Skip to content

feat: add playbooks for managing KVM nested virt#2415

Open
jackhodgkiss wants to merge 1 commit into
stackhpc/2025.1from
add-kvm-nested-virt-playbooks
Open

feat: add playbooks for managing KVM nested virt#2415
jackhodgkiss wants to merge 1 commit into
stackhpc/2025.1from
add-kvm-nested-virt-playbooks

Conversation

@jackhodgkiss

Copy link
Copy Markdown
Contributor

In response to CVE-2026-53359 1 it is possible to disable nested virtualisation whilst appropriate kernel patches are made available.

The two playbooks can be used to either enable or disable nested virtualisation. Hosts must have nova-compute disabled and empty prior to running these playbooks. See nova-compute-disable.yml and nova-compute-drain.yml playbooks to assist with this.

Ensure that admin-openrc.sh credentials are sourced prior to running the playbooks.

@jackhodgkiss jackhodgkiss self-assigned this Jul 7, 2026
@jackhodgkiss jackhodgkiss requested a review from a team as a code owner July 7, 2026 12:35
@github-actions github-actions Bot added the waiting-review PR is waiting for a review label Jul 7, 2026

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces two new Ansible playbooks to enable or disable KVM nested virtualization on compute hosts, acting as an early mitigation for CVE-2026-53359. The review feedback highlights several critical improvements for both playbooks: handling potential KeyError exceptions when the CPU vendor is unknown by using .get(), stopping the kolla-nova_libvirt-container before attempting to unload the KVM module to prevent locks, and safely defaulting ansible_facts.processor to prevent undefined variable errors in minimal environments.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread etc/kayobe/ansible/maintenance/kvm-disable-nested-virt.yml Outdated
Comment thread etc/kayobe/ansible/maintenance/kvm-enable-nested-virt.yml Outdated
Comment thread etc/kayobe/ansible/maintenance/kvm-disable-nested-virt.yml Outdated
Comment thread etc/kayobe/ansible/maintenance/kvm-enable-nested-virt.yml Outdated
Comment thread etc/kayobe/ansible/maintenance/kvm-disable-nested-virt.yml Outdated
Comment thread etc/kayobe/ansible/maintenance/kvm-enable-nested-virt.yml Outdated
@jackhodgkiss jackhodgkiss force-pushed the add-kvm-nested-virt-playbooks branch 2 times, most recently from bc7e8d7 to 4c6efa6 Compare July 7, 2026 13:29
@jackhodgkiss jackhodgkiss force-pushed the add-kvm-nested-virt-playbooks branch from 4c6efa6 to d3bbdd9 Compare July 7, 2026 15:08

@Alex-Welsh Alex-Welsh left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a few minor tweaks

Comment thread etc/kayobe/ansible/maintenance/kvm-disable-nested-virt.yml Outdated
Comment thread etc/kayobe/ansible/maintenance/kvm-disable-nested-virt.yml Outdated
Comment thread etc/kayobe/ansible/maintenance/kvm-disable-nested-virt.yml Outdated
Comment thread etc/kayobe/ansible/maintenance/kvm-enable-nested-virt.yml Outdated
@github-actions github-actions Bot added waiting-author-response PR is waiting for the author to respond and removed waiting-review PR is waiting for a review labels Jul 7, 2026
In response to CVE-2026-53359 [1] it is possible to disable nested
virtualisation whilst appropriate kernel patches are made available.

The two playbooks can be used to either enable or disable nested
virtualisation. Hosts must have nova-compute disabled and empty prior to
running these playbooks. See `nova-compute-disable.yml` and
`nova-compute-drain.yml` playbooks to assist with this.

Ensure that `admin-openrc.sh` credentials are sourced prior to running
the playbooks.

[1]: https://www.openwall.com/lists/oss-security/2026/07/06/7

Signed-off-by: Jack Hodgkiss <jack@stackhpc.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

waiting-author-response PR is waiting for the author to respond

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants