Oracle ASMFD: Migrate from ASMLIB to ASM Filter Driver

Executive Summary

Oracle ASMFD (ASM Filter Driver) is the replacement for ASMLIB in Oracle 12.1.0.2 and later, providing OS-level protection for ASM disk devices by filtering non-Oracle writes to ASM disks – preventing accidental or malicious overwrites. This article covers migrating an existing ASMLIB-based ASM environment to ASMFD: verifying the current ASMLIB configuration, creating a test table in an ASM tablespace to verify data integrity, labelling the disks for ASMFD, shutting down the cluster stack, running the migration, starting the stack with ASMFD, and validating that all disk groups are online and data is intact.

Prior to Oracle Grid Infrastructure (GI) release 12.1.0.2, ASM Library (ASMLIB) was the only method to access storage devices by means of ASM Disks and Diskgroups. There were serious limitations to this method. The ASM disks were owned by GI home owner and both the owner and any users belonging to an operating system group designated as the OSASM group could read from and write to ASM disks using OS commands like strings, echo, dd etc. This led to compromising the security of data as well as accidental corruption of the data in the ASM disks and ASM disks themselves.

With Oracle Grid Infrastructure release 12.1.0.2, Oracle has introduced a new component called Oracle Automatic Storage Management Filter Driver (Oracle ASMFD) which is installed with an Oracle Grid Infrastructure installation. It is intended to overcome the limitations mentioned earlier and replace traditional ASMLIB. ASMFD is currently available only on the Linux operating system and can be completely managed by the ASMCMD command Line interface.

Oracle ASMFD is a kernel module that resides in the I/O path of the Oracle ASM disks. ASMFD uses the filter driver to validate write I/O requests to Oracle ASM disks. Any write I/O requests that are not issued by Oracle software (e.g. using dd command) are not committed to ASM disks. Thus it helps to prevent users, including those with administrative privileges, from inadvertently overwriting Oracle ASM disks, thereby preventing corruption of the data stored on ASM disk(s) within the disk group(s). In case ASM disks have been configured on disk partitions, the filter protects the area on the disk managed by Oracle ASMFD, assuming the partition table is left untouched by the user.

Besides, Oracle ASMFD eliminates the need to rebind disk devices used with Oracle ASM each time the system is restarted.

If you have an existing Oracle ASM library driver (Oracle ASMLIB) configuration, and you want to employ ASMFD, you would need to configure Oracle ASMFD. This will remove Oracle ASMLIB and Oracle ASM devices will be configured to use Oracle ASMFD. In this article, I will demonstrate configuration of Oracle ASMFD in a standalone environment.

Currently, I have Oracle ASMLIB configured on my standalone system. OS user oracle is the owner of both GI home and Database home.

Overview:

Verify that currently ASMLIB has been configured and ASMFD is not configured yet
Create a table in an ASM tablespace
Migrate ASM disks to use ASMFD
Configure ASMFD
Start Clusterware stack
Verify that ASMFD has been successfully configured and ASM disks have been migrated
Set ASM_DISKSTRING and AFD_DISKSTRING to ‘AFD:*’
Validate that ASM Disk groups have migrated and are using ASMFD
Verify that our data is intact after migration
Verify that when filter is enabled it does not allow OS commands to alter the contents of ASM disks

Implementation:

Verify that currently ASMLIB has been configured and ASMFD is not configured yet

We can verify that Oracle ASMLIB is configured and driver for oracleasm is currently loaded.

[root@host01 ~]# lsmod | grep oracle

oracleasm 48660 1

[root@host01 ~]# oracleasm scandisks

[root@host01 ~]# oracleasm listdisks

ASMDISK01

ASMDISK02

ASMDISK03

ASMDISK04

ASMDISK05

ASMDISK06

ASMDISK07

ASMDISK08

ASMDISK09

ASMDISK10

Let’s check the permissions and location of ASM Disks.

The ASM Disks are block devices in /dev/oracleasm/disks owned by the GI owner “oracle” user. OS user oracle and anyone belonging to OS group “dba” (which maps to OSASM privilege) can read from and write to ASM disks. Thus the ASM disks are vulnerable to accidental Disk and or Data corruption.

