Re: hyptop question
On Friday, 05/20/2016 at 11:02 GMT, Ingo Adlungwrote: > I guess the challenge with DIAG 2FC is that not every issuer is necessarily > supposed to see guest information beyond themselves. So while I agree with > your assessment I see reasoning in the approach taken ... Hi, Ingo. I see the reasoning, too, but the command and DIAGNOSE handlers in CP aren't supposed to be checking the user's privilege class. That's all supposed to be handled prior to starting the handler. DIAGNOSE 0x26C suffers a similar issue, though the impact is far less since CP QUERY commands can be used instead if it becomes an issue. Alan Altmark Senior Managing z/VM and Linux Consultant Lab Services System z Delivery Practice IBM Systems & Technology Group ibm.com/systems/services/labservices office: 607.429.3323 mobile; 607.321.7556 alan_altm...@us.ibm.com IBM Endicott -- For LINUX-390 subscribe / signoff / archive access instructions, send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390 -- For more information on Linux on System z, visit http://wiki.linuxvm.org/
Re: hyptop question
Hi Alan, > This isn't how DIAGNOSE instructions work. Instead of worrying about > converting user privclass to IBMCLASS and associating with the running > DIAGNOSE, it's done in the more primitive hindbrain of CP. > Architecturally, a DIAGNOSE is associated a SINGLE privilege class (or > privclass ANY). They aren't supposed to change behavior based on > privilege class (directory OPTION, maybe, but not privclass). > > DIAGNOSE 2FC is violating that architecture. I would suggest a PMR so > that you can discuss with Development whether that violation is Right and > Proper. I guess the challenge with DIAG 2FC is that not every issuer is necessarily supposed to see guest information beyond themselves. So while I agree with your assessment I see reasoning in the approach taken ... Best regards Ingo Linux on 390 Port <LINUX-390@VM.MARIST.EDU> wrote on 20.05.2016 17:19:01: > From: Alan Altmark <alan_altm...@us.ibm.com> > To: LINUX-390@VM.MARIST.EDU > Date: 20.05.2016 17:19 > Subject: Re: [LINUX-390] hyptop question > Sent by: Linux on 390 Port <LINUX-390@VM.MARIST.EDU> > > On Friday, 05/20/2016 at 06:41 GMT, Karl Kingston <karlkings...@ongov.net> > wrote: > > > For z/VM, the guest virtual machine must have privilege class B > > > or, preferably, a locally-defined privilege class that contains > > > diagnose 2fc. > > > > How does one do this?Don't like giving my linux guests access to > CLASS > > B so I would like to make my own class and give that to the user. > > Well, isn't this embarrassing... (blush) (look down) (kick rock) You > can't. I keep forgetting that DIAGNOSE instructions are architecturally > different than commands. > > (For a fascinating description of how CP commands and DIAGNOSE > instructions are processed, keep reading!) > > The system supports privclass-qualified versions of a command. When you > enter a command, the highest level (A->9) for which you have the assigned > privilege class will run. That is, if a command has a class B version and > a class G version, then if you have class ABG, the command will be > qualified as class B. If you had class AG, then the command will be > qualified as class G. That's the last time CP looks at the issuer's > privclass. The system instead looks at the command qualifier. We refer > to the command qualifier as the "IBMCLASS". That is, the IBM-defined > privilege class associated with the version of the command that's running. > The MODIFY COMMAND command lets you change the association between the > user privclass and the IBMCLASS. > > This all gets resolved before the command actually runs, eliminating any > need for CP to worry about user privclass. He just cares about the > IBMCLASS of the command that's running. This allows a single entry point > to handle the command. > > This isn't how DIAGNOSE instructions work. Instead of worrying about > converting user privclass to IBMCLASS and associating with the running > DIAGNOSE, it's done in the more primitive hindbrain of CP. > Architecturally, a DIAGNOSE is associated a SINGLE privilege class (or > privclass ANY). They aren't supposed to change behavior based on > privilege class (directory OPTION, maybe, but not privclass). > > DIAGNOSE 2FC is violating that architecture. I would suggest a PMR so > that you can discuss with Development whether that violation is Right and > Proper. > > Alan Altmark > > Senior Managing z/VM and Linux Consultant > Lab Services System z Delivery Practice > IBM Systems & Technology Group > ibm.com/systems/services/labservices > office: 607.429.3323 > mobile; 607.321.7556 > alan_altm...@us.ibm.com > IBM Endicott > > -- > For LINUX-390 subscribe / signoff / archive access instructions, > send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit > http://www.marist.edu/htbin/wlvindex?LINUX-390 > -- > For more information on Linux on System z, visit > http://wiki.linuxvm.org/ > -- For LINUX-390 subscribe / signoff / archive access instructions, send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390 -- For more information on Linux on System z, visit http://wiki.linuxvm.org/
