.Enabling nested virtualization no longer blocks live migration
Previously, the nested virtualization feature was incompatible with live migration. As a consequence, enabling nested virtualization on a RHEL 8 host prevented migrating any virtual machines (VMs) from the host, as well as saving VM state snapshots to disk. This update fixes the described problem, and the affected VMs can now be migrated.
Description of problem:
Starting a libvirt domain with host-passthrough (equivalent to -cpu host) or
host-model (a CPU model expanded from "host" via query-cpu-model-expansion is
passed to -cpu) on a host with nested VMX enabled cannot be migrated, saved,
or snapshotted. The domain doesn't even need or want to use VMX.
This is a regression introduced in 3.1.0 by
commit d98f26073bebddcd3da0ba1b86c3a34e840c0fb8
Author: Paolo Bonzini <pbonzini>
AuthorDate: Wed Nov 14 10:38:13 2018 +0100
Commit: Paolo Bonzini <pbonzini>
CommitDate: Tue Nov 27 15:06:14 2018 +0100
target/i386: kvm: add VMX migration blocker
Nested VMX does not support live migration yet. Add a blocker
until that is worked out.
Nested SVM only does not support it, but unfortunately it is
enabled by default for -cpu host so we cannot really disable it.
Signed-off-by: Paolo Bonzini <pbonzini>
Unfortunately, VMX is automatically enabled for -cpu host too. The only
difference between SVM and VMX is that kvm_amd automatically enabled nested,
while it has to be enabled manually for kvm_intel.
Version-Release number of selected component (if applicable):
qemu-kvm-3.1.0-18.module+el8+2834+fa8bb6e2.x86_64
How reproducible:
100%
Steps to Reproduce:
1. modprobe -r kvm_intel
2. modprobe kvm_intel nested=1
3. /usr/libexec/qemu-kvm -cpu host -qmp stdin
4. {"execute":"qmp_capabilities"}
5. {"execute":"migrate","arguments":{"uri":"tcp://localhost:1234"}}
Alternatively via libvirt:
1. start a domain with either host-passthrough or host-model CPU
2. virsh managedsave $DOM
Actual results:
{"error": {"class": "GenericError", "desc": "Nested VMX virtualization does not support live migration yet"}}
or a corresponding libvirt error:
internal error: unable to execute QEMU command 'migrate': Nested VMX virtualization does not support live migration yet
Additional info:
OpenStack uses host-model CPUs by default so it's just a matter of someone
enabling nested on the host and all VMs are doomed.
<jdenemar> bonzini: if we want to keep the check in I think we should make sure vmx is not added to -cpu host unless non-migratable features are requested
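For hosts still running an affected qemu-kvm build, the condition described in this report can be checked before a migration or managedsave is attempted. The script below is an added example, not code from the bug report or from QEMU/libvirt; the function names and the NESTED_PARAM override are hypothetical, and the sample XML is constructed.

```shell
#!/bin/sh
# Added example: flag libvirt domains that would hit the VMX migration blocker.
# NESTED_PARAM is an assumption of this example: an override so the logic can
# be exercised away from a KVM host. The default is the kvm_intel sysfs file.
NESTED_PARAM=${NESTED_PARAM:-/sys/module/kvm_intel/parameters/nested}

# Succeeds when kvm_intel is loaded with nested=1 (sysfs reports "Y" or "1").
nested_vmx_enabled() {
    [ -r "$NESTED_PARAM" ] || return 1
    case "$(cat "$NESTED_PARAM")" in
        Y|1) return 0 ;;
        *)   return 1 ;;
    esac
}

# Reads domain XML on stdin and prints the value of <cpu mode=...>, if any.
cpu_mode() {
    sed -n "s/.*<cpu [^>]*mode=[\"']\([^\"']*\)[\"'].*/\1/p" | head -n 1
}

# Reads domain XML on stdin; prints "blocked" when nested VMX is on and the
# domain uses host-passthrough or host-model, otherwise "ok".
migration_verdict() {
    mode=$(cpu_mode)
    if nested_vmx_enabled; then
        case "$mode" in
            host-passthrough|host-model) echo blocked; return ;;
        esac
    fi
    echo ok
}

# On a real host: check every running domain. --inactive is used because the
# live XML of a host-model domain shows the expanded CPU, not the configured mode.
audit_running_domains() {
    virsh list --name | while read -r dom; do
        [ -n "$dom" ] || continue
        printf '%s: %s\n' "$dom" \
            "$(virsh dumpxml --inactive "$dom" | migration_verdict)"
    done
}

# Constructed sample input, not taken from the bug report.
SAMPLE_XML="<domain type='kvm'><name>demo</name><cpu mode='host-model' check='partial'/></domain>"
```

Call `audit_running_domains` on the hypervisor after sourcing the script; a "blocked" domain is one that would return the "Nested VMX virtualization does not support live migration yet" error shown above.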