AIX 7.2 OpenSSH is now HW GZIP Enabled!

Chris Gibson, cgibson@au1.ibm.com , July 12th 2021

 

The latest version of OpenSSH for AIX 7.2 now supports POWER9 HW GZIP! The requirements for this new capability are as follows :

 

- Processor mode: Power9 (instead of Power9_Base)*

- AIX Level: 7.2 TL 4 and above*

- zlibNX: 7.2.4.0 NX accelerated zlib compression library*

- OpenSSH version: 8.1.102.2102 and above*

- OpenSSL version: 1.0.2.2100 and above *

- ssh commands (like ssh, scp etc) should be run with -C option (compression enabled)

 

*NOTE: It is recommended to have this configuration on both the OpenSSH client and server LPARs for optimal performance.

 

The required OpenSSH packages are available from the AIX Web Download Pack site. https://www-01.ibm.com/marketing/iwm/iwm/web/pickUrxNew.do?source=aixbp&S_PKG=openssh

 

Graphical user interface, application

Description automatically generated

 

From the OpenSSH 8.1.102.2102 README:

 

Text

Description automatically generated

 

For details on downloading and installing the zlibNX library, please refer to the following blog post:

http://gibsonnet.net/blog/cgaix/html/AIX72_XIVE_XGZIP_and_POWER9.html

 

I tested this new capability in my lab today. First I ensured that my LPAR was running in "POWER9" mode and not in "default" or "POWER9_base" mode. Unfortunately there's no way to tell what the "real" Processor compatibility mode is from the AIX OS. So, lsconf may report that your LPAR is running in "POWER 9" mode but this doesn't mean it is running in "POWER9" native mode.

 

root@cgaix /cg # lsconf | grep POWER

Processor Type: PowerPC_POWER9

Processor Implementation Mode: POWER 9

 

More recent levels of AIX 7.2 introduced a new command called nxstat. You can use this tool to display "usage statistics of on-chip hardware accelerators that can implement GZIP functions". It can also verify if the HW GZIP accelerator is configured and available in the LPAR (see below). It is also possible to determine if the NX accelerator is available to the LPAR using the kdb command (please refer to the following blog post for details on using kdb to make this determination http://gibsonnet.net/blog/cgaix/html/AIX72_XIVE_XGZIP_and_POWER9.html).

 

; LPAR is running in POWER9 mode.

 

root@cgaix / # nxstat -S

nx_accel_mask = FFFFFFFFFFFFFFFF

 

GZIP accelerator available  

 

; LPAR is not running in POWER9 mode but POWER9_base mode.

 

# nxstat -S

nx_accel_mask = 0

 

 ** No accelerators available **

 ** Accelerators are not available for partitions in POWER9_base mode

 

You can confirm the processor mode from the HMC CLI or UI (as shown below).

 

hscroot@p9-hmc:~> lssyscfg -r lpar -m "myp9system" -F curr_lpar_proc_compat_mode --filter lpar_names=cgaix

POWER9

 

Graphical user interface

Description automatically generated with medium confidence

 

Graphical user interface, text, application, email

Description automatically generated

 

My LPAR was running AIX 7.2 TL5 SP2 and the zlibNX.rte fileset was installed.

 

root@cgaix / # oslevel -s

7200-05-02-2114

 

root@cgaix / # lslpp -l zlibNX.rte

  Fileset                      Level  State      Description

  ----------------------------------------------------------------------------

Path: /usr/lib/objrepos

  zlibNX.rte                 7.2.4.0  COMMITTED  NX accelerated zlib

                                                 compression library

 

OpenSSH 8.1.102.2102 and OpenSSL 1.0.2.2101 were installed in my LPAR.

 

root@cgaix / # lslpp -l | grep -i openssh

  openssh.base.client   8.1.102.2102  COMMITTED  Open Secure Shell Commands

  openssh.base.server   8.1.102.2102  COMMITTED  Open Secure Shell Server

  openssh.license       8.1.102.2102  COMMITTED  Open Secure Shell License

  openssh.man.en_US     8.1.102.2102  COMMITTED  Open Secure Shell

  openssh.base.client   8.1.102.2102  COMMITTED  Open Secure Shell Commands

  openssh.base.server   8.1.102.2102  COMMITTED  Open Secure Shell Server

 

root@cgaix / # lslpp -l | grep -i openssl

  openssl.base            1.0.2.2101  COMMITTED  Open Secure Socket Layer

  openssl.license         1.0.2.2101  COMMITTED  Open Secure Socket License

  openssl.man.en_US       1.0.2.2101  COMMITTED  Open Secure Socket Layer

  openssl.base            1.0.2.2101  COMMITTED  Open Secure Socket Layer

 

root@cgaix / # ssh -V

OpenSSH_8.1p1, OpenSSL 1.0.2u  20 Dec 2019

 

root@cgaix / # openssl version

OpenSSL 1.0.2u  20 Dec 2019

 

For this simple test (to confirm the use of the NX accelerator by scp), I scp'ed a file from the localhost back to the localhost, over 127.0.0.1. In the debug output (below) you can observe that the libzNX library is called. The -C flag is used with the scp command to enable compression and initiate the use of the accelerator for offloading of this function. At the end of the debug output (below) there is some information about the data compression that took place.

