IBM AIX Continuous Availability Features - IBM Redbooks

More documents

Recommendations

Info

3.7.7 User mode protection keys User keys are intended for providing heuristic data protection in order to detect and prevent accidental overlays of memory in an application. User key support is primarily being provided as a RAS feature which could be used, for example, for DB2. Their primary use is to protect the DB2 core from errors in UDFs (user-defined functions). Their secondary use is as a debugging tool to prevent and diagnose internal memory overlay errors. To understand how a user key is useful, take a brief look at DB2. DB2 provides a UDF facility where customers can add extra code to the database. There are two modes UDFs can run in: fenced and unfenced, as explained here: ► Fenced mode UDFs are isolated from the database by execution under a separate process. Shared memory is used to communicate between the database and UDF process. Fenced mode has a significant performance penalty because a context switch is required to execute the UDF. ► Unfenced mode The UDF is loaded directly into the DB2 address space. Unfenced mode greatly improves performance, but introduces a significant RAS exposure. Although DB2 recommends using fenced mode, many customers use unfenced mode for performance reasons. It is expected that only “private” user data can be protected with user keys. There are still exposures in system data, such as library data that is likely to remain unprotected. Hardware keys are separated into a user mode pool and a kernel mode pool for several reasons. First, an important feature of kernel keys is to prevent accidental kernel references to user data. If the same hardware key is used for both kernel and user data, then kernel components that run with that hardware key can store to user space. This is avoided. Separating the hardware keys simplifies user memory access services such as copyin(). Because the hardware keys are separated, the settings for kernel mode access and user mode access can be contained in a single AMR. This avoids a costly requirement to alter the AMR between source and destination buffer accesses. When user keys are disabled, sysconf(_SC_AIX_UKEYS) returns zero (0), indicating that the feature is not available. Applications that discover the feature is not available should not call other user key-related services. These services fail if called when user keys are disabled. Support for user keys is provided for both 32-bit and 64-bit APIs. In 32-bit mode, compiler support for long long is required to use user keys. User key APIs will be provided in an AIX V5.3 update, as well as in AIX V6.1. Applications that use these APIs have an operating system load time requisite. To avoid this requisite, it is recommended that the application conditionally load a wrapper module that makes reference to the new APIs. The wrapper module is only loaded when it is determined that user keys are available; that is, when the configured number of user keys is greater than zero. Types of user keys AIX will provide a default number of user keys. A sysconf (_SC_AIX_UKEYS) call can be used by applications to query the number of user keys. For POWER6, two user keys are available. 100 IBM AIX Continuous Availability Features
This is accomplished by exclusively dedicating hardware keys for use by applications. The primary user key UKEY_PUBLIC is the default storage-key for user data. Access to this key cannot be disabled in user-mode. The UKEY values are an abstraction of storage keys. These key values are the same across all applications. For example, if one process sets a shared page to UKEY_PRIVATE1, all processes need UKEY_PRIVATE1 authority to access that page. The sysconf() service can be used to determine if user keys are available without load time dependencies. Applications must use ukey_enable() to enable user keys before user key APIs can be used. All user memory pages are initialized to be in UKEY_PUBLIC. Applications have the option to alter the user key for specific data pages that should not be publicly accessible. User keys may not be altered on mapped files. The application must have write authority to shared memory to alter the user key. Other considerations for user keys application programming Like kernel key support, user key support is intended as a Reliability and Serviceability feature. It is not intended to provide a security function. A system call permits applications to modify the AMR to allow and disallow access to user data regions, with no authority checking. The kernel manages its own AMR when user keys are in use. When the kernel performs loads or stores on behalf of an application, it respects the user mode AMR that was active when the request was initiated. The user key values are shared among threads in a multithreaded process, but a user mode AMR is maintained per thread. Kernel context switches preserve the AMR. Threaded applications are prevented from running M:N mode with user keys enabled by the ukey_enable() system call and pthread_create(). The user mode AMR is inherited by fork(), and it is reset to its default by exec(). The default user mode value enables only UKEY_PUBLIC (read and write access). A system call, ukeyset_activate() is available to modify the user mode AMR. Applications cannot disable access to UKEY_PUBLIC. Preventing this key from being disabled allows memory that is “unknown” to an application to always be accessible. For example, the TOC or data used by an external key-unsafe library is normally set to UKEY_PUBLIC. The