- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - HP-UX
- >
- Best practices with Oracle and root access
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Discussions
Forums
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО02-09-2006 06:21 AM
тАО02-09-2006 06:21 AM
Best practices with Oracle and root access
IMHO - no one other then a sysadmin needs root access.
I don't want this to be a rant, I'm looking for official doc(s)...so I can give to 1 Oracle admin who thinks he should have root access on the systems he supports.
Main reason - he doesn't want to "bother" us to run the root.sh script when doing installs or changes...
IMHO - why is it called root.sh - because Oracle (and SAP) want you to get a sysadmin to run that script for you.
Like I said, I don't need your opinions (as I'm sure they will be for the most part the same as mine) but I need some sort of document - and if it is from Orcale - so much the better - because this one DBA swears by everything put out by Oracle - IE - if Oracle says do this - he does.
Thanks...Geoff
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО02-09-2006 06:38 AM
тАО02-09-2006 06:38 AM
Re: Best practices with Oracle and root access
I'm pretty the manual(s) tell you to run root.sh, etc as root, or get one to run it for you, and that's about the whole of it.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО02-09-2006 06:38 AM
тАО02-09-2006 06:38 AM
Re: Best practices with Oracle and root access
I'm pretty sure the manual(s) tell you to run root.sh, etc as root, or get one to run it for you, and that's about the whole of it.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО02-09-2006 06:45 AM
тАО02-09-2006 06:45 AM
Re: Best practices with Oracle and root access
We don't give DBAs root access - ever.
We set up sudo rules for them to allow them to *only* do what they need to do.
If the don't tell us everything they need to do they have to wait until the next iterartion of the sudoers rule.
In emergencies we give them a "temp" rule to do what they need and then remove it when done.
My $0.02,
Jeff
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО02-09-2006 06:52 AM
тАО02-09-2006 06:52 AM
Re: Best practices with Oracle and root access
(BTW, I did a quick Yahoo! search and didn't find anything useful as far as a best practice document on the subject.)
Jeff Traigle
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО02-09-2006 06:57 AM
тАО02-09-2006 06:57 AM
Re: Best practices with Oracle and root access
My general method of heading DBA's off at the pass is "Give my your sys and system passwords." Generally they look at me like I'm insane. I can't be allowed access to their database! If they do give me their passwords, I immediately tell them that I have no need of those passwords and their release of the passwords indicates that they are not nearly security conscious enough to be granted super-user passwords.
Either way, they can't win.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО02-09-2006 07:38 AM
тАО02-09-2006 07:38 AM
Re: Best practices with Oracle and root access
Personally though - SysAdmins and really good UNIX persons make the best and most efficient Oracle DBAs. If you are a "good" DBA and you've no idea about the underlying OS and infrasrtcuture that you are runing your instance on - then how can you ensure your instance(s) is getting the best and proper environment. There are also tools/routines/teechniques that a UNIX/Admin savvy DBA can call/utilize to further improve productivity.
My few cents.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО02-09-2006 08:09 AM
тАО02-09-2006 08:09 AM
Re: Best practices with Oracle and root access
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО02-09-2006 08:42 AM
тАО02-09-2006 08:42 AM
Re: Best practices with Oracle and root access
Generally the installer creates a new /etc/oratab or modifies it. It also creates or modifies the /var/opt/oracle file. For these reasons, they require root. (That's my guess, anyway.) You can get around that, if you wanted, by making permissions of those files appropriate for them to run as oracle. (Whether you should do this is really a question for you, not me.)
The script generally only takes a few seconds to run, it doesn't take a whole lot of time. I let our DBA's run this as root-priviledged themselves. (Sorry Clay) That doesn't mean I let them do anything else, I only trust them about as far as I can throw them...
In the past, they used to always call to have us run the file.
Hope it helps
John
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО02-09-2006 08:59 AM
тАО02-09-2006 08:59 AM
Re: Best practices with Oracle and root access
Oh and Shalom to you.
Oracle can be massively screwed up by having root access.
My Oracle DBA had root in Chicago because he was my backup. He never used it for dba tasks.
Note that Oracle sets up shared memory segments that you can view with the ipcs commands.
If the oracle dba does anything to a shared memory segment, runs the wrong utility as root or whatever, the segment is locked, the oracle user and database can not access it and the database crashes.
Very bad.