 

root@cgaix /cg # scp -C -v myfile 127.0.0.1:/cg/myfile2

Executing: program /usr//bin/ssh host 127.0.0.1, user (unspecified), command scp -v -t /cg/myfile2

OpenSSH_8.1p1, OpenSSL 1.0.2u  20 Dec 2019

debug1: Reading configuration data /etc/ssh/ssh_config

debug1: oslevel : 7.2.0.0

 

 

debug1: using libzNX from /opt/freeware/ssh/libzNX_c.a(libz.so.1)

 

debug1: init_libz_ptrs success

debug1: Failed dlopen: /usr/krb5/lib/libkrb5.a(libkrb5.a.so): Could not load module /usr/krb5/lib/libkrb5.a(libkrb5.a.so).

System error: No such file or directory

 

debug1: Error loading Kerberos, disabling Kerberos auth.

debug1: Connecting to 127.0.0.1 [127.0.0.1] port 22.

debug1: Connection established.

debug1: identity file /.ssh/id_rsa type 0

debug1: identity file /.ssh/id_rsa-cert type -1

debug1: identity file /.ssh/id_dsa type -1

debug1: identity file /.ssh/id_dsa-cert type -1

debug1: identity file /.ssh/id_ecdsa type -1

debug1: identity file /.ssh/id_ecdsa-cert type -1

debug1: identity file /.ssh/id_ed25519 type -1

debug1: identity file /.ssh/id_ed25519-cert type -1

debug1: identity file /.ssh/id_xmss type -1

debug1: identity file /.ssh/id_xmss-cert type -1

debug1: Local version string SSH-2.0-OpenSSH_8.1

debug1: Remote protocol version 2.0, remote software version OpenSSH_8.1

debug1: match: OpenSSH_8.1 pat OpenSSH* compat 0x04000000

debug1: Authenticating to 127.0.0.1:22 as 'root'

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug1: kex: algorithm: curve25519-sha256

debug1: kex: host key algorithm: rsa-sha2-512

debug1: kex: server->client cipher: aes128-ctr MAC: umac-64-etm@openssh.com compression: zlib@openssh.com

debug1: kex: client->server cipher: aes128-ctr MAC: umac-64-etm@openssh.com compression: zlib@openssh.com

debug1: expecting SSH2_MSG_KEX_ECDH_REPLY

debug1: Server host key: ssh-rsa SHA256:lbE7PpHnLiEoZfThEScojzRuZ6VC+qcmYC5KzoT1dDI

debug1: Host '[127.0.0.1]:22' is known and matches the RSA host key.

debug1: Found key in /.ssh/known_hosts:6

debug1: rekey out after 4294967296 blocks

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug1: SSH2_MSG_NEWKEYS received

debug1: rekey in after 4294967296 blocks

debug1: Will attempt key: /.ssh/id_rsa RSA SHA256:ofSfF12bF23VvjxCFHBQynRvpd5vfUb8fOp4rQOEpc4

debug1: Will attempt key: /.ssh/id_dsa

debug1: Will attempt key: /.ssh/id_ecdsa

debug1: Will attempt key: /.ssh/id_ed25519

debug1: Will attempt key: /.ssh/id_xmss

debug1: SSH2_MSG_EXT_INFO received

debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>

debug1: SSH2_MSG_SERVICE_ACCEPT received

debug1: Authentications that can continue: publickey,password,keyboard-interactive

debug1: Next authentication method: publickey

debug1: Offering public key: /.ssh/id_rsa RSA SHA256:ofSfF12bF23VvjxCFHBQynRvpd5vfUb8fOp4rQOEpc4

debug1: Server accepts key: /.ssh/id_rsa RSA SHA256:ofSfF12bF23VvjxCFHBQynRvpd5vfUb8fOp4rQOEpc4

debug1: Sent ALLOW_PKCS12_KEYSTORE_CLIENT_FLAG packet

debug1: Enabling compression at level 6.

debug1: Authentication succeeded (publickey).

