Starting with AIX 7.1, CSM is no longer supported or available. It has been replaced by Distributed Systems Managment (DSM). Section 5.2 of the IBM AIX 7.1 Differences Guide Redbook provides details of the new DSM capabilities.
Fortunately DSM still provides access to the dsh command. I’ve written about how I’ve used this utility in the past. The new dsh command (and other tools) are provided in the new DSM filesets named dsm.core and dsm.dsh.
root@nim# lslpp -L dsm*
Fileset Level State Type Description (Uninstaller)
dsm.core 184.108.40.206 A F Distributed Systems Management
dsm.dsh 220.127.116.11 C F Distributed Systems Management
root@nim# lslpp -w /usr/bin/dsh
File Fileset Type
/usr/bin/dsh dsm.dsh Symlink
These filesets are NOT installed by default. You must manually install them. They can be found on your AIX 7.1 media.
If dsh is something you use, then I recommend you read the section on DSM in the Redbook. Also take a look at section 5.2.7 Using DSM and NIM, in which it describes how you can integrate DSM and NIM and completely automate the installation of AIX:
“The AIX Network Installation Manager (NIM) has been enhanced to work with the Distributed System Management (DSM) commands. This integration enables the automatic installation of new AIX systems that are either currently powered on or off.”
Although I’ve written about the dsh command before, there’s one usage I’ve not covered. And that is using dsh to manage users across a group of LPARs. In particular, changing a user’s password.
Before I go any further, I should state that for the following to work you must first configure ssh keys on your NIM master (or central mgmt AIX system) so that you can communicate with all of your AIX systems via SSH, as root, without being prompted for a password. Read my article on dsh to find out how to do this if necessary.
In the following example, I use dsh from my NIM master. It is my central point of control for my AIX environment.
My ssh keys for root on my NIM master have been generated and distributed to all of my LPARs.
root@nim# ssh-keygen -d
Generating public/private dsa key pair.
Enter file in which to save the key (/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /.ssh/id_dsa.
Your public key has been saved in /.ssh/id_dsa.pub.
The key fingerprint is:
The key's randomart image is:
+--[ DSA 1024]----+
| ... .. . |
| . ..o .+ |
| o . =. .+ |
| . o = = = |
|E + o S . |
| . + + |
| . o . |
root@nim# ls -ltra
-rw------- 1 root system 214 17 Sep 2010 authorized_keys
drwxr-xr-x 7 root system 4096 16 Nov 11:43 ..
-rw-r--r-- 1 root system 3615 16 Nov 12:04 known_hosts
-rw-r--r-- 1 root system 601 16 Nov 12:06 id_dsa.pub
-rw------- 1 root system 672 16 Nov 12:06 id_dsa
drwx------ 2 root system 256 16 Nov 12:06 .
On my AIX LPARs, the authorized_keys file has been updated with the public ssh key from my NIM master:
root@aixlpar1 [/.ssh]# chmod 600 known_hosts authorized_keys
root@aixlpar1 [/.ssh]# ls -ltr
-rw------- 1 root system 406 Sep 29 15:30 known_hosts
-rw------- 1 root system 601 Nov 16 12:07 authorized_keys
root@aixlpar1 [/.ssh]# cat authorized_keys
ssh-dss AAAAB3NzaC1kc3MAAACBAPJpekVQgV2CTu5tCOsukwXwMrkfBabLAN7vwjgPk3S2p65COJkFwaDRWwBoK87cnMrrc7/GuOLdk/RiqYw1K8Z0d9RWnsymYrNm0MBALWioGGXwQ+YlLiYHIQsSArnajZOH6Ye36qz81uWNoj6u4xIxi/iGSYoU4x3UE/c/H833AAAAFQDKEtWVFk3G+KAyxUsI6FcpbJZqDQAAAIAVUVRak/s+X0mMElCaEs8Rh96GDfhorXWV1YzI0nbRo8QX2AMix+3LSdEmYCRn8TYpk1Udln3GG4gzy5oI/3Rd1RTWgAo+067LwytR6IJfwYt219Pwh2ktrm5iZu3c+yDBqQj6hsga2YIun5lxqYFy39CZNtslnR1wTx9uCcYkowAAAIEAuVFTsW9ugVM76CgluspNo0faz9xFo4DCOjCgye+k/ZqSDaNq6Xrvxktw+dkHuKHbhvofPgeiMrlqhdbrE0ovLUr8aadxArRhitnu10CFYbRwlrjAxyAaRwjD2pXG8M3a5D1XXAWDCDm6bEs5yxJqcl1wq+8UAhpKiS5yj2pwApk= root@nim
On the NIM master, the root user was configured for the DSH environment. The following entry was placed in roots .profile:
root@nim# cat /.profile
The following entry was placed in roots .kshrc file:
root@nim# cat /.kshrc
A /usr/local/etc/nodes file was created on the NIM master. This file contains a list of each of the nodes that dsh can communicate with from NIM:
root@nim# cat /usr/local/etc/nodes
The first time that the dsh command is run against a new host, the following message will be displayed. dsh uses the FQDN, and the FQDN needs to be added to the known_hosts file for ssh. Therefore you must make an ssh connection first with FQDN to the host:
root@nim# dsh uptime
aixlpar1.cg.com.au : Host key verification failed.
