hipersockets
I am planning to use hipersockets for internal communication between oracle nodes in each RAC cluster (oracle nodes run in different lpars). I've never used real hipersockets before so I am not sure if I understand this correctly.

From what I've learned so far, in order to achieve this, we need to have a shared chpid between LPARs. Hipersockets on the same chpid can communicate with each other.

Ok, we've done that. We have defined a set of hipersockets on one chpid for every LPAR and it works. Linux in one LPAR can talk to another linux in a different lpar.

But we will have many more "pairs" like that. How to set up networking? First, I thought about just assigning different networks to every pair, for example:

Cluster 1
  Linux1 - 192.168.100.1/28 (or even smaller)
  Linux2 - 192.168.100.2/28
Cluster 2
  Linux3 - 192.168.200.1/28
  Linux4 - 192.168.200.2/28

So only Linux1 can talk to Linux2 and only Linux3 can talk to Linux4.

But... that's not really secure, is it? If someone hacks into Linux3 and changes the IP address of its hsi0 interface to match an IP in cluster 1's network, things might go wrong. They are on the same chpid after all.

Do I need to have a separate chpid for every cluster? Doesn't really make sense, does it? Am I missing something?

Thanks
Gregory

--
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
--
For more information on Linux on System z, visit
http://wiki.linuxvm.org/
Re: hipersockets
Hi - I've done the hipersocket VLAN implementation. It works well and of course Alan's comments are correct.

Another approach I've used is to create a VSWITCH on each LPAR using the same set of OSAs. Now when you use VLANs on this VSWITCH, RACF can be involved for better protection.

OK, it won't be as fast as hipersocket but it doesn't go far out of the box either.

David Kreuter

Original Message
Subject: Re: hipersockets
From: Alan Altmark
Date: Thu, November 19, 2015 3:05 pm
To: LINUX-390@VM.MARIST.EDU

On Thursday, 11/19/2015 at 07:38 GMT, Grzegorz Powiedziuk wrote:
> From what I've learned so far, In order to achieve this, we need to have a
> shared chpid between LPARS. Hipersockets on the same chpid can communicate
> with each other.

Hosts using the same VLAN on the same HiperSocket chpid can talk to each other. There are no controls on the VLAN ID that a host is permitted to use, so from a security perspective, don't rely on HiperSocket VLAN controls.

> Ok, we've done that. We have defined a set of hipersockets on one chpid for
> every LPAR and it works. Linux in one LPAR can talk to another linux in
> different lpar.
:
> Do I need to have a separate chpid for every cluster? Doesn't really make
> sense, does it?
> Am I missing something?

It depends entirely on your security posture. If you need enforced isolation of each pair, then you need one chpid per pair.

Alan Altmark
Senior Managing z/VM and Linux Consultant
Lab Services System z Delivery Practice
IBM Systems & Technology Group
ibm.com/systems/services/labservices
office: 607.429.3323
mobile: 607.321.7556
alan_altm...@us.ibm.com
IBM Endicott
Re: hipersockets
Thank you for a really quick answer Alan. So I did get it right more or less. I didn't know that I can do vlans, which will make things cleaner to some extent. But I was hoping for a different answer when it comes to security. We will have at least non-prod and prod environments on separate chpids then.

Thank you
Gregory

2015-11-19 15:05 GMT-05:00 Alan Altmark:
> On Thursday, 11/19/2015 at 07:38 GMT, Grzegorz Powiedziuk wrote:
> > From what I've learned so far, In order to achieve this, we need to have a
> > shared chpid between LPARS. Hipersockets on the same chpid can communicate
> > with each other.
>
> Hosts using the same VLAN on the same HiperSocket chpid can talk to each
> other. There are no controls on the VLAN ID that a host is permitted to
> use, so from a security perspective, don't rely on HiperSocket VLAN
> controls.
>
> > Ok, we've done that. We have defined a set of hipersockets on one chpid for
> > every LPAR and it works. Linux in one LPAR can talk to another linux in
> > different lpar.
> :
> > Do I need to have a separate chpid for every cluster? Doesn't really make
> > sense, does it?
> > Am I missing something?
>
> It depends entirely on your security posture. If you need enforced
> isolation of each pair, then you need one chpid per pair.
Re: hipersockets
On Thursday, 11/19/2015 at 07:38 GMT, Grzegorz Powiedziuk wrote:
> From what I've learned so far, In order to achieve this, we need to have a
> shared chpid between LPARS. Hipersockets on the same chpid can communicate
> with each other.

Hosts using the same VLAN on the same HiperSocket chpid can talk to each other. There are no controls on the VLAN ID that a host is permitted to use, so from a security perspective, don't rely on HiperSocket VLAN controls.

> Ok, we've done that. We have defined a set of hipersockets on one chpid for
> every LPAR and it works. Linux in one LPAR can talk to another linux in
> different lpar.
:
> Do I need to have a separate chpid for every cluster? Doesn't really make
> sense, does it?
> Am I missing something?

It depends entirely on your security posture. If you need enforced isolation of each pair, then you need one chpid per pair.

Alan Altmark
Senior Managing z/VM and Linux Consultant
Lab Services System z Delivery Practice
IBM Systems & Technology Group
ibm.com/systems/services/labservices
office: 607.429.3323
mobile: 607.321.7556
alan_altm...@us.ibm.com
IBM Endicott
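A small audit of the rule Alan states above, as an added example that is not part of any post in this thread: given an inventory of which CHPID each cluster's HiperSocket interface uses (constructed sample data, collected the way an admin might from lsqeth on each guest), it flags clusters that share a CHPID and shows the blast radius of a compromised LPAR. VLAN IDs are recorded but deliberately ignored, because the HiperSocket does not enforce which VLAN ID a host uses.

```python
from collections import defaultdict

# Constructed inventory (not taken from the thread): one row per Linux
# HiperSocket interface. Fields: cluster, lpar, interface, chpid, vlan
# (None when untagged). Clusters 1 and 2 share CHPID F1 on different VLANs,
# which is exactly the layout Gregory described.
INVENTORY = [
    ("rac-cluster1", "LPAR1", "hsi0", "F1", 100),
    ("rac-cluster1", "LPAR2", "hsi0", "F1", 100),
    ("rac-cluster2", "LPAR3", "hsi0", "F1", 200),
    ("rac-cluster2", "LPAR4", "hsi0", "F1", 200),
    ("rac-cluster3", "LPAR5", "hsi0", "F2", None),
    ("rac-cluster3", "LPAR6", "hsi0", "F2", None),
]


def clusters_per_chpid(inventory):
    """Map each CHPID to the set of clusters with an interface on it."""
    by_chpid = defaultdict(set)
    for cluster, _lpar, _iface, chpid, _vlan in inventory:
        by_chpid[chpid.upper()].add(cluster)
    return by_chpid


def isolation_violations(inventory):
    """Return {chpid: sorted clusters} for every CHPID used by more than one
    cluster. A different VLAN ID or IP subnet on the same CHPID does not count
    as isolation: any host on the CHPID can pick any VLAN ID or address."""
    return {chpid: sorted(clusters)
            for chpid, clusters in clusters_per_chpid(inventory).items()
            if len(clusters) > 1}


def blast_radius(inventory, lpar):
    """LPARs whose HiperSocket traffic a compromised 'lpar' could reach by
    reconfiguring only its own interface: every other LPAR on the same CHPID.
    Enforced isolation means this list contains only the cluster peer."""
    chpids = {row[3].upper() for row in inventory if row[1] == lpar}
    return sorted({row[1] for row in inventory
                   if row[3].upper() in chpids and row[1] != lpar})


if __name__ == "__main__":
    for chpid, clusters in isolation_violations(INVENTORY).items():
        print(f"CHPID {chpid} shared by {', '.join(clusters)}: no enforced isolation")
    print("Reachable from a compromised LPAR3:", blast_radius(INVENTORY, "LPAR3"))
```

With the sample data the audit reports F1 as shared by cluster 1 and cluster 2, and cluster 3 on its own CHPID F2 as properly isolated.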
Re: hipersockets
Thanks David. I thought about doing vswitch but then AFAIK I would end up with virtual hipersockets on the linux guest. And I've read in IBM's redbook for oracle 12:

IBM HiperSockets™ are certified and supported for the private network. Only a network that is configured with *real* HiperSockets is possible, as z/VM guest LAN HiperSockets cannot be configured on layer 2, which is required for ARP.

Gregory

2015-11-19 15:20 GMT-05:00 David Kreuter:
> Hi - I've done the hipersocket VLAN implementation. It works well and of
> course Alan's comments are correct.
>
> Another approach I've used is to create a VSWITCH on each LPAR using the
> same set of OSAs. Now when you use VLANs on this VSWITCH RACF can be
> involved for better protection.
>
> OK won't be as fast as hipersocket but it doesn't go far out of the box
> either.
> David Kreuter
>
> Original Message
> Subject: Re: hipersockets
> From: Alan Altmark
> Date: Thu, November 19, 2015 3:05 pm
> To: LINUX-390@VM.MARIST.EDU
>
> On Thursday, 11/19/2015 at 07:38 GMT, Grzegorz Powiedziuk wrote:
> > From what I've learned so far, In order to achieve this, we need to have a
> > shared chpid between LPARS. Hipersockets on the same chpid can communicate
> > with each other.
>
> Hosts using the same VLAN on the same HiperSocket chpid can talk to each
> other. There are no controls on the VLAN ID that a host is permitted to
> use, so from a security perspective, don't rely on HiperSocket VLAN
> controls.
>
> > Ok, we've done that. We have defined a set of hipersockets on one chpid for
> > every LPAR and it works. Linux in one LPAR can talk to another linux in
> > different lpar.
> :
> > Do I need to have a separate chpid for every cluster? Doesn't really make
> > sense, does it?
> > Am I missing something?
>
> It depends entirely on your security posture. If you need enforced
> isolation of each pair, then you need one chpid per pair.
Re: hipersockets
On Thursday, 11/19/2015 at 08:35 GMT, Grzegorz Powiedziuk wrote:
> I thought about doing vswitch but then AFAIK I would end up with
> virtual hipersockets on linux guest.

Linux guests can use real HiperSockets with the HiperSocket VSWITCH bridge on z/VM. Their traffic will automatically be bridged to a physical LAN that can be accessed by z/OS. z/OS doesn't support the HiperSocket technology that would let it participate in a direct HiperSocket connection with the Linux guests on the bridge.

Alan Altmark
Senior Managing z/VM and Linux Consultant
Lab Services System z Delivery Practice
IBM Systems & Technology Group
ibm.com/systems/services/labservices
office: 607.429.3323
mobile: 607.321.7556
alan_altm...@us.ibm.com
IBM Endicott