Ubuntu Server team update - 1 July 2019

VIRTUALIZATION

  1. QEMU HW mitigations support (ARCH_CAPABILITIES)
    LP: #1828495 | PPA: #1828495 | MERGE: #1828495

Backported ARCH_CAPABILITIES MSR to QEMU 3.1 (Ubuntu Disco, this time). Based on @paelzer’s review on my Bionic patches. PPA is good for testing if anyone is interested.

With this feature, a guest can now report that it is not susceptible to a specific side-channel vulnerability. In this particular case, by supporting the IA32_ARCH_CAPABILITIES MSR we are able to expose the same MSR to a KVM/QEMU guest, informing its kernel about HW support for:

  • IBRS_ALL (enhanced IBRS support)
  • SKIP_L1DFL_VMENTRY (no L1D flush is needed on VMENTRY)
  • RDCL_NO (HW is not vulnerable to Rogue Data Cache Load)
  • Foreshadow-NG (OS) vuln. (L1 terminal fault, OS)
  • Foreshadow-NG (VMM) vuln. (L1 terminal fault, VMM)

and letting it make better decisions about which mitigation to use, if one is needed at all (improving guest performance on those CPUs).
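To make the mechanism concrete, here is an added example that is not code from this post, from QEMU or from the Ubuntu packages. It decodes an IA32_ARCH_CAPABILITIES value the way a guest kernel would and derives the mitigation decisions that follow from it. The MSR address (0x10a) and bit positions are Intel's definitions; the decision rules are a simplified, constructed summary of what the Linux x86 bug-detection logic does (a "_NO" bit set means "not susceptible"); the function names and the sample MSR values are mine.

```python
import os
import struct

# MSR address of IA32_ARCH_CAPABILITIES (Intel SDM).
MSR_IA32_ARCH_CAPABILITIES = 0x10A

# Bit positions in IA32_ARCH_CAPABILITIES (Intel SDM). A set "*_NO" bit
# means the hardware is NOT susceptible to the named issue.
ARCH_CAP_BITS = {
    "RDCL_NO": 0,              # not susceptible to Rogue Data Cache Load (Meltdown)
    "IBRS_ALL": 1,             # enhanced IBRS: set once, stays effective
    "RSBA": 2,                 # RSB alternate: RET may fall back to the indirect predictor
    "SKIP_L1DFL_VMENTRY": 3,   # hypervisor need not flush L1D on VMENTRY
    "SSB_NO": 4,               # not susceptible to Speculative Store Bypass
    "MDS_NO": 5,               # not susceptible to Microarchitectural Data Sampling
}


def decode_arch_capabilities(value: int) -> dict:
    """Return {bit_name: bool} for every bit listed in ARCH_CAP_BITS."""
    return {name: bool(value >> bit & 1) for name, bit in ARCH_CAP_BITS.items()}


def mitigation_decisions(value: int) -> dict:
    """Derive the decisions a guest kernel (or a hypervisor) can take from the MSR.

    Simplified, constructed summary of the rules Linux applies on x86:
      - no RDCL_NO           -> Meltdown and L1TF (Foreshadow-NG) mitigations needed
      - no SKIP_L1DFL_VMENTRY -> an L1TF-affected hypervisor must flush L1D on VMENTRY
      - IBRS_ALL             -> enhanced IBRS is usable instead of retpolines
      - no MDS_NO            -> MDS mitigation (CPU buffer clearing) is needed
    """
    caps = decode_arch_capabilities(value)
    return {
        "meltdown_mitigation_needed": not caps["RDCL_NO"],
        "l1tf_mitigation_needed": not caps["RDCL_NO"],
        "vmentry_l1d_flush_needed": not caps["RDCL_NO"] and not caps["SKIP_L1DFL_VMENTRY"],
        "enhanced_ibrs_available": caps["IBRS_ALL"],
        "mds_mitigation_needed": not caps["MDS_NO"],
    }


def read_arch_capabilities(cpu: int = 0):
    """Read the live MSR through /dev/cpu/<n>/msr (needs root and the msr module).

    Returns None when the device is missing, unreadable, or the CPU does not
    implement the MSR (the kernel then fails the read with EIO).
    """
    path = f"/dev/cpu/{cpu}/msr"
    try:
        fd = os.open(path, os.O_RDONLY)
    except OSError:
        return None
    try:
        raw = os.pread(fd, 8, MSR_IA32_ARCH_CAPABILITIES)
    except OSError:
        return None
    finally:
        os.close(fd)
    if len(raw) != 8:
        return None
    return struct.unpack("<Q", raw)[0]


def describe(value: int) -> str:
    """Human-readable summary: set bits plus the derived decisions."""
    caps = decode_arch_capabilities(value)
    flags = ", ".join(n for n, on in caps.items() if on) or "(none)"
    lines = [f"IA32_ARCH_CAPABILITIES = 0x{value:x}: {flags}"]
    for key, val in mitigation_decisions(value).items():
        lines.append(f"  {key}: {val}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample values, not captured from real hardware:
    legacy = 0x0                                        # older CPU: nothing reported, all mitigations on
    newer = (1 << 0) | (1 << 1) | (1 << 3) | (1 << 5)   # hardware-fixed CPU
    print(describe(legacy))
    print(describe(newer))
    live = read_arch_capabilities()
    print("live MSR:", f"0x{live:x}" if live is not None else "not readable here")
```

Inside a guest, the quickest check that the MSR was passed through is whether `arch_capabilities` appears among the flags in /proc/cpuinfo; without it the guest kernel sees value 0 and falls back to the most conservative mitigations, which is exactly the performance cost this backport removes for fixed hardware.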

  • Libvirt support for {Ice,Cascade}Lake CPUs might be needed now.
  • Still waiting on some more requests from Intel (might be to enable features by default, might be to add Cascade Lake v2, I’ll inform here next week).
  2. Reviewed @paelzer’s QEMU ppc backports of the count cache flush Spectre v2 mitigation (CVE) (check his reply on this topic).

UBUNTU HA

  1. Corosync and Redundant Rings - The Totem Protocol Explained
    I published an article I had written not long ago, explaining how to get redundant rings in corosync and what to expect from configuration option changes.

  2. CTDB NFS HA Enablement
    LP: #722201 | DOC: #722201 | PPA: #722201 | MR: #722201
    Enabling Samba CTDB for NFS HA: @ahasenack gave me good feedback on the documentation and on how the patch should be organized for easier maintenance. I have made the modifications and provided documentation (in discourse) on how to use this new package (from the PPA for now).