Upgrading ZST after Linux KPTI fix (Spectre / Meltdown)

 

This article refers to Azul Platform Prime with the ZST component. Since Azul Zulu Prime JVM 19.07, Azul Platform Prime can also be installed and used without the ZST component. See Azul Zulu Prime Builds of OpenJDK System Requirements for more details.

 

With Azul Zulu Prime System Tools (ZST) 5.20.5, Azul Platform Prime provides compatibility with the newly available Linux fixes for the recently reported Intel CPU kernel side-channel security flaws known as Spectre and Meltdown.

ZST 5.20.5 (or newer) is required for Azul Platform Prime to operate on Linux distributions that have been updated to address these flaws with the addition of KPTI (kernel page table isolation).

Without upgrading ZST, the new Linux kernel KPTI fix will prevent Azul Platform Prime from working and the Operating System and kernel will crash when the first Azul Zulu Prime JVM java application is launched or just the following command is run: /opt/zing/zing-jdk8/bin/java -version

In that case you might see the following messages or similar on the Linux console / dmesg:

#  fatal error: az_mremap() failed

azmm: assert failed ... av_vmem
Call trace: az_vmem_exit_mm

The solution is to upgrade to ZST 5.20.5 or higher as soon as possible if you are running Azul Platform Prime on RHEL, CentOS, Oracle Linux, SLES 12, Ubuntu, Debian or Amazon Linux. For SLES 11 you need  ZST 5.20.6 or higher.

Upgrading Azul Zulu Prime JVM, the other Azul Platform Prime component, is not necessary for the KPTI fix.

ZST Download page: http://www.azul.com/software-downloads-and-documents/

ZST Upgrade instructions: https://docs.azul.com/prime/ZST-Upgrading

If you are working on a test or developer system with the Azul Platform Prime trial, just use "yum update"  or equivalent commands on your Linux distribution to upgrade the ZST package.

 

In addition to the ZST upgrade, please run the following command to verify if it lists "pcid":

grep -i pcid /proc/cpuinfo | head -1

PCID (process-context identifier) is a CPU feature which increases performance when running with the KPTI fix. Azul Platform Prime will work without PCID, but PCID is preferred for Azul Zulu Prime JVM.

If it does not list "pcid" and you are running on a virtual machine or a cloud service, then please check the hypervisor documentation whether PCID it can be enabled. On cloud services relaunch the instance or start a newer instance type as it might be already included in upgraded instances.

 

PCID on VMware

See the description above for why PCID should be enabled on VMware systems running Azul Platform Prime.

Documentation from VMware about the KPTI fix and recommendation to upgrade the VM guests to virtual hardware version 11:
https://www.vmware.com/us/security/advisories/VMSA-2018-0004.html

PCID is enabled on VMware since virtual hardware version 11:
https://kb.vmware.com/s/article/52085

 

Add Comment

Comments

0 comments

Please sign in to leave a comment.

Was this article helpful?
0 out of 0 found this helpful