為monitor打PSU4 (10.2.0.4.4)的步驟

最近在監控伺服器上新安裝了一個oracle 10.2.0.4,被安全科掃描出漏洞,
詳細資訊如下:
--------------------------------------
10.0.3.23

漏洞編號： 3661 CVE號： CVE-2009-0688 CVE-2009-2404 CVE-2010-0086 CVE-2010-0453 CVE-2010-0851 CVE-2010-0852 CVE-2010-0853 
漏洞名稱： Oracle 2010.04安全更新修復多個安全漏洞 漏洞型別： 資料庫測試 
風險級別： 高風險  依賴埠： 1521, 1541 
漏洞描述： 該指令碼透過資料庫的版本進行漏洞識別，可能存在誤報。
2010年04月Oracle釋出的重要補丁更新公告修復了Oracle 的47個安全漏洞，首次以甲骨文名義修補Oracle Sun Product Suite的16個安全漏洞。涉及的Oracle的產品包括Oracle Database、 Fusion Middleware、Collaboration Suite、E-Business Suite、Oracle Transportation Management、 Agile - Engineering Data Management、PeopleSoft/JDE、Communications Industry Suite、Life Sciences Industry Suite、Retail Industry Suite等。這些產品中的漏洞可能導致遠端執行任意程式碼、資訊洩漏或拒絕服務等嚴重後果。Oracle已經提供了補丁，請廣大使用者及時下載更新。 
解決方法： 1、最終解決方案：
目前廠商已經發布安全更新用於修復這些漏洞，請及時應用Oracle 2010.04月安全更新，補丁下載參考頁面地址如下：
http://www.oracle.com/technetwork/topics/security/cpuapr2010-099504.html 
 
相關埠： 1521 
獲取資訊： 無 
--------------------------------------

根據上述連結,找到10.2.0.4上的最新的PSU為10.2.0.4.4 (PSU4 2010.4月釋出)
p9352164_10204_Linux-x86-64.zip

上述補丁的readme.html中提示Opatch必須是10.2.0.4.7或以上
You must use the OPatch 10.2 version 10.2.0.4.7 or later to apply this patch. Oracle recommends that you use the latest released OPatch 10.2, which is available for download from My Oracle Support patch 6880880 by selecting the 10.2.0.0.0 release.

檢視當前版本
[oracle@monitor OPatch]$ ./opatch --version
Invoking OPatch 10.2.0.4.2

到metalink下載 (6880880) 並提readme.html提示安裝10gR2最新opatch工具
步驟見後面的文件 (在安裝前先備份原OPatch目錄)

安裝完成後檢視版本
[oracle@monitor OPatch]$ ./opatch version
Invoking OPatch 10.2.0.5.1

OPatch Version: 10.2.0.5.1

OPatch succeeded.

由於monitor上的oracle是直接把其它的oracle目錄copy過來的,在copy時忽略了/etc/oraInst.loc檔案
查系統中現有補丁時報錯
[oracle@monitor ~]$ cd /oracle/product/10.2.0/db_1/OPatch/
[oracle@monitor OPatch]$ ls
docs  emdpatch.pl  jlib  opatch  opatch.ini  opatch.pl  opatchprereqs
[oracle@monitor OPatch]$ ./opatch lsinventory
Invoking OPatch 10.2.0.4.2

Oracle Interim Patch Installer version 10.2.0.4.2
Copyright (c) 2007, Oracle Corporation.  All rights reserved.

Oracle Home       : /oracle/product/10.2.0/db_1
Central Inventory : n/a
   from           :
OPatch version    : 10.2.0.4.2
OUI version       : 10.2.0.4.0
OUI location      : /oracle/product/10.2.0/db_1/oui
Log file location : n/a

OPatch cannot find a valid oraInst.loc file to locate Central Inventory.

OPatch failed with error code 104
[oracle@monitor OPatch]$

從另一個db上copy 檔案/etc/oraInst.loc過來
[root@monitor etc]# scp .
[root@monitor oracle]# scp -r .
[root@monitor oracle]# chown -R oracle.oinstall oraInventory/

再次檢查oracle的補丁,這次OK
[oracle@monitor OPatch]$ ./opatch lsinventory
Invoking OPatch 10.2.0.4.2

Oracle Interim Patch Installer version 10.2.0.4.2
Copyright (c) 2007, Oracle Corporation.  All rights reserved.

