Upload
voliem
View
221
Download
2
Embed Size (px)
Citation preview
The Best Reliable Partner for High Availability
IBM Confidential © Copyright IBM Corporation 2008
AIX Version 6.1 Update
하순권 전문위원
**20082008 하반기하반기효과적인효과적인 시스템시스템 관리를관리를 위한위한 기술기술 세미나세미나
Maintenance Technical Support & Services Global Technology Services, IBM
IBM Confidential
The Best Reliable Partner for High Availability
© IBM Corporation 2008
AIX Version 6.1 AIX Version 6.1
AIX Version 6.1 Operating SystemAIX Release PlanAIX 6 Kernel and Processor SupportAIX Service Strategy
Workload PartitionsApplication & System WPARsWPAR Live Application MobilityWorkload Partition Manager
System Management IBM Systems Director Console for AIXVMM dynamic variable page sizeRFC 2790 SNMP host resource groupsJFS2 internal snapshot
Installation, Backup, and RecoveryAIX graphical installerNetwork Install Manager NFSv4 support
Performance ManagementUnique tunable documentationRestricted tunablesAIX V6 out-of-the-box performanceAIO dynamic tunablesHardware performance monitors
Application Development and Dynamic DebugProbeVuePOSIX TracingTransport independent RPC library
Security, Authentication, and AuthorizationRole Based Access ControlTrusted AIXSecure by DefaultAIX Security Expert EnhancementsEncrypted File SystemTrusted Execution Environment Secure FTPPassword length and encryption algorithmsAIX Security Certifications
Continuous AvailabilityStorage protection keysConcurrent updatePaging Space VerificationLVM configuration and trace logsTrace Hook Range ExpansionAIX RAS FrameworkComponent DumpLive DumpFirmware Assisted DumpComponent Trace & Runtime Error Checking
NetworkingNetwork Data Administration Facility enhancementsNFS proxy serving enhancementsNetwork caching daemonInternet Group Management Protocol V3IPv6 RFC compliances
Hardware and Graphics SupportHardware support32 TB physical memory supportWithdrawal of the 32-bit kernelUFST version 5.0.1 font rasterizerX Window System Version 11 Release 7.1
National Language SupportNew locale supportEuro symbol supportOlson time zone supportUnicode 5.0 supportInternational Components for Unicode
IBM Confidential
The Best Reliable Partner for High Availability
© IBM Corporation 2008
Smooth Upgrade to AIX 6Smooth Upgrade to AIX 6
AIX 6 is binary compatible with AIX 5Lhttp://www.ibm.com/servers/aix/os/compatibility/ Ross A Mauri, System p GM
32- and 64-bit applications will continue to rununchanged on AIX 664-bit Kernel only Runs onPOWER4, PPC970, POWER5, POWER6 systemsFully exploits POWER6 Decimal Floating Point execution unitOpen beta provided early access to AIX 6 for over 6000 clients / ISVs
No charge upgrade for current AIX 5L clients with SWMANo additional out of pocket expense for clients
Upgrade processTools like alt disk installation and NIM minimize client riskMigration installation from AIX V4 & AIX V5
IBM Confidential
The Best Reliable Partner for High Availability
© IBM Corporation 2008
AIX Service and Release StrategyAIX Service and Release Strategy
IBM significantly enhanced the AIX 5L™ / AIX 6 Release and Service Delivery strategy in 2007
The principal changes planned are:
24 months of support for each Technology Level=> More closely matches client deployment requirements
Service for entire period is provided by PTF, Interim Fix, and/or Service Pack=> PTF and Service Packs provide better flexibility for customer change management
New hardware within the same family will be supported onprevious Technology Levels for ease of migration.=> Allows clients to integrate new hardware within the same family into existing infrastructure without having to upgrade to and certify a new TL
IBM Confidential
The Best Reliable Partner for High Availability
© IBM Corporation 2008
AIX 5L / AIX 6 Release Strategy* AIX 5L / AIX 6 Release Strategy* (AIX 5L V5.3 shown)(AIX 5L V5.3 shown)
Fall SpringSpringFallSpringFallSpringFallSpring 2007 2008 2009 2010 2011
Highlights:Two years of support Support is via PTF, Interim Fix or Service PackNo need to upgrade to latest TL for new HW support in the same HW family
Highlights:Two years of support Support is via PTF, Interim Fix or Service PackNo need to upgrade to latest TL for new HW support in the same HW family
HPSP HPSP HPSP
SP
TechnologyLevel 6
SP SP SP SP
HPSP HPSP HPSP
SP
TechnologyLevel 7
SP SP SP SP
HPSP HPSP HPSP
SP
TechnologyLevel 8
SP SP SP SP
HPSP HPSP HPSP
SP
TechnologyLevel 9
SP SP SP SP
HPSP HPSP HPSP
SP
TechnologyLevel 10
SP SP SP SP
Legend:
Service Pack -may include new HW support
Service Pack – AIX 5L fixes only
Interim Fix. Interim fixes will continue to be the method to provide immediate, short term relief for critical issues pending the release of a formal PTF
Support via Interim Fix, PTF, or Service Pack
New Technology Level - New HW/SW support and hardware exploitation
SP
HPSP
IBM Confidential
The Best Reliable Partner for High Availability
© IBM Corporation 2008
WorkloadPartitions
IBM Confidential
The Best Reliable Partner for High Availability
© IBM Corporation 2008
AIX V6.1 Workload PartitionsAIX V6.1 Workload Partitions
Partitioned system capacity Each Workload Partition obtains aregulated share of system resources
Two types of WPARSystem WPARs have separate security and appear like a completely separate OS
Application WPARs are manageability wrappers around a single application
Resource controls for WPARCPU, memory, paging space, number of threads and number of processes
Shared system resourcesOperating System / Shared Library and TextProcessor / I/O Devices
WorkloadPartition
A
WorkloadPartition
C
WorkloadPartition
B
AIX Image
WorkloadPartition
DWorkloadPartition
E
Virtualized AIX OS environments within a single AIX image
IBM Confidential
The Best Reliable Partner for High Availability
© IBM Corporation 2008
Application WPAR
Role-based Access Control
AIX 6 System Image
System AdminSys Config
Sys Maint
Perf Mgmt
RBAC
Data Mgmt
SW Maint
Install
...
