Port Forwarding with systemd

Using Port Forwarding with xinetd has served me well at many occasions. As time proceeds, new technologies show up that allow for similar functionality and others are deprecated. When reading about the obsoletion of xinetd in SLES15, I wondered if you could do the port forwarding also with systemd instead of xinetd.

To accomplish the same port forwarding like in Port Forwarding with xinetd you can proceed as follows.

With systemd, the procedure is twofold. First you have to create a socket that listens on a stream. The second part is to start a proxy service that connects to a remote port. Both are connected by means of their respective name


Just sticking with the previous example, let me use the following:

  • the private has the IP address range
  • the switch is configured with and its management port is 80
  • the jump host with access to both networks has the external address
  • use port 81 to access the switch over the jump host

The first thing we need is a .socket file:

# cat /etc/systemd/system/http-switch.socket


This socket must be connected to a proxy by means of the service name:

# cat /etc/systemd/system/http-switch.service
Description=Remote Switch redirect


After adding these files, the service can be enabled and started with the following commands:

systemctl enable http-switch.socket
systemctl enable http-switch.service
systemctl start http-switch.socket
systemctl start http-switch.service

The previous example is just a very basic one. Especially with the socket file, there is lots and lots of parameters and options available. For more information, see

man 5 systemd.socket
man 5 systemd.service


Posted in Networking, openSUSE, systemd, xinetd | Leave a comment

z/VM SSI: make your Linux relocatable

Virtualization systems like KVM, Xen, or z/VM offer the possibility to move running guests from one physical server to another one without service interruption. This is a cool feature for the system administrator because he can service a virtualization host without shutting down any workload on his cluster.

Before doing such a migration, the system perform a number of checks. Especially z/VM is very strict with this, but also gives high confidence that nothing bad happens with the workload. Unfortunately, the default system you get when running linux on z/VM has a number of devices attached, that prevent z/VM from relocating that guest to a different node. A typical message would look like this:

HCPRLH1940E LINUX001 is not relocatable for the following reason(s):
HCPRLI1996I LINUX001: Virtual machine device 0191 is a link to a local minidisk

For some of the devices it is obvious to the experienced z/VM admin that he can detach them. However some of the devices might also be in use by Linux, and it would definitly confuse the system when just removing the device. Therefore, the z/VM admin has to ask the person reponsible for Linux if it is ok to remove that device. When talking about 10 guests, this might be ok, but when talking about lots and lots of servers and many different Stakeholders, this can get quite painful.

Starting with SLES12 SP2, a new service called “virtsetup” sneaked into the system that can ease this task a lot. When enabled, it removes all the unneeded CMS disks from the guest and thus prepares the guest for live guest relocation.

How to run this service:
# systemctl enable virtsetup
# systemctl start virtsetup

Thats basically everything you have to do for a default setup. If you want some specific disk untouched, just have a look at “/etc/sysconfig/virtsetup”. This is the file where this service is configured.

Enabling this service is not a big deal for the single machine, but it makes a big difference for the z/VM admin. When this is enabled, most machines will simply be eligible for relocation without further action and thus allowing for continuous operation during service of a z/VM Node.

Posted in Mainframe, SLES12, systemd, z Linux, zVM | Leave a comment

Multiple Linux Consoles in z/VM

The standard method to access z/VM is using a 3215 terminal with a terminal emulator. With linux, the x3270 package provides a free emulator for these terminals.

One of the features of z/VM is, that you can define several consoles for a guest. This is very helpful if there are problems with a guest that affect the network connectivity. With z/VM you can even define multiple consoles that allow direct logon to the running guest.

By default, only one terminal is defined for z/VM guests. To define three additional 3270 consoles on a guest at the addresses 0020-0022, use the following commands:

cp define graf 20
cp define graf 21
cp define graf 22

These consoles can also be created online from linux, provided that you got sufficient privileges on the guest. To issue cp commands from linux, use the command vmcp instead of cp.

With SLES 12, several additional steps are needed to activate these consoles.

First, the devices must be made available to the system. This a twofold process:

  1. Remove the devices from the cio ignore list with the command
  2. cio_ignore -r 0.0.0020-0.0.0022
  3. Add the devices to /boot/zipl/active_devices.txt to make this change persistent.
    # cat /boot/zipl/active_devices.txt

The system automatically detects those devices. The corresponding serial devices are found below /dev/3270/tty[123]. Next, tell systemd to run a getty on these devices:

systemctl enable serial-getty@3270-tty1.service
systemctl enable serial-getty@3270-tty2.service
systemctl enable serial-getty@3270-tty3.service
systemctl start serial-getty@3270-tty1.service
systemctl start serial-getty@3270-tty2.service
systemctl start serial-getty@3270-tty3.service

To use the new consoles on a machine called LINUX065, direct the 3270 terminal emulator at z/VM. Instead of logging on as regular user, move the cursor to the COMMAND line and enter the following command:

dial linux065

To redisplay the logon prompt, you might want to press enter once.

