This chapter provides information that you must be aware of when working
with Tru64 UNIX 4.0G and TruCluster Software Products 1.6 Patch Kit-0004.
1.1 Patch Process Resources
HP provides Web sites to help you with the patching process:
To obtain the lastest patch kit for your operating system and cluste software:
To view or print the lastest version of the Patch Kit Installation Instructions or the Patch Summary and Release Notes for a specific patch kit:
To visit HP's main support page:
To visit the Tru64 UNIX homepage:
The following storage space is required to successfully install this
patch kit:
Base Operating System
Temporary Storage Space
A total of ~250 MB of storage space is required to untar patch kit.
We recommend that this kit not be placed in the
/
,
/usr
, or
/var
file systems because doing so may
unduly constrain the available storage space for the patching activity.
Permanent Storage Space
Up to ~103 MB of storage space in
/var/adm/patch/backup
is required for archived original files if you choose to install and revert
all patches.
See the
Patch Kit Installation Instructions
for more information.
Up to ~106 MB of storage space in
/var/adm/patch
is required for original files if you choose to install and revert all patches.
See the
Patch Kit Installation Instructions
for more
information.
Up to ~2160 KB of storage space is required in
/var/adm/patch/doc
for patch abstract and README documentation.
A total of ~176 KB of storage space is needed in
/usr/sbin/dupatch
for the patch management utility.
TruCluster
Temporary Storage Space
A total of ~250 MB of storage space is required to untar this patch
kit.
We recommend that this kit not be placed in the
/
,
/usr
, or
/var
file systems because doing so may
unduly constrain the available storage space for the patching activity.
Permanent Storage Space
Up to ~734 MB of storage space in
/var/adm/patch/backup
is required for archived original files if you choose to install and revert
all patches.
See the
Patch Kit Installation Instructions
for more information.
Up to ~753 MB of storage space in
/var/adm/patch
is required for original files if you choose to install and revert all patches.
See the
Patch Kit Installation Instructions
for more
information.
Up to ~1688 KB of storage space is required in
/var/adm/patch/doc
for patch abstract and README documentation.
A total of ~184 KB of storage space is needed in
/usr/sbin/dupatch
for the patch management utility.
1.3 Release Note for TruCluster Software Products
If you are installing only TCR patches, you MUST rebuild the kernel
and reboot the machine for the changes to take effect.
If removing only TCR
patches, you MUST also rebuild the kernel and reboot the machine for the changes
to take effect.
1.4 Files Listed as UNKNOWN Origin
If you install the latest patch kit, and run the Baselining feature
before you install any aggregate patches, you will get the following files
listed as having
UNKNOWN origin
.
This does not represent
an error with the operating system or any of the layered products.
Ignore
this message and proceed with your installation.
* list of changed files with unknown origin: ------------------------------------------ ./usr/.smdb./AFAADVANCED400.scp_extension OSFBASE445 UNKNOWN ./usr/.smdb./AFAADVANCED401.scp_extension OSFBASE445 UNKNOWN ./usr/.smdb./AFAADVANCED402.scp_extension OSFBASE445 UNKNOWN ./usr/.smdb./AFAADVANCED403.scp_extension OSFBASE445 UNKNOWN ./usr/.smdb./AFAADVANCED404.scp_extension OSFBASE445 UNKNOWN ./usr/.smdb./AFAADVANCED425.scp_extension OSFBASE445 UNKNOWN ./usr/.smdb./AFAADVANCED435.scp_extension OSFBASE445 UNKNOWN ./usr/.smdb./AFAADVMAN400.scp_extension OSFBASE445 UNKNOWN ./usr/.smdb./AFAADVMAN401.scp_extension OSFBASE445 UNKNOWN ./usr/.smdb./AFAADVMAN402.scp_extension OSFBASE445 UNKNOWN ./usr/.smdb./AFAADVMAN403.scp_extension OSFBASE445 UNKNOWN ./usr/.smdb./AFAADVMAN404.scp_extension OSFBASE445 UNKNOWN ./usr/.smdb./AFAADVMAN425.scp_extension OSFBASE445 UNKNOWN ./usr/.smdb./AFAADVMAN435.scp_extension OSFBASE445 UNKNOWN * no missing files detected -------------------------
1.5 Release Note for Tru64 UNIX Patches 771.00 and 773.00
This patch delivers version V1.0-032 of the libots3 library. Version 2.0 of the libots3 library is delivered with the Compaq FORTRAN Compiler, Versions 5.3 ECO1 and 5.4, or the Developers Tool Kit (DTK) (OTABASE subset). If libots3 V2.0 is already installed on your system, and you install this patch, you will receive the following informational message:
Problem installing:
- Tru64_UNIX_V4.0G / Software Development Environment
Patches:
Patch 00XXX.00 - Fix for parallel processing support
library
./usr/shlib/libots3.so: is installed
by:
OTABASE212
and can not be replaced by this patch.
This patch will not be installed.
To determine what version of libots3 library is installed on your system, enter the following command:
#
what /usr/shlib/libots3.so
libots3.so:
libots3.a V2.0-094 GEM 27 Feb 2001
1.6 Release Note for Tru64 UNIX Patch 48.00
If the system-configurable parameter
lsm:lsm_V_ROUND_enhanced
is set (value = 1), the enhanced read round-robin policy is activated.
