Manage the nested virtualization constraint (original) (raw)

Linux

This document describes how to check whether nested virtualization is enabled, and how to modify the boolean constraint that controls whether nested virtualization is enabled for your organization, project, or folder.

A boolean constraint within an organization policy determines whether you can create nested VMs. The boolean constraint for nested virtualization is a restriction, which means that when it's enforced, it tells the organization policy to restrict the creation of nested VMs. Enforcing this constraint prevents Compute Engine from exposing virtualization extensions to VMs (L1 VMs). This means that while you can still create L1 VMs with configurations that enable nested virtualization, you can't run any nested VMs (L2 VMs) on those L1 VMs. For more information about boolean constraints, see Understanding constraints.

The Disable VM nested virtualization constraint is not enforced by default, so you do not have to modify any boolean constraint to enable nested virtualization. Even so, Google recommends explicitly setting the value of the constraint so that your organization, folders, and projects don't rely on the default setting. If your project is not subordinate to an organization, the constraint is not enforced by default and you can't change the constraint.

Before you begin

• If you haven't already, set up authentication. Authentication verifies your identity for access to Google Cloud services and APIs. To run code or samples from a local development environment, you can authenticate to Compute Engine by selecting one of the following options:
  Select the tab for how you plan to use the samples on this page:

Check whether nested virtualization is allowed

Permissions required for this task

To perform this task, you must have the followingpermissions:

• orgpolicy.policy.get on the organization, folder, or project

Check whether nested virtualization is allowed for an organization, folder, or project by using the Google Cloud console, the Google Cloud CLI, or REST.

Console

Check whether you can create nested VMs in your organization, folder, or project by checking if the boolean constraint for disabling nested virtualization is not enforced. If the Disable VM nested virtualizationconstraint is not enforced by the organization policy, then you can create nested VMs.

1. In the Google Cloud console, go to the Organization policies page.
   Go to Organization policies
2. In the organization, folder, and project selector, select the entity to view the organization policies for.
3. Select the Disable VM nested virtualization constraint to open thePolicy details page.
4. View the value for Enforcement:
   • If the value is Not enforced, then nested virtualization is enabled, and you can create nested VMs.
   • If the value is Enforced, then nested virtualization is disabled, and you can't create nested VMs.

gcloud

Check the value of the compute.disableNestedVirtualization boolean constraint by using the gcloud resource-manager org-policies describecommand.

If the Google Cloud CLI output does not show a value for booleanPolicy, then nested virtualization is allowed and you can create nested VMs.

If the Google Cloud CLI output value for booleanPolicy is enforced: true, then the organization policy is enforcing the disable nested virtualization constraint and you can't create nested VMs.

gcloud resource-manager org-policies
describe constraints/compute.disableNestedVirtualization
(--organization=ORGANIZATION_ID | --folder=FOLDER_ID | --project=PROJECT_ID) --effective

Replace exactly one of the following:

• ORGANIZATION_ID: the ID of the organization to get the constraint value of. For a list of accessible organizations and their IDs, run the gcloud organizations listcommand.
• FOLDER_ID: the ID of the folder to get the constraint value of. For a list of accessible folders and their IDs, run thegcloud resource-manager folders listcommand.
• PROJECT_ID: the ID of the project to get the constraint value of. For a list of accessible projects and their IDs, run the gcloud projects list command.

REST

Use REST to check the value of thecompute.disableNestedVirtualization boolean constraint, which determines whether you can create nested VMs in your organization, folder, or project.

If the REST response doesn't return a value for "booleanPolicy"for the constraint, then nested virtualization is not disabled and you can create nested VMs.

If the value for "booleanPolicy" in the output is "enforced": true, then nested virtualization is disabled and you can't create nested VMs.

