Oracle Exadata机介绍

闲聊Oracle一体机Exadata闲聊与关键字：分布式存储甲骨文在文章开始前先作个声明，本人并非专业技术人员，充其量只能算从业人员和技术爱好者。

本文也不是写给专业技术人员看的技术类文档，只是本人因为工作需要，在学习系统架构的过程中，自己的一些感触和体会，只是想分享给对和其他计算机技术感兴趣的人们，希望大家能一起探讨。

因此本文在谈到技术细节问题时，一定漏洞百出，敬请专业人士指正。

是公司研发的一款数据库一体机，关于的介绍文档，在网上能找到很多，它有很多特性，，，，等等，在本文中不对这些特性作详细说明。

本文探讨的只是在设计这款一体机时，借鉴了的开源实现等分布式计算集群的一些设计理念，使数据库的运行环境突破了传统基于共享存储的架构，创新的使用了基于的智能存储节点的架构，从而极大地提高了数据库在海量数据分析类应用的性能。

一、项目简单介绍：由于本文探讨的是和的相似处，因此先简单介绍下。

是开源软件基金会的一个项目的总称，它包含了，，，，等组件，它是基于和的论文发展起来的开源软件项目，而和是它的核心。

是一个开源的分布式文件系统，和单机文件系统一样，它也使用目录树结构，和单机文件系统不同的是，它的文件系统是跨越整个集群的，下图是它的架构集群是主从架构，它由一台节点和多台节点构成。

节点和节点都是标准的。

节点采用存储的方式，即内置多块大容量硬盘，节点可以多达上千台。

通常用于存储大文件，在中每个文件都被切割为固定大小的数据块，然后被分散存放于多台的硬盘上。

并且每个数据块都会有副本存放于远端机架的上，副本数一般设置为三个。

节点不存放实际的文件，而只存放整个文件系统的目录树等元数据。

当客户端需要访问存储于的某个文件时，首先需要访问节点，以取得文件存放的位置信息哪几台，以及在硬盘上的具体地址，然后根据这些目的地址对各上存放的数据并行地进行访问。

