HP 9000 Containers A.03.01 on HP Integrity Server Administrator Guide HP-UX 11i v3 (5900-3112, June 2013)
$ srp_su <srp_name> root -c "chroot <hp9000_root> \
<command full path> <args>"
8.10 Patching HP 9000 Containers
Patching applications that use custom installers works inside both HP 9000 system and classic
container types. HP 9000 classic containers do not support patching using SD. HP 9000 system
containers support SD patching, but with differences, as explained in the following sections.
8.10.1 Patching native files inside container
During container configuration, a set of products (mainly NFS) and files (commands such as ipcs,
mount, netstat, ioscan, traceroute, and so on) are copied from the host HP-UX 11i v3
system to an HP 9000 container. This is done because the corresponding PA-RISC legacy
components do not work with the HP-UX 11i v3 kernel, and the differences cannot be bridged using
ARIES user-space emulation. A backup of the copied native files is available in the
/var/opt/HP9000-Containers/native directory inside the container.
When products that include the copied native files are patched inside the container, the native
files might get overwritten by HP 9000 versions. An SD post-session script,
/usr/lbin/sw/post_session/hp9000_flag_sync, is automatically run after patching to
copy the files again from the backup available at /var/opt/HP9000-Containers/native.
Copying files from the host is not a one-time process. The following processes trigger the creation
of a file hp9000_needs_recovery inside the container, under /var/adm/sw.
• Patching or installation of products including the native files on the host.
• Removing products or patches from the host.
• Running Update-UX on the host.
• Patching or installation of copied files from within the container.
• Removing products or patches from within the container.
When the container is restarted, this file is detected and the native files are copied again. You can
trigger the copying manually (when the container status is stopped) by running the following command:
$ srp -replace <srp_name> -s init
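As an added example (not part of the HP guide), the following POSIX shell script checks a stopped container's root for the hp9000_needs_recovery flag and lists the native files whose live copy no longer matches the backup, so an administrator can confirm what the post-session resync will restore before restarting the container or running the replace operation. It assumes that the backup tree under /var/opt/HP9000-Containers/native mirrors the live paths relative to the container root, which the guide does not state, and it runs against constructed sample data.

```shell
#!/bin/sh
# Added example (not from the HP guide): audit a stopped container's root for
# native-file drift after patching. Assumption not stated in the guide: the
# backup tree mirrors live paths relative to the container root, so
# <root>/var/opt/HP9000-Containers/native/usr/bin/ipcs backs up <root>/usr/bin/ipcs.

NATIVE_BACKUP_DIR="var/opt/HP9000-Containers/native"
RECOVERY_FLAG="var/adm/sw/hp9000_needs_recovery"

# recovery_flag_set <container_root>: succeed if SD/Update-UX left the flag file.
recovery_flag_set() {
    [ -f "$1/$RECOVERY_FLAG" ]
}

# drifted_native_files <container_root>: print, relative to the container root,
# each backed-up native file whose live copy is missing or differs from the backup.
drifted_native_files() {
    root="$1"
    backup="$root/$NATIVE_BACKUP_DIR"
    [ -d "$backup" ] || return 0
    find "$backup" -type f | while read -r bfile; do
        rel=${bfile#"$backup/"}
        cmp -s "$bfile" "$root/$rel" || echo "$rel"
    done
}

# build_sample_root <dir>: constructed test data simulating a container in which
# an SD patch overwrote usr/bin/ipcs with the PA-RISC version but left sbin/mount intact.
build_sample_root() {
    root="$1"
    mkdir -p "$root/$NATIVE_BACKUP_DIR/usr/bin" "$root/$NATIVE_BACKUP_DIR/sbin" \
             "$root/usr/bin" "$root/sbin" "$root/var/adm/sw"
    printf 'native ipcs\n'  > "$root/$NATIVE_BACKUP_DIR/usr/bin/ipcs"
    printf 'native mount\n' > "$root/$NATIVE_BACKUP_DIR/sbin/mount"
    printf 'pa-risc ipcs\n' > "$root/usr/bin/ipcs"   # overwritten by the patch
    printf 'native mount\n' > "$root/sbin/mount"      # still the host copy
    : > "$root/$RECOVERY_FLAG"                        # flag left by the patch session
}

# audit_container <container_root>: report the flag and list drifted files.
audit_container() {
    if recovery_flag_set "$1"; then
        echo "hp9000_needs_recovery present: restart the container or run" \
             "'srp -replace <srp_name> -s init' while it is stopped"
    fi
    drifted_native_files "$1"
}
```

Run it as `audit_container /path/to/container/root` on the host while the container is stopped; an empty file list with no flag means the native copies are intact.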
8.10.2 Commands disallowed inside container
Certain commands (mostly related to system administration tasks) are disallowed inside containers.
HP 9000 Containers A.03.01 provides the following ways to restrict these commands:
• Deny execute permission for these commands using compartment rules in
/opt/HP9000-Containers/config/hp9000.disallowed.cmds. This also causes the denial
of read permission on command executable files (compartment rules cannot distinguish between
read and execute).
• Replace unsupported commands with a dummy command that exits after displaying an error
message. Commands listed in the /opt/HP9000-Containers/config/hp9000sys_delete_commands
file are replaced. This option is available from HP 9000 Containers A.03.01 for system
containers.
You can choose to restrict the commands at the time of container creation by answering yes (for
rules) or no (for replacement) to the following question:
Use rules to restrict unsupported commands?
Later, you can change the choice using the replace operation:
$ srp -replace <srp_name> -s init,cmpt
54 Administration of HP 9000 Containers