Procedure to configure nested virtualization
============================================

Intel-based hosts
-----------------

1. List modules and ensure the KVM kernel modules are enabled on the
   physical host:

        $ lsmod | grep -i kvm
        kvm_intel             133627  0
        kvm                   435079  1 kvm_intel

2. Show information for the `kvm_intel` module:

        $ modinfo kvm_intel | grep -i nested
        parm:           nested:bool

3. Ensure nested virtualization is persistent across reboots by adding it
   as a config directive:

        $ cat /etc/modprobe.d/dist.conf
        options kvm-intel nested=y

4. Temporarily remove the KVM Intel kernel module, enable nested
   virtualization to be persistent across reboots, and add the kernel
   module back:

        $ sudo rmmod kvm-intel
        $ sudo sh -c "echo 'options kvm-intel nested=1' \
            >> /etc/modprobe.d/dist.conf"
        $ sudo modprobe kvm-intel

5. Check if the nested KVM kernel module option is enabled:

        $ cat /sys/module/kvm_intel/parameters/nested
        Y

6. Before you boot your level-1 guest (i.e. the guest hypervisor that runs
   the nested guest), expose virtualization extensions to it. The
   following exposes all the CPU features of the host to your guest
   unconditionally:

        # This `virt-xml` tool is part of 'virt-install' package
        $ virt-xml guest-hyp \
            --edit \
            --cpu host-passthrough,clearxml=yes

7. Start your level-1 guest (i.e. guest hypervisor):

        $ virsh start guest-hyp --console

8. Ensure KVM extensions are enabled by checking if the character device
   `/dev/kvm` is present in the level-1 guest:

        $ file /dev/kvm
        /dev/kvm: character special

9. Start your level-2 (or nested) guest:

        $ virsh start nested-guest

* * *

NOTE: If the Intel hardware is sufficiently advanced (Intel Haswell
processor or above, which has newer hardware virt extensions), you might
enable Shadow VMCS and APIC Virtualization on the physical host:

    $ cat /sys/module/kvm_intel/parameters/enable_shadow_vmcs
    Y

    $ cat /sys/module/kvm_intel/parameters/enable_apicv
    N

    $ cat /sys/module/kvm_intel/parameters/ept
    Y

* * *

Instructions for AMD
--------------------

(1) Enable the 'nested' parameter for the AMD kernel module:

    $ cat /sys/module/kvm_amd/parameters/nested
    0

    $ rmmod kvm-amd
    $ modprobe kvm-amd nested=1

    $ cat /sys/module/kvm_amd/parameters/nested
    1

(2) To make the above value persistent across reboots, add an entry in
    /etc/modprobe.d/dist.conf so it looks as below:

    $ cat /etc/modprobe.d/dist.conf
    options kvm-amd nested=y
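
The steps above write `nested=` into `/etc/modprobe.d/dist.conf` and, separately, reload the module. The script below is an added example (not part of the original notes) that reports both values for `kvm_intel` and `kvm_amd` and flags a host where they disagree. `SYSFS_ROOT`, `MODPROBE_DIR` and the function names are assumptions of this example, and only `MODPROBE_DIR/*.conf` is scanned.

```shell
#!/bin/sh
# Added example: compare the running "nested" value of a KVM module with the
# one persisted in modprobe.d. SYSFS_ROOT / MODPROBE_DIR are example names.
SYSFS_ROOT="${SYSFS_ROOT:-/sys/module}"
MODPROBE_DIR="${MODPROBE_DIR:-/etc/modprobe.d}"

# The page shows Y/N from kvm_intel and 1/0 from kvm_amd; map both to one form.
normalize_nested() {
    case "$1" in
        Y|y|1) echo enabled ;;
        N|n|0) echo disabled ;;
        *)     echo unknown ;;
    esac
}

# runtime_nested MODULE: value the loaded module reports, or "not-loaded".
runtime_nested() {
    f="$SYSFS_ROOT/$1/parameters/nested"
    if [ -r "$f" ]; then normalize_nested "$(cat "$f")"; else echo not-loaded; fi
}

# persistent_nested MODULE: last "options MODULE ... nested=" value found in
# MODPROBE_DIR/*.conf, or "unset". modprobe treats "-" and "_" as the same.
persistent_nested() {
    pat=$(printf '%s' "$1" | sed 's/[-_]/[-_]/g')
    val=""
    for conf in "$MODPROBE_DIR"/*.conf; do
        [ -f "$conf" ] || continue
        v=$(sed -n "s/^[[:space:]]*options[[:space:]]\{1,\}${pat}[[:space:]].*nested=\([^[:space:]]*\).*/\1/p" "$conf" |
            tail -n 1)
        if [ -n "$v" ]; then val=$v; fi
    done
    if [ -n "$val" ]; then normalize_nested "$val"; else echo unset; fi
}

# audit_module MODULE: prints both values; returns 1 when the persisted value
# and the running module disagree (config edited but module not reloaded).
audit_module() {
    r=$(runtime_nested "$1"); p=$(persistent_nested "$1")
    echo "$1 runtime=$r persistent=$p"
    case "$r/$p" in
        enabled/disabled|disabled/enabled) return 1 ;;
        *) return 0 ;;
    esac
}

for m in kvm_intel kvm_amd; do
    audit_module "$m" || echo "  -> $m: running value differs from modprobe.d"
done
```

A mismatch on a host means the `rmmod`/`modprobe` reload in the procedure has not happened since the file was edited, so the running state is not what the configuration says.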