Aix Service Strategy

7/28/2019 Aix Service Strategy

1/34

The AIX 5L Service Strategy

andBest Practices: AIX 5L Service

Scenarios and Tools

IBM Corporation


2/34

THE AIX 5L SERVICE STRATEGY AND BEST PRACTICES

aixseStrategywp020706.doc Page 2

Table of Contents

1 INTRODUCTION.................................................................................................4

1.1 NEW TERMS AND CONCEPTS .............................................................................51.1.1 Technology Level (TL) ............................................................................. 5

1.1.2 Service Pack (SP)..................................................................................... 51.1.3 Concluding Service Pack (CSP) ...............................................................6

1.1.4 Interim Fix (IF)........................................................................................ 6

2 MAINTENANCE STRATEGY MODELS...........................................................8

2.1 LATEST LEVEL .................................................................................................82.2 MAXIMUM STABILITY .......................................................................................9

2.3 YEARLY UPDATE..............................................................................................92.4 MODEL OVERVIEW .........................................................................................10

3 RELEASE SCHEDULES.................................................................................... 11

3.1 REDUCING THE AMOUNT OF CHANGE BETWEEN TECHNOLOGY LEVELS ............11

4 SECURITY FIXES.............................................................................................. 12

5 TESTING OF PTF UPDATES AND TECHNOLOGY LEVELS..................... 13

6 AIX 5L PACKAGING AND FIX ARCHITECTURE ....................................... 14

6.1 PTF................................................................................................................14

6.2 APAR............................................................................................................14

7 SYSTEM BACKUP AND RECOVERY.............................................................15

7.1 ALT_DISK_INSTALL.........................................................................................15

7.2 MKSYSB..........................................................................................................157.3 MULTIBOS.......................................................................................................16

8 PREVIEWING UPDATES ................................................................................. 17

9 TOOLS.................................................................................................................18

9.1 SUMA ...........................................................................................................189.1.1 Functional Highlights ............................................................................ 18

9.2 COMPARE_REPORT .........................................................................................189.2.1 Functional Highlights ............................................................................ 19

10 USAGE SCENARIOS ..................................................................................... 20

10.1 OVERVIEW .....................................................................................................20

10.1.1 Awareness.............................................................................................. 20


3/34



10.1.2 Decision................................................................................................. 2010.1.3 Implement .............................................................................................. 20

10.1.4 Verify .....................................................................................................2110.2 PROACTIVE MAINTENANCE WITH SUMA ........................................................ 22

10.2.1 Latest Level............................................................................................ 22

10.2.2 Maximum Stability ................................................................................. 2310.2.3 Yearly Update ........................................................................................2310.3 STANDALONE WITH INTERNET ACCESS..........................................................24

10.3.1 Download the latest fixes periodically (using suma command line) ........ 2410.3.2 Download a specific APAR (using suma SMIT easy menus) ................... 25

10.4 STANDALONE WITH NO INTERNET ACCESS.....................................................2710.4.1 Download the latest fixes (using compare_report command line)........... 27

10.4.2 Download a specific APAR (using the IBM Support Web site) ................ 2810.5 MORE THAN ONE SYSTEM WITH INTERNET ACCESS ........................................29

10.5.1 Download the latest fixes (setup suma on all NIM clients) ...................... 3010.5.2 Download the latest fixes (setup suma only on NIM master) ................... 30

10.6 MORE THAN ONE SYSTEM

WITH NO

INTERNET ACCESS

...................................3110.6.1 Download the latest fixes (compare_report using inventory from clients)31


4/34



1 IntroductionIn response to client feedback related to the frequency of required maintenance, and thedesire to maintain a more stable environment for longer periods of time, AIX 5L will

change some of its current service strategy directions and institute new release rules.

One issue that has made it increasingly difficult to control the amount of changeintroduced with an update is the increased activity in the service update stream between

maintenance levels. Delivering too many fixes in the update stream can cause instabilityand regression risk to existing function. Delivering fixes only for critical and pervasive

problems will help reduce the amount of risk when a service update is applied.

Another issue is the amount of change in Maintenance Levels and the frequency withwhich they are released. Starting in 2006, a Maintenance Level will be referred to as a

Technology Level and will only be released twice per year. The first Technology Levelof the year will be focused on hardware enablement for new systems and adapters that are

being introduced. The second Technology Level, released in the second half of the year,will include both hardware and software features. Having a year between major releases

of new software features also allows for more extensive testing of these releases.

For clients who wish to install only one major level per year, the concepts of a ServicePack and Concluding Service Pack will be introduced. A Concluding Service Pack will

allow support on a Technology Level for up to fourteen months from the date theTechnology Level was released.

Finally, to address security issues, fixes for security problems will be shipped on multiple

Technology Levels, so you will not be required to jump up a level just to patch a security

hole.

Note: Changes to the Fix Central Web site to reflect the new service strategy will be

made in early 2006, when the first Technology Level is released.


5/34



1.1 New Terms and Concepts1.1.1 Technology Level (TL)A Technology Level is the new term for the twice yearly releases which contain newhardware and software features, and service updates. The first TL will be restricted to

hardware features and enablement, as well as software service. The second TL willinclude new hardware features and enablement, software service, and new software

features, making it the larger of the two yearly releases. In the past, we have used theterm Maintenance Level (ML) even though the release contained code for new features

and functions. Technology Level is a more appropriate term for this code.

The Technology Level (e.g., 5300-04) will be displayed using the oslevel -r AIX 5Lcommand, just as this command can currently be used to display the Maintenance Level.

Starting in 2006, installing a Technology Level should be viewed as an all or nothing

operation, meaning that requisites will be added so that the whole Technology Level is

installed, and not allow a TL to be partially installed. The reason for this change is toavoid getting into unsupported configurations. Technology/Maintenance Levels aretested as a unit, with minimal testing of individual updates. We believe that most clients

install a new level as a unit, and supporting individual PTFs is no longer a focus. It ismore of a risk to have only half of a Technology Level installed than it is to install the

entire Technology Level, and as a result, install some additional updates that you feel youmight not need. It is preferred to have systems that are at a known tested level.

