Re: [ovirt-users] Re: Testing ovirt 4.4.1 Nested KVM on Skylake-client (core i5) does not work

Monday, 14 September 2020

On Mon, Sep 14, 2020 at 8:42 AM Yedidyah Bar David <didi(a)redhat.com&gt; wrote:
...

 On Mon, Sep 14, 2020 at 12:28 AM wodel youchi <wodel.youchi(a)gmail.com&gt; wrote:
 >
 > Hi,
 >
 > Thanks for the help, I think I found the solution using this link :
https://www.berrange.com/posts/2018/06/29/cpu-model-configuration-for-qem...
 >
 > When executing : virsh dumpxml on my ovirt hypervisor I saw that the mpx flag was
disabled, so I edited the XML file of the hypervisor VM and I did this : add the already
enabled features and enable mpx with them. I stopped/started my hyerpvisor VM and voila,
le nested VM-Manager has booted successfully.
 >
 >
 > <cpu mode="host-model" check="partial">
 >     <feature policy="require" name="ss"/>
 >     <feature policy="require" name="vmx"/>
 >     <feature policy="require" name="pdcm"/>
 >     <feature policy="require" name="hypervisor"/>
 >     <feature policy="require" name="tsc_adjust"/>
 >     <feature policy="require" name="clflushopt"/>
 >     <feature policy="require" name="umip"/>
 >     <feature policy="require" name="md-clear"/>
 >     <feature policy="require" name="stibp"/>
 >     <feature policy="require" name="arch-capabilities"/>
 >     <feature policy="require" name="ssbd"/>
 >     <feature policy="require" name="xsaves"/>
 >     <feature policy="require" name="pdpe1gb"/>
 >     <feature policy="require" name="ibpb"/>
 >     <feature policy="require" name="amd-ssbd"/>
 >     <feature policy="require" name="skip-l1dfl-vmentry"/>
 >     <feature policy="require" name="mpx"/>
 >   </cpu

 Thanks for the report!

 Would you like to open a bug about this?

 A possible fix is probably to pass relevant options to the
 virt-install command in ovirt-ansible-hosted-engine-setup.
 Either always - no idea what the implications are - or
 optionally, or even allow the user to pass arbitrary options. 
I don't think we need to do such change on our side. This seems like a
hard to reproduce libvirt bug.

The strange thing is that after playing with the XML generated by
virt-manager, using

[x] Copy host CPU configuration

Creating this XML:

  <cpu mode='custom' match='exact' check='full'>
    <model fallback='forbid'>Skylake-Client-IBRS</model>
    <vendor>Intel</vendor>
    <feature policy='require' name='ss'/>
    <feature policy='require' name='vmx'/>
    <feature policy='require' name='pdcm'/>
    <feature policy='require' name='hypervisor'/>
    <feature policy='require' name='tsc_adjust'/>
    <feature policy='require' name='clflushopt'/>
    <feature policy='require' name='umip'/>
    <feature policy='require' name='md-clear'/>
    <feature policy='require' name='stibp'/>
    <feature policy='require' name='arch-capabilities'/>
    <feature policy='require' name='ssbd'/>
    <feature policy='require' name='xsaves'/>
    <feature policy='require' name='pdpe1gb'/>
    <feature policy='require' name='ibpb'/>
    <feature policy='require' name='amd-stibp'/>
    <feature policy='require' name='amd-ssbd'/>
    <feature policy='require' name='skip-l1dfl-vmentry'/>
    <feature policy='require' name='pschange-mc-no'/>
    <feature policy='disable' name='mpx'/>
  </cpu>

Or using this XML in virt-manager:

  <cpu mode="host-passthrough" check="none"
migratable="on"/>

Both work with these cluster CPU Type:

- Secure Intel Skylake Client Family
- Intel Skylake Client Family

I think the best place to discuss this is libvirt-users mailing list:
https://www.redhat.com/mailman/listinfo/libvirt-users

