I’ve gotten a few e-mails about Rockstor updates to mitigate Meltdown and Spectre. I want to start this post as a one stop reference for our community.
It seems like there are going to be multiple patches to address these issues. Since we don’t use the upstream (CentOS) kernel, we can’t just rely on updates from them.
We use more recent mainline kernels compiled with the same config as upstream, provided by the elrepo project. So the fix for Rockstor systems will be to update to an appropriate kernel from there.
Currently we run 4.12.4. It’s my understanding from Greg Kroah-Hartman’s blog that Meltdown fixes are ported to 4.14.13, which is available as an rpm here. Spectre fixes, on the other hand, have not made it to the mainline yet. So another kernel update may fix that. Or perhaps there may be a few more updates at the end when the dust completely settles down.
Kernel updates are always tricky, as not all hardware platforms respond warmly: users have Rockstor installed on all kinds of systems with subtle differences, though they may all be x86. We have begun to update our systems with 4.14.13. It’s too early for us to provide an updated kernel as part of Rockstor updates. In the meantime, if you’d like to address these issues, at least Meltdown, you can install 4.14.13 from elrepo directly and give it a try. You can download it directly from here.
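As an added example (not from the post or the Rockstor project), a POSIX sh check that compares the running kernel release string, in the elrepo form the post refers to, against 4.14.13 and, on kernels that expose it, reads the standard sysfs vulnerability status files; the version-comparison helper and the reliance on that sysfs directory are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the Rockstor post: check whether the running
# elrepo kernel is at or above 4.14.13 (the release the post names as
# carrying the Meltdown/PTI fix) and, where the kernel exposes it, read
# the per-issue mitigation status from sysfs.

# Compare two dotted versions: returns 0 if $1 >= $2.
# Release suffixes such as "-1.el7.elrepo.x86_64" are stripped first.
kernel_at_least() {
    have=$(printf '%s' "$1" | sed 's/[-+].*//')
    want=$(printf '%s' "$2" | sed 's/[-+].*//')
    i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s' "$have" | cut -d. -f"$i")
        b=$(printf '%s' "$want" | cut -d. -f"$i")
        a=${a:-0}; b=${b:-0}
        if [ "$a" -gt "$b" ]; then return 0; fi
        if [ "$a" -lt "$b" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# Print one line per issue from the kernel's vulnerability directory
# (only present on kernels that carry the mitigation status reporting
# patches); an older kernel simply does not have the directory.
report_mitigations() {
    dir=/sys/devices/system/cpu/vulnerabilities
    if [ ! -d "$dir" ]; then
        echo "no $dir: kernel predates mitigation status reporting"
        return 1
    fi
    for f in "$dir"/*; do
        printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

running=$(uname -r)
if kernel_at_least "$running" 4.14.13; then
    echo "kernel $running is >= 4.14.13 (Meltdown/PTI fix expected)"
else
    echo "kernel $running is older than 4.14.13; update from elrepo"
fi
report_mitigations || true
```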
A few thoughts. As you mention, 4.14 is the closest to what upstream has for PTI fixes. Also, it is a long term stable kernel, so it should keep getting updates long term.
In terms of the spectre situation, there are a number of patches floating about, and I fully expect them to be backported to 4.14.
In terms of hardware platforms, is it possible for you to engage more with upstream for bugs you uncover with v4.14? I know they are quite responsive and looking to fix issues.
One thing I am curious about is the perf impact on Rockstor, which would be doing a lot of I/O.
My personal opinion about Meltdown & Spectre vs Rockstor:
Rockstor being a NAS distro, I assume everyone is using it inside a LAN and every sysadmin takes care of LAN device updates, so I would not be so worried about Rockstor (once again, I think about “good sysadmins” updating other LAN devices and Rockstor not being directly exposed outside a LAN)!
Perf impact:
The PostgreSQL guys had some tests revealing a 30-40% performance loss; Rockstor runs over PostgreSQL, but Rockstor DB I/O is really low.
Django, Python, etc., aka the Rockstor env: had some tests at work with a Django env serving nearly 200k connections/hour without any loss.