
Disabling Spectre and Meltdown patches (optional)

ACOS has upgraded the kernel with patches that fix the Spectre and Meltdown vulnerabilities and address the related security risks. These patches may reduce I/O performance by approximately 20% to 30%. You can disable them according to actual needs.

Information:

If the Spectre and Meltdown patches were disabled on the ACOS cluster before the upgrade, these patches will remain disabled after upgrading the cluster to the new version, and no manual disabling is needed.

Disabling method

Information:

The following operations need to be performed on each node in the cluster.

  1. Open the /etc/default/grub file on the node and navigate to the GRUB_CMDLINE_LINUX line. Add noibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable no_stf_barrier mds=off mitigations=off to GRUB_CMDLINE_LINUX.

    [root@node ~]$ cat /etc/default/grub | grep GRUB_CMDLINE_LINUX
    GRUB_CMDLINE_LINUX="crashkernel=2048M,high rd.md.uuid=00f5a41e:86a83763:655f8331:092cd656 noibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable no_stf_barrier mds=off mitigations=off"

  2. Update grub.

    • If the /sys/firmware/efi directory exists and is not empty, execute the following command to update grub:

      grub2-mkconfig -o /etc/grub2-efi.cfg

    • If the /sys/firmware/efi directory does not exist, execute the following command to update grub:

      grub2-mkconfig -o /etc/grub2.cfg

  3. Execute the reboot command to restart the system.

  4. After the node restarts, execute the following command and confirm that the output includes the parameters previously added to GRUB_CMDLINE_LINUX.

    cat /proc/cmdline
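
The check in step 4 and the EFI test in step 2 can be scripted so that every node is audited the same way. The script below is an added example, not part of the ACOS documentation: the function names are hypothetical, and /sys/devices/system/cpu/vulnerabilities is the standard Linux sysfs directory (not mentioned on this page) where the running kernel reports the state of each mitigation.

```bash
#!/usr/bin/env bash
# Added example: audit whether the parameters from step 1 are active on this node.
# Parameters listed in step 1 of this page.
EXPECTED_PARAMS="noibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable no_stf_barrier mds=off mitigations=off"

# Print every expected parameter that is absent from the given command line.
# Matching is on whole space-separated tokens, so "pti=on" never counts as "nopti".
missing_params() {
    local cmdline="$1" param missing=""
    for param in $EXPECTED_PARAMS; do
        case " $cmdline " in
            *" $param "*) ;;
            *) missing="$missing $param" ;;
        esac
    done
    echo "${missing# }"
}

# Choose the grub2-mkconfig output path as in step 2. The optional argument
# (default /sys/firmware/efi) exists only so the function can be tested.
grub_cfg_path() {
    local efi_dir="${1:-/sys/firmware/efi}"
    if [ -d "$efi_dir" ] && [ -n "$(ls -A "$efi_dir" 2>/dev/null)" ]; then
        echo /etc/grub2-efi.cfg
    else
        echo /etc/grub2.cfg
    fi
}

# Compare the booted command line with step 1, then print the kernel's own
# per-vulnerability status so the audit record shows what is actually in effect.
report_node() {
    local missing f
    missing="$(missing_params "$(cat /proc/cmdline 2>/dev/null)")"
    if [ -n "$missing" ]; then
        echo "$(uname -n): not active: $missing"
    else
        echo "$(uname -n): all parameters from step 1 are active"
    fi
    for f in /sys/devices/system/cpu/vulnerabilities/*; do
        [ -r "$f" ] && echo "$(basename "$f"): $(cat "$f")"
    done
    return 0
}

report_node
```

Keeping the per-node output gives a record of which nodes run with the mitigations disabled, which is useful when the cluster's exposure is reviewed later.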