Re: hyptop question
On Friday, 05/20/2016 at 06:41 GMT, Karl Kingstonwrote: > > For z/VM, the guest virtual machine must have privilege class B > > or, preferably, a locally-defined privilege class that contains > > diagnose 2fc. > > How does one do this?Don't like giving my linux guests access to CLASS > B so I would like to make my own class and give that to the user. Well, isn't this embarrassing... (blush) (look down) (kick rock) You can't. I keep forgetting that DIAGNOSE instructions are architecturally different than commands. (For a fascinating description of how CP commands and DIAGNOSE instructions are processed, keep reading!) The system supports privclass-qualified versions of a command. When you enter a command, the highest level (A->9) for which you have the assigned privilege class will run. That is, if a command has a class B version and a class G version, then if you have class ABG, the command will be qualified as class B. If you had class AG, then the command will be qualified as class G. That's the last time CP looks at the issuer's privclass. The system instead looks at the command qualifier. We refer to the command qualifier as the "IBMCLASS". That is, the IBM-defined privilege class associated with the version of the command that's running. The MODIFY COMMAND command lets you change the association between the user privclass and the IBMCLASS. This all gets resolved before the command actually runs, eliminating any need for CP to worry about user privclass. He just cares about the IBMCLASS of the command that's running. This allows a single entry point to handle the command. This isn't how DIAGNOSE instructions work. Instead of worrying about converting user privclass to IBMCLASS and associating with the running DIAGNOSE, it's done in the more primitive hindbrain of CP. Architecturally, a DIAGNOSE is associated a SINGLE privilege class (or privclass ANY). They aren't supposed to change behavior based on privilege class (directory OPTION, maybe, but not privclass). DIAGNOSE 2FC is violating that architecture. I would suggest a PMR so that you can discuss with Development whether that violation is Right and Proper. Alan Altmark Senior Managing z/VM and Linux Consultant Lab Services System z Delivery Practice IBM Systems & Technology Group ibm.com/systems/services/labservices office: 607.429.3323 mobile; 607.321.7556 alan_altm...@us.ibm.com IBM Endicott -- For LINUX-390 subscribe / signoff / archive access instructions, send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390 -- For more information on Linux on System z, visit http://wiki.linuxvm.org/
Re: hyptop question
Linux on 390 Port <LINUX-390@VM.MARIST.EDU> wrote on 01/07/2016 08:28:52 AM: > From: Michael Holzheu <holz...@linux.vnet.ibm.com> > To: LINUX-390@VM.MARIST.EDU > Date: 01/07/2016 08:28 AM > Subject: Re: hyptop question > Sent by: Linux on 390 Port <LINUX-390@VM.MARIST.EDU> > > On Tue, 5 Jan 2016 14:48:17 -0500 > Alan Altmark <alan_altm...@us.ibm.com> wrote: > > > On Tuesday, 01/05/2016 at 06:31 GMT, Mark Post <mp...@suse.com> wrote: > > > > > > > For z/VM, the guest virtual machine must be class B. For LPAR, > > > > on the HMC or SE security menu of the LPAR activation profile, > > > > select the Global performance data control checkbox. > > > > > > For z/VM guests, that is CP privilege class B. For systems running in an > > LPAR > > > (PR/SM), use the HMC Customize/Delete Activation Profiles function to > > ensure > > > the Global performance data control checkbox is checked. This can be > > found in > > > the Image profile, under the Security heading. > > > > What class B CP commands or DIAGNOSE instructions does the virtual machine > > use? Those functions should be copied to locally-defined privilege class. > > Do not give class B to virtual machines that aren't in the business of > > performing real device management. > > We use diag 2fc. > > Should we say something like: > > For z/VM, the guest virtual machine must have privilege class B > or, preferably, a locally-defined privilege class that contains > diagnose 2fc. How does one do this?Don't like giving my linux guests access to CLASS B so I would like to make my own class and give that to the user. -- For LINUX-390 subscribe / signoff / archive access instructions, send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390 -- For more information on Linux on System z, visit http://wiki.linuxvm.org/
Re: hyptop question
