====== AIX: extract files from an AIX package ======
With the new Power 7 C models, these versions of AIX and VIOS are supported:
AIX 5.3 TL12 SP5
AIX 6.1 TL5 SP7
AIX 6.1 TL6 SP6
AIX 7.1 TL0 SP4
AIX 7.1 TL1
VIOS 2.2.1
===== Standard commands to list AIX levels =====
AIX main level: # oslevel
AIX TL technology level: # oslevel -l
AIX SP service pack: # oslevel -s
# instfix -i : list all APAR (correction for one or more problems)
To list complete or incomplete TL (grep 6100-) and SP (grep 61-) are also consider as APAR
# emgr -P : list efix, it's a temporary fix for 1 problem
# instfix -ci | grep ":-:" : list all packages, into incomplete APARs (packages not at right level)
# instfix -ci |grep 61-06-061140|grep ":-:" : lists all packages at a lower level than the given reference (61-06-061140)
# instfix -ci |grep 61-06-061140|grep ":=:" : lists all packages at the same level than the given reference (61-06-061140)
# instfix -ci |grep 61-06-061140|grep ":+:" : lists all packages at a higher level than the given reference (61-06-061140)
Efix inventory is stored in a text file: "/usr/emgrdata/DBS/efix.db" and "/usr/emgrdata/DBS/pkglck.db"
[root@aix01]/root# cat "/usr/emgrdata/DBS/efix.db"
IJ36810s3a|:|IJ36810 Potential security issue|:|.|:|.|:|.|:|.|:|0|:|1|:|00F7CD554C00121710122121|:|1|:|05/02/22 12:21:09|:|S|:|0|:|7|:|.|:|.|:|.|:|0|:|1|:|1|:|.
1022103a|:|Ifix for Openssl CVE-2022-0778|:|.|:|.|:|.|:|.|:|0|:|1|:|00F787C74C00042206045322|:|5|:|06/30/22 08:52:53|:|S|:|0|:|7|:|.|:|.|:|.|:|0|:|1|:|1|:|.
[root@aix01]/root# cat "/usr/emgrdata/DBS/pkglck.db"
IJ36810s3a|:|1|:|/usr/bin/lscore|:|bos.rte.security|:|1|:|1|:|050212051122|:|7.2.5.101
1022103a|:|1|:|/usr/lib/libcrypto.a|:|openssl.base|:|1|:|5|:|063008060322|:|1.0.2.2103
1022103a|:|2|:|/usr/lib/libssl.a|:|openssl.base|:|1|:|5|:|063008060422|:|1.0.2.2103
1022103a|:|3|:|/usr/lib/libcrypto.a.min|:|openssl.base|:|1|:|5|:|063008060422|:|1.0.2.2103
1022103a|:|4|:|/usr/bin/openssl|:|openssl.base|:|1|:|5|:|063008060422|:|1.0.2.2103
1022103a|:|5|:|/usr/bin/openssl64|:|openssl.base|:|1|:|5|:|063008060522|:|1.0.2.2103
==== To find all known maintenance or service levels ====
To see all known maintenance levels: oslevel -rq
To see all known service levels: oslevel -sq
Comparing installed file sets to a given and known service or maintenance level, you can use -l option to list file sets earlier (older) than the reference, or -g to list those later (never) than the reference level.
Example
To list all known service levels:
# oslevel -sq
6100-06-03-1048
6100-06-02-1044
6100-04-06-1034
6100-04-05-1015
6100-04-04-1014
6100-03-07-1036
.
.
.
