1    Release Notes

This chapter provides information that you must be aware of when working with Tru64 UNIX 4.0G and TruCluster Software Products 1.6 Patch Kit-0004.

1.1    Patch Process Resources

HP provides Web sites to help you with the patching process:

1.2    Required Storage Space

The following storage space is required to successfully install this patch kit:

Base Operating System

TruCluster

1.3    Release Note for TruCluster Software Products

If you are installing only TCR patches, you MUST rebuild the kernel and reboot the machine for the changes to take effect. If removing only TCR patches, you MUST also rebuild the kernel and reboot the machine for the changes to take effect.

1.4    Files Listed as UNKNOWN Origin

If you install the latest patch kit, and run the Baselining feature before you install any aggregate patches, you will get the following files listed as having UNKNOWN origin. This does not represent an error with the operating system or any of the layered products. Ignore this message and proceed with your installation.

* list of changed files with unknown origin:
      ------------------------------------------
 
  ./usr/.smdb./AFAADVANCED400.scp_extension     OSFBASE445     UNKNOWN
  ./usr/.smdb./AFAADVANCED401.scp_extension     OSFBASE445     UNKNOWN
  ./usr/.smdb./AFAADVANCED402.scp_extension     OSFBASE445     UNKNOWN
  ./usr/.smdb./AFAADVANCED403.scp_extension     OSFBASE445     UNKNOWN
  ./usr/.smdb./AFAADVANCED404.scp_extension     OSFBASE445     UNKNOWN
  ./usr/.smdb./AFAADVANCED425.scp_extension     OSFBASE445     UNKNOWN
  ./usr/.smdb./AFAADVANCED435.scp_extension     OSFBASE445     UNKNOWN
  ./usr/.smdb./AFAADVMAN400.scp_extension       OSFBASE445     UNKNOWN
  ./usr/.smdb./AFAADVMAN401.scp_extension       OSFBASE445     UNKNOWN
  ./usr/.smdb./AFAADVMAN402.scp_extension       OSFBASE445     UNKNOWN
  ./usr/.smdb./AFAADVMAN403.scp_extension       OSFBASE445     UNKNOWN
  ./usr/.smdb./AFAADVMAN404.scp_extension       OSFBASE445     UNKNOWN
  ./usr/.smdb./AFAADVMAN425.scp_extension       OSFBASE445     UNKNOWN
  ./usr/.smdb./AFAADVMAN435.scp_extension       OSFBASE445     UNKNOWN
 
    * no missing files detected
      -------------------------

1.5    Release Note for Tru64 UNIX Patches 771.00 and 773.00

This patch delivers version V1.0-032 of the libots3 library. Version 2.0 of the libots3 library is delivered with the Compaq FORTRAN Compiler, Versions 5.3 ECO1 and 5.4, or the Developers Tool Kit (DTK) (OTABASE subset). If libots3 V2.0 is already installed on your system, and you install this patch, you will receive the following informational message:

Problem installing:

- Tru64_UNIX_V4.0G / Software Development Environment Patches:

Patch 00XXX.00 - Fix for parallel processing support library

./usr/shlib/libots3.so: is installed by:

OTABASE212 and can not be replaced by this patch.

This patch will not be installed.

To determine what version of libots3 library is installed on your system, enter the following command:

# what /usr/shlib/libots3.so

libots3.so:

libots3.a V2.0-094 GEM 27 Feb 2001

1.6    Release Note for Tru64 UNIX Patch 48.00

If the system-configurable parameter lsm:lsm_V_ROUND_enhanced is set (value = 1), the enhanced read round-robin policy is activated. This new policy stores the last block accessed by the previous I/O request. When returning for another block in round-robin (V_ROUND) mode, that value is compared to the current read. If it is within a predefined, user-configurable value (lsm:lsm_V_ROUND_enhance_proximity), then the same plex is used. Otherwise, the next plex is used as for a normal round-robin behavior.

The two new additional tunable parameters are lsm_V_ROUND_enhanced set to 0 by default (V_ROUND_enhanced read is not activated), and lsm_V_ROUND_enhance_proximity is set to 512 by default.

Append tuning changes to the /etc/sysconfigtab file.. See the Tuning notes following for a description of the new lsm_V_ROUND_enhanced and lsm_V_ROUND_enhance_proximity tunable parameters. These tunable parameters are configured in the lsm stanza. For example:

lsm:
lsm_V_ROUND_enhanced = 1
lsm_V_ROUND_enhance_proximity = 1024

Note

If you already have an lsm stanza in your sysconfigtab file, then only add the two lsm_V_ROUND entries.

Tuning

The purpose of this patch is to increase performance with sequential reads. This patch introduces a new enhanced round-robin mode where the last block read is now compared to the next block to read, and a check is added to see if last block number-next block number is less than or equal to lsm_V_ROUND_enhance_proximity. If it is, read from the same plex. This is to attempt to hit the disk cache, and so increase performance.