ucontext_t structure is extended to allow the virtualized user mode AMR to be saved and restored. The sigcontext structure is not changed. The jmp_buf structure is not extended to contain an AMR, so callers of setjmp(), _setjmp(), and sig_setjmp() must perform explicit AMR management. A ukey_setjmp() API is provided that is a front-end to setjmp() and manages the user mode AMR. The user mode AMR is reset to contain only UKEY_PUBLIC when signals are delivered and the interrupted AMR is saved in the ucontext_t structure. Signal handlers that access storage that is not mapped UKEY_PUBLIC are responsible for establishing their user mode AMR. Hardware and operating system considerations ► AIX APIs for application user keys will be made available in AIX 5.3 TL6 running on POWER6 hardware. AIX V5.3 does not support kernel keys. ► In AIX V5.3 TL6, application interfaces that exploit user keys only function with the 64-bit kernel. When the 32-bit kernel is running, these user keys APIs fail. ► User keys are considered an optional platform feature. APIs are present to query if user keys are supported at runtime, and how many user keys are available. ► User keys are available in 32-bit and 64-bit user-mode APIs. ► User keys can be used by threaded applications in 1:1 mode. They are not supported in M:N mode. Chapter 3. AIX advanced continuous availability tools and features 101
Page 1:
Front cover IBM AIX Continuous Avai
Page 4 and 5:
Note: Before using this information
Page 6 and 7:
2.3.7 Minidump . . . . . . . . . .
Page 8 and 9:
vi IBM AIX Continuous Availability
Page 10 and 11:
Trademarks The following terms are
Page 12 and 13:
Engineering degree in Computer Scie
Page 14 and 15:
Find out more about the residency p
Page 16 and 17:
1.1 Overview In May 2007, IBM intro
Page 18 and 19:
1.5 Continuous operations Continuou
Page 20 and 21:
1.6.2 Availability 1.6.3 Serviceabi
Page 22 and 23:
IBM has tried to enhance FFDC featu
Page 24 and 25:
10 IBM AIX Continuous Availability
Page 26 and 27:
2.1 System availability AIX is buil
Page 28 and 29:
On AIX 5.3, the only way to persist
Page 30 and 31:
When used on a standalone server (s
Page 32 and 33:
mirrored volume group on the client
Page 34 and 35:
2.2.1 Error checking Run-Time Error
Page 36 and 37:
The PowerPC hardware gives software
Page 38 and 39:
System dumps can also be user-initi
Page 40 and 41:
Live dumps are small dumps that do
Page 42 and 43:
Trace is a valuable tool for observ
Page 44 and 45:
Component Trace uses mechanisms sim
Page 46 and 47:
2.3.14 syslog To display the boot l
Page 48 and 49:
Logging can be added to many of the
Page 50 and 51:
compression: on path specification:
Page 52 and 53:
2.4.4 EtherChannel network traffic
Page 54 and 55:
2.4.6 2-Port Adapter-based Ethernet
Page 56 and 57:
operations) without affecting produ
Page 58 and 59:
Quorum A quorum is a vote of the nu
Page 60 and 61:
2.5.8 Journaled File System-related
Page 62 and 63:
Fast I/O failure is controlled by a
Page 64 and 65: display its output in a format suit
Page 66 and 67: For more detailed information about
Page 68 and 69: 54 IBM AIX Continuous Availability
Page 70 and 71: 3.1 AIX Reliability, Availability,
Page 72 and 73: This means that traditional AIX sys
Page 74 and 75: used by IBM service personnel, so t
Page 76 and 77: also be used to obtain a snapshot o
Page 78 and 79: 3.5 Live dump and component dump Li
Page 80 and 81: lfs filesystem ._0 | NO | ON/3 | OF
Page 82 and 83: .vmker | YES | ON/3 | OFF/3 .vmpool
Page 84 and 85: The output of Start a Live Dump is
Page 86 and 87: Table 3-3 Concurrent update termino
Page 88 and 89: We tested the installation of an ef
Page 90 and 91: Setting efix state to: STABLE +----
Page 92 and 93: mode, storage keys are called user
Page 94 and 95: Example 3-19 shows the SMIT menu fo
Page 96 and 97: might share a given hardware key. M
Page 98 and 99: KKEY_UPUBLIC, KKEY_FILE_DATA KKEY_U
Page 100 and 101: Note: Kernel keys and keysets, whic
Page 102 and 103: extension key-aware is determining
Page 104 and 105: added a protection gate for the int
Page 106 and 107: } printf("hardware keyset after KER
Page 108 and 109: } param=atoi(*(argv+1)); printf("Te
Page 110 and 111: Load the kernel extension so that a
Page 112 and 113: 3 : 000000000000000A r4 : F10006C00
Page 116 and 117: ► The APIs provided by the system
Page 118 and 119: if (!strcmp(*(argv+1),"read")){ if
Page 120 and 121: strlen() at 0xd010da00 _doprnt(??,
Page 122 and 123: int pthread_attr_setukeyset_np (pth
Page 124 and 125: Machine State Save Area iar : 00000
Page 126 and 127: As a consequence, determining the r
Page 128 and 129: A Vue script or Vue program is a pr
Page 130 and 131: ► An optional predicate The predi
Page 132 and 133: 3. Interval probe manager The inter
Page 134 and 135: { int count; count = count +1; prin
Page 136 and 137: ► Errno names ► Signal names
Page 138 and 139: * will result in error out of read(
Page 140 and 141: This places a large part of the bur
Page 142 and 143: Note: The frequency of checks made
Page 144 and 145: Non-fragments 00000066 Promotions 0
Page 146 and 147: immediately after the returned stor
Page 148 and 149: This option should be used with car
Page 150 and 151: 3.9.6 KDB commands for XMDBG ► xm
Page 154 and 155: Name AIX version Hardware required
Page 160 and 161: Online resources These Web sites ar
Page 162 and 163: sysdumpdev 27 tprof 28 trace 28 trc
Page 164:
subsequent reboot 71, 133 SUE 18 Sy
show all

IBM AIX Continuous Availability Features - IBM Redbooks

Create successful ePaper yourself

Delete template?

Save as template?