SQLCLR in SQL Server 2017

Security of your databases has become the most important part of your job as a DBA. No one wants to be the next company to leak a list of customers, leak photos of children and their parents using your company’s product, or have a key marketing database released. Security is also a very complicated, multi-layered thing. There’s not a switch you can turn on to suddenly have good security. Additionally, you can be doing all the right things, and a few bad lines of application code can subvert all of the measures you have taken to protect your data.

With this is mind, Microsoft has made some big changes to CLR in SQL Server 2017. SQL CLR has always been an interesting area of the engine—it allows for the use of .NET code in stored procedures and user defined types. For certain tasks , it’s an extremely powerful tool—things like RegEx and geo functions can be much faster in native CLR than trying to do the equivalent operation in T-SQL. It’s always been a little bit of a security risk, since under certain configurations, CLR had access to resources outside of the context of the database engine. This was protected by boundaries defined in the CLR host policy. We had SAFE, EXTERNAL_ACCESS, and UNSAFE levels that we could set. SAFE simply limited access of the assembly to internal computation and local data access. For the purposes of this post, we will skip UNSAFE and EXTERNAL_ACCESS, but it is sufficed to say, these levels allow much deeper access to the rest of the server.

Code Access Security in .NET (which is used to managed these levels) has been marked obsolete. What does this mean? The boundaries that are marked SAFE, may not be guaranteed to provide security. So “SAFE” CLR may be able to access external resources, call unmanaged code, and acquire sysadmin privileges. This is really bad.

So What Now?

Microsoft is recommending enabling “CLR Strict Security” in SQL Server 2017, which means users cannot create any CLR assemblies unless they have elevated permissions. This could be a breaking change anywhere you want to use dynamic CLR. The user needs to have CREATE ASSEMBLY and one of the following options has to be true:

  • Database has the TRUSTWORTHY property on AND the database owner (DBO) has the UNSAFE ASSEMBLY permission on the server
  • Assembly is signed with a certificate or asymmetric key that has a corresponding login with the UNSAFE ASSEMBLY permission on the server

In short, the engine treats all CLR assemblies as unsafe, even if they are created with SAFE or EXTERNAL_ACCESS permission sets.

You will need to sign your assemblies. Also, if you try to restore a database with CLR assemblies into SQL Server 2017, you may run into issues if your assemblies are unsigned.

But Now I Have to Do Work?

What does this mean for you, the SQL DBA or Developer? This is a breaking change (and breaking changes are a BIG DEAL at Microsoft—they don’t like to break things unless there are really good reasons). This means if you are using CLR, and you want to move to SQL Server 2017 (or really, let’s face it, these security risks are in lower versions of the code), you need to work out a signing system for your CLR assemblies and possibly some key management infrastructure. You need to evaluate your older CLR code to ensure that none of it is running under UNSAFE or EXTERNAL_ACCESS (unless you want to turn off “CLR Strict Security”, which you really don’t want to do). Also, if you want to run SQL Server 2017 on Linux, you will be limited to the SAFE permission set.

We Only Have Third Party Apps…

Good luck with that. This is a big change, and we all know lots of smaller independent software vendors (ISVs) have just gotten around to supporting SQL Server 2014. In most of my work with ISVs, I haven’t seen a ton of CLR in most of the vendor apps. That being said, I’m  sure it exists in many ISV apps. The angle I would take as a DBA towards my ISV(s) is to use the “audit hammer” with the vendor. If you are not familiar with this approach to managing your vendors, you can mention that your internal audit process is now failing unsigned assemblies that can’t run under CLR Strict Security. This is probably accurate anyway—CLR has been an audit flag for years. I would also recommend doing a comprehensive testing process to ensure your CLR functions as you would expect.

Don’t Assume that Your Sessions Need to Be 500 Level

You know what people say about what happens when you assume something, right? Don’t be an ass and make assumptions. One trend I’ve seen in recent years from some conference is that the conferences tend to prefer super advanced, internals, deep-dive sessions. While these sessions are very cool, and we all like to totally geek out about internals and the inter-workings of the query optimizer, and secret trace flags that make SQL Server return all query results as emojis. (Dear Conor, can you work on that one Smile )

Screen Shot 2017-04-13 at 1.43.21 PM

Screen Shot 2017-04-13 at 1.41.42 PM

Anyway, while many of us in the SQL Server community have massive depth of knowledge about the product, and computer systems in general, it is important to realize that everyone attending SQL events is not an MCM, MVP, and MSCE. It’s great if you want to do a session on backup and restore, or how to install SQL Server (make sure to explain why you are doing each step). Topics like intro to T-SQL and Writing Your First Stored Procedure can be fantastic.

