On 02/04/2020 at 22:52, Noah Meyerhans wrote:
> On Thu, Apr 02, 2020 at 10:55:16AM -0700, Ross Vandegrift wrote:
>> I don't think just saying "yes" automatically is the best approach. But
>> I'm not sure we can come up with a clear set of rules. Evaluating the
>> use cases will involve judgment calls about size vs functionality. I
>> guess I think that's okay.
>
> You certainly may be right. I wasn't able to convince myself either
> way, which is why I posted for additional opinions.
>
>> The first two bugs are about nested virtualization. I like the idea of
>> deciding to support that or not. I don't know much about nested virt,
>> so I don't have a strong opinion. It seems pretty widely supported on
>> our platforms. I don't know if it raises performance or security
>> concerns. So these seem okay to me, as long as we decide to support
>> nested virt, and there aren't major cons that I'm unaware of.
>
> IMO nested virtualization is not something I'd want to see in a
> "production" environment. Hardware-assisted isolation between VMs is
> critical for hosting mixed-trust workloads (e.g. VMs owned and
> controlled by unrelated parties without a mutual trust relationship).
> Current hardware virtualization extensions, e.g. Intel VTx, only have a
> concept of a single level of virtualization. Nested virtualization is
> implemented by trapping and emulating the CPU extensions, and by doing a
> bunch of mapping of nested guest state to allow it to effectively run as
> a peer VM of the parent guest in hardware. Some details at [1]. So not
> only is it painfully complex, but it's also quite slow.
>
> This is not to say that there aren't any legitimate use cases for nested
> virtualization. Only that I'm not sure it's something we want to be
> optimizing for.
Nested virtualization makes practical sense if the host is passing the
corresponding CPU feature from host to guest. Do we know which cloud
providers support that? egrep '(vmx|svm)' /proc/cpuinfo in a cloud
instance can give the answer. IIRC Digital Ocean and AWS have it, but for
instance Vultr does not.

Personally I am a user of nested virtualization, for building images with
packer in the cloud, but I am absolutely fine with having to install the
standard kernel to get access to something like vhost-scsi for instance.

Emmanuel

-- 
You know an upstream is nice when they even accept m68k patches.
 - John Paul Adrian Glaubitz, Debian OpenJDK maintainer
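As an added example (not code from this thread or from the Debian cloud team), the following POSIX shell script automates the check described above: it looks for the vmx or svm flag in a cpuinfo-format file (defaulting to /proc/cpuinfo, but accepting any path so it can be run against a constructed sample) and, assuming the standard KVM sysfs parameter path /sys/module/kvm_{intel,amd}/parameters/nested, reports whether the running kernel's KVM module has nesting turned on. The sample cpuinfo lines at the bottom are constructed, not taken from a real instance.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Report whether a (guest) CPU exposes the virtualization extensions that
# nested virtualization needs, and whether KVM has nesting enabled.

# Print "vmx" (Intel) or "svm" (AMD) if the flag appears in the cpuinfo
# file given as $1 (default /proc/cpuinfo), otherwise "none".
virt_flag() {
    cpuinfo="${1:-/proc/cpuinfo}"
    [ -r "$cpuinfo" ] || { echo none; return; }
    # Anchor on the "flags" line and match the flag as a whole word only.
    if grep -Eq '^flags[[:space:]]*:.*[[:space:]]vmx([[:space:]]|$)' "$cpuinfo"; then
        echo vmx
    elif grep -Eq '^flags[[:space:]]*:.*[[:space:]]svm([[:space:]]|$)' "$cpuinfo"; then
        echo svm
    else
        echo none
    fi
}

# Print "enabled", "disabled" or "unknown" for the KVM module's "nested"
# parameter. $1 is the flag from virt_flag; $2 is the sysfs module root
# (default /sys/module; assumed standard layout, overridable for testing).
kvm_nested_state() {
    flag="$1"
    sysdir="${2:-/sys/module}"
    case "$flag" in
        vmx) f="$sysdir/kvm_intel/parameters/nested" ;;
        svm) f="$sysdir/kvm_amd/parameters/nested" ;;
        *)   echo unknown; return ;;
    esac
    [ -r "$f" ] || { echo unknown; return; }
    # Older kernels expose an int (1/0), newer ones a bool (Y/N).
    case "$(cat "$f")" in
        1|Y|y) echo enabled ;;
        0|N|n) echo disabled ;;
        *)     echo unknown ;;
    esac
}

# Stand-alone demo: a constructed cpuinfo sample, then the real host.
SAMPLE="$(mktemp)"
printf 'processor\t: 0\nflags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep vmx ssse3 sse4_1 hypervisor\n' > "$SAMPLE"
echo "constructed sample: $(virt_flag "$SAMPLE")"
HOST_FLAG="$(virt_flag)"
echo "this host: $HOST_FLAG (kvm nested: $(kvm_nested_state "$HOST_FLAG"))"
rm -f "$SAMPLE"
```

Run it inside a cloud instance: "none" means the provider is not passing the extension through and nested virtualization cannot work there regardless of kernel configuration; "vmx"/"svm" with "kvm nested: disabled" means the hardware feature is present but the guest kernel's KVM module is not set up to use it.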
