DG備庫無法接受主庫歸檔日志之密碼文件
實驗目的:還原某個客戶案例,客戶審計需要,對主庫sys用戶進行鎖定,一小時后對sys用戶進行解鎖后,發現備庫無法接受主庫的歸檔日志
本篇文章,測試sys用戶與DG備庫接受歸檔有什么關系?
1. 實驗環境:
| 類別 |
主庫 |
備庫 |
| 軟件版本 |
11.2.0.4.0 |
11.2.0.4.0 |
| 是否RAC |
否 |
否 |
| Db_name |
ENMO |
|
| Db_unique_name |
ENMO |
dage |
| Service_name |
ENMO |
dage |
| Listener.ora |
192.168.20.128:1521/ENMO |
192.168.20.66:1521/dage |
| Tnsnames.ora |
ENMO |
DAGE |
| log_archive_config |
ENMO,dage |
|
| Log_Archive_dest_ x=service |
SERVICE=dage lgwr ASYNC VALID_FOR=(ONLINE_LOGFILES,PRIMARY_ROLE) DB_UNIQUE_NAME=dage |
|
| Log_desc_x |
ENABLE |
|
| Log_Archive_dest_ x=local |
|
LOCATION=/picclife/app/oracle/oradata/arch VALID_FOR=(ALL_LO GFILES,ALL_ROLES) DB_UNIQUE_NAME =dage |
| Log_desc_x |
|
enable |
1.1實驗環境檢測
--主庫操作
SYS > alter system switch logfile;
SYS@dage >select max(sequence#),thread# from v$archived_log group by thread#;
MAX(SEQUENCE#) THREAD#
-------------- ----------
1009 1
--主庫查詢
SELECT THREAD#,NAME,SEQUENCE#,APPLIED,REGISTRAR,CREATOR FROM V$ARCHIVED_LOG WHERE SEQUENCE#=1009
THREAD# NAME SEQUENCE# APPLIED REGISTR CREATOR
---------- ------------------------------------------------- --------- --------- ------- -------
1 /u01/app/oracle/oradata/arch/1_1009_960955299.log 1009 NO ARCH ARCH
1 dage 1009 NO LGWR LGWR
--備庫查詢
SYS@dage >SELECT THREAD#,NAME,SEQUENCE#,NAME,APPLIED,REGISTRAR,CREATOR FROM V$ARCHIVED_LOG WHERE SEQUENCE#=1009;
THREAD# NAME SEQUENCE# APPLIED REGISTR CREATOR
---------- ------------------------------------------------- --------- --------- ------- -------
1/picclife/app/oracle/oradata/arch1_1009_960955299.log 1009 NO RFS LGWR
解釋說明:備庫,當registrar=RFS且 applied=NO 代表遠程歸檔已接受,但日志未應用。
Memory 代表內存已應用但數據文件未更新,Yes代表接受且應用完畢
2. 測試
2.1測試對主庫修改sys密碼,對備庫的影響
--主庫操作
SYS > select sysdate from dual;
SYSDATE
-------------------
2018-05-03 08:57:55
SYS > alter user sys identified by sys;
SYS > alter system switch logfile;
SYS > select max(sequence#),thread# from v$archived_log group by thread#;
MAX(SEQUENCE#) THREAD#
-------------- ----------
1010 1
--備庫查詢
SYS@dage >SELECT THREAD#,NAME,SEQUENCE#,NAME,APPLIED,REGISTRAR,CREATOR FROM V$ARCHIVED_LOG WHERE SEQUENCE#=1010;
THREAD# NAME SEQUENCE# APPLIED REGISTR CREATOR
---------- ------------------------------------------------- --------- --------- ------- -------
1
/picclife/app/oracle/oradata/arch1_1010_960955299.log
1010 YES RFS LGWR
--主庫修改sys用戶密碼,主備狀態都不變的情況下,無異常,備庫可正常接受主庫的歸檔文件
--查詢主備之間的操作系統的密碼文件
[oracle@enmo dbs]$ strings orapwENMO
]\[Z
ORACLE Remote Password file
INTERNAL
6A75B1BBE50E66AB
[oracle@dage ~]$ sqlplus sys/sys@enmo as sysdba
[oracle@dage dbs]$ strings orapwdage
]\[Z
ORACLE Remote Password file
INTERNAL
AB27B53EDC5FEF41
8A8F025737A9097A
[oracle@dage ~]$ sqlplus sys/oracle@dage as sysdba
--發現主庫修改sys密碼后,對於操作系統口令文件也會改變,但是備庫即使應用了主庫修改sys日志的歸檔日志,也並未主動修改sys密碼口令,未改變
