by Glynn Foster
Published January 2015
This lab is Part 2 of a two-part series that explores how to deploy an enterprise private cloud using OpenStack. Please complete Part 1, "Deploying an Enterprise Private Cloud with OpenStack in 20 Minutes," before attempting to perform this lab.
This lab describes the tasks that were done during the Oracle OpenWorld 2014 session Hands-On Lab 9822. It will take you through the basics of using OpenStack on Oracle Solaris 11 and installing applications into newly created virtual machine (VM) instances.
OpenStack is a popular open source cloud infrastructure that has been integrated into Oracle Solaris 11.2. OpenStack includes a number of services that help you manage the compute, storage, and network resources in your data center through a central web-based dashboard.
Figure 1. OpenStack dashboard helps you manage resources.
The OpenStack services can be summarized as shown in Table 1:Table 1. OpenStack services
|Neutron||Software-defined networking (SDN)|
|Keystone||Authentication between cloud services|
|Glance||Image management and deployment|
During this lab, we will deploy a new VM instance using OpenStack and install Oracle Database 12c into it. After successfully installing the database and ensuring that it runs correctly, we will create a golden image with which to rapidly clone this environment across the cloud.
In the second half of this lab, we will explore some of the compliance and security features included in Oracle Solaris 11 and demonstrate a typical compliance lifecycle used in the cloud. We will also explore how to lock down VMs from an external attack.
This lab requires the following set up:
solarisand IP address range of 10.158.56.0/21
/root/and an Oracle Database 12c installation response file located at
To start, open a terminal window on the host OS and start an SSH connection with
root/solaris11 as the user/password combination:
# ssh email@example.com Password: Oracle Corporation SunOS 5.11 11.2 June 2014
Before we install Oracle Database, we need to create a VM instance in which to install it.
First, log in to the OpenStack Horizon dashboard by opening a browser and pointing it to the IP address mentioned earlier:
dba/oracledba as the user/password combination to log in.
Figure 2. Dashboard login screen
After you have successfully logged in, navigate to the Access & Security screen, where you can create a new SSH keypair:
Figure 3. Access & Security screen
There are no keypairs currently defined, so click the Import Keypair button to open the Import Keypair screen, which is shown in Figure 4.
In our case, let's use the SSH public key of our global zone. First, run the following command to get the key, and then enter the key into the Public Key field of the Import Keypair screen.
root@solaris:~# cat .ssh/id_rsa.pub ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA0Khp4Th5VcKQW4LttqzKAR8O60gj43cB0CbdpiizEhXEbVgjI7IlnZlo9i SEFpJlnZrFQC8MU2L7Hn+CD5nXLT/uK90eAEVXVqwc4Y7IVbEjrABQyB74sGnJy+SHsCGgetjwVrifR9fkxFHg jxXkOunXrPMe86hDJRpZLJFGYZZezJRtd1eRwVNSHhJdZmUac7cILFJen/wSsM8TOSAkh+ZWEhwY3o08nZg2IW dMImPbwPwtRohJSH3W7XkDE85d7UZebNJpD9kDAw6OmXsY5CLgV6gEoUExZ/J4k29WOrr1XKR3jiRqQlf3Kw4Y uK9JUi/gPhg2lTOhISgJoelorQ== root@solaris
Figure 4. Import Keypair screen
After successfully importing the SSH keypair, let's now create a network for this instance. Choose Networks from the menu to get the following screen:
Figure 5. Networks screen
There are no networks currently defined, so let's create a network. First, click the Create Network button.
Let's create a network called
mynetwork with a subnet called
mysubnet using the 192.168.66.0/24 address range. This means that instances that choose this network will be created within this range starting at 192.168.66.3.
Figure 6. Create Network screen
After we create our network, we should see it listed in the Networks screen:
Figure 7. Networks screen
Now we are ready to launch a new instance. Choose Instances from the menu to get the following screen:
Figure 8. Instances screen
Let's launch a new instance by clicking the Launch Instance button.
We will call our instance
myinstance. We will give it an Oracle Solaris non-global zone flavor called
medium. A flavor represents the size of the resources that we should give this instance. We can see in Figure 9 that we will get a root disk of 10 GB and 2,048 MB of RAM. We will choose to boot this instance from the image we uploaded in Part 1 that's stored in Glance, which is called
Figure 9. Launch Instance screen
When we are happy with the Details tab, we can move onto the Access & Security tab. There, you can see that our keypair has been preselected, so you can immediately move on to the Networking tab. There, select
mynetwork as our network. Then click the Launch button.
