How good is nested virt on the providers here?

For some time it seemed that providers had a problem enabling nested virtualization on KVM systems, with php-friends one of the first I saw offering it. Has there been a change in the underlying technology that has lowered the barriers to providers enabling it?

I see a few providers like php-friends, greencloudvps, a recent hosthatch offering enable nested virtualization for KVM.

Have any of you guys tried running nested KVM on those to see how good it is?

Comments

  • LowHosting (Member, Host Rep)

    We do enable it by default on every KVM node, I don't see issues with it

    Thanked by 1: k9banger02
  • @LowHosting said:
    We do enable it by default on every KVM node, I don't see issues with it

    Do you or your clients use it well enough to give it a thorough testing?

  • LowHosting (Member, Host Rep)

    @k9banger02 said:

    @LowHosting said:
    We do enable it by default on every KVM node, I don't see issues with it

    Do you or your clients use it well enough to give it a thorough testing?

    Honestly, I don't think many people use it.

    Thanked by 1: k9banger02
  • SmartHost (Member, Patron Provider)

    No issues at all, we enable it on all our nodes, but not many clients seem to utilize it.

    ~ SMARTHOST

    Thanked by 1: k9banger02
  • It's a niche to need it, usually boils down to running Windows or a specific filesystem need.

    Thanked by 1: k9banger02
  • ralf (Member)

    I haven't extensively tested my system under load yet, but I have at least used nested KVMs on most of the VPS I have.

    For me the main use case is that I like to have encrypted routing between nodes set up on the host using wireguard, and then running my apps in isolated KVMs that each have very locked down networking environments enforced by the host, such that even if they were hacked they can't do any real damage to anything else.

    I'm still in the process of setting this up on my VPS, but have been running a similar system on a smaller scale on my dedi and a couple of VPS.

    The plan is to have a bunch of access points using haproxy instances that can only communicate with the outside world via 80/443 that the host DNATs to the haproxy VM. They are also allowed explicit routing out to the web server VMs only on port 8080, and the other web server VMs on the ports needed to sync their databases. The only other open port is SSH, which is only routable from a different subnet.

    SSH access on the host is locked down to only wireguard connections (and then from a specific subnet) on machines where I have access to a virtual console, or by using iptables rules to only allow remote SSH from a handful of external IPs where my only option is to boot to a rescue image if I mess up the networking.

    One of the main reasons for doing it this way is it allows me to have a very consistent setup on every VM, regardless of the provider of the underlying host, and the differences in networking setup (static / DHCP addresses being the main one) can be largely ignored just by installing their base debian template on the host and then installing wireguard and qemu/kvm and doing set-up that's pretty similar across all hosts, just with different IPs.

    Thanked by 1: k9banger02
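An added example, not from ralf's post or from any provider in this thread, of how the host-enforced policy he describes (public 80/443 DNAT'd to the haproxy VM, haproxy allowed to the web VMs only on 8080, web VMs syncing databases among themselves, SSH reachable only over WireGuard from one subnet) could be written as a single nftables ruleset. Interface names, the 10.10.0.0/24 VM subnet, the 10.20.0.0/24 WireGuard subnet, the WireGuard port and the DB sync port are assumed placeholders, and it assumes each VM hangs off its own host-routed tap device so VM-to-VM traffic also passes the host's forward hook.

```shell
#!/bin/sh
# Host-side nftables policy for the layout described above (all values assumed):
#   eth0  public interface of the host
#   wg0   WireGuard mesh; admin subnet 10.20.0.0/24 (constructed)
#   VMs   routed by the host: haproxy 10.10.0.10, web backend 10.10.0.20 (constructed)
# Guests get no network path other than the ones listed here; the host enforces it.
vm_ruleset() {
cat <<'EOF'
flush ruleset
define db_sync_port = 5432   # placeholder: replace with the replication port you use
table inet vmfw {
  chain prerouting {
    type nat hook prerouting priority dstnat; policy accept;
    # Public 80/443 lands on the haproxy VM, nothing else is exposed
    iifname "eth0" tcp dport { 80, 443 } dnat ip to 10.10.0.10
  }
  chain input {
    type filter hook input priority filter; policy drop;
    iifname "lo" accept
    ct state established,related accept
    ct state invalid drop
    # WireGuard handshake from the internet; host SSH only over wg0 from the admin subnet
    iifname "eth0" udp dport 51820 accept
    iifname "wg0" ip saddr 10.20.0.0/24 tcp dport 22 accept
    icmp type echo-request accept
  }
  chain forward {
    type filter hook forward priority filter; policy drop;
    ct state established,related accept
    ct state invalid drop
    # Only the DNAT'd ports reach haproxy from outside
    iifname "eth0" ip daddr 10.10.0.10 tcp dport { 80, 443 } accept
    # haproxy -> web backends on 8080 only
    ip saddr 10.10.0.10 ip daddr 10.10.0.20 tcp dport 8080 accept
    # web VMs -> each other for database sync
    ip saddr 10.10.0.0/24 ip daddr 10.10.0.0/24 tcp dport $db_sync_port accept
    # SSH into VMs only from the admin subnet arriving over the tunnel
    iifname "wg0" ip saddr 10.20.0.0/24 ip daddr 10.10.0.0/24 tcp dport 22 accept
  }
}
EOF
}
# --check parses without loading (nft -c), --apply loads it, no argument prints it.
case "$1" in
  --apply) vm_ruleset | nft -f - ;;
  --check) vm_ruleset | nft -c -f - ;;
  *) vm_ruleset ;;
esac
```

Run it with `--check` first on a host with a console or rescue image available, since a mistake in the input chain locks you out of SSH exactly as the post warns.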