Now a doc. Or two.
http://www.google.co.il/group/comp.databases.oracle/browse_thread/thread/4ff31a8dfc6b58b7/16389f4eef802332%2316389f4eef802332?sa=X&oi=groupsr&start=2&num=3
Running root as internal
http://www.google.co.il/group/comp.databases.oracle.server/browse_thread/thread/d4d9a00908613f2c/475969081dafefd4%23475969081dafefd4?sa=X&oi=groupsr&start=1&num=3
A potential horror story:
http://lists.suse.com/archive/suse-oracle/2003-Mar/0189.html
http://www.oracle.com/technology/tech/linux/vmware/cookbook/stage2b_sles.html
The oracle dba's main reason is to not have to be root to run root.sh?
From experience and thats more important than any doc. You are right and he or she is wrong.
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО02-09-2006 09:06 AM
тАО02-09-2006 09:06 AM
Re: Best practices with Oracle and root access
In regards to the root.sh script, as you are aware this is only run once during the install. DBAs do not need root access, EVER!
If this is such a worry, put them in sudoers for a limited time - until the database install is complete. Then yank him out.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО02-09-2006 09:08 AM
тАО02-09-2006 09:08 AM
Re: Best practices with Oracle and root access
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО02-09-2006 02:22 PM
тАО02-09-2006 02:22 PM
Re: Best practices with Oracle and root access
├в Should DBA have root access├в , this should not be a subject of a document of ├в Best Practices├в .
Because a DBA will not require root access to perform his daily database administration tasks. Oracle, for example, has several tools with which you can administer Oracle itself, almost negating the need for a UNIX login altogether. One of these on the high-end being Enterprise manager, and on the other low-end being the Oracle client.
DBA's should have non-root access to the servers and would require a some sudo access. To run root.sh will not be a frequent job. It will be on new installations and patches which would be once in 6 months or so. DBA├в s require server access to troubleshoot their own backups and space issues.
It will be a good practice to build up a good rapport between the DBA├в s and Sysadmin teams in the events when some of the tasks of one team require the other team to run the jobs. This should be considered as sharing rather than ├в I don├в t want to bother you all the time├в .
Another issue is server accountability within a given IT organization. How secure have you made your server. If the DBA's and Sysadmin's reported to the same supervisor, it will be a bad idea to share root access across food chains.
I once worked in an organisation where I was UNIX Sysadmin and the DBA. I also, worked at one firm where I had dba access with no root access. And I can say as a DBA with non-root access I could perform my instance admin tasks without any issues.
Indira A
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО02-09-2006 05:00 PM
тАО02-09-2006 05:00 PM
Re: Best practices with Oracle and root access
Sample output from root.sh is enclosed below (to get an idea of what it does) during Oracle upgrade from 8i to 9i:
Enter the full pathname of the local bin directory: [/usr/local/bin]: press enter
(Backup the following three files)
The file "dbhome" already exists in /usr/local/bin. Overwrite it? (y/n) [n]: y
Copying dbhome to /usr/local/bin ...
The file "oraenv" already exists in /usr/local/bin. Overwrite it? (y/n) [n]: y
Copying oraenv to /usr/local/bin ...
The file "coraenv" already exists in /usr/local/bin. Overwrite it? (y/n) [n]: y
Copying coraenv to /usr/local/bin ...
Adding entry to /etc/oratab file...
Entries will be added to the /etc/oratab file as needed by
Database Configuration Assistant when a database is created
Finished running generic part of root.sh script
Yes you are right: It is called root.sh - because Oracle (and SAP) want you to get a sysadmin to run that script for you.
Oracle admin and OS admin are two different roles and should be performed by two differnt people. However in some organization it is done by one for shortage of manpower.
The reason given by DBA in this case does not hold. If DBA has to bother sysadm then he has to; especially in this case when sysadm would like OS to be protected from all quarter.
sks
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО02-09-2006 10:15 PM
тАО02-09-2006 10:15 PM
Re: Best practices with Oracle and root access
The question is not just about root.sh...
Yesterday, for example, I recovered a Production database and loose a day of work because of data corruption in the morning.
The solution was to place the 07 February end of the day database backup, change the system date BACKWARD from 09 to 08 February and redo all Wednesday work. Because I'm the system and database administrator, I didn't need to call anybody to change the date form me.
So, you won't find any satisfactory document about this question but in my opinion, in your situation you should avoid giving him direct access to root.
