Thursday, January 16, 2020

Mac OS X Catalina and Oracle Instant Client

If you have upgraded to the most recent Mac OS X Catalina, you may be seeing some issues trying to install and run the Oracle instant client. This is due to the new security measures added to OS X over the past few versions.

You may also be seeing this if you are just upgrading your instant client, which maybe you haven't done in a year or two.

Developer Cannot be Verified

After downloading the ZIP files from Oracle and installing the client, you try to run SQLPlus from the command line and you get the following error:

You can go to the Control Panel -> Security & Privacy -> General tab, and you will see a prompt asking if you would like to approve this application:

The problem with this method is that every library and additional file related to the instant client also has to be approved. So after you approve this and then re-run sqlplus, you will get prompted for another file, and then another, and so on.

Extra File Attributes

As the message notes, the file is being flagged because it was downloaded from the internet. If we look at the files' extra attributes, we can see that they have all been flagged with "com.apple.quarantine":

    $ ls -lg@
    total 484136
    -r-xr-xr-x@ 1 staff       5780 Feb 22  2019 BASIC_LICENSE
            com.apple.quarantine       57
    -rw-r--r--@ 1 staff       1670 Aug 19 05:57 BASIC_README
            com.apple.quarantine       57
    -r-xr-xr-x@ 1 staff       5780 Feb 22  2019 SQLPLUS_LICENSE
            com.apple.quarantine       57
    -rw-r--r--@ 1 staff       1676 Sep  6 04:11 SQLPLUS_README
            com.apple.quarantine       57
    -rwxr-xr-x@ 1 staff       9888 Aug 19 05:57 adrci
            com.apple.quarantine       57
    -rwxr-xr-x@ 1 staff      40368 Aug 19 05:57 genezi
            com.apple.quarantine       57
    -r-xr-xr-x@ 1 staff        342 Apr 24  2015 glogin.sql
            com.apple.quarantine       57
    lrwxrwxrwx  1 staff         20 Jan 16 08:39 libclntsh.dylib -> libclntsh.dylib.19.1
    lrwxrwxrwx  1 staff         20 Jan 16 08:39 libclntsh.dylib.10.1 -> libclntsh.dylib.19.1
    lrwxrwxrwx  1 staff         20 Jan 16 08:39 libclntsh.dylib.11.1 -> libclntsh.dylib.19.1
    lrwxrwxrwx  1 staff         20 Jan 16 08:39 libclntsh.dylib.12.1 -> libclntsh.dylib.19.1
    lrwxrwxrwx  1 staff         20 Jan 16 08:39 libclntsh.dylib.18.1 -> libclntsh.dylib.19.1
    -rwxr-xr-x@ 1 staff   98137256 Aug 13 02:10 libclntsh.dylib.19.1
            com.apple.quarantine       57
    -rwxr-xr-x@ 1 staff    4803832 Jul  7  2019 libclntshcore.dylib.19.1
            com.apple.quarantine       57
    -rwxr-xr-x@ 1 staff    8349944 Aug  6 12:14 libnnz19.dylib
            com.apple.quarantine       57
    lrwxrwxrwx  1 staff         18 Jan 16 08:39 libocci.dylib -> libocci.dylib.19.1
    lrwxrwxrwx  1 staff         18 Jan 16 08:39 libocci.dylib.10.1 -> libocci.dylib.19.1
    lrwxrwxrwx  1 staff         18 Jan 16 08:39 libocci.dylib.11.1 -> libocci.dylib.19.1
    lrwxrwxrwx  1 staff         18 Jan 16 08:39 libocci.dylib.12.1 -> libocci.dylib.19.1
    lrwxrwxrwx  1 staff         18 Jan 16 08:39 libocci.dylib.18.1 -> libocci.dylib.19.1
    -rwxr-xr-x@ 1 staff    1594048 Jul  5  2019 libocci.dylib.19.1
            com.apple.quarantine       57
    -rwxr-xr-x@ 1 staff  125518764 Aug 19 05:57 libociei.dylib
            com.apple.quarantine       57
    -r-xr-xr-x@ 1 staff     151980 Jul  3  2019 libocijdbc19.dylib
            com.apple.quarantine       57
    -rwxr-xr-x@ 1 staff     100492 Aug 13 02:32 liboramysql19.dylib
            com.apple.quarantine       57
    -rwxrwxrwx@ 1 staff    1322588 Sep  6 04:05 libsqlplus.dylib
            com.apple.quarantine       57
    -r-xr-xr-x@ 1 staff    1659868 Jul  5  2019 libsqlplusic.dylib
            com.apple.quarantine       57
    drwxr-xr-x@ 3 staff         96 Aug 19 05:57 network
            com.apple.quarantine       57
    -rw-r--r--@ 1 staff    4210510 May 10  2019 ojdbc8.jar
            com.apple.quarantine       57
    -rwxr-xr-x@ 1 staff       8528 Sep  6 04:11 sqlplus
            com.apple.quarantine       57
    -rw-r--r--@ 1 staff    1680080 May 10  2019 ucp.jar
            com.apple.quarantine       57
    -rwxr-xr-x@ 1 staff     150080 Aug 19 05:57 uidrvci
            com.apple.quarantine       57
    -rw-r--r--@ 1 staff      74263 Apr 16  2019 xstreams.jar
            com.apple.quarantine       57

