Issue 5: How to Disable Transparent HugePages on Oracle Linux 7 and 8

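As computing technology continues to develop, security receives more and more attention, and memory-management security is part of that. Against this background, Oracle Database has made a series of improvements and studies concerning Transparent Huge Pages (THP), disabling THP to achieve secure memory management.

Transparent Huge Pages is a memory-management technique designed for Linux, intended to improve system performance and memory utilization. By dividing memory into larger blocks, it reduces memory fragmentation and improves access efficiency. At the same time, THP has some potential security issues, such as fragmentation attacks and cache side-channel attacks.

To address these security issues, Oracle disabled THP. From Oracle 12.1 onward, THP is disabled automatically, which is a major improvement to THP that Oracle made from a security standpoint.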

Goal

This article describes in detail the steps for using the tuned service and disabling Transparent HugePages on OL7 running Linux 7 and 8 kernels.

Solution

To keep THP disabled across a reboot, perform any one of the following action plans:

Use a systemd(1) service to disable transparent hugepages

  1. Create the systemd(1) service definition file /etc/systemd/system/disable-thp.service similar to this:
    [Unit]
    Description=Disable Transparent Huge Pages (THP)

    [Service]
    Type=simple
    ExecStart=/bin/sh -c "echo 'never' >/sys/kernel/mm/transparent_hugepage/enabled && echo 'never' >/sys/kernel/mm/transparent_hugepage/defrag"

    [Install]
    WantedBy=multi-user.target

     
  2. Enable the new service to run automatically:   
    # systemctl daemon-reload
    # systemctl start disable-thp
    # systemctl enable disable-thp
    # systemctl status disable-thp

Disable transparent hugepages via the Linux kernel command line

  1. Add the clause "transparent_hugepage=never" to the GRUB_CMDLINE_LINUX entry of /etc/default/grub, like this:
    # /etc/default/grub
    GRUB_TIMEOUT=5
    GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
    GRUB_DEFAULT=saved
    GRUB_DISABLE_SUBMENU=true
    GRUB_TERMINAL_OUTPUT="console"
    GRUB_CMDLINE_LINUX="elevator=deadline audit=1 crashkernel=auto rd.lvm.lv=rootvg/rootlv rd.lvm.lv=rootvg/swaplv rd.lvm.lv=rootvg/usrlv transparent_hugepage=never"
    GRUB_DISABLE_RECOVERY="true"
     
  2. Back up the GRUB configuration file and generate a new file to incorporate the change:
    # cp -pv /boot/grub2/grub.cfg /boot/grub2/grub.cfg-bkp
    # grub2-mkconfig -o /boot/grub2/grub.cfg
     

    On UEFI-based machines, run the commands below to apply the GRUB configuration change:

    # cp -pv /boot/efi/EFI/redhat/grub.cfg /boot/efi/EFI/redhat/grub.cfg-bkp
    # grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
  3. Reboot the server to activate the change.   
    # reboot
     
  4. Verify the change is persistent:   
    # cat /sys/kernel/mm/transparent_hugepage/enabled
    always madvise [never]
     
NOTE: "echo never > /sys/kernel/mm/transparent_hugepage/enabled" only prevents new THP allocations; huge pages that were already wrongly allocated to the Oracle DB will still cause issues, so a planned reboot is needed.

Disable Transparent Hugepages via tuned service

"tuned.service" on OL7 sets transparent_hugepage to always by default, even if it is disabled on the GRUB kernel command line as above.

# grep transparent_hugepage /boot/grub2/grub.cfg
linux16 /vmlinuz-3.10.0-229.el7.x86_64 root=/dev/mapper/vgsystem-root ro  rd.lvm.lv=vgsystem/swap rd.lvm.lv=vgsystem/root rhgb quiet numa=off  transparent_hugepage=never                                               
 

Verify the THP (Transparent hugepage) mode

# uname -r
3.10.0-229.el7.x86_64

# cat /sys/kernel/mm/transparent_hugepage/enabled
[always] madvise never                                 ←  THP is enabled 

Disable it globally on throughput-performance

  1. Take a backup of "/usr/lib/tuned/throughput-performance/tuned.conf", then change "transparent_hugepages=always" to "transparent_hugepages=never":
    # cp /usr/lib/tuned/throughput-performance/tuned.conf /usr/lib/tuned/throughput-performance/tuned.conf.bkp_original
    # vi /usr/lib/tuned/throughput-performance/tuned.conf
    [vm]
    transparent_hugepages=always

    to

    [vm]
    transparent_hugepages=never
  2. Reboot the server and verify the outcome.
    # cat /sys/kernel/mm/transparent_hugepage/enabled
    always madvise [never]                          ←  THP is disabled

Disable it on active tuned profile

  1. First identify which profile is active.
    # tuned-adm active
    Current active profile: virtual-guest            ←  virtual-guest is the active profile
  2. Now edit the "/usr/lib/tuned/virtual-guest/tuned.conf" file and append "transparent_hugepages=never" in the vm section to disable THP.
    # cp /usr/lib/tuned/virtual-guest/tuned.conf /usr/lib/tuned/virtual-guest/tuned.conf.bkp_original
    # vi /usr/lib/tuned/virtual-guest/tuned.conf
    [main]
    include=throughput-performance
    [vm]
    transparent_hugepages=never                       
  3. Reboot the server and verify the outcome.

    # cat /sys/kernel/mm/transparent_hugepage/enabled
    always madvise [never]                             ← THP Disabled

Transparent Huge Pages cannot be enabled or disabled on a running machine; the change requires a reboot.
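
The three places this section touches (the runtime sysfs value, the kernel command line, and the tuned profile) can be checked together. The following is an added example, not part of the original article; the function names and sample inputs are constructed for illustration, and the parser does not follow include= lines in tuned profiles:

```shell
#!/bin/sh
# Added example (not from the original article): THP audit helpers.

# Active mode from a sysfs line such as "always madvise [never]".
thp_active_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)].*/\1/p'
}

# Value of transparent_hugepage= on a kernel command line
# (the last occurrence if the parameter is repeated).
cmdline_thp() {
    val=$(printf '%s\n' "$1" | tr ' ' '\n' |
          sed -n 's/^transparent_hugepage=//p' | tail -n 1)
    printf '%s\n' "${val:-unset}"
}

# Value of transparent_hugepages= in the [vm] section of tuned.conf text.
# Does not follow include=; audit the included profile separately.
tuned_thp() {
    sect='' val=unset
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d ' \t')
        case "$line" in
            \[*\]) sect=$line ;;
            transparent_hugepages=*)
                if [ "$sect" = '[vm]' ]; then val=${line#*=}; fi ;;
        esac
    done <<EOF
$1
EOF
    printf '%s\n' "$val"
}

# Verdict from: sysfs line, kernel command line, tuned.conf text.
thp_verdict() {
    run=$(thp_active_mode "$1"); boot=$(cmdline_thp "$2"); prof=$(tuned_thp "$3")
    if [ "$run" = never ]; then echo disabled
    elif [ "$boot" = never ] && [ "$prof" = always ]; then echo tuned-overrides-grub
    else echo enabled
    fi
}

# Constructed sample inputs modelled on the outputs shown in this article.
SAMPLE_SYSFS='[always] madvise never'
SAMPLE_CMDLINE='ro rhgb quiet numa=off transparent_hugepage=never'
SAMPLE_CONF='[main]
include=throughput-performance
[vm]
transparent_hugepages=always'
thp_verdict "$SAMPLE_SYSFS" "$SAMPLE_CMDLINE" "$SAMPLE_CONF"
```

On a live host, pass "$(cat /sys/kernel/mm/transparent_hugepage/enabled)", "$(cat /proc/cmdline)" and the text of the active profile's tuned.conf to thp_verdict.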

THP status in other UEK kernel versions

  • UEK3: disabled by default.
    [root@ol6 ~]# grep -i CONFIG_TRANSPARENT_HUGEPAGE /boot/config-3.8.13-118.6.2.el6uek.x86_64
    # CONFIG_TRANSPARENT_HUGEPAGE is not set
  • UEK4: enabled by default.
    [root@ol7 ~]# grep -i CONFIG_TRANSPARENT_HUGEPAGE /boot/config-4.1.12-37.2.2.el7uek.x86_64
    CONFIG_TRANSPARENT_HUGEPAGE=y
    CONFIG_TRANSPARENT_HUGEPAGE_ALWAYS=y

   

