AIX 7.2 OpenSSH is now HW
GZIP Enabled!
Chris Gibson, cgibson@au1.ibm.com , July 12th
2021
The latest version of OpenSSH for AIX 7.2 now supports POWER9 HW GZIP! The requirements for this new capability are as follows :
- Processor mode: Power9 (instead of Power9_Base)*
- AIX Level: 7.2 TL 4 and above*
- zlibNX: 7.2.4.0 NX accelerated zlib compression library*
- OpenSSH version: 8.1.102.2102 and above*
- OpenSSL version: 1.0.2.2100 and above *
- ssh commands (like ssh, scp etc) should be run with -C option (compression enabled)
*NOTE: It is recommended to have this configuration on both the OpenSSH client and server LPARs for optimal performance.
The required OpenSSH packages are available from the AIX Web Download Pack site. https://www-01.ibm.com/marketing/iwm/iwm/web/pickUrxNew.do?source=aixbp&S_PKG=openssh
From the OpenSSH 8.1.102.2102 README:
For details on downloading and installing the zlibNX library, please refer to the following blog post:
http://gibsonnet.net/blog/cgaix/html/AIX72_XIVE_XGZIP_and_POWER9.html
I tested this new capability in my lab today. First I ensured that my LPAR was running in "POWER9" mode and not in "default" or "POWER9_base" mode. Unfortunately there's no way to tell what the "real" Processor compatibility mode is from the AIX OS. So, lsconf may report that your LPAR is running in "POWER 9" mode but this doesn't mean it is running in "POWER9" native mode.
root@cgaix
/cg # lsconf | grep POWER
Processor
Type: PowerPC_POWER9
Processor
Implementation Mode: POWER 9
More recent levels of AIX 7.2 introduced a new command called nxstat. You can use this tool to display "usage statistics of on-chip hardware accelerators that can implement GZIP functions". It can also verify if the HW GZIP accelerator is configured and available in the LPAR (see below). It is also possible to determine if the NX accelerator is available to the LPAR using the kdb command (please refer to the following blog post for details on using kdb to make this determination http://gibsonnet.net/blog/cgaix/html/AIX72_XIVE_XGZIP_and_POWER9.html).
; LPAR is running
in POWER9 mode.
root@cgaix
/ # nxstat -S
nx_accel_mask
= FFFFFFFFFFFFFFFF
GZIP
accelerator available
; LPAR is not
running in POWER9 mode but POWER9_base mode.
#
nxstat -S
nx_accel_mask
= 0
**
No accelerators available **
** Accelerators are not available for
partitions in POWER9_base
mode
You can confirm the processor mode from the HMC CLI or UI (as shown below).
hscroot@p9-hmc:~>
lssyscfg -r lpar -m "myp9system" -F curr_lpar_proc_compat_mode
--filter lpar_names=cgaix
POWER9
My LPAR was running AIX 7.2 TL5 SP2 and the zlibNX.rte fileset was installed.
root@cgaix
/ # oslevel -s
7200-05-02-2114
root@cgaix
/ # lslpp -l zlibNX.rte
Fileset Level State
Description
----------------------------------------------------------------------------
Path:
/usr/lib/objrepos
zlibNX.rte 7.2.4.0 COMMITTED NX accelerated zlib
compression library
OpenSSH 8.1.102.2102 and OpenSSL 1.0.2.2101 were installed in my LPAR.
root@cgaix
/ # lslpp -l | grep -i openssh
openssh.base.client 8.1.102.2102 COMMITTED Open Secure Shell Commands
openssh.base.server 8.1.102.2102
COMMITTED Open Secure Shell
Server
openssh.license 8.1.102.2102 COMMITTED
Open Secure Shell License
openssh.man.en_US 8.1.102.2102 COMMITTED
Open Secure Shell
openssh.base.client 8.1.102.2102
COMMITTED Open Secure Shell
Commands
openssh.base.server 8.1.102.2102
COMMITTED Open Secure Shell
Server
root@cgaix
/ # lslpp -l | grep -i openssl
openssl.base 1.0.2.2101 COMMITTED Open Secure Socket Layer
openssl.license 1.0.2.2101 COMMITTED
Open Secure Socket License
openssl.man.en_US 1.0.2.2101 COMMITTED
Open Secure Socket Layer
openssl.base 1.0.2.2101 COMMITTED
Open Secure Socket Layer
root@cgaix
/ # ssh -V
OpenSSH_8.1p1,
OpenSSL 1.0.2u 20 Dec 2019
root@cgaix
/ # openssl version
OpenSSL 1.0.2u
20 Dec
2019
For this simple test (to confirm the use of the NX accelerator by scp), I scp'ed a file from the localhost back to the localhost, over 127.0.0.1. In the debug output (below) you can observe that the libzNX library is called. The -C flag is used with the scp command to enable compression and initiate the use of the accelerator for offloading of this function. At the end of the debug output (below) there is some information about the data compression that took place.
