Oracle sudo privilege requirements for environments

This topic describes the rationale behind specific sudo privilege requirements for virtualizing Oracle Databases. 

Privilege 

Sources 

Targets 

Rationale 

ps | pargs 

Optional, Strongly Recommended 

Optional, Strongly Recommended 

Delphix auto-discovery uses the TNS_ADMIN environment variable of Oracle Listener processes with non-standard configurations to derive their connection parameters. A different user (oracle), rather than delphix_os user normally owns the oracle listener. The Delphix Engine needs sudo access to pargs on the Solaris OS or ps on other OSes to determine the environment variables of those Listener processes. 

This privilege is required for Auto-Discovery with non-default TNS_ADMIN locations. It is optional when using a standard TNS_ADMIN location, or if you choose to manually configure Oracle Homes, databases and listeners. 

mount/umount 

Not Required 

Required 

The Delphix Engine dynamically mounts and unmounts directories under the provisioning directory during VDB operations. This privilege is required because mount and umount are typically reserved for superuser. 

nfso

Not Required 

Required 

The Delphix Engine monitors NFS read and write sizes on an AIX target host. It uses the nfso command to query the sizes in order to optimize NFS performance for VDBs running on the target host. Only a superuser can issue the nfso command. 

$ORACLE_HOME/OPatch/datapatch 

Not Required 

Optional 

This is required to invoke Datapatch command with any environment user other than the Oracle user. 

Oracle mount options for RAC 

AIX 

cio,rw,bg,hard,nointr,timeo=600,proto=tcp,nosuid,noac 

For the AIX platform, depending on NFS version used, additional options vers=3 or vers=4.x is added (x varies depending on what that platform supports. e.g. vers=4 or vers=4.1) 

Linux (NFSv3) 

-t nfs rw,bg,hard,rsize=1048576,wsize=1048576,nointr,timeo=600,tcp,nosuid,sec=sys,vers=3,actimeo=0 

Linux (NFSv4) 

-t nfs4 rw,bg,hard,rsize=1048576,wsize=1048576,nointr,timeo=600,tcp,nosuid,sec=sys,actimeo=0 

  1. For both Single instance and RAC, "port=2049" option is added for all platforms. 

  1. For AIX, rsize=<value>,wsize=<value> options are added depending on the value returned by "/usr/sbin/nfso -o nfs_max_read_size" and "/usr/sbin/nfso -o nfs_max_write_size" commands. 

Oracle unmount options 

“-f” is used on all platforms and for Linux “-lf” is used if “-f” fails.

Oracle mount options for single instance 

AIX

cio,rw,bg,hard,intr,timeo=600,proto=tcp,nosuid 

For the AIX platform, depending on NFS version used, additional options vers=3 or vers=4.x is added (x varies depending on what that platform supports. e.g. vers=4 or vers=4.1) 

Linux (NFSv3) 

-t nfs rw,bg,hard,rsize=1048576,wsize=1048576,nointr,timeo=600,tcp,nosuid,sec=sys,vers=3 

Linux (NFSv4) 

-t nfs4 rw,bg,hard,rsize=1048576,wsize=1048576,nointr,timeo=600,tcp,nosuid,sec=sys 

Sudo file configuration examples for Oracle environments  

This topic provides a sample sudo file privilege configurations for using the Delphix Engine with various operating systems and the Oracle RDBMS. 

Requiretty settings

Delphix requires that the requiretty setting be disabled for all Delphix users with sudo privileges. 

Configuring sudo access on Linux for Oracle source and target environments

Sudo access to ps on the Linux operating system is required for the detection of listeners with non-standard configurations on both source and target environments. Super-user access level is needed to determine the TNS_ADMIN environment variable of the user running the listener (typically oracle, the installation owner). From TNS_ADMIN, the Delphix OS user delphix_os can derive connection parameters. 

Example: Linux /etc/sudoers entries for a Delphix Source 

Copy 
Defaults:delphix_os !requiretty 
delphix_os ALL=NOPASSWD:/bin/ps 

On a Linux target, sudo access to mount and umount is also required.  

Example: Linux /etc/sudoers file for a Delphix Target 

Copy 
Defaults:delphix_os !requiretty 
delphix_os ALL=NOPASSWD: \  
/bin/mount, /bin/umount, /bin/mkdir, /bin/rmdir, /bin/ps 

Configuring sudo access on AIX for Oracle source and target environments 

Sudo access to ps on the AIX operating system is required for the detection of listeners with non-standard configurations on both source and target environments. Super-user access level is needed to determine the TNS_ADMIN environment variable of the user running the listener (typically oracle, the installation owner). From TNS_ADMIN, the Delphix OS user delphix_os can derive connection parameters.  