The relevant tunable parameters are as follows:

sm_V_ROUND_enhanced — This variable activates the new enhanced round robin read policy if it is set to TRUE (1). Otherwise the policy is deactivated. The default is 0.

lsm_V_ROUND_enhance_proximity — This variable indicates the proximity in which the last read and new read must lie in an attempt to read data from the disk's cache by reading from the same plex. The variable can be adjusted from 0 to 4096. The default is 512.

1.7    Release Note for Tru64 UNIX Patch 750.00

This patch provides the X server support for the new 3DLabs Oxygen VX1 PCI graphics card. To obtain full support for this graphics card, you must also select Patch 255.00, which is the driver portion of the patch.

A list of supported platforms is available on the following web page:

http://www.compaq.com/alphaserver/products/options.html

1.8    Release Note for Tru64 UNIX Patch 196.00

This patch contains a solution for the following issue:

HP has advised owners of DS10, DS10L, ES40 AlphaServers, and XP900 AlphaStations that HP has determined in laboratory testing that there is a theoretical possibility that during read and write operations to the floppy disk on these systems, a single byte of data may be inaccurately read or written without notice to the user or system. The potential for this anomaly exists only if floppy disk read or write operations are attempted while there is extremely heavy traffic on these Alpha systems' internal I/O buses.

Although HP has observed the anomaly only in laboratory tests designed to create atypical system stresses, including almost constant use of the floppy disk drive, HP has informed owners of the remote possibility that the anomaly could occur so that they may take precautions to prevent it.

We recommend that the solution be installed by all DS10, DS10L, ES40 AlphaServers, and XP900 AlphaStation customers.

The solution to this issue is also available as an individual, manually installed patch kit named floppy_CSP_v40g.tar.gz, available from:

http://ftp1.support.compaq.com/public/unix/v4.0g

1.9    Release Note for Tru64 UNIX Patch 683.00

This release note describes the behavior of tar/pax/cpio, when a slash (/) is specified at the end of an argument.

While extracting or listing an archive, if a / is present at the end of an argument, then it would only act upon that particular directory and not the contents in the directory. For example:

tar xvf foo.tar dir1/ or tar tvf foo.tar dir1/

1.10    Release Note for Tru64 UNIX Patch 1008.00

The following contains updates to the fixfdmn(8) reference page.

fixfdmn(8)                                                         fixfdmn(8)
NAME
 
  fixfdmn - Checks and repairs corrupted AdvFS domains
 
SYNOPSIS
 
  /sbin/advfs/fixfdmn [-mtype[,type]...] [-d directory] [-v number] [-a [-c]
  | -n] [-s {y | n}] [domain] [fileset]
 
  /sbin/advfs/fixfdmn -u directory domain
 
OPTIONS
 
  -a  Specifies that after repairing what it can, fixfdmn will attempt to
      activate the domain at the end of the run. This option cannot be used
      with the -n option.
 
  -c  Removes any clone filesets.  This option is only valid if used with the
      -a option.
 
  -d directory
      Specifies a directory to which the message log and undo files will be
      written. If the -d option is not used, the message and undo log files
      are put in the current working directory. The message log file is named
      fixfdmn.<domain>.log and the two undo files are named undo.<domain>.<#>
      and undoidx.<domain>.<#>,  where  # will cause a number to be appended to
      the filenames to make them unique. The numbers will be rotated sequen-
      tially from 0 (zero) through 9 if multiple undo files are created for
      the same domain. The undo file will have the same ending number as its
      corresponding undo index file.
 
  -m type[,type...]
      Specifies a list of types of metadata, one or more of which can be
      checked and repaired. The valid types are log, sbm, sync, bmt, frag,
      quota, and files. If you specify the fileset parameter, sync, log, sbm,
      and bmt are made invalid types for the -m option. If you do not specify
      -m, the default is to check all types.
 
      sync
          Corrects the magic number and synchronizes data across volumes (for
          example, volume numbers, mount IDs, mount states, domain IDs, and
          so on.)
 
      log Resets the transaction log so that it is not processed.
 
      sbm Synchronizes the sbm to the information in the bmt.
 
      bmt Corrects the bmt.
 
      frag
          Corrects frag file groups and free lists, and ensures that all file
          frags reside in the frag file.
 
      quota
          Checks and corrects sizes of quota files.
 
      files
          Verifies that directory metadata is correct.
 
  -n  Specifies that fixfdmn will check the domain and not do any repairs. It
      will report what problems were found and how it would have fixed them.
 
  -s {y | n}
      Specifies that "yes" or "no" should be answered to prompts when run
      from a script.
 
  -u directory
      Restores the domain to its previous state by undoing the effects of the
      last run of fixfdmn, using the most recent undo files in the specified
      directory.
 
  -v number
      Specifies the verbose mode level which controls the messages printed to
      stdout.
 
      0 = Only error messages
 
      1 = ( Default) Progress, errors, and summary messages
 
      2 = Progress messages, detailed error messages, fix information, and
      summary messages
 
OPERANDS
 
  domain
      The name of a corrupted domain to repair.
 
  fileset
      The name of the fileset to repair if only one fileset in this domain
      exhibits errors.  You may tell fixfdmn to check only that fileset and
      not specifically look for errors in other filesets.
 
DESCRIPTION
 
  The fixfdmn utility checks and repairs corrupt AdvFS domains and filesets.
 
