Fix markdown formatting and typos #4399

Merged
merged 4 commits into from
Jan 23, 2024
14 changes: 7 additions & 7 deletions README.md
Expand Up @@ -130,13 +130,13 @@ The **API endpoint** can be used to:

We test all combinations of:

| Instance | Host OS & Kernel | Guest Rootfs | Guest Kernel |
| :--------- | :----------------- | :------------- | :------------- |
| m5d.metal | al2 linux_4.1 | ubuntu 22.04 | linux_4.14 |
| m6i.metal | al2 linux_5.10 | | linux_5.10 |
| m6a.metal | al2023 linux_6.1 | | |
| m6g.metal | | | |
| c7g.metal | | | |
| Instance | Host OS & Kernel | Guest Rootfs | Guest Kernel |
|:----------|:------------------|:-------------|:-------------|
| m5d.metal | al2 linux_4.14 | ubuntu 22.04 | linux_4.14 |
| m6i.metal | al2 linux_5.10 | | linux_5.10 |
| m6a.metal | al2023 linux_6.1 | | |
| m6g.metal | | | |
| c7g.metal | | | |

## Known issues and Limitations

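Review bot: the m5d.metal row changes the host kernel from `linux_4.1` to `linux_4.14`, which is a factual correction rather than a formatting fix, and it is easy to miss inside a hunk that is otherwise whitespace-only realignment of the table. Mention the version fix explicitly in the commit message (or give it its own commit) so it is findable in history, and double-check that 4.14 is the host kernel actually tested on m5d.metal, since the Guest Kernel column already reads `linux_4.14` and the two columns are easy to confuse when editing.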
37 changes: 18 additions & 19 deletions docs/prod-host-setup.md
Expand Up @@ -259,17 +259,20 @@ echo "swap partitions present (Recommendation: no swap)" \

### Mitigating hardware vulnerabilities

> **Note** Firecracker is not able to mitigate host's hardware vulnerabilities.
Adequate mitigations need to be put in place when configuring the host.
> [!CAUTION]
> Firecracker is not able to mitigate host's hardware vulnerabilities.
> Adequate mitigations need to be put in place when configuring the host.

> **Note** Firecracker is designed to provide isolation boundaries between
microVMs running in different Firecracker processes. It is strongly recommended
that each Firecracker process corresponds to a workload of a single tenant.
> [!CAUTION]
> Firecracker is designed to provide isolation boundaries between microVMs
> running in different Firecracker processes. It is strongly recommended that
> each Firecracker process corresponds to a workload of a single tenant.

> **Note** For security and stability reasons it is highly recommended to load
updated microcode as soon as possible. Aside from keeping the system firmware
up-to-date, when the kernel is used to load updated microcode of the CPU this
should be done as early as possible in the boot process.
> [!CAUTION]
> For security and stability reasons it is highly recommended to load updated
> microcode as soon as possible. Aside from keeping the system firmware
> up-to-date, when the kernel is used to load updated microcode of the CPU this
> should be done as early as possible in the boot process.

#### Side channel attacks

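Review bot: `> [!CAUTION]` is GitHub-flavored alert syntax; any renderer that does not support it (other Markdown viewers, the raw file, doc tooling outside github.com) shows a literal `[!CAUTION]` line at the top of a plain blockquote, so confirm where these docs are rendered before relying on it. All three notes are also promoted from **Note** to CAUTION; that fits the first two (Firecracker cannot mitigate host hardware vulnerabilities; one tenant per Firecracker process), while the microcode paragraph is an operational recommendation and reads more naturally as `[!IMPORTANT]`. Minor: "mitigate host's hardware vulnerabilities" should be "mitigate the host's hardware vulnerabilities".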
Expand Down Expand Up @@ -312,6 +315,9 @@ merging this change [upstream][2], this seems like a conscious design decision
of the ARM code contributors, giving precedence to performance over the ability
to trap and control this in the hypervisor.

[1]: https://elixir.free-electrons.com/linux/v4.14.203/source/virt/kvm/arm/hyp/timer-sr.c#L63
[2]: https://lists.cs.columbia.edu/pipermail/kvmarm/2017-January/023323.html

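Review bot: moving the `[1]`/`[2]` link-reference definitions next to the paragraph that cites them is harmless (Markdown resolves reference definitions anywhere in the file), but while they are being touched, `[1]` points at elixir.free-electrons.com, a domain that has since moved to elixir.bootlin.com, and it relies on a `#L63` line anchor in a specific 4.14.203 source file, which breaks silently as soon as the file is edited. Suggest updating the host and naming the function the link refers to in the sentence, so the reference stays useful if the line anchor drifts.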
##### Verification

[spectre-meltdown-checker script](https://github.com/speed47/spectre-meltdown-checker)
Expand All @@ -326,9 +332,6 @@ downloaded and executed like:
wget -O - https://meltdown.ovh | bash
```

[1]: https://elixir.free-electrons.com/linux/v4.14.203/source/virt/kvm/arm/hyp/timer-sr.c#L63
[2]: https://lists.cs.columbia.edu/pipermail/kvmarm/2017-January/023323.html

### Linux 6.1 boot time regressions

Linux 6.1 introduced some regressions in the time it takes to boot a VM, for the
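Review bot: the Verification block still tells the operator to run `wget -O - https://meltdown.ovh | bash`, that is, pipe an unauthenticated download straight into a shell on the production host this whole document is about hardening. Since this PR already edits the surrounding lines, it is a good moment to replace it with a download, inspect, then run sequence (fetch `spectre-meltdown-checker.sh` from a pinned GitHub release, verify its checksum or signature, then execute it), or at minimum add a sentence warning that the one-liner executes remote code as the invoking user.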
Expand Down Expand Up @@ -384,18 +387,14 @@ sudo mount -o remount,favordynmods /sys/fs/cgroup
```

For cgroupsv1, remounting with `favordynmods` is not supported, so it has to be
done at boot time, through a kernel command line option[^1]. Add
done at boot time, through a kernel command line option. Add
`cgroup_favordynmods=true` to your kernel command line in GRUB. Refer to your
distribution's documentation for where to make this change[^2]
distribution's documentation for where to make this change[^1]

[^2] Look for `GRUB_CMDLINE_LINUX` in file `/etc/default/grub` in RPM-based
[^1]: Look for `GRUB_CMDLINE_LINUX` in file `/etc/default/grub` in RPM-based
systems, and [this doc for
Ubuntu](https://wiki.ubuntu.com/Kernel/KernelBootParameters).

[^1]: this command line option is still unreleased at the moment of writing, but
will be part of 6.7 and may be backported to 6.1:
<https://lore.kernel.org/lkml/[email protected]/>

#### Mitigation 2: `kvm.nx_huge_pages=never`

This mitigation is preferred to the previous one as it is less invasive (it
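Review bot: removing footnote `[^1]` deletes the only statement of which kernels actually accept `cgroup_favordynmods=true` (it said the option lands in 6.7 and may be backported to 6.1). Without it, a reader on a cgroupsv1 host with an older kernel will add the parameter and get no effect, because the kernel silently ignores command-line parameters it does not recognize. Keep a one-line version requirement in the body text (for example that the option requires a kernel with `cgroup_favordynmods` support) instead of dropping the information entirely. Also, the renumbered footnote marker fixes the missing colon on `[^1]:`, but the sentence `...where to make this change[^1]` still lacks its full stop.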