11gR2 rac中使用者角色分離及常見oracle bin程式及ASM磁碟許可權問題彙總

1. 11gR2 RAC 角色分離資訊

11gR2中安裝oracle 叢集件和資料庫軟體中的一些group進行簡單的介紹。

   oinstall : 這個group是GI 和RDBMS軟體的擁有者。

   dba : 這個group是資料庫的dba group, 對資料庫具有最高許可權。

   asmdba : 這個group是asm例項的dba group, 可以啟動/關閉例項，掛載/解除安裝asm 磁碟組。

   asmadmin: 這個group是asm的管理員group,它包含asmdba的全部許可權，同時還可以增加/刪除 asm 磁碟，磁碟組等。

2. ASM共享磁碟及orale/grid使用者及GI_HOME/RDBMS_HOME bin目錄的oracle程式正確許可權

------------GI及RDBMS軟體安裝完成，未DBCA建立資料庫時的許可權：

[root@bys1 ~]# su - oracle

[oracle@bys1 ~]$ cd $ORACLE_HOME/bin

[oracle@bys1 bin]$ ls -al oracle   --RDBMS_HOME的

-rwsr-s--x 1 oracle oinstall 239626665 Nov  9 21:31 oracle

[grid@bys1 ~]$ cd $ORACLE_HOME/bin

[grid@bys1 bin]$ ls -al oracle   --GRID_HOME的

-rwsr-s--x 1 grid oinstall 209914471 Nov  9 19:07 oracle

[grid@bys1 bin]$ crsctl query crs activeversion

Oracle Clusterware active version on the cluster is [11.2.0.4.0]

------------DBCA建立資料庫後的正確許可權示例，即正常的許可權：

[oracle@bys1 bin]$ ls -al oracle

-rwsr-s--x 1 oracle asmadmin 239626665 Nov  9 21:31 oracle

[grid@bys1 ~]$ cd $ORACLE_HOME/bin

[grid@bys1 bin]$ ls -al oracle

-rwsr-s--x 1 grid oinstall 209914471 Nov  9 19:07 oracle

[grid@bys1 bin]$ id oracle

uid=502(oracle) gid=501(oinstall) groups=501(oinstall),502(dba),506(asmdba)

[grid@bys1 bin]$ id grid

uid=501(grid) gid=501(oinstall) groups=501(oinstall),504(asmadmin),506(asmdba),507(asmoper)

3.RAC中常見的因GI/RDBMS HOME中oracle程式許可權或者ASM使用的磁碟許可權有問題引起的問題彙總：

3.1 sqlplus登陸時報錯：ORA-12547: TNS:lost contact

在RAC中常見的還有oracle程式的許可權不對，

ORA-12547 Errors

The error ORA-12547 indicates that the communication channel has been broken. It's most often thrown because the other end of the process went away unexpectedly.

參考MOS文件：

Note 1307075.1 Oracle Database Fails to Start with Error ORA-12547

Note 381566.1 connect / as sysdba Fails with Ora-12547 And Tns-12514

ORA-12537 / ORA-12547 or TNS-12518 if Listener (including SCAN Listener) and Database are Owned by Different OS User (文件 ID 1069517.1)

Note 744512.1 Ora-12547: Tns:Lost Contact Creating Database After Clean Installation

導致 Scan VIP 和 Scan Listener（監聽程式）出現故障的最常見的 5 個問題 (文件 ID 1602038.1)

3.2 安裝完GI與RDBMS軟體，未使用DBCA建立資料庫。使用手動恢復資料庫方法，此時rdmbs_home下oracle程式許可權問題引發的錯誤

RMAN> restore controlfile from '/home/oracle/fulldb_SCTTEST_900418795_84';

Starting restore at 06-JAN-16

using target database control file instead of recovery catalog

allocated channel: ORA_DISK_1

channel ORA_DISK_1: SID=98 instance=scttest1 device type=DISK

channel ORA_DISK_1: restoring control file

RMAN-00571: ===========================================================

RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============

RMAN-00571: ===========================================================

RMAN-03002: failure of restore command at 01/06/2016 13:20:29

ORA-19870: error while restoring backup piece /home/oracle/fulldb_SCTTEST_900418795_84

