On Wed, 2011-03-16 at 03:36 -0500, Johnny Hughes wrote:
On 03/15/2011 08:17 PM, David McGuffey wrote:
...
Did you verify that this was working before applying those settings in the NSA guide?
No...the prototype worked A-OK on another machine with the same CentOS 5.5 DVD, so I focused on the security hardening process...my bad...won't do that again.
What does/is VMM "claiming" ... are you seeing only fully virtualized and not paravirtualized as a selection or what is the problem that you are encountering? I am not an expert on KVM, but when I install a KVM VM in Virtual Machine Manager, I have to select "Fully Virtualized" initially, then if I want to install the virtio (paravirtualized) drivers, I need to do it like this:
The selection for full/para virtualization is locked in para and all grayed out.
I am fairly sure that only if you are running Xen will you actually see a "Paravirtualized" selection in Virtual Machine Manager ... however I would suggest that you use KVM and not Xen as KVM is where RHEL Virtualization is moving towards and Xen is being moved away from.
Not running the xen kernel.
The BIOS of many machines can "disable" virtual machine extensions (also called other things ... usually with Virtual, Virtual Technologies, or VT in the name). According to KVM (link below), sometimes certain settings do need to be turned off while others need to be on, so there may be a specific set of on and off that make it work on this type of machine.
That must be the problem. Searching dmesg shows the following two lines next to each other:
    kvm: disabled by bios
    ksm: loaded
modprobe kvm-intel also reports: .../weak-updates/kmod-kvm...
A search of that gives some guidance, but I'm sure the first challenge I have is to find the right bios settings, possibly updating the bios along the way.
So, it is possible for vmx to show up in the cpu flags but for it to be disabled. Specifically, some Dell machines need "Trusted Computer" or "Trusted Execution" enabled as well.
http://www.linux-kvm.org/page/FAQ#.22KVM:_disabled_by_BIOS.22_error
Verifying the latest version of the BIOS is installed can be very important for memory sizes greater than 4 GB of RAM and proper APIC operation on Linux as well. If you need to flash the BIOS on a Dell machine that has Linux installed, I use a "Free DOS" iso to boot from and put the Dell BIOS on my USB key, which is normally detected as C: or D: on my machines when booting the "Free Dos" ISO. I use fdfullcd.iso from here (use the LiveCD and do NOT install Free DOS on your main drive :D):
Thanks...that is probably what I'm going to have to do.
Dave M
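
The case discussed in this thread (vmx present in the CPU flags while dmesg reports "kvm: disabled by bios") can be told apart from the other states by decoding the IA32_FEATURE_CONTROL MSR. The following is an added example, not from either poster; it assumes an Intel host and an MSR value read with `rdmsr 0x3a` from msr-tools, and the function names and sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: explain a "kvm: disabled by bios" result on an Intel host.
# Function names and sample text are constructed for illustration.

# decode_feature_control VALUE -- VALUE is IA32_FEATURE_CONTROL (MSR 0x3a)
# in hex, as printed by `rdmsr 0x3a`. Bit 0 = lock, bit 1 = VMX allowed
# inside SMX (Trusted Execution launch), bit 2 = VMX allowed outside SMX.
decode_feature_control() {
    val=$(( 0x${1#0x} ))
    lock=$(( val & 1 ))
    in_smx=$(( (val >> 1) & 1 ))
    out_smx=$(( (val >> 2) & 1 ))
    if [ "$lock" -eq 0 ]; then
        echo "unlocked"          # firmware did not lock the MSR
    elif [ "$out_smx" -eq 1 ]; then
        echo "vmx-enabled"       # usable on a normal boot
    elif [ "$in_smx" -eq 1 ]; then
        echo "vmx-smx-only"      # usable only after a measured launch
    else
        echo "vmx-locked-off"    # locked with VMX off: change it in BIOS setup
    fi
}

# diagnose CPUINFO_TEXT DMESG_TEXT [MSR_VALUE]
diagnose() {
    cpuinfo=$1; dmesg_out=$2; msr=${3:-}
    # The vmx flag only says the CPU has the feature, not that it is enabled.
    if ! printf '%s\n' "$cpuinfo" |
         grep -Eq '^flags[[:space:]]*:.*[[:space:]]vmx([[:space:]]|$)'; then
        echo "no-vmx-flag"; return 0
    fi
    if printf '%s\n' "$dmesg_out" | grep -qi 'kvm: disabled by bios'; then
        if [ -n "$msr" ]; then
            echo "disabled-by-bios:$(decode_feature_control "$msr")"
        else
            echo "disabled-by-bios"
        fi
        return 0
    fi
    echo "ok"
}

# Constructed sample input (dmesg lines as quoted in the thread).
SAMPLE_CPUINFO='flags           : fpu vme de pse tsc msr pae mce cx8 apic vmx est tm2 ssse3 lm'
SAMPLE_DMESG='kvm: disabled by bios
ksm: loaded'

diagnose "$SAMPLE_CPUINFO" "$SAMPLE_DMESG" 1
```

On a live host the three arguments would come from `cat /proc/cpuinfo`, `dmesg`, and `rdmsr 0x3a` (which needs root and the msr kernel module loaded).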