的这种分布式存储架构，主要有几个好处：、当存储空间不够时，只要简单增加节点，而系统自动会把数据块分配到新节点上，而无需人工干预。

Exadata 数据库一体机最好的Oracle 数据库运行平台• 运行数据仓库应用的最好平台 • 运行在线业务处理（ OLTP ）的最好平台 • 支持数据库整合的最好平台 • 独特的 架构决定了：• Exadata是运行Oracle 数据库速度最快，成本最低的 平台Copyright © 2011, Oracle Corporation and/or its affiliates– 1–Exadata 硬件体系架构由工业标准服务器作为计算节点和存储节点的可扩展网格架构 • 消除了长久以来在传统架构中存在的对于可扩展性，可用性和成本之间 的折衷处理 Database Grid• 8 Dual-processor x64 database servers 或 • 2 Eight-processor x64 database servers • 100 TB High Performance disk, or 336 TB High Capacity diskIntelligent Storage Grid• 14 High-performance low-cost storage serversInfiniBand Network• Redundant 40Gb/s switches • Unified server & storage network• 5.3 TB PCI Flash • Data mirrored across storage serversCopyright © 2011, Oracle Corporation and/or its affiliates– 2–标准化的配置简化了部署过程的复杂性• 所有的Exadata一体机都拥有以下的共同特性• • • • • 开箱即用 出厂前经过充分测试 大幅简化技术支持工作 没有差异化配置带来的问题 与Oracle 研发部门相同的配置• 直接运行现有 OLTP 和 DW 应用• Oracle 30年数据库经验的结晶 • 不需要特殊的 Exadata 认证 部署工作可以在 几天之内完成， 而不是传统上的 几个月• 充分融入现有的Oracle 价值链• 技术积累, 经验积累，已有人员，合作伙伴都可以充 分发挥– 3–Copyright © 2011, Oracle Corporation and/or its affiliates支持从小配置起步逐渐成长支持现场升级Quarter RackHalf RackFull Rack平衡的配置扩展方式保证 OLTP 和 DW 的良好扩展性Copyright © 2011, Oracle Corporation and/or its affiliates– 4–Exadata 存储扩展机柜用更便宜的价格得到更大的存储容量• 可以用于已有的 Exadata 数据库一体机和 SuperCluster 的存储容量扩展 • 与数据库一体机架构类似，只是把数据库服务 器换成了存储服务器 • 用于需要更大的存储容量而计算能力不需要同 步增长的场景• 磁盘备份 (最高支持 27 TB/hour) • 历史数据和归档数据管理 • 用数据库管理文件数据，二进制对象数据， XML数据，文档数据 • 图像和其他非结构化数据管理Copyright © 2011, Oracle Corporation and/or its affiliates– 5–Exadata存储扩展机柜支持在线扩充数据库一体机的存储容量Quarter Rack Half Rack Full Rack Multi Rack8+ RacksInfiniBand 432 TB Disk Connected 6.75 TB Flash 18 Storage Servers 216 CPU cores 典型应用场景：数据库备份，历史数据存储，外部文件存储，图像文件存储， XML存储Copyright © 2011, Oracle Corporation and/or its affiliates96 TB Disk 1.5 TB Flash 4 Storage Servers 48 CPU cores216 TB Disk 3.4 TB Flash 9 Storage Servers 108 CPU cores– 6–Exadata数据库一体机全部系列为 OLTP, 数据仓库和数据库整合应用而设计 Storage Expansion Exadata X2-8 Exadata X2-2Copyright © 2011, Oracle Corporation and/or its affiliates– 7–数据库一体机容量指标 (不考虑压缩技术的作用)X2-8 or X2-2 Full Rack Raw Disk Capacity Raw Flash Capacity1 Usable Mirrored Capacity 1,2 Usable Triple Mirrored Capacity1,3 High Perf Disk High Cap Disk High Perf Disk High Cap Disk High Perf Disk High Cap Disk 100 TB 336 TB 5.3 TB 45 TB 150 TB 30 TB 100 TB X2-2 Half Rack 50 TB 168 TB 2.6 TB 22.5 TB 75 TB 15 TB 50 TB X2-2 Quarter Rack 21.6 TB 72 TB 1.1 TB 9.5 TB 31.5 TB 6.5 TB 21.5 TB1- Capacity calculated using normal space terminology of 1 TB = 1024 * 1024 * 1024 * 1024 bytes. 2 - Actual space available for a database after mirroring (ASM normal redundancy) and allowing one disk (Quarter and Half) or two disks (Full Rack) of free space to automatically remirror after disk failures. 3 - Actual space available for the database computed after triple mirroring (ASM high redundancy).Copyright © 2011, Oracle Corporation and/or its affiliates– 8–数据库一体机 IO 性能指标X2-2 or X2-8 Full RackDisk Data Bandwidth1,3 Flash Cache Data Bandwidth1,3 Disk IOPS High Cap Disk Flash IOPS2,3 Data Load Rate4 High Perf Disk High Cap Disk High Perf Disk High Cap Disk High Perf DiskX2-2 Half Rack 12.5 GB/s 7 GB/s 37.5 GB/s 32 GB/s 25,000 12,500 750,000 6 TB/hrX2-2 Quarter 5.4 GB/s 3 GB/s 16 GB/s 13.5 GB/s 10,800 5,400 375,000 3 TB/hr25 GB/s 14 GB/s 75 GB/s 64 GB/s 50,000 25,000 1,500,000 12 TB/hr1 - Bandwidth is peak physical disk scan bandwidth achieved running SQL, assuming no compression. Effective data bandwidth will be much higher when compression is factored in. 2 - IOPS – Based on read IO requests of size 8K running SQL. Note that the IO size greatly effects flash IOPS. Others quote IOPS based on 2K, 4K or smaller IOs that are not relevant for databases. Exadata Flash read IOPS are so high they are typically limited by database server CPU, not IO. 3- Actual Performance varies by application. 