dsh: 2617-009 aixlpar1.cg.com.au remote shell had exit code 255
It is necessary to ssh directly to each node using its FQDN. This step is only required once for each node. For example:
root@nim# ssh aixlpar1.cg.com.au
The authenticity of host 'aixlpar1.cg.com.au (18.104.22.168)' can't be established.
RSA key fingerprint is 83:13:1d:cb:97:ee:00:7a:04:75:62:98:bd:e8:30:79.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'aixlpar1.cg.com.au ' (RSA) to the list of known hosts.
Last unsuccessful login: Tue Sep 27 03:04:33 GMT+10:00 2011 on ssh from 22.214.171.124
Last login: Wed Nov 16 12:08:08 GMT+11:00 2011 on /dev/pts/3 from nim
root@aixlpar1 [/root]# exit
Connection to aixlpar1.cg.com.au closed.
Now we can use the dsh command to run a command across all the nodes defined in the DSH_NODE_LIST. For example, the following command will run the uptime command on all nodes:
root@nim# dsh uptime
aixlpar1.cg.com.au : 12:14PM up 10 days, 22:32, 3 users, load average: 0.47, 0.53, 0.64
aixlpar2.cg.com.au : 12:14PM up 21 days, 21:13, 1 users, load average: 0.11, 0.31, 0.51
aixlpar3.cg.com.au : 12:14PM up 15 days, 20:33, 5 users, load average: 0.17, 0.43, 0.54
With dsh now configured, we can use it to perform several admin tasks from a central location. For example, the following commands will do the following:
1. Create a user, named cg, on all nodes.
2. Set cg’s password to abc123 using the chpasswd command.
3. Remove the ADMCHG flag for the user cg. This will stop them from being prompted to change their password on their first login attempt.
First I check that user does not exist on the AIX systems.
root@nim# dsh lsuser cg
aixlpar1: 3004-687 User "cg" does not exist.
aixlpar2: 3004-687 User "cg" does not exist.
aixlpar3: 3004-687 User "cg" does not exist.
aixlpar4: 3004-687 User "cg" does not exist.
aixlpar5: 3004-687 User "cg" does not exist.
I create the user with the mkuser command.
root@nim# dsh mkuser cg
I confirm that the user has been created on all the AIX systems, with the lsuser command.
root@nim# dsh lsuser cg
aixlpar1: cg id=204 pgrp=staff groups=staff home=/home/cg shell=/usr/bin/ksh login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=files SYSTEM=compat logintimes= loginretries=0 pwdwarntime=0 account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=0 minother=0 mindiff=0 maxrepeats=8 minlen=0 histexpire=0 histsize=0 pwdchecks= dictionlist= fsize=-1 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 roles=
aixlpar2: cg id=204 pgrp=staff groups=staff home=/home/cg shell=/usr/bin/ksh login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=files SYSTEM=compat logintimes= loginretries=0 pwdwarntime=0 account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=0 minother=0 mindiff=0 maxrepeats=8 minlen=0 histexpire=0 histsize=0 pwdchecks= dictionlist= fsize=-1 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 roles=
aixlpar3: cg id=204 pgrp=staff groups=staff home=/home/cg shell=/usr/bin/ksh login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=files SYSTEM=compat logintimes= loginretries=0 pwdwarntime=0 account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=0 minother=0 mindiff=0 maxrepeats=8 minlen=0 histexpire=0 histsize=0 pwdchecks= dictionlist= fsize=-1 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 roles=
I set the users password to abc123, using the chpasswd utility. I also remove the ADMCHG flag so that the user is not prompted to change their password on their first logon attempt.
