Tuesday, April 26, 2016

Oracle Hybrid Cloud

Recently I presented together with Marcel Giacomini from Oracle on Oracle public, private and hybrid cloud. The hybrid cloud is a direction I personally feel the market will move towards very quickly. Even though cloud companies would like to see enterprises adopting a full cloud model I think a majority of the large enterprises and companies will take the route of hybrid cloud first.

To see more on the capabilities around hybrid cloud from Oracle have a look at the deck we presented during Advantage You.


Wednesday, April 20, 2016

Oracle Linux Unsupported Packages

Running Oracle Linux does not require a support contract from Oracle; you are perfectly fine running it without one. In a business environment, however, you usually want the option to call in support when needed, so most companies do purchase it and use it whenever required. A common misunderstanding is that everything shipped by Oracle is also supported by Oracle.

In fact a limited number of packages are not supported by Oracle even though they ship with the Oracle Linux distribution and you can install and use them. The misconception stems from the fact that most people understand that additional software not provided by Oracle falls outside the support contract, and therefore expect everything that Oracle does ship to be covered by it.

If you are in doubt whether a specific package is covered, check the "Unsupported Packages from ISO" list on the Oracle Linux website. At the time of writing (do check the current version of the list) it contains the following packages:

  1.  ccs
  2.  cluster-cim
  3.  cluster-glue-libs-devel
  4.  clusterlib-devel
  5.  cluster-snmp
  6.  cman
  7.  cmirror
  8.  cmirror-standalone
  9.  corosynclib-devel
  10.  ctdb
  11.  ctdb-devel
  12.  dlm
  13.  fence-agents-all
  14.  fence-virtd-checkpoint
  15.  foghorn
  16.  gfs2-utils
  17.  haproxy
  18.  ipvsadm
  19.  keepalived
  20.  libesmtp-devel
  21.  luci
  22.  lvm2-cluster
  23.  lvm2-cluster-standalone
  24.  omping
  25.  openaislib-devel
  26.  pacemaker
  27.  pacemaker-doc
  28.  pacemaker-libs-devel
  29.  pcs
  30.  piranha
  31.  python-repoze-what-quickstart
  32.  resource-agents
  33.  rgmanager
  34.  ricci
  35.  xfsdump
  36.  xfsprogs
  37.  xfsprogs-devel
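
The practical question behind the list is "which of these are installed on my hosts?". The script below is an added example, not part of the original post or of Oracle's tooling: it reduces rpm -qa output to package names and matches them exactly against the list quoted above. The sample rpm -qa lines and their version numbers are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the original post: report which packages on Oracle's
# "Unsupported Packages from ISO" list are installed on a host. The list below is
# the one quoted in the post above; check it against Oracle's current list.

UNSUPPORTED="ccs cluster-cim cluster-glue-libs-devel clusterlib-devel cluster-snmp
cman cmirror cmirror-standalone corosynclib-devel ctdb ctdb-devel dlm
fence-agents-all fence-virtd-checkpoint foghorn gfs2-utils haproxy ipvsadm
keepalived libesmtp-devel luci lvm2-cluster lvm2-cluster-standalone omping
openaislib-devel pacemaker pacemaker-doc pacemaker-libs-devel pcs piranha
python-repoze-what-quickstart resource-agents rgmanager ricci xfsdump xfsprogs
xfsprogs-devel"

# nvra_to_name: reduce an "rpm -qa" line (name-version-release.arch) to the
# package name. Names may contain dashes, but version and release never do, so
# the name is everything before the last two dash-separated fields.
nvra_to_name() {
    n=${1%-*}                   # drop -release.arch
    printf '%s\n' "${n%-*}"     # drop -version
}

# unsupported_installed: read "rpm -qa" output on stdin and print, one per
# line, every installed package that is on the unsupported list. An exact
# name match is required: pacemaker-libs is not on the list, but
# pacemaker-libs-devel is.
unsupported_installed() {
    while IFS= read -r pkg; do
        name=$(nvra_to_name "$pkg")
        for u in $UNSUPPORTED; do
            if [ "$name" = "$u" ]; then
                printf '%s\n' "$name"
                break
            fi
        done
    done
}

# Constructed sample of "rpm -qa" output (version numbers are made up):
SAMPLE='coreutils-8.22-15.0.1.el7.x86_64
haproxy-1.5.14-3.el7.x86_64
pacemaker-libs-1.1.13-10.el7.x86_64
python-repoze-what-quickstart-1.0.9-4.el7.noarch
xfsprogs-3.2.2-2.el7.x86_64'

printf '%s\n' "$SAMPLE" | unsupported_installed
# On a real host: rpm -qa | unsupported_installed
```

Run it across a fleet (for example through ssh in a loop) before a support case rather than during one: a hit on a production host means that component has no support path and should either be replaced or be accepted as a documented risk.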


Monday, March 28, 2016

VirtualBox only showing 32-bit options

I received my new laptop from work this week. In general I tend to be not that happy with receiving a new laptop from work because it takes some time out of your day to get everything working again. However, this time I was more disappointed than normal as it turned out that I was not able to run 64-bit guests on my laptop and only 32-bit options were available.

After some checking I found out that my OS was a 64-bit OS and everything should work as far as I could see. However, only 32-bit options were available. As it turns out, VirtualBox on Windows 7 does not offer 64-bit guest types when hardware virtualization (Intel VT-x) is not enabled in the BIOS of the machine.

After turning on "Intel Virtualization Technology" and "Intel VT-d feature" virtualbox again allowed for running 64 bit guests.


Just a small reminder for everyone who runs into this issue: if this is enabled and it still does not work, make sure Hyper-V is disabled on Windows, since Hyper-V takes the virtualization extensions for itself.

For more background information on this you can refer to ticket 12350 on the virtualbox website. 

Sunday, March 06, 2016

Oracle Linux - Build a Private YUM Server

Most people working with Oracle Linux update their systems with YUM. When you use Oracle Linux as a personal workstation or a private test server it is perfectly fine to use Oracle's public YUM server.

In a secured environment running production servers you most likely do not want those servers to connect to an external system to get their updates; you want a local copy of the repository. In that case you can create a satellite YUM server, which keeps a local repository in sync with Oracle's public yum server.

A second reason for a local YUM server exists as well: when you develop your own RPMs and want to make them available to your Oracle Linux machines, it is good practice to distribute them from your own local YUM server.

Building a local YUM server is not a hard task, and the short investment in having one for your self-developed RPMs, or for packages from other vendors needed in your landscape, makes a lot of sense.

The diagram below shows at a high level what such a deployment can look like, not including the firewall and network components you should use to enforce a correct network zone model.

Create YUM Repository
Creating a YUM repository takes a number of steps. First you need a location where you will store the RPMs and the associated repository metadata. In our case we already know we want to make the repository available via HTTP (using NGINX) later on, so we create a location for the company repository as shown below.

  mkdir /var/www/repos/companyrepo

Next, copy all the RPMs you want to include in the company repository to this location. Once they are there you turn the directory into a real repository, for which you need the createrepo tooling on the server. If the server can reach a yum repository, yum install createrepo pulls it in together with its dependencies; otherwise install the RPMs by hand:

  rpm -ivh deltarpm-3.6-3.el7.x86_64.rpm
  rpm -ivh python-deltarpm-3.6-3.el7.x86_64.rpm
  rpm -ivh createrepo-0.9.9-25.el7_2.noarch.rpm

With the tooling installed, create the repository by pointing createrepo at the directory (it needs the path as an argument):

  createrepo /var/www/repos/companyrepo

That's it? Yes, that is it. createrepo scans the RPMs stored there and writes the metadata into a new directory named repodata, which contains everything a remote YUM client needs to use the repository.

Configure NGINX
Having your RPMs and the YUM metadata in the newly created repodata directory is great. However, what you want is that your clients (the servers) can reach the repository (in the diagram located on yum.company.com). To enable clients to connect you have to make the storage location (in this example /var/www/repos/companyrepo) available via HTTP.

As we do not need a heavyweight HTTP server we can use, for example, NGINX. To install NGINX on Oracle Linux you can refer to this blogpost, which provides the needed guidance.

Once NGINX is running it must serve /var/www/repos/companyrepo. As an example, the following steps complete the NGINX configuration.

1) Create a file named companyrepo.conf in /etc/nginx/conf.d
  touch /etc/nginx/conf.d/companyrepo.conf

2) Edit the file with vi and make sure it contains the information below. A repository has no index.html, so a directory listing (autoindex) is enabled instead of an index file; yum itself only fetches repodata/repomd.xml and the package paths listed there, the listing is for humans.
  server {
      listen       80;
      server_name  yum.company.com;

      location / {
          root       /var/www/repos/companyrepo;
          autoindex  on;
      }

      error_page   500 502 503 504  /50x.html;
      location = /50x.html {
          root   /usr/share/nginx/html;
      }
  }

This serves the repository in the clear. On a production network prefer listen 443 ssl with a certificate so clients can verify they talk to the real yum.company.com; plain HTTP is only acceptable when clients verify the signatures of the packages they install.

3) Test that the metadata is reachable on yum.company.com, either in a browser or with curl, which should return HTTP 200:
  curl -I http://yum.company.com/repodata/repomd.xml

Configure Local Servers
As we now have a local YUM server running on yum.company.com and made it available via HTTP we can now configure the clients (servers) to connect to the local YUM repository and make use of it.

Make sure you have the configuration below in a .repo file in /etc/yum.repos.d (for example companyyum.repo). Other .repo files can coexist in that directory. Note that baseurl must be a complete URL including the scheme; a bare hostname is not accepted.

[COMPANYYUM]
   name=Local company YUM repository
   baseurl=http://yum.company.com/
   gpgcheck=0
   enabled=1

gpgcheck=0 turns off RPM signature verification, which is acceptable for a quick test but not for a production repository: sign your own RPMs, publish the public key, and set gpgcheck=1 with gpgkey= pointing at that key, so clients refuse packages that did not come out of your build process.


Update YUM Repository
When you need to add RPMs to the local YUM server you do not have to rerun the entire createrepo procedure, which can take quite some time for a large set of RPMs. To add only the new files to the YUM metadata and make them available, run the command below from the repository directory instead:

  createrepo --update .

The new RPMs are now available to YUM clients. If a client issues a yum command right away and cannot find the new package, it is most likely using a locally cached copy of the repository metadata that predates the change. Force the client to fetch fresh metadata by expiring its cache:

  yum clean expire-cache

How long metadata is cached is governed by metadata_expire, set globally in /etc/yum.conf or per repository in the .repo file (yum's default is 6 hours; keepcache, by contrast, only controls whether downloaded packages are kept after installation). A client that has not talked to the repository since the update fetches fresh metadata anyway; one that did may still hold the old metadata and miss the package until the cache expires or is cleaned.
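
The client-side .repo file is where a private repository most often ends up weaker than intended. The linter below is an added example, not part of the original post or of yum: it reads a .repo file and flags a missing URL scheme, a plain-http baseurl, and disabled signature or TLS checks. The weak configuration is the one from this post; the hardened variant, the https hostname and the gpgkey path are assumptions of the example.

```sh
#!/bin/sh
# Added example, not from the original post: a linter for yum .repo files that
# flags the settings most often left weak on a private repository. It reads a
# .repo file on stdin and prints one finding per line, nothing when clean.

trim() { printf '%s' "$1" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'; }

lint_repo() {
    section=main
    while IFS= read -r line; do
        line=$(trim "$line")
        case "$line" in
            ''|'#'*|';'*) continue ;;                       # blank or comment
            '['*']') section=${line#\[}; section=${section%\]}; continue ;;
        esac
        key=$(trim "${line%%=*}")
        value=$(trim "${line#*=}")
        case "$key" in
            gpgcheck)
                [ "$value" = 1 ] || echo "$section: gpgcheck=$value disables RPM signature verification" ;;
            sslverify)
                [ "$value" = 1 ] || echo "$section: sslverify=$value disables TLS certificate checks" ;;
            baseurl)
                case "$value" in
                    https://*|file://*) ;;
                    http://*|ftp://*) echo "$section: baseurl $value is unencrypted; rely on gpgcheck=1 or move to https" ;;
                    *) echo "$section: baseurl $value is not a valid URL for yum (no scheme)" ;;
                esac ;;
        esac
    done
}

# The configuration from the post above, as a constructed string:
WEAK='[COMPANYYUM]
name=Local company YUM repository
baseurl=yum.company.com/
gpgcheck=0
enabled=1'

# A hardened version (assumed https endpoint and key location): signed
# packages, signature check on, TLS transport.
HARDENED='[COMPANYYUM]
name=Local company YUM repository
baseurl=https://yum.company.com/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-company
enabled=1'

printf '%s\n' "$WEAK" | lint_repo
# On a real host: lint_repo < /etc/yum.repos.d/companyyum.repo
```

Two of the findings on the weak file are exactly the points made in the text: the baseurl without a scheme does not work at all, and gpgcheck=0 means a client will install whatever the web server hands it. The hardened file produces no findings.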

Wednesday, February 24, 2016

Oracle managed file transfer

Whenever someone tells a Linux administrator that a file will be generated on a regular basis and needs to be transferred to another location, another server or even another company, the common answer is a small bash script. Over time one small bash script becomes two, then ten, and eventually an unknown and undocumented number of scripts, created one by one in an organic growth model. Even though this quick and dirty approach is widely practised, we have to realize that it is not the correct solution.

When you are seriously looking for a managed way of securely transferring files you cannot rely on a number of bash scripts started by cron; you need a more solid solution. Oracle provides one for this in the form of MFT, Oracle Managed File Transfer. I recently wrote a paper on this which can be found on this site. A short slide deck can also be found on my SlideShare page.

And if you want a quick and dirty intro with a video, you can find one below.

And even though I love to create a bash script under Linux and use it for my own systems at home, I have to admit that such a solution is not something you really want in a production environment. If you really need to securely move files in an enterprise environment, the MFT solution is something you should look at.

ELBA-2016-0177 Oracle Linux 7 coreutils bug fix update

Oracle Linux Bug Fix Advisory ELBA-2016-0177


The following updated rpms for Oracle Linux 7 have been uploaded to the Unbreakable Linux Network:




Description of changes:

  • [8.22-15.0.1.1]- clean up empty file if cp is failed [Orabug 15973168]
  • [8.22-15.1] - cp: prevent potential sparse file corruption (#1285365)


ELBA-2016-0198 Oracle Linux 7 golang-github-cpuguy83-go-md2man bug fix update

Oracle Linux Bug Fix Advisory ELBA-2016-0198

The following updated rpms for Oracle Linux 7 have been uploaded to the Unbreakable Linux Network:




Description of changes:

  • [1.0.4-2]- Build it for z-stream  related: #1300321
  • [1.0.4-1]- Rebase to 1.0.4   Deps import separatelly, not in one tarball resolves: #1300321
  • [1-5]- Update the spec file for RHEL, Remove devel subpackage, Bundle github.com/russross/blackfriday and github.com/shurcooL/sanitized_anchor_name into tarball, Use bundled dependencies to build md2man  resolves: #1211312
  • [1-4]-  Bump to upstream 2831f11f66ff4008f10e2cd7ed9a85e3d3fc2bed related: #1156492
  • [1-3]- Add commit and shortcommit global variable related: #1156492
  • [1-2]- Resolves: rhbz#1156492 - initial fedora upload, - quiet setup, - no test files, disable check
  • [1-1]- Initial package

ELBA-2016-0220 Oracle Linux 7 libvirt bug fix update

Oracle Linux Bug Fix Advisory ELBA-2016-0220

The following updated rpms for Oracle Linux 7 have been uploaded to the Unbreakable Linux Network:


  • x86_64: libvirt-1.2.17-13.0.1.el7_2.3.x86_64.rpm
  • x86_64: libvirt-client-1.2.17-13.0.1.el7_2.3.i686.rpm
  • x86_64: libvirt-client-1.2.17-13.0.1.el7_2.3.x86_64.rpm
  • x86_64: libvirt-daemon-1.2.17-13.0.1.el7_2.3.x86_64.rpm
  • x86_64: libvirt-daemon-config-network-1.2.17-13.0.1.el7_2.3.x86_64.rpm
  • x86_64: libvirt-daemon-config-nwfilter-1.2.17-13.0.1.el7_2.3.x86_64.rpm
  • x86_64: libvirt-daemon-driver-interface-1.2.17-13.0.1.el7_2.3.x86_64.rpm
  • x86_64: libvirt-daemon-driver-lxc-1.2.17-13.0.1.el7_2.3.x86_64.rpm
  • x86_64: libvirt-daemon-driver-network-1.2.17-13.0.1.el7_2.3.x86_64.rpm
  • x86_64: libvirt-daemon-driver-nodedev-1.2.17-13.0.1.el7_2.3.x86_64.rpm
  • x86_64: libvirt-daemon-driver-nwfilter-1.2.17-13.0.1.el7_2.3.x86_64.rpm
  • x86_64: libvirt-daemon-driver-qemu-1.2.17-13.0.1.el7_2.3.x86_64.rpm
  • x86_64: libvirt-daemon-driver-secret-1.2.17-13.0.1.el7_2.3.x86_64.rpm
  • x86_64: libvirt-daemon-driver-storage-1.2.17-13.0.1.el7_2.3.x86_64.rpm
  • x86_64: libvirt-daemon-kvm-1.2.17-13.0.1.el7_2.3.x86_64.rpm
  • x86_64: libvirt-daemon-lxc-1.2.17-13.0.1.el7_2.3.x86_64.rpm
  • x86_64: libvirt-devel-1.2.17-13.0.1.el7_2.3.i686.rpm
  • x86_64: libvirt-devel-1.2.17-13.0.1.el7_2.3.x86_64.rpm
  • x86_64: libvirt-docs-1.2.17-13.0.1.el7_2.3.x86_64.rpm
  • x86_64: libvirt-lock-sanlock-1.2.17-13.0.1.el7_2.3.x86_64.rpm
  • x86_64: libvirt-login-shell-1.2.17-13.0.1.el7_2.3.x86_64.rpm
  • SRPMS: http://oss.oracle.com/ol7/SRPMS-updates/libvirt-1.2.17-13.0.1.el7_2.3.src.rpm


Description of changes:

  • [1.2.17-13.0.1.el7_2.3] - Oracle files:docs/et.png Replace docs/et.png in tarball with blank image
  • [1.2.17-13.el7_2.3]- vmx: Adapt to emptyBackingString for cdrom-image (rhbz#1301892)

ELSA-2016-3519 Important: Oracle Linux 6 Unbreakable Enterprise kernel security update

Oracle Linux Security Advisory ELSA-2016-3519

The following updated rpms for Oracle Linux 6 have been uploaded to the Unbreakable Linux Network:







Description of changes:

  • [3.8.13-118.3.2.el6uek]
    • - x86/nmi/64: Use DF to avoid userspace RSP confusing nested NMI detection (Andy Lutomirski)  [Orabug: 22742507]  {CVE-2015-5157}
    • - x86/nmi/64: Reorder nested NMI checks (Andy Lutomirski)  [Orabug: 22742507]  {CVE-2015-5157}
    • - x86/nmi/64: Improve nested NMI comments (Andy Lutomirski)  [Orabug: 22742507]  {CVE-2015-5157}
    • - x86/nmi/64: Switch stacks on userspace NMI entry (Andy Lutomirski) [Orabug: 22742507]  {CVE-2015-5157}
    • - x86/paravirt: Replace the paravirt nop with a bona fide empty function (Andy Lutomirski)  [Orabug: 22742507]  {CVE-2015-5157}

ELSA-2016-3519 Important: Oracle Linux 7 Unbreakable Enterprise kernel security update

Oracle Linux Security Advisory ELSA-2016-3519

The following updated rpms for Oracle Linux 7 have been uploaded to the Unbreakable Linux Network:



x86_64: kernel-uek-firmware-3.8.13-118.3.2.el7uek.noarch.rpm
x86_64: kernel-uek-doc-3.8.13-118.3.2.el7uek.noarch.rpm
x86_64: kernel-uek-3.8.13-118.3.2.el7uek.x86_64.rpm
x86_64: kernel-uek-devel-3.8.13-118.3.2.el7uek.x86_64.rpm
x86_64: kernel-uek-debug-devel-3.8.13-118.3.2.el7uek.x86_64.rpm
x86_64: kernel-uek-debug-3.8.13-118.3.2.el7uek.x86_64.rpm
x86_64: dtrace-modules-3.8.13-118.3.2.el7uek-0.4.5-3.el7.x86_64.rpm
SRPMS: http://oss.oracle.com/ol7/SRPMS-updates/kernel-uek-3.8.13-118.3.2.el7uek.src.rpm
SRPMS: http://oss.oracle.com/ol7/SRPMS-updates/dtrace-modules-3.8.13-118.3.2.el7uek-0.4.5-3.el7.src.rpm


Description of changes:

  • [3.8.13-118.3.2.el7uek] 
    • - x86/nmi/64: Use DF to avoid userspace RSP confusing nested NMI detection (Andy Lutomirski)  [Orabug: 22742507]  {CVE-2015-5157}
    • - x86/nmi/64: Reorder nested NMI checks (Andy Lutomirski)  [Orabug: 22742507]  {CVE-2015-5157}
    • - x86/nmi/64: Improve nested NMI comments (Andy Lutomirski)  [Orabug: 22742507]  {CVE-2015-5157}
    • - x86/nmi/64: Switch stacks on userspace NMI entry (Andy Lutomirski) [Orabug: 22742507]  {CVE-2015-5157}
    • - x86/paravirt: Replace the paravirt nop with a bona fide empty function (Andy Lutomirski)  [Orabug: 22742507]  {CVE-2015-5157}
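
A check that goes with both ELSA-2016-3519 entries above, added here as an example and not part of the advisory text: is the kernel a host is actually running at or above the fixed UEK version? Comparing version strings as plain text is wrong for RPM versions (118.10 sorts before 118.3 as text), so the comparison below follows rpm's segment rules in a simplified form; the sample version strings it is run against are constructed.

```sh
#!/bin/sh
# Added example, not part of the advisory: check whether the running UEK kernel
# is at or above the fixed version from ELSA-2016-3519. The version comparison
# follows rpm's segment rules (simplified, no tilde/caret handling): split on
# separators and at digit/letter boundaries, compare numeric segments
# numerically and alphabetic ones lexically, rank numeric above alphabetic.

# rpm_vercmp A B: print -1, 0 or 1 for A<B, A==B, A>B.
rpm_vercmp() {
    awk -v a="$1" -v b="$2" '
    function tokenize(s, arr,    n) {
        n = 0
        while (length(s) > 0) {
            if (match(s, /^[0-9]+/) || match(s, /^[A-Za-z]+/)) {
                arr[++n] = substr(s, 1, RLENGTH)
                s = substr(s, RLENGTH + 1)
            } else {
                s = substr(s, 2)          # skip a separator such as . - _
            }
        }
        return n
    }
    function cmp(a, b,    x, y, na, nb, i, xa, xb, anum, bnum) {
        na = tokenize(a, x); nb = tokenize(b, y)
        for (i = 1; i <= na && i <= nb; i++) {
            xa = x[i]; xb = y[i]
            anum = (xa ~ /^[0-9]+$/); bnum = (xb ~ /^[0-9]+$/)
            if (anum && bnum) {
                if (xa + 0 != xb + 0) return (xa + 0 < xb + 0) ? -1 : 1
            } else if (anum != bnum) {
                return anum ? 1 : -1      # numeric segment beats alphabetic
            } else if (xa != xb) {
                return (xa < xb) ? -1 : 1
            }
        }
        if (na == nb) return 0
        return (na < nb) ? -1 : 1         # more segments means newer
    }
    BEGIN { print cmp(a, b) }'
}

# kernel_patched RUNNING FIXED: succeed when RUNNING is at least FIXED. Only
# compare within one kernel flavour (el6uek against el6uek); the RHCK kernel
# uses an unrelated version line.
kernel_patched() {
    [ "$(rpm_vercmp "$1" "$2")" -ge 0 ]
}

# On a real host:  kernel_patched "$(uname -r)" 3.8.13-118.3.2.el6uek
# Constructed sample values, one unpatched and one patched:
for v in 3.8.13-118.3.1.el6uek.x86_64 3.8.13-118.3.2.el6uek.x86_64; do
    if kernel_patched "$v" 3.8.13-118.3.2.el6uek; then
        echo "$v: fixed for CVE-2015-5157"
    else
        echo "$v: NOT fixed, reboot into 3.8.13-118.3.2.el6uek or later"
    fi
done
```

Checking uname -r rather than rpm -q kernel-uek is deliberate: the updated kernel RPM from ULN does nothing for CVE-2015-5157 until the host has actually been rebooted into it, and a host with the new package installed but the old kernel running is the case an inventory based on rpm -q misses.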

ELBA-2016-3517 Oracle Linux 6 net-tools bug fix update

Oracle Linux Bug Fix Advisory ELBA-2016-3517

The following updated rpms for Oracle Linux 6 have been uploaded to the Unbreakable Linux Network:


i386: net-tools-1.60-110.0.1.el6_2.i686.rpm
x86_64: net-tools-1.60-110.0.1.el6_2.x86_64.rpm
SRPMS: http://oss.oracle.com/ol6/SRPMS-updates/net-tools-1.60-110.0.1.el6_2.src.rpm

Description of changes:

  • [1.60-110.0.1] make 'hostname' work with IPv6 addresses (John Haxby) [orabug 21749871]
In case you want to view the source code online you can check the github archive 

Friday, February 19, 2016

Networking security zones

One of the security best practices is to ensure you have segregation in your network design: placing certain servers in certain network sections so that they are separated from each other. Most people understand the DMZ principle and apply it when creating an architecture for deploying new servers and services into a network. Having a DMZ is indeed good practice, but you can build upon this principle.

Having an enterprise-wide definition of network zoning is good practice as well. People will have different opinions about the setup, and on a case-by-case basis you can create different "blueprints". The zoning model below is an example of how network segregation can be done. As stated, it is not "the" model, rather a possible model that can give you some guidance in creating a zoning model applicable to your own enterprise situation.


The following zones are defined:

Un-trusted zone:
The un-trusted zone holds systems that connect to "unknown" parties in an uncontrolled area. As an example, the un-trusted zone can hold systems that are connected to the public internet. The un-trusted zone cannot hold data and can only hold stateless systems. Systems in the un-trusted zone can connect (in a controlled manner) directly to systems in the semi-trusted zone.

Semi-trusted zone:
The semi-trusted zone holds systems that connect to "unknown" parties in a controlled area. As an example, the semi-trusted zone can hold systems that connect to a customer network or a third-party network. The semi-trusted zone cannot hold data and can only hold stateless systems. Systems in the semi-trusted zone can connect (in a controlled manner) directly to systems in the trusted zone.

Trusted zone:
The trusted zone holds systems that serve the semi-trusted zone and is generally used for hosting databases and data-storage applications. As an example, the trusted zone can hold a database that supports applications in the semi-trusted zone. Systems in the trusted zone can connect (in a controlled manner) directly to systems in the fully trusted zone.

Fully trusted zone:
The fully trusted zone holds the generic systems used for management, support and control. As an example, Oracle Enterprise Manager is hosted in the fully trusted zone.
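
The model above boils down to one adjacency rule: a system may initiate connections only into the next, more trusted, zone. Turned into a check, that rule can be run over a proposed firewall rule set before anyone opens a port. The script below is an added example, not part of the original post: the zone names, the four-column rule format, the sample rules and the assumption that traffic may also stay within its own zone are all choices of the example. Management traffic from the fully trusted zone down into the other zones is not covered by the model in the post, so the check flags it; treat such rules as explicit, documented exceptions.

```sh
#!/bin/sh
# Added example, not from the original post: validate proposed firewall rules
# against the zone adjacency rule described above. A rule line reads
# "SRC_ZONE DST_ZONE PORT COMMENT"; lines starting with # are ignored.

# zone_rank NAME: print the trust level, 0 (un-trusted) .. 3 (fully trusted).
zone_rank() {
    case "$1" in
        untrusted)     echo 0 ;;
        semi-trusted)  echo 1 ;;
        trusted)       echo 2 ;;
        fully-trusted) echo 3 ;;
        *) echo "unknown zone: $1" >&2; return 1 ;;
    esac
}

# rule_allowed SRC DST: succeed when SRC may initiate a connection to DST,
# i.e. DST is the next more trusted zone (rank + 1) or, as an assumption of
# this example, the same zone. Anything else (skipping a zone, or going
# towards a less trusted zone) is outside the model.
rule_allowed() {
    s=$(zone_rank "$1") || return 2
    d=$(zone_rank "$2") || return 2
    [ "$d" -eq "$s" ] || [ "$d" -eq $((s + 1)) ]
}

# check_rules: read rule lines on stdin, print each violation, and fail when
# at least one rule violates the model.
check_rules() {
    violations=0
    while read -r src dst port comment; do
        case "$src" in ''|'#'*) continue ;; esac
        if ! rule_allowed "$src" "$dst"; then
            violations=$((violations + 1))
            echo "VIOLATION: $src -> $dst port $port ($comment)"
        fi
    done
    [ "$violations" -eq 0 ]
}

# Constructed sample rule set (made up hosts and ports):
RULES='# src            dst            port  comment
untrusted        semi-trusted   443   reverse proxy to application tier
semi-trusted     trusted        1521  application to database
trusted          fully-trusted  443   backup agent to management tier
untrusted        trusted        1521  web tier straight to the database
semi-trusted     untrusted      22    admins hopping outward
fully-trusted    untrusted      22    management into internet-facing hosts'

printf '%s\n' "$RULES" | check_rules || echo "rule set needs review"
# On a real rule file: check_rules < proposed-rules.txt
```

Three of the six sample rules are flagged: the web tier talking straight to the database skips the semi-trusted zone, the outward ssh hop goes towards a less trusted zone, and the management access from the fully trusted zone is the exception the model leaves to you to approve and record.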

Oracle Enterprise Manager purge options

When working with the software library in Oracle Enterprise Manager 13c you will need to clean things up from time to time. When removing entities from the software library it is good to realize one thing: you only remove the reference in the software library, not the file on disk.

This means the file is NOT physically deleted and no space is freed on your storage when you delete entities in the software library. For small scripts this may not be an issue, but for virtual machine templates the difference can be significant.

Deleting implies that space is freed on storage, yet as you may notice that does not happen. To also remove the file from storage you first delete the entity from the software library and then run a purge action, which frees the storage and physically deletes the files from the Oracle Management Repository.

The screenshot above shows the purge action you need to run to free storage and physically delete the files from the Oracle Management Repository.

Thursday, February 18, 2016

ELBA-2016-0205 Oracle Linux 7 python-pyudev bug fix update

Oracle Linux Bug Fix Advisory ELBA-2016-0205

The following updated rpms for Oracle Linux 7 have been uploaded to the Unbreakable Linux Network:



  • x86_64: python-pyudev-0.15-7.el7_2.1.noarch.rpm
  • SRPMS: http://oss.oracle.com/ol7/SRPMS-updates/python-pyudev-0.15-7.el7_2.1.src.rpm

Description of changes:

  • [0.15-7.1] Added systemd-libs requirement for libudev, Resolves: rhbz#1291562

ELBA-2016-0203 Oracle Linux 7 libunwind bug fix update

Oracle Linux Bug Fix Advisory ELBA-2016-0203

The following updated rpms for Oracle Linux 7 have been uploaded to the Unbreakable Linux Network:




Description of changes:

  • [1.2-5.el7_2.2] Fix update from EPEL version [bz#1289950] Resolves: bz#1289950 (libunwind in RHEL 7.2 has a smaller release than the last libunwind package in EPEL-7)
  • [1.2-5] Version bumped [bz#1238864] Resolves: bz#1238864 libunwind: bump version to win against existing branches
  • [1.1-2] lu-Fix-rpmdiff-failure.patch [bz#1229359],  lu-Fix-buffer-overflow-reported-by-Coverity.patch [bz#1233114], Resolves: bz#1229359 (Fix multilib support), Resolves: bz#1233114, (fix off-by-one in dwarf_to_unw_regnum (CVE-2015-3239))
  • [1.1-1] Import to RHEL