Add an option to control nested virtualization #7408
Conversation
russell-islam
force-pushed
the
muislam/mshv-nested-feature
branch
from
3c26210 to
f2847cb
Compare
|
I assume there isn't an option for KVM? We should take into consideration we may want to provide very fine-grained configurations in the medium term. Putting this into PlatformConfig looks wrong. This is a CPU feature, not a platform feature. |
We can directly add to the VM configuration as features or something? |
There is a workstream to expose fine-grained control over the CPU features. I think this belongs there. KVM can benefit from the fine-grained control. |
russell-islam
force-pushed
the
muislam/mshv-nested-feature
branch
from
f2847cb to
1920b79
Compare
|
For the record: with current Cloud Hypervisor on Linux/KVM, nesting works out of the box including state save/resume and live-migration. It should work similar with MSHV. |
|
|
We could add a runtime configuration for kvm similar to MSHV which disables/enables the support explicitly. Then we can have similar behavior for both backends - and disabling nesting is a valid use case in case infrastructure maintainers are concerned about people breaking out of the VMX emulation for example |
vmm/src/vm_config.rs
Outdated
| #[cfg(target_arch = "x86_64")] | ||
| #[serde(default)] | ||
| pub amx: bool, | ||
| pub nested: bool, |
There was a problem hiding this comment.
How about nested_virt instead of just nested?
|
nit: there are multiple typos in the commit messages. |
russell-islam
force-pushed
the
muislam/mshv-nested-feature
branch
from
1920b79 to
187ce24
Compare
|
@anirudhrb Please take another look. Thx |
rbradford
left a comment
rbradford
left a comment
There was a problem hiding this comment.
We don't have a nested option for KVM - it's always enabled. Why do we need to make it an option for MSHV?
If you add the option to --cpu for MSHV then you need to do the same for KVM.
With MSHV we have to pass the flag during VM creations. The customers want to control that flow with CLI, that's why I raised the PR. Do you recommend adding feature guard around the nested feature, or recommend adding an extra argument like --mshv-cpu-feaures? |
You haven't explained why you can't have it turned on all the time. |
Customers does not wnat to turn on by default.
We can turn it on by default with no issue but customer does not want it default rather it wants to control in run-time. Do you also refer to turn it on by default with the CpuFeatures default initialization? Also in future we will have more Cpu features on MSVH that might need to be turned on the CLI. |
|
Okay. If you want to make it controllable then I think you should make it controllable for KVM as well - with a default of on. |
Just curious, If we add some features that is only available for MSHV, How do we do it? |
Probably something like |
|
Why not add a parameter to
For the record: Some operators are concerned about the increased attack surface of the KVM VMX emulator code. |
Exactly what I was getting at!
We've already shipped with a default of on - so we can't change that now. |
russell-islam
force-pushed
the
muislam/mshv-nested-feature
branch
5 times, most recently
from
e9d670a to
f9107db
Compare
russell-islam
force-pushed
the
muislam/mshv-nested-feature
branch
from
f9a65b5 to
ca35fa8
Compare
vmm/src/vm_config.rs
Outdated
| self.cpus.max_vcpus | ||
| } | ||
| } | ||
| pub(crate) fn to_hypervisor_vm_config(&self) -> hypervisor::HypervisorVmConfig { |
There was a problem hiding this comment.
Would it be more Rust idiomatic to do it like this:
impl From<&VmConfig> for hypervisor::HypervisorVmConfig {
fn from(value: &VmConfig) -> Self {
hypervisor::HypervisorVmConfig {
#[cfg(feature = "tdx")]
tdx_enabled: value.platform.as_ref().map(|p| p.tdx).unwrap_or(false),
#[cfg(feature = "sev_snp")]
sev_snp_enabled: value.is_sev_snp_enabled(),
#[cfg(feature = "sev_snp")]
mem_size: self.memory.total_size(),
nested: value.cpus.nested,
}
}
}and access it like
let hypervisor_vm_config = self
.vm_config
.as_ref()
.unwrap()
.lock()
.unwrap()
.deref()
.into();There was a problem hiding this comment.
Moved to lib.rs to avoid the following error:
implementation is not supported in traits or impls
consider moving the implementation out to a nearby module scope rustc
#file://cloud-hypervisor/vmm/src/vm_config.rs)
hypervisor
pub struct HypervisorVmConfig {}
HypervisorVmConfig is defined in Hypervisor crate.
rbradford
left a comment
rbradford
left a comment
There was a problem hiding this comment.
Other than that one suggestion about Rust style I think this PR is ready to go.
russell-islam
force-pushed
the
muislam/mshv-nested-feature
branch
3 times, most recently
from
140bb2f to
17fe8ed
Compare
rbradford
left a comment
rbradford
left a comment
There was a problem hiding this comment.
docs/cpu.md needs an update.
Create HypervisorVmConfig early and pass the struct to VM creation API in the vmm crate. Getting rid of multiple conditional parameter. Signed-off-by: Muminul Islam <[email protected]>
Use mshv-{ioctls, bindings) with the latest versions
that have the nested MSHV support.
Signed-off-by: Muminul Islam <[email protected]>
Add an option in the CLI to enable nested support. Adding an option --cpu nested=on|off to the CPU argument to enable nested support for Microsoft Hypervisor. By default it is enabled for both KVM and MSHV. Signed-off-by: Muminul Islam <[email protected]>
russell-islam
force-pushed
the
muislam/mshv-nested-feature
branch
from
17fe8ed to
d84129a
Compare
docs/cpu.md
Outdated
| running containerized workloads that require virtualization features within the | ||
| guest OS. | ||
|
|
||
| Note that nested virtualization may impact performance and should only be enabled |
There was a problem hiding this comment.
What evidence do you have that an Ln VM has worse performance on KVM when nested is turned on vs off? I know that Ln+1 is probably going to peform worse than Ln.
There was a problem hiding this comment.
One layer of virtualization may impact performance, not? I can remove this statement at all.
There was a problem hiding this comment.
But that's not what your saying in this paragraph - you're saying that the performance of this layer is affected. I acknowledge that higher layers will have worse performance but I don't have evidence that setting the CPUID fields to enable nesting on this layer will affect this layer.
There was a problem hiding this comment.
I think this whole section is too editorialised. It can simply be "Enable nested virtualization (default on). Nested virtualization is needed to access hardware virtualization by this guest. This option can only be changed on x86-64."
There was a problem hiding this comment.
Updated. Thank you
russell-islam
force-pushed
the
muislam/mshv-nested-feature
branch
from
d84129a to
a92eb90
Compare
rbradford
changed the title
This patch connects the VMM and hypervisor to fully enable nested support for MSHV. Signed-off-by: Muminul Islam <[email protected]>
User can now disable nested virtualization for Intel and AMD if configured by the CLI. Signed-off-by: Muminul Islam <[email protected]>
This patch updates the documentation to reflect the newly added nested CPU feature option in the CLI. Signed-off-by: Muminul Islam <[email protected]>
russell-islam
force-pushed
the
muislam/mshv-nested-feature
branch
from
a92eb90 to
a5e7e7b
Compare
rbradford
left a comment
rbradford
left a comment
There was a problem hiding this comment.
Thank you for your patience on this PR! We do need to be especially careful with adding APIs and things could affect our defaults.
5fb50ed
Thank you @rbradford for all your effort on this. Your thorough review was very helpful and some learning for me. |
github-project-automation
bot
moved this from 🆕 New
to ✅ Done
in Cloud Hypervisor Roadmap
6 participants
No description provided.