Saturday, September 25, 2010

Login sequence Files

/etc/passwd

Ex: - test:!:206:1:Test user:/home/test:/usr/bin/ksh

Total 7 fields in /etc/passwd file
Username : password : uid : gid : comment : users home directory : users login shell

If the password field shows !, the password is stored in some other file.
If it shows *, the user account is disabled.

The file is stored in /etc. All users have rights to read the file, but it can only be written by the superuser. Each line of the file is a record for an individual user and contains 7 fields separated by ":", which is also known as the IFS (Internal Field Separator). Each line of /etc/passwd looks something like this...
root:x:0:0:root:/root:/bin/bash
i) The first field shows the login name of the user.
ii) The second field shows the password. Since shadowing is being used, this field will only show "!", which indicates that the password is stored in /etc/shadow.
iii) This shows the UID (user id) of the user, which is unique to each user.
iv) This shows the GID (group id) of the user.
v) This field is used for user comments or user details, which are fed in by the chfn command.
vi) This field indicates the home or working directory of the user.
vii) This field determines the shell used by the user whenever he/she logs in.
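
The field layout above can be checked mechanically. The following Python audit is an added example, not part of the original post: it validates the 7-field layout, interprets the password field markers, and reports UIDs shared by more than one account. The sample records, the finding names and the valid_shells parameter are constructed for illustration.

```python
from collections import defaultdict

FIELDS = ("username", "password", "uid", "gid", "comment", "home", "shell")

# Constructed sample records (not taken from a real system).
SAMPLE_PASSWD = """\
root:!:0:0::/:/usr/bin/ksh
test:!:206:1:Test user:/home/test:/usr/bin/ksh
olduser:*:207:1:Disabled account:/home/olduser:/usr/bin/ksh
legacy:CONSTRUCTEDHASH:208:1:Hash left in the file:/home/legacy:/usr/bin/ksh
admin2:!:0:0:Second uid 0:/home/admin2:/opt/custom/sh
broken:!:209:1:/home/broken
"""


def classify_password(field):
    """Interpret the second field of a passwd record."""
    if field in ("!", "x"):   # "!" as described above; "x" as in the root example line
        return "shadowed"
    if field == "*":          # account disabled
        return "disabled"
    if field == "":           # neither marker nor hash present
        return "empty"
    return "inline"           # anything else is a hash sitting in a world-readable file


def audit_passwd(text, valid_shells=None):
    """Return (line_number, finding, detail) tuples; line 0 marks file-wide findings."""
    findings = []
    by_uid = defaultdict(list)
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            findings.append((lineno, "MALFORMED", f"{len(parts)} fields, expected 7"))
            continue
        rec = dict(zip(FIELDS, parts))
        by_uid[rec["uid"]].append(rec["username"])
        state = classify_password(rec["password"])
        if state == "inline":
            findings.append((lineno, "HASH_IN_PASSWD", rec["username"]))
        elif state == "empty":
            findings.append((lineno, "EMPTY_PASSWORD_FIELD", rec["username"]))
        # Optional cross-check against a list of valid shells supplied by the caller.
        if valid_shells is not None and rec["shell"] not in valid_shells:
            findings.append((lineno, "UNLISTED_SHELL", rec["username"]))
    # The UID is meant to be unique to each user, so report any that are shared.
    for uid, names in by_uid.items():
        if len(names) > 1:
            findings.append((0, "DUPLICATE_UID", f"uid {uid}: {','.join(names)}"))
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD, {"/usr/bin/ksh", "/usr/bin/csh"}):
        print(finding)
```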


/etc/security/passwd
Ex: - sybase:
password = 1wanjkFCH3OMU
lastupdate = 1123694767
flags =

Users' encrypted passwords are stored here. Total 4 fields.

Password: -
Specifies the encrypted password. The system encrypts the password created with the passwd command or the pwdadm command. If the password is empty, the user does not have a password. If the password is an * (asterisk), the user cannot log in. The value is a character string. The default value is *.

Lastupdate: -
Specifies the time (in seconds) since the epoch (00:00:00 GMT, January 1, 1970) when the password was last changed.

Flags: -
Specifies the restrictions applied by the login, passwd, and su commands. The following flags are available:
ADMCHG: - Password was last changed by an administrator or root.
ADMIN: - User password can be changed only by an administrator or root.
NOCHECK: - None of the system password restrictions defined in the /etc/security/user file are enforced for this password.



/etc/security/user

This file contains users' roles and security attributes. Total 31 fields.

account_locked Defines whether the account is locked. Locked accounts can not be used for
login. Possible values: true or false.

admin Defines the administrative status of the user. Possible values: true or false.

admgroups Lists the groups that the user administrates.

auth1 Defines primary authentication methods for a user. Commands login, telnet,
rlogin, and su support these authentication methods.
Possible values: SYSTEM, NONE, Token;Username.


SYSTEM :Describes normal password authentication in Version 3. Version 4 has
extended this definition to include loadable modules and an
authentication grammar. See SYSTEM attribute description below.

NONE :No authentication.

TOKEN; USERNAME: -A generic name for a custom authentication method
defined in /etc/security/login.cfg.

Example: - If auth1 is: auth1 = SYSTEM,mylogin;mary, And the stanza in
/etc/security/login.cfg is:
mylogin:
program = /etc/myprogram

This will do password authentication, and then invoke the program
/etc/myprogram with "mary" as the first parameter.

auth2 Defines the secondary authentication methods for a user. It is not a
requirement to pass this method to login. See auth1 description above for
examples.

SYSTEM Authenticates the user whether it's a local user login or a domain user login. Describes
Version 4 authentication requirements. This attribute can be used to
describe multiple or alternate authentication methods. See authenticate()
routine and SYSTEM grammar manual pages.
Possible tokens:
files : local only authentication.
compat : local plus NIS authentication. Version 3 behavior
DCE : Distributed Computing Environment authentication.
Example:
SYSTEM = "DCE OR DCE[UNAVAIL] AND compat"

daemon Defines whether the user can execute programs using the system resource
controller (SRC). Possible values: true or false.

dictionlist Defines the password dictionaries used when checking new passwords. The
format is a comma-separated list of absolute path names to dictionary files. A
dictionary file contains one word per line where each word has no leading or
trailing white space. Words should only contain 7 bit ASCII characters. All
dictionary files and directories should be write protected from everyone except
root. The default is valueless, which is equivalent to no dictionary checking.
Example dictionary: /usr/share/dict/words (Only available if text processing is
installed.)

expires Defines the expiration time for the user account. Possible values: a valid date in
the form MMDDHHMMYY or 0. If 0 the account does not expire. If 0101000070
the account is disabled. The range for YY is:
00 - 38 years 2000 thru 2038
39 - 99 years 1939 thru 1999

histexpire Defines the period of time in weeks that a user will not be able to reuse a
password. Possible values: an integer value between 0 and 260. 26
(approximately 6 months) is the recommended value. For example, if the previous
password is cms12 and histexpire=3 (3 weeks), the user cannot reuse the
password cms12 until 3 weeks have passed. If histsize=2 is also set, the user cannot
reuse the password until it has been changed at least 2 times; even after changing the
password 2 times, the user is not allowed to reuse the same password until the 3 weeks
have passed. Ex: - histexpire = 52 – defines how long a password cannot be re-used

histsize Defines the number of previous passwords which cannot be reused. For example, with
histsize=2 and a current password of cms12, the user cannot use the same
password again until the password has been changed at least 2 times. Possible
values: an integer value between 0 and 50. Ex: - histsize = 20 – defines how
many previous passwords the system remembers

login Defines whether the user can login. Possible values : true or false.

logintimes Defines the times a user can login. The value is a comma separated list of items
as follows: [!][MMdd[-MMdd]]:hhmm-hhmm
[!]MMdd[-MMdd][:hhmm-hhmm] or
[!][w[-w]]:hhmm-hhmm or
[!]w[-w][:hhmm-hhmm]

where MM is a month number (00=January, 11=December), dd is the day of the
month, hh is the hour of the day (00 - 23), mm is the minute of the hour, and w is
a weekday (0=Sunday, 6= Saturday).

loginretries The number of invalid login attempts before a user is not allowed to login.
Possible values: a positive integer or 0 to disable this feature. Once the account is
locked, the user will not be able to log in until the system administrator resets the user's
unsuccessful_login_count attribute in the /etc/security/lastlog file to be less than
the value of loginretries. To do this, enter the following:
chsec -f /etc/security/lastlog -s username -a unsuccessful_login_count=0

maxage Defines the maximum number of weeks a password is valid. The default is 0,
which is equivalent to unlimited. Range: 0 to 52.

maxexpired Defines the maximum number of weeks after maxage that an expired password
can be changed by a user. After this defined time, only an administrative user can
change the password. The default is -1, which is equivalent to unlimited.
Range: -1 to 52. maxage must be greater than 0 for maxexpired to be enforced.
(root is exempt from maxexpired.) Ex: - maxexpired = 4 – maximum time in
weeks a password can be changed after it expires

maxrepeats Defines the maximum number of times a given character can appear in a
password. The default is 8, which is equivalent to unlimited. Range: 0 to 8.

minage Defines the minimum number of weeks between password changes. The default is
0. Range: 0 to 52.

minalpha Defines the minimum number of alphabetic characters in a password. The
default is 0. Range: 0 to 8.

mindiff Defines the minimum number of characters in the new password that were not in
the old password. The default is 0. Range: 0 to 8.

minlen Defines the minimum length of a password. The default is 0. Range: 0 to 8.


minother Defines the minimum number of non-alphabetic characters in a password. The
default is 0. Range: 0 to 8.

pwdchecks You can specify a script to authenticate user password instead of using
/etc/security/passwd. Defines external password restriction methods used when
checking new passwords. The format is a comma-separated list of absolute path
names to methods and/or method path names relative to /usr/lib. A password
restriction method is a program module that is loaded by the password
restrictions code at runtime. All password restriction methods and directories
should be write protected from everyone except root. The default is valueless,
which is equivalent to no external password restriction methods.

pwdwarntime The number of days before a forced password change that a warning will be
given to the user informing them of the impending password change. Possible
values: a positive integer or 0 to disable this feature.

registry Describes where this user is administered. It is used whenever there is a
possibility of resolving a remotely administered user to the local administration
domain. This can happen when network services go down or network databases
are replicated locally. Possible values : files, NIS, or DCE

rlogin Defines whether the user account can be accessed by remote logins. Commands
rlogin and telnet support this attribute. Possible values: true or false.

su Defines whether other users can switch to this user account. Command su supports
this attribute. Possible values: true or false.

sugroups Defines which groups can switch to this user account. Alternatively you may
explicitly deny groups by preceding the group name with a ! character. Possible
values: A list of valid groups separated by commas, ALL, or .

tpath Defines the user's trusted path characteristics. Possible values:
nosak : The Secure Attention Key (SAK) key (^X^R) has no effect.
notsh : The SAK key logs you out. You can never be on the trusted path.
always : When you log in you are always on the trusted path.
on : The trusted path is entered when the SAK key is hit.

Note : This attribute only takes effect if the sak_enabled
attribute (in /etc/security/login.cfg) is set to
true for the port you are logging into.

ttys Defines which terminals can access the user account. Alternatively you may
explicitly deny terminals by preceding the terminal name with the ! character.
Possible values: List of device paths separated by commas, ALL or .

umask Defines the default umask for the user. Possible values: three-digit octal value.
Notes: Boolean values (i.e. true or false) may use any of the following values.
These values are not case sensitive. true, false, yes, no, always, never.

Ex: - A typical stanza looks like the following example for user dhs:

dhs:
login = true
rlogin = false
ttys = /dev/console
sugroups = security,!staff
expires = 0531010090
tpath = on
admin = true
auth1 = SYSTEM,METH2;dhs

cmsadmin:
admin = true
maxage = 8
minlen = 6
minalpha = 2
minage = 1
admgroups = adm

To allow all ttys except /dev/tty0 to access the user account, change the ttys entry so that it reads as follows:
ttys = !/dev/tty0,ALL


/etc/profile

Sets the user environment at login time.

The $HOME/.profile file contains commands that the system executes when you log in. The .profile also provides variable profile assignments that the system sets and exports into the environment. The /etc/profile file contains commands run by all users at login.

After the login program adds the LOGNAME (login name) and HOME (login directory) variables to the environment, the commands in the $HOME/.profile file are executed, if the file is present. The .profile file contains the individual user profile that overrides the variables set in the profile file and customizes the user-environment profile variables set in the /etc/profile file. The .profile file is often used to set exported environment variables and terminal modes. The person who customizes the system can use the mkuser command to set default .profile files in each user home directory. Users can tailor their environment as desired by modifying their .profile file.
Note: The $HOME/.profile file is used to set environments for the Bourne and Korn shells. An equivalent environment for the C shell is the $HOME/.cshrc file.

Examples
The following example is typical of an /etc/profile file:
#Set file creation mask
umask 022
#Tell me when new mail arrives
MAIL=/usr/mail/$LOGNAME
#Add my /bin directory to the shell search sequence
PATH=/usr/bin:/usr/sbin:/etc::
#Set terminal type
TERM=lft
#Make some environment variables global
export MAIL PATH TERM

$HOME/.hushlogin
If this file exists in root's or any user's home directory, you can get /etc/motd or login message.

/etc/group
Ex: - sybase:!:201:Sybase
staff:!:1:ipsec,sybase,utsdev,utstest,utsusr,test,subrep,utsusrwc,utstalk,utssub

Total 4 fields in /etc/group
Group Name : group password : group id : group members

A group password of ! means the password is stored somewhere else in a file; this does not exist in AIX.

/etc/security/group

This file contains all the groups on the system and their roles, i.e. who is the administrator of a group and who manages the group's users are defined here, along with extended group roles.

adms: - Defines the group administrators. Administrators are users who can perform
administrative tasks for the group, such as setting the members and administrators of the group. This attribute is ignored if admin = true, since only the root user can alter a group defined as administrative. The value is a list of comma-separated user login-names. The default value is an empty string.

admin : - Defines the administrative status of the group.
Possible values are:
True Defines the group as administrative. Only the root user can change the
attributes of groups defined as administrative.
False Defines a standard group. The attributes of these groups can be changed
by the root user or a member of the security group. This is the default
value.

EX: - # more /etc/security/group
system:
admin = true
adms = cmsadmin

staff:
admin = false

bin:
admin = true

sys:
admin = true

adm:
admin = true
adms = cmsadmin

/etc/security/login.cfg

Contains configuration information for login and user authentication.
There are three types of stanzas: -

Port Defines the login characteristics of ports.
Authentication method Defines the authentication methods for users.
user configuration Defines programs that change user attributes.

Port Stanzas

Port stanzas define the login characteristics of ports and are named with the full path name of the port. Each port should have its own separate stanza. Each stanza has the following attributes:
herald
Specifies the initial message to be printed out when getty or login prompts for a login name. Defines the login message printed when the getty process opens the port. The default herald is the login prompt. The value is a character string.

herald2
Defines the login message printed after a failed login attempt. The default herald is the login prompt. The value is a character string.

logindelay
Defines the delay factor (in seconds) between unsuccessful login attempts. For example, if a user enters an invalid password and logindelay=3 (3 seconds), the user gets the login prompt again after 3 seconds, i.e. the system waits 3 seconds between unsuccessful logins. The value is a decimal integer string. The default value is 0, indicating no delay between unsuccessful login attempts.
logindisable
Defines the number of unsuccessful login attempts allowed before the port is locked. If this is set to 3, the port will be locked after 3 invalid logins. The value is a decimal integer string. The default value is 0, indicating that the port cannot lock as a result of unsuccessful login attempts.
logininterval
Defines the time interval (in seconds) in which the specified unsuccessful login attempts must occur before the port is locked. If logindisable is 3 and a user enters an invalid password 3 times, the port will now get locked; but if logininterval is set to 50 (50 seconds), the system waits for 50 seconds before locking the port, and then the port is locked. The value is a decimal integer string. The default value is 0.
loginreenable
Defines the time interval (in minutes) a port is unlocked after a system lock. If a port is locked and loginreenable is 1 (1 minute), the port gets unlocked automatically after 1 minute. The value is a decimal integer string. The default value is 0, indicating that the port is not automatically unlocked.
logintimes
Specifies the times, days, or both the user is allowed to access the system.

sak_enabled
Defines whether the secure attention key (SAK) is enabled for the port. The SAK key is the Ctrl-X, Ctrl-R key sequence. Possible values for the sak_enabled attribute are:
true SAK processing is enabled, so the key sequence establishes a trusted path for the port.
false SAK processing is not enabled, so a trusted path cannot be established. This is the default value.
synonym
Defines other path names for the terminal. The path names should be device special files with the same major and minor number and should not include hard or symbolic links. The value is a list of comma-separated path names.

For example, if you specify synonym=/dev/tty0 in the stanza for the /dev/console path name, then the /dev/tty0 path name is a synonym for the /dev/console path name. However, the /dev/console path name is not a synonym for the /dev/tty0 path name unless you specify synonym=/dev/console in the stanza for the /dev/tty0 path name.

Authentication Method Stanzas

auth_method is no longer used. Security methods should be configured in /usr/lib/security/methods.cfg

auth_method:
program = /any/program
program_64 = /any/program64

auth_method corresponds to a custom authentication method specified in the SYSTEM attribute in /etc/security/user, and /any/program is the program to run in order to do the authentication. The program_64 attribute should be used for processes running in 64 bit mode; /any/program64 is a 64 bit program.

These stanzas define the authentication methods for users assigned in the /etc/security/user file. The name of each stanza must be identical to one of the methods defined by the auth1 or the auth2 attribute in the /etc/security/user file.

Each stanza has one attribute:
program
Contains the full path name of a program that provides primary or secondary authentication for a user. Program flags and parameters may be included.

Since the SYSTEM authentication method is supported directly by the login command and the su command, and the NONE method does not provide any authentication, neither requires definition. However, all other authentication methods must be defined in this file. Different authentication methods can be defined for each user.

User-Configuration Stanzas

User-configuration stanzas provide configuration information for programs that change user attributes. There is one user-configuration stanza: usw.

The usw stanza defines the configuration of miscellaneous facilities. The following attributes can be included:


logintimeout
Defines the time (in seconds) the user is given to type the password. The value is a decimal integer string. The default is a value of 60.

maxlogins
Defines the maximum number of simultaneous logins to the system. The format is a decimal integer string. The default value varies depending on the specific machine license. A value of 0 indicates no limit on simultaneous login attempts.

Note: Login sessions include rlogins and telnets; these are counted against the maximum allowable number of simultaneous logins by the maxlogins attribute.

shells
Defines the valid shells on the system. This attribute is used by the chsh command to determine which shells a user can select. The value is a list of comma-separated full path names. The default is /usr/bin/sh, /usr/bin/bsh, /usr/bin/csh, /usr/bin/ksh, or /usr/bin/tsh.

Ex: -
default:
sak_enabled = false
logintimes =
logindisable = 0
logininterval = 0
loginreenable = 0
logindelay = 0
herald = "\n\* Unreserved Ticketing System's Restricted Area *\n\r* Unauthorized use of this system is prohibited*\n\r* All Invalid logins are monitored for audit,*\n\r improper use of this system is criminal offence *\n\rLogin: "
*/dev/console:
* synonym = /dev/tty0

usw:

shells = /bin/sh, /bin/bsh, /bin/csh, /bin/ksh, /bin/tsh, /bin/ksh93, /usr/bin/sh, /usr/bin/bsh, /usr/bin/csh, /usr/bin/ksh,/usr/bin/tsh, /usr/bin/ksh93, /usr/bin/rksh, /usr/bin/rksh93, /usr/sbin/uucp/uucico, /usr/sbin/sliplogin, /usr/sbin/snappd
maxlogins = 32767
logintimeout = 60
auth_type = STD_AUTH


/etc/security/failedlogin

All failed login attempts are recorded here.

/etc/security/lastlog
Defines the last login attributes for users.

time_last_login
The last time that the user successfully logged into the system. Specifies the number of seconds since the epoch (00:00:00 GMT, January 1, 1970) since the last successful login. The value is a decimal integer.
tty_last_login
The last tty port that the user successfully logged into. Specifies the terminal on which the user last logged in. The value is a character string.

host_last_login
The host from which the user logged in from if the tty was not locally attached. This implies that the user used telnet or rlogin to log into the system. Specifies the host from which the user last logged in. The value is a character string.

unsuccessful_login_count
The number of attempts to log in as the user since the last successful login. The value is a decimal integer. This attribute works in conjunction with the user's loginretries attribute, specified in the /etc/security/user file, to lock the user's account after a specified number of consecutive unsuccessful login attempts. Once the user's account is locked, the user will not be able to log in until the system administrator resets the user's unsuccessful_login_count attribute to be less than the value of loginretries. To do this, enter the following:
chsec -f /etc/security/lastlog -s username -a unsuccessful_login_count=0

time_last_unsuccessful_login
The time that the last unsuccessful attempt to log in as the user was made. Specifies the number of seconds since the epoch (00:00:00 GMT, January 1, 1970) since the last unsuccessful login. The value is a decimal integer.

tty_last_unsuccessful_login
The tty port of the last unsuccessful attempt to log in as the user was made. Specifies the terminal on which the last unsuccessful login attempt occurred. The value is a character string.
host_last_unsuccessful_login
The host from which the last unsuccessful attempt to log in as the user was made. Specifies the host from which the last unsuccessful login attempt occurred. The value is a character string.

All user database files should be accessed through the system commands and subroutines defined for this purpose. Access through other commands or subroutines may not be supported in future releases.

EX: -

root:
time_last_login = 1139610504
tty_last_login = ftp
host_last_login = ::ffff:10.128.0.52
unsuccessful_login_count = 0
time_last_unsuccessful_login = 1136845660
tty_last_unsuccessful_login = ftp
host_last_unsuccessful_login = ::ffff:10.128.0.52

sybase:
time_last_login = 1139428239
tty_last_login = /dev/pts/6
host_last_login = loopback
unsuccessful_login_count = 0
time_last_unsuccessful_login = 1139428235
tty_last_unsuccessful_login = /dev/pts/6
host_last_unsuccessful_login = loopback
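
The loginretries, expires and account_locked attributes of /etc/security/user and the unsuccessful_login_count attribute of /etc/security/lastlog, both described above, together decide whether an account can log in. The following Python script is an added example, not part of the original post: it parses both stanza files and reports per-user findings. The sample stanzas, the finding names, the use of a default stanza for values a user stanza omits, and treating a missing loginretries as 0 are assumptions.

```python
from datetime import datetime

TRUE_VALUES = {"true", "yes", "always"}   # boolean spellings listed for /etc/security/user

# Constructed sample of /etc/security/user (not from a real system).
USER_SAMPLE = """\
default:
        loginretries = 3
        minlen = 6
        maxage = 8
        auth1 = SYSTEM

dhs:
        expires = 0531010090
        auth1 = SYSTEM,METH2;dhs

guest:
        loginretries = 0
        minlen = 0
        maxage = 0
        auth1 = NONE

batch:
        account_locked = Yes

ops:
        admin = false
"""

# Constructed sample of /etc/security/lastlog.
LASTLOG_SAMPLE = """\
dhs:
        unsuccessful_login_count = 1
guest:
        unsuccessful_login_count = 12
ops:
        unsuccessful_login_count = 3
"""


def parse_stanzas(text):
    """Parse stanza text ("name:" followed by "attr = value" lines) into a dict."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):        # "*" begins a comment line
            continue
        if line.endswith(":") and "=" not in line:  # stanza header
            current = stanzas.setdefault(line[:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip().strip('"')
    return stanzas


def decode_expires(value):
    """Decode MMDDHHMMYY; "0" means the account does not expire."""
    if value == "0":
        return None
    mm, dd, hh, mi, yy = (int(value[i:i + 2]) for i in range(0, 10, 2))
    year = 2000 + yy if yy <= 38 else 1900 + yy     # 00-38 -> 2000s, 39-99 -> 1900s
    return datetime(year, mm, dd, hh, mi)


def audit(user_text, lastlog_text, now):
    """Return {user: [finding, ...]} from the two stanza files."""
    users = parse_stanzas(user_text)
    lastlog = parse_stanzas(lastlog_text)
    default = users.pop("default", {})              # assumption: default supplies omitted values
    report = {}
    for name, attrs in users.items():
        eff = {**default, **attrs}
        found = []
        retries = int(eff.get("loginretries", "0"))
        failed = int(lastlog.get(name, {}).get("unsuccessful_login_count", "0"))
        if eff.get("account_locked", "false").lower() in TRUE_VALUES:
            found.append("ADMIN_LOCKED")
        if retries == 0:                            # 0 disables the retry lock
            found.append("NO_LOCKOUT")
        elif failed >= retries:                     # unlocked only once count < loginretries
            found.append("LOCKED_BY_RETRIES")
        methods = [m.split(";")[0].strip() for m in eff.get("auth1", "").split(",")]
        if "NONE" in methods:                       # NONE means no authentication
            found.append("NO_AUTH")
        if int(eff.get("minlen", "0")) == 0:
            found.append("NO_MINLEN")
        if int(eff.get("maxage", "0")) == 0:        # 0 is equivalent to unlimited
            found.append("NO_MAXAGE")
        expires = decode_expires(eff.get("expires", "0"))
        if expires is not None and expires <= now:
            found.append("EXPIRED")
        report[name] = found
    return report


if __name__ == "__main__":
    for user, found in audit(USER_SAMPLE, LASTLOG_SAMPLE, datetime.now()).items():
        print(user, found)
```

In the constructed data, guest has 12 failed logins recorded but is never locked because loginretries is 0, while ops is locked at exactly 3 failures.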

/etc/environment

Sets up the user environment.
The /etc/environment file contains variables specifying the basic environment for all processes. When a new process begins, the exec subroutine makes an array of strings available that have the form Name=Value. This array of strings is called the environment. Each name defined by one of the strings is called an environment variable or shell variable. The exec subroutine allows the entire environment to be set at one time.

Environment variables are examined when a command starts running. The environment of a process is not changed by altering the /etc/environment file. Any processes that were started prior to the change to the /etc/environment file must be restarted if the change is to take effect for those processes. If the TZ variable is changed, the cron daemon must be restarted, because this variable is used to determine the current local time.

HOME
The full path name of the user login or HOME directory. The login program sets this to the name specified in the /etc/passwd file.
LANG
The locale name currently in effect. The LANG variable is set in the /etc/environment file at installation time.

NLSPATH
The full path name for message catalogs. The default is:
/usr/lib/nls/msg/%L/%N: /usr/lib/nls/msg/%L/%N.cat:

where %L is the value of the LC_MESSAGES category and %N is the catalog file name.
Note: See the chlang command for more information about changing message catalogs.

LC__FASTMSG
If LC__FASTMSG is set to false, POSIX-compliant message handling is performed. If LC__FASTMSG is set to true, it specifies that default messages should be used for the C and POSIX locales and that NLSPATH is ignored. If this variable is set to anything other than false or unset, it is considered the same as being set to true. The default value is LC__FASTMSG=true in the /etc/environment file.
LOCPATH
The full path name of the location of National Language Support tables. The default is /usr/lib/nls/loc and is set in the /etc/profile file. If the LOCPATH variable is a null value, it assumes that the current directory contains the locale files.
Note: All setuid and setgid programs will ignore the LOCPATH environment variable.



PATH
The sequence of directories that commands such as the sh, time, nice and nohup commands search when looking for a command whose path name is incomplete. The directory names are separated by colons.
TZ
The time-zone information. The TZ environment variable is set by the /etc/environment file. The TZ environment variable has the following format (spaces inserted for readability):

std offset dst offset, rule

The fields within the TZ environment variable are defined as follows:
std and dst
Designate the standard (std) and summer (dst) time zones. Only the std value along with the appropriate offset value is required. If the dst value is not specified, summer time does not apply. The values specified may be no less than three and no more than TZNAME_MAX bytes in length. The length of the variables corresponds to the %Z field of the date command; for libc and libbsd, TZNAME_MAX equals three characters. Any nonnumeric ASCII characters except the following may be entered into each field: a leading : (colon), a , (comma), a - (minus sign), a + (plus sign), or the ASCII null character.
Note: POSIX 1.0 reserves the leading : (colon) for an implementation-defined TZ specification. AIX disallows the leading colon, selecting CUT0 and setting the %Z field to a null string.

An example of std and dst format is as follows: EST5EDT

EST
Specifies Eastern U.S. standard time.
5
Specifies the offset, which is 5 hours behind Coordinated Universal Time (CUT).
EDT Specifies the corresponding summer time zone abbreviation.
Note: See "Time Zones" for a list of time zone names defined for the system.
offset Denotes the value added to local time to equal Coordinated Universal Time (CUT). CUT is the international time standard that has largely replaced Greenwich Mean Time. The offset variable has the following format:

hh:mm:ss

The fields within the offset variable are defined as follows:
hh
Specifies the dst offset in hours. This field is required. The hh value can range between the integers -12 and +11. A negative value indicates the time zone is east of the prime meridian; a positive value or no value indicates the time zone is west of the prime meridian.
mm
Specifies the dst offset detailed to the minute. This field is optional. If the mm value is present, it must be specified between 0 and 59 and preceded by a : (colon).
ss
Specifies the dst offset detailed to the second. The ss field is optional. If the ss value is present, it must be specified between 0 and 59 and preceded by a : (colon).

An offset variable must be specified with the std variable. An offset variable for the dst variable is optional. If no offset is specified with the dst variable, the system assumes that summer time is one hour ahead of standard time.

As an example of offset syntax, Zurich is one hour ahead of CUT, so its offset is -1. Newfoundland is 1.5 hours ahead of eastern U.S. standard time zones. Its syntax can be stated as any of the following: 3:30, 03:30, +3:30, or 3:30:00.
rule The rule variable indicates when to change to and back from summer time. The rule variable has the following format:

start/time,end/time
The fields within the rule variable are defined as follows:
start
Specifies the change from standard to summer time.
end
Specifies the return to standard time from summer time.
time
Specifies when the time changes occur within the time zone. For example, if the time variable is encoded for 2 a.m. then the time changes when the time zone reaches 2 a.m. on the date specified in the start variable.

EX: -
TZ=IST+5:30
LANG=en_US
LOCPATH=/usr/lib/nls/loc
NLSPATH=/usr/lib/nls/msg/%L/%N:/usr/lib/nls/msg/%L/%N.cat
LC__FASTMSG=true

# ODM routines use ODMDIR to determine which objects to operate on
# the default is /etc/objrepos - this is where the device objects
# reside, which are required for hardware configuration

ODMDIR=/etc/objrepos

/etc/security/environ
Defines the environment attributes for users.

If environment attributes are not defined, the system uses default values. Each user stanza can have the following attributes:
usrenv
Defines variables to be placed in the user environment when the initial login command is given or when the su command resets the environment. The value is a list of comma-separated attributes. The default value is an empty string.

sysenv
Defines variables to be placed in the user protected state environment when the initial login command is given or when the su command resets the environment. These variables are protected from access by unprivileged programs so other programs can depend on their values. The default value is an empty string.

Examples :- A typical stanza looks like the following example for user dhs:

dhs:
usrenv = "MAIL=/home/spool/mail/dhs,MAILCHECK=600"
sysenv = "NAME=dhs@delos"
EX: -

default:

root:

daemon:

/etc/security/limits

Defines process resource limits for users.

Note: Changing the limit does not affect processes that are started by init; in other words, ulimits are only used by processes that go through the login process.

The /etc/security/limits file defines process resource limits for users. This file is an ASCII file that contains stanzas that specify the process resource limits for each user. These limits are set by individual attributes within a stanza.

Each stanza is identified by a user name followed by a colon, and contains attributes in the Attribute=Value form. A new-line character ends each attribute, and an additional new-line character ends each stanza. If you do not define an attribute for a user, the system applies default values.

If the hard values are not explicitly defined in the /etc/security/limits file but the soft values are, the system substitutes the following values for the hard limits:
Resource Hard Value
Core Size unlimited
CPU Time cpu
Data Size unlimited
File Size fsize
Memory Size unlimited
Stack Size unlimited
File Descriptors unlimited
Note: Use a value of -1 to set a resource to unlimited.

If the hard values are explicitly defined but the soft values are not, the system sets the soft values equal to the hard values.

You can set the following limits on a user:

fsize
Largest file size that can be created or extended. Identifies the soft limit for the largest file a user's process can create or extend.

core
Largest core file size that can be created. Specifies the soft limit for the largest core file a user's process can create.

cpu
Amount of cpu time to be used by each process. Must log out and back in for the changes to take affect.
Sets the soft limit for the largest amount of system unit time (in seconds) that a user's process can use.
data
Identifies the soft limit for the largest process data segment for a user's process.

stack
Specifies the soft limit for the largest process stack segment for a user's process.

Rss
Sets the soft limit for the largest amount of physical memory a user's process can allocate. This limit is not enforced by the system.
Nofiles
Sets the soft limit for the number of file descriptors a user process may have open at one time.
core_hard
Specifies the largest core file a user's process can create.

cpu_hard
Sets the largest amount of system unit time (in seconds) that a user's process can use.

data_hard
Identifies the largest process data segment for a user's process.

fsize_hard
Identifies the largest file a user's process can create or extend.

rss_hard
Sets the largest amount of physical memory a user's process can allocate. This limit is not enforced by the system.

stack_hard
Specifies the largest process stack segment for a user's process.

nofiles_hard
Sets the soft limit for the number of file descriptors a user process may have open at one time.

Except for the cpu attribute, each attribute must be a decimal integer string representing the number of 512-byte blocks allotted to the user. The cpu attribute is a decimal integer string representing the amount of system unit time in seconds.
EX: -

default:
fsize = -1
* 2097151
core = -1
* 2097151
cpu = -1
data = -1
* 262144
rss = -1
* 65536
stack = -1
* 65536
nofiles = 8000

root:
daemon:


/etc/shells

All valid shells are specified in this file.
/bin/csh
/bin/ksh
/bin/psh
/bin/tsh
/bin/bsh
/usr/bin/csh
/usr/bin/ksh
/usr/bin/psh
/usr/bin/tsh
/usr/bin/bsh

/etc/motd
Message of the day file

/etc/security/.ids
Holds the value for the next assignment to a group/user id and group/user admin id. Used by mkuser and mkgroup commands.
Sample contents: 4 203 12 200
• 4 = administrative user id (mkuser -a)
• 203 = user id (mkuser)
• 12 = administrative group id (mkgroup -a)
• 200 = group id (mkgroup)

Ex: -
# more /etc/security/.ids
8 213 14 202

Check /etc/passwd: the last UID will be 212 if "more /etc/security/.ids" displays 213 in the second column. The file holds the UID or GID that will be given to the next user or group created on the system. When a user is added with useradd or adduser, the system automatically assigns UID 213 to the new user and updates the second column of /etc/security/.ids to 214.


/etc/security/.profile

/usr/lib/security/mkuser.sys
This script is run during the user creation process. It creates the user's home directory, sets group and ownership rights on that home directory, and finally copies /etc/security/.profile to .profile in the user's home directory:
cp /etc/security/.profile $1/.profile

/usr/lib/security/mkuser.default

Contains the default attributes for new users.
The /usr/lib/security/mkuser.default file contains the default attributes for new users. This file is an ASCII file that contains user stanzas. These stanzas have attribute default values for users created by the mkuser command. There are two stanzas, user and admin, that can contain all defined attributes except the id and admin attributes. The mkuser command generates a unique id attribute. The admin attribute depends on whether the -a flag is used with the mkuser command.
Access Control: If read (r) access is not granted to all users, members of the security group should be given read (r) access. This command should grant write (w) access only to the root user.
Example
A typical user stanza looks like the following:
Below are the default attributes that are assigned automatically when a new user is created. For example, if you just enter mkuser amrik without specifying attributes such as the primary group or home directory, the system sets them from these defaults.
user:
pgroup = staff
groups = staff
shell = /usr/bin/ksh
home = /home/$USER
auth1 = SYSTEM

admin:
pgrp = system
groups = system
shell = /usr/bin/ksh
home = /home/$USER



pgroup: - Primary group the user belongs to
groups: - Secondary groups of which this user will be a member
shell: - Login shell, taken from the shells supported by the shell stanza of
/etc/security/login.cfg
home: - User's login home directory; it can also be modified.


/etc/security/user.roles
Contains the list of roles for each user. The /etc/security/user.roles file contains the list of roles for each user. This is an ASCII file that contains a stanza for system users. Each stanza is identified by a user name followed by a : (colon) and contains attributes in the form Attribute=Value. Each attribute pair ends with a newline character as does each stanza.
This file supports a default stanza. If an attribute is not defined, either the default stanza or the default value for the attribute is used.
A stanza contains the following attribute:
roles Contains the list of roles for each user.
The user.roles file is kept separately from the /etc/security/user file for performance reasons. Several commands scan this database, so system performance increases with smaller files to scan (especially on systems with large numbers of users).




/etc/security/roles

The /etc/security/roles file contains the list of valid roles. This is an ASCII file that contains a stanza for each system role. Each stanza is identified by a role name followed by a : (colon) and contains attributes in the form Attribute=Value. Each attribute pair ends with a newline character as does each stanza.
The file supports a default stanza. If an attribute is not defined, the default value for the attribute is used.
A stanza contains the following attributes:
rolelist Contains a list of roles implied by this role and allows a role to function as a super-role. If the rolelist attribute contains the value of "role1,role2", assigning the role to a user also assigns the roles of role1 and role2 to that user.
authorizations Contains the list of additional authorizations acquired by the user for this specific role.
groups Contains the list of groups that a user should belong to in order to effectively use this role. The user must be added to each group in this list for this role to be effective.
screens Contains a list of SMIT screen identifiers that allow a role to be mapped to various SMIT screens. The default value for this attribute is * (all screens).
msgcat Contains the file name of the message catalog that contains the one-line descriptions of system roles.
msgnum Contains the message ID that retrieves this role description from the message catalog.


Examples
A typical stanza looks like the following example for the ManageAllUsers role:
ManageAllUsers:
rolelist = ManageBasicUsers
authorizations = UserAdmin,RoleAdmin,PasswdAdmin,GroupAdmin
groups = security
screens = mkuser,rmuser,!tcpip
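
The two resolution rules described above, soft/hard limit substitution in /etc/security/limits and rolelist expansion in /etc/security/roles, worked through as an added Python example (not code from the original page or from AIX). The sample file contents, the ManageBasicUsers stanza, and the assumption that a user stanza overrides the default stanza attribute by attribute are constructed for illustration.

```python
# Added example, not from the original page. Sample file contents are constructed.

# Hard value substituted when only the soft value is set (table in the limits
# section above); a resource name means "copy that soft value". Mapping
# "Memory Size" to rss and "File Descriptors" to nofiles is an assumption.
HARD_FALLBACK = {
    "core": "unlimited", "cpu": "cpu", "data": "unlimited", "fsize": "fsize",
    "rss": "unlimited", "stack": "unlimited", "nofiles": "unlimited",
}
UNLIMITED = -1  # the page: "Use a value of -1 to set a resource to unlimited"


def parse_stanzas(text):
    """Return {stanza_name: {attribute: value}} from 'name:' / 'attr = value' text."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):  # lines starting with '*' are comments
            continue
        if line.endswith(":") and "=" not in line:
            current = stanzas.setdefault(line[:-1].strip(), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip().strip('"')
    return stanzas


def resolve_limits(stanzas, user):
    """Effective (soft, hard) per resource for one user; -1 means unlimited."""
    merged = dict(stanzas.get("default", {}))
    merged.update(stanzas.get(user, {}))  # assumption: per-attribute override
    result = {}
    for res, fallback in HARD_FALLBACK.items():
        soft, hard = merged.get(res), merged.get(res + "_hard")
        if soft is None and hard is None:
            continue  # neither defined: left to the system default
        if hard is None:  # only soft defined: substitute per the table
            hard = str(UNLIMITED) if fallback == "unlimited" else merged[fallback]
        if soft is None:  # only hard defined: soft equals hard
            soft = hard
        result[res] = (int(soft), int(hard))
    return result


def unlimited_hard(limits):
    """Resources whose resolved hard limit is unlimited (worth reviewing)."""
    return sorted(r for r, (_, hard) in limits.items() if hard == UNLIMITED)


def split_list(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def expand_role(roles, name, seen=None):
    """Follow rolelist recursively; collect implied roles, authorizations, groups."""
    seen = set() if seen is None else seen
    out = {"roles": set(), "authorizations": set(), "groups": set()}
    if name in seen or name not in roles:  # guards against rolelist cycles
        return out
    seen.add(name)
    out["roles"].add(name)
    stanza = roles[name]
    out["authorizations"].update(split_list(stanza.get("authorizations", "")))
    out["groups"].update(split_list(stanza.get("groups", "")))
    for implied in split_list(stanza.get("rolelist", "")):
        for key, values in expand_role(roles, implied, seen).items():
            out[key] |= values
    return out


def user_authorizations(user_roles, roles, user):
    """Authorizations a user holds through the roles in their user.roles stanza."""
    default = user_roles.get("default", {}).get("roles", "")
    assigned = user_roles.get(user, {}).get("roles", default)
    auths = set()
    for role in split_list(assigned):
        auths |= expand_role(roles, role)["authorizations"]
    return sorted(auths)


# Constructed sample inputs (ManageAllUsers is the stanza shown above).
LIMITS_SAMPLE = """default:
    fsize = 2097151
    cpu = -1
*   comment line, ignored
    nofiles = 2000

dhs:
    fsize = 4194303
    core_hard = 0
"""
ROLES_SAMPLE = """ManageAllUsers:
    rolelist = ManageBasicUsers
    authorizations = UserAdmin,RoleAdmin,PasswdAdmin,GroupAdmin
    groups = security
    screens = mkuser,rmuser,!tcpip

ManageBasicUsers:
    authorizations = UserAudit
"""
USER_ROLES_SAMPLE = "dhs:\n    roles = ManageAllUsers\n"

if __name__ == "__main__":
    limits = resolve_limits(parse_stanzas(LIMITS_SAMPLE), "dhs")
    print("dhs limits:", limits, "unlimited hard:", unlimited_hard(limits))
    roles = parse_stanzas(ROLES_SAMPLE)
    print("dhs authorizations:",
          user_authorizations(parse_stanzas(USER_ROLES_SAMPLE), roles, "dhs"))
```

In the sample, dhs ends up with an unlimited hard nofiles limit even though a soft value of 2000 is set, because only the soft value was defined.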

Resume point....


· Upgradation of TL (technology level)
· Perform system startup and shutdown
· Installation of software and OS patches
· Adding new packages and applications when required by the developer.
· Creating file systems.
· Check and Repair File system
· Checking for error report on servers
· Sharing files by using nfs and mounting on client machines
· Create and manage user and group accounts
· Configuring Network Interfaces, Collect network device statistics.
· Scheduling the jobs using Crontab.
· Exporting volume group from one node to other and adding new disks to volume group.
· Replacing failed devices.
· Designing and managing disk space using AIX Logical Volume management.
· Adding / Removing Paging space
· Taking regular system backup using mksysb and volume group backups using savevg.
· Performance monitoring using vmstat, iostat, etc.
· Writing shell/perl scripts to accomplish day to day system administration task
· Providing L1 and L2 support for Linux

Thursday, September 2, 2010

AIX pocket Survival guide !

This is for my and your reference!

AIX Admin 101




PMR - Problem Management Record.

PTF - Program Temporary Fix

APAR - Authorized Program Analysis Report, specific release of PTF. eg IYnnnnn, IXnnnnn

ML - Maintenance Level, grouping of APAR. eg 5300-04 is ML 4

SP - Service Pack (starting aix 5.3 ML 3) eg 5300-03-01 is SP 1 on ML3

TL -



Fileset - group of files, eg bos.adt.libm

VRMF - Version, Release, Modification/Maintenance level, and Fix.

eg 5.2.0.60





smit

A lot of the sys admin task in AIX can be done thru smit (or smitty for TUI version). It can accept a parameter to get to a specific menu section right away.



Here are some examples:



smit mktcpip # configure network parameters

smit chfs # change file system, eg grow/extend it.

smit lsprt # list printers (don't list all, may need to go thru long menu)

smit installp # Add new software

smit update # add patches

smit update_all # automatic add patches to existing sw, no complain if patch is not relevant





smitty fastpath:



Action    Prefix    Device      Abbreviation
------    ------    ------      ------------
(add)     mk        (printer)   prt
(change)  ch        (tty)       tty
(list)    ls        (pty)       pty
(remove)  rm        (disk)      dsk
                    (cdrom)     cdr
                    (diskette)  dskt
                    (tape)      tpe
                    (adapter)   adp

lang



Keystrokes:

F3 or ESC, 3 Cancel, go back

F4 or ESC, 4 Provide list of items to choose from

F6 or ESC, 6 Show command that smit will actually run

F10 or ESC, 10 Exit smitty





Linux Affinity

AIX is affectionately known as It Ain't uniX. With version 5L that added Linux Affinity, it may be called Ain't It linuX?

The linux toolkit does add a lot of open source utilities for AIX, and it even provides an rpm package manager to manipulate these open source tools. However, it is stuck in the past, circa 2002, and so many of the newer Linux updates are not available. For example, there is no rpmbuild; use the old rpm --recompile instead. There is no automatic patch to update the source code from a Source RPM. These deficiencies make development in AIX extremely painful.





AIX Idiosyncrasies

If a file is held open by the OS with a running program, it is not allowed to be overwritten (think Windows). For example, /lib/security/NSS_LDAP and /usr/lib/netsvc/dynload/nss_ldap.so are modules loaded by the authentication subsystem, and these files are locked and cannot be upgraded.





Initial System Setup

smitty assist # init os setup assistant to config basic system param.



/usr/sbin/install_assist # what get launched automatically after init install reboot









FS Layout

AIX uses a pretty good volume manager out of the box. Every FS can be expanded on the fly, so no special work is really needed on initial setup. If you use /home as an NFS mounted home dir, you may wish to update /etc/filesystems so that the local disk is mounted as /localhome or something.





Bundle Install

The AIX that comes with the machine often doesn't have all the desired software packages installed. It may be good to add some bundles before releasing the machine for general use.



eg: Add the Application Development bundle ::

/usr/lib/instl/sm_inst installp_cmd -a -Q -d '/nfshome/sa/aix53/cd1' -b 'App-Dev' -f 'all' '-c' '-N' '-g' '-X' '-G'



Other bundles that can be installed are:

AllDevicesKernels

Alt_Disk_Install

App-Dev

CC_EVAL.Graphics

CDE

GNOME

Graphics

KDE

Kerberos_5 (Expansion Pack)

Media-Defined

Mozilla (AIX Toolbox for Linux Applications, Mozilla CD)

PerfTools

Server

Note that not everything is in the first CD. Time for IBM to get with DVD media, no? :)





See also Config Files





Firmware/BIOS

When upgrading an older machine to a new version of AIX, be sure to check the AIX release notes to ensure the machine in question is still supported, and whether any firmware update may be needed.



RS/6000 / pSeries machine firmware is typically updated while AIX is still running. Many older machines do not support firmware update in SMS. Old hardware or firmware has a tendency to crap out in the boot process with error 20EE000B (unable to find boot device), even when booting from the CD for the initial install works fine. The saving grace is that one can boot and reinstall the old OS should the machine become unbootable.



# show firmware version, sample output included

# the last 6 digit of the firmware is a date code YYMMDD

lscfg -vp | grep -p Platform



Platform Firmware:

ROM Level.(alterable).......3R040323

Version.....................RS6K

System Info Specific.(YL)...U0.1-P1/Y1

Physical Location: U0.1-P1/Y1





# copy new firmware from CDROM into a new dir /tmp/fwupdate

# inside the microcode dir in the CDROM are subdir for each machine type

# refer to the doc inside this dir for full details on firmware upgrade.

cp /mnt/cdrom/microcode/... /tmp/fwupdate



# run checksum on the firmware image.

sum vvYYMMDD.img



# perform the update, it will reboot the machine automatically when done

cd /usr/lpp/diagnostics/bin

./update_flash -f /tmp/fwupdate/3R041029.img





Boot Time Troubleshooting



RC scripts executed at startup:



/etc/rc.d/rcN.d/

same as solaris, Snn--- script, but there is nothing in here from basic OS.

normal run level is 2. Placed S74autofs and S89sshd in rc2.d .

/etc/rc.d/rc script is the one that sources all the rcN.d,

but this script doesn't seem to exist by default,

had to be copied from another 4.3.3 machine and then it was fine.

For some unknown reason, init script for AIX 5.3 doesn't seem to run

correctly!! (eg, opensshd script will create log, but fail to start)







AIX default system config is to have a few named rc scripts,

they are all started by init as per /etc/inittab:

/etc/rc.tcpip # tcp config, but could not start sshd from here at boot, so placed in rc2.d/S89sshd.

/etc/rc.nfs # includes NIS, rcp

/etc/rc.emcpower # emc added their own startup script here, which is called form /etc/inittab.





Single User/Maintenance Mode

For servers with Service Processor:

Power off machine

Navigate the Service Processor menu (avail only when machine is off, from serial console):

go to (2) system power control menu

go to (7) Boot Mode Menu (some system list it as AIX/Linux mode config)

go to (2) Service Mode boot from Saved List (to enable Maintenance Mode, diff than SMS mode).

Power on machine.

Kernel will boot, then ask which options to boot to, choose single user mode (maintenance mode has less capability).



To install new OS to system, change system to get into System Management Service (SMS) mode. Then choose to boot from cdrom (first CD for OS install).



A note about the old desktop machines (eg 43P-140 604e-332 PowerPC 760):

When machine first boot, it will display various number on the various terminal.

eg. 0 for ASCII console (dumb terminal), 1 on first graphics video, 2 on second graphics video.

Press the number corresponding to the video that you wish to use.

This setting is "memorized" by the system, which prompts again only when there is a hardware config change.

To get into the graphical System Management Service (SMS) mode, press F1 as soon as the double beep "dirip-dirip" chirps happen (and the keyboard icon is displayed).

You better be quick, do it before the long chime of the speaker test happens (the fifth/last icon in startup: speaker icon).

If using ASCII console, F-keys are simulated via ESC+Number keys. The graphical icons won't appear, but the equivalent text will be displayed progressively across the screen:





memory keyboard network scsi speaker



Pressing F8 will go to the open firmware OK prompt. There are only a few commands accepted:



devalias

printenv

setenv

boot [DEVICE]



boot disk will do a normal boot from hard drive. This is the default action if open firmware is not explicitly invoked.

boot cd will boot from the cdrom and run the installer program, whereby it will prompt for install config info.

There is also option to get into maintenance mode (?? It is NOT boot -s !!)

More info about open firmware: IEEE 1275.

SMS has entry to define boot device scan sequence, which is based on SCSI (lowest ID first). However, actual boot is according to Open Firmware boot command, so which device is booted depends on what the alias for disk is defined as. In summary, ignore the SCSI id boot sequence in SMS.



Some systems require pressing F5 instead of F1 to get into SMS mode. If you are lucky, some will display what key to press to get into what mode right before the hardware scan progress, eg:





1 = SMS Menu 5 = Default Boot List

6 = Stored Boot List 8 = Open Firmware Prompt



IBM RS/6000 hardware is pretty finicky and OS support may not be available for some machines. AIX 5.2 will not support any machines with an ISA bus. Some 43P have such a bus and thus can only run AIX 5.1 as the latest OS. Other 43P that don't have an ISA bus can run the newer AIX. If you wish to install Linux, expect even more finickiness, as there are lots of small modifications between motherboards of different serial numbers. Linux may run on one 43P, but not another that looks the same. ie: don't install Linux on these putters!

Random Daily Sys Admin Tasks



See if system has ASync IO feature installed:



lslpp -l | grep -i asyn # list bos.rte.aio package installation

lppchk -c # check to ensure all fileset are installed correctly

lsdev -C -t aio # list whether async io is avail as device

smitty chgaio # smit interface to activate aio, reboot req.





---



smitty chtz # change timezone info

# /etc/environment TZ=PST8PDT

date -u # display internal system clock (in CUT/GMT).

# reboot was recommended, but all future login will see

# correct TZ. cron and stuff may not update till reboot.





---



AIX WebSM, default port is 9090 (/etc/services)

To disable, use /usr/websm/bin/wsmserver -disable; -enable will re-enable it.



HTTP server, started in /etc/inittab !

So it will respawn if it is just killed, edit inittab to free up port 80!



EMC navisphere agent also started in inittab, I guess it is the AIX way.

it calls /etc/rc.agent



----



ibm option number for universal (oem) cabinet rack mount rail part. OEM means 3rd party cabinet. IBM cabinet rails are fixed length!

p5 9113-550 :: 7162 IBM/OEM RACK-MOUNT DR.RAIL KIT 1 168.00



p5 510 :: 7166 IBM/OEM RACK-MOUNT DR.RAIL KIT 1 150.00





Storage

Disk/Volume Management/Filesystem

AIX has probably the most admin-friendly Logical Volume Manager and Filesystem of all the major Unices out there. It uses a single LVM for every FS. Every FS is extendable online without the need to unmount. It does have a lot of commands that are needed to manipulate the system though. But if you just need to get more space on a given FS/partition, just use smit chfs.

TLA  name           eg                      sample cmd
---  -------------  ----------------------  --------------------
PP   physical part
LP   logical part

PV   physical vol   hdisk0 hdisk1           lspv
VG   volume group   rootvg appvg            lsvg mkvg extendvg
LV   logical vol    /dev/hd0 /dev/hd9var    lslv mklv
FS   filesystem     / /var                  lsfs mount



hdiskN are physical hard drives (or RAID device?)

/dev/hdN are FS level mountable device, these are created by the LVM.

/dev/hdN are subcomponents of VG such as rootvg.





smit vg # display and set logical volume group info



lsdev -Cc adapter # list many adapters, include fc, scsi, ide, pci, LPAR virtual, usb, graphics

lsdev -Cc disk # list hard disks. eg hdisk0 hdisk1

rmdev -dl hdisk2 # remove a named disk from config, often needed when san disk has been

# changed on the storage server side. after rm, rescan the bus.



lsvg # list all VG present in system

lsvg rootvg # VG space usage and free, PP size, etc

lsvg -l rootvg # list LP content of rootvg

lsvg -p rootvg # list PP used and free for a VG

# when LV/FS need to be extended.



extendvg -f rootvg hdisk8 # allocate physical hd to VG rootvg

smitty vg # smitty for Vol Grp, allow remove vg



mklv -y'appvol00' appvg 1 # create logical volume (after volume group defined via mkvg)

# if -y is not given, a generic volume name will be assigned.

# This step isn't strictly needed, mkfs will create generic vol as needed.

mkvg -f -y'appvg' hdisk2 hdisk3 # create a VG appvg from 2 physical hd

mkvg # original Vol Grp (Max 32 PV, 255 LV)

mkvg -B # Big Volume Group (Max 128 PV, 512 LV, 4.3.1+)

mkvg -S # Scalable Vol Group (Max 1024 PV, 256 LV, 5.2+)



smit fs # best to use smit to create a fs, many parameters.

# it typically calls crfs -v jfs2



reorgvg # reorganize PP w/in vol grp



lsfs # list fs on machine, kinda like mount,

# diff output, only list fs in /etc/filesystems.



chfs -a size=+1 /dev/hd2 # grow a file system, size mult of 512 bytes, but

# always rounded up to integer number of PP

# 8 mb, 64 mb, etc (see lsvg rootvg pp size)

# to add 256mb, use size=+524288

# 256 * 1024*1024 / 512 = 524288 blocks

# ie, use size val of [ X MB * 2048 (constant) ]

chfs -a size=+1 /tmp # /dev/hd2 can be substituted by the fs mount pt.

smitty chfs # will see SIZE for more accurate resizing.

# count is # of 512 bytes block,

# value is absolute num only.

# Can also shrink fs while mounted (at least tested in 5.3)



lslv hd1 # info of LV hd1 (find from mount

# what fs it belongs to).



cplv # copy LV

chlv # change LV,

# cplv + chlv = move Log Vol b/w Vol Grp.



lspv # list PVID (physical volume id) and vg on disk

lspv -l hdisk0 # list what fs are on a given disk

# good to check to ensure fs does not span more

# than one disk unnecessarily, to reduce disk

# crash damage.



migratepv -l LVname oldPV newPV # move a fs w/in same vol grp, but diff hd. eg

migratepv -l paging00 hdisk1 hdisk2 # migrate paging, can take a while!









varyonvg VGname # vary on a vol grp, needed before VG is accessible,

# typically automatic with most commands now

varyoffvg VGname # vary off, ie, make vol grp offline.



exportvg VGname # dissociate /etc/filesystems etc from the computer,

# making the VG available for mount by another computer

importvg -y VGname hdiskN # reimport the VG. Remember the vary cmd.



lqueryvg -p hdisk0 -v # Determine the VG ID# on hdisk0

lqueryvg -p hdisk0 -L # Show all the LV ID#/names in the VG on hdisk0

lqueryvg -p hdisk0 -P # Show all the PV ID# that reside in the VG on hdisk0



getlvodm -u rootvg # Determine if ODM and VGDA data are correct (in sync)









chvg -u rootvg # unlock rootvg (maybe locked during crash, ODM problems)

getlvodm/putlvodm # disk ODM repair related.



smitty mklvcopy # smitty fastPath for making mirrors

# work on each logical volume, eg hd1

# Lot of menu options then, but don't like it much,

# not obvious how to make 2 disk mirror identically.

# maybe one don't have to, as it will be mapped blocks anyway

# not like solaris that match cylinder allocation, but solaris maybe more resilient

# aix wants to find where to place vol (center of disk, etc).

# Maybe multiple copies of a logical vol inside same volume group (and potentially

# same disk!)

# aix book p 210



mirrorvg rootvg # mirror whole volume group, simple one command does it.

# aix book p 202



istat /opt # show inode status



ipl_varyon -i # Determine which disk(PV) is the boot drive







Other ref: Advanced Horizons AIX File Info





swap / paging



/etc/swapspaces # config file

swapon -a # activate all swap spaces

swapon /dev/paging00 # activate additional device

swapoff /dev/paging00 # deactivate



chps -s16 hd6 # change attrib of paging space

# add 16 PP to existing paging space in /dev/hd6

# PP size determined by "lslv hd6", eg 256, 512 MB

chps -d8 hd6 # remove 8 PP to existing paging space in LV hd6

mkps -s16 rootvg -a -n # add new paging space worth 16 PP to

# vg called rootvg,

# -a = activate at once,

# -n = active on reboot.

mkps -s32 datavg hdisk1 # add new paging space on diff vg, specifying

# which disk to put it on.

rmps paging00 # remove the whole paging space from sys

lsps -a # list paging space stat

shrinkps # 5L, shrink paging space (script)

# not sure why need this??



svmon # view current vm usage. Need perfagent.tools



Connectivity (Network)

Serial/Console Port

DB9 connector wiring is slightly different than Sun. Use a real null modem cable. "Pseudo" cables made from Sun DB9-RJ45 adaptors and ribbon cable don't work. One will see text and be able to type text, but it won't accept the login, even when the password is right. Can't log in!! Terminal is VT100, none of the flow control stuff, but that probably doesn't matter. Also, for a running system, when a NULL modem is connected to serial, it should automatically display new text and prompt for login. Ribbon cable probably doesn't work at all here.

P4 and older machines use standard 9600 for serial port. But new POWER5 machines, they changed serial port to use 19200!! All other settings are same as before.

Dumb Terminal

The tip command exists on AIX, but it is slightly different than Solaris.

# aix tip host spec, typically placed in /etc/remote-file

# with a /etc/remote file defining its location

# alternatively, env var REMOTE can define location of this remote-file

#

# aix tip escape sequence is same as solaris.

# ~? produces full list.

# ~^D terminate the connection.

#

# tty0 is the system console, like Solaris Serial A, not usually usable as dumb terminal emulator

# tty1 is the serial port labeled T2, the equi of serial B in Solaris.

#

# IBM AIX serial connection is slightly diff than Sun, req NULL modem cable.

# This emulated TIP does not fully act as dumb terminal :(

# Depending on the state of the machine, and whether tip session is established first,

# or the cable is connected first, text may or may not be visible :(

# So, tip in aix can probably only work as dumb terminal for sun and hp machines,

# and the most reliable console is still a dumb terminal.

#

# eg usage, runnable as normal user:

# export REMOTE=$HOME/etc/remote-file

# tip dumb19200

# tip -9600 serial1

#

#

dumb9600|direct connect at 9600 bps,br#9600:dv=/dev/tty1

dumb19200|direct connect at 19200 bps,br#19200:dv=/dev/tty1

serial0|dumbterminal:dv=/dev/tty0

serial1|tty1|dumbterminal:dv=/dev/tty1

tty|dumbterminal:br#19200:dv=/dev/tty

#

# The serial ports ttyp0...ttyp9,ttypa...ttypf do not usually exist

#

ttyp0|dumbterminal:br#19200:dv=/dev/ttyp0

ttyp1|dumbterminal:br#19200:dv=/dev/ttyp1

ttyp2|dumbterminal:br#19200:dv=/dev/ttyp2

ttyp3|dumbterminal:br#19200:dv=/dev/ttyp3

ttyp9|dumbterminal:br#19200:dv=/dev/ttyp9

ttypa|dumbterminal:br#19200:dv=/dev/ttypa

ttypb|dumbterminal:br#19200:dv=/dev/ttypb

ttypc|dumbterminal:br#19200:dv=/dev/ttypc

ttypf|dumbterminal:br#19200:dv=/dev/ttypf





cu Connect Unix.

Opening a serial line may need some file config, cli below get error :(

I guess need to get minicom/telix or some other similar program from the Linux world.



cu -s9600 -l/dev/ttyp1

-s speed

-l device line

cu commands:

~%b send a break

~%! give shell

~. end session, logout user.



NIC



ifconfig

netstat -i



lsdev | grep -i ether # see Ethernet devices and driver.

# entX = h/w card.

# enX = ethernet (DIX II framing) for IP

# etX = ethernet (IEEE 802.3) for SNA, don't bother :)



lsattr -R -l ent0 -a media_speed # show capabilities of ent0

lsattr -EH -l ent0 -a media_speed # show current settings

lsattr -D -l ent0 # show all def val for Eth dev.



chdev -P -l ent0 -a media_speed=100_Full_Duplex # change to forced full 100

chdev -P -l ent0 -a media_speed=Auto_Negotiation # change to auto negotiate for speed duplex

# effective after reboot !!!





smitty mktcpip # configure/change ip of interface, default route, netmask

# permanently set ip option for interface

# smitty just run mktcpip cmd:

/usr/sbin/mktcpip

-h'HOSTNAME'

-a'HOST.IP'

-m'HOST.IP.NETMASK'

-i'NIC' # eg en0, "standard network interface"

-n'DNS.SERVER.IP' # may want to add more to /etc/resolv.conf

-d'DNS.DOMAIN.NAME' # eg titaniumleg.com

-g'DEF.GATEWAY.IP'

-A'no' # Start now? no or yes # just omit it.

eg:

mktcpip -h'aix01' -a'10.215.11.101' -m'255.255.255.0' -i'en0' -n'10.215.2.1' -d'titaniumleg.com' -g'10.215.11.1'





Network Services

lssrc -a # list all services and their status

startsrc # start network service

stopsrc # stop network service

-g # group

-s # subsystem, g or s is largely how AIX define the service.

-a #

-D # Debug



startsrc -g nis # start NIS service group

startsrc -s rpc.mountd # rpc/mount service

startsrc -s xntpd # start ntp daemon

# init script starts it from /etc/rc.tcpip



startsrc -s sendmail -a -bd # start mail server to allow inbound mail.

# essentially, do sendmail -bd, makes it a

# daemon listening on port 25 for mail services.



startsrc -s iptrace -a "/tmp/iptrc.bin" # start ip tracing facility,

# -a = store in file (binary).

stopsrc -s iptrace # stop tracing after problem is reproduced.





DNS

/etc/resolv.conf # main config file, like other Unix.



accept up to 3 name servers

change server after TimeOut (def of 5 sec), retry (def = 3),

so 5+10+20+40=75 sec.

eg:

domain hybridauto.com

nameserver 10.210.2.11

nameserver 10.210.2.12

nameserver 165.87.201.244

search hybridauto.com

search titaniumleg.com

search titaniumlegcorp.com



namerslv -s # run cmd to see settings are understood by system.



DNS resolution depends on file /etc/netsvc.conf

hosts=local,nis,bind

and env var NSORDER=local,bind

AIX 4.3 accepts bind4 and bind8



NIS



chypdom -B titaniumleg.com # set the NIS domain for the machine

# it probably edits /etc/rc.nfs to run cmd domainname

domainname # show the NIS domain

smitty yp # general YP NIS config

smitty mkclient # configure machine as NIS client

rmyp -c # remove yp client config

lssrc -s ypbind # display active vs inoperative NIS

stopsrc -s ypbind # nis client process

startsrc -s ypbind

# /etc/rc.nfs is where the ypbind is set to use specific server (if not broadcast)



startsrc -g nis # start nis server daemon

stopsrc -g nis





CD

AIX does not have a /etc/nsswitch.conf, instead use /etc/netsvc.conf

and /etc/irs.conf (Information Retrieval System, bind 8 code base, used in FreeBSD also).



Also, changes to irs.conf don't seem to be effective till next reboot.

At least that seems to be the case with automount entry,

restarting autofs a/o secldapclntd didn't refresh it.



May want to try these commands in /usr/sbin

flush-secldapclntd

restart-secldapclntd

stop-secldapclntd

start-secldapclntd

ls-secldapclntd





eg of irs.conf











Okay, here a real sample of /etc/irs.conf from an AIX 5.3 machine:

hosts dns continue

hosts nss_ldap continue

hosts nis continue

hosts local

services nss_ldap continue

services nis continue

services local

networks dns continue

networks nss_ldap continue

networks nis continue

networks local

netgroup nss_ldap continue

netgroup nis continue

netgroup local

protocols nss_ldap continue

protocols nis continue

protocols local

###

### http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp?topic=/com.ibm.aix.doc/cmds/aixcmds1/automount.htm

###

automount nis_ldap

##automount nis

##automount files

##automount nis_ldap nis files











eg of /etc/netsvc.conf



# bind Uses BIND/DNS services for resolving names

# local Searches the local /etc/hosts file for resolving names

# nis Uses NIS services for resolving names. NIS must be running if you specify this option

# nis+ Uses NIS plus services for resolving names. NIS plus must be running if you specify this option

# ldap Uses LDAP services for resolving names

# ldap_nis Uses LDAP NIS services for resolving names

# bind4 Uses BIND/DNS services for resolving only IPv4 addresses

# bind6 Uses BIND/DNS services for resolving only IPv6 addresses

# local4 Searches the local /etc/hosts file for resolving only IPv4 addresses

# local6 Searches the local /etc/hosts file for resolving only IPv6 addresses

# nis4 Uses NIS services for resolving only IPv4 addresses

# nis6 Uses NIS services for resolving only IPv6 addresses

# nis+4 Uses NIS plus services for resolving only IPv4 addresses

# nis+6 Uses NIS plus services for resolving only IPv6 addresses

# ldap4 Uses LDAP services for resolving only IPv4 addresses

# ldap6 Uses LDAP services for resolving only IPv6 addresses

# ldap_nis4 Uses NIS LDAP services for resolving only IPv4 addresses



hosts = nis_ldap, nis, bind, local







NFS



nfso -a # show all nfs options and current value

nfso -o varname[=val] # display/set nfs option.

nfso -o nfs_use_reserved_ports=1

# By default AIX does not use ports <1024, which results in an auth error.

# http://www.faqs.org/faqs/aix-faq/part3/

# only needed for /net with certain solaris version?





Manual NFS mount can be added to /etc/filesystems ::



/nethome:

dev = "/vol/vol1/users"

vfs = nfs

nodename = netapp

mount = true

options = rw,fg,soft,intr,nosuid

account = false



/Import:

dev = "/vol/vol1/depot"

vfs = nfs

nodename = netapp

mount = false

options = ro,fg,hard,intr,nosuid

account = false





mount -o vers=2,proto=tcp,wsize=8192,rsize=8192,llock,soft,intr netapp:/vol/vol1/users /nethome

mount -o vers=2,proto=tcp,wsize=8192,rsize=32768,llock,soft,intr desktop:/mnt/cdrom /mnt/rcdrom

mount -o ro -v cdrfs /dev/cd0 /cdrom







startsrc -g autofs # start autofs service group.

stopsrc -g autofs # stop autofs service group.

# autofs group has only 1 subsystem, so -s or -g is same

startsrc -s automountd # start automount service, more reliable than -g autofs !!



automount is started in the /etc/rc.nfs script.

An alternative is to use the Sun style script (aix supports them, but nothing added

by default), eg in /etc/rc.d/rc2.d/S74autofs, have something like:





/usr/sbin/automount -M /home /-

# monitor /home (for user),

# /- will give the /net/HOST access like sol (and other direct mount)

# aix 5.1 no longer supports the -M param



aix 5.1L ML 3, automount started in /etc/rc.nfs as:



/usr/sbin/automount -f /etc/auto_master -D ARCH=SC_AIX



# auto_master had only "+auto_master"

# remember that /home may be a mounted fs, so may want to use /nethome.

# /net will work okay without -M /- .

# automount will call the automountd process, massage the mount points, and exit.

# do NOT start automountd on the CLI manually, it will not interface with mount correctly.



/etc/exports # export files, similar to HP-UX, Linux

eg content of the file:

/usr -ro,root=admin-desktop



exportfs -a # export everything

exportfs -v # display active exports

exportfs -i /tmp # manually export /tmp w/o an entry in /etc/exports



startsrc -g nfs # start mountd, etc



lsauthent # list authentication methods

mknfs -B # start nfs service now and at boot?









Printing

Use smit to add a printer; it prints to a Windows print server easily (provided the Windows print server has Unix printing services set up):



smitty, Print Spooling, (AIX Print Spooling, choose it if it pops up),

Add a Print Queue, type is remote, std processing :

Name of Queue to add --> Use printer name matching remote queue name (ie win prt name)

Hostname of remote server --> Windows print server name

Name of queue on remote server --> Windows printer name.

Type of print spooler on remote server --> System V



CLI:

/usr/lib/lpd/pio/etc/piomisc_ext mkpq_remote_ext -q 'QueueName' -h 'Hostname' -r 'RemoteQueueName' -t 'att' -C 'FALSE' -d 'description'





To see what printers are installed, use:

/usr/bin/lsallq # brief listing of printer name only

/usr/lib/lpd/pio/etc/piolsvp -p # listing with queue server and description

/bin/lpstat # query windows print server on printer status, but names are truncated







Sys Config

General SA Commands

oslevel -rq # list all known and recommended ML

oslevel -r # which ML (maint level) machine is at.

oslevel -l 4.3.3.0 # list fileset missing to bring machine to specified level.

oslevel -l 5200-02 -r # aix 5L is weird wrt oslevel -l

oslevel -s # service pack, in addition to ML, not avail on all sys.

# ( -s is new flag starting ca 2006, aix 5.3 ML 3? not in base 5.3)



uname -a # ver info, also with val of -m at the end

uname -m # some sort of machine code, includes serial number of the machine:

# 000F2C9A4C00 embeds serial 00F2C9A4 (jc)

# 000750AC4C00 embeds serial 10-750AC (vs -u opt)

uname -u # serial number (of management frame).

# IBM,0110750AC embeds serial 10-750ac (targa, 4.3 )

uname -L # first number = the LPAR partition number

# OS is running inside of.



errpt # generate ERRor rePorT. This is more detailed than syslog.

errpt -a # all entries, detailed view. Default is brief listing only.

errpt -A # Abbreviated detailed view.

-D # Collapse duplicate entries.





watch cmd -o logfile # similar to truss cmd, but can't watch existing pid

truss # exist for 5.x, in /bin



topas # top/monitor clone

vmstat

sar

istat

slibclean

svmon







----

NIM Network Install Manager

- Network installation of aix, equiv of solaris jumpstart

- r-cmd to control remote machine





Config Files

/etc/passwd

/etc/security/passwd # similar to shadow file

/etc/security/login # dictate shells that are valid shell for various process.

# if user shell not listed here, ftp will fail.

/etc/ftpaccess # set ftp access privileges, allow/deny access, etc.

/etc/nologin # tmp disable login, presence of file set this behaviour

/etc/filesystems # instead of /etc/fstab









# /etc/syslog.conf



# can start syslog simply as: /usr/sbin/syslogd

# kill -HUP reload config file, adding note to error level (it whines).

#

# ensure the two columns are separated by TAB, not spaces

# or syslogd will fail to log silently!!

# AIX 5.x works okay with spaces now.



# IBM doesn't seem to have any standard; there are no default settings.



# *.info /var/adm/syslog_info.log

*.notice /var/adm/syslog_notice.log rotate size 100k files 4

# *.warning /var/adm/syslog_warning.log

# *.err /var/adm/syslog_err.log

*.crit /var/adm/syslog_crit.log



# create files as follows:

# touch /var/adm/syslog_info.log /var/adm/syslog_crit.log

# touch /var/adm/syslog_notice.log

# touch /var/adm/syslog_warning.log /var/adm/syslog_err.log

# really just need crit and notice

# warning and notice are same, both just marginally smaller than info.
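
The two failure modes noted above (columns not separated by TAB, and log files that were never created with touch) can be checked before reloading syslogd. This is an added example, not part of the original notes; the function names, the optional root-prefix argument and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint a syslog.conf for the two pitfalls in the notes.

# $1 = path to syslog.conf
# $2 = optional prefix prepended to log paths (lets the check run on a copy)
lint_syslog_conf() {
    awk -v root="${2:-}" '
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    NF < 2 { printf "line %d: selector without action\n", NR; next }
    {
        sel = $1; act = $2
        # Isolate the whitespace between the selector and the action.
        rest = $0; sub(/^[ \t]*/, "", rest)
        sep = substr(rest, length(sel) + 1)
        match(sep, /^[ \t]+/)
        sep = substr(sep, 1, RLENGTH)
        if (sep !~ /^\t+$/)
            printf "line %d: selector and action not separated by TAB\n", NR
        # getline returns -1 when the file cannot be opened at all.
        if (act ~ /^\// && (getline junk < (root act)) < 0)
            printf "line %d: log file %s does not exist\n", NR, act
        close(root act)
    }' "$1"
}

# Constructed demo: a throwaway tree with one log file present, one missing.
demo_syslog_lint() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/var/adm"
    : > "$tmp/var/adm/syslog_notice.log"    # exists, as after "touch"
    {
        printf '# constructed sample\n'
        printf '*.notice\t/var/adm/syslog_notice.log rotate size 100k files 4\n'
        printf '*.crit   /var/adm/syslog_crit.log\n'
    } > "$tmp/syslog.conf"
    lint_syslog_conf "$tmp/syslog.conf" "$tmp"
    rm -rf "$tmp"
}

demo_syslog_lint
```

On a live system, run `lint_syslog_conf /etc/syslog.conf` with no prefix so the paths are checked as written.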



















# /etc/filesystems



/:

dev = /dev/hd4

vol = "root"

mount = automatic

check = false

free = true

vfs = jfs2

log = /dev/hd8

type = bootfs



/home-old:

dev = /dev/hd1

vol = "/home"

mount = true

check = true

free = false

vfs = jfs2

log = /dev/hd8



/usr:

dev = /dev/hd2

vfs = jfs2

log = /dev/hd8

mount = automatic

check = false

type = bootfs

vol = /usr

free = false



/var:

dev = /dev/hd9var

vfs = jfs2

log = /dev/hd8

mount = automatic

check = false

type = bootfs

vol = /var

free = false



/tmp:

dev = /dev/hd3

vfs = jfs2

log = /dev/hd8

mount = automatic

check = false

vol = /tmp

free = false



/proc:

dev = /proc

vol = "/proc"

mount = true

check = false

free = false

vfs = procfs



/opt:

dev = /dev/hd10opt

vol = "/opt"

mount = true

check = true

free = false

vfs = jfs2

log = /dev/hd8



/lhome:

dev = /dev/vol1

vfs = jfs2

log = /dev/loglv00

mount = true

options = rw

account = false



/home_na:

dev = "/vol/vol1/users"

vfs = nfs

nodename = na_data

mount = true

options = rw,fg,hard,intr,nosuid

account = false



/mnt/import:

dev = "/vol/vol1/depot"

vfs = nfs

nodename = na_data

mount = true

options = rw,fg,hard,intr,nosuid

account = false



/mnt/cdrom:

dev = "/dev/cd0"

vfs = cdrfs

mount = false

check = false

options = ro

vol = "/mnt/cdrom"

free = false
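
Every NFS stanza in these notes carries nosuid, both in the manual-mount section and in the full /etc/filesystems sample above. The script below audits a stanza file for NFS mounts that lack it, and also flags rw mounts that use soft. It is an added example, not part of the original notes; the function names and the /scratch stanza are constructed, and it assumes comment lines begin with an asterisk.

```shell
#!/bin/sh
# Added example: audit NFS stanzas in an AIX /etc/filesystems-style file.

# Reads stanzas from the named file(s), or from stdin when none is given.
audit_nfs_stanzas() {
    awk '
    # True when opt appears as a whole item in the comma-separated options.
    function has(opt) { return index("," opts ",", "," opt ",") > 0 }

    # Emit findings for the stanza collected so far (NFS stanzas only).
    function report() {
        if (name == "" || vfs != "nfs") return
        if (!has("nosuid"))
            print name ": NFS mount without nosuid"
        if (has("rw") && has("soft"))
            print name ": rw NFS mount uses soft (timed-out writes can be lost)"
    }

    {
        line = $0
        sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
        if (line == "" || line ~ /^\*/) next          # blank or * comment
        if (line ~ /:$/ && line !~ /=/) {             # stanza header
            report()
            name = substr(line, 1, length(line) - 1); vfs = ""; opts = ""
            next
        }
        eq = index(line, "=")
        if (eq == 0) next
        key = substr(line, 1, eq - 1); val = substr(line, eq + 1)
        gsub(/[ \t"]/, "", key); gsub(/[ \t"]/, "", val)
        if (key == "vfs") vfs = val
        else if (key == "options") opts = val
    }
    END { report() }
    ' "$@"
}

# Constructed sample: /nethome is copied from the notes, /scratch is made up.
sample_filesystems() {
cat <<'EOF'
* constructed sample for the audit
/nethome:
        dev             = "/vol/vol1/users"
        vfs             = nfs
        nodename        = netapp
        mount           = true
        options         = rw,fg,soft,intr,nosuid
        account         = false

/scratch:
        dev             = "/vol/vol2/scratch"
        vfs             = nfs
        nodename        = netapp
        mount           = true
        options         = rw,bg,hard,intr

/tmp:
        dev             = /dev/hd3
        vfs             = jfs2
        mount           = automatic
EOF
}

sample_filesystems | audit_nfs_stanzas
```

Run it against the real file with `audit_nfs_stanzas /etc/filesystems`; an NFS stanza with no options line at all is reported as missing nosuid.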







Hardware commands

lspci

lsattr



Hot swap PCI cards, or hot remove. Essentially, issue a command to identify, then power off a given pci slot, then reactivate it again.

smit, devices, pci hot plug manager



shutdown -F # shutdown right away, no delay time

-r # reboot

-m # maintenance mode

shutdown -r +5 "msg to users" # +5 = 5 minutes later.



lsattr # list attributes

-D # display def val

-R # display range of legal values

-E # display Effective val (current settings)

-l name # specify dev logical name

-a attr # specify attribute of NAME logical dev



lsattr -El sys0 # show lot of hardware info, include mem

lsattr -El sys0 -a realmem # get specifically the memory attribute, in KB.



lsdev -Cc processor # see number of processor on machine (may not be numbered in sequence)

lsattr -El proc0 # find processor speed



pmcycles -m # list total number of CPU. installed in /bin by bos.pmapi.

# AIX 5.2 and above, CD #1.





A note about IBM processors.

POWER4 and POWER5 processors are typically packed in a processor card as a Dual Chip Module (DCM). The processor card has a single physical "CPU" in the traditional sense of a touchable chip, but internally it has two cores and is marketed as a 2-way processor.

The CPU listed by the output of pmcycles -m is similar to the Intel Hyperthreading tech whereby a processor can run more than one thread at a time; it is not a physical processor per se, but is available to the programmer.

Thus, a fully populated 4-way processor P5-550 would have 2 DCM processor cards (two 2-way processor cards), lsdev -Cc processor will show 4 processors, and pmcycles -m will show 8 CPU.

REF: IBM redbook-p5-550.pdf





lscfg # list config

# ses are internal scsi disks

# scsi includes int and ext disks

# procX are CPUs

# fca = Fiber Channel HBA

lscfg -vp # lot more detailed info, eg: use to search for fca

lscfg | grep disk # see number and size of HD





lsslot -c pci -a # list pci slot info



lsdev # list devices







cfgmgr # rescan bus and install driver for new devices

# eg when new device made available over SAN

-S # scan serially (instead of parallel)

-v # verbose, print more status info

# Note that emc comes with its own wrapper script to do the work.



bootinfo -y # 32 v 64-bit enabled

# NOTE: bootinfo is runnable by root only.

-K # current kernel mode

# show kernel native bits,

# NOTE: 32-bit can run 64 bit app anyway.

-r # real memory in system in KB

-s hdisk0 # disk size in MB

bootinfo -b # last boot dev

bootinfo -m # machine model code

-p # hw platform (type of bus, etc)

-r # show real memory in sys, in Kb



----



LPAR system

From HMC (hardware manager console), cmds in /opt/hsc/bin



query_cecs # list all online managed sys

get_cec_state -m # find current state of sys



get_op_panel -m # get operator panel lcd code



get_cec_mtms -m # frame type and serial number, buggy.









Package/Software Management



lslpp -h bos.rte # show fileset history (from package mgnt?)

lslpp -L bos.rte # snapshot of maint level and state of fileset

lslpp -f bos.rte # see what files are installed by a given fileset.

lslpp -l bos.net.nfs.client # show fileset revision level

lppchk -v # chk see if any lpp product are broken, obsolete, missing



lslpp -l | grep vacpp # show all fileset info about the ibm compiler



installp flags

a apply update (def action)

c commit

g recursively install prereq

X eXpand (local) FS if more space is needed.

d file specify the location of the media file ( . for current dir).

p preview only, nothing will actually be done.



eg:



installp -qa -d . -X all # apply updates

installp -rB -X all # reject updates

installp -c -g -X all # commit updates

smitty install_commit # same as above.

installp -qac -N all -d . # install w/ commit on, no backup, no simple roll back.

installp -u [filesetname] # uninstall committed lpp product



installp -iq -d /dev/cd0 all # display supplemental info about ML patch in cd

installp -qA -d /dev/cd0 all # display APAR info





IBM Software iFOR licensing commands

i4cfg -list # list license services status



i4blt # license management for visual age. no param = help

-r 6 # print report type 6. see help for more types.

-lp # list licenses

-lp -i # list licenses with extra info, such as time stamp

-s # prod license status

-a # add/enroll a product



-d # delete license

-v # opt vendor info (for some custom lic, used by VA C++)

-p # opt product info

-U # update license

-T # specify number of user, cn license only



eg

i4blt -a -f /usr/vac/c44aix_cn.lic -T 10 -R "registration_comment_avoid_space"

# enroll a license. -T 10 indicates number of licenses.



i4blt -U -v "'IBM Software Solutions Toronto'" -p "'VisualAge C++ Professional' 6.0.n" -T 100

# Update license to allow 100 users. Only for _cn license type.

# Be very careful about quotes! Name with spaces need additional

# single quotes around them!!! Awful syntax and very cryptic error message!!



i4blt -d -n server_name -v "'vendor name with space'" -p "'product name' product_version" -t timestamp

i4blt -d -v "'IBM Software Solutions Toronto'" -p "'VisualAge C++ Professional' 6.0.n" -t 1022291809

i4blt -d -v "'IBM Software Solutions Toronto'" -p "'C for AIX' 6.0.n" -t 1022291952

# delete a license.

# -t is timestamp retrieved from output of i4blt -lp -i





License files are located in

/usr/vac/*.lic

/usr/vacpp/*.lic



The files type are:

C C++ license file names

cforaix_cn vacpp_cn = concurrent nodelock LUM license

_c _c = concurrent network

_n _n = simple nodelock



The First line of file is actually command for license enrollment.





Visual Age compiler license file installation requires the package bos.adt.libm. For 5.1L, it is in CD 4/6. However, its install needs to be kick-started from CD 1, by requesting the install of all components of bos.adt, which is not installed by default.





Applying ML

http://techsupport.services.ibm.com/server/mlfixes/43/

http://techsupport.services.ibm.com/server/mlfixes/43/11/00to11.html



get aix ML (Maintenance Level patch) and instructions on installing it.





inutoc ./usr/sys/inst.images/

installp -acgXd ./usr/sys/inst.images bos.rte.install

smit update_all #



cd /home_sc/sa/share/aix43.ml/433.noLevel_to_11

inutoc . # this creates the .toc file

installp -acgXd . bos.rte.install # install the basic os patch ?

smit update_all # add the other patches

oslevel -r # + reboot



If getting APAR fixes with a series of .bff files, use

(touch .toc, chmod 777 .toc)

inutoc .

and then smitty update_all on the dir to install all the patches.



java 1.4 download, they came in .tar.gz format.

strangely, it seems that I have to use tar xf from aix to correctly extract the archive.

it becomes a backup/restore file which "smitty installp" as "Install Software"

with path to the file as dir location will work.

May actually need to specify the full name of the installp image filename in the path.

tar off from solaris doesn't seem to work!!







Software Patches

aka Program Temporary Fix

instfix -i # show applied APAR fix

instfix -i | grep AIX_ML # fix done by ML patch

instfix -i -k IY78933 # see if a given IY APAR fix had been applied.

instfix -ivq | grep xlC.aix5.*rte | sort -u # list installed xlC runtime environment





/usr/lib/instl/sm_inst instfix_cmd -d '/lhome/root/vacpp7_rte8' -f 'IY78993' -c -N -X

# install the specific IY78933 from the RunTimeEnv v8 for "xlC v7"

# this can be done over NFS dir, provided .toc is created correctly

# and stored on this NFS source.

# The downloaded PTF file vacpp.70.aix.nov2005.ptf.tar.Z needs to be extracted,

# which produces a series of .bff files in backup/restore format.



/usr/lib/instl/sm_inst installp_cmd -a -Q -c -N -g -X -G \

-d '/nfshome/sa/share/aixX.smit/aix_vacpp_rte7_nov2005/extract' -f _all_latest

# install the whole RunTimeEnv v8 for "xlC v7"



/usr/lib/instl/sm_inst installp_cmd -a -c -N -g -X \

-d '/nfshome/sa/share/aixX.smit/aix_vacpp_rte7_nov2005/extract' -f _update_all

# apply relevant updates from RunTimeEnv v8 for "xlC v7"

# it will not display failure msg when optional debugger

# components are not installed.









Example: Installing and Patching IBM Visual Age c++



copy cdrom image

run smit



use dir of

cdrom/usr/sys/inst.images

eg /nethome/sa/software/VisualAge_5.0.2_cd/usr/sys/inst.images

/nethome/sa/software/VisualAge_5.0.2_cd/usr/sys/mvCD



NOTE: use inst.images first, then mvCD.



mvCD may complain of a wrong path, but it generally lists more stuff and installs more programs, even when some may fail.

mvCD may be listing all software in the whole CD set, not just a given CD.

mvCD would fail if content is network path and no CD media change is possible.

actually, aix5l book suggests use of inst.images dir (build .toc before install if obtaining as tar is normal procedure.)





use F7 or ESC,7 to toggle selection.

can use keyword "all" to select all subpackages.

but note that it will not correctly detect os level and then cause failure notices.





Applying patches :



/nethome/sa/software/VisualAge_patch_to_5.0.2.7



it is like installing normal software, but the tar didn't have a .toc file.

thru smit, there was an entry to list software in media, run it so that it created a .toc file.

After that, install the patch as software (via smit update_all), which generates commands like:



geninstall -I "a -cgNqwX -J" -Z -d /nethome/sa/software/VisualAge_patch_March2003_runtimePTF -f File 2>&1



File:

xlC.adt.include 6.0.0.0

xlC.aix50.rte 6.0.0.0

xlC.aix50.rte 6.0.0.5

xlC.msg.en_US.rte 6.0.0.0

xlC.rte 6.0.0.0



geninstall -I "a -cgNqwX -J" -Z -d /nethome/sa/software/VisualAge_patch_March2003PTF -f File 2>&1





Adding international LOCALE

smitty lang (System Environments,Manage Language Environment),

go to "Add Additional Language Environments"

Then there are two possibilities:

- CULTURAL convention to install

This adds support for the desired lang (already supported languages can be

found from "locale -a")

- LANGUAGE translation to install

This adds system error messages for many different software packages

installed on the machine. Not typically needed for dev/test of intl lang

support.





Instead of putting CD into machine CD-ROM drive, one can specify network shared CD-ROM

such as /net/tin-sun/cdrom, but it will NOT prompt to change CD,

and any language locale pack selected but not avail on the network path will simply not be queued for

install, so not even error message. If the CD has nothing about the related

language, it will display error. Most International language locale start

with CD #5.



----



Can use Remove Lang Env to see list of installed lang translation locale.

Sometimes adding a language locale complains of a missing fileset pre-req. If so:

cd directly to the dir with the bos.loc.com file, and install it manually.

smitty installp on any of the CD doesn't show option to add this fileset!



cd /share/aix5.2/disk1/usr/sys/inst.images

installp -acgXd . bos.loc.com



lslpp -l | grep bos.loc.com

bos.loc.com.CN 5.2.0.30 COMMITTED Common Locale Support -

bos.loc.com.utf 5.2.0.50 COMMITTED Common Locale Support - UTF-8

[...]



May also need to put in CD #1 and use smitty installp, and add the necessary

bos.iconv set appropriate to the desired language.



---



other locale/intl related cmd:

chlang es_ES # change to use spanish from spain... update .profile, effective after re-login.

# but I don't see the effects...



chkbd

lsfont

lskbd





Ref: Understanding Locale from AIX online ref.



Loose ends

AIX dev env does not use LD_LIBRARY_PATH, but instead use LIBPATH



Places to get freeware for aix.

http://silcon.silcon.com/~baspence/AIXtip/freeware.htm

http://aixpdslib.seas.ucla.edu/ [recommended by esj]



monitor # top like tool for real time monitor

# t = top processes



# a = toggle view mode

# ? = help



portmon



Reference

rootvg.net AIX portal, lot of stuff!



IBM Online documentation at http://publib.boulder.ibm.com/infocenter/pseries/

Service Guide for RS/6000 F80 (Ch 4 and 5 have 4 digits LED error code for boot time hardware/firmware problem). http://publib16.boulder.ibm.com/pseries/en_US/infocenter/base/hardware_docs/pdf/380568.pdf

RS/6000 Diagnostic LEDs (BITS code, 3 digits used in older, small machines). BIST Error Code



AIX Toolbox for Linux

Download specific IBM fileset Specify OS version and "specific fixes", and it will bring a search page that allows retrieval of a specific version of a given fileset. eg bos.net.nfs.client 5.3.0.50.
