Meltdown and Spectre Linux Kernel fixes

Discussion in 'Proxmox VE: Installation and configuration' started by martin, Jan 7, 2018.

  1. Inglebard

    Inglebard Member

    Joined:
    May 20, 2016
    Messages:
    43
    Likes Received:
    0
    Hi,

    Here is a newbie question.
    Are Proxmox updates self-sufficient to protect against Meltdown and Spectre, or is it necessary to install Intel microcode from the Debian repository?
     
  2. fabian

    fabian Proxmox Staff Member
    Staff Member

    Joined:
    Jan 7, 2016
    Messages:
    3,213
    Likes Received:
    498
    PVE updates are enough to fix Meltdown. the Spectre fixes / mitigations are still in preparation, the first round will likely only support CPUs with updated microcodes, a later iteration will then have the fallback for all CPUs. check the changelogs once they are available.
     
  3. Inglebard

    Inglebard Member

    Joined:
    May 20, 2016
    Messages:
    43
    Likes Received:
    0
    So do I need to enable Debian non-free and install intel-microcode (yes or no)?
     
  4. aderumier

    aderumier Member

    Joined:
    May 14, 2013
    Messages:
    203
    Likes Received:
    18
    don't install microcode for now, it's known to be buggy and to cause instability
     
  5. Inglebard

    Inglebard Member

    Joined:
    May 20, 2016
    Messages:
    43
    Likes Received:
    0
    Ok, thanks.
     
  6. speedbird

    speedbird Member
    Proxmox Subscriber

    Joined:
    Nov 3, 2017
    Messages:
    45
    Likes Received:
    4
    Installed the updates from pve-enterprise with active subscription but there's no checkbox for PCID anywhere to be seen. What did I do wrong?
     
  7. JustDanMan

    JustDanMan New Member
    Proxmox Subscriber

    Joined:
    Sep 5, 2014
    Messages:
    18
    Likes Received:
    2
    At the moment, the updates are only available in pve-no-subscription.
     
  8. scaa

    scaa Member
    Proxmox Subscriber

    Joined:
    Nov 20, 2015
    Messages:
    106
    Likes Received:
    2
    I didn't notice that at all. Is there a switch in the GUI to turn PCID on/off?
     
  9. stef1777

    stef1777 Member

    Joined:
    Jan 31, 2010
    Messages:
    178
    Likes Received:
    8
    Hi!

    Compatibility and stability problems with the mitigation code continue and are on the rise.

    Spectre and Meltdown patches causing trouble as realistic attacks get closer
    https://arstechnica.com/gadgets/201...sing-trouble-as-realistic-attacks-get-closer/

    Meltdown/Spectre fixes made AWS CPUs cry, says SolarWinds
    https://www.theregister.co.uk/2018/01/15/solarwinds_aws_meltdown_fix_analysis/

    Meltdown-Spectre: More businesses warned off patching over stability issues
    http://www.zdnet.com/article/meltdo...es-warned-off-patching-over-stability-issues/
     
    EuroDomenii likes this.
  10. fabian

    fabian Proxmox Staff Member
    Staff Member

    Joined:
    Jan 7, 2016
    Messages:
    3,213
    Likes Received:
    498
    now on pve-enterprise as well
     
    JustDanMan likes this.
  11. fabian

    fabian Proxmox Staff Member
    Staff Member

    Joined:
    Jan 7, 2016
    Messages:
    3,213
    Likes Received:
    498
    there are new kernel versions for both 4.4 and 5.1 available:

    most of the SPECTRE fixes require having a compatible CPU microcode update enabling IBRS/IBPB support.

    updated pve-qemu-kvm packages which allow passing the spec-ctrl CPU flag to guest VMs are also available in pve-no-subscription (this only works for VMs with CPU type 'host' at the moment, updated qemu-server and pve-manager packages which allow setting this CPU flag for other CPU types are in the works).
     
    chrone and EuroDomenii like this.
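Added example (not part of the thread and not Proxmox code): a check, runnable on the host or inside a guest, for whether the CPU flags discussed above are actually visible to the kernel. The flag spellings `pcid`, `pti`, `spec_ctrl`, `ibrs` and `ibpb` are assumed `/proc/cpuinfo` names that differ between kernel versions, and both sample inputs are constructed.

```shell
#!/bin/sh
# Report which Meltdown/Spectre-related CPU flags a Linux system sees.
# Assumption: the spellings below are /proc/cpuinfo names; they vary
# between kernel versions, so adjust FLAGS_TO_CHECK for your kernel.
FLAGS_TO_CHECK="pcid pti spec_ctrl ibrs ibpb"

# Constructed sample: guest whose virtual CPU passes pcid and spec_ctrl,
# running a KPTI (pti) kernel.
SAMPLE_PATCHED='processor : 0
model name : Constructed Example CPU
flags : fpu vme sse2 pcid invpcid pti spec_ctrl
'

# Constructed sample: only invpcid is present, which must not be
# mistaken for pcid.
SAMPLE_NOPCID='processor : 0
flags : fpu vme sse2 invpcid
'

# cpu_flags: read cpuinfo text on stdin, print the first CPU's flags,
# one per line.
cpu_flags() {
    awk -F: '/^flags[ \t]*:/ {
        n = split($2, f, " ")
        for (i = 1; i <= n; i++) print f[i]
        exit
    }'
}

# mitigation_report: read cpuinfo text on stdin, print NAME=present or
# NAME=absent for every flag in FLAGS_TO_CHECK (whole-word match).
mitigation_report() {
    _seen=$(cpu_flags)
    for _name in $FLAGS_TO_CHECK; do
        if printf '%s\n' "$_seen" | grep -qxF "$_name"; then
            echo "$_name=present"
        else
            echo "$_name=absent"
        fi
    done
}

# Real use: run inside the host or the guest against /proc/cpuinfo.
if [ -r /proc/cpuinfo ]; then
    mitigation_report < /proc/cpuinfo
else
    printf '%s' "$SAMPLE_PATCHED" | mitigation_report
fi
```

Comparing the output on the host with the output inside a VM shows whether the VM's configured CPU type passes a given flag through to the guest.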
  12. fireon

    fireon Well-Known Member
    Proxmox Subscriber

    Joined:
    Oct 25, 2010
    Messages:
    2,964
    Likes Received:
    175
    I didn't read anything about Windows here, so PCID only has an effect with Linux VMs?
     
  13. fabian

    fabian Proxmox Staff Member
    Staff Member

    Joined:
    Jan 7, 2016
    Messages:
    3,213
    Likes Received:
    498
    you'd have to ask Microsoft to know how they implemented their Meltdown mitigation, and whether they use PCID to limit the performance impact..
     
  14. fireon

    fireon Well-Known Member
    Proxmox Subscriber

    Joined:
    Oct 25, 2010
    Messages:
    2,964
    Likes Received:
    175
    Ok, thank you. Will do a support ticket ;)
     
  15. bladux

    bladux New Member

    Joined:
    Nov 7, 2016
    Messages:
    28
    Likes Received:
    0
    Hi,

    Any idea of when the patched kernels will leave pvetest? Kinda worried to switch to pvetest on production servers...
     
  16. fabian

    fabian Proxmox Staff Member
    Staff Member

    Joined:
    Jan 7, 2016
    Messages:
    3,213
    Likes Received:
    498
    the latest round of kernel updates is available up to pve-no-subscription, the Meltdown / KPTI kernels have been in pve-enterprise for a while already.
     
  17. bladux

    bladux New Member

    Joined:
    Nov 7, 2016
    Messages:
    28
    Likes Received:
    0
    I'm on pve-enterprise, I see the pve-manager and qemu-server upgrades.

    I must have missed something, but is it worth installing them without installing a patched kernel? (If the new kernels leave the pvetest/pve-no-subscription zone for a stable one soon, then I probably should wait and install all at once).
     
  18. fabian

    fabian Proxmox Staff Member
    Staff Member

    Joined:
    Jan 7, 2016
    Messages:
    3,213
    Likes Received:
    498
    there have been two rounds of pve-manager and qemu-server packages, so yes - the ones in pve-enterprise match the kernel and pve-qemu in pve-enterprise, the later ones match later updates. we always move packages such that they match (e.g., a pve-manager package exposing a new feature should never be available without the backend package that provides the feature).
     
  19. stef1777

    stef1777 Member

    Joined:
    Jan 31, 2010
    Messages:
    178
    Likes Received:
    8
  20. scaa

    scaa Member
    Proxmox Subscriber

    Joined:
    Nov 20, 2015
    Messages:
    106
    Likes Received:
    2
    load.png

    Host:
    4.13.13-3-pve #1 SMP PVE 4.13.13-34 (Sun, 7 Jan 2018 13:19:58 +0100) x86_64 GNU/Linux
    1x Intel Xeon E3-1240v6
    Supermicro X11SSL-F
    16GB ECC DDR-4
    Adaptec 8405 RAID Controller
    2x Samsung SM863 SSD with Raid-1

    only one VM:
    3.16.0-5-amd64 #1 SMP Debian 3.16.51-3+deb8u1 (2018-01-08) x86_64 GNU/Linux
    KVM, Debian 8

    After that we installed the old kernel again...
    3.16.0-4-amd64 #1 SMP Debian 3.16.51-3 (2017-12-13) x86_64 GNU/Linux
     
    #120 scaa, Jan 17, 2018
    Last edited: Jan 19, 2018