Global WPARWPAR Managment
Create/Destroy
Start/Stop
Modify
Meter
Resource Controls
Perf Mgmt
Install
...
System ServicesPrint
NFS
CIFS
Trace
LDAP
inittab
DRAF
...
System WPAR
Login Users & Groups
Role-based Access Control
WPAR AdminUser Mgmt
Data Mgmt
Install
RBAC
Perf Mgmt
WLM
Metering
...
WPAR ServicesPrint
NFS
CIFS
Trace
LDAP
inittab
DRAF
...
Application WPAR
Login
Users & Groups
Shared File Systems
/opt
/usrGlobal WPAR ResourcesProcessesIPCs
File SysNetwork
/ /usr /opt /home /tmp /var /nfs
NW I/FsDevices/proc
WPAR ResourcesProcessesIPCsNetwork Streams NW I/F Aliases
WPAR ResourcesProcessesIPCsNetwork Streams NW I/F Aliases
Shared Global Resources
AIX Workload Manager
WPAR ResourcesProcessesIPCsFile Sys / /home /tmp /var /nfs
Network Streams NW I/F AliasesImported Devices /dev/null /dev/tty /dev/console ...
AIX V6.1 Functional View of System & Application WPARs
IBM Confidential
The Best Reliable Partner for High Availability
© IBM Corporation 2008
Power Systems Flexible Resource ManagementPower Systems Flexible Resource Management
AIX 6 Workload Partitions complement PowerVM Logical Partitions
Workload Isolation
Eas
e of
Adm
inis
tratio
n
Micro-Partitions
AIX 5L V5.3 on POWER5
WorkloadPartitions
AIX V6.1 on POWER4
AIX Workload Manager
AIX 4.3.3 on POWER3
DedicatedLPARs
AIX 5L V5.1 on POWER4
IBM Confidential
The Best Reliable Partner for High Availability
© IBM Corporation 2008
WorkloadPartition
QA
AIX # 2
WorkloadPartition
Data Mining
AIX V6.1 Live Application MobilityAIX V6.1 Live Application Mobility
WorkloadPartition
Database
WorkloadPartition
Web
AIX # 1
WorkloadPartition
Dev
The ability to move a Workload Partition from one server to another
Provides outage avoidance and multi-system workload balancing
Workload Partition
ERP
Policy based automation can provide more efficient resource usage
WorkloadPartitionManager
Policy
WorkloadPartitionBilling
IBM Confidential
The Best Reliable Partner for High Availability
© IBM Corporation 2008
WPAR AIX OfferingsWPAR AIX Offerings
AIX (GA 11/2007)Base Workload Partitions (WPAR) functionality
– Separate regions of application space– Regulated share of system resources– Shared single instance of AIX 5L– Each WPAR can be separately administered
Elementary (single system) WPAR Management– Create, Start/stop, Delete WPAR via SMIT or command line
IBM Workload Partitions ManagerTM program product (GA 11/2007)5765-WPMCross System Management for Workload Partitions
– Create, Start/stop, Delete and Relocate WPARsAutomated, Policy-based Mobility
– Automatically relocate applications based on loadEnablement for Application Mobility
– Checkpoint/resume based on Meiosys technologyPart of the IBM System Director Family
WPAR Manager
IBM Confidential
The Best Reliable Partner for High Availability
© IBM Corporation 2008
AIX V6.1 System Management & File System / StorageAIX V6.1 System Management & File System / Storage
IBM Systems Director Console for AIX– http://<hostname>:5335/ibm/console or https://<hostname>:5336/ibm.console– Internet Explorer Version 7, and Mozilla Firefox– Systems Management Interface Tool (SMIT)– Distributed Command Execution Manager (DCEM)– Workload Partitions (WPAR)– ...
