Read-Only Oracle Home in 23ai

 About Read-Only Oracle Homes 

            Alireza Kamrani 

              

Read-Only Oracle Homes (ROOH) were introduced in Oracle Database 18c and have become the recommended default structure for newer Oracle installations. The idea is to separate static, immutable binaries from instance-specific and writable files — making database software more secure, easier to manage, and simpler to patch or clone.

In 23ai:

With Oracle Database 23ai, an Oracle home is available in read/write mode by default. However, you can choose to configure an Oracle home in read-only mode after you have performed a software-only Oracle Database installation.

A read-only Oracle home does not imply that the file system and the Oracle home is in read-only mode. The file system and mount point should always be in read/write mode.

A read-only Oracle Home simplifies provisioning by implementing separation of installation and configuration.

In a read-only Oracle home, the configuration data and log files reside outside of the read-only Oracle home. 

Apart from the traditional ORACLE_BASE andORACLE_HOME directories, the following directories contain files that used to be in ORACLE_HOME:

• ORACLE_BASE_HOME
• ORACLE_BASE_CONFIG

Ensure that you enable read-only Oracle home before you create the database or listener.

When you run the roohctl script to enable a read-only Oracle home, the Oracle home file system will continue to be a read/write file system.

Note:

This feature does not affect how database administrators monitor, diagnose, and tune their system performance.

Key Benefits:

1. Simplified Patching

•Patch once → apply everywhere.

Since the binaries are immutable, you can:

•Maintain one gold (reference) home image.

•Deploy or patch by replacing the home instead of in-place patching.

•This makes rolling patching, cloning, and rollback operations much faster and safer.

2. Improved Security

•The home being read-only means:

•No accidental or malicious changes to Oracle binaries.

•Reduces attack surface since configuration and logs are stored elsewhere.

•Protects integrity of Oracle software from OS-level tampering.

3. Simplified Administration

•No need to separate writable and read-only files manually.

•Easier configuration management — all instance-specific writable files (e.g., listener config, tnsnames, sqlnet.ora) are automatically redirected to the appropriate directory under $ORACLE_BASE_HOME.

•Supports multiple databases or instances sharing a single home safely.

4. Faster Deployment and Cloning

•You can clone a read-only home simply by copying it to another server — no need to reconfigure.

•When you deploy, only instance-specific config is customized in $ORACLE_BASE_HOME.

•Great for cloud or fleet-managed environments.

5. Reduced Storage and Maintenance Overhead

•Shared read-only binaries across databases minimize duplication.

•Less storage needed for multiple homes.

•Easier to keep environments consistent (no “drift” between installations).

6. Better Compliance and Auditing

•Software binaries are immutable — simplifying validation for compliance (e.g., SOX, ISO, PCI).

•Changes to configuration are centralized and easier to track.

About Oracle Base Config

Both, in a read-only ORACLE_HOME and read/write ORACLE_HOME, the configuration files reside in a location known as ORACLE_BASE_CONFIG.

In a read/write ORACLE_HOME, the ORACLE_BASE_CONFIG path is the same as the ORACLE_HOME path because it is located at $ORACLE_HOME. However, in a read-only ORACLE_HOME, the ORACLE_BASE_CONFIG path is the same as ORACLE_BASE.

ORACLE_BASE_CONFIG/dbs contains the configuration files for ORACLE_HOME. Each file in the dbs directory contains $ORACLE_SID so that the directory can be shared by many different ORACLE_SIDs.

To print the ORACLE_BASE_CONFIG path, run the orabaseconfig command from the $ORACLE_HOME/bin directory:

$ setenv ORACLE_HOME /u01/app/oracle/product/23.0.0/dbhome_1

$ cd $ORACLE_HOME/bin

$ ./orabaseconfig

The orabaseconfig command returns the location of ORACLE_BASE_CONFIG irrespective of whether the home is a read-only ORACLE_HOME or a read/write ORACLE_HOME. 

For example, to know the location of configuration files like SPFILE and the password file, run orabaseconfig:

Example: Output in Read-Only ORACLE_HOME

$ ./orabaseconfig

/u01/app/oracle

Where, /u01/app/oracle is the ORACLE_BASE.

Example 12-4 Output in Read/Write ORACLE_HOME

$ ./orabaseconfig

/u01/app/oracle/product/23.0.0/dbhome_1

where, /u01/app/oracle/product/23.0.0/dbhome_1is the ORACLE_HOME.

Enabling a Read-Only Oracle Home

Configure your Oracle home as a read-only Oracle home after you have performed a software-only Oracle Database installation.

To enable a read-only Oracle home:

1. Perform a software-only Oracle Database installation.
2. Run the roohctl -enable script.
3. Run Oracle Database Configuration Assistant (Oracle DBCA) to create a database.

Note:

Ensure that you enable read-only Oracle home before you create the database or listener.

Software-Only Database Installation

1. Log in as the Oracle installation owner user account (oracle) that you want to own the software binaries.
2. Download the Oracle Database installation image files (db_home.zip) to a directory of your choice. For example, you can download the image files to the /tmp directory.
3. Create the Oracle home directory and extract the image files that you have downloaded in to this Oracle home directory. For example:
   
   $ mkdir -p /u01/app/oracle/product/19.0.0/dbhome_1
4. $ chown oracle:oinstall /u01/app/oracle/product/19.0.0/dbhome_1
5. $ cd /u01/app/oracle/product/19.0.0/dbhome_1
6. $ unzip -q /tmp/db_home.zip
   
   
   Note
   Ensure that the Oracle home directory path you create is in compliance with the Oracle Optimal Flexible Architecture recommendations. Also, unzip the installation image files only in this Oracle home directory that you created.
   
