Hi -
I have been playing around with the Puppet AIX agent and trying to get my head around the NIM package provider.
The task I've set myself is to write a basic module that allows me to install the latest OpenSSL/SSH fixes as this has become quite a regular task :)
I've kind of got there, but it's thrown up some odd behaviour in the NIM package provider (and probably the AIX through installp one too... )
What it seems the NIM provider does is enumerate each individual package or actually AIX fileset... it then seems to look for each fileset using lslpp and if it doesn't find it, tries to install it immediately, again as a single fileset.
This kind of works, but does occasionally fall foul of dependencies.
However, it largely misses some of the main functionality used by installp on AIX systems in my view.
For example, when you install an AIX service pack, it is a directory of quite literally hundreds of filesets, and the file names are pretty much incomprehensible in relation to what actual fileset is contained within.
The nimclient command effectively supports two attributes that have default values that make life a lot easier.
filesets=all
fixes=update_all
So, if you want to install all the filesets in the lpp_source listed you'd use the former, and if you want to apply all fixes to only what is installed then you'd use the latter. So for example, to install an AIX fix pack without adding any new features (filesets) to your AIX install you end up with something like
nimclient -o cust -a installp_flags=acgXY -a lpp_source=AIXFIXPACK -a fixes=update_all
If you wanted to install all filesets in an lpp source then you'd need something like...
nimclient -o cust -a installp_flags=acgXY -a lpp_source=PRODUCT -a filesets=all
The other thing I've noticed in the debug output is the handling of multiple filesets in the package name. As mentioned above the nim.rb provider goes through each provided name in sequence checking it exists with lslpp and then if it doesn't trying to immediately install just that fileset.
I can see why this behaviour may be wanted if you want to ensure the exact version of exact filesets, but given that puppet seems to not enforce specifying a version, when it isn't specified, it may be better to just pass all the fileset names to installp.
If you do that, *and* there are any inter-dependencies, installp will figure it out and install all of the filesets, plus any that are required dependents assuming they are in the source directory/resource you are using.
It would also be nice to be able to add any additional command line flags too.... to force the install of a backlevel fileset for example. Dangerous yes, but sometimes useful.
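
The batching described in the post, as an added example that is not part of the original message or of the nim.rb provider: a shell helper that builds a single nimclient cust request for a whole set of filesets and rejects names that are unsafe to place on a command line. The function names, the NIM_FLAGS variable and the sample fileset names are assumptions made for illustration, as is passing several names as one space-separated filesets value.

```shell
#!/bin/sh
# Added example: build ONE "nimclient -o cust" request for a set of filesets
# instead of one install per fileset. Helper names are hypothetical.
# NIM_FLAGS defaults to the installp flags used in the post.
NIM_FLAGS="${NIM_FLAGS:-acgXY}"

# valid_name NAME -> 0 only if NAME is non-empty and made of [A-Za-z0-9._-]
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# nim_cust_cmd LPP_SOURCE MODE [FILESET...]
#   update_all : fixes only for what is already installed
#   all        : every fileset in the lpp_source
#   list       : the named filesets, sent together so installp can
#                resolve inter-dependencies within the same request
nim_cust_cmd() {
    [ $# -ge 2 ] || { echo "usage: nim_cust_cmd SRC MODE [FILESET...]" >&2; return 2; }
    src=$1; mode=$2; shift 2
    valid_name "$src" || { echo "bad lpp_source: $src" >&2; return 2; }
    valid_name "$NIM_FLAGS" || { echo "bad installp flags: $NIM_FLAGS" >&2; return 2; }
    base="nimclient -o cust -a installp_flags=$NIM_FLAGS -a lpp_source=$src"
    case "$mode" in
        update_all) echo "$base -a fixes=update_all" ;;
        all)        echo "$base -a filesets=all" ;;
        list)
            [ $# -gt 0 ] || { echo "no filesets given" >&2; return 2; }
            for f in "$@"; do
                valid_name "$f" || { echo "bad fileset name: $f" >&2; return 2; }
            done
            echo "$base -a filesets=\"$*\"" ;;
        *) echo "unknown mode: $mode" >&2; return 2 ;;
    esac
}

# Constructed sample input: print the commands without running them.
nim_cust_cmd AIXFIXPACK update_all
nim_cust_cmd PRODUCT list openssl.base openssl.man.en_US
```

The helper only prints the command, so the output can be reviewed or logged before anything is run on a NIM client.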