pfSense VM fails to boot after upgrade to 6.8.0-rc8


Recommended Posts

On 12/13/2019 at 3:32 PM, joelones said:

@bastl

So I updated to 6.8 stable and decided to try this workaround. I did try the Skylake emulation for my AMD FX8320 and it didn't quite seem to like it very much and gave an unsupported CPU error when I tried to start the VM. I guess my CPU is either too old or lacks the instructions to emulate Skylake properly. Maybe I need to model an older Intel CPU, like Sandybridge or something?? I know my model is a Opteron_G5.

 

I had no choice but to opt for Emulated QEMU64 mode, hopefully the lack of AES-NI won't impact overall CPU performance with respect to VPN usage.

 

EDIT: I seem to have gotten pfSense to boot with AES-NI on my AMD wit this:

 


<cpu mode='custom' match='exact' check='full'>
    <model fallback='forbid'>Opteron_G5</model>
    <vendor>AMD</vendor>
    <feature policy='require' name='vme'/>
    <feature policy='require' name='x2apic'/>
    <feature policy='require' name='tsc-deadline'/>
    <feature policy='require' name='hypervisor'/>
    <feature policy='require' name='arat'/>
    <feature policy='require' name='tsc_adjust'/>
    <feature policy='require' name='bmi1'/>
    <feature policy='require' name='mmxext'/>
    <feature policy='require' name='fxsr_opt'/>
    <feature policy='require' name='cmp_legacy'/>
    <feature policy='require' name='cr8legacy'/>
    <feature policy='require' name='osvw'/>
    <feature policy='disable' name='rdtscp'/>
    <feature policy='disable' name='svm'/>
  </cpu>

 

I'm about to try going from rc7 to 6.8 - rc8 failed for me, but I didn't know why until now.  I currently have:

 

  <cpu mode='host-passthrough' check='none'>
    <topology sockets='1' cores='6' threads='1'/>
    <feature policy='require' name='topoext'/>
  </cpu>

will this work for my threadripper and maintain AES-NI support?  Thanks

 

<cpu mode='custom' match='exact' check='full'>
    <model fallback='forbid'>Opteron_G5</model>
    <vendor>AMD</vendor>
    <topology sockets='1' cores='6' threads='1'/>
	<feature policy='require' name='vme'/>
    <feature policy='require' name='x2apic'/>
    <feature policy='require' name='tsc-deadline'/>
    <feature policy='require' name='hypervisor'/>
    <feature policy='require' name='arat'/>
    <feature policy='require' name='tsc_adjust'/>
    <feature policy='require' name='bmi1'/>
    <feature policy='require' name='mmxext'/>
    <feature policy='require' name='fxsr_opt'/>
    <feature policy='require' name='cmp_legacy'/>
    <feature policy='require' name='cr8legacy'/>
    <feature policy='require' name='osvw'/>
    <feature policy='disable' name='rdtscp'/>
    <feature policy='disable' name='svm'/>
  </cpu>

This is all way beyond my VM level so it's a blind cut & paste job for me.

  • Like 1
Link to comment
1 hour ago, DZMM said:

I'm about to try going from rc7 to 6.8 - rc8 failed for me, but I didn't know why until now.  I currently have:

This is all way beyond my VM level so it's a blind cut & paste job for me.

You should go back to page 1 and look for bastl's post with the Skylake emulation and use that.

 

The reason it didn't work for the previous poster was because his CPU is FX 8320 which came out before Skylake (so it can't emulate Skylake hence unsupported CPU). Threadripper works fine with Skylake emulation.

 

Generally, as long as your host CPU has AES NI + your emulating CPU also has AES NI + you don't disable it then it should have it.

 

 

 

  • Like 1
Link to comment
  • 2 weeks later...
On 12/12/2019 at 5:45 AM, bastl said:

I found a workaround for this!

