OS Preparation for Oracle Database
OS Configuration
kernel
[root@db ~]# uname -a
Linux db.egolife.com 2.6.32-220.el6.x86_64 #1 SMP Tue Dec 6 19:48:22 GMT 2011 x86_64 x86_64 x86_64 GNU/Linux
hosts
[root@db ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.17.1.100 db.egolife.com db
172.29.88.135 wxbak.egolife.com wxbak
Database 11gR2
group and user
[root@db ~]# groupadd -g 501 oinstall
[root@db ~]# groupadd -g 502 dba
[root@db ~]# useradd -u 501 -g oinstall -G dba oracle
[root@db ~]# id oracle
uid=501(oracle) gid=501(oinstall) groups=501(oinstall),502(dba)
[root@db ~]# passwd oracle
kernel parameters
/proc/sys/.../file
: current value of these parameters; non persistent/etc/sysctl.conf
: configure file of these parameters; persistent during each startupsysctl -p
: persistent during each startup
parameters
shared memory, semaphores, file handles parameter, net parameter
[root@db ~]# sysctl -p
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
error: "net.bridge.bridge-nf-call-iptables" is an unknown key
error: "net.bridge.bridge-nf-call-arptables" is an unknown key
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
[root@db ~]# vim /etc/sysctl.conf
... ...
#2013-7-19 kernel setting for oracle database 11gR2
fs.aio-max-nr = 1048576
fs.file-max = 6815744
kernel.shmall = 2097152
kernel.shmmax = 4294967295
kernel.shmmni = 4096
kernel.sem = 250 32000 100 128
net.ipv4.ip_local_port_range = 9000 65500
net.core.rmem_default = 262144
net.core.rmem_max = 4194304
net.core.wmem_default = 262144
net.core.wmem_max = 1048576
[root@db ~]# sysctl -p
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
fs.aio-max-nr = 1048576
fs.file-max = 6815744
kernel.shmall = 2097152
kernel.shmmax = 4294967295
kernel.shmmni = 4096
kernel.sem = 250 32000 100 128
net.ipv4.ip_local_port_range = 9000 65500
net.core.rmem_default = 262144
net.core.rmem_max = 4194304
net.core.wmem_default = 262144
net.core.wmem_max = 1048576
resource limits
/etc/security.conf
: resource limits configuration file/etc/pam.d/login
: login settingsulimit
: utility to check or change resource limits
open file descriptors, number of processes available to a single user, size of the stack segment of the process.
[root@db ~]# ulimit -Sn; ulimit -Hn
1024
1024
[root@db ~]# ulimit -Su; ulimit -Hu
1024
62638
[root@db ~]# ulimit -Ss; ulimit -Hs
10240
unlimited
[root@db ~]# vim /etc/security/limits.conf
... ...
#2013-7-19 resource limits for oracle database 11gR2
oracle soft nproc 2047
oracle hard nproc 16384
oracle soft nofile 1024
oracle hard nofile 65536
oracle soft stack 10240
[root@db ~]# vim /etc/pam.d/login
... ...
#2013-7-19 shell limits for oracle database 11gR2
session required /lib64/security/pam_limits.so
session required pam_limits.so
managing packages
for Oracle Linux 6 and Red Hat Enterprise Linux 6 x86-64, the following packages (or later versions) must be installed:
- binutils-2.20.51.0.2-5.11.el6 (x86_64)
- compat-libcap1-1.10-1 (x86_64)
- compat-libstdc++-33-3.2.3-69.el6 (x86_64)
- compat-libstdc++-33-3.2.3-69.el6.i686
- gcc-4.4.4-13.el6 (x86_64)
- gcc-c++-4.4.4-13.el6 (x86_64)
- glibc-2.12-1.7.el6 (i686)
- glibc-2.12-1.7.el6 (x86_64)
- glibc-devel-2.12-1.7.el6 (x86_64)
- glibc-devel-2.12-1.7.el6.i686
- ksh
- libgcc-4.4.4-13.el6 (i686)
- libgcc-4.4.4-13.el6 (x86_64)
- libstdc++-4.4.4-13.el6 (x86_64)
- libstdc++-4.4.4-13.el6.i686
- libstdc++-devel-4.4.4-13.el6 (x86_64)
- libstdc++-devel-4.4.4-13.el6.i686
- libaio-0.3.107-10.el6 (x86_64)
- libaio-0.3.107-10.el6.i686
- libaio-devel-0.3.107-10.el6 (x86_64)
- libaio-devel-0.3.107-10.el6.i686
- make-3.81-19.el6
- sysstat-9.0.4-11.el6 (x86_64)
query packages installed
[root@db ~]# rpm -qa --queryformat "%{NAME}-%{VERSION}-%{RELEASE} (%{ARCH})\n" | egrep 'binutils|compat-db43|gcc|glibc|libgcc|libstdc++|libXi|libXp|libaio|libgomp|make|gdbm|sysstat|util-linux-ng|unzip|compat-libstdc++|compat-libstdc++|openmotif21|xorg-x11-libs-compat' | sort
automake-1.11.1-1.2.el6 (noarch)
binutils-2.20.51.0.2-5.28.el6 (x86_64)
binutils-devel-2.20.51.0.2-5.28.el6 (x86_64)
compat-db43-4.3.29-15.el6 (x86_64)
compat-glibc-2.5-46.2 (x86_64)
compat-glibc-headers-2.5-46.2 (x86_64)
compat-libstdc++-296-2.96-144.el6 (i686)
compat-libstdc++-33-3.2.3-69.el6 (x86_64)
gcc-4.4.6-3.el6 (x86_64)