4 – Exadata load rates are typically limited by database server CPU, not IO. Rates vary based on load method, indexes, data types, compression, and partitioningCopyright © 2011, Oracle Corporation and/or its affiliates– 9–Exadata 带来的技术创新Copyright © 2011, Oracle Corporation and/or its affiliates– 10 –Exadata 带来的技术创新Exadata 存储服务器软件•Intelligent storage•Smart Scan query offload •Scale-out storage+++•Hybrid Columnar Compression–10x compression for warehouses –15x compression for archivesCompressedprimary standbytestdev’tbackupUncompressed•Smart Flash Cache–Accelerates random I/O up to 30x –Doubles data scan rateData remains compressed for scans and in FlashBenefits Multiply一个简单的查询处理过程Exadata Storage GridSUMOptimizer Chooses Partitions andIndexes to Access10 TB scanned1 GB returned to serversOracle Database GridWhat were my sales yesterday?Select sum(sales) whereDate=’24-Sept’Scan compressedblocks in partitions/indexes Retrieve sales amounts for Sept 24Exadata 智能存储•Exadata 存储服务器除去简单的过滤条件外，还支持在存储中处理部分复杂的数据处理•带联接的条件过滤•增量备份数据过滤•I/O 优先级处理•存储索引•数据库级的数据安全处理•为扫描加密数据进行减负处理•数据挖掘模型评分计算•通常情况可以将回送到数据库服务器的数据量减小到十分之一ExadataIntelligent StorageGridExadata 存储索引没有额外负担的透明数据过滤•Exadata 存储索引在内存中保留范围数据•为特定列组合存储区间内的最大值和最小值•典型设置每MB 数据保持一条记录•通过结合查询条件和数据区间的最大最小值来消除不必要的磁盘I/O •完全由存储自动透明实现A B C D135583Min B = 1Max B =5TableIndexMin B = 3 Max B =8Select * from Table where B<2 -Only first set of rows can matchExadata 智能闪存缓存为OLTP 和DW 带来极限性能支撑提供超过企业级磁盘阵列系统五倍的离散I/O性能•Exadata 拥有5 TB 闪存•56 块不受磁盘控制器带宽限制的PCI 接口闪存卡•智能管理的闪存存储•智能闪存缓存只缓存热数据•可以有效避免大表顺序扫描导致的缓存刷新问题•在系统级用磁盘的价格提供闪存的速度•Exadata 闪存缓存可以做到:•在SQL 处理中实现超过每秒一百五十万次I/O 处理(8K)•实现低于一毫秒的响应时间Exadata 智能闪存日志通过使用闪存加速交易处理的响应时间•使用一种聪明的方式让闪存在数据库日志处理中发挥作用•闪存速度很快但是响应时间不稳定•受Erase cycles, wear leveling 等因素影响.•智能闪存日志把闪存作为磁盘控制器缓存的一个并行写入缓存进行工作•磁盘或闪存中任何一方先完成写入等效于写入成功缺省设置-不稳定的响应时间-最大响应时间包线很高开启智能闪存日志-响应时间提升3倍-最大响应时间包线显著降低Transaction Response TimesQ u e r y数据库操作变得更快更简单Backup, DR, Caching,Reorg, Clone混合列压缩工作原理•表中的数据以几千行为单位进行组织•压缩单元(CUs)•在压缩单元内部, 数据先以列的方式进行组织，然后对数据进行压缩•以列的方式组织数据有利于把类似的值组织在一起，增强了压缩的有效性•对于批量装载和查询的数据非常有效•尤其适用对于压缩过的数据有很少的修改需求•与传统的数据压缩算法（如Gzip, Bzip2 ）相比•典型情况下可以提供高达2倍的压缩比，同时提供10倍的处理性能•Exadata 存储服务器同时支持扫描压缩数据时的查询过滤，列数据筛选等操作•基于索引访问的数据存取直接向数据库返回压缩过的数据块，I 数据库的块缓冲区同时受益于压缩而节省的空间Reduces Table Size 4x to 40x4x to 50x Reduction CompressionUnit实际数据的压缩比举例•压缩比会因客户和数据的不同而不同•测算基于10家超大型公司提供的最大容量表的数据•平均业务收入> $60 B•平均压缩比达到13 倍•比较基数是Oracle已经很高效的存储格式Exadata I/O 资源管理为混合负载或多数据库共存环境提供保障•确保数据库带宽在不同数据库间按照规则正确分配•Database A: 33% I/O resources•Database B: 67% I/O resources•确保数据库带宽在不同用户和不同任务之间按照规则正确分配•Database A 内部:•报表: 60% of I/O resources•ETL: 40% of I/O resources•Database B内部:•交互应用: 30% of I/O resources •批处理作业: 70% of I/O resourcesExadata Cell InfiniBand Switch/NetworkDatabase A Database BExadata Cell Exadata Cell数据库整合的最佳选择•Exadata 数据库一体机多个数据库的承载平台•较大的系统内存总量支持多数据库同时运行•超强的性能确保混合负载（OLTP, DW, batch, reporting ）的运行效果•I/O 和CPU 资源管理实现不同应用间的工作负载隔离ERP CRM Warehouse Data MartHRExadata与竞争对手对比使用闪存加速后远远领先竞争对手数据同时装载入闪存倍的查询优化压缩功能有效的查询带宽在考虑压缩因素TeradataNetezza TwinFin 12ExadataQuery ThroughputGB/sec Uncompressed DataSingle RackFlashDiskFaster than DW Appliances75 GB/sec!Flash2650 4600 668019DiskDiskDis kFlash36Disk EMC Greenplum性能随着机架的扩展而同步的带extra bandwidth from Flash No Columnar Compression Storage Data Bandwidth(Uncompressed GB/sec)Flash比高端存储提供更高的性能DiskExadataX275 GB/sec!1 RackMultiple Racks更大的有效存储容量Exadata 10x Compression Teradata 1.4x Compression(block compression is archival)IBM Netezza TwinFin 2x to 4x Compression EMC VMAX3x Oracle Compression按照相同的有效容量评估全部配置可用的最大容量磁盘，使用最好的压缩比4X Racks 3X Racks7X for 265041X for 460020X for 66803.5X RacksEMC Greenplum DCA up to 4x CompressionTurkcell: 10x Compression, 10x Speedup250 TB warehouse compresses to 25 TB1 Exadata rack 25 TBcompressed data•50,000 Reports run 10x faster each month (avg 27 min to 3 min)• 1.5 Billion records (2-3 TB raw) loaded daily (data doubles yearly)•Redundancy/HA built-in10 storage racks 1 large SMP server250 TB raw data10:1advantageHitachi USP-V 5 RacksEMC DMX-45 RacksSoftbank Replaces 36 Teradata Racks3 Exadata racks up to 8x faster3 Exadata racks 150% more data capacity•Billions of CDRs processed in 7 hours (from 25 with Teradata)•Power, cooling, space savings •Maintenance charges slashed36 total racks Twice the operational cost of Exadata12:1advantageDBA。

