Log4j remediation - add fixes needed to rollout OCT-2021 RU (19.13) and introduce install-ahf.sh
#104
This PR bundles all of the fixes that needed to be done to remediate the log4j vuln in BMX hosts, namely:

The `install-ahf.sh` is wrapped around @mfielding's AHF installer Ansible snippet at: https://b.corp.google.com/issues/210842382#comment5

I am briefly describing here the various errors that were faced while rolling out 19.13 and the fixes that were needed to fix them:

Error 1:

Fix 1:
Add the following in `install-oracle.sh`:

```bash
GETOPT_OPTIONAL="$GETOPT_OPTIONAL,instance-ssh-key:,instance-hostname:,ntp-pref:,inventory-file:,compatible-rdbms:,instance-ssh-extra-args:"
```

Error 2:
Vanilla run of `install-oracle.sh` is not installing the latest RU, because recent changes are not letting the value of `oracle_rel` be populated. Research details in: https://docs.google.com/document/d/1uYVmeYyH2dVazcNtVaWwp6g6Mr4t10OBf8IuwUuD8bI/edit#heading=h.55g4i2azkfhl

Fix 2:
Add the following in `install-sw.yml`:

Error 3:
`install-oracle.sh` exited when it couldn't find the avahi daemon.

Fix 3:
Added `ignore_errors: yes` for the corresponding task in the file `roles/base-provision/tasks/main.yml` to let the installer continue.

Error 4:
This was the most painstaking error to figure out. Turns out we are not following the suggested OFA standard, as the ORACLE_BASE for GI is the same as the ORACLE_BASE for RDBMS.
Error details are listed in https://b.corp.google.com/issues/211656972#comment24, but calling it out here for visibility:

grid_base error 1: when running `gridSetup.sh`:

grid_base error 2: when running `runInstaller` for DB_HOME installation:

grid_base error 3: when patching:

Fix 4:
In light of the above errors, due to the messed-up permissions issue, added a new code fix introducing a new variable called `grid_base` in `roles/common/defaults/main.yml` and correspondingly modified `roles/rac-gi-setup/templates/gridsetup.rsp.19.3.0.0.0.j2`, so that the GI_BASE is separate from the RDBMS_BASE.

Error 5:
As noted in: https://mikedietrichde.com/2021/04/22/oracle-19c-installation-with-19-11-0-ru-ojvm-and-some-other-fixes/ (especially the portion highlighted in: https://screenshot.googleplex.com/7XbsnHPzu2aXH4g) and in SR 3-26257617871 : Error in invoking target 'irman ioracle idrdactl idrdalsnr idrdaproc' of makefile ins_rdbms.mk, when `applyOneOffs` is provided in conjunction with `runInstaller`, the installer fails with:

Fix 5:
This is an ongoing bug since APR-2021 that's expected to be closed in the next quarter.
This left us with 2 options for the 19.13 OCT'21 RU:
(1) Modify the existing codebase permanently to include new logic for patching OJVM separately in the RDBMS_HOME
or
(2) Remove the `applyOneOffs` flag from the runInstaller command so that OJVM patch application shall be handled after `install-oracle.sh` finishes by exactly a single command: `opatch apply`
Went with (2) considering the introduction of additional logic and the temporary nature of the bug, and removed the `applyOneOffs`.

Error 6:
Not really an error, but added 19.13 patch metadata in the file `roles/common/defaults/main.yml`. The incorrect 19.13 patch metadata that is in #102 can be taken out and then submitted just for 12c & 18c after reverifying them.
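The Fix 1 mechanism, as an added example that is not code from this PR or from the toolkit: a small pure-bash parser for the comma-separated long-option spec that `GETOPT_OPTIONAL` holds, where a trailing `:` marks an option that takes a value, as in getopt(1) `--longoptions`. The option names are the ones added in Fix 1; the functions `spec_lookup` and `parse_args` are assumptions written for illustration, and show why an option missing from the spec (the pre-fix state) is rejected.

```shell
#!/usr/bin/env bash
# Added example, not code from the PR: parse the GETOPT_OPTIONAL long-option
# spec without depending on an external getopt binary.
# Option names are from Fix 1; spec_lookup/parse_args are illustrative assumptions.
GETOPT_OPTIONAL="instance-ssh-key:,instance-hostname:,ntp-pref:,inventory-file:,compatible-rdbms:,instance-ssh-extra-args:"

# spec_lookup NAME -> prints "arg" (takes a value) or "flag"; returns 1 if NAME is not in the spec
spec_lookup() {
  local name=$1 entry
  local IFS=','
  for entry in $GETOPT_OPTIONAL; do
    case "$entry" in
      "$name:") echo arg;  return 0 ;;
      "$name")  echo flag; return 0 ;;
    esac
  done
  return 1
}

# parse_args ARGS... -> prints one "name=value" line per option.
# Returns 2 on an unknown option or stray argument, 3 on a missing value.
parse_args() {
  local opt kind val
  while [ $# -gt 0 ]; do
    case "$1" in
      --*=*) opt=${1#--}; val=${opt#*=}; opt=${opt%%=*}
             kind=$(spec_lookup "$opt") || { echo "unknown option --$opt" >&2; return 2; }
             printf '%s=%s\n' "$opt" "$val"; shift ;;
      --*)   opt=${1#--}
             kind=$(spec_lookup "$opt") || { echo "unknown option --$opt" >&2; return 2; }
             if [ "$kind" = arg ]; then
               [ $# -ge 2 ] || { echo "--$opt requires a value" >&2; return 3; }
               printf '%s=%s\n' "$opt" "$2"; shift 2
             else
               printf '%s=1\n' "$opt"; shift
             fi ;;
      *)     echo "unexpected argument $1" >&2; return 2 ;;
    esac
  done
}
```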