Getting Oracle Instant Client, PHP, and oci8 all working

I had one hell of a game getting all of this working together, and it didn’t help that the server has been CIS hardened. Anyway, here is how I got it working. One word of advice: everything seems very version picky.

This server is essentially running a web application under Apache. The app connects to 2 Oracle databases, one being older than the other and the cause of much trouble.

Server Build

I set SELinux to permissive; once I had everything working I enabled it and troubleshot until I got it working.

  • RHEL6.4 64-bit server install
  • CIS hardened
  • PHP 5.3.3 (cli) (built: Jul 12 2013 04:36:18)
  • Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
  • oci8 Version => 1.4.10
  • Oracle Run-time Client Library Version => 11.2.0.2.0
  • Oracle Instant Client Version => 11.2

Note: PECL shows this version when installing: “oci8 2.0.4 (devel) Extension for Oracle Database”

However, when “php -i | grep oci8” is run, it shows “oci8 Version => 1.4.10”

Getting Instant Oracle Client, PHP, and oci8 working

Get php stuff

yum install php php-devel.x86_64 php-pear php-ldap

Download and install the Oracle Instant Client RPMs (you have to register at Oracle to do this)

 rpm -ivh oracle-instantclient11.2-basic-11.2.0.2.0.x86_64.rpm
 rpm -ivh oracle-instantclient11.2-devel-11.2.0.2.0.x86_64.rpm
 rpm -ivh oracle-instantclient11.2-tools-11.2.0.2.0.x86_64.rpm

I needed to configure a proxy for PECL/pear:

pear config-set http_proxy http://mrfoo:foopassword@proxy.local:80/

See if you can get OCI8

 [root@foo modules]# pecl search oci8
 WARNING: channel "pecl.php.net" has updated its protocols, use "pecl channel-update pecl.php.net" to update
 Retrieving data...0%
 Matched packages, channel pecl.php.net:
 ======================================
 Package Stable/(Latest) Local
 oci8    2.0.4 (devel)         Extension for Oracle Database

If you can, download and install it

 [root@foo modules]# pecl install oci8
 WARNING: channel "pecl.php.net" has updated its protocols, use "pecl channel-update pecl.php.net" to update
 downloading oci8-1.4.10.tgz ...
 Starting to download oci8-1.4.10.tgz (169,248 bytes)
 . ................done: 169,248 bytes
 10 source files, building
 running: phpize
 Configuring for:
 PHP Api Version:         20090626
 Zend Module Api No:      20090626
 Zend Extension Api No:   220090626
 Please provide the path to the ORACLE_HOME directory. Use 'instantclient,/path/to/instant/client/lib' if you're compiling with Oracle Instant Client [autodetect] : 
 building in /var/tmp/pear-build-root3ndIn0/oci8-1.4.10
 running: /var/tmp/oci8/configure --with-oci8
 checking for grep that handles long lines and -e... /bin/ 
 ---------------------------------SNIP --------------------------------------------

If the server is CIS hardened, you may get this error when running the above

shtool at '/var/tmp/oci8/build/shtool' does not exist or is not executable

The build runs from /var/tmp, which the hardening has mounted without exec, so remount it with exec and try again

mount -o remount,exec /var/tmp/
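
The remount above leaves /var/tmp executable until the next reboot or remount. The following is an added example, not part of the original post, that opens the exec window only for the build and puts noexec back afterwards; the BUILD_MNT variable and the function names are assumptions made for illustration.

```shell
#!/bin/bash
# Added example (not from the original post): keep /var/tmp executable only
# for the duration of the build. BUILD_MNT is an assumption.
BUILD_MNT=/var/tmp

# Print the options of the last mount entry for mount point $1, read from a
# /proc/mounts-style file ($2, default /proc/mounts). Prints nothing if the
# path is not a mount point.
mount_opts() {
    awk -v mp="$1" '$2 == mp { o = $4 } END { if (o != "") print o }' \
        "${2:-/proc/mounts}"
}

# Succeed if option $1 is in the comma-separated list $2. Matching on
# ",opt," keeps "exec" from matching inside "noexec".
has_opt() {
    case ",$2," in *",$1,"*) return 0 ;; *) return 1 ;; esac
}

# Run "$@" with mount point $1 temporarily executable, then restore noexec
# whether the command succeeded, failed or was interrupted.
with_exec_mount() {
    local mnt=$1 rc
    shift
    if ! has_opt noexec "$(mount_opts "$mnt")"; then
        "$@"                      # not hardened: nothing to relax or restore
        return
    fi
    mount -o remount,exec "$mnt" || return 1
    trap "mount -o remount,noexec '$mnt'; exit 130" INT TERM
    "$@"
    rc=$?
    trap - INT TERM
    mount -o remount,noexec "$mnt"
    has_opt noexec "$(mount_opts "$mnt")" ||
        echo "WARNING: $mnt is still mounted exec" >&2
    return "$rc"
}

# Only touch mounts when explicitly asked to (needs root).
if [ "${1:-}" = "--install" ]; then
    with_exec_mount "$BUILD_MNT" pecl install oci8
fi
```

Run it as root with `--install`; without that argument it only defines the functions.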

It should all make and install, but you may see this warning

configuration option "php_ini" is not set to php.ini location
 You should add "extension=oci8.so" to php.ini

PHP now keeps “ini” files in /etc/php.d/; it tells you this in the php.ini file

 ;;;;;;;;;;;;;;;;;;;;;;
 ; Dynamic Extensions ;
 ;;;;;;;;;;;;;;;;;;;;;;

 ;;;;
 ; Note: packaged extension modules are now loaded via the .ini files
 ; found in the directory /etc/php.d; these are loaded by default.
 ;;;;

So create a file there named “oci8.ini” with the following

 [root@foo php.d]# vi oci8.ini

 ; Enable oci8 extension module
  extension=oci8.so

Modify the php.ini file so the developers have some logging:

display_startup_errors = On 
html_errors = On
date.timezone = America/Chicago
error_reporting = E_ALL | E_STRICT
display_errors = On

Restart Apache, and then check if PHP & OCI8 are happy

 php -i | grep oci8
 oci8
 oci8.connection_class => no value => no value
 oci8.default_prefetch => 100 => 100
 oci8.events => Off => Off
 oci8.max_persistent => -1 => -1
 oci8.old_oci_close_semantics => Off => Off
 oci8.persistent_timeout => -1 => -1
 oci8.ping_interval => 60 => 60
 oci8.privileged_connect => Off => Off
 oci8.statement_cache_size => 20 => 20

Looking good.

Now, with SELinux in enforcing mode, Apache would start and run fine; however, database lookups using oci8 failed. I tried

setsebool -P httpd_can_network_connect on

…and it still failed. In the end I set Apache (httpd) to permissive. Note that overall the server is still in enforcing mode; you are just setting Apache to permissive

semanage permissive -a httpd_t

Then stop/start httpd. Note that reloading didn’t work; it had to be stopped and restarted, and then it all worked. This probably isn’t the most secure way of getting Apache working with SELinux, but it’s a starting point.
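
While httpd_t is permissive its denials are still written to the audit log, so they can be summarised to see exactly what the policy would have blocked before the permissive exception is removed again. The following is an added example, not part of the original post; the audit records in it are constructed, and the module name httpd_oci8 is hypothetical.

```shell
#!/bin/bash
# Added example (not from the original post). The audit records below are
# constructed for illustration; types and ports on a real server will differ.
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1380000001.101:51): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=1521 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1380000002.102:52): avc:  denied  { execmem } for  pid=2101 comm="httpd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1380000003.103:53): avc:  denied  { execmem } for  pid=2102 comm="httpd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1380000004.104:54): avc:  denied  { read open } for  pid=900 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
EOF
}

# Read audit records on stdin and print "count target_type class permission"
# for every denial whose source domain is $1 (default httpd_t).
avc_summary() {
    awk -v dom="${1:-httpd_t}" '
    $1 == "type=AVC" && /denied/ {
        src = tgt = cls = perms = ""
        if (match($0, /[{][^}]*[}]/))
            perms = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        if (src != dom) next
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) count[tgt " " cls " " p[j]]++
    }
    END { for (k in count) print count[k], k }' | sort -k2
}

sample_audit_log | avc_summary httpd_t

# On the server itself (as root), feed it the real log, review what is being
# denied, then build a module from those denials and drop the permissive
# exception. Read the generated .te file before loading the module.
#   avc_summary httpd_t < /var/log/audit/audit.log
#   grep httpd_t /var/log/audit/audit.log | audit2allow -M httpd_oci8
#   semodule -i httpd_oci8.pp
#   semanage permissive -d httpd_t
```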

Useful paths and commands

/usr/lib/oracle/11.2/client64/
/usr/lib64/php/modules

List selinux booleans status

 semanage boolean -l
 sestatus -b | grep httpd | grep on$

Find selinux contexts

ps -eZ|grep httpd

About hedscratchers

A UK ex-pat now living in the USA.