Exadata Product Development98MTargetDEC ‘131B YahooDec ’16400M Friend Finder Dec ‘16150MeBayMay ‘14200M ExperianMar ’14 US Voters 191M, Dec 15150MAdobe Oct ‘1356MHome Depot Sep ‘1476M JPMCOct ‘1480M AnthemFeb ‘152M Vodafone Oct ‘1342M Cupid Media Jan ’13TBs IP Sony Nov ’14 2MOrangeFeb/Apr ‘1420MCredit Bureau 12MTelecomS. Korea Jan ‘1422MBenesse Education Jul ‘14Japan Espionage KasperskyJun ‘15400GB IP TheftHackingTeam Jul ‘15Carphone Warehouse Aug ’152.4M4MTalk TalkOct 1550MTurkish GovtApr ‘165M VTech Nov ‘1530M BSNL TelcoJournal Jul ‘15Kmart Oct ‘1511M PremeraBlue Cross Mar ‘1593M Mexico Voter Apr ‘16154MUS Voter Jun ‘1632M AshleyMadisonJul ’15US OPM, 22MJun ’15 15M T-MobileOct ’154.6MScottrade Oct ’1555M PhilippinesVoter list Apr ‘16Security Breaches: High Costs to Businesses and Customers (Records/Data Theft)3.2M Debit cardsOct ‘16SabreMar ‘16CIAApr ‘1777M Edmodo May ‘17143M EquifaxJuly ‘17 1.1B AadhaarJan ‘18340MExactisJun ‘18218M Zynga Sep ‘199M Easy JetMay ‘2098MTargetDEC ‘131B YahooDec ’16400M Friend Finder Dec ‘16150MeBayMay ‘14200M ExperianMar ’14 US Voters 191M, Dec 15150MAdobe Oct ‘1356MHome Depot Sep ‘1476M JPMC Oct ‘1480M AnthemFeb ‘152M Vodafone Oct ‘1342M Cupid Media Jan ’13TBs IP Sony Nov ’14 2MOrange Feb/Apr ‘1420MCredit Bureau 12MTelecomS. Korea Jan ‘1422MBenesse Education Jul ‘14Japan Espionage KasperskyJun ‘15400GB IP Theft HackingTeam Jul ‘15Carphone Warehouse Aug ’152.4M4MTalk TalkOct 1550MTurkish Govt Apr ‘165M VTech Nov ‘1530MBSNL TelcoJournal Jul ‘15Kmart Oct ‘1511M PremeraBlue Cross Mar ‘1593M Mexico Voter Apr ‘16154MUS Voter Jun ‘1632M AshleyMadisonJul ’15US OPM, 22MJun ’15 15M T-MobileOct ’154.6MScottrade Oct ’1555M PhilippinesVoter list Apr ‘16Security Breaches: High Costs to Businesses and Customers (Records/Data Theft) –Continuation Slide3.2M Debit cardsOct ‘16SabreMar ‘16CIAApr ‘1777M Edmodo May ‘17143M EquifaxJuly ‘17 1.1B Aadhaar Jan ‘18340MExactisJun ‘18218M Zynga Sep ‘199M Easy JetMay ‘203.2BCOMB Compilation of previously stolen credentials Jan ‘21Exadata security practices and built-in security protection is applicable to Exadata on-premises •Exadata Cloud (ExaDB-D, ExaDB-C@C and Autonomous Database) inherit the benefitsplus additional cloud software and securitycompliance is added•Additional security collateral for DB Cloud offerings can be found at:•https:///a/ocom/docs/en gineered-systems/exadata/exadata-cloud-at-customer-security-controls.pdf •https:///corporate/securit y-practices/cloud/Exadata Cloud in OCI attains the following compliances, certifications, and/or attestations:Audit Reports✓PCI DSS✓HIPAA✓ISO 27001✓SOC I/SOC II✓C5/CSA STAR✓FedRAMP Moderate/DISA IL5Exadata Platform provides the foundation for Exadata DB CloudAudit Data & EventLogsData SafeAudit VaultAlertsReportsPoliciesNetwork EncryptionOracleKey VaultTransparentData EncryptionDF11233 U*1$5Ha1qui %H1HSKQ112 A14FASqw34 £$1DF@£!1ah HH!DA45S& DD1Discover Sensitive DataData SafeData Masking and SubsettingTest DevData RedactionDatabase VaultUsersApplicationsDatabase FirewallVirtual Private DatabaseLabel SecurityReal Application SecurityEventsData Driven SecurityDatabase Security ControlsDetectPreventAssessDatabase SecurityOpen Season for Attacks on Hardware, Firmware and Supply Chain •Securing application and network perimeter is no longer sufficient •Attacks are more sophisticated and getting deeper into the hardware •Environments are more complex and distributed•Server subcomponents are more capable but “soft”•More interesting to hackers•More potential for vulnerabilities and exploits•Supply chains are at riskExadata End-to-End Security Through-Out The Supply Chain •Oracle supply chain is closely integrated and monitored •Oracle ownership of core Hardware and Firmware IP•Security audit for all design releases•Suppliers understand and adhere to Oracle security policies•Encrypted transmission of design data•Oracle controlled systems qualification tests and validation•All firmware and software is digitally signed and certified•Secure Trade Agreements Act (TAA) compliant manufacturing for system integrationEnd-to-End SecuritySecurity-optimized, Security-focused, Security-hardenedHighly Available ArchitectureOracle MAA Best Practices Built-InDatabase Aware System SoftwareUnique algorithms vastly improve OLTP, Analytics, ConsolidationExtreme Performance, Availability, and SecurityExadata Maximum Security Architecture (MSA) VisionMSA Solution Highlights✓Smaller Footprint✓Access Restrictions✓Principle of Least Privilege ✓Audit Rules✓System Hardening✓File Integrity Monitoring✓Security Administration Tool ✓Pre-scanned Full Stack✓Multi-tenet Isolation✓Boot Device Protection✓Fast Crypto Erase✓Security Enabled Linux✓Memory Protection KeysSecurityOptimizedSecurityFocusedSecurityHardenedExadata Security Value-Add Overview“The Oracle Autonomous Database, which completely automates provisioning, management, tuning, and upgrade processes of database instances without any downtime, not just substantially increases security and compliance of sensitive data stored in Oracle Databases but makes a compelling argument for moving this data to the Oracle Cloud.”KuppingerCole AnalystsExadata reduces the attack surface by only including the software components required specifically to run the Oracle database (e.g., minimum Linux distribution)Smaller Installation FootprintExadata OL8~1060 pkgs Standard OL8~8000 pkgsNano Linux Kernel InstallationSecurity: OptimizedExadata uses a custom, nano (micro) kernel with removed dependencies that reduce size and features that are not needed in an enterprise data center.•Fewer device drivers•Smaller footprint•Improved upgrade timeTypical OL8 UEK kernel::kernel-uek-5.4.17-2136.306.1.3.el8uek.x86_64•DomU kernel size 135MBExadata OL8 UEK kernel (23.1.0.0.0):kernel-ueknano-5.4.17-2136.315.5.8.el8uek.x86_64•DomU kernel size 77MBNetwork Access to Storage ServersSecurity: OptimizedSoftware includes the cellwallservice that implements afirewall on each storage server•The SSH server is configured torespond to connectionrequests only on themanagement network (NET0)and the RDMA Network Fabric•The Exadata Storage Servershave no direct connectivity tothe client networkNo Unnecessary Services -Implement Principle of Least Privilege Security: FocusedUnnecessary insecure services such as telnet, ftp are disabled in the systemSecurity best practices require that each process run with the lowest privileges needed to perform the task. The following processes now run as non-privileged users:•Smart Scan processes: Performing a smart scan predicate evaluation does not require rootprivileges.