Monday Jul 15, 2013

Migrating from SUSE Linux to Oracle Linux - System Initialization

The iptables service defines rules for handling packets on a Linux system. It's usually a good idea to disable this service during installation of a Linux update to prevent malicious code from being installed by angry cats (image removed from blog). Once the update is installed securely, you can define the iptables rules and once again enable the service.

To find out, before you install an update to Oracle Linux, whether the iptables service is enabled, use the list option to the chkconfig command. It displays the status of Linux services at boot time. For example:

# chkconfig --list
abrtd 0:off 1:off 2:off 3:on 4:off 5:on 6:off
acpid 0:off 1:off 2:off 3:off 4:off 5:off 6:off
atd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
iptables 0:off 1:off 2:off 3:off 4:off 5:off 6:off
SUSE Linux to Oracle Linux: Guide for System Administrators

To check the status of only the iptables service, pipe in a little grep:

chkconfig --list | grep iptables

This is just one of the tips provided by Manik Ahuja and Kamal Dodeja in their OTN technical article, ....

Tech Article: How to Initialize an Oracle Linux System

This is the first in a series of articles that outline the major steps in migrating from SUSE Linux to Oracle Linux. It focuses on registering your system, downloading the latest version of Oracle Linux, and performing some basic initialization steps. Stay tuned for more articles.


- Rick

Follow me on:
Blog | Facebook | Twitter | YouTube | The Great Peruvian Novel

Wednesday Jun 26, 2013

Linux-Containers — Part 1: Overview

"Containers" by Phil Parker (CC BY 2.0).

Linux Containers (LXC) provide a means to isolate individual services or applications, as well as a complete Linux operating system, from other services running on the same host. To accomplish this, each container gets its own directory structure, network devices, IP addresses and process table. The processes running in other containers or the host system are not visible from inside a container. Additionally, Linux Containers allow for fine-grained control of resources like RAM, CPU or disk I/O.

Generally speaking, Linux Containers use a completely different approach than "classical" virtualization technologies like KVM or Xen (on which Oracle VM Server for x86 is based). An application running inside a container will be executed directly on the operating system kernel of the host system, shielded from all other running processes in a sandbox-like environment. This allows a very direct and fair distribution of CPU and I/O resources. Linux containers can offer the best possible performance and several possibilities for managing and sharing the resources available.

Similar to Containers (or Zones) on Oracle Solaris or FreeBSD jails, the same kernel version runs on the host as well as in the containers; it is not possible to run different Linux kernel versions or other operating systems like Microsoft Windows or Oracle Solaris for x86 inside a container. However, it is possible to run different Linux distribution versions (e.g. Fedora Linux in a container on top of an Oracle Linux host), provided it supports the version of the Linux kernel that runs on the host. This approach has one caveat, though - if any of the containers causes a kernel crash, it will bring down all other containers (and the host system) as well.

For example, Oracle's Unbreakable Enterprise Kernel Release 2 (2.6.39) is supported for both Oracle Linux 5 and 6. This makes it possible to run Oracle Linux 5 and 6 container instances on top of an Oracle Linux 6 system. Since Linux Containers are fully implemented on the OS level (the Linux kernel), they can be easily combined with other virtualization technologies. It's certainly possible to set up Linux containers within a virtualized Linux instance that runs inside Oracle VM Server or Oracle VM VirtualBox.

Some use cases for Linux Containers include:

  • Consolidation of multiple separate Linux systems on one server: instances of Linux systems that are not performance-critical or only see sporadic use (e.g. a fax or print server or intranet services) do not necessarily need a dedicated server for their operations. These can easily be consolidated to run inside containers on a single server, to preserve energy and rack space.
  • Running multiple instances of an application in parallel, e.g. for different users or customers. Each user receives his "own" application instance, with a defined level of service/performance. This prevents one user's application from hogging the entire system and ensures that each user only has access to his own data set. It also helps to save main memory — if multiple instances of the same process are running, the Linux kernel can share memory pages that are identical and unchanged across all application instances. This also applies to shared libraries that applications may use; they are generally held in memory once and mapped to multiple processes.
  • Quickly creating sandbox environments for development and testing purposes: containers that have been created and configured once can be archived as templates and can be duplicated (cloned) instantly on demand. After finishing the activity, the clone can safely be discarded. This makes it possible to provide repeatable software builds and test environments, because the system will always be reset to its initial state for each run. Linux Containers also boot significantly faster than "classic" virtual machines, which can save a lot of time when running frequent build or test runs on applications.
  • Safe execution of an individual application: if an application running inside a container has been compromised because of a security vulnerability, the host system and other containers remain unaffected. The potential damage can be minimized, analyzed and resolved directly from the host system.

Note: Linux Containers on Oracle Linux 6 with the Unbreakable Enterprise Kernel Release 2 (2.6.39) are still marked as Technology Preview - their use is only recommended for testing and evaluation purposes.

The Open-Source project "Linux Containers" (LXC) is driving the development of the technology behind this, which is based on the "Control Groups" (CGroups) and "Name Spaces" functionality of the Linux kernel. Oracle is actively involved in the Linux Containers development and contributes patches to the upstream LXC code base.

Control Groups provide means to manage and monitor the allocation of resources for individual processes or process groups. Among other things, you can restrict the maximum amount of memory, CPU cycles as well as the disk and network throughput (in MB/s or IOP/s) that are available for an application.

Name Spaces help to isolate process groups from each other, e.g. the visibility of other running processes or the exclusive access to a network device. It's also possible to restrict a process group's access and visibility of the entire file system hierarchy (similar to a classic "chroot" environment).

CGroups and Name Spaces provide the foundation on which Linux containers are based, but they can actually be used independently as well.

The second part of this article will describe in more detail how Linux Containers can be created and managed on Oracle Linux.


- Lenz Grimmer

Follow me on:
Personal Blog | Facebook | Twitter | Linux Blog |

Friday Jun 07, 2013

How to Get Started Using DTrace on Oracle Linux

I. hate. slow. code. (Image removed from blog.)

We all hate slow code. Bunch of princesses is what we've become. During the American Civil War, they had to deliver their text messages by horseback! It took weeks! And half the time, they got blown off their horse by a cannonball to the neck!

Today? Today we have to have our stuff back in milliseconds, or we start tweeting about it. So, if you're developing or deploying applications, how do you keep them performing at the speed to which we have become accustomed? DTrace, of course.

"But I'm a Linux guy," you say. "I don't DO Oracle Solaris."

That's fine. The folks at Oracle Solaris are not only wicked smart, they are generous. Now you can use DTrace on Oracle Linux. Let me point out, by the way, that DTrace is just as useful for sysadmins as it is for developers. In this video, taken a couple of years ago, Brendan Gregg explains how sysadmins can make their deployed applications run faster even after the developers who wrote them pushed back the last bits of their code:

Video Interview: How to Improve the Performance of Deployed Applications Using DTrace

Brendan Gregg describes the best ways for sysadmins to tune deployed applications to get more performance out of them in their particular computing environment.

Bonus: More info about Brendan Gregg plus links to his personal and professional blogs.

If you'd like to try DTrace on Oracle Linux, here are some resources to get you started.

What DTrace Probes Are Available on Oracle Linux?

If you are running Oracle Linux 6 with the DTrace-enabled Unbreakable Enterprise Kernel Release 2 (2.6.39), you can run this command to list all the DTrace probes available on your system:

dtrace -l

If you are not running that version of Oracle Linux, you can download it from the ol6_x86_64_Dtrace_latest channel on the Unbreakable Linux Network (ULN). For more info about installing and configuring DTrace, see the DTrace chapter in the Oracle Linux Administrator's Solutions Guide for Release 6.

For each probe listed by dtrace -l, the output includes a name, the portion of the program where it resides, and the Oracle Linux kernel module that does the probing. Once you have that, go to Chapter 11 of the DTrace Guide to find out what each probe does.

Article: How to Get Started Using DTrace on Oracle Linux

DTrace is a powerful tool, and it can do some amazing things. But it's not that difficult to get started doing simple things. You can build up from there. In this article, Richard Friedman gives you a high-level overview of DTrace and its major components: providers, modules, functions, and probes. He explains how you can use either one-liner commands on the command line, or write more complex instructions in scripts, using the D language. He provides simple examples for each. It's a great way to get your feet wet.

Article: How to Get Started Using DTrace on Oracle Linux
Bonus: Brendan Gregg's one liners for DTrace (some of the existing DTrace one-liners will require modification to work on Oracle Linux).

The DTrace Book

You can get all the info you need about DTrace through the Dynamic Tracing in Oracle Solaris, Mac OS X, and FreeBSD, by Brendan Gregg and Jim Mauro. Of course, you can also buy your own paper or electronic copy through any of the major retailers. (We're working on getting a good discount for the book, but you'll have to subscribe to the OTN Systems Community Newsletter to find out about it.)

Bonus: How the DTrace book got done, by Deirdre Straughan

DTrace Forums

Lots of developers and sysadmins are using DTrace and posting their questions and tips on the DTrace Forum. Here's an example of one conversation:

Q: Unexpected output of dtrace script
m1436 wrote a dtrace script to monitor the bytes returned by the read() system call to the user programme, but was getting strange results. He includes the dtrace script and the strange output.

A: kvh responds, explaining that the problem m1436 encountered is the result of a common misconception about copyin(). "It is intended to be used to copy content of userspace memory into a scratch buffer so that it can be accessed directly from within kernel space (where the DTrace core executes). That said, it is often interpreted as somehow being equivalent to malloc() whereas in reality it actually works like alloca() instead. So, what you are seeing is basically the artifact of the scratch buffer being overwritten with other data. ... in order for this to work, you should do things a bit differently."

The DTrace forum always has great discussions. Let me know if you find any that are worthy of highlighting. And good luck!

- Rick


Wednesday Apr 17, 2013

How the Oracle Linux Update Channels are Structured

"Beer Taps" by Jamie C2009 (CC BY 2.0).

Oracle Linux distribution releases are identified by a major version like "Oracle Linux 6" or "Oracle Linux 5", followed by an update release number, e.g. "Oracle Linux 6 Update 3" or "Oracle Linux 6.3" in short. Every Oracle Linux distribution release is freely available as ISO installation images from the Oracle Software Delivery Cloud (formerly known as E-Delivery), as well as individual RPM packages, broken up by update releases. These are published via "channels" (or "yum repositories") from the Unbreakable Linux Network (ULN) and our public yum repository.

Security patches and critical bug fixes (errata) for individual packages that are being released in between update releases are published immediately via the corresponding _latest yum repositories and ULN channels at the same time. If you want to ensure that your system is always up to date and fully patched, make sure to have it subscribed to the _latest channel (e.g. ol6_latest). And you don't even need to purchase a support subscription for that, if you use the public yum repositories!

Update releases of a major distribution version are primarily "checkpoints", an accumulation of all patches that have been published since the last update release has been made available. They help to reduce lengthy patch/update procedures that would have to be performed if you would always have to start a new installation from the very first release of a new major version. Update releases within a major version are binary compatible. An application that was installed and tested on Oracle Linux 6.1 will still run on Oracle Linux 6.4.

In addition to the _latest channel, ULN also provides so-called _patch channels, one per update release (e.g. ol6_u4_x86_64_patch for Oracle Linux 6.4 on x86_64). These _patch channels contain all RPM updates that have been published after a new update release (e.g. 6.4) has been released. They are kept up to date with each new update package that is made available. So they allow you to keep a certain update level of the distribution up to date without risking rolling forward to a new update release version automatically (which is what happens when your system is subscribed to the _latest repository).

However, one thing to keep in mind is that these channels actually stop receiving updates once a new update release (e.g. 6.4) has been made available. At this point you need to "go with the flow" and plan your update to the next update release (and its associated _patch channel), if you don't want to risk running an un-patched system.

I'd like to give you an alternative explanation of this channel structure, using software development and source code version control as an analogy. In revision control terms, you could consider the _latest channel the "trunk" of the distribution, a stream of packages that is always up to date and also rolls forward the distribution's update version in regular intervals. The _base channels could be considered "tags" or "snapshots" of the _latest package stream. They represent the state of a major distribution version (e.g. Oracle Linux 6) at a certain point in time, identified by a minor version number (e.g. 6.3). They are being packaged and released in the form of an ISO image as well. The _patch channels could be considered "branches" that are branched off a certain tag and are being kept up to date with the "trunk" until a new update release has been tagged.

I hope this explanation helps understanding the various channels and their purposes!

- Lenz Grimmer


Tuesday Apr 16, 2013

Evaluating Oracle Solaris and Oracle Linux From Your Laptop

Evaluating Oracle Linux From Inside VirtualBox

After importing your Oracle Linux virtual image, you can use the yum install command to download additional packages into your Linux environment. Yuli explains how.

But what's really cool about evaluating an OS from inside VirtualBox is that you can assign each virtual image a unique IP address, and have it communicate with the outside world as if it were its own physical machine on the network. Yuli describes how to do this, and also how to install guest additions to, for instance, share files between the guest and host systems.

Evaluating Oracle Solaris 11 From Inside VirtualBox

In this article Yuli shows you how to create and manage user accounts with either the GUI or the CLI, how to set up networking, and how to use the Service Management Facility (SMF) to, for instance, control SSH connections to the outside world.

Both articles cover the basics to get you started, but also very valuable are the links that Yuli provides to help you move further along in your evaluation.

- Rick


Friday Apr 05, 2013

Migrating to Oracle Linux: How to Identify Applications To Move


One of the first things you need to make when migrating from SUSE Linux to Oracle Linux is an inventory of your applications. A package management tool such as Yet Another Setup Tool (YAST) is a big help here. So is the rpm command. Here are some ways to use it.

To List All The Installed Packages

Use the -qa option.

# rpm -qa

To Save the Output in a File

You can move that file to any location and, anytime later, search through the package list saved there to look for a package of interest:

# rpm -qa > rpmlist.txt

To Sort the Packages

To see the installed packages sorted by install time, use --last. The packages installed most recently will appear at the top of the list, followed by the standard packages installed during the original installation:

# rpm -qa --last

To Find Out If A Particular Component Is Installed

To find out whether a particular component is installed and what version it is, use the name option. For example:

# rpm -qa python

To Find Out What Dependencies a Package Has

Use the -qR option:

# rpm -qR python-2.6.0-8.12.2
python-base = 2.6.0
rpmlib(VersionedDependencies) <= 3.0.3-1
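Building on the saved rpmlist.txt above, the following added example (not from the original post or the migration guide) compares a package list saved on the SUSE system with one saved on the Oracle Linux target and prints the package names that exist only on the source. The file names and all package versions in the sample lists are constructed for illustration.

```sh
#!/bin/sh
# pkg_names: read `rpm -qa` output (name-version-release, optionally with a
# trailing .arch) on stdin and print the bare package names, sorted and
# de-duplicated. RPM does not allow "-" inside a version or a release, so
# dropping the last two "-"-separated fields always leaves the name, even
# for names that contain hyphens themselves (python-base).
pkg_names() {
    sed -e '/^$/d' -e 's/-[^-]*-[^-]*$//' | LC_ALL=C sort -u
}

# missing_on_target SOURCE_LIST TARGET_LIST
# Print the package names present in SOURCE_LIST but absent from TARGET_LIST.
missing_on_target() {
    src_names=$(mktemp) || return 1
    tgt_names=$(mktemp) || return 1
    pkg_names < "$1" > "$src_names"
    pkg_names < "$2" > "$tgt_names"
    LC_ALL=C comm -23 "$src_names" "$tgt_names"
    rm -f "$src_names" "$tgt_names"
}

# write_sample_lists DIR: create two constructed inventories in DIR.
write_sample_lists() {
    cat > "$1/suse-rpmlist.txt" <<'EOF'
python-2.6.0-8.12.2
python-base-2.6.0-8.12.2
apache2-2.2.12-1.38.2
yast2-2.17.129-0.5.1
bash-3.2-147.9.13
EOF
    cat > "$1/ol-rpmlist.txt" <<'EOF'
python-2.6.6-29.el6_3.3.x86_64
bash-4.1.2-9.el6_2.x86_64
httpd-2.2.15-15.0.1.el6_2.1.x86_64
EOF
}

# inventory_demo: run the comparison over the constructed lists.
inventory_demo() {
    demo_dir=$(mktemp -d) || return 1
    write_sample_lists "$demo_dir"
    missing_on_target "$demo_dir/suse-rpmlist.txt" "$demo_dir/ol-rpmlist.txt"
    rm -rf "$demo_dir"
}

inventory_demo
```

A name reported as missing is not necessarily absent on the target: in the sample, apache2 shows up because the equivalent package on the target is called httpd, so the output is a list to review by hand, not a list to install blindly.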

The Linux Migration Guide

You can find out more about migration steps with either rpm or YaST, including the benefits of migrating to Oracle Linux, by downloading the white paper from here:

Download the Oracle Linux Migration Guide

- Rick


Friday Feb 22, 2013

How to Configure the Linux Kernel's Out of Memory Killer


Operating systems sometimes behave like airlines. Since the airlines know that a certain percentage of the passengers won't show up for their flight, they overbook the flights. As anyone who has been to an airport in the last 10 years knows, they usually get it wrong and have to bribe some of us to get on the next flight. If the next flight is the next morning, we get to stay in a nice hotel and have a great meal, courtesy of the airline.

That's going to be my lodging strategy if I'm ever homeless.

The Linux kernel does something similar. It allocates memory to its processes ahead of time. Since it knows that most of the processes won't use all the memory allocated to them, it over-commits. In other words, it allocates a sum total of memory that is more than it actually has. Once in a while too many processes claim the memory that the kernel promised them at the same time. When that happens, the Linux kernel resorts to an option that the airlines wish they had: it kills off processes one at a time. In fact, it actually has a name for this function: the out-of-memory killer.

Robert Chase explains.

How to Configure the Out of Memory Killer

Robert Chase describes how to examine your syslog and how to use the vmstat command for clues about which processes were killed, and why. He then shows you how to configure the OOM killer to behave the way you prefer. For instance, you can make certain processes less likely to be killed than others. Or more. Or you can instruct the kernel to reboot instead of killing processes.
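As an added illustration of the syslog examination mentioned above (this is not code from Robert Chase's article), the script below extracts OOM-killer decisions from syslog text and summarizes, per command, how often it was killed and its highest badness score. It assumes the kernel message format "Out of memory: Kill process PID (COMMAND) score N", which differs between kernel versions; the log lines are constructed samples.

```sh
#!/bin/sh
# oom_victims: read syslog text on stdin; for every OOM-killer decision
# print "<pid> <score> <command>".
oom_victims() {
    sed -n 's/.*Out of memory: Kill process \([0-9][0-9]*\) (\([^)]*\)) score \([0-9][0-9]*\).*/\1 \3 \2/p'
}

# oom_summary: read syslog text on stdin; print one line per command,
# "<kills> <highest score> <command>", most frequently killed first.
oom_summary() {
    oom_victims | awk '
        {
            name = $0
            sub(/^[0-9]+ [0-9]+ /, "", name)    # keep commands with spaces whole
            kills[name]++
            if ($2 + 0 > top[name]) top[name] = $2 + 0
        }
        END {
            for (c in kills) printf "%d %d %s\n", kills[c], top[c], c
        }' | LC_ALL=C sort -k1,1nr -k3
}

# sample_syslog: constructed log lines (host name, PIDs and sizes invented).
sample_syslog() {
    cat <<'EOF'
Feb 22 10:14:01 host sshd[2211]: Accepted publickey for admin from 192.0.2.10 port 50122 ssh2
Feb 22 10:14:03 host kernel: httpd invoked oom-killer: gfp_mask=0x201da, order=0, oom_adj=0, oom_score_adj=0
Feb 22 10:14:03 host kernel: Out of memory: Kill process 2592 (httpd) score 611 or sacrifice child
Feb 22 10:14:03 host kernel: Killed process 2592, UID 48, (httpd) total-vm:1523640kB, anon-rss:914200kB, file-rss:120kB
Feb 22 10:19:47 host kernel: Out of memory: Kill process 1833 (java) score 402 or sacrifice child
Feb 22 10:19:47 host kernel: Killed process 1833, UID 500, (java) total-vm:2101332kB, anon-rss:603112kB, file-rss:88kB
Feb 22 10:31:12 host kernel: Out of memory: Kill process 2610 (httpd) score 598 or sacrifice child
Feb 22 10:31:12 host kernel: Killed process 2610, UID 48, (httpd) total-vm:1498220kB, anon-rss:897004kB, file-rss:132kB
EOF
}

sample_syslog | oom_summary
# On a live system: oom_summary < /var/log/messages
```

The summary shows which services the kernel keeps choosing, which is the input you need before deciding whose priority to adjust.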


- Rick


(psst! and don't forget to follow the Great Peruvian Novel!)

Thursday Feb 21, 2013

Can You Figure Out Which Teenager Took the Cash?


Dads like me are familiar with a phenomenon known as Silent Dollar Disappearance. This tends to occur when there is a confluence of money in your wallet and teenage children in your home. You never actually see it happen, but if you are paying attention, you might detect that it has happened. As when, for instance, you try to pay for beer and brats at the grocer. It becomes difficult to know for sure whether it was the teenagers. What if you already spent the money on something else? That's what my teenage daughters always said. Or perhaps you had a wallet malfunction, and it flew out. So difficult to pin-point the actual cause.

Linux, like any OS, is vulnerable to a similar phenomenon. It's called silent data corruption. It can be caused by faulty components, such as memory modules or storage systems. It can also be caused by -God forbid- administrative error. As with Silent Dollar Disappearance, it's difficult to detect when data corruption is actually happening. Or what the exact cause was. But, as with Dads and teenagers, you eventually figure out that it has happened.

It may be impossible to identify the culprit after the data has been corrupted, but it's not impossible to stop the culprit ahead of time. Oracle partnered with EMC and Emulex to do just that. And they were kind enough to explain how they did it and how you can benefit. In this article:

Preventing Silent Data Corruption in Oracle Linux

An excerpt ...

"Data integrity protection is not new. ECC and CRC are available on most, if not all, servers, storage arrays, and Fibre Channel host bus adapters (HBAs). But these checks protect the data only temporarily within a single component. They do not ensure that the data you intended to write does not become corrupt as it travels down the data path from the application running in the server to the HBA, the switch, the storage array, and then the physical disk drive. When data corruption occurs, most applications are unaware that the data that was stored on the disk is not the data that was intended to be stored.

"Over the last several years, EMC, Emulex, and Oracle have worked together to drive and implement the Protection Information additions to the T10 SBC standard, which enables the validation of data as it moves through the data path to ensure that silent data corruption does not occur."

Interesting stuff. Give it a read.

- Rick


Friday Jan 11, 2013

How to Install Oracle Linux from a USB Stick


If you want to install Oracle Linux from a USB drive, keep in mind that not all hardware supports USB device booting. Also, during the boot process you may have to instruct your BIOS to boot from that specific USB device. Finally, keep in mind that this method of installation is not officially sanctioned by Oracle support. You'll need an Oracle Linux 6.0 or higher system to produce the key. Earlier versions may work, but additional prerequisites may be required. The examples in this article assume a USB key device name of /dev/sdb1. Be sure to verify the device name of your USB key to avoid accidental data loss.


  1. The first thing you will need is an ISO image of Oracle Linux. The quickest way to obtain an ISO image is from the Oracle Software Delivery Cloud.
  2. You will need a desktop or server system running Oracle Linux in order to prepare your USB drive.
  3. You will also need to download this script to create the bootable USB drive.
  4. Your Oracle Linux system will also need the package syslinux installed. You can install syslinux using yum with the following command:

     yum install syslinux

Marking Partition One as Bootable

Once your prerequisites are in order, you need to designate partition one as bootable. Use the parted application, as in this example:

[root@host]# parted /dev/sdb
GNU Parted 2.1
Using /dev/sdb
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) toggle 1 boot
(parted) quit
Information: You may need to update /etc/fstab.

The example above uses a USB key labelled /dev/sdb. The parted application will only accept device files without partition numbers. So, if we had selected /dev/sdb1 instead, we would have gotten an error message when we tried to write the changes to disk.

Creating the USB Key

Now you can start creating the USB key via the script that you downloaded earlier. The script accepts two paths: first the source ISO file and then the USB key:

[root@host]# sh Install_OL_fromUSBStick_Script --reset-mbr /home/user/OL6.3.iso /dev/sdb1
Verifying image...
line 527: checkisomd5: command not found
Are you SURE you want to continue?
Press Enter to continue or ctrl-c to abort
Size of DVD image: 2957
Size of images/install.img: 132
Available space: 31186
Copying DVD image to USB stick
    137834496 100%   10.87MB/s    0:00:12 (xfer#1, to-check=0/1)
sent 137851396 bytes  received 31 bytes  11028114.16 bytes/sec
total size is 137834496  speedup is 1.00
sent 37 bytes  received 12 bytes  98.00 bytes/sec
total size is 3100217344  speedup is 63269741.71
Updating boot config file
Installing boot loader
USB stick set up as live image!

Once the script is finished running, you have a bootable USB drive that can install Oracle Linux. While booting, pay attention to your BIOS boot screens, as they will often provide direction on how to select a specific boot device other than the ones in the standard boot sequence. For some older systems you may need to go directly into the BIOS setup utility to specify the USB device in your boot sequence. Once you have booted successfully off of your USB device and the installer starts, installation will proceed just like an installation from regular DVD media.

- Robert Chase

Website Newsletter Facebook Twitter

Wednesday Jan 09, 2013

How to Treat an NFS File As a Block Storage Device


Wim actually beat me in blogging about this feature while I was on vacation, but I'd like to add a little more background about dm-nfs, which I gathered from our kernel developers:

What is dm-nfs?

The dm-nfs kernel module provides a device-mapper target that allows you to treat an NFS file as a block device. It provides loopback-style emulation of a block device using a regular file as backing storage. The backing file resides on a remote system and is accessed via the NFS protocol.

The general idea is to have a more-efficient-than-loop access to files on NFS. The device mapper module directly converts requests to the dm device into NFS RPC calls.

dm-nfs is used transparently by Oracle VM's Dom0 when mounting NFS-backed virtual disks. It essentially allows for asynchronous and direct I/O to an NFS-backed block device, which is a lot faster than normal NFS for virtual disks. The Xen block hotplug script has been modified on OVM to look for files which are on NFS filesystems. If the file is on NFS, OVM uses dm-nfs automatically, otherwise it falls back to using the regular (but slower) loop mount method.

The original dm-nfs module was written by Chuck Lever. It has been supported and used by Oracle VM since version 2.2 and is also included in the Unbreakable Enterprise Kernel for Oracle Linux.

Why this feature matters

This feature creates virtual disk devices (LUNs) where the data is stored in an NFS file instead of on local storage. Managed networked storage has many benefits over keeping virtual devices on a disk local to the physical host.

A sample use case is the fast migration of guest VMs for load balancing or if a physical host requires maintenance. This functionality is also possible using iSCSI LUNs, but the advantage of dm-nfs is that you can manage new virtual drives on a local host system, rather than requiring a storage administrator to initialize new LUNs on the storage subsystem. Host administrators can handle their own virtual disk provisioning.

For durability and performance, dm-nfs uses asynchronous and direct I/O so all I/O operations are performed efficiently and coherently. Guest disk data is not double cached on the underlying host. If the underlying host crashes, there's a lower probability of data corruption. If the guest is frozen, a clean backup can be taken of the virtual disk, as you can be certain that its data has been fully written out.

How to use it

You use dm-nfs by first loading the kernel module, then using dmsetup to create a device mapper device on your file. The syntax is very similar to the dm-linear module.

The following sample code demonstrates how to use dmsetup to create a mapped device (/dev/mapper/$dm_nfsdev) for the file $filename that is accessible on a mounted NFS file system:

nblks=`stat -c '%s' $filename`
echo -n "0 $nblks nfs $filename 0" | dmsetup create $dm_nfsdev

Now you can mount /dev/mapper/$dm_nfsdev like any other filesystem image.

- Lenz Grimmer (Oracle Linux Blog)


Wednesday Sep 05, 2012

Is 'Old-School' the Wrong Way to Describe Reliable Security?


The Hotel Toronto apparently knows how to secure its environment.

"Built directly into the bedrock in 1913, the vault features an incredible 4-foot thick steel door that weighs 40 tonnes, yet can nonetheless be moved with a single finger. During construction, the gargantuan door was hauled up Yonge Street from the harbour by a team of 18 horses. "

1913. Those were the days. Sysadmins had to be strong as bulls and willing to shovel horse manure. At least nowadays you don't have to be that strong. And, if you happen to be trying to secure your Oracle Linux environment, you may be able to avoid the shoveling, as well. Provided you know the tricks of the trade contained in these two recently published articles.

Tips for Hardening an Oracle Linux Server

General strategies for hardening an Oracle Linux server. Oracle Linux comes "secure by default," but the actions you take when deploying the server can increase or decrease its security. How to minimize active services, lock down network services, and many other tips. By Ginny Henningsen, James Morris and Lenz Grimmer.

Tips for Securing an Oracle Linux Environment

System logging with logwatch and process accounting with psacct can help detect intrusion attempts and determine whether a system has been compromised. So can using the RPM package manager to verify the integrity of installed software. These and other tools are described in this second article, which takes a wider perspective and gives you tips for securing your entire Oracle Linux environment. Also by the crack team of Ginny Henningsen, James Morris and Lenz Grimmer.

- Rick


Wednesday Aug 15, 2012

It's Better with Btrfs


Two recently published articles to help you become proficient with the Btrfs file system in Oracle Linux:

How I Got Started with the Btrfs File System in Oracle Linux

By Margaret Bierman

Scalability and volume management. Write methodology and access. Tunables. Margaret describes these capabilities of the Btrfs file system, plus how it deals with redundant configurations, checksums, fault isolation and much more. She also walks you through the steps to create and set up a Btrfs file system so you can become familiar with it.

How I Use the Advanced Features of the Btrfs File System

By Margaret Bierman

How to create and mount a Btrfs file system. How to copy and delete files. How to create and manage a redundant file system configuration. How to check the integrity of the file system and its remaining capacity. How to take snapshots. How to clone. And more. In this article Margaret explores the more advanced features of the Btrfs file system.

Let us know what you think, and what you'd like to see Margaret write about in the future.

- Rick


Tuesday Jul 17, 2012

How to Protect Your Oracle Linux System from the Higgs Boson

Now that the Higgs Boson particle has been gently coaxed out of hiding, you know what's gonna happen, don't you? Your boss is gonna walk into your office and demand a plan for protecting your Oracle Linux system against it.

You could act like a smart aleck sysadmin and inform him or her that it took a team of scientists 10 years and 500 trillion collisions to get conclusive evidence of its existence, and let's not even talk about how difficult it was for God to create the elusive thing, but that would violate the first law of corporate survival:

Never, ever make your boss look stupid

Instead, jump out of your chair and say "OMG! I hadn't thought of that!" Then read our latest article and use what you learn to write up a plan that will make your boss look real good to his or her boss. (Just make sure your name appears nowhere.)

Tips for Hardening an Oracle Linux Server

Lenz Grimmer and James Morris provide guidelines for:

  • Minimizing the software footprint
  • Minimizing active services
  • Locking down network services
  • Disabling or tightening use of SSH
  • Configuring mounts, file permissions, and ownerships
  • Managing Users and Authentication
  • Other Security Features and Tools
  • Cryptography

I hope you enjoy reading the article as much as I did. And good luck with your career.

- Rick


Friday Mar 23, 2012

How to subscribe to the free Oracle Linux errata yum repositories

Now that updates and errata for Oracle Linux are available for free (both as in beer and freedom), here's a quick HOWTO on how to subscribe your Oracle Linux system to the newly added yum repositories on our public yum server, assuming that you just installed Oracle Linux from scratch, e.g. by using the installation media (ISO images) available from the Oracle Software Delivery Cloud.

You need to download the appropriate yum repository configuration file from the public yum server and install it in the yum repository directory. For Oracle Linux 6, run the following command as the root user:

[root@oraclelinux62 ~]# wget \
-P /etc/yum.repos.d/
--2012-03-23 00:18:25--
Connecting to||:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1461 (1.4K) [text/plain]
Saving to: “/etc/yum.repos.d/public-yum-ol6.repo”

100%[=================================================>] 1,461       --.-K/s   in 0s      

2012-03-23 00:18:26 (37.1 MB/s) - “/etc/yum.repos.d/public-yum-ol6.repo” saved [1461/1461]

For Oracle Linux 5, the file name would be public-yum-ol5.repo in the URL above instead. The "_latest" repositories that contain the errata packages are already enabled by default — you can simply pull in all available updates by running "yum update" next:

[root@oraclelinux62 ~]# yum update
Loaded plugins: refresh-packagekit, security
ol6_latest                                                    | 1.1 kB     00:00     
ol6_latest/primary                                            |  15 MB     00:42     
ol6_latest                                                               14643/14643
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package at.x86_64 0:3.1.10-43.el6 will be updated
---> Package at.x86_64 0:3.1.10-43.el6_2.1 will be an update
---> Package autofs.x86_64 1:5.0.5-39.el6 will be updated
---> Package autofs.x86_64 1:5.0.5-39.el6_2.1 will be an update
---> Package bind-libs.x86_64 32:9.7.3-8.P3.el6 will be updated
---> Package bind-libs.x86_64 32:9.7.3-8.P3.el6_2.2 will be an update
---> Package bind-utils.x86_64 32:9.7.3-8.P3.el6 will be updated
---> Package bind-utils.x86_64 32:9.7.3-8.P3.el6_2.2 will be an update
---> Package cvs.x86_64 0:1.11.23-11.el6_0.1 will be updated
---> Package cvs.x86_64 0:1.11.23-11.el6_2.1 will be an update


---> Package yum.noarch 0:3.2.29-22.0.1.el6 will be updated
---> Package yum.noarch 0:3.2.29-22.0.2.el6_2.2 will be an update
---> Package yum-plugin-security.noarch 0:1.1.30-10.el6 will be updated
---> Package yum-plugin-security.noarch 0:1.1.30-10.0.1.el6 will be an update
---> Package yum-utils.noarch 0:1.1.30-10.el6 will be updated
---> Package yum-utils.noarch 0:1.1.30-10.0.1.el6 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

 Package                     Arch    Version                       Repository   Size
 kernel                      x86_64  2.6.32-220.7.1.el6            ol6_latest   24 M
 kernel-uek                  x86_64  2.6.32-300.11.1.el6uek        ol6_latest   21 M
 kernel-uek-devel            x86_64  2.6.32-300.11.1.el6uek        ol6_latest  6.3 M
 at                          x86_64  3.1.10-43.el6_2.1             ol6_latest   60 k
 autofs                      x86_64  1:5.0.5-39.el6_2.1            ol6_latest  470 k
 bind-libs                   x86_64  32:9.7.3-8.P3.el6_2.2         ol6_latest  839 k
 bind-utils                  x86_64  32:9.7.3-8.P3.el6_2.2         ol6_latest  178 k
 cvs                         x86_64  1.11.23-11.el6_2.1            ol6_latest  711 k


 xulrunner                   x86_64  10.0.3-1.0.1.el6_2            ol6_latest   12 M
 yelp                        x86_64  2.28.1-13.el6_2               ol6_latest  778 k
 yum                         noarch  3.2.29-22.0.2.el6_2.2         ol6_latest  987 k
 yum-plugin-security         noarch  1.1.30-10.0.1.el6             ol6_latest   36 k
 yum-utils                   noarch  1.1.30-10.0.1.el6             ol6_latest   94 k

Transaction Summary
Install       3 Package(s)
Upgrade      96 Package(s)

Total download size: 173 M
Is this ok [y/N]: y
Downloading Packages:
(1/99): at-3.1.10-43.el6_2.1.x86_64.rpm                       |  60 kB     00:00     
(2/99): autofs-5.0.5-39.el6_2.1.x86_64.rpm                    | 470 kB     00:01     
(3/99): bind-libs-9.7.3-8.P3.el6_2.2.x86_64.rpm               | 839 kB     00:02     
(4/99): bind-utils-9.7.3-8.P3.el6_2.2.x86_64.rpm              | 178 kB     00:00     


(96/99): yelp-2.28.1-13.el6_2.x86_64.rpm                      | 778 kB     00:02     
(97/99): yum-3.2.29-22.0.2.el6_2.2.noarch.rpm                 | 987 kB     00:03     
(98/99): yum-plugin-security-1.1.30-10.0.1.el6.noarch.rpm     |  36 kB     00:00     
(99/99): yum-utils-1.1.30-10.0.1.el6.noarch.rpm               |  94 kB     00:00     
Total                                                306 kB/s | 173 MB     09:38     
warning: rpmts_HdrFromFdno: Header V3 RSA/SHA256 Signature, key ID ec551f03: NOKEY
Retrieving key from
Importing GPG key 0xEC551F03:
 Userid: "Oracle OSS group (Open Source Software group) "
 From  :
Is this ok [y/N]: y
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating   : yum-3.2.29-22.0.2.el6_2.2.noarch                                1/195 
  Updating   : xorg-x11-server-common-1.10.4-6.el6_2.3.x86_64                  2/195 
  Updating   : kernel-uek-headers-2.6.32-300.11.1.el6uek.x86_64                3/195 
  Updating   : 12:dhcp-common-4.1.1-25.P1.el6_2.1.x86_64                       4/195 
  Updating   : tzdata-java-2011n-2.el6.noarch                                  5/195 
  Updating   : tzdata-2011n-2.el6.noarch                                       6/195 
  Updating   : glibc-common-2.12-1.47.el6_2.9.x86_64                           7/195 
  Updating   : glibc-2.12-1.47.el6_2.9.x86_64                                  8/195 


  Cleanup    : kernel-firmware-2.6.32-220.el6.noarch                         191/195 
  Cleanup    : kernel-uek-firmware-2.6.32-300.3.1.el6uek.noarch              192/195 
  Cleanup    : glibc-common-2.12-1.47.el6.x86_64                             193/195 
  Cleanup    : glibc-2.12-1.47.el6.x86_64                                    194/195 
  Cleanup    : tzdata-2011l-4.el6.noarch                                     195/195 

  kernel.x86_64 0:2.6.32-220.7.1.el6                                                 
  kernel-uek.x86_64 0:2.6.32-300.11.1.el6uek                                         
  kernel-uek-devel.x86_64 0:2.6.32-300.11.1.el6uek                                   

  at.x86_64 0:3.1.10-43.el6_2.1                                                      
  autofs.x86_64 1:5.0.5-39.el6_2.1                                                   
  bind-libs.x86_64 32:9.7.3-8.P3.el6_2.2                                             
  bind-utils.x86_64 32:9.7.3-8.P3.el6_2.2                                            
  cvs.x86_64 0:1.11.23-11.el6_2.1                                                    
  dhclient.x86_64 12:4.1.1-25.P1.el6_2.1                                             


  xorg-x11-server-common.x86_64 0:1.10.4-6.el6_2.3                                   
  xulrunner.x86_64 0:10.0.3-1.0.1.el6_2                                              
  yelp.x86_64 0:2.28.1-13.el6_2                                                      
  yum.noarch 0:3.2.29-22.0.2.el6_2.2                                                 
  yum-plugin-security.noarch 0:1.1.30-10.0.1.el6                                     
  yum-utils.noarch 0:1.1.30-10.0.1.el6                                               


At this point, your system is fully up to date. As the kernel was updated as well, a reboot is the recommended next action.

If you want to install the latest release of the Unbreakable Enterprise Kernel Release 2 as well, you need to edit the .repo file and enable the respective yum repository (e.g. "ol6_UEK_latest" for Oracle Linux 6 and "ol5_UEK_latest" for Oracle Linux 5) manually, by setting enabled to "1". The next yum update run will download and install the second release of the Unbreakable Enterprise Kernel, which will be enabled after the next reboot.
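The manual edit described above can be scripted and checked. This is an added example, not part of the original post or Oracle's tooling: it sets enabled to 1 only inside the named section, then lists enabled sections that do not set gpgcheck=1. The function names and the sample .repo contents (placeholder URLs and key path) are constructed for illustration.

```shell
# enable_repo FILE SECTION
# Print FILE with enabled=1 set inside [SECTION] only; other sections untouched.
enable_repo() {
    awk -v want="[$2]" '
        /^\[.*\]$/ { in_sec = ($0 == want) }
        in_sec && /^enabled[ \t]*=/ { print "enabled=1"; next }
        { print }
    ' "$1"
}

# unsigned_enabled_repos FILE
# Print the names of enabled sections that do not set gpgcheck=1 themselves.
# yum treats a missing "enabled" line as enabled; a missing "gpgcheck" line
# inherits from [main] in yum.conf, so a section reported here needs a look there.
unsigned_enabled_repos() {
    awk '
        function report() { if (sec != "" && en == 1 && gpg != 1) print sec }
        /^\[.*\]$/ { report(); sec = substr($0, 2, length($0) - 2); en = 1; gpg = 0; next }
        /^enabled[ \t]*=[ \t]*0[ \t]*$/  { en = 0 }
        /^gpgcheck[ \t]*=[ \t]*1[ \t]*$/ { gpg = 1 }
        END { report() }
    ' "$1"
}

# Constructed sample, NOT the contents of the real public-yum-ol6.repo.
# gpgcheck=0 in the second section is deliberate, to exercise the audit.
sample_repo() {
    cat <<'EOF'
[ol6_latest]
name=Sample latest repository
baseurl=http://repo.example.invalid/ol6/latest/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example
gpgcheck=1
enabled=1

[ol6_UEK_latest]
name=Sample UEK repository
baseurl=http://repo.example.invalid/ol6/UEK/latest/
gpgcheck=0
enabled=0
EOF
}
```

Write the output of enable_repo to a new file and compare it with the original before replacing anything under /etc/yum.repos.d/.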






Wednesday Mar 21, 2012

Want to Patch your Red Hat Linux Kernel Without Rebooting?

Patched Tube by Morten Liebach (CC BY 2.0)

Are you running Red Hat Enterprise Linux? Take back your weekend and say goodbye to lengthy maintenance windows for kernel updates! With Ksplice, you can install kernel updates while the system is running. Stay secure and compliant without the hassle.

To give you a taste of one of the many features that are included in Oracle Linux Premier Support, we now offer a free 30-day Ksplice trial for RHEL systems. Give it a try and bring your Linux kernel up to date without rebooting (not even once to install it)!

For more information on this exciting technology, read Wim's OTN article on using Oracle Ksplice to update Oracle Linux systems without rebooting.

Watch Waseem Daher (one of the Ksplice founders) tell you more about Ksplice zero downtime updates in this screencast, "Zero Downtime OS Updates with Ksplice".

- Lenz


Logan Rosenstein
and members of the OTN community