Authenticated to 127.0.0.1 ([127.0.0.1]:22).

debug1: channel 0: new [client-session]

debug1: Requesting no-more-sessions@openssh.com

debug1: Entering interactive session.

debug1: pledge: network

debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0

debug1: Remote: //.ssh/authorized_keys:4: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding

debug1: Remote: //.ssh/authorized_keys:4: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding

debug1: Sending command: scp -v -t /cg/myfile2

Sending file modes: C0644 1073741824 myfile

Sink: C0644 1073741824 myfile

myfile                                                                                                                                           100% 1024MB   9.8MB/s   01:44

debug1: client_input_channel_req: channel 0 rtype exit-status reply 0

debug1: channel 0: free: client-session, nchannels 1

debug1: fd 0 clearing O_NONBLOCK

Transferred: sent 12865288, received 634548 bytes, in 104.2 seconds

Bytes per second: sent 123425.8, received 6087.7

debug1: Exit status 0

debug1: compress outgoing: raw data 1074331840, compressed 11289424, factor 0.01

debug1: compress incoming: raw data 280074, compressed 133610, factor 0.48

root@cgaix /cg #

 

In another session, I ran the nxstat command to confirm that the NX accelerator was being exploited by scp to compress and copy the file. The “Bytes” and “Polls” columns contained non-zero values, confirming the use of the accelerator.

 

root@cgaix / # nxstat 1 10000

Accelerator GZIP:   Window Types:  2    Units:  1   Credits:    5

Type Cred   Opens          Bytes   Faults      Intrs         Polls         Waits

....

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       2      14.961 MB        0          0           481             1

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0     107.092 MB        0          0          3426             0

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0      82.023 MB        0          0          2624             0

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0      76.021 MB        0          0          2432             0

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0      80.022 MB        0          0          2559             1

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0      54.296 MB        0          0          1736             0

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0      83.742 MB        0          0          2680             0

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0      74.020 MB        0          0          2368             0

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0      78.021 MB        0          0          2495             1

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0      80.022 MB        0          0          2560             0

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0      80.022 MB        0          0          2559             1

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0      80.022 MB        0          0          2559             1

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0      78.021 MB        0          0          2493             3

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0      78.021 MB        0          0          2496             0

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0      83.335 MB        0          0          2664             2

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0      78.709 MB        0          0          2518             0

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0      78.021 MB        0          0          2496             0

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0      76.021 MB        0          0          2432             0

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0      81.210 MB        0          0          2598             0

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0      79.959 MB        0          0          2556             2

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0      78.897 MB        0          0          2522             2

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0      78.021 MB        0          0          2496             0

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0      82.023 MB        0          0          2624             0

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0      78.021 MB        0          0          2495             1

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0      78.021 MB        0          0          2496             0

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0      79.147 MB        0          0          2532             0

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0      78.897 MB        0          0          2523             1

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0      80.022 MB        0          0          2560             0

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0      82.023 MB        0          0          2624             0

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0      78.021 MB        0          0          2495             1

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0      79.834 MB        0          0          2553             1

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0      80.772 MB        0          0          2584             0

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0      73.458 MB        0          0          2350             0

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0      60.016 MB        0          0          1919             1

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0      76.021 MB        0          0          2431             1

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0      80.022 MB        0          0          2560             0

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0      72.020 MB        0          0          2302             2

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0      78.021 MB        0          0          2496             0

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0      80.022 MB        0          0          2560             0

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0      78.021 MB        0          0          2495             1

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0      82.023 MB        0          0          2623             1

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0      80.022 MB        0          0          2560             0

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0      78.021 MB        0          0          2496             0

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0      78.021 MB        0          0          2496             0

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0      76.021 MB        0          0          2431             1

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0      78.021 MB        0          0          2495             1

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0      82.023 MB        0          0          2624             0

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0      78.021 MB        0          0          2495             1

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0      80.022 MB        0          0          2557             3

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0      80.022 MB        0          0          2560             0

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0      82.023 MB        0          0          2624             0

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0      76.021 MB        0          0          2432             0

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0      71.895 MB        0          0          2300             0

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0       0.000  B        0          0             0             0

 ALL    5       0       0.000  B        0          0             0             0

root@cgaix /cg #

 

Obviously this test was not a performance measurement test. If you wanted to perform such a test, you would need to compare the same operation with

any older OpenSSH level (say 8.1.102.2101 or anything lower).

 

NOTE: It is possible that, due to a minor defect in 8.1.102.2102, that OpenSSH will (by default) pick up the libzNX library irrespective of -C option. This will be addressed in the next fileset release.

 

Other resources worth reading:

 

The benefits of AIX 7.2, XIVE, XGZIP and POWER9 systems

http://gibsonnet.net/blog/cgaix/html/AIX72_XIVE_XGZIP_and_POWER9.html

 

Power9 GZIP Data Acceleration with IBM AIX

https://community.ibm.com/community/user/power/blogs/brian-veale1/2020/11/09/power9-gzip-data-acceleration-with-ibm-aix?CommunityKey=daa942cb-b783-4fd3-ba27-a2d7462f9530

 

nxstat command

https://www.ibm.com/docs/en/aix/7.2?topic=n-nxstat-command

 

Using the POWER9™ NX (gzip) accelerator in AIX

https://www.ibm.com/support/pages/using-power9%E2%84%A2-nx-gzip-accelerator-aix

 

Performance improvement in AIX OpenSSH with on-chip data compression accelerator in POWER9

https://community.ibm.com/community/user/power/blogs/swetha-narayana/2021/07/27/performance-improvement-in-openssh-with-on-chip-da