2.1. Oracle VM Pre-Installation Tasks

This section describes any security configuration that must be applied before installation.

2.1.1. Preparing the Oracle VM Management Server

The Oracle VM management server must run one of the following operating systems:

  • Oracle Linux 5 Update 5 64-bit or later

  • Oracle Linux 6 64-bit or later

A default Oracle Linux installation has the firewall enabled (iptables on). It is recommended to leave all ports closed except the ones required by Oracle VM Manager. The required ports are:

  • for inbound web browser connection: TCP/7002 (HTTPS, preferred), TCP/7001 (HTTP)

  • for access to virtual machine consoles: TCP/15901 (secure VNC proxy)

  • for inbound connection from Oracle VM Servers: TCP/7002 (HTTPS, default), TCP/7001 (HTTP), UDP/123 (NTP)

  • for optional remote API access: TCP/54322 (Secure TCP over SSL, recommended), TCP/54321 (standard)

  • for outbound connection to Oracle VM Servers: TCP/8899 (Oracle VM Agent), TCP/5900-xxxx (VNC, 1 secure tunnel per VM)

  • for inter-server communication in clustered server pools: TCP/7777 (default OCFS2 port on storage network)

  • for SSH access: TCP/22 (likely open by default)

  • for CLI access using SSH: TCP/10000

Note

The Oracle VM Command Line Interface (CLI) is part of Oracle VM as of version 3.2.1.

Note

As part of the installation procedure, a script is included named createOracle.sh. You can run this script to perform a number of installation tasks in an automated way, including the standard firewall configuration. If you prefer or need to configure the firewall manually, follow these instructions.

Open the required ports in iptables as follows:

  1. Log on to the Oracle VM management server as the root user.

  2. At the command prompt, enter the appropriate command for each port to be opened; for example:

    # iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 7001 -j ACCEPT
    # iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 7002 -j ACCEPT
    # iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 15901 -j ACCEPT
    # iptables -A INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT
    # iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 54321 -j ACCEPT
    # iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 54322 -j ACCEPT

  3. Save the iptables configuration.

    # service iptables save

    This does not require iptables to be restarted, because the commands open the ports while iptables is running. Saving ensures the rules are applied again after any future reboot or restart.

    Figure: firewall rules and port requirements for Oracle VM Manager.

2.1.2. Preparing the Management Network

All physical servers in the Oracle VM environment are connected to the management network. Oracle VM Manager and the Oracle VM Servers communicate over the management network through the Oracle VM Agent, which runs on each server.

Strictly speaking, none of the physical servers need to be reachable externally, so it is recommended that the management network uses a private subnet. This private subnet may be reachable from within your corporate network or a portion of it. If the management network is not a private subnet, or if further security hardening is required, you can restrict access to the IP addresses of the Oracle VM Servers only. The goal is to protect the management network so that it is not exposed to users and machines that do not need to access the physical Oracle VM environment.

In addition to firewall configurations in your corporate network, the use of a VLAN may further shield the management network from unauthorized access. If management network access from outside the corporate network is required, consider enabling it through a VPN tunnel.

Note

For all firewall configurations in your corporate network you must allow for the same port requirements as described above for iptables on the Oracle VM management server.
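The following rule generator is an added example, not Oracle's createOracle.sh or any code from this guide. It emits the iptables commands for the manager's port list from Section 2.1.1, opening only the HTTPS/SSL variants the guide marks as preferred and restricting the NTP port to the Oracle VM Server addresses given as arguments, in the spirit of the source-address restriction suggested above. The server addresses (192.0.2.x) are constructed sample values.

```shell
#!/bin/sh
# Added example: emit iptables rules for an Oracle VM Manager host.
# Assumptions not taken from the guide: Oracle VM Server addresses are passed
# as arguments (192.0.2.x below are constructed sample values), and the
# plaintext ports TCP/7001 and TCP/54321 stay closed in favour of the
# HTTPS (7002) and SSL (54322) ports the guide marks as preferred.

# rule PROTO PORT [SRC]: print one ACCEPT rule for new connections to PORT,
# restricted to the source address SRC when one is given.
rule() {
    if [ -n "$3" ]; then
        printf 'iptables -A INPUT -s %s -m state --state NEW -p %s --dport %s -j ACCEPT\n' "$3" "$1" "$2"
    else
        printf 'iptables -A INPUT -m state --state NEW -p %s --dport %s -j ACCEPT\n' "$1" "$2"
    fi
}

# gen_rules SERVER_IP...: print the inbound rule set. Administrator-facing
# ports are open to any source; NTP is accepted only from the listed servers.
# Caveat: if the INPUT chain already ends in a REJECT rule (a typical Oracle
# Linux default), apply these with -I instead of -A so they are evaluated
# before that REJECT.
gen_rules() {
    rule tcp 7002    # web UI and Oracle VM Server connections over HTTPS
    rule tcp 15901   # secure VNC proxy for virtual machine consoles
    rule tcp 54322   # remote API over SSL
    rule tcp 22      # SSH
    rule tcp 10000   # CLI over SSH
    for srv in "$@"; do
        rule udp 123 "$srv"   # NTP, only from the Oracle VM Servers
    done
}

# count_rules SERVER_IP...: number of rules gen_rules would emit.
count_rules() {
    gen_rules "$@" | wc -l | tr -d ' '
}

# Stand-alone run: print the rules for the addresses given on the command
# line, or for two constructed sample addresses when none are given.
if [ $# -eq 0 ]; then
    set -- 192.0.2.10 192.0.2.11
fi
gen_rules "$@"
```

Pipe the output into `sh` on the manager and then run `service iptables save`, as in step 3 above.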

Note

Depending on your server hardware and network resources you may want to further segregate network traffic by network role (management, storage, migration, virtual machines, heartbeat). The network model and its security implications are described in detail in Section 3.1, “Oracle VM Network Model”.