This new policy stores the last block accessed by the previous I/O request.
When returning for another block in round-robin (V_ROUND
)
mode, that value is compared to the current read.
If it is within a predefined,
user-configurable value (lsm:lsm_V_ROUND_enhance_proximity
),
then the same plex is used.
Otherwise, the next plex is used as for a normal
round-robin behavior.
The two new additional tunable parameters are
lsm_V_ROUND_enhanced
set to 0 by default (V_ROUND_enhanced
read is
not activated), and
lsm_V_ROUND_enhance_proximity
is set
to 512 by default.
Append tuning changes to the
/etc/sysconfigtab
file..
See the Tuning notes following for a description of the new
lsm_V_ROUND_enhanced
and
lsm_V_ROUND_enhance_proximity
tunable parameters.
These tunable parameters are configured in the
lsm
stanza.
For example:
lsm: lsm_V_ROUND_enhanced = 1 lsm_V_ROUND_enhance_proximity = 1024
Note
If you already have an
lsm
stanza in yoursysconfigtab
file, then only add the twolsm_V_ROUND
entries.
Tuning
The purpose of this patch is to increase performance with sequential
reads.
This patch introduces a new enhanced round-robin mode where the last
block read is now compared to the next block to read, and a check is added
to see if last block number-next block number is less than or equal to
lsm_V_ROUND_enhance_proximity
.
If it is, read from the same plex.
This is to attempt to hit the disk cache, and so increase performance.
The relevant tunable parameters are as follows:
sm_V_ROUND_enhanced
This variable activates
the new enhanced round robin read policy if it is set to TRUE (1).
Otherwise
the policy is deactivated.
The default is 0.
lsm_V_ROUND_enhance_proximity
This variable
indicates the proximity in which the last read and new read must lie in an
attempt to read data from the disk's cache by reading from the same plex.
The variable can be adjusted from 0 to 4096.
The default is 512.
1.7 Release Note for Tru64 UNIX Patch 750.00
This patch provides the X server support for the new 3DLabs Oxygen VX1 PCI graphics card. To obtain full support for this graphics card, you must also select Patch 255.00, which is the driver portion of the patch.
A list of supported platforms is available on the following web page:
http://www.compaq.com/alphaserver/products/options.html
1.8 Release Note for Tru64 UNIX Patch 196.00
This patch contains a solution for the following issue:
HP has advised owners of DS10, DS10L, ES40 AlphaServers, and XP900 AlphaStations that HP has determined in laboratory testing that there is a theoretical possibility that during read and write operations to the floppy disk on these systems, a single byte of data may be inaccurately read or written without notice to the user or system. The potential for this anomaly exists only if floppy disk read or write operations are attempted while there is extremely heavy traffic on these Alpha systems' internal I/O buses.
Although HP has observed the anomaly only in laboratory tests designed to create atypical system stresses, including almost constant use of the floppy disk drive, HP has informed owners of the remote possibility that the anomaly could occur so that they may take precautions to prevent it.
We recommend that the solution be installed by all DS10, DS10L, ES40 AlphaServers, and XP900 AlphaStation customers.
The solution to this issue is also available as an individual,
manually installed patch kit named
floppy_CSP_v40g.tar.gz
,
available from:
http://ftp1.support.compaq.com/public/unix/v4.0g
1.9 Release Note for Tru64 UNIX Patch 683.00
This release note describes the behavior of
tar/pax/cpio
,
when a slash (/
) is specified at the end of an argument.
While extracting or listing an archive, if a
/
is
present at the end of an argument, then it would only act upon that particular
directory and not the contents in the directory.
For example:
tar xvf foo.tar dir1/ or tar tvf foo.tar dir1/
1.10 Release Note for Tru64 UNIX Patch 1008.00
The following contains updates to the
fixfdmn
(8)
reference page.
fixfdmn(8) fixfdmn(8)
NAME
fixfdmn - Checks and repairs corrupted AdvFS domains
SYNOPSIS
/sbin/advfs/fixfdmn [-mtype[,type]...] [-d directory] [-v number] [-a [-c]
| -n] [-s {y | n}] [domain] [fileset]
/sbin/advfs/fixfdmn -u directory domain
OPTIONS
-a Specifies that after repairing what it can, fixfdmn will attempt to
activate the domain at the end of the run. This option cannot be used
with the -n option.
-c Removes any clone filesets. This option is only valid if used with the
-a option.
-d directory
Specifies a directory to which the message log and undo files will be
written. If the -d option is not used, the message and undo log files
are put in the current working directory. The message log file is named
fixfdmn.<domain>.log and the two undo files are named undo.<domain>.<#>
and undoidx.<domain>.<#>, where # will cause a number to be appended to
the filenames to make them unique. The numbers will be rotated sequen-
tially from 0 (zero) through 9 if multiple undo files are created for
the same domain. The undo file will have the same ending number as its
corresponding undo index file.
-m type[,type...]
