USS News in z/OS V1R13

USS News in z/OS V1R13USS News in z/OS V1R13Robert HeringTechnical Support Competence CenterRobert.Hering@de.ibm.comIBM TSCC SW Mainz 14.03.12 © 2009 IBM Corporation

USS News in z/OS V1R13Overview zFS news - overview and installation changes zFS performance comparisons in sysplex sharing USS news – USS and RACF changes Ported Tools sudo TECC offerings2 IBM TSCC SW Mainz 14.03.12© 2009 IBM Corporation

USS News in z/OS V1R13zFS news - overview and installationchangesIBM TSCC SW Mainz 14.03.12 © 2009 IBM Corporation

USS News in z/OS V1R13New zFS functions zFS Direct I/O (DIO)– Performance improvement for USS sysplex sharing zFS internal restart– Improvement for zFS internal failures zFS automatic re-enablement of disabledaggregates– Improvement for zFS aggregate failures zFS DASD space considerations– zFS changed the way of storing data4 IBM TSCC SW Mainz 14.03.12© 2009 IBM Corporation

USS News in z/OS V1R13Changes in zFS installation zFS load modules moved to a PDSE library– named SYS1.SIEALNKE, for example UNIX command zfsadm uses a sticky bit ON script– Named IOEZADM that executes module IOEZADM– Sometimes confusing– An external link in /usr/local/bin can be better5 IBM TSCC SW Mainz 14.03.12© 2009 IBM Corporation

USS News in z/OS V1R13Command zfsadm$> command -V zfsadmzfsadm is cached /bin/zfsadm$> cat /bin/zfsadm | tail -3PATH=$PATH:/usr/lpp/dfs/global/binIOEZADM "$@"$> ls -l /usr/lpp/dfs/global/bin/IOEZADM | awk '{print $1}'-rwxr-xr-t$> zfsadmIOEZ00233I IOEZADM: Type 'IOEZADM help' or 'IOEZADM help -topic' for help.$> IOEZADM helpIOEZADM: FSUM7351 not found$>6 IBM TSCC SW Mainz 14.03.12© 2009 IBM Corporation

USS News in z/OS V1R13Command zfsadm ...$> sudo ln -e IOEZADM /usr/local/bin/zfsadm$> export PATH$> command -V zfsadmzfsadm is /usr/local/bin/zfsadm$> zfsadmIOEZ00233I zfsadm: Type 'zfsadm help' or 'zfsadm help -topic'for help.$> zfsadm help | head -l2IOEZ00229I zfsadm: Commands are:aggrinfo Obtain information on an attached aggregate$> #Be careful when using the bash shell$>7 IBM TSCC SW Mainz 14.03.12© 2009 IBM Corporation

USS News in z/OS V1R13zFS statement of direction z/OS V1R13 is planned to be the last release tosupport multi-file system zFS aggregates, includingzFS clones.– zFS multi-file system aggregates are being removed.– Also, the zFS clone function is being removed.8 IBM TSCC SW Mainz 14.03.12© 2009 IBM Corporation

USS News in z/OS V1R13zFS performance comparisons in sysplexsharingIBM TSCC SW Mainz 14.03.12 © 2009 IBM Corporation

USS News in z/OS V1R13zFS performance comparisons Based on DIO for sysplex-aware mounted R/W zFSfile systems– A client system can have the same performance for dataaccess– Requirement MR1211023911 addressed to zFS solved This is not true for metadata access– Complex finds should still be run on the owining system– Ignoring this can still lead to zFS ownership movement10 IBM TSCC SW Mainz 14.03.12© 2009 IBM Corporation

USS News in z/OS V1R13USS news – USS and RACF changesIBM TSCC SW Mainz 14.03.12 © 2009 IBM Corporation

USS News in z/OS V1R13Symbolic links for version root filesystem New support in z/OS V1R13– This eliminates post-installation actions by definingsymbolic links for utilities to use the version root filesystem in read-only mode.– A ServerPac delivery is provided with the /usr/lib/cron,/usr/mail and /usr/spool directories as symbolic links to/var.– For a CBPDO installation the required directories andsymbolic link structure are created during execution of theBPXMKDIR REXX exec in SYS1.SAMPLIB.– For both a health check that is provided, OA35605 andOA35636, and named ZOSMIGV1R13_RO_SYMLINKS.12 IBM TSCC SW Mainz 14.03.12© 2009 IBM Corporation