#重啟主庫,主庫切換日志,查詢備庫是否存在無法接受日志的情況
--備庫查詢
SYS@dage >SELECT THREAD#,NAME,SEQUENCE#,NAME,APPLIED,REGISTRAR,CREATOR FROM V$ARCHIVED_LOG WHERE SEQUENCE#=1016;
no rows selected
--主庫查詢
SYS > select dest_id,error from v$archive_dest;
DEST_ID ERROR
---------- -----------------------------------------------------------------
1
2 ORA-16191: Primary log shipping client not logged on standby
--由於本次實驗操作,知道由於密碼文件修改主備不一致造成的情況
--還原主庫操作,恢復主備之間的連通性
--主庫操作
SYS > alter user sys identified by oracle;
SYS > alter system switch logfile;
select dest_id,error from v$archive_dest;
DEST_ID ERROR
---------- -----------------------------------------------------------------
1
2 ORA-16191: Primary log shipping client not logged on standby
alter system set log_archive_dest_state_2=defer;
alter system set log_archive_dest_state_2=enable;
System altered.
SYS > select dest_id,error from v$archive_dest;
DEST_ID ERROR
---------- -----------------------------------------------------------------
1
2 ORA-16191: Primary log shipping client not logged on standby
alter system switch logfile;
[oracle@enmo dbs]$ strings orapwENMO
]\[Z
ORACLE Remote Password file
INTERNAL
AB27B53EDC5FEF41
>#.Y
8A8F025737A9097A
[oracle@dage dbs]$ strings orapwdage
]\[Z
ORACLE Remote Password file
INTERNAL
AB27B53EDC5FEF41
8A8F025737A9097A
--手工將sys用戶密碼口令文件傳輸至備庫
[oracle@enmo dbs]$ scp orapwENMO 192.168.20.66:/picclife/app/oracle/product/11.2.0/dbhome_1/dbs/orapwdage
--重置后,v$archive_dest dest_id=2無異常
--主庫操作
alter system set log_archive_dest_state_2=defer;
alter system set log_archive_dest_state_2=enable;
SYS > select dest_id,error from v$archive_dest;
DEST_ID ERROR
---------- -----------------------------------------------------------------
1
2
--再次修改SYS用戶密碼,測試
SYS > alter user sys identified by sys;
--備庫操作
#重啟備庫監聽,主庫切換日志,查詢備庫是否存在無法接受日志的情況
[oracle@dage ~]$ lsnrctl stop
[oracle@dage ~]$ lsnrctl start
--測試結果,無影響
--備庫操作
#對於備庫而言,外部的連接只有4個
[oracle@dage dbs]$ ps -ef|grep LOCAL=NO|grep -v grep
oracle 8682 1 0 15:03 ? 00:00:00 oracledage (LOCAL=NO)
oracle 8684 1 0 15:03 ? 00:00:00 oracledage (LOCAL=NO)
oracle 8696 1 0 15:03 ? 00:00:00 oracledage (LOCAL=NO)
oracle 8702 1 0 15:03 ? 00:00:00 oracledage (LOCAL=NO)
#kill 備庫所有的外部連接
[oracle@dage dbs]$ ps -ef|grep LOCAL=NO|grep -v grep|cut -c 9-15|xargs kill -9
[oracle@dage dbs]$ ps -ef|grep LOCAL=NO|grep -v grep
--主庫切換歸檔--日志無法傳輸過去,報錯不同
alter system switch logfile
SYS > select dest_id,error from v$archive_dest;
DEST_ID ERROR
---------- -----------------------------------------------------------------
2 ORA-03135: connection lost contact
--重置歸檔線程后,發現報錯與之前的報錯相同
--主庫操作
alter system set log_archive_dest_state_2=defer;
alter system set log_archive_dest_state_2=enable;
SYS > select dest_id,error from v$archive_dest;