  The fixfdmn utility is primarily concerned with fixing problems that have a
  limited scope. When a large portion of the domain is corrupted, there is
  very little fixfdmn can do, so it will recommend restoring data from backup
  or running the salvage(8) command.
 
  The fixfdmn utility uses the on-disk metadata to determine what corruptions
  exist in the domain. Only metadata will be repaired, as there is currently
  no way to check or repair the contents of users files.  Only those problems
  which prevent mounting the domain, or would result in a domain or system
  panic, will be repaired.
 
  After major areas of metadata are checked, and if a corruption was fixed,
  fixfdmn will prompt the user to determine if they want to continue looking
  for additional corruption.
 
  If fixfdmn detects an error in a clone fileset, the clone is marked out of
  sync and should not be used.
 
  If fixfdmn cannot recover the metadata for a specific file, the file may be
  truncated, moved, or deleted depending on the situation.  The fixfdmn util-
  ity will attempt to save as much of a file as possible.
 
  Every page fixfdmn changes will be saved to an undo file. If the user does
  not like the results of running fixfdmn, the user can undo the changes by
  running fixfdmn again with the -u option. If the file system containing the
  undo files runs out of space during the fixfdmn run, the user will be
  prompted on how to proceed. The user will  have the option to continue
  without the undo files, to continue adding more space to the domain
  containing the undo files, or to exit.
 
  Use the -m type option when you have information from a system/domain panic
  or output from verify or other tools which indicate where the corruption
  may be. This option limits the scope of what is checked and repaired.
 
NOTES
 
  The fixfdmn command will always clear the transaction log, even on a 
  noncorrupt domain unless the -n option is specified
 
  There must be a domain entry for this domain in /etc/fdmns. The fixfdmn
  command opens the block devices specified for the volumes in /etc/fdmns.
 
  If you need to repair the root domain, you must boot from CD-ROM and create
  the entry for the root domain under /etc/fdmns.
 
RESTRICTIONS
 
  You must be root to run fixfdmn.
 
  The fixfdmn command requires that the domain specified will have no
  filesets mounted.
 
  Although fixfdmn may report success, it does not guarantee that all corrup-
  tions have been eliminated.
 
  If a domain is mounted and written to after being repaired by fixfdmn,
  using the fixfdmn utility with the -u option will likely cause corruptions.
 
EXIT STATUS
 
  0 (Zero)
      Success.
 
  1 Corrupt
      Unable to repair all found corruptions
 
  2 Failure
      Program or system error
 
FILES
 
  /etc/fdmns
      Contains AdvFS domain directories and locks.
 
SEE ALSO
 
  Commands: salvage(8), umount(8), verify(8), vrestore(8)

1.11    Release Note for Tru64 UNIX Patch 1017.00

The new Russian keyboard comes with five extra keycaps. To enable any of those extra keycaps, the user will need to modify /usr/lib/X11/xkb/symbols/digital_russian. For example:

//    KEY <AD09> can be replaced by an extra keycap.
//    If you replace it with the extra keycap, please uncomment
//    the following definition and comment out the oringinal one.
//
//    key <AD09> {
//      symbols[Group1]=3D [               o,               O ],
//      symbols[Group2]=3D [     Ukrainian_i,     Ukrainian_I ]
//    };
    key <AD09> {
        symbols[Group1]=3D [               o,               O ],
        symbols[Group2]=3D [  Cyrillic_shcha,  Cyrillic_SHCHA ]
    };

1.12    Release Notes for Tru64 UNIX Patch 1107.00

These release notes contain information about Tru64 UNIX Patch 1107.00.

1.12.1    New sysconfig Tunable

Note

Read this release note completely and execute the /usr/sbin/javaexecutedata script before enabling this feature.

This patch kit introduces a new security feature called no execute heap/data, similar in concept to the Tru64 UNIX executable stack protection. When enabled, the feature prevents the execution of instructions that reside in heap or other data areas of process memory, providing additional protection against buffer overflow exploits.

In a buffer overflow exploit, an attacker feeds a privileged program an unexpectedly large volume of carefully constructed data through inputs such as command-line arguments and environment variables. If the program is not coded defensively, the attacker can overwrite areas of memory adjacent to the buffer. Depending upon the location of the buffer (stack, heap, data area), the attacker can deceive these programs into executing malicious code that takes advantage of the program's privileges, or alter a security-sensitive program variable to redirect program flow. With some expertise, such an attack can be used to gain root access to the system.

Enabling the executable_data tunable changes a potential system compromise into, at worst, a denial of service attack. A vulnerable program may still contain a buffer overflow, but an exploit that writes an instruction stream into the buffer and attempts to transfer control to those instructions will fail, because memory protection will prohibit instruction execution from that area of memory.

The new feature is implemented as a dynamic sysconfig tunable, executable_data in the proc subsystem. The supported settings allow a system administrator to cause requests from privileged processes for writable and executable memory to fail, or to be treated as a request for writable memory, and to optionally generate a message when such a request occurs. Many applications unnecessarily request write-execute memory directly, or because of the default of some underlying function acting on their behalf, but never execute from the memory. By substituting writable memory for the requested write-execute memory, the executable_data tunable allows such applications to benefit from the additional protection without requiring application modification.

