Using the NIM service handler with the NIM Alternate Disk Migration tool

This article describes how to use nimsh with nimadm to migrate to IBM® AIX® version 7.1.

Chris Gibson (cgibson@au1.ibm.com), AIX and Power Systems Client Technical Specialist, IBM


Chris Gibson is a Power Systems Client Technical Specialist at IBM Systems and Technology Group, located in Melbourne, Australia. He is a co-author of several IBM Redbooks® on AIX. Chris contributes to the AIX community through his AIX blog and Twitter (@cgibbo).



15 October 2013


Introduction

I have written about the Network Install Manager Alternate Disk Migration (nimadm) tool several times (refer to the Resources section of this article). Each time, I have discussed how to use the tool to migrate from one version of AIX to another. Up until recently, if you wanted to use this tool to migrate a Network Installation Management (NIM) client, you would need to enable rshd on the client system. For some customers this is a problem. They are unable, or simply forbidden, to enable this service, even for a short duration, because of their organization's stringent security policies. As a result, some security-sensitive sites had to find other ways and means of migrating to new versions of AIX.

Starting with AIX 6.1 TL8 and AIX 7.1 TL2, the nimadm tool now supports the NIM service handler (nimsh) protocol. Using this protocol allows AIX migrations to be performed without enabling rshd on the NIM client. This article describes how to use nimsh with nimadm to migrate to AIX version 7.1.


What is the NIM service handler?

Believe it or not, nimsh has been around for almost ten years. It was first introduced as a new feature with AIX 5L V5.2 ML 07 and AIX 5L V5.3 (in 2004). This new feature was called the NIM Service Handler (NIMSH). This new service eliminated the need for classic 'r' commands during NIM client communication. For environments where the standard rsh protocols were not considered secure enough, using nimsh was considered to be a best practice and was implemented widely.

The NIM service handler provides a "wrapper" for NIM commands. Only the commands registered with nimsh (residing in the /usr/lpp/bos.sysmgt/nim/methods directory) are run as root; anything else is denied execution. Although nimsh eliminates the need for rsh, in the default configuration, it does not provide trusted authentication based on key encryption. It is possible to use cryptographic authentication with nimsh by configuring nimsh to use OpenSSL. When you install OpenSSL on a NIM client, Secure Sockets Layer (SSL) socket connections are established during nimsh service authentication. Enabling OpenSSL provides SSL key generation and includes all cipher suites supported in SSL version 3. Refer to the Resources section for detailed information on configuring nimsh to use OpenSSL.

The NIM client daemon (nimsh) installs as part of the bos.sysmgt.nim.client file set. The nimsh client daemon logs data to the /var/adm/ras/nimsh.log file.

There are two ports involved in nimsh communication. These ports are referred to as the primary (port 3901) and secondary (port 3902) ports. The primary port listens for service requests. Coincidentally, SAP also prefers to use the same port numbers as nimsh. Refer to Chris's AIX blog on nimsh and SAP for more information on this and how you can handle this situation.

The nimsh subsystem is registered with the System Resource Controller (SRC). The SRC group name is nimclient and the subsystem defined is called nimsh.

It is possible to have a mixture of NIM clients using either rshd or nimsh. However, it is best to use nimsh for all NIM client communication and avoid rshd completely.


Configuring nimsh

If you have not configured your AIX systems to use nimsh in the past, then you might need to perform the following steps so that the NIM client can communicate with the NIM master over nimsh. Perform these steps on the NIM client to reconfigure the NIM client. First, we move any previous (old) /etc/niminfo configuration file out of the way and then we use the niminit command to reconfigure the NIM client and enable nimsh as the communication protocol used by the NIM client. Finally, we confirm that the nimsh subsystem is now active.

# mv /etc/niminfo /etc/niminfo.old
# niminit -a master=nim1 -a name=`hostname`
# stopsrc -s nimsh
# smit nim_config_services
* Communication Protocol used by client [nimsh] +
# lssrc -s nimsh
Subsystem  Group       PID        Status
nimsh      nimclient   6029524    active

On the NIM master, verify that the NIM client connect stanza now shows nimsh instead of shell.

# lsnim -l aix61 
aixlpar61: 
    class           = machines 
    type            = standalone 
    locked          = 9502758 
    connect         = nimsh 
    platform        = chrp 
    netboot_kernel  = 64 
    if1             = network1 aixlpar61 0 
    cable_type1     = N/A 
    Cstate          = alt_disk_mig operation is being performed 
    prev_state      = ready for a NIM operation 
    Mstate          = currently running 
    lpp_source      = aix71 
    spot            = aix71spot
    cpuid           = 00C8E4244C00 
    control         = master 
    Cstate_result   = reset

Verify that the NIM master can communicate with the NIM client over nimsh, using the nim -o showlog command. This command should return the contents of the NIM install log file (/var/adm/ras/nim.installp) on the NIM client.

# nim -o showlog aix61
BEGIN:Thu Mar 24 01:29:36 2011:032401293611
Command line is:
/usr/sbin/installp -u -e /var/adm/ras/nim.installp -b -f \
/tmp/.workdir.3014756.2686976_1/.genlib.installp.list.2686976
+-----------------------------------------------------------------------------+
                    Pre-deinstall Verification...
+-----------------------------------------------------------------------------+
done
…etc…
Installation Summary
--------------------
Name                        Level           Part        Event       Result
-------------------------------------------------------------------------------
bos.sysmgt.nim.master       6.1.0.0         USR         DEINSTALL   SUCCESS
END:Thu Mar 24 01:29:49 2011:032401294911

If nimsh is not functioning on the NIM client, then you will receive an error similar to the following example.

# nim -o showlog aix61
0042-001 nim: processing error encountered on "master":
0042-006 m_showlog: (From_Master) connect 
A remote host did not respond within the timeout period.
nconn: connect() failed, errno is 78
aix61: A remote host did not respond within the timeout period.

Using nimsh with nimadm

In this section, we will use nimsh and nimadm to migrate an AIX version 6.1 system to AIX version 7.1. The following AIX versions, levels, and fixes were installed:

NIM Master: 7100-02-01-1245 + IV46746m2c (Allow NIMADM with NIMSH and NIM CACHE)*
NIM Client: 6100-08-01-1245

Note: You'll need interim fix IV46746m2c installed in order for this to work. Without it, the nimadm operation will fail. The interim fix was installed on the NIM master only. You need to contact the IBM support centre to obtain the fix.

root@nim1[/tmp] # emgr -e IV46746m2c.130826.epkg.Z
root@nim1[/tmp] # emgr -l
ID  STATE LABEL      INSTALL TIME      UPDATED BY ABSTRACT
=== ===== ========== ================= ========== ======================================
1    S    IV46746m2c 08/27/13 12:39:55            Allow NIMADM with NIMSH and NIM CACHE

The NIM client is installed with AIX 6.1 TL8 SP1. A spare disk is available for the migration. The nimsh subsystem is active.

root@aix61[/] # oslevel -s
6100-08-01-1245
root@aix61[/] # lspv
hdisk0          00c8e424e56b6006      rootvg     active
hdisk1          00f6050a2cd79ef8      None
root@aix61[/] # lssrc -s nimsh
Subsystem       Group           PID          Status
nimsh           nimclient       3539094      active

The NIM master is installed with AIX 7.1 TL2 SP1. The NIM client definition shows nimsh as the connection protocol. The NIM master is able to communicate with the NIM client using nimsh.

root@nim1[/] # oslevel -s
7100-02-01-1245
root@nim1[/] # lsnim -l aix61
aix61:
   class          = machines
   type           = standalone
   connect        = nimsh
   platform       = chrp
   netboot_kernel = 64
   if1            = network1 aix61 0
   cable_type1    = N/A
   Cstate         = ready for a NIM operation
   prev_state     = ready for a NIM operation
   Mstate         = currently running
   cpuid          = 00C8E4245C00
   Cstate_result  = reset
root@nim1[/] # nim -o showlog aix61
BEGIN:Thu Mar 24 01:29:36 2011:032401293611
Command line is:
/usr/sbin/installp -u -e /var/adm/ras/nim.installp -b -f \
/tmp/.workdir.3014756.2686976_1/.genlib.installp.list.2686976
+-----------------------------------------------------------------------------+
                    Pre-deinstall Verification...
+-----------------------------------------------------------------------------+
done
…etc…
Installation Summary
--------------------
Name                        Level           Part        Event       Result
-------------------------------------------------------------------------------
bos.sysmgt.nim.master       6.1.0.0         USR         DEINSTALL   SUCCESS
END:Thu Mar 24 01:29:49 2011:032401294911

The rshd (shell) daemon is disabled on the NIM client. There is no .rhosts file in the root user's home directory (/), and the shell service is commented out in /etc/inetd.conf. This prevents the NIM master from connecting to the NIM client using rsh.

root@aix61[/] # ls -ltr .rhosts
ls: 0653-341 The file .rhosts does not exist.
root@aix61[/] # grep rshd /etc/inetd.conf
#shell  stream  tcp6    nowait  root    /usr/sbin/rshd  rshd
root@nim1[/] # rsh aix61 date
aix61: A remote host refused an attempted connect operation.
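
The checks described above can be scripted as a pre-flight step before running nimadm. This is an added example, not code from the article; the function names are this example's own, and the three inputs are assumed to be a copy of the client's /etc/inetd.conf, root's home directory on the client, and saved `lsnim -l` output from the NIM master.

```shell
#!/bin/sh
# Added example (not from the article): pre-flight checks before nimadm over nimsh.

# Succeeds (exit 0) if the inetd.conf file still has an uncommented "shell" (rshd) entry.
shell_service_enabled() {
    awk '$1 == "shell" { found = 1 } END { exit !found }' "$1"
}

# Prints the value of the "connect" attribute from saved `lsnim -l <client>` output.
nim_connect() {
    awk -F= '$1 ~ /^[ \t]*connect[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2; exit }' "$1"
}

# preflight INETD_CONF ROOT_HOME LSNIM_OUT
# Prints one PASS/FAIL line per check; the return code is the number of failed checks.
preflight() {
    fails=0
    if shell_service_enabled "$1"; then
        echo "FAIL rshd: shell service is enabled in $1"; fails=$((fails + 1))
    else
        echo "PASS rshd: shell service is not enabled"
    fi
    if [ -e "$2/.rhosts" ]; then
        echo "FAIL rhosts: $2/.rhosts exists"; fails=$((fails + 1))
    else
        echo "PASS rhosts: no .rhosts in root's home"
    fi
    proto=$(nim_connect "$3")
    if [ "$proto" = "nimsh" ]; then
        echo "PASS connect: NIM master uses nimsh"
    else
        echo "FAIL connect: NIM master uses '${proto:-unknown}'"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed sample inputs, modelled on the output shown in the article.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/roothome"
printf '%s\n' '#shell  stream  tcp6    nowait  root    /usr/sbin/rshd  rshd' \
    > "$demo_dir/inetd.conf"
printf '%s\n' 'aix61:' '   class          = machines' '   connect        = nimsh' \
    > "$demo_dir/lsnim.out"
preflight "$demo_dir/inetd.conf" "$demo_dir/roothome" "$demo_dir/lsnim.out"
rm -rf "$demo_dir"
```

A commented-out entry only shows the state of the file; the `rsh aix61 date` attempt from the NIM master, as shown above, confirms that the running inetd refuses the connection.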

I migrated the NIM client from AIX 6.1 TL8 SP1 to AIX 7.1 TL2 SP1, using nimadm as follows.

root@nim1[/] # nimadm -j nimvg -c aix61 -s aix71spot -l aix71 -d hdisk1 -Y
Initializing the NIM master.
Initializing NIM client aix61.
Verifying alt_disk_migration eligibility.
Initializing log: /var/adm/ras/alt_mig/aix61_alt_mig.log
Starting Alternate Disk Migration.
+-----------------------------------------------------------------------------+
Executing nimadm phase 1.
+-----------------------------------------------------------------------------+
Cloning altinst_rootvg on client, Phase 1.
Client alt_disk_install command: alt_disk_copy -j -M 7.1 -P1 -d "hdisk1"
Calling mkszfile to create new /image.data file.
Checking disk sizes.
LOGICAL_VOLUME= hd11admin
FS_LV= /dev/hd11admin
Creating cloned rootvg volume group and associated logical volumes.
...etc...
Generating a list of files
for backup and restore into the alternate file system...
Phase 1 complete.
+-----------------------------------------------------------------------------+
Executing nimadm phase 2.
+-----------------------------------------------------------------------------+
Creating nimadm cache file systems on volume group nimvg.
Checking for initial required migration space.
Creating cache file system /aix61_alt/alt_inst
...etc...
+-----------------------------------------------------------------------------+
Executing nimadm phase 3.
+-----------------------------------------------------------------------------+
Syncing client data to cache ...
+-----------------------------------------------------------------------------+
Executing nimadm phase 4.
+-----------------------------------------------------------------------------+
nimadm: There is no user customization script specified for this phase.
+-----------------------------------------------------------------------------+
Executing nimadm phase 5.
+-----------------------------------------------------------------------------+
Saving system configuration files.
Checking for initial required migration space.
Setting up for base operating system restore.
/aix61_alt/alt_inst
Restoring base operating system.
Merging system configuration files.
...etc...
+-----------------------------------------------------------------------------+
Executing nimadm phase 6.
+-----------------------------------------------------------------------------+
Installing and migrating software.
Updating install utilities.
+-----------------------------------------------------------------------------+
Pre-installation Verification...
+-----------------------------------------------------------------------------+
Verifying selections...done
Verifying requisites...done
Results...
...etc...
install_all_updates: Checking for recommended maintenance level 7100-02.
install_all_updates: Executing /usr/bin/oslevel -rf, Result = 7100-02
install_all_updates: Verification completed.
install_all_updates: Log file is /var/adm/ras/install_all_updates.log
install_all_updates: Result = SUCCESS
Known Recommended Maintenance Levels
------------------------------------
Restoring device ODM database.
+-----------------------------------------------------------------------------+
Executing nimadm phase 7.
+-----------------------------------------------------------------------------+
nimadm: There is no user customization script specified for this phase.
+-----------------------------------------------------------------------------+
Executing nimadm phase 8.
+-----------------------------------------------------------------------------+
Creating client boot image.
bosboot: Boot image is 53248 512 byte blocks.
Writing boot image to client's alternate boot disk hdisk1.
+-----------------------------------------------------------------------------+
Executing nimadm phase 9.
+-----------------------------------------------------------------------------+
Adjusting client file system sizes ...
Adjusting size for /
...etc...
+-----------------------------------------------------------------------------+
Executing nimadm phase 10.
+-----------------------------------------------------------------------------+
Unmounting client mounts on the NIM master.
forced unmount of /aix61_alt/alt_inst/var
...etc...
Removing cache file system /aix61_alt/alt_inst/var
+-----------------------------------------------------------------------------+
Executing nimadm phase 11.
+-----------------------------------------------------------------------------+
Cloning altinst_rootvg on client, Phase 3.
Client alt_disk_install command: alt_disk_copy -j -M 7.1 -P3 -d "hdisk1"
## Phase 3 ###################
Verifying altinst_rootvg...
Modifying ODM on cloned disk.
forced unmount of /alt_inst/var
...etc...
Bootlist is set to the boot disk: hdisk1 blv=hd5
+-----------------------------------------------------------------------------+
Executing nimadm phase 12.
+-----------------------------------------------------------------------------+
Cleaning up alt_disk_migration on the NIM master.
Cleaning up alt_disk_migration on client aix61.

After the nimadm operation completed, we restarted the NIM client on its alternate rootvg disk. The client rebooted and came up running AIX 7.1 TL2 SP1, as expected.

root@aix61[/] # oslevel -s
6100-08-01-1245
root@aix61[/] # lspv
hdisk0          00c8e424e56b6006      rootvg          active
hdisk1          00f6050a2cd79ef8      altinst_rootvg
root@aix61[/] # shutdown -Fr
root@aix61[/] # lspv
hdisk0          00c8e424e56b6006      old_rootvg
hdisk1          00f6050a2cd79ef8      rootvg          active
root@aix61[/] # oslevel -s
7100-02-01-1245

Overall, this is not very different from any other nimadm operation. The only items you need to check are whether you have the correct AIX levels (and the necessary interim fix) installed and whether the NIM master can communicate with the NIM client over nimsh.

The nimadm log file, on the NIM master, is still at the same location and can be referenced when you need to troubleshoot a migration. On the NIM client, you can view the /var/adm/ras/nimsh.log file for an audit trail of all nimsh communication between the NIM master and client. For example:

root@aix61[/] # tail -f /var/adm/ras/nimsh.log
Mon Aug 26 23:50:25 2013	success: we got 1st write query is 0
Mon Aug 26 23:50:25 2013	success: we got 2nd write local id is 00C8E4244C00
Mon Aug 26 23:50:25 2013	success: we got 3rd write remote id is 00F604884C00
Mon Aug 26 23:50:25 2013	success: we got 4th write command is cd /alt_inst/var && 
/usr/sbin/restore -xqf /alt_inst/tmp/alt_mig.tmpbackup.6291574 > /dev/null || 
> /alt_inst/alt_disk_mig_rfail.6291574
Mon Aug 26 23:50:25 2013	passing OpenSSL setting of 0
Mon Aug 26 23:50:25 2013	authenticated client using standard host methods
Mon Aug 26 23:50:25 2013	sending ack to client
Mon Aug 26 23:50:25 2013	setting descriptors to include 2nd port
Mon Aug 26 23:50:25 2013	command to exec  __  cd /alt_inst/var &&
/usr/sbin/restore -xqf /alt_inst/tmp/alt_mig.tmpbackup.6291574 > /dev/null ||
> /alt_inst/alt_disk_mig_rfail.6291574
Mon Aug 26 23:50:26 2013	file descriptor is 5
Mon Aug 26 23:50:26 2013	file descriptor is : 5
Mon Aug 26 23:50:26 2013	family is : 24 (AF_INET6)
Mon Aug 26 23:50:26 2013	source port is : 1023
Mon Aug 26 23:50:26 2013	source addr is : ::ffff:172.29.154.111
Mon Aug 26 23:50:26 2013	source hostname is: nim1 (FQDN)
Mon Aug 26 23:50:26 2013	source hostname is: nim1 (node-only)
Mon Aug 26 23:50:26 2013	getting 2nd port
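
To review this audit trail after a migration, the log can be condensed to one line per nimsh session and each session's source address compared with the NIM master's. The following is an added example, not code from the article; the function names are this example's own, and the sample log is constructed (session 1 repeats the excerpt above, session 2 is invented and uses the documentation address 192.0.2.50).

```shell
#!/bin/sh
# Added example (not from the article): one summary line per nimsh session.
# Output format: status|start time|source addr|OpenSSL setting|command

# nimsh_audit EXPECTED_MASTER_ADDR [LOGFILE...]   (reads stdin if no file is given)
nimsh_audit() {
    want=$1; shift
    awk -v want="$want" '
    function emit() {
        if (!insess) return
        gsub(/[ \t]+/, " ", cmd); sub(/ $/, "", cmd)
        printf "%s|%s|%s|%s|%s\n", (addr == want ? "OK" : "UNEXPECTED_SOURCE"), start, addr, ssl, cmd
        insess = 0
    }
    {
        # Records start with a timestamp such as "Mon Aug 26 23:50:25 2013".
        if (!match($0, /^[A-Z][a-z][a-z] [A-Z][a-z][a-z] +[0-9]+ [0-9:]+ [0-9]+[ \t]+/)) {
            # No timestamp: continuation of a multi-line command.
            if (incmd) cmd = cmd " " $0
            next
        }
        ts = substr($0, 1, RLENGTH); sub(/[ \t]+$/, "", ts)
        msg = substr($0, RLENGTH + 1); sub(/[ \t\r]+$/, "", msg)
        incmd = 0
        if (msg ~ /we got 1st write/) {
            # A new session begins; records before the first one are skipped.
            emit(); insess = 1; start = ts; addr = "?"; ssl = "?"; cmd = ""
        } else if (sub(/^.*4th write command is /, "", msg)) {
            cmd = msg; incmd = 1
        } else if (sub(/^passing OpenSSL setting of /, "", msg)) {
            ssl = msg
        } else if (sub(/^source addr is *: */, "", msg)) {
            addr = msg
        }
    }
    END { emit() }
    ' "$@"
}

# Constructed sample log (see the lead-in for what is taken from the article).
sample_log() {
    t1='Mon Aug 26 23:50:25 2013'; t2='Mon Aug 26 23:58:02 2013'
    printf '%s\t%s\n' "$t1" 'success: we got 1st write query is 0' \
        "$t1" 'success: we got 4th write command is cd /alt_inst/var && '
    printf '%s\n' '/usr/sbin/restore -xqf /alt_inst/tmp/alt_mig.tmpbackup.6291574 > /dev/null || ' \
        '> /alt_inst/alt_disk_mig_rfail.6291574'
    printf '%s\t%s\n' "$t1" 'passing OpenSSL setting of 0' \
        "$t1" 'source addr is : ::ffff:172.29.154.111' \
        "$t2" 'success: we got 1st write query is 0' \
        "$t2" 'success: we got 4th write command is date' \
        "$t2" 'passing OpenSSL setting of 0' \
        "$t2" 'source addr is : ::ffff:192.0.2.50'
}

sample_log | nimsh_audit '::ffff:172.29.154.111'
```

On a client, the same function can be pointed at /var/adm/ras/nimsh.log with the NIM master's address as it appears in the "source addr" lines.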

Based on my tests, using nimsh adds around 20 minutes to the overall migration time, when compared with rsh. Your mileage might vary.

NIMSH+NIMADM
============
Start: Fri Aug 30 14:37 EET 2013
End: Fri Aug 30 15:47 EET 2013
1 hr 10 min

SHELL+NIMADM
============
Start: Sun Sep 1 20:01 EET 2013
Finish: Sun Sep 1 20:53 EET 2013
52 min


Resources
