Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1689216 - A guest with VMX enabled cannot be migrated [NEEDINFO]
Summary: A guest with VMX enabled cannot be migrated
Status: CLOSED DUPLICATE of bug 1559845
Alias: None
Product: Red Hat Enterprise Linux Advanced Virtualization
Classification: Red Hat
Component: qemu-kvm
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: 8.0
Assignee: Paolo Bonzini
QA Contact: Virtualization Bugs
Jiri Herrmann
Depends On:
Blocks: 1689227
TreeView+ depends on / blocked
Reported: 2019-03-15 12:58 UTC by Jiri Denemark
Modified: 2019-04-12 14:11 UTC (History)
12 users (show)

Fixed In Version:
Doc Type: Known Issue
Doc Text:
.The `nested VMX` feature is disabled Currently, using the `nested VMX` host model does not work properly, and has therefore been disabled. This makes it impossible to use nested virtualization on Intel processors. If you require nested VMX, enable it manually by using the following command: # modprobe kvm_intel nested=1 Note that nested virtualization is currently provided as a Technology Preview in RHEL 8, and is therefore not supported.
Clone Of:
: 1689227 (view as bug list)
Last Closed: 2019-04-05 12:20:38 UTC
Type: Bug
Target Upstream Version:
jherrman: needinfo? (pbonzini)

Attachments (Terms of Use)

Description Jiri Denemark 2019-03-15 12:58:27 UTC
Description of problem:

Starting a libvirt domain with host-passthrough (equivalent to -cpu host) or
host-model (a CPU model expanded from "host" via query-cpu-model-expansion is
passed to -cpu) on a host with nested VMX enabled cannot be migrated, saved,
or snapshotted. The domain doesn't even need or want to use VMX.

This is a regression introduced in 3.1.0 by

    commit d98f26073bebddcd3da0ba1b86c3a34e840c0fb8
    Author:     Paolo Bonzini <>
    AuthorDate: Wed Nov 14 10:38:13 2018 +0100
    Commit:     Paolo Bonzini <>
    CommitDate: Tue Nov 27 15:06:14 2018 +0100

        target/i386: kvm: add VMX migration blocker

        Nested VMX does not support live migration yet.  Add a blocker
        until that is worked out.

        Nested SVM only does not support it, but unfortunately it is
        enabled by default for -cpu host so we cannot really disable it.

        Signed-off-by: Paolo Bonzini <>

Unfortunately, VMX is automatically enabled for -cpu host too. The only
difference between SVM and VMX is that kvm_amd automatically enabled nested,
while it has to be enabled manually for kvm_intel.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. modprobe -r kvm_intel
2. modprobe kvm_intel nested=1
3. /usr/libexec/qemu-kvm -cpu host -qmp stdin
4. {"execute":"qmp_capabilities"}
5. {"execute":"migrate","arguments":{"uri":"tcp://localhost:1234"}}

Alternatively via libvirt:
1. start a domain with either host-passthrough or host-model CPU
2. virsh managedsave $DOM

Actual results:

{"error": {"class": "GenericError", "desc": "Nested VMX virtualization does not support live migration yet"}}

or a corresponding libvirt error:

internal error: unable to execute QEMU command 'migrate': Nested VMX virtualization does not support live migration yet

Additional info:

Openstack uses host-model CPUs by default so it's just a matter of someone
enabled nested on the host and all VMs are doomed.

Comment 1 Paolo Bonzini 2019-03-15 13:01:03 UTC
It's intended. The workaround is to disable nested if they are not using it; it will be fixed in 8.1.

Comment 2 Paolo Bonzini 2019-03-15 13:07:48 UTC
<jdenemar> bonzini: if we want to keep the check in I think we should make sure vmx is not added to -cpu host unless non-migratable features are requested

Comment 7 Paolo Bonzini 2019-04-05 12:20:38 UTC
Done. Jiri (Herrman), this needs release notes.

*** This bug has been marked as a duplicate of bug 1559845 ***

Note You need to log in before you can comment on or make changes to this bug.