Professional Documents
Culture Documents
Open Vmss
Open Vmss
Advanced OpenVMS
System Management
Techniques, Tools,
and Tricks
DJE Systems - http://www.djesys.com/
David J. Dachtera - djesys@earthlink.net
GET CONNECTED
People. Training. Technology.
Agenda
Logical names
Logical name tables
Logical name table search order
Modifying the search order
Since much of the way the VMS environment works is driven by the use
of logical names, well spend a good bit of time talking about them.
Questions in real time are encouraged during this discussion, and we
can always refer back to it as we proceed into those areas where logical
names are used. This will provide an opportunity for reinforcement
through practical examples.
Well also discuss a few gotchas regarding DCL lexical functions as
they relate to OpenVMS and system management.
Agenda
Logical names, contd
Cluster-wide logical names
Caveats
SYS$COMMON Notes
Caveats (VMS$COMMON)
Site-Specific Paths
Organizing local system management code
Agenda
Network Topics
TCP/IP
TCP/IP Services (fka UCX)
Multinet
TCPware
CMU/IP (VAX only)
DECnet
Access control
FAL logging
Agenda
Network Topics, contd
LAT
MOP
Remote Access
Remote procedures
Types
Security concerns
Network Alerts
OPCOM alerts for DECnet network access
OPCOM alerts for FTP network access
Agenda
System Startup
STARTUP phases
STARTUP parameters
Site-Specific startups
Logging SYSTARTUP_VMS.COM
Node-specific startups
Saving a crash dump at start-up time
DEFINE-ing Group Logicals
Soft-coding # of logins allowed at startup
Agenda
System Shutdown
SHUTDOWN parameters
SHUTDOWN$xxxx logical names
AUTOGEN Shutdowns
AGEN$SHUTDOWN_TIME logical name
Cluster Shutdown
REMOVE_NODE, CLUSTER_SHUTDOWN
Being able to startup the system is only half of the story. So, well look
into the system shutdown procedures as well.
Well look at the various parameters and options of the OpenVMSsupplied SHUTDOWN procedure, and some logical names that can be
used to provide default values to certain SHUTDOWN parameters,
including one that is used specifically by the AUTOGEN procedure.
OpenVMS clusters introduce some additional shutdown-time
considerations. So, well look into those as well. The SYSMAN utility
provides some functionality for system and cluster shutdown. Well look
at that as well.
Agenda
AUTOGEN
MODPARAMS.DAT
Reports and outputs
The system STARTUP procedure harks back to the early days of VMS, a
venerable and trusted facility. As such, it contains some artifacts of its
heritage that are worthy of attention. Well take a look at those, since they
could lead to some confusion if used as a current-version example of how
to program DCL procedures.
AUTOGEN is a useful tool for helping to keep OpenVMS systems in tune
and performing well. Well look at using AUTOGEN, setting values for
system parameters in he MODPARAMS.DAT file, and well look at the
reports and outputs of AUTOGEN and how to use them.
Agenda
OpenVMS Security
Essentials
UICs and File/Directory Protection
Access Control Lists (ACLs)
Access Control Entries (ACEs)
Rights Identifiers and ACEs
Propagating ACEs and Default Protections
10
Session 1065
OpenVMS
Logical Names
11
Logical Names
12
LNM$PROCESS_DIRECTORY
13
14
15
Logical Names
Single translation
$ DEFINE lnm value
Search List
$ DEFINE lnm value,value[,]
16
Logical Names
Creating
$ DEFINE lnm value
$ ASSIGN value lnm
Deleting
$ DEASSIGN lnm
17
Logical Names
Access Modes
User
DEFINE/USER
SupervisorDEFINE (/SUPER is default)
Executive DEFINE/EXECUTIVE,
requires CMEXEC privilege.
Kernel
Can only be created by using
the $CRELNM system service,
requires CMKRNL privilege.
Executive and Kernel mode logical names are trusted since
privilege is required to create them.
18
Logical Names
Single Translation
$ DEFINE lnm value
Examples:
"LNM$PROCESS" = "LNM$PROCESS_TABLE" (LNM$PROCESS_DIRECTORY)
"LNM$JOB" = "LNM$JOB_80D27B00" (LNM$PROCESS_DIRECTORY)
"LNM$GROUP" = "LNM$GROUP_000030" (LNM$PROCESS_DIRECTORY)
"LNM$SYSTEM" = "LNM$SYSTEM_TABLE" (LNM$SYSTEM_DIRECTORY)
SYS$LOGIN" = "DKA0:[DDACHTERA]" (LNM$JOB_80D27B00)
19
Logical Names
Search Lists
$ DEFINE lnm value,value[,]
Examples:
$ sh log sys$sysroot
"SYS$SYSROOT" = "DJAS01$DKA300:[SYS0.]" (LNM$SYSTEM_TABLE)
= "SYS$COMMON:"
1 "SYS$COMMON" = "DJAS01$DKA300:[SYS0.SYSCOMMON.]" (LNM$SYSTEM_TABLE)
$ sh log user_exe
! Presenters environment, not provided by VMS.
"USER_EXE" = "USER_IMG:" (LNM$JOB_80D27B00)
= "USER_COM:"
= "SYS$SPECIFIC:[SYSEXE]"
= "SYS$COMMON:[SYSEXE]"
1 "USER_IMG" = "USER_ROOT:[EXE.ALPHA]" (LNM$JOB_80D27B00)
1 "USER_COM" = "USER_ROOT:[EXE]" (LNM$JOB_80D27B00)
Here we see some examples of logical names which are set up as search
lists.
Under the translation of SYS$SYSROOT, we also see the translation of
one of its elements: SYS$COMMON. SYS$COMMON is a rooted logical
as is the first translation of SYS$SYSROOT.
The second example, USER_EXE is a search list that is set up in the
environment of a specific users process. Under USER_EXE we see the
translations of two of its elements, USER_IMG and USER_COM.
