Re: Anybody using PigIron z/VM SMAPI client?
Patrick Spinler wrote:

> Specifically, I'd like to be able to remotely query various dirmaint
> functions for capacity reporting purposes (e.g. dirmaint dirmap,
> dirmaint user nopass) Ergo, I've looked at pigiron. Unfortunately, the
> SMAPI doesn't quite fit what I'm wanting in this circumstance.

Do you mean SMAPI itself or the SMAPI client in PigIron? SMAPI can itself be extended in Rexx and PigIron mapped to such extension.

My idea in PigIron was that SMAPI + PigIron might end up being what the i/OS services over TCP/IP + JTOpen is to iSeries. Except you can't practically extend the servers on i/OS but you can on z/VM SMAPI.

--
Jack J. Woehr            # I run for public office from time to time. It's like
http://www.well.com/~jax # working out at the gym, you sweat a lot, don't get
http://www.softwoehr.com # anywhere, and you fall asleep easily afterwards.

--
For LINUX-390 subscribe / signoff / archive access instructions, send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390
Re: Anybody using PigIron z/VM SMAPI client?
I'm a relative z/VM newcomer, and when I first heard of this it was also my introduction to SMAPI. I initially got fairly interested as I have a number of problems I was hoping for SMAPI to solve, and pigiron would have been a great aid in using it.

Specifically, I'd like to be able to remotely query various dirmaint functions for capacity reporting purposes (e.g. dirmaint dirmap, dirmaint user nopass)

Ergo, I've looked at pigiron. Unfortunately, the SMAPI doesn't quite fit what I'm wanting in this circumstance.

So sorry, downloaded it, but it didn't fit what I was looking for at the time

-- Pat

Jack Woehr wrote:
> PigIron the open source Java client for z/VM SMAPI has been downloaded
> many times:
>
> http://pigiron.sourceforge.net
>
> I'm not getting any user feedback. It would be nice to hear from anyone
> who is using PigIron, even if it's only, "I can't get the @^#! thing
> installed!"
>
> Having released the PigLet Servlet and the web Builder the next step
> planned is an operations navigator web application with drag-and-drop
> complex operation composition, storage, and parameterized execution.
>
> If I continue.
>
> Would surely like to hear from anyone with any thoughts about PigIron!
>
> --
> Jack J. Woehr            # I run for public office from time to time. It's like
> http://www.well.com/~jax # working out at the gym, you sweat a lot, don't get
> http://www.softwoehr.com # anywhere, and you fall asleep easily afterwards.
Anybody using PigIron z/VM SMAPI client?
PigIron the open source Java client for z/VM SMAPI has been downloaded many times:

http://pigiron.sourceforge.net

I'm not getting any user feedback. It would be nice to hear from anyone who is using PigIron, even if it's only, "I can't get the @^#! thing installed!"

Having released the PigLet Servlet and the web Builder the next step planned is an operations navigator web application with drag-and-drop complex operation composition, storage, and parameterized execution.

If I continue.

Would surely like to hear from anyone with any thoughts about PigIron!

--
Jack J. Woehr            # I run for public office from time to time. It's like
http://www.well.com/~jax # working out at the gym, you sweat a lot, don't get
http://www.softwoehr.com # anywhere, and you fall asleep easily afterwards.
Re: Adding dasd to LVM
Yes, as long as you add the same number of physical volumes as you have stripes.

-Original Message-
From: Linux on 390 Port [mailto:linux-...@vm.marist.edu] On Behalf Of Livio Sousa
Sent: Friday, January 16, 2009 2:41 PM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: [LINUX-390] Adding dasd to LVM

Does somebody know if it is possible to extend an ext3 striped volume?

On Tue, Jan 13, 2009 at 3:45 PM, Tom Duerbusch wrote:
> Thanks Mike
>
> I see that now.
>
> Page 185 shows a move of the old directory, onto the new LVM volume. That
> stopped me (reading online instead of printing out the book). Two pages
> down, it describes extending a current LVM.
>
> Tom Duerbusch
> THD Consulting
>
> >>> Michael MacIsaac 1/13/2009 6:49 AM >>>
> Tom,
>
> >> The Redbook "z/VM and Linux on IBM System z The Virtualization
> > Cookbook for SLES 10 SP2" has a section "11.2 ...
>
> > It has the documentation for adding 2 volumes to a new logical
> > group and moving an existing directory structure to that group.
> Huh? Section 11.1 describes how to create a two volume LVM and mount it
> over /home. Section 11.2 describes how to extend the volume group and the
> same logical volume to three physical volumes.
>
> "Mike MacIsaac"(845) 433-7061
Re: Adding dasd to LVM
Does somebody know if it is possible to extend an ext3 striped volume?

On Tue, Jan 13, 2009 at 3:45 PM, Tom Duerbusch wrote:
> Thanks Mike
>
> I see that now.
>
> Page 185 shows a move of the old directory, onto the new LVM volume. That
> stopped me (reading online instead of printing out the book). Two pages
> down, it describes extending a current LVM.
>
> Tom Duerbusch
> THD Consulting
>
> >>> Michael MacIsaac 1/13/2009 6:49 AM >>>
> Tom,
>
> >> The Redbook "z/VM and Linux on IBM System z The Virtualization
> > Cookbook for SLES 10 SP2" has a section "11.2 ...
>
> > It has the documentation for adding 2 volumes to a new logical
> > group and moving an existing directory structure to that group.
> Huh? Section 11.1 describes how to create a two volume LVM and mount it
> over /home. Section 11.2 describes how to extend the volume group and the
> same logical volume to three physical volumes.
>
> "Mike MacIsaac"(845) 433-7061
Re: Security question and using scp
2009/1/17 CHAPLIN, JAMES (CTR) :
> We have a security requirement (which is common with Linux) to prevent
> ssh login for root (setting PermitRootLogin to no). One problem we
> find, as system administrators, we like to use secure copy (remote file
> copy program, scp) files between systems. However this will not work for
> any root level files, since scp uses ssh to copy files over a network.
> Does anyone have a suggested solution or better way around this issue?

Still a kludge, but I commonly (if the files I want to grab are world-readable) ssh to the target machine, su and then copy them with

scp -p u...@host:/path/to/file /path/to/file

Cheers,
Andrej
Re: Security question and using scp
Tom Kern from DOE called me with a good solution, using pubkeys and in the sshd_conf file, set PermitRootLogin to without-password. Did a google search on "PermitRootLogin without-password" and got a lot of hits, trying to set up a test right now (phone keeps ringing with other people's problem ;-0). But this is looking like the best solution. Will update soon, thanks for the suggestions. Thanks Tom for pointing me in the right direction.

James Chaplin
Systems Programmer, MVS, zVM & zLinux
Base Technologies, Inc

-Original Message-
From: Linux on 390 Port [mailto:linux-...@vm.marist.edu] On Behalf Of Romanowski, John (OFT)
Sent: Friday, January 16, 2009 1:49 PM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: Security question and using scp

Have the same issue here. As workarounds I sometimes use an NFS mount to transfer multiple files, or a VDISK used as a thumb drive to copy multiple files from one guest to another on the same VM system

> -Original Message-
> From: Linux on 390 Port [mailto:linux-...@vm.marist.edu] On Behalf Of
> CHAPLIN, JAMES (CTR)
> Sent: Friday, January 16, 2009 11:20 AM
> To: LINUX-390@VM.MARIST.EDU
> Subject: Security question and using scp
>
> We have a security requirement (which is common with Linux) to prevent
> ssh login for root (setting PermitRootLogin to no). One problem we
> find, as system administrators, we like to use secure copy (remote file
> copy program, scp) files between systems. However this will not work
> for any root level files, since scp uses ssh to copy files over a network.
> Does anyone have a suggested solution or better way around this issue?
>
> James Chaplin
> Systems Programmer, MVS, zVM & zLinux
> Base Technologies, Inc
> Supporting the zSeries Platform Team
> Data Center Operations Branch
> Enterprise Data Center Operations Group
> Enterprise Data Management & Engineering Division
> Office of Information and Technology
> Department of Homeland Security/U.S. Customs & Border Protection
> (703) 921-6220
> james.chap...@cbp.dhs.gov
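
The two PermitRootLogin settings discussed in this thread ("no", and "without-password" for key-only root access) can be checked against a host's sshd_config text. The following is an added example, not code from any poster; the function names and the sample configuration are constructed for illustration, and only the global section of the file is examined.

```shell
#!/bin/sh
# Added example (not from the thread): find the PermitRootLogin value that
# sshd will use from sshd_config text, and say whether root can still log
# in over SSH with a password.

# effective_permit_root_login [FILE...]   (reads stdin when no FILE is given)
# sshd keeps the first value it reads for a keyword, keywords are
# case-insensitive, and "Keyword=value" is accepted as well as "Keyword value".
# Only the global section is read: scanning stops at the first Match block.
effective_permit_root_login() {
    awk '
        {
            line = $0
            sub(/\r$/, "", line)                  # tolerate CRLF files
            sub(/^[ \t]+/, "", line)              # drop leading indentation
            if (line == "" || substr(line, 1, 1) == "#") next
            n = split(line, f, /[ \t=]+/)
            key = tolower(f[1])
            if (key == "match") exit              # conditional overrides follow
            if (key == "permitrootlogin" && n >= 2 && f[2] != "") {
                val = tolower(f[2])
                gsub(/"/, "", val)                # value may be quoted
                print val
                found = 1
                exit                              # first occurrence wins
            }
        }
        END { if (!found) print "unset" }
    ' "$@"
}

# root_password_login [FILE...]
# Prints: yes     - root may authenticate with a password
#         no      - root login is disabled or limited to public keys
#         default - no global setting; the outcome depends on the built-in
#                   default of the installed OpenSSH version
#         unknown - unrecognised value
# "prohibit-password" is the name newer OpenSSH releases use for
# "without-password".
root_password_login() {
    case "$(effective_permit_root_login "$@")" in
        yes) echo yes ;;
        no|without-password|prohibit-password|forced-commands-only) echo no ;;
        unset) echo default ;;
        *) echo unknown ;;
    esac
}

# Constructed sample input: a commented-out line, a lower-case keyword, a
# later duplicate that sshd ignores, and a Match block that is not examined.
sample_config() {
    cat <<'EOF'
# constructed sample, not taken from the thread
Port 22
#PermitRootLogin yes
permitrootlogin without-password
PermitRootLogin yes
Match Address 192.0.2.0/24
    PermitRootLogin no
EOF
}

echo "effective PermitRootLogin: $(sample_config | effective_permit_root_login)"
echo "root password login:       $(sample_config | root_password_login)"
```

On a live host, running `sshd -T` as root prints the configuration sshd has actually loaded, which is the authoritative check.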
Re: Security question and using scp
Have the same issue here. As workarounds I sometimes use an NFS mount to transfer multiple files, or a VDISK used as a thumb drive to copy multiple files from one guest to another on the same VM system

> -Original Message-
> From: Linux on 390 Port [mailto:linux-...@vm.marist.edu] On Behalf Of
> CHAPLIN, JAMES (CTR)
> Sent: Friday, January 16, 2009 11:20 AM
> To: LINUX-390@VM.MARIST.EDU
> Subject: Security question and using scp
>
> We have a security requirement (which is common with Linux) to prevent
> ssh login for root (setting PermitRootLogin to no). One problem we
> find, as system administrators, we like to use secure copy (remote file
> copy program, scp) files between systems. However this will not work
> for any root level files, since scp uses ssh to copy files over a network.
> Does anyone have a suggested solution or better way around this issue?
>
> James Chaplin
> Systems Programmer, MVS, zVM & zLinux
> Base Technologies, Inc
> Supporting the zSeries Platform Team
> Data Center Operations Branch
> Enterprise Data Center Operations Group
> Enterprise Data Management & Engineering Division
> Office of Information and Technology
> Department of Homeland Security/U.S. Customs & Border Protection
> (703) 921-6220
> james.chap...@cbp.dhs.gov
Re: State of the Art for Linux Dumps
>>> On 1/16/2009 at 12:19 PM, "Scully, William P" wrote:
> In z/VM if a server abends we'd take a VMDUMP to collect the needed doc.
> For a Linux on zSeries server what's the proper option? Is the best
> tool to use LKCD? Or is there a "trick" to using VMDUMP's materials in
> a fashion similar to LKCD?

You've got a couple of choices. You can take a VM dump of the guest, and then use one of the tools in the s390-utils to convert it to a Linux crash dump format. Or, you can use the Linux standalone dump program. That obviously needs to be configured in advance, but it's not hard to do.

Mark Post
Re: Security question and using scp
Same rule here (if only some of these vendors (cough ibm/tivoli cough) would comprehend... )

1. "scp -p filename non-rootu...@target.system" and then SSH to the target system, su to root, move the file to the right place and chown it back to what it should be.

That's what I mainly do -- except I do the copy and then "ssh ma...@host sudo mv somefile /etc/somefile"

Marcy

-Original Message-
From: Linux on 390 Port [mailto:linux-...@vm.marist.edu] On Behalf Of Mark Post
Sent: Friday, January 16, 2009 8:33 AM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: [LINUX-390] Security question and using scp

>>> On 1/16/2009 at 11:20 AM, "CHAPLIN, JAMES (CTR)" wrote:
> We have a security requirement (which is common with Linux) to prevent
> ssh login for root (setting PermitRootLogin to no). One problem we
> find, as system administrators, we like to use secure copy (remote
> file copy program, scp) files between systems. However this will not
> work for any root level files, since scp uses ssh to copy files over a network.
> Does anyone have a suggested solution or better way around this issue?

While I agree with the principle of no direct root logins, this side effect bugs me to no end, since I do a lot of scp work. The only ways I've found to get around it are to:

1. "scp -p filename non-rootu...@target.system" and then SSH to the target system, su to root, move the file to the right place and chown it back to what it should be.
2. Create a tar file with the file in it, scp it as the non-root user, SSH to the target system, su to root, untar the file in place.
3. Enable SSL FTP, then get and use an SSL FTP client.

Mark Post
Please ignore my last post Re: [LINUX-390] State of the Art for Linux Dumps
It was supposed to be a private reply to Mr. Scully. My humble apologies.

--
--Carey Schug
Re: State of the Art for Linux Dumps
Hi Bill, how are you doing? Still with CA, I see. I'm back looking for a job since Christmas... Ever able, or try to, come to Chicago for a CAVMEN meeting?

--
--Carey Schug from Northwest Industries

-- Original message --
From: "Scully, William P"
> In z/VM if a server abends we'd take a VMDUMP to collect the needed doc.
> For a Linux on zSeries server what's the proper option? Is the best
> tool to use LKCD? Or is there a "trick" to using VMDUMP's materials in
> a fashion similar to LKCD?
State of the Art for Linux Dumps
In z/VM if a server abends we'd take a VMDUMP to collect the needed doc. For a Linux on zSeries server what's the proper option? Is the best tool to use LKCD? Or is there a "trick" to using VMDUMP's materials in a fashion similar to LKCD?
Re: SWAPGEN and PROFILE EXEC's
We don't use swapgen for exactly this reason. We define the vdisks in the directory, and have an init script that runs very early in the Linux boot that formats and enables the swap partitions. Works fine, and allows us to keep the configuration at a single point.

Remember, there's nothing magical about enabling swap. It's done during rc.sysinit, and unless the guest is VERY small, it's unlikely any of the space will be required before the first init script is run.

We also use boot-time scripts to configure the network interfaces from files stored on the 191 disk. This way, the IP address can be changed without bringing up the guest. Disadvantage is, every guest needs its own 191 disk, but we get a lot of flexibility this way. There are other ways to handle this I've thought of along the way, but the basic principle is sound.

-Original Message-
From: Linux on 390 Port [mailto:linux-...@vm.marist.edu] On Behalf Of Mark Post
Sent: Friday, January 16, 2009 11:56 AM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: [LINUX-390] SWAPGEN and PROFILE EXEC's

>>> On 1/16/2009 at 7:57 AM, Michael MacIsaac wrote:
>> I would rather control the VDISK sizes in the directory instead of
> having PROFILE EXEC
> Makes me wonder - can you pass parameters into PROFILE EXEC by setting the
> directory? e.g. "IPL CMS 300 524288 301 1048576"? Then use those
> parameters with SWAPGEN to make the correct vaddrs and swap space sizes
> ... just a thought.

This assumes that no one does anything other than use those values. Rob's point is that someone might do something different and hurt overall system performance. I think the idea of having the VDISK defined in the directory, and using SWAPGEN's REUSE option that Rich mentioned is the "safest" way to do this. As at least one person on the list has seen, if you allow "too much" VDISK to be defined and it _gets_used_, it can really hurt you.

Regarding using PROFILE EXEC versus COMMAND statements in the CP directory, there is a place for both. One of the benefits of the COMMAND statement is that it gets executed, regardless of the privileges associated with the virtual machine. So, you can have arbitrary guests issue commands at logon time that they would not otherwise be able to in PROFILE EXEC. The conditional logic that PROFILE EXEC provides gives you all sorts of other flexibility.

Mark Post
Re: Installing a New Linux Guest from the Starter System
>>> On 1/16/2009 at 11:41 AM, Ray Waters wrote:
-snip-
> Once the SLES exec is complete, IPL 150 does not work. What am I missing?
> Do I have to LOGIN via PUTTY EXEC to 172.16.24.107 and run some kind of
> program named YaST? If so where do I go from there and what do I enter? There
> are no further instructions in this manual

Well, that is what the system is telling you to do, so yes. :) The actual Linux installation process is covered in other documents, so we definitely didn't want to reproduce them in the starter system doc. That's why we have Appendix D, which talks about what other things you need to look at. In particular,

http://www.novell.com/documentation/sles10/sles_admin/sles_admin.pdf

If you're interested in cloning and such, the IBM Redbook Virtualization Cookbook is another good place. Simply use the starter system as the network installation source it talks about.

http://www.redbooks.ibm.com/redbooks/pdfs/sg247493.pdf

Mark Post
Re: SWAPGEN and PROFILE EXEC's
>>> On 1/16/2009 at 7:57 AM, Michael MacIsaac wrote:
>> I would rather control the VDISK sizes in the directory instead of
> having PROFILE EXEC
> Makes me wonder - can you pass parameters into PROFILE EXEC by setting the
> directory? e.g. "IPL CMS 300 524288 301 1048576"? Then use those
> parameters with SWAPGEN to make the correct vaddrs and swap space sizes
> ... just a thought.

This assumes that no one does anything other than use those values. Rob's point is that someone might do something different and hurt overall system performance. I think the idea of having the VDISK defined in the directory, and using SWAPGEN's REUSE option that Rich mentioned is the "safest" way to do this. As at least one person on the list has seen, if you allow "too much" VDISK to be defined and it _gets_used_, it can really hurt you.

Regarding using PROFILE EXEC versus COMMAND statements in the CP directory, there is a place for both. One of the benefits of the COMMAND statement is that it gets executed, regardless of the privileges associated with the virtual machine. So, you can have arbitrary guests issue commands at logon time that they would not otherwise be able to in PROFILE EXEC. The conditional logic that PROFILE EXEC provides gives you all sorts of other flexibility.

Mark Post
Re: Security question and using scp
>>> On 1/16/2009 at 11:20 AM, "CHAPLIN, JAMES (CTR)" wrote:
> We have a security requirement (which is common with Linux) to prevent
> ssh login for root (setting PermitRootLogin to no). One problem we
> find, as system administrators, we like to use secure copy (remote file
> copy program, scp) files between systems. However this will not work for
> any root level files, since scp uses ssh to copy files over a network.
> Does anyone have a suggested solution or better way around this issue?

While I agree with the principle of no direct root logins, this side effect bugs me to no end, since I do a lot of scp work. The only ways I've found to get around it are to:

1. "scp -p filename non-rootu...@target.system" and then SSH to the target system, su to root, move the file to the right place and chown it back to what it should be.
2. Create a tar file with the file in it, scp it as the non-root user, SSH to the target system, su to root, untar the file in place.
3. Enable SSL FTP, then get and use an SSL FTP client.

Mark Post
Security question and using scp
We have a security requirement (which is common with Linux) to prevent ssh login for root (setting PermitRootLogin to no). One problem we find, as system administrators, we like to use secure copy (remote file copy program, scp) files between systems. However this will not work for any root level files, since scp uses ssh to copy files over a network. Does anyone have a suggested solution or better way around this issue?

James Chaplin
Systems Programmer, MVS, zVM & zLinux
Base Technologies, Inc
Supporting the zSeries Platform Team
Data Center Operations Branch
Enterprise Data Center Operations Group
Enterprise Data Management & Engineering Division
Office of Information and Technology
Department of Homeland Security/U.S. Customs & Border Protection
(703) 921-6220
james.chap...@cbp.dhs.gov
Re: SWAPGEN and PROFILE EXEC's - slight OT
On 1/16/09 9:04 AM, "Gentry, Stephen" wrote:
> Let's take this in a different direction for a moment (a.k.a. OT)
> Disregard the VDISK usage for a moment. The swap disk will be on a
> mini-disk. What are the advantages (or disadvantages) of IPL'ing the
> boot disk in the directory vs IPL'ing cms, doing some stuff in a profile
> exec and then IPL'ing the boot disk (from the profile exec)?
> I'm trying to keep storage usage "lean and mean" so IPL'ing CMS seems to
> add an extra layer.

Given that CMS is a shared segment, only one copy ends up in real storage, so you're really not buying all that much storage savings. You save a few cycles, but give up a lot of flexibility and configurability by removing the ability to have sophisticated REXX logic as part of your startup (you probably could do similar stuff inside the Linux guest, but REXX and CMS have a lot of interfaces and knowledge about the VM environment that have not yet been exposed to Linux). Having the COMMAND stuff in the CP directory does provide some configuration capability, but it isn't able to do conditional stuff.

If you're concerned about disk space, put the virtual-machine specific stuff in a SFS directory where you use only the blocks that the specifications actually take up. If you're concerned about commonality, the suggestion of using a common PROFILE EXEC on a shared minidisk that calls a userid-specific EXEC for individual virtual machines is a time-tested and good way to do that.

Short version: I can't really see a compelling advantage for putting everything in the CP directory and skipping the CMS IPL. It saves a few cycles at the expense of a lot of command-and-control benefits.

-- db
Re: SWAPGEN and PROFILE EXEC's - slight OT
Stephen Gentry wrote:
> I'm trying to keep storage usage "lean and mean" so IPL'ing CMS
> seems to add an extra layer.

Only for a few seconds. Then the storage CMS used is gone. Although if there were few other guests running CMS, it could cause your CMS DCSS to be briefly paged in.

Douglas Wooster
Re: SWAPGEN and PROFILE EXEC's
On Friday, 01/16/2009 at 09:43 EST, Bruce Hayden wrote:

> Since the PROFILE EXEC is called by SYSPROF EXEC who does get the
> parameters, it is possible to access the parms in the PROFILE EXEC
> using pipelines:
> 'PIPE literal INSPARMS| varfetch 1 toload | varload'
> say insparms
>
> Whether or not this is the best way to solve this problem is up to
> you. I've used this "trick" in the past to xautolog some worker
> machines and tell them what to do, before we had the COMMAND directory
> statement. Using the tag data with COMMAND would certainly work also.

You're right, I forgot about that little trick. You can do that as long as you run SYSPROF.

With XAUTOLOG you have the option of supplying parameters to the guest w/o mucking with IPL.

    XAUTOLOG CMSGUEST#my parameters

(You type that with #CP prefix or as XAUTOLOG CMSGUEST"#my parameters)

"my parameters" are presented to the guest as though they had been entered at the console.

Alan Altmark
z/VM Development
IBM Endicott
Re: SWAPGEN and PROFILE EXEC's - slight OT
On Friday, 01/16/2009 at 09:23 EST, "van Sleeuwen, Berry" wrote:

> I let the guest setup some environment settings before it will boot the
> linux itself. Settings like PF-keys, RUN, EMSG, MSG, CHARDEL and indeed
> the VDISK setup. You could argue if these settings couldn't be changed
> from within the linux boot process but then I'd have to include these
> commands in all linuxguests. In the PROFILE EXEC the settings are the
> same for every guest because the 191 is a shared R/O disk and I don't
> have to think about it with a new guest.

All handled via INCLUDEs that contain COMMANDs in the directory. With the advent of the COMMAND directive, the need to IPL CMS to perform CP functions has pretty much evaporated.

Where CMS is still useful in that respect is when you want to do something based on conditional logic or that requires a CMS service. E.g. Do something different if you detect you are not on your 'home' system (DR) and you want to use the CMS IDENTIFY command rather than QUERY USERID.

Alan Altmark
z/VM Development
IBM Endicott
Re: SWAPGEN and PROFILE EXEC's
Since the PROFILE EXEC is called by SYSPROF EXEC who does get the parameters, it is possible to access the parms in the PROFILE EXEC using pipelines:

    'PIPE literal INSPARMS| varfetch 1 toload | varload'
    say insparms

Whether or not this is the best way to solve this problem is up to you. I've used this "trick" in the past to xautolog some worker machines and tell them what to do, before we had the COMMAND directory statement. Using the tag data with COMMAND would certainly work also.

On Fri, Jan 16, 2009 at 8:51 AM, Alan Altmark wrote:

>
> The IPL parameters (IPL CMS PARM xx y ) are not saved
> anywhere. What you can do is to add COMMAND TAG DEV 00E to
> the directory and then extract it in a profile (whether Linux or CMS) via
> TAG QUERY DEV 00E.
>
> Alan Altmark
> z/VM Development
> IBM Endicott
>

--
Bruce Hayden
Linux on System z Advanced Technical Support
IBM, Endicott, NY
Re: SWAPGEN and PROFILE EXEC's - slight OT
I let the guest setup some environment settings before it will boot the linux itself. Settings like PF-keys, RUN, EMSG, MSG, CHARDEL and indeed the VDISK setup. You could argue if these settings couldn't be changed from within the linux boot process but then I'd have to include these commands in all linuxguests. In the PROFILE EXEC the settings are the same for every guest because the 191 is a shared R/O disk and I don't have to think about it with a new guest.

Regards, Berry.
Re: SWAPGEN and PROFILE EXEC's
I do almost the same, but use a default, unless an fsstate of the 'userid() exec' file says to do otherwise. We only have a handful of exceptions, so the maintenance issue is minimal.

Patrick Carroll | Enterprise Architect
L.L.Bean, Inc.(r) | Double L St. | Freeport ME 04033
http://www.llbean.com | pcarr...@llbean.com | 207.552.2426

-----Original Message-----
From: Linux on 390 Port [mailto:linux-...@vm.marist.edu] On Behalf Of Richard Clapper
Sent: Thursday, January 15, 2009 7:37 PM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: SWAPGEN and PROFILE EXEC's

I'm pointing each Linux guest's 191 to a common minidisk on another UserID, where all guests execute the same PROFILE EXEC. It IPLs Linux if the Linux guest is started disconnected. The PROFILE also does "EXEC userid()", for which there is a unique EXEC on the common 191 for the guest. That way I can get all kinds of uniqueness for each guest, although I'm only using it for SWAPGEN right now.
Re: SWAPGEN and PROFILE EXEC's - slight OT
Let's take this in a different direction for a moment (a.k.a. OT)

Disregard the VDISK usage for a moment. The swap disk will be on a mini-disk. What are the advantages (or disadvantages) of IPL'ing the boot disk in the directory vs IPL'ing cms, doing some stuff in a profile exec and then IPL'ing the boot disk (from the profile exec)?

I'm trying to keep storage usage "lean and mean" so IPL'ing CMS seems to add an extra layer.

Thanks,
Steve
Re: SWAPGEN and PROFILE EXEC's
On Friday, 01/16/2009 at 07:58 EST, Michael MacIsaac/Poughkeepsie/i...@ibmus wrote:

> Makes me wonder - can you pass parameters into PROFILE EXEC by setting the
> directory? e.g. "IPL CMS 300 524288 301 1048576"? Then use those
> parameters with SWAPGEN to make the correct vaddrs and swap space sizes
> ... just a thought.

The IPL parameters (IPL CMS PARM xx y ) are not saved anywhere. What you can do is to add COMMAND TAG DEV 00E to the directory and then extract it in a profile (whether Linux or CMS) via TAG QUERY DEV 00E.

Alan Altmark
z/VM Development
IBM Endicott
Re: SWAPGEN and PROFILE EXEC's
Hi, Mike.

Yes, you could pass IPL parms to a Linux v.m. at IPL time to set VDISK definitions, but I believe you would need to modify SYSPROF EXEC for that to work. It's not something I would recommend.

Have a good one.

Michael MacIsaac wrote:

> > I would rather control the VDISK sizes in the directory instead of having PROFILE EXEC
>
> Makes me wonder - can you pass parameters into PROFILE EXEC by setting the
> directory? e.g. "IPL CMS 300 524288 301 1048576"? Then use those
> parameters with SWAPGEN to make the correct vaddrs and swap space sizes
> ... just a thought.
>
> "Mike MacIsaac" (845) 433-7061

--
DJ
V/Soft
z/VM and mainframe Linux expertise, training, consulting, and software development
www.vsoft-software.com
Re: SWAPGEN and PROFILE EXEC's
> I would rather control the VDISK sizes in the directory instead of having PROFILE EXEC

Makes me wonder - can you pass parameters into PROFILE EXEC by setting the directory? e.g. "IPL CMS 300 524288 301 1048576"? Then use those parameters with SWAPGEN to make the correct vaddrs and swap space sizes ... just a thought.

"Mike MacIsaac" (845) 433-7061
Re: SWAPGEN and PROFILE EXEC's
SWAPGEN has an option to use a previously defined VDISK (in the directory). I requested and use this option because I would rather control the VDISK sizes in the directory instead of having PROFILE EXEC or PROFILE exceptions for each Linux virtual machine.

Rob van der Heij wrote:

> On Fri, Jan 16, 2009 at 1:41 AM, Scott Rohling wrote:
>
> > That works too - but the down side is little individual PROFILE execs with
> > duplicated logic across them. I know disk space is cheap -- but I look at
> > every individual, unique EXEC as something that must be maintained and
> > worried about... So I tend to lean towards control files and common code
> > that uses those files.
>
> Again: ;-) The downside of this flexibility is that you don't enforce
> or control it. Typically, when the virtual machine can issue the
> relevant commands during the PROFILE EXEC, it will also be able to
> issue a lot of other commands that you do not need (mistakes,
> misconduct, or maybe a compromised root account).
>
> If you want to be able to define the VDISK out of the PROFILE EXEC,
> you must set the USRLIM high enough to allow the largest requirement.
> That would allow any Linux server to acquire that amount; something
> you may not be prepared for. When the VDISK is defined by an MDISK
> statement in the directory, it bypasses that check and you can enforce
> a per-user maximum.
>
> Rob

--
Rich Smrcina
VM Assist, Inc.
Phone: 414-491-6001
Ans Service: 360-715-2467
http://www.linkedin.com/in/richsmrcina

Catch the WAVV! http://www.wavv.org
WAVV 2009 - Orlando, FL - May 15-19, 2009
Re: SWAPGEN and PROFILE EXEC's
On Fri, Jan 16, 2009 at 1:41 AM, Scott Rohling wrote:

> That works too - but the down side is little individual PROFILE execs with
> duplicated logic across them. I know disk space is cheap -- but I look at
> every individual, unique EXEC as something that must be maintained and
> worried about... So I tend to lean towards control files and common code
> that uses those files.

Again: ;-) The downside of this flexibility is that you don't enforce or control it. Typically, when the virtual machine can issue the relevant commands during the PROFILE EXEC, it will also be able to issue a lot of other commands that you do not need (mistakes, misconduct, or maybe a compromised root account).

If you want to be able to define the VDISK out of the PROFILE EXEC, you must set the USRLIM high enough to allow the largest requirement. That would allow any Linux server to acquire that amount; something you may not be prepared for. When the VDISK is defined by an MDISK statement in the directory, it bypasses that check and you can enforce a per-user maximum.

Rob
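The trade-off in the message above, worked through as an added example that is not part of the thread: this Python sketch reads a constructed directory extract, totals the VDISK blocks each guest is granted by its own MDISK statements, and compares that with what every guest could acquire if one runtime limit were sized for the largest guest. The userids, sizes, INCLUDE name and the assumption that every USER entry is a Linux guest are illustrative.

```python
# Added example: constructed directory extract, hypothetical userids and sizes.
SAMPLE_DIRECTORY = """\
* constructed sample, not taken from the thread
USER LINUX01 XXXXXXXX 512M 1G G
 INCLUDE LNXDFLT
 MDISK 0300 FB-512 V-DISK 524288 MR
USER LINUX02 XXXXXXXX 1G 2G G
 INCLUDE LNXDFLT
 MDISK 0300 FB-512 V-DISK 524288 MR
 MDISK 0301 FB-512 V-DISK 1048576 MR
USER LINUX03 XXXXXXXX 512M 1G G
 INCLUDE LNXDFLT
 MDISK 0100 3390 0001 3338 LX0100 MR
 MDISK 0300 FB-512 V-DISK 262144 MR
"""


def vdisk_blocks_by_user(directory_text):
    """Return {userid: total 512-byte V-DISK blocks granted by MDISK statements}."""
    totals, current = {}, None
    for raw in directory_text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("*"):
            continue  # blank line or comment
        keyword = tokens[0].upper()
        if keyword == "USER" and len(tokens) > 1:
            current = tokens[1].upper()
            totals[current] = 0
        elif keyword == "PROFILE":
            current = None  # shared profile, not a guest
        elif (keyword == "MDISK" and current is not None
              and len(tokens) >= 5 and tokens[3].upper() == "V-DISK"
              and tokens[4].isdigit()):
            totals[current] += int(tokens[4])
    return totals


def compare_exposure(totals):
    """Contrast per-guest directory grants with one limit sized for the largest guest."""
    limit_needed = max(totals.values(), default=0)
    return {
        "directory_total": sum(totals.values()),      # enforced per guest
        "runtime_limit_needed": limit_needed,         # must fit the largest guest
        "runtime_worst_case": limit_needed * len(totals),  # every guest takes the limit
    }


if __name__ == "__main__":
    per_user = vdisk_blocks_by_user(SAMPLE_DIRECTORY)
    for userid, blocks in sorted(per_user.items()):
        print(f"{userid}: {blocks} blocks")
    print(compare_exposure(per_user))
```

With the sample data the runtime worst case is twice the directory-enforced total, which is the gap between a per-user maximum and a single limit that any guest can reach.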