New Package Request: s390utils.base #1708

Open
madhu-pillai opened this issue Apr 16, 2024 · 10 comments

madhu-pillai commented Apr 16, 2024

What, if any, are the additional dependencies on the package? (i.e. does it pull in Python, Perl, etc)

root@localhost:~# rpm-ostree install --dry-run /usr/bin/zkey
Checking out tree 5d6cc70... done
Enabled rpm-md repositories: fedora-cisco-openh264 updates fedora updates-archive
Updating metadata for 'fedora-cisco-openh264'... done
Updating metadata for 'updates'... done
Updating metadata for 'fedora'... done
Updating metadata for 'updates-archive'... done
Importing rpm-md... done
rpm-md repo 'fedora-cisco-openh264'; generated: 2023-12-12T17:22:46Z solvables: 4
rpm-md repo 'updates'; generated: 2024-04-16T02:20:37Z solvables: 22313
rpm-md repo 'fedora'; generated: 2023-11-01T00:12:19Z solvables: 60561
rpm-md repo 'updates-archive'; generated: 2024-04-16T02:42:49Z solvables: 40079
Resolving dependencies... done
Installing 61 packages:
  groff-base-1.23.0-3.fc39.s390x (updates)
  perl-AutoLoader-5.74-502.fc39.noarch (updates)
  perl-B-1.88-502.fc39.s390x (updates)
  perl-Carp-1.54-500.fc39.noarch (fedora)
  perl-Class-Struct-0.68-502.fc39.noarch (updates)
  perl-Data-Dumper-2.188-501.fc39.s390x (fedora)
  perl-Digest-1.20-500.fc39.noarch (fedora)
  perl-Digest-MD5-2.58-500.fc39.s390x (fedora)
  perl-DynaLoader-1.54-502.fc39.s390x (updates)
  perl-Encode-4:3.19-500.fc39.s390x (fedora)
  perl-English-1.11-502.fc39.noarch (updates)
  perl-Errno-1.37-502.fc39.s390x (updates)
  perl-Exporter-5.77-500.fc39.noarch (fedora)
  perl-Fcntl-1.15-502.fc39.s390x (updates)
  perl-File-Basename-2.86-502.fc39.noarch (updates)
  perl-File-Path-2.18-500.fc39.noarch (fedora)
  perl-File-Temp-1:0.231.100-500.fc39.noarch (fedora)
  perl-File-stat-1.13-502.fc39.noarch (updates)
  perl-FileHandle-2.05-502.fc39.noarch (updates)
  perl-Getopt-Long-1:2.54-500.fc39.noarch (fedora)
  perl-Getopt-Std-1.13-502.fc39.noarch (updates)
  perl-HTTP-Tiny-0.088-3.fc39.noarch (fedora)
  perl-IO-1.52-502.fc39.s390x (updates)
  perl-IO-Socket-IP-0.42-1.fc39.noarch (fedora)
  perl-IO-Socket-SSL-2.083-3.fc39.noarch (fedora)
  perl-IPC-Open3-1.22-502.fc39.noarch (updates)
  perl-MIME-Base64-3.16-500.fc39.s390x (fedora)
  perl-Mozilla-CA-20230801-1.fc39.noarch (fedora)
  perl-NDBM_File-1.16-502.fc39.s390x (updates)
  perl-Net-SSLeay-1.92-10.fc39.s390x (fedora)
  perl-POSIX-2.13-502.fc39.s390x (updates)
  perl-PathTools-3.89-500.fc39.s390x (fedora)
  perl-Pod-Escapes-1:1.07-500.fc39.noarch (fedora)
  perl-Pod-Perldoc-3.28.01-501.fc39.noarch (fedora)
  perl-Pod-Simple-1:3.45-4.fc39.noarch (fedora)
  perl-Pod-Usage-4:2.03-500.fc39.noarch (fedora)
  perl-Scalar-List-Utils-5:1.63-500.fc39.s390x (fedora)
  perl-SelectSaver-1.02-502.fc39.noarch (updates)
  perl-Socket-4:2.037-3.fc39.s390x (fedora)
  perl-Storable-1:3.32-500.fc39.s390x (fedora)
  perl-Symbol-1.09-502.fc39.noarch (updates)
  perl-Term-ANSIColor-5.01-501.fc39.noarch (fedora)
  perl-Term-Cap-1.18-500.fc39.noarch (fedora)
  perl-Text-ParseWords-3.31-500.fc39.noarch (fedora)
  perl-Text-Tabs+Wrap-2023.0511-3.fc39.noarch (fedora)
  perl-Time-Local-2:1.350-3.fc39.noarch (fedora)
  perl-URI-5.21-1.fc39.noarch (fedora)
  perl-base-2.27-502.fc39.noarch (updates)
  perl-constant-1.33-501.fc39.noarch (fedora)
  perl-if-0.61.000-502.fc39.noarch (updates)
  perl-interpreter-4:5.38.2-502.fc39.s390x (updates)
  perl-libnet-3.15-501.fc39.noarch (fedora)
  perl-libs-4:5.38.2-502.fc39.s390x (updates)
  perl-locale-1.10-502.fc39.noarch (updates)
  perl-mro-1.28-502.fc39.s390x (updates)
  perl-overload-1.37-502.fc39.noarch (updates)
  perl-overloading-0.02-502.fc39.noarch (updates)
  perl-parent-1:0.241-500.fc39.noarch (fedora)
  perl-podlators-1:5.01-500.fc39.noarch (fedora)
  perl-vars-1.05-502.fc39.noarch (updates)
  s390utils-base-2:2.29.0-4.fc39.s390x (updates)
Exiting because of '--dry-run' option

