Completed config option to allow nested virtualization

Brady Wilkin · Brady Wilkin · commit 7821838d72a8 · 2025-05-04T16:16:46.000-05:00
diff --git a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/LibvirtComputingResource.java b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/LibvirtComputingResource.java
@@ -4846,6 +4846,8 @@ protected long getMemoryFreeInKBs(Domain dm) throws LibvirtException {
     }
 
     private boolean canBridgeFirewall(final String prvNic) {
+        if (getAllowNestedVMAccess())
+            return true; // If nested VM is allowed, then we skip call to security group and allow bypassing firewall
         final Script cmd = new Script(securityGroupPath, timeout, LOGGER);
         cmd.add("can_bridge_firewall");
         cmd.add("--privnic", prvNic);
diff --git a/server/src/main/java/com/cloud/network/IpAddressManagerImpl.java b/server/src/main/java/com/cloud/network/IpAddressManagerImpl.java
@@ -329,6 +329,9 @@ public class IpAddressManagerImpl extends ManagerBase implements IpAddressManage
 
     public static final ConfigKey<Integer> PUBLIC_IP_ADDRESS_QUARANTINE_DURATION = new ConfigKey<>("Network", Integer.class, "public.ip.address.quarantine.duration",
             "0", "The duration (in minutes) for the public IP address to be quarantined when it is disassociated.", true, ConfigKey.Scope.Domain);
+    
+    public static final ConfigKey<Boolean> AllowNestedVMAccess = new ConfigKey<>("Advanced", Boolean.class, "allow.nested.vm.access",
+            "false", "Allows nested VM access by bypassing security group restrictions. Use with caution.", true, ConfigKey.Scope.Global);
 
     private Random rand = new Random(System.currentTimeMillis());
 
@@ -2453,6 +2456,10 @@ public static ConfigKey<Boolean> getSystemvmpublicipreservationmodestrictness()
         return SystemVmPublicIpReservationModeStrictness;
     }
 
+    public static ConfigKey<Boolean> getAllowNestedVMAccess() {
+        return AllowNestedVMAccess;
+    }
+
     @Override
     public boolean canPublicIpAddressBeAllocated(IpAddress ip, Account newOwner) {
         PublicIpQuarantineVO publicIpQuarantineVO = publicIpQuarantineDao.findByPublicIpAddressId(ip.getId());
diff --git a/server/src/test/java/com/cloud/network/IpAddressManagerTest.java b/server/src/test/java/com/cloud/network/IpAddressManagerTest.java
@@ -491,4 +491,14 @@ public void checkIfIpResourceCountShouldBeUpdatedTestIpIsAssociatedToVpcAndNotDe
 
         Assert.assertTrue(result);
     }
+
+    @Test
+    public void testCanBridgeFirewallWithNestedVMAccessEnabled() {
+        // Force config to return true for AllowNestedVMAccess
+        Mockito.doReturn(true).when(ipAddressManager).getAllowNestedVMAccessConfig();
+
+        boolean result = ipAddressManager.canBridgeFirewall("eth0");
+
+        Assert.assertTrue("Should return true when AllowNestedVMAccess is enabled", result);
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -4846,6 +4846,8 @@ protected long getMemoryFreeInKBs(Domain dm) throws LibvirtException {`
`4846`	`4846`	`}`
`4847`	`4847`
`4848`	`4848`	`private boolean canBridgeFirewall(final String prvNic) {`
	`4849`	`+ if (getAllowNestedVMAccess())`
	`4850`	`+ return true; // If nested VM is allowed, then we skip call to security group and allow bypassing firewall`
`4849`	`4851`	`final Script cmd = new Script(securityGroupPath, timeout, LOGGER);`
`4850`	`4852`	`cmd.add("can_bridge_firewall");`
`4851`	`4853`	`cmd.add("--privnic", prvNic);`
Original file line number	Diff line number	Diff line change
`@@ -491,4 +491,14 @@ public void checkIfIpResourceCountShouldBeUpdatedTestIpIsAssociatedToVpcAndNotDe`
`491`	`491`
`492`	`492`	`Assert.assertTrue(result);`
`493`	`493`	`}`
	`494`	`+`
	`495`	`+ @Test`
	`496`	`+ public void testCanBridgeFirewallWithNestedVMAccessEnabled() {`
	`497`	`+ // Force config to return true for AllowNestedVMAccess`
	`498`	`+ Mockito.doReturn(true).when(ipAddressManager).getAllowNestedVMAccessConfig();`
	`499`	`+`
	`500`	`+ boolean result = ipAddressManager.canBridgeFirewall("eth0");`
	`501`	`+`
	`502`	`+ Assert.assertTrue("Should return true when AllowNestedVMAccess is enabled", result);`
	`503`	`+ }`
`494`	`504`	`}`