[root@host01 disks]# ls -lrt /dev/oracleasm/disks

total 0

brw-rw---- 1 oracle dba 8, 6 Apr 20 11:02 ASMDISK01

brw-rw---- 1 oracle dba 8, 7 Apr 20 11:02 ASMDISK02

brw-rw---- 1 oracle dba 8, 8 Apr 20 11:02 ASMDISK03

brw-rw---- 1 oracle dba 8, 9 Apr 20 11:02 ASMDISK04

brw-rw---- 1 oracle dba 8, 10 Apr 20 11:02 ASMDISK05

brw-rw---- 1 oracle dba 8, 11 Apr 20 11:02 ASMDISK06

brw-rw---- 1 oracle dba 8, 12 Apr 20 11:02 ASMDISK07

brw-rw---- 1 oracle dba 8, 13 Apr 20 11:02 ASMDISK08

brw-rw---- 1 oracle dba 8, 14 Apr 20 11:02 ASMDISK09

brw-rw---- 1 oracle dba 8, 15 Apr 20 11:02 ASMDISK10

We can verify that ASMFD is not configured.

[oracle@host01 ~]$ asmcmd afd_lsdsk

Failed to load AFD library.

[oracle@host01 disks]$ asmcmd afd_state

ASMCMD-9526: The AFD state is 'NOT INSTALLED' and filtering is 'DEFAULT' on host

'host01.example.com'

ASM>SELECT SYS_CONTEXT('SYS_ASMFD_PROPERTIES', 'AFD_STATE') FROM DUAL;

SYS_CONTEXT('SYS_ASMFD_PROPERTIES','AFD_STATE')

--------------------------------------------------------------------------------

NOT AVAILABLE

Create a table in an ASM tablespace

Let’s find out candidate disks which are not part of any disk group yet.

[oracle@host01 ~]$ asmcmd lsdsk --candidate

Path

ORCL:ASMDISK05

ORCL:ASMDISK06

ORCL:ASMDISK07

ORCL:ASMDISK08

ORCL:ASMDISK09

ORCL:ASMDISK10

ASM> create diskgroup test external redundancy disk 'ORCL:ASMDISK10';

ORCL>create tablespace ASMTBS datafile '+TEST';

ORCL>create table hr.asm_tab tablespace ASMTBS as select * from hr.employees;

select count(*) from hr.asm_tab where last_name = 'King';

COUNT(*)

----------

Migrate ASM disks to use ASMFD

Let’s find out disks in DATA and TEST disk groups

[oracle@host01 disks]$ asmcmd lsdsk -G DATA

Path

ORCL:ASMDISK01

ORCL:ASMDISK02

ORCL:ASMDISK03

ORCL:ASMDISK04

[oracle@host01 disks]$ asmcmd lsdsk -G TEST

Path

ORCL:ASMDISK10

Let’s make a note of current disk discovery path. It currently points to ASMLIB disks.

[oracle@host01 disks]$ asmcmd dsget

parameter:ORCL:*

profile:ORCL:*

Make sure ASM is using SPFILE

[oracle@host01 disks]$ srvctl config asm

ASM home:

Password file: +DATA/orapwasm

ASM listener: LISTENER

Spfile: +DATA/ASM/ASMPARAMETERFILE/registry.253.872686839

ASM diskgroup discovery string: ORCL:*

Now, let’s start with the migration.

Update the ASM Disk discovery path to enable ASMFD lookup

Once we label the disk, it will show up as AFD: and that name will be used for disk discovery.

AS GI owner , set the ASM discovery string to include AFD.* as well:

[oracle@host01 root]$ asmcmd dsset 'ORCL:*','AFD:*'

[oracle@host01 disks]$ asmcmd dsget

parameter:ORCL:*, AFD:*

profile:ORCL:*,AFD:*

We have updated ASM disk discovery string. Now, when we configure ASMFD it would be able to discover and migrate the existing disks.

