PowerVM - WPAR /Creation/Remove/Restore/Clone

Creating a Sample Application WPAR:

mohi_aix7[/] > wparexec -n myapp '/usr/bin/ps -ef > /tmp/p.p'

mohi_aix7[/] > lswpar
Name       State  Type  Hostname   Directory         RootVG WPAR
-----------------------------------------------------------------
hema_wpar  A      S     hema_wpar  /wpars/hema_wpar  no
mohi_wpar  A      S     mohi_wpar  /wpars/mohi_wpar  no
myapp      T      A     myapp      /

mohi_aix7[/] > cat /tmp/p.p
UID PID PPID C STIME TTY TIME CMD
root 1 0 10 05:27:44 pts/0 0:00 /usr/lib/corrals/vinit myapp /usr/bin/ps -ef > /tmp/p.p
root 9568376 1 9 05:27:44 pts/0 0:00 /usr/bin/ps -ef

Creating a Sample System WPAR:

mohi_aix7[/] > mkwpar -h mano_wpar -i -r -N address='172.29.149.65' -n mano_wpar -o /tmp/mano_wpar.out

mohi_aix7[/] > lswpar
Name       State  Type  Hostname   Directory         RootVG WPAR
-----------------------------------------------------------------
hema_wpar  A      S     hema_wpar  /wpars/hema_wpar  no
mano_wpar  D      S     mano_wpar  /wpars/mano_wpar  no
mohi_wpar  A      S     mohi_wpar  /wpars/mohi_wpar  no

mohi_aix7[/] > lswpar -M mano_wpar
Name       MountPoint             Device       Vfs     Nodename  Options
-------------------------------------------------------------------------
mano_wpar  /wpars/mano_wpar       /dev/fslv08  jfs2
mano_wpar  /wpars/mano_wpar/home  /dev/fslv09  jfs2
mano_wpar  /wpars/mano_wpar/opt   /opt         namefs            ro
mano_wpar  /wpars/mano_wpar/proc  /proc        namefs            rw
mano_wpar  /wpars/mano_wpar/tmp   /dev/fslv10  jfs2
mano_wpar  /wpars/mano_wpar/usr   /usr         namefs            ro
mano_wpar  /wpars/mano_wpar/var   /dev/fslv11  jfs2
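The mount table above is the part worth auditing on a shared system WPAR: /usr and /opt are namefs loop mounts of the global AIX file systems and must stay read-only, otherwise root inside the WPAR can alter binaries that the global system and every other shared WPAR execute. The following script is an added example, not part of the original notes: it reads "lswpar -M" output and reports any shared /usr or /opt that is not mounted ro. The sample input is constructed: the mano_wpar lines match the table above, and the "bad_wpar" lines (an invented name) add one shared /usr mounted rw so the check has something to report.

```sh
# Added example: audit the mount table printed by "lswpar -M".
# SAMPLE_MOUNTS is constructed; "bad_wpar" is an invented WPAR with a shared
# /usr deliberately mounted rw.
SAMPLE_MOUNTS='Name MountPoint Device Vfs Nodename Options
-------------------------------------------------------------------------
mano_wpar /wpars/mano_wpar /dev/fslv08 jfs2
mano_wpar /wpars/mano_wpar/home /dev/fslv09 jfs2
mano_wpar /wpars/mano_wpar/opt /opt namefs ro
mano_wpar /wpars/mano_wpar/proc /proc namefs rw
mano_wpar /wpars/mano_wpar/tmp /dev/fslv10 jfs2
mano_wpar /wpars/mano_wpar/usr /usr namefs ro
mano_wpar /wpars/mano_wpar/var /dev/fslv11 jfs2
bad_wpar /wpars/bad_wpar /dev/fslv20 jfs2
bad_wpar /wpars/bad_wpar/usr /usr namefs rw'

# check_shared_mounts: read "lswpar -M" output on stdin, print one line per
# shared /usr or /opt that is not read-only, exit 0 when clean and 1 otherwise.
check_shared_mounts() {
    awk '
        NR <= 2 { next }                      # header line and dashed separator
        $4 == "namefs" && ($3 == "/usr" || $3 == "/opt") {
            # Nodename is empty for a local namefs mount, so Options is field 5
            opt = $5
            if (opt != "ro") {
                printf "%s: shared %s mounted at %s is \"%s\", expected ro\n", $1, $3, $2, opt
                bad = 1
            }
        }
        END { if (bad) exit 1; exit 0 }
    '
}

# On a real global system: lswpar -M | check_shared_mounts
printf '%s\n' "$SAMPLE_MOUNTS" | check_shared_mounts || echo "mount audit found problems"
```

Run it from the global system after every mkwpar, restwpar or clone; the only legitimate rw namefs mount in a shared WPAR is /proc.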

mohi_aix7[/] > startwpar mano_wpar
Starting workload partition mano_wpar.
Mounting all workload partition file systems.
Loading workload partition.
Exporting workload partition devices.
Exporting workload partition kernel extensions.
Starting workload partition subsystem cor_mano_wpar.
0513-059 The cor_mano_wpar Subsystem has been started. Subsystem PID is 5046352.
Verifying workload partition startup.

mohi_aix7[/] > clogin mano_wpar
*******************************************************************************
*  Welcome to AIX Version 7.1!                                                *
*  Please see the README file in /usr/lpp/bos for information pertinent to    *
*  this release of the AIX Operating System.                                  *
*******************************************************************************
# hostname
mano_wpar
# ifconfig -a
en0: flags=1e080863,480
inet 172.29.149.65 netmask 0xffffc000 broadcast 172.29.191.255
tcp_sendspace 262144 tcp_recvspace 262144 rfc1323 1
lo0: flags=e08084b,c0
inet 127.0.0.1 netmask 0xff000000 broadcast 127.255.255.255
inet6 ::1%1/0
tcp_sendspace 131072 tcp_recvspace 131072 rfc1323 1


Backup/Remove/Restore/Clone of the WPAR:

Backup:
mohi_aix7[/] > savewpar -f /backup/manowpar.bk mano_wpar

Creating list of files to back up.

Backing up 2863 files

2863 of 2863 files (100%)
0512-038 savewpar: Backup Completed Successfully.

mohi_aix7[/] > ls -al /backup/manowpar.bk
-rw-r--r-- 1 root system 29286400 Dec 24 05:43 /backup/manowpar.bk
mohi_aix7[/] > du -sm /backup/manowpar.bk
27.93 /backup/manowpar.bk

Note: the backup of the whole WPAR is only about 28 MB because /usr and /opt are not in the image: in a shared WPAR they are read-only namefs mounts of the global AIX file systems, so only the WPAR's private file systems (/, /home, /tmp, /var) are saved. The image is therefore only restorable onto a global system whose /usr and /opt software levels match.

Remove:
mohi_aix7[/] > clogin mano_wpar
*******************************************************************************
*  Welcome to AIX Version 7.1!                                                *
*  Please see the README file in /usr/lpp/bos for information pertinent to    *
*  this release of the AIX Operating System.                                  *
*******************************************************************************
Last login: Fri Dec 24 05:38:24 CST 2010 on /dev/Global from mohi_aix7

# shutdown -F

SHUTDOWN PROGRAM
Fri Dec 24 05:45:44 CST 2010
0513-044 The sshd Subsystem was requested to stop.

Wait for '....Halt completed....' before stopping.
Error reporting has stopped.
Advanced Accounting has stopped...
Process accounting has stopped.
nfs_clean: Stopping NFS/NIS Daemons
0513-004 The Subsystem or Group, nfsd, is currently inoperative.
0513-044 The biod Subsystem was requested to stop.
0513-004 The Subsystem or Group, rpc.lockd, is currently inoperative.
0513-044 The rpc.statd Subsystem was requested to stop.
0513-004 The Subsystem or Group, gssd, is currently inoperative.
0513-004 The Subsystem or Group, nfsrgyd, is currently inoperative.
0513-004 The Subsystem or Group, rpc.mountd, is currently inoperative.
0513-004 The Subsystem or Group, ypbind, is currently inoperative.
0513-044 The qdaemon Subsystem was requested to stop.
0513-044 The writesrv Subsystem was requested to stop.
0513-044 The clcomd Subsystem was requested to stop.
0513-044 The ctrmc Subsystem was requested to stop.
0513-044 The IBM.ERRM Subsystem was requested to stop.
0513-044 The IBM.AuditRM Subsystem was requested to stop.
All processes currently running will now be killed...
Unmounting the file systems...



....Halt completed....

mohi_aix7[/] > lswpar
Name       State  Type  Hostname   Directory         RootVG WPAR
-----------------------------------------------------------------
hema_wpar  A      S     hema_wpar  /wpars/hema_wpar  no
mano_wpar  D      S     mano_wpar  /wpars/mano_wpar  no
mohi_wpar  A      S     mohi_wpar  /wpars/mohi_wpar  no

mohi_aix7[/] > rmwpar mano_wpar
rmwpar: Removing file system /wpars/mano_wpar/var.
rmlv: Logical volume fslv11 is removed.
rmwpar: Removing file system /wpars/mano_wpar/usr.
rmwpar: Removing file system /wpars/mano_wpar/tmp.
rmlv: Logical volume fslv10 is removed.
rmwpar: Removing file system /wpars/mano_wpar/proc.
rmwpar: Removing file system /wpars/mano_wpar/opt.
rmwpar: Removing file system /wpars/mano_wpar/home.
rmlv: Logical volume fslv09 is removed.
rmwpar: Removing file system /wpars/mano_wpar.
rmlv: Logical volume fslv08 is removed.

mohi_aix7[/] > lswpar
Name       State  Type  Hostname   Directory         RootVG WPAR
-----------------------------------------------------------------
hema_wpar  A      S     hema_wpar  /wpars/hema_wpar  no
mohi_wpar  A      S     mohi_wpar  /wpars/mohi_wpar  no

Restore:

mohi_aix7[/] > restwpar -f /backup/manowpar.bk
New volume on /backup/manowpar.bk:
Cluster size is 51200 bytes (100 blocks).
The volume number is 1.
The backup date is: Fri Dec 24 05:43:19 CST 2010
Files are backed up by name.
The user is root.
x 2919 ./.savewpar_dir/wpar.spec
x 4666 ./.savewpar_dir/image.data
x 182289 ./.savewpar_dir/backup.data
The total size is 189874 bytes.
The number of restored files is 3.
.
.
.
.
.
.
The file system has read permission only.
rm: 0653-609 Cannot remove /usr/idebug.
The file system has read permission only.
Finished processing all filesets. (Total time: 0 secs).

+-----------------------------------------------------------------------------+
Summaries:
+-----------------------------------------------------------------------------+

Installation Summary
--------------------
Name Level Part Event Result
-------------------------------------------------------------------------------
ibmdebugger 7.1.0.0 ROOT APPLY FAILED
ibmdebugger 7.1.0.0 ROOT CLEANUP SUCCESS
syncroot: Error synchronizing installp software.
syncroot: Returns Status = FAILURE
Workload partition mano_wpar created successfully.
mkwpar: 0960-390 To start the workload partition, execute the following as root: startwpar [-v] mano_wpar
mohi_aix7[/] > lswpar
Name       State  Type  Hostname   Directory         RootVG WPAR
-----------------------------------------------------------------
hema_wpar  A      S     hema_wpar  /wpars/hema_wpar  no
mano_wpar  D      S     mano_wpar  /wpars/mano_wpar  no
mohi_wpar  A      S     mohi_wpar  /wpars/mohi_wpar  no

mohi_aix7[/] > startwpar mano_wpar
Starting workload partition mano_wpar.
Mounting all workload partition file systems.
Loading workload partition.
Exporting workload partition devices.
Exporting workload partition kernel extensions.
Starting workload partition subsystem cor_mano_wpar.
0513-059 The cor_mano_wpar Subsystem has been started. Subsystem PID is 11075780.
Verifying workload partition startup.

mohi_aix7[/] > lswpar
Name       State  Type  Hostname   Directory         RootVG WPAR
-----------------------------------------------------------------
hema_wpar  A      S     hema_wpar  /wpars/hema_wpar  no
mano_wpar  A      S     mano_wpar  /wpars/mano_wpar  no
mohi_wpar  A      S     mohi_wpar  /wpars/mohi_wpar  no

Note: the WPAR is restored and starts, but look at the restwpar output before trusting it: syncroot reported "Returns Status = FAILURE" because the ROOT part of ibmdebugger could not be applied (the rm errors on /usr/idebug come from the read-only shared /usr), yet restwpar still printed "created successfully". The installp inventory of the restored WPAR is therefore not fully in sync with the global system; run syncroot again from inside the WPAR, or remove the offending fileset, before putting it into service.
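Because restwpar reports success even when syncroot fails, a restore job should not stop at the last line of the output. The following script is an added example, not part of the original notes: it scans a saved restwpar/mkwpar log for a syncroot failure and for any fileset whose APPLY event FAILED, and exits non-zero if either is present. SAMPLE_RESTORE_LOG is constructed from the lines printed above.

```sh
# Added example: check a restwpar/mkwpar log for failures that the final
# "created successfully" line hides. SAMPLE_RESTORE_LOG is constructed from the
# output shown above.
SAMPLE_RESTORE_LOG='Installation Summary
--------------------
Name Level Part Event Result
-------------------------------------------------------------------------------
ibmdebugger 7.1.0.0 ROOT APPLY FAILED
ibmdebugger 7.1.0.0 ROOT CLEANUP SUCCESS
syncroot: Error synchronizing installp software.
syncroot: Returns Status = FAILURE
Workload partition mano_wpar created successfully.
mkwpar: 0960-390 To start the workload partition, execute the following as root: startwpar [-v] mano_wpar'

# check_restwpar_log: read the log on stdin; list every fileset whose APPLY
# failed and any syncroot failure; exit 0 only if nothing failed and the
# "created successfully" line is present.
check_restwpar_log() {
    awk '
        /^syncroot: (Error|Returns Status = FAILURE)/ { sync_failed = 1 }
        $4 == "APPLY" && $5 == "FAILED" { failed[$1 " " $2 " " $3] = 1; nfail++ }
        /created successfully/ { created = 1 }
        END {
            for (f in failed) printf "fileset apply failed: %s\n", f
            if (sync_failed) print "syncroot reported failure: WPAR software inventory is not in sync with the global system"
            if (!created) print "no \"created successfully\" line found"
            if (sync_failed || nfail > 0 || !created) exit 1
            exit 0
        }
    '
}

# On a real global system:
#   restwpar -f /backup/manowpar.bk 2>&1 | tee /tmp/restwpar.log
#   check_restwpar_log < /tmp/restwpar.log || echo "restore needs attention before startwpar"
printf '%s\n' "$SAMPLE_RESTORE_LOG" | check_restwpar_log || echo "restore needs attention before startwpar"
```

The same check applies to the clone output further down, which shows the identical syncroot failure.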

Clone:

mohi_aix7[/] > restwpar -h cloned_wpar -n cloned_wpar -d /wpars/cloned_wpar -r -U -M "-N address=172.29.149.66" -f /backup/manowpar.bk
New volume on /backup/manowpar.bk:
Cluster size is 51200 bytes (100 blocks).
The volume number is 1.
The backup date is: Fri Dec 24 05:43:19 CST 2010
Files are backed up by name.
The user is root.
x 2919 ./.savewpar_dir/wpar.spec
x 4666 ./.savewpar_dir/image.data
x 182289 ./.savewpar_dir/backup.data
The total size is 189874 bytes.
The number of restored files is 3.
mkwpar: Creating file systems...
.
.
.
.
.
.
The file system has read permission only.
rm: 0653-609 Cannot remove /usr/idebug/readme/README.debug.
The file system has read permission only.
rm: 0653-609 Cannot remove /usr/idebug/readme.
The file system has read permission only.
rm: 0653-609 Cannot remove /usr/idebug.
The file system has read permission only.
Finished processing all filesets. (Total time: 0 secs).

+-----------------------------------------------------------------------------+
Summaries:
+-----------------------------------------------------------------------------+

Installation Summary
--------------------
Name Level Part Event Result
-------------------------------------------------------------------------------
ibmdebugger 7.1.0.0 ROOT APPLY FAILED
ibmdebugger 7.1.0.0 ROOT CLEANUP SUCCESS
syncroot: Error synchronizing installp software.
syncroot: Returns Status = FAILURE
Copying network name resolution configuration...
/etc/resolv.conf
/etc/hosts
/etc/netsvc.conf
Workload partition cloned_wpar created successfully.
mkwpar: 0960-390 To start the workload partition, execute the following as root: startwpar [-v] cloned_wpar
mohi_aix7[/] > lswpar
Name         State  Type  Hostname     Directory           RootVG WPAR
-----------------------------------------------------------------------
cloned_wpar  D      S     cloned_wpar  /wpars/cloned_wpar  no
hema_wpar    A      S     hema_wpar    /wpars/hema_wpar    no
mano_wpar    A      S     mano_wpar    /wpars/mano_wpar    no
mohi_wpar    A      S     mohi_wpar    /wpars/mohi_wpar    no

mohi_aix7[/] > lswpar -M cloned_wpar
Name         MountPoint               Device      Vfs     Nodename  Options
----------------------------------------------------------------------------
cloned_wpar  /wpars/cloned_wpar       /dev/wlv7   jfs2
cloned_wpar  /wpars/cloned_wpar/home  /dev/wlv8   jfs2
cloned_wpar  /wpars/cloned_wpar/opt   /opt        namefs            ro
cloned_wpar  /wpars/cloned_wpar/proc  /proc       namefs            rw
cloned_wpar  /wpars/cloned_wpar/tmp   /dev/wlv9   jfs2
cloned_wpar  /wpars/cloned_wpar/usr   /usr        namefs            ro
cloned_wpar  /wpars/cloned_wpar/var   /dev/wlv10  jfs2

mohi_aix7[/] > startwpar cloned_wpar
Starting workload partition cloned_wpar.
Mounting all workload partition file systems.
Loading workload partition.
Exporting workload partition devices.
Exporting workload partition kernel extensions.
Starting workload partition subsystem cor_cloned_wpar.
0513-059 The cor_cloned_wpar Subsystem has been started. Subsystem PID is 11272208.
Verifying workload partition startup.

mohi_aix7[/] > lswpar
Name         State  Type  Hostname     Directory           RootVG WPAR
-----------------------------------------------------------------------
cloned_wpar  A      S     cloned_wpar  /wpars/cloned_wpar  no
hema_wpar    A      S     hema_wpar    /wpars/hema_wpar    no
mano_wpar    A      S     mano_wpar    /wpars/mano_wpar    no
mohi_wpar    A      S     mohi_wpar    /wpars/mohi_wpar    no

mohi_aix7[/] > lswpar -M cloned_wpar
Name         MountPoint               Device      Vfs     Nodename  Options
----------------------------------------------------------------------------
cloned_wpar  /wpars/cloned_wpar       /dev/wlv7   jfs2
cloned_wpar  /wpars/cloned_wpar/home  /dev/wlv8   jfs2
cloned_wpar  /wpars/cloned_wpar/opt   /opt        namefs            ro
cloned_wpar  /wpars/cloned_wpar/proc  /proc       namefs            rw
cloned_wpar  /wpars/cloned_wpar/tmp   /dev/wlv9   jfs2
cloned_wpar  /wpars/cloned_wpar/usr   /usr        namefs            ro
cloned_wpar  /wpars/cloned_wpar/var   /dev/wlv10  jfs2

mohi_aix7[/] > clogin cloned_wpar
*******************************************************************************
*  Welcome to AIX Version 7.1!                                                *
*  Please see the README file in /usr/lpp/bos for information pertinent to    *
*  this release of the AIX Operating System.                                  *
*******************************************************************************
Last login: Fri Dec 24 05:38:24 CST 2010 on /dev/Global from mohi_aix7

# hostname
cloned_wpar
# ifconfig -a
en0: flags=1e080863,480
inet 172.29.149.66 netmask 0xffffc000 broadcast 172.29.191.255
tcp_sendspace 262144 tcp_recvspace 262144 rfc1323 1
lo0: flags=e08084b,c0
inet 127.0.0.1 netmask 0xff000000 broadcast 127.255.255.255
inet6 ::1%1/0
tcp_sendspace 131072 tcp_recvspace 131072 rfc1323 1

NIM Server Build

1) Identify Resources

    lppsource - 3 GB per version or release level of AIX
    SPOT - 200 MB per version or release level of AIX
    Server - lots of disk. Start with 3 GB per client + 3 GB per level of AIX.
    Clients
    Network interfaces
    bosinst.data - install from scratch, migration
    image.data - optional

2) Create NIM VG and File system

smitty mkvg --> create exportvg
smitty crfs --> create the /export file system (large-file-enabled JFS, or JFS2)

You may or may not want to create additional file systems for other NIM resources.

Typically:
    lppsources: /export/aix_level (e.g. aix_520)
    SPOT: /export/aixlevel_SPOT (e.g. aix520_SPOT)
    Images: /export/images (used for mksysb images)

You will need to add the images directory to /etc/exports with root access for your LPARs. Limit both the root= list and the access= list to the NIM clients themselves; an entry with root= but no access= can be mounted by any host on the network. Be sure to run exportfs -a afterwards so the export is applied and the /etc/xtab file is recreated.

Other resources: /export/nim (e.g. bosinst.data ...)
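The images export is the one place in a NIM setup where root access crosses the network, so it pays to check the exports file before running exportfs -a. The script below is an added example, not part of the original notes: it parses AIX-style /etc/exports lines ("/dir -opt,opt,...", host lists separated by ":") and flags any directory exported without an access= list, and any root= list that is not mirrored in access=. SAMPLE_EXPORTS and the host names lpar1 and lpar2 are constructed for the example.

```sh
# Added example: audit /etc/exports on the NIM master before exportfs -a.
# SAMPLE_EXPORTS is constructed; lpar1 and lpar2 are made-up client names.
SAMPLE_EXPORTS='# NIM resources
/export/images -root=lpar1:lpar2,access=lpar1:lpar2
/export/nim -ro,access=lpar1:lpar2
/export/aix_520 -root=lpar1
/export/scratch -rw'

# check_exports: read exports text on stdin, print one line per problem,
# exit 0 when every entry is restricted to named hosts and 1 otherwise.
check_exports() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        {
            dir = $1; n = split($2, o, ",")
            root = ""; access = ""; rw = 1
            for (i = 1; i <= n; i++) {
                if (o[i] ~ /^-?root=/)   { sub(/^-?root=/, "", o[i]);   root = o[i] }
                if (o[i] ~ /^-?access=/) { sub(/^-?access=/, "", o[i]); access = o[i] }
                if (o[i] ~ /^-?ro$/)     { rw = 0 }
            }
            if (access == "") {
                printf "%s: no access= list, any host may mount it%s\n", dir, (rw ? " read-write" : "")
                bad = 1
            }
            if (root != "" && root != access) {
                printf "%s: root=%s is not matched by access=%s\n", dir, root, (access == "" ? "(none)" : access)
                bad = 1
            }
        }
        END { if (bad) exit 1; exit 0 }
    '
}

# On the NIM master: check_exports < /etc/exports
printf '%s\n' "$SAMPLE_EXPORTS" | check_exports || echo "tighten /etc/exports before exportfs -a"
```

The check is deliberately strict about root= and access= naming the same hosts: a host that may become root on the export but is not in the access list is almost always a leftover from an earlier client.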

3) Create NIM Server

Install the following filesets if they are not already on the NIM master:

  bos.sysmgt.nim.client
  bos.sysmgt.nim.master
  bos.sysmgt.nim.spot

Configure the primary network and start the NIM daemons:

smitty nim --> Configure the NIM Environment --> Advanced Configuration --> Initialize NIM Master Only

          Configure Network Installation Management Master Fileset

Type or select values in entry fields.
Press Enter AFTER making all desired changes.

                                                        [Entry Fields]
* Network Name                                          [PublicTokenRing]
* Primary Network Install Interface                     [tr0]                +
  Allow Machines to Register Themselves as Clients?     [yes]                +
  Alternate Port Numbers for Network Communications
       (reserved values will be used if left blank)
    Client Registration                                 []                   #
    Client Communications                               []                   #

F1=Help             F2=Refresh          F3=Cancel           F4=List
Esc+5=Reset         F6=Command          F7=Edit             F8=Image
F9=Shell            F10=Exit            Enter=Do

Create/Define NIM lppsource and SPOT:

Do this for each level of AIX being used.

smitty nim --> Configure the NIM Environment  --> Advanced Configuration --> Create NIM Basic Installation resources --> Create a LPPSOURCE and SPOT --> Select the master

                      Create Basic Installation Resources

Type or select values in entry fields.
Press Enter AFTER making all desired changes.

[TOP]                                                   [Entry Fields]
* Resource SERVER                                       master
* Input device for installation images                  [cd0]                +
    (specify the device on the resource server)
* LPP_SOURCE Name                                       [aix_520]
* LPP_SOURCE Directory                                  [/export/aix_520]    +
  Create new file system for LPP_SOURCE?                [no]                 +
  File system SIZE (MB)                                 [650]                #
  VOLUME GROUP for new file system                      [exportvg]           +
* SPOT Name                                             [AIX52_SPOT]
* SPOT Directory                                        [/export/aix52_SPOT] +
  Create new file system for SPOT?                      [no]                 +
  File system SIZE (MB)                                 [350]                #
  VOLUME GROUP for new file system                      [exportvg]           +
  Remove all newly added NIM definitions                [no]                 +
  and filesystems if any part of this
  operation fails?
[BOTTOM]

F1=Help             F2=Refresh          F3=Cancel           F4=List
Esc+5=Reset         F6=Command          F7=Edit             F8=Image
F9=Shell            F10=Exit            Enter=Do

Define NIM Clients:

The client systems need to be defined in the /etc/hosts file prior to these installation steps.  Do this for every NIM Client.

smitty nim --> Configure the NIM Environment --> Advanced Configuration --> Define NIM Clients Machines --> Add a NIM client

                                  Define a Machine

Type or select a value for the entry field.
Press Enter AFTER making all desired changes.

                                                        [Entry Fields]
* Host Name of Machine                                  [mohisystem]
    (Primary Network Install Interface)

F1=Help             F2=Refresh          F3=Cancel           F4=List
Esc+5=Reset         F6=Command          F7=Edit             F8=Image
F9=Shell            F10=Exit            Enter=Do

4) Load all of AIX CD filesets into lppsources for every level of AIX supported:

smitty bffcreate --> select cd

               Copy Software to Hard Disk for Future Installation

Type or select values in entry fields.
Press Enter AFTER making all desired changes.

                                                        [Entry Fields]
* INPUT device / directory for software                 /dev/cd0
* SOFTWARE package to copy                              [all]                +
* DIRECTORY for storing software package                [/export/aix_520]
  DIRECTORY for temporary storage during copying        [/tmp]
  EXTEND file systems if space needed?                  yes                  +
  Process multiple volumes?                             yes                  +

F1=Help             F2=Refresh          F3=Cancel           F4=List
Esc+5=Reset         F6=Command          F7=Edit             F8=Image
F9=Shell            F10=Exit            Enter=Do

5) Download fixes from IBM to a temporary directory, such as /export/aix520/fixes, and unzip them. Use "smitty bffcreate" to copy the fixes from /export/aix520/fixes into /export/aix_520/installp/ppc. You may need to run "inutoc ." in the /export/aix_520/installp/ppc directory afterwards to rebuild the .toc file, otherwise installp will not see the new filesets.

6) Update the NIM Server with the latest fixes

smitty update_all --> install device = /export/aix_520 -->

               Update Installed Software to Latest Level (Update All)

Type or select values in entry fields.
Press Enter AFTER making all desired changes.

                                                        [Entry Fields]
* INPUT device / directory for software                 /export/aix_520
* SOFTWARE to update                                    _update_all
  PREVIEW only? (update operation will NOT occur)       no                   +
  COMMIT software updates?                              no                   +
  SAVE replaced files?                                  yes                  +
  AUTOMATICALLY install requisite software?             yes                  +
  EXTEND file systems if space needed?                  yes                  +
  VERIFY install and check file sizes?                  no                   +
  DETAILED output?                                      no                   +
  Process multiple volumes?                             yes                  +
  ACCEPT new license agreements?                        yes                  +
  Preview new LICENSE agreements?                       no                   +

F1=Help             F2=Refresh          F3=Cancel           F4=List
Esc+5=Reset         F6=Command          F7=Edit             F8=Image
F9=Shell            F10=Exit            Enter=Do

7) *** Critical Step ***   Update the SPOT

smitty nim --> Perform NIM administration tasks --> Manage Resources --> Perform operations on NIM resources --> select the SPOT from the list --> select update_all from the list

                                Customize a SPOT

Type or select values in entry fields.
Press Enter AFTER making all desired changes.

                                                        [Entry Fields]
* Resource Name                                         52spot
  Fixes (Keywords)                                      update_all
* Source of Install Images                              [aix520]             +
  Expand file systems if space needed?                  yes                  +
  Force                                                 no                   +
  installp Flags
  PREVIEW only? (install operation will NOT occur)      no                   +
  COMMIT software updates?                              no                   +
  SAVE replaced files?                                  yes                  +
  AUTOMATICALLY install requisite software?             yes                  +
  OVERWRITE same or newer versions?                     no                   +
  VERIFY install and check file sizes?                  no                   +

F1=Help             F2=Refresh          F3=Cancel           F4=List
Esc+5=Reset         F6=Command          F7=Edit             F8=Image
F9=Shell            F10=Exit            Enter=Do

8) Create bosinst.data files for install and migration. The install copy is used for mksysb installs or from-scratch installs, the migrate copy for migrations.

cp /var/adm/ras/bosinst.data /export/nim/bosinst.migrate
cp /var/adm/ras/bosinst.data /export/nim/bosinst.install

Edit the bosinst files:

control_flow:
    CONSOLE = Default
    INSTALL_METHOD = migrate   (or "overwrite" for mksysb installs or new installs)
    PROMPT = yes
    EXISTING_SYSTEM_OVERWRITE = no   (yes for mksysb or install)
    INSTALL_X_IF_ADAPTER = yes
    RUN_STARTUP = no   (yes if you want Install Assistant at first boot)
    RM_INST_ROOTS = no
    ERROR_EXIT =
    CUSTOMIZATION_FILE =
    TCB = yes   (always yes: the Trusted Computing Base can only be installed at BOS install time, it cannot be added later)
    INSTALL_TYPE =
    BUNDLES =
    SWITCH_TO_PRODUCT_TAPE =
    RECOVER_DEVICES = Default
    BOSINST_DEBUG = no
    ACCEPT_LICENSES = yes   (always yes, otherwise an unattended install stops to ask)
    INSTALL_64BIT_KERNEL = yes   (default is no; set to yes if the machine is 64-bit capable)
    INSTALL_CONFIGURATION =
    DESKTOP = CDE
    INSTALL_DEVICES_AND_UPDATES = yes
    IMPORT_USER_VGS = yes
    ENABLE_64BIT_KERNEL = yes   (default is no; set to yes if 64-bit capable)
    CREATE_JFS2_FS = yes   (default is no; set to yes)
    ALL_DEVICES_KERNELS = yes
    GRAPHICS_BUNDLE = yes
    DOC_SERVICES_BUNDLE = yes
    NETSCAPE_BUNDLE = yes
    HTTP_SERVER_BUNDLE = no
    KERBEROS_5_BUNDLE = no
    SERVER_BUNDLE = yes
    ALT_DISK_INSTALL_BUNDLE = yes   (default is no; you will want this)
    REMOVE_JAVA_118 = no


Define the bosinst.data files as a resource. Do this once for each file.

smitty nim --> Perform NIM administration tasks --> Manage resources --> Define a resource --> select bosinst_data

                               Define a Resource

Type or select values in entry fields.
Press Enter AFTER making all desired changes.

                                                        [Entry Fields]
* Resource Name                                         [bosinst_migrate]
* Resource Type                                         bosinst_data
* Server of Resource                                    [master]             +
* Location of Resource                                  <t/nim/bosinst.migrate]  /
  Comments                                              []
  Source for Replication                                []                   +

F1=Help             F2=Refresh          F3=Cancel           F4=List
Esc+5=Reset         F6=Command          F7=Edit             F8=Image
F9=Shell            F10=Exit            Enter=Do

9) Create other network interface resources

smitty nim --> Perform NIM administration tasks --> Manage networks --> Define a network --> select network type

                               Define a Network

Type or select values in entry fields.
Press Enter AFTER making all desired changes.

                                                        [Entry Fields]
* Network Name                                          [privateTokenRing]
* Network Type                                          eth
* Network IP Address                                    [10.10.16.0]
* Subnetmask                                            [255.255.255.0]
  Default Gateway for this Network                      [10.10.16.1]
  Other Network Type                                                         +
  Comments                                              []

F1=Help             F2=Refresh          F3=Cancel           F4=List
Esc+5=Reset         F6=Command          F7=Edit             F8=Image
F9=Shell            F10=Exit            Enter=Do


10) On clients, initialize the NIM environment

Install bos.sysmgt.nim.client

Define the system as a NIM client:

smitty nim_client --> Configure Network Installation Management Client Fileset

            Configure Network Installation Management Client Fileset

Type or select values in entry fields.
Press Enter AFTER making all desired changes.

[TOP]                                                   [Entry Fields]
* Machine Name                                          [napoli]
* Primary Network Install Interface                     [en0]                +
* Host Name of Network Install Master                   [nim-server]
  Hardware Platform Type                                chrp
  Kernel to use for Network Boot                        [up]                 +
  Ethernet Interface Options
    Network Speed Setting                               []                   +
    Network Duplex Setting                              []                   +
  Comments                                              [44P in India Office]
  Alternate Port Numbers for Network Communications
       (reserved values will be used if left blank)
    Client Registration                                 []                   #
    Client Communications                               []                   #
[BOTTOM]

F1=Help             F2=Refresh          F3=Cancel           F4=List
Esc+5=Reset         F6=Command          F7=Edit             F8=Image
F9=Shell            F10=Exit            Enter=Do

You are now ready to do NIM Tasks.

Other NIM Server Notes

The NIM server must be at the highest level of AIX in the NIM environment.

When fixes are required by a system, the following steps should be taken.

1) Download the fixes to a temporary directory.

2) Use “smitty bffcreate” to add them to the appropriate lppsource

You may need to run “inutoc .” in the directory to recreate the table of contents file

3) On the NIM Server, do a “smitty update_all” using the lppsource as the installation device

4) Update the SPOT for the lppsource

5) Update the NIM Client

Power 7 - Versioned WPARs

Versioned WPARs are AIX 5.2 WPARs created on top of an AIX 7.1 base operating system. Applications running in an AIX 5.2 WPAR use the AIX 5.2 commands and libraries, so applications that have not been certified on newer AIX releases can keep running in an AIX 5.2 environment on top of AIX 7.1, on current hardware that may not support AIX 5.2 as the base operating system. A versioned WPAR is always a system WPAR and is never shared: it owns writable /opt and /usr file systems of its own, instead of the read-only namefs mounts of the global /usr and /opt that a shared WPAR uses.


Following are the prerequisites for versioned WPARs:

• Versioned WPARs are supported only on POWER7 hardware.
• Versioned WPARs can be created only on an AIX 7.1 global system.
• The latest available and supported version of AIX 5.2 is technology level (TL) 10, service pack (SP) 8. Any backup image (mksysb) used to create an AIX 5.2 WPAR must therefore come from an AIX 5.2 system at that level.

Sample Screen Shots:


AIX6 - EFS

AIX6 Encrypted File System (EFS)

EFS is a feature of JFS2, not a separate file system type: a new or existing JFS2 file system gets the efs attribute, and the files inside it are stored encrypted.

We can,
- create a new file system with EFS enabled
- enable EFS on an existing file system
- but not on /, /usr, /var or /opt

Use it to encrypt data files, not operating system files.

We can make,
- all files in the file system secure (inheritance set on the file system), or
- just the important files (encrypt selected files)

Access is through a per-user keystore that is protected by a password:
- the keystore password can be the same as the login password; the keystore is then opened automatically at login, and anyone who knows (or as root resets) that password gets the data, so this is not safe against root or su
- or a different EFS password; then logging in or su'ing to the user does not open the keystore, and the files cannot be read without that password. Note that in the default root admin mode root can still reset a user's keystore password and so regain access; to stop that, the system has to be enabled in root guard mode (efsenable -m guard) instead.

 
Pre-requisites
1. A fully secured network
- no telnet (tn) or ftp: passwords and the decrypted file contents would cross the wire in clear text
- use OpenSSH and SFTP instead

2. Enhanced RBAC enabled
lsattr -El sys0 -a enhanced_RBAC            (shows true or false)
chdev -l sys0 -a enhanced_RBAC=true         (then reboot)

3. CryptoLite for C (CLiC) cryptographic library
on the first AIX Expansion Pack CD; install the clic.rte fileset with smitty installp

4. Enable the encrypted file system
efsenable -a
It prompts for root's EFS keystore password.
ls -l /var/efs --> the keystore directories are created here

 
Exercise:
# lsattr -El sys0 -a enhanced_RBAC --> must show enhanced_RBAC true (otherwise chdev -l sys0 -a enhanced_RBAC=true and reboot)
Install clic.rte from the first Expansion Pack CD
# efsenable -a --> set root's EFS keystore password
# crfs -v jfs2 -g rootvg -m /secret -a size=1G -a efs=yes --> create the EFS-enabled file system
# mount /secret
# lsfs -q /secret --> confirm the EFS flag
# efsmgr -s -E /secret --> enable inheritance on /secret, so every new file in it is encrypted
# echo "Hello, world!" > /secret/hello

This fails with:
Cannot find the requested security attribute.
ksh: /secret/hello: 0403-005 Cannot create the specified file.

because the shell has no open keystore, so there is no key to encrypt the new file with. Open the keystore for a new shell:
# efskeymgr -o ksh
root's EFS password: *******

Now the file can be created:
# echo "Hello, world!" > /secret/hello

Note: efskeymgr -o loads the key into that shell (and its child processes) only. When the shell exits the key is gone and the files are unreadable again until efskeymgr -o is run once more.
Note: every user can create and read their own EFS files but not another user's: the per-file key is wrapped with the owner's key, so nobody else can unwrap it unless the owner explicitly grants access with efsmgr.

# efskeymgr -n --> change the EFS keystore password for the current user. The keystore password defaults to the user's login password, so change it: otherwise knowing, or as root resetting, the login password is enough to open the keystore. (In the default root admin mode root can still reset the EFS password itself; see the note on root guard mode above.)

 
Backup of EFS:

- Never write the un-encrypted content of an EFS file to backup media
- The keystore (and its password) is needed to open the files again after a restore
- The key holder uses the EFS-aware backup tools, which save the raw encrypted data:
  •   backup -Z and restore -Z
  •   tar -Z
  •   pax -Z
  •   cpio -Z

Either,
- directly to backup media, or
- archive the still-encrypted data into a regular file system, for the system administrator's backup

Examples:

# tar cvf /tmp/backup/unsafe.tar /secret/hello
# tar cZvf /tmp/backup/safe.tar /secret/hello

# cat /tmp/backup/unsafe.tar ---> the file content appears as plain text: tar without -Z reads through EFS with the open keystore and stores the decrypted bytes
# cat /tmp/backup/safe.tar ---> only cipher text, so this archive can be handed to an administrator who has no key

 

 The keystore (password) location for the EFS,

 
 /var/efs

 Not large so backup everything

 
 Backup the keystore for a particular user,
 /var/efs/users/USERNAME/keystore

 
 Note: it is an encrypted binary file
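The exercise and the backup check above, as one guarded script. This is an added example, not part of the original notes. The AIX commands (lsattr, lslpp, lsfs, efsmgr, tar -Z) exist only on AIX, so the helpers parse the command output passed to them as text; the output formats of lsattr -El, lslpp -L and lsfs -q in the comments are what the commands print on AIX 6/7, and the clic.rte version string is made up.

```shell
#!/bin/sh
# EFS preflight plus an encrypted-backup sanity check.
# Added example (not from the original notes). The AIX commands run only when
# present; the parsing helpers take the command output as a string so they can
# be exercised anywhere.

# rbac_enabled OUTPUT_OF_lsattr : succeed if enhanced_RBAC is true.
# Expected line from `lsattr -El sys0 -a enhanced_RBAC`:
#   "enhanced_RBAC true Enhanced RBAC Mode True"
rbac_enabled() {
    printf '%s\n' "$1" | awk '$1 == "enhanced_RBAC" && $2 == "true" { ok = 1 }
                               END { exit ok ? 0 : 1 }'
}

# clic_installed OUTPUT_OF_lslpp : succeed if the clic.rte fileset is COMMITTED (state C).
# `lslpp -L clic.rte` prints "Fileset Level State Type Description", e.g.
#   "  clic.rte   4.7.0.1   C   F   CryptoLite for C Library"   (version is an assumption)
clic_installed() {
    printf '%s\n' "$1" | awk '$1 == "clic.rte" && $3 == "C" { ok = 1 } END { exit ok ? 0 : 1 }'
}

# fs_is_efs OUTPUT_OF_lsfs_q : succeed if the file system carries the EFS flag.
# `lsfs -q /secret` prints a parenthesised attribute line that contains "EFS: yes".
fs_is_efs() {
    printf '%s\n' "$1" | grep -q 'EFS: yes'
}

# archive_leaks_plaintext ARCHIVE STRING : succeed if STRING appears verbatim in
# the archive. A tar made without -Z stores the decrypted bytes, so a known
# plaintext string is found; a tar -Z archive holds only the raw ciphertext.
archive_leaks_plaintext() {
    grep -q -- "$2" "$1"
}

# efs_setup MOUNTPOINT SIZE : the exercise from the notes as one procedure.
# Runs only on AIX as root; every step aborts on failure.
efs_setup() {
    mp=$1; size=${2:-1G}
    rbac_enabled "$(lsattr -El sys0 -a enhanced_RBAC)" || {
        echo "enhanced_RBAC is off: chdev -l sys0 -a enhanced_RBAC=true and reboot" >&2; return 1; }
    clic_installed "$(lslpp -L clic.rte 2>/dev/null)" || {
        echo "clic.rte (CryptoLite for C) is not installed" >&2; return 1; }
    [ -d /var/efs ] || efsenable -a              # prompts for root's keystore password
    crfs -v jfs2 -g rootvg -m "$mp" -a size="$size" -a efs=yes || return 1
    mount "$mp" || return 1
    fs_is_efs "$(lsfs -q "$mp")" || { echo "$mp was not created with efs=yes" >&2; return 1; }
    efsmgr -s -E "$mp" || return 1               # new files under $mp inherit encryption
    echo "EFS ready on $mp; run 'efskeymgr -o ksh' to load your key before writing to it"
}

# Run the procedure only where the AIX tools exist; elsewhere just define the helpers.
if command -v efsmgr >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    efs_setup /secret 1G
fi
```

After a backup, `archive_leaks_plaintext /tmp/backup/safe.tar 'Hello, world!'` should fail and the same call on unsafe.tar should succeed; that is the cat test from the notes without having to eyeball the archive.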

 

AIX6 - isnapshot

AIX6 JFS2 - Internal Snapshot:

Snapshot:
A point-in-time copy of a file system, taken in one shot, from which single files can be recovered quickly.

Create a 1GB file system under rootvg with the internal snapshot option set to "yes":
# crfs -v jfs2 -g rootvg -a size=1G -a isnapshot=yes -m /green
# mount /green
# cd /green
# vi file1 <--- enter some lines here and save
# vi file2 <--- enter some lines here and save
# ls -l     --> make sure the files are there

Run the command to create a snapshot of the file system:
# /usr/sbin/snapshot -o snapfrom=/green -n Snap1
(or)
do the same from the pconsole GUI of the machine

# cd /green
# cd .snapshot/
# ls -l  --> Here you can see the directory Snap1
# cd Snap1
# ls -l  --> you can see the file1 and file2 are available here too

You can delete the files (file1 and file2) from /green and restore them from /green/.snapshot/Snap1

# cd /green
# rm file1 file2

# cd /green/.snapshot/Snap1
# cp file1 file2 /green

Note: You can't remove files under /green/.snapshot/Snap1 directly: the snapshot is mounted as a "Read-only file system".

# snapshot -d -n Snap1 /green --> deletes the whole snapshot; be careful, the copies in it are gone for good.
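A small restore helper for the recovery step above. This is an added example, not from the original notes; it relies only on the .snapshot/<name>/ directory layout shown above, and the snapshot command itself exists only on AIX.

```shell
#!/bin/sh
# Restore files from a JFS2 internal snapshot.
# Added example; the layout <fs>/.snapshot/<snapname>/<path> is the one the
# notes show, the snapshot command is AIX-only.

# snap_restore FS SNAPNAME FILE... : copy each FILE (path relative to FS) back
# from FS/.snapshot/SNAPNAME. Refuses to overwrite a live file that differs
# from the snapshot copy unless FORCE=1, so a typo cannot destroy newer data.
# Returns 1 if any file was skipped or failed.
snap_restore() {
    fs=$1; snap=$2; shift 2
    src="$fs/.snapshot/$snap"
    [ -d "$src" ] || { echo "no snapshot $snap under $fs" >&2; return 1; }
    rc=0
    for f in "$@"; do
        if [ ! -f "$src/$f" ]; then
            echo "skip $f: not in snapshot $snap" >&2; rc=1; continue
        fi
        if [ -f "$fs/$f" ] && [ "${FORCE:-0}" != 1 ] && ! cmp -s "$src/$f" "$fs/$f"; then
            echo "skip $f: live copy differs, set FORCE=1 to overwrite" >&2; rc=1; continue
        fi
        mkdir -p "$(dirname "$fs/$f")" && cp -p "$src/$f" "$fs/$f" || rc=1
    done
    return $rc
}

# snap_take FS NAME : create the snapshot (AIX only) and confirm its directory appeared.
snap_take() {
    /usr/sbin/snapshot -o snapfrom="$1" -n "$2" && [ -d "$1/.snapshot/$2" ]
}
```

Usage on the exercise: `snap_restore /green Snap1 file1 file2`. Because the snapshot directory is read-only, the helper never writes into it; the only thing it touches is the live file system.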

AIX6 - JFS2 "no log" option

AIX JFS2 with no log:

A JFS2 file system mounted with "no log" performs faster than one "with log", because metadata changes are no longer journaled. The price is that after a crash the file system needs a full fsck and may have lost metadata.

We can test this with the following exercise:

Create two file systems,

#crfs -v jfs2 -g rootvg -a size=1G -A yes -a isnapshot=yes -m /red
#crfs -v jfs2 -g rootvg -a size=1G -A yes -a isnapshot=yes -m /blue

now open 2 different consoles, one for red and another for blue,

mount one with "no log" and the other "with log" as below,
on first console:
#mount -o log=NULL /red

create many files with a script and note down the time.

on second console:
#mount /blue

create many files with the same script and note down the time.

In this test the file system without the log created files about 60 times faster.
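The "script to create many files" the exercise asks for, as an added example (not from the original notes). The timing helpers are portable; the mount lines at the bottom are the AIX ones from the exercise and only run there as root. File counts are arbitrary.

```shell
#!/bin/sh
# File-creation timing for the log vs no-log comparison.
# Added example; the mount commands are the ones from the notes and are AIX-only.

# make_files DIR COUNT : create COUNT small files in DIR, print how many DIR now holds.
make_files() {
    dir=$1; n=$2; i=0
    while [ "$i" -lt "$n" ]; do
        printf 'line %d\n' "$i" > "$dir/f$i" || return 1
        i=$((i + 1))
    done
    ls "$dir" | wc -l | tr -d ' '
}

# time_files DIR COUNT : print elapsed wall-clock seconds for make_files.
# Every create is a separate metadata update, which is exactly what the JFS2
# log journals, so the gap between log=NULL and a logged mount shows up here.
time_files() {
    start=$(date +%s)
    make_files "$1" "$2" >/dev/null || return 1
    echo $(( $(date +%s) - start ))
}

# On AIX, run the two mounts from the notes back to back (root only).
if command -v crfs >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    mount -o log=NULL /red && echo "no log  : $(time_files /red 20000)s"
    mount /blue           && echo "with log: $(time_files /blue 20000)s"
    # Back to journaled mode before putting data you care about on /red:
    umount /red && mount /red
fi
```

Run both timings with the same count, and wipe the directories between runs so the second run is not measuring overwrites.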

Conclusion:

1. The "no log" option suits ftp directories and other data whose master copy lives on a different machine or location: if the file system is damaged it can be rebuilt, and the time saved is significant.

2. When copying thousands or millions of files from one disk to a new disk, create the target file system, mount it with "no log" and start the transfer. Once the transfer completes, remount it with the log enabled so normal journaled operation resumes.

AIX6 - RBAC

Role Based Access Control (RBAC):
One of the main features of AIX 6.


Handing out the ROOT PASSWORD, SUID programs and similar tricks are very bad for security.
Enhanced RBAC is the answer to that problem.

1. Make root programs root-only (perms = rwx------)
2. Then let the kernel enforce RBAC for access
3. Use the RBAC commands to add
    a) new roles to users, granting a limited function (eg: manage, delete, add)
    b) control over new commands/applications (eg: nmon)
4. Enabling RBAC is simple
    a) chdev -l sys0 -a enhanced_RBAC=true
    b) then REBOOT




Commands and Purpose:

lsrole ALL --> list all the available roles
Eg:
AccountAdmin
BackupRestore
DomainAdmin
FSAdmin (File System Admin)
SecPolicy
SysBoot
SysConfig
isso (Information System Security Officer)
sa (System Administrator)
so (System Operator)

lsrole FSAdmin --> list what is inside the FSAdmin role

lsauth aix.fs.manage.change --> list what is inside the aix.fs.manage.change authorization

lssecattr -c -a accessauths ALL --> list the access authorization of every command in the RBAC privileged command database
Eg:
/usr/sysv/bin/lprm accessauths=aix.device.config.printer
/usr/sysv/bin/lpstat accessauths=aix.device.config.printer

lssecattr -c -a accessauths ALL | grep aix.fs.manage.change --> list only the file-system related commands

Sample Exercise:
Give the normal user "mohi" the "file system expansion" permission:

Login as root:
1. chuser roles=FSAdmin mohi   (roles= replaces the user's whole role list; to add to existing roles, name them all: roles=OldRole,FSAdmin)
2. setkst --> update the kernel security tables, otherwise the change does not take effect.

Login as mohi:
1. swrole FSAdmin --> switch to the role to activate it
it will prompt for a password

that's it !! now the user "mohi" can increase the /var file system.

Enable access to the nmon application/command for the user "mohi":
Login as root:
p10:root:/> ls -l /usr/bin/nmon
-rwx------ 1 root system 616360 Dec 12 08:32 /usr/bin/nmon

Currently only "root" can run "nmon", so we are going to give the user "mohi" permission to run it.

Current permission for "mohi":
login as "mohi":
$ nmon
ksh: nmon: cannot execute

Login as root:
1. We need to add nmon to our RBAC database
2. mkauth custom, then mkauth custom.nmon --> create the user-defined parent authorization "custom" and under it "custom.nmon" for nmon (the parent must exist before the child)
3. setsecattr -c accessauths=custom.nmon /usr/bin/nmon --> put the nmon program into the privileged command database with that access authorization
4. mkrole authorizations=custom.nmon nmonrole --> create a new role carrying the nmon authorization
5. chuser roles=nmonrole mohi --> assign the new role to the user "mohi" (again roles= replaces the list: use roles=FSAdmin,nmonrole if mohi should keep FSAdmin from the previous exercise)
6. setkst --> update the kernel

Login as "mohi"
1. swrole nmonrole
it will prompt for a password
that's it!! now "mohi" can also run the nmon program !!!
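The nmon procedure as one idempotent script, as an added example (not from the original notes). It uses only the RBAC commands named above (lsauth, mkauth, setsecattr, lsrole, mkrole, lsuser, chuser, setkst); the DRY_RUN switch and the ASSUMED_ROLES variable are my additions so the generated command sequence can be reviewed on a machine without RBAC. The lsuser -a roles output format ("mohi roles=FSAdmin") is assumed.

```shell
#!/bin/sh
# Grant a root-only command to a user through enhanced RBAC, idempotently.
# Added example automating the nmon exercise. With DRY_RUN=1 every privileged
# command is printed instead of executed.

# run CMD... : execute, or print when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# exists LOOKUP... : true if the lookup (lsauth/lsrole) succeeds.
# In dry-run mode nothing is assumed to exist yet.
exists() { [ "${DRY_RUN:-0}" = 1 ] && return 1; "$@" >/dev/null 2>&1; }

# current_roles USER : comma-separated roles from `lsuser -a roles USER`
# (output assumed as "mohi roles=FSAdmin"); in dry-run mode taken from ASSUMED_ROLES.
current_roles() {
    [ "${DRY_RUN:-0}" = 1 ] && { printf '%s' "${ASSUMED_ROLES:-}"; return; }
    lsuser -a roles "$1" 2>/dev/null | sed -n 's/^.*roles=//p'
}

# rbac_grant_cmd USER CMD AUTH ROLE : make CMD runnable by USER via AUTH and ROLE.
# AUTH is a user-defined authorization such as custom.nmon; its parent ("custom")
# is created first because mkauth rejects a child whose parent does not exist.
rbac_grant_cmd() {
    user=$1; cmd=$2; auth=$3; role=$4
    parent=${auth%%.*}
    [ "$parent" = "$auth" ] || exists lsauth "$parent" || run mkauth "$parent"
    exists lsauth "$auth" || run mkauth "$auth"
    run setsecattr -c accessauths="$auth" "$cmd"
    exists lsrole "$role" || run mkrole authorizations="$auth" "$role"
    # chuser roles= REPLACES the list, so keep whatever roles the user already holds.
    current=$(current_roles "$user")
    case ",$current," in
        *",$role,"*) ;;
        *) run chuser roles="${current:+$current,}$role" "$user" ;;
    esac
    run setkst      # push the authorization, role and command tables into the kernel
}

# plan_grant USER CMD AUTH ROLE : print the command sequence without executing it.
plan_grant() { ( DRY_RUN=1; rbac_grant_cmd "$@" ); }

# Real run only on AIX as root; otherwise show the plan for the exercise.
if command -v setkst >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    rbac_grant_cmd mohi /usr/bin/nmon custom.nmon nmonrole
else
    plan_grant mohi /usr/bin/nmon custom.nmon nmonrole
fi
```

The user side is unchanged: mohi still has to run `swrole nmonrole` (and authenticate) before nmon becomes executable. Review the plan_grant output before the real run; the chuser line in particular shows whether an existing role would have been dropped.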

AIX6 - pconsole

IBM Systems Director Console for AIX (pconsole) is one of the new features that comes with AIX 6.

It is a web-based sysadmin tool for AIX 6 servers.
eg: https://servername:5336/ibm/console
It can be used as a replacement for WebSM.

Screenshots (not reproduced here): sample login screen, pconsole home page, two sample health checks, system storage management, increasing a file system, file system increased successfully, system environment.