The kernel patches to mitigate the recent Meltdown and Spectre bugs enable the Page-Table Isolation feature. These patches, dubbed KAISER or KPTI, remedy these vulnerabilities but can come with a performance loss.
In order to compare performance before and after these patches I need to disable this PTI feature temporarily. Now I don’t recommend disabling this security feature indefinitely because you will end up with a less secure system!
First, let’s see if the PTI module is compiled directly into the kernel by examining the
cat /boot/config-`uname -r` | grep -iq CONFIG_PAGE_TABLE_ISOLATION=y && echo "PTI is available" || echo "PTI is not available"
The output should say "PTI is available".
Now we can disable it by adding pti=off to the kernel boot parameters. Open up /etc/default/grub and add this parameter to the GRUB_CMDLINE_LINUX_DEFAULT parameters. Example:
GRUB_CMDLINE_LINUX_DEFAULT="console=tty1 cgroup_enable=memory swapaccount=1 pti=off splash quiet"
If you have overrides in the /etc/default/grub.d directory, you should update the GRUB_CMDLINE_LINUX_DEFAULT line in there.
Now we regenerate Grub’s menu.lst file to include the new option:
Restart your system and run cat /proc/cmdline to see if it contains the pti=off parameter. Now you can compare your machine’s performance with and without PTI!
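To confirm the temporary setting is not left in place once the comparison is done, the following check looks at the running kernel's command line and the GRUB files named above. It is an added example, not part of the original post; treating nopti and mitigations=off as equivalent off switches and reading the sysfs meltdown entry are assumptions beyond what the post covers.

```shell
#!/bin/sh
# Added example (not from the original post): find leftover PTI-disabling
# settings after a benchmark run.

# Succeeds (exit 0) if the given kernel command line text contains a
# parameter that switches PTI off. Besides pti=off from the post, nopti and
# mitigations=off are included as an assumption of this example.
cmdline_disables_pti() {
    case " $1 " in
        *" pti=off "*|*" nopti "*|*" mitigations=off "*) return 0 ;;
    esac
    return 1
}

# Print every given GRUB config file whose GRUB_CMDLINE_LINUX or
# GRUB_CMDLINE_LINUX_DEFAULT assignment still disables PTI.
# Commented-out assignments are ignored.
grub_files_disabling_pti() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        args=$(sed -n -E 's/^[[:space:]]*GRUB_CMDLINE_LINUX(_DEFAULT)?=//p' "$f" |
               tr -d "\"'" | tr '\n' ' ')
        if cmdline_disables_pti "$args"; then echo "$f"; fi
    done
}

# Audit the current boot, the persistent GRUB config, and the kernel's own
# report on the Meltdown mitigation. Returns 1 if PTI is disabled anywhere.
audit_pti() {
    rc=0
    if cmdline_disables_pti "$(cat /proc/cmdline)"; then
        echo "running kernel was booted with PTI disabled"; rc=1
    fi
    for f in $(grub_files_disabling_pti /etc/default/grub /etc/default/grub.d/*.cfg); do
        echo "PTI still disabled in $f (fix it, then regenerate the GRUB menu)"; rc=1
    done
    sysfs=/sys/devices/system/cpu/vulnerabilities/meltdown
    if [ -r "$sysfs" ]; then echo "kernel reports: $(cat "$sysfs")"; fi
    return $rc
}

# Run the audit only when the script is called with the argument "audit".
if [ "${1:-}" = "audit" ]; then audit_pti; fi
```

Called with the argument audit, it exits non-zero while any of the checked locations still disables PTI.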
We saw some performance losses on all our PHP web servers. CPU usage was up by around 10%-30% in some instances, depending on load and function, but thanks to caching the applications still run great for end-users.