What is the size of the package and its dependencies?

[root@localhost ~]# rpm -qi s390utils-base-2.29.0-3.el9.s390x
Name        : s390utils-base
Epoch       : 2
Version     : 2.29.0
Release     : 3.el9
Architecture: s390x
Install Date: Sat Apr 13 09:31:15 2024
Group       : Unspecified
Size        : 8974163
License     : MIT
Signature   : RSA/SHA256, Mon Feb  5 15:40:37 2024, Key ID 199e2f91fd431d51
Source RPM  : s390utils-2.29.0-3.el9.src.rpm
Build Date  : Wed Jan 31 10:15:01 2024
Build Host  : s390-058.build.eng.rdu2.redhat.com
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : https://github.com/ibm-s390-linux/s390-tools
Summary     : S390 base tools
Description :
s390 base tools. This collection provides the following utilities:
   * dasdfmt:
     Low-level format ECKD DASDs with the classical linux disk layout or the
     new z/OS compatible disk layout.

   * fdasd:
     Create or modify partitions on ECKD DASDs formatted with the z/OS
     compatible disk layout.

   * dasdview:
     Display DASD and VTOC information or dump the contents of a DASD to the
     console.

   * dasdinfo:
     Display unique DASD ID, either UID or volser.

   * udev rules:
     - 59-dasd.rules: rules for unique DASD device nodes created in /dev/disk/.

   * zipl:
     Make DASDs or tapes bootable for system IPL or system dump.

   * zgetdump:
     Retrieve system dumps from either tapes or DASDs.

   * qetharp:
     Read and flush the ARP cache on OSA Express network cards.

   * tape390_display:
     Display information on the message display facility of a zSeries tape
     device.

   * tape390_crypt:
     Control and query crypto settings for 3592 zSeries tape devices.

   * qethconf:
     bash shell script simplifying the usage of qeth IPA (IP address
     takeover), VIPA (Virtual IP address) and Proxy ARP.

   * dbginfo.sh:
     Shell script collecting useful information about the current system for
     debugging purposes.

   * zfcpdump:
     Dump tool to create system dumps on fibre channel attached SCSI disks.
     It is installed using the zipl command.

   * zfcpdump_v2:
     Version 2 of the zfcpdump tool. Now based on the upstream 2.6.26 Linux
     kernel.

   * ip_watcher:
     Provides HiperSockets Network Concentrator functionality.
     It looks for addresses in the HiperSockets and sets them as Proxy ARP
     on the OSA cards. It also adds routing entries for all IP addresses
     configured on active HiperSockets devices.
     Use start_hsnc.sh to start HiperSockets Network Concentrator.

   * tunedasd:
     Adjust tunable parameters on DASD devices.

   * vmcp:
     Allows Linux users to send commands to the z/VM control program (CP).
     The normal usage is to invoke vmcp with the command you want to
     execute. The response of z/VM is written to the standard output.

   * vmur:
     Allows to work with z/VM spool file queues (reader, punch, printer).

   * zfcpdbf:
     Display debug data of zfcp. zfcp provides traces via the s390 debug
     feature. Those traces are filtered with the zfcpdbf script, i.e. merge
     several traces, make it more readable etc.

   * scsi_logging_level:
     Create, get or set the logging level for the SCSI logging facility.

   * zconf:
     Set of scripts to configure and list status information of Linux for
     zSeries IO devices.
     - chccwdev:   Modify generic attributes of channel attached devices.
     - lscss:      List channel subsystem devices.
     - lsdasd:     List channel attached direct access storage devices (DASD).
     - lsqeth:     List all qeth-based network devices with their corresponding
                   settings.
     - lstape:     List tape devices, both channel and FCP attached.
     - lszfcp:     Shows information contained in sysfs about zfcp adapters,
                   ports and units that are online.
     - lschp:      List information about available channel-paths.
     - chchp:      Modify channel-path state.
     - lsluns:     List available SCSI LUNs depending on adapter or port.
     - lszcrypt:   Show Information about zcrypt devices and configuration.
     - chzcrypt:   Modify zcrypt configuration.
     - znetconf:   List and configure network devices for System z network
                   adapters.
     - cio_ignore: Query and modify the contents of the CIO device driver
                   blacklist.

