Nested virtualization

Talia77 · November 12, 2022, 8:23am

Does qubes support nested virtualization? I would like to ask, for example, I install a debian of hvm in qubes, and then run ubuntu in debian, has anyone tried this? Can it be successful?

mila · November 12, 2022, 12:31pm

Hi there,
are You running qubes on a server instead of a pc ?
Then, is theorically possible: How to enable nested virtualization in KVM :: Fedora Docs
(but honestly I don’t know if it’s something easy to do in qubes…)

If not, I strongly say is not something useful at all, if not for simply test purpose (and at what price?)!

Oracle (not last born software house), use containers on HOST, not in VM (as tanzu): Oracle® Linux Oracle Linux Container Services for use with Kubernetes User's Guide - Oracle® Linux Oracle Linux Container Services for use with Kubernetes User's Guide

Do You think they are not enough smart?

Cheers,
M.

Talia77 · November 12, 2022, 12:43pm

My host is qubes and I want to try nested virtualization

mila · November 12, 2022, 1:39pm

well, of course bare metal virtualization is the best!
Cheers,
M.

aronowski · November 12, 2022, 2:13pm

There already were several attempts:

https://fishilico.github.io/generic-config/sysadmin/qubes-os.html#nested-virtualization

Though none of them worked for me. Still, maybe you’ll find them useful

Talia77 · November 12, 2022, 3:53pm

You misunderstood what I mean, qubes is still bare metal, but after opening a virtual machine in qubes, a virtual machine is opened in the virtual machine

mila · November 12, 2022, 4:24pm

Yep,
I know well what You where saying…
nested virtualization upon a bare metal virtualization, is different from a kernel zone based one…
From my point of view not really, because resource used by second one are slightly higher than other one… and that’s the reason I asked You on which hw You’d like to use it… but it’s not really important now…
aronowski has kindly pointed You to some other attempts done on qubes, so: good luck!

Cheers,
M.

brendanhoar · November 12, 2022, 9:59pm

Nested virtualization is considered both experimental in Xen as well as a potential security liability, and is therefore not supported in Qubes.

B

fsflover · November 13, 2022, 9:10pm

github.com/QubesOS/qubes-issues

Make Qubes work in VirtualBox

opened 03:03PM - 16 May 19 UTC

marmarek

T: enhancement C: other P: default

**The problem you're addressing (if any)** Qubes installer (and probably instal…led system too) fails to run inside VirtualBox. Known problems: - Xorg fails to start with `(EE) VESA(0): V_BIOS address 0x0 out of range` message - a lot of disk I/O errors, especially on heavy I/O (like the installation itself) Tried with Qubes 4.0.1. **Describe the solution you'd like** Fedora 25 runs fine with exactly the same VirtualBox configuration, so I guess it's either missing/misconfigured drivers shipped with Qubes, or Xen interfering with them. The easiest thing for start would be to try with Qubes 4.1 (updated drivers), but I guess it will not be enough. **Where is the value to a user, and who might that user be?** Generally running Qubes OS in a virtual machine is discouraged, as it does not offer protection from the host system. But there are use cases where it makes sense: - testing / playing / trying - running Qubes OS as a component in Genode (Sculpt OS), as an intermediate step in using Genode as isolation-provider for Qubes OS Note that VirtualBox only recently introduced nested virtualization and only for AMD CPUs. And AFAIK none of it include nested IOMMU. This means isolation within such Qubes instance is significantly weaker than bare metal one, as only PV is possible. **Describe alternatives you've considered** Alternative for Genode use case may be trying Seoul VMM, which works well with some Linux distributions. I don't know if it's able to run Xen (even with PV only). **Relevant [documentation](https://www.qubes-os.org/doc/) you've consulted** Setting up a VirtualBox VM in Sculpt OS: https://genodians.org/m-stein/2019-03-07-vm-with-sculpt-ce-preview cc @nfeske

