Re: cio_ignore vs Linux in System z
Indeed, as pointed out by other folks this "feature" was introduced in our very early days, when clients started to install Linux into LPARs with possibly tens of thousands of devices they would need if IPLing z/OS into it. Not only did it take long to boot, but we initially only operated on the first 1024 devices found, and didn't have plugging rules yet. And other z/OS holding permanent RESERVEs on shared ECKD devices it owned didn't help much either.

We'd discussed whether to introduce black lists or white lists addressing the challenges at hand and eventually implemented both.

Much has changed since then and whether it should be a default or not is a valid discussion to have. You may consider it paranoia but its introduction served a purpose - and still does. If running under z/VM and/or if using Linux in LPAR with your IODF written in a way that only devices the LPAR is supposed to operate on are configured to it you can presumably safely turn it off.

Best regards
Ingo

Ingo Adlung
IBM Distinguished Engineer
Chief Architect, System z Virtualization & Linux
mail: adl...@de.ibm.com
phone: +49-7031-16-4263

IBM Deutschland Research & Development GmbH
Chairman of the Supervisory Board: Martina Koederitz
Management: Dirk Wittkopp
Registered office: Böblingen
Registration court: Amtsgericht Stuttgart, HRB 243294

--
For LINUX-390 subscribe / signoff / archive access instructions, send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
--
For more information on Linux on System z, visit
http://wiki.linuxvm.org/
Re: cio_ignore vs Linux in System z
>>> On 1/12/2015 at 02:48 PM, Linker Harley - hlinke wrote:
> Until you get around to disabling cio_ignore you can run the following
> command to update the blacklist when you add a volume to Linux to enable it
> to be seen:
> cio_ignore -r 0.0.vdev

Better yet, just
    cio_ignore -R
which will wipe out the whole list and need no further action when new devices are added. Just make sure zipl.conf gets updated and zipl rerun so things won't go back to the status quo at the next reboot.

Mark Post
Re: cio_ignore vs Linux in System z
Mike,

Until you get around to disabling cio_ignore you can run the following command to update the blacklist when you add a volume to Linux to enable it to be seen:
    cio_ignore -r 0.0.vdev

Harley Linker

***
The information contained in this communication is confidential, is intended only for the use of the recipient named above, and may be legally privileged. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please resend this communication to the sender and delete the original message or any copy of it from your computer system. Thank You.
Re: cio_ignore vs Linux in System z
Thanks, Sam, Jay, Jim, Harley, and Mark (and anyone else who may have replied since I looked at the log),

There are no LPAR-only Linux servers running here, only those running (RHEL) under z/VM. I suspected that cio_ignore was something related to security (perhaps an auditor fearing that an errant z/VM sysprog might attach a wrong device address to a guest, or poor security rules coupled with use of VMCP would let the wrong Linux user access the wrong devices), or performance. It appears that the performance issue was the culprit, but not one of concern for me with only z/VM guests.

I've shared the suggestions with our zLinux admins, who will probably make dynamic updates for the few PoC guests currently running, and the next Golden Image(s).

Have to love this list, thanks again!

Mike Walter
Aon Corporation
The opinions expressed herein are mine alone, not necessarily those of my employer.
Re: cio_ignore vs Linux in System z
>>> On 1/12/2015 at 12:13 PM, "Cohen, Sam" wrote:
> Mike,
>
> This is a RedHat "feature"; it isn't an issue with SuSE. It is an

SUSE, please. (It's been 11 years now.)

> implementation choice by the distributor.

Beginning with SLES12, a feature request from IBM means that (by _changeable_ default),
    cio_ignore=all,!ipldev,!condev
will be added to the kernel parms at install time. As others have indicated this is primarily intended for LPAR installs. I personally see no significant benefit to using it in a virtual machine, whether z/VM or KVM. It does provide a very noticeable speed up in booting an LPAR with even a relatively small number of devices defined. This will almost certainly be included in SLES11 SP4 as well.

You can avoid the problems/confusion it causes by setting "blacklisting of devices" to off during the install process. Either way, it can be easily turned on or off afterward.

Mark Post
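An added example, not part of the thread or of any distribution's tooling: a shell function that evaluates a cio_ignore= kernel parameter such as the SLES12 default quoted above, applying the specs left to right as the kernel documentation describes, so you can check whether the parameters line kept in zipl.conf would still hide a device at the next boot. The function names, the sample parameters line and the device numbers are constructed, and the caller has to supply the IPL and console device numbers.

```shell
#!/bin/sh
# Added example: evaluate a cio_ignore= kernel parameter as the kernel
# documentation describes it: specs apply left to right, "!" un-ignores,
# and a device no spec mentions is not ignored. All names are constructed.

# Normalise 0.0.0190, 0x190 or 190 to "ssid:decimal-devno".
norm_dev() (
    case $1 in
        *.*.*)  ssid=${1#*.}; ssid=${ssid%%.*}; dev=${1##*.} ;;
        0[xX]*) ssid=0; dev=${1#0?} ;;
        *)      ssid=0; dev=$1 ;;
    esac
    echo "$ssid:$((0x$dev))"
)

# cio_state "KERNEL PARMS" DEVICE [IPLDEV] [CONDEV]: prints ignored|visible
cio_state() (
    set -f                          # no globbing when splitting words
    target=$(norm_dev "$2"); ipldev=${3:-}; condev=${4:-}; spec=
    for word in $1; do
        case $word in cio_ignore=*) spec=${word#cio_ignore=} ;; esac
    done
    result=visible
    IFS=,
    for item in $spec; do
        effect=ignored
        case $item in '!'*) effect=visible; item=${item#?} ;; esac
        case $item in ipldev) item=$ipldev ;; condev) item=$condev ;; esac
        case $item in
            '')  continue ;;        # keyword given but device unknown
            all) result=$effect; continue ;;
            *-*) lo=$(norm_dev "${item%-*}"); hi=$(norm_dev "${item#*-}") ;;
            *)   lo=$(norm_dev "$item"); hi=$lo ;;
        esac
        # Simplification: a range is matched inside one subchannel set only.
        if [ "${lo%:*}" = "${target%:*}" ] &&
           [ "${lo#*:}" -le "${target#*:}" ] &&
           [ "${target#*:}" -le "${hi#*:}" ]; then
            result=$effect
        fi
    done
    echo "$result"
)

# Constructed parameters line in the style of an /etc/zipl.conf entry.
PARMS='root=/dev/dasda1 cio_ignore=all,!ipldev,!condev,!0.0.0200-0.0.020f'
for dev in 0.0.0100 0.0.0009 0.0.0205 0.0.0300; do
    echo "$dev: $(cio_state "$PARMS" "$dev" 0.0.0100 0.0.0009)"
done
```

A device that reports "ignored" here stays hidden after a reboot even if it was freed at run time with cio_ignore -r, until the parameters line is changed and zipl is rerun.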
Re: cio_ignore vs Linux in System z
Mike,

I don't have this problem with my SLES 11 SP3 systems on System z as cio-ignore was not enabled, by default, at installation time. I encountered this problem with SLES 12 on System z as cio-ignore is enabled by default. I was just playing with SLES 12 to make note of the changes from SLES 11. When I install SLES 12 in non-play mode, I will disable this option as we only allow a guest to see the dasd volumes that it needs.

Harley Linker
Acxiom Corporation

P.S. I may see you at the upcoming CAVMEN meeting.

-----Original Message-----
From: Linux on 390 Port [mailto:LINUX-390@VM.MARIST.EDU] On Behalf Of Mike Walter
Sent: Monday, January 12, 2015 11:09 AM
To: LINUX-390@VM.MARIST.EDU
Subject: cio_ignore vs Linux in System z

The cio_ignore table within Linux (at least in RHEL6.5) is used to restrict access to devices, both real and virtual. Being new to Linux on System z, this has become an occasional stumbling block for our Linux admins; when we z/VM sysprogs attach a new virtual or real device and the guest cannot see it immediately.

I'm told that on distributed x86 (at least x86 here), the servers can see all the hardware. Is there a good reason that on Linux on System z the default is to prevent access to all devices unless they are manually removed from the cio_ignore table? I understand that an authorized user could attach a wrong device to a zLinux guest, so let's accept that risk as having been minimized. Are there other reasons to prevent every guest from accessing whatever devices are given to it?

Thanks!

Mike Walter
Aon Corporation
The opinions expressed herein are mine alone, not necessarily those of my employer.

FWIW, I subscribe in digest mode - so my responses may be slightly delayed.
Re: cio_ignore vs Linux in System z
It's also about efficiency. Recall that there aren't many other processors out there whose I/O architecture is built on (sub)channels. If the cio_ignore data indicates that signals arriving from certain channels needn't be processed, then that's less work the kernel has to engage in.

In cases where the assignment of devices has been done in an imprecise manner, cio_ignore can be a godsend, allowing you to blacklist all devices except those which you know your machine uses.

If cio_ignore is bothering you, it's rather easily dealt with -- you just have to remember to do it. See https://www.mail-archive.com/linux-390@vm.marist.edu/msg61591.html for an earlier (brief) discussion of practical living with cio_ignore.

If you don't have any devices worthy of blacklisting, then just set up your kernel parm line to omit the cio_ignore specification altogether.

Regards,
--Jim--
Re: cio_ignore vs Linux in System z
It's there for when you bring Linux up in an LPAR with bajillions of devices defined, like an old z/OS LPAR for example. The IPL takes forever as udev enumerates all those devices in /sys and /dev, and then you're running a system that can touch all the devices which it should not have access to.

If you're running under z/VM, you can disable the cio_ignore feature entirely by removing the cio_ignore statement from the kernel parameter in /etc/zipl.conf and rewriting the ipltest with the zipl command.

If you're running under LPAR, you really ought to be removing non-Linux devices from the IODF access list anyway, but it does allow you an additional layer of configurability if you decide you want it.

--
Jay Brenneman
Re: cio_ignore vs Linux in System z
Mike,

This is a RedHat "feature"; it isn't an issue with SuSE. It is an implementation choice by the distributor.

Thanks,
Sam Cohen
Levi, Ray & Shoup, Inc.