
An Encounter with ASM Filter Driver (ASMFD): Oracle GI 12c New Feature

Introduction

With Oracle Grid Infrastructure release 12.1.0.2, Oracle has introduced a new GI component called ASM Filter Driver (ASMFD).

Here, I am presenting my first encounter with Oracle ASM Filter Driver (ASMFD).

In its simplest form, ASMFD is the technical replacement for the existing Oracle ASM Library Driver (ASMLIB) that provides access to storage devices by means of ASM Disks and Diskgroups.

Now, the obvious question: why a new driver, and what is new in it?

The answer is:

ASM Filter Driver (ASMFD) is an OS kernel module and an integral component of Grid Infrastructure release 12.1.0.2. It can be managed entirely through the ASMCMD command-line interface, unlike the legacy ASM Library Driver (ASMLIB), which is an OS module independent of the Grid Infrastructure framework.

ASM Filter Driver also validates write I/O requests to ASM disks and rejects any write request that is INVALID. This helps ensure that unauthorized writes are not committed to ASM disks.

So, what does that mean?

Take a look at the file permissions for the ASM disks configured with ASM Filter Driver:

-bash-3.2# ls -lrt /dev/oracleafd/disks/
total 16
-rw-r--r-- 1 root root 10 Oct  7 12:28 ASM_DATA01
-rw-r--r-- 1 root root 10 Oct  7 12:28 ASM_FLASH02
-rw-r--r-- 1 root root 10 Oct  7 12:28 ASM_FLASH01
-rw-r--r-- 1 root root 10 Oct  7 12:28 ASM_DATA02

Can you observe the difference?

Yes, all the ASM disks are owned by root and only root has write permission. This prevents unauthorized (INVALID) write requests from being committed to ASM disks.

In earlier releases of GI, the ASM disks were owned by the GI owner, which left them vulnerable to accidental disk and/or data corruption.

To further confirm that ASMFD works as described, I tried to manually corrupt the ASM disk. However, as promised, that did not happen :)

[oracle@labserver disks]$ echo "corrupt" >> ASM_DATA01
-bash: ASM_DATA01: Permission denied

Here is what the official doc says about ASMFD:

Oracle ASM Filter Driver (Oracle ASMFD) is a kernel module that resides in the I/O path of the Oracle ASM disks. Oracle ASM uses the filter driver to validate write I/O requests to Oracle ASM disks.

The Oracle ASMFD simplifies the configuration and management of disk devices by eliminating the need to rebind disk devices used with Oracle ASM each time the system is restarted.

The Oracle ASM Filter Driver rejects any I/O requests that are invalid. This action eliminates accidental overwrites of Oracle ASM disks that would cause corruption in the disks and files within the disk group. For example, the Oracle ASM Filter Driver filters out all non-Oracle I/Os which could cause accidental overwrites.

After installation of Oracle Grid Infrastructure, you can optionally configure Oracle ASMFD for your system. If ASMLIB is configured for an existing Oracle ASM installation, then you must explicitly migrate the existing ASMLIB configuration to Oracle ASMFD.

Conclusion:

ASM Filter Driver (ASMFD) is the recommended replacement for ASM Library Driver (ASMLib) and it provides more secure access to ASM Disks.

Follow up: Additional points based on the comments from Rijesh

The disks located under /dev/oracleafd/disks/ are just LABELS that point to the actual disks on which the ASM disks are configured.

[oracle@labserver bin]$ cd /dev/oracleafd/disks/
[oracle@labserver disks]$ ls -lrt
total 20
-rw-r--r-- 1 root root 10 Dec 31 20:28 FLASH02
-rw-r--r-- 1 root root 10 Dec 31 20:28 FLASH01
-rw-r--r-- 1 root root 10 Dec 31 20:28 DATA02
-rw-r--r-- 1 root root 10 Dec 31 20:28 DATA01
-rw-r--r-- 1 root root 10 Dec 31 20:28 FLASH03
[oracle@labserver disks]$ cat DATA01
/dev/sdd1

However, if ASMFD disk filtering is ENABLED, it rejects any I/O to these actual disks that does not come by means of Oracle Database.

[oracle@labserver bin]$  $ORACLE_HOME/bin/asmcmd afd_lsdsk
--------------------------------------------------------------------------------
Label                     Filtering   Path
================================================================================
DATA01                      ENABLED   /dev/sdd1
DATA02                      ENABLED   /dev/sde1
FLASH01                     ENABLED   /dev/sdf1
FLASH02                     ENABLED   /dev/sdg1
FLASH03                     ENABLED   /dev/sdl1

[oracle@labserver bin]$ dd if=/dev/zero of=/dev/sdd1 count=100 bs=2M
dd: opening `/dev/sdd1': Permission denied


[root@labserver ~]$dd if=/dev/zero of=/dev/sdd1 count=100 bs=2M
100+0 records in
100+0 records out
209715200 bytes (210 MB) copied, 1.34228 seconds, 156 MB/s

Even though the dd command was successful, the I/O was rejected by ASMFD. We can confirm this by looking in /var/log/messages.

Dec 31 20:54:18 labserver kernel: F 4295719.382/141231152413 pdflush[369]  afd_mkrequest_fn: write IO on ASM managed device (major=8/minor=49)  not supported i=1 start=33102 seccnt=1  pstart=63  pend=31455270
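
The log check above can be scripted. The following is an added example, not part of the original post or of Oracle's tooling: it parses afd_lsdsk output and /var/log/messages text, decodes the major/minor pair in each afd_mkrequest_fn rejection to a device path, and names the ASM label that was targeted. The sample inputs are constructed from the output shown above; the DISABLED row, the sshd line and all function names are assumptions for illustration.

```python
import re
# Constructed samples modelled on the afd_lsdsk table and kernel message above.
AFD_LSDSK = """\
Label                     Filtering   Path
DATA01                      ENABLED   /dev/sdd1
FLASH01                    DISABLED   /dev/sdf1
"""
MESSAGES = """\
Dec 31 20:54:18 labserver kernel: F 4295719.382/141231152413 pdflush[369]  afd_mkrequest_fn: write IO on ASM managed device (major=8/minor=49)  not supported i=1 start=33102 seccnt=1  pstart=63  pend=31455270
Dec 31 20:54:19 labserver sshd[2211]: Accepted publickey for oracle from 192.0.2.10 port 50022 ssh2
"""
REJECT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ kernel: .*?(?P<proc>\S+)\[(?P<pid>\d+)\]\s+"
    r"afd_mkrequest_fn: write IO on ASM managed device "
    r"\(major=(?P<maj>\d+)/minor=(?P<min>\d+)\)\s+not supported.*?start=(?P<start>\d+) seccnt=(?P<cnt>\d+)")

def sd_name(major, minor):
    """Decode a Linux sd device number: major 8 is sda..sdp, 16 minors per disk."""
    if major != 8:
        return None  # on a live host, resolve /sys/dev/block/<major>:<minor> instead
    disk, part = divmod(minor, 16)
    return "/dev/sd" + chr(ord("a") + disk) + (str(part) if part else "")

def parse_lsdsk(text):
    """Map device path -> (label, filtering state) from afd_lsdsk output."""
    disks = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3 and fields[2].startswith("/dev/"):
            disks[fields[2]] = (fields[0], fields[1])
    return disks

def rejected_writes(log_text, disks):
    """Return one record per write that ASMFD refused, tagged with the ASM label."""
    hits = []
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if m:
            dev = sd_name(int(m["maj"]), int(m["min"]))
            hits.append({"time": m["ts"], "process": m["proc"], "pid": int(m["pid"]),
                         "device": dev, "label": disks.get(dev, ("unknown",))[0],
                         "start_sector": int(m["start"]), "sectors": int(m["cnt"])})
    return hits

def unfiltered(disks):
    """Labels whose filtering column is anything other than ENABLED."""
    return sorted(label for label, state in disks.values() if state != "ENABLED")

if __name__ == "__main__":
    print(rejected_writes(MESSAGES, parse_lsdsk(AFD_LSDSK)))
```

The process field is whatever thread issued the block I/O. In the message above it is pdflush, the kernel writeback thread, because dd wrote through the page cache; that is also why dd itself reported success.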

Reference:

Administering ASM Filter Driver
