This post was co-authored by Tushar Kanakagiri and Sharath Babu, both engineers on the Citrix Director team.

This year began with the news of the Meltdown and Spectre security vulnerabilities that rattled the hardware industry. Since then, operating system vendors have released various patches, along with firmware updates, to mitigate these hardware-based vulnerabilities. However, these patches are known to have a potential performance impact that varies significantly (negligible to medium) depending upon the type of workload. Because the performance impact is still new and unpredictable, Citrix XenApp and XenDesktop administrators are investigating how these patches affect their deployments and how to gauge that impact appropriately.

Fortunately, we have Citrix Director, the go-to console for historical and real-time monitoring and troubleshooting. Its rich feature set can be used to gauge the performance impact of the Meltdown and Spectre patches in a XenApp and XenDesktop deployment.

How do you identify a potential performance impact of Meltdown and Spectre patches in XenApp and XenDesktop deployments using Citrix Director?

We conducted an experiment using two identical deployments — one with the mitigation patches installed and the other without. We used Citrix Director to identify possible performance implications.

We used the Resource Utilization feature of Director to monitor the course of the experiment. This feature provides insights into key metrics such as CPU usage, IOPs, and memory usage. For more details about the usage of this feature, see Monitor historical trends across a Site.

Administrators can use the above metrics to compare different data centres or servers to gauge the impact of the mitigation patches. Depending upon the workload on each data centre or server, administrators can perform scale tests and use these metrics to either reduce the workload or perform load balancing to achieve the required performance level.

Administrators can also establish baselines for these metrics and use Director’s Alerts and notifications feature to configure alerts accordingly. For more details about the usage of this feature, see Alerts and notifications.
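One way to turn the comparison and baselining described above into alert thresholds, shown as an added example that is not from Citrix or the original post. It assumes CPU usage samples for both deployments are available as a CSV; the layout, column names, sample values and 5-point headroom are all constructed for illustration.

```python
import csv
import io
import math
import statistics

# Constructed hourly CPU usage % for two identical deployments. The CSV layout
# and column names are assumptions, not Director's export format.
SAMPLE_CSV = """hour,unpatched,patched
09,50,60
10,52,62
11,55,65
12,53,63
13,51,61
14,54,64
15,56,66
16,53,63
"""

def load(text):
    """Return {deployment: [cpu_pct, ...]} from the wide CSV above."""
    series = {"unpatched": [], "patched": []}
    for row in csv.DictReader(io.StringIO(text)):
        for name in series:
            series[name].append(float(row[name]))
    if not all(series.values()):
        raise ValueError("need at least one sample per deployment")
    return series

def p95(values):
    """Nearest-rank 95th percentile; well defined even for short series."""
    ordered = sorted(values)
    return ordered[max(1, math.ceil(0.95 * len(ordered))) - 1]

def plan_alerts(series, headroom=5.0):
    """Compare baselines and derive alert thresholds from the patched one."""
    before, after = series["unpatched"], series["patched"]
    stale_warning = p95(before)  # threshold tuned before patching
    warning = p95(after)         # re-derived from the patched baseline
    return {
        "mean_delta": statistics.mean(after) - statistics.mean(before),
        "stale_warning": stale_warning,
        # Share of patched samples that would breach the pre-patch threshold.
        "stale_breach_ratio": sum(v > stale_warning for v in after) / len(after),
        "warning": warning,
        "critical": min(100.0, warning + headroom),  # headroom: chosen margin
    }

if __name__ == "__main__":
    for key, value in plan_alerts(load(SAMPLE_CSV)).items():
        print(f"{key}: {value:.2f}")
```

A stale_breach_ratio close to 1.0 means an alert threshold tuned before patching would fire on nearly every sample afterwards, so thresholds should be re-derived from the patched baseline rather than carried over.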

NOTE:

  1. This is not a white paper, so the detailed specifics of the experiments are not published.
  2. This blog is meant to provide guidance on using Citrix Director to identify a potential performance impact caused by the mitigation patches. It does not necessarily imply that XenApp and XenDesktop deployments are impacted.

Base parameters

Hardware: Intel Xeon E5-2650 v2 @ 2.60GHz
Operating System: Windows 2012 R2
Workload: Browser sessions
Benchmark metrics: CPU usage %, Memory usage %, IOPs

Experiment Results

[Figures: CPU usage % without patches; CPU usage % with patches]

Mitigation patches may result in extra CPU cycles spent in context switching, causing a significant (~10%) difference in CPU usage %, as seen above.

[Figures: Average IOPs without patches; Average IOPs with patches]

Since only browser sessions were used as the workload, no significant difference was observed in the average IOPs metrics. However, IOPs-intensive applications such as SQL Server would see a greater impact.

[Figures: Memory usage % without patches; Memory usage % with patches]

A slight increase in memory usage (around 3%) was observed when the patches were installed; however, both cases had approximately 95% utilization.

Conclusion 

Metrics and inferences

CPU %: There was a significant increase in CPU usage % on machines where mitigation patches were applied.
Average IOPs: The effect of mitigation patches on this metric is predominantly application specific. Applications that are IOPs-intensive, such as SQL Server, see a significant increase in the average.
Memory %: There was no significant difference in memory usage % that could be attributed to mitigation patches.

XenApp and XenDesktop administrators can use the information obtained from Citrix Director to monitor their deployments and perform capacity management, and so plan proactively for the effects of the Meltdown/Spectre mitigation patches. Based upon security best practices to mitigate risk, Citrix does not recommend operating without the patches applied.