I’m not saying the whole event needs to have 100 level sessions, but making an effort to reach out to people who are just getting started could go a long way to broadening the reach of a professional association.

PASS Summit Speaker Selection Changes—My Take

Monday PASS announced its changes to the speaker selection process, you can read the details here. This is a big change—there will be preselected speakers from a pool have folks who have a long track record of successfully speaking at PASS Summit. Is this a good thing or bad thing? I think it is a good thing, so long as it is implemented carefully. I don’t want to see new speakers get locked out of the speaking at Summit, but I also want to see good sessions from good speakers.
This change will allow PASS to better structure the conference. A good example of this is Nic Cain’s (b|t) idea for curated tracks. In order to have a “new DBA” or “new BI analyst” track, you need to have speakers collaborating with each other in order to build the complimentary track.

Another consideration is NDA content—a good example of this was last year. I would have loved to have done a talk about SQL Server on Linux, which I knew was going to be un-NDAed by Summit, however since submission is public, I couldn’t submit an abstract on it.

My advice for new speakers who want to speak at Summit? It’s the same as it’s always been—blog (note—the blogging part of this is important!) and speak about whatever interests you. Of course, you need to be strategic about submitting to a large conference like Summit, but to a local SQL Saturday, or a user group? Those organizers are begging for speakers. Additionally, consider speaking at PASS Virtual Chapters—they are many, and they meet every month, and there is no cost (other than your time) involved with speaking there.

As you develop as a speaker and writer, you’ll get better known, and develop your own niche. You will also get rejected. Getting rejected sucks—trust me, I submitted to three Summits before I was chosen (I was also nominated for MVP like 10x before getting it, but I digress). When you get rejected look at your abstracts and try to understand how you can make them better. Have a friend or colleague review them. This is an ongoing process.

I don’t think most speakers will notice a big difference with this new process. The speakers who are preselected, were likely going to get selected anyway. The big difference is they will have chosen their topic versus being subject to the whim of the program committee. If you’re a new speaker–speak as much as you can. VCs are free, and your local user group needs speakers. If you live in the middle of nowhere, a lot of user groups will welcome remote presentations. Hone your skills. Write some blog posts (you may have noticed this is my third blogging mention, fire up your keyboard). There’s a new version of SQL Server this year. Get inspired!

Azure Resource Locks are Your Friend in Development

One of the great advantages of the cloud computing is the ability to power off resources that are not in use to save some money. Sure, your production database servers should be running 24×7, but that VM, or SQL Data Warehouse you are developing against during the week? You can shut it down at 7 PM (1900 for the Europeans reading this) and not start it up. Azure even recently introduced an auto-shutdown feature for VMs.

Screen Shot 2017-03-24 at 8.55.37 AM

Unfortunately, there is no auto-startup feature, but that is easy enough to code using an Azure automation job.

This sounds great, can it walk my dog, too?

Unfortunately, there’s one problem with our awesome budget saving proposal. Sometimes developers have jobs that run beyond the time they leave the office. For example, last night at one of my clients a developer had an SSIS package running after he left, and it got killed when the SSIS machine auto-shutdown at 7. That isn’t good.

The solution for this is Azure resource locks—you can put a lock on any resource in Azure. A lock can do one of the two things—first there are delete locks which simply keep a resource from being deleted. It is not a bad idea to put a delete lock on all of your production resources to prevent any accidental deletion from happening. The second type of lock is a read-only lock, and these are a little more aggressive. You can’t do anything to a resource with a read-only lock—you can’t add a drive to a VM, you can’t resize, and most importantly, you can’t shutdown the resource.

You can use the portal, PowerShell, or CLI to create a lock. It’s a fairly simple construct that can be extremely beneficial. You can get current details for lock creation from the Azure Documentation.

My developers have access to the portal (thanks to role based access control and resource groups), so I’ve instructed them on how to place locks on resources, and how to remove them. As an administrator, you probably want to monitor for locks, to ensure that they aren’t left in place after they are needed.

You’re Speaking…and You Don’t Have Slides

I had this dream that other week. I was in the big room at PASS Summit, sitting in the audience. I was relaxed, as I thought I was presenting later in the day, when I quickly realized, due to the lack of speaker on the stage, that I was the next speaker, and the room was full. And I was playing with my laptop and I didn’t have a slide deck. In my dream, this talk was a 300 level session on troubleshooting SQL Server, something I feel like I could do pretty easily, you know with slides. Or a whiteboard.

criando-bons-slides-prof-jiani-cardoso-1-728

http://tse3.mm.bing.net/th?id=OIP.mek7WCJGE_T7QapryUckqQEsDh&pid=15.1

I woke up, before I started speaking. So, I’m not sure how I would have handled it—interpretive dance? I’m a pretty bad dancer. One thing, I will mention, and I saw my friend Allan Hirt (b|t) have to do this last month in Boston—really good (and really well rehearsed) speakers, can do a very good talk without their slides. Slides can be a crutch—one of the common refrains in Speaker Idol judging is don’t read your slides. It is bad form—do I sometimes read my slides? Yeah, everyone does occasionally. But when you want to deliver a solid technical message, the best way to do that is telling stories.