•user cellofl and group celltrace•Select ExaWatcher processes: Some of the ExaWatcher commands that collect iostat, netstat, ps, top, and other information have been modified to run without requiring root user privilege•user exawatch and group exawatchAccess Control For RESTful ServiceSecurity: FocusedOracle Exadata System Software release 19.1.0 introduces a new capability for users to configure access control lists on the HTTPs access to the RESTful service•Specify a list of IP addresses or subnet masks to control access to the RESTful service via HTTPs •If not used, RESTful service can be disabled altogether•Applies to both Oracle Exadata Database and Storage Server# lsof -i -P -n | grep LISTEN | grep javajava<pid> dbmsvc55u IPv4 40193 0t0 TCP *:7879 (LISTEN)# dbmcli -e alter dbserver httpsAccess=noneThis command requires restarting MS. Continue? (y/n): yStopping MS services...The SHUTDOWN of MS services was successful.Updating HTTPs access control list.Starting MS services...The STARTUP of MS services was successful.DBServer successfully altered# lsof -i -P -n | grep LISTEN | grep javaOperating System Activity MonitoringSecurity-Focused•Each Exadata server is configured with auditd to audit system-level activity•manage audits and generate reports use the auditctl command.•Exadata specific audit rules are stored in the /etc/audit/rules.d/01-exadata_audit.rules file[root@vm01 ~]# auditctl -l-a always,exit -F arch=b32 -Schmod,lchown,fchmod,fchown,chown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat ,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod-a always,exit -F arch=b64 -Schmod,fchmod,chown,fchown,lchown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat ,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=access-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=access…Encrypting System Log Information (rsyslog)Security-Focused•Management Server (MS) on database and storage servers supports the syslogconf attribute.•The syslogconf attribute extends syslog rules for a database server.•The attribute can be used to designate that syslog messages be forwarded to a specific remote syslogd service.•On the MS, the forwarded messages are directed to a file, console, or management application, depending on the syslog configuration on the MS.•This enables system logs from different servers to be aggregated and mined in a centralized logging server for security auditing, data mining, and so on.•Use certificates and the syslogconf attribute to configure encryption of the syslog informationOracle Exadata Deployment Assistant (OEDA)Resecure MachinePassword Complexity Password AgingResecure MachinePassword Expiration PermissionsSecurity-HardenedImplement the available features and security plan post deployment via host_access_control/opt/oracle.cellos/host_access_control apply-defaults --strict_compliance_only•INACTIVE=0•Deny on login failure count set to 5•Account lock_time after one failed login attempt set to 600•Password history (pam_unix remember) set to 10•Password strength set to pam_pwquality.so minlen=15 minclass=4 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 difok=8 maxrepeat=3 maxclassrepeat=4 local_users_only retry=3 authtok_type=•PermitRootLogin no•hard maxlogins 10•hmac-sha2-256,hmac-sha2-512 for both server and client•Password aging -M 60, -m 1, -W 7Subset of commands•access -User access from hosts, networks, etc.•auditd-options -Options for auditd•banner -Login banner management•fips-mode -FIPS mode for openSSH•idle-timeout -Shell and SSH client idle timeout control •pam-auth -PAM authentication settings •password-aging -Adjust current users' password aging •rootssh -Root user SSH access control•ssh-access -Allow or deny user and group SSH access •sshciphers -SSH cipher support control•ssh-macs -SSH supported MACs•sudo -User privilege control through sudoPre-scanned full stackSecurity-HardenedEvery Exadata release includes security and emergency fixes to address zero-day vulnerabilities discovered by our internal scanning tools.•Static/Dynamic code analyzing•Malware scans•Third-party software checks•Vulnerability scans•How to research Common Vulnerabilities and Exposures (CVE) for Exadata packages (Doc ID 2256887.1)•System hardening reviews (STIG)•Exadata OL8 System Hardening for STIG Security Compliance (Doc ID 2934166.1)•Exadata OL7 System Hardening for STIG Security Compliance (Doc ID 2614471.1)Customers take advantage of these fixes out of the box by just upgrading to the latest release •Number of issues reported should be much less compared to a custom configurationSecurity: Hardened Monthly Exadata Security Software Updates:•Security fixes •CVE mitigations•Future releases and dates are estimates only Exadata Releases CY2023JAN:22.1.721.2.20APR:23.1.122.1.1021.2.23JUL:23.1.422.1.13OCT:23.1.722.1.16FEB:22.1.821.2.21MAY:23.1.222.1.1121.2.24 (end)AUG:23.1.522.1.14NOV:23.1.822.1.17MAR:23.1.0 (new) 22.1.921.2.22JUN:23.1.322.1.12SEP:23.1.622.1.15DEC:23.1.922.1.18Common Vulnerabilities and Exposures (CVE) IDs issued across the international IT marketplace.That’s ~73 per day!Exadata Security Value Add:•Scanned images•Monthly releases26,448Oracle Linux CVE Mitigations for Exadata 22.1.xSecurity-Hardened0510152025303522.1.122.1.222.1.322.1.422.1.522.1.622.1.722.1.822.1.9N u m b e r o f M i t i g a t i o n s Exadata Release CVE Mitigations Per Release LOW MEDIUM HIGH CRITICALSecurity: Hardened “The Oracle Linux 8 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of the Department of Defense (DoD) information systems”Secure from Factory –Oracle Linux 8 STIG SCAP BenchmarkX9M KVM Guest on 23.1.0.0.0Delivered straight from the FACTORY!Standard Linux installation✓New (and existing) Security Features in ExadataMaximize Security, Maximize Performance, Maximum AvailabilityOracle Linux 8New in Exadata 23.1Oracle Exadata System Software 23.1.0 uses Oracle Linux 8 with the UEK6 kernel•Storage servers, bare-metal database servers, KVM hosts/guests, and OVM guests (DomU).•OVM management domains (Dom0) do not require Oracle Linux 8 and remain on Oracle Linux 7 with UEK5.•Rolling upgrade is supported from Oracle Linux 7 to Oracle Linux 8.OL8 Key security features:•Various SELinux improvements•Crypto-policies covers TLS, IPSec, SSH, DNSSec, and Kerberos protocols.•Modulus size for Diffie-Hellman parameters has been changed to 2048 bits.•DSA public key algorithms are disabled by default.•How to setup RSA SSH equivalence on Oracle Exadata nodes (Doc ID 2923095.1)•Default RSA key size increased to 3072 bits for the ssh-keygen toolCentralized Identification and Authentication of OS Users New in Exadata 23.1Database and storage server support for:•LDAP identity management systems•Kerberos authentication•Linux System Security Services Daemon (SSSD)•Pre-configured with Exadata-specific custom security profile•Customizations preserved across upgradesCentralizes accounts for enhanced security•Easier administration provisioning/deprovisioning•Easier password management•Enterprise security controlsSecurity Enabled Linux (SELinux)Feature Available in Exadata Software 21.2 onwards•The SELinux enhancement to the Linux kernel implements the Mandatory Access Control (MAC) policy, which allows defining a security policy that provides granular permissions for all users, programs, processes, files, and devices.