IWR - CERN Indico

Werbung
Forschungszentrum Karlsruhe
in der Helmholtz-Gemeinschaft
Oracle Network Configuration
Dr. Doris Wochele (Karlsruhe)
LCG 3D Database Administrator Workshop
Thursday 23 March 2006
Rutherford Appleton Laboratory / UK
Institut für Wissenschaftliches Rechnen
IWR
Ideen
werden
Realität
Presentation Overview












23.3.2006
Recapitulation Oracle NET architecture
Naming Methods
The Listener
Get connected ..
Listener Control Utility
init-Parameter, sqlnet.ora, tnsnames.ora
Failover and Load Balancing
Connection Manager and Directory Server Concepts
Troubleshooting, Trace and Logging
Security
Client Types
Easy Connect
D.Wochele
IWR
Ideen
werde
nRealität
Oracle Net Architecture
Oracle Net
► is NO transport protocol
► is a software component between server and client
► is using a network protocol (TCP/IP)
The Application can be
► oracle client
► JDBC OCI Client with oracle client
► JDBC Thin Client without oracle client
23.3.2006
D.Wochele
IWR
Ideen
werde
nRealität
Naming Methods
► Oracle Names  no longer supported
► Local Naming
– define DB-connection in local files (sqlnet.ora, tnsnames.ora) on DB and every
client
► Directory Naming
– Set up a central LDAP Server to store all connection information
► Easy Connect Naming
– Identify the DB-connection completely in the connection-string
► External Naming
– NIS-Service or DCE Environment -> who is using this?
Tools
► Oracle Net Manager
– configure naming method, profiles, listeners
– $ORACLE_HOME/bin/netmgr
► Oracle Net Configuration Assistant
– $ORACLE_HOME/bin/netca
– basic tool, runs after installation
► Virtual IP Configuration Assistant
–
–
23.3.2006
CRS tool runs under root
map virtual IP to nodes
D.Wochele
IWR
Ideen
werde
nRealität
The Listener
Listener Details
► Control utility to start/stop and configure the listener
$ORACLE_HOME/bin/lsnrctl
► Configuration file for listener
$ORACLE_HOME/network/admin/listener.ora
► Server listener process. Read the configuration file “listener.ora” for information's
as port numbers or SID’s
$ORACLE_HOME/bin/tnslsnr
Listener Modes
► Database
Access to a database service
► Executable
Access to operation system executables (used by oracle)
► PLSExtProc Method of PL/SQL packages to access operating system
executables
SID_LIST_LISTENER_RACLINUX1 =
Question: Are external procedures necessary?
(SID_LIST =
Can we delete this entries?
(SID_DESC =
(SID_NAME = PLSExtProc)
(ORACLE_HOME = /u01/app/oracle/product/10.2.0/db_1)
(PROGRAM = extproc)
)
Ideen
werde
)
IWR nRealität
23.3.2006
D.Wochele
listener.ora
Is a local DB-Configuration file for...
► connection protocol addresses
► (static defined) services to listen for
► control parameters
► to name the listeners
(in RAC: listener_name_nodename)
Question: Do we need this for OEM?
Some Parameters
► LOG_DIRECTORY_listener_name (FILE)
► TRACE_LEVEL_listener_name (DIRECTORY,FILE,..)