20
Logical Names
Concealed Logical Names
$ DEFINE lnm value/TRANS=CONCEAL
Example:
$ sh log sys$sysdevice
"SYS$SYSDEVICE" = "DJAS01$DKA300:" (LNM$SYSTEM_TABLE)
$ sh log sys$sysdevice/full
"SYS$SYSDEVICE" [exec] = "DJAS01$DKA300:" [concealed,terminal]
(LNM$SYSTEM_TABLE)
21
Logical Names
Rooted Logical Names
$ DEFINE lnm ddcu:[dir.]/TRANS=CONCEAL
Examples:
$ show logical sys$specific,sys$common,user_root
"SYS$SPECIFIC" = "DJAS01$DKA300:[SYS0.]" (LNM$SYSTEM_TABLE)
"SYS$COMMON" = "DJAS01$DKA300:[SYS0.SYSCOMMON.]" (LNM$SYSTEM_TABLE)
"USER_ROOT" = "DKA0:[DDACHTERA.]" (LNM$JOB_80D27B00)
22
Logical Names
Using rooted logical names
Examples:
$ show logical sys$sysroot,user_root,user_com,user_img
"SYS$SYSROOT" = "DJAS01$DKA300:[SYS0.]" (LNM$SYSTEM_TABLE)
= "SYS$COMMON:"
1 "SYS$COMMON" = "DJAS01$DKA300:[SYS0.SYSCOMMON.]" (LNM$SYSTEM_TABLE)
"USER_ROOT" = "DKA0:[DDACHTERA.]" (LNM$JOB_80D27B00)
"USER_COM" = "USER_ROOT:[EXE]" (LNM$JOB_80D27B00)
"USER_IMG" = "USER_ROOT:[EXE.ALPHA]" (LNM$JOB_80D27B00)
Here we see examples of system and user level uses of rooted logical
names.
SYS$SYROOT we saw in an earlier slide.
USER_ROOT weve seen before, also. Here we see how it is DEFINEd.
The USER_COM and USER_IMG logical names both use the rooted
logical name USER_ROOT.
23
24
New in V7.2.
25
26
27
Logical Names
Notes:
VMS$COMMON usually not found in system logical
names.
It IS possible to have a system with a missing or
corrupted VMS$COMMON.
OpenVMS upgrades will fail.
Difficult to recover.
Running in this condition is not supported.
Note that the VMS$COMMON directory does not appear in the systemwide logical names setup and used by OpenVMS.
In fact it is possible to have a missing or corrupted VMS$COMMON
directory. The author of this presentation observed it in a running nonclustered system.
While the system will boot and run, OpenVMS upgrades will fail.
This situation is difficult to recover. Your best bet is to build a new system
disk and copy over the system-specific files as needed. This is a tedious
and time-consuming task, but it can be used as a last resort if
ANALYZE/DISK/NOREPAIR doesnt turn up the missing directory as a
lost file.
Running a system in this condition is probably not supported by
OpenVMS Support.
28
Logical Names
Leave OpenVMS-provided logical names alone.
ReDEFINE-ing things like SYS$SYSROOT can
jeopardize support position or system certification
(Healthcare, etc.)
If any of these are reDEFINEd, do it at the /PROCESS
level, not system-wide. Make sure to leave the system
account pristine.
In the abstract for this seminar, mention was made of adding a translation
to the SYS$SYSROOT search list. This is not a good idea, and the
author of this presentation does not advocate making any changes to
logical names provided by OpenVMS. It could cause problems with
OpenVMS support if a question comes up involving any such logical
names or any software that uses them. Also, from the perspective of the
healthcare world, this would constitute a significant change to the
operating environment and could raise questions regarding the
environments continued certification.
If reDEFINE-ing any of theses logical names could be helpful, be sure to
only do this at the /PROCESS level, not system-wide. Make sure to keep
the system accounts user environment as pristine as possible so as not
to raise any questions of supportability or certified environment
specifications.
29
Logical Names
Leave OpenVMS-provided logical names alone.
Probably okay to do this in a privileged account other
than SYSTEM.
If these are needed at SYSTARTUP_VMS time, invoke a
proc. to do the DEFINEs, invoke the proc.s that need the
local logical names, then clean up using
DEASSIGN/PROCESS.
30
Logical Names
It is possible to organize your site-specific
procedures and keep them separated from the
OpenVMS files without reDEFINE-ing any logical
names provided by OpenVMS.
31
Logical Names
OpenVMS Logical Names:
Usually contain a $ (dollar sign).
In logical names, symbol names, file names, etc., use of the dollar sign
($) is reserved to OpenVMS. User supplied names should use only
underscores as punctutaion.
Shown are some examples of user-supplied logical names that might
prove useful.
For example:
SYS_MANAGER
SYS_BACKUP
SYS_OPERATOR
SYS_HELP
Any of these logical names can be made search lists, and probably
should. For example, SYS_MANAGER could point first to the directory
where the local site-specific files reside, then to SYS$MANAGER.
Likewise, SYS_HELP could point first to the local site-specific help, then
to SYS$HELP.
32
Logical Names
$ sho log sys_*
(LNM$PROCESS_TABLE)
(LNM$JOB_80D128C0)
(LNM$GROUP_000030)
(LNM$SYSTEM_TABLE)
"SYS_BACKUP" = "SYS_ROOT:[BACKUP]"
"SYS_HELP" = SYS_ROOT:[SYSHLP]"
"SYS_MANAGER" = "SYS_ROOT:[SYSMGR]"
"SYS_OPERATOR" = "SYS_ROOT:[OPERATOR]
SYS_ROOT = SYS$SYSDEVICE:[XYZCORP.]
= SYS$SYSROOT:
33
Logical Names
Site-specific logical names for system
management can be organized in their own logical
name tables.
User Logical name table can be added to
LNM$FILE_DEV, but dont do that system-wide
DEFINE things /PROCESS.
