search

biemond / biemond-oradb

Puppet Oracle Database Module
Apache License 2.0
59 stars 113 forks source link

Permission issues with opatch #172

Closed finduramit closed 7 years ago

finduramit commented 7 years ago

Hello Puppet Version 4.10.4 mod 'biemond-oradb', ' 3.0.9' Red Hat Enterprise Linux Server release 7.3 (Maipo)

I am facing an issue while trying to apply database PSU patch on oracle 12.1.0.2 database using oradb::opatch It’s just a single instance database without any RAC/clusterware and there is only one database home.

We are using definition below in our class file 

   oradb::opatch{'25171037_db_patch':
  ensure                    => 'present',
  oracle_product_home       => '/oracle01/app/Oracle/product/12cR1',
  patch_id                  => '25171037',
  patch_file                => 'p25171037_121020_Linux-x86-64.zip',
  user                      => 'oracle',
  group                     => 'oracle',
  download_dir              => '/home/oracle',
  ocmrf                     => false,
  use_opatchauto_utility    => false,
  puppet_download_mnt_point => '/media/sf_software_mnt/patch',

Problem is when puppet agent run we get an error below 

Notice: I 'm applying patch 25171037 on the database home.
Notice: /Stage[main]/Uos_create_oradb::Apply_psu_patch/Notify[I 'm applying patch 25171037 on the database home.]/message: defined 'message' as 'I 'm applying patch 25171037 on the database home.'
Notice: /Stage[main]/Uos_create_oradb::Apply_psu_patch/Oradb::Opatch[25171037_db_patch]/File[/home/oracle/p25171037_121020_Linux-x86-64.zip]/mode: mode changed '0777' to '0775'
Info: search for patchid 25171037
Info: opatch_status for patch 25171037 command: /oracle01/app/Oracle/product/12cR1/OPatch/opatch lsinventory -patch_id -oh /oracle01/app/Oracle/product/12cR1 -invPtrLoc /etc/oraInst.loc
Info: opatch_status output NotFound for patchId 25171037
Info: opatch action: present with command /oracle01/app/Oracle/product/12cR1/OPatch/opatch apply -silent  -oh /oracle01/app/Oracle/product/12cR1 /home/oracle/25171037
chmod: changing permissions of ‘/home/oracle/25171037’: Operation not permitted
chmod: changing permissions of ‘/home/oracle/25171037/19769480’: Operation not permitted
chmod: changing permissions of ‘/home/oracle/25171037/19769480/files’: Operation not permitted
chmod: changing permissions of ‘/home/oracle/25171037/19769480/files/suptools’: Operation not permitted
chmod: changing permissions of ‘/home/oracle/25171037/19769480/files/suptools/orachk.zip’: Operation not permitted
chmod: changing permissions of ‘/home/oracle/25171037/19769480/files/crs’: Operation not permitted
chmod: changing permissions of ‘/home/oracle/25171037/19769480/files/crs/install’: Operation not permitted
chmod: changing permissions of ‘/home/oracle/25171037/19769480/files/crs/install/tfa_setup’: Operation not permitted
chmod: changing permissions of ‘/home/oracle/25171037/19769480/files/rdbms’: Operation not permitted
chmod: changing permissions of ‘/home/oracle/25171037/19769480/files/rdbms/mesg’: Operation not permitted
chmod: changing permissions of ‘/home/oracle/25171037/19769480/files/rdbms/mesg/oraus.msb’: Operation not permitted
.
.
.
chmod: changing permissions of ‘/home/oracle/25171037/25171037/etc/config’: Operation not permitted
chmod: changing permissions of ‘/home/oracle/25171037/25171037/etc/config/composite.xml’: Operation not permitted
chmod: changing permissions of ‘/home/oracle/25171037/25171037/etc/config/actions.xml’: Operation not permitted
chmod: changing permissions of ‘/home/oracle/25171037/25171037/etc/config/inventory.xml’: Operation not permitted
Argument(s) Error... Patch location is not valid for apply

Info: opatch result: Oracle Interim Patch Installer version 12.2.0.1.9
Copyright (c) 2017, Oracle Corporation.  All rights reserved.

ZOP-51: The patch location is not valid for apply, because it doesn't have correct metadata, or it points to a patch directory.
Please check the arguments and try again.

OPatch failed with error code 135

Error: Oracle Interim Patch Installer version 12.2.0.1.9
Copyright (c) 2017, Oracle Corporation.  All rights reserved.

