How to Add and Delete Persistant Routes in AIX

Chatter-phone-300x234Wow, AIX does not like to make anything easy. Nor do they like to make things intuitive. Need to remove a route from AIX, well get ready to have one command to temporariliy remove a route and another command to remove the route for good. Same goes with adding a route. "Quit your bitching, and use Smitty", you say? Well smitty does not make anything any easier, especially since the UI likes to show you fields that you does not necessarily need you to use. Oh, plus they let you type in them. Asking me for a netmask when adding a static route does not seem like a crazy request to me? But jokes on you, you were not supposed to type anything there.

Anyway, I was tasked with cleaning up a few bad routes that were added to a handful of servers. Note that I was not interested in adding the routes temporarily before I added them as persistent routes. These were simple one liners that I felt very comfortable adding to the ODM right out the gate.

So first we need to check the ODM for the routes that we need to remove. In this example we want to delete the route fro 10.11.1.56, so lets find just that route. Note all of these are host routes.

# lsattr -El inet0 | grep 10.11.1.56
route host,-hopcount,0,,-if,en1,,,,-static,10.11.1.56,10.22.13.1 Route True

 

Now lets delete the route above

# chdev -l inet0 -a delroute=10.11.1.56,10.22.13.1

 

We have a second route to delete so lets kill that one too

# chdev -l inet0 -a delroute=10.11.1.57,10.22.13.1

 

Now lets add the correct routes – the format is as shown below

chdev -l inet0 -a route=host,-hopcount,1,-netmask,netmask,network,gateway

 

Now on a few of the servers I was working on I had to remove network routes as well as host routes. You need to know that the syntax is anoyingly different adding network routes. In the example below I first need to remove the network route.

chdev -l inet0 -a delroute="net,-hopcount,0,,,,,,-static,10.11.1.56,10.11.1.254"

 

Now lets add our new and correct route

chdev -l inet0 -a route="host,-hopcount,0,,,,,,-static,10.11.1.56,172.30.150.190"

Related articles

Basic AIX Performance Troubleshooting Commands
How to Add Multiple Routes in Linux Using ip Command Examples
PowerPath, AIX 5.3, and LTG: Solutions

How to Manage Password Aging in Solaris, AIX, and Linux

LogoIts possible that sometime in your short, meaningless life, you may need to create an account that has a password that is set to never expire. This is somethimes the case with headless accounts and specialty accounts such as the type you might have to setup for monitoring or security scanning. You might also find yourself setting up shared headless accounts that have locked passwords in order to block direct logins. This second scenario can be especially troublesome when this is some sort of application or database user with cron jobs, as even an account without a password and expire and lock. If this occurs all of a users cron jobs will fail. All because the account expired.

So today we are going to configure a user password not to expire.

Lets start with Solaris. First lets unlock the account just in case.

passwd -d username

Now you can turn off password aging for a user with the command below.

passwd -x -1 username

You can then verify your config with the following.

passwd -s dmadmin

The output of the command above should look similar to what I have below. In this example our user id is myuser.

#passwd -s myuser
myuser  PS

Compare what you see above to the output below for our example myuser1, which includes the date that the password was last changed, the minimum number of days between password changes, the maximum number of days required between password changes, and the number of days of warning a user is given before a password expires. Standard system password aging and expiration still applies.

#passwd -s myuser1
myuser1  PS    09/30/13     7    28     7

Now lets move on to Linux. First lets ulock. Then we will configure the password to not expire. Then we can verify our work with the chage -l command.

passwd -u username
chage -m 0 -M 99999 -I -1 -E -1 username
change -l username

So now lets take a visit to AIX land. Remember to not stay long. Again, its always best to make sure that the current password is not locked. Then we configure the password to not expire. Finally we step back and admire our work.

chuser account_locked=false username
chuser maxage=0 username
lsuser -f USERNAME | fgrep expires

Related articles

SuperUser in Linux
How to Unlock an account in Linux
How to Reset a Password on Unix
Much Todo About Linux/RHEL Passwords
Enycrypting Passwords Via SSL for Redhat Kickstart Configuration Files
How to disable an user account in Linux

AIX – Check Availiable Memory, Free Memory, and Used Memory in Gigabytes

Dunce-cap-2Dunce Cap… seriously is that a real thing. Have you or someone you know ever have had to wear one? Or is this just something made up for tv and movies… anyway I digress.

