2_Oracle_Exalytics_ExaOverview

Oracle Exadata Database MachineKVM Virtualization Overview and Best Practicesfor On-Premises RoCE-Based SystemsExadata DevelopmentJune 2023Topics Covered•Use Cases•Exadata Virtualization Software Requirements •Exadata Isolation Considerations•Exadata KVM Sizing and Prerequisites•Exadata KVM Deployment Overview•Exadata KVM Administration and Operational Life Cycle •Migration, HA, Backup/Restore, Upgrading/Patching •Monitoring, Resource ManagementHigh-Performance Virtualized Database Platform Using KVM•Kernel-based Virtual Machine (KVM) hypervisor •Linux kernel-based type 2 hypervisor with improved performance•Exadata RoCE based systems only (X10M, X9M-2, X8M-2)•VMs provide CPU, memory, OS, and system admin isolation for consolidated workloads•Hosting, cloud, cross department consolidation, test/dev, non-database or third-party applications•Exadata VMs deliver near raw hardware performance•Database I/Os go directly to high-speed RDMA Network Fabric bypassing hypervisor•Combine with Exadata network and I/O prioritization to achieve unique full stack isolation•Trusted Partitions allow licensing by virtual machine•See Oracle Exadata Database Machine Licensing Information User's Guide Exadata VirtualizationFinance Cluster Sales Cluster Marketing Cluster•Dedicated Database Servers provide the best isolation •Virtualization has good isolation but requires more management overhead and resource usage•VMs have separate OS, memory, CPUs, and patching•Isolation without need to trust DBA, System Admin•Database consolidation in a single OS is highly efficient but less isolated•DB Resource manager isolation adds no overhead•Resources can be shared much more dynamically•But must trust admins to configure systems correctly•Best strategy is to combine VMs with database native consolidation•Multiple trusted DBs or Pluggable DBs in a VM•Few VMs per server to limit overhead of fragmenting CPUs/memory/software updates/patching etc.Exadata Consolidation OptionsM o r e I s o l a t i o n More Efficient Dedicated DB ServersVirtual Machines Many DBs in one Server Database MultitenantDatabase Server: Bare Metal / Physical versus Virtualized Software Architecture ComparisonVirtualizedDatabase ServerHostExadata(Linux w/ KVM,firmware)Guest-nExadata (Linux)Oracle GI/DBhomesGuest-2Exadata (Linux)Oracle GI/DBhomesGuest-1Exadata (Linux)Oracle GI/DBhomesBare Metal / PhysicalDatabase ServerExadata (Linux, firmware)Oracle GI/DB homesNo change to Storage Grid, Networking, or Other-vs -Differences Between Physical and VirtualDetails expanded throughout remaining slides TopicHow Virtual differs from Physical Reduced Licensing OptionUse Trusted Partitions to allocate OCPUs for Database License Cluster configurationSystem has one or more VM clusters, each with own Grid Infrastructure / Database software install Network IsolationUse Secure Fabric to isolate clusters while sharing underlying Exadata Storage Exadata storage configurationSeparate grid disks and ASM disk groups (DATA,RECO) for each cluster Database server disk configurationDefault file system sizes are small Grid Infrastructure and Database software homes attached as separate file systems Software UpdatesDatabase servers require separate KVM host (Linux, firmware) and KVM Guest (Linux) updates EXAchkRun once for KVM host + storage servers + switches, run once for each VM Cluster Enterprise Manager Enterprise Manager + Oracle Virtual Infrastructure plug-in + Exadata plug-inExadata KVM Requirements•Hardware•Exadata systems with RoCE interconnects (e.g., X10M, X9M-2, X8M-2)•Software•Review MOS 888828.1 for recommended and minimum required versions •KVM Host•Virtualization using Oracle Linux Kernel-based Virtual Machine (KVM)•KVM Host and KVM guests can run different Exadata database server versions•KVM Guests•Each guest runs Exadata database server software isolated from other guests•Each guest runs Grid Infrastructure and Database software isolated from other guestsExadata KVM Interoperability•Interoperability between KVM/RoCE and Xen/InfiniBand•KVM supported only with RoCE interconnects•Xen supported only with InfiniBand interconnects (e.g., X8, X7, etc.)•X8 and earlier upgraded to or freshly deployed with Exadata 19.3 and later continue to be based on Xen •Cannot inter-rack RoCE and InfiniBand•Separate KVM/RoCE and Xen/InfiniBand systems can be used in same Data Guard / GoldenGate configuration• E.g., KVM-based system as primary, separate Xen-based system as standby•Migration from Xen to KVM•Move database using Data Guard, GoldenGate, RMAN, ZDMExadata KVM Security Isolation Recommendations•Each VM RAC cluster has own Exadata grid disks and ASM Disk Groups•Setting Up Oracle ASM-Scoped Security on Oracle Exadata Storage Servers•https:///en/engineered-systems/exadata-database-machine/dbmsq/exadata-security-practices.html•802.1Q VLAN T agging for Client and Admin Ethernet Networks•Configured w/ OEDA during deployment (requires pre-deployment switch config)•Client network manual configuration possible post-deployment (MOS 2710712.1)•Private network isolation•Secure RDMA Fabric Isolation with Oracle Linux KVM•https:///en/engineered-systems/exadata-database-machine/dbmmn/managing-oracle-vm-guests-kvm.html•https:///en/engineered-systems/exadata-database-machine/dbmin/exadata-network-requirements.html•RESTful remote access for storage server administration through ExaCLIExadata Secure RDMA Fabric Isolation for RoCE•Exadata Secure Fabric for RoCE systems implements network isolation for Virtual Machines while allowing access to common Exadata Storage Servers•Each VM cluster is assigned a private network•VM clusters cannot communicate with each other•All VMs can communicate to the shared storageinfrastructure•Security cannot be bypassed•Enforcement done by the network card on every packet•Rules programmed by hypervisor automaticallyExadata KVM Sizing Recommendations•Maximum of 12 KVM guests per database server•Eighth Rack systems support maximum of 4 KVM guests per database server•Determine peak CPU, memory, disk space needed by each database•Perform sizing evaluation prior to deployment, configure in OEDA accordingly•Consider KVM host reserved memory•Consider KVM host reserved CPU•Consider KVM guest long-term local disk file system growth•Long lived KVM guests should budget for full space allocation (assume no benefit from sparseness and shareable reflinks)•Each VM cluster has its own grid disks and disk groups•Contact Oracle for sizing guidance•Cannot over-provision physical memory•Sum of all KVM guests + KVM host reserved memory <= installed physical memory•KVM Host Reserved Memory•KVM host reserves portion of installed memory•Not available to KVM guests, enforced by vm_maker•KVM Guest memory sizing•Total VM Memory Available•Allocate to single guest or divide among multiple guests •Minimum 16 GB memory for a guest•To support OS, GI/ASM, starter DB, few connections •VM Memory size can not be changed online •Guest restart requiredMemory Config Supported Platforms Installed Memory (GB)VM Memory (GB) 24 x 128 GB X10M3072280024 x 96 GB X10M2304209032 x 64 GB X9M2048187024 x 64 GB X10M, X9M, X8M1536139016 x 64 GB X9M102492012 x 64 GB X10M, X8M76866016 x 32 GB X10M, X9M51244012 x 32 GB X9M, X8M384328•CPU over-provisioning is allowed•Up to 2x over-provisioning permitted with multiple VMs•Exceptions -No CPU over-provisioning on X10M systems:•with 512GB memory, or•when Capacity-On-Demand is used•Large increase in cores with X10M•CPU over-provisioning use cases decrease significantly compared to previous Exadata hardware•Performance degradation may occur if all guests become fully active when over-provisioning •Number of vCPUs assigned to a VM can be changed online•KVM Host Reserved CPU•Host is allocated 4 vCPUs (2 cores) -Not available to guests•Eighth rack is allocated 2 vCPUs (1 core)•Guest CPU sizing (X10M 2x96-core CPUs)•Single guest vCPU•Minimum 4 vCPU•Maximum 380 vCPU•Sum of all guests’ vCPU•Max 380 vCPU if no over-provisioning•Max 760 vCPU if 2x over-provisioning1,2HardwareMin vCPUper guestMax vCPUper guestMax over-provision vCPUall guestsX10M43807601,2X9M-24124248X9M-2 Eighth462124X8M-2492184X8M-2 Eighth446921 –No CPU over-provisioning when Capacity-on-Demand is used2 –No CPU over-provisioning on systems with 512GB memory•KVM guest local file system disk space over-provisioning not recommended, but possible •Actual allocated space initially much lower than apparent space due to sparseness and shareable reflinks(with multiple VMs), but will grow over time as shared space diverges and becomes less sparse•Long lived KVM guests should budget for full space allocation (assume no benefit fromsparseness and shareable reflinks)•Over-provisioning may cause unpredictable out-of-space errors•Over-provisioning may prevent ability to restore disk image backup•X10M database server –2 x 3.84TB NVME drives configured RAID1•Default local disk space available for VMs 1.46 TiB, online resizable to 3.4 TiB•Option to add 2 x 3.84TB NVME drives RAID1, increase local disk space to 6.9 TiB•Default disk space used per KVM guest 228 GiB•KVM guest local disk space can be extended after initial deployment by adding local disk images •Disk space can be extended with shared storage (e.g., ACFS, DBFS, external NFS, OCI File Storage) for user files•Do not use shared storage for Oracle/Linux binaries/configuration/diagnostic files.Access/network issues may cause system crash or hang.