We recommend that you enable nested virtualization on your host OS or OpenStack compute
node. Nested virtualization is enabled by default on Ubuntu but is
disabled by default on CentOS.
Use the following command to determine if nested virtualization
is enabled on your host OS. The result should be Y.
hostOS# cat /sys/module/kvm_intel/parameters/nested
Y
Note: APIC virtualization (APICv) does not work well with nested
VMs such as those used with KVM. On Intel CPUs that support APICv
(typically v2 models, for example E5 v2 and E7 v2), you must disable
APICv on the host server before deploying vSRX Virtual Firewall.
To enable nested virtualization on the host OS:
- Depending on your host operating system, perform the following:
  - On CentOS, open the /etc/modprobe.d/dist.conf file in your default editor.
    hostOS# vi /etc/modprobe.d/dist.conf
  - On Ubuntu, open the /etc/modprobe.d/qemu-system-x86.conf file in your default editor.
    hostOS# vi /etc/modprobe.d/qemu-system-x86.conf
- Add the following line to the file:
options kvm-intel nested=y enable_apicv=n
- Save the file and reboot the host OS.
- (Optional) After the reboot, verify that nested virtualization
is enabled.
hostOS# cat /sys/module/kvm_intel/parameters/nested
Y
- On Intel CPUs that support APICv (for example, E5 v2
and E7 v2), disable APICv on the host OS.
root@host# sudo rmmod kvm-intel
root@host# sudo sh -c "echo 'options kvm-intel enable_apicv=n' >> /etc/modprobe.d/dist.conf"
root@host# sudo modprobe kvm-intel
- Optionally, verify that APICv is now disabled.
root@host# cat /sys/module/kvm_intel/parameters/enable_apicv
N
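The two verification steps above, combined into one script as an added example (not part of the original documentation): it compares the live values under /sys/module/kvm_intel/parameters with the options lines in /etc/modprobe.d, so a setting that is active but will not survive a reboot, or the reverse, shows up. The function names are hypothetical, and reporting the last occurrence of a repeated parameter is an assumption.

```shell
#!/bin/sh
# Added example: audit KVM nested/APICv settings, runtime vs. persistent.
# Function names are hypothetical. Directories are arguments so the check
# can also be pointed at a constructed test tree.

# kvm_param_runtime PARAM_DIR NAME: print the live value, or "missing".
kvm_param_runtime() {
    if [ -r "$1/$2" ]; then tr -d '[:space:]' < "$1/$2"; else echo missing; fi
}

# kvm_param_persistent MODPROBE_DIR NAME: print the value from
# "options kvm-intel ..." lines in *.conf (kvm_intel spelling accepted too).
# Assumption: when a parameter is set more than once, the last occurrence
# in glob order is reported. Prints "unset" when no line sets it.
kvm_param_persistent() {
    val=$(cat "$1"/*.conf 2>/dev/null | awk -v p="$2" '
        $1 == "options" && ($2 == "kvm-intel" || $2 == "kvm_intel") {
            for (i = 3; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == p) v = kv[2]
            }
        }
        END { if (v != "") print v }')
    echo "${val:-unset}"
}

# Map Y/y/1 and N/n/0 to on/off; pass anything else through unchanged.
norm() {
    case "$1" in [Yy]|1) echo on ;; [Nn]|0) echo off ;; *) echo "$1" ;; esac
}

# kvm_check PARAM_DIR MODPROBE_DIR: return 0 only when nested is on and
# APICv is off both in the running module and in the persistent config.
kvm_check() {
    rc=0
    for spec in nested:on enable_apicv:off; do
        name=${spec%%:*}; want=${spec##*:}
        run=$(norm "$(kvm_param_runtime "$1" "$name")")
        cfg=$(norm "$(kvm_param_persistent "$2" "$name")")
        echo "$name: runtime=$run persistent=$cfg expected=$want"
        [ "$run" = "$want" ] && [ "$cfg" = "$want" ] || rc=1
    done
    return "$rc"
}

# On the host:
#   kvm_check /sys/module/kvm_intel/parameters /etc/modprobe.d
```

A non-zero exit status means at least one of the four values differs from what this procedure sets; the printed lines show which one.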