We mentioned in a recent post that we had built an automated process to find any PTF’s associated with a security bulletin issued for the IBM i/OS that were missing from your system and download them automatically to an Image Catalog on your system. This was as a result of our work on the IBM i monitoring tool we provide called AAG. Another check that we provide with AAG looks up the latest PTF Group level available from IBM Fix Central and compares that with the Group level installed, if we do security bulletins we should probably do the PTF Groups in the same manner..
What seemed like a fairly straight forward process turned out to have a few hidden gotcha’s which resulted in us having to resort to using our website as an intermediary to the IBM website. The fact that we have so many function rich libraries on the Linux system that are not available on the IBM i also made this a better option than trying to write code to handle XML sorts and File downloads via HTTP.
We normally use Fix Central to order all of our PTF groups in one shot, this means we can download all of the PTF groups at once and use the same image files on each system (we tend to keep all of the LPAR running the same OS at the same PTF level). Doing it individually on each LPAR could have been an issue but the same binary files can be used on each system anyhow, we just needed to figure out which system would be the base. Using Fix Central also added a lot of manual effort, we had to sign onto the site and set up the order for each of the PTF Groups (We ordered everyone and the CUM package every time), then place the order.
IBM would send us emails stating how to download the files using FTP (we have used the Download Director process as well), with this information we would sign onto the relevant IBM FTP server using the credentials provided and download all of the items to a PC. Once everything was on the PC we would then FTP each file to the relevant LPAR, add each binary file individually to the Image Catalog before running the PTF install process. As you can see this was a lot of manual effort and it generally took us a couple of days to complete.
One reason we did not carry out the process very often was the amount of time and effort it took. This meant the systems were down level for months at a time before we bit the bullet and and went through the process for each LPAR. Now we can do all of the ordering and downloading automatically, it even adds the binary files to the Image Catalog so all you have to do is to mount the Image Catalog to a Virtual Optical Drive and run the PTF install process.
We downloaded the latest group PTF’s last Monday and installed all of the PTF’s on Saturday just passed, when we checked there were already 3 new PTF groups released by IBM (as notified by AAG)! this allowed me to test the new process against one of the LPARs (it is running V7R3 and the last download of the PTF groups and CUM was over 24GB), it correctly identified the 3 PTF groups that had been released and downloaded the images to the Image Catalog in a few minutes. I would have spent more time just signing onto Fix Central than this took! Once the files were there it took me another few minutes to mount the Image Catalog to our Virtual Optical Drive and install all of the PTF’s. We can also use the downloaded files on out other LPARs running the same OS Version.
This is yet another great addition to the AAG product, it will be available in the next update which we hope to ship in January 2023. I did ask a few customers if something like this would be a benefit to which we had a mixed response, some felt they would use it while others say they only update the PTF’s every 6 months or so. Personally we like to keep the systems as up to date as possible, when we contact IBM with a problem (the hosted LPAR and SNDPTFORD issue was exactly the same) IBM generally asks that we get to the latest PTF level before they will engage, so getting ahead of the game is also saving us time when we need IBM support.
We are finding Nagios and AAG to be a great tool for our in-house IBM i systems management, it has saved us a lot of time in terms of manual effort required to continually monitor the IBM i checking for out of spec situations. Now with the new tools we are adding it is also reducing the effort required to keep the systems in perfect working order and reducing the possibility of external attacks against known exposures. All of this for less than the cost of a cup of (decent) coffee per day.
Happy Days… Chris…