By Wcoekaer-Oracle on May 13, 2014
A minimal Oracle Linux install contains a really small set of RPMs but typically not enough for a product to install on and a full/complete install contains way more packages than you need. While a full install is convenient, it also means that the likelihood of having to install an errata for a package is higher and as such the cost of patching and updating/maintaining systems increases.
In an effort to make it as easy as possible, we have created a number of pre-install RPM packages which don't really contain actual programs: they're more or less dummy packages plus a few configuration scripts. They are built around the concept that you have a minimal OL installation (configured to point to a yum repository), and all the RPMs/packages which the specific Oracle product requires to install cleanly and pass the pre-requisites are dependencies of the pre-install package.
When you install the pre-install RPM, yum will calculate the dependencies, figure out which additional RPMs are needed beyond what's installed, download them and install them. The configuration scripts in the RPM will also set up a number of sysctl options, create the default user, etc. After installation of this pre-install RPM, you can confidently start the Oracle product installer.
We have released a pre-install RPM in the past for the Oracle Database (11g, 12c,..) and Oracle Enterprise Manager 12c agent. And we now also released a similar RPM for E-Business R12.
Enable the Java SE 7 ULN channel for Oracle Linux 6
- Start with a server or desktop installed with Oracle Linux 6 and registered with ULN (http://linux.oracle.com) for updates
This is typically using uln_register on your system.
- Log into ULN, go to the Systems tab for your server/desktop and click on Manage Subscriptions
-> Ensure your system is registered to the "Oracle Linux 6 Add ons (x86_64)" channel (it should appear in the 'Subscribed channels' list)
if your system is not registered with the above channel, add it :
-> Click on "Oracle Linux 6 Add ons (x86_64)" in the Available Channels tab and click on the right arrow to move it to Subscribed channels. -> Click on Save Subscriptions
- In order to register with the 'Java SE 7' channel, you first have to install a yum plugin to enable access to channels with licenses
# yum install yum-plugin-ulninfo
Loaded plugins: rhnplugin
This system is receiving updates from ULN.
ol6_x86_64_addons | 1.2 kB 00:00
ol6_x86_64_addons/primary | 44 kB 00:00
ol6_x86_64_addons 177/177
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package yum-plugin-ulninfo.noarch 0:0.2-9.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

========================================================================================================================
 Package                      Arch            Version            Repository                 Size
========================================================================================================================
Installing:
 yum-plugin-ulninfo           noarch          0.2-9.el6          ol6_x86_64_addons          13 k

Transaction Summary
========================================================================================================================
Install       1 Package(s)

Total download size: 13 k
Installed size: 23 k
Is this ok [y/N]: y
Downloading Packages:
yum-plugin-ulninfo-0.2-9.el6.noarch.rpm | 13 kB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : yum-plugin-ulninfo-0.2-9.el6.noarch 1/1
  Verifying  : yum-plugin-ulninfo-0.2-9.el6.noarch 1/1

Installed:
  yum-plugin-ulninfo.noarch 0:0.2-9.el6

Complete!
- In future versions of Oracle Linux 6, this RPM will become part of the base channel and at that point you will no longer need to register with the Add ons channel to install yum-plugin-ulninfo
- Add the Java SE 7 channel subscription to your system in ULN
-> Click on "Java SE 7 for Oracle Linux 6 (x86_64) (Public)" in the Available Channels tab and click on the right arrow to move it to Subscribed channels
-> Click on Save Subscriptions
-> A popup will appear with the EULA for Java SE 7, click on Accept or Decline
- Now your system has access to the Java SE 7 channel. You can verify this by executing :
# yum repolist
Loaded plugins: rhnplugin, ulninfo
This system is receiving updates from ULN.
ol6_x86_64_JavaSE7_public: By downloading the Java software, you acknowledge that your use of the Java software is subject to the Oracle Binary Code License Agreement for the Java SE Platform Products and JavaFX (which you acknowledge you have read and agree to) available at http://www.java.com/license.
ol6_x86_64_JavaSE7_public | 1.2 kB 00:00
ol6_x86_64_JavaSE7_public/primary | 1.9 kB 00:00
ol6_x86_64_JavaSE7_public 2/2
repo id                      repo name                                                                          status
ol6_x86_64_JavaSE7_public    Java SE 7 for Oracle Linux 6 (x86_64) (Public)                                          2
ol6_x86_64_UEKR3_latest      Unbreakable Enterprise Kernel Release 3 for Oracle Linux 6 (x86_64) - Latest          122
ol6_x86_64_addons            Oracle Linux 6 Add ons (x86_64)                                                       177
ol6_x86_64_ksplice           Ksplice for Oracle Linux 6 (x86_64)                                                 1,497
ol6_x86_64_latest            Oracle Linux 6 Latest (x86_64)                                                     25,093
repolist: 26,891
- To install Java SE 7 on your system, simply use yum install :
# yum install jdk
Loaded plugins: rhnplugin, ulninfo
This system is receiving updates from ULN.
ol6_x86_64_JavaSE7_public: By downloading the Java software, you acknowledge that your use of the Java software is subject to the Oracle Binary Code License Agreement for the Java SE Platform Products and JavaFX (which you acknowledge you have read and agree to) available at http://www.java.com/license.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package jdk.x86_64 2000:1.7.0_51-fcs will be installed
--> Finished Dependency Resolution

Dependencies Resolved

========================================================================================================================
 Package        Arch            Version                  Repository                        Size
========================================================================================================================
Installing:
 jdk            x86_64          2000:1.7.0_51-fcs        ol6_x86_64_JavaSE7_public        117 M

Transaction Summary
========================================================================================================================
Install       1 Package(s)

Total download size: 117 M
Installed size: 193 M
Is this ok [y/N]: y
Downloading Packages:
jdk-1.7.0_51-fcs.x86_64.rpm | 117 MB 02:27
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : 2000:jdk-1.7.0_51-fcs.x86_64 1/1
Unpacking JAR files...
        rt.jar...
        jsse.jar...
        charsets.jar...
        tools.jar...
        localedata.jar...
        jfxrt.jar...
  Verifying  : 2000:jdk-1.7.0_51-fcs.x86_64 1/1

Installed:
  jdk.x86_64 2000:1.7.0_51-fcs

Complete!
- You now have a completely installed Java SE 7 on your Oracle Linux environment.
# ls /usr/java/jdk1.7.0_51/
bin  COPYRIGHT  db  include  jre  lib  LICENSE  man  README.html  release  src.zip  THIRDPARTYLICENSEREADME-JAVAFX.txt  THIRDPARTYLICENSEREADME.txt
We have also decided to distribute OpenSCAP with Oracle VM Server for x86, so you will be able to use the same utility for security compliance checks that you may use with Oracle Linux and Oracle Solaris. Initially, the OpenSCAP package we are distributing with Oracle VM Server for x86 is available on the Oracle Public Yum Server, so you may start by using the oscap(8) OpenSCAP command line tool after you've installed the openscap-utils RPM on your Dom0 test environment. If you are working on the technical security controls that are required by your organization for the approval to operate Oracle VM Server for x86, then you should understand that OpenSCAP is an effective tool to demonstrate security compliance to your authorizing official. However, you should carefully examine your organization's SCAP content and the implementation details, such as the use of OVAL for compliance checks.
We typically recommend that you do not directly execute additional utilities within the Oracle VM Server management domain (i.e. the Dom0 domain), but checking security compliance requires careful limited access by your authorized administrators to produce the reports. The Oracle VM Security Guide for Release 3 explains the philosophy of protection for the installation of the Oracle VM Server using a small footprint:
"Oracle VM Server runs a lightweight, optimized version of Oracle Linux. It is based upon an updated version of the Xen hypervisor technology and includes Oracle VM Agent. The installation of Oracle VM Server in itself is secure: it has no unused packages or applications and no services listening on any ports except for those required for the operation of the Oracle VM environment."
Please note that you should report any potential security vulnerabilities in Oracle products following the instructions found here.
We posted some helpful details about Oracle Linux Errata and CVE information this time last year, and you may also review the notifications of Oracle VM errata here. For the examples we are reviewing now, the use of OVAL checks is part of the traditional way you would show that your servers are all compliant (locked down or hardened) with the relevant security settings in your checklists that reference the product security guides.
The Oracle Software Security Assurance Secure Configuration Initiative has established Oracle product security goals for both Secure Configuration and Security Guides. We have built in the security features with Oracle VM Server for x86 and you should expect that the default installation follows the software security assurance guidelines. Using OpenSCAP for security compliance checks may help you to show that the Oracle VM Server for x86 configuration is up to date with the latest details documented in the security guides for operating systems and server virtualization.
A standardized approach to security compliance is a goal that many organizations are working toward, and it includes a broad set of security controls typically found within a complete Risk Management Framework such as the NIST RMF and those of other standards bodies within the international IT security community. When you begin to use OpenSCAP you will find that the standard SCAP content contains product-specific technical security controls that are expected to be unique and have version dependencies as well. You will notice that the standard SCAP content used with OpenSCAP on Oracle VM Server for x86 can produce valid security compliance reports, but you must still understand the technical nuances for measuring compliance that show one of these results for each test:
- True
- False
- Error
- Unknown
- Not Applicable
- Not Evaluated
Advantages to using a standardized approach for security compliance include considerations of "what is measured" and "how it is measured" to improve the precision, accuracy and ultimate effectiveness required to mitigate risks. The initial results that are produced using OpenSCAP for security compliance checks must be further examined to truly understand the meaning of 'true' or 'false' so that you can demonstrate the rationalization for applying any fixes to re-mediate a verifiable problem. The effectiveness of OpenSCAP depends on the thorough understanding of all the technical details at the early stages of your testing, so you will benefit by the complete coverage that may be repeated for all of your production Oracle VM Servers.
Automating system administration activities is a fundamental objective for on-premise and cloud computing architectures, and we are working to standardize as many of the enterprise infrastructure components as possible to produce the most cost-effective solutions using Oracle VM Server. The security compliance requirements of many organizations have increased reporting cycles that must be continuously monitored. With careful planning, OpenSCAP may be an effective tool for reporting your organization's IT security controls, but we want to review some of the basic concepts that you should be aware of.
We noted earlier that Dom0 is a special-purpose management domain that is based on Xen built with Oracle Linux. The Oracle Linux and Oracle Solaris configurations share a common set of technical security controls that are useful to measure consistently with Oracle VM Server. However, the results you analyze require historic perspective and current insight to determine the relevance and criticality that is important to convey to the decision makers or authorizing officials in your organization.
One random example of a security compliance check that illustrates a number of considerations is related to CWE-264: Permissions, Privileges, and Access Controls. More specifically, as an exercise, we want to drill down to both CWE-275: Permission Issues and CWE-426: Untrusted Search Path potential problems.
To demonstrate how OpenSCAP can be used to report the results of a check related to CWE-275 and CWE-426 we can start by viewing the Red Hat 5 STIG Benchmark, Version 1, Release 4 from DISA:
[root@ovm327 ~]# wget http://iase.disa.mil/stigs/os/unix/u_redhat_5_v1r4_stig_benchmark.zip
For brevity, we have extracted out the OVAL compliance item for 'STIG ID: GEN000960' that we show using the DISA STIG Viewer:
If you also want to test this, here is the raw XML
This looks simple enough, so let's see the result using OpenSCAP on Oracle VM Server for x86:
[root@ovm327 ~]# oscap oval eval GEN000960.xml
Definition oval:mil.disa.fso.rhel:def:77: true
Evaluation done.
[root@ovm327 ~]#
We think we understand the result but let's view this differently just to be sure:
[root@ovm327 ~]# ls -ldL `echo $PATH | tr ':' '\n'`
ls: /root/bin: No such file or directory
drwxr-xr-x 2 root root  4096 Jan  2 12:45 /bin
drwxr-xr-x 2 root root  4096 Jan  2 12:45 /sbin
drwxr-xr-x 3 root root 16384 Jan  2 12:45 /usr/bin
drwxr-xr-x 2 root root  4096 Feb 16  2010 /usr/local/bin
drwxr-xr-x 2 root root  4096 Feb 16  2010 /usr/local/sbin
drwxr-xr-x 2 root root 12288 Jan  2 12:45 /usr/sbin
[root@ovm327 ~]#
This looks good to us, but let's make the '/root/bin' directory that we intentionally want to violate the compliance check to see what happens:
[root@ovm327 ~]# mkdir -m 0777 /root/bin
[root@ovm327 ~]# ls -ldL `echo $PATH | tr ':' '\n'`
drwxr-xr-x 2 root root  4096 Jan  2 12:45 /bin
drwxrwxrwx 2 root root  4096 Jan  2 13:55 /root/bin
drwxr-xr-x 2 root root  4096 Jan  2 12:45 /sbin
drwxr-xr-x 3 root root 16384 Jan  2 12:45 /usr/bin
drwxr-xr-x 2 root root  4096 Feb 16  2010 /usr/local/bin
drwxr-xr-x 2 root root  4096 Feb 16  2010 /usr/local/sbin
drwxr-xr-x 2 root root 12288 Jan  2 12:45 /usr/sbin
[root@ovm327 ~]# oscap oval eval GEN000960.xml
Definition oval:mil.disa.fso.rhel:def:77: false
Evaluation done.
[root@ovm327 ~]#
We have reasonably good confirmation that the OVAL compliance check works the way we expect. However, if we look at the entire set of permissions that enforce the discretionary access control policy, we then realize that there are also permissions on the '/root' directory that prevent the write operations by 'others' in the '/root/bin' directory from succeeding:
[root@ovm327 ~]# ls -ldL /root /root/bin
drwxr-x--- 4 root root 4096 Jan  2 13:55 /root
drwxrwxrwx 2 root root 4096 Jan  2 13:55 /root/bin
[root@ovm327 ~]#
We are not suggesting that mode '0777' permissions on '/root/bin' are acceptable just because the '/root' directory has safer permissions, but the example shows that the OVAL check does not test the security controls exactly the way the kernel enforces the permissions. We can justifiably state that the result of the OVAL security compliance check on the '0777' permissions of the '/root/bin' directory is a 'condition negative' with a 'test outcome negative' (i.e. a true negative), but we should also continue to note our other observations related to access control enforcement.
Before proceeding, we will clean up the problem we just temporarily created on our test server:
[root@ovm327 ~]# chmod 0700 /root/bin
[root@ovm327 ~]# ls -ldL /root /root/bin
drwxr-x--- 4 root root 4096 Jan  2 13:55 /root
drwx------ 2 root root 4096 Jan  2 13:55 /root/bin
[root@ovm327 ~]# oscap oval eval GEN000960.xml
Definition oval:mil.disa.fso.rhel:def:77: true
Evaluation done.
[root@ovm327 ~]#
Hopefully you find this random security compliance check interesting and somewhat enlightening to illustrate what OpenSCAP can help you with. To continue, we decided to check a slightly different way to demonstrate the same security control:
[root@ovm327 ~]# wget https://git.fedorahosted.org/cgit/openscap.git/plain/dist/fedora/scap-fedora14-oval.xml
To simplify viewing the portion of the OVAL compliance entry we extracted it like we did with the DISA STIG item. If you also want to test this, here is the raw XML
Now we can show similar results using a slightly different implementation of the compliance check:
[root@ovm327 ~]# oscap oval eval fedora-accounts_root_path_dirs_no_write.xml
Definition oval:org.open-scap.f14:def:200855: true
Evaluation done.
[root@ovm327 ~]# chmod 0770 /root/bin
[root@ovm327 ~]# oscap oval eval fedora-accounts_root_path_dirs_no_write.xml
Definition oval:org.open-scap.f14:def:200855: false
Evaluation done.
[root@ovm327 ~]#
But we can also see that it is indeed a different check because it includes the test for group write permissions and the 'STIG ID: GEN000960' does not:
[root@ovm327 ~]# chmod 0770 /root/bin
[root@ovm327 ~]# oscap oval eval GEN000960.xml
Definition oval:mil.disa.fso.rhel:def:77: true
Evaluation done.
[root@ovm327 ~]#
Again, let's fix the problem we temporarily created on our test server:
[root@ovm327 ~]# chmod 0700 /root/bin
[root@ovm327 ~]#
You should also review the CIS Oracle Solaris 11.1 Benchmark v1.0.0 and the CIS Red Hat Enterprise Linux 6 Benchmark v1.2.0 to see that they both have the same entry to 'Ensure root PATH Integrity (Scored)' that has an audit section showing script commands that step through multiple potential security compliance issues to check. It is a common practice to combine similar checks in a group, but you may need to parse out the results to obtain a discrete value for a singular check.
As an additional consideration, let's shift our focus away from the differences within OVAL compliance definitions to the different operating systems that the SCAP content was originally written for. For this part of our testing we start up an Oracle Solaris 11.1 x86 instance running on a VM to demonstrate the OpenSCAP tests with the same OVAL compliance checks:
root@sol11:/root# pkg install security/compliance/openscap
root@sol11:/root# ls -ldL `echo $PATH | tr ':' '\n'`
drwxr-xr-x 4 root bin 1126 Jan  2 14:05 /usr/bin
drwxr-xr-x 4 root bin  445 Jan  2 13:54 /usr/sbin
root@sol11:/root# oscap oval eval GEN000960.xml
Definition oval:mil.disa.fso.rhel:def:77: true
Evaluation done.
root@sol11:/root# oscap oval eval fedora-accounts_root_path_dirs_no_write.xml
Definition oval:org.open-scap.f14:def:200855: true
Evaluation done.
root@sol11:/root# export PATH=$PATH:/tmp
root@sol11:/root# ls -ldL `echo $PATH | tr ':' '\n'`
drwxrwxrwt 5 root sys  432 Jan  2 14:09 /tmp
drwxr-xr-x 4 root bin 1126 Jan  2 14:05 /usr/bin
drwxr-xr-x 4 root bin  445 Jan  2 13:54 /usr/sbin
root@sol11:/root# oscap oval eval GEN000960.xml
Definition oval:mil.disa.fso.rhel:def:77: false
Evaluation done.
root@sol11:/root# oscap oval eval fedora-accounts_root_path_dirs_no_write.xml
Definition oval:org.open-scap.f14:def:200855: false
Evaluation done.
root@sol11:/root#
Now let's repeat the same OpenSCAP checks with a non-root user account:
admin@sol11:~$ ls -ldL `echo $PATH | tr ':' '\n'`
drwxr-xr-x 4 root bin 1126 Jan  2 14:05 /usr/bin
drwxr-xr-x 4 root bin  445 Jan  2 13:54 /usr/sbin
admin@sol11:~$ oscap oval eval GEN000960.xml
Definition oval:mil.disa.fso.rhel:def:77: true
Evaluation done.
admin@sol11:~$ oscap oval eval fedora-accounts_root_path_dirs_no_write.xml
Definition oval:org.open-scap.f14:def:200855: true
Evaluation done.
admin@sol11:~$ export PATH=$PATH:/tmp
admin@sol11:~$ ls -ldL `echo $PATH | tr ':' '\n'`
drwxrwxrwt 5 root sys  432 Jan  2 14:09 /tmp
drwxr-xr-x 4 root bin 1126 Jan  2 14:05 /usr/bin
drwxr-xr-x 4 root bin  445 Jan  2 13:54 /usr/sbin
admin@sol11:~$ oscap oval eval GEN000960.xml
Definition oval:mil.disa.fso.rhel:def:77: false
Evaluation done.
admin@sol11:~$ oscap oval eval fedora-accounts_root_path_dirs_no_write.xml
Definition oval:org.open-scap.f14:def:200855: false
Evaluation done.
admin@sol11:~$
We have discovered some additional interesting considerations when reviewing the OpenSCAP results executed on Oracle Solaris:
- The OVAL content appears to also work on Oracle Solaris 11.1
- The OVAL check is on the current PATH environment variable
- The OVAL check is for the current user shell or cron(1M) process running oscap(8)
- The OVAL check does not look for scripts that set the PATH for application run time environments
- The OVAL check does not account for more sophisticated access control technology
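The two OVAL definitions used above differ only in which write bits they test (GEN000960 looks at "other" write, the Fedora definition also at group write), and the /root versus /root/bin observation shows that neither asks whether an unprivileged user could reach the directory at all. The shell script below is an added example, not part of the original post and not OpenSCAP, DISA or Fedora content: it re-implements both variants of the check over a PATH string and adds the ancestor-directory search test that the kernel's path walk enforces. The function names (path_writable_dirs, first_blocking_ancestor, report_path) are this example's own. Like the OVAL checks, it only evaluates the PATH value it is handed, so a cron job or an application start-up script with its own PATH needs its own run.

```shell
#!/bin/sh
# Added example (not from the original post): a shell re-implementation of the
# root-PATH OVAL checks discussed above, plus the ancestor-directory test that
# the OVAL definitions do not perform. Function names are this example's own.

# Print "<class> <dir>" for each PATH element that is writable by "others"
# (what GEN000960 tests) and, when the second argument is 1, also for those
# writable by group (what the Fedora accounts_root_path_dirs_no_write
# definition tests). Elements that do not exist are skipped, as ls -ldL
# reported for /root/bin above. find -H dereferences a symlinked element.
path_writable_dirs() {
    path="$1"
    include_group="${2:-0}"
    old_ifs=$IFS
    IFS=:
    set -f                     # no globbing while splitting on ':'
    set -- $path
    set +f
    IFS=$old_ifs
    for d in "$@"; do
        [ -z "$d" ] && d="."   # an empty PATH element means "."
        [ -d "$d" ] || continue
        if [ -n "$(find -H "$d" -maxdepth 0 -perm -0002 2>/dev/null)" ]; then
            echo "other-writable $d"
        elif [ "$include_group" = 1 ] &&
             [ -n "$(find -H "$d" -maxdepth 0 -perm -0020 2>/dev/null)" ]; then
            echo "group-writable $d"
        fi
    done
}

# Walk up from a directory and print the first ancestor that denies search
# (execute) permission to "others". If one exists, an unprivileged process
# cannot traverse to the directory through this path, which is exactly why
# the 0750 /root above stopped others from writing into the 0777 /root/bin.
# Returns 1 (prints nothing) when every ancestor is searchable.
first_blocking_ancestor() {
    d="$1"
    while :; do
        p=$(dirname "$d")
        [ "$p" = "$d" ] && break       # reached "/" (or "." for a relative path)
        d="$p"
        if [ -z "$(find -H "$d" -maxdepth 0 -perm -0001 2>/dev/null)" ]; then
            echo "$d"
            return 0
        fi
    done
    return 1
}

# Flag each directory as the OVAL check would, then annotate it with whether
# a path walk by "others" can even reach it.
report_path() {
    path_writable_dirs "$1" "${2:-0}" | while read -r cls d; do
        if blocker=$(first_blocking_ancestor "$d"); then
            echo "$cls $d (not reachable by others: $blocker denies search)"
        else
            echo "$cls $d (reachable by others)"
        fi
    done
}

# Stand-alone use: report on the current shell's PATH, group write included.
report_path "$PATH" 1
```

A finding marked "not reachable by others" is still a finding to fix, as the post says of /root/bin; the annotation only records that the kernel's enforcement currently masks it, which is the kind of observation worth carrying alongside the raw true/false result.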
To further our understanding of the OVAL content, we decided to run the jOVAL tool which is not included with Oracle Solaris:
admin@sol11:~$ echo $PATH
/usr/bin:/usr/sbin:/tmp
admin@sol11:~$ /usr/share/jOVAL/jovaldi -l 1 -m -o GEN000960.xml
----------------------------------------------------
jOVAL Definition Interpreter
Version: 184.108.40.206
Build date: Thursday, January 2, 2014 04:46:39 PM PST
Copyright (c) 2011-2013 - jOVAL.org

Plugin: Default
Plugin Version: 220.127.116.11
Copyright (C) 2011-2013 - jOVAL.org
----------------------------------------------------

Start Time: Fri Jan 02 16:50:05 2014

** parsing /home/admin/GEN000960.xml
  - validating xml schema.
** checking schema version
  - Schema version - 5.4
** skipping Schematron validation
** creating a new OVAL System Characteristics file.
** gathering data for the OVAL definitions.
  Collecting object: FINISHED
** saving data model to system-characteristics.xml.
** skipping Schematron validation
** running the OVAL Definition analysis.
  Analyzing definition: FINISHED
** OVAL definition results.

OVAL Id                                  Result
-------------------------------------------------------
oval:mil.disa.fso.rhel:def:77            true
-------------------------------------------------------

** finished evaluating OVAL definitions.
** saving OVAL results to results.xml.
** skipping Schematron validation
** running OVAL Results xsl: /usr/share/jOVAL/xml/results_to_html.xsl.
----------------------------------------------------
admin@sol11:~$ echo $PATH
/usr/bin:/usr/sbin:/tmp
admin@sol11:~$ /usr/share/jOVAL/jovaldi -l 1 -m -o fedora-accounts_root_path_dirs_no_write.xml
----------------------------------------------------
jOVAL Definition Interpreter
Version: 18.104.22.168
Build date: Thursday, January 2, 2014 04:46:39 PM PST
Copyright (c) 2011-2013 - jOVAL.org

Plugin: Default
Plugin Version: 22.214.171.124
Copyright (C) 2011-2013 - jOVAL.org
----------------------------------------------------

Start Time: Fri Jan 02 16:50:30 2014

** parsing /home/admin/fedora-accounts_root_path_dirs_no_write.xml
  - validating xml schema.
** checking schema version
  - Schema version - 5.5
** skipping Schematron validation
** creating a new OVAL System Characteristics file.
** gathering data for the OVAL definitions.
  Collecting object: FINISHED
** saving data model to system-characteristics.xml.
** skipping Schematron validation
** running the OVAL Definition analysis.
  Analyzing definition: FINISHED
** OVAL definition results.

OVAL Id                                  Result
-------------------------------------------------------
oval:org.open-scap.f14:def:200855        false
-------------------------------------------------------

** finished evaluating OVAL definitions.
** saving OVAL results to results.xml.
** skipping Schematron validation
** running OVAL Results xsl: /usr/share/jOVAL/xml/results_to_html.xsl.
----------------------------------------------------
admin@sol11:~$
For now, this concludes our initial investigation of OpenSCAP to show the potential effectiveness on Oracle VM Server for x86 with careful consideration of the results you may observe with your SCAP content. You will also want to understand the XCCDF security checklists that are most often used to perform more complete security compliance checks with OpenSCAP in the same way you can check for STIG compliance:
# oscap xccdf eval --profile stig-rhel6-server --report report.html --results results.xml --cpe ssg-rhel6-cpe-dictionary.xml ssg-rhel6-xccdf.xml
We hope that the random security compliance example we chose will help to illustrate that the use of OpenSCAP is not a substitute for adequately proficient expertise in analyzing IT security controls, but that it allows for repetitive checks on your production Oracle VM Servers after you have completed sufficient testing. Please contact your Oracle representatives if you have any questions, or place service requests with Oracle Support when you encounter problems.
Finally, please remember that you should report any potential security vulnerabilities in Oracle products following the instructions found here.
lxc by default uses /container as the directory to store container images and metadata. /container/[containername]/rootfs and /container/[containername]/config. You can specify an alternative pathname using -P. To make it easy I added an extra disk to my VM that I use to try out containers (xvdc) and then just mount that volume under /container.
- Create btrfs volume
If not yet installed, install btrfs-progs (yum install btrfs-progs)
# mkfs.btrfs /dev/xvdc1
# mount /dev/xvdc1 /container
You can auto-mount this at startup by adding a line to /etc/fstab:
/dev/xvdc1 /container btrfs defaults 0 0
- Create a container
# lxc-create -n OracleLinux59 -t oracle -- -R 5.9
This creates a btrfs subvolume /container/OracleLinux59/rootfs.
Use the following command to verify :
# btrfs subvolume list /container/
ID 260 gen 33 top level 5 path OracleLinux59/rootfs
- Start/Stop container
# lxc-start -n OracleLinux59
This starts the container but without extra options your current shell becomes the console of the container.
Add -c [file] and -d for the container to log console output to a file and return control to the shell after starting the container.
# lxc-start -n OracleLinux59 -d -c /tmp/OL59console
# lxc-stop -n OracleLinux59
- Clone a container using btrfs's snapshot feature which is built into lxc
# lxc-clone -o OracleLinux59 -n OracleLinux59-dev1 -s
Tweaking configuration
Copying rootfs...
Create a snapshot of '/container/OracleLinux59/rootfs' in '/container/OracleLinux59-dev1/rootfs'
Updating rootfs...
'OracleLinux59-dev1' created
# btrfs subvolume list /container/
ID 260 gen 34 top level 5 path OracleLinux59/rootfs
ID 263 gen 34 top level 5 path OracleLinux59-dev1/rootfs
This snapshot clone is instantaneous and is a copy on write snapshot.
You can test space usage like this :
# btrfs filesystem df /container
Data: total=1.01GB, used=335.17MB
System: total=4.00MB, used=4.00KB
Metadata: total=264.00MB, used=25.25MB
# lxc-clone -o OracleLinux59 -n OracleLinux59-dev2 -s
Tweaking configuration
Copying rootfs...
Create a snapshot of '/container/OracleLinux59/rootfs' in '/container/OracleLinux59-dev2/rootfs'
Updating rootfs...
'OracleLinux59-dev2' created
# btrfs filesystem df /container
Data: total=1.01GB, used=335.17MB
System: total=4.00MB, used=4.00KB
Metadata: total=264.00MB, used=25.29MB
- Adding Oracle Linux 6.5
# lxc-create -n OracleLinux65 -t oracle -- -R 6.5
lxc-create: No config file specified, using the default config /etc/lxc/default.conf
Host is OracleServer 6.5
Create configuration file /container/OracleLinux65/config
Downloading release 6.5 for x86_64
...
Configuring container for Oracle Linux 6.5
Added container user:oracle password:oracle
Added container user:root password:root
Container : /container/OracleLinux65/rootfs
Config    : /container/OracleLinux65/config
Network   : eth0 (veth) on virbr0
'oracle' template installed
'OracleLinux65' created
- Install an RPM in a running container
# lxc-attach -n OracleLinux59-dev1 -- yum install mysql
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package mysql.i386 0:5.0.95-3.el5 set to be updated
..
Complete!
This connects to the container and executes yum install mysql inside it.
- Modify container resource usage
# lxc-cgroup -n OracleLinux59-dev1 memory.limit_in_bytes 53687091
# lxc-cgroup -n OracleLinux59-dev1 cpuset.cpus 0-3
# lxc-cgroup -n OracleLinux59-dev1 cpuset.cpus 0,1
Assigns cores 0 and 1. You can also use a range 0-2,...
# lxc-cgroup -n OracleLinux59-dev1 cpu.shares 1024
# lxc-cgroup -n OracleLinux59-dev1 cpu.shares 100
# lxc-cgroup -n OracleLinux59-dev1 cpu.shares 100
# lxc-cgroup -n OracleLinux59-dev1 blkio.weight 500
# lxc-cgroup -n OracleLinux59-dev1 blkio.weight 20
A list of resource control parameters : http://docs.oracle.com/cd/E37670_01/E37355/html/ol_subsystems_cgroups.html#ol_cpu_cgroups
Lenz has created a Hands-on lab which you can find here : https://wikis.oracle.com/display/oraclelinux/Hands-on+Lab+-+Linux+Containers
Dwight's one of the major contributors to lxc. One of the things he did a while back, was adding support in lxc-create to understand how to create Oracle Linux images. All you have to do is provide a version number and it will figure out which yum repos to connect to on http://public-yum.oracle.com and download the required rpms and install them in a local subdirectory. This is of course superconvenient and incredibly fast. So... I played with that briefly this morning and here's the very short summary.
Start out with a standard Oracle Linux 6.5 install and uek3. Make sure to add/install lxc if it's not yet there (yum install lxc) and you're good to go.
*note - you also have to create /container for lxc, so also do mkdir /container after you install lxc. Thanks to Tony for pointing this out.
# lxc-create -n ol65 -t oracle -- -R 6.5
That's it. lxc-create will know this is an Oracle Linux container, using OL6.5's repository to create the container named ol65.
lxc-create automatically connects to public-yum, figures out which repos to use for 6.5, downloads all required rpms and generates the container. At the end you will see :
Configuring container for Oracle Linux 6.5
Added container user:oracle password:oracle
Added container user:root password:root
Container : /container/ol65/rootfs
Config    : /container/ol65/config
Network   : eth0 (veth) on virbr0
'oracle' template installed
'ol65' created
Now all you need to do is :
lxc-start --name ol65
And you are up and running with a new container. Very fast, very easy.
If you want an OL5.9 container (or so) just do lxc-create -n ol59 -t oracle -- -R 5.9. Done. lxc has tons of very cool features, which I will get into more later. You can use this model to import images into docker as well, instead of using febootstrap.
# lxc-create -n ol65 -t oracle -- -R 6.5
# tar --numeric-owner -jcp -C /container/ol65/rootfs . | \
    docker import - ol6.5
# lxc-destroy -n ol65
Since docker relies on cgroups and lxc, it should be easy with uek3. We provide official support for lxc, we are in fact a big contributor to the lxc project (shout out to Dwight Engen) and the docker website says that you need to be on 3.8 for it to just work. So, OL6.5 + UEK3 seems like the perfect combination to start out with.
Here are the steps to do few very simple things:
- Install Oracle Linux 6.5 (with the default UEK3 kernel (3.8.13))
- To quickly play with docker you can just use their example
(*) if you are behind a firewall, set your HTTP_PROXY
-> If you start from a Basic Oracle Linux 6.5 installation, install lxc first. Your out-of-the-box OL should be configured to access the public-yum repositories.
# yum install lxc
-> ensure you mount the cgroups fs
# mkdir -p /cgroup ; mount none -t cgroup /cgroup
-> grab the docker binary
# wget https://get.docker.io/builds/Linux/x86_64/docker-latest -O docker
# chmod 755 docker
-> start the daemon
(*) again, if you are behind a firewall, set your HTTP_PROXY setting (http_proxy won't work with docker)
# ./docker -d &
-> you can verify if it works
# ./docker version
Client version: 0.7.0
Go version (client): go1.2rc5
Git commit (client): 0d078b6
Server version: 0.7.0
Git commit (server): 0d078b6
Go version (server): go1.2rc5
-> now you can try to download an example using ubuntu (we will have to get OL up there :))
# ./docker run -i -t ubuntu /bin/bash
this will go and pull in the ubuntu template and run bash inside
# ./docker run -i -t ubuntu /bin/bash
WARNING: IPv4 forwarding is disabled.
root@7ff7c2bae124:/#
and now I have a shell inside ubuntu!
-> ok so now on to playing with OL6. Let's create and import a small OL6 image.
-> first install febootstrap so that we can create an image
# yum install febootstrap
-> now you have to point to a place where you have the repoxml file and the packages on an http server. I copied my ISO content over to a place
I will install some basic packages in the subdirectory ol6 (it will create an OL installed image). This is based on what folks did for centos, so it works the same (https://github.com/dotcloud/docker/blob/master/contrib/mkimage-centos.sh).
# febootstrap -i bash -i coreutils -i tar -i bzip2 -i gzip \
    -i vim-minimal -i wget -i patch -i diffutils -i iproute -i yum ol6 ol6 http://wcoekaer-srv/ol/
# touch ol6/etc/resolv.conf
# touch ol6/sbin/init
-> tar it up and import it
# tar --numeric-owner -jcpf ol6.tar.gz -C ol6 .
# cat ol6.tar.gz | ./docker import - ol6
List the image
# ./docker images
REPOSITORY   TAG      IMAGE ID       CREATED          SIZE
ol6          latest   d389ed8db59d   8 minutes ago    322.7 MB (virtual 322.7 MB)
ubuntu       12.04    8dbd9e392a96   7 months ago     128 MB (virtual 128 MB)
And now I have a docker image with ol6 that I can play with!
# ./docker run -i -t ol6 ps aux
WARNING: IPv4 forwarding is disabled.
USER       PID %CPU %MEM   VSZ  RSS TTY  STAT START TIME COMMAND
root         1  1.0  0.0 11264  656 ?    R+   23:58 0:00 ps aux
Way more to do but this all just worked out of the box!
# ./docker run ol6 /bin/echo hello world
WARNING: IPv4 forwarding is disabled.
hello world
That's it for now. Next time, I will try to create a mysql/ol6 image and various other things.
This really shows the power of containers on Linux and Linux itself. We have all these various Linux distributions but inside lxc (or docker) you can run ubuntu, debian, gentoo, yourowncustomcrazything and it will just run, old versions of OL, newer versions of OL, all on the same host kernel.
I can run OL6.5 and create OL4, OL5, OL6 containers or docker images but I can also run any old debian or slackware images at the same time.
The ISOs are also being mirrored to public external mirror sites, one of them is my own mirror site.
Release notes are here.
Another, much simpler option, is just using yum. It is very easy to take a server and create directories and expose these through apache as repositories. You can have a simple yum config on each server pointing to a few specific repositories. It requires some manual effort in terms of creating directories, downloading packages and creating local repo files but it's easy to do and for many people a preferred solution.
There are also a good number of customers that just connect their servers directly to ULN or to our free update server public-yum. Just to re-iterate, our public-yum servers have all the errata and updates available for free.
Now we added another option. Many of our customers have switched from a competing Linux vendor and they had familiarity with their management tools. Switching to Oracle for support is very easy since we don't require changes to the installed servers, but we also want to make sure there is a very easy and almost transparent switch for the management tools as well. While Oracle Enterprise Manager is our preferred way of managing systems, we now are offering Spacewalk 2.0 to our customers. The community project can be found here. We have made a few changes to ensure easy and complete support for Oracle Linux, tested it with public-yum, etc. You can find the rpms in our public-yum repos at http://public-yum.oracle.com/repo/OracleLinux/OL6/. There are repositories for the spacewalk server, and then for each version (OL5, OL6) and architecture (x86 and x86-64) we have the client repositories as well. Spacewalk itself is only made available for OL6 x86-64.
Documentation can be found here.
I set it up myself and here are some quick steps on how you can get going in just a matter of minutes:
Spacewalk Server Installation :
1) Installing an Oracle Database
Use an existing Oracle Database or install a new Oracle Database (Standard or Enterprise Edition) [at this time use 11g, we will add support for 12c in the near future]. This database can be installed on the spacewalk server or on a separate remote server.
While Oracle XE might work to create a small sample POC, we do not support the use of Oracle XE, spacewalk repositories can become large and create a significant database workload.
Customers can use their existing database licenses, they can download the database with a trial license from http://edelivery.oracle.com, or Oracle Linux subscribers (customers) will be allowed to use the Oracle Database as a spacewalk repository as part of their Oracle Linux subscription at no additional cost.
NOTE : spacewalk requires the database to be configured with the UTF8 characterset.
Installation will fail if your database does not use UTF8.
To verify if your database is configured correctly, run the following command in sqlplus:

select value from nls_database_parameters where parameter='NLS_CHARACTERSET';

This should return 'AL32UTF8'
2) Configure the database schema for spacewalk
Ideally, create a tablespace in the database to hold the spacewalk schema tables/data;
create tablespace spacewalk datafile '/u01/app/oracle/oradata/orcl/spacewalk.dbf' size 10G autoextend on;
Create the database user spacewalk (or use some other schema name) in sqlplus.
create user spacewalk identified by spacewalk;
grant connect, resource to spacewalk;
grant create table, create trigger, create synonym, create view, alter session to spacewalk;
grant unlimited tablespace to spacewalk;
alter user spacewalk default tablespace spacewalk;
4) Spacewalk installation and configuration
Spacewalk server requires an Oracle Linux 6 x86-64 system. Clients can be Oracle Linux 5 or 6, both 32- and 64-bit. The server is only supported on OL6 64-bit.
The easiest way to get started is to do a 'Minimal' install of Oracle Linux on a server and configure the yum repository to include the spacewalk repo from public-yum.
Once you have a system with a minimal install, modify your yum repo to include the spacewalk repo.
edit /etc/yum.repos.d/public-yum-ol.repo and add the following lines at the end of the file :
[spacewalk]
name=spacewalk
baseurl=http://public-yum.oracle.com/repo/OracleLinux/OL6/spacewalk20/server/$basearch/
gpgkey=http://public-yum.oracle.com/RPM-GPG-KEY-oracle-ol6
gpgcheck=1
enabled=1
Install the following pre-requisite packages on your spacewalk server :
oracle-instantclient11.2-basic-126.96.36.199.0-1.x86_64
oracle-instantclient11.2-sqlplus-188.8.131.52.0-1.x86_64

rpm -ivh oracle-instantclient11.2-basic-184.108.40.206.0-1.x86_64
rpm -ivh oracle-instantclient11.2-sqlplus-220.127.116.11.0-1.x86_64

The above RPMs can be found on the Oracle Technology Network website :
As the root user, configure the library path to include the Oracle Instant Client libraries :
cd /etc/ld.so.conf.d
echo /usr/lib/oracle/11.2/client64/lib > oracle-instantclient11.2.conf
ldconfig
Install spacewalk :
# yum install spacewalk-oracle

The above yum command should download and install all required packages to run spacewalk on your local server.
NOTE : if you did a full, desktop or workstation installation,
you have to remove the JTA package
BEFORE installing spacewalk-oracle (rpm -e --nodeps jta)
Once the installation completes, simply run the spacewalk configuration tool and you are all set. (make sure to run the command with the 2 arguments)
spacewalk-setup --disconnected --external-db
Answer the questions during the setup; ensure you provide the correct database user (example : spacewalk), password (example : spacewalk) and database server hostname (the standard hostname of the server on which you have deployed the Oracle database).
At the end of the setup script, your spacewalk server should be fully configured and you can log into the web portal. Use your favorite browser to connect to the website : http://[spacewalkserverhostname]
The very first action will be to create the main admin account.
Release 5.1 introduces a number of bug fixes and smaller changes, but the most interesting one is definitely increased support for html5-based client access. In SGD 5.0 we added support for Apple iPads using Safari to connect to SGD and display your session right inside the browser. The traditional model for SGD is that you connect using a web browser to the webtop, and applications are displayed locally using a local client (tta). This client gets installed the first time you connect. So in the traditional model (which works very well...) you need a web browser, java and the tta client. With the addition of html5 support, there's no longer a need to install a local client; in fact, there is also no longer a need to have java installed. We currently support Chrome as a browser to enable html5 clients. This allows us to enable html5 on android devices and also on desktops running Chrome (Windows, MacOS X, Linux).
Connections will work transparently across proxy servers as well. So now you can run any SGD published app or desktop right from your web browser inside a browser window. This is very convenient and cool.
This pricing information is publicly available on the Oracle store, I am using the current public list prices. Also keep in mind that this is for customers using non-oracle x86 servers. When a customer purchases an Oracle x86 server, the annual systems support includes full use (all you can eat) of Oracle Linux, Oracle VM and Oracle Solaris (no matter how many VMs you run on that server, in case you deploy guests on a hypervisor). This support level is the equivalent of premier support in the list below.
Let's start with Oracle VM (x86) :
Oracle VM support subscriptions are per physical server on which you deploy the Oracle VM Server product.
24x7 support, access to bugfixes, updates and new releases. It also includes all options, live migrate, dynamic resource scheduling, high availability, dynamic power management, etc
If you want to play with the product, or even use the product without access to support services, the product is freely downloadable from edelivery.
Next, Oracle Linux :
Oracle Linux support subscriptions are per physical server.
If you plan to run Oracle Linux as a guest on Oracle VM, VMWare or Hyper-v, you only have to pay for a single subscription per system, we do not charge per guest or per number of guests. In other words, you can run any number of Oracle Linux guests per physical server and count it as just a single subscription.
So that's it. Count number of 2 socket boxes, more than 2 socket boxes, decide on basic or premier support level and you are done. You don't have to worry about different levels based on how many virtual instances you deploy or want to deploy. A very simple menu of choices. We offer, inclusive, Linux OS clusterware, Linux OS Management, provisioning and monitoring, cluster filesystem (ocfs), high performance filesystem (xfs), dtrace, ksplice, ofed (infiniband stack for high performance networking). No separate add-on menus.
NOTE : socket/cpu can have any number of cores. So whether you have a 4,6,8,10 or 12 core CPU doesn't matter, we count the number of physical CPUs.
As many of you know, we are now using a CDN to distribute the RPMS for public-yum globally so you should have good bandwidth everywhere to freely access the RPMs.
We have worked closely with Microsoft to ensure that we can deploy Oracle Linux inside their Azure platform (and also just in general on Hyper-v). Part of the work is to provide templates that include Oracle products such as Oracle RDBMS and Oracle WebLogic on Oracle Linux in Azure. This is a similar concept as Oracle VM templates. You can go through the catalog on Azure, select a template and a few minutes later you end up with a complete running Virtual Machine. These templates with Oracle products are available for both Windows and Oracle Linux environments.
Microsoft has a free trial offering which I tried out last night (with my personal account) and within a few minutes and no prior knowledge of how their environment works, I had an Oracle Linux 6 update 4 instance up and running. Logged in using ssh. They have a very easy to navigate portal. We have configured Oracle Linux out of the box with public-yum for updates. So if you need an enterprise grade Linux distribution on Azure that comes with free updates/errata and fast connectivity to the update servers, go use Oracle Linux. And the nice thing is, if you need support for some of those VM's deployed, you just pay for those VM's you want support for.
This is also nice for ISVs that want to provide their own application solutions in Azure, they can use Oracle Linux and embed it in their VM with their app and, again, an enterprise grade solution that can be freely used without signing contracts with us, and be current with updates and errata. If the ISV then wants support, they can resell Oracle Linux subscriptions. This is a very simple, open, hassle-free solution.
It is very easy to get started with this and play around with the new features. Just takes a few steps :
Oracle Linux is freely downloadable from http://edelivery.oracle.com/linux. Oracle Linux is free to use on as many systems as you want, is freely re-distributable without changing the CD/ISO content (so including our cute penguin), provides free security errata and bugfix errata updates. You only need to pay for a support subscription for those systems that you want/need support for, not for other systems. This allows our customers/users to run the exact same software on test and dev systems as well as production systems without having to maintain potentially two kinds of repositories. All systems can run the exact same software all the time.
The free yum repository for security and bugfix errata is at http://public-yum.oracle.com. This site also contains a few other repositories :
Now, back to UEK3 beta. Just a few steps are needed to get started.
I will assume you have already installed Oracle Linux 6 (update 4) on a system and it is configured to use public-yum as the repository.
First download and enable the beta repository.
# cd /etc/yum.repos.d/
# wget http://public-yum.oracle.com/beta/public-yum-ol6-beta.repo
# sed -i s/enabled=0/enabled=1/g public-yum-ol6-beta.repo
You don't have to use sed; you can just edit (vi/emacs) the repo file and manually set enabled to 1. Now you can just run yum update:
# yum update
This will install UEK3 (3.8.13-13) and it will update any relevant packages that are required to be on a later version as well. At this point you should reboot into UEK3.
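Both the [spacewalk] repo stanza above and the beta-repo enablement step come down to editing yum .repo files, so here is a small added example (not Oracle's code) that parses such a file, flags enabled repos whose packages would not be signature-checked, and enables one stanza by id rather than every stanza at once. The ol6_beta and local_mirror stanzas and the mirror.example.internal URL are constructed for the example.

```python
# Added example, not Oracle's code. SAMPLE_REPO is constructed from the
# [spacewalk] stanza in the post plus two hypothetical stanzas (ol6_beta,
# local_mirror) to exercise the checks.
import configparser

SAMPLE_REPO = """\
[spacewalk]
name=spacewalk
baseurl=http://public-yum.oracle.com/repo/OracleLinux/OL6/spacewalk20/server/$basearch/
gpgkey=http://public-yum.oracle.com/RPM-GPG-KEY-oracle-ol6
gpgcheck=1
enabled=1

[ol6_beta]
name=Oracle Linux 6 beta (hypothetical stanza, ships disabled)
baseurl=http://public-yum.oracle.com/beta/$basearch/
gpgkey=http://public-yum.oracle.com/RPM-GPG-KEY-oracle-ol6
gpgcheck=1
enabled=0

[local_mirror]
name=internal mirror (hypothetical stanza, no signature check)
baseurl=http://mirror.example.internal/ol6/$basearch/
gpgcheck=0
enabled=1
"""


def parse_repos(text):
    """Return {repo_id: {key: value}} for every stanza in a .repo file."""
    cp = configparser.ConfigParser(interpolation=None)  # keep $basearch literal
    cp.read_string(text)
    return {sec: dict(cp.items(sec)) for sec in cp.sections()}


def audit_repos(text):
    """List enabled repos whose packages yum would install unverified.
    yum treats a missing enabled= as 1 and a missing gpgcheck= as 0."""
    findings = []
    for repo_id, opts in parse_repos(text).items():
        if opts.get("enabled", "1") != "1":
            continue  # a disabled stanza cannot feed yum, nothing to flag
        if opts.get("gpgcheck", "0") != "1":
            findings.append((repo_id, "gpgcheck is not 1"))
        elif not opts.get("gpgkey"):
            findings.append((repo_id, "gpgcheck=1 but no gpgkey to verify with"))
    return sorted(findings)


def set_enabled(text, repo_id, enabled):
    """Flip enabled= for one stanza only. The post's global
    sed -i s/enabled=0/enabled=1/g would enable every repo in the file."""
    out, section = [], None
    for line in text.splitlines():
        bare = line.strip()
        if bare.startswith("[") and bare.endswith("]"):
            section = bare[1:-1]
        elif section == repo_id and bare.split("=", 1)[0].strip() == "enabled":
            line = "enabled=%d" % (1 if enabled else 0)
        out.append(line)
    return "\n".join(out) + "\n"
```

Running audit_repos over a real /etc/yum.repos.d/*.repo set before `yum update` catches a stanza that was added with gpgcheck=0 or without a gpgkey.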
New features introduced in UEK3 are listed in our release notes. There are tons of detailed improvements in the kernel since UEK2 (3.0 based). Kernelnewbies is an awesome site that keeps a nice list of changes for each version. We will add more detail to our release notes over time but for those that want to browse through all the changes, check it out.
To try out dtrace, you need to install the dtrace packages. We introduced USDT in UEK3's version of dtrace, there is some information in the release notes about the changes.
# yum install dtrace-utils
To try out lxc, you need to install the lxc packages. lxc is capable of using Oracle VM Oracle Linux templates as a base image to create a container.
# yum install lxc
Simultaneously, Saar updated his Oracle VM templates to include these latest patchsets as well for both architectures (x86 and x86_64).
These templates can be deployed on Oracle VM using the DeployCluster tool, all you need to do is create a very simple textfile with the parameters.
All templates default to UEK2 2.6.39-400. The templates can be used to create Single Instance, Single Instance with HA (Oracle Restart) and Oracle RAC databases.
The options vary from ASM, NFS, OCFS2 for db files, local filesystem, no DB, Clusterware only etc.
Full stack, download, deploy. Production RDBMS code, Production Oracle Linux.
Simple Sample script:
# cat netconfig.ini
NODE1=server3
NODE1IP=10.0.0.4
PUBADAP=eth0
PUBMASK=255.255.255.0
PUBGW=10.0.0.1
DOMAINNAME=wimmekes.net # May be blank
DNSIP=10.0.0.1 # Starting from 2013 Templates allows multi value
CLONE_SINGLEINSTANCE=yes # Setup Single Instance
and then
# deploycluster -u admin -p mypassword -H localhost -M mydbvm1
-> done
Wim Coekaerts is the Senior Vice President of Linux and Virtualization Engineering for Oracle. He is responsible for Oracle's complete desktop to data center virtualization product line and the Oracle Linux support program.
You can follow him on Twitter at @wimcoekaerts