Author Archive: Martin Berger

Oracle Cloud Infrastructure – one DRG to many VCNs – arrived in Zurich / Switzerland – Upgrade Time!

Author: Martin Berger 26. May 2021

One of my OCI favorites is finally arrived in Oracle Cloud Infrastructure data center eu-zurich-1 – the possibility to attach one Dynamic Routing Gateway DRG to multiple Virtual Cloud Networks VCNs. To see how it works, Simo has written three blog posts where it’s very well described. Now it’s time to upgrade my existing DRG!

Oracle’s OCI documentation:

Dynamic Routing Gateways (DRGs) (oracle.com)

How to upgrade an existing DRG? See here – just click on the images to see the details.

Step 1 – verify on an existing DRG if your region is ready – if yes, press the Upgrade DRG button

As you can see here, in this version of DRG, there is the existing IPSec connection listed.

Step 2 – Do you really want to upgrade the DRG? Sure!

Step 3 – The UI View changes, new Resources are created

After some minutes, the DRG view has changed, now the Virtual Cloud Network attachments are visible. New resources like DRG Route Tables and Route Distributions are created.

Step 4 – What about the existing VPN Tunnel?

Verify if the existing tunnel is still running and try to connect to be sure that the routing work properly. It works – nice!

[opc@linux-free ~]$ sudo oci-metadata | grep ociAdName
ociAdName: eu-zurich-1-ad-1

1 2	[opc@linux-free ~]$ sudo oci-metadata \| grep ociAdName ociAdName: eu-zurich-1-ad-1

Summary

To attach a single DRG to multiple VCNS opens new possibilities in network design. Read the manual properly to understand how components like DRG Route Tables and DRG Attachments are working. Well done, well done, Oracle!

Uncategorized

Oracle EM13c in Oracle Cloud Infrastructure – sending Mail Notifications by Email Delivery Service

Author: Martin Berger 17. May 2021

For the Trivadis Oracle Enterprise Manager Training, we setup and Oracle EM13c in the Oracle Cloud Infrastructure. One student exercise is, to setup notification rules. Therefore a mail server is required. In Oracle Cloud Infrastructure, there is an Email Delivery service available which fits best: Overview of the Email Delivery Service (oracle.com)

I have tried to setup a local postfix mail gateway which used the NAT gateway address as sender’s address. But the NAT gateway addresses are blacklisted in spam services like spamhaus.com. Even Microsoft doesn’t want to allow these mails send by the NAT gateway. You can see my attempts at the bottom of this blog post.

Setup

Subnet	Component	Purpose
Public	Virtual Machine	Bastion Server, SSH Access, Apache Guacamole
Private	Virtual Machine	Oracle Enterprise Manager EM13c – OMS
Private	Database System	Oracle Enterprise Manager EM13c – Repository

Email Delivery Service Prerequisites

The configuration for this service has to be done as non-federated user. If you want to use the service as a federated user, you get this message: Email Delivery is not available with your current permissions. Please Contact Support for further assistance.

IAM User

This is why I have created a IAM user called email-delivery-service-user. The user needs these permissions to manage the email delivery service.

email-delivery-service-user
email-delivery-service-group
email-delivery-service-policy	Allow group Email-Delivery-Service-Group to manage approved-senders in compartment training:o-em Allow group Email-Delivery-Service-Group to use email-family in compartment training:o-em

SMTP Credentials

Additional a SMTP credential for this user is created. This SMTP credentials are used for Oracle Enterprise Manager EM13c mail server configuration. Identity >> Users >> User Details >> SMTP Credentials. Copy the provided OCID and password temporary for later use.

Email Delivery Service Setup

Login in Oracle Cloud Infrastructure user interface as previous created user to configure the approved sender list. Developer Services >> Email Delivery. Add the mail address what you want to use for OEM communication to the approved sender list. Take care at the policy. Here in this case, the user is only allowed to do it in the O-EM called sub-compartment. Now we are ready to configure the Oracle Enterprise Manager EM13c.

The SMTP server is visible on the Email Configuration page and depends on your region. In my case, the SMTP endpoint in data center Zurich is used: smtp.email.eu-zurich-1.oci.oraclecloud.com.

Oracle Enterprise Manager EM13c – Mail Servers Configuration

In Setup >> Notifications >> Mail Servers, we add a new mail server.

Host	SMTP host provided by OCI
Port	587
User Name	SMTP Credentials user name
Password	SMTP Credentials password
Use Secure Connections	TLS, if available

Set the Sender Identity, the Sender’s Email Address corresponds to the entry in the deliver approved sender list.

Oracle Enterprise Manager EM13c – Mail Servers Test

The configuration is done, we can test it. Test Mail Servers – click on the image for more details. After some seconds, you see a confirmation at the top that the test succeeded. Verify your mailbox for the test message. That’s all folks.

Addendum – Spamhaus and Outlook.com

Before I used the Email Delivery Service, the first try was to configure postfix as local mail agent, there is a good manual available here: Oracle Linux: Install the Postfix Email Server. But this was not successful. When I tried to send mails to my companies’ address or to an outlook.com (hotmail.ch is one of them), I always got a SMTP error: Client host [152.67.94.216] blocked using Spamhaus