USS News in z/OS V1R13Symbolic links for version root filesystem... New symbolic links for directories– /usr/lib/cron → ../../var/cron– /usr/spool → ../var/spool– /usr/mail → ../var/mail New symbolic links for uucp files– /usr/lib/uucp/Systems → ../../../var/uucp/System– ...13 IBM TSCC SW Mainz 14.03.12© 2009 IBM Corporation

USS News in z/OS V1R13Lost XCF message detection XCF ordered message delivery is utilized along withassigning sequence numbers to messages.– Each message sequence number is checked.– A lost or duplicate message results in a two system dump.– BPXPRMxx parmlib keyword for this support:LOSTMSG(ON|OFF)– SETOMVS command update:SETOMVS LOSTMSG=ON|OFF You may see a performance penalty in high z/OSUNIX traffic environments.14 IBM TSCC SW Mainz 14.03.12© 2009 IBM Corporation

USS News in z/OS V1R13Script utility to log session The script command records shell session activity.– It is similar to other UNIX and Linux platforms.– It works with the /bin/sh and /bin/tcsh shells.– It works in the OpenSSH, rlogin, telnet and OMVS shellenvironments. Command usage:script [-aq] [file] Use either exit or Ctrl-D to exit the shell process. The script command does not support setting 3270passthrough mode.15 IBM TSCC SW Mainz 14.03.12© 2009 IBM Corporation

USS News in z/OS V1R13Script utility to log session... Example session$> scriptScript command is started. The file is typescript.$> iduid=888(HERING) gid=2(SYS1) groups=1047(USSTEST)$> oedit .profileFOMF0141I Unable to set 3270 passthrough mode$> exitScript command is complete. The file is typescript.$> cat ~/typescriptScript command is started on Tue Mar 13 19:08:32 2012.$> iduid=888(HERING) gid=2(SYS1) groups=1047(USSTEST)$> oedit .profileFOMF0141I Unable to set 3270 passthrough mode$> exitScript command is complete on Tue Mar 13 19:09:53 2012.$>16 IBM TSCC SW Mainz 14.03.12© 2009 IBM Corporation

USS News in z/OS V1R13Enhancement for D OMVS,W File latch contention is displayed in a new table. Filtering options have been added.– This limits the amount of data being displayed.– Filtering options:• LATCHES | Llatch activity• MESSAGES | M sent and received cross system• OTHER | Odisplay the other waiters table• AGE | Adisplay waiters waiting > 5min• SPECIAL | Sspecial files in other waiters table17 IBM TSCC SW Mainz 14.03.12© 2009 IBM Corporation

USS News in z/OS V1R13RACF support for z/OS UNIX user mounts Mount security requirements– Read access to SUPERUSER.FILESYS.USERMOUNT(in class UNIXPRIV)– RWX access permission to the mount point directory– If sticky bit is set, user must be owner of the mp directory.– The mount point directory must be empty.– RWX access permission to the file system root directory.– If sticky bit is set, user must be owner of the file systemroot directory.18 IBM TSCC SW Mainz 14.03.12© 2009 IBM Corporation

USS News in z/OS V1R13RACF support for z/OS UNIX user mounts... Unmount security requirements– Read access to SUPERUSER.FILESYS.USERMOUNT– User must have mounted the file system. Using the new supportRDEFINE UNIXPRIV SUPERUSER.FILESYS.USERMOUNTUACC(NONE)PERMIT SUPERUSER.FILESYS.USERMOUNTCLASS(UNIXPRIV) ID(userid) ACCESS(READ)SETROPTS RACLIST(UNIXPRIV) REFRESH Appropriate values in BPXPRMxx parmlib member– MAXUSERMOUNTSYS(xx) and MAXUSERMOUNTUSER(yy)19 IBM TSCC SW Mainz 14.03.12© 2009 IBM Corporation

USS News in z/OS V1R13RACF support for z/OS UNIX user mounts... Displaying information about user mount support– D OMVS,F,UID=PRIV|USER|uid– D OMVS,USERMOUNTS– F BPXOINIT,FILESYS=DISPLAY,GLOBAL| …FILESYSTEM=fsn|ALL– ISHELL shows nonprivileged user mount information.– Updated z/OS UNIX shell command df -v displays theuser ID and the effective UID for a nonprivileged usermounted file system.20 IBM TSCC SW Mainz 14.03.12© 2009 IBM Corporation

