As root on the Control Workstation (as0000e1), which is the
primary name server for the Patent Server private network.
If this machine is already defined to NIM, ensure the CPUID is either
correct or set to null.
A problem arises during the install if you swap one machine for
another after it was a NIM client. NIM knows what the old machine's
CPUID was and refuses to answer the nimclient requests the new machine
makes at the end of the install. The symptoms of this are error
messages in the install log on the new machine
(viewable by an "alog -t bosinst -o" command),
and the NIM resources are not unallocated after the install.
To check, as root on the Control Workstation (as0000e1), type
Another potential problem is ensuring the network adapter's MAC address
is correct. For SP/2 nodes, it's in the SDR.
For example, to see what it is for frame 3, node 1, type
It's also defined in the NIM definition. Type
Assuming the machine isn't defined to NIM yet, to do so,
as root on the Control Workstation (as0000e1), which is the
NIM server for the original SP/2, and has also been the NIM
server for the rest of the Patent Server machines.
(See the change Ed Geraghty made to the /usr/lpp/ssp/bin/setup_server
script in the unconfig_clients subroutine,
to not delete this NIM master's clients when SP/2 changes
are made to the SDR.)
Logon to root on the Control Workstation (as0000e1).
In the /spdata/sys1/install/scripts (or $s1) directory, you'll find
a bunch of handy scripts all named do<something>.sh,
which all write into a do.log file in the same directory,
so refer to the do.log file to see what's been done to the
different machines and when.
If you get the message
And lastly, if you get the message
To link in the /usr/local stuff from DFS,
To add the normal automation stuff, presuming of course you've done all of the
above steps, as root on the client machine, add these lines to crontab.
To keep the clock synchronized (if not already done by the PSSP software),
Making Changes to the Domain Name Server (DNS)
This presumes you are adding a machine to the Patent Server private network,
which is 192.168.56.0 through 192.168.56.255.
If you're doing another subnet, adjust which files you change accordingly.
1998042401 ; serial
and is the 4-digit year, month, day, and sequence number within the day
in case there are multiple updates that day.
This number is used by secondary name servers to indicate the need to
refresh their version of this file. The bigger the number, the newer
the file.
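A small helper, added here and not part of the original write-up, that bumps a serial in the YYYYMMDDNN convention described above and rewrites the "; serial" line of a zone file. The SOA fragment is constructed for the example; the name server and zone names are assumptions.

```python
import re
from datetime import date

# Matches the serial line of an SOA record: 10 digits followed by "; serial".
SERIAL_RE = re.compile(r"(\d{10})(\s*;\s*serial)", re.IGNORECASE)

def next_serial(current, today):
    """Next YYYYMMDDNN serial: restart at NN=01 on a new day, else bump NN."""
    todays_base = int(today.strftime("%Y%m%d")) * 100
    if current < todays_base:
        return todays_base + 1
    if current % 100 == 99:
        raise ValueError("99 updates already today; wait for tomorrow's date")
    return current + 1  # same day (or a future-dated serial): stay monotonic

def bump_zone_serial(zone_text, today):
    """Rewrite the '; serial' line in a zone file; returns (new_text, new_serial)."""
    m = SERIAL_RE.search(zone_text)
    if m is None:
        raise ValueError("no '; serial' line found in zone text")
    new = next_serial(int(m.group(1)), today)
    return zone_text[:m.start(1)] + str(new) + zone_text[m.end(1):], new

def secondary_needs_refresh(primary_serial, secondary_serial):
    """Secondaries re-fetch the zone when the primary's serial is bigger."""
    return primary_serial > secondary_serial

# Constructed SOA fragment in the page's convention (not the real zone file).
SAMPLE_ZONE = """\
@   IN  SOA  as0000e1.patent.ibm.com. root.as0000e1.patent.ibm.com. (
             1998042401 ; serial
             3600       ; refresh
             600        ; retry
             604800     ; expire
             86400 )    ; minimum
"""

if __name__ == "__main__":
    text, serial = bump_zone_serial(SAMPLE_ZONE, date(1998, 4, 25))
    print(serial)
    print(text)
```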
Defining a Machine to the Network Install Manager (NIM)
Warning! This section is for non-SP/2 nodes only.
If this is an SP/2 node, use the normal, SP/2 procedures
that are written up in the SP/2 manuals.
For example, for as0301e0/1, which is the S70 at frame 3, node 1,
when AIX 4.3.2 and PSSP 3.1 were installed on it, you'd type
spchvgobj -i bos.obj.ssp.432 -p PSSP-3.1 -v aix432 3 1 1
spbootins -r install 3 1 1
There's also a "Manual Node Conditioning" process that's too
involved to go into now. Just realize that SP/2 nodes are different.
lsnim -l <machine name>
If you see a "cpuid =" line, then type
nim -Fo change -a cpuid= <machine name>
to reset it.
splstdata -b 3 1 1
and see the "hdw_enet_addr" column.
lsnim -l as0301e0
and see the third word of the "if1" field. If it's zero, then
it's ok. NIM doesn't know the MAC address for this machine and will accept
anybody claiming to be this machine.
On the other hand, if the MAC address is wrong, NIM will put the
wrong thing in /etc/bootptab when you attempt to install AIX,
and the install will never get going.
Network Install Manager customization
rc=175
0042-175 c_script: An unexpected result was returned by "/usr/sbin/mount" command.
mount: 1831-008 giving up on:
as0000e1.patent.ibm.com:/export/nim/scripts/ar0146e1.script
The file access permissions do not allow the specified action.
The problem is that NIM puts an entry for the machine in the
Control Workstation's /etc/exports file, using the plural fully-qualified
I.P. name, but when the machine does its NFS mount to get its
customization script, <machine-name>.script, the NFS daemons
on the CWS do a reverse DNS lookup of the I.P. name, and the
way the name server is set up, gets the singular (patent.ibm.com)
domain, not the plural. (Did you follow all that?)
Installing AIX from the NIM Server
Warning! Again, this section is for non-SP/2 nodes only.
If this is an SP/2 node, use the normal, SP/2 procedures,
e.g. use the spmon GUI, select the node, then do a "network-boot"
using perspectives.
Remember, the dobosinst.sh script will allocate the defaultbosinst
bosinst_data resource,
which is at /spdata/sys1/install/bosinst_data/bosinst_data.default.
That file specifies
If you want something different than the above, unallocate the bosinst_data
resource from the NIM machine object before starting the install.
Establish Initial Working Environment
Give root a password!
A fresh AIX install leaves root password-less. Fix that first.
Give root a minimal /.profile and /.kshrc.
/.profile should be
export PATH=$PATH:/local/bin
export ENV=/.kshrc
/.kshrc should be
export PS1="<$(whoami)@$(hostname -s):"'$PWD> '
alias c='echo \\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n;clear'
set -o vi
That's 60 double-backslash-n's. To put these into effect right now, type
. /.profile
ksh
Increasing Paging Sizes
Sometimes after installing AIX, the default sizes one gets are too small.
Type
lsps -a
and ensure you have at least 512MB.
To increase paging space,
chps -s28 hd6 (28 is the number of PP's to add)
This is what I had to do for the new SP/2 nodes in the second frame.
AIX gave me a default of 64MB paging, and with 16MB PP size, this
command adds 28*16=448MB more, to give me a total of 512MB paging space.
Adjust as appropriate for your situation.
Establish Name Service
To have consistent name service, ensure /etc/resolv.conf contains
nameserver 192.168.56.65 <- This should already be there.
nameserver 192.168.56.76 <- Add this line.
search patent.ibm.com patents.ibm.com <- Replace the domain line with this.
Installing DCE & DFS
To define a machine (e.g. ar0080e0) to DCE & install and configure the
DCE & DFS client code,
Logon to root on the Control Workstation (as0000e1).
export target=ar0080e0 or whatever machine you're doing
Use as....e0 interface.
dce_login cell_admin
cd /spdata/sys1/install/default/lppsource/scripts/dce or cd $s2
./mkdceadmin.sh $target $target
Enter cell_admin's password when prompted.
If you get the message
./mkdceadmin.sh: host ar0080e0 is already registered... skipping
and you're sure you want to redefine the machine, for example,
you may be reinstalling or reconfiguring a machine that at one point
was already defined or partially defined, then type
rmdce -o admin -h $target -F -g all
and rerun the mkdceadmin command above.
dcecp -c group add root_principals -member /.../patent.ibm.com/hosts/ar0080e0/self
command.
If you ever want to ensure all "self" principals are in the root_principals group
(perhaps somebody forgot to add one), you can type
dcecp -c account cat | grep self | xargs -n 1 dcecp -c group add root_principals -member
Now you're ready to install the DCE/DFS code on the client machine.
As root on the client machine, type
mount as0000e1:/spdata/sys1/install /mnt
To install the /local file system, which gives you some local tools
including perl, lockdown.sh, et cetera,
/mnt/default/lppsource/scripts/dce/mklocallv.sh
zcat /mnt/default/lppsource/scripts/dce/local.tar.Z | tar xvf -
cp /mnt/default/lppsource/scripts/dce/mkdcecl.pl /tmp
umount /mnt
/tmp/mkdcecl.pl
rm /tmp/mkdcecl.pl
To Install SSH, ADSM, PSSP Client code, and other AIX Filesets,
and To Apply Service
To install sshd, ADSM, and additional AIX filesets,
and to apply service
(presuming you've done the export target=ar0080e0, or whatever machine you're working with),
logon to root on the Control Workstation (as0000e1) and type
cd /spdata/sys1/install/scripts, or cd $s1
./dossh.sh $target
./doadsm.sh $target
./dogpmbase.sh $target
And if this is not an SP/2 node ('cause SP/2 nodes already have
the PSSP client code installed on them) and you want to be able to dsh
commands to this machine (currently, the only machines I don't
have set up like this, are the 3 machines on the external, Internet
network),
./dopssp_client.sh $target
Then do as the script instructs, by scp-ing these 4 files over
scp /etc/krb.conf root@$target:/etc/krb.conf
scp /etc/krb.realms root@$target:/etc/krb.realms
scp $target-new-srvtab root@$target:/etc/krb-srvtab
scp /.klogin root@$target:/.klogin
./doupdateall.sh $target
If this new machine is a new SP/2 node, or you've just installed the PSSP
client code as described above, then add this node's I.P. name to
the appropriate WCOLL files in the /dishes directory on the Control
Workstation. At a minimum, add it to the /dishes/all.all file,
so it will be in the set of machines to share the common /etc/rc.local
file (see below).
If you get the message
0042-001 nim: processing error encountered on "master":
ar0080e0.patent.ibm.com: A remote host refused an attempted connect operation.
0042-006 m_cust: (From_Master) rcmd A remote host refused an attempted connect operation.
then the "shell" service controlled by inetd is disabled by the
/local/bin/lockdown.sh script (normally run from crontab).
To "rearm" NIM, run /local/bin/rearm-nim.sh as root on the client
machine, ar0080e0 in this example.
0042-001 nim: processing error encountered on "master":
rshd: 0826-813 Permission is denied.
0042-006 m_cust: (From_Master) rcmd Error 0
or
0042-001 nim: processing error encountered on "master":
0042-001 m_cust: processing error encountered on "master":
0042-193 m_nnc_setup: ar0083e0.patent.ibm.com has no entry for as0000e0 in .rhosts or cannot resolve host id
or
0042-001 nim: processing error encountered on "master":
rshd: 0826-813 Permission is denied.
0042-006 m_cust: (From_Master) rcmd The socket name is already in use.
then check the /.rhosts file on the client machine.
Ensure it contains
as0000e0.patent.ibm.com root
if it's an SP/2 node, else
as0000e1.patent.ibm.com root
if it's not an SP/2 node.
Newly-installed SP/2 nodes may get their /.rhosts file wiped out.
Other newly-installed machines may have only the as0000e0 line in it.
0042-001 nim: processing error encountered on "master":
0042-037 m_allocate: the state of "ar0084e0" prevents this operation
from succeeding
0042-001 nim: processing error encountered on "master":
0042-069 m_cust: the cust operation cannot be performed when
the target has a Cstate of "bos_inst_ready"
then check the client machine's NIM status, with a
nimclient -l $target
command. The Cstate line should be
Cstate = ready for a NIM operation
If it's not, say it still shows
Cstate = BOS installation has been enabled
and all the resources from the install are still allocated,
then what might have happened is that you've installed AIX
on a different computer than the one NIM thinks $target is.
In other words, there used to be a different processor
defined to NIM using your I.P. name.
If this is the case, you'll see a cpuid line in the lsnim output
that is wrong. If you reset that field with a
nim -Fo change -a cpuid= $target
or
$s2/doreset.sh $target
command, and have the client machine contact the NIM master, with say a
nimclient -d
from the client machine, the cpuid field will get filled in again
with something different.
If this isn't the case, then check the install log on the client
machine via
alog -t bosinst -o | more
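The CPUID, MAC-address and Cstate checks described above (in the "Defining a Machine" section and in this troubleshooting section) can be run over captured "lsnim -l" output. This is an added example, not a script from the /spdata scripts directory; the lsnim output below is constructed, and the MAC and cpuid values in it are made up.

```python
def parse_lsnim(output):
    """Parse 'lsnim -l <name>' output: a 'name:' line, then 'attr = value' lines."""
    lines = [l for l in output.strip().splitlines() if l.strip()]
    name = lines[0].strip().rstrip(":")
    attrs = {}
    for line in lines[1:]:
        if "=" in line:
            key, _, value = line.partition("=")
            attrs[key.strip()] = value.strip()
    return name, attrs

def nim_mac(attrs):
    """Third word of if1 is the MAC NIM writes to /etc/bootptab; '0' means unknown."""
    words = attrs.get("if1", "").split()
    return words[2] if len(words) >= 3 else None

def mac_consistent(mac_from_nim, sdr_mac):
    """OK when NIM does not know the MAC (0) or it matches the SDR's hdw_enet_addr."""
    if mac_from_nim in (None, "0"):
        return True
    def norm(m):
        return m.replace(":", "").replace(".", "").lower()
    return norm(mac_from_nim) == norm(sdr_mac)

def diagnose(output, sdr_mac=None):
    """Return the checks from the text that fail for this NIM machine object."""
    name, attrs = parse_lsnim(output)
    findings = []
    if attrs.get("cpuid"):
        findings.append(f"cpuid is recorded ({attrs['cpuid']}); if the hardware was "
                        f"swapped, reset it with: nim -Fo change -a cpuid= {name}")
    if attrs.get("Cstate") != "ready for a NIM operation":
        findings.append(f"Cstate is '{attrs.get('Cstate')}'; install resources may "
                        "still be allocated")
    mac = nim_mac(attrs)
    if sdr_mac is not None and not mac_consistent(mac, sdr_mac):
        findings.append(f"if1 MAC {mac} disagrees with SDR hdw_enet_addr {sdr_mac}; "
                        "the /etc/bootptab entry would be wrong")
    return findings

# Constructed lsnim output for a swapped node (not captured from a real system).
SAMPLE_LSNIM = """\
as0301e0:
   class          = machines
   type           = standalone
   platform       = rs6k
   if1            = spnet as0301e0 0004AC123456
   Cstate         = BOS installation has been enabled
   Mstate         = currently running
   cpuid          = 00012345AB00
"""

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LSNIM, sdr_mac="0004AC123456"):
        print("-", finding)
```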
Miscellaneous Tasks.
To install aixcops & lsattack, log in as root on the client machine and type
# Aliases to health check distribution list, used by aixcops.
healthck: jasper@almaden.ibm.com
# Aliases to lsattack distribution list
security: jcday@almaden.ibm.com, healthck
# The original sendmail.cf had just DS in this line.
# I added our mail gateway alias. RAJ 4/7/1998
# DS
DSmailgw.patents.ibm.com
touch /etc/security/failedlogin
touch /usr/adm/sulog
chsec -f /etc/security/user -s default -a loginretries=5
chsec -f /etc/security/user -s default -a histsize=4
chsec -f /etc/security/user -s default -a maxage=26
chsec -f /etc/security/user -s default -a minalpha=1
chsec -f /etc/security/user -s default -a minother=1
chsec -f /etc/security/user -s default -a minlen=6
chsec -f /etc/security/user -s default -a mindiff=1
chsec -f /etc/security/user -s default -a maxrepeats=2
chmod 600 /.rhosts
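To verify that a machine actually carries the /etc/security/user settings listed above (and to print the chsec lines still needed), here is an added checker that is not part of the original procedure. It parses the AIX stanza format; the /etc/security/user fragment is constructed, not copied from a real machine.

```python
# Login/password policy the text sets on the default stanza with chsec.
# (On AIX, maxage is counted in weeks.)
POLICY = {"loginretries": 5, "histsize": 4, "maxage": 26, "minalpha": 1,
          "minother": 1, "minlen": 6, "mindiff": 1, "maxrepeats": 2}

def parse_stanzas(text):
    """Parse AIX stanza files: 'name:' at column 0 opens a stanza, indented
    'attr = value' lines fill it, and '*' starts a comment."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.split("*", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace() and line.endswith(":"):
            current = line[:-1].strip()
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def policy_gaps(text, stanza="default"):
    """{attr: (wanted, found)} for each policy attribute missing or differing;
    found is None when the attribute is absent (AIX then uses its built-in default)."""
    attrs = parse_stanzas(text).get(stanza, {})
    gaps = {}
    for attr, wanted in POLICY.items():
        found = attrs.get(attr)
        if found is None or not found.isdigit() or int(found) != wanted:
            gaps[attr] = (wanted, found)
    return gaps

def chsec_commands(gaps, stanza="default"):
    """The chsec lines that would bring the stanza in line with POLICY."""
    return [f"chsec -f /etc/security/user -s {stanza} -a {attr}={wanted}"
            for attr, (wanted, _) in sorted(gaps.items())]

# Constructed /etc/security/user fragment as left by a fresh install (not a real file).
SAMPLE_USER = """\
default:
        admin = false
        login = true
        loginretries = 0
        histsize = 0     * no password history yet
        minlen = 6
        maxage = 0

root:
        loginretries = 0
"""

if __name__ == "__main__":
    print("\n".join(chsec_commands(policy_gaps(SAMPLE_USER))))
```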
Also insert these lines in the /etc/motd file.
* IBM Business Use Statement: *
* IBM's internal systems must be only used for conducting *
* IBM's business or for purposes authorized by IBM management. *
* Use is subject to audit at any time by IBM management. *
* *
* Highest Classification of Data allowed on this system is *
* UNCLASSIFIED *
Note that the permissions on /etc/motd don't allow write, so as
root, you need to force vi to write it with ":x!".
Create an /etc/rc.local file
It's very likely you should use the /etc/rc.local that's on
the Control Workstation.
That version is shared among the SP/2 nodes as well as almost
every other machine on the Patent site.
Modify it as appropriate for this new machine, and see the
directions in the beginning comments of the file,
on how to propagate it to all the machines that share it.
Essentially, you use the pcp command to propagate it.
rclocal:2:wait:/etc/rc.local > /dev/console 2>&1
#
# Hourly run the lockdown script to ensure we stay secure.
18 * * * * /local/bin/lockdown.sh -quiet >> /tmp/lockdown.log
#
# Nightly resynch if need be, the /local/bin file system.
37 2 * * * /local/bin/resynch.local.bin.sh > /dev/null 2>&1
#
# Run aixcops monthly & lsattack (quietly, thus the wrapper) daily.
0 1 28 * * /aixcops/src/aixcops -e -b error -f /aixcops/src/umask.filter -m healthck -d -v 2>&1 >/dev/null
0 3 * * * /usr/lss/lsattack/lsattack-wrapper
#
# Remove old files, that is, not referenced in 30 days from known temp areas.
0 2 * * * find /tmp -atime +30 -exec rm -f {} \; 2>/dev/null
0 2 * * * find /var/tmp -atime +30 -exec rm -f {} \; 2>/dev/null
server 192.168.56.65
server 192.168.56.76