(FAQ) Frequently Asked Questions on WPAR (Workload Partitions)

Introduction

The following are my accumulated notes concerning WPARs' (or Workload Partitions) configuration and administration, which is supported on AIX 6.1 and above. WPARs can be created on a dedicated or shared LPAR (Logical Partition), because the LPAR's operating system image and physical resources are shared with the WPAR. WPARs also provide the ability to further isolate a system's workload without creating a full LPAR.

There are two types of WPARs, system and application. The following filesets need to be installed on the LPAR (or global WPAR) prior to creating any type of WPAR:

    bos.wpars

    wio.common

    wio.fcp

    wio.vscsi

Go Back to the Top

System WPARs

A system WPAR is a workload partition that has filesystems created in logical volumes, and its root volume group is created from the global WPAR. You can use the 'smitty simplewpar_sys' or 'mkwpar' commands to create a system WPAR.

To create and start a simple WPAR:

mkwpar -s -n WPAR_name

To stop a WPAR:

stopwpar -v WPAR_name

To remove a WPAR:

rmwpar -s WPAR_name

A system WPAR can also be created with its own root volume group if one or more disk devices are allocated to the WPAR from the global WPAR. This is referred to as a rootvg system WPAR. Rootvg system WPARs can only be created by using/exporting/allocating fibre attached storage devices, fibre channel adapters, or virtual SCSI disks to the rootvg system WPAR.

To make a shared system WPAR with rootvg (where /usr and /opt are shared with the global WPAR):

    1. Check the physical volume configuration. Use only disk devices that are in the available state.
    lspv

    2. Create and start a shared system WPAR with rootvg:
    mkwpar -s -n WPAR_name -D rootvg=yes devname=hdisk_number

*Note: If hdisk_number is currently in a non-rootvg volume group, overwrite the non-rootvg volume group during WPAR creation:
mkwpar -s -n WPAR_name -D rootvg=yes devname=hdisk_number -O

To create a detached system WPAR with rootvg (where /usr and /opt are NOT shared with the global WPAR):

    1. Check the physical volume configuration. Use only disk devices that are in the available state.
    lspv

    2. Create and start a detached system WPAR with rootvg:
    mkwpar -s -n WPAR_name -D rootvg=yes devname=hdisk_number -l

After the WPAR's creation, use the 'chwpar' command to change the WPAR's disk configuration.

To list and delete a WPAR's disk(s):

    lspwar -Da devname WPAR_name | grep hdisk
    chwpar -K -D devname=hdisk_number WPAR_name

Go Back to the Top

CRE (Compatibility Runtime Environment) WPAR

CRE (Compatibility Runtime Environment) WPAR is a system WPAR running AIX 5.2 or AIX 5.3 binaries and libraries on a global WPAR running AIX 7.1 or higher. It is also known as a VWPAR (Versioned Workload Partition). A CRE WPAR should be created as a detached system WPAR, due to /usr. /opt, and /var running AIX 5.2/5.3 binaries and libraries. The following filesets need to be installed on the global WPAR before creating the CRE WPAR:

    bos.wpars

    vwpar.52

    vwpar.53

    vwpar.common

    vwpar.images.52

    vwpar.images.53

    vwpar.images.base

    wio.common

    wio.fcp

You can load the AIX 5.2/5.3 environment from a mksysb image during the CRE WPAR's creation using the following command:
mkwpar -B /WPAR_mksysb_file -C -A -r -v -s -N address=network_address -n WPAR_name -D devname=hdisk_number -D devname=hdisk_number rootvg=yes -l

To check CRE (Compatibility Runtime Environment) WPAR's operating system type:

lswpar -L |grep OStype

*Note: Possible numeric values for OStype:

OStype = 0 (Native or the same as global WPAR's oslevel)

OStype = 1 (AIX 5.2)

OStype = 1024 (AIX 5.3)


To backup and restore a CRE WPAR:

    savewpar -f /backup_filename -i WPAR_name
    lswpar WPAR_name
    rmwpar -F WPAR_name
    lswpar WPAR_name
    cfgmgr
    lspv
    restwpar -a -f /backup_filename -n WPAR_name
    lswpar WPAR_name
    startwpar WPAR_name
    lswpar WPAR_name

Go Back to the Top

WPAR with a bootset

Bootset is a set of disk(s) or filesystem(s) that are used for boot by the rootvg system WPAR. A disk or filesystem that belongs to a bootset can NOT be removed unless the bootset is removed first. The maximum value for the bootset ID is 8.

