RE: Question regarding sudo equivalents

From: Dimensional DBA <dimensional.dba_at_comcast.net>
Date: Mon, 13 Jun 2016 19:17:26 -0700
Message-ID: <000601d1c5e2$e55b6d30$b0124790$_at_comcast.net>



In a lot of cases we turn around the execution concept and grant oracle the sudo privileges to run the commands.

Then automation controlled by the DBA instead of the sysadmin is used to deploy Oracle without human intervention.  

I have worked at some clients where Oracle Cloud Control with Oracle Configuration management is deployed and everything is automated through it.

In other places DBAs have written the puppet/chef deployment scripts and a central deployment repository is used.

In other clients the DBA team actually owned their own puppet/chef deployment services.  

I had one client which had puppet for OS level deployments and Chef for application level deployments for complete separation of duties. The choice of one or the other was based on the two teams. In that particular client the DBAs fell on the application side of the house where in a lot of companies they are seen as part of infrastructure but it really depends on the company.  

I have had a variety of clients use custom automation scripts put into other scheduling or administrative platforms or even a custom driven APEX app for determining deployments.  

There is a gamut of deployment mechanisms/reasons a team or company chooses one or the other. In a lot of cases it seems to really be driven by power and control instead of by what is best.  

IMHO, Sysadmins would prefer puppet, chef or Docker unless the company is driven by Windows admins. The DBAs would prefer OEM or their own automation.

Matthew Parker

Chief Technologist

Dimensional DBA

425-891-7934 (cell)

D&B 047931344

CAGE 7J5S7 Dimensional.dba_at_comcast.net

 <http://www.linkedin.com/pub/matthew-parker/6/51b/944/> View Matthew Parker's profile on LinkedIn

www.dimensionaldba.com <http://www.dimensionaldba.com/>  

From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of John Mchugh
Sent: Monday, June 13, 2016 5:16 PM
To: william.muriithi_at_gmail.com
Cc: pete.sharman_at_oracle.com; oracle-l_at_freelists.org
Subject: Re: Question regarding sudo equivalents

Interesting thread....along the lines of automated provisioning where the database and grid infrastructure require root execution for root.sh and orainstRoot.sh what do most of you use? Or is it acceptable to run the provisioning scripts as root and 'su' to the specific oracle user to run the installation? By automation I mean no human intervention at all for provisioning purposes.  

thanks,

jpm    

On Jun 13, 2016, at 5:04 PM, William Muriithi <william.muriithi_at_gmail.com> wrote:

Evening Pete,
>
> If you need secured access to root (i.e. sudo-like functionality) what are you using to get that access? The reason I'm asking is because I was on a call with a customer this morning and they said sudo was old hat and no-one in their industry uses it any more. Now that's the first I've heard of that, as just about every customer I've dealt with apart from this particular customer is using sudo quite happily. I occasionally run across PowerBroker, but that's about it. I'd be interested to find what people are using, particularly since Enterprise Manager supports sudo or PowerBroker to get this functionality, and if people are moving away from that we need to look at broadening what we support in the product.
>

That's interesting. First time I have heard that the industry is moving away from sudo, so I did a bit of digging and feel like that's not true. If there were more popular tools, they would be supported by puppet and ansible.

Below are the privilege escalation methods offered by ansible.

(default=sudo), valid choices: [ sudo | su | pbrun | pfexec | doas | dzdo

The above are the ansible supported methods. Other than pbrun, the rest are platform specific and not in wide use from the basic 10 min google research. I could be wrong though.

What platform is your client using? Will bet it may be Solaris and they are therefore using pfexec. Anyway, think it's better to still use sudo for the following reason.

With sudo and freeipa, you can push sudo configuration across the data centre, like the way you can push GPO from active directory. Ah, and also prefer a product supported by the operating system by default. Far more secure that way.

Regards

William  

--
http://www.freelists.org/webpage/oracle-l
Received on Tue Jun 14 2016 - 04:17:26 CEST
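
Added example (not part of the original thread or written by any of its participants): the first reply above describes granting the oracle account sudo rights for the root-owned steps, and the quoted question names root.sh and orainstRoot.sh. The script below audits sudoers text for rules that give oracle anything beyond those two scripts. The function name and all paths are constructed placeholders; only plain single-line user rules are handled (no aliases, %groups or includes).

```shell
#!/bin/sh
# Constructed allowlist: the only commands oracle should reach via sudo.
ALLOWED='/u01/app/oraInventory/orainstRoot.sh /u01/app/oracle/product/EXAMPLE/dbhome_1/root.sh'

# Constructed sample rules: a blanket grant and a least-privilege grant.
WEAK_RULE='oracle ALL=(ALL) NOPASSWD: ALL'
TIGHT_RULE='oracle ALL=(root) NOPASSWD: /u01/app/oraInventory/orainstRoot.sh, /u01/app/oracle/product/EXAMPLE/dbhome_1/root.sh'

# audit_oracle_sudoers (hypothetical helper): reads sudoers text on stdin and
# prints one finding per command granted to user "oracle" that is not allowed.
audit_oracle_sudoers() {
  awk -v allowed="$ALLOWED" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^[ \t]*#/     { next }                  # skip comment lines
    $1 != "oracle" { next }                  # only rules for the oracle user
    {
      spec = substr($0, index($0, "=") + 1)  # text after "host="
      sub(/^[ \t]*\([^)]*\)/, "", spec)      # drop the (runas) list
      m = split(spec, cmds, ",")
      for (i = 1; i <= m; i++) {
        c = cmds[i]
        while (sub(/^[ \t]*[A-Z_]+:/, "", c)) {}  # drop tags such as NOPASSWD:
        gsub(/^[ \t]+|[ \t]+$/, "", c)            # trim whitespace
        if (c == "ALL") print "BROAD: oracle may run ALL commands"
        else if (!(c in ok)) print "UNEXPECTED: " c
      }
    }'
}

# Demo on the constructed rules: the first prints a finding, the second none.
printf '%s\n' "$WEAK_RULE"  | audit_oracle_sudoers
printf '%s\n' "$TIGHT_RULE" | audit_oracle_sudoers
```

On a real host, `visudo -cf <file>` checks a drop-in's syntax before it is installed, and `sudo -l -U oracle` shows the effective rules after aliases and includes are resolved.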