Bring down the Clusterware stack

ORCL>shu immediate;

[root@host01 dev]# srvctl stop asm -f

[root@host01 dev]# crsctl stop has

CRS-2791: Starting shutdown of Oracle High Availability Services-managed resources on 'host01'

CRS-2673: Attempting to stop 'ora.evmd' on 'host01'

CRS-2673: Attempting to stop 'ora.LISTENER.lsnr' on 'host01'

CRS-2677: Stop of 'ora.LISTENER.lsnr' on 'host01' succeeded

CRS-2677: Stop of 'ora.evmd' on 'host01' succeeded

CRS-2673: Attempting to stop 'ora.cssd' on 'host01'

CRS-2677: Stop of 'ora.cssd' on 'host01' succeeded

CRS-2793: Shutdown of Oracle High Availability Services-managed resources on 'host01' has completed

CRS-4133: Oracle High Availability Services has been stopped.

Now, we are ready for the migration process.

Configure ASMFD

This step will deconfigure ASMLIB, configure ASMFD and migrate the disks from ASMLIB to ASMFD.

[root@host01 ~]# asmcmd afd_configure

Connected to an idle instance.

AFD-627: AFD distribution files found.

AFD-636: Installing requested AFD software.

AFD-637: Loading installed AFD drivers.

AFD-9321: Creating udev for AFD.

AFD-9323: Creating module dependencies - this may take some time.

AFD-9154: Loading 'oracleafd.ko' driver.

AFD-649: Verifying AFD devices.

AFD-9156: Detecting control device '/dev/oracleafd/admin'.

AFD-638: AFD installation correctness verified.

Modifying resource dependencies - this may take some time.

ASMCMD-9524: AFD configuration failed 'ERROR: OHASD start failed'

Modifying resource dependencies - this may take some time.

ASMCMD-9524: AFD configuration failed 'ERROR: OHASD start failed'

We can ignore the last error for now but we do have a working ASMFD now.

[root@host01 ~]# asmcmd afd_state

Connected to an idle instance.

ASMCMD-9526: The AFD state is 'LOADED' and filtering is 'DEFAULT' on host 'host01.example.com'

Note that the folder for oracleasm has been emptied and ASMFD has created a folder /dev/oracleafd where all the ASM disks are visible such that root is the owner of disks and only root can read from or write to ASM disks.

[[root@host01 dev]# cd /dev

ls -l |grep oraclea

drwxrwx--- 3 oracle dba 80 Apr 20 17:22 oracleafd

drwxr-xr-x 2 root root 40 Apr 20 17:15 oracleasm

[root@host01 oracleasm]# ls -l /dev/oracleasm/*

ls: /dev/oracleasm/*: No such file or directory

[root@host01 dev]# ls -l /dev/oracleafd/disks

total 40

-rw-r--r-- 1 root root 10 Apr 20 17:22 ASMDISK01

-rw-r--r-- 1 root root 10 Apr 20 17:22 ASMDISK02

-rw-r--r-- 1 root root 10 Apr 20 17:22 ASMDISK03

-rw-r--r-- 1 root root 10 Apr 20 17:22 ASMDISK04

-rw-r--r-- 1 root root 11 Apr 20 17:22 ASMDISK05

-rw-r--r-- 1 root root 11 Apr 20 17:22 ASMDISK06

-rw-r--r-- 1 root root 11 Apr 20 17:22 ASMDISK07

-rw-r--r-- 1 root root 11 Apr 20 17:22 ASMDISK08

-rw-r--r-- 1 root root 11 Apr 20 17:22 ASMDISK09

-rw-r--r-- 1 root root 11 Apr 20 17:22 ASMDISK10

The disks can now be viewed from ASM Filter Driver Module.

[root@host01 oracleasm]# asmcmd afd_lsdsk

Connected to an idle instance.

--------------------------------------------------------------------------------

Label Filtering Path

================================================================================

ASMDISK01 ENABLED /dev/sda6

ASMDISK02 ENABLED /dev/sda7

ASMDISK03 ENABLED /dev/sda8

ASMDISK04 ENABLED /dev/sda9

ASMDISK05 ENABLED /dev/sda10

ASMDISK06 ENABLED /dev/sda11

ASMDISK07 ENABLED /dev/sda12

ASMDISK08 ENABLED /dev/sda13

ASMDISK09 ENABLED /dev/sda14

ASMDISK10 ENABLED /dev/sda15

We can verify that the configuration process has stopped the ASMLIB kernel module

[root@host01 dev]# service oracleasm status

Checking if ASM is loaded: no

Checking if /dev/oracleasm is mounted: no

We are almost done with the migration as ASMFD is loaded and the existing disks are already mapped. Once we start the Clusterware stack, we will update few configuration settings to make ASMFD persistent.