USS News in z/OS V1R13RACF support for z/OS UNIX user mounts... Performing a nonprivileged user mount$> cn d omvs,o | grep MAXUSERMOUNTSYSMAXUSERMOUNTSYS = 5 MAXUSERMOUNTUSER= 5$> /usr/sbin/mount -f HERING.TEST.ZFS testFOMF0504I mount error: 79 119B063BEINVAL: The parameter is incorrectJrNoSetUID: NOSETUID was not specified on the nonprivilegeduser mount interface.$> /usr/sbin/mount -s nosetuid -f HERING.TEST.ZFS testFOMF0504I mount error: 88 119B063CENOTEMPTY: The directory is not emptyJrNonEmptyMntPtDir: The mount point directory is not empty.$> mkdir -m700 testumnt$> /usr/sbin/mount -s nosetuid -f HERING.TEST.ZFS testumnt$>21 IBM TSCC SW Mainz 14.03.12© 2009 IBM Corporation

USS News in z/OS V1R13Additional mount and unmount enhancements BPXPRMxx parmlib statement for non-empty mountpoint directories:NONEMPTYMOUNTPT (NOWARN|WARN|DENY)– This setting can be dynamically changed using the SETOMVS or SETOMVS commands.– If NONEMPTYMOUNTPT is set to WARN a syslogwarning message is provided if a file system is mountedon a nonempty directory.22 IBM TSCC SW Mainz 14.03.12© 2009 IBM Corporation

USS News in z/OS V1R13Additional mount and unmount enhancements... Example commands on NONEMPTYMOUNTPT$> cn "d omvs,o" | grep NONEMPTYMOUNTPTSWA = ABOVE NONEMPTYMOUNTPT = NOWARN$> sudo /usr/sbin/mount -f hering.test.zfs test$> sudo /usr/sbin/unmount test$> cn "setomvs nonemptymountpt=deny"BPXO015I THE SETOMVS COMMAND WAS SUCCESSFUL.$> sudo /usr/sbin/mount -f hering.test.zfs testFOMF0504I mount error: 88 55B063CENOTEMPTY: The directory is not emptyJrNonEmptyMntPtDir: The mount point directory is not empty.$> cn "setomvs nonemptymountpt=warn"BPXO015I THE SETOMVS COMMAND WAS SUCCESSFUL.$> sudo /usr/sbin/mount -f hering.test.zfs test$>23 IBM TSCC SW Mainz 14.03.12© 2009 IBM Corporation

USS News in z/OS V1R13Additional mount and unmount enhancements... Updates for the shell command /usr/sbin/mount– This also applies to the TSO MOUNT command.– File system type is dynamically determined if option -t isnot used and file system option –o was specified.• This may cause problems if old HFS option is used!– File system name length is now verified and the mountfails if the name is larger than 44 characters.– File system name is changed to uppercase letters ifoption –t is not used and type is determined to be zFS.24 IBM TSCC SW Mainz 14.03.12© 2009 IBM Corporation

USS News in z/OS V1R13Additional mount and unmount enhancements... Demonstrating new mount behavior in some cases$> sudo /usr/sbin/mount -f hering.test.zfs test$> zfsowner hering.test.zfszFS Owner : SC74 - Aggregate read-only=N, sysplex-aware=Y$> mkdir -m755 test/test2$> sudo /usr/sbin/mount -f hering.test2.zfs -o norwshare test/test2$> zfsowner hering.test2.zfszFS Owner : SC74 - Aggregate read-only=N, sysplex-aware=N$>25 IBM TSCC SW Mainz 14.03.12© 2009 IBM Corporation

USS News in z/OS V1R13Additional mount and unmount enhancements... Updates for the shell command /usr/sbin/unmount– The default behavior has been changed to unmount a filesystem only if the path specified is a mount point.– A new option –m has been created to retain the originalbehavior.• This means that the path specified can be any file ordirectory contained in the file system.26 IBM TSCC SW Mainz 14.03.12© 2009 IBM Corporation

USS News in z/OS V1R13Additional mount and unmount enhancements... New unmount processing on path specification$> sudo /usr/sbin/mount -qv test----A- HERING.TEST2.ZFS /u/hering/test/test2----A- HERING.TEST.ZFS /u/hering/test$> sudo /usr/sbin/unmount test/test2$> sudo /usr/sbin/unmount test/test2FOMF0512I Path is not a mountpoint: test/test2$> sudo /usr/sbin/unmount -m test/test2$> sudo /usr/sbin/unmount testFOMF0512I Path is not a mountpoint: test$>27 IBM TSCC SW Mainz 14.03.12© 2009 IBM Corporation

