OpenVZ Forum


Virtuozzo 7 - Meltdown/Spectre Patch Performance disaster [message #53130] Mon, 15 January 2018 13:15
futureweb
Hey there,
I know it's about Virtuozzo 7 (already got Support Ticket #18222 because of this) and not OpenVZ - but I'm interested if the same Performance Problems are observed with OpenVZ ...

Since the Meltdown/Spectre Patches the Performance dropped to unusable levels. I patched one of our Root Servers which is running 1 (ONE) productive Container with EZ CMS (Apache 2.4.6, PHP 5.6.32) and MySQL/MariaDB DB (5.5.56) to the latest VZ Kernel (3.10.0-693.11.6.vz7.40.4)
Root Server is an HPE Gen9 Blade Server (Xeon CPU E5-2640 v3 @ 2.60GHz), Storage is Virtuozzo Storage running on SSD only (1-2GB/s Performance) - so rather good Hardware Specs ... ;)

So here is what happened when I booted to the patched Kernel:
http://temp.in.futureweb.at/virtuozzo/vz.jpg

completely unusable ... Load AVG spiked up to 150 and more (peaks up to over 200)

Disabling the Security Patches brings the Load down to normal:
Quote:
tee /sys/kernel/debug/x86/*enabled <<< 0


Answer from Virtuozzo Support:
http://temp.in.futureweb.at/virtuozzo/vz1.jpg
http://temp.in.futureweb.at/virtuozzo/vz2.jpg

Essentially this means I can either patch Virtuozzo against Spectre and cripple the Performance so much that the Server is unusable - or I decide to not patch the Server - keep good Performance but stay vulnerable to Spectre ...
Both options are not really satisfactory ...

Has anyone else observed similar issues on OpenVZ? Or got a good Tip for me? ;)

thx, bye from sunny Austria
Andreas Schnederle-Wagner

[Updated on: Mon, 15 January 2018 14:22]
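
For checking which state a node was left in after a test like the one in the post above, a small audit of the same debugfs files. This is an added example, not part of the original post and not Virtuozzo's tooling; it assumes only the `/sys/kernel/debug/x86/*enabled` glob quoted in the post, and the function name `audit_toggles` is hypothetical.

```shell
#!/bin/sh
# Added example: report the state of the mitigation toggles that the
# post switches off with "tee /sys/kernel/debug/x86/*enabled <<< 0".

# audit_toggles DIR
# Prints one line per "*enabled" file in DIR and returns:
#   0 = every toggle holds a non-zero number (mitigation on)
#   1 = at least one toggle reads 0 or holds something unexpected
#   2 = no toggle files found (debugfs not mounted, or the kernel
#       does not expose these files)
audit_toggles() {
    at_dir=$1
    at_found=0
    at_off=0
    for at_file in "$at_dir"/*enabled; do
        # An unmatched glob stays literal; skip it.
        [ -f "$at_file" ] || continue
        at_found=1
        at_name=${at_file##*/}
        # The files hold a small integer followed by a newline.
        at_val=$(tr -d '[:space:]' < "$at_file")
        case $at_val in
            0)
                printf '%-16s OFF (0)\n' "$at_name"
                at_off=1 ;;
            ''|*[!0-9]*)
                # Empty or non-numeric: do not assume it is safe.
                printf '%-16s UNKNOWN (%s)\n' "$at_name" "${at_val:-empty}"
                at_off=1 ;;
            *)
                printf '%-16s on (%s)\n' "$at_name" "$at_val" ;;
        esac
    done
    if [ "$at_found" -ne 1 ]; then
        echo "no *enabled files under $at_dir" >&2
        return 2
    fi
    return "$at_off"
}

# Run as root on the hardware node, passing the debugfs directory:
#   sh audit.sh /sys/kernel/debug/x86
if [ "$#" -gt 0 ]; then
    audit_toggles "$1"
fi
```

The non-zero exit status makes it usable from a monitoring check, so a node where the toggles were zeroed for a benchmark does not silently stay that way.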


Re: Virtuozzo 7 - Meltdown/Spectre Patch Performance disaster [message #53132 is a reply to message #53130] Mon, 15 January 2018 17:00
viadck
Hi,

We run openvz6 on our nodes and we have also seen an important performance impact as explained here: https://forum.openvz.org/index.php?t=tree&goto=53129&S=e69f527aaf3966212d966f6e92e8180f#msg_53129

I suppose it's all quite related, independent of which exact OS used.

Disabling the problematic software in this case (clamav) has stabilized things on that particular node but I understand that this is only a workaround. But we can't really think of anything else if we want to be protected.

Regards!

Re: Virtuozzo 7 - Meltdown/Spectre Patch Performance disaster [message #53133 is a reply to message #53130] Tue, 16 January 2018 14:47
wishd
I have not personally seen the impact on openvz6 across many servers. However, on openvz7 (not virtuozzo) I did experience something posted at https://forum.openvz.org/index.php?t=tree&th=13427&start=0 which perhaps is related to what you are seeing.

Re: Virtuozzo 7 - Meltdown/Spectre Patch Performance disaster [message #53134 is a reply to message #53133] Tue, 16 January 2018 19:09
futureweb
wishd wrote on Tue, 16 January 2018 15:47
I have not personally seen the impact on openvz6 across many servers. However, on openvz7 (not virtuozzo) I did experience something posted at https://forum.openvz.org/index.php?t=tree&th=13427&start=0 which perhaps is related to what you are seeing.


Haven't noticed similar Problems on any of our Nodes ... just the Problem I described in my initial post.

Re: Virtuozzo 7 - Meltdown/Spectre Patch Performance disaster [message #53147 is a reply to message #53134] Wed, 17 January 2018 15:33
wishd
futureweb - out of curiosity do you have kmemsize limits set?

Re: Virtuozzo 7 - Meltdown/Spectre Patch Performance disaster [message #53148 is a reply to message #53147] Wed, 17 January 2018 15:40
futureweb
wishd wrote on Wed, 17 January 2018 16:33
futureweb - out of curiosity do you have kmemsize limits set?

nope

Quote:
[root@xxx ~]# cat /proc/user_beancounters
Version: 2.5
uid resource held maxheld barrier limit failcnt
xxx: kmemsize 1107066880 2246660096 9223372036854775807 9223372036854775807 0

Re: Virtuozzo 7 - Meltdown/Spectre Patch Performance disaster [message #53153 is a reply to message #53130] Tue, 23 January 2018 23:45
bjdea1
Spectre and Meltdown: Linux creator Linus Torvalds criticises Intel's 'garbage' patches

Updated: 'We are actively engaging with the Linux community, including Linus,' says Intel.

Linus Torvalds is not happy about the patches that Intel has developed to protect the Linux kernel from the Spectre and Linux flaws.

In a posting on the Linux kernel mailing list, the Linux creator criticised differences in the way that Intel approached patches for the Meltdown and Spectre flaws. He said of the patches: "They do literally insane things. They do things that do not make sense."

Torvalds added: "And I really don't want to see these garbage patches just mindlessly sent around."

http://www.zdnet.com/article/spectre-and-meltdown-linux-creator-linus-torvalds-criticises-intels-garbage-patches/


Stop using our faulty patches: Intel

Intel is updating patches to fix security holes in its chips that leave users exposed to the Meltdown and Spectre flaws and help hackers steal information.

Intel Corp has asked computer makers to stop rolling out a set of faulty patches it issued to fix security flaws in its chips and instead start testing an updated version.

The company said on Monday that it wanted computer manufacturers and data centre owners to stop using the current fixes for the so-called Meltdown and Spectre security flaws, which can let hackers steal sensitive information from computers made with its processors.

The patches, which the company spent months crafting, cause computers to reboot more often than normal.

Instead, Intel asked customers to start testing an updated version of its patches that it began sending out on Saturday and Sunday. Intel also said it had identified the root cause of the reboot problem in its older Broadwell and Haswell processors.


https://www.sbs.com.au/news/stop-using-our-faulty-patches-intel



Looks like Intel has made a bit of a mess of this. Does this affect OpenVZ?


Deasoft.com Hosting/Software
AutoBillMe.com Billing Automation

[Updated on: Tue, 23 January 2018 23:58]