Specifies a list of types of metadata, one or more of which can be
checked and repaired. The valid types are log, sbm, sync, bmt, frag,
quota, and files. If you specify the fileset parameter, sync, log, sbm,
and bmt are made invalid types for the -m option. If you do not specify
-m, the default is to check all types.
sync
Corrects the magic number and synchronizes data across volumes (for
example, volume numbers, mount IDs, mount states, domain IDs, and
so on.)
log Resets the transaction log so that it is not processed.
sbm Synchronizes the sbm to the information in the bmt.
bmt Corrects the bmt.
frag
Corrects frag file groups and free lists, and ensures that all file
frags reside in the frag file.
quota
Checks and corrects sizes of quota files.
files
Verifies that directory metadata is correct.
-n Specifies that fixfdmn will check the domain and not do any repairs. It
will report what problems were found and how it would have fixed them.
-s {y | n}
Specifies that "yes" or "no" should be answered to prompts when run
from a script.
-u directory
Restores the domain to its previous state by undoing the effects of the
last run of fixfdmn, using the most recent undo files in the specified
directory.
-v number
Specifies the verbose mode level which controls the messages printed to
stdout.
0 = Only error messages
1 = ( Default) Progress, errors, and summary messages
2 = Progress messages, detailed error messages, fix information, and
summary messages
OPERANDS
domain
The name of a corrupted domain to repair.
fileset
The name of the fileset to repair if only one fileset in this domain
exhibits errors. You may tell fixfdmn to check only that fileset and
not specifically look for errors in other filesets.
DESCRIPTION
The fixfdmn utility checks and repairs corrupt AdvFS domains and filesets.
The fixfdmn utility is primarily concerned with fixing problems that have a
limited scope. When a large portion of the domain is corrupted, there is
very little fixfdmn can do, so it will recommend restoring data from backup
or running the salvage(8) command.
The fixfdmn utility uses the on-disk metadata to determine what corruptions
exist in the domain. Only metadata will be repaired, as there is currently
no way to check or repair the contents of users files. Only those problems
which prevent mounting the domain, or would result in a domain or system
panic, will be repaired.
After major areas of metadata are checked, and if a corruption was fixed,
fixfdmn will prompt the user to determine if they want to continue looking
for additional corruption.
If fixfdmn detects an error in a clone fileset, the clone is marked out of
sync and should not be used.
If fixfdmn cannot recover the metadata for a specific file, the file may be
truncated, moved, or deleted depending on the situation. The fixfdmn util-
ity will attempt to save as much of a file as possible.
Every page fixfdmn changes will be saved to an undo file. If the user does
not like the results of running fixfdmn, the user can undo the changes by
running fixfdmn again with the -u option. If the file system containing the
undo files runs out of space during the fixfdmn run, the user will be
prompted on how to proceed. The user will have the option to continue
without the undo files, to continue adding more space to the domain
containing the undo files, or to exit.
Use the -m type option when you have information from a system/domain panic
or output from verify or other tools which indicate where the corruption
may be. This option limits the scope of what is checked and repaired.
NOTES
The fixfdmn command will always clear the transaction log, even on a
noncorrupt domain unless the -n option is specified
There must be a domain entry for this domain in /etc/fdmns. The fixfdmn
command opens the block devices specified for the volumes in /etc/fdmns.
If you need to repair the root domain, you must boot from CD-ROM and create
the entry for the root domain under /etc/fdmns.
RESTRICTIONS
You must be root to run fixfdmn.
The fixfdmn command requires that the domain specified will have no
filesets mounted.
Although fixfdmn may report success, it does not guarantee that all corrup-
tions have been eliminated.
If a domain is mounted and written to after being repaired by fixfdmn,
using the fixfdmn utility with the -u option will likely cause corruptions.
EXIT STATUS
0 (Zero)
Success.
1 Corrupt
Unable to repair all found corruptions
2 Failure
Program or system error
FILES
/etc/fdmns
Contains AdvFS domain directories and locks.
SEE ALSO
Commands: salvage(8), umount(8), verify(8), vrestore(8)
1.11 Release Note for Tru64 UNIX Patch 1017.00
The new Russian keyboard comes with five extra keycaps.
To enable any
of those extra keycaps, the user will need to modify
/usr/lib/X11/xkb/symbols/digital_russian
.
For example:
// KEY <AD09> can be replaced by an extra keycap. // If you replace it with the extra keycap, please uncomment // the following definition and comment out the oringinal one. // // key <AD09> { // symbols[Group1]=3D [ o, O ], // symbols[Group2]=3D [ Ukrainian_i, Ukrainian_I ] // }; key <AD09> { symbols[Group1]=3D [ o, O ], symbols[Group2]=3D [ Cyrillic_shcha, Cyrillic_SHCHA ] };
1.12 Release Notes for Tru64 UNIX Patch 1107.00
These release notes contain information about Tru64 UNIX Patch 1107.00.
1.12.1 New sysconfig Tunable
Note
Read this release note completely and execute the
/usr/sbin/javaexecutedata
script before enabling this feature.
This patch kit introduces a new security feature called
no
execute heap/data
, similar in concept to the Tru64 UNIX executable
stack protection.
When enabled, the feature prevents the execution of instructions
that reside in heap or other data areas of process memory, providing additional
protection against buffer overflow exploits.
