AIX Version 6.1 Update - :: :: 데이터 전문가 지식포털 · PDF file · 2008-11-10Open beta provided early access to AIX 6 for over 6000 clients / ISVs No charge upgrade for

The Best Reliable Partner for High Availability

IBM Confidential © Copyright IBM Corporation 2008

AIX Version 6.1 Update

하순권 전문위원

[email protected]

**20082008 하반기하반기효과적인효과적인 시스템시스템 관리를관리를 위한위한 기술기술 세미나세미나

Maintenance Technical Support & Services Global Technology Services, IBM

IBM Confidential


© IBM Corporation 2008

AIX Version 6.1 AIX Version 6.1

AIX Version 6.1 Operating SystemAIX Release PlanAIX 6 Kernel and Processor SupportAIX Service Strategy

Workload PartitionsApplication & System WPARsWPAR Live Application MobilityWorkload Partition Manager

System Management IBM Systems Director Console for AIXVMM dynamic variable page sizeRFC 2790 SNMP host resource groupsJFS2 internal snapshot

Installation, Backup, and RecoveryAIX graphical installerNetwork Install Manager NFSv4 support

Performance ManagementUnique tunable documentationRestricted tunablesAIX V6 out-of-the-box performanceAIO dynamic tunablesHardware performance monitors

Application Development and Dynamic DebugProbeVuePOSIX TracingTransport independent RPC library

Security, Authentication, and AuthorizationRole Based Access ControlTrusted AIXSecure by DefaultAIX Security Expert EnhancementsEncrypted File SystemTrusted Execution Environment Secure FTPPassword length and encryption algorithmsAIX Security Certifications

Continuous AvailabilityStorage protection keysConcurrent updatePaging Space VerificationLVM configuration and trace logsTrace Hook Range ExpansionAIX RAS FrameworkComponent DumpLive DumpFirmware Assisted DumpComponent Trace & Runtime Error Checking

NetworkingNetwork Data Administration Facility enhancementsNFS proxy serving enhancementsNetwork caching daemonInternet Group Management Protocol V3IPv6 RFC compliances

Hardware and Graphics SupportHardware support32 TB physical memory supportWithdrawal of the 32-bit kernelUFST version 5.0.1 font rasterizerX Window System Version 11 Release 7.1

National Language SupportNew locale supportEuro symbol supportOlson time zone supportUnicode 5.0 supportInternational Components for Unicode

IBM Confidential



Smooth Upgrade to AIX 6Smooth Upgrade to AIX 6

AIX 6 is binary compatible with AIX 5Lhttp://www.ibm.com/servers/aix/os/compatibility/ Ross A Mauri, System p GM

32- and 64-bit applications will continue to rununchanged on AIX 664-bit Kernel only Runs onPOWER4, PPC970, POWER5, POWER6 systemsFully exploits POWER6 Decimal Floating Point execution unitOpen beta provided early access to AIX 6 for over 6000 clients / ISVs

No charge upgrade for current AIX 5L clients with SWMANo additional out of pocket expense for clients

Upgrade processTools like alt disk installation and NIM minimize client riskMigration installation from AIX V4 & AIX V5

IBM Confidential



AIX Service and Release StrategyAIX Service and Release Strategy

IBM significantly enhanced the AIX 5L™ / AIX 6 Release and Service Delivery strategy in 2007

The principal changes planned are:

24 months of support for each Technology Level=> More closely matches client deployment requirements

Service for entire period is provided by PTF, Interim Fix, and/or Service Pack=> PTF and Service Packs provide better flexibility for customer change management

New hardware within the same family will be supported onprevious Technology Levels for ease of migration.=> Allows clients to integrate new hardware within the same family into existing infrastructure without having to upgrade to and certify a new TL

IBM Confidential



AIX 5L / AIX 6 Release Strategy* AIX 5L / AIX 6 Release Strategy* (AIX 5L V5.3 shown)(AIX 5L V5.3 shown)

Fall SpringSpringFallSpringFallSpringFallSpring 2007 2008 2009 2010 2011

Highlights:Two years of support Support is via PTF, Interim Fix or Service PackNo need to upgrade to latest TL for new HW support in the same HW family

Highlights:Two years of support Support is via PTF, Interim Fix or Service PackNo need to upgrade to latest TL for new HW support in the same HW family

HPSP HPSP HPSP

SP

TechnologyLevel 6

SP SP SP SP

HPSP HPSP HPSP

SP

TechnologyLevel 7

SP SP SP SP

HPSP HPSP HPSP

SP

TechnologyLevel 8

SP SP SP SP

HPSP HPSP HPSP

SP

TechnologyLevel 9

SP SP SP SP

HPSP HPSP HPSP

SP

TechnologyLevel 10

SP SP SP SP

Legend:

