best approach to set mitigations=off cluster wide?

[ilia987]

I use around 80% of the nodes in the cluster as a compute grid,
i can freely disable the mitigation on them and gain some performance, what is the best approach?

can it be done to a group of nodes (like based on name pattern) or it must be done one by one in grub ?

do i need to do something special for each vm\lxc as well?

 

[leesteken]

can it be done to a group of nodes (like based on name pattern) or it must be done one by one in grub ?

Kernel parameters like mitigations=off need to be done per node. You probably want to do that per VM as well. Containers share the kernel with the Proxmox node.

 

[ilia987]

should i set mitigations=off
in the line:

GRUB_CMDLINE_LINUX_DEFAULT="quiet mitigations=off"

both on proxmox and vm

is it enough?

 

[katbyte]

I had done this and was surprised to see it didn't seem to work:

[12:32:08] root@mini:~# cat /etc/default/grub
...
GRUB_CMDLINE_LINUX_DEFAULT="quiet mitigations=off intel_iommu=on iommu=pt"

Vulnerabilities:
[12:39:15] root@mini:~# lscpu
...        
  Gather data sampling:  Vulnerable: No microcode
  Itlb multihit:         KVM: Mitigation: VMX disabled
  L1tf:                  Mitigation; PTE Inversion; VMX conditional cache flushes, SMT vulnerable
  Mds:                   Mitigation; Clear CPU buffers; SMT vulnerable
  Meltdown:              Mitigation; PTI
  Mmio stale data:       Mitigation; Clear CPU buffers; SMT vulnerable
  Retbleed:              Mitigation; IBRS
  Spec rstack overflow:  Not affected
  Spec store bypass:     Mitigation; Speculative Store Bypass disabled via prctl
  Spectre v1:            Mitigation; usercopy/swapgs barriers and __user pointer sanitization
  Spectre v2:            Mitigation; IBRS, IBPB conditional, STIBP conditional, RSB filling, PBRSB-eIBRS Not affected
  Srbds:                 Mitigation; Microcode
  Tsx async abort:       Mitigation; TSX disabled

i had to do

[12:45:38] root@mini:~# cat /etc/kernel/cmdline
root=ZFS=rpool/ROOT/pve-1 boot=zfs mitigations=off
[12:45:47] root@mini:~# proxmox-boot-tool refresh

 

[ilia987]

it requires reboot to reload the new config for the kernel

 

[katbyte]

Yes I am aware and there is a reboot in-between there, it didn't work until I changed the kernel cmdline file

 

[Joshua M]

Yes I am aware and there is a reboot in-between there, it didn't work until I changed the kernel cmdline file

changing grub defaults worked for me. maybe you forgot to update-grub after the change?

 

[leesteken]

changing grub defaults works. maybe you forgot to update-grub after the change?

His/her Proxmox installation probably uses systemd-boot instead of GRUB: https://pve.proxmox.com/pve-docs/pve-admin-guide.html#sysboot