Nir

...
 Thanks and best regards,

 >
 >
 > Regards.
 >
 > Le dim. 13 sept. 2020 à 19:47, Nir Soffer <nsoffer(a)redhat.com&gt; a écrit :
 >>
 >> On Sun, Sep 13, 2020 at 8:32 PM wodel youchi <wodel.youchi(a)gmail.com&gt;
wrote:
 >> >
 >> > Hi,
 >> >
 >> > I've been using my core i5 6500 (skylake-client) for some time now to
test oVirt on my machine.
 >> > However this is no longer the case.
 >> >
 >> > I am using Fedora 32 as my base system with nested-kvm enabled, when I try
to install oVirt 4.4 as HCI single node, I get an error in the last phase which consists
of copying the VM-Manager to the engine volume and boot it.
 >> > It is the boot that causes the problem, I get an error about the CPU :
 >> > the CPU is incompatible with host CPU: Host CPU does not provide required
features: mpx
 >> >
 >> > This is the CPU part from virsh domcapabilities on my physical machine
 >> > <cpu>
 >> >    <mode name='host-passthrough' supported='yes'/>
 >> >    <mode name='host-model' supported='yes'>
 >> >      <model
fallback='forbid'>Skylake-Client-IBRS</model>
 >> >      <vendor>Intel</vendor>
 >> >      <feature policy='require' name='ss'/>
 >> >      <feature policy='require' name='vmx'/>
 >> >      <feature policy='require' name='pdcm'/>
 >> >      <feature policy='require' name='hypervisor'/>
 >> >      <feature policy='require' name='tsc_adjust'/>
 >> >      <feature policy='require' name='clflushopt'/>
 >> >      <feature policy='require' name='umip'/>
 >> >      <feature policy='require' name='md-clear'/>
 >> >      <feature policy='require' name='stibp'/>
 >> >      <feature policy='require'
name='arch-capabilities'/>
 >> >      <feature policy='require' name='ssbd'/>
 >> >      <feature policy='require' name='xsaves'/>
 >> >      <feature policy='require' name='pdpe1gb'/>
 >> >      <feature policy='require' name='invtsc'/>
 >> >      <feature policy='require' name='ibpb'/>
 >> >      <feature policy='require' name='amd-ssbd'/>
 >> >      <feature policy='require'
name='skip-l1dfl-vmentry'/>
 >> >    </mode>
 >> >    <mode name='custom' supported='yes'>
 >> >      <model usable='yes'>qemu64</model>
 >> >      <model usable='yes'>qemu32</model>
 >> >      <model usable='no'>phenom</model>
 >> >      <model usable='yes'>pentium3</model>
 >> >      <model usable='yes'>pentium2</model>
 >> >      <model usable='yes'>pentium</model>
 >> >      <model usable='yes'>n270</model>
 >> >      <model usable='yes'>kvm64</model>
 >> >      <model usable='yes'>kvm32</model>
 >> >      <model usable='yes'>coreduo</model>
 >> >      <model usable='yes'>core2duo</model>
 >> >      <model usable='no'>athlon</model>
 >> >      <model usable='yes'>Westmere-IBRS</model>
 >> >      <model usable='yes'>Westmere</model>
 >> >      <model usable='no'>Skylake-Server-IBRS</model>
 >> >      <model usable='no'>Skylake-Server</model>
 >> >      <model usable='yes'>Skylake-Client-IBRS</model>
 >> >      <model usable='yes'>Skylake-Client</model>
 >> >      <model usable='yes'>SandyBridge-IBRS</model>
 >> >      <model usable='yes'>SandyBridge</model>
 >> >      <model usable='yes'>Penryn</model>
 >> >      <model usable='no'>Opteron_G5</model>
 >> >      <model usable='no'>Opteron_G4</model>
 >> >      <model usable='no'>Opteron_G3</model>
 >> >      <model usable='yes'>Opteron_G2</model>
 >> >      <model usable='yes'>Opteron_G1</model>
 >> >      <model usable='yes'>Nehalem-IBRS</model>
 >> >      <model usable='yes'>Nehalem</model>
 >> >      <model usable='yes'>IvyBridge-IBRS</model>
 >> >      <model usable='yes'>IvyBridge</model>
 >> >      <model usable='no'>Icelake-Server</model>
 >> >      <model usable='no'>Icelake-Client</model>
 >> >      <model usable='yes'>Haswell-noTSX-IBRS</model>
 >> >      <model usable='yes'>Haswell-noTSX</model>
