Recently I performed some AIX updates and noted a peculiarity. However, before delving into that, I should give some information on performing the updates. I can’t stress the importance of updates enough. Too many times companies’ servers are hacked or compromised in some manner, which can be disastrous on so many levels. This is why it is important to keep your systems up to date. Of course, updating is not enough. You need stringent procedures in place for the handling of external media, password rules, enforcement, real-time packet analysis, etc.
Chroot jails are a good start for new or untested software. Anyways, back to updating.
Windows users are familiar with the idea of updating, typically through the internet (MS update site), the Windows Update feature (in the Control Panel, if I recall), or a SUS server (usually on a LAN when multiple machines need updating).
In the AIX world, they have TL (formerly known as ML) updates. These are your maintenance updates. They usually contain software updates, enhancements, and bug and security fixes. Next are the SP (Service Pack) updates. These are typically interim fixes until the next TL is released. Lastly, there are CSPs (Cumulative Service Packs), if I recall correctly. Typically these are the last SP for a product line.
To actually perform the updates, one can typically use a tool in AIX called smitty (aka smit). You can avoid smit and use the CLI (command line interface) if you prefer. In addition to this method, one can use IBM’s Fix Central. You can download the updates via a Java applet or an FTP bulk download.
Here is an example of doing an update with SMIT.
Run “smit suma”, then select easy downloads, then download a TL/ML. Type in what is required here. For this example, let’s assume you are running AIX 6.1 TL6 and you want to download TL7. After selecting the TL/ML download option, you would say you want to download “6100-07”. The download will commence. By default the download location will be /usr/sys/inst.images/installp/ppc. The file system will be automatically extended if required.
Once they are downloaded, you can use a smit fastpath to install the update. Note: you also could have used Fix Central to download a TL & SP at the same time to your PC, then transferred it over via ftp, scp, an nfs mount, etc.
To actually perform the AIX update with smit, one would assume it is the same procedure. Sorry, NO !!! Hence my issue with it.
If you downloaded a TL and wish to perform an update, you change directory to the source file directory, run inutoc to create a .toc file, and then run “smit update_all”. This will update all of the affected packages to the TL you downloaded.
If, however, you downloaded a specific APAR (let’s say IV22062 as an example) and you do a “smit update_all”, it will update ALL APARs it downloaded. Apparently IBM’s mechanism here needs some work. When downloading from IBM, it flags any dependencies and ‘decides’ on what you may need. Hence there are multiple APARs downloaded, even though you selected only one specific APAR.
Now to ‘correctly’ install an APAR you would do:
smit, install software and updates, install a WPAR. In the “APAR text box to install” hit F4 (or esc-4). That will display all of the APARs available. You will notice a lot more APARs here than the one you downloaded. Do a find with “/” and type IV22062. Then you can install JUST APAR IV22062.
I should point out a couple of things before performing the update:
By doing this you can roll back an update. This is also something I had to do recently. My latest one was due to the fact that I did a “smit update_all” for an APAR, which updated multiple APARs and caused my SP to be updated. Due to a vendor application requirement this had to be rolled back.
Run “lslpp -h”. This will give you a listing of all of the installed filesets, their installed versions (and history), including the install date.
With IV22062 I found that it would update 5 specific filesets. Thus I ran lslpp -h > /tmp/lslpp.txt and then opened the text file.
I confirmed which filesets should be rolled back (excluding the 5 filesets I wanted to keep) and looked for duplicates. The duplicates can be there if you have installed a couple of updates to a fileset in the applied state. If so, you want to remove the newest and keep the older. Note: packages in the “committed” state are not listed, as they can’t be rolled back once they are in a “committed” state.
Use smit, software maintenance, and reject software, selecting which filesets to remove.
Note: without commit=no and save files=yes this rollback would not be possible.
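The review of the lslpp -h listing described above can be scripted. The following is an added example, not part of the original post: a shell function that reads lslpp -h text and prints every fileset level that was applied but never committed or rejected, skipping the filesets you want to keep. The sample history and the demo.* fileset names are constructed, and the layout (fileset name on its own line, followed by Level/Action/Status lines) is an assumption about the lslpp -h output.

```shell
#!/bin/sh
# Constructed sample in the assumed layout of "lslpp -h" output: a fileset
# name on its own line, then one history line per level/action.
sample_history() {
cat <<'EOF'
  Fileset         Level     Action       Status       Date         Time
  ----------------------------------------------------------------------------
Path: /usr/lib/objrepos
  demo.base.rte
                  6.1.7.0   COMMIT       COMPLETE     01/10/12     09:00:00
                  6.1.7.15  APPLY        COMPLETE     03/02/12     14:05:11
  demo.net.client
                  6.1.7.0   APPLY        COMPLETE     01/10/12     09:01:00
                  6.1.7.0   COMMIT       COMPLETE     01/12/12     10:00:00
                  6.1.7.15  APPLY        COMPLETE     03/02/12     14:05:40
                  6.1.7.16  APPLY        COMPLETE     03/02/12     14:06:02
  demo.keep.me
                  6.1.7.16  APPLY        COMPLETE     03/02/12     14:06:30
EOF
}

# applied_only [KEEP...]: read lslpp -h text on stdin and print
# "fileset level" for each level with a completed APPLY and no completed
# COMMIT or REJECT. Filesets named in KEEP are skipped.
applied_only() {
  awk -v keep=" $* " '
    /^Path:/ || /^ *-+ *$/ || /^ *Fileset +Level/ { next }  # headers
    NF == 1 { fs = $1; next }                               # fileset name
    NF >= 3 && $3 == "COMPLETE" {                           # history line
      key = fs " " $1
      if (!(key in seen)) { seen[key] = 1; order[++n] = key }
      if ($2 == "APPLY") applied[key] = 1
      if ($2 == "COMMIT" || $2 == "REJECT") closed[key] = 1
    }
    END {
      for (i = 1; i <= n; i++) {
        k = order[i]; split(k, p, " ")
        if (applied[k] && !closed[k] && index(keep, " " p[1] " ") == 0)
          print k
      }
    }'
}
```

Against the saved listing it would be run as: applied_only fileset.to.keep < /tmp/lslpp.txt. A fileset printed more than once has several applied levels, which are the duplicates mentioned above.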
Cheers