AIX Post Install
After installing AIX you are presented with a very basic version of AIX in which everything is default. This article shows you what I tend to change on a system after a fresh install.
Change Root
Change root's password:
Issue this command when you're logged in as root:
- passwd
Change root's account
Through smitty:
- Set root's home directory to /home/root
- Set the 'su' group to netwheel
Set the command line as default user interface
Set the command line as the default user interface:
# /usr/dt/bin/dtconfig -d
The Command line is now set as the default user interface. This interface will appear on login for all users of the system. To see this change take effect you must shutdown and restart your system.
Set the CDE environment as the default user interface:
# /usr/dt/bin/dtconfig -e
The CDE environment is now set as the default user interface. This interface will appear on login for all users of the system. To see this change take effect you must shutdown and restart your system.
Configure the nameserver (DNS)
Smitty:
- Communications Applications and Services
- TCP/IP
- Further configuration
- Name Resolution
- Domain Nameserver (/etc/resolv.conf)
- Add a Nameserver
- Set / Show the Domain
Give the correct DNS server and domain name.
NTP
Through command line:
Edit /etc/ntp.conf :
# broadcastclient
driftfile /etc/ntp.drift
tracefile /etc/ntp.trace
server ntp1.company.local
Check to see if it works and adjust the time if necessary:
bash-3.2# ntpdate ntp1.company.local
19 Jan 15:54:08 ntpdate[213254]: adjust time server 10.10.10.100 offset 0.074101 sec
Through smitty:
- Communications Applications and Services
- TCP/IP
- Further Configuration
- Server Network Services
- Other Available Services
- xntpd Subsystem
- Start Using the xntpd Subsystem
- BOTH
(smitty fastpath: “smitty xntpd”)
Configure etherchannel and VLAN
Of course, only do this if necessary. We're going to configure the etherchannel as a failover, with one default adapter and one backup adapter. This will create a new virtual ethernet adapter, on which we're going to configure a VLAN, which will also create a new adapter. This newly created adapter is the one which gets the interface configured.
Note: You might consider removing all of your network adapters before configuring this. If you do, remember that you'll need console access, because the system will be unreachable over the network until the new adapters are configured.
Remove network adapters:
rmdev -dl en0
rmdev -dl et0
rmdev -dl ent0
Do this for all network adapters available in the system:
lsdev | grep ^e
Then, rediscover them:
cfgmgr
Configure etherchannel
- Start smitty using the fastpath etherchannel
- Add An EtherChannel / Link Aggregation
Now it's time to select your primary ethernet adapter. Then you'll get this screen. Leave everything default, and only change the time-out and retry settings:
After you're done you also have to add a backup adapter. To do so, choose the smitty menu “Change / Show Characteristics of an EtherChannel / Link Aggregation” and select the adapter you've just created. Then add a backup adapter like this:
Now we have a failover etherchannel configured.
Configure vlan
- Start smitty using the fastpath vlan
- Add a VLAN
Select the just added adapter and fill in the VLAN ID:
When you're done you have a new adapter on which interface you can configure TCP/IP:
As you can see you're working on interface 5, while there are only 4 adapters (eth0 - eth3).
NFS Access
Add a file system through smitty.
Check the filesystem:
- cat /etc/filesystems
/exports/install:
        dev             = "/exports/install"
        vfs             = nfs
        nodename        = fileserver.company.local
        mount           = true
        options         = ro,bg,hard,intr,vers=3,proto=udp,nodev,nosuid
        account         = false
Mount all filesystems
- mount -a
Resize filesystems
The default filesystems do not get much space, so it's necessary to resize them. The table below shows the defaults on a freshly installed system.
Filesystem | Default (5.3) | Default (6.1) | Preferred |
/ | 32 MB | 128 MB | 2048 MB |
/tmp | 64 MB | 64 MB | 1024 MB |
/var | 32 MB | 32 MB | 1024 MB |
/usr | 928 MB | 1536 MB | 4096 MB |
/opt | 64 MB | 96 MB | 10240 MB |
/home | 32 MB | 32 MB | 512 MB |
/var/adm/ras/platform | 832 MB | n.a. | n.a. |
/admin | n.a. | 128 MB | n.a. |
Total | 1984 MB | 2016 MB | 18944 MB |
Change the sizes of the filesystems with these commands. Without a unit suffix, chfs takes the size in 512-byte blocks, so 4194304 blocks is the 2048 MB from the table:
- /usr/sbin/chfs -a size=4194304 /
- /usr/sbin/chfs -a size=2097152 /tmp
- /usr/sbin/chfs -a size=2097152 /var
- /usr/sbin/chfs -a size=8388608 /usr
- /usr/sbin/chfs -a size=20971520 /opt
- /usr/sbin/chfs -a size=1048576 /home
On newer versions of AIX you can also give the size with a unit suffix, for example in MB:
- /usr/sbin/chfs -a size=2048M /
The size and available free space on filesystems is viewable with this command:
- df -m
MOTD
Change the MOTD to your company welcome and or information banner:
*******************************************************************************
*                                                                             *
*                  Welcome to <company> <environment> <node>                  *
*                                                                             *
*******************************************************************************

Where:
- <company> = Your company
- <environment> = Develop, Testing, Acceptance, Production or FailOver Production
- <node> = Name
AIX Limitations
SWAP
The swap space by default is 512 MB and should be set to 4096 MB.
bash-3.2# lsps -a
Page Space      Physical Volume   Volume Group    Size %Used Active  Auto  Type
hd6             hdisk1            rootvg        512MB     3   yes   yes    lv
bash-3.2# chps -s 112 hd6
bash-3.2# lsps -a
Page Space      Physical Volume   Volume Group    Size %Used Active  Auto  Type
hd6             hdisk1            rootvg       4096MB     1   yes   yes    lv
Note that chps -s takes a number of physical partitions, so the value depends on the PP size of the volume group. Here the PP size was 32 MB: 112 × 32 MB = 3584 MB, which takes the paging space from 512 MB to 4096 MB.
Large files
By default, users are limited in the size of the files they may create (fsize), which is not useful for root. Edit the limits file to adjust these settings.
- vi /etc/security/limits
And change root's settings:
default:
        fsize = 2097151
        core = 2097151
        cpu = -1
        data = 262144
        rss = 65536
        stack = 65536
        nofiles = 2000

root:
        fsize = -1
        data = -1
        stack = -1
Explanation:
fsize | Identifies the soft limit for the largest file a user's process can create or extend. |
core | Specifies the soft limit for the largest core file a user's process can create. |
cpu | Sets the soft limit for the largest amount of system unit time (in seconds) that a user's process can use. |
data | Identifies the soft limit for the largest process data segment for a user's process. |
stack | Specifies the soft limit for the largest process stack segment for a user's process. |
rss | Sets the soft limit for the largest amount of physical memory a user's process can allocate. This limit is not enforced by the system. |
nofiles | Sets the soft limit for the number of file descriptors a user process may have open at one time. |
Increase parameter list
When copying a large number of files, or in scripts, the argument list of a command can become too long. To avoid the error
The parameter list is too long.
adjust the ARG/ENV setting using smitty:
- System Environments
- Change / Show Characteristics of Operating System
- ARG/ENV list size in 4K byte blocks
Change this setting to 20 (80k). Be careful, setting this value too high may constrain system memory resources.
AIX Security
Login.cfg
Intruder lockout settings
The intruder lockout settings are set in the login.cfg file and determined by these options:
*  logindelay     The delay (in seconds) between unsuccessful login attempts.
*                 This delay is multiplied by the number of unsuccessful logins -
*                 i.e. if the value is 2, then the delay between unsuccessful
*                 logins will be 2 seconds, then 4 seconds, then 6 seconds, etc.
*                 Set this attribute to 0 to disable this feature.
*
*  logindisable   The number of unsuccessful login attempts before this port is
*                 locked. Used in conjunction with logininterval. Set this
*                 attribute to 0 to disable this feature.
*
*  logininterval  The number of seconds during which logindisable unsuccessful
*                 login attempts must occur for a port to be locked.
*
*  loginreenable  The number of minutes after a port is locked that it will be
*                 automatically unlocked. Setting this attribute to 0 will cause
*                 the port to remain locked until the administrator unlocks it.
So,
- vi /etc/security/login.cfg
And go to the “default” section and edit the settings according to:
default:
        sak_enabled = false
        logintimes =
        logindisable = 4
        logininterval = 60
        loginreenable = 30
        logindelay = 5
Add bash to valid shells
- vi /etc/security/login.cfg
And go to the “Other security attributes” part and add /bin/bash and /usr/bin/bash:
*******************************************************************************
*
*  Other security attributes (usw stanza):
*
*  shells         The list of valid login shells for a user; chuser and chsh will
*                 only change a user's login shell to one of the shells listed
*                 here.
*
*  maxlogins      The maximum number of simultaneous logins allowed on the
*                 system.
*
*  logintimeout   The number of seconds the user is given to enter their
*                 password.
*
*  auth_type      Determines whether PAM or the standard UNIX authentication
*                 mechanism will be used by PAM-aware applications.
*                 Valid values: STD_AUTH, PAM_AUTH
*
*******************************************************************************

usw:
        shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh,/usr/bin/ksh93,/usr/bin/rksh,/usr/bin/rksh93,/usr/sbin/sliplogin,/usr/sbin/uucp/uucico,/usr/sbin/snappd,/bin/bash,/usr/bin/bash
        maxlogins = 32767
        logintimeout = 60
        auth_type = STD_AUTH
User
Edit the file below and go to the “default” section to edit the new user default settings:
- vi /etc/security/user
default:
        admin = false
        login = false
        su = false
        daemon = true
        rlogin = true
        sugroups =
        admgroups =
        ttys = ALL
        auth1 = SYSTEM
        auth2 = NONE
        tpath = nosak
        umask = 022
        expires = 0
        SYSTEM = "compat"
        logintimes =
        pwdwarntime = 4
        account_locked = false
        loginretries = 3
        histexpire = 0
        histsize = 24
        minage = 1
        maxage = 13
        maxexpired = -1
        minalpha = 5
        minother = 3
        minlen = 8
        mindiff = 3
        maxrepeats = 3
        dictionlist =
        pwdchecks =
If you have accounts which may never expire (like service accounts), give them their own stanza like this. Also set the allora and allmondb accounts so they won't expire:
monitor:
        admin = false
        login = true
        expires = 0

backup:
        admin = false
        rlogin = true
        expires = 0
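The limits, login.cfg and user files above (and /etc/filesystems in the NFS section) all use the same AIX stanza layout, in which an attribute in a user's own stanza overrides the one in the "default" stanza. Because of that, grepping for an attribute name does not tell you what actually applies to a user. The following POSIX sh helper, an added example that is not part of the original page, resolves the effective value the way the system does. The sample file contents are constructed from the values shown on this page; the function reads the file on stdin so it can be pointed at the real files with a redirect.

```shell
# Added example (not from the original page): resolve the effective value of an
# attribute for a given stanza in an AIX stanza file. A value in the named stanza
# wins; otherwise the value from the "default" stanza applies.
# Usage: stanza_value STANZA ATTR < /etc/security/limits
stanza_value() {
    awk -v want="$1" -v attr="$2" '
        /^\*/ || /^[[:space:]]*$/ { next }            # "*" comment lines and blank lines
        /^[^=[:space:]]+:[[:space:]]*$/ {              # "name:" opens a new stanza
            cur = $0; sub(/:[[:space:]]*$/, "", cur); next
        }
        index($0, "=") > 0 {                           # "attr = value" inside the current stanza
            eq = index($0, "=")
            k = substr($0, 1, eq - 1); gsub(/[[:space:]]/, "", k)
            v = substr($0, eq + 1); sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
            if (k != attr) next
            if (cur == want) { found = 1; val = v }
            else if (cur == "default") { defval = v }
        }
        END { print (found ? val : defval) }
    '
}

# limits_report USER < /etc/security/limits
# One "attr value" line per limit, showing what effectively applies to USER.
limits_report() {
    tmp=$(cat)                       # slurp stdin once and reuse it per attribute
    for a in fsize core cpu data rss stack nofiles; do
        printf '%s %s\n' "$a" "$(printf '%s\n' "$tmp" | stanza_value "$1" "$a")"
    done
}

# Constructed sample of /etc/security/limits (values as set on this page).
SAMPLE_LIMITS='* constructed sample of /etc/security/limits
default:
        fsize = 2097151
        core = 2097151
        cpu = -1
        data = 262144
        rss = 65536
        stack = 65536
        nofiles = 2000

root:
        fsize = -1
        data = -1
        stack = -1'

# Constructed sample of /etc/security/user: the "monitor" service account overrides
# login and inherits the password policy from "default".
SAMPLE_USER='* constructed sample of /etc/security/user
default:
        admin = false
        login = false
        expires = 0
        loginretries = 3
        maxage = 13
        minlen = 8

monitor:
        admin = false
        login = true
        expires = 0'

# Demo: root keeps core/cpu/rss/nofiles from "default" but gets fsize/data/stack = -1.
printf '%s\n' "$SAMPLE_LIMITS" | limits_report root
printf 'monitor login=%s maxage=%s\n' \
    "$(printf '%s\n' "$SAMPLE_USER" | stanza_value monitor login)" \
    "$(printf '%s\n' "$SAMPLE_USER" | stanza_value monitor maxage)"
```

On a real system run `limits_report root < /etc/security/limits` or `stanza_value monitor expires < /etc/security/user`; a user without a stanza of its own simply gets the "default" values, which is exactly how AIX treats it.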
Profile
Set the default automatic logout in the /etc/profile file:
- vi /etc/profile
# @(#)27        1.20  src/bos/etc/profile/profile, cmdsh, bos530 8/9/94 12:01:38
# IBM_PROLOG_BEGIN_TAG
# This is an automatically generated prolog.
#
# bos530 src/bos/etc/profile/profile 1.20
#
# Licensed Materials - Property of IBM
#
# (C) COPYRIGHT International Business Machines Corp. 1989,1994
# All Rights Reserved
#
# US Government Users Restricted Rights - Use, duplication or
# disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
#
# IBM_PROLOG_END_TAG
#
# COMPONENT_NAME: (CMDSH) Shell related commands
#
# FUNCTIONS:
#
# ORIGINS: 3, 26, 27
#
# (C) COPYRIGHT International Business Machines Corp. 1989, 1994
# All Rights Reserved
# Licensed Materials - Property of IBM
#
# US Government Users Restricted Rights - Use, duplication or
# disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
#
################################################################

# System wide profile.  All variables set here may be overridden by
# a user's personal .profile file in their $HOME directory.  However,
# all commands here will be executed at login regardless.

trap "" 1 2 3
readonly LOGNAME

# Automatic logout, include in export line if uncommented
TMOUT=600

# The MAILMSG will be printed by the shell every MAILCHECK seconds
# (default 600) if there is mail in the MAIL system mailbox.
MAIL=/usr/spool/mail/$LOGNAME
MAILMSG="[YOU HAVE NEW MAIL]"

# If termdef command returns terminal type (i.e. a non NULL value),
# set TERM to the returned value, else set TERM to default lft.
TERM_DEFAULT=lft
TERM=`termdef`
TERM=${TERM:-$TERM_DEFAULT}

# If LC_MESSAGES is set to "C@lft" and TERM is not set to "lft",
# unset LC_MESSAGES.
if [ "$LC_MESSAGES" = "C@lft" -a "$TERM" != "lft" ]
then
        unset LC_MESSAGES
fi

export LOGNAME MAIL MAILMSG TERM TMOUT

trap 1 2 3
N.B. Uncomment (and change) the TMOUT line and add TMOUT to the export line, as shown above!
Sendmail Privacy
Edit the /etc/sendmail.cfg file:
# privacy flags
O PrivacyOptions=goaway
See Sendmail Security Quick Fixes for more information about sendmail security.
Don't forget to restart sendmail afterwards.
Prevent buffer overflow in chsh
Change the permissions of /usr/bin/chsh so that only root can execute it:
chmod 500 /usr/bin/chsh
Additional security
Throughout this document other security settings are applied as well, for example the root settings and the ssh settings.
AIX Performance
Study the settings below to see if they are applicable for you. Before applying them, please test these settings yourself. I've tested these settings on brand new, superfast JS22 blades, with maximum memory and CPU, and the disks are on a SAN, with a queue_depth of 8. You should make your own tests, to see what your bottlenecks are.
No TCP Acknowledgement delay
By default, AIX waits 200 ms before sending the TCP acknowledgement. To disable this setting issue:
bash-3.2# no -p -o tcp_nodelayack=1
Setting tcp_nodelayack to 1
Setting tcp_nodelayack to 1 in nextboot file
See here for more information about the setting. See here for more information about the no command.
Test results
Copy from Windows XP SP3 (default installation) to AIX 5300-06-07-0818
N.B. Partly 100 Mb network, different subnets, done with WinSCP
Copy | Baseline default settings | tcp_nodelayack=1 |
12000 files (21,8 MB) | 19:47 minutes | 0:52 minutes |
500 files (87,5 MB) | 0:39 minutes | 0:28 minutes |
2 files (635 MB) | 03:07 minutes | 03:04 minutes |
Copy from AIX 5300-06-07-0818 to AIX 5300-06-07-0818
N.B. 1 Gb network, different subnets, done with scp
Copy | Baseline default settings | tcp_nodelayack=1 |
12000 files (21,8 MB) | 0:24 minutes | 0:20 minutes |
500 files (87,5 MB) | 0:07 minutes | 0:10 minutes |
2 files (635 MB) | 0:28 minutes | 0:49 minutes |
And now back:
Copy | Baseline default settings | tcp_nodelayack=1 |
12000 files (21,8 MB) | 0:25 minutes | 0:26 minutes |
500 files (87,5 MB) | 0:09 minutes | 0:09 minutes |
2 files (635 MB) | 0:48 minutes | 0:46 minutes |
Conclusion
This setting really speeds up communication between Windows and AIX, but does hardly anything between AIX boxes; there it can even slow network communication down.
File System Direct IO
This should speed up filesystem I/O. To enable it, mount the filesystem with an additional option:
mount -i dio /mountpoint
Test results
Copy from Windows XP SP3 (default installation) to AIX 5300-06-07-0818
N.B. Partly 100 Mb network, different subnets, done with WinSCP
Copy | Baseline default settings | filesystem dio | filesystem dio, tcp_nodelayack=1 |
12000 files (21,8 MB) | 19:47 minutes | 19:49 minutes | 0:59 minutes |
2 files (635 MB) | 03:07 minutes | 03:01 minutes | 03:02 minutes |
Copy from AIX 5300-06-07-0818 to AIX 5300-06-07-0818
N.B. 1 Gb network, different subnets, done with scp
Copy | Baseline default settings | filesystem dio | filesystem dio, tcp_nodelayack=1 |
12000 files (21,8 MB) | 0:24 minutes | 0:32 minutes | 0:27 minutes |
2 files (635 MB) | 0:28 minutes | 0:59 minutes | 4:30 minutes |
Conclusion
This setting really slows down communication between AIX boxes, so I stopped the tests.
TCP Buffers
These settings should increase network performance as well. Some of these settings need new sessions and some even a reboot, so be careful how you handle your tests:
/usr/sbin/no -p -o sb_max=6192000
/usr/sbin/no -p -o tcp_sendspace=4096000
/usr/sbin/no -p -o tcp_recvspace=4096000
/usr/sbin/no -p -o udp_sendspace=65536
/usr/sbin/no -p -o udp_recvspace=655360
/usr/sbin/no -p -o rfc1323=1
/usr/sbin/no -p -o ipqmaxlen=150
/usr/sbin/no -p -o clean_partial_conns=true
Test results
Copy from Windows XP SP3 (default installation) to AIX 5300-06-07-0818
N.B. Partly 100 Mb network, different subnets, done with WinSCP
Copy | Baseline default settings | tcp buffers | tcp buffers, tcp_nodelayack=1 |
12000 files (21,8 MB) | 19:47 minutes | 19:55 minutes | 0:59 minutes |
500 files (87,5 MB) | 0:39 minutes | 0:38 minutes | 0:28 minutes |
2 files (635 MB) | 03:07 minutes | 03:00 minutes | 03:06 minutes |
Copy from AIX 5300-06-07-0818 to AIX 5300-06-07-0818
N.B. 1 Gb network, different subnets, done with scp
Copy | Baseline default settings | tcp buffers | tcp buffers, tcp_nodelayack=1 |
12000 files (21,8 MB) | 0:24 minutes | 0:24 minutes | 0:20 minutes |
500 files (87,5 MB) | 0:07 minutes | 0:08 minutes | 0:14 minutes |
2 files (635 MB) | 0:28 minutes | 0:45 minutes | 1:00 minutes |
Conclusion
This setting increases network speed between Windows and AIX, but decreases network speed for large files between AIX boxes.
Queue_Depth
For some disks it can be worthwhile to set a higher queue_depth (default = 1). For the procedure to change it, see change_disk_properties_of_disks_in_use.
Test results
Copy from Windows XP SP3 (default installation) to AIX 5300-06-07-0818
N.B. Partly 100 Mb network, different subnets, done with WinSCP
Copy | Baseline default settings | queue_depth=8 |
12000 files (21,8 MB) | 19:58 minutes | 19:47 minutes |
2 files (635 MB) | 02:59 minutes | 03:07 minutes |
Copy from AIX 5300-06-07-0818 to AIX 5300-06-07-0818
N.B. 1 Gb network, different subnets, done with scp
Copy | Baseline default settings | queue_depth=8 | queue_depth=64 |
12000 files (21,8 MB) | 0:26 minutes | 0:24 minutes | 0:24 minutes |
2 files (635 MB) | 0:29 minutes | 0:28 minutes | 0:26 minutes |
Conclusion
It's really hard to draw a conclusion here. There is some performance increase, but the higher you set the queue_depth, the higher the risk of data corruption. For database boxes, most vendors advise not to go above a queue_depth of 8, so that would be my suggestion here.
Additional Software
SSH
SSH and SSL Installation
Before SSH can be installed, make sure you have SSL installed.
- uncompress openssl.9.8.802.tar.Z
- tar -xf openssl.9.8.802.tar
- smit
- Software Installation and Maintenance
- Install and Update Software
- Install Software
- Enter “.” to search the current directory for software.
Select the software: first F4 to get a list, then F7 to select the software from the list. Don't forget to accept the license agreement (also F4, last option).
You can download the latest openssh version here.
SSH X11 forwarding
X11 forwarding on AIX consists of several steps. First you'll have to change some settings on the AIX box, then do some things on your local workstation, and then of course, you'll have to test it.
Change the sshd_config file
Note: some settings are also changed for security purposes.
- vi /etc/ssh/sshd_config and change the file according to:
#       $OpenBSD: sshd_config,v 1.77 2008/02/08 23:24:07 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no

#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none
XauthLocation /usr/bin/X11/xauth

# no default banner path
Banner /etc/secure_banner

# override default of no subsystems
Subsystem       sftp    /usr/sbin/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server
Change the ssh_config file
- vi /etc/ssh/ssh_config and change the file according to:
#       $OpenBSD: ssh_config,v 1.23 2007/06/08 04:40:40 pvalchev Exp $

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

# Host *
#   ForwardAgent no
    ForwardX11 yes
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
    ConnectTimeout 30
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
    Protocol 2
    Cipher blowfish
    Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
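Both files above follow the OpenSSH rule that the first uncommented occurrence of a keyword wins and everything behind a "#" is ignored, so a quick grep can easily report a value that is not the one in effect. The POSIX sh helper below, an added example that is not part of the original page and not OpenSSH code, resolves directives the way sshd and ssh do and then audits the directives this page changes. The sample configuration is constructed from the sshd_config above; the expectations for PermitRootLogin and PasswordAuthentication are this example's own hardening assumptions (the page leaves both commented out, i.e. at the server default), which is exactly what the audit is meant to make visible.

```shell
# Added example (not from the original page or OpenSSH): first-match resolution of
# sshd_config / ssh_config directives plus a small audit of the settings changed on
# this page. Per-user "Match" blocks apply conditionally, so parsing stops there.

# ssh_effective KEYWORD < sshd_config
# Prints the first active value of KEYWORD (case-insensitive), or nothing if it is
# never set, in which case the compiled-in default applies.
ssh_effective() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        tolower($1) == "match" { exit }                 # conditional block: out of scope
        tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    '
}

# ssh_audit < sshd_config
# Prints one line per directive: OK (matches), DIFF (set to something else) or
# UNSET (commented out, server default applies). Returns 1 unless everything is OK.
ssh_audit() {
    cfg=$(cat); rc=0
    # Protocol, IgnoreRhosts, X11UseLocalhost and Banner are set on this page;
    # PermitRootLogin=no and PasswordAuthentication=no are assumptions of this example.
    for pair in Protocol=2 IgnoreRhosts=yes X11UseLocalhost=yes Banner=/etc/secure_banner \
                PermitRootLogin=no PasswordAuthentication=no; do
        k=${pair%%=*}; want=${pair#*=}
        got=$(printf '%s\n' "$cfg" | ssh_effective "$k")
        if [ -z "$got" ]; then printf 'UNSET %s (server default applies)\n' "$k"; rc=1
        elif [ "$got" = "$want" ]; then printf 'OK    %s %s\n' "$k" "$got"
        else printf 'DIFF  %s %s (expected %s)\n' "$k" "$got" "$want"; rc=1
        fi
    done
    return $rc
}

# Constructed sshd_config fragment with the directives this page changes.
SAMPLE_SSHD='#Port 22
Protocol 2
#PermitRootLogin no
IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
Banner /etc/secure_banner
Subsystem       sftp    /usr/sbin/sftp-server
Match User anoncvs
        X11Forwarding no'

# Demo: X11Forwarding resolves to "yes" (the Match block is not consulted) and the
# audit flags the two directives the page leaves at their defaults.
printf '%s\n' "$SAMPLE_SSHD" | ssh_audit
```

Run it against the real files with `ssh_audit < /etc/ssh/sshd_config` after editing, and before restarting sshd. The same `ssh_effective` works on the ssh_config fragment, e.g. `ssh_effective Ciphers < /etc/ssh/ssh_config`; note that current OpenSSH releases no longer enable arcfour or the CBC-mode ciphers in that list by default.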
Restart the ssh daemon
Stop and start Ssshd
# /etc/rc.d/rc2.d/Ssshd stop
# /etc/rc.d/rc2.d/Ssshd start
Don't forget to exit your current session, and login again!
Adjustments to your local desktop
Install an X server and enable X11 forwarding in your SSH client. See CygWin - X op Windows for Cygwin as X server and PuTTY as client.
Test it
Log in and issue the command:
- xclock
If a little clock appears on your screen it works! If not, try to set the DISPLAY variable:
- export DISPLAY=<local ip address>:0.0
SSH X11 forwarding and SU
X authentication is based on cookies: small pieces of random data that only you and the X server know. So when you su, the user you su to needs to know the cookie as well. To arrange that, look up your cookies and your display setting before you su:
>xauth list
server1.company.local/unix:10  MIT-MAGIC-COOKIE-1  1c64ce9c5e07154d4403bf8b919635f2
server2.company.local/unix:10  MIT-MAGIC-COOKIE-1  0d219bf6b6b4ed805ad51b17f71d2e38
>echo $DISPLAY
localhost:10.0
Now su, and import the cookie configuration and the DISPLAY variable:
>su - oracle
oracle's Password:
>xauth add server2.company.local/unix:10 MIT-MAGIC-COOKIE-1 0d219bf6b6b4ed805ad51b17f71d2e38
>export DISPLAY=localhost:10.0
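Picking the right line out of `xauth list` by hand is error-prone when several hosts and display numbers are listed, so here is the selection done in POSIX sh. This is an added example, not part of the original page: it takes the `xauth list` output on stdin together with the host name and the DISPLAY value, and prints the `xauth add` and `export DISPLAY` lines to run after the su. The entries and DISPLAY value are constructed from the session shown above; on a real box they come from `xauth list`, `hostname` and `$DISPLAY`.

```shell
# Added example (not from the original page): select the xauth cookie that belongs
# to the current forwarded display and print the commands for the su'd session.

# cookie_for_display HOSTNAME DISPLAY < "xauth list output"
# Prints the matching "host/unix:N PROTO COOKIE" entry, or nothing if none matches.
cookie_for_display() {
    n=${2#*:}; n=${n%%.*}                        # "localhost:10.0" -> "10"
    awk -v a="$1/unix:$n" -v b="$1:$n" '$1 == a || $1 == b { print; exit }'
}

# xauth_handoff_commands HOSTNAME DISPLAY < "xauth list output"
# Prints the two commands to run after su; fails (exit 1) when no cookie matches,
# so a wrong DISPLAY is noticed before the X client fails with a vague error.
xauth_handoff_commands() {
    entry=$(cookie_for_display "$1" "$2")
    [ -n "$entry" ] || { echo "no xauth entry for $1 display $2" >&2; return 1; }
    printf 'xauth add %s\nexport DISPLAY=%s\n' "$entry" "$2"
}

# Constructed sample: the two entries and DISPLAY from the session on this page.
SAMPLE_XAUTH='server1.company.local/unix:10  MIT-MAGIC-COOKIE-1  1c64ce9c5e07154d4403bf8b919635f2
server2.company.local/unix:10  MIT-MAGIC-COOKIE-1  0d219bf6b6b4ed805ad51b17f71d2e38'
SAMPLE_DISPLAY=localhost:10.0

# Demo: only the server2 entry for display :10 is selected.
printf '%s\n' "$SAMPLE_XAUTH" | xauth_handoff_commands server2.company.local "$SAMPLE_DISPLAY"
```

Before the su, run `xauth list | xauth_handoff_commands "$(hostname)" "$DISPLAY"` and paste the two printed lines into the new shell. The cookie is a credential for your X session: hand it over on the terminal or through a file only the target user can read, not through a world-readable temporary file.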
RPMs
Before you can install RPMs you'll need the Redhat Package Manager. Install the rpm.rte in the same way as SSL and SSH.
This is the list of rpms that are currently being installed:
rpm | explanation |
bash | shell |
gcc | C compiler |
less | command to pipe output to, a bit more advanced than more |
lsof | lists open files |
sudo | switch user for one command |
RPMs are installed through this command:
- rpm -vi *.rpm
SUDO
For the sudo RPM, change the config file using the “visudo” command:
- bash-3.2# visudo
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

# Host alias specification

# User alias specification

# Cmnd alias specification

# Defaults specification

# User privilege specification
root      ALL=(ALL) ALL
allmonxx  ALL = NOPASSWD: /usr/bin/svmon
%tsmgroup ALL = NOPASSWD: /usr/tivoli/tsm/client/ba/bin/dsmc, /usr/tivoli/tsm/client/ba/bin/dsmcad, /usr/tivoli/tsm.sh
Tar
Install a newer version (1.21 or higher) of the tar command in order to create bigger tar archives (important for Oracle RMAN backup archives):
bash-3.2# ls
tar-1.22.tar.gz
bash-3.2# gunzip tar-1.22.tar.gz
bash-3.2# tar -xf tar-1.22.tar
bash-3.2# ls
tar-1.22      tar-1.22.tar
bash-3.2# cd tar-1.22
bash-3.2# ls
ABOUT-NLS     ChangeLog.1   NEWS          TODO          configure     m4            src
AUTHORS       INSTALL       PORTS         aclocal.m4    configure.ac  po            tests
COPYING       Makefile.am   README        build-aux     doc           rmt
ChangeLog     Makefile.in   THANKS        config.hin    lib           scripts
bash-3.2# ./configure
bash-3.2# make
bash-3.2# make install
The new tar command is installed in /usr/local/bin; the AIX tar in /usr/bin stays in place.
Unnecessary software
Software that is unnecessary:
- Alternate Disk Installation:
- bos.alt_disk_install.boot_i
- bos.alt_disk_install.rte
- Cluster Systems Management:
- csm.client
- csm.core
- csm.deploy
- csm.diagnostics
- csm.dsh
- csm.gui.dcem
- Sensor Resource Manager:
- rsct.core.gui
- rsct.core.lprm
- rsct.core.sensorrm
Not sure yet: According to KPMG security, but still figuring out why…
- AIX Security Hardening:
- bos.aixpert.cmds
- bos.aixpert.websm
Monitoring
Set the password for the allmon<xx> user to <password>
- passwd allmonxx
Remove the ADMCHG attribute from the user:
- vi /etc/security/passwd
Test the login and run svmon:
login as: allmonxx
allmonxx@10.10.10.11's password:
1 unsuccessful login attempt since last login.
Last unsuccessful login: Thu Jun 18 15:59:11 2009 on ssh from 10.10.10.10
Last login: Thu Jun 18 10:53:32 2009 on /dev/pts/2 from 10.10.10.10
*******************************************************************************
*                                                                             *
*                   Welcome to company production dbnode                      *
*                                                                             *
*******************************************************************************
1356-364 /usr/bin/X11/xauth:  creating new authority file /home/allmonxx/.Xauthority
$ sudo /usr/bin/svmon
               size       inuse        free         pin     virtual
memory      8093696     7598696      495000      572834     1111159
pg space     131072        3519

               work        pers        clnt
pin          572834           0           0
in use      1110433           0     6488263

PageSize   PoolSize       inuse        pgsp         pin     virtual
s    4 KB         -     7491688        3519      495314     1004151
m   64 KB         -        6688           0        4845        6688
$
Backup
See here for a TSM AIX Client install. Extra dependencies needed:
- xlC.rte
- xlC.aix50.rte
Both are included with the backup software but have to be selected explicitly.
Additional Oracle configuration
In case the AIX server is going to run Oracle there are a few more requirements. Although most of them are described here, this is the official Oracle documentation.
Required filesets
The following operating system filesets are required:
- bos.adt.base
- bos.adt.lib
- bos.adt.libm
- bos.perf.libperfstat
- bos.perf.perfstat
- bos.perf.proctools
- xlC.aix50.rte:7.0.0.4 or later
- xlC.rte:7.0.0.1 or later
bash-3.2# lslpp -l bos.adt.base bos.adt.lib bos.adt.libm bos.perf.libperfstat bos.perf.perfstat bos.perf.proctools xlC.aix50.rte xlC.rte
  Fileset                      Level  State      Description
  ----------------------------------------------------------------------------
Path: /usr/lib/objrepos
  bos.adt.base              5.3.0.62  COMMITTED  Base Application Development Toolkit
  bos.adt.lib               5.3.0.61  COMMITTED  Base Application Development Libraries
  bos.adt.libm              5.3.0.61  APPLIED    Base Application Development Math Library
  bos.perf.libperfstat      5.3.0.61  COMMITTED  Performance Statistics Library Interface
  bos.perf.perfstat         5.3.0.62  COMMITTED  Performance Statistics Interface
  bos.perf.proctools        5.3.0.63  COMMITTED  Proc Filesystem Tools
  xlC.aix50.rte              8.0.0.0  COMMITTED  C Set ++ Runtime for AIX 5.0
  xlC.rte                    8.0.0.0  COMMITTED  C Set ++ Runtime

Path: /etc/objrepos
  bos.perf.libperfstat      5.3.0.50  COMMITTED  Performance Statistics Library Interface
  bos.perf.perfstat         5.3.0.62  COMMITTED  Performance Statistics Interface
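Checking the `lslpp -l` output against the list by eye works for eight filesets, but the "or later" requirements need a numeric comparison of the V.R.M.F level (as a string, "10" sorts before "9"). The POSIX sh helper below is an added example, not part of the original page or of Oracle's documentation: it reads `lslpp -l` output on stdin, reports each required fileset as OK, TOO OLD or MISSING, and exits non-zero if anything is wrong. The minimum levels are the ones listed above; the sample output is constructed from the listing on this page.

```shell
# Added example (not from the original page): verify the Oracle fileset list
# against `lslpp -l` output, comparing dotted fileset levels field by field.

# level_ge A B: exit 0 when dotted level A is greater than or equal to B
level_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            xa = (i <= n) ? x[i] + 0 : 0; yb = (i <= m) ? y[i] + 0 : 0   # numeric, not string
            if (xa > yb) exit 0
            if (xa < yb) exit 1
        }
        exit 0
    }'
}

# fileset_status NAME [MINLEVEL] < "lslpp -l output"
# Prints "OK level", "TOO OLD level (need MINLEVEL)" or "MISSING"; exit 1 unless OK.
# Only COMMITTED/APPLIED entries count; the first one (the /usr/lib/objrepos path) is used.
fileset_status() {
    lvl=$(awk -v n="$1" '$1 == n && ($3 == "COMMITTED" || $3 == "APPLIED") { print $2; exit }')
    if [ -z "$lvl" ]; then echo "MISSING"; return 1; fi
    if [ -n "$2" ] && ! level_ge "$lvl" "$2"; then echo "TOO OLD $lvl (need $2)"; return 1; fi
    echo "OK $lvl"
}

# check_required < "lslpp -l output"
# Walks the fileset list from this page ("name" or "name:minlevel"); exit 1 on any failure.
check_required() {
    out=$(cat); rc=0
    for spec in bos.adt.base bos.adt.lib bos.adt.libm bos.perf.libperfstat \
                bos.perf.perfstat bos.perf.proctools xlC.aix50.rte:7.0.0.4 xlC.rte:7.0.0.1; do
        name=${spec%%:*}; min=${spec#"$name"}; min=${min#:}
        st=$(printf '%s\n' "$out" | fileset_status "$name" "$min") || rc=1
        printf '%-22s %s\n' "$name" "$st"
    done
    return $rc
}

# Constructed sample of `lslpp -l` output (levels as shown on this page).
SAMPLE_LSLPP='  Fileset                      Level  State      Description
  ----------------------------------------------------------------------------
Path: /usr/lib/objrepos
  bos.adt.base              5.3.0.62  COMMITTED  Base Application Development Toolkit
  bos.adt.lib               5.3.0.61  COMMITTED  Base Application Development Libraries
  bos.adt.libm              5.3.0.61  APPLIED    Base Application Development Math Library
  bos.perf.libperfstat      5.3.0.61  COMMITTED  Performance Statistics Library Interface
  bos.perf.perfstat         5.3.0.62  COMMITTED  Performance Statistics Interface
  bos.perf.proctools        5.3.0.63  COMMITTED  Proc Filesystem Tools
  xlC.aix50.rte              8.0.0.0  COMMITTED  C Set ++ Runtime for AIX 5.0
  xlC.rte                    8.0.0.0  COMMITTED  C Set ++ Runtime'

# Demo: every fileset on this page's list is present at a sufficient level.
printf '%s\n' "$SAMPLE_LSLPP" | check_required
```

On the server itself: `lslpp -l | check_required`. The non-zero exit status makes it usable as a pre-flight check in an installation script.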
Memory config
To adjust the settings to provide better performance when running Oracle, run this command:
vmo -p -o minperm%=5 -o maxperm%=90 -o maxclient%=90 -o lru_file_repage=0
See AIX Memory for the explanation of these settings.
Hdisk properties
Also, for Oracle in combination with an iqstor SAN, you'll have to change the queue_depth setting of the disks:
Current disks:
bash-3.2# lspv
hdisk1          000131facfbfbd5b                    rootvg          active
hdisk2          none                                None

Added disks:
bash-3.2# cfgmgr
bash-3.2# lspv
hdisk1          000131facfbfbd5b                    rootvg          active
hdisk2          none                                None
hdisk3          none                                None
hdisk4          none                                None

Current properties:
bash-3.2# lsattr -El hdisk3
clr_q         no                 Device CLEARS its Queue on error True
location                         Location Label                   True
lun_id        0x1000000000000    Logical Unit Number ID           False
max_transfer  0x40000            Maximum TRANSFER Size            True
node_name     0x290000092b27a231 FC Node Name                     False
pvid          none               Physical volume identifier       False
q_err         yes                Use QERR bit                     True
q_type        simple             Queuing TYPE                     True
queue_depth   1                  Queue DEPTH                      True
reassign_to   120                REASSIGN time out value          True
rw_timeout    30                 READ/WRITE time out value        True
scsi_id       0x10f00            SCSI ID                          False
start_timeout 60                 START unit time out value        True
ww_name       0x290000092b27a231 FC World Wide Name               False

Queue depth adjustment:
bash-3.2# chdev -l hdisk3 -a queue_depth=8
hdisk3 changed

New properties:
bash-3.2# lsattr -El hdisk3
clr_q         no                 Device CLEARS its Queue on error True
location                         Location Label                   True
lun_id        0x1000000000000    Logical Unit Number ID           False
max_transfer  0x40000            Maximum TRANSFER Size            True
node_name     0x290000092b27a231 FC Node Name                     False
pvid          none               Physical volume identifier       False
q_err         yes                Use QERR bit                     True
q_type        simple             Queuing TYPE                     True
queue_depth   8                  Queue DEPTH                      True
reassign_to   120                REASSIGN time out value          True
rw_timeout    30                 READ/WRITE time out value        True
scsi_id       0x10f00            SCSI ID                          False
start_timeout 60                 START unit time out value        True
ww_name       0x290000092b27a231 FC World Wide Name               False
bash-3.2#
After changing the queue depth you can create volume groups and filesystems. See AIX Storage (dutch) for more information on how to do that.