Re: report archive software?
On Tuesday, 02/05/2008 at 02:19 EST, David Boyes <[EMAIL PROTECTED]> wrote:
> Commands exist and are shipped with the OS to examine the spool files
> for other users.

There exists no command that an unprivileged user can use to examine another's spool files.

> No commands are provided to examine pages written by CP
> for other users. Both can be circumvented if you have access to the disk
> containing the data, but it's a lot harder. Thus the "fairly easy" --
> give your id class B somehow, and you're done.

Such a user has then been explicitly authorized by you, then, to possess extra powers. It is misleading to attribute to the whole ("it is easy to access xx") what applies only to an explicitly selected subset ("it is easy for a sufficiently privileged user to access xx"). I don't want newbies to get a warped sense of the security characteristics of z/VM.

Using the spool to hold data is not a security risk. Choose Linux-based NJE or use RSCS, but don't use spool as an exclusion criteria (vis a vis security).

Alan Altmark
z/VM Development
IBM Endicott

--
For LINUX-390 subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390

Re: report archive software?
On Tuesday, 02/05/2008 at 02:19 EST, David Boyes <[EMAIL PROTECTED]> wrote:
> Commands exist and are shipped with the OS to examine the spool files
> for other users. No commands are provided to examine pages written by CP
> for other users. Both can be circumvented if you have access to the disk
> containing the data, but it's a lot harder. Thus the "fairly easy" --
> give your id class B somehow, and you're done. Assembling a virtual
> machine from pages on disk is a lot harder -- not for ordinary mortals.
>
> You're overreading the statement -- relax. It's a matter of comparative
> degree.

Perhaps, but I don't take statements like that lightly. Our Common Criteria certification work, in fact, provides assurance that unprivileged users CANNOT get to others' spool or memory without their active cooperation. There is no "comparative degree".

Alan Altmark
z/VM Development
IBM Endicott

Re: report archive software?
On Tuesday, 02/05/2008 at 05:38 EST, Ivan Warren <[EMAIL PROTECTED]> wrote:
> For a properly privileged user, examining someone else's memory isn't
> that difficult if I remember correctly..

Yes, but that's not at issue. It is a given that a privileged user can do extraordinary things. Since no general user has more than class G, memory and spool are protected.

With the ability to put CP commands in the directory, Rob's "less than class G" solutions become far more interesting. E.g. I can take away the SET SECUSER, SET OBSERVER, SPOOL and MESSAGE commands and the ADRSPACE diagnose, as well as limit IUCV activity.

Alan Altmark
z/VM Development
IBM Endicott

Linux for System z ISV Information
Cross-posted to IBMVM and Linux-390

For anyone that's interested, I managed to rescue a copy of the old linuxproducts.html file from June 21st of 2007. This is the "Software Developer Products for Linux on IBM System z" page that got taken down and for which the replacement is totally useless. web.archive.org had it, just at a different URL than I remembered.

I'm going to be putting it up on linuxvm.org relatively soon. If there's anyone out there willing to volunteer to keep it updated as ISVs report changes, that would be helpful. I want to put an email address for ISVs to contact on the page so we can start publicizing it. Hopefully the word will get spread widely enough that it will be reasonably accurate.

If anyone absolutely needs a copy of it before it goes up on the web site, let me know, and I'll send you the raw html file.

Mark Post

Re: preventing direct root login on the 3270 console for SLES10
On Tue Feb 05 15:46:15 CST 2008, "Stricklin, Raymond J" <[EMAIL PROTECTED]> wrote:
>
>> Ohh, I can. If login for non-root users is broken for any
>> reason, you're done. (Seen that happen a number of times on
>> Intel/AMD systems.)
>
> That's precisely the sort of thing I was thinking of. The nologin
> situation is also a good one. I haven't worked enough with this part of
> Linux to have been more specific, so I chose to punt. If we were talking
> about, for example, Sun or pSeries, I would've been more strenuous in my
> recommendation.
>
> ok
> r.

Something we do on my desktop distribution, is require gpg-agent for logging in, if it's installed, and the user has a GPG key (in this case, root). gpg-agent allows you to have more levels of security. You can tie it to the system's xsession file to further secure X sessions... and you can add it to the system profile to further secure terminal (and console sessions). Depending on how you write your .profile script, it could be required *only* if logging in on the console.

What does it do? It requires the person logging in to also enter their gpg key pair passphrase, or get bumped out. It will then cache the passphrase in memory as a daemon during that login session, if you tell it to.

How would I deploy it? I'd set your system's /etc/profile or /etc/bash_profile (if root shell is bash) to test for the TTY it's on, if it's on your console TTY, require gpg-agent to execute and finish with a 0 exit code... if any other exit code, exit the shell immediately. Then, keep the passphrase as either an impossible unknown (never allowing root login on console, but user accounts could)...

OR

Keep the passphrase with whatever responsible management, where only management could release the passphrase if there were an emergency... followed by an act of requiring a passphrase change after such an emergency. This allows you to have a root password + a GnuPG (GPG) passphrase.

You can also enable this for network logins, if you wish. Say network logins require authenticating with an SSH key (not a unix password) + a GnuPG passphrase, in a two level authentication.

Hope this helps.

*Brandon Darbro

Re: report archive software?
Alan Altmark wrote:
> to spool files belonging to others is not. Nor is it possible to access
> another virtual machine's memory without its cooperation. In fact, data
> is more secure in memory than it is on disk since, once on disk, anyone
> with a connection to the disk can see it without restriction.

I could be wrong but.. For a properly privileged user, examining someone else's memory isn't that difficult if I remember correctly..

    > LOCKMAP < VIRTPAGE REALPAGE < < < then for example > D H> or > DIAG 04

Of course, this requires 'LOCK' and 'DISPLAY HOST' which means classes A+C|E

--Ivan

Re: preventing direct root login on the 3270 console for SLES10
> Ohh, I can. If login for non-root users is broken for any
> reason, you're done. (Seen that happen a number of times on
> Intel/AMD systems.)

That's precisely the sort of thing I was thinking of. The nologin situation is also a good one. I haven't worked enough with this part of Linux to have been more specific, so I chose to punt. If we were talking about, for example, Sun or pSeries, I would've been more strenuous in my recommendation.

ok
r.

Re: preventing direct root login on the 3270 console for SLES10
> -----Original Message-----
> From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On
> Behalf Of Mark Post
> Sent: Tuesday, February 05, 2008 2:35 PM
> To: LINUX-390@VM.MARIST.EDU
> Subject: Re: preventing direct root login on the 3270 console
> for SLES10
>
> >>> On Tue, Feb 5, 2008 at 3:15 PM, in message
> <[EMAIL PROTECTED]
> eing.com>,
> "Stricklin, Raymond J" <[EMAIL PROTECTED]> wrote:
> -snip-
> > It doesn't seem like a good idea in practice, though I couldn't put my
> > finger on exactly why.
>
> Ohh, I can. If login for non-root users is broken for any
> reason, you're done. (Seen that happen a number of times on
> Intel/AMD systems.) Securing the physical console of a
> midrange server is usually not an issue, if it's on the
> raised floor. Not sure who would want to do this.
> Certainly not anyone that's going to get called in the middle
> of the night to fix it.
>
> Mark Post

Easy to bork up in this case:

    sudo touch /etc/nologin
    sudo /sbin/shutdown -r now

--
John McKown
Senior Systems Programmer
HealthMarkets
Keeping the Promise of Affordable Coverage
Administrative Services Group
Information Technology

Re: preventing direct root login on the 3270 console for SLES10
To do this, remove or comment the entry for ttyS0 in /etc/securetty.

Note that this will make repairing problems harder. The time you need root access on the console most is when everything else is borked, and you already have the CP login password for the virtual machine protecting the console terminal...

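The /etc/securetty change suggested in this thread, together with the /etc/nologin lockout the other replies warn about, as an added shell example that is not part of any poster's message. It assumes login consults the file as described in securetty(5); the function names, the temporary directory and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit and edit a securetty-style file.
# Function names and the sample files are constructed for illustration.

# securetty_lists TTY FILE
# Exit 0 if TTY is an active entry, 1 if absent or commented out,
# 2 if FILE cannot be read. Blanks around the name are ignored.
securetty_lists() {
    [ -r "$2" ] || return 2
    awk -v t="$1" '
        { l = $0; gsub(/^[ \t]+|[ \t]+$/, "", l) }
        l == t { found = 1 }
        END { exit found ? 0 : 1 }' "$2"
}

# securetty_disable TTY FILE
# Comment out TTY (rather than deleting it) after saving FILE.bak, so the
# change is visible and easy to revert. Exit 1 if TTY was not active.
securetty_disable() {
    securetty_lists "$1" "$2" || return 1
    cp -p "$2" "$2.bak" || return 2
    st_tmp=$(mktemp) || return 2
    # Write back through the original file to keep its owner and mode.
    if awk -v t="$1" '
        { l = $0; gsub(/^[ \t]+|[ \t]+$/, "", l) }
        l == t { print "#" $0; next }
        { print }' "$2" > "$st_tmp" && cat "$st_tmp" > "$2"
    then st_rc=0
    else st_rc=2
    fi
    rm -f "$st_tmp"
    return "$st_rc"
}

# console_lockout_risk TTY SECURETTY NOLOGIN
# Exit 0 when nobody can log in on TTY: root is barred by SECURETTY and the
# NOLOGIN flag file (normally /etc/nologin) bars every non-root account.
console_lockout_risk() {
    cl_rc=0
    securetty_lists "$1" "$2" || cl_rc=$?
    [ "$cl_rc" -eq 1 ] || return 1    # root still allowed, or file unreadable
    [ -e "$3" ]
}

demo() {
    d=$(mktemp -d) || return 1
    # Constructed sample: ttyS0 active, ttyS1 already commented out.
    printf '%s\n' '# constructed sample' 'tty1' 'ttyS0' '#ttyS1' > "$d/securetty"
    if securetty_lists ttyS0 "$d/securetty"; then
        echo "before: root may log in on ttyS0"
    fi
    if securetty_disable ttyS0 "$d/securetty"; then
        echo "ttyS0 commented out; original kept as securetty.bak"
    fi
    if ! securetty_lists ttyS0 "$d/securetty"; then
        echo "after: root login on ttyS0 refused"
    fi
    : > "$d/nologin"    # stands in for /etc/nologin
    if console_lockout_risk ttyS0 "$d/securetty" "$d/nologin"; then
        echo "WARNING: nologin present and root barred on ttyS0: no console login possible"
    fi
    rm -rf "$d"
}
demo
```

On a real guest the arguments would be ttyS0, /etc/securetty and /etc/nologin, and the edit needs root.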
Re: preventing direct root login on the 3270 console for SLES10
>>> On Tue, Feb 5, 2008 at 3:15 PM, in message <[EMAIL PROTECTED]>, "Stricklin, Raymond J" <[EMAIL PROTECTED]> wrote:
-snip-
> It doesn't seem like a good idea in practice, though I couldn't put my
> finger on exactly why.

Ohh, I can. If login for non-root users is broken for any reason, you're done. (Seen that happen a number of times on Intel/AMD systems.) Securing the physical console of a midrange server is usually not an issue, if it's on the raised floor. Not sure who would want to do this. Certainly not anyone that's going to get called in the middle of the night to fix it.

Mark Post

Re: preventing direct root login on the 3270 console for SLES10
My mistake here. I am not preventing direct root login on the 3270 console.

Any ID you enter on the 3270 console including root allows for no password or incorrect password.

I am thinking I must have something not set correctly in one of the /etc/pam.d files?

Any thoughts?

TIA ..

Regards,
Terry L. Spaulding
[EMAIL PROTECTED]

Re: preventing direct root login on the 3270 console for SLES10
This was my first thought also, but on second blush, if you have properly set up sudoers, then being able to log in as your own userid, listed in sudoers, is sufficient, and you shouldn't need to log into root from anywhere, in theory.

The downside of this theory comes in the form of certain vendor products, which must be installed from root; not from root via an su -, and not from root via sudo, but only from good, old fashioned root at a terminal, having entered the root password. (IBM, you know who you are)

--
 .~.    Robert P. Nix       Mayo Foundation
 /V\    RO-OE-5-55          200 First Street SW
/( )\   507-284-0844        Rochester, MN 55905
^^-^^   -
"In theory, theory and practice are the same, but in practice, theory and practice are different."

On 2/5/08 2:15 PM, "Stricklin, Raymond J" <[EMAIL PROTECTED]> wrote:
>
>> I am trying to setup SLES10 to prevent direct login as root
>> on the 3270 console for a SLES10 Linux guest.
>
> Terry;
>
> In order to do this, you need to remove or comment the entry for ttyS0
> in /etc/securetty.
>
> It doesn't seem like a good idea in practice, though I couldn't put my
> finger on exactly why.
>
> ok
> r.

Re: Betr.: SAP Application Servers
> I hesitate to disagree with David, but that is not what I am seeing (see my
> other post in reply to Gerard)
> I use only 1 *one* GB of Xstor and even then page life is usually tens of
> minutes.
> Paging rate is moderate (100-200/s to 32 3390-3)
> The situation David describes I know from z/VM 440, but that is long past
> and it has improved with each z/VM release.

Disagree all you like. I'm sometimes wrong too... just ask my wife. 8-)

I think it depends a lot on your SAP application mix. The ones my customer uses still behave as I described, but I don't know if I'd describe their designers as particularly clueful. It sounds like yours are better behaved -- I wish more were.

Still, as you say, it has gotten a little bit better over time as VM learns more about handling Linux guests. It's still ugly and no matter what we do, this beast takes up disproportionate amounts of resources, but any improvement has to be a good thing, right? And it's still lots better than LPAR if nothing more than increased manageability.

Re: preventing direct root login on the 3270 console for SLES10
On Tuesday 05 February 2008 15:11, Terry Spaulding wrote:
>I am trying to setup SLES10 to prevent direct login as root on the 3270
>console for a SLES10 Linux guest.
>
>I have disabled that in /etc/ssh/sshd_config with no problem for ssh
>sessions.
>
>Something must be different on SLES10 compared to SLES9.
>
>I checked the /etc/sysconfig/displaymanager which has some new entries and
>some of the entries had different responses compared to SLES9.
>
>Has anyone found how to disable direct root login on the 3270 console for
>SLES10 ?

I think you want to comment out lines in /etc/securetty, because the console is treated as a hard-wired tty device. SSH is not involved in logging into the console. See securetty(5) and login(1) for details.

- MacK.
-----
Edmund R. MacKenty
Software Architect
Rocket Software, Inc.
Newton, MA USA

Re: preventing direct root login on the 3270 console for SLES10
On Feb 5, 2008, at 2:11 PM, Terry Spaulding wrote:
> I am trying to setup SLES10 to prevent direct login as root on the 3270
> console for a SLES10 Linux guest.
>
> I have disabled that in /etc/ssh/sshd_config with no problem for ssh
> sessions.
>
> Something must be different on SLES10 compared to SLES9.
>
> I checked the /etc/sysconfig/displaymanager which has some new entries and
> some of the entries had different responses compared to SLES9.
>
> Has anyone found how to disable direct root login on the 3270 console for
> SLES10 ?

I'm guessing that removing everything from /etc/securetty will do it for you.

I presume that if you ever lose the network on a guest, you're OK with attaching the disks to a different guest and fixing it that way?

Adam

Re: preventing direct root login on the 3270 console for SLES10
> I am trying to setup SLES10 to prevent direct login as root
> on the 3270 console for a SLES10 Linux guest.

Terry;

In order to do this, you need to remove or comment the entry for ttyS0 in /etc/securetty.

It doesn't seem like a good idea in practice, though I couldn't put my finger on exactly why.

ok
r.

Re: preventing direct root login on the 3270 console for SLES10
>>> On Tue, Feb 5, 2008 at 3:11 PM, in message <[EMAIL PROTECTED]>, Terry Spaulding <[EMAIL PROTECTED]> wrote:
-snip-
> I checked the /etc/sysconfig/displaymanager which has some new entries and
> some of the entries had different responses compared to SLES9.

That shouldn't have anything to do with the console.

> Has anyone found how to disable direct root login on the 3270 console for
> SLES10 ?

Try commenting out the line with ttyS0 in /etc/securetty

Mark Post

Re: Compiling PAM modules
> OK.
> I used an existing directory as a model and I now have modules/pam_dissen as a
> directory with what appears to be the appropriate make files.
> What make command can I issue to compile pam_dissen.c and generate
> pam_dissen.so ?

Test it with 'make -n' in the same directory as your files. -n says do the evaluation of what needs to be done then tell me, but don't actually do it. If it says it's going to do what you expect, a plain 'make' should work.

> From which directory should I issue the make command?
>
> I tried
>
>   make modules/pam_dissen
>
> from the
>
>   Linux-PAM-0.99.9.0
>
> directory, with result
>
>   make: Nothing to be done for `modules/pam_dissen'.

Yes, and it's right. Unless told otherwise, make assumes you are giving it a target string to find *in the makefile in the current directory*. Use 'make -f modules/pam_dissen/Makefile pam_dissen' (assuming the rule in your makefile in modules/pam_dissen is called 'pam_dissen'). If you omit it, it will build the default target for that makefile.

So, first, do the make from the directory containing the source. If you need to integrate it into the larger build, then you'll need to modify the makefiles at the higher levels in the directory tree.

There's an excellent tutorial on the intricacies of make in the BSD 4.3 System Administrators Guide (probably available in your local public library), or the O'Reilly book on make is also good. This online guide: http://www.eng.hawaii.edu/Tutor/Make/index.html is also a good start.

> --
> Binyamin Dissen <[EMAIL PROTECTED]>
> http://www.dissensoftware.com
>
> Director, Dissen Software, Bar & Grill - Israel
>
> Should you use the mailblocks package and expect a response from me,
> you should preauthorize the dissensoftware.com domain.
>
> I very rarely bother responding to challenge/response systems,
> especially those from irresponsible companies.

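The "Nothing to be done" result and the 'make -n' dry run discussed in this exchange, reproduced as an added shell example that is not part of either poster's message. Only the directory and file names come from the thread; the Makefile contents, the compiler flags and the function names are constructed stand-ins, not the Linux-PAM build rules.

```shell
#!/bin/sh
# Added example (not from the thread): a constructed source tree, not the
# real Linux-PAM build system. Only the directory and file names come from
# the messages above; the Makefile contents are stand-ins.

# build_tree TOP: create TOP/Makefile and TOP/modules/pam_dissen/.
build_tree() {
    mkdir -p "$1/modules/pam_dissen" || return 1
    # Top-level Makefile with no rule named modules/pam_dissen.
    printf 'all:\n\t@echo top-level default target\n' > "$1/Makefile"
    : > "$1/modules/pam_dissen/pam_dissen.c"
    # Stand-in rule for a shared object; the real flags come from the
    # distribution's build, as the thread points out.
    printf 'pam_dissen.so: pam_dissen.c\n\t$(CC) -fPIC -shared -o $@ $< -lpam\n' \
        > "$1/modules/pam_dissen/Makefile"
}

# What was tried: the argument is a target name looked up in ./Makefile.
# No rule matches and the path already exists on disk, so make reports
# that there is nothing to do.
make_dir_as_target() {
    ( cd "$1" && LC_ALL=C make modules/pam_dissen 2>&1 )
}

# Dry run from the directory holding the source: -n prints the commands
# make would run without running them.
make_dry_run() {
    ( cd "$1/modules/pam_dissen" && LC_ALL=C make -n 2>&1 )
}

demo() {
    command -v make >/dev/null 2>&1 || { echo "make is not installed"; return 0; }
    d=$(mktemp -d) || return 1
    build_tree "$d" || return 1
    echo "from the top directory:"
    make_dir_as_target "$d" || :
    echo "dry run in modules/pam_dissen:"
    make_dry_run "$d" || :
    if [ ! -e "$d/modules/pam_dissen/pam_dissen.so" ]; then
        echo "dry run built nothing, as expected"
    fi
    rm -rf "$d"
}
demo
```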
preventing direct root login on the 3270 console for SLES10
I am trying to setup SLES10 to prevent direct login as root on the 3270 console for a SLES10 Linux guest.

I have disabled that in /etc/ssh/sshd_config with no problem for ssh sessions.

Something must be different on SLES10 compared to SLES9.

I checked the /etc/sysconfig/displaymanager which has some new entries and some of the entries had different responses compared to SLES9.

Has anyone found how to disable direct root login on the 3270 console for SLES10 ?

TIA ..

Regards,
Terry L. Spaulding
[EMAIL PROTECTED]

Betr.: Re: SAP Application Servers
> Oh, I understand that. Makes you wonder just what the devil is going on
> inside the application.

I have a fair idea. Lots and lots of caching, loading of tables into memory etc going on.

> As usual, the ability to over commit memory and all the other sharing and
> management stuff that z/VM lets you do makes
> things more attractive. The resources required just seem wasteful, whether
> that's really true or not.

On a z doing the I/O may be more attractive (faster? cheaper?) than cache lookup. But not in the case of SAP. The I/O would all go to the DB2 database running on z/OS. And those are the expensive cycles. Far better to use IFL and memory on the Linux side.

Best regards,
Pieter Harder
[EMAIL PROTECTED]
tel +31-73-6837133 / +31-6-47272537

Brabant Water N.V.
Postbus 1068
5200 BC 's-Hertogenbosch
http://www.brabantwater.nl
Handelsregister: 16005077

Re: Betr.: SAP Application Servers
I hesitate to disagree with David, but that is not what I am seeing (see my other post in reply to Gerard)
I use only 1 *one* GB of Xstor and even then page life is usually tens of minutes.
Paging rate is moderate (100-200/s to 32 3390-3)
The situation David describes I know from z/VM 440, but that is long past and it has improved with each z/VM release.

Best regards,
Pieter Harder
[EMAIL PROTECTED]
tel +31-73-6837133 / +31-6-47272537

>>> David Boyes <[EMAIL PROTECTED]> 02/05/08 6:02 >>>
> I am trying to get a feel if the memory requirements on say a pSeries of
> 3GB for a SAP APP server would be less on zSeries Linux under zVM, i.e.
> the physical would drop to 1 GB with 2GB as swop.

Very unlikely. SAP apps of any stripe tend to grab big chunks of memory no matter what they're actually doing and just sit on it. You might be able to get away with allocating lots of XSTOR and tolerating a really, REALLY high paging rate, but application performance will still be affected, and you'll still need to buy a lot of memory.

Brabant Water N.V.
Postbus 1068
5200 BC 's-Hertogenbosch
http://www.brabantwater.nl
Handelsregister: 16005077

Re: Compiling PAM modules
On Sun, 3 Feb 2008 20:23:12 -0500 David Boyes <[EMAIL PROTECTED]> wrote:

:>> :>I would have a look at how the vendor's built the package(s). Also,
:>> :>unless you have good reason not to, the vendor's source is the source to
:>> :>start from.

:>> I would prefer starting off with something other than a sledgehammer.

:>Actually, this is rather good advice, especially if you expect your code
:>to interoperate and otherwise play nicely with PAM. There are lots of
:>moving parts to PAM, and looking at how someone else did it will help
:>you get your stuff structured in a compatible way.

:>> Thus leading to my question - are there any special options required?

:>That's what looking at the distribution build will tell you. The various
:>distributions sometimes put PAM headers in different places, and some
:>expect particular options to be used when building libraries, etc.

:>> Is gcc -o enough?

:>No. See above.

:>> I would rather concentrate on the code, rather than packaging at this early
:>> time.

:>> [snip]

:>> My issue is not in writing the code - it is in the installation. And I would
:>> like as easy a build method as possible as I start this coding.

:>The two are fairly closely linked. You need to be conscious of how PAM
:>is installed and maintained on your distribution to avoid a lot of extra
:>work later in the game.

OK.

I used an existing directory as a model and I now have modules/pam_dissen as a directory with what appears to be the appropriate make files.

What make command can I issue to compile pam_dissen.c and generate pam_dissen.so ?

From which directory should I issue the make command?

I tried

    make modules/pam_dissen

from the

    Linux-PAM-0.99.9.0

directory, with result

    make: Nothing to be done for `modules/pam_dissen'.

--
Binyamin Dissen <[EMAIL PROTECTED]>
http://www.dissensoftware.com

Director, Dissen Software, Bar & Grill - Israel

Should you use the mailblocks package and expect a response from me, you should preauthorize the dissensoftware.com domain.

I very rarely bother responding to challenge/response systems, especially those from irresponsible companies.

Re: Betr.: SAP Application Servers
Hi Gerard,

first, I think your remark to Mark's post is wrong. z/VM will certainly save you in the area of memory requirements. And then some in other areas, like admin, failover setup etc.

To get specific:

- we came from Intel some years ago and reduced a farm of 10 two-ways with a total of 38 GB of memory to a z900 with one CP (also used for VM/VSE workload) for z/OS and DB2, and two IFL's with 11 GB of memory. We were on 46C then. Due to our upgrade to ERP2004 / 640 we had to go to a z9-BC T01 subcapacity CP, again 2 IFL and about 22 GB of memory. Response times through all that remained more or less the same.

- how is that broken down?
  4 test systems 2 GB Vsize with 8 GB Vdisk swap
  1 dev system ditto
  1 historic (from before a merger) prod system, ditto
  1 current prod system, 8 GB Vsize with 16 GB Vdisk swap
  1 Solman system, 1 GB Vsize with 8 GB Vdisk swap
  in the same lpar there is also a 1.5 GB Vsize TSM server.
  When systems are really idle they don't use the allocated Vsize and z/VM takes a lot of real frames elsewhere. So in theory I could reduce the Vsize. But from experience I have found that this introduces lots of overhead when they are not idle. So I leave it to CP to schlepp resources around on an as-needed basis.

- now for your question: It all depends on if your 3GB are used or not. If they are, you need them on zSeries as well, period. But if there is worst-case headroom in there you are almost guaranteed to use less. I don't think you will get a 640 down to 1 GB on a reasonably used instance. But you may very well run in about 1.5 to 2 GB, only using more as Vdisk swap in heavy usage.

Feel free to ask if you need more details.

Best regards,
Pieter Harder
[EMAIL PROTECTED]
tel +31-73-6837133 / +31-6-47272537

>>> "Ceruti, Gerard G" <[EMAIL PROTECTED]> 02/05/08 5:48 >>>
HI Peter, Ron

I am trying to get a feel if the memory requirements on say a pSeries of 3GB for a SAP APP server would be less on zSeries Linux under zVM, i.e. the physical would drop to 1 GB with 2GB as swop.

Regards
Gerard Ceruti
may the 'z' be with you

-----Original Message-----
From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of Pieter Harder
Sent: 05 February 2008 03:51 PM
To: LINUX-390@VM.MARIST.EDU
Subject: Betr.: SAP Application Servers

Hi Gerard,

I have only one 700 system (our SolMan 400 system). Our standard is ERP2004 which is 640 based. Everything running under z/VM 530. We tried running bare metal in the porting phase, but dropped that for all the reasons mentioned on the list. That one 700 instance is running in a 1G VM, while all other 640 instances have at least 2G. But then our SolMan is only used where it can't be avoided

Anyway, anything specific you want to know?

Best regards,
Pieter Harder
[EMAIL PROTECTED]
tel +31-73-6837133 / +31-6-47272537

>>> "Ceruti, Gerard G" <[EMAIL PROTECTED]> 02/05/08 8:45 >>>
Hi All

Anyone who is running SAP Application servers under zSeries Linux, bare metal or zVM that could share some information, SAP kernel 700,710 would be ok, in particular the memory requirements is of interest to us.

Regards
Gerard Ceruti
may the 'z' be with you

Brabant Water N.V.
Postbus 1068
5200 BC 's-Hertogenbosch
http://www.brabantwater.nl
Handelsregister: 16005077

Re: report archive software?
> Now you've confused me. Access to your own spool files is easy. Access
> to spool files belonging to others is not. Nor is it possible to access
> another virtual machine's memory without its cooperation. In fact, data
> is more secure in memory than it is on disk since, once on disk, anyone
> with a connection to the disk can see it without restriction.

> I contest your statement that "spool access is fairly easy". Not by an
> unprivileged user, it isn't.

Commands exist and are shipped with the OS to examine the spool files for other users. No commands are provided to examine pages written by CP for other users. Both can be circumvented if you have access to the disk containing the data, but it's a lot harder. Thus the "fairly easy" -- give your id class B somehow, and you're done. Assembling a virtual machine from pages on disk is a lot harder -- not for ordinary mortals.

You're overreading the statement -- relax. It's a matter of comparative degree.

Re: Z/vm Bacula - Idea's for Installation
> I'm trying to do a bacula under Z/vm, As a proof of concept to keep the
> mainframe alive in our company.
> I've installed Z/vm and the Novell Sles10 SP1 starter system as a Guest.

Good start. 8-)

> I'm now going to make another Guest and install Bacula on it.
> I'm not very Linux inclined so I really need some ideas on how to go
> about it from here?

0) Install the new guest per directions with the starter system.
1) Get the src RPM from Bacula.org.
2) Build it according to the Linux instructions in the docs.
3) Configure clients as shown in the Bacula docs.

Bacula is a good choice because it does have extensive documentation. There's a good step-by-step in the docs, and it's not substantially different on Z.

The only possible gotcha is tape support. Look in config/vm in the Bacula source for more details on how to make tape work on Z.
Re: Z/vm Bacula - Idea's for Installation
On Feb 5, 2008, at 11:53 AM, Bruce Arro wrote:

> I want to build a bacula server.

OK, then it's slightly more complicated. I recommend you use MySQL as the back end, but of course if you have a good reason to use PostgreSQL or SQLite then you know that you do and why.

Are you on the bacula users' and developers' lists? If not, you want to join.

Your best bet is to start with the bacula-2.2.8-1.src.rpm source RPM, available from the Bacula site (well, from sourceforge, but I always get there via Bacula) and then to try to build the binary packages with rpmbuild. Then you should just be able to manage them with rpm.

Adam
Re: Z/vm Bacula - Idea's for Installation
I want to build a bacula server.

-----Original Message-----
From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of Adam Thornton
Sent: 05 February 2008 07:39 PM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: Z/vm Bacula - Idea's for Installation

On Feb 5, 2008, at 11:30 AM, Bruce Arro wrote:

> Hi
>
> I'm trying to do a bacula under Z/vm, As a proof of concept to keep
> the mainframe alive in our company.
>
> I've installed Z/vm and the Novell Sles10 SP1 starter system as a
> Guest.
>
> I'm now going to make another Guest and install Bacula on it.
>
> I'm not very Linux inclined so I really need some ideas on how to go
> about it from here?
>

I would start with the Bacula spec file, and do an rpmbuild pointed at the spec file.

Are you wanting to build just the client, or director and storage daemon as well?

Adam
Re: Z/vm Bacula - Idea's for Installation
On Feb 5, 2008, at 11:30 AM, Bruce Arro wrote:

> Hi
>
> I'm trying to do a bacula under Z/vm, As a proof of concept to keep the
> mainframe alive in our company.
>
> I've installed Z/vm and the Novell Sles10 SP1 starter system as a Guest.
>
> I'm now going to make another Guest and install Bacula on it.
>
> I'm not very Linux inclined so I really need some ideas on how to go
> about it from here?

I would start with the Bacula spec file, and do an rpmbuild pointed at the spec file.

Are you wanting to build just the client, or director and storage daemon as well?

Adam
Re: report archive software?
On Tuesday, 02/05/2008 at 11:52 EST, David Boyes <[EMAIL PROTECTED]> wrote:

> Specious argument: pages are in shared core at any time as well, but
> that's a different argument. AFAIK, CP paging decisions are not directly
> accessible inside a guest in any programmatic form (other than
> generating bad behavior to get yourself paged out, which is
> counterproductive if you're trying to intercept things), whereas spool
> access is fairly easy.

Now you've confused me. Access to your own spool files is easy. Access to spool files belonging to others is not. Nor is it possible to access another virtual machine's memory without its cooperation. In fact, data is more secure in memory than it is on disk since, once on disk, anyone with a connection to the disk can see it without restriction.

I contest your statement that "spool access is fairly easy". Not by an unprivileged user, it isn't.

Alan Altmark
z/VM Development
IBM Endicott
Z/vm Bacula - Idea's for Installation
Hi

I'm trying to do a bacula under Z/vm, As a proof of concept to keep the mainframe alive in our company.

I've installed Z/vm and the Novell Sles10 SP1 starter system as a Guest.

I'm now going to make another Guest and install Bacula on it.

I'm not very Linux inclined so I really need some ideas on how to go about it from here?

Regards
Bruce Arro
Re: Betr.: SAP Application Servers
Our smallest SAP system that actually does anything is 3GB. We have a few 4GB systems. All of our production ECC systems are 6GB. But then on a 6GB system, we can get almost 300 MMPP users (to do that we have to have 2 VDISKS and 4 mod3 drives for swap.)

Determining the appropriate size for an SAP application server is an art that we are not very good at. You have to know what sort of SAP buffer and Java sizes your basis people are setting up. For example, SAP recommends that out of the box, you set a Java Heap of 2GB. (Never mind that this may cause huge garbage collection pauses). You have to have all of heap resident to get decent response time. So you add some more RAM for the operating system, DB2 Connect, etc, and all of a sudden you can have a 2.5 to 3 GB machine. If your application does not really require a 2GB heap and you have someone who will experiment with heap sizes, you can shrink the RAM requirement. If not you are stuck.

On an ABAP system, you have all of those buffers that the Basis folks can set to consume memory. Then there is the SAP extended memory that contains the user context. Each user consumes a certain amount of RAM to hold their user context. You want the person who signs on in the morning, and does not really do anything until they get ready to go to lunch, to get their user context paged out. So for an ABAP system, you need to hold the operating system, the SAP kernel, most of the SAP buffers, and the user contexts for the active users.

Ron

Ceruti, Gerard G wrote:
> HI Peter, Ron
>
> I am trying to get a feel if the memory requirements on say a pSeries of 3GB for a SAP APP server would be less on zSeries Linux under zVM, i.e. the physical would drop to 1 GB with 2GB as swop.
>
> Regards
> Gerard Ceruti
> may the 'z' be with you
>
> -----Original Message-----
> From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of Pieter Harder
> Sent: 05 February 2008 03:51 PM
> To: LINUX-390@VM.MARIST.EDU
> Subject: Betr.: SAP Application Servers
>
> Hi Gerard,
>
> I have only one 700 system (our SolMan 400 system). Our standard is ERP2004 which is 640 based. Everything running under z/VM 530. We tried running bare metal in the porting phase, but dropped that for all the reasons mentioned on the list. That one 700 instance is running in a 1G VM, while all other 640 instances have at least 2G. But then our SolMan is only used where it can't be avoided
>
> Anyway, anything specific you want to know?
>
> Best regards,
> Pieter Harder
> [EMAIL PROTECTED]
> tel +31-73-6837133 / +31-6-47272537
>
> "Ceruti, Gerard G" <[EMAIL PROTECTED]> 02/05/08 8:45
> Hi All
>
> Anyone who is running SAP Application servers under zSeries Linux, bare metal or zVM that could share some information, SAP kernel 700,710 would be ok, in particular the memory requirements is of interest to us.
>
> Regards
> Gerard Ceruti
> may the 'z' be with you
Re: SAP Application Servers
>>> On Tue, Feb 5, 2008 at 11:58 AM, in message <[EMAIL PROTECTED]>, "Jim Elliott <[EMAIL PROTECTED]>" <[EMAIL PROTECTED]> wrote:
>> I've worked with one customer that was implementing SAP on
>> Linux for System z. The memory requirements were obscene. Get
>> out your checkbook.
>
> Mark: It should be noted that the memory requirements for SAP are
> huge on ANY platform, not specific to Linux on System z. Mind you
> memory on System z does come at a "premium".

Oh, I understand that. Makes you wonder just what the devil is going on inside the application. As usual, the ability to over commit memory and all the other sharing and management stuff that z/VM lets you do makes things more attractive. The resources required just seem wasteful, whether that's really true or not.

Mark Post
Re: SAP Application Servers
>>> On Tue, Feb 5, 2008 at 11:48 AM, in message <[EMAIL PROTECTED]>, "Ceruti, Gerard G" <[EMAIL PROTECTED]> wrote:
> Hi Mark
>
> So zVM was no help !, damm

Sure it helped. Memory was going to be over committed as usual. It's just that SAP is so huge, that even with that, the memory requirements are still ugly.

Mark Post
Re: Betr.: SAP Application Servers
> I am trying to get a feel if the memory requirements on say a pSeries of
> 3GB for a SAP APP server would be less on zSeries Linux under zVM, i.e.
> the physical would drop to 1 GB with 2GB as swop.

Very unlikely. SAP apps of any stripe tend to grab big chunks of memory no matter what they're actually doing and just sit on it. You might be able to get away with allocating lots of XSTOR and tolerating a really, REALLY high paging rate, but application performance will still be affected, and you'll still need to buy a lot of memory.
Re: SAP Application Servers
> I've worked with one customer that was implementing SAP on
> Linux for System z. The memory requirements were obscene. Get
> out your checkbook.

Mark: It should be noted that the memory requirements for SAP are huge on ANY platform, not specific to Linux on System z. Mind you memory on System z does come at a "premium".

Jim
Re: SAP Application Servers
Hi Mark

So zVM was no help !, damm

Regards
Gerard Ceruti
may the 'z' be with you

-----Original Message-----
From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of Mark Post
Sent: 05 February 2008 06:47 PM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: SAP Application Servers

>>> On Tue, Feb 5, 2008 at 2:45 AM, in message <[EMAIL PROTECTED] .com>, "Ceruti, Gerard G" <[EMAIL PROTECTED]> wrote:
> Hi All
>
> Anyone who is running SAP Application servers under zSeries Linux, bare
> metal or zVM that could share some information,
> SAP kernel 700,710 would be ok, in particular the memory requirements is of
> interest to us.

I've worked with one customer that was implementing SAP on Linux for System z. The memory requirements were obscene. Get out your checkbook.

Mark Post
Re: Betr.: SAP Application Servers
HI Peter, Ron

I am trying to get a feel if the memory requirements on say a pSeries of 3GB for a SAP APP server would be less on zSeries Linux under zVM, i.e. the physical would drop to 1 GB with 2GB as swop.

Regards
Gerard Ceruti
may the 'z' be with you

-----Original Message-----
From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of Pieter Harder
Sent: 05 February 2008 03:51 PM
To: LINUX-390@VM.MARIST.EDU
Subject: Betr.: SAP Application Servers

Hi Gerard,

I have only one 700 system (our SolMan 400 system). Our standard is ERP2004 which is 640 based. Everything running under z/VM 530. We tried running bare metal in the porting phase, but dropped that for all the reasons mentioned on the list. That one 700 instance is running in a 1G VM, while all other 640 instances have at least 2G. But then our SolMan is only used where it can't be avoided

Anyway, anything specific you want to know?

Best regards,
Pieter Harder
[EMAIL PROTECTED]
tel +31-73-6837133 / +31-6-47272537

>>> "Ceruti, Gerard G" <[EMAIL PROTECTED]> 02/05/08 8:45 >>>
Hi All

Anyone who is running SAP Application servers under zSeries Linux, bare metal or zVM that could share some information, SAP kernel 700,710 would be ok, in particular the memory requirements is of interest to us.

Regards
Gerard Ceruti
may the 'z' be with you
Re: SAP Application Servers
>>> On Tue, Feb 5, 2008 at 2:45 AM, in message <[EMAIL PROTECTED]>, "Ceruti, Gerard G" <[EMAIL PROTECTED]> wrote:
> Hi All
>
> Anyone who is running SAP Application servers under zSeries Linux, bare
> metal or zVM that could share some information,
> SAP kernel 700,710 would be ok, in particular the memory requirements is of
> interest to us.

I've worked with one customer that was implementing SAP on Linux for System z. The memory requirements were obscene. Get out your checkbook.

Mark Post
Re: report archive software?
> On Tuesday, 02/05/2008 at 09:40 EST, David Boyes <[EMAIL PROTECTED]>
> wrote:
> > There are some good arguments for doing the NJE processing directly in
> > the Linux guest if you're dealing with personal information (no chance
> > for it to be intercepted in the VM spooling area).
>
> Red herring. The contents of a virtual machine are potentially on dasd at
> any time, so the choice of protocol is not relevant to security.

Specious argument: pages are in shared core at any time as well, but that's a different argument. AFAIK, CP paging decisions are not directly accessible inside a guest in any programmatic form (other than generating bad behavior to get yourself paged out, which is counterproductive if you're trying to intercept things), whereas spool access is fairly easy.

That's why I said "some good arguments". Never claimed it to be exhaustive, or definitive.

> > (VSE is so much better behaved as a VM guest. Would it really be such a
> > big deal to add VM UR device support to z/OS permanently? *sigh*)
> Have you opened a PMR with z/OS (JES2?) support to indicate that
> isn't working when running as a guest? They sure aren't going
> to change anything unless people open up PMRs.

You can't ask the support people to change something that doesn't exist in the product -- that triggers the "function not in product" response and the PMR gets closed SUGG (which pretty much is a black hole, viewed externally). Unless it's changed recently, there's nothing equivalent to the simple ",VM" option that VSE has for UR devices.

That takes us into the realm of requirements, and we've been there recently. AFAIK, JES development has rejected this requirement 8 times that I'm aware of in the last 27 years. At some point, one takes "no" at face value, and goes back to coding the JES mods needed to get the job done.

-- db
Re: report archive software?
On Tuesday, 02/05/2008 at 09:40 EST, David Boyes <[EMAIL PROTECTED]> wrote:

> There are some good arguments for doing the NJE processing directly in
> the Linux guest if you're dealing with personal information (no chance
> for it to be intercepted in the VM spooling area).

Red herring. The contents of a virtual machine are potentially on dasd at any time, so the choice of protocol is not relevant to security.

> (VSE is so much better behaved as a VM guest. Would it really be such a
> big deal to add VM UR device support to z/OS permanently? *sigh*)

Have you opened a PMR with z/OS (JES2?) support to indicate that isn't working when running as a guest? They sure aren't going to change anything unless people open up PMRs. Tell two friends. Tell them to tell two friends. Not that Alan would advocate a letter-writing campaign, the goody-two-

Sorry about that. He got out when I wasn't looking.

Alan Altmark
z/VM Development
IBM Endicott
Re: report archive software?
> If a back-port of the IBM Unit Record driver works its way into SLES or
> RHEL then I would guess you can just stream the data into a RDR without
> any need for NJE under Linux.
> All that would be required is that the setup between z/OS and z/VM were
> made, and that z/VM then queues the output to the correct Linux Guest's
> RDR for processing.

That would work if the Linux and z/OS systems were within the same VM instance. You'd need RSCS if they aren't, and then you're back to NJE - the question then is whether you do it directly in the Linux guest or via RSCS. If you go the VM spool route, you'd also need to teach JES to play nice in terms of closing output files, etc, which would mean a local exit and somebody having to maintain same.

There are some good arguments for doing the NJE processing directly in the Linux guest if you're dealing with personal information (no chance for it to be intercepted in the VM spooling area).

(VSE is so much better behaved as a VM guest. Would it really be such a big deal to add VM UR device support to z/OS permanently? *sigh*)
Re: SAP Application Servers
We run Netweaver 6.40.

Ron Foser

Ceruti, Gerard G wrote:
> Hi All
>
> Anyone who is running SAP Application servers under zSeries Linux, bare metal or zVM that could share some information, SAP kernel 700,710 would be ok, in particular the memory requirements is of interest to us.
>
> Regards
> Gerard Ceruti
> may the 'z' be with you
Betr.: SAP Application Servers
Hi Gerard,

I have only one 700 system (our SolMan 400 system). Our standard is ERP2004 which is 640 based. Everything running under z/VM 530. We tried running bare metal in the porting phase, but dropped that for all the reasons mentioned on the list. That one 700 instance is running in a 1G VM, while all other 640 instances have at least 2G. But then our SolMan is only used where it can't be avoided

Anyway, anything specific you want to know?

Best regards,
Pieter Harder
[EMAIL PROTECTED]
tel +31-73-6837133 / +31-6-47272537

>>> "Ceruti, Gerard G" <[EMAIL PROTECTED]> 02/05/08 8:45 >>>
Hi All

Anyone who is running SAP Application servers under zSeries Linux, bare metal or zVM that could share some information, SAP kernel 700,710 would be ok, in particular the memory requirements is of interest to us.

Regards
Gerard Ceruti
may the 'z' be with you
Re: SLES10 ssh X Forwarding
I had a similar problem :)
Here's what I would do:
1) xauth has to be available on the system you ssh to
2) delete/clean your .Xauthority files on your target system
2) there are 2! ways to forward your X connection *ssh -X|Y*

in my case it was -Y which did the trick. With -X I got some weird authentication failure.
Look into man ssh for the specific difference in -X|-Y.

Hope some of this helps :)
Christian

Fargusson.Alan wrote on 01.02.2008 20:53:
> There are two problems here.
>
> First: doing a "sudo echo $DISPLAY" does not echo the DISPLAY that sudo is
> using. The shell will replace the $DISPLAY before starting the sudo command.
>
> Second: DISPLAY=localhost can't work. I don't see how xclock can be working.
>
> -----Original Message-----
> From: Linux on 390 Port [mailto:[EMAIL PROTECTED] Behalf Of Kim
> Goldenberg
> Sent: Friday, February 01, 2008 11:48 AM
> To: LINUX-390@VM.MARIST.EDU
> Subject: Re: SLES10 ssh X Forwarding
>
>
> Edmund R. MacKenty wrote:
>> On Friday 01 February 2008 13:53, Kim Goldenberg wrote:
>>
>>> Mark - I still get "Gtk-WARNING **: cannot open display: " with a "sudo
>>> gedit foo" command that works when I use "gedit foo".
>>>
>> If you pasted the entire error message here, then it looks like the DISPLAY
>> variable is not set in your environment. Is that the case? Of course, you
>> could have just left off the display number at the end of the message...
>>
>> I always try to run a very basic X-Windows command to see if authentication
>> is
>> working: xclock. If you can't run xclock, then you have either a display
>> specification problem or an X authentication problem. The first thing is to
>> make sure DISPLAY is set on your remote system
>> to ":.", where "" is the name of your
>> local X server system (resolvable from the remote system), and and
>> are usually zero.
>> - MacK.
>>
> MacK - No, that's the whole error message. I got the same ideas as you,
> but as you can see below, that does not seem to be the case. xclock
> works from the non-root user, but not under sudo.
>
> [EMAIL PROTECTED]:~> echo $DISPLAY
> localhost:10.0
> [EMAIL PROTECTED]:~> sudo echo $DISPLAY
> localhost:10.0
> [EMAIL PROTECTED]:~> su
> Password:
> lnxb0003:/home/otsgold # echo $DISPLAY
> localhost:10.0
> lnxb0003:/home/otsgold # uname -a
> Linux lnxb0003 2.6.16.54-0.2.3-default #1 SMP Thu Nov 22 18:32:07 UTC
> 2007 s390x s390x s390x GNU/Linux
> lnxb0003:/home/otsgold # cat /etc/SuSE-release
> SUSE Linux Enterprise Server 10 (s390x)
> VERSION = 10
> PATCHLEVEL = 1
> lnxb0003:/home/otsgold #
>
> --
> Kim Goldenberg
> Systems Programmer I
> State of NJ - OIT
> 609-777-3722
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]

--
Christian Langer
Zentrum für Informationsverarbeitung und Informationstechnik
Haus I Raum 339
An der Kueppe 2
53225 Bonn
Mail: [EMAIL PROTECTED]
Tel: 0228 99680 5199
Re: Migrating Data to zLinux from z/OS and maintain ACLs and Permission
RPN01 wrote:
> The problem isn't just "Does FRED exist?" - it is "Does FRED exist, and does FRED have the same GID on both systems?" Remember that very few things are

tar does store the names. I think cpio does. pax should, according to the archive format it's creating.

Here is some evidence:

20:22 [EMAIL PROTECTED] tmp]$ pax -w -x ustar zonker | xxd | grep -v ' '
000: 7a6f 6e6b 6572 zonker..
060: 3030 3030 3636 3400 3030 3031 664.0001
070: 3735 3000 3030 3031 3735 3000 3030 3030 750.0001750.
080: 3030 3030 3030 3000 3130 3735 3230 3432 000.10752042
090: 3534 3000 3030 3133 3230 3200 3000 540.0013202.0...
100: 0075 7374 6172 0030 3073 756d 6d65 7200 .ustar.00summer.
120: 0073 756d 6d65 7200 .summer.
140: 0030 3030 3030 3030 .000
150: 0030 3030 3030 3030 .000
20:22 [EMAIL PROTECTED] tmp]$ \ls -l zonker
-rw-rw-r-- 1 summer summer 0 Feb 5 20:15 zonker
20:23 [EMAIL PROTECTED] tmp]$

> actually stored using the actual user name; most of it is stored as the UID / GID, which is just a number. If you haven't done UID / GID leveling between your systems, then you're opening a huge security risk, because you have no idea who you're granting permissions to.

if you restore as root, then you can "give" files to others, but not otherwise.

<>

> On 2/1/08 4:50 PM, "John Summerfield" <[EMAIL PROTECTED]> wrote:
>> My first concern would be whether the ACLs can be expressed in Linux, and what preparation needs to be done. An ACL to grant access to group FRED might not transfer if FRED does not exist,

--
Cheers
John

-- spambait [EMAIL PROTECTED] [EMAIL PROTECTED]
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)
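An added illustration of the exchange above (not part of the thread and not any poster's code): a ustar header carries both the numeric UID/GID and the owner names, so an archive can be checked against the target system's ID tables before a restore hands files to the wrong account. The archive, the target tables and the helper names are constructed for this example; the field offsets are the standard ustar layout.

```python
import io
import tarfile

# ustar header fields as (offset, length) within the 512-byte block.
FIELDS = {"name": (0, 100), "uid": (108, 8), "gid": (116, 8),
          "magic": (257, 6), "uname": (265, 32), "gname": (297, 32)}

def build_archive(name, uid, gid, uname, gname):
    """Write a one-member ustar archive to memory (constructed sample)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        info = tarfile.TarInfo(name)
        info.uid, info.gid, info.uname, info.gname = uid, gid, uname, gname
        info.mode = 0o664
        tar.addfile(info)
    return buf.getvalue()

def parse_header(block):
    """Decode the ownership fields of one raw ustar header block."""
    out = {}
    for key, (off, length) in FIELDS.items():
        raw = block[off:off + length].split(b"\0", 1)[0].decode("ascii")
        out[key] = int(raw, 8) if key in ("uid", "gid") else raw  # IDs are octal text
    return out

def audit_owner(header, target_users, target_groups):
    """List the ways the archived owner disagrees with the target's ID tables."""
    findings = []
    for kind, id_key, name_key, table in (
            ("user", "uid", "uname", target_users),
            ("group", "gid", "gname", target_groups)):
        name, num = header[name_key], header[id_key]
        if name not in table:
            findings.append(f"{kind} {name!r} missing on target")
        elif table[name] != num:
            holder = next((n for n, i in table.items() if i == num), None)
            findings.append(f"{kind} {name!r} is {table[name]} on target, "
                            f"archive has {num}, which belongs to {holder!r} there")
    return findings

if __name__ == "__main__":
    # Same shape as the dump in the message: uid/gid 0001750 (octal) = 1000.
    hdr = parse_header(build_archive("zonker", 1000, 1000, "summer", "summer")[:512])
    print(hdr)
    # Constructed target system where ID levelling was never done.
    for line in audit_owner(hdr, {"summer": 1001, "fred": 1000}, {"summer": 1000}):
        print("MISMATCH:", line)
```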
Re: Copying ACLs from USS to z/Linux
Patrick Spinler wrote:
> North, Quinn wrote:
>> That being said, Linux can do ACL's just fine. They work the same way on both systems (albeit with a slight syntax change in the command). The big assumption here is that the two will be compatible. I figured I'd post out on the list to see if anyone had done something similar before. We can't be the only shop using ACL's ... can we??
>
> We do use ACLs on linux fairly heavily, and they work well for us. I just didn't know anything about z/OS HFS ACL's. The only issue I'm aware of for using ACL's on linux was already mentioned: many standard backup tools don't back up or restore them. Caveat emptor, I guess.

My concern is that, however USS stores them, it's not the same way Linux does. If there is any difference, a new plan is called for.

--
Cheers
John

-- spambait [EMAIL PROTECTED] [EMAIL PROTECTED]
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)
Re: report archive software?
Neale Ferguson wrote:
> Not wishing to advertise but... NJE on a Linux guest would allow z/OS to send output to it. The output can be placed in a central location, converted to PDF, post-processed by a user defined routine, placed in a spot only accessible to a given user etc.
>
> Neale

If a back-port of the IBM Unit Record driver works its way into SLES or RHEL then I would guess you can just stream the data into a RDR without any need for NJE under Linux. All that would be required is that the setup between z/OS and z/VM were made, and that z/VM then queues the output to the correct Linux Guest's RDR for processing.

mark
Re: Kernel BUG at drivers/s390/cio/device_fsm.c:1291
Ron Foster at Baldor-IS wrote:
> I have a problem that I have not been able to find a solution for, so I have joined the list.

Welcome :-).

> kernel BUG at drivers/s390/cio/device_fsm.c:1291!
> Anyone have any ideas on what to do or who to contact ?

BUG() is a macro that kernel developers use to indicate "something bad went wrong here, and I don't know how to recover". In this case, it is in "our" code, and needs fixing. So, I guess there are two answers:

- if you have a service contract, shrink-wrap the kernel's debug output and hand it to your service representative, and make him open a customer problem record.
- if not, go the "linux" way and look at /usr/src/linux/drivers/s390/cio/device_fsm.c, contact the developers named in that file and inform them about your situation. They will be interested to track down the issue on a best-can-do basis.

cheers,
Carsten