HowTo DELETE & RECREATE a Tape Library in Spectrum Protect

Sometimes, we need to delete and recreate all references to a tape library under Spectrum Protect, maybe because we have replaced the HW (even if it is for the same model of library), or because we are running a Disaster Recovery test,
or like on my particular case: because I had a tape library logically partitioned, and I removed the partition and assigned all the tape library resources to my Spectrum Protect server.

The process is not extremely complex, nor trivial, therefore I will post the steps needed to achieve the full change.

My setup is a Spectrum Protect server v8.1.5 running under an LPAR with AIX v7.2, and my Tape Library is an IBM (Now Lenovo) TS3200 with 4 LTO Tape Drives.
Since I had the TS3200 partitioned in 2 logicalis libraries, the name of the tape library was TS3200_LL2 in my Spectrum Protect server (called spectre), and had 2 LTO tape drives assigned (DRIVE3 & DRIVE4).
After the change, the library under Spectrum Protect will be called TS3200, and will have all 4 drives assigned (DRIVE1 to DRIVE4).

I have put an easy to follow index, step-by-step, first I indicate where is the action performed (SP for Spectrum Protect, AIX for the OS, TS3200 for the physical library GUI interface, and MANUAL: hmm, for -pen & paper!-).

INDEX
1.- SP – DELETE TAPE DEVS
2.- SP – DEFINE LIB SP
3.- AIX – DELETE TAPE DEVICES
4.- AIX – RECREATE TAPE DEVICES
5.- AIX – Get the WWNs from the AIX DEVs
6.- TS3200 – Get the WWNs from the TS3200
7.- MANUAL – CORRELATE WWNs y DEVs
8.- AIX – RENAME TAPEDEVs to follow HW’s ORDER
9.- AIX – CHECK DEVs
10.- SP – DEFINE LIBRARY’s CONTROL PATH
11.- SP – DEFINE LIBRARY’s DRIVES
12.- SP – DEFINE LIBRARY’s PATHS
13.- SP – VERIFY (LOGICAL)
14.- SP – REVISE DEVCLASSES
15.- SP – REVISE SCRIPTS
16.- SP – FINAL VERIFY (PHYSICAL)
16.1.- Try the freshly modified scripts
16.2.- Try to use all the tape drives
16.3.- Check Tape Library HW
16.4.- Check and Backup SP Tape Library Definitions

NOTES
A.- What is a Tape Library Control Path
B.- Final Thoughts

bdr

1.- SP – DELETE TAPE DEVS

First, we delete all references to the old devices, so we find out what we have by issuing <query path>, <query drive> and <query library>, and then, we delete the old devices:

Protect: SERVER1>delete path SERVER1 DRIVE4 srctype=server desttype=drive library=TS3200_LL2
ANR1721I A path from SERVER1 to TS3200_LL2 DRIVE4 has been deleted.
Protect: SERVER1>delete path SERVER1 DRIVE3 srctype=server desttype=drive library=TS3200_LL2
ANR1721I A path from SERVER1 to TS3200_LL2 DRIVE3 has been deleted.
Protect: SERVER1>delete path SERVER1 TS3200_LL2 srctype=server desttype=library
ANR1721I A path from SERVER1 to TS3200_LL2 has been deleted.
Protect: SERVER1>delete drive TS3200_LL2 DRIVE4
ANR8412I Drive DRIVE4 deleted from library TS3200_LL2.
Protect: SERVER1>delete drive TS3200_LL2 DRIVE3
ANR8412I Drive DRIVE3 deleted from library TS3200_LL2.
Protect: SERVER1>delete library TS3200_LL2
ANR8410I Library TS3200_LL2 deleted.

2.- SP – DEFINE LIB SP

Then, we define the new library name, it’s only a high level object, as it doesn’t actually link to the HW until we define the Control Path (if you don’t know what a control path is, you can look at the NOTES section A.- What is a Tape Library Control Path at the bottom of this article).

Protect: SERVER1>define library TS3200 libtype=scsi serial=autodetect RESETDrives=yes shared=yes
ANR8400I Library TS3200 defined.

3.- AIX – DELETE TAPE DEVICES

[root@spectre:/]cfgmgr

[root@spectre:/]lsdev -c tape
rmt0 Available 13-T1-01 IBM 3580 Ultrium Tape Drive (FCP)
rmt1 Available 14-T1-01 IBM 3580 Ultrium Tape Drive (FCP)
rmt3 Available 14-T1-01 IBM 3580 Ultrium Tape Drive (FCP)
rmt4 Available 13-T1-01 IBM 3580 Ultrium Tape Drive (FCP)
smc0 Available 14-T1-01 IBM 3573 Tape Medium Changer (FCP)
smc1 Available 14-T1-01 IBM 3573 Tape Medium Changer (FCP)

[root@spectre:/]rmdev -Rdl rmt0
rmt0 deleted
[root@spectre:/]rmdev -Rdl rmt1
rmt1 deleted
[root@spectre:/]rmdev -Rdl rmt3
rmt3 deleted
[root@spectre:/]rmdev -Rdl rmt4
rmt4 deleted
[root@spectre:/]rmdev -Rdl smc0
smc0 deleted
[root@spectre:/]rmdev -Rdl smc1
smc1 deleted

[root@spectre:/]lsdev -c tape
[root@spectre:/]

4.- AIX – RECREATE TAPE DEVICES

[root@spectre:/]cfgmgr

[root@spectre:/]lsdev -c tape
rmt0 Available 13-T1-01 IBM 3580 Ultrium Tape Drive (FCP)
rmt1 Available 13-T1-01 IBM 3580 Ultrium Tape Drive (FCP)
rmt2 Available 14-T1-01 IBM 3580 Ultrium Tape Drive (FCP)
rmt3 Available 14-T1-01 IBM 3580 Ultrium Tape Drive (FCP)
smc0 Available 14-T1-01 IBM 3573 Tape Medium Changer (FCP)

5.- AIX – Get the WWNs from the AIX DEVs

[root@spectre:/]lsdev -c tape -F "name class location physloc description"
rmt0 tape 13-T1-01 U9009.42A.7803790-V5-C13-T1-W2005000E1115B46F-L0 IBM 3580 Ultrium Tape Drive (FCP)
rmt1 tape 13-T1-01 U9009.42A.7803790-V5-C13-T1-W200B000E1115B46F-L0 IBM 3580 Ultrium Tape Drive (FCP)
rmt2 tape 14-T1-01 U9009.42A.7803790-V5-C14-T1-W2002000E1115B46F-L0 IBM 3580 Ultrium Tape Drive (FCP)
rmt3 tape 14-T1-01 U9009.42A.7803790-V5-C14-T1-W2008000E1115B46F-L0 IBM 3580 Ultrium Tape Drive (FCP)
smc0 tape 14-T1-01 U9009.42A.7803790-V5-C14-T1-W2002000E1115B46F-L1000000000000 IBM 3573 Tape Medium Changer (FCP)

6.- TS3200 – Get the WWNs from the TS3200

DEVICE WWNN             WWPN
DRIVE1 2001000E1115B46F-2002000E1115B46F
DRIVE2 2004000E1115B46F-2005000E1115B46F
DRIVE3 2007000E1115B46F-2008000E1115B46F
DRIVE4 200A000E1115B46F-200B000E1115B46F 

7.- MANUAL – CORRELATE WWNs y DEVs

rmt0 - drive2
rmt1 - drive4
rmt2 - drive1
rmt3 - drive3, OK
smc0 - drive1, OK, it's the one with the Control Path & appears as WWN-L1000... and identified as Tape Medium Changer.

8.- AIX – RENAME TAPEDEVs to follow HW’s ORDER

Call me finicky, but I cannot stand to have a device called rmt2 in AIX and DRIVE4 in the tape library.

