Friday, January 7, 2011

Patches? We don't need no Stinkin' Patches!

Well, if you are familiar with that famous scene from the “Treasure of the Sierra Madre” you probably have an idea where I am going…

I am having a little fun here with my reference to this classic film and the recent PHP hotfix that was developed to address a processor exploit. The truth is that all systems need patches sooner or later. Some operating systems need them more than others and release them on a weekly basis. Others batch them up and say come and get them when you are ready. But as we know, on the IBM i things are a little bit different.

First, let’s explore what happened. On the Zend website you can read an article that describes the issue. Essentially, there was a flaw in the floating-point conversion of the Zend Engine that, when running on some processors, could cause a site to seize up. As an organization, Zend R&D and several other groups within the company jumped in and deployed the patch in a mere 24 hours from the point of diagnosis. Not bad if you are looking for enterprise support for PHP, I’d say.

Here is the important thing: who was exposed? The article goes on to talk about the architectures that were not impacted. Those include Intel 64-bit Linux, Mac OS X and IBM i. So why was IBM i safe? Simply put, PowerPC!

People who get embroiled in the religious wars over platforms tend to lose sight of the significant value proposition that we enjoy simply because we run on another processor. Does that mean the PowerPC is without flaws? Hardly. But it does mean that we enjoy a little security through obscurity. Hackers and exploiters are simply not attacking PowerPC. Why? Well, probably for the same reason you don’t see too much in the trade press about it. PowerPC is powering the Power Systems at IBM and some game stations like the Wii, Xbox, PS3/PS4, etc., so the folks who have a Power System are using it for business, and the gamers are hacking their boxes to load Linux on a 64-bit architecture. Woohoo! We’re safe on this one!

But enjoying the wonderful safety of IBM i does not mean we should sit back and expect that “Murphy” will never come knocking. The reality is that the IBM i has one of the best “patching” processes in the industry, and the fact that most IBM i developers have no clue about it lends it significant credibility, as most of you simply do not HAVE to know about it. So after talking to so many of you, I figured I would summarize some of the recent discussion points about PTF’s and Zend as a bit of a refresher. For an in-depth discussion on PTF strategy, I would highly recommend Larry “Dr. Franken” Bolhuis' presentation “Managing IBM i PTF’s” at COMMON or a local user group near you! Here are two slides he donated to this blog for your consideration!






First, a refresher on how and where Zend Server runs on IBM i. There are two major worlds that comprise the IBM i Zend Server universe. The first is the IBM HTTP Server Powered by Apache and the second is PASE (Portable Application Solution Environment). Ideally your system manager should have a strategy in place for keeping current with Cumulative and Group PTF’s. If that is the case then you should be good to go. If not, get some religion NOW and some help if you need it. Either way, please read on!

Starting with the Apache server, I would direct your attention to the group PTF for HTTP for your respective OS version. It is easy to determine where you are on this food chain, as IBM has created a one-stop shop to see your current status. Simply run the WRKPTFGRP command from the green screen and press F11 to see the descriptions for the group PTF’s that are currently installed. If, perchance, you run the command and see nothing, there is a very good possibility that you have no group or cumulative PTF’s installed or applied. Need I say more to you about that? I think not. If you have groups installed, you should be able to navigate around the screen to see the current level. Find that current level and then head to the IBM website for Fix Central. This page contains a VERY valuable link for current group PTF levels. Compare your level to the IBM level to get a “feel” for how far off you are.
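The comparison described above can be scripted once the two lists are in hand. The following is an added example, not code from IBM or Zend: the group names, levels, status strings and listing layout are all constructed for illustration and are not a capture of WRKPTFGRP or Fix Central.

```python
# Added example. All group IDs, levels and statuses below are constructed.
INSTALLED = """\
# group     level  status
SFEXHTTP    12     Installed
SFEXJAVA    5      Not installed
SFEXPASE    3      Installed
"""
CURRENT = """\
# group     level published by the vendor
SFEXHTTP    14
SFEXJAVA    7
SFEXPASE    3
SFEXDB2     20
"""

def parse_levels(text):
    """Return {group: (level, status)}; status is None if the column is absent."""
    rows = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        rows[parts[0]] = (int(parts[1]), " ".join(parts[2:]) or None)
    return rows

def ptf_gap_report(installed_text, current_text):
    """Compare installed group levels with current ones, worst cases included."""
    installed = parse_levels(installed_text)
    current = parse_levels(current_text)
    if not installed:
        # The "run the command and see nothing" case from the text.
        return [("*ALL", "NO GROUPS ON SYSTEM", None)]
    report = []
    for group, (cur_level, _) in sorted(current.items()):
        if group not in installed:
            report.append((group, "MISSING", None))
            continue
        level, status = installed[group]
        gap = cur_level - level                # rough "how far off" figure
        if status != "Installed":
            report.append((group, "NOT APPLIED", gap))
        elif gap > 0:
            report.append((group, "BEHIND", gap))
        else:
            report.append((group, "CURRENT", 0))
    return report

if __name__ == "__main__":
    for row in ptf_gap_report(INSTALLED, CURRENT):
        print(*row)
```

A group that is on the system but not in an installed state is reported separately from one that is merely behind, since a downloaded but unapplied group gives no protection.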

I am pleased that most of my customers tell me they are either current or only a level or two behind. Every once in a while, though, I get someone who cannot install Zend Server and when I ask about their PTF levels they will respond “What’s a PTF?” I walk them through the steps identified above and we discover a lot!

So why do I need PTF’s to implement Zend Server on IBM i? Well, the word “need” is a relative term. When Zend revised the stack from Zend Core to Zend Server on IBM i, several changes were implemented to address a number of customer requirements. Most notable was the dual Apache configuration of Zend Core. To achieve a better performance model and reduce the Apache servers to a manageable ONE, IBM and Zend collaborated on delivering FastCGI as a method for deploying PHP on IBM i. FastCGI is an open source approach to working with Apache servers, and since IBM essentially OWNS the Apache server on IBM i, they have graciously built and provided the FastCGI infrastructure with significant contributions from Zend. IBM implemented these changes as part of the base for i7.1 and via PTF’s for V5R4 and i6.1 as well as the interim releases.

Any company that implements new technology is going to have an aggressive update process. IBM is no stranger to this phenomenon, so to ensure that you have the latest and greatest fixes and features for FastCGI, you should keep current with the group for HTTP as well as your Cumulative PTF package and PASE.