Service Pack -may include new HW support

Service Pack – AIX 5L fixes only

Interim Fix. Interim fixes will continue to be the method to provide immediate, short term relief for critical issues pending the release of a formal PTF

Support via Interim Fix, PTF, or Service Pack

New Technology Level - New HW/SW support and hardware exploitation

SP

HPSP

IBM Confidential



WorkloadPartitions

IBM Confidential



AIX V6.1 Workload PartitionsAIX V6.1 Workload Partitions

Partitioned system capacity Each Workload Partition obtains aregulated share of system resources

Two types of WPARSystem WPARs have separate security and appear like a completely separate OS

Application WPARs are manageability wrappers around a single application

Resource controls for WPARCPU, memory, paging space, number of threads and number of processes

Shared system resourcesOperating System / Shared Library and TextProcessor / I/O Devices

WorkloadPartition

A

WorkloadPartition

C

WorkloadPartition

B

AIX Image

WorkloadPartition

DWorkloadPartition

E

Virtualized AIX OS environments within a single AIX image

IBM Confidential



Application WPAR

Role-based Access Control

AIX 6 System Image

System AdminSys Config

Sys Maint

Perf Mgmt

RBAC

Data Mgmt

SW Maint

Install

...

Global WPARWPAR Managment

Create/Destroy

Start/Stop

Modify

Meter

Resource Controls

Perf Mgmt

Install

...

System ServicesPrint

NFS

CIFS

Trace

LDAP

inittab

DRAF

...

System WPAR

Login Users & Groups

Role-based Access Control

WPAR AdminUser Mgmt

Data Mgmt

Install

RBAC

Perf Mgmt

WLM

Metering

...

WPAR ServicesPrint

NFS

CIFS

Trace

LDAP

inittab

DRAF

...

Application WPAR

Login

Users & Groups

Shared File Systems

/opt

/usrGlobal WPAR ResourcesProcessesIPCs

File SysNetwork

/ /usr /opt /home /tmp /var /nfs

NW I/FsDevices/proc

WPAR ResourcesProcessesIPCsNetwork Streams NW I/F Aliases

WPAR ResourcesProcessesIPCsNetwork Streams NW I/F Aliases

Shared Global Resources

AIX Workload Manager

WPAR ResourcesProcessesIPCsFile Sys / /home /tmp /var /nfs

Network Streams NW I/F AliasesImported Devices /dev/null /dev/tty /dev/console ...

AIX V6.1 Functional View of System & Application WPARs

IBM Confidential



Power Systems Flexible Resource ManagementPower Systems Flexible Resource Management

AIX 6 Workload Partitions complement PowerVM Logical Partitions

Workload Isolation

Eas

e of

Adm

inis

tratio

n

Micro-Partitions

AIX 5L V5.3 on POWER5

WorkloadPartitions

AIX V6.1 on POWER4

AIX Workload Manager

AIX 4.3.3 on POWER3

DedicatedLPARs

AIX 5L V5.1 on POWER4

IBM Confidential



WorkloadPartition

QA

AIX # 2

WorkloadPartition

Data Mining

AIX V6.1 Live Application MobilityAIX V6.1 Live Application Mobility

WorkloadPartition

Database

WorkloadPartition

Web

AIX # 1

WorkloadPartition

Dev

The ability to move a Workload Partition from one server to another

Provides outage avoidance and multi-system workload balancing

Workload Partition

ERP

Policy based automation can provide more efficient resource usage

WorkloadPartitionManager

Policy

WorkloadPartitionBilling

IBM Confidential



WPAR AIX OfferingsWPAR AIX Offerings

AIX (GA 11/2007)Base Workload Partitions (WPAR) functionality

– Separate regions of application space– Regulated share of system resources– Shared single instance of AIX 5L– Each WPAR can be separately administered

Elementary (single system) WPAR Management– Create, Start/stop, Delete WPAR via SMIT or command line

IBM Workload Partitions ManagerTM program product (GA 11/2007)5765-WPMCross System Management for Workload Partitions

– Create, Start/stop, Delete and Relocate WPARsAutomated, Policy-based Mobility

– Automatically relocate applications based on loadEnablement for Application Mobility

– Checkpoint/resume based on Meiosys technologyPart of the IBM System Director Family

WPAR Manager

IBM Confidential



AIX V6.1 System Management & File System / StorageAIX V6.1 System Management & File System / Storage

IBM Systems Director Console for AIX– http://<hostname>:5335/ibm/console or https://<hostname>:5336/ibm.console– Internet Explorer Version 7, and Mozilla Firefox– Systems Management Interface Tool (SMIT)– Distributed Command Execution Manager (DCEM)– Workload Partitions (WPAR)– ...