•Spread disk groups for each VM cluster across all disks on all cells•Every VM cluster has its own grid disks•Disk group size for initial VM clusters should consider future VM additions•Using all space initially will require shrinking existing disk group before adding new•Enable ASM-Scoped Security to limit grid disk accessExadata Storage RecommendationVM Cluster ClusterNodesGrid Disks (DATA/RECO for all clusters on all disks in all cells)clu1db01vm01db02vm01DATAC1_CD_{00..11}_cel01 RECOC1_CD_{00..11}_cel01 DATAC1_CD_{00..11}_cel02 RECOC1_CD_{00..11}_cel02 DATAC1_CD_{00..11}_cel03 RECOC1_CD_{00..11}_cel03clu2db01vm02db02vm02DATAC2_CD_{00..11}_cel01 RECOC2_CD_{00..11}_cel01 DATAC2_CD_{00..11}_cel02 RECOC2_CD_{00..11}_cel02 DATAC2_CD_{00..11}_cel03 RECOC2_CD_{00..11}_cel03Deployment Specifications and LimitsCategory X8M-2X9M-2X10M VMs Max guests per database server12 (41)12 (41)12Memory Min GB per guest161616 Max GB per guest / all guests139021*********CPU/vCPU Min vCPU per guest444 Max vCPU per guest92124380 Max over-provisioned vCPU all guests1842487603,4Disk space Usable TiB per DB server for all guests 3.15 3.40/ 6.975 3.40/ 6.975 Used GiB per guest at deployment1412282281 –Eighth Rack systems maximum number of guests is 42 –Using maximum memory configuration3 –No CPU over-provisioning when Capacity-on-Demand is used4 –No CPU over-provisioning on systems with 512GB memory5 –When local disk expanded to 4 drivesDeployment OverviewOracle Exadata Deployment AssistantThe Oracle Exadata Deployment Assistant, also known as OEDA, is the only tool to create VMs on Exadata1.Create configuration with OEDA Configuration Tool2.Prepare customer environment for OEDA deployment•Configure DNS, configure switches for VLANs (if necessary)3.Prepare Exadata system for OEDA deployment•# switch_to_ovm.sh; applyElasticConfig.sh4.Deploy system with OEDA Deployment ToolDecide Virtual or Physical •Section to pick KVM•All Linux VM•All Linux Physical•Custom (some servers VM,some servers physical)•An individual database server is configured either VM or PhysicalDefine Clusters•Decide:1.Number of VM clusters to create2.Database servers and Cells that willmake up those VM clusters•Recommend using all cells for each cluster •What is a “VM cluster?”•One or more guests on differentdatabase servers running Oracle GI/RAC,each accessing the same shared Exadatastorage managed by ASM.Cluster Configuration•Each VM cluster has its own configuration•OS users and groups•VM size (memory, CPU)•Grid infrastructure version and software location•Exadata software version•ASM disk groups (and underlying storage grid disks)•Database version and software location•Starter database configuration•Client, Backup, and Admin networking configurationAdvanced Network Configuration•Admin and Client Networks 802.1Q VLAN T agging•To separate Admin and ClientNetworks traffic across VMs,use distinct VLAN ID and IPinfo for each cluster•Admin and Client Networkswitches must have VLAN tagconfiguration done beforeOEDA deploymentAdvanced Network Configuration•Private Network Secure Fabric•Secure RDMA Fabric Isolation uses RoCEVLANs to enable strict network isolationfor Oracle RAC clusters.•Multiple VM clusters share storage serverresources but cannot communicate witheach other.Installation Template•Verify proper settings for all VMclusters in Installation Template so the environment can be properly configured before deployment (DNS, switches, VLANs, etc.).Network RequirementsComponent Domain Network Example hostnameDatabase servers KVM host(one per database server)Mgmt eth0dm01dbadm01Mgmt ILOM dm01dbadm01-ilomKVM guest(one or more per databaseserver)Mgmt eth0dm01dbadm01vm01Client bondeth0dm01client01vm01Client VIP dm01client01vm01-vipClient SCAN dm01vm01-scanPrivate RoCE dm01dbadm01vm01-privStorage servers (same as physical)Mgmt eth0dm01celadm01 Mgmt ILOM dm01celadm01-ilom Private RoCE dm01celadm01-privSwitches (same as physical)Mgmt and Private dm01sw-adm,dm01sw-roceGuest Disk LayoutFile system Size Use/ (root)15G Root file system/u0120G Oracle BASE/u01/app/<ver>/grid50G Grid infrastructure software home/u01/app/oracle/product/<ver>/dbhome_150G Database software home/tmp3G/tmp/home4G User home directories/var2G/var/var/log18G System logs/var/log/audit1G System audit logs/crashfiles20G System kdump kernel crash vmcore/boot512M System bootOther LVM space44G LVDbSwap1, LVDbSys2,LVDbVar2,LVDoNotRemoveOrUseTOTAL228GExadata KVM Basic Maintenance•Primary maintenance tools•OEDACLI -OEDA Command Line Interface•vm_maker•Refer to Exadata Database Machine Maintenance Guide•Managing Oracle Linux KVM Guests•https:///en/engineered-systems/exadata-database-machine/dbmmn/managing-oracle-vm-guests-kvm.htmlExadata KVM Migration•Migrate databases on existing system to new Exadata KVM system •Methods•Create Data Guard standby on new Exadata KVM system, switchover (minimal downtime)•Duplicate existing databases to new Exadata KVM system•Back up existing databases, restore databases on new Exadata KVM system•Standard Exadata migration practices and considerations apply•Convert existing ROCE-based Exadata system deployed bare metal/physical to KVM •Methods•Back up existing databases, redeploy system to KVM, restore databases•Convert one or subset of database servers at a time to KVMBackup/Restore of Virtualized Environment•KVM host•Standard backup/restore practices to external location•KVM guest –Two Methods•Backup within KVM host: Snapshot the VM disk images and backup snapshot externally •Backup within KVM guest: Standard OS backup/restore practices apply•If over-provisioning local disk space -Restoring VM backup will reduce (may eliminate) space savings (i.e., relying on over-provisioning may prevent full VM restore)•Database backup/restore•Use standard Exadata MAA practices with RMAN, ZDLRA, and Cloud Storage•Refer to Exadata Database Machine Maintenance GuideComponent to update MethodStorage servers•Same as physical -run patchmgr from any server with ssh access to all storageservers or use Storage Server Cloud Scale Software Update feature.RDMA Network Fabricswitches•Same as physical -run patchmgr from any server with ssh access to all switches.Database server –KVM host •Run patchmgr from any server with ssh access to all KVM hosts.•KVM host update upgrades database server firmware.•KVM host reboot requires restart of all local VMs.•KVM guest software not updated during KVM host update.•KVM host/guest do not have to run same version, although specific update ordering may be required (see MOS 888828.1).Database server –KVM guest •Run patchmgr from any server with ssh access to all KVM guests. Typically done on a per-VM cluster basis (e.g., vm01 on all nodes, then vm02, etc.), or update all VMs on a KVM host before moving to next.Grid Infrastructure / Database •Use Fleet Patching and Provisioning (FPP), OEDACLI, or standard upgrade and patching methods apply, maintained on a per-VM cluster scope. GI/DB homes should be mounted disk images, like initial deployment.Updating SoftwareHealth Checks and Monitoring•Exachk(AHF) runs in KVM host and KVM guest•Run in one KVM host -evaluates all KVM hosts, cells, switches•Run in one KVM guest of each VM cluster -evaluates all KVM guests, GI/DB of that cluster•Exadata Storage Software Versions Supported by the Oracle Enterprise Manager Exadata Plug-in (MOS 1626579.1)•Exawatcher runs in KVM host and KVM guest•Database and Grid Infrastructure monitoring practices still apply•Considerations•KVM host is not sized to accommodate EM or custom agents•Exadata MAA failure/repair practices still applicable.•Refer to MAA Best Practices for Oracle Exadata Database Machine•Live Migration is not supported –use RAC to move workloads between nodesExadata MAA/HAResource Management•Exadata Resource Management practices still apply•Exadata IO and flash resource management are all applicable and useful•Within VMs and within a cluster, database resource management practices still apply •cpu_count still needs to be set at the database instance level for multiple databases in a VM.Recommended min cpu_count=2.•No local disk resource management and prioritization•IO intensive workloads should not use local disks•For higher IO performance and bandwidth, use ACFS or NFSExadata KVM / Xen ComparisonCategory KVM-based Xen-based Terminology kvmhost, guest dom0, domUHardware support X8M-2 through X10M (using RoCE switches)X2-2 through X8-2 (using InfiniBand switches) Hypervisor KVM (built in to UEK)XenVM management vm_maker, OEDACLI xm, OEDACLI, domu_makerDatabase server software update patchmgr using same ISO/yum repo for KVM host andguestspatchmgr using different ISO/yum repo fordom0 and domUsFile system configuration xfs ext4, and ocfs2 for EXAVMIMAGESOur mission is to help people see data in new ways, discover insights, unlock endless possibilities.。

