Upgrading ZST after Linux KPTI fix (Spectre / Meltdown)

 

This article refers to Zing with the ZST component. Since ZVM 19.07, Zing can also be installed and used without the ZST component. See Zing System Requirements for more details.

 

With Zing System Tools (ZST) 5.20.5, Zing provides compatibility with the newly available Linux fixes for the recently reported Intel CPU kernel side-channel security flaws known as Spectre and Meltdown.

ZST 5.20.5 (or newer) is required for Zing to operate on Linux distributions that have been updated to address these flaws with the addition of KPTI (kernel page table isolation).

Without the ZST upgrade, the new Linux kernel KPTI fix prevents Zing from working: the operating system and kernel will crash when the first Zing Java application is launched, or even when just the following command is run: /opt/zing/zing-jdk8/bin/java -version

In that case you might see the following messages or similar on the Linux console / dmesg:

#  fatal error: az_mremap() failed

azmm: assert failed ... av_vmem
Call trace: az_vmem_exit_mm

The solution is to upgrade to ZST 5.20.5 or higher as soon as possible if you are running Zing on RHEL, CentOS, Oracle Linux, SLES 12, Ubuntu, Debian or Amazon Linux. For SLES 11 you need ZST 5.20.6 or higher.

Upgrading ZVM, the other Zing component, is not necessary for the KPTI fix.

ZST Download page: https://www.azul.com/downloads/software-downloads-and-documents/

ZST Upgrade instructions: http://docs.azul.com/zing/UpgradingZingSystemTools.htm

If you are working on a test or developer system with the Zing trial, just use "yum update" or the equivalent command on your Linux distribution to upgrade the ZST package.

 

In addition to the ZST upgrade, please run the following command to check whether the CPU flags list "pcid":

grep -i pcid /proc/cpuinfo | head -1

PCID (process-context identifier) is a CPU feature which increases performance when running with the KPTI fix. Zing will work without PCID, but PCID is preferred for Zing.

If it does not list "pcid" and you are running on a virtual machine or a cloud service, please check the hypervisor documentation to find out whether PCID can be enabled. On cloud services, relaunch the instance or start a newer instance type, as PCID might already be included in upgraded instances.
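The grep above prints the whole flags line and also matches "invpcid", so the following added example (not part of the original article or of Azul's tooling) checks "pcid" as a whole word on every CPU and reports the KPTI state alongside it. The function names are hypothetical, and the sysfs file /sys/devices/system/cpu/vulnerabilities/meltdown is assumed to be present, which is only the case on kernels that expose vulnerability reporting.

```shell
#!/bin/sh
# Added example: whole-word PCID check plus KPTI status.
# File paths are parameters so the functions can also be run on saved copies.

# has_cpu_flag FLAG [CPUINFO]
# Succeeds only if every "flags" line (one per logical CPU) lists FLAG
# as a whole word, so "invpcid" is not mistaken for "pcid".
has_cpu_flag() {
    flag=$1
    cpuinfo=${2:-/proc/cpuinfo}
    awk -v want="$flag" '
        /^flags[ \t]*:/ {
            n++
            for (i = 2; i <= NF; i++) if ($i == want) { ok++; break }
        }
        END { exit((n > 0 && ok == n) ? 0 : 1) }
    ' "$cpuinfo"
}

# kpti_status [SYSFS_FILE]
# Prints enabled, not-affected, vulnerable or unknown.
# "unknown" covers kernels without this sysfs file (assumed path, see lead-in).
kpti_status() {
    f=${1:-/sys/devices/system/cpu/vulnerabilities/meltdown}
    [ -r "$f" ] || { echo unknown; return 0; }
    case $(cat "$f") in
        "Mitigation: PTI"*) echo enabled ;;
        "Not affected"*)    echo not-affected ;;
        "Vulnerable"*)      echo vulnerable ;;
        *)                  echo unknown ;;
    esac
}

# pcid_report [CPUINFO] [SYSFS_FILE]
# One-line summary; kpti=enabled with pcid=no is the case described above
# where the hypervisor or instance type should be checked.
pcid_report() {
    kpti=$(kpti_status "${2:-}")
    if has_cpu_flag pcid "${1:-}"; then pcid=yes; else pcid=no; fi
    echo "kpti=$kpti pcid=$pcid"
}

pcid_report "$@"
```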

 

PCID on VMware

See the description above for why PCID should be enabled on VMware systems running Zing.

VMware documentation on the KPTI fix, including the recommendation to upgrade the VM guests to virtual hardware version 11:
https://www.vmware.com/us/security/advisories/VMSA-2018-0004.html

PCID has been enabled on VMware since virtual hardware version 11:
https://kb.vmware.com/s/article/52085

 