Start Clusterware stack

1 2	[root@host01 disks]# crsctl start has CRS-4123: Oracle High Availability Services has been started.

We can verify that driver for ASMFD has been loaded.

root@host01 oracleasm]# lsmod | grep oracle

oracleafd 221120 1

root@host01 dev]# srvctl start asm

Verify that ASMFD has been successfully configured and ASM disks have been migrated

ASM> SELECT SYS_CONTEXT('SYS_ASMFD_PROPERTIES', 'AFD_STATE') FROM DUAL;

SYS_CONTEXT('SYS_ASMFD_PROPERTIES','AFD_STATE')

-----------------------------------------------------------------------------------------------------------

CONFIGURED

ASM> select name, path, total_mb, free_mb from v$asm_disk;

NAME PATH TOTAL_MB FREE_MB

--------------- -------------------- ---------- ----------

AFD:ASMDISK09 0 0

AFD:ASMDISK08 0 0

AFD:ASMDISK05 0 0

AFD:ASMDISK07 0 0

AFD:ASMDISK06 0 0

ASMDISK01 AFD:ASMDISK01 3914 3865

ASMDISK02 AFD:ASMDISK02 3914 3862

ASMDISK03 AFD:ASMDISK03 3914 3867

ASMDISK04 AFD:ASMDISK04 3914 3871

ASMDISK10 AFD:ASMDISK10 3914 3761

Set ASM_DISKSTRING and AFD_DISKSTRING to ‘AFD:*’

Currently, parameter ASM_DISKSTRING points to both ASMLIB and ASMFD disks. Since ASMLIB has been deconfigured, we can remove ORCL:* from the parameter so that the parameter points to ASMFD disks only.

ASMFD disks only.

ASM>sho parameter diskstring

NAME TYPE VALUE

------------------------------------ ----------- ------------------------------

asm_diskstring string ORCL:*, AFD:*

[oracle@host01 ~]$ asmcmd dsget

parameter:ORCL:*, AFD:*

profile:ORCL:*,AFD:*

ASM>ALTER SYSTEM set asm_diskstring = 'AFD:*';

[oracle@host01 ~]$ asmcmd dsget

parameter:AFD:*

profile:AFD:*

We can also set discovery string for ASMFD disks to ‘AFD:*’

ASM>ALTER SYSTEM AFD_DISKSTRING SET 'AFD:*';

[oracle@host01 ~]$ asmcmd afd_dsget

AFD discovery string: 'AFD:*'

ASM>SELECT SYS_CONTEXT('SYS_ASMFD_PROPERTIES', 'AFD_DISKSTRING') FROM DUAL;

SYS_CONTEXT('SYS_ASMFD_PROPERTIES','AFD_DISKSTRING')

-----------------------------------------------------------------------------------------------------------

'AFD:*'

[oracle@host01 ~]$ srvctl config asm

ASM home:

Password file: +DATA/orapwasm

ASM listener: LISTENER

Spfile: +DATA/ASM/ASMPARAMETERFILE/registry.253.872686839

ASM diskgroup discovery string: AFD:*

Validate that ASM Diskgroups have migrated and are using ASMFD

[oracle@host01 ~]$ srvctl status diskgroup -diskgroup DATA

Disk Group DATA is running on host01

[oracle@host01 ~]$ srvctl status diskgroup -diskgroup TEST

Disk Group TEST is running on host01

Validate if the diskgroups are migrated and using ASMFD

[oracle@host01 ~]$ asmcmd lsdsk -G DATA

Path

AFD:ASMDISK01

AFD:ASMDISK02

AFD:ASMDISK03

AFD:ASMDISK04

[oracle@host01 ~]$ asmcmd lsdsk -G TEST

Path

AFD:ASMDISK10

root@host01 disks]# crsctl stat res -t

--------------------------------------------------------------------------------

Name Target State Server State details

--------------------------------------------------------------------------------

Local Resources

--------------------------------------------------------------------------------

ora.DATA.dg

ONLINE ONLINE host01 STABLE

ora.LISTENER.lsnr

ONLINE ONLINE host01 STABLE

ora.TEST.dg

OFFLINE OFFLINE host01 STABLE

ora.asm

ONLINE ONLINE host01 Started,STABLE

ora.ons

OFFLINE OFFLINE host01 STABLE

--------------------------------------------------------------------------------

Cluster Resources

--------------------------------------------------------------------------------

ora.cssd

1 ONLINE ONLINE host01 STABLE

ora.diskmon

1 OFFLINE OFFLINE STABLE

ora.evmd

1 ONLINE ONLINE host01 STABLE

-------------------------------------------------------------------------------

[oracle@host01 ~]$ asmcmd afd_scan

[oracle@host01 ~]$ asmcmd afd_lsdsk

--------------------------------------------------------------------------------

Label Filtering Path

================================================================================

ASMDISK01 ENABLED /dev/sda6

ASMDISK02 ENABLED /dev/sda7

ASMDISK03 ENABLED /dev/sda8

ASMDISK04 ENABLED /dev/sda9

ASMDISK05 ENABLED /dev/sda10

ASMDISK06 ENABLED /dev/sda11

ASMDISK07 ENABLED /dev/sda12

ASMDISK08 ENABLED /dev/sda13

ASMDISK09 ENABLED /dev/sda14

ASMDISK10 ENABLED /dev/sda15

Verify that our data is intact after migration

ORCL> select tablespace_name, file_name from dba_data_files where tablespace_name = 'ASMTBS' ;

TABLESPACE_NAME FILE_NAME

------------------------------ ------------------------------

ASMTBS +TEST/ORCL/DATAFILE/asmtbs.256.877540769

ORCL> select count(*) from hr.asm_tab where last_name = 'King';

COUNT(*)

----------

Let’s explore the disks located under /dev/oracleafd/disks/ .

These are actually just the text files owned by root pointing to the actual disks on which the ASM disks are configured as opposed to ASMLIB disks which were block devices owned by GI owner.

