Windows VM or ISO boot freeze when starting

[markrattray]

Required information

• Distribution: Ubuntu
• Distribution version: 22.04 x86_64
• The output of "lxc info" or if that fails:

  lxc info
  config:
  core.https_address: :8443
  api_extensions:
  - storage_zfs_remove_snapshots
  - container_host_shutdown_timeout
  - container_stop_priority
  - container_syscall_filtering
  - auth_pki
  - container_last_used_at
  - etag
  - patch
  - usb_devices
  - https_allowed_credentials
  - image_compression_algorithm
  - directory_manipulation
  - container_cpu_time
  - storage_zfs_use_refquota
  - storage_lvm_mount_options
  - network
  - profile_usedby
  - container_push
  - container_exec_recording
  - certificate_update
  - container_exec_signal_handling
  - gpu_devices
  - container_image_properties
  - migration_progress
  - id_map
  - network_firewall_filtering
  - network_routes
  - storage
  - file_delete
  - file_append
  - network_dhcp_expiry
  - storage_lvm_vg_rename
  - storage_lvm_thinpool_rename
  - network_vlan
  - image_create_aliases
  - container_stateless_copy
  - container_only_migration
  - storage_zfs_clone_copy
  - unix_device_rename
  - storage_lvm_use_thinpool
  - storage_rsync_bwlimit
  - network_vxlan_interface
  - storage_btrfs_mount_options
  - entity_description
  - image_force_refresh
  - storage_lvm_lv_resizing
  - id_map_base
  - file_symlinks
  - container_push_target
  - network_vlan_physical
  - storage_images_delete
  - container_edit_metadata
  - container_snapshot_stateful_migration
  - storage_driver_ceph
  - storage_ceph_user_name
  - resource_limits
  - storage_volatile_initial_source
  - storage_ceph_force_osd_reuse
  - storage_block_filesystem_btrfs
  - resources
  - kernel_limits
  - storage_api_volume_rename
  - macaroon_authentication
  - network_sriov
  - console
  - restrict_devlxd
  - migration_pre_copy
  - infiniband
  - maas_network
  - devlxd_events
  - proxy
  - network_dhcp_gateway
  - file_get_symlink
  - network_leases
  - unix_device_hotplug
  - storage_api_local_volume_handling
  - operation_description
  - clustering
  - event_lifecycle
  - storage_api_remote_volume_handling
  - nvidia_runtime
  - container_mount_propagation
  - container_backup
  - devlxd_images
  - container_local_cross_pool_handling
  - proxy_unix
  - proxy_udp
  - clustering_join
  - proxy_tcp_udp_multi_port_handling
  - network_state
  - proxy_unix_dac_properties
  - container_protection_delete
  - unix_priv_drop
  - pprof_http
  - proxy_haproxy_protocol
  - network_hwaddr
  - proxy_nat
  - network_nat_order
  - container_full
  - candid_authentication
  - backup_compression
  - candid_config
  - nvidia_runtime_config
  - storage_api_volume_snapshots
  - storage_unmapped
  - projects
  - candid_config_key
  - network_vxlan_ttl
  - container_incremental_copy
  - usb_optional_vendorid
  - snapshot_scheduling
  - snapshot_schedule_aliases
  - container_copy_project
  - clustering_server_address
  - clustering_image_replication
  - container_protection_shift
  - snapshot_expiry
  - container_backup_override_pool
  - snapshot_expiry_creation
  - network_leases_location
  - resources_cpu_socket
  - resources_gpu
  - resources_numa
  - kernel_features
  - id_map_current
  - event_location
  - storage_api_remote_volume_snapshots
  - network_nat_address
  - container_nic_routes
  - rbac
  - cluster_internal_copy
  - seccomp_notify
  - lxc_features
  - container_nic_ipvlan
  - network_vlan_sriov
  - storage_cephfs
  - container_nic_ipfilter
  - resources_v2
  - container_exec_user_group_cwd
  - container_syscall_intercept
  - container_disk_shift