VMM dynamic variable page size– AIX V6.1 VMM on POWER6 dynamically promote pages to a larger page size– vmo tunable page size promotion aggressiveness factor vmm_default_pspa = 0 (default on POWER6)– vm_pattr() system call for applications– vmm_mpsize_support=2 using multiple page sizes per segment (default on POWER6)

RFC 2790 SNMP host resource groups– Simple Network Management Protocol with Distributed Program Interface Version 2– Two additional SNMP-DPI-2 hosts for Running Software (hrSWRun), and Running Software

Performance (hrSWRunPerf) information group (Management Information Bases (MIBs))JFS2 internal snapshot

– Create snapshots within the source file system: crfs -a isnapshot=yes ...– max 64 generations in /fsmountpoint/.snapshot/<snapshotname>

IBM Confidential



AIX V6.1 System Management & File System / StorageAIX V6.1 System Management & File System / Storage

IBM Systems Director Console for AIX– http://<hostname>:5335/ibm/console or https://<hostname>:5336/ibm.console– Internet Explorer Version 7, and Mozilla Firefox– Systems Management Interface Tool (SMIT)– Distributed Command Execution Manager (DCEM)– Workload Partitions (WPAR)– ...

VMM dynamic variable page size– AIX V6.1 VMM on POWER6 dynamically promote pages to a larger page size– vmo tunable page size promotion aggressiveness factor vmm_default_pspa = 0 (default on POWER6)– vm_pattr() system call for applications– vmm_mpsize_support=2 using multiple page sizes per segment (default on POWER6)

RFC 2790 SNMP host resource groups– Simple Network Management Protocol with Distributed Program Interface Version 2– Two additional SNMP-DPI-2 hosts for Running Software (hrSWRun), and Running Software

Performance (hrSWRunPerf) information group (Management Information Bases (MIBs))JFS2 internal snapshot

– Create snapshots within the source file system: crfs -a isnapshot=yes ...– max 64 generations in /fsmountpoint/.snapshot/<snapshotname>

IBM Confidential



Enterprise Edition for AIXEnterprise Edition for AIX

A new product that provides a single integrated systems management interface for managing virtualized environments:

Discover IT components and their relationshipsProvides a visual representation of the componentsMonitor utilization and configuration changesCollect and report resource usage

These tools are provided in a integrated bundle that include functionality specifically tailored for AIX & Power Systems

Tivoli® Application Dependency Discovery ManagerIBM Tivoli MonitoringIBM Usage and Accounting Mgr Virtualization Edition for System pWPAR Manager

System 1

TADDM discovery of System p™ Topology via HMC

A common prerequisite for all the above products is DB2® 9.1, which is also included in the offering

IBM Confidential



AIX V6.1 System Management & File System / Storage IIAIX V6.1 System Management & File System / Storage II

Disabling JFS2 logging– Temporary file systems need not to pay performance penalty of sync. commits of metadata to log:

File systems used by compilers for scratch space, backup applications during restore and non-migration install operations

– mount -o log=NULL /mnt -- /etc/filesystems stanza log=NULLLimit number of threads per process & Limit number of processes per user

– RLIMIT_THREADS and RLIMIT_NPROC default initialization from /etc/security/limits– ulimit -r / -u (-H) [ threads (per process) / processes (per user)]– mkuser threads=# threads_hard=# / chuser

AIX Print Spooler Administration Command Enhancement– mkque, mkquedev, lsque, lsquedev, rmque and rmquedev work against /etc/qconfig.bin digest– Performance will be enhanced when adding and removing print queues

Increase default size of argument area– ARG_MAX and NCARGS increased from 24 KB (6 x 4 KB) to 1 MB (256 x 4 KB) in limits.h & param.h– lsattr -R -l sys0 -a ncargs

Threading: pthread default 1:1– AIXTHREAD_SCOPE=S (System)

IBM Confidential



AIX V6.1 Performance ManagementAIX V6.1 Performance ManagementUnique Tunable Documentation

– Full list of system tunable parameters and details of their useare no longer available at AIX documentation or man pages level

– Tunable description message for the tuning commands vmo, ioo, schedo, raso, no, and nfsocan be displayed through the new -h <tunable> option

Restricted tunables– Some tunables are now classified as restricted use tunables– Only displayed with the -F option (force) of vmo, ioo, schedo, raso, no, and nfso– Distinctive separator line ##Restricted tunables– SMIT panel "Tuning Development Parameters"– Changes need to be confirmed and errors are locked by /etc/tunables/nextboot