In a buffer overflow exploit, an attacker feeds a privileged program an unexpectedly large volume of carefully constructed data through inputs such as command-line arguments and environment variables. If the program is not coded defensively, the attacker can overwrite areas of memory adjacent to the buffer. Depending upon the location of the buffer (stack, heap, data area), the attacker can deceive these programs into executing malicious code that takes advantage of the program's privileges, or alter a security-sensitive program variable to redirect program flow. With some expertise, such an attack can be used to gain root access to the system.
Enabling the
executable_data
tunable changes a potential
system compromise into, at worst, a denial of service attack.
A vulnerable
program may still contain a buffer overflow, but an exploit that writes an
instruction stream into the buffer and attempts to transfer control to those
instructions will fail, because memory protection will prohibit instruction
execution from that area of memory.
The new feature is implemented as a dynamic
sysconfig
tunable,
executable_data
in the
proc
subsystem.
The supported settings allow a system administrator to cause requests
from privileged processes for writable and executable memory to fail, or to
be treated as a request for writable memory, and to optionally generate a
message when such a request occurs.
Many applications unnecessarily request
write-execute memory directly, or because of the default of some underlying
function acting on their behalf, but never execute from the memory.
By substituting
writable memory for the requested write-execute memory, the
executable_data
tunable allows such applications to benefit from the additional
protection without requiring application modification.
Five settings are supported for the
executable_data
tunable:
0
Disabled, the default setting.
All processes may allocate writable and
executable memory.
5
The recommended setting.
When a process executing as root or a process
running a
setuid
application requests writable, executable
memory, the request succeeds but the process receives only writable memory.
No message is generated.
21
When a process executing as root or a process running a
setuid
application requests writable, executable memory, the request fails
with an EACCES status and no message is generated.
37
When a process executing as root or a process running a
setuid
application requests writable, executable memory, the request succeeds,
the process receives only writable memory, and a message is generated.
53
When a process executing as root or a process running a
setuid
application requests writable, executable memory, the request fails
with an EACCES status and a message is generated.
No other settings are supported. Attempting to use unsupported settings can cause unexpected and undesirable application behavior.
Note
Before changing
executable_data
from the default value of 0, you must run the/usr/sbin/javaexecutedata script
. Otherwise, privileged Java applications will fail in unpredictable ways. The Java language does not compile programs, but instead interprets them as they run. Unless marked as exempt, privileged applications written in Java will receive an error when they attempt to execute instructions residing in the unexecutable memory. The manner in which they handle the error is application-specific and thus unpredictable. If you plan to enable theexecutable_data
tunable, you MUST use the/usr/sbin/javaexecutedata
script.
Privileged Pascal programs that use nonlocal gotos may also fail.
Such
programs should also be marked as exempt, using the new
chatr
utility, as follows:
$chatr +ed enable priv_pascal_executable
current values:
64-bit COFF executable
execute from data: disabled
new values:
64-bit COFF executable
execute from data: enabled
This example demonstrates the failing behavior to expect for privileged
processes if you set
execute_data
to 53 but do not run
the
/usr/sbin/javaexecutedata
script.
Other Java applications
run with privilege may exhibit different (but still failing) behavior.
# java -classic -jar SwingSet2.jar
Process 1185 Invalid write/execute mmap call denied.
Process 1185 Invalid write/execute mmap call denied.
Process 1185 Invalid write/execute mmap call denied.
(...)
Process 1185 Invalid write/execute mmap call denied.
Process 1185 Invalid write/execute mmap call denied.
**Out of memory, exiting**
This example demonstrates the failing behavior to expect for privileged
processes if you set
execute_data
to 37 but do not run
the
/usr/sbin/javaexecutedata
script.
Other Java applications
run with privilege may exhibit different (but still failing) behavior.
# java -classic -jar SwingSet2.jar
Process 1185 Invalid write/execute mmap call modified.
Process 1185 Invalid write/execute mmap call modified.
(...)
Process 1185 Invalid write/execute mmap call modified.
Process 1185 Invalid write/execute mmap call modified.
Process 1185 Invalid write/execute mmap call modified.
SIGSEGV 11* segmentation violation
(...)
Abort (core dumped)
The
audit_tool
switches
-a
,
-r
, and
-u
now allow the user to specify a UID
or one of the following values:
n
Selects all records with a nonprivileged UID.
p
Selects all records with a privileged (root) UID.
u
Selects all records with an unassigned UID (useful with the
-a
switch).
In addition, the
audit_tool
switches
-/
and
-s
now support regular expressions.
1.12.3 Security
A potential security vulnerability has been discovered where, under
certain circumstances, system integrity may be compromised.
This may be in
the form of improper file access.
HP has corrected this potential vulnerability.
1.12.4 sh noclobber Option and >| , >>| Constructs Added
A
noclobber
option similar to that already available
with
csh
and
ksh
has been added to
the Bourne shell.
When the
noclobber
option is used (set -C
), the shell behavior for the redirection operators
>
and
>>
changes as follows:
For
>
with
noclobber
set,
sh
will return an error rather than overwrite an
existing file.
If the specified file name is actually a symbolic link, the
presence of the symbolic link satisfies the criteria
file exists
whether or not the symbolic link target exists and
sh
returns an error.
