Re: hyptop question

2016-05-21 Thread Alan Altmark 
On Friday, 05/20/2016 at 11:02 GMT, Ingo Adlung  wrote:
> I guess the challenge with DIAG 2FC is that not every issuer is 
necessarily
> supposed to see guest information beyond themselves. So while I agree 
with
> your assessment I see reasoning in the approach taken ...

Hi, Ingo.  I see the reasoning, too, but the command and DIAGNOSE handlers 
in CP aren't supposed to be checking the user's privilege class.  That's 
all supposed to be handled prior to starting the handler. 

DIAGNOSE 0x26C suffers a similar issue, though the impact is far less 
since CP QUERY commands can be used instead if it becomes an issue.

Alan Altmark

Senior Managing z/VM and Linux Consultant
Lab Services System z Delivery Practice
IBM Systems & Technology Group
ibm.com/systems/services/labservices
office: 607.429.3323
mobile; 607.321.7556
alan_altm...@us.ibm.com
IBM Endicott

--
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
--
For more information on Linux on System z, visit
http://wiki.linuxvm.org/

Re: hyptop question

2016-05-20 Thread Ingo Adlung 
Hi Alan,

> This isn't how DIAGNOSE instructions work.  Instead of worrying about
> converting user privclass to IBMCLASS and associating with the running
> DIAGNOSE, it's done in the more primitive hindbrain of CP.
> Architecturally, a DIAGNOSE is associated a SINGLE privilege class (or
> privclass ANY).  They aren't supposed to change behavior based on
> privilege class (directory OPTION, maybe, but not privclass).
>
> DIAGNOSE 2FC is violating that architecture.  I would suggest a PMR so
> that you can discuss with Development whether that violation is Right and

> Proper.

I guess the challenge with DIAG 2FC is that not every issuer is necessarily
supposed to see guest information beyond themselves. So while I agree with
your assessment I see reasoning in the approach taken ...

Best regards
Ingo

Linux on 390 Port <LINUX-390@VM.MARIST.EDU> wrote on 20.05.2016 17:19:01:

> From: Alan Altmark <alan_altm...@us.ibm.com>
> To: LINUX-390@VM.MARIST.EDU
> Date: 20.05.2016 17:19
> Subject: Re: [LINUX-390] hyptop question
> Sent by: Linux on 390 Port <LINUX-390@VM.MARIST.EDU>
>
> On Friday, 05/20/2016 at 06:41 GMT, Karl Kingston
<karlkings...@ongov.net>
> wrote:
> > > For z/VM, the guest virtual machine must have privilege class B
> > > or, preferably, a locally-defined privilege class that contains
> > > diagnose 2fc.
> >
> > How does one do this?Don't like giving my linux guests access to
> CLASS
> > B so I would like to make my own class and give that to the user.
>
> Well, isn't this embarrassing... (blush) (look down) (kick rock)   You
> can't.  I keep forgetting that DIAGNOSE instructions are architecturally
> different than commands.
>
> (For a fascinating description of how CP commands and DIAGNOSE
> instructions are processed, keep reading!)
>
> The system supports privclass-qualified versions of a command.  When you
> enter a command, the highest level (A->9) for which you have the assigned

> privilege class will run.  That is, if a command has a class B version
and
> a class G version, then if you have class ABG, the command will be
> qualified as class B.  If you had class AG, then the command will be
> qualified as class G.  That's the last time CP looks at the issuer's
> privclass.  The system instead looks at the command qualifier.  We refer
> to the command qualifier as the "IBMCLASS".  That is, the IBM-defined
> privilege class associated with the version of the command that's
running.
>  The MODIFY COMMAND command lets you change the association between the
> user privclass and the IBMCLASS.
>
> This all gets resolved before the command actually runs, eliminating any
> need for CP to worry about user privclass.  He just cares about the
> IBMCLASS of the command that's running.  This allows a single entry point

> to handle the command.
>
> This isn't how DIAGNOSE instructions work.  Instead of worrying about
> converting user privclass to IBMCLASS and associating with the running
> DIAGNOSE, it's done in the more primitive hindbrain of CP.
> Architecturally, a DIAGNOSE is associated a SINGLE privilege class (or
> privclass ANY).  They aren't supposed to change behavior based on
> privilege class (directory OPTION, maybe, but not privclass).
>
> DIAGNOSE 2FC is violating that architecture.  I would suggest a PMR so
> that you can discuss with Development whether that violation is Right and

> Proper.
>
> Alan Altmark
>
> Senior Managing z/VM and Linux Consultant
> Lab Services System z Delivery Practice
> IBM Systems & Technology Group
> ibm.com/systems/services/labservices
> office: 607.429.3323
> mobile; 607.321.7556
> alan_altm...@us.ibm.com
> IBM Endicott
>
> --
> For LINUX-390 subscribe / signoff / archive access instructions,
> send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or
visit
> http://www.marist.edu/htbin/wlvindex?LINUX-390
> --
> For more information on Linux on System z, visit
> http://wiki.linuxvm.org/
>