► QUEUESIZE (Number of concurrent requests default=5)
► RECV_BUF_SIZE
Port Numbers
► 1521
► 1522-1540
► 1630,[1830]
► 2483,[2484]
23.3.2006
older oracle standard port
used for listeners
default for connection manager, [cman-admin]
official registered for TNS listener, [with SSL]
D.Wochele
IWR
Ideen
werde
nRealität
Example listener.ora
LISTENER_RACLINUX1 =
(DESCRIPTION_LIST =
(DESCRIPTION =
(ADDRESS_LIST =
(ADDRESS = (PROTOCOL = TCP)(HOST = raclinux1-vip.us.oracle.com)(PORT = 1521)))
(ADDRESS_LIST =
(ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.203.11)(PORT = 1521))
)
)
)
LISTENER2_RACLINUX1 =
(DESCRIPTION_LIST =
(DESCRIPTION =
(ADDRESS_LIST =
(ADDRESS = (PROTOCOL = TCP)(HOST = raclinux1-vip.us.oracle.com)(PORT = 1522))
)
(ADDRESS_LIST =
(ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.203.11)(PORT = 1522))
)
)
)
Example: 2 instances, each with 1 listener on different ports on a single server
23.3.2006
D.Wochele
IWR
Ideen
werde
nRealität
Get Connected with Listener
is a process on DB-Server to handle connections
DB-registration (pmon registers himself to the listerers )
►
►
►
►
►
►
►
►
read init-parameter
looks for TNS_ADMIN variable or looks in $ORACLE_HOME/network/admin
read sqlnet.ora to detect profile settings
uses local tnsnames.ora to detect listeners
read cman.ora if existent
tries to register DB-Services to the LISTENERS
or/and tries to register on Connection Manager for a service
default registers to Port 1521 or default „LISTENER“
Client connection
►
►
►
►
client looks for connection parameter in local tnsnames.ora (or EZconnect)
client broadcasts a request for connection to a service
listener brokers the request and forwards it to the database
listener starts server-process and delivers the address (or the address of
the dispatcher) to the client
23.3.2006
D.Wochele
IWR
Ideen
werde
nRealität
Listener Control Utility
►
►
►
►
$ORACLE_HOME/bin/lsnrctl
lsnrctl STOP [ listener_name]
lsnrctl START [ listener_name]
lsnrctl STATUS [ listener_name]
– is it started?
– where is the log or trace file?
► lsnrctl SERVICES
– what services are up/used?
– Is the load balanced ?
23.3.2006
D.Wochele
IWR
Ideen
werde
nRealität
INIT Parameter
► SERVICE_NAMES
– list of possible client connection names
– default is global_dbname (DB_NAME+DB_DOMAIN)
Question: should we predefined common service names like atlas_geom,
atlas_calib?
► INSTANCE_NAME (= SID)
– set to identify the database instance to access.
– used by OEM or in administrative tools
► LOCAL_LISTENER
– identifies the listener for the local server instances for pmon register
process
– not necessary if Port 1521 is used (?) - i suggest to set it anyway!
► REMOTE_LISTENER
– identifies listeners on other instances (node 2 of RAC) for pmon
registration
– identifies global list of listeners
– needed to ensure failover
23.3.2006
D.Wochele
IWR
Ideen
werde
nRealität
sqlnet.ora
Is a profile for...
► default domain to append to unqualified service names or net service names
► order of naming methods
► logging, tracing, routing
► security, access control
Example: NAMES.DIRECTORY_PATH= (TNSNAMES)
Parameter (can mostly be overwritten by client)
► SEND_BUF_SIZE, RECV_BUF_SIZE
– default 16k
– buffer size <Byte> = (network bandwidth <bit/sec> / 8) x (roundtrip time <msec> /
1000)
use an average „ping time“ as roundtrip time
– set in sqlnet.ora for all connections
– mostly only the receive buffer is set in the client connection string
► SQLNET.SEND_TIMEOUT
–
limits the send-data-process from db
► SQLNET.RECV_TIMEOUT
–
limits the send-data-process from client
► USE_DEDICATED_SERVER
–
23.3.2006
appends (SERVER=dedicated) to the connect data for a connect descriptor.
D.Wochele
IWR
Ideen
werde
nRealität
tnsnames.ora
Is a local connection-configuration file
► contains net service names mapped to connect descriptors
net_service_name=
(DESCRIPTION=
(ADDRESS=( protocol_address_information))
(CONNECT_DATA=
(SERVICE_NAME=service_name)))
some parameters
► SERVER=DEDICATED vs.SHARED
– as streams-user or admin use only DEDICATED
– as a short-time connection (like a web server) use SHARED.
– be sure not to use SHARED for fast sequences of SQL‘s
Question: What are the requirements of the experiment services?
