Modernizing IBM i With Open-Source Solutions
This transcript is edited for clarity.
Charlie Guarino: Hi everybody, this is Charlie Guarino. Welcome to another edition of TechTalk SMB. Today I'm joined by Mr. Wayne Bowers of IBM. Wayne Bowers is a software engineer for IBM in IBM i, Global Support Center based in Rochester, Minnesota, which is clearly the home of IBM i. I have had the great pleasure of speaking many years at conferences and I've seen Wayne there and I can tell you as a fellow speaker that his sessions are almost always the most full sessions I've ever seen. So kudos to you, Wayne. I don't know how you do it, but it's an amazing feat.
Wayne Bowers: Thanks, Charlie. It's good to be with you today.
Charlie: Great. Thank you so much for coming, Wayne. Always a pleasure to see you. Wayne, one of the topics we want to talk about today is open source, specifically people—developers I should say—who are on our platform, IBM i platform, who know they want to get involved with this. They know want to, they know they need to on some level, but they're not entirely sure how to begin. And maybe for some it seems a little overwhelming—when I think it doesn't need to be, but maybe there's a perception that it is like that. So we're hoping today to dispel some of the myths and give people a definite roadmap on how to get started with this.
Wayne: Yeah, that's a great question, a great place to get started here, Charlie. The developers trying to move to developing or modernizing applications with new technology, one of the things with open source is there's a lot of places to look with that, because open source means it's an open community. You don't have to go to a specific software vendor to get the support for their compiler or their development environment, because you can go to a community and you can find a community, you can find a technology, you can find the online classes free—YouTube, whatever, similar to what we're doing here, podcast—on that technology to help you get started. On IBM i, an area that I see a lot of people also struggling, Charlie, is those system administrators, CIOs, the longtime IBM i infrastructure—quote-unquote can we say AS/400?—people that have been a part of the community for a long time. This idea of having open source software on their IBM i system and how would they approach and manage that is actually a hurdle that I see quite a bit that holds not only them, but then their development teams back from being able to embrace and modernize their applications with leveraging these technologies.
Charlie: What do you think some of the hurdles are that they perceive? Is it just maintaining the projects, the application security? What are some of the hurdles that you think that they believe that are out there—that may be false, perhaps—but that they're seeing?
Wayne: Great question, Charlie. Those are all hurdles that we see. They're varying heights. Security is a big one. As the IBM i community, we hang our hat on the platform being the most securable operating system and platform in the industry. But probably the biggest one is it's just a different environment—at least now it is. Let's back up. Give it a little bit of history of where open source technologies have come on the IBM i. I think you could kind of point to the beginning of it, making PHP available on the IBM i. And that was done as making it pretty much exactly like another application on the IBM i. There was an LPP, you could get PTFs, etc. So then when we wanted to take step two and expand some other technologies on IBM i—some of the next ones were Python, Node.js, things like that—we followed that standard IBM i infrastructure.
We created an LPP, 5733-OPS, that you put on the IBM i and different options for that licensed program product installed different open source technologies. And when we wanted to put out an update—I'm just going to throw out Node.js 8 update, whatever it was—we would put out a PTF for that 5733-OPS to put that update to Node.js on your system. And that was something that, okay, the technology is new, but that infrastructure was familiar to our software system administrators, the infrastructure team that supports our IBM i operating systems. But, it kind of held us back because there was a lot of work that had to be done to take these technologies that run in an open environment and put them inside of a licensed program product, put them inside of a PTF. So then the next wave would be where we are today, is to not take these technologies and force them inside of the IBM i-specific licensed program product PTF infrastructure, but to enable an industry standard infrastructure to install, update, and make these open source packages available on the IBM i. And that underlying infrastructure is using technologies called RPM and YUM, which are industry standard technologies for obtaining and updating and installing these type of packages on operating systems. So we were able to jump by doing that. It was so much more efficient for our team, where I think we capped out in that 5733-OPS with under 20 different packages—and there was duplicates there like Node.js 8 and Node.js 10 and Node.js 12—but less than 20 packages to now, where we're well over 300-400 packages that are available in the infrastructure. It's so much more efficient for us to make those packages available for you using this industry standard infrastructure.
Charlie: And RPM and YUM, they're very well defined in the industry, very well utilized, accepted. So anybody should be able to find lots of information on how to use these tools.
Wayne: Correct. Yep. There's lots of cookbooks, toolkits, whatever that tell you how you can leverage the commands that infrastructure to manage this environment. But also on top of that, IBM's tried to make that even easier by adding a tool to the IBM i Access Client Solutions utility called Open Source package management that builds a GUI on top of that infrastructure. So if you're not a shell command line type of person, you kind of like the point and click GUI interface? We have that available for you to help you manage this environment from that.
Charlie: And I know the open source package is right there on the main menu and the main panel. It's so easy, just click on it and brings it right to the list. So it's very easy to administer.
Wayne: Yep.