See the earlier example of how to modify the LNM$FILE_DEV
search list for a process.
/PROCESS is the default for DEFINE and ASSIGN if not
specified.
34
Logical Names
None of us is immortal.
Remember to document your customizations
THOROUGHLY!
If you get hit by a bus today, will someone else be able to come in
and understand what youve done?
35
Session 1065
OpenVMS
Networking
36
Networking
Network stacks for OpenVMS:
TCP/IP
DECnet
Phase IV
Phase V (DECnet/OSI)
Utilities:
LANCP (works without DECnet)
37
Networking - TCP/IP
TCP/IP Services for OpenVMS
Formerly known as UCX (Ultrix Connection)
Developed, sold and supported by HP, shared code base
with Tru64 TCP/IP
Management interface somewhat weak.
Some features (like adding secondary name server and setting up
NTP) require editing config. files manually. Access to non-volatile
Database is inconsistent: sometimes SET CONFIG, sometimes
SET/PERMANENT.
TCP/IP Services for OpenVMS is the new official name for the software
that had come to be known as UCX. TCP/IP Services was renamed and
redeveloped so as to share a common code base with the TCP/IP stack
for Tru64.
While TCP/IP Services is developed and supported by the same
company produces OpenVMS, it does have some weaknesses.
TCP/IP Services management interface is somewhat inconsistent when
it comes to setting characteristics in the permanent database.
Sometimes the command form uses SET CONFIG (as contrasted with
just SET that effects only the volatile database) and sometimes the
command form requires a /PERMANENT qualifier to indicate that
something is being set in the non-volatile database.
Also, adding a secondary name server requires manually editing the
configuration files, since the management interface does not provide for
this.
38
Networking - TCP/IP
TCP/IP Services for OpenVMS
V5.4 High Performance Kernel was optional optimized
for SMP.
V5.5 uses this exclusively.
39
Networking TCP/IP
TCPware
Native to and developed on OpenVMS (originally on
VAX/VMS, ported to Alpha).
Developed, sold and supported by Process Software,
Inc.
Proprietary Management Interface, now similar to
Multinet in some ways.
Slightly more functionality than (UCX), performs better
than Multinet and UCX).
40
Networking - TCP/IP
Multinet
Developed from BSD V4.3 code by TGV, Inc. on
VAX/VMS, ported to Alpha. Now developed, sold and
supported by Process Software, Inc.
Proprietary Management Interface.
Functionality similar to TCPware.
The Multinet TCP/IP product is descended from 4.3BSD code and was
developed by a company called TGV on VAX/VMS. It was later ported to
Alpha. TGV sold Multinet to Cisco Systems, and Cisco sold it to Process
Software.
Multinets management interface is proprietary, but consistent. In general,
most functionality of the software is available through the management
interface without manually editing configuration files.
In general, Multinet enjoys feature parity with TCPware since the two
products are now owned and developed by the same company.
Multinet performance is somewhat better than that of UCX. However,
since TCPware is native to OpenVMS its performance is somewhat better
than that of Multinet or UCX.
41
Networking - TCP/IP
Multinet
Performance is less than TCPware.
Uses Direct I/O generates a lot of Interrupts. By
contrast, current UCX uses Buffered I/O.
Sites with high transaction volumes may need to
consider this.
42
Networking - TCP/IP
CMU/IP
Freeware, a bit old.
Originally developed by TEK, released to Carnegie
Mellon Univ. C.S. department - became freeware.
VAX only - no known Alpha port.
TCP/IP-V4 only.
43
Networking - DECnet
Developed by Digital for PDP-11, migrated to VAX,
ported to Alpha and I64.
Phase-IV is in use widely.
Phase V used where it is needed. Also known as
DECnet-Plus or DECnet/OSI.
DECnet is the original network stack available for OpenVMS. Its roots go
back to the days of the PDP/11 operating systems.
DECnet Phase-IV is still widely used, even though it has gone into mature
product support. DECnet-IV is very reliable and simple to manage. Just
set it and forget it, for the most part.
DECnet-V, known as DECnet-OSI and DECnet-Plus is used where the
functionality it provides is needed.
In general though, TCP/IP co-existence has been mandated due to the
need to consolidate onto a single network infrastructure and support
system.
44
Networking - DECnet
DECnet Phase IV
Very SysAdmin friendly, but takes some getting used to.
Set it and forget it - easily configured, does not issue a
lot of OPCOM messages unless there is trouble on the
line(s).
Specification was published, still publicly available on the
web. Google is your friend.
45
Networking - DECnet
DECnet Phase IV
Permanent database
DEFINE commands in NCP
Volatile database
SET commands in NCP
46
Networking - DECnet
DECnet Phase IV
Provides MOP Remote Console
CONNECT command in NCP
47
Networking - DECnet
DECnet Phase V (DECnet-Plus)
More complicated to manage - management paradigm
follows the OSI seven-layer model.
Circuits are built from the bottom up, following the OSI
seven-layer model.
Management is performed using NCL (Network Control
Language).
Non-volatile database is .NCL files - no permanent
database.
48
Networking - DECnet
DECnet Phase V (DECnet-Plus)
OPCOM messages are more plentiful and more verbose
than Phase IV.
Allows for diagnosis of trouble in each layer.
Provides some features not available in Phase IV.
Complete specification is not published.
49
Networking - DECnet
Access Control
Set up proxy records in
SYS$SYSTEM:NET$PROXY.DAT using the
AUTHORIZE program.
Enable proxy access in NCP (Phase-IV): incoming,
outgoing.
Incoming proxy access, if disabled, defaults to the access control
info of the target object instead of the source node/user.
50
Networking - DECnet
Access Control
Create the proxy database if it doesnt already exist. Use
AUTHORIZE, CREATE/PROXY
Set up proxy records in Authorize.
Enable proxy access in NCL (Phase-V): See the SET
SESSION CONTROL statements.
