Wow, AIX does not like to make anything easy. Nor do they like to make things intuitive. Need to remove a route from AIX, well get ready to have one command to temporariliy remove a route and another command to remove the route for good. Same goes with adding a route. "Quit your bitching, and use Smitty", you say? Well smitty does not make anything any easier, especially since the UI likes to show you fields that you does not necessarily need you to use. Oh, plus they let you type in them. Asking me for a netmask when adding a static route does not seem like a crazy request to me? But jokes on you, you were not supposed to type anything there.
Anyway, I was tasked with cleaning up a few bad routes that were added to a handful of servers. Note that I was not interested in adding the routes temporarily before I added them as persistent routes. These were simple one liners that I felt very comfortable adding to the ODM right out the gate.
So first we need to check the ODM for the routes that we need to remove. In this example we want to delete the route fro 10.11.1.56, so lets find just that route. Note all of these are host routes.
# chdev -l inet0 -a delroute=10.11.1.56,10.22.13.1
We have a second route to delete so lets kill that one too
# chdev -l inet0 -a delroute=10.11.1.57,10.22.13.1
Now lets add the correct routes – the format is as shown below
chdev -l inet0 -a route=host,-hopcount,1,-netmask,netmask,network,gateway
Now on a few of the servers I was working on I had to remove network routes as well as host routes. You need to know that the syntax is anoyingly different adding network routes. In the example below I first need to remove the network route.
chdev -l inet0 -a delroute="net,-hopcount,0,,,,,,-static,10.11.1.56,10.11.1.254"
Now lets add our new and correct route
chdev -l inet0 -a route="host,-hopcount,0,,,,,,-static,10.11.1.56,172.30.150.190"
Its possible that sometime in your short, meaningless life, you may need to create an account that has a password that is set to never expire. This is somethimes the case with headless accounts and specialty accounts such as the type you might have to setup for monitoring or security scanning. You might also find yourself setting up shared headless accounts that have locked passwords in order to block direct logins. This second scenario can be especially troublesome when this is some sort of application or database user with cron jobs, as even an account without a password and expire and lock. If this occurs all of a users cron jobs will fail. All because the account expired.
So today we are going to configure a user password not to expire.
Lets start with Solaris. First lets unlock the account just in case.
passwd -d username
Now you can turn off password aging for a user with the command below.
passwd -x -1 username
You can then verify your config with the following.
passwd -s dmadmin
The output of the command above should look similar to what I have below. In this example our user id is myuser.
#passwd -s myuser
myuser PS
Compare what you see above to the output below for our example myuser1, which includes the date that the password was last changed, the minimum number of days between password changes, the maximum number of days required between password changes, and the number of days of warning a user is given before a password expires. Standard system password aging and expiration still applies.
#passwd -s myuser1
myuser1 PS 09/30/13 7 28 7
Now lets move on to Linux. First lets ulock. Then we will configure the password to not expire. Then we can verify our work with the chage -l command.
passwd -u username
chage -m 0 -M 99999 -I -1 -E -1 username
change -l username
So now lets take a visit to AIX land. Remember to not stay long. Again, its always best to make sure that the current password is not locked. Then we configure the password to not expire. Finally we step back and admire our work.
Dunce Cap… seriously is that a real thing. Have you or someone you know ever have had to wear one? Or is this just something made up for tv and movies… anyway I digress.
Everything is harder in AIX – like looking at memory statstics and viewing them in a normal human readable format (like gigabytes). Because apparently IBM knows best and like to show me free memory in 4k bytes (and filesystem sizes in 512-blocks).
Anyway while I was working on a production server with high memory usage found this nice little blog artice which contains a simple script for viewing availiable memory, free memory, and used memory in gigabtyes.
SFTP is a file transfer mechanism that is an extension of the SSH (Secure Shell) protocol and by design they share the same configuration file (/etc/ssh/sshd_config). By default when a user is given access to a server via SSH they also gain access to a server via SFTP. however it is pretty easy to disallow SFTP access with a couple short lines added to the end of the sshd_config.
In this example we could create a Unix group of "no-sftp" and add whatever users we want to into this group. Then drop the two lines below into the sshd_config and block sftp access
Match Group no-sftp Subsystem sftp /bin/false
However lets consider the opposite scenario…
You have users that you want to be able to use SFTP to transfer files but you do not want to allow the user to login to the server. You can't just drop a couple lines in the sshd_config to allow sftp but not ssh, because ssh does not work this way. You also cannot just change the users shell to something like /bin/false, as this will also block SFTP access as well as SSH access. Note: It is for this very reason that I personally choose never to choose to use SFTP as a file transfer protocol… this is why we have VSFTP. By using a separate daemon with a separate config file you have a lot more control over your environment.
So how do you disable ssh only for these users you ask? Well lets look at Linux and Solaris first.
First drop the script below into /usr/local/bin/sftponly and make it executable.
#!/bin/bash if [[ "$2" = *sftp-server ]] then exec /bin/bash "$@" else echo "User '$LOGNAME' is only allowed access via sftp." exit 1 fi
Now for any user that you need to block ssh access, just change their shell to /usr/local/bin/sftponly, and if they come in via any other method then SFTP they will be booted right off the box. But if they come in via SFTP its business as usual.