Best Regards,
Eric Antunes
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО02-10-2006 12:56 AM
тАО02-10-2006 12:56 AM
Re: Best practices with Oracle and root access
You epitomize the ideal System Administrator - who's also a Database Administrator. There are now actually enterprises out there who value (and require) System Admins also act as DBA's or vice versa. This increases the efficiency of overall administration of a system - by cutting the proverbial "how many XYZ Company IT hands is needed to fix a lightbulb" -
And some CIOs are now actually discovering that Small IT Shop techniques (i.e. IT Staff responsible for multipe roles) also apply to big IT shops.
And it cuts cost too! ;^)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО02-10-2006 02:20 AM
тАО02-10-2006 02:20 AM
Re: Best practices with Oracle and root access
With Oracle, for example, the DBA must know until where he can increase the SGA without hurting the whole system (Paging out, etc...) and to achieve this he must be a system administrator too.
Best Regards,
Eric Antunes
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО02-10-2006 03:31 AM
тАО02-10-2006 03:31 AM
Re: Best practices with Oracle and root access
Well....you can get away with that in smaller organizations.
But we literally have dozens of DBAs & over a hundred SAs - of all UNIX flavors
We can't afford to do this.
sudo is our huckleberry.
My $0.02,
Jeff
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО02-10-2006 03:41 AM
тАО02-10-2006 03:41 AM
Re: Best practices with Oracle and root access
And with today's OSes and RDBMSes starting to get to be easily managed and with an abundance of tools - these new breed of CIOs/IT leaders actually know what is really required in an Organization and what each staff can actually do. In organizations I consult with - I have seen SysAdmin to Servers Ratio drop from 1:5 to 1:50 in the last five years. I've also seen consolidation of roles like - ersthwhile Storage Admin, Network Admin and UNIX System Admin positions now being handled by a lone person. And DBA's are increasingly provided with UNIX Admin and Storage Admin skills and roles as well.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО02-10-2006 03:44 AM
тАО02-10-2006 03:44 AM
Re: Best practices with Oracle and root access
I respectfully disagree.. Specialization is everything. To prove my point.. An oracle recover is SCN based not time based, you can choose to recover to a point in time of course.
Without knowing the details of your recovery situation I'd say that your data loss of 1 day was most probably avoidable...
Send me your configuration and details and I'll be happy to review it for availability.
kennethinbox-forums@yahoo.com
Ken
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО02-10-2006 03:55 AM
тАО02-10-2006 03:55 AM
Re: Best practices with Oracle and root access
That is not the subject of this thread but, the SCN recovery would have only give me 100 minutes of data more (a few material transactions and a dozen of documents) since the corruption happened at 10H40 AM. But I'm considering the SCN (archivelog mode) recovery for other reasons...
Best Regards,
Eric Antunes
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО02-10-2006 05:21 AM
тАО02-10-2006 05:21 AM
Re: Best practices with Oracle and root access
We would fail SOX if the ORACLE DBA had Root privileges. OR if the Superuser had DBA privileges.
Rory
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО02-10-2006 05:24 AM
тАО02-10-2006 05:24 AM
Re: Best practices with Oracle and root access
It's a good thing that you spelled out that you weren't interested in opinions!!
;^)
Pete
(N/A, please)
Pete
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО02-10-2006 09:08 PM
тАО02-10-2006 09:08 PM
Re: Best practices with Oracle and root access
with Oracle 10g and ASM/OMF, you don't need any special privileges for the DBA.
DBAs no longer need to manage files and drives individually. Instead, disk groups can be created consisting of disks and their assigned files.
Essentialy, the combination of OMF and ASM eliminates the need for a DBA to specify the file name and location for the physical database files when creating a new database, as well as in other database operations - you simply identify the destination disk group, and oracle takes care of the rest. ASM can also be extended to support other administrative procedurees, including backup/recovery and disk management.
I find the diskgroup concept very interesting such that diskgroup is like a logical volume, like a filesystem but only for database files.
It is said that "ASM is for DBA's for managing database data what Filesystems are for SA's for managing disk"
hope this helps!
kind regards
yogeeraj
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО02-10-2006 09:11 PM
тАО02-10-2006 09:11 PM
Re: Best practices with Oracle and root access
see also metalink Note:265633.1
Subject: ASM Technical Best Practices
kind regards
yogeeraj