We do not recommend attempting to reject a Technology Level once it has been applied

to an AIX 5L system. Since Technology Levels are usually large (with respect to theamount of code shipped) it is faster and less risky to fall back to the previous level using

other methods. To fall back with a reboot, use alt_disk_install or the new multibosfunction shipped with 5300-03. To fall back with a restore, create a backup (mksysb) to

NIM or bootable media (CD, DVD, or tape) before applying the Technology Level.Having a good recovery plan in place is critical, especially when dealing with

maintenance windows on production systems. As with any new technology, carefultesting should be performed before putting a new Technology Level into production.

1.1.2 Service Pack (SP)The Service Pack concept will allow service-only updates (as known as PTFs) that are

released between Technology Levels to be grouped together for easier identification.These fixes will be for highly pervasive, critical, or security related issues. Service Packs

will be provided for the N and N-1 releases (e.g., V5.3 and V5.2) on the latestTechnology Level for each release (e.g. 5300-04 and 5200-08), and they will be released

approximately every 4-6 weeks after the release of a Technology Level.

Applying and rejecting an individual service update (PTF) is still a supported andrecommended method of removing an update if there is a problem or a regression after it

is installed. Since Service Packs can also be rejected, it is recommended that beforeapplying a Service Pack or PTF update, that all other updates on the system are


6/34



committed (put in the commit state) to allow for easy identification of the Service Packupdates. The commit operation (fastpath smitty commit) will remove saved files and

free up space in the /usr file system. It is also highly recommended that systemadministrators always preview an update (apply or commit) operation to ensure all

requisites are met before performing the actual operation. Set the PREVIEW only?

field in SMIT to yes to perform a preview operation once the updates for apply orreject have been selected.

Applying the latest level of available updates will move the system to the latest ServicePack. To see which Service Pack is currently installed, run the oslevel -s command.

Sample output for a V5.3 system, with Technology Level 4, and Service Pack 2 installedwould be:

oslevel s5300-04-02

Service Packs allow easier identification of a systems current level. Instead of referring

to a systems level as being at 5300-04 plus 15 PTFs, the system can be referenced tobe at the 5300-04-02 level. The oslevel -s command also has options to list installed

filesets that are less than or greater than the level contained within a Service Pack soadditional PTFs that have been applied can be easily identified.

In addition, Service Packs are cumulative, so if Service Pack 3 is applied, all of the

previous critical fixes from Service Packs 1 and 2 will also be applied. Critical FixPacks will no longer be shipped, since all of the updates that are contained in a Service

Pack have been deemed critical or pervasive.

1.1.3 Concluding Service Pack (CSP)Concluding Service Pack is the term that will identify the last Service Pack on aTechnology Level. The CSP will contain fixes for highly pervasive, critical, or security

related issues, just like an SP, but it may also contain fixes from the newly releasedTechnology Level that fall into these categories. Therefore, a CSP will contain a very

small subset of service that was just released as a part of a new Technology Level.

The Concluding Service Pack will be available shortly after a new Technology Level isreleased. For example (dates may change), if Technology Level 5300-04 is released in

February of 2006, the CSP for the previous release, 5300-03, will be availableapproximately 4-8 weeks later. It will have a specific level designation of CSP. For

example, the output of running the command oslevel -s would return 5300-03-CSP.

Concluding Service Packs will allow for extended service on a Technology Level throughthe utilization of Interim Fixes.

1.1.4 Interim Fix (IF)The term Interim Fix is used in AIX 5L as a replacement for emergency fix or efix inorder to simplify terminology across IBM and not cause confusion when dealing with


7/34



other products. While the term emergency fix is still applicable in some situations (a fixgiven in the middle of the night with minimal testing), the term Interim Fix is more

descriptive in that it implies a temporary state until an update can be applied that has beenthrough more extensive testing.

Interim fixes that address non-security related issues will be provided for the two mostrecent supported releases (e.g., V5.3 and V5.2) on the last two Technology Levels foreach release.

All interim fixes are applied using the emgr tool (also known as fixmgr). The emgr

tool has many benefits, including:

Standard way to apply all fixes. In the past, applying a fix or patch meant movingand replacing files manually. The emgrcommand will save and replace files, andhas other options, such as over mounting, to allow for testing.

Tracks fixes applied on a system. In the past, there was no way to tell if an efix(interim fix) was applied. Now, the emgr l command will list all of the interim

fixes on a system. No more overwriting fixes with service updates (PTFs). The emgrcommand

will lock a fileset and not allow an update to be applied that may overwrite aninterim fix.

For more information on the emgrcommand, see its man page (man emgr) or visit the

pSeries and AIX Information Center and search on Interim Fix ManagementSolution.


8/34



2 Maintenance Strategy ModelsThe type of maintenance strategy that you adopt depends on the timeliness and frequency

that you choose to move to the next Technology Level. This section describes differentoptions that may be considered.

As described earlier in this document, there will be only two AIX 5L releases per year.The examples below depict this by showing first half (e.g., 1H06) and second half

releases (e.g., 2H06).

When looking at the AIX Releases line below, the examples show a 1H06 release of

Technology Level 4 (TL4, also referred to as 5300-04) and a 2H06 release of TechnologyLevel 5 (TL5 or 5300-05). Roughly 4-8 weeks after the release of a TL, the Concluding

Service Pack (CSP) for the previous TL will be released. For example, CSP4, the CSPfor TL4, will be released approximately 4-8 weeks after TL5 is released.

In between Technology Levels, one or more Service Packs (SPs), a tested group of

PTFs, will be released in support of the current Technology Level.

2.1 Latest LevelThe Latest Level line shown below depicts a maintenance strategy model for clientswho are upgrading to hardware that requires a new Technology Level, or who wish to

utilize new hardware or software features being introduced in a TL. This model wouldtypically entail a move to a new TL shortly after its release.

The first half Technology Level (e.g., TL4, TL6, etc.) is a smaller TL since it is restrictedto hardware features and enablement, and software service. The second half TL (e.g.,

TL5) also includes new software features, and thus will be a larger release.

In between Technology Levels, Service Packs and interim fixes (to address security and

other issues) can be utilized in support of the current Technology Level.

Release Date

AIX Releases

Latest Level TL6TL4 SPs SPs

1H06 2H06 1H07

CSP5CSP4CSP3 SPs SPsTL4 TL5 TL6

TL5

. . .

