zDevOps

KEEPING THE Z IN ENTERPRISE IT


System z - Are we doing it wrong?

The other day I was happily browsing “the youtubes” (mostly Numberphile videos) when I got one of those ‘pesky’ commercials.

You know, the ones where you can’t press SKIP for hours…

Turns out the video actually pleased me. I was hoping the ‘closing tagline’ would be something along the lines of “…..run it on the Linux Mainframe Cloud….” (turns out I was wrong).

You can watch the video below:

I was thinking “WHAT THE HTML! Why don’t we have videos like this to promote System z?”

Seeing as I have had some previous awesome interaction with Mr. Greg Lotko (now former VP for System z at Big Blue) and also had the contact details of his successor (Michael Desens) I thought “Why not send them an email expressing this feeling”.


Little could I have known this would result in a surplus of information regarding all the cool videos out there on my favorite platform.

Even the VP System z marketing (thanks Deon!) chimed in, resulting in a bucketload of links regarding System z videos out there…

In this post I will share (and comment on) the first batch I received. There’s much more in the email I received, so another post will surely arrive some time soon :)

Can you go five minutes without using a Mainframe?

Pretty neat video, addresses your ‘average Joe’ on how much he (or she, if an average Joe can be female too) uses a Mainframe on a daily basis. 

The Least Expensive Cloud Platform

Well, if we’re addressing ‘two-finger-thinking’ this one hits the spot. I don’t think this video will appeal to a lot of non-CFOs (the Financials Officer, not the Fun Officer) but still…..pretty decent :)

Instant Insight

To be honest, yadda-yadda analytics, yadda yadda TL;DR :)
Supporting the previous video though still not giving me the “WHAT THE HTML”-experience of the DigitalOcean video that started all this :)

Mobile

This should ‘wake up’ some of the policy-makers in various Enterprises as Mobile is (and will continue to be) one of the biggest growth areas…still missing some ‘awesomesauce’ if you ask me :)

Trust

Here we’re hitting one of the sweet spots. One of the compelling arguments in favour of my precious platform. Still a bit dull though :)

Enterprise Linux Servers

Aha! Linux! Now we’re talking. This should sound like music to every LinuxLover out there. 60 VM’s per core? Uber-Virtualisation? One box? It’s everything a nerdy sysadm would love…..

Conclusion…..?
To answer my own question whether ‘we’ on System z are “doing it wrong” I still have to come to a real answer (plus there’s more videos to ‘comment on’).

That being said I don’t think we’re doing it wrong, yet I strongly believe we could do a lot better.

The one question that remains :
“Is Digital Ocean running an Enterprise Linux Server on its backend?”

and if not : “Why not???”

Stay tuned for the next eight(!) video links I’ve received. 
Feel free to leave your comments below……….

Filed under mainframe doing it wrong or not awesomesauce digitalocean


Updating z1090 dongle-key

Just a short post, to quickly log how to ‘extend’ your z1090 key.

Mainly because we only do this once a year, and keep forgetting how to :

Head over to http://www-01.ibm.com/software/rational/support/licensing/ to actually get your key (first return the old one, then request a new one)

You will get a .bin file for your trouble. Save this file with a “.upw” extension as the ‘SecureUpdateUtility’ requires this extension :(

Then run sudo ./SecureUpdateUtility -u <name of your file>

And you’re good to go….

Filed under z1090 update secureupdateutility


zEquals - Ruthless Rounding :)

So I was watching one of my favorite YouTube channels, ‘Numberphile’ and saw a great video on ‘zEquals’. Seeing as it starts with a ‘z’ I was naturally attracted to the subject :)

Turns out ‘Ruthless Rounding’ is something we all should be familiar with, and also I think it’s something we all do (unknowingly) at times.

Needing the extra ‘finger practise’ in Python, I decided to implement this as a ‘pip installable module’ with the goal of this growing into something more usable than just my exercise :)

The module was added to PyPI moments ago; this post can be considered documentation for the module :)

Suppose you have ‘pip installed’ the zequals package you could do the following:

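from zequals import zAdd, zSub, zMul, zDiv, z

# zequals multiplication of two numbers
zMul(1334, 342)

# wrap a function of your own with the z decorator
@z
def myUberMathFunction(x, y, z, a, b):
    return (((a*x)+(b*y))/(z*z*a))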

Take a look at the package (a simple pip install zequals will do) and also help me out (Rob, I really need your 2cc on this lol).

Would zequals(2) need to yield 2 or should it yield 0? (Or maybe even 10?)

That’s it for today. Enjoy, share and flame :)

Oh yeah : start checking out the Numberphile channel on YouTube (or their site), it’s awesome (and so is Computerphile btw)

GitHub repo on : https://github.com/zdevops/zequals

Filed under numberphile computerphile robeastaway zequals python


GlusterCloud : Running OwnCloud with a GlusterFS Backend

As I tweeted earlier this week I’ve managed to :

Since then I’ve been converting the ‘InstallNotes.odt’ into a more ‘doclike’ ‘ZDO13-9701 HOWTO GLUSTERCLOUD.pdf’. This finally resulted in a document that can be used as some sort of MINIHOWTO regarding this setup. For one, this way I will be able to read (and understand!) the documentation in the years to come. And secondly it gives me the opportunity to ‘share’ this information with anyone interested in doing the same kind of thing.

The awesome thing to do would be to share this document via the ownCloud infrastructure it describes. However, as I am already hinting at ‘glusterception’ in the document I was afraid this would totally collapse the universe :)

Hence the document is made available (for free) via scribd.com via http://www.scribd.com/doc/149329452/ZDO13-9701-01

Looking forward to your feedback….

Filed under glusterfs owncloud pound glusterception howto


PRISM in J2EE (WebSphere) Applications?

With all the commotion lately on PRISM (US-984XN for insiders) I thought it would be time for a little blogpost on how to detect and circumvent any ‘prismatic’ activities within your J2EE applications running in a WebSphere Application Server.

Detecting PRISM activity
If you are unsure whether or not your application has any ‘pre-built’ prism-collection interfaces running from within frameworks you’re always using (but never bothered to check what they’re really doing) you should first enable the ‘Health Center Agent’ within your Application Server.

To enable the Agent make sure your ‘Java Arguments’ are

-Xhealthcenter:port=pppp,transport=jrmp 

Where ‘pppp’ is the port number the client can connect to.

Once activated you can connect to the Agent with the Health Center Application as provided with the “IBM Support Assistant”.

From within this application you can ‘see’ class loading via the profiling option as shown below.

In order to see if any of your frameworks are using the PRISM classes filter on any of the following methods:

  • gov.nsa.headless.prism.*
  • java.xn984.*
  • spring.facade.loop.sendxn984.*
  • com.java.prism.sniffer

If any of these pop up, you are most certain you’ve got a ‘prism-trojan’ hiding in there somewhere.

If you are lucky (or unlucky) enough to be running your WebSphere Application Server on a z/OS operating system you can set the WebSphere variable “server_SMF_request_prism_activity_enabled” to “1”. You can then ask your systems programmer for a subset of the SMF120 records. Make sure he includes these (undocumented) records from subtype-9: (all unsigned int, 2 bytes starting at the 'reserved' area at offset 23C)

  • SMF1209PL : Prism Load Times
  • SMF1209PU : Prism Uploaded Bytes
  • SMF1209PX : Prism ByteCode Injections

This will give you a more detailed insight into any ‘suspicious’ behaviour and the mentioned class names (java/xn984 et al) will be visible in SMF1209EM for any ‘weird’ EJB calls.

But then again, who is really running WebSphere on z/OS nowadays anyway :)

Disabling PRISM activity
Oooooops, you’ve discovered there are some of the aforementioned classes being loaded in your Application Server. Now what?

The first thing you should do is add a ‘JVM argument’ to your server startup.

-Xtune:virtualized,prismdisable=yes
-XprismEnable:false,remoteOverride=null,all=yes

That will make sure the ‘backdoors’ will be closed shut and bolted down. You still have to make sure there are no ‘xn984’-stubs running from within your frameworks. These might not adhere to the ‘common nsa naming conventions’ and thus cannot be disabled via the ‘prismEnable:false’ option.

But then again, you are not using any ‘frameworks’ you’re not familiar with now are you?

update : Inside sources tell me the “Liberty Profile” as per default (configuration as an exception) has all the ‘block prismatic activities’ features enabled…….

Filed under PRISM websphere howto humorous xn984 smf120 liberty


The Liberty Profile Just Lost Another Restraint

The WebSphere Liberty Profile has been around for a little over a year. From the very first moment on I was pretty charmed with the concept and as of 8.5.5 it got even more exciting.

The Liberty profile is what I would call a JITted-Runtime for running your Java Applications. Within your ‘average’ Corporate Enterprise IT Environment these would generally reside in a full-blown WebSphere ND Environment. These would typically run on an AIX or z/OS environment, and there are even some ‘sexier’ environments out there running a Node Deployment Cell on Linux (or even Linux for System z).

Back to the ‘jittyness’ of the Liberty Profile. As stated it’s a self-contained WebSphere Application Server Runtime packaged in a ‘55MB footprint with a <5sec startup time’. Configuration as an Exception™, in-flight-config-changes and the extreme portability of the ‘package’ are things everybody working with a WAS-environment of some form or the other should really love.

As proven early last year(!!) this Liberty Profile even runs on a Raspberry Pi (how’s that for portability?)

Anyway, back to the added sexyness in 8.5.5. With this release of WebSphere Application Server it’s possible for your Liberty Profile to ‘do JMS’ (just make sure your MQ has APAR IC92914).

Having this ‘feature’ enabled in/for your Liberty Profile means there are even more business-applications no longer needing an ND-environment.

This means easier deployments (just run the developer-provided packages with slight changes to backends), shorter downtimes (app generally boots in <5 secs), smaller footprint and an epic reduction of ‘CPU cycles burned’.

Long story short, it will make people happy and it will potentially give rise to a more efficient (and thus cheaper) environment.

Because of all these awesome technology upgrades I am starting to question ‘the need’ for the ‘full blown ND environments’ I see running at a lot of sites.

Ok, Liberty still does not do full EJB’s (though it does do EJB-Lite), but for the rest, I think there won’t be a lot of ‘J2EE’ applications not feeling happy when we run them on a Liberty Profile…..

As a closing ‘open question’ I’ll share the first slide of a presentation I’m working on…..looking forward to your comments, replies or flames :)

Filed under websphere liberty z/os


Cardcopy 0.0.3 :)

So it occurred to me it would be ‘handy’ to have a computer copy (or move) all images from a CompactFlash (or SD) card onto the harddrive by itself.

After some research and some trial and error I implemented it on a Linux environment using ‘udev-rules’.

The first (0.0.1) version worked better than expected. All it really was was one udev rule kicking off a script whenever a hotswappable device was plugged in.

SUBSYSTEM=="block", ACTION=="add", ENV{DEVTYPE}=="partition", ENV{DEVLINKS}=="*usb*", ENV{DEVNAME}=="/dev/sd[b-c]1", RUN="/usr/local/bin/cardcopy"

This worked like a charm (the cardcopy script in /usr/local/bin is just a ‘mount device, copy images, finished’-kind of script). However, when copying large cards (with a lot of photos) the script takes too long and receives the udev equivalent of a SEC3. It times out.

In order to circumvent this I turned the trigger into calling a service, where the service-module then ‘runs’ the script. This way, timeouts are not an issue anymore.
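The service-based trigger described above, as an added sketch (not the cardcopy project's own files): the udev rule only asks systemd for a templated oneshot unit, so the copy runs outside udev's event timeout. The unit name `cardcopy@.service`, the rule file name, the `write_cardcopy_units` helper and passing the device as an argument to the script are assumptions; the match keys are those of the 0.0.1 rule.

```shell
#!/bin/sh
# Added example (not the cardcopy project's files): stage a udev rule and a
# systemd template unit so udev only requests the job and systemd runs it.
# Unit name, rule file name and the device argument are assumptions.

write_cardcopy_units() {
    dest="$1"   # staging root; review the result before copying it to /
    mkdir -p "$dest/etc/udev/rules.d" "$dest/etc/systemd/system" || return 1

    # Same match keys as the 0.0.1 rule, but without RUN: the partition is
    # tagged for systemd and wants one unit instance named after the kernel
    # device (%k, e.g. sdb1). udev is done at once, so nothing can time out.
    cat > "$dest/etc/udev/rules.d/99-cardcopy.rules" <<'EOF'
SUBSYSTEM=="block", ACTION=="add", ENV{DEVTYPE}=="partition", ENV{DEVLINKS}=="*usb*", ENV{DEVNAME}=="/dev/sd[b-c]1", TAG+="systemd", ENV{SYSTEMD_WANTS}+="cardcopy@%k.service"
EOF

    # Type=oneshot has no start timeout by default, so a large card can take
    # as long as it needs. The script runs as root for any matching USB
    # partition, so it should mount the card ro,nosuid,nodev,noexec.
    cat > "$dest/etc/systemd/system/cardcopy@.service" <<'EOF'
[Unit]
Description=Copy images from /dev/%I

[Service]
Type=oneshot
ExecStart=/usr/local/bin/cardcopy /dev/%I
EOF
}

# Stage into the directory given as $1, or into a fresh temp dir.
stage="${1:-$(mktemp -d)}"
write_cardcopy_units "$stage" && echo "staged under $stage"
```

After copying the staged files into place, `udevadm control --reload` and `systemctl daemon-reload` make udev and systemd pick them up.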

The version as available on github (here) is what I’m currently using. It still needs some ‘tweaks’, ‘sanity checks’ and ‘added features’, however for now it’s considered (by me at least) to be of a Good Enough status.

Some links that helped me out a lot setting this up:

http://larsmichelsen.com/open-source/photo-autocopy-from-sd-card/
http://patrakov.blogspot.nl/2011/01/writing-systemd-service-files.html
http://www.freedesktop.org/software/systemd/man/systemd.unit.html

Go and head over to https://github.com/zdevops/cardcopy to copy, alter or even downvote this ‘package’…..

Cheers!

Filed under udev.rules systemd photos automated linux


SDSF via Rexx in Batch vs. ISFPRMxx

So there I was, happily hacking away at a quick&dirty (don’t we all at times?) REXX script for getting job output to a file.

Basically via this setup:

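/* REXX */
rc = isfcalls('ON')            /* make the SDSF host command environment available */
isfprefix = '*'                /* job name prefix filter: all jobs */
isfowner = '*'                 /* owner filter: all owners */
Address SDSF "ISFEXEC ST (DELAYED)"
do ix = 1 to JNAME.0           /* JNAME.0 holds the number of rows returned */
  /* some stuff */
end
rc = isfcalls('OFF')           /* release the SDSF environment again */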

Executing this ‘in the foreground’ worked like a charm. At some stage I wanted to ‘schedule’ these actions, so with a little help from my good friend IKJEFT01 I quickly whipped up a JCL-stream to do my bidding.

Alas!

Turns out, SDSF authorization (more specifically group assignment) is *very* different when running via REXX in the foreground (from TSO) than when running via BATCH (e.g. via IKJEFT01).

Try the following REXX and see for yourself:

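/* REXX */
rc = isfcalls('ON')            /* required before any Address SDSF */
Address SDSF "ISFEXEC WHO"     /* WHO output comes back in the isfresp. stem */
do i = 1 to isfresp.0
  say isfresp.i
end
rc = isfcalls('OFF')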

Now go ahead and run this from TSO (TSO EXEC ‘dsn.of.your(rexx)’) and via IKJEFT01.

You’ll see the group-assignment is totally different. This is caused by PROC=ISPFPROC (when running from TSO) and PROC=REXX (when running from IKJEFT01). This totally messes up group assignments as this PROC=REXX environment is “only” TSOAUTH(JCL) whereas the foreground execution is TSOAUTH(JCL,OPER) (in my case).

I first thought the protip I got via twitter (prefixing in SRSS, or WTFYT’79. If you ISFEC there, you won’t get these PFTT’s anymore) would solve it, but alas that was not the case :)

I finally managed to solve it by setting up a special group in ISFPRMxx so my JOB would get proper group assignment (and authorization) to perform the required actions with ISFEXEC. This solution was greatly based on this post from IBMMAIN [2008!] (kudos for Mark Zelden).

For this group I removed the TSOAUTH (obviously) and replaced it with an IUID(grpname) and added an NTBL so the proper users would ‘fall into this group’.

Then I also learned the order in which one defines the groups in ISFPRMxx is somewhat important, as my job kept being assigned to the ISFUSER group as this matched ‘before’ my new group.

It was quite a headache. I wonder if these problems will not be ‘circumvented’ when using a SAF-only-setup for SDSF security. Looking forward to any comments on this………..

Filed under ISFEXEC REXX ISFPRMxx IKJEFT01 SDSF isfprefix eek