  - storage_shifted
  - resources_infiniband
  - daemon_storage
  - instances
  - image_types
  - resources_disk_sata
  - clustering_roles
  - images_expiry
  - resources_network_firmware
  - backup_compression_algorithm
  - ceph_data_pool_name
  - container_syscall_intercept_mount
  - compression_squashfs
  - container_raw_mount
  - container_nic_routed
  - container_syscall_intercept_mount_fuse
  - container_disk_ceph
  - virtual-machines
  - image_profiles
  - clustering_architecture
  - resources_disk_id
  - storage_lvm_stripes
  - vm_boot_priority
  - unix_hotplug_devices
  - api_filtering
  - instance_nic_network
  - clustering_sizing
  - firewall_driver
  - projects_limits
  - container_syscall_intercept_hugetlbfs
  - limits_hugepages
  - container_nic_routed_gateway
  - projects_restrictions
  - custom_volume_snapshot_expiry
  - volume_snapshot_scheduling
  - trust_ca_certificates
  - snapshot_disk_usage
  - clustering_edit_roles
  - container_nic_routed_host_address
  - container_nic_ipvlan_gateway
  - resources_usb_pci
  - resources_cpu_threads_numa
  - resources_cpu_core_die
  - api_os
  - container_nic_routed_host_table
  - container_nic_ipvlan_host_table
  - container_nic_ipvlan_mode
  - resources_system
  - images_push_relay
  - network_dns_search
  - container_nic_routed_limits
  - instance_nic_bridged_vlan
  - network_state_bond_bridge
  - usedby_consistency
  - custom_block_volumes
  - clustering_failure_domains
  - resources_gpu_mdev
  - console_vga_type
  - projects_limits_disk
  - network_type_macvlan
  - network_type_sriov
  - container_syscall_intercept_bpf_devices
  - network_type_ovn
  - projects_networks
  - projects_networks_restricted_uplinks
  - custom_volume_backup
  - backup_override_name
  - storage_rsync_compression
  - network_type_physical
  - network_ovn_external_subnets
  - network_ovn_nat
  - network_ovn_external_routes_remove
  - tpm_device_type
  - storage_zfs_clone_copy_rebase
  - gpu_mdev
  - resources_pci_iommu
  - resources_network_usb
  - resources_disk_address
  - network_physical_ovn_ingress_mode
  - network_ovn_dhcp
  - network_physical_routes_anycast
  - projects_limits_instances
  - network_state_vlan
  - instance_nic_bridged_port_isolation
  - instance_bulk_state_change
  - network_gvrp
  - instance_pool_move
  - gpu_sriov
  - pci_device_type
  - storage_volume_state
  - network_acl
  - migration_stateful
  - disk_state_quota
  - storage_ceph_features
  - projects_compression
  - projects_images_remote_cache_expiry
  - certificate_project
  - network_ovn_acl
  - projects_images_auto_update
  - projects_restricted_cluster_target
  - images_default_architecture
  - network_ovn_acl_defaults
  - gpu_mig
  - project_usage
  - network_bridge_acl
  - warnings
  - projects_restricted_backups_and_snapshots
  - clustering_join_token
  - clustering_description
  - server_trusted_proxy
  - clustering_update_cert
  - storage_api_project
  - server_instance_driver_operational
  - server_supported_storage_drivers
  - event_lifecycle_requestor_address
  - resources_gpu_usb
  - clustering_evacuation
  - network_ovn_nat_address
  - network_bgp
  - network_forward
  - custom_volume_refresh
  - network_counters_errors_dropped
  - metrics
  - image_source_project
  - clustering_config
  - network_peer
  - linux_sysctl
  - network_dns
  - ovn_nic_acceleration
  - certificate_self_renewal
  - instance_project_move
  - storage_volume_project_move
  - cloud_init
  - network_dns_nat
  - database_leader
  - instance_all_projects
  - clustering_groups
  - ceph_rbd_du
  - instance_get_full
  - qemu_metrics
  - gpu_mig_uuid
  - event_project
  - clustering_evacuation_live