This doesn’t usually happen when you just deploy a brand new tape library, since the serials & WWNs should be correlative, however, a couple of years down the line, and a couple of hardware replacements done, and the serials/WWNs are not correlative anymore, and therefore cfgmgr just creates the devices following an order which is not what we need or want. Most people will leave them as is, but I cannot, it produces me severe itch ;o)

Looking at the relationship we did on the previous step:

smc0 = OK (smc0 it’s fine, we only have 1 drive with a control path, so we leave it as-is)
rmt2 = rmt1 / drive1  (we need to rename rmt2 as rmt1)
rmt0 = rmt2 / drive2  (rmt0 as rmt2)
rmt3 = OK (Bonus! one of the devices matches the right drive out of pure probability!)
rmt1 = rmt4 / drive4  (and finally, rmt1 as rmt4)

[root@spectre:/]chdev -l rmt1 -a new_name=rmt4
rmt1 changed
[root@spectre:/]chdev -l rmt2 -a new_name=rmt1
rmt2 changed
[root@spectre:/]chdev -l rmt0 -a new_name=rmt2
rmt0 changed

9.- AIX – CHECK DEVs

We will check that the renaming of the devices matches the hardware descriptions:

[root@spectre:/]lsdev -c tape
rmt1 Available 14-T1-01 IBM 3580 Ultrium Tape Drive (FCP)
rmt2 Available 13-T1-01 IBM 3580 Ultrium Tape Drive (FCP)
rmt3 Available 14-T1-01 IBM 3580 Ultrium Tape Drive (FCP)
rmt4 Available 13-T1-01 IBM 3580 Ultrium Tape Drive (FCP)
smc0 Available 14-T1-01 IBM 3573 Tape Medium Changer (FCP)
 [root@spectre:/]lsdev -c tape -F "name class location physloc description"
rmt1 tape 14-T1-01 U9009.42A.7803790-V5-C14-T1-W2002000E1115B46F-L0 IBM 3580 Ultrium Tape Drive (FCP)
rmt2 tape 13-T1-01 U9009.42A.7803790-V5-C13-T1-W2005000E1115B46F-L0 IBM 3580 Ultrium Tape Drive (FCP)
rmt3 tape 14-T1-01 U9009.42A.7803790-V5-C14-T1-W2008000E1115B46F-L0 IBM 3580 Ultrium Tape Drive (FCP)
rmt4 tape 13-T1-01 U9009.42A.7803790-V5-C13-T1-W200B000E1115B46F-L0 IBM 3580 Ultrium Tape Drive (FCP)
smc0 tape 14-T1-01 U9009.42A.7803790-V5-C14-T1-W2002000E1115B46F-L1000000000000 IBM 3573 Tape Medium Changer (FCP)

10.- SP – DEFINE LIBRARY’s CONTROL PATH

Protect: SERVER1>define path SERVER1 TS3200 srctype=server desttype=library device=/dev/smc0 online=yes autodetect=yes
ANR1720I A path from SERVER1 to TS3200 has been defined.

11.- SP – DEFINE LIBRARY’s DRIVES

Spectrum protect just uses the drives as a logical object for a device, it’s not until you create the PATHs that the physical tape device get associated with a drive.

Protect: SERVER1>define drive TS3200 DRIVE1
ANR8404I Drive DRIVE1 defined in library TS3200.
Protect: SERVER1>define drive TS3200 DRIVE2
ANR8404I Drive DRIVE2 defined in library TS3200.
Protect: SERVER1>define drive TS3200 DRIVE3
ANR8404I Drive DRIVE3 defined in library TS3200.
Protect: SERVER1>define drive TS3200 DRIVE4
ANR8404I Drive DRIVE4 defined in library TS3200.

12.- SP – DEFINE LIBRARY’s PATHS

Here is where we associate the OS tape devices with the SP drive objects

Protect: SERVER1>define path SERVER1 DRIVE1 srctype=server desttype=drive library=TS3200 online=yes device=/dev/rmt1 autodetect=yes
ANR1720I A path from SERVER1 to TS3200 DRIVE1 has been defined.
Protect: SERVER1>define path SERVER1 DRIVE2 srctype=server desttype=drive library=TS3200 online=yes device=/dev/rmt2 autodetect=yes
ANR1720I A path from SERVER1 to TS3200 DRIVE2 has been defined.
Protect: SERVER1>define path SERVER1 DRIVE3 srctype=server desttype=drive library=TS3200 online=yes device=/dev/rmt3 autodetect=yes
ANR1720I A path from SERVER1 to TS3200 DRIVE3 has been defined.
Protect: SERVER1>define path SERVER1 DRIVE4 srctype=server desttype=drive library=TS3200 online=yes device=/dev/rmt4 autodetect=yes
ANR1720I A path from SERVER1 to TS3200 DRIVE4 has been defined.

13.- SP – VERIFY (LOGICAL)

Verify that everything looks OK from the logical perspective

Protect: SERVER1>q path
Source Name Source Type Destination Destination On-Line
----------- ----------- ----------- ----------- ----------
SERVER1 SERVER TS3200 LIBRARY Yes
SERVER1 SERVER DRIVE1 DRIVE Yes
SERVER1 SERVER DRIVE2 DRIVE Yes
SERVER1 SERVER DRIVE3 DRIVE Yes
SERVER1 SERVER DRIVE4 DRIVE Yes Protect: SERVER1>q drive
Library Name Drive Name Device Type On-Line
------------ ------------ ----------- -------------------
TS3200 DRIVE1 LTO Yes
TS3200 DRIVE2 LTO Yes
TS3200 DRIVE3 LTO Yes
TS3200 DRIVE4 LTO Yes Protect: SERVER1>q library
Library Name Library Type Shared TS3200  SCSI       Yes

14.- SP – REVISE DEVCLASSES

Protect: SERVER1>q devclass
Device Cl Device Acc Storage Device Ty Format Est/Max Mount
ass Name ess Strate Pool C pe Capacity Limit
gy ount (MB)
--------- ---------- ------- --------- ------ -------- ------
DBBACK_FI Sequential 0       FILE      DRIVE  51,200.0     32
LEDEV
DISK Random 1
LTO_6 Sequential 3 LTO DRIVE DRIVES
 Protect: SERVER1>q devclass LTO_6 f=d
Device Class Name: LTO_6
Device Access Strategy: Sequential
Storage Pool Count: 3
Device Type: LTO
Format: DRIVE
...
Library: TS3200_LL2
Directory:
Server Name:
... Protect: SERVER1>update devclass LTO_6 library=TS3200
ANR2205I Device class LTO_6 updated.

15.- SP – REVISE SCRIPTS

Protect: SERVER1>q scr
Name            Description                     Managing profile
--------------- ------------------------------------- ----------
AUDIT_LIB       SP - Syncro Tape inventory with Tape library
BACKUP_DB       SP - BACKUP DB & Config
CHECKIN_ALL_LIB SP - CHECKIN ALL Tapes in the Library
CHECKIN_PRIVATE SP - CHECKIN Private Tapes
CHECKIN_SCRATCH SP - CHECKIN Scratch Tapes
CONTAINER_COPY  Run container copy pool operation
CONTAINER_RECL  Run container-copy reclamation
LABEL_TAPES     SP - LABEL New Tapes
PATHS_DOWN      SP - Bring DOWN PATHS & DRIVES of the Tape Library
PATHS_UP        SP - Bring UP PATHS & DRIVES of the Tape Library

As usual, we have a good number of scripts to perform actions with tapes, and as SP forces us to specify the LIB name in each command, we will have to change a few of this scripts to point to the new tape devices.