VMM dynamic variable page size– AIX V6.1 VMM on POWER6 dynamically promote pages to a larger page size– vmo tunable page size promotion aggressiveness factor vmm_default_pspa = 0 (default on POWER6)– vm_pattr() system call for applications– vmm_mpsize_support=2 using multiple page sizes per segment (default on POWER6)
RFC 2790 SNMP host resource groups– Simple Network Management Protocol with Distributed Program Interface Version 2– Two additional SNMP-DPI-2 hosts for Running Software (hrSWRun), and Running Software
Performance (hrSWRunPerf) information group (Management Information Bases (MIBs))JFS2 internal snapshot
– Create snapshots within the source file system: crfs -a isnapshot=yes ...– max 64 generations in /fsmountpoint/.snapshot/<snapshotname>
IBM Confidential
The Best Reliable Partner for High Availability
© IBM Corporation 2008
AIX V6.1 System Management & File System / StorageAIX V6.1 System Management & File System / Storage
IBM Systems Director Console for AIX– http://<hostname>:5335/ibm/console or https://<hostname>:5336/ibm.console– Internet Explorer Version 7, and Mozilla Firefox– Systems Management Interface Tool (SMIT)– Distributed Command Execution Manager (DCEM)– Workload Partitions (WPAR)– ...
VMM dynamic variable page size– AIX V6.1 VMM on POWER6 dynamically promote pages to a larger page size– vmo tunable page size promotion aggressiveness factor vmm_default_pspa = 0 (default on POWER6)– vm_pattr() system call for applications– vmm_mpsize_support=2 using multiple page sizes per segment (default on POWER6)
RFC 2790 SNMP host resource groups– Simple Network Management Protocol with Distributed Program Interface Version 2– Two additional SNMP-DPI-2 hosts for Running Software (hrSWRun), and Running Software
Performance (hrSWRunPerf) information group (Management Information Bases (MIBs))JFS2 internal snapshot
– Create snapshots within the source file system: crfs -a isnapshot=yes ...– max 64 generations in /fsmountpoint/.snapshot/<snapshotname>
IBM Confidential
The Best Reliable Partner for High Availability
© IBM Corporation 2008
Enterprise Edition for AIXEnterprise Edition for AIX
A new product that provides a single integrated systems management interface for managing virtualized environments:
Discover IT components and their relationshipsProvides a visual representation of the componentsMonitor utilization and configuration changesCollect and report resource usage
These tools are provided in a integrated bundle that include functionality specifically tailored for AIX & Power Systems
Tivoli® Application Dependency Discovery ManagerIBM Tivoli MonitoringIBM Usage and Accounting Mgr Virtualization Edition for System pWPAR Manager
System 1
TADDM discovery of System p™ Topology via HMC
A common prerequisite for all the above products is DB2® 9.1, which is also included in the offering
IBM Confidential
The Best Reliable Partner for High Availability
© IBM Corporation 2008
AIX V6.1 System Management & File System / Storage IIAIX V6.1 System Management & File System / Storage II
Disabling JFS2 logging– Temporary file systems need not to pay performance penalty of sync. commits of metadata to log:
File systems used by compilers for scratch space, backup applications during restore and non-migration install operations
– mount -o log=NULL /mnt -- /etc/filesystems stanza log=NULLLimit number of threads per process & Limit number of processes per user
– RLIMIT_THREADS and RLIMIT_NPROC default initialization from /etc/security/limits– ulimit -r / -u (-H) [ threads (per process) / processes (per user)]– mkuser threads=# threads_hard=# / chuser
AIX Print Spooler Administration Command Enhancement– mkque, mkquedev, lsque, lsquedev, rmque and rmquedev work against /etc/qconfig.bin digest– Performance will be enhanced when adding and removing print queues
Increase default size of argument area– ARG_MAX and NCARGS increased from 24 KB (6 x 4 KB) to 1 MB (256 x 4 KB) in limits.h & param.h– lsattr -R -l sys0 -a ncargs
Threading: pthread default 1:1– AIXTHREAD_SCOPE=S (System)
IBM Confidential
The Best Reliable Partner for High Availability
© IBM Corporation 2008
