Some issues when installing Oracle 11.2.0.4 RAC on RHEL 7.4

cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.4 (Maipo)

 

1. Install the compat-libcap1.x86_64 package:

yum install compat-libcap1.x86_64

Otherwise root.sh fails with an error because the library file is missing:

clscfg.bin: error while loading shared libraries: libcap.so.1: cannot open shared object file: No such file or directory Failed to create keys in the OLR, rc = 127, Message:

Failed to write the checkpoint:” with status:FAIL.Error code is 256

 

2. Before running root.sh, patch GRID_HOME with patch 18370031; otherwise the installation fails because RHEL 7 changed some of the RC scripts.

The error is as follows:

 

The following environment variables are set as:
ORACLE_OWNER= oracle
ORACLE_HOME=  /u01/app/11.2.0/grid
 
Enter the full pathname of the local bin directory: [/usr/local/bin]:
The contents of “dbhome” have not changed. No need to overwrite.
The contents of “oraenv” have not changed. No need to overwrite.
The contents of “coraenv” have not changed. No need to overwrite.
 
Creating /etc/oratab file…
Entries will be added to the /etc/oratab file as needed by
Database Configuration Assistant when a database is created
Finished running generic part of root script.
Now product-specific root actions will be performed.
Using configuration parameter file: /u01/app/11.2.0/grid/crs/install/crsconfig_params
Creating trace directory
User ignored Prerequisites during installation
Installing Trace File Analyzer
OLR initialization – successful
root wallet
root wallet cert
root cert export
peer wallet
profile reader wallet
pa wallet
peer wallet keys
pa wallet keys
peer cert request
pa cert request
peer cert
pa cert
peer root cert TP
profile reader root cert TP
pa root cert TP
peer pa cert TP
pa peer cert TP
profile reader pa cert TP
profile reader peer cert TP
peer user cert
pa user cert
Adding Clusterware entries to inittab
ohasd failed to start
Failed to start the Clusterware. Last 20 lines of the alert log follow:
2018-03-08 10:20:24.544:
[client(17856)]CRS-2101:The OLR was formatted using version 3.

 

Patch 18370031 (Patch 18370031: RC SCRIPTS (/ETC/RC.D/RC.* , /ETC/INIT.D/* ) ON OL7 FOR CLUSTERWARE) has been folded into 20433339 (Patch 24333766: MERGE REQUEST ON TOP OF 11.2.0.4.0 FOR BUGS 18370031 20954311), so at present only 20433339 should be available for download.

opatch napply -local 20433339



opatch lsinventory
Oracle Interim Patch Installer version 11.2.0.3.23
Copyright (c) 2020, Oracle Corporation.  All rights reserved.


Oracle Home       : /u01/app/11.2.0/grid
Central Inventory : /u01/app/oraInventory
   from           : /u01/app/11.2.0/grid/oraInst.loc
OPatch version    : 11.2.0.3.23
OUI version       : 11.2.0.4.0
Log file location : /u01/app/11.2.0/grid/cfgtoollogs/opatch/opatch2020-03-06_09-37-02AM_1.log

Lsinventory Output file location : /u01/app/11.2.0/grid/cfgtoollogs/opatch/lsinv/lsinventory2020-03-06_09-37-02AM.txt
--------------------------------------------------------------------------------
Local Machine Information::
Hostname: rac1
ARU platform id: 226
ARU platform description:: Linux x86-64

Installed Top-level Products (1): 

Oracle Grid Infrastructure 11g                                       11.2.0.4.0
There are 1 products installed in this Oracle Home.


Interim patches (1) :

Patch  24333766     : applied on Fri Mar 06 08:15:04 EST 2020
Unique Patch ID:  20433339
Patch description:  "OCW Interim patch for 24333766"
   Created on 30 Nov 2016, 12:56:34 hrs PST8PDT
   Bugs fixed:
     18370031, 20954311



--------------------------------------------------------------------------------

OPatch succeeded.

 

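Note, however, that OPatch must be upgraded to the latest version before the patch above can be applied, so before installing, download two packages from support.oracle.com: p6880880_112000_Linux-x86-64.zip and p24333766_112040_Linux-x86-64.zip.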

3. Install the fuser command

yum install psmisc

 

 

4. For udev configuration on RHEL 7, see this article: https://gruffdba.wordpress.com/2017/02/20/udev-rules-for-asm-disks-on-rhel7/

It is reproduced here for convenience:

On this blog and elsewhere you will find UDEV rules examples for setting device ownership and naming consistency on older versions of Linux.

With RHEL7 some of the syntax has changed slightly.

This example was created using OEL7 with the Red Hat kernel, but should also work on Red Hat and CentOS.


First, log in as root and check the block device is visible on the Linux host:

[root@unirac02 ~]# ls /dev/sd*
/dev/sda /dev/sda1 /dev/sda2 /dev/sdb /dev/sdb1

In this example I have created a device sdb, and as you can see I have created a partition header on it.

Next, make sure we can see the device’s SCSI ID:

[root@unirac02 ~]# /lib/udev/scsi_id -g -u /dev/sdb
36006016004503e0017f99d58603c7c1e

Next, we are going to create a UDEV rule for this SCSI ID in the file /etc/udev/rules.d/99-oracleasm.rules.

[root@unirac01 ~]# cat /etc/udev/rules.d/99-oracleasm.rules
KERNEL=="sd?", ENV{ID_SERIAL}=="36006016004503e0017f99d58603c7c1e", SYMLINK+="oracleasm/grid1", OWNER="oracle", GROUP="oinstall", MODE="0660"

If you have several devices to add, you can use the following script to automate the rule generation.

[root@unirac02 ~]# mydevs="sdb sdc sdd" ; export count=0 ; for mydev in $mydevs; do ((count+=1)) ; /lib/udev/scsi_id -g -u /dev/$mydev | awk '{print "KERNEL==\"sd?\", ENV{ID_SERIAL}==\""$1"\", SYMLINK+=\"oracleasm/disk"ENVIRON["count"]"\", OWNER=\"oracle\", GROUP=\"oinstall\", MODE=\"0660\""}' ; done
KERNEL=="sd?", ENV{ID_SERIAL}=="36006016004503e0017f99d58603c7c1e", SYMLINK+="oracleasm/disk1", OWNER="oracle", GROUP="oinstall", MODE="0660"
KERNEL=="sd?", ENV{ID_SERIAL}=="36006016004503e0017f99d58603d1a87", SYMLINK+="oracleasm/disk2", OWNER="oracle", GROUP="oinstall", MODE="0660"
KERNEL=="sd?", ENV{ID_SERIAL}=="36006016004503e0017f99d58603d246a", SYMLINK+="oracleasm/disk3", OWNER="oracle", GROUP="oinstall", MODE="0660"

With RHEL7, restarting the UDEV rules is slightly different than previous releases:

[root@unirac02 ~]# /sbin/udevadm control --reload-rules
[root@unirac02 ~]# /sbin/udevadm trigger

Now check, and a new device should be visible under /dev/oracleasm

[root@unirac02 ~]# ls -al /dev/oracleasm/*
lrwxrwxrwx. 1 root root 6 Feb 20 18:38 /dev/oracleasm/grid1 -> ../sdb
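
Because these rules hand block devices to the oracle user, a mistake in one of them can give away the wrong disk. The following lint pass over rules of the form shown above is an added example, not part of the original article; the function names and sample serials are constructed, and it only understands the single-line KEY, operator, "value" layout used here.

```shell
#!/bin/sh
# Added example: lint udev rules of the form shown above before reloading them.

# Constructed sample rules; the serials are made up.
sample_rules() {
    cat <<'EOF'
# constructed sample rules (serials are made up)
KERNEL=="sd?", ENV{ID_SERIAL}=="3EXAMPLE0000000000000000000000001", SYMLINK+="oracleasm/disk1", OWNER="oracle", GROUP="oinstall", MODE="0660"
KERNEL=="sd?", ENV{ID_SERIAL}=="3EXAMPLE0000000000000000000000002", SYMLINK+="oracleasm/disk1", OWNER="oracle", GROUP="oinstall", MODE="0660"
KERNEL=="sd?", ENV{ID_SERIAL}="3EXAMPLE0000000000000000000000003", SYMLINK+="oracleasm/disk3", OWNER="oracle", GROUP="oinstall", MODE="0660"
KERNEL=="sd?", ENV{ID_SERIAL}=="3EXAMPLE0000000000000000000000004", SYMLINK+="oracleasm/disk4", OWNER="oracle", GROUP="oinstall", MODE="0666"
KERNEL=="sd?", ENV{ID_SERIAL}=="3EXAMPLE0000000000000000000000001", SYMLINK+="oracleasm/disk5", OWNER="oracle", GROUP="oinstall", MODE="0660"
EOF
}

# lint_udev_rules [FILE]: reads rules from FILE (or stdin) and prints one
# "line N: problem" entry per finding. No output means nothing was flagged.
lint_udev_rules() {
    cat "${1:--}" | awk '
    function report(msg) { print "line " NR ": " msg }
    function parse(t,    q) {           # sets key, op, val from one KEY<op>"value" token
        q = index(t, "\"")
        if (q == 0) return 0
        key = substr(t, 1, q - 1); gsub(/[ \t]/, "", key)
        val = substr(t, q + 1); sub(/"[ \t]*$/, "", val)
        if (key ~ /(==|!=|\+=|:=)$/) n_op = 2
        else if (key ~ /=$/) n_op = 1
        else return 0
        op = substr(key, length(key) - n_op + 1)
        key = substr(key, 1, length(key) - n_op)
        return 1
    }
    /^[ \t]*(#|$)/ { next }             # comment or blank line
    {
        n = split($0, tok, /,[ \t]*/)
        serial = ""; link = ""; mode = ""; grants = 0; pinned = 0; assigned = 0
        for (i = 1; i <= n; i++) {
            if (!parse(tok[i])) { report("cannot parse token: " tok[i]); continue }
            if (key == "ENV{ID_SERIAL}") {
                if (op == "==") { pinned = 1; serial = val } else { assigned = 1 }
            }
            if (key == "SYMLINK") link = val
            if (key == "MODE") mode = val
            if (key == "OWNER" || key == "GROUP" || key == "MODE") grants = 1
        }
        # A single "=" sets the property instead of matching it, so only
        # KERNEL=="sd?" is left to select devices.
        if (assigned) {
            report("ENV{ID_SERIAL} uses an assignment instead of ==, so the rule applies to every device KERNEL matches")
        } else if (grants && !pinned) {
            report("sets OWNER/GROUP/MODE without matching ENV{ID_SERIAL}")
        }
        if (pinned && serial == "") report("empty ID_SERIAL")
        if (serial != "") {
            if (serial in by_serial) report("ID_SERIAL " serial " already used on line " by_serial[serial])
            else by_serial[serial] = NR
        }
        if (link != "") {
            if (link in by_link) report("SYMLINK " link " already used on line " by_link[link])
            else by_link[link] = NR
        }
        if (mode != "" && mode !~ /0$/) report("MODE " mode " gives access to users outside the owner and group")
    }'
}

# Demonstration on the constructed sample.
sample_rules | lint_udev_rules
```

On a host, `lint_udev_rules /etc/udev/rules.d/99-oracleasm.rules` runs the same checks against the real file before `udevadm control --reload-rules`.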


Some related documents:

 

Requirements for Installing Oracle 11.2.0.4 RDBMS on OL7 or RHEL7 64-bit (x86-64) (Doc ID 1962100.1)

 

APPLIES TO:

Oracle Database – Standard Edition – Version 11.2.0.4 to 11.2.0.4 [Release 11.2]
Oracle Database – Enterprise Edition – Version 11.2.0.4 to 11.2.0.4 [Release 11.2]
Oracle Database Cloud Schema Service – Version N/A and later
Oracle Database Exadata Cloud Machine – Version N/A and later
Oracle Cloud Infrastructure – Database Service – Version N/A and later
Linux x86-64

PURPOSE

This note explains the requirements that need to be met for a successful installation of Oracle 11gR2 RDBMS release 11.2.0.4 on Red Hat Enterprise Linux 7.0 (or higher 7.x version), 64-bit (x86-64).  These guidelines apply to cluster (RAC) or standalone / single instances.

It is NOT the purpose of this NOTE to repeat every “how-to” step that is presented in the 11gR2 Installation Guide manual. For example this NOTE does not include how to create the Linux OS account named “oracle”, nor does it cover how to set environment variables. Both are adequately covered in Chapter 2 “Oracle Database Pre-installation Requirements” of the 11gR2 Installation Guide manual.

You can download Oracle 11.2.0.4 software from My Oracle Support (patch 13390677)

SCOPE

This procedure is meant for those planning/installing Oracle 11gR2 RDBMS release 11.2.0.4.0 (or higher 11.2.0.x version) on Red Hat Enterprise Linux 7.0 (or higher 7.x version) on the 64-bit (x86-64) platform. Since it is the expressed goal to keep Oracle Linux (OL) functionally IDENTICAL to RHEL, this NOTE is also completely applicable to 64-bit (x86-64) OL 7.0 (or higher 7.x version).

This procedure is not meant for those planning/installing Grid Infrastructure (GI) or any other Oracle products.

DETAILS

Requirements for installing Oracle 11gR2 RDBMS release 11.2.0.4 64-bit on RHEL7 or OL7 64-bit (x86_64)

I. Hardware:
===========
1. Minimum Hardware Requirements
a.) At least 1.0 GB (1024MB) of physical RAM
b.) Swap disk space proportional to the system’s physical memory as follows:

 

RAM                       Swap Space
Between 1 GB and 2 GB     1.5 times the size of RAM
Between 2 GB and 16 GB    Equal to the size of RAM
More than 16 GB           16 GB

 

NOTE: The above recommendations (from the 11.2 Database installation guide) are MINIMUM recommendations for installations. Further RAM and swap space may be required to tune/improve RDBMS performance.

c.) 1.0 GB (1024MB) of disk space (and less than 2TB of disk space) in the /tmp directory.
d.) approximately 4.4 GB of local disk space for the database software.
e.) approximately 1.7 GB of disk space for a preconfigured database that uses file system storage (optional).

2. Refer Note:236826.1 for details on certified filesystems for Oracle Database.

II. Software:
============
1. As is specified in section 1.3.2 of the Oracle Database Installation Guide for 11gR2 on Linux (part number E24321-02), Oracle recommends that you install the Linux operating system with the default software packages (RPMs) and do not customize the RPMs during installation. For additional information on “default-RPMs”, please see Note 376183.1, “Defining a “default RPMs” installation of the RHEL OS” or Note 401167.1, “Defining a “default RPMs” installation of the Oracle Enterprise Linux (OEL) OS”.

2. Linux Kernel Requirements

Oracle Linux 7.0 

  • Oracle Linux 7 with Unbreakable Enterprise Kernel : 3.8.13-33.el7uek.x86_64 or later
  • Oracle Linux 7 with the Red Hat Compatible kernel : 3.10.0-54.0.1.el7.x86_64 or later

Red Hat Enterprise Linux Server 7.0

  • Red Hat Enterprise Linux 7 : 3.10.0-54.0.1.el7.x86_64 or later

NOTE:

  • RHEL7 servers must be running Red Hat kernel 3.10.0-54.0.1.el7 (x86_64) or higher or 3.8.13-33.el7uek (x86_64) or higher with UEK kernel. OL7 servers must also be running kernel 3.8.13-33.el7uek (x86_64) or higher version. The product RHEL does not deliver UEK Kernel. Only in OL 7 UEK and RHCK Kernel is included.
  • It is observed there are hang issues in RHEL 7 with many CPU cores and more RAM, because NUMA was enabled. As a workaround, it is recommended to turn off NUMA.

3. Required OS Components (per Release Notes, and Install Guide)

a.) The exact version number details of this list are based upon 64-bit (x86_64) RHEL 7.0. When a higher “update” level is used, the RPM release numbers (such as 4.4.4-13) may be slightly different. Since updates of RHEL 7 are certified, this is fine so long as you are still using 64-bit Linux (x86_64) RHEL 7 RPMs.
b.) Some of the Install Guide requirements will already be present from the “default-RPMs” foundation of Linux that you started with:

 

compat-libstdc++-33-3.2.3
binutils-2.23.52.0.1-12.el7.x86_64
compat-libcap1-1.10-3.el7.x86_64
gcc-4.8.2-3.el7.x86_64
gcc-c++-4.8.2-3.el7.x86_64
glibc-2.17-36.el7.x86_64
glibc-devel-2.17-36.el7.x86_64
ksh
libaio-0.3.109-9.el7.x86_64
libaio-devel-0.3.109-9.el7.x86_64
libgcc-4.8.2-3.el7.x86_64
libstdc++-4.8.2-3.el7.x86_64
libstdc++-devel-4.8.2-3.el7.x86_64
libXi-1.7.2-1.el7.x86_64
libXtst-1.2.2-1.el7.x86_64
make-3.82-19.el7.x86_64
sysstat-10.1.5-1.el7.x86_64

4. Additional Required OS Components (per the runInstaller OUI)
a.) intentionally blank

5. Additional Required OS Components (per this NOTE)
a.) Please do not rush, skip, or minimize this critical step. This list is based upon a “default-RPMs” installation of 64-bit (x86_64) RHEL 6. Additional RPMs (beyond anything known to Oracle) may be needed if a “less-than-default-RPMs” installation of 64-bit (x86_64) RHEL Server 6 is performed. For more information, please refer to Note 376183.1, “Defining a “default RPMs” installation of the RHEL OS” or Note 401167.1, “Defining a “default RPMs” installation of the Oracle Enterprise Linux (OEL) OS”.
b.) Several RPMs will be required as prerequisites to those listed in section II.3.c:  

cpp-4.8.2-16.el7.x86_64
glibc-headers-2.17-55.el7.x86_64
mpfr-3.1.1-4.el7.x86_64

6. Oracle Global Customer Support has noticed a recent trend with install problems that originates from installing too many RPMs. For example:
a.) installing your own JDK version (prior to executing the Oracle Software runInstaller) is not needed on Linux, and is not recommended on Linux. A pre-existing JDK often interferes with the correct JDK that the Linux Oracle Software runInstaller will place and use.
b.) installing more than the required version of the gcc / g++ RPMs often leads to accidentally using (aka enabling or activating) the incorrect one. If you have multiple RDBMS versions installed on the same Linux machine, then you will likely have to manage multiple versions of gcc /g++ . For more information, please see Note 444084.1, “Multiple gcc / g++ Versions in Linux”

7. All of the RPMs in section II. are on the Red Hat Enterprise Linux 7 64-bit (x86_64) distribution media.

III. Environment:
================
1. Modify your kernel settings in /etc/sysctl.conf (RedHat) as follows. If the current value for any parameter is higher than the value listed in this table, do not change the value of that parameter. Range values (such as net.ipv4.ip_local_port_range) must match exactly. 

kernel.shmall = physical RAM size / pagesize For most systems, this will be the value 2097152. See Note 301830.1 for more information.
kernel.shmmax = 1/2 of physical RAM. This would be the value 2147483648 for a system with 4GB of physical RAM. See Note:567506.1 for more information.
kernel.shmmni = 4096
kernel.sem = 250 32000 100 128
fs.file-max = 512 x processes (for example 6815744 for 13312 processes)
fs.aio-max-nr = 1048576
net.ipv4.ip_local_port_range = 9000 65500
net.core.rmem_default = 262144
net.core.rmem_max = 4194304
net.core.wmem_default = 262144
net.core.wmem_max = 1048576

2. To activate these new settings into the running kernel space, run the “sysctl -p” command as root.

3. Set Shell Limits for the oracle User. Assuming that the “oracle” Unix user will perform the installation, do the following:

a.) Add the following settings to /etc/security/limits.conf

oracle soft nproc 2047
oracle hard nproc 16384
oracle soft nofile 1024
oracle hard nofile 65536
oracle soft stack 10240

b.) Verify the latest version of PAM is loaded, then add or edit the following line in the /etc/pam.d/login file, if it does not already exist: 

session required pam_limits.so

c.) Verify the current ulimits, and raise if needed.  This can be done many ways…adding the following lines to /etc/profile is the recommended method: 

# Raise the process and open-file limits for the oracle user at login
if [ "$USER" = "oracle" ]; then
    if [ "$SHELL" = "/bin/ksh" ]; then
        ulimit -u 16384
        ulimit -n 65536
    else
        ulimit -u 16384 -n 65536
    fi
fi

 

4. The gcc-4.4.4 and gcc-c++-4.4.4 RPM items above will ensure that the correct gcc / g++ versions are installed. It is also required that you ensure that these correct gcc / g++ versions are active, and in-use. Ensure that the commands “gcc --version” and “g++ --version” each return “4.8.2”.

 

5. If any Java packages are installed on the system, unset the Java environment variables, for example JAVA_HOME.

6. The oracle account that is used to install Oracle 11.2.0.4 should not have the Oracle install related variables set by default. For example setting ORACLE_HOME, PATH, LD_LIBRARY_PATH to include Oracle binaries in .profile, .login file and /etc/profile.d should be completely avoided.
a.) Setting $ORACLE_BASE (not $ORACLE_HOME) is recommended, since it eases a few prompts in the OUI runInstaller tool.
b.) Following the successful install, it is recommended to set $ORACLE_HOME, and to set $PATH to include $ORACLE_HOME/bin at the beginning of the $PATH string.

7. By default, RHEL 7 x86_64 Linux is installed with SELinux as “enforcing”. This is fine for the 11gR2 installation process. However, to subsequently run “sqlplus”, switch SELinux to the “Permissive” mode. See NOTE 454196.1, “./sqlplus: error on libnnz11.so: cannot restore segment prot after reloc” for more details.

UPDATE: Internal testing suggests that there is no problem running “sqlplus” with SELinux in “enforcing” mode on RHEL7/OL7. The problem only affects RHEL5/OL5.

8. Log in as Oracle user and start the installation as follows: 

$ ./runInstaller -ignorePrereq

a.) It is best practice not to use any form of “su” to start the runInstaller, in order to avoid potential display-related problems.
b.) When performing the 11.2.0.4 installation, make sure to use the “runInstaller” version that comes with 11.2.0.4 software.
c.) When performing any subsequent 11.2.0.x patchset, make sure to use the “runInstaller” version that comes with the patchset.

Known Issue :

01) The installer needs to be launched with “-ignorePrereq” option due to unpublished bug 19947777. This issue occurs since Oracle Linux 7 was not released when Oracle database 11.2.0.4 was made available and hence was not certified. However, Oracle 11.2.0.4 is now certified on OL7. Refer Note 1962046.1 for details.

02) Compilation of target ‘relink_exe’ fails with an “undefined reference to symbol ‘B_DestroyKeyObject’” error, which is reported in unpublished bug 19692824. The solution is to install patch 19692824 as documented in Note 1965691.1.
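
The rule in section III.1 above (a current value higher than the listed one is left alone, range values must match exactly) can be checked mechanically. This is an added example, not part of Oracle's note; the function names and the sample values are constructed for illustration, and the host-dependent parameters (kernel.shmall, kernel.shmmax, fs.file-max) are left out.

```shell
#!/bin/sh
# Added example: audit sysctl values against the fixed settings in section III.1.
# Host-dependent values (kernel.shmall, kernel.shmmax, fs.file-max) are left out.

# Requirement table: name, rule, value(s).
#   min   = at least this value (a higher current value is left alone)
#   exact = range values that must match exactly
required_settings() {
    cat <<'EOF'
kernel.shmmni min 4096
kernel.sem min 250 32000 100 128
fs.aio-max-nr min 1048576
net.ipv4.ip_local_port_range exact 9000 65500
net.core.rmem_default min 262144
net.core.rmem_max min 4194304
net.core.wmem_default min 262144
net.core.wmem_max min 1048576
EOF
}

# Constructed sample in sysctl.conf format, not taken from a real host.
sample_sysctl() {
    cat <<'EOF'
# constructed sample values
kernel.shmmni = 4096
kernel.sem = 250 32000 32 128
fs.aio-max-nr = 3145728
net.ipv4.ip_local_port_range = 32768 60999
net.core.rmem_default = 262144
net.core.rmem_max = 4194304
net.core.wmem_default = 212992
EOF
}

# audit_sysctl [FILE]: reads "key = value" lines from FILE (or stdin), as found
# in /etc/sysctl.conf or printed by `sysctl -a`, and prints one status line per
# required parameter: OK, LOW, MISMATCH or MISSING.
audit_sysctl() {
    { required_settings; echo '---'; cat "${1:--}"; } | awk '
    !in_conf && $0 == "---" { in_conf = 1; next }
    !in_conf {                                   # requirement table row
        key = $1; rule[key] = $2; order[++n] = key
        want[key] = $3
        for (i = 4; i <= NF; i++) want[key] = want[key] " " $i
        next
    }
    /^[ \t]*([#;]|$)/ { next }                   # comment or blank line
    {
        eq = index($0, "=")
        if (eq == 0) next
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/[ \t]/, "", key)
        gsub(/[ \t]+/, " ", val); sub(/^ /, "", val); sub(/ $/, "", val)
        have[key] = val                          # the last assignment wins
    }
    END {
        for (j = 1; j <= n; j++) {
            key = order[j]
            if (!(key in have)) {
                print "MISSING " key " (need " want[key] ")"
                continue
            }
            nw = split(want[key], w, " "); nh = split(have[key], h, " ")
            status = "OK"
            if (nw != nh) {
                status = "MISMATCH"
            } else {
                for (i = 1; i <= nw; i++) {
                    if (rule[key] == "exact" && h[i] + 0 != w[i] + 0) status = "MISMATCH"
                    if (rule[key] == "min" && h[i] + 0 < w[i] + 0) status = "LOW"
                }
            }
            print status " " key " = " have[key] " (need " want[key] ")"
        }
    }'
}

# Demonstration on the constructed sample.
sample_sysctl | audit_sysctl
```

On a host, `sysctl -a | audit_sysctl` checks the running kernel and `audit_sysctl /etc/sysctl.conf` checks what the next `sysctl -p` would apply.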

ADDITIONAL NOTES
----------------
1. Supported distributions of the 32-bit (x86) Linux OS can run on AMD64/EM64T and Intel Processor Chips that adhere to the x86_64 architecture
a.) Oracle 32-bit Database Server running on AMD64/EM64T with 32-bit OS is supported, but is NOT covered by this NOTE.
b.) Oracle 32-bit Database Server running on AMD64/EM64T with 64-bit OS is not certified and is not supported.
c.) Oracle 32-bit Database Client running on AMD64/EM64T with 64-bit OS is expected to be supported, but is NOT covered by this NOTE.

2. Asynchronous I/O on ext2 and ext3 file systems is supported if your scsi/fc driver supports that functionality. 

Note : Asynchronous I/O on Ext4 file system is supported with Oracle 10g onwards on OEL5.6 and later.
Reference : Oracle Linux, Filesystem & I/O Type Supportability (Note 279069.1)

3. No extra patch is required for the DIRECTIO support for x86_64.

4. No LD_ASSUME_KERNEL value should be used with the 11gR2 product.

5. The following rpm command can be used to distinguish between a 32-bit or 64-bit package.   

# rpm -qa --queryformat "%{NAME}-%{VERSION}-%{RELEASE} (%{ARCH})\n" | grep glibc-devel
glibc-devel-2.12-1.7(x86_64)
glibc-devel-2.12-1.7(i686)

Installation walk-through – Oracle Grid/RAC 11.2.0.4 on Oracle Linux 7 (Doc ID 1951613.1)

APPLIES TO:
Oracle Database – Enterprise Edition – Version 11.2.0.4 to 11.2.0.4 [Release 11.2]
Oracle Database Cloud Schema Service – Version N/A and later
Oracle Database Exadata Cloud Machine – Version N/A and later
Oracle Cloud Infrastructure – Database Service – Version N/A and later
Oracle Database Backup Service – Version N/A and later
Linux x86-64

PURPOSE

This document aims to provide clarity on the installation/patching processes required while installing Oracle Grid 11.2.0.4.0 and Oracle RAC 11.2.0.4.0 on Oracle Linux 7 by providing details on the steps taken to complete an example installation. For general recommendations, refer to Note 1962100.1 “Requirements for Installing Oracle 11.2.0.4 RDBMS on OL7 or RHEL7 64-bit (x86-64)”

SCOPE
This document is intended to complement the official Oracle documentation. If there are any incompatibilities between this document and the official Oracle documentation, they are unintentional, and should be ignored. This document is not meant to be a substitute for official documentation; care should be taken to ensure that all official documentation is reviewed thoroughly.

DETAILS
Operating System Installation & Setup – Recommendations

Yum Repository
Set up public-yum repository and enable the latest AddOns channels, e.g.

# cat /etc/yum.repos.d/public-yum-ol7.repo
[ol7_latest]
name=Oracle Linux $releasever Latest ($basearch)
baseurl=http://public-yum.oracle.com/repo/OracleLinux/OL7/latest/$basearch/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
gpgcheck=1
enabled=1

[ol7_addons]
name=Oracle Linux $releasever Add ons ($basearch)
baseurl=http://public-yum.oracle.com/repo/OracleLinux/OL7/addons/$basearch/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
gpgcheck=1
enabled=1

 

11gR2 preinstall RPM
Install 11gR2 preinstall rpm. The preinstall rpm installs all dependencies for the Oracle RDBMS server installation, and creates the oracle user and the dba and oinstall groups.

Oracle ASMLib
Download the certified oracleasmlib package from OTN (http://www.oracle.com/technetwork/server-storage/linux/asmlib/ol7-2352094.html)

Install oracleasm packages if oracleasmlib is to be used

 

yum install oracleasm-support.x86_64 oracleasmlib-2.0.8-2.el7.x86_64.rpm

 

Oracle Automatic Storage Management Cluster File System (Oracle ACFS)
For details on ACFS support, including required patches, refer to Note 1369107.1 (ACFS Support On OS Platforms (Certification Matrix))

Disk Naming Consistency
For consistent disk naming, install device-mapper-multipath along with associated dependencies (device-mapper-multipath-libs.x86_64)

 

yum install device-mapper-multipath

 

Multipathing

Start multipathd, and verify status e.g.

 

[root@xxxx ~]# systemctl start multipathd
[root@xxxx ~]# systemctl status multipathd


SELinux
Disable, e.g.

setenforce 0

Oracle Grid Infrastructure – Installation Notes
Patch 19404309

Note: It is presumed that the user has already reviewed the Oracle Grid Infrastructure Installation Guide and associated Release Notes; instructions and/or recommendations from those documents will not be repeated here.

After downloading the Oracle Grid Infrastructure software, and before attempting any installation, download Patch 19404309 from My Oracle Support, and apply the patch using the instructions in the patch README.

Patch 18370031

Download Patch 18370031 from My Oracle Support. Then, start an interactive Oracle Grid Infrastructure installation through the Oracle Universal Installer (OUI), but do not execute root.sh on any node until after the application of Patch 18370031. When the OUI prompts the user to execute the root.sh scripts*, Patch 18370031 should be applied by following the instructions in Section 2.3, Case 5 – Patching a Software Only GI Home Installation or Before the GI Home Is Configured – of the patch README. Note: The README should be reviewed in full, as it contains other requirements (e.g. upgrading OPatch, etc.).

* If executing a software-only installation, the patch should be applied after the installation concludes, but before any configuration is attempted.

Once Patch 18370031 has been applied, proceed with the remainder of the installation (or configuration).

Oracle Database/RAC – Installation Notes
Note: As the title suggests, this section applies both to installations of Oracle Database and Oracle Real Application Clusters (RAC).

Patch 19404309
Note: It is presumed that the user has already reviewed the Oracle Database, Oracle RAC Installation Guides and associated Release Notes; instructions and/or recommendations from those documents will not be repeated here.

After downloading the Oracle Database/RAC software, and before attempting any installation, download Patch 19404309 from My Oracle Support, and apply the patch using the instructions in the patch README.

Patch 19692824
During installation of Oracle Database or Oracle RAC on OL7, the following linking error may be encountered:

 

Error in invoking target ‘agent nmhs’ of makefile ‘<ORACLE_HOME>/sysman/lib/ins_emagent.mk’. See ‘<installation log>’ for details.

If this error is encountered, the user should select Continue. Then, after the installation has completed, the user must download Patch 19692824 from My Oracle Support and apply it per the instructions included in the patch README.

Installation/Home Cloning
Note: It may be possible to perform the above steps once, then use Oracle’s cloning technology to clone the installation/home. Further details are available in the cloning sections of the relevant Administration and Deployment guides:

Cloning Oracle Clusterware

Cloning Oracle RAC to Nodes in a New Cluster

Cloning Oracle Software

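Recovering an Oracle database encrypted by the Devos ransomware

A user's Oracle database was hit by the Devos ransomware (malware that appends the .Devos suffix), and all of its data files were encrypted.

Files encrypted by this ransomware are renamed in the form SYSTEM01.DBF.id[2245DCEC-2700].[geerban@email.tg].Devos. The data in them can be recovered with the PRM-DUL recovery tool; for a demonstration video, see: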

https://zcdn.parnassusdata.com/prm%20dul%20recover%20malware%20ransomware%20corrupted%20oracle%20datafile.mp4

 

PRM-DUL portable edition with a bundled Java runtime

https://zcdn.parnassusdata.com/DUL5108rc8_java.zip

 

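SYS_NC00$, SYS_C000$, SYS_STU, SYS_STS and virtual columns in Oracle

SYS_NC00 is a system-generated auxiliary column that appears in large numbers in user tables from Oracle 12c onward. It mainly appears together with the following features: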

 

  • row archival;
  • create index t_i on t(upper(v)); (function-based index)
  • alter table xxx add (b integer default 1); (default value)

 

property:

0x0008 = virtual column(old)

0x0020 = hidden column(old)

0x00010000 = expression column(new)

default$: is overloaded to store index expression

name: is system generated. It is SYS_NC<5 digit intcol#>$

 

SYS_C000$ appears together with the following feature:

Any constraint created without an explicit name

 

CONSTRAINT constraint_name
Specify a name for the constraint. If you omit this identifier, then Oracle Database generates a name with the form SYS_Cn. Oracle stores the name and the definition of the integrity constraint in the USER_, ALL_, and DBA_CONSTRAINTS data dictionary views (in the CONSTRAINT_NAME and SEARCH_CONDITION columns, respectively).

 

The references_clause of the ref_constraint syntax lets you define a foreign key constraint on the REF column. This clause also implicitly restricts the scope of the REF column or attribute to the referenced table. However, whereas a foreign key constraint on a non-REF column references an actual column in the parent table, a foreign key constraint on a REF column references the implicit object identifier column of the parent table.

If you do not specify a constraint name, then Oracle generates a system name for the constraint of the form SYS_Cn.

https://docs.oracle.com/cd/B19306_01/server.102/b14200/clauses002.htm#sthref2891

 

 

SYS_STU and SYS_STS appear together with multi-column statistics. STU denotes multi-column statistics created by the user; SYS_STS names are system generated, from the DECODE in ALL_STAT_EXTENSIONS.

 

Create column groups for the customers_test table based on the usage information captured during the monitoring window.

For example, run the following query:

SELECT DBMS_STATS.CREATE_EXTENDED_STATS(user, 'customers_test') FROM DUAL;
Sample output appears below:

###########################################################################
EXTENSIONS FOR SH.CUSTOMERS_TEST
…………………………..
1. (CUST_CITY, CUST_STATE_PROVINCE,
COUNTRY_ID) :SYS_STUMZ$C3AIHLPBROI#SKA58H_N created
2. (CUST_STATE_PROVINCE, COUNTRY_ID):SYS_STU#S#WF25Z#QAHIHE#MOFFMM_ created
###########################################################################
The database created two column groups for customers_test: one column group for the filter predicate and one group for the GROUP BY operation.

 

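For virtual columns created by the user, the property value in SYS.COL$ is generally equal to 65544.

Meaning of the IN-OUT column in Oracle execution plans

The In-Out column shows the serial and parallel input/output behavior of each execution step.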

 

 

SERIAL (blank): Serial execution. Currently, SQL is not loaded in the OTHER column for this case.
SERIAL_FROM_REMOTE (S -> R): Serial execution at a remote site.
PARALLEL_FROM_SERIAL (S -> P): Serial execution. Output of step is partitioned or broadcast to parallel execution servers.
PARALLEL_TO_SERIAL (P -> S): Parallel execution. Output of step is returned to serial QC process.
PARALLEL_TO_PARALLEL (P -> P): Parallel execution. Output of step is repartitioned to second set of parallel execution servers.
PARALLEL_COMBINED_WITH_PARENT (PWP): Parallel execution; Output of step goes to next step in same parallel process. No interprocess communication to parent.
PARALLEL_COMBINED_WITH_CHILD (PWC): Parallel execution. Input of step comes from prior step in same parallel process. No interprocess communication from child.
https://docs.oracle.com/database/121/TGSQL/tgsql_interp.htm#TGSQL94734

 

Transaction recovery: lock conflict caught and ignored

 

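A user on 11g previously saw a large number of "Transaction recovery: lock conflict caught and ignored" messages in alert.log, together with heavy redo generation; the AWR report showed a large number of db block changes on the UNDO$ base table.

The following approaches can be tried for this problem:

1. Find the dead transaction and clean up the related objects, as described in https://dba010.com/2013/04/30/transaction-recovery-lock-conflict-caught-and-ignored/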

 

 

ALERT.LOG:
.....
Transaction recovery: lock conflict caught and ignored
.....
And also some incident files are being created in $ORACLE_BASE/diag/rdbms/dbname/instancename/incident folder.
In my case the error started after SUPPLEMENTAL LOGGING enabled in a RAC environment. After disabling it the messages have not disappeared, but incident files are no longer being created.
1. Dead Transaction
SQL> select b.name useg, b.inst# instid, b.status$ status, a.ktuxeusn
xid_usn, a.ktuxeslt xid_slot, a.ktuxesqn xid_seq, a.ktuxesiz undoblocks,
a.ktuxesta txstatus
from x$ktuxe a, undo$ b
where a.ktuxecfl like '%DEAD%'
and a.ktuxeusn = b.us#;
USEG	INSTID	STATUS	XID_USN	XID_SLOT	XID_SEQ	UNDOBLOCKS	TXSTATUS
_SYSSMU7_881277423$	1	3	7	13	1829999	1	ACTIVE
_SYSSMU8_4204495590$	1	3	8	32	3045564	1	ACTIVE
_SYSSMU10_1314081219$	1	3	10	3	11844457	1	ACTIVE
Transaction id is  XID_USN.XID_SLOT.XID_SEQ
So in our case, for the first row it will be 7.13.1829999
2.  Read transaction table from undo header.
ALTER SYSTEM DUMP UNDO HEADER '_SYSSMU7_881277423$';
….
TRN TBL::
index  state cflags  wrap#    uel         scn            dba            parent-xid    nub     stmt_num    cmt
------------------------------------------------------------------------------------------------
0x00    9    0x03  0x1bf45c  0x000b  0x0000.789de808  0x00c242eb  0x0000.000.00000000  0x00000001   0x00c242eb  1367258143
0x01    9    0x00  0x1c031b  0x0014  0x0000.789e6018  0x00c242fa  0x0000.000.00000000  0x00000001   0x00000000  1367258225
0x02    9    0x00  0x1c147a  0x000e  0x0000.789e694b  0x00c242fa  0x0000.000.00000000  0x00000001   0x00000000  1367258230
0x03    9    0x00  0x1c06f9  0x0016  0x0000.789e601c  0x00c242fa  0x0000.000.00000000  0x00000001   0x00000000  1367258225
0x04    9    0x00  0x1c06c8  0x0009  0x0000.789e3566  0x00c242f9  0x0000.000.00000000  0x00000001   0x00000000  1367258192
0x05    9    0x00  0x1c1167  0x0015  0x0000.789e357f  0x00c242ec  0x0000.000.00000000  0x00000001   0x00000000  1367258192
0x06    9    0x00  0x1c2716  0x0017  0x0000.789e69e1  0x00c242fa  0x0000.000.00000000  0x00000001   0x00000000  1367258230
0x07    9    0x00  0x1c1045  0x000c  0x0000.789e1bdb  0x00c242eb  0x0000.000.00000000  0x00000001   0x00000000  1367258170
0x08    9    0x00  0x1c2614  0x0005  0x0000.789e357e  0x00c242ec  0x0000.000.00000000  0x00000001   0x00000000  1367258192
0x09    9    0x00  0x1bfa03  0x0021  0x0000.789e3574  0x00c242f9  0x0000.000.00000000  0x00000001   0x00000000  1367258192
0x0a    9    0x00  0x1bf712  0x001e  0x0000.789e3246  0x00c242f1  0x0000.000.00000000  0x00000001   0x00000000  1367258190
0x0b    9    0x00  0x1c1e01  0x0007  0x0000.789e1bd9  0x00c242eb  0x0000.000.00000000  0x00000001   0x00000000  1367258170
0x0c    9    0x00  0x1c08e0  0x000a  0x0000.789e3244  0x00c242f1  0x0000.000.00000000  0x00000006   0x00000000  1367258190
0x0d   10    0x90  0x1bec6f  0x0038  0x0000.789e783e  0x00c242fb  0x0000.000.00000000  0x00000001   0x00c242fb  0
0x0e    9    0x00  0x1c068e  0x0010  0x0000.789e694d  0x00c242fa  0x0000.000.00000000  0x00000001   0x00000000  1367258230
0x0f    9    0x00  0x1c151d  0x0012  0x0000.789e3578  0x00c242ec  0x0000.000.00000000  0x00000001   0x00000000  1367258192
0x10    9    0x00  0x1c26bc  0x0006  0x0000.789e69df  0x00c242fa  0x0000.000.00000000  0x00000001   0x00000000  1367258230
0x11    9    0x00  0x1c16eb  0x0000  0x0000.789cbd77  0x00c242eb  0x0000.000.00000000  0x00000001   0x00000000  1367257923
0x12    9    0x00  0x1c082a  0x001d  0x0000.789e357c  0x00c242ec  0x0000.000.00000000  0x00000001   0x00000000  1367258192
0x13    9    0x00  0x1c1459  0x001f  0x0000.789e7891  0x00c242fc  0x0000.000.00000000  0x00000001   0x00000000  1367258238
0x14    9    0x00  0x1c14b8  0x0003  0x0000.789e601a  0x00c242fa  0x0000.000.00000000  0x00000001   0x00000000  1367258225
0x15    9    0x00  0x1c0457  0x0020  0x0000.789e39d3  0x00c242ec  0x0000.000.00000000  0x00000001   0x00000000  1367258195
0x16    9    0x00  0x1c1326  0x0002  0x0000.789e601d  0x00c242fa  0x0000.000.00000000  0x00000001   0x00000000  1367258225
0x17    9    0x00  0x1c0db5  0x001c  0x0000.789e788a  0x00c242fc  0x0000.000.00000000  0x00000001   0x00000000  1367258238
0x18    9    0x00  0x1bffe4  0x001b  0x0000.789e400d  0x00c242fa  0x0000.000.00000000  0x00000001   0x00000000  1367258200
0x19    9    0x00  0x1c16e3  0x0001  0x0000.789e5fd2  0x00c242fa  0x0000.000.00000000  0x00000001   0x00000000  1367258225
0x1a    9    0x00  0x1bdbb2  0x0018  0x0000.789e400b  0x00c242fa  0x0000.000.00000000  0x00000001   0x00000000  1367258200
0x1b    9    0x00  0x1c1141  0x0019  0x0000.789e453a  0x00c242fa  0x0000.000.00000000  0x00000001   0x00000000  1367258204
0x1c    9    0x00  0x1bc9a0  0x0013  0x0000.789e788e  0x00c242fc  0x0000.000.00000000  0x00000001   0x00000000  1367258238
0x1d    9    0x00  0x1c02ef  0x0008  0x0000.789e357d  0x00c242ec  0x0000.000.00000000  0x00000001   0x00000000  1367258192
0x1e    9    0x00  0x1c0b6e  0x0004  0x0000.789e3250  0x00c242f9  0x0000.000.00000000  0x00000009   0x00000000  1367258190
0x1f    9    0x00  0x1c00ad  0xffff  0x0000.789e78a1  0x00c242fc  0x0000.000.00000000  0x00000001   0x00000000  1367258238
0x20    9    0x00  0x1c166c  0x001a  0x0000.789e39dd  0x00c242fa  0x0000.000.00000000  0x00000002   0x00000000  1367258195
0x21    9    0x00  0x1c160b  0x000f  0x0000.789e3576  0x00c242ec  0x0000.000.00000000  0x00000001   0x00000000  1367258192
EXT TRN CTL::
usn: 7
State# 10 means active transaction.
dba points to starting UNDO block address.
usn: Undo segment number
usn.index.wrap# gives transaction id.
An active transaction 0x0007.00d.001bec6f is available in slot 0x0d which has a dba of 0x00c242fb (12731131 in decimal)
3. Reading UNDO Block:
Identify fileID and blockID:
fileID:
select DBMS_UTILITY.DATA_BLOCK_ADDRESS_FILE(12731131) from x$dual;
3
blockID:
select DBMS_UTILITY.DATA_BLOCK_ADDRESS_BLOCK(12731131) from x$dual;
148219
Dumping block
alter system dump datafile 3 block 148219;
UNDO BLK: 
xid: 0x0007.00d.001bec6f  seq: 0x41f9 cnt: 0x6   irb: 0x5   icl: 0x0   flg: 0x0000
Rec Offset      Rec Offset      Rec Offset      Rec Offset      Rec Offset
—————————————————————————
0x01 0x1f98     0x02 0x1f2c     0x03 0x1d7c     0x04 0x1d10     0x05 0x1ca0    
0x06 0x1bfc    
*—————————–
* Rec #0x1  slt: 0x0d  objn: 0(0x00000000)  objd: 0  tblspc: 0(0x00000000)
*       Layer:   5 (Transaction Undo)   opc: 7  rci 0x00  
Undo type:  Regular undo    Begin trans    Last buffer split:  No
Temp Object:  No
Tablespace Undo:  No
rdba: 0x00000000Ext idx: 0
flg2: 0
*—————————–
uba: 0x00c242fa.41f9.37 ctl max scn: 0x0000.789b7668 prv tx scn: 0x0000.789bb8d7
txn start scn: scn: 0x0000.789e783e logon user: 88
prev brb: 12731116 prev bcl: 0
*—————————–
* Rec #0x2  slt: 0x0d  objn: 110769(0x0001b0b1)  objd: 110769  tblspc: 6(0x00000006)
*       Layer:  11 (Row)   opc: 1  rci 0x00  
Undo type:  Regular undo    User Undo Applied  Last buffer split:  No
Temp Object:  No
Tablespace Undo:  No
rdba: 0x00000000
*—————————–
KDO undo record:
KTB Redo
op: 0x04  ver: 0x01 
compat bit: 4 (post-11) padding: 1
op: L  itl: xid:  0x0012.01c.00322281 uba: 0x0102c5f0.3fa9.0a
flg: C—    lkc:  0     scn: 0x0000.789ca3f4
KDO Op code: LKR row dependencies Disabled
xtype: XA flags: 0x00000000  bdba: 0x038180fc  hdba: 0x018d64e2
itli: 1  ispac: 0  maxfr: 4858
tabn: 0 slot: 14 to: 0
*—————————–
* Rec #0x3  slt: 0x0d  objn: 110769(0x0001b0b1)  objd: 110769  tblspc: 6(0x00000006)
*       Layer:  11 (Row)   opc: 1   rci 0x02  
Undo type:  Regular undo    User Undo Applied  Last buffer split:  No
Temp Object:  No
Tablespace Undo:  No
rdba: 0x00000000
*—————————–
KDO undo record:
KTB Redo
op: 0x02  ver: 0x01 
compat bit: 4 (post-11) padding: 1
op: C  uba: 0x00c242fb.41f9.02
KDO Op code: URP row dependencies Disabled
xtype: XA flags: 0x00000000  bdba: 0x038180fc  hdba: 0x018d64e2
itli: 1  ispac: 0  maxfr: 4858
tabn: 0 slot: 14(0xe) flag: 0x2c lock: 1 ckix: 0
ncol: 9 nnew: 6 size: 0
col  1: [ 7]  78 71 04 1d 13 01 01
col  2: [ 2]  c1 13
col  3: [ 1]  80
col  4: [16]  10 e5 00 2e 10 d1 10 d0 10 d7 10 e3 10 db 10 d8
col  5: [174]
10 d0 10 ed 10 d0 10 e0 10 d8 10 e1 00 20 10 d0 00 2e 10 e0 00 2e 00 20 10
de 10 e0 10 dd 10 d9 10 e3 10 e0 10 d0 10 e2 10 e3 10 e0 10 d8 10 e1 00 20
10 e1 10 d0 10 d2 10 d0 10 db 10 dd 10 eb 10 d8 10 d4 10 d1 10 dd 00 20 10
dc 10 d0 10 ec 10 d8 10 da 10 d8 10 e1 00 20 10 e3 10 e4 10 e0 10 dd 10 e1
00 20 10 d2 10 d0 10 db 10 dd 10 db 10 eb 10 d8 10 d4 10 d1 10 d4 10 da 10
e1 00 20 10 d1 10 d0 10 e2 10 dd 10 dc 00 20 10 d2 10 d8 10 dd 10 e0 10 d2
10 d8 00 20 10 de 10 d4 10 e0 10 d0 10 dc 10 d8 10 eb 10 d4 10 e1 00 2e
col  6: [36]
00 54 00 01 04 0c 00 00 00 02 00 00 00 01 00 00 09 07 b0 63 00 10 09 00 00
00 00 00 00 00 00 00 00 00 00 00
*—————————–
* Rec #0x4  slt: 0x0d  objn: 89834(0x00015eea)  objd: 93214  tblspc: 6(0x00000006)
*       Layer:  11 (Row)   opc: 1   rci 0x03  
Undo type:  Regular undo    User Undo Applied  Last buffer split:  No
Temp Object:  No
Tablespace Undo:  No
rdba: 0x00000000
*—————————–
KDO undo record:
KTB Redo
op: 0x04  ver: 0x01 
compat bit: 4 (post-11) padding: 1
op: L  itl: xid:  0x000c.017.000d65d6 uba: 0x0103df2c.22a5.20
flg: C—    lkc:  0     scn: 0x0000.789c4694
KDO Op code: LKR row dependencies Disabled
xtype: XA flags: 0x00000000  bdba: 0x03833994  hdba: 0x0181f832
itli: 1  ispac: 0  maxfr: 4858
tabn: 0 slot: 7 to: 0
*—————————–
* Rec #0x5  slt: 0x0d  objn: 89834(0x00015eea)  objd: 93214  tblspc: 6(0x00000006)
*       Layer:  11 (Row)   opc: 1  rci 0x04  
Undo type:  Regular undo   Last buffer split:  No
Temp Object:  No
Tablespace Undo:  No
rdba: 0x00000000
*—————————–
KDO undo record:
KTB Redo
op: 0x02  ver: 0x01 
compat bit: 4 (post-11) padding: 1
op: C  uba: 0x00c242fb.41f9.04
KDO Op code: LMN row dependencies Disabled
xtype: XA flags: 0x00000000  bdba: 0x03833994  hdba: 0x0181f832
itli: 1  ispac: 0  maxfr: 4858
*—————————–
* Rec #0x6  slt: 0x0d  objn: 89703(0x00015e67)  objd: 92020  tblspc: 6(0x00000006)
*       Layer:  11 (Row)   opc: 1  rci 0x05  
Undo type:  Regular undo    User Undo Applied  Last buffer split:  No
Temp Object:  No
Tablespace Undo:  No
rdba: 0x00000000
*—————————–
KDO undo record:
irb points to last UNDO RECORD in UNDO block.
rci points to previous UNDO RECORD. if rci=0, it’s the first UNDO RECORD.
Recovery operation starts from irb and chain is followed by rci until rci is zero.
The transaction starts recovery from UNDO RECORD of 0x5.
4. Reading UNDO Records:
* Rec #0x5  slt: 0x0d  objn: 89834(0x00015eea)  objd: 93214  tblspc: 6(0x00000006)
*       Layer:  11 (Row)   opc: 1   rci 0x04  
….
* Rec #0x4  slt: 0x0d  objn: 89834(0x00015eea)  objd: 93214  tblspc: 6(0x00000006)
*       Layer:  11 (Row)   opc: 1   rci 0x03  
….
* Rec #0x3  slt: 0x0d objn: 110769(0x0001b0b1)  objd: 110769  tblspc: 6(0x00000006)
*       Layer:  11 (Row)   opc: 1   rci 0x02  
…
* Rec #0x2  slt: 0x0d  objn: 110769(0x0001b0b1)  objd: 110769  tblspc: 6(0x00000006)
*       Layer:  11 (Row)   opc: 1   rci 0x00  
…
objn means object id.
5. Find these objects
The following objects need recovery:
select * from dba_objects
where object_id in (89834,110769);
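Steps 2 to 5 above, as an added Python example (not part of the original page): it decodes the dba into file and block number, then follows rci back from irb to list the objects that need recovery. The sample text is constructed from the record headers of the dump above, and the function names are this example's own.

```python
import re

# Constructed sample: header line and record headers copied from the dump above,
# record bodies omitted. Rec #0x1 (transaction begin, objn 0) is left out.
SAMPLE = """\
xid: 0x0007.00d.001bec6f  seq: 0x41f9 cnt: 0x6   irb: 0x5   icl: 0x0   flg: 0x0000
* Rec #0x2  slt: 0x0d  objn: 110769(0x0001b0b1)  objd: 110769  tblspc: 6(0x00000006)
*       Layer:  11 (Row)   opc: 1  rci 0x00
* Rec #0x3  slt: 0x0d  objn: 110769(0x0001b0b1)  objd: 110769  tblspc: 6(0x00000006)
*       Layer:  11 (Row)   opc: 1   rci 0x02
* Rec #0x4  slt: 0x0d  objn: 89834(0x00015eea)  objd: 93214  tblspc: 6(0x00000006)
*       Layer:  11 (Row)   opc: 1   rci 0x03
* Rec #0x5  slt: 0x0d  objn: 89834(0x00015eea)  objd: 93214  tblspc: 6(0x00000006)
*       Layer:  11 (Row)   opc: 1  rci 0x04
* Rec #0x6  slt: 0x0d  objn: 89703(0x00015e67)  objd: 92020  tblspc: 6(0x00000006)
*       Layer:  11 (Row)   opc: 1  rci 0x05
"""

# A record header line followed (possibly on a later line) by its rci field.
REC = re.compile(
    r"Rec #0x([0-9a-f]+)\s+slt: 0x[0-9a-f]+\s+objn: (\d+).*?rci 0x([0-9a-f]+)", re.S)

def decode_dba(dba):
    """Split a data block address into (relative file#, block#): 10 bits / 22 bits."""
    return dba >> 22, dba & 0x3FFFFF

def parse_undo_block(text):
    """Return (irb, {rec#: (objn, rci)}) from an undo block dump."""
    irb = int(re.search(r"irb: 0x([0-9a-f]+)", text).group(1), 16)
    recs = {int(n, 16): (int(objn), int(rci, 16)) for n, objn, rci in REC.findall(text)}
    return irb, recs

def rollback_chain(text):
    """Follow rci from irb until rci is zero; return (record order, object ids)."""
    irb, recs = parse_undo_block(text)
    order, rec = [], irb
    while rec != 0:
        if rec in order or rec not in recs:   # loop or dangling pointer
            raise ValueError(f"broken undo chain at record {rec:#x}")
        order.append(rec)
        rec = recs[rec][1]
    objns = sorted({recs[r][0] for r in order if recs[r][0]})
    return order, objns

if __name__ == "__main__":
    print(decode_dba(0x00C242FB))
    print(rollback_chain(SAMPLE))
```

Rec #0x6 is never visited because the walk starts at irb (0x5), which is why object 89703 does not appear in the query above.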
………………………………………………………..
This problem is Oracle Bug:9857702:
.....
Affects:
Product (Component) Oracle Server (Rdbms)  
Range of versions believed to be affected Versions >= 11.1 but BELOW 12.1  
Versions confirmed as being affected
•11.2.0.1 
•11.1.0.7 
Platforms affected Generic (all / most platforms affected)  
Fixed:
This issue is fixed in
•12.1 (Future Release) 
•11.2.0.2 (Server Patch Set) 
•11.1.0.7.8 Patch Set Update 
•11.1.0.7 Patch 40 on Windows Platforms  
.....
6. Workaround:
Recreate objects that need recovery.
Or drop them :)

 

 

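2. Try setting FAST_START_PARALLEL_ROLLBACK=HIGH and see whether that resolves the problem.

3. Try setting event 10513 at LEVEL 2 to temporarily suppress rollback of the transaction.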

 

rman generate script set until time

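# Build an RMAN command file that restores and recovers up to the current time.
echo 'run {'  >  test2.cmd
# ALLOCATE CHANNEL needs a device type and a terminating semicolon;
# "disk" is an assumption here (use sbt for tape).
echo 'allocate channel t1 device type disk;' >> test2.cmd
echo 'set until time="to_date('\'''`date "+%Y-%m-%d %H:%M:%S"`''\'','\''YYYY-MM-DD hh24:mi:ss'\'')";' >> test2.cmd
# Double quotes keep the single quotes that RMAN requires around '+datadg'.
echo "set newname for database to '+datadg';"  >> test2.cmd
echo 'restore database;' >> test2.cmd
echo 'switch  datafile all;' >> test2.cmd
echo 'recover database;' >> test2.cmd
echo 'release channel t1;' >> test2.cmd
echo '}' >> test2.cmd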

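A few thoughts on NSFOCUS scanning for Oracle vulnerabilities

I recently read the article "The 'rip-off' NSFOCUS database vulnerability scanner: please be a bit more professional", and want to share a few personal views.

With ransomware incidents so frequent in China recently, a lot of customer-side staff in QQ groups have been asking about NSFOCUS scans.

The article's main point is that NSFOCUS's Oracle database vulnerability scan results are rather unreliable: even with the patches already installed, the scan still reports the vulnerabilities as present, which causes customer-side staff a lot of grief.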

 

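NSFOCUS claims to be the company with the largest share of the enterprise security market. It has its own products and services and covers security issues for almost every server and software product in an enterprise IT environment. As security has drawn more and more attention in recent years, security companies of this kind have indeed boomed along with it.

In 2013 I was on site at a provincial China Mobile branch, responsible for maintaining several dozen Oracle databases. Every quarter I received a vulnerability list from NSFOCUS. The first one had several thousand items; the head of the enterprise information department took it "very seriously" and had me investigate overnight and come up with a remediation plan. At the time most of the databases were on version 11203 with a fairly recent PSU installed, yet I found that the list still contained high-severity CVEs from 2009. I wondered: how could vulnerabilities that Oracle itself published in 2009 still not be fixed?

After checking with the vendor: first, Oracle does not recognize vulnerability scan results from any third-party software; second, NSFOCUS's scanning mechanism is crude and simplistic and has essentially no credibility. We later reached a consensus with the customer's DBAs: 1. install the latest PSU; 2. block NSFOCUS's scans by technical means.

I did not expect that now, in 2019, this problem would still exist. I don't know whether the product manager got arrested on holiday in Da Nang. Take a look at the feedback from the long-suffering DBAs who have been burned:

First, the "amateur" mechanism of the NSFOCUS scanner: it matches the database version number directly against Oracle's official CVE list and does not check the PSU. Come on, most technology companies are using AI and machine learning these days, and you are still defining an enterprise's information security score by matching a few digits against a table. That is just too "LOW"; what security is there to speak of?

It lists a big pile of vulnerabilities, high-severity ones in red, leaving management trembling, and I imagine NSFOCUS even thinks this makes it look impressive. Yet it offers no solution; at most it throws you an Oracle CVE link and leaves you to find the patches yourself, and the individual patches may even conflict with one another. Oh, and these are CPUs, -_-||

I have no words!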

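Advice for contractor-side DBAs:

1. Don't waste time hunting for individual patches one by one from an untrustworthy vulnerability list; just install the latest PSU (although best practice is the second-latest, and from 12.2 on it is the RU instead).

2. If you feel that won't satisfy management, or you are a perfectionist, you can restrict access from the NSFOCUS machine by means of firewalls, ports, database IP restrictions and the like;

3. Kick the "ball" over to the on-site NSFOCUS guys and let them explain to the customer and admit that this is a defect in the NSFOCUS scanning software;

4. Use a professional database inspection platform to check the databases, and investigate security issues from the database's perspective.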

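Advice for NSFOCUS:

1. I hope NSFOCUS will be a bit more professional, keep in mind its vision of "specializing in the craft" and truly "deliver on the trust placed in it", and not imitate the early 360 by scaring users with large numbers of high-severity vulnerabilities to show off its own meagre value;

2. Learn Oracle's patching strategy: understand the differences between one-off patches, CPU, PSU and RU, how major and minor versions relate, and which CVEs each of them fixes. If a vulnerability really exists, provide an expert remediation plan rather than hastily handing over a CVE link. I believe these requirements are relatively easy to meet, and we can provide support free of charge if needed;

3. Listen more to the industry and to user feedback, and iterate quickly to improve the product; otherwise, without core competitiveness, you will be replaced and overtaken in no time.

Finally, I sincerely appeal to the NSFOCUS team to fix the defects in its product as soon as possible and round out its features, so as to truly contribute more to information security in Chinese enterprises: "specialize in the craft, deliver on the trust placed in us".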

 

 

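The conclusion is that NSFOCUS should be more professional about scanning and improve its product.

In the comments, people associated with NSFOCUS rebutted the article, arguing that the NSFOCUS scan results were inaccurate because no authenticated (login) scan had been performed.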

 

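@OP, from your description you have been dealing with database vulnerabilities and vulnerability scanners since 2013, yet it seems that in all these years you have not studied how vulnerability scanners work, have not thought about why the false-positive problem has remained unsolved for so long, have not tried to work with the vendor on the scanning features, and have not considered the technical bottlenecks and difficulties facing domestic security vendors or offered any useful comments and suggestions. The whole piece is nothing but grumbling and endless complaining. It seems you have not improved in all these years, nor have you noticed others improving. I hope you will adjust your attitude and get on with solid work.

Thinking about security purely from a DBA's point of view is, frankly, pretty ignorant.
1. First understand how network-based vulnerability scanning works: liveness detection, application identification, sending probes and reading responses. How much information about the target can that actually obtain?
2. How authenticated scanning works: after logging in to the target, how much information can be obtained, and are commands executed? Under what circumstances is a PoC run?
3. A question for the OP: which major vendor's scanner can accurately determine Oracle vulnerabilities? If none of them can, have you thought about why? All you do here is rant.

Doesn't the OP know about authenticated scanning? A tip: NSFOCUS is said to have implemented authenticated scanning long ago. Has the OP never used it? No wonder he doesn't know about it and writes articles like this.

First, the banner returned by a remote scan does not include the patch level; second, there is also the authenticated scanning feature.
But more often the customer is unwilling to hand the database login to any contractor other than the database vendor. You reap what you sow: if you don't provide the password and the scan results are inaccurate, you have to live with it. So for sensitive things, the customer or the relevant vendor should do it themselves; don't blame everything on others, and don't fault others for your own inaction.

Scary. Six years and the OP still hasn't figured out what authenticated scanning is.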

 

 

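The above sets out some of the issues; here is my own view, just one person's opinion.

  1. No authenticated scan was performed, usually because customer staff are not comfortable giving account passwords to the technicians who come to run the scan. Human nature being what it is, I believe 90% of customer-side people would rather not have an authenticated scan done.
  2. Because of point 1, NSFOCUS's scan results are in most cases inaccurate and of no value.
  3. To use an imperfect analogy: a patient goes to hospital and the doctor asks for a blood test or an X-ray, but the patient refuses both; because of that refusal, the doctor has almost no information to go on.
  4. In this situation, the doctor lists every illness the patient might have. These are only possibilities, after all, and listing a few more can't hurt.
  5. Faced with the long list of possible illnesses from the doctor, the patient is at a loss.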
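Why a banner-only scan over-reports while a credentialed check does not, as an added Python example (an illustration of the version-matching approach described in the article, not any vendor's code). The advisory entries and their IDs are constructed placeholders, and the example assumes the fifth version field carries the PSU level (as in 11.2.0.3.9), which a credentialed check can read from `opatch lsinventory` or DBA_REGISTRY_HISTORY.

```python
# Constructed advisory data: placeholder IDs, not real CVE numbers.
ADVISORIES = [
    {"id": "CVE-PLACEHOLDER-A", "base": "11.2.0.3", "fixed_in_psu": 2},
    {"id": "CVE-PLACEHOLDER-B", "base": "11.2.0.3", "fixed_in_psu": 9},
    {"id": "CVE-PLACEHOLDER-C", "base": "11.2.0.3", "fixed_in_psu": 15},
    {"id": "CVE-PLACEHOLDER-D", "base": "11.2.0.4", "fixed_in_psu": 3},
]

def split_version(version):
    """'11.2.0.3.9' -> ('11.2.0.3', 9); the fifth field is the PSU level (assumption)."""
    parts = version.strip().split(".")
    if len(parts) != 5 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected a five-part version, got {version!r}")
    return ".".join(parts[:4]), int(parts[4])

def assess(banner_version, patched_version=None):
    """Classify advisories for one database.

    banner_version:  what an unauthenticated probe sees (no patch level).
    patched_version: PSU-aware version from a credentialed check, or None.
    """
    base, _ = split_version(banner_version)
    psu = None
    if patched_version is not None:
        patched_base, psu = split_version(patched_version)
        if patched_base != base:
            raise ValueError("banner and inventory disagree on the base release")
    result = {"vulnerable": [], "fixed": [], "unverified": []}
    for adv in ADVISORIES:
        if adv["base"] != base:
            continue
        if psu is None:
            # Without the PSU level every advisory for the release is only a maybe.
            result["unverified"].append(adv["id"])
        elif psu >= adv["fixed_in_psu"]:
            result["fixed"].append(adv["id"])
        else:
            result["vulnerable"].append(adv["id"])
    return result

if __name__ == "__main__":
    print(assess("11.2.0.3.0"))                  # banner only
    print(assess("11.2.0.3.0", "11.2.0.3.9"))    # with inventory data
```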

 

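Here is how the responsibility breaks down:

  1. As can be seen, the customer's share of the responsibility is that, although it is obliged to cooperate with the vulnerability scan, it is not willing to actually provide an account and password for an authenticated scan.
  2. NSFOCUS may not have stressed the importance of authenticated scanning. In fact, without an authenticated scan the report can be considered meaningless, but then there would be no point in doing the job at all.
  3. Because NSFOCUS has to produce a report with no chance of obtaining complete information, it forcibly lists every possibility it can establish, which leaves the maintenance team either ignoring the findings or having a very hard time.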

 

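Finally, a few suggestions:

  1. If the customer agrees to a vulnerability scan, it should open up an account and password to NSFOCUS. NSFOCUS should confirm this before scanning; if the customer is unwilling to provide them, then pressing ahead anyway is arguably box-ticking formalism.
  2. Most companies in China that are not foreign-owned or publicly listed either use pirated Oracle or never purchase Oracle standard support. Running a vulnerability scan in that situation, even if the results are accurate, leaves the customer with no legitimate way to obtain the relevant security patches, and downloading patches from unofficial sources on the Internet is surely even less safe. So for customers that use pirated Oracle or never buy Oracle standard support, these vulnerability scans are, as a matter of principle, not advisable. Such customers should appropriately raise their internal network security and avoid any possibility of Oracle being exposed externally.
  3. Oracle releases new PSUs/SPUs every quarter (the SPU was formerly called the CPU, i.e. the security patch). Their importance may be uneven (for example, only one quarter in a year might bring a vulnerability with wide applicability and large impact), but new security vulnerabilities may always be found. A top-tier company that does not care about labour cost could of course upgrade several times a year, but in general that is not feasible because the cost is uncontrollable.
  4. In Maclean's experience, top banks and enterprises in both China and the United States do not do what point 3 describes; applying SPUs is the exception, done only when specifically needed.
  5. At the current stage, the main security priority in China is still getting internal network security right. Eliminating weak passwords and outdated Windows/Linux versions, and getting rid of password-less MongoDB/Redis instances, would already be a great achievement.
  6. If anyone is still stuck on the NSFOCUS issue, patiently read through the many comments online and patiently explain the situation to your management. After all, there isn't much that we pure technical people can do, or rather, can actually get done!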

 

 

 

PRM DUL: recovering Oracle database tables, the simplest instructions

Software download: https://zcdn.parnassusdata.com/DUL5108.zip

The software is written in Java and runs on Windows, Linux (Red Hat, CentOS, Ubuntu), AIX, Solaris and HP-UX.

But JDK 1.8 must be installed first!!!

JDK downloads:

Linux x86: http://zcdn.parnassusdata.com/jdk-8u201-linux-i586.rpm (32-bit Linux)
Linux x86-64: http://zcdn.parnassusdata.com/jdk-8u91-linux-x64.rpm (64-bit Linux)

Windows x86: http://zcdn.parnassusdata.com/jdk-8u201-windows-i586.exe (32-bit Windows)
Windows x86-64: http://zcdn.parnassusdata.com/jdk-8u181-windows-x64.exe (64-bit Windows)

Current operating systems are almost all 64-bit, so the 64-bit JDK is recommended!!

Confirm the Java version: open a command line (cmd on Windows)

java -version

Unzip DUL5108.zip

On Windows, double-click prm.bat
On Linux, run sh prm.sh with X Window available; you can install a remote graphical client such as XSHELL or Xmanager:
Xmanager downloads:
xmanager 4 https://zcdn.askmaclean.com/Xme4.exe
xmanager 6 https://zcdn.askmaclean.com/Xme6.exe

Choose dictionary mode,
and add all the data files!! You must add every data file you can find, all the data files that belong to the whole database!!
Do not add data files from other databases!!

All data files!!
Do not add only SYSTEM01.DBF!!
Do not add only the data files you think are damaged!!
SYSTEM01.DBF must be included!!

How do you find all the data files?
At the command line:
sqlplus / as sysdba
conn / as sysdba
shutdown immediate;
startup mount;
select name from v$datafile;

In the simplest mode you do not need to select any parameters; just add the data files!!

Ctrl+A selects all dbf/ora files in the directory!!

Double-click to view sample data from a table.
This is only sample data, not all of the data!!

Find the user name you want, then check below whether the important tables have data!!

The community edition extracts at most 10,000 rows (possibly slightly more than 10,000)!!!

Right-click and choose unload to extract the data to a file.
When extraction finishes, it gives you the path to the file!!!
Go to that path and you will see the file!!!!

DataBridge mode is recommended!!
The unload extraction mode is not recommended!!

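For DataBridge mode, create a new user in the new/target database:
create user pd1 identified by oracle;
grant dba to pd1;

Be sure to grant the dba privilege!!!!

If you don't have a new database, create one yourself with the dbca command!!
Make sure the character set is the same as the original database's!!!!

Check whether the listener on the target database is running!
Make sure the listener is up and the service is registered!!!!

Select the tablespace you want!!!

You can DataBridge an entire user, that is, all tables under that user!!!!
You are not limited to extracting one table at a time!!!

Click the user name, right-click, and DataBridge all tables under that user!!!

A user's table structures, indexes, primary key constraints, views, stored procedures, packages, triggers and sequences can be exported as DDL text!!

Right-click the user, select an available DataBridge user, and you end up with a text file!!!

The DDL export feature only works once you have purchased an Enterprise Edition license!!!!

By default DataBridge changes varchar columns to varchar(4000) to make sure the insert always succeeds!!!
If you don't want varchar(4000), first create the tables using the CREATE TABLE statements generated in the previous step (exporting the table structure DDL)!!
DataBridge will then insert data directly into the target tables instead of creating them itself!!!!

If you still have problems, contact us: phone 13764045638, QQ 47079569!!!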

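Using PRM DUL to quickly recover Oracle database data files encrypted by ransomware or other malware

Why can these encrypted Oracle data files be recovered?

Because these files are usually large, over 300 MB, encrypting them in full would cost the malware a great deal of time and CPU, so this kind of ransomware generally encrypts only part of their contents.

With PRM-DUL's powerful features, most of the unencrypted content can be recovered.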

PRM DUL download: https://zcdn.parnassusdata.com/DUL5108.zip
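A triage sketch for the partial-encryption point above, as an added Python example (not part of PRM DUL or the original page): it measures per-block Shannon entropy to estimate which block ranges of a file image look like ciphertext. The 8192-byte block size, the 7.5 bits/byte threshold and the sample image are assumptions of this example, and compressed or LOB data can also score high.

```python
import math
import random
from collections import Counter

BLOCK_SIZE = 8192   # assumed db_block_size; adjust to the database's value
THRESHOLD = 7.5     # assumed cut-off in bits/byte; ciphertext sits near 8.0

def entropy(block):
    """Shannon entropy of a non-empty byte string, in bits per byte."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def encrypted_ranges(data, block_size=BLOCK_SIZE, threshold=THRESHOLD):
    """Return [(first_block, last_block)] runs whose entropy looks like ciphertext."""
    runs, start = [], None
    nblocks = len(data) // block_size          # a trailing partial block is ignored
    for i in range(nblocks):
        high = entropy(data[i * block_size:(i + 1) * block_size]) >= threshold
        if high and start is None:
            start = i
        elif not high and start is not None:
            runs.append((start, i - 1))
            start = None
    if start is not None:
        runs.append((start, nblocks - 1))
    return runs

def make_sample():
    """Constructed image: 4 random (ciphertext-like) blocks, then 12 row-like blocks."""
    rng = random.Random(0)
    head = bytes(rng.getrandbits(8) for _ in range(4 * BLOCK_SIZE))
    row = b"\x2c\x01\x03\x02\xc1\x13\x05ALICE\x07\x78\x71\x04\x1d\x13\x01\x01"
    block = (row * (BLOCK_SIZE // len(row) + 1))[:BLOCK_SIZE]
    return head + block * 12

if __name__ == "__main__":
    print(encrypted_ranges(make_sample()))
```

Run it against a copy of the affected file, never the only surviving original.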

 

 

 

 

 