案例1ORACLEANALYZE命令的使用ORACLEANALYZE命令是Oracle数据库中一种用于调优和优化数据库性能的工具。

它能够收集数据库对象的统计信息、诊断性能问题并提供解决方案。

在本文中，我们将讨论ORACLEANALYZE命令的使用以及相关的案例。

首先，ORACLEANALYZE命令可以通过以下方式使用：```ANALYZE TABLE table_name [PARTITION partition_name][ESTIMATE [SAMPLE] statistics_sample_size [PERCENT] [FOR PARTITION (partition)][DELETESTATISTICS][FORCE];```ORACLEANALYZE命令的功能主要有两个方面：统计信息收集和性能问题诊断。

1. 统计信息收集：通过使用ORACLEANALYZE命令，可以收集数据库对象的统计信息，例如表、索引和分区等。

统计信息对于查询优化和执行计划的选择非常重要。

通过收集统计信息，我们可以使Oracle优化器更准确地评估查询的成本，并选择效率最高的执行计划。

2. 性能问题诊断：ORACLEANALYZE命令还可以诊断性能问题，并提供相应的解决方案。

它可以识别出表和索引的性能问题，例如表中的高聚簇因子（cluster factor）或者索引的低选择性（selectivity）。

此外，ORACLEANALYZE命令还可以检测到过时的统计信息，以及需要重新收集统计信息的对象。

下面以一个具体的案例来说明ORACLEANALYZE命令的使用。

假设我们有一个名为"orders"的表，用于存储订单信息。

这个表有一个名为"order_date"的列，我们希望通过ORACLEANALYZE命令收集该列的统计信息，并对性能进行诊断。

首先，我们可以使用以下命令来收集统计信息：```ANALYZE TABLE orders ESTIMATE STATISTICS SAMPLE 10 PERCENT FOR COLUMNS (order_date);```上述命令中，我们使用了"ESTIMATE STATISTICS"子句来指定要收集统计信息，"SAMPLE 10 PERCENT"表示我们希望对10%的数据样本进行统计。