May 14 16:17:28 oem1 postfix/pickup[31819]: 7DBC740C1B10: uid=1000 from=<op******@jurasuedfuss.com> 
May 14 16:17:28 oem1 postfix/cleanup[4193]: 7DBC740C1B10: message-id=<609e8678.uDmiR55B+z2ROrGf%op******@jurasuedfuss.com> 
May 14 16:17:28 oem1 postfix/qmgr[31820]: 7DBC740C1B10: from=<op********@jurasuedfuss.com>, size=480, nrcpt=1 (queue active) 
May 14 16:17:28 oem1 postfix/smtp[4197]: 7DBC740C1B10: to=<m*******@hotmail.ch>, relay=eur.olc.protection.outlook.com[104.47.8.33]:25, 
delay=0.15, delays=0.04/0.01/0.08/0.03, dsn=5.7.1, status=bounced (host eur.olc.protection.outlook.com[104.47.8.33] 
said: 550 5.7.1 Service unavailable, Client host [152.67.94.216] blocked using Spamhaus. To request removal from this list 
see https://www.spamhaus.org/query/ip/152.67.94.216 (AS3130). [AM5EUR03FT029.eop-EUR03.prod.protection.outlook.com] (in reply to MAIL FROM command)) 
May 14 16:17:28 oem1 postfix/smtp[4197]: 7DBC740C1B10: lost connection with eur.olc.protection.outlook.com[104.47.8.33] while sending RCPT TO 
May 14 16:17:28 oem1 postfix/cleanup[4193]: A0D69401C6BA: message-id=<20210514141728.A0D69401C6BA@op******@jurasuedfuss.com> 
May 14 16:17:28 oem1 postfix/qmgr[31820]: A0D69401C6BA: from=<>, size=2901, nrcpt=1 (queue active) 
May 14 16:17:28 oem1 postfix/bounce[4198]: 7DBC740C1B10: sender non-delivery notification: A0D69401C6BA 
May 14 16:17:28 oem1 postfix/qmgr[31820]: 7DBC740C1B10: removed 
May 14 16:17:28 oem1 postfix/local[4199]: A0D69401C6BA: to=<op*******@jurasuedfuss.com>, relay=local, delay=0.01, delays=0/0.01/0/0, dsn=2.0.0, status=sent (delivered to maildir) 
May 14 16:17:28 oem1 postfix/qmgr[31820]: A0D69401C6BA: removed

May 14 16:17:28 oem1 postfix/pickup[31819]: 7DBC740C1B10: uid=1000 from=<op******@jurasuedfuss.com>

May 14 16:17:28 oem1 postfix/cleanup[4193]: 7DBC740C1B10: message-id=<609e8678.uDmiR55B+z2ROrGf%op******@jurasuedfuss.com>

May 14 16:17:28 oem1 postfix/qmgr[31820]: 7DBC740C1B10: from=<op********@jurasuedfuss.com>, size=480, nrcpt=1 (queue active)

May 14 16:17:28 oem1 postfix/smtp[4197]: 7DBC740C1B10: to=<m*******@hotmail.ch>, relay=eur.olc.protection.outlook.com[104.47.8.33]:25,

delay=0.15, delays=0.04/0.01/0.08/0.03, dsn=5.7.1, status=bounced (host eur.olc.protection.outlook.com[104.47.8.33]

said: 550 5.7.1 Service unavailable, Client host [152.67.94.216] blocked using Spamhaus. To request removal from this list

see https://www.spamhaus.org/query/ip/152.67.94.216 (AS3130). [AM5EUR03FT029.eop-EUR03.prod.protection.outlook.com] (in reply to MAIL FROM command))

May 14 16:17:28 oem1 postfix/smtp[4197]: 7DBC740C1B10: lost connection with eur.olc.protection.outlook.com[104.47.8.33] while sending RCPT TO

May 14 16:17:28 oem1 postfix/cleanup[4193]: A0D69401C6BA: message-id=<20210514141728.A0D69401C6BA@op******@jurasuedfuss.com>

May 14 16:17:28 oem1 postfix/qmgr[31820]: A0D69401C6BA: from=<>, size=2901, nrcpt=1 (queue active)

May 14 16:17:28 oem1 postfix/bounce[4198]: 7DBC740C1B10: sender non-delivery notification: A0D69401C6BA

May 14 16:17:28 oem1 postfix/qmgr[31820]: 7DBC740C1B10: removed

May 14 16:17:28 oem1 postfix/local[4199]: A0D69401C6BA: to=<op*******@jurasuedfuss.com>, relay=local, delay=0.01, delays=0/0.01/0/0, dsn=2.0.0, status=sent (delivered to maildir)

May 14 16:17:28 oem1 postfix/qmgr[31820]: A0D69401C6BA: removed

152.67.94.216 is the public IP address from the Oracle Cloud Infrastructure NAT gateway, first I did a removal request online at spamhaus.org – the URL was provided in the error message. And 2hrs later, I got a message and confirmed my request.

Two things:

my company syncs their spam filter on a regular base, so after a while, I was able to send notifications to my personal company mail address
but for the Hotmail (Outlook.com) address, it did still not work: Unfortunately, messages from [152.67.94.216] weren’t sent. Please contact your Internet service provider since part of their network is on our block list (S3140)

May 14 18:30:35 oem1 postfix/smtpd[3000]: connect from op****@jurasuedfuss.com[10.0.1.10]
May 14 18:30:35 oem1 postfix/smtpd[3000]: 1D39A40C1B10: client=op****@jurasuedfuss.com[10.0.1.10]
May 14 18:30:35 oem1 postfix/cleanup[3003]: 1D39A40C1B10: message-id=<823497502.17.1621009835108@op****@jurasuedfuss.com>
May 14 18:30:35 oem1 postfix/smtpd[3000]: disconnect from op****@jurasuedfuss.com[10.0.1.10]
May 14 18:30:35 oem1 postfix/qmgr[31820]: 1D39A40C1B10: from=<*****>, size=677, nrcpt=1 (queue active)
May 14 18:30:35 oem1 postfix/smtp[3918]: 1D39A40C1B10: to=<ma*****@hotmail.ch>, relay=eur.olc.protection.outlook.com[104.47.14.33]:25, delay=0.1, 
delays=0/0/0.08/0.02, dsn=5.7.1, status=bounced (host eur.olc.protection.outlook.com[104.47.14.33] 
said: 550 5.7.1 Unfortunately, messages from [152.67.94.216] weren't sent. Please contact your Internet service provider since part of their network is on our block list (S3140). 
You can also refer your provider to http://mail.live.com/mail/troubleshooting.aspx#errors. [VI1EUR04FT028.eop-eur04.prod.protection.outlook.com] (in reply to MAIL FROM command))
May 14 18:30:35 oem1 postfix/smtp[3918]: 1D39A40C1B10: lost connection with eur.olc.protection.outlook.com[104.47.14.33] while sending RCPT TO
May 14 18:30:35 oem1 postfix/cleanup[3003]: 39D73401C6BA: message-id=<20210514163035.39D73401C6BA@op****@jurasuedfuss.com>
May 14 18:30:35 oem1 postfix/bounce[5010]: 1D39A40C1B10: sender non-delivery notification: 39D73401C6BA

