Merge pull request #195 from ministryofjustice/DBA-569

Dba 569

Author: bill-buchan

.github/workflows/oracle-db-release-update.yml

@@ -1,5 +1,4 @@
 name: "Oracle: Release Update"
-run-name: "Oracle: ${{ github.event.inputs.TargetEnvironment }}-release-update"
 on:
   workflow_dispatch:
     inputs:
@@ -46,7 +45,7 @@ on:
         required: true
         type: choice
         options:
-          - "/u01/software/19c/patches"
+          - "/u02/stage"
       ComboPatch:
         description: "Combo Patch to Install (default = use value from environment configuration)"
         required: true
@@ -55,15 +54,16 @@ on:
           - "default"
           - "34773504:p34773504_190000_Linux-x86-64.zip:(19.18)"
           - "35370167:p35370167_190000_Linux-x86-64.zip:(19.20)"
+          - "36031453:p36031453_190000_Linux-x86-64.zip:(19.22)"
       OPatch:
         description: "OPatch Utility to Use (default = use value from environment configuration)"
         required: true
         type: choice
         options: 
           - "default"
-          - "6880880:p6880880_190000_Linux-x86-64.12.2.0.1.29.zip:(12.2.0.1.29)"
-          - "6880880:p6880880_190000_Linux-x86-64.12.2.0.1.32.zip:(12.2.0.1.32)"
           - "6880880:p6880880_190000_Linux-x86-64.12.2.0.1.36.zip:(12.2.0.1.36)"
+          - "6880880:p6880880_190000_Linux-x86-64.12.2.0.1.36.zip:(12.2.0.1.39)"
+          - "6880880:p6880880_190000_Linux-x86-64.12.2.0.1.41.zip:(12.2.0.1.41)"
       AWSSnapshot:
         description: "Number of Days to Keep AWS Snapshot of Primary Database Host"
         required: true
@@ -91,6 +91,8 @@ on:
         type: string
         default: "main"
 
+run-name: "Oracle: ${{ format('{0}-release-update-{1}',github.event.inputs.TargetEnvironment,tojson(inputs)) }}"
+
 env:
   ansible_config: operations/playbooks/ansible.cfg
   command: ansible-playbook operations/playbooks/oracle_release_update/playbook.yml
@@ -130,21 +132,18 @@ jobs:
           ref: ${{ github.event.inputs.SourceConfigVersion }}
           fetch-depth: 0
 
-      - name: Install yq
-        uses: dcarbone/install-yq-action@v1.1.1
+      - name: Checkout Role From modernisation-platform-configuration-management
+        uses: actions/checkout@v4
         with:
-            download-compressed: true
-            version: "v4.35.1"
-            force: true
-
-      - name: Count Standby Databases Configured In Ansible Inventory
-        id: countstandbydbs
-        working-directory: ${{ env.inventory }}
-        run: |
-            database_environment="environment_name_$(echo ${{ github.event.inputs.TargetEnvironment}} | sed 's/delius-core-dev/delius_core_development_dev/;s/delius-core-test/delius_core_test_test/;s/delius-core-training/delius_core_test_training/;s/delius-core-stage/delius_core_preproduction_stage/;s/delius-core-pre-prod/delius_core_preproduction_pre_prod/;s/delius-core-prod/delius_core_production_prod/')"
-            database_type=$(echo ${{ github.event.inputs.TargetHost }} | cut -d_ -f1)
-            high_availability_count=$(yq .high_availability_count.${database_type} group_vars/${database_environment}_all.yml)
-            echo "high_availability_count=$high_availability_count"
+          repository: ministryofjustice/modernisation-platform-configuration-management
+          sparse-checkout-cone-mode: false
+          sparse-checkout: |
+                ansible/roles/secretsmanager-passwords
+                ansible/roles/get-ec2-facts
+                ansible/roles/get-modernisation-platform-facts
+          path: roles
+          ref: ${{ github.event.inputs.SourceConfigVersion }}
+          fetch-depth: 0
 
