AIX 7.2 OpenSSH is now HW GZIP Enabled!

Chris Gibson, cgibson@au1.ibm.com , July 12^th 2021

The latest version of OpenSSH for AIX 7.2 now supports POWER9 HW GZIP! The requirements for this new capability are as follows :

- Processor mode: Power9 (instead of Power9_Base)*

- AIX Level: 7.2 TL 4 and above*

- zlibNX: 7.2.4.0 NX accelerated zlib compression library*

- OpenSSH version: 8.1.102.2102 and above*

- OpenSSL version: 1.0.2.2100 and above *

- ssh commands (like ssh, scp etc) should be run with -C option (compression enabled)

*NOTE: It is recommended to have this configuration on both the OpenSSH client and server LPARs for optimal performance.

The required OpenSSH packages are available from the AIX Web Download Pack site. https://www-01.ibm.com/marketing/iwm/iwm/web/pickUrxNew.do?source=aixbp&S_PKG=openssh

Graphical user interface, application

Description automatically generated

From the OpenSSH 8.1.102.2102 README:

Text

Description automatically generated

For details on downloading and installing the zlibNX library, please refer to the following blog post:

http://gibsonnet.net/blog/cgaix/html/AIX72_XIVE_XGZIP_and_POWER9.html

I tested this new capability in my lab today. First I ensured that my LPAR was running in "POWER9" mode and not in "default" or "POWER9_base" mode. Unfortunately there's no way to tell what the "real" Processor compatibility mode is from the AIX OS. So, lsconf may report that your LPAR is running in "POWER 9" mode but this doesn't mean it is running in "POWER9" native mode.

root@cgaix /cg # lsconf | grep POWER

Processor Type: PowerPC_POWER9

Processor Implementation Mode: POWER 9

More recent levels of AIX 7.2 introduced a new command called nxstat. You can use this tool to display "usage statistics of on-chip hardware accelerators that can implement GZIP functions". It can also verify if the HW GZIP accelerator is configured and available in the LPAR (see below). It is also possible to determine if the NX accelerator is available to the LPAR using the kdb command (please refer to the following blog post for details on using kdb to make this determination http://gibsonnet.net/blog/cgaix/html/AIX72_XIVE_XGZIP_and_POWER9.html).

; LPAR is running in POWER9 mode.

root@cgaix / # nxstat -S

nx_accel_mask = FFFFFFFFFFFFFFFF

GZIP accelerator available

; LPAR is not running in POWER9 mode but POWER9_base mode.

# nxstat -S

nx_accel_mask = 0

** No accelerators available **

** Accelerators are not available for partitions in POWER9_base mode

You can confirm the processor mode from the HMC CLI or UI (as shown below).

hscroot@p9-hmc:~> lssyscfg -r lpar -m "myp9system" -F curr_lpar_proc_compat_mode --filter lpar_names=cgaix

POWER9

Graphical user interface

Description automatically generated with medium confidence

Graphical user interface, text, application, email

Description automatically generated

My LPAR was running AIX 7.2 TL5 SP2 and the zlibNX.rte fileset was installed.

root@cgaix / # oslevel -s

7200-05-02-2114

root@cgaix / # lslpp -l zlibNX.rte

Fileset Level State Description

----------------------------------------------------------------------------

Path: /usr/lib/objrepos

zlibNX.rte 7.2.4.0 COMMITTED NX accelerated zlib

compression library

OpenSSH 8.1.102.2102 and OpenSSL 1.0.2.2101 were installed in my LPAR.

root@cgaix / # lslpp -l | grep -i openssh

openssh.base.client 8.1.102.2102 COMMITTED Open Secure Shell Commands

openssh.base.server 8.1.102.2102 COMMITTED Open Secure Shell Server

openssh.license 8.1.102.2102 COMMITTED Open Secure Shell License

openssh.man.en_US 8.1.102.2102 COMMITTED Open Secure Shell

openssh.base.client 8.1.102.2102 COMMITTED Open Secure Shell Commands

openssh.base.server 8.1.102.2102 COMMITTED Open Secure Shell Server

root@cgaix / # lslpp -l | grep -i openssl

openssl.base 1.0.2.2101 COMMITTED Open Secure Socket Layer

openssl.license 1.0.2.2101 COMMITTED Open Secure Socket License

openssl.man.en_US 1.0.2.2101 COMMITTED Open Secure Socket Layer

openssl.base 1.0.2.2101 COMMITTED Open Secure Socket Layer

root@cgaix / # ssh -V

OpenSSH_8.1p1, OpenSSL 1.0.2u 20 Dec 2019

root@cgaix / # openssl version

OpenSSL 1.0.2u 20 Dec 2019

For this simple test (to confirm the use of the NX accelerator by scp), I scp'ed a file from the localhost back to the localhost, over 127.0.0.1. In the debug output (below) you can observe that the libzNX library is called. The -C flag is used with the scp command to enable compression and initiate the use of the accelerator for offloading of this function. At the end of the debug output (below) there is some information about the data compression that took place.

