fix(prepare): keep KVM nested virtualization enabled#61
Conversation
The prepare playbooks dropped /etc/modprobe.d/cozystack-kvm-nested.conf with `options kvm_intel nested=0` and `options kvm_amd nested=0` on every host that enables KubeVirt, turning nested virtualization off by default. Nested virtualization is a capability real workloads depend on: running a hypervisor, a nested Kubernetes cluster, or an OS installer inside a VM. Switching it off for everyone withdraws that capability from every host the playbooks touch, and the opt-out variable only helps operators who already know the drop-in exists. CVE-2026-53359 and the closely related CVE-2026-46113 are use-after-free bugs in the KVM x86 shadow-paging MMU. Both are fixed upstream, and a kernel needs both patches to be fully covered. The fixes landed in the stable kernels released on 2026-07-04 -- 7.1.3, 6.18.38, 6.12.95, 6.6.144, 6.1.177, 5.15.211, 5.10.260 -- and in every later release on those branches, which are cumulative. Updating the host kernel is the remedy; taking a supported feature away from all users is not. Signed-off-by: Aleksei Sviridkin <f@lex.la>
|
Warning Review limit reached
Next review available in: 25 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (3)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Code Review
This pull request removes the tasks that disable KVM nested virtualization (CVE-2026-53359 mitigation) from the RHEL, SUSE, and Ubuntu Ansible playbooks. The reviewer notes that simply deleting these tasks will leave the /etc/modprobe.d/cozystack-kvm-nested.conf configuration file on already-prepared hosts. To avoid orphaned configurations, it is recommended to explicitly add a task to ensure this file is removed.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
I am having trouble creating individual review comments. Click here to see my feedback.
examples/rhel/prepare-rhel.yml (480-498)
Since the playbook previously wrote /etc/modprobe.d/cozystack-kvm-nested.conf to disable nested virtualization, simply removing the task that writes it will leave the file on already-prepared hosts. To ensure nested virtualization is actually restored on existing hosts, we should explicitly remove this configuration file.
- name: Remove KVM nested-virt drop-in
ansible.builtin.file:
path: /etc/modprobe.d/cozystack-kvm-nested.conf
state: absentexamples/suse/prepare-suse.yml (454-472)
Since the playbook previously wrote /etc/modprobe.d/cozystack-kvm-nested.conf to disable nested virtualization, simply removing the task that writes it will leave the file on already-prepared hosts. To ensure nested virtualization is actually restored on existing hosts, we should explicitly remove this configuration file.
- name: Remove KVM nested-virt drop-in
ansible.builtin.file:
path: /etc/modprobe.d/cozystack-kvm-nested.conf
state: absentexamples/ubuntu/prepare-ubuntu.yml (688-706)
Since the playbook previously wrote /etc/modprobe.d/cozystack-kvm-nested.conf to disable nested virtualization, simply removing the task that writes it will leave the file on already-prepared hosts. To ensure nested virtualization is actually restored on existing hosts, we should explicitly remove this configuration file.
- name: Remove KVM nested-virt drop-in
ansible.builtin.file:
path: /etc/modprobe.d/cozystack-kvm-nested.conf
state: absent
Summary
Restores KVM nested virtualization on hosts prepared by the example playbooks. Today the playbooks write
/etc/modprobe.d/cozystack-kvm-nested.confwithoptions kvm_intel nested=0andoptions kvm_amd nested=0whenever KubeVirt is enabled, so every generic-Linux node loses nested virtualization by default.The mechanism is not the problem. On a general-purpose Linux distribution
kvm_intelandkvm_amdare loadable modules, so amodprobe.ddrop-in genuinely takes effect when the module loads. The default is the problem. Nested virtualization is a capability real workloads depend on — running a hypervisor, a nested Kubernetes cluster, or an OS installer inside a VM — and turning it off for everyone withdraws that capability from every host the playbooks touch. The opt-out variable only helps operators who already know the drop-in exists.CVE-2026-53359 and the closely related CVE-2026-46113 are use-after-free bugs in the KVM x86 shadow-paging MMU, and both are fixed in the kernel. A kernel needs both upstream patches to be fully covered. The fixes shipped in the stable kernels released on 2026-07-04 — 7.1.3, 6.18.38, 6.12.95, 6.6.144, 6.1.177, 5.15.211, 5.10.260 — and in every later release on those branches, which are cumulative. Distributions maintaining their own backported kernels carry the same fixes in their patched packages. Running a current kernel is the remedy; taking a supported feature away from every user is not.
Changes
/etc/modprobe.d/cozystack-kvm-nested.confdrop-in and its companion removal task fromexamples/rhel/prepare-rhel.yml,examples/suse/prepare-suse.yml, andexamples/ubuntu/prepare-ubuntu.yml.cozystack_disable_kvm_nestedvariable. Nested virtualization is left at the kernel's own default.Test plan
ansible-lintpassesansible-test sanitypassesThe two unchecked boxes need a live host. This change only deletes tasks, returning the three playbooks to a byte-identical copy of their last released state, so the remaining coverage is the lint, sanity, and unit suites plus the existing E2E job.