HP Tru64 UNIX and TruCluster Server Version 5.1B-6

Prior Release Notes

Because patch kits are cumulative, this kit will install all of the fixes, features, and changes that have been added since you last installed a Version 5.1B patch kit. The following sections describe the changes contained in this kit that were first introduced in prior kits.

Dynamic Pathing in Disk Driver

This kit enhances the CAM disk driver to dynamically recognize and use newly added paths while the device is in use.

With the new behavior, all paths, including those added while the device is in use, are available for I/O.

Before Version 5.1B-5, the disk driver used all paths that were available at open/mount time. Paths added after would not be added to the active set until a close/open or dismount/mount occurred.

Performance Improvement for TCP Applications

The TCP selective acknowledgment feature is enabled by default. When the selective acknowledgments feature is enabled, the data receiver can inform the sender about all the segments that were received successfully, so that the sender needs to retransmit only those segments that were lost. This improves the performance of TCP applications on a network which is experiencing packet loss.

Support for 2 TB LUNs

This kit enhances the Tru64 UNIX CAM (Call Applications Manager) subsystem to support a LUN size of up to 2 TB, an increase from the previous maximum limit of 1 TB. This allows Tru64 UNIX to take advantage of the increased LUN size supported by the storage arrays.

Enhancements to binary.errlog

This kit enhances the error log feature to improve user experience. In some error situations, the entries appear to be missing time sequences within the binary.errlog file, which makes it difficult to determine if the system did not have any events to log or there was some issue (such as low disk free space) that disabled event reporting for a period of time.

This kit introduces the following additional enhancements to the binary.errlog file:

  1. Introduce a set of markers in the binary.errlog file framework to track the events occurring in the CAM layer and log the most recent log that was attempted on the system.

  2. Increase the internal buffer .blbuf through the sysconfigtab variable, if necessary.

  3. Notify the user upon disk full state to clear the disk space and restart the binlogd daemon.

  4. Provide crash extensions to dump .blbuf and the newly introduced track framework data structures.

Updated Printer Support

This kit introduces support for the following 18 printers:

  • HP LaserJet 1300

  • HP LaserJet 1320

  • HP LaserJet 2410

  • HP LaserJet 2420

  • HP LaserJet 2430

  • HP LaserJet 4345 MFP

  • HP LaserJet 5200

  • HP LaserJet 9000 MFP

  • HP LaserJet 9040 MFP

  • HP LaserJet 9050 MFP

  • HP LaserJet 9055 MFP

  • HP ColorLaserJet 3000

  • HP ColorLaserJet 3700

  • HP ColorLaserJet 3800

  • HP ColorLaserJet 4730 MFP

  • HP ColorLaserJet 5500

  • HP ColorLaserJet 5550

  • HP ColorLaserJet 9500 MFP

ICSNET Pseudo Driver Performance Optimization

This kit provides an enhancement to the ICSNET pseudo driver that improves the performance of the ics0 interface in a LAN cluster.

This optimization is helpful for cluster applications that use the ics0 interface to interact with other nodes in the cluster. It does this by avoiding the latency associated with time critical Interconnect Communication Subsystem (ICS) remote procedure calls, and by using available bandwidth of the LAN interconnect directly, which provides increased throughput.

This new functionality is enabled or disabled by the new sysconfigtab attribute, described as follows:

    icsnet:
    icsnet_optimization_enable = 1

The following restrictions and limitations apply to the use of this feature:

  1. This enhancement requires the version switch. Run the /var/adm/patch/noroll/noroll_versw command after the no-roll installation.

  2. There will not be any change in the statistics of the ics0 interface. All statistics must be checked at the physical cluster interconnect level only.

  3. Tcpdump behavior will change. The sender side behavior remains the same. However, the receiving part of tcpdump must be checked at the physical interface (cluster interconnect) level.

  4. The ics0 interface MTU (maximum transmission unit) will be dependent on the MTU of the physical cluster interconnect. Any change in the MTU of the physical cluster interconnect without a reboot requires a change in the ics0 interface's MTU as well.

  5. The ICSNET optimization feature is not supported in configurations where cluster interconnects are configured as VLAN (virtual LAN).

sys_check Upgraded to Version 145

This kit includes sys_check Version 145. However, HP recommends that you visit the sys_check website to download and install the latest version of sys_check:

http://h30097.www3.hp.com/sys_check/

Support for the Latest Daylight Saving Time (DST) Changes

This kit updates the /etc/zoneinfo time zone data files to incorporate all changes as of (date of change) in time zones around the world, most notably the following:

Australia

The Australian provinces of Victoria, New South Wales, South Australia, Tasmania, and the Australian Capital Territory decided on harmonising and extending daylight saving arrangements from April 2008.

The Western Australia DST was incorporated starting 3 December 2006.

New Zealand

The New Zealand Government announced its decision to extend the DST starting September 2007. Clocks will go forward an hour a week earlier than usual, on the last Sunday in September, and back an hour on the first Sunday in April. The Act administered by the Department of Internal Affairs is detailed at:

http://www.dia.govt.nz/diawebsite.nsf/wpg_URL/Services-Daylight-Saving-Index?OpenDocument.

Venezuela

The Venezuelan government formalized the intention to change Venezuela timezone to GMT-4:30 effective on 9 December 2007 at 3 AM local time. Previously, the GMT offset Venezuela had been following was -4:00. It is now changed to -4:30.

The announcement can be found at:

http://www.abn.info.ve/go_news5.php?articulo=112279&lee=18.

Argentina

The Argentine government formalized the intention to change Argentine timezone effective on 30 December 2007 at 0 AM local time until 16 March 2008. Previously, Argentina did not have any DST plans for 2007-08.

The announcement can be found at:

http://www.telam.com.ar/vernota.php?tipo=N&idPub=87481&id=201230&sec=1&dis=1.

There are similar updates to the DST of Canada, Bahamas, Bermuda, Brazil, and Uruguay in V5.1B-5.

BIND Updated to Version 9.2.8

This kit replaces BIND Version 9.2.5 with BIND Version 9.2.8. BIND 9.2.8 fixes the security issues found in BIND 9.2.5.

Updated Tru64 UNIX Documentation on docs.hp.com

Starting with Tru64 UNIX V5.1B-5, the updated documents associated with the Tru64 UNIX release will be posted on HP's Technical documentation website http://docs.hp.com. The updated documentation for this release includes the HP Tru64 UNIX Release Notes for Version 5.1B-6 and the HP Tru64 UNIX and TruCluster Server Version 5.1B-6 Patch Summary and Release Notes documents.

The updated documentation for the Internet Express for Tru64 UNIX and the Advanced Server for UNIX (ASU) will also be posted on http://docs.hp.com.

The existing documentation for Tru64 UNIX is provided on the Documentation V5.1B CD, included with the Tru64 UNIX media kit.

The manuals for the current release, manuals and documentation sets from previous releases of Tru64 UNIX, TruCluster software, ASU, Internet Express, and other products, are also provided online from the following Tru64 UNIX Documentation website:

http://h30097.www3.hp.com/docs/

Standards Conformance

Tru64 UNIX continues to conform to the UNIX 98 and POSIX standards. Several important commands and system calls have been updated to conform to the changes in standards, including printf, pthread_mutexattr_getprotocol, and pwrite.

For more information, see the specific release notes for these commands and calls in the HP Tru64 UNIX and TruCluster Server Version 5.1B- Patch Summary and Release Notes, and the std_unix98 parameter of the sys_attrs_generic manpage.

New Keyword Added to sshd2_config Configuration File for sshd daemon

The new keyword, AuthInteractiveFailureRandomTimeout, adds a random delay to the existing AuthInteractiveFailureTimeout delay. For information on AuthInteractiveFailureTimeout, see the sshd2_config manpage.

The AuthInteractiveFailureRandomTimeout keyword can take a value from 0 to 100 (in seconds). The default is 2 seconds. To disable AuthInteractiveFailureRandomTimeout, specify a value of 0. When a non-zero value is specified for this keyword, a random number of milliseconds up to the number of seconds specified multiplied by 1000 is added to the server delay specified by AuthInteractiveFailureTimeout.

New Option to Ignore Processor Set Boundaries

A new optional command-line argument, -ignore_pset, has been added to the lockinfo command to solve issues related to processor-set boundaries. When this argument is passed, the lockinfo command ignores processor-set boundaries. However, it will honor the RAD (Resource Affinity Domain) set boundaries if the -rad option is used.

Support for Evaluating String Comparison Expressions as per POSIX Standards

The sh-posix built-in test is modified to evaluate string expressions as per the POSIX standard and can interpret "(" and "!" as operands in a string comparison operation.

To produce this POSIX compliant action, set the STDS_FLAG environment variable to ALL:

STDS_FLAG=ALL

If STDS_FLAG is not set or is set to NULL, the test function interprets "(" and "!" as operators in string comparison and reports an incorrect result. This was the default action before test was modified.

For example, consider a string comparison operation where "(" is passed as operand:

 	# test "(" = "abc" 

The following message is displayed:

 	sh: test: Specify a parameter with this command.

This message indicates that the test function has failed to interpret "(" as an operand. With the flag set, "(" and "!" will be treated as valid operands.

iconv Converter Supports Surrogate Pairs in Unicode

The iconv converter has been modified to fix the incorrect processing of surrogate pair characters in Unicode. To maintain compatibility, the new environment variable ICONV_OLD_SURROGATE is introduced. If this environment variable is set to a non-NULL value, the iconv converter behaves in the same manner as before; that is, it continues to produce wrong results for Unicode surrogate pairs.

New Sysconfig Tunable to Reduce Contention on AdvFS Frag Files

A new sysconfig tunable, AdvfsFragGroupDealloc, has been introduced to set the frag group deallocation policy for the AdvFS filesystem. Using this tunable, you can enable or disable the frag group deallocation policy. The default is enabled.

File operations such as rm and close, which release a single frag, can trigger the frag group deallocation process when a list of free frags is encountered. This process holds a lock while processing the frag group. Any other process or thread that tries to manipulate the same frag group experiences a hang due to lock contention. The hang lasts for the duration of the frag group processing. This situation arises when the frag file of a fileset is large and too many files are present with frag. The AdvfsFragGroupDealloc tunable helps in disabling the frag group deallocation, which reduces the lock contention on the frag file.

The AdvfsFragGroupDealloc tunable can be added to the /etc/sysconfigtab file, and a value can be assigned as per the desired frag group deallocation policy. Placing the tunable in the /etc/sysconfigtab file will make the value persist across system reboots. Alternatively, /sbin/sysconfig -r can be used to assign the value for the tunable. However, a value set this way does not persist across system reboots.

On a cluster this tunable must be set on all the cluster members.

New rc.config Variables to Hide User Process Arguments and Environmental Variables for ps and w Commands

By default, the ps command displays a process's arguments and the ps e command displays a process's environmental variables. You can prevent users from viewing the arguments and environmental variables of other users' processes. To hide user process arguments and variables, enable the variables in the /etc/rc.config.common file:

              # rcmgr -c set TBL_ARGUMENTS_DISABLE 1
              # rcmgr -c set TBL_ENVIRONMENT_DISABLE 1

However, root can always view the arguments and environmental variables of all users.

Similarly, the w command displays commands and their arguments. To prevent users from viewing commands and the arguments of other users' processes, enable the variable in the /etc/rc.config.common file:

              # rcmgr -c set TBL_ARGUMENTS_DISABLE 1

However, root can always view the arguments of all users.

Conformance to Open Group Standards

Set the STDS_FLAG environment variable to ALL so that pthread_mutexattr_getprotocol() conforms to the Open Group standard.

UNIX 98 Compliance with libc

Some libc functions from the printf, scanf, and streams family have been made to comply with UNIX 98 standards. These settings are enabled using the sys_attrs_generic variable, std_unix98. This variable (std_unix98) should not be set to the value of STD_UNIX98_ALL without consulting the Tru64 engineering team. For more information, see the sys_attrs_generic manpage.

Netstat Read Error on Structures in a Live System

When trying to read a structure, the netstat command displays the following message:

netstat: read from /dev/kmem: No such device or address

This can result from netstat reading structures that are dynamically undergoing change on a live system. This is a transient problem that will be reported to the user.

O_APPEND Flag has no Effect on Behaviour of pwrite()

The pwrite() system call has been modified to conform to UNIX98 standard behavior. The O_APPEND flag now has no effect on the behaviour of pwrite(). The sysconfig tunable pwrite_no_append (in the VFS subsystem) has to be set to 1 to enable this behavior.

smmsp User and Group Not Required for sendmail

The smmsp user, group, and the /usr/var/spool/clientmqueue directory were created as a future requirement for sendmail in the previous patch release v5.1B-4. Because sendmail is not smmsp enabled, the smmsp user, group, and /usr/var/spool/clientmqueue will no longer be required. It is recommended that you remove these items if they are not being used for any other purpose on the system, including an alternate sendmail implementation.

The following command deletes the clientmqueue directory tree:

    # rm -rf /usr/var/spool/clientmqueue

The following commands delete the smmsp user and group:

    # userdel smmsp
    # groupdel smmsp

NOTE: Check the root directory and delete the clientmqueue directory, the user, and group related to the root directory for the patch kit install as follows:

    # chroot $_ROOT /sbin/rm -rf /usr/var/spool/clientmqueue
    # chroot $_ROOT /usr/sbin/userdel smmsp
    # chroot $_ROOT /usr/sbin/groupdel smmsp

where $_ROOT is the alternate root directory.

Possible Performance slowdown of Oracle 8.1.7 after Tru64 UNIX Rebranding

When kernel profiling and auditing were run on Oracle, under Version 5.1B-3, Asynchronous I/O + Direct I/O calls were seen. However, in Version 5.1B-4 and higher versions, no Asynchronous I/O + Direct I/O calls (other than AIO setup calls) were seen.

If this behaviour is seen on your system, you can modify /etc/sysconfigtab under generic to change:

     version_banner = HP Tru64 UNIX
     version_avendor = HP
     version_vendor = Hewlett-Packard Company

to

     version_banner = Compaq Tru64 UNIX
     version_avendor = COMPAQ
     version_vendor = Compaq Computer Corporation

Then reboot the system and check the Oracle performance.

Version 5.1B-5 or Higher Kit Requires Uninstallation of Internet Express System Authentication LDAP Module (IAELDAMXXX)

The Version 5.1B-5 or higher patch kit installation fails if the Internet Express System Authentication LDAP Module (IAELDAMXXX) is installed on the system. To install the Version 5.1B-5 or higher patch kit, perform the following steps:

  1. Uninstall Internet Express System Authentication LDAP Module (IAELDAMXXX). For example:

    setld -d IAELDAMXXX

    where XXX stands for the IAELDAM version.

  2. Install the Version 5.1B-5 or higher patch kit.

  3. Install Internet Express System Authentication LDAP Module (IAELDAMXXX). For example:

    setld -l IAELDAMXXX

    where XXX stands for the IAELDAM version.

IBM Tivoli Storage Manager (TSM) client problems fixed

The following issues with running the IBM Tivoli Storage Manager (TSM) are fixed in the current version:

  • The TSM client performs full backups rather than incremental backups.

  • The TSM client skips files, giving errors indicating the files were changed during the backup process, even when those files were not modified.

Enhancements Introduced in Prior Kits

The following sections describe some of the key features and enhancements that were first delivered in previous patch kits.

Enhanced Cluster Interconnect Extended to 100 KM

This release provides support for Enhanced Distance Clusters. An Enhanced Distance Cluster is a cluster in which the interconnect has been extended up to 100 km using a gigabit LAN Ethernet connection. An Enhanced Distance Cluster provides basic high availability services in the event of the loss of a single component. However, it does not include all of the high availability services provided by TruCluster Server. See Appendix A for information about setting up and configuring an Enhanced Distance Cluster.

Cluster Cloning Offers Alternative to No-Roll Patching

This kit provides a new installation method, generically referred to as cloning, using a new tool named dupclone. The process consists of two primary steps:

  • Creating an exact duplicate of an existing system on an alternate set of disk drives.

  • Using dupclone to install the patch kit to the alternate disk set. After completion, the system can immediately be rebooted using the alternate disks.

See the Patch Installation Instructions document and the new dupclone(8) reference page for information about using dupclone. See “dupclone Error Message Can Be Ignored” for information about a message you may see when using dupclone.

Link Aggregation Extended to Cluster LAN Interconnects

This kit provides enhanced support for link aggregation (LAG) by extending it to cluster LAN interconnects. It does this by decreasing the latency associated with time critical Interconnect Communication Subsystem (ICS) remote procedure calls and by increasing the available bandwidth of the LAN interconnect, thereby allowing increased interconnect throughput.

Latency is improved through multiple active interfaces decreasing queue sizes (link aggregation) and through the separation of ICS channels that prefer low latency from channels that require high bandwidth.

Throughput is improved from multiple active interfaces decreasing queue sizes.

The primary goal is to distribute cluster component channel traffic among the interfaces that form part of the link aggregation group.

These changes are implemented with the following three new sysconfigtab attributes, which configure the interfaces and create the LAG set:

ics_tcp_lag0

Configures a LAN interface to be part of the LAG set.

ics_tcp_lag_dist

Specifies the lag traffic distribution algorithm for a LAG interface.

ics_tcp_lag_serv_weights

Based on this value, the channel traffic for an ICS channel is distributed over the LAG interface.

CAUTION: Do not modify the default value of these attributes unless instructed to do so by support personnel.

The following restrictions apply to the use of these attributes:

  • Supported only on DEGPA (alt), DEGXA (bcm), and DE60x (ee) network interface cards (NICs).

  • Supported only on Ethernet (802.3 CSMA/CD) links.

  • NetRAIN virtual interfaces cannot be included in link aggregation groups.

  • Ports must be operating in full duplex mode.

  • Ports in the same link aggregation group must operate at the same data rate.

  • Ports in a link aggregation group must be attached to the same system, either server-to-server or server-to-switch.

Link aggregation enables system administrators to combine two or more physical Ethernet Network Interface Cards (NICs) and create a single virtual link. Upper-layer software sees this link aggregation group as a single virtual interface, for example, lag0.

The single virtual link can carry traffic at higher data rates than a single interface because the traffic is distributed across all of the physical ports that make up the link aggregation group.

For more information, see the Tru64 UNIX Technical Overview and the Network Administration: Connections manual. For tuning and configuration information, see the lag(7), lagconfig(8), sys_attrs_ee(5), sys_attrs_lag(5), and inet_local(4) reference pages.

NetRAIN over LAG Supported

With this release, it is now possible to run NetRAIN over link aggregation (LAG).

Previously, you could not simultaneously use NetRAIN for redundant network devices and LAG (trunking) on the same network cards. Although the use of LAG provided redundancy, it could not provide a redundant switch solution because all devices must be connected to the same switch.

With the installation of this kit, you can run NetRAIN over LAG; that is, have two or more LAG trunk groups contained within a NetRAIN set. Although only one LAG group will be active at one time, the benefit is that it allows the use of redundant switches with a high bandwidth LAG group.

To configure this support, first create your LAG groups, then place each group (lag0, lag1) into a newly configured NetRAIN set. Refer to the lagconfig(8) and nr(7) reference pages for details.

Support Provided for 2007 Changes to U.S. Daylight Saving Time

This kit updates the /etc/zoneinfo time zone data files to incorporate the most recent changes in various time zones around the world, most notably the US Daylight Saving Time (DST) rule changes that were passed into law on August 8, 2005 and take effect in 2007.

That law moves the start of DST from the first Sunday of April to the second Sunday of March. It moves the return to Standard Time from the last Sunday of October to the first Sunday of November. These changes affect all US time zones and a number of other North American time zones in other countries as well.

BIND Updated to Version 9.2.5

This kit replaces the current version of BIND (V8.2.2) with BIND Version 9.2.5. (See the “Commands Must Be Run on BIND Systems After Kit Installation” sections for information about BIND actions to take when installing this kit.) This new version from the Internet Software Consortium represents a major rewrite of nearly all aspects of the underlying BIND architecture. Some of the important features of BIND 9 are:

  • DNS Security

    • DNSSEC (signed zones)

    • TSIG (signed DNS requests)

  • IP version 6

    • Answers DNS queries on IPv6 sockets

    • IPv6 resource records (AAAA)

  • DNS Protocol Enhancements

    • IXFR, DDNS, Notify, EDNS0

    • Improved standards conformance

  • Views

    • One server process can provide multiple views of the DNS namespace, for example, an “inside” view to certain clients, and an “outside” view to others.

  • Multiprocessor Support

  • Improved Portability Architecture

Library Calls for Fibre Channel HBA Added

This kit provides a wrapper library and an HBA-specific library for the Emulex adapter, which conforms to the T11 FC-HBA (T11/1568-D Revision 14) specification.

The purpose of this specification is to provide a host bus adapter (HBA) programming interface for Fibre Channel management applications to gather information about devices in the network in a vendor-neutral way through a set of Application Programming Interfaces (APIs). As a result of this neutrality, applications do not depend on the platform they run on or on a specific HBA, and therefore will not need to be rewritten.

This kit supports the following APIs:

  • HBA_GetVersion

  • HBA_LoadLibrary

  • HBA_FreeLibrary

  • HBA_RegisterLibraryV2

  • HBA_GetWrapperLibraryAttributes

  • HBA_GetVendorLibraryAttributes

  • HBA_GetNumberOfAdapters

  • HBA_RefreshInformation

  • HBA_RefreshAdapterConfiguration

  • HBA_GetAdapterName

  • HBA_OpenAdapter

  • HBA_CloseAdapter

  • HBA_GetAdapterAttributes

  • HBA_GetAdapterPortAttributes

  • HBA_GetDiscoveredPortAttributes

  • HBA_GetPortAttributesByWWN

  • HBA_GetPortStatistics

  • HBA_GetBindingCapability

  • HBA_GetBindingSupport

  • HBA_SetBindingSupport

  • HBA_GetFcpTargetMapping

  • HBA_GetFcpTargetMappingV2

  • HBA_GetFcpPersistentBinding

  • HBA_SendScsiInquiry

  • HBA_ScsiInquiryV2

  • HBA_SendReportLUNs

  • HBA_ScsiReportLunsV2

  • HBA_SendReadCapacity

  • HBA_ScsiReadCapacityV2

For information about each of these APIs, see the Storage Management HBA API (SM-HBA) standard (T11/1695-D) available at the www.t11.org website:

http://www.t11.org/ftp/t11/pub/sm/hba/06-382v1.pdf

The API information is listed under FC-HBA Function Calls.

New Cluster Command Sends ping Packets over TCP

A new TruCluster Server command, clu_ping, sends ping packets over the TCP layer rather than the Internode Communication Subsystem (ICS) layer on clusters with LAN as the interconnect. By default, ping packets are sent over the ICS layer.

For information about using this command, see the clu_ping(8) reference page delivered in this kit.

sendmail Server Updated to Version 8.13.6

The sendmail server has been updated from Version 8.11.1 to Version 8.13.6. Key changes to the sendmail configuration file (sendmail.cf) include the following:

  • The local mailer program, bin/mail, has been changed to /usr/sbin/mail.local

  • The default database format has been changed from dbm to btree

  • An additional security option has been added to the imap deliver program

  • The IPC Mailer argument has been changed to TCP

The Version 8.13.6 sendmail server provides advanced features, including the following:

  • Masquerading

  • Virtual domain hosting

  • Restricted relaying

  • Milter functionality

NOTE: These features can be configured only with the sendmail provided with the HP Tru64 Internet Express Software distribution.

A new account, smmsp, is created as part of the sendmail installation process. This account is required for future enhancements of sendmail.

You can find information about sendmail Version 8.13.6 as follows:

  • The sendmail.org website: http://sendmail.org/.

  • The sendmail documentation provided with the HP Tru64 Internet Express Software distribution.

  • The book Sendmail by Bryan Costales and Eric Allman, published by O'Reilly & Associates, Inc.

The sendmail v8.13.6 reference pages were not updated in this release.

AdvFS Utilities Improved for Working with Metadata Files

The AdvFS vods utilities (nvbmtpg, nvlogpg, nvtagpg, nvfragpg, and vsbmpg) have been improved and enhanced to make them more useful when working with AdvFS metadata files. New options have been added and some existing options have been improved. Review the revised reference pages included in this kit before using these enhanced tools.

mountd Daemon Gets New Port-Selection Option

A new option to the mountd daemon lets you specify a port number for mountd to bind to.

Currently, when mountd starts, it takes an arbitrary port number, which is different every time you boot your system. As a result, some applications may fail because the port numbers for the applications are defined in /etc/services and mountd may use one of them.

By using the new mountd -p option, you can force mountd to bind to the specified port number instead of using the random port number. For example:

# mountd -p 1024

For more information, see the revised mountd(8) reference page that is installed with this kit.

envmond Daemon Modified to Use EVM Events

The envmond daemon has been modified to allow it to use EVM events instead of the hwmgr command to determine the environmental status of the system. On systems with many sensors, this improvement may reduce or eliminate previously seen performance problems.

By default, envmond is configured to use the hwmgr command (the poll method) for environmental monitoring. To configure envmond to use EVM events, set the envconfig ENVMON_MODE variable to event as follows:

# envconfig -c ENVMON_MODE=event

Because threshold values in event mode cannot be set for individual sensors, EVM events are generated only when existing hardware thresholds are exceeded. If you need to monitor individual sensors at thresholds different from the hardware thresholds, use the new envconfig ENVMON_POLL_SENSORS variable in conjunction with the hwmgr command. For example:

# envconfig -c ENVMON_POLL_SENSORS="58:59"

To then set the warning threshold for the sensor with ID 58 to 50.0 degrees Celsius, enter the following command:

# /sbin/hwmgr -set attr -id 58 -a warning_threshold=500

To set the fault action for the sensor with ID 58 to noshutdown:

# /sbin/hwmgr -set attr -id 58 -a fault_action=noshutdown

By specifying this set of commands, envmond uses the poll method for sensors 58 and 59 and the EVM event method for the rest of the sensors.

For more information, see the revised envconfig(8) reference page that is installed with this kit.

aha_chim Driver Problem Corrected

This kit corrects the following problems found in the aha_chim driver:

  • The driver would fail to issue a “Bus Reset” instruction when a Bus Device Reset fails to complete for any reason other than a Bus Reset. With the installation of this kit, when a Bus Device Reset fails, a Bus Reset will be issued in order to clear and reset the target.

  • The driver would fail to report the correct event identifier in the error entry of the binary error log when the error condition was caused by the target using an invalid tag ID, thereby resulting in an incorrect diagnosis of the problem. For example, an entry of the following type:

    Event information: Adapter requested initialization, caller ID = 10

    should have been:

    Event information: Adapter requested initialization, caller ID = 74

Command Option Now Provides Additional EMX Driver Information

After installing this kit, issuing the following command for an EMX adapter will return the hardware revision, firmware revision, SAN address, and full duplex flag attributes:

# hwmgr -get att

New EMX Subsystem Attribute Turns on LLER for Tape I/O

This release provides a new attribute, erp_ller, to the EMX subsystem that allows you to turn on Link Level Error Recovery (LLER) for tape I/O. When enabled, the Emulex adapter attempts to successfully complete I/O that would have otherwise failed due to a link error. If the adapter is unable to successfully complete the I/O, the I/O will be returned with an appropriate error.

Setting erp_ller to a value of 1 enables this feature. It is turned off by default due to issues seen with network storage routers and their handling of device resets. Command timeout errors may be returned if a device reset is issued when Link Level Error Recovery is enabled.

If you are experiencing failed tape I/O due to link issues, you can enable this feature and see if it helps.

To view the current setting of the attribute use the following command:

# sysconfig -q emx erp_ller

For more information, see the revised emx(7) reference page delivered in this kit.

Kernel Attributes Protect Against ICMP Security Vulnerability

A new kernel attribute delivered in this kit, icmp_tcpseqcheck, and an existing attribute, icmp_rejectcodemask, can protect your system against potential Internet Control Message Protocol (ICMP) security vulnerabilities. This release note describes these attributes and provides background information on the security issues. For information about setting these attributes, see the revised sys_attrs_inet(5) reference page delivered in this kit.

An overview of these attributes follows:

  • icmp_tcpseqcheck

    Mitigates ICMP attacks against the Transmission Control Protocol (TCP) by checking that the TCP sequence number contained in the payload of the ICMP error message is within the range of the data already sent but not yet acknowledged. An ICMP error message that does not pass this check is discarded. This behavior protects TCP against spoofed ICMP packets.

  • icmp_rejectcodemask

    A bitmask that designates the ICMP codes that the system should reject. The icmp_rejectcodemask attribute can be used to reject any ICMP packet type, or multiple masks can be combined to reject more than one type.

    In the Requirements for Internet Protocol (IP) Version 4 Routers (RFC 1812), research suggests that the use of ICMP Source Quench packets is an ineffective (and unfair) antidote for congestion. HP therefore recommends using the icmp_rejectcodemask attribute to ignore ICMP Source Quench packets.

The ICMP type codes are in /usr/include/netinet/ip_icmp.h.

The ICMP (RFC 792) is used in the Internet Architecture to perform fault-isolation and recovery (RFC 816), which is the group of actions that hosts and routers take to determine if a network failure has occurred.

The industry standard TCP specification (RFC 793) has a vulnerability whereby ICMP packets can be used to perform a variety of attacks such as blind connection reset attacks and blind throughput-reduction attacks:

  • Blind connection reset attacks can be triggered by an attacker sending forged ICMP "Destination Unreachable, host unreachable" packets or ICMP "Destination Unreachable, port unreachable" packets.

  • Blind throughput-reduction attacks can be caused by an attacker sending a forged ICMP type 4 (Source Quench) packet.

Path MTU Discovery (RFC 1191) describes a technique for dynamically discovering the MTU (maximum transmission unit) of an arbitrary internet path. This protocol uses ICMP packets from the router to discover the MTU for a TCP connection path. An attacker can reduce the throughput of a TCP connection by sending forged ICMP packets (or their IPv6 counterpart) to the discovering host, causing an incorrect Path MTU setting.
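The sequence-number check described above for icmp_tcpseqcheck can be sketched as follows. This is an added example, not HP's kernel code: the tcp_conn_state structure, its snd_una and snd_max fields, the function names, and the sample packet are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical per-connection send state (names are assumptions):
 * snd_una = oldest sequence number sent but not yet acknowledged,
 * snd_max = one past the highest sequence number sent so far. */
struct tcp_conn_state {
    uint32_t snd_una;
    uint32_t snd_max;
};

enum icmp_verdict { ICMP_ACCEPT = 0, ICMP_DROP_MALFORMED = 1, ICMP_DROP_SEQ = 2 };

/* Sequence-space comparisons that stay correct across 32-bit wraparound. */
static int seq_lt(uint32_t a, uint32_t b)  { return (int32_t)(a - b) < 0; }
static int seq_geq(uint32_t a, uint32_t b) { return (int32_t)(a - b) >= 0; }

/* Read a big-endian (network order) 32-bit value. */
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/*
 * payload/len: the bytes that follow the 8-byte ICMP header of an error
 * message, that is, the quoted IPv4 header plus at least the first 8 bytes
 * of the quoted TCP header (RFC 792). The caller is assumed to have already
 * matched the quoted addresses and ports to the connection described by c.
 */
enum icmp_verdict icmp_tcp_seq_check(const uint8_t *payload, size_t len,
                                     const struct tcp_conn_state *c)
{
    size_t ihl;
    uint32_t seq;

    if (len < 20 || (payload[0] >> 4) != 4)
        return ICMP_DROP_MALFORMED;          /* not a quoted IPv4 header */
    ihl = (size_t)(payload[0] & 0x0f) * 4;   /* header length in bytes */
    if (ihl < 20 || len < ihl + 8)
        return ICMP_DROP_MALFORMED;          /* quoted TCP bytes truncated */
    if (payload[9] != 6)
        return ICMP_DROP_MALFORMED;          /* quoted protocol is not TCP */

    /* The sequence number sits at offset 4 of the quoted TCP header. */
    seq = rd32(payload + ihl + 4);

    /* Accept only if the quoted segment is data still in flight:
     * snd_una <= seq < snd_max. With nothing in flight, nothing passes. */
    if (seq_geq(seq, c->snd_una) && seq_lt(seq, c->snd_max))
        return ICMP_ACCEPT;
    return ICMP_DROP_SEQ;
}

/* Constructed sample: minimal quoted IPv4 header plus first 8 TCP bytes. */
size_t build_quoted_tcp(uint8_t *buf, uint32_t seq)
{
    memset(buf, 0, 28);
    buf[0] = 0x45;                     /* IPv4, 20-byte header */
    buf[9] = 6;                        /* protocol = TCP */
    buf[20] = 0x04; buf[21] = 0x00;    /* source port 1024 (constructed) */
    buf[22] = 0x00; buf[23] = 0x50;    /* destination port 80 (constructed) */
    buf[24] = (uint8_t)(seq >> 24);
    buf[25] = (uint8_t)(seq >> 16);
    buf[26] = (uint8_t)(seq >> 8);
    buf[27] = (uint8_t)seq;
    return 28;
}

int main(void)
{
    /* In-flight window that wraps around the 32-bit sequence space. */
    struct tcp_conn_state c = { 0xFFFFFF00u, 0x00000100u };
    uint32_t samples[] = { 0xFFFFFF80u, 0x00000080u, 0x00000100u, 0x80000000u };
    uint8_t pkt[28];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t n = build_quoted_tcp(pkt, samples[i]);
        printf("seq 0x%08lx -> verdict %d\n", (unsigned long)samples[i],
               (int)icmp_tcp_seq_check(pkt, n, &c));
    }
    return 0;
}
```

A forged ICMP error has to quote a sequence number inside the in-flight window to pass, which a blind sender cannot observe.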

caa_relocate Command Improved

The caa_relocate -s source_member command now allows the relocation of a specific resource from the source_member.

The command caa_relocate -s source_member resource_name will relocate the application resource resource_name only if it is running on the source_member. Otherwise it will return an error message.

See the revised caa_relocate(8) reference page delivered in this kit for more information.

collect Utility Improved in Several Ways

The collect utility has been enhanced to support a new -c option, which when specified instructs collect to gather local and remote I/O access statistics for disk and tape devices as seen by the Device Request Dispatcher (DRD) cluster subsystem in a TruCluster Server environment.

The collect utility has also been modified to enable it to support long device names.

The collect(8) reference page has been revised to reflect these changes.

Environment Variable Improves btcreate Kernel Build

This kit provides the means to allow the btcreate command to build the kernel with all options.

Currently, if the kernel built with the current system configuration exceeds the firmware limit, btcreate will remove all options except DVDFS and CDFS. If the newly built kernel with CDFS and DVDFS also fails, btcreate then builds a kernel with mandatory options alone.

To build a kernel with all options, run btcreate by setting the following environment variable:

BTCREATE_MODE=VER-1-1

See the revised btcreate(8) reference page delivered in this kit for more information.

New Variable Aids Performance of AdvFS Administration Commands

A new rc.config variable, ADVFSD, lets you control the boot time invocation of the advfsd daemon. This daemon is not necessary unless you are running the AdvFS graphical interface dtadvfs. Preventing advfsd from starting results in better performance of AdvFS administration commands. See “Stopping Daemons May Speed Administration Performance” for more information about this problem.

The following list provides information on using the ADVFSD variable to disable and enable the advfsd daemon on different types of systems:

  • Run the following command to disable the advfsd daemon at boot time on a stand-alone system:

    # /usr/sbin/rcmgr set ADVFSD "no"
  • Run the following command on any cluster member to disable the advfsd daemon at boot time on all members of a cluster:

    # /usr/sbin/rcmgr -c set ADVFSD "no"
  • Run the following command to enable the advfsd daemon at boot time on a stand-alone system:

    # /usr/sbin/rcmgr delete ADVFSD
  • Run the following command on any cluster member to enable the advfsd daemon at boot time on all members of a cluster:

    # /usr/sbin/rcmgr -c delete ADVFSD

New ftpd Command Option Prevents Login Delays

A new option to the File Transfer Protocol server daemon (ftpd -n) can prevent login delays and time-outs in an environment where host name resolution is sluggish. It does this by disabling reverse lookups of remote host names.

This option is documented in the revised ftpd(8) included in this kit.

New Features Added to kdbx Debugger

The kdbx command has been enhanced in several ways:

  • A new cluster alias extension, clua, has been added to provide information about cluster aliases.

  • New options, -s and -v, have been added to the netstat extension to expand its usefulness:

    • The -s option, when used alone, displays protocol statistics for all configured interfaces. When used with the -i option, -s displays interface statistics for all configured interfaces.

    • The -v option displays verbose information (including hardware addresses) about all interfaces that are configured on a system.

  • A new option, -p, has been added to the inpcb extension to display process ID (PID) information for each connection.

The revised kdbx reference page included in this kit describes the new clua cluster alias extension and the other new options.

Modified rmvol Utility Allows Multiple Volume Removal

Modifications to the AdvFS rmvol utility now allow it to accept more than one volume for removal on the command line. In the following example, rmvol removes three volumes from a domain:

# rmvol dsk5b dsk3a dsk4a rmvol_dmn1
rmvol: Removing 3 volume(s) from domain 'rmvol_dmn1'
rmvol: Removing volume '/dev/disk/dsk5b' from domain 'rmvol_dmn1'
rmvol: Removed volume '/dev/disk/dsk5b' from domain 'rmvol_dmn1'
rmvol: Removing volume '/dev/disk/dsk3a' from domain 'rmvol_dmn1'
rmvol: Removed volume '/dev/disk/dsk3a' from domain 'rmvol_dmn1'
rmvol: Removing volume '/dev/disk/dsk4a' from domain 'rmvol_dmn1'
rmvol: Removed volume '/dev/disk/dsk4a' from domain 'rmvol_dmn1'
rmvol: Removed 3 volume(s) from domain 'rmvol_dmn1'

Also, the new rmvol -s option performs a free-space check before beginning rmvol operations. If calculations determine that not enough free space will be available for the complete migration of all data for all volumes requested for removal, rmvol will fail before migrating any data. Upon failure, the amount of free space needed for complete migration of all data is displayed. For example:

 # rmvol -s dsk1a dsk3b test
rmvol: Removing 2 volume(s) from domain 'test'
rmvol: Not enough free space for complete migration of all volumes
requested for removal.
     Free space needed:    65592K
     Free space available: 46296K
rmvol: Can't remove 2 volume(s) from domain 'test'

See the revised rmvol(8) reference page included in this kit for more information and additional examples.

New disklabel Command Option Expands Partitions

A new option to the disklabel command lets you extend a partition that is currently in use. This option, -F, is used with the -e option as follows:

# /sbin/disklabel -e -F disk

For more information, see the revised disklabel(8) reference page included in this kit.

Commands Modified to Conform to POSIX Standard

The following Tru64 UNIX commands have been modified to conform to the POSIX standard. For most of these commands, the modified action is initiated by using a new environment variable, STDS_FLAG.

  • awk

  • cp

  • ex

  • chmod

  • edit

  • find

  • rm

  • uucp

  • uudecode

  • vi

The following sections describe the changes to these commands.

Changes to ex, edit, and vi

The ex, edit, and vi (vedit/view) commands have been modified so the POSIX compliant shell, /usr/bin/posix/sh, is the default shell when the SHELL environment variable is not set or is set to NULL.

Prior to this fix, vi and ex did not have a command line interpreter when the SHELL environment variable was set to NULL.

Setting STDS_FLAG to ALL produces the following POSIX compliant behavior:

If C or S is entered in command mode and more than part of a single line is affected, then vi saves the affected text in numeric buffers.

Changes to awk and nawk

The awk and nawk commands have been modified to interpret numbers and the equal sign (=) as text strings when specified as arguments to “program text.”

To produce this POSIX compliant action, set the new STDS_FLAG to ALL:

STDS_FLAG=ALL

When STDS_FLAG is set to ALL, variable names that do not begin with an alphabetic character or underscore are considered invalid.

If STDS_FLAG is not set or is set to NULL, awk interprets this use of numbers and the equal sign as numeric strings when specified as arguments to “program text.” This was the default action before these commands were modified.

Changes to chmod

The chmod command has been modified to force it to consider the umask when the who(ugoa) argument is not specified.

To produce this POSIX-compliant action, set the new STDS_FLAG to ALL:

STDS_FLAG=ALL

If STDS_FLAG is not set or is set to NULL, chmod does not consider the umask value while changing to the permissions specified. This was the default action before chmod was modified.

Changes to cp

The cp command has been modified to enable compliance to the following POSIX requirements:

  • When the -i and -f options are used together the -f should not disable a previous -i (that is, turn off prompting).

  • When the -f is set and the target file cannot be opened for writing, cp unlinks the target file.

To produce this POSIX-compliant action, set the new STDS_FLAG to ALL:

STDS_FLAG=ALL

If STDS_FLAG is not set or is set to NULL, when the -i and -f options are used together the one specified last takes effect. This was the default action before cp was modified.

Changes to ex

The ex command has been modified to return 1 as an exit status when a read-only option with write fails.

To produce this POSIX-compliant action, set the new STDS_FLAG to ALL:

STDS_FLAG=ALL

If STDS_FLAG is not set or is set to NULL, ex will return 0 as an exit status when a read-only option with write fails. This was the default action before ex was modified.

Changes to find

The find command has been modified to not treat a hyphen (--) as special if it is the first argument. Instead, it ignores the hyphen and lists the file containing the hyphen.

To produce this POSIX-compliant action, set the new STDS_FLAG to ALL:

STDS_FLAG=ALL

If STDS_FLAG is not set or is set to NULL, find will treat the first hyphen as special and exit with an error. This was the default action before find was modified.

Changes to rm

The rm command has been modified to handle an excessive depth of files. Even if the pathname is longer than PATH_MAX by multiple times, rm will delete the directory with all its subdirectories and exit with value 0.

To produce this POSIX-compliant action, set the new STDS_FLAG to ALL:

STDS_FLAG=ALL

When STDS_FLAG is not set or is set to NULL, rm will not delete files when the pathname exceeds the PATH_MAX value. This was the default action before rm was modified.

Changes to uucp

The uucp command has been modified so it can create a regular file when a directory with the same name already exists.

To produce this POSIX-compliant action, set the new STDS_FLAG to ALL:

STDS_FLAG=ALL

If STDS_FLAG is not set or is set to NULL, when uucp attempts to create a regular file with the same name as an existing directory, the attempt fails and the file attributes are not changed. This was the default action before uucp was modified.

Changes to uudecode

The uudecode command has been enhanced to recognize symbolic file mode.

For example, consider a case in which an editor was used to modify the first line of a source file of an encoded file from this:

begin 744 example.en

to this:

begin u=rwx,go=r example.en

The modified uudecode command would recognize the symbolic mode and create the file example.en.

To produce this POSIX-compliant action, set the new STDS_FLAG to ALL:

STDS_FLAG=ALL

If STDS_FLAG is not set or is set to NULL, uudecode will recognize only absolute file mode. This was the default action before uudecode was modified.

New Generic Subsystem Attribute Corrects UNIX98 Standards Violations

A new tunable system attribute, std_unix98, has been added under the generic subsystem to cause the waitpid( ) and poll( ) system calls to conform to UNIX98 standard behavior.

See the revised sys_attrs_generic(5) reference page delivered in this kit for more information. Refer to the standards(5) reference page for more information about industry standards and associated tags.

waitpid() System Call

Prior to the installation of this kit, the waitpid() system call failed to conform to the following UNIX98 requirement:

A call to pid_t waitpid(pid_t pid, int *stat_loc, int options) when

  • the calling process has SA_NOCLDWAIT set or has SIGCHLD set to SIG_IGN and

  • has no unwaited-for children that were transformed into zombie processes

shall block until all of its children terminate, fail, and set errno to ECHILD.

The new std_unix98 attribute enables waitpid( ) to conform to UNIX98 standard behavior.

For example, consider a situation in which a calling process has multiple children and no unwaited-for child zombie and you call waitpid( ) with a specific child PID:

  • If you set std_unix98=1 or std_unix98=4, waitpid( ) blocks until all of its children terminate (UNIX98 standard behavior).

  • If you set std_unix98=0, waitpid( ) blocks until any of its children exits.

poll() System Call

Prior to the installation of this kit, the poll() system call failed to conform to the following UNIX98 requirement:

When no priority band has been written to on this STREAM, then a successful call to int poll(struct pollfd fds[], nfds_t nfds, int timeout) shall examine each element of the fds array for instances where the POLLWRBAND flag is set in the events member and data for a priority band greater than 0 can be written to the file descriptor specified by the fd member without blocking and shall set the POLLWRBAND flag in the corresponding revents member when found.

When no writes have taken place on any of the priority bands, a call to poll( ) blocks, then times out and returns failure.

The poll( ) system call has been modified so if you need standards-compliant behavior, you can use the new std_unix98 attribute.

If std_unix98 is set to a value of either 1 or 2, then the UNIX98_POLLWRBAND bit (defined as a macro in the /usr/sys/include/sys/param.h file) gets set, which results in the internal processing becoming indifferent to whichever external mapping of POLLWRBAND is in play. By default, this bit in std_unix98 is not set, so poll( ) will behave the same way as it does today.

See the revised poll(2) reference page delivered in this kit.

New I/O Subsystem Attributes Can Improve Booting Speed

Three new I/O subsystem attributes control path registration during the boot process, allowing systems with multiple paths to a large number of devices to boot faster. The following list provides a brief description of these attributes. For additional information and settings, see the revised sys_attrs_io(5) reference page delivered in this kit.

  • boot_wait_hwc_reg

    When disabled, causes a boot to the login prompt without waiting for hwc path registrations.

  • hwc_reg_cmplt_notify_type

    Controls how you get notified when device registration is done.

  • hwc_registration_complete

    Provides a query to determine if hwc path registration is complete.

By default, booting will wait for all hwc registrations to be completed. However, you can force the boot process to complete to the login prompt earlier by changing boot_wait_hwc_regs to 0. In either case hwc_registration_complete can be queried. This will be set to 1 as soon as registration is complete. In addition, you can also choose to receive a console message, an EVM event, or both when all paths have registered.

To get the biggest speed improvement when booting, you can elect to finish booting without waiting for path registration, which is not needed to access the storage subsystem (for example, an Oracle® database). However, if you do this, you temporarily have an incomplete hierarchy view from the commonly run hwmgr command.

Each of the following actions can help you determine when to run the hwmgr command in order to see the complete hierarchy:

  • Enable the EVM notification option, log in, and start evmwatch to look for the EVM event, although the EVM event could have already occurred by the time you log in.

  • Enable the console log message notification option and look in the messages file for the message.

  • Query sysconfig to ensure the I/O hwc_registration_complete attribute is set before proceeding. This action can be used regardless of how you set the notification option.

New Attributes Added to NFS and RPC Subsystems

Several new tunable attributes have been added to the NFS server subsystem, nfs_server, the NFS client subsystem, nfs, and the Remote Procedure Call (RPC) subsystem, rpc. Previously, the configurations produced by these attributes could only be changed by using the dbx command. Now, you can easily use and modify these kernel subsystem configurations with the sysconfig command.

The following list provides a brief description of these new attributes. For more information about setting the attributes, see the new sys_attrs_nfs(5) reference page delivered in this kit.

  • nfs_server:

    • nfs_write_gather and nfs3_write_gather

      Improves NFS V2 and V3 performance by gathering several write requests, performing a single sync, and sending all of the replies.

    • nfs_ufs_lbolt and nfs3_ufs_lbolt

      Enables or disables a delay when NFS V2 and NFS V3 returns writes. This attribute affects write gathering for all file systems (not just UFS) for NFS V2 and V3.

  • nfs:

    • nfs_cto

      Enables or disables Close-To-Open (CTO) consistency to reduce the number of client caches that provide applications with stale NFS data.

    • nfs_quicker_attr

      Enables or disables synchronous cache flush.

    • nfs3_broken_lookup

      Controls the frequency of console messages related to an NFS V3 problem on some servers where a file lookup would return erroneous data for the parent directory.

    • do_client_readdirplus

      Enables or disables the operating system from issuing the readdirplus procedure.

    • nfs3_maxreadahead

      Controls the number of outstanding read-aheads.

    • nfs3_readaheads

      Controls the number of read-aheads for NFS V3.

  • rpc:

    • use_fastsend

      Enables or disables the optimization of client and server code used by NFS over UDP.

    • use_fastroute

      Enables or disables improved fastsend optimization that affects the NFS server.

New cam Attribute Controls Path Usage

A new attribute, cam_ccfg_aa_enable, has been added to the cam subsystem to control preferred path usage.

When enabled, this attribute utilizes the target port group information from the storage controller to determine the optimal paths and use these optimal paths for I/O access. When disabled, all paths to that device are used.

Active-active asymmetric storage controllers may incur a performance penalty when accessed on non-optimal paths.

For more information, including setting this attribute, see the revised sys_attrs_cam(5) reference page delivered in this kit.

LSM hot-sparing Improved

The Logical Storage Manager (LSM) command volwatch has been enhanced to improve LSM hot-sparing, which proactively replaces plexes that are based on failing storage devices and recovers their data.

Now when hot-sparing is performing a recovery, it will avoid using a plex that it is relocating — unless it has no other choice.

New Option Changes Configuration File Used by aliasd Daemon

A new option, custom_gated, has been added to the cluamgr command to change the configuration file used by the aliasd daemon.

You can cause aliasd to use the file /etc/gated.conf instead of /etc/gated.conf.memberX as the gated configuration file and restart gated in either of the following ways:

  • Specify the cluamgr command as follows:

    # cluamgr -r gated,custom_gated,start
  • Modify the /etc/rc.config.common file by specifying the following command:

    # rcmgr -c set CLUAMGR_ROUTE_ARGS "gated,custom_gated"

    After running the rcmgr -c command, restart network services by running the rcinet command on all cluster nodes:

    # rcinet restart

For more information about the custom_gated option, see the revised cluamgr(8) reference page included in this kit.

fsdb Utility Now Operates on File System Image

The fsdb utility is now capable of operating on a file system image as well as a special file. The name argument will first be processed as a special file; should that fail, it will be processed as a regular file. To avoid conflict, an optional f argument will force the name argument to be processed only as a regular file. See the revised fsdb(8) reference page delivered in this kit.

sendmail Log Problem Corrected

This kit corrects a problem with sendmail registration as a PSM (Process Set Manager) process. EVM would incorrectly log the following statements when sendmail was stopped or started or restarted:

PSM instance pid exited in category _unknown_ on node nodename
PSM instance pid created in category
_unknown_ on node nodename

Where pid is the process ID of the sendmail daemon and nodename is the host where sendmail runs.

The sendmail program now correctly registers itself with the PSM and the same is reflected in log records.

New Tunable Attribute Corrects NetRAIN Failover Problem

A new tunable attribute fixes a NetRAIN failover problem that occurs in a “quiet” network. In a two interface NetRAIN set, if the current active interface goes down, the secondary (backup) interface fails to become the new primary (active) interface. To correct this problem, set the new nr_use_link_state attribute as follows:

# sysconfig -r netrain nr_use_link_state=1

For information about this attribute, see the revised sys_attrs_netrain(5) reference page delivered in this kit.

New Attribute Controls Tape Driver Path Control

A new cam tape subsystem attribute, enable_preferred_path, lets you control preferred path behavior for a tape driver. Enabling this attribute (1) causes the tape driver to assign different paths to different tape drives. The default (0) disables preferred path behavior. The revised sys_attrs_cam(5) reference page delivered in this kit describes the enable_preferred_path attribute.

A problem may exist when using preferred path behavior when you use a no-rewind tape device. If the application is not expecting the tape to change position between a previous tape close and a subsequent tape open, the data already on the tape may be lost with the next write command, possibly resulting in unusable backups. This problem only occurs when a system has multiple initiators.

The following steps will prevent this problem from occurring:

  • Before performing a backup, reserve the device and lock down the path as follows:

    # mt -f /dev/ntape/tape0 reserve
  • After performing the backup, release the device and unlock the path as follows:

    # mt -f /dev/ntape/tape0 release

pr Command Behavior Now Works as Described in Reference Page

The pr command has been modified to handle the i [character] [gap] option (which replaces multiple space characters with tab characters) so that it performs as documented in the pr(1) reference page.

Kit's Session Log Made More Useful

If you view the session log for this release, you may notice that it is smaller than it has been in the past. We edited this file to remove non-essential information that the system generates automatically.

Sys_Check Version 143 Provided

This kit includes Sys_Check Version 143. However, HP recommends that you visit the sys_check website to download and install the version there if it is more recent than Version 143:

http://h30097.www3.hp.com/sys_check/

New Variables Protect Against Attack

This kit provides two new kernel tunable variables, tcp_rst_win and tcp_syn_win, to protect systems against potential vulnerabilities called TCP RST attack and TCP SYN attack. For more information, see “Potential Security Vulnerability Identified” and a revised sys_attrs_inet(8) reference page, which is installed with this kit.

New fuser Option Aids Query Search

A new option, -a, has been added to the fuser command to expand a query to search all cluster members. See the fuser(8) reference page for more information.

New /etc/printcap Option Provided

This kit provides a new boolean /etc/printcap option, sr, to suppress the reprinting of jobs under conditions that indicate to the print daemon that a reprint is needed. The syntax for this entry is similar to that of the sh (suppress header) option.

You can use this option to suppress an unexpected or unneeded reprinting of jobs that are completed but are reprinted a second time due to miscommunication between the printer and the print daemon.

Be aware that if you set this option, incomplete jobs that trigger reprint conditions will not reprint.

A fix to remote job reprinting that this patch kit provides can trigger reprints which, under conditions previously described, do not appear to be needed.

Support for the Name Services Switch Added

The Name Service Switch (NSS) has been added to Tru64 UNIX as a replacement for the svc.conf database service selection. The NSS provides a more extensible database service selector and supports a dynamic list of databases. Using the NSS allows you to add LDAP as a source for netgroup data.

Configuring the NSS converts entries from the /etc/svc.conf file into entries for the /etc/nsswitch.conf file. The /etc/svc.conf file is then only used for pre-nsswitch statically-built applications and sendmail. For more information about this feature, see nssetup(8), nsswitch(4), and nss2svc(8).

New Hardware Support

This patch kit provides the following new hardware support.

Support for 64 Processor AlphaServer GS1280 Systems

This patch kit provides support for AlphaServer GS1280 systems configured with 64 processors.

Support for AlphaServer and AlphaStation DS15 Systems

The AlphaServer/AlphaStation DS15 3U Systems include:

  • Alpha 1 GHz CPU with 2 MB onboard ECC cache

  • 512-MB, 1 GB, or 2 GB SDRAM memory - expandable to 4 GB

  • Onboard dual 10/100 BaseT Ethernet ports

  • Four 64-bit PCI expansion slots

  • Onboard Ultra160 SCSI controller

HP StorageWorks FCA2384

Support has been added for the FCA2384 - 2 GB, 64-Bit/133 MHz PCI-X-to-Fibre Channel Host Bus Adapter.

Production Version of Motif 2.1 Provided

This kit replaces the Motif 2.1 Advanced Developer's Kit (ADK) with a production version of Motif 2.1. This new version will be supported in future Version 5.1B releases. The production version of Motif 2.1 will also be available for downloading from the Web.

Protection Against Buffer Overflow Exploitation Added

This kit provides a security feature to prevent the execution of instructions that reside in heap or other data areas of process memory. The result is additional protection against buffer overflow exploits. This feature is similar in concept to Tru64 UNIX executable stack protection.

This feature is implemented as a dynamic sysconfig tunable variable, executable_data, in the proc subsystem. The supported settings allow system administrators to cause requests from privileged processes for writable and executable memory to fail, or to be treated as a request for writable memory, and to optionally generate a message when such a request occurs.

In a buffer overflow exploitation, an attacker feeds a privileged program an unexpectedly large volume of carefully constructed data through inputs such as command line arguments and environment variables. If the program is not coded defensively, the attacker can overwrite areas of memory adjacent to the buffer.

Depending upon the location of the buffer (stack, heap, data area), the attacker can deceive these programs into executing malicious code that takes advantage of the program's privileges or alter a security-sensitive program variable to redirect program flow.

With some expertise, such an attack can be used to gain root access to the system.

Enabling the executable_data tunable changes a potential system compromise into, at worst, a denial-of-service attack. A vulnerable program may still contain a buffer overflow, but an exploit that writes an instruction stream into the buffer and attempts to transfer control to those instructions will fail, because memory protection will prohibit instruction execution from that area of memory.

Many applications never execute from the memory even though they unnecessarily request write-execute memory directly or as a result of an underlying function acting on their behalf. By substituting writable memory for the requested write-execute memory, the executable_data tunable allows such applications to benefit from the additional protection without requiring application modification. See sys_attrs_proc(5) for more information.

Before enabling executable_data (changing it from the default value of 0), you must run the /usr/sbin/javaexecutedata script. Otherwise, privileged Java™ applications will fail in unpredictable ways. See javaexecutedata(8) for more information.

NOTE: The Java language interprets byte code at runtime. Unless marked as exempt, privileged applications written in Java will receive an error when they attempt to execute instructions residing in the unexecutable memory. The manner in which these errors are handled is application-specific and thus unpredictable. This is why you must run the /usr/sbin/javaexecutedata script before you enable executable_data.

The following example demonstrates the failing behavior to expect for a privileged process if executable_data is set to 53 but runs the /usr/sbin/javaexecutedata script. Other Java applications run with privilege may exhibit different (but still failing) behavior.

# java -classic -jar SwingSet2.jar 
Process 1185 Invalid write/execute mmap call denied.
Process 1185 Invalid write/execute mmap call denied.
Process 1185 Invalid write/execute mmap call denied.
(...) 
Process 1185 Invalid write/execute mmap call denied.
Process 1185 Invalid write/execute mmap call denied.
**Out of memory, exiting**

The following example demonstrates the failing behavior to expect for a privileged process if executable_data is set to 37 but runs the /usr/sbin/javaexecutedata script. Other Java applications run with privilege may exhibit different (but still failing) behavior.

# java -classic -jar SwingSet2.jar
Process 1185 Invalid write/execute mmap call modified. 
Process 1185 Invalid write/execute mmap call modified.
(...) 
Process 1185 Invalid write/execute mmap call modified. 
Process 1185 Invalid write/execute mmap call modified.
Process 1185 Invalid write/execute mmap call modified.
SIGSEGV   11*  segmentation violation 
(...) 
Abort (core dumped)

Certain privileged Pascal programs may also fail when executable_data is enabled. Such programs should also be marked as exempt, using the new chatr utility as follows:

$ chatr +ed enable priv_pascal_executable
  current values:
     64-bit COFF executable 
     execute from data: disabled   
  new values: 
     64-bit COFF executable
     execute from data: enabled

See chatr(1) for information about the chatr utility.
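
A user-space C model of the two reactions visible in the transcripts above ("denied" and "modified"), added here as an illustration and not taken from HP's kernel or documentation. The names wx_policy, policy_mmap, data_only_caller and exec_caller_outcome are hypothetical, and EACCES as the error for a denied call is an assumption of the model.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* for MAP_ANONYMOUS on glibc */
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

/* Hypothetical policy names for the two reactions seen in the transcripts. */
enum wx_policy { WX_DENY, WX_MODIFY };

/* A request violates write-xor-execute when it asks for both at once. */
int wx_violation(int prot)
{
    return (prot & PROT_WRITE) && (prot & PROT_EXEC);
}

/*
 * Map len bytes of anonymous memory under the given policy.
 * *granted receives the protection actually applied (0 on failure).
 * ASSUMPTION: EACCES for a denied request is a choice of this model.
 */
void *policy_mmap(size_t len, int prot, enum wx_policy pol, int *granted)
{
    void *p;

    *granted = 0;
    if (wx_violation(prot)) {
        if (pol == WX_DENY) {
            errno = EACCES;
            return MAP_FAILED;
        }
        prot &= ~PROT_EXEC;    /* WX_MODIFY: substitute writable memory */
    }
    p = mmap(NULL, len, prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p != MAP_FAILED)
        *granted = prot;
    return p;
}

/*
 * A caller that asks for write-execute memory but only stores data in it.
 * Returns 0 when it keeps working, -1 when its allocation fails.
 */
int data_only_caller(enum wx_policy pol)
{
    static const char sample[] = "constructed sample data";
    int granted, ok;
    char *buf = policy_mmap(4096, PROT_READ | PROT_WRITE | PROT_EXEC,
                            pol, &granted);

    if (buf == MAP_FAILED)
        return -1;
    memcpy(buf, sample, sizeof sample);
    ok = memcmp(buf, sample, sizeof sample) == 0;
    munmap(buf, 4096);
    return ok ? 0 : -1;
}

/*
 * A caller that intends to execute from the region (as a runtime that
 * generates code would). Returns -1 when the allocation fails, 1 when the
 * region is mapped but not executable (a jump into it would fault), and
 * 0 when the region is executable.
 */
int exec_caller_outcome(enum wx_policy pol)
{
    int granted;
    void *code = policy_mmap(4096, PROT_READ | PROT_WRITE | PROT_EXEC,
                             pol, &granted);

    if (code == MAP_FAILED)
        return -1;
    munmap(code, 4096);
    return (granted & PROT_EXEC) ? 0 : 1;
}

int main(void)
{
    printf("data-only caller, modify: %d\n", data_only_caller(WX_MODIFY));
    printf("data-only caller, deny:   %d\n", data_only_caller(WX_DENY));
    printf("exec caller, modify:      %d\n", exec_caller_outcome(WX_MODIFY));
    printf("exec caller, deny:        %d\n", exec_caller_outcome(WX_DENY));
    return 0;
}
```

In this model a denied request surfaces as an allocation failure, while a modified request succeeds and only fails once the caller tries to execute from the region, which is consistent with the two different endings of the transcripts above.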

Enhancements to pmgrd Daemon and collect Utility

Patches in this kit provide enhancements to the performance manager metrics server daemon, pmgrd, and the collect utility.

Performance Manager Metrics Server Daemon (pmgrd)

The following features have been added to pmgrd:

  • Support for monitoring the disk I/O rates.

    Enables pmgrd to provide details on disk I/O rates, such as the average number of bytes transferred per second and the average number of transfers completed per second over the past 1 minute, 5 minutes, 30 minutes, and 60 minutes.

  • Support for monitoring the AdvFS statistics.

    Enables pmgrd to provide the following types of details on AdvFS file systems:

    • The domain name

    • The fileset name

    • Number of files and blocks

    • Soft and hard limits of files

    • Soft and hard limits of blocks

    • The status of user and group quotas

    • Grace time and fileset clone information

    It can also provide AdvFS volume details such as available blocks, percentage of volume used, I/O consolidation mode, and the number of read/write blocks. The new MIB file pmAdvfs.mib has been added to provide these statistics.

    The collect utility displays these new AdvFS statistics. (See “New Features Added to collect Utility”).

As a result of the improvements made to pmgrd, we recommend that you use the SysMan Menu to manage AdvFS file systems rather than the dtadvfs graphical user interface and the advfsd daemon. To use SysMan Menu, select Storage - File System Management Utilities - Advanced File System (AdvFS) Utilities. You can also enter the following command:

# sysman advfs

See pmgrd(8) for more details.

New Features Added to collect Utility

The following features have been added to the collect utility, which is updated from Version 2.0.0 to 2.0.5:

  • AdvFS monitoring capability. (See “Enhancements to pmgrd Daemon and collect Utility” for a list of AdvFS metrics that are monitored.)

    Enables collect to report AdvFS volume I/O queue and fileset vnode operation statistics. You can specify the domain or fileset to be monitored, using the -A option.

  • Viewing CPU and memory metrics on a per Resource Affinity Domain (RAD) basis.

    When run on a NUMA platform, enables collect to automatically retrieve CPU and memory metrics for each RAD.

See collect(8) for more details.

File System Management Applications Enhanced

Enhancements to the SysMan Menu file system management applications delivered in this patch kit significantly improve their performance.

New Control Option for /usr/sbin/audit_tool Command

This kit provides the following new control option for the /usr/sbin/audit_tool command:

# /usr/sbin/audit_tool -. [path]

This option causes audit_tool to use [path] for the archive/recovery directory that contains archived audit logs, thereby overriding the directory specified in the audit log, which by default is /var/audit.

Change to envmond Improves Performance on Some Systems

This patch kit modifies the Environmental Monitoring daemon, envmond, to improve performance on systems with many sensors.

With the default monitor period of envmond (ENVMON_MONITOR_PERIOD), systems having a large number of sensors may experience a performance degradation. The changes to envmond address this problem by polling sensors at a lower frequency.

Release Notes Introduced in Prior Kits

The release notes in this section were included in previous patch kits.

Authentication Choice Affects sftp Transfer Rate

The performance of secure FTP (sftp) is always lower than that of ftp because of the authentication and encryption involved in sftp communication. The transfer rate of sftp depends on the type of authentication it employs. You can achieve a better transfer rate by choosing the Message Authentication Code (MAC) algorithm hmac-md5 for authentication, but at the cost of security. The default MAC is hmac-sha1, which is more secure than hmac-md5. See sftp(1) for information about secure FTP and ssh2_config(4) for information about supported MACs and ciphers.

Tru64 UNIX Rebranding Results in File Changes

As a consequence of the rebranding of Tru64 UNIX from the Compaq name to HP, the following files have changed:

  • version.abbrev_vendor from COMPAQ to HP

  • version.banner from Compaq Tru64 UNIX to HP Tru64 UNIX

  • version.vendor from Compaq Computer Corporation to Hewlett-Packard Company

The .mrg..sysconfigtab file has been modified to incorporate these changes into the generic sysconfig subsystem in the /etc/sysconfigtab file.

If the rebranding of HP Tru64 UNIX version information impacts any applications or layered products, you can manually change generic system version attributes. See the sysconfigtab(4) and sys_attrs_generic(5) reference pages for more information on how to modify generic system version attributes.

Insight Manager Components Dump Core

Some Insight Manager components included in Tru64 UNIX Version 5.1B-4, such as cpq_mibs and the config_hmmod and sysman_hmmod daemons, may core dump during reboots.

You can correct this problem by installing the latest version of the Insight Manager. At the time Version 5.1B-4 was released, the most current Insight Management Agents kit was Version 3.6. You can download this version from the HP Insight Management Agents for Tru64 UNIX website:

http://h30097.www3.hp.com/cma/

If you have not installed Version 3.7 and the Insight Manager processes do not run after rebooting your system, restart them using the Insight Manager startup scripts.

Autoloader Firmware Upgrade Changes WWID

A firmware upgrade to v1.50 or N14r on the 1x8 Autoloader causes the WWID to change. As a result, the existing device associated with the media changer is no longer accessible. For complete details see the Customer Advisory available at:

http://h30097.www3.hp.com/unix/erp/c00753663.html

Some Smart Array Errors May Not Be Recoverable

When booting your system you may see a message similar to the following:

Smart Array at ciss(1) not responding - disabled.

A system reboot may be able to re-enable the hardware. If that does not work, you need to call Field Service and have the unit repaired.

Do Not Use dxarchiver to Verify Bootable Tape

Do not use the dxarchiver command to verify a bootable tape. Instead, use the mt and restore commands as follows:

# mt fsf 1
# restore -i <device>

The first command skips the first file on the tape.

When preparing for a btcreate session, verify the size of the file system to ensure that you have sufficient tape volumes, depending on the maximum storage capacity of your tape device. The btcreate command prompts you to load a new tape volume if it runs out of storage space. Label the tapes in sequence.

securenets File Requires localhost Entry

If the /var/yp/securenets file is in use as part of NIS, it must contain the following localhost entry:

255.255.255.255     127.0.0.1

If the /var/yp/securenets file is used without a localhost entry you will see severe delays on logins. See ypserv(8) for more information.

SIA sialog Use Limitation Required

The Security Integration Architecture (SIA) sialog logging process is only intended for use in debugging SIA problems. It should not be enabled for extended periods of time. Doing so can cause login delays or other problems.

Use the audit subsystem to monitor authentications on the system, not the sialog process.

To disable sialog debug logging, delete the /var/adm/sialog file. For more information, see the sialog(4) and sia_log(3) reference pages and the Tru64 UNIX Security Programming manual.

Note that when used in a TruCluster Server cluster, the sialog file is a cluster-wide file.

Change to executable_data Attribute Requires Running Script

Prior to setting the tunable attribute executable_data to a non-zero value, you must run the following script:

# /usr/sbin/javaexecutedata

Potential Security Vulnerability Identified

The industry standard TCP specification, RFC 793, has a vulnerability in which an attacker can reset established TCP connections using the TCP RST (Reset) or SYN (Synchronize) flags.

These packets need to have source and destination IP addresses that match the established connection as well as the same source and destination TCP ports.

The fact that TCP sessions can be reset by sending suitable RST and SYN packets is a design feature of TCP. According to RFC 793, an RST or SYN attack is only possible when the source IP address and TCP port can be forged (also called spoofed). In that case TCP sessions, including Telnet, SSH, SFTP and HTTP may be disconnected without warning. TCP sessions that have been disconnected can be re-established.

Normally, a TCP SYN packet (request for a new connection) that arrives on a server using a matching IP address, port number, and matching sequence number for an existing connection causes a TCP RST packet to be returned to the client. An attacker can guess the proper sequence number, along with the port and IP addresses, to cause an existing connection to be terminated with a TCP RST.

When a client is rebooted without closing an old connection to the server, a subsequent attempt to connect to the server that matches the old connection tuple and sequence number will require a TCP RST in order to purge the old (stale) connection.

HP has addressed these potential vulnerabilities, called TCP RST attack and TCP SYN attack, by providing two new kernel tunable variables, tcp_rst_win (TCP RST window) and tcp_syn_win (TCP SYN window).

These variables mitigate the TCP reset attack by reducing the window sizes in which a TCP RST/SYN packet will be accepted by the Tru64 UNIX system.

The attributes for these variables are described in a revised sys_attrs_inet(5) reference page included in this kit.

After the patch kit is installed, you can adjust the variables using the sysconfig and sysconfigdb commands, as described in the following sections.

Adjusting the tcp_rst_win Variable

You can adjust the TCP RST window variable, tcp_rst_win, as follows:

# sysconfig -q inet tcp_rst_win
  inet:
  tcp_rst_win = -1

# sysconfig -r inet tcp_rst_win=2048
  tcp_rst_win: reconfigured

# sysconfig -q inet tcp_rst_win
  inet:
  tcp_rst_win = 2048

# sysconfig -q inet tcp_rst_win > /tmp/tcp_rst_win_merge

# sysconfigdb -m -f /tmp/tcp_rst_win_merge inet

# sysconfigdb -l inet
  inet:
  tcp_rst_win = 2048

Adjusting the tcp_syn_win Variable

You can adjust the TCP SYN window variable, tcp_syn_win, as follows:

# sysconfig -q inet tcp_syn_win
  inet:
  tcp_syn_win = -1

# sysconfig -r inet tcp_syn_win=2048
  tcp_syn_win: reconfigured

# sysconfig -q inet tcp_syn_win
  inet:
  tcp_syn_win = 2048

# sysconfig -q inet tcp_syn_win > /tmp/tcp_syn_win_merge

# sysconfigdb -m -f /tmp/tcp_syn_win_merge inet

# sysconfigdb -l inet
  inet:
  tcp_syn_win = 2048
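
The window reduction described above, as an added C model that is not HP's kernel code: it shows how a cap such as tcp_rst_win or tcp_syn_win narrows the range of sequence numbers in which a RST or SYN is accepted, including the case where the range wraps past 2^32. The function names, the 65535-byte receive window, and the treatment of values of 0 or less as "no cap" are assumptions of this model; see sys_attrs_inet(5) for the actual attribute semantics.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Effective acceptance window, in bytes, for an incoming RST or SYN.
 * ASSUMPTION of this model: a tunable value of 0 or less (the page shows
 * -1 before reconfiguration) applies no cap, and a positive value caps
 * the connection's receive window rcv_wnd.
 */
uint32_t effective_win(uint32_t rcv_wnd, int32_t tunable)
{
    if (tunable <= 0 || (uint32_t)tunable > rcv_wnd)
        return rcv_wnd;
    return (uint32_t)tunable;
}

/*
 * Returns 1 when seq lies in [rcv_nxt, rcv_nxt + win), 0 otherwise.
 * The unsigned subtraction is performed modulo 2^32, so the test stays
 * correct when the window straddles the sequence-number wrap.
 */
int segment_in_window(uint32_t seq, uint32_t rcv_nxt,
                      uint32_t rcv_wnd, int32_t tunable)
{
    uint32_t win = effective_win(rcv_wnd, tunable);

    return (uint32_t)(seq - rcv_nxt) < win;
}

/*
 * Exposure metric for a defender: 2^32 / win, rounded up. One sequence
 * value in this many is acceptable, so a larger result means a forged
 * segment is less likely to be accepted. Returns 0 for a zero window,
 * where nothing is accepted.
 */
uint64_t one_in_n_accepted(uint32_t rcv_wnd, int32_t tunable)
{
    uint32_t win = effective_win(rcv_wnd, tunable);

    if (win == 0)
        return 0;
    return ((UINT64_C(1) << 32) + win - 1) / win;
}

int main(void)
{
    const uint32_t rcv_wnd = 65535;           /* constructed sample value */
    const int32_t settings[] = { -1, 2048 };  /* the two values on the page */
    unsigned i;

    for (i = 0; i < sizeof settings / sizeof settings[0]; i++)
        printf("tunable=%5d  window=%5lu bytes  accepted: 1 in %llu\n",
               (int)settings[i],
               (unsigned long)effective_win(rcv_wnd, settings[i]),
               (unsigned long long)one_in_n_accepted(rcv_wnd, settings[i]));
    return 0;
}
```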

Modification to Changer Driver May Affect Some Applications

As a side effect of resolving issues with multiple access to the changer, the changer driver now requires a short period of exclusive access to the changer device as part of opening the device. For applications that have several threads or processes accessing a single changer simultaneously, this can result in waits for access to the changer device in the process of an open call. That wait can be lengthy as some changer commands can have long response times.

In general this behavioral change will not affect the overall throughput to a changer device, as this wait would have occurred at the time of any I/O (for example, IOCTLS) to the changer.

If having the changer wait in this fashion presents a problem, the old behavior can be approximated by passing either the O_NONBLOCK or O_NDELAY flags at the open of the changer device. In that case the open is partially delayed, so the first actual I/O (usually an IOCTL) may incur the wait.

Data Sorting of Audit Records May Be Required on Single CPU System

The net_tcp_stray_packet, net_udp_stray_packet, and net_tcp_rejectd_conn network events are handled by the audit subsystem differently from other auditable events. As a result, these events may be placed into the audit log out of order with respect to other events.

Previously, the sorting of audit data on single CPU systems was unnecessary. This changed, however, when the capability for auditing these network events was introduced. Now, to view these network events in order with respect to other events, you must sort the data on a single CPU system. To do this, use the audit_tool -S command.

new_wire_method Tunable Attribute Retired

The tunable attribute new_wire_method has been retired. After you install this kit, setting new_wire_method to either 0 or 1 will no longer affect your system.

Stopping Daemons May Speed Administration Performance

When using AdvFS administration commands, the advfsd and smsd daemons rescan filesets, domains and volumes for system information. Depending on the number of filesets, domains, and volumes, you may experience a pause — sometimes quite long — between the commands.

If you experience this performance degradation, you may want to stop advfsd (required for dtadvfs, the AdvFS graphical user interface) and smsd (required for SysMan Station) daemons before running multiple AdvFS administration commands.

See “New Variable Aids Performance of AdvFS Administration Commands” for information on disabling the advfsd daemon at boot time.

To temporarily stop the daemons enter the following commands:

# /sbin/init.d/advfsd stop 
# /sbin/init.d/smsd stop  

To restart the daemons enter the following commands:

# /sbin/init.d/advfsd start 
# /sbin/init.d/smsd start  

sendmail Application Size/Length Limits Can Cause Problems

When upgrading older releases of sendmail, be aware that the 5.1B version of sendmail has MIME header/content marker size limits and message header length limits. These limits have been added to stop a Denial of Service (DoS) attack on the sendmail server. The values default to the following:

MIME Header Length Size = 2048 characters
MIME Content Marker Size = 1024 characters

The MaxHeadersLength value is the maximum message header length allowed and its size can be installation dependent (the value defaults to 8192 bytes).

Some legacy applications may be affected by this security addition if the application is sending mail messages with long lines of text and no new-line markers. These limitations may cause sendmail to insert a carriage return at these boundaries.

To revert back to the old sendmail behavior, do the following:

  1. Verify the V2/Digital header line is in the /var/adm/sendmail/sendmail.cf file. If the line is there, proceed to step 2. If it's not there, add it above the # predefined line. For example:

    # vi sendmail.cf
    
    
    ############################################################
    V2/Digital  
    
    ## predefined
  2. Add the following lines to the /var/adm/sendmail/sendmail.cf file:

    O MaxMimeHeaderLength=0/0
    O MaxHeadersLength=-1/-1
  3. Restart sendmail.

Increasing RDG max_objs Value Recommended

For certain applications where Oracle instances are running in a cluster and Memory Channel is used as the interconnect, console messages of “rdg: out of objects” may occur.

Tuning the sysconfigtab value max_objs (under the rdg subsystem) can eliminate these messages. We recommend doubling your current value.

Because this parameter is not dynamic, you can only change it by modifying the sysconfigtab file and rebooting your system. After doing this, observe your cluster to see if the messages have been eliminated.

You can set this value to a maximum of 50,000.

Reboot May Resolve Problem with Smart Array Controller

If a problem with your Smart Array controller generates the following message, try rebooting your system:

Smart Array at ciss(1) not responding - disabled.

If the reboot does not re-enable the hardware, you will need to call your HP support representative to have the unit repaired.

Additional Steps for IPsec Connections

This kit fixes a potential security vulnerability in IP security (IPsec). If you have one or more IPsec connections configured on your system, you need to ensure that you have restricted access to each IPsec connection based on the identity of the remote hosts. You can accomplish this after installing this kit by starting the IPsec SysMan configuration tool from the command line:

# sysman ipsec

Once you have started SysMan, you will need to modify the configuration of each IPsec and IKE connection to add the identity of the remote hosts that are allowed to connect.

You enter this information on the third dialog box you see during the connection configuration wizard; the dialog box is titled “Manage IPsec: Add/Modify Connection: IKE Proposal.” Although you can leave the “Restrict To The Following Remote IDs” list empty, doing so will mean that any identity given to the local machine by the remote hosts will be considered valid as long as they send the correct certificate or preshared key.

Potential NFS Duplicate Request Cache Scalability Limitation with High Loads and Uncharacteristic File Access Behavior on Clustered NFS Servers

Repeated simultaneous overwriting of many files can cause retransmitted writes to be processed after recent writes of a file to the same location. This problem occurs more often on systems configured with a LAN cluster interconnect than on those configured with Memory Channel.

This behavior is inherent in the "stateless" design of NFS. Although the behavior has been mitigated via a "duplicate request cache" that replays old replies instead of reexecuting retransmitted requests, extremely heavy loads on large systems can overwhelm the cache when requests are stalled. Customers are unlikely to see problems because applications rarely rewrite files almost immediately.

If the problem occurs, the NFS server displays the following message several times a minute on the system console, indicating that the NFS server is being overwhelmed with requests:

"NFS server xxx not responding"

When an "overwhelmed duplicate request cache" condition has occurred, the NFS client will display multiple occurrences of either of the following messages:

NFS3 server xxx not responding still trying
NFS3 server xxx ok

NFS2 server xxx not responding still trying
NFS2 server xxx ok

This indicates that the client is observing transient unresponsive periods at the server. This is the only notification that the client will display if the server's duplicate request cache becomes overwhelmed. When the client detects this behavior, it increases the retransmission interval until it gets a response from the server. This behavior is generally indistinguishable from the server going up and down, except that the messages are displayed with such frequency that the server system/member cannot have gone down and then come back up in that short an interval.

You can minimize the likelihood of these problems as follows:

  • Avoid congestion on your LAN and cluster interconnect.

  • Ensure your servers have enough excess capacity to respond quickly to NFS requests that modify the file system (writes, file and directory creation, and so forth).

  • Increase the size of the server's duplicate request cache when the nfsstat command shows a large number of retransmits to clients. For instructions on increasing the size of the cache, see “Tuning the NFS Server Duplicate Request Cache”.

You can monitor the number of NFS retransmissions using the nfsstat -c command. The retrans field indicates the number of retransmissions. A retransmission rate higher than 2% indicates a potential problem.

The following example shows the output from the nfsstat -c command. The retransmission fields are marked with asterisks (*). This example is of a client workstation in a typical environment.

% nfsstat -c
Client rpc:
tcp: calls      badxids    badverfs   timeouts   newcreds
     0          0          0          0          0
     creates    connects   badconns   inputs     avails     interrupts
     0          0          0          0          0          0
udp: calls      badxids    badverfs   timeouts   newcreds   *retrans*
     224518870  959        0          101985     0          0
     badcalls   timers     waits
     102013     110894     0
Client nfs:
     calls      *retrans*  badcalls   nclget     nclsleep   ndestroys  ncleans
     224414222  4248       28         224414282  0          6219       224408063

If an overwhelmed duplicate request cache condition occurs, we recommend you perform one or more of the following tasks:

  • Ensure that there are short periods of idle time on the I/O subsystem and network links.

  • After a file is written, do not rewrite it for a few minutes.

  • Delete and recreate files instead of overwriting the same file repeatedly.

  • Use Memory Channel cluster interconnect.

To avoid overwhelming the duplicate request cache:

  • Do not run hundreds of simultaneous processes that write files.

  • Do not operate the system under so heavy a load that NFS operations frequently take several seconds to complete.

Use the netstat command to determine if your network is saturated. For Ethernet networks, a high number of collisions indicates that the network may be saturated. The following example shows the output from the netstat -I tu0 command:

Name  Mtu   Network  Address         Ipkts      Ierrs  Opkts      Oerrs  *Coll*
tu0   1500  <Link>   xx:xx:xx:xx:xx  840386045  0      254319298  5121   5014223
tu0   1500  network  client          840386045  0      254319298  5121   5014223
tu0   1500  DLI      none            840386045  0      254319298  5121   5014223

Tuning the NFS Server Duplicate Request Cache

The NFS server maintains a list of recently completed non-repeatable requests. This list is used to reply to client retransmissions of the request in the event that the initial request transmission's reply was lost or that the server took too long to satisfy the request.

Problems may occur with the duplicate request cache in some cases, under heavy NFS server load and over high aggregate network bandwidth involving changes to file systems (changes caused by the use of the creat, link, unlink, mkdir, rmdir, truncate, utimes, and write commands). These problems can occur if all the elements in the duplicate request cache are cycled between an initial client transmission and subsequent retransmission. If this occurs, the NFS server cannot detect that the retransmission is in fact a retransmission. This may result in the repetition of a request and may cause out-of-order writes or truncation and subsequent retruncation of a file.

This patch kit provides a tuning variable, nfs_dupcache_size, to control the size of the NFS server's duplicate request cache, which is measured in the number of elements that are allocated at NFS server initialization.

If it is determined that the size of the duplicate cache needs to be modified, you should change nfs_dupcache_size. The new value for nfs_dupcache_size should be set to equal two times the value of nfs_dupcache_entries.

You must use the dbx command to modify nfs_dupcache_size. There is no sysconfig interface to this tuning variable.

Performance of hwmgr Commands on Large System Configurations

On large system configurations, certain hwmgr commands may take a long time to run and can produce voluminous output. For example:

  • On a system connected to a large storage area network, the hwmgr -view devices command can take a long time to begin displaying output, because it must first select devices from all of the hardware components in the system and then retrieve, format, and sort the output report.

  • On a maximally configured AlphaServer GS1280 system with highly interconnected storage, the hwmgr -view hierarchy command generates thousands of lines of output.

The output from these commands is gathered and sorted in memory before the report begins to be displayed. In a system with hundreds or thousands of attached storage units, the processing stage can take several minutes and you will not see any output during that time.

When using the command hwmgr -view devices -cluster, the time can be even longer and the size of the report can be larger because in most clustered configurations, mass storage devices are reported by every member and thus appear multiple times in the generated report. Therefore, you may need to relax the memory limits for the process running the command, because with such a large number of devices in the configuration, the system may be unable to gather all of the data with the default memory limit.

We recommend that you run commands that generate large reports in the background (for example, in a batch job) and save their output into a file or set of files for subsequent examination or historical comparison.

LSM Spin Lock Issue

A patch in this kit addresses a spin lock issue in the LSM kernel that may occur under extremely heavy I/O loads on multiprocessor systems.

To reduce the need for certain spin locks in the kernel I/O code, you can set a new sysconfigtab variable, Max_LSM_IO_PERFORMANCE, to 1 (the default is 0). Doing this will increase LSM I/O performance if it is found that performance is degraded because of a highly contentious spin lock.

Note that using this spin lock performance feature reduces some of the debugging statistics that are normally maintained.

In order to use this feature, you must allow at least one LSM I/O daemon (voliod). The voliod daemon was changed to prevent the number of LSM kernel I/O daemons from being set to zero if this spin lock performance feature is turned on.

As a result of this change, the following voliod command produces an error and the number of LSM kernel I/O daemons remains unchanged:

# voliod -f set 0
lsm:voliod: ERROR: VOL_IO_DAEMON_SET failed: Permission denied

Possible Problem when Processing Many Command Parameters

When running commands or scripts that must process a large number of command parameters, your system may hang or you may see an error similar to this: /sbin/ls: arg list too long.

If this occurs, try rerunning the command or script after entering the following command to relax the command-line limits:

# sysconfig -r proc exec_disable_arg_limit=1

This kernel setting should not be used as a default. It should only be enabled when encountering a problem where the exec() argument size limit has been approached.

You can also use the xargs command to break a long argument list into smaller lists. For more information, see the xargs(1) reference page.

Loading Firmware from a BOOTP Server

The fwupgrade command has been modified to allow the specified firmware update image to be loaded from a BOOTP server in a connected network. This process must use the bootpd daemon.

Create a symbolic link from the shipping location of bootpd to the expected location:

# ln -s /usr/opt/obsolete/usr/sbin/bootpd /usr/sbin/bootp

You must manually create the bootptab file on the server. The following is an example of how to set up the bootptab file on the server for this procedure:

# Example bootptab file for BOOTP support

.default1:\
:hd=/install/firmware:\
:sm=255.255.255.0\
:gw=16.69.255.1:

# 
tab:tc=.default1:ht=ethernet:ha=08002b86f234:ip=16.69.222.42:
bobafett:tc=.default1:ht=ethernet:ha=0008c73a5a47:ip=16.69.222.48:

#

In this example, the directory /install/firmware was created on the bootp server. This directory must contain the firmware of the systems to be updated. The file names must match the entry on the fwupgrade command line. The firmware files must have read permissions, that is, 444.

You must edit the inetd.conf file so that the file name passed by fwupgrade is found by the console firmware. Edit the tftp line in the /etc/inetd.conf file on the bootp server to look like the following:

tftp   dgram   udp  wait root /usr/sbin/tftpd tftp -r /install/firmware

Enable bootpd to start by removing the comment symbol (#) from the beginning of the following line in the /etc/inetd.conf file:

bootps dgram   udp  wait root /usr/sbin/bootpd  bootpd

See the fwupgrade(8), bootptab(4), and bootpd(8) reference pages for more information.

Changes to tar, pax, and cpio Behavior

When extracting or listing an archive using the tar, pax, or cpio commands, specifying a slash (/) at the end of an argument will cause the command to act upon the directory and not the contents of the directory. For example:

# tar xvf filename.tar dir1/

When creating an archive with these commands, specifying multiple slashes will result in the placement of one slash for any directory entry in the archive header. Previously, specifying multiple slashes would put these slashes in the archive header. For example:

# tar cvf filename.tar dir1//////////

Specifying a single slash when creating the archive will cause tar, pax, or cpio to pick up all of the directory's contents. For example:

# tar cvf filename.tar dir1/

Changes to vdump and vrestore Disallow Larger Record Sizes

The vdump and vrestore programs have been tuned to disallow block sizes greater than 64 KB blocks. This is to avoid forward compatibility problems. With the installation of this kit, the valid range is 2 through 64 KB blocks.

Problem Seen on Systems with Smart Array Controller

This section describes the steps you should take if your system is configured with a Smart Array controller and you see the following event logged:

Host name: unx104
SCSI CAM ERROR PACKET
SCSI device class: CISS (Smart Array)
Bus Number: 6
Target Number: 4
Lon Number: 0
…
...
Event Information: Command timed out...resetting controller

If this occurs, take the following steps:

  1. Create a file named ciss.temp with the following lines:

    ciss:
    ciss_throttle_threshold=5 
  2. Execute the following command:

    # sysconfigdb -m -f ciss.temp 
  3. Reboot your system:

    # shutdown -r now

Broken Links Reported During Baselining

When performing a baseline analysis with the dupatch utility, you will encounter the following message during Phase 4:

Phase 4 - Report changed systemfiles and missing files
=======================================================
This phase provides information to help you make choices later in
this process. It reports both 'missing' and files whose origin 
cannot be determined. Some of these files may affect patch 
installation.You will want to consider this information when you
later make decisions in phase 5.   

* list of changed files with unknown origin:
------------------------------------------
./etc/lprsetup.dat                            OSFPRINT540 UNKNOWN 
./usr/share/doclib/annex/man/man3/Thread.3    OSFTCLBASE540 UNKNOWN 
BROKEN HARDLINK TO ./usr/share/doclib/annex/man/man3/Tcl_ConditionNotify.3
./usr/share/doclib/annex/man/man3/Tcl_ConditionNotify.3  OSFTCLBASE540 UNKNOWN
BROKEN HARDLINK TO ./usr/share/doclib/annex/man/man3/Thread.3

Press RETURN to proceed...

You can disregard this information. The presence of these broken links will not affect your system operation, the installation of dupatch or dupatch tools, the successful installation of patches, or the rebuilding of kernels on the system.

Russian Keyboard

The new Russian 3R-LKQ48–BT keyboard, for which this kit provides an updated keyboard map, comes with five extra keycaps. To enable any of those extra keycaps, you will need to modify the file /usr/lib/X11/xkb/symbols/digital/russian. For example:

//    KEY <AD09> can be replaced by an extra keycap.
//    If you replace it with the extra keycap, please uncomment
//    the following definition and comment out the original one.
//
//    key <AD09> {
//      symbols[Group1]= [               o,               O ],
//      symbols[Group2]= [     Ukrainian_i,     Ukrainian_I ]
//    };
    key <AD09> {
        symbols[Group1]= [               o,               O ],
        symbols[Group2]= [  Cyrillic_shcha,  Cyrillic_SHCHA ]
    };

General and Problem Information for AlphaServer ES47, ES80, and GS1280 Systems

The following information pertains to the new AlphaServer ES47, ES80, and GS1280 systems, which require the Tru64 UNIX Version 5.1B operating system and patch kit to be installed.

Time Loss on Systems with Firmware Lower Than V6.4-12

The ES47, ES80, and GS1280 AlphaServers may experience a time loss as a result of console callbacks for environmental information if the server's firmware is lower than V6.4-12.

Updating your firmware to V6.4-12 or higher will keep the problem from occurring or correct the problem if it has occurred.

If your firmware is lower than V6.4-12, the problem is experienced if one or both of the following conditions exist:

  • The system manager uses the following hwmgr utility commands:

    # hwmgr -view devices
    # hwmgr -view hierarchy
  • The Environmental Monitoring daemon, envmond, is running.

As a workaround to the problem, you can modify one of the following two files and then reboot your system for the new setting to take effect:

  • /etc/rc.config

    Turn off environmental monitoring by changing the entry ENVMON_CONFIGURED=1 to ENVMON_CONFIGURED=0

    You can also use the envconfig utility to modify the /etc/rc.config file. See envconfig(8) for information.

  • /etc/sysconfigtab

    At the end of the file, add the following line:

    marvel_srvmgmt: MV_Env_Support = 0 

    You must remove this setting after you install firmware V6.4-11 or higher.
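The following check is an added example, not HP code: it compares a firmware version string against V6.4-12 numerically and reads ENVMON_CONFIGURED from an rc.config-style file to report whether a host meets the conditions described above. It assumes the firmware string has the V6.4-12 shape and is supplied by the caller, and that the path given is a copy of /etc/rc.config. The function names are hypothetical and the /etc/sysconfigtab setting is not examined.

```shell
#!/bin/sh
# Added example, not HP code. The firmware string and the rc.config path are
# passed in by the caller; obtaining the firmware level is outside this sketch.
FIXED_FW="V6.4-12"   # firmware level the release note names as the fix

# fw_key VERSION: print "major minor patch" for strings shaped like V6.4-12,
# or nothing when the string does not have that shape.
fw_key() {
    printf '%s\n' "$1" |
        sed -n 's/^[Vv]\([0-9][0-9]*\)\.\([0-9][0-9]*\)-\([0-9][0-9]*\)$/\1 \2 \3/p'
}

# fw_lower A B: status 0 if A is lower than B, 1 if not, 2 if either is malformed.
fw_lower() {
    a=$(fw_key "$1"); b=$(fw_key "$2")
    [ -n "$a" ] && [ -n "$b" ] || return 2
    set -- $a $b   # $1-$3 now hold A's fields, $4-$6 hold B's
    if [ "$1" -lt "$4" ]; then return 0; elif [ "$1" -gt "$4" ]; then return 1; fi
    if [ "$2" -lt "$5" ]; then return 0; elif [ "$2" -gt "$5" ]; then return 1; fi
    [ "$3" -lt "$6" ]
}

# envmon_enabled FILE: status 0 if the last ENVMON_CONFIGURED assignment in
# FILE is 1 (optional double quotes around the value are tolerated).
envmon_enabled() {
    val=$(sed -n 's/^ENVMON_CONFIGURED="\{0,1\}\([0-9]*\).*/\1/p' "$1" | tail -n 1)
    [ "$val" = "1" ]
}

# time_loss_exposure FW RCFILE: print a one-line verdict for this host.
time_loss_exposure() {
    rc=0; fw_lower "$1" "$FIXED_FW" || rc=$?
    case $rc in
        2) echo "unknown: cannot parse firmware version '$1'"; return 0 ;;
        1) echo "ok: firmware $1 is not lower than $FIXED_FW"; return 0 ;;
    esac
    if envmon_enabled "$2"; then
        echo "exposed: firmware $1 is lower than $FIXED_FW and envmond is configured"
    else
        echo "reduced: envmond is off, but hwmgr -view devices/hierarchy still triggers it"
    fi
}

# Constructed sample input, not taken from a real system.
sample=$(mktemp)
printf 'ENVMON_CONFIGURED=1\nexport ENVMON_CONFIGURED\n' > "$sample"
time_loss_exposure V6.4-11 "$sample"
rm -f "$sample"
```

The comparison is numeric per field, so a version such as V6.10-1 is treated as higher than V6.4-12 rather than lower, which a plain string comparison would get wrong.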

CPU Offline Restrictions

The Primary CPU cannot be taken off line.

CPUs that have I/O hoses attached to them can only be taken off line if another CPU without I/O attached is present in the system. A failure to adhere to this restriction will cause the psradm command to return an error.

In a two-CPU configuration, the AlphaServer ES47 and ES80 do not allow any CPUs to be taken off line.

Problem with Capacity-on-Demand Process

A problem has been discovered with the capacity-on-demand process in which a CPU can be designated as spare, but is not taken off line as expected.

With the capacity-on-demand process, the codconfig [cpu_id_list] command lets you specify which CPUs you have paid for and which are spares. The command is supposed to mark the others as spare and then take them off line. Once a CPU is marked as spare, the hwmgr command and Manage CPUs suitlet will not let you put it on line until you use the ccod -l or ccod -p command to either loan or purchase the CPU.

The workaround is to use the codconfig [cpu_id_list] command to mark the CPUs as spare, and then use either the hwmgr command or the Manage CPUs suitlet to take them off line (sometimes referred to as offlining them). In the following example, N is the CPU number.

# hwmgr -offline -name cpuN

If, for example, the codconfig command returns the message "Error for CPU 2: Unable to offline this CPU," you would enter the following hwmgr command:

# hwmgr -offline -name cpu2

For more information, see codconfig(8) and hwmgr(8).

The Manage CPUs suitlet is available from the SysMan Menu and SysMan Station.

Repeated Reboots May Cause Panic

Repeated reboots of the system may cause a kernel memory fault panic, but do not result in the loss of data. A reboot after the panic should be successful. A fix for this problem will be included in a future release.

Caution on Updating to Version 5.1B with DEGXA NICs

Do not attempt to do an update installation or rolling upgrade from Version 5.1A to Version 5.1B when the network device is a DEGXA-TA or DEGXA-SA and you have the Version 5.1A Patch Kit 4 and the New Hardware Devices V6 (NHD6) Kit installed.

The NHD6 kit and Patch Kit 4 have provided fixes that are not in the base operating system release for Version 5.1B. Once the update is completed using another network device and the Version 5.1B Patch Kit 1 or higher has been applied, the DEGXA network interface cards (NICs) can again be used for the network connection.