While applying a patch through Fleet Maintenance in Oracle Enterprise Manager, the job fails during the verification step with the following errors:
'/tmp/' ...FAILED (PRVG-1901, PRVH-0185, PRVH-0516)
Post-check for Oracle Restart configuration was unsuccessful.
PRVG-1901 : failed to setup CVU remote execution framework directory
"/tmp/CVU_19_oracle_2024-03-29_13-44-24_34146/" on nodes "cealomhmbrh1"
Please select a different work area for the framework
PRVH-0185 : Path "/tmp/CVU_19_oracle_2024-03-29_13-44-24_34146/" does not allow
execution on node "cealomhmbrh1".
Cannot run program "/tmp/CVU_19_oracle_2024-03-29_13-44-24_34146/exectask.sh":
error=13, Permission denied
PRVH-0516 : failed to retrieve CVU remote execution framework version from node
"cealomhmbrh1" during an attempt to setup remote execution framework directory
"/tmp/CVU_19_oracle_2024-03-29_13-44-24_34146/"
cealomhmbrh1 : /bin/sh: /tmp/CVU_19_oracle_2024-03-29_13-44-24_34146//exectask.sh:
Permission denied
The job stops completely. No patch is applied. The key detail is error=13, Permission denied — the OS is blocking execution of a script that Fleet Maintenance itself created in /tmp.
Why It Happens
Fleet Maintenance uses the CVU (Cluster Verification Utility) to run pre and post-patch checks. During this process, CVU creates a temporary directory under /tmp, extracts helper scripts (such as exectask.sh), and tries to execute them from there.
The failure occurs when /tmp is mounted with the noexec option in /etc/fstab:
tmpfs /tmp tmpfs defaults,noexec,nosuid 0 0
With noexec active, the Linux kernel blocks any attempt to execute binaries or scripts from that filesystem — regardless of file permissions. The result is Permission denied with error=13, which CVU surfaces as PRVG-1901 + PRVH-0185 + PRVH-0516.
💡 Mounting /tmp with noexec is a hardening practice recommended by the CIS Benchmark and STIG. It is common in production environments with strict security policies — which is exactly why this error shows up on servers that “were working fine before.”
Diagnosis
Before taking any action, confirm that /tmp is actually mounted with noexec:
mount | grep /tmp
Expected output when the problem exists:
tmpfs on /tmp type tmpfs (rw,nosuid,noexec,relatime)
Or using findmnt:
findmnt /tmp
TARGET SOURCE FSTYPE OPTIONS
/tmp   tmpfs  tmpfs  rw,nosuid,noexec,relatime
If noexec appears in the options, the cause is confirmed.
Solution
You have two main options: an immediate workaround (no reboot required) or a permanent fix by redirecting the CVU working directory. Choose based on your environment’s security requirements.
Option 1 — Temporary remount of /tmp (immediate workaround)
⚠️ Warning: This command temporarily removes the noexec restriction from /tmp. The change does not survive a reboot. If your server enforces a security policy that requires noexec, consult your security team before applying this in production.
sudo mount -o remount,exec /tmp
Confirm the option was removed:
mount | grep /tmp
With the remount applied, go back to OEM and click Retry on the failed job. CVU will be able to create and execute its scripts under /tmp without issues.
Option 2 — Redirect the CVU working directory (permanent fix)
CVU respects the CV_DESTLOC environment variable, which redirects the temporary directory to another filesystem — one without noexec. This is the cleanest approach when you cannot or do not want to change the mount options for /tmp.
Set the variable in the oracle user profile:
echo 'export CV_DESTLOC=/u01/app/oracle/tmp' >> /home/oracle/.bash_profile
mkdir -p /u01/app/oracle/tmp
chmod 755 /u01/app/oracle/tmp
Make sure the filesystem where /u01 is mounted does not have noexec:
findmnt /u01
Then restart the OEM agent on the node so the variable is loaded:
$AGENT_HOME/bin/emctl stop agent
$AGENT_HOME/bin/emctl start agent
💡 This option keeps noexec on /tmp and does not compromise the server’s security policy.
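A pre-flight check for the directory you intend to use as the CVU work area, covering both the Diagnosis step and the CV_DESTLOC check above. This is an added example, not code from the original post or from Oracle; the function names and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Oracle's or the post's code): pre-flight check for a CVU work area.
# Constructed sample in /proc/mounts format (not taken from a real host).
SAMPLE_MOUNTS='/dev/mapper/vg0-root / xfs rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,noexec,relatime 0 0
/dev/mapper/vg0-u01 /u01 xfs rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0'

# mount_opts_for PATH [MOUNTS_TEXT]
# Print the options of the mount containing PATH; the longest mount point wins.
mount_opts_for() {
    table=${2:-$(cat /proc/mounts)}
    printf '%s\n' "$table" | awk -v p="$1" '
        {
            mp = $2
            # mp contains p if it is "/", equals p, or is a directory prefix of p.
            if (mp == "/" || p == mp || index(p, mp "/") == 1)
                if (length(mp) >= best) { best = length(mp); opts = $4 }
        }
        END { print opts }'
}

# allows_exec PATH [MOUNTS_TEXT]: succeed unless the containing mount has noexec.
allows_exec() {
    case ",$(mount_opts_for "$@")," in
        *,noexec,*) return 1 ;;
        *) return 0 ;;
    esac
}

# probe_exec DIR: do what CVU does, write a small script into DIR and run it.
# Also catches blockers the mount table cannot show (directory modes, SELinux).
probe_exec() {
    probe=$(mktemp "$1/execprobe.XXXXXX") || return 2
    printf '#!/bin/sh\nexit 0\n' > "$probe"
    chmod 700 "$probe"
    "$probe" 2>/dev/null; rc=$?
    rm -f "$probe"
    [ "$rc" -eq 0 ]
}

# Demo on the constructed table: /tmp is rejected, /u01/app/oracle/tmp passes.
for d in /tmp /u01/app/oracle/tmp; do
    if allows_exec "$d" "$SAMPLE_MOUNTS"; then
        echo "$d: exec allowed"
    else
        echo "$d: mounted noexec, choose another CV_DESTLOC"
    fi
done
```

On a real host, run `allows_exec` without the second argument so it reads /proc/mounts, then `probe_exec` on the same directory as the oracle user before retrying the Fleet Maintenance job.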
Option 3 — Permanently remove noexec from /tmp in fstab
⚠️ Warning: This permanently removes the noexec restriction from /tmp, reducing the server’s hardening level. Evaluate with your security team before applying.
Edit /etc/fstab and remove the noexec option from the /tmp line:
Before:
tmpfs /tmp tmpfs defaults,noexec,nosuid 0 0
After:
tmpfs /tmp tmpfs defaults,nosuid 0 0
Apply without a reboot:
sudo mount -o remount /tmp
Quick Reference
mount | grep /tmp
sudo mount -o remount,exec /tmp
echo 'export CV_DESTLOC=/u01/app/oracle/tmp' >> /home/oracle/.bash_profile
mkdir -p /u01/app/oracle/tmp && chmod 755 /u01/app/oracle/tmp
Important Note
This error is not specific to patch 19.21. Any Fleet Maintenance operation that invokes CVU — gold image deploy, Grid Infrastructure upgrade, rollback — will fail with PRVG-1901 / PRVH-0185 / PRVH-0516 on any server with /tmp noexec. Fix it once, and it stays fixed for all future operations.