DEST_ID ERROR
---------- -----------------------------------------------------------------
2 ORA-16191: Primary log shipping client not logged on standby
--還原上述操作
SYS > alter user sys identified by oracle;
[oracle@enmo dbs]$ scp orapwENMO 192.168.20.66:/picclife/app/oracle/product/11.2.0/dbhome_1/dbs/orapwdage
小結測試2.1
結論一:對於修改SYS用戶密碼而言,在主備之間數據庫實例狀態未改變的情況下,備庫能正常接受主庫的日志,但是當主備任何實例重啟或者主庫的歸檔遠程進程重置,新建立的連接都會導致備庫無法接受主庫的歸檔
結論二:在明確知道sys用戶密碼修改后,通過alter user sys identified by 重置原密碼,但是操作系統層面口令文件OrapwSID.ora文件不一致,也是白瞎,只能通過scp主庫操作系統層面sys密碼達到想要的效果
添加小測試:
測試備庫修改操作系統口令文件與主庫sys密碼口令文件不一致情況會如何
--備庫修改操作系統口令文件,kill主庫的遠程連接
--備庫操作
[oracle@dage dbs]$ orapwd file=orapwdage password=abc entries=10 ignorecase=y force=y
[oracle@dage dbs]$ sqlplus sys/abc@dage as sysdba
[oracle@dage dbs]$ ps -ef|grep LOCAL=NO|grep -v grep|cut -c 9-15|xargs kill -9
--主庫重置遠程歸檔
SYS > select dest_id,error from v$archive_dest;
DEST_ID ERROR
---------- -----------------------------------------------------------------
2 ORA-03135: connection lost contact
alter system set log_archive_dest_state_2=defer;
alter system set log_archive_dest_state_2=enable;
SYS > select dest_id,error from v$archive_dest;
2 ORA-16191: Primary log shipping client not logged on standby
結論三、對於主備而言,只要主備操作系統口令文件不一致,且主庫遠程歸檔參數需要重新建立連接,都會得到dest_id 無法連接備庫,解決方法,cp操作系統口令文件
2.2測試對主庫sys用戶進行鎖定,切換歸檔后測試
--備庫開啟MRP進程
SYS@dage >recover managed standby database disconnect;
SYS@dage >select process,client_process,sequence#,status,BLOCK#,BLOCKS from v$managed_standby;
PROCESS CLIENT_P SEQUENCE# STATUS BLOCK# BLOCKS
--------- -------- ---------- ------------ ---------- ----------
MRP0 N/A 1007 APPLYING_LOG 14740 82074
--主庫對sys用戶進行鎖定
SYS > alter user sys account lock;
SYS > select username,ACCOUNT_STATUS from dba_users where username='SYS';
USERNAME ACCOUNT_STATUS
------------------------------ --------------------------------
SYS LOCKED
SYS > alter system switch logfile;
--備庫重啟庫后--查詢
SYS@dage >startup force;
SYS@dage >select username,ACCOUNT_STATUS from dba_users where username='SYS';
USERNAME ACCOUNT_STATUS
------------------------------ --------------------------------
SYS LOCKED
--主庫操作,重置線程查詢狀態
alter system set log_archive_dest_state_2=defer;
alter system set log_archive_dest_state_2=enable;
SYS > select dest_id,error from v$archive_dest;
2 ORA-16191: Primary log shipping client not logged on standby
SYS > select severity,error_code,to_char(timestamp,'DD-MON-YYYY HH24:MI:SS') "timestamp" , message from v$dataguard_status where dest_id=2;
SEVERITY ERROR_CODE timestamp MESSAGE
--------------- ---------- -------------------- ----------------------------------------------------------------------
Error 16191 03-MAY-2018 10:10:50 PING[ARC2]: Heartbeat failed to connect to standby 'dage'. Error is 16191.