Figure 10. Networking tab
After a little bit of time, we can see that our instance has successfully booted. Depending on what you chose for your subnet address space, your instance might have a slightly different IP address.
Figure 11. Screen showing the instance's status is "active"
We are now ready to log in to this instance. In this lab, we took the simple path of just setting up an internal network topology. In a typical cloud environment, we would set up an external network through which VMs could communicate with the outside world. To access these VMs, we will need to access them through the global zone.
root@solaris:~# ssh firstname.lastname@example.org The authenticity of host '192.168.66.3 (192.168.66.3)' can't be established. RSA key fingerprint is 89:64:96:91:67:ab:6b:35:58:37:35:b8:ab:f3:e5:98. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '192.168.66.3' (RSA) to the list of known hosts. Last login: Thu Sep 11 00:33:57 2014 Oracle Corporation SunOS 5.11 11.2 June 2014 root@host-192-168-66-3:~# ipadm NAME CLASS/TYPE STATE UNDER ADDR lo0 loopback ok -- -- lo0/v4 static ok -- 127.0.0.1/8 lo0/v6 static ok -- ::1/128 net0 ip ok -- -- net0/dhcp inherited ok -- 192.168.66.3/24 root@host-192-168-66-3:~# exit logout Connection to 192.168.66.3 closed.
Now that we have successfully provisioned an instance, let's install Oracle Database. There are a number of required prerequisites that we need to meet first in order to install the database, and that's what we'll do in this exercise. In this lab, we will meet the minimum requirements and install the database silently using a response file (as opposed to doing a graphical installation).
Let's start by adding a new user called
oracle and assigning that user two groups:
# useradd -m oracle 80 blocks # groupadd oinstall # groupadd dba # usermod -g oinstall -G dba oracle
Next, we need to set up appropriate resource controls by creating a new project called
user.oracle. In our case, we need to increase the default maximum number of file descriptors a given process can use.
# projadd user.oracle # projmod -U oracle -sK "process.max-file-descriptor=(basic,65536,deny)" user.oracle # projmod -U oracle -sK "project.max-shm-memory=(priv,8589934592,deny)" user.oracle
Let's also ensure that the correct software dependencies are installed. In Oracle Solaris 11.2, a new package called
oracle-rdbms-server-12-1-preinstall was added that provides all the dependent packages that you need for an Oracle Database installation. Let's install this package.
# pkg install oracle-rdbms-server-12-1-preinstall Packages to install: 11 Services to change: 2 Create boot environment: No Create backup boot environment: No DOWNLOAD PKGS FILES XFER (MB) SPEED Completed 11/11 254/254 5.0/5.0 0B/s PHASE ITEMS Installing new actions 644/644 Updating package state database Done Updating package cache 0/0 Updating image state Done Creating fast lookup database Done Updating package cache 1/1
Our next step is to create a location in which we will install Oracle Database. For convenience, we will install to the existing ZFS root pool, but we will create a new dataset for this.
# zfs create rpool/apps # zfs set mountpoint=/apps rpool/apps # zfs list rpool/apps NAME USED AVAIL REFER MOUNTPOINT rpool/apps 31K 31.4G 31K /apps
Also, let's initially create an
oracle subdirectory and ensure that the
oracle user has the appropriate privileges.
# mkdir /apps/oracle # chown -R oracle:dba /apps
Finally, let's set the password of the oracle user to
solaris11 and log in to the account.
# passwd oracle # su - oracle
The first thing we need to do is download the Oracle Database installation files. After accepting the license agreement on the Oracle Database Software Downloads page, download to a writable location (for example, to
$HOME of the
oracle user or to a
/tmp directory) the
.zip files that are appropriate for your architecture.
Once the files have been downloaded, unpack the
$ scp email@example.com:/files/* . $ unzip '*.zip' $ cd database
We will use a response file to silently install the database. For this installation, we will be installing the Enterprise Edition with a database-only installation (as opposed to a database installation and configuration). Create a
db_install.rsp response file with the following contents:
oracle.install.responseFileVersion=/oracle/install/rspfmt_dbinstall_response_schema_v12.1.0 oracle.install.option=INSTALL_DB_SWONLY ORACLE_HOSTNAME=solaris UNIX_GROUP_NAME=oinstall INVENTORY_LOCATION=/apps/oraInventory SELECTED_LANGUAGES=en ORACLE_HOME=/apps/oracle/oracledb12c ORACLE_BASE=/apps/oracle oracle.install.db.InstallEdition=EE oracle.install.db.DBA_GROUP=dba oracle.install.db.BACKUPDBA_GROUP=dba oracle.install.db.DGDBA_GROUP=dba oracle.install.db.KMDBA_GROUP=dba SECURITY_UPDATES_VIA_MYORACLESUPPORT=false DECLINE_SECURITY_UPDATES=true oracle.installer.autoupdates.option=SKIP_UPDATES
This response file can be tailored for your own environment, as required.
