Additional CPU Flags for OPNSense

[absolutesantaja]

I'm trying to figure out if it's possible to add the CPU flags sse4_1 and sse4_2 when your using the default kvm64 cpu type? OPNSense complains about the lack of SSE4_1 when I enable the AES flag. If I pick the host cpu type AES works correctly but for some reason OPNSense routing performance is reduced by 50%. I can pick a cpu type of SandyBridge and everything works but that seems like maybe the wrong approach. Trying to set the flag via qm fails with a regex error.

root@cloudctl1:~# qm set 100 --cpu=kvm64,flags=+sse4.1
400 Parameter verification failed.
cpu: invalid format - format error
cpu.flags: value does not match the regex pattern

I found the cpu flags here http://www.linux-kvm.org/page/Tuning_KVM

 

[oguz]

hi,

you can try with a custom cpu model[0]

/etc/pve/virtual-guest/cpu-models.conf

 
cpu-model: cpu1
    flags +aes;+sse4.1
    reported-model host

qm set 100 --cpu=custom-cpu1

[0]: https://pve.proxmox.com/pipermail/pve-devel/2019-October/039608.html

 

[absolutesantaja]

I can't seem to get that to work. I rebooted after adding the file.

I'm running pve-manager/6.1-8/806edfe1 (running kernel: 5.3.18-3-pve)

root@cloudctl1:~# cat /etc/pve/virtual-guest/cpu-models.conf
cpu-model: cpu1
    flags +aes;+sse4.1
    reported-model host
root@cloudctl1:~# qm set 100 --cpu=custom-cpu1
400 Parameter verification failed.
cpu: invalid format - format error
cpu.cputype: value 'custom-cpu1' does not have a value in the enumeration '486, athlon, Broadwell, Broadwell-IBRS, Broadwell-noTSX, Broadwell-noTSX-IBRS, Cascadelake-Server, Cascadelake-Server-noTSX, Conroe, core2duo, coreduo, EPYC, EPYC-IBPB, Haswell, Haswell-IBRS, Haswell-noTSX, Haswell-noTSX-IBRS, host, Icelake-Client, Icelake-Client-noTSX, Icelake-Server, Icelake-Server-noTSX, IvyBridge, IvyBridge-IBRS, KnightsMill, kvm32, kvm64, max, Nehalem, Nehalem-IBRS, Opteron_G1, Opteron_G2, Opteron_G3, Opteron_G4, Opteron_G5, Penryn, pentium, pentium2, pentium3, phenom, qemu32, qemu64, SandyBridge, SandyBridge-IBRS, Skylake-Client, Skylake-Client-IBRS, Skylake-Client-noTSX-IBRS, Skylake-Server, Skylake-Server-IBRS, Skylake-Server-noTSX-IBRS, Westmere, Westmere-IBRS'

qm set <vmid> [OPTIONS]
root@cloudctl1:~# qm set 100 --cpu=cpu1
400 Parameter verification failed.
cpu: invalid format - format error
cpu.cputype: value 'cpu1' does not have a value in the enumeration '486, athlon, Broadwell, Broadwell-IBRS, Broadwell-noTSX, Broadwell-noTSX-IBRS, Cascadelake-Server, Cascadelake-Server-noTSX, Conroe, core2duo, coreduo, EPYC, EPYC-IBPB, Haswell, Haswell-IBRS, Haswell-noTSX, Haswell-noTSX-IBRS, host, Icelake-Client, Icelake-Client-noTSX, Icelake-Server, Icelake-Server-noTSX, IvyBridge, IvyBridge-IBRS, KnightsMill, kvm32, kvm64, max, Nehalem, Nehalem-IBRS, Opteron_G1, Opteron_G2, Opteron_G3, Opteron_G4, Opteron_G5, Penryn, pentium, pentium2, pentium3, phenom, qemu32, qemu64, SandyBridge, SandyBridge-IBRS, Skylake-Client, Skylake-Client-IBRS, Skylake-Client-noTSX-IBRS, Skylake-Server, Skylake-Server-IBRS, Skylake-Server-noTSX-IBRS, Westmere, Westmere-IBRS'

qm set <vmid> [OPTIONS]

 

[absolutesantaja]

I also tried putting the file at /etc/pve/cpu-models.conf based on the mailing list but it didn't make a difference. The list of valid CPUs seems to be hard coded.

 

[oguz]

sorry, i forgot to mention that you need to get it from pvetest repository [0], as this is a relatively new addition

[0]: https://pve.proxmox.com/wiki/Package_Repositories#sysadmin_test_repo

 

[jschelfh]

I have the same problem with sse4.1 flag in opnsense
Were you ever able to get this working ?
my config: /etc/pve/virtual-guests/cpu-models.conf
cpu-model: custom-cpu1
flags +aes;+sse4.1

# qm set 101 --cpu=custom-cpu1
400 Parameter verification failed.
cpu: invalid format - Custom cputype 'cpu1' not found

 

[mac.linux.free]

args: -cpu qemu64,+ssse3,+sse4.1,+sse4.2,+x2apic,aes,rdrand

this is how it works for me