51
Networking - DECnet
FAL Logging
FAL is the DECnet File Access Listener object. It gets started whenever a
remote DECnet node (or the local node) requests network access to a file
for any reason.
There are two undocumented logical names that can be used to expand
the logging information that comes out of the FAL process (FAL$LOG)
and to record that information someplace other than the default file
destination (FAL$OUTPUT).
52
Networking - DECnet
FAL Logging
FAL$LOG
In SYLOGIN or the DECnet object file:
$ DEFINE FAL$LOG 1/disable=8
This is an unsupported feature
1: file name and file type access information
disable=8 disables Poor Mans Routing:
$ dir node1::node2::node3::
53
Networking - DECnet
FAL Logging
FAL$LOG, contd
Produces copious output - use with discretion.
FAL$OUTPUT
Can be used to specify the name of the log file to create
in place of SYS$OUTPUT
$ DEFINE FAL$OUTPUT FAL.LOG
54
Networking - UCX
Access Control
Trusted Relationships
Enable R services between nodes without having
passwords traverse the network as clear text.
Should be used between nodes on inside networks only
(inside the firewall), and then very judiciously.
55
Networking - UCX
Access Control
Trusted Relationships
No .RHOSTS or HOSTS.EQUIV files.
Use the ADD PROXY command in TCPIP$UCP.
Not well documented:
To make new proxies take effect, issue this command to
TCPIP$UCP:
$ TCPIP
TCPIP> SET TCP/SIGNAL
56
Networking - LAT
LAT - Local Area Transport
Robust, Efficient
Can package data for multiple sessions at the same
MAC address into common packets.
Not routable
No routable info in the network layer
DEC-proprietary (licensed)
Specification published under license
LAT was commonly used for terminal server access prior to the rise of
TCP/IP and TELNET.
LAT is a very efficient and robust protocol. Data for multiple sessions at a
specific MAC address can be packed into a single packet to reduce
network overhead and make better use of the packet size.
LAT is not routable, however, as the packets contain no useful
information that would make routing useful or efficient.
LAT is a DEC-proprietary protocol. The specification is available only
under license. The Open Source community has made efforts to reverseengineer it.
57
Networking - LAT
LAT Control Program (LATCP)
58
Networking MOP
Maintenance Operation Protocol
Not routable
No routable info in the network layer
DEC-proprietary (licensed)
Specification published under license
59
Networking MOP
Maintenance Operation Protocol
LANCP
CONNECT NODE name/DEVICE=enet_dev:
MOP now has three user interface programs at the DCL level:
In DECnet-IV, the NCP program still provides for remote console using
the CONNECT NODE and CONNECT VIA commands.
Even when DECnet is not installed, the LANCP and LANACP programs
are available.
DECnet-V provides for downline loading and upline dumping just like
DECnet-IV. However, remote console is provided by an extension to the
SET HOST command by way of an additional qualifier, /MOP. SET
HOST/MOP can use a known remote node name if the node is set up in
DECnet-V or it supports connecting using the MAC (/PHYSICAL) address
over a specified DECnet-V circuit.
60
Networking MOP
Maintenance Operation Protocol
In DECnet-IV, downline load and upline dump are configured using the
DEFINE or SET NODE command.
As shown in the slide, the system needs to know the devices physical or
MAC address, the circuit over which service will be provided, and the
file(s) that should be sent if the device does not request a specific file.
Note also that for devices requesting a specific load file, any potential
load host which has the requested software and has service enabled can
service the load request. MOP does not provide for loading from only a
specific host.
61
Networking MOP
Maintenance Operation Protocol
LANCP also provides for downline loading. This is mostly intended for
Local Area VMS cluster (LAVc) nodes. The LANCP terminology is DLL
(Down Line Load).
Upline dump is not provided.
Note that unlike the DECnet-IV executor, the LANACP will only answer
load requests for nodes that are in the node database. By contrast, the
DECnet-IV executor will answer any load request if the requested load file
is available.
LANCP is documented in the System Management Utilities A-L manual.
62
DECnet
SET HOST (CTERM)
Remote File Access (FAL)
NML (NCP SET EXECUTOR NODE)
LAT
Connect (from terminal server or PC w/LAT)
SET HOST/LAT
There are many ways to access the system remotely. Outside of dial-up
access to a physical terminal port on the machine itself, DECnet provides
for remote terminal access via the CTERM protocol (SET HOST, no
qualifiers) and provides for remote access to files via the File Access
Listener (FAL). In NCP, you can access the DECnet-IV executor on
another node using the SET EXECUTOR NODE command. The portion
of DECnet used is called the Network Management Layer (NML).
LAT provides for remote connections from terminal servers, PCs that
have an LAT stack and other nodes running LAT. From an OpenVMS
system, you can connect to other systems and nodes that support LAT
using the SET HOST/LAT command. (Note that unlike SET HOST 0, you
cannot SET HOST/LAT to the local node.)
63
TCP/IP:
TELNET
Rshell / Rexec
Rlogin
RCP
SSH, SFTP, etc.
The Various TCP/IP stacks also provide for some common modes of
remote access, including Telnet, Remote Shell (RSHELL), Remote Login
(RLOGIN) and in the case of some of the newer versions of he TCP/IP
stacks for OpenVMS, Secure Shell, Secure FTP (SFTP) and Secure
Socket Layer are provided for along with Kerberos.
See the documentation or the vendor for your TCP/IP stack to see what
is currently available as this tends to change frequently as products
develop and evolve.
64
DECnet
DECnet objects
SUBMIT/REMOTE, PRINT/REMOTE
TCP/IP
RPC (Remote Procedure Call)
Secure Socket Layer (SSL)
65
Again, the DECnet TASK object is best left out or disabled for security
reasons. If needed, care should be taken to keep your system as secure
as possible.
