Abstract
This document describes the process of installing the latest updates (TL and SP Fix Packs) from IBM on AIX 7.2, along with the AIX Toolbox of open source applications. We’re not using a newer release because AIX 7.2 is the latest one supported on POWER7 systems.
Test Platform:
- IBM POWER 740 (8205-E6B)
- POWER7 3.72GHz (x4 Cores) CPU
- 32GB RAM / 1TB SAS RAID5
- IBM AIX 7.2 TL5 SP3 (7200-05-03-2147)
I considered removing the section for installing updates, which IBM used to let you download for free. Now that they want to keep AIX a secret, that’s not possible. So we’ll just install the latest ISO we can find on the Internet and hope there are no massive holes. If you can’t find the latest updates, I’d advise against exposing this system to the world, as it is unsupported in every way. However, I invite some risks and seek intellectual exercises!
If you are lucky enough to have access to a current support contract, all you need is an account and system serial number to access the Fix Central bits (here). If not, again, since IBM is not about to let you download a basically deprecated operating system for educational purposes for free, just hunt down the torrent scenes, and surprisingly, archive.org. Releases see daylight occasionally.
Install and Setup the Operating Environment
I won’t go over the installation procedure for AIX in detail, because it is painfully easy. Too easy, actually. You really can’t do anything but pick what software you want. So. I will assume that you performed a base installation, with nothing extra (no CDE, KDE, Gnome, etc.). This is my 4 More Options (Software install options) screen (using the New and Complete Overwrite method):
1. Graphics Software................................. No
2. System Management Client Software................. No
3. OpenSSH Client Software........................... Yes
4. OpenSSH Server Software........................... Yes
5. Enable System Backups to install any system....... No
(Installs all devices
Make sure you select both the OpenSSH Client and Server Software! AIX 7.2 made this an install-time option. Finally.
You also have the option of which Edition to install, the choices being Standard or Enterprise. I’m just using Standard.
Once you are done with that part, the system will reboot and you should be presented with the “Installation Assistant” menu (after accepting the licenses). Here you can set the root password and IP information. If you don’t get this screen, just log in as root, set the password, and set up networking by hacking it old school style (mktcpip). Substitute your specific numbers:
# mktcpip -h hostname -a ip_address -m netmask -i en0 -n dns_server -d domain -g gateway_ip -s
Of course, if you like menus, you can use smitty mktcpip.
AIX uses LVM by default for disk partitioning. It has a bit of a learning curve – check the links at the end of this guide for external references. Just make sure you have plenty of room in /usr (most of our activities will be in there – more later) and /var (where most log files will go). Other directories will need to be fattened up as well, for general O/S functionality and patching/binary bits (/opt, /tmp, etc.).
For example, this will increase the size of the /var partition by 20 gigabytes:
# chfs -a size=+20G /var
Oh, and here is a tip: The AIX version of df can take the -m flag to display space in megabytes and -g for gigabytes.
Let’s add a user:
# mkuser id='1000' beaker
# passwd beaker
Another thing we want to fix is the ability to use files greater than 2GB in size. AIX is very stingy when it comes to setting limits on things like file size for users. Which, as a security professional, I can appreciate. But as a lazy user with only development systems, I like to remove them. So we need to edit the default stanza of the /etc/security/limits file so that fsize = 2097151 becomes fsize = -1 (unlimited). Log out and then back in for this to take effect.
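The stanza edit described above, as an added example that is not part of the original guide: a stanza-aware rewrite of one attribute, plus a lookup of the value a given user actually ends up with (a per-user stanza overrides default). The function names are hypothetical; on AIX itself, `chsec -f /etc/security/limits -s default -a fsize=-1` makes the same change.

```shell
#!/bin/sh
# Added example, not from the original guide. Function names are hypothetical.

# set_limit FILE STANZA ATTR VALUE
# Print FILE with ATTR set to VALUE inside STANZA only. Other stanzas,
# comments (lines starting with '*') and other attributes pass through.
set_limit() {
    awk -v want="$2" -v attr="$3" -v val="$4" '
        # A stanza header starts in column 1 and ends with a colon.
        /^[^ \t*].*:[ \t]*$/ {
            cur = $1; sub(/:$/, "", cur)
            print
            if (cur == want) print "\t" attr " = " val
            next
        }
        # Drop the old value of ATTR in the target stanza.
        cur == want && $1 == attr && $2 == "=" { next }
        { print }
    ' "$1"
}

# effective_limit FILE USER ATTR
# Print the value USER gets: the user stanza if it sets ATTR, else default.
effective_limit() {
    awk -v user="$2" -v attr="$3" '
        /^[^ \t*].*:[ \t]*$/ { cur = $1; sub(/:$/, "", cur); next }
        $1 == attr && $2 == "=" { v[cur] = $3 }
        END { print ((user in v) ? v[user] : v["default"]) }
    ' "$1"
}
```

Write the output of set_limit to a scratch file and check it with effective_limit for root and for each login user before replacing /etc/security/limits; users without their own fsize line inherit the new default.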
Update to Latest Technology Level (TL) and Service Pack (SP)
As of this writing, the latest TL for AIX 7.2 is 5 (November 2020) and SP is 6 (28 April 2023). You can download them (or newer ones if available) from IBM here. Note that for this guide, we installed TL5, so only update that if a newer version has been released, or you used media with an older TL version.
Check the prerequisite requirements for each Fix Pack, and ensure those are installed first. For this effort, we will install the 7200-05-00-2037 TL first (if needed), and then the 7200-05-06-2320 SP second.
There are two ways to do this, depending on whether you’ve downloaded the TL/SP updates as ISOs or individual file sets.
Option 1 – Mount TL/SP ISO Images
- Copy TL and SP ISO files to the AIX system to be updated (via SFTP, FTP, USB… whatever). I use the /tmp folder – so if you do as well, make sure it is big enough for these two archives (which are about 15GB together).
- Make mount targets in /mnt for these ISO files:
mkdir /mnt/TL
mkdir /mnt/SP
- Mount .ISO files to targets:
loopmount -i /tmp/TL_7200-05-00-2037.iso -m /mnt/TL -o "-V cdrfs -o ro"
loopmount -i /tmp/SP_7200-05-06-2320.iso -m /mnt/SP -o "-V cdrfs -o ro"
Option 2 – Copy File Sets to Local Drive
IBM recommends creating a separate file system for /usr/sys/inst.images for the following reasons:
- Downloaded fix packages require a significant amount of disk space
- By creating a separate file system, you prevent the expansion of the /usr file system
Instead of creating a separate filesystem, we’ll just expand the /usr one to be large enough for this task. TL 7200-05-00-2037 is about 6.2GB and SP 7200-05-06-2320 is about 8.3GB. So let’s bump it up by 30GB just to be safe:
# chfs -a size=+20G /usr
For the updates, I generally keep them all in one big bzip2 archive, like so (using GNU tar on a Linux box):
[beaker@saturn AIX_7.2_Fix_Packs]$ ls
SP_7200-05-06-2320 TL_7200-05-00-2037
[beaker@saturn AIX_7.2_Fix_Packs]$ tar -cjvf aix-7.2-updates.tar.bz2 *
Now let’s extract them. Since we don’t have GNU tar on this system, we can’t extract and decompress .tar.bz2 files in one step. So we have to be a little more clunky about it. This is just how I do it. You will probably have a different way of getting the Fix Packs on your system:
# cd /usr/sys/inst.images
# bunzip2 *
# tar xvf *
Fix Pack Installations
Now that all the .bff files are in the /usr/sys/inst.images/TL_7200-05-00-2037 / /usr/sys/inst.images/SP_7200-05-06-2320 directories, or mounted to /mnt/TL / /mnt/SP, let’s get in there and do the TL first (if you need to). These examples will use the ISO mount method. Adjust if you’re using the local file system.
# cd /mnt/TL
To install all updates from this package that apply to the installed filesets on your system, use the following command.
# smit update_all
The “INPUT device / directory” should be . (then hit enter). Also change the “ACCEPT new license agreements variable” to yes (then hit enter).
When everything is done (it will take a while!), you will be presented with a vague “COMMAND STATUS” page with various Fn options. F10 will get you out. If you’re using an xterm window like me, Esc-0 is a better choice. F10 can do weird things with shortcuts (unless you disable them).
Reboot the system (required for this update to take effect).
After rebooting, enter the following to verify your new TL:
# oslevel -s
TL_7200-05-03-2147
If the TL version doesn’t return the one we installed… well, AIX is a picky little bitch. And if one or two LPPs (Licensed Program Products) are back-leveled, it will show some older numbers. And sometimes, like in this case, it shows a more recent one because of recent SPs in the TL pack. Don’t think too hard about this – you will go mad.
You might have to run smitty update_all a second time to update bos.aso and mcr.rte. Until this is done, the oslevel -s command might not indicate the correct level.
Now we have to install the latest Service Pack (SP).
# cd /mnt/SP
NOTE: /usr/sys/inst.images/SP_7200-05-06-2320 if using local file system.
Then do just like we did for the TL:
# smit update_all
The “INPUT device / directory” should be . (then hit enter). Also change the “ACCEPT new license agreements variable” to yes (then hit enter).
When everything is done (it will take a while!), you will be presented with a vague “COMMAND STATUS” page with various Fn options. F10 will get you out. If you’re using an xterm window like me, Esc-0 is a better choice. F10 can do weird things with shortcuts (unless you disable them).
Once it is all done, check the level again:
# oslevel -s
7200-05-06-2320
We got lucky! However, you might need to run smitty update_all another time or two to ensure all updates are applied.
Now clean house and reboot:
If using ISO method:
# cd /tmp
# loopumount -l loop0 -m /mnt/TL /mnt/SP
# rm *.iso
If using local file system method:
# cd /usr/sys/inst.images
# rm -rf *
And for good measure:
# reboot
Install DNF for AIX (AIX Toolbox) and Configure Environment
Make sure you have enough disk space for this stuff. I use /usr/src for all… well, sources, /opt for AIX Toolbox binaries (like /opt/freeware and other applications), and /usr/local/bin for compiled local binaries. Check out the top of this guide for more information on how to expand LVMs.
Get dnf_aixtoolbox.sh Installation Script
If your FTP session hangs when attempting to GET a file, chances are the reason is passive mode. So don’t forget the -p and -s flags when connecting (IBM requires SSL/TLS for FTP connections now)!
Note: Server responses are omitted.
# cd /usr/src
# mkdir dnf
# cd dnf
# ftp -p -s public.dhe.ibm.com
Connected to blah blah blah...
Name: anonymous
Password: anonymous
ftp> cd /aix/freeSoftware/aixtoolbox/ezinstall/ppc
ftp> get dnf_aixtoolbox.sh
ftp> quit
221 Goodbye.
OpenSSL (and OpenSSH!)
As you move forward with the AIX Toolbox (and source compilations), you will inevitably get nothing provides libcrypto.a(libcrypto.so.1.1) and nothing provides libssl.a(libssl.so.1.1) errors. That’s because the crypto libraries included with AIX 7.2 are rather outdated (v1.x). You will need to update these, and to do that, we need to grab the latest bits from IBM’s website (and do OpenSSH at the same time). I’m sorry – it’s a sucky method, but the only way out of this mess.
Here’s a decent guide: https://www.ibm.com/support/pages/node/720655
NOTE: There is no OpenSSL v2.x – it was kicked over the cliff in favor of v3.x. So be sure to get the latest v3.x release available!
Run Installation Script
# chmod +x dnf_aixtoolbox.sh
# ./dnf_aixtoolbox.sh -d
(-d installs/configures DNF without YUM, which is deprecated)
NOTE: If you get the following error, go up one section in this guide – “OpenSSL (and OpenSSH!)” and update those ancient bits (oh, and the link they return is broken at this moment):
# ./dnf_aixtoolbox.sh -d
Please install openssl 1.1.x and higher version.
You can download and install latest openssl from AIX web download site
https://www-01.ibm.com/marketing/iwm/platform/mrs/assets?source=aixbp
That’s it! By default three IBM repos are enabled for RPM packages in /opt/freeware/etc/dnf/dnf.conf. You will be prompted to update your DNF repository, but dnf is not in your PATH yet. Let’s do that next.
Configure PATH, Shell Environment, and Date/Time/Time Zone
Anytime we enter a command, we want to use the application it references in the following order:
- Locally Compiled Software
- AIX (GNU) Toolbox
- AIX Default Application
To do this, we need to set the user’s PATH to look in /usr/local/bin and /opt/freeware/bin before /usr/bin.
For the root user, edit the /etc/environment file so that the PATH line looks like this:
PATH=/usr/local/bin:/opt/freeware/bin:/usr/bin:/etc:/usr/sbin:/usr/ucb:/usr/bin/X11:/sbin:/usr/java8_64/jre/bin:/usr/java8_64/bin
For system users, edit the user’s .profile file so that the PATH line looks like this (or whatever you like – I like using the system PATH and just adding a local directory pointer):
PATH=$PATH:.
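An added example, not part of the original guide: a small audit of a PATH value like the ones above. It flags entries that resolve against the current directory or are world-writable, and lists every copy of a command in search order so you can see which one the shell runs. Function names are hypothetical; the checks use only POSIX sh and find.

```shell
#!/bin/sh
# Added example, not from the original guide. Function names are hypothetical.

# split_path VALUE: print one PATH entry per line. An empty entry (leading,
# trailing or doubled ':') is printed as an empty line.
split_path() {
    rest="$1:"
    while [ -n "$rest" ]; do
        printf '%s\n' "${rest%%:*}"
        rest=${rest#*:}
    done
}

# audit_path VALUE: print one finding per entry that lets someone else place
# a binary in the search path. Prints nothing for a clean PATH.
audit_path() {
    split_path "$1" | while IFS= read -r entry; do
        case $entry in
            '') echo "CWD: empty entry is treated as the current directory" ;;
            /*) # "/." makes find look at the directory behind a symlink too
                if [ -n "$(find "$entry/." -prune -type d -perm -0002 -print 2>/dev/null)" ]; then
                    echo "WRITABLE: $entry is world-writable"
                fi ;;
            *)  echo "RELATIVE: $entry is resolved against the current directory" ;;
        esac
    done
}

# resolve_all CMD VALUE: list every copy of CMD in search order. The first
# line is the one that runs (e.g. Toolbox tar ahead of the AIX tar).
resolve_all() {
    split_path "$2" | while IFS= read -r entry; do
        [ -n "$entry" ] || entry=.
        if [ -f "$entry/$1" ] && [ -x "$entry/$1" ]; then
            printf '%s\n' "$entry/$1"
        fi
    done
    return 0
}

# Constructed demo: the start of root's PATH from the guide with ":." appended.
audit_path "/usr/local/bin:/opt/freeware/bin:/usr/bin:/etc:/usr/sbin:."
resolve_all tar "/usr/local/bin:/opt/freeware/bin:/usr/bin"
```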
I like bash way more than ksh. To make this your default shell, first install it:
# /opt/freeware/bin/dnf install bash
Then edit the /etc/passwd file so that the shell listed for your user (and root!) is /opt/freeware/bin/bash instead of /usr/bin/ksh.
It’d be nice to have the clock stay accurate. Or at least start accurate. Add an NTP server to the /etc/ntp.conf file:
# echo "server time.nist.gov" >> /etc/ntp.conf
NTP doesn’t like big time gaps, so if you’re still set to epoch or something, manually set the date/time first (and the time zone, if you didn’t do it at initial setup):
# smitty chtz_date
And to make it easy, just run the following and select BOTH to start the NTP client now and at boot time:
# smitty xntpd
Install Important Stuff
Helpful utilities! And while we’re here, let’s get GNU tar. It’s much better. Oh, and wget!
# /opt/freeware/bin/dnf install tar bzip2 wget grep sed
For all this to take effect without rebooting, log out completely and then back in to the system. Actually, I think you need to reboot for the time zone change to take… not positive. Anyway, welcome to your new AIX environment!
Helpful Links:
- IBM Documentation: Installing the Base Operating System (AIX 7.2)
- IBM Documentation: Logical Volume Manager
- Unix Mantra: AIX LVM Cheat Sheet
- IBM Support: Mounting an ISO image in AIX
- IBM Support: Get Started with the AIX Toolbox for Open Source Software
- IBM Community: DNF is now available on AIX Toolbox
- IBM Support: Downloading and Installing or Upgrading OpenSSL and OpenSSH
- IBM Documentation: mktcpip Command
- IBM Documentation: smitty Command
- IBM Documentation: limits File
- IBM Documentation: date Command
- IBM Documentation: ntp.conf File
- IBM Developer Article: IBM AIX commands you should not leave home without (old, but still quite useful)