I’m doing a talk next month in Belgium (April 10, in Gent), right before SQL Bits. It’s going to be about what not to do in DR. My slide deck is mostly going to be pictures, and I’m going to tell stories—stories from throughout my career, and some stores from friends. It’s going to be fun, names will be changed to protect the guilty.

So my question and guidance for you dear readers, is to think about what you would do if the projector failed and you did not have a whiteboard. I can think of a number of talks I can do without a whiteboard–in India last year, another instructor and I demonstrated Azure networking by using our bodies as props. What would you do in this situation?

Monitoring Availability Groups—New Tools from Solarwinds

As I mentioned in my post a couple of weeks ago, monitoring the plan cache on a readable secondary replica can be a challenge. My customer was seeing dramatically different performance, depending on whether a node was primary or secondary. As amazing as the Query Store in SQL Server 2016 is, it does not allow you to view statistics from the readable secondary. So that leaves you writing xQuery to mine the plan cache DMVs for the query information you are trying to identify.

My friends at Solarwinds (Lawyers: see disclaimer at bottom of post) introduced version 11.0 of Database Performance Analyzer (DPA, a product you may remember as Ignite) which has full support for Availability Group monitoring. As you can see in the screenshot below, DPA gives a nice overview of the status of your AG, and also lets you dig into the performance on each node.

image

There are a host of other features in their new releases, which you can check out some of their new hybrid features in their flagship product Orion. Amongst these features, a couple jumped out at me—there is now support for Amazon RDS and Azure SQL Database in DPA, and there is some really cool correlation data that will let your compare performance across your infrastructure. So, when you the DBA is arguing with the SAN, network, and VM teams about where the root cause of the performance problem, this tool can quickly isolate the root cause of the issue. With less fighting. These are great products, give them a look.

Disclaimer: I was not paid for this post, but I do paid work for SolarWinds on a regular basis.

SQL Clone—Win Fabulous Prizes!!!

Want a chance to win a really cool prize (5 Amazon Dots, and a copy of SQL Clone), while learning about a cool product from Redgate? My friends at Redgate are in the process of releasing a really awesome tool call SQL Clone. So what is SQL Clone?

Screen Shot 2017-03-06 at 10.29.34 AM

One of the challenges I’ve faced through my career as a DBA is the ability to have a reliable copy of a production database to test against. Sure, when I worked at Comcast we had dev, qa, test, and prod environments, but many of the smaller organizations I worked for and consult with, don’t have that luxury. Even when I was at Comcast, the overwhelming cost of storage really limited our ability to maintain consistent development platforms.

So what is the solution? SQL Clone offers a virtual copies of your  database, in seconds, whilst only taking up 40 MB of disk space. How does it do it? Redgate stores pointers to your database in the copy. This means you can have one copy of your database and multiple clones, so that different parts of your dev team can work together in harmony. This data will grow a bit as each developer queries the data, but if you dealing with very large (> 5TB) or even just pretty big databases, this can greatly reduce your storage cost and increate developer productivity.

To learn more about Red Gate SQL Clone, check out this video:
  
 https://youtu.be/1zI2Oj9EZM8

You can see Grant Fritchey yell at an Amazon Alexa to create a clone of a database. It’s that easy.

So for the contest:

I’d like you to comment on what skill you would build using the echo dot. This can be anything, but database related ideas are likely better, as Redgate will be the judge. Here are some of my ideas:

  • Build a database using SQL Clone Smile
  • Rebuild the statistics on the data warehouse
  • Yell at Joey to go ride his bike
  •  

    For legal purposes you can read the terms and conditions here.

http://www.red-gate.com/products/dba/sql-clone/entrypage/competition-terms-and-conditions

SQL Bits Precon: SQL Server on Linux—A Brave New World

My first European trip this year includes two of my favorite bike races, the Tour of Flanders (or as my Belgian friends call it, the Ronde van Vlaanderen) and Paris-Roubaix. In the week between on Wednesday, I will be doing a full day of training at SQLBITS in Telford. I’ve had the good luck to be working with SQL Server on Linux since very early days of the development process, and am looking forward to sharing that knowledge with attendees.

