Hi guys,

I don't think we are really worried about how those patches affect OSD performance -patches can be easily disabled via sys- but quite worried about how they affect librbd performance. Librbd is running on the hypervisor, and even if you don't need to patch the hypervisor kernel for Meltdown, you have to patch it to avoid Spectre. And in pure SSD clusters, librbd and network performance -we are running ceph over 40G- is quite important.

Cheers,
Xavier.

-----Original Message-----
From: ceph-users [mailto:ceph-users-bounces@xxxxxxxxxxxxxx] On Behalf Of ceph@xxxxxxxxxxxxxx
Sent: Friday, 12 January 2018 10:26
To: Van Leeuwen, Robert <rovanleeuwen@xxxxxxxx>; ceph-users@xxxxxxxxxxxxxx
Subject: Re: Linux Meltdown (KPTI) fix and how it affects performance?

Well, if a stranger has access to my whole Ceph data (that is, all my VMs & rgw's data), I don't mind if he gets root access too :)

On 01/12/2018 10:18 AM, Van Leeuwen, Robert wrote:
>> Ceph runs on dedicated hardware, there is nothing there except Ceph,
>> and the ceph daemons already have all power over ceph's data.
>> And there is no random-code execution allowed on this node.
>>
>> Thus, spectre & meltdown are meaningless for Ceph's nodes, and
>> mitigations should be disabled.
>>
>> Is this wrong?
>
> In principle, I would say yes:
> This means if someone has half a foot between the door for whatever reason, you will have to assume they will be able to escalate to root.
> Looking at meltdown and spectre is already a good indication of creativity in gaining (more) access.
> So I would not assume people are unable to ever gain access to your network or that the ceph/ssh/etc daemons have no bugs to exploit.
>
> I would more phrase it as:
> Is the performance decrease big enough that you are willing to risk running a less secure server?
>
> The answer to that depends on a lot of things like:
> Performance impact of the patch
> Costs of extra hardware to mitigate performance impact
> Impact of possible breach (e.g. GDPR fines or reputation damage can be extremely expensive)
> Who/what is allowed on your network
> How likely you are a hacker target
> How well will you sleep knowing there is a potential hole in security :)
> Etc.
>
> Cheers,
> Robert van Leeuwen
>
> _______________________________________________
> ceph-users mailing list
> ceph-users@xxxxxxxxxxxxxx
> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
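Both Xavier's point that the patches can be toggled via sysfs and Robert's point that the decision should rest on measured impact against exposure require knowing which mitigation state a node is actually in. The following is an added example, not code from the thread: a POSIX shell helper that reads the per-issue files the Linux kernel (4.15 and later) exposes under /sys/devices/system/cpu/vulnerabilities and classifies them; the directory argument and the sample values in the comments are assumptions made so it can be exercised on a constructed tree as well as on a live OSD or hypervisor node.

```shell
#!/bin/sh
# Added example (not from the thread): summarise the CPU vulnerability
# mitigation state a Linux kernel (4.15+) exposes under
# /sys/devices/system/cpu/vulnerabilities, one file per issue, for example:
#   meltdown   -> "Mitigation: PTI"   (KPTI active)
#   spectre_v2 -> "Vulnerable"        (no mitigation in effect)
# The directory argument is an assumption made so the functions can be run
# against a constructed sample tree as well as a live node.

VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# Print one line per entry: "<name>\t<state>\t<raw kernel text>", where state
# is not_affected, mitigated, vulnerable or unknown (text this script does
# not recognise, e.g. an issue added by a newer kernel).
mitigation_report() {
    dir=${1:-$VULN_DIR_DEFAULT}
    if [ ! -d "$dir" ]; then
        echo "no vulnerabilities directory at $dir (kernel too old?)" >&2
        return 2
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        raw=$(cat "$f" 2>/dev/null)
        case "$raw" in
            "Not affected"*) state=not_affected ;;
            "Mitigation:"*)  state=mitigated ;;
            "Vulnerable"*)   state=vulnerable ;;
            *)               state=unknown ;;
        esac
        printf '%s\t%s\t%s\n' "$name" "$state" "$raw"
    done
}

# Exit 0 only when every entry is mitigated or not affected. Run it next to
# any benchmark: an OSD or librbd latency figure is only comparable together
# with the mitigation state it was measured under.
mitigations_all_active() {
    dir=${1:-$VULN_DIR_DEFAULT}
    [ -d "$dir" ] || return 2
    mitigation_report "$dir" |
        awk -F'\t' '$2 == "vulnerable" || $2 == "unknown" { bad = 1 } END { exit bad }'
}

# Live usage on a node: ./check.sh --live
if [ "${1:-}" = "--live" ]; then
    mitigation_report && mitigations_all_active && echo "all mitigations active"
fi
```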