To create a WPAR with a bootset of disks:

mkwpar -r -v -t -i -s -n WPAR_name -D devname=hdisk_number -D devname=hdisk_number rootvg=yes -l
lswpar
lswpar -Da devname WPAR_name|grep hdisk
lswpar -Br
chwpar -B devname=hdisk_number WPAR_name
lswpar -Br

*Note: Both hdisk devices should show RootVG = yes. If not,:
stopwpar WPAR_name
startwpar WPAR_name

To boot a WPAR from an alternate bootset:

chwpar -B devname=hdisk_number WPAR_name
lswpar -Br
chwpar -D devname=hdisk_number rootvg=no WPAR_name
lswpar -Br
chwpar -K -B bootset=Bootset_ID WPAR_name
stopwpar WPAR_name
startwpar WPAR_name
lswpar -Br

Go Back to the Top

WPAR with its own network

WPARs can be created with its own network configuration. This enables the administrator to further isolate the WPAR's network traffic, and meet specific network security requirements. WPARs with their own network configuration can use physical interfaces, virtual interfaces, etherchannels, and virtual local area network (VLAN) interfaces. Unless specified, WPARs created with its own network configuration are classified as IPv4.

To create and start a WPAR with an IPv4 network address:

mkwpar -s -n WPAR_name -N address=network_address netmask=network_mask -h hostname

To list a WPAR's network configuration:

lswpar -N WPAR_name

WPARs can also be created with its own network routing table.

To create a detached routing specific WPAR:

mkwpar -A -r -v -s -n WPAR_name -N address=network_address -I rtdest=default rtgateway=gateway_server's_network_address -h hostname

To view a WPAR's routing table:

lswpar -I WPAR_name
netstat -r -@ WPAR_name
netstat -rn -@ WPAR_name

Execute the following commands to setup a WPAR using IPv6 network addressing:

    1. Run 'autoconf6' on the global WPAR to get the link local IP address on the global WPAR:

    To generate the local IPv6 address (beginning with 'fe80::'):

    autoconf6 -A


    Make note of network address beginning with 'fe80::'
    netstat -in


    Make note of the one line beginning with 'inet6' (which is the local IPv6 address):
    ifconfig en0


    Start and check the Neighbor Discovery Protocol daemon:
    startsrc -s ndpd-host
    lssrc -s ndpd-host


    Temporarily enable IPv6 forwarding:
    no -o ip6forwarding=1
    ifconfig en0


    *Note: After starting 'ndpd-host' service, ifconfig output shows 2 lines beginning with 'inet6'. The IPv6 address beginning with '2000 or above' is the global address (generated after connecting to the IPv6 router, which would have the 'ndpd-router' service running).

    2. To create and start a detached rootvg system WPAR using an IPv6 network address:
    lspv
    mkwpar -A -r -v -s -n WPAR_name -N address6=IPv6_local_address_beginning_with_'fe80::'_incremented_by_one interface=en_number prefixlen=The_number_in_the_global/local_IPv6_address_that_is_followed_by_a_forward_slash(/) -D devname=hdisk_number rootvg=yes -l

Ex:

# ifconfig en0
en0: flags=1e084863,14c0 UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT,CHECKSUM_OFFLOAD(ACTIVE),LARGESEND,CHAIN
inet 9.3.66.109 netmask 0xfffffe00 broadcast 9.3.67.255
inet6 2002:926:3e2:66:c0e6:99ff:fe54:9002/64
inet6 fe80::c0e6:99ff:fe54:9002/64
inet6 2002:903:15f:66:c0e6:99ff:fe54:9002/64
tcp_sendspace 262144 tcp_recvspace 262144 rfc1323 1
# mkwpar -A -r -v -s -n wpar -N address6=fe80::c0e6:99ff:fe54:9003 interface=en0 prefixlen=64 -D devname=hdisk1 rootvg=yes -l
# lswpar wpar
# lswpar -N wpar
# ping wpar
# topas -@ WPAR_name

*Note: 'topas -@ WPAR_name' was run simultaneously as the 'ping wpar' command in a different telnet session.

Go Back to the Top

Enhanced RBAC on a WPAR

Enhanced RBAC (Role based access control) can be administered on a WPAR, and increases the security threshold on the WPAR. Enhanced RBAC needs to be enabled on the global WPAR before it can be administered on the WPAR.

