Oracle

Using Letsencrypt with OCI

Security is one of the biggest topics and concerns in the IT industry nowadays, and since more and more services are hosted in cloud environments, the need for secure configurations increases steadily. One small part is to secure any connections in some way or another so that nobody can see your precious data just by capturing data streams. For generic TCP connections the most common way to do this is Transport Layer Security, or TLS for short, formerly called Secure Sockets Layer (SSL). And with the release of Let’s Encrypt it became easier to obtain TLS certificates that are widely accepted.

Updates

In September I was not able to provide a technical blog post. But that doesn’t mean I was lazy the whole time. There are some updates to the blog and my person. Hugo vs. Jekyll: As you might have already noticed, my blog is quite small in footprint and probably renders very fast on your client. This may be due to the fact that I use a static website generator. In the past this was Jekyll. I was quite happy with that in general, but not with the fact that maintaining its runtime environment might cause some hassle if you’re not used to using Ruby every day. It’s not that I’m not able to handle it, but managing all that dependency stuff and keeping a Ruby env up to date is just nothing that I want to do if I just want to create a nice little blog.

System users in OCI

Once you are hosting an application in some environment, no matter if on-premises or in the cloud, you want to get notified by the application when something happens or you need to take action. As an example let’s assume that is a GitLab Community Edition you manage yourself in the Oracle Cloud Infrastructure. For this purpose there’s an Email Delivery Service which you can use to send mails from your cloud applications. For this to work you have to configure DKIM and SPF records for a DNS domain and configure approved sender email addresses that may be used by your application. Maybe I’ll cover that in another blog post, but that shouldn’t be addressed here now.

What time is it in heaven?

Maybe you have realized that when you deploy a compute instance in your favourite cloud environment, the “hardware” clock is set to UTC, the coordinated universal time. That of course totally makes sense, since your cloud provider is operating a global business. That also isn’t a problem if you handle your times and dates in your Oracle database application properly with a timezone component. For this you can save time-related data in the TIMESTAMP WITH TIME ZONE datatype. So you can, at any time, easily present the value in the desired timezone.

Shared memory connection with godror

Recently I was playing around with the Go programming language by Google. Although I am not a fan of this company anymore for various reasons, the programming language is fun to work with. Especially when it comes to development of CLI utilities it has quite some advantages and combines the ease of use of Perl with the ability to produce a compiled binary like C. Also I am a big fan of strictly typed languages.

DOAG Database 2024

Recently some of my colleagues from Robotron and I visited the DOAG Database conference in Düsseldorf. I also spoke about Transparent Data Encryption and its little helpers on Oracle Engineered Systems. You may already have read about some of these in my blog in the past. Although nobody asked a question during my speech (which is kind of irritating, since you can’t know whether that’s due to a lack of interest or because you have already answered everything), I was happy that afterwards some people told me it was quite a good and useful speech. Feedback is always welcome and I appreciate that!

Using terraform import to migrate resources

Terraform is a nice tool for managing infrastructure in your cloud environment. It becomes really powerful when it comes to mass deployment and managing resources where you don’t need to repeat yourself too much. I think many of us experienced the start of a project with singleton resources when we were bloody newbies. But as time passes by, the need for a more scalable solution emerges and you need to transform that singleton into a more iterative manner of resource management.

QuickFix: SSH HMAC problems on ODA 19.22

Oracle lately introduced the Oracle Database Appliance Software Release 19.22 with the usual fixes and updates to all of its components. It also provides an eagerly awaited fix to the included ASR manager, so now you can use that again. But where there’s light, there may also be some shadow. If you are using a newer version of PuTTY on Windows, or a recent version of OpenSSH on macOS, you might get the following errors after patching the system to 19.22.

IPv6 and private subnets in OCI

IPv6 has been roaming around for many years; it was launched in 1998. That’s 26 years ago, and it is still not used by default in many locations. Why is that, especially when IPv6 is the recommended protocol for internet communication? Unfortunately IPv6 isn’t the default even with modern cloud providers like Oracle with its OCI. Of course you will get a world-wide usable and routed subnet if you like, but you have to enable it yourself in the first place. You’ll get DHCPv6 for free with recurring addresses, so that you can name things even after a reboot. But unlike IPv4, you’re not able to communicate with the internet if your resource is in a private subnet, as shown in the diagram below.

