2.1 Oracle VM Pre-Installation Tasks

This section describes the security configuration that must be applied before Oracle VM Manager is installed.

2.1.1 Preparing the Oracle VM Management Server

The Oracle VM management server must run one of the following operating systems:

  • Oracle Linux (or Red Hat Enterprise Linux) 5 Update 5 64-bit or later.

  • Oracle Linux (or Red Hat Enterprise Linux) 6 64-bit or later.

  • Oracle Linux (or Red Hat Enterprise Linux) 7 64-bit or later.

A default Oracle Linux 5 or 6 installation has the firewall enabled (the iptables service is on). Oracle Linux 7 ships with firewalld as the default front end; the iptables service commands in this section assume that the iptables-services package is installed and enabled in its place. It is recommended to leave all ports closed except the ones required by Oracle VM Manager. The required ports are:

  • For inbound web browser connection: TCP/7002 (HTTPS, default).

  • For inbound connection from Oracle VM Servers: TCP/7002 (HTTPS, default), UDP/123 (NTP).

  • For outbound connection to Oracle VM Servers: TCP/8899 (Oracle VM Agent), TCP/6900-xxxx (VNC console, 1 secure tunnel per virtual machine), TCP/10000-xxxx (serial console, 1 secure tunnel per virtual machine).

  • For SSH access: TCP/22 (likely open by default).

  • For CLI access using SSH: TCP/10000.

Note

The Oracle VM Manager Command Line Interface (CLI) is part of Oracle VM as of Release 3.2.

As part of the installation procedure, a script is included named createOracle.sh. You can run this script to perform a number of installation tasks in an automated way, including the standard firewall configuration. Note that if iptables has been disabled on the target host prior to the installation of Oracle VM Manager, this script does not automatically re-enable the iptables service. For the rules to take effect, you must ensure that the iptables service is enabled and running.

If you prefer or need to configure the firewall manually, follow these instructions.

Open the required ports in iptables as follows:

  1. Log on to the Oracle VM management server as the root user.

  2. At the command prompt, enter the appropriate command for each port to be opened; for example:

    # iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 7002 -j ACCEPT
    # iptables -A INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT

    Check where the new rules landed with iptables -L INPUT -n --line-numbers. On a default Oracle Linux installation the INPUT chain ends in a rule that rejects all remaining traffic (or jumps to a chain that does), and -A appends after that rule, so a rule added this way never matches. Insert it before the rejecting rule instead, using -I INPUT with the rule number of the REJECT entry, or add it to /etc/sysconfig/iptables above the REJECT line and restart the service.

  3. Save the iptables configuration.

    # service iptables save

    Saving does not require iptables to be restarted: the commands above open the ports in the running firewall, and the save writes them to /etc/sysconfig/iptables so they are restored on the next reboot or restart of the service.

The diagram and table below illustrate the firewall rules and requirements for Oracle VM.

[Figure: Oracle VM firewall rules. The diagram shows six numbered connections, matching the rows of Table 2.1: (1) Oracle VM Manager Host to Oracle VM Server Hosts; (2) Oracle VM Server Hosts to Oracle VM Manager Host; (3) Client PC to Oracle VM Manager Host; (4) Client PC to Oracle VM Server Hosts; (5) between all Oracle VM Server Hosts; (6) Some Management Tools to Oracle VM Manager Host.]

Table 2.1 Firewall Rules

Columns: No., Component Relationship, Ports and Description, Optional.

  1. Oracle VM Manager to Oracle VM Server (Optional: No)

    • TCP/8899 - HTTPS connection to the Oracle VM Agent.

    • TCP/6900-xxxx - Secure VNC connections to connect to the VNC Console for virtual machines running on each Oracle VM Server.

    • TCP/10000-xxxx - Secure serial connections to connect to the Serial Console for virtual machines running on each Oracle VM Server.

  2. Oracle VM Server to Oracle VM Manager (Optional: No)

    • TCP/7002 - HTTPS connection from Oracle VM Agent to the Oracle VM Core WSAPI.

    • UDP/123 - NTP requests to an NTP server running on the Oracle VM Manager host.

  3. Client PC to Oracle VM Manager (Optional: No, although access to services should be limited to requirements)

    • TCP/7002 - HTTPS connection from web browser to Oracle VM Manager web user interface, or WSAPI.

    • TCP/10000 - SSH connection from SSH client to Oracle VM Manager CLI.

    • TCP/22 - SSH connection to Oracle VM Manager host for administrative work.

  4. Client PC to Oracle VM Server (Optional: Yes)

    • TCP/22 - SSH connection to Dom0 on each Oracle VM Server for administrative work.

  5. Oracle VM Server to Oracle VM Server (Optional: No)

    • TCP/7777 - OCFS2 heartbeat communication for clustered server pools.

    • TCP/8002 - Non-encrypted port used for live virtual machine migrations.

    • TCP/8003 - Encrypted port used for secure live virtual machine migrations.

  6. Some Management Tools to Oracle VM Manager (Optional: Yes)

    • TCP/7002 - Access to the Web Services API over HTTPS may be required by some other management tools outside of the immediate Oracle VM product suite.

    • TCP/54322 - A deprecated legacy API port is still available in this release to cater for any applications that may not have switched over to the Web Services API. This port should be disabled unless you are aware of an application that absolutely requires it. In this case, you should also notify the application vendor that the application must be updated to use the correct API before the next release.

      You can confirm that access to this port is not available by checking your firewall rules; on the Oracle VM Manager host, run iptables-save and look for an ACCEPT rule on TCP/54322. If you need to disable access to this port, remove the rule from /etc/sysconfig/iptables and restart the iptables service.
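The following shell script is an added example; it is not Oracle's createOracle.sh or any other part of the product. It generates a complete /etc/sysconfig/iptables for the Oracle VM Manager host from the inbound ports in Table 2.1, restricting each port to the subnet that needs it (the source restriction recommended for the management network in Section 2.1.2), and audits an iptables-save dump for an ACCEPT rule on the deprecated legacy API port TCP/54322 from row 6. The subnets MGMT_NET and ADMIN_NET, the function names, the file name ovmm-fw.sh and the sample dump are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not Oracle's createOracle.sh. Writes the whole filter table
# rather than appending with -A to a running chain, so the final REJECT rule
# of a default Oracle Linux ruleset stays last and the ACCEPT rules sit above it.

MGMT_NET="${MGMT_NET:-10.10.0.0/24}"    # assumed: Oracle VM Server management subnet
ADMIN_NET="${ADMIN_NET:-10.20.0.0/24}"  # assumed: administrator workstation subnet

# Emit /etc/sysconfig/iptables for the Oracle VM Manager host. Inbound ports
# follow Table 2.1 rows 2 and 3; outbound ports to the servers (8899, 6900-xxxx,
# 10000-xxxx) need no rule because the OUTPUT policy stays ACCEPT.
ovmm_iptables_config() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Row 2: Oracle VM Agent to Core WSAPI, and NTP, from the management subnet only
-A INPUT -s $MGMT_NET -m state --state NEW -m tcp -p tcp --dport 7002 -j ACCEPT
-A INPUT -s $MGMT_NET -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT
# Row 3: web UI/WSAPI, CLI and host SSH from administrator workstations only
-A INPUT -s $ADMIN_NET -m state --state NEW -m tcp -p tcp --dport 7002 -j ACCEPT
-A INPUT -s $ADMIN_NET -m state --state NEW -m tcp -p tcp --dport 10000 -j ACCEPT
-A INPUT -s $ADMIN_NET -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# Row 6: the deprecated legacy API port is deliberately absent; all else rejected
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Read an iptables-save dump on stdin. Return 0 if no ACCEPT rule targets the
# given TCP port (single --dport or a --dports list), 1 and the offending rule
# otherwise. Port ranges such as 6900:6999 are not expanded.
audit_port_closed() {
    port="$1"
    offending=$(grep -E -- '-j ACCEPT' \
        | grep -E -- "--dports? ([0-9,:]+,)?${port}(,| |$)" || true)
    if [ -n "$offending" ]; then
        printf 'TCP/%s is still accepted:\n%s\n' "$port" "$offending" >&2
        return 1
    fi
    printf 'TCP/%s: no ACCEPT rule found\n' "$port"
    return 0
}

# Constructed iptables-save excerpt from a host where a legacy integration
# left TCP/54322 open; used only to demonstrate the audit.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state NEW -m tcp -p tcp --dport 7002 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 54322 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

case "${1:-}" in
    config) ovmm_iptables_config ;;
    audit)  audit_port_closed "${2:-54322}" ;;
esac
```

As root, `sh ovmm-fw.sh config > /etc/sysconfig/iptables`, review the file, then `service iptables restart` and `chkconfig iptables on` so the rules are both active and restored on reboot; `iptables-save | sh ovmm-fw.sh audit 54322` exits 1 and prints the rule if the legacy port is still accepted, which is the check row 6 of the table asks for.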


2.1.2 Preparing the Management Network

All physical servers in the Oracle VM environment are connected to the management network. Oracle VM Manager and the Oracle VM Servers communicate over the management network through the Oracle VM Agent, which runs on each server.

Strictly speaking, none of the physical servers need to be reachable externally, so it is recommended that the management network uses a private subnet. This private subnet may be reachable from within your corporate network or a portion of it. If the management network is not a private subnet, or if further security hardening is required, you can restrict access to the IP addresses of the Oracle VM Servers only. The goal is to protect the management network so that it is not exposed to users and machines that do not need to access the physical Oracle VM environment.

In addition to firewall configurations in your corporate network, the use of a VLAN may further shield the management network from unauthorized access. If management network access from outside the corporate network is required, consider enabling it through a VPN tunnel.

Note

Any firewall in your corporate network that sits between the components listed above must allow the same ports as described for iptables on the Oracle VM management server.

Note

Depending on your server hardware and network resources you may want to further segregate network traffic by network role (management, storage, migration, virtual machines, heartbeat). The network model and its security implications are described in detail in Section 3.1, “Oracle VM Network Model”.