Pick one of the service levels and list all filesets early than that level:
[root@labotest]/root# oslevel -sg 6100-06-03-1048
Fileset Actual Level Service Pack Level
-----------------------------------------------------------------------------
bos.64bit 6.1.6.3 6.1.6.2
bos.esagent 6.6.6.3 6.6.6.2
bos.rte.install 6.1.6.16 6.1.6.3
bos.rte.libc 6.1.6.3 6.1.6.2
bos.rte.security 6.1.6.3 6.1.6.2
bos.rte.shell 6.1.6.3 6.1.6.2
bos.wpars 6.1.6.2 6.1.6.1
devices.chrp.base.diag 6.1.6.3 6.1.6.2
devices.common.IBM.ethernet.rte 6.1.6.2 6.1.6.1
devices.common.IBM.sissas.rte 6.1.6.2 6.1.6.1
devices.ethernet.ct3.cdli 6.1.6.3 6.1.6.2
devices.fcp.disk.rte 6.1.6.2 6.1.6.1
devices.pci.4f11c800.rte 6.1.6.2 6.1.6.1
devices.pciex.e4143a16e4143009.diag 6.1.6.2 6.1.6.1
devices.pciex.e4143a16e4143009.rte 6.1.6.3 6.1.6.2
printers.rte 6.1.6.2 6.1.6.1
Alternatively use the instfix command which gives more information but less readable:
[root@labotest]/root# instfix -ci |grep 61-06-061140|grep :=:
61-06-061140_SP:bos.rte.install:6.1.6.16:6.1.6.16:=:AIX 6100-06-06 Service Pack
61-06-061140_SP:clic.rte.kernext:4.7.0.1:4.7.0.1:=:AIX 6100-06-06 Service Pack
61-06-061140_SP:clic.rte.lib:4.7.0.1:4.7.0.1:=:AIX 6100-06-06 Service Pack
61-06-061140_SP:devices.chrp.base.ServiceRM:1.5.0.1:1.5.0.1:=:AIX 6100-06-06 Ser
vice Pack
61-06-061140_SP:rsct.compat.basic.hacmp:3.1.0.1:3.1.0.1:=:AIX 6100-06-06 Service
Pack
61-06-061140_SP:rsct.core.errm:3.1.0.2:3.1.0.2:=:AIX 6100-06-06 Service Pack
61-06-061140_SP:rsct.core.fsrm:3.1.0.1:3.1.0.1:=:AIX 6100-06-06 Service Pack
61-06-061140_SP:rsct.core.sec:3.1.0.2:3.1.0.2:=:AIX 6100-06-06 Service Pack
61-06-061140_SP:rsct.core.sensorrm:3.1.0.1:3.1.0.1:=:AIX 6100-06-06 Service Pack
61-06-061140_SP:rsct.core.sr:3.1.0.2:3.1.0.2:=:AIX 6100-06-06 Service Pack
===== Standard commands to manage AIX packages =====
List the content of a repository (with detailed packages)
[root@aix01]/root# installp -L -d /export/softs/PowerHA/7.2.5.3/
cluster.adt.es:cluster.adt.es.client.include:7.2.5.0::I:T:::::N:PowerHA SystemMirror Client Include Files::::0:0743:
cluster.adt.es:cluster.adt.es.client.include:7.2.5.1::S:T:::::N:PowerHA SystemMirror Client Include Files::::0:0743:
# lslpp -l : list all AIX packages
# lslpp -L : list only latest version of packages
# lslpp -Lc : list with ":" as separator
# lslpp -f : list all files from an installed package
# lslpp -w : list the package from which the command belong to
# lslpp -qch : list hostory on packages
# install_all_updates -d ./ -rc -Y : update all packages from current directory (-Y: accept licenses)
# installp -gXY -d ./ rpm.rte : update only one package
# installp -agXY -d ./ xlC.rte : install a specific packages from current directory (-Y: accept licenses)
# installp -F -acN -d ./ cas.agent : Force the reinstall of a broken package
# installp -u -g : remove installed package and dependencies
Best practice for updating you OS:
* first update the install tools
* preview the remainder of the TL update
* apply the TL update
installp -d -i
installp -d -p
installp -d
**IMPORTANT**
If you have a trouble during upgrade of packages like ios.cli.rte on a VIOS, you can use the following command to retry the upgrade on the root part of the package (for this package the base install is not available):
# installp -Or -agX ios.cli.rte
===== Date of package update =====
Date for latest kernel upgrade
root@nimprod /root> lslpp -h | grep -p bos.mp
bos.mp64
7.2.5.203 COMMIT COMPLETE 07/24/23 15:05:28
7.2.5.205 COMMIT COMPLETE 11/15/23 10:27:26
===== installp in debug mode =====
Set the following variable before starting installation
export INST_DEBUG=y
===== check package consistency =====
Check AIX package consistency: normal, checksum, deep, file list, links
# lppchk -v
# lppchk -c
# lppchk -vm3
# lppchk -f
# lppchk -l
===== Convert bff AIX packages =====
In order to have 1 kind of package format, with an extension .U (update) or .I (install); you can convert package .bff or packages without extension into this format with smit bffcreate or this command:
# bffcreate -v -d /software -t /export/softs/tsm all
-v: verbose
-d : for source directory
-t: for target
===== Cleanup an lppsource =====
To remove duplicate packages from a directory ppc and put unused files into /software/ppc (lppmgr command):
# /usr/lib/instl/lppmgr -d ppc -ubx -m /software/lpp -V
===== Manually extract files from an AIX package =====
To list all files into an AIX package:
[root@labotest:/root/]# restore -Tqvf openssh.base.5.4.0.6100.I
New volume on openssh.base.5.4.0.6100.I:
Cluster 51200 bytes (100 blocks).