一、概述Oracle Application Express (APEX) 是一款基于Web的开发工具，可用于快速创建企业级的数据库驱动的应用程序。

它是Oracle数据库的一部分，可以快速地构建Web应用程序和报表。

二、概述在本文中，我们将探讨如何使用Oracle APEX开发一个简单的实例。

我们将使用一个假设的企业情景，并展示如何使用APEX来构建一个管理员工信息的应用程序。

三、设置环境1. 确保已安装Oracle数据库并启用了Oracle APEX。

2. 使用浏览器打开Oracle APEX的管理界面，创建一个新的应用程序。

四、创建数据表1. 在Oracle APEX的管理界面中，打开SQL Workshop，创建一个新的数据表。

2. 设计员工信息的数据表结构，包括尊称、性莂、出诞辰期、部门等字段。

3. 保存数据表并添加一些示例数据。

五、创建页面1. 在应用程序界面中，选择创建新的页面。

2. 选择一个合适的模板，例如标准的表格模板。

3. 关联刚刚创建的数据表，并选择需要显示的字段。

4. 保存页面并发布应用程序。

六、添加交互功能1. 在页面设计的界面中，添加一个新的按钮或信息，用于添加新的员工信息。

2. 在页面属性中，添加一个新的按钮动作，并配置为弹出一个模态对话框。

3. 设计模态对话框的界面，包括尊称、性莂、出诞辰期等输入字段。

4. 保存并发布应用程序。

七、测试应用程序1. 使用浏览器打开发布的应用程序，测试员工信息管理界面的功能。

2. 尝试添加新的员工信息，并验证数据是否能够正确地保存和显示。

3. 测试各种交互功能，例如搜索、分页等。

八、部署应用程序1. 当应用程序功能全部测试通过后，可以将应用程序部署到生产环境。

2. 设置应用程序的权限和访问控制，确保只有授权的用户能够访问。

3. 监控应用程序的性能和稳定性，及时处理可能出现的问题。

九、总结在本实例中，我们演示了如何使用Oracle APEX快速地开发一个简单的员工信息管理应用程序。

oracle中exist的用法在Oracle数据库中，EXISTS是一种用于检查子查询结果是否为空的关键字。

它可以用于WHERE子句或HAVING子句中，以便在查询中过滤掉不需要的数据。

在本文中，我们将深入探讨Oracle中EXISTS的用法，包括语法、示例和最佳实践。

语法EXISTS的语法如下：SELECT column1, column2, ...FROM table_nameWHERE EXISTS (SELECT column_name FROM table_name WHERE condition);其中，column1、column2等是要查询的列名，table_name是要查询的表名，condition是子查询中的条件。

如果子查询返回结果，则WHERE子句中的条件将被视为TRUE，否则将被视为FALSE。

示例让我们看一些使用EXISTS的示例。

1. 检查子查询结果是否为空假设我们有一个名为employees的表，其中包含员工的姓名和工资。

我们想要找到工资高于平均工资的员工。

我们可以使用以下查询：SELECT name, salaryFROM employees e1WHERE salary > (SELECT AVG(salary) FROM employees e2);但是，如果我们只想找到工资高于平均工资的员工中的前5个，我们可以使用EXISTS来实现：SELECT name, salaryFROM employees e1WHERE EXISTS (SELECT 1 FROM employees e2 WHERE e2.salary > (SELECT AVG(salary) FROM employees) AND e2.salary > e1.salary)AND ROWNUM <= 5;在这个查询中，我们使用了EXISTS来检查子查询的结果是否为空。

Consolidate with Oracle Exadata Manage Resources and Availability - CON7770Sue K. Lee, Director of DevelopmentRené Kundersma, Consulting Member of Tech. StaffOracle Server TechnologiesOct 1, 2014Safe Harbor StatementThe following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.Program AgendaIntroduction to Consolidation Oracle Exadata - Optimized for Consolidation and DBaaS HA Tiers and Consolidation Planning Best Practices Operational Best Practices in a consolidated environment Managing Resources in Consolidated Environments12345Program AgendaIntroduction to Consolidation Oracle Exadata - Optimized for Consolidation and DBaaS HA Tiers and Consolidation Planning Best Practices Operational Best Practices in a consolidated environment Managing Resources in Consolidated Environments12345Why Consolidate?•Efficient server and storage utilization–Each generation of servers and storage is more powerful–Typical database workload may not fully utilize hardware•Database workloads are often bursty, with long periods of low utilization –Lots of test, development, and (non-)critical databases – reduce hw footprint•Fewer systems to administer–Reduce maintenance effortsBridge not redundant = Single Point Of Failure More tenants than resourcesConsolidation Challenges•HA challenges–Conflicting HA requirements–Planned maintenance ‘difficult’•Database users apprehensive about consolidation–Users want security, isolation and performance guarantees •Workload surges from one application can affect others–Excessive CPU, PGA, or I/O usage–Surges can originate from heavy application usage or a runaway query •DBAs want to control resource usage–‘Get what you pay for’ and get consistent performanceMultiple Pluggable Databases share a Container Multitenant DatabaseBilling PDB Parts PDBSales PDB Assets PDBSingle Physical Container DatabaseProgram AgendaIntroduction to Consolidation Oracle Exadata - Optimized for Consolidation and DBaaS HA Tiers and Consolidation Planning Best Practices Operational Best Practices in a consolidated environment Managing Resources in Consolidated Environments21345No Performance Bottlenecks for Consolidation and DBaaS▪Queryoffloadin storage – Data intensive query operationsoffloaded to storage CPUs– 100 GB/sec SQL data throughput – Storage Index data skipping▪Database storage compression – Hybrid Columnar for 10x DB sizereduction and faster analytics▪Database optimized PCI Flash – Smart caching of database data – 2.66 Million Database IOs/sec – Smart Flash log speeds transactions▪Database optimized and comprehensiveresource management– End-to-end prioritization fromapplication to DB to network to storage –Prioritization of CPU and IO bymultitenant pluggable database (12c)▪Database optimized messaging – SQL optimized InfiniBand protocol forhigh throughput low latency SQL –End-to-End prioritization of criticaldatabase messages (11.2.0.4), including log writes and RACApplication Servers OLTP/DW Load Drivers X4-2 / 250Gb memoryEnd UserConsolidation Test: Exadata vs. Non-ExadataApplication Servers OLTP/DW Load Drivers X4-2 / 250Gb memoryDatabase ServersEnd UserProgram AgendaIntroduction to ConsolidationOracle Exadata - Optimized for Consolidation and DBaaS HA Tiers and Consolidation Planning Best Practices Operational Best Practices in a consolidated environment Managing Resources in Consolidated Environments2 134 5Exadata MAA Portfolio Redundant databaseservers, storageservers, network,powerActive standby systems, local HA and/or remote DRLog-based data replication with data consistency validationOnline patching, re-configuration and rolling upgradesActive-active DB clusters. Mirrored storage and flash.Local Standby Remote StandbyLAN /maaBRONZESILVER GOLD PLATINUMClusters and ReplicationApps ITI need a database for the new HR systemI require HA with automaticfailoverApps QA I need to copy aproductiondatabase fortestingThe cheapestconfiguration isfine.This is just fortestingBRONZESILVERGOLDPLATINUMClusters and Replication•Hardware Pool:–A machine or group of machines used as target consolidation platform•Guidelines–Do not assign different tiers to the same hardware pool –Minimum: Exadata X4-2 Half Rack•Critical smaller Hardware Pools should use standby –When more capacity is required than provided by a singlehardware pool, divide the target databases in that category into two separate groupsPlanning for Exadata Consolidation – Step 4Assign tiers to their hardware poolProgram AgendaIntroduction to ConsolidationOracle Exadata - Optimized for Consolidation and DBaaS HA Tiers and Consolidation Planning Best Practices Operational Best Practices in a consolidated environment Managing Resources in Consolidated Environments2 134 5CellCLI> create key4bb27f70c17f88232c936ed1fc437049CellCLI> ASSIGN KEY FOR +ASM= 4bb27f70c17f88232c936ed1fc437049’ CellCLI> ALTER GRIDDISK ALL availableTo=\'+ASM\’Place key on the database server.Reduce Planned Maintenance Risk and▪Max 1 year in betweenProgram AgendaIntroduction to ConsolidationOracle Exadata - Optimized for Consolidation and DBaaS HA Tiers and Consolidation Planning Best Practices Operational Best Practices in a consolidated environment Managing Resources in Consolidated Environments2 134 5Performance TiersBRONZESILVER GOLD Low consolidationHigh performance isolation High consolidationMedium performance isolation Highest consolidationLowest performance isolationPLATINUMLowest consolidation density Highest performance isolation Private Jet1st ClassEconomy ClassResource ContentionDatabases consolidated on common hardware contend for •CPU•Memory•Flash Space and Bandwidth•Disk BandwidthHow can we guarantee resources for each databaseand achieve good consolidation density?Managing CPU24Instance D: 4 CPUsInstanceInstanceInstanceInstance CagingBest Practices•Keep the strategy simple–Initial cpu_count settings can be a guess•Monitor actual CPU usage and then tweak–cpu_count can be adjusted dynamically – no database bounce needed!–If over-subscribing, monitor the server to make sure it’s not over-loaded –Avoid large changes to cpu_count•cpu_count corresponds to CPU threads, not cores! •Beware of over-subscribing on SPARC T-Series processors •Don’t set cpu_count to 1–Makes database instance susceptible to hangs or poor performanceManaging MemoryNew in 12cPGA_AGGREGATE_LIMITPGA usage will not exceed this hard limit!Managing Exadata FlashExadata Smart Flash Cache•Exadata Flash provides impressive capacity and bandwidth* –45 TB space–100 GBps of scan throughput–~2M IOPS•Use Exadata Flash to–Cache frequently-used OLTP data–Accelerate scans, using excess flash resources–Accelerate log writes* For a full X4-2/8 rackExadata Smart Flash CacheWhy Exadata?•Other market offerings–All-flash storage: expensive–Disks with flash to accelerate writes and cache recently-used data: doesn’t support mixed workloads•Only Exadata guarantees that flash stores frequently-accessed OLTP data –Scans must not evict OLTP data from the cache–Only Exadata can identify OLTP from scan IOs!–All-flash storage guarantees this too, but at many times the price!Exadata Smart Flash CacheHow can you capitalize on 100 GBps of flash bandwidth? •Use up to 20% for OLTP workloads–Maximum sustainable rate by OLTP•Use the rest for scans!–Pre 11.2.2.3, mark tables with KEEP–11.2.2.3+, scans automatically use flash if there’s space•Scans use both flash and disks for maximum throughput–Using flash increases scan throughput by up to 5x!Flash BandwidthOLTP’s peak load only consumes 20% of flashthroughputUse excess throughput forscans!Flash Bandwidth。

