Hardware requirements
Internal memory
Memory should be at least 512 MB for Oracle 10g and 1 GB for Oracle 11g.
Check the amount of internal memory available to the system.
# grep MemTotal /proc/meminfo
If you do not meet the minimum requirements, you have to add more memory.
Swap space
The minimum is 1 GB swap space, but usually, the rule of thumb is to have approximately twice the amount of internal memory as swap space.
Check the amount of swap space available to the system.
# grep SwapTotal /proc/meminfo
If you do not meet the minimum requirements, you can add swap space.
Temp space
The minimum temp space requirement is 400 MB. Temp space is usually stored in the /tmp partition. If /tmp is part of the root file system, then the root file system should have at least 400 MB free space in addition to other space requirements.
Check the /tmp space available to the system.
# df -k /tmp
Temp is too small
If /tmp is too small, you can temporarily create a tmp directory on another file system.
Automatic Memory Management
Starting with Oracle Database 11g, the Automatic Memory Management feature requires more shared memory (/dev/shm) and file descriptors.
The shared memory should be sized to be at least the greater of MEMORY_MAX_TARGET and MEMORY_TARGET for each Oracle instance on that computer.
To determine the amount of shared memory available, enter the following command:
# df -k /dev/shm/
MEMORY_MAX_TARGET and MEMORY_TARGET cannot be used when LOCK_SGA is enabled or with HugePages on Linux.
System architecture
To determine whether the system architecture can run the software, enter the following command:
# grep "model name" /proc/cpuinfo
This does not tell you whether you should be running 32- or 64-bit Linux, just the architecture of the machine. To determine whether you are running 32- or 64-bit Linux, enter the following command:
# uname -mi
Oracle binaries
Reserve at least 1.5 GB for Oracle 10g binaries or 2 GB for a maximum install.
Reserve at least 4.4 GB for Oracle 11g binaries.
Also reserve about 10 GB space for installation files and Oracle patches.
Oracle database files
Reserve at least 1.1 GB for Oracle 10g database files.
Reserve at least 1.68 GB for Oracle 11g database files.
You probably want to reserve more than that because the database will grow over time. You can use a file system, an NFS partition or Oracle ASM disk groups.
Don’t create Oracle exports on an NFS file system because it’s terribly slow.
Software requirements
OS and kernel version
To determine which distribution and version of Linux is installed, enter the following command:
# cat /proc/version
To determine whether the required kernel is installed, enter the following command:
# uname -r
The output must show at least 2.6.9 for Oracle 10g or 2.6.18 for Oracle 11g.
Naming resolution
When you run Oracle Universal Installer, an error may occur if name resolution is not set up. To avoid this error, before you begin installation, you must ensure that host names are resolved only through the /etc/hosts file.
# cat /etc/nsswitch.conf | grep hosts
#hosts: db files ldap nis dns
hosts: files dns
The output of this command should contain an entry for files.
Verify that the host name has been set by using the hostname command as follows:
# hostname
Verify that the domain name has not been set dynamically by using the domainname command as follows:
# domainname
(none)
This command should not return any results (none).
Verify that the hosts file contains the fully qualified host name by using the following command:
# cat /etc/hosts | grep `eval hostname`
The output of this command should contain an entry for the fully qualified host name and for localhost.
Make sure the localhost line (127.0.0.1) in /etc/hosts does not contain the hostname or fully qualified hostname.
Packages
You need to install certain software packages to support the Oracle binaries.
Enable Oracle Public Yum Server on Unbreakable Linux
When installing Unbreakable Linux, you need to enable the Public Yum Repositories before you can install any packages.
# cd /etc/yum.repos.d
# wget http://public-yum.oracle.com/public-yum-el5.repo
# vi public-yum-el5.repo
:%s/enabled=0/enabled=1/g
Change enabled=0 to enabled=1 for every repository you want to use.
Oracle 10g
- binutils-2.15.92.0.2-10.EL4
- compat-db-4.1.25-9
- control-center-2.8.0-12
- gcc-3.4.3-9.EL4
- gcc-c++-3.4.3-9.EL4
- glibc-2.3.4-2
- glibc-common-2.3.4-2
- gnome-libs-1.4.1.2.90-44.1
- libstdc++-3.4.3-9.EL4
- libstdc++-devel-3.4.3-9.EL4
- make-3.80-5
- pdksh-5.2.14-30
- sysstat-5.0.5-1
- xscreensaver-4.18-5.rhel4.2
Oracle 11g
- binutils-2.17.50.0.6
- compat-libstdc++-33-3.2.3
- compat-libstdc++-33-3.2.3 (32 bit)
- elfutils-libelf-0.125
- elfutils-libelf-devel-0.125
- gcc-4.1.2
- gcc-c++-4.1.2
- glibc-2.5-24
- glibc-2.5-24 (32 bit)
- glibc-common-2.5
- glibc-devel-2.5
- glibc-devel-2.5 (32 bit)
- glibc-headers-2.5
- ksh-20060214
- libaio-0.3.106
- libaio-0.3.106 (32 bit)
- libaio-devel-0.3.106
- libaio-devel-0.3.106 (32 bit)
- libgcc-4.1.2
- libgcc-4.1.2 (32 bit)
- libstdc++-4.1.2
- libstdc++-4.1.2 (32 bit)
- libstdc++-devel-4.1.2
- make-3.81
- numactl-devel-0.9.8.x86_64
- sysstat-7.0.2
- unixODBC-2.2.11
- unixODBC-2.2.11 (32 bit)
- unixODBC-devel-2.2.11
- unixODBC-devel-2.2.11 (32 bit)
Install Oracle 10g packages
# yum install binutils compat-db compat-libstdc++-33 \
    control-center gcc gcc-c++ glibc glibc-common glibc-devel \
    gnome-libs libaio libstdc++ libstdc++-devel libXp make pdksh \
    sysstat xorg-x11-deprecated-libs xscreensaver
Install Oracle 11g packages
# yum install binutils compat-libstdc++-33 elfutils-libelf \
    elfutils-libelf-devel gcc gcc-c++ glibc glibc-common glibc-devel \
    glibc-headers ksh libaio libaio-devel libgcc libstdc++ \
    libstdc++-devel make numactl-devel sysstat unixODBC unixODBC-devel
Press “y” to install when asked to do so.
The system will ask you to install a GPG key.
Press “y”.
Upgrade existing packages
It is recommended that you upgrade the packages to the latest available version.
# yum upgrade
# yum clean all
Extra packages
In addition to the package list Oracle provides, also ensure the following packages are installed to prevent several errors from occurring.
Extra packages for Oracle 10g
compat-libstdc++-33
Install compat-libstdc++-33 to prevent the following error:
Exception String: Error in invoking target 'all_no_orcl' of makefile '/u01/app/oracle/102/db/rdbms/lib/ins_rdbms.mk'
glibc-devel.i386
When installing Oracle you can get an error during the linking phase of the installer:
Error in invoking target 'install' of makefile '/u01/app/oracle/oracle/102/db/ctx/lib/ins_ctx.mk'
When looking at $ORACLE_HOME/install/make.log to trace the cause of the error, you will find this line at the bottom:
/usr/bin/ld: crt1.o: No such file: No such file or directory
Install glibc-devel.i386 to prevent this error.
libaio.i386 and .x86_64
Make sure to install libaio-0.3.96 or a newer version; otherwise the OUI prerequisite check will fail.
libXp
The libXp library is needed to prevent the error below after running runInstaller:
Exception java.lang.UnsatisfiedLinkError: /tmp/OraInstall2005-06-15_07-36-25AM/jre/1.4.2/lib/i386/libawt.so: libXp.so.6: cannot open shared object file: No such file or directory occurred..
java.lang.UnsatisfiedLinkError: /tmp/OraInstall2005-06-15_07-36-25AM/jre/1.4.2/lib/i386/libawt.so: libXp.so.6: cannot open shared object file: No such file or directory
Extra packages for Oracle 11g
pdksh
Install at least pdksh-5.2.14.
# yum install pdksh
Users and groups
Before you can install Oracle on Linux, two users and two or three Oracle groups should be present, depending on the choice of separation of administrative duties.
Oracle groups
The Oracle Inventory group (oinstall)
This group owns the Oracle inventory, which is a catalog of all Oracle software installed on the system. Members of this group could be Linux administrators who install new versions of Oracle. To create the oinstall group, run:
# groupadd -g 501 oinstall
The OSDBA group (dba)
This group identifies operating system user accounts that have database administrative privileges (the SYSDBA privilege). The default name for this group is dba. To create the dba group, run:
# groupadd -g 502 dba
The OSOPER group (oper)
This is an optional group. Create this group if you want a separate group of operating system users to have a limited set of database administrative privileges (the SYSOPER privilege). By default, members of the OSDBA group also have the SYSOPER privilege.
If you want to specify a separate OSOPER group, other than the default dba group, then you must choose the Custom installation type to install the software or start Oracle Universal Installer as a user that is not a member of the dba group. In this case, Oracle Universal Installer prompts you to specify the name of this group. The usual name chosen for this group is oper. To create the oper group, run:
# groupadd -g 503 oper
Oracle users
The Oracle software owner
This user owns all of the software installed during the installation. This user must have the Oracle Inventory group (oinstall) as its primary group. It must also have the OSDBA (dba) and, if you decide to use it, OSOPER (oper) groups as secondary groups. Create the user and set the password.
# useradd -m -u 501 -g oinstall -G dba,oper,users,wheel -d /home/oracle -s /bin/bash -c "Oracle Software Owner" oracle
# passwd oracle
Give the Oracle user sudo rights by commenting out requiretty and by uncommenting the wheel group line without a password.
# visudo
...
...
#Defaults requiretty
## Allows people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
## Same thing without a password
%wheel ALL=(ALL) NOPASSWD: ALL
Unprivileged user
When installing Oracle 10g, verify that the unprivileged user nobody exists on the system.
The nobody user must own the external jobs (extjob) executable after the installation.
According to Metalink document 357575.1, the answer to the question of what an unprivileged user is, is this:
The need for the low privilege user is simply a security measure. The term unprivileged user, in many contexts, is used to refer to a non-DBA user; it’s a general term for a non super user.
As the purpose of the user is essentially to allow database users to execute external jobs, you should not use the oracle user.
The oracle user is a powerful user; obviously they can shut down the database, and have access to a number of resources, oracle and otherwise. You would not want to give any database user with privileges to schedule this job (actually create external job privs.) the ability to perform all oracle actions; at least not in a normal environment.
For security purposes, it is best to create a user with minimum privileges required to do the job. For example, if it reads from a specific directory, give them access to that directory, but not to the oracle binaries directory.
So an unprivileged local user must own the extjob executable. You can use any user name for this user.
Before installing the software, perform the following procedure to verify that the nobody user exists on the system:
To determine whether the user exists, enter the following command:
# id nobody
If this command displays information about the nobody user, then you do not have to create that user.
If the nobody user does not exist, then enter the following command to create it:
# useradd nobody
Kernel parameters
In order for the Oracle database to function properly, certain OS resources must be configured. By default, some of these are set too low. Linux allows these parameters to be modified dynamically; no reboot is required to activate the changes. The kernel parameters can be altered by modifying the values in the /proc pseudo file system.
Do not change the value of a kernel parameter if it is already higher than required by Oracle.
Below is a list of how to check and, if necessary, correct the kernel parameters.
semmsl, semmns, semopm and semmni
# sysctl -a | grep sem
# echo 'kernel.sem = 250 32000 100 128' >> /etc/sysctl.conf
shmall
# sysctl -a | grep shmall
# echo 'kernel.shmall = 2097152' >> /etc/sysctl.conf
shmmax
# sysctl -a | grep shmmax
# echo 'kernel.shmmax = <half of the internal memory in bytes>' >> /etc/sysctl.conf
This value should be half the internal memory in bytes.
shmmni
# sysctl -a | grep shmmni
# echo 'kernel.shmmni = 4096' >> /etc/sysctl.conf
file-max
# sysctl -a | grep file-max
# echo 'fs.file-max = 65536' >> /etc/sysctl.conf (10g)
# echo 'fs.file-max = 6815744' >> /etc/sysctl.conf (11g)
ip_local_port_range
# sysctl -a | grep ip_local
# echo 'net.ipv4.ip_local_port_range = 9000 65500' >> /etc/sysctl.conf
rmem_default
# sysctl -a | grep rmem_default
# echo 'net.core.rmem_default = 1048576' >> /etc/sysctl.conf
rmem_max
# sysctl -a | grep rmem_max
# echo 'net.core.rmem_max = 1048576' >> /etc/sysctl.conf (10g)
# echo 'net.core.rmem_max = 4194304' >> /etc/sysctl.conf (11g)
wmem_default
# sysctl -a | grep wmem_default
# echo 'net.core.wmem_default = 262144' >> /etc/sysctl.conf
wmem_max
# sysctl -a | grep wmem_max
# echo 'net.core.wmem_max = 262144' >> /etc/sysctl.conf (10g)
# echo 'net.core.wmem_max = 1048576' >> /etc/sysctl.conf (11g)
aio-max-nr
# sysctl -a | grep aio-max-nr
# echo 'fs.aio-max-nr = 1048576' >> /etc/sysctl.conf (11g)
aio-max-nr limits concurrent outstanding requests and should be set to avoid I/O subsystem failures.
To make the changes effective immediately, run:
# sysctl -p
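Appending lines to /etc/sysctl.conf blindly can lower a value that is already higher than Oracle requires, which the rule above forbids. The following is an added example, not part of the original post: it compares sysctl -a output with the 11g minimums listed on this page and prints only the lines that still have to be added, raising individual fields without lowering any. The function names and the sample output are constructed for illustration; kernel.shmmax is left out because its value depends on the host's memory.

```shell
# Minimums listed on this page for Oracle 11g. ip_local_port_range is a range,
# not a minimum, so it is not compared here.
REQUIRED_11G='kernel.sem = 250 32000 100 128
kernel.shmall = 2097152
kernel.shmmni = 4096
fs.file-max = 6815744
net.core.rmem_default = 1048576
net.core.rmem_max = 4194304
net.core.wmem_default = 262144
net.core.wmem_max = 1048576
fs.aio-max-nr = 1048576'
# Constructed sample of `sysctl -a` output (not from a real host).
SAMPLE='kernel.sem = 250 32000 32 256
kernel.shmall = 4294967296
kernel.shmmni = 4096
fs.file-max = 101365
net.core.rmem_default = 212992
net.core.rmem_max = 4194304
net.core.wmem_default = 262144
net.core.wmem_max = 212992'

# current_value SYSCTL_TEXT KEY -> the key's value, fields joined by single spaces
current_value() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k && $2 == "=" {
        for (i = 3; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "\n")
        exit }'
}

# raise_to CURRENT REQUIRED -> field-wise maximum, so no field is ever lowered
raise_to() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        NR == 1 { split($0, cur, " ") }
        NR == 2 { n = split($0, req, " ")
                  for (i = 1; i <= n; i++) {
                      v = (cur[i] + 0 > req[i] + 0) ? cur[i] : req[i]
                      printf "%s%s", v, (i < n ? " " : "\n") } }'
}

# missing_settings SYSCTL_TEXT -> "key = value" lines still needed in sysctl.conf
missing_settings() {
    printf '%s\n' "$REQUIRED_11G" | while IFS= read -r line; do
        key=${line%% = *}; want=${line#* = }
        have=$(current_value "$1" "$key")
        new=$(raise_to "$have" "$want")
        [ "$new" = "$have" ] || echo "$key = $new"
    done
}

missing_settings "$SAMPLE"   # on a host: missing_settings "$(sysctl -a 2>/dev/null)"
```

Review the printed lines before appending them to /etc/sysctl.conf; running the check again after sysctl -p should print nothing.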
Shell Limits
Ulimit
ulimit provides control over the resources available to processes started by the shell, on systems that allow such control.
To check all current limits, enter the command:
# ulimit -a
Two limits have to be increased for Oracle to be able to handle large numbers of files: the maximum number of open file descriptors and the maximum number of processes available to a single user. This can be done by adding these limits to /etc/profile:
# cat >> /etc/profile << 'EOF'
# Raise the process and open-file limits for the oracle user
if [ "$USER" = "oracle" ]; then
    if [ "$SHELL" = "/bin/ksh" ]; then
        ulimit -p 16384
        ulimit -n 64000
    else
        ulimit -u 16384 -n 64000
    fi
fi
EOF
This sets the maximum number of user processes to 16384 and the maximum number of open files to 64000.
In the Oracle documentation, the number of open files is set to 65536. During configuration of the kernel parameters, file-max was also set to 65536, which would enable the Oracle user to use up all the file handles available to the system. Therefore it’s better to lower this value a little.
Securing PAM
PAM is an abbreviation for Pluggable Authentication Modules. On most Linux systems you have two directories, “/etc/pam.d/” and “/etc/security/”. /etc/pam.d/ is where the modules are located and /etc/security/ is where some of the configuration files for some of these modules are.
In certain kinds of attacks, the attacker doesn’t attempt to gain access, but instead tries to break a certain part of your computer’s operation. You can protect against certain types of DoS attacks by modifying /etc/security/limits.conf. This file sets limits on system resources for each user. Since several major daemons, including the web, name and ftp servers, may run as a particular user, this has the effect of stopping many attacks against these applications from crippling the entire machine.
To limit the processes and open files of the Oracle user execute the following:
# cat >> /etc/security/limits.conf << EOF
oracle soft nproc 2047
oracle hard nproc 16384
oracle soft nofile 1024
oracle hard nofile 65536
EOF
The last step is to modify the PAM module.
# cat >> /etc/pam.d/login << EOF
session required pam_limits.so
EOF
This will invoke the limits shared library during login.
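A check for the two changes above, as an added example that is not from the original post: it reads the text of limits.conf and of a PAM service file and reports each oracle limit that is missing, commented out or different from the values on this page, and whether pam_limits.so is loaded for the session. The function names and both sample files are constructed for illustration.

```shell
# Constructed sample files (not from a real host).
LIMITS_SAMPLE='# /etc/security/limits.conf
*       soft  core    0
oracle  soft  nproc   2047
oracle  hard  nproc   16384
oracle  soft  nofile  1024
#oracle hard  nofile  65536'
PAM_SAMPLE='#%PAM-1.0
auth     include  system-auth
session  include  system-auth
#session required pam_limits.so'

# limit_value LIMITS_TEXT USER TYPE ITEM -> value on the last matching uncommented line
limit_value() {
    printf '%s\n' "$1" | awk -v u="$2" -v t="$3" -v i="$4" '
        { sub(/#.*/, "") }                       # drop comments
        $1 == u && $2 == t && $3 == i { v = $4 }
        END { if (v != "") print v }'
}

# pam_limits_active PAM_TEXT -> exit 0 if an uncommented session line loads pam_limits.so
pam_limits_active() {
    printf '%s\n' "$1" | awk '
        { sub(/#.*/, "") }
        $1 == "session" && $0 ~ /pam_limits\.so/ { found = 1 }
        END { exit !found }'
}

# audit_oracle_limits LIMITS_TEXT PAM_TEXT -> one line per problem, nothing when all is set
audit_oracle_limits() {
    limits=$1; pam=$2
    for want in "soft nproc 2047" "hard nproc 16384" "soft nofile 1024" "hard nofile 65536"; do
        type=${want%% *}; rest=${want#* }; item=${rest% *}; value=${rest#* }
        got=$(limit_value "$limits" oracle "$type" "$item")
        [ "$got" = "$value" ] || echo "oracle $type $item: expected $value, found ${got:-nothing}"
    done
    pam_limits_active "$pam" || echo "pam_limits.so is not loaded for session"
}

# On a host: audit_oracle_limits "$(cat /etc/security/limits.conf)" "$(cat /etc/pam.d/login)"
audit_oracle_limits "$LIMITS_SAMPLE" "$PAM_SAMPLE"
```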
Software directories
You must identify or create the following directories for the Oracle software:
- Oracle inventory directory
- Oracle base directory
- Oracle data directory
- Oracle flash recovery directory (optional)
Oracle Directories
Create the required Oracle directories and set the correct permissions.
# mkdir -p /opt/oraInventory
# chmod -R 770 /opt/oraInventory
# chown -R oracle:oinstall /opt/oraInventory
# mkdir -p /opt/oracle/app
# mkdir -p /opt/oracle/admin
# mkdir -p /opt/oracle/diag (11g)
# mkdir -p /opt/oracle/oradata
# mkdir -p /opt/oracle/flash_recovery_area
# chmod -R 770 /opt/oracle
# chown -R oracle:oinstall /opt/oracle
Oracle user environment variables
Log in as user oracle and add some variables to the bash profile.
Oracle 10g
$ cat >> /home/oracle/.bash_profile << EOF
export ORACLE_BASE=/opt/oracle
export ORACLE_HOME=\$ORACLE_BASE/app/102/db
export ORACLE_HOME_LISTNER=\$ORACLE_HOME
export TNS_ADMIN=\$ORACLE_HOME/network/admin
export PATH=\$ORACLE_HOME/bin:\$ORACLE_HOME/OPatch:\$PATH
EOF
Oracle 11g
$ cat >> /home/oracle/.bash_profile << EOF
export ORACLE_BASE=/opt/oracle
export ORACLE_HOME=\$ORACLE_BASE/app/112/db
export ORACLE_HOME_LISTNER=\$ORACLE_HOME
export TNS_ADMIN=\$ORACLE_HOME/network/admin
export PATH=\$ORACLE_HOME/bin:\$ORACLE_HOME/OPatch:\$PATH
EOF