Charlie: Really great. So, let's shift gears a little bit. I'm talking about the open source package management tool now itself, and then we get into the conversation of package management, and what does that specifically mean and things like versions. I'm on the list right now, I see different versions out there, things like that, different repositories. If someone has that very screen open right now and they're looking at this—and I see three columns, package version and repository. What do those mean to me? How do I interpret what I'm looking at right now?
Wayne: Right. Great question. First of all, I'd like to just draw your eyes up another level, and how we provide this three different lists of these packages for you there. First one is packages that are already installed on your system. So these are already there, they're available, they can be utilized, they're on your system. And then the next one would be updates that are available. So this takes and compares the packages you currently have installed and says, are there any newer versions of only those packages that are available? So you will only see things in there that are newer versions to the packages you have. So that brings us to your question of the version column. What does that mean? Well, to me, I'm just looking at my list here, curl is a pretty common technology. I personally don't use it a whole lot, I'm somewhat familiar with what it does. The version 7.76.1-2 that I currently see installed on one of my systems, that is a version that's been decided on by the curl community. The open source community that develop and make those builds available have decided on that versioning. So if I want to know what's different between Curl 7.76 and Curl 7.77 or 7.76-1 versus 1-2, I would go out to the curl community because there's a reason why I want that on my system. I want to interact with it. And I would look to them as to what's different in that versioning. And I would look to them as saying, is there a reason why I shouldn't be on 7.76? I should be on 7.78 or whatever it is. And that's where I would get the understanding about what that specific versioning means, is from that community. IBM does not decide the version on these packages. That comes from that community.
Charlie: So if I'm in a shop and we decide that we want to go down this road, and the reason why we want to go down this road is because we want to start extending our applications using more functionality that's available today in traditional RPG/COBOL environments. I'm assuming that's the main reason, that's one of the main drivers here, right?
Wayne: Right, that's one of the main drivers is you're able to add some capabilities, generally some modernization, some new ways of doing things that work well that can leverage these open source technologies to do that. Instead of maybe trying to write that infrastructure yourself or buying something from a vendor—there's obviously reasons to do that. We love our vendors that work in industry and on the IBM i community, but there's reasons to look at the open source technology. And so, boy, I could really do something cool if I could leverage or add on some capabilities from this open source technology into my business application needs on the IBM i. So this is why I would want to bring it into my environment.
Charlie: So if there's a particular project or packaging I'm looking at right now and I want to start using it—or begin playing with it if you will—what might be some of the typical challenges you might have seen in your working with customers that they generally have? And so if somebody's hearing this for the first time, it may help them. Are there any obvious gotchas that we need to be aware of?
Wayne: Right. So there's a couple of different levels. The direction I come at it is more from getting that technology available on the IBM i, but from the developer perspective, it's a community. We probably hear the term—I don't know if it is exactly, correctly applied—but crowdsourced. Now there's people that are in charge of the product, they check the code and they're making sure that people aren't putting obvious vulnerabilities or something in it. But it's crowdsourced—it's a community environment. There are some classes, learning environments, Udemy, whatever it might be. You can go on and you can get some education on these environments, but you can also just Google search, find the communities. You're going to be learning from other people within the community. You're not going to go to a vendor and say necessarily, what do you have? Where's the documentation? Where's the manual for this? You're not going to get a three-ring binder shipped with it from the vendor that you bought it from because it's going to be crowdsourced. So you're going to be looking out, finding a community that you can interact with, finding the resources that are more available online. Now, there are people that focus on learning that have also provided learning modules for these technologies, especially the more common ones that you could also look at leveraging. Back to the systems administrator, again, that's a hurdle I find is the development community, even if they're like, hey, I think I know enough. I want to try to deploy a Python-based, a Node.js-based, a whatever-based project on my IBM i. Let's go talk to not only my systems administrator, my CIO, to get these technologies on the i. And those are some hurdles, just getting our heads wrapped around the differences and how that environment is managed, how the infrastructure is intended that you get these packages from IBM onto your system. And there's various hurdles within there.
Charlie: We touched on it already briefly, and that is security. And I know you cannot really have this conversation, or almost any conversation in technology today, without talking about security on some level. And clearly in this environment, we need to address security on some level as well. What might be some of the basic security concerns somebody might have and how do we allay that? I mean we talk about maybe on a particular security level perhaps, or I don't know. What have you seen out there so far on the security? How do you address that particular concern?
