This chapter gives an overview of the server and software provisioning and patching features introduced in Enterprise Manager 10gR2. This chapter contains the following:
Provisioning and patching features of the Enterprise Manager together make up the Lifecycle Management (Grid Automation) solution area of the Enterprise Manager. To read more about this solution area visit:
The provisioning and patching features of Enterprise Manager automate the deployment of software, applications, and patches. They make critical data center operations easy, efficient, and scalable resulting in lower operational risk and cost of ownership. The ability to provision and patch the entire software stack that includes the operating system, the middleware, database, third party software, and applications supplemented by comprehensive reporting tools make these features extremely significant entities in the overall System Management space.
As shown in Figure 13-1, Enterprise Manager covers the entire lifecycle management of software, applications, and servers. Enterprise Manager orchestrates the initial reference sandbox deployment and then the mass unattended deployment of gold images created from these reference deployments. The smaller lifecycle shown in the figure automates the ongoing patch lifecycle management of the various deployments. Enterprise Manager automates every stage, from proactively informing administrators about critical patches and vulnerabilities in the deployments, through acquiring these patches, to their mass deployment and verification. Going forward, as the computation demand for the resources declines, Enterprise Manager allows one to deactivate and de-provision the resources, making them available for a different purpose.
Following are the advantages of using the provisioning and patching features in Enterprise Manager:
The provisioning and patching features provide a repeatable, reliable, and automated solution for performing mass, unattended, and schedulable deployment of
Software and servers based on Gold Images created using reference deployment or installation media
Software and operating system updates
Complex and multi-tier software like Oracle Real Application Clusters (RAC) and Application Server Clusters
Orchestrates not only provisioning of software but completely automates configuration of software and ensures zero-time for patching of mission critical systems by orchestrating rolling patching for complex multi-tier installation like Real Application Clusters (RAC) databases and Application Server clusters.
Allows new resources to be provisioned at short notice based on compliant and tested gold images.
Enterprise Manager's Critical Patch Facility proactively and regularly queries My Oracle Support for critical patches that have been released and notifies the administrators of only those patches applicable to them. It can also invoke the Patch application in context, and remedy the vulnerable installations. The Critical Patch Facility also supports an offline mode to serve the case of data centers that are not connected to the Internet.
Completely automates the patching operations across the stack. For example, for database patching, it takes care of shutting down and starting up database instances as required by the patch.
Allows multiple operations to be accommodated in a single change window.
Enterprise Manager also provides command-line interface support to all out-of-box provisioning and patching deployment procedures. These features can hence be invoked by custom scripts.
Software provisioning and patching features support SUDO and PAM authentication.
Single interface for multiple players. For example, component designers responsible for creating gold images based on corporate standards and the operators all use the same Enterprise Manager console.
Automation of repeatable installation and patching operations across the stack leads to substantial savings in cost and man-hours.
Enterprise Manager provides provisioning and patching capabilities across the stack for:
Operating Systems, with Bare Metal Provisioning on Linux and operating system patching
Databases, with Real Application Clusters (RAC) provisioning, extension, and deletion and flexible patching for Oracle database and Oracle Real Application Clusters
Middleware, with application server J2EE, BPEL, and SOA provisioning and patching
Once the above entities are available in the software library, one of the following features can be used for mass deployment. Note that these features require Oracle Management Agents to be present on the target machines where the software has to be provisioned.
Enterprise Manager provides the feature of provisioning software or applications.
The workflow of all the tasks that need to be performed for a particular life cycle management activity is encapsulated in a Deployment Procedure. A Deployment Procedure is a hierarchal sequence of provisioning steps, where each step may contain a sequence of other steps. It provides a framework where specific applications and procedures can be built. Oracle ships a set of best practices Deployment Procedures to accomplish provisioning and patching related tasks. Deployment Procedures can be extended and customized for customer needs. The Deployment Procedure to patch a single instance database differs from the one to patch a RAC environment or an Application Server.
Deployment Procedures can vary from one customer to another or a test installation to a production installation. Deployment Procedures take into account and resolve the reality that environments are often different with each having complexities across different tiers with multiple dependencies. The situation is further compounded by existing operational practices. In a typical data center, Deployment Procedures can involve a design time activity (typically performed by a Lead Administrator) and a runtime activity (typically performed by the Operator).
For more information about deployment procedures, see the Deployment Procedures Best Practices White Paper and "Using Enterprise Manager For Grid Automation With Deployment Procedures" in the Oracle Enterprise Manager Advanced Configuration Guide available on OTN.
The cloning application was used during the earlier versions of Enterprise Manager to clone Oracle software either from reference installation or using gold images in software library. These have been replaced by the more flexible deployment procedures.
Use the cloning feature to clone older versions of applications such as Application Server 220.127.116.11. Use the cloning wizard available from the Grid Control Console to perform cloning operations.
It is recommended that you use deployment procedures for provisioning and patching operations.
For more information about cloning, see Cloning, Provisioning RAC & AS Environments Using Enterprise Manager 10g based Cloning.
Note: For cloning, the Cloning wizard will not be supported from Enterprise Manager version 10.2.0.4.
Bare metal or Operating System provisioning application provides server lifecycle management to build, manage, and optimize server infrastructure. The application:
Automates deployment of consistent, certified Linux operating system images across a larger number of servers.
Leads to faster, unattended deployment of software and operating systems.
Allows provisioning of middleware, Clusterware, Real Application Clusters (RAC), and so on.
Provides a template-based approach for provisioning a variety of Linux server configurations (RedHat 3.0/4.0, SuSE/SLES9). This also ensures compliance to standards and consistency across all deployments.
Reduces errors with standardized gold image-based server provisioning.
Supports heterogeneous hardware and network configuration.
Automatically discovers bare metal and live target servers for provisioning.
Especially for Oracle software, the application encodes best practices out-of-the-box for patching.
Results in considerable reduction in manual labor that leads to substantial cost savings.
Note: Ensure that the targets being provisioned are managed by agent versions 10.2.0.2 or higher.
For detailed use cases and capabilities of the Bare Metal Provisioning application, refer to the Best Practices for Grid Control based Bare Metal Provisioning White Paper.
The above-mentioned provisioning deployment procedures can also be executed through EMCLI. For more information, see Chapter 2 in the Oracle Enterprise Manager Advanced Configuration Guide.
Following are the basic elements associated with provisioning.
Components represent the primary building blocks that may be combined with other components as needed, to specify the complete software configuration or image that is provisioned on target machines. A component can represent operating system software, Oracle software or any third party software and applications. Software components are individually maintained within the Oracle Software Library. Versions, states, and maturity levels can be associated with each component.
Directives can be imagined as instructions to cook the final image (recipe) using components (ingredients). These are constructs used to associate scripts with software components and images. These scripts contain directions on how to interpret and process the contents of a particular component or an image. Directives encapsulate the script, the command line used to invoke the script, and the script configuration properties. They capture everything required for invoking the script on a machine during a provisioning operation. Directives are usually categorized based on the provisioning life cycle phases they are targeted for, or the actions they perform. Imagine Directives as a set of executable instructions that run from a supported shell (for example, Bourne-again, Perl, Python), programming language (for example, Java), or execution framework or interpreter (such as “make” or “ant”). Directives are contained within a file stored in the Oracle Software Library and referenced from the software components that employ them.
Components and Directives are used by Deployment Procedures (both out-of-box and custom procedures) to mass deploy software and applications on to target servers.
An image can be viewed as a set of components and may include directives that form the required software configuration, which is deployed on the target machines. An image contains the complete software stack from operating system to application, in the form of its components, and is used for provisioning servers from the ground up with the entire stack provisioned on them. Images reference the components they logically contain by version (rather than include them directly). Images are stored in the Oracle Software Library and versions, states, and maturity levels can be associated with them.
Enterprise Manager allows a shared location accessible from the Oracle Management Server (OMS) to serve as a Software Library. Software library serves as the central repository for metadata and binary content for components, images, and directives. It allows maintaining versions, maturity levels, and states of components, directives, and images.
Note: For server provisioning, other basic elements like Network Profiles and Assignments are required. Refer to the Concepts section in the Best Practices for Grid Control based Bare Metal Provisioning White Paper.
Following are the one-time configuration activities for using the provisioning features.
For both software and server provisioning the user needs to perform a one-time activity of setting up a Software Library. For server provisioning additional elements like Boot server, Stage server, and RPM repository have to be configured as required by the provisioning application. Once configured, the same elements will be used for any software or server-provisioning operation performed using the provisioning application.
Once the environment is ready, the user can use the Enterprise Manager user interface to create components, directives, or images for deploying them onto the target servers. This is explained in Figure 13-2.
You can use either tested reference installations or installation media to create software components from the Enterprise Manager User Interface. The RPM repository is used for creating the out-of-box operating system components that one needs to provision on the bare metal or live servers. You can use the Enterprise Manager User Interface to create Directives and other server provisioning constructs like Storage templates, Hardware templates, and Network templates.
The reusable entities created above are stored in the Software Library.
These reusable entities can then be used by deployment procedures for deployment or mixed and matched to create deployable images for the hardware servers, which are again stored in the software library.
The images or components can then be deployed on test or production environments.
Manually applying software patches to maintain the latest and most secure IT environment can become a full-time job. With Enterprise Manager's deployment management tools, you can quickly see the patches available for the components in your enterprise, find out which have not been applied and which are critical, then bring those deployments up to the latest patch level with out-of-box best practices.
The enriched patching application offers an "end-to-end" patching solution that works seamlessly across a wide range of product patches and customer environments. The patching application automates the deployment of patches for the Oracle Database, including Clusterware and Oracle RAC, as well as Oracle Application Server. Out-of-box procedures are also provided for patching operating systems: Linux (Oracle Enterprise Linux, RHAT, and SUSE), Solaris, and Windows.
Using a direct link to My Oracle Support patch repository, the Critical Patch Facility identifies the critical patches that have been released for the Oracle software running in your specific systems, and notifies administrators of only those patches that are applicable to their environment. Once a patch is identified, Grid Control can orchestrate the download and deploy it on multiple targets automatically.
Enterprise Manager provides the following patching features:
Patching Through Deployment Procedures
Application of Critical Patch Updates
Linux Host Patching
Accessing Patching Pages in Grid Control
Deployment procedures are the best practices for orchestration of patching Oracle Software such as Databases including Real Application Clusters, Clusterware, Automated Storage Management, Application Servers, and Operating Systems. The Deployment procedure-based infrastructure has been leveraged to increase the power and flexibility of Oracle patching for complex multi-tier environments. The out-of-box Deployment Procedures are Oracle-provided best practices that can be customized for specific needs. Users can enable and disable or add custom steps for specific actions and create the best practice for their environment. This is a one-time design activity, typically performed by the lead DBA; the resulting procedure can become the standard and be carried over by the operator for the entire environment.
Deployment procedures also support secure host authentication using sudo or PAM. The entire exercise can be run in the command line (CLI) mode, thereby making it possible to integrate with the existing scripts. Refer to Enterprise Manager Advanced Configuration for details on Using Deployment Procedures.
Note: For patching Oracle Management Agents, use the patch wizard, which can be accessed by clicking the Patch Agent link under Patching section in the Deployments page.
The Library to store patches, directives or components. Can be used in offline mode of patching. You can upload patches to Software library using the View/Upload Patch link.
Refer to Using the Software Library section in Oracle Enterprise Manager Advanced Configuration for details on Software Library.
Lists all critical advisories with their corresponding areas of impact.
Critical Patch Advisories also provides support for "remedies," in that you can select an advisory and view the calculated remediation paths from the context of that advisory, as well as the affected Oracle homes.
Allows you to connect to My Oracle Support through Grid Control, search for and download the required patches, and apply them.
Allows you to perform all the patching activities through Software Library. Even when you are not connected to My Oracle Support, you can search, download, and apply patches.
My Oracle Support
Searches My Oracle Support Web site for Oracle patches and patch sets. Or use Grid Control to search after you provide your My Oracle Support Web site user name and password.
Helps you configure My Oracle Support, patching, proxy connection, and offline patching settings.
Note that if you are accessing a proxy server to get to My Oracle Support, you will need to provide proper authentication and credentials.
Patching through Deployment Procedure
Oracle ships a set of best practices Deployment Procedures to accomplish provisioning and patching related tasks. Deployment Procedures can be extended and customized for customer needs. This allows:
Patching Oracle Management Agents through the Patch Agent link. This applies agent-specific patches and also generic patches like CORE or DST patches on the Agent.
Automates patch application on shared agents when they are NFS-mounted. During Shared Agent Patching, it patches the central location where the agent is installed, shuts down and starts up the shared agents, and executes any pre/post-patching scripts (if specified).
Support for SUDO/PAM-based patching
Deployment procedures support secure host authentication for patching using SUDO/PAM.
This feature notifies users by identifying Criticality on the targets across the Target pages.
Oracle Home Credentials
When you override preferred credentials, you can choose to either specify one set of credentials for all Oracle homes, or specify different credentials for each home.
Provides a powerful central reporting framework that produces detail and summary reports on patch deployments and non-compliant installations. Supports both out-of-box and ad hoc reporting to satisfy different customer needs.
You can use Grid Control to manage Oracle Critical Patch updates:
Assess Vulnerabilities: This helps identify the Oracle Software affected by the advisory. The list displays comprehensive detail on the Critical Patch applicable on specific products under version and platform. This also displays the affected Oracle Homes.
Grid Control automates the entire process of critical patch application. It performs an assessment of vulnerabilities by examining your enterprise configuration to determine which Oracle homes have not applied one or more of these critical patches. Grid Control provides a list of critical patch advisories and the Oracle homes to which the critical patches should be applied.
Some Oracle software patches have been identified as critical. To help ensure a secure and reliable configuration, all relevant and current critical patches should be applied to the appropriate targets in your enterprise.
From the summary of patch advisories, you can navigate for more information about a particular patch, and get a list of the Oracle homes to which the patch has not been applied. Then you can launch the Grid Control Patch tool to download and deploy the patches to multiple targets.
User Notification: This feature notifies users by identifying Criticality on the targets across the Target pages. Also, with the notification and reporting one can receive notifications and reports for the Critical Patch advisory and its assessment.
Application of critical patches: The patch application process is automated directly from the assessment and the patch is downloaded from My Oracle Support and orchestrated:
Directly automate the patch application process using procedures
Download patches directly from My Oracle Support and apply
Schedule to apply patches on multiple targets simultaneously
Configuration update: After applying the patch, the configuration is updated with the latest information, and reports can be generated based on the applied patches.
See Also: "Managing Critical Patch Advisories" in the Grid Control online help and Oracle Enterprise Manager Advanced Configuration.
The Critical Patch Facility enables administrators to simply download the Critical Patch metadata from My Oracle Support and upload it to the repository. This metadata can then be used by the "RefreshFromMyOracleSupport" job for performing Critical Patch calculations in offline mode. Administrators will be alerted to security updates—even if the Management Service is not connected to My Oracle Support.
Some data centers are not connected to the outside world. The Critical Patch Facility's offline mode makes it easy to keep your environment patched to the latest level. Subsequent patching can be done in offline mode as well, using the Software Library infrastructure.
To access the Critical Patch Advisories pages in Grid Control:
Click the Deployments tab, then click the link for the number of Patch Advisories in the Critical Patch Advisories for Oracle Homes section.
Navigate to Grid Control Home page, then click the link for the number of Patch Advisories in the Critical Patch Advisories for Oracle Homes section.
This takes you to the Patch Advisories page, where you can view advisories, patch sets, and patches to apply, as well as affected Oracle homes and available "remedies."
The patching application automates the deployment of Oracle patches for the application server and Management Agents. The application takes care of appropriate shutdown and startup of services and also allows execution of pre and post patching scripts to serve different use cases. Such flexibility makes mass deployment of interim patches and patchsets feasible even in complex multi-tier environments.
The "Patch Linux Hosts" tool, a powerful new feature in Grid Control, facilitates the automated management of Linux hosts in an enterprise. Use this feature to keep the Linux hosts in your enterprise up to date with vital software updates from your Linux vendor.
Patch Linux Hosts uses a reference-based grouped patching model, where you can create one or more reference package repositories containing up-to-date versions of various packages, and associate a group of Linux hosts with these package repositories.
The Patch Linux Hosts tool uses package repositories to patch the hosts as well as to monitor the deviation of the packages installed on the hosts. You can create different groups suited to your administrative needs and even associate different package repositories with different priorities for each group. You can independently control when and how often to update the hosts in the group, and how to determine their compliance with respect to the package repositories.
Note: To use this feature, make sure you have the following:
Licenses for the Provisioning and Patch Automation Pack
Linux Management Pack
"Operator" privileges on the host that you want to patch
Ability to do sudo to the root user
The Linux patching feature provides the following functionalities:
Setting up and managing RPM Repositories by subscribing to Unbreakable Linux Network (ULN) channels
Setting up and managing custom RPM Repositories and channels (cloning channels, copying packages from one channel into another, and deleting channels)
Setting up Linux Patching Group to update a group of Linux hosts and compliance reporting from the Linux Patching group
Scheduling Patching for non-compliant groups
Managing Configuration file channels (creating/deleting channels, uploading files, and copying files from one channel into another)
Patching through deployment procedures and emergency patching
Undo Patching feature
Enhanced Linux Patching feature of Enterprise Manager supports the Unbreakable Linux Network (ULN) subscribers through EM. ULN provides access to Linux software patches, updates and fixes for its customers. Oracle provides three levels of Unbreakable Linux support:
Network Support - access to patches and updates via ULN
Basic Support - access to patches and updates via ULN, 24x7 support, complete Linux server lifecycle management
Premier Support - access to patches and updates via ULN, 24x7 support, Linux server lifecycle management, backporting, lifetime support
The Linux RPM Repository Server Setup page in Enterprise Manager allows you to set up an RPM repository server for Linux patching. You can select the host on which to set up the RPM repository server and register the host to the Unbreakable Linux Network (ULN).
Linux Host Patching Groups: You can group a set of Linux hosts together to update all at once. Each group is associated with one or more package repositories that contain all the certified and appropriate versions of the software packages for the hosts of that group. Each group is configured with an update schedule for a recurring job to run to update the hosts with the associated package repositories.
See Also: "Creating a New Linux Host Group" in the Grid Control online help
RPM Repository: An RPM repository is a directory that contains RPM packages. The RPM repository is accessible via HTTP or FTP. An RPM repository can be organized to contain packages from multiple channels.
Custom Channel: A custom channel is a channel created by the user to store a set of custom RPM packages. Custom channels can be added to the RPM repository.
Configuration Channel: A channel that is created by the user to store a set of Linux configuration files. Configuration channels can be used in the Linux patching application user interface to update configuration files on Linux hosts.
Compliance and automatic updates: The compliance page contains information on the number of hosts in a group that are in compliance, as well as the number of "rogue" packages on a particular host. You can see metrics and charts to measure compliance for all Linux Host Patching Groups, as well as historical compliance data.
Emergency Patching: This feature gives you the option of performing "forced" updates, outside of the established schedule, to immediately respond to critical bugs or security alerts for all configured Linux hosts.
Undo Patching: This feature adds flexibility by allowing you to roll back the software to its previous stable version, or even de-install the unstable version completely if that software version was found to be unsuitable or to have a bug or security vulnerability.
Patching through Deployment Procedures: You can use deployment procedures to set up an RPM repository, patch Linux hosts, and perform other custom patching procedures.
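The reference-based compliance model described above (package repositories with priorities, out-of-date hosts, and "rogue" packages) can be sketched as follows. This is an added example, not Enterprise Manager code: the priority rule (lowest number wins), the reading of "rogue" as a package absent from every associated repository, the simplified version comparison (no epoch or tilde handling), and all host and package data are assumptions constructed for illustration.

```python
"""Added illustration: host compliance against reference package repositories."""
import re
from itertools import zip_longest

SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def vercmp(a, b):
    """Compare two version or release strings segment by segment.

    Simplified RPM-style ordering: numeric segments compare as integers,
    a numeric segment is newer than an alphabetic one, and the string with
    extra trailing segments is newer. Returns -1, 0 or 1.
    """
    for x, y in zip_longest(SEGMENT.findall(a), SEGMENT.findall(b)):
        if x is None:
            return -1
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit():
            return 1
        elif y.isdigit():
            return -1
        elif x != y:
            return 1 if x > y else -1
    return 0


def evr_cmp(a, b):
    """Compare (version, release) pairs; the version decides first."""
    return vercmp(a[0], b[0]) or vercmp(a[1], b[1])


def reference_versions(repos):
    """Merge repositories into one {package: (version, release)} map.

    Assumption: a lower priority number means a higher priority, and the
    highest-priority repository carrying a package defines its reference.
    """
    ref = {}
    for _priority, packages in sorted(repos, key=lambda r: r[0], reverse=True):
        ref.update(packages)  # higher-priority repositories are applied last
    return ref


def assess_host(installed, ref):
    """Return outdated packages and rogue packages for one host."""
    outdated, rogue = {}, []
    for name, evr in installed.items():
        if name not in ref:
            rogue.append(name)  # not present in any associated repository
        elif evr_cmp(evr, ref[name]) < 0:
            outdated[name] = {"installed": evr, "reference": ref[name]}
    return {"compliant": not outdated, "outdated": outdated, "rogue": sorted(rogue)}


def assess_group(hosts, repos):
    """Return (number of compliant hosts, per-host report) for a group."""
    ref = reference_versions(repos)
    report = {host: assess_host(pkgs, ref) for host, pkgs in hosts.items()}
    return sum(1 for r in report.values() if r["compliant"]), report


# Constructed sample data: two repositories and two hosts in one group.
REPOS = [
    (1, {"openssl": ("0.9.7a", "43.17"), "kernel": ("2.6.9", "67.EL")}),
    (2, {"openssl": ("0.9.7a", "43.16"), "kernel": ("2.6.9", "55.EL"),
         "bash": ("3.0", "19.3")}),
]
HOSTS = {
    "db01": {"openssl": ("0.9.7a", "43.17"), "kernel": ("2.6.9", "67.EL"),
             "bash": ("3.0", "19.3")},
    # Release 43.8 is older than 43.17, although it sorts later as a string.
    "db02": {"openssl": ("0.9.7a", "43.8"), "kernel": ("2.6.9", "67.EL"),
             "bash": ("3.0", "19.3"), "nc": ("1.10", "22")},
}

if __name__ == "__main__":
    compliant, report = assess_group(HOSTS, REPOS)
    print(f"{compliant}/{len(HOSTS)} hosts compliant")
    for host, result in report.items():
        print(host, result)
```

The segment-wise comparison matters for the compliance count: a plain string comparison would rank release `43.8` above `43.17` and report the out-of-date host as current.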
Enterprise Manager supports patching of Solaris, Linux, and Windows Operating Systems. For Solaris, you can directly connect to the vendor's Website and download patches.
In addition to the proactive patching methods mentioned in the section above, Enterprise Manager also supports ad-hoc patching of Linux, Windows, and Solaris operating systems using native patching methods.
To access the patching pages in Grid Control:
Click the Deployments tab, then click the links found under the Patching section:
Patching Through Deployment Procedures - This link takes you to the Deployment Procedure Manager page. Deployment procedures are best practices provided by Oracle for various Provisioning and Patching tasks. Procedures created by Oracle cannot be edited, but can be extended using 'Create Like', so that you can customize the procedure to fit your environment.
View/Upload Patch - This link takes you to the Patch Cache page and it provides a list of patches available in the Management Repository. These are patches that have been either automatically downloaded from My Oracle Support or manually uploaded to the patch cache.
Patch Linux Hosts - This link takes you to the Patch Linux Hosts page and helps keep Linux hosts up-to-date with vendor updates.
Patch Agent - This link takes you to the Agent Patching wizard.
Click Setup, then click Patching Setup from the navigation pane. From this page, you can configure your settings for My Oracle Support and patching, proxy connection, offline patching, and Linux Staging server.