Volume number 1
Date of backup: Fri Jun 11 20:33:09 2010
Files backed up by name
User BUILD
0 ./
813 ./lpp_name
0 ./usr
0 ./usr/lpp
0 ./usr/lpp/openssh.base
10214 ./usr/lpp/openssh.base/liblpp.a
0 ./usr/lpp/openssh.base/inst_root
15012 ./usr/lpp/openssh.base/inst_root/liblpp.a
2183447 ./usr/sbin/sshd
939809 ./usr/sbin/sftp-server
358171 ./usr/sbin/ssh-pkcs11-helper
0 ./usr/lpp/openssh.base/inst_root/etc/ssh
3173 ./usr/lpp/openssh.base/inst_root/etc/ssh/sshd_config
307 ./usr/lpp/openssh.base/inst_root/etc/rc.d/rc2.d/Ksshd
308 ./usr/lpp/openssh.base/inst_root/etc/rc.d/rc2.d/Ssshd
0 ./usr/lpp/openssh.base/inst_root/var/empty
1591501 ./usr/bin/ssh
175350 ./usr/bin/scp
341077 ./usr/bin/sftp
468780 ./usr/bin/ssh-add
653846 ./usr/bin/ssh-keygen
879015 ./usr/bin/ssh-keyscan
386534 ./usr/bin/ssh-agent
873859 ./usr/sbin/ssh-keysign
128891 ./usr/sbin/ssh-rand-helper
0 ./usr/openssh
3135 ./usr/openssh/README
16000 ./usr/openssh/license_ssh.txt
2341 ./usr/lpp/openssh.base/inst_root/etc/ssh/ssh_prng_cmds
1555 ./usr/lpp/openssh.base/inst_root/etc/ssh/ssh_config
132839 ./usr/lpp/openssh.base/inst_root/etc/ssh/moduli
total size: 9165977
files archived: 31
Extract all files from package (packages have relative paths):
[root@labotest:/root/]# restore -xqvf openssh.base.5.4.0.6100.I
Extract one file:
[root@labotest:/root/]# restore -xqvf openssh.base.5.4.0.6100.I ./usr/lpp/openssh.base/inst_root/liblpp.a
New volume on openssh.base.5.4.0.6100.I:
Cluster 51200 bytes (100 blocks).
Volume number 1
Date of backup: Fri Jun 11 20:33:09 2010
Files backed up by name
User BUILD
x 15012 ./usr/lpp/openssh.base/inst_root/liblpp.a
total size: 15012
files restored: 1
To read header, and scripts files contained into a package:
* First extract the file liblpp.a as above: # restore -xqvf ./usr/lpp//inst_root/liblpp.a
* Then extract from this archive file all the content: # ar -xv ./usr/lpp//inst_root/liblpp.a
To read the content of an archive: ar -tv
* Now you can read all files Example, post install script from openssh package:
[root@labotest:/root/usr/lpp/openssh.base/inst_root/]# cat openssh.base.server.post_i
