1.5 Disabling Paravirtualized Guests on Oracle VM Server

Paravirtualization (PVM) is considered a less secure guest domain type. To keep your virtualized environment safe and secure, you should prevent paravirtualized guest VMs from starting and running within Oracle VM.

As of Release 3.4.5, the Xen hypervisor allows you to disable PVM guests through a configuration file setting. After you upgrade your servers to Oracle VM Server Release 3.4.5, PVM guests are not disabled by default, because that would cause a variety of problems in existing PVM guests. Oracle recommends that you switch to PV-HVM guests and disable PVM guests as described in this section.

As of Release 3.4.6, support for PVM guests is removed. With the removal of PVM guest support, the following new behavior restrictions exist:

  • A new virtual machine of the PVM domain type cannot be created from the Oracle VM Manager Web Interface, Oracle VM Manager Command Line Interface, or Oracle VM Web Services API.

  • An existing virtual machine of the PVM domain type can be converted to a supported type from the Oracle VM Manager Web Interface, Oracle VM Manager Command Line Interface, or Oracle VM Web Services API.

  • During server discovery, warnings are raised for each virtual machine of the PVM domain type. The warnings appear with the type "vm.unsupported.domain" on the Error Conditions subtab of the Health tab. The error event cannot be acknowledged by the user.

    Note

    Existing virtual machines of the PVM domain type continue to work as before; however, the error event that is raised goes away only after the PVM domain type issue is resolved.

  • After editing the domain type to a supported type, the event is then acknowledged.

Tip

If you have existing PVM guests, you should convert them to HVM with PV drivers before you disable PVM on your Oracle VM Servers. For details about changing the guest virtualization mode, please consult the Support Note with ID 2247664.1.

Disabling PVM Guests on Oracle VM Server

  1. Using SSH, log into the Oracle VM Server.

  2. Open the file xend-config.sxp and locate the entry "xend-allow-pv-guests".

    vi /etc/xen/xend-config.sxp
    # -*- sh -*-
    #
    # Xend configuration file.
    [...]
    #
    # By default allow PV guests to be created
    #(xend-allow-pv-guests 1)

  3. Uncomment the line by removing the "#" and set the parameter to "0" to disable PV guests. Save the changes to the file.

    # By default allow PV guests to be created
    (xend-allow-pv-guests 0)

  4. Stop and start the xend service on the Oracle VM Server for the new settings to take effect.

    # service xend stop
    # service xend status
    xend daemon is stopped
    
    # service xend start
    # service xend status
    xend daemon (pid 9641) is running...

    Any attempt to start a PVM guest on an Oracle VM Server with PVM guests disabled, or to migrate a PVM guest to it, results in a failure: "Error: PV guests disabled by xend".

    Note

    If secure VM migration is enabled (the default setting), the wrong error message may be displayed. A known issue may lead to a confusing error message containing "[Errno 9] Bad file descriptor".

  5. Repeat these steps for each of the remaining Oracle VM Servers to protect your entire virtualized environment.
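
When repeating the procedure across many servers, a small check helps confirm that the entry was actually uncommented and set to "0" on each one. The following is an added example, not part of the Oracle documentation; the function name pv_guests_state is hypothetical, and treating any active value other than "0" (including duplicate entries that disagree) as "enabled" is a conservative assumption of this example.

```shell
#!/bin/sh
# Added example: report the state of xend-allow-pv-guests in xend-config.sxp.
# Prints one of: disabled | enabled | default | missing
# Returns 0 only when PV guests are explicitly disabled.

pv_guests_state() {
    conf="${1:-/etc/xen/xend-config.sxp}"
    [ -r "$conf" ] || { echo missing; return 2; }

    # Extract values from active entries only; lines starting with "#"
    # (such as the shipped "#(xend-allow-pv-guests 1)") do not match.
    values=$(sed -n \
        's/^[[:space:]]*(xend-allow-pv-guests[[:space:]]\{1,\}\([^)[:space:]]*\)[[:space:]]*).*$/\1/p' \
        "$conf")

    if [ -z "$values" ]; then
        # Entry absent or still commented out: PV guests remain allowed.
        echo default
        return 1
    fi

    # Assumption: if several active entries exist, report "disabled" only
    # when every one of them is 0, so a stray "1" is never overlooked.
    for v in $values; do
        if [ "$v" != "0" ]; then
            echo enabled
            return 1
        fi
    done
    echo disabled
    return 0
}

# Constructed sample input: the untouched default shown in step 2.
sample=$(mktemp)
printf '# By default allow PV guests to be created\n#(xend-allow-pv-guests 1)\n' > "$sample"
echo "sample file: $(pv_guests_state "$sample" || true)"
rm -f "$sample"
```

Called without an argument, the function reads /etc/xen/xend-config.sxp, so it can be run on each Oracle VM Server over SSH after step 4.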