Customizing a NIM Client Restore With a Post-Install Script

After you’ve performed a NIM recovery, whether via a mksysb or an RTE (runtime environment) install, it’s likely you’ll further customize the newly built AIX LPAR to bring it to your standard AIX build. A lot of this post-installation work can be cut down by pushing out a post-install script via NIM, which can perform some of these tasks automatically. Your post-customization will reflect your own AIX build policy, but you’d certainly want to:

  • Clear out messages/mail files
  • Clear out errpt
  • Change admin accounts and passwords
  • Remove any network services that hold the original hostname from starting up from inittab

No doubt you’ll have more customization you can do, but let’s stick with these four for this article.

I remember quite clearly quite a few years ago, I cloned a production AIX LPAR to a different LPAR so we could test an issue we had with a certain app. The LPAR came up, as did the sendmail service, sending out emails informing us the real production LPAR was starting up! I was on the phone answering calls for 30 minutes, trying to explain it was not the real prod box, but rather a clone of the box.

A post-install NIM script is executed directly after the mksysb is restored. Once fully tested, the script must be defined as a ‘script’ resource before NIM can use it. More on that later.

Prepare Your Script

A post-install script is an executable shell script containing the same commands you’d use in any shell script. It’s also prudent to check the script for syntax errors and to run it in debug mode:

set -x
set -n

Next, ensure the script works as expected. Test on another LPAR first and get the results you expected before unleashing it as part of your NIM recovery process.

Please note there will still be NFS mounts going on from the NIM master to the client when the post-install script is running, so don’t stop NFS as part of your script. If you do, you’ll be in limbo. NFS can be stopped from startup but we will look at that shortly.

Post-Install Script

On my system, all AIX LPARs use Kerberos network authentication. So I need to stop Kerberos from coming up, as nobody will be able to log in until I reconfigure the client. I also need to swap user authentication from Kerberos to local. As most of the changes will be made in inittab, let’s get that backed up first.

cp /etc/inittab /etc/inittab_nim

Remove the entry from inittab, using the command rmitab:

rmitab rckrb5

The rmitab command removes the whole entry from inittab when you pass it the identifier of the entry to remove. The identifier is the first field of the inittab entry, for example:

rckrb5:2:wait:/etc/rc.krb5 > /dev/console 2>&1

So the identifier in this output is: rckrb5

Next bring the users back to local authentication and set their password to their login ID and reset any failed login attempts. As there could be many users, it’s more efficient to do this via a for loop:

list="dxtans cxvip aylup aside"
for loop in $list
do
    chuser registry=files SYSTEM=compat "$loop"
    echo "${loop}:${loop}" | chpasswd -c
    chsec -f /etc/security/lastlog -a "unsuccessful_login_count=0" -s "$loop"
done

I also need to change the root password to a default one, whether the image is old and the original password forgotten or whether it’s new. I set the minage to zero to allow me to change the password. On our site, root passwords are set so that at least seven days must pass before a password can be changed.

chuser minage=0 root
echo "root:Pseries1" | /usr/bin/chpasswd -c

In my environment, we collect nmon stats, which by default go to /opt/dump/nmon. As this image may be a new build, I certainly don’t want these hanging around. I also don’t care about old errpt messages or mails. So let’s get rid of them:

rm /opt/dump/nmon/*
errclear 0
rm /var/spool/mqueue/*

Sendmail has its own configuration file (sendmail.cf) that holds the hostname, which will now be different, so let’s stop sendmail (if it’s running) and disable it from /etc/rc.tcpip with the chrctcp command:

chrctcp -S -d sendmail

I also have various network services, again with their own configuration files, like DB2 (fmc), schedulers (roc1) and a netbackup client, that get started from inittab. Let’s remove them:

rmitab fmc
rmitab roc1
rmitab netbackup

Finally, let’s stop NFS from starting up. I like a clean sheet build! Remove it from inittab:

rmitab rcnfs

When an image is restored, I like to remind myself and others upon login that this is a newly restored image, so I put a message in the /etc/motd file, like so:

banner NOTE >> /etc/motd
cat <<mayday >>/etc/motd
+++++++++++++++++++++++++++++++++++++++++++++
THIS IS A RESTORED IMAGE
All network service apps have been removed from inittab
original inittab called:/etc/inittab_nim
sendmail has been commented out from rc.tcpip
All aix admin passwords are local, same as your user-id
root password has been changed, see: post_script on NIM Master to see it
+++++++++++++++++++++++++++++++++++++++++++++
mayday

This acts as a gentle reminder that other post-install work needs to be done, such as reconfiguring the network service apps to point to the new LPAR client.

Here’s the cut-down post-install script:

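#!/bin/sh
# post_install
# do post install tasks

# keep a copy of the original inittab before changing it
cp /etc/inittab /etc/inittab_nim

# switch the admin accounts to local authentication, set each password to
# the login ID and reset the failed login count
# chpasswd -c clears all password flags, so no change is forced at next login
list="dxtans cxvip aylup aside"
for loop in $list
do
    chuser registry=files SYSTEM=compat "$loop"
    echo "${loop}:${loop}" | chpasswd -c
    chsec -f /etc/security/lastlog -a "unsuccessful_login_count=0" -s "$loop"
done

# allow an immediate root password change, then set the default root password
chuser minage=0 root
echo "root:Pseries1" | /usr/bin/chpasswd -c

# clear out old nmon stats, the error log and queued mail
rm /opt/dump/nmon/*
errclear 0
rm /var/spool/mqueue/*

# stop sendmail and disable it in /etc/rc.tcpip
chrctcp -S -d sendmail

# stop Kerberos and NFS from starting out of inittab
rmitab rckrb5
rmitab rcnfs

# remind everyone at login that this is a restored image
banner NOTE >> /etc/motd
cat <<mayday >>/etc/motd
+++++++++++++++++++++++++++++++++++++++++++++
THIS IS A RESTORED IMAGE
All network service apps have been removed from inittab
original inittab called:/etc/inittab_nim
sendmail has been commented out from rc.tcpip
All aix admin passwords are local, same as your user-id
root password has been changed, see: post_script on NIM Master to see it
+++++++++++++++++++++++++++++++++++++++++++++
mayday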
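
The testing advice and the inittab identifier rule above can be combined into a pre-flight check, run before the script is defined as a NIM resource: an rmitab call whose identifier matches no inittab entry removes nothing, so the service it was meant to disable stays enabled. This is an added example, not part of the original article; the function names and the sample inittab and script (with a mistyped krckrb5 identifier) are constructed for illustration.

```sh
#!/bin/sh
# Identifiers (first colon-delimited field) of active inittab entries.
# AIX comments out an entry with a leading ':'; '#' and blank lines are
# skipped as well, as a precaution.
inittab_ids() {
    awk -F: '/^[^:#]/ { print $1 }' "$1"
}

# Identifier argument of every rmitab call in the script.
script_rmitab_ids() {
    awk '$1 == "rmitab" { print $2 }' "$1"
}

# Return 0 if the script parses and every rmitab target exists in the
# inittab copy; 2 on a syntax error; 1 if any identifier is unknown
# (each unknown identifier is printed on its own line).
preflight() {
    pf_script=$1; pf_inittab=$2; pf_rc=0
    sh -n "$pf_script" 2>/dev/null || { echo "syntax error"; return 2; }
    for pf_id in $(script_rmitab_ids "$pf_script"); do
        if ! inittab_ids "$pf_inittab" | grep -Fqx -- "$pf_id"; then
            echo "$pf_id"
            pf_rc=1
        fi
    done
    return "$pf_rc"
}

# Constructed sample data (not from a real system): an inittab copy and a
# post-install script whose first rmitab identifier is mistyped.
make_samples() {
    ms_dir=$(mktemp -d) || return 1
    cat > "$ms_dir/inittab" <<'EOF'
init:2:initdefault:
:oldsvc:2:once:/usr/local/bin/oldsvc
rckrb5:2:wait:/etc/rc.krb5 > /dev/console 2>&1
rcnfs:23456789:wait:/etc/rc.nfs > /dev/console 2>&1
EOF
    cat > "$ms_dir/post_script" <<'EOF'
#!/bin/sh
cp /etc/inittab /etc/inittab_nim
rmitab krckrb5
rmitab rcnfs
EOF
    echo "$ms_dir"
}

sample=$(make_samples)
preflight "$sample/post_script" "$sample/inittab" || echo "fix before use"
```

Run it against a copy of the inittab taken from the image being restored, since that is the file the rmitab calls will act on.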

The next task is getting NIM to recognize this script. This can be done either via the command line or via SMIT. For SMIT the menu path is:

smit nim
Perform NIM Administration Tasks
Manage Resources
Define Resource
'Select Script'

Next, input the resource name (give it a unique and meaningful name like post_install), the server it resides on (typically this will be the NIM master) and the actual location of the script. In this example, the script (post_script) resides in: /export/resource.

Once done, review it with:

# lsnim -l post_install
post_install:
   class       = resources
   type        = script
   comments    = ran after migration/restore
   Rstate      = ready for use
   prev_state  = unavailable for use
   location    = /export/resource/post_script
   alloc_count = 0
   server      = master

Now when you go to restore an image via NIM, simply select F4 when you’re at the “Customization SCRIPT to run after installation” field when restoring to client, as shown in Figure 1.

In this screen shot, NIM will restore to the host my01prs6998. It will use the mksysb and spot from the host my01wrs6001. The post_install resource script will be used for the restore, as indicated in the ‘Customization script’ field.

Many More

You can run many commands post install within a script. I’ve highlighted just a few of them. This is a great way to customize and trim down a restored image. To keep an eye on how your restore is going, from the NIM master use:

# alog -f /usr/adm/ras/nimlog -o

Or

lsnim -l <nim_client>