AIX V6.1 Performance ManagementAIX V6.1 Performance ManagementUnique Tunable Documentation
– Full list of system tunable parameters and details of their useare no longer available at AIX documentation or man pages level
– Tunable description message for the tuning commands vmo, ioo, schedo, raso, no, and nfsocan be displayed through the new -h <tunable> option
Restricted tunables– Some tunables are now classified as restricted use tunables– Only displayed with the -F option (force) of vmo, ioo, schedo, raso, no, and nfso– Distinctive separator line ##Restricted tunables– SMIT panel "Tuning Development Parameters"– Changes need to be confirmed and errors are locked by /etc/tunables/nextboot
AIX V6 out-of-the-box performance– New default values for tunables: VMM, sys0 (I/O Pacing by default), NFS
AIO Dynamic Tunables– ioo command to maintain AIO dynamic tuneables / tunables are persistent across reboots
Hardware Performance Management Toolkit enhancements– XML output file format for hpmstat and hpmcount Visual Performance Analyzer (VPA)
http://www.alphaworks.ibm.com.tech/vpa– Support for Scaled Performance Utilization Resources Register ( spurr) for POWER6
Electrical power and thermal dissipation management technology– spurr value scales as a function of the degree of processor throttling– Time base nomalization [-b time | purr | spurr]
IBM Confidential
The Best Reliable Partner for High Availability
© IBM Corporation 2008
AIX V6.1 Dynamic Tracing with AIX V6.1 Dynamic Tracing with ProbeVueProbeVueTrace existing programs without recompiling
Dynamic placement of trace probesFor debugging and performance analysisDynamic tracing language called VueInitial support for “C” programs
Initial Set of Probe ManagersAIX system callKernel function tracing
– Probes in most kernel functions (at entry and exit points)
User process tracing– Probes at entry and exit points of user-mode application functions– Application calls to library functions
#!/usr/bin/probevue/* countreads.v */
@@syscall.$1.read.entry {
count++;}@@interval.*.clock.100{
printf(“Number of reads = %d\n”, count);count = 0;
}
# countreads.v 404Number of reads = 22Number of reads = 0Number of reads = 1Number of reads = 17…..
Formatted I/O
User Kernel
Probe Location
User Process CodeSome thread hits probe point (1) Branches to probe
code (2)
Probe code
(3)Returns to probe point
(4)
Thread continues
execution(5)
Trace Consumer
Trace Fileor
Trace OutputTrace Buffers
E-code
“Vue” probe code example
IBM Confidential
The Best Reliable Partner for High Availability
© IBM Corporation 2008
AIX V6.1 Application Development & System DebugAIX V6.1 Application Development & System Debug
ProbeVue– Dynamic Tracing: Capability to insert trace points at run-time– Performance analysis as well as problem debugging– Vue programming language script tells ProbeVue where to trace, when to trace and what to trace– Probe Managers are providers of probe points that can be instrumented by ProbeVue
Portable Operating System Interface (POSIX) Tracing– Application debugging, fault analysis, and performance measurement tool for user applications– Implements Tracing Option Group, an optional functionality, defined within IEEE Std 1003.1-2001.– Dependent upon precompiled-in trace hooks in the application being instrumented– Traced process / Controller Process / Analyzer Process
Transport independent RPC library– Formal support of TI-RPC routines as ported from the ONC+ 2.2 source distribution– Isolating applications from any specific transport feature and as such used by AIX NFS– Formal support for RPCSEC_GSS security version of the General Security Services (GSS) API– RPCSEC_GSS routines are used by the AIX Network Data Administration Facility (NDAF) solution
IBM Confidential
The Best Reliable Partner for High Availability
© IBM Corporation 2008
AIX V6.1 Security: Role Based Access ControlAIX V6.1 Security: Role Based Access Control
Authorizations– Mechanism to grant access to
commands or certain functionality. Context aware.
Roles– A container for authorizations
that can be assigned to a user.
Privileges– Process attribute that allows process to
bypass a security restriction. Not context aware.
