Go to main content

Oracle^® Advanced Support Gateway Security Guide

Exit Print View

» ...Documentation Home » Oracle^® Advanced Support ... » Oracle Advanced Support Gateway Security Guide » Implementation Changes to a Customer System » KVM Compute Nodes

Updated: April 2024

Oracle^® Advanced Support Gateway Security Guide

Document Information

Oracle Advanced Support Gateway Security Guide

About the Gateway

General Requirements

Changes to the Security Guide Since the Last Release

Firewall Port Requirements

External Connection

TLS VPN and the Gateway

Alternative External Connection Option

Controlling Remote VPN Access

Customer Access to the Gateway

Internal Connection

Firewall Rules: Ports and Protocols

Firewall Rules for External Traffic

Firewall Rules for External Traffic Through the Encrypted VPN Tunnel

Firewall Rules for Internal Traffic

Firewall Rules Between the Gateway and the Customer Network

Firewall Rules for Gateway Hardware Self-Monitoring

Firewall Rules Between the Gateway and Exadata

Firewall Rules Between the Gateway and ZDLRA

Firewall Rules Between the Gateway and ZFS

Firewall Rules Between the Gateway and Exalogic

Firewall Rules Between the Gateway and SuperCluster

Firewall Rules Between the Gateway and Exalytics

Firewall Rules Between the Gateway and Oracle Database Appliance

Firewall Rules Between the Gateway and Oracle Big Data Appliance

Firewall Rules Between the Gateway and Oracle Private Cloud Appliance

Firewall Rules Between the Gateway and Oracle Standalone Hosts

Firewall Rules Between the Gateway and Oracle Third-Party Hosts

Implementation Changes to a Customer System

The Monitoring Matrix

Implementation Impact on the Environment

All Systems With An Agent Deployed

Engineered Systems Storage Cells

Engineered System Cisco Switches

Engineered System InfiniBand Switches

Engineered System PDU's

Engineered Systems Compute Nodes (Physical Implementation) and Virtual Machines

OVS Compute Nodes

KVM Compute Nodes

Exalogic Compute Nodes (Physical Implementation) and Exalogic Virtual Machines / Control Virtual Machines

ZFS Storage Array Storage Heads

Utilization Impact Risk of OEM Cloud Control Agent on Monitored Systems

Server Prerequisites for Monitoring Deployment

Server Prerequisites for Monitoring Deployment

Monitoring Access: an Overview

User Privileges

Solaris 11 Initial Setup User RBAC Profile

Solaris 10 Initial Setup User RBAC Profile

Solaris sudo Profile

Linux sudo Profile

ILOM User Privileges

Storage Prerequisites for Monitoring Deployment

Monitoring Deployment: an Overview

Oracle ZFS Storage Appliances

Sample Logging Messages

Managing ASR Audit Logs

About ASR Audit Logs

Viewing ASR Audit Logs

Downloading ASR Audit Logs

Installing the Gateway

Gateway Infrastructure Maintenance and Change Management Process

Understanding Responsibilities

Customer Responsibilities

Oracle Responsibilities

Generating a Change Management Request

Understanding the Change Management Workflow

Understanding Maintenance Activities

Language:

KVM Compute Nodes

Install or upgrade the Oracle Autonomous Health Framework (AHF) to a minimum version of 23.10.

The storage requirement for AHF is 2GB of space in /opt and a minimum of 6GB (with a recommendation of 10GB) on /EXAVMIMAGES.
Configure Oracle Autonomous Health Framework (AHF) to auto-update from the Gateway when a new version is available.
Configure Oracle Autonomous Health Framework (AHF) to communicate to all KVM Nodes via socket for data collection.

The Oracle Linux 7 Server used within an Engineered System that is running the virtualized stack has strict policies that do not permit the installation of agents on the systems. These nodes will have the ILOMs configured to send traps to the Gateway for ASR. A user (orarom) will be created on the KVM Server and granted the following privileges in the sudoers file:

<user> ALL= NOPASSWD: /usr/bin/virsh list*, /usr/bin/virsh dominfo*, /usr/bin/virsh nodememstats*, /usr/bin/virsh domstats*, /usr/bin/virsh capabilities, /usr/bin/virsh domblklist*, /usr/bin/virsh domiflist*, /usr/bin/virsh domifstat*, /usr/bin/virsh vcpupin*, /bin/virsh cpu-stats*, /bin/virsh domblkstat*, /bin/virsh dommemstat*, /bin/virsh nodeinfo, /sbin/dmsetup info, /sbin/service --status-all, /usr/sbin/dmidecode, /sbin/ethtool, /usr/bin/ipmitool, /usr/sbin/imageinfo, /usr/local/bin/imageinfo, /opt/oracle/bda/bin/imageinfo, /opt/exadata_ovm/vm_maker, /usr/sbin/brctl, /sbin/fdisk -l*, /bin/virsh domblkinfo*, /usr/bin/lvs*, /usr/bin/smartctl*, /usr/sbin/ibnetdiscover, /usr/sbin/sminfo, /sbin/dmsetup info*, /bin/cat /etc/iscsi/iscsid.conf, /usr/bin/systemctl stop oracle-oasgagent.service, /usr/bin/systemctl start oracle-oasgagent.service, /usr/bin/systemctl restart oracle-oasgagent.service, /usr/bin/systemctl status oracle-oasgagent.service, /sbin/service oasgagent start, /sbin/service oasgagent stop, /sbin/service oasgagent restart, /sbin/service oasgagent status

This list of commands is used by the Oracle Enterprise Manager (OEM) targets to read information about the system, relay the information to OEM, and manage the oasg_agent.

Note - The profile may be updated if the option for Oracle to retain sudo privilege is granted.

Copyright © 2024, Oracle and/or its affiliates.