. . .

. . .

. . .


9/34



2.2 Maximum StabilityNot all clients will move to a new Technology Level when it is released. For those

wishing to delay their adoption of a new TL by a period of six to eight months, and takeadvantage of the latest tested group of PTFs available in a Concluding Service Pack, the

Maximum Stability model may be appropriate.

In between Technology Levels, interim fixes (to address security and other issues) can be

utilized in support of the Technology Level that the system is running.

2.3 Yearly UpdateFor clients who are stable and wish to stay on a Technology Level for up to a year, they

may choose to adopt the Yearly Update model. This model shows an annual move to anew Technology Level, and thereby skips the direct move to one of the two TLs that are

released during the year, instead picking up this function when the next TL is installed, asTLs are cumulative.

In between Technology Levels, Service Packs (a tested group of PTFs), individualPTFs, and interim fixes (to address security and other issues) can be utilized to maintain

service on a Technology Level for up to one year.

When moving to a new TL annually, it is recommended to utilize a first half TL (e.g.,

TL4, TL6, etc.) because it has the advantage of being a smaller release. When installinga first half TL (e.g. TL6) it will contain all the new AIX 5L software enhancements that

were released with the previous TL (e.g. TL5), however TL5 will have already been inthe field for six to eight months, allowing it to become more stable.

Release Date

AIX Releases

IFML3

CSP3TL4

CSP4IF

TL5CSP5

IFMaximum Stability

IF

1H06 2H06 1H07

CSP5CSP4CSP3 SPs SPsTL4 TL5 TL6. . .

. . .

. . .

. . .

Release Date

AIX Releases

Yearly Update

1H06 2H06 1H07

CSP5CSP4CSP3 SPs SPs

IF

TL4 TL5 TL6

TL4 TL6CSP4PTFsPTFsSPs

. . .

. . .

. . .

. . .


10/34



2.4 Model OverviewThe diagram in this section shows a comparative view of the three models described.

In general, clients do not need to move to the latest Technology Level when it is released.The exception to this are clients who are upgrading hardware that requires the new TL, or

want to use new hardware or software features introduced in a TL. If a client is stable,they may choose to remain on a Technology Level as long as possible. Depending on

when the TL is released will indicate the total length of time it will be supported.

If a Concluding Service Pack is applied, then service will be offered via interim fixes sothat clients are not required to move to a new Technology Level. This will give clients a

maintenance only stream for 6-8 months after the release of a CSP.

The frequency of your maintenance window will determine how often you move to aTechnology Level. Some clients may choose to move to the Technology Level that is

released in the first half of the year (e.g. TL4, TL6, etc.) on a yearly basis since it will

have a considerably smaller amount of change than the second half Technology Level.And, by choosing to apply the first half TL as part of a yearly maintenance strategy, thisalso allows the larger second half TL an additional six months of field exposure andtesting before utilizing the new enhancements it contains.

These models can be modified to suit specific client environments.

Release Date

AIX Releases

Latest Level

Yearly Update

IFML3

CSP3TL4

CSP4IF

TL5CSP5

IF

. . .

. . .

. . .

. . .

. . .

. . .

. . .

. . .Maximum Stability

TL6TL4 SPs SPs

IF

1H06 2H06 1H07

CSP5CSP4CSP3 SPs SPs

IF

TL4 TL5 TL6

TL5

TL4 TL6CSP4PTFsPTFsSPs


11/34



3 Release SchedulesThere will be two AIX 5L Technology Levels each year on the N and N-1 levels, with Nbeing the latest release (for example, AIX 5L V5.3) and N-1 being the previous release

(AIX 5L V5.2).

While the N release will always be fully enhanced, over time the N-1 release will see lessand less of hardware enablement and software features (much like what has happened

with AIX 5L V5.1 today). Fixes will still be produced and shipped for the N-1 release,but over time it will not be enhanced with new hardware enablement and software

features.

Technology Levels will be approximately six months apart, giving additional time fortesting, especially for the larger Technology Level that is released in the second half of

the year.

3.1 Reducing the Amount of Change between Technology LevelsAs we have seen in the past, changing too much code with a limited time to test can berisky. When a change is necessary to resolve a system crash or security problem, the fix

needs to be made available quickly. In such cases, an interim fix is initially released, andlater, after additional testing, the fix becomes available in a PTF update. However,

neither interim fixes nor service updates receive the level of testing of a TechnologyLevel.

Therefore, to improve stability between Technology Levels, and to reduce the amount of

change brought in by individual fixes, each APAR will now be closely scrutinized todecide if it meets the criteria of having a PTF update provided to address the issue. If an

APAR does not meet the criteria of being fixed in a service PTF, it will be fixed in thenext Technology Level, allowing it to go through a full integration test cycle.


12/34



4 Security FixesAIX 5L has always produced emergency fixes for security problems. These fixesusually go out with a CERT advisory for the three supported releases (e.g., V5.3, V5.2

and V5.1) on their latest Maintenance Level.

This process will change so that security fixes will now be shipped as interim fixes forthe last three Technology Levels on the two most recent supported releases (e.g., V5.3

and V5.2), thereby allowing clients to install a fix without updating to the latestTechnology Level. Since the oldest supported release (e.g., V5.1) does not change as

often, security fixes will only be provided for the latest TL.

For example, if a security problem was reported at the end of 2006, interim fixes wouldbe made available for 5300-03, 5300-04, 5300-05, 5200-07, 5200-08, 5200-09 and the

latest level of V5.1. In some cases, depending on the code affected, you will need toupdate to a CSP or latest level of a fileset for that component. Also, the same interim fix

may be appropriate for all levels of a release if the code has not changed since it wasinitially released.

Interim fixes for non-security related issues will be provided for the two most recent

supported releases (e.g., V5.3 and V5.2) on the last two Technology Levels for eachrelease, and on the latest level for the oldest supported release (e.g., V5.1).


