Archive for September, 2013

Sep 27

ORA-01031 ERROR when Using Sqlplus

Normally when you install the Oracle database software you should not have any problems like this, but this happened to me because I cloned a system, and it happens that we use different "dba" groups on different servers.

As I understand it, the install binaries are linked to the "oinstall" or "dba" group, or your equivalent group specific to your environment, used at the time of the install. So if you run the same binaries on a different server, you lose the luxury of doing an unauthenticated login with sqlplus. This was difficult to track down, so I documented my fix.

You can simulate this error very easily by taking your user out of the "dba" group or removing the group completely.

The error message ORA-01031: insufficient privileges appears as follows:

$ sqlplus / as sysdba
SQL*Plus: Release 11.2.0.3.0 Production on Thu Sep 26 11:28:33 2013
Copyright (c) 1982, 2011, Oracle.  All rights reserved.
ERROR:
ORA-01031: insufficient privileges
Enter user-name: ^C

Temporarily you can fix it by adding your user to the group you know worked on the source system:

# grep ag /etc/group
agprd::313:agprd_o
agdev1::305:agprd_o

$ sqlplus / as sysdba
SQL*Plus: Release 11.2.0.3.0 Production on Thu Sep 26 11:28:58 2013
Copyright (c) 1982, 2011, Oracle.  All rights reserved.
Connected to an idle instance.

The permanent fix is as follows: update the config.s file and relink.

$ tail -1 /etc/group
#agdev1::305:agprd_o

$ pwd
/u01/app/oracle/product/11.2.0/dbhome_1/rdbms/lib
$ diff config.s /tmp/config.s
23c23
< .ascii "agprd\0"
---
> .ascii "agdev1\0"

$ relink as_installed

$ sqlplus / as sysdba
SQL*Plus: Release 11.2.0.3.0 Production on Thu Sep 26 11:55:29 2013
Copyright (c) 1982, 2011, Oracle. All rights reserved.
Connected to an idle instance.
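
A quick way to spot this mismatch on a cloned host before relinking, as an added example that is not part of the original post: the script pulls the group names out of config.s and checks each one against the local group file. It assumes the names appear only in lines of the `.ascii "name\0"` form shown in the diff above; the function names and the sample files are made up for the illustration.

```shell
#!/bin/sh
# Added example: compare the group names linked into Oracle (config.s)
# with the groups that exist on this host.

# Print every name found in lines of the form:  .ascii "name\0"
config_groups() {
    sed -n 's/^[[:space:]]*\.ascii[[:space:]]*"\([^"\\]*\)\\0".*/\1/p' "$1"
}

# group_status GROUP USER GROUPFILE -> missing | member | not-member
# Only the member list (field 4) is checked; a user's primary group from
# /etc/passwd is not consulted. Commented-out entries count as missing.
group_status() {
    awk -F: -v g="$1" -v u="$2" '
        $1 == g { found = 1
                  n = split($4, m, ",")
                  for (i = 1; i <= n; i++) if (m[i] == u) member = 1 }
        END { if (!found) print "missing"
              else if (member) print "member"
              else print "not-member" }' "$3"
}

# audit_config CONFIG USER GROUPFILE -> one "group status" line per name
audit_config() {
    for grp in $(config_groups "$1"); do
        echo "$grp $(group_status "$grp" "$2" "$3")"
    done
}

# Constructed sample mirroring the cloned host in the post: the binaries
# still carry the source system's group, which is commented out locally.
tmp=$(mktemp -d)
cat > "$tmp/config.s" <<'EOF'
	.ascii "agdev1\0"
EOF
cat > "$tmp/group" <<'EOF'
agprd::313:agprd_o
#agdev1::305:agprd_o
EOF

audit_config "$tmp/config.s" agprd_o "$tmp/group"
```

On a real host, point it at $ORACLE_HOME/rdbms/lib/config.s and /etc/group; any name reported as missing or not-member is a candidate cause for ORA-01031 on "sqlplus / as sysdba".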


Sep 23

Solaris 11 Firewall

While trying to clone a production stack for development, I got a little paranoid and added some firewall rules to avoid some accidental communication between the stacks. Mainly my concern was about the poorly documented process for cloning as well as the poor use of VLANs in the client's environment. Below is a quick and dirty way to add some IPF rules to Solaris 11.

Check current rules:

# ipfstat -io
empty list for ipfilter(out)
empty list for ipfilter(in)

Enable a custom policy:

# svccfg -s ipfilter:default setprop firewall_config_default/policy = astring: "custom"
# svccfg -s ipfilter:default listprop firewall_config_default/policy
firewall_config_default/policy astring     custom

Custom policy file:

# svccfg -s ipfilter:default setprop firewall_config_default/custom_policy_file = astring: "/etc/ipf/ipf.conf"
# svccfg -s ipfilter:default listprop firewall_config_default/custom_policy_file
firewall_config_default/custom_policy_file astring /etc/ipf/ipf.conf

Run the firewall service:

# svcadm refresh ipfilter:default
# svcs -a | grep ipfilter
disabled Sep_20 svc:/network/ipfilter:default

# svcs -xv svc:/network/ipfilter:default
svc:/network/ipfilter:default (IP Filter)
 State: disabled since September 20, 2013 12:21:20 PM PDT
Reason: Disabled by an administrator.
 See: http://support.oracle.com/msg/SMF-8000-05
 See: man -M /usr/share/man -s 5 ipfilter
Impact: This service is not running.

# svcadm enable svc:/network/ipfilter:default

# svcs -xv svc:/network/ipfilter:default
svc:/network/ipfilter:default (IP Filter)
 State: online since September 23, 2013 05:46:51 AM PDT
 See: man -M /usr/share/man -s 5 ipfilter
 See: /var/svc/log/network-ipfilter:default.log
Impact: None.

Some commands to check with:

# ipfstat |grep blocked
 input packets: blocked 0 passed 176 nomatch 176 counted 0 short 0
output packets: blocked 0 passed 161 nomatch 161 counted 0 short 0
 input packets logged: blocked 0 passed 0
output packets logged: blocked 0 passed 0

# ipfstat -io |head
empty list for ipfilter(out)
empty list for ipfilter(in)

Try adding a rule:

# echo "block in on ipmp1 proto tcp from 10.200.0.0/32 to any" | ipf -f -

# ipfstat -io
empty list for ipfilter(out)
block in on ipmp1 proto tcp from 10.200.0.0/32 to any

OK, that did nothing. Let's try a better mask.

# echo "block in on ipmp1 proto tcp from 10.200.0.0/16 to any" | ipf -f -
# Timeout, server usli-dsdb-ag11.dev.asg.ad not responding.

Hmm that worked. I dropped myself out. Nice.

Get in through the LDOM console and flush the rules:

# ipf -F a
# ipfstat -io
empty list for ipfilter(out)
empty list for ipfilter(in)

Trying a more realistic rule:

# echo "block in quick from 10.200.53.110/31 to any" | ipf -f -
# ipfstat -io
block in quick from 10.200.43.70/31 to any

Yep that worked as my ping failed...

# ping 10.200.53.110
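
Why the /32 rule matched nothing while the /16 rule cut the SSH session, as an added example that is not part of the original post: the script prints the address range each source mask covers and whether an admin workstation falls inside it. The function names and the workstation address 10.200.7.15 are made up for the illustration.

```shell
#!/bin/sh
# Added example: what does an ipf source mask really cover, and does it
# include the address I am logged in from?

# Dotted-quad IPv4 -> 32-bit integer
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# 32-bit integer -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask for a prefix length, as an integer
prefix_mask() {
    if [ "$1" -eq 0 ]; then echo 0
    else echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF )); fi
}

# cidr_range CIDR -> "first-last" addresses covered by the mask
cidr_range() {
    mask=$(prefix_mask "${1#*/}")
    first=$(( $(ip_to_int "${1%/*}") & mask ))
    last=$(( first | (~mask & 0xFFFFFFFF) ))
    echo "$(int_to_ip "$first")-$(int_to_ip "$last")"
}

# lockout_verdict CIDR CLIENT_IP -> LOCKOUT if the rule would match CLIENT_IP
lockout_verdict() {
    mask=$(prefix_mask "${1#*/}")
    if [ $(( $(ip_to_int "${1%/*}") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
    then echo LOCKOUT; else echo safe; fi
}

# Rule sources are the ones tried in the post; 10.200.7.15 is a constructed
# admin workstation address (on a live host, use the first field of $SSH_CLIENT).
for src in 10.200.0.0/32 10.200.0.0/16 10.200.53.110/31; do
    echo "$src covers $(cidr_range "$src") -> $(lockout_verdict "$src" 10.200.7.15)"
done
```

Running the check before piping a block rule into ipf shows whether the current session's source address is inside the range that is about to be dropped.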

Persistency:

# ipf -f /etc/ipf/ipf.conf

# tail /etc/ipf/ipf.conf
#
# ipf.conf
#
# IP Filter rules to be loaded during startup
#
# See ipf(4) manpage for more information on
# IP Filter rules syntax.

I thought ipf -f should add it to the file, but it did not. So I added it manually, and that worked after a reboot.

# tail -2 /etc/ipf/ipf.conf
block in quick from 10.200.43.70/31 to any
block in quick from 10.200.53.110/31 to any


Sep 22

Solaris Server Graphics

Mostly I try to install the absolute minimum graphics software on a server. Most installs should be possible without graphics. For instance, when installing an Oracle database you can use silent mode and a response file.

Now and then you can't get around this. If you have the luxury of just remotely displaying an xterm back to your Unix desktop (or Windows with X Window software like Xming), then that should be enough. If you have a slow link over a WAN, then displaying X remotely becomes quite impossible. This is because of the way the X Window System updates pixels, keyboard and mouse clicks. In this case you can try VNC.

Note that since you have installed minimal graphics software on the server, you should not expect a nice GNOME-type desktop awaiting you upon a successful VNC connection.

This is an example of using VNC to connect to a Solaris 11 LDOM.

Install VNC server:

# pkg search vncserver
INDEX ACTION VALUE PACKAGE
basename file usr/bin/vncserver pkg:/x11/server/xvnc@1.1.0-0.175.1.0.0.24.1317

root@host11:~# pkg install pkg:/x11/server/xvnc@1.1.0-0.175.1.0.0.24.1317

Run VNC Server as the user you need to use:

dev1_a@host11:~$ vncserver
You will require a password to access your desktops.
Password:
Verify:
New 'host11:2 (dev1)' desktop is host11:2

Creating default startup script /export/home/dev1/.vnc/xstartup
Starting applications specified in /export/home/dev1/.vnc/xstartup
Log file is /export/home/dev1/.vnc/host11:2.log

Now connect with your VNC client to host11:2.
