IBM z/OS Container Extensions network overview

IBM® z/OS® Container Extensions (zCX) provides an execution environment allowing z/OS to host applications based on Linux® that are managed with docker containers. Each instance of zCX (unique zCX job) is provisioned within a unique z/OS address space. The zCX address space represents a virtual server which hosts applications managed in docker containers. The virtual server does not require operational tasks from the z/OS environment or the z/OS administrator. From an operational perspective, the virtual server is transparent to the z/OS environment. The zCX environment is configured using z/OSMF. For information about configuring the zCX environment, see IBM z/OS Management Facility Online Help for Configuration Workflow.

z/OS Communications Server provides network communications and network related services for the zCX workloads. The Linux virtual server is represented by a unique type of application instance DVIPA called a zCX DVIPA. The VIPARange statement is used with the ZCX keyword to create zCX DVIPAs. Defining zCX DVIPAs is the primary IP configuration task and in many instances it will be the only required configuration task.

The following figure provides an overview of the z/OS Communications Server support provided for the zCX environment.

Figure 1. z/OS Communications Server support provided for the z/CX environment
An overview of the z/OS Communications Server support provided for the z/CX environment

Users define zCX DVIPAs to TCP/IP using VIPARange with the ZCX parameter using Network Configuration Assistant or directly in their TCP/IP profile.

The remaining steps are automatic:
  1. EZAZCX interface is automatically created1 by TCP/IP and connected to a dynamically created internal network represented by a dynamically created TRLE called IUTZCX4n. A unique instance of the IUTZCX4n DLC is created for each TCP/IP stack connecting to zCX servers. The n represents the instance of each IUTZCX4n DLC created.
  2. When the zCX job is started by the user:
    1. this instance of zCX binds to the DVIPA and connects to TCP/IP over EZAZCX
    2. DVIPA (zCX) is activated / added to the home list
    3. TCP/IP creates a static route to the zCX DVIPAs for its own internal use. This route is local to and controlled by the stack that owns the zCX and is not advertised using dynamic routing.
  3. When using dynamic routing the zCX DVIPAs are treated by OMPROUTE as application-instance DVIPAs and are advertised accordingly.2
  4. CS TCP/IP forwards packets for 1.1.1.1 over the zCX IP route and the EZAZCX Interface.
Note: IP filters can be configured and applied during IP forwarding. IPSec tunnels can be applied to the external IP routes. If you have IP filters defined, updates to your IP filter rules are required. You must ensure that you permit ROUTED and LOCAL (EITHER) traffic for the zCX DVIPAs.

z/OS Container Extensions IPv6 network overview

z/OS supports zCX instances with both IPv4 and IPv6 connectivity. A zCX instance can support just IPv4 or both IPv4 and IPv6 connectivity.

Defining zCX DVIPAs using VIPARange remains as the primary IP configuration task that controls and enables each zCX instance for each specific IP version. When the zCX job is started, the appropriate zCX interfaces will be started.

Configuring and enabling zCX IPv6 requires that your zCX instance is already enabled for IPv4 (see the above IPv4 steps) and then the required IPv6 steps are summarized below for the following two use cases:

  • z/OS TCP/IP users who already have enabled z/OS for IPv6 (key steps):
    1. Define IPv6 zCX DVIPAs using the VIPARange statement.
      Note:
      1. A separate IPv6 VIPARange statement should be created for each zCX instance that requires IPv6 connectivity.
      2. For supporting high availability for zCX, your IPv6 VIPARange statements should be configured in all z/OS TCP/IP instances within the sysplex eligible to host this zCX IPv6 instance.
    2. Specify the IPv6 DVIPA in the z/OSMF zCX workflows (provisioning or reconfiguration workflows). Optionally specify any other IPv6 addresses or hostnames for any zCX configuration options, such as DNS, Registry, Proxy, or LDAP addresses using the z/OSMF zCX workflows.
    3. Common IPv6 configuration steps:

      Most existing z/OS IPv6 users will have already completed the following common IPv6 steps, but here are some key steps to consider:

      1. External IPv6 Interfaces:

        To enable IPv6 communications with hosts external to this z/OS TCP/IP instance you must enable the associated z/OS IPv6 interfaces, such as OSA or HiperSockets.

      2. IPv6 Dynamic XCF must be enabled.3
      3. If using dynamic routing, define your IPv6 DVIPAs to OMPRoute.
        Note: IP filters can be configured and applied during IP forwarding. IPSec tunnels can be applied to the external IPv6 routes. If you have IP filters defined, updates to your IP filter rules are required. You must ensure that you permit ROUTED and LOCAL (EITHER) traffic for the zCX DVIPAs.
  • z/OS TCP/IP users who have not enabled z/OS for IPv6:
    1. This type of user must first complete the z/OS IPv6 migration or enablement. This type of user must start with the z/OS Communications Server: IPv6 Network and Appl Design Guide.
    2. Once your z/OS TCP/IP stack is enabled for IPv6, review the first list above for the specific zCX IPv6 steps.
1 The EZAZCX interface is automatically created when the IUTSAMEH interface is created (either by DYNAMICXCF or static DEVICE/LINK/HOME for IUTSAMEH) and at least one VIPARANGE ZCX is configured. The EZAZCX interface transitions to ready when the first zCX DVIPA is activated. The EZAZCX interface is created for zCX instances using an IPv4 DVIPA. If the zCX instance is using an IPv6 DVIPA, the interface created is EZ6ZCX and the TRLE created is IUTZCX6n.
2 When using dynamic routing, you must define the zCX DVIPAs to OMPRoute just like any other application-instance DVIPA. OMPROUTE will then advertise the zCX DVIPA when it activates on the host. When the DVIPA is moved, external hosts will automatically (with dynamic routing updates) find the new location of the DVIPA and the related zCX applications. If OMPROUTE is not being used, you must ensure the zCX DVIPAs can be reached by other hosts by defining static routes on other hosts that need to reach the zCX instance.
3 The EZAZCX interface is automatically created when the IUTSAMEH interface is created (either by IPCONFIG(6) DYNAMICXCF or static DEVICE/LINK/HOME for IUTSAMEH) and at least one VIPARANGE ZCX is configured. The EZAZCX interface transitions to ready when the first zCX DVIPA is activated. The EZAZCX interface is created for zCX instances using an IPv4 DVIPA. If the zCX instance is using an IPv6 DVIPA, the interface created is EZ6ZCX and the TRLE created is IUTZCX6n.