Also, as we now have 4 drives instead of 2, we will need to modify a couple of scripts to account for the extra tape drives. So, let’s go ahead and change three as an example:

Protect: SERVER1>q scr AUDIT_LIB f=d
...
Name: AUDIT_LIB
Line Number: 5
Command: audit library TS3200_LL2 checklabel=barcode refresh=yes
Last Update by (administrator): CIJALBA
Last Update Date/Time: 06/09/17 10:18:54
Protect: SERVER1>upd scr AUDIT_LIB "audit library TS3200 checklabel=barcode refresh=yes" line=5
ANR1456I UPDATE SCRIPT: Command script AUDIT_LIB updated. Protect: SERVER1>q scr CHECKIN_ALL_LIB f=d
...
Name: CHECKIN_ALL_LIB
Line Number: 10
Command: checkin libvolume TS3200_LL2 status=scratch search=yes checklabel=barcode
Name: CHECKIN_ALL_LIB
Line Number: 20
Command: checkin libvolume TS3200_LL2 status=private search=yes checklabel=barcode
Protect: SERVER1>upd scr CHECKIN_ALL_LIB "checkin libvolume TS3200 status=scratch search=yes checklabel=barcode" line=10
ANR1456I UPDATE SCRIPT: Command script CHECKIN_ALL_LIB updated.
Protect: SERVER1>upd scr CHECKIN_ALL_LIB "checkin libvolume TS3200 status=private search=yes checklabel=barcode" line=20
ANR1456I UPDATE SCRIPT: Command script CHECKIN_ALL_LIB updated. Protect: SERVER1>q scr PATHS_DOWN f=d
...
Name: PATHS_DOWN
Line Number: 1
Command: upd path SERVER1 DRIVE3 srcty=server destt=drive library=TS3200_LL2 online=no
Name: PATHS_DOWN
Line Number: 5
Command: upd path SERVER1 DRIVE4 srcty=server destt=drive library=TS3200_LL2 online=no
Name: PATHS_DOWN
Line Number: 10
Command: upd drive TS3200_LL2 DRIVE3 online=no
Name: PATHS_DOWN
Line Number: 15
Command: upd drive TS3200_LL2 DRIVE4 online=no
Protect: SERVER1>upd scr PATHS_DOWN "upd drive TS3200 DRIVE4 online=no" line=40
ANR1456I UPDATE SCRIPT: Command script PATHS_DOWN updated.
Protect: SERVER1>upd scr PATHS_DOWN "upd drive TS3200 DRIVE3 online=no" line=35
ANR1456I UPDATE SCRIPT: Command script PATHS_DOWN updated.
Protect: SERVER1>upd scr PATHS_DOWN "upd drive TS3200 DRIVE2 online=no" line=30
ANR1456I UPDATE SCRIPT: Command script PATHS_DOWN updated.
Protect: SERVER1>upd scr PATHS_DOWN "upd drive TS3200 DRIVE1 online=no" line=25
ANR1456I UPDATE SCRIPT: Command script PATHS_DOWN updated.
Protect: SERVER1>upd scr PATHS_DOWN "upd path SERVER1 DRIVE4 srcty=server destt=drive library=TS3200 online=no" line=20
ANR1456I UPDATE SCRIPT: Command script PATHS_DOWN updated.
Protect: SERVER1>upd scr PATHS_DOWN "upd path SERVER1 DRIVE3 srcty=server destt=drive library=TS3200 online=no" line=15
ANR1456I UPDATE SCRIPT: Command script PATHS_DOWN updated.
Protect: SERVER1>upd scr PATHS_DOWN "upd path SERVER1 DRIVE2 srcty=server destt=drive library=TS3200 online=no" line=10
ANR1456I UPDATE SCRIPT: Command script PATHS_DOWN updated.
Protect: SERVER1>upd scr PATHS_DOWN "upd path SERVER1 DRIVE1 srcty=server destt=drive library=TS3200 online=no" line=5
ANR1456I UPDATE SCRIPT: Command script PATHS_DOWN updated.
Protect: SERVER1>upd scr PATHS_DOWN "upd path SERVER1 TS3200 srcty=server destt=library online=no" line=1
ANR1456I UPDATE SCRIPT: Command script PATHS_DOWN updated.

At the end, I had to change a few scripts, but if you want to save yourself some time, or have a lot more scripts than I do, then it will be more efficient to redirect all scripts to a text file and manipulate it from the OS (In fact, this is a Best Practice which I recommend to do from time to time: Export your SP Scripts out of SP).

This is easily done with:

Protect: SERVER1>q scr * f=d > /tmp/scripts.txt
Output of command redirected to file '/tmp/scripts.txt'

And then just do a grep from the OS, you can check for the old name and the new name, util, you have modified all the scripts:

[root@spectre:/tmp]grep -c TS3200 scripts.txt
23
[root@spectre:/tmp]grep -c TS3200_LL2 scripts.txt
0

16.- SP – FINAL VERIFY (PHYSICAL)

16.1.- Try the freshly modified scripts:

Protect: SERVER1>run PATHS_DOWN
ANR1722I A path from SERVER1 to TS3200 has been updated.
ANR1722I A path from SERVER1 to TS3200 DRIVE1 has been updated.
ANR1722I A path from SERVER1 to TS3200 DRIVE2 has been updated.
ANR1722I A path from SERVER1 to TS3200 DRIVE3 has been updated.
ANR1722I A path from SERVER1 to TS3200 DRIVE4 has been updated.
ANR8467I Drive DRIVE1 in library TS3200 updated.
ANR8467I Drive DRIVE2 in library TS3200 updated.
ANR8467I Drive DRIVE3 in library TS3200 updated.
ANR8467I Drive DRIVE4 in library TS3200 updated.
ANR1462I RUN: Command script PATHS_DOWN completed successfully.
Protect: SERVER1>q path
Source Name Source Type Destination Destination On-Line
Name Type
----------- ----------- ----------- ----------- ----------
SERVER1 SERVER TS3200 LIBRARY No
SERVER1 SERVER DRIVE1 DRIVE No
SERVER1 SERVER DRIVE2 DRIVE No
SERVER1 SERVER DRIVE3 DRIVE No
SERVER1 SERVER DRIVE4 DRIVE No
Protect: SERVER1>q drive
Library Name Drive Name Device Type On-Line
------------ ------------ ----------- -------------------
TS3200 DRIVE1 LTO No
TS3200 DRIVE2 LTO No
TS3200 DRIVE3 LTO No
TS3200 DRIVE4 LTO No
Protect: SERVER1>run PATHS_UP
ANR1722I A path from SERVER1 to TS3200 has been updated.
ANR1722I A path from SERVER1 to TS3200 DRIVE1 has been updated.
ANR1722I A path from SERVER1 to TS3200 DRIVE2 has been updated.
ANR1722I A path from SERVER1 to TS3200 DRIVE3 has been updated.
ANR1722I A path from SERVER1 to TS3200 DRIVE4 has been updated.
ANR8467I Drive DRIVE1 in library TS3200 updated.
ANR8467I Drive DRIVE2 in library TS3200 updated.
ANR8467I Drive DRIVE3 in library TS3200 updated.
ANR8467I Drive DRIVE4 in library TS3200 updated.
ANR1462I RUN: Command script PATHS_UP completed successfully.
Protect: SERVER1>q path
Source Name Source Type Destination Destination On-Line
Name Type
----------- ----------- ----------- ----------- ----------
SERVER1 SERVER TS3200 LIBRARY Yes
SERVER1 SERVER DRIVE1 DRIVE Yes
SERVER1 SERVER DRIVE2 DRIVE Yes
SERVER1 SERVER DRIVE3 DRIVE Yes
SERVER1 SERVER DRIVE4 DRIVE Yes
Protect: SERVER1>q drive
Library Name Drive Name Device Type On-Line
------------ ------------ ----------- -------------------
TS3200 DRIVE1 LTO Yes
TS3200 DRIVE2 LTO Yes
TS3200 DRIVE3 LTO Yes
TS3200 DRIVE4 LTO Yes
Protect: SERVER1>run AUDIT_LIB
ANR1462I RUN: Command script AUDIT_LIB completed successfully.
Protect: SERVER1>q libv
ANR2034E QUERY LIBVOLUME: No match found using this criteria.
ANS8001I Return code 11.
Protect: SERVER1>run CHECKIN_ALL_LIB
ANR1462I RUN: Command script CHECKIN_ALL_LIB completed successfully.
Protect: SERVER1>q libv
Library Name Volume Name Status Owner Last Use Home El Device
ement Type
------------ ----------- ---------------- ---------- --------- ------- ------
TS3200 000001L6 Private SERVER1 4,118 LTO
TS3200 000004L6 Private SERVER1 4,123 LTO
TS3200 000006L6 Private SERVER1 4,119 LTO
TS3200 000007L6 Private SERVER1 4,125 LTO
TS3200 000009L6 Private SERVER1 4,136 LTO
TS3200 000010L6 Scratch 4,102 LTO
TS3200 000011L6 Private SERVER1 4,139 LTO
...