ZOP-51: The patch location is not valid for apply, because it doesn't have correct metadata, or it points to a patch directory.
Please check the arguments and try again.

OPatch failed with error code 135

Error: /Stage[main]/Uos_create_oradb::Apply_psu_patch/Oradb::Opatch[25171037_db_patch]/Db_opatch[25171037 25171037_db_patch]/ensure: change from absent to present failed: Oracle Interim Patch Installer version 12.2.0.1.9
Copyright (c) 2017, Oracle Corporation.  All rights reserved.

ZOP-51: The patch location is not valid for apply, because it doesn't have correct metadata, or it points to a patch directory.
Please check the arguments and try again.

OPatch failed with error code 135

Info: Oradb::Opatch[25171037_db_patch]: Unscheduling all events on Oradb::Opatch[25171037_db_patch]
Info: Class[Uos_create_oradb::Apply_psu_patch]: Unscheduling all events on Class[Uos_create_oradb::Apply_psu_patch]
Info: Stage[main]: Unscheduling all events on Stage[main]
Notice: Applied catalog in 6.29 seconds

I figured out that this is being generated from db_opatch.rb line 45 

Puppet.info "opatch action: #{action} with command #{command}"

if opatch_auto == true

output = `export ORACLE_HOME=#{oracle_product_home_dir}; chmod -R +r #{extracted_patch_dir}; cd #{oracle_product_home_dir}; #{command}`

else

output = `su - #{user} -c 'export ORACLE_HOME=#{oracle_product_home_dir}; chmod -R +r #{extracted_patch_dir}; cd #{oracle_product_home_dir}; #{command}'`

end

Puppet.info "opatch result: #{output}"

I can see that problem is that puppet downloads the patch zip file as root user and extract the zip file which results in the patch folder still being owned by the “root” user. Now opatch cannot read these files and hence the error message. so unless the owner of patch directory is changed to oracle this will fail. 

[root@vbrel701 manifests]# cd /home/oracle/
[root@vbrel701 oracle]# ls -ltr
total 300812
drwxrwxr-x. 12 root   root         203 Mar  7 20:37 25171037       <<<<<owner is root
-rw-rw-r--.  1 root   root       88344 Apr 18 20:02 PatchSearch.xml  <<<<<owner is root 
drwxr-xr-x.  2 oracle oracle         6 Jun 21 14:55 Videos
drwxr-xr-x.  2 oracle oracle         6 Jun 21 14:55 Templates
drwxr-xr-x.  2 oracle oracle         6 Jun 21 14:55 Public
drwxr-xr-x.  2 oracle oracle         6 Jun 21 14:55 Pictures
drwxr-xr-x.  2 oracle oracle         6 Jun 21 14:55 Music
drwxr-xr-x.  2 oracle oracle         6 Jun 21 14:55 Downloads
drwxr-xr-x.  2 oracle oracle         6 Jun 21 14:55 Documents
drwxr-xr-x.  2 oracle oracle         6 Jun 21 14:55 Desktop
drwxr-xr-x.  2 oracle oracle         6 Jun 28 10:33 oraInventory
-rw-r--r--.  1 oracle oracle      1143 Jun 28 14:41 create_TESTDB01.sql
-rw-r--r--.  1 oracle oracle       246 Jun 28 14:43 post_TESTDB01.sql
-rwxrwxr-x.  1 root   root   307929405 Jun 29 15:18 p25171037_121020_Linux-x86-64.z  <<<<<owner is root ip
[root@vbrel701 oracle]#

Please can you suggest if this is a bug or am I doing something wrong?

Many Thanks

biemond commented 7 years ago

Hi,

indeed I do this , https://github.com/biemond/biemond-oradb/blob/puppet4_3_data/manifests/opatch.pp#L73

can you use opatch_auto , which should be run by root. but maybe the extract look at opatch auto and use the user or as root.

finduramit commented 7 years ago

Hello

I tried using opatch auto but that gave me the same error message. 

class uos_create_oradb::apply_psu_patch {
oradb::opatch{'25171037_db_patch':
  ensure                              => 'present',
  oracle_product_home        => '/oracle01/app/Oracle/product/12cR1',
  patch_id                            => '25171037',
  patch_file                           => 'p25171037_121020_Linux-x86-64.zip',
  user                                   => 'oracle',
  group                                 => 'oracle',
  download_dir                      => '/home/oracle',
  ocmrf                                  => false,
  use_opatchauto_utility         => true, 
  puppet_download_mnt_point => '/media/sf_software_mnt/patch',  }}