Regardless of how the system is accessed, unsecured accounts (no
password, weak passwords) represent a significant risk. Good system
management must include vigilance in this area.
In-depth security discussion is beyond the scope of this presentation,
although elements of OpenVMS security will be examined near the end of
this presentation.
66
Network Alerts
OPCOM Alerts for network access
SET AUDIT/ENABLE=CONNECTION
DECnet (Phase IV)
$IPC
SYSMAN
SET AUDIT/ENABLE=LOGIN=
ALL, BATCH, DETACHED, DIALUP, LOCAL,
NETWORK, REMOTE, SUBPROCESS
Simple things that can help alert the OpenVMS System Manager to
security issues include enabling Security Audits of incoming connections
via Telnet, CTERM, DECnet, etc.
In addition to login failures (LOGFAIL), successful logins can likewise be
audited to help ensure that everyones tracks can be followed, so to
speak. Here again, care must be taken to not audit too much so that disk
space and processing resources are not overly dedicated to security
issues, unless that is the purpose of the system.
67
Network Alerts
Additional OPCOM Alerts for FTP
Additional OPCOM alerts can be set up for FTP using the service
procedures supplied with TCP/IP stack or by building your own wrapper
around the vendors scripts.
These can be as general or as specific as deemed necessary and/or
appropriate for each situation.
The best source of information is the vendor of your TCP/IP stack or FTP
server software.
68
Session 1065
System Startup
Procedure
69
System Startup
Default /STARTUP procedure:
SYS$SYSTEM:STARTUP.COM
70
System Startup
STARTUP Phases:
In SYS$STARTUP:VMS$VMS.DAT
RMS Indexed file
Changes to this area of the startup are *NOT* supported
by HP.
71
System Startup
STARTUP Phases:
$ TY SYS$STARTUP:VMS$VMS.DAT
BASEENVIRON DVMS$BASEENVIRON-050_VMS.COM
E*BASEENVIRON DVMS$BASEENVIRON-050_SMISERVER.COM
E*BASEENVIRON DVMS$BASEENVIRON-050_LIB.COM
E*BASEENVIRON DDECDTM$STARTUP.COM
E*BASEENVIRON DLICENSE_CHECK.EXE
E*CONFIG
DVMS$CONFIG-050_VMS.COM
E*CONFIG
DVMS$CONFIG-050_ERRFMT.COM
E*CONFIG
DVMS$CONFIG-050_CACHE_SERVER.COM
E*CONFIG
DVMS$CONFIG-050_CSP.COM
E*CONFIG
DVMS$CONFIG-050_OPCOM.COM
E*CONFIG
DVMS$CONFIG-050_AUDIT_SERVER.COM
E*CONFIG
DVMS$CONFIG-050_JOBCTL.COM
E*CONFIG
DVMS$CONFIG-050_LMF.COM
E*CONFIG
DVMS$CONFIG-050_SHADOW_SERVER.COM
E*CONFIG
DVMS$CONFIG-050_SECURITY_SERVER.COM
E*DEVICES
DVMS$DEVICE_STARTUP.COM
E*INITIAL
DVMS$INITIAL-050_VMS.COM
E*INITIAL
DVMS$INITIAL-050_LIB.COM
E*INITIAL
CVMS$INITIAL-050_CONFIGURE.COM
E*LPBEGIN
DVMS$LPBEGIN-050_STARTUP.COM
E*PRECONFIG
DIPC$STARTUP.COM
E*PRECONFIG
DVMS$SPIRALOG_STARTUP.COM
E*
72
PRECONFIG
CONFIG
SYSECURITY
BASEENVIRON
LPBEGIN
SYSTARTUP_VMS
LPMAIN
LPBETA
END
73
PRECONFIG
CONFIG
SYSECURITY
BASEENVIRON
LPBEGIN
SYSTARTUP_VMS
LPMAIN
LPBETA
END
Note that even during a minimum boot, some procedures are always a
part of the startup sequence. It is best not to MOUNT disks in these
procedures unless it will always be okay to do so, even in a minimal
startup.
74
System Startup
Site-Specific STARTUPs:
In SYS$MANAGER path
SYSTARTUP_V5.COM in V5.x
SYSTARTUP.COM in V4 and earlier.
75
System Startup
STARTUP Parameters:
STARTUP_P1
blank - Normal System Startup
MIN - Minimal Startup
No SYSTARTUP_VMS but
Most of the other SY*.COM proc.s will still be run.
76
System Startup
STARTUP Parameters:
STARTUP_P2
blank - Normal System Startup
1, YES or TRUE - Verify on
77
System Startup
SYSTARTUP_VMS :
$ @MOUNT_DISKS
$ @DEFINE_GROUP_LOGICALS
The author of this presentation prefers to keep redundant, cut-andpaste code down to a bare minimum, and so advocates keeping the
system startup procedures modular.
This has multiple advantages.
Individual startup procedures can be run manually at anytime without
having to run the entire site-specific startup procedure.
Maintenance of individual procedures is eased by having less code to
wade through. Changes typically need to be done in only one place rather
than many.
Startups that differ between nodes can be separated by exploiting the
SYS$SYSROOT search list. Node-specific procedures can be placed in
node-specific roots while cluster common procedures can be placed in
the cluster common path. This allows for non-redundant code for
common events as well as node specific additions and exclusions.
78
System Startup
SYSTARTUP_VMS :
79
System Startup
SYSTARTUP_VMS :
Logging SYSTARTUP_VMS:
$ SET NOON
$ DEFINE SYS$OUTPUT SYS$MANAGER:SYSTARTUP_VMS.LOG
.
.
.
$ DEASSIGN SYS$OUTPUT
This slide illustrates a trick for providing a log of events occurring during
the site-specific startup procedure.
Near the top of the procedure, insert a DEFINE SYS$OUTPUT
command. DCL will recognize this and direct subsequent output to the
file. A SET NOON helps insure that the procedure will run to completion
in spite of errors that may occur during it, and enables the procedure to
detect the success or failure of each element.