github.com/QubesOS/qubes-issues

There is no information about nested VMs on Qubes on FAQ or DOCs

opened 07:55PM - 06 Jul 17 UTC

johnandrewny

help wanted C: doc T: task

#### Qubes OS version 3.2 #### FAQ ### Expected behavior: Information about …nested VMs and if is possible with Qubes VM Manager on FAQ or DOCs ### Actual behavior: There is no information about nested VMs on Qubes XEN ### Steps to reproduce the behavior: Search about nested VMs on FAQ or DOCs ### General notes: A lot of people needs nested vm, there is some links: https://www.reddit.com/r/Qubes/comments/5tbe3e/nested_virtualization/ https://serverfault.com/questions/858039/when-creating-vm-with-virt-manager-on-xen-under-debian-9-stretch-receive-the-err --- #### Related issues:

github.com/QubesOS/qubes-issues

Consider adding "Try Qubes in a Virtual Machine" button on website

opened 01:38AM - 16 Aug 16 UTC

andrewdavidwong

T: enhancement help wanted C: website

On 2016-08-15 16:21, Andrew Clausen wrote: > Hi Pixel, > > On 9 August 2016 at… 13:59, pixel fairy <pixelfairy@[...].com> wrote: > > > virtualbox doesnt support nested virtualization. > > > > vmware-fusion does, so qubes runs fine in that. the only issue is the low > > resolution. vmwares drivers complain if you run them on a xen kernel, so > > your stuck with low res. > > Yes, I finally confirmed that this works. I will be recommending this > to my students. > > Perhaps this advice ought to be somewhere on the Qubes website. > Specifically, most people will want to try Qubes out before making a > big investment in finding a well-supported laptop. So perhaps the > "Getting Started" page [1] could have a "Try Qubes inside a virtual > machine" button next to the live usb option under "Try Qubes". > > Kind regards, > Andrew > > [1] https://www.qubes-os.org/getting-started/ [Full thread](https://groups.google.com/d/topic/qubes-devel/96V85GaogRc/discussion)

renehoj · November 13, 2022, 9:22pm

I think they are asking about running a VM in Qubes, not running Qubes in a VM.

You can run Qubes in a VM if it’s configured to allow nested virtualization, but it doesn’t work the other way.

In xen.xml the host-passthough for vmx and svm is disabled, maybe it would work if you enabled it. It’s probably not a good idea to change the settings, it could make it pointless to use Qubes at all.

Talia77 · November 13, 2022, 11:06pm

What I want to ask is to install vm in qubes to achieve nesting, rather than installing qubes in a virtual machine. Several friends above misunderstood what I mean. According to the official documentation of xen, I found that nested virtualization has recently become is disabled in several versions, is it true? Is there a way to enable it?

enmus · November 13, 2022, 11:25pm

This could help you. Read before accusing me I didn’t understand you too

Talia77 · November 13, 2022, 11:27pm

Hello, I don’t mean to accuse you, I just clarify it again, so that everyone can discuss the same goal smoothly

brendanhoar · November 14, 2022, 12:53am

With the current version of Xen used by Qubes, including newer Xen versions available not yet used by Qubes, there is little to no hope for reliably running a VM in a VM on a Qubes system.

B

renehoj · November 14, 2022, 5:29am

<!-- disable nested HVM -->
<feature name='vmx' policy='disable'/>
<feature name='svm' policy='disable'/>

You probably need to start with enabling that part of xen.xml

Keep in mind, it’s disabled for a reason.

zithro · December 7, 2022, 6:20am

So, what are the results ? I’m curious !

I know that you want to nest domUs from within Qubes, but here are my notes on my attempts to run Qubes from an existing non-Qubes dom0 (like running Qubes from AWS), which when you think of it is pretty similar :

the nested dom0, aka L1-dom0 (so the Debian HVM in your case), must have “nestedhvm=1” and “hap=1” in the config file
in my case, only PV nested domUs (your Ubuntu) work. HVM = 100% CPU usage + “VMEXIT” errors filling up L1-dom0 xl dmesg ; PVHVM = crash on boot

I tried in march though so maybe there are news on this, will retry.
I also have to investigate the linked posts, and the vmx/svm thingy.

But again, I would gladly like to read about your findings !

Insurgo · January 2, 2024, 9:36pm

Insurgo · January 20, 2024, 7:27pm

Upstream bug tracking and past discussions Nested Virtualization on Xen Revamp (&25) · Epics · xen-project · GitLab