Nested Virtualization of Windows Hyper-V on XCP-ng
- 
 Hello everyone, I am trying to set up a VM with Threat Pursuit:
 https://github.com/fireeye/ThreatPursuit-VM#installation-install-script
 It's a custom open source VM with some utilities for forensics. It is based on Windows and it installs Docker Desktop, which has some issues... I have enabled nested virtualization in Xen Orchestra and followed the info of the error. On another VM with nested virtualization enabled I was able to run a VirtualBox VM inside the VM, so I suppose nested virtualization works. Has anyone faced this issue? Windows 10 VM with Docker Desktop?
- 
 Anyone using Docker Desktop with a Win10 VM?
 No one?
- 
 I am not. Maybe someone in the community, I don't know.
- 
 @alexanderk Hello fellow traveler in the quest to make nested Hyper-V virtualization work on XCP-ng. A few of us have tried without success. At present, ESXi seems to be the champion for running a nested Windows VM with Hyper-V enabled to run all of the cool new Windows features such as containers, Windows Subsystem for Linux V2 (WSL2) etc. in the guest. The success of ESXi to do this was apparently due to collaboration between VMware and Microsoft rather than a lucky break. Nested virtualization on XCP-ng does work for some guest OSes, but so far, the showstopper seems to be that a Windows Hyper-V bus driver won't load in the guest. See this thread: https://xcp-ng.org/forum/topic/4070/uefi-setting-on-vm-for-nested-virtualization?_=1622861000688 I presume this means that the Windows guest is not finding the correct state as presented by the XCP-ng guest VM or some other incompatibility. The upstream Xen code has various CPU mask settings etc. to turn on nested virtualization, but it is not so clear in XenServer or XCP-ng what might fully enable this capability and make Hyper-V happy. Last I checked, Citrix Hypervisor (aka XenServer) only supports nested virtualization for one particular use case with a partner product. If you or somebody else here does get it to work, I'd certainly be interested to hear how. 
- 
 We can always create a detailed bug report on the XCP repo, then we can (from there) try to ask upstream Xen and see what could be done. Obviously, this costs time and effort, so the more the community brings, the higher the probability of getting a result at some point!
- 
 @olivierlambert How can we create this report? I can provide everything from my issue.
- 
 By opening an issue on https://github.com/xcp-ng/xcp and trying to reproduce it on "vanilla" Xen (e.g. any Arch Linux or Debian with a recent version of Xen) with the xl toolstack.
- 
 @olivierlambert @AlexanderK As Olivier requested, I set up a basic Xen Hypervisor configuration using Debian 10.9 (Buster) following the tutorial here https://wiki.xenproject.org/wiki/Xen_Project_Beginners_Guide in my home lab. It took a bit of work since the documentation is outdated and not entirely clear, but I was able to get a basic Windows 10 VM running on that. I then added the nested virtualization parameters from here https://wiki.xenproject.org/wiki/Nested_Virtualization_in_Xen to the VM config file. [Next section edited retrospectively.] Nested Hyper-V installs and all the guest Hyper-V drivers load on the parent Xen platform, but Hyper-V does not activate following the finishing reboot. I have commented the working xl toolstack config file: windows.cfg detailing my findings if you would like me to upload that somewhere. Seems like we need to find out if it is possible to set the cpuid and hap parameters from xe vm-param-set platform:<param>=value in order to flip the appropriate switches in the underlying hypervisor. (There doesn't seem to be a documented way to fully activate the needed support right now from the xe toolstack.) It does look like all of the viridian parameters are available. Viridian exposes various interfaces and features that Hyper-V requires. The cpuid param appears to cause the guest OS to become unaware that it is running on a hypervisor. Please let me know if you'd like me to upload the working xl config file someplace. Nested virtualization was but an interesting parlor trick before, but the architecture of modern Windows is rapidly making it an essential feature for running fully functional Windows VMs. 
- 
 First, thanks for taking time to test it. So did you check with the viridian param if it works on XCP-ng? Obviously, we'd love to document this behavior if it's just an extra param to add on the VM record! About the config file, you might be able to paste it directly here? Otherwise, go for https://paste.vates.fr/
- 
 @xcp-ng-justgreat Can you make a guide? What have you done, and is it working? It will save time and will be really appreciated.
- 
 @olivierlambert @AlexanderK Unfortunately, I could not make it work on XCP-ng. I tried entering the same name/key pairs under the VM platform category, but it does not look like the xe toolstack maps them correctly to the hypervisor. I didn't find documentation for applying them from xe. The success was only realized in Xen hypervisor. 
- 
 Please share the exact key/values you used to make it work on "vanilla" Xen. It could be trivial to "port" it to XCP-ng, but for that we need you to share what you found.
- 
 @olivierlambert @AlexanderK I pasted my xl config file here: https://paste.vates.fr/?449c18ba665cd704#GzDDKa4fui6jqbvG7ssT5TpH7uj8uBVrg7zojpGqYmu7 
- 
 @olivierlambert @AlexanderK One final thing, here is the Xen reference manual link for the xl config file parameters (I learned a lot reading it.) https://xenbits.xen.org/docs/unstable/man/xl.cfg.5.html The outstanding issue appears to be whether or not there is a corresponding setting configurable from the xe toolstack to turn on all of the required parameter/value pairs as implemented by my test configuration on the pure Xen hypervisor. If so, we should then be able to make nested virtualization of Hyper-V work on XCP-ng. 
- 
 As long as we know exactly what's missing, we can fix it  
- 
 @olivierlambert said in Windows 10 Vm and Desktop Docker Issue: "As long as we know exactly what's missing, we can fix it" Can't wait for the fix.
- 
 It's still unclear what parameter is missing on XAPI vs libxl, waiting for more details from @XCP-ng-JustGreat  
- 
 @AlexanderK Can you share the VM record here please? (the one that's nested but doesn't work with Docker). A simple output of xe vm-param-list uuid=<VM UUID> will do it. Just checked the xl config posted by @XCP-ng-JustGreat, and I can already answer for some parameters, but I'd like to check if they are already used or not (e.g. platform:viridian can be set to true if it's not already the case).
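A small helper for the check requested in the post above, added here as an example and not code from the thread or from XCP-ng: it parses the output of xe vm-param-list and reports which of the keys the xl config relies on (nestedhvm, hap, viridian, cpuid) are visible in the VM record's platform map. The sample output is constructed (the UUID and values are made up; the "name ( flags) : value" line layout is the xe format). The mapping of nestedhvm to the platform key exp-nested-hvm follows the XenServer/XCP-ng nested-virtualization switch as I know it, and treating hap and cpuid as having no xe equivalent is an assumption drawn from this thread's findings, not verified against the XAPI source.

```python
"""Parse `xe vm-param-list` output and report which of the platform keys that
the xl config in this thread relies on are present on an XCP-ng VM record.
Added example with constructed sample output; not from the forum posts."""
import re

# Constructed excerpt of `xe vm-param-list uuid=<VM UUID>` output. The UUID and
# values are made up; the "name ( flags) : value" layout is the xe format.
SAMPLE_VM_PARAM_LIST = """\
uuid ( RO)                          : 00000000-0000-0000-0000-000000000001
name-label ( RW)                    : win10-threatpursuit
power-state ( RO)                   : halted
platform (MRW)                      : timeoffset: 0; device-model: qemu-upstream-compat; viridian: true; nx: true; acpi: 1; apic: true; pae: true; hpet: true; exp-nested-hvm: true
HVM-boot-policy ( RW)               : BIOS order
"""

# xl.cfg keys from the thread -> expected platform:<key> names on the XAPI side.
# `viridian` is a real platform key named in the thread; `exp-nested-hvm` is the
# XenServer/XCP-ng nested-virt switch (assumed mapping); hap and cpuid are treated
# as xl-only with no documented platform: equivalent (assumption from the thread).
XL_TO_PLATFORM = {
    "nestedhvm": "exp-nested-hvm",
    "viridian": "viridian",
    "hap": None,
    "cpuid": None,
}

LINE_RE = re.compile(r"^(?P<name>\S+)\s+\(\s*(?P<flags>[A-Z]+)\)\s*:\s*(?P<value>.*)$")


def parse_vm_param_list(text):
    """Return {param-name: value}; map-valued params (flag 'M') become dicts."""
    params = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unexpected lines
        name, flags, value = m.group("name"), m.group("flags"), m.group("value").strip()
        if "M" in flags:
            entries = {}
            for item in value.split(";"):
                item = item.strip()
                if not item:
                    continue
                key, _, val = item.partition(":")
                entries[key.strip()] = val.strip()
            params[name] = entries
        else:
            params[name] = value
    return params


def nested_virt_report(text):
    """For each xl key: ('set', value), ('missing', platform-key) or ('no-xe-equivalent', None)."""
    platform = parse_vm_param_list(text).get("platform", {})
    report = {}
    for xl_key, plat_key in XL_TO_PLATFORM.items():
        if plat_key is None:
            report[xl_key] = ("no-xe-equivalent", None)
        elif plat_key in platform:
            report[xl_key] = ("set", platform[plat_key])
        else:
            report[xl_key] = ("missing", plat_key)
    return report


if __name__ == "__main__":
    for xl_key, (status, detail) in nested_virt_report(SAMPLE_VM_PARAM_LIST).items():
        print(f"{xl_key:10s} {status:18s} {detail or ''}")
```

Run it against a real record by replacing SAMPLE_VM_PARAM_LIST with the captured output of xe vm-param-list; a "missing" row names the platform key that xe vm-param-set platform:<key>=<value> could add, while "no-xe-equivalent" rows are exactly the open question in this thread.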
- 
 Can you try with a Windows 10 template from the start? 