root@cgaix /cg # scp -C -v myfile 127.0.0.1:/cg/myfile2

Executing: program /usr//bin/ssh host 127.0.0.1, user (unspecified), command scp -v -t /cg/myfile2

OpenSSH_8.1p1, OpenSSL 1.0.2u 20 Dec 2019

debug1: Reading configuration data /etc/ssh/ssh_config

debug1: oslevel : 7.2.0.0

debug1: using libzNX from /opt/freeware/ssh/libzNX_c.a(libz.so.1)

debug1: init_libz_ptrs success

debug1: Failed dlopen: /usr/krb5/lib/libkrb5.a(libkrb5.a.so): Could not load module /usr/krb5/lib/libkrb5.a(libkrb5.a.so).

System error: No such file or directory

debug1: Error loading Kerberos, disabling Kerberos auth.

debug1: Connecting to 127.0.0.1 [127.0.0.1] port 22.

debug1: Connection established.

debug1: identity file /.ssh/id_rsa type 0

debug1: identity file /.ssh/id_rsa-cert type -1

debug1: identity file /.ssh/id_dsa type -1

debug1: identity file /.ssh/id_dsa-cert type -1

debug1: identity file /.ssh/id_ecdsa type -1

debug1: identity file /.ssh/id_ecdsa-cert type -1

debug1: identity file /.ssh/id_ed25519 type -1

debug1: identity file /.ssh/id_ed25519-cert type -1

debug1: identity file /.ssh/id_xmss type -1

debug1: identity file /.ssh/id_xmss-cert type -1

debug1: Local version string SSH-2.0-OpenSSH_8.1

debug1: Remote protocol version 2.0, remote software version OpenSSH_8.1

debug1: match: OpenSSH_8.1 pat OpenSSH* compat 0x04000000

debug1: Authenticating to 127.0.0.1:22 as 'root'

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug1: kex: algorithm: curve25519-sha256

debug1: kex: host key algorithm: rsa-sha2-512

debug1: kex: server->client cipher: aes128-ctr MAC: umac-64-etm@openssh.com compression: zlib@openssh.com

debug1: kex: client->server cipher: aes128-ctr MAC: umac-64-etm@openssh.com compression: zlib@openssh.com

debug1: expecting SSH2_MSG_KEX_ECDH_REPLY

debug1: Server host key: ssh-rsa SHA256:lbE7PpHnLiEoZfThEScojzRuZ6VC+qcmYC5KzoT1dDI

debug1: Host '[127.0.0.1]:22' is known and matches the RSA host key.

debug1: Found key in /.ssh/known_hosts:6

debug1: rekey out after 4294967296 blocks

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug1: SSH2_MSG_NEWKEYS received

debug1: rekey in after 4294967296 blocks

debug1: Will attempt key: /.ssh/id_rsa RSA SHA256:ofSfF12bF23VvjxCFHBQynRvpd5vfUb8fOp4rQOEpc4

debug1: Will attempt key: /.ssh/id_dsa

debug1: Will attempt key: /.ssh/id_ecdsa

debug1: Will attempt key: /.ssh/id_ed25519

debug1: Will attempt key: /.ssh/id_xmss

debug1: SSH2_MSG_EXT_INFO received

debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>

debug1: SSH2_MSG_SERVICE_ACCEPT received

debug1: Authentications that can continue: publickey,password,keyboard-interactive

debug1: Next authentication method: publickey

debug1: Offering public key: /.ssh/id_rsa RSA SHA256:ofSfF12bF23VvjxCFHBQynRvpd5vfUb8fOp4rQOEpc4

debug1: Server accepts key: /.ssh/id_rsa RSA SHA256:ofSfF12bF23VvjxCFHBQynRvpd5vfUb8fOp4rQOEpc4

debug1: Sent ALLOW_PKCS12_KEYSTORE_CLIENT_FLAG packet

debug1: Enabling compression at level 6.

debug1: Authentication succeeded (publickey).

