There are two kinds of obvious passwords:
1. Dictionary words or common acronyms
2. Names or phrases that are in common use within your organisation
Fortunately there are some simple ways to prevent users making poor choices:
1. Enforce password history. This prevents a password from being re-used.
# chsec -f /etc/security/user -s default -a <setting>=<restriction>
histsize = 4
histexpire = 26
minage = 1
maxage = 52
maxexpired = 8
2. Set password pattern restrictions e.g. a password must have at least one capital letter or number
# chsec -f /etc/security/user -s default -a <setting>=<restriction>
logintimes =
pwdwarntime = 5
loginretries = 5
minalpha = 2
minother = 2
minlen = 8
mindiff = 4
maxrepeats = 2
3. Use a custom dictionary to prevent the use of words that are in common use in your organisation or are so common as to be easily guessed:
Create a text fileor use the standard "/usr/share/dict/words" file and create a list of banned words or terms e.g.
Vodafone01
1106HHAmsterdam
Discount!
Set the AIX default password restrictions to check these words when a user changes their password:
# chsec -f /etc/security/user -s default -a dictionlist=/usr/share/dict/words
Once the restrictions are in place the users are then prevented from choosing a word from this list:
$ passwd
Changing password for "test"
test's Old password:
test's New password: (the password entered is “test”)
3004-335 Passwords must not match words in the dictionary.
Sunday 31 August 2014
Friday 29 August 2014
Running a server in Turbocore Mode
You can configure a model 780 or 795 server to run in
TurboCore mode (rather than the standard MaxCore mode) in order to improve performance of processes that cannot take advantage of threading. In this mode up to half of the processor cores on each single-chip module (SCM) are disabled and their L3 cache is made available to the active processor cores on the chip, which provides a performance boost to the active cores.
The number of cores used in TurboCore mode is equal to the number of activated processors, but only up to a maximum of half the number of cores physically installed.
A server with 32 physical processor cores (14 activated), running in TurboCore mode. If you re-IPL the system and switch to MaxCore mode, you now have 14 processor cores running in MaxCore mode. The same is true if you switch from TurboCore to MaxCore mode.
If the server has an odd number of activated cores only half the number of physical cores will be available.
There are special rules that apply when ordering a 780 or 795 that is intended to be used in TurboCore mode. The server can be delivered ready configured in this mode.
The change applies to the entire server and not just an LPAR and is managed via the ASMI interface.
The number of cores used in TurboCore mode is equal to the number of activated processors, but only up to a maximum of half the number of cores physically installed.
A server with 32 physical processor cores (14 activated), running in TurboCore mode. If you re-IPL the system and switch to MaxCore mode, you now have 14 processor cores running in MaxCore mode. The same is true if you switch from TurboCore to MaxCore mode.
If the server has an odd number of activated cores only half the number of physical cores will be available.
There are special rules that apply when ordering a 780 or 795 that is intended to be used in TurboCore mode. The server can be delivered ready configured in this mode.
The change applies to the entire server and not just an LPAR and is managed via the ASMI interface.
Wednesday 27 August 2014
Analysing Java performance
A badly configured Java VM can affect the performance of your entire system.
The behaviour of the Java garbage collector can be an indication of configuration and performance problems, however in order to get this information you need to start your VM with some extra options:
Logging is activated with the "-verbose:gc" option and redirected to a file using the "-Xverbosegclog:< file >" option.
Verbose logging captures many types of GC events, including:
regular GC cycles
allocation failures
heap expansion and contraction
concurrent marking events
scavenger collections.
Verbose logs also show the approximate length of time many events take, the number of bytes processed (if applicable), and other relevant metrics.
For more information see the IBM Java performance page:
http://www-01.ibm.com/support/knowledgecenter/SSYKE2_6.0.0/com.ibm.java.doc.diagnostics.60/diag/tools/gcpd_verbosegc.html
The Java Performance Advisor is an automated Java testing tool and can be downloaded from:
https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Power%20Systems/page/Java%20Performance%20Advisor%20%28JPA%29
The behaviour of the Java garbage collector can be an indication of configuration and performance problems, however in order to get this information you need to start your VM with some extra options:
Logging is activated with the "-verbose:gc" option and redirected to a file using the "-Xverbosegclog:< file >" option.
Verbose logging captures many types of GC events, including:
regular GC cycles
allocation failures
heap expansion and contraction
concurrent marking events
scavenger collections.
Verbose logs also show the approximate length of time many events take, the number of bytes processed (if applicable), and other relevant metrics.
For more information see the IBM Java performance page:
http://www-01.ibm.com/support/knowledgecenter/SSYKE2_6.0.0/com.ibm.java.doc.diagnostics.60/diag/tools/gcpd_verbosegc.html
The Java Performance Advisor is an automated Java testing tool and can be downloaded from:
https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Power%20Systems/page/Java%20Performance%20Advisor%20%28JPA%29
NISTIR 7966 (Draft). Security of Automated Access. Management Using Secure Shell.
NIST (National Institute of Standards and Technology) has just published a draft version of their view on the correct way (best practices) to manage SSH keys:
http://csrc.nist.gov/publications/drafts/nistir-7966/nistir_7966_draft.pdf
http://csrc.nist.gov/publications/drafts/nistir-7966/nistir_7966_draft.pdf
Tuesday 26 August 2014
Mounting a Windows filesystem on AIX
A lot of people don't realise that there are two optional AIX filesets on the Expansion DVD that enable you to mount a CIFS filesystem on AIX:
bos.cifs_fs.rte Runtime for SMBFS
bos.cifs_fs.smit SMIT Interface for SMBFS
Once installed you have to reboot your server to activate the kernel extension.
You should now see that the mount command now accepts the "-v cifs" argument, and that smitty mount also has CIFS as a valid choice from the F4 popup.
Example:
# mount -v cifs -n laptop/Andrew/Password /Users /mnt
# df /mnt
Filesystem 512-blocks Free %Used Iused %Iused Mounted on
laptop:/Users 1916172280 967849240 50% 0 0% /mnt
# ls -l /mnt
total 5
drwxr-xr-x 1 root system 16384 Aug 25 08:38 Andrew
drwxr-xr-x 1 root system 16384 May 27 09:20 Backup
drwxr-xr-x 1 root system 16384 Aug 30 2013 Default
drwxr-xr-x 1 root system 16384 Jun 04 09:57 Public
drwxr-xr-x 1 root system 16384 Jan 29 2014 andre_000
-rwxr-xr-x 1 root system 174 Aug 22 2013 desktop.ini
See the mount manual page for more options.
If you have the "samba-client" fileset installed you can also see what your Windows machines are sharing e.g.
# smbclient -L //laptop -U Andrew
Enter Andrew's password:
Domain=[LAPTOP] OS=[Windows 8.1 9600] Server=[Windows 8.1 6.3]
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
print$ Disk Printer Drivers
Users Disk
Domain=[LAPTOP] OS=[Windows 8.1 9600] Server=[Windows 8.1 6.3]
Server Comment
--------- -------
Workgroup Master
--------- -------
bos.cifs_fs.rte Runtime for SMBFS
bos.cifs_fs.smit SMIT Interface for SMBFS
Once installed you have to reboot your server to activate the kernel extension.
You should now see that the mount command now accepts the "-v cifs" argument, and that smitty mount also has CIFS as a valid choice from the F4 popup.
Example:
# mount -v cifs -n laptop/Andrew/Password /Users /mnt
# df /mnt
Filesystem 512-blocks Free %Used Iused %Iused Mounted on
laptop:/Users 1916172280 967849240 50% 0 0% /mnt
# ls -l /mnt
total 5
drwxr-xr-x 1 root system 16384 Aug 25 08:38 Andrew
drwxr-xr-x 1 root system 16384 May 27 09:20 Backup
drwxr-xr-x 1 root system 16384 Aug 30 2013 Default
drwxr-xr-x 1 root system 16384 Jun 04 09:57 Public
drwxr-xr-x 1 root system 16384 Jan 29 2014 andre_000
-rwxr-xr-x 1 root system 174 Aug 22 2013 desktop.ini
See the mount manual page for more options.