The scripts work OK.
OK!!!!!!!!!!

16.2.- Try to use all the tape drives:

If we are lucky, SP might launch a Space Reclamation process which will use 2 drives, otherwise by using a MOVE DATA command, we will use 2 tape drives at the same time one for READ and another for WRITE, so by issuing a couple of MOVE DATAs, we will try the 4 tape drives at once.

Protect: SERVER1>q vol stg=tapepool
Volume Name Storage Poo Device Cla Estimated Pct U Volume S
l Name ss Name Capacity til tatus
------------------------ ----------- ---------- --------- ----- --------
000002L6 TAPEPOOL LTO_6 8.9 T 10.7 Filling
000009L6 TAPEPOOL LTO_6 5.7 T 0.4  Filling
000014L6 TAPEPOOL LTO_6 9.5 T 0.0  Full
000019L6 TAPEPOOL LTO_6 5.7 T 0.0  Filling
000024L6 TAPEPOOL LTO_6 5.7 T 8.2  Filling
000031L6 TAPEPOOL LTO_6 5.7 T 37.9 Filling
...
Protect: SERVER1>move data 000014L6
ANR2232W This command will move all of the data stored on volume 000014L6 to other volumes within the same storage pool; the data
will be inaccessible to users until the operation completes.
Do you wish to proceed? (Yes (Y)/No (N)) Y
ANS8003I Process number 5 started.
Protect: SERVER1>q pr
Process Process Description Process Status
Number
-------- -------------------- -----------------------------------------------
5 Move Data Volume 000014L6 (storage pool TAPEPOOL), Target Pool TAPEPOOL, Moved Files: 0, 
Moved Bytes: 0 bytes, Deduplicated Bytes: 0 bytes, Unreadable Files: 0, Unreadable Bytes: 0
 bytes. Current Physical File (bytes): 2,033 bytes Waiting for mount of scratch volume (1 seconds).
Protect: SERVER1>q req
ANR8352I Requests outstanding:
ANR8308I 001: LTO volume 000014L6 is required for use in library TS3200; CHECKIN LIBVOLUME required within 20 minutes.
Protect: SERVER1>reply 1
ANR8499I Command accepted.

Update the status of the tapes in the library to be READWRITE (depends how how many tapes you have, careful since in the following example, I have made READW all my tapes, but might not be wise for your system if you have a big tape library, or different tape libraries –a better example should have been a and update each vol individually, but I am pressed for time ;o) –)

Protect: SERVER1>upd vol * access=readw
ANR2207I Volume 000001L6 updated.
ANR2207I Volume 000002L6 updated.
ANR2207I Volume 000003L6 updated.
...
ANR2207I Volume 000061L6 updated.
ANR2207I Volume 000062L6 updated.
ANR2207I Volume 000063L6 updated.

After a while, all the 4 drives had a tape mounted and where doing operations, so: The drives work fine.
OK!!!!!!!!!!

16.3.- Check Tape Library HW

Bad tapes or problems with barcodes can be checked using the SHOW SLOTS undocumented cmd:

Protect: SERVER1>show slots ts3200
PVR slot information for library TS3200.
Library : TS3200
Product Id : 3573-TL
Support module : 2
Mount count : 1
Drives : 4
Slots : 44
Changers : 1
Import/Exports : 3
.
Device : /dev/smc0
.
Drive 0, element 256
Drive 1, element 257
Drive 2, element 258
Drive 3, element 259
.
Changer 0, element 1
.
ImpExp 0, element number 16
ImpExp 1, element number 17
ImpExp 2, element number 18
Slot 0, status Allocated, element number 4096, barcode present, barcode value , devT=LTO, mediaT=436, elemT=ANY
Slot 1, status Allocated, element number 4097, barcode present, barcode value , devT=LTO, mediaT=436, elemT=ANY
Slot 2, status Allocated, element number 4098, barcode present, barcode value , devT=LTO, mediaT=436, elemT=ANY
...
Slot 42, status Allocated, element number 4138, barcode present, barcode value , devT=LTO, mediaT=436, elemT=ANY
Slot 43, status Allocated, element number 4139, barcode present, barcode value , devT=LTO, mediaT=436, elemT=ANY
.
slot element range 4096 - 4139

No problems in tapes or barcodes found.
OK!!!!!!!!!!

16.4.- Check and Backup SP Tape Library Definitions:

Now that we have redefined the tape library configuration and loaded the tapes, Issue a BACKUP DEVCONFIG and a BACKUP VOLHIST.

Protect: SERVER1> BACKUP VOLHISTORY
ANR2463I BACKUP VOLHISTORY: Server sequential volume history information was written to all configured history files. Protect: SERVER1> BACKUP DEVCONFIG
ANR2394I BACKUP DEVCONFIG: Server device configuration information was written to all device configuration files.

We should go to Spectrum Protects installation directory (by default /home/tsminst1), and look at the devconfig file (devconf.dat).

[root@spectre:/home/tsminst1]cat devconf.dat
/* Device Configuration */
DEFINE DEVCLASS DBBACK_FILEDEV DEVT=FILE FORMAT=DRIVE SHARE=NO MAXCAP=52428800K MOUNTL=32 DIR=/tsminst1/TSMbkup00,/tsminst1/TSMbkup01
DEFINE DEVCLASS LTO_6 DEVT=LTO FORMAT=DRIVE MOUNTL=DRIVES MOUNTWAIT=20 MOUNTRETENTION=5 PREFIX=ADSM LIBRARY=TS3200 WORM=NO DRIVEENCRYPTION=ALLOW LBPROTECT=NO
DEFINE SERVER SPECTRE COMMMETHOD=TCPIP HLADDRESS=10.1.1.207 LLADDRESS=1500
SET SERVERNAME SERVER1
DEFINE LIBRARY TS3200 LIBTYPE=SCSI WWN="2001000E1115B46F" SERIAL="A0L4U78W5927_LL0" SHARED=YES AUTOLABEL=NO RESETDRIVE=YES
DEFINE DRIVE TS3200 DRIVE1 ELEMENT=256 ONLINE=Yes WWN="2001000E1115B46F" SERIAL="A0WT025496"
DEFINE DRIVE TS3200 DRIVE2 ELEMENT=257 ONLINE=Yes WWN="2004000E1115B46F" SERIAL="A0WT038765"
DEFINE DRIVE TS3200 DRIVE3 ELEMENT=258 ONLINE=Yes WWN="2007000E1115B46F" SERIAL="A0WT046112"
DEFINE DRIVE TS3200 DRIVE4 ELEMENT=259 ONLINE=Yes WWN="200A000E1115B46F" SERIAL="A0WT045812"
/* LIBRARYINVENTORY SCSI TS3200 000001L6 4118 101*/
/* LIBRARYINVENTORY SCSI TS3200 000004L6 4123 101*/
...
/* LIBRARYINVENTORY SCSI TS3200 000062L6 4121 101*/
/* LIBRARYINVENTORY SCSI TS3200 000063L6 4105 101*/
DEFINE PATH SERVER1 TS3200 SRCTYPE=SERVER DESTTYPE=LIBRARY DEVICE=/dev/smc0 ONLINE=YES
DEFINE PATH SERVER1 DRIVE1 SRCTYPE=SERVER DESTTYPE=DRIVE LIBRARY=TS3200 DEVICE=/dev/rmt1 ONLINE=YES
DEFINE PATH SERVER1 DRIVE2 SRCTYPE=SERVER DESTTYPE=DRIVE LIBRARY=TS3200 DEVICE=/dev/rmt2 ONLINE=YES
DEFINE PATH SERVER1 DRIVE3 SRCTYPE=SERVER DESTTYPE=DRIVE LIBRARY=TS3200 DEVICE=/dev/rmt3 ONLINE=YES
DEFINE PATH SERVER1 DRIVE4 SRCTYPE=SERVER DESTTYPE=DRIVE LIBRARY=TS3200 DEVICE=/dev/rmt4 ONLINE=YES
SERVERBACKUPNODEID 1

OK!!!!!!!!!!