Provides greater security and increased administration flexibilityRoles
DBA
BACKUP
AIX ResourcesUsers
aix
devicefsnetworkprocrassecuritysystemwpar
bootconfiginstallstat
create “create boot image”Halt “halt the system”Info “display boot informationReboot “reboot the system”Shutdown “shutdown the system”
# lssecattr -c -F /usr/sbin/bootinfo/usr/sbin/bootinfo:
accessauths = aix.system.boot.infoinnateprivs = PV_DAC_R,PV_DAC_W,PV_DEV_CONFIG,PV_KER_RAS
IBM Confidential
The Best Reliable Partner for High Availability
© IBM Corporation 2008
AIX V6.1 SecurityAIX V6.1 Security
Role Based Access Control (RBAC)– chdev -l sys0 -a enhanced_RBAC=true– Authorization: Dotted notation denotes hierarchy (aix.system.boot.info ...)– Roles: Container for authorizations assigned to a user– Main pre-defined AIX Roles: (swrole creates new role session)
ISSO Information Systems Security OfficerSA System Administrator, SO System Operator
Trusted AIX (Multi Level Security)– DAC - traditional Discretionary Access Control– MAC - Bell-LaPadula's Mandatory Access Control (system defined)– MIC - Biba's Mandatory Integrity Control (system defined)– Labels on objects, subjects, labeled printing, labeled networking– New Installtime-only option
Secure by Default (SbD)– New security installation option– Installs a minimal set of software– Deletes components that use weak authorization– Utilizes AIXpert to harden system after install – Bottom Up Approach
IBM Confidential
The Best Reliable Partner for High Availability
© IBM Corporation 2008
AIX Security Expert EnhancementsAIX Security Expert Enhancements
Single control point for over 300 AIX security settings
Security settings can be exported and used by multiple systems via LDAP
Security Hardening focus areas:
Password AdministrationLogin PolicyRemove SUID Network Tuning IP Security (firewall) port scansAudit /etc/inittab/etc/rc.tcpip/etc/inetd.confMiscellaneous
First included with AIX 5.3 Technology Level 5 in August 2006
SOX-COBITThe United States Congress enacted the 'Sarbanes-Oxley Act of 2002 to protect investors by improving the accuracy and reliability of financial information disclosed by corporations
IBM Confidential
The Best Reliable Partner for High Availability
© IBM Corporation 2008
AIX V6.1 Encrypted File SystemAIX V6.1 Encrypted File System
Embedded in JFS2Integrated into user / group administrationAutomatic key store creation on user creationKey store open on loginRoot Admin / Root Guard Modecrfs | chfs -a efs=yes,user key managment efskeymgrUnique AES (Advanced EncryptionStandard ) symmetric key to en/decrypt every fileRSA (Rivest, Shamir, Adleman) private/public keypair to protect each symmetric keyKey stores in PKCS12 format.No keys stored in clear in kernel memoryBackup in encrypted or clear formats
Always encrypted on disk
Data in clear in memory.
VMM
J2
Filesystem
CLiC
Crypto Lib
User and Group Key Stores
Crypto Kernext
Kernel ucred open key store
Login Authentication Module
Key Store
Mgt Cmds
BOS Cmds
Backup/Restore
Cp, mv, crfs, etc
IBM Confidential
The Best Reliable Partner for High Availability
© IBM Corporation 2008
AIX V6.1 Encrypted File System (EFS)AIX V6.1 Encrypted File System (EFS)
Key Cache
EncryptedFile
File System Layer
Clear File accessEdit abcLogs in
Keystore Memory
password generates access key,
access key opens keystore
keystore contains user's private and public key
(current and old ones)
each file's datablocks are encryptedsymmetrically using individual keys, stored in their EAs
those symm. keys are "enveloped" withauthorized users' public keys
IBM Confidential
The Best Reliable Partner for High Availability
© IBM Corporation 2008
AIX V6.1 Trusted ExecutionAIX V6.1 Trusted ExecutionSignature based system integrity (offline) / Run time integrity (in-flight) verificationTrusted Signature Database (TSD) holds cert_tag, signature & hashRun time security policy on SHA-256 hash: EXEC, SHLIB, SCRIPT, KERNEXTReplaces Trusted Computing Base (TCB)Single command: trustchk
Executable/Module
Memory
Run Time Integrity Check
Hash/SignatureDatabase
CalculateHash
Policy EngineEg: Disallow loads on non-match
System Integrity Check
CertificatesDatabase
Integrity CheckerTool
System Integrity StatusTrojan Horse Detection
SignatureDatabase
Install Time population
vs.
IBM Confidential
The Best Reliable Partner for High Availability
© IBM Corporation 2008
AIX V6.1 Security IIAIX V6.1 Security IIAIX Security Expert (aixpert)
– Introduced in AIX 5.3TL05 (53H)– Standardized Security Hardening Tool for AIX– Security Rules defined in XML via GUI / stored in LDAP repository– Focus in AIX 6 is policy compliance (SOX/COBIT, ...)
