
Oracle Database Patch Analysis Report, April 2021


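Introduction

Purpose

This document is written to better guide Oracle patch installation work, break the work down into detailed tasks, and standardize the installation and upgrade procedure.


Background

Every quarter Oracle releases security patch bundles for its products, the CPU (Critical Patch Update) and the PSU (Patch Set Update). They usually fix security weaknesses in the product and may also include fixes for some serious bugs and functional components. The known security vulnerabilities, and those detected by the security team, are fixed this time by installing the database security patches.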


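Terminology

Database patches include patch sets (patchset), patch set updates (PSU) and interim patches (one-off patch). From 12c onward Oracle replaced the former PSU with the RUR (Release Update Revision) and the Proactive BP with the RU (Release Update).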

Database Patch Set Update

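This is the PSU that DBAs commonly talk about. Each quarter Oracle selects the patches that users downloaded most and that have been verified as low risk and puts them into that quarter's PSU. It fixes the more serious problems, includes that quarter's CPU, and is cumulative. It carries important fixes for the database and the database client, including the security (CPU) content. It contains no optimizer fixes. Although the fifth digit of the database version is used when describing a PSU, applying a PSU does not actually change the database version; confirm it with opatch lsinventory.

Notes:

(1) There is no CPU or PSU on Windows. For Windows and Exadata, Oracle uses the Bundle Patch in place of the PSU, and the Bundle Patch includes the PSU content;

(2) Before 11g some PSUs could be installed directly, while others required the previous PSU to be installed first. For a 10.2.0.4 database, for example, PSU 10.2.0.4.4 can be installed directly on the original 10.2.0.4.0, while the latest PSU 10.2.0.4.8 requires 10.2.0.4.4 to be installed first. See the readme.txt shipped with the PSU for more information;

(3) Starting with 11.2.0.2 a new patching policy was introduced: a Patch Set released after 11.2.0.1 is itself a complete installation package and no longer needs the base Release to be installed.

The latest PSU for each product version can be found in the MOS document Oracle Recommended Patches — Oracle Database [ID 756671.1].

Checking the PSU

$ opatch lsinventory -bugs_fixed | grep -i 'DATABASE PSU'

11g r2 and above

$ opatch lsinventory | grep "Patch Set Update"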

Database Grid Infrastructure Patch Set Update

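This is the GI PSU. It applies to RAC databases of 11.2.0.1 and later installed on Unix platforms (including single-instance RAC). The patch includes important fixes for Grid Infrastructure and the matching DB PSU, but no OJVM PSU. It is released quarterly. Before 11.2 it was called the CRS PSU, which has not been released since 11.2.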

OJVM Patch Set Update

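This is the OJVM PSU. It applies to database versions 11.1.0.7, 11.2.0.3, 11.2.0.4, and 12.1.0.1 and later on all platforms. Note that the Windows platform has a special OJVM PSU overlay patch that is installed on top of the Windows BP.

The OJVM PSU was introduced in October 2014, but OJVM and JDBC had separate patches.

Since January 2015 the OJVM PSU includes the JDBC fixes for the database, and in 12c the DBBP includes the OJVM PSU.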

Critical Patch Update

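This is the product security update policy that Oracle introduced in 2005, when the earliest form of the CPU appeared. The program aims to give customers periodic, cumulative patches that fix security vulnerabilities. Nothing forces a customer to install a CPU; Oracle only strongly recommends applying these patches to reduce potential security risk and the chance of a successful intrusion. A CPU is identified by month and year, for example 11.2.0.4 Jan 2015 SPU, which refers to the CPU patch. It is released once a quarter, fixes security issues, and is cumulative. It has since (October 2012) been renamed Security Patch Update (SPU).

Problems of this kind are not software errors in the usual sense, and nothing goes wrong in normal use. But someone with bad intentions can run very carefully crafted code to bypass the database's security mechanisms and gain unauthorized access.

It is divided into Normal CPU and Molecular CPU (first seen in 10.2.0.3 CPUJUL2007) for Linux/Unix platforms, and the CPU Bundle Patch for Windows platforms.

The PSU includes the latest CPU. Starting with 12.1.0.1 the CPU is no longer released separately and is shipped inside the PSU.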

Release Updates

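Starting in July 2017, Oracle changed proactive patching for the database and GI (Grid Infrastructure) 12.2 and later. The traditional "Patchset Update" and "Database Proactive Bundle Patch" are no longer released for 12.2 databases. The new delivery model is Release Updates (Updates) and Release Update Revisions (Revisions).

To deliver security-related fixes and high-priority non-security fixes, a Release Update (Update) is released each quarter, in January, April, July and October. Oracle's quarterly Updates contain fixes for the errors customers are most likely to encounter.

Query optimizer bug fixes, which were not included in earlier PSUs and BPs, are added to Updates but are disabled by default.

Updates include security-related patches.

Updates go through extensive testing, including functional, stress, performance and destructive testing.

Applying Updates promptly reduces the chance of hitting known issues.

In a RAC environment Updates can be installed in rolling fashion without downtime.

In addition to the quarterly Updates, Release Update Revisions (Revisions) are also released every quarter. They contain regression fixes for the Updates as well as the latest security fixes.

Within six months after each Update is released there are 2 Revisions for that Update, for example Release.Update.1 and Release.Update.2, where "1" and "2" denote the Revision.

A patch set involves upgrading the database version and the data dictionary and may change some database behaviour (such as execution plans), so it is a major change. A patch set update is a collection of patches for a specific patchset and is also a major change. An interim patch is a fix for one specific bug or a merge of several related patches (merge patch).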


Task description

Vulnerability analysis

There are 18 security patches related to databases, as follows:

  1. 10 new security patches for Oracle Database Products

  2. 1 new security patch for Oracle Global Lifecycle Management

  3. No new security patches for Oracle Graph Server and Client, but third party patches are provided

  4. 4 new security patches for Oracle NoSQL Database

  5. 1 new security patch for Oracle REST Data Services

  6. No new security patches for Oracle Secure Backup, but third party patches are provided

  7. 2 new security patches for Oracle Spatial Studio

  8. No new security patches for Oracle TimesTen In-Memory Database, but third party patches are provided

Of these 18 security patches only 10 concern Oracle Database, so we focus on those 10. The detailed list is as follows:


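  1. None of the risk scores this time is very high; none reaches 8 or above, so these are not very severe vulnerabilities.

  2. Four can be exploited remotely without authentication (no user password is needed). They are:
    ① CVE-2020-5360, which only affects programs with the Oracle client installed and has no impact on the Oracle database itself;
    ② CVE-2020-17527 in the Workload Manager component;
    ③ CVE-2019-3740, where the Dell third-party plug-in is installed;
    ④ CVE-2020-11023 in the Oracle Application Express component.
    The attack complexity of all four is Low, meaning they are easy to exploit. If the database uses these components, pay particular attention.

  3. One Java VM vulnerability: CVE-2021-2234. Many Java VM vulnerabilities have been fixed in the past, most of them related to deserialization. If those were handled earlier and privileges are tightly controlled, there is no need to worry. The Create Session privilege is the precondition for this CVE, so with strict control of database privileges the risk is not large.

  4. One local Application Express vulnerability: CVE-2020-7760, related to Oracle APEX. The attack goes over HTTP but needs a valid user account, so with good account management the risk is small. If APEX is not used, it can be ignored.

  5. CVE-2021-2245 is a vulnerability in the Unified Audit feature and requires Create Audit Policy. Databases rarely have the built-in auditing turned on, since dedicated audit software is normally used, so its risk is the lowest, with a score of 2.7.

  6. CVE-2021-2035 is attacked through the database's Recovery backup component and requires DBA privilege; controlling that privilege lowers the risk. The vulnerability has low complexity and is easy to attack, with a risk score of 4.1. Review the database privileges or apply the patch.

  7. CVE-2021-2207 can only be attacked while an RMAN backup or restore is running. The vulnerability has low complexity and is easy to attack, with a risk score of 2.3. If RMAN backup and restore is not used and another backup product does the backups, it needs no attention; alternatively, apply the patch.

  8. A vulnerability in the niche Vault component: CVE-2021-2175 is attacked through the wallet feature of Database Vault and requires the Create Any View and Select Any View privileges. If the wallet feature is not enabled, or privileges are tightly controlled, it can be ignored. The vulnerability has low complexity and is easy to attack; if the wallet feature is enabled, review the database privileges or apply the patch.

  9. Check whether the APEX component is installed as follows: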

SQL> select comp_name,VERSION,STATUS from dba_registry where COMP_ID='APEX';

no rows selected

"no rows selected" as above means the APEX component is not installed. If rows are returned, the APEX component is installed.

10. Check whether Database Vault is enabled

SQL> select * from v$option where parameter ='Oracle Database Vault';

PARAMETER                      VALUE                  CON_ID

------------------------------ -----------------------------

Oracle Database Vault          FALSE                       0

A VALUE of FALSE means it is not enabled; TRUE means it is enabled.

11. Check whether the OJVM component is installed

SELECT version, status FROM dba_registry WHERE comp_id='JAVAVM';

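To sum up: the vulnerabilities that are remote and need no user account carry high risk, and if the corresponding components are installed they should be fixed promptly. For the mainly local vulnerabilities, risk is not high as long as privileges are well managed. If conditions allow, apply the fixes uniformly according to which database components are in use.

The standing lesson of data security vulnerabilities is this: install only the core database components and manage privileges and accounts well, and most risks are avoided as a matter of course.

Remediation plan

The 10 security patches above involve the following versions:

  1. CVE-2020-5360 affected versions: 12.1.0.2, 12.2.0.1, 18c, 19c

  2. CVE-2020-17527 affected versions: 18c, 19c

  3. CVE-2019-3740 affected versions: 12.1.0.2, 12.2.0.1, 18c, 19c

  4. CVE-2021-2234 affected versions: 12.1.0.2, 12.2.0.1, 18c, 19c

  5. CVE-2021-2173 affected versions: 12.1.0.2, 12.2.0.1, 18c, 19c

  6. CVE-2021-2175 affected versions: 12.1.0.2, 12.2.0.1, 18c, 19c

  7. CVE-2021-2245 affected versions: 18c, 19c

  8. CVE-2021-2207 affected versions: 12.1.0.2, 12.2.0.1, 18c, 19c

  9. CVE-2020-11023 affected versions: Prior to 20.2

  10. CVE-2020-7760 affected versions: Prior to 20.2

These security patches all concern 12c and later versions and no version before 12c, so 11204 is not affected.

See MOS: Critical Patch Update (CPU) Program Apr 2021 Patch Availability Document (PAD) (Doc ID 2749094.1). How do you find the patch, or the patch set, that corresponds to a given CVE-XXX-XXX? The document shows the following for the fixes: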


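In a 19c Linux environment, the patch set update 19.11.0.0.210420 Patch 32578973 includes the fix for these vulnerabilities. For other database versions and other platforms the corresponding patch set can be found as well, so installing the April patch set resolves the security vulnerabilities above.

Below is the April patch set for the 19c database; download and install Patch 32578973.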


Patch installation risks and measures


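Before the formal patch installation we validate the installation process and its result, to make sure the installation goes smoothly and that the detected vulnerabilities are fixed once it completes.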


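Installing the patch

Pre-installation configuration

Preparing the media

p6880880_190000_Linux-x86-64.zip # download the opatch tool
p32578973_190000_Linux-x86-64.zip # latest RU (11.2.0.4.15)

Cleaning up directory space

To avoid a slow backup caused by a large number of files when the directory is later backed up with tar, we first remove some useless files before the backup starts.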

# ls -aR /u01 2>/dev/null | awk '/\:$/{if(fileCount>999){print fileCount,dirName};dirName=substr($0,1,length($0)-1);fileCount=-2}{fileCount++}'
1857 /u01/app/19c/grid/rdbms/admin
1314 /u01/app/19c/grid/rdbms/audit
1018 /u01/app/grid/diag/asm/+asm/+ASM1/trace
1935 /u01/app/oracle/product/19c/dbhome_1/rdbms/admin

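The command above finds the subdirectories under /u01 that hold more than 1000 files. /u01/app/19c/grid/rdbms/audit holds 1314 files, which is a lot. Once the files in a directory are confirmed to be useless, they can be deleted according to some rule.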

[root@19crac1 admin]# cd /u01/app/19c/grid/rdbms/audit
[root@19crac1 audit]# ls |more
+ASM1_ora_100121_20200908154538702446063769.aud
+ASM1_ora_100184_20200908154539152235090011.aud
+ASM1_ora_100630_20201125163014067719816817.aud
+ASM1_ora_100934_20210316134908830130118521.aud
+ASM1_ora_101284_20201125163213718981508599.aud
+ASM1_ora_101416_20210316094908609015134946.aud
+ASM1_ora_102341_20210316135136641817191381.aud
+ASM1_ora_102400_20210316095204152886190410.aud
+ASM1_ora_10264_20210316105408692762235681.aud
+ASM1_ora_102697_20200908110610569001399504.aud
+ASM1_ora_103256_20201125163514002735145150.aud
+ASM1_ora_103571_20210316135408826914106141.aud
+ASM1_ora_103986_20201125163720408482724825.aud
+ASM1_ora_104059_20210316095408612329741588.aud
+ASM1_ora_104456_20200908110928077928635509.aud
+ASM1_ora_104545_20200908154544828744740864.aud
+ASM1_ora_104578_20200908154545265778216593.aud

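In this directory, for example, everything is a *.aud file, generated by SYSDBA logins. Those older than a certain age no longer have reference value, so they can be deleted by age and extension: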

[root@19crac1 audit]# find  /u01/app/19c/grid/rdbms/audit  -name "*.aud"  -mtime +30 | xargs rm -rf

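The command above deletes the files under /u01/app/19c/grid/rdbms/audit whose modification time (mtime) is more than 30 days old (+30) and whose name matches "*.aud".

After it runs, the number of files drops sharply, which makes the later backup easier.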
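Where retention rules call for keeping SYSDBA audit records, the same selection can be archived before it is pruned. The following is an added example, not part of the original article; the function name, the archive location and the scratch-directory demo are constructed, and file names are assumed to contain no newlines.

```bash
#!/bin/sh
# Added example: archive SYSDBA audit files before pruning them.
# The *.aud pattern and the 30-day age follow the page; the function name,
# archive path and demo files are constructed for illustration.

# archive_and_prune DIR DAYS ARCHIVE
# Packs DIR/*.aud files older than DAYS days into ARCHIVE (tar.gz), checks
# that the archive lists every selected file, and only then deletes them.
# Prints the number of files archived and removed.
archive_and_prune() {
    local dir days archive list count listed f
    dir=$1; days=$2; archive=$3
    list=$(mktemp) || return 1

    # -type f and -maxdepth 1 keep the selection to regular files directly
    # in DIR; the leading "./" protects names that start with "+" or "-".
    if ! ( cd "$dir" && find . -maxdepth 1 -type f -name '*.aud' \
               -mtime +"$days" ) > "$list"; then
        rm -f "$list"; return 1
    fi
    count=$(wc -l < "$list" | tr -d ' ')
    if [ "$count" -eq 0 ]; then
        rm -f "$list"; echo 0; return 0
    fi

    # Write the archive, then verify it before anything is deleted.
    if ! tar -czf "$archive" -C "$dir" -T "$list"; then
        rm -f "$list"; return 1
    fi
    listed=$(tar -tzf "$archive" | wc -l | tr -d ' ')
    if [ "$listed" -ne "$count" ]; then
        echo "archive holds $listed of $count files, nothing deleted" >&2
        rm -f "$list"; return 1
    fi

    while IFS= read -r f; do
        rm -f -- "$dir/$f"
    done < "$list"
    rm -f "$list"
    echo "$count"
}

# Constructed demo in scratch directories: one old file, one recent file.
demo_dir=$(mktemp -d); demo_out=$(mktemp -d)
touch -t 202001010000 "$demo_dir/+ASM1_ora_100121_old.aud"
touch "$demo_dir/+ASM1_ora_100934_new.aud"
echo "archived and removed: $(archive_and_prune "$demo_dir" 30 "$demo_out/aud.tar.gz")"
rm -rf "$demo_dir" "$demo_out"
```

On the page's system the call would take /u01/app/19c/grid/rdbms/audit, 30 and an archive path on a filesystem with enough free space.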

Backing up ORACLE_HOME with tar

Back up ORACLE_HOME with the tar command; both nodes must be backed up.

[root@19crac1 ~]# tar -cvf /u01.tar /u01/

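Put the tar file on a path with enough free space; above it was placed under /.

Upgrading the OPatch tool

Upgrading to 19.11.0.0.0 requires OPatch version 12.2.0.1.24 or later. The OPatch version before the upgrade is as follows:

Backing up OPatch on any one node is enough. Delete the old OPatch on all nodes and then upgrade OPatch; the delete and upgrade steps must be done for both the oracle and grid users on both nodes: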

[root@19crac1 soft]# tar -cvf OPatch.old.tar OPatch 
[root@19crac1 soft]# rm -rf OPatch

Grid user:

[root@19crac1 ~]# cd /soft/
[root@19crac1 soft]# ll
total 2716640

-rw-r--r-- 1 root root 2661075097 May  2 21:34 p32578973_190000_Linux-x86-64.zip

-rw-r--r-- 1 root root  120761121 May  2 21:31 p6880880_190000_Linux-x86-64.zip

[root@19crac1 soft]# cd /u01/app/19c/grid/

[root@19crac1 grid]# rm -rf OPatch/
[root@19crac1 grid]# unzip /soft/p6880880_190000_Linux-x86-64.zip -d .
[root@19crac1 grid]# chown grid:oinstall -R OPatch/
[root@19crac1 grid]# chmod -R 755 OPatch/

Oracle user:

[root@19crac1 grid]# cd /u01/app/oracle/product/19c/dbhome_1/
[root@19crac1 dbhome_1]# rm -rf OPatch/
[root@19crac1 dbhome_1]# unzip /soft/p6880880_190000_Linux-x86-64.zip -d .
[root@19crac1 dbhome_1]# chown oracle:oinstall -R OPatch/
[root@19crac1 dbhome_1]# chmod -R 755 OPatch/

Verify the OPatch version

[root@19crac1 OPatch]# ./opatch version
OPatch Version: 12.2.0.1.24

OPatch succeeded.

Applying the RU

Uploading the patch package

Upload and unzip it on both nodes.

[root@19crac1 soft]# chown grid:oinstall p32578973_190000_Linux-x86-64.zip 
[root@19crac1 soft]# chmod 755 p32578973_190000_Linux-x86-64.zip
[root@19crac1 soft]# su - grid
Last login: Wed May 5 15:23:58 CST 2021
[grid@19crac1 ~]$ cd /soft/
[grid@19crac1 soft]$ unzip p32578973_190000_Linux-x86-64.zip
[root@19crac2 soft]# chmod -R 777 32578973/

Conflict check

Check against the Grid ORACLE_HOME:

[root@19crac1 soft]# su - grid
Last login: Wed May 5 15:23:58 CST 2021

$ /u01/app/19c/grid/OPatch/opatch prereq CheckConflictAgainstOHWithDetail -phBaseDir /soft/32578973/32545008/32545013
$ /u01/app/19c/grid/OPatch/opatch prereq CheckConflictAgainstOHWithDetail -phBaseDir /soft/32578973/32545008/32579761
$ /u01/app/19c/grid/OPatch/opatch prereq CheckConflictAgainstOHWithDetail -phBaseDir /soft/32578973/32545008/32576499
$ /u01/app/19c/grid/OPatch/opatch prereq CheckConflictAgainstOHWithDetail -phBaseDir /soft/32578973/32545008/32585572
$ /u01/app/19c/grid/OPatch/opatch prereq CheckConflictAgainstOHWithDetail -phBaseDir /soft/32578973/32545008/32584670

Check against the Oracle ORACLE_HOME:

[root@19crac1 soft]# su - oracle
Last login: Wed May 5 15:25:15 CST 2021 on pts/0
$ /u01/app/oracle/product/19c/dbhome_1/OPatch/opatch prereq CheckConflictAgainstOHWithDetail -phBaseDir /soft/32578973/32545008/32545013
$ /u01/app/oracle/product/19c/dbhome_1/OPatch/opatch prereq CheckConflictAgainstOHWithDetail -phBaseDir /soft/32578973/32545008/32579761

Make sure each of the checks above prints Prereq "checkConflictAgainstOHWithDetail" passed., which means the check passed.
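The OPatch version requirement and the conflict checks above can be combined into one gate that fails closed before opatchauto is started. This is an added example, not part of the original article: the minimum version and the "passed" message come from the page, while the function names and the sample outputs are constructed.

```bash
#!/bin/sh
# Added example: fail-closed pre-flight gate before running opatchauto.
# MIN_OPATCH and the "passed" message text are taken from the page; the
# function names and the sample outputs below are constructed.

MIN_OPATCH="12.2.0.1.24"

# Print the dotted version found in `opatch version` output (stdin).
opatch_version_from_output() {
    sed -n 's/^OPatch Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Succeed when dotted version $1 >= $2, comparing field by field as numbers
# (a plain string compare would rank 12.2.0.1.9 above 12.2.0.1.24).
version_ge() {
    local a b x y
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Succeed only when stdin holds exactly $1 "passed" results. Anything else
# (a failed check, a check that never ran, truncated output) fails.
conflict_checks_passed() {
    local n
    n=$(grep -c 'Prereq "checkConflictAgainstOHWithDetail" passed' || true)
    [ "$n" -eq "$1" ]
}

# preflight VERSION_OUTPUT PREREQ_OUTPUT EXPECTED_CHECKS
preflight() {
    local v
    v=$(printf '%s\n' "$1" | opatch_version_from_output)
    if [ -z "$v" ] || ! version_ge "$v" "$MIN_OPATCH"; then
        echo "BLOCK: OPatch '${v:-unknown}' is below $MIN_OPATCH"
        return 1
    fi
    if ! printf '%s\n' "$2" | conflict_checks_passed "$3"; then
        echo "BLOCK: expected $3 passed conflict checks"
        return 1
    fi
    echo "OK: OPatch $v, $3/$3 conflict checks passed"
}

# Constructed sample: captured output of `opatch version` and of the two
# prereq runs against the Oracle home.
SAMPLE_VERSION='OPatch Version: 12.2.0.1.24

OPatch succeeded.'
SAMPLE_PREREQ='Invoking prereq "checkconflictagainstohwithdetail"

Prereq "checkConflictAgainstOHWithDetail" passed.

OPatch succeeded.
Invoking prereq "checkconflictagainstohwithdetail"

Prereq "checkConflictAgainstOHWithDetail" passed.

OPatch succeeded.'

preflight "$SAMPLE_VERSION" "$SAMPLE_PREREQ" 2 || true
```

For the Grid home the expected count is 5, one per sub-patch directory checked.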

Applying the RU

Install the RU on node 1:

[root@19crac1 ~]# /u01/app/19c/grid/OPatch/opatchauto apply /soft/32578973/32545008/                                                                                                     

OPatchauto session is initiated at Wed May 5 21:58:31 2021

System initialization log file is /u01/app/19c/grid/cfgtoollogs/opatchautodb/systemconfig2021-05-05_09-58-33PM.log.

Session log file is /u01/app/19c/grid/cfgtoollogs/opatchauto/opatchauto2021-05-05_09-59-23PM.log
The id for this session is A15P

Executing OPatch prereq operations to verify patch applicability on home /u01/app/19c/grid

Executing OPatch prereq operations to verify patch applicability on home /u01/app/oracle/product/19c/dbhome_1
Patch applicability verified successfully on home /u01/app/oracle/product/19c/dbhome_1

Patch applicability verified successfully on home /u01/app/19c/grid


Executing patch validation checks on home /u01/app/19c/grid
Patch validation checks successfully completed on home /u01/app/19c/grid


Verifying SQL patch applicability on home /u01/app/oracle/product/19c/dbhome_1
SQL patch applicability verified successfully on home /u01/app/oracle/product/19c/dbhome_1


Preparing to bring down database service on home /u01/app/oracle/product/19c/dbhome_1
Successfully prepared home /u01/app/oracle/product/19c/dbhome_1 to bring down database service


Performing prepatch operations on CRS - bringing down CRS service on home /u01/app/19c/grid
Prepatch operation log file location: /u01/app/grid/crsdata/19crac1/crsconfig/crs_prepatch_apply_inplace_19crac1_2021-05-05_10-01-17PM.log

CRS service brought down successfully on home /u01/app/19c/grid


Start applying binary patch on home /u01/app/19c/grid

Binary patch applied successfully on home /u01/app/19c/grid

Performing postpatch operations on CRS - starting CRS service on home /u01/app/19c/grid
Postpatch operation log file location: /u01/app/grid/crsdata/19crac1/crsconfig/crs_postpatch_apply_inplace_19crac1_2021-05-05_10-07-38PM.log
CRS service started successfully on home /u01/app/19c/grid

Preparing home /u01/app/oracle/product/19c/dbhome_1 after database service restarted

No step execution required.........

OPatchAuto successful.


--------------------------------Summary--------------------------------

Patching is completed successfully. Please find the summary as follows:

Host:19crac1

RAC Home:/u01/app/oracle/product/19c/dbhome_1

Version:19.0.0.0.0

Summary:

==Following patches were SKIPPED:


Patch: /soft/32578973/32545008/32576499

Reason: This patch is not applicable to this specified target type - "rac_database"


Patch: /soft/32578973/32545008/32585572

Reason: This patch is not applicable to this specified target type - "rac_database"


Patch: /soft/32578973/32545008/32584670

Reason: This patch is not applicable to this specified target type - "rac_database"


Patch: /soft/32578973/32545008/32579761

Log: /u01/app/oracle/product/19c/dbhome_1/cfgtoollogs/opatchauto/core/opatch/opatch2021-05-05_21-55-24PM_1.log

Reason: /soft/32578973/32545008/32579761 is not required to be applied to oracle home /u01/app/oracle/product/19c/dbhome_1


Patch: /soft/32578973/32545008/32545013

Log: /u01/app/oracle/product/19c/dbhome_1/cfgtoollogs/opatchauto/core/opatch/opatch2021-05-05_21-55-24PM_1.log

Reason: /soft/32578973/32545008/32545013 is not required to be applied to oracle home /u01/app/oracle/product/19c/dbhome_1


Host:19crac1

CRS Home:/u01/app/19c/grid

Version:19.0.0.0.0

Summary:

==Following patches were SUCCESSFULLY applied:


Patch: /soft/32578973/32545008/32545013

Log: /u01/app/19c/grid/cfgtoollogs/opatchauto/core/opatch/opatch2021-05-05_22-02-35PM_1.log


Patch: /soft/32578973/32545008/32576499

Log: /u01/app/19c/grid/cfgtoollogs/opatchauto/core/opatch/opatch2021-05-05_22-02-35PM_1.log


Patch: /soft/32578973/32545008/32579761

Log: /u01/app/19c/grid/cfgtoollogs/opatchauto/core/opatch/opatch2021-05-05_22-02-35PM_1.log


Patch: /soft/32578973/32545008/32584670

Log: /u01/app/19c/grid/cfgtoollogs/opatchauto/core/opatch/opatch2021-05-05_22-02-35PM_1.log


Patch: /soft/32578973/32545008/32585572

Log: /u01/app/19c/grid/cfgtoollogs/opatchauto/core/opatch/opatch2021-05-05_22-02-35PM_1.log



OPatchauto session completed at Wed May  5 22:11:57 2021

Time taken to complete the session 13 minutes, 26 seconds

[root@19crac1 ~]#

Install the RU on node 2:

[root@19crac2 ~]# /u01/app/19c/grid/OPatch/opatchauto apply /soft/32578973/32545008/

After hitting an error and resolving it, resume the run:

[root@19crac2 ~]# /u01/app/19c/grid/OPatch/opatchauto resume

Register the patch:

cd /u01/app/oracle/product/19c/dbhome_1/OPatch
./datapatch -verbose

Applying the OJVM patch

Apply on node 1:

[root@19crac1 ~]# su - oracle
Last login: Wed May 5 23:15:43 CST 2021
[oracle@19crac1 ~]$ cd /soft/32578973/32399816/
[oracle@19crac1 32399816]$ /u01/app/oracle/product/19c/dbhome_1/OPatch/opatch apply
Oracle Interim Patch Installer version 12.2.0.1.24
Copyright (c) 2021, Oracle Corporation. All rights reserved.


Oracle Home : /u01/app/oracle/product/19c/dbhome_1
Central Inventory : /u01/app/oraInventory
from : /u01/app/oracle/product/19c/dbhome_1/oraInst.loc
OPatch version : 12.2.0.1.24
OUI version : 12.2.0.7.0
Log file location : /u01/app/oracle/product/19c/dbhome_1/cfgtoollogs/opatch/opatch2021-05-05_23-56-42PM_1.log

Verifying environment and performing prerequisite checks...

OPatch continues with these patches:   32399816 


Do you want to proceed? [y|n]

y

User Responded with: Y

All checks passed.

Please shutdown Oracle instances running out of this ORACLE_HOME on the local system.

(Oracle Home = '/u01/app/oracle/product/19c/dbhome_1')



Is the local system ready for patching? [y|n]

y

User Responded with: Y

Backing up files...

Applying interim patch '32399816' to OH '/u01/app/oracle/product/19c/dbhome_1'


Patching component oracle.javavm.server, 19.0.0.0.0...

Patching component oracle.javavm.server.core, 19.0.0.0.0...

Patching component oracle.rdbms.dbscripts, 19.0.0.0.0...

Patching component oracle.rdbms, 19.0.0.0.0...

Patching component oracle.javavm.client, 19.0.0.0.0...

Patch 32399816 successfully applied.

Log file location: /u01/app/oracle/product/19c/dbhome_1/cfgtoollogs/opatch/opatch2021-05-05_23-56-42PM_1.log

OPatch succeeded.
[oracle@19crac1 32399816]$

Apply on node 2:

[root@19crac2 ~]# su - oracle
Last login: Wed May 5 23:41:47 CST 2021
[oracle@19crac2 ~]$
[oracle@19crac2 ~]$
[oracle@19crac2 ~]$ cd /soft/32578973/32399816/
[oracle@19crac2 32399816]$ /u01/app/oracle/product/19c/dbhome_1/OPatch/opatch apply
Oracle Interim Patch Installer version 12.2.0.1.24
Copyright (c) 2021, Oracle Corporation. All rights reserved.


Oracle Home : /u01/app/oracle/product/19c/dbhome_1
Central Inventory : /u01/app/oraInventory
from : /u01/app/oracle/product/19c/dbhome_1/oraInst.loc
OPatch version : 12.2.0.1.24
OUI version : 12.2.0.7.0
Log file location : /u01/app/oracle/product/19c/dbhome_1/cfgtoollogs/opatch/opatch2021-05-06_00-01-31AM_1.log

Verifying environment and performing prerequisite checks...

OPatch continues with these patches:   32399816 


Do you want to proceed? [y|n]

y

User Responded with: Y

All checks passed.

Please shutdown Oracle instances running out of this ORACLE_HOME on the local system.

(Oracle Home = '/u01/app/oracle/product/19c/dbhome_1')



Is the local system ready for patching? [y|n]

y

User Responded with: Y

Backing up files...

Applying interim patch '32399816' to OH '/u01/app/oracle/product/19c/dbhome_1'


Patching component oracle.javavm.server, 19.0.0.0.0...

Patching component oracle.javavm.server.core, 19.0.0.0.0...

Patching component oracle.rdbms.dbscripts, 19.0.0.0.0...

Patching component oracle.rdbms, 19.0.0.0.0...

Patching component oracle.javavm.client, 19.0.0.0.0...

Patch 32399816 successfully applied.

Log file location: /u01/app/oracle/product/19c/dbhome_1/cfgtoollogs/opatch/opatch2021-05-06_00-01-31AM_1.log

OPatch succeeded.

Writing the RU upgrade information into the database

sqlplus / as sysdba
SQL> startup upgrade
SQL> alter pluggable database all open upgrade;
SQL> quit
cd $ORACLE_HOME/OPatch
./datapatch -verbose
sqlplus / as sysdba
SQL> shutdown immediate;
SQL> startup
SQL> alter pluggable database all open;

Recompiling invalid objects

SQL> @?/rdbms/admin/utlrp.sql

Post-upgrade checks

[grid@19crac1 ~]$ crsctl stat res -t
--------------------------------------------------------------------------------
Name           Target  State        Server             State details
--------------------------------------------------------------------------------
Local Resources
--------------------------------------------------------------------------------
ora.LISTENER.lsnr
               ONLINE  ONLINE       19crac1            STABLE
               ONLINE  ONLINE       19crac2            STABLE
ora.chad
               ONLINE  ONLINE       19crac1            STABLE
               ONLINE  ONLINE       19crac2            STABLE
ora.net1.network
               ONLINE  ONLINE       19crac1            STABLE
               ONLINE  ONLINE       19crac2            STABLE
ora.ons
               ONLINE  ONLINE       19crac1            STABLE
               ONLINE  ONLINE       19crac2            STABLE
ora.proxy_advm
               OFFLINE OFFLINE      19crac1            STABLE
               OFFLINE OFFLINE      19crac2            STABLE
--------------------------------------------------------------------------------
Cluster Resources
--------------------------------------------------------------------------------
ora.19crac1.vip
      1        ONLINE  ONLINE       19crac1            STABLE
ora.19crac2.vip
      1        ONLINE  ONLINE       19crac2            STABLE
ora.ASMNET1LSNR_ASM.lsnr(ora.asmgroup)
      1        ONLINE  ONLINE       19crac1            STABLE
      2        ONLINE  ONLINE       19crac2            STABLE
ora.DATADG.dg(ora.asmgroup)
      1        OFFLINE OFFLINE                         STABLE
      2        ONLINE  ONLINE       19crac2            STABLE
ora.LISTENER_SCAN1.lsnr
      1        ONLINE  ONLINE       19crac1            STABLE
ora.OCRDG.dg(ora.asmgroup)
      1        ONLINE  ONLINE       19crac1            STABLE
      2        ONLINE  ONLINE       19crac2            STABLE
ora.asm(ora.asmgroup)
      1        ONLINE  ONLINE       19crac1            Started,STABLE
      2        ONLINE  ONLINE       19crac2            Started,STABLE
ora.asmnet1.asmnetwork(ora.asmgroup)
      1        ONLINE  ONLINE       19crac1            STABLE
      2        ONLINE  ONLINE       19crac2            STABLE
ora.cvu
      1        ONLINE  ONLINE       19crac1            STABLE
ora.ora19c.db
      1        OFFLINE OFFLINE                         STABLE
      2        OFFLINE OFFLINE                         Instance Shutdown,ST
                                                       ABLE
ora.qosmserver
      1        ONLINE  ONLINE       19crac1            STABLE
ora.scan1.vip
      1        ONLINE  ONLINE       19crac1            STABLE
--------------------------------------------------------------------------------

Node 1:

[root@19crac1 ~]# /u01/app/oracle/product/19c/dbhome_1/OPatch/opatch lspatches
The user is root. OPatch cannot continue if the user is root.

OPatch failed with error code 255
[root@19crac1 ~]# su - oracle
Last login: Thu May 6 00:01:26 CST 2021
[oracle@19crac1 ~]$ /u01/app/oracle/product/19c/dbhome_1/OPatch/opatch lspatches

32399816;OJVM RELEASE UPDATE: 19.11.0.0.210420 (32399816)

32579761;OCW RELEASE UPDATE 19.11.0.0.0 (32579761)

32545013;Database Release Update : 19.11.0.0.210420 (32545013)

OPatch succeeded.
[oracle@19crac1 ~]$ logout

[root@19crac1 ~]# su - grid

Last login: Thu May  6 00:11:16 CST 2021 on pts/3

[grid@19crac1 ~]$ /u01/app/19c/grid/OPatch/opatch lspatches

32585572;DBWLM RELEASE UPDATE 19.0.0.0.0 (32585572)

32584670;TOMCAT RELEASE UPDATE 19.0.0.0.0 (32584670)

32579761;OCW RELEASE UPDATE 19.11.0.0.0 (32579761)

32576499;ACFS RELEASE UPDATE 19.11.0.0.0 (32576499)

32545013;Database Release Update : 19.11.0.0.210420 (32545013)

OPatch succeeded.

Node 2:

[oracle@19crac2 32399816]$ /u01/app/oracle/product/19c/dbhome_1/OPatch/opatch lspatches

32399816;OJVM RELEASE UPDATE: 19.11.0.0.210420 (32399816)

32579761;OCW RELEASE UPDATE 19.11.0.0.0 (32579761)

32545013;Database Release Update : 19.11.0.0.210420 (32545013)

OPatch succeeded.
[oracle@19crac2 32399816]$ logout

[root@19crac2 ~]# su - grid

Last login: Thu May  6 00:01:20 CST 2021

[grid@19crac2 ~]$ /u01/app/19c/grid/OPatch/opatch lspatches

32585572;DBWLM RELEASE UPDATE 19.0.0.0.0 (32585572)

32584670;TOMCAT RELEASE UPDATE 19.0.0.0.0 (32584670)

32579761;OCW RELEASE UPDATE 19.11.0.0.0 (32579761)

32576499;ACFS RELEASE UPDATE 19.11.0.0.0 (32576499)

32545013;Database Release Update : 19.11.0.0.210420 (32545013)

OPatch succeeded.
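The per-home comparison above can be scripted so that a missing patch or a failed opatch run is caught on every node. This is an added example, not part of the original article: the expected patch IDs are the ones the page lists for each home, and the function names and sample texts are constructed.

```bash
#!/bin/sh
# Added example: verify `opatch lspatches` output against the patch IDs the
# page shows for each home. Function names and sample texts are constructed.

GI_EXPECTED="32545013 32576499 32579761 32584670 32585572"
DB_EXPECTED="32545013 32579761 32399816"

# Print the patch IDs found in lspatches output (stdin), one per line.
installed_ids() {
    sed -n 's/^\([0-9][0-9]*\);.*/\1/p' | sort -u
}

# missing_patches "ID ID ...": print the expected IDs that are absent from
# the lspatches output on stdin, separated by spaces.
missing_patches() {
    local have id out
    have=$(installed_ids)
    out=
    for id in $1; do
        if ! printf '%s\n' "$have" | grep -qx "$id"; then
            out="${out:+$out }$id"
        fi
    done
    printf '%s\n' "$out"
}

# verify_home NAME "EXPECTED IDS" (stdin = lspatches output). Fails unless
# opatch itself reported success and every expected ID is present.
verify_home() {
    local text miss
    text=$(cat)
    if ! printf '%s\n' "$text" | grep -q '^OPatch succeeded\.'; then
        echo "$1: FAIL (opatch did not report success)"
        return 1
    fi
    miss=$(printf '%s\n' "$text" | missing_patches "$2")
    if [ -n "$miss" ]; then
        echo "$1: FAIL missing $miss"
        return 1
    fi
    echo "$1: OK"
}

# Sample 1: the Oracle home listing shown on the page.
SAMPLE_DB='32399816;OJVM RELEASE UPDATE: 19.11.0.0.210420 (32399816)
32579761;OCW RELEASE UPDATE 19.11.0.0.0 (32579761)
32545013;Database Release Update : 19.11.0.0.210420 (32545013)

OPatch succeeded.'

# Sample 2 (constructed): a home where the OJVM patch was not applied.
SAMPLE_DB_NO_OJVM='32579761;OCW RELEASE UPDATE 19.11.0.0.0 (32579761)
32545013;Database Release Update : 19.11.0.0.210420 (32545013)

OPatch succeeded.'

# Sample 3: the failure the page shows when opatch is run as root.
SAMPLE_ROOT='The user is root. OPatch cannot continue if the user is root.

OPatch failed with error code 255'

printf '%s\n' "$SAMPLE_DB" | verify_home "DB home" "$DB_EXPECTED" || true
printf '%s\n' "$SAMPLE_DB_NO_OJVM" | verify_home "DB home (no OJVM)" "$DB_EXPECTED" || true
printf '%s\n' "$SAMPLE_ROOT" | verify_home "DB home (as root)" "$DB_EXPECTED" || true
```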

Rolling back the patch

Restore the grid and Oracle ORACLE_HOME; run this on each of the two nodes.

[root@19crac2 /]# rm -rf /u01
[root@19crac2 /]# tar -xvf u01.tar

Errors

The OPATCHAUTO-68061 error was encountered twice.

After Oracle was patched successfully on node 1, patching node 2 failed.

The "/u01/app/oraInventory/ContentsXML/oui-patch.xml (Permission denied)" error

Start applying binary patch on home /u01/app/19c/grid

Failed while applying binary patches on home /u01/app/19c/grid

Execution of [OPatchAutoBinaryAction] patch action failed, check log for more details. Failures:

Patch Target : 19crac2->/u01/app/19c/grid Type[crs]

Details: [

---------------------------Patching Failed---------------------------------

Command execution failed during patching in home: /u01/app/19c/grid, host: 19crac2.

Command failed: /u01/app/19c/grid/OPatch/opatchauto apply /soft/32578973/32545008/ -oh /u01/app/19c/grid -target_type cluster -binary -invPtrLoc /u01/app/19c/grid/oraInst.loc -jre /u01/app/19c/grid/OPatch/jre -persistresult /u01/app/19c/grid/opatchautocfg/db/sessioninfo/sessionresult_19crac2_crs_1.ser -analyzedresult /u01/app/19c/grid/opatchautocfg/db/sessioninfo/sessionresult_analyze_19crac2_crs_1.ser
Command failure output:

==Following patches FAILED in apply:


Patch: /soft/32578973/32545008/32545013

Log: /u01/app/19c/grid/cfgtoollogs/opatchauto/core/opatch/opatch2021-05-05_23-24-50PM_1.log

Reason: Failed during Patching: oracle.opatch.opatchsdk.OPatchException: ApplySession failed in system modification phase... 'ApplySession::apply failed: java.io.IOException: oracle.sysman.oui.patch.PatchException: java.io.FileNotFoundException: /u01/app/oraInventory/ContentsXML/oui-patch.xml (Permission denied)' 


After fixing the cause of failure Run opatchauto resume


]

OPATCHAUTO-68061: The orchestration engine failed.

OPATCHAUTO-68061: The orchestration engine failed with return code 1

OPATCHAUTO-68061: Check the log for more details.

OPatchAuto failed.

OPatchauto session completed at Wed May  5 23:27:19 2021

Time taken to complete the session 11 minutes, 59 seconds

opatchauto failed with error code 42

Cause: clearly a permissions problem.

Fix: give the file /u01/app/oraInventory/ContentsXML/oui-patch.xml 777 permissions directly:
chmod 777 /u01/app/oraInventory/ContentsXML/oui-patch.xml
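A narrower setting than 777 can be checked and applied when both software owners share the install group. This is an added example, not part of the original article: the file path and the oinstall group come from the page's commands, while mode 660, the function names and the scratch-file demo are assumptions of this example.

```bash
#!/bin/sh
# Added example: check the central inventory file without opening it to
# every local user. The path and the oinstall group come from the page's
# commands; mode 660 and the function names are assumptions of this example.

INV_FILE="/u01/app/oraInventory/ContentsXML/oui-patch.xml"
INV_GROUP="oinstall"

# inventory_perm_status FILE GROUP
# Prints one of:
#   ok | world-writable | wrong-group:<name> | not-group-writable | missing
inventory_perm_status() {
    local line perm grp
    if [ ! -e "$1" ]; then echo "missing"; return 0; fi
    line=$(ls -ld -- "$1")
    perm=$(printf '%s\n' "$line" | awk '{print $1}')   # e.g. -rw-rw----
    grp=$(printf '%s\n' "$line" | awk '{print $4}')
    # Character 9 of the mode string is the write bit for "other",
    # character 6 is the write bit for the group.
    if [ "$(printf '%s\n' "$perm" | cut -c9)" = "w" ]; then
        echo "world-writable"
    elif [ "$grp" != "$2" ]; then
        echo "wrong-group:$grp"
    elif [ "$(printf '%s\n' "$perm" | cut -c6)" != "w" ]; then
        echo "not-group-writable"
    else
        echo "ok"
    fi
}

# tighten_inventory_file FILE GROUP
# Gives the shared install group read/write and removes access for others.
tighten_inventory_file() {
    chgrp "$2" "$1" && chmod 660 "$1"
}

# Constructed demo on a scratch file, using whatever group the file already
# has so that it runs without root. On the page's system the call would be:
#   inventory_perm_status "$INV_FILE" "$INV_GROUP"
demo_file=$(mktemp)
demo_group=$(ls -ld -- "$demo_file" | awk '{print $4}')
chmod 777 "$demo_file"
echo "after chmod 777: $(inventory_perm_status "$demo_file" "$demo_group")"
tighten_inventory_file "$demo_file" "$demo_group"
echo "after chmod 660: $(inventory_perm_status "$demo_file" "$demo_group")"
rm -f "$demo_file"
```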

The "ORACLE_HOME/inventory/oneoffs/32545013 is corrupted" error

Execution of [OPatchAutoBinaryAction] patch action failed, check log for more details. Failures:

Patch Target : 19crac2->/u01/app/19c/grid Type[crs]

Details: [

---------------------------Patching Failed---------------------------------

Command execution failed during patching in home: /u01/app/19c/grid, host: 19crac2.

Command failed: /u01/app/19c/grid/OPatch/opatchauto apply /soft/32578973/32545008/ -oh /u01/app/19c/grid -target_type cluster -binary -invPtrLoc /u01/app/19c/grid/oraInst.loc -jre /u01/app/19c/grid/OPatch/jre -persistresult /u01/app/19c/grid/opatchautocfg/db/sessioninfo/sessionresult_19crac2_crs_1.ser -analyzedresult /u01/app/19c/grid/opatchautocfg/db/sessioninfo/sessionresult_analyze_19crac2_crs_1.ser
Command failure output:

==Following patches FAILED in apply:


Patch: /soft/32578973/32545008/32545013

Log: /u01/app/19c/grid/cfgtoollogs/opatchauto/core/opatch/opatch2021-05-05_23-31-11PM_1.log

Reason: Failed during Analysis: CheckNApplyReport Failed, [ Prerequisite Status: FAILED, Prerequisite output:
The details are:
Unable to create patchObject
Possible causes are:
ORACLE_HOME/inventory/oneoffs/32545013 is corrupted. PatchObject constructor: Input file "/u01/app/19c/grid/inventory/oneoffs/32545013/etc/config/actions" or "/u01/app/19c/grid/inventory/oneoffs/32545013/etc/config/inventory" does not exist.
]

After fixing the cause of failure Run opatchauto resume


]

OPATCHAUTO-68061: The orchestration engine failed.

OPATCHAUTO-68061: The orchestration engine failed with return code 1

OPATCHAUTO-68061: Check the log for more details.

OPatchAuto failed.

OPatchauto session completed at Wed May  5 23:31:16 2021

Time taken to complete the session 0 minute, 30 seconds

opatchauto failed with error code 42

Cause: ORACLE_HOME/inventory/oneoffs/32545013 is corrupted.

Fix: node 1 was patched successfully, so copy the 32545013 directory from node 1 to the corresponding directory on node 2.


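About the author

樊卓卓 is a technical consultant on the western-region delivery team at 云和恩墨, with more than 7 years of Oracle DBA experience. He has served the telecom operator, electric power, banking, state taxation, manufacturing and broadcasting industries, holds the PGCA, PGCE, OBCA and OBCP certifications, and specializes in Oracle database upgrade and migration, backup and recovery, and fault diagnosis.

Original article on 墨天轮: https://www.modb.pro/db/61872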