NOTES

A.- What is a Tape Library Control Path

A Tape Library Control Path it’s a logical path for a SCSI Medium Changer to send commands over to tape drives.

Each tape library has at least one control path, and for example on an AIX OS, the tape drive with the control path, will create 2 devices, one for Tape Drive and one for the Tape Medium Changer (in this example rmt1 and smc0 are really the same physical device):

[root@spectre:/tmp]lsdev -c tape
rmt1 Available 14-T1-01 IBM 3580 Ultrium Tape Drive (FCP)
rmt2 Available 13-T1-01 IBM 3580 Ultrium Tape Drive (FCP)
rmt3 Available 14-T1-01 IBM 3580 Ultrium Tape Drive (FCP)
rmt4 Available 13-T1-01 IBM 3580 Ultrium Tape Drive (FCP)
smc0 Available 14-T1-01 IBM 3573 Tape Medium Changer (FCP)

There is a catch here, and that is: if the tape drive with the control path is taken down, all the tape librarie’s drives will stop working, as the communications bus with the library is down.

In that case, and while we replace/repair the hardware, we will have to change the control path over to another drive, and perhaps reconfigure the device in AIX and Spectrum Protect.

We can have more than one control path in a library to eliminate single points of failure (as this is a clear SPOF in a several drives tape library), however it comes at a price, as at least in IBM libraries, an extra licence must be purchased, to enable Control Path Failover (CPF). In some cases, having CPF also enables Data Path Failover (DFP), which includes load balancing of the HBAs.

B.- Final Thoughts

Well, Phewww, now that was a bit of a long ride, wasn’t it? It’s not actually complex, it’s just a matter or order, and if done in the right sequence (and after having devoured a few red books, and technical guides) it’s pretty straight-forward.

Just try not perform this procedure very often, as it does take a few hours work, and while the process is being done Spectrum Protect cannot use the library (you can do it quicker if you script the lot, of course, and for Disaster Recovery it is recommended, because one or two hours saved in time might make a huge difference).

I hope you have enjoyed the procedure, and any comments or steps which can be done better are always welcome, so if you have suggestions, post them here to <<Give the sysadmin a shout!>>

Advertisements

Revisando Vulnerabilidades en AIX

IBM tiene una herramienta para reportar vulnerabilidades en sus productos, llamada Fix Level Recommendation Tool o FLRT (herramienta de recomendación de parches).

https://www-304.ibm.com/support/customercare/flrt/

Para AIX en particular, disponemos del  Security APAR Information, o el Security Bulletin information for AIX 7.2, 7.1, 6.1, 5.3, and VIOS

https://www-304.ibm.com/webapp/set2/flrt/doc?page=security

Para facilitar la comprobación de nuestros sistemas, tenemos el script en korn shell flrtvc.ksh, el cual nos obsequia con informes en varios tipos de formatos (CSV para importar en excel u otros, personalizados, compacto, detallado, etc).

Los prerequisitos de este script son los siguientes:

1.- access to internet to retrieve the latest vulnerability CSV listing (aparCSV)
2.- wget
3.- curl

Los puntos 2 y 3 son fácilmente obtenibles, si hemos configurado yum en nuestro AIX (yum install wget curl).

Algunos ejemplos de ejecución del script flrtvc:

[root@aixtest:/home/admin]./flrtvc.ksh | cut -c 1-110
Fileset|Current Version|Type|EFix Installed|Abstract|Unsafe Versions|APARs|Bulletin URL|Download URL
bos.acct|7.2.1.0|sec||NOT FIXED - (caccelstat) Vulnerabilities in bellmail / caccelstat / iostat / l
bos.acct|7.2.1.0|sec||NOT FIXED - (iostat) Vulnerabilities in bellmail / caccelstat / iostat / lquer
bos.acct|7.2.1.0|sec||NOT FIXED - (vmstat) Vulnerabilities in bellmail / caccelstat / iostat / lquer
bos.cluster.rte|7.2.1.0|hiper||NOT FIXED - CAA:SLOW GOSSIP RECEIPT ON BOOT MAY CAUSE PARTITIONED CLU
bos.mp64|7.2.1.1|hiper||NOT FIXED - getsockname() returns incorrect NameLength|7.2.1.0-7.2.1.1|IV914
bos.mp64|7.2.1.1|hiper||NOT FIXED - PROBLEMS CAN OCCUR WITH THREAD_CPUTIME AND THREAD_CPUTIME_FAST|7
bos.mp64|7.2.1.1|hiper||NOT FIXED - CRASH OR POTENTIAL DATA LOSS AFTER REMOVING LARGE JFS2 FILES ON
bos.mp64|7.2.1.1|hiper||NOT FIXED - SYSTEM CRASH WHEN USING PROCFS FOR PROCESSES CLOSING MANY FILES|
bos.mp64|7.2.1.1|sec||NOT FIXED - IBM has released AIX and VIOS iFixes in response to the vulnerabil
bos.net.tcp.bind_utils|7.2.1.1|sec||NOT FIXED - There is a vulnerability in BIND that impacts AIX.|7
bos.net.tcp.client_core|7.2.1.0|sec||NOT FIXED - There is a vulnerability in bellmail that impacts A
bos.net.tcp.client_core|7.2.1.0|sec||NOT FIXED - Vulnerabilities in BIND impact AIX|7.2.1.0|CVE-2016
bos.net.tcp.client_core|7.2.1.0|sec||NOT FIXED - There are two vulnerabilities in BIND that impact A
bos.net.tcp.client_core|7.2.1.0|sec||NOT FIXED - Vulnerability in bellmail affects AIX|7.2.1.0-7.2.1
bos.net.tcp.client_core|7.2.1.0|sec||NOT FIXED - (bellmail) Vulnerabilities in bellmail / caccelstat
bos.net.tcp.ntp|7.2.1.0|sec||NOT FIXED - There are multiple vulnerabilities in NTPv3 and NTPv4 that
bos.net.tcp.ntpd|7.2.1.0|sec||NOT FIXED - There are multiple vulnerabilities in NTPv3 and NTPv4 that
bos.net.tcp.tcpdump|7.2.1.0|sec||NOT FIXED - There are multiple vulnerabilities in tcpdump that impa
bos.rte.archive|7.2.1.0|sec||NOT FIXED - (restbyinode) Vulnerabilities in bellmail / caccelstat / io
bos.rte.lvm|7.2.1.0|sec||NOT FIXED - (lquerypv) Vulnerabilities in bellmail / caccelstat / iostat /
devices.fcp.disk.rte|7.2.1.0|hiper||NOT FIXED - UNDETECTED DATA LOSS AFTER STORAGE ERRORS WITH CERTA
devices.pci.77102224.com|7.2.1.0|hiper||NOT FIXED - UNDETECTED DATA LOSS AFTER STORAGE ERRORS WITH C
devices.pciex.df1060e214103404.com|7.2.1.0|hiper||NOT FIXED - UNDETECTED DATA LOSS AFTER STORAGE ERR
devices.vdevice.ibm.l-lan.rte|7.2.1.0|hiper||NOT FIXED - CRASH IN VIOENT_INIT_LS_TIMER WHEN POLL_UPL
devices.vdevice.ibm.vfc-client.rte|7.2.1.0|hiper||NOT FIXED - Potential data loss using Virtual FC w
java7_64.jre|7.0.0.370|sec||NOT FIXED - There are multiple vulnerabilities in IBM SDK Java Technolog
java7_64.sdk|7.0.0.370|sec||NOT FIXED - Multiple vulnerabilities in IBM Java SDK affect AIX|<7.0.0.4
java7_64.sdk|7.0.0.370|sec||NOT FIXED - Multiple vulnerabilities in IBM Java SDK affect AIX|<7.0.0.5
java7_64.sdk|7.0.0.370|sec||NOT FIXED - There are multiple vulnerabilities in IBM SDK Java Technolog
openssh.base.client|6.0.0.6201|sec||NOT FIXED - AIX OpenSSH Vulnerability|4.0.0.5200-6.0.0.6201|CVE-
openssh.base.client|6.0.0.6201|sec||NOT FIXED - Vulnerabilities in OpenSSH affect AIX|4.0.0.5200-6.0
openssl.base|1.0.2.800|sec||NOT FIXED - There is a vulnerability in OpenSSL used by AIX|1.0.2.500-1.
openssl.base|1.0.2.800|sec||NOT FIXED - Vulnerability in OpenSSL affects AIX|1.0.2.500-1.0.2.1100|CV
...
[root@aixtest:/home/admin]./flrtvc.ksh -v | pg
////////////////////////////////////////////////////////////
// IBM FLRTVC (v0.7.3) Report
// Server: aixtest
// Date: Fri Feb 9 10// Report by: root
// Vulnerable Filesets: 22
// Total Vulnerabilities: 54
// Total Fixes (not shown): 22
////////////////////////////////////////////////////////////

