Tuesday, January 29, 2008

How to Configure Solaris 10 Project Resource Controls for Oracle

Technorati Tags: oracle,solaris,howto,installation,install,resourcecontrols

This is not an all-inclusive installation guide – Oracle already has written that

Oracle® Database Installation Guide 10g Release 2 (10.2) for Solaris Operating System (SPARC 64-Bit) HTML

Oracle® Database Installation Guide 10g Release 2 (10.2) for Solaris Operating System (x86) HTML

Oracle® Database Installation Guide 10g Release 2 (10.2) for Solaris Operating System (x86-64) HTML

Rather this is to supplement Chapter 2, Preinstallation Tasks. Sections 2.54 – 2.6 inclusive. Oracle forgot to add, and continues to forget, the details on creating a project for Oracle and configuring resource controls for that project.

So, picking up from where you create the Oracle Inventory group, oinstall, and the database administrator group, dba. ( # groupadd oinstall # groupadd dba):

1.   Configure Kernel Parameters and Resource Controls

From the Oracle installation guide it is not clear which kernel parameters are supposed to use the new Solaris 10 resource control facility, and those which are to use the the /etc/system file.

The following table is ripped from the 10.2 installation guide and as it says in the doco, the kernel parameter and shell limit values shown in the following section are recommended values only.

For production database systems, Oracle recommends that you tune these values to optimize the performance of the system.

Refer to your operating system documentation for more information about tuning kernel parameters blah blah blah.

The table contains the four resource controls that replace the old entries in the /etc/system file for a specific kernel parameter. Note that the /etc/system file is still used for the parameters listed with an ‘NA’ in the Resource Control Column.

Kernel Parameter

Resource Control

Recommended Value




























I’ll ignore the kernel parameters in /etc/system – that’s documented already. Let’s take a look at the resource control settings instead. Much more interesting.

Before we start setting resource values, we first need to create a project for the Oracle installation:

1.1.   Create the group.dba project for Oracle

# projadd group.dba<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" />

You should now see the project listed by the projects command and in /etc/project

bash-3.00# projects -l group.dba


        projid : 100

        comment: ""

        users  : (none)

        groups : (none)


bash-3.00# cat /etc/project







Assuming all looks good, then proceed…

1.2.   Configure group.dba project Resource Controls

projmod -sK "project.max-shm-memory=(privileged,2G,deny)" group.dba

projmod -sK "project.max-sem-ids=(privileged,100,deny)" group.dba

projmod -sK "project.max-shm-ids=(privileged,100,deny)" group.dba

projmod -sK "project.max-sem-nsems=(privileged,256,deny)" group.dba


Just to check (for fun):

bash-3.00# projects -l group.dba


        projid : 100

        comment: ""

        users  : (none)

        groups : (none)

        attribs: project.max-sem-ids=(privileged,100,deny)





BTW, don’t use the prctl command to change the values (as shown in part of the installation guide) as the changed parameters do not persist after a system restart (as it says later in the installation guide after you have already followed their example and used prctl). Use projmod

1.3.   Create, or update oracle user with default project group.dba

1.3.1.          Create the Oracle user account, oracle, group.dba as default project

# useradd -g oinstall -G dba -m -d /export/home0/oracle -s /bin/bash -K project=group.dba oracle

Set the password of the oracle user:

# passwd -r files oracle

What’s with this –K value? From the sun man page doco:

-K key=value

Replace existing or add to a user's key=value pair attributes. Multiple -K options can be used to replace or add multiple key=value pairs. The generic -K option with the appropriate key can be used instead of the specific implied key options (-A, -P, -R, -p). See user_attr(4) for a list of valid key=value pairs. Values for these keys are usually found in man pages or other sources related to those keys. For example, see project(4) for guidance on values for the project key. Use the command ppriv(1) with the -v and -l options for a list of values for the keys defaultpriv and limitpriv.

Keys must not be repeated. Specifying a key= without a value removes an existing key=value pair.