产品介绍Oracle Analytics Server 是一款本地部署的自助服务可视化和增强人工智能(AI) 分析平台。

它提供了全方位的功能，包括快速显示数据集的关键洞察的AI，自动推荐分析新元素的数据丰富功能，支持传统和公民数据科学家的机器学习(ML) 功能，以及令人惊叹的数据可视化，可提供具有像素完美报告功能的仪表板。

Oracle Analytics Server 建立在久经考验的现代技术基础上，支持超高的工作负载和复杂部署，同时以较低的总拥有成本为企业的每个用户提供及时的洞察。

企业现在可以通过移动、平板电脑和所有现代浏览器为需要访问分析数据的所有用户提供易于使用的界面，通过导入或混合数据，执行分析或安全地分发报告来实现分析平台的现代化。

客户可以选择自管理本地部署或私有云部署Oracle Analytics Server，可以按计划管理升级，并实施自定义选项，如自定义外观/样式、元数据、消息传送等。

Oracle Analytics Server 是现有 Oracle 商业智能企业版客户的轻松升级选项。

主要特性•自助式数据可视化功能•带有解释的增强分析•数据流中的机器学习•数据丰富能力•强大的地理空间映射和可视化•简便易用的即席查询和分析•像素完美的企业报告•通用企业信息模型Oracle Analytics Server — 功能概览∙增强分析：Oracle Analytics Server 将机器学习和 AI 嵌入了分析过程的每个方面，从而支持深度洞察，让您可以轻松完成分析工作。

该解决方案能够显著增强从智能数据准备到数据探索的整体分析体验，并通过提供基于自然语言处理的现代对话式分析来简化用户体验。

在后台，Oracle Analytics Server 运行聚类、分类和关联以发现洞察。

只需单击一下，即可将这些令人惊叹的可视化效果内置到仪表板中。

∙数据丰富：Oracle Analytics Server 数据丰富功能可自动推荐数据元素，包括时间分析所需的值（月份，星期，工作日等），用于映射的地理空间值，用于对元素进行分类数据中的模式识别，并集成机器学习，通过用于洞察的算法丰富数据集。

Oracle Exadata存储索引介绍适用于：从V2到X5所有Exadata存储服务器。

目的：深入了解Exadata存储索引技术的发展,并了解在新版本中的特性。

内容：一、简介存储索引功能是在Exadata 11.2.1.2.0 版本（V2 ）上引入的新特性，它主配合智能扫描(smart scan)功能,来消除一个查询所不需要的IO请求。

它在内存中保存表数据的汇总信息，并通过内部机制来控制和访问这些数据结构。

当智能扫描功能启动时，存储索引像一个黑盒子一样提供强大的功能，给Exadata带来显著的性能增强。

随着Oracle虚拟化技术不断发展，存储索引技术也相应有了新的改变。

存储索引需要支持更多的虚拟地址空间，这样之前的架构就不能满足日益增长的物理磁盘空间和虚拟化的需求，因此，Oracle在12.1.2.1新版本中完全改变了技术架构，让其满足新的需求。

