Meltdown patch only needs to be applied to guest- will affect 
> librbd performance in the hypervisors. 
> 
> Does anybody have some information about how Meltdown or Spectre affect ceph 
> OSDs and clients? 
> 
> Also, regarding Meltdown patch, seems to be a compilation option, meaning you 
> could build a kernel without it easily.
> 
> Thanks,
> Xavier. 
> 
> -Original Message-
> From: ceph-users [mailto:ceph-users-boun...@lists.ceph.com] On Behalf Of Nick 
> Fisk
> Sent: Thursday, 4 January 2018 17:30
> To: 'ceph-users' <ceph-users@lists.ceph.com>
> Subject: [ceph-users] Linux Meltdown (KPTI) fix and how it affects performance?
> 
> Hi All,
> 
> As the KPTI fix largely only affects the performance where there are a large 
> number of syscalls made, which Ceph does a lot of, I was wondering if anybody 
> has had a chance to perform any initial tests. I suspect small write 
> latencies will the worse affected?
> 
> Although I'm thinking the backend Ceph OSD's shouldn't really be at risk from 
> these vulnerabilities, due to them not being direct user facing and could 
> have this work around disabled?
> 
> Nick
> 

___
ceph-users mailing list
ceph-users@lists.ceph.com
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
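
The runtime switches and boot options mentioned in this thread (pti_enabled, ibpb_enabled and ibrs_enabled under /sys/kernel/debug/x86, and nopti / pti=off) make it easy to lose track of which nodes are running with mitigations off. The read-only audit script below is an added example, not code from any poster: the function names and the ROOT prefix argument are hypothetical, and the /sys/devices/system/cpu/vulnerabilities/meltdown file it also consults comes from upstream kernels, not from the thread.

```shell
#!/bin/sh
# Added example: read-only audit of the mitigation switches named in this
# thread. The optional first argument is a hypothetical ROOT prefix, so the
# functions can be pointed at a copied /sys and /proc tree instead of the
# live system.

# Print "knob=value" for each RHEL/CentOS debugfs knob from the thread.
# "absent" means the file is missing or unreadable (unpatched kernel,
# debugfs not mounted, or not running as root).
knob_state() {
    root=${1:-}
    for knob in pti_enabled ibpb_enabled ibrs_enabled; do
        f="$root/sys/kernel/debug/x86/$knob"
        if [ -r "$f" ]; then
            printf '%s=%s\n' "$knob" "$(tr -d ' \n' < "$f")"
        else
            printf '%s=absent\n' "$knob"
        fi
    done
}

# Print "off" when the boot command line carries nopti or pti=off,
# otherwise "default".
cmdline_pti() {
    root=${1:-}
    for word in $(cat "$root/proc/cmdline" 2>/dev/null); do
        case $word in
            nopti|pti=off) echo off; return 0 ;;
        esac
    done
    echo default
}

# Verdict for Meltdown/KPTI: enabled, disabled, vulnerable, not-affected
# or unknown. The runtime knob wins when present, then the upstream sysfs
# report, then the boot command line.
pti_verdict() {
    root=${1:-}
    pti=$(knob_state "$root" | sed -n 's/^pti_enabled=//p')
    vuln="$root/sys/devices/system/cpu/vulnerabilities/meltdown"
    if [ "$pti" != absent ]; then
        if [ "$pti" = 0 ]; then echo disabled; else echo enabled; fi
    elif [ -r "$vuln" ]; then
        case $(cat "$vuln") in
            Mitigation:*)    echo enabled ;;
            "Not affected"*) echo not-affected ;;
            *)               echo vulnerable ;;  # conservative default
        esac
    elif [ "$(cmdline_pti "$root")" = off ]; then
        echo disabled
    else
        echo unknown
    fi
}

# One-line summary per host, suitable for collecting across a cluster.
report() {
    root=${1:-}
    printf '%s pti=%s %s cmdline=%s\n' \
        "$(hostname 2>/dev/null || echo unknown-host)" \
        "$(pti_verdict "$root")" \
        "$(knob_state "$root" | tr '\n' ' ' | sed 's/ $//')" \
        "$(cmdline_pti "$root")"
}

# Run against the live system only when asked: sh audit.sh report [ROOT]
if [ "${1:-}" = report ]; then
    report "${2:-}"
fi
```

Reading the debugfs knobs requires root and a mounted debugfs, so run the report as root on the node being audited.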


Re: [ceph-users] Linux Meltdown (KPTI) fix and how it affects performance?

2018-01-05 Thread Xavier Trilla
Hi Nick,

I'm actually wondering about exactly the same. Regarding OSDs, I agree, there 
is no reason to apply the security patch to the machines running the OSDs -if 
they are properly isolated in your setup-.

But I'm worried about the hypervisors, as I don't know how meltdown or Spectre 
patches -AFAIK, only Spectre patch needs to be applied to the host hypervisor, 
Meltdown patch only needs to be applied to guest- will affect librbd 
performance in the hypervisors. 

Does anybody have some information about how Meltdown or Spectre affect ceph 
OSDs and clients? 

Also, regarding Meltdown patch, seems to be a compilation option, meaning you 
could build a kernel without it easily.

Thanks,
Xavier. 

-Original Message-
From: ceph-users [mailto:ceph-users-boun...@lists.ceph.com] On Behalf Of Nick Fisk
Sent: Thursday, 4 January 2018 17:30
To: 'ceph-users' <ceph-users@lists.ceph.com>
Subject: [ceph-users] Linux Meltdown (KPTI) fix and how it affects performance?

Hi All,

As the KPTI fix largely only affects the performance where there are a large 
number of syscalls made, which Ceph does a lot of, I was wondering if anybody 
has had a chance to perform any initial tests. I suspect small write latencies 
will the worse affected?

Although I'm thinking the backend Ceph OSD's shouldn't really be at risk from 
these vulnerabilities, due to them not being direct user facing and could have 
this work around disabled?

Nick



[ceph-users] Linux Meltdown (KPTI) fix and how it affects performance?

2018-01-04 Thread Nick Fisk
Hi All,

As the KPTI fix largely only affects the performance where there are a large
number of syscalls made, which Ceph does a lot of, I was wondering if
anybody has had a chance to perform any initial tests. I suspect small write
latencies will be the worst affected?

Although I'm thinking the backend Ceph OSD's shouldn't really be at risk
from these vulnerabilities, due to them not being direct user facing and
could have this work around disabled?

Nick
