
Deploying Applications Quickly and Securely in an Enterprise Private Cloud with OpenStack (Part 2)

by Glynn Foster

This hands-on lab will take you through the basics of using OpenStack on Oracle Solaris 11 and installing applications into newly created virtual machine instances.

Published January 2015

Table of Contents
Lab Setup
Exercise 1: Provisioning a VM Instance
Exercise 2: Setting Up an Environment for Oracle Database
Exercise 3: Installing Oracle Database
Exercise 4: Running Oracle Database
Exercise 5: Automatically Restarting Oracle Database with Oracle Solaris Service Management Facility
Exercise 6: Ensuring Compliance with Oracle Solaris 11.2
Exercise 7: Creating an Oracle Database Unified Archive
Exercise 8: Securing our Virtual Environment
See Also
About the Author


This lab is Part 2 of a two-part series that explores how to deploy an enterprise private cloud using OpenStack. Please complete Part 1, "Deploying an Enterprise Private Cloud with OpenStack in 20 Minutes," before attempting to perform this lab.

This lab describes the tasks that were done during the Oracle OpenWorld 2014 session Hands-On Lab 9822. It will take you through the basics of using OpenStack on Oracle Solaris 11 and installing applications into newly created virtual machine (VM) instances.

OpenStack is a popular open source cloud infrastructure that has been integrated into Oracle Solaris 11.2. OpenStack includes a number of services that help you manage the compute, storage, and network resources in your data center through a central web-based dashboard.

Figure 1. OpenStack dashboard helps you manage resources.

The OpenStack services can be summarized as shown in Table 1:

Table 1. OpenStack services

Service   Description
Nova      Compute virtualization
Cinder    Block storage
Neutron   Software-defined networking (SDN)
Keystone  Identity service: authentication and authorization for users and for the other cloud services
Glance    Image management and deployment
Horizon   Web-based dashboard

During this lab, we will deploy a new VM instance using OpenStack and install Oracle Database 12c into it. After successfully installing the database and ensuring that it runs correctly, we will create a golden image with which to rapidly clone this environment across the cloud.

In the second half of this lab, we will explore some of the compliance and security features included in Oracle Solaris 11 and demonstrate a typical compliance lifecycle used in the cloud. We will also explore how to lock down VMs from an external attack.

Lab Setup

This lab requires the following setup:

  • Oracle Solaris 11.2 (root password is solaris11)
  • Host name of solaris and IP address range of
  • Oracle Solaris Image Packaging System repository clone at /repository/publishers/solaris
  • Oracle Database 12c installation files located in /root/ and an Oracle Database 12c installation response file located at /root/db_install.rsp

To start, open a terminal window on the host OS and start an SSH connection with root/solaris11 as the user/password combination:

# ssh root@10.158.56.x
Oracle Corporation      SunOS 5.11      11.2    June 2014

Exercise 1: Provisioning a VM Instance

Before we install Oracle Database, we need to create a VM instance in which to install it.

First, log in to the OpenStack Horizon dashboard by opening a browser and pointing it to the IP address mentioned earlier: http://10.158.56.x/horizon. Use dba/oracledba as the user/password combination to log in.

Figure 2. Dashboard login screen

After you have successfully logged in, navigate to the Access & Security screen, where you can create a new SSH keypair:

Figure 3. Access & Security screen

There are no keypairs currently defined, so click the Import Keypair button to open the Import Keypair screen, which is shown in Figure 4.

In our case, let's use the SSH public key of our global zone. First, run the following command to get the key, and then paste the key into the Public Key field of the Import Keypair screen. Note that this is a convenience for the lab: it gives anyone holding the global zone's root private key root access to every instance launched with this keypair. In a production cloud, generate a separate keypair for each administrator or tenant.

root@solaris:~# cat .ssh/id_rsa.pub 
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA0Khp4Th5VcKQW4LttqzKAR8O60gj43cB0CbdpiizEhXEbVgjI7IlnZlo9i
uK9JUi/gPhg2lTOhISgJoelorQ== root@solaris

Figure 4. Import Keypair screen

After successfully importing the SSH keypair, let's now create a network for this instance. Choose Networks from the menu to get the following screen:

Figure 5. Networks screen

There are no networks currently defined, so let's create a network. First, click the Create Network button.

Let's create a network called mynetwork with a subnet called mysubnet using the address range. This means that instances that choose this network will be created within this range starting at

Figure 6. Create Network screen

After we create our network, we should see it listed in the Networks screen:

Figure 7. Networks screen

Now we are ready to launch a new instance. Choose Instances from the menu to get the following screen:

Figure 8. Instances screen

Let's launch a new instance by clicking the Launch Instance button.

We will call our instance myinstance. We will give it an Oracle Solaris non-global zone flavor called medium. A flavor represents the size of the resources that we should give this instance. We can see in Figure 9 that we will get a root disk of 10 GB and 2,048 MB of RAM. We will choose to boot this instance from the image we uploaded in Part 1 that's stored in Glance, which is called Base Zone.

Figure 9. Launch Instance screen

When we are happy with the Details tab, we can move onto the Access & Security tab. There, you can see that our keypair has been preselected, so you can immediately move on to the Networking tab. There, select mynetwork as our network. Then click the Launch button.

Figure 10. Networking tab

After a little bit of time, we can see that our instance has successfully booted. Depending on what you chose for your subnet address space, your instance might have a slightly different IP address.

Figure 11. Screen showing the instance's status is "active"

We are now ready to log in to this instance. In this lab, we took the simple path of setting up only an internal network topology. In a typical cloud environment, we would also set up an external network through which VMs communicate with the outside world. Here, because the instances are reachable only on the internal network, we log in to them through the global zone.

root@solaris:~# ssh root@
The authenticity of host ' (' can't be established.
RSA key fingerprint is 89:64:96:91:67:ab:6b:35:58:37:35:b8:ab:f3:e5:98.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '' (RSA) to the list of known hosts.
Last login: Thu Sep 11 00:33:57 2014
Oracle Corporation      SunOS 5.11      11.2    June 2014
root@host-192-168-66-3:~# ipadm
NAME              CLASS/TYPE STATE        UNDER      ADDR
lo0               loopback   ok           --         --
   lo0/v4         static     ok           --
   lo0/v6         static     ok           --         ::1/128
net0              ip         ok           --         --
   net0/dhcp      inherited  ok           --
root@host-192-168-66-3:~# exit
Connection to closed.

Exercise 2: Setting Up an Environment for Oracle Database

Now that we have successfully provisioned an instance, let's install Oracle Database. There are a number of prerequisites that we need to meet first, and that's what we'll do in this exercise. In this lab, we will meet the minimum requirements and install the database silently using a response file (as opposed to doing a graphical installation).

Let's start by adding a new user called oracle and assigning that user two groups: oinstall and dba.

# useradd -m oracle
80 blocks
# groupadd oinstall
# groupadd dba
# usermod -g oinstall -G dba oracle

Next, we need to set up appropriate resource controls by creating a new project called user.oracle. In our case, we need to increase the default maximum number of file descriptors a process can open, and raise the project's shared memory limit (project.max-shm-memory) to 8 GB so that the database can allocate its System Global Area.

# projadd user.oracle
# projmod -U oracle -sK "process.max-file-descriptor=(basic,65536,deny)" user.oracle
# projmod -U oracle -sK "project.max-shm-memory=(priv,8589934592,deny)" user.oracle

Let's also ensure that the correct software dependencies are installed. In Oracle Solaris 11.2, a new package called oracle-rdbms-server-12-1-preinstall was added that provides all the dependent packages that you need for an Oracle Database installation. Let's install this package.

# pkg install oracle-rdbms-server-12-1-preinstall
Packages to install: 11
            Services to change:  2
       Create boot environment: No
Create backup boot environment: No
DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                              11/11       254/254      5.0/5.0    0B/s

PHASE                                          ITEMS
Installing new actions                       644/644
Updating package state database                 Done 
Updating package cache                           0/0 
Updating image state                            Done 
Creating fast lookup database                   Done 
Updating package cache                           1/1 

Our next step is to create a location in which we will install Oracle Database. For convenience, we will install to the existing ZFS root pool, but we will create a new dataset for this.

# zfs create rpool/apps
# zfs set mountpoint=/apps rpool/apps
# zfs list rpool/apps
rpool/apps   31K  31.4G    31K  /apps

Also, let's create an oracle subdirectory and make the oracle user the owner of the new dataset.

# mkdir /apps/oracle
# chown -R oracle:dba /apps

Finally, let's set the password of the oracle user to solaris11 and log in to the account.

# passwd oracle
# su - oracle

Exercise 3: Installing Oracle Database

The first thing we need to do is download the Oracle Database installation files. After accepting the license agreement on the Oracle Database Software Downloads page, download the .zip files appropriate for your architecture to a writable location (for example, the oracle user's $HOME or /tmp).

Once the files have been downloaded, unpack the .zip files.

$ scp root@* .
$ unzip '*.zip'
$ cd database

We will use a response file to silently install the database. For this installation, we will be installing the Enterprise Edition with a database-only installation (as opposed to a database installation and configuration). Create a db_install.rsp response file with the following contents:


This response file can be tailored for your own environment, as required.

Now we are ready to run the Oracle Database installer.

$ ./runInstaller -silent -responseFile /export/home/oracle/db_install.rsp
Starting Oracle Universal Installer...

Checking Temp space: must be greater than 180 MB.   Actual 796 MB    Passed
Checking swap space: must be greater than 150 MB.   Actual 1749 MB    Passed
[WARNING] [INS-13014] Target environment does not meet some optional requirements.
 CAUSE: Some of the optional prerequisites are not met. See logs for details. 
 ACTION: Identify the list of failed prerequisite checks from the log: 
/tmp/OraInstall2014-09-28_02-25-07PM/installActions2014-09-28_02-25-07PM.log. Then 
either from the log file or from installation manual find the appropriate 
configuration to meet the prerequisites and fix it manually.
You can find the log of this install session at:

The installer runs through a long list of checks to ensure that the environment meets the requirements before installing Oracle Database. Some of the optional checks might fail; the silent installation continues anyway and should complete after a few minutes. Review the failed optional checks listed in the log before putting the database into serious use, and check the contents of /apps/oraInventory/logs/installActions*.log to confirm that Oracle Database was installed successfully:

The installation of Oracle Database 12c was successful.
Please check '/apps/oraInventory/logs/silentInstall2014-09-28_02-25-07PM.log' for more details.

As a root user, execute the following script(s):
        1. /apps/oraInventory/orainstRoot.sh
        2. /apps/oracle/oracledb12c/root.sh

Successfully Setup Software.

After the installation has finished, we need to quickly run a few scripts as the root account, as suggested by the installer, and then log back in to the oracle account again.

$ logout
# /apps/oracle/oraInventory/orainstRoot.sh
Changing permissions of /apps/oracle/oraInventory.
Adding read,write permissions for group.
Removing read,write,execute permissions for world.

Changing groupname of /apps/oracle/oraInventory to oinstall.
The execution of the script is complete.
# /apps/oracle/oracledb12c/root.sh
Check /apps/oracle/oracledb12c/install/root_solaris_2014-09-28_14-51-55.log for the output of root script
# su - oracle

Exercise 4: Running Oracle Database

Let's check that Oracle Database was installed by testing it, and set up a default environment that we can use for this database. First, set the following environment variables:

$ export ORACLE_BASE=/apps/oracle
$ export ORACLE_HOME=/apps/oracle/oracledb12c
$ export ORACLE_SID=orcl
$ export LD_LIBRARY_PATH=/apps/oracle/oracledb12c/lib
$ export PATH=/apps/oracle/oracledb12c/bin:$PATH

Let's also associate the system identifier (ORACLE_SID) with the database home (ORACLE_HOME) by adding the following line to the /var/opt/oracle/oratab file:


Let's also create an initialization parameter file for ORACLE_SID by creating it at /apps/oracle/oracledb12c/dbs/initorcl.ora with the following contents:


Now we can check to see if our Oracle Database instance is working by starting it and running a few SQL*Plus commands:

$ dbstart /apps/oracle/oracledb12c
Processing Database instance "orcl": log file /apps/oracle/oracledb12c/startup.log
$ sqlplus /nolog

SQL*Plus: Release Production on Sun Sep 28 16:43:38 2014

Copyright (c) 1982, 2014, Oracle.  All rights reserved.

SQL> connect / as sysdba
SQL> create database orcl;

Database created.

SQL> connect orcl as sysdba;
Enter password: solaris11
SQL> create table participants(
  2  first_name varchar2(25) not null,
  3  last_name varchar2(25) not null);

Table created.

SQL> describe participants;
 Name                                      Null?    Type
 ----------------------------------------- -------- ----------------------------
 FIRST_NAME                                NOT NULL VARCHAR2(25)
 LAST_NAME                                 NOT NULL VARCHAR2(25)

SQL> exit
Disconnected from Oracle Database 12c Enterprise Edition Release - 64bit Production
With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options

Now that we have seen that it works, let's stop the database instance.

$ dbshut /apps/oracle/oracledb12c

Exercise 5: Automatically Restarting Oracle Database with Oracle Solaris Service Management Facility

It would be nice if the golden image that we're creating for OpenStack could automatically start Oracle Database upon first boot. To achieve this, we will integrate it with the Oracle Solaris Service Management Facility (SMF), which manages system services on Oracle Solaris 11 and restarts them automatically after a software or hardware failure.

The first thing we'll do is to create a Service Management Facility manifest. This is a description of the service, and how it should be started or stopped. Oracle Solaris 11 provides a convenient way to create this manifest in its simplest form by using the svcbundle command. Let's run that command and provide start and stop methods, as follows:

# svcbundle -s service-name=site/oracledb12c \
  -s start-method="dbstart /apps/oracle/oracledb12c" \
  -s stop-method="dbshut /apps/oracle/oracledb12c" -o oracledb12c.xml

This will output a file called oracledb12c.xml with a basic template that we can add to manually, if desired. In our case, we want to modify it slightly to ensure that the oracle user runs the database and to set the appropriate environment variables. To do this, we add a method context to each exec_method for start and stop: a <method_credential> element sets the user and group the method runs as (without it, SMF runs the method as root), and a <method_environment> element carries the environment variables. Because the method does not inherit the environment of our shell, PATH is set explicitly and includes the system directories that the dbstart and dbshut scripts need.

Edit oracledb12c.xml and find the two <exec_method> XML tags. Modify them to read as follows:

<exec_method timeout_seconds="60" type="method" name="start"
    exec="dbstart /apps/oracle/oracledb12c">
    <method_context>
        <method_credential user="oracle" group="dba"/>
        <method_environment>
            <envvar name="ORACLE_BASE" value="/apps/oracle"/>
            <envvar name="ORACLE_HOME" value="/apps/oracle/oracledb12c"/>
            <envvar name="ORACLE_SID" value="orcl"/>
            <envvar name="LD_LIBRARY_PATH" value="/apps/oracle/oracledb12c/lib"/>
            <envvar name="PATH" value="/apps/oracle/oracledb12c/bin:/usr/sbin:/usr/bin"/>
        </method_environment>
    </method_context>
</exec_method>
<exec_method timeout_seconds="60" type="method" name="stop"
    exec="dbshut /apps/oracle/oracledb12c">
    <method_context>
        <method_credential user="oracle" group="dba"/>
        <method_environment>
            <envvar name="ORACLE_BASE" value="/apps/oracle"/>
            <envvar name="ORACLE_HOME" value="/apps/oracle/oracledb12c"/>
            <envvar name="ORACLE_SID" value="orcl"/>
            <envvar name="LD_LIBRARY_PATH" value="/apps/oracle/oracledb12c/lib"/>
            <envvar name="PATH" value="/apps/oracle/oracledb12c/bin:/usr/sbin:/usr/bin"/>
        </method_environment>
    </method_context>
</exec_method>

We now need to validate the file to make sure that we haven't made any errors.

# svccfg validate oracledb12c.xml
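svccfg validate checks the manifest against the service bundle DTD, but it says nothing about what the methods will run as. The following Python script is an added example (not part of the original lab) that audits a manifest for the points that matter here: each start and stop method must carry a method_credential for a non-root user, no envvar should embed a secret (SMF stores method environments in the repository in clear text, where svcprop can read them), and timeout_seconds should not be 0, which in SMF means wait forever. The two manifests inside it are constructed samples modelled on oracledb12c.xml; the finding texts and the SYS_PASSWORD variable are ours, not anything the lab creates.

```python
"""Audit an SMF manifest for least-privilege method contexts.

Added example, not part of the lab. svccfg validate only checks the DTD; this
checks the security-relevant content of each start/stop exec_method.
"""
import sys
import xml.etree.ElementTree as ET

# Substrings that suggest an environment variable carries a credential.
SECRET_HINTS = ("PASS", "SECRET", "TOKEN", "PRIVATE")


def _manifest(stop_method):
    """Constructed sample modelled on the lab's oracledb12c.xml: the lab's
    start method plus a caller-supplied stop method."""
    return f"""<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<service_bundle type="manifest" name="site/oracledb12c">
  <service version="1" type="service" name="site/oracledb12c">
    <exec_method timeout_seconds="60" type="method" name="start"
        exec="dbstart /apps/oracle/oracledb12c">
      <method_context>
        <method_credential user="oracle" group="dba"/>
        <method_environment>
          <envvar name="ORACLE_HOME" value="/apps/oracle/oracledb12c"/>
          <envvar name="ORACLE_SID" value="orcl"/>
        </method_environment>
      </method_context>
    </exec_method>
{stop_method}
    <instance name="default" enabled="true"/>
  </service>
</service_bundle>
"""


# Stop method as a careless edit might leave it: no method_credential (so it
# runs as root), a password in the environment, and a zero timeout.
SLOPPY_STOP = """    <exec_method timeout_seconds="0" type="method" name="stop"
        exec="dbshut /apps/oracle/oracledb12c">
      <method_context>
        <method_environment>
          <envvar name="SYS_PASSWORD" value="solaris11"/>
        </method_environment>
      </method_context>
    </exec_method>"""

HARDENED_STOP = """    <exec_method timeout_seconds="60" type="method" name="stop"
        exec="dbshut /apps/oracle/oracledb12c">
      <method_context>
        <method_credential user="oracle" group="dba"/>
      </method_context>
    </exec_method>"""

SLOPPY_MANIFEST = _manifest(SLOPPY_STOP)
HARDENED_MANIFEST = _manifest(HARDENED_STOP)


def audit_manifest(xml_text):
    """Return a list of findings for the start and stop methods; an empty
    list means the manifest passes the checks."""
    findings = []
    for method in ET.fromstring(xml_text).iter("exec_method"):
        name = method.get("name")
        if name not in ("start", "stop"):
            continue
        cred = method.find("./method_context/method_credential")
        if cred is None:
            findings.append(f"{name}: no method_credential, method runs as root")
        elif cred.get("user") in (None, "root"):
            findings.append(f"{name}: method_credential runs as root")
        for env in method.iter("envvar"):
            var = env.get("name", "")
            if any(hint in var.upper() for hint in SECRET_HINTS):
                findings.append(f"{name}: envvar {var} looks like a secret")
        if method.get("timeout_seconds", "0") == "0":
            findings.append(f"{name}: timeout_seconds is 0 (no timeout)")
    return findings


if __name__ == "__main__":
    # Usage: python audit_manifest.py oracledb12c.xml (defaults to the sloppy sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SLOPPY_MANIFEST
    problems = audit_manifest(text)
    print("\n".join(problems) or "no findings")
    sys.exit(1 if problems else 0)
```

Run it against the edited manifest before the mv into /lib/svc/manifest/site; a non-zero exit status means a method would run with more privilege, or carry more secrets, than the service needs.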

Finally, let's copy this file over to the site Service Management Facility manifest location and restart the manifest-import service, which imports the new manifest into the repository and, because the instance is enabled in the manifest, starts it:

# mv oracledb12c.xml /lib/svc/manifest/site
# svcadm restart manifest-import

We can check that the service came online by running the following command:

# svcs oracledb12c
STATE          STIME    FMRI
online          6:55:38 svc:/site/oracledb12c:default

Adding the -p option (svcs -p oracledb12c) also lists the processes running under the service's contract, which confirms that the database processes were started by the service rather than by hand. If the service shows maintenance instead of online, svcs -x oracledb12c points at the log file under /var/svc/log to read.

Exercise 6: Ensuring Compliance with Oracle Solaris 11.2

The OpenSCAP security-reporting framework was delivered in Oracle Solaris 11.1. SCAP (Security Content Automation Protocol) is an open standard for configuration management and reporting originally built for the US Department of Defense and the US National Institute of Standards and Technology. While development of the framework was seeded by the public sector, the SCAP ecosystem is rapidly being adopted by most major vendors as a standard way to represent system configuration and security controls.

Oracle Solaris 11.2 wraps OpenSCAP in a convenient new command called compliance(1M). This new compliance command currently has three major options:

  • guide: Create a "step by step" guide that describes how to meet a compliance standard (sometimes called a benchmark).
  • assess: Assess the system against a series of security checks contained in a standard. The assess subcommand outputs an XML file that can be imported into compliance management tools.
  • report: Convert the XML assessment into a human-readable HTML file. The XML-to-HTML conversion is driven by a stylesheet, which can be modified to meet the needs of your organization.

Starting with Oracle Solaris 11.2, three important security/compliance standards are delivered:

  • PCI-DSS: Oracle's mapping of PCI-DSS to system configuration and security controls. This reporting profile was cocreated by the Oracle Solaris engineering team and a leading PCI-DSS QSA (auditor). There are around 200 controls in this standard.
  • Solaris Baseline: This maps to the Oracle Solaris "secure by default" security profile, an "out of the box" security posture that should meet most customers' risk profiles. A freshly installed system should pass this profile.
  • Solaris Recommended: This recommended policy is close to the security posture of the CIS Security Benchmark, which was developed by Oracle for CIS. This recommended benchmark can take longer to run, but it provides more stringent checks and addresses risks not in the baseline standards.

Let's start by running a compliance report on our existing Oracle Database VM instance. We can generate an assessment for the Solaris Baseline posture:

# compliance assess
Assessment will be named 'solaris.Baseline.2014-09-29,14:52'
        Package integrity is verified
        The OS version is current
        Package signature checking is globally activated
        All local filesystems are ZFS
        Address Space Layout Randomization (ASLR) is enabled
        Check all default audit properties

Let's list the benchmarks that are available and the assessments that have been recorded so far:

# compliance list

Now we are ready to generate a report on this assessment.

# compliance report

Let's copy this compliance report output into the document root of Apache so we can view it through a web browser. The report lists exactly which checks the system fails, which is as useful to an attacker as to an auditor, so do this only on a lab system and remove the file afterwards:

# cp /var/share/compliance/assessments/solaris*/report.html /var/apache2/2.2/htdocs/

Now open up a web browser and navigate to http://10.158.56.x/report.html.

Figure 12. Viewing the compliance report in a browser

Now, instead of using Solaris Baseline benchmark, we'll run a report against the PCI-DSS benchmark:

# compliance assess -b pci-dss
Assessment will be named 'pci-dss.Solaris_PCI-DSS.2014-09-29,15:14'

After the initial report has been completed, we can also create a PCI-DSS compliance guide, which is a document that describes Oracle Solaris security controls mapped to PCI-DSS security standards. This document is useful in determining how to configure an Oracle Solaris system or as an artifact for security auditors.

# compliance guide -b pci-dss 
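Reading the assessment XML directly makes compliance part of the image pipeline rather than a manual step. The following Python script is an added example, not part of the lab or of the compliance tool: it parses an XCCDF 1.2 TestResult (the format that compliance assess produces; we assume the file is named results.xccdf.xml inside the assessment directory under /var/share/compliance/assessments), lists the failing rules by severity, and compares two assessments to find regressions, for example Baseline on the golden image versus Baseline on a running clone. The rule identifiers and results embedded in it are constructed samples, not Oracle's real rule names.

```python
"""Gate a build on the XML written by 'compliance assess'.

Added example, not part of the lab or of the compliance(1M) tool. Only the
XCCDF 1.2 namespace and element names are standard; the sample data is made up.
"""
import sys
import xml.etree.ElementTree as ET

XCCDF = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF}
# "error" and "unknown" count as failures: a check that could not run gives
# no evidence that the control is met.
FAILING = {"fail", "error", "unknown"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def _testresult(name, rows):
    """Build a minimal XCCDF 1.2 TestResult from (rule id, severity, result) rows."""
    body = "".join(
        f'<rule-result idref="{rid}" severity="{sev}"><result>{res}</result></rule-result>'
        for rid, sev, res in rows)
    return f'<TestResult xmlns="{XCCDF}" id="xccdf_sample_testresult_{name}">{body}</TestResult>'


# Constructed samples; the rule ids are illustrative, not Oracle's real ones.
GOLDEN_IMAGE = _testresult("golden_image", [
    ("xccdf_sample_rule_pkg_verify", "high", "pass"),
    ("xccdf_sample_rule_aslr_enabled", "medium", "pass"),
    ("xccdf_sample_rule_ssh_root_login", "high", "fail"),
    ("xccdf_sample_rule_ipfilter_enabled", "low", "notselected"),
])
RUNNING_CLONE = _testresult("running_clone", [
    ("xccdf_sample_rule_pkg_verify", "high", "pass"),
    ("xccdf_sample_rule_aslr_enabled", "medium", "fail"),
    ("xccdf_sample_rule_ssh_root_login", "high", "pass"),
    ("xccdf_sample_rule_ipfilter_enabled", "low", "notselected"),
])


def load_results(xml_text):
    """Map rule id -> (result, severity) for every rule-result in the document."""
    results = {}
    for rr in ET.fromstring(xml_text).iterfind(".//x:rule-result", NS):
        res = rr.find("x:result", NS)
        text = res.text.strip() if res is not None and res.text else "unknown"
        results[rr.get("idref")] = (text, rr.get("severity", "unknown"))
    return results


def summary(results):
    """Count of rules per result value."""
    counts = {}
    for res, _ in results.values():
        counts[res] = counts.get(res, 0) + 1
    return counts


def failures(results):
    """(rule id, result, severity) for non-compliant rules, highest severity first."""
    bad = [(rid, res, sev) for rid, (res, sev) in results.items() if res in FAILING]
    return sorted(bad, key=lambda t: (SEVERITY_ORDER.get(t[2], 3), t[0]))


def regressions(before, after):
    """Rules that passed in 'before' but are non-compliant in 'after'."""
    return sorted(rid for rid, (res, _) in after.items()
                  if res in FAILING and before.get(rid, ("", ""))[0] == "pass")


def exit_status(results):
    """1 when any rule is non-compliant, so a pipeline step can fail on it."""
    return 1 if failures(results) else 0


if __name__ == "__main__":
    # Usage: python gate.py results.xccdf.xml [previous_results.xccdf.xml]
    current = load_results(open(sys.argv[1]).read()) if len(sys.argv) > 1 else load_results(RUNNING_CLONE)
    previous = load_results(open(sys.argv[2]).read()) if len(sys.argv) > 2 else load_results(GOLDEN_IMAGE)
    print("summary:", summary(current))
    for rid, res, sev in failures(current):
        print(f"{sev:6} {res:8} {rid}")
    for rid in regressions(previous, current):
        print("regression:", rid)
    sys.exit(exit_status(current))
```

Keeping the XML of each assessment next to the Unified Archive it was taken from gives you the "before" side of the comparison for every clone that is later assessed in production.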

Exercise 7: Creating an Oracle Database Unified Archive

Unified Archives are a new feature added in Oracle Solaris 11.2 that provide system cloning and disaster recovery capabilities. They are the foundation of what is installed when deploying a new VM instance in OpenStack, and they are integrated into the Glance image management service.

Let's start by capturing a Unified Archive of our existing instance.

# archiveadm create myinstance.uar

Now, we need to set some environment variables that identify us to Keystone so that we can upload this archive to Glance.

# export OS_AUTH_URL=http://localhost:5000/v2.0/
# export OS_PASSWORD=glance
# export OS_USERNAME=glance
# export OS_TENANT_NAME=service

After we have set up these environment variables, we can import the Unified Archive into Glance. Note that --is-public true makes the image visible to every project in the cloud. The archive contains the whole zone, including the oracle account's password hash and whatever was left in /export/home/oracle (such as the installation .zip files and the response file), so remove anything you would not want another tenant to have before uploading, or omit --is-public and share the image only with the projects that need it.

# glance image-create --container-format bare --disk-format raw --is-public true \
--name "DB Zone" --property architecture=sparc64 \
--property hypervisor_type=solariszones \
--property vm_mode=solariszones < myinstance.uar 
| Property                   | Value                                |
| Property 'architecture'    | sparc64                              |
| Property 'hypervisor_type' | solariszones                         |
| Property 'vm_mode'         | solariszones                         |
| checksum                   | 336bdfe5f76876fe24907e35479101e7     |
| container_format           | bare                                 |
| created_at                 | 2014-09-11T00:52:14.269232           |
| deleted                    | False                                |
| deleted_at                 | None                                 |
| disk_format                | raw                                  |
| id                         | b42e47ee-d8dc-e50c-d6e0-9206d761ce41 |
| is_public                  | True                                 |
| min_disk                   | 0                                    |
| min_ram                    | 0                                    |
| name                       | DB Zone                              |
| owner                      | f17341f0a2a24ec9ec5f9ca497e8c0cc     |
| protected                  | False                                |
| size                       | 1277245440                           |
| status                     | active                               |
| updated_at                 | 2014-09-11T00:52:42.352947           |

Having uploaded our new image to Glance, we can now deploy it to newly created VM instances. Navigate to the Launch Instances screen in Horizon again, and launch a new instance. Choose DB Zone for Image Name instead of Base Zone, as we did previously.

Exercise 8: Securing Our Virtual Environment

Let's assume that we've run our compliance checks, have an environment that has been approved by our auditors, and have captured it and uploaded it to OpenStack. Oracle Solaris 11 adds the ability to create read-only environments through immutable non-global and global zones. This feature provides a tamper-resistant environment: the system image can be changed only by an administrator with the appropriate privileges, for example through a trusted-path login (zlogin -T), and not by a process running inside the zone, even one running as root.

The degree of read-only protection is chosen with the zone's file-mac-profile property, which has three settings: strict makes the whole file system read-only, so even log data has to be sent off the zone; fixed-configuration keeps the system configuration read-only but lets the zone write runtime data under /var; and flexible-configuration additionally allows changes under /etc and in root's home directory while still protecting the rest of the system image.

To create an immutable zone, we need to create a new flavor in Horizon. Log out of the dba user and log in as admin/secrete. From the OpenStack dashboard (Horizon), navigate to the Admin -> Flavors page. We can either update one of the existing Oracle Solaris flavors or create a new one. Let's create a new one called Immutable Solaris non-global Zone, as shown in Figure 13.

Figure 13. Creating a new flavor

Make sure you use the Flavor Access tab to include the projects that you want to use this flavor.

Then from the More menu in the table, select View Extra Specs.

Figure 14. Using the More menu

This will bring up a screen like the one shown in Figure 15.

Figure 15. Flavor Extra Specs screen

Because we are creating a new flavor from scratch, we have to also set up the type of zone this will be. Select Create and fill in the information shown in Figure 16 to set up a non-global zone:

Figure 16. Setting up the zone

Then do the same again and create a key-value pair for zonecfg:file-mac-profile with the value being flexible-configuration, fixed-configuration (as shown in Figure 17), or strict.

Figure 17. Creating a key-value pair

Now, by creating a new VM instance using this flavor, we can look at the configuration of the non-global zone that has been created, as follows:

# zonecfg -z instance-0000000f info
zonename: instance-0000000f
zonepath: /system/zones/instance-0000000f
brand: solaris
autoboot: false
autoshutdown: shutdown
file-mac-profile: fixed-configuration
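A flavor only requests the profile; what a cloned instance actually got is in its zone configuration. The following Python script is an added example (not part of the lab) that parses zonecfg -z <zone> info output from the global zone and checks each instance against a minimum profile, so you can confirm that every database instance is at least fixed-configuration before handing it to auditors. The first sample output is the lab's own instance-0000000f listing; the other two instance names and their configurations are constructed, and the zonecfg_info helper that runs the live command is ours.

```python
"""Check that instances cloned from the immutable flavor really are immutable.

Added example, not part of the lab. Parses 'zonecfg -z <zone> info' output and
compares the file-mac-profile of each zone with a required minimum.
"""
import subprocess
import sys

# Profiles from weakest to strongest; "none" is an ordinary writable zone.
PROFILE_RANK = {"none": 0, "flexible-configuration": 1,
                "fixed-configuration": 2, "strict": 3}

SAMPLE_OUTPUT = {
    # From the lab's own listing (Exercise 8).
    "instance-0000000f": """zonename: instance-0000000f
zonepath: /system/zones/instance-0000000f
brand: solaris
autoboot: false
autoshutdown: shutdown
file-mac-profile: fixed-configuration
""",
    # Constructed: an ordinary writable zone with a network resource block,
    # whose indented lines must not be mistaken for top-level properties.
    "instance-00000010": """zonename: instance-00000010
zonepath: /system/zones/instance-00000010
brand: solaris
autoboot: false
file-mac-profile: none
anet:
\tlinkname: net0
\tlower-link: auto
""",
    # Constructed: immutable, but with the weakest profile.
    "instance-00000011": """zonename: instance-00000011
zonepath: /system/zones/instance-00000011
brand: solaris
file-mac-profile: flexible-configuration
""",
}


def parse_zonecfg_info(text):
    """Turn 'zonecfg -z <zone> info' output into a dict of top-level properties.
    Indented lines belong to resources such as anet and are skipped."""
    props = {}
    for line in text.splitlines():
        if not line or line[0].isspace():
            continue
        key, sep, value = line.partition(":")
        if sep:
            props[key.strip()] = value.strip()
    return props


def file_mac_profile(props):
    """The zone's profile; a missing or empty property means a writable zone."""
    return props.get("file-mac-profile") or "none"


def meets_minimum(props, minimum="fixed-configuration"):
    if minimum not in PROFILE_RANK:
        raise ValueError(f"unknown profile {minimum!r}")
    return PROFILE_RANK.get(file_mac_profile(props), 0) >= PROFILE_RANK[minimum]


def audit(zone_outputs, minimum="fixed-configuration"):
    """zone name -> zonecfg info text in; sorted (zone, profile) pairs for the
    zones that fall below the minimum out."""
    below = []
    for zone, text in zone_outputs.items():
        props = parse_zonecfg_info(text)
        if not meets_minimum(props, minimum):
            below.append((zone, file_mac_profile(props)))
    return sorted(below)


def zonecfg_info(zone):
    """Live query; works only as root in the Solaris global zone."""
    return subprocess.run(["zonecfg", "-z", zone, "info"],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Usage: python check_immutable.py [zone ...]; with no zones, uses the samples.
    zones = sys.argv[1:]
    outputs = {z: zonecfg_info(z) for z in zones} if zones else SAMPLE_OUTPUT
    offenders = audit(outputs)
    for zone, profile in offenders:
        print(f"{zone}: file-mac-profile is {profile}")
    sys.exit(1 if offenders else 0)
```

Run it from the global zone with the instance names from zoneadm list; a zone that was launched with an ordinary flavor, or whose flavor extra spec was mistyped, shows up as none.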

Congratulations on making it this far and finishing the lab. Thanks again for joining us!

See Also

Also see these additional resources:

About the Author

Glynn Foster is a principal product manager for Oracle Solaris. He is responsible for a number of technology areas including OpenStack, the Oracle Solaris Image Packaging System, installation, and configuration management.

Revision 1.0, 01/14/2015