 

The culprit is the cpu-mode "host-passthrough". If I switch to "Emulated QEMU64" the VM boots up again. Switching it in the gui should work if you havn't setup any special CPU flags. Another way is to edit the xml like the following:

 

change


  <cpu mode='host-passthrough' check='none'>
    <topology sockets='1' cores='2' threads='1'/>
  </cpu>

to


  <cpu>
    <topology sockets='1' cores='2' threads='1'/>
  </cpu>

also forces the CPU into emulated QEMU64 mode.

 

Another option is to emulate a Intel Skylake CPU for example with the following:


  <cpu mode='custom' match='exact' check='full'>
    <model fallback='forbid'>Skylake-Client</model>
    <topology sockets='1' cores='2' threads='1'/>
    <feature policy='require' name='hypervisor'/>
    <feature policy='disable' name='pcid'/>
    <feature policy='disable' name='hle'/>
    <feature policy='disable' name='erms'/>
    <feature policy='disable' name='invpcid'/>
    <feature policy='disable' name='rtm'/>
    <feature policy='disable' name='mpx'/>
    <feature policy='disable' name='spec-ctrl'/>
  </cpu>

 

Edit:

"AES-NI CPU Crypto" isn't supported on "Emulated QEMU64" mode. For future Pfsense versions this is a requirement if I remember correctly.

I also had this problem when upgrading to 6.8 and used your emulate a Intel Skylake CPU on my Threadripper as a workaround for now until this issue gets resolved. Thank You

  • Like 1
Link to comment
  • 5 weeks later...

Greetings everybody, so I have the same issue as others here, so I stayed with 6.7.2 hoping that maybe 6.8.1 would solve this

unfortunatly not, so besides the workaround (that may induce a loss in performance), will this be fixed ? or we shall wait for unraid 6.9?

thank you

regards

Link to comment
  • 1 month later...

I'm wonder.. it's a bug at unRaid software or Linux, and if we have any update date when it start works as worked at 6.7.2?

I bought hardware firewall because this bug long time ago, and I would like back with pfSense at unRaid, but I need work stable as before.

 

So with what is problem?

Link to comment
  • 3 months later...
  • 8 months later...
5 hours ago, potjoe said:

Just to follow up, host-passthrough mode seems to be working again for me under 6.9 with my ryzen 1600! 

 

Thank you for confirming! I came here to verify that the host-passthrough mode works before I upgrade to 6.9.

 

I have been holding back upgrading from 6.7.2 to 6.8.3 just for this reason.

Link to comment
  • 10 months later...
On 12/12/2019 at 2:45 AM, bastl said:

I found a workaround for this!

 

The culprit is the cpu-mode "host-passthrough". If I switch to "Emulated QEMU64" the VM boots up again. Switching it in the gui should work if you havn't setup any special CPU flags. Another way is to edit the xml like the following:

 

change

  <cpu mode='host-passthrough' check='none'>
    <topology sockets='1' cores='2' threads='1'/>
  </cpu>

to

  <cpu>
    <topology sockets='1' cores='2' threads='1'/>
  </cpu>

also forces the CPU into emulated QEMU64 mode.

 

Another option is to emulate a Intel Skylake CPU for example with the following:

  <cpu mode='custom' match='exact' check='full'>
    <model fallback='forbid'>Skylake-Client</model>
    <topology sockets='1' cores='2' threads='1'/>
    <feature policy='require' name='hypervisor'/>
    <feature policy='disable' name='pcid'/>
    <feature policy='disable' name='hle'/>
    <feature policy='disable' name='erms'/>
    <feature policy='disable' name='invpcid'/>
    <feature policy='disable' name='rtm'/>
    <feature policy='disable' name='mpx'/>
    <feature policy='disable' name='spec-ctrl'/>
  </cpu>

 

Edit:

"AES-NI CPU Crypto" isn't supported on "Emulated QEMU64" mode. For future Pfsense versions this is a requirement if I remember correctly.

This totally worked for me!!! by changing the XML, it booted right away to the install screen.

 

Thank you so much!

  • Haha 1
Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.