这些技术的变化会在第六部分进行介绍。

二、使用条件在如下情况发生时，系统会使用存储索引:1. 查询语句使用智能扫描(Smart Scan)。

2. 查询语句中where子句至少有一个谓词。

3. 简单的操作符：<, <=, =, !=, >=, >, is NULL, is NOTNULL,between,in。

4. 支持的数据类型：number, float, date, varchar2。

5.谓词的值支持数值和绑定变量。

如下情况不会使用存储索引:1. 不支持lob列。

2. 谓词中包括函数。

比如用户自定函数或sysdate().3. 列上有加密。

也有其它一些情况会使用和不使用存储索引，在这里就不详细说明。

三、技术架构技术架构主要是解决存储索引是如果工作的问题。

在这里不会将Oracle的代码拿来讲解并说明这个功能是如何实现的。

只是通过简单的实例说明它是如何设计的。

存储索引是保存在内存中的数据结构，它不同与我们常见表数据的B*tree索引，可以通过索引的条目最终定位到我们需要访问的数据。

Exadata Product Development98MTargetDEC ‘131B YahooDec ’16400M Friend Finder Dec ‘16150MeBayMay ‘14200M ExperianMar ’14 US Voters 191M, Dec 15150MAdobe Oct ‘1356MHome Depot Sep ‘1476M JPMCOct ‘1480M AnthemFeb ‘152M Vodafone Oct ‘1342M Cupid Media Jan ’13TBs IP Sony Nov ’14 2MOrangeFeb/Apr ‘1420MCredit Bureau 12MTelecomS. Korea Jan ‘1422MBenesse Education Jul ‘14Japan Espionage KasperskyJun ‘15400GB IP TheftHackingTeam Jul ‘15Carphone Warehouse Aug ’152.4M4MTalk TalkOct 1550MTurkish GovtApr ‘165M VTech Nov ‘1530M BSNL TelcoJournal Jul ‘15Kmart Oct ‘1511M PremeraBlue Cross Mar ‘1593M Mexico Voter Apr ‘16154MUS Voter Jun ‘1632M AshleyMadisonJul ’15US OPM, 22MJun ’15 15M T-MobileOct ’154.6MScottrade Oct ’1555M PhilippinesVoter list Apr ‘16Security Breaches: High Costs to Businesses and Customers (Records/Data Theft)3.2M Debit cardsOct ‘16SabreMar ‘16CIAApr ‘1777M Edmodo May ‘17143M EquifaxJuly ‘17 1.1B AadhaarJan ‘18340MExactisJun ‘18218M Zynga Sep ‘199M Easy JetMay ‘2098MTargetDEC ‘131B YahooDec ’16400M Friend Finder Dec ‘16150MeBayMay ‘14200M ExperianMar ’14 US Voters 191M, Dec 15150MAdobe Oct ‘1356MHome Depot Sep ‘1476M JPMC Oct ‘1480M AnthemFeb ‘152M Vodafone Oct ‘1342M Cupid Media Jan ’13TBs IP Sony Nov ’14 2MOrange Feb/Apr ‘1420MCredit Bureau 12MTelecomS. Korea Jan ‘1422MBenesse Education Jul ‘14Japan Espionage KasperskyJun ‘15400GB IP Theft HackingTeam Jul ‘15Carphone Warehouse Aug ’152.4M4MTalk TalkOct 1550MTurkish Govt Apr ‘165M VTech Nov ‘1530MBSNL TelcoJournal Jul ‘15Kmart Oct ‘1511M PremeraBlue Cross Mar ‘1593M Mexico Voter Apr ‘16154MUS Voter Jun ‘1632M AshleyMadisonJul ’15US OPM, 22MJun ’15 15M T-MobileOct ’154.6MScottrade Oct ’1555M PhilippinesVoter list Apr ‘16Security Breaches: High Costs to Businesses and Customers (Records/Data Theft) –Continuation Slide3.2M Debit cardsOct ‘16SabreMar ‘16CIAApr ‘1777M Edmodo May ‘17143M EquifaxJuly ‘17 1.1B Aadhaar Jan ‘18340MExactisJun ‘18218M Zynga Sep ‘199M Easy JetMay ‘203.2BCOMB Compilation of previously stolen credentials Jan ‘21Exadata security practices and built-in security protection is applicable to Exadata on-premises •Exadata Cloud (ExaDB-D, ExaDB-C@C and Autonomous Database) inherit the benefitsplus additional cloud software and securitycompliance is added•Additional security collateral for DB Cloud offerings can be found at:•https:///a/ocom/docs/en gineered-systems/exadata/exadata-cloud-at-customer-security-controls.pdf •https:///corporate/securit y-practices/cloud/Exadata Cloud in OCI attains the following compliances, certifications, and/or attestations:Audit Reports✓PCI DSS✓HIPAA✓ISO 27001✓SOC I/SOC II✓C5/CSA STAR✓FedRAMP Moderate/DISA IL5Exadata Platform provides the foundation for Exadata DB CloudAudit Data & EventLogsData SafeAudit VaultAlertsReportsPoliciesNetwork EncryptionOracleKey VaultTransparentData EncryptionDF11233 U*1$5Ha1qui %H1HSKQ112 A14FASqw34 £$1DF@£!1ah HH!DA45S& DD1Discover Sensitive DataData SafeData Masking and SubsettingTest DevData RedactionDatabase VaultUsersApplicationsDatabase FirewallVirtual Private DatabaseLabel SecurityReal Application SecurityEventsData Driven SecurityDatabase Security ControlsDetectPreventAssessDatabase SecurityOpen Season for Attacks on Hardware, Firmware and Supply Chain •Securing application and network perimeter is no longer sufficient •Attacks are more sophisticated and getting deeper into the hardware •Environments are more complex and distributed•Server subcomponents are more capable but “soft”•More interesting to hackers•More potential for vulnerabilities and exploits•Supply chains are at riskExadata End-to-End Security Through-Out The Supply Chain •Oracle supply chain is closely integrated and monitored •Oracle ownership of core Hardware and Firmware IP•Security audit for all design releases•Suppliers understand and adhere to Oracle security policies•Encrypted transmission of design data•Oracle controlled systems qualification tests and validation•All firmware and software is digitally signed and certified•Secure Trade Agreements Act (TAA) compliant manufacturing for system integrationEnd-to-End SecuritySecurity-optimized, Security-focused, Security-hardenedHighly Available ArchitectureOracle MAA Best Practices Built-InDatabase Aware System SoftwareUnique algorithms vastly improve OLTP, Analytics, ConsolidationExtreme Performance, Availability, and SecurityExadata Maximum Security Architecture (MSA) VisionMSA Solution Highlights✓Smaller Footprint✓Access Restrictions✓Principle of Least Privilege ✓Audit Rules✓System Hardening✓File Integrity Monitoring✓Security Administration Tool ✓Pre-scanned Full Stack✓Multi-tenet Isolation✓Boot Device Protection✓Fast Crypto Erase✓Security Enabled Linux✓Memory Protection KeysSecurityOptimizedSecurityFocusedSecurityHardenedExadata Security Value-Add Overview“The Oracle Autonomous Database, which completely automates provisioning, management, tuning, and upgrade processes of database instances without any downtime, not just substantially increases security and compliance of sensitive data stored in Oracle Databases but makes a compelling argument for moving this data to the Oracle Cloud.”KuppingerCole AnalystsExadata reduces the attack surface by only including the software components required specifically to run the Oracle database (e.g., minimum Linux distribution)Smaller Installation FootprintExadata OL8~1060 pkgs Standard OL8~8000 pkgsNano Linux Kernel InstallationSecurity: OptimizedExadata uses a custom, nano (micro) kernel with removed dependencies that reduce size and features that are not needed in an enterprise data center.•Fewer device drivers•Smaller footprint•Improved upgrade timeTypical OL8 UEK kernel::kernel-uek-5.4.17-2136.306.1.3.el8uek.x86_64•DomU kernel size 135MBExadata OL8 UEK kernel (23.1.0.0.0):kernel-ueknano-5.4.17-2136.315.5.8.el8uek.x86_64•DomU kernel size 77MBNetwork Access to Storage ServersSecurity: OptimizedSoftware includes the cellwallservice that implements afirewall on each storage server•The SSH server is configured torespond to connectionrequests only on themanagement network (NET0)and the RDMA Network Fabric•The Exadata Storage Servershave no direct connectivity tothe client networkNo Unnecessary Services -Implement Principle of Least Privilege Security: FocusedUnnecessary insecure services such as telnet, ftp are disabled in the systemSecurity best practices require that each process run with the lowest privileges needed to perform the task. The following processes now run as non-privileged users:•Smart Scan processes: Performing a smart scan predicate evaluation does not require rootprivileges.