 >> >      <model usable='yes'>Haswell-IBRS</model>
 >> >      <model usable='yes'>Haswell</model>
 >> >      <model usable='no'>EPYC-IBPB</model>
 >> >      <model usable='no'>EPYC</model>
 >> >      <model usable='no'>Dhyana</model>
 >> >      <model usable='yes'>Conroe</model>
 >> >      <model usable='no'>Cascadelake-Server</model>
 >> >      <model usable='yes'>Broadwell-noTSX-IBRS</model>
 >> >      <model usable='yes'>Broadwell-noTSX</model>
 >> >      <model usable='yes'>Broadwell-IBRS</model>
 >> >      <model usable='yes'>Broadwell</model>
 >> >      <model usable='yes'>486</model>
 >> >    </mode>
 >> >  </cpu>
 >> >
 >> > Here is the lscpu of my physical machine
 >> > # lscpu
 >> > Architecture:                    x86_64
 >> > CPU op-mode(s):                  32-bit, 64-bit
 >> > Byte Order:                      Little Endian
 >> > Address sizes:                   39 bits physical, 48 bits virtual
 >> > CPU(s):                          4
 >> > On-line CPU(s) list:             0-3
 >> > Thread(s) per core:              1
 >> > Core(s) per socket:              4
 >> > Socket(s):                       1
 >> > NUMA node(s):                    1
 >> > Vendor ID:                       GenuineIntel
 >> > CPU family:                      6
 >> > Model:                           94
 >> > Model name:                      Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz
 >> > Stepping:                        3
 >> > CPU MHz:                         954.588
 >> > CPU max MHz:                     3600.0000
 >> > CPU min MHz:                     800.0000
 >> > BogoMIPS:                        6399.96
 >> > Virtualization:                  VT-x
 >> > L1d cache:                       128 KiB
 >> > L1i cache:                       128 KiB
 >> > L2 cache:                        1 MiB
 >> > L3 cache:                        6 MiB
 >> > NUMA node0 CPU(s):               0-3
 >> > Vulnerability Itlb multihit:     KVM: Mitigation: Split huge pages
 >> > Vulnerability L1tf:              Mitigation; PTE Inversion; VMX conditional
cache flushes, SMT disabled
 >> > Vulnerability Mds:               Mitigation; Clear CPU buffers; SMT
disabled
 >> > Vulnerability Meltdown:          Mitigation; PTI
 >> > Vulnerability Spec store bypass: Mitigation; Speculative Store Bypass
disabled via prctl and seccomp
 >> > Vulnerability Spectre v1:        Mitigation; usercopy/swapgs barriers and
__user pointer sanitization
 >> > Vulnerability Spectre v2:        Mitigation; Full generic retpoline, IBPB
conditional, IBRS_FW, STIBP disabled, RSB filling
 >> > Vulnerability Srbds:             Vulnerable: No microcode
 >> > Vulnerability Tsx async abort:   Mitigation; Clear CPU buffers; SMT
disabled
 >> > Flags:                           fpu vme de pse tsc msr pae mce cx8 apic
sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx
pdpe1gb rdtscp lm constan
 >> >                                 t_tsc art arch_perfmon pebs bts rep_good
nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx smx
est tm2 ssse3 sdbg fma cx16
 >> >                                  xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe
popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault
invpcid_single pti ssbd
 >> >                                  ibrs ibpb stibp tpr_shadow vnmi
flexpriority ept vpid ept_ad fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm
mpx rdseed adx smap clflushopt in
 >> >                                 tel_pt xsaveopt xsavec xgetbv1 xsaves
dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp md_clear flush_l1d
 >> >
 >> >
 >> >
 >> > Here is the CPU part from virsh dumpxml of my ovirt hypervisor
 >> > <cpu mode='custom' match='exact'
check='full'>
 >> >    <model