--------------------------------------------------------------------------------
bos.acct - 7.2.1.0 - Vulnerabilities (3)
--------------------------------------------------------------------------------

(1) NOT FIXED - (caccelstat) Vulnerabilities in bellmail / caccelstat / iostat / lquerypv / restbyinode / vmstat affect AIX (CVE-2017-1692)

Type: sec
Score: CVE-2017-1692:8.4
Versions: 7.2.1.0-7.2.1.0
APARs/CVEs: IV97811
Last Update: 02/05/2018
Bulletin: http://aix.software.ibm.com/aix/efixes/security/suid_advisory.asc
Download: ftp://aix.software.ibm.com/aix/efixes/security/suid_fix.tar
Fixed In: 7200-01-04

(2) NOT FIXED - (iostat) Vulnerabilities in bellmail / caccelstat / iostat / lquerypv / restbyinode / vmstat affect AIX (CVE-2017-1692)
Type: sec
Score: CVE-2017-1692:8.4
Versions: 7.2.1.0-7.2.1.1
APARs/CVEs: IV97898
Last Update: 02/05/2018
Bulletin: http://aix.software.ibm.com/aix/efixes/security/suid_advisory.asc
Download: ftp://aix.software.ibm.com/aix/efixes/security/suid_fix.tar
Fixed In: 7200-01-04
...

Francamente, yo la encuentro una herramienta fantástica, que puede ahorrarnos un montón de tiempo cuando necesitamos efectuar un control de vulnerabilidades en alguno de nuestros sistemas.

El listado de parámetros completo de la herramienta es el siguiente:

Usage flrtvc: Change delimiter for compact reporting
 ./flrtvc.ksh -d '||'

Usage flrtvc: Generate full reporting (verbose mode)
 ./flrtvc.ksh -v

Usage flrtvc: Choose custom apar.csv file to use
 ./flrtvc.ksh -f myfile.csv

Usage flrtvc: Only show specific filesets in verbose mode
 ./flrtvc.ksh -vg printers

Usage flrtvc: Show only hiper results
 ./flrtvc.ksh -t hiper

Usage flrtvc: Custom lslpp and emgr outputs
 ./flrtvc.ksh -l lslpp.txt -e emgr.txt

Flags:

-d = Change delimiter for compact reporting
-f = Enter a custom aparCSV file in local filesystem
-q = Quiet mode, hide compact reporting header
-s = Skip download and locate 'apar.csv' filename in current directory
-v = Verbose, full report (for piping to email)
-g = Filter filesets for specific phrase, useful for verbose mode
-t = Type of APAR [hiper | sec]
-l = Enter a custom LSLPP output file, must match lslpp -Lqc
-e = Enter a custom EMGR output file, must match emgr -lv3
-x = Skip EFix processing
-a = Show all fixed and non-fixed HIPER/Security vulnerabilities.

Logrotate 4 & 5.- Support & Common Errors

NOTE:  This is a follow-up, from the previous post: Logrotate 3.- Logrotate checks

4.- Logrotate Support

Disclaimer (IBM Unsupported):  IBM stand on opensource utilities is that they are not directly supported by IBM, this is IBM Support’s page for logrotate (dated 06 June 2011):

http://www-01.ibm.com/support/docview.wss?uid=isg3T1012796

So, IBM will not provide any PMR Support on Open Source Software (and this is completely logical, as it’s not an IBM product), but still, you can get community based support at the developerWorks pages, and for this forum-based support, you can go to:

IBMDeveloperWorks: Forum Directory >‎ dW >‎ AIX and UNIX >‎ Forum: AIX Open Source Software

And in that forum, exists an specific YUM topic:

IBMDeveloperWorks: Forum Directory >‎ dW >‎ AIX and UNIX >‎ Forum: AIX Open Source Software >‎ Topic: yum for AIX Toolbox

5.- Fixing logrotate errors

5.1.- config file logrotate.conf errors

[root@aix72:/home/admin]logrotate -vf /etc/logrotate.conf
error: cannot stat /etc/logrotate.conf: A file or directory in the path name does not exist.

Cannot stat means that the config file is NOT FOUND, so revise that /etc/logrotate exists and has the right access rights (if it doesn’t, look for it in /opt/freeware/etc and copy it to /etc)

5.2.- config directory logrotate.d errors

[root@aix72:/home/admin]logrotate -vf /etc/logrotate.conf
reading config file /etc/logrotate.conf
including /etc/logrotate.d
error: cannot stat /etc/logrotate.d: A file or directory in the path name does not exist.
removing last 0 log configs

Cannot stat means that the config directory is NOT FOUND, so revise that /etc/logrotate.d exists and has the right access rights (if it doesn’t, look for it in /opt/freeware/etc and copy it to /etc)

5.3.- files in directory logrotate.d errors

[root@aix72:/opt/freeware/etc]logrotate -v /etc/logrotate.conf
reading config file /etc/logrotate.conf
including /etc/logrotate.d
reading config file yum
error: yum:6 unknown group 'root'
error: found error in /var/log/yum.log , skipping
removing last 1 log configs
error: /etc/logrotate.conf:23 unknown group 'utmp'
error: found error in /var/log/wtmp , skipping
removing last 1 log configs
error: /etc/logrotate.conf:31 unknown group 'utmp'
error: found error in /var/log/btmp , skipping
removing last 1 log configs

Handling 0 logs

This errors are usually caused at installation time of logrotate in AIX, since the config files require some modifications:

error: yum:6 unknown group 'root'
error: found error in /var/log/yum.log , skipping

It complains against the line 6 of /etc/logrotate.d/yum file, since in AIX there isn’t a “root” group, it is “system“, so modify the file:

/var/log/yum.log {  
  missingok 
  notifempty 
  size 30k 
  yearly 
  create 0600 root root 
}

for the file:

/var/log/yum.log {
  missingok
  notifempty
  size 30k
  yearly
  create 0600 root system
}
error: /etc/logrotate.conf:23 unknown group 'utmp' 
error: found error in /var/log/wtmp , skipping

It complains against the line 23 of /etc/logrotate.conf file, since in AIX there isn’t a “utmp” group, and in fact wtmp is not located in /var/log/wtmp, but in /var/adm/wtmp but in any case, we can just refer to the steps in 2.1 to fix it by deleting the wtmp lines in /etc/logrotate.conf.

error: /etc/logrotate.conf:31 unknown group 'utmp'
error: found error in /var/log/btmp , skipping

It complains against the line 31 of /etc/logrotate.conf file, since in AIX there isn’t a “utmp” group, and in fact AIX does not have a btmp, so we can just refer to the steps in 2.1 to fix it by deleting the wtmp lines in /etc/logrotate.conf.

 

That covers the most common Logrotate config errors in AIX. I’m sure that you will find some more obscure ones to entertain yourself with, as it is often the case!

On the next post, it will be time for step 6.- Advanced Logrotate for AIX.  See you then, and thanks for reading!

