Spectre, Meltdown, and L1TF recommendations for SUSE Enterprise Storage

This document (7023480) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Enterprise Storage 5.5
SUSE Enterprise Storage 5
SUSE Enterprise Storage 4

Situation

The Spectre, Meltdown, and L1TF issues made public in 2018 are a topic of frequent discussion when tuning storage performance.  For some workloads, disabling the kernel mitigations for these issues yields a measurable performance gain, at the cost of leaving the node exposed to the corresponding attacks.

Resolution

Relevant information on each issue is below:

Spectre & Meltdown: TID 7022512

L1 Terminal Fault (L1TF): TID 7023077

SUSE guidance for the topic has the following parameters:
  1. This guidance holds true only if there is NO other workload running on the nodes in question.

    • This includes any non-SUSE Enterprise Storage packages, third-party monitoring agents, or other extra services enabled by the customer.

  2. This guidance needs to be discussed and agreed upon with the customer's corporate IT security team.

SUSE guidance is:

  1. Spectre & Meltdown mitigations can be disabled to improve performance on the following node types.

    • OSD (storage) node
    • CephFS Metadata Server (MDS) node
    • Monitor node
    • iSCSI Gateway
    • NFS Gateway
    • CIFS/SMB Gateway
    • RADOS Gateway (RGW) nodes are the exception: as a general rule they should keep the mitigations enabled, as they tend to be a publicly exposed interface.
    • In certain environments where the network is tightly controlled, it MAY be acceptable to disable the mitigations on the RGW nodes.  Such environments include those where S3 is used only as a target for backup and archive operations on a private network, and/or where load-balancer infrastructure with threat mitigations sits in front of the gateways.
    • If the customer wishes to disable mitigations on the RGW, a thorough review of the architecture and possible attack vectors is recommended first.

  2. The admin (openATTIC/salt) node(s) should have the mitigations enabled as they provide web services that accept unprivileged logins, thus broadening the potential attack surface.
  3. If RADOS Object Classes are in use, it may be advisable to enable the mitigations on the OSD nodes as the classes provide a path to code execution on each storage node.
  4. If there is ANY doubt about the node, the mitigations should be enabled in order to help maintain a strong security posture.
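As an added example, not part of this TID or of any SUSE tool, the following POSIX shell script encodes the guidance above as a decision function, lists which kernel boot options would switch a mitigation off, and reads the kernel's own report from /sys/devices/system/cpu/vulnerabilities. The function names, the three-way outcome (may-disable / review / enable), the role names passed in, and the sample sysfs contents and command line are this example's own assumptions; the sysfs directory and the listed kernel parameters (nopti, pti=off, nospectre_v2, spectre_v2=off, spec_store_bypass_disable=off, l1tf=off, mitigations=off) are upstream kernel interfaces, so confirm against the TIDs linked above which of them apply to a given SUSE kernel.

```shell
#!/bin/sh
# Added example, not from TID 7023480 or from SUSE tooling.  The decision
# table, role names, outcome strings and the constructed sample data below are
# this example's own assumptions.

# Decide per the guidance.  $1 = space-separated roles on this node
# (osd mds mon iscsi nfs cifs rgw admin), $2 = yes/no another workload runs
# here, $3 = yes/no RADOS object classes are in use.
# Prints may-disable, review or enable; the strictest outcome wins.
mitigation_policy() {
    roles="$1"; other_workload="$2"; objclass="$3"
    rank=0                                    # 0 may-disable, 1 review, 2 enable
    [ -z "$roles" ] && rank=2                 # no known SES role: doubt -> enable
    [ "$other_workload" = "yes" ] && rank=2   # parameter 1: extra workload present
    for role in $roles; do
        case "$role" in
            osd)   [ "$objclass" = "yes" ] && rank=2 ;;   # item 3: object classes
            mds|mon|iscsi|nfs|cifs) ;;                    # item 1: may be disabled
            rgw)   [ "$rank" -lt 1 ] && rank=1 ;;         # item 1: needs a review
            admin) rank=2 ;;                              # item 2: web logins
            *)     rank=2 ;;                              # item 4: any doubt
        esac
    done
    case "$rank" in
        0) echo may-disable ;;
        1) echo review ;;
        *) echo enable ;;
    esac
}

# Boot options that turn a mitigation off (upstream kernel parameter names):
# nopti / pti=off (Meltdown), nospectre_v2 / spectre_v2=off (Spectre v2),
# spec_store_bypass_disable=off (SSB), l1tf=off (L1TF), mitigations=off (all).
DISABLE_OPTS="nopti pti=off nospectre_v2 spectre_v2=off spec_store_bypass_disable=off l1tf=off mitigations=off"

# Given a kernel command line ($1), print the options from DISABLE_OPTS it contains.
disabled_by_cmdline() {
    found=""
    for opt in $1; do
        for known in $DISABLE_OPTS; do
            [ "$opt" = "$known" ] && found="$found $opt"
        done
    done
    echo "${found# }"
}

# Print "name: state" for every entry the kernel exposes.  Takes the directory
# as an optional argument so it can run against a constructed copy offline.
mitigation_state() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Number of entries the kernel reports as Vulnerable (mitigation off or absent).
count_vulnerable() {
    mitigation_state "$1" | grep -c '^[a-z0-9_]*: Vulnerable' || true
}

# Constructed sample, not captured from a real node: a node booted with
# nospectre_v2, so the kernel reports spectre_v2 as Vulnerable.
make_sample_sysfs() {
    sample=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$sample/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$sample/spectre_v1"
    printf 'Vulnerable\n' > "$sample/spectre_v2"
    printf 'Mitigation: PTE Inversion\n' > "$sample/l1tf"
    echo "$sample"
}
SAMPLE_CMDLINE="BOOT_IMAGE=/boot/vmlinuz root=/dev/sda2 nospectre_v2 quiet"

# Usage against the constructed sample.  On a real node derive the roles from
# the ceph units present (e.g. `systemctl list-units 'ceph-*'`), call
# mitigation_state with no argument and pass "$(cat /proc/cmdline)" instead.
sample_dir=$(make_sample_sysfs)
echo "policy (osd mon, no other workload): $(mitigation_policy 'osd mon' no no)"
echo "policy (rgw): $(mitigation_policy rgw no no)"
mitigation_state "$sample_dir"
echo "entries reporting Vulnerable: $(count_vulnerable "$sample_dir")"
echo "cmdline options disabling mitigations: $(disabled_by_cmdline "$SAMPLE_CMDLINE")"
rm -rf "$sample_dir"
```

Treat the sysfs report as authoritative: a boot option only takes effect on the next boot, and an entry can also read Vulnerable for reasons other than a boot option, such as missing CPU microcode. Whatever the script prints, the decision itself still has to go through the customer's corporate IT security team, as the parameters above require.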

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7023480
  • Creation Date: 30-Oct-2018
  • Modified Date:03-Mar-2020
    • SUSE Enterprise Storage
