Red Hat Update for System z

A presentation at IBM Teach the Teacher Conference (IBM T3) in July 2008 in Endicott, NY 13760, USA by Shawn Wells

Slide 1

Red Hat Update for System z
Shawn Wells, RHCE
Lead, Linux on System z
Email: swells@redhat.com

Slide 2

Agenda (45 min): Update on Red Hat
● Today
● Tomorrow
● Together

Slide 3

Introductions
● Shawn Wells, W/W Lead, Linux on System z, Solutions Architect
  ● Business Development, Presentations & Demos, Interface to Product Management, etc.

Slide 4

Introductions
● Shawn Wells, W/W Lead, Linux on System z, Solutions Architect
  ● Business Development, Presentations & Demos, Interface to Product Management, etc.
● Also here at T3:
  ● Brad Hinson, Lead, Linux on System z Technical Support
  ● Justin Payne, Sr. Technical Support Engineer, Linux on System z

Slide 5

Red Hat Development Model: Community
● Development with "upstream" communities (kernel, glibc, etc.)
● Collaboration with partners, IBM, open source contributors

Slide 6

Red Hat Development Model: Fedora
● Rapid innovation
● Latest technologies
● Community supported
● Released on ~6-month cycles

Slide 7

Red Hat Development Model: Red Hat Enterprise Linux
● Stable, mature, commercial product
● Extensive QA and performance testing
● Hardware & software certifications
● 7-year maintenance
● Core ABI compatibility guarantee
● Major releases on a 2-3 year cycle

Slide 8

Red Hat Today: Announcements
Extended Product Lifecycle (table)
Columns: Production 1 (Years 1-4), Production 2 (Year 5), Production 3 (Years 6-7)
Rows: Security Patches, Bug Fixes, Hardware Enablement, Software Enhancements
Legend: Full / Partial / None

Slide 9

Red Hat Today: Announcements
Red Hat Enterprise Linux 4.7, announced Thursday, July 24 2008
● 2.6.9-78 kernel stream
● Added AIDE
● Ability to generate SHA-256 and SHA-512 password hashes
● Updated zFCP driver to include bugfixes
● Updated qdio driver to fix zFCP/SCSI write I/O stagnating on LPAR
● /proc/sys/vm/nfs-writeback-lowmem-only parameter to fix NFS read performance
● /proc/sys/vm/write-mapped to help select faster NFS read performance
● autofs5
● NPIV is awaiting development acceptance for 4.8 (already in RHEL5)
Download @ https://rhn.redhat.com/network/software/download_isos_full.pxt

Slide 10

Red Hat Today: Announcements
What is AIDE?
● Intrusion detection program
● Ships with RHEL5, now in 4.7

# yum install aide
# aide --init

Slide 11

Red Hat Today: Announcements
What is AIDE?
● Intrusion detection program
● Ships with RHEL5, now in 4.7

# yum install aide
# aide --init
# chmod 777 /etc/hosts

Slide 12

Red Hat Today: Announcements
What is AIDE?
● Intrusion detection program
● Ships with RHEL5, now in 4.7

# yum install aide
# aide --init
# chmod 777 /etc/hosts
# aide --check
AIDE found differences between database and filesystem!!
Changed files:
changed: /etc/hosts
Detailed information about changes:
File: /etc/hosts
  Permissions: -rw-r--r-- , -rwxrwxrwx
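The same baseline-then-compare flow as the slide's aide --init / aide --check sequence, written as an added Python example (not AIDE's own code): it baselines a constructed hosts file in a temporary directory, loosens its mode to 0777 as the slide does, and reports the changed attributes in the slide's output layout.

```python
# AIDE-style file integrity check (added example, not AIDE's own code).
import hashlib, os, stat, tempfile
from pathlib import Path

def snapshot(path: str) -> dict:
    """Attributes AIDE compares for one file: mode, owner, size, content hash."""
    st = os.lstat(path)
    digest = hashlib.sha256(Path(path).read_bytes()).hexdigest() if stat.S_ISREG(st.st_mode) else ""
    return {"Permissions": stat.filemode(st.st_mode), "Uid": st.st_uid,
            "Gid": st.st_gid, "Size": st.st_size, "SHA256": digest}

def init_db(paths) -> dict:
    return {p: snapshot(p) for p in paths}  # like 'aide --init': the trusted baseline

def check(db: dict) -> dict:
    """Like 'aide --check': {path: {attribute: (baseline, current)}} for every changed file."""
    changes = {}
    for path, old in db.items():
        if not os.path.lexists(path):
            changes[path] = {"Removed": (False, True)}
            continue
        diff = {k: (old[k], v) for k, v in snapshot(path).items() if old[k] != v}
        if diff:
            changes[path] = diff
    return changes

def report(changes: dict) -> str:
    """Render findings in the layout of the slide's 'aide --check' output."""
    if not changes:
        return "AIDE found no differences between database and filesystem."
    lines = ["AIDE found differences between database and filesystem!!", "Changed files:"]
    lines += [f"changed: {p}" for p in changes] + ["Detailed information about changes:"]
    for p, diff in changes.items():
        lines += [f"File: {p}"] + [f"  {k}: {old} , {new}" for k, (old, new) in diff.items()]
    return "\n".join(lines)

def demo() -> dict:
    """Constructed scenario from the slide: baseline a hosts file, then chmod 777 it."""
    with tempfile.TemporaryDirectory() as d:
        hosts = os.path.join(d, "hosts")
        Path(hosts).write_text("127.0.0.1 localhost\n")
        os.chmod(hosts, 0o644)
        db = init_db([hosts])
        os.chmod(hosts, 0o777)  # the unwanted change the baseline should catch
        changes = check(db)
        print(report(changes))
        return {os.path.basename(p): diff for p, diff in changes.items()}

if __name__ == "__main__":
    demo()
```

Only the Permissions attribute differs in the demo; the content hash, size and owner stay equal, which is exactly why AIDE reports just that line.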

Slide 13

Red Hat Today: Announcements
Red Hat / IBM Alliance
Technical Perspective
● Dedicated partner managers
● IBM on-site kernel engineers at Red Hat
● Weekly calls with IBM System z Product Management
● Emphasis on IBM access to code (making it easier to work together)
● Weekly reviews of open bugs & feature requests
● Proof of Concept support
Marketing & Sales Perspective
● Joint world-wide tour: Marist, zNTP, T3, SHARE, zExpo, etc.
Business Perspective
● Dedicated staff from helpdesk to executive

Slide 14

IBM Changes to 2.6.x Kernel (chart: RHEL4, RHEL5)

Slide 15

Red Hat Today: RHEL Status
Upstream of Code
● DASD driver updates
● zFCP driver updates
● zFCP multipathing support in RHEL5 installer
● Crypto Express2 support
● hugetlbfs
● Layer-2 IPv6 support for HiperSockets
Marketing Perspective
● Joint world-wide tour: Marist, zNTP, T3, SHARE, zExpo, etc.
Sales Perspective
● Joint sales calls

Slide 16


Slide 17

Red Hat Today: RHEL Status
RHEL 5.1
● Improved z/VM scheduling
● Improved performance with key recompiled libraries
RHEL 5.2
● Support for new IBM z10
● Improved IBM Director support for fast connection to z/VM
● Improved virtual server management
● Implementation of SCSI dump infrastructure
● Support for dynamic CHPID reconfiguration
● Better network configuration tool support for System z network adapters
● Improved install experience with support for "ssh -X" with VNC
● Better network performance with skb scatter-gather support
● Implemented device-multipath support for xDR/GDPS
RHEL 5.3
● NSS, CPU affinity, ETR support planned
● Suggestions? swells@redhat.com

Slide 18

Red Hat Today: RHEL Security Status
Hardware Enablement
● In-kernel crypto
  ● S/390 implementation of SHA-384 and SHA-512 digests
  ● Improved encryption performance (e.g. encrypted filesystems)
● libica library
  ● Support for updated OpenSSL, PKCS#11, GSKit, and kernel crypto APIs
● Device driver performance updates
● Crypto Express2 support

Slide 19

Red Hat Today: RHEL Security Status
Kernel Enablement
● SELinux
  ● Policies: { targeted, strict, MLS }
  ● Contexts: { root:system_r:httpd_sys_script_t }
  ● Roles: { system_r, object_r }
● ExecShield, FORTIFY_SOURCE, and canary values
  ● kernel.exec-shield (/proc/sys/kernel/exec-shield)
● ACLs: setfacl, getfacl

Slide 20

Red Hat Today: SELinux Use Case

Slide 21

Red Hat Today: SELinux Use Case

Slide 22

Red Hat Today: SELinux Use Case

Slide 23

Red Hat Today: RHEL Security Status
SELinux Use Case
● Apache should not be allowed to overwrite content
● Therefore, Apache, and any program started by Apache, is not given write access to the data
● SELinux constrains the program, regardless of the user running the executable
● The content is protected, even if the Apache PHP/CGI user owns the files
When the attacker uses the same exploit with SELinux turned on:

Mar 3 23:02:04 rhel4-u4-as kernel: audit(1170820924.171:108): avc: denied { write } for pid=26760 comm="sh" name="phpbb" dev=dm-0 ino=1114119 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_sys_content_t tclass=dir

Slide 24

Red Hat Today: RHEL Security Status
SELinux Loadable Policy Modules
● In the past, all policy changes had to be made to the policy source
  ● Required the entire policy to be re-compiled
  ● Required a full set of policy development tools on production systems
● Modules allow for the creation of self-contained policy modules
  ● Safely linked together to create system policies
  ● Add policy on the fly
  ● Remove policy on the fly
  ● Framework to allow ISV/OEM partners to ship their own modular SELinux policy

Slide 25

Red Hat Today: RHEL Security Status
Who cares about SELinux Loadable Policy Modules?

Slide 26

Red Hat Today: RHEL Security Status
Who cares about SELinux Loadable Policy Modules?
...or I just turn off SELinux anyway

Slide 27

Red Hat Today: RHEL Security Status
SELinux
● Red Hat gives employees a "Corporate Standard Build"
  ● Customized RHEL Desktop
  ● Includes VPN configuration
● VPN broke in the last update!

time->Wed Mar 5 07:22:55 2008
type=SYSCALL msg=audit(1204719775.306:738): arch=40000003 syscall=54 success=no exit=-19 a0=4 a1=8933 a2=bfcec1bc a3=bfcec1bc items=0 ppid=3900 pid=5003 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="ip" exe="/sbin/ip" subj=user_u:system_r:ifconfig_t:s0 key=(null)
type=AVC msg=audit(1204719775.306:738): avc: denied { sys_module } for pid=5003 comm="ip" capability=16 scontext=user_u:system_r:ifconfig_t:s0 tcontext=user_u:system_r:ifconfig_t:s0 tclass=capability

Slide 28

Red Hat Today: RHEL Security Status
SELinux

<snip>
.... comm="ip" exe="/sbin/ip" subj=user_u:system_r:ifconfig_t:s0 key=(null)
type=AVC msg=audit(1204719775.306:738): avc: denied { sys_module } for pid=5003 comm="ip" capability=16 scontext=user_u:system_r:ifconfig_t:s0 tcontext=user_u:system_r:ifconfig_t:s0 tclass=capability ....
</snip>

# ausearch -x "/sbin/ip" | audit2allow -M myVPNfix
# semodule -i myVPNfix.pp
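An added Python example (not Red Hat's or audit2allow's code) covering the denials on slides 23 and 27: it parses AVC records and renders the allow rule audit2allow -M would put into the module, so the rule can be read before semodule loads it. On the sample below, the first rule would hand Apache scripts write access to the content directory (the exploit being correctly blocked), while the second is the ifconfig_t capability the VPN tooling legitimately needs.

```python
# Parse SELinux AVC denials and show the allow rule audit2allow would generate
# (added example; not Red Hat's or audit2allow's code).
import re
from typing import Optional

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line: str) -> Optional[dict]:
    """Denied permissions plus the key=value fields, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec

def context_type(ctx: str) -> str:
    """user:role:type[:level] -> type, e.g. root:system_r:httpd_sys_script_t -> httpd_sys_script_t."""
    return ctx.split(":")[2]

def allow_rule(rec: dict) -> str:
    """The TE rule audit2allow emits for one denial; equal source/target types are written as 'self'."""
    src = context_type(rec["scontext"])
    tgt = context_type(rec["tcontext"])
    tgt = "self" if tgt == src else tgt
    perms = rec["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {src} {tgt}:{rec['tclass']} {perm_str};"

# Constructed sample: the two denials quoted on the slides (blocked phpBB exploit, blocked VPN 'ip').
SAMPLE_LOG = """\
Mar 3 23:02:04 rhel4-u4-as kernel: audit(1170820924.171:108): avc: denied { write } for pid=26760 comm="sh" name="phpbb" dev=dm-0 ino=1114119 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_sys_content_t tclass=dir
type=AVC msg=audit(1204719775.306:738): avc: denied { sys_module } for pid=5003 comm="ip" capability=16 scontext=user_u:system_r:ifconfig_t:s0 tcontext=user_u:system_r:ifconfig_t:s0 tclass=capability
type=SYSCALL msg=audit(1204719775.306:738): arch=40000003 syscall=54 success=no exit=-19 comm="ip"
"""

def review(log: str) -> list:
    """(comm, rule) per denial: what 'semodule -i' would permit, so the first rule is seen as
    the exploit being correctly blocked and only the second is a candidate for a fix module."""
    return [(r["comm"], allow_rule(r)) for r in map(parse_avc, log.splitlines()) if r]

if __name__ == "__main__":
    for comm, rule in review(SAMPLE_LOG):
        print(f"{comm:>3}: {rule}")
```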

Slide 29

Red Hat Tomorrow: Here comes XCCDF
XCCDF Format: language for describing policy ("your password will be...")

Slide 30

Red Hat Tomorrow: Here comes XCCDF
OVAL Format: language for defining compliance ("prove that your password is...")
XCCDF Format: language for describing policy ("your password will be...")

Slide 31

Red Hat Tomorrow: Here comes XCCDF
CVE Dictionary: standard vulnerability & exposure names
OVAL Format: language for defining compliance ("prove that your password is...")
XCCDF Format: language for describing policy ("your password will be...")

Slide 32

Red Hat Tomorrow: Using XCCDF

<definitions>
  <definition class="vulnerability" id="OVAL9999" instance="1">
    <affected family="Linux">
      <linux:platform>Red Hat Enterprise Linux</linux:platform>
      <product>RHEL5.2</product>
    </affected>
    <description>SELinux is turned off</description>
    <reference source="CVE">CVE-SELinux-test</reference>
    <status>ACCEPTED</status>
    <version>1</version>
    <criteria result="1">
      <criterion comment="SELinux Turned off. Turn back on." test_ref="XCCDFSection1" version="1"/>
    </criteria>
  </definition>
</definitions>

Slide 33

Red Hat Today: Systems Management
Red Hat Network: a systems management platform designed to provide complete life cycle management of the operating system and applications.
● Provision/re-provision machines without touching them
● Manage 1,000 systems as easily as 1
● Ensure security fixes / config changes are applied consistently across the enterprise

Slide 34

What is Red Hat Network? Satellite
● Enterprise solution, enhanced control
● All system information stored locally on your network
● Custom content distribution
● Ability to run disconnected from the internet

Slide 35

RHN Satellite Deployment Model (diagram)
● RHN Hosted: Software Distribution, Subscription Management
● RHN Satellite: Software Distribution, Account Management, Channel Management, Monitoring, Provisioning (Web Interface, API Layer)
● RHN Proxy
● Managed Systems, IT Applications, Custom Content

Slide 36

What is Red Hat Network? Update

Slide 37


Slide 38

What is Red Hat Network? Update, Manage

Slide 39


Slide 40

What is Red Hat Network? Update, Manage, Provision

Slide 41


Slide 42

What is Red Hat Network? Update, Manage, Provision, Monitor

Slide 43

RHN Satellite Is Now Open Source
http://spacewalk.redhat.com
● Announced at Red Hat Summit 2008
● ...remember the Fedora -> RHEL model?

Slide 44

Thank You
Shawn Wells
Solutions Architect
Lead, Linux on System z
Email: swells@redhat.com
Phone: +1 443 534 0130
http://redhat.com/z

Slide 45

Useful Links
● Technical mailing list (linux-390@vm.marist.edu)
  ● Subscribe: http://www2.marist.edu/htbin/wlvindex?linux-390
  ● Archive: http://www.mail-archive.com/linux-390@vm.marist.edu/
● RHEL 5 Virtualization Cookbook
  ● http://www.linuxvm.org/present/misc/virt-cookbook-RH5.pdf
  ● Update to 5.2 coming soon (currently under technical review)
● Presentations from SHARE user conferences and other links
  ● http://www.linuxvm.org/present/
  ● http://www.linuxvm.org/
● http://www.redhat.com/z

Slide 46

Open Discussion

Slide 47

Supplemental: Red Hat Use Case

Slide 48

System z Use Case: How Red Hat Uses Z
● IBM zSeries 2094 (z9)
● IBM zSeries 2084 (z990)
● Shark storage (ESS unit 2105, 16 full drawers of disk)
  ● Provided via FCP layer emulation
● Fully loaded z10 comes July '08

Slide 49

System z Use Case: How Red Hat Uses Z
● Training (internal/external)
● Development VMs
  ● s390utils, kernel, integrating DeveloperWorks, etc.
● Quality Engineering
  ● VM for each RHEL distro released since RHEL 4 (4.0, 4.1, ... 5.1)
● Support Desk
  ● Emulating user problems

Slide 50

System z Use Case: How Red Hat Uses Z
● JBoss Development (dev, test, prod)
● Red Hat Network Development (dev, test, prod)
● Enterprise IPA Development (dev, test, prod)
● Cross compilation of all RHEL architectures
● Staff accounts (sandbox environments, demos)

Slide 51

System z Use Case: How Red Hat Uses Z
● Red Hat Network for deployment of new VMs, patching
● Managed by one staff member
  ● Allows patching, reprovisioning z/VM guests, etc.

Slide 52

System z Use Case: How Red Hat Uses Z
RHN for Z: Lesson Learned
● When configuring the kickstart through the web interface, choose Static IP instead of DHCP.
● In the Extra Kernel Parameters text box, enter the information normally found in the CMS CONF file, on a single line:
  DASD=100 HOSTNAME=example IPADDR=192.168.5.100 …
● Documented at: http://kbase.redhat.com/faq/FAQ_49_12902.shtm

Slide 53

Supplemental: RHEL 5.2 Bug Fixes

Slide 54

RHEL 5.2 Bug Fixes, Installer Related
● BZ: https://bugzilla.redhat.com/show_bug.cgi?id=237508 [Private]
  Summary: LCS device not found at install
● BZ: https://bugzilla.redhat.com/show_bug.cgi?id=305331 [Private]
  Summary: sudo-1.6.8p12-10 segfaults when using ldap on s390
● BZ: https://bugzilla.redhat.com/show_bug.cgi?id=354661 [Private]
  Summary: multipath paths fail using PAV Devices on DS8000 DS6000
● BZ: https://bugzilla.redhat.com/show_bug.cgi?id=279201 [Private]
  Summary: zfcpconf.sh fails in rc.sysinit if / partition and /usr partition are separated

Slide 55

RHEL 5.2 Bug Fixes, Storage Related
● BZ: https://bugzilla.redhat.com/show_bug.cgi?id=360701 [Private]
  Summary: swap_dup: Bad swap file entry <xxxxxxxx> without swap configured
● BZ: https://bugzilla.redhat.com/show_bug.cgi?id=360611 [Private]
  Summary: FICON DS8000: File ID Miscompare after CHPID off via HMC

Slide 56

RHEL 5.2 Bug Fixes, I/O Related
● BZ: https://bugzilla.redhat.com/show_bug.cgi?id=360821 [Private]
  Summary: qdio: too many interrupts on qdio-driven devices
● BZ: https://bugzilla.redhat.com/show_bug.cgi?id=360631 [Private]
  Summary: qdio: time calculation is wrong
● BZ: https://bugzilla.redhat.com/show_bug.cgi?id=354801 [Private]
  Summary: cio: Disable channel path measurements on shutdown/reboot
● BZ: https://bugzilla.redhat.com/show_bug.cgi?id=354831 [Private]
  Summary: cio: Handle invalid subchannel set id in stsch
● BZ: https://bugzilla.redhat.com/show_bug.cgi?id=354821 [Private]
  Summary: cio: Device status validity

Slide 57

RHEL 5.2 Bug Fixes, Networking Related
● BZ: https://bugzilla.redhat.com/show_bug.cgi?id=281241 [Private]
  Summary: tcpdump does not show outgoing packets with fake_ll=1
● BZ: https://bugzilla.redhat.com/show_bug.cgi?id=354891 [Private]
  Summary: qeth: recognize/handle RC=19 from Hydra 3 OSA
● BZ: https://bugzilla.redhat.com/show_bug.cgi?id=354851 [Private]
  Summary: qeth: increment sequence number for incoming packets
● BZ: https://bugzilla.redhat.com/show_bug.cgi?id=267381 [Private]
  Summary: QDIO based network connections hang with QIOASSIST ON

Slide 58

RHEL 5.2 Bug Fixes, Stability Related, p1
● BZ: https://bugzilla.redhat.com/show_bug.cgi?id=360591 [Private]
  Summary: Operating System Message: Kernel panic - not syncing: Fatal exception in interrupt
● BZ: https://bugzilla.redhat.com/show_bug.cgi?id=253275 [Private]
  Summary: Placing a kprobe on 'bc' instruction can crash the system
● BZ: https://bugzilla.redhat.com/show_bug.cgi?id=354811 [Private]
  Summary: I/O stall, system crash due to scanning for units from FC transport class
● BZ: https://bugzilla.redhat.com/show_bug.cgi?id=354871 [Private]
  Summary: qdio: System hang with zfcp in case of adapter problems

Slide 59

RHEL 5.2 Bug Fixes, Stability Related, p2
● BZ: https://bugzilla.redhat.com/show_bug.cgi?id=350861 [Private]
  Summary: Kernel panic with lcs interface as dhcp server
● BZ: https://bugzilla.redhat.com/show_bug.cgi?id=330211 [Private]
  Summary: qeth: crash during reboot after failing online setting
● BZ: https://bugzilla.redhat.com/show_bug.cgi?id=380981 [Private]
  Summary: Kernel Panic during activation of OSA-devices with fake_ll
● BZ: https://bugzilla.redhat.com/show_bug.cgi?id=325451
  Summary: ptrace compatibility problem with PTRACE_{PEEK,POKE}USR_AREA