Five settings are supported for the executable_data tunable:

0

Disabled, the default setting. All processes may allocate writable and executable memory.

5

The recommended setting. When a process executing as root or a process running a setuid application requests writable, executable memory, the request succeeds but the process receives only writable memory. No message is generated.

21

When a process executing as root or a process running a setuid application requests writable, executable memory, the request fails with an EACCES status and no message is generated.

37

When a process executing as root or a process running a setuid application requests writable, executable memory, the request succeeds, the process receives only writable memory, and a message is generated.

53

When a process executing as root or a process running a setuid application requests writable, executable memory, the request fails with an EACCES status and a message is generated.

No other settings are supported. Attempting to use unsupported settings can cause unexpected and undesirable application behavior.

Note

Before changing executable_data from the default value of 0, you must run the /usr/sbin/javaexecutedata script. Otherwise, privileged Java applications will fail in unpredictable ways. The Java language does not compile programs, but instead interprets them as they run. Unless marked as exempt, privileged applications written in Java will receive an error when they attempt to execute instructions residing in the unexecutable memory. The manner in which they handle the error is application-specific and thus unpredictable. If you plan to enable the executable_data tunable, you MUST use the /usr/sbin/javaexecutedata script.

Privileged Pascal programs that use nonlocal gotos may also fail. Such programs should also be marked as exempt, using the new chatr utility, as follows:

$chatr +ed enable priv_pascal_executable
  current values:
     64-bit COFF executable
     execute from data: disabled
  new values:
     64-bit COFF executable
     execute from data: enabled

This example demonstrates the failing behavior to expect for privileged processes if you set execute_data to 53 but do not run the /usr/sbin/javaexecutedata script. Other Java applications run with privilege may exhibit different (but still failing) behavior.

# java -classic -jar SwingSet2.jar
Process 1185 Invalid write/execute mmap call denied.
Process 1185 Invalid write/execute mmap call denied.
Process 1185 Invalid write/execute mmap call denied.
(...)
Process 1185 Invalid write/execute mmap call denied.
Process 1185 Invalid write/execute mmap call denied.
**Out of memory, exiting**

This example demonstrates the failing behavior to expect for privileged processes if you set execute_data to 37 but do not run the /usr/sbin/javaexecutedata script. Other Java applications run with privilege may exhibit different (but still failing) behavior.

# java -classic -jar SwingSet2.jar
Process 1185 Invalid write/execute mmap call modified.
Process 1185 Invalid write/execute mmap call modified.
 (...)
Process 1185 Invalid write/execute mmap call modified.
Process 1185 Invalid write/execute mmap call modified.
Process 1185 Invalid write/execute mmap call modified.
SIGSEGV   11*  segmentation violation
(...)
Abort (core dumped)

1.12.2    audit_tool Switches

The audit_tool switches -a, -r, and -u now allow the user to specify a UID or one of the following values:

n

Selects all records with a nonprivileged UID.

p

Selects all records with a privileged (root) UID.

u

Selects all records with an unassigned UID (useful with the -a switch).

In addition, the audit_tool switches -/ and -s now support regular expressions.

1.12.3    Security

A potential security vulnerability has been discovered where, under certain circumstances, system integrity may be compromised. This may be in the form of improper file access. HP has corrected this potential vulnerability.

1.12.4    sh noclobber Option and >| , >>| Constructs Added

A noclobber option similar to that already available with csh and ksh has been added to the Bourne shell.

When the noclobber option is used (set -C), the shell behavior for the redirection operators > and >> changes as follows:

1.12.5    ksh noclobber Behavior Clarified

For > with noclobber set, ksh will return an error rather than overwrite an existing file. If the specified file name is actually a symbolic link, the presence of the symbolic link satisfies the criteria file exists whether or not the symbolic link target exists and ksh returns an error. The >| construct will suppress these checks and create the file.

For >> with noclobber set, output is appended to the tail of an existing file. If the file name is actually a symbolic link to a nonexistent file, ksh returns an error. This is a behavior change. Because ksh does not have a >>| redirection override, create the symbolic link target before accessing it through >> if you depend on appending through a symbolic link.

1.12.6    csh noclobber Behavior Clarified

For > with noclobber set, csh will return an error rather than overwrite an existing file. If the specified file name is actually a symbolic link, the presence of the symbolic link satisfies the criteria file exists whether or not the symbolic link target exists, and csh returns an error. The >| construct will suppress these checks and create the file.

For >> with noclobber set, output is appended to the tail of an existing file. If the file does not exist, or the file name is actually a symbolic link whose target does not exist, csh returns an error rather than create the file. The >>|construct will suppress these checks and create the file.

1.12.7    sys_check(8) Update

The following is an update of the sys_check(8) reference page.

syscheck (8)
 
NAME
 
  sys_check, runsyscheck - Generates system configuration information and
  analysis
 
SYNOPSIS
 
  /usr/sbin/sys_check [options...]
 
OPTIONS
 
  -all
      Lists all subsystems, including security information and setld inven-
      tory verification.  This option may take a long time to complete.
 
