Update ora-host defaults #59
Conversation
Disabling firewalld is a must or the installer will fail. Also adding some additional needed RPMs from the 19c installation guide and from runcluvfy post crsinst output.
A key goal of this toolkit is to be secure by default; having a properly configured host firewall is a key part of this config. (I do have a playbook in development that sets up a RAC-compatible firewall, but it is bare-metal specific.)
Regarding the packages, they appear to be already satisfied by package-level dependencies. For example, libaio-devel depends on libaio, glibc-devel depends on glibc, etc. I've done several installs from small default images and not found any missing packages.
Regarding firewalld, as you have mentioned: if it's enabled then we must run some firewall configuration to enable interconnect communication between nodes (by default firewalld blocks it), otherwise the installer will fail. Maybe the alternative would be to make firewall_enabled an external parameter that the user provides instead of having it referenced internally by a role; if the user wants it enabled then we configure the RAC enablement rules, because as the toolkit stands now the installer will always fail unless some manual work is done before running it.

Actually, I see in the toolkit's user guide the following line: "The disabling of the Linux firewall and SELinux, as recommended for Oracle database servers." which I think is not true.

For the packages, I know some of those I added might be redundant, but the currently listed ones are not sufficient. The reason I am saying that is that after I did an installation with the current packages I ran runcluvfy post crsinst and got errors that some packages are missing. What I did is add the packages listed by runcluvfy and all the packages from the install guide.
Tested this on RHEL 7.7. The error is:
Manually reproducing it on the server:
Matching metalink note: "The root.sh Fails with ORA-29783: GPnP Attribute SET Failed With Error [CLSGPNP_NOT_FOUND] (Doc ID 2180883.1)". Fix: instead of disabling the firewall entirely, the following Ansible snippet has been proven to work on multiple BMS sites:
The output before and after running the script is:
After:
In summary: wholesale disabling of the firewall is a big hammer that's not needed and could be counterproductive w.r.t. security. We can surgically add the firewall rules as mentioned in previous comments and tested as noted above.
I fully agree with your analysis; adding the accept rule for the interconnect network would work, and we could then use firewalld to block access to port 80 on the metadata server as well.
Hi,
Opening up hosts in the firewall:
was resolved by adding this into rac_lsnr_firewall/tasks/main.yml:
And then, calling that block to run on both nodes in install-sw.yml, like below:
Opening up HAIP addresses: the following error...:
matched with this metalink note:
Our snippets:
From the lmon trace file /u01/app/oracle/diag/rdbms/orcl/orcl1/trace/orcl1_lmon_19696.trc:
Direct matches to snippets in 2528588.1. This was resolved by reusing snippets from Marc's experimental:
Summary:
And then, calling that block to run on both nodes in install-sw.yml, like below:
I will submit the firewall-related changes in a new PR. Thanks. P.S:
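The approach argued for in this thread (keep firewalld running and admit only the RAC interconnect, the 169.254.0.0/16 HAIP range and the listener port, rather than disabling the firewall) as an added example written for this page. It is not the toolkit's rac_lsnr_firewall role and not any of the Ansible snippets from the comments, which are not reproduced above. The inventory group rac_nodes and the variables rac_private_interface, rac_private_subnet, rac_haip_range and rac_listener_port are assumed names, and their sample values are constructed; only the ansible.posix.firewalld and ansible.builtin.service modules and their parameters are real.

```yaml
# Added example for this discussion, not the toolkit's own playbook.
# Inventory group, variable names and sample values are assumptions.
- name: Allow Oracle RAC traffic through firewalld instead of disabling firewalld
  hosts: rac_nodes                      # assumed inventory group holding both cluster nodes
  become: true
  vars:
    rac_private_interface: eth1          # assumed: NIC carrying the private interconnect
    rac_private_subnet: 192.168.100.0/24 # constructed sample interconnect subnet
    rac_haip_range: 169.254.0.0/16       # link-local range Grid Infrastructure HAIP uses
    rac_listener_port: 1521              # default listener port, exposed on the public zone
  tasks:
    - name: Keep firewalld running and enabled (the opposite of the original PR)
      ansible.builtin.service:
        name: firewalld
        state: started
        enabled: true

    - name: Bind the private interconnect interface to the trusted zone
      # Node-to-node traffic on the interconnect is unrestricted, but only on
      # this interface; the public interface stays in the filtered default zone.
      ansible.posix.firewalld:
        zone: trusted
        interface: "{{ rac_private_interface }}"
        permanent: true
        immediate: true
        state: enabled

    - name: Trust traffic sourced from the interconnect subnet and the HAIP range
      # HAIP addresses are 169.254.x.x aliases that GI puts on the private NICs;
      # blocked HAIP traffic is what the LMON trace errors in this thread led to.
      ansible.posix.firewalld:
        zone: trusted
        source: "{{ item }}"
        permanent: true
        immediate: true
        state: enabled
      loop:
        - "{{ rac_private_subnet }}"
        - "{{ rac_haip_range }}"

    - name: Open only the listener port towards clients
      ansible.posix.firewalld:
        zone: public
        port: "{{ rac_listener_port }}/tcp"
        permanent: true
        immediate: true
        state: enabled
```

Trusting the interface covers everything the cluster sends over the interconnect NIC; the source entries additionally cover the HAIP aliases and the interconnect subnet if the private traffic ever arrives on a bond member or secondary NIC that is not the named interface. After running it, `firewall-cmd --zone=trusted --list-all` on each node should show the interface and both sources, and the `runcluvfy.sh stage -post crsinst` check that the thread used to find the missing rules can be rerun to confirm the interconnect is reachable.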
Hello Ahmad,
Thanks for identifying the issues.