It would be valuable to have core scheduling for Firecracker, to avoid, and potentially eliminate, side-channel attacks.
Describe the desired solution
To add core scheduling to Firecracker, and have it run the ioctl to set a new cookie for the vCPU processes.
Describe possible alternatives
One can avoid using core scheduling by disabling SMT. Unfortunately, this means everything else on the system loses capacity, and if you're running VMs with more than 1 core, you can't take advantage of SMT.
Checks
Have you searched the Firecracker Issues database for similar requests?
Have you read all the existing relevant Firecracker documentation?
Have you read and understood Firecracker's core tenets?
Hi @sargun. Thanks for contacting us!
We investigated running Firecracker using Core Scheduling on a host with SMT enabled. Our results show that the performance gains/degradations are very workload-dependent, and not sufficient in magnitude to justify the risk of introducing a wide class of security issues currently excluded by disabling SMT. We may investigate the use of SMT and Core Scheduling further in the future, but for now we will not merge a PR implementing Core Scheduling because of the fundamental shift in the security posture it would introduce in Firecracker.
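For readers weighing the two positions in this thread: on Linux 5.14 and later, core-scheduling cookies are managed through `prctl(2)` with `PR_SCHED_CORE`. The following is an added example, not Firecracker code and not part of the original issue; it shows a thread requesting its own cookie, next to a check of the SMT control value from `/sys/devices/system/cpu/smt/control`. The names `smt_disabled`, `isolate_this_thread` and `SCOPE_THREAD` are hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

/* Values from <linux/prctl.h> (Linux 5.14+), for toolchains with older headers. */
#ifndef PR_SCHED_CORE
#define PR_SCHED_CORE 62
#define PR_SCHED_CORE_GET 0
#define PR_SCHED_CORE_CREATE 1
#endif
#define SCOPE_THREAD 0UL /* same value as PR_SCHED_CORE_SCOPE_THREAD */

/* Interpret the text of /sys/devices/system/cpu/smt/control.
 * Returns 1 when no sibling hyperthread can run, 0 when SMT is on. */
int smt_disabled(const char *control)
{
    static const char *off[] = { "off", "forceoff", "notsupported", "notimplemented" };
    size_t n = strcspn(control, "\n");
    for (size_t i = 0; i < sizeof off / sizeof off[0]; i++)
        if (strlen(off[i]) == n && strncmp(control, off[i], n) == 0)
            return 1;
    return 0;
}

/* Give the calling thread a fresh core-scheduling cookie and read back the id
 * the kernel reports for it. Returns 0, or -errno (EINVAL: kernel built without
 * CONFIG_SCHED_CORE; ENODEV: SMT is not active, so there is no sibling to isolate). */
int isolate_this_thread(uint64_t *cookie)
{
    *cookie = 0;
    if (prctl(PR_SCHED_CORE, PR_SCHED_CORE_CREATE, 0UL, SCOPE_THREAD, 0UL) != 0)
        return -errno;
    if (prctl(PR_SCHED_CORE, PR_SCHED_CORE_GET, 0UL, SCOPE_THREAD, (unsigned long)cookie) != 0)
        return -errno;
    return 0;
}

int main(void)
{
    uint64_t cookie;
    int rc = isolate_this_thread(&cookie);
    if (rc == 0)
        printf("core-scheduling cookie id: %#llx\n", (unsigned long long)cookie);
    else
        printf("core scheduling unavailable: %s\n", strerror(-rc));
    return 0;
}
```

On a host that follows the maintainers' recommendation (SMT disabled), the cookie request fails with `ENODEV`, which is the expected outcome rather than an error to work around.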