Now we are ready to run the Oracle Database installer.
$ ./runInstaller -silent -responseFile /export/home/oracle/db_install.rsp Starting Oracle Universal Installer... Checking Temp space: must be greater than 180 MB. Actual 796 MB Passed Checking swap space: must be greater than 150 MB. Actual 1749 MB Passed [WARNING] [INS-13014] Target environment does not meet some optional requirements. CAUSE: Some of the optional prerequisites are not met. See logs for details. /tmp/OraInstall2014-09-28_02-25-07PM/installActions2014-09-28_02-25-07PM.log ACTION: Identify the list of failed prerequisite checks from the log: /tmp/OraInstall2014-09-28_02-25-07PM/installActions2014-09-28_02-25-07PM.log. Then either from the log file or from installation manual find the appropriate configuration to meet the prerequisites and fix it manually. You can find the log of this install session at: /apps/oraInventory/logs/installActions2014-09-28_02-25-07PM.log
The installer will run through a long list of checks to ensure the environment meets the requirements before installing Oracle Database. Some of the optional requirements might fail; do not worry about this—if you wait a few minutes, the installation should succeed. You can always check the contents of
/apps/oraInventory/logs/installActions*.log to ensure that Oracle Database has been successfully installed:
The installation of Oracle Database 12c was successful. Please check '/apps/oraInventory/logs/silentInstall2014-09-28_02-25-07PM.log' for more details. As a root user, execute the following script(s): 1. /apps/oraInventory/orainstRoot.sh 2. /apps/oracle/oracledb12c/root.sh Successfully Setup Software.
After the installation has finished, we need to quickly run a few scripts as the
root account, as suggested by the installer, and then log back in to the
oracle account again.
$ logout # /apps/oracle/oraInventory/orainstRoot.sh Changing permissions of /apps/oracle/oraInventory. Adding read,write permissions for group. Removing read,write,execute permissions for world. Changing groupname of /apps/oracle/oraInventory to oinstall. The execution of the script is complete. # /apps/oracle/oracledb12c/root.sh Check /apps/oracle/oracledb12c/install/root_solaris_2014-09-28_14-51-55.log for the output of root script # su - oracle
Let's check to see that Oracle Database was installed by testing it, and then set up a default environment that we can use for this database. First, set up the following environmental variables:
$ export ORACLE_BASE=/apps/oracle $ export ORACLE_HOME=/apps/oracle/oracledb12c $ export ORACLE_SID=orcl $ export LD_LIBRARY_PATH=/apps/oracle/oracledb12c/lib $ export PATH=/apps/oracle/oracledb12c/bin:$PATH
Let's also associate the site identifier (
ORACLE_SID) with the database home (
ORACLE_HOME) by updating the
/var/opt/oracle/oratab file to add the following line:
Let's also create an initialization parameter file for
ORACLE_SID by creating it at
/apps/oracle/oracledb12c/dbs/initorcl.ora with the following contents:
Now we can check to see if our Oracle Database instance is working by starting it and running a few SQL*Plus commands:
$ dbstart /apps/oracle/oracledb12c Processing Database instance "orcl": log file /apps/oracle/oracledb12c/startup.log $ sqlplus /nolog SQL*Plus: Release 188.8.131.52.0 Production on Sun Sep 28 16:43:38 2014 Copyright (c) 1982, 2014, Oracle. All rights reserved. SQL> connect / as sysdba Connected. SQL> create database orcl; Database created. SQL> connect orcl as sysdba; Enter password: solaris11 Connected. SQL> create table participants( 2 first_name varchar2(25) not null, 3 last_name varchar2(25) not null); Table created. SQL> describe participants; Name Null? Type ----------------------------------------- -------- ---------------------------- FIRST_NAME NOT NULL VARCHAR2(25) LAST_NAME NOT NULL VARCHAR2(25) SQL> exit Disconnected from Oracle Database 12c Enterprise Edition Release 184.108.40.206.0 - 64bit Production With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options
Now that we have seen that it works, let's stop the database instance.
$ dbshut /apps/oracle/oracle12c
It would be nice if the golden image that we're creating for OpenStack could automatically start Oracle Database upon first boot. To achieve this, we will integrate it with the Oracle Solaris Service Management Facility, which manages system services on Oracle Solaris 11 and provides high availability in the event of a software or hardware failure.