USS News in z/OS V1R13z/OS UNIX System Services file system access New control for access to z/OS UNIX mounted filesystems– The checking is done based on the MVS identity.– This checking is supported for zFS and NFS.– Administrator does not require UNIX command expertise. It provides compliance and audit verification forRACF-centric installations. You can build user groups with USS sharing!28 IBM TSCC SW Mainz 14.03.12© 2009 IBM Corporation

USS News in z/OS V1R13z/OS UNIX System Services file system access... Using the new interface– Access control independent of permission, ACLs, UID 0– Used only if a profile covers the file system name– Successful access continues with existing UNIX checks– RACF AUDITOR attribute bypasses the check.– UPDATE access is required to the FSACCESS classresource name.– Checking is only performed if the FSACCESS class isactive.29 IBM TSCC SW Mainz 14.03.12© 2009 IBM Corporation

USS News in z/OS V1R13RACF setup and an exampleRACF set-up commandsSETROPTS CLASSACT(FSACCESS)SETROPTS RACLIST(FSACCESS)ICH14063I SETROPTS command complete.RDEFINE FSACCESS HERING.TESTNEW.ZFS UACC(NONE)ICH10006I RACLISTED PROFILES FOR FSACCESS WILL NOT REFLECT THEADDITION(S) UNTIL A SETROPTS REFRESH IS ISSUED.PERMIT HERING.TESTNEW.ZFS CLASS(FSACCESS) ID(HERING)ACCESS(UPDATE)ICH06011I RACLISTED PROFILES FOR FSACCESS WILL NOT REFLECT THEUPDATE(S) UNTIL A SETROPTS REFRESH IS ISSUEDSETROPTS RACLIST(FSACCESS) REFRESHICH14063I SETROPTS command complete.31 IBM TSCC SW Mainz 14.03.12© 2009 IBM Corporation

USS News in z/OS V1R13RACF setup and an example...Sample commands$> iduid=888(HERING) gid=2(SYS1) groups=1047(USSTEST)$> /usr/sbin/mount -qv test.access 2>/dev/null----A- HERING.TESTNEW.ZFS /u/hering/test.access$> cat test.access/testfileaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaazzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz$> su - -s lafitte#> rexx "say userid()"LAFITTE#> id -u0#> cat /u/hering/test.access/testfilecat: /u/hering/test.access/testfile: EDC5111I Permission denied.#> exit$>32 IBM TSCC SW Mainz 14.03.12© 2009 IBM Corporation

USS News in z/OS V1R13RACF setup and an example...Operlog error messageICH408I USER(LAFITTE ) GROUP(SYS1 ) NAME(JEAN-LOUIS LAFITTE )/u/hering/test.access/testfileCL(DIRSRCH ) FID(E2C2D6E7F1D508650000000000010001)INSUFFICIENT AUTHORITY TO OPENACCESS INTENT(--X) ACCESS ALLOWED(FSACCESS ---)EFFECTIVE UID(0000000000) EFFECTIVE GID(0000000002)33 IBM TSCC SW Mainz 14.03.12© 2009 IBM Corporation

USS News in z/OS V1R13Ported Tools „sudo“ utilityIBM TSCC SW Mainz 14.03.12 © 2009 IBM Corporation

USS News in z/OS V1R13Overview The sudo utility is an open source tool.– It allows a system administrator to delegate authority• to run some or all commands as a superuser and is• providing an audit trail of the commands and their arguments It is a very good solution for granularity andflexibility in many situations. The sudo utility is commonly available on otherUNIX/Linux platforms.35 IBM TSCC SW Mainz 14.03.12© 2009 IBM Corporation

USS News in z/OS V1R13Usage examples for sudoUID = 20GID = 21Groups = 21,22MVS ID = JOECase #1sudoUID = 0GID = 1Groups = 1,2MVS ID = BPXROOTCase #2sudoUID = 0GID = 1Groups = 1,2MVS ID = JOEUID = 0GID = 3Groups = 3,4MVS ID = ADMINCase #3sudoUID = 0GID = 3Groups = 3,4MVS ID = ADMIN38 IBM TSCC SW Mainz 14.03.12© 2009 IBM Corporation

