There’s a new NIM HTTP service handler included with AIX 7.2 (due for release next month, December 2015). This new service is designed “…to help Clients better conform to emerging data center policies restricting the use of NFS, NIM will now have support to apply updates to AIX or install new packages over HTTPs. Initial AIX installs will still require the use of NFS version 3 or the more secure NFS version 4 protocol.
In addition to fileset installs, NIM customization activities such as script execution and file_res copying also support access over HTTPs.
Major Advantages of using HTTP during NIM Management:
- All communication occurs over a single http port, so the authorization through a firewall is quite easy to manage.
- Actions are driven from the client's end (the install target), so remote access isn't necessary for pushing the commands.
- Easy to consume by NIM or other products that currently use the client/server model of NFS.
- Able to extend the end-product to support additional protocols (context driven).”
“How Does it Work?
AIX ships a new service handler (in 7.2.0) that provides http access to NIM resources. The service name (defined in /etc/services) is nimhttp and it listens for requests over port 4901. When active, NIM clients attempt file access and/or scripting customization requests from nimhttp. If http access fails or is denied, a failover attempt at NFS client access occurs. Future support will include options to remove NFS client attempts altogether.”
“On startup, the nimhttp service attempts to read the httpd.conf configuration file -- located in the default home directory of the user. First time users will notice that starting the service without a configuration file will result in one being created and populated with default service values.”
“document_root
…for now, the key detail to point out is that NIM expects all http accessible files to exist under the path of /export/nim/. This path location is defined as the document_root and cannot be modified at this time. Future enhancements will support multiple document_root paths. The document root path is not limited in depth and may contain many sub-directories. Client requests are able to traverse the path setting by using the enable_directory_listing option. If set to “no”, all files being served must reside in the current working directory of document_root.”
“The default authentication used in nimhttp for client access is a basic protocol handshake and is probably considered by some (if not all) as undesirable. To enable the more secure Digest Authentication method, users must provide valid paths for certificate authority and root certificate files for the server. The certificate authority and root PEM files used in nimhttp are easily created using the existing SSL management option in NIM. Run the following command on the NIM master to create the ssl.cert_authority and ssl.pemfiles used by the nimhttp service:
# nimconfig -c”
I tested this functionality during the AIX 7.2 Early Ship Program.
Warning:
The information shown here was collected from testing conducted with beta level code. Some details may change in the final release.
Configuring the service was easy. For the sake of simplicity I chose not to use SSL with the authentication mechanism. With my NIM master already configured, all I needed to do was confirm that the NIM client fileset is installed on the master and any client I wish to manage with the HTTP service.
NIM MASTER:
# lslpp -l | grep nim
bos.sysmgt.nim.master 7.2.0.0 COMMITTED Network Install Manager -
bos.sysmgt.nim.client 7.2.0.0 COMMITTED Network Install Manager -
NIM CLIENT:
# lssrc -s nimsh
Subsystem         Group            PID          Status
 nimsh            nimclient        6554064      active
# lslpp -l | grep nim
bos.sysmgt.nim.client 7.2.0.0 COMMITTED Network Install Manager -
Start the NIMHTTP service on the NIM master. This starts the nimhttpd daemon (on the master only) and creates the default httpd.conf file (in root’s home directory, /).
# startsrc -s nimhttp
0513-059 The nimhttp Subsystem has been started. Subsystem PID is 6685178.
# lssrc -s nimhttp
Subsystem         Group            PID          Status
 nimhttp                           6685178      active
# ps -ef | grep nimhttp
root 6685178 4194712 0 Nov 10 - 0:00 /usr/sbin/nimhttpd -v
# ls -ltr /httpd.conf
-rw-r--r-- 1 root system 1159 Nov 05 15:31 /httpd.conf
# cat /httpd.conf
#
#---------------------
# http service defines
#---------------------
#
service.name=nimhttp
# Designates the service name used when discovering the listening port for requests (i.e., nimhttp)
#
service.log=/var/adm/ras/nimhttp.log
# Log of access attempts and equivalent responses. Also useful for debug purposes.
#
# service.proxy_port=
# Designates the service port number used when configured as a proxy.
#
# service.access_list=
# White-list of IP (host) addresses which have access to our http file service. All others are denied.
#
#
#---------------------
# http configuration
#---------------------
#
document_root=/export/nim/
# Designates the directory to serve files from.
#
enable_directory_listing=yes
# Allow requests for listing served files/directories under the document root.
#
enable_proxy=no
# Enable the web service to act as a proxy server.
#
ssl.cert_authority=/ssl_nimsh/certs/root.pem
# Designates the file location of the certificate authority used for digital certificate signing.
#
ssl.pemfile=/ssl_nimsh/certs/server.pem
# Designates the file location of the PEM format file which contains both a certificate and private key.
#
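An added example (not from the original post or from IBM): a small shell audit of the httpd.conf keys shown above. It reports an unset white-list, enabled directory listing or proxying, SSL files that do not exist (the state you are in if nimconfig -c was never run), and a world-readable ssl.pemfile. The function names and finding wording are assumptions of this example; the sample config is constructed from the defaults above.

```shell
# Added example; key names are the ones in the httpd.conf shown above.
nimhttp_sample_conf() {   # constructed sample, mirrors the default file
cat <<'EOF'
# service.access_list=
document_root=/export/nim/
enable_directory_listing=yes
enable_proxy=no
ssl.cert_authority=/ssl_nimsh/certs/root.pem
ssl.pemfile=/ssl_nimsh/certs/server.pem
EOF
}

conf_get() {   # conf_get FILE KEY: value of the last uncommented KEY= line, if any
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

nimhttp_conf_audit() {   # one finding per line; no output means no findings
    conf=$1
    if [ -z "$(conf_get "$conf" service.access_list)" ]; then
        echo "service.access_list: unset, no IP white-list configured"
    fi
    if [ "$(conf_get "$conf" enable_directory_listing)" = yes ]; then
        echo "enable_directory_listing: yes, directory listings are served"
    fi
    if [ "$(conf_get "$conf" enable_proxy)" = yes ]; then
        echo "enable_proxy: yes, service acts as a proxy server"
    fi
    for key in ssl.cert_authority ssl.pemfile; do
        file=$(conf_get "$conf" "$key")
        if [ -z "$file" ] || [ ! -f "$file" ]; then
            echo "$key: ${file:-unset} not found"
        # ssl.pemfile holds the private key, so mode bits matter here
        elif [ "$key" = ssl.pemfile ] && [ -n "$(find "$file" -perm -004)" ]; then
            echo "$key: $file contains a private key and is world-readable"
        fi
    done
}

# Run the audit against the constructed sample.
sample="${TMPDIR:-/tmp}/nimhttp-sample.$$"
nimhttp_sample_conf > "$sample"
nimhttp_conf_audit "$sample"
rm -f "$sample"
```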
I configured a new lpp_source resource (liveupdaterte) on the NIM master. I ensured that all the files for the lpp_source were in the correct location (i.e. /export/nim). This restriction will be lifted in the future, but during my testing the service required all files to be served from /export/nim, on the master.
# lsnim -t lpp_source
lpp_sourceaix72 resources lpp_source
liveupdaterte resources lpp_source
# lsnim -l liveupdaterte
liveu:
class = resources
type = lpp_source
arch = power
Rstate = ready for use
prev_state = unavailable for use
location = /export/nim/cglpp
alloc_count = 0
server = master
# ls -ltr /export/nim/cglpp
total 4864
-rw-r--r-- 1 root system 2483200 Oct 16 04:23 bos.liveupdate.7.2.0.0.I
-rw-r--r-- 1 root system 688 Oct 31 09:33 .toc
From the client I initiated a nimclient pull request, to install the bos.liveupdate.rte fileset.
# nimclient -o cust -a lpp_source=liveupdaterte -a filesets=bos.liveupdate.rte
# lslpp -l bos.liveupdate.rte
Fileset Level State Description
----------------------------------------------------------------------------
Path: /usr/lib/objrepos
bos.liveupdate.rte 7.2.0.0 COMMITTED Live Update Runtime
Path: /etc/objrepos
bos.liveupdate.rte 7.2.0.0 COMMITTED Live Update Runtime
The bos.liveupdate.rte fileset installed OK from the lpp_source, and I noticed that nimhttp service activity was logged to the /var/adm/ras/nimhttp.log file on the NIM master.
# tail -f nimhttp.log
Mon Nov 16 13:51:23 2015 nim_http: queue socket create product (memory *)20004238
Mon Nov 16 13:51:23 2015 nim_http: file descriptor is 6
Mon Nov 16 13:51:23 2015 nim_buffer: (resize) buffer size is 0
Mon Nov 16 13:51:23 2015 file descriptor is : 6
Mon Nov 16 13:51:23 2015 family is : 2 (AF_INET)
Mon Nov 16 13:51:23 2015 source address is : 10.1.50.252
Mon Nov 16 13:51:23 2015 socks: 20004238 128 <- 203 bytes (PLAIN)
Mon Nov 16 13:51:23 2015 socks: Request string
Mon Nov 16 13:51:23 2015 nim_buffer: (append) len is 203, buffer length is 203
Mon Nov 16 13:51:23 2015 socks: Copied string
Mon Nov 16 13:51:23 2015 nim_http: data string passed to get_http_request: ""
Mon Nov 16 13:51:23 2015 Request Type is
Mon Nov 16 13:51:23 2015 socks: Removing socksObject 2ff1eca0
Mon Nov 16 13:51:23 2015 nim_http: queue socket create product (memory *)20004238
Mon Nov 16 13:51:23 2015 nim_http: file descriptor is 6
Mon Nov 16 13:51:23 2015 nim_buffer: (resize) buffer size is 0
Mon Nov 16 13:51:23 2015 file descriptor is : 6
Mon Nov 16 13:51:23 2015 family is : 2 (AF_INET)
Mon Nov 16 13:51:23 2015 source address is : 10.1.50.252
Mon Nov 16 13:51:23 2015 socks: 20004238 128 <- 70 bytes (PLAIN)
Mon Nov 16 13:51:23 2015 socks: Request string GET /export/nim/scripts/AIXmig.script HTTP/1.1
Connection: close
Mon Nov 16 13:51:23 2015 nim_buffer: (append) len is 70, buffer length is 70
Mon Nov 16 13:51:23 2015 socks: Copied string GET /export/nim/scripts/AIXmig.script HTTP/1.1
Connection: close
Mon Nov 16 13:51:23 2015 nim_http: data string passed to get_http_request: "GET /export/nim/scripts/AIXmig.script HTTP/1.1
Connection: close
"
Mon Nov 16 13:51:23 2015 Request Type is GET
Mon Nov 16 13:51:23 2015 Mime not supported
Mon Nov 16 13:51:23 2015 Sending Response Header "200 OK"
Mon Nov 16 13:51:23 2015 Sending file over socket 6. Expected length is 509
Mon Nov 16 13:51:23 2015 Total length sent is 509
Mon Nov 16 13:51:23 2015 handle_httpGET: Entering cleanup statement
Mon Nov 16 13:51:23 2015 socks: Removing socksObject 2ff1eca0
Mon Nov 16 13:51:24 2015 nim_http: queue socket create product (memory *)20004238
Mon Nov 16 13:51:24 2015 nim_http: file descriptor is 6
Mon Nov 16 13:51:24 2015 nim_buffer: (resize) buffer size is 0
Mon Nov 16 13:51:24 2015 file descriptor is : 6
Mon Nov 16 13:51:24 2015 family is : 2 (AF_INET)
Mon Nov 16 13:51:24 2015 source address is : 10.1.50.252
Mon Nov 16 13:51:24 2015 socks: 20004238 128 <- 203 bytes (PLAIN)
Mon Nov 16 13:51:24 2015 socks: Request string
Mon Nov 16 13:51:24 2015 nim_buffer: (append) len is 203, buffer length is 203
Mon Nov 16 13:51:24 2015 socks: Copied string
Mon Nov 16 13:51:24 2015 nim_http: data string passed to get_http_request: ""
Mon Nov 16 13:51:24 2015 Request Type is
Mon Nov 16 13:51:24 2015 socks: Removing socksObject 2ff1eca0
Mon Nov 16 13:51:24 2015 nim_http: queue socket create product (memory *)20004238
Mon Nov 16 13:51:24 2015 nim_http: file descriptor is 6
Mon Nov 16 13:51:24 2015 nim_buffer: (resize) buffer size is 0
Mon Nov 16 13:51:24 2015 file descriptor is : 6
Mon Nov 16 13:51:24 2015 family is : 2 (AF_INET)
Mon Nov 16 13:51:24 2015 source address is : 10.1.50.252
Mon Nov 16 13:51:24 2015 socks: 20004238 128 <- 54 bytes (PLAIN)
Mon Nov 16 13:51:24 2015 socks: Request string GET /export/nim/cglpp HTTP/1.1
Connection: close
Mon Nov 16 13:51:24 2015 nim_buffer: (append) len is 54, buffer length is 54
Mon Nov 16 13:51:24 2015 socks: Copied string GET /export/nim/cglpp HTTP/1.1
Connection: close
Mon Nov 16 13:51:24 2015 nim_http: data string passed to get_http_request: "GET /export/nim/cglpp HTTP/1.1
Connection: close
"
Mon Nov 16 13:51:24 2015 Request Type is GET
Mon Nov 16 13:51:24 2015 Mime not supported
Mon Nov 16 13:51:24 2015 socks: Removing socksObject 2ff1eca0
Mon Nov 16 13:51:24 2015 Sending Response Header "302 OK"
Mon Nov 16 13:51:24 2015 Sending file over socket 6. Expected length is 72
Mon Nov 16 13:51:24 2015 Total length sent is 72
Mon Nov 16 13:51:24 2015 handle_httpGET: Entering cleanup statement
Mon Nov 16 13:51:24 2015 nim_http: queue socket create product (memory *)20004238
Mon Nov 16 13:51:24 2015 nim_http: file descriptor is 6
Mon Nov 16 13:51:24 2015 nim_buffer: (resize) buffer size is 0
Mon Nov 16 13:51:24 2015 file descriptor is : 6
Mon Nov 16 13:51:24 2015 family is : 2 (AF_INET)
Mon Nov 16 13:51:24 2015 source address is : 10.1.50.252
Mon Nov 16 13:51:24 2015 socks: 20004238 128 <- 203 bytes (PLAIN)
Mon Nov 16 13:51:24 2015 socks: Request string
Mon Nov 16 13:51:24 2015 nim_buffer: (append) len is 203, buffer length is 203
Mon Nov 16 13:51:24 2015 socks: Copied string
Mon Nov 16 13:51:24 2015 nim_http: data string passed to get_http_request: ""
Mon Nov 16 13:51:24 2015 Request Type is
Mon Nov 16 13:51:24 2015 socks: Removing socksObject 2ff1eca0
Mon Nov 16 13:51:24 2015 nim_http: queue socket create product (memory *)20004238
Mon Nov 16 13:51:24 2015 nim_http: file descriptor is 6
Mon Nov 16 13:51:24 2015 nim_buffer: (resize) buffer size is 0
Mon Nov 16 13:51:24 2015 file descriptor is : 6
Mon Nov 16 13:51:24 2015 family is : 2 (AF_INET)
Mon Nov 16 13:51:24 2015 source address is : 10.1.50.252
Mon Nov 16 13:51:24 2015 socks: 20004238 128 <- 59 bytes (PLAIN)
Mon Nov 16 13:51:24 2015 socks: Request string GET /export/nim/cglpp/.toc HTTP/1.1
Connection: close
Mon Nov 16 13:51:24 2015 nim_buffer: (append) len is 59, buffer length is 59
Mon Nov 16 13:51:24 2015 socks: Copied string GET /export/nim/cglpp/.toc HTTP/1.1
Connection: close
Mon Nov 16 13:51:24 2015 nim_http: data string passed to get_http_request: "GET /export/nim/cglpp/.toc HTTP/1.1
Connection: close
"
Mon Nov 16 13:51:24 2015 Request Type is GET
Mon Nov 16 13:51:24 2015 Mime not supported
Mon Nov 16 13:51:24 2015 Sending Response Header "200 OK"
Mon Nov 16 13:51:24 2015 Sending file over socket 6. Expected length is 755
Mon Nov 16 13:51:24 2015 Total length sent is 755
Mon Nov 16 13:51:24 2015 handle_httpGET: Entering cleanup statement
Mon Nov 16 13:51:24 2015 socks: Removing socksObject 2ff1eca0
Mon Nov 16 13:51:24 2015 nim_http: queue socket create product (memory *)20004238
Mon Nov 16 13:51:24 2015 nim_http: file descriptor is 6
Mon Nov 16 13:51:24 2015 nim_buffer: (resize) buffer size is 0
Mon Nov 16 13:51:24 2015 file descriptor is : 6
Mon Nov 16 13:51:24 2015 family is : 2 (AF_INET)
Mon Nov 16 13:51:24 2015 source address is : 10.1.50.252
Mon Nov 16 13:51:24 2015 socks: 20004238 128 <- 203 bytes (PLAIN)
Mon Nov 16 13:51:24 2015 socks: Request string
Mon Nov 16 13:51:24 2015 nim_buffer: (append) len is 203, buffer length is 203
Mon Nov 16 13:51:24 2015 socks: Copied string
Mon Nov 16 13:51:24 2015 nim_http: data string passed to get_http_request: ""
Mon Nov 16 13:51:24 2015 Request Type is
Mon Nov 16 13:51:24 2015 socks: Removing socksObject 2ff1eca0
Mon Nov 16 13:51:24 2015 nim_http: queue socket create product (memory *)20004238
Mon Nov 16 13:51:24 2015 nim_http: file descriptor is 6
Mon Nov 16 13:51:24 2015 nim_buffer: (resize) buffer size is 0
Mon Nov 16 13:51:24 2015 file descriptor is : 6
Mon Nov 16 13:51:24 2015 family is : 2 (AF_INET)
Mon Nov 16 13:51:24 2015 source address is : 10.1.50.252
Mon Nov 16 13:51:24 2015 socks: 20004238 128 <- 79 bytes (PLAIN)
Mon Nov 16 13:51:24 2015 socks: Request string GET /export/nim/cglpp/bos.liveupdate.7.2.0.0.I HTTP/1.1
Connection: close
Mon Nov 16 13:51:24 2015 nim_buffer: (append) len is 79, buffer length is 79
Mon Nov 16 13:51:24 2015 socks: Copied string GET /export/nim/cglpp/bos.liveupdate.7.2.0.0.I HTTP/1.1
Connection: close
Mon Nov 16 13:51:24 2015 nim_http: data string passed to get_http_request: "GET /export/nim/cglpp/bos.liveupdate.7.2.0.0.I HTTP/1.1
Connection: close
"
Mon Nov 16 13:51:24 2015 Request Type is GET
Mon Nov 16 13:51:24 2015 Mime not supported
Mon Nov 16 13:51:24 2015 Sending Response Header "200 OK"
Mon Nov 16 13:51:24 2015 Sending file over socket 6. Expected length is 2574336
Mon Nov 16 13:51:24 2015 socks: Removing socksObject 2ff1eca0
Mon Nov 16 13:51:24 2015 Total length sent is 2574336
Mon Nov 16 13:51:24 2015 handle_httpGET: Entering cleanup statement
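An added example (not part of the original post): an awk-based summary of nimhttp.log that prints one line per HTTP request and tags requests from addresses outside an allow-list or for paths outside /export/nim/. The function names, the allow-list argument and the reading of (PLAIN) as a non-SSL transfer are assumptions; the sample lines are constructed in the format of the excerpt above.

```shell
# Added example; sample lines are constructed in the nimhttp.log format shown above.
nimhttp_sample_log() {
cat <<'EOF'
Mon Nov 16 13:51:24 2015 source address is : 10.1.50.252
Mon Nov 16 13:51:24 2015 socks: 20004238 128 <- 203 bytes (PLAIN)
Mon Nov 16 13:51:24 2015 socks: Request string
Mon Nov 16 13:51:24 2015 source address is : 10.1.50.252
Mon Nov 16 13:51:24 2015 socks: 20004238 128 <- 59 bytes (PLAIN)
Mon Nov 16 13:51:24 2015 socks: Request string GET /export/nim/cglpp/.toc HTTP/1.1
Connection: close
Mon Nov 16 13:51:24 2015 Sending Response Header "200 OK"
Mon Nov 16 13:51:24 2015 Total length sent is 755
Mon Nov 16 13:52:01 2015 source address is : 192.0.2.77
Mon Nov 16 13:52:01 2015 socks: 20004238 128 <- 40 bytes (PLAIN)
Mon Nov 16 13:52:01 2015 socks: Request string GET /tmp/other.file HTTP/1.1
EOF
}

nimhttp_requests() {   # usage: nimhttp_requests ALLOWED_IPS(comma-separated) [LOGFILE]
    awk -v allow="$1" -v root="/export/nim/" '
    function emit(   f) {                       # print the pending request, if any
        if (path == "") return                  # connections with no request line are skipped
        if (mode == "PLAIN") f = f ",plain"     # assumption: PLAIN means no SSL
        if (!(src in ok))    f = f ",unlisted-source"
        if (index(path "/", root) != 1 || path ~ /\/\.\.(\/|$)/) f = f ",outside-docroot"
        print src, mode, method, path, status, bytes, (f == "" ? "ok" : substr(f, 2))
        path = ""
    }
    BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /source address is :/         { emit(); src = $NF; mode = status = bytes = "-" }
    $6 == "socks:" && $9 == "<-"  { mode = $NF; gsub(/[()]/, "", mode) }
    $6 == "socks:" && $7 == "Request" && NF >= 10 { method = $9; path = $10 }
    /Sending Response Header/     { status = $9; gsub(/"/, "", status) }
    /Total length sent is/        { bytes = $NF }
    END { emit() }
    ' "${2:--}"
}

# Columns: source transport method path status bytes flags
nimhttp_sample_log | nimhttp_requests "10.1.50.252"
```

On a NIM master the same function can be pointed at the live log, for example nimhttp_requests "10.1.50.252" /var/adm/ras/nimhttp.log.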
“Example: Commands supporting nimhttp
If using push operation (From NIM master)
# nim -o cust -a file_res=<obj_name> <client_obj_name>
# nim -o cust -a script=<obj_name> <client_obj_name>
# nim -o cust -a lpp_source=<obj_name> -a filesets=<fileset names to install> <client_obj_name>
# nim -o cust -a lpp_source=<obj_name> -a installp_bundle=<obj_name> <client_obj_name>
# nim -o cust -a lpp_source=<obj_name> -a fixes=update_all <client_obj_name>
If using pull operation (From NIM client)
# nimclient -o cust -a lpp_source=<obj_name> -a filesets=<fileset names to install>
# nimclient -o cust -a file_res=<obj_name>
# nimclient -o cust -a script=<obj_name>
# nimclient -o cust -a lpp_source=<obj_name> -a installp_bundle=<obj_name>
# nimclient -o cust -a lpp_source=<obj_name> -a fixes=update”