  - instance_allow_inconsistent_copy
  - network_state_ovn
  - storage_volume_api_filtering
  - image_restrictions
  - storage_zfs_export
  - network_dns_records
  - storage_zfs_reserve_space
  - network_acl_log
  - storage_zfs_blocksize
  - metrics_cpu_seconds
  - instance_snapshot_never
  - certificate_token
  - instance_nic_routed_neighbor_probe
  - event_hub
  - agent_nic_config
  - projects_restricted_intercept
  - metrics_authentication
  - images_target_project
  - cluster_migration_inconsistent_copy
  - cluster_ovn_chassis
  - container_syscall_intercept_sched_setscheduler
  - storage_lvm_thinpool_metadata_size
  - storage_volume_state_total
  - instance_file_head
  - instances_nic_host_name
  - image_copy_profile
  - container_syscall_intercept_sysinfo
  - clustering_evacuation_mode
  - resources_pci_vpd
  - qemu_raw_conf
  - storage_cephfs_fscache
  - network_load_balancer
  - vsock_api
  - instance_ready_state
  - network_bgp_holdtime
  - storage_volumes_all_projects
  - metrics_memory_oom_total
  - storage_buckets
  - storage_buckets_create_credentials
  - metrics_cpu_effective_total
  - projects_networks_restricted_access
  - storage_buckets_local
  - loki
  - acme
  - internal_metrics
  - cluster_join_token_expiry
  - remote_token_expiry
  - init_preseed
  - storage_volumes_created_at
  - cpu_hotplug
  - projects_networks_zones
  - network_txqueuelen
  - cluster_member_state
  - instances_placement_scriptlet
  - storage_pool_source_wipe
  - zfs_block_mode
  - instance_generation_id
  - disk_io_cache
  - amd_sev
  - storage_pool_loop_resize
  - migration_vm_live
  - ovn_nic_nesting
  - oidc
  - network_ovn_l3only
  - ovn_nic_acceleration_vdpa
  - cluster_healing
  - instances_state_total
  - auth_user
  - security_csm
  - instances_rebuild
  - numa_cpu_placement
  api_status: stable
  api_version: "1.0"
  auth: trusted
  public: false
  auth_methods:
  - tls
  auth_user_name: root
  auth_user_method: unix
  environment:
  addresses:
  - '[REDACTED]:8443'
  - REDACTED:8443
  architectures:
  - x86_64
  - i686
  certificate: |
  -----BEGIN CERTIFICATE-----
  REDACTED
  -----END CERTIFICATE-----
  certificate_fingerprint: REDACTED
  driver: lxc | qemu
  driver_version: 5.0.2 | 8.0.0
  firewall: nftables
  kernel: Linux
  kernel_architecture: x86_64
  kernel_features:
  idmapped_mounts: "true"
  netnsid_getifaddrs: "true"
  seccomp_listener: "true"
  seccomp_listener_continue: "true"
  shiftfs: "false"
  uevent_injection: "true"
  unpriv_fscaps: "true"
  kernel_version: 5.19.0-46-generic
  lxc_features:
  cgroup2: "true"
  core_scheduling: "true"
  devpts_fd: "true"
  idmapped_mounts_v2: "true"
  mount_injection_file: "true"
  network_gateway_device_route: "true"
  network_ipvlan: "true"
  network_l2proxy: "true"
  network_phys_macvlan_mtu: "true"
  network_veth_router: "true"
  pidfd: "true"
  seccomp_allow_deny_syntax: "true"
  seccomp_notify: "true"
  seccomp_proxy_send_notify_fd: "true"
  os_name: Ubuntu
  os_version: "22.04"
  project: default
  server: lxd
  server_clustered: false
  server_event_mode: full-mesh
  server_name: calxdhost1
  server_pid: 3141
  server_version: "5.15"
  storage: zfs
  storage_version: 2.1.5-1ubuntu6
  storage_supported_drivers:
  - name: cephfs
  version: 17.2.5
  remote: true
  - name: cephobject
  version: 17.2.5
  remote: true
  - name: dir
  version: "1"
  remote: false
  - name: lvm
  version: 2.03.11(2) (2021-01-08) / 1.02.175 (2021-01-08) / 4.47.0
  remote: false
  - name: zfs
  version: 2.1.5-1ubuntu6
  remote: false
  - name: btrfs
  version: 5.16.2
  remote: false
  - name: ceph
  version: 17.2.5
  remote: true

