PlasmaVMC Nested KVM & App Validation (Draft)
Nested KVM quick check
1) On host: cat /sys/module/kvm_intel/parameters/nested (or kvm_amd). Expect Y for enabled, N for disabled.
2) If disabled (Intel example):
boot.kernelModules = [ "kvm-intel" ];
boot.extraModprobeConfig = ''
options kvm-intel nested=1
'';
For AMD, use kvm-amd and options kvm-amd nested=1.
3) Reboot once, verify again.
4) Inside a guest VM: prove nesting with a minimal KVM launch:
qemu-system-x86_64 -accel kvm -cpu host -m 512 -nographic \
-kernel /run/current-system/kernel -append "console=ttyS0" < /dev/null
If it boots to kernel console, nesting works.
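The host-side check from steps 1 to 3, scripted so it can also gate nested-virt tests; this is an added example, not PlasmaVMC code. The sysfs root argument and the PLASMAVMC_NESTED_TESTS variable are hypothetical names introduced here, and the function accepts 1/0 as well as Y/N because some kernels report the parameter numerically.

```sh
#!/bin/sh
# Added example (not part of PlasmaVMC). The sysfs-root argument and the
# PLASMAVMC_NESTED_TESTS opt-in variable are assumptions made for illustration.

# Print "<module> enabled|disabled" for the first loaded KVM vendor module,
# or "none absent" when neither kvm_intel nor kvm_amd exposes the parameter.
nested_kvm_status() {
    nks_root="${1:-/sys}"
    for nks_mod in kvm_intel kvm_amd; do
        nks_param="$nks_root/module/$nks_mod/parameters/nested"
        [ -r "$nks_param" ] || continue
        nks_val="$(tr -d '[:space:]' < "$nks_param")"
        case "$nks_val" in
            Y|y|1) echo "$nks_mod enabled" ;;
            *)     echo "$nks_mod disabled" ;;
        esac
        return 0
    done
    echo "none absent"
}

# Decide whether nested-virt tests should run. Prints "run: ..." only when
# the opt-in variable is 1 AND the host reports nesting enabled; otherwise
# prints "skip: <reason>" so the CI log shows why the tests were ignored.
nested_test_gate() {
    ntg_root="${1:-/sys}"
    if [ "${PLASMAVMC_NESTED_TESTS:-0}" != "1" ]; then
        echo "skip: PLASMAVMC_NESTED_TESTS not set"
        return 0
    fi
    ntg_status="$(nested_kvm_status "$ntg_root")"
    case "$ntg_status" in
        *" enabled") echo "run: $ntg_status" ;;
        *)           echo "skip: $ntg_status" ;;
    esac
}

# Stand-alone use: report the decision for the real host.
nested_test_gate /sys
```
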
App scenario (lightweight)
- Topology: 2x app VMs on PrismNET, FiberLB front, FlashDNS record -> LB VIP.
- Data: FlareDB SQL (guestbook-style) for metadata; ChainFire backs control-plane metadata.
- Controls: CreditService Admission Control enforced on VM create (low quota); NightLight metrics exported.
Steps
- Provision: create 2 VMs via PlasmaVMC API; attach PrismNET network; ensure watcher persists VM metadata to FlareDB.
- Configure: deploy small web app on each VM that writes/reads FlareDB SQL; register DNS record in FlashDNS pointing to FiberLB listener.
- Gate: set low wallet balance; attempt VM create/update to confirm CAS-based debit and rollback on failure.
- Observe: ensure NightLight scrapes app + system metrics; add alerts for latency > target and billing failures.
- Failover drills:
  - Kill one app VM: FiberLB should reroute; CreditService must not double-charge retries.
  - Restart PlasmaVMC node: watcher should replay state from FlareDB/ChainFire; VM lifecycle ops continue.
- Exit criteria: all above steps pass 5x in a row; NightLight shows zero SLO violations; CreditService balances consistent before/after drills.
Notes
- Full disk HA not covered; for disk replication we’d need distributed block (future).
- Keep tests env-gated (ignored by default) so CI doesn’t require nested virt.