2.1. Oracle VM Pre-Installation Tasks

2.1.1. Preparing the Oracle VM Management Server
2.1.2. Preparing the Management Network

This section describes any security configuration that must be applied before installation.

2.1.1. Preparing the Oracle VM Management Server

The Oracle VM management server must run one of the following operating systems:

  • Oracle Linux 5 Update 5 64-bit or later

  • Oracle Linux 6 64-bit or later

A default Oracle Linux installation has the firewall enabled (iptables on). It is recommended to leave all ports closed except the ones required by Oracle VM Manager. The required ports are:

  • for inbound web browser connection: TCP/7002 (HTTPS, preferred), TCP/7001 (HTTP)

  • for access to virtual machine consoles: TCP/15901 (secure VNC proxy)

  • for inbound connection from Oracle VM Servers: TCP/7002 (HTTPS, default), TCP/7001 (HTTP), UDP/123 (NTP)

  • for optional remote API access: TCP/54322 (Secure TCP over SSL, recommended), TCP/54321 (standard)

  • for outbound connection to Oracle VM Servers: TCP/8899 (Oracle VM Agent), TCP/5900-xxxx (VNC, 1 secure tunnel per VM)

  • for inter-server communication in clustered server pools: TCP/7777 (default OCFS2 port on storage network)

  • for SSH access: TCP/22 (likely open by default)

  • for CLI access using SSH: TCP/10000


The Oracle VM Command Line Interface (CLI) is part of Oracle VM as of version 3.2.1.


As part of the installation procedure, a script is included named createOracle.sh. You can run this script to perform a number of installation tasks in an automated way, including the standard firewall configuration. If you prefer or need to configure the firewall manually, follow these instructions.

Open the required ports in iptables as follows:

  1. Log on to the Oracle VM management server as the root user.

  2. At the command prompt, enter the appropriate command for each port to be opened; for example:

    # iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 7001 -j ACCEPT
    # iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 7002 -j ACCEPT
    # iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 15901 -j ACCEPT
    # iptables -A INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT 
    # iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 54321 -j ACCEPT
    # iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 54322 -j ACCEPT
  3. Save the iptables configuration.

    # service iptables save

    This does not require iptables to be restarted as the commands open the ports while iptables is running. The save ensures they are opened on reboot/restart in future.

    The diagram below illustrates the firewall rules and requirements for Oracle VM.

    This diagram illustrates the firewall rules in Oracle VM Manager.

2.1.2. Preparing the Management Network

All physical servers in the Oracle VM environment are connected to the management network. Oracle VM Manager and the Oracle VM Servers communicate over the management network through the Oracle VM Agent, which runs on each server.

Strictly speaking, none of the physical servers need to be reachable externally, so it is recommended that the management network uses a private subnet. This private subnet may be reachable from within your corporate network or a portion of it. If the management network is not a private subnet, or if further security hardening is required, you can restrict access to the IP addresses of the Oracle VM Servers only. The goal is to protect the management network so that it is not exposed to users and machines that do not need to access the physical Oracle VM environment.

In addition to firewall configurations in your corporate network, the use of a VLAN may further shield the management network from unauthorized access. If management network access from outside the corporate network is required, consider enabling it through a VPN tunnel.


For all firewall configurations in your corporate network you must reckon with the same port requirements as described above for iptables on the Oracle VM management server.


Depending on your server hardware and network resources you may want to further segregate network traffic by network role (management, storage, migration, virtual machines, heartbeat). The network model and its security implications are described in detail in Section 3.1, “Oracle VM Network Model”.