Wayne: So let's talk a little bit about the actual packages, the actual technologies themselves. Again, these are being used as business level, they're being used across the industry. Particularly on other platforms, Linux is probably a leading platform. AIX, as one of the IBM cousins on the cognitive Power Systems platform has had this for a while. Even though we have questions—it's created by a community. How do I trust that technology to not be inherently damaging to my system? How do I trust that? And yes, it's an open source community, but it's well managed generally. The ones that we're putting on the i, making available, they're generally well managed. Before any code is included in the version, it's checked, there's reviews of it—peer reviews, etc. So it's obviously a good concern to have, but generally you go and you look, you find a community, you find a technology, you get comfortable with how that community makes it available. You're not going to just be installing malware on your IBM i by any stretch of the imagination by putting any of these packages on your system. But there's bad people, bad actors out there, right? They try to find new ways to expose vulnerabilities and these technologies also have them. So one thing you do need to do is if you choose to put an open source technology on the IBM i, you also need to then take some level of responsibility to check for vulnerabilities for that. Check for updates on it. Do I need to put this update to Python or curl on my system? Oh, it's adding new function and there's really not addressing any significant high CVE vulnerabilities? I don't need to do that. But oh, here's one that has a higher CVE vulnerability. I need to then go and update that package on the IBM i so I get to a higher level of that technology to address that security concern. So that's kind of with the package itself. Some things I see frequently from a system perspective is this infrastructure of how your system goes and gets an open source package from the IBM repository and makes it available on the IBM i is, by default, based around the IBM i having some level—it can be fairly narrow—but some ability to connect to make an https secure port 443 connection out to an IBM website to pull that .rpm file down to the IBM i for it then to be installed. And some customers, they can work and they're comfortable and it fits within their security to open up a port, a pathway from the IBM i to make that port 443 encrypted https connection out to an IBM web server to pull that down. But other customers are like, nope, my IBM i is not going to connect to the internet in any way, shape, or form. So for those customers, we've built tooling into the open source package management utility that uses the PC that Access Client Solutions is running on as a https proxy provider. So the ACS PC makes that connection out to the internet and downloads the package. It just opens up a proxy connection where the package download goes right through the PC to the IBM i over your ssh connection to the IBM i. And that generally resolves most of those issues because their PC can make an http secure connection out to a website to pull that product down.
Charlie: And most shops today are indeed running ssh. That's not up for debate anymore, is it?
Wayne: No, I mean some don't have it started, but again, most of them, it's not a big deal to start that ssh damon on the IBM i and have that running. It's included as part of the TCP/IP suite of applications on the IBM i for a long time now, so that's not usually a huge hurdle to go over.
Charlie: Where can somebody go today if they're looking for customers who have already gone down this path, successful implementations and they want to get some inspiration or maybe even a different perspective on a roadmap to adopting open source technology. They don't want to be pioneers, and they wouldn't be. Many companies have done this already. But where can I go as somebody who's new to this to find out good stories?
Wayne: Right. So we have an IBM i open source resources website, and there's a lot of great information out there about getting started. Some helpful IBM i-related documentation on some of the most common technologies—Node.js, Python, Ruby, etc.—but if we go down further, near the bottom on that, we have IBM i customer stories that are available. Individual customer stories using Node.js to integrate with Amazon Alexa. A company did that to leverage that within their environment. Using PHP for web presence. Some other examples here. So there's customer stories and then there's some more deep case studies too that are available there that you can go and look at and see what our other friends in the IBM i community are doing to leverage these open source technologies to solve business needs, business issues to get those solutions out there.
Charlie: I know at the beginning of our discussion you did mention the other community things like River you mentioned, and Git and even Slack.
Wayne: Right, yes. So also available on that same webpage where you can go, there's a community area on that same website. We have an IBM i open source chat on River. You can join that. We have an IBM i community Slack channel that you can join out there. So those are places that are open just within this GitHub. I wanted to mention there's an issues area where you can report an issue with implementing or leveraging that open source technology on i, and members of the IBM i open source community, including some of the developers, respond and communicate and give advice out there in that GitHub community.
Charlie: This is real good stuff. I love discussing new technologies like this. Wayne, we can wrap this up with my great thanks to you, but are there any kind of last thoughts you want to give out to everybody who's listening to this podcast on inspiring them to go forward, or anything else on that track?
Wayne: Particularly what I see the most common is probably people that have been a part of our IBM i community for a long time and they're very comfortable with that infrastructure. Especially a common scenario that I see is that somebody brings in a newer developer. Maybe they haven't been on IBM i for all their career. They came from a Linux or an AIX background or whatever. And they're like, you know what? We could really do some cool things with this open source technology. Don't discount that and say we're an RPG shop. That's how we've always done it. Look at it, see what could be done, and don't be scared to make a foray into this environment. I'm here to help you get those technologies available on the IBM i. And then we have great friends, Charlie, that also then take you the next step to help you leverage those technologies. My friends in the community like Jesse Gorzinski, who's the open source architect on IBM i, Liam Allen, Mark Irish, etc. There's other people in the community that would love to help you embrace this. So go down the path. I think it'll really help you and your business take those steps towards the future and modernizing application on your IBM i.
Charlie: Right. Extending in ways you may not be aware of today.
Wayne: Correct. Yep.
Charlie: Perfect. Wayne, I want to thank you so much for your time. It's always a pleasure to see you. Looking forward to seeing you in person again in the future conferences as always.
Wayne: Sounds good. Likewise, Charlie. I've enjoyed chatting with you today.
Charlie: Thank you. And for everybody who else is listening, please check out the TechChannel website. There are so many different resources out there on great topics—IBM i and other platforms. It, it's really worth your while. And until next month, everybody, we will speak to you soon. Take care. Bye now.