CentOS KPTI Disabling Method
To address the security risks posed by the recently disclosed Meltdown vulnerability, UCloud's official CentOS 6.x and 7.x images have been updated. The new image versions enable KPTI (Kernel Page Table Isolation) by default to fix the vulnerability. Please see Meltdown Vulnerability Details.
However, according to tests, enabling KPTI may have a 5%-30% impact on virtual machine performance. Computational tasks are less affected, while IO/memory-intensive tasks are more significantly impacted.
You can decide whether to disable KPTI based on actual conditions to restore performance while accepting the associated security risks.
CentOS 6.x
1) Disable KPTI
vim /boot/grub/grub.conf
Add the following parameter to the kernel line:
nopti
Reboot the virtual machine for the change to take effect.
2) Verify that it has been disabled
Enter the command:
dmesg | grep isolation
If the following information is displayed, it means that KPTI is still enabled.
x86/pti: Kernel page table isolation enabled
If KPTI has been disabled, the line above will not be displayed.
CentOS 7.x
1) Disable KPTI
Enter the command:
vim /boot/grub2/grub.cfg
Add the following parameter to the /boot/vmlinuz-* line:
nopti
Reboot the virtual machine for the change to take effect.
2) Verify that it has been disabled
Enter the command:
dmesg | grep isolation
If the following information is displayed, it means that KPTI is still enabled.
x86/pti: Unmapping kernel while in userspace
If it is disabled, the above line of information will not be displayed.
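Both verification steps above rely on a dmesg line being absent, which is also what you see when the kernel log buffer has wrapped or the edit went into a boot entry that is not the one running. The script below is an added example, not part of UCloud's instructions: it cross-checks the boot log against the command line the running kernel was actually started with. The function name kpti_state, the --live switch and all sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: decide the KPTI state from two sources instead of one.
# kpti_state prints one of: enabled | disabled | inconclusive

kpti_state() {
    cmdline=$1   # contents of /proc/cmdline
    bootlog=$2   # output of dmesg
    # Either message quoted on this page means isolation is active,
    # whatever the command line says (e.g. nopti added but not rebooted).
    if printf '%s\n' "$bootlog" | grep -Eq \
        'Kernel page table isolation enabled|Unmapping kernel while in userspace'; then
        echo enabled
        return 0
    fi
    # No message: report "disabled" only if the running kernel really
    # booted with nopti as a separate word on its command line.
    case " $cmdline " in
        *" nopti "*) echo disabled ;;
        *)           echo inconclusive ;;  # log wrapped, unpatched kernel, ...
    esac
}

# Constructed sample inputs (not captured from a real machine).
SAMPLE_CMD_ON='ro root=/dev/vda1 console=ttyS0 quiet'
SAMPLE_CMD_OFF='ro root=/dev/vda1 console=ttyS0 quiet nopti'
SAMPLE_LOG_C6='x86/pti: Kernel page table isolation enabled'
SAMPLE_LOG_C7='x86/pti: Unmapping kernel while in userspace'
SAMPLE_LOG_NONE='constructed boot log line without any pti message'

if [ "${1:-}" = "--live" ]; then
    # dmesg may need root; an unreadable log is treated as empty.
    kpti_state "$(cat /proc/cmdline)" "$(dmesg 2>/dev/null || true)"
else
    # Default: walk through the constructed samples.
    kpti_state "$SAMPLE_CMD_ON"  "$SAMPLE_LOG_C6"
    kpti_state "$SAMPLE_CMD_OFF" "$SAMPLE_LOG_C7"
    kpti_state "$SAMPLE_CMD_OFF" "$SAMPLE_LOG_NONE"
    kpti_state "$SAMPLE_CMD_ON"  "$SAMPLE_LOG_NONE"
fi
```

Run it with --live on the virtual machine after the reboot; an "inconclusive" result means neither the log nor the command line confirms the state, so the absence of the dmesg line alone should not be taken as proof that KPTI is off.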