Cloud partition configuration compliance with AIX Runtime Expert

Björn Rodén works for IBM System Lab Services and is a member of IBM WW PowerCare Teams for Availability, Performance, and Security. Björn holds MSc, BSc and DiplSSc in Informatics and BCSc and DiplCSc in Computer Science, is an IBM Redbooks Platinum Author, IBM Certified Specialist etc, and has worked in different roles with architecting, designing, planning, leading, implementing, programming, and assessing high availability, resilient, secure, and high performance systems and solutions since 1990.

© Copyright IBM Corporation 2015 Technical University/Symposia materials may not be reproduced in whole or in part without the prior written permission of IBM.
Thanks to: Prerna A, Zoltan J, Mohammed A H, Prasad P, Adarsha D, Ashok A N, Gabor P, et al
Session Objectives
This session focuses on how to leverage AIX Runtime Expert (ARTEX) to remedy configuration compliance challenges with automated provisioning in Cloud
– Agenda
  • Configuration compliance validation challenges
  • AIX Runtime Expert basics
  • Using checklists
  • Develop your own checklist profiles
  • Build your own catalogs

Objective
Björn Rodén @ IBM Edge 2015 May 11-15 The Venetian Las Vegas, Nevada
You will learn how to use AIX Runtime Expert to create, use and automate validation with configuration checklist profiles
Life cycle
Architecture, solution design, deployment, governance, system maintenance and change management, skill building, migration and decommissioning …
A lot to analyze, plan, do and check…
DESIGN > BUILD > OPERATE > REPLACE
Configuration Compliance Challenges

Assumption for automated provisioning in Cloud (IaaS, PaaS)
– Reduction in work effort required to provision, deploy and maintain virtual servers aka lpars
– Reduction in requirement and dependency on deep skill to provision, deploy and maintain lpars

Knowledge of what and how to change configuration items during life cycle
– First time static for initial Build and Deploy
– After upgrading, updating, applying patches
– After determining that workload/requirements require configuration changes

Skill required to define appropriate configuration
– Why change from system default and vendor provided settings
– What to change
– How to change
– How to validate changes remain in place

Skill to validate changes remain in place
– Manual or automated (in-house, commercial, open source and/or built-in)

Performing scheduled validation checks
– Job control, ad-hoc, process driven

Alerting on validation failures
– Event driven
Leverage the built-in AIX Runtime Expert (ARTEX)

Reduce cost
– From frequent verification and maintaining standardized system and software tunable settings

Mitigate risk
– From running business critical live production systems with incorrect configuration
– Incorrect system and software tunable settings can result in degraded system stability and availability for business applications and end users

Improve service
– With IBM supported and simplified maintenance of standardized system and software tunable settings
– Use checklist profiles with standardized and workload adapted recommended settings
– Simplify continuous verification that recommended settings continue to be in use

The AIX Runtime Expert fileset is artex.base.rte
Introduced in AIX 6 Technology Level 4
http://www-01.ibm.com/support/knowledgecenter/ssw_aix_71/com.ibm.aix.osdevice/artex_main.htm
AIX Runtime Expert basics
AIX Runtime Expert (ARTEX) – Old versus New

Old Method: Custom shell scripts driving individual AIX commands and configuration repositories.
• Command Line Interfaces
• Shell environments
• /etc/<control files>
• /etc/tunables/*
• Object Data Manager

New Method: Single XML profile controlling any changeable tunable on a system.

[Figure: Custom Script 1 ... Custom Script N, each handling tuneable 1 ... tuneable N, versus a single XML Profile used to Set, Extract and Validate on System A, System B ... System N]
AIX Runtime Expert (ARTEX) – Base Architecture
Extensible architecture with a programmable core engine

Core Engine (operates on a Running AIX Instance): SET, GET, DIFF, MERGE

Configuration Profiles
• XML files
• Based on Control Catalogs
• Supplies values
• Template to get (extract) values
• Can reside in LDAP or locally
• ISD AIX Profile Manager

Control Catalogs
• XML files
• Programming Modules for the Core Engine
• Specifies parameter-value rules, processing sequences, environment variable details, file content management, etc.

Commands
artexget – extract runtime attributes from a running system based on a provided configuration profile
artexset – set values on a system from a profile to take effect immediately or after system restart
artexdiff – compare values between a running system and a profile, or compare between two profiles
artexmerge – combine the contents of two or more profiles into a single profile
artexlist – list configuration profiles that exist on a system
artexremset – executes artexset command on one or more remote systems from NIM server
AIX Runtime Expert (ARTEX)

AIX Runtime Expert (ARTEX) provides:
– A simplified set of actions that can be used for collecting, applying, and verifying the runtime environment for one or more AIX instances

ARTEX executes multiple-component configuration commands:
– As a single action
– Using a configuration profile checklist
– Can be used to apply identical system settings across multiple systems
– Can be used to collect current configuration on one system and check and/or apply on other systems

ARTEX can be extended and customized with user specified methods.

ARTEX does not prevent the use of other methods to change system settings
– Such as tools provided by AIX components, such as Reliability Availability Serviceability (RAS), Security, or Kernel, which allow you to change settings within each component layer in order to tune the operating system to a particular need or requirement

http://www-01.ibm.com/support/knowledgecenter/ssw_aix_71/com.ibm.aix.osdevice/artex_main.htm
Use Cases

Automation
– Local artexset – can be set to check values upon reboot. If values differ, then artexset can be used to automatically re-set tunables to their desired value.
– Installs – as part of the install process, an ARTEX profile can be downloaded from LDAP to the installed machine and artexset will set the system with a custom profile so that the newly installed system boots up into a tuned state.
  • Integrating with PowerVC Activation Engine to run after initial provisioning.
  • Integrating with Network Install Manager
  • Integrated in “Golden Image” first boot processing
– Remote artexset – from a NIM master, NIM clients can be set to an ARTEX profile. The client machines can be set individually or as part of a NIM group.
– Using the job scheduling and control.

Validation
– artexdiff – allows the user to compare a running system against a profile.
– Batch – the user can write a simple cron job to perform scheduled validation of the running system.
– Logging – whenever artexset is executed, the ARTEX command will log the action for recording purposes. Included in the log is the UID of the user.
– Compliance – artexdiff has an option that will log a special entry that a difference was found.

Testing
– artexset – has a rollback option. If the recently set system shows poor or unexpected behavior, the user can instruct ARTEX to roll back to the previous ARTEX setting.

http://www-01.ibm.com/support/knowledgecenter/ssw_aix_71/com.ibm.aix.apmgr/apmgr_kickoff.htm
Terminology

Profiles – the checklists
– Profile is shorthand for Configuration Profile. Profiles are used to describe specific configuration values.
– Profiles have multiple uses:
  • Used to set values on a running system.
  • Used to extract values on a running system.
  • Used as a comparison template against a running system.
– Profiles are in XML format

Catalogs – the methods
– A definition file which maps profile-elements to target platform commands and configuration actions.
– Catalogs are in XML format
– Element-to-Command maps for:
  • Set
  • Extract
  • Compare

Core engine – the parser
– Parses configuration profiles.
– Reads elements and associated values, and maps the requests to Catalog descriptions for tunables.
– From the Profile-Catalog parse, builds and executes AIX configuration commands to:
  • Set
  • Extract
  • Compare

Extensible Markup Language (XML) is a markup language much like HTML with a similar syntax as both are derived from SGML (ISO 8879).
AIX Runtime Expert and RBAC

AIX Runtime Expert commands can be used with Role Based Access Control (RBAC) to give non-root users the ability to execute the commands.

AIX Runtime Expert does not create any new role; the aix.system.config.artex authorization will be added to the SysConfig role:
– The aix.system.config.artex.read authorization allows the execution of the artexlist and artexmerge commands. The artexget and artexdiff commands are also allowed, but only to obtain the profile values:
  • The values cannot be captured from the system (that is, the artexget command cannot be run with the -r, -n or -p flags, and the artexdiff command can only be run between two profiles)
– The aix.system.config.artex.get authorization allows all operations allowed by the aix.system.config.artex.read authorization, and additionally allows the unrestricted execution of the artexget and artexdiff commands
– The aix.system.config.artex.set authorization allows all operations allowed by the aix.system.config.artex.get authorization and additionally allows the execution of the artexset command

http://www-01.ibm.com/support/knowledgecenter/ssw_aix_71/com.ibm.aix.osdevice/artex_rbac.htm
Configuration integration validation / setting
• PowerVC Activation Engine bootstrap script (CloudInit user-data scripts >> PowerVC 1.2.3)
• AIX firstboot script by init
• Network Install Manager customize operation
• LDAP store of Profiles
• Job scheduler / cron continuous validation
PowerVC Activation Engine bootstrap

– Currently, the configuration script is used by CloudInit (Linux)
– Server metadata key-value pairs are used by both cloud_init and the traditional activation engine (AIX)
– The “metadata” values entered in PowerVC at deploy are passed to the newly deployed LPAR/VM in the meta_data.json file via a virtual optical device, found under: /tmp/activation-engine-*/openstack/latest
– Extract the attribute-value pair data from the meta_data.json file using the key word "meta"; the attribute-value pairs follow the colon and are enclosed in brackets such as {"Key": "Value"}, for example:

    "meta":{"artexprofile":"profilea"}

  Here the key is artexprofile and the value is profilea.

In the LPAR/VM to capture as a “Golden” image, do the below before capturing:
1. Add a pointer to your script in /opt/ibm/ae/AS/vmcsys-net/activate.py, before the Main section starts, to have your script execute after networking is configured.
2. The custom script is called postinstall.sh in this example, and is located in /opt/local on the source and deployed LPAR/VM.

    # Added to activate.py, which needs "import subprocess" at the top
    def postinstall():
        # Run the site-specific post-install script; ignore a failure to start it
        try:
            subprocess.call("/opt/local/postinstall.sh", shell=True)
        except OSError:
            pass

    def main():
        activator = Activator()
        activator.action()
        # Runs after the activation engine has configured networking
        postinstall()
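The metadata extraction described on this slide, as an added example that is not part of the original deck or of the PowerVC activation engine. It reads the "meta" object from meta_data.json, validates the artexprofile value (it is free text entered at deploy time and ends up in a command run as root), and builds the artexset call as an argument list. The function names and the profile directory are assumptions.

```python
import json
import re
from pathlib import PurePosixPath

# Assumption: profiles live in the checklist directory used in this deck's
# artexdiff examples; adjust to wherever the golden image stores them.
PROFILE_DIR = PurePosixPath("/etc/security/artex/checklists")

# Metadata is free text typed in at deploy time, so the profile name is
# limited to characters that cannot form a path or a shell expression.
PROFILE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")

# Constructed sample of a meta_data.json file; only the "meta" object with
# the artexprofile key comes from the slide, the other fields are made up.
SAMPLE_META_DATA = """
{
  "uuid": "00000000-0000-0000-0000-000000000000",
  "name": "lpar-sample-01",
  "meta": {"artexprofile": "profilea"}
}
"""


class MetadataError(ValueError):
    """meta_data.json is unusable or carries an unacceptable profile name."""


def read_profile_name(meta_data_text, key="artexprofile"):
    """Return the profile name stored under "meta", or None if it is not set."""
    try:
        document = json.loads(meta_data_text)
    except json.JSONDecodeError as exc:
        raise MetadataError("meta_data.json is not valid JSON") from exc
    meta = document.get("meta") if isinstance(document, dict) else None
    if not isinstance(meta, dict) or key not in meta:
        return None
    name = meta[key]
    if not isinstance(name, str) or not PROFILE_NAME.fullmatch(name):
        raise MetadataError("rejected profile name: %r" % (name,))
    return name


def artexset_argv(profile_name, profile_dir=PROFILE_DIR):
    """Build the artexset call as an argument list, so no shell parses it."""
    if not PROFILE_NAME.fullmatch(profile_name):
        raise MetadataError("rejected profile name: %r" % (profile_name,))
    profile_path = profile_dir / (profile_name + ".xml")
    # "artexset -l all <profile>" is the form shown in the artexset examples.
    return ["artexset", "-l", "all", str(profile_path)]


def plan_from_metadata(meta_data_text):
    """Return the artexset argv for this deployment, or None if no profile is requested."""
    name = read_profile_name(meta_data_text)
    return None if name is None else artexset_argv(name)


if __name__ == "__main__":
    # On a deployed LPAR the text would come from the meta_data.json file under
    # /tmp/activation-engine-*/openstack/latest and the argv would be passed
    # to subprocess.call() from postinstall processing.
    print(plan_from_metadata(SAMPLE_META_DATA))
```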
Using Checklists
Sample configuration checklist items

Description                        Required Settings
firmware                           AH760_062
Ethernet adapter microcode         EP0170
FibreChannel adapter microcode     202307
Version                            7100-02-02-1316
efix                               IV41067m2a
efix                               IV63992s1b
crashdump device                   estimated * 2
storage keys                       disabled
limits                             -1 for all
POWER7 Prefetch Tuning             off
smt                                1
errorlog                           Log Size 10485760 bytes / Memory Buffer 327680 bytes
maxuproc                           30000
batch_tlb(IV25649m03)              0
vmm_mpsize_support(IV25649m03)     1
minperm%                           3% (default)
maxclient%                         90% (default)
maxperm%                           90% (default)
strict_maxclient                   1 (default)
v_pinshm                           1
esid_allocator                     1 (default)
strict_maxperm                     0 (default)
page_steal_method                  1 (default)
lru_poll_interval                  10 (default)
lgpg_size                          16777216
lgpg_regions                       91000
shm_1tb_unsh_enable                0 (default)
lock_interrupt_mask                1
iodone_distr_disable               0
max_xfer_size                      0x200000
num_cmd_elems                      2048
dyntrk                             yes
fc_err_recov                       fast_fail
reserve_policy                     no_reserve
queue_depth                        32
max_transfer                       0x200000
chksum_offload                     no
rxdesc_que_sz                      2048
rxbuf_pool_sz                      4096
chksum_offload                     yes (default)
jumbo_frames                       yes
transmit_q_elem                    4096
receive_q_elem                     8192
rfc1323                            1
thread                             off
thread                             on
ipqmaxlen                          512
somaxconn                          16384
sb_max                             10526720
tcp_ephemeral_high                 65500
tcp_ephemeral_low                  9000
udp_ephemeral_high                 65500
udp_ephemeral_low                  9000
tcp_recvspace                      65536
tcp_sendspace                      65536
udp_recvspace                      10526720
udp_sendspace                      1052672
ARTEX checklist sample

    <?xml version="1.0" encoding="UTF-8"?>
    <Profile origin="reference" version="1.0">
      <Catalog id="noParam" version="2.1">
        <Parameter name="tcp_fastlo" value="1" readOnly="false"/>
        <Parameter name="udp_recvspace" value="655360" readOnly="false"/>
        <Parameter name="udp_sendspace" value="65536" readOnly="false"/>
        <Parameter name="tcp_mssdflt" value="1460" readOnly="false"/>
        <Parameter name="tcp_pmtu_discover" value="1" readOnly="false"/>
        <Parameter name="udp_pmtu_discover" value="1" readOnly="false"/>
        <Parameter name="sockthresh" value="85" readOnly="false"/>
      </Catalog>
      <Catalog id="vmoParam" version="2.1">
        <Parameter name="vmm_mpsize_support" value="1" readOnly="false" applyType='nextboot' reboot='true'/>
        <Parameter name="esid_allocator" value="1" readOnly="false"/>
      </Catalog>
      <Catalog id="iooParam" version="2.1">
        <Parameter name="lvm_bufcnt" value="16" readOnly="false" applyType='nextboot' reboot='false'/>
        <Parameter name="pv_min_pbuf" value="1024" readOnly="false" applyType='nextboot' reboot='false'/>
        <Parameter name="j2_dynamicBufferPreallocation" value="256" readOnly="false" applyType='nextboot' reboot='false'/>
        <Parameter name="j2_nBufferPerPagerDevice" value="1024" readOnly="false" applyType='nextboot' reboot='false'/>
      </Catalog>
      <Catalog id="viosdevattrParam" version="2.0">
        <Parameter name="max_xfer_size" value="0x200000" applyType="nextboot"><Target class="devfcs" instance="fcs0"/></Parameter>
        <Parameter name="num_cmd_elems" value="1000" applyType="nextboot"><Target class="devfcs" instance="fcs0"/></Parameter>
        <Parameter name="lg_term_dma" value="0x800000" applyType="nextboot"><Target class="devfcs" instance="fcs0"/></Parameter>
        <Parameter name="max_xfer_size" value="0x200000" applyType="nextboot"><Target class="devfcs" instance="fcs1"/></Parameter>
        <Parameter name="num_cmd_elems" value="1000" applyType="nextboot"><Target class="devfcs" instance="fcs1"/></Parameter>
        <Parameter name="lg_term_dma" value="0x800000" applyType="nextboot"><Target class="devfcs" instance="fcs1"/></Parameter>
        <Parameter name="fc_err_recov" value="fast_fail" applyType="nextboot"><Target class="devfscsi" instance="fscsi0"/></Parameter>
        <Parameter name="dyntrk" value="1" applyType="nextboot"><Target class="devfscsi" instance="fscsi0"/></Parameter>
        <Parameter name="fc_err_recov" value="fast_fail" applyType="nextboot"><Target class="devfscsi" instance="fscsi1"/></Parameter>
        <Parameter name="dyntrk" value="1" applyType="nextboot"><Target class="devfscsi" instance="fscsi1"/></Parameter>
        <Parameter name="max_transfer" value="0x100000" applyType="nextboot"><Target class="devhdisk" instance="hdisk0"/></Parameter>
        <Parameter name="queue_depth" value="32" applyType="nextboot"><Target class="devhdisk" instance="hdisk0"/></Parameter>
        <Parameter name="reserve_policy" value="no_reserve" applyType="nextboot"><Target class="devhdisk" instance="hdisk0"/></Parameter>
        <Parameter name="max_transfer" value="0x100000" applyType="nextboot"><Target class="devhdisk" instance="hdisk1"/></Parameter>
        <Parameter name="queue_depth" value="32" applyType="nextboot"><Target class="devhdisk" instance="hdisk1"/></Parameter>
        <Parameter name="reserve_policy" value="no_reserve" applyType="nextboot"><Target class="devhdisk" instance="hdisk1"/></Parameter>
        <Parameter name="max_transfer" value="0x100000" applyType="nextboot"><Target class="devhdisk" instance="hdisk2"/></Parameter>
        <Parameter name="queue_depth" value="32" applyType="nextboot"><Target class="devhdisk" instance="hdisk2"/></Parameter>
        <Parameter name="reserve_policy" value="no_reserve" applyType="nextboot"><Target class="devhdisk" instance="hdisk2"/></Parameter>
        <Parameter name="max_transfer" value="0x100000" applyType="nextboot"><Target class="devhdisk" instance="hdisk3"/></Parameter>
        <Parameter name="queue_depth" value="32" applyType="nextboot"><Target class="devhdisk" instance="hdisk3"/></Parameter>
        <Parameter name="reserve_policy" value="no_reserve" applyType="nextboot"><Target class="devhdisk" instance="hdisk3"/></Parameter>
      </Catalog>
    </Profile>
Checking AIX LPAR configuration

-rc  Compare actual with expected, and only display when not the same value
-f   Output format: Text format, CSV format, XML format

In the output, the left column is the Expected value and the right column is the Actual value.

    # artexdiff -rcf txt checklist_sample.xml
    noParam:tcp_fastlo                        1       | 0
    noParam:udp_recvspace                     655360  | 42080
    noParam:udp_sendspace                     65536   | 9216
    vmoParam:vmm_mpsize_support               1       | 2
    iooParam:lvm_bufcnt                       16      | 9
    iooParam:pv_min_pbuf                      1024    | 512
    iooParam:j2_dynamicBufferPreallocation    256     | 16
    iooParam:j2_nBufferPerPagerDevice         1024    | 512

    # artexdiff -rf txt checklist_sample.xml
    noParam:tcp_fastlo                                1           | 0
    noParam:udp_recvspace                             655360      | 42080
    noParam:udp_sendspace                             65536       | 9216
    noParam:tcp_mssdflt                               1460        | 1460
    noParam:tcp_pmtu_discover                         1           | 1
    noParam:udp_pmtu_discover                         1           | 1
    noParam:sockthresh                                85          | 85
    vmoParam:vmm_mpsize_support                       1           | 2
    vmoParam:esid_allocator                           1           | 1
    iooParam:lvm_bufcnt                               16          | 9
    iooParam:pv_min_pbuf                              1024        | 512
    iooParam:j2_dynamicBufferPreallocation            256         | 16
    iooParam:j2_nBufferPerPagerDevice                 1024        | 512
    viosdevattrParam:max_xfer_size devfcs=fcs0        0x200000    | 0x200000
    viosdevattrParam:num_cmd_elems devfcs=fcs0        1000        | 1000
    viosdevattrParam:lg_term_dma devfcs=fcs0          0x800000    | 0x800000
    viosdevattrParam:max_xfer_size devfcs=fcs1        0x200000    | 0x200000
    viosdevattrParam:num_cmd_elems devfcs=fcs1        1000        | 1000
    viosdevattrParam:lg_term_dma devfcs=fcs1          0x800000    | 0x800000
    viosdevattrParam:fc_err_recov devfscsi=fscsi0     fast_fail   | fast_fail
    viosdevattrParam:dyntrk devfscsi=fscsi0           1           | 1
    viosdevattrParam:fc_err_recov devfscsi=fscsi1     fast_fail   | fast_fail
    viosdevattrParam:dyntrk devfscsi=fscsi1           1           | 1
    viosdevattrParam:max_transfer devhdisk=hdisk0     0x100000    | 0x100000
    viosdevattrParam:queue_depth devhdisk=hdisk0      32          | 32
    viosdevattrParam:reserve_policy devhdisk=hdisk0   no_reserve  | no_reserve
ARTEX checklist sample

    <Profile origin="reference" readOnly="true" version="1.0">
      <Catalog id="vmoParam" version="2.1">
        <Parameter name="batch_tlb" value="0" readOnly="true" applyType='nextboot' reboot='true'/>
        <Parameter name="vmm_mpsize_support" value="1" readOnly="true" applyType='nextboot' reboot='true'/>
        <Parameter name="minperm%" value="3" />
        <Parameter name="maxclient%" value="90" />
        <Parameter name="maxperm%" value="90" readOnly="true"/>
        <Parameter name="strict_maxclient" value="1" readOnly="true"/>
        <Parameter name="v_pinshm" value="1" readOnly="true"/>
        <Parameter name="esid_allocator" value="1" readOnly="true"/>
        <Parameter name="strict_maxperm" value="0" readOnly="true"/>
        <Parameter name="page_steal_method" value="1" readOnly="true" applyType='nextboot' reboot='true'/>
        <Parameter name="lru_poll_interval" value="10" readOnly="true"/>
        <Parameter name="lgpg_size" value="16777216" readOnly="true"/>
        <Parameter name="lgpg_regions" value="91000" readOnly="true"/>
        <Parameter name="shm_1tb_unsh_enable" value="0" readOnly="true" applyType='nextboot' reboot='true'/>
        <Parameter name="thrpgio_npages" value="1024" readOnly="true" />
        <Parameter name="thrpgio_inval" value="1024" readOnly="true" />
      </Catalog>
      <Catalog id="schedoParam" version="2.1">
        <Parameter name="lock_interrupt_mask" value="1" readOnly="true"/>
      </Catalog>
      <Catalog id="iooParam" version="2.1">
        <Parameter name="iodone_distr_disable" value="0" readOnly="true"/>
      </Catalog>
      <Catalog id="noParam" version="2.1">
        <Parameter name="rfc1323" value="1" readOnly="true"/>
        <Parameter name="ipqmaxlen" value="512" readOnly="true" applyType='nextboot' reboot='true'/>
        <Parameter name="somaxconn" value="16384" readOnly="true"/>
        <Parameter name="sb_max" value="10526720" readOnly="true"/>
        <Parameter name="tcp_ephemeral_high" value="65500" readOnly="true"/>
        <Parameter name="tcp_ephemeral_low" value="9000" readOnly="true"/>
        <Parameter name="udp_ephemeral_high" value="65500" readOnly="true"/>
        <Parameter name="udp_ephemeral_low" value="9000" readOnly="true"/>
        <Parameter name="tcp_recvspace" value="65536" readOnly="true"/>
        <Parameter name="tcp_sendspace" value="65536" readOnly="true"/>
        <Parameter name="udp_recvspace" value="10526720" readOnly="true"/>
        <Parameter name="udp_sendspace" value="1052672" readOnly="true"/>
      </Catalog>
      <Catalog id="errdemonParam" version="2.0">
        <Parameter name="logsize" value="10485760" readOnly="true"/>
        <Parameter name="membuffsize" value="327680" readOnly="true"/>
      </Catalog>
      <Catalog id="chdev.sys0Param" version="2.0">
        <Parameter name="maxuproc" value="30000" readOnly="true"/>
      </Catalog>
    </Profile>
Checking AIX LPAR configuration
In the output, the left column (profile) is the Expected value and the right column (System Values) is the Actual value.

    root@lsof # artexdiff -c -f txt specific_XYZ1_readOnly.xml
    specific_XYZ1_readOnly.xml                | System Values
    vmoParam:batch_tlb              0         | 1
    vmoParam:vmm_mpsize_support     1         | 3
    vmoParam:maxclient%             90        | 80
    vmoParam:maxperm%               90        | 80
    vmoParam:v_pinshm               1         | 0
    vmoParam:lgpg_size              16777216  | 0
    vmoParam:lgpg_regions           91000     | 0
    noParam:rfc1323                 1         | 0
    noParam:ipqmaxlen               512       | 100
    noParam:somaxconn               16384     | 1024
    noParam:sb_max                  10526720  | 1048576
    noParam:tcp_ephemeral_high      65500     | 65535
    noParam:tcp_ephemeral_low       9000      | 32768
    noParam:udp_ephemeral_high      65500     | 65535
    noParam:udp_ephemeral_low       9000      | 32768
    noParam:tcp_recvspace           65536     | 16384
    noParam:tcp_sendspace           65536     | 16384
    noParam:udp_recvspace           10526720  | 42080
    noParam:udp_sendspace           1052672   | 9216
    errdemonParam:logsize           10485760  | 1048576
    errdemonParam:membuffsize       327680    | 32768
    chdev.sys0Param:maxuproc        30000     | 131072
ARTEX commands
artexlist

Outputs a list of profiles from the local system or LDAP server, or outputs a list of catalogs that are installed on the local system.

Examples using artexlist operation
– The following example illustrates how to use artexlist to list the sample profiles from the default path /etc/security/artex/samples:
  • artexlist
– The following example illustrates how to list the profiles using environment variable ARTEX_PROFILE_PATH:
  • ARTEX_PROFILE_PATH="/tmp:/$HOME/profiles" artexlist
– The following example illustrates how to list the profiles from /data/profiles directory:
  • artexlist /data/profiles
– The following example illustrates how to list the profiles from an LDAP server and from a local system:
  • artexlist -l
– The following example illustrates how to list the ARTEX catalogs installed on the system:
  • artexlist -c

http://www-01.ibm.com/support/knowledgecenter/ssw_aix_71/com.ibm.aix.cmds1/artexlist.htm
artexget

The artexget command lists the configuration and tuning parameter information from a specified profile or from the system.

Examples using artexget operation
– The following example illustrates how to output the parameter (attribute) and value pairs from the profile1.xml profile that is stored on an LDAP server:
  • artexget ldap://profile1.xml
– The following example illustrates how to output the values of parameters after the next system restart from the system using the local_profile.xml profile:
  • artexget -n local_profile.xml
– The following example illustrates how to output the current values of the parameters in text format from the system using the local_profile.xml profile (other formats are csv and xml):
  • artexget -r -f txt local_profile.xml

http://www-01.ibm.com/support/knowledgecenter/ssw_aix_71/com.ibm.aix.cmds1/artexget.htm
artexset

The artexset command applies an AIX Runtime Expert profile to a system. The profile contains values for parameters that are to be set on the system.

Examples using artexset operation
– The following example illustrates how to set all parameters defined in the profile local_profile.xml:
  • artexset -l all local_profile.xml
– The following example illustrates how to check the correctness of the ldap_profile.xml profile stored on an LDAP server:
  • artexset -t ldap://ldap_profile.xml
– The following example illustrates how to enable applying the profile /tmp/boot_profile.xml at every system restart:
  • artexset -b /tmp/boot_profile.xml
– The following example illustrates how to disable applying a profile at every system restart:
  • artexset -x
– The following example illustrates how to roll back the parameters to the values prior to the previous issue of the artexset command:
  • artexset -u

http://www-01.ibm.com/support/knowledgecenter/ssw_aix_71/com.ibm.aix.cmds1/artexset.htm
artexdiff

The artexdiff command compares the parameters and values between two profiles or between a profile and a system.

Examples using artexdiff operation
– The following example illustrates how to compare the parameters and values between two profiles:
  • artexdiff profile1.xml profile2.xml
– The following example illustrates how to compare the parameters and values between the ldap_profile.xml profile stored on LDAP server and the system:
  • artexdiff ldap://ldap_profile.xml
– The following example illustrates how to create a new profile with the parameters and values from an input profile that are different from the system:
  • artexdiff -p profile.xml > diff_profile.xml

http://www-01.ibm.com/support/knowledgecenter/ssw_aix_71/com.ibm.aix.cmds1/artexdiff.htm
artexmerge

The artexmerge command merges two or more profiles.

Examples using artexmerge operation
– The following example illustrates how to use artexmerge to combine profiles located on an LDAP server and on a local file system:
  • artexmerge /tmp/no_profile1.xml ldap://ldap_raso_profile.xml /data/nfs_profile.xml
– The following example illustrates how to combine two profiles with duplicate parameters and save as merged_profile.xml (see NOTE):
  • artexmerge -f profile1.xml profile2.xml > merged_profile.xml

NOTE: -f forces the merge (artexmerge). If two or more profiles contain the same parameter with different values, the value of the parameter included in the last profile is used.

http://www-01.ibm.com/support/knowledgecenter/ssw_aix_71/com.ibm.aix.cmds1/artexmerge.htm
artexremset

The artexremset command executes the artexset command on one or more remote systems.

Examples using artexremset operation
– The following example illustrates how to execute the artexremset command on a client machine, using a profile located on a NIM master:
  • artexremset nim_profile.xml client1
– The following example illustrates how to execute the artexremset command on multiple client machines, using a profile located on an LDAP server:
  • artexremset -L ldap://profile1.xml client1 mac_group1 client2
– The following example illustrates how to output the results of the remote artexremset command associated with each individual client machine from a NIM master:
  • artexremset -D profile1.xml client1 client2

http://www-01.ibm.com/support/knowledgecenter/ssw_aix_71/com.ibm.aix.cmds1/artexremset.htm
SMIT menus for AIX Runtime Expert
SMIT operations for AIX Runtime Expert
Build your own checklist profiles
AIX Runtime Expert profiles (checklists)

Profiles are used to
– Set values on a running system, extract values for a running system, and compare values against a running system or against another profile

A profile can represent a full set of controls or a subset of controls and their values
– Configuration profiles are standard XML files
– Using AIX Runtime Expert you can manage profiles and apply them on the defined system

Example parameter declaration and value to check:

    <Catalog id="noParam">
      <Parameter name="tcp_recvspace" value="16384" />
      <Parameter name="tcp_sendspace" value="16384" />
    </Catalog>

http://www-01.ibm.com/support/knowledgecenter/ssw_aix_71/com.ibm.aix.osdevice/artex_profiles.htm
A working checklist
    # artexdiff -r -f txt no_checklist.xml
    no_checklist.xml                       | System Values
    noParam:rfc1323              1         | 0
    noParam:ipqmaxlen            512       | 100
    noParam:somaxconn            16384     | 16384
    noParam:sb_max               10526720  | 1048576
    noParam:tcp_ephemeral_high   65500     | 65500
    noParam:tcp_ephemeral_low    9000      | 9000
    noParam:udp_ephemeral_high   65500     | 65500
    noParam:udp_ephemeral_low    9000      | 9000
    noParam:tcp_recvspace        65536     | 65536
    noParam:tcp_sendspace        65536     | 131072
    noParam:udp_recvspace        10526720  | 42080
    noParam:udp_sendspace        1052672   | 9216

Checklist for network options (no) from CMDB

Description            Required Settings
rfc1323                1
ipqmaxlen              512
somaxconn              16384
sb_max                 10526720
tcp_ephemeral_high     65500
tcp_ephemeral_low      9000
udp_ephemeral_high     65500
udp_ephemeral_low      9000
tcp_recvspace          65536
tcp_sendspace          65536
udp_recvspace          10526720
udp_sendspace          1052672

    # cat no_checklist.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <!-- AS-IS SAMPLE / B.RODEN -->
    <Profile origin="reference" readOnly="true" version="1.0">
      <Catalog id="noParam" version="2.1">
        <Parameter name="rfc1323" value="1" readOnly="true"/>
        <Parameter name="ipqmaxlen" value="512" readOnly="true" applyType='nextboot' reboot='true'/>
        <Parameter name="somaxconn" value="16384" readOnly="true"/>
        <Parameter name="sb_max" value="10526720" readOnly="true"/>
        <Parameter name="tcp_ephemeral_high" value="65500" readOnly="true"/>
        <Parameter name="tcp_ephemeral_low" value="9000" readOnly="true"/>
        <Parameter name="udp_ephemeral_high" value="65500" readOnly="true"/>
        <Parameter name="udp_ephemeral_low" value="9000" readOnly="true"/>
        <Parameter name="tcp_recvspace" value="65536" readOnly="true"/>
        <Parameter name="tcp_sendspace" value="65536" readOnly="true"/>
        <Parameter name="udp_recvspace" value="10526720" readOnly="true"/>
        <Parameter name="udp_sendspace" value="1052672" readOnly="true"/>
      </Catalog>
    </Profile>
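The path from the CMDB checklist to a profile and on to a list of deviations, as an added example that is not part of the original deck and is not how ARTEX itself is implemented. It generates a profile in the layout of no_checklist.xml, parses it back (including the Target elements used for device attributes in the earlier sample), and reports the rows whose system value differs, which is the comparison artexdiff -r -c presents. Function names are hypothetical; the system values are copied from the artexdiff output on this slide.

```python
import xml.etree.ElementTree as ET

# Required settings from the "Checklist for network options (no) from CMDB" table.
CMDB_NO_CHECKLIST = {
    "rfc1323": "1", "ipqmaxlen": "512", "somaxconn": "16384",
    "sb_max": "10526720", "tcp_ephemeral_high": "65500",
    "tcp_ephemeral_low": "9000", "udp_ephemeral_high": "65500",
    "udp_ephemeral_low": "9000", "tcp_recvspace": "65536",
    "tcp_sendspace": "65536", "udp_recvspace": "10526720",
    "udp_sendspace": "1052672",
}
# "System Values" column of the artexdiff -r output on the same slide.
SYSTEM_VALUES = {
    "rfc1323": "0", "ipqmaxlen": "100", "somaxconn": "16384",
    "sb_max": "1048576", "tcp_ephemeral_high": "65500",
    "tcp_ephemeral_low": "9000", "udp_ephemeral_high": "65500",
    "udp_ephemeral_low": "9000", "tcp_recvspace": "65536",
    "tcp_sendspace": "131072", "udp_recvspace": "42080",
    "udp_sendspace": "9216",
}
# no_checklist.xml marks ipqmaxlen as applied at next boot with a reboot.
NEXTBOOT = {"ipqmaxlen"}


def build_profile(checklist, catalog_id="noParam", catalog_version="2.1"):
    """Render a checklist dict as a read-only profile like no_checklist.xml."""
    profile = ET.Element("Profile", origin="reference", readOnly="true", version="1.0")
    catalog = ET.SubElement(profile, "Catalog", id=catalog_id, version=catalog_version)
    for name, value in checklist.items():
        attrs = {"name": name, "value": str(value), "readOnly": "true"}
        if name in NEXTBOOT:
            attrs.update(applyType="nextboot", reboot="true")
        ET.SubElement(catalog, "Parameter", attrs)
    if hasattr(ET, "indent"):  # available from Python 3.9
        ET.indent(profile)
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(profile, encoding="unicode")


def parse_profile(xml_text):
    """Return {(catalog id, parameter, target): expected value} for a profile."""
    root = ET.fromstring(xml_text)
    if root.tag != "Profile":
        raise ValueError("not an ARTEX-style profile: root is <%s>" % root.tag)
    expected = {}
    for catalog in root.iter("Catalog"):
        for param in catalog.iter("Parameter"):
            target = param.find("Target")
            where = ""
            if target is not None:  # e.g. devfcs=fcs0 for device attributes
                where = "%s=%s" % (target.get("class"), target.get("instance"))
            key = (catalog.get("id"), param.get("name"), where)
            if key in expected:
                raise ValueError("parameter listed twice: %s:%s %s" % key)
            expected[key] = param.get("value")
    return expected


def drift(expected, actual):
    """Rows where the system value is missing or differs from the profile."""
    return [(key, want, actual.get(key))
            for key, want in expected.items() if actual.get(key) != want]


def format_row(row):
    """Render one row in the 'catalog:parameter expected | actual' style."""
    (catalog, name, where), want, have = row
    label = "%s:%s%s" % (catalog, name, " " + where if where else "")
    return "%s %s | %s" % (label, want, "<missing>" if have is None else have)


def check_no_checklist():
    """Run the whole chain on the slide's data and return the deviation lines."""
    expected = parse_profile(build_profile(CMDB_NO_CHECKLIST))
    actual = {("noParam", n, ""): v for n, v in SYSTEM_VALUES.items()}
    return [format_row(row) for row in drift(expected, actual)]


if __name__ == "__main__":
    print("\n".join(check_no_checklist()))
```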
Björn Rodén @ IBM Edge 2015 May 11-15 The Venetian Las Vegas, Nevada
© Copyright IBM Corporation 2015
32
checklist – DIFF ONLY

# artexdiff -r -c -f txt /etc/security/artex/checklists/checklist_XYZ_2015-02-11.xml
/etc/security/artex/checklists/checklist_XYZ_2015-02-11.xml | System Values
vmoCatalog-v1-2:lgpg_regions 91000 | 7700
noParam:rfc1323 1 | 0
noParam:ipqmaxlen 512 | 100
noParam:sb_max 10526720 | 1048576
noParam:tcp_sendspace 65536 | 131072
noParam:udp_recvspace 10526720 | 42080
noParam:udp_sendspace 1052672 | 9216
errdemonParam:logsize 10485760 | 1048576
errdemonParam:membuffsize 327680 | 32768
chdev.sys0Param:maxuproc 30000 | 131072
mcodeCatalog-v1-2:sys AH760_062 | AH760_079
checklist – ALL

# artexdiff -r -f txt /etc/security/artex/checklists/checklist_XYZ_2015-02-11.xml
/etc/security/artex/checklists/checklist_XYZ_2015-02-11.xml | System Values
vmoCatalog-v1-2:batch_tlb 0 | 0
vmoCatalog-v1-2:vmm_mpsize_support 1 | 1
vmoCatalog-v1-2:minperm% 3 | 3
vmoCatalog-v1-2:maxclient% 90 | 90
vmoCatalog-v1-2:maxperm% 90 | 90
vmoCatalog-v1-2:strict_maxclient 1 | 1
vmoCatalog-v1-2:v_pinshm 1 | 1
vmoCatalog-v1-2:esid_allocator 1 | 1
vmoCatalog-v1-2:strict_maxperm 0 | 0
vmoCatalog-v1-2:page_steal_method 1 | 1
vmoCatalog-v1-2:lru_poll_interval 10 | 10
vmoCatalog-v1-2:lgpg_size 16777216 | 16777216
vmoCatalog-v1-2:lgpg_regions 91000 | 7700
vmoCatalog-v1-2:shm_1tb_unsh_enable 0 | 0
vmoCatalog-v1-2:thrpgio_npages 1024 | 1024
vmoCatalog-v1-2:thrpgio_inval 1024 | 1024
schedoCatalog-v1-2:lock_interrupt_mask 1 | 1
iooCatalog-v1-2:iodone_distr_disable 0 | 0
noParam:rfc1323 1 | 0
noParam:ipqmaxlen 512 | 100
noParam:somaxconn 16384 | 16384
noParam:sb_max 10526720 | 1048576
noParam:tcp_ephemeral_high 65500 | 65500
noParam:tcp_ephemeral_low 9000 | 9000
noParam:udp_ephemeral_high 65500 | 65500
noParam:udp_ephemeral_low 9000 | 9000
noParam:tcp_recvspace 65536 | 65536
noParam:tcp_sendspace 65536 | 131072
noParam:udp_recvspace 10526720 | 42080
noParam:udp_sendspace 1052672 | 9216
errdemonParam:logsize 10485760 | 1048576
errdemonParam:membuffsize 327680 | 32768
chdev.sys0Param:maxuproc 30000 | 131072
dscrctlCatalog-v1-2:os_default_pd 0x1 | 0x1
oslevelCatalog-v1-2:oslevelis 7100-02-02-1316 | 7100-02-02-1316
mcodeCatalog-v1-2:sys AH760_062 | AH760_079
skeyctlCatalog-v1-2:skeyctl_kernel disabled | disabled
skeyctlCatalog-v1-2:skeyctl_user disabled | disabled
smtctlCatalog-v1-2:smtctl_enabled disabled | disabled
sysdumpszCatalog-v1-3:sysdumpsz_change OK | OK
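For automated validation, the full artexdiff listing has to be reduced to a pass/fail result. The following is an added example, not part of the original slides: the function names and the sample rows are constructed, and it assumes each row has the layout shown above (parameter, optional instance, checklist value, a bar, system value).

```shell
#!/bin/sh
# Added example (not from the original slides): turn artexdiff text output
# into a pass/fail compliance result. Assumed row layout, as on this page:
#   <parameter> [<instance>] <checklist value> | <system value>

artex_drift() {
    # stdin:  output of `artexdiff -r -f txt <checklist.xml>`
    # stdout: one line per parameter that deviates from the checklist
    # status: 0 = compliant, 1 = at least one deviation
    awk '
        /\| System Values[ \t]*$/ { next }   # header: "<profile> | System Values"
        {
            cut = index($0, " | ")
            if (cut == 0) next                # not a comparison row
            actual = substr($0, cut + 3)
            gsub(/^[ \t]+|[ \t]+$/, "", actual)
            n = split(substr($0, 1, cut - 1), f, " ")
            if (n < 2) next
            expected = f[n]                   # last field left of the bar
            id = f[1]                         # parameter, then optional instance
            for (i = 2; i < n; i++) id = id " " f[i]
            # Appending "" forces string comparison: values such as 0x1, 027
            # and firmware levels must not be compared as numbers.
            if ((expected "") != (actual "")) {
                printf "%s expected=%s actual=%s\n", id, expected, actual
                drift++
            }
        }
        END { exit (drift > 0 ? 1 : 0) }
    '
}

sample_diff() {
    # Constructed sample rows, using values shown on the slides.
    cat <<'EOF'
checklist.xml | System Values
noParam:rfc1323 1 | 0
noParam:somaxconn 16384 | 16384
noParam:tcp_sendspace 65536 | 131072
viosdevattrParam:fc_err_recov devfscsi=fscsi0 fast_fail | delayed_fail
dscrctlCatalog-v1-2:os_default_pd 0x1 | 0x1
mcodeCatalog-v1-2:sys AH760_062 | AH760_079
EOF
}

# On an LPAR: artexdiff -r -f txt checklist.xml | artex_drift || echo "NON-COMPLIANT"
sample_diff | artex_drift || echo "NON-COMPLIANT"
```

The non-zero exit status lets a provisioning or monitoring job fail the partition without parsing the report itself.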
devENT.xml – DIFF AFTER GET ONLY

# artexget -r devProfile_adapter_ethernet_physical.xml > devENT.xml
# artexdiff -r -f txt devENT.xml
devENT.xml | System Values
devCatalog.adapter.ethernet.1Gbps:chksum_offload devent=ent0 no | no
devCatalog.adapter.ethernet.1Gbps:chksum_offload devent=ent1 no | no
devCatalog.adapter.ethernet.1Gbps:chksum_offload devent=ent2 no | no
devCatalog.adapter.ethernet.1Gbps:chksum_offload devent=ent3 no | no
devCatalog.adapter.ethernet.1Gbps:rxbuf_pool_sz devent=ent0 4096 | 4096
devCatalog.adapter.ethernet.1Gbps:rxbuf_pool_sz devent=ent1 4096 | 4096
devCatalog.adapter.ethernet.1Gbps:rxbuf_pool_sz devent=ent2 4096 | 4096
devCatalog.adapter.ethernet.1Gbps:rxbuf_pool_sz devent=ent3 4096 | 4096
devCatalog.adapter.ethernet.1Gbps:rxdesc_que_sz devent=ent0 2048 | 2048
devCatalog.adapter.ethernet.1Gbps:rxdesc_que_sz devent=ent1 2048 | 2048
devCatalog.adapter.ethernet.1Gbps:rxdesc_que_sz devent=ent2 2048 | 2048
devCatalog.adapter.ethernet.1Gbps:rxdesc_que_sz devent=ent3 2048 | 2048

ent0 Available 01-00 2-Port 10/100/1000 Base-TX PCI-Express Adapter (14104003)
ent1 Available 01-01 2-Port 10/100/1000 Base-TX PCI-Express Adapter (14104003)
ent2 Available 04-00 2-Port 10/100/1000 Base-TX PCI-Express Adapter (14104003)
ent3 Available 04-01 2-Port 10/100/1000 Base-TX PCI-Express Adapter (14104003)
devFC.xml – DIFF AFTER GET ONLY

# artexget -r devProfile_adapter_fibre_physical.xml > devFC.xml
# artexdiff -r -f txt devFC.xml
devFC.xml | System Values
devCatalog.adapter.fibre.fcs:max_xfer_size devfcs=fcs0 0x200000 | 0x200000
devCatalog.adapter.fibre.fcs:max_xfer_size devfcs=fcs1 0x200000 | 0x200000
devCatalog.adapter.fibre.fcs:max_xfer_size devfcs=fcs2 0x200000 | 0x200000
devCatalog.adapter.fibre.fcs:max_xfer_size devfcs=fcs3 0x200000 | 0x200000
devCatalog.adapter.fibre.fcs:num_cmd_elems devfcs=fcs0 2048 | 2048
devCatalog.adapter.fibre.fcs:num_cmd_elems devfcs=fcs1 2048 | 2048
devCatalog.adapter.fibre.fcs:num_cmd_elems devfcs=fcs2 2048 | 2048
devCatalog.adapter.fibre.fcs:num_cmd_elems devfcs=fcs3 2048 | 2048
devCatalog.adapter.fibre.fscsi:dyntrk devfscsi=fscsi0 yes | yes
devCatalog.adapter.fibre.fscsi:dyntrk devfscsi=fscsi1 yes | no
devCatalog.adapter.fibre.fscsi:dyntrk devfscsi=fscsi2 yes | yes
devCatalog.adapter.fibre.fscsi:dyntrk devfscsi=fscsi3 yes | no
devCatalog.adapter.fibre.fscsi:fc_err_recov devfscsi=fscsi0 fast_fail | fast_fail
devCatalog.adapter.fibre.fscsi:fc_err_recov devfscsi=fscsi1 fast_fail | delayed_fail
devCatalog.adapter.fibre.fscsi:fc_err_recov devfscsi=fscsi2 fast_fail | fast_fail
devCatalog.adapter.fibre.fscsi:fc_err_recov devfscsi=fscsi3 fast_fail | delayed_fail

fcs0 Available 02-00 8Gb PCI Express Dual Port FC Adapter (df1000f114108a03)
fcs1 Available 02-01 8Gb PCI Express Dual Port FC Adapter (df1000f114108a03)
fcs2 Available 05-00 8Gb PCI Express Dual Port FC Adapter (df1000f114108a03)
fcs3 Available 05-01 8Gb PCI Express Dual Port FC Adapter (df1000f114108a03)
devCHECK.xml – GET ONLY

# artexmerge -f devENT.xml devFC.xml devDISK.xml >devCHECK.xml
# artexget -r -f txt devCHECK.xml
Parameter name      Parameter value   Instance               Additional Action    Properties
------------------- ----------------- ---------------------- -------------------- --------------------
##Begin: devCatalog.adapter.ethernet.1Gbps
chksum_offload      no                devent=ent0            NEXTBOOT
chksum_offload      no                devent=ent1            NEXTBOOT
chksum_offload      no                devent=ent2            NEXTBOOT
chksum_offload      no                devent=ent3            NEXTBOOT
rxbuf_pool_sz       4096              devent=ent0            NEXTBOOT
rxbuf_pool_sz       4096              devent=ent1            NEXTBOOT
rxbuf_pool_sz       4096              devent=ent2            NEXTBOOT
rxdesc_que_sz       2048              devent=ent0            NEXTBOOT
rxdesc_que_sz       2048              devent=ent1            NEXTBOOT
rxdesc_que_sz       2048              devent=ent2            NEXTBOOT
##End: devCatalog.adapter.ethernet.1Gbps
##Begin: devCatalog.adapter.fibre.fscsi
dyntrk              yes               devfscsi=fscsi0        NEXTBOOT
dyntrk              no                devfscsi=fscsi1        NEXTBOOT
dyntrk              yes               devfscsi=fscsi2        NEXTBOOT
dyntrk              no                devfscsi=fscsi3        NEXTBOOT
fc_err_recov        fast_fail         devfscsi=fscsi0        NEXTBOOT
fc_err_recov        delayed_fail      devfscsi=fscsi1        NEXTBOOT
fc_err_recov        fast_fail         devfscsi=fscsi2        NEXTBOOT
fc_err_recov        delayed_fail      devfscsi=fscsi3        NEXTBOOT
##End: devCatalog.adapter.fibre.fscsi
##Begin: devCatalog.adapter.fibre.fcs
max_xfer_size       0x200000          devfcs=fcs0            NEXTBOOT
max_xfer_size       0x200000          devfcs=fcs1            NEXTBOOT
max_xfer_size       0x200000          devfcs=fcs2            NEXTBOOT
max_xfer_size       0x200000          devfcs=fcs3            NEXTBOOT
num_cmd_elems       2048              devfcs=fcs0            NEXTBOOT
num_cmd_elems       2048              devfcs=fcs1            NEXTBOOT
num_cmd_elems       2048              devfcs=fcs2            NEXTBOOT
num_cmd_elems       2048              devfcs=fcs3            NEXTBOOT
##End: devCatalog.adapter.fibre.fcs
##Begin: devCatalog.disk
reserve_policy      no_reserve        devhdisk=hdisk0        NEXTBOOT
reserve_policy      single_path       devhdisk=hdisk200      NEXTBOOT
queue_depth         16                devhdisk=hdisk0        NEXTBOOT
queue_depth         32                devhdisk=hdisk1        NEXTBOOT
queue_depth         2                 devhdisk=hdisk187      NEXTBOOT
max_transfer        0x100000          devhdisk=hdisk0        NEXTBOOT
max_transfer        0x200000          devhdisk=hdisk1        NEXTBOOT
max_transfer        0x40000           devhdisk=hdisk200      NEXTBOOT

Edited for visibility of >200 devices
How to SET device attribute values with AIX Runtime Expert

1. Create a new profile from the sample profile using the artexget command (e.g. run_viosdevattrProfile.xml)
   # artexget -r /etc/security/artex/samples/viosdevattrProfile.xml > devCHECK.xml

2. Modify the new devCHECK.xml file using any editor.
   # vi devCHECK.xml
   – Then modify the fc_err_recov parameter from "delayed_fail" to "fast_fail" for next reboot
     <Parameter name="fc_err_recov" value="fast_fail" applyType="nextboot">
       <Target class="devfscsi" instance="fscsi0"/>
     </Parameter>
     ...

3. Compare the new profile values with the running values using the artexdiff command as follows
   # artexdiff -r -f txt -c devCHECK.xml
   devCHECK.xml| System Values
   viosdevattrParam:fc_err_recov devfscsi=fscsi0 fast_fail | delayed_fail
   ...

4. Apply the profile to the system, run the following command:
   # artexset -c devCHECK.xml
   0590-206 A manual post-operation is required for the changes to take effect
   Please reboot the system
How to change user login attribute values (1/3)

In this example we will create a new login configuration setup profile.

1. Use the artexget command to GET the current settings:
   – artexget -p login.cfgProfile.xml > new_login.cfgProfile.xml

2. Check your current settings under /etc/security/login.cfg
   default:
           sak_enabled = false
           logintimes =
           logindisable = 0
           logininterval = 0
           loginreenable = 0
           logindelay = 0

3. Edit the new file, run vi new_login.cfgProfile.xml and change
   <Parameter name="logindelay" value="0"> to <Parameter name="logindelay" value="2">
   <Parameter name="logindisable" value="0"> to <Parameter name="logindisable" value="3">

http://pic.dhe.ibm.com/infocenter/aix/v7r1/topic/com.ibm.aix.baseadmn/doc/baseadmndita/artex_profile_elem.htm
How to change user login attribute values (2/3)

4. To apply the new rules, use the artexset command:
   – artexset -c new_login.cfgProfile.xml
   – To apply a profile every time the system restarts to maintain a consistent configuration, use the -b option:
     artexset -b new_login.cfgProfile.xml

5. Check the new setting in /etc/security/login.cfg, e.g. grep -p default /etc/security/login.cfg:
   default:
           sak_enabled = false
           logintimes =
           logindisable = 3
           logininterval = 0
           loginreenable = 0
           logindelay = 2

Note: The restricted parameters are supported as read-only parameters. Therefore, the values of these parameters can be retrieved with the artexget command, but cannot be set with the artexset command (this requires creating a specific catalog first).

http://pic.dhe.ibm.com/infocenter/aix/v7r1/topic/com.ibm.aix.cmds/doc/aixcmds1/artexset.htm
How to change user login attribute values (3/3)

1. To extend the custom profile, create a new profile using the artexget command:
   – artexget -p ./mkuser.defaultProfile.xml > new_mkuser.defaultProfile.xml
   – In this case, change the default umask setting to 027:
     <Parameter name="umask" value="027"/>

2. Merge the two (2) custom files using the artexmerge command:
   – artexmerge new_login.cfgProfile.xml new_mkuser.defaultProfile.xml > new_profile.xml

3. Run the artexget command to view the profile and verify that it is a valid profile:
   – artexget new_profile.xml

http://pic.dhe.ibm.com/infocenter/aix/v7r1/topic/com.ibm.aix.cmds/doc/aixcmds1/artexget.htm
http://pic.dhe.ibm.com/infocenter/aix/v7r1/topic/com.ibm.aix.cmds/doc/aixcmds1/artexmerge.htm
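In automated provisioning, the manual vi edits in the login and umask steps above need a scripted equivalent. The following is an added example, not part of the original slides: the function names and the sample profile (including its placeholder Catalog id) are constructed, and it assumes each Parameter start tag sits on one line with name= before value=, as in the snippets on this page.

```shell
#!/bin/sh
# Added example (not from the original slides): make the "edit with vi" step
# repeatable. Assumes each <Parameter ...> start tag sits on one line with
# name= before value=, as in the profile snippets on this page.

set_profile_param() {
    # usage: set_profile_param <profile.xml> <parameter> <new value>
    profile=$1; name=$2; value=$3
    # Allow only characters that are safe inside the XML attribute and sed.
    case $name in ''|*[!A-Za-z0-9_%-]*) echo "bad parameter name: $name" >&2; return 2 ;; esac
    case $value in *[!A-Za-z0-9_.:,/-]*) echo "bad value: $value" >&2; return 2 ;; esac
    # Fail loudly on a missing parameter instead of leaving the profile unchanged.
    grep -q "<Parameter name=\"$name\"" "$profile" || {
        echo "parameter not in profile: $name" >&2; return 1; }
    tmp=$profile.$$.tmp
    sed "/<Parameter name=\"$name\"/s|value=\"[^\"]*\"|value=\"$value\"|" \
        "$profile" > "$tmp" && mv "$tmp" "$profile"
}

apply_login_baseline() {
    # The values used on this page: logindelay 0 -> 2, logindisable 0 -> 3.
    set_profile_param "$1" logindelay 2 &&
    set_profile_param "$1" logindisable 3
}

sample_profile() {
    # Constructed stand-in for `artexget -p login.cfgProfile.xml` output;
    # the Catalog id is a placeholder.
    cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Profile origin="reference" version="1.0">
 <Catalog id="SAMPLE" version="1.0">
  <Parameter name="logindisable" value="0">
  </Parameter>
  <Parameter name="logininterval" value="0">
  </Parameter>
  <Parameter name="logindelay" value="0">
  </Parameter>
 </Catalog>
</Profile>
EOF
}

# On AIX the surrounding steps are the ones from the slides:
#   artexget -p login.cfgProfile.xml > new_login.cfgProfile.xml
#   apply_login_baseline new_login.cfgProfile.xml
#   artexset -c new_login.cfgProfile.xml
demo=${TMPDIR:-/tmp}/artex_demo.$$.xml
sample_profile > "$demo" && apply_login_baseline "$demo" && grep '<Parameter' "$demo"
rm -f "$demo"
```

The umask change is the same call against the other profile: set_profile_param new_mkuser.defaultProfile.xml umask 027.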
Check settings on NIM clients

1. Create a script file, such as /exports/scripts/artex2; it can be a single command (NOTE):
   /usr/bin/artexget -r -f txt /etc/security/artex/samples/viosdevattrProfile.xml

2. Define a script resource named artex2 pointing to the /exports/scripts/artex2 script:
   nim -o define -t script -a server=master -a location=/exports/scripts/artex2 artex2

3. Allocate the script to the NIM client (in this example the machine resource name is nimclient123):
   nim -o allocate -a script=artex2 nimclient123

4. Execute the script:
   nim -o cust nimclient123
   Component name     Parameter name       Parameter value    Additional Action
   -----------------  -------------------  -----------------  -----------------------
   viosdevattrParam   reserve_policy       no_reserve         NEXTBOOT
   viosdevattrParam   reserve_policy       no_reserve         NEXTBOOT
   viosdevattrParam   reserve_policy       no_reserve         NEXTBOOT
   viosdevattrParam   queue_depth          3                  NEXTBOOT
   ...

5. Monitor progress and output:
   nim -o showlog -a full_log -a log_type=script -a verbose=5 nimclient123
   add_to_LIST: listptr=0x200012c0; str=-a; get_list_space: listptr=0x200012c0 nim_malloc: size = 3 SPACE nim_malloc: space = 537058952
   add_to_LIST: listptr=0x200012c0; str=verbose=5; get_list_space: listptr=0x200012c0
   ...

http://www-01.ibm.com/support/knowledgecenter/ssw_aix_71/com.ibm.aix.install/nim_op_cust.htm
Build your own catalogs
AIX Runtime Expert catalogs

Catalogs are used
– As the mechanism that defines and specifies configuration controls that can be operated on

AIX Runtime Expert fileset provides
– Existing read-only catalogs, located in the /etc/security/artex/catalogs directory, that identify values that can be modified
  • Do not modify these catalogs
– Each catalog contains parameters for one component.
– The names of the catalogs describe the components that are contained in the catalog
– The <Description> XML element in each catalog provides a description of the catalog

Catalogs contain, in XML format:
1. Configuration methods
   Different operations in configuration methods
2. Parameter definitions
   Binding parameters to configuration methods

http://www-01.ibm.com/support/knowledgecenter/ssw_aix_71/com.ibm.aix.osdevice/artex_writing_catalog.htm
Writing AIX Runtime Expert Catalogs

(Figure: Sample catalog)

The catalog files contain the parameter definitions and binding information to configuration methods that describe the commands used to retrieve or set parameter values. Catalog files are local to the system which is being tuned and configured.
Extending an existing catalog

# cat iooCatalog.xml
<?xml version="1.0" encoding="UTF-8"?>
<Catalog id="iooCatalog" version="1.0" inherit="iooParam">
  <ParameterDef name="iodone_distr_disable" cfgmethod="ioo" type="integer"></ParameterDef>
</Catalog>

# cat iooProfile.xml
<?xml version="1.0" encoding="UTF-8"?>
<Profile origin="reference" readOnly="true" version="1.0">
  <Catalog id="iooCatalog" version="1.0">
    <Parameter name="iodone_distr_disable" value="0" readOnly="true"/>
  </Catalog>
</Profile>
Custom Profile for custom Catalog

nameofProfile.xml
<?xml version="1.0" encoding="UTF-8"?>
<Profile origin="reference" readOnly="true" version="1.0">
  <Catalog id="nameofcatalogCatalog" version="1.0">
    <Parameter name="variablename1" value="stringvaluehere" readOnly="true"/>
    <Parameter name="variablename2" value="integervaluehere" readOnly="true"/>
  </Catalog>
</Profile>
Building catalog

# cat nameofCatalog.xml
<?xml version="1.0" encoding="UTF-8"?>
<Catalog id="nameofcatalogCatalog" version="1.0">
  <CfgMethod id="configmethod">
    <Get type="current">
      <Command>LC_MESSAGES=C COMMAND TO GET HERE</Command>
      <Filter>FILTER COMMAND HERE, output "attribute=value"</Filter>
      <Mask name="1" value="2">(.*)=(.*)</Mask>
    </Get>
    <Get type="nextboot">
      <Command>LC_MESSAGES=C COMMAND TO GET HERE</Command>
      <Filter>FILTER COMMAND HERE, output "attribute=value"</Filter>
      <Mask name="1" value="2">(.*)=(.*)</Mask>
    </Get>
    <Set type="permanent">
      <Command>LC_MESSAGES=C COMMAND TO SET HERE</Command>
      <Argument>PARAMETERS TO COMMAND TO SET HERE</Argument>
    </Set>
    <Set type="nextboot">
      <Command>LC_MESSAGES=C COMMAND TO SET HERE</Command>
      <Argument>PARAMETERS TO COMMAND TO SET HERE</Argument>
    </Set>
  </CfgMethod>
  <ParameterDef name="variablename1" type="string" cfgmethod="configmethod"></ParameterDef>
  <ParameterDef name="variablename2" type="integer" cfgmethod="configmethod"></ParameterDef>
</Catalog>
Sample profiles and catalogs provided as-is

Packaged by: tar cvf - catalogs checklists README.txt | gzip -c > ARTEX.tar.gz

As root user (or equivalent rights with RBAC)
1. Move the bundle tarzipped file to the partition
2. Change directory to /etc/security/artex
3. Unpack the bundle:
   gunzip -c ARTEX.tar.gz|tar xvf -
4. Verify/update /etc/security/artex/artex.conf line for ARTEX_PROFILE_PATH to read
   /etc/security/artex/checklists
5. Verify the checklist
   artexdiff -r -f txt checklist_XYZ2_2015-02-11.xml
6. Two steps to create the dynamic device checklist profiles
   • Ethernet
     artexget -r devProfile_adapter_ethernet_physical.xml > devENT.xml
     Update devENT.xml with checklist attribute values
     artexdiff -r -f txt devENT.xml
   • Fibre Channel
     artexget -r devProfile_adapter_fibre_physical.xml > devFC.xml
     Update devFC.xml with checklist attribute values
     artexdiff -r -f txt devFC.xml
   • DISK
     artexget -r devProfile_disk.xml > devDISK.xml
     Update devDISK.xml with checklist attribute values
     artexdiff -r -f txt devDISK.xml
7. Merge and use
   artexmerge -f devENT.xml devFC.xml devDISK.xml >devCHECK.xml
   artexdiff -r -f txt devCHECK.xml

Drop me an email if you want to be part of our customer community evaluating ARTEX: roden@ae.ibm.com
We can also assist building your specific checklists and deployment integration.

Do's
• Use supported levels of AIX 6.1 or 7.1
• Install APAR IV71809

From customers input we now have Design Change Requests (DCRs) enhancing artexget and artexdiff, such as (for your tracking):
DCR# MR0216156512
DCR# MR0218151213
Thank you – Tack !

Björn Rodén roden@ae.ibm.com http://www.linkedin.com/in/roden