Authenticated to 127.0.0.1 ([127.0.0.1]:22).

debug1: channel 0: new [client-session]

debug1: Requesting no-more-sessions@openssh.com

debug1: Entering interactive session.

debug1: pledge: network

debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0

debug1: Remote: //.ssh/authorized_keys:4: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding

debug1: Sending command: scp -v -t /cg/myfile2

Sending file modes: C0644 1073741824 myfile

Sink: C0644 1073741824 myfile

myfile 100% 1024MB 9.8MB/s 01:44

debug1: client_input_channel_req: channel 0 rtype exit-status reply 0

debug1: channel 0: free: client-session, nchannels 1

debug1: fd 0 clearing O_NONBLOCK

Transferred: sent 12865288, received 634548 bytes, in 104.2 seconds

Bytes per second: sent 123425.8, received 6087.7

debug1: Exit status 0

debug1: compress outgoing: raw data 1074331840, compressed 11289424, factor 0.01

debug1: compress incoming: raw data 280074, compressed 133610, factor 0.48

root@cgaix /cg #

In another session, I ran the nxstat command to confirm that the NX accelerator was being exploited by scp to compress and copy the file. The “Bytes” and “Polls” columns contained non-zero values, confirming the use of the accelerator.

root@cgaix / # nxstat 1 10000

Accelerator GZIP: Window Types: 2 Units: 1 Credits: 5

Type Cred Opens Bytes Faults Intrs Polls Waits

....

