Category Archives: UNIX/Linux

UNIX-like system

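How to Fix the Critical Linux Bash Vulnerability

On September 25, a very serious security vulnerability was discovered in the Bash shipped with Linux (vulnerability reference: https://access.redhat.com/security/cve/CVE-2014-6271). Attackers can exploit this Bash vulnerability to take full control of a target system and launch attacks. Since the company has two Alibaba Cloud servers, I patched them urgently. Alibaba Cloud has published detailed remediation steps (remediation plan: http://bbs.aliyun.com/read/176977.html):

【Remediation plan】

  1. Take a snapshot of the cloud server, to avoid data loss or other disasters caused by the operation
  2. Confirm the Linux distribution version and find the matching script in the remediation plan
  3. Log in to the server as root: ssh [email protected][server IP]
  4. Run the fix script
  5. Shut down the computer and go to sleep

【What I actually did】

// Log in to the server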
Marshall-MBP:~ Marshall$ ssh [email protected]
[email protected]'s password:
Last login: Mon Sep  1 14:50:28 2014 from xxx.xxx.xxx.xxx

Welcome to aliyun Elastic Compute Service!

-bash: warning: setlocale: LC_CTYPE: cannot change locale (UTF-8): No such file or directory

// The host runs CentOS, so update with yum
[[email protected] ~]# yum -y update bash
Failed to set locale, defaulting to C
Loaded plugins: fastestmirror
Determining fastest mirrors
 * base: mirrors.neusoft.edu.cn
 * extras: mirrors.btte.net
 * updates: mirror.neu.edu.cn
base                                                     | 3.7 kB     00:00
extras                                                   | 3.3 kB     00:00
extras/primary_db                                        |  19 kB     00:00
updates                                                  | 3.4 kB     00:00
updates/primary_db                                       | 5.3 MB     00:22
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package bash.x86_64 0:4.1.2-15.el6_4 will be updated
---> Package bash.x86_64 0:4.1.2-15.el6_5.1 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

========================================================================================
 Package         Arch              Version                     Repository          Size
========================================================================================
Updating:
 bash            x86_64            4.1.2-15.el6_5.1            updates            905 k

Transaction Summary
========================================================================================
Upgrade       1 Package(s)

Total download size: 905 k
Downloading Packages:
bash-4.1.2-15.el6_5.1.x86_64.rpm                                 | 905 kB     00:01
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating   : bash-4.1.2-15.el6_5.1.x86_64                                         1/2
  Cleanup    : bash-4.1.2-15.el6_4.x86_64                                           2/2
  Verifying  : bash-4.1.2-15.el6_5.1.x86_64                                         1/2
  Verifying  : bash-4.1.2-15.el6_4.x86_64                                           2/2

Updated:
  bash.x86_64 0:4.1.2-15.el6_5.1

Complete!

// After the update succeeds, run the test command: fixed
[[email protected] ~]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
[[email protected] ~]#

 

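Everything below comes from Alibaba Cloud's background information on the bug. It matters little whether you read it; the fix you care about most is all above:

【Software and systems confirmed to be successfully exploitable】
All Linux operating systems with GNU bash version 4.3 or lower installed.

【Vulnerability description】
The vulnerability stems from specially crafted environment variables created before the bash shell you invoke; these variables can contain code, which bash will execute.

【How to test for the vulnerability】
Detection command: env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

Before the fix
Output:
vulnerable
this is a test

After applying the remediation plan
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
Special note: this fix will not have any impact. If your scripts define environment variables in the manner shown above, they will report errors when executed after the fix.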
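
The detection command above, wrapped as a reusable local check (an added example, not code from the original post or from Alibaba Cloud). The helper names `check_bash` and `scan_bash_binaries` and the marker strings are assumptions; it tests only the CVE-2014-6271 behaviour shown on this page.

```shell
#!/bin/sh
# Added example: wraps the CVE-2014-6271 probe from this page in a reusable check.
# check_bash and scan_bash_binaries are hypothetical helper names.

# Usage: check_bash /path/to/bash  -> prints vulnerable | patched | unknown | missing
check_bash() {
    bin=$1
    [ -x "$bin" ] || { echo "missing"; return 2; }
    # Same probe as above: a variable whose value is a function definition
    # followed by a trailing command. A vulnerable bash runs the trailing
    # command while importing the variable, so the marker reaches stdout.
    out=$(env x='() { :;}; echo PROBE_MARKER' "$bin" -c 'echo probe-done' 2>/dev/null) || true
    case "$out" in
        *PROBE_MARKER*) echo "vulnerable"; return 1 ;;
        *probe-done*)   echo "patched";    return 0 ;;
        *)              echo "unknown";    return 2 ;;
    esac
}

# Check the bash on PATH plus every bash listed in /etc/shells, since a host
# can carry more than one copy and a package update only replaces its own.
scan_bash_binaries() {
    rc=0
    for b in $( { command -v bash; grep '/bash$' /etc/shells 2>/dev/null; } | sort -u ); do
        status=$(check_bash "$b") || true
        printf '%s: %s\n' "$b" "$status"
        if [ "$status" = "vulnerable" ]; then rc=1; fi
    done
    return $rc
}

scan_bash_binaries || echo "at least one bash binary still needs the update"
```

A non-zero return from `scan_bash_binaries` can gate a configuration-management run or a post-patch verification step.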

 

References:

Linux Bash vulnerability reference

Urgent notice on fixing the critical Linux Bash vulnerability

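Analysis of the ORA-600 [kqlnrc_1] Error

A friend in a chat group raised a problem: the database hit ORA-00600: internal error code, arguments: [kqlnrc_1], [0x7000000DCA26B38], [], [], [], [], [], [] and asked for help resolving it.
MOS has a detailed note on the ORA-600 [kqlnrc_1] error: How To Find The Object That Causing ORA-600 [kqlnrc_1] [ID 1190673.1]

Following the note, I traced the root of the problem step by step:
1. Find the ORA-600 error in the trace file. While there, I noticed it is a 10.2.0.4.0 database on AIX.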

Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
 With the Partitioning, OLAP, Data Mining and Real Application Testing options
 ORACLE_HOME = /oracle/app/product/10.2.0/db_1
 System name: AIX
 Node name: tobadb88
 Release: 3
 Version: 5
 Machine: 00CCA0B44C00
 Instance name: han_tocco
 Redo thread mounted by this instance: 1
 Oracle process number: 85
 Unix process pid: 1737624, image: [email protected]
*** 2011-12-12 16:02:56.457
 ksedmp: internal or fatal error
 ORA-00600: internal error code, arguments: [kqlnrc_1], [0x7000000DCA26B38], [], [], [], [], [], []
 Current SQL statement for this session:

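2. Search for 0x7000000DCA26B38
A direct search returned nothing. On analysis, the handle values in the trace file use lowercase letters, which is why the search found nothing; searching again in lowercase finds the INVALID object: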

SO: 7000005d0479c98, type: 53, owner: 7000005e51bf988, flag: INIT/-/-/0x00
 LIBRARY OBJECT LOCK: lock=7000005d0479c98 handle=7000000dca26b38 mode=S
 call pin=7000005d6d0e638 session pin=0 hpc=0000 hlc=0000
 htl=7000005d0479d18[7000005d9176060,7000005d9176060] htb=7000005d9176060 ssga=7000005d9175aa8
 user=70000060b786c98 session=70000060b786c98 count=1 flags=PNC/[0400] savepoint=0x1cb8
 LIBRARY OBJECT HANDLE: handle=7000000dca26b38 mtx=7000000dca26c68(0) cdp=0
 [email protected]_DBGIS
 hash=01539fc30d3e6ae740e53e09dddbce4a timestamp=04-25-2009 17:35:49
 namespace=TABL flags=REM/KGHP/TIM/SML/[02020000]
 kkkk-dddd-llll=0000-0001-0001 lock=S pin=S latch#=17 hpc=0002 hlc=0002
 lwt=7000000dca26be0[7000000dca26be0,7000000dca26be0] ltm=7000000dca26bf0[7000000dca26bf0,7000000dca26bf0]
 pwt=7000000dca26ba8[7000000dca26ba8,7000000dca26ba8] ptm=7000000dca26bb8[7000000dca26bb8,7000000dca26bb8]
 ref=7000000dca26c10[7000000dca26c10,7000000dca26c10] lnd=7000000dca26c28[7000000dca26c28,7000000dca26c28]
 LIBRARY OBJECT: object=7000000d69413b0
 type=SYNM flags=EXS/LOC[0005] pflags=[0000] status=INVL load=0

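The invalid object in the library cache is CRM_INTF.NW_SYN_INTERFACE
Since this is not my own database, I could not carry out the subsequent compile step, but the invalid object has been found and the remaining work is no longer complicated.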
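
The lookup in step 2 as a script that normalises the ORA-600 argument before searching, so the case mismatch cannot hide the handle (an added example, not part of the MOS note or the original post). `find_handle_object` is a hypothetical helper, and the owner/object names in the embedded trace are constructed.

```shell
#!/bin/sh
# Added example, not from MOS note 1190673.1. find_handle_object is a hypothetical
# helper; the owner/object names in the sample trace below are constructed.

# Usage: find_handle_object <second ORA-600 argument> <trace file>
find_handle_object() {
    # The error shows 0x7000000DCA26B38; the trace shows handle=7000000dca26b38.
    h=$(printf '%s' "$1" | sed 's/^0[xX]//' | tr 'A-F' 'a-f')
    awk -v h="$h" '
        function val(key,   i, n, f) {      # value of key=... on this line
            n = split($0, f, " ")
            for (i = 1; i <= n; i++)
                if (index(f[i], key "=") == 1) return substr(f[i], length(key) + 2)
            return ""
        }
        /LIBRARY OBJECT HANDLE:/ { inblk = (index($0, "handle=" h " ") > 0); next }
        !inblk            { next }
        /(^| )name=/      { name = val("name") }
        /namespace=/      { ns = val("namespace") }
        /type=.*status=/  {
            printf "%s namespace=%s type=%s status=%s\n", name, ns, val("type"), val("status")
            found = 1; exit
        }
        END { exit !found }
    ' "$2"
}

sample_trace() {   # constructed, shaped like the excerpt above
cat <<'EOF'
 LIBRARY OBJECT HANDLE: handle=7000000aaaa0000 mtx=7000000aaaa0130(0) cdp=0
 name=DEMO_OWNER.VALID_TABLE
 namespace=TABL flags=KGHP/TIM/SML/[02000000]
 LIBRARY OBJECT: object=7000000d0000000
 type=TABL flags=EXS/LOC[0005] pflags=[0000] status=VALD load=0
 LIBRARY OBJECT HANDLE: handle=7000000dca26b38 mtx=7000000dca26c68(0) cdp=0
 name=DEMO_OWNER.DEMO_SYNONYM
 namespace=TABL flags=REM/KGHP/TIM/SML/[02020000]
 LIBRARY OBJECT: object=7000000d69413b0
 type=SYNM flags=EXS/LOC[0005] pflags=[0000] status=INVL load=0
EOF
}

lookup_sample() {  # run the lookup against the sample above
    tmp=$(mktemp); sample_trace > "$tmp"
    find_handle_object "$1" "$tmp" && rc=0 || rc=$?
    rm -f "$tmp"; return $rc
}
lookup_sample 0x7000000DCA26B38
```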

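Summary:
Upper and lower case, spaces, hyphens, underscores: every point, every detail must be handled rigorously.
BTW, I found it by searching for status=INVL; sometimes looking at a problem from a different angle also works well.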

SQLPLUS Login Error with an Oracle 10g Database on 64-bit AIX

Logging in to a customer database failed with:

SQL> conn xxx/xxx
 ERROR:
 ORA-01034: ORACLE not available
 ORA-27121: unable to determine size of shared memory segment
 IBM AIX RISC System/6000 Error: 13: Permission denied
 [zwq_kfdb1:/home/oraeye/enmotech]uname -a
 AIX zwq_kfdb1 1 6 00C5C4764C00

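I Googled it; many articles say it is an "ORA-27121 error caused by recreating the oracle user and group", and others say it is a memory problem that needs a restart. I skimmed a few and none seemed very reliable, so I searched MOS for "ORA-27121". The first article was: Cannot Use SQLPlus as a Non-Oracle User on AIX 64 Bit ORA-01034 and ORA-27121 [ID 1058928.1], with the following content: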

Applies to:
Oracle Server – Enterprise Edition – Version: 10.2.0.3 to 11.1.0.7 – Release: 10.2 to 11.1
IBM AIX on POWER Systems (64-bit)
Symptoms
On AIX 64 Bit, using Oracle 10.2 or 11.1, unable to use SQLPLUS as any user other than the UNIX user Oracle. The following occurs:
ERROR:
ORA-01034: ORACLE not available
ORA-27121: unable to determine size of shared memory segment
IBM AIX RISC System/6000 Error: 13: Permission denied

Symptoms associated with this issue are:
– no errors in alert.log
– cannot connect to sqlplus other than as UNIX user oracle
– platform is 212 AIX 64 Bit
– errors that occur in a core dump are
ORA-1034: ORACLE not available
ORA-27121: unable to determine size of shared memory segment

Changes
Running Oracle version 10.2.0.3, 10.2.0.4, 11.1.0.6 or 11.1.0.7

Cause
Bug 6973208 which is a duplicate of Bug 6800649
Abstract: AIX: Client side “map:permission denied” or “sh: /usr/bin/procmap: not found”
============
Client side executables may report errors such as
sh: /usr/bin/procmap: not found
or if procmap exists but the client executable is setuid then
the client may report an error like:
map:permission denied

Solution
Apply Patch 6800649 for affected Oracle version
Workaround:
For the case “sh: /usr/bin/procmap: not found” install “procmap”.
This is an AIX executable. See Note:435576.1 for more details.
For the case of “map:permission denied” make sure that the client
executable is not marked as setuid to some other user.

Solution:
Change the permissions on the oracle file:

[xxx:/oracle10/app/product/db/10.2.0/bin]ls -l oracle
 -rwsr-s--x 1 oracle10 oinstall 133933734 Jan 16 2011 oracle

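11gR2 INS-40724 Error

While installing 11gR2 RAC on AIX 6.1 with no DNS, an error occurred while configuring the SCAN IP (see screenshot):
[Screenshot: 2011-12-07, 7:36:24 AM]

/etc/hosts is configured as follows: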

192.168.4.54 xxx_aaaaaa_3_boot1
192.168.5.54 xxx_aaaaaa_3_boot2
138.199.10.15 xxx_aaaaaa_3_pers xxx_aaaaaa_3
138.199.10.16 xxx_aaaaaa_3_svc xxx_aaaaaa3_vip
192.168.6.55 xxx_crmsnn3_priv
192.168.4.55 xxx_aaaaaa_4_boot1    # boot IP required by AIX
192.168.5.55 xxx_aaaaaa_4_boot2    # boot IP required by AIX
138.199.10.17 xxx_aaaaaa_4_pers xxx_aaaaaa_4    # physical IP of the host
138.199.10.18 xxx_aaaaaa_4_svc xxx_aaaaaa4_vip    # floating IP of the host
192.168.6.54 xxx_aaaaaa4_priv    # RAC heartbeat IP
138.199.10.19 bbbbb-scan

 

 

ifconfig:
 # ifconfig -a
 en0: inet 192.168.6.54 netmask 0xffffff00 broadcast 192.168.6.255
en2: inet 192.168.4.54 netmask 0xffffff00 broadcast 192.168.4.255
 inet 138.199.10.15 netmask 0xffffff00 broadcast 138.199.10.255
en6: inet 192.168.5.54 netmask 0xffffff00 broadcast 192.168.5.255
 inet 138.199.10.16 netmask 0xffffff00 broadcast 138.199.10.255
lo0: inet 127.0.0.1 netmask 0xff000000 broadcast 127.255.255.255

 

When installing 11gR2 RAC, the SCAN IP can be configured through DNS/GNS or directly in /etc/hosts. The customer has no DNS, so /etc/hosts is the only option. The Oracle documentation describes this approach:
However, in order to overcome the installation requirement without setting up a DNS-based SCAN resolution, you can use a hosts-file based workaround. In this case, you would use a typical hosts-file entry to resolve the SCAN to only 1 IP address and one IP address only. It is not possible to simulate the round-robin resolution that the DNS server does using a local host file. The host file look-up the OS performs will only return the first IP address that matches the name. Neither will you be able to do so in one entry (one line in the hosts-file). Thus, you will create only 1 SCAN for the cluster. (Note that you will have to change the hosts-file on all nodes in the cluster for this purpose.)
Note that the SCAN IP configuration must be written on every node.

(Document: http://www.oracle.com/technetwork/database/clustering/overview/scan-129069.pdf)

So how do we solve the customer's problem?
I first searched Google; resources were scarce, but I did find this thread:
https://forums.oracle.com/forums/thread.jspa?threadID=1093100
The answer there was:
Define a public interface with a subnet matching the SCAN VIP or choose a SCAN VIP with a subnet matching the public interface.
This part had already been configured. Google did not offer much more, so I continued on MOS, searched for the error number, and found the following note:
Solutions for Typical 11gR2 Grid Infrastructure/RAC Database runInstaller Issues [ID 1056713.1]
P: [INS-40724] No locally defined network interface matches the SCAN VIP subnet.
S: Public IP and SCAN VIP should be in same subnet, and public IP should be primary IP on a NIC.
The first half matches the earlier forum answer, but the second half is just as important: the public IP should be the primary IP on the NIC.

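Looking at the configuration again, I found the following problems:
1. On en2, the primary IP should be configured as 138.199.10.15
2. The VIP on en6 should only appear after configuration is complete; it is showing up now because it was configured manually, and needs to be removed
3. The SCAN IP entries in /etc/hosts on the two nodes need to be compared again to make sure they are identical.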
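
The two conditions from the MOS note (same subnet, and public IP as the primary IP on a NIC), checked against the ifconfig listing above. This is an added example, not an Oracle tool or code from the original post; `scan_subnet_check` is a hypothetical helper, and it assumes the first inet address listed for an interface is its primary IP.

```shell
#!/bin/sh
# Added example; scan_subnet_check is a hypothetical helper, not an Oracle tool.
# Assumption: the first inet address listed for an interface is its primary IP.

# Usage: scan_subnet_check <SCAN IP> < abbreviated "ifconfig -a" listing
scan_subnet_check() {
    awk -v scan="$1" '
        function ip2n(ip,   o) { split(ip, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
        function hex2n(s,   i, n) {             # "0xffffff00" -> number
            s = tolower(s); sub(/^0x/, "", s)
            for (i = 1; i <= length(s); i++)
                n = n*16 + index("0123456789abcdef", substr(s, i, 1)) - 1
            return n
        }
        function net(ip, mask,   size) {        # contiguous netmasks only
            size = 4294967296 - hex2n(mask)
            return int(ip2n(ip) / size) * size
        }
        $1 ~ /^[a-z]+[0-9]+:$/ { ifc = $1; sub(/:$/, "", ifc); seen = 0 }
        {
            for (i = 1; i + 3 <= NF; i++) {
                if ($i != "inet" || $(i+2) != "netmask") continue
                seen++
                if (net($(i+1), $(i+3)) != net(scan, $(i+3))) continue
                if (seen == 1) primary = primary " " ifc
                else alias = alias " " ifc
            }
        }
        END {
            if (primary != "")    print "ok: primary IP in SCAN subnet on" primary
            else if (alias != "") print "INS-40724 risk: only alias IPs match on" alias
            else                  print "INS-40724 risk: no interface in SCAN subnet"
        }'
}

page_ifconfig() {   # the listing from this page
cat <<'EOF'
en0: inet 192.168.6.54 netmask 0xffffff00 broadcast 192.168.6.255
en2: inet 192.168.4.54 netmask 0xffffff00 broadcast 192.168.4.255
 inet 138.199.10.15 netmask 0xffffff00 broadcast 138.199.10.255
en6: inet 192.168.5.54 netmask 0xffffff00 broadcast 192.168.5.255
 inet 138.199.10.16 netmask 0xffffff00 broadcast 138.199.10.255
lo0: inet 127.0.0.1 netmask 0xff000000 broadcast 127.255.255.255
EOF
}

page_ifconfig | scan_subnet_check 138.199.10.19
```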

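Summary:
When you run into a problem, search Google first; if there is no suitable answer, search MOS. After these two steps the answer can basically be found. While searching, be careful and thorough, and do not overlook even half a sentence.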

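Deploying Oracle OSW (OS Watcher)

How can changes in I/O, memory and CPU on a Linux operating system be monitored? OS Watcher, provided by Oracle, can help us monitor this data, but we cannot watch the data change in real time as graphs; the graphs have to be generated with a command. It is somewhat after the fact, but at least it counts as "monitoring".
Installation is very simple: download the osw package from the Oracle website and extract it.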

[[email protected] tmp]# cd osw/
 [[email protected] osw]# ls
 [[email protected] osw]# ls
 osw301.tar
 [[email protected] osw]# tar -xvf osw301.tar
 ./
 ./osw/
 ./osw/Exampleprivate.net
 ./osw/OSWatcher.sh
 ./osw/OSWatcherFM.sh
 ./osw/OSWgREADME.txt
 ./osw/README.txt
 ./osw/iosub.sh
 ./osw/mpsub.sh
 ./osw/oswg.jar
 ./osw/oswib.sh
 ./osw/oswlnxio.sh
 ./osw/oswlnxtop.sh
 ./osw/oswnet.sh
 ./osw/oswrds.sh
 ./osw/oswsub.sh
 ./osw/pssub.sh
 ./osw/startOSW.sh
 ./osw/stopOSW.sh
 ./osw/tarupfiles.sh
 ./osw/topaix.sh
 ./osw/topsub.sh
 ./osw/vmsub.sh
 ./osw/tmp/
 ./osw/src/
 ./osw/src/coe_logo.gif
 ./osw/src/missing_graphic.gif
 ./osw/src/oswg_input.txt
 ./osw/src/OSW_profile.htm
 ./osw/src/Thumbs.db
 ./osw/src/tombody.gif
 ./osw/src/watch.gif

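osw requires Java and has a Java version requirement. The requirement may differ depending on the osw version. The osw package I downloaded requires Java 1.4.2 or later; mine is 1.6.0.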

[[email protected] osw]# java -version
 java version "1.6.0"
 OpenJDK Runtime Environment (build 1.6.0-b09)
 OpenJDK Client VM (build 1.6.0-b09, mixed mode)

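Starting OSW is very simple: just run startOSW.sh. The script takes 2 arguments: the first specifies the sampling interval and the second specifies how long data is kept. By default (if no arguments are given), OSW samples every 30 seconds and keeps 24 hours of data.
I set the interval to 10 seconds and the retention to 240 hours; the generated log is saved in the osw.log file under the osw directory.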