13/34



5 Testing of PTF updates and Technology LevelsThe faster an update or fix is released, the less testing it is going to get. Some interimfixes, like security problems, will go thru more extensive regression testing because they

will be released to the general public. Other interim fixes will receive testing that is more

appropriate for the code change and severity of the problem. Your service representativewill be able to tell you the amount testing the interim fix has undergone. In some cases,the developer may choose to send the interim fix thru the Functional Verification Test

(FVT) suite before sending it out, if there is time and if this additional testing is deemednecessary based on the scope of the change and the severity of the problem.

There are four labs that perform different levels of testing:

FVT lab Functional Verification Test will test the component for any regressions. It

does not (in most cases) include integrated testing with other components. This isappropriate for a change that will only affect a single component, or have limited

interaction with other components.

ART lab This level of testing is required for all PTF updates that are shipped. PTFupdates go thru the ART lab (APAR Regression Test lab) and receive a longer period of

test time and integrated testing with thousands of test cases. PTF updates also receivemore integrated testing on different types of hardware made available in the ART lab.

Security Fix lab Runs a subset of ART lab tests on interim fixes for security problems.

System Test The System Test lab performs testing on each new Technology Level for

the N and N-1 level of AIX 5L (for example, V5.3 and V5.2). Because Technology

Levels are only released twice a year, this gives changes more time to be tested withother fixes. Technology Levels also receive additional testing with applications and aretested on the latest level of hardware and firmware, which is usually required for new

systems or upgrades. System Test takes over four months with each Technology Level.


14/34



6 AIX 5L Packaging and Fix ArchitectureAIX 5L packaging architecture divides the system into filesets, each of which contains agroup of logically related client deliverable files. For example, files required for TCP/IP

client functionality are packaged in the bos.net.tcp.client fileset, where files required for

TCP/IP server functionality are packaged in the bos.net.tcp.server fileset. Each fileset canbe separately installed and updated, allowing for more granular installation and smallerupdate packages. Changes to each fileset are tracked by a Version, Release,

Maintenance, and Fix level, referred to as a VRMF (e.g., bos.rte 5.3.0.0 which maps toVersion 5, Release 3, Maintenance level 0, and Fix level 0).

In addition to filesets in installp format, other installers are supported to allow installation

of other products and packages on AIX 5L. The InstallShield installer adds entries to thesame native database that installp uses, while the rpm installer has its own separate

database to store what has been installed.

Some AIX 5L commands display information that combines data from both databases.For example, lslpp L will display all the products that have been installed on the

system by the installp, rpm and InstallShield installers.

Filesets can have relationships to one another called requisites. For example, if filesetB needs fileset A to function, a requisite would be added requiring that fileset A is

installed along with fileset B. The lslpp p command can be used to list requisites forinstalled filesets.

6.1 PTFA PTF (Program Temporary Fix) is a fileset update at a specific VRMF level. PTF

numbers are only used for the purpose of distribution, and are not tracked in the AIX 5Lsoftware vital product database. Installed filesets and their VRMF levels are tracked by

AIX 5L.

6.2 APARAn APAR (Authorized Program Analysis Report) is a description of a problem and its

resolution. An APAR fix can involve one or more fileset updates (PTFs).

Some APARs are classified for certain conditions. These special classifications include:

Security - those related to Security issues. It is recommended that these beinstalled immediately.

HIPER/PE - those marked as HIPER (High Impact and/or Pervasive) or PE(PTFs in Error a PTF that causes a regression of previous existing function). Itis recommended that these be installed immediately if you utilize the function

affected by the problem. Although not all PEs are critical in nature, theirinstallation is recommended so the regression does not cause additional problems.


15/34



7 System Backup and RecoveryHaving a backup and recovery plan in place is one of the most important aspects ofsystem administration. Things can go wrong, everything from power outages and disk

drive failures, to a root user running commands in the wrong directory.

Performing system maintenance is one of the times that you want to be sure you have areliable and fast recovery scenario in place. Introducing any change to a system is a risk,

and some changes can be easier to back out than others. For example, the emgr -m(mount) option can be used when applying an interim fix, meaning that the interim fix

files are mounted over the target files instead of replacing them. This process of applyinga fix is very useful for special situations such as installing an interim fix containing libc.a,

because once executables run and link to libc.a it may be difficult to remove the interimfix and return to the original libc.a if problems are encountered. Utilizing the emgr

mount option allows a system reboot to restore the original files automatically since areboot will unmount all existing mounted files and only mount what is specified in

/etc/filesystems when the system is restarted.

Most files can be easily rolled back, since interim fixes and PTF updates are created toallow files to be easily restored. So even though it is recommended to have a backup

scenario in place, the first option for recovery when applying a PTF update or an interimfix should be to reject the update or to remove the interim fix.

Since the reject operation is not recommended for Technology Levels, a recovery plan

should be in place in case problems are encountered when upgrading to a new TL.

The AIX 5L alt_disk_install, mksysb, and multibos commands are also very useful for

backup and recovery planning.

7.1 alt_disk_installThe alt_disk_install command allows users a way to update the operating system to thenext release or Technology Level without taking the machine down for an extended

period of time. This can be done in two ways: by installing a mksysb image on a separatedisk, or by cloning the current system and then applying updates to get to the nextTechnology Level on a separate disk. If a problem is encountered with the new level, the

bootlistcommand can be run after the new disk has been booted, and the bootlist can bechanged to boot back to the original disk in order to get the system back to the original

level.

7.2 mksysbThe mksysb command creates a backup of the operating system (specifically, the root

volume group). You can use this backup to reinstall a system to its original state after ithas been corrupted. If you create the backup on tape, the tape is bootable and includes

the installation programs needed to install from the backup.


16/34



7.3 multibosBeginning with AIX 5L 5300-03, the multibos utility allows the root level administratorto create and maintain two bootable instances of the AIX 5L Base Operating System

(BOS) within the same root volume group (rootvg). This utility is provided primarily as

an upgrade vehicle.

The multibos utility allows the administrator to access, install maintenance, update, and

customize the standby instance of BOS (during setup or in subsequent customizationoperations) without affecting production on the running instance. Migration to later

releases of AIX 5L will be supported when they are available, so that will be a futureoption to keep in mind.

The file systems /, /usr, /var, /opt, and /home, along with the boot logical volume must

exist privately in each instance of BOS. The administrator has the ability to share or keepprivate all other data in the rootvg. As a general rule, shared data should be limited to file

systems and logical volumes containing data not affected by an upgrade or modificationof private data.

