Oracle 18c/19c: Running a “read-only-Oracle-home” on a read-only-filesystem
In Oracle 18c Oracle introduced a new feature, called “read-only-Oracle-Home”. By configuring an Oracle-Home-directory of your RDBMS-installation as “read-only”, Oracle will place all the configuration files like spfile etc. outside the directory tree of your $ORACLE_HOME and will basically move them to “$ORACLE_BASE/dbs” and “$ORACLE_BASE/homes”. But if the software is “read-only”, can we place the $ORACLE_HOME-directory in a separate filesystem which will be mounted “read-only” during normal operation? This would help to avoid accidental modifications or an accidental removal of the software. Let’s test it.
TL, DR: Running a “read-only-Oracle-home” on a read-only-filesystem works, except for patching (software + datapatch for the first database). According to the information I got from Oracle Support it is not supported.
My test server is VirtualBox based VM, running Oracle Linux 7.6. I’ve got several filesystems for the Oracle stuff:
[root@dirac ~]# df -h |grep /u0 /dev/mapper/ol_orafs-lv_u02 15G 33M 15G 1% /u02 /dev/mapper/ol_orafs-lv_u01 30G 33M 30G 1% /u01 /dev/mapper/ol_orafs-lv_u00 35G 66M 35G 1% /u00 /dev/mapper/ol_rdbms19-lv_rdbms19 19G 33M 19G 1% /u00/app/oracle/product/19.0.0.0 [root@dirac ~]# mount |grep /u0 /dev/mapper/ol_orafs-lv_u02 on /u02 type xfs (rw,relatime,seclabel,attr2,inode64,noquota) /dev/mapper/ol_orafs-lv_u01 on /u01 type xfs (rw,relatime,seclabel,attr2,inode64,noquota) /dev/mapper/ol_orafs-lv_u00 on /u00 type xfs (rw,relatime,seclabel,attr2,inode64,noquota) /dev/mapper/ol_rdbms19-lv_rdbms19 on /u00/app/oracle/product/19.0.0.0 type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
Usually, I store Oracle software in /u00, so it is a little bit larger than required in the current test. And you can see that there is a specific mount for my new Oracle Home (/u00/app/oracle/product/19.0.0.0).
The datafiles will be stored in /u01, /u02 serves as the location for the Fast-Recovery-Area (FRA).
Install RDBMS Software
The installation of the RDBMS software is straight-forward and does not differ to other installations, so I’ll skip the documentation of this step in this post.
Enable Read-Only Oracle Home
The tool for enabling a read-only-Oracle-HOME is “roohctl”.
oracle@dirac:~/ [rdbms19] echo $ORACLE_HOME /u00/app/oracle/product/19.0.0.0 oracle@dirac:~/ [rdbms19] roohctl -help Usage: roohctl [] [ ] Following are the possible flags: -help Following are the possible commands: -enable Enable Read-only Oracle Home [-nodeList List of nodes in a cluster environment]
(Roohctl -disable is available, too, but is not documented)
oracle@dirac:~/ [rdbms19] roohctl -enable Enabling Read-Only Oracle home. Update orabasetab file to enable Read-Only Oracle home. Orabasetab file has been updated successfully. Create bootstrap directories for Read-Only Oracle home. Bootstrap directories have been created successfully. Bootstrap files have been processed successfully. Read-Only Oracle home has been enabled successfully. Check the log file /u00/app/oracle/cfgtoollogs/roohctl/roohctl-190803AM092606.log for more details.