fallback='forbid'>Skylake-Client-IBRS</model>
 >> >    <vendor>Intel</vendor>
 >> >    <feature policy='require' name='ss'/>
 >> >    <feature policy='require' name='vmx'/>
 >> >    <feature policy='require' name='pdcm'/>
 >> >    <feature policy='require' name='hypervisor'/>
 >> >    <feature policy='require' name='tsc_adjust'/>
 >> >    <feature policy='require' name='clflushopt'/>
 >> >    <feature policy='require' name='umip'/>
 >> >    <feature policy='require' name='md-clear'/>
 >> >    <feature policy='require' name='stibp'/>
 >> >    <feature policy='require'
name='arch-capabilities'/>
 >> >    <feature policy='require' name='ssbd'/>
 >> >    <feature policy='require' name='xsaves'/>
 >> >    <feature policy='require' name='pdpe1gb'/>
 >> >    <feature policy='require' name='ibpb'/>
 >> >    <feature policy='require' name='amd-ssbd'/>
 >> >    <feature policy='require'
name='skip-l1dfl-vmentry'/>
 >> >    <feature policy='disable' name='mpx'/>
 >> >  </cpu>
 >> >
 >> > Here is the lcpu of my ovirt hypervisor
 >> > [root@node1 ~]# lscpu
 >> > Architecture :                          x86_64
 >> > Mode(s) opératoire(s) des processeurs : 32-bit, 64-bit
 >> > Boutisme :                              Little Endian
 >> > Processeur(s) :                         4
 >> > Liste de processeur(s) en ligne :       0-3
 >> > Thread(s) par cœur :                    1
 >> > Cœur(s) par socket :                    1
 >> > Socket(s) :                             4
 >> > Nœud(s) NUMA :                          1
 >> > Identifiant constructeur :              GenuineIntel
 >> > Famille de processeur :                 6
 >> > Modèle :                                94
 >> > Nom de modèle :                         Intel Core Processor (Skylake,
IBRS)
 >> > Révision :                              3
 >> > Vitesse du processeur en MHz :          3191.998
 >> > BogoMIPS :                              6383.99
 >> > Virtualisation :                        VT-x
 >> > Constructeur d'hyperviseur :            KVM
 >> > Type de virtualisation :                complet
 >> > Cache L1d :                             32K
 >> > Cache L1i :                             32K
 >> > Cache L2 :                              4096K
 >> > Cache L3 :                              16384K
 >> > Nœud NUMA 0 de processeur(s) :          0-3
 >> > Drapaux :                               fpu vme de pse tsc msr pae mce cx8
apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx pdpe1gb
rdtscp lm constant_tsc rep_go
 >> > od nopl xtopology cpuid tsc_known_freq pni pclmulqdq vmx ssse3 fma cx16
pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand
hypervisor lahf_lm abm 3dnow
 >> > prefetch cpuid_fault invpcid_single pti ssbd ibrs ibpb stibp tpr_shadow
vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm
rdseed adx smap clflushopt xs
 >> > aveopt xsavec xgetbv1 xsaves arat umip md_clear arch_capabilities
 >> >
 >> > it seems not all the flags are presented to the hypervisor especially the
mpx which causes the error
 >> >
 >> > Is there a workaround for this?
 >>
 >> I'm using a similar setup, using older generation CPU works.
 >>
 >> Cluster CPU Type:
 >> Intel Broadwell Family
 >>
 >> It looks like this bug:
 >> https://bugzilla.redhat.com/1609818
 >>
 >> But it cannot be fixed by resetting the cpu type, suggested in:
 >> https://bugzilla.redhat.com/show_bug.cgi?id=1609818#c9
 >>
 >> Nir
 >>
 >>
 >> Nir
 >>
 > _______________________________________________
 > Users mailing list -- users(a)ovirt.org
 > To unsubscribe send an email to users-leave(a)ovirt.org
 > Privacy Statement: https://www.ovirt.org/privacy-policy.html
 > oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
 > List Archives:

 --
 Didi

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010