Cloning an OCI Vault secured PDB - Part II

Last year I tried to duplicate a TDE encrypted pluggable database from one Exadata Cloud Machine to another into a separate CDB which is not a standby system of the first one. Normally this is not a big problem, because you can copy over the encryption key(s) from the source within the clone command. But that does not work when your encryption keys are stored in the OCI Vault service. Just as a refresher, this is the error you’ll get if you try.

Oracle PDBs in a Data Guard environment

Oracle introduced its container-based database configuration with Oracle 12.1, which dates back to the year 2013. So it’s ten years in the wild and the adoption process is still in progress, as not all of my customers have migrated to the new architecture yet, even though it is enforced with the upcoming 23c release. Although this architectural change has brought a variety of useful features that make the daily business for a DBA a lot easier, there are some problems in combination with Data Guard.

SQLcl and wallet authentication

In recent months I was involved in a large project that runs in Oracle Cloud Infrastructure and of course includes some Oracle databases on Exadatas. As per best practice I have set up an operations compute instance that is used to run maintenance scripts against the databases running on these machines. To use that I have installed SQLcl from the official Oracle Linux repositories, because the tool gets updated automatically when the host is updated via OS Management. I also installed the Instant Client via the repositories for the same reason.

Cloning an OCI Vault secured PDB

On some days you just want to perform a simple task, one you have done several times before and know will not take too much time to complete. But sometimes you will face a new challenge and spend a whole day on an issue that can’t be fixed. Such a day was today. What happened? I wanted to clone a PDB via DB link from a source CDB to a target CDB. So far so easy, isn’t it?

DIY bastion for Oracle OCI

Recently I was restructuring my Oracle OCI private tenant to be built using Terraform only. I mainly did this because I need to learn that beast for work, but I am also interested in the technology myself. Of course my main hosting machine for the blog is a nice little Ampere A1 VM that resides in a private subnet; let’s call it web01. The internet-facing part is a free load balancer that handles all the TLS encryption. To access the internal VM via SSH I didn’t want to use the OCI Bastion service, because it is limited to a session duration of 3 hours and I don’t want to create a new session every time I’m working on the server.

TIL: SQLcl is not a full replacement yet

Today I learned that the famous SQLcl is not a full replacement for the beloved SQL*Plus yet. I encountered an issue when using a local wallet to authenticate to the database. That comes in handy when you need a connection via SQL*Net instead of the local bequeath authentication, like with dgmgrl when you want to perform a switchover operation. With an in-house tool I have generated wallet entries with the EZ-Connect string to avoid managing a tnsnames.ora file. With SQL*Plus I can use these entries in the following way:

TIL: Migrate a PDB from backup including datafile movement

Today I learned an improvement to the way I migrate a non-container 12c database from a backup to a new container-based database infrastructure in version 19, with all the glory of Oracle Managed Files (OMF). Of course that’s pretty simple anyway, but sometimes reading the documentation more intensely helps improve the methods you use on a daily basis. So, just for completeness, let’s describe the way to create a pluggable database as a clone from a database backup of a non-CDB. At first, we need to create a dummy instance and duplicate the database.

Beware of R1 - Updated

The Good: Recently I discovered a critical issue when installing a new Oracle cluster for a customer on Oracle Linux systems. The hardware is shiny new blade systems and I started with the latest and greatest software components which are certified for the Oracle Enterprise Edition and Real Application Cluster. Of course the OS would be Oracle Linux 8.7 with the famous Unbreakable Enterprise Kernel, which is at version 7 since this year. In April 2023 Oracle released Release Update 1, which of course brings some enhancements and fixes. Business as usual, as you would think.

Instance caging vs. CPU pooling

When working with Oracle databases, the commonly recommended methods to restrict the usage of CPU resources are the so-called instance caging and hard partitioning using something like Oracle Linux Virtualization Manager. The latter comes with some resource wastage though, because you have to handle multiple operating systems for multiple databases. So let’s assume that is some sort of last resort for the licensing dilemma. Instead, many of us like to have multiple databases coupled together in one operating environment and want some measures to tame the herd. For that there are several layers where you can put constraints on your databases, beginning with limiting the number of sessions a database can handle. But to reduce a database’s CPU usage to a specific load and/or a subset of your multi-core/multi-socket system, there currently are two commonly used methods. Look at the end of this article to see how I implemented the testing method.