Is there a way to pin a container’s CPU to a physical core instead of a vCPU/Hyperthread core?
If there are 2 vCPUs per core with a HT based CPU, would the following work to put that container on one physical core:
lxc config set container limits.cpu 0-1 (for first physical core)
lxc config set container limits.cpu 2-3 (for second physical core)
My assumption is that each sequential two vCPU cores = 1 hardware core?
Secondly, would this be of any defense against the new Spectre[1] leaks that have come out recently, until software or hardware mitigations are implemented? My understanding is that this new vulnerability can’t cross physical cores?
They’re not always sequential, but lxc info --resources will show you the layout and you can pass a comma-separated list of threads to limits.cpu to pin to exactly what you want.
And indeed, pinning to core+thread is usually a good way to handle the issues coming with Spectre, though you also want to make sure that no other instance uses the same core+thread; otherwise it’s possible that a process from instance A will be on the same core as another process from instance B, if one is on the core and the other on the thread.
Work on core scheduling in the kernel will allow for preventing such situations at the scheduler level, hopefully later this year.
Just to confirm, I would use the id from the list to specify the threads for that core?
Example:
Use core 0: lxc config set container limits.cpu 0,32
Use core 1: lxc config set container limits.cpu 1,33
Use core 2: lxc config set container limits.cpu 2,34
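An added example, not part of the thread or of LXD itself: a check for the two conditions raised above, that each pinned instance takes every thread of the cores it uses and that no physical core is touched by two instances. It assumes the sibling layout comes from the kernel's thread_siblings_list files in sysfs and that the limits.cpu values were collected beforehand; the instance names and the topology in the sample data are constructed.

```python
import glob
import os

def parse_cpu_list(text):
    """Expand a CPU list such as '0-1' or '0,32' into a set of thread ids."""
    cpus = set()
    for part in text.strip().split(","):
        lo, _, hi = part.partition("-")
        cpus.update(range(int(lo), int(hi or lo) + 1))
    return cpus

def read_siblings(root="/sys/devices/system/cpu"):
    """Map each thread id to the frozenset of threads on its physical core."""
    siblings = {}
    pattern = os.path.join(root, "cpu[0-9]*", "topology", "thread_siblings_list")
    for path in glob.glob(pattern):
        cpu = int(path.split(os.sep)[-3][3:])  # ".../cpu12/topology/..." -> 12
        with open(path) as fh:
            siblings[cpu] = frozenset(parse_cpu_list(fh.read()))
    return siblings

def audit(pins, siblings):
    """Return (partial, shared): threads an instance left unpinned on its own
    cores, and physical cores touched by more than one instance."""
    partial, owners = {}, {}
    for name, value in pins.items():
        if "-" not in value and "," not in value:
            continue  # a bare number is a CPU count in LXD, not a pin
        cpus = parse_cpu_list(value)
        cores = {siblings[c] for c in cpus}
        missing = set().union(*cores) - cpus
        if missing:
            partial[name] = sorted(missing)
        for core in cores:
            owners.setdefault(core, set()).add(name)
    shared = {tuple(sorted(c)): sorted(n) for c, n in owners.items() if len(n) > 1}
    return partial, shared

# Constructed 4-core/8-thread layout where thread N and N+4 share a core.
SIBLINGS = {t: frozenset({t % 4, t % 4 + 4}) for t in range(8)}
# Constructed limits.cpu values, as `lxc config get <name> limits.cpu` returns.
PINS = {"a": "0,4", "b": "1-2", "c": "5-5", "d": "2"}

if __name__ == "__main__":
    partial, shared = audit(PINS, SIBLINGS)
    print("cores only partly pinned:", partial)
    print("cores shared between instances:", shared)
```

On a real host, pass `read_siblings()` instead of the constructed `SIBLINGS`; an instance with no pin, or with a bare CPU count, can still be scheduled onto any thread, so it has to be pinned elsewhere for the isolation to hold.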