To check for enhanced RBAC status on the global WPAR:

lsattr -El sys0 -a enhanced_RBAC

To enable enhanced RBAC on the global WPAR:

chdev -l sys0 -a enhanced_RBAC=true

Run the following commands to create WPARs as a RBAC user:

    1. On the global WPAR, create authorizations for the role:
    mkauth new_authorization_name
    OR
    smitty rbac

    Ex:

    # mkauth test_wpar

    2. Set the role to the RBAC user on the global WPAR:
    setsecattr -c accessauths=new_authorization_name /full_path_of_the_command

    Ex:

    # setsecattr -c accessauths=test_wpar /usr/sbin/mkwpar
    # setsecattr -c accessauths=test_wpar /usr/sbin/lswpar
    # setsecattr -c accessauths=test_wpar /usr/sbin/chwpar
    # setsecattr -c accessauths=test_wpar /usr/sbin/rmwpar
    # setsecattr -c accessauths=test_wpar /usr/sbin/wparexec
    # setsecattr -c accessauths=test_wpar /usr/sbin/stopwpar
    # setsecattr -c accessauths=test_wpar /usr/sbin/clogin

    mkrole authorizations=new_authorization_name new_role_name

    Ex:

    # mkrole authorizations=test_wpar wpar_role


    mkuser roles=new_role_name user

    Ex:

    # mkuser roles=wpar_role marie


    setkst
    passwd user
    su - user
    swrole new_role_name

    Ex:

    $ swrole wpar_role
    $ rolelist -e
    $ lswpar
    $ mkwpar -v -A -s -r -n WPAR_name -D devname=hdisk_number rootvg=yes -l -N address=network_address interface=en_number

Go Back to the Top

Application WPARs

An application WPAR hosts one or more applications. The 'wparexec' command creates the application WPAR. The command used to start an application(s) will be used as the argument for the 'wparexec' command. Once the application(s) exits, that specific application WPAR ceases to exist. An application WPAR will share the global WPAR's filesystem, and will NOT run system service daemons.

A user can test an application WPAR's functionality by using AIX performance statistical commands as an argument to the 'wparexec' command:
# wparexec -v -n WPAR_name /full_path_of_the_command_that_preferably_runs_for_some_time

Ex:

# wparexec -v -n appwpar /usr/bin/vmstat -Itw 120 600
wparexec: Verifying file systems...
Workload partition appwpar created successfully.
Starting workload partition 'appwpar'.
Mounting all workload partition file systems.
Loading workload partition.

appwpar configuration: @lcpu=8 @mem=4352MB @ent=2.00
kthr memory page faults cpu time
----------- --------------------- ------------------------------------ ------------------ ----------------------- --------
@ @ @ @ @
r b p avm fre fi fo pi po fr sr in sy cs us sy id wa pc ec hr mi se
0 0 0 277483 204786 0 0 0 0 0 0 0 2 1 18 82 - - 0.00 0.0 15:41:11
0 0 0 277488 204778 0 0 0 0 0 0 0 2 1 2 98 - - 0.00 0.0 15:43:11
0 0 0 277489 204775 0 0 0 0 0 0 0 2 0 3 97 - - 0.00 0.0 15:45:11
0 0 0 277528 204732 0 0 0 0 0 0 0 2 0 2 98 - - 0.00 0.0 15:47:11
0 0 0 277529 204730 0 0 0 0 0 0 0 2 0 36 64 - - 0.00 0.0 15:49:11
0 0 0 277565 204715 0 0 0 0 0 0 0 2 1 2 98 - - 0.00 0.0 15:51:11
0 0 0 277567 204710 0 0 0 0 0 0 0 2 1 2 98 - - 0.00 0.0 15:53:11
0 0 0 277567 204732 0 0 0 0 0 0 0 2 0 14 86 - - 0.00 0.0 15:55:11
0 0 0 277606 204690 0 0 0 0 0 0 0 2 0 3 97 - - 0.00 0.0 15:57:11
0 0 0 277607 204687 0 0 0 0 0 0 0 2 0 3 97 - - 0.00 0.0 15:59:11

. . . .
# lswpar

Ex:

# lswpar

Name State Type Hostname Directory RootVG WPAR
----------------------------------------------------------------------------------------------------
appwpar A A appwpar / no

Go Back to the Top