Enabling Nested Virtualization - Questions

harmonyp

Nov 26, 2020
https://pve.proxmox.com/wiki/Nested_Virtualization

To enable it, it looks like I need to run the following:

Code:
echo "options kvm-intel nested=Y" > /etc/modprobe.d/kvm-intel.conf
modprobe -r kvm_intel
modprobe kvm_intel

Will this have an effect on my servers in any way? Is there a chance some of the running virtual machines will lock up/crash/reboot?


There is a note

VMs with nesting active (vmx/svm flag) cannot be live-migrated!

The problem is I can't actually find those flags in the "Extra CPU Flags:" GUI

Also, in regards to the CPU host flag to host, I noticed on benchmarks I got about a 5-10% increase on CPU scores. What are the main downsides of enabling this on all virtual machines other than the above issue of live migration (when combined with nesting)?
 
It does not explicitly advise that, but rather says:
and reboot or reload the kernel module

I'd prefer the reboot way.
The problem is I can't actually find those flags in the "Extra CPU Flags:" GUI

Just edit the CPU and check the "Advanced" box:

[Screenshot: Screenshot_2020-11-26 dev6 - Proxmox Virtual Environment.png]
 
What are the main downsides of enabling this on all virtual machines other than the above issue of live migration (when combined with nesting)?
The OS in the VM can act quite differently, some software may not like detecting such virtualization flags, others even need it.

Question is, why would you blanket enable it?
 
The OS in the VM can act quite differently, some software may not like detecting such virtualization flags, others even need it.

Question is, why would you blanket enable it?
I don't know, that's what I am asking, because I see some large VPS providers like OVH have VM-x/AMD-V enabled.

Running the following will blanket enable it? To my understanding doing the following but not enabling the flags will cause no changes?

Code:
echo "options kvm-intel nested=Y" > /etc/modprobe.d/kvm-intel.conf
modprobe -r kvm_intel
modprobe kvm_intel

Also, the only flag I can find in regards to nesting through the GUI is for Intel only: hv-evmcs
 
I don't know, that's what I am asking, because I see some large VPS providers like OVH have VM-x/AMD-V enabled.

It is definitely nicer for users of VMs, as they can do nested VMs themselves - even if that should rather be done for testing or if really necessary, it does not help performance (prefer containerization). From a resource usage POV the hoster has no disadvantage when enabling it, the VPS user can use the same amount of resources (not 100% true, but wait for the next but).
But it increases the attack surface; there were definitely issues in the past that could be leveraged if nesting was enabled, but would not be a problem if nesting was disabled.

I use it a lot for testing, and there it is really great and useful, if I'd provide VMs for untrusted users I'd re-think enabling it.

Running the following will blanket enable it? To my understanding doing the following but not enabling the flags will cause no changes?
At least for those VMs which are set to CPU type host, yes.
 
Ok thanks for the replies. I tried enabling it

Code:
root@hostname:~# echo "options kvm-intel nested=Y" > /etc/modprobe.d/kvm-intel.conf
root@hostname:~# modprobe -r kvm_intel
modprobe: FATAL: Module kvm_intel is in use.

I presume there is still no way of getting around this error without first shutting down all virtual machines?

Also, ignore my last question about hv-evmcs, I didn't notice it was something else. vmx flag is for what?
 
I presume there is still no way of getting around this error without first shutting down all virtual machines?
In a cluster you could also use live-migration, but on a standalone node yes, you need to shut down the VMs, at which point it's cleaner to bring the node up-to-date and reboot it.

vmx flag is for what?
The VMX flag stands for Virtual Machine Extensions, and tells the OS that the CPU supports virtualization instructions.
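
Added example (not part of the thread and not Proxmox's own tooling): a shell audit sketch for the point made above that, with `nested` on, VMs set to CPU type host are the ones affected. It assumes the module parameter is readable under `/sys/module/<module>/parameters/nested` and that VM configs live in `/etc/pve/qemu-server`; the function names are hypothetical, and VMs given vmx/svm through explicit flags are not detected.

```shell
#!/bin/sh
# Audit sketch: is nested virtualization on, and which VMs use CPU type host?
# Paths are parameters so the functions can be pointed at a copy or a fixture.
# Assumed defaults: /sys/module and /etc/pve/qemu-server.

# Print "on", "off" or "unloaded" for the KVM module found under sysfs root $1.
nested_state() {
    sys=${1:-/sys/module}
    for mod in kvm_intel kvm_amd; do
        f="$sys/$mod/parameters/nested"
        [ -r "$f" ] || continue
        case "$(cat "$f")" in
            Y|y|1) echo on ;;
            *)     echo off ;;
        esac
        return 0
    done
    echo unloaded
}

# Print the VMIDs in config dir $1 whose active "cpu:" line selects type host.
# Only the part of each file before the first "[snapshot]" section is read,
# so a snapshot taken with a different CPU type does not count.
host_cpu_vms() {
    dir=${1:-/etc/pve/qemu-server}
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        if awk '/^\[/ { exit }
                /^cpu:/ { sub(/^cpu:[ \t]*/, ""); sub(/^cputype=/, "");
                          split($0, a, ","); if (a[1] == "host") found = 1 }
                END { exit !found }' "$conf"; then
            basename "$conf" .conf
        fi
    done
}

# List the VMs that can see the virtualization flag right now:
# nothing is printed when nesting is off or the module is not loaded.
nested_exposed_vms() {
    [ "$(nested_state "$1")" = on ] || return 0
    host_cpu_vms "$2"
}

# Run against the live host paths (or pass a sysfs root and a config dir).
nested_exposed_vms "$@"
```

An empty result with the module loaded means either nesting is off or no VM uses CPU type host; `nested_state` tells the two cases apart.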
 
