This chapter provides information that you must be aware of when working
with Tru64 UNIX Version 4.0F and TruCluster Software Products Version 1.6 Patch Kit-0008.
1.1 Patch Process Resources
HP provides Web sites to help you with the patching process:
To obtain the latest patch kit for your operating system and cluster software:
To view or print the latest version of the Patch Kit Installation Instructions or the Patch Summary and Release Notes for a specific patch kit:
To visit HP's main support page:
To visit the Tru64 UNIX homepage:
The following storage space is required to successfully install this patch kit:
Base Operating System
Temporary Storage Space
A total of ~250 MB of storage space is required to untar this patch kit. It is recommended that this kit not be placed in the /, /usr, or /var file systems because this may unduly constrain the available storage space for the patching activity.
Permanent Storage Space
Up to ~37 MB of storage space in /var/adm/patch/backup may be required for archived original files if you choose to install and revert all patches. See the Patch Kit Installation Instructions for more information.
Up to ~40 MB of storage space in /var/adm/patch may be required for original files if you choose to install and revert all patches. See the Patch Kit Installation Instructions for more information.
Up to ~2236 KB of storage space is required in /var/adm/patch/doc for patch abstract and README documentation.
A total of ~176 KB of storage space is needed in /usr/sbin/dupatch for the patch management utility.
TruCluster Software Products
Temporary Storage Space
A total of ~250 MB of storage space is required to untar this patch kit. It is recommended that this kit not be placed in the /, /usr, or /var file systems because this may unduly constrain the available storage space for the patching activity.
Permanent Storage Space
Up to ~37 MB of storage space in /var/adm/patch/backup may be required for archived original files if you choose to install and revert all patches. See the Patch Kit Installation Instructions for more information.
Up to ~40 MB of storage space in /var/adm/patch may be required for original files if you choose to install and revert all patches. See the Patch Kit Installation Instructions for more information.
Up to ~2018 KB of storage space is required in /var/adm/patch/doc for patch abstract and README documentation.
A total of ~176 KB of storage space is needed in /usr/sbin/dupatch for the patch management utility.
1.3 Files Listed as UNKNOWN Origin
If you install the latest patch kit, and run the Baselining feature before you install any aggregate patches, you will get the following files listed as having UNKNOWN origin. This does not represent an error with the operating system or any of the layered products. Ignore this message and proceed with the installation.
* list of changed files with unknown origin:
------------------------------------------
./usr/.smdb./AFAADVANCED400.scp_extension OSFBASE440 UNKNOWN
./usr/.smdb./AFAADVANCED401.scp_extension OSFBASE440 UNKNOWN
./usr/.smdb./AFAADVANCED402.scp_extension OSFBASE440 UNKNOWN
./usr/.smdb./AFAADVANCED403.scp_extension OSFBASE440 UNKNOWN
./usr/.smdb./AFAADVANCED404.scp_extension OSFBASE440 UNKNOWN
./usr/.smdb./AFAADVANCED425.scp_extension OSFBASE440 UNKNOWN
./usr/.smdb./AFAADVANCED435.scp_extension OSFBASE440 UNKNOWN
./usr/.smdb./AFAADVMAN400.scp_extension OSFBASE440 UNKNOWN
./usr/.smdb./AFAADVMAN401.scp_extension OSFBASE440 UNKNOWN
./usr/.smdb./AFAADVMAN402.scp_extension OSFBASE440 UNKNOWN
./usr/.smdb./AFAADVMAN403.scp_extension OSFBASE440 UNKNOWN
./usr/.smdb./AFAADVMAN404.scp_extension OSFBASE440 UNKNOWN
./usr/.smdb./AFAADVMAN425.scp_extension OSFBASE440 UNKNOWN
./usr/.smdb./AFAADVMAN435.scp_extension OSFBASE440 UNKNOWN
* no missing files detected
If you want to apply NHD3 on V4.0F then it should be done before the Patch Kit-0008 installation. The installation path of V4.0F to Patch Kit-0008 to NHD3 is not supported in Patch Kit-0008 and may lead to an inconsistent state. The correct installation path is V4.0F to NHD3 to Patch Kit-0008.
1.5 Inclusion of Base Level in tar File Name
With this release, the name of the tar file containing the patch distribution has been expanded to include the baselevel for which this kit was built. This formerly internal baselevel number has become a common way of identifying kits. For complete information, see Section 1.3 of the Patch Kit Installation Instructions.
1.6 Release Note for TruCluster Server
If you are installing only TCR patches, you MUST rebuild the kernel and reboot the machine for the changes to take effect. If removing only TCR patches, you MUST also rebuild the kernel and reboot the machine for the changes to take effect.
1.7 Release Note for DEC 7000 Upgrades to AlphaServer 8400
This release note concerns systems that were upgraded from DEC 7000 to AlphaServer 8400 that have not installed the DWLPA-AA, DWLPB-AA, or the KFTIA. These are the I/O enhancements for the AlphaServer 8400.
Add the following information to the /sys/conf/SYSTEMNAME file:
bus tiop0 at tlsb0 vector tioperror
bus pci0 at tiop0 slot 0
callout after_c "../bin/mkdata pci"
bus isp0 at pci0 slot 0 vector ispintr
controller scsi0 at isp0 slot 0
You must do this on every reconfiguration of the system.
1.8 Release Notes for Tru64 UNIX Patches 476.00 and 351.00
The following release notes provide Visual Threads Upgrade information and updated information for the quotacheck(8), fsck(8), and fstab(4)
1.8.1 Visual Threads Upgrade Required
Visual Threads users will need to upgrade to the latest version of Visual Threads for the race detection rules to work. The Visual Threads upgrade is available from http://www.tru64unix.compaq.com/visualthreads and will be available in the next Developer's Toolkit Supplement.
1.8.2 quotacheck(8), fsck(8), and fstab(4) Reference Pages
quotacheck(8) Reference Page Update
SYNOPSIS
/usr/sbin/quotacheck [-guv] filesystem ...
OLD> /usr/sbin/quotacheck -a [-guv] [-l number]
NEW> /usr/sbin/quotacheck -a [-guv] [-l number] [-t [no]type]
FLAGS
OLD> -a Checks all file systems identified in the /etc/fstab file
as read/write with disk quotas.
NEW> -a Checks all UFS and AdvFS file systems identified in the
/etc/fstab file as read/write with userquota and/or
groupquota options specified, and a pass number of 1 or
greater. If the -t option is specified, only the file systems
of the specified type will be checked. Alternatively, if
type is prefixed with 'no', then the valid file systems in
the /etc/fstab file that do not have that type will be
checked.
OLD> -l number Specifies the number of times to perform disk quota
checking.
NEW> -l number Specifies the maximum number of parallel quotacheck
processes to run at one time.
NEW> -t [no]type
NEW> Specifies the file system type. The supported file systems are
as follows:
advfs - Advanced File System (AdvFS)
ufs - UNIX File System (UFS)
See fstab(4) for a description of file system types. If
the 'no' prefix is used, all of the above file types
except the one specified are checked.
Note, the -t flag is only valid when used with the -a flag.
DESCRIPTION
OLD> The quotacheck command examines each specified file system, builds a
table of current disk usage, and compares this table against that
stored in the disk quota file for the file system. If any
inconsistencies are detected, both the quota file and the current
system copy of the incorrect quotas are updated. Each file system
must be mounted with quotas enabled.
NEW> The quotacheck command examines each specified file system, builds a
table of current disk usage, and compares this table against that
stored in the disk quota file for the file system. If any
inconsistencies are detected, both the quota file and the current
system copy of the incorrect quotas are updated.
OLD> The quotacheck command runs parallel passes on file systems using
the number specified in the fsck field of the file system's entry in
the /etc/fstab file. The quotacheck command only checks file
systems with pass number 1 or higher in the fsck field. A file
system with no pass number is not checked.
NEW> The quotacheck -a command runs parallel passes on file systems using
the number specified in the /etc/fstab pass number field. The
quotacheck command only checks file systems with pass number 1 or
higher in the fsck field. A file system with no pass number is
not checked.
OLD> For both UFS file systems and AdvFS filesets, you should assign the
root file system a fsck field value of 1, and a value of 2 or
higher to other file systems. See fstab(4) for more information.
NEW> For both UFS file systems and AdvFS filesets, you should assign the
root file system a pass number of 1, and a value of 2 or higher
to other file systems. See fstab(4) for more information.
OLD> The quotacheck command checks only file systems that have the
userquota or groupquota option specified in the /etc/fstab file.
NEW> The quotacheck command checks only file systems that are mounted.
UFS file systems must also have userquota and/or groupquota options
specified in the /etc/fstab file. The userquota and groupquota
options are only needed for AdvFS file systems if quotas are
actually going to be enforced or if they are to be selected with the
-a option.
fsck(8) Reference Page Update
OLD> When the system boots, the fsck program is automatically
run with the -p flag. The program reads the /etc/fstab file to
determine which file systems to check. Only partitions that
are specified in the fstab file as being mounted ``rw'' or
``ro'' and that have a non-zero pass number are checked.
File systems that have a pass number 1
(usually only the root file system) are checked one at a time.
When pass 1 completes, all the remaining file systems are
checked, with one process running per disk drive.
NEW> When the system boots, the fsck program is automatically
run with the -p flag. The program reads the /etc/fstab file to
determine which file systems to check. Only partitions that
are specified in the fstab file as being mounted ``rw'' or
``ro'' and that have a non-zero pass number are checked.
File systems that have a pass number 1
(usually only the root file system) are checked one at a time.
When pass 1 completes, the remaining pass numbers are processed
with one parallel fsck process running per disk drive in the
same pass.
NEW> The per disk drive logic is based on the /dev/disk/dsk0a
syntax where different partition letters are treated as being
on the same disk drive. Partitions layered on top of an LSM
device may not follow this naming convention. In this case
unique pass numbers in /etc/fstab may be used to sequence fsck
checks.
fstab(4) Reference Page Update
userquota [=filename] and groupquota [=filename]
If quotas are to be enforced for users or groups,
one or both of the options must be specified. If
userquota is specified, user quotas are to be enforced.
If groupquota is specified, group:
OLD> quotas are to be enforced.
NEW> quotas are to be enforced (also see quotaon and quotaoff(8)).
OLD> For UFS file systems, the sixth field (fsck) is used by
the fsck command to determine the order in which file system
checks are done at reboot time. For the root file system,
specify 1 in the fsck field. For other UFS file systems,
specify 2 or higher in the fsck field. Each UFS file system
should have a unique fsck value.
NEW> For UFS file systems, the sixth field (pass number) is
used by the fsck and quotacheck commands to determine the
order in which file system checks are done at reboot time.
For the root file system, specify 1 in the fsck field. For
other UFS file systems specify 2 or higher in the pass number
field.
OLD> For AdvFS filesets, the sixth field is a pass number
field that allows the quotacheck command to perform all of the
consistency checks needed for the fileset. For the root file
system, specify 1 in the fsck field. Each AdvFS fileset in
an AdvFS file domain should have a unique fsck value, which
should be 2 or higher.
NEW> For AdvFS filesets, the sixth field is a pass number
field that allows the quotacheck command to perform all of the
consistency checks needed for the fileset. For the root file
system, specify 1 in the fsck field. For other AdvFS file
systems specify 2 or higher in the pass number field.
OLD> File systems that are on the same disk are checked
sequentially, but file systems on different disks are
checked at the same time to utilize parallelism available
in the hardware. If the sixth field is not present or zero,
a value of 0 is returned and the fsck command
assumes that the file system does not need to be checked.
NEW> File systems that are on the same disk or domain are checked
sequentially, but file systems on different disks or
domains but with the same or greater than 1 pass number are
checked at the same time to utilize parallelism available in
the hardware. When all the file systems in a pass have
completed their checks, then the file systems with the
numerically next higher pass number will be processed.
NEW> The UFS per disk drive logic is based on the
/dev/disk/dsk0a syntax where different partition letters
are treated as being on the same disk drive. Partitions
layered on top of an LSM device may not follow this naming
convention. In this case unique pass numbers may be used
to sequence fsck and quotacheck processing. If the sixth
field is not present or zero, a value of 0 is returned
and the fsck command assumes that the file system does
not need to be checked.
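The pass-number ordering described in the updated fsck(8), quotacheck(8) and fstab(4) text, worked through as an added example; this is not code from the release notes or from HP. The sample fstab, the function names, the restriction of the fsck selection to UFS entries, and the choice to give any device that does not match /dev/disk/dskNx its own lane are assumptions.

```python
import re

# Constructed sample /etc/fstab for illustration (not from a real system).
# Fields: device, mount point, type, options, backup frequency, pass number.
SAMPLE_FSTAB = """\
# constructed example
/dev/disk/dsk0a        /        ufs   rw            1 1
/dev/disk/dsk1a        /data1   ufs   rw,userquota  0 2
/dev/disk/dsk1g        /data2   ufs   rw            0 2
/dev/disk/dsk2c        /data3   ufs   ro            0 2
data_domain#users      /users   advfs rw,userquota  0 2
data_domain#proj       /proj    advfs rw,groupquota 0 2
/dev/vol/rootdg/vol01  /lsm1    ufs   rw,userquota  0 3
/dev/disk/dsk3c        /scratch ufs   rw
/dev/disk/dsk0b        swap1    ufs   sw            0 2
"""

# Partition letters on the same dskN are treated as the same disk drive.
DSK_RE = re.compile(r"^/dev/disk/(dsk\d+)[a-z]$")


def parse_fstab(text):
    """Return one dict per entry; a missing sixth field counts as pass 0."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        entries.append({
            "spec": fields[0], "mount": fields[1], "type": fields[2],
            "opts": fields[3].split(","),
            "pass": int(fields[5]) if len(fields) > 5 else 0,
        })
    return entries


def lane(entry):
    """Key for 'same disk or domain'; entries sharing a key run sequentially."""
    if entry["type"] == "advfs":
        return entry["spec"].split("#", 1)[0]   # AdvFS domain name
    m = DSK_RE.match(entry["spec"])
    # Assumption: a device outside the dskNx convention (an LSM volume,
    # for example) is treated as a lane of its own.
    return m.group(1) if m else entry["spec"]


def fsck_selected(e):
    """rw or ro with a non-zero pass number (assumption: UFS entries only)."""
    return (e["type"] == "ufs" and e["pass"] > 0
            and ("rw" in e["opts"] or "ro" in e["opts"]))


def quotacheck_a_selected(e, fstype=None):
    """quotacheck -a [-t [no]type] selection as described in the NEW text."""
    if e["type"] not in ("ufs", "advfs") or e["pass"] < 1 or "rw" not in e["opts"]:
        return False
    if not any(o.split("=")[0] in ("userquota", "groupquota") for o in e["opts"]):
        return False
    if fstype is None:
        return True
    if fstype.startswith("no"):
        return e["type"] != fstype[2:]
    return e["type"] == fstype


def schedule(entries, selected):
    """Return [(pass_number, lanes)] in execution order.

    Each lane is a list of mount points checked one after another; the
    lanes of one pass run in parallel. Pass 1 is a single lane because
    its file systems are checked one at a time.
    """
    by_pass = {}
    for e in filter(selected, entries):
        by_pass.setdefault(e["pass"], []).append(e)
    plan = []
    for passno in sorted(by_pass):
        if passno == 1:
            lanes = [[e["mount"] for e in by_pass[passno]]]
        else:
            grouped = {}
            for e in by_pass[passno]:
                grouped.setdefault(lane(e), []).append(e["mount"])
            lanes = list(grouped.values())
        plan.append((passno, lanes))
    return plan


def off_convention(entries):
    """UFS entries with a pass number whose device is not /dev/disk/dskNx.

    These are the cases where the text suggests unique pass numbers.
    """
    return [e["mount"] for e in entries
            if e["type"] == "ufs" and e["pass"] > 0
            and not DSK_RE.match(e["spec"])]


if __name__ == "__main__":
    fs = parse_fstab(SAMPLE_FSTAB)
    print("fsck:", schedule(fs, fsck_selected))
    print("quotacheck -a:", schedule(fs, quotacheck_a_selected))
    print("review pass numbers for:", off_convention(fs))
```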
1.9 Release Note for Tru64 UNIX Patch 315.00
This is a release note for the Enhanced Round Robin Sequential Read Patch.
If the system configurable parameter lsm:lsm_V_ROUND_enhanced is set (value = 1) the enhanced read round robin policy is activated. This new policy stores the last block accessed by the previous I/O request. When returning for another block in round robin (V_ROUND) mode, that value is compared to the current read. If it is within a predefined, user-configurable value (lsm:lsm_V_ROUND_enhance_proximity), then the same plex is used. Otherwise the next plex is used as for a normal round robin behavior.
The two new additional tunable parameters are lsm_V_ROUND_enhanced, set to 1 by default (V_ROUND read is activated), and lsm_V_ROUND_enhance_proximity, set to 512 by default.
Append any tuning changes to /etc/sysconfigtab. See the TUNING notes below for a description of the new lsm_V_ROUND_enhanced and lsm_V_ROUND_enhance_proximity tunables. These tunables are configured in the lsm stanza. For example:
lsm:
lsm_V_ROUND_enhanced = 1
lsm_V_ROUND_enhance_proximity = 1024
Note
If you already have an lsm stanza in your sysconfigtab file, add the two lsm_V_ROUND entries.
TUNING
The purpose of this patch is to increase performance with sequential reads. This patch introduces a new enhanced round robin mode where the last block read is now compared to the next block to read and a check is added to see if last block number - next block number is less than or equal to lsm_V_ROUND_enhance_proximity. If it is, read from the same plex. This is to attempt to hit the disk cache, and so increase performance.
The relevant tunable variables are as follows:
lsm_V_ROUND_enhanced
This variable activates the new enhanced round robin read policy if it is set to TRUE (1). Otherwise the policy is deactivated.
DEFAULT = 1
lsm_V_ROUND_enhance_proximity
This variable provides the proximity in which the last read and new read must lie in an attempt to read data from the disk's cache by reading from the same plex. The variable can be adjusted from 0 to 4096.
DEFAULT = 512
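The plex selection rule described in this release note, simulated as an added example; this is not LSM code. The function names and read traces are constructed, and the simulation assumes one block number per read, an absolute block distance, and plex 0 for the first read.

```python
def choose_plexes(blocks, n_plexes=2, enhanced=1, proximity=512):
    """Return the plex index used for each read in `blocks`.

    enhanced and proximity stand in for lsm_V_ROUND_enhanced and
    lsm_V_ROUND_enhance_proximity.
    """
    choices, plex, last = [], 0, None
    for blk in blocks:
        near = last is not None and abs(last - blk) <= proximity
        if last is not None and not (enhanced and near):
            plex = (plex + 1) % n_plexes   # normal round robin step
        choices.append(plex)
        last = blk                          # only one "last block" is kept
    return choices


def interleave(*streams):
    """Merge several read streams the way concurrent readers would arrive."""
    return [blk for group in zip(*streams) for blk in group]


# Constructed traces (block numbers).
SEQUENTIAL = [0, 128, 256, 384, 512, 640]
WIDE_STRIDE = [0, 1024, 2048, 3072]
TWO_READERS = interleave([0, 128, 256], [900000, 900128, 900256])

if __name__ == "__main__":
    print(choose_plexes(SEQUENTIAL))                   # stays on one plex
    print(choose_plexes(SEQUENTIAL, enhanced=0))       # plain round robin
    print(choose_plexes(WIDE_STRIDE))                  # stride > 512: alternates
    print(choose_plexes(WIDE_STRIDE, proximity=1024))  # stride now within range
    print(choose_plexes(TWO_READERS, n_plexes=3))      # far-apart streams rotate
```

The last trace shows the limit of keeping a single last-block value: two sequential readers far apart on the volume never satisfy the proximity check against each other, so every read moves to the next plex.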
1.10 Release Note for Tru64 UNIX Patch 351.00
For more information about the functionality provided and special installation instructions related to this patch, please refer to the online README file located at:
http://www.service.digital.com/patches/
From this directory, click on the following link:
duv40fwlseco2.README
Note
It may be necessary to navigate additional directories below this top-level URL to find the specific README file related to this patch.
1.11 Release Note for Tru64 UNIX Patch 592.00
This patch contains a solution for the following issue:
HP has advised owners of DS10, DS10L, ES40 AlphaServers, and XP900 AlphaStations that HP has determined in laboratory testing that there is a theoretical possibility that during read and write operations to the floppy disk on these systems, a single byte of data may be inaccurately read or written without notice to the user or system. The potential for this anomaly exists only if floppy disk read or write operations are attempted while there is extremely heavy traffic on these Alpha systems' internal input/output busses.
Although HP has observed the anomaly only in laboratory tests designed to create atypical system stresses, including almost constant use of the floppy disk drive, HP has informed owners of the remote possibility that the anomaly could occur so that they may take precautions to prevent it.
HP recommends that the solution be installed by all DS10, DS10L, ES40 AlphaServers, and XP900 AlphaStation customers.
The solution to this issue is also available as an individual, manually installed patch kit named floppy_CSP_v40g.tar.gz, available from:
http://ftp1.support.compaq.com/public/unix/v4.0g
1.12 Release Note for Tru64 UNIX Patches 1197.00 and 1199.00
This patch delivers version V1.0-032 of the libots3 library. Version 2.0 of the libots3 library is delivered with the Compaq FORTRAN Compiler, Versions 5.3 ECO1 and 5.4, or the Developers Tool Kit (DTK) (OTABASE subset). If libots3 V2.0 is already installed on your system, and you install this patch, you will receive the following informational message:
Problem installing:
- Tru64_UNIX_V4.0F / Software Development Environment
Patches:
Patch 00XXX.00 - Fix for parallel processing support
library
./usr/shlib/libots3.so: is installed
by:
OTABASE212
and can not be replaced by this patch.
This patch will not be installed.
To determine what version of libots3 library is installed on your system, execute the following command:
# what /usr/shlib/libots3.so
libots3.so:
libots3.a V2.0-094 GEM 27 Feb 2001
1.13 Release Note for Tru64 UNIX Patch 1331.00
This patch provides the X server support for the new 3DLabs Oxygen VX1 PCI graphics card. In order to obtain full support for this graphic card, you must also select Patch 1493.00, which is the driver portion of the patch.
A list of supported platforms is available on the following web page:
http://www.compaq.com/alphaserver/products/options.html
1.14 Release Note for Tru64 UNIX Patch 1414.00
This release note contains the new fixfdmn(8)
NAME
fixfdmn - Checks and repairs corrupted AdvFS domains
SYNOPSIS
/sbin/advfs/fixfdmn [-mtype[,type]...] [-d directory] [-v number] [-a [-c]
| -n] [-s {y | n}] [domain] [fileset]
/sbin/advfs/fixfdmn -u directory domain
OPTIONS
-a Specifies that after repairing what it can, fixfdmn will attempt to
activate the domain at the end of the run. This option cannot be used
with the -n option.
-c Removes any clone filesets. This option is only valid if used with the
-a option.
-d directory
Specifies a directory to which the message log and undo files will be
written. If the -d option is not used, the message and undo log files
are put in the current working directory. The message log file is named
fixfdmn.<domain>.log and the two undo files are named undo.<domain>.<#>
and undoidx.<domain>.<#> where # will cause a number to be appended to
the filenames to make them unique. The numbers will be rotated sequentially
from 0 (zero) through 9 if multiple undo files are created for
the same domain. The undo file will have the same ending number as its
corresponding undo index file.
-m type[,type...]
Specifies a list of types of metadata, one or more of which can be
checked and repaired. The valid types are log, sbm, sync, bmt, frag,
quota and files. If you specify the fileset parameter, sync, log, sbm,
and bmt are made invalid types for the -m option. If you do not specify
-m, the default is to check all types.
sync
Corrects the magic number and synchronizes data across volumes (for
example, volume numbers, mount ids, mount states, domain ids, and
so on.)
log Resets the transaction log so it is not processed.
sbm Synchronizes the sbm to the information in the bmt.
bmt Corrects the bmt.
frag
Corrects frag file groups and free lists and ensures that all file
frags reside in the frag file.
quota
Checks and corrects sizes of quota files.
files
Verifies that directory metadata is correct.
-n Specifies that fixfdmn will check the domain and not do any repairs. It
will report what problems were found and how it would have fixed them.
-s {y | n}
Specifies that "yes" or "no" should be answered to prompts when run
from a script.
-u directory
Restores the domain to its previous state by undoing the effects of the
last run of fixfdmn, using the most recent undo files in the specified
directory.
-v number
Specifies the verbose mode level which controls the messages printed to
stdout.
0 = Only error messages
1 = (Default) Progress, errors and summary messages
2 = Progress messages, detailed error messages, fix information and
summary messages
OPERANDS
domain
The name of a corrupted domain to repair.
fileset
The name of the fileset to repair if only one fileset in this domain
exhibits errors. You may tell fixfdmn to check only that fileset and
not specifically look for errors in other filesets.
DESCRIPTION
The fixfdmn utility checks and repairs corrupt AdvFS domains and filesets.
The fixfdmn utility is primarily concerned with fixing problems that have a
limited scope. When a large portion of the domain is corrupted, there is
very little fixfdmn can do, so it will recommend restoring data from backup
or running the salvage(8) command.
The fixfdmn utility uses the on-disk metadata to determine what corruptions
exist in the domain. Only metadata will be repaired, as there is currently
no way to check or repair the contents of users files. Only those problems
which prevent mounting the domain, or would result in a domain or system
panic, will be repaired.
After major areas of metadata are checked, and if a corruption was fixed,
fixfdmn will prompt the user to determine if they want to continue looking
for additional corruption.
If fixfdmn detects an error in a clone fileset, the clone is marked out of
sync and should not be used.
If fixfdmn cannot recover the metadata for a specific file, the file may be
truncated, moved, or deleted depending on the situation. The fixfdmn utility
will attempt to save as much of a file as possible.
Every page fixfdmn changes will be saved to an undo file. If the user does
not like the results of running fixfdmn, the user can undo the changes by
running fixfdmn again with the -u option. If the file system containing the
undo files runs out of space during the fixfdmn run, the user will be
prompted on how to proceed. The user will have the option to continue
without the undo files, to continue adding more space to the domain
containing the undo files, or to exit.
Use the -m type option when you have information from a system/domain panic
or output from verify or other tools which indicate where the corruption
may be. This option limits the scope of what is checked and repaired.
NOTES
The fixfdmn command will always clear the transaction log, even on a
non-corrupt domain, unless the -n option is specified.
There must be a domain entry for this domain in /etc/fdmns. The fixfdmn
command opens the block devices specified for the volumes in /etc/fdmns.
If you need to repair the root domain, you must boot from CD-ROM and create
the entry for the root domain under /etc/fdmns.
RESTRICTIONS
You must be root to run fixfdmn.
The fixfdmn command requires that the domain specified will have no
filesets mounted.
Although fixfdmn may report success, it does not guarantee that all
corruptions have been eliminated.
If a domain is mounted and written to after being repaired by fixfdmn,
using the fixfdmn utility with the -u option will likely cause corruptions.
EXIT STATUS
0 (Zero)
Success.
1 Corrupt
Unable to repair all found corruptions
2 Failure
Program or system error
FILES
/etc/fdmns
Contains AdvFS domain directories and locks.
SEE ALSO
Commands: salvage(8), umount(8), verify(8), vrestore(8)
1.15 Release Note for Tru64 UNIX Patch 1320.00 and 1323.00
This patch updates the BIND version from V4 to V8.3.4 in order to provide a more secure version of BIND. In particular, it addresses the vulnerability described in SSRT2400, for which HP had previously published a workaround.
The BINDv8 shipped here does not include the dnskeygen utility and thus cannot generate its own transaction keys. However, it can be configured to participate as a slave in a zone transfer that uses transaction keys.
BINDv8 uses a configuration file with a different name and format than that of BINDv4. The /usr/sbin/named-bootconf utility will convert the BINDv4 named.boot file to a BINDv8 named.conf file.
After installing this patch, you must use the /usr/sbin/named-bootconf utility to convert your configuration file. Connect to the directory that contains the named.boot file, normally /etc/namedb, then run the conversion utility as shown:
/usr/sbin/named-bootconf < /etc/namedb/named.boot > /etc/namedb/named.conf
Then use /usr/sbin/rcmgr to insert the correct configuration filename in the BIND starting arguments, as shown:
/usr/sbin/rcmgr set BIND_SERVERARGS -c /etc/namedb/named.conf
At this point you may now stop the old server (if you have not already), and start the new named. Use these commands:
/sbin/init.d/named stop
/sbin/init.d/named start
If at any time you rerun bindsetup or bindconfig, make sure to run these /usr/sbin/named-bootconf and /usr/sbin/rcmgr commands again afterward.
Updated versions of the BIND Configuration Guide and the Network Administration: Services guide can be found on the Tru64 UNIX documentation website, http://h30097.www3.hp.com/docs/pub_page/doc_list.html.
Updated reference pages ship with this patch kit.
1.16 Release Note for Tru64 UNIX Patch 1421.00
A new Russian keyboard comes with 5 extra keycaps. To enable any of the extra keycaps, you will need to modify the /usr/lib/X11/xkb/symbols/digital_russian file. For example,
// KEY <AD09> can be replaced by an extra keycap.
// If you replace it with the extra keycap, please uncomment
// the following definition and comment out the original one.
//
// key <AD09> {
//     symbols[Group1]= [ o, O ],
//     symbols[Group2]= [ Ukrainian_i, Ukrainian_I ]
// };
key <AD09> {
    symbols[Group1]= [ o, O ],
    symbols[Group2]= [ Cyrillic_shcha, Cyrillic_SHCHA ]
};
1.17 Release Notes for Tru64 UNIX Patch 1493.00
This section contains release notes for Patch 1493.00.
1.17.1 Update to the getsockopt(2), accept(2), getsockname(2), getpeername(2)
This patch updates the getsockopt(2), accept(2), getsockname(2), getpeername(2)
The option_value or option_len parameter is invalid; or the socket is shut down.
These changes were not made to the online reference pages.
1.17.2 New Security Feature, No Execute Heap/Data
Caution
Read this release note completely and execute the /usr/sbin/javaexecutedata script before enabling this feature.
This patch kit introduces a new security feature called no execute heap/data, similar in concept to Tru64 UNIX's executable stack protection. When enabled, the feature prevents the execution of instructions that reside in heap or other data areas of process memory, providing additional protection against buffer overflow exploits.
In a buffer overflow exploit, an attacker feeds a privileged program an unexpectedly large volume of carefully constructed data through inputs such as command-line arguments and environment variables. If the program is not coded defensively, the attacker can overwrite areas of memory adjacent to the buffer. Depending upon the location of the buffer (stack, heap, data area), the attacker can deceive these programs into executing malicious code that takes advantage of the program's privileges, or alter a security-sensitive program variable to redirect program flow. Such an attack can be used to gain root access to the system.
Enabling the executable_data tunable changes a potential system compromise into, at worst, a denial of service attack. A vulnerable program may still contain a buffer overflow, but an exploit that writes an instruction stream into the buffer and attempts to transfer control to those instructions will fail, because memory protection will prohibit instruction execution from that area of memory.
The new feature is implemented as a dynamic sysconfig tunable, executable_data, in the proc subsystem. The supported settings allow a system administrator to cause requests from privileged processes for writable and executable memory to fail, or to be treated as a request for writable memory, and to optionally generate a message when such a request occurs.
Many applications unnecessarily request write-execute memory directly, or because of the default of some underlying function acting on their behalf, but never execute from the memory. By substituting writable memory for the requested write-execute memory, the executable_data tunable allows such applications to benefit from the additional protection without requiring application modification.
Five settings are supported for the executable_data tunable:
Disabled, the default setting. All processes may allocate writable and executable memory.
The recommended setting. When a process executing as root or a process running a setuid application requests writable, executable memory, the request succeeds but the process receives only writable memory. No message is generated.
When a process executing as root or a process running a setuid application requests writable, executable memory, the request fails with an EACCES status and no message is generated.
When a process executing as root or a process running a setuid application requests writable, executable memory, the request succeeds, the process receives only writable memory, and a message is generated.
When a process executing as root or a process running a setuid application requests writable, executable memory, the request fails with an EACCES status and a message is generated.
No other settings are supported. Attempting to use unsupported settings can cause unexpected and undesirable application behavior.
Note
Before changing executable_data from the default value of 0, you must run the /usr/sbin/javaexecutedata script. Otherwise, privileged Java applications will fail in unpredictable ways. The Java language does not compile programs, but instead interprets them as they run. Unless marked as exempt, privileged applications written in Java will receive an error when they attempt to execute instructions residing in the unexecutable memory. The manner in which they handle the error is application-specific and thus unpredictable. If you plan to enable the executable_data tunable, you MUST use the /usr/sbin/javaexecutedata script.
Privileged Pascal programs that use non-local gotos may also fail. Such programs should also be marked as exempt, using the new chatr utility as follows:
$ chatr +ed enable priv_pascal_executable
current values:
64-bit COFF executable
execute from data: disabled
new values:
64-bit COFF executable
execute from data: enabled
This example demonstrates the failing behavior to expect for privileged processes if you set executable_data to 53 but do not run the /usr/sbin/javaexecutedata script. Other Java applications run with privilege may exhibit different (but still failing) behavior.
# java -classic -jar SwingSet2.jar
Process 1185 Invalid write/execute mmap call denied.
Process 1185 Invalid write/execute mmap call denied.
Process 1185 Invalid write/execute mmap call denied.
(...)
Process 1185 Invalid write/execute mmap call denied.
Process 1185 Invalid write/execute mmap call denied.
**Out of memory, exiting**
This example demonstrates the failing behavior to expect for privileged processes if you set execute_data to 37 but do not run the /usr/sbin/javaexecutedata script. Other Java applications run with privilege may exhibit different (but still failing) behavior.
# java -classic -jar SwingSet2.jar
Process 1185 Invalid write/execute mmap call modified.
Process 1185 Invalid write/execute mmap call modified.
(...)
Process 1185 Invalid write/execute mmap call modified.
Process 1185 Invalid write/execute mmap call modified.
Process 1185 Invalid write/execute mmap call modified.
SIGSEGV 11* segmentation violation
(...)
Abort (core dumped)
A potential security vulnerability has been discovered, where under certain circumstances, system integrity may be compromised. This may be in the form of improper file access. HP has corrected this potential vulnerability.
In addition the following changes were made:
shell inline input files are more secure
sh noclobber and new constructs added
Updated sh, csh and ksh
The updated shells in this kit all implement the following changes when processing shell inline input files:
File permissions allow only read and write for owner
If excessive inline input file name collisions occur, the following error message will be returned:
Unable to create temporary file
sh noclobber option and >| , >>| constructs added
A noclobber option similar to that already available with csh and ksh has been added to the Bourne shell. When the noclobber option is used (set -C), the shell behavior for the redirection operators > and >> changes as follows:
For > with noclobber set, sh will return an error rather than overwrite an existing file. If the specified file name is actually a symlink, the presence of the symlink satisfies the criteria "file exists" whether or not the symlink target exists, and sh returns an error. The >| construct will suppress these checks and create the file.
For >> with noclobber set, output is appended to the tail of an existing file. If the file name is actually a symlink whose target does not exist, sh returns an error rather than create the file. The >>| construct will suppress these checks and create the file.
ksh noclobber behavior clarified
For > with noclobber set, ksh returns an error rather than overwrite an existing file. If the file name is actually a symlink, the presence of the symlink satisfies the criteria "file exists" whether or not the symlink target exists, and ksh returns an error. The >| construct will suppress these checks and create the file.
For >> with noclobber set, output is appended to the tail of an existing file. If the file name is actually a symlink to a non-existent file, ksh returns an error.
csh noclobber behavior clarified
For > with noclobber set, csh returns an error rather than overwrite an existing file. If the file name is actually a symlink, the presence of the symlink satisfies the criteria "file exists" whether or not the symlink target exists, and csh returns an error. The >! construct will suppress these checks and create the file.
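The > and >| behavior described above for sh and ksh can be checked on a current POSIX shell with the following script, which is an added example and not part of the patch kit documentation. It assumes a modern sh or bash rather than the patched Tru64 shells, uses constructed file names under a mktemp directory, and leaves out >> and the Tru64-specific >>| construct, whose handling differs between shells.

```shell
#!/bin/sh
# Added example (not from the patch kit): exercises noclobber ("set -C") with
# ">" and ">|" on a modern POSIX shell. All paths are constructed sample data.

# try_write MODE PATH: attempt the redirection in a subshell with noclobber on.
# Returns 0 if the shell performed the write, non-zero if it refused.
try_write() {
    (
        set -C
        case $1 in
            plain) echo new > "$2" ;;
            force) echo new >| "$2" ;;
        esac
    ) 2>/dev/null
}

# verdict MODE PATH: print "written" or "blocked" for one attempt.
verdict() {
    if try_write "$1" "$2"; then echo written; else echo blocked; fi
}

# noclobber_demo: build the three cases the text walks through and report
# what the shell did with each one.
noclobber_demo() {
    d=$(mktemp -d) || return 1
    echo old > "$d/existing"            # ordinary existing file
    ln -s "$d/existing" "$d/link"       # symlink whose target exists
    ln -s "$d/missing" "$d/dangling"    # symlink whose target does not exist

    r_existing=$(verdict plain "$d/existing")
    r_link=$(verdict plain "$d/link")
    r_dangling=$(verdict plain "$d/dangling")

    # Refused writes must leave the old data intact and must not have
    # created the dangling symlink's target behind the caller's back.
    if [ "$(cat "$d/existing")" = old ] && [ ! -e "$d/missing" ]; then
        untouched=yes
    else
        untouched=no
    fi

    # ">|" suppresses the checks: the write follows the symlink and
    # creates its target.
    r_force=$(verdict force "$d/dangling")
    if [ -f "$d/missing" ]; then created=yes; else created=no; fi

    rm -rf "$d"
    echo "existing=$r_existing link=$r_link dangling=$r_dangling untouched=$untouched force=$r_force created=$created"
}

noclobber_demo
```

The last two fields show why >| deserves care in privileged scripts: with the checks suppressed, the write lands wherever a pre-existing symlink points.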
1.17.4 New sys_check Reference Page
NAME
sys_check, runsyscheck - Generates system configuration information and
analysis
SYNOPSIS
/usr/sbin/sys_check [options...]
OPTIONS
-all
Lists all subsystems, including security information and setld inven-
tory verification. This option may take a long time to complete.
-debug
Outputs debugging information to stderr (standard error output).
-escalate [ xx ]
Creates escalation files for reporting problems to your technical sup-
port representative. This option produces one file,
TMPDIR/escalate.tar unless there are crash dump files; if so,
it also creates two other files: TMPDIR/escalate_vmunix.xx.gz
and TMPDIR/escalate_vmcore.xx.gz. If you use the -escalate
option, sys_check runs with the -noquick option and collects the output
in the escalate.tar file. Optionally, you can specify a number (xx)
with the -escalate option to define a crash number.
See also the ENVIRONMENT VARIABLES section for information on how you
can set the value of TMPDIR.
-evm
Generates Event Manager (EVM) warnings. When EVM is configured, warn-
ings are posted as EVM events identified by the string
sys.unix.sys_check.warning. Six levels of priority ranging from 0-500
are used, as follows:
+ 0 - Information only.
+ 100 - Note
+ 200 - Tuning Note
+ 300 - Tuning Suggestion
+ 400 - Operational
+ 500 - Warning
-frame
Produces frame HTML output, which consists of three files:
sys_checkfr.html, sys_checktoc.html, and sys_check.html (unless you
specify a different file name with the -name option). This option
cannot be used with the -nohtml option. The following options are
available for use with the -frame option:
-name name
Specifies the name to use for the frame files output. The default
name is sys_check.
-dir name
Sets the directory for the frames output. Used only with the
-frame option. The default is the current directory (.).
-help or (-h)
Outputs help information.
-nohtml
Produces text output, consisting of one text file, instead of the
default HTML output. This option cannot be used with the -frame option.
-noquick
Outputs configuration data and the setld scan. Excludes security
information.
-perf
Outputs only performance data and excludes configuration data. This
option takes less time to run than others.
-v Displays the sys_check version number.
-warn
Executes only the warning pass. This option takes less time to run than
other options.
-nowarn
Executes only the data gathering pass.
DESCRIPTION
The sys_check utility is a system census and configuration verification
tool that is also used to aid in diagnosing system errors and problems. Use
sys_check to create an HTML report of your system's configuration (software
and hardware). The size of the HTML output that is produced by the
sys_check utility is usually between .5 MB and 3 MB.
The sys_check utility also performs an analysis of operating system parame-
ters and attributes such as those that tune the performance of the system.
The report generated by sys_check provides warnings if it detects problems
with any current settings. Note that while sys_check can generate hundreds
of useful warnings, it is not a complete and definitive check of the health
of your system. The sys_check utility should be used in conjunction with
event management and system monitoring tools to provide a complete overview
and control of system status. Refer to the EVM(5) reference page for infor-
mation on event management. Refer to the System Administration guide for
information on monitoring your system.
When used as a component of fault diagnosis, sys_check can reduce system
down time by as much as 50% by providing fast access to critical system
data. It is recommended that you run a full check at least once a week to
maintain the currency of system data. However, note that some options will
take a long time to run and can have an impact on system performance. You
should therefore choose your options carefully and run them during off-peak
hours. As a minimum, perform at least one full run (all data and warnings)
as a post-configuration task in order to identify configuration problems
and establish a configuration baseline. The following table provides guide-
lines for balancing data needs with performance impact.
___________________________________________________________________________
Option            Run time            Performance       Recommended At
                                      impact
___________________________________________________________________________
-warn, -perf      Short.              Minimal.          Regular updates,
                                                        at least weekly

null - no         Medium, perhaps     Some likely at    Run at least once
options           15 to 45 minutes    peak system use.  post-installation
selected.         depending on                          and update
                  processor.                            after major
                                                        configuration
                                                        changes. Update
                                                        your initial
                                                        baseline and
                                                        check warnings
                                                        regularly.

-noquick, -all,   Long, perhaps 45    Very likely at    Use only when
-escalate.        minutes on fast,    peak use.         troubleshooting
                  large systems to                      a system problem
                  hours on low-end                      or escalating
                  systems.                              a problem to your
                                                        technical support
                                                        representative.
___________________________________________________________________________
You can run some sys_check options from the SysMan Menu or the
/usr/sbin/sysman -cli command-line interface. Choose one of the following
options from the Menu:
>- Support and Services
| Create escalation report [escalation]
| Create configuration report [config_report]
Alternatively, use the config_report and escalation accelerators from the
command line. Note that the escalation option should only be used in con-
junction with a technical support request.
The runsyscheck script will run sys_check as a cron task automatically if
you do not disable the crontab entry in /var/spool/cron/crontabs/root.
Check for the presence of an automatically generated log file before you
create a new log, as it may save time.
When you run the sys_check utility without command options, it gathers con-
figuration data excluding the setld scan and the security information and
displays the configuration and performance data by default. It is recom-
mended that you do this at least once soon after initial system configura-
tion to create a baseline of system configuration, and to consider perform-
ing any tuning recommendations.
On the first run, the sys_check utility creates a directory named
/var/recovery/sys_check. On subsequent runs, sys_check creates additional
directories with a sequential numbering scheme:
+ The previous sys_check directory is renamed to
/var/recovery/sys_check.0 while the most recent data (that is, from
the current run) is always maintained in
/var/recovery/sys_check.
+ Previous sys_check directories are renamed with an incrementing exten-
sion; /var/recovery/sys_check.0 becomes /var/recovery/sys_check.1, and
so on, up to /var/recovery/sys_check.5.
There is a maximum of seven directories. This feature ensures that you
always have up to seven sets of data automatically. Note that if you only
perform a full run once, you may want to save the contents of that direc-
tory to a different location.
Depending on what options you choose, the /var/recovery/sys_check.*
directories will contain the following data:
+ Catastrophic recovery data, such as an etcfiles directory, containing
copies of important system files. In this directory, you will find
copies of files such as /etc/group, /etc/passwd, and /etc/fstab.
+ Formatted stanza files and shell scripts that you can optionally
use to implement any configuration and tuning recommendations
generated by a sys_check run. You use the sysconfigdb command or run the
shell scripts to implement the stanza files. See the sysconfigdb(8)
reference page for more information.
NOTES
You must be root to invoke the sys_check utility from the command line;
you must be root or have the appropriate privileges through Division of
Privileges (DoP) to run Create Configuration Report and Create Escalation
Report from the SysMan Menu. The sys_check utility does not change any sys-
tem files.
The sys_check utility is updated regularly. You can obtain the latest ver-
sion of the sys_check utility from either of two sources:
+ The most up-to-date version of the sys_check kit is located on the
sys_check tool web site,
http://www.tru64unix.compaq.com/sys_check/sys_check.html
+ You can also obtain sys_check from the patch kit, see
http://www.support.compaq.com/patches/.
You should run only one instance of sys_check at a time. The sys_check
utility prevents the running of multiple instances of itself, provided that
the value of the TMPDIR environment variable is /var/tmp, /usr/tmp, /tmp,
or a common user-defined directory. This avoids possible collisions when
an administrator attempts to run sys_check while another administrator is
already running it. However, no guarantees can be made for the case when
two administrators set their TMPDIR environment variables to two different
user-defined directories (this presumes that one administrator does not
choose /var/tmp, /usr/tmp, or /tmp).
The sys_check utility does not perform a total system analysis, but it does
check for the most common system configuration and operational problems on
production systems.
Although the sys_check utility gathers firmware and hardware device revi-
sion information, it does not validate this data. This must be done by
qualified support personnel.
The sys_check utility uses other system tools to gather and analyze data. At
present, sys_check prefers to use DECevent and you should install and con-
figure DECevent for best results.
If DECevent is not present, the sys_check utility issues a warning message
as a priority 500 EVM event and attempts to use uerf instead. In future
releases, Compaq Analyze will also be supported on certain processors.
Note that there are restrictions on using uerf, DECevent and Compaq Analyze
that apply to:
+ The version of UNIX that you are currently using.
+ The installed version of sys_check.
+ The type of processor.
EXIT STATUS
The following exit values are returned:
0 Successful completion.
>0 An error occurred.
LIMITATIONS
DECevent or Compaq Analyze may not be able to read the binary error log
file if old versions of DECevent are being used or if the binary.errlog
file is corrupted. If this problem occurs, install a recent version of
DECevent and, if corrupted, recreate the binary.errlog file.
HSZ controller-specific limitations include the following:
HSZ40 and HSZ50 controllers:
The sys_check utility uses a free LUN on each target in order to com-
municate with HSZ40 and HSZ50 controllers. To avoid data gathering
irregularities, always leave LUN 7 free on each HSZ SCSI target for
HSZ40 and HSZ50 controllers.
HSZ70, HSZ80 and HSG80 controllers:
The sys_check utility uses a CCL port in order to communicate with
HSZ70 controllers. If a CCL port is not available, sys_check will use
an active LUN. To avoid data gathering irregularities, enable the CCL
port for each HSZ70 controller.
HSV controller-specific limitations include the following:
The sys_check utility uses the SANscript utility (sssu) to collect data
from the Enterprise controller. This utility is included with the
Enterprise Package Kit. Please install this utility in /usr/lbin and
ensure that it has execute permissions.
The sys_check utility cannot dynamically determine the SAN appliance or
appliances used to manage your Enterprise storage. To do so, create the
file /etc/enterprise.txt with the element name, the user name, and the
password (separated by colons) of the SAN appliance as shown below;
these values may contain embedded spaces. Set the permissions of this
file to 600.
element:user:password
element 1:user 1:password
The sys_check utility attempts to check the NetWorker backup schedule
against the /etc/fstab file. For some older versions of Networker, the
nsradmin command contains a bug that prevents sys_check from correctly
checking the schedule. In addition, the sys_check utility will not
correctly validate the NetWorker backup schedule for TruCluster services.
EXAMPLES
1. The following command creates escalation files that are used to report
problems to your technical support organization:
# sys_check -escalate
2. The following command outputs configuration and performance informa-
tion, excluding security information and the setld inventory, and pro-
vides an analysis of common system configuration and operational prob-
lems:
# sys_check > file.html
3. The following command outputs all information, including configura-
tion, performance, and security information and a setld inventory of
the system:
# sys_check -all > file.html
4. The following command outputs only performance information:
# sys_check -perf > file.html
5. The following command provides HTML output with frames, including con-
figuration and performance information and the setld inventory of the
system:
# sys_check -frame -noquick
6. The following command starts the SysMan Menu config_report task from
the command line:
# /usr/sbin/sysman config_report
Entering this command invokes the SysMan Menu, which prompts you to
supply the following optional information:
+ Save to (HTML) - A location to which the HTML report should be
saved, which is /var/adm/hostname_date.html by default.
+ Export to Web (Default) - Export the HTML report to Insight
Manager. Refer to the System Administration for information on
Insight Manager.
+ Advanced options - This option displays another screen in which
you can choose a limited number of run time options. The options
are equivalent to certain command line options listed in the
OPTIONS section.
In this screen, you can also specify an alternate temporary
directory other than the default of /var/tmp.
+ Log file - The location of the log file, which is
/var/adm/hostname_date.log by default.
7. The following is an example of a stanza file advfs.stanza in
/var/recovery/sys_check.*:
advfs:
AdvfsCacheMaxPercent=8
8. The following is an example of a shell script apply.ksh in
/var/recovery/sys_check.*:
cd /var/cluster/members/member/recovery/sys_check/
llist="advfs.stanza
vfs.stanza "
for stf in $llist; do
print " $stf "
stanza=`print $stf | awk -F . '{print $1 }'`
print "/sbin/sysconfigdb -m -f $stf $stanza"
/sbin/sysconfigdb -m -f $stf $stanza
done
print "The system may need to be rebooted for these
changes to take effect"
ENVIRONMENT VARIABLES
The following environment variables affect the execution of the sys_check
utility. Normally, you only change these variables under the direction of
your technical support representative, as part of a fault diagnosis pro-
cedure.
TMPDIR
Specifies a default parent directory for the sys_check working sub-
directory, whose name is randomly created; this working subdirectory is
removed when sys_check exits. The default value for TMPDIR is /var/tmp.
LOGLINES
Specifies the number of lines of log file text that sys_check includes
in the HTML output. The default is 500 lines.
BIGNUMFILE
Specifies the number of files in a directory, above which a directory
is considered excessively large. The default is 15 files.
BIGFILE
Specifies the file size, above which a file is considered excessively
large. The default is 3072 KB.
VARSIZE
Specifies the minimum amount of free space that sys_check requires in
the TMPDIR directory. The default is 15 MB and should not be reduced.
The sys_check utility will not run if there is insufficient disk space.
RECOVERY_DIR
Specifies the location for the sys_check recovery data. The default is
/var/recovery. The sys_check utility automatically cleans up data from
previous command runs. The typical size of the output generated by
each sys_check utility run is 400 KB. This data may be useful in
recovering from a catastrophic system failure.
ADHOC_DIR
Specifies the location at which sys_check expects to find the text
files to include in the HTML output. The default is the /var/adhoc
directory.
TOOLS_DIR
Specifies the location at which sys_check expects to find the binaries
for the tools that it calls. The default is /usr/lbin.
FILES
/usr/sbin/sys_check
Specifies the command path.
Note
This file may be a symbolic link.
/usr/lbin/*
Various utilities in this directory are used by sys_check.
Note
These files may be symbolic links.
The sys_check utility reads many system files.
SEE ALSO
Commands: dop(8), sysconfigdb(8), sysman_cli(8), sysman_menu(8)
Miscellaneous: EVM(5), insight_manager(5)
Books: System Administration, System Tuning
This is regarding the behavior of tar/pax/cpio, when a slash (/) is specified at the end of an argument.
While extracting or listing an archive, if a slash (/) is present at the end of an argument (for example, tar xvf foo.tar dir1/ or tar tvf foo.tar dir1/), then it only acts upon that particular directory and not the contents in the directory.
If multiple slashes are used while creating an archive (for example, tar cvf foo.tar dir1/////////), previously all these slashes were put in the archive header. Now it will put only one slash for any directory entry in the header. If a single slash is specified while creating the archive, it still picks up all the contents as usual.
The pax and cpio commands behave in a similar way.
1.17.6 Changes to rexecd Reference Page
This patch contains changes to the rexecd reference page.
OPTIONS
-s Causes rexecd to check for the ptys keyword in the /etc/securettys file
and to deny execution of the request if it is from root and on a pseudoterminal.
DESCRIPTION
6. The rexecd server then validates the user as is done at login time
and, if started with the -s option, verifies that the /etc/securettys
file is not set up to deny the user. If the authentication was
successful, rexecd changes to the user's home directory, and establishes
the user and group protections for the user. If any of these steps
fail, the connection is aborted with a diagnostic message returned.
1.17.7 mountd Reference Page Update
The following is an update for the mountd reference page.
SYNOPSIS
mountd [-d] [-i] [-n] [-s] [-r] [-R] [exportsfile]
FLAGS
...
-r Have mountd listen for requests on a reserved port. This is the default behavior.
-R mountd may listen on an unreserved port.
1.17.8 UFS Delayed Metadata mount Option
This new mount option allows for disabling synchronous metadata writes on a specified file system. The new mount option name is delayed.
To maintain the file system's consistency, UFS metadata (such as inode, directory, and indirect blocks) is updated synchronously by default.
Metadata updates are typically performed synchronously to prevent file system corruption after a crash. The trade-off for this file system integrity, however, is performance. In some cases, such as a file system serving as a cache, performance (faster metadata update) is more important than preserving data consistency across a system crash; for example, files under /tmp or Web proxy servers such as Squid.
This means two things. One is that multiple updates to one block become only one block write, as opposed to multiple writes of the same block with traditional synchronous metadata update. The other is that users can experience much better responsiveness when they run metadata-intensive applications, because metadata writes do not go out to the disk immediately and users get their prompt back as soon as the metadata updates are queued.
This delayed option should not be used on the / or /usr file systems. It should be used only on file systems that do not need to survive across a system crash.
To enable the delayed option, run:
mount -o delayed
or
mount -u -o delayed
1.17.9 3DLabs Oxygen VX1 Graphics Card
This patch provides the driver support for the 3DLabs Oxygen VX1 graphics card. In order to obtain full support for this graphics card, you must also select Patch 1331.00, which is the X server portion of the patch.
If you have a system with this new graphics card, you will need to reconfigure and rebuild the kernel after installing this patch.
To reconfigure and rebuild the kernel, follow these steps:
Shut down the system:
# /usr/sbin/shutdown -h now
Boot genvmunix to single-user mode:
>>> boot -fi genvmunix -fl s
After the system boots to single-user mode, mount the file systems, run the update command, and activate the swap partition:
# /sbin/bcheckrc
# /sbin/update
# /sbin/swapon -a
Run doconfig to create a new kernel configuration file and rebuild the kernel:
# /usr/sbin/doconfig
Note
Do not specify the -c option to doconfig. If you do, doconfig will use the existing kernel configuration file which will not have the appropriate controller entry for the 3DLabs Oxygen VX1 graphics card.
Save the old /vmunix file and move the new kernel to /vmunix.
Shut down the system:
# /usr/sbin/shutdown -h now
Boot the new kernel:
>>> boot
If you remove this patch from your system after you have rebuilt the kernel to incorporate support for the 3DLabs Oxygen VX1 graphics card as described, you will need to rebuild the kernel again to restore generic VGA graphics support. To do this, follow the steps given previously. The doconfig utility running on the original, unpatched genvmunix will not recognize the 3DLabs Oxygen VX1 graphics card and will include generic VGA graphics support in the resulting kernel.
1.17.10 PCI To Ethernet/Graphics Combo Adapter (3X-DEPVD-AA)
This patch provides the driver support for the PCI To Ethernet/Graphics Combo Adapter (3X-DEPVD-AA) (also known as the ITI6021E Fast Ethernet NIC 3D Video Combination Adapter, InterServer Combo, or JIB). To obtain full support for the PCI To Ethernet/Graphics Combo Adapter (3X-DEPVD-AA), you must also select Patch 1326.00, which is the X server portion of the patch.
1.17.11 DEGPA-TA Gigabit Ethernet Device
This patch provides support for DEGPA-TA (1000BaseT) Gigabit Ethernet device. If you have a system with this new Ethernet device, you will need to reconfigure and rebuild the kernel after installing this patch.
To do this, follow these steps:
Shut down the system:
# /usr/sbin/shutdown -h now
Boot genvmunix to single-user mode:
>>> boot -fi genvmunix -fl s
After the system boots to single-user mode, mount the file systems, run the update command, and activate the swap partition:
# /sbin/bcheckrc
# /sbin/update
# /sbin/swapon -a
Run doconfig to create a new kernel configuration file and rebuild the kernel:
# /usr/sbin/doconfig
Note
Do not specify the -c option to doconfig. If you do, doconfig will use the existing kernel configuration file which will not have the appropriate controller entry for the new graphics card.
Save the old /vmunix file and move the new kernel to /vmunix.
Shut down the system:
# /usr/sbin/shutdown -h now
Boot the new kernel:
>>> boot
If you remove this patch from your system after you have rebuilt the kernel to incorporate support for the new Ethernet card as described previously, you will need to rebuild the kernel. To do this, follow the steps given previously. The doconfig running on the original, unpatched genvmunix will not recognize the new Ethernet driver.
1.17.12 Intelligent I/O Disks with mnemonic ri
If Patch 1493.00 is installed on a system with Intelligent I/O (I2O) disks that use the device identifier, mnemonic ri, Patch 1386.00 should also be installed if the user uses the diskconfig utility. Without Patch 1386.00, the diskconfig utility will not recognize or configure the Intelligent I/O (I2O) disks.
1.17.13 Virtual Memory Problem
Installing Patch 1493.00 on a system running Tru64 UNIX Versions 4.0D through 4.0F may cause the system to crash if you run an application that maps a large number of file system objects into virtual memory using the mmap(2) function call. This problem may occur with large threaded applications, such as the Netscape Enterprise Web Server, which use this technique to improve performance and scalability.
To avoid this problem, disable the kernel's virtual memory (vm:) subsystem attribute vm-map-index-enable after installing the patch and before rebooting the system. The attribute is disabled when its value is set to zero at boot time.
Enter the following commands at the shell prompt (when logged in as root) to add or modify the vm-map-index-enable attribute entry in the /etc/sysconfigtab file:
$ su root
$ cat << _EOF_ > /tmp/vm.stanza
> vm:
> vm-map-index-enabled=0
> _EOF_
$ sysconfigdb -m -f /tmp/vm.stanza vm
$ rm -f /tmp/vm.stanza
$ reboot
See the sysconfigdb(8) reference page for additional information.
This problem will be fixed in the next release of the patch kits.
1.17.14 PCI To Ethernet/Graphics Combo Adapter
This patch provides support for the PCI To Ethernet/Graphics Combo Adapter (3X-DEPVD-AA). If you have a system with this adapter, you will need to reconfigure and rebuild the kernel after installing this patch. To do this, follow these steps:
Shut down the system:
# /usr/sbin/shutdown -h now
Boot genvmunix to single-user mode:
>>> boot -fi genvmunix -fl s
After the system boots to single-user mode, mount the file systems, run the update command, and activate the swap partition:
# /sbin/bcheckrc
# /sbin/update
# /sbin/swapon -a
Run doconfig to create a new kernel configuration file and rebuild the kernel:
# /usr/sbin/doconfig
Note
Do not specify the -c option to doconfig. If you do, doconfig will use the existing kernel configuration file, which will not have the appropriate controller entry for the PCI To Ethernet/Graphics Combo Adapter.
Save the old /vmunix file and move the new kernel to /vmunix.
Shut down the system:
# /usr/sbin/shutdown -h now
Boot the new kernel:
>>> boot
If you remove this patch from your system after you have rebuilt the kernel, to incorporate support for the PCI To Ethernet/Graphics Combo Adapter as previously described, you will need to rebuild the kernel again to restore generic VGA graphics support. To do this, follow the steps previously given.
If doconfig is running on the original kernel, the unpatched genvmunix will not recognize the PCI To Ethernet/Graphics Combo Adapter and will include generic VGA graphics support in the resulting kernel.
1.17.15 Pleiades II Switches
This patch fixes a problem with the Pleiades II switches, where the switch ports would consume target IDs on the adapter's SCSI bus.
To determine if target IDs are being consumed by the switch, look at the contents of the /etc/emx.info file. If a FC Port Name exists that does not start with 0x0050 (a HSG80) or a 0x0010 (a KGPSA), it is most likely a switch entry consuming the target ID (or an unsupported FC device exists on the fabric).
To remove the switch entry from the emx target ID mappings, in addition to installing this patch, the /sys/data/emx_data.c file must be modified to contain the switch entry to be deleted (by setting the target ID to -1). See the reference pages for emx and emx_data.c for instructions on modifying the emx_data.c file. After the emx_data.c file has been modified, the kernel must be regenerated and the resulting kernel booted.
1.17.16 I/O Throttling/Smooth Sync
Note
Smooth Sync is for UNIX File System (UFS) only.
Note
To activate I/O Throttling/Smooth Sync, you must install Patch 299.00.
The new mount options are smsync2 and throttle. The smsync2 option enables an alternate smsync policy in which dirty pages do not get flushed until they have been dirty and idle for the smoothsync age period (the default is 30 seconds). The default policy is to flush dirty pages after being dirty for the smoothsync age period, regardless of continued modifications to the page. Note that mmaped pages always use this default policy, regardless of the smsync2 setting.
For example, change the /etc/fstab entries from:
/dev/rz12e /mnt/test ufs rw 0 2
to:
/dev/rz12e /mnt/test ufs rw,smsync2,throttle 0 2
Note
If you choose not to use smsync2 (which does not affect mmap buffers), remove the smsync2 option from the previous string.
Append any tuning changes to /etc/sysconfigtab. See the TUNING notes that follow for a description of the new io-throttle-shift and io-throttle-maxmzthruput tunables. These tunables are configured in the vfs stanza. The following three lines are an example:
vfs:
io-throttle-shift = 1
io-throttle-maxmzthruput = 1
When removing this patch, follow these steps:
Remove the lines added in the previous example to /etc/inittab.
Remove any additions to /etc/fstab you may have made (see previous instructions).
Failure to remove /etc/inittab and /etc/fstab modifications may result in unknown attribute messages, particularly upon system reboot.
TUNING
The purpose of this patch is to minimize system stalls resulting from a heavy system I/O load. This patch introduces a smoothsync approach to writing delayed I/O requests and introduces I/O throttling.
Using smoothsync allows each dirty page to age for a specified time period before getting pushed to disk. This allows more opportunity for frequently modified pages to be found in the cache, which decreases the net I/O load. Also, as pages are enqueued to a device after having aged sufficiently, as opposed to getting flushed by the update daemon, spikes are minimized in which large numbers of dirty pages are locked on the device queue.
I/O throttling further addresses the concern of locking dirty pages on the device queue. It enforces a limit on the number of delayed I/O requests allowed to be on the device queue at any point in time. This allows the system to be more responsive to any synchronous requests added to the device queue, such as a read or the loading of a new program into memory. This may decrease the duration of process stalls for specific dirty buffers, as pages remain available until placed on the device queue.
The relevant tunable variables are:
smoothsync-age
This variable can be adjusted from 0 (off) up to 300.
This is the number of seconds a page ages before becoming eligible for being flushed to disk via the smoothsync mechanism.
A value of 30 corresponds to the "guarantee" provided by the traditional UNIX update mechanism.
Increasing this value increases the exposure of lost data should the system crash, but can decrease net I/O load (to improve performance) by allowing the dirty data to remain in cache longer.
In some environments, any data that is not up to date is useless; these are prime candidates for an increased smoothsync-age value.
The default value of smoothsync-age is 30.
io-throttle-shift
The greater the number of requests on an I/O device queue, the longer the time required to process those requests and make those pages and device available.
The number of concurrent delayed I/O requests on an I/O device queue can be throttled by setting the io-throttle-shift tunable.
The throttle value is based on this tunable and the calculated I/O completion rate.
The throttle value is proportional to the time required to process the I/O device queue.
The correspondences between io-throttle-shift values and the time to process the device queue are:
io-throttle-shift    time to process device queue (sec)
-----------------    ----------------------------------
-2                   0.25
-1                   0.5
 0                   1
 1                   2
 2                   4
For example, an io-throttle-shift value of 0 corresponds to accommodating 1 second of I/O requests.
The valid range for this tunable is [-4..4] (not all values are shown in the previous table; you can extrapolate).
The default value of io-throttle-shift is 1.
Environments particularly sensitive to delays in accessing the I/O device might consider reducing the io-throttle-shift value.
io-maxmzthruput
This is a toggle that trades off maximizing I/O throughput against maximizing the availability of dirty pages. Maximizing I/O throughput works more aggressively to keep the device busy, but within the constraints of the throttle. Maximizing the availability of dirty pages is more aggressive at decreasing stall time experienced when waiting for dirty pages.
The environment in which you might consider setting io-maxmzthruput off (0) is one in which I/O is confined to a small number of I/O-intensive applications, such that access to a specific set of pages becomes more important for overall performance than does keeping the I/O device busy.
The default value of io-maxmzthruput is 1.
Environments particularly sensitive to delays in accessing sets of frequently used dirty pages might consider setting io-maxmzthruput to 0.
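The documented ranges and the shift-to-seconds table above, turned into a check to run before a reboot or before removing the patch. This is an added example, not part of the patch kit: the function names, scratch files and the out-of-range sample value are constructed, and the 2^shift formula is an extrapolation of the table.

```shell
#!/bin/sh
# Seconds of delayed I/O the device queue may hold for an io-throttle-shift
# value. The table doubles per step, so the time is taken as 2^shift.
throttle_seconds() {
    case "$1" in
        -4|-3|-2|-1|0|1|2|3|4) awk -v s="$1" 'BEGIN { printf "%g\n", 2 ^ s }' ;;
        *) echo "io-throttle-shift $1 is outside [-4..4]" >&2; return 1 ;;
    esac
}

# Report vfs-stanza tunables outside the documented ranges (file is $1).
check_vfs_stanza() {
    awk '
    function bad(v, lo, hi) { return v !~ /^-?[0-9]+$/ || v + 0 < lo || v + 0 > hi }
    /^[A-Za-z_][A-Za-z0-9_-]*:[ \t]*$/ { in_vfs = ($1 == "vfs:"); next }
    in_vfs && split($0, kv, "=") == 2 {
        n = kv[1]; v = kv[2]; gsub(/[ \t]/, "", n); gsub(/[ \t]/, "", v)
        if (n == "smoothsync-age") e = bad(v, 0, 300)
        else if (n == "io-throttle-shift") e = bad(v, -4, 4)
        else if (n ~ /^io-(throttle-)?maxmzthruput$/) e = bad(v, 0, 1)  # both spellings appear
        else e = 0
        if (e) { print n " = " v " is out of range"; rc = 1 }
    }
    END { exit rc + 0 }' "$1"
}

# List mount points in an fstab-format file ($1) that still carry the
# smsync2 or throttle options, which must be removed along with the patch.
fstab_leftovers() {
    awk '$1 !~ /^#/ && NF >= 4 {
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++)
            if (opt[i] == "smsync2" || opt[i] == "throttle") print $2 ": " opt[i]
    }' "$1"
}

# Constructed sample files (not real system data) for a demo run.
write_samples() {
    printf '%s\n' '/dev/rz12e /mnt/test ufs rw,smsync2,throttle 0 2' \
                  '/dev/rz12g /mnt/data ufs rw 0 2' > "$1/fstab"
    printf '%s\n' 'vfs:' '  smoothsync-age = 30' '  io-throttle-shift = 5' \
                  'proc:' '  io-throttle-shift = 9' > "$1/sysconfigtab"
}
tmp=${TMPDIR:-/tmp}/iothrottle.$$; mkdir -p "$tmp"; write_samples "$tmp"
throttle_seconds 1
check_vfs_stanza "$tmp/sysconfigtab" || echo "fix sysconfigtab before reboot"
fstab_leftovers "$tmp/fstab"
rm -rf "$tmp"
```

Run the two file checks against copies of /etc/sysconfigtab and /etc/fstab; only settings inside the vfs stanza are examined.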
1.17.17 Granularity Hint Regions Restriction Removal
This patch removes a Granularity Hint Regions (also called GH chunks) restriction which may be encountered on AlphaServer™ DS20 and ES40 systems running the Tru64 UNIX Version 4.0F release. This restriction can reduce performance for certain database applications.
The following error message on the system's console terminal (also logged in /var/adm/messages) indicates possible performance loss for applications using GH chunks:
gh_chunks value of # invalid
where # is a number that varies depending on memory size.
To remove the GH chunks restriction, you need to modify your target kernel configuration file (and rebuild the kernel) and change the state of a console firmware environment variable. To make these changes, follow these steps:
Follow the steps in Section 4.5.3 of the Guide to System Administration, with the following exceptions:
In step 4, edit the configuration file and add the following line immediately before the first line starting with makeoptions:
makeoptions LOADADDR="fffffc0000430000"
In step 6, instead of /usr/sbin/shutdown -r now, add the following line:
/usr/sbin/shutdown -h now
Check the console firmware version:
P00>>> show version
If the version is not Version 5.5 or later, you need to upgrade your firmware to Version 5.5 or later.
Change the value of the console_memory_allocation environment variable from old to new and reset the system:
P00>>> set console_memory_allocation new
P00>>> init
Boot the new kernel:
P00>>> boot
If the new kernel fails to boot, use one of the following procedures:
P00>>> set console_memory_allocation old
P00>>> init
P00>>> boot -fi vmunix.save
or:
P00>>> boot -fi genvmunix
Correct the error and repeat the previous procedure.
Additional Information
If you encounter the following error message, you have most likely attempted to boot a kernel with the old load address:
Bootstrap address collision, image loading aborted
To boot old kernels:
P00>>> set console_memory_allocation old
P00>>> init
P00>>> boot
Note
The generic kernel (/genvmunix) will boot with console_memory_allocation set to old or new.
The patch kit installs a new /usr/sbin/sizer command.
If you rebuild the kernel using Section 4.5.1 or 4.5.2 of the System Administration Manual, the new sizer will automatically adjust the kernel's load address.
Note
If you customized your existing configuration file, doconfig allows you to edit the new configuration file so you can restore your customizations.