Troubleshooting nested virtualization

Google runs basic nested virtualization boot and integration tests using specific Linux distributions and kernel/KVM versions, and those tests follow a specific procedure. Before reporting an issue as a bug, reproduce it under the same conditions:

  1. Use one of the tested operating systems on the Compute Engine instance that hosts your nested virtual machine (VM) instances. For a list of tested operating systems, see Tested operating systems.

  2. Use one of the standard procedures for creating a nested VM. For more information, see Creating nested VMs.

Can't start nested VM

If your project is part of an organization, your organization might have disabled the ability to create VMs with nested virtualization. Make sure that nested virtualization is allowed before you try to create a VM that has nested virtualization enabled.

Processor not displaying nested virtualization

If the grep -c vmx /proc/cpuinfo command returns 0, the VM does not expose the VMX CPU flag and is not enabled for nesting. Make sure that you started your VM with a CPU platform of Haswell or later. For more information, see Nested virtualization overview.
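The following shell function is an added example, not part of the Google Cloud page. It wraps the same vmx check as the grep command above and additionally verifies that the KVM device node exists on the host VM, so the two most common causes ("no VMX flag" versus "flag present but kvm_intel not loaded") produce distinct return codes. The file paths are parameters only so the check can be run against a sample cpuinfo file; on a real host, call it with no arguments.

```shell
#!/bin/sh
# Added example (not from the Google Cloud page): check whether a host VM
# exposes the VMX CPU flag and the KVM device that nested VMs need.
# Usage: check_nested_virt [cpuinfo_path] [kvm_device_path]
# Return codes: 0 = both prerequisites met,
#               1 = vmx flag missing (wrong CPU platform),
#               2 = vmx present but the KVM device node is absent.
check_nested_virt() {
    cpuinfo="${1:-/proc/cpuinfo}"
    kvm_dev="${2:-/dev/kvm}"

    # Same check as the page's `grep -c vmx /proc/cpuinfo`; -w matches vmx
    # only as a whole flag name, not as part of another flag.
    if ! grep -qw vmx "$cpuinfo" 2>/dev/null; then
        echo "vmx flag missing: start the host VM on a Haswell or later CPU platform" >&2
        return 1
    fi

    # The flag alone is not enough: the kernel must also have created /dev/kvm.
    if [ ! -c "$kvm_dev" ]; then
        echo "vmx present but $kvm_dev is missing: the kvm_intel module is not loaded" >&2
        return 2
    fi

    echo "nested virtualization prerequisites satisfied"
    return 0
}

# On the host VM, run:  check_nested_virt ; echo "exit code $?"
```

The test below exercises the function with constructed /proc/cpuinfo contents; /dev/null stands in for an existing character device so the KVM branch can be checked without a real /dev/kvm.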

Can't exit nested VM

If you did not run screen before starting a nested VM session, you can either shut down the nested VM or end its process from another terminal. To shut down the nested VM, run the poweroff command from within the nested VM. Alternatively, log into the host VM in another terminal and end the nested VM's process, then run screen on the host VM before you start a new nested VM.

iptables not forwarding traffic

  • iptables evaluates rules from top to bottom and the first matching rule wins. Make sure your forwarding rules come before any other rules that could match the same packets.
  • Check that there are no conflicting rules intercepting your packets.
  • Consider flushing your iptables:

    1. First, set the default policies to ACCEPT, so that flushing the chains in the next step does not leave the host unreachable:

      sudo iptables -P INPUT ACCEPT
      sudo iptables -P FORWARD ACCEPT
      sudo iptables -P OUTPUT ACCEPT
      
    2. Next, flush all tables and chains, and delete non-default chains:

      sudo iptables -t nat -F
      sudo iptables -t mangle -F
      sudo iptables -F
      sudo iptables -X
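The following shell function is an added example and not part of the Google Cloud page. It turns the first two bullets above into a check: given the text of sudo iptables -S FORWARD and a substring that identifies your forwarding rule (for example the nested VM's bridge interface), it reports whether an earlier DROP or REJECT rule in the chain would intercept the packets before your rule is reached. The sample listing and the interface names in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the Google Cloud page): detect a forwarding rule
# that is shadowed by an earlier DROP/REJECT rule in the FORWARD chain.
# Usage: forward_rule_order "<output of iptables -S FORWARD>" "<rule pattern>"
# Return codes: 0 = your rule precedes every DROP/REJECT rule,
#               1 = an earlier DROP/REJECT rule intercepts the packets first,
#               2 = no rule matching the pattern exists in the chain.
forward_rule_order() {
    listing="$1"
    pattern="$2"
    printf '%s\n' "$listing" | awk -v pat="$pattern" '
        # Count only rule lines appended to FORWARD; -P and -N lines are skipped.
        /^-A FORWARD/ { n++ }
        # Position of the first rule containing the caller-supplied pattern.
        /^-A FORWARD/ && index($0, pat) && !mine { mine = n }
        # Position of the first terminating DROP/REJECT rule in the chain.
        /^-A FORWARD/ && / -j (DROP|REJECT)/ && !block { block = n }
        END {
            if (!mine) { print "rule not found in FORWARD chain"; exit 2 }
            if (block && block < mine) {
                printf "rule at position %d is shadowed by DROP/REJECT at position %d\n", mine, block
                exit 1
            }
            printf "rule at position %d precedes any DROP/REJECT rule\n", mine
            exit 0
        }'
}

# Constructed sample of `sudo iptables -S FORWARD` with the nested VM's
# bridge rule placed after a REJECT rule that catches the same traffic.
SAMPLE_FORWARD='-P FORWARD DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -o eth0 -j ACCEPT'

# On a real host:  forward_rule_order "$(sudo iptables -S FORWARD)" "-i virbr0"
```

Rule positions reported here are 1-based and correspond to the rule numbers shown by iptables -L FORWARD --line-numbers, so a shadowed rule can be moved ahead with iptables -I FORWARD <position> instead of flushing everything.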