If you have the "samba-client" fileset installed you can also see what your Windows machines are sharing e.g.
# smbclient -L //laptop -U Andrew
Enter Andrew's password:
Domain=[LAPTOP] OS=[Windows 8.1 9600] Server=[Windows 8.1 6.3]
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
print$ Disk Printer Drivers
Users Disk
Domain=[LAPTOP] OS=[Windows 8.1 9600] Server=[Windows 8.1 6.3]
Server Comment
--------- -------
Workgroup Master
--------- -------
Monday 25 August 2014
Managing you cron logs
Previous versions of AIX would keep writing to the same cronlog until either the disk filled, you restarted the process, or manually managed the file. AIX 6.1 introduced the "/etc/cronlog.conf" configuration file and it is now possible to automatically limit the size of the log file an to automatically rotate versions e.g.
logfile=/var/adm/cron.log
size=100K
rotate=4
archive=/usr/home
compress
Will write to "cron.log" and automatically rotate and compress it:
# ls -l /var/adm/cron.log*
-rw-rw-r-- 1 root cron 79986 Aug 25 14:00 /var/adm/cron.log
-rw-rw-r-- 1 root cron 15301 Aug 12 13:40 /var/adm/cron.log.0.Z
-rw-rw-r-- 1 root cron 15018 Aug 16 11:45 /var/adm/cron.log.1.Z
-rw-rw-r-- 1 root cron 14334 Aug 18 13:45 /var/adm/cron.log.2.Z
-rw-rw-r-- 1 root cron 14878 Aug 21 06:40 /var/adm/cron.log.3.Z
logfile=/var/adm/cron.log
size=100K
rotate=4
archive=/usr/home
compress
Will write to "cron.log" and automatically rotate and compress it:
# ls -l /var/adm/cron.log*
-rw-rw-r-- 1 root cron 79986 Aug 25 14:00 /var/adm/cron.log
-rw-rw-r-- 1 root cron 15301 Aug 12 13:40 /var/adm/cron.log.0.Z
-rw-rw-r-- 1 root cron 15018 Aug 16 11:45 /var/adm/cron.log.1.Z
-rw-rw-r-- 1 root cron 14334 Aug 18 13:45 /var/adm/cron.log.2.Z
-rw-rw-r-- 1 root cron 14878 Aug 21 06:40 /var/adm/cron.log.3.Z
Sunday 24 August 2014
AIX Introductory videos
Here are some nice short Youtube videos that give a nice gentle introduction to AIX:
https://www.youtube.com/playlist?list=PL9B56AF2EBE0F1432
https://www.youtube.com/playlist?list=PL9B56AF2EBE0F1432
Wednesday 20 August 2014
Check an RPM dependencies without having to install it
I have lost count of the number of times I have tried to install an RPM only to find that it has lots of dependencies and it takes a dozen or so attempts before I get to install it. If you use the "-qpR" flag you can actually see the contents of a package and its dependencies just by examining the RPM.
In this example you should only need to install "krb5-libs".
# rpm -qpR ./krb5-workstation-1.9.4-1.aix5.1.ppc.rpm
krb5-libs = 1.9.4-1
/sbin/install-info
info
/bin/sh
/bin/sh
libc.a(shr.o)
libcom_err.so
libgssapi_krb5.so
libgssrpc.so
libk5crypto.so
libkadm5clnt_mit.so
libkadm5srv_mit.so
libkdb5.so
libkrb5.so
libkrb5support.so
libpthreads.a(shr_comm.o)
libpthreads.a(shr_xpg5.o)
librtl.a(shr.o)
In this example you should only need to install "krb5-libs".
# rpm -qpR ./krb5-workstation-1.9.4-1.aix5.1.ppc.rpm
krb5-libs = 1.9.4-1
/sbin/install-info
info
/bin/sh
/bin/sh
libc.a(shr.o)
libcom_err.so
libgssapi_krb5.so
libgssrpc.so
libk5crypto.so
libkadm5clnt_mit.so
libkadm5srv_mit.so
libkdb5.so
libkrb5.so
libkrb5support.so
libpthreads.a(shr_comm.o)
libpthreads.a(shr_xpg5.o)
librtl.a(shr.o)
Remember to include a disclaimer in your herald
Many people forget to change the default "Welcome to AIX" login message, and message of the day and leave themseleves open to attackers claiming that they did not know this was a private system.
You should always change both the "/etc/security/login.cfg" and "/etc/motd" files because one is displayed before you login, and the other after you login.
# chsec -f /etc/security/login.cfg -s default -a herald="This is a private system\n\rLogin: "
If you are using Secure Shell:
1. create a login banner file.
# vi /etc/ssh/sshd-banner
2. Edit the sshd_config file.
# vi /etc/sshd/sshd_config
3. Add/edit the following line:
Banner /etc/ssh/sshd-banner
4. Restart the SSH daemon
# stopsrc -s sshd ; startsrc –s sshd
You should always change both the "/etc/security/login.cfg" and "/etc/motd" files because one is displayed before you login, and the other after you login.
# chsec -f /etc/security/login.cfg -s default -a herald="This is a private system\n\rLogin: "
If you are using Secure Shell:
1. create a login banner file.
# vi /etc/ssh/sshd-banner
2. Edit the sshd_config file.
# vi /etc/sshd/sshd_config
3. Add/edit the following line:
Banner /etc/ssh/sshd-banner
4. Restart the SSH daemon
# stopsrc -s sshd ; startsrc –s sshd
Tuesday 19 August 2014
An interesting book?
I have just finished reading the book "The decline and fall of IBM an American Idol".
It gives a very interesting account of the way in which IBM has changed since the days of the Watson dynasty, and highlights many of the problems faced by it today. I have to say that whilst I do agree with much of what the author says, I think that the second half of the book, which is little more than a collection of anonymous email rants is a bit tedious.
For those of you with a Kindle or the program on your laptop or tablet, you can find it here:
http://www.amazon.co.uk/Decline-Fall-IBM-American-Icon-ebook/dp/B00KRHWZ22/
It gives a very interesting account of the way in which IBM has changed since the days of the Watson dynasty, and highlights many of the problems faced by it today. I have to say that whilst I do agree with much of what the author says, I think that the second half of the book, which is little more than a collection of anonymous email rants is a bit tedious.
For those of you with a Kindle or the program on your laptop or tablet, you can find it here:
http://www.amazon.co.uk/Decline-Fall-IBM-American-Icon-ebook/dp/B00KRHWZ22/
Monday 18 August 2014
A simpler alternative HMC management interface
This project provides a simpler alternative command-line and menu-driven interface for managing your HMC: http://ezh.sourceforge.net/
Sunday 17 August 2014
An interesting alternative to DSH
ClusterSSH is a graphical cluster administration tool that runs from your Linux graphical desktop. Once you install the RPMs, share your pulic SSH keys, and define a cluster in "/etc/clusters", you can enter a command in the central console and it will be run siumultaneously on all the clients.
The software is a little quirky at present because you see all the terminals open on the desktop and the results appear on each screen as it is executed, however later versions may improve on this.
For more details and installation instructions see: http://www.unixmen.com/clusterssh-manage-multiple-ssh-sessions-on-linux/
This utility could help act as an AIX to Linux migration aid?
The software is a little quirky at present because you see all the terminals open on the desktop and the results appear on each screen as it is executed, however later versions may improve on this.
For more details and installation instructions see: http://www.unixmen.com/clusterssh-manage-multiple-ssh-sessions-on-linux/
This utility could help act as an AIX to Linux migration aid?
Wednesday 13 August 2014
Using Splitvg to make backups
If you need to backup a logical volume or volume group with the minimum amount of downtime the easiest way is to mirror it and then create a snapshot as follows:
mirrorvg [ -S | -s ] [ -Q ] [ -c copies] [ -m ] [ -p copyn=mirrorpool ] volumegroup [ physicalvolume ... ]
Now split off a copy of the mirror using the splitvg command
splitvg [ -y SnapVGname ] [ -c Copy ] [ -f ] [ -i ] VGname
This splits a single mirror copy of a fully mirrored volume group into a snapshot volume group. The original volume group VGname will stop using the disks that are now part of the snapshot volume group SnapVGname.