Logrotate 3.- Logrotate checks

NOTE:  This is a follow-up, from the previous post:  Logrotate 2.- Configure logrotate for AIX

To check that logrotate is configured and working OK, all we need to do is call logrotate from the command line telling it to verbose it’s internal checks ( -v ) and to check the config file ( /etc/logrotate.conf ), like the following:

[root@aix72:/home/admin]/usr/sbin/logrotate -v /etc/logrotate.conf
reading config file /etc/logrotate.conf
including /etc/logrotate.d      
reading config file failedlogin 
reading config file sysadmin    
reading config file wtmp        
reading config file yum         

Handling 6 logs

rotating pattern: /etc/security/failedlogin 5242880 bytes (2 rotations)
empty log files are rotated, old logs are removed
considering log /etc/security/failedlogin
 log does not need rotating        

rotating pattern: /home/admin/log/check_all.log 1048576 bytes (2 rotations)
empty log files are rotated, old logs are removed
considering log /home/admin/log/check_all.log 
 log does not need rotating         

rotating pattern: /var/adm/wtmp 5242880 bytes (2 rotations)
empty log files are rotated, old logs are removed
switching euid to 4 and egid to 4
considering log /var/adm/wtmp 
 log does not need rotating   
switching euid to 0 and egid to 0

rotating pattern: /var/log/yum.log yearly (4 rotations)
empty log files are not rotated, old logs are removed
considering log /var/log/yum.log 
 log does not need rotating      

Once we have checked that the config is OK, we can check the rotation by Forcing rotation with the -f or –force flag:

[root@aix72:/etc/logrotate.d]logrotate -vf /etc/logrotate.conf
 reading config file /etc/logrotate.conf
 including /etc/logrotate.d
 reading config file failedlogin
 reading config file sysadmin
 reading config file wtmp
 reading config file yum
 Handling 6 logs

rotating pattern: /home/admin/log/check_all.log forced from command line (2 rotations)
 empty log files are rotated, old logs are removed
 considering log /home/admin/log/check_all.log
 log does not need rotating

rotating pattern: /home/admin/log/start_all.log forced from command line (1 rotations)
 empty log files are rotated, old logs are removed
 considering log /home/admin/log/start_all.log
 log does not need rotating

rotating pattern: /home/admin/log/stop_all.log forced from command line (1 rotations)
 empty log files are rotated, old logs are removed
 considering log /home/admin/log/stop_all.log
 log does not need rotating

rotating pattern: /var/log/yum.log forced from command line (4 rotations)
 empty log files are not rotated, old logs are removed
 considering log /var/log/yum.log log needs rotating rotateCount is 4
 dateext suffix '-20170226'
 glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
 glob finding old rotated logs failed
 renaming /var/log/yum.log to /var/log/yum.log-20170226
 creating new /var/log/yum.log mode = 0600 uid = 0 gid = 0

Logrotate is configured OK and it seems to work fine, so if it’s not executing properly, we will have to check it’s schedule on the crontab.

NOTE: Notice that when we configure the rotation to be on size, the –force option cannot force this rotation, so to force rotation on stanzas where size has been used, just lower the size attribute temporarily (size 10k instead of 5M, for example).

3.1- Logrotate individual files/logs check

To check logrotate’s config for a particular file, we will have to identify it first in the /etc/logrotate.d directory, for example to check the config for yum’s logs:

[root@aix72:/etc/logrotate.d]logrotate -vf /etc/logrotate.d/yum
reading config file /etc/logrotate.d/yum

Handling 1 logs

rotating pattern: /var/log/yum.log forced from command line (no old logs will be kept)
empty log files are not rotated, old logs are removed
considering log /var/log/yum.log
 log does not need rotating

To check the config for a specific log, but we don’t see a logrotate file stored by its name in /etc/logrotate.d, we will have to dig it out (for example let’s look for start_all.log):

[root@aix72:/home/admin]grep start_all.log /etc/logrotate.d/*
/etc/logrotate.d/sysadmin:/home/admin/log/start_all.log

OK, so it looks like the logrotate config for start_all.log resides in the /etc/logrotate.d/sysadmin file, so now we can check it:

[root@aix72:/etc/logrotate.d]logrotate -vf /etc/logrotate.d/sysadmin
reading config file /etc/logrotate.d/sysadmin

Handling 3 logs

rotating pattern: /home/admin/log/check_all.log forced from command line (2 rotations)
empty log files are rotated, old logs are removed
considering log /home/admin/log/check_all.log
 log does not need rotating

rotating pattern: /home/admin/log/start_all.log forced from command line (1 rotations) 
empty log files are rotated, old logs are removed
considering log /home/admin/log/start_all.log
 log does not need rotating

rotating pattern: /home/admin/log/stop_all.log forced from command line (1 rotations)
empty log files are rotated, old logs are removed
considering log /home/admin/log/stop_all.log
 log does not need rotating

So, as always, an important part of a configuration (the most important, actually) is to check that our new config works just as we expected it.

And now we have seen how to check all the logrotate config, how to force the log rotation, and how to check individual logrotate config files, so with this three checks we should be able to perform config-test-change-retest until our friend logrotate does what we expect it to.

On the step 4, I will talk about logrotate documentation & support, and step 5 will show how to fix common logrotate errors. See you soon.

Logrotate 2.- Configure logrotate for AIX

NOTE:  This is a follow-up, from the previous post: AIX 6L+ , AIX 7DevOps and Logrotate on AIX

Logrotate is a utility from RHEL, and therefore it comes preconfigured for RHEL & fedora, so after installing it using yum, we need to adapt it to work in our AIX system.

2.1- Fix logrotate.conf invalid entries

By default, logrotate’s main config file treats logs of wtmp & btmp, but since we can treat wtmp separately, and btmp is not implemented in AIX, we can just comment out or better still, delete those lines from /etc/logrotate.conf:

[root@aix72:/etc/logrotate.d]vi /etc/logrotate.conf
 # see "man logrotate" for details
 # rotate log files weekly
 weekly

# keep 4 weeks worth of backlogs
 rotate 4

# create new (empty) log files after rotating old ones
 create

# use date as a suffix of the rotated file
 dateext

# uncomment this if you want your log files compressed
 #compress

# RPM packages drop log rotation information into this directory
 include /etc/logrotate.d

# no packages own wtmp and btmp -- we'll rotate them here      
/var/log/wtmp {
 monthly
 create 0664 root utmp
 minsize 1M
 rotate 1
 }

/var/log/btmp {
 missingok
 monthly
 create 0600 root utmp
 rotate 1
 }

NOTE: There is also a good idea to put a line like the following to the bottom of /etc/logrotate.conf to sepparate the default system config from future additions:

# Installed by Carlos Ijalba, 2017. Put new generic logconfigs below this line: ##########

 

2.2- Fix the log rotation for yum

By default, logrotate comes configured to treat yum logs, but we need to change the owner group of the yum logs in RHEL (root) for AIX default system group (system), so we edit the file /etc/logrotate.d/yum, and change line 6 last root entry for system:

[root@aix72:/etc/logrotate.d]cat /etc/logrotate.d/yum
 /var/log/yum.log {
 missingok
 notifempty
 size 30k
 yearly
 create 0600 root system
 }

2.3- Setup logrotate schedule in crontab

And the last step, will be to configure the contab entry for logrotate execution, by default it is planned daily, but we can configure it more often, and even set up customized logrotates for specific applications, by defining new logrotate config files in different directories and invoking them specifically.

In this example we will just configure daily rotation at day’s change ( 00:00 hours ) so we edit crontab ( crontab -e ) and add the following line after skulker (it makes sense, as skulker does system’s cleanup by deleting old files and logs, so it might save logrotate some extra work):

0 0 * * * /etc/logrotate

Done, so now we can go to the step 3, to check that logrotate works OK.

