Author Archives: Martin

About Martin

A guy that likes databases, operating systems, rock climbing, snowboarding.

UKOUG Tech13

I will be presenting on two topics at the UKOUG Tech13 conference in Manchester.

<a href="http://www cialis discount paris.tech13.ukoug.org/default.asp?p=10186&dlgact=shwprs&prs_prsid=8591&day_dayid=73″>Goodbye KVM… Hello KVM – Monday (2nd December) @ 16:50 in Exchange 7 (45 mins) – If you use virtualisation in your “home lab”, but have never considered KVM then this session is aimed at you.

Pitfalls, Pain and Pleasure with RAC Connectivity – Wednesday (4th December) @ 08:30 in Exchange 10 (45 mins) – If you plan to implement Fast Connection Failover (FCF) for your connection pools to 11gR2 databases then there are some valuable “lessons learnt” in this presentation. If you’ve already implemented FCF to 11gR2 databases there’s still probably a few useful points covered.

Hope to see you there.

Creating That Just Scanned Look

Have you ever found yourself being asked to provide a scan of a document that you’ve printed and signed? Have you ever found yourself in that position without a printer and/or scanner?

That happened to me recently. I’d been asked to provide a signed copy of document and so I pasted an image of my signature in the appropriate place in the electronic (word processor) document, generated a PDF from the document and emailed it to those concerned.

An hour or so later I got a response stating that the document was not acceptable as it had been “electronically signed”. I responded pointing out that it was a little behind the times to be demanding scans of hand signed documents and asked whether or not it would be acceptable if I took the time to make the PDF appear to be a scan of a piece of paper that I had signed.

I didn’t get a written response to my question, but received a phone call explaining why asking for a scan of a signed copy of a print out of a word processed document was to protect me from fraudulent activity. After questioning what additional security regarding my identity they were getting, considering they already had a scan of my passport, I took on the challenge of creating a PDF that appeared to be scanned…

May I introduce the excellent www.lookslikescanned.com. As it says, “Beat the bureaucrats.”

I sent the new document and shortly after was informed that everything was now in order. What a mad world!

It seems worth pointing out that the PDF you download from www achat de cialis en suisse.lookslikescanned.com after it has been “scanned” has some embedded data that could give you away if the person receiving the PDF is really on the ball. Having spotted this it seemed prudent to generate a PDF from the PDF before emailing it.

Resource Manager Privilege Management Bug

When working with Oracle Database Resource Manager recently I ran into what seemed like unexpected behaviour and turned out to be bug 13101791 as documented in MOS ID 13101791.8. The note states workaround as “none”, but that depends on what you view as an acceptable workaround.

The bug description starts:

The Resource Manager consumer group is not changed to the right one when it is granted via a role.

That gives a high level view of the issue, but there are some subtleties that seem worth noting.

Demonstration

  • SESSION 1 is SYS and is used to grant privileges and manage the Resource Manager configuration
  • SESSION 2 is a test user named MARTIN and is used to verify the Resource Manager behaviour by logging in and checking the assigned consumer group

Validation of the current privileges for switching consumer group

SESSION 1> select * from dba_rsrc_consumer_group_privs;

GRANTEE      GRANTED_GROUP                  GRA INI
------------ ------------------------------ --- ---
PUBLIC       DEFAULT_CONSUMER_GROUP         YES YES
SYSTEM       SYS_GROUP                      NO  YES
PUBLIC       LOW_GROUP                      NO  NO

3 rows selected.

Validation of the current privileges for switching consumer group

SESSION 1> select * from dba_rsrc_group_mappings;

ATTRIBUTE         VALUE        CONSUMER_GROUP   STATUS
----------------- ------------ ---------------- -------
SERVICE_NAME      DBRM_SRV1    GOLD_GROUP
ORACLE_USER       SYS          SYS_GROUP
ORACLE_USER       SYSTEM       SYS_GROUP
ORACLE_FUNCTION   BACKUP       BATCH_GROUP
ORACLE_FUNCTION   COPY         BATCH_GROUP
ORACLE_FUNCTION   DATALOAD     ETL_GROUP

6 rows selected.

Connection as user MARTIN to service DBRM_SRV1 and verification of consumer group

SESSION 2> select username, resource_consumer_group, service_name from v$session where sid = sys_context('userenv','sid');

USERNAME   RESOURCE_CONSUMER_GROUP   SERVICE_NAME
---------- ------------------------- ---------------
MARTIN     OTHER_GROUPS              dbrm_srv1

Nothing unexpected here – MARTIN does not have permission to switch to GOLD_GROUP, so he can’t.

Granting MARTIN permission to switch to GOLD_GROUP directly

SESSION 1> exec dbms_resource_manager_privs.grant_switch_consumer_group(grantee_name => 'martin',consumer_group => 'GOLD_GROUP',grant_option => FALSE)

PL/SQL procedure successfully completed.