The
>|
construct will suppress
these checks and create the file.
For
>>
with
noclobber
set, output is appended to the tail of an existing file.
If the file name
is actually a symbolic link whose target does not exist,
sh
returns an error rather than create the file.
The
>>|
construct
will suppress these checks and create the file.
1.12.5 ksh noclobber Behavior Clarified
For
>
with
noclobber
set,
ksh
will return an error rather than overwrite an existing file.
If the specified file name is actually a symbolic link, the presence of the
symbolic link satisfies the criteria
file exists
whether
or not the symbolic link target exists and
ksh
returns
an error.
The
>|
construct will suppress these
checks and create the file.
For
>>
with
noclobber
set, output
is appended to the tail of an existing file.
If the file name is actually
a symbolic link to a nonexistent file,
ksh
returns an
error.
This is a behavior change.
Because
ksh
does not
have a
>>|
redirection override, create the symbolic link
target before accessing it through
>>
if you depend on
appending through a symbolic link.
1.12.6 csh noclobber Behavior Clarified
For
>
with
noclobber
set,
csh
will return an error rather than overwrite an existing file.
If the specified file name is actually a symbolic link, the presence of the
symbolic link satisfies the criteria
file exists
whether
or not the symbolic link target exists, and
csh
returns
an error.
The
>|
construct will suppress these checks and
create the file.
For
>>
with
noclobber
set, output
is appended to the tail of an existing file.
If the file does not exist, or
the file name is actually a symbolic link whose target does not exist,
csh
returns an error rather than create the file.
The
>>|
construct will suppress these checks and create the file.
1.12.7 sys_check(8) Update
The following is an update of the
sys_check
(8) reference
page.
syscheck (8)
NAME
sys_check, runsyscheck - Generates system configuration information and
analysis
SYNOPSIS
/usr/sbin/sys_check [options...]
OPTIONS
-all
Lists all subsystems, including security information and setld inven-
tory verification. This option may take a long time to complete.
-debug
Outputs debugging information to stderr (standard error output).
-escalate [ xx ]
Creates escalation files for reporting problems to your technical sup-
port representative. This option produces one file,
TMPDIR/escalate.tar, unless there are crash dump files; if so,
it also creates two other files: TMPDIR/escalate_vmunix.xx.gz
and TMPDIR/escalate_vmcore.xx.gz. If you use the -escalate
option, sys_check runs with the -noquick option and collects the output
in the escalate.tar file. Optionally, you can specify a number (xx)
with the -escalate option to define a crash number.
See the ENVIRONMENT VARIABLES section for information on how you
can set the value of TMPDIR.
-evm
Generates Event Manager (EVM) warnings. When EVM is configured, warn-
ings are posted as EVM events identified by the string
sys.unix.sys_check.warning. Six levels of priority ranging from 0-500
are used, as follows:
+ 0 - Information only.
+ 100 - Note
+ 200 - Tuning Note
+ 300 - Tuning Suggestion
+ 400 - Operational
+ 500 - Warning
-frame
Produces frame HTML output, which consists of three files:
sys_checkfr.html, sys_checktoc.html, and sys_check.html (unless you
specify a different file name with the -name option). This option
cannot be used with the -nohtml option. The following options are
available for use with the -frame option:
-name name
Specifies the name to use for the frame files output. The default
name is sys_check.
-dir name
Sets the directory for the frames output. Used only with the
-frame option. The default is the current directory (.).
-help or (-h)
Outputs help information.
-nohtml
Produces text output, consisting of one text file, instead of the
default HTML output. This option cannot be used with the -frame option.
-noquick
Outputs configuration data and the setld scan. Excludes security
information.
-perf
Outputs only performance data and excludes configuration data. This
option takes less time to run than others.
-v Displays the sys_check version number.
-warn
Executes only the warning pass. This option takes less time to run than
other options.
-nowarn
Executes only the data gathering pass.
DESCRIPTION
The sys_check utility is a system census and configuration verification
tool that is also used to aid in diagnosing system errors and problems. Use
sys_check to create an HTML report of your system's configuration (software
and hardware). The size of the HTML output that is produced by the
sys_check utility is usually between .5 MB and 3 MB.
The sys_check utility also performs an analysis of operating system parame-
ters and attributes such as those that tune the performance of the system.
The report generated by sys_check provides warnings if it detects problems
with any current settings. Note that while sys_check can generate hundreds
of useful warnings, it is not a complete and definitive check of the health
of your system. The sys_check utility should be used in conjunction with
event management and system monitoring tools to provide a complete overview
and control of system status. Refer to EVM(5) for infor-
mation on event management. Refer to the System Administration guide for
information on monitoring your system.
When used as a component of fault diagnosis, sys_check can reduce system
down time by as much as 50% by providing fast access to critical system
data. It is recommended that you run a full check at least once a week to
maintain the currency of system data. However, note that some options will
take a long time to run and can have an impact on system performance. You
should therefore choose your options carefully and run them during offpeak
hours. At a minimum, perform at least one full run (all data and warnings)
as a post-configuration task in order to identify configuration problems
and establish a configuration baseline. The following table provides guide-
lines for balancing data needs with performance impact.:
___________________________________________________________________________
Option Run time Performance Recommended At
impact
___________________________________________________________________________
-warn, -perf Short. Minimal. Regular
updates, at
least weekly
null - no options Medium, perhaps Some likely at Run at least
selected. 15 to 45 minutes peak system use. once post-
depending on pro- installation
cessor. and update
after major
configuration
changes. Update
your initial
baseline and
check warnings
regularly.