May 14 18:30:35 oem1 postfix/smtpd[3000]: connect from op****@jurasuedfuss.com[10.0.1.10]

May 14 18:30:35 oem1 postfix/smtpd[3000]: 1D39A40C1B10: client=op****@jurasuedfuss.com[10.0.1.10]

May 14 18:30:35 oem1 postfix/cleanup[3003]: 1D39A40C1B10: message-id=<823497502.17.1621009835108@op****@jurasuedfuss.com>

May 14 18:30:35 oem1 postfix/smtpd[3000]: disconnect from op****@jurasuedfuss.com[10.0.1.10]

May 14 18:30:35 oem1 postfix/qmgr[31820]: 1D39A40C1B10: from=<*****>, size=677, nrcpt=1 (queue active)

May 14 18:30:35 oem1 postfix/smtp[3918]: 1D39A40C1B10: to=<ma*****@hotmail.ch>, relay=eur.olc.protection.outlook.com[104.47.14.33]:25, delay=0.1,

delays=0/0/0.08/0.02, dsn=5.7.1, status=bounced (host eur.olc.protection.outlook.com[104.47.14.33]

said: 550 5.7.1 Unfortunately, messages from [152.67.94.216] weren't sent. Please contact your Internet service provider since part of their network is on our block list (S3140).

You can also refer your provider to http://mail.live.com/mail/troubleshooting.aspx#errors. [VI1EUR04FT028.eop-eur04.prod.protection.outlook.com] (in reply to MAIL FROM command))

May 14 18:30:35 oem1 postfix/smtp[3918]: 1D39A40C1B10: lost connection with eur.olc.protection.outlook.com[104.47.14.33] while sending RCPT TO

May 14 18:30:35 oem1 postfix/cleanup[3003]: 39D73401C6BA: message-id=<20210514163035.39D73401C6BA@op****@jurasuedfuss.com>

May 14 18:30:35 oem1 postfix/bounce[5010]: 1D39A40C1B10: sender non-delivery notification: 39D73401C6BA

So I tried to contact Microsoft on the same way with a support request:

And some minutes later I git the answer: Not qualified for mitigation.

Summary

This is quite simple: If you are in the cloud – use the cloud services.

Uncategorized

OCI Cloud Performance Management for On-Premises Databases – Part 2 – Database Configuration

Author: Martin Berger 8. March 2021

In the part 1 of this blog post series, we have installed the Management Agent. Now it’s time to add the database. For this case an agent plug-in has to be installed first before we can configure the database.

More information about the management agent administration: https://docs.oracle.com/en-us/iaas/management-agents/doc/management-agents-administration-tasks.html

This is a small blog post series

Part 1 shows the installation of the Management Agent on an on-premises system
Part 2 describes how to manage this Oracle database in OCI
Part 3 watches behind the scenes for billing, job execution etc. – coming soon…

My Setup

An OCI Tenant in datacenter EU-FRANKFURT-1
An empty compartment called datacenter-kestenholz
An on-premises database called CDB114, running on Oracle Linux 7
OCI Management Agent up and running

The goal is to handle the on-premises database in OCI. Output from the Trivadis TVD-Basenv(TM) framework which show the database up and running:

TYPE (Cluster|DG)  : SID/PROCESS  STATUS      HOME      [2021-02-22 08:05:03]
-----------------------------------------------------------------------------
Dummy rdbms_ee     : rdbms19      n/a         /u01/app/oracle/product/19.0.0/dbhome_1

DB-instance (N|N)  : CDB144       open        /u01/app/oracle/product/19.0.0/dbhome_1

Listener           : LISTENER     up          /u01/app/oracle/product/19.0.0/dbhome_1

TYPE (Cluster|DG) : SID/PROCESS STATUS HOME [2021-02-22 08:05:03]

-----------------------------------------------------------------------------

Dummy rdbms_ee : rdbms19 n/a /u01/app/oracle/product/19.0.0/dbhome_1

DB-instance (N|N) : CDB144 open /u01/app/oracle/product/19.0.0/dbhome_1

Listener : LISTENER up /u01/app/oracle/product/19.0.0/dbhome_1

Service Plug-In Deployment

From the agent page, we select the Management Agent to see the details. Click on Deploy Plug-Ins.

Select the plug-in for the database management, press Update to deploy it on the management agent.

Now you see the confirmation that the deployment process is initiated.

After some seconds, you can see on the top right of the agent overview page, that the service plug-in is installed.

Register the External Database

In External Database menu, we register an external container database first. Be sure that the right compartment is selected.

Set the compartment and display name and click Register.

More about this process: https://docs.oracle.com/en-us/iaas/Content/Database/Tasks/externalcreating.htm

Connect to the External Database

After registration, the container database is added, but not connected. In this step we create a connector to setup the database in OCI.

Set display name, DNS hostname, port and service first.

The connector type cannot be changed, select the management agent from the connector agent id list, specify database connection credentials. I use the database schema SYSTEM. Click on Connect to External Container Database.

After some minutes, the work request is done and the database is connected. The database is in state Available.

We repeat the steps above to add the three external Pluggable Databases on the same way.

Enable Database Management

Before Database Management from OCI can be used, it has to be enabled. This is done on the page where the external Container Database is visible. According Oracle’s license handling, this has to be done manually. You can select between BYOL and License Included. After some minutes, the database management is enabled and the agent is updated. More about licensing and pricing in the next blog post number 3 which is coming soon.

Database Management – Database Groups and Fleet Summary

When Database Management is enabled in OCI for all Container and Pluggable Databases, the management agent starts to collect database related data. We can organized the external databases in groups.

In Database Management menu, create a new database group. In my case I named it Datacenter_Kestenholz which contains the previous added external databases.