Oracle Home       : /oracle/product/10.2.0/db_1
Central Inventory : /home/oracle/oraInventory
   from           : /etc/oraInst.loc
OPatch version    : 10.2.0.4.2
OUI version       : 10.2.0.4.0
OUI location      : /oracle/product/10.2.0/db_1/oui
Log file location : /oracle/product/10.2.0/db_1/cfgtoollogs/opatch/opatch2011-09-26_19-13-55PM.log

Lsinventory Output file location : /oracle/product/10.2.0/db_1/cfgtoollogs/opatch/lsinv/lsinventory2011-09-26_19-13-55PM.txt

--------------------------------------------------------------------------------
Installed Top-level Products (2):

Oracle Database 10g                                                  10.2.0.1.0
Oracle Database 10g Release 2 Patch Set 3                            10.2.0.4.0
There are 2 products installed in this Oracle Home.

There are no Interim patches installed in this Oracle Home.

--------------------------------------------------------------------------------

OPatch succeeded.
[oracle@monitor OPatch]$

按照p9352164的readme.html步驟打補丁

$cd $ORACLE_HOME/OPatch
$./opatch prereq CheckConflictAgainstOHWithDetail -phBaseDir /home/oracle/patches/9352164
$./opatch apply /home/oracle/patches/9352164
cd $ORACLE_HOME/rdbms/admin
sqlplus /nolog
SQL> CONNECT / AS SYSDBA
SQL> STARTUP
SQL> @catbundle.sql psu apply
SQL> -- Execute the next statement only if this is the first 10.2.0.4 PSU applied in the Oracle home.
SQL> @utlrp.sql
SQL> QUIT

SELECT * FROM registry$history where ID = '6452863'

cd $ORACLE_HOME/cpu/view_recompile
sqlplus /nolog
SQL> CONNECT / AS SYSDBA
SQL> @recompile_precheck_jan2008cpu.sql
SQL> QUIT

cd $ORACLE_HOME/cpu/view_recompile
sqlplus /nolog
SQL> CONNECT / AS SYSDBA
SQL> SHUTDOWN IMMEDIATE
SQL> STARTUP UPGRADE
SQL> @view_recompile_jan2008cpu.sql
SQL> SHUTDOWN;
SQL> STARTUP;
SQL> QUIT

cd $ORACLE_HOME/rdbms/admin
sqlplus /nolog
SQL> CONNECT / AS SYSDBA
SQL> @utlrp.sql

SQL> alter package schemaname.packagename compile;

 

/*** opatch工具升級步驟及注意事項
Patch summary:
--------------
README file for OPatch 10.2.0.5.1, the Oracle Interim Patching Tool.

This patch installs the "OPatch" utility. OPatch is used for patching
Oracle software. If you have an older version of opatch it is strongly
recommended to back it up.

OPatch is Oracle's only supported method of installing Interim
patches. It updates the central and per-product inventories with the
details of the patch.

How to install the utility:
---------------------------
To install this patch simply extract the file "zipped file"
using unzip or winzip, depending upon the platform. You should extract
the zip file directly under the ORACLE_HOME.

To check the version of the opatch utility installed in the above step,
go to the OPatch directory and run "opatch version"

How to run the utility:
-----------------------
OPatch tool requires JDK to be present in the Oracle Home.
It requires JDK version of 1.4.2 or higher for proper functioning.

It can be invoked directly using

    /opatch [] [options]

You can use the following command format to view help information:

    /opatch [] -help

OPatch can be manually invoked using Perl:

  /perl /opatch.pl [options]

You can use the following command format to view help information:

  /perl /opatch.pl  [] -help

There is a User's Guide in the 'docs' subdirectory that has full
details on running the tool. There is FAQ file in the same directory
that answers many of the common questions.

If you don't have Perl, you can download Perl from Metalink
() using Bug 2417872. Source code for perl
is also available from (the Comprehensive Perl
Archive Network). Links to binary versions of perl for supported
operating systems is also provided on the CPAN web site.

You can download the required version of JDK from

Special Instructions:
---------------------
Windows:
--------
  1) If your "Central Inventory" is not under
       C:\Program Files\oracle\inventory, please set env. var. INVENTORY_LOC
            to the value of the registry key
                

  2) Make sure you have java.exe in your PATH

========================================================================
***/