•The system should first be placed in permissive mode to see if any Access Vector Cache (AVC) denials would need to be addressed BEFORE going to enforcing mode./opt/oracle.cellos/host_access_control selinux --helpOptions:-h, --help show this help message and exit-e, --enforcing set the SELinux state to enforcing-p, --permissive set the SELinux state to permissive-d, --disabled set the SELinux state to disabled (Exadata default)-r, --relabel Set the system for relabling-c, --config Display the configured SELinux state-s, --status Display the current SELinux statusFeature Available in Exadata Software 20.1 onwards Exadata Secure Fabric for RoCE systems implements network isolation for Virtual Machines while allowing access to commonExadata Storage Servers•Each Exadata VM Cluster is assigned a private network •VMs cannot communicate with each other•All VMs can communicate to the shared storage infrastructure •Security cannot be bypassed•Enforcement done by the network card on every packet•Rules programmed by hypervisor automaticallyExadata Secure RDMA Fabric Isolation for RoCEFIPS 140-2 for Oracle Linux Kernel/SSH on Exadata Database Nodes Feature Available in Exadata Software 20.1 onwards/opt/oracle.cellos/host_access_control fips-mode --enable•Requires a reboot•STIG mitigation: The Oracle Linux operating system must implement NIST FIPS-validatedcryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.•STIG mitigation: The Oracle Linux operating system must use a FIPS 140-2 approved cryptographic algorithm for SSH communications./opt/oracle.cellos/host_access_control ssh-macs --secdefaults•STIG mitigation: The Oracle Linux operating system must be configured so that the SSH daemon is configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.Management Server App Engine UpdateNew in Exadata Software 20.1Exadata 20.1 -Eclipse Jetty•Light-weight web server•Consumes considerably fewer system resources•Basic functionalities supported, extensible modules•Fewer CVE vulnerabilities –smaller attack vectors•Does not require a dedicated HTTP port for configuration purposesIntroduced in Exadata 19.3 for X7 and newerStorage Server Software Memory is partitioned with 16 colors •Four bits in each page table entry used to identify the color •Each thread is allowed to read/write and enable/disable to its matching color•Any access to a piece of memory that does not have the correct color traps the process•Protects against inadvertent software defects •Enabled out of the box with no tuning needed •Eliminates a class of potential memory corruptionsSecuring Storage Server Processes with Memory Protection KeysStorage BufferStorage BufferStorage BufferThread ThreadOther Security Processes for Storage ServersSecure Computing (seccomp) feature in Oracle Linux Kernel used to restrict system calls that can be made•Kernel has hundreds of system calls, most not needed by any given process•A seccomp filter defines whether a system call is allowed•Seccomp filters installed for cell server and offload processes automatically during upgrade •White-list set of system calls are allowed to be made from these processes•Seccomp performance additional validation of the argumentsDisabling SSH•Storage servers can be “locked” from SSH access•ExaCLI can still be used to perform operations•Communicates using HTTPS and REST APIs to a web service running on the server•Temporary access can be enabled for operational access if requiredExadata installs the system/software on alternating partitions•e.g. when upgrading to a newer version, the software is installed on the inactive partition and then booted to that partition This ensures a complete OS refresh is completed at each upgrade which minimizes the propagation of infected files.OS data is separate from database data •Database is safe from OS corruptionStorage Server Partition InstallationActive System Active SoftwareInactive SystemInactive Software M .2 S S DM .2 S S DAdvanced Intrusion Detection Environment (AIDE)•Help guard against unauthorized access to the files on your Exadata system.•AIDE creates a database of files on the system, and then uses that database to ensure file integrity and to detect system intrusions.# /opt/oracle.SupportTools/exadataAIDE -statusAIDE: daily cron is currently enabled.To add additional rules:Edit the file /etc/aide.confUpdate the AIDE database metadata.# /opt/oracle.SupportTools/exadataAIDE -uDatabase and Storage Server Secure Boot•Secure Boot is a method used to restrict which binaries can be executed to boot the system.•With Secure Boot, the system UEFI firmware will only allow the execution of boot loaders that carry the cryptographic signature of trusted entities•With each reboot of the server, every executed component is verified•This prevents malware from hiding embedded code in the boot chain•Intended to prevent boot-sector malware or kernel code injection•Hardware-based code signing•Extension of the UEFI firmware architecture•Can be enabled or disabled through the UEFI firmware•Restrict access to only the grid disks used by the Oracle ASM disk groups associated with a Oracle ASM cluster.•Restrict access for an Oracle Database instance to a specific set of grid disks.“Oracle Exadata Cloud@Customer uses the superior technology of Oracle Database as a cloud service delivered in our own data centers, meeting all of our data sovereignty and compliance requirements for the Regional Revitalization Cloud.”Norihito SendaNagoya BranchAdvanced Solution DepartmentCorporate Business HeadquartersNippon Telegraph and Telephone West Corporation (NTT WEST)Security Best PracticesThe security of a system is only as good as its weakest link•Regular scans should be run by YOU the owner of the system to ensure against any deviations from the delivered configurations•Maintaining the latest Software Update ensures the latest security vulnerabilities are mitigated•Tools and processes are there to assist in creating a secure environment, but must be used to actually create the secure environmentSecure Eraser•Provide a secure erasure solution for every component within Oracle Exadata Database Machine •Crypto-erase is used whenever possible and is fully compliant with the NIST SP-800-88r1 standard. Component Make or Model Erasure MethodCrypto eraseHard drive•8 TB hard drives on Oracle Exadata Database Machine X5•All hard drives on Oracle Exadata Database Machine X6 or laterHard drive All other hard drives1/3/7-Pass erase Flash device Flash devices on Oracle Exadata Database Machine X5 or later Crypto eraseFlash device All other flash devices7-pass eraseM.2 device Oracle Exadata Database Machine X7-2 or later Crypto eraseSecurity ReferencesOracle Exadata Database Machine Security FAQ•My Oracle Support (MOS) note: Doc ID 2751741.1Oracle Corporate Security Practices•https:///corporate/security-practices/Critical Patch Updates, Security Alerts and Bulletins•https:///technetwork/topics/security/alerts-086861.htmlOracle Corporate Security Blog•https:///security/Oracle Exadata Documentation•https:///en/engineered-systems/exadata-database-machine/books.htmlExadata Product Development Oracle CorporationSecurity MAA TeamThank You!。

