@@ -157,6 +157,36 @@ Additional details of Jailer features can be found in the
157157
158158## Host Security Configuration
159159
160+ ### Constrain CPU overhead caused by kvm-pit kernel threads
161+
162+ The current implementation results in host CPU usage increase on x86 CPUs when
163+ a guest injects timer interrupts with the help of kvm-pit kernel thread.
164+ kvm-pit kthread is by default part of the root cgroup.
165+
166+ To mitigate the CPU overhead we recommend two system level configurations.
167+
168+ 1 .
169+ Use an external agent to move the ` kvm-pit/<pid of firecracker> ` kernel
170+ thread in the microVM’s cgroup (e.g., created by the Jailer).
171+ This cannot be done by Firecracker since the thread is created by the Linux
172+ kernel after guest start, at which point Firecracker is de-privileged.
173+ 1 .
174+ Configure the kvm limit to a lower value. This is a system-wide
175+ configuration available to users without Firecracker or Jailer changes.
176+ However, the same limit applies to APIC timer events, and users will need
177+ to test their workloads in order to apply this mitigation.
178+
179+ To modify the kvm limit for interrupts that can be injected in a second.
180+
181+ 1 . ` sudo modprobe -r (kvm_intel|kvm_amd) kvm `
182+ 1 . ` sudo modprobe kvm min_timer_period_us={new_value} `
183+ 1 . ` sudo modprobe (kvm_intel|kvm_amd) `
184+
185+ To have this change persistent across boots we can append the option to
186+ ` /etc/modprobe.d/kvm.conf ` :
187+
188+ ` echo "options kvm min_timer_period_us=" >> /etc/modprobe.d/kvm.conf `
189+
160190### Mitigating Network flooding issues
161191
162192Network can be flooded by creating connections and sending/receiving a
0 commit comments