When Database Management is enabled in OCI for all Container and Pluggable Databases, the Management Agent starts to collect database related data. Some moments later, the dashboard has the first values.

Note: The Container Database is not shown in the Fleet Summary dashboard at the moment, only Pluggable Databases are listed with performance data etc. – I will open a SR to clarify it.

Summary Part 2

When the Management Agent is up and running, adding a database is straight forward. But we have to clarify the license situation first. More about licensing and cost in the next blog post part 3.

Uncategorized

Oracle Cloud Infrastructure – A small and secure Development Environment – Next Level: Terraform

Author: Martin Berger 1. March 2021

In a previous blog post I wrote how to build a small and secure development environment in Oracle Cloud Infrastructure with an OpenVPN entry point and a compute instance in a private setup. Now there is the Terraform code available in GitHub to setup it on an easy and reusable way:

terraform-examples/oci/openvpnas at main · Trivadis/terraform-examples (github.com)

What you get

After executing the code, you will get this setup here:

an OpenVPN Access Server from OCI Marketplace
a Compute Instance

Prerequisites

Oracle OCI CLI installed and configured
Terraform up and running
Git client installed

SSH Key Access

An example private and public SSH key to get access on the compute instance in the private subnet is provided in subdirectory SSH, if you want to use your own SSH key – which is highly recommended – just replace the public key variable in file variables.tf with your own key:

variable "ssh_public_key" {
	default = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCbytm9y7UigHeV2L0vUXWqFiplf9ntG9VMUBGwEoWATV6Ir/4udvObm/6dFCltVmvHVWD5XdbXWvyz9is69jH3Cb2hOUtyZMeXJBTtXnMuC0HaN7zHmrV6qfkQDiRpJNHCEpD3LhAL2VG7tViqCC9rSTEfezKibjGXVl1R606xp57oduuT1V4g82+BLYKdEsDAfgVLI8z23dSYyzd3Kb6ikqG+9wSA1KWWb051KE8ofRtL+FD5cZ/uGLwhczIbMaEZjHs5Zv5L9kWKUU4nBIxv4RN2QjbpFQ+EoTVVZqPeT1eILKEuOFPy5s42AA1an4FMdSoLmEuRtC0sIoR5L5kj imported-openssh-key"
  type        = string
}

variable "ssh_public_key" {

default = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCbytm9y7UigHeV2L0vUXWqFiplf9ntG9VMUBGwEoWATV6Ir/4udvObm/6dFCltVmvHVWD5XdbXWvyz9is69jH3Cb2hOUtyZMeXJBTtXnMuC0HaN7zHmrV6qfkQDiRpJNHCEpD3LhAL2VG7tViqCC9rSTEfezKibjGXVl1R606xp57oduuT1V4g82+BLYKdEsDAfgVLI8z23dSYyzd3Kb6ikqG+9wSA1KWWb051KE8ofRtL+FD5cZ/uGLwhczIbMaEZjHs5Zv5L9kWKUU4nBIxv4RN2QjbpFQ+EoTVVZqPeT1eILKEuOFPy5s42AA1an4FMdSoLmEuRtC0sIoR5L5kj imported-openssh-key"

type = string

}

Some Code Snippets

Terraform State File

In file backend.tf, the Terraform state is set to local, there is also an example to store your state file in OCI Object Store. Please prepare the bucket first according the documentation here: Using Object Storage for State Files (oracle.com). Example:

# define remote state file for terraform
terraform {
  required_version = ">= 0.13.0"
  backend "http" {
    update_method = "PUT"
    address       =  "https://objectstorage.eu-zurich-1.oraclecloud.com/p/............./b/terraform_state_file/o/terraform.tfstate"
  }
}

# define remote state file for terraform

terraform {

required_version = ">= 0.13.0"

backend "http" {

update_method = "PUT"

address = "https://objectstorage.eu-zurich-1.oraclecloud.com/p/............./b/terraform_state_file/o/terraform.tfstate"

}

Compute Instance Image

The compute instance as defined in compute.tf uses this images according your location – for other data centers or images, follow here is the link where all images are listed: https://docs.us-phoenix-1.oraclecloud.com/images/

variable "linux_image_ocid" {
  type = map(any)

  default = {
    # See https://docs.us-phoenix-1.oraclecloud.com/images/
    # Oracle-provided image "Oracle-Linux-7.8-2020.04.17-0"
    eu-zurich-1    = "ocid1.image.oc1.eu-zurich-1.aaaaaaaa5ganyj57k2dqyik4m4btpuq23le3e7clh56rjhgz6fekvtoyazqa"
    eu-frankfurt-1 = "ocid1.image.oc1.eu-frankfurt-1.aaaaaaaavz6p7tyrczcwd5uvq6x2wqkbwcrjjbuohbjomtzv32k5bq24rsha"
    eu-amsterdam-1 = "ocid1.image.oc1.eu-amsterdam-1.aaaaaaaaie5km236l53ymcvpwufyb2srtc3hw2pa6astfjdafzlxxdv5nfsq"
    us-ashburn-1   = "ocid1.image.oc1.iad.aaaaaaaahjkmmew2pjrcpylaf6zdddtom6xjnazwptervti35keqd4fdylca"
  }
}

variable "linux_image_ocid" {

type = map(any)

default = {

# See https://docs.us-phoenix-1.oraclecloud.com/images/

# Oracle-provided image "Oracle-Linux-7.8-2020.04.17-0"

eu-zurich-1 = "ocid1.image.oc1.eu-zurich-1.aaaaaaaa5ganyj57k2dqyik4m4btpuq23le3e7clh56rjhgz6fekvtoyazqa"

eu-frankfurt-1 = "ocid1.image.oc1.eu-frankfurt-1.aaaaaaaavz6p7tyrczcwd5uvq6x2wqkbwcrjjbuohbjomtzv32k5bq24rsha"

eu-amsterdam-1 = "ocid1.image.oc1.eu-amsterdam-1.aaaaaaaaie5km236l53ymcvpwufyb2srtc3hw2pa6astfjdafzlxxdv5nfsq"

us-ashburn-1 = "ocid1.image.oc1.iad.aaaaaaaahjkmmew2pjrcpylaf6zdddtom6xjnazwptervti35keqd4fdylca"