The first thing we'll do is to create a Service Management Facility manifest. This is a description of the service, and how it should be started or stopped. Oracle Solaris 11 provides a convenient way to create this manifest in its simplest form by using the
svcbundle command. Let's run that command and provide start and stop methods, as follows:
# svcbundle -s service-name=site/oracledb12c \ -s start-method="dbstart /apps/oracle/oracledb12c" \ -s stop-method="dbshut /apps/oracle/oracledb12c" -o oracledb12c.xml
This will output a file called
oracledb12c.xml with a basic template that we can add to manually, if desired. In our case, we want to modify it slightly to ensure that the oracle user runs the database and to set the appropriate environmental variables. To do this, we need to add a method context to each
exec_method for start and stop.
oracledb12c.xml and find the
<exec_method> XML tag. Modify it to use the following instead:
<exec_method timeout_seconds="60" type="method" name="start" exec="dbstart /apps/oracle/oracledbc12c"> <method_context> <method_credential user="oracle" group="dba"/> <method_environment> <envvar name="ORACLE_BASE" value="/apps/oracle"/> <envvar name="ORACLE_HOME" value="/apps/oracle/oracledb12c"/> <envvar name="ORACLE_SID" value="orcl"/> <envvar name="LD_LIBRARY_PATH" value="/apps/oracle/oracledb12c/lib"/> <envvar name="PATH" value="/apps/oracle/oracledb12c/bin"/> </method_environment> </method_context> </exec_method> <exec_method timeout_seconds="60" type="method" name="stop" exec="dbshut /apps/oracle/oracledb12c"> <method_context> <method_credential user="oracle" group="dba"/> <method_environment> <envvar name="ORACLE_BASE" value="/apps/oracle"/> <envvar name="ORACLE_HOME" value="/apps/oracle/oracledb12c"/> <envvar name="ORACLE_SID" value="orcl"/> <envvar name="LD_LIBRARY_PATH" value="/apps/oracle/oracledb12c/lib"/> <envvar name="PATH" value="/apps/oracle/oracledb12c/bin"/> </method_environment> </method_context> </exec_method>
We now need to validate the file to make sure that we haven't made any errors.
# svccfg validate oracledb12c.xml
Finally, let's copy this file over to the site Service Management Facility manifest location and restart the
# mv oracledb12c.xml /lib/svc/manifest/site # svcadm restart manifest-import STATE STIME FMRI online 6:55:38 svc:/site/oracledb12c:default
We can check to see whether the Oracle Database is running by running the following command:
# svcs oracledb12c
A listing of the running processes confirms that it is running.
The OpenSCAP security-reporting framework was delivered in Oracle Solaris 11.1. SCAP (Secure Content Automation Protocol) is an open standard for configuration management and reporting originally built for the US Department of Defense and US National Institute of Standards and Technology. While development of the framework was seeded by the public sector, the SCAP ecosystem is rapidity being adopted by most major vendors as a standard way to represent system configuration and security controls.
Oracle Solaris 11.2 wraps OpenSCAP in a convenient new command called
compliance(1M). This new compliance command currently has three major options:
guide: Create a "step by step" guide that describes how to meet a compliance standard (sometimes called a benchmark).
assess: Assess the system against a series of security checks contained in a standard. The
assesssubcommand outputs an XML file that can be imported into compliance management tools.
report: Convert the XML assessment into a human-readable HTML file. This XML-to-HTML file is an XML translation and can be modified to meet the needs of your organization.
Starting with Oracle Solaris 11.2, three important security/compliance standards are delivered:
Let's start by running a compliance report on our existing Oracle Database VM instance. We can generate an assessment for the Solaris Baseline posture:
# compliance assess Assessment will be named 'solaris.Baseline.2014-09-29,14:52' Package integrity is verified Test_1.1 fail The OS version is current Test_1.2 fail Package signature checking is globally activated Test_1.3 pass All local filesystems are ZFS Test_2.1 pass Address Space Layout Randomization (ASLR) is enabled Test_6.6 pass Check all default audit properties Test_7.1 pass
Let's take a look at what the compliance command reports:
# compliance list Benchmarks: pci-dss solaris Assessments: solaris.Baseline.2014-09-29,14:52
Now we are ready to generate a report on this assessment.
