Acfs: it’s all about permissions

Acfs: it’s all about permissions

It all starts with creation of a database on a Database appliance which failed with the error

Validation of server pool succeeded.
Registering database with Oracle Restart
PRCR-1006 : Failed to add resource ora.demodb.db for demodb
PRCR-1071 : Failed to register or update resource ora.demodb.db
CRS-2566: User 'oracle' does not have sufficient permissions to operate on resource 'ora.redo.datastore.acfs', which is part of the dependency specification.
DBCA_PROGRESS : DBCA Operation failed.

 

One of the things … is it due to running on the ODA or is it a general cluster issue?
It was easy to verify as this customer had another ODA on which everything just works smoothly. So we started to compare the environments. One tiny little thing appeared to be different: the ACL.

On a working ODA:

[grid@ODA_A-1 ~]$ crsctl status resource ora.redo.datastore.acfs -p |grep ACL
ACL=owner:root:rwx,pgrp:root:r-x,other::r--,user:oracle:r-x
[grid@ODA_A-1 ~]$ 

 

On this one:

[grid@ODA_B-1 ~]$ crsctl status resource ora.redo.datastore.acfs -p|grep ACL
ACL=owner:root:rwx,pgrp:root:r-x,other::r--
[grid@ODA_B-1 ~]$ 

Sooo there we have it.
The first intention to do is to do a crsctl modify or a crsctl setperm.
Let’s switch to a demo system as this is acfs and not oda related.

So it’s playtime!
On the demo environment we have an acfs volume:

[root@demo-rac12-01 ~]# crsctl status resource ora.dg_advm.advmvol01.acfs
NAME=ora.dg_advm.advmvol01.acfs
TYPE=ora.acfs.type
TARGET=ONLINE , ONLINE , ONLINE
STATE=ONLINE on demo-rac12-01, ONLINE on demo-rac12-02, ONLINE on demo-rac12-03

[root@demo-rac12-01 ~]#

If we verify the ACL we see the same configuration as on the ODA:

[root@demo-rac12-01 ~]# crsctl status resource ora.dg_advm.advmvol01.acfs -p |grep ACL
ACL=owner:root:rwx,pgrp:root:r-x,other::r--
[root@demo-rac12-01 ~]#

Yes I know, I did this as root and you could get this information as grid as well.
So let’s do the instinctive thing and try to modify the resource:

[root@demo-rac12-01 ~]# crsctl modify resource ora.dg_advm.advmvol01.acfs -attr "ACL='owner:root:rwx,pgrp:root:r-x,other::r--,user:oracle:r-x'"
CRS-4995:  The command 'Modify  resource' is invalid in crsctl. Use srvctl for this command.
[root@demo-rac12-01 ~]#

And now we have to be careful with googling things. If you start googling this error, you will find several pages suggesting to use the -unsupported flag. But there is no reason to do so 🙂
By the way, this same errors is thrown to you if you try to crsctl setperm.

Let’s assume the cluster is right (he mostly is), then a srvctl modify must exist and indeed there is!

[root@demo-rac12-01 ~]# srvctl modify filesystem -h

Modifies the configuration for the file system.

Usage: srvctl modify filesystem -device <volume_device> [-user {[/+ | /-]<user> | <user_list>}] [-path <mountpoint_path>] [-node <node_list> | -serverpool <serverpool_list>] [-fsoptions <options>] [-description <description>] [-autostart {ALWAYS|NEVER|RESTORE}] [-force]
-device <volume_device> Volume device path
-user <user>|<user_list> Add (/+) or remove (/-) a single user, or replace the entire set of users (with a comma-separated list) authorized to mount and unmount the file system
-path <mountpoint_path> Mountpoint path
-node <node_list> Comma separated node names
-serverpool <serverpool_list> Comma separated list of server pool names
-fsoptions <fs_options> Comma separated list of file system mount options
-description <description> File system description
-autostart {ALWAYS|NEVER|RESTORE} File system autostart policy
-force Force modification (ignore dependencies)
-help Print usage
[root@demo-rac12-01 ~]#

So it seems we need to find out which device we’re using. This is simple:

[root@demo-rac12-01 ~]# crsctl status resource ora.dg_advm.advmvol01.acfs -p |grep VOLUME_DEVICE
CANONICAL_VOLUME_DEVICE=/dev/asm/advmvol01-438
VOLUME_DEVICE=/dev/asm/advmvol01-438
[root@demo-rac12-01 ~]#

There we have it. So now it ‘s just syntax. Remember the difference in ACL, so we need to add user:oracle:r-x and sometimes we’re lucky, it’s not too hard.

[root@demo-rac12-01 ~]# /u01/app/12.1.0.2/grid/bin/crsctl status resource ora.dg_advm.advmvol01.acfs -p |grep -i acl
ACL=owner:root:rwx,pgrp:root:r-x,other::r--
[root@demo-rac12-01 ~]# /u01/app/12.1.0.2/grid/bin/srvctl modify filesystem -device /dev/asm/advmvol01-438 -user /+oracle
[root@demo-rac12-01 ~]# /u01/app/12.1.0.2/grid/bin/crsctl status resource ora.dg_advm.advmvol01.acfs -p |grep -i acl
ACL=owner:root:rwx,pgrp:root:r-x,other::r--,user:oracle:r-x
[root@demo-rac12-01 ~]# 

Removing it, isn’t too hard either:


[root@demo-rac12-01 ~]# /u01/app/12.1.0.2/grid/bin/srvctl modify filesystem -device /dev/asm/advmvol01-438 -user /-oracle
[root@demo-rac12-01 ~]# /u01/app/12.1.0.2/grid/bin/crsctl status resource ora.dg_advm.advmvol01.acfs -p |grep -i acl
ACL=owner:root:rwx,pgrp:root:r-x,other::r--
[root@demo-rac12-01 ~]#

 

As always, questions, remarks? find me on twitter @vanpupi

One thought on “Acfs: it’s all about permissions

Comments are closed.

Comments are closed.