hipersockets

2015-11-19 Thread Grzegorz Powiedziuk
I am planning to use hipersockets for internal communication between oracle
nodes in each RAC cluster (oracle nodes run in different lpars).
I've never used real hipersockets before so I am not sure if I understand
this correctly.

From what I've learned so far, in order to achieve this, we need to have a
shared chpid between LPARS. Hipersockets on the same chpid can communicate
with each other.
Ok, we've done that. We have defined a set of hipersockets on one chpid for
every LPAR and it works. Linux in one LPAR can talk to another linux in
different lpar.

But we will have many more "pairs" like that. How to set up networking?
First, I thought about just assigning different networks to every pair for
example:

Cluster 1
Linux1 - 192.168.100.1/28  (or even smaller)
Linux2 - 192.168.100.2/28

Cluster 2
Linux3 - 192.168.200.1/28
Linux4 - 192.168.200.2/28

So only Linux1 can talk to Linux2 and only Linux3 can talk to Linux4.

But...that's not really secure, is it? If someone hacks into Linux3 and
changes the IP address of its hsi0 interface to match an IP in cluster 1's
network, things might go wrong. They are on the same chpid after all.

Do I need to have a separate chpid for every cluster? Doesn't really make
sense, does it?
Am I missing something?

Thanks
Gregory

--
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
--
For more information on Linux on System z, visit
http://wiki.linuxvm.org/


Re: hipersockets

2015-11-19 Thread David Kreuter
Hi - I've done the hipersocket VLAN implementation. It works well and of
course Alan's comments are correct.

Another approach I've used is to create a VSWITCH on each LPAR using the
same set of OSAs. Now when you use VLANs on this VSWITCH RACF can be
involved for better protection.

OK won't be as fast as hipersocket but it doesn't go far out of the box
either.
David Kreuter 





Re: hipersockets

2015-11-19 Thread Grzegorz Powiedziuk
Thank you for a really quick answer Alan.
So I did get it right more or less. I didn't know that I can do vlans which
will make things cleaner to some extent.

But I was hoping for a different answer when it comes to security.
We will have at least non-prod and prod environments on separate chpids
then.

Thank you
Gregory




Re: hipersockets

2015-11-19 Thread Alan Altmark
On Thursday, 11/19/2015 at 07:38 GMT, Grzegorz Powiedziuk wrote:
> From what I've learned so far, in order to achieve this, we need to have a
> shared chpid between LPARS. Hipersockets on the same chpid can communicate
> with each other.

Hosts using the same VLAN on the same HiperSocket chpid can talk to each
other.  There are no controls on the VLAN ID that a host is permitted to
use, so from a security perspective, don't rely on HiperSocket VLAN
controls.

> Ok, we've done that. We have defined a set of hipersockets on one chpid for
> every LPAR and it works. Linux in one LPAR can talk to another linux in
> different lpar.
:
> Do I need to have a separate chpid for every cluster? Doesn't really make
> sense, does it?
> Am I missing something?

It depends entirely on your security posture.  If you need enforced 
isolation of each pair, then you need one chpid per pair.

Alan Altmark

Senior Managing z/VM and Linux Consultant
Lab Services System z Delivery Practice
IBM Systems & Technology Group
ibm.com/systems/services/labservices
office: 607.429.3323
mobile: 607.321.7556
alan_altm...@us.ibm.com
IBM Endicott
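An added example (not from the thread, and not IBM's or anyone's tooling) that turns Alan's rule into a planning check: given an inventory of hosts with their cluster, security zone, chpid, VLAN ID and subnet, it flags every pair of clusters that shares a chpid, records whether only the subnet or also the VLAN separates them, and lists the clusters whose isolation is actually enforced by a chpid of their own. The inventory, cluster and zone names and the severity labels are constructed assumptions.

```python
# Audit a planned HiperSockets layout against the rule from this thread: subnets
# and VLAN IDs on a shared chpid are configuration, not enforcement.
from collections import defaultdict

# Constructed sample inventory (not from the thread): one row per Linux host
# with its RAC cluster, security zone, the chpid behind its hsiN interface,
# the VLAN ID and the private-network subnet it uses.
HOSTS = [
    {"host": "linux1", "cluster": "rac1", "zone": "prod", "chpid": "f0", "vlan": 100, "subnet": "192.168.100.0/28"},
    {"host": "linux2", "cluster": "rac1", "zone": "prod", "chpid": "f0", "vlan": 100, "subnet": "192.168.100.0/28"},
    {"host": "linux3", "cluster": "rac2", "zone": "prod", "chpid": "f0", "vlan": 100, "subnet": "192.168.200.0/28"},
    {"host": "linux4", "cluster": "rac2", "zone": "prod", "chpid": "f0", "vlan": 100, "subnet": "192.168.200.0/28"},
    {"host": "linux5", "cluster": "rac3", "zone": "nonprod", "chpid": "f0", "vlan": 300, "subnet": "10.10.0.0/28"},
    {"host": "linux6", "cluster": "rac3", "zone": "nonprod", "chpid": "f0", "vlan": 300, "subnet": "10.10.0.0/28"},
    {"host": "linux7", "cluster": "rac4", "zone": "nonprod", "chpid": "f1", "vlan": 400, "subnet": "10.20.0.0/28"},
    {"host": "linux8", "cluster": "rac4", "zone": "nonprod", "chpid": "f1", "vlan": 400, "subnet": "10.20.0.0/28"},
]

def _by_chpid(hosts):
    groups = defaultdict(list)
    for h in hosts:
        groups[h["chpid"].lower()].append(h)
    return groups

def audit(hosts):
    """One finding per pair of clusters sharing a chpid. 'separation' says what
    keeps them apart today (subnet only, or VLAN and subnet); a host on that
    chpid can change either, so a pair that crosses a security zone is 'high'."""
    findings = []
    for chpid, members in sorted(_by_chpid(hosts).items()):
        clusters = sorted({h["cluster"] for h in members})
        for i, a in enumerate(clusters):
            for b in clusters[i + 1:]:
                side_a = [h for h in members if h["cluster"] == a]
                side_b = [h for h in members if h["cluster"] == b]
                vlans_a = {h["vlan"] for h in side_a}
                vlans_b = {h["vlan"] for h in side_b}
                zones = {h["zone"] for h in side_a + side_b}
                findings.append({
                    "chpid": chpid, "clusters": (a, b),
                    "separation": "vlan+subnet" if vlans_a.isdisjoint(vlans_b) else "subnet only",
                    "severity": "high" if len(zones) > 1 else "medium",
                })
    return findings

def enforced_isolation(hosts):
    """Clusters that are alone on their chpid: the only layout Alan calls enforced."""
    return sorted(c for m in _by_chpid(hosts).values()
                  for c in {h["cluster"] for h in m}
                  if len({h["cluster"] for h in m}) == 1)
```

With the sample inventory, rac1 and rac2 share chpid f0 and a VLAN, so only their subnets differ; rac3 (nonprod) sits on that same chpid and is reported as high; only rac4 on chpid f1 has enforced isolation.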



Re: hipersockets

2015-11-19 Thread Grzegorz Powiedziuk
Thanks David.
I thought about doing vswitch but then AFAIK I would end up with
virtual hipersockets on linux guest. And I've read in IBM's redbook for
Oracle 12:

IBM HiperSockets™ are certified and supported for the private network. Only
a network that is configured with *real* HiperSockets is possible, as z/VM
guest LAN HiperSockets cannot be configured on layer 2, which is required
for ARP.


Gregory




Re: hipersockets

2015-11-19 Thread Alan Altmark
On Thursday, 11/19/2015 at 08:35 GMT, Grzegorz Powiedziuk wrote:
> I thought about doing vswitch but then AFAIK I would end up with
> virtual hipersockets on linux guest.

Linux guests can use real HiperSockets with the HiperSocket VSWITCH bridge
on z/VM.  Their traffic will automatically be bridged to a physical LAN
that can be accessed by z/OS.  z/OS doesn't support the HiperSocket
technology that would let it participate in a direct HiperSocket
connection with the Linux guests on the bridge.

Alan Altmark

Senior Managing z/VM and Linux Consultant
Lab Services System z Delivery Practice
IBM Systems & Technology Group
ibm.com/systems/services/labservices
office: 607.429.3323
mobile: 607.321.7556
alan_altm...@us.ibm.com
IBM Endicott