-noquick, -all, Long, perhaps 45 Very likely at Use only when
-escalate. minutes on fast, peak use. troubleshooting
large systems to a system prob-
hours on low-end lem or escalat-
systems. ing a problem
to your techni-
cal support
representative.
___________________________________________________________________________
You can run some sys_check options from the SysMan Menu or the
/usr/sbin/sysman -cli command-line interface. Choose one of the following
options from the menu:
>- Support and Services
| Create escalation report [escalation]
| Create configuration report [config_report]
Alternatively, use the config_report and escalation accelerators from the
command line. Note that the escalation option should only be used in con-
junction with a technical support request.
The runsyscheck script will run sys_check as a cron task automatically if
you do not disable the crontab entry in /var/spool/cron/crontabs/root.
Check for the presence of an automatically generated log file before you
create a new log as it may save time.
When you run the sys_check utility without command options, it gathers con-
figuration data excluding the setld scan and the security information and
displays the configuration and performance data by default. It is recom-
mended that you do this at least once soon after initial system configura-
tion to create a baseline of system configuration, and to consider perform-
ing any tuning recommendations.
On the first run, the sys_check utility creates a directory named
/var/recovery/sys_check. On subsequent runs, sys_check creates additional
directories with a sequential numbering scheme:
+ The previous sys_check directory is renamed to
/var/recovery/sys_check.0 while the most recent data (that is, from
the current run) is always maintained in /var/recovery/sys_check.
+ Previous sys_check directories are renamed with an incrementing exten-
sion; /var/recovery/sys_check.0 becomes /var/recovery/sys_check.1, and
so on, up to /var/recovery/sys_check.5.
There is a maximum of seven directories. This feature ensures that you
always have up to seven sets of data automatically. Note that if you only
perform a full run once, you may want to save the contents of that direc-
tory to a different location.
Depending on what options you choose, the /var/recovery/sys_check.*
directories will contain the following data:
+ Catastrophic recovery data, such as an /etc files directory, containing
copies of important system files. In this directory, you will find
copies of files such as /etc/group, /etc/passwd, and /etc/fstab.
+ Formatted stanza files and shell scripts and that you can optionally
use to implement any configuration and tuning recommendations gen-
erated by a sys_check run. You use the sysconfigdb command or run the
shell scripts to implement the stanza files. See the sysconfigdb(8)
reference page for more information.
NOTES
You must be root to invoke the sys_check utility from the command line;
you must be root or have the appropriate privileges through Division of
Privileges (DoP) to run Create Configuration Report and Create Escalation
Report from the SysMan Menu. The sys_check utility does not change any sys-
tem files.
The sys_check utility is updated regularly. You can obtain the latest ver-
sion of the sys_check utility from either of two sources:
+ The most up-to-date version of the sys_check kit is located on the
sys_check tool web site,
http://www.tru64unix.compaq.com/sys_check/sys_check.html.
+ You can also obtain sys_check from the patch kit, see
http://www.support.compaq.com/patches/.
You should run only one instance of sys_check at a time. The sys_check
utility prevents the running of multiple instances of itself, provided that
the value of the TMPDIR environment variable is /var/tmp, /usr/tmp, /tmp,
or a common user-defined directory. This avoids possible collisions when
an administrator attempts to run sys_check while another administrator is
already running it. However, no guarantees can be made for the case when
two administrators set their TMPDIR environment variables to two different
user-defined directories (this presumes that one administrator does not
choose /var/tmp, /usr/tmp, or /tmp).
The sys_check utility does not perform a total system analysis, but it does
check for the most common system configuration and operational problems on
production systems.
Although the sys_check utility gathers firmware and hardware device revi-
sion information, it does not validate this data. This must be done by
qualified support personnel.
The sys_check utility uses other system tools to gather an analyze data. At
present, sys_check prefers to use DECevent, and you should install and con-
figure DECevent for best results.
If DECevent is not present, the sys_check utility issues a warning message
as a priority 500 EVM event and attempts to use uerf instead. In future
releases, Compaq Analyze will also be supported on certain processors.
Note that there are restrictions on using uerf, DECevent and Compaq Analyze
that apply to:
+ The version of UNIX that you are currently using.
+ The installed version of sys_check.
+ The type of processor.
EXIT STATUS
The following exit values are returned:
0 Successful completion.
>0 An error occurred.
LIMITATIONS
DECevent or Compaq Analyze may not be able to read the binary error log
file if old versions of DECevent are being used or if the binary.errlog
file is corrupted. If this problem occurs, install a recent version of
DECevent and, if corrupted, recreate the binary.errlog file.
HSZ controller-specific limitations include the following:
HSZ40 and HSZ50 controllers:
The sys_check utility uses a free LUN on each target in order to com-
municate with HSZ40 and HSZ50 controllers. To avoid data gathering
irregularities, always leave LUN 7 free on each HSZ SCSI target for
HSZ40 and HSZ50 controllers.
