Open window

Think globally, act locally!!

Oracle 10g installation on Solaris October 13, 2009

Filed under: Solaris — Sheikh Jafar Tarique @ 10:36 am

# Pre-installation task:

# First of all following users and groups should be created

1. Group dba, oper (optional), oinstall
2. user oracle having oinstall as primary group

use the following commands to create required groups and user (as root user)

groupadd oinstall

groupadd dba
groupadd oper
useradd -g oinstall -G dba[,oper] -d /export/home/oracle -s /usr/bin/bash -m oracle
passwd -r files oracle

# if user nobody does not exist then create it

useradd nobody

# Now, as root user, create a project for oracle so that all resources can be allocated to this project

projadd oracle

# kernel parameters: oracle recommends the following kernel parameters to be set to recommended value
# the values can be set in /etc/system file in solaris as the following syntax
# set parameter-name=value
# editing system file is deprecated and solaris recommends using projmod command to do so

Parameter                Replaced by Resource Control    Recommended Value
noexec_user_stack        NA                              1
semsys:seminfo_semmni    project.max-sem-ids             100
semsys:seminfo_semmns    NA                              1024
semsys:seminfo_semmsl    project.max-sem-nsems           256
semsys:seminfo_semvmx    NA                              32767
shmsys:shminfo_shmmax    project.max-shm-memory          4294967295
shmsys:shminfo_shmmin    NA                              1
shmsys:shminfo_shmmni    project.max-shm-ids             100
shmsys:shminfo_shmseg    NA                              10

# you can view the current values of these parameters as follows

prctl -n project.max-shm-memory -i project oracle

# you can set the values permanently by the following command (as root)

projmod -sK "project.max-shm-memory=(privileged,2G,deny)" oracle

# Directories

# create ORACLE_BASE directory

mkdir -p /mount_point/app/oracle_sw_owner
chown -R oracle:oinstall /mount_point/app/oracle_sw_owner
chmod -R 775 /mount_point/app/oracle_sw_owner

# now export the base directory as an environment variable, which lets the oracle installer handle
# creation of the oracle_home and oraInventory directories

export ORACLE_BASE=/mount_point/app/oracle_sw_owner

# Storage option :

# if you plan to use file system as database storage you have to do the following. It is good practice
# that the database storage be in separate file system (i.e. in separate partition)

mkdir /mount_point/oradata
chown oracle:oinstall /mount_point/oradata
chmod 775 /mount_point/oradata

# if you plan to use recovery then you have to create a flash_recovery area

mkdir /mount_point/flash_recovery_area
chown oracle:oinstall /mount_point/flash_recovery_area
chmod 775 /mount_point/flash_recovery_area

# If you plan to use Automatic Storage Management (ASM) as storage option then you have to create a disk group and
# instance. you have to do the following in case of creating a disk group consisting of only one solaris partition/slice.
# To do so, first check whether the partition is mounted or not by

df -k

# if the partition is mounted then unmount it and remove the entry corresponding to that partition from /etc/vfstab

# now set the ownership and permission of the partition to oracle as follows (replace c0d0s4 accordingly)

chown oracle:dba /dev/dsk/c0d0s4
chmod 660 /dev/dsk/c0d0s4

# Now you have to set some environment variables for user oracle. edit the file .profile in oracle’s home directory
# by invoking

vi ~/.profile

umask 022
unset ORACLE_HOME

# activate these changes without restarting or logging in again by invoking

. ./.profile

# To verify that the environment has been set correctly, enter the following commands. the first
# command will output 0022 and second will show the list of env. variables.

umask
env | more

# Now run the oracle universal installer invoking …

/path/to/oracle/runInstaller

orcl
# Universal Installer choice

1. Installation Method – Basic – /path/to/orahome – DBA group oinstall should be selected.
2. Inventory Directory – /path/to/inventoryDir – group oinstall needs to be selected
3. Product-specific – see if every check succeeded
4. make note of URLs of various web-based tools

# Installing Automatic storage management (single partition as disk group)

1. run universal installer
2. select Advanced Installation
3. specify home directory
4. select Configure … ASM in configuration option screen
5. Provide Disk group name
6. Redundancy level-external
7. The partition you have prepared earlier will appear as the candidate disk. select it and press next

# In database creation screen make note of database SID.
# After installation is finished the installer provides three URL’s

http://urmachine:1158/em (which is oracle enterprise manager)
http://urmachine:5560/isqlplus (iSQL*Plus web interface)
http://urmachine:5560/isqlplus/dba (iSQL*Plus DBA web interface)

# use the first link to create a user; with that username and password you can log in to the second URL
# and invoke sql statements using the web interface.

# the third URL is for those users with dba privileges. this URL requires server authentication.
# to use this URL you have to create a user in the iSQL*Plus DBA realm in oracle http server and grant the webDba
# role to that user. To do so follow these steps.

cd /path/to/oracle/home/     # i.e. $ORACLE_BASE/oracle/product/10.2.0/db_1
cp oc4j/j2ee/isqlplus/application-deployments/isqlplus/config/jazn-data.xml config/
cp oc4j/j2ee/isqlplus/application-deployments/isqlplus/config/jazn.xml config/
jdk/bin/java -Djava.security.properties=$ORACLE_HOME/oc4j/j2ee/home/config/jazn.security.props -jar \
$ORACLE_HOME/oc4j/j2ee/home/jazn.jar -user "iSQL*Plus DBA/admin" -password welcome -shell

# this will start the oracle server’s authorization provider’s (JAZN) shell

jazn>

# at that shell invoke the following

jazn> adduser "iSQL*Plus DBA" username password
jazn> grantrole webDba "iSQL*Plus DBA" username

# check that your user is created

jazn> listusers "iSQL*Plus DBA"

# Now log in with the username and password you’ve just created at the 3rd URL that the oracle installer provided.
# you have to provide the sysdba username and password again.

# We are almost done with oracle 10g basic installation in solaris. One problem I have encountered is that
# when I restarted my machine after installation I could not connect to the database with the URLs. the following
# error shows..

ORACLE not found. ORA-…. shared memory realm does not exist .Error 2. no such file or directory.

# this is because after reboot the database instance is not started. so to have everything start at system bootup
# provide a script as follows. before that you have to do something…

# open the file /var/opt/oracle/oratab in your favourite editor. at the end of this file all the databases are listed like this

orcl:/oracle/app/oracle/oracle/product/10.2.0/db_1:Y

# if you install 2 database then you’ll have 2 such lines in this file .if the lines contain N at the end this means
# this database won’t be started during system bootup. change it to Y as above to make the database instance to start
# at system bootup

vi /etc/init.d/dbora

#!/usr/bin/bash
# ORACLE_BASE is not inherited at boot, so set it here to the base directory chosen earlier
ORACLE_BASE=/mount_point/app/oracle_sw_owner
ORA_HOME=$ORACLE_BASE/oracle/product/10.2.0/db_1
ORA_OWNER=oracle
# Refuse to continue if the Oracle home does not contain dbstart
if [ ! -f $ORA_HOME/bin/dbstart ]
then
    echo "Oracle startup: cannot start"
    exit 1
fi
case "$1" in
'start') # Start the Oracle databases and listeners
    su - $ORA_OWNER -c "$ORA_HOME/bin/dbstart $ORA_HOME"
    su - $ORA_OWNER -c "$ORA_HOME/bin/lsnrctl start LISTENER"
    su - $ORA_OWNER -c "$ORA_HOME/bin/emctl start dbconsole"
    su - $ORA_OWNER -c "$ORA_HOME/bin/isqlplusctl start"
    ;;
'stop') # Stop the Oracle databases and listeners
    su - $ORA_OWNER -c "$ORA_HOME/bin/isqlplusctl stop"
    su - $ORA_OWNER -c "$ORA_HOME/bin/emctl stop dbconsole"
    su - $ORA_OWNER -c "$ORA_HOME/bin/lsnrctl stop"
    su - $ORA_OWNER -c "$ORA_HOME/bin/dbshut $ORA_HOME"
    ;;
esac

# now change this ownership and permission as follows

chown root:sys /etc/init.d/dbora
chmod 744 /etc/init.d/dbora

# now do this so that this script is called everytime the system boots up or shuts down.

cp /etc/init.d/dbora /etc/rc0.d/K10dbora
chown root:sys /etc/rc0.d/K10dbora
chmod 744 /etc/rc0.d/K10dbora

cp /etc/init.d/dbora /etc/rc2.d/S99dbora
chown root:sys /etc/rc2.d/S99dbora
chmod 744 /etc/rc2.d/S99dbora

# one little thing just add the following things to ~/.profile of the user oracle

ORACLE_BASE=/path/to/oracle/base; export ORACLE_BASE    # the base directory you’ve set earlier
ORACLE_HOME=$ORACLE_BASE/oracle/product/10.2.0/db_1; export ORACLE_HOME
ORACLE_SID=orcl; export ORACLE_SID    # replace orcl with the SID that you noted during installation
PATH=$PATH:/usr/local/bin:$ORACLE_HOME/bin; export PATH

# Now reboot your machine .. and you are done..

 

Binding NRPE with inetd/xinetd On Solaris 10 August 23, 2009

Filed under: Solaris — Sheikh Jafar Tarique @ 8:28 pm

Modify the nrpe.cfg file with your settings:

vi /usr/local/nagios/etc/nrpe.cfg

With Solaris 10, we don’t use either inetd or xinetd, but SMF. Thankfully, we can convert inetd entries into the SMF repository with the inetconv command. So first, add the following entry to /etc/services:

nrpe 5666/tcp # NRPE

Then add the following line to the end of /etc/inet/inetd.conf:

nrpe stream tcp nowait nagios /usr/sfw/sbin/tcpd /usr/local/nagios/bin/nrpe -c /usr/local/nagios/etc/nrpe.cfg -i

Next, we need to convert it to SMF:

# inetconv
nrpe -> /var/svc/manifest/network/nrpe-tcp.xml
Importing nrpe-tcp.xml …Done
# inetconv -e
svc:/network/nrpe/tcp:default enabled

Check to make sure it went online:

# svcs svc:/network/nrpe/tcp:default
STATE STIME FMRI
online 15:53:39 svc:/network/nrpe/tcp:default
# netstat -a | grep nrpe
*.nrpe *.* 0 0 49152 0 LISTEN

Check the default installed parameters:

# inetadm -l svc:/network/nrpe/tcp:default
SCOPE NAME=VALUE
name="nrpe"
endpoint_type="stream"
proto="tcp"
isrpc=FALSE
wait=FALSE
exec="/usr/sfw/sbin/tcpd -c /usr/local/nagios/etc/nrpe.cfg -i"
arg0="/usr/local/nagios/bin/nrpe"
user="nagios"
default bind_addr=""
default bind_fail_max=-1
default bind_fail_interval=-1
default max_con_rate=-1
default max_copies=-1
default con_rate_offline=-1
default failrate_cnt=40
default failrate_interval=60
default inherit_env=TRUE
default tcp_trace=FALSE
default tcp_wrappers=FALSE
default connection_backlog=10

Change it so that it uses tcp_wrappers:

# inetadm -m svc:/network/nrpe/tcp:default tcp_wrappers=TRUE

And check to make sure it took effect:

# inetadm -l svc:/network/nrpe/tcp:default
SCOPE NAME=VALUE
name="nrpe"
endpoint_type="stream"
proto="tcp"
isrpc=FALSE
wait=FALSE
exec="/usr/sfw/sbin/tcpd -c /usr/local/nagios/etc/nrpe.cfg -i"
arg0="/usr/local/nagios/bin/nrpe"
user="nagios"
default bind_addr=""
default bind_fail_max=-1
default bind_fail_interval=-1
default max_con_rate=-1
default max_copies=-1
default con_rate_offline=-1
default failrate_cnt=40
default failrate_interval=60
default inherit_env=TRUE
default tcp_trace=FALSE
tcp_wrappers=TRUE
default connection_backlog=10

[Optional, but a security concern] Modify your hosts.allow and hosts.deny to allow only your nagios server to access the NRPE port. Note that tcpd always looks at hosts.allow first, so even though we specify that everyone is rejected in the hosts.deny file, the IP addresses specified in hosts.allow are allowed.

/etc/hosts.allow:

nrpe: LOCAL, 10.0.0.45

/etc/hosts.deny:

nrpe: ALL
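
The allow-first evaluation order described above, as an added example that is not part of the original post: a simplified shell model of the tcpd decision, run against constructed copies of the two files. The function names and temporary paths are assumptions of this example, and the optional host name argument stands in for the name tcpd would look up itself.

```shell
#!/bin/sh
# Added example (not from the original post): simplified model of how tcpd
# decides access. Handles ALL, LOCAL, exact addresses and "a.b." prefixes;
# netmasks, wildcards, EXCEPT and option fields are not modelled.

# rule_matches FILE DAEMON ADDR HOSTNAME -> exit status 0 if a rule matches
rule_matches() (
    file=$1; daemon=$2; addr=$3; host=$4
    set -f                                  # no globbing while splitting lists
    [ -r "$file" ] || exit 1
    while IFS= read -r line; do
        line=${line%%#*}                    # strip comments
        case $line in *:*) ;; *) continue ;; esac
        daemons=$(printf '%s' "${line%%:*}" | tr ',' ' ')
        rest=${line#*:}
        clients=$(printf '%s' "${rest%%:*}" | tr ',' ' ')
        hit=no
        for d in $daemons; do
            if [ "$d" = ALL ] || [ "$d" = "$daemon" ]; then hit=yes; fi
        done
        if [ "$hit" = no ]; then continue; fi
        for c in $clients; do
            case $c in
                ALL)   exit 0 ;;
                LOCAL) case $host in ''|*.*) ;; *) exit 0 ;; esac ;;  # name without a dot
                *.)    case $addr in "$c"*) exit 0 ;; esac ;;         # address prefix
                *)     if [ "$c" = "$addr" ]; then exit 0; fi ;;
            esac
        done
    done < "$file"
    exit 1
)

# tcpd_decision DAEMON ADDR HOSTNAME ALLOW_FILE DENY_FILE -> prints allow|deny
tcpd_decision() {
    if rule_matches "$4" "$1" "$2" "$3"; then echo allow      # hosts.allow is read first
    elif rule_matches "$5" "$1" "$2" "$3"; then echo deny
    else echo allow                                           # no matching rule: access granted
    fi
}

# Constructed sample files holding the two entries from the post.
demo=$(mktemp -d)
printf 'nrpe: LOCAL, 10.0.0.45\n' > "$demo/hosts.allow"
printf 'nrpe: ALL\n'              > "$demo/hosts.deny"
: > "$demo/empty"

for probe in "10.0.0.45:" "127.0.0.1:localhost" "10.0.0.46:"; do
    addr=${probe%%:*}; host=${probe#*:}
    echo "$addr -> $(tcpd_decision nrpe "$addr" "$host" "$demo/hosts.allow" "$demo/hosts.deny")"
done
echo "10.0.0.46, empty hosts.deny -> $(tcpd_decision nrpe 10.0.0.46 '' "$demo/hosts.allow" "$demo/empty")"
```

The last probe shows why the hosts.deny entry matters: with no deny rule, a client that is absent from hosts.allow is still let through.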

Finally, check to make sure you have everything installed correctly (should return version information):

/usr/local/nagios/libexec/check_nrpe -H localhost
NRPE v2.12
You may get "CHECK_NRPE: Error - Could not complete SSL handshake". A quick solution to this is either to download and install the SUNWcry and SUNWcryr packages, which are export controlled (you are looking for the /usr/sfw/lib/libssl_extras.so.X.Y.Z library), or to change line 222 of src/nrpe.c like this and recompile:

- SSL_CTX_set_cipher_list(ctx,"ADH");
+ SSL_CTX_set_cipher_list(ctx,"ADH:-ADH-AES256-SHA");

Optionally, modify any firewalls between your nagios server and the remote host to allow port 5666.
Don’t forget to configure your nagios server to check your new service.

 

issues while compiling NRPE on Sparc Solaris August 21, 2009

Filed under: Solaris — Sheikh Jafar Tarique @ 4:07 am

Normally at this point we would just run `cd nrpe-2.12; ./configure`. Unfortunately, the configure script cannot find the SSL headers and libraries on Solaris 10. You get errors like this:

checking for SSL headers… configure: error: Cannot find ssl headers

checking for SSL libraries… configure: error: Cannot find ssl libraries

The answer to this is, of course, to tell configure where to find them:

cd nrpe-2.12
./configure --with-ssl=/usr/sfw/ --with-ssl-lib=/usr/sfw/lib/

Currently there is a bug in 2.12 that it assumes that all systems have 2 syslog facilities that Solaris doesn’t have, so if you try and compile it generates the following errors:

nrpe.c: In function `get_log_facility':
nrpe.c:617: error: `LOG_AUTHPRIV' undeclared (first use in this function)
nrpe.c:617: error: (Each undeclared identifier is reported only once
nrpe.c:617: error: for each function it appears in.)
nrpe.c:619: error: `LOG_FTP' undeclared (first use in this function)
*** Error code 1
make: Fatal error: Command failed for target `nrpe'
Current working directory /usr/local/src/nrpe-2.12/src
*** Error code 1
make: Fatal error: Command failed for target `all'

Unfortunately, the fix at this time is to comment out the code that calls these two facilities, lines 616-619, in src/nrpe.c:

/*else if(!strcmp(varvalue,"authpriv"))
    log_facility=LOG_AUTHPRIV;
else if(!strcmp(varvalue,"ftp"))
    log_facility=LOG_FTP;*/

UPDATE: You no longer need to comment out these lines, just replace them with the following:

else if(!strcmp(varvalue,"authpriv"))
    log_facility=LOG_AUTH;
else if(!strcmp(varvalue,"ftp"))
    log_facility=LOG_DAEMON;

Now it will compile:

# make all
cd ./src/; make ; cd ..
gcc -g -O2 -I/usr/sfw//include/openssl -I/usr/sfw//include -DHAVE_CONFIG_H -o nrpe nrpe.c utils.c -L/usr/sfw/lib/ -lssl -lcrypto -lnsl -lsocket ./snprintf.o
gcc -g -O2 -I/usr/sfw//include/openssl -I/usr/sfw//include -DHAVE_CONFIG_H -o check_nrpe check_nrpe.c utils.c -L/usr/sfw/lib/ -lssl -lcrypto -lnsl -lsocket

*** Compile finished ***
NB:
Moreover, if you want to compile for a user and group other than the defaults (nagios and nagios), you need to change them by hand in the primary Makefile and in src/Makefile to the user you want.

 

Open-Solaris VPNC August 18, 2009

Filed under: Solaris — Sheikh Jafar Tarique @ 5:16 am

Connecting Opensolaris to a Cisco VPN, (thanks for the head start!) but some changes were needed for my system. (2008.11)

pkg install sunstudioexpress
export CC=/opt/SunStudioExpress/bin/cc

Download the tun/tap driver from Kazuyoshi.

run ./configure and then you will need to edit the Makefile (for x64 only!)

Change these options

modules: tun.o tap.o
$(LD) -r -o tun tun.o
$(LD) -r -o tap tap.o

to

modules: tun.o tap.o
$(LD) -melf_x86_64 -r -o tun tun.o
$(LD) -melf_x86_64 -r -o tap tap.o

Now you can run make & make install, or you can (at your own risk, they work for me!) download the pkg of both 32 and 64 bit kernels.

tuntap-0.2.5-opensolaris-i386.pkg.gz (http://www.mediafire.com/?ny0wqzsmyct)
tuntap-0.2.5-opensolaris-x86_64.pkg.gz (http://www.mediafire.com/?ny0wqzsmyct)

Next you need to get vpnc, I grabbed vpnc-0.5.3

pkg install SUNWgmake

Now edit the Makefile and change install to ginstall (on each cmd line), for example:

install -m600 vpnc.conf $(DESTDIR)$(ETCDIR)/default.conf

to

ginstall -m600 vpnc.conf $(DESTDIR)$(ETCDIR)/default.conf

Optionally change PREFIX from /usr/local to /usr

0.5.3 will not compile correctly until you modify tunip.c, changing (line 1061)

openlog("vpnc", LOG_PID | LOG_PERROR, LOG_DAEMON);

to

openlog("vpnc", LOG_PID, LOG_DAEMON);

Now you can run gmake & gmake install, or you can (at your own risk, they work for me!) download the pkg for vpnc.

vpnc-0.5.3-opensolaris-i386.pkg.gz(http://www.mediafire.com/?0tcwnx3e4xy)

edits to the vpnc-script (included in above package), to facilitate a working vpn..

commented out line 62 #IPROUTE=…

ADDED:

route add `echo "$INTERNAL_IP4_ADDRESS" | awk '{ printf "%s\n",$1}' FS=.`.0.0.0 "$INTERNAL_IP4_ADDRESS" -interface

to the end of the set_network_route() function (let’s say your IP on the VPN is 192.168.0.140; this will route all 192.* through the VPN).

ADDED:

route $route_syntax_del default "$INTERNAL_IP4_ADDRESS"

to the end of the reset_default_route() function (disconnecting left some rogue route entries; it still leaves a few, but this gets things back to working order).
Now I have full vpn access to the cisco networks I normally connect to!

 

samba on solaris June 15, 2009

Filed under: Solaris — Sheikh Jafar Tarique @ 12:16 pm

1. Make sure that /usr/sfw/bin and /usr/sfw/sbin are on the root user’s path.
2. Check your version of SAMBA installed:
/usr/sfw/sbin/smbd -V
Version 3.0.21b
3. By default, all files created by the Windows server in the Solaris directories shared by SAMBA will be owned by user nobody. If you want to change this then you can force the ownership to another user. I created a user evault in group other for this purpose. Make sure that the user you choose has permission to write to the directories in the file systems that you are sharing with SAMBA. You can use the user root if you wish.
Create an entry in the SAMBA user database for the user with the below command:
smbpasswd -a username

4. Create the file /etc/sfw/smb.conf. Below is the /etc/sfw/smb.conf that I used. The SAM-FS file system was mounted as  and /share/Myshare and Myshare is the subdirectory I wanted to share.
[global]

    workgroup = MY
    server string = Samba Server
    log file = /var/samba/log/samba_log.%m
    ; use one value here, either SHARE or USER
    security = SHARE/USER
    hosts deny = ALL
    hosts allow = 192.168.0.0/20 127.
    ; interfaces = eth1 lo
    socket options = IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=4096 SO_RCVBUF=4096

[Myshare]

    comment = vaultstores
    path = /share/myshare
    force user = user
    public = yes
    browseable = yes
    writeable = yes
    valid users = users
    force group = other
    read only = No
    guest ok = Yes

Note that once the file /etc/sfw/smb.conf exists SAMBA will start automatically when the system boots.
5. You should check the syntax of /etc/sfw/smb.conf using the command testparm. Assuming that all is well you can start SAMBA.
/etc/init.d/samba start
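
As a complement to the testparm check in step 5, an added example (not part of the original post) that lists the shares in an smb.conf which accept guest connections and are writable, together with the account that `force user` maps writes to. The function name `audit_shares` and the `[Backups]` share are constructed for the example; settings inherited from `[global]` are not evaluated.

```shell
#!/bin/sh
# Added example: report shares that are both guest-accessible and writable.
# Synonyms handled: public = guest ok; writeable/writable/write ok are the
# inverse of read only. Within a section the last assignment wins.

audit_shares() {   # usage: audit_shares /path/to/smb.conf
    awk '
    function yes(v) { v = tolower(v); return (v == "yes" || v == "true" || v == "1") }
    function report() {
        if (share != "" && tolower(share) != "global" && guest && !readonly)
            printf "%s: guest-writable, force user=%s\n", share, (fuser == "" ? "(none)" : fuser)
    }
    /^[ \t]*[;#]/ { next }                       # comment lines
    /^[ \t]*\[/ {                                # section header starts a new share
        report()
        share = $0; sub(/^[ \t]*\[/, "", share); sub(/\].*$/, "", share)
        guest = 0; readonly = 1; fuser = ""      # Samba defaults for a share
        next
    }
    index($0, "=") {
        key = tolower(substr($0, 1, index($0, "=") - 1))
        val = substr($0, index($0, "=") + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "guest ok" || key == "public") guest = yes(val)
        else if (key == "read only") readonly = yes(val)
        else if (key == "writeable" || key == "writable" || key == "write ok") readonly = !yes(val)
        else if (key == "force user") fuser = val
    }
    END { report() }
    ' "$1"
}

# Constructed sample: the [Myshare] settings from the post plus a made-up
# [Backups] share that is writable but does not accept guests.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[global]
    hosts deny = ALL
    hosts allow = 192.168.0.0/20 127.
[Myshare]
    path = /share/myshare
    force user = user
    public = yes
    writeable = yes
    read only = No
    guest ok = Yes
[Backups]
    path = /share/backups
    guest ok = no
    read only = no
EOF
audit_shares "$sample"
```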