This is just a quick alert blog post for Friday with an OPatch Alert: Be aware of cleanup issues – and the JDK version. And thanks to several people who either commented or mailed me directly and asked if I could alert others as well.

OPatch cleanup issue
First, you may have read my article earlier this week about patching my environments with the April 2020 bundle patches. For my patch activity, I had to exchange my OPatch versions for 11.2.0.4, 12.2.0.1 and 19.7.0. And I guess I would have had to do the same for 12.1.0.2 and for 18c.
Now, as I’m so well trained [irony and sarcasm!] in exchanging my OPatch version, I didn’t spend a second on reading the README. Yes, I confess – I was too lazy and thought I knew it anyway. Well … luckily some people read READMEs. And the day after posting my blog writeup I received a warning that:
./opatch util cleanup
is broken in the currently required opatch version. It not only cleans up the files you wanted cleaned up, but unfortunately also files it shouldn’t clean up. When you search on MOS with the obvious term “opatch util cleanup” you won’t find what you are looking for.
But the readme – and now also the readme which you get with the download (it got updated the other day) – has this big bold warning in its top lines:
!!!!!!!!!!!!! IMPORTANT - PLEASE READ !!!!!!!!!!
CUSTOMERS ARE REQUESTED NOT TO RUN CLEANUP UTILITY COMMAND (./opatch util cleanup) AS THE CLEANUP UTILITY HAS A BUG WHICH MAY POTENTIALLY DELETE SYSTEM FILES.
AFFECTED OPATCH RELEASES : 12.2.0.1.19/11.2.0.3.23
FIX WILL BE AVAILABLE IN RELEASE : 12.2.0.1.21/11.2.0.3.25 (Last week of April 2020)
Note: No other opatch functionalities are impacted and customers can continue to use.
!!!!!!!!!!!!!! IMPORTANT !!!!!!!!!!
Well, lucky you if you read the README. Did you??
Bug and Versions affected
The README does not tell you the bug number, but a quick search in the bug database (and Miguel had it on his blog already, too) revealed:
- BUG 30362460 – OPATCH UTIL CLEANUP TRIES TO RECURSIVELY DELETE ALL FILES IN ROOT DIRECTORY INCLUDING /LIB
The bug is non-public. The issue has existed at least since the mid-October 2019 version of opatch and affects the following opatch releases:
- 12.2.0.1.19 (which gets used for Oracle 12.1.0.2, 12.2.0.1, Oracle 18c and Oracle 19c)
- 11.2.0.3.23 (which gets used for Oracle 11.2.0.4)
It looks as if opatch also tries to clean system lib files in the root file system.
The real danger may be when you do this with your GI OPatch. Then you are ‘root’ …
I didn’t try it – but Erik mailed me this morning that he’s had a lot of trouble – and luckily the Unix sys admins had good backups … ouch!
When will this be fixed?
The next OPatch version, which should be available at the end of April 2020, will include the fix for this issue. I will put up a blog post as soon as the new opatch version is available.
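Until the fixed release is installed, a wrapper can refuse to run the cleanup at all. The following is an added example, not code from this post or from Oracle: the function names are hypothetical, the version numbers are the ones from the README warning above, and it assumes `opatch version` prints a line starting with `OPatch Version:`.

```shell
#!/bin/sh
# Added example (not Oracle code): gate "opatch util cleanup" on the OPatch
# release, using only the version numbers from the README warning above.

# Read `opatch version` output on stdin, print the version number.
opatch_version_from_output() {
    sed -n 's/^OPatch Version:[[:space:]]*\([0-9][0-9.]*\).*$/\1/p' | head -n 1
}

# Print "affected", "fixed" or "unlisted" for a version string.
classify_opatch() {
    case "$1" in
        12.2.0.1.19|11.2.0.3.23) echo affected; return 0 ;;
    esac
    train=${1%.*}    # e.g. 12.2.0.1
    build=${1##*.}   # e.g. 21
    case "$build" in ''|*[!0-9]*) echo unlisted; return 0 ;; esac
    case "$train" in
        12.2.0.1) fixed_from=21 ;;   # README: fix in 12.2.0.1.21
        11.2.0.3) fixed_from=25 ;;   # README: fix in 11.2.0.3.25
        *) echo unlisted; return 0 ;;
    esac
    if [ "$build" -ge "$fixed_from" ]; then echo fixed; else echo unlisted; fi
}

# Assumption: only releases at or above the announced fix may run cleanup;
# "unlisted" releases are refused too, since the page names no safe older one.
cleanup_allowed() {
    [ "$(classify_opatch "$1")" = fixed ]
}

# Usage: run_cleanup_guarded "$ORACLE_HOME/OPatch"
run_cleanup_guarded() {
    opatch_bin="$1/opatch"
    found=$("$opatch_bin" version 2>/dev/null | opatch_version_from_output)
    if ! cleanup_allowed "$found"; then
        echo "refusing util cleanup: OPatch ${found:-unknown} is" \
             "$(classify_opatch "$found")" >&2
        return 1
    fi
    "$opatch_bin" util cleanup
}
```

The same guard applies to a GI home, where the cleanup would run as root.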
OPatch TDE Wallet Issue
[added Dec 9, 2020]
Following a discussion on Twitter, I learned that there is another terrible problem with OPatch in at least the .19 version – it wipes out your TDE Wallets (Keystores) as well. This can affect you especially in any of the cloud deployments, for instance ExaCS but also OCI. So please check your opatch version if you intend to do a cleanup.
Read more here:
OPatch JDK
Another customer alerted me this week about the JDK version OPatch delivers. It is quite a bit outdated. And Jonas’ question was whether he should better remove the OPatch directory after using it for a patch run. They use security checking software, and it gives an alarm for the OPatch directory. I checked myself and could confirm that the deployed version is quite old.
$ ./java -version
java version "1.8.0_191"
Java(TM) SE Runtime Environment (build 1.8.0_191-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.191-b12, mixed mode)
[CDB2] oracle@hol:/u01/app/oracle/product/19/OPatch/jre/bin
Since the January 2020 Release Updates we deliver a current version of the JDK for the database homes. Beforehand, you had to take care of it yourself. So with your January 2020 RU you’d get the JDK from Oct 2019, with the April 2020 RU you’ll get the JDK from January 2020. All fine.
I mailed my colleagues – and in less than 24 hours they confirmed that the new April 2020 version of opatch will include the same JDK the database RUs deliver. Thanks to my mates who reacted so quickly.
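To see the gap a scanner is reporting, compare the JRE inside the OPatch directory with the JDK the RU placed in the database home. The following is an added example, not code from this post or from Oracle: the function names are hypothetical, it assumes the home contains `OPatch/jre/bin/java` and `jdk/bin/java`, and it only understands Java 8 style versions such as the `1.8.0_191` shown above.

```shell
#!/bin/sh
# Added example (not Oracle code): compare the JRE bundled in OPatch with the
# JDK in the database home. Handles Java 8 style versions (1.8.0_NNN) only.

# Read `java -version` text on stdin, print the quoted version string.
parse_java_version() {
    sed -n 's/^[a-z]* version "\([^"]*\)".*$/\1/p' | head -n 1
}

# Print the update number of a 1.8.0_NNN version; fail for anything else.
java8_update() {
    case "$1" in
        1.8.0_*) u=${1#1.8.0_}; u=${u%%-*} ;;
        *) return 1 ;;
    esac
    case "$u" in ''|*[!0-9]*) return 1 ;; esac
    echo "$u"
}

# Exit 0 if version $1 is an older Java 8 update than $2, 1 if not,
# 2 if either version is not in 1.8.0_NNN form.
jre_older_than() {
    a=$(java8_update "$1") || return 2
    b=$(java8_update "$2") || return 2
    [ "$a" -lt "$b" ]
}

# Usage: report_opatch_jre "$ORACLE_HOME"
report_opatch_jre() {
    # java -version writes its banner to stderr, hence 2>&1
    opatch_v=$("$1/OPatch/jre/bin/java" -version 2>&1 | parse_java_version)
    home_v=$("$1/jdk/bin/java" -version 2>&1 | parse_java_version)
    if jre_older_than "$opatch_v" "$home_v"; then
        echo "OPatch JRE $opatch_v is older than home JDK $home_v"
    else
        echo "OPatch JRE ${opatch_v:-unknown}, home JDK ${home_v:-unknown}"
    fi
}
```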
Further Information and Links
- Patching all my environments with the April 2020 Patch Bundles
- Patching all my environments with the January 2020 Patch Bundles
- Opatch download via patch 6880880
- OPatch readme – Important!
- Miguel Anjo’s Blog Post – he was the first one alerting me – THANKS!
- MOS Note: 2733960.1 – Alert: Exadata Cloud : “OPatch Util Cleanup” Removed all the TDE Database Wallets From the “/var/opt/oracle/dbaas_acfs/<DB_NAME>/*_wallet/*“ Location
–Mike
Hi Mike,
I’m not sure:
You write:
“Since the January 2020 Release Updates we deliver a current version of the JDK for the databases homes. Beforehand, you’ve had to take care by yourself. So with your January 2020 RU you’d get the JDK from Oct 2019, with the April 2020 RU you’ll get the JDK from January 2020. All fine”
Does “deliver” mean it will be applied, too? Is it mandatory to apply actual OJVM patches afterwards? I thought I’ve read this somewhere in your blog.
Cheers Peter
Hi Peter,
Check your database home – the JDK will be updated after you have applied the Jan 2020 or the Apr 2020 RU. You need neither OJVM nor anything extra.
Maybe I should write an additional blog post about it for clarification …
Cheers,
Mike
Hello Mike,
Maybe removing the opatch version is a better option than updating the readme, because people can easily skip reading it 🙁
Hi Gabriel,
I agree very much – but you know … 🙁
Cheers,
Mike
Hi Mike,
Is there any documentation about what’s new in opatch 29 etc?
Hi Mustafa,
I don’t think so. Maybe only the release notes shipped with opatch.
https://mikedietrichde.com/2020/07/17/datapatch-and-opatch-documentation-and-mos-note/
Cheers,
Mike
Hi Mike,
We have Oracle DB 19c installed on a RHEL server and security detected old versions of Java in the directories below. Are we good to remove them without impacting the application itself? Appreciate your response. Thank you.
/opt/oracle/product/19c/dbhome_1/OPatch/jre/bin/java
/opt/oracle/product/19c/dbhome_1/jdk/bin/java
/opt/oracle/product/19c/dbhome_1/jdk/jre/bin/java
Hi Arman,
You need to patch them to an up-to-date JDK version. By default only the n-1 version will be delivered due to code-freeze constraints at the moment.
Thanks,
Mike