Now AIX is a bit different – here there is actually a built in mechanism for dealing with such a situation. Here you change the user's login shell to /usr/sbin/sftp-server which pretty much does the same thing (in regards to blocking ssh access) but without the fancy error message.
Note that this is obviously not an ideal solution, but if you are like me and you are stuck with a piss poor configuration and need to block SSH access without re-inventing the wheel, or breaking any existing processes.. and you need to do so quickly and easily this is the best solution for the money.
Wow, today I logged into my first AIX Server in about 4.5 years. It was a horrible experience. I’ve been working with Redhat/CentOS pretty much exculsively for so long, I was mostly helpless to do anything of importance on the CLI other than create a few users and move some files around. None of the common commands that I am so used to using even exist in AIX.
Figured I would do a bit of homework and figure out how to do some basic troubleshooting before I was in a server down situation with no idea how to troubleshoot.
Checking Free Memory
To check free memory on a box use the svmon command.
svmon -G
Overall System Status
For this you will probably want to use topas, which is pretty simiar to top. Topas gives you a quick and dirty overview of what is going on on a system. Here you can find CPU usage, top processes, disk utililization. Check out the fancy screen shot below.
List Volume Groups
Wow, Linux has really confused me on this one. Anyway, use lsvg
If you have ever evacuated disks in Veritas, every so often this will happen to hang. Usually you terminate your session or who knows what. Kinda like Joe Girardi's willingness to sacrifice outs for no good reason every time the Yankees hottest hitter is at the plate. It happens, you can't explain it, you move on. Back to technology – vxtask list shows no tasks, but you get errors trying to rerun the failed evac.
For example:
Plex %5 in volume rman is locked by another utility
Plex rman-01 in volume rman is locked by another utility
Subdisk rman_7_tmp-01 in plex rman-01 is locked by another utility
vxprint -hf is our best friend, as it shows you any flags that are set
We can see that we have flags set on the temporary plex (from the failed evac), the subdisk for the temporary plex, the main plex, the subdisk in the main plex, as well as the volume itself. We need to clear flags to be able to finish re-start our evac. I will also cut the lines on the vxprint that don't change for the purpose of shortening this post.
vxmend -g rman_dg clear all rman %5
So we cleared the volume and temp plex flags, here's the vxprint -htf output afterwards
Great, now down to two flags, the one on the plex and the one on the source disk of our original evac. Clearing flags from subdisks is a lot trickier than clearing flags from volumes and plexes. Because the tutil0 flga is already set, we will need to force the clear. We clear by setting it to "".
vxedit -g rman_dg -f set tutil0="" rman_6_tmp-01
Once again, vxprint -htf
v rman fsgen ENABLED 15625864960 - ACTIVE - -
pl rman-01 rman ENABLED 15625864960 - ACTIVE SDMV1 –
And lastly, we clear the flag on the plex. Why in this order? Because I'm writing this up after I fixed my issues. In the interest of not editing vxprint outputs, it's like this. In retrospect, this could have been cleared with the first one we ran in the beginning.
vxmend -g rman_dg clear all rman rman-01
And finally, the way a vxprint -htf should look when all is healthy.
At this point, feel free to proceed with your evac again. If you're wondering what the putil and tutil fields are, here is what I found courtesy of Symantec:
Lists information about the
logical volumes. The -l option lists the disks in the logical
volume.
lspv <physical volume>
[-l, M, p]
Lists the disks on the server,
including the physical volume will give details about that disk.
The -l option will list the details of how the filesystems are
distributed on the disk.
lsvg <volume group> [-l] Lists the volume groups on the
server, including the volume group name will give details about that
vg.
The -l option will list the logical volumes in the volume group.
lsvpcfg
Lists each vpath and the hdisks
that make up the vpath
exportvg <volume
group>
removes a volume group from a
machine
extendvg <volume group>
<physical volume> Adds a new physical volume to an
existing volume group
importvg -y <volume group>
<physical volume> add a
volume group to another machine
reducevg <volume group>
<physical volume> Removes a physical volume from
a
volume group
lsdev -C -c disk lists available disks (and the hdisk#) on the server
lscfg -vl hdisk
Shows advanced information on a disk
rmdev -dl hdisk#
remove a disk
Sample Procedures:
Check to see if all of the
logical volumes in a volume group are
mirrored
lsvg -l <vg_name>
Procedure to find disks/vpaths that
are unallocated
lspv|grep None
This will show pvs and whether they are asssociated with a
volume group
Note: For vpaths, the hdisks will show as none, but they
may be allocated to a vpath – you must grep each hdisk with the lsvpcfg
Procedure to make a new lun available
to AIX
Allocate the new lun on the SAN
Run "cfgmgr"
Verify the new vpatch/hdisk by running "lsvpcfg"
There should be a new vpath and it should be available with no
volume group – if not, rerun cfgmgr
Wow, AIX does not like to make anything easy. Nor do they like to make things intuitive. Need to remove a route from AIX, well get ready to have one command to temporariliy remove a route and another command to remove the route for good. Same goes with adding a route. "Quit your bitching, and use Smitty", you say? Well smitty does not make anything any easier, especially since the UI likes to show you fields that you does not necessarily need you to use. Oh, plus they let you type in them. Asking me for a netmask when adding a static route does not seem like a crazy request to me? But jokes on you, you were not supposed to type anything there.