When trying to logon to this console as root, you will find that it won’t let you. The reason for this is, that root logon is only allowed on previously defined consoles. The configuration file for this is /etc/securetty. Add the following lines to the end of this file:


After this, you can directly logon to the linux guest without the need for z/VM credentials.

If you want to avoid the need to redefine the consoles after a logoff of the guest, add the definition to PROFILE EXEC A of the guest.


Posted in 3270, Mainframe, SLES12, z Linux, zVM | Tagged , , , , , | 1 Comment

Online Enabling new DASD from a Linux LPAR on System z

When running a mainframe, there are reasons why you you want to add new control units and DASD disk devices. Assuming that you already added the hardware configuration to the system, you will find that a still running LPAR with linux will just not see any of the changes.

For example, if you have a configuration like the following in the IO configuration:

 CNTLUNIT CUNUMBR=2700,PATH=((CSS(0),41,43,4A,4D,50,51),               *
 IODEVICE ADDRESS=(2700,224),CUNUMBR=(2700),STADET=Y,UNIT=3390B,       *
 IODEVICE ADDRESS=(27E0,32),CUNUMBR=(2700),STADET=Y,UNIT=3390A,        *

The configuration on DS8000 with dscli would look like the following:

dscli> lslcu
Date/Time: July 17, 2013 2:50:45 PM CEST IBM DSCLI Version: DS: IBM.XXXX-XXXXXXX
ID Group addrgrp confgvols subsys conbasetype
06     0 0              36 0x0004 3990-6

Several disks and alias devices have been configured already on logical control unit 6 of DS8000. The alias devices are needed for the HyperPAV feature of the DS8000. :

dscli> lsckdvol -lcu 06
Date/Time: July 17, 2013 2:56:25 PM CEST IBM DSCLI Version: DS: IBM.XXXX-XXXXXXX
Name ID   accstate datastate configstate deviceMTM voltype   orgbvols extpool cap (cyl)
-    0600 Online   Normal    Normal      3390-9    CKD Base  -        P12         27825
-    0601 Online   Normal    Normal      3390-9    CKD Base  -        P14         27825
-    0602 Online   Normal    Normal      3390-3    CKD Base  -        P12          3339
-    0603 Online   Normal    Normal      3390-3    CKD Base  -        P14          3339
-    0604 Online   Normal    Normal      3390-9    CKD Base  -        P12         10017
-    06E0 -        -         -           -         CKD Alias 0600     -               0
-    06FF -        -         -           -         CKD Alias 0600     -               0

When using z/VM, the only thing to be done when you want to activate the devices is a vary online 2700-2704 27E0-27FF. However from a linux in LPAR mode, there is no such command available. Even after activating the devices from z/VM they would not be visible inside the linux LPAR. To check this, you can use the command lscss | grep '0\.0\.2700'.

The solution to make the devices available without rebooting the linux is to vary online one of the chpids that are already online.  If you look at the IOCDS, it shows that there are six chpids online: 41,43,4A,4D,50,51. In our case, these are just shared for all DASD devices and are also used for other device ranges. Thus they are just online. This can be seen with the following command:

# lscss | grep 0.0.2600
0.0.2600 0.0.01e6 3390/0c 3990/e9 fc fc ff 41434a4d 50510000

The numbers at the end just represent the use chipids.  To activate the chpid with number 41, use the following command:

# chchp -v 1 41
Vary online 0.41... done.

After this, the available disks can be checked again:

# lscss | grep '0\.0\.27'
0.0.2700 0.0.02e6 3390/0c 3990/e9 fc fc 2b 41434a4d 50510000
0.0.2701 0.0.02e7 3390/0c 3990/e9 fc fc 13 41434a4d 50510000
0.0.2702 0.0.02e8 3390/0a 3990/e9 fc fc 07 41434a4d 50510000
0.0.2703 0.0.02e9 3390/0a 3990/e9 fc fc 83 41434a4d 50510000
0.0.2704 0.0.02ea 3390/0c 3990/e9 fc fc 43 41434a4d 50510000

Now, the disks on control unit 2700 are also visible on this LPAR. From that point, it is easy to just configure the disks for linux with yast2 dasd or the commandline utility dasd_configure.

Posted in block devices, DS8000, Mainframe, Uncategorized, z Linux | Leave a comment

Port Forwarding with xinetd

In some network environments, where for example administration lans or some private lans are deployed, it might still be necessary to access a specific port of a machine inside that lan from the outside. Commonly, you would have to access a jump host and from there you would be able to reach the respective machine.

