[colug-432] Cloud-based nested virtualization or other "wrapping" alternatives

Roberto C. Sánchez roberto at connexer.com
Tue Jun 21 14:41:53 EDT 2016

On Tue, Jun 21, 2016 at 02:24:58PM -0400, Jeff Frontz wrote:
>    It would need to be a provider that offers HVM nesting, right?  The
>    provider would host my instance of a newer distro/kernel and then I'd nest
>    the legacy kernel in an instance running under the newer distro.  What I'm
>    wondering is whether such a capability is even possible (i.e., do the
>    processor primitives that support virtualization allow too much access to
>    the physical hardware, and thus they're not exposed to the
>    hosted/top-level instance?).
I don't know if it would be possible to nest that way.  If I had to
implement a solution to what you describe I would look for a provider
that would let me provision a guest with only a private IP address.  I
would then provision a second guest with a public IP and a private IP on
the same subnet as the first guest.  I would make the first guest only
accessible through the second.

I personally would not want to try and get nested VMs working in the way
you describe.

The other possibility would be to find a provider that lets you lease
dedicated hardware as opposed to just a VM, or to co-lo your own
hardware.  Your requirements seem sufficiently specialized that should
probably bite the bullet and solve the problem properly, as opposed to
trying something that isn't well supported.

I did do some research and found this Xen wiki page:


The page makes it clear that this isn't an out-of-the-box feature.  The
highlighted warning near the bottom of the page makes it clear that even
having nested virtualization enabled would be a danger to the admin of
the top-level host.  I would be shocked if you found a provider that let
you do this without leasing the whole box.  At that point, why bother
with nested virtualization?



Roberto C. Sánchez

More information about the colug-432 mailing list