 

2.4- Add logrotate controls for our logs

Logrotate has loads of options, and even supports mini-scripting previous,during, and post-rotation, etc. Full documentation and examples can be found here:

https://linux.die.net/man/8/logrotate

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/s2-log_rotation.html

If we want to add some simple logrotation configuration, we can add for example the following 3 files to /etc/logrotate.d directory to deal with supposed logs from some of our administration scripts (called check_all.ksh, start_all.ksh & stop_all.ksh):

[root@aix72:/etc/logrotate.d]vi /etc/logrotate.d/check_all
 # log rotation for check_all.ksh sysadmin script:
 /home/admin/log/check_all.log {
 missingok
 daily
 rotate 2
 size 2M
 }
[root@aix72:/etc/logrotate.d]vi /etc/logrotate.d/start_all
 # log rotation for start_all.ksh sysadmin script:
 /home/admin/log/start_all.log {
 missingok
 rotate 1
 size 1M
 }
[root@aix72:/etc/logrotate.d]vi /etc/logrotate.d/stop_all
 # log rotation for stop_all.ksh sysadmin script:
 /home/admin/log/stop_all.log {
 rotate 1
 compress
 size 1M
 }

And the options are quite self-explanatory: in this case missingok will not report an error when the log file does not exist, daily rotates the log everyday (can be daily, weekly, monthly, annual), rotate X keeps X additional versions of the log, so rotate 2 will keep the original log, plus a log.1 and a log.2 copies (ex: rotate 2 == keep 2 additional copies), size 1M rotates the log when this one becomes bigger than 1MB (can be 10k, 10M, etc).

But since the above scripts are all part of a set of administration scripts all kept in /home/admin, in this case, it will be a better idea to just add the three stanzas all in the same config file, say sysadmin, as follows :

[root@aix72:/etc/logrotate.d]vi /etc/logrotate.d/sysadmin
 # log rotation for sysadmin scripts located in /home/admin
 #

# log rotation for check_all.ksh sysadmin script:
 /home/admin/log/check_all.log {
 missingok
 daily
 rotate 2
 size 1M
 }

# log rotation for start_all.ksh sysadmin script:
 /home/admin/log/start_all.log {
 missingok
 rotate 1
 weekly
 size 10k
 }

# log rotation for stop_all.ksh sysadmin script:
 /home/admin/log/stop_all.log {
 rotate 1
 compress
 size 10k
 }

Done, so now we can go to the step 3.1, to check that logrotate works OK with our new config file.

But of course, step 3 and successive, will be food for the next post…

Instalar YUM en AIX v7.2+

Una de las novedades de AIX v7.2 es que por fín IBM ha sacado un bundle para poder instalar yum bajo AIX. Y viene preconfigurado para usar el repositorio de IBM AIX Toolbox, BONUS!

Para instalar YUM en AIX, primero tenemos que actualizar el rpm a la v4.13 o superior, la última siempre se puede bajar de:

ftp://ftp.software.ibm.com/aix/freeSoftware/aixtoolbox/INSTALLP/ppc/rpm.rte

O directamente desde el servidor AIX en donde lo vamos a instalar (más cómodo si disponemos de conexión a internet en dicho servidor), en cualquier caso bajaremos el rpm y también el último bundle de yum:

[root@tsm_srv:/software]ftp ftp.software.ibm.com
Connected to dispsd-40-www3.boulder.ibm.com.
220-*********************************************************************
220-* IBMs internal systems must only be used for conducting IBMs       *
220-* business or for purposes authorized by IBM management.            *
220-*                                                                   *
220-* Use is subject to audit at any time by IBM management.            *
220-*                                                                   *
220-* Important Please read                                             *
220-*                                                                   *
220-* Machine Code updates provided through this site are available     *
220-* only for IBM machines that are under warranty or an IBM hardware  *
220-* maintenance service agreement Code for operating systems or other *
220-* software products is available only where entitled under the      *
220-* applicable software warranty or IBM software maintenance          *
220-* agreement. All code (including Machine Code updates, samples,     *
220-* fixes or other software downloads)provided through this site      *
220-* is subject to the terms of the license agreements which           *
220-* govern the use of the associated code. Some exceptions may        *
220-* apply.IBM reserves the right to change, modify or withdraw its    *
220-* offerings,policies and practices at any time.                     *
220-*********************************************************************
220-
220 service.boulder.ibm.com FTP server (Version wu-2.6.2.1(5) Custom Tue Aug 17 13:28:23 MDT 2010) ready.
Name (ftp.software.ibm.com:root): ftp
331 Guest login ok, send any password.
Password: aaaa@bbbb.com
230 Guest login ok, access restrictions apply.
ftp> cd /aix/freeSoftware/aixtoolbox/INSTALLP/ppc
ftp> bin
200 Type set to I
ftp> get rpm.rte
200 PORT command successful.
150 Opening BINARY mode data connection for rpm.rte (354266 bytes).
226 Transfer complete.
355464 bytes received in 5.399 seconds (64.3 Kbytes/s)
local: rpm.rte remote: rpm.rte
ftp> cd /aix/freeSoftware/aixtoolbox/ezinstall/ppc
ftp> get yum_bundle.tar
200 PORT command successful
150 Opening BINARY mode data connection for yum_bundle.tar (54886400 bytes)
226 Transfer complete
54886400 bytes received in 106.1 seconds (505.4 Kbytes/s)
local: yum_bundle.tar remote: yum_bundle.tar
ftp> bye

Una vez bajado, lo instalamos:

[root@tsm_srv:/software]installp -aXYgd . rpm.rte
+-----------------------------------------------------------------------------+
Pre-installation Verification...
+-----------------------------------------------------------------------------+
Verifying selections...done
Verifying requisites...done
Results...

SUCCESSES
---------
Filesets listed in this section passed pre-installation verification
and will be installed.

Selected Filesets
-----------------
rpm.rte 4.13.0.3 # RPM Package Manager


Una vez instalado el rpm actualizado, ya podemos instalar el bundle especial de YUM (también está disponible por FTP directamente desde un navegador):

ftp://public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/ezinstall/ppc/yum_bundle.tar

Lo desempaquetamos:

[root@tsm_srv:/software]tar -xvf yum_bundle.tar
x curl-7.44.0-1.aix6.1.ppc.rpm, 584323 bytes, 1142 media blocks.
x db-4.8.24-3.aix6.1.ppc.rpm, 2897799 bytes, 5660 media blocks.
x gdbm-1.8.3-5.aix5.2.ppc.rpm, 56991 bytes, 112 media blocks.
...

Instalamos todos los RPMs que vienen en el bundle:

[root@tsm_srv:/software]rpm -Uvh *.rpm
# Preparing... ########################################### [100%]
1:python ########################################### [ 9%]
2:pysqlite ########################################### [ 18%]
3:python-iniparse ########################################### [ 27%]
...

Y ya tenemos yum:

[root@tsm_srv:/software]yum --version
3.4.3
  Installed: yum-3.4.3-5.noarch at 2018-08-28 15:31
Built    : None at 2017-08-03 07:56
Committed: Sangamesh Mallayya  at 2017-08-04

[root@tsm_srv:/software]yum repolist
AIX_Toolbox                                                                                               | 2.9 kB  00:00:00
AIX_Toolbox/primary_db                                                                                    | 1.0 MB  00:00:00
AIX_Toolbox_72                                                                                            | 2.9 kB  00:00:00
AIX_Toolbox_72/primary_db                                                                                 |  20 kB  00:00:00
AIX_Toolbox_noarch                                                                                        | 2.9 kB  00:00:00
AIX_Toolbox_noarch/primary_db                                                                             |  51 kB  00:00:00
repo id                                                  repo name                                                         status
AIX_Toolbox                                              AIX generic repository                                            1,686
AIX_Toolbox_72                                           AIX 7.2 specific repository                                          38
AIX_Toolbox_noarch                                       AIX noarch repository                                               105
repolist: 1,829

Una vez instalados los rpms se pueden borrar (guardar el lpp de rpm.rte y el bundle.tar, para poderlo instalar en otro servidor sin tenerlo que volver a bajar).

Gracias IBM, y gracias Sangamesh!

Por fin ya podemos decir que rpm en AIX está “deprecated“.

NOTA: si tienes problemas con la instalación, conviene revisar la documentación oficial de IBM al respecto, ya que de vez en cuando el proceso cambia ligeramente. Ésta la puedes encontrar aquí (de hecho, en la última actualización, se puede bajar yum.sh script, el cual baja e instala los paquetes descritos en este artículo):

ftp://public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/ezinstall/ppc/README-yum

;o)

Artículo actualizado: 29/08/2018, ya que desde que publiqué el artículo en 2016, ha habido cambios en el procedimiento.

Create a free website or blog at WordPress.com.

Up ↑