Near the bottom of the procedure, insert a DEASSIGN SYS$OUTPUT
command. DCL will detect this and close the file. SYS$OUTPUT data will
again show up on OPA0:.
80
System Startup
SYSTARTUP_VMS :
Logging SYSTARTUP_VMS:
Caveat: May not work with some application startups
Example: MiSys (Sunquest) FlexiLAB
(MUMPS application, runs in InterSystemss Cache RDB
environment)
Expects a response to a prompt, chokes on the log file as
SYS$OUTPUT.
81
System Startup
Saving/reporting a crash dump at System Startup
time:
$ ANALYZE/CRASH_DUMP SYS$SYSTEM:SYSDUMP.DMP
COPY ddcu:<dir>:SAVEDUMP.DMP
! For VAX
READ SYS$LOADABLE_IMAGES:SYSDEF
! For Alpha
SHOW CRASH
SHOW STACK /ALL
SHOW SUMMARY
SHOW PROCESS /PCB /PHD /REGISTERS
SHOW SYMBOL /ALL
EXIT
82
System Startup
Saving/reporting a crash dump at System Startup time:
COPY in SDA only copies the portion of the dump file that was actually
written during the last dump.
The result is usually much smaller than the actual dump file, unless the
dump file is too small.
$ ANALYZE/CRASH_DUMP SYS$SYSTEM:SYSDUMP.DMP
COPY ddcu:<dir>:SAVEDUMP.DMP
SET OUTPUT SYS$MANAGER:SYSDUMP.LIS
READ/EXEC
! READ SYS$SYSTEM:SYSDEF
READ SYS$LOADABLE_IMAGES:SYSDEF ! For Alpha
SHOW CRASH
SHOW STACK /ALL
SHOW SUMMARY
SHOW PROCESS /PCB /PHD /REGISTERS
SHOW SYMBOL /ALL
EXIT
The COPY command in SDA copies only that portion of the dump file that
was actually written during the most recent dump. Thus, the COPY
destination can be significantly smaller than the dump file itself and can
more easily be FTPed to VMS Support for analysis.
83
System Startup
DEFINE-ing Group Logicals at Startup:
SET up a DCL procedure to DEFINE (or assign) the
needed logicals using /GROUP and whatever access
mode is appropriate.
Invoke that procedure as a detached process at system
startup time.
84
System Startup
DEFINE-ing Group Logicals at Startup:
Example:
$ RUN SYS$SYSTEM:LOGINOUT.EXE/UIC=[300,1]/INPUT=GROUP_300_LOGICALS.COM/OUTPUT=GROUP_300_LOGICALS.LOG
85
System Startup
DEFINE-ing Group Logicals at Startup:
Alternate Example:
$ RUN SYS$SYSTEM:LOGINOUT.EXE/UIC=[300,1]/INPUT=NLA0:/OUTPUT=NLA0:
86
System Startup
Setting logins at Startup:
A problem that has dogged VMS System Managers since the dawn of
VMS is to have the required number of interactive logins set at system
startup time.
Currently, a global DCL symbol (global to the STARTUP process) is set
up during SYS$STARTUP:VMS$BASEENVIRON-050_VMS.COM:
$startup$interactive_logins == 64. It is assigned an arbitrary value of 64,
which happens to also be the default value for the IJOBLIM system
parameter. IJOBLIM limits the number of interactive logins available at
any given time.
87
System Startup
Setting logins at Startup, contd:
88
System Startup
Setting logins at Startup, contd:
89
System Startup
Setting logins at Startup, contd:
$ startup$interactive_logins == F$GETSYI( IJOBLIM )
Notes:
Set the desired value for IJOBLIM in
MODPARAMS and run AUTOGEN, or change the
CURRENT value using SYSMAN or SYSGEN.
Change takes effect on next boot.
90
System Startup
Setting logins at Startup, contd:
$ startup$interactive_logins == F$GETSYI( IJOBLIM )
Notes, contd:
IJOBLIM is a dynamic parameter. The SET
LOGINS/INTERACTIVE command displays or
varies its value. See the HELP.
91
System Startup
Setting logins at Startup, contd:
SET LOGINS/INTERACTIVE caveat:
92
System Startup
Setting logins at Startup, contd:
SET LOGINS/INTERACTIVE caveat:
For the reason outlined in the notes on the previous slide, the author of
this presentation recommends that this command NEVER be used in the
site-specific startup procedure or any that it invokes. Use the global DCL
symbol instead.
93
94
System startup files that are unique to a system or a cluster are usually
found in the SYS$MANAGER path.
The translation of the logical name SYS$MANAGER is
SYS$SYSROOT:[SYSMGR].
Since SYS$SYSROOT is a search list, care should be taken when setting
SYS$MANAGER as your default. If you are editing files, the revised
versions of those files will be written back to their original location. If
found in SYS$SPECIFIC:[SYSMGR], thats where the new version will be
written. If found in SYS$COMMON:[SYSMGR], thats where the new
version will be written. If you create a new file, and your default is set to
SYS$MANAGER, the new file will be created in the directory indicated by
the first element of SYS$MANAGER, namely the node-specific path.
Note that the translation of SYS$SPECIFIC is the same as the first
translation of the SYS$SYSROOT search list.
95
Session 1065
SYSMAN and
STARTUP
96
97
While SYSMAN does provide this ability, there are some caveats and
notes:
This method of entering site-specific startups into the startup sequence is
not as flexible as doing so from the site specific startup procedure.
Making startups conditional upon the success or failure of previous
startups becomes more cumbersome as does inserting startups that are
local to a node rather than common to the cluster.
This method of modifying the startup sequence is not as widely used or
as widely known. Those who come after you may have difficulty
understanding or supporting modifications to the startup database made
using SYSMAN.