EXADATA基础知识培训前言EXADATA是一款由Oracle公司开发的高性能数据库解决方案，其强大的处理能力和可靠性使其成为现代企业在数据管理方面的首选。

本次培训将介绍EXADATA的基础知识，包括其特点、架构以及使用方法，帮助您更好地理解和应用EXADATA。

第一章：EXADATA简介1.1 EXADATA的定义EXADATA是一种集成了硬件和软件的一体化数据库解决方案。

它将强大的存储和计算能力集中在一起，并通过高速网络进行连接，实现了高性能和可扩展性。

1.2 EXADATA的特点EXADATA具备以下几个显著特点：1）高性能：EXADATA通过优化的硬件设计和数据存储方式，实现了卓越的查询和分析性能，能够处理大规模的数据请求。

2）可靠性：EXADATA采用了多层次的数据备份和容错机制，确保数据的安全性和可恢复性。

它具备故障转移和自动恢复功能，能够最大程度地减少系统故障对业务的影响。

3）可扩展性：EXADATA支持弹性扩展，可以根据业务需求灵活地增加存储和计算资源，同时保持高性能和可用性。

1.3 EXADATA的应用场景EXADATA广泛应用于大型企业和数据库密集型应用中，特别适用于以下场景：1）大数据分析：由于其卓越的性能和可扩展性，EXADATA能够支持大数据分析任务，提供快速准确的查询结果。

2）在线事务处理（OLTP）：EXADATA具备高并发处理能力，能够支持高速在线事务处理系统的运行，提供稳定可靠的服务。

3）云计算环境：EXADATA可以作为云计算平台的一部分，为不同业务提供高性能的数据存储和处理能力。

第二章：EXADATA架构2.1 EXADATA硬件架构EXADATA的硬件架构由数据库服务器和存储服务器组成。

数据库服务器负责运行数据库实例和处理查询请求，而存储服务器则负责存储数据并提供快速的读写操作。

2.2 EXADATA软件架构EXADATA的软件架构包括数据库软件、操作系统和EXADATA存储软件。

月 8年2012．1 前言 (3)一Exadata 概述 (4)1Exadata简介 (4)2Exadata的配置及性能参数 (4)二Exadata特性 (5)1Smart Scan（智能扫描） (5)2Storage Index（存储索引） (14)3Flash Cache（智能闪存） (24)4Compression（压缩） & EHCC（Exadata Hybrid Columnar Compression） 285IORM（IO资源管理） (34)三Exadata监控 (37)1Exadata特性监控常用指标 (37)2如何查看指标 (38)四如何应用Exadata (38)1Exadata参数调整 (38)2在Exadata上开发注意事项 (38)413 ................................................... 应用总结42........................................... 总体总结4. Exadata前言1本文背景1.1前期东软-甲骨文公司组织了一次针对社保系统的Exadata联合应用测试，本文内容是本次Exadata测试的经验总结，其中包含了与Oracle技术人员交流经验应用、Oracle相关技术文档应用及个人测试经验总结。

本文简介1.2本文是关于ORACLE Exadata的一些特性介绍和应用Exadata的一些指南；本文不会涉及太多传统ORACLE DataBase已经具有的而非Exadata专有的一些特性介绍。

通过本文，读者可以了解ORACLE推出 Exadata的目的和初衷，简单了解Exadata 架构体系，了解Exdata的一些设计思路，了解其特性及其原理；了解Exadata 的适合应用场景，不适合应用场景，以及在Exadata下开发的一些注意事项（尤其是做Exadata项目主要设计、开发人员一定要了解Exadata，不要把它完全当作传统ORACLE数据库）。