AIX V6 out-of-the-box performance– New default values for tunables: VMM, sys0 (I/O Pacing by default), NFS

AIO Dynamic Tunables– ioo command to maintain AIO dynamic tuneables / tunables are persistent across reboots

Hardware Performance Management Toolkit enhancements– XML output file format for hpmstat and hpmcount Visual Performance Analyzer (VPA)

http://www.alphaworks.ibm.com.tech/vpa– Support for Scaled Performance Utilization Resources Register ( spurr) for POWER6

Electrical power and thermal dissipation management technology– spurr value scales as a function of the degree of processor throttling– Time base nomalization [-b time | purr | spurr]

IBM Confidential



AIX V6.1 Dynamic Tracing with AIX V6.1 Dynamic Tracing with ProbeVueProbeVueTrace existing programs without recompiling

Dynamic placement of trace probesFor debugging and performance analysisDynamic tracing language called VueInitial support for “C” programs

Initial Set of Probe ManagersAIX system callKernel function tracing

– Probes in most kernel functions (at entry and exit points)

User process tracing– Probes at entry and exit points of user-mode application functions– Application calls to library functions

#!/usr/bin/probevue/* countreads.v */

@@syscall.$1.read.entry {

count++;}@@interval.*.clock.100{

printf(“Number of reads = %d\n”, count);count = 0;

}

# countreads.v 404Number of reads = 22Number of reads = 0Number of reads = 1Number of reads = 17…..

Formatted I/O

User Kernel

Probe Location

User Process CodeSome thread hits probe point (1) Branches to probe

code (2)

Probe code

(3)Returns to probe point

(4)

Thread continues

execution(5)

Trace Consumer

Trace Fileor

Trace OutputTrace Buffers

E-code

“Vue” probe code example

IBM Confidential



AIX V6.1 Application Development & System DebugAIX V6.1 Application Development & System Debug

ProbeVue– Dynamic Tracing: Capability to insert trace points at run-time– Performance analysis as well as problem debugging– Vue programming language script tells ProbeVue where to trace, when to trace and what to trace– Probe Managers are providers of probe points that can be instrumented by ProbeVue

Portable Operating System Interface (POSIX) Tracing– Application debugging, fault analysis, and performance measurement tool for user applications– Implements Tracing Option Group, an optional functionality, defined within IEEE Std 1003.1-2001.– Dependent upon precompiled-in trace hooks in the application being instrumented– Traced process / Controller Process / Analyzer Process

Transport independent RPC library– Formal support of TI-RPC routines as ported from the ONC+ 2.2 source distribution– Isolating applications from any specific transport feature and as such used by AIX NFS– Formal support for RPCSEC_GSS security version of the General Security Services (GSS) API– RPCSEC_GSS routines are used by the AIX Network Data Administration Facility (NDAF) solution

IBM Confidential



Security

IBM Confidential



AIX V6.1 Security: Role Based Access ControlAIX V6.1 Security: Role Based Access Control

Authorizations– Mechanism to grant access to

commands or certain functionality. Context aware.

Roles– A container for authorizations

that can be assigned to a user.

Privileges– Process attribute that allows process to

bypass a security restriction. Not context aware.

Provides greater security and increased administration flexibilityRoles

DBA

PRINT

BACKUP

AIX ResourcesUsers

aix

devicefsnetworkprocrassecuritysystemwpar

bootconfiginstallstat

create “create boot image”Halt “halt the system”Info “display boot informationReboot “reboot the system”Shutdown “shutdown the system”

# lssecattr -c -F /usr/sbin/bootinfo/usr/sbin/bootinfo:

accessauths = aix.system.boot.infoinnateprivs = PV_DAC_R,PV_DAC_W,PV_DEV_CONFIG,PV_KER_RAS

IBM Confidential



AIX V6.1 SecurityAIX V6.1 Security

Role Based Access Control (RBAC)– chdev -l sys0 -a enhanced_RBAC=true– Authorization: Dotted notation denotes hierarchy (aix.system.boot.info ...)– Roles: Container for authorizations assigned to a user– Main pre-defined AIX Roles: (swrole creates new role session)

ISSO Information Systems Security OfficerSA System Administrator, SO System Operator

Trusted AIX (Multi Level Security)– DAC - traditional Discretionary Access Control– MAC - Bell-LaPadula's Mandatory Access Control (system defined)– MIC - Biba's Mandatory Integrity Control (system defined)– Labels on objects, subjects, labeled printing, labeled networking– New Installtime-only option

