Red Hat SummitChapter 21. Creating nested virtual machines
You can use nested virtual machines (VMs) if you require a different host operating system than what your local host is running. This eliminates the need for additional physical hardware.
In most environments, nested virtualization is only available as a Technology Preview in RHEL 10.
For detailed descriptions of the supported and unsupported environments, see Support limitations for nested virtualization.
21.1. What is nested virtualization?
With nested virtualization, you can run virtual machines (VMs) within other VMs. A standard VM that runs on a physical host can also act as a second hypervisor and create its own VMs.
Nested virtualization terminology
- Level 0 (
L0) - A physical host, a bare-metal machine.
- Level 1 (
L1) -
A standard VM, running on an
L0physical host, that can act as an additional virtual host. - Level 2 (
L2) A nested VM running on an
L1virtual host.Important: The second level of virtualization severely limits the performance of an
L2VM. For this reason, nested virtualization is primarily intended for development and testing scenarios, such as:- Debugging hypervisors in a constrained environment
- Testing larger virtual deployments on a limited amount of physical resources
In most environments, nested virtualization is only available as a Technology Preview in RHEL 10.
For detailed descriptions of the supported and unsupported environments, see Support limitations for nested virtualization.
21.2. Support limitations for nested virtualization
In most environments, nested virtualization is only available as a Technology Preview in RHEL 10.
However, you can use a Windows virtual machine (VM) with the Windows Subsystem for Linux (WSL2) to create a virtual Linux environment inside the Windows VM. This use case is fully supported on RHEL 10 under specific conditions.
To learn more about the relevant terminology for nested virtualization, see What is nested virtualization?
Supported environments
To create a supported deployment of nested virtualization, create an L1 Windows VM on a RHEL 9 or RHEL 10 L0 host and use WSL2 to create a virtual Linux environment inside the L1 Windows VM. Currently, this is the only supported nested environment.
The L0 host must be an Intel or AMD system. Other architectures, such as ARM or IBM Z, are currently not supported.
You must use only the following operating system versions:
On the L0 host: | On the L1 VMs: |
|---|---|
| RHEL 10.0 and later | Windows Server 2019 and later with WSL2 |
| Windows 10 and later with WSL2 |
See Microsoft documentation for instructions on installing WSL2 and choosing supported Linux distributions.
To create a supported nested environment, use one of the following procedures:
Technology Preview environments
These nested environments are available only as a Technology Preview and are not supported.
The L0 host must be an Intel, AMD, or IBM Z system. Nested virtualization currently does not work on other architectures, such as ARM.
You must use only the following operating system versions for the deployment to work:
On the L0 host: | On the L1 VMs: | On the L2 VMs: |
|---|---|---|
| RHEL 10.0 and later | RHEL 9.6 and later | RHEL 9.6 and later |
| RHEL 10.0 and later | RHEL 10.0 and later | |
| Windows Server 2016 and later with Hyper-V | Windows Server 2019 and later | |
| Windows 10 and later with Hyper-V |
Creating RHEL L1 VMs is not tested when used in other Red Hat virtualization offerings. These include:
- Red Hat Virtualization
- Red Hat OpenStack Platform
- OpenShift Virtualization
To create a Technology Preview nested environment, use one of the following procedures:
Hypervisor limitations
-
Currently, Red Hat tests nesting only on RHEL-KVM. When RHEL is used as the
L0hypervisor, you can use RHEL or Windows as theL1hypervisor. -
When using an
L1RHEL VM on a non-KVML0hypervisor, such as VMware ESXi or Amazon Web Services (AWS), creatingL2VMs in the RHEL guest operating system has not been tested and might not work.
Feature limitations
-
Use of
L2VMs as hypervisors and creatingL3guests has not been properly tested and is not expected to work. -
Migrating VMs currently does not work on AMD systems if nested virtualization has been enabled on the
L0host. On an IBM Z system, huge-page backing storage and nested virtualization cannot be used at the same time.
modprobe kvm hpage=1 nested=1 dmesg |tail -1
# modprobe kvm hpage=1 nested=1 modprobe: ERROR: could not insert 'kvm': Invalid argument # dmesg |tail -1 [90226.508366] kvm-s390: A KVM host that supports nesting cannot back its KVM guests with huge pagesCopy to Clipboard Copied! Toggle word wrap Toggle overflow -
Some features available on the
L0host might be unavailable on theL1hypervisor.