► Use explicit service_name
(do not use GLOBAL_DBNAME) in RAC
23.3.2006
D.Wochele
IWR
Ideen
werde
nRealität
Example Server tnsnames.ora – Listeners
LISTENER_RACDB1 =
(ADDRESS_LIST =
(ADDRESS = (PROTOCOL = TCP)(HOST = raclinux1-vip.us.oracle.com)(PORT = 1521))
(ADDRESS = (PROTOCOL = TCP)(HOST = raclinux1-vip.us.oracle.com)(PORT = 1522))
)
LISTENER_RACDB2 =
(ADDRESS_LIST =
(ADDRESS = (PROTOCOL = TCP)(HOST = raclinux1-vip.us.oracle.com)(PORT = 1522))
(ADDRESS = (PROTOCOL = TCP)(HOST = raclinux1-vip.us.oracle.com)(PORT = 1521))
)
Question: You find often the real IP in addition here? Why?
LISTENERS_RACDB =
(ADDRESS_LIST =
(ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.203.11)(PORT = 1521))
(ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.203.11)(PORT = 1522))
(ADDRESS = (PROTOCOL = TCP)(HOST = raclinux1-vip.us.oracle.com)(PORT = 1522))
(ADDRESS = (PROTOCOL = TCP)(HOST = raclinux1-vip.us.oracle.com)(PORT = 1521))
)
init-Parameter
racdb1.local_listener
= LISTENER_RACDB1
racdb1.remote_listener = LISTENER_RACDB2
Question: Is RACDB the „remote“ ?
23.3.2006
D.Wochele
IWR
Ideen
werde
nRealität
Example Server and Client tnsnames.ora – Services
RACDB1 =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = raclinux1-vip.us.oracle.com)(PORT = 1522))
(ADDRESS = (PROTOCOL = TCP)(HOST = raclinux1-vip.us.oracle.com)(PORT = 1521))
(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME = RACDB)
(INSTANCE_NAME = RACDB1)
)
)
RACDB =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = raclinux1-vip.us.oracle.com)(PORT = 1521))
(ADDRESS = (PROTOCOL = TCP)(HOST = raclinux1-vip.us.oracle.com)(PORT = 1522))
(LOAD_BALANCE = yes)
(FAILOVER = false)
(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME = RACDB)
)
init-Parameter
)
service_names = RACDB, list of service names
23.3.2006
D.Wochele
IWR
Ideen
werde
nRealität
RAC Failover an Load Balancing
Failover and load balancing are set in the connection parameters
Failover (Instance1 (I1) died)
► all new connects go to I2 and reestablishes client connections on I2
► no restore of session parameters or program variables
► all selects are re-executed on I2
► active transactions are rolled back
► DDL were canceled
► parameter (type, method, retries) for client TAF in tnsnames.ora
► see v$session for TAF status
► server side TAF policy (you do not have to encode TAF on the client
connection string)
Load Balancing
► shared server config.: balanced select of dispatchers
► dedicated server config. : balanced select of listeners
Cluster Interconnect
► not stable over cross-over CAT5 Cable  network switch
► CRS does not support a redundant Cluster Interconnect (with 2 network
cards or IP-addresses)
Question: What services should be run in shared/dedicated mode
Ideen
with or without TAF or LB?
werde
23.3.2006
D.Wochele
IWR
nRealität
Connection in a Private Network
node 1
public network
private network
IP1
VIP1
SAN
PIP1
VIP1,VIP
IP1, IP2 ?
network switch
PIP2
VIP2
IP2
Database:
Services A,B,C
Flash Rec Area
node 2
23.3.2006
D.Wochele
IWR
Ideen
werde
nRealität
OCM Oracle Connection Manager
►
►
►
►
►
►
act as a TNS-proxy with access-control
additional installation
cmctl
$TNS_ADMIN/cman.ora
DB register with init-parameter REMOTE_LISTENER=proxy
tnsnames.ora
SOURCE_ROUTE=yes
proxy=(PROTOCOL=TCP)(HOST=lcgdbka1.fzk.de)(PORT=1541)
CMAN_KA=
(CONFIGURATION=
(ADRESS=(PROTOCOL=TCP)(HOST=lcgdbka1.fzk.de)(PORT=1541)
(RULE_LIST=
(RULE=(SRC=141.52.*)(DST=DB1.gridka.de)(SRV=*) (ACT=ACCEPT))
(PARAMETER_LIST=
(MAX_GATEWAY_PROCESSES=12)
(MIN_GATEWAY_PROCESSES=2)
(REMOTE_ADMIN=YES)
)
Question: Does cman fully support load balancing and failover?
