Oracle 21c New Feature - Database Nest (DbNest)

Database Nest ("DbNest") is infrastructure that enables a database instance to run in a protected and virtualized environment by isolating operating system resources and filesystems for CDBs and PDBs.  The feature is implemented as a Linux-specific package that provides hierarchical containers called "nests".  A CDB resides within a single parent nest, while each PDB resides in its own child nest created within the parent.

Linux processes in a PDB nest have their own process ID (PID) number spaces and cannot access PIDs in other nests.  This prevents a malicious user in one database from accessing other databases on the same system.

DbNest is considered a security feature, and is detailed in the Oracle Database Security Guide (ref).  Without DbNest, it is possible for users of one PDB to access another PDB’s data in memory, since both PDBs are part of the same CDB that owns all of the processes.  (While this is an unheard-of problem, it is theoretically possible.)  To prevent accidental data exposures like this, DbNest uses Linux resource isolation, namespaces, and control groups.

Nests are created and managed automatically.  You (the DBA) don't need to worry about them.  All you need to do is enable the feature and let Oracle do the work.  That said, it's always good to understand what's happening.

A PDB nest is automatically closed when that PDB is closed, and automatically deleted when that PDB is unplugged or deleted.  All nests are deleted whenever the CDB is shut down, and recreated on startup: the CDB nest is started with the CDB, and each PDB's nest is started when that PDB is opened.

The maximum number of nests per CDB is 4,000 and the maximum number per host is 8,142.  These limits are not a problem for on-prem deployments: Enterprise Edition with the Oracle Multitenant option only allows 252 PDBs per CDB, which means a total of 253 nests.  Deploying on Oracle engineered systems (EE-ES) allows up to 4,096 PDBs, so you have the ability to create more PDBs than nests.

DbNest can be enabled or disabled using the initialization parameter DBNEST_ENABLE (ref).  A value of NONE disables the feature.  The only other allowable value, CDB_RESOURCE_PDB_ALL, enables the feature.  Once enabled, a separate nest is created for the CDB and for each mounted PDB.  Nests are automatically created for any future PDB you create.

The only other init.ora parameter related to DbNest is DBNEST_PDB_FS_CONF (ref).  This is optional and often not set.  It is used to define an optional configuration file where you can list all locations that should be mounted or blacklisted inside the nest.  The parameter is optional because DbNest automatically mounts all filesystems required by the CDB nest and each PDB nest.  This parameter can be set at the CDB but not PDB level.

DbNest relies heavily on the Linux cgroup feature, which has been part of every Linux kernel since 2.6.24.  Each cgroup is a named subset of processors and memory, and each Oracle instance can be bound or constrained to its assigned cgroup. 

There is no cgroup on a Linux server by default, so every Oracle instance on the server shares all of the processors.  In most on-prem deployments this sharing is what you want, because dividing resources means each instance has access to fewer resources and runs slower.  In cloud deployments, however, it may be advantageous to isolate instances from each other in order to meet service level objectives and ensure predictable performance. 

The Linux cgroup feature can be thought of as a type of instance caging.  Actually, Oracle 11g R2 introduced a separate feature called Instance Caging which basically lets you limit an instance to some number of CPUs, but you cannot tell it which CPUs as you can with cgroup.  Instance Caging requires Database Resource Manager, but cgroup does not.  Instance Caging allows you to oversubscribe CPU resources so that on a server with 16 Hyperthreads and 3 databases you might allocate 8 threads to each of your three databases.

Instance Caging and cgroup are not perfect solutions for Oracle Multitenant databases.  All PDBs in the CDB will share the same processors and memory chips.  To that end, Oracle introduced DbNest.  DbNest is basically an implementation of cgroup for Oracle Multitenant.

The cgroup feature is automatically used by DbNest.  Basically, if you are going to set up DbNest for a multitenant database, then you don’t need to manually set up cgroup.  It happens automatically.
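
One way to confirm on a host that the PID-namespace and cgroup separation described above is actually in effect is to compare what Linux reports under /proc for a process from each PDB.  The following is an added example, not Oracle code or part of DbNest; the process labels, namespace inode numbers and cgroup paths in the samples are constructed placeholders.

```python
import os
import re
from collections import defaultdict

NS_LINK = re.compile(r"^pid:\[(\d+)\]$")

def pid_ns_id(link_target):
    """Inode number from a /proc/<pid>/ns/pid symlink target, e.g. 'pid:[4026531836]'."""
    m = NS_LINK.match(link_target.strip())
    if not m:
        raise ValueError(f"not a pid namespace link: {link_target!r}")
    return int(m.group(1))

def cgroup_paths(text):
    """Map controller list -> cgroup path from /proc/<pid>/cgroup (v1 and v2 lines)."""
    out = {}
    for line in text.strip().splitlines():
        _hier, controllers, path = line.split(":", 2)
        out[controllers or "unified"] = path  # v2 lines have an empty controller field
    return out

def read_live(pid):
    """Read both values for a running process (needs root or the process owner)."""
    with open(f"/proc/{pid}/cgroup") as f:
        return os.readlink(f"/proc/{pid}/ns/pid"), f.read()

def shared_isolation(samples):
    """Return groups of labels that share a PID namespace or a cgroup path."""
    by_ns, by_cg = defaultdict(list), defaultdict(list)
    for label, (ns_link, cg_text) in samples.items():
        by_ns[pid_ns_id(ns_link)].append(label)
        for path in set(cgroup_paths(cg_text).values()):
            by_cg[path].append(label)
    return {
        "pid_ns": sorted(sorted(v) for v in by_ns.values() if len(v) > 1),
        "cgroup": sorted(sorted(v) for v in by_cg.values() if len(v) > 1),
    }

# Constructed samples: inode numbers and cgroup paths are placeholders,
# not values or naming taken from a real DbNest host.
ISOLATED = {
    "pdb1_proc": ("pid:[4026532501]", "0::/example/cdb/pdb1\n"),
    "pdb2_proc": ("pid:[4026532502]", "0::/example/cdb/pdb2\n"),
}
SHARED = {
    "pdb1_proc": ("pid:[4026531836]", "0::/\n"),
    "pdb2_proc": ("pid:[4026531836]", "0::/\n"),
}
```

On a live system, build the samples dictionary from `read_live(pid)` for one process belonging to each PDB; any non-empty group in the result means those processes are not separated from each other.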