oracle@dirac:/u00/app/oracle/product/19.0.0.0/ [rdbms19] cd $ORACLE_BASE oracle@dirac:/u00/app/oracle/ [rdbms19] ls -l total 8 drwxr-x---. 3 oracle oinstall 21 Aug 3 09:25 cfgtoollogs drwxr-xr-x. 2 oracle oinstall 6 Aug 3 09:20 checkpoints drwxr-x---. 2 oracle oinstall 6 Aug 3 09:26 dbs <-- contains spfiles, password files drwxrwxr-x. 23 oracle oinstall 4096 Aug 3 09:20 diag drwxr-xr-x. 2 oracle oinstall 20 Jun 14 23:21 etc drwxr-x---. 3 oracle oinstall 26 Aug 3 09:26 homes <-- contains home-specific files drwxr-xr-x. 3 oracle oinstall 22 Jun 14 23:22 product oracle@dirac:/u00/app/oracle/ [rdbms19] cd homes /u00/app/oracle/homes oracle@dirac:/u00/app/oracle/homes/ [rdbms19] ls -l total 0 drwxr-x---. 7 oracle oinstall 78 Aug 3 09:26 OraDB19Home1 oracle@dirac:/u00/app/oracle/homes/ [rdbms19] cd OraDB19Home1/ /u00/app/oracle/homes/OraDB19Home1 oracle@dirac:/u00/app/oracle/homes/OraDB19Home1/ [rdbms19] ls -l total 0 drwxr-x---. 3 oracle oinstall 18 Aug 3 09:26 assistants drwxr-x---. 2 oracle oinstall 6 Aug 3 09:26 dbs drwxr-x---. 2 oracle oinstall 6 Aug 3 09:26 install drwxr-x---. 5 oracle oinstall 43 Aug 3 09:26 network drwxr-x---. 4 oracle oinstall 30 Aug 3 09:26 rdbms
You can check wether your Oracle-Home is an R/O-Home by running
oracle@dirac:~/ [rdbms19] orabasehome /u00/app/oracle/homes/OraDB19Home1
When it returns your $ORACLE_HOME-directory, your home is not a read-only-Oracle-Home
The configuration information is stored in $ORACLE_HOME/install/orabasetab
oracle@dirac:/u00/app/oracle/product/19.0.0.0/install/ [rdbms19] cat orabasetab orabasetab file is used to track Oracle Home associated with Oracle Base /u00/app/oracle/product/19.0.0.0:/u00/app/oracle:OraDB19Home1:Y:
Enhancement request: Hello Oracle, please add a checkbox in the installer resp. a parameter in the response file so that the ORACLE_HOME can be made “read only” automatically during the installation.
Mount /u00/app/oracle/product/19.0.0.0/ read-only
After configuration the Oracle-Home as a read-only-Oracle-home we can mount the filesystem read-only.
Change /etc/fstab as root:
/dev/mapper/ol_rdbms19-lv_rdbms19 /u00/app/oracle/product/19.0.0.0 xfs defaults 0 0 /dev/mapper/ol_rdbms19-lv_rdbms19 /u00/app/oracle/product/19.0.0.0 xfs ro 0 0
Unmount and mount the filesystem
root@dirac:/home/oracle/ [rdbms19] umount /u00/app/oracle/product/19.0.0.0 root@dirac:/home/oracle/ [rdbms19] mount /u00/app/oracle/product/19.0.0.0 root@dirac:/home/oracle/ [rdbms19] exit exit
Test it:
oracle@dirac:~/ [rdbms19] cd $ORACLE_HOME oracle@dirac:/u00/app/oracle/product/19.0.0.0/ [rdbms19] touch TEST touch: cannot touch ‘TEST’: Read-only file system
Which Software do we have installed?
oracle@dirac:/u00/app/oracle/product/19.0.0.0/ [rdbms19] $ORACLE_HOME/OPatch/opatch lspatches OPatch could not create/open history file for writing. 29585399;OCW RELEASE UPDATE 19.3.0.0.0 (29585399) 29517242;Database Release Update : 19.3.0.0.190416 (29517242) OPatch succeeded. oracle@dirac:/u00/app/oracle/product/19.0.0.0/ [rdbms19] cd oracle@dirac:~/ [rdbms19] $ORACLE_HOME/OPatch/opatch lspatches OPatch could not create/open history file for writing. 29585399;OCW RELEASE UPDATE 19.3.0.0.0 (29585399) 29517242;Database Release Update : 19.3.0.0.190416 (29517242) OPatch succeeded.