Issue description

Linux VM, even a desktop are fine.

Freshly rebuilt and repurposed Dell R740xd host dedicated to LXD. Now running a couple of Ubuntu containers just fine.

Tried to deploy a Windows Server 2022 VM using an imported image from obtained another server, but freezes during startup.

Thinking that the image had been corrupted during transit, I tried to create a completely new image by booting off a new ISO downloaded directly to the site from Microsoft, but within a few seconds of the ISO booting it just freezes as well. I have also generated an ISO via distrobuilder, with the same freeze result.

Installed linux-image-5.15.0-76-generic on host and booted into it but no difference. This kernel version is currently working with another host and Windows VMs.

Steps to reproduce

1. lxc init ws2022std-image-template --empty --vm -c limits.cpu=4 -c limits.memory=6GiB -c security.secureboot=false -d root,size=60GiB -d winiso,boot.priority=10,source=/iso/ws2022std-lxd.iso,type=disk
2. lxc start ws2022std-image-template
3. Open a VGA console window and press any key to get it to boot of the ISO
4. Spinning circle of dots below the UEFI boot LXD logo will freeze
5. lxc list status will show error

Information to attach

• [x] Not much indmesg

  [ 2095.486898] audit: type=1400 audit(1689086971.809:61): apparmor="DENIED" operation="capable" class="cap" profile="snap.lxd.lxc" pid=30236 comm="lxc" capability=1  capname="dac_override"
  [ 4010.021816] audit: type=1400 audit(1689088886.409:62): apparmor="STATUS" operation="profile_remove" profile="unconfined" name="lxd- ws2022std-image-template_</var/snap/lxd/common/lxd>" pid=69906 comm="apparmor_parser"
  [ 4051.237268] audit: type=1400 audit(1689088927.627:63): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxd- ws2022std-image-template_</var/snap/lxd/common/lxd>" pid=70882 comm="apparmor_parser"
  [ 4058.083443] audit: type=1400 audit(1689088934.475:64): apparmor="DENIED" operation="open" class="file" profile="lxd- ws2022std-image-template_</var/snap/lxd/common/lxd>" name="/var/lib/snapd/hostfs/etc/ssl/openssl.cnf" pid=70892 comm="qemu-system-x86" 

• [x] Container log (lxc info NAME --show-log)

  Name:  ws2022std-image-template
  Status: ERROR
  Type: virtual-machine
  Architecture: x86_64
  PID: 70892
  Created: 2023/07/11 10:27 UTC
  Last Used: 2023/07/11 15:22 UTC
  Resources:
  Processes: 0
  Disk usage:
  root: 23.00KiB
  Log:

• [x] Container configuration (lxc config show NAME --expanded)

  lxc config show  ws2022std-image-template --expanded
  architecture: x86_64
  config:
  limits.cpu: "4"
  limits.memory: 6GiB
  security.secureboot: "false"
  volatile.cloud-init.instance-id: 9d96418b-83f8-42aa-bc43-9064b53a8904
  volatile.eth0.host_name: mac2755c0ad
  volatile.eth0.hwaddr: 00:16:3e:97:c4:dc
  volatile.eth0.last_state.created: "false"
  volatile.last_state.power: ERROR
  volatile.last_state.ready: "false"
  volatile.uuid: 5757bea9-77cc-40e5-9f71-ad2a86d3266d
  volatile.uuid.generation: 5757bea9-77cc-40e5-9f71-ad2a86d3266d
  volatile.vsock_id: "2870327974"
  devices:
  eth0:
  name: eth0
  nictype: macvlan
  parent: bond0
  type: nic
  root:
  path: /
  pool: sp00
  size: 60GiB
  type: disk
  winiso:
  boot.priority: "10"
  source: /iso/ws2022std-lxd.iso
  type: disk
  ephemeral: false
  profiles:
  - default
  stateful: false
  description: ""