#!/usr/bin/ksh
# IBM_PROLOG_BEGIN_TAG
# This is an automatically generated prolog.
#
# 61pkgssh54A src/packages/openssh/base/server/root/openssh.base.server.post_i.sh 1.10
#
# Licensed Materials - Property of IBM
#
# COPYRIGHT International Business Machines Corp. 2001,2003
# All Rights Reserved
#
# US Government Users Restricted Rights - Use, duplication or
# disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
#
# IBM_PROLOG_END_TAG
# Create the 'host' private and public keys for the sshd daemon to load
#
# chkconfig: 2345 55 25
# Check to see if customer is installing ssh during a BOS install
if [[ -n $INUBOSTYPE ]]; then
# Customer is doing a BOS install. ssh does not have the necessary
# random bits to perform ssh-keygen right now. Instead, we want this
# script to run after the machine has rebooted from BOS install, so
# copy this script over to /etc/firstboot
# We need to touch the hostkey files. Otherwirse, the install will fail,
# reporting that the hostkey files do not exist. We will touch the files now
# and create the real hostkeys after the reboot.
touch /etc/ssh/ssh_host_key
touch /etc/ssh/ssh_host_key.pub
touch /etc/ssh/ssh_host_rsa_key
touch /etc/ssh/ssh_host_rsa_key.pub
touch /etc/ssh/ssh_host_dsa_key
touch /etc/ssh/ssh_host_dsa_key.pub
# After the BOS install reboot, remove the touched hostkey files, otherwise the ssh-keygen
# command will stop and ask the user if these files should be overwritten
print "rm -f /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.pub /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_rsa_key.pub /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_dsa_key.pub" >> /etc/firstboot
print "/usr/lpp/openssh.base/inst_root/openssh.base.server.post_i" >> /etc/firstboot
else
# Not doing a BOS install, so perform ssh installation as normal
#generate the RSA host key
if [ ! -s /etc/ssh/ssh_host_rsa_key ]
then
/usr/bin/ssh-keygen -q -t rsa -f /etc/ssh/ssh_host_rsa_key -C '' -N '' >/dev/null 2>&1
if [ $? -ne 0 ]
then
echo "RSA key generation failed"
exit 1
fi
fi
# generate the RSA1 host key for the ssh daemon
if [ ! -s /etc/ssh/ssh_host_key ]
then
/usr/bin/ssh-keygen -q -t rsa1 -f /etc/ssh/ssh_host_key -C '' -N '' > /dev/null 2>&1
if [ $? -ne 0 ]
then
echo "RSA1 key generation failed"
exit 1
fi
fi
#generate the DSA host key
if [ ! -s /etc/ssh/ssh_host_dsa_key ]
then
/usr/bin/ssh-keygen -q -t dsa -f /etc/ssh/ssh_host_dsa_key -C '' -N '' >/dev/null 2>&1
if [ $? -ne 0 ]
then
echo "DSA key generation failed"
exit 1
fi
fi
fi
exit 0
===== Library static/library dynamic =====
List libraries contained into .a
[root@nim]/tmp/bull# ar -X32_64 -t -v /opt/freeware/lib/libintl.a
rwxr-xr-x 0/0 81732 Mar 9 16:28 2017 libintl.so.9
rwxr-xr-x 0/0 89207 Mar 9 16:40 2017 libintl.so.9
rwxr-xr-x 0/0 114582 Mar 9 16:40 2017 libintl.so.1
rwxr-xr-x 0/0 130986 Mar 9 16:40 2017 libintl.so.1
rwxr-xr-x 0/0 81610 Mar 9 16:40 2017 libintl.so.8
rwxr-xr-x 0/0 89181 Mar 9 16:40 2017 libintl.so.8
Extract the 32 bit library so.9
[root@aix01]/tmp/bull# ar -X32 -x -v /opt/freeware/lib/libintl.a -o libintl.so.9
ar: 0707-109 Member name -o does not exist.
x - libintl.so.9
Covert the .so.9 in .a:
[root@aix01]/tmp/bull# ar -rv libintl.a libintl.so.9
ar: Creating an archive file libintl.a.
a - libintl.so.9
List version of .so library
[root@aix01]/tmp/bull# dump -H /usr/opt/freeware/lib/libsqlite3.so
/usr/opt/freeware/lib/libsqlite3.so:
***Loader Section***
Loader Header Information
VERSION# #SYMtableENT #RELOCent LENidSTR
0x00000001 0x00000152 0x00000a6f 0x0000006d
#IMPfilID OFFidSTR LENstrTBL OFFstrTBL
0x00000004 0x00009d04 0x00001951 0x00009d71
***Import File Strings***
INDEX PATH BASE MEMBER
0 /opt/freeware/lib:/opt/freeware/lib:/usr/lib:/lib
1 libgcc_s.a shr.o
2 libc.a shr.o
3 libpthread.a shr_xpg5.o
===== To convert a library file .so from dynamic to a static file .a =====
* Use the command:
# ar -rv
===== To convert a library file .a from static to a dynamic file .so =====
* Use the command (here 64 bits):
# /opt/freeware/bin/gcc -maix64 -shared -Wall /opt/freeware/lib/libgmp.a -o libgmp.so.10
Now check if library 32 or 64 bits (32b 'll failed)
[root@aix06] /opt/freeware/lib> dump -X32 -H /opt/freeware/lib/libgmp.so.10
/opt/freeware/lib/libgmp.so.10:
dump: /opt/freeware/lib/libgmp.so.10: 0654-108 file is not valid in the current object file mode.
Use the -X option to specify the desired object mode.
[root@aix06] /opt/freeware/lib> dump -X64 -H /opt/freeware/lib/libgmp.so.10
/opt/freeware/lib/libgmp.so.10:
***Loader Section***
Loader Header Information
VERSION# #SYMtableENT #RELOCent LENidSTR
0x00000001 0x00000007 0x0000001c 0x000000d3
#IMPfilID OFFidSTR LENstrTBL OFFstrTBL
0x00000002 0x000002a0 0x0000009b 0x00000373
***Import File Strings***
INDEX PATH BASE MEMBER
0 /opt/freeware/lib/gcc/powerpc-ibm-aix7.2.0.0/10/ppc64:/opt/freeware/lib/gcc/powerpc-ibm-aix7.2.0.0/10:/opt/freeware/lib/gcc/powerpc-ibm-aix7.2.0.0/10/../../..:/opt/freeware/lib:/usr/lib:/lib
1 libgcc_s.a shr.o
Old command
# gcc -shared -Wl,--whole-archive library.a -o library.so
===== When a reboot is needed ? =====
If process **init** appears in the list after upgrade, the reboot you LPAR:
[root@nim]/root# genld -u
Proc_pid: 1 Proc_name: init
Proc_pid: 15466758 Proc_name: sshd
...