Skip to content

fix(prepare): keep KVM nested virtualization enabled#61

Merged
Aleksei Sviridkin (lexfrei) merged 1 commit into
mainfrom
fix/restore-nested-virt
Jul 9, 2026
Merged

fix(prepare): keep KVM nested virtualization enabled#61
Aleksei Sviridkin (lexfrei) merged 1 commit into
mainfrom
fix/restore-nested-virt

Conversation

@lexfrei

Copy link
Copy Markdown
Contributor

Summary

Restores KVM nested virtualization on hosts prepared by the example playbooks. Today the playbooks write /etc/modprobe.d/cozystack-kvm-nested.conf with options kvm_intel nested=0 and options kvm_amd nested=0 whenever KubeVirt is enabled, so every generic-Linux node loses nested virtualization by default.

The mechanism is not the problem. On a general-purpose Linux distribution kvm_intel and kvm_amd are loadable modules, so a modprobe.d drop-in genuinely takes effect when the module loads. The default is the problem. Nested virtualization is a capability real workloads depend on — running a hypervisor, a nested Kubernetes cluster, or an OS installer inside a VM — and turning it off for everyone withdraws that capability from every host the playbooks touch. The opt-out variable only helps operators who already know the drop-in exists.

CVE-2026-53359 and the closely related CVE-2026-46113 are use-after-free bugs in the KVM x86 shadow-paging MMU, and both are fixed in the kernel. A kernel needs both upstream patches to be fully covered. The fixes shipped in the stable kernels released on 2026-07-04 — 7.1.3, 6.18.38, 6.12.95, 6.6.144, 6.1.177, 5.15.211, 5.10.260 — and in every later release on those branches, which are cumulative. Distributions maintaining their own backported kernels carry the same fixes in their patched packages. Running a current kernel is the remedy; taking a supported feature away from every user is not.

Changes

  • Drop the /etc/modprobe.d/cozystack-kvm-nested.conf drop-in and its companion removal task from examples/rhel/prepare-rhel.yml, examples/suse/prepare-suse.yml, and examples/ubuntu/prepare-ubuntu.yml.
  • Drop the sysfs read-back and the reboot-required warning that existed only to report on the mitigation.
  • Drop the cozystack_disable_kvm_nested variable. Nested virtualization is left at the kernel's own default.

Test plan

  • ansible-lint passes
  • ansible-test sanity passes
  • Tested on a live cluster (describe environment)
  • Idempotency verified (second run: changed=0)

The two unchecked boxes need a live host. This change only deletes tasks, returning the three playbooks to a byte-identical copy of their last released state, so the remaining coverage is the lint, sanity, and unit suites plus the existing E2E job.

The prepare playbooks dropped /etc/modprobe.d/cozystack-kvm-nested.conf
with `options kvm_intel nested=0` and `options kvm_amd nested=0` on
every host that enables KubeVirt, turning nested virtualization off by
default.

Nested virtualization is a capability real workloads depend on: running
a hypervisor, a nested Kubernetes cluster, or an OS installer inside a
VM. Switching it off for everyone withdraws that capability from every
host the playbooks touch, and the opt-out variable only helps operators
who already know the drop-in exists.

CVE-2026-53359 and the closely related CVE-2026-46113 are use-after-free
bugs in the KVM x86 shadow-paging MMU. Both are fixed upstream, and a
kernel needs both patches to be fully covered. The fixes landed in the
stable kernels released on 2026-07-04 -- 7.1.3, 6.18.38, 6.12.95,
6.6.144, 6.1.177, 5.15.211, 5.10.260 -- and in every later release on
those branches, which are cumulative. Updating the host kernel is the
remedy; taking a supported feature away from all users is not.

Signed-off-by: Aleksei Sviridkin <f@lex.la>
@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@lexfrei, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 25 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: acc24c89-331f-428c-9d5a-ff23723aba3e

📥 Commits

Reviewing files that changed from the base of the PR and between 52d637e and 1216e8f.

📒 Files selected for processing (3)
  • examples/rhel/prepare-rhel.yml
  • examples/suse/prepare-suse.yml
  • examples/ubuntu/prepare-ubuntu.yml
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/restore-nested-virt

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request removes the tasks that disable KVM nested virtualization (CVE-2026-53359 mitigation) from the RHEL, SUSE, and Ubuntu Ansible playbooks. The reviewer notes that simply deleting these tasks will leave the /etc/modprobe.d/cozystack-kvm-nested.conf configuration file on already-prepared hosts. To avoid orphaned configurations, it is recommended to explicitly add a task to ensure this file is removed.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

I am having trouble creating individual review comments. Click here to see my feedback.

examples/rhel/prepare-rhel.yml (480-498)

medium

Since the playbook previously wrote /etc/modprobe.d/cozystack-kvm-nested.conf to disable nested virtualization, simply removing the task that writes it will leave the file on already-prepared hosts. To ensure nested virtualization is actually restored on existing hosts, we should explicitly remove this configuration file.

    - name: Remove KVM nested-virt drop-in
      ansible.builtin.file:
        path: /etc/modprobe.d/cozystack-kvm-nested.conf
        state: absent

examples/suse/prepare-suse.yml (454-472)

medium

Since the playbook previously wrote /etc/modprobe.d/cozystack-kvm-nested.conf to disable nested virtualization, simply removing the task that writes it will leave the file on already-prepared hosts. To ensure nested virtualization is actually restored on existing hosts, we should explicitly remove this configuration file.

    - name: Remove KVM nested-virt drop-in
      ansible.builtin.file:
        path: /etc/modprobe.d/cozystack-kvm-nested.conf
        state: absent

examples/ubuntu/prepare-ubuntu.yml (688-706)

medium

Since the playbook previously wrote /etc/modprobe.d/cozystack-kvm-nested.conf to disable nested virtualization, simply removing the task that writes it will leave the file on already-prepared hosts. To ensure nested virtualization is actually restored on existing hosts, we should explicitly remove this configuration file.

    - name: Remove KVM nested-virt drop-in
      ansible.builtin.file:
        path: /etc/modprobe.d/cozystack-kvm-nested.conf
        state: absent

@lexfrei Aleksei Sviridkin (lexfrei) merged commit 9053819 into main Jul 9, 2026
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant