Technote (FAQ)


Question

How can I configure my NIM master to export NIM resources outside of the NIM environment?

Answer

The information in this document pertains to NIM at levels of AIX 5.3, 6.1 and 7.1. This document will describe how to properly export a filesystem/directory from the global environment of a NIM master without interfering with how the NIM master exports its resources.

The resources MUST be exported globally (meaning that they are exported to EVERYONE) in order for this to work. You cannot export to a specific server for this to work. What this document does and does not cover:

Does cover
Overview of globally exporting NIM resources and how the NIM environment is effected.
Setting up the NIM environment to enable global exports
Setting up the /etc/exports file to allow for global exports if 'global_exports' IS enabled in the NIM environment
Modifying the /etc/exports file, if NOT enabling global exports in NIM environment
‘smit/smitty’ and command line processes for the operations covered in this document.


Does not cover:
- In-depth description of NFS rules
- How-to steps for creating NIM resources
- Any websm interface procedures on how to use NIM




Overview of globally exporting NIM resources and how the NIM environment is effected.


Sometimes people like to have a filesystem or directory that contains an lpp_source (or some other sort of NIM resource) exported at all times. This is so that servers may access the filesystem(s) or directories for things such as executing updates or creating mksysb files. This may bring about problems when trying to run NIM operations with resources that are located in the filesystems or directories that are already exported.
NIM likes to export resources itself at the time of an operation. Problems may arise like the NIM master not being able to export a file or directory because it (or its parent filesystem/directory) is already exported. One of the problems that can arise is that the filesystem or directory that was previously exported globally by an administrator might be removed from the export list at the time of the NIM clean up, as a result of global exports not being set up correctly.
The first rule of NFS exporting is that you cannot export a directory that is either a parent directory or a subdirectory of one that is currently exported and within the same filesystem.

If you have the following filesystem/directory structure on your NIM master:
/export/lpp_source   		(filesystem)
/export/lpp_source/5300		(directory containing different 5.3 lpp_sources)
/export/lpp_source/5300/5300_11	(parent directory specifically 5300-11 lpp_source)

You cannot manually export '/export/lpp_source/5300', and then try to run a NIM operation that would export either
'/export/lpp_source'
'/export/lpp_source/5300'
-or- '/export/lpp_source/5300/5300_11'
without first enabling global exports (or setting up the /etc/exports file with the proper flags so that NIM can properly use the already exported filesystem/directory for the NIM operation).
The action of exporting a subdirectory of an already exported filesystem/directory is just not allowed by NFS rules.




Setting up the NIM environment to enable global exports



*NOTE: The ‘anon=0’ option should NOT be added to the specific line for an export in the /etc/exports file if you enable global exports on the NIM master.


When resources are allocated (NFS-exported by NIM) for use during NIM operations, especially if operations are performed simultaneously on many different clients, the /etc/exports and /etc/xtab files may become very large on the resource servers (the NIM master, or any client being used as a resource server). This may negatively affect NIM performance as the files are locked and modified for each resource allocation or deallocation. The following will relieve the NIM master of this problem:


Enabling global exports on the NIM master

To enable global exports from command line:
# nim –o change –a global_export=yes master

To enable global exports from smit:
# smitty nim_global_export -->

                                  Export NIM Resources Globally

                                          [Entry Fields]
* Enable/Disable Global Exporting of NIM Resources?  [enable]


Disabling global exports on the NIM master

To disable global exports from command line:

# nim –o change –a global_export=no master


To disable global exports from smit:

# smitty nim_global_export -->

                                  Export NIM Resources Globally

                                          [Entry Fields]
* Enable/Disable Global Exporting of NIM Resources?  [disable]

***NOTE:
Make sure that there are NO resources allocated to any clients when you enable or disable global exports on the NIM master. This can lead to situations where resources are exported with incorrect permissions. Attempting to enable or disable global exports on the NIM master when resources are allocated will result in a failure to change the enablement or disablement of global exports. DO NOT enable or disable global exports when there are resources allocated.

Do not modify /etc/exports (adding 'anon=0') and enable global exports in the NIM environment at the same time


Setting up the /etc/exports file to allow for global exports if 'global_exports' is enabled in the NIM environment

A NIM resource, filesystem, or directory can be exported globally using SMIT, or the command line interface.

When resources are allocated (NFS-exported by NIM) for use during NIM operations, especially if operations are performed simultaneously on many different clients, the /etc/exports and /etc/xtab files may become very large on the resource servers (the NIM master, or any client being used as a resource server). This may negatively affect NIM performance as the files are locked and modified for each resource allocation or deallocation.

In environments where administrators are not concerned about who has access to the NIM resources, they may globally export the resources and eliminate the updates made to the /etc/exports and /etc/xtab files. The only limitation for globally exporting resources is that resources used exclusively by diskless and dataless clients cannot be exported. The global export of a NIM resource will make it readable by any machine in the network, not just those in the NIM environment. The resource will be globally exported as long as it is allocated to any client.

Directories that get exported outside of NIM that are in the same filesystem structure as a NIM resource may cause problems during allocation and deallocation of the NIM resource. Specifically, some administrators may export directories by just adding the '-ro' option to the line in the /etc/exports file. This causes the directory that was manually exported by the user to get removed from the /etc/exports file when a NIM resource residing in a sub directory deallocated by NIM. Also remember that the filesystem/directory must me exported via the command line. If you export a filesystem using 'smit/smitty' the filesystem/directory will look like the following example:

 # cat /etc/exports
/export/lpp_source -sec=sys:krb5p:krb5i:krb5:dh,ro

NIM does not work with the security values "-sec=sys:krb5p:krb5i:krb5:dh,ro". Many times you will receive an error when you have exported a filesystem or directory with security values, and this filesystem or directory contains a NIM resource that NIM will try to export for on operation.

Export a filesystem/directory that can be used with NIM when global exports has been enabled on the NIM master, by running the following:
# mknfsexp -d /export/lpp_source -t ro

Once exported as such, you should see the following:
 
# cat /etc/exports
/export/lpp_source -ro

Modifying the /etc/exports file if 'global_exports' is NOT enabled on the NIM master


*If you are not going to enable global exports on the NIM master, you MUST modify the exports environment (the /etc/exports file) as follows. Do not modify /etc/exports (adding 'anon=0') and enable global exports in the NIM environment at the same time:

Export the directory/filesystem:
# mknfsexp –d /export/lpp_source –t ro

*Remember that the filesystem/directory must me exported via the command line. If you export a filesystem using 'smit/smitty' the filesystem/directory will have the value "-sec=sys:krb5p:krb5i:krb5:dh,ro". NIM does not work with the security values "-sec=sys:krb5p:krb5i:krb5:dh,ro", so make sure to use the command line to export the filesystem/directory.

Once exported from command line, you should see the following:
# cat /etc/exports
/export/lppsource –ro

You must then edit the file adding ‘anon=0’ to the line. Once you have done this it should look like the following:
# cat /etc/exports
/export/lpp_source –ro,anon=0

This will cause NIM to leave the parent directory alone in the /etc/exports and /etc/xtab files when deallocating a NIM resource that has a location that is a subdirectory of the parent directory.

*NOTE: This technique (adding ‘anon=0’ to the exports file) ONLY works if global exports are disabled on the NIM master. If global exports are enabled on the NIM master, then 'anon=0' should NOT be added to the line in the /etc/exports file for filesystems/directories that get exported outside of NIM.

Do not modify /etc/exports (adding 'anon=0') and enable global exports in the NIM environment at the same time