What I have found that in the file opatch.pp if I add two below lines in the first “if” block it then works fine. Is there any other way to fix this? I would use the oradb module as it is. 

            user      => $user,
            group     => $group,

case $facts['kernel'] {
    'Linux', 'SunOS': {
      if $ensure == 'present' {
        if $remote_file == true {
          exec { "extract opatch ${patch_file} ${title}":
            command   => "unzip -n ${download_dir}/${patch_file} -d ${download_dir}",
            require   => File["${download_dir}/${patch_file}"],
            creates   => "${download_dir}/${patch_id}",
            path      => $exec_path,
**       user      => $user,    **
**        group     => $group, **
            logoutput => false,
            before    => Db_opatch["${patch_id} ${title}"],
          }
        } else {
          exec { "extract opatch ${patch_file} ${title}":
            command   => "unzip -n ${puppet_download_mnt_point}/${patch_file} -d ${download_dir}",
            creates   => "${download_dir}/${patch_id}",
            path      => $exec_path,
            user      => $user,
            group     => $group,
            logoutput => false,
            before    => Db_opatch["${patch_id} ${title}"],
          }  }  }
biemond commented 7 years ago

that is strange with opatch auto it extracts and runs as root.

maybe split up this to this and make it readonly for everyone output_pre = chmod -R +r #{extracted_patch_dir} output = su - #{user} -c 'export ORACLE_HOME=#{oracle_product_home_dir}; cd #{oracle_product_home_dir}; #{command}'

finduramit commented 7 years ago

Hello

Thanks for your quick reply. Problem is, it extract the patch as root but before changing the folder permission user is switched using su - $user . This $user might not have access to change folder permissions.

I got it to work now after changing the file opatch.pp with two lines that I mentioned above.

Just one last question the “oradb::opatch” does not perform post install steps i.e “%./datapatch –verbose” ? Is there a way to do this using biemond-oradb-puppet4_3 ?

Regards

biemond commented 7 years ago

Hi,

root should extract it ( because of some previous issue ) . and root is allowed to do chmod -R +r #{extracted_patch_dir} and give read only access to all after that the patch should be applied as root or not, it just should work.

thanks

finduramit commented 7 years ago

Hello Thanks for your quick reply. opatch works fine for me now.

is there a way to do the post install sqlpatch step in the PSU using the datapatch utility ?

Regards Amit

biemond commented 7 years ago

great,

that will be hard, I don't know if the patch has one and I don't know how to check if it is already applied.

finduramit commented 7 years ago

Datapatch is the new command by Oracle that sits in the opatch directory. It needs to be executed after every PSU. So once the psu is applied and database is started, oracle documentation says execute below command

% ./datapatch -verbose

This will take care of whatever sql that needs to be loaded into the database after PSU patching. There is no checking needed as data patch will handle that automatically.

So after oradb::opatch this is a simple step to start the database and execute above command. I see if i am able to write this code myself, I am new to puppet so might take a while :-)

biemond commented 7 years ago

Thanks , good to know. mostly I do patching before I create a database.

On a running DB it will be hard too automate this. Mostly you need to plan this, make a backup, stop db, patch, startdb and then this. So I guess this will always be a manual action and I think creating DB after the patch should not require this patch.

biemond commented 7 years ago

simple patching works like this: Stop the database Execute opatch apply Start the database Execute datapatch [-verbose] done

Alternatively you can also execute opatchauto, as this runs both the opatch and the datapatch subsequently.

opatchauto should do the trick

finduramit commented 7 years ago

Hi

Thanks for your quick reply. Please can you tell me how do I use opatchauto to achieve this?

I tried below code, but this applied the opatch patch but did not execute datapatch afterwards.

oradb::opatch{'25171037_db_patch': ensure => 'present', oracle_product_home => '/oracle01/app/Oracle/product/12cR1', patch_id => '25171037', patch_file => 'p25171037_121020_Linux-x86-64.zip', user => 'oracle', group => 'oracle', download_dir => '/home/oracle', use_opatchauto_utility => true, puppet_download_mnt_point => '/media/sf_software_mnt/patch', }

Thanks

finduramit commented 7 years ago

I just checked Oracle document says opatch auto must be run from a grid infrastructure home so for a single instance, non RAC database this will not work.

biemond commented 7 years ago

ok, good to know.