Everything is harder in AIX – like looking at memory statstics and viewing them in a normal human readable format (like gigabytes). Because apparently IBM knows best and like to show me free memory in 4k bytes (and filesystem sizes in 512-blocks).

Anyway while I was working on a production server with high memory usage found this nice little blog artice which contains a simple script for viewing availiable memory, free memory, and used memory in gigabtyes.

Link below:

http://karellen.blogspot.com/2012/01/available-used-and-free-memory-in-aix.html

And for my own selfish purposes I copied the script below — just in case the link above dies at somepoint.

#!/bin/ksh
memory=`prtconf -m | awk 'BEGIN {FS=" "} {print
$3/1024}'`
usedmem=`svmon -G | grep memory | awk 'BEGIN {FS=" "} {print
$3/256/1024}'`
freemem=`echo $memory-$usedmem | bc -l`

#
Conclusion
echo "Avai Mem: $memory GB"
echo "Free Mem: $freemem
GB"
echo "Used Mem: $usedmem GB"

 

Anyway.. AIX sucks and I hate it.

 

Related articles

New IBM servers meet Energy Star 2.0 guidelines
Sudosh Make Me a Sandwich: Install and Configure Sudosh in Solaris 9/10
IBM Power Systems with POWER7 and AIX & Linux Technical Sales Skills – v2 (000-225)

Disable SSH for SFTP Users in UNIX and Linux

Lego_IronManSFTP is a file transfer mechanism that is an extension of the SSH (Secure Shell) protocol and by design they share the same configuration file (/etc/ssh/sshd_config). By default when a user is given access to a server via SSH they also gain access to a server via SFTP. however it is pretty easy to disallow SFTP access with a couple short lines added to the end of the sshd_config.

In this example we could create a Unix group of "no-sftp" and add whatever users we want to into this group. Then drop the two lines below into the sshd_config and block sftp access

Match Group no-sftp
Subsystem   sftp  /bin/false

However lets consider the opposite scenario…

You have users that you want to be able to use SFTP to transfer files but you do not want to allow the user to login to the server. You can't just drop a couple lines in the sshd_config to allow sftp but not ssh, because ssh does not work this way. You also cannot just change the users shell to something like /bin/false, as this will also block SFTP access as well as SSH access. Note: It is for this very reason that I personally choose never to choose to use SFTP as a file transfer protocol… this is why we have VSFTP. By using a separate daemon with a separate config file you have a lot more control over your environment.

So how do you disable ssh only for these users you ask? Well lets look at Linux and Solaris first.

First drop the script below into /usr/local/bin/sftponly and make it executable.

#!/bin/bash
if [[ "$2" = *sftp-server ]]
then
        exec /bin/bash "$@"
else
        echo "User '$LOGNAME' is only allowed access via sftp."
        exit 1
fi

Now for any user that you need to block ssh access, just change their shell to /usr/local/bin/sftponly, and if they come in via any other method then SFTP they will be booted right off the box. But if they come in via SFTP its business as usual.

Now AIX is a bit different – here there is actually a built in mechanism for dealing with such a situation. Here you change the user's login shell to /usr/sbin/sftp-server which pretty much does the same thing (in regards to blocking ssh access) but without the fancy error message.

Note that this is obviously not an ideal solution, but if you are like me and you are stuck with a piss poor configuration and need to block SSH access without re-inventing the wheel, or breaking any existing processes.. and you need to do so quickly and easily this is the best solution for the money.

Related articles

Install and Configure SNMP on the Asus RT-AC66U Router
HomeLab: Simple DHCP Service Configuration on a Cisco Router
Secure File Transfer Protocol (sftp)
How to set up Chroot Sftp?
Options for file sharing via SSH in OS X

 

Basic AIX Performance Troubleshooting Commands

600px-Orange_x.svgWow, today I logged into my first AIX Server in about 4.5 years. It was a horrible experience. I’ve been working with Redhat/CentOS pretty much exculsively for so long, I was mostly helpless to do anything of importance on the CLI other than create a few users and move some files around.  None of the common commands that I am so used to using even exist in AIX.