       - name: Checkout From hmpps-delius-operational-automation
         uses: actions/checkout@v4
@@ -153,6 +152,8 @@ jobs:
           sparse-checkout-cone-mode: false
           sparse-checkout: |
                            playbooks/oracle_release_update
+                           playbooks/delius_oem_metrics_setup
+                           common/*
                            ansible.cfg
           path: operations
           ref: ${{ github.event.inputs.SourceCodeVersion }}
@@ -176,13 +177,17 @@ jobs:
       - name: Run Release Update Playbook
         run: |
           export ANSIBLE_CONFIG=$ansible_config
+          # Link the checked out configuration roles to somewhere Ansible will be able to find them
+          ln -svf $PWD/roles/ansible/roles $PWD/operations/playbooks/oracle_release_update/roles
+          # Link the OEM Metrics Setup Play to allow it to be used as a role
+          ln -svf $PWD/operations/playbooks/delius_oem_metrics_setup/delius_oem_metrics_setup $PWD/roles/ansible/roles/delius_oem_metrics_setup
           $command -i $inventory \
-          -e target_hosts=${{ steps.prepareinventorynames.outputs.hosts }}
-          -e apply_mode=${{ github.event.inputs.ApplyMode }}
-          -e oracle_patch_directory=${{ github.event.inputs.OraclePatchDirectory }}
-          -e combo_patch_info=${{ github.event.inputs.ComboPatchInfo }}
-          -e opatch_info=${{github.event.inputs.Opatch }}
-          -e "keep_aws_snapshot='${{github.event.inputs.AWSSnapShot }}'"
-          -e high_availability_count=${{ steps.countstandbydbs.outputs.high_availability_count }}
-          -e gi_ru_patch_info=''
+          -e target_hosts=${{ steps.prepareinventorynames.outputs.hosts }} \
+          -e apply_mode=${{ github.event.inputs.ApplyMode }} \
+          -e oracle_patch_directory=${{ github.event.inputs.OraclePatchDirectory }} \
+          -e combo_patch_info='${{ github.event.inputs.ComboPatch }}' \
+          -e opatch_info='${{github.event.inputs.Opatch }}' \
+          -e "keep_aws_snapshot='${{github.event.inputs.AWSSnapShot }}'" \
+          -e high_availability_count=${{ steps.countstandbydbs.outputs.high_availability_count }} \
+          -e gi_ru_patch_info='' \
           -e ojvm_ru_patch_info=''

playbooks/oracle_release_update/deinstall_oracle.yml

@@ -0,0 +1,44 @@
+---
+- hosts: "{{ target_hosts }}"
+  gather_facts: no
+  become: yes
+  become_user: oracle
+  roles:
+    - deinstall_oracle
+
+# Run the following to Update OEM Targets *** only when inside of AWS ***
+# This playbook calls an SSM Automation to run the OEM Changes within the associated
+# Engineering Environment.   We loop through each host in the environment
+# where the deinstallation completed successfully.
+- hosts: localhost
+  gather_facts: no
+  become: no
+  tasks:
+    - include_vars:
+        file: release_update/vars/main.yml
+    - name: Run SSM Automation to Update OEM Targets
+      include: release_update/tasks/update_oem_targets.yml
+      vars:
+        update_host: "{{ item }}"
+        grid_home: "{{ oem_gi_home | replace('DO_NOT_DEINSTALL','NONE') }}"
+        database_home: "{{ oem_db_home | replace('DO_NOT_DEINSTALL','NONE') }}"
+        document_name: "oracle-delete-home-oem"
+      loop: "{{ target_hosts.split(',') }}"
+      run_once: yes
+      when:
+        - is_aws_environment
+        - ( groups[item][0] | default('UNDEFINED_TARGET') ) in deinstalled_targets
+
+# Run the following to Update OEM Targets *** only when run on non-AWS (e.g. local VMs) ***
+# This playbook runs on the Primary OEM Host directly since AWS IAM / Engineering Accounts
+# are not relevant if not running in AWS
+- hosts: "{{ groups['oem_primarydb'][0] }}"
+  gather_facts: no
+  become: yes
+  become_user: oracle
+  vars:
+    oracle_grid_new_oracle_home: "{{ hostvars.localhost.oem_gi_home }}"
+    oracle_database_new_oracle_home: "{{ hostvars.localhost.oem_db_home }}"
+    deletion_targets: "{{ hostvars.localhost.deinstalled_targets | default([]) }}"
+  roles:
+    - { role: update_oem_after_deinstall, when: not hostvars.localhost.is_aws_environment }

playbooks/oracle_release_update/deinstall_oracle/files/detect_oracle_home_in_use.sh

