The tapestry of security patches currently being applied to computer systems around the world will likely degrade the performance of applications running on virtualized systems slightly more than those running on bare metal or in Docker containers, according to open source software vendor Red Hat.
Software updates that stop hackers from taking advantage of the Spectre exploit, specifically its second variant, will be the main cause of the slowdown, and they will impair virtual machine performance more than that of environments that don't sit on top of a hypervisor, though the extent of that disparity has not yet been established, Jon Masters, Red Hat's chief ARM architect, told CRN.
Masters has been on the front lines of combating Meltdown and Spectre since well before those chip security vulnerabilities became known to the public last week. Red Hat's Performance Engineering team is still assessing combinations of microcode and kernel patches to quantify performance degradation across environments, as well as workloads and devices.
"The virtualization hit could be minor," Masters told CRN, "but we're still doing a lot of benchmarking to know that. Everyone is still investigating that."
A Red Hat report concluded: "We expect the impact on applications deployed in virtual guests to be higher than bare metal due to the increased frequency of user-to-kernel transitions."
The report said: "due to containerized applications being implemented as generic Linux processes, applications deployed in containers incur the same performance impact as those deployed on bare metal."
Preventing Meltdown, the vulnerability that's unique to Intel processors and easier to exploit, won't disproportionately affect virtualized environments. Nor will patches for variant 1 of Spectre, which concerns a broader array of chip architectures, including AMD and ARM.
However, the second variant of Spectre, known as branch target injection, will, to some uncertain degree, take a higher toll on users running their applications on top of a hypervisor.
Preventing Spectre variant 2, Masters said, "is currently the most-expensive from a performance standpoint."
The fix turns off the chip's indirect branch predictor, a circuit that tries to guess where an indirect branch will jump before the instruction deciding that is finished, every time the operating system kernel or the hypervisor is entered. Doing so prevents a rogue application from "training" the kernel's or hypervisor's branch prediction so that it can access other applications being executed on the same chip, Masters explained.
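Because the variant 2 mitigation described above is the one with the largest performance cost, an administrator weighing it on a hypervisor host will first want to know which form of it a kernel is actually running. The Linux kernel reports this through a sysfs file; the parser below is an added example written for this article, not code from Red Hat or CRN. It assumes the path /sys/devices/system/cpu/vulnerabilities/spectre_v2 (present on Linux 4.15 and later and on distribution backports), and the status lines it is tested against are constructed samples in the format that file uses.

```python
"""Classify the Linux kernel's reported Spectre variant 2 mitigation.

Added example, not Red Hat's or CRN's code. Assumes the sysfs file below
exists on patched kernels; the sample status lines are constructed.
"""
import os
import re
from dataclasses import dataclass, field

# Assumed path: exposed by kernels that carry the Spectre/Meltdown patches.
SYSFS_PATH = "/sys/devices/system/cpu/vulnerabilities/spectre_v2"

# Microcode-backed controls that restrict the indirect branch predictor on
# kernel/hypervisor entry: the mechanism the article describes as costly.
PREDICTOR_CONTROLS = re.compile(r"^(IBRS|IBPB|STIBP)\b")


@dataclass
class SpectreV2Status:
    state: str                  # "mitigated", "vulnerable", "not_affected", "unknown"
    techniques: list = field(default_factory=list)
    raw: str = ""


def parse_spectre_v2(line: str) -> SpectreV2Status:
    """Parse one status line as the kernel prints it in sysfs."""
    text = line.strip()
    if text == "Not affected":
        return SpectreV2Status("not_affected", [], text)
    if text.startswith("Vulnerable"):
        # e.g. "Vulnerable" or "Vulnerable: Minimal generic ASM retpoline"
        return SpectreV2Status("vulnerable", [], text)
    if text.startswith("Mitigation:"):
        # Older kernels separate techniques with commas, newer ones with
        # semicolons; accept both.
        body = text[len("Mitigation:"):]
        techs = [t.strip() for t in re.split(r"[;,]", body) if t.strip()]
        return SpectreV2Status("mitigated", techs, text)
    return SpectreV2Status("unknown", [], text)


def uses_branch_predictor_controls(status: SpectreV2Status) -> bool:
    """True if any active technique restricts the indirect branch predictor
    (IBRS/IBPB/STIBP), as opposed to a pure compiler-level retpoline build."""
    return any(PREDICTOR_CONTROLS.match(t) for t in status.techniques)


def read_host_status(path: str = SYSFS_PATH):
    """Read the live status on this host, or None if the kernel lacks the file."""
    if not os.path.exists(path):
        return None
    with open(path, encoding="ascii") as fh:
        return parse_spectre_v2(fh.read())


if __name__ == "__main__":
    # Constructed sample lines in the sysfs format, for offline use.
    samples = [
        "Mitigation: Full generic retpoline, IBPB, IBRS_FW",
        "Mitigation: Retpolines; IBPB: conditional; IBRS_FW; STIBP: conditional",
        "Mitigation: Retpolines",
        "Vulnerable",
        "Not affected",
    ]
    for line in samples:
        st = parse_spectre_v2(line)
        print(f"{st.state:12} predictor-controls={uses_branch_predictor_controls(st)!s:5} {line}")
    live = read_host_status()
    if live is not None:
        print("this host:", live.state, live.techniques)
```

Run it on a guest and on its host: a "mitigated" state whose techniques include IBRS or IBPB is the configuration the article says will cost virtualized workloads the most, so that is the combination to benchmark before and after the patch.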