root@nim# dsh 'echo cg:abc123 | chpasswd -c'
I confirm that I can logon with the new user with the specified password, on one of the AIX LPARs.
root@nim# ssh cg@aixlpar1
Last login: Thu Mar 1 20:05:01 CST 2012 on /dev/pts/1 from aix71
Another nice feature of dsh is the dshbak utility. This utility presents formatted output from the dsh command. For example:
root@nim 520 [/.ssh]# dsh errpt | dshbak
IDENTIFIER TIMESTAMP T C RESOURCE_NAME DESCRIPTION
AA8AB241 1116110811 T O OPERATOR OPERATOR NOTIFICATION
A6DF45AA 1104135011 I O RMCdaemon The daemon is started.
2BFA76F6 1104134111 T S SYSPROC SYSTEM SHUTDOWN BY USER
9DBCFDEE 1104134111 T O errdemon ERROR LOGGING TURNED ON
IDENTIFIER TIMESTAMP T C RESOURCE_NAME DESCRIPTION
DE9A52D1 1111012611 I S rmt10 AAA1
4865FA9B 1111012211 P H rmt10 TAPE OPERATION ERROR
DE9A52D1 1110233511 I S rmt0 AAA1
4865FA9B 1110225511 P H rmt0 TAPE OPERATION ERROR
DE9A52D1 1109180311 I S rmt0 AAA1
4865FA9B 1109180011 P H rmt0 TAPE OPERATION ERROR
DE9A52D1 1108180411 I S rmt2 AAA1
4865FA9B 1108180211 P H rmt2 TAPE OPERATION ERROR
DE9A52D1 1108165711 I S rmt6 AAA1
4865FA9B 1108165111 P H rmt6 TAPE OPERATION ERROR
A2205861 1102085311 P S SYSPROC Excessive interrupt disablement time
F7FA22C9 1031134111 I O SYSJ2 UNABLE TO ALLOCATE SPACE IN FILE SYSTEM
DE9A52D1 1030163411 I S rmt0 AAA1
4865FA9B 1030163411 P H rmt0 TAPE OPERATION ERROR
WARNING: Please be VERY CAREFUL when using the dsh command. Issuing the wrong command can cause damage to all your AIX LPARS!
The dsm.dsh package contains the following utilities:
# lslpp -f dsm.dsh | grep /usr/bin
/usr/bin/dcp -> /opt/ibm/sysmgt/dsm/bin/dcp
/usr/bin/dsh -> /opt/ibm/sysmgt/dsm/bin/dsh
/usr/bin/dping -> /opt/ibm/sysmgt/dsm/bin/dping
/usr/bin/dshbak -> /opt/ibm/sysmgt/dsm/bin/dshbak
If you are a fan of the dping command, you are going to be disappointed. Although the command is currently included in the dsm.dsh fileset, it probably won’t be for much longer.
The command works, “sort of”:
root@nim# dping aixlpar1
aixlpar1: ping (alive)
But if you run ‘dping –a’:
root@nim# dping -a
dping: 2651-095 CSM license has expired or has not been accepted. Run csmconfig -L if you have installed a new release.
the developers, dping is no longer
supported and will eventually be removed from the DSM package. The response
from the developers was as follows:
"The reason "dping -a" is failing with the license check is because the command is calling “/usr/bin/runact-api –c IBM.DmsCtrl::::isLicenseValid" and the license is not set. So the command fails. Since CSM is not supported anymore and went end of life. "
“... please consider the dping command as being "deprecated" code pending removal from the dsm.dsh package.”
When I asked why the command was listed in the AIX 7.1 online documentation if it was no longer available, I was informed: “We are in the process of working with component owner regarding the DOCs and updating them.”. At this stage I’ve not been able to find an alternative command (in AIX). If I find one, I’ll update this post.
If you are planning on migrating to AIX 7.1 please be aware that CSM is no longer supported or available with AIX 7.1. CSM is now ‘end of life’.