This method can also be used to split-off copies of one or more logical-volumes.
mirrorvg [ -S | -s ] [ -Q ] [ -c copies] [ -m ] [ -p copyn=mirrorpool ] volumegroup [ physicalvolume ... ]
Now split off a copy of the mirror using the splitvg command
splitvg [ -y SnapVGname ] [ -c Copy ] [ -f ] [ -i ] VGname
This splits a single mirror copy of a fully mirrored volume group into a snapshot volume group. The original volume group VGname will stop using the disks that are now part of the snapshot volume group SnapVGname.
This method can also be used to split-off copies of one or more logical-volumes.
Splitting copies of a logical volume
The splitlvcopy
command splits copies from one logical volume and creates a new and separate
logical volume from them. The general syntax of the splitlvcopy command is as follows:
splitlvcopy [ -f ] [ -y NewLogicalVolumeName
] [ -Y Prefix ] LogicalVolume
Copies [ PhysicalVolume ... ]
To split one copy of each logical partition
belonging to the logical volume named
“oldlv” which currently has 3 copies of
each logical partition, and create the logical volume “newlv”, use the splitlvcopy command as follows:
# splitlvcopy -y newlv oldlv 2
Each logical partition in the logical
volume “oldlv” now has two physical partitions.
Each logical partition in the logical
volume “newlv” now has one physical partition.
Mirroring is an LVM task that you perform
only on logical volumes to migrate data. The following example shows how to
create a mirror copy of a logical volume using the mklvcopy command:
# mklvcopy -e m -s y -k datalv 2 hdisk3 hdisk7
.
.
# splitlvcopy -y splitlv datalv 1
Importing a new Volume Group
Accidentally importing a disk that has a root volume group can have disasterous results on your AIX system because it renames the logical-volumes required to boot your system, therefore you should know something about a disk or disks before you attempt to import them.
Here are some handy LVM commands that help you to see what is on a disk(s) without importing:
List the maximum number of logical volumes allowed in the VG
# lqueryvg -p PVname -N
Show the PP size ?
# lqueryvg -p PVname -s
Show the number of free PPs in the VG
# lqueryvg -p PVname -F
Show the current number of LVs in the VG
# lqueryvg -p PVname -n
List the current number of PVs in the VG
# lqueryvg -p PVname -c
Display the total number of VGDAs for the VG
# lqueryvg -p PVname -D
List each LVID, LV name, state for each logical volume
# lqueryvg -p PVname -l
List each PVID, number of VGDAs and state for each PV in the VG
# lqueryvg -p PVname -P
List all the attributes with tags for the vG
# lqueryvg -p PVname -At
Show a physical volume' VGID
# lqueryvg -p PVname -v
Move a physical partition
# lmigratepp -g VGID -p old_PVID -n old_PPNum -P new_PVID -N new_PPNum
Retrive the VG name for a particular LV from ODM
# getlvodm -b LVID
Retrive all configured PVs from ODM
# getlvodm -C
Retrive the major number for a VGID from ODM
# getlvodm -d VGID
Retrive the logical volume allocation characteristics for a LVID from ODM
# getlvodm -c LVID
Retrive the free configured PVs from ODM
# getlvodm -F
Retrive the strip size for a LVID from ODM
# getlvodm -F LVID
Retrive the PV name for a PVID from ODM
# getlvodm -g PVID
Retrive all VG names from the ODM
# getlvodm -h
Retrive the VGID for a PVID from ODM