--
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
--
For more information on Linux on System z, visit
http://wiki.linuxvm.org/

Re: hyptop question

2016-05-20 Thread Alan Altmark 
On Friday, 05/20/2016 at 06:41 GMT, Karl Kingston  
wrote:
> > For z/VM, the guest virtual machine must have privilege class B
> > or, preferably, a locally-defined privilege class that contains
> > diagnose 2fc.
>
> How does one do this?Don't like giving my linux guests access to 
CLASS
> B so I would like to make my own class and give that to the user.

Well, isn't this embarrassing... (blush) (look down) (kick rock)   You 
can't.  I keep forgetting that DIAGNOSE instructions are architecturally 
different than commands.

(For a fascinating description of how CP commands and DIAGNOSE 
instructions are processed, keep reading!)

The system supports privclass-qualified versions of a command.  When you 
enter a command, the highest level (A->9) for which you have the assigned 
privilege class will run.  That is, if a command has a class B version and 
a class G version, then if you have class ABG, the command will be 
qualified as class B.  If you had class AG, then the command will be 
qualified as class G.  That's the last time CP looks at the issuer's 
privclass.  The system instead looks at the command qualifier.  We refer 
to the command qualifier as the "IBMCLASS".  That is, the IBM-defined 
privilege class associated with the version of the command that's running. 
 The MODIFY COMMAND command lets you change the association between the 
user privclass and the IBMCLASS.

This all gets resolved before the command actually runs, eliminating any 
need for CP to worry about user privclass.  He just cares about the 
IBMCLASS of the command that's running.  This allows a single entry point 
to handle the command.

This isn't how DIAGNOSE instructions work.  Instead of worrying about 
converting user privclass to IBMCLASS and associating with the running 
DIAGNOSE, it's done in the more primitive hindbrain of CP. 
Architecturally, a DIAGNOSE is associated a SINGLE privilege class (or 
privclass ANY).  They aren't supposed to change behavior based on 
privilege class (directory OPTION, maybe, but not privclass).

DIAGNOSE 2FC is violating that architecture.  I would suggest a PMR so 
that you can discuss with Development whether that violation is Right and 
Proper.

Alan Altmark

Senior Managing z/VM and Linux Consultant
Lab Services System z Delivery Practice
IBM Systems & Technology Group
ibm.com/systems/services/labservices
office: 607.429.3323
mobile; 607.321.7556
alan_altm...@us.ibm.com
IBM Endicott

--
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
--
For more information on Linux on System z, visit
http://wiki.linuxvm.org/

Re: hyptop question

2016-05-20 Thread Karl Kingston 
Linux on 390 Port <LINUX-390@VM.MARIST.EDU> wrote on 01/07/2016 08:28:52
AM:

> From: Michael Holzheu <holz...@linux.vnet.ibm.com>
> To: LINUX-390@VM.MARIST.EDU
> Date: 01/07/2016 08:28 AM
> Subject: Re: hyptop question
> Sent by: Linux on 390 Port <LINUX-390@VM.MARIST.EDU>
>
> On Tue, 5 Jan 2016 14:48:17 -0500
> Alan Altmark <alan_altm...@us.ibm.com> wrote:
>
> > On Tuesday, 01/05/2016 at 06:31 GMT, Mark Post <mp...@suse.com> wrote:
> > >
> > > >  For z/VM, the guest virtual machine must be class B.  For  LPAR,
> > > >  on  the  HMC or SE security menu of the LPAR activation profile,
> > > >  select the Global performance data control checkbox.
> > >
> > > For z/VM guests, that is CP privilege class B. For systems running
in an
> > LPAR
> > > (PR/SM), use the HMC Customize/Delete Activation Profiles function
to
> > ensure
> > > the Global performance data control checkbox is checked. This can be
> > found in
> > > the Image profile, under the Security heading.
> >
> > What class B CP commands or DIAGNOSE instructions does the virtual
machine
> > use?  Those functions should be copied to locally-defined privilege
class.
> >  Do not give class B to virtual machines that aren't in the business
of
> > performing real device management.
>
> We use diag 2fc.
>
> Should we say something like:
>
> For z/VM, the guest virtual machine must have privilege class B
> or, preferably, a locally-defined privilege class that contains
> diagnose 2fc.

How does one do this?Don't like giving my linux guests access to CLASS
B so I would like to make my own class and give that to the user.