The good news, however, is that SYSMAN provides for specifying that
procedures added this way should run detached, in batch, in a
subprocess or in-line (DIRECT).
98
SYSMAN allows for entering items into the startup sequence that run
after SYSTARTUP_VMS. So, these notes should be borne in mind when
planning and implementing startup modifications through SYSMAN:
SYSTARTUP_VMS is invoked during the LPBEGIN phase. This phase is
not executed in a minimal startup. Neither are any of the other LP
(Layered Product) phases.
Valid phases for startup sequence modifications entered using SYSMAN
are LPBEGIN, LPMAIN, LPBETA and END, in order of execution.
When adding a startup that occurs after SYSTARTUP_VMS is completed
be aware that SYSTARTUP_VMS, or a procedure that it invokes may
have enabled logins and users may already be accessing the system,
before the startup sequence is complete.
99
Session 1065
Conversational Boot,
Minimum Startup
100
Conversational Boot
HP Integrity Servers EFI Shell
Shell> set vms_flags x,1
or
Shell> fs0:\efi\vms\vms_loader.efi fl x,1
Using a shell alias:
Shell> alias b fs0:\efi\vms\vms_loader.efi
Shell> b fl x,1
101
Conversational Boot
Most Current Alphas, most old Alphas (including
Multia), VAX 7000:
>>> boot fl x,1
VAX 6000
>>> BOOT boot_profile/R5=1
>>> BOOT boot_profile/R5=x0000001
VAX 8000s
See the manual
102
Minimum Boot
>>> b fl 10,1
SYSBOOT> SET STARTUP_P1 MIN
SYSBOOT> CONTINUE
Use SET WRITESYSPARAMS 0 before CONTINUE for a
one-time minimum boot.
103
Session 1065
System Shutdown
Procedure
104
System Shutdown
$ @SYS$SYSTEM:SHUTDOWN
Prompts interactively for parameters
Parameters can also be specified on the command line
that invokes the procedure.
See the SHUTDOWN and REBOOT symbols in
SYS$MANAGER:LOGIN.TEMPLATE
105
System Shutdown
SYS$SYSTEM:SHUTDOWN.COM
Parameters:
P1 = Minutes to final shutdown
P2 = Reason for Shutdown
P3 = Spin down disk volumes? (Y/N)
P4 = Invoke SYSHUTDWN.COM? (Y/N)
P5 = When will system be rebooted?
P6 = Should auto. reboot be performed? (Y/N)
P7 = Options (SAVE_FEEDBACK, etc.)
P5 and P6 are reverse order to the prompts.
106
Just as there is a site-specific startup procedure, there is also a sitespecific shutdown procedure. SYS$MANAGER:SYSHUTDWN.COM is
run as part of the SHUTDOWN sequence if this option is selected in
SHUTDOWN.
Use SYSHUTDWN to stop applications, databases, daemons, etc. that
may be holding files open. This provides that such software can be
shutdown gracefully instead of letting SHUTDOWN STOP them abruptly
later on in the SHUTDOWN sequence.
Like SYSTARTUP_VMS, the author recommends keeping SYSHUTDWN
modular so that individual shutdowns can be invoked at will for testing,
problem solving, etc.
107
System Shutdown
SYS$SYSTEM:SHUTDOWN.COM
Logical Names
SHUTDOWN$MINIMUM_MINUTES
Default value for minutes to final shutdown.
AGEN$SHUTDOWN_TIME
Used by AUTOGEN as minutes to final SHUTDOWN or
REBOOT.
SHUTDOWN$INFORM_NODES
Cluster nodes to receive REPLY messages from SHUTDOWN
SHUTDOWN$VERIFY
Allows SET VERIFY to be in effect during SHUTDOWN
108
Shutdown Options
REBOOT_CHECK
SAVE_FEEDBACK
DISABLE_AUTOSTART
POWER_OFF
109
Shutdown Options
REBOOT_CHECK
The reboot check option performs some very basic checks for the
existence of some key files. Some examples include the APB or VMB
bootstraps, SYSBOOT and others.
Note, however, that this check is not comprehensive. It does not attempt
to detect corrupted or unreadable files, for instance, nor does it check the
integrity of the boot block. It can catch certain situations that would
prevent a successful reboot; the author has found this useful. The errors
were fixed and a successful shutdown and reboot was done.
110
Shutdown Options
SAVE_FEEDBACK
111
Shutdown Options
DISABLE_AUTOSTART
112
Shutdown Options
POWER_OFF
Some of the newer Alpha console subsystems allow for the hardware
system to be powered down under software control. The POWER_OFF
shutdown option was added to support this feature.
The POWER_OFF option is new as of OpenVMS V7.
113
114
Every Shutdown
115
Session 1065
AUTOGEN
116
AUTOGEN
SYS$UPDATE:AUTOGEN.COM
117
AUTOGEN
118
AUTOGEN - MODPARAMS
SYS$SYSTEM:MODPARAMS.DAT
119
AUTOGEN - MODPARAMS
parameter_name = needed_value
120
AUTOGEN - MODPARAMS
MIN_parameter_name = minimum_value
121
AUTOGEN - MODPARAMS
MAX_parameter_name = maximum_value
122
AUTOGEN - MODPARAMS
ADD_parameter_name = addtl_value
123
AUTOGEN - Phases
SAVPARAMS
GETDATA
GENPARAMS
TESTFILES
GENFILES
SETPARAMS
SHUTDOWN
REBOOT
- Collects Feedback
- Collects all other data
- Generates new parameters
- Calculates new sys file sizes
- Generates new system files
- Creates new boot param.s
- Shutdown the system
- Reboot the system
HELP
124
AUTOGEN - Phases
SAVPARAMS
125
AUTOGEN - Phases
GETDATA
126
AUTOGEN - Phases
GENPARAMS
Performs calculations and generates the new system
parameters (but does not yet set them into the Current
parameters).
Creates the new list of installed images based on the state
of the currently running system.