Encrypted File System (EFS)– Embedded in JFS2, integrated with user authentication– Root Admin / Root Guard Mode– crfs | chfs -a efs=yes, user key managment efskeymgr– Advanced Encryption Standard (AES) symmetric key to
en/decrypt every file– RSA (Rivest, Shamir, Adleman) private/public keypair to protect each symmetric key
Trusted Execution– Signature based system integrity (offline) / Run time integrity (in-flight) verification– Trusted Signature Database (TSD) holds cert_tag, signature & hash– Run time security policy on SHA-256 hash: EXEC, SHLIB, SCRIPT, KERNEXT
Secure FTP– ftp and ftpd are secured using Transport Layer Security TLS protocol– Based on OpenSSL: command and data channel are encrypted
Password length and encryption algorithms– Loadable Password Algorithm (LPA) /etc/security/pwdalg.cfg; MD5, SHA and Blowfish– 255 character limit for password / passphrase
IBM Confidential
The Best Reliable Partner for High Availability
© IBM Corporation 2008
AIX & Power Systems Security Certifications Plans*AIX & Power Systems Security Certifications Plans*
AIX 5200-06 CAPP/EAL4+Application: 01/11/05Final report: 10/26/05Certificate: 12/14/05
AIX 5L 5200-05 andPitbull LSPP/EAL4+
Application :01/11/05Final report submitted: 03/06Certificate: 05/16/06
AIX 5300-05 LSPP/EAL4+
Pitbull product Supports P5, P4Certificate: 01/16/07
Pitbull MLS Ported to AIX 5300-03
Pitbull product available tocustomers Dec 31, 05
AIX 5300-04 CAPP/EAL4+Supports P5, P4Certificate: 12/12/06
AIX 6100CAPP/RBPP/LSPP/EAL4+
BSI-DSZ-CC-0461MLS capabilities integrated intostandard AIX product One certification for 3 PPSupports P6, P5, P4VIOS 1.5
Certification HistoryAIX 4.2 C2: Apr 24, 1997AIX 4.3 C2: May 06, 1998AIX 5.2 CAPP/EAL4+: Nov 04, 2002AIX 5.2 ML1 CAPP/EAL4+: Sep 08, 2003POWER4 HW/FW CC EAL4+: Jan 26, 2004AIX 5.2 ML6 CAPP/EAL4+: Dec 14, 2005AIX 5.2 ML5 Pitbull LSPP: May 16, 2006AIX 5.3 ML4 & VIOS CAPP: Dec 12, 2006AIX 5.3 ML5 Pitbull LSPP: Jan 16, 2007POWER6 HW/FW CC EAL4+: Nov 07, 2007
VIOS 1.3 EAL4+Included with AIX 5300-04CAPP/EAL4+Certificate: 12/12/06
POWER6 Hardware EAL4
MicroPartitioningFlexible Service ProcessorBulk Power Components
*All statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.
http://www.bsi.de/zertifiz/zert/aktuelle.htm
Legend
AIX 5L V5.2AIX 5L V5.3AIX V6.1 (Planned)VIOSPOWER6
IBM Confidential
The Best Reliable Partner for High Availability
© IBM Corporation 2008
IBM LPAR Architecture for Power6 received CC IBM LPAR Architecture for Power6 received CC EAL4+ Security Certification at Nov. 7, 2007 !EAL4+ Security Certification at Nov. 7, 2007 !
The new certificatecovers:
– P6 Hypervisor(Micro-Partitioning)
– Flexible ServiceProcessor (FSP)
– Bulk powercomponents
IBM Confidential
The Best Reliable Partner for High Availability
© IBM Corporation 2008
Currently, data is accessible by all kernel code and is subject to corruption by faulty codeSubstantial amount of code, consisting of both IBM and third party code
UserCode
UserData
Files
WS DB2KernelCode
KernelData
JFS2 LVM VMM . . . SCSI ENT FC . . . PPath Artic VxFS . . .
ApplicationAddress Space
AIX Drivers Third Party DriversAIX Kernel
UNIX Kernel Address Space
AIX V6.1 Virtual Memory Protection Domains AIX V6.1 Virtual Memory Protection Domains
AIX Protection Domains will isolate data and protect against corruptionEnabled through POWER6 H/W & provides isolation between subsystems or subsystems classes
Initially provide up to 8 domains w/POWER6 and a larger number with future H/WMore domains brings finer-grain isolation and better protection
Extensible to applications to protect against corruption within the applicationAIX will provide enablement with future H/W to allow applications to exploit domains
UserCode
UserData
Files
WS DB2KernelCode
KernelData
JFS2 LVM VMM . . . SCSI ENT FC . . . PPath Artic VxFS . . .