}

OpenVPN Marketplace Image

variable "mp_listing_id" {
  description = "OCI Marketplace Listing ID"
  default     = "ocid1.appcataloglisting.oc1..aaaaaaaafbgwdxg5j6jnyfhbcxvd62iabcraaf6bwu2u2nhrddztrrle66lq"
  type        = string
}

variable "mp_listing_resource_id" {
  description = "OCI Marketplace Listing Resource ID"
  default     = "ocid1.image.oc1..aaaaaaaa4ozqggnywlp3e3wzvu5x3aoohkt6cwm2pumgpn2tlzroj756azma"
  type        = string
}

variable "mp_listing_resource_version" {
  description = "OCI Marketplace Listing Version"
  default     = "AS_2.8.3"
  type        = string
}

variable "mp_listing_id" {

description = "OCI Marketplace Listing ID"

default = "ocid1.appcataloglisting.oc1..aaaaaaaafbgwdxg5j6jnyfhbcxvd62iabcraaf6bwu2u2nhrddztrrle66lq"

type = string

}

variable "mp_listing_resource_id" {

description = "OCI Marketplace Listing Resource ID"

default = "ocid1.image.oc1..aaaaaaaa4ozqggnywlp3e3wzvu5x3aoohkt6cwm2pumgpn2tlzroj756azma"

type = string

}

variable "mp_listing_resource_version" {

description = "OCI Marketplace Listing Version"

default = "AS_2.8.3"

type = string

}

Let’s Terraform it

0: Clone GitHub Directory

And go to openvpnas subdirectory.

$ git clone https://github.com/Trivadis/terraform-examples.git
Cloning into 'terraform-examples'...
remote: Enumerating objects: 241, done.
remote: Counting objects: 100% (241/241), done.
remote: Compressing objects: 100% (155/155), done.
remote: Total 241 (delta 130), reused 155 (delta 72), pack-reused 0
Receiving objects: 100% (241/241), 230.16 KiB | 0 bytes/s, done.
Resolving deltas: 100% (130/130), done.
Checking connectivity... done.

$ cd terraform-examples/oci/openvpnas

$ git clone https://github.com/Trivadis/terraform-examples.git

Cloning into 'terraform-examples'...

remote: Enumerating objects: 241, done.

remote: Counting objects: 100% (241/241), done.

remote: Compressing objects: 100% (155/155), done.

remote: Total 241 (delta 130), reused 155 (delta 72), pack-reused 0

Receiving objects: 100% (241/241), 230.16 KiB | 0 bytes/s, done.

Resolving deltas: 100% (130/130), done.

Checking connectivity... done.

$ cd terraform-examples/oci/openvpnas

1st: Set Variables

export TF_VAR_tenancy_ocid=<your_tenancy_ocid>
export TF_VAR_user_ocid=<your_username_OCID>                              
export TF_VAR_private_key_path=<your_ssh_private_key>   
export TF_VAR_fingerprint=<your_public_key_fingerprint>
export TF_VAR_region=<your_OCI_region>                           
export TF_VAR_compartment_name=<your_compartment_name>
export TF_VAR_compartment_description=<your_compartment_description>
export TF_VAR_compartment_master_ocid=<your_OCID of the master compartment>
export TF_VAR_openvpn_admin_password=<your_openvpn_inital_password_for_user_openvpnadmin>

export TF_VAR_tenancy_ocid=<your_tenancy_ocid>

export TF_VAR_user_ocid=<your_username_OCID>

export TF_VAR_private_key_path=<your_ssh_private_key>

export TF_VAR_fingerprint=<your_public_key_fingerprint>

export TF_VAR_region=<your_OCI_region>

export TF_VAR_compartment_name=<your_compartment_name>

export TF_VAR_compartment_description=<your_compartment_description>

export TF_VAR_compartment_master_ocid=<your_OCID of the master compartment>

export TF_VAR_openvpn_admin_password=<your_openvpn_inital_password_for_user_openvpnadmin>

2nd: terraform init, plan and apply

$ terraform init
$ terraform plan
$ terraform apply

$ terraform init

$ terraform plan

$ terraform apply

Login and Go!

And after some minutes – you can get access to the OpenVPN Administrator Dashboard or get your client or profile. All required information like OpenVPN Access Server public IP, URL etc. are provided in the Terraform output.

Login into the compute instance with the private key and the private subnet IP address when the VPN tunnel is up and running:

Links and Documents

A good point to start: Terraform: Set Up a Simple Infrastructure with OCI Terraform (oracle.com)
Getting started with the Terraform OCI Provider: Getting Started (oracle.com)
Hashicorp Documentation: Docs overview | hashicorp/oci | Terraform Registry
Blog post by Lucas Jellema with the first steps: Very first steps in Oracle Cloud Infrastructure as Code with Terraform – AMIS, Data Driven Blog – Oracle & Microsoft Azure

Summary

Setup an Oracle Cloud Infrastructure with Terraform is a good way to start in the IaC – Infrastructure as Code – world. Feel free to use this code a base for your next project. What’s your next level? Mine is to integrate the code in the Oracle Cloud Resource Manager – stay tuned!

Uncategorized

OCI Cloud Performance Management for On-Premises Databases – Part 1 – Management Agent Installation

Author: Martin Berger 22. February 2021

The OCI Management Agent service collects data from services and sources for monitoring and management in Oracle Cloud Infrastructure. In this blog post series I will show you how you can monitor and manage an on-premises Oracle databases in OCI. The communication between an agent and OCI requires an Agent Install Key and is based on HTTPS. Service Plugins extend a Management Agent for example for Oracle database performance monitoring and management or log analytics.

This is a small blog post series

Part 1 shows the installation of the Management Agent on an on-premises system
Part 2 describes how to manage this Oracle database in OCI
Part 3 watches behind the scenes for billing, job execution etc.

