
Contents:

Introduction
Determining fenced User-id of a DB2 instance
Advantage of Fenced mode process (db2fmp)
Case Studies
Case 1
Case 2
Summary

Db2fmp process mechanism & reported issues

Introduction:

To add an extra layer of security and to control the scope of user-defined functions (UDFs) and stored procedures, you should create a new user name under which fenced UDFs and stored procedures execute, separate from the DB2 instance owner and other database users. The process that runs them is the DB2 fenced mode process (hence the abbreviation db2fmp). Its purpose is to prevent problematic code inside a routine from accessing and interfering with database resources: it takes advantage of inter-process communication (IPC), because DB2 is not prepared to handle user code errors. Fenced routines are therefore prevented from bringing the DB2 engine down.

Here, "routine" applies to both stored procedures and user-defined functions (UDFs). DB2 SQL/PL stored procedures are always run as trusted stored procedures. Loading a Java routine, however, relies on an external Java Virtual Machine (JVM).

Note: the db2fmp process replaced both the db2udf and db2dari processes that were used in previous versions of DB2.

Determining fenced User-id of a DB2 instance


When you create a DB2 instance on UNIX, you have to specify a fenced user ID different from the instance name (both must be existing users in the operating system). To determine the fenced user ID of a DB2 instance, run the db2pd utility and look for the "fenced" expression. You can also look at the user and group of the file .fenced in the $INSTANCE_OWNER_HOME/sqllib/adm directory; this tells you which user is the fenced user ID.

$ db2pd -fmp | grep -i fenced
Trusted Path: /db2inst1/sqllib/function/unfenced
Fenced User: db2fenc1

OR

$ ls -ld $HOME/sqllib/adm/.fenced
-r--r--r-- 1 db2fenc1 db2fgrp1 0 Oct 11 2009 /db2inst1/sqllib/adm/.fenced

On the Windows platform, the fenced user ID is the same as the instance owner. In fact, the concept of a fenced user ID really applies to UNIX platforms.

Advantage of Fenced mode process (db2fmp):

- Adds an extra layer of security.
- No messing around with database resources.
- Prevents poorly coded functions from crashing DB2.
- The routine runs in a separate address space from that of the instance owner.
- An existing fenced mode process is reused to process the call; in the case of Java routines, this eliminates the need to start the JVM over and over again.
- Set KEEPFENCED to NO when developing stored procedures in a development environment, so the developer always gets a fresh copy of the stored procedures.
- In a production environment, always set this parameter to YES, as it can greatly impact performance.

Here, I show common problems to help you resolve db2fmp-related configuration issues.

Case Studies:

Case 1:
We did a clean instance bounce (gracefully stopping and starting the instance), and while starting, the application returned: SQL1131N DARI (Stored Procedure) process has been terminated abnormally.

The DB2 diagnostic log has entries such as these:

2010-08-29-06.19.37.699630+330 E1851553A528 LEVEL: Warning
PID : 319946 TID : 29569 PROC : db2sysc 0
INSTANCE: ominst1 NODE : 000 DB : OM
APPHDL : 0-409 APPID: GA0E5CA9.AB7C.100829003439
AUTHID : OMUSER
EDUID : 29569 EDUNAME: db2agent (OM) 0
FUNCTION: DB2 UDB, routine_infrastructure, sqlerReturnFmpToPool, probe:2000
DATA #1 : String, 55 bytes
Sending a signal to clean up NOT THREADED FMP process:
DATA #2 : Process ID, 4 bytes
590030

2010-08-29-06.19.37.699757+330 E1852082A600 LEVEL: Error
PID : 319946 TID : 29569 PROC : db2sysc 0
INSTANCE: ominst1 NODE : 000 DB : OM
APPHDL : 0-409 APPID: GA0E5CA9.AB7C.100829003439
AUTHID : OMUSER
EDUID : 29569 EDUNAME: db2agent (OM) 0
FUNCTION: DB2 UDB, routine_infrastructure, sqlerRemoveAllIPCforRow, probe:10
DATA #1 : String, 32 bytes
Freeing IPC resource explicitly:
DATA #2 : Process ID, 4 bytes
590030
DATA #3 : Hexdump, 4 bytes
0x078000000120FFC0 : 0000 0000 ....

2010-08-29-06.19.37.699901+330 E1852683A503 LEVEL: Error
PID : 319946 TID : 29569 PROC : db2sysc 0
INSTANCE: ominst1 NODE : 000 DB : OM
APPHDL : 0-409 APPID: GA0E5CA9.AB7C.100829003439
AUTHID : OMUSER
EDUID : 29569 EDUNAME: db2agent (OM) 0
FUNCTION: DB2 UDB, routine_infrastructure, sqlerRemoveAllIPCforRow, probe:20
DATA #1 : String, 22 bytes
IPC resources Address:
DATA #2 : Pointer, 8 bytes
0x0780000010050080

2010-08-29-06.19.37.700036+330 I1853187A431 LEVEL: Severe
PID : 319946 TID : 29569 PROC : db2sysc 0
INSTANCE: ominst1 NODE : 000 DB : OM
APPHDL : 0-409 APPID: GA0E5CA9.AB7C.100829003439
AUTHID : OMUSER
EDUID : 29569 EDUNAME: db2agent (OM) 0
FUNCTION: DB2 UDB, routine_infrastructure, sqlerDeallocFmpIPC, probe:10
RETCODE : ZRC=0x00000051=81

2010-08-29-06.19.37.700162+330 E1853619A1380 LEVEL: Error
PID : 319946 TID : 29569 PROC : db2sysc 0
INSTANCE: ominst1 NODE : 000 DB : OM
APPHDL : 0-409 APPID: GA0E5CA9.AB7C.100829003439
AUTHID : OMUSER
EDUID : 29569 EDUNAME: db2agent (OM) 0
FUNCTION: DB2 UDB, routine_infrastructure, sqlerRemoveAllIPCforRow, probe:30
DATA #1 : String, 29 bytes
Number of IPC resource found:
DATA #2 : signed integer, 4 bytes
1
DATA #3 : String, 29 bytes
Number of IPC resource freed:
DATA #4 : signed integer, 4 bytes
1
CALLSTCK:
[0] 0x090000000516454C pdLog + 0x88
[1] 0x090000000593C3E0 sqlerRemoveAllIPCforRow__FP11sqlerFmpRowb + 0x530
[2] 0x090000000593A360 sqlerRemoveFmpFromTable__FP11sqlerFmpRowb + 0x2F4
[3] 0x0900000005939F24 @135@sqlerShutdownFMP__FP11sqlerFmpRowP14sqlerFmpHandleP13sqlerFmpTableP8sqeAgentbT5 + 0x680
[4] 0x0900000005937964 sqlerReturnFmpToPool__FcT1P14sqlerFmpHandleP8sqeAgent + 0x11BC
[5] 0x09000000079FE388 sqlerInvokeFencedRoutine__FP13sqlerFmpParms + 0x1488
[6] 0x0900000004E5C9DC sqlriInvokeInvoker__FP10sqlri_ufob + 0x5F4
[7] 0x0900000005145868 sqlricall__FP8sqlrr_cb + 0x100
[8] 0x09000000050E6960 sqlriSectInvoke__FP8sqlrr_cbP12sqlri_opparm + 0xFFFFFFFFFFFFF938
[9] 0x09000000050C23CC sqlrr_process_execute_request__FP8sqlrr_cbi + 0xFFFFFFFFFFFFFDA8

The process listing also shows no db2fmp process running for this instance at this moment, even though db2fmp is the process that runs user fenced routines on the DB server.

In the process listing, a db2fmp process is running for another instance, cusinst1, but none appears for the instance in question, which is ominst1 in this case. As we know, DB2 can use the fenced mode process for routine calls. DB2 starts the fenced mode process (db2fmp) for this instance (ominst1), and it appears in the listing, after the db size info procedure is called.

Case 2:
On a database server, the GET_DBSIZE_INFO procedure was failing with an error and did not calculate the database size and capacity. Exploring the database server revealed wrong permissions on the fenced user's home path. The fenced user's home path should have proper permissions, but I saw that root had permission on it. Because of this, the db2 call to get_dbsize_info did not return the db size info and failed with an error. After proper permissions were set on the user's home path, it worked.

$ ls -ld $HOME/sqllib/adm/.fenced
-r--r--r-- 1 db2fenc1 db2fgrp1 0 Oct 11 2009 /db2inst1/sqllib/adm/.fenced
$ grep db2fenc1 /etc/passwd
db2fenc1:!:112:103::/home/db2fenc1:/usr/bin/ksh
$ ls -ld /home/db2fenc1
drwxr-xr-x 2 root system 256 Dec 04 2005 /home/db2fenc1

$ chown db2fenc1:db2fgrp1 /home/db2fenc1
$ ls -ld /home/db2fenc1
drwxr-xr-x 2 db2fenc1 db2fgrp1 256 Dec 04 2005 /home/db2fenc1
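The Case 2 checks can be combined into one script that derives the fenced user from the .fenced marker and verifies that the user's home directory is owned by that user. This is an added example, not part of the original document; the function names and return codes are hypothetical, and the owner is read from `ls -ld` output as in the sessions above.

```shell
#!/bin/sh
# Added example: the ownership checks from Case 2 as reusable functions.
# Function names and return codes are hypothetical; paths follow the page.

# Owner (user name) of a file or directory, read from `ls -ld` as on the page.
owner_of() {
    ls -ld "$1" | awk '{print $3}'
}

# Fenced user of an instance = owner of <instance home>/sqllib/adm/.fenced
fenced_user() {
    owner_of "$1/sqllib/adm/.fenced"
}

# Home directory of a user, taken from field 6 of a passwd-format file.
home_of() {
    awk -F: -v u="$1" '$1 == u { print $6; exit }' "$2"
}

# Returns 0 if the fenced user's home exists and is owned by that user,
# 1 on an owner mismatch (the Case 2 fault), 2 if the user has no passwd
# entry, 3 if the home directory does not exist.
check_fenced_home() {
    user=$1
    passwd=${2:-/etc/passwd}
    home=$(home_of "$user" "$passwd")
    if [ -z "$home" ]; then
        echo "no passwd entry for fenced user $user"; return 2
    fi
    if [ ! -d "$home" ]; then
        echo "home directory $home of $user does not exist"; return 3
    fi
    owner=$(owner_of "$home")
    if [ "$owner" != "$user" ]; then
        echo "MISMATCH: $home is owned by $owner, expected $user"; return 1
    fi
    echo "OK: $home is owned by $user"
}

# Usage: script <instance owner home> [passwd file]
if [ -n "${1:-}" ]; then
    check_fenced_home "$(fenced_user "$1")" "${2:-/etc/passwd}"
fi
```

Run it with the instance owner's home directory as the first argument; a return code of 1 corresponds to the root-owned home directory found in Case 2.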

Summary
SQL1131 is a generic message that can be generated in a variety of ways.