Summary of PowerVC Standard Edition security fixes published March 12, 2015

A number of security exposures and corresponding fixes were published March 12, 2015 for PowerVC Standard Edition.

For your convenience, here is a list of the issues and links to related information.

    • IBM PowerVC Could Allow a Local Attacker to Read a Valid Access Token (CVE-2015-0136): IBM PowerVC could allow a local attacker to read a valid access token. The powervc-iso-import command internally calls another command to which it passes a valid access token as a command line argument. This token may be seen in the process table. Only PowerVC Express installations managing IVM and PowerVC Standard installations managing PowerKVM are affected.
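The exposure class behind CVE-2015-0136 is a secret handed to a child process in its argument vector. The following is an added example, not code from PowerVC or from the original post: on Linux it starts a stand-in child both ways and checks what `/proc/<pid>/cmdline` shows. The token value, the `--token` flag name and the child script are constructed for illustration.

```python
import subprocess
import sys

# Constructed sample value for illustration; not a real PowerVC token.
SAMPLE_TOKEN = "EXAMPLE-TOKEN-0123456789abcdef"

# Hypothetical stand-in for the internal helper command. It blocks on one
# line of stdin, which keeps it alive long enough to be inspected and also
# serves as the channel for the hardened hand-off.
CHILD_CODE = "import sys; sys.stdin.readline()"


def read_cmdline(pid):
    """Return a process's argv as exposed in the Linux process table.

    /proc/<pid>/cmdline is readable by every local user unless /proc is
    mounted with the hidepid option, so arguments are not private.
    """
    with open(f"/proc/{pid}/cmdline", "rb") as fh:
        raw = fh.read()
    return [part.decode("utf-8", "replace") for part in raw.split(b"\0") if part]


def run_helper(token, via_argv):
    """Start the helper, snapshot its argv, then let it finish.

    via_argv=True  -> weak pattern: token passed as a command-line argument
    via_argv=False -> hardened pattern: token written to the child's stdin
    Returns the argv list an observer of the process table would have seen.
    """
    args = [sys.executable, "-c", CHILD_CODE]
    if via_argv:
        args += ["--token", token]  # hypothetical flag name
    proc = subprocess.Popen(args, stdin=subprocess.PIPE)
    try:
        observed = read_cmdline(proc.pid)
    finally:
        # Release the child: an empty line for the weak variant, the token
        # itself (over the private pipe) for the hardened variant.
        payload = b"\n" if via_argv else (token + "\n").encode()
        proc.communicate(input=payload, timeout=10)
    return observed


def token_exposed(token, via_argv):
    """True if the token appeared in the child's process-table entry."""
    return any(token in arg for arg in run_helper(token, via_argv))


if __name__ == "__main__":
    for mode in (True, False):
        label = "argv " if mode else "stdin"
        print(label, "token visible in process table:",
              token_exposed(SAMPLE_TOKEN, mode))
```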

The best way to stay informed of important PowerVC fixes is to subscribe via IBM My Notifications.

Posted in AIX & Power Systems Blogroll, Cloud

What’s ahead for PowerVC in 2015


As we move into 2015, we are once again planning on two major releases of PowerVC. This will allow us to quickly respond to new customer requirements and take advantage of the capabilities in the OpenStack releases “Kilo” and “M”.

Some of the enhancements we are considering for PowerVC in 2015 include:

  • Additional storage device support (dependent on community contributions by storage vendors)
  • Multi-disk image capture and deploy
  • Enhanced storage management such as resizing volumes, volume sharing and mirroring
  • Increasing management scalability
  • Improved scheduling including VM affinity/anti-affinity, CPU and memory capacity consideration
  • Networking enhancements
  • Support for multiple shared processor pools
  • Physical host groups to allow segregation of workloads to specific servers
  • Redundant HMC support
  • Dynamic resource rebalancing
  • Exploitation of Power Systems Capacity on Demand
  • Remote restart of Virtual Machines
  • Security and logging enhancements
  • Additional client OS support
  • Customer requested features
  • Exploitation of new PowerVM, PowerKVM and Power Systems hardware capabilities

As always, these plans reflect goals and intentions and are subject to change, but I think you can see that we have a lot of good stuff coming in PowerVC in 2015.

Posted in AIX & Power Systems Blogroll, Cloud

PowerVC Standard Edition Version 1.2.2


PowerVC Standard Edition Version 1.2.2 is a significant update that greatly expands storage support, including Cisco SAN, IBM XIV and EMC storage devices. PowerVC 1.2.2 is based on the Juno release of OpenStack, and its planned general availability date is December 12, 2014.

New storage support for PowerVM based systems

  • Cisco SAN fabric
  • IBM XIV storage devices
  • EMC VMAX storage devices
  • EMC VNX storage devices
  • EMC PowerPath client support
  • Classic vSCSI (SAN volume backed only, no local disks)

Limited support for storage devices and SAN fabrics has been one of the most significant issues blocking widespread adoption of PowerVC. The PowerVC engineering team worked with IBM storage teams to deliver new support for XIV storage and classic (Non-Shared Storage Pools) vSCSI devices. The PowerVC team worked with the OpenStack community to integrate block storage Cinder drivers for Cisco SAN fabric and two classes of EMC storage devices.

The PowerVC engineering team intends to continue working with the community to integrate support for additional storage devices over time, but we believe that the new storage devices supported in this release will address many of our clients’ storage requirements.

Restrictions and Considerations for new storage support

As in all discussions of resource support, there are conditions and restrictions that you should be aware of for the new storage devices supported. PowerVC relies on the storage vendor provided OpenStack Cinder drivers. The vendor controls the overall requirements and restrictions for the drivers they contribute to OpenStack.

Cisco SAN fabric

We tested with Cisco NX-OS 6.2

IBM XIV storage devices

Only XIV Gen3 devices are supported

vSCSI Classic

As already noted above, PowerVC only supports SAN backed disks (no local disks or LVM backed vSCSI devices). For vSCSI, the client must do the SAN zoning manually. PowerVC will allocate and manage the SAN LUNs automatically.


This support requires the use of an SMI-S provider which currently is only available on X86 platforms (See EMC web for full details). The PowerVC management server must have network connectivity to the server running the EMC SMI-S Solution Enabler server.


This support requires that the EMC Navisphere CLI be installed on the PowerVC management server. Since the Navisphere CLI is only available on X86 platform systems, the PowerVC management server must be installed on an X86 system.

EMC PowerPath

The initial release of PowerVC Standard Edition V1.2.2 will support the use of EMC PowerPath in the managed client VM/LPARs. PowerVC V1.2.2 does not currently support the use of PowerPath in the VIOS.

Enhanced storage support for PowerVM based systems

  • Export/Import virtual machine images between storage devices
  • Multiple I/O Group support for SAN Volume Controller (SVC)

PowerVC 1.2.2 also eliminates two previous storage limitations. First, you can now move captured VM images between storage devices (import/export). For example, you could capture a VM image on a V7000 and import it into an XIV storage device. Second, clients now can use multiple I/O groups when using SVC or V7000 storage.

New managed clients (PowerVM)

  • IBM i (Requires IBM i 7.1 TR7 or 7.2)
  • RHEL 7 (Included in PowerVC 1.2.1 Fixpack 2)

PowerVC can manage IBM i clients on PowerVM based systems. Support for RHEL 7 as a “manage to” client was previously added in Fixpack 2 in August 2014. One additional clarification for AIX managed client support: PowerVC supports all levels of AIX 6 and AIX 7 regardless of the AIX Technology Level.

New managed clients (PowerKVM)

  • SLES 12 (little endian)
  • Ubuntu V14 (little endian)

PowerVC supports management of new, little endian Linux distributions. This support is only available on Linux-only, POWER8 processor-based systems that use the PowerKVM hypervisor.

While the new storage and clients support are the most interesting features of PowerVC V1.2.2 for many clients, there are also some interesting functional enhancements.

Functional enhancements

  • One-Click System Evacuation (aka Maintenance Mode)
  • Add/Remove Virtual network interface (VNIC) after the initial VM deployment
  • IP address pools
  • Expanded auditing
  • Third party supported OpenStack Drivers (Included in PowerVC 1.2.1 Fixpack 2)

The One-Click System Evacuation feature (also known as maintenance mode), allows an administrator to prepare for a planned outage by automatically relocating all virtual machines off of a physical server using a user specified placement policy. Alternatively, the administrator can put the physical server into maintenance mode to prevent the creation of new VMs on that physical server.

The add/remove VNIC capability allows an administrator to add or remove network connections after deploying a virtual machine. Administrators sometimes must change the network configuration for virtual machines after they are deployed, and this capability keeps PowerVC “in sync” with those changes.

The IP Pools feature allows the administrator to have PowerVC automatically assign the IP address for a new VM from a pool of eligible IP addresses as an alternative to specifying an individual IP address or relying on DHCP. This capability also allows administrators to reserve IP addresses within the pool to prevent PowerVC from using reserved addresses.

Auditing is now available for almost every PowerVC service including compute, network, storage, image, verification, and metering. (Keystone, the OpenStack identity service, does not yet support auditing). You can use auditing to identify which administrator took a particular action. See the powervc-audit command for more information.

Finally, as of PowerVC 1.2.1 Fixpack 2, administrators can register and use third-party supported OpenStack drivers for block storage that have not yet been tested or integrated by the PowerVC engineering team. Block storage support in OpenStack (aka Cinder) has been rapidly evolving; this capability makes it easier for clients who may wish to test new Cinder drivers. When using this capability, the OpenStack community provides all support for the drivers, not IBM.

As you can see, PowerVC Version 1.2.2 will address many clients’ requirements for additional storage support, especially for Cisco SAN fabrics. We expect this release of PowerVC to allow many clients to start building Power Systems based clouds.

Full details in announcement letter at


Posted in AIX & Power Systems Blogroll, Cloud

A How-To Guide to Cashless Transactions for Scout Units

The United States is rapidly becoming a cashless society with less than 30% of sales transactions involving cash. Your Scout unit can leverage smartphones and free card readers to accept credit and debit card payments.

Portable Card Readers Enable Cashless Fundraising

For years, the only way to accept credit or debit card payments required a rented credit card machine with a contractual commitment and hefty transaction fees. Recently, new transaction processing services have become available that avoid the expense and commitment of commercial transaction readers by leveraging the ubiquitous smartphones that many people carry.

These new services require no setup fees or commitment and allow almost anyone to accept credit or debit cards for a nominal percentage of the transaction. These services also allow you to manage cash and check payments. All of these services provide a free card reader that plugs into the headphone jack on your smartphone and apps for iOS or Android.

Several companies provide these services:

  • Square was the first of these services. Square charges 2.75% of each transaction
  • Paypal Here charges 2.7% of each transaction and also allows you to accept Mobile PayPal
  • Intuit GoPayment charges 2.75% per transaction but also has subscription plans that allow you to pay a monthly fee of $12.95 to get a lower rate of 1.75% per transaction. It also integrates with Intuit QuickBooks.

This is only a partial list. There are a number of other vendors jumping into this area so you might want to look around for the best deal. Payment plans and rates are subject to change, so be sure and check the vendor web site for the latest rates and plans.

Do not let the transaction percentage scare you off. Using any of these services is going to cost you a small percent of the sales, but the point of using these services is to make sales that you would otherwise lose.

For example, one of my Troop’s major fundraising events is Christmas tree sales. Traditionally we only accepted cash or checks, but we started using Square on an exception basis in 2012. That first year, about one third of our sales were made using Square—sales that we might have lost if we could not accept credit cards. In 2013, about 70% of our sales were through Square.

How Do Cashless Transactions Work?

Since my Scout Troop uses Square, my experience is with that particular service. I would expect that using one of the other providers would be similar.

  • During a transaction, the seller would plug the Square Reader into the smartphone headphone plug and start up the Square Register app.
  • You enter the transaction amount and then swipe the customer’s credit card using the reader.
  • The customer then signs the screen using their finger.
  • If the customer wants a receipt, you can have them enter their email address.
  • In about 24 hours, the money, minus the transaction fee, is deposited to your bank account.

Getting Started with Square

There are only a few setup steps needed to accept payments via Square but it does take a few business days to get everything done. Do not wait until the last minute!

What you will need:

  1. An email address (for Square transactions and notices).
    • I used an account with automatic forwarding so that all Square emails are sent to me and to our unit finance chair. By default, Square will send an email for each transaction.
  2. A check from the Scout unit checking account for bank routing and account number information
    • I strongly recommend that you do not use your personal checking account
  3. A smartphone (iPhone, Android or iPad) with a data plan
    • See Square’s web site for supported devices
  4. Time to receive the Square reader in the mail and to validate the bank account
    • It took about four business days for the bank account to get validated and for deposits to start showing up
    • Square says that it should take about 7-10 days to receive the free Square reader from them. You can also purchase a Square reader from Target and other stores for $10 if you cannot wait.

Setting Up Your Square Account

  1. Go to and click on “Get Started”
  2. Enter the email information and choose a non-trivial password
  3. Press “Create Account”
  4. Enter the address where you want your free Square Card Reader to ship to. Click “Continue”
  5. Select your business type from the drop-down list. Enter your business and personal information. I chose the name “BSA Troop 413 Austin” because that is what will show up on the receipt. I also uploaded a logo with the Troop information on it. Click “Continue.”
  6. You will answer a few questions to verify your identity. When completed, click “Finish.”
  7. Now you will link your bank account to your Square account. Click “Add Account”




Square will make a series of small deposits and matched withdrawals to confirm that the new account is valid. This may take several business days.

  8. Confirm your mailing address to ensure your Square card reader arrives at the correct location. Click “Send my Reader.”
  9. After you have completed the basic registration, you can add a list of items to make it easy to perform the transactions. Click on “Items” at the top of the Square profile to add common transaction items.

For example, I set up a number of “Christmas Tree” items at several common price points.


Square provides the capability to process refunds. As an extra security measure, I set up the account to require a PIN to process refunds.

  10. Click on “Employees” to set the PIN and select which tasks require a PIN.


A special note about tax reporting.

Square automatically files an IRS Form 1099-K for all businesses that have more than $20,000 in gross sales and more than 200 transactions in a calendar year. Non-profit organizations are included. If you anticipate total sales of this level, you should ensure that your Square account includes your Employer Identification Number (EIN).

  11. To enter your Tax EIN and other related info, go to


  12. Download the “Square Register” App for your phone.

Now all you have to do is wait for your free Square reader to arrive in the mail.

Using Square

  1. Plug the Square Reader into your headphone jack on your smartphone and start the “Register” app.
  2. Log into the app using the email address and password you used for your Square account in Step 2 above.
  3. You can now enter an amount for the transaction and a note.

If you set up Items in Step 9 above, you can press the center icon on the screen to bring up the Item list (right, below). If you have multiple price points for an item, a secondary list will be shown (left).


  4. Click on an item to select it (or just enter the amount if you are not using pre-built Items)

In this example, I clicked on the “$100 Christmas Tree” item.

Note that the number of items is “1” and that the total is “$100”. The list of items stays up so you could add more items.


  5. Click on the “Charge $100” on the screen.
  6. The Register app will now give a choice of how to pay. Click on the Credit Card icon


  7. You should now be able to swipe credit or debit cards using the Square Reader.

Some people have more luck laying the phone flat when they swipe the card.

  8. Then the client signs with their finger.


  9. If the customer wants a receipt to be mailed or texted to them, you can do that next.

If not, you are done!

More than Just For Popcorn and Christmas Trees

These transaction-processing services have obvious uses during fundraising activities, but the fact that you can take payment from a credit card can also help parents pay for expensive items like Summer Camp or High Adventure trips. Instead of parents making multiple payments to the unit for these trips, the unit could swipe their credit card for the total amount, simplifying unit bookkeeping.

You could also consider using these services as a way to collect for Friends of Scouting by collecting contributions during the FOS presentation and later cutting a check for the total amount to the Council.

Square also provides reports on your sales that can help you target particular times or days where you expect the best sales.


Square and similar services allow Scout units to take advantage of the consumer trend away from cash payments. Not only is it more convenient for customers, but it also shows that Scouts are able to leverage the most recent technology.

Jay Kruemcke
BSA Troop 413 / Armadillo District / Capitol Area Council
April 2014


Posted in Scouting

PowerVC V1.2.1 adds support for POWER8, PowerVM Shared Storage Pools and the PowerKVM hypervisor

PowerVC version 1.2.1, announced today, includes significant enhancements for current and new clients.

The enhancements include:

  • Support for PowerVM Shared Storage Pools (SSP)
  • Support for POWER8 processor-based systems
  • PowerVC has now been translated and localized for multiple languages including simplified and traditional Chinese, French, German, Italian, Russian, Spanish, Japanese, Korean, Portuguese (Brazil)
  • Support to manage PowerKVM virtualized environments including support for:
    • PowerKVM hypervisor
    • Local storage, iSCSI data volumes, NFS
    • VM relocation, packing and striping scheduler policies
    • Image Import/Export
    • Open vswitch network virtualization support
  • Support for the CloudInit activation engine for Linux clients
  • PowerVC 1.2.1 is based on the Icehouse release of OpenStack

Support for Shared Storage Pools is one of the key enhancements for our existing clients. As many of you know, the availability of OpenStack drivers for fiber channel storage devices has been one of the key challenges. Shared Storage Pools provides an alternative support path for storage devices not currently supported by OpenStack and PowerVC.

IBM also announced today that it is introducing the KVM hypervisor for Power Systems. PowerVC 1.2.1 will include the capability to manage PowerKVM based systems such as the POWER8 processor-based S812L and S822L Linux only scale out systems. PowerKVM is intended to enable exploitation of Power Systems hardware capabilities while leveraging the Open Source community and Linux virtualization administration skills.

PowerVC 1.2.1 also introduces the CloudInit activation engine (currently only for Linux clients). CloudInit is an emerging Open Source project focused on the initial configuration of the virtual machine after deployment. The Virtual System Activation Engine will remain the default, but clients using PowerVC to deploy Linux can start leveraging CloudInit.

The management platform for PowerVC 1.2.1 is supported on RHEL 6.4 and 6.5 on Power or X86 hardware.

PowerVC 1.2.1 planned availability date is June 10, 2014.

Full details are in the announcement letter at

Posted in AIX & Power Systems Blogroll, Cloud

Do You Have A High Functioning Information Technology Organization?

One of the benefits of my job is that I get to meet with lots of people in Information Technology (IT). Recently I met with a client who told me that his IT organization was “high functioning” and that got me to thinking:
“What does a high functioning IT organization look like?”


All IT organizations need to balance three mandates:

  • Providing Business Value
  • Managing Cost
  • Mitigating Risk

The first mandate, Providing Business Value, is the most important. IT organizations that do not provide business value to the company will eventually become irrelevant: either the business will find another way to meet its IT needs or it will fail.

These three mandates are usually in conflict. For example, providing the absolute best high availability solution may be impractically expensive or may slow application performance to unacceptable levels. A high performing IT organization consistently focuses on providing business value while managing cost and risk.

Organizational Indicators of High Performance

When evaluating an IT organization, one of the biggest clues I look for is management silos. IT organizations that have a relatively flat structure and report to a single executive tend to be more efficient and flexible. These types of IT organizations also tend to make better technology decisions because they can pick the right technology for a particular task without the need to defend a particular technology turf. Clients who develop applications in-house can extend this flat structure to include application development as part of a DevOps implementation.

On the other hand, an IT organization that has multiple senior managers such as a VP of Operations, a VP of Storage, a VP of Mainframe, etc., usually produces an IT organization that has trouble working together. This inefficiency is the natural result of the friction caused by each team optimizing their operation for the benefit of that specific team and not for the overall business.

In extreme cases, I have seen IT organizations incapacitated because of management silos. For example, I met one team that waited six months for a single new IP address!

Providing Business Value

Information technology organizations provide business value by delivering the technology that supports the core functions of the business. IT should evaluate all policies, procedures and practices against the mandate to provide business value. IT organizations that prioritize providing business value above all other mandates will also usually end up being more efficient.

High functioning IT organizations can respond quickly to requests for new service, are responsive and accessible to end users, proactively plan for problems, and respond quickly when (ideally before) a problem impacts business operations. High functioning IT organizations exhibit ownership of the workloads they support and have strong relationships with their end clients.

Nobody sets out to provide poor business value but it happens anyway. Why? Usually it is because the IT organization is focused on something other than providing business value.

One of the big problems is that it can be difficult to measure how well IT is delivering business value. There are a number of academic approaches to quantifying the value of information technology to the business but those methods do require effort. The key is not to get into the downward spiral of evaluating IT investments only in terms of a single metric such as expense.

It is even harder to measure the impact of IT not providing a service or doing it poorly. I once did an analysis for a CIO that concluded that the business was wasting about 10% of its productivity on “shadow IT”. People in the business were spending a lot of time informally supporting each other or “living with” IT problems. The employees would do just about anything to avoid contacting their poorly performing IT help desk. That 10% was the equivalent of 100 people over a year.

Unfortunately, the expense of lost productivity did not appear on any accounting ledger but the expense to staff an effective help desk did. As a result, the IT organization chose to spend minimally on their help desk even though that decision cost the company much more in lost productivity than they saved in staff costs.

Managing Cost

Despite decades of talk about the strategic value of Information Technology, most IT organizations are still treated as cost centers. The pressure to minimize IT expense drives all aspects of IT from staffing, to capital equipment costs, to software selection.

Of course, the IT organization does not exist in a vacuum—IT gets “help” managing expense from the business financial organization. The successful IT organization can express the true costs of providing a service in business terms that their financial colleagues can understand.

An important aspect of managing IT expense today is the use of virtualization to consolidate workloads. Consolidation reduces costs by allowing you to use resources more effectively through increasing utilization. The mainframe people figured this out thirty years ago, but it still does not get the amount of attention it deserves.

By its nature, managing consolidated workloads is more complex than running a single workload or a small group of workloads on a server. Consolidation requires discipline in areas such as capacity planning that seem hard to justify when you can buy a small server for a few thousand dollars.

High functioning IT organizations look at the total expense for supporting a workload that includes capital, operational, energy, floor space and software expenses. When you add up all those things, a “cheap” server is often much more expensive than adding an incremental workload on a larger consolidated server.

Standardization is another important contributor to efficient and cost effective IT management. IT shops that have multiple levels of operating systems and application software will spend considerably more on operational management and will typically be less able to consolidate workloads. You must be careful not to sacrifice flexibility on the altar of standardization—no artisan has a tool bag filled only with hammers.

Managing Risk

Another important indicator of a high functioning IT organization is how they manage risk. Commonly recognized IT risks include maintaining availability, providing for disaster recovery, managing performance, and ensuring security.

High functioning IT organizations manage those risks and also plan for growth, manage technology lifecycles, provide skills development, cross train, maintain sufficient depth of skilled personnel, keep abreast of technology trends, and most importantly, maintain effective communications with their stakeholders so that they can understand the business drivers that affect IT requirements.

A high functioning IT organization is able to take action to manage an acceptable level of risk while providing business value and managing costs. Appropriate risk management should include things like regular updates to keep software current, change management processes that allow the IT organization to respond quickly to requests, and a guarded approach to exploiting new technology.

Avoid establishing risk avoidance policies in an immediate response to a problem. These types of policies may satisfy the need to “do something” but may result in inflexibility and even higher risk. For example, a client who experienced a problem after installing a software update may be reluctant to install subsequent updates, even though installing those updates would close known security vulnerabilities and avoid known problems.

IT organizations should periodically review their change management and other risk avoidance processes to ensure that the impact to providing business value caused by these policies is less than the impact of avoided risk. Excessive bureaucracy, particularly slow and inflexible change management processes, can paralyze an IT organization and make it impossible to support the requirements of the business.


A high functioning IT organization needs to do many things well to succeed, but a low functioning IT organization only needs to do a few things poorly to be ineffective.

The single key factor to being a high functioning IT organization is to focus on the value to the business. Evaluate how every action, policy and process provides value to the business. Limit activity that does not contribute to the success of the business. Make reasonable decisions concerning protection from risk and managing costs.

Posted in AIX & Power Systems Blogroll, Information Technology

Why OpenStack for PowerVC?

One of the big differences between PowerVC and other management solutions is the use of OpenStack as a foundation. Like many of you, I wondered why IBM chose OpenStack, so I asked someone who was intimately involved in that decision–Mike Williams, distinguished engineer for IBM Cloud Systems Software.

The overall goal for PowerVC was to provide robust management for clouds built on IBM Power Systems. Managing a cloud-computing infrastructure requires a different approach than managing a traditional IT infrastructure. IBM identified several key architectural requirements for this product:

  • The management software had to encompass servers, storage, and networking. The management silos of the past simply did not meet the needs of a cloud environment.
  • The management architecture needed to be flexible, reliable, and scalable. A management architecture based on a loosely coupled service-oriented architecture with well-defined interfaces fulfills this requirement well. The general concept was a kernel of core services surrounded by plug-in modules to provide management of specific resources. The management application also needed to scale both vertically and horizontally.
  • The architecture had to be adaptable to allow expansion to new resource types and new management operations without requiring changes to the underlying architecture.

OpenStack fits these requirements well. OpenStack has the concept of drivers to support different resources (plug-ability), a built in foundation of middleware (service-oriented architecture) and well defined APIs tying everything together. There is an extensive open source community around OpenStack and it has a well-established governance model, and design tenets based on a loosely coupled, resilient architecture that scales horizontally.

There was another pragmatic reason for IBM to use OpenStack as the base for PowerVC: by building on OpenStack, IBM was able to get PowerVC to the market much more quickly and spent more energy working on capabilities with higher client value rather than building infrastructure “plumbing”. 


It is important to note that PowerVC is a solution based on OpenStack; it is not OpenStack.

IBM built PowerVC based on the OpenStack architecture using OpenStack components, but IBM also provides enhancements and components that are not part of OpenStack, such as the management user interface and the Platform Enterprise Grid Optimizer (Platform EGO).

These extensions are designed to provide additional capability for our clients compared to the base capabilities provided by OpenStack. IBM contributes to the OpenStack community, but some of our enhancements will remain proprietary to IBM.

PowerVC is more than just OpenStack for Power. While other companies have delivered OpenStack offerings that are just big bags of technology, IBM built PowerVC on OpenStack technology to deliver a virtualization management solution for Power Systems.

As they say, “the proof is in the pudding.” By building PowerVC on OpenStack, IBM has been able to deliver two releases in one year. This would have been impossible building it from scratch.

Posted in AIX & Power Systems Blogroll, Cloud, Uncategorized