•user cellofl and group celltrace•Select ExaWatcher processes: Some of the ExaWatcher commands that collect iostat, netstat, ps, top, and other information have been modified to run without requiring root user privilege•user exawatch and group exawatchAccess Control For RESTful ServiceSecurity: FocusedOracle Exadata System Software release 19.1.0 introduces a new capability for users to configure access control lists on the HTTPs access to the RESTful service•Specify a list of IP addresses or subnet masks to control access to the RESTful service via HTTPs •If not used, RESTful service can be disabled altogether•Applies to both Oracle Exadata Database and Storage Server# lsof -i -P -n | grep LISTEN | grep javajava<pid> dbmsvc55u IPv4 40193 0t0 TCP *:7879 (LISTEN)# dbmcli -e alter dbserver httpsAccess=noneThis command requires restarting MS. Continue? (y/n): yStopping MS services...The SHUTDOWN of MS services was successful.Updating HTTPs access control list.Starting MS services...The STARTUP of MS services was successful.DBServer successfully altered# lsof -i -P -n | grep LISTEN | grep javaOperating System Activity MonitoringSecurity-Focused•Each Exadata server is configured with auditd to audit system-level activity•manage audits and generate reports use the auditctl command.•Exadata specific audit rules are stored in the /etc/audit/rules.d/01-exadata_audit.rules file[root@vm01 ~]# auditctl -l-a always,exit -F arch=b32 -Schmod,lchown,fchmod,fchown,chown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat ,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod-a always,exit -F arch=b64 -Schmod,fchmod,chown,fchown,lchown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat ,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=access-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=access…Encrypting System Log Information (rsyslog)Security-Focused•Management Server (MS) on database and storage servers supports the syslogconf attribute.•The syslogconf attribute extends syslog rules for a database server.•The attribute can be used to designate that syslog messages be forwarded to a specific remote syslogd service.•On the MS, the forwarded messages are directed to a file, console, or management application, depending on the syslog configuration on the MS.•This enables system logs from different servers to be aggregated and mined in a centralized logging server for security auditing, data mining, and so on.•Use certificates and the syslogconf attribute to configure encryption of the syslog informationOracle Exadata Deployment Assistant (OEDA)Resecure MachinePassword Complexity Password AgingResecure MachinePassword Expiration PermissionsSecurity-HardenedImplement the available features and security plan post deployment via host_access_control/opt/oracle.cellos/host_access_control apply-defaults --strict_compliance_only•INACTIVE=0•Deny on login failure count set to 5•Account lock_time after one failed login attempt set to 600•Password history (pam_unix remember) set to 10•Password strength set to pam_pwquality.so minlen=15 minclass=4 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 difok=8 maxrepeat=3 maxclassrepeat=4 local_users_only retry=3 authtok_type=•PermitRootLogin no•hard maxlogins 10•hmac-sha2-256,hmac-sha2-512 for both server and client•Password aging -M 60, -m 1, -W 7Subset of commands•access -User access from hosts, networks, etc.•auditd-options -Options for auditd•banner -Login banner management•fips-mode -FIPS mode for openSSH•idle-timeout -Shell and SSH client idle timeout control •pam-auth -PAM authentication settings •password-aging -Adjust current users' password aging •rootssh -Root user SSH access control•ssh-access -Allow or deny user and group SSH access •sshciphers -SSH cipher support control•ssh-macs -SSH supported MACs•sudo -User privilege control through sudoPre-scanned full stackSecurity-HardenedEvery Exadata release includes security and emergency fixes to address zero-day vulnerabilities discovered by our internal scanning tools.•Static/Dynamic code analyzing•Malware scans•Third-party software checks•Vulnerability scans•How to research Common Vulnerabilities and Exposures (CVE) for Exadata packages (Doc ID 2256887.1)•System hardening reviews (STIG)•Exadata OL8 System Hardening for STIG Security Compliance (Doc ID 2934166.1)•Exadata OL7 System Hardening for STIG Security Compliance (Doc ID 2614471.1)Customers take advantage of these fixes out of the box by just upgrading to the latest release •Number of issues reported should be much less compared to a custom configurationSecurity: Hardened Monthly Exadata Security Software Updates:•Security fixes •CVE mitigations•Future releases and dates are estimates only Exadata Releases CY2023JAN:22.1.721.2.20APR:23.1.122.1.1021.2.23JUL:23.1.422.1.13OCT:23.1.722.1.16FEB:22.1.821.2.21MAY:23.1.222.1.1121.2.24 (end)AUG:23.1.522.1.14NOV:23.1.822.1.17MAR:23.1.0 (new) 22.1.921.2.22JUN:23.1.322.1.12SEP:23.1.622.1.15DEC:23.1.922.1.18Common Vulnerabilities and Exposures (CVE) IDs issued across the international IT marketplace.That’s ~73 per day!Exadata Security Value Add:•Scanned images•Monthly releases26,448Oracle Linux CVE Mitigations for Exadata 22.1.xSecurity-Hardened0510152025303522.1.122.1.222.1.322.1.422.1.522.1.622.1.722.1.822.1.9N u m b e r o f M i t i g a t i o n s Exadata Release CVE Mitigations Per Release LOW MEDIUM HIGH CRITICALSecurity: Hardened “The Oracle Linux 8 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of the Department of Defense (DoD) information systems”Secure from Factory –Oracle Linux 8 STIG SCAP BenchmarkX9M KVM Guest on 23.1.0.0.0Delivered straight from the FACTORY!Standard Linux installation✓New (and existing) Security Features in ExadataMaximize Security, Maximize Performance, Maximum AvailabilityOracle Linux 8New in Exadata 23.1Oracle Exadata System Software 23.1.0 uses Oracle Linux 8 with the UEK6 kernel•Storage servers, bare-metal database servers, KVM hosts/guests, and OVM guests (DomU).•OVM management domains (Dom0) do not require Oracle Linux 8 and remain on Oracle Linux 7 with UEK5.•Rolling upgrade is supported from Oracle Linux 7 to Oracle Linux 8.OL8 Key security features:•Various SELinux improvements•Crypto-policies covers TLS, IPSec, SSH, DNSSec, and Kerberos protocols.•Modulus size for Diffie-Hellman parameters has been changed to 2048 bits.•DSA public key algorithms are disabled by default.•How to setup RSA SSH equivalence on Oracle Exadata nodes (Doc ID 2923095.1)•Default RSA key size increased to 3072 bits for the ssh-keygen toolCentralized Identification and Authentication of OS Users New in Exadata 23.1Database and storage server support for:•LDAP identity management systems•Kerberos authentication•Linux System Security Services Daemon (SSSD)•Pre-configured with Exadata-specific custom security profile•Customizations preserved across upgradesCentralizes accounts for enhanced security•Easier administration provisioning/deprovisioning•Easier password management•Enterprise security controlsSecurity Enabled Linux (SELinux)Feature Available in Exadata Software 21.2 onwards•The SELinux enhancement to the Linux kernel implements the Mandatory Access Control (MAC) policy, which allows defining a security policy that provides granular permissions for all users, programs, processes, files, and devices.