# getlvodm -j PVID
Retrive the LVs and LVIDs for a VG name or VGID from ODM
# getlvodm -L VGDescriptor
Retrive the LVID/LV Name for a LV Name or LVID from ODM
# getlvodm -l LVDescriptor
Retrive the mount point for a LVID from ODM
# getlvodm -m LVID
Retrive the stripe width for a LVID from ODM
# getlvodm -N LVID
Retrive the PVID/PN name for a PV name or PVID from ODM
# getlvodm -p PVDesciptor
Retrive the PV names, PVIDs and VGs of all configured PVs from ODM
# getlvodm -P
Retrive the relocatable flag for a LVID from ODM
# getlvodm -r LVID
Retrive the VG state for a VG from ODM
# getlvodm -s VGDescriptor
Retrive the timestamp for a VG from ODM
# getlvodm -T VGDescriptor
Retrive the VG name for a VGID from ODM
# getlvodm -t VGID
Retrive the auto-on value for a VG name or VGID from ODM
# getlvodm -v VGDesciptor
Retrive the VGID for a vG name
# getlvodm -v VGDesciptor
Retrive the PV names and PVIDs for a VG from ODM
# getlvodm -w VGDesciptor
How to retrive the LV type for a LVID from ODM
# getlvodm -y LVID
How to retrive the concurrent capable flag for a VG from ODM
# getlvodm -X VGDescriptor
How to retrive the auto-on concurrent flag for a VG from ODM
# getlvodm -x VGDescriptor
Display the contents of LVCB
# getlvcb -A LVName
List the number of copies of a LV from LVCB
# getlvcb -c LVName
List the file system name of a LV from LVCB
# getlvcb -f LVName
List the label of a LV from LVCB
# getlvcb -L LVName
Display the type of the file system from LVCB
# getlvcb -t LVName
Display the upper limit from LVCB
# getlvcb -u LVName
Here are some handy LVM commands that help you to see what is on a disk(s) without importing:
List the maximum number of logical volumes allowed in the VG
# lqueryvg -p PVname -N
Show the PP size ?
# lqueryvg -p PVname -s
Show the number of free PPs in the VG
# lqueryvg -p PVname -F
Show the current number of LVs in the VG
# lqueryvg -p PVname -n
List the current number of PVs in the VG
# lqueryvg -p PVname -c
Display the total number of VGDAs for the VG
# lqueryvg -p PVname -D
List each LVID, LV name, state for each logical volume
# lqueryvg -p PVname -l
List each PVID, number of VGDAs and state for each PV in the VG
# lqueryvg -p PVname -P
List all the attributes with tags for the vG
# lqueryvg -p PVname -At
Show a physical volume' VGID
# lqueryvg -p PVname -v
Move a physical partition
# lmigratepp -g VGID -p old_PVID -n old_PPNum -P new_PVID -N new_PPNum
Retrive the VG name for a particular LV from ODM
# getlvodm -b LVID
Retrive all configured PVs from ODM
# getlvodm -C
Retrive the major number for a VGID from ODM
# getlvodm -d VGID
Retrive the logical volume allocation characteristics for a LVID from ODM
# getlvodm -c LVID
Retrive the free configured PVs from ODM
# getlvodm -F
Retrive the strip size for a LVID from ODM
# getlvodm -F LVID
Retrive the PV name for a PVID from ODM
# getlvodm -g PVID
Retrive all VG names from the ODM
# getlvodm -h
Retrive the VGID for a PVID from ODM
# getlvodm -j PVID
Retrive the LVs and LVIDs for a VG name or VGID from ODM
# getlvodm -L VGDescriptor
Retrive the LVID/LV Name for a LV Name or LVID from ODM
# getlvodm -l LVDescriptor
Retrive the mount point for a LVID from ODM
# getlvodm -m LVID
Retrive the stripe width for a LVID from ODM
# getlvodm -N LVID
Retrive the PVID/PN name for a PV name or PVID from ODM