root@cgaix
/cg # scp -C -v myfile 127.0.0.1:/cg/myfile2
Executing:
program /usr//bin/ssh host 127.0.0.1, user (unspecified), command scp -v -t
/cg/myfile2
OpenSSH_8.1p1,
OpenSSL 1.0.2u 20 Dec 2019
debug1:
Reading configuration data /etc/ssh/ssh_config
debug1:
oslevel : 7.2.0.0
debug1: using libzNX from
/opt/freeware/ssh/libzNX_c.a(libz.so.1)
debug1: init_libz_ptrs success
debug1:
Failed dlopen: /usr/krb5/lib/libkrb5.a(libkrb5.a.so): Could not load module
/usr/krb5/lib/libkrb5.a(libkrb5.a.so).
System
error: No such file or directory
debug1:
Error loading Kerberos, disabling Kerberos auth.
debug1:
Connecting to 127.0.0.1 [127.0.0.1] port 22.
debug1:
Connection established.
debug1:
identity file /.ssh/id_rsa type 0
debug1:
identity file /.ssh/id_rsa-cert type -1
debug1:
identity file /.ssh/id_dsa type -1
debug1:
identity file /.ssh/id_dsa-cert type -1
debug1:
identity file /.ssh/id_ecdsa type -1
debug1:
identity file /.ssh/id_ecdsa-cert type -1
debug1:
identity file /.ssh/id_ed25519 type -1
debug1:
identity file /.ssh/id_ed25519-cert type -1
debug1:
identity file /.ssh/id_xmss type -1
debug1:
identity file /.ssh/id_xmss-cert type -1
debug1:
Local version string SSH-2.0-OpenSSH_8.1
debug1:
Remote protocol version 2.0, remote software version OpenSSH_8.1
debug1:
match: OpenSSH_8.1 pat OpenSSH* compat 0x04000000
debug1:
Authenticating to 127.0.0.1:22 as 'root'
debug1:
SSH2_MSG_KEXINIT sent
debug1:
SSH2_MSG_KEXINIT received
debug1:
kex: algorithm: curve25519-sha256
debug1:
kex: host key algorithm: rsa-sha2-512
debug1:
kex: server->client cipher: aes128-ctr MAC: umac-64-etm@openssh.com
compression: zlib@openssh.com
debug1:
kex: client->server cipher: aes128-ctr MAC: umac-64-etm@openssh.com
compression: zlib@openssh.com
debug1:
expecting SSH2_MSG_KEX_ECDH_REPLY
debug1:
Server host key: ssh-rsa SHA256:lbE7PpHnLiEoZfThEScojzRuZ6VC+qcmYC5KzoT1dDI
debug1:
Host '[127.0.0.1]:22' is known and matches the RSA host key.
debug1:
Found key in /.ssh/known_hosts:6
debug1:
rekey out after 4294967296 blocks
debug1:
SSH2_MSG_NEWKEYS sent
debug1:
expecting SSH2_MSG_NEWKEYS
debug1:
SSH2_MSG_NEWKEYS received
debug1:
rekey in after 4294967296 blocks
debug1:
Will attempt key: /.ssh/id_rsa RSA
SHA256:ofSfF12bF23VvjxCFHBQynRvpd5vfUb8fOp4rQOEpc4
debug1:
Will attempt key: /.ssh/id_dsa
debug1:
Will attempt key: /.ssh/id_ecdsa
debug1:
Will attempt key: /.ssh/id_ed25519
debug1:
Will attempt key: /.ssh/id_xmss
debug1:
SSH2_MSG_EXT_INFO received
debug1:
kex_input_ext_info:
server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1:
SSH2_MSG_SERVICE_ACCEPT received
debug1:
Authentications that can continue: publickey,password,keyboard-interactive
debug1:
Next authentication method: publickey
debug1:
Offering public key: /.ssh/id_rsa RSA SHA256:ofSfF12bF23VvjxCFHBQynRvpd5vfUb8fOp4rQOEpc4
debug1:
Server accepts key: /.ssh/id_rsa RSA
SHA256:ofSfF12bF23VvjxCFHBQynRvpd5vfUb8fOp4rQOEpc4
debug1:
Sent ALLOW_PKCS12_KEYSTORE_CLIENT_FLAG packet
debug1:
Enabling compression at level 6.
debug1:
Authentication succeeded (publickey).
