[colug-432] Cloud-based nested virtualization or other "wrapping" alternatives
Roberto C. Sánchez
roberto at connexer.com
Tue Jun 21 14:41:53 EDT 2016
On Tue, Jun 21, 2016 at 02:24:58PM -0400, Jeff Frontz wrote:
> It would need to be a provider that offers HVM nesting, right? The
> provider would host my instance of a newer distro/kernel and then I'd nest
> the legacy kernel in an instance running under the newer distro. What I'm
> wondering is whether such a capability is even possible (i.e., do the
> processor primitives that support virtualization allow too much access to
> the physical hardware, and thus they're not exposed to the
> hosted/top-level instance?).
I don't know if it would be possible to nest that way. If I had to
implement a solution to what you describe I would look for a provider
that would let me provision a guest with only a private IP address. I
would then provision a second guest with a public IP and a private IP on
the same subnet as the first guest. I would make the first guest only
accessible through the second.
I personally would not want to try and get nested VMs working in the way
The other possibility would be to find a provider that lets you lease
dedicated hardware as opposed to just a VM, or to co-lo your own
hardware. Your requirements seem sufficiently specialized that should
probably bite the bullet and solve the problem properly, as opposed to
trying something that isn't well supported.
I did do some research and found this Xen wiki page:
The page makes it clear that this isn't an out-of-the-box feature. The
highlighted warning near the bottom of the page makes it clear that even
having nested virtualization enabled would be a danger to the admin of
the top-level host. I would be shocked if you found a provider that let
you do this without leasing the whole box. At that point, why bother
with nested virtualization?
Roberto C. Sánchez
More information about the colug-432