ApplicationAddress Space
AIX Drivers Third Party DriversAIX Kernel
AIX V6.1 Kernel Address Space
IBM Confidential
The Best Reliable Partner for High Availability
© IBM Corporation 2008
AIX V6.1 Functional Recovery Routines AIX V6.1 Functional Recovery Routines
Improved Operating System Reliability
Kernel issues can be handled without crashing the systemRecovery routines can validate data, diagnose root causeFirst failure data capture for software problems
Staged implementationstarting with AIX 6
Recovery ManagerLimited number of Functional Recovery Routines
MainlineCode
FRR
RecoveryManager
Retrypoint
1. Exception
2. Callback
3. Update
4. Retry
IBM Confidential
The Best Reliable Partner for High Availability
© IBM Corporation 2008
AIX V6.1 Concurrent UpdateAIX V6.1 Concurrent UpdateCapability to put some patches on without rebootingStaged starting with AIX Version 6.1Initial implementation will be via Interim FixesMethod: Functional redirection within the in-memory image of the OS
Suspended
AIX 5L Operating System
Kernel Space
User Space
Kernel Modules Table of Contents
aact
mallocsocket
raschkm_thread
vmmove
Kernel PatchHeap
updated module
Patch Creator
- Resolved Symbols- TOC consistency
Patch Manager
PatchLoader
malloc
Processing:Running
malloc
/unix file
IBM Confidential
The Best Reliable Partner for High Availability
© IBM Corporation 2008
AIX V6.1 Continuous Availability (RAS)AIX V6.1 Continuous Availability (RAS)
Kernel Storage Protection Keys– POWER6™ processor storage protection keys
prevent inadvertent memory overlays in both the kernel and the application space– Storage protection keys application programming interface (API) introduced with AIX V5.3 Technology
Level 06 (5300-06) to support storage protection keys for user space applications– /usr/inlcude/sys/skeys.h header file; Key-Set in Authority Mask Register (AMR)– Enabled by default; smitty skeyctl fastpath
Concurrent Update– 70 - 80 % of kernel / kext code eligible; new interim file type for emgr command– kpatch() functional redirection within the in-memory image of the OS
Paging Space Verification– Improves FFDC capability in respect to paging space data corruption problems– Checksum computed on page out and saved in pinned memory array– Checksum re-computed on page in and compared with value in array
LVM Configuration and Trace Logs– alog -t [ lvmcfg | lvmt | lvmgs ]
Trace Hook Range Expansion– Expanded trace hook ID range from 12 bits to 16 bits: 4096 --> 65536 (- 7680) hooks
IBM Confidential
The Best Reliable Partner for High Availability
© IBM Corporation 2008
AIX V6.1 Continuous Availability (RAS) IIAIX V6.1 Continuous Availability (RAS) II
Component Framework– Granular approach to RAS– Register components to enable specific RAS features such as trace, dump and error checking features– Runtime Error Checking errctrl / Component Trace ctctrl / Component Dump dumpctrl– Persistent component attributes: components not yet created | persist across reboots
-n (now) -p (new) -P (reboot) -x (delete) --> /var/adm/ras/raspertuneComponent Dump
– dumpctrl -qc -c all (interface command to system and component (live) dump)Live Dump
– Components, registered as live dump enabled / Small dumps that do not require system restart– Live dump repository (dumpctl -s) located at /var/adm/ras/livedump / 7 attributes– livedumpstart -c [+]<component>[+]
Firmware Assisted Dump– Minimizing work done by failing OS. Freeze memory and reboot system prior to dump memory to disk– Traditional: before partition re-initialization / FWAD: during partition restart / sysdumpdev -t fw-assisted
Component Trace & Runtime Error Checking– HEA, USB, VMM, MPIO, TCPIP, NFSv4, cachfs, ...
IBM Confidential
The Best Reliable Partner for High Availability
© IBM Corporation 2008
AIX 6 RAS Component FrameworkAIX 6 RAS Component Framework
Component RAS Framework
Component Trace Component DumpRuntime Error Checking
errctrl ctctrl dumpctrl
Live Dump System Dump
Traditional Framework
Minidump
Firmwareassisted
dump
Classicdump
Paralleldump
AIX 6.1POWER6
AIX 5.3TL05
AIX 5.3TL03
AIX
System Trace
LightWeightMemory Trace
CT PrivateBuffersTrace
IBM Confidential
The Best Reliable Partner for High Availability
© IBM Corporation 2008
dumpctrldumpctrl sample outputsample output
# dumpctrl -qc-----------------------------------------------+------+-----------+------------
| Have | Live Dump | System DumpComponent Name |Alias | /level | /level
-----------------------------------------------+------+-----------+------------lvm | NO | ON/3 | ON/3
.rootvg | NO | ON/3 | ON/3.metadata | NO | ON/3 | ON/3
.lvs | NO | ON/3 | ON/3.fslv00 | NO | ON/3 | ON/3.fslv01 | NO | ON/3 | ON/3.fslv02 | NO | ON/3 | ON/3.fslv03 | NO | ON/3 | ON/3.fslv04 | NO | ON/3 | ON/3.fslv05 | NO | ON/3 | ON/3
... lines missing for clarity
IBM Confidential
The Best Reliable Partner for High Availability
© IBM Corporation 2008
ctctrlctctrl sample outputsample output
