Sunday Jan 19, 2014

OpenSCAP distributed with Oracle VM Server for x86

Security Compliance : true

We recently released Oracle VM Server for x86 3.2.7. For more information you can go here. In addition we also recently released Oracle Linux 6.5. Find the press release here and the link to the release notes here.

You will notice that for Oracle Linux we have updated the version of OpenSCAP to use the NIST SCAP 1.2 specification.

We have also decided to distribute OpenSCAP with Oracle VM Server for x86 so you will be able to use the same utility for security compliance checks that you may use with Oracle Linux and Oracle Solaris. Initially, the OpenSCAP package we are distributing with Oracle VM Server for x86 is available on the Oracle Public Yum Server, so you may start by using the oscap(8) - OpenSCAP command line tool after you've installed the openscap-utils RPM on your Dom0 test environment. If you are working on the technical security controls that are required by your organization for the approval to operate Oracle VM Server for x86, then you should understand that OpenSCAP is an effective tool to demonstrate security compliance to your authorizing official. However, you should carefully examine your organization's SCAP content and the implementation details such as the use of OVAL for compliance checks.

We typically recommend that you do not directly execute additional utilities within the Oracle VM Server management domain (i.e. the Dom0 domain), but checking security compliance requires careful limited access by your authorized administrators to produce the reports. The Oracle VM Security Guide for Release 3 explains the philosophy of protection for the installation of the Oracle VM Server using a small footprint:

"Oracle VM Server runs a lightweight, optimized version of Oracle Linux. It is based upon an updated version of the Xen hypervisor technology and includes Oracle VM Agent. The installation of Oracle VM Server in itself is secure: it has no unused packages or applications and no services listening on any ports except for those required for the operation of the Oracle VM environment."

Please note that you should report any potential security vulnerabilities in Oracle products following the instructions found here.

We posted some helpful details about Oracle Linux Errata and CVE information this time last year and you may also review the notifications of Oracle VM errata here. For the examples we are reviewing now, the use of OVAL checks is part of the traditional way you would show that your servers are all compliant (locked-down or hardened) with relevant security settings in your checklists that reference the product security guides.

The Oracle Software Security Assurance Secure Configuration Initiative has established Oracle product security goals for both Secure Configuration and Security Guides. We have built in the security features with Oracle VM Server for x86 and you should expect that the default installation follows the software security assurance guidelines. Using OpenSCAP for security compliance checks may help you to show that the Oracle VM Server for x86 configuration is up to date with the latest details documented in the security guides for operating systems and server virtualization.

A standardized approach to security compliance is a goal that many organizations are working toward and includes a broad set of security controls typically found within a complete Risk Management Framework provided by the NIST RMF and other standards bodies within the international IT security community. When you begin to use OpenSCAP you will find that the standard SCAP content contains product specific technical security controls that are expected to be unique and have version dependencies as well. You will notice the standard SCAP content used with OpenSCAP on Oracle VM Server for x86 can produce valid security compliance reports, but you must still understand the technical nuances for measuring compliance that show results for each test:

    True
    False  
    Error  
    Unknown  
    Not Applicable  
    Not Evaluated

Advantages to using a standardized approach for security compliance include considerations of "what is measured" and "how it is measured" to improve the precision, accuracy and ultimate effectiveness required to mitigate risks. The initial results that are produced using OpenSCAP for security compliance checks must be further examined to truly understand the meaning of 'true' or 'false' so that you can demonstrate the rationale for applying any fixes to remediate a verifiable problem. The effectiveness of OpenSCAP depends on a thorough understanding of all the technical details at the early stages of your testing, so you will benefit from the complete coverage that may be repeated for all of your production Oracle VM Servers.

Automating system administration activities is a fundamental objective for on-premise and cloud computing architectures and we are working to standardize as much of the enterprise infrastructure components as possible to produce the most cost effective solutions using Oracle VM Server. The security compliance requirements of many organizations have increased reporting cycles that must be continuously monitored. With careful planning, OpenSCAP may be an effective tool for reporting your organization's IT security controls, but we want to review some of the basic concepts that you should be aware of.

We noted earlier that Dom0 is a special purpose management domain that is based on Xen built with Oracle Linux. The Oracle Linux and Oracle Solaris configurations share a common set of technical security controls that are useful to measure consistently with Oracle VM Server. However, the results you analyse require historical perspective and current insight to determine the relevance and criticality that are important to convey to the decision makers or authorizing officials in your organization.

One random example of a security compliance check that illustrates a number of considerations is related to CWE-264: Permissions, Privileges, and Access Controls. More specifically, as an exercise, we want to drill down to both CWE-275: Permission Issues and CWE-426: Untrusted Search Path potential problems.

To demonstrate how OpenSCAP can be used to report the results of a check related to CWE-275 and CWE-426 we can start by viewing the Red Hat 5 STIG Benchmark, Version 1, Release 4 from DISA:

[root@ovm327 ~]# wget http://iase.disa.mil/stigs/os/unix/u_redhat_5_v1r4_stig_benchmark.zip

For brevity, we have extracted out the OVAL compliance item for 'STIG ID: GEN000960' that we show using the DISA STIG Viewer:

If you also want to test this, here is the raw XML

This looks simple enough, so let's see the result using OpenSCAP on Oracle VM Server for x86:

[root@ovm327 ~]# oscap oval eval GEN000960.xml
Definition oval:mil.disa.fso.rhel:def:77: true
Evaluation done.
[root@ovm327 ~]#

We think we understand the result but let's view this differently just to be sure:

[root@ovm327 ~]# ls -ldL `echo $PATH | tr ':' '\n'`
ls: /root/bin: No such file or directory
drwxr-xr-x 2 root root  4096 Jan  2 12:45 /bin
drwxr-xr-x 2 root root  4096 Jan  2 12:45 /sbin
drwxr-xr-x 3 root root 16384 Jan  2 12:45 /usr/bin
drwxr-xr-x 2 root root  4096 Feb 16  2010 /usr/local/bin
drwxr-xr-x 2 root root  4096 Feb 16  2010 /usr/local/sbin
drwxr-xr-x 2 root root 12288 Jan  2 12:45 /usr/sbin
[root@ovm327 ~]#

This looks good to us, but let's make the '/root/bin' directory that we intentionally want to violate the compliance check to see what happens:

[root@ovm327 ~]# mkdir -m 0777 /root/bin
[root@ovm327 ~]# ls -ldL `echo $PATH | tr ':' '\n'`
drwxr-xr-x 2 root root  4096 Jan  2 12:45 /bin
drwxrwxrwx 2 root root  4096 Jan  2 13:55 /root/bin
drwxr-xr-x 2 root root  4096 Jan  2 12:45 /sbin
drwxr-xr-x 3 root root 16384 Jan  2 12:45 /usr/bin
drwxr-xr-x 2 root root  4096 Feb 16  2010 /usr/local/bin
drwxr-xr-x 2 root root  4096 Feb 16  2010 /usr/local/sbin
drwxr-xr-x 2 root root 12288 Jan  2 12:45 /usr/sbin
[root@ovm327 ~]# oscap oval eval GEN000960.xml
Definition oval:mil.disa.fso.rhel:def:77: false
Evaluation done.
[root@ovm327 ~]#

We have reasonably good confirmation that the OVAL compliance check works the way we expect. However, if we look at the entire set of permissions that enforce the discretionary access control policy, we then realize that there are also permissions on the '/root' directory that prevent the write operations by 'others' in the '/root/bin' directory from succeeding:

[root@ovm327 ~]# ls -ldL /root /root/bin
drwxr-x--- 4 root root 4096 Jan  2 13:55 /root
drwxrwxrwx 2 root root 4096 Jan  2 13:55 /root/bin
[root@ovm327 ~]#

We are not suggesting that the mode '0777' permissions on the '/root/bin' directory are acceptable because we have safer permissions on the '/root' directory, but the example shows that the OVAL check does not test the security controls exactly the way the kernel enforces the permissions. We should justifiably state that the result of the OVAL security compliance check for the '0777' permissions on the '/root/bin' directory is a 'condition negative' with a 'test outcome negative' (i.e. a true negative), but also continue to note our other observations related to the access control enforcement.

Before proceeding, we will clean up the problem we just temporarily created on our test server:

[root@ovm327 ~]# chmod 0700 /root/bin
[root@ovm327 ~]# ls -ldL /root /root/bin
drwxr-x--- 4 root root 4096 Jan  2 13:55 /root
drwx------ 2 root root 4096 Jan  2 13:55 /root/bin
[root@ovm327 ~]# oscap oval eval GEN000960.xml
Definition oval:mil.disa.fso.rhel:def:77: true
Evaluation done.
[root@ovm327 ~]#

Hopefully you find this random security compliance check interesting and somewhat enlightening to illustrate what OpenSCAP can help you with. To continue, we decided to check a slightly different way to demonstrate the same security control:

[root@ovm327 ~]# wget https://git.fedorahosted.org/cgit/openscap.git/plain/dist/fedora/scap-fedora14-oval.xml

To simplify viewing the portion of the OVAL compliance entry we extracted it like we did with the DISA STIG item. If you also want to test this, here is the raw XML

Now we can show similar results using a slightly different implementation of the compliance check:

[root@ovm327 ~]# oscap oval eval fedora-accounts_root_path_dirs_no_write.xml
Definition oval:org.open-scap.f14:def:200855: true
Evaluation done.
[root@ovm327 ~]# chmod 0770 /root/bin
[root@ovm327 ~]# oscap oval eval fedora-accounts_root_path_dirs_no_write.xml
Definition oval:org.open-scap.f14:def:200855: false
Evaluation done.
[root@ovm327 ~]#

But we can also see that it is indeed a different check because it includes the test for group write permissions and the 'STIG ID: GEN000960' does not:

[root@ovm327 ~]# chmod 0770 /root/bin
[root@ovm327 ~]# oscap oval eval GEN000960.xml
Definition oval:mil.disa.fso.rhel:def:77: true
Evaluation done.
[root@ovm327 ~]#

Again, let's fix the problem we temporarily created on our test server:

[root@ovm327 ~]# chmod 0700 /root/bin
[root@ovm327 ~]#
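
As an added illustration (not part of the original post, and not the DISA or Fedora OVAL content itself), the script below reproduces the behaviour observed in the sessions above for each PATH entry: the world-write test, the group-or-world-write test, and whether the parent directories let 'others' reach the entry at all. The function names and the "reach" column are this example's own, and it reads mode bits only.

```shell
#!/bin/sh
# Added example, not the DISA or Fedora OVAL content: function names and the
# "reach" column are this example's own. Modes are read from `ls -ldL`, as in
# the sessions above, so the same script runs on Oracle Linux and Solaris.

# perm_string DIR: 10-character mode field (e.g. drwxr-xr-x), empty if missing.
perm_string() {
    ls -ldL "$1" 2>/dev/null | cut -c1-10
}

# stig_check DIR: behaviour observed for GEN000960; "false" only when the
# world-write bit is set. A missing directory gives "true", as /root/bin did.
stig_check() {
    case "$(perm_string "$1")" in
        ????????w?) echo false ;;
        *)          echo true ;;
    esac
}

# fedora_check DIR: behaviour observed for the Fedora definition; "false" when
# either the group-write or the world-write bit is set.
fedora_check() {
    case "$(perm_string "$1")" in
        ?????w????|????????w?) echo false ;;
        *)                     echo true ;;
    esac
}

# other_can_reach DIR: succeeds when every ancestor of DIR grants search (x)
# to "others". Mode bits only; ACLs and other access controls are ignored.
other_can_reach() {
    case "$1" in /*) ;; *) return 1 ;; esac
    d=$(dirname "$1")
    while :; do
        case "$(perm_string "$d")" in
            ?????????[xt]) ;;
            *) return 1 ;;
        esac
        if [ "$d" = "/" ]; then return 0; fi
        d=$(dirname "$d")
    done
}

# audit_path PATHSTRING: one line per entry with both results and reachability.
audit_path() {
    old_ifs=$IFS; IFS=:; set -f
    set -- $1
    IFS=$old_ifs; set +f
    for entry in "$@"; do
        case "$entry" in
            /*) ;;
            *)  echo "${entry:-<empty>} relative-entry"; continue ;;
        esac
        if [ -z "$(perm_string "$entry")" ]; then
            echo "$entry missing"; continue
        fi
        if other_can_reach "$entry"; then reach=yes; else reach=no; fi
        echo "$entry stig=$(stig_check "$entry") fedora=$(fedora_check "$entry") reach=$reach"
    done
}

# path_result CHECK PATHSTRING: "false" if any entry fails CHECK, else "true".
path_result() {
    if audit_path "$2" | grep " $1=false" >/dev/null; then echo false; else echo true; fi
}

# Audit the PATH given as the first argument, or the current PATH.
audit_path "${1:-$PATH}"
```

For the '/root/bin' case above with mode 0777 under a 0750 '/root', the line would read stig=false fedora=false reach=no, which keeps the failed check and the parent-directory observation side by side in one report.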

You should also review the CIS Oracle Solaris 11.1 Benchmark v1.0.0 and the CIS Red Hat Enterprise Linux 6 Benchmark v1.2.0 to see that they both have the same entry to 'Ensure root PATH Integrity (Scored)' that has an audit section showing script commands that step through multiple potential security compliance issues to check. It is a common practice to combine similar checks in a group, but you may need to parse out the results to obtain a discrete value for a singular check.

As an additional consideration, let's shift our focus away from the differences within OVAL compliance definitions, to the different operating systems that the SCAP content was originally written for. For this part of our testing we start up an Oracle Solaris 11.1 X86 instance running on a VM to demonstrate the OpenSCAP tests with the same OVAL compliance checks:

root@sol11:/root# pkg install security/compliance/openscap

root@sol11:/root# ls -ldL `echo $PATH | tr ':' '\n'`
drwxr-xr-x   4 root     bin         1126 Jan  2 14:05 /usr/bin
drwxr-xr-x   4 root     bin          445 Jan  2 13:54 /usr/sbin
root@sol11:/root# oscap oval eval GEN000960.xml
Definition oval:mil.disa.fso.rhel:def:77: true
Evaluation done.
root@sol11:/root# oscap oval eval fedora-accounts_root_path_dirs_no_write.xml
Definition oval:org.open-scap.f14:def:200855: true
Evaluation done.
root@sol11:/root# export PATH=$PATH:/tmp
root@sol11:/root# ls -ldL `echo $PATH | tr ':' '\n'`
drwxrwxrwt   5 root     sys          432 Jan  2 14:09 /tmp
drwxr-xr-x   4 root     bin         1126 Jan  2 14:05 /usr/bin
drwxr-xr-x   4 root     bin          445 Jan  2 13:54 /usr/sbin
root@sol11:/root# oscap oval eval GEN000960.xml
Definition oval:mil.disa.fso.rhel:def:77: false
Evaluation done.
root@sol11:/root# oscap oval eval fedora-accounts_root_path_dirs_no_write.xml
Definition oval:org.open-scap.f14:def:200855: false
Evaluation done.
root@sol11:/root#

Now let's repeat the same OpenSCAP checks with a non-root user account:

admin@sol11:~$ ls -ldL `echo $PATH | tr ':' '\n'`
drwxr-xr-x   4 root     bin         1126 Jan  2 14:05 /usr/bin
drwxr-xr-x   4 root     bin          445 Jan  2 13:54 /usr/sbin
admin@sol11:~$ oscap oval eval GEN000960.xml
Definition oval:mil.disa.fso.rhel:def:77: true
Evaluation done.
admin@sol11:~$ oscap oval eval fedora-accounts_root_path_dirs_no_write.xml
Definition oval:org.open-scap.f14:def:200855: true
Evaluation done.
admin@sol11:~$ export PATH=$PATH:/tmp
admin@sol11:~$ ls -ldL `echo $PATH | tr ':' '\n'`
drwxrwxrwt   5 root     sys          432 Jan  2 14:09 /tmp
drwxr-xr-x   4 root     bin         1126 Jan  2 14:05 /usr/bin
drwxr-xr-x   4 root     bin          445 Jan  2 13:54 /usr/sbin
admin@sol11:~$ oscap oval eval GEN000960.xml
Definition oval:mil.disa.fso.rhel:def:77: false
Evaluation done.
admin@sol11:~$ oscap oval eval fedora-accounts_root_path_dirs_no_write.xml
Definition oval:org.open-scap.f14:def:200855: false
Evaluation done.
admin@sol11:~$

We have discovered some additional interesting considerations when reviewing the OpenSCAP results executed on Oracle Solaris:

    The OVAL content appears to also work on Oracle Solaris 11.1
    The OVAL check is on the current PATH environment variable
    The OVAL check is for the current user shell or cron(1M) process running oscap(8)
    The OVAL check does not look for scripts that set the PATH for application run time environments
    The OVAL check does not account for more sophisticated access control technology

To further our understanding of the OVAL content, we decided to run the jOVAL tool which is not included with Oracle Solaris:

admin@sol11:~$ echo $PATH
/usr/bin:/usr/sbin:/tmp
admin@sol11:~$ /usr/share/jOVAL/jovaldi -l 1 -m -o GEN000960.xml

----------------------------------------------------
jOVAL Definition Interpreter
Version: 5.10.1.2
Build date: Thursday, January  2, 2014 04:46:39 PM PST
Copyright (c) 2011-2013 - jOVAL.org

Plugin: Default Plugin
Version: 5.10.1.2
Copyright (C) 2011-2013 - jOVAL.org
----------------------------------------------------

Start Time: Fri Jan 02 16:50:05 2014

 ** parsing /home/admin/GEN000960.xml
     - validating xml schema.
 ** checking schema version
     - Schema version - 5.4
 ** skipping Schematron validation
 ** creating a new OVAL System Characteristics file.
 ** gathering data for the OVAL definitions.
      Collecting object:  FINISHED                      
 ** saving data model to system-characteristics.xml.
 ** skipping Schematron validation
 ** running the OVAL Definition analysis.
      Analyzing definition:  FINISHED                    
 ** OVAL definition results.

    OVAL Id                                 Result
    -------------------------------------------------------
    oval:mil.disa.fso.rhel:def:77           true
    -------------------------------------------------------


 ** finished evaluating OVAL definitions.

 ** saving OVAL results to results.xml.
 ** skipping Schematron validation
 ** running OVAL Results xsl: /usr/share/jOVAL/xml/results_to_html.xsl.

----------------------------------------------------
admin@sol11:~$ echo $PATH
/usr/bin:/usr/sbin:/tmp
admin@sol11:~$ /usr/share/jOVAL/jovaldi -l 1 -m -o fedora-accounts_root_path_dirs_no_write.xml

----------------------------------------------------
jOVAL Definition Interpreter
Version: 5.10.1.2
Build date: Thursday, January  2, 2014 04:46:39 PM PST
Copyright (c) 2011-2013 - jOVAL.org

Plugin: Default Plugin
Version: 5.10.1.2
Copyright (C) 2011-2013 - jOVAL.org
----------------------------------------------------

Start Time: Fri Jan 02 16:50:30 2014

 ** parsing /home/admin/fedora-accounts_root_path_dirs_no_write.xml
     - validating xml schema.
 ** checking schema version
     - Schema version - 5.5
 ** skipping Schematron validation
 ** creating a new OVAL System Characteristics file.
 ** gathering data for the OVAL definitions.
      Collecting object:  FINISHED                         
 ** saving data model to system-characteristics.xml.
 ** skipping Schematron validation
 ** running the OVAL Definition analysis.
      Analyzing definition:  FINISHED                        
 ** OVAL definition results.

    OVAL Id                                 Result
    -------------------------------------------------------
    oval:org.open-scap.f14:def:200855       false
    -------------------------------------------------------


 ** finished evaluating OVAL definitions.

 ** saving OVAL results to results.xml.
 ** skipping Schematron validation
 ** running OVAL Results xsl: /usr/share/jOVAL/xml/results_to_html.xsl.

----------------------------------------------------
admin@sol11:~$
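
In the sessions above, oscap and jovaldi report different results for oval:mil.disa.fso.rhel:def:77 with /tmp in the PATH. The following added example (not part of the original post or of either tool) normalises both console formats and lists the definitions on which two runs disagree, plus any result that is neither true nor false. The sample lines are copied from the sessions above and the function names are this example's own.

```shell
#!/bin/sh
# Added example: compares console results from oscap(8) and jovaldi for the
# same OVAL definitions. Function names are this example's own.

# normalize_results TAG: reads interpreter console output on stdin and prints
# "TAG<TAB>definition-id<TAB>result" for every result line it recognises.
normalize_results() {
    awk -v tag="$1" '
        # oscap:   "Definition <id>: <result>"
        $1 == "Definition" && $2 ~ /^oval:.*:def:[0-9]+:$/ {
            id = $2; sub(/:$/, "", id)
            res = $3; for (i = 4; i <= NF; i++) res = res " " $i
            print tag "\t" id "\t" res; next
        }
        # jovaldi: "<id>   <result>" rows of the results table
        $1 ~ /^oval:.*:def:[0-9]+$/ && NF >= 2 {
            res = $2; for (i = 3; i <= NF; i++) res = res " " $i
            print tag "\t" $1 "\t" res
        }'
}

# needs_review: reads console output on stdin and lists definitions whose
# result is error, unknown, not applicable or not evaluated.
needs_review() {
    normalize_results X |
    awk -F'\t' '$3 != "true" && $3 != "false" { print $2 ": " $3 }'
}

# compare_results FILE_A FILE_B: prints "<id>: <a> vs <b>" for each definition
# present in both files with different results; returns 1 on any disagreement.
compare_results() {
    { normalize_results A <"$1"; normalize_results B <"$2"; } |
    awk -F'\t' '
        $1 == "A" { a[$2] = $3 }
        $1 == "B" { b[$2] = $3 }
        END {
            for (id in a)
                if ((id in b) && a[id] != b[id]) {
                    print id ": " a[id] " vs " b[id]; bad = 1
                }
            exit bad + 0
        }'
}

# Sample input copied from the admin@sol11 sessions above (PATH includes /tmp).
sample_oscap() {
    cat <<'EOF'
Definition oval:mil.disa.fso.rhel:def:77: false
Evaluation done.
Definition oval:org.open-scap.f14:def:200855: false
Evaluation done.
EOF
}

sample_jovaldi() {
    cat <<'EOF'
 ** OVAL definition results.

    OVAL Id                                 Result
    -------------------------------------------------------
    oval:mil.disa.fso.rhel:def:77           true
    -------------------------------------------------------
    oval:org.open-scap.f14:def:200855       false
 ** finished evaluating OVAL definitions.
EOF
}

# demo_compare: runs the comparison over the two samples.
demo_compare() {
    a=$(mktemp); b=$(mktemp)
    sample_oscap >"$a"; sample_jovaldi >"$b"
    rc=0
    compare_results "$a" "$b" || rc=$?
    rm -f "$a" "$b"
    return $rc
}

demo_compare || echo "interpreters disagree; examine the definition and the collected data"
```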

For now, this concludes our initial investigation of OpenSCAP to show the potential effectiveness on Oracle VM Server for x86 with careful consideration of the results you may observe with your SCAP content. You will also want to understand the XCCDF security checklists that are most often used to perform more complete security compliance checks with OpenSCAP in the same way you can check for STIG compliance:

# oscap xccdf eval --profile stig-rhel6-server --report report.html \
   --results results.xml --cpe ssg-rhel6-cpe-dictionary.xml ssg-rhel6-xccdf.xml

We hope that the random security compliance example we chose will help to illustrate that the use of OpenSCAP is not a substitute for adequately proficient expertise for analyzing IT security controls, but it allows for the repetitive checks in your production Oracle VM Servers after you have completed sufficient testing. Please contact your Oracle representatives if you have any questions or place service requests with Oracle Support when you encounter problems.

Finally, please remember that you should report any potential security vulnerabilities in Oracle products following the instructions found here.

Wednesday Oct 30, 2013

Oracle Linux and Oracle VM pricing guide

A few days ago someone showed me a pricing guide from a Linux vendor and I was a bit surprised at the complexity of it. Especially when you look at larger servers (4 or 8 sockets) and when adding virtual machine use into the mix.
I think we have a very compelling and simple pricing model for both Oracle Linux and Oracle VM. Let me see if I can explain it in 1 page, not 10 pages.

This pricing information is publicly available on the Oracle store; I am using the current public list prices. Also keep in mind that this is for customers using non-Oracle x86 servers. When a customer purchases an Oracle x86 server, the annual systems support includes full use (all you can eat) of Oracle Linux, Oracle VM and Oracle Solaris (no matter how many VMs you run on that server, in case you deploy guests on a hypervisor). This support level is the equivalent of premier support in the list below.

Let's start with Oracle VM (x86) :
Oracle VM support subscriptions are per physical server on which you deploy the Oracle VM Server product.

  • (1) Oracle VM Premier Limited -> 1- or 2 socket server : $599 per server per year
  • (2) Oracle VM Premier -> more than 2 socket server (4, or 8 or whatever more) : $1199 per server per year

  • The above includes the use of Oracle VM Manager and Oracle Enterprise Manager Cloud Control's Virtualization management pack (including self service cloud portal, etc..)

    24x7 support, access to bugfixes, updates and new releases. It also includes all options, live migrate, dynamic resource scheduling, high availability, dynamic power management, etc

    If you want to play with the product, or even use the product without access to support services, the product is freely downloadable from edelivery.

    Next, Oracle Linux :
    Oracle Linux support subscriptions are per physical server.
    If you plan to run Oracle Linux as a guest on Oracle VM, VMWare or Hyper-v, you only have to pay for a single subscription per system, we do not charge per guest or per number of guests. In other words, you can run any number of Oracle Linux guests per physical server and count it as just a single subscription.

  • (1) Oracle Linux Network Support -> any number of sockets per server : $119 per server per year
  • Network support does not offer support services. It provides access to the Unbreakable Linux Network and also offers full indemnification for Oracle Linux.

  • (2) Oracle Linux Basic Limited Support -> 1- or 2 socket servers : $499 per server per year
  • This subscription provides 24x7 support services, access to the Unbreakable Linux Network and the Oracle Support portal, indemnification, use of Oracle Clusterware for Linux HA and use of Oracle Enterprise Manager Cloud control for Linux OS management. It includes ocfs2 as a clustered filesystem.

  • (3) Oracle Linux Basic Support -> more than 2 socket server (4, or 8 or more) : $1199 per server per year
  • This subscription provides 24x7 support services, access to the Unbreakable Linux Network and the Oracle Support portal, indemnification, use of Oracle Clusterware for Linux HA and use of Oracle Enterprise Manager Cloud control for Linux OS management. It includes ocfs2 as a clustered filesystem

  • (4) Oracle Linux Premier Limited Support -> 1- or 2 socket servers : $1399 per server per year
  • This subscription provides 24x7 support services, access to the Unbreakable Linux Network and the Oracle Support portal, indemnification, use of Oracle Clusterware for Linux HA and use of Oracle Enterprise Manager Cloud control for Linux OS management, XFS filesystem support. It also offers Oracle Lifetime support, backporting of patches for critical customers in previous versions of package and ksplice zero-downtime updates.

  • (5) Oracle Linux Premier Support -> more than 2 socket servers : $2299 per server per year
  • This subscription provides 24x7 support services, access to the Unbreakable Linux Network and the Oracle Support portal, indemnification, use of Oracle Clusterware for Linux HA and use of Oracle Enterprise Manager Cloud control for Linux OS management, XFS filesystem support. It also offers Oracle Lifetime support, backporting of patches for critical customers in previous versions of package and ksplice zero-downtime updates.

  • (6) Freely available Oracle Linux -> any number of sockets
  • You can freely download Oracle Linux, install it on any number of servers and use it for any reason, without support, without right to use of these extra features like Oracle Clusterware or ksplice, without indemnification. However, you do have full access to all errata as well. Need support? then use options (1)..(5)

    So that's it. Count number of 2 socket boxes, more than 2 socket boxes, decide on basic or premier support level and you are done. You don't have to worry about different levels based on how many virtual instances you deploy or want to deploy. A very simple menu of choices. We offer, inclusive, Linux OS clusterware, Linux OS Management, provisioning and monitoring, cluster filesystem (ocfs), high performance filesystem (xfs), dtrace, ksplice, ofed (infiniband stack for high performance networking). No separate add-on menus.

    NOTE : socket/cpu can have any number of cores. So whether you have a 4,6,8,10 or 12 core CPU doesn't matter, we count the number of physical CPUs.

    Tuesday Aug 27, 2013

    Single Instance/RAC Oracle VM templates update

    Superstar Saar just released a new set of Oracle VM templates. We (Oracle) just released 2 patch sets for the Oracle RDBMS - 11.2.0.4.0 and 11.2.0.2.11 (x86 and x86_64)

    Simultaneously, Saar updated his Oracle VM templates to include these latest patchsets as well for both architectures (x86 and x86_64).

  • 11.2.0.4.0 with OL5
  • 11.2.0.4.0 with OL6
  • 11.2.0.2.11 with OL5
  • 11.2.0.2.11 with OL6
  • These templates can be deployed on Oracle VM using the DeployCluster tool, all you need to do is create a very simple textfile with the parameters.

    All templates default to UEK2 2.6.39-400. The templates can be used to create Single Instance, Single Instance with HA (Oracle Restart) and Oracle RAC databases.

    The options vary from ASM, NFS, OCFS2 for db files, local filesystem, no DB, Clusterware only etc.

    Full stack, download, deploy. Production RDBMS code, Production Oracle Linux.

    http://www.oracle.com/technetwork/server-storage/vm/database-templates-12c-11gr2-1972804.html

    Simple Sample script:

    # cat netconfig.ini 
    NODE1=server3
    NODE1IP=10.0.0.4
    PUBADAP=eth0
    PUBMASK=255.255.255.0
    PUBGW=10.0.0.1
    DOMAINNAME=wimmekes.net  # May be blank
    DNSIP=10.0.0.1  # Starting from 2013 Templates allows multi value
    CLONE_SINGLEINSTANCE=yes  # Setup Single Instance
    

    and then # deploycluster -u admin -p mypassword -H localhost -M mydbvm1 -> done

    Thursday Aug 22, 2013

    A little sample snmp module for Oracle VM Server 3.2

    I was looking at snmp for a few days and decided to put together a little snmp module (extension) that would work on Oracle VM Server (3.2 and up). In 3.2 we started to include the net-snmp rpms to allow customers to monitor any given Oracle VM server with standard SNMP tools. Whether that be cacti, snmpwalk, even Oracle Enterprise Manager (snmp fetchlets) or whatever tool. The standard net-snmp installation will expose MIBs and return data pretty much exactly the same as what you would get when installing net-snmp on Oracle Linux and monitoring an Oracle Linux server.

    The little snmp module I added exposes a few extra Oracle VM specific objects. To start with I basically looked at the data you can see on the local console of the server (version, cluster state, management uuid,...). I created a custom MIB (falls in the oracle enterprise oid range ( 1.3.6.1.4.1.111.57.1.1 – 1.3.6.1.4.1.111.57.1.13 )) and packaged it all up in a little RPM (ovs-snmp.rpm) that can be installed in dom0.

    ovs-snmp is an extension to net-snmp. It is a dynamically loadable module that allows extra bits to be monitored in dom0 that are specific to Oracle VM. Once the RPM is installed, snmpd.conf must be updated to load the module at start of snmpd. When you restart the snmpd service, you then have access to an extra MIB.

    This extra MIB is documented in /usr/share/snmp/mibs/OVS-MIB.txt The raw oid range for the OVS extension is from 1.3.6.1.4.1.111.57.1.1 – 1.3.6.1.4.1.111.57.1.13. The module also contains a trap at 1.3.6.1.4.1.111.57.2.0. The trap is defined around ovsAgentState (Running/Stopped) and will allow an admin to monitor the state of the Oracle VM Server agent which is a critical component of every server installed and get a notification from the snmpd.

    If you copy the OVS-MIB.txt file over to another regular server and put the file in the same directory (/usr/share/snmp/mibs) then you can use the text version instead of the raw oid numbers. For instance : 1.3.6.1.4.1.111.57.1.1 is the same as : ORACLE-OVS-MIB::ovsType. This is more humanly readable.

    The following set of attributes are defined in the MIB :

    ovsType           : Oracle VM Server
    ovsVersion        : Version of Oracle VM Server installed
    ovsMaster         : Master node in serverpool?
    ovsClusterState   : Cluster configured / online?
    ovsClusterType    : NFS or Lun based
    ovsClusterStorage : the nfs mount or lun used for the server pool filesystem
    ovsManagerUUID    : UUID of the Oracle VM Manager instance
    ovsServerpoolName : serverpool name this server is a member of (or None)
    ovsServerpoolIP   : Virtual IP address of the serverpool master
    ovsAgentState     : Agent running or stopped
    ovsFreeMemory     : free memory available for Virtual Machines on this server
    ovsHostname       : hostname as known by the Oracle VM Manager instance
    
    vmTable           : table with an index listing all the currently running VMs
                        columns -> vmIndex, vmType
    

    example snmpd.conf file:

    # more /etc/snmp/snmpd.conf
    rocommunity public
    syslocation "hq"
    dlmod ovs /usr/lib64/ovs-snmp/ovs.so
    

    Some examples :

    # snmpwalk -v 1 -c public -O e localhost ORACLE-OVS-MIB::ovsAgentState
    ORACLE-OVS-MIB::ovsAgentState.0 = STRING: Running
    # snmpwalk -v 1 -c public -O e localhost 1.3.6.1.4.1.111.57.1.1
    SNMPv2-SMI::enterprises.111.57.1.1.0 = STRING: "Oracle VM Server
    "
    
    You can download the rpm from MOS, bug number is 17344092. At this point it's provided as-is, tech preview. Once I get some feedback on it we will consider integrating this.

    have fun

    Wednesday Aug 07, 2013

    Oracle VM templates for Database 12c 12.1.0.1.0 both single instance and rac

    Today we made available a few new Oracle VM templates on edelivery. A set of VM templates for database 12c and another set for database 11g 11.2.0.3.7.

    You can find more information on the otn pages here.

    A very important new feature added is the ability to deploy single instance database. In the past the database templates were focused on RAC deployments (Real Application Cluster) but because of popular demand, we also added support for Single Instance. With Single Instance you can really create a new VM with the database up and running in a matter of a few (very few) minutes, and with a very simple config file.

    Example config file for single instance :

    $ cat netconfig.ini 
    NODE1=dbsingle1
    NODE1IP=192.168.1.72
    PUBADAP=eth0
    PUBMASK=255.255.255.0
    PUBGW=192.168.1.1
    DOMAINNAME=wimmekes.net  # May be blank
    DNSIP=8.8.8.8  # Starting from 2013 Templates allows multi value
    CLONE_SINGLEINSTANCE=yes  # Setup Single Instance
    

    That's literally it. You don't need to do anything other than run a few Oracle VM CLI or UI commands and run deploycluster and you're all set. After a few minutes, the VM will be pingable and you can run sqlplus against the database running inside the VM.

    If you use the CLI, here is a sample workflow :

  • import the template
  • - importtemplate repository name=[reponame] url=[http://myurl/template.tbz] server=[servername]
  • create vm from template
  • - clone vm name=[templatename] destType=Vm destName=[vmname] serverpool=[serverpoolname]
  • Create new vnic
  • - create vnic name=[macaddress] network=[network] (list network, will show you the various networks)
  • remove old vnics (you could rename one or alter one but to simplify I just remove the old vnics of the cloned vm and add the newly created one)
  • - remove vnic name=[macaddr] from vm name=[vmname]
    - show vm name=[vmname] to see the attached vnics

    And that's it, now you can use that netconfig.ini example, edit it for your environment and run deploycluster:

    On top of single instance, the templates also expose or give you the ability to easily configure and enable many of the new rdbms 12c functionality :

    - Oracle Flex Cluster and/or Flex ASM, Hub/Leaf nodes
    - Container Database with x number of pluggable databases
    - Database Express
    - ACFS filesystem
    - Oracle Restart (single instance database with HA)
    - local or shared filesystem installs, including OCFS2 and ACFS
    - Admin Managed or Policy managed database creation with serverpools
    - OS kernel updated to the latest uek 2 version 2.6.39-400

    And all of the above are simple parameters in the config files. This can be 100% automated, 100% reproducible and you don't need to know how to configure them all yourself. As always, high quality work by Saar Maoz.

    Production ready, not trial, not using a random OS, all ready to go. Production-ready virtual appliances.

    Tuesday Jun 11, 2013

    ovm_utils 0.6.5

    Finally found some time to play with ovm_utils again and added another little tool to the package.

    ovm_utils is a collection of little tools I wrote over the last year or 2. They can help make command line use a little easier. Of course we have since introduced a real ovm_cli in Oracle VM Manager in 3.1 which is officially part of the product and officially supported. ovm_utils is provided as-is, for fun. If you find them useful, great, if not, oh well :-)

    ovm_logger (there's also a man page as part of the utilities man/man8/...) is a little tool that you can run as a daemon or just as a log dump tool. Oracle VM Manager runs most of its tasks as jobs and handles most responses as events. So we have a joblog and an eventlog in the Oracle VM Manager database. When an action occurs from the UI or if an error gets reported from an agent, these things then create jobs and events. If you run the ovm_logger with -d, it will just start up, open the joblog and eventlog and dump the history to stdout, complete with the timestamp of when it occurred. You probably want to redirect that output to a file because it can be a lot of data.

    If you run ovm_logger by itself, (without -d) then it basically starts logging events and jobs as of the time you start the tool. Any new job or event that occurs from then on, will be displayed, until you cancel the tool, kill it or use ctrl-c.

    Examples :

    ./ovm_logger -u admin -p MyPassword -h localhost -X -d > /tmp/logoutput

    ./ovm_logger -u admin -p MyPassword -h localhost -X

    # ./ovm_logger -u admin -p Manager1 -h localhost -X 
    Oracle VM Log utility 0.6.4.
    Connecting with a secure connection.
    Connected.
    Tue Jun 11 03:48:34 PDT 2013  Oracle VM Log
    Tue Jun 11 03:48:34 PDT 2013  Oracle VM Manager Version : 3.2.3.521
    Tue Jun 11 03:48:34 PDT 2013  Oracle VM Manager IP      : 192.168.1.5
    Tue Jun 11 03:48:34 PDT 2013  Oracle VM Manager UUID    : 0004fb0000010000b66b471827b0b09d
    Tue Jun 11 03:49:04 PDT 2013  Job - Rediscover Server wcoekaer-srv1
    Tue Jun 11 03:49:29 PDT 2013  Job - Refresh File Server srv4nfs
    Tue Jun 11 03:49:39 PDT 2013  Job - Start Virtual Machine ol6u3apitest
    Tue Jun 11 03:49:54 PDT 2013  Event - Job Aborted
    Tue Jun 11 03:49:54 PDT 2013  (06/11/2013 03:49:51:970 AM)
    Due to Abort by user: admin
    Tue Jun 11 03:49:54 PDT 2013  Job - Discover Server thisonedoesntexist
    Tue Jun 11 03:49:54 PDT 2013  []
    Tue Jun 11 03:50:29 PDT 2013  Event - Job Internal Error (Operation)
    Tue Jun 11 03:50:29 PDT 2013  (06/11/2013 03:50:26:420 AM)
    OVMAPI_4010E Attempt to send command: get_api_version to server: 192.168.1.10 failed. OVMAPI_4004E Server Failed Command: get_api_version , Status: org.apache.xmlrpc.XmlRpcException: I/O error while communicating with HTTP server: Connection refused [Tue Jun 11 03:50:26 PDT 2013] [Tue Jun 11 03:50:26 PDT 2013]
    Tue Jun 11 03:50:29 PDT 2013  Job - Discover Server wcoekaer-srv3
    < Tue Jun 11 03:50:29 PDT 2013  [{OPERATION_NAME=Discover Manager Server Discover, JOB_STEP=Commit, SERVER_NAME=Unknown, EXIT_STATUS=Failed:OVMAPI_4010E Attempt to send command: get_api_version to server: 192.168.1.10 failed. OVMAPI_4004E Server Failed Command: get_api_version , Status: org.apache.xmlrpc.XmlRpcException: I/O error while communicating with HTTP server: Connection refused [Tue Jun 11 03:50:26 PDT 2013] [Tue Jun 11 03:50:26 PDT 2013], MANAGED_OBJECT_NAME=OVM Foundry : Discover Manager<235>}, {OPERATION_NAME=Discover Manager Server Discover, JOB_STEP=Rollback, SERVER_NAME=Unknown, EXIT_STATUS=DONE, MANAGED_OBJECT_NAME=OVM Foundry : Discover Manager<235>}]
    
    

    Anyway it's simple but it helps to easily do some form of audit on operations that happened and highlights errors in red.
    have fun...
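
    For the audit use described above, the captured output can be turned into records and filtered for aborts and errors. This is an added example in Python 3, not part of ovm_utils; the record layout (a "Job - " or "Event - " line followed by detail lines) is inferred from the sample output above, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Lines copied from the ovm_logger output shown in the post (error text shortened).
SAMPLE = """\
Oracle VM Log utility 0.6.4.
Connecting with a secure connection.
Connected.
Tue Jun 11 03:48:34 PDT 2013  Oracle VM Log
Tue Jun 11 03:49:04 PDT 2013  Job - Rediscover Server wcoekaer-srv1
Tue Jun 11 03:49:39 PDT 2013  Job - Start Virtual Machine ol6u3apitest
Tue Jun 11 03:49:54 PDT 2013  Event - Job Aborted
Tue Jun 11 03:49:54 PDT 2013  (06/11/2013 03:49:51:970 AM)
Due to Abort by user: admin
Tue Jun 11 03:49:54 PDT 2013  Job - Discover Server thisonedoesntexist
Tue Jun 11 03:49:54 PDT 2013  []
Tue Jun 11 03:50:29 PDT 2013  Event - Job Internal Error (Operation)
Tue Jun 11 03:50:29 PDT 2013  (06/11/2013 03:50:26:420 AM)
OVMAPI_4010E Attempt to send command: get_api_version to server: 192.168.1.10 failed. OVMAPI_4004E Server Failed Command: get_api_version , Status: org.apache.xmlrpc.XmlRpcException: I/O error while communicating with HTTP server: Connection refused
"""

# "Tue Jun 11 03:48:34 PDT 2013  <text>". The zone abbreviation is captured on
# its own because strptime's %Z does not reliably parse names such as PDT.
LINE_RE = re.compile(
    r"^(?P<dow>\w{3}) (?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<tz>[A-Z]{2,5}) (?P<year>\d{4})  ?(?P<text>.*)$")
RECORD_RE = re.compile(r"^(?P<kind>Job|Event) - (?P<name>.+)$")
ERROR_CODE_RE = re.compile(r"\bOVMAPI_\d+E\b")
ABORT_USER_RE = re.compile(r"Abort by user: (\S+)")


def parse_ovm_log(text):
    """Group ovm_logger output into Job/Event records with their detail lines."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        stamped = LINE_RE.match(line)
        body = stamped.group("text") if stamped else line
        start = RECORD_RE.match(body) if stamped else None
        if start:
            when = datetime.strptime(
                "{mon} {day} {year} {time}".format(**stamped.groupdict()),
                "%b %d %Y %H:%M:%S")
            current = {"time": when, "tz": stamped.group("tz"),
                       "kind": start.group("kind"),
                       "name": start.group("name"), "details": []}
            records.append(current)
        elif current is not None:
            # Stamped or not, a line that opens no record belongs to the last one.
            current["details"].append(body)
        # Lines before the first record (banner, manager version) are skipped.
    return records


def audit_findings(records):
    """Return the events a reviewer should look at: aborts and errors."""
    findings = []
    for rec in records:
        if rec["kind"] != "Event":
            continue
        detail = " ".join(rec["details"])
        if "Aborted" in rec["name"]:
            user = ABORT_USER_RE.search(detail)
            findings.append({"time": rec["time"], "type": "abort",
                             "user": user.group(1) if user else None,
                             "codes": []})
        elif "Error" in rec["name"]:
            findings.append({"time": rec["time"], "type": "error", "user": None,
                             "codes": sorted(set(ERROR_CODE_RE.findall(detail)))})
    return findings


if __name__ == "__main__":
    for f in audit_findings(parse_ovm_log(SAMPLE)):
        print(f["time"].isoformat(), f["type"], f["user"] or "-",
              ",".join(f["codes"]) or "-")
```

    The sample does not show which job an event belongs to, so the code reports events on their own and does not try to pair them with jobs.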

    Sunday Apr 21, 2013

    Importing Oracle VM templates through a proxy

    I am working on a little tool that makes it easy to import an Oracle VM template in a more automated fashion, using python's built-in SimpleHTTPServer. While working on this, I realized that in many environments the Oracle VM Servers might be in an isolated network so that they don't have direct access to the intranet. We're talking about the management network here.

    One simple way around this, is to take one server that's on the same network as the Oracle VM Server's management network, for instance, the Oracle VM Manager system... and install something like TinyProxy on that machine. Then, use that servername as the proxy in Oracle VM Manager when you import a VM, VM Template or VM Assembly.

    TinyProxy can be found in the EPEL repository (http://fedoraproject.org/wiki/EPEL). The tinyproxy RPM will install without issue on Oracle Linux. It is very easy/simple to configure and this can be a good workaround or solution to make it easy to import templates or VMs while the servers are on a more isolated network.

    Tuesday Jan 22, 2013

    oracle vm 3.2.1 released!

    Pleased to announce the release of Oracle VM 3.2.1

    The press release is here. The documentation library can be found here.

    The release notes in the documentation show what's new and also a list of bugs fixed. Here's the summary of what's new :

    The new features and enhancements in Oracle VM Release 3.2.1 include:

    Performance, Scalability and Security

    Support for Oracle VM Server for SPARC: Oracle VM Manager can now be used to discover SPARC servers running Oracle VM Server for SPARC, and perform virtual machine management tasks.

    New Dom0 Kernel in Oracle VM Server for x86: The Dom0 kernel in Oracle VM Server for x86 has been updated so that it is now the same Oracle Unbreakable Enterprise Kernel 2 (UEK2) as used in Oracle Linux, for complete binary compatibility with drivers supported in Oracle Linux. Due to the specialized nature of the Oracle VM Dom0 environment (as opposed to the more general purpose Oracle Linux environment) some Linux drivers may not be appropriate to support in the context of Oracle VM, even if the driver is fully compatible with the UEK2 kernel in Oracle Linux. Do not install any additional drivers unless directed to do so by Oracle Support Services.

    Installation

    MySQL Database Support: MySQL Database is used as the bundled database for the Oracle VM Manager management repository for simple installations. Support for an existing Oracle SE/EE Database is still included within the installer so that you can perform a custom installation to take advantage of your existing infrastructure. Simple installation using the bundled MySQL Database is fully supported within production environments.

    Discontinued inclusion of Oracle XE Databases: Oracle VM Manager no longer bundles the Oracle XE database as a backend database. If you are currently running Oracle VM Manager using Oracle XE and you intend to upgrade you must first migrate your database to Oracle SE or Oracle EE.

    Oracle VM Server Support Tools: A meta-package is provided on the Oracle VM Server ISO enabling you to install packages to assist with support. These packages are not installed automatically as Oracle VM Server does not depend on them. Installation of the meta-package and its dependencies may assist with the resolution of support queries and can be installed at your own discretion. Note that the sudo package was previously installed as a dependency for Oracle VM Server, but that this package has now been made a dependency of the ovs-support-tools meta-package. If you require sudo on your Oracle VM Server installations, you should install the ovs-support-tools meta-package.

    Improved Usability

    Oracle VM Command Line Interface (CLI): The new Oracle VM Command Line Interface can be used to perform the same functions as the Oracle VM Manager Web Interface, such as managing all your server pools, servers and guests. The CLI commands can be scripted and run in conjunction with the Web Interface, thus bringing more flexibility to help you deploy and manage an Oracle VM environment. The CLI supports public-key authentication, allowing users to write scripts without embedding passwords, to facilitate secure remote login to Oracle VM Manager. The CLI also includes a full audit log for all commands executed using the facility. See the Oracle VM Command Line Interface User's Guide for information on using the CLI.

    Accessibility options: Options to display the UI in a more accessible way for screen readers, improve the contrast, or increase the font size. See Oracle VM Manager user interface Accessibility Features for more information.

    Health tab: Monitor the overall health and status of your virtualization environment and view historical statistics such as memory and CPU usage. See Health Tab for information on using the Health tab.

    Multi-select of objects: Select one or more objects to perform an action on multiple objects, for example, upgrading multiple Oracle VM Servers in one step, rather than upgrading them individually. See Multi-Select Functionality for information on using the multi-select feature.

    Search for objects: In many of the tab management panes and in some of the dialog boxes you can search for objects. This is of particular benefit to large deployments with many objects such as virtual machines or Oracle VM Servers. See Name Filters for information on using the search feature.

    Tagging of objects: It is now possible to tag virtual machines, servers and server pool objects within Oracle VM Manager to create logical groupings of items, making it easier to search for objects by tag.

    Alphabetized tables and other UI listings: Items listed in tables and other UI listings are now sorted alphabetically within Oracle VM Manager by default, to make it easier to find objects in larger deployments.

    Present repository to server pools: In addition to presenting a storage repository to individual Oracle VM Servers, you can now present a repository to all Oracle VM Servers in one or more server pools. See Presenting or Unpresenting a Storage Repository for more information.

    OCFS2 timeout configuration: An additional attribute has been added to allow you to determine the timeout in seconds for a cluster when configuring a clustered server pool within Oracle VM Manager.

    NFS refresh servers and access lists for non-uniform exports: For NFS configurations where different server pools are exposed to different exports, it is now possible to configure non-uniform exports and access lists to control how server pool refreshes are performed. For more information on this feature, please see NFS Access Groups for Non-uniform Exports.

    Configure multiple iSCSI access hosts: You can now configure multiple access hosts for iSCSI storage devices.

    Sizes of disks, ISOs and vdisks: Oracle VM Manager now shows the sizes of disks, ISOs and vdisks within the virtual machine edit dialog, to make it easier to select a disk.

    Automated backups and easy restore: Oracle VM Manager installations taking advantage of the bundled MySQL Enterprise Edition Database include fully automated database backups and a quick restore tool that can help with easy database restoration.

    Serial console access: A serial console java applet has been included within Oracle VM Manager to allow serial console access to virtual machines running on both SPARC and x86 hardware. This facility complements the existing VNC-based console access to virtual machines running on x86 hardware.

    Set preferences for recurring jobs: Facilities have been provided within Oracle VM Manager to control the preferences for recurring jobs. These include the ability to enable, disable or set the interval for tasks such as refreshing repositories and file systems; and to control the Yum Update checking task.

    Processor Compatibility Groups: Since virtual machines can only be migrated between servers that use compatible processor types, Oracle VM Manager now provides the ability to define Processor Compatibility Groups to enable you to pick which servers a virtual machine can be migrated between.

    Configure additional Utility and Virtual Machine roles: New roles are now supported on Oracle VM Servers to control the type of functionality that the server will be responsible for. The Virtual Machine role is required in order for an Oracle VM Server to run a virtual machine. Oracle VM Servers configured with the Utility role are favoured for performing operations such as file cloning, importing of templates, the creation of repositories, and other operations not directly related to running a virtual machine.

    Directly import a virtual machine: It is now possible to directly import a virtual machine using Oracle VM Manager, no longer requiring that you first import to a template and then clone.

    Virtual machine start policy: You can now specify a start policy for a virtual machine, determining whether to always start the virtual machine on the server on which it has been placed, or to start the virtual machine on the best possible server in the server pool.

    Hot-add a VNIC to a virtual machine: It is now possible to add a VNIC directly to a running virtual machine from within Oracle VM Manager.

    Send messages to a virtual machine: Facilities have been provided within Oracle VM Manager to send messages directly to a virtual machine in the form of key-value pairs.

    NTP configuration: Ensuring that time is synchronized across all servers is important. Oracle VM Manager now provides a facility to bulk configure NTP across all servers.


    My personal favorites are (1) MySQL as a repository database (2) adding support for SPARC servers running Oracle VM for SPARC in Oracle VM Manager (3) the CLI server (4) Server Utility versus VM server roles (5) cluster timeout configuration (and a better default) (6) direct VM import and (7) serial console for a VM.

    have fun

    Sunday Jan 06, 2013

    oracle vm template config script example

    The programmatic way to extend Oracle VM Template Configure is to build your own module.

    To write your own module, you have to build an RPM that contains a configure script in a specific format, let's go through the steps to do this.

    Oracle VM template configure works very similarly to the init.d and chkconfig script model. For template config we have the /etc/template.d directory, and all the scripts go into /etc/template.d/scripts. Then symlinks are made to other subdirectories based on the type of target the scripts provide. At this point we handle configure and cleanup. When a script/module gets added using ovm-chkconfig, the header of the script is read to verify the name, priority and targets and then a symlink is made to the corresponding subdirectories under /etc/template.d.

    As an example, you have /etc/init.d/sshd which is the main sshd initscript and when sshd is enabled you will find a symlink in /etc/rc3.d/S55sshd to /etc/init.d/sshd. These symlinks are created by chkconfig when you enable or disable a service. The same thing goes for Oracle VM template config and the content of /etc/template.d/scripts. You will see /etc/template.d/scripts/ssh and since ssh (on my system) is enabled for the configure target, I have a symlink to /etc/template.d/configure.d/70ssh.

    Like init.d, the digit in front of the script name specifies the priority at which it should be run.

    The most important and complex part is writing your own script for your own application. Our scripts are in python; theoretically you could write it in a different language, as long as the input, output and argument handling remains the same. The examples here will all be in python. Each script has two main parts: (1) the script header, which contains information like script name, targets, priorities and description, and (2) the actual script, which has to handle a small set of parameters. You can take a look at the existing scripts for examples.

    (1) script header
    Aside from a copyright header that suits your needs, the script headers require a very specific comment block, here is an example :

    ### BEGIN PLUGIN INFO
    # name: network
    # configure: 50
    # cleanup: 50
    # description: Script to configure template network.
    ### END PLUGIN INFO
    

    You have to use the exact same format. Provide your own script name, which will be used when calling ovm-chkconfig, the targets (right now we implement configure and cleanup) and the priority for your script. The priority will specify in what order the scripts get executed. You do not have to implement all targets, if you have a configure target but not cleanup, that is OK, same goes for cleanup versus configure. It is up to you. The configure target gets called when a first boot/initial start of the VM happens, cleanup happens when you manually initiate a cleanup in your VM or when you want to restore the VM to its original state.

    ### BEGIN PLUGIN INFO
    # name: [script name]
    # [target]: [priority]
    # [target]: [priority]
    # description: a description and can
    #   cross multiple lines.
    ### END PLUGIN INFO
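
    To make the header rules concrete, here is a strict parser for the PLUGIN INFO block that also works out the symlinks the header implies. It is an added example in Python 3, not ovm-chkconfig's own code; the file-name rule for the script name, the two-digit priority and the cleanup.d directory name (by analogy with configure.d) are assumptions.

```python
import re

BEGIN, END = "### BEGIN PLUGIN INFO", "### END PLUGIN INFO"
KNOWN_TARGETS = ("configure", "cleanup")   # the targets the post says are implemented
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*\Z")   # assumed: a plain file name
FIELD_RE = re.compile(r"# ([A-Za-z][\w-]*):\s*(.*)\Z")

# Constructed sample; the name and priority match the 70ssh link mentioned above.
SSH_SCRIPT = """\
#!/usr/bin/python
### BEGIN PLUGIN INFO
# name: ssh
# configure: 70
# description: Constructed sample header,
#   with a description that spans two lines.
### END PLUGIN INFO
"""


class HeaderError(ValueError):
    """The PLUGIN INFO block is missing or malformed."""


def parse_plugin_info(script_text):
    """Return {'name', 'targets', 'description'} or raise HeaderError."""
    lines = [line.rstrip() for line in script_text.splitlines()]
    try:
        start = lines.index(BEGIN)
        end = lines.index(END, start + 1)
    except ValueError:
        raise HeaderError("BEGIN/END PLUGIN INFO markers not found")
    info = {"name": None, "targets": {}, "description": None}
    in_description = False
    for line in lines[start + 1:end]:
        field = FIELD_RE.match(line)
        if field:
            key, value = field.groups()
            in_description = key == "description"
            if key == "name":
                # The name ends up in a path under /etc/template.d, so it
                # must not contain a slash or start with a dot.
                if not NAME_RE.match(value):
                    raise HeaderError("unsafe script name: %r" % value)
                info["name"] = value
            elif key == "description":
                info["description"] = value
            elif key in KNOWN_TARGETS and key not in info["targets"]:
                if not re.match(r"\d{1,2}\Z", value):
                    raise HeaderError("bad priority for %s: %r" % (key, value))
                info["targets"][key] = int(value)
            else:
                raise HeaderError("unknown or repeated field: %r" % key)
        elif in_description and re.match(r"#\s+\S", line):
            # Indented comment line: continuation of the description.
            info["description"] += " " + line[1:].strip()
        else:
            raise HeaderError("unexpected header line: %r" % line)
    if info["name"] is None or not info["targets"]:
        raise HeaderError("header needs a name and at least one target")
    return info


def planned_symlinks(info, root="/etc/template.d"):
    """Map each target to (link path, script path), e.g. configure.d/70ssh."""
    script = "%s/scripts/%s" % (root, info["name"])
    return {target: ("%s/%s.d/%02d%s" % (root, target, prio, info["name"]), script)
            for target, prio in sorted(info["targets"].items())}


if __name__ == "__main__":
    parsed = parse_plugin_info(SSH_SCRIPT)
    print(parsed)
    print(planned_symlinks(parsed))
```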
    

    Now for the body of the script. Basically the main requirement is that it accepts a [target] parameter. Let's say we have a script called foo that needs to be run at configure time, then the script (/etc/template.d/scripts) will have to accept and understand handling the parameter configure. If you also want to call it for cleanup, then it has to handle cleanup. You can have your script handle any other arguments, this is totally up to you, they are optional for our purposes. There is one optional parameter which is useful to implement and this is -e or --enumerate. ovm-template-config uses this to be able to enumerate the parameters for a target for your script.

    Here is the firewall example:

    # ovm-template-config --human-readable --enumerate configure --script firewall
    [('41',
      'firewall',
      [{u'description': u'Whether to enable network firewall: True or False.',
        u'hidden': True,
        u'key': u'com.oracle.linux.network.firewall'}])]
    
    and if you run the script manually :

    # ./firewall configure -e
    [{"hidden": true, "description": "Whether to enable network firewall: True or False.", "key": "com.oracle.linux.network.firewall"}]
    

    In other words, the firewall script lists the parameters it expects when run as a configure target.

    Now here is an example of the script body, in python. It implements the configure and cleanup target and handles the enumerate argument. Part of the magic is handled in templateconfig.cli.

    try:
        import json
    except ImportError:
        import simplejson as json
    from templateconfig.cli import main
    
    
    def do_enumerate(target):
        param = []
        if target == 'configure':
            param += []
        elif target == 'cleanup':
            param += []
        return json.dumps(param)
    
    
    def do_configure(param):
        param = json.loads(param)
        return json.dumps(param)
    
    
    def do_unconfigure(param):
        param = json.loads(param)
        return json.dumps(param)
    
    
    def do_cleanup(param):
        param = json.loads(param)
        return json.dumps(param)
    
    
    if __name__ == '__main__':
        main(do_enumerate, {'configure': do_configure, 'cleanup': do_cleanup})
    

    So now you can fill this out with your own parameters and code. Again taking the firewall script as an example, to add expected keys :

    def do_enumerate(target):
        param = []
        if target == 'configure':
            param += [{'key': 'com.oracle.linux.network.firewall',
                       'description': 'Whether to enable network firewall: True or False.',
                       'hidden': True}]
        return json.dumps(param)
    

    The above shows that this script expects the key com.oracle.linux.network.firewall to be set and what the default is, along with a description. Add this for each key/value pair that you expect for your script and then afterwards it is easy to understand what the input to your script needs to be, again by running ovm-template-config.

    To execute actions at configure time, based on values set, here's a do_configure() example:

    def do_configure(param):
        # param arrives as a JSON string holding the key/value pairs sent to the VM
        param = json.loads(param)
        firewall = param.get('com.oracle.linux.network.firewall')
        # shell_cmd is a helper the firewall script uses to run a command line;
        # its import is not part of this excerpt
        if firewall == 'True':
            shell_cmd('service iptables start')
            shell_cmd('service ip6tables start')
            shell_cmd('chkconfig --level 2345 iptables on')
            shell_cmd('chkconfig --level 2345 ip6tables on')
        elif firewall == 'False':
            shell_cmd('service iptables stop')
            shell_cmd('service ip6tables stop')
            shell_cmd('chkconfig --level 2345 iptables off')
            shell_cmd('chkconfig --level 2345 ip6tables off')
        # any other value, or a missing key, leaves the firewall as it is
        return json.dumps(param)
    

    When the script is called, you can use param.get() to retrieve key/value variables and then just make use of it. Just like in the firewall example, you can do whatever you want, call out other commands, add more python code, it's up to you...

    It is also possible to alter keys or add new keys which then get sent back. So if you want your script to communicate values back which can be retrieved later through the manager API, for instance with ovm_vmmessage -q, you can simply do this:

    param['key'] = 'some value'
    

    Key can be an existing key, or a new one.
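
    The values a script receives are plain strings sent to the VM, and the script acts on them at first boot, so it pays to validate them before any command is built. Below is an added example in Python 3 (not the firewall or network script shipped with ovm-template-config) that rejects unexpected values, runs commands as argument lists so no shell parses them, and reports the outcome through a returned key; STATUS_KEY, plan_commands and the use of the hostname command are assumptions made for illustration.

```python
import json
import re
import subprocess

FIREWALL_KEY = "com.oracle.linux.network.firewall"   # key from the post
HOSTNAME_KEY = "com.oracle.linux.network.hostname"   # key from the enumerate output
STATUS_KEY = "com.example.hardened.status"           # hypothetical key sent back

# Host name made of dot-separated labels (letters, digits, inner hyphens).
# \Z instead of $ so that a trailing newline does not slip through.
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}\Z)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\Z")


def do_enumerate(target):
    param = []
    if target == "configure":
        param += [{"key": FIREWALL_KEY, "hidden": True,
                   "description": "Whether to enable network firewall: True or False."},
                  {"key": HOSTNAME_KEY,
                   "description": 'System host name, e.g., "localhost.localdomain".'}]
    return json.dumps(param)


def plan_commands(param):
    """Validate the received values; return (list of argv lists, list of errors)."""
    commands, errors = [], []
    firewall = param.get(FIREWALL_KEY)
    if firewall in ("True", "False"):
        action, state = ("start", "on") if firewall == "True" else ("stop", "off")
        for svc in ("iptables", "ip6tables"):
            commands.append(["service", svc, action])
        for svc in ("iptables", "ip6tables"):
            commands.append(["chkconfig", "--level", "2345", svc, state])
    elif firewall is not None:
        errors.append("%s: expected 'True' or 'False'" % FIREWALL_KEY)
    hostname = param.get(HOSTNAME_KEY)
    if hostname is not None:
        if isinstance(hostname, str) and HOSTNAME_RE.match(hostname):
            commands.append(["hostname", hostname])
        else:
            # The rejected value is not echoed back into the status text.
            errors.append("%s: not a valid host name" % HOSTNAME_KEY)
    return commands, errors


def do_configure(param, run=subprocess.check_call):
    param = json.loads(param)
    commands, errors = plan_commands(param)
    if errors:
        # Refuse the whole request: nothing runs on partially valid input.
        param[STATUS_KEY] = "rejected: " + "; ".join(errors)
        return json.dumps(param)
    for argv in commands:
        run(argv)   # argument list, so the values never pass through a shell
    param[STATUS_KEY] = "applied %d commands" % len(commands)
    return json.dumps(param)


if __name__ == "__main__":
    try:
        from templateconfig.cli import main   # as in the post; present inside the VM
    except ImportError:
        # Outside a template VM: show what would run for a constructed input.
        demo = json.dumps({FIREWALL_KEY: "True", HOSTNAME_KEY: "db1.example.com"})
        print(do_configure(demo, run=lambda argv: print(" ".join(argv))))
    else:
        main(do_enumerate, {"configure": do_configure})
```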

    And that's really it... for the script. Next up is packaging.

    In order to install and configure these template configure scripts, they have to be packaged in an RPM, with a specific naming convention. Package the script(s), there can be more than one, as ovm-template-config-[scriptname]. Ideally in the post install of the RPM you want to add the script automatically. Execute # /usr/sbin/ovm-chkconfig --add [scriptname]. When de-installing a script/RPM, remove it at un-install time, # /usr/sbin/ovm-chkconfig --del [scriptname].

    Here is an example of an RPM spec file that can be used:

    Name: ovm-template-config-example
    Version: 3.0
    Release: 1%{?dist}
    Summary: Oracle VM template example configuration script.
    Group: Applications/System
    License: GPL
    URL: http://www.oracle.com/virtualization
    Source0: %{name}-%{version}.tar.gz
    BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
    BuildArch: noarch
    Requires: ovm-template-config
    
    %description
    Oracle VM template example configuration script.
    
    %prep
    %setup -q
    
    %install
    rm -rf $RPM_BUILD_ROOT
    make install DESTDIR=$RPM_BUILD_ROOT
    
    %clean
    rm -rf $RPM_BUILD_ROOT
    
    %post
    if [ $1 = 1 ]; then
        /usr/sbin/ovm-chkconfig --add example
    fi
    
    %preun
    if [ $1 = 0 ]; then
        /usr/sbin/ovm-chkconfig --del example
    fi
    
    %files
    %defattr(-,root,root,-)
    %{_sysconfdir}/template.d/scripts/example
    
    %changelog
    * Tue Mar 22 2011 Zhigang Wang  - 3.0-1
    - Initial build.
    

    Modify the content to your liking, change the name example to your script name, and add whatever other dependencies you might have or whatever files need to be bundled along with this. If you want to bundle executables or scripts that live in other locations, that's allowed. As you can see from the spec file, it automatically calls ovm-chkconfig --add and --del at post-install and pre-uninstall time of the RPM.

    In order to create RPMs, you have to install rpmbuild, # yum install rpm-build.

    To make it easy, here's a Makefile you can use and help automate all of this :

    DESTDIR=
    PACKAGE=ovm-template-config-example
    VERSION=3.0
    
    help:
    	@echo 'Commonly used make targets:'
    	@echo '  install    - install program'
    	@echo '  dist       - create a source tarball'
    	@echo '  rpm        - build RPM packages'
    	@echo '  clean      - remove files created by other targets'
    
    dist: clean
    	mkdir $(PACKAGE)-$(VERSION)
    	tar -cSp --to-stdout --exclude .svn --exclude .hg --exclude .hgignore \
    	    --exclude $(PACKAGE)-$(VERSION) * | tar -x -C $(PACKAGE)-$(VERSION)
    	tar -czSpf $(PACKAGE)-$(VERSION).tar.gz $(PACKAGE)-$(VERSION)
    	rm -rf $(PACKAGE)-$(VERSION)
    
    install:
    	install -D example $(DESTDIR)/etc/template.d/scripts/example
    
    rpm: dist
    	rpmbuild -ta $(PACKAGE)-$(VERSION).tar.gz
    
    clean:
    	rm -fr $(PACKAGE)-$(VERSION)
    	find . -name '*.py[cdo]' -exec rm -f '{}' ';'
    	rm -f *.tar.gz
    
    .PHONY: dist install rpm clean
    

    Create a directory, copy over your script, the spec file and this Makefile. Run # make dist, to create a src tarball of your code and then # make rpm. This will generate an RPM in the RPMS/noarch directory. For instance: /root/rpmbuild/RPMS/noarch/ovm-template-config-test-3.0-1.el6.noarch.rpm

    Next you can take this RPM and install it on a target system.

    # rpm -ivh  /root/rpmbuild/RPMS/noarch/ovm-template-config-test-3.0-1.el6.noarch.rpm
    Preparing...                ########################################### [100%]
       1:ovm-template-config-tes########################################### [100%]
    

    And as you can see, it's added to the ovm-chkconfig list :

    # ovm-chkconfig --list|grep test
    test                 on:75       off         off         on:25       off         off         off         off
    

    One point of caution : the configure scripts get executed very early on in the bootstage. ovmd is executed as S00ovmd. This is well before many other services are (1) configured, (2) running. So if your product requires services like network connectivity or others to be up and running, then you have to split up the configuration into two parts. First, use the above to gather configuration data remotely, store it in a way that you can use it, and then add your own /etc/init.d scripts which can take this data afterwards. So you can have your own init scripts executed at a late stage when the services you depend on are available.

    That's really all there is to it. Thanks to Zhigang for example code I have used here.

    Saturday Jan 05, 2013

    Using Oracle VM messages to configure a Virtual Machine.

    In the previous blog entry, I walked through the steps on how to set up a VM with the necessary packages to enable Oracle VM template configuration. The template configuration scripts are add-ons one can install inside a VM running in an Oracle VM 3 environment. Once installed, it is possible to enable the configuration scripts and shutdown the VM so that after cloning or reboot, we go through an initial setup dialog.

    At startup time, if ovmd is enabled, it will start executing configuration scripts that need input to configure and continue. It is possible to send this configuration data through the virtual console of the VM or through the Oracle VM API. To use the Oracle VM API to send configuration messages, you have two options :

    (1) use the Oracle VM CLI. As of Oracle VM 3.1, we include an Oracle VM CLI server by default when installing Oracle VM Manager. This process starts on port 10000 on the Oracle VM Manager node and acts as an ssh server. You can log into this cli using the admin username/password and then execute cli commands.

    # ssh admin@localhost -p 10000
    admin@localhost's password: 
    OVM> sendVmMessage Vm name=ol6u3apitest key=foo message=bar log=no
    Command: sendVmMessage Vm name=ol6u3apitest key=foo message=bar log=no
    Status: Success
    Time: 2012-12-27 09:04:29,890 PST
    

    The cli command for sending a message is sendVmMessage Vm name=[vmname] key=[key] message=[value]

    If you do not want to log the output of the commands then add log=no

    (2) use the Oracle VM utilities. If you install the Oracle VM Utilities, see here to get started, then :

    # ./ovm_vmmessage -u admin -p ######## -h localhost -v ol6u3apitest -k foo -V bar
    Oracle VM VM Message utility 0.5.2.
    Connected.
    VM : 'ol6u3apitest' has status :  Running.
    Sending message.
    Message sent successfully.
    

    The ovm_vmmessage command connects to Oracle VM Manager and sends a key/value pair to the VM you select.

    ovm_vmmessage -u [adminuser] -p [adminpassword] -h [managernode] -v [vmname] -k [key] -V [value]

    These two commands basically allow the admin user to send simple key - value pair messages to a given VM. This is the basic mechanism we rely on to remotely configure a VM using the Oracle VM template config scripts.

    For the template configuration we provide, and depending on the scripts you installed, there is a well-defined set of variables (keys) that you can set, listed below. In our scripts we have one variable that is required and this has to be set/sent at the end of the configuration. This is configuring the root password. Everything else is optional. Sending the root password variable triggers the reconfiguration to execute. As an example, if you install the ovm-template-config-selinux package, then part of the configuration can be to set the SELinux mode. The variable is com.oracle.linux.selinux.mode and the values can be enforcing, permissive or disabled. So to set the value of SELinux, you basically send a message with key com.oracle.linux.selinux.mode and value enforcing (or another of the listed values).

    # ./ovm_vmmessage -u admin -p ######## -h localhost -v ol6u3apitest \
            -k com.oracle.linux.selinux.mode -V enforcing
    

    Do this for every variable you want to define and at the end send the root password.

    # ./ovm_vmmessage -u admin -p ######## -h localhost -v ol6u3apitest \
            -k com.oracle.linux.root-password -V "mypassword"
    

    Once the above message gets sent, the ovm-template-config scripts will set up all the values and the VM will end up in a configured state. You can use this to send ssh keys, set up extra users, configure the virtual network devices etc.. To get the list of configuration variables just run # ovm-template-config --human-readable --enumerate configure and it will list the variables with a description like below.

    It is also possible to selectively enable and disable scripts. This works very similarly to chkconfig. # ovm-chkconfig --list will show which scripts/modules are registered and whether they are enabled to run at configure time and/or cleanup time. At this point, the other options are not implemented (suspend/resume/..). If you have installed datetime but do not want to have it run or be an option, then a simple # ovm-chkconfig --target configure datetime off will disable it. This allows you, for each VM or template, to selectively enable or disable configuration options. If you disable a module then the output of ovm-template-config will reflect those changes.

    The next blog entry will talk about how to make generic use of the VM message API and possibly extend the ovm-template-configure modules for your own applications.

    [('30',
      'selinux',
      [{u'description': u'SELinux mode: enforcing, permissive or disabled.',
        u'hidden': True,
        u'key': u'com.oracle.linux.selinux.mode'}]),
     ('41',
      'firewall',
      [{u'description': u'Whether to enable network firewall: True or False.',
        u'hidden': True,
        u'key': u'com.oracle.linux.network.firewall'}]),
     ('50',
      'datetime',
      [{u'description': u'System date and time in format year-month-day-hour-minute-second, e.g., "2011-4-7-9-2-42".',
        u'hidden': True,
        u'key': u'com.oracle.linux.datetime.datetime'},
       {u'description': u'System time zone, e.g., "America/New_York".',
        u'hidden': True,
        u'key': u'com.oracle.linux.datetime.timezone'},
       {u'description': u'Whether to keep hardware clock in UTC: True or False.',
        u'hidden': True,
        u'key': u'com.oracle.linux.datetime.utc'},
       {u'description': u'Whether to enable NTP service: True or False.',
        u'hidden': True,
        u'key': u'com.oracle.linux.datetime.ntp'},
       {u'description': u'NTP servers separated by comma, e.g., "time.example.com,0.example.pool.ntp.org".',
        u'hidden': True,
        u'key': u'com.oracle.linux.datetime.ntp-servers'},
       {u'description': u'Whether to enable NTP local time source: True or False.',
        u'hidden': True,
        u'key': u'com.oracle.linux.datetime.ntp-local-time-source'}]),
     ('50',
      'network',
      [{u'description': u'System host name, e.g., "localhost.localdomain".',
        u'key': u'com.oracle.linux.network.hostname'},
       {u'description': u'Hostname entry for /etc/hosts, e.g., "127.0.0.1 localhost.localdomain localhost".',
        u'hidden': True,
        u'key': u'com.oracle.linux.network.host.0'},
       {u'description': u'Network device to configure, e.g., "eth0".',
        u'key': u'com.oracle.linux.network.device.0'},
       {u'depends': u'com.oracle.linux.network.device.0',
        u'description': u'Network device hardware address, e.g., "00:16:3E:28:0F:4E".',
        u'hidden': True,
        u'key': u'com.oracle.linux.network.hwaddr.0'},
       {u'depends': u'com.oracle.linux.network.device.0',
        u'description': u'Network device MTU, e.g., "1500".',
        u'hidden': True,
        u'key': u'com.oracle.linux.network.mtu.0'},
       {u'choices': [u'yes', u'no'],
        u'depends': u'com.oracle.linux.network.device.0',
        u'description': u'Activate interface on system boot: yes or no.',
        u'key': u'com.oracle.linux.network.onboot.0'},
       {u'choices': [u'dhcp', u'static'],
        u'depends': u'com.oracle.linux.network.device.0',
        u'description': u'Boot protocol: dhcp or static.',
        u'key': u'com.oracle.linux.network.bootproto.0'},
       {u'depends': u'com.oracle.linux.network.bootproto.0',
        u'description': u'IP address of the interface.',
        u'key': u'com.oracle.linux.network.ipaddr.0',
        u'requires': [u'com.oracle.linux.network.bootproto.0',
                      [u'static', u'none', None]]},
       {u'depends': u'com.oracle.linux.network.bootproto.0',
        u'description': u'Netmask of the interface.',
        u'key': u'com.oracle.linux.network.netmask.0',
        u'requires': [u'com.oracle.linux.network.bootproto.0',
                      [u'static', u'none', None]]},
       {u'depends': u'com.oracle.linux.network.bootproto.0',
        u'description': u'Gateway IP address.',
        u'key': u'com.oracle.linux.network.gateway.0',
        u'requires': [u'com.oracle.linux.network.bootproto.0',
                      [u'static', u'none', None]]},
       {u'depends': u'com.oracle.linux.network.bootproto.0',
        u'description': u'DNS servers separated by comma, e.g., "8.8.8.8,8.8.4.4".',
        u'key': u'com.oracle.linux.network.dns-servers.0',
        u'requires': [u'com.oracle.linux.network.bootproto.0',
                      [u'static', u'none', None]]},
       {u'description': u'DNS search domains separated by comma, e.g., "us.example.com,cn.example.com".',
        u'hidden': True,
        u'key': u'com.oracle.linux.network.dns-search-domains.0'},
       {u'description': u'Network device to configure, e.g., "eth0".',
        u'hidden': True,
        u'key': u'com.oracle.linux.network.device.1'},
       {u'depends': u'com.oracle.linux.network.device.1',
        u'description': u'Network device hardware address, e.g., "00:16:3E:28:0F:4E".',
        u'hidden': True,
        u'key': u'com.oracle.linux.network.hwaddr.1'},
       {u'depends': u'com.oracle.linux.network.device.1',
        u'description': u'Network device MTU, e.g., "1500".',
        u'hidden': True,
        u'key': u'com.oracle.linux.network.mtu.1'},
       {u'choices': [u'yes', u'no'],
        u'depends': u'com.oracle.linux.network.device.1',
        u'description': u'Activate interface on system boot: yes or no.',
        u'hidden': True,
        u'key': u'com.oracle.linux.network.onboot.1'},
       {u'choices': [u'dhcp', u'static'],
        u'depends': u'com.oracle.linux.network.device.1',
        u'description': u'Boot protocol: dhcp or static.',
        u'hidden': True,
        u'key': u'com.oracle.linux.network.bootproto.1'},
       {u'depends': u'com.oracle.linux.network.bootproto.1',
        u'description': u'IP address of the interface.',
        u'hidden': True,
        u'key': u'com.oracle.linux.network.ipaddr.1',
        u'requires': [u'com.oracle.linux.network.bootproto.1',
                      [u'static', u'none', None]]},
       {u'depends': u'com.oracle.linux.network.bootproto.1',
        u'description': u'Netmask of the interface.',
        u'hidden': True,
        u'key': u'com.oracle.linux.network.netmask.1',
        u'requires': [u'com.oracle.linux.network.bootproto.1',
                      [u'static', u'none', None]]},
       {u'depends': u'com.oracle.linux.network.bootproto.1',
        u'description': u'Gateway IP address.',
        u'hidden': True,
        u'key': u'com.oracle.linux.network.gateway.1',
        u'requires': [u'com.oracle.linux.network.bootproto.1',
                      [u'static', u'none', None]]},
       {u'depends': u'com.oracle.linux.network.bootproto.1',
        u'description': u'DNS servers separated by comma, e.g., "8.8.8.8,8.8.4.4".',
        u'hidden': True,
        u'key': u'com.oracle.linux.network.dns-servers.1',
        u'requires': [u'com.oracle.linux.network.bootproto.1',
                      [u'static', u'none', None]]},
       {u'description': u'DNS search domains separated by comma, e.g., "us.example.com,cn.example.com".',
        u'hidden': True,
        u'key': u'com.oracle.linux.network.dns-search-domains.1'}]),
     ('60',
      'user',
      [{u'description': u'Name of the user on which to perform operation.',
        u'hidden': True,
        u'key': u'com.oracle.linux.user.name.0'},
       {u'description': u'Action to perform on the user: add, del or mod.',
        u'hidden': True,
        u'key': u'com.oracle.linux.user.action.0'},
       {u'description': u'User ID.',
        u'hidden': True,
        u'key': u'com.oracle.linux.user.uid.0'},
       {u'description': u'User initial login group.',
        u'hidden': True,
        u'key': u'com.oracle.linux.user.group.0'},
       {u'description': u'Supplementary groups separated by comma.',
        u'hidden': True,
        u'key': u'com.oracle.linux.user.groups.0'},
       {u'description': u'User password.',
        u'hidden': True,
        u'key': u'com.oracle.linux.user.password.0',
        u'password': True},
       {u'description': u'New name of the user.',
        u'hidden': True,
        u'key': u'com.oracle.linux.user.new-name.0'},
       {u'description': u'Name of the group on which to perform operation.',
        u'hidden': True,
        u'key': u'com.oracle.linux.group.name.0'},
       {u'description': u'Action to perform on the group: add, del or mod.',
        u'hidden': True,
        u'key': u'com.oracle.linux.group.action.0'},
       {u'description': u'Group ID.',
        u'hidden': True,
        u'key': u'com.oracle.linux.group.gid.0'},
       {u'description': u'New name of the group.',
        u'hidden': True,
        u'key': u'com.oracle.linux.group.new-name.0'}]),
     ('70',
      'ssh',
      [{u'description': u'Host private rsa1 key for protocol version 1.',
        u'hidden': True,
        u'key': u'com.oracle.linux.ssh.host-key'},
       {u'description': u'Host public rsa1 key for protocol version 1.',
        u'hidden': True,
        u'key': u'com.oracle.linux.ssh.host-key-pub'},
       {u'description': u'Host private rsa key.',
        u'hidden': True,
        u'key': u'com.oracle.linux.ssh.host-rsa-key'},
       {u'description': u'Host public rsa key.',
        u'hidden': True,
        u'key': u'com.oracle.linux.ssh.host-rsa-key-pub'},
       {u'description': u'Host private dsa key.',
        u'hidden': True,
        u'key': u'com.oracle.linux.ssh.host-dsa-key'},
       {u'description': u'Host public dsa key.',
        u'hidden': True,
        u'key': u'com.oracle.linux.ssh.host-dsa-key-pub'},
       {u'description': u'Name of the user to add a key.',
        u'hidden': True,
        u'key': u'com.oracle.linux.ssh.user.0'},
       {u'description': u'Authorized public keys.',
        u'hidden': True,
        u'key': u'com.oracle.linux.ssh.authorized-keys.0'},
       {u'description': u'Private key for authentication.',
        u'hidden': True,
        u'key': u'com.oracle.linux.ssh.private-key.0'},
       {u'description': u'Private key type: rsa, dsa or rsa1.',
        u'hidden': True,
        u'key': u'com.oracle.linux.ssh.private-key-type.0'},
       {u'description': u'Known hosts.',
        u'hidden': True,
        u'key': u'com.oracle.linux.ssh.known-hosts.0'}]),
     ('90',
      'authentication',
      [{u'description': u'System root password.',
        u'key': u'com.oracle.linux.root-password',
        u'password': True,
        u'required': True}])]
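
    The listing above is a Python literal, so it can be checked before any message is sent. The following is an added example, not part of the Oracle VM tooling: it parses an excerpt of the listing, validates a set of key/value pairs, orders them so the required root password goes last (the message that triggers reconfiguration), and masks keys flagged as passwords for logging. The function names are hypothetical, and the way it reads the 'depends' and 'requires' fields is an assumption.

```python
import ast

# Excerpt of the enumerate listing shown on this page (selinux, part of
# network, authentication); trimmed for brevity.
ENUMERATE_OUTPUT = r"""
[('30', 'selinux',
  [{u'description': u'SELinux mode: enforcing, permissive or disabled.',
    u'hidden': True,
    u'key': u'com.oracle.linux.selinux.mode'}]),
 ('50', 'network',
  [{u'description': u'Network device to configure, e.g., "eth0".',
    u'key': u'com.oracle.linux.network.device.0'},
   {u'choices': [u'dhcp', u'static'],
    u'depends': u'com.oracle.linux.network.device.0',
    u'description': u'Boot protocol: dhcp or static.',
    u'key': u'com.oracle.linux.network.bootproto.0'},
   {u'depends': u'com.oracle.linux.network.bootproto.0',
    u'description': u'IP address of the interface.',
    u'key': u'com.oracle.linux.network.ipaddr.0',
    u'requires': [u'com.oracle.linux.network.bootproto.0',
                  [u'static', u'none', None]]}]),
 ('90', 'authentication',
  [{u'description': u'System root password.',
    u'key': u'com.oracle.linux.root-password',
    u'password': True,
    u'required': True}])]
"""


def load_schema(text):
    """Parse the listing into {key: metadata}; literal_eval never executes code."""
    schema = {}
    for priority, module, entries in ast.literal_eval(text.strip()):
        for entry in entries:
            schema[entry["key"]] = dict(entry, module=module,
                                        priority=int(priority),
                                        order=len(schema))
    return schema


def plan_messages(schema, values):
    """Validate `values` and return (ordered_messages, errors).

    Required keys (the root password) are placed last because, per the post,
    sending the root password triggers the reconfiguration.
    """
    errors = []
    for key, value in values.items():
        meta = schema.get(key)
        if meta is None:
            errors.append("unknown key: %s" % key)
            continue
        if "choices" in meta and value not in meta["choices"]:
            errors.append("%s: %r not in %s" % (key, value, meta["choices"]))
        # Assumed reading: 'depends' names a key that must also be set.
        dep = meta.get("depends")
        if dep and dep not in values:
            errors.append("%s: depends on unset key %s" % (key, dep))
        # Assumed reading: 'requires' = [other_key, allowed values of it].
        if "requires" in meta:
            other, allowed = meta["requires"]
            if values.get(other) not in allowed:
                errors.append("%s: only valid when %s is one of %s"
                              % (key, other, allowed))
    for key, meta in schema.items():
        if meta.get("required") and key not in values:
            errors.append("missing required key: %s" % key)
    known = [k for k in values if k in schema]
    ordered = sorted(known, key=lambda k: (bool(schema[k].get("required")),
                                           schema[k]["order"]))
    return [(k, values[k]) for k in ordered], errors


def redact(schema, messages):
    """Mask values of keys flagged u'password': True before logging them."""
    return [(k, "********" if schema[k].get("password") else v)
            for k, v in messages]
```

    Log the output of redact() rather than the raw plan, so values for keys marked as passwords never reach a log file.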
    

    Configure Oracle Linux 6.3 as an Oracle VM template

    I have been asked a few times how one can make use of the Oracle VM API to configure an Oracle Linux VM running on top of Oracle VM 3. In the next few blog entries we will go through the various steps. This one will start at the beginning and get you to a completely prepared VM.

  • Create a VM with a default installation of Oracle Linux 6 update 3
  • You can freely download Oracle Linux installation images from http://edelivery.oracle.com/linux. Choose any type of installation you want, basic, desktop, server, minimal...

    Oracle Linux 6.3 comes with kernel 2.6.39-200.24.1 (UEK2)

    # uname -a
    Linux ol6u3 2.6.39-200.24.1.el6uek.x86_64 #1 SMP Sat Jun 23 02:39:07 EDT 2012 x86_64 x86_64 x86_64 GNU/Linux
    

  • Update the VM to the latest version of UEK and in general as a best practice update to the latest patches and reboot the VM
  • Oracle Linux updates are freely available on our public-yum site and the default install of Oracle Linux 6.3 already points to this location for updates.

    # yum update 
    # reboot
    # uname -a
    Linux ol6u3 2.6.39-300.17.3.el6uek.x86_64 #1 SMP Wed Dec 19 06:28:03 PST 2012 x86_64 x86_64 x86_64 GNU/Linux
    

    There is an extra kernel module required for the Oracle VM API to work. The ovmapi kernel module provides the ability to communicate messages back and forth between the host and the VM, and as such between Oracle VM Manager, through the VM API, to the VM and back. We included this kernel module in the 2.6.39-300 kernel to make it easy. There is no need to install extra kernel modules or keep kernel modules up to date when or if we have a new update. The source code for this kernel module is of course part of the UEK2 source tree.

  • Enable the Oracle Linux add-on channel
  • After reboot, download the latest public-yum repo file from public-yum which contains more repositories and enable the add-on channel which contains the Oracle VM API packages:

    inside the VM :

    # cd /etc/yum.repos.d
    # rm public-yum-ol6.repo    # replace the original version with this newer version
    # wget http://public-yum.oracle.com/public-yum-ol6.repo
    

  • Edit the public-yum-ol6.repo file to enable the ol6_addons channel.
  • Find the ol6_addons section and change enabled=0 to enabled=1.

    [ol6_addons]
    name=Oracle Linux $releasever Add ons ($basearch)
    baseurl=http://public-yum.oracle.com/repo/OracleLinux/OL6/addons/$basearch/
    gpgkey=http://public-yum.oracle.com/RPM-GPG-KEY-oracle-ol6
    gpgcheck=1
    enabled=1
    

    Save the file.

  • Install the Oracle VM API packages

    # yum install ovmd xenstoreprovider python-simplejson ovm-template-config
    

    This installs the basic packages needed on Oracle Linux 6 to support the Oracle VM API. xenstoreprovider is the library which communicates with the ovmapi kernel infrastructure. ovmd is a daemon that handles configuration and re-configuration events and provides a mechanism to send/receive messages between the VM and the Oracle VM Manager.

  • Add additional configuration packages you want
  • In order to be able to create a VM template that includes basic OS configuration system scripts, you can decide to install any or all of the following :

    ovm-template-config-authentication : Oracle VM template authentication configuration script.
    ovm-template-config-datetime       : Oracle VM template datetime configuration script.
    ovm-template-config-firewall       : Oracle VM template firewall configuration script.
    ovm-template-config-network        : Oracle VM template network configuration script.
    ovm-template-config-selinux        : Oracle VM template selinux configuration script.
    ovm-template-config-ssh            : Oracle VM template ssh configuration script.
    ovm-template-config-system         : Oracle VM template system configuration script.
    ovm-template-config-user           : Oracle VM template user configuration script.
    

    Simply type # yum install ovm-template-config-... to install whichever you want.

  • Enable ovmd
  • To enable ovmd (recommended) do :

    # chkconfig ovmd on 
    # /etc/init.d/ovmd start
    
  • Prepare your VM for first boot configuration
  • If you want to shut down this VM and enable the first boot configuration as a template, execute :

    # ovmd -s cleanup
    # service ovmd enable-initial-config
    # shutdown -h now
    

    After cloning this VM or starting it, it will act as a first time boot VM and it will require configuration input through the VM API or on the virtual VM console.

    My next blog will go into detail on how to send messages through the Oracle VM API for remote configuration and also how to extend the scripts.

    Wednesday Jul 11, 2012

    Oracle VM VirtualBox virtual appliance images for Oracle VM 3.1.1 server and Manager

    I updated the Oracle VM VirtualBox appliances for Oracle VM Manager. It now contains the latest release+patch Oracle VM Manager 3.1.1 build 365. Alongside the Manager VM I also created a preconfigured server setup: Oracle VM Server 3.1.1 build 365. The nice thing with this combination is that you can effectively run a smaller server pool on your desktop or laptop if you have a decent amount of RAM. I managed to create a 2 node server pool. Basically run the Manager VM + 2 server VMs on one 8GB MacBook. Of course it wasn't terribly fast or useful to run anything serious but it was good enough to test HA and show off the functionality.

    The VMs can be downloaded here. There are a few important things :

  • You can only run ParaVirtualized guests in the server VMs
  • I precreated nfs directories and started the nfs server bits in the Manager VM so you can use the Manager as an nfs repository for shared storage to the servers
  • I created a yum directory and updated httpd.conf on the Manager VM so that you can use and test the yum update facilities
  • You can add extra virtual disks to the server and they will show up as local storage for local repositories
  • iscsi target modules are installed on the Manager VM so you can also test out iscsi if you want to
  • It is highly recommended that you first start with the Manager VM to run in 4GB and then you can, if you want, drop it to about 3GB in size
  • The servers can run in as little as 700MB-1GB
  • Use STATIC ip addresses for these VMs
  • Since this is build 365, the Oracle VM CLI (ssh) server is also installed in the Manager VM!
  • note : when creating the VM in VirtualBox, go into the network settings of the VM and make sure that your virtual network is associated with the correct physical network. These VMs were exported on a Linux server with the virtual networks bound to eth0 as a device. On a Mac or a Windows PC this is likely a different name so to be safe just modify this before starting the VM

    The Manager VM is like the previous version 3.0. The VM starts and does an auto-login into Xwindows and there is a readme file that opens up in firefox and a login button that starts firefox to the local management port for Oracle VM.

    The server root password and ovs-agent password (to discover the server) is ovsroot.

    Sunday Jun 24, 2012

    Oracle VM 3.1.1 build 365 released

    A few days ago we released a patch update for Oracle VM 3.1.1 (build 365).

    Oracle VM Manager 3.1.1 Build 365 is now available from My Oracle Support patch ID 14227416

    Oracle VM Server 3.1.1 errata updates are, as usual, released on ULN in the ovm3_3.1.1_x86_64_patch channel.

    Just a reminder, when we publish errata for Oracle VM, the notifications are sent through the oraclevm-errata maillist. You can sign up here.

    Some of the bugfixes in 3.1.1 :

    14054162 - Removes unnecessary locks when creating VNICs in a multi-threaded operation.
    14111234 - Fixes the issue when discovering a virtual machine that has disks in a un-discovered repository or has un-discovered physical disks.
    14054133 - Fixes a bug of object not found where vdisks are left stale in certain multi-thread operations.
    14176607 - Fixes the issue where Oracle VM Manager would hang after a restart due to various tasks running jobs in the global context.
    14136410 - Fixes the stale lock issue on multithreaded server where object not found error happens in some rare situations.
    14186058 - Fixes the issue where Oracle VM Manager fails to discover the server or start the server after the server hardware configuration (i.e. BIOS) was modified.
    14198734 - Fixes the issue where HTTP cannot be disabled.
    14065401 - Fixes Oracle VM Manager UI time-out issue where the default value was not long enough for storage repository creation.
    14163755 - Fixes the issue when migrating a virtual machine the list of target servers (and "other servers") was not ordered by name.
    14163762 - Fixes the size of the "Edit Vlan Group" window to display all information correctly.
    14197783 - Fixes the issue that navigation tree (servers) was not ordered by name.

    I strongly suggest that everyone use this latest build and also update the server to the latest version.
    Have at it.

    Sunday Jun 03, 2012

    Oracle VM RAC template - what it took

    In my previous posting I introduced the latest Oracle Real Application Cluster / Oracle VM template. I mentioned how easy it is to deploy a complete Oracle RAC cluster with Oracle VM. In fact, you don't need any prior knowledge at all to get a complete production-ready setup going.

    Here is an example... I built a 4 node RAC cluster, completely configured in just over 40 minutes - starting from import template into Oracle VM, create VMs to fully up and running Oracle RAC. And what was needed? 1 textfile with some hostnames and ip addresses and deploycluster.py.

    The setup is a 4 node cluster where each VM has 8GB of RAM and 4 vCPUs. The shared ASM storage in this case is 100GB, 5 x 20GB volumes. The VM names are racovm.0-racovm.3. The deploycluster script starts the VMs, verifies the configuration and sends the database cluster configuration info through Oracle VM Manager to the 4 node VMs. Once the VMs are up and running, the first VM starts the actual Oracle RAC setup inside and talks to the 3 other VMs. I did not log into any VM until after everything was completed. In fact, I connected to the database remotely before logging in at all.

    # ./deploycluster.py -u admin -H localhost --vms racovm.0,racovm.1,racovm.2,racovm.3 --netconfig ./netconfig.ini

    Oracle RAC OneCommand (v1.1.0) for Oracle VM - deploy cluster - (c) 2011-2012 Oracle Corporation
     (com: 26700:v1.1.0, lib: 126247:v1.1.0, var: 1100:v1.1.0) - v2.4.3 - wopr8.wimmekes.net (x86_64)
    Invoked as root at Sat Jun 2 17:31:29 2012 (size: 37500, mtime: Wed May 16 00:13:19 2012)
    Using: ./deploycluster.py -u admin -H localhost --vms racovm.0,racovm.1,racovm.2,racovm.3 --netconfig ./netconfig.ini

    INFO: Login password to Oracle VM Manager not supplied on command line or environment (DEPLOYCLUSTER_MGR_PASSWORD), prompting...
    Password:
    INFO: Attempting to connect to Oracle VM Manager...
    INFO: Oracle VM Client (3.1.1.305) protocol (1.8) CONNECTED (tcp) to
          Oracle VM Manager (3.1.1.336) protocol (1.8) IP (192.168.1.40) UUID (0004fb0000010000cbce8a3181569a3e)
    INFO: Inspecting /root/rac/deploycluster/netconfig.ini for number of nodes defined...
    INFO: Detected 4 nodes in: /root/rac/deploycluster/netconfig.ini
    INFO: Located a total of (4) VMs;
          4 VMs with a simple name of: ['racovm.0', 'racovm.1', 'racovm.2', 'racovm.3']
    INFO: Verifying all (4) VMs are in Running state
    INFO: VM with a simple name of "racovm.0" is in a Stopped state, attempting to start it... OK.
    INFO: VM with a simple name of "racovm.1" is in a Stopped state, attempting to start it... OK.
    INFO: VM with a simple name of "racovm.2" is in a Stopped state, attempting to start it... OK.
    INFO: VM with a simple name of "racovm.3" is in a Stopped state, attempting to start it... OK.
    INFO: Detected that all (4) VMs specified on command have (5) common shared disks between them (ASM_MIN_DISKS=5)
    INFO: The (4) VMs passed basic sanity checks and in Running state, sending cluster details as follows:
          netconfig.ini (Network setup): /root/rac/deploycluster/netconfig.ini
          buildcluster: yes
    INFO: Starting to send cluster details to all (4) VM(s).......
    INFO: Sending to VM with a simple name of "racovm.0"....
    INFO: Sending to VM with a simple name of "racovm.1".....
    INFO: Sending to VM with a simple name of "racovm.2".....
    INFO: Sending to VM with a simple name of "racovm.3"......
    INFO: Cluster details sent to (4) VMs...
          Check log (default location /u01/racovm/buildcluster.log) on build VM (racovm.0)...
    INFO: deploycluster.py completed successfully at 17:32:02 in 33.2 seconds (00m:33s)
    Logfile at: /root/rac/deploycluster/deploycluster2.log

    my netconfig.ini :

    # Node specific information
    NODE1=db11rac1
    NODE1VIP=db11rac1-vip
    NODE1PRIV=db11rac1-priv
    NODE1IP=192.168.1.56
    NODE1VIPIP=192.168.1.65
    NODE1PRIVIP=192.168.2.2
    NODE2=db11rac2
    NODE2VIP=db11rac2-vip
    NODE2PRIV=db11rac2-priv
    NODE2IP=192.168.1.58
    NODE2VIPIP=192.168.1.66
    NODE2PRIVIP=192.168.2.3
    NODE3=db11rac3
    NODE3VIP=db11rac3-vip
    NODE3PRIV=db11rac3-priv
    NODE3IP=192.168.1.173
    NODE3VIPIP=192.168.1.174
    NODE3PRIVIP=192.168.2.4
    NODE4=db11rac4
    NODE4VIP=db11rac4-vip
    NODE4PRIV=db11rac4-priv
    NODE4IP=192.168.1.175
    NODE4VIPIP=192.168.1.176
    NODE4PRIVIP=192.168.2.5
    # Common data
    PUBADAP=eth0
    PUBMASK=255.255.255.0
    PUBGW=192.168.1.1
    PRIVADAP=eth1
    PRIVMASK=255.255.255.0
    RACCLUSTERNAME=raccluster
    DOMAINNAME=wimmekes.net
    DNSIP=
    # Device used to transfer network information to second node
    # in interview mode
    NETCONFIG_DEV=/dev/xvdc
    # 11gR2 specific data
    SCANNAME=db11vip
    SCANIP=192.168.1.57
    

    last few lines of the in-VM log file :

    2012-06-02 14:01:40:[clusterstate:Time :db11rac1] Completed successfully in 2 seconds (0h:00m:02s)
    2012-06-02 14:01:40:[buildcluster:Done :db11rac1] Build 11gR2 RAC Cluster
    2012-06-02 14:01:40:[buildcluster:Time :db11rac1] Completed successfully in 1779 seconds (0h:29m:39s)

    From start_vm to completely configured : 29m:39s. The other 10m was the import template and create 4 VMs from template along with the shared storage configuration.

    This consists of a complete Oracle 11gR2 RAC database with ASM, CRS and the RDBMS up and running on all 4 nodes. Simply connect and use. Production ready.

    Oracle on Oracle.

    Tuesday May 29, 2012

    New Oracle VM RAC template with support for Oracle VM 3 built-in

    The RAC team did it again (thanks Saar!) - another awesome set of Oracle VM templates published and uploaded to My Oracle Support.

    You can find the main page here.

    What's special about the latest version of DeployCluster is that it integrates tightly with Oracle VM 3 manager. It basically is an Oracle VM frontend that helps start VMs, pass arguments down automatically and there is absolutely no need to log into the Oracle VM servers or the guests. Once it completes, you have an entire Oracle RAC database setup ready to go.

    Here's a short summary of the steps :

  • Set up an Oracle VM 3 server pool
  • Download the Oracle VM RAC template from oracle.com
  • Import the template into Oracle VM using Oracle VM Manager repository -> import
  • Create a public and private network in Oracle VM Manager in the network tab
  • Configure the template with the right public and private virtual networks
  • Create a set of shared disks (physical or virtual) to assign to the VMs you want to create (for ASM/at least 5)
  • Clone a set of VMs from the template (as many RAC nodes as you plan to configure)
  • With Oracle VM 3.1 you can clone with a number so one clone command for, say 8 VMs is easy.
  • Assign the shared devices/disks to the cloned VMs
  • Create a netconfig.ini file on your manager node or a client where you plan to run DeployCluster
  • This little text file just contains the IP addresses, hostnames etc for your cluster. It is a very simple small textfile.
  • Run deploycluster.py with the VM names as argument
  • Done.

    At this point, the tool will connect to Oracle VM Manager, start the VMs and configure each one:

  • Configure the OS (Oracle Linux)
  • Configure the disks with ASM
  • Configure the clusterware (CRS)
  • Configure ASM
  • Create database instances on each node.

    Now you are ready to log in and use your x-node database cluster. No need to download various products from various websites, click on trial licenses for the OS, go to a Virtual Machine store with sample and test versions only - this is production ready and supported.

    Software. Complete.

    example netconfig.ini :

    # Node specific information
    NODE1=racnode1
    NODE1VIP=racnode1-vip
    NODE1PRIV=racnode1-priv
    NODE1IP=192.168.1.2
    NODE1VIPIP=192.168.1.22
    NODE1PRIVIP=10.0.0.22
    NODE2=racnode2
    NODE2VIP=racnode2-vip
    NODE2PRIV=racnode2-priv
    NODE2IP=192.168.1.3
    NODE2VIPIP=192.168.1.23
    NODE2PRIVIP=10.0.0.23
    # Common data
    PUBADAP=eth0
    PUBMASK=255.255.255.0
    PUBGW=192.168.1.1
    PRIVADAP=eth1
    PRIVMASK=255.255.255.0
    RACCLUSTERNAME=raccluster
    DOMAINNAME=mydomain.com
    DNSIP=
    # Device used to transfer network information to second node
    # in interview mode
    NETCONFIG_DEV=/dev/xvdc
    # 11gR2 specific data
    SCANNAME=racnode12-scan
    SCANIP=192.168.1.50
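
    A pre-flight check for a netconfig.ini like the one above, as an added example that is not part of deploycluster.py. The function names are hypothetical, and the rules it enforces are assumptions based on common RAC practice: node, VIP and SCAN addresses inside the PUBGW/PUBMASK subnet, private interconnect addresses outside it, and no address used twice.

```python
import ipaddress
import re

# The example netconfig.ini from this page (two comment lines trimmed).
NETCONFIG = """\
# Node specific information
NODE1=racnode1
NODE1VIP=racnode1-vip
NODE1PRIV=racnode1-priv
NODE1IP=192.168.1.2
NODE1VIPIP=192.168.1.22
NODE1PRIVIP=10.0.0.22
NODE2=racnode2
NODE2VIP=racnode2-vip
NODE2PRIV=racnode2-priv
NODE2IP=192.168.1.3
NODE2VIPIP=192.168.1.23
NODE2PRIVIP=10.0.0.23
# Common data
PUBADAP=eth0
PUBMASK=255.255.255.0
PUBGW=192.168.1.1
PRIVADAP=eth1
PRIVMASK=255.255.255.0
RACCLUSTERNAME=raccluster
DOMAINNAME=mydomain.com
DNSIP=
NETCONFIG_DEV=/dev/xvdc
# 11gR2 specific data
SCANNAME=racnode12-scan
SCANIP=192.168.1.50
"""


def parse_netconfig(text):
    """Return {KEY: value} from KEY=value lines, skipping comments and blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def check_netconfig(conf):
    """Return (node_numbers, problems) for a parsed netconfig.ini."""
    problems = []
    public = ipaddress.ip_network(
        "%s/%s" % (conf["PUBGW"], conf["PUBMASK"]), strict=False)
    # address -> first key that used it; the gateway counts as taken.
    seen = {ipaddress.ip_address(conf["PUBGW"]): "PUBGW"}

    def claim(key):
        """Parse conf[key] as an IP address and record duplicates."""
        try:
            addr = ipaddress.ip_address(conf.get(key, ""))
        except ValueError:
            problems.append("%s is missing or not an IP address" % key)
            return None
        if addr in seen:
            problems.append("%s reuses %s from %s" % (key, addr, seen[addr]))
        seen.setdefault(addr, key)
        return addr

    nodes = sorted(int(m.group(1)) for m in
                   (re.match(r"NODE(\d+)$", k) for k in conf) if m)
    for n in nodes:
        for suffix in ("VIP", "PRIV"):
            if not conf.get("NODE%d%s" % (n, suffix)):
                problems.append("NODE%d%s host name is missing" % (n, suffix))
        # Assumed rule: IP and VIPIP are public, PRIVIP is the interconnect.
        for suffix, want_public in (("IP", True), ("VIPIP", True),
                                    ("PRIVIP", False)):
            key = "NODE%d%s" % (n, suffix)
            addr = claim(key)
            if addr is not None and (addr in public) != want_public:
                side = "inside" if want_public else "outside"
                problems.append("%s=%s should be %s %s"
                                % (key, addr, side, public))
    scan = claim("SCANIP")
    if scan is not None and scan not in public:
        problems.append("SCANIP=%s should be inside %s" % (scan, public))
    return nodes, problems
```
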
    
    About

    Wim Coekaerts is the Senior Vice President of Linux and Virtualization Engineering for Oracle. He is responsible for Oracle's complete desktop to data center virtualization product line and the Oracle Linux support program.

    You can follow him on Twitter at @wimcoekaerts
