AIX Post Install
The purpose is to create a Standard Operating Environment which can be installed through NIM and offers all functionality as configured on AIX 5.3.
Individual paragraphs will refer to it where necessary, but the overall document on which this article is based is AIX Post Install. That document was created on AIX 5.3 and gives a lot of background information. This document adds specific information for AIX 6.1, but does not copy the background information, which is also valid for AIX 5.3. So, in conclusion, if you need more information, AIX Post Install is your best place to start.
Installation
The installation is performed through NIM and the version installed is:
6100-04-03-1009
which was released in February 2010. During the install I accepted all default settings.
Default Configuration
Change Root
Note:
DNS
Set up DNS by editing the 'resolv.conf' configuration file:
# vi /etc/resolv.conf
nameserver 10.10.10.100
nameserver 10.10.10.101
search intranet.company.nl company.local
Note:
• The search entry can have up to a maximum of 1024 character strings for the DomainName variable.
• The first DomainName variable is interpreted as the default domain name.
• The DomainName variable is the name of a domain that should be included in the
search list.
• The domain entry and search entry are mutually exclusive. If both entries are
used, the one that appears last will override the other.
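The four notes above are resolver rules, and the easiest way to see what they mean for a given file is to apply them. The script below is an added example, not part of the original document: it reads a resolv.conf, keeps every nameserver in order, lets the last of a "domain" or "search" entry win, takes the first name of the winning search list as the default domain, and warns when both entries are present. The sample file it writes is a constructed copy of the one shown above (plus an optional conflicting "domain" line); the temporary file path is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the original document: apply the resolver rules
# quoted above to a resolv.conf and report what the resolver will actually use.
#  - every "nameserver" line is kept, in order
#  - "domain" and "search" are mutually exclusive; the last one present wins
#  - the first name on the winning "search" line is the default domain

# audit_resolv_conf FILE: prints "nameservers", "default_domain", "search_list"
# and, when both domain and search are present, a "WARN" line.
audit_resolv_conf() {
    awk '
        /^[[:space:]]*$/ || /^[[:space:]]*[#;]/ { next }     # blank or comment
        $1 == "nameserver" { ns = ns (ns == "" ? "" : ",") $2; next }
        $1 == "domain" || $1 == "search" {
            if (winner != "") both = 1        # a second entry overrides the first
            winner = $1
            $1 = ""; sub(/^[[:space:]]+/, "")
            list = $0
            next
        }
        END {
            print "nameservers " ns
            if (winner == "") { print "default_domain (none)"; exit }
            split(list, parts, " ")
            print "default_domain " parts[1]
            print "search_list " list
            if (both) print "WARN domain and search both present; the last one (" winner ") wins"
        }
    ' "$1"
}

# write_sample_resolv FILE [conflict]: constructed file matching the one on the
# page; with "conflict" a "domain" line is added before it to show the override.
write_sample_resolv() {
    {
        [ "$2" = conflict ] && echo "domain old.company.nl"
        echo "nameserver 10.10.10.100"
        echo "nameserver 10.10.10.101"
        echo "search intranet.company.nl company.local"
    } > "$1"
}

# Stand-alone run: audit the constructed file with the conflicting domain line.
sample=${TMPDIR:-/tmp}/resolv.sample.$$
write_sample_resolv "$sample" conflict
audit_resolv_conf "$sample"
rm -f "$sample"
```

On a real host run `audit_resolv_conf /etc/resolv.conf`; a WARN line means the file has both a domain and a search entry, and only the one that appears last is in effect.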
NTP
Timezone
Set up the timezone through 'smitty':
• System Environments
o Change / Show Date, Time, and Time Zone
Change Time Zone Using System Defined Values
Select your country (NL - Netherlands)
Select your time zone name (Europe/Amsterdam - (GMT+01:00/GMT+02:00) Central Europe)
Confirm
NTP Config
Set up NTP by editing the 'ntp.conf' configuration file:
# vi /etc/ntp.conf
#broadcastclient
driftfile /etc/ntp.drift
tracefile /etc/ntp.trace
server ntp.company.nl
Set the Time
# ntpdate ntp.company.nl
3 Mar 10:02:29 ntpdate[250036]: step time server 10.10.10.100 offset 0.975368 sec
# ntpdate ntp.company.nl
3 Mar 10:02:39 ntpdate[250040]: adjust time server 10.10.10.100 offset 0.000045 sec
NTP Service
Configure the NTP service to start automatically through 'smitty xntpd':
Reboot
To complete the setup of time and related services, reboot, since the timezone change requires one.
NFS
Add the company NFS share through 'smitty manfs'
Check
There is a new filesystem defined in /etc/filesystems:
/exports/install:
        dev = "/exports/install"
        vfs = nfs
        nodename = fileserver.company.nl
        mount = true
        options = ro,bg,hard,intr,proto=udp,nodev,nosuid,sec=sys
        account = false
Filesystems
When AIX gets installed the filesystem gets a certain amount of space dependent on the
size of the disk and what is installed:
# df -m
Filesystem MB blocks Free %Used Iused %Iused Mounted on
/dev/hd4 320.00 154.38 52% 12990 25% /
/dev/hd2 2144.00 355.22 84% 39261 31% /usr
/dev/hd9var 192.00 17.66 91% 6439 57% /var
/dev/hd3 64.00 61.55 4% 24 1% /tmp
/dev/hd1 32.00 31.62 2% 11 1% /home
/dev/hd11admin 128.00 127.63 1% 5 1% /admin
/proc - - - - - /proc
/dev/hd10opt 96.00 12.57 87% 1886 37% /opt
/dev/livedump 256.00 255.64 1% 4 1% /var/adm/ras/livedump
# chfs -a size=2G /
# chfs -a size=4G /usr
# chfs -a size=1G /var
# chfs -a size=1G /tmp
# chfs -a size=512M /home
# chfs -a size=10G /opt
Result:
# df -m
Filesystem MB blocks Free %Used Iused %Iused Mounted on
/dev/hd4 2048.00 1882.11 9% 12990 3% /
/dev/hd2 4096.00 2306.92 44% 39261 7% /usr
/dev/hd9var 1024.00 849.48 18% 6441 4% /var
/dev/hd3 1024.00 1021.37 1% 24 1% /tmp
/dev/hd1 512.00 511.55 1% 11 1% /home
/dev/hd11admin 128.00 127.63 1% 5 1% /admin
/proc - - - - - /proc
/dev/hd10opt 10240.00 10155.02 1% 1886 1% /opt
/dev/livedump 256.00 255.64 1% 4 1% /var/adm/ras/livedump
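The chfs commands above are typed by hand after reading df. As an added example, not part of the original document, the script below does the reading: it parses "df -m" output, compares each of the filesystems the page resizes against the size chosen for it, and prints the chfs command that would bring a too-small filesystem up to size (it only prints a plan; nothing is resized). It also handles the wrapped line that df -m produces for the long /var/adm/ras/livedump mount point. The two listings it runs on are constructed from the before and after output shown above; the size suffix M in the generated command is the form chfs accepts.

```shell
#!/bin/sh
# Added example, not from the original document: read "df -m" output and
# compare each filesystem against the sizes chosen on the page, printing the
# chfs command that would bring it up to size. Nothing is resized; the output
# is a plan to review before running it.

# Targets in MB as set on the page: / 2G, /usr 4G, /var 1G, /tmp 1G, /home 512M, /opt 10G.
TARGETS='/ 2048
/usr 4096
/var 1024
/tmp 1024
/home 512
/opt 10240'

# plan_fs_resize: "df -m" output on stdin; prints "chfs -a size=<MB>M <mount>"
# for every target filesystem that is too small and "ok <mount> <MB>" otherwise.
plan_fs_resize() {
    awk -v targets="$TARGETS" '
        BEGIN {
            n = split(targets, lines, "\n")
            for (i = 1; i <= n; i++) { split(lines[i], kv, " "); want[kv[1]] = kv[2] + 0 }
        }
        NR == 1 || $2 == "-" { next }       # header line and /proc (no size)
        # df -m wraps a long mount point (e.g. /var/adm/ras/livedump) onto the
        # next line; keep the size until the mount point arrives.
        NF == 1 { mnt = $1; size = pending }
        NF > 1  { mnt = $NF; size = $2 + 0; if (mnt !~ /^\//) { pending = size; next } }
        mnt in want {
            if (size < want[mnt]) printf "chfs -a size=%dM %s\n", want[mnt], mnt
            else printf "ok %s %d\n", mnt, size
        }
    '
}

# sample_df_before / sample_df_after: the two "df -m" listings from the page,
# reproduced here as constructed input.
sample_df_before() {
    cat <<'EOF'
Filesystem    MB blocks      Free %Used    Iused %Iused Mounted on
/dev/hd4         320.00    154.38   52%    12990    25% /
/dev/hd2        2144.00    355.22   84%    39261    31% /usr
/dev/hd9var      192.00     17.66   91%     6439    57% /var
/dev/hd3          64.00     61.55    4%       24     1% /tmp
/dev/hd1          32.00     31.62    2%       11     1% /home
/dev/hd11admin   128.00    127.63    1%        5     1% /admin
/proc                 -         -    -         -     -  /proc
/dev/hd10opt      96.00     12.57   87%     1886    37% /opt
/dev/livedump    256.00    255.64    1%        4     1%
/var/adm/ras/livedump
EOF
}

sample_df_after() {
    cat <<'EOF'
Filesystem    MB blocks      Free %Used    Iused %Iused Mounted on
/dev/hd4        2048.00   1882.11    9%    12990     3% /
/dev/hd2        4096.00   2306.92   44%    39261     7% /usr
/dev/hd9var     1024.00    849.48   18%     6441     4% /var
/dev/hd3        1024.00   1021.37    1%       24     1% /tmp
/dev/hd1         512.00    511.55    1%       11     1% /home
/dev/hd11admin   128.00    127.63    1%        5     1% /admin
/proc                 -         -    -         -     -  /proc
/dev/hd10opt   10240.00  10155.02    1%     1886     1% /opt
/dev/livedump    256.00    255.64    1%        4     1%
/var/adm/ras/livedump
EOF
}

# Stand-alone run: the plan for the fresh install, then the check afterwards.
sample_df_before | plan_fs_resize
sample_df_after | plan_fs_resize
```

On an AIX host the same function runs as `df -m | plan_fs_resize`; review the printed chfs lines before executing them.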
Additional Software
Download the latest rpms: see the IBM AIX Toolbox for Linux Applications information page and the actual FTP download site.
Get SSH and SSL from the AIX installation and expansion DVDs.
...<cut>...
Installation Summary
--------------------
Name                        Level           Part        Event       Result
-------------------------------------------------------------------------------
rpm.rte                     3.0.5.51        USR         APPLY       SUCCESS
rpm.rte                     3.0.5.51        ROOT        APPLY       SUCCESS
openssl.base                0.9.8.1100      USR         APPLY       SUCCESS
openssl.base                0.9.8.1100      ROOT        APPLY       SUCCESS
openssh.base.client         5.2.0.5300      USR         APPLY       SUCCESS
openssh.base.server         5.2.0.5300      USR         APPLY       SUCCESS
openssh.base.client         5.2.0.5300      ROOT        APPLY       SUCCESS
openssh.base.server         5.2.0.5300      ROOT        APPLY       SUCCESS
Install RPMS
This is a selection of RPMS I like to install on an AIX system:
# rpm -iv *.rpm
bash-3.2-1
gcc-4.2.0-3
gettext-0.10.40-8
less-382-1
lsof-4.61-3
sudo-1.6.9p15-2noldap
tar-1.14-2
vim-common-6.3-1
vim-enhanced-6.3-1
vim-minimal-6.3-1
which-2.14-1
# /etc/rc.d/rc2.d/Ssshd stop
# /etc/rc.d/rc2.d/Ssshd start
After restarting your session you can issue 'xclock' to see if it's working.
See CygWin - X on Windows to see how to set up your local Windows installation for X11 forwarding.
Oracle Requirements
Oracle has a few requirements when installed on an AIX box, and one of them is not
installed by default: bos.adt.libm. The package can be installed using the NIM server:
bash-3.2# lslpp -l bos.adt.libm
lslpp: Fileset bos.adt.libm not installed.
See AIX NIM for more information on how to install software using a NIM server.
Tuning
AIX Limitations
For system stability reasons AIX has a few limitations which interfere (within our
company) with production processes.
SWAP
By default, the swap space is defined as 512 MB, which is a little bit low when Oracle, WebSphere or any other demanding application is running.
Set the paging space to 4 GB for better performance:
bash-3.2# lsps -a
Page Space  Physical Volume  Volume Group  Size    %Used  Active  Auto  Type  Chksum
hd6         hdisk0           rootvg        512MB   2      yes     yes   lv    0
bash-3.2# chps -s 112 hd6
bash-3.2# lsps -a
Page Space  Physical Volume  Volume Group  Size    %Used  Active  Auto  Type  Chksum
hd6         hdisk0           rootvg        4096MB  1      yes     yes   lv    0
Large Files
By default no one on the system is allowed to work with large files, to prevent the filesystems from filling up too fast, but we need root to work with large files. To do so, adjust /etc/security/limits and set these lines in the root section:
root:
        fsize = -1
        data = -1
        stack = -1
Network
By default, AIX waits 200 ms before sending the TCP acknowledgement. To disable this delay, issue:
bash-3.2# no -p -o tcp_nodelayack=1
Setting tcp_nodelayack to 1
Setting tcp_nodelayack to 1 in nextboot file
AIX Post Install contains extended tests regarding AIX performance and more background information.
Memory
When running Oracle, adjust the memory tuning to meet the demands Oracle can make:
bash-3.2# vmo -p -o minperm%=5 -o maxperm%=90 -o maxclient%=90 -o lru_file_repage=0
Setting minperm% to 5 in nextboot file
Modification to restricted tunable maxperm%, confirmation required yes/no yes
Setting maxperm% to 90 in nextboot file
Modification to restricted tunable maxclient%, confirmation required yes/no yes
Setting maxclient% to 90 in nextboot file
Modification to restricted tunable lru_file_repage, confirmation required yes/no yes
Setting lru_file_repage to 0 in nextboot file
Setting minperm% to 5
Setting maxperm% to 90
Warning: a restricted tunable has been modified
Setting maxclient% to 90
Warning: a restricted tunable has been modified
Setting lru_file_repage to 0
Warning: a restricted tunable has been modified
Unnecessary Software
Software that is unnecessary:
Unnecessary Services
After disabling all subservers don't forget to refresh the inetd daemon:
refresh -s inetd
Unnecessary Subsystems
Use these commands to stop and disable subsystems that are automatically started by AIX but are not needed:
bash-3.2# chrctcp -S -d inetd
bash-3.2# chrctcp -S -d snmpd
bash-3.2# chrctcp -S -d hostmibd
bash-3.2# chrctcp -S -d snmpmibd
bash-3.2# chrctcp -S -d aixmibd
bash-3.2# chrctcp -S -d writesrv
bash-3.2# chrctcp -S -d qdaemon
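Having issued the commands above, the thing to verify is that none of those subsystems is still running. The script below is an added example, not part of the original document: it reads "lssrc -a" output and reports each of the seven subsystems as still-active, stopped (inoperative) or absent. It assumes the lssrc -a column layout of Subsystem, Group, PID and Status, where inoperative entries have no PID and the status is therefore always the last field; the listing it runs on here is constructed (real subsystem names, made-up PIDs).

```shell
#!/bin/sh
# Added example, not from the original document: verify that the subsystems
# disabled above are really stopped by reading "lssrc -a" output. On an AIX
# host run "lssrc -a | check_subsystems"; here it reads a constructed listing.

UNWANTED="inetd snmpd hostmibd snmpmibd aixmibd writesrv qdaemon"

# check_subsystems: lssrc -a output on stdin; one line per unwanted subsystem:
# "still-active NAME", "stopped NAME" (inoperative) or "absent NAME" (not listed).
check_subsystems() {
    awk -v list="$UNWANTED" '
        BEGIN { n = split(list, names, " "); for (i = 1; i <= n; i++) unwanted[names[i]] = 1 }
        NR == 1 { next }                       # header line
        # Inoperative subsystems have no PID column, so the status is the last field.
        ($1 in unwanted) { status[$1] = $NF }
        END {
            for (i = 1; i <= n; i++) {
                name = names[i]
                if (!(name in status))             print "absent " name
                else if (status[name] == "active") print "still-active " name
                else                               print "stopped " name
            }
        }
    '
}

# sample_lssrc: constructed "lssrc -a" listing (names real, PIDs made up).
sample_lssrc() {
    cat <<'EOF'
Subsystem         Group            PID          Status
 syslogd          ras              131172       active
 inetd            tcpip            172214       active
 snmpd            tcpip            176312       active
 hostmibd         tcpip                         inoperative
 snmpmibd         tcpip                         inoperative
 aixmibd          tcpip                         inoperative
 writesrv         spooler                       inoperative
 qdaemon          spooler          200818       active
 sshd             ssh              204934       active
EOF
}

# Stand-alone run against the constructed listing.
sample_lssrc | check_subsystems
```

Any "still-active" line means the corresponding disable command above has not taken effect yet (or the subsystem was started again), and is worth re-checking after the next reboot as well.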
User Environment
Profile
I used AIX Profile to setup the profile for all users.
Home Directory
I used AIX Home Directory to setup the automatic creation of home directories for users.
Security
AIX Security
Intruder Lockout
To prevent brute force account hacking, enable intruder lockout. This can be done by editing '/etc/security/login.cfg':
default:
        sak_enabled = false
        logintimes =
        logindisable = 4
        logininterval = 60
        loginreenable = 30
        logindelay = 5
For more information about these settings please check this page.
Valid Shells
Add bash to the list of valid shells, which can be done in the same file, '/etc/security/login.cfg':
usw:
        shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh,/usr/bin/ksh93,/usr/bin/rksh,/usr/bin/rksh93,/usr/sbin/sliplogin,/usr/sbin/uucp/uucico,/usr/sbin/snappd,/bin/bash,/usr/bin/bash
        maxlogins = 32767
        logintimeout = 60
        maxroles = 8
        auth_type = STD_AUTH
Root Login
Set, in '/etc/security/user', that root is allowed to log in ('vi /etc/security/user'):
root:
        login = true
Automatic Timeout
Set an automatic timeout of one hour for sessions, 'vi /etc/profile':
...<cut>...
# Automatic logout, include in export line if uncommented
TMOUT=3600
...<cut>...
export LOGNAME MAIL MAILMSG TERM TMOUT
...<cut>...
Sendmail Privacy
Edit the /etc/sendmail.cf file to minimize the information sendmail shows on connection:
# privacy flags
O PrivacyOptions=goaway
See Sendmail Security Quick Fixes for more information about sendmail security.
LDAP
LDAP authentication has been setup as described in AIX LDAP authentication on
eDirectory.
Sudo
Sudo security has been setup as described in Sudo.
Root
You now have to make the final changes to the root account. Since LDAP users now have sudo rights, root should no longer be allowed to log in, except in emergencies. So, make sure users are allowed to 'su' to root and that root is only allowed a local login. You can change that in 'smitty users':
Also, don't forget to change '/etc/ssh/sshd_config' to make sure root is not allowed to log in over ssh as well:
PermitRootLogin no
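The Large Files, Intruder Lockout, Valid Shells, Root Login and Root sections all come down to attribute values in AIX stanza files plus one sshd_config keyword, so they can be checked together. The script below is an added example, not part of the original document: a small stanza-file reader (stanza name followed by indented "attr = value" lines) and an audit that reports PASS or FAIL for the root fsize limit, the logindisable lockout, bash in the shells list, root being limited to local login, and PermitRootLogin. Two assumptions: the "local login only" setting from 'smitty users' is taken to be the rlogin attribute of the root stanza in /etc/security/user (su and rlogin are the attributes behind those smitty fields), and sshd honours the first uncommented occurrence of a keyword, which is why a commented-out default and a later duplicate are both ignored. The files it runs on are constructed copies written to a temporary directory; point it at the real files on an AIX host to audit one.

```shell
#!/bin/sh
# Added example, not from the original document: read the AIX stanza files
# edited above (/etc/security/limits, /etc/security/login.cfg,
# /etc/security/user) and /etc/ssh/sshd_config, and report whether the
# settings match what the page asks for. Runs against constructed copies.

# stanza_get FILE STANZA ATTR: print the value of ATTR in STANZA ("" if absent).
# Stanza files look like "root:" followed by indented "attr = value" lines.
stanza_get() {
    awk -v want="$2" -v attr="$3" '
        /^[^[:space:]#].*:[[:space:]]*$/ { cur = $0; sub(/:[[:space:]]*$/, "", cur); next }
        cur == want {
            line = $0; sub(/^[[:space:]]+/, "", line)
            eq = index(line, "="); if (eq == 0) next
            key = substr(line, 1, eq - 1); sub(/[[:space:]]+$/, "", key)
            if (key != attr) next
            val = substr(line, eq + 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            print val; exit
        }
    ' "$1"
}

# sshd_option FILE KEYWORD: sshd uses the first uncommented occurrence.
sshd_option() {
    awk -v opt="$2" 'tolower($1) == tolower(opt) && !done { val = $2; done = 1 }
                     END { print val }' "$1"
}

# audit_root_access DIR: DIR holds limits, login.cfg, user and sshd_config.
# Prints one "PASS name" or "FAIL name (value)" line per check.
audit_root_access() {
    d="$1"
    v=$(stanza_get "$d/limits" root fsize)
    [ "$v" = "-1" ] && echo "PASS root-fsize-unlimited" || echo "FAIL root-fsize-unlimited ($v)"
    v=$(stanza_get "$d/login.cfg" default logindisable)
    [ "${v:-0}" -gt 0 ] && echo "PASS intruder-lockout" || echo "FAIL intruder-lockout ($v)"
    v=$(stanza_get "$d/login.cfg" usw shells)
    case ",$v," in *,/bin/bash,*) echo "PASS bash-valid-shell" ;; *) echo "FAIL bash-valid-shell" ;; esac
    v=$(stanza_get "$d/user" root rlogin)       # assumption: rlogin=false means local login only
    [ "$v" = "false" ] && echo "PASS root-local-only" || echo "FAIL root-local-only ($v)"
    v=$(sshd_option "$d/sshd_config" PermitRootLogin)
    [ "$v" = "no" ] && echo "PASS sshd-no-root" || echo "FAIL sshd-no-root ($v)"
}

# write_samples DIR [hardened|default]: constructed files, not copied from a host.
# "hardened" writes the values the page asks for; "default" writes permissive ones.
write_samples() {
    d="$1"; mkdir -p "$d"
    printf 'default:\n\tfsize = 2097151\n\nroot:\n\tfsize = -1\n\tdata = -1\n\tstack = -1\n' > "$d/limits"
    if [ "$2" = hardened ]; then dis=4; rl=false; prl=no; else dis=0; rl=true; prl=yes; fi
    printf 'default:\n\tsak_enabled = false\n\tlogintimes =\n\tlogindisable = %s\n\tlogininterval = 60\n\nusw:\n\tshells = /bin/sh,/bin/ksh,/bin/bash,/usr/bin/bash\n\tmaxlogins = 32767\n' "$dis" > "$d/login.cfg"
    printf 'default:\n\tlogin = true\n\nroot:\n\tlogin = true\n\tsu = true\n\trlogin = %s\n' "$rl" > "$d/user"
    # A commented default, the effective line, and a later duplicate that sshd ignores.
    printf '#PermitRootLogin yes\nPermitRootLogin %s\nPermitRootLogin yes\n' "$prl" > "$d/sshd_config"
}

# Stand-alone run against the hardened sample set.
dir=${TMPDIR:-/tmp}/aix-audit.$$
write_samples "$dir" hardened
audit_root_access "$dir"
rm -rf "$dir"
```

To audit a live system, copy the four files into one directory (or adapt the paths in audit_root_access) and run it as root; every FAIL line names the attribute and the value that was actually found.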
Syslog
Syslog has been setup as described in SYSLOG.