My Setup

An OCI Tenant in datacenter EU-FRANKFURT-1
An OCI compartment called datacenter-kestenholz
An on-premises Container Database called CDB114, running on Oracle Linux 7
Three on-premises Pluggable Databases

The goal is to manage the on-premises database in Oracle Cloud Infrastructure OCI. Output from the Trivadis TVD-Basenv(TM) framework which show the database up and running:

TYPE (Cluster|DG)  : SID/PROCESS  STATUS      HOME      [2021-02-22 08:05:03]
-----------------------------------------------------------------------------
Dummy rdbms_ee     : rdbms19      n/a         /u01/app/oracle/product/19.0.0/dbhome_1

DB-instance (N|N)  : CDB144       open        /u01/app/oracle/product/19.0.0/dbhome_1

Listener           : LISTENER     up          /u01/app/oracle/product/19.0.0/dbhome_1

TYPE (Cluster|DG) : SID/PROCESS STATUS HOME [2021-02-22 08:05:03]

-----------------------------------------------------------------------------

Dummy rdbms_ee : rdbms19 n/a /u01/app/oracle/product/19.0.0/dbhome_1

DB-instance (N|N) : CDB144 open /u01/app/oracle/product/19.0.0/dbhome_1

Listener : LISTENER up /u01/app/oracle/product/19.0.0/dbhome_1

Prerequisites for Management Agent Installation

Oracle Linux 6 or higher
Red Hat Enterprise Linux 6 or higher
CentOS 6 or 7
SUSE Linux Enterprise Server 12 or 15
Windows Server 2012 R2, 2016 or 2019

There are other prerequisites on the target server like the correct Java version (e.g. version 11 does not work) and sudo permissions. For the complete list of prerequisites, see here:

https://docs.oracle.com/en-us/iaas/management-agents/doc/perform-prerequisites-deploying-management-agents.html#GUID-BC5862F0-3E68-4096-B18E-C4462BC76271

Setup for OCI Management Agent

It is recommended to handle the agents in a separate user group and with policies. This allows us to define the Management Agent management on an fine granular level.

Group AGENT_ADMINS

According the documentation, I have created an user group called AGENT_ADMINS.

Policy Datacenter_Kestenholz_Agent_Policy

A new policy is created that allows the admin group to interact with the management agents, handle keys etc.

ALLOW GROUP AGENT_ADMINS TO MANAGE management-agents IN COMPARTMENT datacenter-kestenholz
ALLOW GROUP AGENT_ADMINS TO MANAGE management-agent-install-keys IN COMPARTMENT datacenter-kestenholz
ALLOW GROUP AGENT_ADMINS TO READ METRICS IN COMPARTMENT datacenter-kestenholz
ALLOW GROUP AGENT_ADMINS TO READ USERS IN TENANCY

ALLOW GROUP AGENT_ADMINS TO MANAGE management-agents IN COMPARTMENT datacenter-kestenholz

ALLOW GROUP AGENT_ADMINS TO MANAGE management-agent-install-keys IN COMPARTMENT datacenter-kestenholz

ALLOW GROUP AGENT_ADMINS TO READ METRICS IN COMPARTMENT datacenter-kestenholz

ALLOW GROUP AGENT_ADMINS TO READ USERS IN TENANCY

Dynamic Group Management_Agent_Dynamic_Group

New added agents in the compartment belong automatically to this group. Replace the OCID with the OCID for your compartment.

Policy Datacenter_Kestenholz_Agent_Communication_Policy

A policy is required that allows the agents to communicate with the OCI endpoints. This policy is important, otherwise you run in an communication error (see below in section troubleshooting).

ALLOW DYNAMIC-GROUP Management_Agent_Dynamic_Group TO MANAGE management-agents IN COMPARTMENT datacenter-kestenholz
ALLOW DYNAMIC-GROUP Management_Agent_Dynamic_Group TO USE METRICS IN COMPARTMENT datacenter-kestenholz

1 2	ALLOW DYNAMIC-GROUP Management_Agent_Dynamic_Group TO MANAGE management-agents IN COMPARTMENT datacenter-kestenholz ALLOW DYNAMIC-GROUP Management_Agent_Dynamic_Group TO USE METRICS IN COMPARTMENT datacenter-kestenholz

Install On-Premises Management Agent

Create Agent Install Key

Go to Management Agent Menu / Downloads and Keys, create a new Agent Install Key. Set the compartment and the time how long the key is valid. In this example, I need to replace the key after one month.

When click on Download Key to File, a textfile is created with the ManagementAgentInstallKey and all other (optional) parameters which can be used for install. You can use this file as responsefile template later.

Download the Software and Transfer it to the Target Server

I use the Agent for Linux and transferred it to the target on-premises server into a stage directory as OS user root.

[root@bifangstrasse stage]# ll
total 8128
-rw-r--r--. 1 root root 8323072 Feb 21 20:38 oracle.mgmt_agent.rpm

[root@bifangstrasse stage]# ll

total 8128

-rw-r--r--. 1 root root 8323072 Feb 21 20:38 oracle.mgmt_agent.rpm

Create a Local Response File

This is an example of a simple two-lines response file for agent installation in the same folder where the rpm is located, called input.rsp. The parameter managementAgentInstallKey is visible in the OCI web interface, the CredentialWalletPassword is your password for the wallet.

managementAgentInstallKey = MS4wLHVzLWFzaGJ1cm4tMSxvY2lkMS50ZW5hbmN5-<YOUR_AGENT_KEY_HERE>
CredentialWalletPassword = W3lcome#1

1 2	managementAgentInstallKey = MS4wLHVzLWFzaGJ1cm4tMSxvY2lkMS50ZW5hbmN5-<YOUR_AGENT_KEY_HERE> CredentialWalletPassword = W3lcome#1

RPM Installation

As OS user root (or a user with sudo permissions) – install the rpm file. Here you can see that the minimum required Java version is not met.

