New Computing Environments Breed Simple Questions, Not So Simple Answers

Rob McNelly shares things young engineers say, his recent work on IBM i issues and some old photos

There’s something refreshing about (relatively) new engineers asking innocuous questions about new (to them) computing environments.

“Why are you running Power7 and Power8 servers? Why are you running an unsupported version of an operating system?”

Of course, there are numerous reasons this might be the case. Budget is a big one, though businesses may have other priorities that take precedence over system updates. Perhaps there are unsupported applications that cannot run on more modern versions of an operating system, and neither time nor money is available to put toward testing and updating. It could be a matter of perception: the applications are running just fine on a legacy system. It could be that updating the environment would require an infusion of new skills that are not readily attainable.

The answers are seldom simple, but that’s what makes these discussions worth having. There may be a plan to, say, migrate workloads to newer platforms, but even if that isn’t the case, young engineers or anyone new to the team should be made to understand that these systems aren’t being left in a vacuum. A fresh set of eyes, along with a willingness to pose a fresh set of questions, is good for everyone, and us long-timers in particular. You never know what solutions may present themselves just by taking the time to think things through.

Getting Reacquainted With IBM i

As I’ve mentioned, I spent the first few years of my career working on the AS/400—from its 1988 inception into the late 1990s. These days I seldom deal with IBM i issues, but when I do, it’s interesting to see how much I already know from my day-to-day activities on AIX that translates to IBM i as well.

In a way, this is unsurprising—of course, IBM i and AIX each run on Power Systems servers, which creates some functional commonalities between the operating systems. For instance, I can ssh to the HMC. I can then open a console to my AIX machine or my VIO server. I can use a 5250 emulator, connect to the HMC, and open a console for my IBM i LPAR. The methods are slightly different, but the concepts are the same.

Still, given my limited exposure to IBM i, I do have blind spots. For instance, for some reason I thought you could only install IBM i from a DVD or tape, but now I know better. Just as we can use NIM to install AIX over the network, we can install the VIO server from our HMC over the network, and we can do network installs using IBM i:

“This IBM Redpaper addresses IBM i Network Install. The following topics are included:

  • IBM i scratch installation
  • IBM i licensed program installation
  • IBM i operating system upgrade
  • IBM i program temporary fix (PTF) installation

“Before you install or upgrade an IBM i system through the network, you must set up a Network installation server. This server contains not only images of IBM i Internal Code and Operating System, but also licensed programs, PTFs, and so on.”

Even if I don’t know the precise technical ins and outs of IBM i and the techniques it requires, a high-level overview like this can sometimes be sufficient. Also, when I hear IBM i admins describe a capability, translating that back to something I do all the time helps me understand what they’re trying to accomplish.

SSH Tunnels and Their Many Uses

Do you ever find yourself in an environment that is locked down with only a few open ports? Most of the time the network and firewall team will approve opening ssh on port 22, and I have to remind people about the opportunities that exist when we leverage ssh tunnels. For instance, years ago I was in an environment where we were able to mount NFS filesystems over SSH tunnels. That’s just one example. There’s quite a bit that we can do besides connecting our consoles and copying files.

I recently ran into an issue where an IBM i admin needed to connect to a system using ports 2300 and 2301, which were not opened on the firewall. No problem. We were able to ssh to the HMC with this command:

ssh -L 2301:<hmcipaddress>:2301 -L 2300:<hmcipaddress>:2300 hscroot@<hmcipaddress>

Once they logged in, the tunnel was active and forwarding ports, and they were able to connect their 5250 console to localhost. When they did so, it would forward those ports over the tunnel and make the connection to the HMC, which allowed them to open a console. This article, published more than a decade ago, provides further detail.

As another example, to establish a connection using IBM i Access Client Solutions to connect to the IBM i LPAR (which had ssh running), we ran:

ssh -L 449:<ibmiaddress>:449 -L 8470:<ibmiaddress>:8470 \
    -L 8475:<ibmiaddress>:8475 -L 8471:<ibmiaddress>:8471 \
    -L 8472:<ibmiaddress>:8472 -L 8473:<ibmiaddress>:8473 \
    -L 8474:<ibmiaddress>:8474 -L 446:<ibmiaddress>:446 \
    -L 8476:<ibmiaddress>:8476 -L 23:<ibmiaddress>:23 \
    ibmiuser@<ibmiaddress>

Then we were able to make that 5250 connection as well with all of the capabilities they expected.
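
The same forwarding generated from a port list, as an added example that is not part of the original article: each listener is bound to 127.0.0.1 so only the local workstation can use the tunnel, and ports below 1024 are reported because a Unix-like client normally needs root to listen on them. The function names and the use of `-N` and `ExitOnForwardFailure` are this example's choices; the port list is the one from the command above.

```sh
#!/bin/sh
# Added example, not from the article. Port list copied from the ssh command above.
ACS_PORTS="449 8470 8475 8471 8472 8473 8474 446 8476 23"

# Print "-L 127.0.0.1:PORT:TARGET:PORT" for each port. The explicit loopback
# bind keeps the listener local even if GatewayPorts is enabled in ssh_config.
build_forwards() {
    target=$1; shift
    args=""
    for port in "$@"; do
        case $port in
            # empty, non-numeric, or more than five digits
            ''|*[!0-9]*|??????*) echo "invalid port: $port" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range: $port" >&2; return 1
        fi
        args="$args -L 127.0.0.1:$port:$target:$port"
    done
    printf '%s\n' "${args# }"
}

# Print the ports below 1024. A non-root Unix client normally cannot listen on
# these, so the forwards for 449, 446 and 23 fail without extra privileges.
privileged_ports() {
    low=""
    for port in "$@"; do
        if [ "$port" -lt 1024 ]; then low="$low $port"; fi
    done
    printf '%s\n' "${low# }"
}

# Open the tunnel without a remote shell (-N) and abort if any listener
# cannot be created, instead of continuing with a partial set of forwards.
open_tunnel() {   # usage: open_tunnel user@host target port...
    login=$1; target=$2; shift 2
    fwd=$(build_forwards "$target" "$@") || return 1
    # $fwd is intentionally unquoted so it splits into separate arguments.
    ssh -N -o ExitOnForwardFailure=yes $fwd "$login"
}
```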

On a different day, using a different operating system altogether, a client wanted to change a user’s password across multiple AIX systems. They wanted to run this command:

echo userid:newpassword | /bin/chpasswd

This would set a new password and prompt users to change it the next time they log in.

They were able to run the command across multiple systems using dsh and this syntax:

dsh "echo \"userid:newpasswd\" | /bin/chpasswd"
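
With the dsh form above, the new password is part of a command line and can be seen in process listings and shell history. The following is an added example, not from the article, that sends the same `userid:newpassword` record over ssh's standard input instead; it assumes a plain ssh loop over the hosts rather than dsh, and `REMOTE`, `valid_record` and `push_password` are hypothetical names.

```sh
#!/bin/sh
# Added example, not from the article. Assumes plain ssh to each host in place
# of dsh; REMOTE is a hypothetical hook for swapping the transport.
REMOTE=${REMOTE:-ssh}

# Reject values that would corrupt the "user:password" record chpasswd reads.
valid_record() {
    case $1 in
        # user name: no colon, whitespace, newline or leading dash
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    case $2 in
        # an embedded newline would smuggle in a second record
        ''|*'
'*) return 1 ;;
    esac
    return 0
}

# Send "user:password" to /bin/chpasswd on each host over ssh's stdin.
# The here-document is written by the shell itself, so the password is never
# an argument of echo, ssh, or the remote shell and does not show up in ps.
# Prints the hosts that failed; returns non-zero if any did.
push_password() {
    user=$1; pw=$2; shift 2
    valid_record "$user" "$pw" || { echo "rejected user or password" >&2; return 2; }
    failed=""
    for host in "$@"; do
        $REMOTE "$host" /bin/chpasswd <<EOF || failed="$failed $host"
$user:$pw
EOF
    done
    printf '%s\n' "${failed# }"
    [ -z "$failed" ]
}
```

Read the password into a variable with `stty -echo; read -r pw; stty echo` rather than passing it on the script's own command line.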

Configuring Firewalls to Allow NIM Operations

From IBM Support:

This document covers:

  • Introduction to NIM service handler (nimsh)
  • The install process
  • The clean-up process
  • Protocols and the ports used by these protocols during a network install
  • Breakdown of ports that need to be opened in a firewall for use with NIM
  • Other firewall considerations

Not covered:

  • In-depth description of nimsh
  • How-to steps for performing network installs
  • Problem determination or debugging steps for failed network installs

Ongoing Malware Strain Infecting Linux Machines

Here’s news about a malware strain that’s been infecting Linux machines for at least three years:

“Thousands of machines running Linux have been infected by a malware strain that’s notable for its stealth, the number of misconfigurations it can exploit, and the breadth of malicious activities it can perform, researchers reported Thursday.

“The malware has been circulating since at least 2021. It gets installed by exploiting more than 20,000 common misconfigurations, a capability that may make millions of machines connected to the Internet potential targets, researchers from Aqua Security said. It can also exploit CVE-2023-33246, a vulnerability with a severity rating of 10 out of 10 that was patched last year in Apache RocketMQ, a messaging and streaming platform that’s found on many Linux machines.”

The First IBM Power Champions

Recently I was asked about the first time I was named an IBM Champion, and about the others who were part of that initial group. Given the history, the answer isn’t as clear-cut as it would seem. The first IBM Champions were named in 2011, but the program was discontinued for a few years before being rebooted in 2015. It has since grown into a worthwhile initiative and a vibrant community.

As for that first class, I tracked it down here. I even found photos (here, here and here):

“IBM Champions are IT professionals, developers, and educators who lead and mentor others and help them make best use of IBM solutions and services.”

  • Aletha Chrietzberg
  • Waldemar Mark Duszyk
  • Anthony English
  • Nigel Fortlage
  • Susan Gantner
  • Pete Massiello
  • Brian May
  • Rob McNelly
  • Jon Paris
  • Trevor Perry
  • Roxanne Reynolds-Lair
  • Andy Wojnarek