[root@host01 disks]# file /dev/oracleafd/disks/ASM*

/dev/oracleafd/disks/ASMDISK01: ASCII text

/dev/oracleafd/disks/ASMDISK02: ASCII text

/dev/oracleafd/disks/ASMDISK03: ASCII text

/dev/oracleafd/disks/ASMDISK04: ASCII text

/dev/oracleafd/disks/ASMDISK05: ASCII text

/dev/oracleafd/disks/ASMDISK06: ASCII text

/dev/oracleafd/disks/ASMDISK07: ASCII text

/dev/oracleafd/disks/ASMDISK08: ASCII text

/dev/oracleafd/disks/ASMDISK09: ASCII text

[root@host01 disks]# ls -l /dev/oracleafd/disks/ASM*

total 40

-rw-r--r-- 1 root root 10 Apr 20 17:22 ASMDISK01

-rw-r--r-- 1 root root 10 Apr 20 17:22 ASMDISK02

-rw-r--r-- 1 root root 10 Apr 20 17:22 ASMDISK03

-rw-r--r-- 1 root root 10 Apr 20 17:22 ASMDISK04

-rw-r--r-- 1 root root 11 Apr 20 17:22 ASMDISK05

-rw-r--r-- 1 root root 11 Apr 20 17:22 ASMDISK06

-rw-r--r-- 1 root root 11 Apr 20 17:22 ASMDISK07

-rw-r--r-- 1 root root 11 Apr 20 17:22 ASMDISK08

-rw-r--r-- 1 root root 11 Apr 20 17:22 ASMDISK09

-rw-r--r-- 1 root root 11 Apr 20 17:22 ASMDISK10

[root@host01 disks]# cat /dev/oracleafd/disks/ASM*

/dev/sda6

/dev/sda7

/dev/sda8

/dev/sda9

/dev/sda10

/dev/sda11

/dev/sda12

/dev/sda13

/dev/sda14

/dev/sda15

[root@host01 log]# ls -l /dev/sda*

brw-r----- 1 root disk 8, 0 Apr 20 17:14 /dev/sda

brw-r----- 1 root disk 8, 1 Apr 20 17:14 /dev/sda1

brw-r----- 1 root disk 8, 10 Apr 20 17:14 /dev/sda10

brw-r----- 1 root disk 8, 11 Apr 20 17:14 /dev/sda11

brw-r----- 1 root disk 8, 12 Apr 20 17:14 /dev/sda12

brw-r----- 1 root disk 8, 13 Apr 20 17:14 /dev/sda13

brw-r----- 1 root disk 8, 14 Apr 20 17:14 /dev/sda14

brw-r----- 1 root disk 8, 15 Apr 27 11:23 /dev/sda15

brw-r----- 1 root disk 8, 2 Apr 20 17:14 /dev/sda2

brw-r----- 1 root disk 8, 3 Apr 20 17:14 /dev/sda3

brw-r----- 1 root disk 8, 4 Apr 20 17:14 /dev/sda4

brw-r----- 1 root disk 8, 5 Apr 20 17:14 /dev/sda5

brw-r----- 1 root disk 8, 6 Apr 27 10:52 /dev/sda6

brw-r----- 1 root disk 8, 7 Apr 20 17:14 /dev/sda7

brw-r----- 1 root disk 8, 8 Apr 20 17:14 /dev/sda8

brw-r----- 1 root disk 8, 9 Apr 20 17:14 /dev/sda9

Verify that when filter is enabled it does not allow OS commands to alter the contents of ASM disks

We can check that filtering is enabled on AFD disks.

[oracle@host01 ~]$ asmcmd afd_scan

[oracle@host01 ~]$ asmcmd afd_lsdsk

--------------------------------------------------------------------------------

Label Filtering Path

================================================================================

ASMDISK01 ENABLED /dev/sda6

ASMDISK02 ENABLED /dev/sda7

ASMDISK03 ENABLED /dev/sda8

ASMDISK04 ENABLED /dev/sda9

ASMDISK05 ENABLED /dev/sda10

ASMDISK06 ENABLED /dev/sda11

ASMDISK07 ENABLED /dev/sda12

ASMDISK08 ENABLED /dev/sda13

ASMDISK09 ENABLED /dev/sda14

ASMDISK10 ENABLED /dev/sda15

Now non-root users have no way to read directly from ASM disks using OS command “strings”. Root user can still read the content of ASM disks cirectly.

[oracle@host01 disks]$ strings /dev/sda15 | grep King

strings: /dev/sda15: Permission denied

[root@host01 log]# strings /dev/sda15 | grep King

King

For ASM disk writes, we get a layer of protection for both root and non-root users. I will demonstrate it for both “echo” and “dd” commands.

[oracle@host01 disks]$ echo 'corrupt' > /dev/sda15

bash: /dev/sda15: Permission denied

When we try to write to underlying disk using “echo” as a root user, although the echo command is successful, the I/O were rejected by ASMFD which can be confirmed by looking into /var/log/messages.

[root@host01 log]# echo 'corrupt' > /dev/sda15

[root@host01 log]# more /var/log/messages

....

quest_fn: write IO on ASM managed device (major=8/minor=15) not supported i=10

start=186868143 seccnt=4

pstart=186868143 pend=194884515

Apr 27 11:28:51 host01 kernel: Buffer I/O error on device sda15, logical block 0

Apr 27 11:28:51 host01 kernel: lost page write due to I/O error on sda15

....

Similarly when we try to modify contents of ASM disk using ‘dd‘ command, GI owner is denied permission where command succeeds for root without any effect though as can again be verified from /var/log/messages.

[oracle@host01 disks]$ dd if=/dev/zero of=/dev/sda6 count=100 bs=2M

dd: opening `/dev/sda6': Permission denied

[root@host01 log]# dd if=/dev/zero of=/dev/sda15 count=10 bs=2M

10+0 records in

10+0 records out

20971520 bytes (21 MB) copied, 0.013702 seconds, 1.5 GB/s

[root@host01 log]# more /var/log/messages

...