The type key must be specified only without a value or with the role value. Specifying the type key without a value leaves the account as a normal user, with the role value changing from a normal user to a role user. As a role account, no roles (-R or roles=value) can be present.

Address : http://docs.sun.com/app/docs/doc/816-5166/6mbb1kqjj?a=view

See user_attr(4) for a list of valid key=value pairs


1.3.2.          Update an existing oracle user default project to group.dba

There is an algorithm Solaris uses to determine the default project:

Determining a User's Default Project

To log in to the system, a user must be assigned a default project. A user is automatically a member of that default project, even if the user is not in the user or group list specified in that project.

Because each process on the system possesses project membership, an algorithm to assign a default project to the login or other initial process is necessary.

The algorithm is documented in the man page getprojent(3C).

The system follows ordered steps to determine the default project. If no default project is found, the user's login, or request to start a process, is denied.

The system sequentially follows these steps to determine a user's default project:

1. If the user has an entry with a project attribute defined in the /etc/user_attr extended user attributes database, then the value of the project attribute is the default project. See the user_attr(4) man page.

2. If a project with the name user.user-id is present in the project database, then that project is the default project. See the project(4) man page for more information.

3. If a project with the name group.group-name is present in the project database, where group-name is the name of the default group for the user, as specified in the passwd file, then that project is the default project. For information on the passwd file, see the passwd(4) man page.

4. If the special project default is present in the project database, then that project is the default project.

If you have already created the Oracle user you may find that while oracle is a member of the project, it’s default project is not group.dba.

You can use the usermod command to assign Oracle to the project.

# usermod -K project=group.dba oracle

You should now see in the /etc/user_attr file an entry for Oracle.

bash-3.00# cat /etc/user_attr


# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.

# Use is subject to license terms.


# /etc/user_attr


# execution attributes for profiles. see user_attr(4)


#ident  "@(#)user_attr  1.1     07/01/31 SMI"



adm::::profiles=Log Management

lp::::profiles=Printer Management

postgres::::type=role;profiles=Postgres Administration,All

root::::auths=solaris.*,solaris.grant;profiles=Web Console Management,All;lock_after_retries=no

oracle::::type=normal;project=group.dba<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" />


Oracle’s default project according to the default project algorithm should now be group.dba

bash-3.00# su - oracle

Sun Microsystems Inc.   SunOS 5.10      Generic January 2005

<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /> 

-bash-3.00$ id -p

uid=101(oracle) gid=102(oinstall) projid=100(group.dba)



2.   Final Note and References

That should be enough to get you going – you can continue on with the Oracle installation guide 2.7 Identifying Required Software Directories.

For further details see Solaris 10 Reference Manual Collection,

man pages section 5: Standards, Environments, and Macros, resource_controls(5)



For other values that can be assigned to a project, see:

project(4) and man pages section 5: Standards, Environments, and Macros: resource_controls(5)



Solaris Containers-Resource Management and Solaris Zones: "Setting Resource Controls"



Solaris Containers-Resource Management and Solaris Zones, "Projects and Tasks (Overview)"



Details on the /etc/project file:

man pages section 4: File Formats: project(4)



1.4.   Commands Used With Projects and Tasks

The commands that are shown in the following table provide the primary administrative interface to the project and task facilities.

Man Page Reference



Displays project memberships for users. Lists projects from project database. Prints information on given projects. If no project names are supplied, information is displayed for all projects. Use the projects command with the -l option to print verbose output.


Executes the user's default shell or specified command, placing the execution command in a new task that is owned by the specified project. newtask can also be used to change the task and the project binding for a running process. Use with the -F option to create a finalized task.


Updates information in the password files. Use with the -K key=value option to add to user attributes or replace user attributes in local files.


Adds a new project entry to the /etc/project file. The projadd command creates a project entry only on the local system. projadd cannot change information that is supplied by the network naming service. Can be used to edit project files other than the default file, /etc/project. Provides syntax checking for project file. Validates and edits project attributes. Supports scaled values.