When updating the non-running BOS instance, it is best to first update the running BOSinstance with the latest available version ofmultibos (which is in the bos.rte.bosinst

fileset).


17/34



8 Previewing UpdatesWhen PTF updates are downloaded from the IBM Support Web site (Fix Central) orusing SUMA (Service Update Management Assistant), or retrieved from media, you

should always perform a preview installation before attempting any software install.

The preview option is available from SMIT, WebSM, and using the install_all_updatescommand (with the -p option). The preview option will verify that all of the updates are

available, including any requisite updates. While installp will always attempt to apply asmany updates as it can, it is not recommended to install any updates if everything is not

in place for a successful install, especially with Technology Levels.

Keeping updates in separate repositories (or LPP_SOURCES for NIM) is a good idea ifyou only want to apply specific updates to your machines. If you keep all of your

updates in one repository, you may get warnings about superseded updates when trying toapply specific fixes. The lppmgrcommand can help maintain your repository by

cleaning up superseded updates.


18/34



9 ToolsThere are numerous tools available to assist with keeping current software updates on

your system.

9.1 SUMAAs system administration becomes more time consuming and complex, it is often a

roadblock that prevents maintaining systems with current software fixes. The ServiceUpdate Management Assistant (SUMA) moves the system administrator away from the

manual task of retrieving maintenance updates from the Web. SUMA provides clientswith flexible, task-based options allowing them to perform unattended downloads of

AIX 5L software updates from the IBM Support Web site, thereby allowing clients tomove toward an automatic maintenance strategy which helps reduce the time spent on

system administration.

The SUMA AIX 5L Web site contains a technical white paper with a high-level overview

of SUMA functionality (http://www.ibm.com/servers/AIX/whitepapers/suma.htm l).

9.1.1 Functional HighlightsSUMA offers system administrators the power to setup the capability of automating thedownload of maintenance fixes onto a system and supports a comprehensive set of

features:

Automated task-based retrieval of multiple fix types (APAR, PTF, Critical,Security, Latest, Fileset, Maintenance Level)

Three task actions allow for download preview, actual download of updates, orcombining the download with a fix repository cleanup (utilizing lppmgr)

A scheduling module allows policies to be run at various intervals in order toconform to necessary maintenance windows

E-mail notification of update availability and task completion

Support for HTTP, HTTPS, and FTP transfer protocols and proxy servers

Filtering options allow comparisons against an installed software inventory or amaintenance level

9.2 Compare_reportThe AIX 5L compare_reportcommand allows clients to maintain a proactive fix strategyby providing them an easy way to ensure their systems are at the latest maintenance level

or latest level. A comparison can be done between the filesets installed on a standalonesystem and the contents of an image repository or a list of fixes available from the IBM

Support Web site to determine the fixes that need to be downloaded.

The following site contains additional details on using the compare_reportcommand:

http://www-912.ibm.com/eserver/support/fixes/techTips.html
http://www.ibm.com/servers/AIX/whitepapers/suma.htmlhttp://www-912.ibm.com/eserver/support/fixes/techTips.htmlhttp://www-912.ibm.com/eserver/support/fixes/techTips.htmlhttp://www.ibm.com/servers/AIX/whitepapers/suma.html


19/34



9.2.1 Functional HighlightsThe compare_reportcommand provides the following functions:

Compares the filesets installed on a system to a list of fixes available from theIBM Support Web site or a fix repository

Generates reports detailing which fixes are required for a system to be at the latestlevel or latest maintenance level

Reports may be uploaded to the Compare report page (select based on yourdesired OS level) on the IBM Support Web site

(http://www.ibm.com/eserver/support/fixes/FixReleaseInfo.jsp?system=2&release=5.2)and fixes may then be downloaded utilizing normal Web site interfaces
http://www.ibm.com/eserver/support/fixes/FixReleaseInfo.jsp?system=2&release=5.2http://www.ibm.com/eserver/support/fixes/FixReleaseInfo.jsp?system=2&release=5.2http://www.ibm.com/eserver/support/fixes/FixReleaseInfo.jsp?system=2&release=5.2


20/34



10 Usage Scenarios10.1 OverviewDetermining a method to keep your system up-to-date with AIX 5L software updates isan important part of system administration. By having a better idea of how to maintain

your system, you will be able to take advantage of the benefits of having current softwareupdates, including increased security and reliability benefits, as well as the reduced

downtime and total cost of ownership that come with keeping current fixes on a system.

When utilizing the scenarios in this section it is recommended to establish a process that

groups the steps into stages. These stages can provide a structure for business bestpractices and are described in general below:

10.1.1AwarenessThe Awareness stage centers on the ability to perform preventative maintenance by being

able to determine if a fix is available for your system. Examples include:

Being notified by an automated SUMA task that a specific fix or group of fixes isavailable or has been downloaded

Subscription service

Running the compare_reportcommand to determine the fixes available to get asystem to the latest level or latest maintenance level and being able to downloadthem

CERT Advisories

10.1.2DecisionThe Decision stage relates to assessing the business impact of installing the available

fixes. Examples include:

Performing a preview installation of the available fixes to gather informationabout requisite, space, and reboot requirements

Obtaining information about the fixes, such as what has been fixed or changed

Testing the fixes on non-production systems and confirming their readiness fordeployment. For example, adopting a level and a timeframe of testing on bronze,

silver, and gold systems. Or, to put it another way, a development system, a testsystem and a production system.

10.1.3ImplementThe Implement stage focuses on performing the deployment and installation of the

available fixes. Examples include:


21/34



Performing a NIM installation of clients within an available maintenance window

Using the alt_disk_install command to perform the update in order to minimizethe impact to the running system, and then planning the switch to the new

software level during the weekend

10.1.4 VerifyThe Verify stage involves utilizing tools to ensure that systems are in compliance withestablished criteria. Examples include:

Checking that a system is in compliance with the approved level of security fixes

Running the compare_reportcommand to confirm that two clients are at the samesoftware inventory level

Verifying that a systems level of software meets an established baseline


22/34

10.2 Proactive Maintenance with SUMAUsing some of the sample timeframes described in the Maintenance Strategy Models

section for when clients may choose to move to the next Technology Level, this sectiongives some recommendations for using SUMA to monitor for the availability of new

Technology Levels, Service Packs, and Concluding Service Packs.

