Consider disabling CPU vulnerabilities mitigation features in our Vagrant build box
Given the kind of things we do in our Vagrant build box, it seems very unlikely that vulnerabilities such as Spectre and Meltdown can be exploited in there. So perhaps we can reclaim some of the performance cost of the corresponding mitigation features?
This can be done by adding mitigations=off to the kernel command line.
#3 Updated by intrigeri 2019-12-30 15:57:57
- Status changed from In Progress to Needs Validation
- Assignee deleted (
- Target version set to Tails_4.2
- Type of work changed from Test to Code
- 7% i.e. 2 minutes saved on my laptop (quick SquashFS compression)
- 2% i.e. 30 seconds saved on my local Jenkins (release-time SquashFS compression; also has mitigations=off both in the l0 virtualization host and in the l1 Jenkins slave VM).
- 3.5% i.e. 2.5 minutes saved on lizard (all builders & testers busy; release-time SquashFS compression; has mitigations=auto — the default — both in the l0 virtualization host and in the l1 Jenkins slave VM)
That’s not a ton, but it adds up:
- When one is in a dev frenzy and builds lots of images in a day, it starts to make a significant difference.
- Every minute saved on a build job on our CI not only shortens the feedback loop for this build, but in heavy load situations, it also frees the builder VM earlier, which in turn shortens the feedback loop for other, queued jobs.
So IMO we should do it. Thoughts?
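A way to confirm which machines actually run with the setting discussed in this ticket, as an added example that is not part of the ticket or of the Tails code base. The function names and the sample data are constructed for illustration; /proc/cmdline and /sys/devices/system/cpu/vulnerabilities are the standard Linux locations.

```shell
#!/bin/sh
# Added example (not from the ticket): show which mitigations= value a kernel
# command line yields and what the kernel reports per CPU vulnerability.

# Effective mitigations= value for the command line in $1. The kernel handles
# each occurrence in order, so the last one wins; the default is "auto".
effective_mitigations() {
    value=auto
    set -f                      # no globbing while splitting the command line
    for word in $1; do
        case "$word" in mitigations=*) value=${word#mitigations=} ;; esac
    done
    set +f
    printf '%s\n' "$value"
}

# Number of entries in sysfs-style directory $1 whose status begins with
# "Vulnerable" (other statuses include "Not affected" and "Mitigation: ...").
count_vulnerable() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$(cat "$f")" in Vulnerable*) n=$((n + 1)) ;; esac
    done
    printf '%s\n' "$n"
}

# Constructed sample directory imitating a guest booted with mitigations=off.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Vulnerable\n' > "$d/meltdown"
    printf 'Vulnerable\n' > "$d/spectre_v2"
    printf 'Not affected\n' > "$d/tsx_async_abort"
    printf 'Mitigation: PTE Inversion\n' > "$d/l1tf"
    printf '%s\n' "$d"
}

# Report for this machine, or for the constructed sample where sysfs is absent.
dir=/sys/devices/system/cpu/vulnerabilities
sample=
if [ -r /proc/cmdline ] && [ -d "$dir" ]; then
    cmdline=$(cat /proc/cmdline)
else
    cmdline='root=/dev/vda1 ro mitigations=off'   # constructed sample
    sample=$(make_sample_dir); dir=$sample
fi
echo "mitigations=$(effective_mitigations "$cmdline")"
echo "entries reported Vulnerable: $(count_vulnerable "$dir")"
if [ -n "$sample" ]; then rm -rf "$sample"; fi
```

Running it separately in the build VM and on the virtualization host shows whether mitigations=off is confined to the build box or also applies at the l0 level.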