Which CPU model to set for guest KVM when processor is Ivy Bridge?
Please use Sandy Bridge for your processor selection. Maybe Haswell?
Edit:
I worked at a large hosting company that was unable to set the right VMware EVC mode for most of their Supermicro ESXi hosts. It was just accepted that Westmere-based systems be set to the lower Nehalem instruction set. I saw this as a silly restriction...
I wrote:
One of the steps in our vSphere host install process is to enable VMware EVC mode on our clusters. When using Westmere systems (usually with Intel E5645 CPUs), we can't use the "Westmere" EVC level, and instead have to step down to the Intel 5500-series "Nehalem" level. I hadn't seen this with other Westmere servers in the past, so I looked into the BIOS setup.
VMware says: Export restrictions for some models (Clarkdale, Westmere-EP, Westmere-EX, Sandy Bridge, Ivy Bridge) of Intel CPUs require that the Advanced Encryption Standard (AES) and Carry-less Multiplication (PCLMULQDQ) features be disabled. Some OEM BIOS software might also have AES/PCLMULQDQ disabled by default.
This export restriction covers the Intel AES-NI BIOS switch. The systems we're using ship with this required feature off. Enabling it allows the use of the "Westmere" EVC level.
And from that day forward, setting this became part of the build checklist.
Lesson: Hosting companies suck and are often set in their ways. They can't help it!!
Related videos on Youtube
Comments
-
Gaia over 1 year
For a KVM host with an Ivy Bridge processor, which MODEL should use for CPU>CONFIGURATION in Virtual Machine Manager? Ivy Bridge is not available.
-
David Corsalini about 10 yearslibvirt can autoselect it for you. If you're using cmd line just use
-cpu host
-
Gaia about 10 years"Copy host config" yields "Nehalem". But it is Ivy Bridge, hence the question.
-
David Corsalini about 10 yearsit should work with the
sandybridge
setting, both are pretty much at the same instruction set (two generations of E3 basically). If you're missing a CPU flag, check your BIOS settings, you might have CPU features disabled, or your PC manufacturer has a locked down BIOS disabling CPU features (I know Sony like to do that) -
Gaia about 10 yearsIt's a dedicated server at a professional DC. I doubt they messed up BIOS config.
-
David Corsalini about 10 yearsIt's very easy to mess up, since most vendors ship hardware with everything virtualization related disabled (for security reasons). looks like you're missing the
aes
flag, do you see it in/proc/cpuinfo
? -
Gaia about 10 yearsno aes flag there.
-
Michael Hampton about 10 yearsDoubt all you want. Just because you leased a server from some big company doesn't mean that they didn't screw up the BIOS configuration.
-
David Corsalini about 10 yearsWith no AES, are you sure this is Ivy Bridge?
-
Gaia about 10 yearsAES was turned off at BIOS level. This hosting co is gonna get dropped soon. Thanks @dyasny
-
ewwhite about 10 years@Gaia :) I've seen the cloud!
-
-
Gaia about 10 years
Error starting domain: unsupported configuration: guest and host CPU are not compatible: Host CPU does not provide required features: aes Traceback (most recent call last): ... libvirtError: unsupported configuration: guest and host CPU are not compatible: Host CPU does not provide required features: aes
-
Gaia about 10 yearsAES was turned off at BIOS level. This hosting co is gonna get dropped soon. Thanks
-
ewwhite about 10 years@Gaia See my edited answer.
-
Gaia about 10 yearsThat's what it was. If the only diff between SandyBridge and Nehalem is the AES flag, I don't think it will impact much the operation of a standard LAMP stack on openSSL, but it's good to get it right.
-
David Corsalini about 10 yearsSo much for the amazing evc feature. I've always laughed at the amount of marketing bsaround it while libvirt was doing the same thing all along at no extra cost