[virt-tools-list] [virt-manager PATCH 3/5] cli: introduce CPU secure parameter
Daniel P. Berrangé
berrange at redhat.com
Thu Apr  4 09:14:21 UTC 2019

On Wed, Apr 03, 2019 at 03:52:49PM +0200, Pavel Hrdina wrote:
> This will allow users to override the default behavior of virt-install
> which copies CPU security features available on the host to the guest
> XML if a specific CPU model is configured.
> 
> Signed-off-by: Pavel Hrdina <phrdina at redhat.com>
> ---
>  man/virt-install.pod                          |  8 +-
>  .../compare/virt-install-cpu-disable-sec.xml  | 93 +++++++++++++++++++
>  tests/clitest.py                              |  1 +
>  virtinst/cli.py                               |  1 +
>  virtinst/domain/cpu.py                        |  7 +-
>  5 files changed, 108 insertions(+), 2 deletions(-)
>  create mode 100644 tests/cli-test-xml/compare/virt-install-cpu-disable-sec.xml
> 
> diff --git a/man/virt-install.pod b/man/virt-install.pod
> index 8407e795..18d44808 100644
> --- a/man/virt-install.pod
> +++ b/man/virt-install.pod
> @@ -216,7 +216,13 @@ required value is MODEL, which is a valid CPU model as known to libvirt.
>  
>  Libvirt's feature policy values force, require, optional, disable, or forbid,
>  or with the shorthand '+feature' and '-feature', which equal 'force=feature'
> -and 'disable=feature' respectively
> +and 'disable=feature' respectively.
> +
> +If exact CPU model is specified virt-install will automatically copy CPU
> +security features available on the host to mitigate recent CPU CVEs.
I'd tweak it slightly to
s/security features/features/
s/CPU CVEs/CPU speculative execution side channel security vulnerabilities./
> +This however will have some impact on performance and will break migration
> +to hosts without security patches.  In order to turn off this default behavior
> +there is a B<secure> parameter.  Possible values are I<on> and I<off>.
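Review bot: the new paragraph never shows how B<secure> is passed or which option it belongs to; since the hunk sits in the B<--cpu> section next to the '+feature'/'-feature' shorthand, add a usage line such as C<--cpu Skylake-Client,secure=off> (example syntax, on the assumption that it is a comma-separated sub-option of --cpu like the feature policies above) so readers can find it. Two wording points in the same paragraph: "If exact CPU model is specified" should read "If an exact CPU model is specified", and "will break migration to hosts without security patches" is vague about the cause; say that the guest XML now carries host security features that an unpatched destination cannot provide, which is why migration there fails.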
At the end, add
 , with I<on> as the default. It is highly recommended to leave this
 enabled and ensure all virtualization hosts have fully up to date
 microcode, kernel & virtualization software installed.
Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
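As an added example (not virt-manager's code and not from this patch), the following stand-alone Python models the behaviour the man page hunk describes: parsing a `--cpu` string of the form `MODEL[,secure=on|off][,+feat][,-feat][,policy=feat]`, copying the host's security features into the guest `<cpu>` as `policy='require'` when `secure` is on, and showing why such a guest cannot start or land on a host that lacks those features. The security-feature list, the host capability XML, the generated XML shape and the `can_start_on` check are assumptions for illustration; virt-install's real logic lives in virtinst/domain/cpu.py, which this message does not show.

```python
"""Illustrative model of virt-install's --cpu "secure" sub-option.

Not virt-manager code. The feature list, host XML and guest XML layout
below are assumptions chosen to make the behaviour visible offline.
"""
import xml.etree.ElementTree as ET

# Assumption: a representative set of libvirt CPU feature names used for
# speculative-execution mitigations. virt-install's real list may differ.
SECURITY_FEATURES = ("spec-ctrl", "ibpb", "stibp", "ssbd",
                     "amd-ssbd", "virt-ssbd", "md-clear")

# Libvirt feature policies named in the man page excerpt.
POLICIES = ("force", "require", "optional", "disable", "forbid")

# Constructed sample: the <cpu> block of a patched host's capabilities XML.
HOST_CPU_XML = """<cpu>
  <arch>x86_64</arch>
  <model>Skylake-Client-IBRS</model>
  <feature name='spec-ctrl'/>
  <feature name='ssbd'/>
  <feature name='md-clear'/>
  <feature name='vmx'/>
</cpu>"""

# Constructed sample: the same CPU on a host without microcode/kernel fixes.
UNPATCHED_HOST_CPU_XML = """<cpu>
  <arch>x86_64</arch>
  <model>Skylake-Client</model>
  <feature name='vmx'/>
</cpu>"""


def host_feature_names(host_cpu_xml):
    """Set of feature names a host advertises."""
    root = ET.fromstring(host_cpu_xml)
    return {f.get("name") for f in root.iter("feature")}


def parse_cpu_option(optstr):
    """Parse 'MODEL[,secure=on|off][,+feat][,-feat][,policy=feat]...'.

    Returns (model, secure, [(feature, policy), ...]) in command-line order.
    secure defaults to True, matching the proposed documentation.
    """
    parts = optstr.split(",")
    model, secure, features = parts[0], True, []
    for tok in parts[1:]:
        if tok.startswith("+"):            # '+feat' == 'force=feat'
            features.append((tok[1:], "force"))
        elif tok.startswith("-"):          # '-feat' == 'disable=feat'
            features.append((tok[1:], "disable"))
        elif "=" in tok:
            key, val = tok.split("=", 1)
            if key == "secure":
                if val not in ("on", "off"):
                    raise ValueError("secure= expects on or off, got %r" % val)
                secure = (val == "on")
            elif key in POLICIES:
                features.append((val, key))
            else:
                raise ValueError("unknown --cpu sub-option %r" % tok)
        else:
            raise ValueError("unknown --cpu sub-option %r" % tok)
    return model, secure, features


def build_guest_cpu_xml(optstr, host_cpu_xml=HOST_CPU_XML):
    """Emit a guest <cpu> element for the given --cpu string.

    With secure on, every mitigation feature the host exposes is copied as
    policy='require' unless the user already gave that feature a policy.
    With secure off only the bare model and explicit features are emitted.
    """
    model, secure, features = parse_cpu_option(optstr)
    cpu = ET.Element("cpu", mode="custom", match="exact")
    ET.SubElement(cpu, "model").text = model
    explicit = {name for name, _ in features}
    if secure:
        available = host_feature_names(host_cpu_xml)
        for name in SECURITY_FEATURES:
            if name in available and name not in explicit:
                features.append((name, "require"))
    for name, policy in features:
        ET.SubElement(cpu, "feature", policy=policy, name=name)
    return ET.tostring(cpu, encoding="unicode")


def required_features(guest_cpu_xml):
    """Feature names the guest XML marks policy='require'."""
    root = ET.fromstring(guest_cpu_xml)
    return {f.get("name") for f in root.iter("feature")
            if f.get("policy") == "require"}


def can_start_on(guest_cpu_xml, host_cpu_xml):
    """Crude check: every required guest feature must exist on the host.

    This is the migration breakage the man page warns about: a secure=on
    guest requires features an unpatched destination does not advertise.
    """
    return required_features(guest_cpu_xml) <= host_feature_names(host_cpu_xml)


if __name__ == "__main__":
    for opt in ("Skylake-Client", "Skylake-Client,secure=off,+vmx"):
        xml = build_guest_cpu_xml(opt)
        print(opt, "->", xml)
        print("  starts on unpatched host:",
              can_start_on(xml, UNPATCHED_HOST_CPU_XML))
```

The default (`secure=on`) guest requires `spec-ctrl`, `ssbd` and `md-clear` and therefore fails the check against the unpatched host, while the `secure=off` guest passes it but runs without those mitigations, which is the trade-off Daniel's suggested wording asks the man page to make explicit.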