Is it possible to disable spectre/meltdown/related patches on coreos?

2/26/2019

Is it possible to disable Spectre and Meltdown patches on later builds of CoreOS? At my company we are running an entirely internal Kubernetes computer cluster, and are looking to get the performance back.

On a normal Linux system, you could boot with the kernel boot parameters:

pti=off spectre_v2=off l1tf=off nospec_store_bypass_disable no_stf_barrier

But adding:

set linux_append="coreos.autologin=tty1 pti=off spectre_v2=off l1tf=off nospec_store_bypass_disable no_stf_barrier"

To /usr/share/oem/grub.cfg doesn't appear to have any effect.

I'm wondering if I have the configuration incorrect or if CoreOS just doesn't allow changing this behavior.

If it helps, we're running CoreOS version: "Container Linux by CoreOS 1967.6.0 (Rhyolite)"

-- Darrien
coreos
kubernetes
linux
linux-kernel

1 Answer

2/27/2019

So apparently the above config does in fact disable those patches. I was using /proc/cpuinfo to determine whether or not the patches were applied. A colleague ran a checker and they are disabled after adding the above config.

Go figure, don't trust /proc/cpuinfo for spectre/meltdown on container linux.

-- Darrien
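The reliable way to confirm what the answer describes is the kernel's own sysfs report rather than /proc/cpuinfo, whose `bugs:` line lists what the hardware is affected by, not whether the kernel is currently mitigating it. The script below is an added example (not the poster's checker or any CoreOS tooling) that reads /sys/devices/system/cpu/vulnerabilities/ and classifies each entry; it assumes a kernel that provides that directory (4.15 and later) and that VULN_DIR may be overridden to point at a copied or constructed directory for testing.

```shell
#!/bin/sh
# Report the kernel's view of CPU vulnerability mitigations.
# Each file under /sys/devices/system/cpu/vulnerabilities/ (meltdown,
# spectre_v2, l1tf, spec_store_bypass, ...) contains one of:
#   "Not affected", "Vulnerable", or "Mitigation: <technique>"
# After booting with pti=off / spectre_v2=off etc., the matching
# entries flip from "Mitigation: ..." to "Vulnerable".

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# mitigation_state DIR NAME
#   prints: mitigated | vulnerable | not-affected | unknown
mitigation_state() {
    dir="$1"; name="$2"
    f="$dir/$name"
    [ -r "$f" ] || { echo "unknown"; return 0; }
    status=$(cat "$f")
    case "$status" in
        "Not affected"*) echo "not-affected" ;;
        Mitigation:*)    echo "mitigated" ;;
        Vulnerable*)     echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# count_vulnerable DIR
#   prints how many entries report "Vulnerable" (i.e. mitigation off)
count_vulnerable() {
    dir="$1"; n=0
    for f in "$dir"/*; do
        [ -r "$f" ] || continue
        case "$(cat "$f")" in Vulnerable*) n=$((n + 1)) ;; esac
    done
    echo "$n"
}

# report DIR
#   one line per entry: name, classification, raw kernel text
report() {
    dir="$1"
    for f in "$dir"/*; do
        [ -r "$f" ] || continue
        name=$(basename "$f")
        printf '%-20s %-13s %s\n' "$name" \
            "$(mitigation_state "$dir" "$name")" "$(cat "$f")"
    done
    echo "entries reporting Vulnerable: $(count_vulnerable "$dir")"
}

if [ -d "$VULN_DIR" ]; then
    report "$VULN_DIR"
else
    echo "$VULN_DIR not present; kernel too old or sysfs not mounted"
fi
```

Run it once before and once after changing linux_append; any line that reads "vulnerable" is a mitigation the boot parameters switched off.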
Source: StackOverflow