Authenticated
to 127.0.0.1 ([127.0.0.1]:22).
debug1:
channel 0: new [client-session]
debug1:
Requesting no-more-sessions@openssh.com
debug1:
Entering interactive session.
debug1:
pledge: network
debug1:
client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1:
Remote: //.ssh/authorized_keys:4: key options: agent-forwarding port-forwarding
pty user-rc x11-forwarding
debug1:
Remote: //.ssh/authorized_keys:4: key options: agent-forwarding port-forwarding
pty user-rc x11-forwarding
debug1:
Sending command: scp -v -t /cg/myfile2
Sending
file modes: C0644 1073741824 myfile
Sink:
C0644 1073741824 myfile
myfile
100% 1024MB 9.8MB/s
01:44
debug1:
client_input_channel_req: channel 0 rtype exit-status reply 0
debug1:
channel 0: free: client-session, nchannels 1
debug1:
fd 0 clearing O_NONBLOCK
Transferred:
sent 12865288, received 634548 bytes, in 104.2 seconds
Bytes
per second: sent 123425.8, received 6087.7
debug1:
Exit status 0
debug1: compress outgoing: raw data 1074331840, compressed
11289424, factor 0.01
debug1: compress incoming: raw data 280074, compressed 133610, factor
0.48
root@cgaix
/cg #
In another session, I ran the nxstat command to confirm that the NX accelerator was being exploited by scp to compress and copy the file. The “Bytes” and “Polls” columns contained non-zero values, confirming the use of the accelerator.
root@cgaix
/ # nxstat 1 10000
Accelerator
GZIP: Window Types: 2
Units: 1 Credits:
5
Type
Cred Opens Bytes Faults Intrs Polls Waits
....
ALL
5 0 0.000
B 0 0 0 0
ALL
5 2 14.961 MB 0 0 481 1
ALL
5 0 0.000
B 0 0 0 0
ALL
5 0 107.092 MB 0 0 3426 0
ALL
5 0 0.000
B 0 0 0 0
ALL
5 0 82.023 MB 0 0 2624 0
ALL
5 0 0.000
B 0 0 0 0
ALL
5 0 76.021 MB 0 0 2432 0
ALL
5 0 0.000
B 0 0 0 0
ALL
5 0 80.022 MB 0 0 2559 1
ALL
5 0 0.000
B 0 0 0 0
ALL
5 0 54.296 MB 0 0 1736 0
ALL
5 0 0.000
B 0 0 0 0
ALL
5 0 83.742 MB 0 0 2680 0
ALL
5 0 0.000
B 0 0 0 0
ALL
5 0 74.020 MB 0 0 2368 0
ALL
5 0 0.000
B 0 0 0 0
ALL
5 0 78.021 MB 0 0 2495 1
ALL
5 0
0.000 B 0 0 0 0
ALL
5 0 80.022 MB 0 0 2560 0
ALL
5 0 0.000
B 0 0 0 0
ALL
5 0 80.022 MB 0 0 2559 1
ALL
5 0 0.000
B 0 0 0 0
ALL
5 0 80.022 MB 0 0 2559 1
ALL
5 0 0.000
B 0
0 0 0
ALL
5 0 78.021 MB 0 0 2493 3
ALL
5 0 0.000
B 0 0 0 0
ALL
5 0 78.021 MB 0 0 2496 0
ALL
5 0 0.000
B 0 0 0 0
ALL
5 0 83.335 MB 0 0 2664 2
ALL
5 0 0.000
B 0 0 0 0
ALL
5 0 78.709 MB 0 0 2518 0
ALL
5 0 0.000
B 0 0 0 0
ALL
5 0 78.021 MB 0 0 2496 0
ALL
5 0 0.000
B 0 0 0 0
ALL
5 0 76.021 MB 0 0 2432 0
ALL
5 0 0.000
B 0 0 0 0
ALL 5
0 81.210 MB 0 0 2598 0
ALL
5 0 0.000
B 0 0 0 0
ALL
5 0 79.959 MB 0 0 2556 2
ALL
5 0 0.000
B 0 0 0 0
ALL
5 0 78.897 MB 0 0 2522 2
ALL
5 0 0.000
B 0 0 0 0
ALL
5 0 78.021 MB 0
0 2496 0
ALL
5 0 0.000
B 0 0 0 0
ALL
5 0 82.023 MB 0 0 2624 0
ALL
5 0 0.000
B 0 0 0 0
ALL
