Oracle Cloud Infrastructure – Monthly Update August 2022

O&M APM Synthetic Monitoring Enhancements

A new release is available with the following Synthetic Monitoring features. You can now:

  • Schedule the monitor run sequentially on each vantage point using the Round Robin option when creating a monitor. Previously, you could only run the monitor simultaneously on all selected vantage points. In addition, you can now use the Batched Round Robin option to schedule the monitor run sequentially on batches of vantage points. For more information, see Create a Monitor.
  • Use the Run Now option in the Actions menu on the Monitors page to run the monitor immediately instead of waiting for the next scheduled monitor run. For more information, see Create a Monitor.
  • Add a custom screenshot command to a .side script to capture custom (on-demand) screenshots at a particular instance in the script. You can also view and download custom screenshots similar to the functionality available for standard screenshots. For more information, see Create a Script.

Java Management 5.0 is Now Available

We’re pleased to announce that Java Management 5.0 is available. With this release, JMS has introduced the following capabilities:

  • Install a new Java runtime on any managed systems within a fleet
  • Simplify the installation of the Management agent using installation script
  • Support for unlimited management key installation without expiration

For more information about Java Management, see the Java Management user documentation.

Integration 3

For information about Integration 3 releases, see What’s New and Known Issues.

CLI, SDKs, and REST APIs now available for OCI Search Service with OpenSearch

The CLI, SDKs, and REST APIs are now available for OCI Search Service with OpenSearch.

For more information, see:

New Languages Supported for Speech

The following new languages are supported with this release:

  • English-Great Britain
  • English-Australia
  • English-India
  • French
  • Italian
  • German
  • Hindi

Optimizer Statistics Monitoring in Database Management

You can now monitor the optimizer statistics for a Managed Database, analyze the statistics collection tasks and Optimizer Statistics Advisor tasks, and implement Optimizer Statistics Advisor recommendations in Database Management. For more information, see Monitor and Analyze Optimizer Statistics.

New metrics added for GoldenGate service

New metrics were added for improved monitoring within the Oracle Cloud console. You can use per process metrics to create alarms for specific GoldenGate processes including extracts, replicats, distribution and receiver paths. Learn more.

Support for OCI Compute in O&M Operations Insights

Operations Insights Host Capacity Planning functionality now provides support for OCI Compute instances.

Operations Insights lets you view and analyze utilization trends for critical host resources such as CPU and memory. You can also analyze, compare, and contrast resource usage across hosts.

For more information, see Analyze Host Resources.

Oracle NoSQL Database Cloud: Availability of Child Tables

Table hierarchies (child tables) are available in the cloud. With the availability of table hierarchy, developers have additional flexibility when choosing the best data model to meet their business and application workload requirements. With child tables comes the ability to perform left outer join (nested table) queries.

Oracle NoSQL Database Cloud: Migrator updates

The migrator has been enhanced to support importing files from DynamoDB. The process is simple: export your DynamoDB tables as JSON files to AWS S3, then grab those files and import them into Oracle NoSQL.

For more information, refer to the OCI documentation.

Bare metal compute instances: reboot migration on demand and extend maintenance due date

When a bare metal instance is scheduled for reboot migration due to planned infrastructure maintenance, you can now proactively reboot migrate the instance before the maintenance due date.

You can also extend the maintenance due date for bare metal instances that are scheduled for reboot migration.

Single host SDDCs now available for Oracle Cloud VMware Solution

You can now create a single host SDDC using Oracle Cloud Infrastructure VMware Solution. You can use a single host SDDC as a lower-cost entry point, perform your testing and workload validation, and then later migrate to a full production deployment.

Other examples of single host SDDC use cases include:

  • Accelerated onboarding for proof-of-concept, or testing and development
  • Migration between on-premises and Oracle Cloud Infrastructure VMware Solution using VMware HCX, VMware vMotion for live migration, and cold migration
  • Disaster Recovery Evaluation with VMware Site Recovery (SRM) optimized for Oracle Cloud Infrastructure VMware Solution. (VMware SRM is purchased separately).

Single host SDDCs do not support production workloads.

For more information, see Setting Up a Single Host SDDC.

Cloud Shell now offers Private Access

Cloud Shell Private Access allows you to connect a Cloud Shell session to a private network so you can access resources in your private network without having the network traffic flow over public networks.

For more information, see Cloud Shell Private Access.

MySQL HeatWave: Auto reload of data in HeatWave cluster after MySQL upgrade

HeatWave now automatically reloads data from MySQL InnoDB after MySQL node restarts due to maintenance upgrades or planned restarts. With auto-reload capability, you no longer need to take manual steps after maintenance or a restart operation – this reduces the operational overhead and improves service availability.

DevOps Facilitates Service Managed Build Runner Access to Private Resources

You can now connect to self-hosted repositories stored in Bitbucket Server and GitLab Server. You can connect to your private Virtual Cloud Network (VCN) to access self-hosted repositories that have only a private IP from the Managed Build stage. During the build, the service-managed build runner facilitates the connection from the build stage to your tenancy subnet. For more information, see Creating External Connections.

Support for Code Editor

You can now use Oracle Cloud Infrastructure (OCI) Code Editor to create and update functions based on:

  • template functions written in different languages
  • existing function code in remote Git repositories
  • sample functions supplied with Oracle Functions that provide useful functionality out-of-the-box

See Creating Functions Using Code Editor.

CSI volume plugin is initial default for clusters running Kubernetes version 1.24 (or later)

With the announcement of support for Kubernetes version 1.24, the initial default storage class set for new clusters created by Container Engine for Kubernetes has changed from oci to oci-bv. As a result, the default volume plugin used to connect new clusters running Kubernetes version 1.24 (or later) to volumes from the Block Volume service is now the CSI volume plugin rather than the FlexVolume volume plugin.

Existing clusters running Kubernetes version 1.23 (or earlier), and clusters upgraded to Kubernetes version 1.24, are unaffected.

For more information, see Provisioning PVCs on the Block Volume Service.

MySQL AutoPilot: Auto Error Recovery from MySQL failure

With Auto Error Recovery, when MySQL fails and restarts, the HeatWave cluster now automatically restarts, identifies the tables that were loaded prior to the failure, and reloads those tables automatically from MySQL. This reduces intervention on the part of the user and also improves service uptime.

Block Volume scheduled backup limited to one per volume per day

Block Volume runs only one scheduled backup per volume per day. If more than one backup is scheduled for a volume on a particular day, the service runs only one of them, using the following priority:

  1. Yearly
  2. Monthly
  3. Weekly
  4. Daily

For more information about scheduled volume backups, see Policy-Based Backups.

Support for Kubernetes version 1.24.1

Container Engine for Kubernetes now supports Kubernetes version 1.24.1, in addition to versions 1.23.4 and 1.22.5. Oracle recommends you upgrade your Kubernetes environment to version 1.24.1. For more information about Kubernetes 1.24.1, see the Kubernetes Changelog.

Code Editor is now available

Oracle Cloud Infrastructure (OCI) Code Editor provides a rich, in-console editing environment that enables you to edit code and update service workflows and scripts without having to switch between the Console and your local development environment. At launch, Code Editor provides plug-in support for Resource Manager, Functions, and Data Science, with support for more OCI services to follow.

For more information, see Working with Code Editor.

OCI now supports intra-VCN routing

OCI now supports intra-VCN routing, which creates local routes for each VCN CIDR in all VCN route tables, new and existing, and also supports ingress routing on internet gateways and NAT gateways. Intra-VCN routing allows you to specify a next-hop private IP address within a VCN for traffic destined to an IP address range that overlaps or is a subset of the VCN’s CIDR. This enables new security and network virtualization use cases.

Additional features for the DevOps deployment specification file

The following new capabilities have been added to the deployment specification file that allow you to define how commands get executed for an instance group deployment:

  1. Vault variables: The value for vault variables is retrieved from the vault secret and made available as environment variables for all the steps inside the deployment specification file.
  2. Multiline command: Both single and multiple line commands are now supported. Multiline commands essentially work like a bash script.
  3. On failure support: To gracefully exit the deployment stage, you can now specify a list of steps that must be run on failure.
  4. Shell override at step level: The deployment spec allows the shell to be specified at the deployment specification global level. This enhancement allows the value to be overridden at the ‘step’ level.
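An added illustrative deployment specification that uses all four capabilities together, with the database password supplied from a Vault secret rather than stored in the repository. This is a constructed example, not from the page or from Oracle's documentation; the key names (vaultVariables, onFailure, the step-level shell), the secret OCID, the service names and the paths are assumptions or placeholders.

```yaml
# Constructed example deployment spec (assumed OCI DevOps key names; placeholder values).
version: 1.0
component: deployment
shell: bash                      # global default shell for every step
env:
  variables:
    APP_DIR: /home/opc/myapp
  vaultVariables:
    # Resolved from the Vault secret at run time and exposed as $DB_PASSWORD;
    # the secret value itself never appears in the spec or in source control.
    DB_PASSWORD: ocid1.vaultsecret.oc1..<placeholder-secret-ocid>
files:
  - source: /
    destination: /home/opc/myapp
steps:
  - type: Command
    name: "Stop service"
    command: sudo systemctl stop myapp
    timeoutInSeconds: 60
  - type: Command
    name: "Configure and start"
    # Multiline command: runs like a bash script under the global shell.
    command: |
      set -euo pipefail
      cd "${APP_DIR}"
      umask 077
      printf 'db.password=%s\n' "${DB_PASSWORD}" > app.properties
      sudo systemctl start myapp
    timeoutInSeconds: 120
    # On-failure steps: run only if the command above fails, so the stage exits cleanly.
    onFailure:
      - type: Command
        name: "Roll back to previous release"
        command: sudo systemctl start myapp-previous
        timeoutInSeconds: 60
  - type: Command
    name: "Health check"
    shell: sh                    # step-level override of the global shell
    command: curl -fsS http://127.0.0.1:8080/health
    timeoutInSeconds: 30
```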

OCI now supports using multiple IPv6 prefixes

OCI now supports the use of multiple IPv6 prefixes within a VCN and subnet, and IPv6 addresses from different prefixes can be assigned to a VNIC. You can choose between receiving a /56 GUA prefix allocated by Oracle, assigning a prefix from a range you own and have imported via the BYOIP verification process, or specifying a ULA prefix.

You may assign 3 total IPv6 prefixes per VCN and subnet, and assign IPv6 addresses from up to 3 prefixes to a VNIC. Up to one Oracle-allocated GUA prefix may be assigned to each VCN, and any combination of up to 3 total GUA (one Oracle-allocated, or BYOIPv6 GUAs) or ULA prefixes may be assigned to the VCN.

Documentation for this support is in Overview of VCNs and Subnets, IPv6 Addresses, and Bring Your Own IP.

Accelerated Data Science 2.6.3 is released

The following changes were made in this version.

  • Added prepare_save_deploy() method to the GenericModel class. Now you can prepare model artifacts and deploy the model within one command.
  • Added support for binary payloads in model deployment.
  • Updated AutoMLModel, GenericModel, LightgbmModel, PyTorchModel, SklearnModel, TensorflowModel, and XgboostModel classes to support binary payloads in model deployment.
  • To limit job runtime, added the with_maximum_runtime_in_minutes() method in the CondaRuntime, DataFlowNotebookRuntime, DataFlowRuntime, GitPythonRuntime, NotebookRuntime, and ScriptRuntime classes.
  • Deprecated the ads.dataflow.DataFlow class. Use the ads.jobs.DataFlow class instead.
  • The ads.jobs.DataFlow class supports published conda environments.

For more information, see Data Science, ADS SDK, and ocifs SDK. Take a look at our Data Science blog.

Thank you for visiting this blog.

Disclaimer: The views expressed on this blog are my own and do not reflect the views of the companies I work for. The opinions given by visitors on this site are their own opinions.

Oracle Cloud Infrastructure – Monthly Update July 2022

Use GraalVM Enterprise in DevOps Build Pipelines

DevOps build pipelines enable you to use GraalVM Enterprise to build high-performance Java applications.

In the Managed Build stage, you can install and use GraalVM Enterprise components such as Native Image and Java Development Kit (JDK) by adding a simple YUM package manager command in your build specification file.

GraalVM Enterprise is available on Oracle Cloud Infrastructure (OCI) at no additional cost.

Support for VCN-native pod networking

You can now provide pods with IP addresses from a VCN’s CIDR block using the OCI VCN-Native Pod Networking CNI plugin. The OCI VCN-Native Pod Networking CNI plugin enables other resources within the same subnet (or a different subnet) to communicate directly with pods in a Kubernetes cluster. Pod IP addresses are directly routable from within the VCN, from other VCNs connected (peered) to that VCN, from on-premise networks, and from the internet.

Since pods are directly routable, you can use ‘native’ VCN functionality to:

  • Control access to and from pods using security rules defined as part of network security groups or security lists. The security rules apply to all pods in all the worker nodes connected to the pod subnet specified for a node pool.
  • Observe the traffic to, from, and between pods using VCN flow logs for troubleshooting and compliance auditing purposes.
  • Route incoming requests to pods based on routing policies specified by routing rules and route tables.

For more information, see Using the OCI VCN-Native Pod Networking CNI plugin for pod networking.

MySQL Database Service: Point in Time Restore (PITR)

You can now restore a standalone MySQL DB system to a specific point in time by using the Point in Time Restore (PITR) feature.
With PITR enabled, the MySQL binary log is safely archived outside the DB system hosts, allowing you to achieve a Recovery Point Objective (RPO) of approximately five minutes.
You can enable PITR in new or existing DB systems online without impacting the database operations.
For more information, see Restoring From a DB System.

Cloud Guard adds Log Insight Detector

Cloud Guard has added two new components that allow users to extend Cloud Guard functionality into log objects:

  • Data Sources allow Cloud Guard to define new sources of information that can be used to drive detections. See Setting Up Data Sources.
  • Log Insight Detector uses data source queries against these special data sources, to identify problems against monitored log objects, then surfacing the problems on the Cloud Guard Problems page. See Setting Up Log Insight Detector.

New region in Queretaro, Mexico

The Mexico Central (Queretaro) region is now available. The region identifier is mx-queretaro-1. The region key is QRO. This region has one availability domain. For information about regions, see Regions and Availability Domains. For instructions on how to subscribe to the new region, see Managing Regions.

Advanced BIOS settings for bare metal compute instances

When you create a bare metal compute instance, you can now configure advanced BIOS settings that let you optimize performance and reduce licensing costs. The following options are available:

  • Disable cores
  • Customize NUMA settings
  • Disable simultaneous multithreading
  • Enable or disable access control service
  • Enable or disable virtualization instructions
  • Enable or disable the input-output memory management unit (IOMMU)

For more information, see BIOS Settings for Bare Metal Instances.

Extend the reboot migration deadline for Compute VM instances scheduled for infrastructure maintenance

You can now extend the maintenance due date for Compute VM instances that are scheduled for reboot migration due to planned infrastructure maintenance. For more information, see Extending the Deadline for Reboot Migration.

New features added to Network Visualizer

Network Visualizer now allows you to export topology maps and a PDF with relevant resource information. You can also now see more types of resources, including mount targets and Kubernetes clusters. See the documentation for details.

Introducing Flexible Compute Shapes for Model Deployments

You can now use flexible compute shapes for model deployments. 

For APIs, see CreateModelDeployment, and ModelDeploymentInstanceShapeConfigDetails.
For more information, take a look at Data Science.

Media Flow service is now available

Media Flow is a fully managed service for processing media (video) source content, accessible using the Console, REST APIs, or CLI.

You can configure content processing workflows that can be used to process video source content. The processing includes transcoding, thumbnail generation, ABR packaging, and integration with OCI AI Services such as Speech (for automatic transcription), Language (for NLP-based analysis of the transcript), and Vision (for object detection and text extraction).

Oracle Database Service for Azure

Oracle Database Service for Azure (ODSA) allows you to easily integrate Oracle Cloud Infrastructure’s Database service into your Azure cloud environment. ODSA uses a service-based approach, and is an alternative to manually creating complex cross-cloud deployments for your application stacks. Use ODSA to deploy Exadata, Oracle Base Database, and Oracle Autonomous Database resources that connect to your Azure account using the Oracle Interconnect for Microsoft Azure, a private tunnel connection between supported OCI and Azure regions.

For more information, see About Oracle Database Service for Azure.

Oracle Critical Patch Update (CPU) July 2022 for Oracle Java SE

Java Management supports the 18.0.2, 17.0.4, 11.0.16, and 8u341 releases that are part of the Oracle Critical Patch Update (CPU) July 2022 for Oracle Java SE.

Stack Monitoring CDB and PDB Support

Stack Monitoring can now discover and monitor Oracle Multitenant Container Databases (CDBs) and Pluggable Databases (PDBs) running on on-premises hosts or on OCI Compute instances.

For more information, see Stack Monitoring (Resource Discovery).

Media Streams is now available

Media Streams is a fully managed service for delivering and streaming media (video) source content, accessible using the Console, REST APIs, or CLI.

You can deliver digital video packaged in a format such as HTTP Live Streaming (HLS) to viewers. You can ingest pre-packaged HLS packages or can use Media Flow to transcode and package a source video into a format suitable for streaming. Media Streams can be configured to act as the origin service or video distribution through Akamai.

For more information, see Media Streams.

OCI Network Firewall Service is now available

Oracle Cloud Infrastructure Network Firewall is a next-generation managed network firewall and intrusion detection and prevention service for your Oracle Cloud Infrastructure virtual cloud network (VCN), powered by Palo Alto Networks®.

Oracle Cloud Infrastructure Network Firewall provides the following security features:

  • Stateful network filtering: Create stateful network filtering rules that allow or deny network traffic based on source IP (IPv4 and IPv6), destination IP (IPv4 and IPv6), port, and protocol.
  • Custom URL and FQDN filtering: Restrict ingress and egress traffic to a specified list of fully qualified domain names (FQDNs), including wildcards and custom URLs.
  • Intrusion Detection and Prevention (IDPS): Monitor your network for malicious activity. Log information, report, or block the activity.
  • SSL inspection: Decrypt and inspect TLS-encrypted traffic for security vulnerabilities, with ESNI support. Encrypted Server Name Indication (ESNI) is a TLSv1.3 extension that encrypts the Server Name Indication (SNI) in the TLS handshake.
  • Inter-VCN traffic inspection: Route traffic between two VCNs through a network firewall.

For more information, see:

AWR Explorer for Operations Insights

You can now use AWR Explorer in Operations Insights to compare database performance data stored in AWR Hub. 

Using AWR Explorer in Operations Insights lets you:

  • View and analyze AWR data across different database systems
  • Easily identify performance trends without needing to toggle between hourly AWR reports
  • Visualize different aspects of Oracle Database performance data which can be helpful in detecting performance issues

Cloud Shell now offers GraalVM Enterprise JDK 17 and Native Image

Now you can easily use GraalVM Enterprise in Cloud Shell to build and test simple Java applications with Micronaut, Spring, and other microservices frameworks.

For more information, see Using GraalVM Enterprise in OCI Cloud Shell.

TCPS Support for Oracle Cloud Databases

You can now use the TCP/IP with Transport Layer Security (TCPS) protocol when enabling Database Management for Oracle Cloud Databases. For more information, see Enable Database Management for Oracle Cloud Databases.

MySQL Database Service Support for MySQL Version 8.0.30

MySQL Database Service now supports MySQL 8.0.30. New MySQL DB systems are based on the latest MySQL Database version. MySQL Server upgrades for existing DB systems, such as from version 8.0.29 to 8.0.30, must be performed manually.

The new minor version includes improvements and bug fixes. For more information, see MySQL 8.0.30 Release Notes.

Exadata Cloud@Customer: Enhanced Control to Rollback or Retry Failed Guest VM Operating System Update

You are no longer required to roll back if applying the Guest VM operating system update fails. A new option, in addition to the existing rollback option, has been added to retry and apply the failed update. If you want to apply a different operating system image update after a failure, you must first roll back and then apply it.

For more information, see: Using the Console to Rollback or Retry Failed Guest VM Operating System Update

BDS Updates to autoscaling and customer-managed encryption key features

Updates to BDS autoscaling and customer managed encryption key features:

  • Added schedule-based options for horizontal and vertical autoscaling on ODH clusters.
  • Use customer-managed encryption keys for BDS clusters.
  • Update existing clusters to use customer-managed encryption keys.

Exadata Cloud@Customer: Monthly ExaDB-C@C Infrastructure Security Maintenance

Security maintenance, performed alongside the quarterly maintenance, is executed once a month and includes fixes for vulnerabilities with CVSS scores greater than 7.

For more information, see: Overview of Monthly Security Maintenance

Introducing Runtime Configuration for Notebook Sessions

You can now set up your notebook sessions with your often used custom environment variables and Git repos to be ready for use when you open your notebook. See Using a Runtime Configuration.

For more information, see Data Science. Take a look at our Data Science blog.

For more information, please refer to the OCI documentation.

What’s New in Oracle Cloud Infrastructure?

Week of July 4th

Many IT and security leaders today are faced with complex IT infrastructures and growing cybersecurity threats. Download the recent ebook to discover the five trends in cloud security that can help reduce complexity and strengthen cyber resilience.

This new reference architecture walks you through using the graph capabilities built into the Oracle Database – so you do not need a separate Graph database to analyze data connections for common use cases like customer trends insights, fraud detection, improved traceability in smart manufacturing, and more.

Learn how you can use Resource Manager to access private resources on OCI or on-premises

Week of June 27th

Since its launch, OCI Dedicated Region now requires 60-75% less data center space and power on average, with a significantly lower entry price: a starting usage commitment of approximately $1 million a year for a typical customer. This is a unique opportunity for you to benefit from all OCI services within your own premises. Learn all about it and watch the announcement event.

After going public in 2020 and seeing a huge burst in sales during the coronavirus pandemic, Albertsons needed a fast and cost-effective way to scale its human resource operations for the company’s nearly 300,000 employees. They also required a secure method for external vs internal access. With its on-premises human resource (HR) applications nearing end of life, the $70 billion grocery giant decided to migrate those applications to Oracle Cloud Infrastructure (OCI). See how Albertsons leveraged OCI for their PeopleSoft deployment here and drill down into more detail about the unique network configuration here.

Watch this short podcast episode where we chat with Ian Brunton, Engineering Manager, Red Bull Racing about their partnership with OCI and how data and a performant cloud helps win races!

Follow this step-by-step tutorial to learn how to use Terraform to create and configure OCI resources such as instance pools and load balancers, and to configure autoscaling rules based on key usage metrics.

Week of June 20th

For apps using HTTP, HTTPS or HTTP/2, you can now leverage the new caching and compression service for OCI load balancers to render your web app faster and decrease the load on your backend servers. 

Centrally manage usage across all your organization’s tenancies, share subscription credits, and enforce common cost and governance policies.

The latest release of the OCI Big Data service boasts a slew of major features – including Autoscaling, support for AMD Flex shapes, preconfigured JupyterHub as well as Presto (Trino) that can be managed through Ambari, bootstrap scripts, patch management, and more.

This step-by-step tutorial walks you through installing Jenkins and setting up DR using OCI File Storage. This enables you to set up your Jenkins Controller with automatic failover to ensure reliable operations.

In this first in a series of Built & Deployed videos with Albertsons, we explore their footprint in OCI with an emphasis on their PeopleSoft deployment and the specifics of their multi-VCN architecture. See how they scaled quickly and cost-effectively to meet pandemic demand with the help of OCI here.

Week of June 13th

Cloud has evolved to the point that we are now living in a multicloud reality. Standards will help disparate clouds interact with each other much more easily and benefit the entire ecosystem.
Oracle is doing its part by following a Cloud Adoption Framework. Find out more about our updates here and see how we stack up to the competition here.

OCI new E4 DenseIO bare metal provides up to twice the number of cores – up to 128 cores, 2.5 times the memory – up to 2TB, and two times the networking – up to 100Gbps, compared to our previous generation of DenseIO2 instances. And with the newer generation of NVMe SSDs on E4 DenseIO, you get up to double the IOPS and 50% higher price-performance than DenseIO2 instances. E4 DenseIO supports both bare metal and our flexible compute virtual machine (VM) instances.

Find out how EZ Cloud reduced payment delays, and eliminated fraudulent transactions with their cloud-native A/P application on Oracle Cloud.

Check out the recent reference architecture to discover how you can deploy Microsoft Remote Desktop Services on OCI, providing a secured, HA environment for your users to be able to run their applications and desktops from the cloud.

Our Karan Batta talks with Zoe Chilton, Head of Strategic Partnership, from Red Bull Racing about the latest on their partnership with Oracle to improve business efficiency and win more races.

Week of June 6th

Discover how Children’s Medical Research Institute (CMRI) uses Artificial Intelligence (AI) and OCI Data Science to advance healthcare research in curing children’s cancer. OCI helps CMRI make the most out of their data while improving efficiencies 30-50%.

The 11th Interconnect region between OCI and Azure Cloud is now live in Singapore, providing a private, dedicated low-latency connection and identity federation for multicloud use cases.

Read how this new integration allows you to fully provision your FastConnect virtual circuits with Colt all from a single pane of glass from within the Oracle Cloud Console. This new integration is available for both private and public peerings.

Watch the short video to discover how APL Logistics leveraged OCI to accelerate digitization, and reinvent the user experience of their legacy application, cutting costs and improving time-to-market. Learn more.

Week of May 30th

Earlier this week, Oracle introduced Network Firewall powered by Palo Alto Networks, Oracle Threat Intelligence, Oracle Cloud Guard Threat Detector, Oracle Security Zones, and Oracle Cloud Guard Fusion Applications Detector. Watch this short video to see a demo of all the new services and capabilities and learn more here.

License Manager is a free service that makes it easier for you to Bring Your Own License (BYOL) to OCI with the following capabilities: Automating the license portability from on-prem license to cloud, tracking license utilization, and reporting BYOL resources that have licensing needs.

The new API Usage Plans provide organizations with insights into how their APIs are used by their internal developers and across their external ecosystem. In addition to monitoring their usage, organizations can also unlock new revenue streams by monetizing their APIs with usage plans and subscriptions.

For Premier League, data is bringing fans closer to the game. By leveraging OCI Data Science, Autonomous Data Warehouse and Analytics, they are able to brag and root for their favorite players and teams in new and exciting ways. In fact, data was used as the key driver in two new awards added this year, Most Improbable Comeback and Most Powerful Goal. Billions of data points across the season were crunched to confirm the winners… and this is just the start! Check out how this is calculated here.

Week of May 23rd

As more companies adopt multiple cloud providers to run their applications, you can now seamlessly connect Azure services, like Analytics and AI to Oracle Cloud services. Today, we have over 10 OCI and Azure cloud interconnect regions with more to come. See this latest reference architecture for PeopleSoft on OCI that includes a DR site on Azure.

Maven security scanning is now available as part of build pipelines in the OCI DevOps service, as well as Helm chart deployments to Kubernetes clusters. We’ve also improved our other developer tools, with the new Interactive Mode in the OCI CLI, and added Bitbucket Cloud support to the code repo (in addition to the available GitHub and GitLab connectors).

Researchers in the University of Melbourne ingest, analyze and make predictions based on data from large volumes of Raspberry Pi edge IoT devices. Read this blog to discover their architecture, and watch the short video for an interesting example of running FoguBus2 on OCI, leveraging Oracle Autonomous Data Warehouse and Oracle Machine Learning.

Week of May 16th

Easily ingest, search, visualize, and analyze data using OCI Search service for OpenSearch, a high-performance solution with none of the management overhead.

Multicloud architectures allow organizations to leverage the best services from each cloud along with consistent deployment and management of workloads across environments. Check out our recent article on TechCrunch, as well as the new multicloud reference architecture and offering to help you navigate the brave new world of multicloud.

PUNCH Torino, formerly the global center of excellence for General Motors (GM), is using OCI High-Performance Computing (HPC) to design, model and simulate the next generation of zero-emission engines. Watch the short video to discover the architecture for their solution for predicting flow distribution, pressure loss, heat transfer, and combustion, as well as their performance on OCI.

Accelerate the diagnosis of network issues with Virtual Test Access Point (VTAP), a new network troubleshooting service that automatically copies traffic traversing a specific point in the network and sends it to a packet collector or network analytics tool for further analysis.

Watch the video to discover their architecture combining remote desktop server, Autonomous Database (ADB) and APEX.

Disclaimer: The views expressed on this document are my own and do not necessarily reflect the views of Oracle.

How does Oracle OCI proactively protect customer workloads in the cloud from day one?

Current Challenge

Customer engineers responsible for provisioning cloud resources might not be aware of, or well trained in, the best security configuration to use as part of their cloud implementation. If security is not followed from the starting phase, it becomes very difficult to address later during the cloud go-live, and it often turns into a reactive approach. A proactive approach to addressing security from the start has been missing in many CSPs.

Oracle is helping to shift more of the security responsibilities from the customer to the cloud provider. 

Oracle OCI Gen2 Cloud is built from the ground up with built-in, always-on security and a zero-trust security model.

Oracle Security Zones

A service that helps ensure customers implement Oracle’s best practices for security by enforcing them from the start and removing the chance of configuration drift or someone violating them later. This brings clarity regarding what is needed to meet their security needs and removes guesswork from the equation when it comes to implementation.

Security Zones let you be confident that your resources in Oracle Cloud Infrastructure, including Compute, Networking, Object Storage, and Database resources, comply with Oracle security principles.

Access the Security Zone in OCI

Security zone: An association between a compartment and a security zone recipe. Resource operations in a security zone are validated against all policies in the recipe.

Security zone recipe: A collection of security zone policies.

Security zone policy: A security requirement for resources in a security zone.

When you create and update resources in a security zone, OCI validates these operations against the list of policies defined in the security zone recipe.

High Level Proposed Architecture

Creating Security Zone

Your tenancy has a predefined recipe named “Maximum Security Recipe”, which includes all available security zone policies. Oracle manages this recipe and you can’t modify it.

In general, security zone policies align with these security principles:

  1. Resources can’t be moved from a security zone to a standard compartment because it might be less secure.
  2. Data in a security zone can’t be copied to a standard compartment because it might be less secure.
  3. All the required components for a resource in a security zone must also be located in a security zone. Resources that are not in a security zone might be vulnerable. For example, a compute instance in a security zone can’t use a boot volume that is not in a security zone.
  4. Resources in a security zone must not be accessible from the public internet.
  5. Resources in a security zone must be encrypted using customer-managed keys.
  6. Resources in a security zone must be regularly and automatically backed up.
  7. Resources in a security zone must use only configurations and templates approved by Oracle.

A security zone policy differs from an IAM policy in the following ways:

  • Administrators create IAM policies to grant users the ability to manage certain resources in a compartment.
  • A security zone policy ensures that these management operations comply with the Oracle maximum security architecture and best practices.
  • A security zone policy is validated regardless of which user is performing the operation.
  • A security zone policy denies certain actions; it doesn’t grant capabilities.
  • Administrators can’t create, modify, or disable security zone policies.

Verify the Security Zone

  1. You can’t create a bucket without customer-managed keys. The Console suggests that you follow the workflow to create a secure bucket.
  2. You can’t create a public bucket in a security zone.
  3. You can’t move a bucket from a security zone to a standard compartment.
  4. You can’t add an Internet Gateway in a security zone.
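The checks above, as an added example that is not OCI's or the Security Zones service's own code: a deny-only policy evaluator that mirrors how a recipe is applied to a resource operation regardless of the caller. The Request shape, the policy names and the placeholder key OCID are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class Request:
    """A resource operation about to be validated (constructed shape, hypothetical)."""
    action: str                        # "create_bucket", "move_bucket", "create_internet_gateway", ...
    compartment_in_zone: bool          # is the compartment attached to a security zone recipe?
    target_in_zone: bool = True        # for move operations: is the destination in a security zone too?
    public_access: bool = False        # bucket visibility requested by the caller
    kms_key_id: Optional[str] = None   # customer-managed key OCID; None means Oracle-managed encryption


@dataclass
class Verdict:
    allowed: bool
    violations: List[str] = field(default_factory=list)


Policy = Callable[[Request], Optional[str]]   # returns a violation message, or None if compliant


# Security zone policies only deny; none of them grants a capability (that is IAM's job).
def deny_bucket_without_cmk(req: Request) -> Optional[str]:
    if req.action == "create_bucket" and req.kms_key_id is None:
        return "bucket must be encrypted with a customer-managed key from Vault"
    return None


def deny_public_bucket(req: Request) -> Optional[str]:
    if req.action == "create_bucket" and req.public_access:
        return "bucket in a security zone must not be accessible from the public internet"
    return None


def deny_move_to_standard_compartment(req: Request) -> Optional[str]:
    if req.action == "move_bucket" and not req.target_in_zone:
        return "resource cannot be moved to a standard compartment, which might be less secure"
    return None


def deny_internet_gateway(req: Request) -> Optional[str]:
    if req.action == "create_internet_gateway":
        return "Internet Gateway is not allowed inside a security zone"
    return None


# Stand-in for the Oracle-managed "Maximum Security Recipe": every policy, not editable by admins.
MAXIMUM_SECURITY_RECIPE: List[Policy] = [
    deny_bucket_without_cmk,
    deny_public_bucket,
    deny_move_to_standard_compartment,
    deny_internet_gateway,
]


def validate(req: Request, recipe: List[Policy] = MAXIMUM_SECURITY_RECIPE) -> Verdict:
    """Validate one operation against every policy in the recipe.

    No user or group is consulted: a zone policy applies whatever IAM grants the caller.
    A standard (non-zone) compartment has no recipe, so nothing here applies to it.
    """
    if not req.compartment_in_zone:
        return Verdict(allowed=True)
    violations = [msg for policy in recipe if (msg := policy(req)) is not None]
    return Verdict(allowed=not violations, violations=violations)


if __name__ == "__main__":
    # Walk through the same four checks as the post, with a constructed placeholder key OCID.
    cases = [
        Request("create_bucket", compartment_in_zone=True),
        Request("create_bucket", compartment_in_zone=True, public_access=True,
                kms_key_id="ocid1.key.EXAMPLE-PLACEHOLDER"),
        Request("move_bucket", compartment_in_zone=True, target_in_zone=False),
        Request("create_internet_gateway", compartment_in_zone=True),
        Request("create_internet_gateway", compartment_in_zone=False),
    ]
    for case in cases:
        print(case.action, validate(case))
```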

Reference Architecture

OCI Documentation

Thank you for visiting this blog.

Disclaimer: The views expressed on this blog are my own and do not reflect the views of the companies I work for. The opinions given by visitors on this site are their own opinions.

Keep your cloud operation costs lower with the Oracle Bastion Service

Organization Challenges

We all know that customer infrastructure should not be publicly accessible from the Internet, but at the same time any authenticated and regulated operator should be able to access that infrastructure.

Today, customers whose target resources are in the cloud are forced to use certain access networking patterns because of the absence of a native access service: either they keep everything in a private subnet, or they launch a jump box in a public subnet.

Then they have to adjust security rules, routing rules and similar settings, and add the operators’ public SSH keys to that jump box so the operators can hop through it into their target resources.

The disadvantages of these access networking patterns are:

  1. The connections that are established are persistent, which definitely decreases your security posture because the attack surface is open for a long period of time.
  2. The operational overhead of hardening these jump boxes, patching them periodically, and at the same time taking care of availability so your operators can get into your mission-critical workloads all falls on the customer.
  3. Such architectures work if you have a couple of resources here and there, but as your organization scales up they become very difficult to maintain, and there is always a risk of a security loophole. Security should be easy.
  4. These jump boxes run 24×7, so customers definitely have to pay for running them.
  5. There is no auditability, so as a customer you don’t know who got into which target resource.
  6. Even with the best efforts customers put in, this whole architecture is not controlled through IAM. Whichever operator has the SSH keys for the jump box has access to your target resources forever, so the life-cycle management of who can access your target resources is very difficult to maintain.

Oracle Cloud Infrastructure Bastion Service

To solve these issues, Oracle has created a fully managed service, the OCI Bastion service, which helps improve the security posture of your resources in OCI by providing secure, ephemeral access to your private target resources. You receive the service free of cost: this is a very core piece of infrastructure security, and you don’t have to choose between cost and security.

Access to target resources via OCI Bastion is time-bound, which definitely helps increase your overall security posture. Access is also governed by OCI IAM policies, so only users who have the right IAM policies can access your target resources. Once they leave the organization, all you have to do is remove those users from your IAM groups, and you’re done. You don’t have to do anything beyond that.

You can also restrict incoming SSH connections to certain IPv4 address ranges. Administrative actions, like who created, deleted, updated or fetched a bastion or session and when, are recorded in the OCI Events and Audit services and also in Cloud Guard.

End users on their on-premises laptops, desktops or workstations can use any OpenSSH client; they access the Bastion service as a pass-through to get into their target resources.

Use Cases

OCI Bastion is built on top of OpenSSH, so whatever is possible with OpenSSH is possible with this service.

The types of target resources supported by OCI Bastion are:

Private target compute hosts running either native OCI images or custom Linux images, and Windows OS.

Autonomous Transaction Processing, Autonomous Data Warehouse, MySQL DB and OKE (Kubernetes) instances.

You can manage the bastions and sessions created via the service. At any point in time, if you see that a session has gone malicious, or that you are under attack, you can simply delete the sessions, pick out those malicious users, or delete the whole bastion to protect your target resources. You have all of those capabilities.

Once a session is created, customers can use the session metadata to tunnel into the target resources via the bastion from their on-premises terminals.

You can use OCI Bastion to access your private target resources in OCI irrespective of whether the target resource has the Oracle Cloud Agent installed or not.

The session type depends on the target host.

Managed SSH sessions can only be created for a target host that is a Compute instance configured to run both the Oracle Cloud Agent and an OpenSSH server.

SSH port forwarding sessions do not require a running Oracle Cloud Agent or OpenSSH server on the target host, and can be used with resources like Autonomous Transaction Processing databases.
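The two session types and the time-bound access described above, as an added example that is not the Bastion service's own tooling: it builds the OpenSSH command for each session type from session metadata and refuses to build one for an expired session. It assumes the connect conventions the Console shows for a session (the session OCID as the SSH user name, the endpoint host.bastion.<region>.oci.oraclecloud.com); the Session class and every sample value are constructed, so verify against the connect command on your own session page.

```python
import ipaddress
import shlex
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

BASTION_ENDPOINT = "host.bastion.{region}.oci.oraclecloud.com"   # assumed; check the Console's connect command
SESSION_TYPES = {"MANAGED_SSH", "PORT_FORWARDING"}


@dataclass
class Session:
    """Session metadata an operator copies from the Console (constructed shape)."""
    session_id: str           # session OCID, used as the SSH user name
    region: str               # e.g. "us-ashburn-1"
    session_type: str         # "MANAGED_SSH" or "PORT_FORWARDING"
    target_ip: str            # private IP of the target resource
    target_port: int
    created_at: datetime      # timezone-aware
    ttl_seconds: int          # sessions are time-bound; access ends at expiry
    target_os_user: str = ""  # OS user on the target; MANAGED_SSH only

    def expires_at(self) -> datetime:
        return self.created_at + timedelta(seconds=self.ttl_seconds)

    def is_active(self, now: Optional[datetime] = None) -> bool:
        return (now or datetime.now(timezone.utc)) < self.expires_at()


def _validate(session: Session, now: Optional[datetime]) -> None:
    """Reject inputs that could never produce a working tunnel."""
    if session.session_type not in SESSION_TYPES:
        raise ValueError(f"unknown session type {session.session_type!r}")
    ipaddress.IPv4Address(session.target_ip)   # raises on anything that is not an IPv4 address
    if not 1 <= session.target_port <= 65535:
        raise ValueError("target port out of range")
    if session.session_type == "MANAGED_SSH" and not session.target_os_user:
        raise ValueError("managed SSH session needs the target OS user name")
    if not session.is_active(now):
        raise ValueError(f"session expired at {session.expires_at().isoformat()}")


def managed_ssh_command(session: Session, private_key: str,
                        now: Optional[datetime] = None) -> List[str]:
    """ssh -i KEY -o ProxyCommand="ssh -i KEY -W %h:%p -p 22 SESSION@BASTION" -p PORT USER@TARGET"""
    _validate(session, now)
    if session.session_type != "MANAGED_SSH":
        raise ValueError("not a managed SSH session")
    bastion = BASTION_ENDPOINT.format(region=session.region)
    proxy = f"ssh -i {private_key} -W %h:%p -p 22 {session.session_id}@{bastion}"
    return ["ssh", "-i", private_key, "-o", f"ProxyCommand={proxy}",
            "-p", str(session.target_port), f"{session.target_os_user}@{session.target_ip}"]


def port_forwarding_command(session: Session, private_key: str, local_port: int,
                            now: Optional[datetime] = None) -> List[str]:
    """ssh -i KEY -N -L LOCAL:TARGET_IP:TARGET_PORT -p 22 SESSION@BASTION (no agent on the target)"""
    _validate(session, now)
    if session.session_type != "PORT_FORWARDING":
        raise ValueError("not a port forwarding session")
    if not 1 <= local_port <= 65535:
        raise ValueError("local port out of range")
    bastion = BASTION_ENDPOINT.format(region=session.region)
    return ["ssh", "-i", private_key, "-N", "-L",
            f"{local_port}:{session.target_ip}:{session.target_port}",
            "-p", "22", f"{session.session_id}@{bastion}"]


def render(argv: List[str]) -> str:
    """Shell-quote the argv for pasting; the ProxyCommand value contains spaces."""
    return shlex.join(argv)


# Constructed sample metadata with a placeholder OCID; not a real session.
SAMPLE_CREATED = datetime(2022, 8, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_TTL = 3600
SAMPLE_EXPIRED_AT = SAMPLE_CREATED + timedelta(seconds=SAMPLE_TTL)


def sample_session(session_type: str) -> Session:
    port, user = (22, "opc") if session_type == "MANAGED_SSH" else (3389, "")
    return Session("ocid1.bastionsession.EXAMPLE-PLACEHOLDER", "us-ashburn-1", session_type,
                   "10.0.1.10", port, SAMPLE_CREATED, SAMPLE_TTL, user)


if __name__ == "__main__":
    # RDP to a Windows target through a port forwarding session, and a managed SSH session to Linux
    print(render(port_forwarding_command(sample_session("PORT_FORWARDING"), "key.pem", 3389,
                                         now=SAMPLE_CREATED)))
    print(render(managed_ssh_command(sample_session("MANAGED_SSH"), "key.pem", now=SAMPLE_CREATED)))
```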

High Level Architecture

HOW TO USE OCI BASTION?

Go to Identity & Security and choose Bastion.

Create Compute Resource

Create Bastion Resource

Create Managed SSH Session

Create Session Port Forwarding

Access Windows Server using Session Port Forwarding

Reference architecture

OCI Documentation


How to protect your application servers or containers in the cloud?

Most industries have compliance and regulatory requirements from governments or standards bodies, varying from industry to industry, for maintaining security standards as part of application service delivery to end users. Security is therefore a crucial decision factor before an application goes live in most industries today.

I have seen customers validate the security issues in their app server images and application packages or builds before they go live in production. Traditionally, customers rely on security scanning tools like Nessus, OpenVAS, OpenSCAP, Nmap, Wireshark and Metasploit, but the real challenges for customers start when they have large-scale deployments and the overhead of keeping those tools operating to meet the security SLA. Also, with the cloud, more and more responsibility rests on the customer.

Vulnerability scanning is a common compliance requirement (e.g., NIST 800-53 Rev.4 FISMA) for customers and a recommended security best practice for all organizations.

Challenges

Customers face challenges with scanning due to:

1. Disjointed vulnerability scanning tools—often, customers will buy or license multiple tools for scanning instances, containers, and applications. The total cost can add up, leaving customers to choose between cost and security.

2. Lots of manual processes to correct vulnerabilities—customers must deploy, configure, and upgrade agents on their fleets, with large operational pain and the potential for misconfiguration due to human error.

3. Large volume of alerts with a high false positive rate—vulnerability reports can overwhelm customers with “noise”. Too many false positive findings will cause customers to get lost in the volume or become accustomed to it. As a result, this can lengthen the time to resolution for critical issues or, even worse, these critical issues can go unacknowledged.

Vulnerability Scanning Service

Oracle Cloud Infrastructure Vulnerability Scanning Service (OCI VSS) is simple, prescriptive, and tightly integrated with the OCI platform. VSS is available to all OCI customers that have paid accounts at no additional cost. The scanning platform includes default plugins and engines for instance and container scanning.

The Scanning service can identify several types of security issues in your compute instances:

  • Ports that are unintentionally left open, which might be a potential attack vector to your cloud resources or enable hackers to exploit other vulnerabilities
  • OS packages that require updates and patches to address vulnerabilities
  • OS configurations that hackers might exploit
  • Non-compliance with industry-standard benchmarks published by the Center for Internet Security (CIS)

The Scanning service checks hosts for compliance with the section 5 (Access, Authentication, and Authorization) benchmarks defined for Distribution Independent Linux.
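As an added example that is not the Scanning service's own rules or the CIS benchmark text, the kind of check a host scan and a port scan perform, run locally over a constructed sshd_config and a constructed `ss -ltn` listing. The keyword set, risk levels and port allow-list are illustrative choices, and it goes slightly beyond the page by resolving OpenSSH defaults for keywords that are not set.

```python
import re
from typing import Dict, List, Set

# Expected value and risk level for a handful of sshd keywords (illustrative subset of section 5).
SSHD_EXPECTED = {
    "permitrootlogin": ("no", "HIGH"),
    "permitemptypasswords": ("no", "HIGH"),
    "passwordauthentication": ("no", "MEDIUM"),
    "x11forwarding": ("no", "LOW"),
}
MAX_AUTH_TRIES = 4   # upper bound applied to MaxAuthTries
# OpenSSH defaults used when a keyword is absent (see sshd_config(5)).
SSHD_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
    "passwordauthentication": "yes",
    "x11forwarding": "no",
    "maxauthtries": "6",
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Effective keyword values: sshd uses the first occurrence of a keyword; comments ignored."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit_sshd(text: str) -> List[dict]:
    """One finding per expectation the effective configuration does not meet."""
    effective = {**SSHD_DEFAULTS, **parse_sshd_config(text)}
    findings = []
    for key, (want, risk) in SSHD_EXPECTED.items():
        got = effective.get(key, "")
        if got.lower() != want:
            findings.append({"check": key, "observed": got, "expected": want, "risk": risk})
    tries = effective.get("maxauthtries", "")
    if not tries.isdigit() or int(tries) > MAX_AUTH_TRIES:
        findings.append({"check": "maxauthtries", "observed": tries,
                         "expected": f"<= {MAX_AUTH_TRIES}", "risk": "MEDIUM"})
    return findings


def parse_listening_ports(ss_output: str) -> List[int]:
    """TCP listening ports from `ss -ltn` style output; the local address is the 4th column."""
    ports = set()
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) >= 4 and cols[0] == "LISTEN":
            ports.add(int(cols[3].rsplit(":", 1)[1]))
    return sorted(ports)


def audit_ports(ss_output: str, allowed: Set[int]) -> List[dict]:
    """Flag every listening port not on the allow-list as an unintended exposure."""
    return [{"check": "open_port", "observed": str(p), "expected": "closed", "risk": "MEDIUM"}
            for p in parse_listening_ports(ss_output) if p not in allowed]


# Constructed sample inputs: a weak sshd_config and a socket listing with an unexpected listener.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
MaxAuthTries 10
PasswordAuthentication no
PermitRootLogin no    # ignored: sshd keeps the first value
"""
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    127.0.0.1:25       0.0.0.0:*
LISTEN 0      4096   0.0.0.0:8080       0.0.0.0:*
"""

if __name__ == "__main__":
    for f in audit_sshd(SAMPLE_SSHD_CONFIG) + audit_ports(SAMPLE_SS_OUTPUT, allowed={22, 25}):
        print(f"{f['risk']:<7} {f['check']}: observed {f['observed']!r}, expected {f['expected']}")
```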

The Scanning service can scan individual compute instances, or it can scan all compute instances within a compartment and its subcompartments. If you configure the Scanning service at the root compartment, then all compute instances in the entire tenancy are scanned.

The Scanning service detects vulnerabilities in the following platforms:

  1. Oracle Linux
  2. CentOS
  3. Ubuntu
  4. Windows (no CIS benchmarks)

Oracle Vulnerability Scanning Service helps improve your security posture in Oracle Cloud by routinely checking hosts for potential vulnerabilities. The service generates reports with metrics and details about these vulnerabilities.

High Level Architecture

Key Service Concept

Scan Recipe

Scanning parameters for a type of cloud resource, including what information to examine and how often.

Target

One or more cloud resources that you want to scan using a specific recipe. Resources in a target are of the same type, such as compute instances.

Host Scan

Metrics about a specific cloud resource that was scanned, including the vulnerabilities that were found, their risk levels, and CIS benchmark compliance. The Scanning service uses a host agent to detect these vulnerabilities.

Port Scan

Open ports that were detected on a specific cloud resource that was scanned. The Scanning service can detect open ports using a host agent, or using a network mapper that searches your public IP addresses.

Vulnerabilities Report

Information about a specific type of vulnerability that was detected in one or more targets, like a missing update for an OS package.

Integration with Cloud Guard

You can view security vulnerabilities identified by the Scanning service in Cloud Guard. Cloud Guard alerting can help customers reduce the time from detection to remediation.

Access the Service from OCI Console

Configure the VSS for your tenancy or specific compartment

Create Compute Resource

Result & Remediate

Reference Resources

Whitepaper

Reference architecture

OCI Documentation


Quick Start for OCI Vault

Historically, customers have stored master encryption keys and secrets in server configuration files or in code. As we all know, “Data Is the New Oil of the Digital Economy”. In the cloud, customers can choose the best option to secure their data, and that is why the cloud is a more secure platform than on-premises.

In this article we will focus on the overview of service – OCI Vault, the types of offering based on the use case, key capabilities and how to use the Vault with various OCI services.

The Vault service helps you centrally manage the encryption keys that protect your data and the secret credentials that you use to access resources. Vaults securely store master encryption keys and secrets that you might otherwise store in configuration files or in code.

It lets you centrally manage and control the use of keys and secrets across a wide range of OCI services and applications. OCI Vault is a secure, resilient managed service that lets you focus on your data encryption needs without worrying about time-consuming administrative tasks such as hardware provisioning, software patching, and high availability.

Key Management uses hardware security modules (HSMs) that meet the Federal Information Processing Standards (FIPS) 140-2 Security Level 3 security certification to protect your keys. You can create master encryption keys protected either by HSM or by software. With HSM-protected keys, all cryptographic operations and storage of keys happen inside the HSM. With software-protected keys, your encryption keys are stored and processed in software, but are secured at rest with a root key from the HSM.

The following key management capabilities are available when you use the Vault service.

  • Create your own encryption keys that protect your data
  • Bring your own keys
  • Rotate your keys
  • Support for cross-region backup and restore for your keys
  • Constrain permissions on keys using IAM policies
  • Integration with OCI services: Oracle Autonomous Database, Exadata Databases (without Oracle Data Guard enabled), Oracle Block Storage, Oracle File Storage, Oracle Object Storage, Streaming and Container Engine for Kubernetes

High Level Vault Service Integration Architecture

Get Started with Vault

1. Ensure that the limits for your tenancy allow for creation of the Vault type you intend to create.

2. Ensure that Oracle Identity and Access Management (IAM) policies have been created for the user account to have the necessary permissions to create a Vault. See IAM Policy Reference to construct a statement.

3. You first create a Vault by selecting Security from the Oracle Cloud Infrastructure Console, and then Vault.

Create a Vault and select the one of the two available Vault types that best fits your isolation and processing requirements:

  1. Virtual Private Vault: Choose a Virtual Private Vault if you require increased isolation on the HSM and dedicated processing of encrypt/decrypt operations.
  2. Vault (Default): Choose the default Vault if you are willing to accept moderate isolation (a multitenant partition in the HSM) and shared processing for encrypt/decrypt operations.

4. Create the Master Encryption Key(s) inside your Vault. Master encryption keys can have one of two protection modes: HSM or software.

  • A master encryption key protected by an HSM is stored on an HSM and cannot be exported from the HSM. All cryptographic operations involving the key also happen on the HSM.
  • A master encryption key protected by software is stored on a server and can be exported from the server to perform cryptographic operations on the client instead of on the server. While at rest, the software-protected key is encrypted by a root key on the HSM.

5. Ensure that the IAM policies for the service or entity calling Vault have the necessary permissions.

Example: allow service objectstorage-us-ashburn-1 to use keys in compartment

Use the key(s):

  • With native Oracle Cloud Infrastructure storage: When creating storage (bucket, file, volume), mark with “ENCRYPT USING CUSTOMER-MANAGED KEYS”, then select the Vault and the Master Encryption Key. Data in that bucket/volume/file storage will be encrypted with a data encryption key wrapped with the Master Encryption Key in Vault.
  • With crypto operations, using the Command Line Interface (CLI) as an example: oci kms crypto encrypt --key-id --plaintext
  • Crypto operations are available in SDK and API as well. For more details, see Overview of Vault in the documentation.

6. Monitor your usage of operations with metrics in the Console and the Monitoring service. See the metrics and dimensions.

Using Keys

You can directly submit data to Key Management APIs to encrypt and decrypt using your master encryption keys stored in the Vault.

Also, you can encrypt your data locally within your applications and OCI services using a method known as envelope encryption.

With envelope encryption, you generate and retrieve Data Encryption Keys (DEKs) from the Key Management APIs. DEKs are not stored or managed in the Key Management service but are encrypted by your Master Encryption Key. Your applications use the DEK to encrypt your data and store the encrypted DEK along with the data. When your applications want to decrypt the data, they call the Key Management decrypt API on the encrypted DEK to retrieve the plaintext DEK, and can then decrypt the data locally with it.

Key Management supports sending up to 4 KB of data to be encrypted directly. In addition, envelope encryption can offer significant performance benefits. When you encrypt data directly with Key Management APIs, it must be transferred over the network. Envelope encryption reduces the network load since only the request and delivery of the much smaller DEK go over the network. The DEK is used locally in your application or encrypting OCI service, avoiding the need to send the entire block of data.
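Envelope encryption as described above, as an added example that is not the OCI SDK: VaultStandIn plays the Key Management API (the master key is never returned, direct encrypt is capped at 4 KB, a DEK is issued as a plaintext/wrapped pair) and the application encrypts locally under the DEK. The cipher is an HMAC-SHA256 counter-mode stand-in with an encrypt-then-MAC tag so the example runs on the standard library alone; the real service uses AES inside the HSM. Key OCIDs and data are constructed.

```python
# Stand-in Key Management API plus an application-side envelope; nothing here is the OCI SDK.
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Tuple

DIRECT_ENCRYPT_LIMIT = 4096   # bytes Key Management accepts in one direct encrypt call (per the post)
NONCE_LEN, TAG_LEN, BLOCK = 16, 32, 32


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with HMAC-SHA256(key, nonce || counter) blocks; symmetric, so it also decrypts."""
    out = bytearray()
    for i, start in enumerate(range(0, len(data), BLOCK)):
        block = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + BLOCK], block))
    return bytes(out)


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    """Separate encryption and MAC keys derived from one key."""
    return hashlib.sha256(b"enc|" + key).digest(), hashlib.sha256(b"mac|" + key).digest()


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Authenticated encryption stand-in: nonce || ciphertext || HMAC tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ciphertext = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; any tampering raises ValueError."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return _keystream_xor(enc_key, nonce, ciphertext)


class VaultStandIn:
    """Minimal Key Management API: master keys never leave this object, as HSM keys never leave the HSM."""

    def __init__(self) -> None:
        self._master_keys: Dict[str, bytes] = {}

    def create_master_key(self, name: str) -> str:
        key_id = f"ocid1.key.EXAMPLE-PLACEHOLDER.{name}"   # constructed, not a real OCID
        self._master_keys[key_id] = os.urandom(32)
        return key_id

    def encrypt(self, key_id: str, plaintext: bytes) -> bytes:
        """Direct encryption: the whole plaintext crosses the network, so it is capped at 4 KB."""
        if len(plaintext) > DIRECT_ENCRYPT_LIMIT:
            raise ValueError(f"direct encrypt limited to {DIRECT_ENCRYPT_LIMIT} bytes; use a DEK")
        return seal(self._master_keys[key_id], plaintext)

    def decrypt(self, key_id: str, blob: bytes) -> bytes:
        return open_sealed(self._master_keys[key_id], blob)

    def generate_data_encryption_key(self, key_id: str) -> Tuple[bytes, bytes]:
        """Return (plaintext DEK, DEK wrapped by the master key); the service stores neither."""
        dek = os.urandom(32)
        return dek, seal(self._master_keys[key_id], dek)


@dataclass
class Envelope:
    key_id: str          # which master key wraps the DEK
    wrapped_dek: bytes   # stored alongside the data
    ciphertext: bytes    # data encrypted locally under the DEK


def envelope_encrypt(vault: VaultStandIn, key_id: str, data: bytes) -> Envelope:
    """Only the DEK request goes to the service; the data itself never leaves the application."""
    dek, wrapped = vault.generate_data_encryption_key(key_id)
    return Envelope(key_id, wrapped, seal(dek, data))


def envelope_decrypt(vault: VaultStandIn, env: Envelope) -> bytes:
    """Unwrap the DEK through the service (one small round trip), then decrypt locally."""
    dek = vault.decrypt(env.key_id, env.wrapped_dek)
    return open_sealed(dek, env.ciphertext)
```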

OCI offers customers two encryption choices when provisioning resources.

Oracle-Managed is the default encryption for many OCI services. Oracle-Managed means data will be encrypted at rest with an encryption key whose lifecycle management is controlled by Oracle. Customers who don’t want to manage or access their encryption keys and are looking for the easiest way to protect all their data stored in OCI can choose Oracle-Managed encryption.

Customer-Managed encryption is offered by OCI Vault—Key Management service where the customer controls and manages the keys that protect their data. In addition, customers who require elevated security and FIPS 140-2 Level 3 protection to meet compliance choose Customer Managed as the encryption keys are stored in hardware security modules (HSMs).

Create Resource with OCI Vault

For more information, see OCI Documentation 

Reference OCI Vault FAQ


OCI DRG functionality expanded in Oracle Cloud

DRG functionality has been expanded to include the following capabilities:

  • You can attach a DRG to more than one VCN to provide inter-VCN network connectivity. VCNs can be in the same or different tenancies.
  • You can now assign a different route table and policy to each network resource attached to your DRG, enabling granular routing control. For instance, by connecting all your VCNs and on-premises networks to a single DRG used as a “hub,” you have a single central gateway to configure traffic routing and Layer 3 isolation. One possible use case of a routing policy is directing all traffic passing through the DRG to a network virtual appliance or firewall.
  • Your on-premises network connected to a DRG in one region can access networks connected to a DRG in a different region using a remote peering connection (RPC).
  • You can now enable equal cost multi-path (ECMP) routing towards your IPSec VPN and FastConnect connections to support active-active scenarios. ECMP is controlled on a per route table basis.
  • Remote peering connections can now connect DRGs in the same region or different tenancies.

Use case demonstration in Oracle Blog

Introducing global connectivity and enhanced cloud networking with the dynamic routing gateway

Latest OCI Release Notes update

OCI Networking Release Notes

Exadata Storage expansion

I got a chance to explore and be involved in this DBMA task. In this article, I will summarize and walk through a procedure for adding a new cell to an existing Exadata Database Machine.

Most of us know the capabilities that Exadata Database Machine delivers. It’s a known fact that Exadata comes in different fixed rack-size capacities:

    • 1/8 rack (2 db nodes, 3 cells),
    • quarter rack (2 db nodes, 3 cells),
    • half rack (4 db nodes, 7 cells) and
    • full rack (8 db nodes, 14 cells). 

When you want to expand the capacity, it must be in fixed sizes as well: 1/8 to quarter, quarter to half, and half to full.

With the Exadata X5 Elastic configuration, one can also have customized sizing by extending the capacity of the rack by adding any number of DB servers or storage servers, or a combination of both, up to the maximum allowed capacity in the rack.

Preparing to Extend Exadata Database Machine


[0] Validate the environment
Before starting the activity, collect the Exachk report and validate the environment.
Also, verify the current cell alerts, if any:

dcli -g /root/cell_group -l root "cellcli -e list alerthistory where endTime=null and alertShortName=Hardware and alertType=stateful and severity=critical"

[1] Ensure the hardware is placed in the rack and all necessary network and cabling requirements are completed
(2 IPs from the management network are required for the new cell).

[2] Re-image or upgrade the cell image

2.1 Extract the imageinfo from one of the existing cell servers.
2.2 Log in to the new cell through ILOM, connect to the console as the root user and get the imageinfo.
2.3 If the image version on the new cell doesn’t match the existing image version, either download the
exact image version and re-image the new cell, or upgrade the image on the existing servers.

Review “MOS Doc ID 2151671.1” if you want to reimage the new cell.

[3] Add the IP addresses acquired for the new cell to the /etc/oracle/cell/network-config/cellip.ora file on each DB node.

To do this, perform the steps below from the first DB server in the cluster:

cd /etc/oracle/cell/network-config
cp cellip.ora cellip.ora.orig
cp cellip.ora cellip.ora-bak

[4] If ASR alerting was set up on the existing storage cells, configure cell ASR alerting for the cell being added.

List the cell attributes required for configuring cell ASR alerting.
Run the following command from any existing storage grid cell:

CellCLI> list cell attributes snmpsubscriber

Apply the same SNMP values to the new cell by running the command below as the celladmin user,
as shown in this example:

CellCLI> alter cell snmpSubscriber=((host='10.20.14.21',port=162,community=public))

[5] Configure cell alerting for the cell being added.

List the cell attributes required for configuring cell alerting.
Run the following command from any existing storage grid cell:

CellCLI> list cell attributes notificationMethod,notificationPolicy,
smtpToAddr,smtpFrom,smtpFromAddr,smtpServer,smtpUseSSL,smtpPort

Apply the same values to the new cell by running the command below as the celladmin user,
as shown in this example:

CellCLI> alter cell notificationmethod='mail,snmp',notificationpolicy='critical,warning,clear',
smtptoaddr= 'dba@email.com',smtpfrom='Exadata',smtpfromaddr='dba@email.com',smtpserver='10.20.14.21',
smtpusessl=FALSE,smtpport=25

[6] Create cell disks on the cell being added

Log in to the cell as celladmin and run the following command:

CellCLI> create celldisk all

[7] Check that the flash log was created by default:

CellCLI> list flashlog

You should see the name of the flash log. It should look like cellnodename_FLASHLOG, and its status should be “normal”. If the flash log does not exist, create it using:

CellCLI> create flashlog all

[8] Check the current flash cache mode and compare it to the flash cache mode on existing cells:

CellCLI> list cell attributes flashcachemode

To change the flash cache mode to match the flash cache mode of existing cells, do the following:

1. If the flash cache exists and the cell is in WriteBack flash cache mode, you must first flush the flash cache:

CellCLI> alter flashcache all flush

Wait for the command to return.

2. Drop the flash cache:

CellCLI> drop flashcache all

3. Change the flash cache mode:

CellCLI> alter cell flashCacheMode=writeback

The value of the flashCacheMode attribute is either writeback or writethrough.
The value must match the flash cache mode of the other storage cells in the cluster.

4. Create the flash cache:

CellCLI> create flashcache all

[9] Create grid disks on the cell being added.

Query the size and cachingpolicy of the existing grid disks from an existing cell:

CellCLI> list griddisk attributes name,asmDiskGroupName,cachingpolicy,size,offset

  • For each disk group found by the above command, create grid disks on the new cell that is being added to the cluster.
  • Match the size and the cachingpolicy of the existing grid disks for the disk group reported by the command above.
  • Grid disks should be created in the order of increasing offset to ensure similar layout and performance characteristics as the existing cells.
  • For example, the “list griddisk” command could return something like this:

DATAC1   default  5.6953125T          32M
DBFS_DG  default  33.796875G          7.1192474365234375T
RECOC1   none     1.42388916015625T   5.6953582763671875T

When creating grid disks, begin with DATAC1, then RECOC1, and finally DBFS_DG using the following command:

CellCLI> create griddisk ALL HARDDISK PREFIX=DATAC1, size=5.6953125T, cachingpolicy='default',
comment="Cluster cluster-clux6 DR diskgroup DATAC1"

CellCLI> create griddisk ALL HARDDISK PREFIX=RECOC1,size=1.42388916015625T, cachingpolicy='none',
comment="Cluster cluster-clux6 DR diskgroup RECOC1"

CellCLI> create griddisk ALL HARDDISK PREFIX=DBFS_DG,size=33.796875G, cachingpolicy='default',
comment="Cluster cluster-clux6 DR diskgroup DBFS_DG"

CAUTION: Be sure to specify the EXACT size shown along with the unit (either T or G).

[10] Verify the newly created grid disks are visible from the Oracle RAC nodes.
Log in to each Oracle RAC node and run the following command:

$GI_HOME/bin/kfod op=disks disks=all | grep cellName_being_added

This should list all the grid disks created as above.

[11] Add the newly created grid disks to the respective existing ASM disk groups.

ALTER DISKGROUP disk_group_name ADD DISK 'comma_separated_disk_names';

The command above kicks off an ASM rebalance at the default power level.
Monitor the progress of the rebalance by querying gv$asm_operation:

SQL> select * from gv$asm_operation;

Once the rebalance completes, the addition of the cell to the Oracle RAC is complete.

[12] Run the latest Exachk to ensure that the resulting configuration implements the latest best practices for Oracle Exadata.

Thank you Oracle ACE Syed Jaffar Hussain for sharing his experience


Manually take an ILOM snapshot

A DBMA has to collect an ILOM snapshot at the request of Oracle Support; many of you might have been asked by Oracle Support to provide an ILOM snapshot to troubleshoot Exadata hardware issues.

I had to diagnose a hardware issue recently and was not able to use the web interface because of a firewall issue. Fortunately, you can generate an ILOM snapshot using the following CLI method.

[1] Let’s connect and set the snapshot type to normal.

Step 1 : Login to ILOM using root user.

[root@myclusterdb01 ~]# ssh myclustercel05-ilom
Password:
Oracle(R) Integrated Lights Out Manager
Version 3.2.7.30.a r112904
Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
Warning: HTTPS certificate is set to factory default.
Hostname: myclustercel05-ilom

Step 2: Set the snapshot dataset to normal.

-> set /SP/diag/snapshot dataset=normal
Set 'dataset' to 'normal'

Step 3: Set the snapshot output location.

-> set /SP/diag/snapshot dump_uri=sftp://root:"password!"@10.21.101.22/tmp

Set 'dump_uri' to 'sftp://root:"password!"@10.21.101.22/tmp'

Step 4: Change directory to the snapshot target.

-> cd /SP/diag/snapshot
/SP/diag/snapshot

Step 5: Check the status of the snapshot and make sure it is running.

-> show
/SP/diag/snapshot

Targets:
Properties:
dataset = normal
dump_uri = (Cannot show property)
encrypt_output = false
result = Running

Step 6: Keep checking the status until it has completed. This may take up to 10 minutes.

-> show
/SP/diag/snapshot
Targets:

Properties:
dataset = normal
dump_uri = (Cannot show property)
encrypt_output = false
result = Collecting data into sftp://oracle@10.21.101.22/etc/snapshot/exa01dbadm01-ilom_XXXX30AG_2018-09-14T23-04-46.zip

TIMEOUT: /usr/local/bin/spshexec show /SP/bootlist
TIMEOUT: /usr/local/bin/create_ueficfg_xml

Snapshot Complete.
Done.

Step 7: Upload the file to Oracle Support.

oracle@10.21.101.22/tmp/exa01dbadm01-ilom_XXXX30AG_2018-09-14T23-04-46.zip

[2] Let's connect and set the snapshot type to full:

A full ILOM snapshot (which is the one Oracle Support will most likely ask you for) may (yes, "may") reset the host, as per the documentation:
Note – Using this option might reset the host operating system.
"Reset the host" here means rebooting the host.

Fred mentioned in his blog that he has done it a few times on production cells and they have never rebooted, but this is something to keep in mind if you are asked to take a full ILOM snapshot of a database server. Indeed, a cell reboot would be transparent, but it is a different story with a database server.

[root@myclusterdb01 ~]# ssh myclustercel05-ilom
Password:
Oracle(R) Integrated Lights Out Manager
Version 3.2.7.30.a r112904
Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
Warning: HTTPS certificate is set to factory default.
Hostname: myclustercel05-ilom
-> set /SP/diag/snapshot dataset=full

Set 'dataset' to 'full'

->

Then start the ILOM snapshot, giving the IP of the target system the snapshot will be copied to and that system's root password (it copies the ILOM snapshot into /tmp in the example below):

-> set /SP/diag/snapshot dump_uri=sftp://root:root_password@10.11.12.13/tmp
Collecting a "full" dataset may reset the host. Are you sure (y/n)? y
Set 'dump_uri' to 'sftp://root@10.11.12.13/tmp'

Now that the ILOM snapshot has started, you can monitor it with the command below:

-> show /SP/diag/snapshot

/SP/diag/snapshot
Targets:

Properties:
dataset = full
dump_uri = (Cannot show property)
encrypt_output = false
result = Running

Commands:
cd
set
show

->

After a few minutes you should see the ILOM snapshot reported as complete:

-> show /SP/diag/snapshot

/SP/diag/snapshot
Targets:
Properties:
dataset = full
dump_uri = (Cannot show property)
encrypt_output = false
result = Collecting data into sftp://root@10.11.12.13/tmp/myclustercel07-ilom_1133FMM02D_2018-02-04T23-18-06.zip
Snapshot Complete.
Done.

Commands:
cd
set
show

->

This is actually quite a small file, easy to transfer to MOS (My Oracle Support):

[root@myclusterdb01 ~]# du -sh /tmp/myclustercel07-ilom_1133FMM02D_2018-02-04T23-18-06.zip
2.5M /tmp/myclustercel07-ilom_1133FMM02D_2018-02-04T23-18-06.zip
[root@myclusterdb01 ~]#
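As an added example (not from the original post), the Python below parses the `show /SP/diag/snapshot` listing shown in the normal and full snapshot transcripts above and polls it until the snapshot completes, returning the archive URI. The listings it is fed are constructed from that output; the `show` and `sleep` callables are assumed to be supplied by whatever drives the ILOM session (for example a wrapper around the ssh connection), and are injected so the loop can also be tested offline.

```python
import re

# Constructed "show /SP/diag/snapshot" listings modelled on the transcript above.
SHOW_RUNNING = """\
/SP/diag/snapshot
Properties:
dataset = full
dump_uri = (Cannot show property)
result = Running

Commands:
cd
"""
SHOW_DONE = """\
/SP/diag/snapshot
Properties:
dataset = full
dump_uri = (Cannot show property)
result = Collecting data into sftp://root@10.11.12.13/tmp/myclustercel07-ilom_1133FMM02D_2018-02-04T23-18-06.zip
Snapshot Complete.
Done.
"""

def snapshot_status(show_output):
    """Return (state, zip_uri); state is "running", "complete" or "unknown".
    ILOM hides dump_uri ("Cannot show property"), so the archive location is
    read from the multi-line result text once it says "Snapshot Complete."."""
    result = show_output.partition("result = ")[2].partition("\nCommands:")[0]
    if result.strip() == "Running":
        return "running", None
    if "Snapshot Complete." in result:
        m = re.search(r"sftp://\S+\.zip", result)
        return "complete", m.group(0) if m else None
    return "unknown", None

def wait_for_snapshot(show, sleep, poll_seconds=30, timeout_seconds=600):
    """Call show() until the snapshot completes; return the archive URI.
    show() returns the listing text, sleep() pauses; the 600 s default
    follows the post's "may take up to 10 minutes" for a normal snapshot."""
    waited = 0
    while True:
        state, uri = snapshot_status(show())
        if state == "complete":
            return uri
        if state != "running":
            raise RuntimeError("unexpected snapshot result; inspect the ILOM session")
        if waited >= timeout_seconds:
            raise TimeoutError(f"snapshot still running after {timeout_seconds}s")
        sleep(poll_seconds)
        waited += poll_seconds
```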

Thank you Oracle ACE Fred Denis for sharing his experience
