KVM is a virtualization technology that’s integrated into the Linux kernel. A system with KVM enabled can act as a type-1 hypervisor, provided the processor supports it.
KVM can be used to create nested virtual machines on compatible hardware. This lets you create VMs inside VMs to accommodate more complex use cases. Consider a virtualized development environment that runs on your host. You might need to run virtual device emulators within that environment, nested two levels deep from the bare metal hardware.
This article will show you how to set up nested KVM virtualization and test that it’s working. Before continuing, check you’ve got a functioning KVM installation available and that you’re familiar with creating new KVM virtual machines.
Checking Whether Nested Virtualization Is Enabled
Nested virtualization is supported by most modern processor families that offer hardware virtualization. You can check whether nesting is already enabled on your hypervisor by using the cat command to read one of the following paths, depending on whether you’ve got an Intel or AMD system:
# Intel
$ cat /sys/module/kvm_intel/parameters/nested

# AMD
$ cat /sys/module/kvm_amd/parameters/nested
The output should be either Y or N. Y means you’re good to go – nested virtualization is already turned on. You can skip down to the “Activating Nested Virtualization For a Guest” section below. If you see N in your terminal, it’s time to enable nesting in KVM’s kernel module.
Enabling Nested Virtualization
Nesting is controlled by a KVM kernel module parameter. You can change the parameter by editing /etc/modprobe.d/qemu-system-x86.conf. On some systems, this file may have a different name.
You’ll probably see a single line similar to one of these:
options kvm_intel
options kvm_intel nested=0
options kvm_amd
options kvm_amd nested=0
Any one of these variants means KVM is active but nesting is disabled.
To enable nesting, simply add or change the nested parameter so it has 1 as its value:
# Intel systems only
options kvm_intel nested=1

# AMD systems only
options kvm_amd nested=1
Next you need to reload the KVM kernel module to apply your change. You should stop any running virtual machines before you do this.
# Unload the module
$ sudo modprobe -r kvm_intel

# Reload the module with new settings
$ sudo modprobe kvm_intel

Use kvm_amd instead of kvm_intel if you have an AMD processor.
Now repeat the command from earlier to check whether nesting is enabled. You should get Y as the output.
# Intel
$ cat /sys/module/kvm_intel/parameters/nested
Y

# AMD
$ cat /sys/module/kvm_amd/parameters/nested
Y
This method permanently enables nested virtualization. It will persist across reboots until you remove nested=1 from the KVM module’s parameters.
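The host-side check and fix described above, wrapped into a small script. This is an added example rather than code from the original article; it assumes a Linux host with /proc/cpuinfo and the kvm_intel or kvm_amd module loaded, and it accepts both the Y/N spelling shown above and the 1/0 form that the kvm_amd module reports on many kernels.

```shell
#!/bin/sh
# Added example, not from the original article: report whether nested KVM is
# enabled on this host and print the modprobe fix if it is not.
set -u

# Choose the KVM vendor module from the cpuinfo flags (vmx = Intel, svm = AMD).
# Takes a cpuinfo-style file path so it can be run against a captured copy.
detect_kvm_module() {
    if grep -qw vmx "$1"; then
        echo kvm_intel
    elif grep -qw svm "$1"; then
        echo kvm_amd
    else
        return 1
    fi
}

# Normalize the sysfs value. kvm_intel exposes nested as a bool (Y/N) while
# kvm_amd exposes it as an int (1/0), so accept both spellings.
nested_state() {
    case "$(printf '%s' "$1" | tr -d '[:space:]')" in
        Y|y|1) echo enabled ;;
        N|n|0) echo disabled ;;
        *)     echo unknown; return 1 ;;
    esac
}

# The /etc/modprobe.d line that turns nesting on for the given module.
modprobe_options_line() {
    printf 'options %s nested=1\n' "$1"
}

# Read the live parameter and say what to do next.
check_host_nesting() {
    module=$(detect_kvm_module /proc/cpuinfo) || {
        echo "no vmx/svm flag in /proc/cpuinfo: hardware virtualization unavailable"; return 2; }
    param="/sys/module/$module/parameters/nested"
    [ -r "$param" ] || { echo "$module is not loaded ($param missing)"; return 2; }
    state=$(nested_state "$(cat "$param")") || state=unknown
    echo "$module nested: $state"
    [ "$state" = enabled ] && return 0
    echo "add to /etc/modprobe.d/qemu-system-x86.conf (the file name may differ on your system):"
    modprobe_options_line "$module"
    echo "then stop all VMs and run: sudo modprobe -r $module && sudo modprobe $module"
}

check_host_nesting || true
```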
Activating Nested Virtualization For a Guest
Guest virtual machines can only use nested virtualization when they’re configured with a CPU mode that supports it. The guest needs a CPU definition that exactly matches the physical hardware on your host.
Most guests will work when the CPU mode is set to host-model, which is usually the default. This means the guest receives a CPU definition that’s similar to your host’s. In some cases you might need to use the host-passthrough mode that exactly passes through all the characteristics of the host CPU.
You can check and change a guest’s CPU type by retrieving its manifest with virsh. First run the virsh command to launch an interactive shell. Then type list --all to retrieve all your VMs:
virsh # list --all
 Id   Name          State
------------------------------
 -    ubuntu22.04   shut off
 -    win10         shut off

Use edit <vm-name> to open the manifest of a named VM:
virsh # edit ubuntu22.04
Within the file, find the line that starts with <cpu mode=. Change it to one of these:
<cpu mode='host-model' check='partial' />
<cpu mode='host-passthrough' check='none' />
Save and close the file, then type exit into the virsh shell to close it. The guest should now be ready to start its own nested guests. Try changing modes if there seems to be a problem.
Checking a Guest Can Nest
Most operating systems can tell you whether they can create a VM. Run the following command within your VM to check whether a Linux guest has access to virtualization:
cat /proc/cpuinfo | grep -E "svm|vmx"
Virtualization is available if you get some output with svm or vmx highlighted in red. SVM will show up on AMD machines; VMX appears for Intel.
Now install a virtualization technology within the guest. You should find you can start a new nested VM. Here’s a screenshot showing an Ubuntu virtual machine that is itself running an Alpine guest using nested KVM:
Nested guests come with a few limitations. Some KVM features become unavailable for guests that have started a nested VM. You won’t be able to migrate, save, or load these virtual machines, until the nested VM is stopped.
The actual effect of trying to perform one of these operations is undefined. Some systems could withstand it; others may cause a kernel panic. Always try to shut down your nested guests before performing an operation on VMs above them in the chain.
Nested virtualization provides more power and flexibility. You can sandbox technologies that need their own virtualization to function, such as IDEs that launch device emulators.
Getting nesting to work with KVM is normally straightforward. Any troubleshooting should begin by checking the nested parameter is enabled for your KVM kernel module. After that, check the CPU model assigned to your guest and verify you’re using a compatible second-level hypervisor within the VM.