 

insert-promptI

In this full day training session you will learn about the Linux operating system. Some of the topics we’ll talk about include:

  • Operating system architecture
  • Security Model
  • File manipulation
  • Common commands and using them together
  • Bash and Korn shells
  • Shell scripting
  • File systems and Volume Managers
  • Clustering in Linux
    You will also lean about technologies in SQL Server.
  • Monitoring O/S performance 
  • Proper SQL Server configuration
  • Automating deployment
  • Deploying High Availability and Disaster Recovery
    Whether you are new to Linux and UNIX and want to get started, or if you can awk and sed your way through a maze, this precon will have something for you.

DBCC Clonedatabase and Very Large Databases

One of the recent feature introductions to SQL Server is dbcc clonedatabase, a feature that lets you create a “data-less” clone of you database. All of the statistics and objects come into your cloned database, however none of the data does. This is perfect for development or performance tuning exercises, where you want all the metadata, but do not want the security risk of dealing with production data.

Recently I had the opportunity to use clonedatabase on a very large database. I was concerned about the size of the data files and how this would impact space on my volumes. Books Online is fairly clear, but I wanted to see for myself.

Note All files in the target database will inherit the size and growth settings from the model database. File name convention: The file names for the destination database will follow the source_file_name _underscore_random number convention. If the generated file name already exists in the destination folder, DBCC CLONEDATABASE will fail

So my thought in reading that, is that the same number of data files will be created in the clone, just with the settings in model. Let’s test that out.

The first thing I did was create a new database, and then add a few data files to it. I made them 20 MB, which is a different size than model—just for testing purposes.

image

Next, I ran the clone database command.

image

Then connect to the clone and look at the data files

image

I can see that all of the files were created, in the same location as the files on the source database, except with the size settings of model. While this shouldn’t be a big deal for most, if you do like I recommend and make model a reasonable size for your environment, and you happen to be tight on drive space, you could fill up a volume. So just be aware when using clonedatabase particularly with databases that have a lot of data files in them.

SQL Server on Linux Clustering—A Few Other Notes

So I was chatting with fellow MVP Allan Hirt (b|t) about the cluster build that I wrote about yesterday, and I had a few more realizations about the Linux HA process as it stands right now. I haven’t talked to the the Linux product team at Microsoft about this, but I hope to in the near future to get a better idea of where things are headed. So these are my notes as of now, strictly relating to failover cluster instances (FCI), AlwaysOn Availablity Groups are coming, but are not in the latest CTPs of SQL Server on Linux.

It was faster than building a Windows cluster

It took me a while, I laughed, I cried, I cursed a lot, but if I look at the time it took for me to actually build the cluster and install SQL Server, it was a much faster process. Much of this comes down to the efficiency of the SQL Server installation process on Linux, which is as simple as running yum install mssql-server (mostly). Which leads me to my next point..

Installation options would be nice

The cluster building process is a little kludgy. Basically, you install two standalone instances of SQL Server, and then remove the data files from one them, and copy them into your NFS share. Having the option to do the equivalent of an “Add Node” install, would mean you wouldn’t need to worry about cleaning up your second node.

There’s no cluster validation, explicitly

This is a bit scarier, or easier depending on your view point. There are tests at various parts of the process to make sure things are working. For example, the first step of building your Linux cluster is to authorize the nodes to take part in the cluster, which validates certain security and network settings. However, the storage validation consists of starting and stopping SQL Server on each node to make sure it can talk to the storage and startup. Given that Microsoft doesn’t own the clusterware for this solution, I’m not sure how much they can enhance that, or if they will. This is a good open question.

There’s no dns

(Happy Late Birthday Kris!) One interesting thing I realized after talking to Allan was that I did all of my networking setup through the /etc/hosts file on each individual node. I remember doing this for RAC, and I think it may be a requirement of Pacemaker, but you will still want to make a DNS entry for your cluster identifier. When you do this on Windows, if you are using Active Directory for DNS, the installation does this for you. Not in Linux, you will need to do this yourself.

Screen Shot 2017-01-04 at 11.40.26 AM

Get comfortable with command line and scripting

There’s no cluster wizard to get you through the process. I think this isn’t a huge deal—Denny and I were talking yesterday about how relatively easy it would be to script the whole process in bash (I’m holding off until I find out if Microsoft is doing this), and most Linux sysadmins are really comfortable with writing bash scripts. But if you aren’t comfortable with Linux and the command line, now is the time to brush up, before things go prod.

Summary

We are in the very early days of this process, there is much that will likely change. From a functional and conceptual perspective, this is very similar to the way a SQL Server Failover Cluster works in Windows, but the implementation is quite different. I’d like to see things resemble Windows a bit more, at least from a SQL Server perspective, but we’ll see where the product heads.

%d bloggers like this: