emulated SCSI controller will relay this information to the storage, which will
then shrink the disk image accordingly.
+If you would like a drive to be presented to the guest as a solid-state drive
+rather than a rotational hard disk, you can set the *SSD emulation* option on
+that drive. There is no requirement that the underlying storage actually be
+backed by SSDs; this feature can be used with physical media of any type.
+
.IO Thread
The option *IO Thread* can only be used when using a disk with the
*VirtIO* controller, or with the *SCSI* controller, when the emulated controller
Meltdown / Spectre related CPU flags
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-There are two CPU flags related to the Meltdown and Spectre vulnerabilities
+There are several CPU flags related to the Meltdown and Spectre vulnerabilities
footnote:[Meltdown Attack https://meltdownattack.com/] which need to be set
manually unless the selected CPU type of your VM already enables them by default.
-The first, called 'pcid', helps to reduce the performance impact of the Meltdown
-mitigation called 'Kernel Page-Table Isolation (KPTI)', which effectively hides
-the Kernel memory from the user space. Without PCID, KPTI is quite an expensive
-mechanism footnote:[PCID is now a critical performance/security feature on x86
-https://groups.google.com/forum/m/#!topic/mechanical-sympathy/L9mHTbeQLNU].
-
-The second CPU flag is called 'spec-ctrl', which allows an operating system to
-selectively disable or restrict speculative execution in order to limit the
-ability of attackers to exploit the Spectre vulnerability.
-
-There are two requirements that need to be fulfilled in order to use these two
+There are two requirements that need to be fulfilled in order to use these
CPU flags:
* The host CPU(s) must support the feature and propagate it to the guest's virtual CPU(s)
* The guest operating system must be updated to a version which mitigates the
attacks and is able to utilize the CPU feature
-In order to use 'spec-ctrl', your CPU or system vendor also needs to provide a
+Otherwise you need to set the desired CPU flag of the virtual CPU, either by
+editing the CPU options in the WebUI, or by setting the 'flags' property of the
+'cpu' option in the VM configuration file.
+
+For Spectre v1,v2,v4 fixes, your CPU or system vendor also needs to provide a
so-called ``microcode update'' footnote:[You can use `intel-microcode' /
`amd-microcode' from Debian non-free if your vendor does not provide such an
update. Note that not all affected CPUs can be updated to support spec-ctrl.]
for your CPU.
-To check if the {pve} host supports PCID, execute the following command as root:
+
+To check if the {pve} host is vulnerable, execute the following command as root:
----
-# grep ' pcid ' /proc/cpuinfo
+for f in /sys/devices/system/cpu/vulnerabilities/*; do echo "${f##*/} -" $(cat "$f"); done
----
-If this does not return empty your host's CPU has support for 'pcid'.
+A community script is also available to detect is the host is still vulnerable.
+footnote:[spectre-meltdown-checker https://meltdown.ovh/]
-To check if the {pve} host supports spec-ctrl, execute the following command as root:
+Intel processors
+^^^^^^^^^^^^^^^^
+* 'pcid'
++
+This reduces the performance impact of the Meltdown (CVE-2017-5754) mitigation
+called 'Kernel Page-Table Isolation (KPTI)', which effectively hides
+the Kernel memory from the user space. Without PCID, KPTI is quite an expensive
+mechanism footnote:[PCID is now a critical performance/security feature on x86
+https://groups.google.com/forum/m/#!topic/mechanical-sympathy/L9mHTbeQLNU].
++
+To check if the {pve} host supports PCID, execute the following command as root:
++
----
-# grep ' spec_ctrl ' /proc/cpuinfo
+# grep ' pcid ' /proc/cpuinfo
----
++
+If this does not return empty your host's CPU has support for 'pcid'.
-If this does not return empty your host's CPU has support for 'spec-ctrl'.
+* 'spec-ctrl'
++
+Required to enable the Spectre v1 (CVE-2017-5753) and Spectre v2 (CVE-2017-5715) fix,
+in cases where retpolines are not sufficient.
+Included by default in Intel CPU models with -IBRS suffix.
+Must be explicitly turned on for Intel CPU models without -IBRS suffix.
+Requires an updated host CPU microcode (intel-microcode >= 20180425).
++
+* 'ssbd'
++
+Required to enable the Spectre V4 (CVE-2018-3639) fix. Not included by default in any Intel CPU model.
+Must be explicitly turned on for all Intel CPU models.
+Requires an updated host CPU microcode(intel-microcode >= 20180703).
-If you use `host' or another CPU type which enables the desired flags by
-default, and you updated your guest OS to make use of the associated CPU
-features, you're already set.
-Otherwise you need to set the desired CPU flag of the virtual CPU, either by
-editing the CPU options in the WebUI, or by setting the 'flags' property of the
-'cpu' option in the VM configuration file.
+AMD processors
+^^^^^^^^^^^^^^
+
+* 'ibpb'
++
+Required to enable the Spectre v1 (CVE-2017-5753) and Spectre v2 (CVE-2017-5715) fix,
+in cases where retpolines are not sufficient.
+Included by default in AMD CPU models with -IBPB suffix.
+Must be explicitly turned on for AMD CPU models without -IBPB suffix.
