Meltdown and Spectre bugs: Difference between revisions

Jump to navigation Jump to search
Marked this version for translation
No edit summary
(Marked this version for translation)
Line 2: Line 2:


<translate>
<translate>
<!--T:1-->
Meltdown and Spectre are bugs related to speculative execution in a variety of CPU architectures developed during the past ten to fifteen years and which affect in particular processors from Intel and AMD, including those in use on Compute Canada clusters. A detailed discussion of the two bugs can be found on [https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-every-modern-processor-has-unfixable-security-flaws/ this page]. Compute Canada personnel are currently patching systems deemed sensitive to this vulnerability.  
Meltdown and Spectre are bugs related to speculative execution in a variety of CPU architectures developed during the past ten to fifteen years and which affect in particular processors from Intel and AMD, including those in use on Compute Canada clusters. A detailed discussion of the two bugs can be found on [https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-every-modern-processor-has-unfixable-security-flaws/ this page]. Compute Canada personnel are currently patching systems deemed sensitive to this vulnerability.  


== What are the impacts ? ==
== What are the impacts ? == <!--T:2-->
=== Availability impacts ===
=== Availability impacts ===
Updates to patch the vulnerabilities require updating the operating system and rebooting the nodes. For compute nodes, this is typically done in a rolling fashion, resulting in nodes being unavailable for a short period of time. This may impair the scheduling of large jobs, but typically goes unnoticed by users. Some nodes, such as login nodes and cloud hosts, will however see a short interruption of service.
Updates to patch the vulnerabilities require updating the operating system and rebooting the nodes. For compute nodes, this is typically done in a rolling fashion, resulting in nodes being unavailable for a short period of time. This may impair the scheduling of large jobs, but typically goes unnoticed by users. Some nodes, such as login nodes and cloud hosts, will however see a short interruption of service.


=== Performance impacts ===
=== Performance impacts === <!--T:3-->
Many groups around the world, including within Compute Canada, are running benchmarks to evaluate the effects of the operating system patches on performance. Certain figures that have been cited are alarming (up to a 30% or even 50% performance hit), while others are very minimal.
Many groups around the world, including within Compute Canada, are running benchmarks to evaluate the effects of the operating system patches on performance. Certain figures that have been cited are alarming (up to a 30% or even 50% performance hit), while others are very minimal.


<!--T:4-->
Tasks which involve a lot of input/output (reading and writing files) seem to be most heavily affected. Examples include databases, or file transfers (e.g. rsync). Most high performance computing jobs should be minimally affected since the vast majority of the run time is spent computing rather than doing input and output. Different processor generations are also affected to different degrees, with the most notable performance degradation reported for older processors.
Tasks which involve a lot of input/output (reading and writing files) seem to be most heavily affected. Examples include databases, or file transfers (e.g. rsync). Most high performance computing jobs should be minimally affected since the vast majority of the run time is spent computing rather than doing input and output. Different processor generations are also affected to different degrees, with the most notable performance degradation reported for older processors.


<!--T:5-->
In the References section below you will find links to some recent performance comparisons. Keep in mind that these were not necessarily run on hardware and operating systems similar to what Compute Canada clusters are running.
In the References section below you will find links to some recent performance comparisons. Keep in mind that these were not necessarily run on hardware and operating systems similar to what Compute Canada clusters are running.


== What is Compute Canada doing about it ? ==
== What is Compute Canada doing about it ? == <!--T:6-->
Teams managing the Compute Canada clusters are acting diligently to update their servers as needed and as patches are released by various vendors. Many servers have already been patched, but some may require more updates as vendors release new patches.
Teams managing the Compute Canada clusters are acting diligently to update their servers as needed and as patches are released by various vendors. Many servers have already been patched, but some may require more updates as vendors release new patches.


== What should I do about it ? ==
== What should I do about it ? == <!--T:7-->
Security-wise, please rest assured that Compute Canada team members are taking every action possible to ensure that systems we run are secure. '''If you are operating your own virtual machine''' in our cloud, you are however responsible for updating its operating system to include the latest security patches (see next subsection).  
Security-wise, please rest assured that Compute Canada team members are taking every action possible to ensure that systems we run are secure. '''If you are operating your own virtual machine''' in our cloud, you are however responsible for updating its operating system to include the latest security patches (see next subsection).  


<!--T:8-->
Performance-wise, if you believe that your application may be severely impacted by the security patches, please contact our [[Technical support]] team. We encourage you to bring forward comparative performance numbers of your application (job run times before and after the announcement, for example). Keep in mind however that mitigating the performance impact of the security patches is likely to require some modification to the code you are running, and may not always be possible.
Performance-wise, if you believe that your application may be severely impacted by the security patches, please contact our [[Technical support]] team. We encourage you to bring forward comparative performance numbers of your application (job run times before and after the announcement, for example). Keep in mind however that mitigating the performance impact of the security patches is likely to require some modification to the code you are running, and may not always be possible.


=== I have a virtual machine running on the Compute Canada Cloud ===
=== I have a virtual machine running on the Compute Canada Cloud === <!--T:9-->
Update your virtual machine's operating system to the latest version frequently over the coming days to ensure it has the latest security patches to address these bugs. See [[Security_considerations_when_running_a_VM#Updating_your_VM|updating your VM]] for specific instructions on how to update Linux VMs.
Update your virtual machine's operating system to the latest version frequently over the coming days to ensure it has the latest security patches to address these bugs. See [[Security_considerations_when_running_a_VM#Updating_your_VM|updating your VM]] for specific instructions on how to update Linux VMs.


== References ==
== References == <!--T:10-->
# Other general information about Spectre and Meltdown is available on the [https://www.us-cert.gov/ncas/alerts/TA18-004A US-CERT web site].
# Other general information about Spectre and Meltdown is available on the [https://www.us-cert.gov/ncas/alerts/TA18-004A US-CERT web site].
#* Includes comprehensive links to vendor patch sites.
#* Includes comprehensive links to vendor patch sites.
Bureaucrats, cc_docs_admin, cc_staff
2,915

edits

Navigation menu