# ctctrl -c lfs -q -r---------------------------------------+-------+-------+-------+---------------
| Have |Mem Trc|Sys Trc| Buffer sizeComponent name | alias | /level| /level| /Allocated---------------------------------------+-------+-------+-------+---------------lfs | NO | ON/3 | ON/3 | 0/ NO
filesystem._0 | NO | ON/3 | ON/3 | 0/ NO.__1 | NO | ON/3 | ON/3 | 0/ NO._admin_9 | NO | ON/3 | ON/3 | 0/ NO._home_8 | NO | ON/3 | ON/3 | 0/ NO._opt_11 | NO | ON/3 | ON/3 | 0/ NO._proc_10 | NO | ON/3 | ON/3 | 0/ NO._tmp_5 | NO | ON/3 | ON/3 | 0/ NO._usr_2 | NO | ON/3 | ON/3 | 0/ NO._var_4 | NO | ON/3 | ON/3 | 0/ NO
.kdm | NO | ON/3 | ON/3 | 0/ NO
.pile | NO | ON/3 | ON/3 | 0/ NO
# ctctrl -c lfs -q -r---------------------------------------+-------+-------+-------+---------------
| Have |Mem Trc|Sys Trc| Buffer sizeComponent name | alias | /level| /level| /Allocated---------------------------------------+-------+-------+-------+---------------lfs | NO | ON/3 | ON/3 | 0/ NO
filesystem._0 | NO | ON/3 | ON/3 | 0/ NO.__1 | NO | ON/3 | ON/3 | 0/ NO._admin_9 | NO | ON/3 | ON/3 | 0/ NO._home_8 | NO | ON/3 | ON/3 | 0/ NO._opt_11 | NO | ON/3 | ON/3 | 0/ NO._proc_10 | NO | ON/3 | ON/3 | 0/ NO._tmp_5 | NO | ON/3 | ON/3 | 0/ NO._usr_2 | NO | ON/3 | ON/3 | 0/ NO._var_4 | NO | ON/3 | ON/3 | 0/ NO
.kdm | NO | ON/3 | ON/3 | 0/ NO
.pile | NO | ON/3 | ON/3 | 0/ NO
IBM Confidential
The Best Reliable Partner for High Availability
© IBM Corporation 2008
AIX V6.1 NetworkingAIX V6.1 NetworkingNetwork Data Administration Facility (NDAF)
– Integration of NDAF to base AIX V6.1 distribution / new commands– Provides secure centralized management of NFS V4 distributed file systems including data placement,
replication, and data and namespace administration.NFS proxy serving enhancements
– Use an NFS proxy server to potentially extend NFS data access over slower or less reliable networks with improved performance and reduced network traffic to the back-end server where the data resides
– Comprehensive RPCSEC_GSS Kerberos support from client to proxy and back-end communication– NFSv3 exports for back-end NFSv4 exports
Network caching daemon– Network-based applications require resolving an Internet hostname to an IP address and vice-versa– netcd improves performance for resolver lookups & can cache user and group info provided by NIS server
Internet Group Management Protocol Version 3 (IGMPv3)– Used by hosts and multicast routers to establish multicast group memberships within physical network.– AIX V6.1 provides host side function, group member part and not the multicast router– Allows for source filtering: receive packets only from specific source addresses, or from all but specific
source addresses.IPv6 RFC compliances
– RFC 4007 - IPv6 Scoped Address Architecture / RFC 4443 - Internet Control Message Protocol ICMPv6
IBM Confidential
The Best Reliable Partner for High Availability
© IBM Corporation 2008
AIX V6.1 Hardware & Graphics SupportAIX V6.1 Hardware & Graphics Support
AIX V6.1 exclusively supports 64-bitCommon Hardware Reference Platform (CHRP) machines:PowerPC 970, POWER4, POWER5, POWER6
– prtconf | grep ’Processor Type’AIX V6.1 withdrawals support for following processor architectures:RS64, POWER3, 604eAIX V6.1 VMM is enhanced to address a maximum of 32 TB RAM
– Architectural limit in AIX V5.3 used to be 16 TBUniversal Font Scaling Technology (UFST) version 5.0.1 font rasterizer
– Licensed from the Monotype Imaging company (http://www.monotypeimaging.com).– Reads, interprets and processes hinted font data to rapidly generate scaled character bitmaps,
graymaps or grid-aligned outlines.X Window System Version 11 Release 7.1
– AIX V6.1 contains X Windows libraries, headers and some applications updated to X11R7.1– X Window System terminal emulator xterm program / X Display Manager xdm program updated
IBM Confidential
The Best Reliable Partner for High Availability
© IBM Corporation 2008
AIX V6.1 National Language SupportAIX V6.1 National Language Support
Olson Time Zone Support – Zone names by continent or ocean / name of location
Updated ICU4C 3.6– International Components for Unicode
internationalization package www.icu-project.orgUnicode 5.0 compliance
– 99,000 glyphs in total www.unicode.orgAzerbaijani support for AIX
– AZ_AZ 30 million native Azerbaijani speakersMaltese support for AIX
– MT_MT 400.000 people in Republic of MaltaUrdu support for AIX
– UR_IN, UR_PK 100 million people in 20countries using Urdu as first or second language
Welsh locale– CY_GB 20% of Wales population (3 million) speak Welsh
Additional Euro symbol support– Czech Republic, Estonia, Hungary, Latvia, Lithuania, Malta,
Poland, Slovakia, Slovenia, Bulgaria, and Romania
IBM Confidential
The Best Reliable Partner for High Availability
© IBM Corporation 2008
AIX 6 and POWER6AIX 6 and POWER6The next step in the evolution of UNIXThe next step in the evolution of UNIX®®
Mainframe-inspired technologies
Innovative features forvirtualization,security,systems management andreliability, availability, serviceability
Strong future roadmap and IBM commitment
Make No Compromises. Accept No Limitations.