@@ -0,0 +1,104 @@
+
+#!/bin/bash
+#
+#  Run a number of checks to confirm that the Oracle Home we are about to deinstall is not being used.
+#
+
+DEINSTALL_HOME=$1
+
+# Determine current active database and grid homes
+. ~oracle/.bash_profile
+DB_ORACLE_HOME=${ORACLE_HOME}
+export ORAENV_ASK=NO
+export DB_SID=${ORACLE_SID}
+export ORACLE_SID=+ASM
+. oraenv >/dev/null
+GI_ORACLE_HOME=${ORACLE_HOME}
+export ORACLE_SID=${DB_SID}
+. oraenv >/dev/null
+
+if [[ $( ls -l /proc/*/exe 2>/dev/null | awk -F\-\> '{print $2}' | xargs dirname | grep -c "^${DEINSTALL_HOME}[/].*") -gt 0 ]];
+then
+   echo "Active processes found using ${DEINSTALL_HOME}."
+   exit 1
+fi
+
+if [[ $(grep -c "[^#].*${DEINSTALL_HOME}:.*" /etc/oratab) -gt 0 ]];
+then
+   echo "References to ${DEINSTALL_HOME} found in /etc/oratab."
+   exit 1
+fi
+
+if [[ $(grep "^ORA_CRS_HOME" /etc/init.d/init.ohasd | awk -F= '{print $2}') == "${DEINSTALL_HOME}" ]];
+then
+   echo "${DEINSTALL_HOME} used in /etc/init.d/init.ohasd."
+   exit 1
+fi
+
+if [[ $(. ~oracle/.bash_profile; srvctl config database | xargs -I {} srvctl config database -d {} | grep "Oracle home:" | cut -d: -f2 | sed 's/^ //') == "${DEINSTALL_HOME}" ]];
+then
+   echo "Oracle database server configuration contains ${DEINSTALL_HOME}."
+   exit 1
+fi
+
+IFS=$'\n'
+# When checking for references in the current DBS directory for Grid Infrastructure we can ignore the ab_+ASM.dat
+# mapping file as this may contain environment variables set at the time of previous upgrade/patching which are
+# not relevant.   This file is reset (to exclude these variables) by restarting ASM but this is not convenient in higher environments.
+for x in $(ls -1 ${GI_ORACLE_HOME}/dbs/* | grep -v ab_+ASM.dat | xargs grep "${DEINSTALL_HOME}" 2>/dev/null);
+do
+   echo "$x ${DEINSTALL_HOME}"
+   exit 1
+done
+
+# Check if the ASM mapping file contains any references to the old home other than the known obsolete environment settings
+for x in $(strings ${GI_ORACLE_HOME}/dbs/ab_+ASM.dat | grep "${DEINSTALL_HOME}" | grep -v ^oracleHome= | grep -v ^OPATCHAUTO_PERL_PATH= | grep -v ^HOME= | grep -v ^CLASSPATH=)
+do
+   echo "ab_+ASM.dat $x"
+   exit 1
+done
+
+
+# If there are old controlfile snapshots present these may contain reference to previous Oracle Homes
+# Simply create a new snapshot controlfile if required
+if [[ -f ${DB_ORACLE_HOME}/dbs/snapcf${ORACLE_SID}.f ]]; then
+
+   grep "${DEINSTALL_HOME}" ${DB_ORACLE_HOME}/dbs/snapcf${ORACLE_SID}.f > /dev/null
+   if [[ $? -eq 0 ]];
+   then  
+      rman target / <<EORMAN
+      backup current controlfile;
+      exit
+EORMAN
+   fi
+
+   # Sometimes it is necessary to repeat the above step to clear all references
+   grep "${DEINSTALL_HOME}" ${DB_ORACLE_HOME}/dbs/snapcf${ORACLE_SID}.f > /dev/null
+   if [[ $? -eq 0 ]];
+   then  
+      rman target / <<EORMAN
+      backup current controlfile;
+      exit
+EORMAN
+   fi
+fi
+
+# Check that the default RMAN SBT Channel is not pointing to the deinstall home
+rman target / <<EORMAN | grep "CONFIGURE CHANNEL DEVICE TYPE 'SBT_TAPE' PARMS" | awk -F= '{print $NF}' | tr -d ")';" | grep ${DEINSTALL_HOME}
+SHOW CHANNEL;
+exit;
+EORMAN
+if [[ $? -eq 0 ]];
+then  
+   echo "RMAN default channel contains ${DEINSTALL_HOME}"
+   exit 1
+fi
+
+for x in $(grep "${DEINSTALL_HOME}" ${DB_ORACLE_HOME}/dbs/* 2>/dev/null);
+do
+   echo "$x ${DEINSTALL_HOME}"
+   exit 1
+done
+
+# Otherwise exit success (Oracle Home to be deinstalled does not appear to be in use)
+exit 0

playbooks/oracle_release_update/deinstall_oracle/tasks/deinstall.yml

@@ -0,0 +1,24 @@
+---
+- name: Detect if {{ deinstall_home }} Still in Use
+  script: detect_oracle_home_in_use.sh "{{ deinstall_home }}"
+  become: yes
+  become_user: root
+  changed_when: false
+
+- name: Check if {{ deinstall_home }} Home Still Exists
+  stat:
+    path: "{{ deinstall_home }}"
+  register: home_exists
+
+- name: Deinstall {{ deinstall_home }} Home
+  include: deinstall_oracle_home.yml
+  vars:
+    oracle_home: "{{ deinstall_home }}"
+  when: home_exists.stat.exists
+
+- name: Remove {{ deinstall_home }} Software Directory
+  file:
+    state: absent
+    path: "{{ deinstall_home }}"
+  become: yes
+  become_user: root

