Return-Path: Delivered-To: 2-oracle-l@orafaq.com Received: (qmail 22646 invoked from network); 22 Feb 2008 13:41:39 -0600 Received: from freelists-180.iquest.net (HELO turing.freelists.org) (206.53.239.180) by static-ip-69-64-49-119.inaddr.intergenia.de with SMTP; 22 Feb 2008 13:41:39 -0600 Received: from localhost (localhost [127.0.0.1]) by turing.freelists.org (Avenir Technologies Mail Multiplex) with ESMTP id C74E980A41C; Fri, 22 Feb 2008 14:41:39 -0500 (EST) Received: from turing.freelists.org ([127.0.0.1]) by localhost (turing.freelists.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 19490-10; Fri, 22 Feb 2008 14:41:39 -0500 (EST) Received: from turing (localhost [127.0.0.1]) by turing.freelists.org (Avenir Technologies Mail Multiplex) with ESMTP id 3F75180A28C; Fri, 22 Feb 2008 14:41:39 -0500 (EST) Received: with ECARTIS (v1.0.0; list oracle-l); Fri, 22 Feb 2008 14:06:14 -0500 (EST) Received: from localhost (localhost [127.0.0.1]) by turing.freelists.org (Avenir Technologies Mail Multiplex) with ESMTP id B0D0F80B68A for ; Fri, 22 Feb 2008 14:06:14 -0500 (EST) Received: from turing.freelists.org ([127.0.0.1]) by localhost (turing.freelists.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 12866-07 for ; Fri, 22 Feb 2008 14:06:14 -0500 (EST) Received: from hs-out-0708.google.com (hs-out-0708.google.com [64.233.178.246]) by turing.freelists.org (Avenir Technologies Mail Multiplex) with ESMTP id B4E2680B688 for ; Fri, 22 Feb 2008 14:06:13 -0500 (EST) Received: by hs-out-0708.google.com with SMTP id 55so639790hsc.2 for ; Fri, 22 Feb 2008 11:06:12 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:references; bh=bmBN11Cij+em+JBgsrH1qJ2/NhvQ3k1/rUc06nfWrx0=; b=jGwAzrvJU74CaBREMBeGaPKVPQ/YiZ6IYDiTOeQTYHH6mzk51vhImKsW3YrLMa/6R0kj+3X6GjjJrfhzQO2qCov8cLZpf9/q3SSeqtm63RAXTVV0Dw5WP1Eoi5125sj9D7L0fFGQInUY2UUZE5ijRr256YWYIYS9rZkLfVR782U= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:in-reply-to:mime-version:content-type:references; b=vA8e0VR9vgnvJX5KPH6hM4nLlVvIzKyjqkxpO/hT2BGII/dYHaerK3wo88SHHsjX7jKehCNeZHRm7eogzBNWNY2i964Sf7DIARbWVCqwBLyRxJWnUE9z2aNDcCJQXz3bSY2ZKF4pQDbcKl6Cso1EO06HJrPkaWgun60usLVmmgk= Received: by 10.100.241.17 with SMTP id o17mr624059anh.106.1203707172161; Fri, 22 Feb 2008 11:06:12 -0800 (PST) Received: by 10.100.4.20 with HTTP; Fri, 22 Feb 2008 11:06:12 -0800 (PST) Message-ID: Date: Fri, 22 Feb 2008 13:06:12 -0600 From: "Greg Norris" To: ORACLE-L Subject: Re: CRS/RAC external-procedure handling In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_Part_772_10000165.1203707172162" References: X-archive-position: 5673 X-ecartis-version: Ecartis v1.0.0 Sender: oracle-l-bounce@freelists.org Errors-to: oracle-l-bounce@freelists.org X-original-sender: spikey.mcmarbles@gmail.com Precedence: normal Reply-to: spikey.mcmarbles@gmail.com List-help: List-unsubscribe: List-software: Ecartis version 1.0.0 List-Id: oracle-l X-List-ID: oracle-l List-subscribe: List-owner: List-post: List-archive: X-list: oracle-l X-Virus-Scanned: Debian amavisd-new at localhost.localdomain ------=_Part_772_10000165.1203707172162 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline For anyone who's curious, I was indeed able to convince CRS to run our extproc listener as a restricted (non-DBA) user. The steps were actually fairly simple, although I took a number of detours along the way. 1. Create the listener in the usual manner via *netca*, and ensure that it's shutdown. 2. Convince your friendly neighborhood SysAdmin to run the following commands, which set the CRS ownership/permissions for the listener resource, as root. The specific resource name can be determined using the * crs_stat* utility... in my case it was * ora.dkds0602.LISTENER_EXTPROC_DKDS0602.lsnr*. $ crs_setperm RESOURCE -o USER $ crs_setperm RESOURCE -g GROUP $ crs_setperm RESOURCE -u user:oracle:r-x Once this is done, it's a straightforward matter of ensuring that the relevant file and directory permissions are set correctly (listener.ora, log/trace directories, external procedure libraries, etc.), after which the listener can be started normally via the *srvctl* command. My thanx to Dan Norris for pointing me in the right direction! On Thu, Feb 7, 2008 at 8:44 PM, Greg Norris wrote: > We're planning to migrate an existing application which requires an > external procedure into a recently-created 10.2.0.3 RAC environment on > Solaris 10. At this point we've created a separate IPC-only listener on > each node to handle extproc calls, and have validated that it allows us to > invoke the procedure successfully. > > The next thing we'd like to do is get the extproc listener running as a > limited OS user, rather than under the oracle account. Can anyone tell me > if this is possible when the listener is managed through CRS? We don't mind > writing a few scripts, if necessary, but would prefer not to duplicate the > CRS monitoring/restart infrastructure. > > My apologies if this is rather basic... I'll happily accept a pointer to > the FM to R. :) We're still a bit new to the whole CRS/RAC environment, and > it's entirely possible that I simply don't know where to look. > > Thanx! > -- "I'm too sexy for my code." - Awk Sed Fred. ------=_Part_772_10000165.1203707172162 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline For anyone who's curious, I was indeed able to convince CRS to run our extproc listener as a restricted (non-DBA) user.  The steps were actually fairly simple, although I took a number of detours along the way.
  1. Create the listener in the usual manner via netca, and ensure that it's shutdown.
  2. Convince your friendly neighborhood SysAdmin to run the following commands, which set the CRS ownership/permissions for the listener resource, as root.  The specific resource name can be determined using the crs_stat utility... in my case it was ora.dkds0602.LISTENER_EXTPROC_DKDS0602.lsnr.
$ crs_setperm RESOURCE -o USER
$ crs_setperm RESOURCE -g GROUP
$ crs_setperm RESOURCE -u user:oracle:r-x