On Tue, 5 Jan 2016 14:48:17 -0500 Alan Altmarkwrote: > On Tuesday, 01/05/2016 at 06:31 GMT, Mark Post wrote: > > > > > For z/VM, the guest virtual machine must be class B. For LPAR, > > > on the HMC or SE security menu of the LPAR activation profile, > > > select the Global performance data control checkbox. > > > > For z/VM guests, that is CP privilege class B. For systems running in an > LPAR > > (PR/SM), use the HMC Customize/Delete Activation Profiles function to > ensure > > the Global performance data control checkbox is checked. This can be > found in > > the Image profile, under the Security heading. > > What class B CP commands or DIAGNOSE instructions does the virtual machine > use? Those functions should be copied to locally-defined privilege class. > Do not give class B to virtual machines that aren't in the business of > performing real device management. We use diag 2fc. Should we say something like: For z/VM, the guest virtual machine must have privilege class B or, preferably, a locally-defined privilege class that contains diagnose 2fc. Regards, Michael -- For LINUX-390 subscribe / signoff / archive access instructions, send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390 -- For more information on Linux on System z, visit http://wiki.linuxvm.org/
Re: hyptop question
Gregor, > Is it possible to see stats for virtual machines in other z/vm lpars FWIW zoom can run hyptop on multiple z/VM systems. If SSH as root is not permitted, hyptop must be in /etc/sudoers on the zoom servers. In the example that follows, the ':' is a wildcard for all zoom servers, thus all z/VM systems in the zoom cluster. In this example, just two systems. Each line of output is prefixed with the server's host name: $ zruncommand --servers : sudo /usr/sbin/hyptop -b -n1 server1.example.com: 08:39:58 CPU-T: UN(1) ?=help server1.example.com: system #cpu cpu Cpu+online memuse memmax wcur server1.example.com: (str) (#) (%) (hm) (dhm) (GiB) (GiB) (#) server1.example.com: LOHCOST 1 0.10 0:09 35:23:45 0.04 0.75 10 server1.example.com: PERFSVM 1 0.09 0:50 179:21:06 0.03 0.120 ... server2.example.com: PORTMAP 10.00 0:00 2:07:24 0.00 0.03 100 server2.example.com: FTPSERVE10.00 0:00 2:07:24 0.01 0.03 100 server2.example.com: SFSZVPS 10.00 0:00 2:07:25 0.00 0.06 100 server2.example.com: OPERSYMP10.00 0:00 2:07:25 0.01 0.03 100 server2.example.com: 461 1030.01 168:41 2:07:26 681.90 950.23 5000 -Mike MacIsaac -- For LINUX-390 subscribe / signoff / archive access instructions, send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390 -- For more information on Linux on System z, visit http://wiki.linuxvm.org/
Re: hyptop question
>>> On 1/5/2016 at 08:26 AM, Michael Holzheu>>> wrote: -snip- > What about: > > You can always monitor the guest operating system where hyptop > runs. You can always monitor the operating system where hyptop is running. > To monitor any other guest operating system on the same hypervi- > sor as the operating system instance of hyptop, you need the > following additional permissions: To monitor any other operating system(s) _running_on_the_same_hypervisor as hyptop (whether z/VM or PR/SM), you will need additional permissions. (I think underlining or italicizing the "running on the same hypervisor" will help even more.) > For z/VM, the guest virtual machine must be class B. For LPAR, > on the HMC or SE security menu of the LPAR activation profile, > select the Global performance data control checkbox. For z/VM guests, that is CP privilege class B. For systems running in an LPAR (PR/SM), use the HMC Customize/Delete Activation Profiles function to ensure the Global performance data control checkbox is checked. This can be found in the Image profile, under the Security heading. Is there any verbiage that should be added for KVM guests? I haven't tried it myself, but does hyptop work there? Mark Post -- For LINUX-390 subscribe / signoff / archive access instructions, send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390 -- For more information on Linux on System z, visit http://wiki.linuxvm.org/
Re: hyptop question
On Tuesday, 01/05/2016 at 06:31 GMT, Mark Postwrote: > > > For z/VM, the guest virtual machine must be class B. For LPAR, > > on the HMC or SE security menu of the LPAR activation profile, > > select the Global performance data control checkbox. > > For z/VM guests, that is CP privilege class B. For systems running in an LPAR > (PR/SM), use the HMC Customize/Delete Activation Profiles function to ensure > the Global performance data control checkbox is checked. This can be found in > the Image profile, under the Security heading. What class B CP commands or DIAGNOSE instructions does the virtual machine use? Those functions should be copied to locally-defined privilege class. Do not give class B to virtual machines that aren't in the business of performing real device management. Alan Altmark Senior Managing z/VM and Linux Consultant Lab Services System z Delivery Practice IBM Systems & Technology Group ibm.com/systems/services/labservices office: 607.429.3323 mobile; 607.321.7556 alan_altm...@us.ibm.com IBM Endicott -- For LINUX-390 subscribe / signoff / archive access instructions, send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390 -- For more information on Linux on System z, visit http://wiki.linuxvm.org/
