8.25 Disabling Paravirtualized Virtual Machines to Avoid Security Issues

Note

Important security information for the Oracle PCA hardware platform is available on My Oracle Support. For details, refer to the support article with Doc ID 2370398.1.

Paravirtualization is considered a less secure guest domain type. To keep your virtualized environment safe and secure, you should prevent paravirtualized guest VMs from starting and running within Oracle VM.

As of release 2.3.3, Oracle PCA includes a version of the Xen hypervisor that allows you to disable PV guests through a configuration file setting. However, to take advantage of this mechanism, you must first upgrade the compute nodes to the version of Oracle VM Server that ships with Oracle PCA Release 2.3.3. By default, PV guests are not disabled, because otherwise the Oracle VM upgrade would cause a variety of problems in existing PV guests. You must disable PV guests manually as described in this section.

Disabling PV Guests on Compute Nodes

  1. Using SSH and an account with superuser privileges, log into the active management node. From there, log into the compute node for which you want to disable PV guests. 

    # ssh root@10.100.1.101
root@10.100.1.101's password:
root@ovcamn05r1 ~]# ssh root@192.168.4.5
root@10.100.1.101's password:
root@ovcacn07r1 ~]#

  2. Open the file xend-config.sxp and locate the entry "xend-allow-pv-guests". 

    [root@ovcacn07r1 ~]# vi /etc/xen/xend-config.sxp
# -*- sh -*-
#
# Xend configuration file.
[...]
#
# By default allow PV guests to be created
#(xend-allow-pv-guests 1)

  3. Uncomment the line by removing the "#" and set the parameter to "0" to disable PV guests. Save the changes to the file. 

    # By default allow PV guests to be created
(xend-allow-pv-guests 0)

  4. Stop and start the xend service on the compute node for the new settings to take effect. 

    [root@ovcacn07r1 ~]# service xend stop
[root@ovcacn07r1 ~]# service xend status
xend daemon is stopped

[root@ovcacn07r1 ~]# service xend start
[root@ovcacn08r1 ~]# service xend status
xend daemon (pid 9641) is running...

    Any attempt to start a PV guest on a compute node with PV guests disabled, or to migrate a PV guest to it, results in a failure: "Error: PV guests disabled by xend".

    Note

    If secure VM migration is enabled – which is the default setting –, the wrong error message may be displayed. A known issue may lead to a confusing error message containing "[Errno 9] Bad file descriptor".

  5. Repeat this procedure for each of the remaining compute nodes to protect your entire Oracle PCA environment.

Copyright © 2013, 2020, Oracle and/or its affiliates. Legal Notices