•The system should first be placed in permissive mode to see if any Access Vector Cache (AVC) denials would need to be addressed BEFORE going to enforcing mode./opt/oracle.cellos/host_access_control selinux --helpOptions:-h, --help show this help message and exit-e, --enforcing set the SELinux state to enforcing-p, --permissive set the SELinux state to permissive-d, --disabled set the SELinux state to disabled (Exadata default)-r, --relabel Set the system for relabling-c, --config Display the configured SELinux state-s, --status Display the current SELinux statusFeature Available in Exadata Software 20.1 onwards Exadata Secure Fabric for RoCE systems implements network isolation for Virtual Machines while allowing access to commonExadata Storage Servers•Each Exadata VM Cluster is assigned a private network •VMs cannot communicate with each other•All VMs can communicate to the shared storage infrastructure •Security cannot be bypassed•Enforcement done by the network card on every packet•Rules programmed by hypervisor automaticallyExadata Secure RDMA Fabric Isolation for RoCEFIPS 140-2 for Oracle Linux Kernel/SSH on Exadata Database Nodes Feature Available in Exadata Software 20.1 onwards/opt/oracle.cellos/host_access_control fips-mode --enable•Requires a reboot•STIG mitigation: The Oracle Linux operating system must implement NIST FIPS-validatedcryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.•STIG mitigation: The Oracle Linux operating system must use a FIPS 140-2 approved cryptographic algorithm for SSH communications./opt/oracle.cellos/host_access_control ssh-macs --secdefaults•STIG mitigation: The Oracle Linux operating system must be configured so that the SSH daemon is configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.Management Server App Engine UpdateNew in Exadata Software 20.1Exadata 20.1 -Eclipse Jetty•Light-weight web server•Consumes considerably fewer system resources•Basic functionalities supported, extensible modules•Fewer CVE vulnerabilities –smaller attack vectors•Does not require a dedicated HTTP port for configuration purposesIntroduced in Exadata 19.3 for X7 and newerStorage Server Software Memory is partitioned with 16 colors •Four bits in each page table entry used to identify the color •Each thread is allowed to read/write and enable/disable to its matching color•Any access to a piece of memory that does not have the correct color traps the process•Protects against inadvertent software defects •Enabled out of the box with no tuning needed •Eliminates a class of potential memory corruptionsSecuring Storage Server Processes with Memory Protection KeysStorage BufferStorage BufferStorage BufferThread ThreadOther Security Processes for Storage ServersSecure Computing (seccomp) feature in Oracle Linux Kernel used to restrict system calls that can be made•Kernel has hundreds of system calls, most not needed by any given process•A seccomp filter defines whether a system call is allowed•Seccomp filters installed for cell server and offload processes automatically during upgrade •White-list set of system calls are allowed to be made from these processes•Seccomp performance additional validation of the argumentsDisabling SSH•Storage servers can be “locked” from SSH access•ExaCLI can still be used to perform operations•Communicates using HTTPS and REST APIs to a web service running on the server•Temporary access can be enabled for operational access if requiredExadata installs the system/software on alternating partitions•e.g. when upgrading to a newer version, the software is installed on the inactive partition and then booted to that partition This ensures a complete OS refresh is completed at each upgrade which minimizes the propagation of infected files.OS data is separate from database data •Database is safe from OS corruptionStorage Server Partition InstallationActive System Active SoftwareInactive SystemInactive Software M .2 S S DM .2 S S DAdvanced Intrusion Detection Environment (AIDE)•Help guard against unauthorized access to the files on your Exadata system.•AIDE creates a database of files on the system, and then uses that database to ensure file integrity and to detect system intrusions.# /opt/oracle.SupportTools/exadataAIDE -statusAIDE: daily cron is currently enabled.To add additional rules:Edit the file /etc/aide.confUpdate the AIDE database metadata.# /opt/oracle.SupportTools/exadataAIDE -uDatabase and Storage Server Secure Boot•Secure Boot is a method used to restrict which binaries can be executed to boot the system.•With Secure Boot, the system UEFI firmware will only allow the execution of boot loaders that carry the cryptographic signature of trusted entities•With each reboot of the server, every executed component is verified•This prevents malware from hiding embedded code in the boot chain•Intended to prevent boot-sector malware or kernel code injection•Hardware-based code signing•Extension of the UEFI firmware architecture•Can be enabled or disabled through the UEFI firmware•Restrict access to only the grid disks used by the Oracle ASM disk groups associated with a Oracle ASM cluster.•Restrict access for an Oracle Database instance to a specific set of grid disks.“Oracle Exadata Cloud@Customer uses the superior technology of Oracle Database as a cloud service delivered in our own data centers, meeting all of our data sovereignty and compliance requirements for the Regional Revitalization Cloud.”Norihito SendaNagoya BranchAdvanced Solution DepartmentCorporate Business HeadquartersNippon Telegraph and Telephone West Corporation (NTT WEST)Security Best PracticesThe security of a system is only as good as its weakest link•Regular scans should be run by YOU the owner of the system to ensure against any deviations from the delivered configurations•Maintaining the latest Software Update ensures the latest security vulnerabilities are mitigated•Tools and processes are there to assist in creating a secure environment, but must be used to actually create the secure environmentSecure Eraser•Provide a secure erasure solution for every component within Oracle Exadata Database Machine •Crypto-erase is used whenever possible and is fully compliant with the NIST SP-800-88r1 standard. Component Make or Model Erasure MethodCrypto eraseHard drive•8 TB hard drives on Oracle Exadata Database Machine X5•All hard drives on Oracle Exadata Database Machine X6 or laterHard drive All other hard drives1/3/7-Pass erase Flash device Flash devices on Oracle Exadata Database Machine X5 or later Crypto eraseFlash device All other flash devices7-pass eraseM.2 device Oracle Exadata Database Machine X7-2 or later Crypto eraseSecurity ReferencesOracle Exadata Database Machine Security FAQ•My Oracle Support (MOS) note: Doc ID 2751741.1Oracle Corporate Security Practices•https:///corporate/security-practices/Critical Patch Updates, Security Alerts and Bulletins•https:///technetwork/topics/security/alerts-086861.htmlOracle Corporate Security Blog•https:///security/Oracle Exadata Documentation•https:///en/engineered-systems/exadata-database-machine/books.htmlExadata Product Development Oracle CorporationSecurity MAA TeamThank You!。