5 0 78.021 MB 0 0 2495 1
ALL
5 0
0.000 B 0 0 0 0
ALL
5 0 78.021 MB 0 0 2496 0
ALL
5 0 0.000
B 0 0 0 0
ALL
5 0 79.147 MB 0 0 2532 0
ALL
5 0 0.000
B 0 0 0 0
ALL
5 0 78.897 MB 0 0 2523 1
ALL
5 0 0.000
B 0
0 0 0
ALL
5 0 80.022 MB 0 0 2560 0
ALL
5 0 0.000
B 0 0 0 0
ALL
5 0 82.023 MB 0 0 2624 0
ALL
5 0 0.000
B 0 0 0 0
ALL
5 0 78.021 MB 0 0 2495 1
ALL
5 0 0.000
B 0 0 0 0
ALL
5 0 79.834 MB 0 0 2553 1
ALL
5 0 0.000
B 0 0 0 0
ALL
5 0 80.772 MB 0 0 2584 0
ALL
5 0 0.000
B 0 0 0 0
ALL
5 0 73.458 MB 0 0 2350 0
ALL
5 0 0.000
B 0 0 0 0
ALL 5
0 60.016 MB 0 0 1919 1
ALL
5 0 0.000
B 0 0 0 0
ALL
5 0 76.021 MB 0 0 2431 1
ALL
5 0 0.000
B 0 0 0 0
ALL
5 0 80.022 MB 0 0 2560 0
ALL
5 0 0.000
B 0 0 0 0
ALL
5 0 72.020 MB 0 0 2302 2
ALL
5 0 0.000
B 0 0 0 0
ALL
5 0 78.021 MB 0 0 2496 0
ALL
5 0
0.000 B 0 0 0 0
ALL
5 0 80.022 MB 0 0 2560 0
ALL
5 0 0.000
B 0 0 0 0
ALL
5 0 78.021 MB 0 0 2495 1
ALL
5 0 0.000
B 0 0 0 0
ALL
5 0 82.023 MB 0 0 2623 1
ALL
5 0 0.000
B 0
0 0 0
ALL
5 0 80.022 MB 0 0 2560 0
ALL
5 0 0.000
B 0 0 0 0
ALL
5 0 78.021 MB 0 0 2496 0
ALL
5 0 0.000
B 0 0 0 0
ALL
5 0 78.021 MB 0 0 2496 0
ALL
5 0 0.000
B 0 0 0 0
ALL
5 0 76.021 MB 0 0 2431 1
ALL
5 0 0.000
B 0 0 0 0
ALL
5 0 78.021 MB 0 0 2495 1
ALL
5 0 0.000
B 0 0 0 0
ALL
5 0 82.023 MB 0 0 2624 0
ALL
5 0 0.000
B 0 0 0 0
ALL 5
0 78.021 MB 0 0 2495 1
ALL
5 0 0.000
B 0 0 0 0
ALL
5 0 80.022 MB 0 0 2557 3
ALL
5 0 0.000
B 0 0 0 0
ALL
5 0 80.022 MB 0 0 2560 0
ALL
5 0 0.000
B 0 0 0 0
ALL
5 0 82.023 MB 0
0 2624 0
ALL
5 0 0.000
B 0 0 0 0
ALL
5 0 76.021 MB 0 0 2432 0
ALL
5 0 0.000
B 0 0 0 0
ALL
5 0 71.895 MB 0 0 2300 0
ALL
5 0
0.000 B 0 0 0 0
ALL
5 0 0.000
B 0 0 0 0
ALL
5 0 0.000
B 0 0 0 0
ALL
5 0 0.000
B 0 0 0 0
ALL
5 0 0.000
B 0 0 0 0
ALL
5 0 0.000
B 0 0 0 0
ALL
5 0 0.000
B 0
0 0 0
ALL
5 0 0.000
B 0 0 0 0
ALL
5 0 0.000
B 0 0 0 0
ALL
5 0 0.000
B 0 0 0 0
ALL
5 0 0.000
B 0 0 0 0
root@cgaix
/cg #
Obviously this test was not a performance measurement test. If you wanted to perform such a test, you would need to compare the same operation with
any older OpenSSH level (say 8.1.102.2101 or anything lower).
NOTE: It is possible that, due to a minor defect in 8.1.102.2102, that OpenSSH will (by default) pick up the libzNX library irrespective of -C option. This will be addressed in the next fileset release.
Other resources worth reading:
The benefits of AIX 7.2, XIVE, XGZIP and POWER9 systems
http://gibsonnet.net/blog/cgaix/html/AIX72_XIVE_XGZIP_and_POWER9.html
Power9 GZIP Data Acceleration with IBM AIX
nxstat command
https://www.ibm.com/docs/en/aix/7.2?topic=n-nxstat-command
Using the POWER9™ NX (gzip) accelerator in AIX
https://www.ibm.com/support/pages/using-power9%E2%84%A2-nx-gzip-accelerator-aix
Performance improvement in AIX OpenSSH with on-chip data compression accelerator in POWER9