In our case, we had to reach the management port of a switch in a private lan. For example:

  • the private has the IP address range
  • the switch is configured with and its management port is 80
  • the jump host with access to both networks has the external address

To access the switch directly at address with port 81, you can configure xinetd on the jump host with the following configuration:

# cat /etc/xinetd.d/http-switch
service http-switch
 disable = no
 type = UNLISTED
 socket_type = stream
 protocol = tcp
 wait = no
 redirect = 80
 bind =
 port = 81
 user = nobody

After reloading (or starting if not yet done so) xinetd, you can reach the switch by pointing your browser to

chkconfig xinetd on
rcxinetd restart

The same principle can also be used when forwarding e.g. ssh ports of machines.

Posted in Networking, openSUSE, xinetd | Leave a comment

libvirt: chardev: opening backend “pty” failed: Permission denied

Recently I found myself in front of a strange problem that prevented me from creating new virtual machines with libvirt on KVM. Everytime I tried to create a virtual machine, I got a message similar to this:

Error: internal error Process exited while reading console log output: chardev: opening backend "pty" failed: Permission denied

Interestingly, directly after a reboot of the host, the same guest configuration would simply work. I did some searches in the internet and found, that there only view other people had this same problem, but I could not find a solution.

After tracing libvirtd and pestering some of my colleagues, I found that it actually could not access /dev/pts correctly. It turned out, that some change root environment also mounted /dev/pts although not with the right mount parameters. This had the effect, that the original /dev/pts also was remounted with the wrong mounting parameters.

So, to solve this issue, you need to

  1. find who is mounting /dev/pts in a wrong way and correct it
  2. remount /dev/pts correctly

The remount can be done with the following command:

mount -n -t devpts -o remount,mode=0620,gid=5 devpts /dev/pts

After this, libvirtd will be able again to access the device and work as desired.

Posted in KVM, libvirt | Tagged | Leave a comment

Persistent IUCV Network Devices

On mainframes, Inter User Communication Vehicle provides a means to exchange data between two guests in z/VM. Some time ago, this has been one of the preferred networking methods between two Users (virtual machines) on z/VM. From a linux perspective, IUCV is not a supported networking method anymore, although it actually still works quite nicely.

Setup as a pointopoint connection, IUCV needs a special machine that is run as a pointopoint partner and routes to the rest of the network if needed. With linux, it is quite easy to setup IUCV interfaces. The problems arise when you have more than one IUCV interface and must make sure that the IP configuration in /etc/sysconfig/network/ifcfg-iucv* is setup for the correct User.

In SLES11 and later, the hardware configuration of IUCV interfaces is done with udev rules. For each available connection, there is an extra file with a ruleset below /etc/udev/rules.d. By default, such a rules file looks like this:

# cat /etc/udev/rules.d/51-iucv-LINUX001.rules
ACTION=="add", SUBSYSTEM=="subsystem", KERNEL=="iucv", RUN+="/sbin/modprobe netiucv"
ACTION=="add", SUBSYSTEM=="drivers", KERNEL=="netiucv", ATTR{connection}="LINUX001"

The issue is, that during network device setup, all of the devices are simply setup as they are found. This is unfortunately not persistent and commonly results in connecting a User (virtual machine) with the IP address of a completely different machine. In the end, networking is simply broken.

For example, if you look at the  netiucv0 user, the following is found:

# cat /sys/devices/iucv/netiucv0/user

However the actual device is configured in /etc/sysconfig/network/ifcfg-iucv36. To solve this, a special iucv device below the netiucv device must be configured. This is a task for udev. The above udev rule needs an extra line at the end:

ACTION=="add", SUBSYSTEM=="subsystem", KERNEL=="iucv", RUN+="/sbin/modprobe netiucv"
ACTION=="add", SUBSYSTEM=="drivers", KERNEL=="netiucv", ATTR{connection}="LINUX001"
ACTION=="add", SUBSYSTEM=="net", KERNEL=="iucv*", SUBSYSTEMS=="iucv", ATTRS{user}=="LINUX001", NAME="iucv36"

After this, the netiucv0/user is still LINUX001. In this case, an extra iucv36 is configured like this:

# cat /sys/devices/iucv/netiucv0/net/iucv36/device/user

and now, the iucv36 device, like it is found in /proc/net/dev is the one that is configured with ifcfg-iucv36, really uses LINUX001 as pointopoint partner. For the sake of completeness, here is the configuration as it is found in /etc/sysconfig/network/:

# cat ifcfg-iucv36

Note, that it is possible to use the same IPADDR for all of the configured IUCV interfaces. Only the pointopoint partners that are configured with REMOTE_IPADDR must have their own unique addresses.

When configuring the partner User, IPADDR and REMOTE_IPADDR are swapped of course.

Posted in Mainframe, Networking, udev, z Linux | Tagged , , | Leave a comment