[root@bifangstrasse stage]# 
Verifying...                          ################################# [100%]
Preparing...                          ################################# [100%]
Checking pre-requisites
        Checking if any previous agent service exists
        Checking if OS has systemd or initd
        Checking available disk space for agent install
        Checking if /opt/oracle/mgmt_agent directory exists
        Checking if 'mgmt_agent' user exists
        Checking agent version
        Checking Java version
                JAVA_HOME is not set or not readable to root
                Trying default path /usr/bin/java
                Agent only supports JDK 8 with a miniumum upgrade version JDK 8u162. Please set your preferred path in JAVA_HOME
error: %prein(oracle.mgmt_agent-210114.0548-1.x86_64) scriptlet failed, exit status 1
error: oracle.mgmt_agent-210114.0548-1.x86_64: install failed

[root@bifangstrasse stage]#

Verifying... ################################# [100%]

Preparing... ################################# [100%]

Checking pre-requisites

Checking if any previous agent service exists

Checking if OS has systemd or initd

Checking available disk space for agent install

Checking if /opt/oracle/mgmt_agent directory exists

Checking if 'mgmt_agent' user exists

Checking agent version

Checking Java version

JAVA_HOME is not set or not readable to root

Trying default path /usr/bin/java

Agent only supports JDK 8 with a miniumum upgrade version JDK 8u162. Please set your preferred path in JAVA_HOME

error: %prein(oracle.mgmt_agent-210114.0548-1.x86_64) scriptlet failed, exit status 1

error: oracle.mgmt_agent-210114.0548-1.x86_64: install failed

After installing the jdk-8u281-linux-x64.rpm to update the server Java version, the installer runs fine.

[root@bifangstrasse stage]# rpm -Uhv jdk-8u281-linux-x64.rpm
warning: jdk-8u281-linux-x64.rpm: Header V3 RSA/SHA256 Signature, key ID ec551f03: NOKEY
Verifying...                          ################################# [100%]
Preparing...                          ################################# [100%]
Updating / installing...
   1:jdk1.8-2000:1.8.0_281-fcs        ################################# [100%]
Unpacking JAR files...
        tools.jar...
        plugin.jar...
        javaws.jar...
        deploy.jar...
        rt.jar...
        jsse.jar...
        charsets.jar...
        localedata.jar...

[root@bifangstrasse stage]# java -version
java version "1.8.0_281"
Java(TM) SE Runtime Environment (build 1.8.0_281-b09)
Java HotSpot(TM) 64-Bit Server VM (build 25.281-b09, mixed mode)

[root@bifangstrasse stage]# rpm -Uhv jdk-8u281-linux-x64.rpm

warning: jdk-8u281-linux-x64.rpm: Header V3 RSA/SHA256 Signature, key ID ec551f03: NOKEY

Verifying... ################################# [100%]

Preparing... ################################# [100%]

Updating / installing...

1:jdk1.8-2000:1.8.0_281-fcs ################################# [100%]

Unpacking JAR files...

tools.jar...

plugin.jar...

javaws.jar...

deploy.jar...

rt.jar...

jsse.jar...

charsets.jar...

localedata.jar...

[root@bifangstrasse stage]# java -version

java version "1.8.0_281"

Java(TM) SE Runtime Environment (build 1.8.0_281-b09)

Java HotSpot(TM) 64-Bit Server VM (build 25.281-b09, mixed mode)

2nd try – successful

[root@bifangstrasse stage]# rpm -ihv oracle.mgmt_agent.rpm
Verifying...                          ################################# [100%]
Preparing...                          ################################# [100%]
Checking pre-requisites
        Checking if any previous agent service exists
        Checking if OS has systemd or initd
        Checking available disk space for agent install
        Checking if /opt/oracle/mgmt_agent directory exists
        Checking if 'mgmt_agent' user exists
        Checking agent version
        Checking Java version
                JAVA_HOME is not set or not readable to root
                Trying default path /usr/bin/java
                Java version: 1.8.0_281 found at /usr/bin/java
Updating / installing...
   1:oracle.mgmt_agent-210114.0548-1  ################################# [100%]

Executing install
        Unpacking software zip
        Copying files to destination dir (/opt/oracle/mgmt_agent)
        Initializing software from template
        Creating 'mgmt_agent' daemon
        Agent Install Logs: /opt/oracle/mgmt_agent/installer-logs/installer.log.0

        Setup agent using input response file (run as any user with 'sudo' privileges)
        Usage:
                sudo /opt/oracle/mgmt_agent/agent_inst/bin/setup.sh opts=[FULL_PATH_TO_INPUT.RSP]

Agent install successful

[root@bifangstrasse stage]# rpm -ihv oracle.mgmt_agent.rpm

Verifying... ################################# [100%]

Preparing... ################################# [100%]

Checking pre-requisites

Checking if any previous agent service exists

Checking if OS has systemd or initd

Checking available disk space for agent install

Checking if /opt/oracle/mgmt_agent directory exists

Checking if 'mgmt_agent' user exists

Checking agent version

Checking Java version

JAVA_HOME is not set or not readable to root

Trying default path /usr/bin/java

Java version: 1.8.0_281 found at /usr/bin/java

Updating / installing...

1:oracle.mgmt_agent-210114.0548-1 ################################# [100%]

Executing install

Unpacking software zip

Copying files to destination dir (/opt/oracle/mgmt_agent)

Initializing software from template

Creating 'mgmt_agent' daemon

Agent Install Logs: /opt/oracle/mgmt_agent/installer-logs/installer.log.0

Setup agent using input response file (run as any user with 'sudo' privileges)

Usage:

sudo /opt/oracle/mgmt_agent/agent_inst/bin/setup.sh opts=[FULL_PATH_TO_INPUT.RSP]

Agent install successful

Agent Configuration

Run the install script with the created response file as additional parameter. The agent will be started automatically.

[root@bifangstrasse stage]# /opt/oracle/mgmt_agent/agent_inst/bin/setup.sh opts=/stage/input.rsp

Executing configure

        Parsing input response file
        Generating communication wallet
        Validating install key
        Generating security artifacts
        Registering Management Agent

Starting agent...
Agent started successfully


Agent setup completed and the agent is running.
In the future agent can be started by directly running: sudo systemctl start mgmt_agent

Please make sure that you delete /stage/input.rsp or store it in secure location.