7. From the Oracle home directory, run the runInstaller command to start the Oracle Database installer. 
8. In the Select Configuration Option screen, select Set Up Software Only.
9. Select your installation type. Installation screens vary depending on the installation option you select. Respond to the configuration prompts as needed.

Run the roohctl Script

1. Go to the bin directory
   
   $ cd /u01/app/oracle/product/19.0.0/dbhome_1/bin
   
2. Run the roohctl script to enable read-only Oracle home.
   
   $ ./roohctl -enable 
   
3. On Oracle Real Application Clusters (Oracle RAC) installations, run the preceding roohctl script on every node of the cluster. Alternatively, run the roohctl script with the nodelistoption and provide the list of cluster nodes:
   
   $ ./roohctl –enable –nodelist comma_separated_list_of_nodes
   

Copying demo Directories to Oracle Base Home

In a read-only mode ORACLE_HOME, you must copy the demo directories listed in this topic from ORACLE_HOME to ORACLE_BASE_HOME.

Oracle Database contains various demo directories that include a variety of examples and product demonstrations that you can use to learn about the products, options, and features of Oracle Database. In a read-only mode ORACLE_HOME, you cannot use these demo directories in ORACLE_HOME because writes are performed to these demodirectories when they are used.

Many of the demo directories are not available by default. You must install Oracle Database Examples to view and use the examples and product demonstrations.

Copy the respective demo directory to the corresponding location in ORACLE_BASE_HOME. Now, you can use this copy of the demo directory.

You must copy the following demo directories from ORACLE_HOME to ORACLE_BASE_HOME:

• jdbc/demo
• odbc/demo
• ord/http/demo
• precomp/demo
• rdbms/demo
• sqlplus/demo
• xdk/demo

You must also create symbolic links for the odbc/demo, precomp/demo, rdbms/demo, and xdk/demo demo directories. See the "Creating Symbolic Links" section in this topic.

Copying demo Directories

For example, to copy the rdbms/demo directory from ORACLE_HOME to ORACLE_BASE_HOME, perform the following:

1. Login as the Oracle software owner user (oracle).
2. Check if the rdbms/demo directory is copied to ORACLE_BASE_HOME.
   
   $ ls -l -d $(orabasehome)/rdbms/demo
   
3. If the rdbms/demo directory has not been copied, then create it and copy it.
   
   $ mkdir -p $(orabasehome)/rdbms
4. $ cp -r $ORACLE_HOME/rdbms/demo $(orabasehome)/rdbms/demo
   

Similarly, copy all the demo directories listed earlier from ORACLE_HOME to ORACLE_BASE_HOME.

Creating Symbolic Links

You must create symbolic links for the odbc/demo, precomp/demo, rdbms/demo, and xdk/demo demodirectories.

For rdbms/demo, replace $ORACLE_HOME/rdbms/demo with a symbolic link to the copy.

1. Ensure that the symbolic link does not already exist.
   
   $ ls -l -d $ORACLE_HOME/rdbms/demo
   
2. If $ORACLE_HOME/rdbms/demo is still the original demo directory, rename it and replace it with the symbolic link.
   
   $ cd $ORACLE_HOME/rdbms
3. $ mv demo demo.installed
4. $ ln -s $(orabasehome)/rdbms/demo $ORACLE_HOME/rdbms/demo
   

For odbc/demo, replace $ORACLE_HOME/odbc/demo with a symbolic link to the copy.

1. Ensure that the symbolic link does not already exist.
   
   $ ls -l -d $ORACLE_HOME/odbc/demo
   
2. If $ORACLE_HOME/odbc/demo is still the original demo directory, rename it and replace it with the symbolic link.
   
   $ cd $ORACLE_HOME/odbc
3. $ mv demo demo.installed
4. $ ln -s $(orabasehome)/odbc/demo $ORACLE_HOME/odbc/demo
   

For precomp/demo, replace $ORACLE_HOME/precomp/demo with a symbolic link to the copy.

1. Ensure that the symbolic link does not already exist.
   
   $ ls -l -d $ORACLE_HOME/precomp/demo
   
2. If $ORACLE_HOME/precomp/demo is still the original demo directory, rename it and replace it with the symbolic link.
   
   $ cd $ORACLE_HOME/precomp
3. $ mv demo demo.installed
4. $ ln -s $(orabasehome)/precomp/demo $ORACLE_HOME/precomp/demo
   

The xdk/demo directory requires a symbolic link at $ORACLE_HOME/xdk/include pointing to $(orabasehome)/xdk/include after you copy the xdk/demo directory.

1. Ensure that the symbolic link does not already exist:
   $ ls -l -d $ORACLE_HOME/xdk/include
   
2. If the symbolic link does not exist, then, run the following command:
   
   $ ln -s $ORACLE_HOME/xdk/include $(orabasehome)/xdk/include
   

Note:

In the plsql/demo directory, ncmpdemo.sqlis unusable in read-only mode.

Copying the init.ora File

Copy the init.ora file from ORACLE_HOME to ORACLE_BASE_HOME.

1. Login as the Oracle software owner user (oracle).
2. Check if the init.ora file exists in ORACLE_BASE_HOME.
   
   $ ls $(orabasehome)/init.ora 
   
   If an init.ora file exists in ORACLE_BASE_HOME, then update this init.ora file to be in-sync with the$ORACLE_HOME/init.ora file.
3. If the init.ora file does not exist in ORACLE_BASE_HOME, then copy it from ORACLE_HOME.
   
   $ cp $ORACLE_HOME/init.ora $(orabasehome)/init.ora