Acfs: it’s all about permissions
It all started with the creation of a database on an Oracle Database Appliance (ODA), which failed with this error:
    Validation of server pool succeeded.
    Registering database with Oracle Restart
    PRCR-1006 : Failed to add resource ora.demodb.db for demodb
    PRCR-1071 : Failed to register or update resource ora.demodb.db
    CRS-2566: User 'oracle' does not have sufficient permissions to operate on resource 'ora.redo.datastore.acfs', which is part of the dependency specification.
    DBCA_PROGRESS : DBCA Operation failed.
One of the things … is it due to running on the ODA or is it a general cluster issue?
It was easy to verify as this customer had another ODA on which everything just works smoothly. So we started to compare the environments. One tiny little thing appeared to be different: the ACL.
On a working ODA:
    [grid@ODA_A-1 ~]$ crsctl status resource ora.redo.datastore.acfs -p |grep ACL
    ACL=owner:root:rwx,pgrp:root:r-x,other::r--,user:oracle:r-x
    [grid@ODA_A-1 ~]$
On this one:
    [grid@ODA_B-1 ~]$ crsctl status resource ora.redo.datastore.acfs -p|grep ACL
    ACL=owner:root:rwx,pgrp:root:r-x,other::r--
    [grid@ODA_B-1 ~]$
Sooo there we have it.
The first instinct is to do a crsctl modify or a crsctl setperm.
Let’s switch to a demo system, as this is ACFS related and not ODA related.
So it’s playtime!
On the demo environment we have an ACFS volume:
    [root@demo-rac12-01 ~]# crsctl status resource ora.dg_advm.advmvol01.acfs
    NAME=ora.dg_advm.advmvol01.acfs
    TYPE=ora.acfs.type
    TARGET=ONLINE , ONLINE , ONLINE
    STATE=ONLINE on demo-rac12-01, ONLINE on demo-rac12-02, ONLINE on demo-rac12-03
    [root@demo-rac12-01 ~]#
If we verify the ACL we see the same configuration as on the ODA:
    [root@demo-rac12-01 ~]# crsctl status resource ora.dg_advm.advmvol01.acfs -p |grep ACL
    ACL=owner:root:rwx,pgrp:root:r-x,other::r--
    [root@demo-rac12-01 ~]#
Yes I know, I did this as root and you could get this information as grid as well.
So let’s do the instinctive thing and try to modify the resource:
    [root@demo-rac12-01 ~]# crsctl modify resource ora.dg_advm.advmvol01.acfs -attr "ACL='owner:root:rwx,pgrp:root:r-x,other::r--,user:oracle:r-x'"
    CRS-4995: The command 'Modify resource' is invalid in crsctl. Use srvctl for this command.
    [root@demo-rac12-01 ~]#
And now we have to be careful with googling things. If you start googling this error, you will find several pages suggesting to use the -unsupported flag. But there is no reason to do so 🙂
By the way, the same error is thrown if you try crsctl setperm.
Let’s assume the cluster is right (it mostly is); then a srvctl modify must exist, and indeed there is one!
    [root@demo-rac12-01 ~]# srvctl modify filesystem -h
    Modifies the configuration for the file system.
    Usage: srvctl modify filesystem -device <volume_device> [-user {[/+ | /-]<user> | <user_list>}] [-path <mountpoint_path>] [-node <node_list> | -serverpool <serverpool_list>] [-fsoptions <options>] [-description <description>] [-autostart {ALWAYS|NEVER|RESTORE}] [-force]
        -device <volume_device>            Volume device path
        -user <user>|<user_list>           Add (/+) or remove (/-) a single user, or replace the entire set of users (with a comma-separated list) authorized to mount and unmount the file system
        -path <mountpoint_path>            Mountpoint path
        -node <node_list>                  Comma separated node names
        -serverpool <serverpool_list>      Comma separated list of server pool names
        -fsoptions <fs_options>            Comma separated list of file system mount options
        -description <description>         File system description
        -autostart {ALWAYS|NEVER|RESTORE}  File system autostart policy
        -force                             Force modification (ignore dependencies)
        -help                              Print usage
    [root@demo-rac12-01 ~]#
So it seems we need to find out which device we’re using. This is simple:
    [root@demo-rac12-01 ~]# crsctl status resource ora.dg_advm.advmvol01.acfs -p |grep VOLUME_DEVICE
    CANONICAL_VOLUME_DEVICE=/dev/asm/advmvol01-438
    VOLUME_DEVICE=/dev/asm/advmvol01-438
    [root@demo-rac12-01 ~]#
There we have it. So now it’s just syntax. Remember the difference in the ACL: we need to add user:oracle:r-x, and sometimes we’re lucky and it’s not too hard.
    [root@demo-rac12-01 ~]# /u01/app/12.1.0.2/grid/bin/crsctl status resource ora.dg_advm.advmvol01.acfs -p |grep -i acl
    ACL=owner:root:rwx,pgrp:root:r-x,other::r--
    [root@demo-rac12-01 ~]# /u01/app/12.1.0.2/grid/bin/srvctl modify filesystem -device /dev/asm/advmvol01-438 -user /+oracle
    [root@demo-rac12-01 ~]# /u01/app/12.1.0.2/grid/bin/crsctl status resource ora.dg_advm.advmvol01.acfs -p |grep -i acl
    ACL=owner:root:rwx,pgrp:root:r-x,other::r--,user:oracle:r-x
    [root@demo-rac12-01 ~]#
Removing it isn’t too hard either:
    [root@demo-rac12-01 ~]# /u01/app/12.1.0.2/grid/bin/srvctl modify filesystem -device /dev/asm/advmvol01-438 -user /-oracle
    [root@demo-rac12-01 ~]# /u01/app/12.1.0.2/grid/bin/crsctl status resource ora.dg_advm.advmvol01.acfs -p |grep -i acl
    ACL=owner:root:rwx,pgrp:root:r-x,other::r--
    [root@demo-rac12-01 ~]#
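The check-then-fix steps above can be scripted so the ACL is verified before a database creation is attempted. This is an added example, not part of the original post: the function names are assumptions, the sample profiles are built from the attribute lines shown in this article, and the script only prints the srvctl command rather than running it.

```shell
#!/bin/sh
# Added example: audit a CRS resource profile for a user ACL entry.
# Input is the text printed by `crsctl status resource <name> -p`.

# Print the permission triplet (e.g. r-x) the ACL grants to user $2, or nothing.
# Only explicit "user:<name>:<perm>" entries count; owner/pgrp entries do not.
acl_user_perm() {
    # $1 = ACL value, $2 = user name
    printf '%s\n' "$1" | tr ',' '\n' | awk -F: -v u="$2" \
        '$1 == "user" && $2 == u { print $3; exit }'
}

# Extract one attribute (a NAME=VALUE line) from a resource profile.
# Matching at column 1 keeps CANONICAL_VOLUME_DEVICE from shadowing VOLUME_DEVICE.
profile_attr() {
    # $1 = profile text, $2 = attribute name
    printf '%s\n' "$1" | awk -v k="$2" \
        'index($0, k "=") == 1 { print substr($0, length(k) + 2); exit }'
}

# Report whether user $2 has read and execute on the resource. If not,
# print (never execute) the srvctl command that adds the user.
check_profile() {
    # $1 = profile text, $2 = user name
    acl=$(profile_attr "$1" ACL)
    dev=$(profile_attr "$1" VOLUME_DEVICE)
    perm=$(acl_user_perm "$acl" "$2")
    case "$perm" in
        r?x) echo "OK: user $2 has $perm" ;;
        *)   echo "MISSING: srvctl modify filesystem -device $dev -user /+$2" ;;
    esac
}

# Constructed sample profiles, using the attribute lines from the demo system.
PROFILE_BEFORE='CANONICAL_VOLUME_DEVICE=/dev/asm/advmvol01-438
VOLUME_DEVICE=/dev/asm/advmvol01-438
ACL=owner:root:rwx,pgrp:root:r-x,other::r--'
PROFILE_AFTER='VOLUME_DEVICE=/dev/asm/advmvol01-438
ACL=owner:root:rwx,pgrp:root:r-x,other::r--,user:oracle:r-x'

check_profile "$PROFILE_BEFORE" oracle
check_profile "$PROFILE_AFTER" oracle
```

On a live cluster, pass the output of `crsctl status resource <name> -p` as the first argument to `check_profile` instead of the sample profiles.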
As always, questions, remarks? Find me on Twitter @vanpupi
One thought on “Acfs: it’s all about permissions”
Thank you for this post. It helped me in a VirtualBox environment!