Customizing a NIM Client Restore With a Post-Install Script
After you’ve performed a NIM recovery—whether via a mksysb or an RTE (runtime environment) install—it’s likely you’ll further customize the newly built AIX LPAR to bring it to your standard AIX build. A lot of this post-installation work can be cut down by pushing out a post-install script via NIM, which can perform some of these tasks automatically. Your post-customization will reflect your own AIX build policy, but you’d certainly want to:
- Clear out messages/mail files
- Clear out errpt
- Change admin accounts and passwords
- Stop any network services that hold the original hostname from starting up from inittab
No doubt you’ll have more customization you can do, but let’s stick with these four for this article.
I remember quite clearly quite a few years ago, I cloned a production AIX LPAR to a different LPAR so we could test an issue we had with a certain app. The LPAR came up, as did the sendmail service, sending out emails informing us the real production LPAR was starting up! I was on the phone answering calls for 30 minutes, trying to explain it was not the real prod box, but rather a clone of the box.
A post-install NIM script is executed directly after the mksysb is restored. Once fully tested, the script must be defined as a ‘script’ resource for NIM to use it. More on that later.
Prepare Your Script
A post-install script is an executable shell script that contains commands you’d run in any shell script. It’s also prudent to run the script in debug mode and to check it for syntax:
set -x
set -n
Next, ensure the script works as expected. Test on another LPAR first and get the results you expected before unleashing it as part of your NIM recovery process.
Please note there will still be NFS mounts going on from the NIM master to the client when the post-install script is running, so don’t stop NFS as part of your script. If you do, you’ll be in limbo. NFS can be stopped from startup but we will look at that shortly.
Post-Install Script
On my system, all AIX LPARs use Kerberos network authentication. So I need to stop Kerberos coming up, as nobody will be able to log in until I reconfigure the client. I also need to swap user authentication from Kerberos to local. As most of the changes will be done in inittab, let’s get that backed up first.
cp /etc/inittab /etc/inittab_nim
Remove the entry from inittab, using the command rmitab:
rmitab rckrb5
The rmitab command removes the whole entry from inittab when it is passed the identifier of the entry to remove. The identifier is the first field of the inittab entry, for example:
rckrb5:2:wait:/etc/rc.krb5 > /dev/console 2>&1
So the identifier in this output is: rckrb5
Next bring the users back to local authentication and set their password to their login ID and reset any failed login attempts. As there could be many users, it’s more efficient to do this via a for loop:
list="dxtans cxvip aylup aside"
for loop in $list
do
  chuser registry=files SYSTEM=compat $loop
  echo "${loop}:${loop}" | chpasswd -c
  chsec -f /etc/security/lastlog -a "unsuccessful_login_count=0" -s ${loop}
done
I also need to change the root password to a default one—whether the image is old and the original password forgotten or whether it’s new. I set the minage to zero to allow me to change the password. On our site, root passwords have a minimum age of at least seven days before they can be changed.
chuser minage=0 root
echo "root:Pseries1" | /usr/bin/chpasswd -c
In my environment, we collect nmon stats, which by default go to /opt/dump/nmon. As this image may be a new build, I certainly don’t want these hanging around. I also don’t care about old errpt messages or mails. So let’s get rid of them:
rm /opt/dump/nmon/*
errclear 0
rm /var/spool/mqueue/*
Sendmail has its own configuration file (sendmail.cf) that holds the hostname, which will now be different, so let’s stop sendmail (if it’s running) and disable it from /etc/rc.tcpip with the chrctcp command:
chrctcp -S -d sendmail
I also have various network services, again with their own configuration file, like DB2 (fmc), schedulers (roc1) and a netbackup client that gets started from inittab. Let’s remove them:
rmitab fmc
rmitab roc1
rmitab netbackup
Finally, let’s get rid of NFS from starting up. I like a clean sheet build! Remove it from inittab:
rmitab rcnfs
When an image is restored, I like to remind myself and others upon login that this is a newly restored image, so I put a message in the /etc/motd file, like so:
banner NOTE >> /etc/motd
cat <<mayday >>/etc/motd
+++++++++++++++++++++++++++++++++++++++++++++
THIS IS A RESTORED IMAGE
All network service apps have been removed from inittab
original inittab called:/etc/inittab_nim
sendmail has been commented out from rc.tcpip
All aix admin passwords are local, same as your user-id
root password has been changed, see: post_script on NIM Master to see it
+++++++++++++++++++++++++++++++++++++++++++++
mayday
This acts as a gentle reminder that other post-install work needs to be done, such as reconfiguring the network service apps to point to the new LPAR client.
Here’s the cut-down post-install script:
#!/bin/sh
# post_install
# do post install tasks

# keep a copy of the original inittab
cp /etc/inittab /etc/inittab_nim

# switch admin users to local authentication and reset their passwords
list="dxtans cxvip aylup aside"
for loop in $list
do
  chuser registry=files SYSTEM=compat $loop
  echo "${loop}:${loop}" | chpasswd -c
  chsec -f /etc/security/lastlog -a "unsuccessful_login_count=0" -s ${loop}
done

# reset the root password
chuser minage=0 root
echo "root:Pseries1" | /usr/bin/chpasswd -c

# clear nmon stats, errpt and queued mail
rm /opt/dump/nmon/*
errclear 0
rm /var/spool/mqueue/*

# stop services that would start with the old hostname or configuration
chrctcp -S -d sendmail
rmitab rckrb5
rmitab rcnfs

# leave a reminder for whoever logs in
banner NOTE >> /etc/motd
cat <<mayday >>/etc/motd
+++++++++++++++++++++++++++++++++++++++++++++
THIS IS A RESTORED IMAGE
All network service apps have been removed from inittab
original inittab called:/etc/inittab_nim
sendmail has been commented out for rc.tcpip
All aix admin passwords are local, same as your user-id
root password has been changed, see: post_script on NIM Master to see it
+++++++++++++++++++++++++++++++++++++++++++++
mayday
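A check that can be run after the restore to confirm that none of the inittab entries removed above are still defined and that sendmail is no longer started from rc.tcpip. This is an added example, not part of the original script: the function names are hypothetical, and it assumes that the sendmail line in rc.tcpip has the form `start /usr/lib/sendmail ...` and that inittab comment lines begin with a colon.

```shell
#!/bin/sh
# Added example: audit a restored image's startup files.
# Function names are hypothetical; the rc.tcpip line format is an assumption.

# Print the identifier (first field) of every active inittab entry.
# A line beginning with ':' is a comment on AIX, so its first field is empty.
inittab_ids() {
    awk -F: '$1 != "" { print $1 }' "$1"
}

# still_present FILE ID... : print each ID that is still defined in FILE.
still_present() {
    file=$1; shift
    ids=$(inittab_ids "$file")
    for id in "$@"; do
        # -F -x: literal whole-line match, so "rc" does not match "rcnfs"
        printf '%s\n' "$ids" | grep -Fqx "$id" && printf '%s\n' "$id"
    done
    return 0
}

# sendmail_enabled FILE : succeed if an uncommented sendmail start line exists.
sendmail_enabled() {
    grep -Eq '^[[:space:]]*start[[:space:]]+/usr/lib/sendmail' "$1"
}

# audit INITTAB RCTCPIP ID... : print findings; return 1 if anything is left.
audit() {
    inittab=$1; rctcpip=$2; shift 2
    rc=0
    left=$(still_present "$inittab" "$@")
    if [ -n "$left" ]; then
        echo "still in inittab:" $left
        rc=1
    fi
    if sendmail_enabled "$rctcpip"; then
        echo "sendmail still enabled in $rctcpip"
        rc=1
    fi
    return $rc
}

# Run only when called with arguments, e.g.:
#   audit.sh /etc/inittab /etc/rc.tcpip rckrb5 fmc roc1 netbackup rcnfs
if [ $# -ge 3 ]; then
    audit "$@"
fi
```

A non-zero exit status means the restored LPAR would still start one of the listed services on its next boot.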
The next task is getting NIM to recognize this script. This can be done either via the command line or via SMIT. For SMIT the menu path is:
smit nim
Perform NIM Administration Tasks
Manage Resources
Define Resource
'Select Script'
Next, input the resource name (give it a unique and meaningful name like post_install), the server it resides on (typically this will be the NIM master) and the actual location of the script. In this example, the script (post_script) resides in: /export/resource.
Once done, review it with:
# lsnim -l post_install
post_install:
   class = resources
   type = script
   comments = ran after migration/restore
   Rstate = ready for use
   prev_state = unavailable for use
   location = /export/resource/post_script
   alloc_count = 0
   server = master
Now when you go to restore an image via NIM, simply select F4 when you’re at the “Customization SCRIPT to run after installation” field when restoring to client, as shown in Figure 1.
In this screen shot, NIM will restore to the host my01prs6998. It will use the mksysb and spot from the host my01wrs6001. The post_install resource script will be used for the restore, as indicated in the ‘Customization script’ field.
Many More
You can run many commands post install within a script. I’ve highlighted just a few of them. This is a great way to customize and trim down a restored image. To keep an eye on how your restore is going, from the NIM master use:
# alog -f /usr/adm/ras/nimlog -o
Or
lsnim -l <nim_client>