In the second line you can see the first issue with the R/O-filesystem:
OPatch wants to write into a history file which is located somewhere in the $ORACLE_HOME-tree. This is annoying, but no real loss of functionality.
Configure and start a listener
When not using $TNS_ADMIN, the Oracle Net config files are stored in $ORACLE_BASE/homes/<HOME_NAME>/network/admin.
In my case, configuring and starting the listener was straightforward and there were no issues, so I’ll skip the details.
Create a database
I’m using DBCA in this case and I’ll skip all the configuration steps in this post. There were no issues.
Patching the software
Let’s apply the release update RU 19.4 (July). Obviously, the file system with the Oracle software must be mounted read-write before patching the software:
For preparing patching, this means:
- Stop database instance and listener
- Unmount the filesystem /u00/app/oracle/product/19.0.0.0
- Mount the filesystem /u00/app/oracle/product/19.0.0.0 read-write
Changing the filesystem to read-write:
Modify /etc/fstab as root:
/dev/mapper/ol_rdbms19-lv_rdbms19 /u00/app/oracle/product/19.0.0.0 xfs defaults 0 0 /dev/mapper/ol_rdbms19-lv_rdbms19 /u00/app/oracle/product/19.0.0.0 xfs ro 0 0
Unmount and mount the filesystem:
root@dirac:/home/oracle/ [ROCDB] umount /u00/app/oracle/product/19.0.0.0 root@dirac:/home/oracle/ [ROCDB] mount /u00/app/oracle/product/19.0.0.0 root@dirac:/home/oracle/ [ROCDB] exit exit oracle@dirac:~/ [ROCDB] cdh oracle@dirac:/u00/app/oracle/product/19.0.0.0/ [ROCDB] touch TEST oracle@dirac:/u00/app/oracle/product/19.0.0.0/ [ROCDB] rm TEST
Patching the software is done as usual, simply run “opatch apply” for the patches to be applied.
oracle@dirac:/u00/app/oracle/product/19.0.0.0/ [ROCDB] $ORACLE_HOME/OPatch/opatch lspatches 29834717;Database Release Update : 19.4.0.0.190716 (29834717) 29774421;OJVM RELEASE UPDATE: 19.4.0.0.190716 (29774421) 29585399;OCW RELEASE UPDATE 19.3.0.0.0 (29585399) OPatch succeeded.
Changing the filesystem back to read-only
Basically, reverting the changes in /etc/fstab from above and umount + mount the filesystem afterwards.
Run datapatch
After opening the database in upgrade mode, I’ll try to run datapatch:
oracle@dirac:~/ [ROCDB] $ORACLE_HOME/OPatch/datapatch -verbose SQL Patching tool version 19.4.0.0.0 Production on Sat Aug 3 13:48:52 2019 Copyright (c) 2012, 2019, Oracle. All rights reserved. Log file for this invocation: /u00/app/oracle/cfgtoollogs/sqlpatch/sqlpatch_10593_2019_08_03_13_48_52/sqlpatch_invocation.log Connecting to database…OK Gathering database info…done Note: Datapatch will only apply or rollback SQL fixes for PDBs that are in an open state, no patches will be applied to closed PDBs. Please refer to Note: Datapatch: Database 12c Post Patch SQL Automation (Doc ID 1585822.1) Bootstrapping registry and package to current versions…done Determining current state…done Current state of interim SQL patches: Interim patch 29774421 (OJVM RELEASE UPDATE: 19.4.0.0.190716 (29774421)): Binary registry: Installed PDB CDB$ROOT: Not installed PDB PDB$SEED: Not installed PDB ROPDB: Not installed Current state of release update SQL patches: Binary registry: 19.4.0.0.0 Release_Update 190626171128: Installed PDB CDB$ROOT: No release update patches installed PDB PDB$SEED: No release update patches installed PDB ROPDB: No release update patches installed Adding patches to installation queue and performing prereq checks…done Installation queue: For the following PDBs: CDB$ROOT PDB$SEED ROPDB No interim patches need to be rolled back Patch 29834717 (Database Release Update : 19.4.0.0.190716 (29834717)): Apply from 19.1.0.0.0 Feature Release to 19.4.0.0.0 Release_Update 190626171128 The following interim patches will be applied: 29774421 (OJVM RELEASE UPDATE: 19.4.0.0.190716 (29774421)) Error: prereq checks failed! patch 29517242: Archive::Zip->writeToFileNamed returned 4 patch 29774421: Archive::Zip->writeToFileNamed returned 4 patch 29834717: Archive::Zip->writeToFileNamed returned 4 Prereq check failed, exiting without installing any patches. Please refer to MOS Note 1609718.1 and/or the invocation log /u00/app/oracle/cfgtoollogs/sqlpatch/sqlpatch_10593_2019_08_03_13_48_52/sqlpatch_invocation.log for information on how to resolve the above errors. SQL Patching tool complete on Sat Aug 3 13:49:27 2019
==> So DataPatch does not work when the filesystem is read-only.
