Oracle 18c/19c: Running a “read-only-Oracle-home” on a read-only-filesystem

2019-08-03 Off By Markus Flechtner

In Oracle 18c Oracle introduced a new feature, called “read-only-Oracle-Home”. By configuring an Oracle-Home-directory of your RDBMS-installation as “read-only”, Oracle will place all the configuration files like spfile etc. outside the directory tree of your $ORACLE_HOME and will basically move them to “$ORACLE_BASE/dbs” and “$ORACLE_BASE/homes”. But if the software is “read-only”, can we place the $ORACLE_HOME-directory in a separate filesystem which will be mounted “read-only” during normal operation? This would help to avoid accidental modifications or an accidental removal of the software. Let’s test it. 

TL, DR: Running a “read-only-Oracle-home” on a read-only-filesystem works, except for patching (software + datapatch for the first database). According to the information I got from Oracle Support it is not supported.

My test server is VirtualBox based VM, running Oracle Linux 7.6. I’ve got several filesystems for the Oracle stuff:

 
 
 
 

 [root@dirac ~]# df -h |grep /u0
 /dev/mapper/ol_orafs-lv_u02           15G   33M   15G   1% /u02
 /dev/mapper/ol_orafs-lv_u01           30G   33M   30G   1% /u01
 /dev/mapper/ol_orafs-lv_u00           35G   66M   35G   1% /u00
 /dev/mapper/ol_rdbms19-lv_rdbms19     19G   33M   19G   1% /u00/app/oracle/product/19.0.0.0
 

 [root@dirac ~]# mount |grep /u0
 /dev/mapper/ol_orafs-lv_u02 on /u02 type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
 /dev/mapper/ol_orafs-lv_u01 on /u01 type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
 /dev/mapper/ol_orafs-lv_u00 on /u00 type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
 /dev/mapper/ol_rdbms19-lv_rdbms19 on /u00/app/oracle/product/19.0.0.0 type xfs (rw,relatime,seclabel,attr2,inode64,noquota) 

Usually, I store Oracle software in /u00, so it is a little bit larger than required in the current test. And you can see that there is a specific mount for my new Oracle Home (/u00/app/oracle/product/19.0.0.0).
The datafiles will be stored in /u01, /u02 serves as the location for the Fast-Recovery-Area (FRA).

Install RDBMS Software

The installation of the RDBMS software is straight-forward and does not differ to other installations, so I’ll skip the documentation of this step in this post.

Enable Read-Only Oracle Home

The tool for enabling a read-only-Oracle-HOME is “roohctl”.

oracle@dirac:~/ [rdbms19] echo $ORACLE_HOME
 /u00/app/oracle/product/19.0.0.0
 oracle@dirac:~/ [rdbms19] roohctl -help
 Usage:  roohctl [] [
 ]
 Following are the possible flags:
     -help
 Following are the possible commands:
     -enable Enable Read-only Oracle Home
         [-nodeList List of nodes in a cluster environment]

(Roohctl -disable is available, too, but is not documented)