+Requires the host CPU microcode to support this feature before it can be used for guest CPUs.
+
+
+
+* 'virt-ssbd'
++
+Required to enable the Spectre v4 (CVE-2018-3639) fix.
+Not included by default in any AMD CPU model.
+Must be explicitly turned on for all AMD CPU models.
+This should be provided to guests, even if amd-ssbd is also provided, for maximum guest compatibility.
+Note that this must be explicitly enabled when when using the "host" cpu model,
+because this is a virtual feature which does not exist in the physical CPUs.
+
+
+* 'amd-ssbd'
++
+Required to enable the Spectre v4 (CVE-2018-3639) fix.
+Not included by default in any AMD CPU model. Must be explicitly turned on for all AMD CPU models.
+This provides higher performance than virt-ssbd, therefore a host supporting this should always expose this to guests if possible.
+virt-ssbd should none the less also be exposed for maximum guest compatibility as some kernels only know about virt-ssbd.
+
+
+* 'amd-no-ssb'
++
+Recommended to indicate the host is not vulnerable to Spectre V4 (CVE-2018-3639).
+Not included by default in any AMD CPU model.
+Future hardware generations of CPU will not be vulnerable to CVE-2018-3639,
+and thus the guest should be told not to enable its mitigations, by exposing amd-no-ssb.
+This is mutually exclusive with virt-ssbd and amd-ssbd.
+
NUMA
^^^^
process a great number of incoming connections, such as when the VM is running
as a router, reverse proxy or a busy HTTP server doing long polling.
+[[qm_display]]
+Display
+~~~~~~~
+
+QEMU can virtualize a few types of VGA hardware. Some examples are:
+
+* *std*, the default, emulates a card with Bochs VBE extensions.
+* *vmware*, is a VMWare SVGA-II compatible adapter.
+* *qxl*, is the QXL paravirtualized graphics card. Selecting this also
+enables SPICE for the VM.
+
+You can edit the amount of memory given to the virtual GPU, by setting
+the *memory* option. This can enable higher resolutions inside the VM,
+especially with SPICE/QXL.
+
+Selecting Multi-Monitor mode for SPICE (e.g., qxl2 for dual monitors) has
+some implications:
+
+* Windows needs a device for each monitor, so if your ostype is some
+version of windows, {pve} gives the VM an extra device per monitor.
+Each device gets the specified amount of memory.
+* Linux VMs, can always enable more virtual monitors, but selecting
+a Multi-Monitor mode multiplies the memory given to the device with
+the number of monitors.
+
+Selecting *serialX* as display disables the VGA output, and redirects
+the Web Console to the selected serial port. A configured memory setting
+will be ignored in that case.
[[qm_usb_passthrough]]
USB Passthrough
the disk images. If you want to change the template, create a linked
clone and modify that.
+VM Generation ID
+----------------
+
+{pve} supports Virtual Machine Generation ID ('vmgedid') footnote:[Official
+'vmgenid' Specification
+https://docs.microsoft.com/en-us/windows/desktop/hyperv_v2/virtual-machine-generation-identifier]
+for virtual machines.
+This can be used by the guest operating system to detect any event resulting
+in a time shift event, for example, restoring a backup or a snapshot rollback.
+
+When creating new VMs, a 'vmgenid' will be automatically generated and saved
+in its configuration file.
+
+To create and add a 'vmgenid' to an already existing VM one can pass the
+special value `1' to let {pve} autogenerate one or manually set the 'UUID'
+footnote:[Online GUID generator http://guid.one/] by using it as value,
+e.g.:
+
+----
+ qm set VMID -vmgenid 1
+ qm set VMID -vmgenid 00000000-0000-0000-0000-000000000000
+----
+
+NOTE: The initial addition of a 'vmgenid' device to an existing VM, may result
+in the same effects as a change on snapshot rollback, backup restore, etc., has
+as the VM can interpret this as generation change.
+
+In the rare case the 'vmgenid' mechanism is not wanted one can pass `0' for
+its value on VM creation, or retroactively delete the property in the
+configuration with:
+
+----
+ qm set VMID -delete vmgenid
+----
+
+The most prominent use case for 'vmgenid' are newer Microsoft Windows
+operating systems, which use it to avoid problems in time sensitive or
+replicate services (e.g., databases, domain controller
+footnote:[https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/virtualized-domain-controller-architecture])
+on snapshot rollback, backup restore or a whole VM clone operation.
+
Importing Virtual Machines and disk images
------------------------------------------
Microsoft provides
https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/[Virtual Machines downloads]
- to get started with Windows development.We are going to use one of these
+ to get started with Windows development.We are going to use one of these
to demonstrate the OVF import feature.
Download the Virtual Machine zip
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-After getting informed about the user agreement, choose the _Windows 10
+After getting informed about the user agreement, choose the _Windows 10
Enterprise (Evaluation - Build)_ for the VMware platform, and download the zip.
Extract the disk image from the zip
Adding an external disk image to a Virtual Machine
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-You can also add an existing disk image to a VM, either coming from a
+You can also add an existing disk image to a VM, either coming from a
foreign hypervisor, or one that you created yourself.
Suppose you created a Debian/Ubuntu disk image with the 'vmdebootstrap' tool:
projects / pve-docs.git / blobdiff