10.2.1Latest LevelClients who choose to move to a new TL when it is released may find setting up thefollowing types of SUMA tasks helpful.

Check monthly for a new TL Since a TL is released approximately every 6 months, amonthly check may be appropriate. You may schedule a SUMA task with a command

similar to the one below to check monthly (for example, on the 15th

of every month at2:30am) whether a new TL has been released. An email notification will be sent with the

results of the check.

You may also elect to automatically download the filesets in this Technology Level bysetting Action equal to Download instead of Preview in the command below. In thiscase, the filesets will only be downloaded, and no installation will occur.

suma s 30 2 15 * * a Action=Preview a RqType=ML a RqName=5300-04 a

FilterML=5300-03 a NotifyEmail=bob.smith@host3

Note: Currently SUMA uses the previous terminology of ML (Maintenance Level)

instead of TL (Technology Level). Both will be supported in future versions.

This command performs a Preview (no download will occur) to check if TL 5300-04 has

been released. The FilterML setting specifies that the client already has filesets in the5300-03 level.

If 5300-04 has been released, the notification email will contain the list of filesets in TL5300-04 that would be or were downloaded. If 5300-04 is not yet available, the email

notification will contain a message similar to Invalid requested ML level:V530004.

Check weekly for a new SP Since a SP is released approximately every 4-6 weeks, a

weekly check may be appropriate. To check weekly (for example, every Thursday at3:00am) and receive an email notification indicating whether a new SP has been released,

and have the Service Pack automatically downloaded if it is found, you may schedule a

SUMA task with a command similar to:

suma s 0 3 * * 4 a Action=Download a RqType=SP a RqName=5300-04-01 a

FilterML=5300-04 a NotifyEmail=bob.smith@host3

This command will download Technology Level 5300-04, Service Pack 1, when itbecomes available. The FilterML setting specifies that the client already has filesets in

the 5300-04 level.


23/34



10.2.2Maximum StabilityClients following a Maximum Stability maintenance model may wish to monitor when

the Concluding Service Pack is released. When the CSP comes out, they could utilizeSUMA to download both the N-1 TL and its corresponding CSP.

Since those adhering to this model are not moving to the latest TL when it is released,they would not have to utilize SUMA to regularly check for the release of a TL or

Service Packs.

Check monthly for a new CSP Since a CSP is released approximately every 6 months,

a monthly check may be appropriate. You may schedule a SUMA task with a commandsimilar to the one below to check monthly (for example, on the 15

thof every month at

2:30am) whether a new CSP has been released. An email notification will be sent withthe results of the check.

You may also elect to automatically download the filesets in this CSP by setting Action

equal to Download instead of Preview in the command below. In this case, thefilesets will only be downloaded, and no installation will occur.

suma s 30 2 15 * * a Action=Preview a RqType=SP a RqName=5300-04-CSP

a FilterML=5300-04 a NotifyEmail=bob.smith@host3 a

DLTarget=/tmp/530004

The above suma command will return a SUMA task ID that may later be used to performan immediate download of a schedule task. For example, the following command could

be used to immediately download the 5300-04-CSP that had the Preview actionscheduled above to check for its release. (Assumes task ID of 4 was returned.)

suma x a Action=Download 4

Once you have been notified that a new CSP has been released, you can also perform an

immediate download of the corresponding TL using the following command:

suma x a Action=Download a RqType=ML a RqName=5300-04 a

FilterML=5300-03 a DLTarget=/tmp/530004

Note: Currently SUMA uses the previous terminology of ML (Maintenance Level)

instead of TL (Technology Level). Both will be supported in future versions.

The command will perform a download of the 5300-04 TL into the /tmp/530004

directory. Both the 5300-04 TL and CSP may then be installed at the same time byutilizing the SMIT menus found at the smitty install_all fast path.

10.2.3 Yearly UpdateClients following the Yearly Update maintenance model may wish to monitor when

Technology Levels and Concluding Service Packs are released.


24/34



The process of utilizing SUMA to automatically check for when a TL or CSP is releasedis similar to what is described in the preceding Latest Level (to check monthly for a

new TL) and Maximum Stability (to check monthly for a new CSP) sections, so pleaserefer to those sections.

10.3 Standalone with Internet accessThis scenario will detail the steps to retrieve the latest level of software updates for astandalone system running AIX 5L ML 5200-06.

Since the AIX 5L system has Internet access, it can use the AIX 5L suma command to

download updates.

Prior to running the suma command, any authentication should be performed to ensure

the system has Internet access. To verify the system is connected to the Internet, whichwill allow for the download of fixes from the IBM Support Web site, enter the following

command (performs a Preview download with no files being downloaded):

suma x a Action=Preview a RqType=Latest

If the following message is returned, the system is not authenticated to access the Internetand you should contact your administrator to determine the steps necessary to allow your

system to access the Internet.

0500-013 Failed to retrieve list from fix server.

10.3.1Download the latest fixes periodically (using suma command line)Perform the following steps to setup a SUMA task to download the latest updates

periodically:

1. To create and schedule a task (it will not run the task) that will check monthly (forexample, on the 15

thof every month at 2:30am) for the latest updates, and send email

notifications to users on a remote system, type:

suma s 30 2 15 * * a RqType=Latest a NotifyEmail=bob.smith@host3

Note: A task ID will be returned for this newly created task. This example will utilizeSUMA task defaults, as displayed by suma D, for any Field=Value pair not specified on

the command line. For example, with the task default of DLTarget=/usr/sys/inst.images,

the updates in installp format will be downloaded into /usr/sys/inst.images/installp/ppc.

A SUMA task has now been created and scheduled that will automatically run everymonth to check for the latest level of software updates available and download any new

updates found. The inventory of the system will be used to determine if more recentupdates are available.


25/34



2. If you wish to run this newly created task immediately, and perform a Previewoperation instead of a Download, type the following command to return a list of the latest

level updates that are available for the filesets installed on the system (assume task ID 2was returned from the task created in step 1):

suma x a Action=Preview 2

Note: Email notifications are only sent for scheduled tasks, not those run immediately.

