Skip to Main Content
  • Questions

  • Production sanity check trigger on BEFORE SHUTDOWN - you'd think this would be an obvious need but...

Breadcrumb

Question and Answer

Connor McDonald

Thanks for the question, David.

Asked: March 11, 2017 - 2:31 pm UTC

Last updated: March 14, 2017 - 3:26 am UTC

Version: 11.2.0.4

Viewed 1000+ times

You Asked

A small, innocent mistake this week led to an unscheduled production outage. I had SSH sessions going for both my dev and my prod instances. I wanted to bounce my dev and entered SHUTDOWN IMMEDIATE. A few minutes later the customer called.... Yes, I had mistakenly used the production session.

I've since searched for a sanity check solution that would require operator confirmation to proceed with the shutdown. IOW some procedure or trigger that would execute prior to the SHUTDOWN. If the IP address was production, and if the time was within normal business hours, prompt the user for an on-screen confirmation before proceeding.

The sticky bit (sorry for the pun) is that the client ssh session loses control once the SHUTDOWN statement executes. So I thought to drop the interactive control with a simpler file read. Have the BEFORE trigger shell out to host, and look for a particular one-line file. A simply Boolean check, if the file exists, don't do the shut down.

As always, thanks to all participants for any guidance.

and Connor said...

A database trigger is not going to help there, eg

SQL> create or replace trigger NOSHUT
  2  before shutdown on database
  3  begin
  4    raise_application_error(-20000,'no no no no');
  5  end;
  6  /

Trigger created.

SQL> shutdown immediate
Database closed.
Database dismounted.
ORACLE instance shut down.


You can see that the trigger did not halt the shutdown. You can see that the trigger did fire from the alert log.

Shutting down instance (immediate)
Stopping background process SMCO
Shutting down instance: further logons disabled
Sun Mar 12 10:59:07 2017
Stopping background process CJQ0
Stopping background process MMNL
Stopping background process MMON
Sun Mar 12 10:59:09 2017
Errors in file C:\ORACLE\diag\rdbms\np12\np12\trace\np12_ora_7004.trc:
ORA-00604: error occurred at recursive SQL level 1
ORA-20000: no no no no
ORA-06512: at line 2


but we shut down anyway.

So you really need a *process* driven mean to do this. For example, an approach could be to prohibit shutdown commands in SQL Plus via PRODUCT_USER_PROFILE. Then if you have grid installed, you can "enforce" that such operations are done by srvctl not sqlplus. If you dont have grid installed, then you might have a custom script which does:

- temporarily remove the row from PRODUCT_USER_PROFILE
- then shutdown
- reinstate the row on startup

or

- connect as a special user with a once only password that you dont know
- it does the shutdown

etc etc...Basically a means via which the level of confidence you have in not being able to make a mistake goes up.

Others welcome to add their thoughts.



Rating

  (4 ratings)

Is this answer out of date? If it is, please let us know via a Comment

Comments

Muhammad Riaz, March 12, 2017 - 6:58 am UTC

How about changing SQL prompt using glogin.sql so that you know to which database you are connecting to?
Connor McDonald
March 13, 2017 - 2:53 am UTC

Good recommendation, although I have to admit, I've also the done the:

- click on wrong window
- hit "Paste"
- start to cry

sequence of events, even with the prompt staring me right in the face :-)

12c

A reader, March 13, 2017 - 8:08 am UTC

Could be achieved in 12c using sql translator ?
If yes pls elaborate.
Connor McDonald
March 14, 2017 - 3:26 am UTC

Unlikely, because 'shutdown' is not SQL as such.

SQL_STATEMENT_SHUTDOWN

It's been a good idea for years but...

David, March 13, 2017 - 1:54 pm UTC

Thank you. I've thought about blocking the command in the user profile as suggested, and that is likely my best option. Another useful suggestion elsewhere was to add a read loop into the procedure until after business hours, or until an environment variable changes state.

FWIW I'll throw this into the future enhancement bucket as well.

Nervous twitch

John Hawksworth, March 13, 2017 - 5:29 pm UTC

In three and a half years at my previous company, where I sometimes has numerous simultaneous sessions open, I only once came within a hair's breadth of doing something nasty to production.

I have a made it my business to develop a nervous twitch which oft causes me to repeatedly type
SELECT NAME FROM V$DATABASE;

I have also trained myself to never have a production session open for longer than necessary. I NEVER permit an interruption whilst working on prod, so that I can close the session ASAP. Intrusive managers are asked confirm that they're prioritising something over and above production. If a prod session is open, I never relax until it's closed.

In the end, no amount of "Do you really really mean it?" checks can prevent a mistake. Training yourself can. When was the last time a farmer left a gate open? It never happens, because they train themselves to simply not do it.

My three hap'orth...
Connor McDonald
March 14, 2017 - 3:24 am UTC

Thanks for the input.
more

Connor and Chris don't just spend all day on AskTOM. You can also catch regular content via Connor's blog and Chris's blog. Or if video is more your thing, check out Connor's latest video and Chris's latest video from their Youtube channels. And of course, keep up to date with AskTOM via the official twitter account.

More to Explore

PL/SQL demos

Check out more PL/SQL tutorials on our LiveSQL tool.

PL/SQL docs

PL/SQL reference manual from the Oracle documentation library