There’s a new NIM HTTP service handler included with AIX 7.2 (due for release next month, December 2015).  This new service is designed “…….to help Clients better conform to emerging data center policies restricting the use of NFS, NIM will now have support to apply updates to AIX or install new packages over HTTPs.  Initial AIX installs will still require the use of NFS version 3 or the more secure NFS version 4 protocol.

 

In addition to fileset installs, NIM customization activities such as script execution and file_res copying also support access over HTTPs.

 

 Major Advantages of using HTTP during NIM Management:

 

 


 

How Does it Work?

AIX ships a new service handler (in 7.2.0) that provides http access to NIM resources.  The service name (defined in /etc/services) is nimhttp and it listens for requests over port 4901.  When active, NIM clients attempt file access and/or scripting customization requests from nimhttp.  If http access fails or is denied, a failover attempt at NFS client access occurs.  Future support will include options to remove NFS client attempts altogether.”

 

“On startup, the nimhttp service attempts to read the httpd.conf configuration file -- located in the default home directory of the user.  First time users will notice that starting the service without a configuration file will result in one being created and populated with default service values.”

 

document_root

….for now, the key detail to point out is that NIM expects all http accessible files to exist under the path of /export/nim/.  This path location is defined as the document_root and cannot be modified at this time.  Future enhancements will support multiple document_root paths.  The document root path is not limited in depth and may contain many sub-directories.  Client requests are able to traverse the path setting by using the enable_directory_listing option.  If set to “no”, all files being served must reside in the current working directory of document_root.”

 

“The default authentication used in nimhttp for client access is a basic protocol handshake and is probably considered by some (if not all) as undesirable.  To enable the more secure Digest Authentication method, users must provide valid paths for certificate authority and root certificate files for the server.  The certificate authority and root PEM files used in nimhttp are easily created using the existing SSL management option in NIM.  Run the following command on the NIM master to create the ssl.cert_authority and ssl.pemfiles used by the nimhttp service:

 

# nimconfig -c”

 

I tested this functionality during the AIX 7.2 Early Ship Program.

 

Warning: The information shown here was collected from testing conducted with beta level code. Some details may change in the final release.

 

Configuring the service was easy. For the sake of simplicity I chose not to use SSL with the authentication mechanism. With my NIM master already configured, all I need to do is confirm that the NIM client fileset is installed on the master and any client I wish to manage with the HTTP service.

 

NIM MASTER:

 

# lslpp -l | grep nim

  bos.sysmgt.nim.master      7.2.0.0  COMMITTED  Network Install Manager -

  bos.sysmgt.nim.client      7.2.0.0  COMMITTED  Network Install Manager -

 

NIM CLIENT:

 

# lssrc -s nimsh

Subsystem         Group            PID          Status

 nimsh            nimclient        6554064      active

 

# lslpp -l | grep nim

  bos.sysmgt.nim.client      7.2.0.0  COMMITTED  Network Install Manager -

 

Start the NIMHTTP service on the NIM master. This starts the nimhttpd daemon (on the master only) and creates the default httpd.conf file (in root’s home directory, /).

 

# startsrc -s nimhttp

0513-059 The nimhttp Subsystem has been started. Subsystem PID is 6685178.

 

# lssrc -s nimhttp

Subsystem         Group            PID          Status

 nimhttp                           6685178      active

 

# ps -ef | grep nimhttp

    root  6685178  4194712   0   Nov 10      -  0:00 /usr/sbin/nimhttpd -v

 

# ls -ltr /httpd.conf

-rw-r--r--    1 root     system         1159 Nov 05 15:31 /httpd.conf

 

 

# cat /httpd.conf

 

#

#---------------------

# http service defines

#---------------------

#

service.name=nimhttp

# Designates the service name used when discovering the listening port for requests (i.e., nimhttp)

#

service.log=/var/adm/ras/nimhttp.log

# Log of access attempts and equivalent responses. Also useful for debug purposes.

#

# service.proxy_port=

# Designates the service port number used when configured as a proxy.

#

# service.access_list=

# White-list of IP (host) addresses which have access to our http file service. All others are denied.

#

#

#---------------------

# http configuration

#---------------------

#

document_root=/export/nim/

# Designates the directory to serve files from.

#

enable_directory_listing=yes

# Allow requests for listing served files/directories under the document root.

#

enable_proxy=no

# Enable the web service to act as a proxy server.

#

ssl.cert_authority=/ssl_nimsh/certs/root.pem

# Designates the file location of the certificate authority used for digital certificate signing.

#

ssl.pemfile=/ssl_nimsh/certs/server.pem

# Designates the file location of the PEM format file which contains both a certificate and private key.

#
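
The default file above has no active service.access_list, allows directory listing, and points at a PEM file that holds a private key. The following added example (not part of the original post and not IBM code; the function names are hypothetical) checks an httpd.conf for those settings:

```shell
#!/bin/sh
# Added example (not IBM code): audit a nimhttp httpd.conf for the settings
# shown in the default file above. Function names are hypothetical.

# Print the value of an active (uncommented) key; empty output if unset.
conf_get() {    # $1 = config file, $2 = key
    awk -v k="$2" '
        /^[ \t]*#/ { next }    # "# service.access_list=" is a comment, not a setting
        index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", key)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == k) v = val
        }
        END { print v }' "$1"
}

# Print one WARN line per finding; return 0 if clean, 1 if findings, 2 on error.
audit_nimhttp_conf() {    # $1 = config file
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    n=0
    if [ -z "$(conf_get "$1" service.access_list)" ]; then
        echo "WARN: service.access_list unset, no IP white-list is enforced"; n=$((n + 1))
    fi
    if [ "$(conf_get "$1" enable_directory_listing)" = yes ]; then
        echo "WARN: enable_directory_listing=yes, clients can list document_root"; n=$((n + 1))
    fi
    if [ "$(conf_get "$1" enable_proxy)" = yes ]; then
        echo "WARN: enable_proxy=yes, service also acts as a proxy"; n=$((n + 1))
    fi
    for key in ssl.cert_authority ssl.pemfile; do
        f=$(conf_get "$1" "$key")
        if [ -z "$f" ] || [ ! -f "$f" ]; then
            echo "WARN: $key (${f:-unset}) not found, see nimconfig -c"; n=$((n + 1))
        elif [ "$key" = ssl.pemfile ] && [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
            # The PEM file holds the private key: owner-only access expected.
            echo "WARN: $f is accessible by group or others"; n=$((n + 1))
        fi
    done
    [ "$n" -eq 0 ]
}

# Run against a file when invoked as a script: sh audit.sh /httpd.conf
if [ $# -gt 0 ]; then audit_nimhttp_conf "$1"; fi
```
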

 

I configured a new lpp_source resource (liveupdaterte) on the NIM master. I ensured that all the files for the lpp_source were in the correct location (i.e. /export/nim). This restriction will be lifted in the future, but during my testing the service required all files to be served from /export/nim, on the master.

 

# lsnim -t lpp_source

lpp_sourceaix72     resources       lpp_source

liveupdaterte               resources       lpp_source

 

# lsnim -l liveupdaterte

liveu:

   class       = resources

   type        = lpp_source

   arch        = power

   Rstate      = ready for use

   prev_state  = unavailable for use

   location    = /export/nim/cglpp

   alloc_count = 0

   server      = master

 

# ls -ltr /export/nim/cglpp

total 4864

-rw-r--r--    1 root     system      2483200 Oct 16 04:23 bos.liveupdate.7.2.0.0.I

-rw-r--r--    1 root     system          688 Oct 31 09:33 .toc

 

From the client I initiated a nimclient pull request, to install the bos.liveupdate.rte fileset.

 

# nimclient -o cust -a lpp_source=liveupdaterte -a filesets=bos.liveupdate.rte

 

# lslpp -l bos.liveupdate.rte

  Fileset                      Level  State      Description

  ----------------------------------------------------------------------------

Path: /usr/lib/objrepos

  bos.liveupdate.rte         7.2.0.0  COMMITTED  Live Update Runtime

 

Path: /etc/objrepos

  bos.liveupdate.rte         7.2.0.0  COMMITTED  Live Update Runtime

 

The bos.liveupdate.rte fileset installed OK from the lpp_source, and I noticed nimhttp service activity was logged to the /var/adm/ras/nimhttp.log file on the NIM master.

 

# tail -f nimhttp.log

 

Mon Nov 16 13:51:23 2015        nim_http: queue socket create product (memory *)20004238

Mon Nov 16 13:51:23 2015        nim_http: file descriptor is 6

Mon Nov 16 13:51:23 2015        nim_buffer: (resize) buffer size is 0

Mon Nov 16 13:51:23 2015        file descriptor is : 6

Mon Nov 16 13:51:23 2015        family is : 2 (AF_INET)

Mon Nov 16 13:51:23 2015        source address is : 10.1.50.252

Mon Nov 16 13:51:23 2015        socks: 20004238 128 <- 203 bytes (PLAIN)

Mon Nov 16 13:51:23 2015        socks: Request string

Mon Nov 16 13:51:23 2015        nim_buffer: (append) len is 203, buffer length is 203

Mon Nov 16 13:51:23 2015        socks: Copied string

Mon Nov 16 13:51:23 2015        nim_http: data string passed to get_http_request: ""

Mon Nov 16 13:51:23 2015        Request Type is

Mon Nov 16 13:51:23 2015        socks: Removing socksObject 2ff1eca0

Mon Nov 16 13:51:23 2015        nim_http: queue socket create product (memory *)20004238

Mon Nov 16 13:51:23 2015        nim_http: file descriptor is 6

Mon Nov 16 13:51:23 2015        nim_buffer: (resize) buffer size is 0

Mon Nov 16 13:51:23 2015        file descriptor is : 6

Mon Nov 16 13:51:23 2015        family is : 2 (AF_INET)

Mon Nov 16 13:51:23 2015        source address is : 10.1.50.252

Mon Nov 16 13:51:23 2015        socks: 20004238 128 <- 70 bytes (PLAIN)

Mon Nov 16 13:51:23 2015        socks: Request string GET /export/nim/scripts/AIXmig.script HTTP/1.1

Connection: close

 

 

Mon Nov 16 13:51:23 2015        nim_buffer: (append) len is 70, buffer length is 70

Mon Nov 16 13:51:23 2015        socks: Copied string GET /export/nim/scripts/AIXmig.script HTTP/1.1

Connection: close

 

 

Mon Nov 16 13:51:23 2015        nim_http: data string passed to get_http_request: "GET /export/nim/scripts/AIXmig.script HTTP/1.1

Connection: close

 

"

Mon Nov 16 13:51:23 2015        Request Type is GET

Mon Nov 16 13:51:23 2015        Mime not supported

Mon Nov 16 13:51:23 2015        Sending Response Header "200 OK"

Mon Nov 16 13:51:23 2015        Sending file over socket 6. Expected length is 509

Mon Nov 16 13:51:23 2015        Total length sent is 509

Mon Nov 16 13:51:23 2015        handle_httpGET: Entering cleanup statement

Mon Nov 16 13:51:23 2015        socks: Removing socksObject 2ff1eca0

Mon Nov 16 13:51:24 2015        nim_http: queue socket create product (memory *)20004238

Mon Nov 16 13:51:24 2015        nim_http: file descriptor is 6

Mon Nov 16 13:51:24 2015        nim_buffer: (resize) buffer size is 0

Mon Nov 16 13:51:24 2015        file descriptor is : 6

Mon Nov 16 13:51:24 2015        family is : 2 (AF_INET)

Mon Nov 16 13:51:24 2015        source address is : 10.1.50.252

Mon Nov 16 13:51:24 2015        socks: 20004238 128 <- 203 bytes (PLAIN)

Mon Nov 16 13:51:24 2015        socks: Request string

Mon Nov 16 13:51:24 2015        nim_buffer: (append) len is 203, buffer length is 203

Mon Nov 16 13:51:24 2015        socks: Copied string

Mon Nov 16 13:51:24 2015        nim_http: data string passed to get_http_request: ""

Mon Nov 16 13:51:24 2015        Request Type is

Mon Nov 16 13:51:24 2015        socks: Removing socksObject 2ff1eca0

Mon Nov 16 13:51:24 2015        nim_http: queue socket create product (memory *)20004238

Mon Nov 16 13:51:24 2015        nim_http: file descriptor is 6

Mon Nov 16 13:51:24 2015        nim_buffer: (resize) buffer size is 0

Mon Nov 16 13:51:24 2015        file descriptor is : 6

Mon Nov 16 13:51:24 2015        family is : 2 (AF_INET)

Mon Nov 16 13:51:24 2015        source address is : 10.1.50.252

Mon Nov 16 13:51:24 2015        socks: 20004238 128 <- 54 bytes (PLAIN)

Mon Nov 16 13:51:24 2015        socks: Request string GET /export/nim/cglpp HTTP/1.1

Connection: close

 

 

Mon Nov 16 13:51:24 2015        nim_buffer: (append) len is 54, buffer length is 54

Mon Nov 16 13:51:24 2015        socks: Copied string GET /export/nim/cglpp HTTP/1.1

Connection: close

 

 

Mon Nov 16 13:51:24 2015        nim_http: data string passed to get_http_request: "GET /export/nim/cglpp HTTP/1.1

Connection: close

 

"

Mon Nov 16 13:51:24 2015        Request Type is GET

Mon Nov 16 13:51:24 2015        Mime not supported

Mon Nov 16 13:51:24 2015        socks: Removing socksObject 2ff1eca0

Mon Nov 16 13:51:24 2015        Sending Response Header "302 OK"

Mon Nov 16 13:51:24 2015        Sending file over socket 6. Expected length is 72

Mon Nov 16 13:51:24 2015        Total length sent is 72

Mon Nov 16 13:51:24 2015        handle_httpGET: Entering cleanup statement

Mon Nov 16 13:51:24 2015        nim_http: queue socket create product (memory *)20004238

Mon Nov 16 13:51:24 2015        nim_http: file descriptor is 6

Mon Nov 16 13:51:24 2015        nim_buffer: (resize) buffer size is 0

Mon Nov 16 13:51:24 2015        file descriptor is : 6

Mon Nov 16 13:51:24 2015        family is : 2 (AF_INET)

Mon Nov 16 13:51:24 2015        source address is : 10.1.50.252

Mon Nov 16 13:51:24 2015        socks: 20004238 128 <- 203 bytes (PLAIN)

Mon Nov 16 13:51:24 2015        socks: Request string

Mon Nov 16 13:51:24 2015        nim_buffer: (append) len is 203, buffer length is 203

Mon Nov 16 13:51:24 2015        socks: Copied string

Mon Nov 16 13:51:24 2015        nim_http: data string passed to get_http_request: ""

Mon Nov 16 13:51:24 2015        Request Type is

Mon Nov 16 13:51:24 2015        socks: Removing socksObject 2ff1eca0

Mon Nov 16 13:51:24 2015        nim_http: queue socket create product (memory *)20004238

Mon Nov 16 13:51:24 2015        nim_http: file descriptor is 6

Mon Nov 16 13:51:24 2015        nim_buffer: (resize) buffer size is 0

Mon Nov 16 13:51:24 2015        file descriptor is : 6

Mon Nov 16 13:51:24 2015        family is : 2 (AF_INET)

Mon Nov 16 13:51:24 2015        source address is : 10.1.50.252

Mon Nov 16 13:51:24 2015        socks: 20004238 128 <- 59 bytes (PLAIN)

Mon Nov 16 13:51:24 2015        socks: Request string GET /export/nim/cglpp/.toc HTTP/1.1

Connection: close

 

 

Mon Nov 16 13:51:24 2015        nim_buffer: (append) len is 59, buffer length is 59

Mon Nov 16 13:51:24 2015        socks: Copied string GET /export/nim/cglpp/.toc HTTP/1.1

Connection: close

 

 

Mon Nov 16 13:51:24 2015        nim_http: data string passed to get_http_request: "GET /export/nim/cglpp/.toc HTTP/1.1

Connection: close

 

"

Mon Nov 16 13:51:24 2015        Request Type is GET

Mon Nov 16 13:51:24 2015        Mime not supported

Mon Nov 16 13:51:24 2015        Sending Response Header "200 OK"

Mon Nov 16 13:51:24 2015        Sending file over socket 6. Expected length is 755

Mon Nov 16 13:51:24 2015        Total length sent is 755

Mon Nov 16 13:51:24 2015        handle_httpGET: Entering cleanup statement

Mon Nov 16 13:51:24 2015        socks: Removing socksObject 2ff1eca0

Mon Nov 16 13:51:24 2015        nim_http: queue socket create product (memory *)20004238

Mon Nov 16 13:51:24 2015        nim_http: file descriptor is 6

Mon Nov 16 13:51:24 2015        nim_buffer: (resize) buffer size is 0

Mon Nov 16 13:51:24 2015        file descriptor is : 6

Mon Nov 16 13:51:24 2015        family is : 2 (AF_INET)

Mon Nov 16 13:51:24 2015        source address is : 10.1.50.252

Mon Nov 16 13:51:24 2015        socks: 20004238 128 <- 203 bytes (PLAIN)

Mon Nov 16 13:51:24 2015        socks: Request string

Mon Nov 16 13:51:24 2015        nim_buffer: (append) len is 203, buffer length is 203

Mon Nov 16 13:51:24 2015        socks: Copied string

Mon Nov 16 13:51:24 2015        nim_http: data string passed to get_http_request: ""

Mon Nov 16 13:51:24 2015        Request Type is

Mon Nov 16 13:51:24 2015        socks: Removing socksObject 2ff1eca0

Mon Nov 16 13:51:24 2015        nim_http: queue socket create product (memory *)20004238

Mon Nov 16 13:51:24 2015        nim_http: file descriptor is 6

Mon Nov 16 13:51:24 2015        nim_buffer: (resize) buffer size is 0

Mon Nov 16 13:51:24 2015        file descriptor is : 6

Mon Nov 16 13:51:24 2015        family is : 2 (AF_INET)

Mon Nov 16 13:51:24 2015        source address is : 10.1.50.252

Mon Nov 16 13:51:24 2015        socks: 20004238 128 <- 79 bytes (PLAIN)

Mon Nov 16 13:51:24 2015        socks: Request string GET /export/nim/cglpp/bos.liveupdate.7.2.0.0.I HTTP/1.1

Connection: close

 

 

Mon Nov 16 13:51:24 2015        nim_buffer: (append) len is 79, buffer length is 79

Mon Nov 16 13:51:24 2015        socks: Copied string GET /export/nim/cglpp/bos.liveupdate.7.2.0.0.I HTTP/1.1

Connection: close

 

 

Mon Nov 16 13:51:24 2015        nim_http: data string passed to get_http_request: "GET /export/nim/cglpp/bos.liveupdate.7.2.0.0.I HTTP/1.1

Connection: close

 

"

Mon Nov 16 13:51:24 2015        Request Type is GET

Mon Nov 16 13:51:24 2015        Mime not supported

Mon Nov 16 13:51:24 2015        Sending Response Header "200 OK"

Mon Nov 16 13:51:24 2015        Sending file over socket 6. Expected length is 2574336

Mon Nov 16 13:51:24 2015        socks: Removing socksObject 2ff1eca0

Mon Nov 16 13:51:24 2015        Total length sent is 2574336

Mon Nov 16 13:51:24 2015        handle_httpGET: Entering cleanup statement
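
The log above spreads each request over a dozen lines. The following added example (not part of the original post and not IBM code) condenses it to one line per GET for review. The function name and flag labels are hypothetical, and it assumes the (PLAIN) tag marks a connection that is not using SSL:

```shell
#!/bin/sh
# Added example (not IBM code): condense nimhttp.log into one line per GET.
# Function name and flag labels are hypothetical.

# Output columns: source transport status bytes path flags
nimhttp_requests() {    # $1 = log file, $2 = optional space-separated expected client IPs
    awk -v allow=" $2 " '
        /source address is :/     { src = $NF }
        /socks: .* bytes \(/      { mode = $NF; gsub(/[()]/, "", mode) }
        /socks: Request string GET / {
            for (i = 1; i < NF; i++) if ($i == "GET") path = $(i + 1)
        }
        /Sending Response Header/ { status = $(NF - 1); gsub(/"/, "", status) }
        /Total length sent is/ && path != "" {
            flags = ""
            # document_root is fixed at /export/nim/ in this release
            if (path !~ /^\/export\/nim(\/|$)/ || path ~ /\.\./)
                flags = flags ",OUTSIDE_DOCROOT"
            # only checked when a client list was passed in
            if (allow !~ /^ *$/ && index(allow, " " src " ") == 0)
                flags = flags ",UNLISTED_SRC"
            # assumption: (PLAIN) in the log means no SSL on this connection
            if (mode == "PLAIN")
                flags = flags ",CLEARTEXT"
            print src, mode, status, $NF, path, (flags == "" ? "ok" : substr(flags, 2))
            path = ""; status = ""
        }' "$1"
}

# Run against a log when invoked as a script:
#   sh nimhttp_requests.sh /var/adm/ras/nimhttp.log "10.1.50.252"
if [ $# -gt 0 ]; then nimhttp_requests "$1" "$2"; fi
```
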

 

 

Example:  Commands supporting nimhttp

 

If using push operation (From NIM master)

 

# nim -o cust -a file_res=<obj_name> <client_obj_name>

# nim -o cust -a script=<obj_name> <client_obj_name>

# nim -o cust -a lpp_source=<obj_name> -a filesets=<fileset names to install> <client_obj_name>

# nim -o cust -a lpp_source=<obj_name> -a installp_bundle=<obj_name> <client_obj_name>

# nim -o cust -a lpp_source=<obj_name> -a fixes=update_all <client_obj_name>

 

If using pull operation (From NIM client)

 

# nimclient -o cust -a lpp_source=<obj_name> -a filesets=<fileset names to install>

# nimclient -o cust -a file_res=<obj_name>

# nimclient -o cust -a script=<obj_name>

# nimclient -o cust -a lpp_source=<obj_name> -a filesets=<fileset names to install>

# nimclient -o cust -a lpp_source=<obj_name> -a installp_bundle=<obj_name>

# nimclient -o cust -a lpp_source=<obj_name> -a fixes=update”