Skip to main content

VIO Server Update Tips and Tricks

Last month I presented on VIOS Top Tips to the Power Virtual Users Group. During and after that presentation I picked up some tips that I would like to share here. Many thanks to those who asked questions and provided suggestions during the session. Further reading added a few more tips as well. The tips below are for VIO servers that are not running in an SSP cluster. If you’re using an SSP cluster then please pay careful attention to the instructions in the readme file specific to SSPs.

1. Taking a Snap for a VIO Server

As padmin
snap

This creates /home/padmin/snap.pax.Z. You will need to rename this file to TS????.snap.pax.X where TS???? is the problem number for the case you open with IBM. You can then upload the snap to IBM.

For dual VIO, you should take a snap on both VIO servers so IBM gets the complete picture.

2. Preparing for Updates

I always do my updates by logging into the VIO server via the HMC. I ssh to the HMC then use vtmenu to get a list of servers and LPARs and select the VIO server I want to work on. That protects me if something happens to the network on the VIO during my updates. Additionally, although all of my updates live on an NFS server I copy them into a local filesystem and do the update from there.  This protects me if there is a network or NFS issue during the update process.
I also always take a clone before I start. I have a second disk in the system that I use for this.

# lspv | grep root
hdisk1          00c47b30dbc9df98                    altinst_rootvg
hdisk2          00c47b309395f3d4                    rootvg          active

To take the clone I do the following:

exportvg altinst_rootvg
alt_disk_copy -V -B -d hdisk1

If I have to back out later then I set the bootlist to hdisk1 and reboot the VIO on the old version. If your rootvg is mirrored, then you can unmirror it and take a clone to the disk that was freed up.

3. updateios Command

Most of us are familiar with the updateios command. This is how we put on updates to a VIO server within a version (i.e. v3.0 to 3.1). This is typically done using the updateios -dev /path -install command. I put all my VIOS updates into a directory and run updateios against that.

updateios -dev /updates/vios31314 -install -accept

I also do my SSH, SSL and Java updates the same way:

updateios -dev /updates/javasshssl -install -accept

Until recently I didn’t use updateios for putting on efixes, but it turns out that you can and should install efixes that way.

On VIO 3.1.3.14 there is a patch for lscore which can be downloaded from:
ftp.software.ibm.com/aix/ifixes.security/lscore_fix.tar

Now I put the efix into its own directory (only copy the epkg.Z file for 3.1.3.14). To determine the correct file open the Advisory.asc file and search for the level you are running. In my case it is 3.1.3.14 and there is a line in the file that shows:

3.1.3.14    IJ36810s3a.211217.epkg.Z  key_w_fix

So the file I need to copy into a directory is: IJ36810s3a.211217.epkg.Z.

Now point at that directory as follows:

cd /usr/local/software/lscore_fix
# ls -l
-rw-r-----    1 root     staff         21670 Feb 04 16:01 IJ36810s3a.211217.epkg.Z

exit to padmin
updateios -commit
updateios -install -accept -dev /usr/local/software/flrtfixes/lscore_fix-vio

On VIO 3.1.3.14 there are two efixes that are needed (as of 2/7/2022)—the one for lscore above and openssh_fix14. You can still use emgr to check these are installed as follows:

# emgr -P
PACKAGE                                                  INSTALLER   LABEL
======================================================== =========== ==========
bos.rte.security                                         installp    IJ36810s3a
openssh.base.client                                      installp    41617s9a
openssh.base.server                                      installp    41617s9a
 
# emgr -l
ID  STATE LABEL      INSTALL TIME      UPDATED BY ABSTRACT
=== ===== ========== ================= ========== ======================================
1    S    IJ36810s3a 02/04/22 16:36:11            IJ36810 Potential security issue
2    S    41617s9a   02/04/22 16:38:26            Ifix for CVE-2021-41617

Prior to any updates (efix or other) you should always run a commit to make sure everything is committed:

 updateios -commit

For updates you should also remove any efixes. That way your update won’t fail due to a locked fileset. Once the update is installed and committed you can run FLRTVC (Fix level recommendation tool vulnerability checker) to determine which efixes need to be installed.

To remove an efix you can also use updateios.

First run lssw to make sure you have the label correct.

At the very end I currently see:

ID  STATE LABEL      INSTALL TIME      UPDATED BY ABSTRACT
=== ===== ========== ================= ==========
1    S    IJ36810s3a 02/04/22 16:36:11            IJ36810 Potential security issue
2    S    41617s9a   02/04/22 16:38:26            Ifix for CVE-2021-41617

To remove the SSH fix I would use:

updateios -remove 41617s9a

If your update fails don’t forget to run “updateios -cleanup” to make sure you clean up.

The log file for efixes will be in /var/adm/ras/emgr.log even though you are using updateios to install the fixes.

4. Java, SSH and SSL

These need to be updated regularly. Java patches can be found at Fix Central and SSH/SSL are found at the AIX Web Download Pack Programs site. You will need an IBM site login id to get them. As of Feb 7, 2022 the latest versions (32 bit and 64 bit) are:

SSH                8.1.102.2104
SSL                1.1.1.1200
Java7             7.0.0.700
Java8             8.0.0.700
There is also a patch for SSH (openssh_fix14) which can be downloaded from IBM at ftp.software.ibm.com/aix/ifixes.security/openssh_fix14.tar.

5. Diagnosing Update Failures

The /home/padmin/install.log file is critical to understanding what happened. If you plan to retry the updateios command then take a copy of this file first as it may get overwritten. In particular look in the file for “Installation Summary for FAILED.” There are many reasons an update can fail including losing your network connection, a bad rootvg disk, insufficient memory, efix or ifix that has locked a fileset, and missing files or directories. You should never get rid of the default directories such as /etc/perf or /home/padmin/config as these (and the files in them) are often used in updates.

6. LWI Nonstop

If you see this running or messages about waiting for it to exit then you still have systems directory installed. If systems director is not being used (which in v3 it is not) then you can remove it.

7. Fixpack Versus Servicepack and Minipack

VIOS 3.1.3.14 is available as either a fixpack or a servicepack. The fixpack allows you to upgrade from v3.1.0.0 to v3.1.3.14. The servicepack (which is really a minipack) only allows the update from v3.1.3.10 to v3.1.3.14. I always download the full fixpack plus any prereqs so am sure I have everything I may need.

Hopefully you find these updates to the tips and tricks helpful. Additional information and links can be found at the IBM Support Portal.

References

  1. VIOS Snap
  2. Uploading VIOS Snap to IBM
  3. updateios
  4. updateios and efixes
  5. FLRTVC
  6. FLRTVC hiper.csv file
  7. IBM Support Portal
  8. IBM Power Virtual User Group
  9. UK PowerVM Virtual User Group
  10. AIX Web Download Pack

Key Enterprises LLC is committed to ensuring digital accessibility for techchannel.com for people with disabilities. We are continually improving the user experience for everyone, and applying the relevant accessibility standards.