2a. If you wish to return a list of all the latest updates, including those for filesets notinstalled on the system from which suma is being run, enter the following command,

which sets the FilterSysFile field to ignore the system inventory:

suma x a Action=Preview a FilterSysFile=/dev/null 2

3. If you wish to list information on the above SUMA task, type:

suma 1 2

10.3.2Download a specific APAR (using suma SMIT easy menus)Perform the following steps to download a specific APAR using the SUMA SMIT

menus:

1. Type the following smitty fast path to view the current SUMA task defaults. Thesewill be utilized as default values when performing operations from the SUMA Easymenu without being asked for.

smitty suma_task_defaults


26/34



Pay attention to Action (specify whether a Download or Preview is preferred) andDirectory for item storage (the DLTarget where the APAR will be downloaded). For

example, with the task default of DLTarget=/usr/sys/inst.images, updates in installpformat will be downloaded into /usr/sys/inst.images/installp/ppc.

There is no need to change the Type of item to request field value to APAR (fromthe default setting of Security) as this will automatically be changed to APAR once

the APAR selection is made from the Easy menu.

2. To access the Download Updates Now (Easy) menu, type:

smitty suma_easy


27/34



3. Select Download by APAR Number

4. Type the APAR number (e.g. IY12345), and press Enter.

The APAR will now be immediately downloaded into the DLTarget directory, if

available.

10.4 Standalone with no Internet accessThis scenario will detail the steps to retrieve the latest level of software updates for asystem running AIX 5L ML 5200-06. Since the AIX 5L system has no Internet access, it

can use the AIX 5L compare_reportcommand, along with a client having Internetaccess, to download updates.

10.4.1Download the latest fixes (using compare_report command line)Perform the following steps to download the latest updates:

1. Utilizing a client having Internet access, download the appropriate latest fix data filefrom the Compare report page of the IBM Support Web site by selecting the Data file

for AIX 5.2 link. This file contains a list of the latest available updates.

http://www-912.ibm.com/eserver/support/fixes/FixReleaseInfo.jsp?system=2&release=5.2
http://www-912.ibm.com/eserver/support/fixes/FixReleaseInfo.jsp?system=2&release=5.2http://www-912.ibm.com/eserver/support/fixes/FixReleaseInfo.jsp?system=2&release=5.2


28/34



2. Copy the LatestFixData52 file to your AIX 5L system.

3. Run thecompare_report command to compare the filesets installed on the AIX 5L

system (-s option) with the filesets available in the latest fix data file (-r option) togenerate a report of the latest fixes not currently installed on your AIX 5L system. Using

the l option will generate a report file lowerthanlatest1.rpt (in /tmp by default) thatlists the filesets on the system that are at a lower level than the latest level.

/usr/sbin/compare_report s r /tmp/LatestFixData52 l

4. Upload the lowerthanlatest1.rpt report file to the Compare report page of the IBM

Support Web site. The PTF numbers contained in the report file will be used to provide

the requested fixes.

5. Use the normal IBM Support Web site interfaces to download the needed fixes.

10.4.2Download a specific APAR (using the IBM Support Web site)Perform the following steps to download a specific APAR using the IBM Support Website:


29/34



1. Go to the Specific fixes page for your desired OS level (e.g. AIX 5L V5.2).

http://www.ibm.com/eserver/support/fixes/search.jsp?system=2&release=5.2

Note: Future enhancements to the Fix Central Web site will allow for selection of a

Specific fix from the main Fix Central page for Unix servers.

2. Select to Search by APAR number.

3. Type in the APAR number (e.g. IY12345), and press Go.

4. Use the normal IBM Support Web site interfaces to download the APAR.

10.5 More than one system with Internet accessThis scenario will detail the steps to retrieve the latest level of software updates for

multiple systems running AIX 5L ML 5200-06.

Since the AIX 5L systems have Internet access, they can use the AIX 5L suma command

to download updates and NIM to distribute the updates to multiple systems.

Prior to running the suma command, any authentication should be performed to ensure

systems have Internet access. To verify systems are connected to the Internet, which willallow for the download of fixes from the IBM Support Web site, enter the following

command (performs a Preview download, with no files being downloaded):

suma x a Action=Preview a RqType=Latest
http://www.ibm.com/eserver/support/fixes/search.jsp?system=2&release=5.2http://www.ibm.com/eserver/support/fixes/search.jsp?system=2&release=5.2


30/34



If the following message is returned, the system is not authenticated to access the Internetand you should contact your administrator to determine the steps necessary to allow your

system to access the Internet.

0500-013 Failed to retrieve list from fix server.

10.5.1Download the latest fixes (setup suma on all NIM clients)To setup a SUMA task to download the latest updates periodically, the same steps

documented in the Standalone with Internet access section may be utilized.

Note: Depending on the number of systems you wish to maintain with the latest fixes,

you can either setup a suma task on all NIM clients, or setup a suma task only on theNIM master (described in the next section):

For a small number of NIM clients, it is recommended that a SUMA task be setup oneach NIM client. This provides the advantage of being able to download the specific

fixes that each client needs directly to the client automatically.

10.5.2Download the latest fixes (setup suma only on NIM master)For a large number of NIM clients, where it might not be feasible to setup a suma task oneach client, you may download all of the latest fixes available for each OS release level

by setting up suma tasks on the NIM master. The disadvantage of this approach is that itdoesnt utilize the client inventories to allow for download of only applicable clients

updates, but rather downloads all available updates for an OS release level.

Sample commands to do this, similar to the commands shown in the Standalone with

Internet access section, would be the following to create a new SUMA task:

suma s 30 2 15 * * a RqType=Latest a NotifyEmail=bob.smith@host3

Then to establish NIM lpp_source directories containing fixes for each OS release levelsupported by the NIM master, type (assuming task ID 2 was returned from the above

command):

suma x a Action=Preview a FilterSysFile=/dev/null a FilterML=5300-02 a

DLTarget=/lpp_source53 2

suma x a Action=Preview a FilterSysFile=/dev/null a FilterML=5200-06 a

DLTarget=/lpp_source52 2

Setting Action equal to Download instead of Preview in the command above will

perform the actual download and establish separate lpp_source directories on the NIMmaster that will support the various OS release levels of the NIM clients.


