On Wed, 2011-03-16 at 03:36 -0500, Johnny Hughes wrote:
> On 03/15/2011 08:17 PM, David McGuffey wrote:
> > ...
>
> Did you verify that this was working before applying those settings in
> the NSA guide?
>

No...the prototype worked A-OK on another machine with the same CentOS
5.5 DVD, so I focused on the security hardening process...my bad...won't
do that again.

> What does/is VMM "claiming" ... are you seeing only fully virtualized
> and not paravirtualized as a selection or what is the problem that you
> are encountering? I am not an expert on KVM, but when I install a KVM
> VM in Virtual Machine Manager, I have to select "Fully Virtualized"
> initially, then if I want to install the virtio (paravirtualized)
> drivers, I need to do it like this:
>

The selection for full/para virtualization is locked in para and all
grayed out.

> I am fairly sure that only if you are running Xen will you actually see
> a "Paravirtualized" selection in Virtual Machine Manager ... however I
> would suggest that you use KVM and not Xen as KVM is where RHEL
> Virtualization is moving towards and Xen is being moved away from.
>

Not running the xen kernel.

> The BIOS of many machines can "disable" virtual machine extensions (also
> called other things ... usually with Virtual, Virtual Technologies, or
> VT in the name). According to KVM (link below), sometimes certain
> settings do need to be turned off while others need to be on, so there
> may be a specific set of on and off that make it work on this type of
> machine.
>

That must be the problem. Searching dmesg shows the following two lines
next to each other:

kvm: disabled by bios
ksm: loaded

modprobe kvm-intel also reports:
.../weak-updates/kmod-kvm...

A search of that gives some guidance, but I'm sure the first challenge I
have is to find the right bios settings, possibly updating the bios
along the way.

> So, it is possible for vmx to show up in the cpu flags but for it to be
> disabled. Specifically, some Dell machines need "Trusted Computer" or
> "Trusted Execution" enabled as well.
>
> http://www.linux-kvm.org/page/FAQ#.22KVM:_disabled_by_BIOS.22_error
>
> Verifying the latest version of the BIOS is installed can be very
> important for memory sizes greater than 4 GB of RAM and proper APIC
> operation on Linux as well. If you need to flash the BIOS on a Dell
> machine that has Linux installed, I use a "Free DOS" iso to boot from
> and put the Dell BIOS on my USB key, which is normally detected as C: or
> D: on my machines when booting the "Free Dos" ISO. I use fdfullcd.iso
> from here (use the LiveCD and do NOT install Free DOS on your main drive
> :D):

Thanks...that is probably what I'm going to have to do.

Dave M
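
Added example, not part of the original thread and not code from either poster: shell functions that separate "the CPU advertises vmx" from "the firmware has locked it off", working on saved /proc/cpuinfo and dmesg text, and that go one step beyond the thread by decoding Intel's IA32_FEATURE_CONTROL MSR (0x3a). The function names, result labels and any sample inputs are constructed for illustration; reading the MSR on a live host assumes `rdmsr` from msr-tools and root.

```shell
#!/bin/sh
# Added example: classify why KVM hardware virtualization is unavailable.
# Inputs are passed as text so the logic also works on saved output.
# Live use (assumption: run as root on the affected host):
#   kvm_state "$(cat /proc/cpuinfo)" "$(dmesg)"
#   feature_control "$(rdmsr 0x3a)"     # rdmsr prints hex without 0x

# kvm_state CPUINFO_TEXT DMESG_TEXT
# prints: no-hw-support | bios-disabled | ready
kvm_state() {
    cpuinfo=$1
    dmesg_text=$2
    # vmx = Intel VT-x, svm = AMD-V. Match whole words on flags lines only.
    if ! printf '%s\n' "$cpuinfo" | grep -E '^flags[[:space:]]*:' |
         grep -Eq '(^|[[:space:]])(vmx|svm)([[:space:]]|$)'; then
        echo no-hw-support
        return
    fi
    # The flag only advertises the capability; firmware can still lock it
    # off, which the kvm module reports in the kernel log.
    if printf '%s\n' "$dmesg_text" | grep -qi 'kvm: disabled by bios'; then
        echo bios-disabled
        return
    fi
    echo ready
}

# feature_control MSR_HEX
# Decodes IA32_FEATURE_CONTROL: bit 0 = lock,
# bit 1 = VMX allowed inside SMX (Intel TXT), bit 2 = VMX allowed outside SMX.
# prints: vmx-enabled | vmx-only-under-txt | vmx-locked-off | unlocked
feature_control() {
    v=$((0x$1))
    lock=$((v & 1))
    smx=$(( (v >> 1) & 1 ))
    nosmx=$(( (v >> 2) & 1 ))
    if [ "$nosmx" -eq 1 ]; then
        echo vmx-enabled
    elif [ "$lock" -eq 1 ] && [ "$smx" -eq 1 ]; then
        echo vmx-only-under-txt      # firmware permits VMX only with TXT
    elif [ "$lock" -eq 1 ]; then
        echo vmx-locked-off          # needs a firmware setting change
    else
        echo unlocked                # not locked; the OS may still enable it
    fi
}
```

A `bios-disabled` or `vmx-locked-off` result can only be changed in firmware setup, since the lock bit stays set until the next reset.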