)
23.3.2006
D.Wochele
IWR
Ideen
werde
nRealität
Connection in a Private Network
node 1
public network
private network
IP1
VIP1
SAN
PIP1
CMAN (IPxxxx)
NIC1
NIC2
network switch
Proxy
CMAN
PIP2
VIP2
IP2
Database:
Services A,B,C
Flash Rec Area
node 2
23.3.2006
D.Wochele
IWR
Ideen
werde
nRealität
Directory Server
► LDAP compliant directory server
► central repository for
– network information
– user policies
– user authentication and security
► ldap.ora on db-servers
and clients
assets and drawbacks
► a typical bottleneck!
► no distribution of client
config files
Question :
Is this a possible concept?
23.3.2006
D.Wochele
IWR
Ideen
werde
nRealität
Oracle Net Troubleshooting
► ping hostname_node1[2]
► check network cards and connection
–
–
–
–
–
–
►
►
►
►
ifconfig
ethtool
iperf
netstat
tcpdump
ethereal
tnsping service_name from server_node1[2]
tnsping service_name from client
lsnrctl services
sqlplus scott@service_name
23.3.2006
D.Wochele
IWR
Ideen
werde
nRealität
Trace and Logging
Sqlnet.log
► pmon registration to listener
tail -f listener.log --> 01-MAR-2006 16:11:46 *
service_update * RACDB1 * 0
Listener Log
► Set LOG_STATUS=ON (default=OFF)
► $ORACLE_HOME/network/admin/<SID>.log is default
► Contains listener commands
► Only client connects, no further information
Listener Trace
► much load, capture all NET-traffic
► for debugging only
23.3.2006
D.Wochele
IWR
Ideen
werde
nRealität
Security
Listener
► in 10g listener runs under OS authentication, listener password only
necessary to restrict remote control
► password accessible in listener.ora, protect by file-rights
► Set ADMIN_RESTRICTIONS_listener_name=ON allow no remote
parameter changes (only listener.ora)
#----ADDED BY TNSLSNR 13-MAR-2006 17:33:29--PASSWORDS_LISTENER_RACLINUX1 = 1DF5C2FD0FE9CFA2
SAVE_CONFIG_ON_STOP_LISTENER_RACLINUX1 = ON
LOGGING_LISTENER_RACLINUX1 = ON
#-------------------------------------------
► delete extproc–entry in listener.ora to prevent program-routines to act as
oracle-user ?
SQLNET
► using Certificate Authority for PKI ?
(Oracle Advanced Security supports CyberSafe, RADIUS, Kerberos, SSL,
Windows NT native authentication (NTS))
► using checksums ? (SQLNET.CRYPTO_CHECKSUM_SERVER)
► using encryption? (SQLNET.ENCRYPTION_SERVER)
23.3.2006
D.Wochele
IWR
Ideen
werde
nRealität
Client Types
► full client
► instant client
– installation involves copying a small number of files.
– less client-side requirements
– no loss of functionality or performance for applications deployed in
Instant Client mode.
– it is simple to package applications
– configuration files are read
(set TNS_ADMIN or $ORACLE_HOME to find them)
url="jdbc:oracle:oci:@//example.com:5521:bjava21"
url="jdbc:oracle:oci:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)
(HOST=dlsun242) (PORT=5521))
(CONNECT_DATA=(SERVICE_NAME=bjava21)))"
23.3.2006
D.Wochele
IWR
Ideen
werde
nRealität
Easy Connect
► CONNECT
username/ password@ host[: port][/ service_name][/ instance_name]
► no LDAP, no tnsnames.ora
► SQLNET.ora
– NAMES.DIRECTORY_PATH=(EZCONNECT)
► only client have to be 10g (you can connect to 9i)
► EZConnect Alias
– Client name resolution for service-name
(e.g. 141.52.167.211 cgcl1.fzk.de)
• DNS
• /etc/hosts
Examples:
connect scott/[email protected]:1521/service
JDBC:connect scott/tiger@//orcl.fzk.de:1521/service
► Easy Connect provides NO Failover or Load Balancing!
23.3.2006
D.Wochele
IWR
Ideen
werde
nRealität
Herunterladen