Datapatch creates scripts for applying and rolling back the changes and tries to write these scripts into the directory /u00/app/oracle/product/19.0.0.0/sqlpatch//.. which is inside $ORACLE_HOME and therefore cannot be written.
The obvious workaround is to change the filesystem back to read-only-mode after running datapatch.
I ran a second test with 2 unpatched 19c databases (19.3). After I had patched the software and the first database (a CDB in my case) I switched the filesystem back to read-only.
Then I ran datapatch for the second database (a Non-CDB). And datapatch completed without any issues (because the apply and rollback scripts were already there).
What does Oracle say?
There’s nothing in the docs so I raised a service request on this topic, but I had the impression that the support engineer did not really understand my question.
I don’t want to copy the SR into this post, but in short the communication was like:
Me: Can I set the filesystem with the $ORACLE_HOME in read-only-mode after I made the Oracle-Home a read-only-Oracle-Home (“roohctl -enable”)
Support: You don’t need to set the filesystem in read-only mode, there’s a feature “read-only-Oracle-Home”
Me: I know that there is this new feature, but can I set filesystem with the $ORACLE_HOME in read-only-mode after I made the Oracle-Home a read-only-Oracle-Home (“roohctl -enable”). This would prevent accidental modification or removal of the software
Support: This is not the purpose of the read-only home […] Starting with Oracle Database 18c, you can configure an Oracle home in read-only mode. …
Me: Once again, can I set the filesystem …
Support: No, it’s not supported.
I don’t want to blame the support guy. We are all human beings. There are good support engineers and bad support engineers. And good support engineers have bad days and not everyone knows every feature in detail. And sometimes there’s a lot of misunderstanding in such a conversation via My-Oracle-Support.
Conclusion:
- Running a read-only-Oracle-Home on a read-only-filesystem works, except for patching (software and first database)
- I got the information that it is not supported
- I consider the name of the feature, “read-only-Oracle-Home”, misleading. “Software-only-Oracle-Home” would have been a better name (in my opinion) because it describes better, what Oracle does: separating software and configuration files
Update (05-AUG-2019):
Wenn using the demos, you have to copy the directories containing information on the demos to ORACLE_BASE_HOME = ($ORACLE_BASE/homes/<HOME_NAME> and creating a link from your Oracle installation to the directory in ORACLE_BASE_HOME). This could be a solution for the issues with sqlpatch, too (not tested yet).
More Information:
- Oracle-Documentation – Database Installation Guide: https://docs.oracle.com/en/database/oracle/oracle-database/19/ladbi/configuring-read-only-oracle-homes.html#GUID-906DA159-AC83-4ACC-A8A6-5B4A39EB72
- Tim Hall (oracle-base.com) on “read-only-oracle-home”: https://oracle-base.com/articles/18c/read-only-oracle-homes-18c
Ad (Amazon-Partner-Link)