HSZ70, HSZ80 and HSG80 controllers:
The sys_check utility uses a CCL port in order to communicate with
HSZ70 controllers. If a CCL port is not available, sys_check will use
an active LUN. To avoid data gathering irregularities, enable the CCL
port for each HSZ70 controller.
The sys_check utility attempts to check the NetWorker backup schedule
against the /etc/fstab file. For some older versions of NetWorker, the
nsradmin command contains a bug that prevents sys_check from correctly
checking the schedule. In addition, the sys_check utility will not
correctly validate the NetWorker backup schedule for TruCluster Server.
EXAMPLES
1. The following command creates escalation files that are used to report
problems to your technical support organization:
# sys_check -escalate
2. The following command outputs configuration and performance informa-
tion, excluding security information and the setld inventory, and pro-
vides an analysis of common system configuration and operational prob-
lems:
# sys_check > file.html
3. The following command outputs all information, including configura-
tion, performance, and security information and a setld inventory of
the system:
# sys_check -all > file.html
4. The following command outputs only performance information:
# sys_check -perf > file.html
5. The following command provides HTML output with frames, including con-
figuration and performance information and the setld inventory of the
system:
# sys_check -frame -noquick
6. The following command starts the SysMan Menu config_report task from
the command line:
# /usr/sbin/sysman config_report
Entering this command invokes the SysMan Menu, which prompts you to
supply the following optional information:
+ Save to (HTML) - A location to which the HTML report should be
saved, which is /var/adm/hostname_date.html by default.
+ Export to Web (Default) - Export the HTML report to Insight
Manager. Refer to the System Administration manual for information on
Insight Manager.
+ Advanced options - This option displays another screen in which
you can choose a limited number of run time options. The options
are equivalent to certain command-line options listed in the
OPTIONS section.
In this screen, you can also specify an alternate temporary
directory other than the default of /var/tmp.
+ Log file - The location of the log file, which is
/var/adm/hostname_date.log by default.
7. The following is an example of a stanza file advfs.stanza in
/var/recovery/sys_check.*:
advfs:
AdvfsCacheMaxPercent=8
8. The following is an example of a shell script apply.kshin
/var/recovery/sys_check.*:
cd /var/cluster/members/member/recovery/sys_check/
llist="advfs.stanza
vfs.stanza "
for stf in $llist; do
print " $stf "
stanza=`print $stf | awk -F . '{print $1 }'`
print "/sbin/sysconfigdb -m -f $stf $stanza"
/sbin/sysconfigdb -m -f $stf $stanza
done
print "The system may need to be rebooted for these
changes to take effect"
ENVIRONMENT VARIABLES
The following environment variables affect the execution of the sys_check
utility. Normally, you only change these variables under the direction of
your technical support representative, as part of a fault diagnosis pro-
cedure.
TMPDIR
Specifies a default parent directory for the sys_check working sub-
directory, whose name is randomly created; this working subdirectory is
removed when sys_check exits. The default value for TMPDIR is /var/tmp.
LOGLINES
Specifies the number of lines of log file text that sys_check includes
in the HTML output. The default is 500 lines.
BIGNUMFILE
Specifies the number of files in a directory, above which a directory
is considered excessively large. The default is 15 files.
BIGFILE
Specifies the file size, above which a file is considered excessively
large. The default is 3072 KB.
VARSIZE
Specifies the minimum amount of free space that sys_check requires in
the TMPDIR directory. The default is 15 MB and should not be reduced.
The sys_check utility will not run if there is insufficient disk space.
RECOVERY_DIR
Specifies the location for the sys_check recovery data. The default is
/var/recovery. The sys_check utility automatically cleans up data from
previous command runs. The typical size of the output generated by
each sys_check utility run is 400 KB. This data may be useful in
recovering from a catastrophic system failure.
ADHOC_DIR
Specifies the location at which sys_check expects to find the text
files to include in the HTML output. The default is the /var/adhoc
directory.
TOOLS_DIR
Specifies the location at which sys_check expects to find the binaries
for the tools that it calls. The default is /usr/lbin.
FILES
/usr/sbin/sys_check
Specifies the command path.
Note
This file may be a symbolic link.
/usr/lbin/*
Various utilities in this directory are used by sys_check.
Note
These files may be symbolic links.
The sys_check utility reads many system files.
SEE ALSO
Commands: dop(8), sysconfigdb(8), sysman_cli(8), sysman_menu(8)
Miscellaneous: EVM(5), insight_manager(5)
Books: System Administration, System Tuning
1.12.8 mountd Reference Page Update
The following are updates for the
mountd
( ) reference
page:
SYNOPSIS
mountd [-d] [-i] [-n] [-s] [-r] [-R] [exportsfile]
FLAGS
...
-r Have mountd listen for requests on a reserved port. This is the default behavior.
-R mountd may listen on an unreserved port.
1.12.9 UFS Delayed Metadata mount Option
This new
mount
option allows for disabling synchronous
metadata writes on a specified file system.
The new mount option is
delayed
.