Secure by Default (SbD)– New security installation option– Installs a minimal set of software– Deletes components that use weak authorization– Utilizes AIXpert to harden system after install – Bottom Up Approach

IBM Confidential



AIX Security Expert EnhancementsAIX Security Expert Enhancements

Single control point for over 300 AIX security settings

Security settings can be exported and used by multiple systems via LDAP

Security Hardening focus areas:

Password AdministrationLogin PolicyRemove SUID Network Tuning IP Security (firewall) port scansAudit /etc/inittab/etc/rc.tcpip/etc/inetd.confMiscellaneous

First included with AIX 5.3 Technology Level 5 in August 2006

SOX-COBITThe United States Congress enacted the 'Sarbanes-Oxley Act of 2002 to protect investors by improving the accuracy and reliability of financial information disclosed by corporations

IBM Confidential



AIX V6.1 Encrypted File SystemAIX V6.1 Encrypted File System

Embedded in JFS2Integrated into user / group administrationAutomatic key store creation on user creationKey store open on loginRoot Admin / Root Guard Modecrfs | chfs -a efs=yes,user key managment efskeymgrUnique AES (Advanced EncryptionStandard ) symmetric key to en/decrypt every fileRSA (Rivest, Shamir, Adleman) private/public keypair to protect each symmetric keyKey stores in PKCS12 format.No keys stored in clear in kernel memoryBackup in encrypted or clear formats

Always encrypted on disk

Data in clear in memory.

VMM

J2

Filesystem

CLiC

Crypto Lib

User and Group Key Stores

Crypto Kernext

Kernel ucred open key store

Login Authentication Module

Key Store

Mgt Cmds

BOS Cmds

Backup/Restore

Cp, mv, crfs, etc

IBM Confidential



AIX V6.1 Encrypted File System (EFS)AIX V6.1 Encrypted File System (EFS)

Key Cache

EncryptedFile

File System Layer

Clear File accessEdit abcLogs in

Keystore Memory

password generates access key,

access key opens keystore

keystore contains user's private and public key

(current and old ones)

each file's datablocks are encryptedsymmetrically using individual keys, stored in their EAs

those symm. keys are "enveloped" withauthorized users' public keys

IBM Confidential



AIX V6.1 Trusted ExecutionAIX V6.1 Trusted ExecutionSignature based system integrity (offline) / Run time integrity (in-flight) verificationTrusted Signature Database (TSD) holds cert_tag, signature & hashRun time security policy on SHA-256 hash: EXEC, SHLIB, SCRIPT, KERNEXTReplaces Trusted Computing Base (TCB)Single command: trustchk

Executable/Module

Memory

Run Time Integrity Check

Hash/SignatureDatabase

CalculateHash

Policy EngineEg: Disallow loads on non-match

System Integrity Check

CertificatesDatabase

Integrity CheckerTool

System Integrity StatusTrojan Horse Detection

SignatureDatabase

Install Time population

vs.

IBM Confidential



AIX V6.1 Security IIAIX V6.1 Security IIAIX Security Expert (aixpert)

– Introduced in AIX 5.3TL05 (53H)– Standardized Security Hardening Tool for AIX– Security Rules defined in XML via GUI / stored in LDAP repository– Focus in AIX 6 is policy compliance (SOX/COBIT, ...)

Encrypted File System (EFS)– Embedded in JFS2, integrated with user authentication– Root Admin / Root Guard Mode– crfs | chfs -a efs=yes, user key managment efskeymgr– Advanced Encryption Standard (AES) symmetric key to

en/decrypt every file– RSA (Rivest, Shamir, Adleman) private/public keypair to protect each symmetric key

Trusted Execution– Signature based system integrity (offline) / Run time integrity (in-flight) verification– Trusted Signature Database (TSD) holds cert_tag, signature & hash– Run time security policy on SHA-256 hash: EXEC, SHLIB, SCRIPT, KERNEXT

Secure FTP– ftp and ftpd are secured using Transport Layer Security TLS protocol– Based on OpenSSL: command and data channel are encrypted

Password length and encryption algorithms– Loadable Password Algorithm (LPA) /etc/security/pwdalg.cfg; MD5, SHA and Blowfish– 255 character limit for password / passphrase

IBM Confidential



AIX & Power Systems Security Certifications Plans*AIX & Power Systems Security Certifications Plans*

AIX 5200-06 CAPP/EAL4+Application: 01/11/05Final report: 10/26/05Certificate: 12/14/05