21.3. Creating a nested virtual machine on Intel
Follow the steps below to enable and configure nested virtualization on an Intel host.
In most environments, nested virtualization is only available as a Technology Preview in RHEL 10.
For detailed descriptions of the supported and unsupported environments, see Support limitations for nested virtualization.
Prerequisites
- An L0 RHEL 10 host running an L1 virtual machine (VM).
-
The hypervisor CPU must support nested virtualization. To verify, use the
cat /proc/cpuinfocommand on the L0 hypervisor. If the output of the command includes thevmxandeptflags, creating L2 VMs is possible. This is generally the case on Intel Xeon v3 cores and later. Ensure that nested virtualization is enabled on the L0 host:
cat /sys/module/kvm_intel/parameters/nested
# cat /sys/module/kvm_intel/parameters/nestedCopy to Clipboard Copied! Toggle word wrap Toggle overflow - If the command returns 1 or Y, the feature is enabled. Skip the remaining prerequisite steps, and continue with the Procedure section.
If the command returns 0 or N but your system supports nested virtualization, use the following steps to enable the feature.
Unload the
kvm_intelmodule:modprobe -r kvm_intel
# modprobe -r kvm_intelCopy to Clipboard Copied! Toggle word wrap Toggle overflow Activate the nesting feature:
modprobe kvm_intel nested=1
# modprobe kvm_intel nested=1Copy to Clipboard Copied! Toggle word wrap Toggle overflow The nesting feature is now enabled, but only until the next reboot of the L0 host. To enable it permanently, add the following line to the
/etc/modprobe.d/kvm.conffile:options kvm_intel nested=1
options kvm_intel nested=1Copy to Clipboard Copied! Toggle word wrap Toggle overflow
Procedure
Configure your L1 VM for nested virtualization.
Open the XML configuration of the VM. The following example opens the configuration of the Intel-L1 VM:
virsh edit Intel-L1
# virsh edit Intel-L1Copy to Clipboard Copied! Toggle word wrap Toggle overflow Configure the VM to use
host-passthroughCPU mode by editing the<cpu>element:<cpu mode='host-passthrough'/>
<cpu mode='host-passthrough'/>Copy to Clipboard Copied! Toggle word wrap Toggle overflow If you require the VM to use a specific CPU model, configure the VM to use
customCPU mode. Inside the<cpu>element, add a<feature policy='require' name='vmx'/>element and a<model>element with the CPU model specified inside. For example:<cpu mode ='custom' match ='exact' check='partial'> <model fallback='allow'>Haswell-noTSX</model> <feature policy='require' name='vmx'/> ... </cpu>
<cpu mode ='custom' match ='exact' check='partial'> <model fallback='allow'>Haswell-noTSX</model> <feature policy='require' name='vmx'/> ... </cpu>Copy to Clipboard Copied! Toggle word wrap Toggle overflow
- Create an L2 VM within the L1 VM. To do this, follow the same procedure as when creating the L1 VM.
21.4. Creating a nested virtual machine on AMD
Follow the steps below to enable and configure nested virtualization on an AMD host.
In most environments, nested virtualization is only available as a Technology Preview in RHEL 10.
For detailed descriptions of the supported and unsupported environments, see Support limitations for nested virtualization.
Prerequisites
- An L0 RHEL 10 host running an L1 virtual machine (VM).
-
The hypervisor CPU must support nested virtualization. To verify, use the
cat /proc/cpuinfocommand on the L0 hypervisor. If the output of the command includes thesvmandnptflags, creating L2 VMs is possible. This is generally the case on AMD EPYC cores and later. Ensure that nested virtualization is enabled on the L0 host:
cat /sys/module/kvm_amd/parameters/nested
# cat /sys/module/kvm_amd/parameters/nestedCopy to Clipboard Copied! Toggle word wrap Toggle overflow - If the command returns 1 or Y, the feature is enabled. Skip the remaining prerequisite steps, and continue with the Procedure section.
