My previous blog post was an introduction to Oracle DBNest and the fundamental Linux technologies it is based on.It’s now the time to give it a try (This is not an in depth blog post as i’am just giving it a try so don’t expect to much :p) !
Ok first things first ! We need to have access to an oracle 20C database which is still in preview version.We need to provision a new single-node virtual machine database systems (using Logical Volume Manager as our storage management software)
If needing some guidance for doing that, here is a nice blog post .
After having access to our VM let’s enable DbNest !
We start by configuring the listener to route new connection to a dedicated broker managed by our database.
In listener.ora file set “dedicated_through_broker_LISTENER=on“
On the database instance just set the parameters :
- use_dedicated_broker=true
- dbnest_enable=CDB_RESOURCE_PDB_ALL (the CDB is created as a resource-only (or partial) nest (Integrated with only Linux cgroups) and each PDB within the CDB is created as a full nest, which includes both isolation and resource management).
That’s it ! And now we only have to restart our instance … and Boom ! It does not work anymore !
Let’s look at the trace file :
We can see that the creation of the different cgroups started and associated with the CPUSET,CPU ,CPUACCT and MEMORY subsystem /resource controller and then we receive an error “oradism spawn failed : [16] [0] [101] [65535]) ” . “oradism” is normally used to manage “Dynamic Intimate Shared Memory” feature (Allow dynamic SGA resizing) which is as i know specific to Solaris system and here we are using an Oracle Linux system.
UPDATE 21/10/2020 : Thanks Tanel Poder for the great insight on oradism : “Oracle’s oradism binary is used for any database instance operations that require root (initially created for Dynamic Intimate Shared Memory on Solaris, as you said, but now also on Linux, for elevating priority of some key background processes, changing hugepage counts and apparently for cgroups now too)”
UPDATE 03/11/2020 : For more information on what oradism can do please check my investigation on that
So it’s does not start so good for me as a first try 😦
When checking the oradism binary i spotted that the setuid root was not set
So i executed the “root.sh” script which is supposed to do that :
Ok let’s give it another try :
So we managed to open the CDB but we are still facing some problem with the PDB nest creation.
We can use the dbnest binary to get further information about the created nest :
So we can clearly see that we have 3 open nest, but none of them is associated with a new namespaces (as indicated by “no namespaces”).We can use the command “lsns” to confirm that there is no new namespaces created beside the initial ones :
Also custom FS isolation is not enabled as we haven’t specified it. So i decided to enable it by specifying the parameter “DBNEST_PDB_FS_CONF”. I created a new file “/u01/app/oracle/black_list.lst” and black listed the following directory :
DBNEST_NO_FS_ROOT_MODE
/bin
/usr/bin
/run/user/54322
After restarting the instance every thing is working now (Frankly i haven’t investigated the reason yet. UPDATE 04/11/2020 : The root cause was that the directory “/var/run/nscd” didn’t exist on my server for the full story check my investigation here )!
We can use the command “lsns” to list the new created namespaces :
So we clearly see that our PDB reside now in a newly created USER/Mount and PID namespaces. Let’s join the namespaces using dbnest enter !
We cannot create a shell as we blacklisted the “/bin” “/usr/bin” paths.
So i copied the content of the “/bin” directory to “/tmp/bin” and used nsenter -m -p -U -t to join the namespaces
The PDBs is now not able to see process outside it’s namespace and the black listed directory ! that’s great !
The Seccomp feature is also enabled for this PDBs in filter mode (“2”) , which mean that there is some syscall that are disabled (But which ones i have to check but not now. UPDATE 03/11/2020 : Finally i managed to check them here they are ) !
Another point as stated previously is that the different Nest are now integrated with “Linux cgroups” . Extract from “cgsnapshot -s“
Ok this was a first hands on and there is a lot of details to cover, i will try to cover some of them in the upcoming blog posts ! So stay tuned !
That’s it 🙂
Side note :
We can use dbnest to manage/create and experiment with Nests.
Example creating and opening a new nest :
We can see here using strace that our process PID is added to adequate cgroups and how the seccomp in filter mode is enabled using the prctl syscall when entering the test3 nest :
Hatem Mahmoud's blog 
Hi,
This article is great! Thanks for posting this amazing blog.
The “dbnest list” outputs before & after specifying “DBNEST_PDB_FS_CONF” and restarting instance are similar, they both have “no namespace”. Did you paste the wrong picture for capture-013.png? Or is it the intended one?
Hi,
Thanks, A new FULL nest (PDB00003) has been created in the later case to ensure PDB1 isolation (Using namespaces/Seccomp/Fs Isolation).
Extract from the alert.log :
alert_DB1019.log:DB Nest (PDB00001, PDB00001) open successful
alert_DB1019.log:PDB$SEED(2):DB Nest (PDB00002, 3325153775) open successful
alert_DB1019.log:PDB1(3):DB Nest (PDB00003, 1496129554) open successful
I overlooked that one. Thanks a lot.
[…] have already seen in my previous blog posts PART1 and PART2 what it’s Linux seccomp and how it’s used by oracle dbnest to enhance the multitenant […]
[…] my previous blog post A first hands on Oracle 20C DbNest (Preview) i encountered some problems when trying to start the PDB nest with the default internal path […]