Nested Virtualization in Windows 10

Nested Virtualization lets you run a Hypervisor inside of a Virtual Machine. Windows 10 Build 10565 introduced Nested Virtualization. Whether you need it or not, here is some information that might interest you.

By Anand Khanse

Container inside Container: About Nested Virtualization in Windows

Earlier you could create parallel containers, as many as your main memory would allow, and use them for different purposes. Microsoft has now released the feature of nested virtualization with its latest Insider Build, numbered 10565. Nested virtualization in Windows allows you to create containers inside containers. Though the feature is not yet perfect, here is what you need to know.


Virtualization using Hyper-V

Windows supports Docker, which lets you create simple containers that you can use in parallel, or you can create Hyper-V containers, which are considered better than simple containers. Though you can create Windows containers in parallel, they often end up using the same libraries and resources. In that case, one or more “bad” containers may create a jam by holding up resources and not releasing them for other containers to use. That is the one drawback that led to the introduction of Hyper-V containers.

Hyper-V containers create everything separately for each virtual environment. That is, even the OS is recreated and provided to the applications running in that virtual compartment. This means there are no common virtual resources and hence no conflicts.

Nested virtualization in Windows is made possible using Hyper-V. You may try other things, but Microsoft says that currently nested virtualization will work only with Hyper-V containers. So you have to be careful to create one container and then create another inside the first container. If you try to use any other hypervisor, or try to create another Hyper-V container in parallel with the one you’ve already created, it might not work. It raises a question in my mind though: are parallel containers not possible in Windows then? I will talk about it in the next section as well.


Nested Virtualization – What Is It and How to Implement It?

As said earlier, you can create a Hyper-V container. This container will make sure that other hypervisors are not allowed to see it. That is, only the container will appear as the CPU, and the actual CPU might not be visible to other hypervisors, so you cannot even create another container in parallel. The doubt in this case is whether you can create two or more Hyper-V containers in parallel, or whether you get to create containers only inside the first container that you created.

Microsoft’s blog says that once you create a Hyper-V container, it won’t allow other hypervisors to install any more Hyper-V containers, as they won’t be able to see the real CPU. Does that mean you cannot create more containers outside the container you already created? Then, when you run other virtualizers, they will think that the container is the actual CPU and create a virtual container inside that container.

That is nested virtualization: containers inside containers, each one completely independent of the others, with no shared libraries or drivers. Sounds good, except for that one doubt about parallel containers. Here is the image I borrowed from Microsoft to demonstrate the working of nested virtualization.


Coming to the implementation of nested virtualization, there are a variety of factors to be checked. Some examples are:

  1. Amount of RAM (remember that RAM is a limiting factor; you can create only as many containers as your RAM can hold)
  2. Is your processor supported? (MS says only Intel VT-x is supported at the moment)
  3. Dynamic memory must be off
  4. Keeping tabs on runtime memory, and more

There are a host of issues at this point which Microsoft may take care of in later phases. But to try nested virtualization, it has developed a PowerShell script that you can download from GitHub.
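The checklist above (RAM headroom, an Intel processor with VT-x, dynamic memory switched off) can be turned into a few PowerShell commands. What follows is an added example written for this page; it is neither the article’s text nor Microsoft’s GitHub script. It assumes the Hyper-V PowerShell module is installed and the prompt is elevated, and the VM name 'OuterVM' is a placeholder for your own outer VM. Set-VMMemory, Set-VMProcessor and Set-VMNetworkAdapter are standard Hyper-V cmdlets; the firmware/SLAT checks and the MAC-spoofing step go beyond the article’s list (the first two are what Hyper-V itself needs on the host, the last is required for nested guests to reach the network through the outer VM’s adapter).

```powershell
# Added example, not the article's or Microsoft's script.
# Part 1: check the host against the article's prerequisites.
function Test-NestedVirtHost {
    # Win32_Processor exposes VirtualizationFirmwareEnabled (VT-x turned on in firmware)
    # and SecondLevelAddressTranslationExtensions (SLAT); both are standard WMI properties.
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem

    # RAM already promised to existing VMs at startup, to compare against physical RAM.
    $committed = 0
    Get-VM | ForEach-Object { $committed += $_.MemoryStartup }

    [pscustomobject]@{
        Manufacturer     = $cpu.Manufacturer
        IsIntel          = ($cpu.Manufacturer -eq 'GenuineIntel')   # article: only Intel VT-x supported
        VtEnabledInBios  = [bool]$cpu.VirtualizationFirmwareEnabled
        SlatPresent      = [bool]$cpu.SecondLevelAddressTranslationExtensions
        HyperVRunning    = ((Get-Service -Name vmms -ErrorAction SilentlyContinue).Status -eq 'Running')
        TotalRamGB       = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
        VmStartupRamGB   = [math]::Round($committed / 1GB, 1)
    }
}

# Part 2: prepare one (outer) VM so that Hyper-V can run inside it.
function Enable-NestedVirtForVm {
    param([Parameter(Mandatory)][string]$VMName)

    $vm = Get-VM -Name $VMName
    # Processor settings can only be changed while the VM is powered off.
    if ($vm.State -ne 'Off') {
        throw "VM '$VMName' must be shut down before its processor settings can change."
    }

    # Article item 3: dynamic memory must be off for a nested VM.
    Set-VMMemory -VMName $VMName -DynamicMemoryEnabled $false

    # Expose the host's VT-x extensions to the guest so the guest can load its own hypervisor.
    Set-VMProcessor -VMName $VMName -ExposeVirtualizationExtensions $true

    # Not in the article: nested guests share the outer VM's NIC, so MAC spoofing
    # has to be allowed on that adapter or the inner VMs get no network.
    Get-VMNetworkAdapter -VMName $VMName | Set-VMNetworkAdapter -MacAddressSpoofing On

    # Return the resulting settings so the caller can verify them.
    [pscustomobject]@{
        VMName                         = $VMName
        DynamicMemoryEnabled           = (Get-VMMemory -VMName $VMName).DynamicMemoryEnabled
        ExposeVirtualizationExtensions = (Get-VMProcessor -VMName $VMName).ExposeVirtualizationExtensions
    }
}

# Usage (placeholder VM name):
Test-NestedVirtHost | Format-List
Enable-NestedVirtForVm -VMName 'OuterVM' | Format-List
```

Run the host check first: if IsIntel or VtEnabledInBios comes back False, the VM-side settings will not help, and if VmStartupRamGB is already close to TotalRamGB there is no room for the inner VM the article warns about.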