The at sign "@" is telling us that there are extra attributes on the files, and the OS security layer is using those attributes to apply rules about what can be run or not.

Simple Fix

So the easier fix is to just remove the attribute that is causing the security system to kick in. Once it is gone, the OS security layer no longer applies its downloaded-from-the-internet check to these files.

NOTE: make sure you know where you downloaded the files from and that you are absolutely sure you are not introducing malware, ransomware, etc.

  1. Some of the files ship without WRITE rights so we will need to fix that first:
    $ cd instantclient_19_3
    $ chmod u+w *
  2. Next we will remove the extra attribute:
    $ cd ..
    $ xattr -r -d -s com.apple.quarantine instantclient_19_3
  3. Now SQLPlus should run without any issues:
    $ cd instantclient_19_3/
    $ ./sqlplus /nolog

    SQL*Plus: Release 19.0.0.0.0 - Production on Thu Jan 16 09:01:29 2020
    Version 19.3.0.0.0

    Copyright (c) 1982, 2019, Oracle.  All rights reserved.

    SQL> 

Pretty simple fix as opposed to having to go into the control panel and approve every library or tool you want to use in the instant client set.

Gary

12 comments:

  1. Thank you thank you thank you.

    I'd been hitting "allow" 4 times every time my python cx_Oracle script ran. Quite annoying. Fixed now. Added links to this article in README files so that I don't forget in the future.

    Cheers!
    Matt

  2. Thanks! In my case the symlinks were also quarantined, which the xattr command (in that form) didn't change. But adding the "-s" option took care of those as well:

    xattr -r -d -s com.apple.quarantine instantclient_19_3

    1. Thanks, I updated the post with the -s option. Good catch!

  3. Works great - just one edit:

    use:

    ````
    chmod -R u+w instantclient_19_3
    ````

    instead of:
    ````
    cd instantclient_19_3
    chmod u+w *
    ````

  4. Thank you very much, Gary.

    I found the process of setting up Oracle client (and Python's library, cx_oracle) on Mac a horrible experience, and I was THIS close to calling it quits and deploying a simple Postgres for my needs before I found your blog post.

    Funny enough, I used to be an Oracle Dev/DBA but I have been mainly dealing with Redshift, Snowflake and MySQL during the last year. Now I know that I should count my blessings!

    I was merely trying to set up a dev environment for a personal project and automate its deployment (on OCI and using Autonomous thingies) but this whole process is a joke compared to the similar process for any other database. I have set up the same deployment on Google Cloud free tier and Big Query (neither of them are in my areas of expertise!) in just about an hour with less than 5% of the hassle for Oracle's!

    God help Oracle!

  5. Life saver! Works on Big Sur too.
