
Re: What belongs in the Debian cloud kernel?



On 02/04/2020 at 22:52, Noah Meyerhans wrote:
> On Thu, Apr 02, 2020 at 10:55:16AM -0700, Ross Vandegrift wrote:
>> I don't think just saying "yes" automatically is the best approach.  But
>> I'm not sure we can come up with a clear set of rules.  Evaluating the
>> use cases will involve judgment calls about size vs functionality.  I
>> guess I think that's okay.
> 
> You certainly may be right.  I wasn't able to convince myself either
> way, which is why I posted for additional opinions.
> 
>> The first two bugs are about nested virtualization.  I like the idea of
>> deciding to support that or not.  I don't know much about nested virt,
>> so I don't have a strong opinion.  It seems pretty widely supported on
>> our platforms.  I don't know if it raises performance or security
>> concerns.  So these seem okay to me, as long as we decide to support
>> nested virt, and there aren't major cons that I'm unaware of.
> 
> IMO nested virtualization is not something I'd want to see in a
> "production" environment.  Hardware-assisted isolation between VMs is
> critical for hosting mixed-trust workloads (e.g. VMs owned and
> controlled by unrelated parties without a mutual trust relationship).
> Current hardware virtualization extensions, e.g. Intel VTx, only have a
> concept of a single level of virtualization.  Nested virtualization is
> implemented by trapping and emulating the CPU extensions, and by doing a
> bunch of mapping of nested guest state to allow it to effectively run as
> a peer VM of the parent guest in hardware.  Some details at [1].  So not
> only is it painfully complex, but it's also quite slow.
> 
> This is not to say that there aren't any legitimate use cases for nested
> virtualization.  Only that I'm not sure it's something we want to be
> optimizing for.

Nested virtualization makes practical sense if the host is passing the
corresponding CPU feature from host to guest.

Do we know which cloud providers support that?
egrep '(vmx|svm)' /proc/cpuinfo in a cloud instance can give the answer.

IIRC Digital Ocean and AWS have it, but for instance Vultr does not.

Personally I am a user of nested virtualization, for building images
with packer in the cloud, but I am absolutely fine with having to
install the standard kernel to get access to something like vhost-scsi
for instance.

Emmanuel

-- 
You know an upstream is nice when they even accept m68k patches.
  - John Paul Adrian Glaubitz, Debian OpenJDK maintainer
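The flag check Emmanuel describes, written out as a small script. This is an added example, not code from the thread or from the Debian cloud team; it assumes only the standard Linux /proc/cpuinfo layout, where the "flags" line carries "vmx" (Intel) or "svm" (AMD) for hardware virtualization extensions and "hypervisor" when the kernel itself runs as a guest. The cpuinfo excerpts it feeds itself are constructed samples; point it at /proc/cpuinfo on a real instance to see what the provider exposes.

```shell
#!/bin/sh
# Added example (not from the original thread). Reports whether an instance's
# CPU exposes hardware virtualization extensions (vmx on Intel, svm on AMD),
# i.e. whether the host passes the feature through to the guest, which is the
# precondition for running KVM guests inside the instance (nested virt).
# FILE arguments default to /proc/cpuinfo; a path may be given so the check
# can run offline against constructed samples.

# cpu_flags [FILE]: print the flags of the first CPU listed, one per line.
cpu_flags() {
    grep '^flags' "${1:-/proc/cpuinfo}" 2>/dev/null | head -n 1 | cut -d: -f2- | tr ' ' '\n'
}

# has_flag FLAG [FILE]: succeed if FLAG is present as a whole word.
# Whole-word matching matters: a plain egrep for "svm" would also accept
# unrelated flags such as "svm_lock".
has_flag() {
    cpu_flags "$2" | grep -qx "$1"
}

# virt_ext_flag [FILE]: print "vmx", "svm" or "none" (exit status 1 for none).
virt_ext_flag() {
    if has_flag vmx "$1"; then echo vmx
    elif has_flag svm "$1"; then echo svm
    else echo none; return 1
    fi
}

# nested_capable_guest [FILE]: succeed only when the CPU reports both the
# "hypervisor" flag (the kernel is running as a guest) and a virtualization
# extension (the host passed it through). On bare metal, vmx/svm alone means
# ordinary KVM, not nesting, so that case deliberately fails here.
nested_capable_guest() {
    has_flag hypervisor "$1" && virt_ext_flag "$1" >/dev/null
}

# write_sample FLAGS: write a constructed cpuinfo excerpt and print its path.
write_sample() {
    f=$(mktemp)
    printf 'processor\t: 0\nvendor_id\t: ConstructedSample\nflags\t\t: %s\n' "$1" > "$f"
    echo "$f"
}

# report [FILE]: one-line human-readable summary for an instance.
report() {
    file="${1:-/proc/cpuinfo}"
    printf '%s: virt ext=%s, ' "$file" "$(virt_ext_flag "$file" || true)"
    if nested_capable_guest "$file"; then
        echo "guest with nested-virt support exposed"
    else
        echo "no nested-virt support exposed"
    fi
}

# Demo on constructed samples; run `report /proc/cpuinfo` on a real instance.
report "$(write_sample 'fpu vme de vmx sse4_2 hypervisor')"       # exposed
report "$(write_sample 'fpu vme de svm_lock sse4_2 hypervisor')"  # not exposed
report "$(write_sample 'fpu vme de vmx sse4_2')"                  # bare metal
```

Note that a positive result only says the CPU feature is visible; whether the instance's KVM module has nesting enabled is a separate setting in the guest kernel, and the thread's point stands that a guest can expose this flag while the provider's hypervisor is still emulating it slowly.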
