Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Confidential Oracle Internal 1

Page 2: 100813_106197_ppt

ACSLS 8.3

Martin Ryder

Chris Morrison

George Noble

Page 3: 100813_106197_ppt

Program Agenda

What’s New

Installation

SELinux

Enhancements, Features and Utilities

Bug Fixes

Page 4: 100813_106197_ppt

What’s New with ACSLS 8.3

ACSLS on Solaris 11

ACSLS on Linux 6

Customer-defined Installation Directories

Page 5: 100813_106197_ppt

Platform Support

SPARC Solaris-10 Update 10

SPARC Solaris-10 Update 11

SPARC Solaris-11 Update 1

X86 Solaris-10 Update 10

X86 Solaris-10 Update 11

X86 Solaris-11 Update 1

Oracle Linux 6.3

ACSLS 8.3 is supported on seven platforms

Page 6: 100813_106197_ppt

Solaris 10

ACSLS on Solaris-10 is fully functional

– All physical libraries and drives

– Logical Library Support

– The ACSLS GUI

– lib_cmd

– ACSLS HA 8.2.1

Full functionality

Page 7: 100813_106197_ppt

Solaris 11

Functional ACSLS features on Solaris-11

– All physical libraries and drives

– Logical Library Support

– The ACSLS GUI

– lib_cmd

ACSLS HA 8.3 is in development

Full support, but without HA.

Page 8: 100813_106197_ppt

Linux 6

Functional ACSLS features on Linux 6

– All physical libraries and drives

– The ACSLS GUI

– lib_cmd

Logical Libraries and HA are not supported

Page 9: 100813_106197_ppt

Linux 6

Includes support for FC-attached libraries: SL150, SL500

Uses the sg driver - no mchanger driver for Linux

The install_scsi_Linux.sh utility installs a rules file for udev

The mchanger links are created and maintained by udev

SCSI Library Support on Linux

Page 10: 100813_106197_ppt

Linux 6

The /dev/mchanger* links on Linux look different than those on Solaris

The link includes a unique identifier supplied by udev

Example: /dev/mchanger-3500104f0007a8532

Using the identifiers allows persistent device links for ACSLS

The targets of those links (/dev/sg<n>) are volatile

The links are automatically updated by udev

SCSI Library Support on Linux – mchanger links

Page 11: 100813_106197_ppt

Linux 6

# ./install_scsi_Linux.sh

Installing SCSI device(s) for Oracle StorageTek ACSLS.

Adding ACSLS rules for udev ...

Starting udev: [ OK ]

Successfully built the following...

/dev/mchanger-3500104f00079f9d2: STK SL500 V-1485 336-cells 10-drives

/dev/mchanger-3500104f0007a8532: STK SL500 V-1485 205-cells 6-drives

/dev/mchanger-3500104f000cc6a67: STK SL150 V-0182 59-cells 4-drives

Installation of SCSI device(s) successfully completed.

SCSI Library Support on Linux – install_scsi_Linux.sh

Page 12: 100813_106197_ppt

Java Support

Java 6

Java 7

Supported Java Versions

Page 13: 100813_106197_ppt

Browser Support

Firefox 22.0

Chrome 28.0

IE 8+ Requires a custom SSL certificate.

Tested Browsers with the ACSLS 8.3 GUI

Page 14: 100813_106197_ppt

Installation

Page 15: 100813_106197_ppt

Installation Packages

Solaris Sparc: V39783-01.zip

Solaris X86: V39784-01.zip

Linux: V39785-01.zip

Download from the Oracle eDelivery site

Page 16: 100813_106197_ppt

Installation Flexibility

Solaris:

# pkg_install.sh

Should the base directory be /export/home? (y/n) n

Enter the path to the base directory [?,q] /opt/home

Linux:

# rpm -ivh --prefix /opt/home STKacsls_8.3.0.i686.rpm

Customer decides where ACSLS resides.

Page 17: 100813_106197_ppt

PostgreSQL Installation

PostgreSQL 8.3 (Solaris)

PostgreSQL 8.4 (Linux)

PostgreSQL Versions

Page 18: 100813_106197_ppt

PostgreSQL Installation

PostgreSQL 8.3

Solaris 10: PostgreSQL is already installed

Page 19: 100813_106197_ppt

PostgreSQL Installation

Installed automatically with pkg_install.sh

– SUNWpostgr-83-server

– SUNWpostgr-83-client

– SUNWpostgr-83-server-data-root

– SUNWpostgr-83-libs

– SUNWopenssl-libraries

Solaris 11: Five PostgreSQL packages to install

Page 20: 100813_106197_ppt

PostgreSQL Installation

Set up the Yum Repository

# cd /etc/yum.repos.d

# server=public-yum.oracle.com

# repository=public-yum-repo

# wget http://$server/$repository

Linux: PostgreSQL must be downloaded from the Oracle yum repository

Page 21: 100813_106197_ppt

PostgreSQL Installation

# yum install unixODBC

# yum install glibc.i686

# yum install pam.i686

# yum install postgresql-libs.i686

# yum install libxml2

# yum install libxml2.i686

# yum install libstdc++.i686

# yum install postgresql.i686

Linux: Install 8 packages with yum

Page 22: 100813_106197_ppt

PostgreSQL Installation

# cd /opt

# server=public-yum.oracle.com

# path=repo/OracleLinux/OL6/3/base/i386/

# pkg1=postgresql-odbc-08.04.0200-1.el6.i686.rpm

# wget http://$server/$path/$pkg1

# rpm -ivh $pkg1

Linux: Install PostgreSQL ODBC libraries

Page 23: 100813_106197_ppt

PostgreSQL Installation

# pkg2=postgresql-server-8.4.11-1.el6_2.i686.rpm

# wget http://$server/$path/$pkg2

# rpm -ivh --nodeps $pkg2

Linux: Install PostgreSQL Server

Page 24: 100813_106197_ppt

ACSLS 8.3 Installation

User can install the entire product or selected subsystems.

User can install, re-install, or remove selected components.

User can now preserve an existing database

– If DB is not installed, it will be installed automatically.

– If DB is installed, user is prompted whether to re-install.

Added flexibility in install.sh

Page 25: 100813_106197_ppt

ACSLS 8.3 Installation

If user elects to install Logical Library support, then the following are installed automatically.

– smce

– stmf

– surrogate

– rmi-registry

– WebLogic

– ACSLS GUI

– lib_cmd

Added flexibility in install.sh

Page 26: 100813_106197_ppt

ACSLS 8.3 Installation

If user elects not to install Logical Library support, then

– The user may elect to install the GUI

– The user may elect to install lib_cmd.

If the ACSLS GUI is already installed, the user may elect

– to keep the existing GUI configuration

– to re-install/rebuild the GUI configuration

– to remove the GUI

Added flexibility in install.sh

Page 27: 100813_106197_ppt

SELinux

Page 28: 100813_106197_ppt

SELinux

Initially developed by the NSA in the late 1990s

Designed to meet common security goals

– Mandatory Access Control

– Type enforcement

– Role-based access control

– Multi-level security

Released with Linux Kernel 2.6.0 in 2003

Security Enhanced Linux

Page 29: 100813_106197_ppt

SELinux

POSIX Discretionary Access Control:

– user:group:other

– Read:write:execute

SELinux Mandatory Access Control:

– user:group:other

– user-role:type:level

– read:write:execute:append:create:remove:execmod:link:unlink:swapon:quotaon:mounton:rename:setattr:execute_no_trans:entrypoint:lock:unlock:ioctl

Mandatory Access Control (MAC)

Page 30: 100813_106197_ppt

SELinux

Every process runs in a security domain

– confined vs. unconfined

Every resource is identified by its type

– process vs. file.

Access is governed by specific policies.

Policies are enforced by the Linux kernel

A policy governs:

– The level of access within a domain

– for a specific resource type.

SELinux Policy Enforcement

Page 31: 100813_106197_ppt

SELinux

To disable enforcement

# setenforce 0

To enable enforcement

# setenforce 1

To disable enforcement across reboots:

– edit /etc/selinux/config:

– Change SELINUX=enforcing to SELINUX=permissive

SELinux Enforcement

Page 32: 100813_106197_ppt

SELinux

To view the current status of SELinux:

# sestatus

SELinux status: enabled

Current mode: enforcing

To view the actual rules that disallowed access:

# vi /var/log/audit/audit.log

Monitoring SELinux Enforcement

Page 33: 100813_106197_ppt

SELinux

To create a policy module in response to a failed operation:

# cd /var/log/audit

# audit2allow -a -M <ModuleName>

This creates a file: <ModuleName>.pp

To load the newly-created policy module:

# semodule -i <ModuleName>.pp

To unload a policy module:

# semodule -r <ModuleName>

Custom Policy Modules
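
Because audit2allow -a builds its module from every denial recorded in the audit log, it is worth seeing which accesses those are before loading the resulting .pp file. The following is an added example, not part of the original slides or of ACSLS: a shell function that groups AVC denials by command, source type, target type and object class. The log lines are constructed samples and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the slides): summarise SELinux AVC denials so the
# accesses can be reviewed before "audit2allow -a -M" turns them into a module.

# Reads audit.log text on stdin. Prints one line per
# (command, source type, target type, object class) with a denial count and
# the merged permission set, in first-seen order.
summarize_avc() {
    awk '
    /type=AVC/ && / denied / {
        comm = "?"; st = "?"; tt = "?"; cls = "?"; perms = ""; inperm = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm)    { perms = perms " " $i; continue }
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
            # contexts are user:role:type:level; the type is the third field
            if ($i ~ /^scontext=/) { split($i, a, ":"); st = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tt = a[3] }
            if ($i ~ /^tclass=/)   { cls = $i; sub(/^tclass=/, "", cls) }
        }
        key = comm " " st " " tt " " cls
        if (!(key in count)) order[++n] = key
        count[key]++
        # merge permissions for this key, skipping ones already recorded
        m = split(perms, p, " ")
        for (j = 1; j <= m; j++)
            if (index(" " seen[key] " ", " " p[j] " ") == 0)
                seen[key] = (seen[key] == "" ? p[j] : seen[key] " " p[j])
    }
    END {
        for (k = 1; k <= n; k++) {
            split(order[k], f, " ")
            printf "%d comm=%s %s -> %s:%s { %s }\n",
                count[order[k]], f[1], f[2], f[3], f[4], seen[order[k]]
        }
    }'
}

# Constructed sample lines (not taken from a real system). The SYSCALL record
# and the "granted" record are ignored by summarize_avc.
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1381200001.101:210): avc:  denied  { read } for  pid=4120 comm="postgres" name="pg_hba.conf" dev=dm-0 ino=2611 scontext=unconfined_u:system_r:postgresql_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1381200001.101:210): arch=40000003 syscall=5 success=no exit=-13 comm="postgres" exe="/usr/bin/postgres"
type=AVC msg=audit(1381200002.417:211): avc:  denied  { write } for  pid=4120 comm="postgres" name="pg_log" dev=dm-0 ino=2650 scontext=unconfined_u:system_r:postgresql_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1381200003.020:212): avc:  denied  { search } for  pid=4120 comm="postgres" name="home" dev=dm-0 ino=2600 scontext=unconfined_u:system_r:postgresql_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1381200004.555:213): avc:  denied  { read } for  pid=4120 comm="postgres" name="pg_hba.conf" dev=dm-0 ino=2611 scontext=unconfined_u:system_r:postgresql_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1381200005.300:214): avc:  granted  { setenforce } for  pid=5001 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
EOF
}

# Stand-alone run over the constructed sample.
sample_audit_log | summarize_avc
```

On a live host the same function can read the real log as root: `summarize_avc < /var/log/audit/audit.log`.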

Page 34: 100813_106197_ppt

SELinux

Three ACSLS policy modules are loaded when you run install.sh on Linux:

– allowPostgr

– acsdb

– acsdb1

These policies extend access to resources that are running in a confined domain (e.g. PostgreSQL) for users acsss and acsdb.

ACSLS Policy Modules

Page 35: 100813_106197_ppt

Enhancements, Features, and Utilities

Page 36: 100813_106197_ppt

ACSLS 8.3 Enhancements

When a cleaning attempt fails, try to select another cleaning cartridge to clean the drive.

Identify used-up (spent) cleaning cartridges in query clean, volrpt, display volume, and the acsss_event.log.

More Robust Automatic Cleaning

Retry the failed dismount of a cleaning cartridge.

Ensure cleaning cartridges are used up before their usage is maxed-out.

Page 37: 100813_106197_ppt

ACSLS 8.3 Enhancements

Support up to 16 partitions in an SL8500 Library Complex

The SL8500 now lets customers define partitions in a library complex of multiple SL8500s connected via pass-thru ports.

Support Library and Tape Drive Enhancements

Page 38: 100813_106197_ppt

ACSLS 8.3 Enhancements

Support T10000D Fibre Channel over Ethernet (FCoE) Tape Drives

Note: ACSLS 8.2 supports Fibre and FICON T10000D tape drives.

Support Library and Tape Drive Enhancements

Page 39: 100813_106197_ppt

ACSLS 8.3 Enhancements

The SMF startup time limit for acsls is now adjustable.

Library configuration determines normal start-up time:

# $ACS_HOME/bin/calc_acsls_start_timeout.sh

If this calculated timeout is not sufficient:

a) Run acsss timeout to see the current timeout.

b) Edit ~/data/external/acsls_startup_policy

c) Assign a value in minutes to the line that begins:

additional_startup_time=

d) Run acsss timeout to see the new timeout value.

acsls_startup_policy (Solaris)

Page 40: 100813_106197_ppt

ACSLS 8.3 Enhancements

Customers can exempt startup recovery of troublesome libraries.

To exempt a particular ACS from offline-to-online recovery:

– Edit ~/data/external/acsls_startup_policy

– Remove the comment character (#) from the target ACS:

#ACS3_desired_startup_state_is_offline

ACS3_desired_startup_state_is_offline

acsls_startup_policy (Solaris)

Page 41: 100813_106197_ppt

ACSLS 8.3 Enhancements

Improved status granularity with acsss_config

Page 42: 100813_106197_ppt

ACSLS 8.3 Enhancements

Improved granularity with acsss status

# acsss status

acsdb [online|offline]

smce [online|offline]

stmf [online|offline]

surrogate [online|offline]

rmi-registry [online|offline]

acsls [online|offline|starting]

weblogic [online|offline|starting|stopping]

The acsss utility

Page 43: 100813_106197_ppt

ACSLS 8.3 Enhancements

New status options

acsss a-status (Show the status of acsls)

acsss d-status (Show the status of acsdb)

acsss w-status (Show the status of weblogic)

acsss timeout (Set|Show the start time limit for acsls)

The acsss utility

Page 44: 100813_106197_ppt

ACSLS 8.3 Enhancements

– acsls_start.log (Linux)

– acsdb_start.log (Linux)

– chkloc.log (Captures errors from cron-activated chkloc.sh)

New diagnostic logs

Page 45: 100813_106197_ppt

ACSLS 8.3 Utilities

chkFB.sh: enables/disables fast-boot for Solaris

– Applies only to Solaris-11 X86 machines.

– ACSLS disables this feature by default.

– Fast boot must be disabled for mchanger and qlt drivers.

Fast-boot control with chkFB.sh (Solaris X86)

Page 46: 100813_106197_ppt

ACSLS 8.3 Utilities

chkGui.sh checks the following:

– Is WebLogic running?

– Is the SlimGUI application deployed?

– Does a localhost http request to SlimGUI return success?

– Is a firewall utility (ipfilter or iptables) running?

– Does firewall policy accept input from ports 7001 and 7002?

Check GUI status with chkGui.sh

Page 47: 100813_106197_ppt

ACSLS 8.3 Utilities

Diagnostic files added to the get_diags payload.

– SELinux audit log.

– Solaris SMF start/stop logs

– Linux init.d start logs (acsls and acsdb)

– WebLogic AdminServer.log

– Resource and Cluster checks for HA installs

– Date and time of get_diags snapshot.

The get_diags utility

Page 48: 100813_106197_ppt

ACSLS 8.3 Utilities

Supported on both Linux and Solaris systems

Bug 16788436: "-v" option showed only the first HBA

Changes to output for "-v" (verbose) option

No changes for default or "-p" (programmatic) option

The probeFibre.sh utility

Page 49: 100813_106197_ppt

ACSLS 8.3 Utilities

Emulex LP11002-M4 HBA is attached.

WWPN: 10000000c951d23c

STK SL500 LUN 0 WWPN: 500104f00079f9c9 WWNN: 500104f00079f9c8

STK SL150 LUN 1 WWPN: 500104f000cc6a68 WWNN: 500104f000cc6a67

STK SL150 LUN 1 WWPN: 500104f000cc6699 WWNN: 500104f000cc6698

STK SL500 LUN 0 WWPN: 500104f0007a8533 WWNN: 500104f0007a8532

WWPN: 10000000c951d23d

QLogic 375-3356-02 HBA is attached.

WWPN: 2100001b320c2b19

QLogic 375-3356-01 HBA is attached.

WWPN: 210000e08b94060b

WWPN: 210100e08bb4060b

“probeFibre.sh -v” on Solaris

Page 50: 100813_106197_ppt

ACSLS 8.3 Utilities

Model QLA2342 HBA is attached.

WWPN: 210000e08b865829

WWPN: 210100e08ba65829

STK SL150 LUN 1 WWPN: 500104f000cc6a68 WWNN: 500104f000cc6a67

STK SL500 LUN 0 WWPN: 500104f0007a8533 WWNN: 500104f0007a8532

STK SL500 LUN 0 WWPN: 500104f00079f9c9 WWNN: 500104f00079f9c8

STK SL150 LUN 1 WWPN: 500104f000cc6699 WWNN: 500104f000cc6698

Model QLA2462 HBA is attached.

WWPN: 210000e08b91e2a1

WWPN: 210100e08bb1e2a1

Model QLA2342 HBA is attached.

WWPN: 210000e08b8329a3

WWPN: 210100e08ba329a3

“probeFibre.sh -v” on Linux

Page 51: 100813_106197_ppt

ACSLS 8.3 Utilities

Includes updates (post 8.2) for Oracle GIT

Improved handling and correction of status and location, especially for absent or misplaced volumes

Most updates are now integrated and happen automatically

The script can still be useful to correct pre-existing issues (such as records imported by db_import.sh)

The fixVol.sh utility

Page 52: 100813_106197_ppt

Bug Fixes

Page 53: 100813_106197_ppt

Bug Fixes in ACSLS 8.3

For acsss_config, added cleanup of database records for logical libraries when an ACS is removed from the configuration

– NOTE: this does not clean up all FC information

– Best practice: delete any logical libraries first

Logical Library Support

Page 54: 100813_106197_ppt

Bug Fixes in ACSLS 8.3

On Move Medium by FC clients, destination slot was not recorded correctly by ACSLS (impacted dismount and “eject” operations)

Absent logical volumes caused problems for FC clients

– Clients would find drives or slots reported as full, although no volume was present.

Logical Library Support

Page 55: 100813_106197_ppt

Bug Fixes in ACSLS 8.3

When a dismount failed and the cartridge was left in the drive, the vol_id in the drive database record was cleared.

Mount requests could hang in limbo when auto cleaning failed.

Always report cleaning failures because of spent cleaning cartridges.

A volume being mounted from a reserved cell could be marked absent

Mounts and Dismounts

Page 56: 100813_106197_ppt

Bug Fixes in ACSLS 8.3

Allow a reserved cell to be updated to inaccessible by audit.

Send an LSM Inoperative Event after LSM Not Ready.

CSI_MULTI_HOMED_CLient on x86 - Client IP address had octets in reverse order.

Other ACSLS Functions

Page 57: 100813_106197_ppt

Questions?