so the patch was still applied and executed by root. Still we need to find out how we can do this in the normal puppet flow with a running DB. I don't see a solution

sivasamysubramaniam commented 7 years ago

Sorry, I opened an another issue for this permission problem. Can you add those two lines which Amit mentioned into opatch.pp to make oracle owner extract and own the patches?

biemond commented 7 years ago

that is not a good solution , it goes wrong with multiple oracle home

I will do the chmod as root and remove it from oracle command

sivasamysubramaniam commented 7 years ago

Ok..thanks Ed.. I am fine with it..

biemond commented 7 years ago

So I fixed it and also added fuser creation which was required by opatch. see 7ee746c0a62ea5133b8acbe8851a64601e72cd6f you can download the latest oradb version from github

see https://github.com/biemond/biemond-oradb-vagrant-12.1-CDB-puppet4_3/blob/master/puppet/environments/development/manifests/site.pp#L124

I will also check grid patching

==> dbcdb: Notice: /Stage[main]/Oradb_cdb/Oradb::Opatch[25171037_db_patch]/Exec[extract opatch p25171037_121020_Linux-x86-64.zip 25171037_db_patch]/returns: executed successfully
==> dbcdb: Info: search for patchid 25171037
==> dbcdb: Info: opatch_status for patch 25171037 command: /oracle/product/12.1/db/OPatch/opatch lsinventory -patch_id -oh /oracle/product/12.1/db -invPtrLoc /etc/oraInst.loc
==> dbcdb: Info: opatch_status output NotFound for patchId 25171037
==> dbcdb: Info: opatch action: present with command /oracle/product/12.1/db/OPatch/opatch apply -silent  -oh /oracle/product/12.1/db /var/tmp/install/25171037
==> dbcdb: Info: opatch result: Oracle Interim Patch Installer version 12.2.0.1.9
==> dbcdb: Copyright (c) 2017, Oracle Corporation.  All rights reserved.
==> dbcdb:
==> dbcdb:
==> dbcdb: Oracle Home       : /oracle/product/12.1/db
==> dbcdb: Central Inventory : /oracle/oraInventory
==> dbcdb:    from           : /oracle/product/12.1/db/oraInst.loc
==> dbcdb: OPatch version    : 12.2.0.1.9
==> dbcdb: OUI version       : 12.1.0.2.0
==> dbcdb: Log file location : /oracle/product/12.1/db/cfgtoollogs/opatch/opatch2017-07-09_13-53-06PM_1.log
finduramit commented 7 years ago

Many Thanks Just tested all seems to work fine now. I am working on developing our local version to patch a running DB with PSU that we can use every patching cycle.

biemond commented 7 years ago

nice , let me know if you know a flow which works well with a running DB instance.

SujitKJSingh commented 5 years ago

This error could also be there because of multiple patches in one patch directory, in that case go-to that main patch directory simply use napply.

umaha01 commented 4 years ago

Hello All, On this same subject - i have a scenario - if any of you have some insight can you please share it back.

  1. I am using oradb.opatch module to apply patches to RAC environments
  2. With opatchauto command, we can just specify patches location and it will apply all the patches.
  3. PSU JAN2020 - 30501910 (Main PatchID), and associated SUB PATCHIDs -> 30557433, 30489227
  4. I have applied patches using opatchauto of opatch.pp module @ 30501910 Level (Which applied all sub patches successfully.
  5. Following this - for all puppet runs it is reporting below messages: Info: search for patchid 30501910 Info: opatch_status for patch 30501910 command: /appl/grid/19.0.0.0/OPatch/opatch lsinventory -patch_id -oh /appl/grid/19.0.0.0 -invPtrLoc /etc/oraInst.loc Info: opatch_status output NotFound for patchId 30501910 The reason because that Parent Id is not found on the opatch lsinventory.
  6. puppet facts are as below after patching: "/appl/grid/19.0.0.0": [ { "patch_id": "30484981", "patch_desc": "OJVM RELEASE UPDATE: 19.6.0.0.200114 (30484981)" }, { "patch_id": "30557433", "patch_desc": "Database Release Update : 19.6.0.0.200114 (30557433)" }, { "patch_id": "30489227", "patch_desc": "OCW RELEASE UPDATE 19.6.0.0.0 (30489227)" } NOW MY QUESTION? How to ensure puppet moves forward without trying to apply the same patches, it is trying and giving an output "Patches are already applied".

Appreciate your inputs and insights around this.