Figured I would do a bit of homework and figure out how to do some basic troubleshooting before I was in a server down situation with no idea how to troubleshoot.

Checking Free Memory

To check free memory on a box use the svmon command.

svmon -G

Overall System Status

For this you will probably want to use topas, which is pretty simiar to top. Topas gives you a quick and dirty overview of what is going on on a system. Here you can find CPU usage, top processes, disk utililization. Check out the fancy screen shot below.

Top-ass1

List Volume Groups

Wow, Linux has really confused me on this one. Anyway, use lsvg

# lsvg -o
rootvg
crsrdb_bin
crsprdb_data
crsprdb_index
crsprdb_arch
crsprdb_rman

List Info About a Volume Group.

# lsvg rootvg

Display Names of all Logical Volumes in a Volume Group.

# lsvg -l rootvg

Display Physical Memory

# lsattr -El sys0 -a realmem

Finding Disk I/O Issues

Sar appears to be a fine option here. Especially since I am looking for percent busy. Iostat also exists on AIX, btw.

# sar -d 1 2

Show Network Throughput

The more I poke around the internet trying to figure out how to actually use AIX the more I keep running into topas. Anyway this one is a good one

#topas -E

I plan to have more of these one liners documented here in the future, but for now this is going to have to do.

Recovering from failed vxevac

Ilovebunt3-214x300

If you have ever evacuated disks in Veritas, every so often this will happen to hang.  Usually you terminate your session or who knows what.  Kinda like Joe Girardi's willingness to sacrifice outs for no good reason every time the Yankees hottest hitter is at the plate.  It happens, you can't explain it, you move on.  Back to technology – vxtask list shows no tasks, but you get errors trying to rerun the failed evac. 

 

For example:

Plex %5 in volume rman is locked by another utility

Plex rman-01 in volume rman is locked by another utility

Subdisk rman_7_tmp-01 in plex rman-01 is locked by another utility

vxprint -hf is our best friend, as it shows you any flags that are set

v  rman    fsgen        ENABLED  15625864960 -     ACTIVE   ATT1    –

pl %5           rman   ENABLED  11719399168 -     TEMPRM   SDMVTMP –

sd rman_6-01 %5         ENABLED  1953232896 9766166272 -    SDMVDST –

pl rman-01 rman    ENABLED  15625864960 -     ACTIVE   SDMV1   –

sd rman_1-01 rman-01 ENABLED 1953234688 0     -        -       –

sd rman_2-01 rman-01 ENABLED 1953232896 1953234688 -   -       –

sd rman_3-01 rman-01 ENABLED 1953232896 3906467584 -   -       –

sd rman_4-01 rman-01 ENABLED 1953232896 5859700480 -   -       –

sd rman_5-01 rman-01 ENABLED 1953232896 7812933376 -   -       –

sd rman_6_tmp-01 rman-01 ENABLED 1953232896 9766166272 – SDMVSRC –

sd rman_7_tmp-01 rman-01 ENABLED 1953232896 11719399168 – -    –

sd rman_8-01 rman-01 ENABLED 1953232896 13672632064 -  -       -

We can see that we have flags set on the temporary plex (from the failed evac), the subdisk for the temporary plex, the main plex, the subdisk in the main plex, as well as the volume itself.  We need to clear flags to be able to finish re-start our evac.  I will also cut the lines on the vxprint that don't change for the purpose of shortening this post.

vxmend -g rman_dg clear all rman %5

So we cleared the volume and temp plex flags, here's the vxprint -htf output afterwards

v  rman    fsgen        ENABLED  15625864960 -     ACTIVE   -       –

pl %5           rman    ENABLED  11719399168 -     TEMPRM   -       –

sd rman_6-01 %5         ENABLED  1953232896 9766166272 -    SDMVDST –

pl rman-01 rman    ENABLED  15625864960 -     ACTIVE   SDMV1   –

sd rman_6_tmp-01 rman-01 ENABLED 1953232896 9766166272 – SDMVSRC –

 

So now with the flags cleared we can remove the temporary plex

vxplex -g rman_dg -o rm dis %5

 