--
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
--
For more information on Linux on System z, visit
http://wiki.linuxvm.org/

Re: hyptop question

2016-01-07 Thread Michael Holzheu 
On Tue, 5 Jan 2016 14:48:17 -0500
Alan Altmark  wrote:

> On Tuesday, 01/05/2016 at 06:31 GMT, Mark Post  wrote:
> >
> > >  For z/VM, the guest virtual machine must be class B.  For  LPAR,
> > >  on  the  HMC or SE security menu of the LPAR activation profile,
> > >  select the Global performance data control checkbox.
> >
> > For z/VM guests, that is CP privilege class B. For systems running in an
> LPAR
> > (PR/SM), use the HMC Customize/Delete Activation Profiles function to
> ensure
> > the Global performance data control checkbox is checked. This can be
> found in
> > the Image profile, under the Security heading.
>
> What class B CP commands or DIAGNOSE instructions does the virtual machine
> use?  Those functions should be copied to locally-defined privilege class.
>  Do not give class B to virtual machines that aren't in the business of
> performing real device management.

We use diag 2fc.

Should we say something like:

For z/VM, the guest virtual machine must have privilege class B
or, preferably, a locally-defined privilege class that contains
diagnose 2fc.

Regards,
Michael

--
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
--
For more information on Linux on System z, visit
http://wiki.linuxvm.org/

Re: hyptop question

2016-01-05 Thread Michael MacIsaac 
Gregor,

> Is it possible to see stats for virtual machines in other z/vm lpars

FWIW zoom can run hyptop on multiple z/VM systems. If SSH as root is not
permitted, hyptop must be in /etc/sudoers on the zoom servers. In the
example that follows, the ':' is a wildcard for all zoom servers, thus all
z/VM systems in the zoom cluster. In this example, just two systems. Each
line of output is prefixed with the server's host name:

$ zruncommand --servers : sudo /usr/sbin/hyptop -b -n1
server1.example.com: 08:39:58 CPU-T: UN(1) ?=help
server1.example.com: system   #cpu  cpu Cpu+online memuse memmax wcur
server1.example.com: (str) (#)  (%) (hm) (dhm)  (GiB)  (GiB)  (#)
server1.example.com: LOHCOST 1 0.10 0:09  35:23:45   0.04   0.75  10
server1.example.com: PERFSVM 1 0.09 0:50 179:21:06   0.03   0.120
...
server2.example.com: PORTMAP 10.00   0:00 2:07:24   0.00   0.03  100
server2.example.com: FTPSERVE10.00   0:00 2:07:24   0.01   0.03  100
server2.example.com: SFSZVPS 10.00   0:00 2:07:25   0.00   0.06  100
server2.example.com: OPERSYMP10.00   0:00 2:07:25   0.01   0.03  100
server2.example.com:   461 1030.01 168:41 2:07:26 681.90 950.23 5000

-Mike MacIsaac

--
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
--
For more information on Linux on System z, visit
http://wiki.linuxvm.org/

Re: hyptop question

2016-01-05 Thread Mark Post 
>>> On 1/5/2016 at 08:26 AM, Michael Holzheu  
>>> wrote: 
-snip-
> What about:
> 
>  You  can  always monitor the guest operating system where hyptop 
>  runs.

You can always monitor the operating system where hyptop is running.

>  To monitor any other guest operating system on the same hypervi-
>  sor  as  the  operating  system instance of hyptop, you need the 
>  following additional permissions: 

To monitor any other operating system(s) _running_on_the_same_hypervisor as 
hyptop (whether z/VM or PR/SM), you will need additional permissions.

(I think underlining or italicizing the "running on the same hypervisor" will 
help even more.)

>  For z/VM, the guest virtual machine must be class B.  For  LPAR,
>  on  the  HMC or SE security menu of the LPAR activation profile,
>  select the Global performance data control checkbox.

For z/VM guests, that is CP privilege class B. For systems running in an LPAR 
(PR/SM), use the HMC Customize/Delete Activation Profiles function to ensure 
the Global performance data control checkbox is checked. This can be found in 
the Image profile, under the Security heading.


Is there any verbiage that should be added for KVM guests?  I haven't tried it 
myself, but does hyptop work there?


Mark Post

--
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
--
For more information on Linux on System z, visit
http://wiki.linuxvm.org/

Re: hyptop question

2016-01-05 Thread Alan Altmark 
On Tuesday, 01/05/2016 at 06:31 GMT, Mark Post  wrote:
>
> >  For z/VM, the guest virtual machine must be class B.  For  LPAR,
> >  on  the  HMC or SE security menu of the LPAR activation profile,
> >  select the Global performance data control checkbox.
>
> For z/VM guests, that is CP privilege class B. For systems running in an 
LPAR
> (PR/SM), use the HMC Customize/Delete Activation Profiles function to 
ensure
> the Global performance data control checkbox is checked. This can be 
found in
> the Image profile, under the Security heading.

