S 3.41 Introduction to Linux and z/VM for zSeries systems
Initiation responsibility: Head of IT
Implementation responsibility: Administrator, Head of IT
In addition to the Unix System Services (USS) that run on z/OS, Linux is also available for the zSeries hardware.
Linux for zSeries is the same as Linux for other platforms; the modifications to the kernel relate only to the adaptation to the zSeries hardware (system environment, CPU architecture and hardware-dependent drivers). As zSeries Linux is a port, it uses the ASCII character set (unlike the USS HFS file system, which runs in EBCDIC mode). Currently, two Linux versions are available for this platform family: a 31-bit version for S/390 hardware and a 64-bit version for the zSeries hardware (although the S/390 system is a 32-bit system, software runs on it with 31 bits, as the first bit is needed for switching between 24-bit and 31-bit mode).
Linux operating modes on zSeries
Three different Linux operating modes are possible on zSeries:
- Linux native on zSeries hardware
- Linux on a zSeries LPAR
- Linux under the z/VM host system
Linux native on zSeries hardware
In this operating mode, Linux is used as a single system on the zSeries hardware. This means that the entire zSeries hardware is used by the Linux system. In practice, single systems are currently the exception.
Linux in a zSeries LPAR
In this mode, Linux is operated in an LPAR (logical partition) on the zSeries machine. The LPAR mode of the zSeries hardware allows several independent operating system installations to be operated on a zSeries machine. Each individual partition behaves like independent hardware. z/OS or Linux, among others, can be installed as the operating system on these LPARs.
The Linux in a zSeries LPAR operating mode is considered for instance if Internet applications such as web servers are to be used in addition to an existing z/OS database server.
The consolidation of Linux and z/OS on one physical zSeries system instead of two separate systems often reduces the effort for installation and operation.
Linux under the z/VM host system
Several Linux installations can be operated on a zSeries computer or on an LPAR under the z/VM host system. z/VM provides virtual machines in which each Linux installation can be operated independently of the others.
The Linux under the z/VM host system operating mode is used, for instance, if the zSeries hardware is used as part of a server consolidation project. Here, the installation of Linux is made easier by system cloning. A large number of Linux systems can be operated in parallel on one machine. This constellation also eases central monitoring and administration.
Communications Server for Linux on zSeries
Linux for zSeries supports TCP/IP without additional components. The Communications Server for Linux on zSeries, as a separate product, also enables communication with other systems over SNA or TCP/IP in the following areas:
- Advanced Peer to Peer Networking (APPN)
- High Performance Routing (HPR)
- TN3270E server
- Telnet redirector
- SSL data encryption scalability
- Client authentication
- Application programming support
- Advanced Program to Program Communication (APPC)
- Common Programming Interface for Communications (CPI-C)
The program supports administrators and operators during installation, configuration and troubleshooting.
HiperSockets
HiperSockets allow communication across LPARs. With this function, a "system-internal network" can be established within the system using TCP/IP without an additional physical connection.
A TCP/IP job issued by Linux is trapped at the machine level and forwarded to the partition addressed. This communication is possible at transmission rates of several GByte/s. For the Linux operating system, this communication interface behaves like a conventional TCP/IP network. z/OS systems in another LPAR can also be connected to Linux systems in this way.
Integrated Facility for Linux (IFL)
This hardware function allows the additional use of Linux on a system. The special IFL processors provide additional computing capacity.
IFL is managed by PR/SM like a separate LPAR; however, it can only support Linux operating systems (or z/VM with Linux operating systems).
z/VM
The z/VM operating system permits a software-based division of the computer into several parallel virtual machines. z/VM manages the hardware with the Control Program (CP) and makes the virtual machines available to the guest operating systems.
The hardware access is made via the CP that presents the results to the calling operating system in the required form.
Furthermore, z/VM provides the Conversational Monitor System (CMS), in which, for example, scripts can be run to perform corrective actions or to activate new systems.
Linux security aspects
Hardware
The connection between the Linux operating systems or between Linux and z/OS systems can be made using HiperSockets. They are an integral part of the hardware and provide for a fast and, given correct configuration, secure TCP/IP connection.
With the use of z/VM, the provision and protection of the hardware is partly replaced by a software solution. The resources are therefore not available as real hardware, but are represented virtually in the software (z/VM). Accordingly, the resources must be protected by software means.
RACF/VM
The Resource Access Control Facility for z/VM (RACF/VM) expands the standard security in z/VM with access control for the resources in the z/VM system. It also checks access to the system resources and to the virtual machines.
DIRMAINT
The central configuration file in z/VM is the z/VM system directory. The management of this file is supported by DIRMAINT; the DIRMAINT function covers the following tasks:
- distributed virtual machine management
- automatic minidisk administration (allocation, deletion etc.)
- user support
- auditing
- backup/recovery of the directory
Although the directory can be edited with a conventional editor, DIRMAINT is recommended for all installations with a large number of users, as the dialog-based DIRMAINT function simplifies management. This simplification helps to avoid incorrect entries.
Access control
Access control can be configured in Linux essentially using three mechanisms:
- Permission bits as on other Unix operating systems
- Mandatory Access Control (MAC)
- Access Control Lists (ACLs)
While the first method, as a rule, is adequate for normal security requirements, MAC and ACLs should be considered for higher security requirements. Additional software components are required for MAC and ACLs.
Pluggable Authentication Module (PAM)
User management for Linux on LPARs can be centralised by managing the user IDs using a z/OS RACF. For this purpose, the Linux system must have a Pluggable Authentication Module (PAM) and connect to the upstream LDAP server of the z/OS RACF system using HiperSockets.
If the ID is managed in RACF and the user ID and password are correct, access to the Linux system is granted. Data access can, however, still only be controlled using the security mechanisms in Linux (permission bits).
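An added configuration example, not part of the BSI text, showing how a Linux guest can be wired to the LDAP server of a z/OS RACF system using sssd (which supplies the PAM module pam_sss). The host name, CA certificate path and the RACF LDAP suffix cn=racf are assumed values; the racfid and racfOmvs* attribute names are those of the z/OS LDAP SDBM backend as understood by the author of this example, not taken from the page.

```ini
# /etc/sssd/sssd.conf (added example; values marked "assumed" are placeholders)
[sssd]
services = nss, pam
domains = zos_racf

[domain/zos_racf]
id_provider = ldap
auth_provider = ldap

# The z/OS LDAP server is reached over the HiperSockets interface (assumed host name).
# ldaps:// is used deliberately: the RACF password is sent to the LDAP server during
# PAM authentication, and a plain ldap:// URI would carry it unencrypted even on the
# system-internal link.
ldap_uri = ldaps://zos-ldap.example.internal:636
ldap_tls_cacert = /etc/ssl/certs/zos-ldap-ca.pem
ldap_tls_reqcert = demand

# SDBM backend: RACF user profiles appear as racfid=<USERID>,profiletype=user,<suffix>
# (suffix cn=racf assumed).
ldap_search_base = cn=racf
ldap_user_search_base = profiletype=user,cn=racf
ldap_user_object_class = racfUser
ldap_user_name = racfid
# POSIX identity comes from the OMVS segment of the RACF profile (assumed attribute names).
ldap_user_uid_number = racfOmvsUid
ldap_user_home_directory = racfOmvsHome
ldap_user_shell = racfOmvsInitialProgram

# Do not enumerate the whole RACF database through the LDAP front end.
enumerate = false
# Do not keep RACF password hashes on the Linux guest; if RACF is unreachable, logon fails.
cache_credentials = false
```

RACF only decides whether the logon succeeds; once the user is on the Linux guest, file access is still governed by the Linux permission bits (or MAC and ACLs, if configured) and not by RACF profiles.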
Transaction Processing Facility (TPF)
TPF is a further operating system for the zSeries platform and is a special platform. It is a transaction-oriented system used particularly in the airline booking area, where high performance is especially important. Transactions here run directly in kernel mode.
TPF is mentioned at this point for reasons of completeness and is not the subject of the module "S/390 and zSeries mainframe" of this manual.