Apr 27 11:34:06 host01 kernel: F 4306319.693/150427060406 pdflush[363] afd_mkrequest_fn: write IO on ASM managed device (major=8/minor=15) not supported i=10 start=186868143 seccnt=4 pstart=186868143 pend=194884515

Let us disable filter for all disks

[oracle@host01 root]$ asmcmd afd_filter -d

[oracle@host01 root]$ asmcmd afd_lsdsk

--------------------------------------------------------------------------------

Label Filtering Path

================================================================================

ASMDISK01 DISABLED /dev/sda6

ASMDISK02 DISABLED /dev/sda7

ASMDISK03 DISABLED /dev/sda8

ASMDISK04 DISABLED /dev/sda9

ASMDISK05 DISABLED /dev/sda10

ASMDISK06 DISABLED /dev/sda11

ASMDISK07 DISABLED /dev/sda12

ASMDISK08 DISABLED /dev/sda13

ASMDISK09 DISABLED /dev/sda14

ASMDISK10 DISABLED /dev/sda15

Now that filter is disabled, let us try to perform write I/O on ASMDISK10.

It can be seen although non-root user can still not write to ASM disk but root user can alter the contents of ASM Disks leading to corruption of Data in the ASM Disks and ASM disks themselves.

[oracle@host01 disks]$ echo 'corrupt' > /dev/sda15

bash: /dev/sda15: Permission denied

[root@host01 log]# echo 'corrupt' > /dev/sda15

[root@host01 ~]# strings /dev/sda15 | grep corrupt

corrupt

[oracle@host01 disks]$ dd if=/dev/zero of=/dev/sda15 count=100 bs=2M

dd: opening `/dev/sda6': Permission denied

[root@host01 ~]# dd if=/dev/zero of=/dev/sda15 count=1000 bs=2M

1000+0 records in

1000+0 records out

2097152000 bytes (2.1 GB) copied, 4.38152 seconds, 479 MB/s

ORCL>alter system flush buffer_cache;

System altered.

ORCL>select count(*) from hr.asm_tab where last_name = 'King';

select count(*) from hr.asm_tab where last_name = 'King'

ERROR at line 1:

ORA-01578: ORACLE data block corrupted (file # 2, block # 130)

ORA-01110: data file 2: '+TEST/ORCL/DATAFILE/asmtbs.256.877540769'

ASM>select name, STATE from v$asm_diskgroup;

NAME STATE

------------------------------ -----------

DATA MOUNTED

ASM>alter diskgroup test mount;

alter diskgroup test mount

ERROR at line 1:

ORA-15032: not all alterations performed

ORA-15017: diskgroup "TEST" cannot be mounted

ORA-15040: diskgroup is incomplete

ASM> select name, path, total_mb, free_mb from v$asm_disk;

NAME PATH TOTAL_MB FREE_MB

--------------- -------------------- ---------- ----------

AFD:ASMDISK10 0 0

AFD:ASMDISK09 0 0

AFD:ASMDISK08 0 0

AFD:ASMDISK05 0 0

AFD:ASMDISK07 0 0

AFD:ASMDISK06 0 0

ASMDISK01 AFD:ASMDISK01 3914 3865

ASMDISK02 AFD:ASMDISK02 3914 3862

ASMDISK03 AFD:ASMDISK03 3914 3867

ASMDISK04 AFD:ASMDISK04 3914 3871

10 rows selected.

Conclusion:

Oracle Automatic Storage Management Filter Driver (Oracle ASMFD) can overcome the limitations of and replace traditional ASMLIB. When filter is enabled,

– Contents of ASMFD disks can only be read using OS commands by root user

– Contents of ASMFD disks cannot be altered using OS commands by any user

Thus, any write I/O performed to ASM disks by will be validated by the filter and corruption of data on ASM disks by non-oracle software will be eliminated.

References:

FAQs: Oracle Automatic Storage Management Filter Driver (Oracle ASMFD)

1. What is Oracle ASMFD and how is it different from ASMLIB?

Oracle ASMFD (ASM Filter Driver) is a kernel module that sits between Oracle ASM and the operating system’s storage drivers, filtering out non-Oracle writes to ASM disk devices. ASMLIB (ASM Library) was the previous library-based approach for the same purpose – providing ASM disk discovery and protection. ASMFD replaces ASMLIB from Oracle Grid Infrastructure 12.1.0.2 onwards. Key differences: ASMFD is integrated with Oracle Grid Infrastructure (no separate ASMLIB RPM required), provides kernel-level filtering that ASMLIB does not, and supports AFD disk naming (AFD:diskname) for disk discovery.