127
AUTOGEN - Phases
TESTFILES
Calculates new page and swap file sizes, but does not
apply any changes.
128
AUTOGEN - Phases
GENFILES
Generates new swap and page files based on AUTOGEN
calculations.
Use entries in MODPARAMS to override:
DUMPFILE=0
SWAPFILE=0
PAGEFILE=0
129
AUTOGEN - Phases
SETPARAMS
Creates the new boot-time (current) parameters.
Changes take effect on the next boot.
130
AUTOGEN - Phases
SHUTDOWN
Shutdown the system and leave it ready for a manual boot
or other console-level operations.
Caveat: Does *NOT* invoke SYSHUTDWN!
131
AUTOGEN - Phases
REBOOT
Reboot the system using the newly generated parameters
and/or system files.
Caveat: Does *NOT* invoke SYSHUTDWN!
The REBOOT phase allows AUTOGEN to shut the system down and
specify that automatic reboot should be performed. This is what typically
happens at the end of an OpenVMS upgrade or install.
A caveat about REBOOT is that the site-specific shutdown procedure,
SYSHUTDWN is not executed during the REBOOT or SHUTDOWN
phase of AUTOGEN.
The SHUTDOWN and REBOOT phases of AUTOGEN invoke
SYS$SYSTEM:SHUTDOWN.COM.
132
AUTOGEN - Phases
HELP
Display HELP information for how to use AUTOGEN.
Useful to output this to a file:
$ @SYS$UPDATE:AUTOGEN/OUTPUT=AGEN_HELP.LIS HELP
133
AUTOGEN - Phases
Typical uses:
See if current MODPARAMS settings are suitable:
$ @SYS$UPDATE:AUTOGEN SAVPARAMS TESTFILES
Generate new system parameters for next boot:
$ @SYS$UPDATE:AUTOGEN SAVPARAMS SETPARAMS
AUTOGEN using previously saved feedback:
$ @SYS$UPDATE:AUTOGEN GENPARAMS SETPARAMS
134
AUTOGEN - Phases
Typical uses:
AUTOGEN ignoring feedback:
$ @SYS$UPDATE:AUTOGEN _$ GENPARAMS SETPARAMS NOFEEDBACK
AUTOGEN using previously saved feedback, if it is valid:
$ @SYS$UPDATE:AUTOGEN _$ GENPARAMS SETPARAMS CHECK_FEEDBACK
135
AUTOGEN - Report
SYS$SYSTEM:AGEN$PARAMS.REPORT
Generated on each run of AUTOGEN during the
GENPARAMS phase.
Indicates any MODPARAMS errors detected by AUTOGEN.
Indicates the results of AUTOGEN calculations and
resulting changes to system parameters.
136
AUTOGEN - Logging
AUTOGEN issues useful information on SYS$OUTPUT,
also.
Some SysAdmins find this useful:
$ @SYS$UPDATE:AUTOGEN/OUT=AGEN.LOG start_phase end_phase
137
Session 1065
Useful Tips
and Tricks
138
139
140
141
142
143
Example
(Small Alpha with direct-attached RZ29B, 4.3GB SCSI disk):
$ ld connect dka100:/lbn=(start=0,count=3145728) lda1/allo=1
$ ld connect dka100:/lbn=(start=3145728,count=3145728) lda3
$ ld connect dka200:/lbn=(start=0,count=3145728) lda2
$ ld connect dka200:/lbn=(start=3145728,count=3145728) lda4
$ moun/noassi/syst dsa1/shad=($1$lda1,$1$lda2) shadow1 shadow1
$ moun/noassi/syst dsa2/shad=($1$lda3,$1$lda4) shadow2 shadow2
144
Session 1065
OpenVMS
Security Elements
145
146
147
148
149
150
151
152
153
154
DELETE
CONTROL
EXECUTE
Object owner always has CONTROL
155
Rights Identifiers for use in setting up Access Control Entries (ACEs) are
created and managed using the AUTHORIZE utility.
Identifiers can be simple identifiers or they can be associated with
common resources, such as to cause disk usage for a file to be charged
against a specific UICs disk quota. There are other types of identifiers
also, such as those associated with protected subsystems and those
associated with UICs.
Identifiers can be GRANTed to users or REVOKEd from users by using
AUTHORIZE program.
Note that identifiers can be dynamic - non-privileged users can acquire
and release them using the SET RIGHTS_LIST command in DCL.
156
157
158
Session 1065
Closing Comments,
Q&A
159
Freeware Sources
The OpenVMS Freeware CDs are online at the
OpenVMS website.
The DFWCUG DECUS CD-ROM Archive:
ftp://ftp.montagar.com/decus/
Here is a brief list of some sites where OpenVMS freeware (or links to it)
can be found.
The contents of the OpenVMS Freeware CDs V4 and V5 can be found on
line at the OpenVMS website.
The Dallas / Fort Worth LUG maintains an extensive archive of free
software and DECUS CDs.
Note that the ftp://ftp.montagar.com/ URLs were tested successfully with
an older Netscape (V4.77). The site was also accessed successfully
using the Multinet FTP client on OpenVMS. Attempts to access the site
using Internet Explorer V6 on Windows were less than successful.
160
Freeware Sources
OpenVMS FAQ
http://www.hp.com/go/openvms/faq
DJE Systems OpenVMS Freeware archive:
http://www.djesys.com/freeware/vms/
This session is based on a pre-symposium seminar given at HP/ETS2002 in St. Louis, Missouri (USA). The presentation and associated
freeware are available at the DJE Systems VMS Freeware archive:
4038_freeware.zip
seminar_1024_2002.zip
This presentation can be found on-line shortly after the symposium at this
URL: http://www.djesys.com/vms/support/
161
Session 1065
Thanks for coming!
Disclaimer: All information is correct to the best of
the authors knowledge.
Please fill out the evaluation forms, if available.
162