If the command returns 0 or N, use the following steps to enable the feature.
- Stop all running VMs on the L0 host.
Unload the
kvm_amdmodule:modprobe -r kvm_amd
# modprobe -r kvm_amdCopy to Clipboard Copied! Toggle word wrap Toggle overflow Activate the nesting feature:
modprobe kvm_amd nested=1
# modprobe kvm_amd nested=1Copy to Clipboard Copied! Toggle word wrap Toggle overflow The nesting feature is now enabled, but only until the next reboot of the L0 host. To enable it permanently, add the following to the
/etc/modprobe.d/kvm.conffile:options kvm_amd nested=1
options kvm_amd nested=1Copy to Clipboard Copied! Toggle word wrap Toggle overflow
Procedure
Configure your L1 VM for nested virtualization.
Open the XML configuration of the VM. The following example opens the configuration of the AMD-L1 VM:
virsh edit AMD-L1
# virsh edit AMD-L1Copy to Clipboard Copied! Toggle word wrap Toggle overflow Configure the VM to use
host-passthroughCPU mode by editing the<cpu>element:<cpu mode='host-passthrough'/>
<cpu mode='host-passthrough'/>Copy to Clipboard Copied! Toggle word wrap Toggle overflow If you require the VM to use a specific CPU model, configure the VM to use
customCPU mode. Inside the<cpu>element, add a<feature policy='require' name='svm'/>element and a<model>element with the CPU model specified inside. For example:<cpu mode="custom" match="exact" check="none"> <model fallback="allow">EPYC-IBPB</model> <feature policy="require" name="svm"/> ... </cpu>
<cpu mode="custom" match="exact" check="none"> <model fallback="allow">EPYC-IBPB</model> <feature policy="require" name="svm"/> ... </cpu>Copy to Clipboard Copied! Toggle word wrap Toggle overflow
- Create an L2 VM within the L1 VM. To do this, follow the same procedure as when creating the L1 VM.
21.5. Creating a nested virtual machine on IBM Z
Follow the steps below to enable and configure nested virtualization on an IBM Z host.
IBM Z does not really provide a bare-metal L0 host. Instead, user systems are set up on a logical partition (LPAR), which is already a virtualized system, so it is often referred to as L1. However, for better alignment with other architectures in this guide, the following steps refer to IBM Z as if it provides an L0 host.
To learn more about nested virtualization, see: What is nested virtualization?
In most environments, nested virtualization is only available as a Technology Preview in RHEL 10.
For detailed descriptions of the supported and unsupported environments, see Support limitations for nested virtualization.
Prerequisites
- An L0 RHEL 10 host running an L1 virtual machine (VM).
-
The hypervisor CPU must support nested virtualization. To verify this is the case, use the
cat /proc/cpuinfocommand on the L0 hypervisor. If the output of the command includes thesieflag, creating L2 VMs is possible. Ensure that nested virtualization is enabled on the L0 host:
cat /sys/module/kvm/parameters/nested
# cat /sys/module/kvm/parameters/nestedCopy to Clipboard Copied! Toggle word wrap Toggle overflow - If the command returns 1 or Y, the feature is enabled. Skip the remaining prerequisite steps, and continue with the Procedure section.
If the command returns 0 or N, use the following steps to enable the feature.
- Stop all running VMs on the L0 host.
Unload the
kvmmodule:modprobe -r kvm
# modprobe -r kvmCopy to Clipboard Copied! Toggle word wrap Toggle overflow Activate the nesting feature:
modprobe kvm nested=1
# modprobe kvm nested=1Copy to Clipboard Copied! Toggle word wrap Toggle overflow The nesting feature is now enabled, but only until the next reboot of the L0 host. To enable it permanently, add the following line to the
/etc/modprobe.d/kvm.conffile:options kvm nested=1
options kvm nested=1Copy to Clipboard Copied! Toggle word wrap Toggle overflow
Procedure
- Create an L2 VM within the L1 VM. To do this, follow the same procedure as when creating the L1 VM.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}