2. Is migration from ASMLIB to ASMFD required in Oracle 12.1.0.2+?

ASMLIB continues to work in Oracle 12.1.0.2+ – migration to ASMFD is not mandatory but is recommended for new installations. Oracle recommends ASMFD for new deployments, and some Oracle Engineered Systems require it. Migration is advisable when upgrading Grid Infrastructure versions as ASMLIB support may be deprecated in future releases. The migration requires a cluster stack downtime but is non-destructive to the ASM disk data.

3. What does the AFD disk naming convention mean in Oracle ASMFD?

When ASMFD is configured, Oracle ASM disk devices are named with the AFD: prefix – for example, AFD:DATA_0001. This replaces the ORCL: prefix used by ASMLIB. The ASM_DISKSTRING parameter must be updated to ‘AFD:*’ to discover ASMFD disks, and AFD_DISKSTRING must also be set. The AFD: names appear in v$asm_disk and v$asm_diskgroup views after successful migration. Old ORCL: names in ASM_DISKSTRING should be removed after confirming all disks have migrated.

4. Can I roll back from ASMFD to ASMLIB?

Rolling back from ASMFD to ASMLIB is possible but complex – it requires bringing down the cluster stack, deconfiguring ASMFD, reconfiguring ASMLIB, updating the disk discovery parameters back to ORCL:*, and restarting the cluster. The ASM disk data itself is not modified during either migration direction, so the data is safe. However, a rollback should only be considered in a test environment or as an emergency measure – plan the migration thoroughly and test it in a non-production environment before applying to production.

Register for Simple Talk

Oracle ASMFD: Migrate from ASMLIB to ASM Filter Driver

Executive Summary

Overview:

Implementation:

Verify that currently ASMLIB has been configured and ASMFD is not configured yet

Create a table in an ASM tablespace

Migrate ASM disks to use ASMFD

Make sure ASM is using SPFILE

Update the ASM Disk discovery path to enable ASMFD lookup

Bring down the Clusterware stack

Configure ASMFD

Start Clusterware stack

Verify that ASMFD has been successfully configured and ASM disks have been migrated

Set ASM_DISKSTRING and AFD_DISKSTRING to ‘AFD:*’

Validate that ASM Diskgroups have migrated and are using ASMFD

Verify that our data is intact after migration

Verify that when filter is enabled it does not allow OS commands to alter the contents of ASM disks

Conclusion:

FAQs: Oracle Automatic Storage Management Filter Driver (Oracle ASMFD)

1. What is Oracle ASMFD and how is it different from ASMLIB?

2. Is migration from ASMLIB to ASMFD required in Oracle 12.1.0.2+?

3. What does the AFD disk naming convention mean in Oracle ASMFD?

4. Can I roll back from ASMFD to ASMLIB?

About the author

Policy-Managed Oracle RAC One Node Databases

Duplicate Point-In-Time Recovered PDB Using Backup

Re-registering Databases In A Cluster With srvctl: Problems and Solutions

Oracle ASMFD: Migrate from ASMLIB to ASM Filter Driver

Executive Summary

Overview:

Implementation:

Verify that currently ASMLIB has been configured and ASMFD is not configured yet

Create a table in an ASM tablespace

Migrate ASM disks to use ASMFD

Make sure ASM is using SPFILE

Update the ASM Disk discovery path to enable ASMFD lookup

Bring down the Clusterware stack

Configure ASMFD

Start Clusterware stack

Verify that ASMFD has been successfully configured and ASM disks have been migrated

Set ASM_DISKSTRING and AFD_DISKSTRING to ‘AFD:*’

Validate that ASM Diskgroups have migrated and are using ASMFD

Verify that our data is intact after migration

Verify that when filter is enabled it does not allow OS commands to alter the contents of ASM disks

Conclusion:

FAQs: Oracle Automatic Storage Management Filter Driver (Oracle ASMFD)

1. What is Oracle ASMFD and how is it different from ASMLIB?

2. Is migration from ASMLIB to ASMFD required in Oracle 12.1.0.2+?

3. What does the AFD disk naming convention mean in Oracle ASMFD?

4. Can I roll back from ASMFD to ASMLIB?

Recommended

Subscribe for more

About the author

Policy-Managed Oracle RAC One Node Databases

Duplicate Point-In-Time Recovered PDB Using Backup

Re-registering Databases In A Cluster With srvctl: Problems and Solutions