[root@foo ~]# virsh start bar
error: Failed to start domain bar
error: the CPU is incompatible with host CPU: Host CPU does not provide required features: spec-ctrl

After a recent CentOS update and reboot, certain VMs refused to start, bailing out with the error message above. The interwebz didn’t really offer much in terms of advice. After talking to people with more clue, a working theory was formed: the version combination of kernel/libvirt/kvm/qemu is messed up. Rolling back to an older version was not an option.

The root cause is Intel’s Spectre vulnerability and its mitigation. The fix proved to be surprisingly simple. Simply edit the VM definition (“virsh edit foo”) and remove “-IBRS” from the CPU definition. Bear in mind that this does disable the Indirect Branch Restricted Speculation mitigation, so consider this a security disclaimer.

To recap:

  <cpu mode='custom' match='exact' check='partial'>
    <model fallback='allow'>Haswell-noTSX-IBRS</model>
  </cpu>

becomes

  <cpu mode='custom' match='exact' check='partial'>
    <model fallback='allow'>Haswell-noTSX</model>
  </cpu>

I’m not sure how this CPU model definition came to be. Did updating libvirt update the definition? Was the definition automatically detected when the VM was created, and did it stop working after an upgrade?