Querying V$SESSION for MARTIN (no reconnection)

SESSION 2> select username, resource_consumer_group, service_name from v$session where sid = sys_context('userenv','sid');

USERNAME   RESOURCE_CONSUMER_GROUP   SERVICE_NAME
---------- ------------------------- ---------------
MARTIN     GOLD_GROUP                dbrm_srv1

Revoking from MARTIN permission to switch to GOLD_GROUP directly

SESSION 1> exec dbms_resource_manager_privs.revoke_switch_consumer_group(revokee_name => 'martin',consumer_group => 'GOLD_GROUP')

PL/SQL procedure successfully completed.

Querying V$SESSION for MARTIN (no reconnection)

SESSION 2> select username, resource_consumer_group, service_name from v$session where sid = sys_context('userenv','sid');

USERNAME   RESOURCE_CONSUMER_GROUP   SERVICE_NAME
---------- ------------------------- ---------------
MARTIN     OTHER_GROUPS              dbrm_srv1

Again, not too surprising here – Granting and revoking the privilege to be in GOLD_GROUP to user MARTIN results in him moving both into and out of the GOLD_GROUP.

Creating a ROLE named APP_ROLE and granting that to MARTIN

SESSION 1> create role app_role;

Role created.

SESSION 1> grant app_role to martin;

Grant succeeded.

Enable the newly granted APP_ROLE for user MARTIN in current session

SESSION 2> set role all;

Role set.

SESSION 2> select role from session_roles;

ROLE
-----------------------
SELECT_CATALOG_ROLE
HS_ADMIN_SELECT_ROLE
APP_ROLE

Granting APP_ROLE permission to switch to GOLD_GROUP directly

SESSION 1> exec dbms_resource_manager_privs.grant_switch_consumer_group(grantee_name => 'app_role',consumer_group => 'GOLD_GROUP',grant_option => FALSE)

PL/SQL procedure successfully completed.

Querying V$SESSION for MARTIN (no reconnection)

SESSION 2> select username, resource_consumer_group, service_name from v$session where sid = sys_context('userenv','sid');

USERNAME   RESOURCE_CONSUMER_GROUP   SERVICE_NAME
---------- ------------------------- ---------------
MARTIN     OTHER_GROUPS              dbrm_srv1

Validation of the current privileges for switching consumer group

SESSION 1> select * from dba_rsrc_consumer_group_privs;

GRANTEE      GRANTED_GROUP                  GRA INI
------------ ------------------------------ --- ---
PUBLIC       DEFAULT_CONSUMER_GROUP         YES YES
APP_ROLE     GOLD_GROUP                     NO  NO
SYSTEM       SYS_GROUP                      NO  YES
PUBLIC       LOW_GROUP                      NO  NO

4 rows selected.

Testing switching consumer group manually using DBMS_SESSION.SWITCH_CURRENT_CONSUMER_GROUP

SESSION 2> var old_group varchar2(10)
SESSION 2> exec dbms_session.switch_current_consumer_group('GOLD_GROUP',:old_group,FALSE)

PL/SQL procedure successfully completed.

Querying V$SESSION for MARTIN (no reconnection)

SESSION 2> select username, resource_consumer_group, service_name from v$session where sid = sys_context('userenv','sid');

USERNAME   RESOURCE_CONSUMER_GROUP   SERVICE_NAME
---------- ------------------------- ---------------
MARTIN     GOLD_GROUP                dbrm_srv1

So the consumer group was successfully switched

Revoking from APP_ROLE permission to switch to GOLD_GROUP directly

SESSION 1> exec dbms_resource_manager_privs.revoke_switch_consumer_group(revokee_name => 'app_role',consumer_group => 'GOLD_GROUP')

PL/SQL procedure successfully completed.

Querying V$SESSION for MARTIN (no reconnection)

SESSION 2> select username, resource_consumer_group, service_name from v$session where sid = sys_context('userenv','sid');

USERNAME   RESOURCE_CONSUMER_GROUP   SERVICE_NAME
---------- ------------------------- ---------------
MARTIN     OTHER_GROUPS              dbrm_srv1

Summary

When the privilege to switch consumer group is granted to a user and a session is connected to a service that maps to the same consumer group the session is automatically switched to the consumer group. However, when the privilege to switch consumer group is granted to a role the same behaviour is not observed and the session is only switched to the consumer group when specified to do so manually.