To maintain the file system's consistency, UFS metadata (such as inode, directory, and indirect blocks) is updated synchronously by default.
Metadata updates are typically performed synchronously to prevent
file system corruption after a crash.
The trade-off for file system integrity,
however, is performance.
In some cases, such as a file system serving
as a cache, performance (faster metadata update) is more important than
preserving data consistency across a system crash; for example, files under
/tmp
, or Web proxy servers such as Squid.
This has two results. One, multiple updates to one block become only a one block write as opposed to multiple writes of the same block with traditional synchronous metadata update. Two, users can experience much better responsiveness when they run metadata-intensive applications because metadata writes will not go out to the disk immediately, while users get their prompt back as soon as the metadata updates are queued.
Do not use the
delayed
option on the
/
or
/usr
file systems.
Use the
delayed
option only on file systems that do not need to survive across
a system crash.
Usage
To enable the
delayed
option, run:
mount -o delayed <device>
<mount point>
or
mount -u -o delayed <mount point>
1.12.10 Changes to the rexecd Reference Page
The following are updates for the
rexecd
( ) reference
page:
OPTIONS
-s Causes rexecd to check for the ptys keyword in the /etc/securettys file
and to deny execution of the request if it is from root and on a pseudoterminal.
DESCRIPTION
6. The rexecd server then validates the user as is done at login time
and, if started with the -s option, verifies that the /etc/securettys
file is not set up to deny the user. If the authentication was suc-
cessful, rexecd changes to the user's home directory, and establishes
the user and group protections for the user. If any of these steps
fail, the connection is aborted with a diagnostic message returned.
1.12.11 3DLabs Oxygen VXI Graphics Card
This patch provides the driver support for the 3DLabs Oxygen VX1 graphics card. To obtain full support for this graphics card, you must also select Patch 750.00, which is the X server portion of the patch.
If you have a system with this new graphics card, you will need to reconfigure and rebuild the kernel after installing this patch.
To reconfigure and rebuild the kernel, follow these steps:
Shut down the system:
#
/usr/sbin/shutdown -h now
Boot genvmunix to single-user mode:
>>>
boot -fi genvmunix -fl s
After the system boots to single-user mode, mount the file
systems, run the
update
command, and activate the swap
partition:
#
sbin/bcheckrc
#
/sbin/update
#
/sbin/update
Run
doconfig
to create a new kernel configuration
file and rebuild the kernel:
#
/usr/sbin/doconfig
Note
Do not specify the
-c
option todoconfig
. If you do,doconfig
will use the existing kernel configuration file which will not have the appropriate controller entry for the 3DLabs Oxygen VX1 graphics card.
Save the old
/vmunix
file and move the
new kernel to
/vmunix
.
Shut down the system:
#
/usr/sbin/shutdown -h now
Boot the new kernel:
>>>
boot
If you remove this patch from your system after you have rebuilt the
kernel to incorporate support for the 3DLabs Oxygen VX1 graphics card as
described, you will need to rebuild the kernel again to restore generic
VGA graphics support.
To do this, follow the previous steps.
The
doconfig
utility running on the original, unpatched
genvmunix
will not recognize the 3DLabs Oxygen VX1 graphics card, and will
include generic VGA graphics support in the resulting kernel.
1.12.12 DEGPA-TA Gigabit Ethernet Device
This patch provides support for DEGPA-TA (1000BaseT) Gigabit Ethernet device. If you have a system with this new Ethernet device, you will need to reconfigure and rebuild the kernel after installing this patch.
To do this, follow these steps:
Shut down the system:
#
/usr/sbin/shutdown -h now
Boot
genvmunix
to single-user mode:
>>>
boot -fi genvmunix -fl s
After the system boots to single-user mode, mount the file
systems, run the
update
command, and activate the
swap partition:
#
/sbin/bcheckrc
#
/sbin/update
#
/sbin/swapon -a
Run
doconfig
to create a new kernel configuration
file and rebuild the kernel:
#
/usr/sbin/doconfig
Note
Do not specify the
-c
option todoconfig
. If you do,doconfig
will use the existing kernel configuration file which will not have the appropriate controller entry for the new graphics card.
Save the old
/vmunix
file and move the
new kernel to
/vmunix
.
Shut down the system:
#
/usr/sbin/shutdown -h now
Boot the new kernel:
>>>
boot
If you remove this patch from your system after you have rebuilt the
kernel to incorporate support for the new Ethernet card as described previously,
you will need to rebuild the kernel.
To do this, follow the previous steps.
Thedoconfig
running on the original, unpatched
genvmunix
will not recognize the new Ethernet driver.
1.13 Release Note for DEC 7000 Upgrades to AlphaServer 8400
This release note concerns systems that were upgraded from DEC 7000 to AlphaServer 8400 that have not installed the DWLPA-AA, DWLPB-AA, or the KFTIA. These are the I/O enhancements for the AlphaServer 8400.
Add the following information to the
/sys/conf/SYSTEMNAME
file:
bus tiop0 at tlsb0 vector tioperror
bus pci0 at tiop0 slot 0
callout after_c "../bin/mkdata pci"
bus isp0 at pci0 slot 0 vector ispintr
controller scsi0 at isp0 slot 0
You must do this every time you reconfigure.