What class B CP commands or DIAGNOSE instructions does the virtual machine 
use?  Those functions should be copied to locally-defined privilege class. 
 Do not give class B to virtual machines that aren't in the business of 
performing real device management.

Alan Altmark

Senior Managing z/VM and Linux Consultant
Lab Services System z Delivery Practice
IBM Systems & Technology Group
ibm.com/systems/services/labservices
office: 607.429.3323
mobile; 607.321.7556
alan_altm...@us.ibm.com
IBM Endicott

--
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
--
For more information on Linux on System z, visit
http://wiki.linuxvm.org/

Re: hyptop question

2016-01-05 Thread Michael Holzheu 
On Mon, 4 Jan 2016 13:57:15 -0700
Mark Post  wrote:

> >>> On 1/4/2016 at 03:38 PM, Grzegorz Powiedziuk  
> >>> wrote:
> > Hi,
> > When I run hyptop I can see performance stats for virtual machines running
> > in the same z/VM LPAR.
> -snip-
> > At least I should be able to see stats for other LPARS from the PR/SM
> > perspective, right?
> > But I don't and I am not sure why.
>
> I don't think you should be able to see that information.  Hyptop queries 
> whichever hypervisor it is running on.  In your case, that's z/VM.  z/VM 
> isn't looking around to see what other LPARs are running and gathering 
> information on them, so it's not going to present anything like that to 
> hyptop's query.
>
> If you want information from PR/SM's perspective, then you'll need to be 
> running a Linux system in an LPAR and use hyptop there.  When I do that, I do 
> see information about the other LPARS, but nothing about z/VM guests that 
> might be running in them, since PR/SM doesn't know about them.

I can confirm what Mark said.

Hyptop can only show data of the level where it is running. If you are running
in an LPAR you can see your neighbor LPARs, if you run in a VM guest you can
see your neighbor VM guests.

> I think the man page for hyptop could use a little clarification.  The way 
> it's worded would tend to suggest that a z/VM guest with CP class B would be 
> seeing information about other LPARs.

I agree that without background knowledge the text can be misleading.

The current text is:

 To  monitor  all  LPARs  or  z/VM guest operating systems of the
 hypervisor, your system must have  additional  permissions:  For
 z/VM,  the  guest  virtual machine must be class B. For LPAR, on
 the HMC or SE security menu  of  the  LPAR  activation  profile,
 select the Global performance data control checkbox.

What about:

 You  can  always monitor the guest operating system where hyptop
 runs.

 To monitor any other guest operating system on the same hypervi-
 sor  as  the  operating  system instance of hyptop, you need the
 following additional permissions:

 For z/VM, the guest virtual machine must be class B.  For  LPAR,
 on  the  HMC or SE security menu of the LPAR activation profile,
 select the Global performance data control checkbox.

Michael

--
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
--
For more information on Linux on System z, visit
http://wiki.linuxvm.org/

Re: hyptop question

2016-01-04 Thread Mark Post 
>>> On 1/4/2016 at 03:38 PM, Grzegorz Powiedziuk  wrote: 
> Hi,
> When I run hyptop I can see performance stats for virtual machines running
> in the same z/VM LPAR.
-snip-
> At least I should be able to see stats for other LPARS from the PR/SM
> perspective, right?
> But I don't and I am not sure why.

I don't think you should be able to see that information.  Hyptop queries 
whichever hypervisor it is running on.  In your case, that's z/VM.  z/VM isn't 
looking around to see what other LPARs are running and gathering information on 
them, so it's not going to present anything like that to hyptop's query.

If you want information from PR/SM's perspective, then you'll need to be 
running a Linux system in an LPAR and use hyptop there.  When I do that, I do 
see information about the other LPARS, but nothing about z/VM guests that might 
be running in them, since PR/SM doesn't know about them.

I think the man page for hyptop could use a little clarification.  The way it's 
worded would tend to suggest that a z/VM guest with CP class B would be seeing 
information about other LPARs.


Mark Post

--
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
--
For more information on Linux on System z, visit
http://wiki.linuxvm.org/

hyptop question

2016-01-04 Thread Grzegorz Powiedziuk 
Hi,
When I run hyptop I can see performance stats for virtual machines running
in the same z/VM LPAR.

Is it possible to see stats for virtual machines in other z/vm lpars (I
assume that the answer is "no" when I think about but I want to make sure).

At least I should be able to see stats for other LPARS from the PR/SM
perspective, right?
But I don't and I am not sure why.


My virtual machine has A-G priv, the global performance data control on SE
is "on", the debugfs is mounted, the s390_hypfs is mounted.

I can see diag_204 and diag_2fc inside of s390_hypfs and both have read
permissions.

OS: RHEL7

What am I missing?
Thanks!
Gregory

--
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
--
For more information on Linux on System z, visit
http://wiki.linuxvm.org/