  -debug
      Outputs debugging information to stderr (standard error output).
 
  -escalate [ xx ]
      Creates escalation files for reporting problems to your technical sup-
      port representative. This option produces one file,
      TMPDIR/escalate.tar, unless there are crash dump files; if so,
      it also creates two other files: TMPDIR/escalate_vmunix.xx.gz
      and TMPDIR/escalate_vmcore.xx.gz. If you use the -escalate
      option, sys_check runs with the -noquick option and collects the output
      in the escalate.tar file. Optionally, you can specify a number (xx)
      with the -escalate option to define a crash number.
 
      See  the ENVIRONMENT VARIABLES section for information on how you
      can set the value of TMPDIR.
 
  -evm
      Generates Event Manager (EVM) warnings. When EVM is configured, warn-
      ings are posted as EVM events identified by the string
      sys.unix.sys_check.warning. Six levels of priority ranging from 0-500
      are used, as follows:
 
        +  0 - Information only.
 
        +  100 - Note
 
        +  200 - Tuning Note
 
        +  300 - Tuning Suggestion
 
        +  400 - Operational
 
       +  500 - Warning
 
  -frame
      Produces frame HTML output, which consists of three files:
      sys_checkfr.html, sys_checktoc.html, and sys_check.html (unless you
      specify a different file name with the -name option).  This option
      cannot be used with the -nohtml option. The following options are
      available for use with the -frame option:
 
      -name name
          Specifies the name to use for the frame files output.  The default
          name is sys_check.
 
      -dir name
          Sets the directory for the frames output.  Used only with the
          -frame option.  The default is the current directory (.).
 
  -help or (-h)
      Outputs help information.
 
  -nohtml
      Produces text output, consisting of one text file, instead of the
      default HTML output. This option cannot be used with the -frame option.
 
  -noquick
      Outputs configuration data and the setld scan.  Excludes security
      information.
 
  -perf
      Outputs only performance data and excludes configuration data. This
      option takes less time to run than others.
 
  -v  Displays the sys_check version number.
 
  -warn
      Executes only the warning pass. This option takes less time to run than
      other options.
 
  -nowarn
      Executes only the data gathering pass.
 
DESCRIPTION
 
  The sys_check utility is a system census and configuration verification
  tool that is also used to aid in diagnosing system errors and problems. Use
  sys_check to create an HTML report of your system's configuration (software
  and hardware). The size of the HTML output that is produced by the
  sys_check utility is usually between .5 MB and 3 MB.
 
  The sys_check utility also performs an analysis of operating system parame-
  ters and attributes such as those that tune the performance of the system.
  The report generated by sys_check provides warnings if it detects problems
  with any current settings. Note that while sys_check can generate hundreds
  of useful warnings, it is not a complete and definitive check of the health
  of your system. The sys_check utility should be used in conjunction with
  event management and system monitoring tools to provide a complete overview
  and control of system status. Refer to  EVM(5)  for infor-
  mation on event management. Refer to the System Administration guide for
  information on monitoring your system.
 
  When used as a component of fault diagnosis, sys_check can reduce system
  down time by as much as 50% by providing fast access to critical system
  data. It is recommended that you run a full check at least once a week to
  maintain the currency of system data. However, note that some options will
  take a long time to run and can have an impact on system performance.  You
  should therefore choose your options carefully and run them during offpeak
  hours. At a minimum, perform at least one full run (all data and warnings)
  as a post-configuration task in order to identify configuration problems
  and establish a configuration baseline. The following table provides guide-
  lines for balancing data needs with performance impact.:
 
  ___________________________________________________________________________
  Option                          Run time                    Performance                 Recommended At
                                                                            impact
  ___________________________________________________________________________
 -warn, -perf                   Short.                           Minimal.                      Regular
                                                                                                                  updates, at
                                                                                                                  least weekly
  null - no options          Medium, perhaps        Some likely at              Run at least
  selected.                       15 to 45 minutes          peak system use.        once post-
                                        depending on pro-                                            installation
                                        cessor.                                                              and update
                                                                                                                 after major
                                                                                                                 configuration
                                                                                                                 changes. Update
                                                                                                                 your initial
                                                                                                                 baseline and
                                                                                                                 check warnings
                                                                                                                 regularly.
  -noquick, -all,           Long, perhaps 45        Very likely at                Use only when
  -escalate.                  minutes on fast,           peak use.                      troubleshooting
                                    large systems to                                                a system prob-
                                    hours on low-end                                              lem or escalat-
                                    systems.                                                             ing a problem
                                                                                                               to your techni-
                                                                                                               cal support
                                                                                                               representative.
  ___________________________________________________________________________
 
  You can run some sys_check options from the SysMan Menu or the
  /usr/sbin/sysman -cli command-line interface. Choose one of the following
  options from the menu:
 
       >- Support and Services
           | Create escalation report [escalation]
           | Create configuration report [config_report]
 
  Alternatively, use the config_report and escalation accelerators from the
  command line. Note that the escalation option should only be used in con-
  junction with a technical support request.
 