oracle@dirac:~/ [rdbms19] roohctl -enable
 Enabling Read-Only Oracle home.
 Update orabasetab file to enable Read-Only Oracle home.
 Orabasetab file has been updated successfully.
 Create bootstrap directories for Read-Only Oracle home.
 Bootstrap directories have been created successfully.
 Bootstrap files have been processed successfully.
 Read-Only Oracle home has been enabled successfully.
 Check the log file /u00/app/oracle/cfgtoollogs/roohctl/roohctl-190803AM092606.log for more details.
oracle@dirac:/u00/app/oracle/product/19.0.0.0/ [rdbms19] cd $ORACLE_BASE
 oracle@dirac:/u00/app/oracle/ [rdbms19] ls -l
 total 8
 drwxr-x---.  3 oracle oinstall   21 Aug  3 09:25 cfgtoollogs
 drwxr-xr-x.  2 oracle oinstall    6 Aug  3 09:20 checkpoints
 drwxr-x---.  2 oracle oinstall    6 Aug  3 09:26 dbs                    <-- contains spfiles, password files
 drwxrwxr-x. 23 oracle oinstall 4096 Aug  3 09:20 diag
 drwxr-xr-x.  2 oracle oinstall   20 Jun 14 23:21 etc
 drwxr-x---.  3 oracle oinstall   26 Aug  3 09:26 homes                <-- contains home-specific files
 drwxr-xr-x.  3 oracle oinstall   22 Jun 14 23:22 product
 oracle@dirac:/u00/app/oracle/ [rdbms19] cd homes
 /u00/app/oracle/homes
 oracle@dirac:/u00/app/oracle/homes/ [rdbms19] ls -l
 total 0
 drwxr-x---. 7 oracle oinstall 78 Aug  3 09:26 OraDB19Home1
 oracle@dirac:/u00/app/oracle/homes/ [rdbms19] cd OraDB19Home1/
 /u00/app/oracle/homes/OraDB19Home1
 oracle@dirac:/u00/app/oracle/homes/OraDB19Home1/ [rdbms19] ls -l
 total 0
 drwxr-x---. 3 oracle oinstall 18 Aug  3 09:26 assistants
 drwxr-x---. 2 oracle oinstall  6 Aug  3 09:26 dbs
 drwxr-x---. 2 oracle oinstall  6 Aug  3 09:26 install
 drwxr-x---. 5 oracle oinstall 43 Aug  3 09:26 network
 drwxr-x---. 4 oracle oinstall 30 Aug  3 09:26 rdbms

You can check wether your Oracle-Home is an R/O-Home by running

oracle@dirac:~/ [rdbms19] orabasehome
 /u00/app/oracle/homes/OraDB19Home1

When it returns your $ORACLE_HOME-directory, your home is not a read-only-Oracle-Home

The configuration information is stored in $ORACLE_HOME/install/orabasetab

oracle@dirac:/u00/app/oracle/product/19.0.0.0/install/ [rdbms19] cat orabasetab
 orabasetab file is used to track Oracle Home associated with Oracle Base
 /u00/app/oracle/product/19.0.0.0:/u00/app/oracle:OraDB19Home1:Y:

Enhancement request: Hello Oracle, please add a checkbox in the installer resp. a parameter in the response file so that the ORACLE_HOME can be made “read only” automatically during the installation.

Mount /u00/app/oracle/product/19.0.0.0/ read-only

After configuration the Oracle-Home as a read-only-Oracle-home we can mount the filesystem read-only.

Change /etc/fstab as root:

/dev/mapper/ol_rdbms19-lv_rdbms19 /u00/app/oracle/product/19.0.0.0 xfs    defaults    0 0
 /dev/mapper/ol_rdbms19-lv_rdbms19 /u00/app/oracle/product/19.0.0.0 xfs    ro    0 0

Unmount and mount the filesystem

root@dirac:/home/oracle/ [rdbms19] umount /u00/app/oracle/product/19.0.0.0
 root@dirac:/home/oracle/ [rdbms19] mount /u00/app/oracle/product/19.0.0.0
 root@dirac:/home/oracle/ [rdbms19] exit
 exit

Test it:

oracle@dirac:~/ [rdbms19] cd $ORACLE_HOME
 oracle@dirac:/u00/app/oracle/product/19.0.0.0/ [rdbms19] touch TEST
 touch: cannot touch ‘TEST’: Read-only file system

Which Software do we have installed?

oracle@dirac:/u00/app/oracle/product/19.0.0.0/ [rdbms19] $ORACLE_HOME/OPatch/opatch lspatches
 OPatch could not create/open history file for writing.
 29585399;OCW RELEASE UPDATE 19.3.0.0.0 (29585399)
 29517242;Database Release Update : 19.3.0.0.190416 (29517242)
 OPatch succeeded.
 oracle@dirac:/u00/app/oracle/product/19.0.0.0/ [rdbms19] cd
 oracle@dirac:~/ [rdbms19] $ORACLE_HOME/OPatch/opatch lspatches
 OPatch could not create/open history file for writing.
 29585399;OCW RELEASE UPDATE 19.3.0.0.0 (29585399)
 29517242;Database Release Update : 19.3.0.0.190416 (29517242)
 OPatch succeeded.

