Spectre, Meltdown, and L1TF recommendations for SUSE Enterprise Storage
This document (7023480) is provided subject to the disclaimer at the end of this document.
Environment
Situation
The Spectre, Meltdown, and L1TF issues made public in 2018 come up frequently when tuning storage performance, because in some workloads disabling the kernel mitigations for them provides a noticeable performance benefit.
Resolution
Relevant information on each issue is below:
- Spectre & Meltdown: TID 7022512
- L1 Terminal Fault (L1TF): TID 7023077
- This guidance only holds true if there is NO other workload running on the nodes in question.
- This includes any non-SUSE Enterprise Storage packages, third-party monitoring agents, or any other additional services enabled by the customer.
- This guidance needs to be discussed with, and agreed upon by, the customer's corporate IT security team.
SUSE guidance is:
- Spectre & Meltdown mitigations can be disabled to improve performance on the following nodes:
  - OSD (storage) node
  - CephFS Metadata Server (MDS) node
  - Monitor node
  - iSCSI Gateway
  - NFS Gateway
  - CIFS/SMB Gateway
- As a general rule, RADOS Gateways (RGW) should have the mitigations enabled as they tend to be a publicly exposed interface.
- In certain environments where the network is tightly controlled, it MAY be acceptable to disable the mitigations on the RGW nodes. Such environments could be those where S3 is used as a target for backup and archive operations on a private network and/or a location where load-balancer infrastructure with threat mitigations is employed.
- If the customer wishes to disable mitigations on the RGW, it is recommended that a thorough review of the architecture and possible attack vectors be carried out first.
- The admin (openATTIC/salt) node(s) should have the mitigations enabled as they provide web services that accept unprivileged logins, thus broadening the potential attack surface.
- If RADOS Object Classes are in use, it may be advisable to enable the mitigations on the OSD nodes as the classes provide a path to code execution on each storage node.
- If there is ANY doubt about the node, the mitigations should be enabled in order to help maintain a strong security posture.
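The guidance above amounts to a per-role policy: RGW and admin nodes must report mitigations active, every other role may have them off, and anything unclassified is treated as "any doubt". The following script is an added example written for this page, not part of the SUSE TID or the SUSE Enterprise Storage product; it reads the mainline kernel's `/sys/devices/system/cpu/vulnerabilities/` files (the sysfs path is a kernel interface, not something this TID documents) and checks a node against that policy. The role names (`rgw`, `admin`, `osd`, ...) and the `VULN_DIR` override are assumptions made for the example so it can also be run against constructed sample files.

```bash
#!/bin/bash
# Added example (not from the SUSE TID): compare a node's reported
# Spectre/Meltdown/L1TF mitigation state with the role-based policy
# described in the TID. Reads the mainline kernel sysfs interface; the
# directory is overridable so the logic can be exercised against sample files.

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# Assumed role names. Returns 0 (true) when the TID says the role must keep
# mitigations enabled. Unknown roles are treated as "any doubt -> enabled".
role_requires_mitigations() {
    case "$1" in
        rgw|admin) return 0 ;;
        osd|mds|mon|iscsi|nfs|cifs) return 1 ;;
        *) return 0 ;;
    esac
}

# mitigation_state DIR NAME: prints enabled, disabled or unknown based on the
# kernel's own wording in DIR/NAME ("Not affected", "Mitigation: ...",
# "Vulnerable...").
mitigation_state() {
    local f="$1/$2"
    [ -r "$f" ] || { echo unknown; return; }
    case "$(cat "$f")" in
        "Not affected"|Mitigation:*) echo enabled ;;
        Vulnerable*) echo disabled ;;
        *) echo unknown ;;
    esac
}

# audit_node ROLE [DIR]: exit 0 when every checked vulnerability is in a state
# the policy allows for ROLE, 1 otherwise. Findings are printed per issue.
audit_node() {
    local role="$1" dir="${2:-$VULN_DIR}" rc=0 v state
    for v in meltdown spectre_v1 spectre_v2 l1tf; do
        state=$(mitigation_state "$dir" "$v")
        if role_requires_mitigations "$role" && [ "$state" != enabled ]; then
            echo "FAIL $role: $v is $state but policy requires the mitigation" >&2
            rc=1
        else
            echo "ok   $role: $v is $state"
        fi
    done
    return $rc
}

# Usage on a live node: ./audit.sh rgw   (or osd, mds, mon, iscsi, nfs, cifs, admin)
if [ "$#" -ge 1 ]; then
    audit_node "$1"
fi
```

Only the kernel's `Mitigation:` / `Not affected` / `Vulnerable` prefixes are inspected, so the check works across kernel versions whose detail text differs; a missing or unrecognised file is reported as `unknown`, which for RGW and admin roles fails the audit rather than passing silently.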
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 7023480
- Creation Date: 30-Oct-2018
- Modified Date: 03-Mar-2020
- SUSE Enterprise Storage
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com