ID-INFO blog
IBM i: how to run third-party Open Source repositories without Internet access?
IBM i (AS/400) systems are often kept off the Internet, first and foremost for security. To protect them from potential external threats and to secure the valuable data they hold, these machines, which sit at the heart of a large number of critical functions in many companies, are often located behind a firewall and are often completely isolated from the Internet.
However, this can be problematic for teams who have chosen to modernize their system by taking advantage of IBM’s Open Source Module Manager, which enables them to bring in multiple market-leading software solutions such as PHP, Node or Python, for example. These are installed via repositories located on servers potentially on the other side of the planet.
Of course, it’s possible to ask network teams to open up flows when necessary, but this isn’t always possible: lengthy or very strict procedures, often involving external service providers, can be a real obstacle to quickly adding a new feature that’s critical to the development team. What’s more, the installation or updating of Open Source components is, in the majority of cases, a one-off operation: there’s not necessarily a need for a permanent open flow.
It is theoretically possible to clone the repository on a machine on the local network. This configuration can be useful if you have a large number of IBM i machines on which to deploy solutions. However, maintaining such a clone is quite cumbersome if the goal is simply to deploy a few solutions on a development machine and a production machine.
IBM has come up with a very simple solution for its own repository: the “SSH Tunneling” option on the Open Source Module Manager connection interface. One small drawback, however, concerns adding third-party repositories, such as the Seiden Group’s repository for installing new PHP alternatives on IBM i.
Without Internet connectivity, adding the repository fails directly, as can be seen in the following screenshot:
Because the repository could not be added, it cannot be used from the Open Source Module Manager. As before, you’ll only find IBM’s.
To get around this problem, there’s a very simple solution. Simply open the URL of the file defining the repository in your browser, save the text file displayed on your PC and transfer it to your IBM i:
Once the file has been transferred to your IBM i, you can replay the repository addition over SSH by specifying the absolute path of the repository file on the IFS:
PATH=/QOpenSys/pkgs/bin:$PATH
export PATH
yum-config-manager --add-repo /QOpenSys/etc/phprepo/seiden_stable.repo
yum repolist
yum clean all
As you can see from the screenshot, we’ve managed to add the repository, but for the moment the IBM i still hasn’t managed to reach it due to the lack of Internet connectivity.
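Because the repository definition is saved from a browser and copied over by hand, it is worth reviewing the file before `yum-config-manager --add-repo` is run on it. The script below is an added example, not part of the original post or of IBM's or Seiden Group's tooling: `audit_repo` is a hypothetical helper name, and the sample repo id and URLs are constructed. It flags the standard yum options that weaken package integrity (`gpgcheck`, `sslverify`, and non-TLS `baseurl`, `mirrorlist` or `gpgkey` values) and assumes a POSIX shell with `awk`.

```shell
#!/bin/sh
# Added example (not from the original post): review a manually transferred
# yum .repo file before "yum-config-manager --add-repo" is run on it.

# audit_repo FILE -> prints one "repo-id: finding" line per weak setting.
# Returns 0 if nothing was flagged, 1 if there are findings, 2 if unreadable.
audit_repo() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    awk '
        function report(msg) { print sec ": " msg; bad = 1 }
        { sub(/\r$/, "") }                    # CRs left by a Windows-side save
        /^[ \t]*(#|;|$)/ { next }             # comments and blank lines
        /^[ \t]*\[.*\][ \t]*$/ {              # [repo-id] section header
            sec = $0
            sub(/^[ \t]*\[/, "", sec); sub(/\][ \t]*$/, "", sec)
            next
        }
        {
            eq = index($0, "="); if (eq == 0) next
            key = tolower(substr($0, 1, eq - 1)); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key ~ /^(baseurl|mirrorlist|gpgkey)$/ && val ~ /^(http|ftp):\/\//)
                report(key " is fetched without TLS: " val)
            if (key == "gpgcheck" && tolower(val) ~ /^(0|no|false)$/)
                report(key "=" val ": package signatures are not verified")
            if (key == "sslverify" && tolower(val) ~ /^(0|no|false)$/)
                report(key "=" val ": server certificate is not verified")
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample input: hypothetical repo id and URLs, not the contents
# of any real vendor file.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[example-thirdparty]
name=Example third-party repo
baseurl=http://repo.example.invalid/ibmi/stable
enabled=1
gpgcheck=0
EOF
audit_repo "$sample" || echo "Findings above: resolve them before adding the repository."
rm -f "$sample"
```

A repo section that omits `gpgcheck` inherits the value from the `[main]` section of yum.conf, so check that file as well when the script reports nothing.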
Now is the time to take full advantage of ACS’s “SSH Tunneling” option:
We now have access to a third-party repository despite the fact that the IBM i has no Internet connectivity:
It should be noted that your PC acts as the intermediary that retrieves the installation files, so tunneling will only be possible if your PC is able to reach the repositories, and of course throughput will be limited by your machine’s capabilities. Notos-IDInfo strongly recommends that you also use the latest version of ACS.
The Seiden Group’s PHP CommunityPlus+ ( https://www.seidengroup.com/install-communityplus-php/ ) is a good alternative to Zend Server for many use cases. Don’t hesitate to contact us about it.