HP 9000 Containers A.03.01 on HP Integrity Server Administrator Guide HP-UX 11i v3 (5900-3112, June 2013)
Compartment rules provide a better way to restrict the commands. However, read permission on
these files is disabled and SD operations such as swinstall, swverify, and swremove fail
for products that include these commands.
For example, a quality pack might contain several products, some of which contain files that
belong to the list of restricted commands, so installing or rolling back the pack can be
tedious. A workaround is to temporarily disable the compartment rules while the operation is
performed. Open /etc/cmpt/<srp_name>.rules on the host HP-UX 11i v3 server and comment
out (using #) the line including hp9000.disallowed.cmds. Then, run the setrules
command. After patching is completed, enable the rules by editing the rules file to remove the
comment, and running setrules again.
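The workaround above leaves the command restriction off until someone reverses it. As an added example (not from the HP guide), this POSIX sh wrapper comments out the line, runs one command, and restores the rules file however that command ends. The .prepatch backup name, the SETRULES override and the wrapped command are assumptions, as is the rule loader ignoring the backup file.

```shell
#!/bin/sh
# Added example, not from the HP guide. Usage on the host (CMD is whatever
# performs the patching step):  with_rule_disabled /etc/cmpt/<srp_name>.rules CMD
RULE_RE='hp9000\.disallowed\.cmds'
SETRULES=${SETRULES:-setrules}  # reload command from the guide; SETRULES=true for a dry run

# Print "disabled" while a saved pre-patch copy exists, otherwise "enabled".
rule_state() { if [ -e "$1.prepatch" ]; then echo disabled; else echo enabled; fi; }

# Restore the saved rules file byte for byte and reload the rules.
enable_rule() {
    [ -f "$1.prepatch" ] || { echo "nothing to restore for $1" >&2; return 1; }
    cat "$1.prepatch" > "$1" && rm -f "$1.prepatch" && $SETRULES
}

# Prefix every line naming the rule with '#', keeping the original as FILE.prepatch.
# Assumption: the rule loader ignores FILE.prepatch; move the backup if it does not.
disable_rule() {
    [ -f "$1" ] || { echo "no rules file: $1" >&2; return 1; }
    if [ -e "$1.prepatch" ]; then echo "$1 is already disabled" >&2; return 1; fi
    grep "$RULE_RE" "$1" >/dev/null || { echo "rule line not found in $1" >&2; return 1; }
    cp -p "$1" "$1.prepatch" || return 1
    # On any failure past this point, fall back to the restricted state.
    sed "/$RULE_RE/s/^/#/" "$1.prepatch" > "$1" && $SETRULES ||
        { enable_rule "$1"; return 1; }
}

# with_rule_disabled FILE CMD [ARG...]: run CMD with the rule off, then turn it
# back on whether CMD succeeded, failed, or the shell was signalled.
with_rule_disabled() {
    rules=$1; shift
    disable_rule "$rules" || return 1
    trap 'enable_rule "$rules"; exit 130' INT TERM HUP
    rc=0; "$@" || rc=$?
    trap - INT TERM HUP
    enable_rule "$rules" || return 1
    return "$rc"
}

# Demo on a constructed file (placeholder lines, not real rule syntax): sh FILE demo
if [ "${1:-}" = demo ]; then
    SETRULES=true
    f=${TMPDIR:-/tmp}/demo.$$.rules
    printf '%s\n' 'placeholder rule A' 'placeholder line naming hp9000.disallowed.cmds' > "$f"
    with_rule_disabled "$f" cat "$f"    # shows the file with the line commented out
    echo "after: $(rule_state "$f")"; cat "$f"; rm -f "$f"
fi
```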
If the option to replace unsupported commands (which is the default) is chosen, the SD operations
for products including these files are not affected. However, swinstall and swremove run
relatively slowly because a post session script runs again to replace the disallowed commands.
IMPORTANT: Do not interrupt the post session scripts.
8.10.3 Applying kernel patches inside the container
An HP 9000 container does not have an active HP 9000 kernel. Therefore, applying kernel patches
inside the container does not have any effect. The swinstall command updates files without
restarting the container.
8.10.4 Patching commands and libraries
HP 9000 Containers A.03.01 provides options to use native HP-UX commands and the latest
versions of system libraries using the cmdv3 and libv3 templates respectively. If any of these
templates are added, there is a risk of overwriting commands and libraries with the legacy
components when patching products that include these files. To restore the HP-UX 11i v3 native
commands and PA-RISC libraries, stop and replace the container:
$ srp -replace <srp_name> -t cmdv3
$ srp -replace <srp_name> -t libv3
8.10.5 Errors reported by swverify command
The swverify command inside the HP 9000 container might report errors due to the following
reasons:
• If compartment rules are used to restrict commands, read permission is not available for the
command files.
• If a command or library is switched, the file attributes differ from what is stored in the SD
database.
• If swremove is performed on a product that includes disallowed commands or other files
copied from the host, the SD database is no longer flagged to ignore errors for these files.
8.10.6 SD post session scripts
As a part of container creation, some scripts and configuration files get copied into the container
to help SD patching, and these scripts and files must be retained. The post session processing takes
care of deleting unsupported services, restoring native files, and overwriting unsupported commands
after patching operations inside the container.
Files related to post session processing are:
/usr/lbin/sw/post_session/hp9000_flag_sync
/usr/lbin/sw/post_session/hp9000_delete_svcs
/var/opt/HP9000-Containers/hp9000sys_sd_filesets