This Week in Numbers: Meltdown Patches Hurt Performance

The patching needed to fix the Intel Meltdown security flaw revealed earlier this month is hurting CPU performance, both on in-house systems and those of the cloud providers.
As we reported, the Kernel Page Table Isolation (KPTI) approach provides mitigation but has a negative impact on system performance. Red Hat reported that its benchmarks are seeing an 8-19 percent degradation of performance for many database workloads. Red Hat noted that performance on cloud systems may suffer in particular: “We expect the impact on applications deployed in virtual guests to be higher than bare metal due to the increased frequency of user-to-kernel transitions.”
In fact, a Sysdig post highlights reports from throughout the Twitterverse that the impact is much more severe for a range of workloads. For example, Darko Ronić saw Riak performance decline by 50 percent and Redis by 40 percent. When Amazon Web Services applied the Meltdown patch to its own systems, production Kafka brokers running on d2.xlarge AMIs gobbled up 5 to 20 percent additional CPU usage, according to observations by Branch Analytics’ Director of Engineering Ian Chan.
Users of AWS’ ElastiCache, which is a managed Redis service, are also concerned that this will result in increased expenses on their monthly AWS bill. The chart below shows how CPU utilization jumped for the ElastiCache deployment that Crowdfire’s Amanpreet Singh was monitoring:
At least one cloud provider, Google, had been working feverishly through the last few months of 2017 to mitigate the then-pending performance lag on its own systems, at least until the new generation of processors comes along. Company engineers came up with Retpoline, a software binary modification technique designed to prevent branch target injection.
“With Retpoline, we didn’t need to disable speculative execution or other hardware features. Instead, this solution modifies programs to ensure that execution cannot be influenced by an attacker,” Google noted.
Will similar approaches work elsewhere? As Red Hat noted of its own kernel patches, “even disabled, the additional code and the microcode updates may have a slight performance impact.”
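Whether a host is paying the KPTI or retpoline overhead described above is something the kernel itself reports. The following script is an added example, not from the article or any vendor: it reads the per-issue status files Linux exposes under /sys/devices/system/cpu/vulnerabilities (present on 4.15+ kernels and the vendor backports of these patches) and classifies each one; the VULN_DIR override and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the article): summarise the kernel's reported
# Meltdown/Spectre mitigation state, i.e. whether PTI (KPTI) or a retpoline
# build is active and therefore whether the performance cost discussed above
# applies to this host. One file per issue, e.g. "meltdown" -> "Mitigation: PTI".
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify STATUS-LINE -> mitigated | vulnerable | not-affected | unknown
classify() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        Mitigation:*)    echo "mitigated" ;;
        Vulnerable*)     echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# mitigation_name STATUS-LINE -> the text after "Mitigation: " (e.g. "PTI"),
# or an empty line when no mitigation is active
mitigation_name() {
    case "$1" in
        Mitigation:*) printf '%s\n' "${1#Mitigation: }" ;;
        *)            printf '\n' ;;
    esac
}

# report -> one line per sysfs entry: <issue> <class> <raw kernel status>.
# Returns 1 if any issue is still reported as vulnerable, 0 otherwise.
report() {
    rc=0
    for f in "$VULN_DIR"/*; do
        [ -r "$f" ] || continue          # directory missing on old kernels
        status=$(cat "$f")
        class=$(classify "$status")
        printf '%-24s %-13s %s\n' "$(basename "$f")" "$class" "$status"
        [ "$class" = "vulnerable" ] && rc=1
    done
    return $rc
}
```

Source the file and call `report`; a non-zero exit status means at least one issue is still reported as vulnerable, while a "Mitigation: PTI" or "retpoline" line confirms the host is running with the mitigation whose cost the benchmarks above measure.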
The moral of this story is that even if new chips do not need to be purchased, the Intel security flaws may still hurt your wallet.
TNS Managing Editor Joab Jackson contributed to this story.
Google and Red Hat are sponsors of The New Stack.