Which CPU model to set for guest KVM when processor is Ivy Bridge?

6,665

Please use Sandy Bridge for your processor selection. Maybe Haswell?


Edit:

I worked at a large hosting company that was unable to set the right VMware EVC mode for most of their Supermicro ESXi hosts. It was just accepted that Westmere-based systems be set to the lower Nehalem instruction set. I saw this as a silly restriction...

I wrote:
One of the steps in our vSphere host install process is to enable VMware EVC mode on our clusters. When using Westmere systems (usually with Intel E5645 CPUs), we can't use the "Westmere" EVC level, and instead have to step down to the Intel 5500-series "Nehalem" level. I hadn't seen this with other Westmere servers in the past, so I looked into the BIOS setup.

VMware says: Export restrictions for some models (Clarkdale, Westmere-EP, Westmere-EX, Sandy Bridge, Ivy Bridge) of Intel CPUs require that the Advanced Encryption Standard (AES) and Carry-less Multiplication (PCLMULQDQ) features be disabled. Some OEM BIOS software might also have AES/PCLMULQDQ disabled by default.

This export restriction covers the Intel AES-NI BIOS switch. The systems we're using ship with this required feature off. Enabling it allows the use of the "Westmere" EVC level.

And from that day forward, setting this became part of the build checklist.

Lesson: Hosting companies suck and are often set in their ways. They can't help it!!

enter image description here enter image description here

Share:
6,665

Related videos on Youtube

Gaia
Author by

Gaia

SOreadytohelp

Updated on September 18, 2022

Comments

  • Gaia
    Gaia over 1 year

    For a KVM host with an Ivy Bridge processor, which MODEL should use for CPU>CONFIGURATION in Virtual Machine Manager? Ivy Bridge is not available.

    • David Corsalini
      David Corsalini about 10 years
      libvirt can autoselect it for you. If you're using cmd line just use -cpu host
    • Gaia
      Gaia about 10 years
      "Copy host config" yields "Nehalem". But it is Ivy Bridge, hence the question.
    • David Corsalini
      David Corsalini about 10 years
      it should work with the sandybridge setting, both are pretty much at the same instruction set (two generations of E3 basically). If you're missing a CPU flag, check your BIOS settings, you might have CPU features disabled, or your PC manufacturer has a locked down BIOS disabling CPU features (I know Sony like to do that)
    • Gaia
      Gaia about 10 years
      It's a dedicated server at a professional DC. I doubt they messed up BIOS config.
    • David Corsalini
      David Corsalini about 10 years
      It's very easy to mess up, since most vendors ship hardware with everything virtualization related disabled (for security reasons). looks like you're missing the aes flag, do you see it in /proc/cpuinfo ?
    • Gaia
      Gaia about 10 years
      no aes flag there.
    • Michael Hampton
      Michael Hampton about 10 years
      Doubt all you want. Just because you leased a server from some big company doesn't mean that they didn't screw up the BIOS configuration.
    • David Corsalini
      David Corsalini about 10 years
      With no AES, are you sure this is Ivy Bridge?
    • Gaia
      Gaia about 10 years
      AES was turned off at BIOS level. This hosting co is gonna get dropped soon. Thanks @dyasny
    • ewwhite
      ewwhite about 10 years
      @Gaia :) I've seen the cloud!
  • Gaia
    Gaia about 10 years
    Error starting domain: unsupported configuration: guest and host CPU are not compatible: Host CPU does not provide required features: aes Traceback (most recent call last): ... libvirtError: unsupported configuration: guest and host CPU are not compatible: Host CPU does not provide required features: aes
  • Gaia
    Gaia about 10 years
    AES was turned off at BIOS level. This hosting co is gonna get dropped soon. Thanks
  • ewwhite
    ewwhite about 10 years
    @Gaia See my edited answer.
  • Gaia
    Gaia about 10 years
    That's what it was. If the only diff between SandyBridge and Nehalem is the AES flag, I don't think it will impact much the operation of a standard LAMP stack on openSSL, but it's good to get it right.
  • David Corsalini
    David Corsalini about 10 years
    So much for the amazing evc feature. I've always laughed at the amount of marketing bsaround it while libvirt was doing the same thing all along at no extra cost