Conclusions

MOS 13101791.8 states that the bug is fixed in 12.1.0.1 and 11.2.0.4. I haven’t tested to verify this. I expect the vast majority of organisations are not yet running these versions and so it seems worth discussing workarounds. The two options that occur to me are:

  1. Granting the privilege to switch at a user level – Depending on the number of database users, the rate of new users and the method with which they are provisioned this could be more or less painful.
  2. Use a logon trigger to call dbms_session.switch_current_consumer_group to switch to the desired consumer group – I’m less keen on this option, but the appropriateness over workaround (1) would depend on the specifics of the environment.

ReaR MAC Address Mix-Up

Relax and Recover (ReaR) is a great tool for facilitating Linux bare-metal recovery. In works really well, however, there is a bug in the 1.14 release (it seems the same issue is present in 1.15, but I didn’t test yet) that effects restores for many bonded Ethernet interface configurations.

Problem

After the recovery of an Exadata compute node using ReaR I saw the following message during the boot process:

Bringing up interface bond1:  Device eth2 has different MAC address than expected, ignoring.

Examination of /etc/sysconfig/network-scripts/ifcfg-eth2 and dmesg showed that sure enough the MAC address in /etc/sysconfig/network-scripts/ifcfg-eth2 did not match that of the device… Hmmm.

A quick look in the restore log file revealed:

2013-09-02 20:20:47 Including finalize/GNU/Linux/30_create_mac_mapping.sh
2013-09-02 20:20:48 Including finalize/GNU/Linux/41_migrate_udev_rules.sh
2013-09-02 20:20:48 Including finalize/GNU/Linux/42_migrate_network_configuration_files.sh
2013-09-02 20:20:48 SED_SCRIPT: ';s/<original mac address removed>/<new mac address removed>/g;s/<ORIGINAL MAC ADDRESS REMOVED>/<NEW MAC ADDRESS REMOVED>/g'

Just to be clear the parts in < and > have been removed by me and represent place-holders for the MAC addresses. First in lower case and then upper case.

Cause

The cause of the issue is in 30_create_mac_mapping.sh, which is responsible for creating a MAC address mapping file (if needed). The MAC address mapping file ($CONFIG_DIR/mappings/mac) is created to handle situations where the restore is to a different host, or at least one where the MAC addresses for the network cards are different to those on the system that was backed up.

The 30_create_mac_mapping.sh script is really very simple and compares the MAC address in the restored ifcfg-<interface> files (if there are any) with the MAC addresses in /sys/class/net/<interface>/address. If there is a difference then it writes the old and current MAC addresses to the MAC address mapping file ($CONFIG_DIR/mappings/mac[1]) for later use by 42_migrate_network_configuration_files.sh. All good, right? Well, a problem can come about when dealing with bonded interfaces. Specifically, when in active-backup mode with fail_over_mac set to none (0 has the same meaning). In this configuration /sys/class/net/<interface>/address reports the same value for all slaves of a bond.

So, given that when booting into recovery mode ReaR attempts to create the network configuration at the time the ReaR boot ISO was created (via script 60-network-devices.sh), if you had bonded interfaces at the point you created the ReaR boot ISO, then you’ll have them in recovery mode, which means that when 30_create_mac_mapping.sh runs it will write MAC addresses to $CONFIG_DIR/mappings/mac, and then shortly after 42_migrate_network_configuration_files.sh will run and update the ifcfg-<interface> files, setting the MAC address for all interfaces in a given bond to the same value, which is not correct.

Solution

After initially thinking that I was going to need to come up with a patch for ReaR that would handle bonded interfaces appropriately, and I thinking that’s more complicate than it might sound, I had another look at 30_create_mac_mapping.sh and realised that if I create an empty $CONFIG_DIR/mappings/mac file (valid in my case as the MAC addresses have not changed when doing a straight restore to the same host) then ReaR will not create a new file, or add records to the existing file, and there will be no attempt to update the MAC addresses in the ifcfg-<interface> scripts.

The above worked and so a fix for the MAC address mix-up with bonded interfaces, when restoring to a host with the same MAC addresses, is to run the following command[1] before running “rear recover”:

# touch /etc/rear/mappings/mac

Footnotes
[1] – $CONFIG_DIR is a variable used in Relax and Recover, but note that your $CONFIG_DIR might not be /etc/rear

Relax and Recover

Relax and Recovery (ReaR) is great. It does exactly what it needs to do with the minimum of fuss.

What?

I’ll start by explaining what ReaR does and does not do. The “does not” part is important as many people I’ve spoken with about ReaR have been confused about exactly what it does.

The main purpose of ReaR is to create a bootable image, based on what is currently installed on a Linux host, that can be used to partition disks and retrieve a backup of the system. There are options for where to create the bootable image and what to do with it after it has been created.

The bootable image can be a USB device, an ISO file or a number of other options.

If you create a bootable image on a USB device then you may also wish to create a backup of your system on the same device, which ReaR will support.