Once this is done, it's a straightforward matter of ensuring that the relevant file and directory permissions are set correctly (listener.ora, log/trace directories, external procedure libraries, etc.), after which the listener can be started normally via the srvctl command.

My thanx to Dan Norris for pointing me in the right direction!


On Thu, Feb 7, 2008 at 8:44 PM, Greg Norris <spikey.mcmarbles@gmail.com> wrote:
We're planning to migrate an existing application which requires an external procedure into a recently-created 10.2.0.3 RAC environment on Solaris 10.  At this point we've created a separate IPC-only listener on each node to handle extproc calls, and have validated that it allows us to invoke the procedure successfully.

The next thing we'd like to do is get the extproc listener running as a limited OS user, rather than under the oracle account.  Can anyone tell me if this is possible when the listener is managed through CRS?  We don't mind writing a few scripts, if necessary, but would prefer not to duplicate the CRS monitoring/restart infrastructure.

My apologies if this is rather basic... I'll happily accept a pointer to the FM to R. :)  We're still a bit new to the whole CRS/RAC environment, and it's entirely possible that I simply don't know where to look.

Thanx!

--
"I'm too sexy for my code." - Awk Sed Fred.
------=_Part_772_10000165.1203707172162-- -- http://www.freelists.org/webpage/oracle-l