# getlvodm -p PVDesciptor
Retrive the PV names, PVIDs and VGs of all configured PVs from ODM
# getlvodm -P
Retrive the relocatable flag for a LVID from ODM
# getlvodm -r LVID
Retrive the VG state for a VG from ODM
# getlvodm -s VGDescriptor
Retrive the timestamp for a VG from ODM
# getlvodm -T VGDescriptor
Retrive the VG name for a VGID from ODM
# getlvodm -t VGID
Retrive the auto-on value for a VG name or VGID from ODM
# getlvodm -v VGDesciptor
Retrive the VGID for a vG name
# getlvodm -v VGDesciptor
Retrive the PV names and PVIDs for a VG from ODM
# getlvodm -w VGDesciptor
How to retrive the LV type for a LVID from ODM
# getlvodm -y LVID
How to retrive the concurrent capable flag for a VG from ODM
# getlvodm -X VGDescriptor
How to retrive the auto-on concurrent flag for a VG from ODM
# getlvodm -x VGDescriptor
Display the contents of LVCB
# getlvcb -A LVName
List the number of copies of a LV from LVCB
# getlvcb -c LVName
List the file system name of a LV from LVCB
# getlvcb -f LVName
List the label of a LV from LVCB
# getlvcb -L LVName
Display the type of the file system from LVCB
# getlvcb -t LVName
Display the upper limit from LVCB
# getlvcb -u LVName
Tuesday 12 August 2014
AIX signals
Have you ever wondered what the kill signals do, well simply enter: kill -l for a list:
# kill -l
1) HUP 14) ALRM 27) MSG 40) bad trap 53) bad trap
2) INT 15) TERM 28) WINCH 41) bad trap 54) bad trap
3) QUIT 16) URG 29) PWR 42) bad trap 55) bad trap
4) ILL 17) STOP 30) USR1 43) bad trap 56) bad trap
5) TRAP 18) TSTP 31) USR2 44) bad trap 57) bad trap
6) LOST 19) CONT 32) PROF 45) bad trap 58) bad trap
7) EMT 20) CHLD 33) DANGER 46) bad trap 59) bad trap
8) FPE 21) TTIN 34) VTALRM 47) bad trap 60) GRANT
9) KILL 22) TTOU 35) MIGRATE 48) bad trap 61) RETRACT
10) BUS 23) IO 36) PRE 49) bad trap 62) SOUND
11) SEGV 24) XCPU 37) bad trap 50) bad trap 63) SAK
12) SYS 25) XFSZ 38) bad trap 51) bad trap
13) PIPE 26) bad trap 39) bad trap 52) bad trap
AIX also has a killall command that any user can run to kill all of his or her processes. The syntax is:
# killall <-Signal>
To list all the signal actions defined for process 11928, enter:
# procsig <Process>
HUP caught
INT caught
QUIT caught
ILL caught
TRAP caught
ABRT caught
EMT caught
FPE caught
KILL default RESTART
BUS caught
..
..
To see the current working directory for a process:
# procwdx 88473628847362: /home/root/
# kill -l
1) HUP 14) ALRM 27) MSG 40) bad trap 53) bad trap
2) INT 15) TERM 28) WINCH 41) bad trap 54) bad trap
3) QUIT 16) URG 29) PWR 42) bad trap 55) bad trap
4) ILL 17) STOP 30) USR1 43) bad trap 56) bad trap
5) TRAP 18) TSTP 31) USR2 44) bad trap 57) bad trap
6) LOST 19) CONT 32) PROF 45) bad trap 58) bad trap
7) EMT 20) CHLD 33) DANGER 46) bad trap 59) bad trap
8) FPE 21) TTIN 34) VTALRM 47) bad trap 60) GRANT
9) KILL 22) TTOU 35) MIGRATE 48) bad trap 61) RETRACT
10) BUS 23) IO 36) PRE 49) bad trap 62) SOUND
11) SEGV 24) XCPU 37) bad trap 50) bad trap 63) SAK
12) SYS 25) XFSZ 38) bad trap 51) bad trap
13) PIPE 26) bad trap 39) bad trap 52) bad trap
AIX also has a killall command that any user can run to kill all of his or her processes. The syntax is:
# killall <-Signal>
To list all the signal actions defined for process 11928, enter:
# procsig <Process>
HUP caught
INT caught
QUIT caught
ILL caught
TRAP caught
ABRT caught
EMT caught
FPE caught
KILL default RESTART
BUS caught
..
..