ORA-19504: failed to create file "+DATA/scttest/controlfile/control01.ctl"

ORA-17502: ksfdcre:3 Failed to create file +DATA/scttest/controlfile/control01.ctl

ORA-15001: diskgroup "DATA" does not exist or is not mounted

ORA-15055: unable to connect to ASM instance

ORA-01034: ORACLE not available

ORA-27123: unable to attach to shared memory segment

其它類似報錯型別：

SQL> create spfile='+DATA/jdedb/spfilejdedb1.ora' from pfile;

create spfile='+DATA/jdedb/spfilejdedb1.ora' from pfile

*

ERROR at line 1:

ORA-17502: ksfdcre:4 Failed to create file +DATA/jdedb/spfilejdedb1.ora

ORA-15001: diskgroup "DATA" does not exist or is not mounted

ORA-15040: diskgroup is incomplete

檢視alert日誌：

Mon Nov 07 14:12:19 2016

Decreasing number of real time LMS from 2 to 0

Mon Nov 07 14:17:50 2016

ORA-15025: could not open disk "/dev/raw/raw2"

ORA-27041: unable to open file

Linux-x86_64 Error: 13: Permission denied

Additional information: 9

Mon Nov 07 14:17:50 2016

SUCCESS: diskgroup DATA was dismounted

ERROR: diskgroup DATA was not mounted

3.3 ASM使用的磁碟許可權問題導致的報錯

11.2.0.3中報錯資訊如下：

ORA-15045:ASM file name '+DATA1' is not in reference form

ORA-17502:ksfdcre:5 Failed to create file +DATA1

ORA-15081:failed to submit an I/0 operation to a disk;

[oracle@bys1 bin]$ ls -al /dev/sdc /dev/sdd  --這可以看到只有GRID使用者可讀寫，要修改。

brw-r----- 1 grid asmadmin 8, 32 Apr 11 19:24 /dev/sdc

4.LINUX “suid”和“sgid”許可權簡介

 Linux 許可權模型有兩個專門的位，叫做“suid”和“sgid”。當設定了一個可執行程式的“suid”這一位時，它將代表可執行檔案的所有者執行，而不是代表啟動程式的人執行。

關於6751許可權的說明：

6751分別指定了ugoa的許可權：

第一位6是suid+sgid許可權

第二位7代表g（組）有讀、寫、執行許可權

第三位5代表o（其它使用者）有讀、執行許可權

第四位1代表a（所有者、組、其它使用者）有執行許可權

詳細可以參考其它BLOG：

http://www.cnblogs.com/snake-hand/p/3161511.html

http://blog.csdn.net/xiaocainiaoshangxiao/article/details/17378611

----------------------------本文內容參考MOS文件：

Oracle Database Fails to Start with Error ORA-12547 (文件 ID 1307075.1)

"Connected to an Idle Instance" Message when Connecting Bequeath to a Running Instance (文件 ID 435044.1)

Troubleshooting when srvctl can't start RAC instance, but sqlplus can start it (文件 ID 844272.1)    

    10gR2 Database Creation Fails with 11gR2 ASM storage: ORA-15045, ORA-17502, ORA-15081 [ID 1384180.1]

    Database Creation on 11.2 Grid Infrastructure with Role Separation ( ORA-15025, KFSG-00312, ORA-15081 ) (文件 ID 1084186.1)

    ORA-00600 [kfioTranslateIO03] [17090] (Doc ID 1336846.1)

    ORA-15183 Unable to Create Database on Server using 11.2 ASM and Grid Infrastructure (文件 ID 1054033.1)

    Startup Instance Failed with ORA-27140 ORA-27300 ORA-27301 ORA-27302 and ORA-27303 on skgpwinit6 (文件 ID 1274030.1)

https://blogs.oracle.com/Database4CN/entry/%E4%BB%BB%E5%8A%A1%E8%A7%92%E8%89%B2%E5%88%86%E7%A6%BB_job_role_separation_%E7%AE%80%E4%BB%8B

---------------------