  The runsyscheck script will run sys_check as a cron task automatically if
  you do not disable the crontab entry in /var/spool/cron/crontabs/root.
  Check for the presence of an automatically generated log file before you
  create a new log as it may save time.
 
  When you run the sys_check utility without command options, it gathers con-
  figuration data excluding the setld scan and the security information and
  displays the configuration and performance data by default. It is recom-
  mended that you do this at least once soon after initial system configura-
  tion to create a baseline of system configuration, and to consider perform-
  ing any tuning recommendations.
 
  On the first run, the sys_check utility creates a directory named
  /var/recovery/sys_check. On subsequent runs, sys_check creates additional
  directories with a sequential numbering scheme:
 
    +  The previous sys_check directory is renamed to
       /var/recovery/sys_check.0 while the most recent data (that is, from
       the current run) is always maintained  in  /var/recovery/sys_check.
 
    +  Previous sys_check directories are renamed with an incrementing exten-
       sion; /var/recovery/sys_check.0 becomes /var/recovery/sys_check.1, and
       so on, up to /var/recovery/sys_check.5.
 
  There is a maximum of seven directories. This feature ensures that you 
  always have up to seven sets of data automatically. Note that if you only
  perform a full run once, you may want to save the contents of that direc-
  tory to a different location.
 
  Depending on what options you choose, the /var/recovery/sys_check.* 
  directories will contain the following data:
 
    +  Catastrophic recovery data, such as an /etc files directory, containing
       copies of important system files. In this directory, you will find
       copies of files such as /etc/group, /etc/passwd, and /etc/fstab.
 
    +  Formatted stanza files and shell scripts and that you can optionally
       use to implement any configuration and tuning recommendations gen-
       erated by a sys_check run. You use the sysconfigdb command or run the
       shell scripts to implement the stanza files. See the sysconfigdb(8)
       reference page for more information.
 
NOTES
 
  You must be root to invoke the sys_check utility from the command line;
  you must be root or have the appropriate privileges through Division of
  Privileges (DoP) to run Create Configuration Report and Create Escalation
  Report from the SysMan Menu. The sys_check utility does not change any sys-
  tem files.
 
  The sys_check utility is updated regularly. You can obtain the latest ver-
  sion of the sys_check utility from either of two sources:
 
    +  The most up-to-date version of the sys_check kit is located on the
       sys_check tool web site,
       http://www.tru64unix.compaq.com/sys_check/sys_check.html.
 
    +  You can also obtain sys_check from the patch kit, see
       http://www.support.compaq.com/patches/.
 
  You should run only one instance of sys_check at a time. The sys_check
  utility prevents the running of multiple instances of itself, provided that
  the value of the TMPDIR environment variable is /var/tmp, /usr/tmp, /tmp,
  or a common user-defined directory.  This avoids possible collisions when
  an administrator attempts to run sys_check while another administrator is
  already running it. However, no guarantees can be made for the case when
  two administrators set their TMPDIR environment variables to two different
  user-defined directories (this presumes that one administrator does not
  choose /var/tmp, /usr/tmp, or /tmp).
 
  The sys_check utility does not perform a total system analysis, but it does
  check for the most common system configuration and operational problems on
  production systems.
 
  Although the sys_check utility gathers firmware and hardware device revi-
  sion information, it does not validate this data.  This must be done by
  qualified support personnel.
 
  The sys_check utility uses other system tools to gather an analyze data. At
  present, sys_check prefers to use DECevent, and you should install and con-
  figure DECevent for best results.
 
  If DECevent is not present, the sys_check utility issues a warning message
  as a priority 500 EVM event and attempts to use uerf instead. In future
  releases, Compaq Analyze will also be supported on certain processors.
 
  Note that there are restrictions on using uerf, DECevent and Compaq Analyze
  that apply to:
 
    +  The version of UNIX that you are currently using.
 
    +  The installed version of sys_check.
 
    +  The type of processor.
 
EXIT STATUS
 
  The following exit values are returned:
 
  0   Successful completion.
 
  >0  An error occurred.
 
LIMITATIONS
 
  DECevent or Compaq Analyze may not be able to read the binary error log
  file if old versions of DECevent are being used  or if the binary.errlog
  file is corrupted.  If this problem occurs, install a recent version of
  DECevent and, if corrupted, recreate the binary.errlog file.
 
  HSZ controller-specific limitations include the following:
 
  HSZ40 and HSZ50 controllers:
      The sys_check utility uses a free LUN on each target in order to com-
      municate with HSZ40 and HSZ50 controllers. To avoid data gathering
      irregularities, always leave LUN 7 free on each HSZ SCSI target for
      HSZ40 and HSZ50 controllers.
 
  HSZ70, HSZ80 and HSG80 controllers:
      The sys_check utility uses a CCL port in order to communicate with
      HSZ70 controllers. If a CCL port is not available, sys_check will use
      an active LUN.  To avoid data gathering irregularities, enable the CCL
      port for each HSZ70 controller.
 
  The sys_check utility attempts to check the NetWorker backup schedule
  against the /etc/fstab file.  For some older versions of NetWorker, the
  nsradmin command contains a bug that prevents sys_check from correctly
  checking the schedule.  In addition, the sys_check utility will not
  correctly validate the NetWorker backup schedule for TruCluster Server.
 