gcc-c++-4.4.6-3.el6 (x86_64)
gcc-gfortran-4.4.6-3.el6 (x86_64)
gdbm-1.8.0-36.el6 (x86_64)
glibc-2.12-1.47.el6 (i686)
glibc-2.12-1.47.el6 (x86_64)
glibc-common-2.12-1.47.el6 (x86_64)
glibc-devel-2.12-1.47.el6 (x86_64)
glibc-headers-2.12-1.47.el6 (x86_64)
libaio-0.3.107-10.el6 (x86_64)
libgcc-4.4.6-3.el6 (i686)
libgcc-4.4.6-3.el6 (x86_64)
libgomp-4.4.6-3.el6 (x86_64)
libstdc++-4.4.6-3.el6 (x86_64)
libstdc++-devel-4.4.6-3.el6 (x86_64)
libXi-1.3-3.el6 (x86_64)
libXi-devel-1.3-3.el6 (x86_64)
libXinerama-1.1-1.el6 (x86_64)
libXinerama-devel-1.1-1.el6 (x86_64)
libXp-1.0.0-15.1.el6 (x86_64)
libXp-devel-1.0.0-15.1.el6 (x86_64)
make-3.81-19.el6 (x86_64)
sysstat-9.0.4-18.el6 (x86_64)
unzip-6.0-1.el6 (x86_64)
util-linux-ng-2.17.2-12.4.el6 (x86_64)
to be installed packages:
- compat-libcap1-1.10-1 (x86_64)
- glibc-devel-2.12-1.47.el6
- ksh
- libstdc++-4.4.6-3.el6
- libstdc++-devel-4.4.6-3.el6
- libaio-0.3.107-10.el6
- libaio-devel-0.3.107-10.el6, libaio-devel-0.3.107-10.el6 (x86_64)
- make-3.81-19.el6
OFA
[root@db ~]# mkdir -p /db/oracle/product/11.2.0/db_1
[root@db ~]# chown -R oracle:oinstall /db/oracle/product/11.2.0/db_1/
[root@db ~]# chmod -R 755 /db/oracle/
Profile
[root@db ~]# su - oracle
[oracle@db ~]$ vim .bash_profile
# .bash_profile
# Get the aliases and functions
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi
# User specific environment and startup programs
PATH=$PATH:$HOME/bin
export PATH
#2013-7-19 settings for oracle database 11gR2
export TMP=/tmp
export TMPDIR=$TMP
export ORACLE_BASE=/db/oracle
export ORACLE_HOME=/db/oracle/product/11.2.0/db_1
export ORACLE_SID=WXPROD
export PATH=$PATH:$ORACLE_HOME/bin
X Window System
nobody
Install Database
logon as oracle with X Manager or VNC
Basic Security
root account
[root@db ~]# useradd itsection
[root@db ~]# usermod -G 10 itsection
[root@db ~]# grep '^\s*[^# \t].*$' /etc/pam.d/su
auth sufficient pam_rootok.so
auth required pam_wheel.so use_uid
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so
itsection su test
[itsection@db ~]$ su -
Password:
[root@db ~]#
oracle su test
[oracle@db ~]$ su -
Password:
su: incorrect password
[oracle@db ~]$
ssh
use oracle as example
[root@db ~]# su - oracle
[oracle@db ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/oracle/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Passphrases do not match. Try again.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/oracle/.ssh/id_rsa.
Your public key has been saved in /home/oracle/.ssh/id_rsa.pub.
The key fingerprint is:
e5:d9:51:82:97:d9:4d:11:1a:57:af:aa:5f:f0:36:e6 [email protected]
The key's randomart image is:
+--[ RSA 2048]----+
| ..=.**|
| . +o= o|
| .... .|
| o o . . |
| S o o . |
| + |
| . * |
| . = . |
| ... E |
+-----------------+
[oracle@db ~]$ cd .ssh/
[oracle@db .ssh]$ ll
total 8
-rw-------. 1 oracle oinstall 1743 Jul 22 09:23 id_rsa
-rw-r--r--. 1 oracle oinstall 406 Jul 22 09:23 id_rsa.pub
[oracle@db .ssh]$ cat id_rsa.pub > authorized_keys
[oracle@db .ssh]$ chmod 600 authorized_keys
[root@db ~]# grep '^\s*[^# \t].*$' /etc/ssh/sshd_config
Protocol 2
SyslogFacility AUTHPRIV
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
X11Forwarding yes
Subsystem sftp /usr/libexec/openssh/sftp-server
[root@db ~]# service sshd restart
iptables
[root@db ~]# cat /etc/iptables.rule
# Generated by iptables-save v1.4.7 on Mon Jul 22 09:56:41 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -s 172.29.73.0/24 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -s 172.29.73.0/24 -p tcp -m tcp --dport 1521 -j ACCEPT
-A INPUT -s 172.29.73.0/24 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 172.29.88.135/32 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT
COMMIT
# Completed on Mon Jul 22 09:56:41 2013
# Generated by iptables-save v1.4.7 on Mon Jul 22 09:56:41 2013
*nat
:PREROUTING ACCEPT [1:64]
:POSTROUTING ACCEPT [12:1378]
:OUTPUT ACCEPT [12:1378]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
# Completed on Mon Jul 22 09:56:41 2013
[root@db ~]# iptables-restore < /etc/iptables.rule
[root@db ~]# iptables-save > /etc/iptables.rule
[root@db ~]# cat /etc/rc.local
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
touch /var/lock/subsys/local
su - c "iptables-restore < /etc/iptables.rule"
blog comments powered by Disqus