To see the current working directory for a process:
# procwdx 88473628847362: /home/root/
To display the current stack of process 11928, enter:
# procstack 11928
8847362: -ksh
0xd022da40 waitpid(??, ??, ??) + 0x1c0
0x1000945c job_wait(??) + 0xfc
0x10029ef0 xec_switch(??, ??, ??, ??, ??) + 0x4d0
0x1002ba70 sh_exec(??, ??, ??) + 0x3f0
0x100016f8 exfile() + 0x498
0x100008ac main(??, ??) + 0x58c
0x10000168 __start() + 0x68
0xd022da40 waitpid(??, ??, ??) + 0x1c0
0x1000945c job_wait(??) + 0xfc
0x10029ef0 xec_switch(??, ??, ??, ??, ??) + 0x4d0
0x1002ba70 sh_exec(??, ??, ??) + 0x3f0
0x100016f8 exfile() + 0x498
0x100008ac main(??, ??) + 0x58c
0x10000168 __start() + 0x68
Monday 11 August 2014
Removing Sockets
If a client-server application hangs you may need to kill it and remove the connection before you can try again. In this case you also need to remove the hung socket, rather than waiting for it to time-out and CLOSE_WAITs will not go away unless you boot the system. They also consume lot of CPU and can cause the system to hang.
# netstat -Aan
shows you the partners of the session, the routing table is used to determine which adapter is to be used to get that packet across the network to the partner
Once you have the client and server addresses you can run: netstat -rn and see which route rule is taken. The entry to the left to the "IF" Column tells you which which adapter is being used.
Now from the rmsock you determined that the process of that established connection is a process call MTproc (could be anything) with a pid of nnnnn that has to use enI (from IF column) to send packet.
If there are no rules than the default applies
Assuming your server ip address is 12.46.67.8 and the TCPCB address you used is something like
f1000e0001a413b8 tcp4 0 0 12.46.67.8.45179 12.46.67.182 ESTABLISHED
# rmsock f1000e0001a413b8 tcpcb. Tels you the process is MTproc
Now check the "IF" column in the netstat -rn output and see which adapter is being used.
Next use the rmsock command to check who is holding the process.
# rmsock <addr of PCB> tcpcb
It can also checked as follows:
# netstat -Aan | grep 2100
f1000e0000da93b0 tcp4 0 0 127.0.0.1.2100 *.* LISTEN
f1000e0000d9b600 udp4 0 0 127.0.0.1.2100 *.*
f1000e0000662100
f1000e000066e008 stream 0 0 0 f1000e0000662100 0 0
# rmsock f1000e0000da93b0 tcpcb
The socket 0xda9008 is being held by proccess 4653166
# ps -fp 4653166
user 4653166 1 0 05:41:12 pts/1 0:00 /MYAPPXXX
Killing this process should release the socket.
# netstat -Aan
shows you the partners of the session, the routing table is used to determine which adapter is to be used to get that packet across the network to the partner
Once you have the client and server addresses you can run: netstat -rn and see which route rule is taken. The entry to the left to the "IF" Column tells you which which adapter is being used.
Now from the rmsock you determined that the process of that established connection is a process call MTproc (could be anything) with a pid of nnnnn that has to use enI (from IF column) to send packet.
If there are no rules than the default applies
Assuming your server ip address is 12.46.67.8 and the TCPCB address you used is something like
f1000e0001a413b8 tcp4 0 0 12.46.67.8.45179 12.46.67.182 ESTABLISHED
# rmsock f1000e0001a413b8 tcpcb. Tels you the process is MTproc
Now check the "IF" column in the netstat -rn output and see which adapter is being used.
Next use the rmsock command to check who is holding the process.
# rmsock <addr of PCB> tcpcb
It can also checked as follows:
# netstat -Aan | grep 2100
f1000e0000da93b0 tcp4 0 0 127.0.0.1.2100 *.* LISTEN
f1000e0000d9b600 udp4 0 0 127.0.0.1.2100 *.*
f1000e0000662100
f1000e000066e008 stream 0 0 0 f1000e0000662100 0 0
# rmsock f1000e0000da93b0 tcpcb
The socket 0xda9008 is being held by proccess 4653166
# ps -fp 4653166
user 4653166 1 0 05:41:12 pts/1 0:00 /MYAPPXXX
Killing this process should release the socket.
Subscribe to:
Posts (Atom)