Finished installing CentOS 5.5 x86_64 on a new Dell tower workstation that has a quad core Intel processor and 8 GB of ram. BIOS has hardware virtualization support enabled. /proc/cpuinfo shows that all four cores have the vmx flag present.
I applied a lot of the National Security Agency guide for securing Red Hat Linux 5, testing the key applications I need as I went. At the end of the process I bring up VMM and it claims that the hardware doesn't support full virtualization.
I'm going to go back through the NSA guide today looking for settings that might have an impact. My goal is to find and back out 1 or more settings rather than start from scratch with a full reload.
Any ideas where I should focus my efforts?
Dave M
On 03/15/2011 12:54 PM, David McGuffey wrote:
> Finished installing CentOS 5.5 x86_64 on a new Dell tower workstation that has a quad core Intel processor and 8 GB of ram. BIOS has hardware virtualization support enabled. /proc/cpuinfo shows that all four cores have the vmx flag present.
> I applied a lot of the National Security Agency guide for securing Red Hat Linux 5, testing the key applications I need as I went. At the end of the process I bring up VMM and it claims that the hardware doesn't support full virtualization.
> I'm going to go back through the NSA guide today looking for settings that might have an impact. My goal is to find and back out 1 or more settings rather than start from scratch with a full reload.
> Any ideas where I should focus my efforts?
> Dave M
Can you see if kvm modules are loaded:
lsmod | grep kvm
Example in my laptop (Intel C2D):
$ lsmod | grep kvm
kvm_intel 41950 0
kvm 257356 1 kvm_intel
HTH
On Tue, 2011-03-15 at 21:21 +0100, Athmane Madjoudj wrote:
> On 03/15/2011 12:54 PM, David McGuffey wrote:
>> Finished installing CentOS 5.5 x86_64 on a new Dell tower workstation that has a quad core Intel processor and 8 GB of ram. BIOS has hardware virtualization support enabled. /proc/cpuinfo shows that all four cores have the vmx flag present.
>> I applied a lot of the National Security Agency guide for securing Red Hat Linux 5, testing the key applications I need as I went. At the end of the process I bring up VMM and it claims that the hardware doesn't support full virtualization.
> Can you see if kvm modules are loaded:
> lsmod | grep kvm
> Example in my laptop (Intel C2D):
> $ lsmod | grep kvm
> kvm_intel 41950 0
> kvm 257356 1 kvm_intel
> HTH
I'll check tomorrow when I'm at the machine.
Dave M
On 03/15/2011 08:17 PM, David McGuffey wrote:
> On Tue, 2011-03-15 at 21:21 +0100, Athmane Madjoudj wrote:
>> On 03/15/2011 12:54 PM, David McGuffey wrote:
>>> Finished installing CentOS 5.5 x86_64 on a new Dell tower workstation that has a quad core Intel processor and 8 GB of ram. BIOS has hardware virtualization support enabled. /proc/cpuinfo shows that all four cores have the vmx flag present.
>>> I applied a lot of the National Security Agency guide for securing Red Hat Linux 5, testing the key applications I need as I went. At the end of the process I bring up VMM and it claims that the hardware doesn't support full virtualization.
>> Can you see if kvm modules are loaded:
>> lsmod | grep kvm
>> Example in my laptop (Intel C2D):
>> $ lsmod | grep kvm
>> kvm_intel 41950 0
>> kvm 257356 1 kvm_intel
>> HTH
> I'll check tomorrow when I'm at the machine.
Did you verify that this was working before applying those settings in the NSA guide?
What does/is VMM "claiming" ... are you seeing only fully virtualized and not paravirtualized as a selection or what is the problem that you are encountering? I am not an expert on KVM, but when I install a KVM VM in Virtual Machine Manager, I have to select "Fully Virtualized" initially, then if I want to install the virtio (paravirtualized) drivers, I need to do it like this:
http://www.cyberciti.biz/faq/centos-rhel-linux-kvm-virtulization-tutorial/
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Virtualiza...
I am fairly sure that only if you are running Xen will you actually see a "Paravirtualized" selection in Virtual Machine Manager ... however I would suggest that you use KVM and not Xen as KVM is where RHEL Virtualization is moving towards and Xen is being moved away from.
The BIOS of many machines can "disable" virtual machine extensions (also called other things ... usually with Virtual, Virtual Technologies, or VT in the name). According to KVM (link below), sometimes certain settings do need to be turned off while others need to be on, so there may be a specific set of on and off that make it work on this type of machine.
So, it is possible for vmx to show up in the cpu flags but for it to be disabled. Specifically, some Dell machines need "Trusted Computer" or "Trusted Execution" enabled as well.
http://www.linux-kvm.org/page/FAQ#.22KVM:_disabled_by_BIOS.22_error
Verifying the latest version of the BIOS is installed can be very important for memory sizes greater than 4 GB of RAM and proper APIC operation on Linux as well. If you need to flash the BIOS on a Dell machine that has Linux installed, I use a "Free DOS" iso to boot from and put the Dell BIOS on my USB key, which is normally detected as C: or D: on my machines when booting the "Free Dos" ISO. I use fdfullcd.iso from here (use the LiveCD and do NOT install Free DOS on your main drive :D):
http://www.freedos.org/freedos/files/
Some machines (if Linux is supported on them) have the ability to flash the BIOS via Linux, but I normally do it via FreeDOS anyway. Here is the Dell Linux site with repositories if applicable:
There is a link on the right hand side named "Dell Community Repository" that goes here:
On Wed, 2011-03-16 at 03:36 -0500, Johnny Hughes wrote:
> On 03/15/2011 08:17 PM, David McGuffey wrote:
> ...
> Did you verify that this was working before applying those settings in the NSA guide?
No...the prototype worked A-OK on another machine with the same CentOS 5.5 DVD, so I focused on the security hardening process...my bad...won't do that again.
> What does/is VMM "claiming" ... are you seeing only fully virtualized and not paravirtualized as a selection or what is the problem that you are encountering? I am not an expert on KVM, but when I install a KVM VM in Virtual Machine Manager, I have to select "Fully Virtualized" initially, then if I want to install the virtio (paravirtualized) drivers, I need to do it like this:
The selection for full/para virtualization is locked in para and all grayed out.
> I am fairly sure that only if you are running Xen will you actually see a "Paravirtualized" selection in Virtual Machine Manager ... however I would suggest that you use KVM and not Xen as KVM is where RHEL Virtualization is moving towards and Xen is being moved away from.
Not running the xen kernel.
> The BIOS of many machines can "disable" virtual machine extensions (also called other things ... usually with Virtual, Virtual Technologies, or VT in the name). According to KVM (link below), sometimes certain settings do need to be turned off while others need to be on, so there may be a specific set of on and off that make it work on this type of machine.
That must be the problem. Searching dmesg shows the following two lines next to each other:
kvm: disabled by bios
ksm: loaded
modprobe kvm-intel also reports: .../weak-updates/kmod-kvm...
A search of that gives some guidance, but I'm sure the first challenge I have is to find the right bios settings, possibly updating the bios along the way.
> So, it is possible for vmx to show up in the cpu flags but for it to be disabled. Specifically, some Dell machines need "Trusted Computer" or "Trusted Execution" enabled as well.
> http://www.linux-kvm.org/page/FAQ#.22KVM:_disabled_by_BIOS.22_error
> Verifying the latest version of the BIOS is installed can be very important for memory sizes greater than 4 GB of RAM and proper APIC operation on Linux as well. If you need to flash the BIOS on a Dell machine that has Linux installed, I use a "Free DOS" iso to boot from and put the Dell BIOS on my USB key, which is normally detected as C: or D: on my machines when booting the "Free Dos" ISO. I use fdfullcd.iso from here (use the LiveCD and do NOT install Free DOS on your main drive :D):
Thanks...that is probably what I'm going to have to do.
Dave M
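The three checks walked through in this thread (vmx flag in /proc/cpuinfo, lsmod, dmesg) combined into one triage function, as an added example that is not part of the original messages. The function names `kvm_triage` and `kvm_demo` and the verdict strings are hypothetical, and the sample inputs are constructed to reproduce the symptom reported above.

```shell
#!/bin/sh
# Triage why KVM full virtualization is unavailable on a host.
# Usage: kvm_triage CPUINFO_FILE LSMOD_FILE DMESG_FILE
# Prints one verdict word (hypothetical names) and returns 0 only for "ok".
kvm_triage() {
    cpuinfo=$1 lsmod_out=$2 dmesg_out=$3

    # 1. Does the CPU advertise VT-x (vmx) or AMD-V (svm) at all?
    if ! grep -Eq '^flags[[:space:]]*:.*[[:space:]](vmx|svm)([[:space:]]|$)' "$cpuinfo"; then
        echo no-cpu-support; return 1
    fi
    # 2. The flag can be present while firmware has the feature turned off.
    #    Checked before the module test, because in that state the vendor
    #    module fails to load and "not loaded" would hide the real cause.
    if grep -iq 'kvm: disabled by bios' "$dmesg_out"; then
        echo disabled-by-bios; return 2
    fi
    # 3. Is the vendor module loaded next to the core kvm module?
    if ! grep -Eq '^kvm_(intel|amd)[[:space:]]' "$lsmod_out"; then
        echo module-not-loaded; return 3
    fi
    echo ok; return 0
}

# Constructed sample of the state reported in the thread: vmx flag present,
# no kvm_intel in lsmod, and the "disabled by bios" line in dmesg.
kvm_demo() {
    d=$(mktemp -d) || return 1
    printf 'flags\t\t: fpu vme de pse msr vmx est tm2\n' > "$d/cpuinfo"
    printf 'Module                  Size  Used by\n' > "$d/lsmod"
    printf 'kvm: disabled by bios\nksm: loaded\n' > "$d/dmesg"
    kvm_triage "$d/cpuinfo" "$d/lsmod" "$d/dmesg" || true
    rm -rf "$d"
}

# Live use on a host (reading the kernel log may need root):
#   lsmod > /tmp/lsmod.txt; dmesg > /tmp/dmesg.txt
#   kvm_triage /proc/cpuinfo /tmp/lsmod.txt /tmp/dmesg.txt
kvm_demo
```

Running the same triage before and after each batch of hardening changes shows whether a later failure comes from the hardening or was already present in firmware.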