AIX 5L 5200-05 andPitbull LSPP/EAL4+

Application :01/11/05Final report submitted: 03/06Certificate: 05/16/06

AIX 5300-05 LSPP/EAL4+

Pitbull product Supports P5, P4Certificate: 01/16/07

Pitbull MLS Ported to AIX 5300-03

Pitbull product available tocustomers Dec 31, 05

AIX 5300-04 CAPP/EAL4+Supports P5, P4Certificate: 12/12/06

AIX 6100CAPP/RBPP/LSPP/EAL4+

BSI-DSZ-CC-0461MLS capabilities integrated intostandard AIX product One certification for 3 PPSupports P6, P5, P4VIOS 1.5

Certification HistoryAIX 4.2 C2: Apr 24, 1997AIX 4.3 C2: May 06, 1998AIX 5.2 CAPP/EAL4+: Nov 04, 2002AIX 5.2 ML1 CAPP/EAL4+: Sep 08, 2003POWER4 HW/FW CC EAL4+: Jan 26, 2004AIX 5.2 ML6 CAPP/EAL4+: Dec 14, 2005AIX 5.2 ML5 Pitbull LSPP: May 16, 2006AIX 5.3 ML4 & VIOS CAPP: Dec 12, 2006AIX 5.3 ML5 Pitbull LSPP: Jan 16, 2007POWER6 HW/FW CC EAL4+: Nov 07, 2007

VIOS 1.3 EAL4+Included with AIX 5300-04CAPP/EAL4+Certificate: 12/12/06

POWER6 Hardware EAL4

MicroPartitioningFlexible Service ProcessorBulk Power Components

*All statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.

http://www.bsi.de/zertifiz/zert/aktuelle.htm

Legend

AIX 5L V5.2AIX 5L V5.3AIX V6.1 (Planned)VIOSPOWER6

IBM Confidential



IBM LPAR Architecture for Power6 received CC IBM LPAR Architecture for Power6 received CC EAL4+ Security Certification at Nov. 7, 2007 !EAL4+ Security Certification at Nov. 7, 2007 !

The new certificatecovers:

– P6 Hypervisor(Micro-Partitioning)

– Flexible ServiceProcessor (FSP)

– Bulk powercomponents

IBM Confidential



RAS

IBM Confidential



Currently, data is accessible by all kernel code and is subject to corruption by faulty codeSubstantial amount of code, consisting of both IBM and third party code

UserCode

UserData

Files

WS DB2KernelCode

KernelData

JFS2 LVM VMM . . . SCSI ENT FC . . . PPath Artic VxFS . . .

ApplicationAddress Space

AIX Drivers Third Party DriversAIX Kernel

UNIX Kernel Address Space

AIX V6.1 Virtual Memory Protection Domains AIX V6.1 Virtual Memory Protection Domains

AIX Protection Domains will isolate data and protect against corruptionEnabled through POWER6 H/W & provides isolation between subsystems or subsystems classes

Initially provide up to 8 domains w/POWER6 and a larger number with future H/WMore domains brings finer-grain isolation and better protection

Extensible to applications to protect against corruption within the applicationAIX will provide enablement with future H/W to allow applications to exploit domains

UserCode

UserData

Files

WS DB2KernelCode

KernelData

JFS2 LVM VMM . . . SCSI ENT FC . . . PPath Artic VxFS . . .

ApplicationAddress Space

AIX Drivers Third Party DriversAIX Kernel

AIX V6.1 Kernel Address Space

IBM Confidential



AIX V6.1 Functional Recovery Routines AIX V6.1 Functional Recovery Routines

Improved Operating System Reliability

Kernel issues can be handled without crashing the systemRecovery routines can validate data, diagnose root causeFirst failure data capture for software problems

Staged implementationstarting with AIX 6

Recovery ManagerLimited number of Functional Recovery Routines

MainlineCode

FRR

RecoveryManager

Retrypoint

1. Exception

2. Callback

3. Update

4. Retry

IBM Confidential



AIX V6.1 Concurrent UpdateAIX V6.1 Concurrent UpdateCapability to put some patches on without rebootingStaged starting with AIX Version 6.1Initial implementation will be via Interim FixesMethod: Functional redirection within the in-memory image of the OS

Suspended

AIX 5L Operating System

Kernel Space

User Space

Kernel Modules Table of Contents

aact

mallocsocket

raschkm_thread

vmmove

Kernel PatchHeap

updated module

Patch Creator

- Resolved Symbols- TOC consistency

Patch Manager

PatchLoader

malloc

Processing:Running

malloc

/unix file

IBM Confidential



AIX V6.1 Continuous Availability (RAS)AIX V6.1 Continuous Availability (RAS)

Kernel Storage Protection Keys– POWER6™ processor storage protection keys

prevent inadvertent memory overlays in both the kernel and the application space– Storage protection keys application programming interface (API) introduced with AIX V5.3 Technology