In the second line you can see the first issue with the R/O-filesystem:
OPatch wants to write into a history file which is located somewhere in the $ORACLE_HOME-tree. This is annoying, but no real loss of functionality.

Configure and start a listener

When not using $TNS_ADMIN, the Oracle Net config files are stored in $ORACLE_BASE/homes/<HOME_NAME>/network/admin.

In my case, configuring and starting the listener was straightforward and there were no issues, so I’ll skip the details.

Create a database

I’m using DBCA in this case and I’ll skip all the configuration steps in this post. There were no issues.

Patching the software

Let’s apply the release update RU 19.4 (July). Obviously, the file system with the Oracle software must be mounted read-write before patching the software:

For preparing patching, this means:

  1. Stop database instance and listener
  2. Unmount the filesystem /u00/app/oracle/product/19.0.0.0
  3. Mount the filesystem /u00/app/oracle/product/19.0.0.0 read-write

Changing the filesystem to read-write:

Modify /etc/fstab as root:

/dev/mapper/ol_rdbms19-lv_rdbms19 /u00/app/oracle/product/19.0.0.0 xfs    defaults    0 0
 /dev/mapper/ol_rdbms19-lv_rdbms19 /u00/app/oracle/product/19.0.0.0 xfs    ro    0 0

Unmount and mount the filesystem:

root@dirac:/home/oracle/ [ROCDB] umount /u00/app/oracle/product/19.0.0.0
 root@dirac:/home/oracle/ [ROCDB] mount /u00/app/oracle/product/19.0.0.0
 root@dirac:/home/oracle/ [ROCDB] exit
 exit
 oracle@dirac:~/ [ROCDB] cdh
 oracle@dirac:/u00/app/oracle/product/19.0.0.0/ [ROCDB] touch TEST
 oracle@dirac:/u00/app/oracle/product/19.0.0.0/ [ROCDB] rm TEST

Patching the software is done as usual, simply run “opatch apply” for the patches to be applied.

oracle@dirac:/u00/app/oracle/product/19.0.0.0/ [ROCDB] $ORACLE_HOME/OPatch/opatch lspatches
 29834717;Database Release Update : 19.4.0.0.190716 (29834717)
 29774421;OJVM RELEASE UPDATE: 19.4.0.0.190716 (29774421)
 29585399;OCW RELEASE UPDATE 19.3.0.0.0 (29585399)
OPatch succeeded.

Changing the filesystem back to read-only

Basically, reverting the changes in /etc/fstab from above and umount + mount the filesystem afterwards.

Run datapatch

After opening the database in upgrade mode, I’ll try to run datapatch:

oracle@dirac:~/ [ROCDB] $ORACLE_HOME/OPatch/datapatch -verbose
 SQL Patching tool version 19.4.0.0.0 Production on Sat Aug  3 13:48:52 2019
 Copyright (c) 2012, 2019, Oracle.  All rights reserved.
 Log file for this invocation: /u00/app/oracle/cfgtoollogs/sqlpatch/sqlpatch_10593_2019_08_03_13_48_52/sqlpatch_invocation.log
 Connecting to database…OK
 Gathering database info…done
 Note:  Datapatch will only apply or rollback SQL fixes for PDBs
        that are in an open state, no patches will be applied to closed PDBs.
        Please refer to Note: Datapatch: Database 12c Post Patch SQL Automation
        (Doc ID 1585822.1)
 Bootstrapping registry and package to current versions…done
 Determining current state…done
 Current state of interim SQL patches:
 Interim patch 29774421 (OJVM RELEASE UPDATE: 19.4.0.0.190716 (29774421)):
   Binary registry: Installed
   PDB CDB$ROOT: Not installed
   PDB PDB$SEED: Not installed
   PDB ROPDB: Not installed
 Current state of release update SQL patches:
   Binary registry:
     19.4.0.0.0 Release_Update 190626171128: Installed
   PDB CDB$ROOT:
     No release update patches installed
   PDB PDB$SEED:
     No release update patches installed
   PDB ROPDB:
     No release update patches installed
 Adding patches to installation queue and performing prereq checks…done
 Installation queue:
   For the following PDBs: CDB$ROOT PDB$SEED ROPDB
     No interim patches need to be rolled back
     Patch 29834717 (Database Release Update : 19.4.0.0.190716 (29834717)):
       Apply from 19.1.0.0.0 Feature Release to 19.4.0.0.0 Release_Update 190626171128
     The following interim patches will be applied:
       29774421 (OJVM RELEASE UPDATE: 19.4.0.0.190716 (29774421))
 Error: prereq checks failed!
   patch 29517242: Archive::Zip->writeToFileNamed returned 4
   patch 29774421: Archive::Zip->writeToFileNamed returned 4
   patch 29834717: Archive::Zip->writeToFileNamed returned 4
 Prereq check failed, exiting without installing any patches.
 Please refer to MOS Note 1609718.1 and/or the invocation log
 /u00/app/oracle/cfgtoollogs/sqlpatch/sqlpatch_10593_2019_08_03_13_48_52/sqlpatch_invocation.log
 for information on how to resolve the above errors.
 SQL Patching tool complete on Sat Aug  3 13:49:27 2019

==> So DataPatch does not work when the filesystem is read-only.

Datapatch creates scripts for applying and rolling back the changes and tries to write these scripts into the directory /u00/app/oracle/product/19.0.0.0/sqlpatch//.. which is inside $ORACLE_HOME and therefore cannot be written.

The obvious workaround is to change the filesystem back to read-only-mode after running datapatch.

I ran a second test with 2 unpatched 19c databases (19.3). After I had patched the software and the first database (a CDB in my case) I switched the filesystem back to read-only.
Then I ran datapatch for the second database (a Non-CDB). And datapatch completed without any issues (because the apply and rollback scripts were already there).

What does Oracle say?

There’s nothing in the docs so I raised a service request on this topic, but I had the impression that the support engineer did not really understand my question.
I don’t want to copy the SR into this post, but in short the communication was like:

Me: Can I set the filesystem with the $ORACLE_HOME in read-only-mode after I made the Oracle-Home a read-only-Oracle-Home (“roohctl -enable”)
Support: You don’t need to set the filesystem in read-only mode, there’s a feature “read-only-Oracle-Home”
Me: I know that there is this new feature, but can I set filesystem with the $ORACLE_HOME in read-only-mode after I made the Oracle-Home a read-only-Oracle-Home (“roohctl -enable”). This would prevent accidental modification or removal of the software
Support: This is not the purpose of the read-only home […] Starting with Oracle Database 18c, you can configure an Oracle home in read-only mode. …
Me: Once again, can I set the filesystem …
Support: No, it’s not supported.

I don’t want to blame the support guy. We are all human beings. There are good support engineers and bad support engineers. And good support engineers have bad days and not everyone knows every feature in detail. And sometimes there’s a lot of misunderstanding in such a conversation via My-Oracle-Support.

Conclusion:

  1. Running a read-only-Oracle-Home on a read-only-filesystem works, except for patching (software and first database)
  2. I got the information that it is not supported
  3. I consider the name of the feature, “read-only-Oracle-Home”, misleading. “Software-only-Oracle-Home” would have been a better name (in my opinion) because it describes better, what Oracle does: separating software and configuration files

Update (05-AUG-2019):

Wenn using the demos, you have to copy the directories containing information on the demos to ORACLE_BASE_HOME = ($ORACLE_BASE/homes/<HOME_NAME> and creating a link from your Oracle installation to the directory in ORACLE_BASE_HOME). This could be a solution for the issues with sqlpatch, too (not tested yet).

More Information:

Ad (Amazon-Partner-Link)