# compliance report /var/share/compliance/assessments/solaris.Baseline.2014-09-29,14:52/report.html
Let's copy this compliance report output into the document root of Apache so we can view it through a web browser:
# cp /var/share/compliance/assessments/solaris*/report.html /var/apache2/2.2/htdocs/
Now open up a web browser and navigate to
Figure 12. Viewing the compliance report in a browser
Now, instead of using Solaris Baseline benchmark, we'll run a report against the PCI-DSS benchmark:
# compliance assess -b pci-dss Assessment will be named 'pci-dss.Solaris_PCI-DSS.2014-09-29,15:14' ...
After the initial report has been completed, we can also create a PCI-DSS compliance guide, which is a document that describes Oracle Solaris security controls mapped to PCI-DSS security standards. This document is useful in determining how to configure an Oracle Solaris system or as an artifact for security auditors.
# compliance guide -b pci-dss /var/share/compliance/guides/pci-dss.html
Unified Archives are a new feature added in Oracle Solaris 11.2 that provide system cloning and disaster recovery capabilities. They are the foundation of what is installed when deploying a new VM instance in OpenStack, and they are integrated into the Glance image management service.
Let's start by capturing a Unified Archive of our existing instance.
# archiveadm create myinstance.uar
Now, we need to set some environmental variables so that we can upload this archive to Glance.
# export OS_AUTH_URL=http://localhost:5000/v2.0/ # export OS_PASSWORD=glance # export OS_USERNAME=glance # export OS_TENANT_NAME=service
After we have set up these environmental variables, we can import the Unified Archive into Glance.
# glance image-create --container-format bare --disk-format raw --is-public true \ --name "DB Zone" --property architecture=sparc64 \ --property hypervisor_type=solariszones \ --property vm_mode=solariszones < myinstance.uar +----------------------------+--------------------------------------+ | Property | Value | +----------------------------+--------------------------------------+ | Property 'architecture' | sparc64 | | Property 'hypervisor_type' | solariszones | | Property 'vm_mode' | solariszones | | checksum | 336bdfe5f76876fe24907e35479101e7 | | container_format | bare | | created_at | 2014-09-11T00:52:14.269232 | | deleted | False | | deleted_at | None | | disk_format | raw | | id | b42e47ee-d8dc-e50c-d6e0-9206d761ce41 | | is_public | True | | min_disk | 0 | | min_ram | 0 | | name | DB Zone | | owner | f17341f0a2a24ec9ec5f9ca497e8c0cc | | protected | False | | size | 1277245440 | | status | active | | updated_at | 2014-09-11T00:52:42.352947 | +----------------------------+--------------------------------------+
Having uploaded our new image to Glance, we can now deploy it to newly created VM instances. Navigate to the Launch Instances screen in Horizon again, and launch a new instance. Choose
DB Zone for Image Name instead of
Base Zone, as we did previously.
Let's assume that we've run our compliance checks and have an environment that has been approved by our auditors, and we have captured it and uploaded to OpenStack. In Oracle Solaris 11, the ability was added to create read-only environments through immutable non-global and global zones. This is a feature that provides a tamper-proof environment that can changed only with security privileges.
There are a number of different options in terms of read-only capability: We can lock down everything, we can fix only the configuration of a particular system, or we can have a flexible configuration with some constraints.
To create an immutable zone, we need to create a new flavor in Horizon. Log out of the
dba user and log in as
admin/secrete. From the OpenStack dashboard (Horizon), navigate to the Admin-> Flavor page. We can either update an existing one of the Oracle Solaris flavors or create a new one. Let's create a new one called
Immutable Solaris non-global Zone, as shown in Figure 13.
Figure 13. Creating a new flavor
Make sure you use the Flavor Access tab to include the projects that you want to use this flavor.
Then from the More menu in the table, select View Extra Specs.
Figure 14. Using the More menu
This will bring up a screen like the one shown in Figure 15.
Figure 15. Flavor Extra Specs screen
Because we are creating a new flavor from scratch, we have to also set up the type of zone this will be. Select Create and fill in the information shown in Figure 16 to set up a non-global zone:
Figure 16. Setting up the zone
Then do the same again and create a key-value pair for
zonecfg:file-mac-profile with the value being
fixed-configuration (as shown in Figure 17), or
Figure 17. Creating a key-value pair
Now, by creating a new VM instance using this flavor, we can look at the configuration of the non-global zone that has been created, as follows:
# zonecfg -z instance-0000000f info zonename: instance-0000000f zonepath: /system/zones/instance-0000000f brand: solaris autoboot: false autoshutdown: shutdown bootargs: file-mac-profile: fixed-configuration ...
Congratulations on making it this far and finishing the lab. Thanks again for joining us!
Also see these additional resources:
Glynn Foster is a principal product manager for Oracle Solaris. He is responsible for a number of technology areas including OpenStack, the Oracle Solaris Image Packaging System, installation, and configuration management.
|Revision 1.0, 01/14/2015|