When creating a bootable image as an ISO file you have a multitude of options for what do to with the file in order to get it off the box so that it can be used for recovery. The two options I have used are rsync and TSM.

The misconception I mentioned earlier is the belief that ReaR will backup your system. It can do that, but it is not a given and depends on your configuration acheter du cialis 5.

If ReaR isn’t backing up the system, what will?

ReaR will work with tar, rsync and a number of 3rd party commercial backup solutions. Again, I have used rsync and TSM.

Why?

You might be asking yourself why this is important/useful.

Imagine your beloved machine has suffered a death by file system corruption. You have a backup of the system, but what next? You need a way of getting the backup data back on disk. I know a number of places that do not restore full systems, but rather rebuild them if something goes horribly wrong with the operating system. I can see the value in the approach, however, it relies on you knowing what the state of the system was. For example:

  1. What configuration changes have been made since the installation?
  2. What additional software has been installed?
  3. What scripts have been put in place?

The list goes on.

It is totally possible to manage all that, but you have to be proactive. It’s a problem that won’t solve itself.

If you don’t have details of all the customisations then wouldn’t it be really nice to be able to run a command to pull back the contents of all your local file systems as they were at the point of the last backup, allowing you to simply reboot and be back in business? That’s what ReaR will do for you 🙂

Example Procedure

The following is an example of the produce to protect a system with ReaR and TSM during some operating system patching activities (assumes TSM is already installed):

  1. Install ReaR (rpms are available here).
  2. Configure ReaR to use TSM and to create an ISO file by updating /etc/rear/local.conf with a line of OUTPUT=ISO and another with BACKUP=TSM.
  3. Run “rear -v mkrescue” to create the bootable ISO and send it to TSM (mkbackup would have the same effect in this case as TSM will be handling the file system backups independently – I feel mkrescue makes it clearer what you’re doing).
  4. Perform a incremental backup of your file systems with TSM using “dsmc inc …”.
  5. Do your patching activity.

If all goes well then you don’t need to boot from the ReaR ISO and restore you operating system. But, let’s say it didn’t go well. Your system will no longer boot and there’s no immediately obvious way forward. You decide to restore. The procedure is:

  1. Restore the ReaR ISO to a location that will allow you to present it to the server. This is most likely to be your desktop so you can present the ISO file as a virtual CD-ROM over the ILOM interface.
  2. Present the ISO to the host to be recovered.
  3. Boot the host from the ISO – It is highly likely that you’ll need to change the boot order or get a pop-up menu to select the ISO as the boot media.
  4. Select “Recover <hostname>” at the grub prompt.
  5. Log in as root (password not required).
  6. Run “rear -v recover” and answer the interactive prompts.

Issues

Since starting to use ReaR I have encountered two problems:

  1. When recovering a host that used an ext4 file system for /boot I found myself facing at message of “Error 16: Inconsistent filesystem structure.” from grub. After a bit of digging around and trying to understand what the issue was I ended up modifying the /var/lib/rear/layout/disklayout.conf ReaR file to change the file system type for /boot from ext4 to ext2. I initially tried ext3, but as the system did not use ext3 for any of the file systems the module was not available.
  2. The version of ReaR that I was using had a bug (tracked on GitHub) that affected systems that do not have a separate /boot partition. There is a patch for the bug available, but if like me you’re happy to have a manual workaround, you need to perform the following actions after the restore completes:
# chroot /mnt/local
# PATH=/bin:/sbin:/usr/bin
# grub-install <disk path>
# exit
# reboot

Finally, it’s worth mentioning that ReaR is written in shell and is open source.

Host & ASM Instance Name Mismatch (Again)

I’ve just installed 12c (I’m a little slow off the mark) and during the installation process I hit the screen below and thought, “That’s a good idea.”

Root Password 12c GI Install

However, near the end of the installation I noticed that the ASM instance numbers did not match up with the numeric identifiers in my hostnames as shown in the table below:

Hostname ASM Instance
c01db01 +ASM1
c01db02 +ASM3
c01db03 +ASM2

This looked familiar, but I still didn’t like it, so I addressed the issue by running rootcrs.pl -deconfig -force [-lastnode] on my database servers and then running root.sh manually in the order that matched the hostnames.

Moving VM Storage

Just a brief note to remind myself next time that this is very easy and just 3 commands…

All my VMs run on Logical Volumes (LV) created on the VM host. Every once in a while I want to move the storage for a VM from a particular Volume Group (VG) to another and doing so is very straightforward:

Create a new LV in the destination VG

lvcreate -L <requied size> -n <lv name> <path to vg>

Copy the original LV to the new LV

dd if=<path to original lv> of=<path to new lv> bs=4k

Note the use of 4k blocksize acheter cialis 20mg en france. The default is 512 bytes.

Update the VM configuration

virsh edit <vm name>