Modifies information for a project on the local system. projmod cannot change information that is supplied by the network naming service. However, the command does verify the uniqueness of the project name and project ID against the external naming service. Can be used to edit project files other than the default file, /etc/project. Provides syntax checking for project file. Validates and edits project attributes. Can be used to add a new attribute, add values to an attribute, or remove an attribute. Supports scaled values.


Deletes a project from the local system. projdel cannot change information that is supplied by the network naming service.


Adds default project definitions to the local files. Use with the -K key=value option to add or replace user attributes.


Deletes a user's account from the local file.


Modifies a user's login information on the system. Use with the -K key=value option to add or replace user attributes.


Friday, January 18, 2008

Obtaining the database version within SQL or PL/SQL

How do you get the version of the database you are connected to within a PL/SQL session?

Short answer

With the DBMS_UTILITY.DB_VERSION procedure, which returns database version information.

Long answer

This question caused me a bit of grief.

I had been writing a procedure to drop a users objects, so that developers could just clean out everything owned by a user without doing DROP USER and CREATE USER. After all, who wants to give developers the DROP USER privilege? Anyway, after spending a while sidetracked with SYS_CONTEXT function and the USERENV context, which would seem to be the logical place to find the database version detail, I eventually stumbled on to DBMS_UTILITY.DB_VERSION.

The following simple example program in PL/SQL demonstrates how to get the database version using PL/SQL.

using DBMS_UTILITY.DB_VERSION shows how the version and compatibility can be found.


l_version VARCHAR2(100);
l_compatibility VARCHAR2(100);
DBMS_UTILITY.db_version (version => l_version,
compatibility => l_compatibility);
DBMS_OUTPUT.put_line('Version: ' || l_version || ' Compatibility: ' || l_compatibility);

anonymous block completed

Version:  Compatibility: 8.1.7

Wednesday, January 9, 2008

How to run Oracle Windows services in a multi-home environment PROPERLY.

By default Oracle installs all windows products using a local administrator account. Any Oracle services are setup to run as LOCAL SYSTEM, and all path entries are added to the SYSTEM PATH. This means that the last Oracle product that gets installed is first in the system PATH.

You can change the order the homes appear in the path, and if some homes are even in the path by manually running the Oracle Installer after the last installation, and using the path options in the Installed Products section.

This is fine for a single Oracle home, but completely HOPELESS in a multi-home environment.

The Oracle binaries in different homes, and services, should run as different windows users – each home should have its own user, each with local Administrator privilege.

Each user then has the PATH (and possibly other environment variables like JRE_HOME or PERL5LIB) crafted specifically for the product in that home.

Services that are based in that home should run as that Oracle Home user.

Basically, treat the products as if they are running in a UNIX environment J

There are numerous benefits such as

1. Products using the correct support libraries, java, perl

2. LOCAL SYSTEM does not have certain network privileges, which prevents Oracle from using UNC path names. Running as an OS user allows RMAN and other processes to use UNC path names to connect to file systems on other servers

So, after installing a product, remove the oracle entries from the SYSTEM PATH, and add them to the USER PATH for the OS user that has been created to run the products in that Oracle Home.

The only variable that may make sense to leave in the system path is invPtr which point to the Oracle Installer inventory location.

With a shared inventory, you should use the latest version of the installer installed on the server. Of course you could go one step further and run multiple product inventories, and add invPtr as user-level environment variable, with invPtr pointing to the appropriate inventory.

When running services with local user accounts, grant the following local security policies, to the user. Use the Local Security Policy Manager in the Control Panel, administrative tools, or run: %SystemRoot%\system32\secpol.msc /s

In "User Rights Assignment" add the OS users to the following rights groups:

"logon as batch job"

"Run as a service"

"Replace a Process Level Token"

Follow up: There is a good discussion about this here: dizwells "NFS for Windows" post.