EXAMPLES
 
   1.  The following command creates escalation files that are used to report
       problems to your technical support organization:
            # sys_check -escalate
 
   2.  The following command outputs configuration and performance informa-
       tion, excluding security information and the setld inventory, and pro-
       vides an analysis of common system configuration and operational prob-
       lems:
            # sys_check > file.html
 
   3.  The following command outputs all information, including configura-
       tion, performance, and security information and a setld inventory of
       the system:
            # sys_check -all > file.html
 
   4.  The following command outputs only performance information:
            # sys_check -perf > file.html
 
   5.  The following command provides HTML output with frames, including con-
       figuration and performance information and the setld inventory of the
       system:
            # sys_check -frame -noquick
 
   6.  The following command starts the SysMan Menu config_report task from
       the command line:
            # /usr/sbin/sysman config_report
 
       Entering this command invokes the SysMan Menu, which prompts you to
       supply the following optional information:
 
         +  Save to (HTML) - A location to which the HTML report should be
            saved, which is /var/adm/hostname_date.html by default.
 
         +  Export to Web (Default) - Export the HTML report to Insight
            Manager. Refer to  the System Administration manual for information on
            Insight Manager.
 
         +  Advanced options - This option displays another screen in which
            you can choose a limited number of run time options. The options
            are equivalent to certain command-line options listed in the
            OPTIONS section.
 
            In this screen, you can also specify an alternate temporary
            directory other than the default of /var/tmp.
 
         +  Log file - The location of the log file, which is
            /var/adm/hostname_date.log by default.
 
   7.  The following is an example of a stanza file advfs.stanza in
       /var/recovery/sys_check.*:
            advfs:
            AdvfsCacheMaxPercent=8
 
   8.  The following is an example of a shell script apply.kshin
       /var/recovery/sys_check.*:
            cd /var/cluster/members/member/recovery/sys_check/
            llist="advfs.stanza
            vfs.stanza "
            for stf in $llist; do
            print " $stf "
                    stanza=`print $stf | awk -F . '{print $1 }'`
            print "/sbin/sysconfigdb -m -f $stf $stanza"
                    /sbin/sysconfigdb -m -f $stf $stanza
            done
            print "The system may need to be rebooted for these
            changes to take effect"
 
ENVIRONMENT VARIABLES
 
  The following environment variables affect the execution of the sys_check
  utility. Normally, you only change these variables under the direction of
  your technical support representative, as part of a fault diagnosis pro-
  cedure.
 
  TMPDIR
      Specifies a default parent directory for the sys_check working sub-
      directory, whose name is randomly created; this working subdirectory is
      removed when sys_check exits. The default value for TMPDIR is /var/tmp.
 
  LOGLINES
      Specifies the number of lines of log file text that sys_check includes
      in the HTML output.  The default is 500 lines.
 
  BIGNUMFILE
      Specifies the number of files in a directory, above which a directory
      is considered excessively large.  The default is 15 files.
 
  BIGFILE
      Specifies the file size, above which a file is considered excessively
      large. The default is 3072 KB.
 
  VARSIZE
      Specifies the minimum amount of free space that sys_check requires in
      the TMPDIR directory.  The default is 15 MB and should not be reduced.
      The sys_check utility will not run if there is insufficient disk space.
 
  RECOVERY_DIR
      Specifies the location for the sys_check recovery data.  The default is
      /var/recovery.  The sys_check utility automatically cleans up data from
      previous command runs.  The typical size of the output generated by
      each sys_check utility run is 400 KB.  This data may be useful in
      recovering from a catastrophic system failure.
 
  ADHOC_DIR
      Specifies the location at which sys_check expects to find the text
      files to include in the HTML output.  The default is the /var/adhoc
      directory.
 
  TOOLS_DIR
      Specifies the location at which sys_check expects to find the binaries
      for the tools that it calls.  The default is /usr/lbin.
 
FILES
 
  /usr/sbin/sys_check
      Specifies the command path.
 
           Note
 
         This file may be a symbolic link.
 
  /usr/lbin/*
      Various utilities in this directory are used by sys_check.
 
           Note
 
         These files may be symbolic links.
 
  The sys_check utility reads many system files.
 
SEE ALSO
 
  Commands: dop(8), sysconfigdb(8), sysman_cli(8), sysman_menu(8)
 
  Miscellaneous: EVM(5), insight_manager(5)
 
  Books: System Administration, System Tuning

1.12.8    mountd Reference Page Update

The following are updates for the mountd( ) reference page:

SYNOPSIS
        mountd [-d] [-i] [-n] [-s] [-r] [-R] [exportsfile]
 
FLAGS
...
  -r    Have mountd listen for requests on a reserved port.  This is the default behavior.
 
  -R    mountd may listen on an unreserved port.

1.12.9    UFS Delayed Metadata mount Option

This new mount option allows for disabling synchronous metadata writes on a specified file system. The new mount option is delayed.

To maintain the file system's consistency, UFS metadata (such as inode, directory, and indirect blocks) is updated synchronously by default.