POST https://cloudresourcemanager.googleapis.com/v1/RESOURCE/RESOURCE_ID:getOrgPolicy

{ "constraint": "compute.disableNestedVirtualization" }

Replace the following:

• RESOURCE: the resource to get the organization policy for. Set to one of the following:
  • organizations: calls theorganizations.getOrgPolicy method
  • folders: calls the folders.getOrgPolicymethod
  • projects: calls the projects.getOrgPolicymethod
• RESOURCE_ID: the organization, folder, or project on which to check the status of the disable nested virtualization constraint

From within a Linux VM, you can run the command grep -c vmx /proc/cpuinfo to check if virtualization extensions are available to the VM. If this command returns 0, virtualization extensions aren't available and you can't run nested VMs. One reason for this might be because the Disable VM nested virtualization constraint is enforced by an organization policy. If you attempt to start a nested VM by using KVM, you might see an error message similar to the following: Could not access KVM kernel module: No such file or directory.

Modify the nested virtualization organization policy

Permissions required for this task

To perform this task, you must have the followingpermissions:

• orgpolicy.policy.get on the organization, folder, or project
• orgpolicy.policy.set on the organization, folder, or project

If you have the appropriate role, you can control whether an organization, folder, or project can create nested VMs. Control this enforcement by using the boolean constraint for nested virtualization.

Use the Google Cloud console, the Google Cloud CLI, or REST to enable nested virtualization for an organization, folder, or project.

Console

To enable nested virtualization, disable the enforcement of the Disable VM nested virtualization boolean constraint, and to disable nested virtualization, enable the enforcement of the boolean constraint.

1. In the Google Cloud console, go to the Organization policies page.
   Go to Organization policies
2. In the organization, folder, and project selector, select the entity to edit the organization policies for.
3. Select the Disable VM nested virtualization constraint to open thePolicy details page.
4. Click Edit, then select Customize.
5. Under Enforcement, select one of the following enforcement options for the Disable VM nested virtualization boolean constraint:
   • On: enable enforcement and disable nested virtualization
   • Off: disable enforcement and enable nested virtualization
6. Click Save.

gcloud

Use the gcloud resource-manager org-policiescommand to enable or disable enforcement of the compute.disableNestedVirtualization organization policy boolean constraint.

If you disable the compute.disableNestedVirtualization constraint by using the disable-enforce command, then you can create VMs that have nested virtualization enabled.

If you enable the constraint by using the enable-enforce command, then you can't create VMs that have nested virtualization enabled.

gcloud resource-manager org-policies
( disable-enforce | enable-enforce ) compute.disableNestedVirtualization
(--organization=ORGANIZATION_ID | --folder=FOLDER_ID | --project=PROJECT_ID)

Replace exactly one of the following:

• ORGANIZATION_ID: the ID of the organization to modify the constraint value of. For a list of accessible organizations and their IDs, run the gcloud organizations listcommand.
• FOLDER_ID: the ID of the folder to modify the constraint value of. For a list of accessible folders and their IDs, run thegcloud resource-manager folders listcommand.
• PROJECT_ID: the ID of the project to modify the constraint value of. For a list of accessible projects and their IDs, run the gcloud projects list command.

REST

Use REST to modify the value of thecompute.disableNestedVirtualization boolean constraint, which determines whether you can create nested VMs in your organization, folder, or project.

POST https://cloudresourcemanager.googleapis.com/v1/RESOURCE/RESOURCE_ID:setOrgPolicy

{ "policy": { "booleanPolicy": { "enforced": ENFORCE }, "constraint": "constraints/compute.disableNestedVirtualization" } }

Replace the following:

• RESOURCE: the resource to modify the organization policy of. Set this to one of the following:
  • organizations: calls theorganizations.setOrgPolicy method
  • folders: calls the folders.setOrgPolicymethod
  • projects: calls the projects.setOrgPolicymethod
• RESOURCE_ID: the organization, folder, or project on which to check the status of the disable nested virtualization constraint
• ENFORCE: determines whether the organization policy enforces the compute.disableNestedVirtualization boolean constraint. Set to one of the following:
  • true: to enforce the constraint. With this setting you can't create VMs that have nested virtualization enabled.
  • false: to not enforce the constraint. With this setting, you can create VMs that have nested virtualization enabled.

What's next

• Enable nested virtualization on a VM
• Troubleshoot nested virtualization