ClamAV on Fedora and Enterprise Linux…

Following on from my post on AntiVirus Software and Apple Macs, I decided to add antivirus to my desktop machines also. I chose ClamAV because it is part of the Fedora repository. I wrote a quick note about installing ClamAV on Fedora and Enterprise Linux (RHEL, Oracle Linux, CentOS etc.).

Not surprisingly, scans revealed no viruses on any of my Fedora machines.

Cheers

Tim…

Oracle on Fedora 17 beta.

I have been playing around with Fedora 17 beta in preparation for my server upgrades when it is released at the end of the month. While I was at it, I did my typical articles for Fedora.

I’ll run through them again when the final release drops, then officially put them live.

Cheers

Tim…

scsi_id and UDEV issues (update)…

Last month I wrote about a problem I saw with scsi_id and UDEV in OL5.8. As it screwed up all my UDEV rules it was a pretty important issue for me. It turned out this was due to a mainline security fix (CVE-2011-4127) affecting the latest kernels of both RHEL/OL5 and RHEL/OL6. The comments on the previous post show a couple of workarounds.

Over the weekend I started to update a couple of articles that mentioned UDEV rules (here and here) and noticed the problem had disappeared. I updated two VMs (OL5.8 and OL6.2) with the latest changes, including the UEK updates, ran the tests again and here’s what I got.

# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.8 (Tikanga)
# uname -r
2.6.39-100.6.1.el5uek
# scsi_id -g -u -s /block/sda/sda1
SATA_VBOX_HARDDISK_VB535d493d-7a44eb0f_
#

# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.2 (Santiago)
# uname -r
2.6.39-100.6.1.el6uek.x86_64
# /sbin/scsi_id -g -u /dev/sda1
1ATA_VBOX_HARDDISK_VB2b5dc561-4ae6e154
#

So it looked like normal service had been resumed. 🙂 Unfortunately, the MOS Note 1438604.1 associated with this issue is still not public, so I couldn’t tell if this was a unilateral change in UEK, or part of a mainline fix for the previous change.

To check I fired up a CentOS 6.2 VM with the latest kernel updates and switched an Oracle Linux VM to the latest RHEL compatible kernel and did the test on both. As you can see, they both still don’t report the scsi_id for partitions.

# cat /etc/redhat-release
CentOS release 6.2 (Final)
# uname -r
2.6.32-220.13.1.el6.x86_64
# /sbin/scsi_id -g -u /dev/sda1
#

# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.2 (Santiago)
# uname -r
2.6.32-220.13.1.el6.x86_64
# /sbin/scsi_id -g -u /dev/sda1
#

It could be the associated fix has not worked through the mainline to RHEL and CentOS yet. I’ll do a bit of digging around to see what is going on here.

Cheers

Tim…

Update: It appears the reversion of this functionality may not be permanent, so I’ve updated my articles to use a “safer” method of referencing the parent (disk) device, rather than the partition device.

Linux Firewall and SELinux (RHCSA)…

I’ve put the last two articles in the RHCSA certification series live.

These took a little bit of time because I was in denial (and ill for a couple of weeks). When I put the previous batch of articles live, I mentioned these objectives were the ones I knew least about. That’s mostly because my standard operating procedure for Oracle servers is to disable SELinux and turn off the firewall. I reached out to the OakTable to see what Oracle do on their engineered solutions (Exadata and ODA) and it seems the answer depends on which part of the solution you are discussing (RAC nodes or storage cells) and the age/patch level of the kit software you have.

In the early releases it was very much SELinux and firewall disabled. Later releases have SELinux in permissive mode on some components and the firewall enabled on some components.

Running SELinux in permissive mode seems a bit pointless to me, unless you are investigating what policies need to be changed in order to switch to enforcing it at a later date. I’m still not convinced about the relevance of SELinux for a database server at this point, but my opinion may change as I get more familiar with it. It is quite literally an uneducated opinion at this point. 🙂

Now I’ve completed the revision notes for the RHCSA exam I guess I should think about taking the exam. I’ve just checked the Red Hat website and the earliest I could sit the exam in Birmingham is July. Unfortunately I’m out of the country for much of July, so it would appear the middle of August is probably going to be the first real opportunity. Most other cities have a couple of dates a month, but not here. Once again Birmingham proves itself to be at the arse-end of British I.T. 🙁

Cheers

Tim…

Fedora 17 Alpha…

I’ve just tried the alpha of Fedora 17 to see if the GNOME 3 software rendering worked, and it did. You may recall, since updating my graphics card I’ve been forced to use the fallback mode on Fedora 16. I’m quite keen to move back to proper GNOME 3, which looks like it will be possible when F17 is released.

On a VM it seems a little on the slow side, so I hope this isn’t an indication that it will be annoying on my desktop. I guess time will tell. Fingers crossed though.

Cheers

Tim…

The new oracle-validated is here (oracle-rdbms-server-11gR2-preinstall)…

Lenz Grimmer blogged today about the release of the “oracle-rdbms-server-11gR2-preinstall” package, the Oracle Linux 6 version of the “oracle-validated” package we know and love.

I did a run through of an installation using it and it does exactly what it says it will. I’ve modified my 11gR2 installation on OL6 article accordingly.

Cheers

Tim…

Another batch of Linux articles (RHCSA)…

I’ve just put another batch of Linux articles live.

As before, they are focussing on the RHCSA exam objectives, so a lot of it is pretty basic information.

The Firewall and SELinux objectives are the only ones left now. These two objectives were the main reasons I decided to start this process. I left them until last because I figured if I started with them, I might never get round to doing the other articles. 🙂

As far as the Linux firewall goes, if it can’t be done with the point and click GUI (or TUI), I don’t do it, so taking a look at iptables from the command line has been on my list for a very long time. The RHCSA objective suggests using the GUI/TUI interface should be sufficient, since it says, “using system-config-firewall or iptables”. In contrast, the RHCE objectives explicitly mention iptables, possibly suggesting tasks that may not be possible from the GUI? The question is, how much do I trust my own judgement on this matter? I would prefer to go into the RHCSA exam with too much information, rather than not enough, so I guess I’ll take a look at iptables from the command line before attempting the RHCSA exam.

I know even less about SELinux than I do about the firewall. For Oracle installations I typically disable it. 🙂 So I guess this objective is going to be a magical mystery tour. 🙂

If anyone has sat the RHCSA exam for RHEL6, I would be interested to hear your thoughts on the Firewall and SELinux objectives. I think I’ve got a pretty good handle on the other objectives, but I’m kinda shooting in the dark with these two. It would be a shame to waste £400 on a failed exam. 🙂

Cheers

Tim…

Oracle Linux 5.8 and UDEV issues…

I just did an update from Oracle Linux 5.7 to 5.8 on one of my VirtualBox RAC installations and things are not looking too clever at the moment. After a reboot, the ASM instances and therefore the database instances wouldn’t restart. A quick look showed the ASM disks were not visible. On this installation I was using UDEV, rather than ASMLib. In checking the UDEV rules I noticed the scsi_id command on OL5.8 doesn’t report an ID for partitions on disks, only the disks themselves. For example, on OL5.7 I get this,

# /sbin/scsi_id -g -u -s /block/sdb/sdb1
SATA_VBOX_HARDDISK_VBd306dbe0-df3367e3_
#

On OL5.8 I get this,

# /sbin/scsi_id -g -u -s /block/sdb/sdb1
#

If I run it against the disk, rather than the partition it works fine.

This has literally just happened, so I’ve done no further investigation, but I thought it was worth putting out there in case anyone was about to start an OS update on something they cared about. 🙂

At this point I’m not discounting that I’ve screwed up somewhere. My next plan is to install three clean VMs (OL 5.6, 5.7 and 5.8) and check the output of scsi_id on each of them. If that turns out OK, then I’ve screwed up something else and you can probably ignore this post. I might not get to try it out until tomorrow. Either way, I’ll update this post with the results of that test.

Cheers

Tim…

Update 1: It’s definitely changed. See the following.

# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.6 (Tikanga)
# /sbin/scsi_id -g -u -s /block/sda/sda1
SATA_VBOX_HARDDISK_VB54dff07f-931ce4d7_
#

# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.7 (Tikanga)
# /sbin/scsi_id -g -u -s /block/sda/sda1
SATA_VBOX_HARDDISK_VBx180d717-f896e661_
#

# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.8 (Tikanga)
# /sbin/scsi_id -g -u -s /block/sda/sda1
#

Update 2: As John Sobecki correctly pointed out in the comments, the title of the post is misleading. UDEV is not at fault here. The problem is the “/sbin/scsi_id” command is behaving differently, which is making my rules useless. The UDEV issue is the symptom, not the cause. The post is clearly focusing on the scsi_id issue, but I’ve picked a pretty bad title to go with it. 🙂

Update 3: John Sobecki pointed me at “[block] fail SCSI passthrough ioctls on partition devices CVE-2011-4127”, a mainline kernel security fix that seems to be the cause of this. It affects all new kernels which include this change (RHEL5/6, UEK etc). Oracle are testing the impact of this. Initially ASMLib and OCFS seem unaffected.

Update 4: MOS Note 1438604.1 (currently in review) contains more information about this issue. ASMLib and OCFS are unaffected by CVE-2011-4127, so ASMLib should probably be used in preference to UDEV with newer kernels.

Update 5: I’ve altered all the articles on my site to reference the parent (disk) device, rather than the partition device, which makes the UDEV rules work fine again. Thanks to Bryan Wood and Joachim for their suggestions.
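As an added example (not from the original post or the linked articles), this is the shape of the change described in Update 5 and in the scsi_id update post above, written for an OL6 system. A rule that runs scsi_id against the partition node gets no output on a kernel carrying the CVE-2011-4127 change, so its RESULT never matches; the same rule run against the parent disk via udev’s $parent substitution keeps working. The RESULT value is the OL6 scsi_id output shown above; the rules filename, the asm-disk1 name and the oracle/dba ownership are assumptions.

```udev
# /etc/udev/rules.d/99-oracle-asmdevices.rules   (filename assumed)

# BEFORE (stops working on kernels with the CVE-2011-4127 change).
# scsi_id is run against the partition node itself. The patched kernel
# refuses SCSI passthrough ioctls on partition devices, scsi_id prints
# nothing, RESULT never matches and /dev/asm-disk1 is never created.
#
# KERNEL=="sd?1", SUBSYSTEM=="block", PROGRAM=="/sbin/scsi_id -g -u -d /dev/$name", RESULT=="1ATA_VBOX_HARDDISK_VB2b5dc561-4ae6e154", NAME="asm-disk1", OWNER="oracle", GROUP="dba", MODE="0660"

# AFTER. Still match the partition (sd?1), but ask scsi_id about the
# parent disk: udev expands $parent to the parent's kernel name, so for
# sda1 the command becomes "/sbin/scsi_id -g -u -d /dev/sda". Passthrough
# ioctls on the whole disk are unaffected, the identifier is returned and
# the rule fires as before. The device node it creates is still the
# partition, only the lookup moved to the disk.
KERNEL=="sd?1", SUBSYSTEM=="block", PROGRAM=="/sbin/scsi_id -g -u -d /dev/$parent", RESULT=="1ATA_VBOX_HARDDISK_VB2b5dc561-4ae6e154", NAME="asm-disk1", OWNER="oracle", GROUP="dba", MODE="0660"
```

On OL6 `udevadm test /sys/block/sda/sda1` replays the rules for that partition and shows which PROGRAM ran and whether RESULT matched, so the rule can be checked without a reboot; a rule whose RESULT silently stops matching is exactly the failure mode that took the ASM disks offline here.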

More Linux Articles (RHCSA)…

I put a few more Linux articles live yesterday.

As before, they are targeted at the level of information needed for the RHCSA exam, so nothing really new for long time users of Linux.

I also changed the introductory article to include the exam objectives, each linking to the relevant article for that objective. I didn’t want to break things down to one article per objective, because I think there is too much crossover, so this seemed the best solution.

Writing this basic Linux stuff can be a little dull compared to writing about new Oracle features. Sometimes I feel like writing, “just read the bloody ‘man/info’ page!” 🙂 I considered giving up a couple of times, then I got a rash of simple Linux questions and it seemed like destiny when I could easily answer them by pointing to an article I was currently writing. I guess in the past I’ve been a little dismissive of these types of questions. It’s easy to forget that Linux is still very new to lots of people. I tend to think of Oracle DBAs as having a reasonable UNIX background, but there are a lot of Oracle DBA types who never venture far from Windows, so maybe this stuff is more useful than it seems at first sight.

I guess I’m about two thirds of the way through the RHCSA notes now.

Cheers

Tim…

What if Oracle 11gR2 never gets certified on RHEL6/OL6?

I’ve been involved in a number of blog comment, email and twitter exchanges over the last few months about the 11gR2 on RHEL6/OL6 certification issue.

The last time I blogged specifically about it was in October and it’s now over 6 months since Red Hat completed their part in the certification of 11gR2 on RHEL6, yet still no news.

In the course of these conversations I’ve come across a number of ridiculous conspiracy theories, as well as statements from people who know a hell of a lot more about Oracle platform certification than me. It’s worth saying at this point that none of the sources of these ideas are current Oracle employees, so they are not privy to “inside” information. Same goes for me. I’m just another person trying to figure out what is going on.

Here are some of the points from the last few months that stand out to me:

  • Oracle software working on a platform and certifying it on that platform are not the same thing.
  • Platform certification is a labor intensive operation, most of which is the responsibility of the platform vendor.
  • Even though RH have completed their part of the RHEL6 certification process, Oracle have not done the same for OL6. Oracle will *never* let RHEL6 be certified if OL6 is not.
  • Certification of Oracle on OL6 will have an impact on all Oracle appliances and engineered systems currently on sale. All of these systems currently use OL5.x. How long after certification will customers start demanding an OS upgrade?
  • Oracle have no pressing need to certify RHEL6/OL6, since all the performance improvements of the RHEL6 kernel are already in the OL5.x UEK. Oracle are a business, so why throw resources at certifying an “old” version of the database on a “new” platform when a new Oracle version is just around the corner?
  • Distro version is unimportant on an Oracle server. The kernel is the biggest factor. Most of the software in a Linux distro is useless guff as far as an Oracle installation is concerned. Do you really care what version of the browser or LibreOffice ships with your server OS?
  • Oracle 12c is currently in beta. The rumor is it will be announced/released at OOW12. Once it is released Oracle will have to go into overdrive to make sure it is certified on all the important platforms and presumably shipping on all their appliances and engineered systems. That is going to be a mammoth task. Do you really see them wasting time on 11gR2 at this point in the DB lifecycle?
  • The support cycle for RHEL and OL has increased to 10 years, so there is no pressing need to upgrade your OS from a support perspective.

Of course, nobody on the outside really knows what is going on and I imagine anyone on the inside would be looking for a new job if they let slip. From this point on I will follow the advice of people far more qualified than me and assume that “Oracle 11gR2 will never be certified on RHEL6/OL6”. If by some fluke it does happen, then it will be a happy surprise.

To end this depressing post on a lighter note, this is one of my recent tweets on the subject…

Cheers

Tim…

PS. I purposely didn’t attribute names to these points. Not everyone wants to be outed to the world, especially when their opinions were expressed via email.

Update: It’s finally certified. See here.