Level 06 (5300-06) to support storage protection keys for user space applications– /usr/inlcude/sys/skeys.h header file; Key-Set in Authority Mask Register (AMR)– Enabled by default; smitty skeyctl fastpath

Concurrent Update– 70 - 80 % of kernel / kext code eligible; new interim file type for emgr command– kpatch() functional redirection within the in-memory image of the OS

Paging Space Verification– Improves FFDC capability in respect to paging space data corruption problems– Checksum computed on page out and saved in pinned memory array– Checksum re-computed on page in and compared with value in array

LVM Configuration and Trace Logs– alog -t [ lvmcfg | lvmt | lvmgs ]

Trace Hook Range Expansion– Expanded trace hook ID range from 12 bits to 16 bits: 4096 --> 65536 (- 7680) hooks

IBM Confidential



AIX V6.1 Continuous Availability (RAS) IIAIX V6.1 Continuous Availability (RAS) II

Component Framework– Granular approach to RAS– Register components to enable specific RAS features such as trace, dump and error checking features– Runtime Error Checking errctrl / Component Trace ctctrl / Component Dump dumpctrl– Persistent component attributes: components not yet created | persist across reboots

-n (now) -p (new) -P (reboot) -x (delete) --> /var/adm/ras/raspertuneComponent Dump

– dumpctrl -qc -c all (interface command to system and component (live) dump)Live Dump

– Components, registered as live dump enabled / Small dumps that do not require system restart– Live dump repository (dumpctl -s) located at /var/adm/ras/livedump / 7 attributes– livedumpstart -c [+]<component>[+]

Firmware Assisted Dump– Minimizing work done by failing OS. Freeze memory and reboot system prior to dump memory to disk– Traditional: before partition re-initialization / FWAD: during partition restart / sysdumpdev -t fw-assisted

Component Trace & Runtime Error Checking– HEA, USB, VMM, MPIO, TCPIP, NFSv4, cachfs, ...

IBM Confidential



AIX 6 RAS Component FrameworkAIX 6 RAS Component Framework

Component RAS Framework

Component Trace Component DumpRuntime Error Checking

errctrl ctctrl dumpctrl

Live Dump System Dump

Traditional Framework

Minidump

Firmwareassisted

dump

Classicdump

Paralleldump

AIX 6.1POWER6

AIX 5.3TL05

AIX 5.3TL03

AIX

System Trace

LightWeightMemory Trace

CT PrivateBuffersTrace

IBM Confidential



dumpctrldumpctrl sample outputsample output

# dumpctrl -qc-----------------------------------------------+------+-----------+------------

| Have | Live Dump | System DumpComponent Name |Alias | /level | /level

-----------------------------------------------+------+-----------+------------lvm | NO | ON/3 | ON/3

.rootvg | NO | ON/3 | ON/3.metadata | NO | ON/3 | ON/3

.lvs | NO | ON/3 | ON/3.fslv00 | NO | ON/3 | ON/3.fslv01 | NO | ON/3 | ON/3.fslv02 | NO | ON/3 | ON/3.fslv03 | NO | ON/3 | ON/3.fslv04 | NO | ON/3 | ON/3.fslv05 | NO | ON/3 | ON/3

... lines missing for clarity

IBM Confidential



ctctrlctctrl sample outputsample output

# ctctrl -c lfs -q -r---------------------------------------+-------+-------+-------+---------------

| Have |Mem Trc|Sys Trc| Buffer sizeComponent name | alias | /level| /level| /Allocated---------------------------------------+-------+-------+-------+---------------lfs | NO | ON/3 | ON/3 | 0/ NO

filesystem._0 | NO | ON/3 | ON/3 | 0/ NO.__1 | NO | ON/3 | ON/3 | 0/ NO._admin_9 | NO | ON/3 | ON/3 | 0/ NO._home_8 | NO | ON/3 | ON/3 | 0/ NO._opt_11 | NO | ON/3 | ON/3 | 0/ NO._proc_10 | NO | ON/3 | ON/3 | 0/ NO._tmp_5 | NO | ON/3 | ON/3 | 0/ NO._usr_2 | NO | ON/3 | ON/3 | 0/ NO._var_4 | NO | ON/3 | ON/3 | 0/ NO