--主庫查詢歸檔參數
SYS > show parameter archive
log_archive_dest_2
SERVICE=dage lgwr ASYNC VALID_FOR=(ONLINE_LOGFILES,PRIMARY_ROLE) DB_UNIQUE_NAME=dage
SYS > host tnsping dage
OK (40 msec)
--主庫查詢alert日志
[oracle@enmo dbs]$ tail -200f /u01/app/oracle/diag/rdbms/enmo/ENMO/trace/alert_ENMO.log
Thu May 03 10:10:50 2018
Error 1017 received logging on to the standby
------------------------------------------------------------
Check that the primary and standby are using a password file
and remote_login_passwordfile is set to SHARED or EXCLUSIVE,
and that the SYS password is same in the password files. -密碼文件sys密碼相同!!!
returning error ORA-16191 --只能作為參考
--正常途徑以及無法自動主庫歸檔傳輸至備庫了
--一般情況下,scp操作系統口令文件就能解決問題,但是本次主備密碼文件一致
[oracle@enmo dbs]$ strings orapwENMO
]\[Z
ORACLE Remote Password file
INTERNAL
AB27B53EDC5FEF41
8A8F025737A9097A
#D}r
[oracle@dage dbs]$ strings orapwdage
]\[Z
ORACLE Remote Password file
INTERNAL
AB27B53EDC5FEF41
8A8F025737A9097A
#D}r
--通過處理gap歸檔的方法實現上述功能,原理理論分析:主庫修改了sys用戶密碼
--對主庫sys用戶進行解鎖
SYS > alter user sys account unlock;
SYS > alter system switch logfile;
SYS@dage >r
1* select username,ACCOUNT_STATUS from dba_users where username='SYS'
USERNAME ACCOUNT_STATUS
------------------------------ --------------------------------
SYS LOCKED
--備庫sys用戶狀態不變,因為主庫的歸檔文件無法傳輸至備庫
--原理分析:主庫鎖定的日志傳輸至備庫,備庫sys用戶被鎖定,在備庫重啟后,主庫的遠程歸檔參數無法連接備庫,無法傳輸歸檔日志,主庫對sys用戶的解鎖操作,無法在備庫應用
--
--查詢主庫最新的歸檔日志
SYS > select max(sequence#),thread# from v$archived_log group by thread#;
MAX(SEQUENCE#) THREAD#
-------------- ----------
1032 1
select thread#,sequence#,name,applied from v$archived_log
THREAD# SEQUENCE# NAME APPLIED
-----------------------------------------------------------------------------------------------------------------------------------------
1 1029 dage YES
1 1030 /u01/app/oracle/oradata/arch/1_1030_960955299.log NO
1 1030 dage YES
1 1031 /u01/app/oracle/oradata/arch/1_1031_960955299.log NO
1 1032 /u01/app/oracle/oradata/arch/1_1032_960955299.log NO
--查詢備庫最后接受應用的歸檔日志
select thread#,sequence#,name,applied from v$archived_log
THREAD# SEQUENCE# NAME APPLIED
-----------------------------------------------------------------------------------------------------------------------------------------
1 1030 /picclife/app/oracle/oradata/arch1_1030_960955299.log YES
--為穩妥起見:對主庫1031/1032兩個日志文件手工拷貝
[oracle@enmo ~]$ scp /u01/app/oracle/oradata/arch/1_1031_960955299.log /u01/app/oracle/oradata/arch/1_1032_960955299.log 192.168.20.66:/picclife/app/oracle/oradata/.
--備庫注冊歸檔日志
RMAN> catalog start with '/picclife/app/oracle/oradata/';
--備庫重啟后,需手工啟動Mrp進程
SYS@dage >recover managed standby database disconnect from session;
--備庫查詢sys用戶狀態
SYS@dage >select username,ACCOUNT_STATUS from dba_users where username='SYS';
USERNAME ACCOUNT_STATUS
------------------------------ --------------------------------
SYS OPEN
結論
當出現備庫無法接受主庫歸檔日志現象時:
主庫查詢視圖:select dest_id,error from v$archive_dest;
select severity,error_code,to_char(timestamp,'DD-MON-YYYY HH24:MI:SS') "timestamp" , message from v$dataguard_status where dest_id=2;
主備庫alert日志文件
主庫歸檔遠程參數log_archive_dest_xxx
log_archive_dest_state_2狀態
如果以上均OK,增加一個可能性,sys用戶狀態,及操作系統密碼文件是否一致
--本篇文檔主要考慮sys密碼文件造成備庫無法接受日志的情況,不詳細介紹log_archive_dest_xx參數