• [x] Main daemon log (at /var/log/lxd/lxd.log or /var/snap/lxd/common/lxd/logs/lxd.log)

  cat /var/snap/lxd/common/lxd/logs/lxd.log
  time="2023-07-11T14:15:17Z" level=warning msg=" - Couldn't find the CGroup network priority controller, network priority will be ignored"

• [x] Output of the client with --debug n/a
• [x] Output of the daemon with --debug (alternatively output of lxc monitor while reproducing the issue) lxd-issues_xxxx_lxc-monitor.txt
• [x] a never-ending video of the Windows boot process :)

[markrattray]

I have tried disabling tdp_mmu, and the ISO still quickly freezes during boot: https://github.com/canonical/lxd/issues/11520

The server does have NIC bond enabled which the macvlan interfaces are using, so will try disable that and see if it helps.

[markrattray]

disabling NIC bond didn't help.

[markrattray]

Well I've discovered that stipulating CPU Passthrough in raw.qemu gets around this issue and I'm actually able to get to the Install Windows screen, and all the way through to a working VM.

Here is some more info from the physical host:

somehost:~$ lscpu
Architecture:            x86_64
  CPU op-mode(s):        32-bit, 64-bit
  Address sizes:         46 bits physical, 48 bits virtual
  Byte Order:            Little Endian
CPU(s):                  80
  On-line CPU(s) list:   0-79
Vendor ID:               GenuineIntel
  Model name:            Intel(R) Xeon(R) Gold 6148 CPU @ 2.40GHz
    CPU family:          6
    Model:               85
    Thread(s) per core:  2
    Core(s) per socket:  20
    Socket(s):           2
    Stepping:            4
    BogoMIPS:            4800.00
    Flags:               fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid dca sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fa
                         ult epb cat_l3 cdp_l3 invpcid_single pti intel_ppin ssbd mba ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid ept_ad fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm cqm mpx rdt_a avx512f avx512dq rdseed adx smap clflushopt clwb intel_pt avx512cd avx512bw avx512vl xsaveopt xsavec xgetbv1 xsaves cqm_llc cqm_occup_llc cqm_mbm_total cqm_mbm_local dtherm ida arat pln pts pku ospke md_clear flush_l1d arch_capabilities
Virtualization features:
  Virtualization:        VT-x
Caches (sum of all):
  L1d:                   1.3 MiB (40 instances)
  L1i:                   1.3 MiB (40 instances)
  L2:                    40 MiB (40 instances)
  L3:                    55 MiB (2 instances)
NUMA:
  NUMA node(s):          2
  NUMA node0 CPU(s):     0,2,4,6,8,10,12,14,16,18,20,22,24,26,28,30,32,34,36,38,40,42,44,46,48,50,52,54,56,58,60,62,64,66,68,70,72,74,76,78
  NUMA node1 CPU(s):     1,3,5,7,9,11,13,15,17,19,21,23,25,27,29,31,33,35,37,39,41,43,45,47,49,51,53,55,57,59,61,63,65,67,69,71,73,75,77,79
Vulnerabilities:
  Itlb multihit:         KVM: Mitigation: VMX disabled
  L1tf:                  Mitigation; PTE Inversion; VMX conditional cache flushes, SMT vulnerable
  Mds:                   Mitigation; Clear CPU buffers; SMT vulnerable
  Meltdown:              Mitigation; PTI
  Mmio stale data:       Mitigation; Clear CPU buffers; SMT vulnerable
  Retbleed:              Mitigation; IBRS
  Spec store bypass:     Mitigation; Speculative Store Bypass disabled via prctl
  Spectre v1:            Mitigation; usercopy/swapgs barriers and __user pointer sanitization
  Spectre v2:            Mitigation; IBRS, IBPB conditional, STIBP conditional, RSB filling, PBRSB-eIBRS Not affected
  Srbds:                 Not affected
  Tsx async abort:       Mitigation; Clear CPU buffers; SMT vulnerable

[markrattray]

tdp_mmu disablement is still needed

[tomponline]

What did you set raw.qemu to to get it to work?