.kdm | NO | ON/3 | ON/3 | 0/ NO

.pile | NO | ON/3 | ON/3 | 0/ NO

# ctctrl -c lfs -q -r---------------------------------------+-------+-------+-------+---------------

| Have |Mem Trc|Sys Trc| Buffer sizeComponent name | alias | /level| /level| /Allocated---------------------------------------+-------+-------+-------+---------------lfs | NO | ON/3 | ON/3 | 0/ NO

filesystem._0 | NO | ON/3 | ON/3 | 0/ NO.__1 | NO | ON/3 | ON/3 | 0/ NO._admin_9 | NO | ON/3 | ON/3 | 0/ NO._home_8 | NO | ON/3 | ON/3 | 0/ NO._opt_11 | NO | ON/3 | ON/3 | 0/ NO._proc_10 | NO | ON/3 | ON/3 | 0/ NO._tmp_5 | NO | ON/3 | ON/3 | 0/ NO._usr_2 | NO | ON/3 | ON/3 | 0/ NO._var_4 | NO | ON/3 | ON/3 | 0/ NO

.kdm | NO | ON/3 | ON/3 | 0/ NO

.pile | NO | ON/3 | ON/3 | 0/ NO

IBM Confidential



AIX V6.1 NetworkingAIX V6.1 NetworkingNetwork Data Administration Facility (NDAF)

– Integration of NDAF to base AIX V6.1 distribution / new commands– Provides secure centralized management of NFS V4 distributed file systems including data placement,

replication, and data and namespace administration.NFS proxy serving enhancements

– Use an NFS proxy server to potentially extend NFS data access over slower or less reliable networks with improved performance and reduced network traffic to the back-end server where the data resides

– Comprehensive RPCSEC_GSS Kerberos support from client to proxy and back-end communication– NFSv3 exports for back-end NFSv4 exports

Network caching daemon– Network-based applications require resolving an Internet hostname to an IP address and vice-versa– netcd improves performance for resolver lookups & can cache user and group info provided by NIS server

Internet Group Management Protocol Version 3 (IGMPv3)– Used by hosts and multicast routers to establish multicast group memberships within physical network.– AIX V6.1 provides host side function, group member part and not the multicast router– Allows for source filtering: receive packets only from specific source addresses, or from all but specific

source addresses.IPv6 RFC compliances

– RFC 4007 - IPv6 Scoped Address Architecture / RFC 4443 - Internet Control Message Protocol ICMPv6

IBM Confidential



AIX V6.1 Hardware & Graphics SupportAIX V6.1 Hardware & Graphics Support

AIX V6.1 exclusively supports 64-bitCommon Hardware Reference Platform (CHRP) machines:PowerPC 970, POWER4, POWER5, POWER6

– prtconf | grep ’Processor Type’AIX V6.1 withdrawals support for following processor architectures:RS64, POWER3, 604eAIX V6.1 VMM is enhanced to address a maximum of 32 TB RAM

– Architectural limit in AIX V5.3 used to be 16 TBUniversal Font Scaling Technology (UFST) version 5.0.1 font rasterizer

– Licensed from the Monotype Imaging company (http://www.monotypeimaging.com).– Reads, interprets and processes hinted font data to rapidly generate scaled character bitmaps,

graymaps or grid-aligned outlines.X Window System Version 11 Release 7.1

– AIX V6.1 contains X Windows libraries, headers and some applications updated to X11R7.1– X Window System terminal emulator xterm program / X Display Manager xdm program updated

IBM Confidential



AIX V6.1 National Language SupportAIX V6.1 National Language Support

Olson Time Zone Support – Zone names by continent or ocean / name of location

Updated ICU4C 3.6– International Components for Unicode

internationalization package www.icu-project.orgUnicode 5.0 compliance

– 99,000 glyphs in total www.unicode.orgAzerbaijani support for AIX

– AZ_AZ 30 million native Azerbaijani speakersMaltese support for AIX

– MT_MT 400.000 people in Republic of MaltaUrdu support for AIX

– UR_IN, UR_PK 100 million people in 20countries using Urdu as first or second language

Welsh locale– CY_GB 20% of Wales population (3 million) speak Welsh

Additional Euro symbol support– Czech Republic, Estonia, Hungary, Latvia, Lithuania, Malta,

Poland, Slovakia, Slovenia, Bulgaria, and Romania

IBM Confidential



AIX 6 and POWER6AIX 6 and POWER6The next step in the evolution of UNIXThe next step in the evolution of UNIX®®

Mainframe-inspired technologies

Innovative features forvirtualization,security,systems management andreliability, availability, serviceability

Strong future roadmap and IBM commitment

Make No Compromises. Accept No Limitations.

IBM Confidential



감사합니다.감사합니다.Q & AQ & A

Documents

AIX Version 6.1 Update - :: :: 데이터 전문가 지식포털 · PDF file · 2008-11-10Open beta provided early access to AIX 6 for over 6000 clients / ISVs No charge upgrade for