ALL 5 0 0.000 B 0 0 0 0

ALL 5 2 14.961 MB 0 0 481 1

ALL 5 0 0.000 B 0 0 0 0

ALL 5 0 107.092 MB 0 0 3426 0

ALL 5 0 0.000 B 0 0 0 0

ALL 5 0 82.023 MB 0 0 2624 0

ALL 5 0 0.000 B 0 0 0 0

ALL 5 0 76.021 MB 0 0 2432 0

ALL 5 0 0.000 B 0 0 0 0

ALL 5 0 80.022 MB 0 0 2559 1

ALL 5 0 0.000 B 0 0 0 0

ALL 5 0 54.296 MB 0 0 1736 0

ALL 5 0 0.000 B 0 0 0 0

ALL 5 0 83.742 MB 0 0 2680 0

ALL 5 0 0.000 B 0 0 0 0

ALL 5 0 74.020 MB 0 0 2368 0

ALL 5 0 0.000 B 0 0 0 0

ALL 5 0 78.021 MB 0 0 2495 1

ALL 5 0 0.000 B 0 0 0 0

ALL 5 0 80.022 MB 0 0 2560 0

ALL 5 0 0.000 B 0 0 0 0

ALL 5 0 80.022 MB 0 0 2559 1

ALL 5 0 0.000 B 0 0 0 0

ALL 5 0 80.022 MB 0 0 2559 1

ALL 5 0 0.000 B 0 0 0 0

ALL 5 0 78.021 MB 0 0 2493 3

ALL 5 0 0.000 B 0 0 0 0

ALL 5 0 78.021 MB 0 0 2496 0

ALL 5 0 0.000 B 0 0 0 0

ALL 5 0 83.335 MB 0 0 2664 2

ALL 5 0 0.000 B 0 0 0 0

ALL 5 0 78.709 MB 0 0 2518 0

ALL 5 0 0.000 B 0 0 0 0

ALL 5 0 78.021 MB 0 0 2496 0

ALL 5 0 0.000 B 0 0 0 0

ALL 5 0 76.021 MB 0 0 2432 0

ALL 5 0 0.000 B 0 0 0 0

ALL 5 0 81.210 MB 0 0 2598 0

ALL 5 0 0.000 B 0 0 0 0

ALL 5 0 79.959 MB 0 0 2556 2

ALL 5 0 0.000 B 0 0 0 0

ALL 5 0 78.897 MB 0 0 2522 2

ALL 5 0 0.000 B 0 0 0 0

ALL 5 0 78.021 MB 0 0 2496 0

ALL 5 0 0.000 B 0 0 0 0

ALL 5 0 82.023 MB 0 0 2624 0

ALL 5 0 0.000 B 0 0 0 0

ALL 5 0 78.021 MB 0 0 2495 1

ALL 5 0 0.000 B 0 0 0 0

ALL 5 0 78.021 MB 0 0 2496 0

ALL 5 0 0.000 B 0 0 0 0

ALL 5 0 79.147 MB 0 0 2532 0

ALL 5 0 0.000 B 0 0 0 0

ALL 5 0 78.897 MB 0 0 2523 1

ALL 5 0 0.000 B 0 0 0 0

ALL 5 0 80.022 MB 0 0 2560 0

ALL 5 0 0.000 B 0 0 0 0

ALL 5 0 82.023 MB 0 0 2624 0

ALL 5 0 0.000 B 0 0 0 0

ALL 5 0 78.021 MB 0 0 2495 1

ALL 5 0 0.000 B 0 0 0 0

ALL 5 0 79.834 MB 0 0 2553 1

ALL 5 0 0.000 B 0 0 0 0

ALL 5 0 80.772 MB 0 0 2584 0

ALL 5 0 0.000 B 0 0 0 0

ALL 5 0 73.458 MB 0 0 2350 0

ALL 5 0 0.000 B 0 0 0 0

ALL 5 0 60.016 MB 0 0 1919 1

ALL 5 0 0.000 B 0 0 0 0

ALL 5 0 76.021 MB 0 0 2431 1

ALL 5 0 0.000 B 0 0 0 0

ALL 5 0 80.022 MB 0 0 2560 0

ALL 5 0 0.000 B 0 0 0 0

ALL 5 0 72.020 MB 0 0 2302 2

ALL 5 0 0.000 B 0 0 0 0

ALL 5 0 78.021 MB 0 0 2496 0

ALL 5 0 0.000 B 0 0 0 0

ALL 5 0 80.022 MB 0 0 2560 0

ALL 5 0 0.000 B 0 0 0 0

ALL 5 0 78.021 MB 0 0 2495 1

ALL 5 0 0.000 B 0 0 0 0

ALL 5 0 82.023 MB 0 0 2623 1

ALL 5 0 0.000 B 0 0 0 0

ALL 5 0 80.022 MB 0 0 2560 0

ALL 5 0 0.000 B 0 0 0 0

ALL 5 0 78.021 MB 0 0 2496 0

ALL 5 0 0.000 B 0 0 0 0

ALL 5 0 78.021 MB 0 0 2496 0

ALL 5 0 0.000 B 0 0 0 0

ALL 5 0 76.021 MB 0 0 2431 1

ALL 5 0 0.000 B 0 0 0 0

ALL 5 0 78.021 MB 0 0 2495 1

ALL 5 0 0.000 B 0 0 0 0

ALL 5 0 82.023 MB 0 0 2624 0

ALL 5 0 0.000 B 0 0 0 0

ALL 5 0 78.021 MB 0 0 2495 1

ALL 5 0 0.000 B 0 0 0 0

ALL 5 0 80.022 MB 0 0 2557 3

ALL 5 0 0.000 B 0 0 0 0

ALL 5 0 80.022 MB 0 0 2560 0

ALL 5 0 0.000 B 0 0 0 0

ALL 5 0 82.023 MB 0 0 2624 0

ALL 5 0 0.000 B 0 0 0 0

ALL 5 0 76.021 MB 0 0 2432 0

ALL 5 0 0.000 B 0 0 0 0

ALL 5 0 71.895 MB 0 0 2300 0

ALL 5 0 0.000 B 0 0 0 0

root@cgaix /cg #

Obviously this test was not a performance measurement test. If you wanted to perform such a test, you would need to compare the same operation with

any older OpenSSH level (say 8.1.102.2101 or anything lower).

NOTE: It is possible that, due to a minor defect in 8.1.102.2102, that OpenSSH will (by default) pick up the libzNX library irrespective of -C option. This will be addressed in the next fileset release.

Other resources worth reading:

The benefits of AIX 7.2, XIVE, XGZIP and POWER9 systems

http://gibsonnet.net/blog/cgaix/html/AIX72_XIVE_XGZIP_and_POWER9.html

Power9 GZIP Data Acceleration with IBM AIX

https://community.ibm.com/community/user/power/blogs/brian-veale1/2020/11/09/power9-gzip-data-acceleration-with-ibm-aix?CommunityKey=daa942cb-b783-4fd3-ba27-a2d7462f9530

nxstat command

https://www.ibm.com/docs/en/aix/7.2?topic=n-nxstat-command

Using the POWER9™ NX (gzip) accelerator in AIX

https://www.ibm.com/support/pages/using-power9%E2%84%A2-nx-gzip-accelerator-aix

Performance improvement in AIX OpenSSH with on-chip data compression accelerator in POWER9

https://community.ibm.com/community/user/power/blogs/swetha-narayana/2021/07/27/performance-improvement-in-openssh-with-on-chip-da