[markrattray]

Hi

Per WS2022 instance on the Dell R740xd with Intel 6148 CPU, requires raw.qemu: -cpu hostto stop the ISO (original or distrobuilder) or new instance from image freezing a few seconds into boot. This isn't needed for WS2019 ISO on this host. I'm able deploy a WS2019 instance via ISO (distrobuilder) without this. Older hosts with Intel E5-2680 v2 do not need this with WS2022 instances.

For any of our physical hosts so far, the Intel PET flag needs to be disabled to stop the frequent random freezing... using the modprobe method: https://pve.proxmox.com/wiki/Upgrade_from_6.x_to_7.0#Older_Hardware_and_New_5.15_Kernel Do you think it's possible to set this per instance rather than on the host using raw.qemu? I've not been able to find anything, and what I've tried was incorrect and the VM wouldn't start. I don't know whether this is needed for WS2019 because I'm doing a clean migration to new WS2022 instances, with new domains and conventions.

The Proxmox forum has a lot more posts on WS2022 and your link to one of their posts via another Github LXD issue lead me to the tdp_mmu work-around.

[tomponline]

What do you mean "per-instance", as raw.qemu is a per-instance setting?

[markrattray]

In the instance config.

[tomponline]

In the instance config.

Yes you can do that using lxc config set <instance> raw.qemu=...

[markrattray]

sorry my question was whether the tdp_mmu disablement could be done via raw.qemu as well. I did try: raw.qemu: -cpu host,kvm.tdp_mmu=N also: raw.qemu: -cpu host,kvm.tdp_mmu=off but they would not start with the kvm.tdp_mmu key.

Looks this tdp_mmu issue will be fixed in kernel 6.2 according to this: https://gitlab.com/qemu-project/qemu/-/issues/1198 but there is more to it that I also need raw.qemu: -cpu host on another processor.

[tomponline]

My understanding is that LXD uses the equivalent of -cpu host by default anyway, so its odd you're needing to pass it explicitly. I suspect its one of the extensions that is being disabled by doing that.

Can you try setting lxc config set <instance> migration.stateful=true and seeing if that helps, as that disables some of the extensions.

Possibly hv_passthrough or topoext

[monstermunchkin]

sorry my question was whether the tdp_mmu disablement could be done via raw.qemu as well. I did try: raw.qemu: -cpu host,kvm.tdp_mmu=N also: raw.qemu: -cpu host,kvm.tdp_mmu=off but they would not start with the kvm.tdp_mmu key.

LXD currently doesn't support custom CPU flags.

[tomponline]

sorry my question was whether the tdp_mmu disablement could be done via raw.qemu as well. I did try: raw.qemu: -cpu host,kvm.tdp_mmu=N also: raw.qemu: -cpu host,kvm.tdp_mmu=off but they would not start with the kvm.tdp_mmu key.

LXD currently doesn't support custom CPU flags.

Well only by raw.qemu ;)

[monstermunchkin]

Well only by raw.qemu ;)

Since the raw.qemu flags are appended, will raw.qemu="-cpu host,kvm.tdp_mmu=N" override the fixed -cpu host flag? I don't know how QEMU handles duplicate flags.

[markrattray]

Trying your suggestions @tomponline

[markrattray]

@tomponline already better with the ISO. Got to the first screen where you choose the language an input. Couldn't get this far withou that -cpu host setting. Now installing as well.

[markrattray]

@tomponline that worked, WS2022 desktop installed and now running Windows Update to put some stress on it.

I will try an existing lxd image which has been working since finding raw.qemu: -cpu host.

[markrattray]

@monstermunchkin I'm only setting raw.qemu: -cpu host to get the WS2022 ISO/instances to boot, without it they will freeze a few seconds into the boot process on this CPU. The kvm.tdp_mmu append was an experiment to see whether I could disable the feature/flag at the instance level instead of the host level. I think I'm way off but it was worth a try.

