This chapter provides an overview of the server and software provisioning and patching features offered by Enterprise Manager Grid Control. This chapter contains the following:
The provisioning and patching features together make up the Lifecycle Management (Grid Automation) solution area of Enterprise Manager Grid Control. To read more about this solution area, access the following URL:
The provisioning and patching features of Enterprise Manager Grid Control automate the deployment of software, applications, and patches using robust, out-of-box deployment procedures. These provisioning and patching deployment procedures make critical data center operations easy, efficient, and scalable, resulting in lower operational risk and cost of ownership. The ability to provision and patch the entire software stack, which includes the operating system, the middleware, database, third party software, and applications, supplemented by comprehensive reporting tools, makes these features extremely significant in the overall System Management space.
As shown in Figure 12-1, using provisioning and patching deployment procedures, Enterprise Manager Grid Control covers the entire lifecycle management of software, applications, and servers. The deployment procedures orchestrate the initial reference sandbox deployment and then the mass unattended deployment of gold images created from these reference deployments.
The smaller lifecycle shown in the figure automates the ongoing patch lifecycle management of the various deployments. Everything from proactively informing administrators about the critical patches and vulnerabilities in the deployments, through acquiring these patches, to mass deployment and verification of these patches is automated by Enterprise Manager Grid Control.
Going forward, as the computation demand for the resources declines, Enterprise Manager Grid Control allows you to deactivate and de-provision the resources, making them available for a different purpose.
The following are the advantages of using the provisioning and patching deployment procedures in Enterprise Manager Grid Control:
Provides a repeatable, reliable, and automated solution for performing mass, unattended, and schedulable deployment of:
Software and servers based on Gold Images created using reference deployment or installation media
Software and operating system updates
Complex and multi-tier software like Oracle Real Application Clusters (RAC) and Fusion Middleware Clusters
Not only orchestrates the provisioning of software but also completely automates the configuration of software, and ensures zero-time for patching of mission-critical systems by orchestrating rolling patching for complex multi-tier installations such as Real Application Clusters (RAC) databases and Fusion Middleware clusters.
Allows new resources to be provisioned at short notice based on compliant and tested gold images.
Automates the patching operations across the stack. For example, for database patching, it takes care of shutting down and starting up database instances as required by the patch.
Allows multiple operations to be accommodated in a single change window.
Supports SUDO, PAM, and Privilege Delegation authentication.
Offers a single interface for multiple players. For example, component designers responsible for creating Gold Images based on corporate standards and the operators all use the same Enterprise Manager Grid Control console.
Automates repeatable installation and patching operations across the stack, which leads to substantial savings in cost and man-hours.
Provides Critical Patch Facility that proactively and regularly queries My Oracle Support for critical patches that have been released and notifies the administrators of only those patches applicable to them. The Critical Patch Facility also supports an offline mode to serve the case of data centers that are not connected to the Internet.
Enterprise Manager Grid Control also provides command-line interface support to all out-of-box provisioning and patching deployment procedures. These features can hence be invoked by custom scripts.
Enterprise Manager Grid Control also allows you to customize these default deployment procedures to suit your requirements.
Enterprise Manager Grid Control provides provisioning and patching capabilities across the stack for:
Operating Systems, with Bare Metal Provisioning on Linux and operating system patching
Databases, with Real Application Clusters (RAC) provisioning, extension, and deletion; Grid Infrastructure provisioning for standalone servers and clustered environments; and flexible patching for Oracle Database and Oracle Real Application Clusters
Middleware, with Oracle Fusion Middleware provisioning, Oracle SOA Suite provisioning, SOA Artifacts provisioning, BPEL provisioning, and Oracle Service Bus provisioning
Note that these features require Oracle Management Agents to be present on the destination hosts where the software has to be provisioned.
The Bare Metal (Operating System) provisioning application provides server lifecycle management to build, manage, and optimize server infrastructure. The application:
Automates deployment of consistent, certified Linux operating system images across a large number of physical and virtual servers.
Automates deployment of hypervisors and virtual machines.
Provides a template-based approach for provisioning a variety of Linux server configurations (RedHat 3.0/4.0, SuSE/SLES9). This also ensures compliance with standards and consistency across all deployments.
Reduces errors with standardized gold image-based server provisioning.
Supports heterogeneous hardware and network configuration.
Automatically discovers bare metal and live target servers for provisioning.
Especially for Oracle software, the application encodes best practices out-of-the-box for patching.
Results in considerable reduction in manual labor that leads to substantial cost savings.
For detailed use cases and capabilities of the Bare Metal Provisioning application, refer to the Oracle Enterprise Manager Administrator's Guide for Software and Server Provisioning and Patching available at:
The provisioning and patching deployment procedures offered by Enterprise Manager Grid Control are default procedures that have been created considering all the best practices in the industry. The steps embedded within a deployment procedure ensure that they meet all your provisioning and patching requirements. You can use them with the default settings to provision or patch the targets in your environment; however, you can also customize them to include additional custom steps, disable unwanted steps, and use authentication tools to run some steps as another user.
You can also customize the deployment procedures to run them as another user, ignore the steps that require special privileges, add new steps, run custom scripts as part of the procedure, implement different error handling methods, and so on. You can run the above-mentioned deployment procedures using EMCLI commands.
For information about customization of deployment procedures, see Oracle Enterprise Manager Administrator's Guide for Software and Server Provisioning and Patching available at:
Following are the basic elements associated with provisioning.
Components represent the primary building blocks that may be combined with other components as needed, to specify the complete software configuration or image that is provisioned on target machines. A component can represent operating system software, Oracle software or any third party software and applications. Software components are individually maintained within the Oracle Software Library. Versions, states, and maturity levels can be associated with each component.
Directives can be imagined as instructions to cook the final image (recipe) using components (ingredients). These are constructs used to associate scripts with software components and images. These scripts contain directions on how to interpret and process the contents of a particular component or an image. Directives encapsulate the script, the command line used to invoke the script, and the script configuration properties. They capture everything required for invoking the script on a machine during a provisioning operation. Directives are usually categorized based on the provisioning life cycle phases they are targeted for, or the actions they perform. Think of Directives as a set of executable instructions that run from a supported shell (for example, Bourne-again, Perl, Python), programming language (for example, Java), or execution framework or interpreter (such as “make” or “ant”). Directives are contained within a file stored in the Oracle Software Library and referenced from the software components that employ them.
Components and Directives are used by Deployment Procedures (both out-of-box and custom procedures) to mass deploy software and applications on to target servers.
An image can be viewed as a set of components and may include directives that form the required software configuration, which is deployed on the target machines. An image contains the complete software stack, from operating system to application, in the form of its components and is used for provisioning servers from the ground up with the entire stack provisioned on them. Images reference the components they logically contain by version (rather than include them directly). Images are stored in the Oracle Software Library, and versions, states, and maturity levels can be associated with them.
Enterprise Manager allows a shared location accessible from the Oracle Management Server (OMS) to serve as a Software Library. The Software Library serves as the central repository for metadata and binary content for components, images, and directives. It allows maintaining versions, maturity levels, and states of components, directives, and images.
Note: For server provisioning, other basic elements like Network Profiles and Assignments are required. Refer to the Concepts section in the Best Practices for Grid Control based Bare Metal Provisioning White Paper.
Following are the one-time configuration activities for using the provisioning features.
For both software and server provisioning the user needs to perform a one-time activity of setting up a Software Library. For server provisioning additional elements like Boot server, Stage server, and RPM repository have to be configured as required by the provisioning application. Once configured, the same elements will be used for any software or server-provisioning operation performed using the provisioning application.
Once the environment is ready, the user can use the Enterprise Manager user interface to create components, directives, or images for deploying them onto the target servers. This is explained in Figure 12-2.
You can use either tested reference installations or installation media to create software components from the Enterprise Manager User Interface. The RPM repository is used for creating the out-of-box operating system components that one needs to provision on the bare metal or live servers. You can use the Enterprise Manager User Interface to create Directives and other server provisioning constructs like Storage templates, Hardware templates, and Network templates.
The reusable entities created above are stored in the Software Library.
These reusable entities can then be used by deployment procedures for deployment or mixed and matched to create deployable images for the hardware servers, which are again stored in the software library.
The images or components can then be deployed on test or production environments.
Manually applying software patches to maintain the latest and most secure IT environment can become a full-time job. With Enterprise Manager's deployment management tools, you can quickly see the patches available for the components in your enterprise, find out which have not been applied and which are critical, then bring those deployments up to the latest patch level with out-of-box best practices.
The enriched patching application offers an "end-to-end" patching solution that works seamlessly across a wide range of product patches and customer environments. The patching application automates the deployment of patches for the Oracle Database, including Clusterware and Oracle RAC, as well as Oracle Application Server. Out-of-box procedures are also provided for patching operating systems: Linux (Oracle Enterprise Linux, RHAT, and SUSE), Solaris, and Windows.
Using a direct link to the My Oracle Support patch repository, the Critical Patch Facility identifies the critical patches that have been released for the Oracle software running in your specific systems, and notifies administrators of only those patches that are applicable to their environment. Once a patch is identified, Grid Control can orchestrate its download and deployment on multiple targets automatically.
Enterprise Manager provides the following patching features:
Patching Through Deployment Procedures
Linux Host Patching
Accessing Patching Pages in Grid Control
My Oracle Support is now integrated with Enterprise Manager Grid Control. This integration provides system administrators with a single console that personalizes their support experience along with seamless management of their IT environments. In the My Oracle Support console, you can view patch recommendations, create patch plans for organizing rollouts, validate conflicts, download an existing merged patch, request a new patch, and directly automate the deployment of patches.
The Patch Recommendations region provides a single view of all Security and Recommended patches that should be deployed across your environment. Patch Plans provide end-to-end patch automation by identifying patches and the affected targets, validating conflicts, merging available patches, or automating the deployments. You can now validate conflicts, download existing merged patches, or send a new merge request from a single integrated console.
Deployment procedures are the best practices for orchestrating the patching of Oracle software such as Databases (including Real Application Clusters), Clusterware, Automated Storage Management, Application Servers, and Operating Systems. The deployment procedure-based infrastructure has been leveraged to increase the power and flexibility of Oracle patching for complex multi-tier environments. The out-of-box Deployment Procedures are Oracle-provided best practices that can be customized for specific needs. Users can enable, disable, or add custom steps for specific actions and create the best practice for their environment. This is a one-time design activity, typically performed by the lead DBA; the resulting procedure can become the standard that operators carry over to the entire environment.
Deployment procedures also support secure host authentication using sudo or PAM. The entire exercise can be run in the command line (CLI) mode, thereby making it possible to integrate with the existing scripts. Refer to Enterprise Manager Advanced Configuration for details on Using Deployment Procedures.
Note: For patching Oracle Management Agents, use the patch wizard, which can be accessed by clicking the Patch Agent link under the Patching section in the Deployments page.
The Software Library stores patches, directives, or components, and can be used in offline mode of patching. You can upload patches to the Software Library using the View/Upload Patch link.
Refer to Using the Software Library section in Oracle Enterprise Manager Advanced Configuration for details on Software Library.
Lists all critical advisories with their corresponding areas of impact.
Critical Patch Advisories also provides support for "remedies," in that you can select an advisory and view the calculated remediation paths from the context of that advisory, as well as the affected Oracle homes.
Allows you to connect to My Oracle Support through Grid Control, search and download the required patches, and apply.
Allows you to perform all the patching activities through Software Library. Even when you are not connected to My Oracle Support, you can search, download, and apply patches.
My Oracle Support
Searches My Oracle Support Web site for Oracle patches and patch sets. Or use Grid Control to search after you provide your My Oracle Support Web site user name and password.
Helps you configure My Oracle Support, patching, proxy connection, and offline patching settings.
Note that if you are accessing a proxy server to get to My Oracle Support, you will need to provide proper authentication and credentials.
Patching through Deployment Procedure
Oracle ships a set of best practices Deployment Procedures to accomplish provisioning and patching related tasks. Deployment Procedures can be extended and customized for customer needs. This allows:
Patching Oracle Management Agents through the Patch Agent link. This applies agent-specific patches and also generic patches like CORE or DST patches on the Agent.
Automates patch application on shared agents when they are NFS-mounted. During Shared Agent Patching, it patches the central location where the agent is installed, shuts down and starts up the shared agents, and executes any pre/post-patching scripts (if specified).
Support for SUDO/PAM-based patching
Deployment procedures support secure host authentication for patching using SUDO/PAM.
This feature notifies users by identifying Criticality on the targets across the Target pages.
Oracle Home Credentials
When you override preferred credentials, you can choose to either specify one set of credentials for all Oracle homes, or specify different credentials for each home.
Provides a powerful central reporting framework that produces detail and summary reports on patch deployments and non-compliant installations. Supports both out-of-box and ad hoc reporting to satisfy different customer needs.
You can use Grid Control to manage Oracle Patch Recommendations. These include security patches that address security vulnerabilities across all targets managed by Oracle Enterprise Manager and all other recommended patches.
Assess Vulnerabilities: This helps identify the Oracle Software affected by the advisory. The list displays comprehensive details on the Patch Recommendations applicable on specific products under version and platform. This also displays the affected Oracle Homes.
Grid Control automates the entire process of critical patch application. It performs an assessment of vulnerabilities by examining your enterprise configuration to determine which Oracle homes have not applied one or more of these critical patches. Grid Control provides a list of critical patch advisories and the Oracle homes to which the critical patches should be applied.
Some Oracle software patches have been identified as critical. To help ensure a secure and reliable configuration, all relevant and current critical patches should be applied to the appropriate targets in your enterprise.
From the summary of patch advisories, you can navigate for more information about a particular patch, and get a list of the Oracle homes to which the patch has not been applied. Then you can launch the Enterprise Manager Grid Control Patch tool to download and deploy the patches to multiple targets.
User Notification: This feature notifies users by identifying Criticality on the targets across the Target pages. Also, with the notification and reporting one can receive notifications and reports for the Patch Recommendations and its assessment.
Application of recommended patches: The patch application process is automated directly from the assessment, and the patch is downloaded from My Oracle Support and orchestrated:
Directly automate the patch application process using procedures
Download patches directly from My Oracle Support and apply
Schedule to apply patches on multiple targets simultaneously
Configuration update: After the patch is applied, the configuration is updated to the latest, and reports can be generated based on the applied patches.
See Also: "Managing Patch Recommendations" in the Enterprise Manager Grid Control online help and Oracle Enterprise Manager Advanced Configuration.
The Patch Recommendation feature enables administrators to simply download the Recommendation XML from My Oracle Support and upload it to the repository. Click Setup > Patching Setup > Online and Offline Settings and upload the downloaded Recommendation XML, which can then be used by the "RefreshFromMyOracleSupport" job for performing Critical Patch calculations in offline mode. Administrators will be alerted to security updates, even if the Management Service is not connected to My Oracle Support.
Some data centers are not connected to the outside world. The Patch Recommendation offline mode feature makes it easy to keep your environment patched to the latest level. Subsequent patching can be done in offline mode as well, using the Software Library infrastructure.
To access the Patch Recommendation pages in Enterprise Manager Grid Control:
Click the Deployments tab, then click the Security Recommendations link in the Recommended Security Patches section.
Click Deployments and then click the Patches & Updates tab.
Click My Oracle Support and then click the Patches & Updates tab.
Click the Security Recommendations link on the Enterprise Manager Grid Control Home page.
This takes you to the My Oracle Support page, where you can view advisories, patch sets, and patches to apply, as well as affected Oracle homes and available "remedies."
The patching application automates the deployment of Oracle patches for the application server and Management Agents. The application takes care of appropriate shutdown and startup of services and also allows execution of pre and post patching scripts to serve different use cases. Such flexibility makes mass deployment of interim patches and patchsets feasible even in complex multi-tier environments.
The "Patch Linux Hosts" tool, a powerful new feature in Grid Control, facilitates the automated management of Linux hosts in an enterprise. Use this feature to keep the Linux hosts in your enterprise up to date with vital software updates from your Linux vendor.
Patch Linux Hosts uses a reference-based grouped patching model, where you can create one or more reference package repositories containing up-to-date versions of various packages, and associate a group of Linux hosts with these package repositories.
The Patch Linux Hosts tool uses package repositories to patch the hosts as well as to monitor the deviation of the packages installed on the hosts. You can create different groups suited to your administrative needs and even associate different package repositories with different priorities for each group. You can independently control when and how often to update the hosts in the group, and how to determine their compliance with respect to the package repositories.
Note: To use this feature, make sure you have the following:
Licenses for the Provisioning and Patch Automation Pack
Linux Management Pack
"Operator" privileges on the host that you want to patch
Ability to do sudo to the root user
The Linux patching feature provides the following functionalities:
Setting up and managing RPM Repositories by subscribing to Unbreakable Linux network (ULN) channels
Setting up and managing custom RPM Repositories and channels (cloning channels, copying packages from one channel into another, and deleting channels)
Setting up Linux Patching Group to update a group of Linux hosts and compliance reporting from the Linux Patching group
Scheduling Patching for non-compliant groups
Managing Configuration file channels (creating/deleting channels, uploading files, and copying files from one channel into another)
Patching through deployment procedures and emergency patching
Undo Patching feature
Enhanced Linux Patching feature of Enterprise Manager supports the Unbreakable Linux Network (ULN) subscribers through EM. ULN provides access to Linux software patches, updates and fixes for its customers. Oracle provides three levels of Unbreakable Linux support:
Network Support - access to patches and updates via ULN
Basic Support - access to patches and updates via ULN, 24x7 support, complete Linux server lifecycle management
Premier Support - access to patches and updates via ULN, 24x7 support, Linux server lifecycle management, backporting, lifetime support
The Linux RPM Repository Server Setup page in Enterprise Manager allows you to set up an RPM repository server for Linux patching. You can select the host on which to set up the RPM repository server and register the host with the Unbreakable Linux Network (ULN).
Linux Host Patching Groups: You can group a set of Linux hosts together to update all at once. Each group is associated with one or more package repositories that contain all the certified and appropriate versions of the software packages for the hosts of that group. Each group is configured with an update schedule for a recurring job to run to update the hosts with the associated package repositories.
See Also: "Creating a New Linux Host Group" in the Grid Control online help
RPM Repository: An RPM repository is a directory that contains RPM packages. The RPM repository is accessible via HTTP or FTP. An RPM repository can be organized to contain packages from multiple channels.
Custom Channel: A custom channel is a channel created by the user to store a set of custom RPM packages. Custom channels can be added to the RPM repository.
Configuration Channel: A channel that is created by the user to store a set of Linux configuration files. Configuration channels can be used in the Linux patching application user interface to update configuration files on Linux hosts.
Compliance and automatic updates: The compliance page contains information on the number of hosts in a group that are in compliance, as well as the number of "rogue" packages on a particular host. You can see metrics and charts to measure compliance for all Linux Host Patching Groups, as well as historical compliance data.
Emergency Patching: This feature gives you the option of performing "forced" updates, outside of the established schedule, to immediately respond to critical bugs or security alerts for all configured Linux hosts.
Undo Patching: This feature adds flexibility by allowing you to roll back the software to its previous stable version, or even de-install the unstable version completely if that software version was found to be unsuitable or to have a bug or security vulnerability.
Patching through Deployment Procedures: You can use deployment procedures to set up an RPM repository, patch Linux hosts, and perform other custom patching procedures.
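The reference-based compliance model described above (hosts in a group compared against prioritized package repositories, with out-of-date and "rogue" packages reported) can be illustrated with the following added example, which is not Oracle code and not part of Enterprise Manager. It assumes that a lower priority number wins when two repositories carry the same package, that a "rogue" package is one installed on a host but absent from every associated repository, and that a host is compliant when none of its packages is older than the reference; host names, repository names, and package versions are constructed.

```python
import re

_SEGMENTS = re.compile(r"\d+|[a-zA-Z]+")


def rpmvercmp(a, b):
    """Compare two version or release strings segment by segment, as rpm
    does for plain alphanumeric strings (tilde/caret rules not handled)."""
    sa, sb = _SEGMENTS.findall(a), _SEGMENTS.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)          # numeric, not lexical: 10 > 9
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric beats alphabetic
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def parse_evr(evr):
    """Split '[epoch:]version-release' into (epoch, version, release)."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return int(epoch or 0), version, release


def compare_evr(a, b):
    (ea, va, ra), (eb, vb, rb) = parse_evr(a), parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def reference_versions(repos):
    """Build the reference package set for a group. Assumption: the
    repository with the lowest priority number supplies the version."""
    ref = {}
    for repo in sorted(repos, key=lambda r: r["priority"]):
        for name, evr in repo["packages"].items():
            ref.setdefault(name, evr)
    return ref


def assess_host(installed, ref):
    out_of_date = sorted(n for n, evr in installed.items()
                         if n in ref and compare_evr(evr, ref[n]) < 0)
    rogue = sorted(n for n in installed if n not in ref)
    return {"compliant": not out_of_date,
            "out_of_date": out_of_date, "rogue": rogue}


def group_report(hosts, repos):
    ref = reference_versions(repos)
    per_host = {h: assess_host(pkgs, ref) for h, pkgs in hosts.items()}
    return {"hosts": per_host,
            "compliant_hosts": sum(r["compliant"] for r in per_host.values()),
            "total_hosts": len(hosts)}


# Constructed sample data: two repositories and two hosts in one group.
REPOS = [
    {"name": "base-channel", "priority": 2,
     "packages": {"httpd": "2.2.3-43.el5", "openssl": "0.9.8e-20.el5",
                  "bash": "3.2-24.el5"}},
    {"name": "custom-channel", "priority": 1,
     "packages": {"httpd": "2.2.3-45.el5"}},
]
HOSTS = {
    "host-a": {"httpd": "2.2.3-45.el5", "openssl": "0.9.8e-20.el5",
               "bash": "3.2-24.el5"},
    "host-b": {"httpd": "2.2.3-43.el5", "openssl": "0.9.8e-12.el5",
               "bash": "3.2-24.el5", "localtool": "1.0-1"},
}

if __name__ == "__main__":
    report = group_report(HOSTS, REPOS)
    print(f"{report['compliant_hosts']}/{report['total_hosts']} hosts compliant")
    for host, result in sorted(report["hosts"].items()):
        print(host, result)
```

On a real host the installed set would come from the RPM database rather than a literal dictionary, and the out-of-date list is what a scheduled or emergency patching run would act on.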
Enterprise Manager supports patching of Solaris, Linux, and Windows Operating Systems. For Solaris, you can directly connect to the vendor's Website and download patches.
In addition to the proactive patching method mentioned in the section above, Enterprise Manager also supports ad-hoc patching of Linux, Windows, and Solaris operating systems using native patching methods.
To access the patching pages in Grid Control:
Click the Deployments tab, then click the links found under the Patching section:
Patching Through Deployment Procedures - This link takes you to the Deployment Procedure Manager page. Deployment procedures are best practices provided by Oracle for various Provisioning and Patching tasks. Procedures created by Oracle cannot be edited, but can be extended using 'Create Like', so that you can customize the procedure to fit your environment.
View/Upload Patch - This link takes you to the Patch Cache page and it provides a list of patches available in the Patch Cache as well as the Software library. These are patches that have been either automatically downloaded from My Oracle Support or manually uploaded to the patch cache.
Patch Linux Hosts - This link takes you to the Patch Linux Hosts page and helps keep Linux hosts up-to-date with vendor updates.
Patch Agent - This link takes you to the Agent Patching wizard.
Click Setup, then click Patching Setup from the navigation pane. From this page, you can configure your settings for My Oracle Support and patching, proxy connection, offline patching, and Linux Staging server.