Oracle数据库云服务器Exadata介绍杨建鑫Principal Sales Consultant内容•Exadata简介•Exadata技术发展与硬件架构•Exadata技术优势及软件架构•Exadata客户案例Oracle数据库云服务器Exadata运行Oracle数据库的最佳平台适合与下面场景的架构•数据仓库（Data Warehousing）•交易系统（OLTP）•数据库整合Exadata是为所有Oracle数据库应用设计的战略数据库平台Exadata 发展•Exadata Introduced•X2-2 CPU Refresh •40 Gb InfiniBand •PCI Flash Cards•X2-2 CPU Refresh •X2-8 64-core Servers•Sparc SuperCluster •3TB Disks•Smart Flash Cache •Storage Index •Columnar Compression•Smart Scan •InfiniBand Scaleout•Smart Memory Scan •Parallel Memory Affinity •Enterprise Manager 12c•Hardware DB Encryption•Automatic Service Request•Data Mining Offload •Storage Expansion Rack•X2-8 CPU Refresh •2TB DRAM per node•Solaris x86 •Reverse Offload •Smart Flash Logging将Oracle 的最佳实践与快速发展的硬件相结合独特的软件特性Future Optimizations•In-Memory OptimizedCompression•Memory-to-MemoryInfiniBand Messaging •Flash Cache for Writes20082009 2010 2011 2012数以千计的全球成功案例Rapid adoption in all geographies and industriesSpectacular Customer Results“Softbank created a warehouse up to8x faster while reducing costs 50%”—Keiichiro Shimizu, Softbank“Turkcell’s largest 250 TB DB is nowonly 27 TB with Exadata Compression”—Ferhat Sengonul, Turkcell“Performance improved17x with no changes toour application”—Jim Duffy, BNP ParibasExadata Growth“Exadata is the fastest growing product in Oracle’s history”-Oracle CEO, Larry EllisonExadata技术发展与硬件架构Exadata架构完整的系统 : 计算资源, 存储资源, 网络资源•数据库集群–基于Intel芯片架构的数据库服务器–Oracle Linux or Solaris 11–Oracle Database 11g–10 Gig Ethernet (to data center)•存储网格–基于Intel芯片架构存储服务器–504TB裸容量– 5.3TB Flash storage–Exadata Storage Server Software•InfiniBand网络–内部网络互联 ( 40 Gb/sec )Exadata 硬件架构Exadata 智能存储网格•14 x 高性能低成本存储服务器(2U)•高性能, 低成本, 冗余, 线性扩展•100 TB 高性能SAS 磁盘, 或 504 TB 高容量SAS 磁盘 •168 Intel cores in storage •5.3 TB PCI 闪存•跨存储服务器的数据镜像保护•超级性能 &开箱即用满配最大功耗14KW, 平均 9.8KW. 而通常一个高端的SMP 小机（不包含存储和交换机）就需要超过20KW 的功耗数据库网格InfiniBand 网络•冗余 40Gb/s 交换机 •服务器与存储的统一网络• 8台数据库服务器(X2-2)✓96 CPU cores (12 Cores per server,2x Six-CoreIntel X5675 Processors (3.06 GHz)✓768 GB memory （可扩展到912GB ）• 或2台数据库服务器(X2-8)✓160 CPU cores (80 Cores per server) ✓4 TB (2 TB per server)Exadata 低功耗Exadata 架构概述Exadata CellInfiniBand 交换网络单节点数据库RAC 数据库Exadata CellExadata Cell智能存储层数据库处理层 超高速并发网络层传统主机+存储的数据库架构的IO瓶颈问题•存储层：1）数据量不断增加，带来的IO瓶颈；2）随着数据长时间运行带来的数据分布不均匀，存在IO热点•网络层：传输带宽不足，无法快速传输大量数据到服务器•服务器层：接收过多数据进行处理，内存优势无法发挥Exadata–数据处理架构的革命打破数据带宽瓶颈•Exadata 提供更多的并发带宽-模块化存储单元CELL，高度并行的存储网格-带宽与容量成正比•Exadata 采用更高的单路带宽-InfiniBand提供40G bits/S的带宽，比高端阵列的光纤通道技术快5+倍•智能的存储、Exadata 传送更少的数据-数据查询过程被下移到智能存储层，传送到服务器中的数据只包括最相关的结果数据，显著的减少了发送到服务器的数据，减轻了服务器CPUs负荷。

5 Reasons to run your business on Exadata Oracle Exadata is the only platform that delivers optimum database performance and efficiency for mixed data, analytics, and OL TP workloads. With a full range of deployment options, itallows you to run your Oracle Database and data workloads where you want, how youwant —on-premises, in the Oracle Cloud,Cloud at Customer in your data center , or any combination of these models.Here are five top reasons to chooseExadata to run your business.“ ”We chose Oracle Exadata for its integrated hardware and software platform. It costs 31 percent less than products from other vendors, such as IBM and SAP . By running Oracle’s JD Edwards ERP system on Oracle Exadata, we’ve gained a high-performing, reliable, and scalable database platform that enabled us to create daily sales reports 60x faster,introduce products 36x f a ster, enhanceuser satisfaction, increase IT productivity by 40 percent, and reduce operating costs. D. V. Jachak, General Manager, IT, Sai Prasad GroupZheng Tao, Head of IT, Wumart Stores, Inc.By consolidating 92 percent of our IBM servers and four databases onto a single Oracle Exadata Database Machine, we gained an integrated, high-performing private cloudplatform to support e-business growth. We can process online orders 8x faster, and havereduced operating costs by over 100,000 USD per year. “ ”By consolidating 40 disparate databases on Oracle Exadata Database Machine, we boosted sales and production system performance up to 60 percent and cut initial installation costs by 60 percent. We also enhanced IT governance across the organization, and supported 10 billion USD in turnover via business expansion. Akio Yoshizawa, Senior Manager, IT Infrastructure Solutions Department, NSK Network and Systems Co. Ltd.“ “ Ziraat Bank was alwaysunder pressure to optimizeperformance, because anysmall addition to end-of-dayprocessing could negativelyimpact revenue and the bank’sreputation. Oracle Exadata took all the steam off. We decreased the overnight batch window by more than 60 percent, reduced disk usage by 8x and overallsystem utilization from 70percent to 30 percent, whileimproving uptime for our corebanking online transactionprocessing system. Serdar Mutlu, Manager, Database Systems, T.C. Ziraat Bankasi A.Ş.”Anantha Spirama, VP , Systems and Technology, Macy’s“ Applications, databases,and infrastructure all haveto work together in harmony.When we looked at othercloud providers, they offeredthese in pieces. It was up tous to craft a solution. Oracleoffered an integrated solutionfor me. It was a natural choice. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.。

2012年8月1 前言............................... 错误!未指定书签。

一Exadata概述....................... 错误!未指定书签。

1Exadata简介....................... 错误!未指定书签。

2Exadata的配置及性能参数 ........... 错误!未指定书签。

二Exadata特性....................... 错误!未指定书签。

1SmartScan（智能扫描）.............. 错误!未指定书签。

2StorageIndex（存储索引）........... 错误!未指定书签。

3FlashCache（智能闪存）............. 错误!未指定书签。

4Compression（压缩）&EHCC（ExadataHybridColumnarCompression）错误!未指定书签。

5IORM（IO资源管理） ................ 错误!未指定书签。

三Exadata监控....................... 错误!未指定书签。

1Exadata特性监控常用指标 ........... 错误!未指定书签。

2如何查看指标....................... 错误!未指定书签。

四如何应用Exadata................... 错误!未指定书签。

1Exadata参数调整................... 错误!未指定书签。

2在Exadata上开发注意事项........... 错误!未指定书签。

3应用总结........................... 错误!未指定书签。

4Exadata总体总结................... 错误!未指定书签。

1前言1.1本文背景前期东软-甲骨文公司组织了一次针对社保系统的Exadata联合应用测试，本文内容是本次Exadata测试的经验总结，其中包含了与Oracle技术人员交流经验应用、Oracle相关技术文档应用及个人测试经验总结。