31/34



10.6 More than one system with no Internet access10.6.1Download the latest fixes (compare_report using inventory from clients)This scenario will detail the steps to retrieve the latest level of software updates for

multiple systems not having Internet access. The AIX 5L compare_reportcommand,along with a machine having Internet access, can be used to download updates.

Perform the following steps to download the latest updates:

1. Utilizing a machine having Internet access, download the appropriate latest fix data file

from the Compare report page of the IBM Support Web site by selecting the Data filefor AIX link. This file contains a list of the latest available updates. For example, for

AIX 5L V5.2 the file can be found here:

http://www.ibm.com/eserver/support/fixes/FixReleaseInfo.jsp?system=2&release=5.2

2. Copy the LatestFixData52 file to a NIM master so that it can be made available tomultiple NIM clients. (E.g. /52/LatestFixData52)
http://www.ibm.com/eserver/support/fixes/FixReleaseInfo.jsp?system=2&release=5.2http://www.ibm.com/eserver/support/fixes/FixReleaseInfo.jsp?system=2&release=5.2


32/34



3. NFS export the /52 directory to allow access by other NFS clients. Enter one of thefollowing commands as root to allow read-write access, so clients can later copy results

to the exported directory.

/usr/sbin/mknfsexp d /52 t rw

Or to give access to specific clients:

/usr/sbin/mknfsexp d /52 t rw c

Note: To stop exporting the directory to clients, type:

/usr/sbin/rmnfsexp d /52

4. NFS mount the directory on the client by typing the following on the client:

mount :/52 /mnt

5. Run the compare_reportcommand to compare the filesets installed on the AIX 5Lsystem (-s option) with the filesets available in the latest fix data file (-r option) to

generate a report of the latest fixes not currently installed on your AIX 5L system. Usingthe l option will generate a report file lowerthanlatest1.rpt (in the /tmp by default) that

lists the filesets on the system that are at a lower level than the latest level.

/usr/sbin/compare_report s r /mnt/LatestFixData52 l

6. Give the lowerthanlatest1.rpt report file a unique name (e.g. client1.rpt).

7. Copy the uniquely named report file to the NIM master (e.g. /mnt/client1.rpt) that willreceive the report files from all the NIM clients at specific OS release levels.

/usr/bin/cp /tmp/client1.rpt /mnt

8. Repeat steps 4-7 above for each NIM client or system that you wish to have installed

with the latest level of fixes, altering the unique name given in step 6 and the copycommand in step 7 (e.g. cp /tmp/client2.rpt /mnt, etc.).

Note: For a V5.3 system, step 2 would copy the LatestFixData53 file, and the other steps

would utilize a /53 directory so the AIX 5L V5.3 based files can be handled separatefrom the AIX 5L V5.2 based report files.

9. For each OS release level, combine all of the report files on the master into a single

file, sorting to remove duplicate entries, using a command similar to below:

cd /52; cat client1.rpt client2.rpt client3.rpt | sort u > full52.rpt

OR


33/34



cd /52; cat * | sort -u > full52.rpt

10. Upload the full52.rpt report file to the Compare report page of the IBM SupportWeb site (shown in step 1). The PTF numbers contained in the report file will be used to

provide the requested fixes.

11. Use the normal IBM Support Web site interfaces to download the needed fixes to anOS level location on the NIM master. For example, the fixes requested by full52.rpt can

be copied into a/lpp_source52 directory on the NIM master, the fixes requested byfull53.rpt can be copied into a/lpp_source53 directory, etc.

The different lpp_source directories will then hold the latest level of fixes for a specific

OS release level and can be used to support clients at varying OS release levels.

12. To setup a directory (e.g. /lpp_source52) as a NIM lpp_source resource, type thefollowing where 52_lpp is the NIM resource name being assigned:

nim -d define -t lpp_source -a server= -a location=/lpp_source52 52_lpp

13. To setup the NIM clients as a machine group (so they can be updated with one

command), type the following, where 52_client_grp is the name of the machine groupbeing created:

nim -o define -t mac_group -a add_member= \

-a add_member= 52_client_grp

For an environment with a large number of NIM clients it may be more convenient tosetup the machine group thru the SMIT menus instead of listing each client on the

command line. In this case, type:

smitty nim_mkgrp_standalone

14. To perform a NIM operation to update all software on a machine group of NIMclients or a single NIM client, type the following:

To update the 52_client_grp machine group, type:

nim -o cust -a lpp_source=52_lpp -a filesets=all 52_client_grp

To update a single client, type:

nim -o cust -a lpp_source=52_lpp -a filesets=all


34/34


IBM Corporation 2006

IBM CorporationMarketing CommunicationsSystems and Technology GroupRoute 100Somers, New York 10589

Produced in the United States of AmericaFebruary 2006

All Rights Reserved

This document was developed for productsand/or services offered in the United States.IBM may not offer the products, features, orservices discussed in this document in othercountries.

The information may be subject to changewithout notice. Consult your local IBMbusiness contact for information on theproducts, features and services available inyour area.

All statements regarding IBM future directionsand intent are subject to change or withdrawalwithout notice and represent goals andobjectives only.

IBM, the IBM logo, AIX 5L logo, AIX, AIX 5L,pSeries are trademarks or registeredtrademarks of International BusinessMachines Corporation in the United States orother countries or both. A full list of U.S.trademarks owned by IBM may be found at:http://www.ibm.com/legal/copytrade.shtml.

Other company, product, and service namesmay be trademarks or service marks of others.

Information concerning non-IBM products was

obtained from the suppliers of these productsor other public sources. Questions on thecapabilities of the non-IBM products should beaddressed with the suppliers.

The IBM home page on the Internet can befound at http://www.ibm.com.

The System p5 and~ p5 home page onthe Internet can be found athttp:www.ibm.com/systems/p.
http://www.ibm.com/legal/copytrade.shtmlhttp://www.ibm.com/http://www.ibm.com/http://www.ibm.com/http://www.ibm.com/legal/copytrade.shtml

Aix Service Strategy

Documents

Transcript of Aix Service Strategy