基于NIM 的mksysb 完全实现手册.doc

基于NIM 的mksysb 完全实现手册之所以想写这样的一个文档，是因为看到IBM技术支持中心已经有了一篇同样内容的资料（中文的），但其实有些操作方面，是不对的，甚至效率低，才CU上也看到有人写了一个PDF文档，也是按照那样的思路来做的，实际上，NIM本身的设计思想，并不是让我们这样去实现mksysb的（其实我主要指的是，他们实现的方式，是本地mksysb 一个image file ，然后Ftp到NIM SERVER，然后单独创建mksysb resource，然后又 ，而且并没有谈到对应SPOT的创建 ） Ok ， 开始干活了 ， 全程记录本次过程 Let me see ， 第一步做啥呢，呵，肯定是登陆到NIM SERVER再说了，需要安装的是一个LPAR，裸机，哈。 环境介绍一下吧，这次我是想将一个670上的系统通过nim mksysb的方式，安装到570的一个LPAR上面，磁带机？ 磁带？ sorry，这些东西咱都不需要，但网络上必须通，至于怎么通的，请咨询网络工程师。 670 要添加到NIM SERVER中，创建一个NIM CLIENT 570的那个LPAR，也要在NIMSERVER上首先创建一个NIM CLIENT/etc/hosts 中，都写好 （写啥就不说了） 第一步： 在NIM SERVER中添加670的NIM CLIENT smitty nim - Perform NIM Administration Tasks - Manage Machines -Manage Machines Define a MachineType or select a value for the entry field.Press Enter AFTER making all desired changes. Entry Fields* Host Name of Machine loveunix -这个是670的hostname ， /etc/hosts中也要有所定义 (Primary Network Install Interface) 第二步： 开始直接创建mksysb 的image resource smitty nim_mkres resource type 选择 mksysb = a mksysb image Define a ResourceType or select values in entry fields.Press Enter AFTER making all desired changes. TOP Entry Fields* Resource Name loveunix_mksysb_res* Resource Type mksysb* Server of Resource master + * Location of Resource /export/spot/mksysb/loveunix.mksysb /Comments Source for Replication + -OR-System Backup Image Creation Options: CREATE system backup image? yes + NIM CLIENT to backup loveunix + PREVIEW only? no + IGNORE space requirements? no + EXPAND /tmp if needed? no + Create MAP files? no + Backup extended attributes? yes + COMMAND STATUSCommand: running stdout: yes stderr: noBefore command completion, additional instructions may appear below.+-+ System Backup Image Space Information (Sizes are displayed in 1024-byte blocks.)+-+Required = 10169413 (9932 MB) Available = 25653008 (25052 MB)Creating information file (/image.data) for rootvg.Creating list of files to back up.OK, 开始mksysb 到远程的Nim server 同时创建好该mksysb resource ,该过程时间较长，请耐心等待 。创建完了Nim-srv/etc#lsnim -l loveunixibpapp2: class = resources type = mksysb arch = power Rstate = ready for usebprev_state= unavailable for use/b location = /export/spot/mksysb/loveunix.mksysb version = 5 release = 3 mod = 0 oslevel_r = 5300-05 alloc_count = 0 server = master第三步： 给所要安装的机器，在NIM SERVER中，添加该client , 例如名字为aix 方法如第一步中所示。 第四步：根据该mksysb resource，创建所对应的SPOT，从而引导所需要安装的nim client smitty nim_mkres, 类型选择SPOT Define a ResourceType or select values in entry fields.Press Enter AFTER making all desired changes. Entry Fields* Resource Name aix_spot* Resource Type spot* Server of Resource master +* Source of Install Images aix +* Location of Resource /export/spot/ /Expand file systems if space needed? yes +Comments installp FlagsCOMMIT software updates? no +SAVE replaced files? yes +AUTOMATICALLY install requisite software? yes +OVERWRITE same or newer versions? no +VERIFY install and check file sizes? no +该步骤时间较长，继续耐心等待 COMMAND STATUSCommand: running stdout: yes stderr: noBefore command completion, additional instructions may appear below.Creating SPOT in /export/spot/ on machine master from ibpapp2 .Restoring files from BOS image.This may take several minutes . 从nmon来看lqDisk-I/O-StatisticsqKBytes/second (K=1024)qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqkxDisk BusyReadWrite 0-25-50-75-100 xx Name KB/s KB/s | | | | | xxhdisk1 0% 0 0| | xxhdisk0 100% 1785 0|RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR 等吧。第五步 ： 开始安装了 smitty nim_bosinst -aix (选择要安装的NIM CLIENT，目前该机器还是裸机) - mksysb - Install from a mksysb - ibpapp2 resources mksysb (iSelect the MKSYSB to use for the installation ) -选择之前定义的mksysb resource -选择和该mksysb对应的SPOT 在后面生成的菜单中，选择ACCEPT new license agreements? yes 之后，给570的那个LPAR power on ， 然后在IPL中，设置network boot 相关的network config，设置该client的地址，Nim server的地址，然后做Pingtest ，然后选择引导的网卡，就可以启动安装了之后的过程，就和用本地磁带引导恢复安装一样的。第六步： 总结回顾整个过程，有一些技术细节，例如如果做了安全的设置，禁用了rsh tftp nfs bootps 等，NIM的实施将不会成功 ，对于真实的企业IT环境，存在防火墙的情况，请参考如下： Firewall Considerations NIM makes use of several protocols which are generally considered risky services on firewall machines. It is recommended that users who desire firewall protection within their NIM environment follow a few rules: 1. The NFS program usually runs at port 2049 which is outside of the privileged port space. Normally, access to portmapper (port 111) is needed to find which port this service runs on, but since most installations run NFS on this port, hackers can bypass NFS and try this port directly. NFS was designed as a LAN service and contains numerous security vulnerabilities when used over the Internet. NFS services should not be run on firewall machines; if a NIM master resides on a firewall machine, then resources should reside on another client - clients may also be used as resource servers in a NIM environment. 2. If possible, TFTP servers should not be placed on firewall machines since no authentication is needed when requesting service. The TFTP protocol does allow for denying access based on entries contained in /etc/tftpaccess.ctl. NIM manages access to files in /tftpboot only; so all other directory locations should be off limits. When managed properly, TFTP access can be viewed as acceptable in the NIM environment. 3. Since rsh is the standard method of client control, clients participating in the NIM environment must allow shell service (514) or enable Kerberos in the NIM environment per client. In order to reduce the amount of open ports in the NIM environment, the following rules may be applied: * For every NIM communication using rsh, leave five (5) ports open starting at 1023 and decrementing from there. So if a client is communicating in the NIM environment, the client should leave open ports (1023-1019) and the master should leave open ports (1023-1019). This is an estimate and may not work in all environments since other services may call rreservport() prior to, or during, NIM operations. When monitored, this approach should w