[root@bifangstrasse stage]# /opt/oracle/mgmt_agent/agent_inst/bin/setup.sh opts=/stage/input.rsp

Executing configure

Parsing input response file

Generating communication wallet

Validating install key

Generating security artifacts

Registering Management Agent

Starting agent...

Agent started successfully

Agent setup completed and the agent is running.

In the future agent can be started by directly running: sudo systemctl start mgmt_agent

Please make sure that you delete /stage/input.rsp or store it in secure location.

A systemd service is created.

[root@bifangstrasse stage]# systemctl list-units --type=service --state=active | grep mgmt_agent
mgmt_agent.service                 loaded active running mgmt_agent

1 2	[root@bifangstrasse stage]# systemctl list-units --type=service --state=active \| grep mgmt_agent mgmt_agent.service loaded active running mgmt_agent

Verify the Management Agent in Oracle Cloud Infrastructure

Immediately after the setup, the Management Agent is visible with status Active in OCI and starts uploading data.

Agent details:

Troubleshooting

Management Agent logfiles are located in directory /opt/oracle/mgmt_agent/agent_inst/log.

[root@bifangstrasse log]# ls -latr
total 64
drwxr-x---. 7 mgmt_agent mgmt_agent    68 Feb 21 21:23 ..
-rw-r-----. 1 mgmt_agent mgmt_agent     5 Feb 21 21:24 mgmt_agent.pid
-rw-r-----. 1 mgmt_agent mgmt_agent  3631 Feb 21 21:24 wrapper.log
-rw-r-----. 1 mgmt_agent mgmt_agent     0 Feb 21 21:24 mgmt_agent_errors.log
-rw-r-----. 1 mgmt_agent mgmt_agent     0 Feb 21 21:24 mgmt_agent_work.log
-rw-r-----. 1 mgmt_agent mgmt_agent    75 Feb 21 21:24 agent.pid
-rw-r-----. 1 mgmt_agent mgmt_agent  1679 Feb 21 21:24 startup.info
drwxr-x---. 2 mgmt_agent mgmt_agent   246 Feb 21 21:24 .
-rw-r-----. 1 mgmt_agent mgmt_agent     8 Feb 21 21:24 mgmt_agent.status
-rw-r-----. 1 mgmt_agent mgmt_agent     8 Feb 21 21:24 mgmt_agent.java.status
-rw-r-----. 1 mgmt_agent mgmt_agent 31966 Feb 21 21:25 mgmt_agent.log
-rw-r-----. 1 mgmt_agent mgmt_agent  5091 Feb 21 21:25 mgmt_agent_client.log

[root@bifangstrasse log]# ls -latr

total 64

drwxr-x---. 7 mgmt_agent mgmt_agent 68 Feb 21 21:23 ..

-rw-r-----. 1 mgmt_agent mgmt_agent 5 Feb 21 21:24 mgmt_agent.pid

-rw-r-----. 1 mgmt_agent mgmt_agent 3631 Feb 21 21:24 wrapper.log

-rw-r-----. 1 mgmt_agent mgmt_agent 0 Feb 21 21:24 mgmt_agent_errors.log

-rw-r-----. 1 mgmt_agent mgmt_agent 0 Feb 21 21:24 mgmt_agent_work.log

-rw-r-----. 1 mgmt_agent mgmt_agent 75 Feb 21 21:24 agent.pid

-rw-r-----. 1 mgmt_agent mgmt_agent 1679 Feb 21 21:24 startup.info

drwxr-x---. 2 mgmt_agent mgmt_agent 246 Feb 21 21:24 .

-rw-r-----. 1 mgmt_agent mgmt_agent 8 Feb 21 21:24 mgmt_agent.status

-rw-r-----. 1 mgmt_agent mgmt_agent 8 Feb 21 21:24 mgmt_agent.java.status

-rw-r-----. 1 mgmt_agent mgmt_agent 31966 Feb 21 21:25 mgmt_agent.log

-rw-r-----. 1 mgmt_agent mgmt_agent 5091 Feb 21 21:25 mgmt_agent_client.log

Example error when the policy for agent communication is not set properly:

Error:
<--> Endpoint:       management-agent.eu-frankfurt-1.oci.oraclecloud.com:-1
     opc-request-id: US3E76CLWXAJYY5YH6Y37BOULWGHCTT1
     StartTime:      2021-02-21 20:12:44,529 GMT
     Status:         404 Not Found
     Headers:        Content-Length=111
                     opc-request-id=US3E76CLWXAJYY5YH6Y37BOULWGHCTT1/01E0A8DF939076673DF971035E99E335/5BB6AA66C5811DC0CA68288F16327F47
                     Date=Sun, 21 Feb 2021 20:12:44 GMT
                     Content-Type=application/json
     ErrorBody:
{
  "code" : "NotAuthorizedOrNotFound",
  "message" : "Authorization failed or requested resource not found."
}
     EndTime:        2021-02-21 20:12:44,795 GMT

Error:

<--> Endpoint: management-agent.eu-frankfurt-1.oci.oraclecloud.com:-1

opc-request-id: US3E76CLWXAJYY5YH6Y37BOULWGHCTT1

StartTime: 2021-02-21 20:12:44,529 GMT

Status: 404 Not Found

Headers: Content-Length=111

opc-request-id=US3E76CLWXAJYY5YH6Y37BOULWGHCTT1/01E0A8DF939076673DF971035E99E335/5BB6AA66C5811DC0CA68288F16327F47

Date=Sun, 21 Feb 2021 20:12:44 GMT

Content-Type=application/json

ErrorBody:

{

"code" : "NotAuthorizedOrNotFound",

"message" : "Authorization failed or requested resource not found."

}

EndTime: 2021-02-21 20:12:44,795 GMT

From My Oracle Support: OCI : Management Agent Status Reporting As “Not Available” Post Installation (Doc ID 2745566.1)

Summary Part 1

The Management Agent installation and integration is easy to setup when all prerequisites are met. For troubleshooting you have full access on the agent logs. See you for blog post 2, where I try to integrate the on-premises Oracle databases into OCI.

Uncategorized