   * dumpconf:
     Allows to configure the dump device used for system dump in case a kernel
     panic occurs. This tool can also be used as an init script for etc/init.d.
     Prerequisite for dumpconf is a Linux kernel with the "dump on panic"
     feature.

   * ipl_tools:
     Tools set to configure and list reipl and shutdown actions.
     - lsreipl: List information of reipl device.
     - chreipl: Change reipl device settings.
     - lsshut:  List actions which will be done in case of halt, poff, reboot
                or panic.
     - chshut:  Change actions which should be done in case of halt, poff,
                reboot or panic.

   * cpi:
    Allows to set the system and sysplex names from the Linux guest to
    the HMC/SE using the Control Program Identification feature.

   * genprotimg:
    Tool for the creation of PV images. The image consists of a concatenation of
    a plain text boot loader, the encrypted components for kernel, initrd, and
    cmdline, and the integrity-protected PV header, containing metadata necessary for
    running the guest in PV mode. Protected VMs (PVM) are KVM VMs, where KVM can't
    access the VM's state like guest memory and guest registers anymore.

For more information refer to the following publications:
   * "Device Drivers, Features, and Commands" chapter "Useful Linux commands"
   * "Using the dump tools"

What problem are you trying to solve with this package? Or what functionality does the package provide?

This package is required for configuring the IBM Crypto Express card during the kernel module load stage.

  1. To load the kernel driver for cex card zcrypt_cex4, pkey, paes_s390
  2. To generate the secure keys from the crypto controller
  3. To validate the LUKS device.

Can the software provided by the package be run from a container? Explain why or why not.

Yes, this package includes base components to configure a crypto card, along with IBM Z-specific crypto commands.

Can the tool(s) provided by the package be helpful in debugging container runtime issues?

Yes, specific to crypto controller attached containers.

Can the tool(s) provided by the package be helpful in debugging networking issues?

There is some functionality available, with ip_watcher providing the HiperSockets Network Concentrator.

Is it possible to layer the package onto the base OS as a day 2 operation? Explain why or why not.

In order to install the CEX kernel driver zcrypt_cex4, these packages are required in early boot. Otherwise, the CEX-configured Ignition fails to detect the card.

In the case of packages providing services and binaries, can the packaging be adjusted to just deliver binaries?

No. These are s390utils.base packages provided by IBM for certain base functionality on s390x.

Can the tool(s) provided by the package be used to do things we’d rather users not be able to do in FCOS?

Yes.

Does the software provided by the package have a history of CVEs?

No.

@dustymabe
Member

Pulling in the perl stack is pretty much an automatic disqualifier here for FCOS.

@dustymabe
Member

See also coreos/fedora-coreos-config#1831 where we dropped s390utils-base.

@jlebon
Member

jlebon commented Apr 16, 2024

The context for this is coreos/ignition#1820, which adds CEX support to Ignition. It needs more tools in the OS and the initramfs to do this. It looks like those tools are currently part of the catch-all base subpackage.

@madhu-pillai I think we'll need to try to get the ones you need broken out into a separate subpackage that we can then add. It seems like that's just zkey and zkey-cryptsetup, right?

/cc @sharkcz

@dustymabe
Member

further history of s390utils package requests:

@madhu-pillai
Author

Hi @jlebon,
Yes, for the LUKS encryption these are required.

@travier
Member

travier commented Sep 4, 2024

What's the status for this one? Can we split the required binaries into a sub-package and avoid the Perl dependency?

@travier
Member

travier commented Sep 4, 2024

@madhu-pillai can you reach out to the maintainer of that package and start a discussion to split those binaries into a subpackage?

@jbtrystram removed the meeting topics for meetings label Sep 4, 2024

@madhu-pillai
Author

Will do that.

@gursewak1997
Member

@madhu-pillai Any updates/summary on whether there were any discussions regarding the above with the maintainers?

@madhu-pillai
Author

> @madhu-pillai Any updates/summary on whether there were any discussions regarding the above with the maintainers?

@gursewak1997, I've added you to the email chain with the maintainer.

travier pushed a commit to madhu-pillai/butane that referenced this issue Nov 21, 2024
For fcos 1.6.0-exp & openshift 4.18.0-exp specs, expected to be based on
stable 3.5.0 spec.

See: coreos/ignition#1693
See: coreos/fedora-coreos-tracker#1708