@tomponline all seems fine with the setting: migration.stateful=true on both ISO and instance.

[markrattray]

I think I'm beginning to understand what's going on.

Apparently the tdp_mmu feature is Intel EPT not PET as I got mixed up with. EPT (lowercase) is listed twice in the Flags section of the lscpu output above.

So I tried setting raw.qemu: -cpu host,ept=off and got this when trying to start the VM:

qemu-system-x86_64: can't apply global host-x86_64-cpu.ept=off: Property 'host-x86_64-cpu.ept' not found

So host-x86_64-cpu is the QEMU CPU and by setting CPU passthrough (-cpu host) Windows is getting the correct set of flags. Unfortunately this does not solve the EPT feature crashes that come later then the VM is up. I gather that what Thomas suggested disables a set of QEMU CPU flags (properties) that are the problem in this scenario, and allow the VM to boot as well.

For the tdp_mmu / EPT feature, this is more tricky because I am now passing the host CPU flags which contains EPT ones, and would need the QEMU CPU to disable these features. TBH the kernel 6.2 option seems to be the best one for this because current 5.15 and 5.19 ones doesn't help: https://gitlab.com/qemu-project/qemu/-/issues/1198

[tomponline]

Is there anything left to do on this issue or can it be closed now?

[markrattray]

Hi

Well I'm not certain sorry...

In the one hand I see that you good dev folks have the impression that -cpu host is being passed through, but perhaps it's not, because on this CPU I cannot get WS2022 to boot without specifying it or your migration.stateful suggestion in the instance conf. In the other, I see that these could be QEMU and kernel bugs and need to be dealt with upstream.

Depends really on whether you want to lift some stones to see whether this will come back to bite you somewhere else more important.... e.g. with a big customer.

For me I have 2 workarounds, as we've discovered so my need is catered for. Up to you.

Hope you all have a great weekend !

[tomponline]

Yes it is passed through here:

https://github.com/canonical/lxd/blob/main/lxd/instance/drivers/driver_qemu.go#L1396-L1413

Given that setting migration.stateful fixes it its likely to be this one that was causing problems:

https://github.com/canonical/lxd/blob/main/lxd/instance/drivers/driver_qemu.go#L1401

[markrattray]

Thanks for the info. So if I understand that correctly migration.stateful feature only disables the hv_time flag?

Regardless now, this can be closed.

[tomponline]

Yes that's correct, so perhaps you manually passing the host CPU flag also wiped it out.

[tomponline]

I've got similar issues with running Windows on my CPU (Intel(R) Core(TM) i7-10510U CPU @ 1.80GHz)

I found this helped:

echo N | sudo tee /sys/module/kvm/parameters/tdp_mmu

[markrattray]

I've got similar issues with running Windows on my CPU (Intel(R) Core(TM) i7-10510U CPU @ 1.80GHz)

I found this helped:

echo N | sudo tee /sys/module/kvm/parameters/tdp_mmu

Good afternoon. Thanks for the info. Just repeating to collate if someone's reading just this part:

1. All my LXD servers need TDP disabled to stop WS2022 random freezes when up and running. This is required regardless of # 2 below.
2. Dell R740xd with dual Intel 6148 CPU requiresraw.qemu -cpu host or your instance config suggestion migration.stateful to get WS2022 ISO or instance to boot.

[tomponline]

Agreed, this is what I have to use too.

[markrattray]

Good morning @tomponline

I see that kernel 6.2 has been released to Ubuntu 22.04 yesterday which might make this TDP workaround redundant. I cannot test in the next week because I'm taking a break but will plan to try thereafter.

Hope you have a great weekend!

[markrattray]

Good morning @tomponline

On all LXD hosts, I have upgraded to kernel 6.2 via 22.04 HWE and re-enabled TDP. It's only been a day so a bit soon to tell although normally we'd see some WS2022 VMs fatally stopping.

CPU flags are still an issue on the Dell R740xd host with Intel 6148 CPU, so one of the following instance configs are still required:

• raw.qemu -cpu host
• migration.stateful