Example: AIX /etc/sudoers entries for a Delphix Source 

Copy 
Defaults:delphix_os !requiretty 
delphix_os ALL=NOPASSWD:/bin/ps 

In addition to sudo access to the mount, umount, and ps commands on AIX target hosts, Delphix also requires sudo access to nfso. This is required on target hosts for the Delphix Engine to monitor the NFS read-write sizes configured on the AIX system. Super-user access level is needed to run the nfso command. 

Example: AIX /etc/sudoers File for a Delphix Target 

Copy 
Defaults:delphix_os !requiretty 
 delphix_os ALL=NOPASSWD: \ 
 /usr/sbin/mount, \ 
 /usr/sbin/umount, \ 
 /usr/sbin/mkdir, \ 
 /usr/sbin/rmdir, \ 
 /usr/sbin/nfso, \ 
 /usr/bin/ps 

Examples of Limiting sudo access for the Delphix OS user

In situations where security requirements prohibit giving the Delphix user root privileges to mount, unmount, make a directory, and remove directory on the global level, it is possible to configure the sudoers file to provide these privileges only on specific mount points or from specific Delphix Engines, as shown in these two examples. 

Info: The Delphix Engine tests its ability to run the mount command using sudo on the target environment by issuing the sudo mount command with no arguments. Many of the examples shown in this topic do not allow that. This causes a warning during environment discovery and monitoring but otherwise does not cause a problem. If your VDB operations succeed, it is safe to ignore this warning. 

Similarly, the ps or pargs command is used for target environment operations such as initial discovery and refresh. The most restrictive sudo setups might not allow the commands ps (pargs). Delphix can still function without these privileges, although auto-discovery may not work. 

However, some users configure the security on the target environments to monitor sudo failures and lockout the offending account after some threshold. In those situations, the failure of the sudo commands might cause the delphix_os account to become locked. One workaround for this situation is to increase the threshold for locking out the user account. Another option is to modify /etc/sudoers to permit the delphix_os user to run ps (pargs), and mount command without parameters. 

Note that the following examples are for illustrative purposes and the sudo file configuration options are subject to change. 

Example 1 

This example restricts the delphix_os user's use of sudo privileges to the directory /oracle

Note that wildcards are allowed for the options on mount and umount because those commands expect a fixed number of arguments after the options. The option wildcard on the mount command also makes it possible to specify the file-system being mounted from the Delphix Engine. 

Example /etc/sudoers File Configuration on the Target Environment for sudo Privileges on the VDB Mount Directory Only (Linux OS) 

Copy 
Defaults:delphix_os !requiretty 
 delphix_os ALL=(root) NOPASSWD: \ 
 /bin/mount  *        /oracle/*, \ 
 /bin/umount *        /oracle/*, \ 
 /bin/umount          /oracle/*, \ 
 /bin/mkdir -p        /oracle/*, \ 
 /bin/mkdir -p -m 755 /oracle/*, \ 
 /bin/mkdir           /oracle/*, \ 
 /bin/rmdir           /oracle/*, \ 
 /bin/ps 

Example /etc/sudoers File Configuration on the Source Environment to grant Super-User privileges when running ps 

Copy 
Defaults:delphix_os !requiretty 
delphix_os ALL=(root) NOPASSWD: /bin/ps 

Example 2 

This example restricts the delphix_os user's use of sudo privileges to the directory /oracle, restricts the mount commands to a specific Delphix Engine hostname and IP, and does not allow user-specified options for the umount command. 

This configuration is more secure, but there is a tradeoff with deployment simplicity. This approach would require a different sudo configuration for targets configured for different Delphix Engines. 

A Second Example of Configuring the /etc/sudoers File on the Target Environment for Privileges on the VDB Mount Directory Only (Linux OS) 

Copy 
Defaults:delphix_os !requiretty 
 delphix_os ALL=(root) NOPASSWD: \ 
 /bin/mount            /oracle/*, \ 
 /bin/mount *          /oracle/*, \ 
 /bin/mount           <delphix-server-ip>*   /oracle/*, \ 
 /bin/mount *         <delphix-server-ip>*   /oracle/*, \ 
 /bin/mount "", \ 
 /bin/umount          /oracle/*, \ 
 /bin/umount *        /oracle/*, \ 
 /bin/mkdir, \ 
 /bin/rmdir, \ 
 /bin/ps 

Example 3 

This example adds the following entries in /etc/sudoers to allow the delphix_os user to run datapatch as the user oracle without needing to enter the password and with no additional privileges: 

Copy 
Cmnd_Alias ORACLE_CMDS =/u01/app/oracle/product/19.7.0.0/dbhome_1/OPatch/datapatch 
Defaults!ORACLE_CMDS env_keep += "ORACLE_HOME ORACLE_SID ORACLE_UNQNAME" 
delphix_os ALL=(oracle) NOPASSWD: ORACLE_CMDS 

It is important to note that the environment variables necessary for Delphix (ORACLE_HOME, ORACLE_SID and ORACLE_UNQNAME) to successfully invoke the datapatch command must be preserved using the env_keep option, otherwise the command invocation may fail.