AIX multi-step patching required

Hi Folks,

We are planning to try and use AIX Patching in BIGFIX and we want to replicate the way we have been doing it via ksh scripting via an NFS mount.

Steps we want to replicate in Bigfix:

  1. take an alt disk
  2. check valid mksysb available in a specific directory (runs daily 6pm via cron)
  3. Run Preview of TL/SP update (latest AIX TL/SP available, already staged on NFS)
  4. If preview is clean, run TL/SP update
  5. Apply latest SSH, SSL and Java 7, 7.1 and 8, if installed
  6. Apply latest security ifixes available
  7. Wrap up by checking we now have correct oslevel and ifixes installed, if not somehow notify us we have issue with client updates.

From what I could see in BIGFIX it looks like to accomplish this in one job stream (script) is difficult to integrate due to each function looks like it has to be executed in separate fixlet selections.

We also have many clients running AIX 6.1 and 7.1 so from what I see we would have to separate the selection of the servers by OS versions since we will be pointing it to an NFS lpp update with a specific version of filesets.

Am I missing something or can this be easily accomplished in bigfix? Thanks so much!

I haven't personally done much AIX patching before, but if you understand the script content for each step this should be do-able.

I'd look at creating Tasks for 1, 2, 3, and 7. Each of these should return a failure if you get unexpected results, probably with a statement like
continue if {my condition to check all is well}

Then, you'd build a Baseline. I'd create separate component groups - Preinstall, Install, and Postinstall.
Preinstall would have tasks 1, 2, 3, and 4 (which look like they would not change regularly)
Install would contain your Fixlets for tasks 4, 5, and 6.
Postinstall would have your task 7.

When you take action on the baseline, clear the "Continue running all actions regardless of failures" flag, so if the Preinstall group catches a failure the baseline stops running.

Then, set up a Web Report to send you a notification when any actions from this baseline fail.

Thanks for your reply Jason.

I can certainly automate this in native ksh scripting but have never tried anything like this using bigfix fixlet or action code.

Is it possible to write a pure ksh script and have bigfix run it?

thanks

The Action in a Task/Fixlet has a drop-down list to select the type, but I think the options are only BigFix ActionScript or shell script using /bin/sh.

What is commonly done is to use the ActionScript commands createfile or appendfile to create a shell script, and then execute that script via the given shell. I'm away from my computer now, but should be able to post examples this afternoon if you don't find any before then (but I expect you'd find some shell script examples in the default AIX patch content somewhere). There are a lot of examples of using bash on Linux in the forum, I expect ksh to be similar.

The most frequent 'gotchas' are
…Bigfix interprets { as the start of a Relevance Substitution; when you want a literal { in your shell script, escape it by replacing it with {{
…The cwd and $PATH may not be what you expect; the spawned shell is running as root but isn't a login shell and may not have sourced the dot-files you expect. Full pathnames are your friend.

I found the appendfile is very useful to execute any language script, very nice!

ie.

delete __appendfile

appendfile #!/bin/ksh
appendfile mount uosnim:/export/epm-unix /mnt
appendfile /mnt/scripts/preview.ksh
appendfile /mnt/scripts/update.ksh
appendfile umount /mnt

//modify appendfile to allow execution
wait chmod 555 "{(client folder of current site as string) & "/__appendfile"}"

//execute shell script as written
wait "{(client folder of current site as string) & "/__appendfile"}"
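
The `{` gotcha from the earlier reply, applied to the appendfile pattern in this thread, as an added example that is not part of any post: a small sh helper that wraps a ksh script in `appendfile` lines with every `{` doubled, plus a check for lone braces left in an action. The function names, the sample ksh script and the choice to drop blank lines are assumptions of this example.

```shell
#!/bin/sh
# Added example: wrap a ksh script in BigFix ActionScript appendfile lines.
# Assumption (from the thread): "{" starts a relevance substitution and
# "{{" is written to the file as a literal "{".

# Read a shell script on stdin, write the ActionScript on stdout.
ksh_to_actionscript() {
    printf '%s\n' 'delete __appendfile'
    # Drop blank lines (assumption: avoids emitting an empty appendfile
    # command), double every "{", then prefix each line with "appendfile ".
    sed -e '/^[[:space:]]*$/d' -e 's/{/{{/g' -e 's/^/appendfile /'
    # chmod and execute lines follow the pattern posted in the thread.
    printf '%s\n' \
      'wait chmod 555 "{(client folder of current site as string) & "/__appendfile"}"' \
      'wait "{(client folder of current site as string) & "/__appendfile"}"'
}

# Lint an existing action on stdin: count appendfile lines that still
# contain a "{" that is not part of a "{{" pair. Each hit is either an
# intended relevance substitution or an unescaped shell brace to review.
lone_brace_lines() {
    grep '^appendfile ' | sed 's/{{//g' | grep -c '{' || true
}

# Constructed sample: a ksh check for step 7 (oslevel after the update).
sample_script() {
cat <<'EOF'
#!/bin/ksh
# constructed sample; the expected oslevel is passed as $1
WANT=${1:?usage: check.ksh <oslevel>}
have() { /usr/bin/oslevel -s; }

[ "$(have)" = "${WANT}" ] || { echo "oslevel mismatch: $(have)"; exit 1; }
EOF
}

# Stand-alone run: print the generated action for the sample script.
sample_script | ksh_to_actionscript
```

Paste the generated lines into the action, or pipe an existing action through `lone_brace_lines` before deploying it.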