playbooks/oracle_release_update/deinstall_oracle/tasks/deinstall_oracle_home.yml

@@ -0,0 +1,33 @@
+---
+# The Oracle Home may be de-installed with the deinstall tool
+
+- name: Define Temporary Location for Response File
+  tempfile:
+    path: /tmp
+    suffix: deinstall_response
+    state: directory
+  register: deinstalldir
+
+- name: Generate Response File for Deinstall
+  shell: |
+    cd {{ oracle_home }}/deinstall
+    ./deinstall -silent -checkonly -o {{ deinstalldir.path }}
+
+- name: Get Names of Response Files
+  find:
+    path: "{{ deinstalldir.path }}"
+  register: response_files
+
+- name: Get Name of Response File
+  set_fact:
+    response_file: "{{ response_files.files[0].path }}"
+
+- name: Deinstall {{ deinstall_home }} Oracle Home
+  shell: |
+    cd {{ oracle_home }}/deinstall
+    ./deinstall -silent -paramfile "{{ response_file }}"
+
+- name: Remove Response File
+  file:
+    path: "{{ response_file }}"
+    state: absent

playbooks/oracle_release_update/deinstall_oracle/tasks/main.yml

@@ -0,0 +1,57 @@
+---
+- name: Deinstall Grid Infrastructure Software
+  when:
+    - oracle_grid_oracle_home is defined
+    - oracle_grid_oracle_home != 'DO_NOT_DEINSTALL'
+  block:
+    - name: Check Grid Infrastructure Home Format
+      fail:
+        msg: "Grid Infrastructure Oracle Home {{ oracle_grid_oracle_home }} does not match expected format."
+      when: not ( oracle_grid_oracle_home | regex_search("^/u01/app/grid/product/[0-9\.]+/grid$"))
+
+    - name: Deinstall Grid Infrastructure Home
+      include: deinstall.yml
+      vars:
+        deinstall_home: "{{ oracle_grid_oracle_home }}"
+
+- name: Deinstall Database Software
+  when:
+    - oracle_database_oracle_home is defined
+    - oracle_database_oracle_home != 'DO_NOT_DEINSTALL'
+  block:
+    - name: Check Database Home Format
+      fail:
+        msg: "Database Oracle Home {{ oracle_database_oracle_home }} does not match expected format."
+      when: not (oracle_database_oracle_home | regex_search("^/u01/app/oracle/product/[0-9\.]+/db$"))
+
+    - name: Deinstall Database Home
+      include: deinstall.yml
+      vars:
+        deinstall_home: "{{ oracle_database_oracle_home }}"
+
+- name: Check if inside AWS.
+  uri:
+    url: http://169.254.169.254/latest/meta-data
+    timeout: 20
+  register: aws_uri_check
+  failed_when: false
+  run_once: yes
+
+- set_fact:
+    is_aws_environment: "{{ aws_uri_check.status == 200 }}"
+  run_once: yes
+  delegate_to: localhost
+  delegate_facts: true
+
+# Set variables ready to run target deletion in next playbook
+# (The approach taken to delete these targets will differ between AWS and non-AWS environments)
+# NB: We use ansible_play_hosts to compile a list of targets which have not failed so far
+# as we do not want to delete targets for hosts where the deinstall has failed.
+- name: Prepare Ansible Controller Variables for OEM Target Deletion
+  set_fact:
+    oem_gi_home: "{{ oracle_grid_oracle_home }}"
+    oem_db_home: "{{ oracle_database_oracle_home }}"
+    deinstalled_targets: "{{ ansible_play_hosts }}"
+  delegate_to: localhost
+  delegate_facts: true
+  run_once: yes

playbooks/oracle_release_update/deinstall_oracle/vars/main.yml

@@ -0,0 +1 @@
+---

playbooks/oracle_release_update/oracle_release_update/defaults/main.yml

@@ -0,0 +1,2 @@
+oracle_patch_directory: /u02/stage
+oracle_inventory: /u01/app/oraInventory

playbooks/oracle_release_update/oracle_release_update/files/get_catalog_upgrade_required.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# Determine if an RMAN Catalog Upgrade is required
+
+. ~/.bash_profile
+
+CATALOG_PASSWORD=$(aws ssm get-parameters --region ${REGION} --with-decryption --name ${SSM_NAME} | jq -r '.Parameters[].Value')
+
+rman <<EORMAN
+connect catalog rman19c/${CATALOG_PASSWORD}
+exit;
+EORMAN