Tuesday Jul 17, 2012

How to Protect Your Oracle Linux System from the Higgs Boson

Now that the Higgs Boson particle has been gently coaxed out of hiding, you know what's gonna happen, don't you? Your boss is gonna walk into your office and demand a plan for protecting your Oracle Linux system against it.

You could act like a smart aleck sysadmin and inform him or her that it took a team of scientists 10 years and 500 trillion collisions to get conclusive evidence of its existence, and let's not even talk about how difficult it was for God to create the elusive thing, but that would violate the first law of corporate survival:

Never, ever make your boss look stupid

Instead, jump out of your chair and say "OMG! I hadn't thought of that!" Then read our latest article and use what you learn to write up a plan that will make your boss look real good to his or her boss. (Just make sure your name appears nowhere.)

Tips for Hardening an Oracle Linux Server

Lenz Grimmer and James Morris provide guidelines for:

  • Minimizing the software footprint
  • Minimizing active services
  • Locking down network services
  • Disabling or tightening use of SSH
  • Configuring mounts, file permissions, and ownerships
  • Managing Users and Authentication
  • Other Security Features and Tools
  • Cryptography

I hope you enjoy reading the article as much as I did. And good luck with your career.

- Rick


Friday Mar 23, 2012

How to subscribe to the free Oracle Linux errata yum repositories

Now that updates and errata for Oracle Linux are available for free (both as in beer and freedom), here's a quick HOWTO on how to subscribe your Oracle Linux system to the newly added yum repositories on our public yum server, assuming that you just installed Oracle Linux from scratch, e.g. by using the installation media (ISO images) available from the Oracle Software Delivery Cloud.

You need to download the appropriate yum repository configuration file from the public yum server and install it in the yum repository directory. For Oracle Linux 6, run the following command as the root user:

[root@oraclelinux62 ~]# wget http://public-yum.oracle.com/public-yum-ol6.repo \
-P /etc/yum.repos.d/
--2012-03-23 00:18:25--  http://public-yum.oracle.com/public-yum-ol6.repo
Resolving public-yum.oracle.com...
Connecting to public-yum.oracle.com||:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1461 (1.4K) [text/plain]
Saving to: “/etc/yum.repos.d/public-yum-ol6.repo”

100%[=================================================>] 1,461       --.-K/s   in 0s      

2012-03-23 00:18:26 (37.1 MB/s) - “/etc/yum.repos.d/public-yum-ol6.repo” saved [1461/1461]

For Oracle Linux 5, the file name would be public-yum-ol5.repo in the URL above instead. The "_latest" repositories that contain the errata packages are already enabled by default — you can simply pull in all available updates by running "yum update" next:

[root@oraclelinux62 ~]# yum update
Loaded plugins: refresh-packagekit, security
ol6_latest                                                    | 1.1 kB     00:00     
ol6_latest/primary                                            |  15 MB     00:42     
ol6_latest                                                               14643/14643
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package at.x86_64 0:3.1.10-43.el6 will be updated
---> Package at.x86_64 0:3.1.10-43.el6_2.1 will be an update
---> Package autofs.x86_64 1:5.0.5-39.el6 will be updated
---> Package autofs.x86_64 1:5.0.5-39.el6_2.1 will be an update
---> Package bind-libs.x86_64 32:9.7.3-8.P3.el6 will be updated
---> Package bind-libs.x86_64 32:9.7.3-8.P3.el6_2.2 will be an update
---> Package bind-utils.x86_64 32:9.7.3-8.P3.el6 will be updated
---> Package bind-utils.x86_64 32:9.7.3-8.P3.el6_2.2 will be an update
---> Package cvs.x86_64 0:1.11.23-11.el6_0.1 will be updated
---> Package cvs.x86_64 0:1.11.23-11.el6_2.1 will be an update


---> Package yum.noarch 0:3.2.29-22.0.1.el6 will be updated
---> Package yum.noarch 0:3.2.29-22.0.2.el6_2.2 will be an update
---> Package yum-plugin-security.noarch 0:1.1.30-10.el6 will be updated
---> Package yum-plugin-security.noarch 0:1.1.30-10.0.1.el6 will be an update
---> Package yum-utils.noarch 0:1.1.30-10.el6 will be updated
---> Package yum-utils.noarch 0:1.1.30-10.0.1.el6 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

 Package                     Arch    Version                       Repository   Size
 kernel                      x86_64  2.6.32-220.7.1.el6            ol6_latest   24 M
 kernel-uek                  x86_64  2.6.32-300.11.1.el6uek        ol6_latest   21 M
 kernel-uek-devel            x86_64  2.6.32-300.11.1.el6uek        ol6_latest  6.3 M
 at                          x86_64  3.1.10-43.el6_2.1             ol6_latest   60 k
 autofs                      x86_64  1:5.0.5-39.el6_2.1            ol6_latest  470 k
 bind-libs                   x86_64  32:9.7.3-8.P3.el6_2.2         ol6_latest  839 k
 bind-utils                  x86_64  32:9.7.3-8.P3.el6_2.2         ol6_latest  178 k
 cvs                         x86_64  1.11.23-11.el6_2.1            ol6_latest  711 k


 xulrunner                   x86_64  10.0.3-1.0.1.el6_2            ol6_latest   12 M
 yelp                        x86_64  2.28.1-13.el6_2               ol6_latest  778 k
 yum                         noarch  3.2.29-22.0.2.el6_2.2         ol6_latest  987 k
 yum-plugin-security         noarch  1.1.30-10.0.1.el6             ol6_latest   36 k
 yum-utils                   noarch  1.1.30-10.0.1.el6             ol6_latest   94 k

Transaction Summary
Install       3 Package(s)
Upgrade      96 Package(s)

Total download size: 173 M
Is this ok [y/N]: y
Downloading Packages:
(1/99): at-3.1.10-43.el6_2.1.x86_64.rpm                       |  60 kB     00:00     
(2/99): autofs-5.0.5-39.el6_2.1.x86_64.rpm                    | 470 kB     00:01     
(3/99): bind-libs-9.7.3-8.P3.el6_2.2.x86_64.rpm               | 839 kB     00:02     
(4/99): bind-utils-9.7.3-8.P3.el6_2.2.x86_64.rpm              | 178 kB     00:00     


(96/99): yelp-2.28.1-13.el6_2.x86_64.rpm                      | 778 kB     00:02     
(97/99): yum-3.2.29-22.0.2.el6_2.2.noarch.rpm                 | 987 kB     00:03     
(98/99): yum-plugin-security-1.1.30-10.0.1.el6.noarch.rpm     |  36 kB     00:00     
(99/99): yum-utils-1.1.30-10.0.1.el6.noarch.rpm               |  94 kB     00:00     
Total                                                306 kB/s | 173 MB     09:38     
warning: rpmts_HdrFromFdno: Header V3 RSA/SHA256 Signature, key ID ec551f03: NOKEY
Retrieving key from http://public-yum.oracle.com/RPM-GPG-KEY-oracle-ol6
Importing GPG key 0xEC551F03:
 Userid: "Oracle OSS group (Open Source Software group) "
 From  : http://public-yum.oracle.com/RPM-GPG-KEY-oracle-ol6
Is this ok [y/N]: y
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating   : yum-3.2.29-22.0.2.el6_2.2.noarch                                1/195 
  Updating   : xorg-x11-server-common-1.10.4-6.el6_2.3.x86_64                  2/195 
  Updating   : kernel-uek-headers-2.6.32-300.11.1.el6uek.x86_64                3/195 
  Updating   : 12:dhcp-common-4.1.1-25.P1.el6_2.1.x86_64                       4/195 
  Updating   : tzdata-java-2011n-2.el6.noarch                                  5/195 
  Updating   : tzdata-2011n-2.el6.noarch                                       6/195 
  Updating   : glibc-common-2.12-1.47.el6_2.9.x86_64                           7/195 
  Updating   : glibc-2.12-1.47.el6_2.9.x86_64                                  8/195 


  Cleanup    : kernel-firmware-2.6.32-220.el6.noarch                         191/195 
  Cleanup    : kernel-uek-firmware-2.6.32-300.3.1.el6uek.noarch              192/195 
  Cleanup    : glibc-common-2.12-1.47.el6.x86_64                             193/195 
  Cleanup    : glibc-2.12-1.47.el6.x86_64                                    194/195 
  Cleanup    : tzdata-2011l-4.el6.noarch                                     195/195 

  kernel.x86_64 0:2.6.32-220.7.1.el6                                                 
  kernel-uek.x86_64 0:2.6.32-300.11.1.el6uek                                         
  kernel-uek-devel.x86_64 0:2.6.32-300.11.1.el6uek                                   

  at.x86_64 0:3.1.10-43.el6_2.1                                                      
  autofs.x86_64 1:5.0.5-39.el6_2.1                                                   
  bind-libs.x86_64 32:9.7.3-8.P3.el6_2.2                                             
  bind-utils.x86_64 32:9.7.3-8.P3.el6_2.2                                            
  cvs.x86_64 0:1.11.23-11.el6_2.1                                                    
  dhclient.x86_64 12:4.1.1-25.P1.el6_2.1                                             


  xorg-x11-server-common.x86_64 0:1.10.4-6.el6_2.3                                   
  xulrunner.x86_64 0:10.0.3-1.0.1.el6_2                                              
  yelp.x86_64 0:2.28.1-13.el6_2                                                      
  yum.noarch 0:3.2.29-22.0.2.el6_2.2                                                 
  yum-plugin-security.noarch 0:1.1.30-10.0.1.el6                                     
  yum-utils.noarch 0:1.1.30-10.0.1.el6                                               


At this point, your system is fully up to date. As the kernel was updated as well, a reboot is the recommended next action.

If you want to install the latest release of the Unbreakable Enterprise Kernel Release 2 as well, you need to edit the .repo file and enable the respective yum repository (e.g. "ol6_UEK_latest" for Oracle Linux 6 and "ol5_UEK_latest" for Oracle Linux 5) manually, by setting enabled to "1". The next yum update run will download and install the second release of the Unbreakable Enterprise Kernel, which will be enabled after the next reboot.
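The edit described above, as an added example that is not part of the original post: enable_repo sets enabled=1 in one named section of a .repo file, and audit_repos lists every enabled section with its gpgcheck value and whether its URLs are plain http://. The repository and key URLs shown above are HTTP, so gpgcheck=1 is what ties installed packages to the imported key. The function names and the sample file (including the repo.example.invalid host) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Sample data is constructed.

# Print a constructed two-section .repo file (baseurl host is a placeholder).
sample_repo() {
cat <<'EOF'
[ol6_latest]
name=Oracle Linux 6 Latest (constructed sample)
baseurl=http://repo.example.invalid/ol6/latest/
gpgkey=http://public-yum.oracle.com/RPM-GPG-KEY-oracle-ol6
gpgcheck=1
enabled=1

[ol6_UEK_latest]
name=UEK Latest (constructed sample)
baseurl=http://repo.example.invalid/ol6/uek/
gpgkey=http://public-yum.oracle.com/RPM-GPG-KEY-oracle-ol6
gpgcheck=1
enabled=0
EOF
}

# enable_repo FILE SECTION: print FILE with enabled=1 set in [SECTION] only.
enable_repo() {
    awk -v want="[$2]" '
        /^\[.*\]$/                  { in_sec = ($0 == want) }
        in_sec && /^enabled[ \t]*=/ { print "enabled=1"; next }
                                    { print }
    ' "$1"
}

# audit_repos FILE: one line per enabled section, in the form
#   <section> gpgcheck=<value|unset> <plain-http|no-plain-http>
# Assumption: a section without an enabled= line is treated as enabled.
audit_repos() {
    awk '
        function flush() {
            if (sec != "" && enabled == "1")
                printf "%s gpgcheck=%s %s\n", sec, gpg, (plain ? "plain-http" : "no-plain-http")
        }
        /^\[.*\]$/ { flush(); sec = substr($0, 2, length($0) - 2)
                     enabled = "1"; gpg = "unset"; plain = 0; next }
        /^[ \t]*[#;]/ { next }
        {
            eq = index($0, "="); if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "enabled") enabled = val
            else if (key == "gpgcheck") gpg = val
            else if ((key == "baseurl" || key == "gpgkey") && val ~ /^http:/) plain = 1
        }
        END { flush() }
    ' "$1"
}

# Demo on a temporary copy; nothing under /etc/yum.repos.d is touched.
demo() {
    tmp=$(mktemp) && sample_repo > "$tmp"
    enable_repo "$tmp" ol6_UEK_latest > "$tmp.new"
    audit_repos "$tmp.new"
    rm -f "$tmp" "$tmp.new"
}
demo
```

Any enabled section that reports gpgcheck=0 or gpgcheck=unset together with plain-http is worth fixing before the next yum update.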






Wednesday Mar 21, 2012

Want to Patch your Red Hat Linux Kernel Without Rebooting?

Patched Tube by Morten Liebach (CC BY 2.0)

Are you running Red Hat Enterprise Linux? Take back your weekend and say goodbye to lengthy maintenance windows for kernel updates! With Ksplice, you can install kernel updates while the system is running. Stay secure and compliant without the hassle.

To give you a taste of one of the many features that are included in Oracle Linux Premier Support, we now offer a free 30-day Ksplice trial for RHEL systems. Give it a try and bring your Linux kernel up to date without rebooting (not even once to install it)!

For more information on this exciting technology, read Wim's OTN article on using Oracle Ksplice to update Oracle Linux systems without rebooting.

Watch Waseem Daher (one of the Ksplice founders) tell you more about Ksplice zero downtime updates in the screencast "Zero Downtime OS Updates with Ksplice".

- Lenz

Friday Mar 16, 2012

Oracle Linux Forum

This forum includes live chat so you can tell Wim, Lenz, and the gang what you really think.

Linux Forum - Tuesday March 27

Since Oracle recently made Release 2 of its Unbreakable Enterprise Kernel available (see Lenz's blog), we're following up with an online forum with Oracle's Linux executives and engineers. Topics will be:

9:30 - 9:45 am PT
Oracle's Linux Strategy

Edward Screven, Oracle's Chief Corporate Architect and Wim Coekaerts, Senior VP of Linux and Virtualization Engineering, will explain Oracle's Linux strategy, the benefits of Oracle Linux, Oracle's role in the Linux community, and the Oracle Linux roadmap.

9:45 - 10:00 am PT
Why Progressive Insurance Chose Oracle Linux

John Dome, Lead Systems Engineer at Progressive Insurance, outlines why they selected Oracle Linux with the Unbreakable Enterprise Kernel to reduce cost and increase the performance of database applications.

10:00 - 11:00 am PT
What's New in Oracle Linux

Oracle engineers walk you through new features in Oracle Linux, including zero-downtime updates with Ksplice, Btrfs and OCFS2, DTrace for Linux, Linux Containers, vSwitch and T-Mem.

11:00 am - 12:00 pm PT
Get More Value from your Linux Vendor

Why Oracle Linux delivers more value than Red Hat Enterprise Linux, including better support at lower cost, best practices for deployments, extreme performance for cloud deployments and engineered systems, and more.

Date: Tuesday, March 27, 2012
Time: 9:30 AM PT / 12:30 PM ET
Duration: 2.5 hours
Register here.

- Rick

Tuesday Mar 13, 2012

Who the Linux Developer Met on His Way to St. Ives

For some reason I still remember this nursery riddle:

"As I was going to Saint Ives
I met a man with seven wives
Each wife had seven sacks
Each sack had seven cats
Each cat had seven kits
How many were going to St Ives?"

The answer, of course, is one. More about the riddle here.

Little did I know, when I first learned it, that this rhyme would help me understand the Oracle Exadata Database Machine. Miss Blankenship, please forgive me:

As I was going to St Ives
I met a man with 8 Oracle Exadata Machines
Each machine had 8 sockets
Each socket had 8 cores
Each core had 2 threads
How many CPUs were going to St Ives?

If your iPhone has hobbled you to the point that you can no longer do simple arithmetic in your head, you can get the answer to that riddle by listening to these podcasts (the first one even provides notes):

Podcast: How Oracle Linux Was Optimized for the Oracle Exadata Database Machine

Turns out that when you use off-the-shelf components to build a NUMA system like the Exadata, you lower your hardware costs, but you increase the software work that must be done to optimize the system. Oracle Linux already had a set of optimizations well suited to this task. Chris Mason, director of Linux kernel engineering at Oracle, describes the process engineering used to optimize Exadata's integrated stack, touching everything from storage, to networking, the CPU, I/O speeds, and finally the application. Great Q&A, too.

Podcast: What's So Great About Oracle's Unbreakable Enterprise Kernel?

It's easy to replace your tired rust-bucket of a Linux kernel with the chromed-out Unbreakable Enterprise Kernel from Oracle, but why would you? Sergio Leunissen, Oracle Vice President, and Lenz Grimmer, blogger extraordinaire, explain why it's worth your time to use the Unbreakable Linux Kernel. Sergio and Lenz explain why Oracle went to the trouble to engineer its own kernel, what's included in Release 2, how it is tested, how it is optimized for the Oracle stack, the close relationship with the Linux community, and what benefits it brings developers and sysadmins.

Where to Get It, How to Use It

As you may have already heard, Release 2 of Oracle's Unbreakable Enterprise Kernel for Linux is now available. Here are some resources to help you get started.

- Rick with Todd Trichler





Wednesday Jan 25, 2012

Does Your Weekend Workload Look Like This?

We have a couple of resources to help you dive under.

Article: How Dell Migrated From SUSE Linux to Oracle Linux

In June of 2010, Dell made the decision to migrate 1,700 systems from SUSE Linux to Oracle Linux, while leaving the hardware and application layers unchanged. Suzanne Zorn worked with Jon Senger and Aik Zu Shyong, from Dell, to understand exactly how Dell did it. In this article, they describe Dell's server environment, the migration process, and what they learned. The article covers:

  • Preparation, including the use of a "scratch" area
  • Archiving configuration files
  • Conversion of MPIO to PowerPath with a custom script
  • Re-imaging the new OS and installing with kickstart
  • Restoring the configuration files
  • Adjusting profiles
  • Restarting database and applications, and verifying correct operation.

More about Oracle Linux here.

Demo: Update the Oracle Linux Kernel with Ksplice

Waseem Daher uses the command line to demonstrate how you can use Ksplice to install kernel updates to Oracle Linux without rebooting, even while your applications are still running. He also shows you how to use the Uptrack utility in Ksplice to manage your Linux packages more easily. It's only 18 minutes long, and well worth your time.

Why big wave surfers do it.

- Rick

Tuesday Sep 27, 2011

Linux-Related Content and Roadmap at Oracle OpenWorld

Interested in the Oracle Linux strategy and roadmap direct from Wim Coekaerts, VP of Linux Engineering at Oracle? Find out where and when, plus how other companies like Cisco and Intel are using Oracle Linux. Here's the summary of Linux-related content at Oracle OpenWorld:

Focus on Oracle Linux

The summary covers:

  • Keynotes
  • General Session
  • Oracle Linux and Oracle VM Customer Forum

- Rick

Monday Sep 05, 2011

Recommended Linux sysadmin/developer reading: the Ksplice blog

In July, Oracle acquired Ksplice, a small company based in Cambridge, MA. If you haven't heard about Ksplice yet, it's some very cool technology that enables you to patch a running Linux kernel without rebooting. Ksplice support is now included in our Premier Linux Support offerings. Check this Getting Started with Oracle Ksplice page for details.

The Ksplice Blog, which used to live on the Ksplice home page, has now been migrated to the Oracle Blogs. It's a treasure trove of useful information for Linux system administrators and developers; make sure to subscribe to it!

Here are some recent entries and there's more to come!

Wednesday Aug 31, 2011

Save disk space on Linux by cloning files on Btrfs and OCFS2

"Dolly" by Rebecca W (CC BY-SA 2.0).

Btrfs and OCFS2 are two very advanced file systems for Linux. Btrfs is a next-generation local file system for Linux, and it provides a number of nice features like snapshots and subvolumes, dynamic resizing and built-in RAID functionality. OCFS2 is the ideal candidate for creating cluster file systems that can be shared across multiple machines (but it can also be used for local storage).

There is one neat little feature that both Btrfs and OCFS2 have in common — they are capable of creating "lightweight" copies ("snapshots" or "clones") of a file.

In this case the file system does not create a new link pointing to an existing inode; instead, it creates a new inode that shares the same disk blocks as the original file. This means that this operation only works within the boundaries of the same file system or subvolume. The outcome looks very much like a copy of the source file, but the actual data blocks have not been duplicated. Due to the copy-on-write nature, a modification of any one of the files will not be visible in the other file. Note that this should not be confused with hard links – this web page provides a good explanation of the differences.

For Btrfs, you can invoke this feature by using the cp(1) utility with the --reflink option, which was added to the GNU coreutils in version 7.5 (released in Aug. 2009):

cp --reflink <source file> <destination file>

Adding support for the reflink implementation of OCFS2 to cp still seems to be under development. For now, you need to download and install a separate reflink binary from here. It works like the ln(1) utility:

reflink <source file> <destination file>

Wim covered OCFS2 reflink in more detail in a blog post a while ago and there is another example for OCFS2 on our Wiki.

These kinds of file clones save disk space and allow copy operations to complete much more quickly than actually copying entire files. This can be quite useful if you need to create copies of very large files that differ very little from each other, e.g. virtual machine disk images. In this case the disk space savings can be quite significant!
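The difference between a hard link and a clone described above, as an added example that is not part of the original post: a hard link is a second name for the same inode, so it shares content, mode and ownership, while a clone is a new inode that stops following the original at the first write. The function names are constructed, and --reflink=auto is used so the script also runs on file systems without clone support, where cp falls back to a full copy with the same inode and write behaviour.

```shell
#!/bin/sh
# Added example, not from the original post.

# Print the inode number of a file.
inode_of() { ls -i "$1" | awk '{ print $1 }'; }

# link_vs_clone DIR: create a file, a hard link and a clone in DIR, append to
# the original, then report for each copy whether it shares the original's
# inode and whether it saw the write.
link_vs_clone() {
    d=$1
    printf 'original\n' > "$d/src"
    ln "$d/src" "$d/hard"
    # Clones on Btrfs; elsewhere cp falls back to copying the data blocks.
    cp --reflink=auto "$d/src" "$d/clone"
    printf 'changed\n' >> "$d/src"
    for f in hard clone; do
        same=no
        [ "$(inode_of "$d/$f")" = "$(inode_of "$d/src")" ] && same=yes
        seen=no
        grep -q changed "$d/$f" && seen=yes
        echo "$f same_inode=$same sees_write=$seen"
    done
}

# Demo in a throwaway directory.
demo_dir=$(mktemp -d)
link_vs_clone "$demo_dir"
rm -rf "$demo_dir"
```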


Rick Ramsey
Kemer Thomson
and members of the OTN community

