IBM PowerVM: Add a virtual Ethernet adapter to an LPAR

A virtual Ethernet adapter is to be added to the LPAR aix01 with IBM PowerVM. The data in detail:

    • HMC: hmc01
    • managed system: ms25
    • LPAR: aix01
    • profile: standard
    • virtual slot number: 4
    • Port-VLAN-ID: 900
    • virtual Ethernet switch: ETHERNET0 (default)
    • additional VLANs: none

The command on the associated HMC hmc01 is:

hscroot@hmc01:~> chhwres -m ms25 -r virtualio --rsubtype eth -o a -p aix01 -s 4 -a 'ieee_virtual_eth=0,port_vlan_id=900'
hscroot@hmc01:~>

If the currently used profile of the LPAR is not automatically synchronized, then the additional virtual Ethernet adapter should also be added to the profile:

hscroot@hmc01:~> chsyscfg -r prof -m ms25 -i 'lpar_name=aix01,name=standard,"virtual_eth_adapters+=""4/0/900///0"""'
hscroot@hmc01:~>

With our LPAR tool, the command to use looks like this:

$ lpar addeth aix01 4 900
$

The current profile is automatically adjusted.

Detailed information on the LPAR tool and virtual Ethernet adapters can be found here: Virtual Ethernet

Error when deleting a SEA

The following SEA on a virtual I/O server is no longer required:

$ lsdev -dev ent48
name             status      description
ent48            Available   Shared Ethernet Adapter
$

Attempting to delete the SEA using rmvdev fails with the following error message:

$ rmvdev -sea ent48

Some error messages may contain invalid information
for the Virtual I/O Server environment.

Method error (/usr/lib/methods/ucfgcommo):
        0514-062 Cannot perform the requested function because the
                 specified device is busy.

$

The SEA is still in use. One possibility is the use of LLDP. This can be checked with the lsdev command:

$ lsdev -dev ent48 -attr lldpsvc
value

yes
$

In this case LLDP is active on the SEA and must first be stopped before the SEA can be deleted. Stopping LLDP on the SEA can easily be done by changing the lldpsvc attribute to the value “no”:

$ chdev -dev ent48 -attr lldpsvc=no
ent48 changed
$

Another attempt to delete the SEA ent48 is now successful:

$ rmvdev -sea ent48
ent48 deleted
$

More information on SEAs can be found here: Shared Ethernet Adapter

Download AIX ISO images from IBM

This post shows how to download AIX installation ISO images from the IBM Entitled Systems Support website. A valid IBMid and a current IBM software maintenance agreement (SWMA) are required for the download. As an example we show the download of the AIX installation ISO images for AIX 7.2 TL5. However, ISO images for other AIX versions or other software, e.g. PowerHA, can also be downloaded in the same way.

AIX and other software can be downloaded from the IBM Entitled Systems Support website. The URL for the website is:

https://www.ibm.com/servers/eserver/ess

[Figure: IBM Entitled Systems Support (ESS). Click on “Log in” to log into IBM Entitled Systems Support (ESS).]

In order to log in, you need a valid IBMid and a valid software maintenance contract. After clicking on the blue “Log in” button, a login mask appears.

[Figure: Entitled Systems Support (ESS) Log in. Specify the IBMid and then click the “Continue” button.]

After entering a valid IBMid and confirming with the “Continue” button, you will be asked for a password.

[Figure: Entitled Systems Support (ESS) Password. After entering the password, log in with the “Log in” button.]

After entering the password, the main page of Entitled Systems Support appears.

[Figure: Entitled Systems Support. “My Entitled Software” can be selected to download software.]

“My Entitled Software” should be selected to download software.

[Figure: ESS My Entitled Software. To download AIX or other software, the “Software Downloads” link must be selected.]

From the displayed selection of options, the “Software Downloads” link should be clicked.

[Figure: ESS Software Downloads. Select category “AIX” and group “V7R2 (GA)” for AIX 7.2. Then click on the magnifying glass.]

The software to be downloaded can be selected either by specifying the category, or the machine type, or by directly selecting a product. We show the variant “By category”, by selecting the category “AIX” and the desired version “V7R2 (GA)” for AIX 7.2.

[Figure: ESS AIX 7.2 TL Support. To download a specific AIX 7.2 TL, “AIX 7.2 TL support” should be selected and then the selection should be confirmed with the “Continue” button.]

From the list of available “AIX 7.2” products, “AIX 7.2 TL support” should be selected.

[Figure: ESS AIX 7.2 TL5. Select AIX 7.2 TL 05 and confirm with “Continue”.]

From the list of available packages, the package for the desired TL (AIX 7.2 TL05) should be selected. Pressing the “Continue” button confirms the selection.

Before the software can finally be downloaded, IBM’s general terms and conditions must be confirmed.

[Figure: ESS Software Downloads Terms and Conditions. The general terms and conditions must be confirmed here.]

Next you have to select whether the download should be done via the browser or with the help of the download director. We have decided to download using a browser.

[Figure: ESS Software Download method. We select download with the browser and confirm with “Continue”.]

Next, the available images are displayed. We select the install images “AIX v7.2 Install DVD 1”, “AIX v7.2 Install DVD 2” and “AIX v7.2 Install flash”.

[Figure: ESS Software Download Start. Start the download of the AIX 7.2 TL5 ISO images by clicking “AIX v7.2 Install DVD 1” and “AIX v7.2 Install DVD 2”.]

The progress of the download can be followed via the browser:

[Figure: ESS Software Download Progress. Download progress via the browser.]

PowerHA, PowerVM or any other software can be downloaded in the same way via IBM Entitled Systems Support (ESS). However, a valid software maintenance contract for the corresponding software is always required.

LPAR tool: Console


A console can be opened for an LPAR at any time using the LPAR tool:

$ lpar console lpar01
Open in progress
Open completed.
PowerPC Firmware
SMS 1.7 (c) Copyright IBM Corp. 2000,2008 All rights reserved.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Main Menu
1. Select Language
2. Setup Remote IPL (Initial Program Load)
3. Change SCSI Settings
4. Select Console
5. Select Boot Options
…

To terminate a console session, the escape sequence “~.” is used.

Some LPAR tool commands support opening a console via the “-c” (console) option:

    • Activating an LPAR with “lpar activate -c”.
    • Shutting down an LPAR with “lpar shutdown -c”.
    • Shutting down the operating system with “lpar osshutdown -c”.
    • Initiating a system dump for an LPAR with “lpar dumprestart -c”.

A presentation on the subject can be found here: Console with the LPAR tool

ANS1592E Failed to initialize SSL protocol.

During a TSM operation, the following error message occurs:

# dsmc q sess -se=TSM01
IBM Spectrum Protect
Command Line Backup-Archive Client Interface
  Client Version 8, Release 1, Level 9.0
  Client date/time: 12/09/22   08:33:24
(c) Copyright by IBM Corporation and other(s) 1990, 2019. All Rights Reserved.

Node Name: aixdbt01
ANS1592E Failed to initialize SSL protocol.

#

A possible cause is the missing certificate of the associated TSM instance, in the above case TSM01. The missing certificate can be found on the TSM server in the directory of the instance. The instance directory is usually given to the TSM server process (dsmserv) when it is started with the “-i” option:

# ps -ef|grep dsmser[v]
   tsm01 29295008        1 1198   Nov 08      - 54389:56 /opt/tivoli/tsm/server/bin/dsmserv -i /appdata/cf/TSM01 -o /appdata/cf/TSM01/TSM01.opt -q
#

In this case /appdata/cf/TSM01 is the instance directory. This directory contains the instance’s certificate in the cert256.arm file:

# ls -l /appdata/cf/TSM01/cert256.arm
-rw-r--r--    1 tsm01    tsm            1164 Apr 13 2021  /appdata/cf/TSM01/cert256.arm
#

The certificate cert256.arm should then be copied to the client system. In the following we assume that it has been copied to /tmp.

The dsmcert command for managing certificates is located under /usr/tivoli/tsm/client/ba/bin64. The certificate can then be installed (added) with the following call:

# cd /usr/tivoli/tsm/client/ba/bin64
# ./dsmcert -add -server TSM01 -file /tmp/cert256.arm
IBM Spectrum Protect
dsmcert utility
  dsmcert Version 8, Release 1, Level 9.0
  dsmcert date/time: 12/09/22   08:44:26
(c) Copyright by IBM Corporation and other(s) 1990, 2019. All Rights Reserved.

Result : Success
#

Subsequent access to the TSM instance using e.g. “dsmc q sess” should then work:

# dsmc q sess -se=TSM01
IBM Spectrum Protect
Command Line Backup-Archive Client Interface
  Client Version 8, Release 1, Level 9.0
  Client date/time: 12/09/22   08:44:55
(c) Copyright by IBM Corporation and other(s) 1990, 2019. All Rights Reserved.

Node Name: aixdbt01
Session established with server TSM01: AIX
  Server Version 8, Release 1, Level 16.000
  Server date/time: 12/09/22   08:44:56  Last access: 12/09/22   03:02:56

IBM Spectrum Protect Server Connection Information

Home Server Name........: TSM01
Server Type.............: AIX
Archive Retain Protect..: "No"
Server Version..........: Ver. 8, Rel. 1, Lev. 16.0
Last Access Date........: 12/09/22   03:02:56
Delete Backup Files.....: "No"
Delete Archive Files....: "No"
Deduplication...........: "Server Only"

Node Name...............: aixdbt01
User Name...............: root

SSL Information.........: TLSv1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Secondary Server Information
Not configured for failover

#
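
Because the client trusts whatever certificate is added with dsmcert, it is worth confirming that the copy in /tmp is the file from the instance directory before adding it. The following is an added example, not part of the original post: cert_fp, cert_matches and add_verified_cert are hypothetical helper names, and it assumes that cert256.arm is a Base64 (PEM) encoded X.509 certificate and that the openssl command is installed on both systems.

```shell
#!/bin/sh
# Added example (not from the original post): check a copied cert256.arm
# against a fingerprint obtained out of band before trusting it.

# Location of dsmcert as given in the post; overridable for dry runs.
DSMCERT=${DSMCERT:-/usr/tivoli/tsm/client/ba/bin64/dsmcert}

# Print the SHA-256 fingerprint of a PEM certificate as bare upper-case hex.
# Prints nothing if the file is missing or is not a certificate.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null |
        sed -e 's/^.*=//' -e 's/://g' | tr 'a-f' 'A-F'
}

# Succeed only if the certificate in $1 has the expected fingerprint $2.
# $2 may be written with or without colons, in upper or lower case.
cert_matches() {
    expected=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    actual=$(cert_fp "$1")
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# add_verified_cert SERVER FILE EXPECTED_FP
# Runs "dsmcert -add" only when the fingerprint check passes.
add_verified_cert() {
    if cert_matches "$2" "$3"; then
        "$DSMCERT" -add -server "$1" -file "$2"
    else
        echo "fingerprint mismatch for $2, certificate not added" >&2
        return 1
    fi
}

# On the TSM server:  cert_fp /appdata/cf/TSM01/cert256.arm
# On the client:      add_verified_cert TSM01 /tmp/cert256.arm <fingerprint from server>
```

The fingerprint printed on the server should reach the client over a different channel than the certificate file itself, otherwise the comparison proves nothing.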

Manage group membership on AIX with chgrpmem

AIX provides an elegant command to change user group membership: chgrpmem.

As an example we use the users user01, user02, …, and the group mygroup:

$ lsgroup mygroup
mygroup id=225 admin=false users= registry=files
$

The group mygroup currently has no members (users="").

To add the two local users user01 and user02 to the group mygroup, the “-m” (member) option must be used. Then follows a plus sign “+” for add and a comma-separated list of user names. The last argument is the group:

# chgrpmem -m + user01,user02 mygroup
#
# lsgroup mygroup
mygroup id=225 admin=false users=user01,user02 registry=files
#

Using the equal sign “=” instead of the plus sign “+” overwrites the current list of users with the given list of user names:

# chgrpmem -m = user03,user04,user05 mygroup
# 
# lsgroup mygroup
mygroup id=225 admin=false users=user03,user04,user05 registry=files
#
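
Since “=” silently drops every member that is not in the new list, it helps to preview the change first. The following is an added example, not part of the original post: it parses one line of lsgroup output in the format shown above and reports which users a “chgrpmem -m =” call would remove and add. The function names are hypothetical and the sample line is taken from the output above.

```shell
#!/bin/sh
# Added example: preview the effect of "chgrpmem -m = <list> <group>".

# Print the members from one line of lsgroup output, one name per line.
members_of() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^users=//p' |
        tr ',' '\n' | sed '/^$/d' | sort -u
}

# Print the names of list $1 that do not occur in list $2
# (both lists newline-separated).
only_in_first() {
    printf '%s\n' "$1" | while IFS= read -r name; do
        [ -n "$name" ] || continue
        printf '%s\n' "$2" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}

# $1 = lsgroup output line, $2 = comma-separated list intended for "-m =".
preview_replace() {
    current=$(members_of "$1")
    wanted=$(printf '%s\n' "$2" | tr ',' '\n' | sed '/^$/d' | sort -u)
    removed=$(only_in_first "$current" "$wanted" | tr '\n' ',' | sed 's/,$//')
    added=$(only_in_first "$wanted" "$current" | tr '\n' ',' | sed 's/,$//')
    printf 'removed=%s added=%s\n' "$removed" "$added"
}

# Sample input: the lsgroup line from before the "=" call above.
line='mygroup id=225 admin=false users=user01,user02 registry=files'
preview_replace "$line" 'user03,user04,user05'
```

On a live system the first argument would be the output of `lsgroup mygroup`.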

Removing users is done by using a minus sign “-”, e.g. removing user04:

# chgrpmem -m - user04 mygroup
# 
# lsgroup mygroup
mygroup id=225 admin=false users=user03,user05 registry=files
#

However, removing a user from the member list of a group is not always successful! We create the user user06 with primary group mygroup:

# mkuser pgrp=mygroup user06
# 
# lsgroup mygroup
mygroup id=225 admin=false users=user03,user05,user06 registry=files
#

The output of lsgroup shows that user06 is also a member of the group mygroup. However, membership cannot be revoked in this case:

# chgrpmem -m - user06 mygroup
Cannot drop "user06" from primary group "mygroup".
#

A user must always have a primary group! The chgrpmem command can only be used to manage users’ additional memberships. The primary group can only be changed with the chuser command.

Note: The chgrpmem command and the “-a” option can also be used to change the administrators of a group. However, this is rarely used in practice and is therefore not addressed here.

LPAR tool 1.7.0.1 is now available

Version 1.7.0.1 of the LPAR tool is now available in our download area.

The new version supports the following new features, among others:

    • Installation of IFixes and updates on the HMC (hmc help updhmc)
    • System firmware updates (and more) of managed systems (ms help updatelic)
    • Display FLRT data with online query at IBM (hmc help flrt, ms help flrt, lpar help flrt)
    • Configuration of NTP on HMCs (hmc help ntp)

Versions for Linux, AIX and macOS are available.

All versions include a test license valid until September 30th, 2022.

So download, install and then try it out!

show_life_cycle: new URL for FLRT Lite data file

IBM has changed the URL for the FLRT Lite data file. The data file can no longer be obtained from the old URL:

https://www14.software.ibm.com/support/customercare/flrt/liteTable

The new URL is:

https://esupport.ibm.com/customercare/flrt/liteTable

For users of our show_life_cycle script, we have made the updated version of the script with the new URL available in our download area.

(Many thanks to Lutz Leonhardt for the hint.)

View IOS Version as normal User

On a virtual I/O server, the IOS version can be displayed as user padmin using the ioslevel command:

padmin> ioslevel
3.1.2.10
padmin>

As user root (after using oem_setup_env), the IOS version can be shown as follows:

# /usr/ios/cli/ioscli ioslevel
3.1.2.10
#

However, neither command works as a normal, non-privileged user:

$ ioslevel
ksh: ioslevel: not found.
$ /usr/ios/cli/ioscli ioslevel
Access to run command is not valid.

$

The IOS version is simply stored in a text file and can be easily displayed as a normal user with the cat command:

$ cat /usr/ios/cli/ios.level
3.1.2.10
$