USS News in z/OS V1R13Comparing several z/OS UNIX interfacesCommand / Authoriyz/OS UNIXID ChangeMVS IDChangeShell AccessCommandControlsudo Optional Optional Optional Optionalsu Yes Yes Yes Nosu-s(i.e. SURROGAT)su (i.e.BPX.SUPERUSER)Yes Yes Yes NoYes No Yes NoUNIXPRIV No NO No Partial39 IBM TSCC SW Mainz 14.03.12© 2009 IBM Corporation

USS News in z/OS V1R13Installation considerations The sudoers grammar can be confusing.– Therefore, use examples. Make user specifications as specific as possible. Specify commands with arguments or use “”– to ensure commands are run without arguments. Minimize shell access and shell escapes. See z/OS IBM Ported Tools for z/OS: SupplementaryToolkit for z/OS Feature User's Guide andReference, SA23-2234 for more information.40 IBM TSCC SW Mainz 14.03.12© 2009 IBM Corporation

USS News in z/OS V1R13Some specific settings and comments By default, sudo will initialize the group vector tothe list of groups the target user is in.– To change this use following setting in the sudoers file:Defaults preserve_groups– You can achieve the same when using sudo option -P. With following entry in the sudoers file you can setthe editor to be used via envvar „SUDO_EDITOR“:Defaults env_keep=SUDO_EDITOR– For editing use sudo -e or sudoedit.41 IBM TSCC SW Mainz 14.03.12© 2009 IBM Corporation

USS News in z/OS V1R13Some specific settings and comments... The following user privilege specification in thesudoers file achieve a behavior similar to allowingthe user read access to BPX.SUPERUSER:HERING ALL = NOPASSWD: ALL42 IBM TSCC SW Mainz 14.03.12© 2009 IBM Corporation

USS News in z/OS V1R13sudo command example Entry in sudoers file for team BACKUPS allowing torun a specific pax command:Defaults umask=077User_Alias BACKUPS = june, fred, maryBACKUPS ALL = (admin) /bin/pax -x pax ...-wf /u/code/src.pax /u/code/src Sudo command allowed:sudo –u admin pax -x pax -wf .../u/code/src.pax /u/code/src– The backup team is not allowed to view the data and– is not allowed to run other pax commands.43 IBM TSCC SW Mainz 14.03.12© 2009 IBM Corporation

USS News in z/OS V1R13TECC OfferingsKundenindividuelle Workshops & moreIBM TSCC SW Mainz 14.03.12 © 2009 IBM Corporation

USS News in z/OS V1R13Workshop Portfolio des TECC SW– Microsoft Windows Server und Client OS (2008 R2, Windows 7)– Linux (SuSE Linux Enterprise Server 10 & 11))– z/VM– DB2 for z/OS– z/OS – Networking, also: - z/OS On Demand Workshop Kundenreferenz– für Banken - Softwarehaus - Handel - Versicherung - Dienstleister - Industrie ...– z/OS Release Update & SYSREXX– z/OS Advanced Problem Determination - Websphere, LE, USS, JAVA– z/OS Workshop zFS / USS / NFS– z/OS Advanced System Customization - USS Sysplex Sharing– HFS to zFS Conversion Workshop– Basic IPCS, USS and LE Debug– z/OSMF Implementation & Hands On45 IBM TSCC SW Mainz 14.03.12© 2009 IBM Corporation

USS News in z/OS V1R13Kontakt - Info Marco StrausHechtsheimer Str.255131 MainzEmail:mstraus@de.ibm.com Hans HerzogHechtsheimer Str.255131 MainzEmail:hans.herzog@de.ibm.com46 IBM TSCC SW Mainz 14.03.12© 2009 IBM Corporation

USS News in z/OS V1R13Redbook InformationIBM TSCC SW Mainz 14.03.12 © 2009 IBM Corporation

USS News in z/OS V1R13Redbook information z/OS Distributed File Service zSeries File SystemImplementation z/OS V1R13, SG24-6580-05– Draft version available (December 26, 2011) zFS Reorganization Tool, REDP-4769-00– Final version available (January 24, 2012) z/OS Version 1 Release 13 Implementation, SG24-7946-00– Draft version available (November 2, 2011) Available from IBM Redbooks– http://www.redbooks.ibm.com/48 IBM TSCC SW Mainz 14.03.12© 2009 IBM Corporation