Re: hyptop question
On Mon, 4 Jan 2016 13:57:15 -0700 Mark Postwrote: > >>> On 1/4/2016 at 03:38 PM, Grzegorz Powiedziuk > >>> wrote: > > Hi, > > When I run hyptop I can see performance stats for virtual machines running > > in the same z/VM LPAR. > -snip- > > At least I should be able to see stats for other LPARS from the PR/SM > > perspective, right? > > But I don't and I am not sure why. > > I don't think you should be able to see that information. Hyptop queries > whichever hypervisor it is running on. In your case, that's z/VM. z/VM > isn't looking around to see what other LPARs are running and gathering > information on them, so it's not going to present anything like that to > hyptop's query. > > If you want information from PR/SM's perspective, then you'll need to be > running a Linux system in an LPAR and use hyptop there. When I do that, I do > see information about the other LPARS, but nothing about z/VM guests that > might be running in them, since PR/SM doesn't know about them. I can confirm what Mark said. Hyptop can only show data of the level where it is running. If you are running in an LPAR you can see your neighbor LPARs, if you run in a VM guest you can see your neighbor VM guests. > I think the man page for hyptop could use a little clarification. The way > it's worded would tend to suggest that a z/VM guest with CP class B would be > seeing information about other LPARs. I agree that without background knowledge the text can be misleading. The current text is: To monitor all LPARs or z/VM guest operating systems of the hypervisor, your system must have additional permissions: For z/VM, the guest virtual machine must be class B. For LPAR, on the HMC or SE security menu of the LPAR activation profile, select the Global performance data control checkbox. What about: You can always monitor the guest operating system where hyptop runs. To monitor any other guest operating system on the same hypervi- sor as the operating system instance of hyptop, you need the following additional permissions: For z/VM, the guest virtual machine must be class B. For LPAR, on the HMC or SE security menu of the LPAR activation profile, select the Global performance data control checkbox. Michael -- For LINUX-390 subscribe / signoff / archive access instructions, send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390 -- For more information on Linux on System z, visit http://wiki.linuxvm.org/
Re: hyptop question
>>> On 1/4/2016 at 03:38 PM, Grzegorz Powiedziukwrote: > Hi, > When I run hyptop I can see performance stats for virtual machines running > in the same z/VM LPAR. -snip- > At least I should be able to see stats for other LPARS from the PR/SM > perspective, right? > But I don't and I am not sure why. I don't think you should be able to see that information. Hyptop queries whichever hypervisor it is running on. In your case, that's z/VM. z/VM isn't looking around to see what other LPARs are running and gathering information on them, so it's not going to present anything like that to hyptop's query. If you want information from PR/SM's perspective, then you'll need to be running a Linux system in an LPAR and use hyptop there. When I do that, I do see information about the other LPARS, but nothing about z/VM guests that might be running in them, since PR/SM doesn't know about them. I think the man page for hyptop could use a little clarification. The way it's worded would tend to suggest that a z/VM guest with CP class B would be seeing information about other LPARs. Mark Post -- For LINUX-390 subscribe / signoff / archive access instructions, send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390 -- For more information on Linux on System z, visit http://wiki.linuxvm.org/
hyptop question
Hi, When I run hyptop I can see performance stats for virtual machines running in the same z/VM LPAR. Is it possible to see stats for virtual machines in other z/vm lpars (I assume that the answer is "no" when I think about but I want to make sure). At least I should be able to see stats for other LPARS from the PR/SM perspective, right? But I don't and I am not sure why. My virtual machine has A-G priv, the global performance data control on SE is "on", the debugfs is mounted, the s390_hypfs is mounted. I can see diag_204 and diag_2fc inside of s390_hypfs and both have read permissions. OS: RHEL7 What am I missing? Thanks! Gregory -- For LINUX-390 subscribe / signoff / archive access instructions, send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390 -- For more information on Linux on System z, visit http://wiki.linuxvm.org/