And once again our new vxprint -htf

v  rman    fsgen        ENABLED  15625864960 -     ACTIVE   -       –

pl rman-01 rman    ENABLED  15625864960 -     ACTIVE   SDMV1   –

sd rman_6_tmp-01 rman-01 ENABLED 1953232896 9766166272 – SDMVSRC –

 

Great, now down to two flags, the one on the plex and the one on the source disk of our original evac.  Clearing flags from subdisks is a lot trickier than clearing flags from volumes and plexes.  Because the tutil0 flga is already set, we will need to force the clear.  We clear by setting it to "".

vxedit -g rman_dg -f set tutil0="" rman_6_tmp-01

 

Once again, vxprint -htf

v  rman    fsgen        ENABLED  15625864960 -     ACTIVE   -       -

pl rman-01 rman    ENABLED  15625864960 -     ACTIVE   SDMV1   –

sd rman_6_tmp-01 rman-01 ENABLED 1953232896 9766166272 – -     –

 

And lastly, we clear the flag on the plex.  Why in this order?   Because I'm writing this up after I fixed my issues.  In the interest of not editing vxprint outputs, it's like this.  In retrospect, this could have been cleared with the first one we ran in the beginning.

vxmend -g rman_dg clear all rman rman-01

 

And finally, the way a vxprint -htf should look when all is healthy.

v  rman    fsgen        ENABLED  15625864960 -     ACTIVE   -       –

pl rman-01 rman    ENABLED  15625864960 -     ACTIVE   -       –

sd rman_1-01 rman-01 ENABLED 1953234688 0     -        -       –

sd rman_2-01 rman-01 ENABLED 1953232896 1953234688 -   -       –

sd rman_3-01 rman-01 ENABLED 1953232896 3906467584 -   -       –

sd rman_4-01 rman-01 ENABLED 1953232896 5859700480 -   -       –

sd rman_5-01 rman-01 ENABLED 1953232896 7812933376 -   -       –

sd rman_6_tmp-01 rman-01 ENABLED 1953232896 9766166272 – -     –

sd rman_7_tmp-01 rman-01 ENABLED 1953232896 11719399168 – -    –

sd rman_8-01 rman-01 ENABLED 1953232896 13672632064 -  -       –

 

At this point, feel free to proceed with your evac again.  If you're wondering what the putil and tutil fields are, here is what I found courtesy of Symantec:

http://www.symantec.com/business/support/index?page=content&id=TECH15609

 

Guest Authored By: @momkvi

 

AIX Logical Volume and Disk Management Commands

Quick Commands:

lslv <logical volume> [-l,
m]

      
      Lists information about the
logical volumes.  The -l option lists the disks in the logical
volume.

lspv <physical volume>
[-l, M, p]

      
      Lists the disks on the server,
including the physical volume will give details about that disk.
The -l option will list the details of how the filesystems are
distributed on the disk.

lsvg <volume group> [-l]
Lists the volume groups on the
server, including the volume group name will give details about that
vg.
The -l option will list the logical volumes in the volume group.

lsvpcfg
      
      Lists each vpath and the hdisks
that make up the vpath

exportvg <volume
group>

      
      removes a volume group from a
machine

extendvg <volume group>
<physical volume>

Adds a new physical volume to an
existing volume group

importvg -y <volume group>
<physical volume>

add a
volume group to another machine

reducevg <volume group>
<physical volume>

Removes a physical volume from
a
volume group

lsdev -C -c disk
lists available disks (and the hdisk#) on the server

lscfg -vl hdisk

Shows advanced information on a disk

rmdev -dl hdisk#

 remove a disk

Sample Procedures:

Check to see if  all of the
logical volumes in a volume group are
mirrored

  • lsvg -l <vg_name>

Procedure to find disks/vpaths that
are unallocated

  • lspv|grep None
    • This will show pvs and whether they are asssociated with a
      volume group
    • Note:  For vpaths, the hdisks will show as none, but they
      may be allocated to a vpath – you must grep each hdisk with the lsvpcfg

Procedure to make a new lun available
to AIX

  • Allocate the new lun on the SAN
  • Run "cfgmgr"
  • Verify the new vpatch/hdisk by running "lsvpcfg"
    • There should be a new vpath and it should be available with no
      volume group – if not, rerun cfgmgr