Metadata updates are typically performed synchronously to prevent file system corruption after a crash. The trade-off for file system integrity, however, is performance. In some cases, such as a file system serving as a cache, performance (faster metadata update) is more important than preserving data consistency across a system crash; for example, files under /tmp, or Web proxy servers such as Squid.

This has two results. One, multiple updates to one block become only a one block write as opposed to multiple writes of the same block with traditional synchronous metadata update. Two, users can experience much better responsiveness when they run metadata-intensive applications because metadata writes will not go out to the disk immediately, while users get their prompt back as soon as the metadata updates are queued.

Do not use the delayed option on the / or /usr file systems. Use the delayed option only on file systems that do not need to survive across a system crash.

Usage

To enable the delayed option, run:

mount -o delayed <device> <mount point>

or

mount -u -o delayed <mount point>

1.12.10    Changes to the rexecd Reference Page

The following are updates for the rexecd( ) reference page:

OPTIONS
 
  -s  Causes rexecd to check for the ptys keyword in the /etc/securettys file
      and to deny execution of the request if it is from root and on a pseudoterminal.
 
DESCRIPTION
 
   6.  The rexecd server then validates the user as is done at login time
       and, if started with the -s option, verifies that the /etc/securettys
       file is not set up to deny the user.  If the authentication was suc-
       cessful, rexecd changes to the user's home directory, and establishes
       the user and group protections for the user.  If any of these steps
       fail, the connection is aborted with a diagnostic message returned.

1.12.11    3DLabs Oxygen VXI Graphics Card

This patch provides the driver support for the 3DLabs Oxygen VX1 graphics card. To obtain full support for this graphics card, you must also select Patch 750.00, which is the X server portion of the patch.

If you have a system with this new graphics card, you will need to reconfigure and rebuild the kernel after installing this patch.

To reconfigure and rebuild the kernel, follow these steps:

  1. Shut down the system:

    # /usr/sbin/shutdown -h now

  2. Boot genvmunix to single-user mode:

    >>> boot -fi genvmunix -fl s

  3. After the system boots to single-user mode, mount the file systems, run the update command, and activate the swap partition:

    # sbin/bcheckrc

    # /sbin/update

    # /sbin/update

  4. Run doconfig to create a new kernel configuration file and rebuild the kernel:

    # /usr/sbin/doconfig

    Note

    Do not specify the -c option to doconfig. If you do, doconfig will use the existing kernel configuration file which will not have the appropriate controller entry for the 3DLabs Oxygen VX1 graphics card.

  5. Save the old /vmunix file and move the new kernel to /vmunix.

  6. Shut down the system:

    # /usr/sbin/shutdown -h now

  7. Boot the new kernel:

    >>> boot

If you remove this patch from your system after you have rebuilt the kernel to incorporate support for the 3DLabs Oxygen VX1 graphics card as described, you will need to rebuild the kernel again to restore generic VGA graphics support. To do this, follow the previous steps. The doconfig utility running on the original, unpatched genvmunix will not recognize the 3DLabs Oxygen VX1 graphics card, and will include generic VGA graphics support in the resulting kernel.

1.12.12    DEGPA-TA Gigabit Ethernet Device

This patch provides support for DEGPA-TA (1000BaseT) Gigabit Ethernet device. If you have a system with this new Ethernet device, you will need to reconfigure and rebuild the kernel after installing this patch.

To do this, follow these steps:

  1. Shut down the system:

    # /usr/sbin/shutdown -h now

  2. Boot genvmunix to single-user mode:

    >>> boot -fi genvmunix -fl s

  3. After the system boots to single-user mode, mount the file systems, run the update command, and activate the swap partition:

    # /sbin/bcheckrc

    # /sbin/update

    # /sbin/swapon -a

  4. Run doconfig to create a new kernel configuration file and rebuild the kernel:

    # /usr/sbin/doconfig

    Note

    Do not specify the -c option to doconfig. If you do, doconfig will use the existing kernel configuration file which will not have the appropriate controller entry for the new graphics card.

  5. Save the old /vmunix file and move the new kernel to /vmunix.

  6. Shut down the system:

    # /usr/sbin/shutdown -h now

  7. Boot the new kernel:

    >>> boot

If you remove this patch from your system after you have rebuilt the kernel to incorporate support for the new Ethernet card as described previously, you will need to rebuild the kernel. To do this, follow the previous steps. Thedoconfig running on the original, unpatched genvmunix will not recognize the new Ethernet driver.

1.13    Release Note for DEC 7000 Upgrades to AlphaServer 8400

This release note concerns systems that were upgraded from DEC 7000 to AlphaServer 8400 that have not installed the DWLPA-AA, DWLPB-AA, or the KFTIA. These are the I/O enhancements for the AlphaServer 8400.

Add the following information to the /sys/conf/SYSTEMNAME file:

bus             tiop0      at tlsb0     vector    tioperror
bus             pci0       at tiop0     slot  0
callout after_c "../bin/mkdata pci"
 
bus             isp0       at pci0      slot  0 vector    ispintr
controller      scsi0      at isp0      slot  0

You must do this every time you reconfigure.