Enabling nested virtualization in RHEL 9

A few weeks ago, I acquired a Dell PowerEdge R720 server on Marketplace. It was a very good deal, with dual 8-core / 16-thread Intel Xeon processors (16 cores / 32 threads in total), 192GB of DDR3 ECC RAM and two 512GB SATA SSDs. I needed this server to run nested VMs on a KVM hypervisor for Cisco Modeling Labs, to complete my CCNP ENCOR certification.

Nested virtualization is essentially running a hypervisor inside a virtual machine, which in turn runs its own virtual machines. It’s a virtual machine in a virtual machine. And this is exactly what Cisco Modeling Labs does if you want to run it as a VM: it creates a virtual machine for each router/switch/firewall/host you add to a lab. So it’s a VM in a VM.

As an aside, Cisco Modeling Labs 2.x is a VERY hungry beast. 8 vCPUs and 32GB of RAM is the bare minimum to run NX-OS switches, so my old 6th gen Intel 4c/8t Core i7 couldn’t do the trick. It’s the sole reason I had to buy this PowerEdge machine.

Being a Red Hat guy, I installed RHEL 9 on the metal with a minimal install, planning to then install KVM and the tools required to manage it. I also added 6 x 512GB SSDs as storage space for VMs, because I wanted to virtualize more than just CML.

So right after the minimal RHEL 9 install, I prepared the storage space with the right SELinux labels, registered the server with Red Hat (BTW, what a shitty registration system :-( ), and installed KVM and its tools using:

# dnf install cockpit qemu-kvm qemu-img libvirt virt-install libvirt-client virt-manager cockpit-machines

Usually, on all the KVM hypervisors I have installed, nested virtualization has never been a problem. It just worked out of the box, no questions asked. So I was extremely surprised when the Cisco Modeling Labs installer told me that it couldn’t find virtualization extensions. I began looking everywhere I knew, and Googling the problem. First, I checked that the CPU supported the extensions required for nested VMs:

# cat /proc/cpuinfo | grep vmx
# cat /proc/cpuinfo | grep ept

It did: the output listed the full set of extensions supported by my CPU, and it included both vmx and ept. So then I checked whether nested virtualization was enabled:

# cat /sys/module/kvm_intel/parameters/nested

The output being 0 (disabled), I thought turning it on would do the trick:

# echo 1 > /sys/module/kvm_intel/parameters/nested

But it did not. The /sys filesystem is a pseudo-filesystem that exposes the current parameters of loaded modules; this particular parameter file is read-only, so the write is refused. Writing there does not reconfigure the already loaded module, and it certainly does not load unloaded modules or activate disabled functions. So after googling a bit (a lot), I stumbled on the setting required to activate nested virtualization.

Essentially, I could reload the module with nesting enabled right away using the following commands (the unload only succeeds while no VM is running, since the module cannot be removed while it is in use):

# modprobe -r kvm_intel
# modprobe kvm_intel nested=1

(Replace “kvm_intel” by “kvm_amd” for AMD processors)

Then, to make sure nested virtualization stays enabled after a reboot, you have to specify it in the kvm module configuration file:

# vi /etc/modprobe.d/kvm.conf

Then add (or uncomment) the following line in the file:

options kvm_intel nested=1

Or if you have an AMD processor:

options kvm_amd nested=1

Just make sure you don’t enable both at once 😉

Now, to confirm the setting is permanently enabled, reboot your hypervisor and check the following again:

# cat /sys/module/kvm_intel/parameters/nested

The output should be 1, meaning that nested virtualization is enabled.
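The checks and fixes above, gathered into one script. This is an added example, not the post’s own code: it picks the module from the vendor_id string in /proc/cpuinfo (GenuineIntel or AuthenticAMD, with vmx or svm as the required flag), and it accepts both 0/1 and N/Y as the parameter value, since the kernel prints an int parameter as 0/1 but a bool parameter as N/Y.

```shell
# Constructed example (not the post's own): the manual checks above, wrapped
# so they handle both CPU vendors and both formats in which the kernel shows a
# module parameter (0/1 for an int param, N/Y for a bool one).

# Map the vendor_id string from /proc/cpuinfo to the matching KVM module.
kvm_module_for_vendor() {
    case "$1" in
        GenuineIntel) echo "kvm_intel" ;;
        AuthenticAMD) echo "kvm_amd" ;;
        *) echo "unknown"; return 1 ;;
    esac
}

# CPU flag that must be present for hardware virtualization on that module.
virt_flag_for_module() {
    case "$1" in
        kvm_intel) echo "vmx" ;;
        kvm_amd)   echo "svm" ;;
        *) return 1 ;;
    esac
}

# Read a "nested" parameter file: 1 or Y means enabled, anything else
# disabled; a missing file means the module is not loaded at all.
nested_state() {
    [ -r "$1" ] || { echo "absent"; return 0; }
    case "$(cat "$1")" in
        1|Y|y) echo "enabled" ;;
        *)     echo "disabled" ;;
    esac
}

# The line to place in /etc/modprobe.d/kvm.conf for the given module.
modprobe_conf_line() {
    echo "options $1 nested=1"
}
# Inspect the live host (needs a real /proc and /sys; not run during tests).
check_host() {
    vendor=$(awk -F': ' '/^vendor_id/ { print $2; exit }' /proc/cpuinfo)
    mod=$(kvm_module_for_vendor "$vendor") || { echo "unsupported vendor: $vendor"; return 1; }
    flag=$(virt_flag_for_module "$mod")
    grep -qw "$flag" /proc/cpuinfo || { echo "CPU lacks the $flag extension"; return 1; }
    state=$(nested_state "/sys/module/$mod/parameters/nested")
    echo "$mod nested: $state"
    [ "$state" = "enabled" ] && return 0
    echo "reload with: modprobe -r $mod && modprobe $mod nested=1"
    echo "persist with: echo '$(modprobe_conf_line "$mod")' >> /etc/modprobe.d/kvm.conf"
}
if [ "${1:-}" = "--check" ]; then check_host; fi
```

Run it as root with `--check` on the hypervisor; it prints the current state and, when nesting is off, the reload and persistence commands for your CPU vendor.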

So then, just like that, after freaking out that my $700 server would be unable to run what I had bought it for, I could finally go through with the installation of Cisco Modeling Labs.
