HP-UX Containers (SRP) A.03.00 Administrator's Guide
HP-UX 11i v3

Table of contents
Preface  5
Intended audience  5
Typographic conventions
5.2 Displaying subsystem properties  32
5.3 Disabling HP-UX Containers subsystems  33
6 Managing containers using the srp command  34
6.1 Templates, services, and variables
15.3.2 Audit  75
15.4 Managing devices  76
15.5 Software management  77
15.5.1 Managing software
B.2 Customize security containment definition (not supported for system containers)  119
B.2.1 Securing containers with compartment rule Include files (not supported for system containers)  119
B.2.2 Manually editing configuration data  120
Appendix C: Template services – detailed description  123
C.1 The cmpt service
Preface
This document describes how to install, configure, and troubleshoot HP-UX Containers (formerly Secure Resource Partitions (SRP)).

Intended audience
This document is intended for system and network administrators responsible for installing, configuring, and managing HP-UX Containers (formerly Secure Resource Partitions (SRP)). Administrators are expected to have knowledge of operating system and networking concepts, commands, and configuration.
points of the main text.

Related information
For more information about the products and subsystems used with HP-UX Containers, see the following documentation:

Document: HP 9000 Containers Administrator's Guide
Location: http://www.hp.com/go/hp9000-containers

Document: HP-UX Security Containment and Role-Based Access Control (RBAC), documented in the HP-UX System Administrator's Guide: Security Management: HP-UX 11i v3
Location: http://www.hp.com/go/hpux-core-docs (select the HP-UX 11i v3 product)
This document is located at: www.hp.com/go/virtualization-manuals (select the HP-UX Containers (SRP) Software product).

Manufacturing Part Number  Supported Operating Systems  Supported Versions  Publication Date
5900-1316  HP-UX 11i v3  Version 3.0   April 2011
5900-0911  HP-UX 11i v3  Version 2.2   August 2010
5992-5172  HP-UX 11i v3  Version 2.01  December 2009
5992-4679  HP-UX 11i v3  Version 2.0   October 2008

HP encourages your comments
HP encourages your comments concerning this document.
Part I: Getting started
1 Introduction
HP-UX Containers allows you to deploy multiple isolated container-based environments on a single server platform. This allows the enterprise to host multiple workloads on a single operating system instance, thereby better utilizing server resources (CPU, memory, network access) and data center resources (power, cooling, footprint), and reducing the overall number of operating system instances to manage.
1.4 Isolation and namespace
Container isolation is provided by applying a combination of access restrictions and private namespace features.

Access restrictions
HP-UX Containers uses the HP-UX Security Containment compartment features to limit access to file system paths, network interfaces, kernel functionality, inter-process communication (IPC), and process view/signaling for processes executing within containers. Each container is configured with its own compartment definition.
based file system view, hostname, IPC namespace, and service daemons. Common system administration activities such as user management are performed within each system container.
• Workload: Provides a lightweight workload hosting environment. All workload containers share the global file system view, hostname, IPC namespace, and service daemons. System administration activities are shared with the global view.
Figure 1.1 HP-UX Containers on HP-UX Integrity

1.7 Compatibility with other virtualization continuum products
HP-UX Containers is a component of the Virtualization Continuum for HP-UX and is compatible with HP-UX nPartitions, HP-UX vPars, and Integrity Virtual Machine (VM) solutions. You can create a container in any HP-UX OS image; the OS image can exist in an nPartition, vPars, Integrity VM, or directly on non-partitioned server hardware.
2 Installing HP-UX Containers
You can acquire and install HP-UX Containers free of charge from HP Software Depot: http://www.software.hp.com
For system and environment requirements, see the HP-UX Containers (SRP) A.03.00 Release Notes located at: www.hp.com/go/virtualization-manuals (select the HP-UX Containers (SRP) Software product).

2.1 Upgrading to HP-UX Containers A.03.
Part II: Managing containers
3 HP-UX Containers components
HP-UX Containers includes the following components to help manage the containers:
• The SRP Manager
• The srp_sys command
• The srp command
• The srp_init daemon
• The srp_su command
• The srp_ps command

3.1 The SRP Manager
The SRP Manager is integrated with System Management Homepage (SMH) and provides a graphical user interface (GUI) to configure and manage containers. See 4 Using SRP Manager for more information.

3.
3.5 The srp_su command
The /opt/hpsrp/bin/srp_su command allows a user in the global view to launch a shell (via the su(1) command) in the specified target container. This can be used by system administrators for the purpose of login or command execution within a container. See 8 Using the srp_su command for more information.

3.6 The srp_ps command
The /opt/hpsrp/bin/srp_ps command reports process status for a specific container on your system. See 9 Using the srp_ps command for more information.
4 Using SRP Manager The SRP Manager is integrated in the System Management Homepage (SMH) and provides a graphical user interface (GUI) to configure and manage system and workload containers.
Figure 4.1 SMH: Selecting SRP Manager

4.2 SRP Manager Homepage
The SRP Manager homepage provides a view of all containers on the system including current state and resource utilization for each container. Figure 4.2 shows the SRP Manager homepage.

Figure 4.2 SRP Manager homepage

NOTE: From the SRP Manager help files, select the SRP Listing and Status help menu item for more information on the SRP Manager homepage.
4.3 Accessing SRP Manager help
To access help information for any SRP Manager page, click the question mark icon located in the upper right corner of the SRP Manager homepage.

4.4 Setting the HP-UX Containers environment
Before you can create any container, you must set up your HP-UX Containers environment. The system properties verify that the subsystem-level configuration meets the requirements to configure a container on the host.
4.5 SRP Manager – creating a container
You can use the SRP Manager to create a new container on your system. When you create a container, you select the type of container: workload or system. For both types of containers, you can specify optional services (such as PRM, IPFilter, and IPSec). For workload containers, you can specify additional application templates (SSHD, Apache, Tomcat, Custom, and Oracle). To create a container, follow these steps:
1. From the SRP Manager homepage, click Create a container.
NOTE: From the SRP Manager help files, select the Create a container help menu item for more information on creating a container.

4.6 SRP Manager – viewing or modifying a container
You can view or modify the configuration of a container once it has been created. Modifying some parameters (such as networking parameters) requires that the container be in the stopped state. To add, delete, or modify an application template configuration, you must restart the container.
Figure 4.5 SRP Manager – viewing or modifying a container

NOTE: From the SRP Manager help files, select the Viewing or Modifying a Container help menu item for more information on viewing or modifying a container.
4.7 SRP Manager – starting a container
You can start a container if it is currently in the stopped state. The current state of each container is displayed on the SRP Manager homepage. From the SRP Manager homepage, follow these steps to start a container:
1. Click on the container that you want to start.
2. Click Start located in the right hand task bar.
In Figure 4.6, the user selected Container_004.

Figure 4.
In Figure 4.7, once the user has selected Container_004 and clicked Start…, the following status window is displayed.

Figure 4.7 SRP Manager – starting a container

NOTE: From the SRP Manager help files, select the Starting a Container help menu item for more information on starting a container.
4.8 SRP Manager – stopping a container
You can stop a container if it is currently in the started state. The current state of each container is displayed on the SRP Manager homepage. From the SRP Manager homepage, follow these steps to stop a container:
1. Click on the container that you want to stop.
2. Click Stop located in the right hand task bar.
In Figure 4.8, once the user has selected Container_004 and clicked Stop…, the following status window is displayed.

Figure 4.
NOTE: From the SRP Manager help files, select the Stopping a Container help menu item for more information on stopping a container.
5 Configuring HP-UX Containers using the srp_sys command
The /opt/hpsrp/bin/srp_sys command is used to enable, disable, view, and update systemwide configuration properties that affect the HP-UX Containers product. The srp_sys command has the following syntax:
srp_sys [-s[etup]]
srp_sys [-e[nable]]|[-d[isable]] [subsystems[,...]] [variable=value [...]]
srp_sys [-l[ist]] [subsystems[,...
The srp_sys -enable option allows you to run the srp_sys command in noninteractive mode. If no subsystem is specified, a default set of required HP-UX subsystems is enabled (coreset, migrate, cmptlogin, prm, and sshd).
• Using srp_sys with the -setup option: The srp_sys -setup command ensures that the system is in an appropriate state to successfully configure containers. If a subsystem is not enabled, srp_sys prompts you to specify whether you want to enable the service.
explicit network compartment network rule matching the communication attempt.
• cmpt_namedstrs: Configures named streams to be compartment aware.
• cmpt_restrict_tl: Required for the HP-UX Containers product to support ONC services. Configures the streams loopback driver (TL) to be compartment aware.

Compartment login (cmptlogin)
This feature is required for configuring workload containers.
apply IPSec policies to encrypt and authenticate packets between the container IP address and a remote IP address.
• Secure Shell Daemon for Global View (sshd): The Secure Shell daemon (sshd) in the global view listens on all IP addresses, which interferes with the Secure Shell daemons in the containers. To prevent the global sshd from listening on the containers' IP addresses, this service restricts sshd to listen on a specific IP address assigned to the global view.
Migration can be performed at anytime by executing the command '/opt/hpsrp/bin/util/srp_migrate'
Migrate all existing workload containers? [y] n RETURN
Specify which workload containers to migrate? [n] RETURN
##############################
#
# cmpt Login configuration
#
##############################
Checking compartment login feature ...
#
##############################
Checking sshd configuration ... [ Not Enabled ]
The Secure Shell daemon (sshd) in the global view is listening to all IP addresses. This will interfere with Secure Shell daemons in SRP containers.
Restrict the IP addresses that sshd listens to in the global view? [y] RETURN
Enter IP addresses, separated by comma ',': [16.92.124.238]
sshd will then listen on these interfaces: 16.92.124.238
Saving changes to /opt/ssh/etc/sshd_config [ OK ]
Restarting Secure Shell daemon ...
Status           Description
Disable on Boot  The subsystem has been marked to be disabled, but needs a reboot to be fully disabled. Until the reboot has happened, parts of the subsystem will still be enabled.
Not Enabled      The subsystem is installed, but has not been enabled.
Not Installed    The subsystem software has not been installed.

You can use the -verbose option to obtain more detailed information.

Example: Listing the subsystem status
# /opt/hpsrp/bin/srp_sys -l
Checking SRP core subsystems ...
6 Managing containers using the srp command
The srp command is the command-level interface available to configure containers. It allows you to add, update, delete, list, and manage containers (see srp(1M)).

6.1 Templates, services, and variables
The srp command uses templates to determine the type of container and the actions to be performed on it. Templates consist of modular units called services, which group the actions performed on each functional component of a container.
Service Name  Description
container.

Variables
You can set variables when you create a container and modify them once the container is created. Examples of variables include ip_address and iface. 15.8 System templates lists the variables valid for each system container template. 16.8.1 Workload template lists the variables valid for each workload container template.

6.2 Creating a container
The srp -add command creates a container. The -t template option specifies the type of container you are creating.
Example 6.1 Creating a system container using the srp command
# /opt/hpsrp/bin/srp -a myContainer -t system
Enter the requested values when prompted, then press return.
Enter "?" for help at prompt. Press control-c to exit.
6.3 Starting and stopping a container
If a container is configured to autostart during creation, then it is automatically started at system startup time. All the containers are automatically stopped at system shutdown time. You can use the srp -start command to start a container and the srp -stop command to stop a container.
To start a container, enter:
srp -start container_name
To stop a container, enter:
srp -stop container_name
Where container_name specifies the name of the container.
Starting HP-UX Webmin-based Admin ....................... N/A
Starting the HPUX Webproxy subsystem .................... N/A
Starting HP-UX XML Web Server Tools ..................... OK
The HP-UX SRP Container is ready.
#

Example 6.3 Stopping a container
# srp -stop myContainer
SRP stop in progress
____________________
Stopping HP-UX Apache-based Web Server .......................... OK
Stopping HP-UX Tomcat-based Servlet Engine. .................... N/A
Stopping HP-UX Webmin-based Admin ...................
Example 6.4 Displaying the status of a container
# srp -status myContainer
NAME      myContainer
TYPE      system
STATE     started
SUBTYPE   shared
ROOTPATH  /var/hpsrp/myContainer

6.
template and the value for the variable. To list the valid variable names for a service used with a given template, you can use the srp -h -v template template_name -service service_name command. See 6.7 Displaying help text for input parameters to display help text for the input parameters template, service, instance, and variable.
CAUTION: If you do not specify the -template and/or -service arguments with the -delete option, srp deletes all templates and/or services for the container.
The following template variables have been set to the values shown:
prm_cpu_shares = 20
Press return or enter "yes" to make the selected modifications with these values.
Do you wish to continue? [yes] RETURN
replace prm rules succeeded
#

In Example 6.7, the user deletes the container myContainer that is in the stopped state but keeps the container's local files and directories.

Example 6.
Valid Input: workload, system, apache, tomcat, custom, oracledb, sshd.
Default: base.

service
Specifies the services for which you want to display parameters. 15.8 System templates lists the services valid for each system container template. 16.8.1 Workload template lists the services valid for each workload container template.
Default: The default services that are valid for the template. The factory-configured default services are: admin, cmpt, init, login, network, and prm.
• Migrate a container across systems: export and import a container, then delete the original container.
• Create a copy of a container for archival purposes. Similarly, a container can be taken offline by exporting and deleting the original container.

6.9.1 Using the srp -export command
The srp -export command exports the configuration data and, optionally, specified directories, for the specified container.
3. Stop the container:
# srp -stop container_name
• For workload containers: User and group definitions are system properties that are not container specific and therefore are not exported with the container. The compartment login permissions for users and groups allowed to log in to the container are exported, but you must ensure that the required users and groups are configured on the target system, or are accessible via a common name service, such as LDAP-UX.
You can use the following notation to assign a value to a variable: name=value, name='value', or name="value"

6.9.3 Best practices for exporting and importing a container
To simplify the export and import of a container across systems, HP recommends that you keep the properties of containers atomic by not sharing files and data with other containers unnecessarily.
• Use the -preview option to identify a suitable target system: You can use the srp -import command with the -preview option to validate whether a target system will accept an exchange file for import.
• Adjust device configuration after import: Configuration that specifies physical paths, such as network interface devices and file system mount points, requires manual configuration changes after import. HP recommends that you adjust these device configurations after completing the import operation.
7 Using the srp_init command
The /sbin/srp_init command serves as a daemon and as a command to interact with the daemon. The srp_init daemon is the first process launched inside a container when the container is started. The srp_init daemon is a container process spawner that launches processes based on the entries in the container's /etc/inittab file. It also monitors the processes it spawns during the lifetime of the container.

7.
NOTE: When running HP-UX commands in the workload container that reference the utmp, wtmp, and btmp database files (for example, who, last, write, and login), the database files referenced are in the global view. Because workload containers do not have private copies of these database files, the output is not specific to the container, but instead to the global view. For a workload container, the old and new run levels will be updated in the /var/hpsrp/container_name/var/opt/hpsrp/tmp/utmp.runlvl file. 7.1.
8 Using the srp_su command
The srp_su command executes the su(1) command in the specified container. It can be used to log in to a container or to execute a single command before returning to the global view. You must execute the srp_su command from within the global view. The srp_su command has the following syntax:
srp_su container_name [su_arguments]
Where:
container_name  Specifies the name of the target container.
su_arguments    Specifies any valid su(1) arguments.

8.
Then use the srp_su command to create a login session in myContainer, as follows:
# srp_su myContainer - admin1
The correct admin1 user password will allow admin1 to log in to the container myContainer.
NOTE: The audit records of the srp_su target user are attributed to the source user (the user running the srp_su command). To attribute the audit records to the target user instead of the source user, add the line SU_AUDIT_TAG=1 to the global /etc/default/security file.
9 Using the srp_ps command When you run the standard ps command in the global view, it will report all the processes on the system including all the processes in containers. To report process status for a specific container from the global view, use the /sbin/srp_ps command.
10 Establishing a user session in a container
HP recommends the following methods to establish a user session in a container:
• srp_su: Use this command from the global view to establish a user session within any type of container. Note that by default, this command is restricted to the root user. For example:
# srp_su myContainer
See 8 Using the srp_su command for instructions on how to use the srp_su command.
11 Container startup and shutdown
The HP-UX Containers startup and shutdown script (/sbin/init.d/srp) executes when the system transitions to run level 3 during startup, and executes when the system transitions down to run level 2 during shutdown. The following startup and shutdown scripts are linked to /sbin/init.d/srp:
/sbin/rc3.d/S999srp
/sbin/rc2.d/K001srp
Containers that are configured to autostart will be started when the /sbin/rc3.d/S999srp script is run at system startup.
For workload type containers only: The container setup and shutdown script (/var/hpsrp/container_name/.setup/setup) is executed in the global view before and after startup and shutdown of the container. You can modify the script to perform container management activities at container start and stop time that cannot be performed inside the container, such as notifying management or auditing systems, or mounting the container home directory (/var/hpsrp/container_name).
12 Networking with containers All container types require an IP address to allow network interaction with remote systems. All network activity between a container and other network endpoints will use the IP address dedicated to the container. Once you have assigned an IP address to a container, the IP address can only be used while the container is started. When the container is stopped, the IP address is unavailable.
You can specify any valid physical interface for the iface parameter that the ifconfig(1M) command will accept. You do not have to specify a logical interface format (lan0:x); the srp command will find the next available, unassigned logical interface for the physical interface that you specify. Once assigned, however, the logical interface is statically configured in the /etc/rc.config.d/netconf[-ipv6] configuration (unless you opted to not manage the network interface in the netconf file).
INTERFACE_SKIP="true"
IP_ADDRESS="16.92.121.29"
TYPE="ipv4"
SUBNET_MASK="255.255.252.0"
INTERFACE_STATE="up"
BROADCAST_ADDRESS=""
DHCP_ENABLE="0"
INTERFACE_MODULES=""
CMGR_TAG="compartment="myContainer" template="system" service="network" id="1""
ROUTE_DESTINATION="default"
ROUTE_SKIP="true"
ROUTE_MASK=""
ROUTE_GATEWAY="16.92.121.29"
ROUTE_COUNT="0"
ROUTE_ARGS=""
ROUTE_SOURCE="16.92.121.
MEM Entitle: 25.00%   CPU Entitle: 7.69%
MEM Max: (none)       CPU Max: (none)
Usage: 6.85%          Usage: 0.00%

If you need to modify any of the managed networking service fields for an existing container instance, use the srp -replace containername -service network -id command to alter one or more of the existing values for the container instance. The instance value must already exist in the container configuration. Refer to the srp -list containername -service network -v output for the appropriate instance reference.
ROUTE_MASK[10]="255.255.255.0"
ROUTE_GATEWAY[10]=""
ROUTE_COUNT[10]="1"
ROUTE_ARGS[10]=""
ROUTE_SOURCE[10]=""
The field must be reachable from the address by being on the same subnet as the address.
NOTE: You should be familiar with shell scripting when managing the network configuration, as well as with the syntax of the route(1M) and ifconfig(1M) commands.

12.
specific interface entries; the associated index for each INTERFACE_* variable is applied to the IP address configuration. The ROUTE_SOURCE IP address is used to identify the correct container route entries. Connectivity between containers and the global view is permitted by default. The routing between each area is managed internally without going out on the physical network.
ROUTE_ARGS[9]=""
ROUTE_SOURCE[9]="10.2.2.5"
ROUTE_PARAMS[9]="force"
NOTE: Configuring cross-container rules can interfere with the ability to import containers to another system. See 6.9 Exporting and importing containers for more details.

12.7 IP Routers and strong end system (ES) model
To ensure proper routing, HP-UX Containers configures the system to use the strong end system (ES) model, as described in RFC 1122, to provide symmetric routing of connection-based network traffic.
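Because srp records each container's interface and routes in /etc/rc.config.d/netconf by index, and the srp_sys setup above restricts the global-view sshd to a specific address, both are worth checking before containers are started. The following POSIX sh script is an added example, not code from the HP-UX Containers guide or product: on constructed netconf and sshd_config samples (all addresses, container names and the simplified CMGR_TAG quoting are assumptions), it flags container default routes whose gateway is off the container's subnet and ListenAddress entries that bind all addresses or a container IP.

```shell
#!/bin/sh
# Added example (not from the HP-UX Containers guide or product): checks on the
# container entries srp leaves in netconf and on the global-view sshd_config.
# The samples below are constructed; addresses and CMGR_TAG quoting are assumed.
NETCONF_SAMPLE=${TMPDIR:-/tmp}/netconf.sample.$$
SSHD_SAMPLE=${TMPDIR:-/tmp}/sshd_config.sample.$$
trap 'rm -f "$NETCONF_SAMPLE" "$SSHD_SAMPLE"' EXIT
# Constructed netconf: index 0 is the global view, 1 and 2 are container entries
cat > "$NETCONF_SAMPLE" <<'EOF'
IP_ADDRESS[0]="16.92.124.238"
SUBNET_MASK[0]="255.255.252.0"
IP_ADDRESS[1]="16.92.121.29"
SUBNET_MASK[1]="255.255.252.0"
CMGR_TAG[1]="compartment=myContainer template=system service=network id=1"
IP_ADDRESS[2]="10.2.2.5"
SUBNET_MASK[2]="255.255.255.0"
CMGR_TAG[2]="compartment=otherContainer template=workload service=network id=1"
ROUTE_DESTINATION[1]="default"
ROUTE_GATEWAY[1]="16.92.120.1"
ROUTE_SOURCE[1]="16.92.121.29"
ROUTE_DESTINATION[2]="default"
ROUTE_GATEWAY[2]="10.2.3.1"
ROUTE_SOURCE[2]="10.2.2.5"
EOF
# Constructed sshd_config: the second ListenAddress is a container address
cat > "$SSHD_SAMPLE" <<'EOF'
ListenAddress 16.92.124.238
ListenAddress 16.92.121.29
EOF

# nc_get VAR INDEX FILE: value of VAR[INDEX]="..." in FILE (empty if absent)
nc_get() {
    sed -n "s/^$1\[$2]=\"\(.*\)\"[[:space:]]*\$/\1/p" "$3" | head -n 1
}
# Indexes whose CMGR_TAG names a compartment, i.e. entries written by srp
container_indexes() {
    sed -n 's/^CMGR_TAG\[\([0-9]*\)]="compartment=.*/\1/p' "$1"
}
# Route indexes whose ROUTE_SOURCE is the given IP (dots escaped for sed)
route_indexes_for() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^ROUTE_SOURCE\[\([0-9]*\)]=\"$esc\"/\1/p" "$1"
}
# Dotted-quad IPv4 address to a 32-bit integer (no input validation)
ip2int() {
    echo "$1" | { IFS=. read -r o1 o2 o3 o4; echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 )); }
}
# same_subnet IP1 IP2 MASK: succeeds when both addresses share the network
same_subnet() {
    net_a=$(ip2int "$1"); net_b=$(ip2int "$2"); net_m=$(ip2int "$3")
    [ $(( net_a & net_m )) -eq $(( net_b & net_m )) ]
}

# check_container_routes NETCONF: a container's default route must use a gateway
# on the container's own subnet; problems go to stderr, their count to stdout
check_container_routes() {
    problems=0
    for i in $(container_indexes "$1"); do
        ip=$(nc_get IP_ADDRESS "$i" "$1")
        mask=$(nc_get SUBNET_MASK "$i" "$1")
        tag=$(nc_get CMGR_TAG "$i" "$1")
        for j in $(route_indexes_for "$1" "$ip"); do
            gw=$(nc_get ROUTE_GATEWAY "$j" "$1")
            [ -z "$gw" ] && continue        # interface route, nothing to check
            if ! same_subnet "$ip" "$gw" "$mask"; then
                echo "netconf[$j] ($tag): gateway $gw is not on $ip/$mask" >&2
                problems=$((problems + 1))
            fi
        done
    done
    echo "$problems"
}

# sshd_listen_problems SSHD_CONFIG NETCONF: the global sshd must bind a specific
# global-view address, never all addresses and never a container address (IPv4 only)
sshd_listen_problems() {
    problems=0
    addrs=$(sed -n 's/^[[:space:]]*ListenAddress[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1")
    if [ -z "$addrs" ]; then
        echo "sshd_config: no ListenAddress, sshd binds all addresses" >&2
        problems=1
    fi
    for addr in $addrs; do
        case $addr in
        0.0.0.0*|::*|\[::*) echo "sshd_config: ListenAddress $addr binds all addresses" >&2
                            problems=$((problems + 1)); continue ;;
        esac
        addr=${addr%%:*}                     # drop an optional :port
        for i in $(container_indexes "$2"); do
            if [ "$addr" = "$(nc_get IP_ADDRESS "$i" "$2")" ]; then
                echo "sshd_config: ListenAddress $addr is the address of a container" >&2
                problems=$((problems + 1))
            fi
        done
    done
    echo "$problems"
}

echo "route problems: $(check_container_routes "$NETCONF_SAMPLE"), sshd listen problems: $(sshd_listen_problems "$SSHD_SAMPLE" "$NETCONF_SAMPLE")"
```

Run against the real files by replacing the two sample paths with /etc/rc.config.d/netconf and /opt/ssh/etc/sshd_config; a non-zero count in either check means the container network or the global sshd needs attention before the containers are started.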
13 Using Serviceguard with containers Serviceguard allows you to create high availability clusters of HP 9000 or HP Integrity Servers. A high availability computer system allows application services to continue in spite of a hardware or software failure. Highly available systems protect users from software failures as well as from failure of a system processing unit (SPU), disk, or local area network (LAN) component. In the event that one component fails, the redundant component takes over.
• If you want to use the Serviceguard network failover capability, then Serviceguard must control the management of the network interface. IMPORTANT: Unlike HP-UX Containers, Serviceguard does not support the system network configuration files /etc/rc.config.d/netconf and netconf-ipv6. Therefore, a Serviceguard package during startup can unknowingly use container assigned network interfaces which are not active when the package is started, but are configured in /etc/rc.config.
Serviceguard access the container. You must prepend the srp_su command to the command that requires execution within a container. In the following example, the representative Serviceguard package was modified to control myContainer, a package executing in the container.
directory, then the Serviceguard package should mount and unmount the home directory before starting and stopping the container. Either HP-UX Containers or Serviceguard can manage the network interfaces. Similar to the classic model, if Serviceguard is managing the network interfaces, HP recommends that the package is configured to create the default route for any container IP addresses. See Appendix A: Container default route script for Serviceguard for an example.
Part III: Container type specific management
14 Container types
HP-UX Containers supports deployment of containers of different types on the same system. In order to choose the container type best suited for your workload, you should determine which container properties best meet your needs.

14.1 System containers
System containers provide additional virtualization and private namespace capabilities over workload containers that give users the look and feel of a private operating system instance.
Property / Workload Container / System Container (private FS)
Memory overhead per container: Negligible
CPU/networking/storage access overhead per container: Negligible
CPU and memory allocation controls: Guaranteed minimum or dedicated
Private namespace support: Network portspace; Processes: Isolated
System services provisioned per container: Secure Shell (optional)
Lifecycle: Per container init processing, start, stop, import, and export.
User management: Managed from the global view.
Property / Workload Container / System Container (private FS)
Workload Container: Installed once from the global view. Products with targeted install location may be installed into container. System Container (private FS): Installed from the global view and pushed to each container.
SD Product Installation restrictions: Workload Container: None. System Container (private FS): Only products that are on the allowed list will be pushed to the containers.
Import target system software requirements: HP-UX Containers product version compatibility.
14.4 Choosing a container type HP-UX Containers provide multiple container types to meet consolidation needs of the environment. However, it is important to choose the right container type for the workload before embarking on your consolidation effort. A workload can be defined as a related set of applications and supporting services – far more than just an application.
15 System container With a system container, you can perform various management tasks only from the global view (see 15.7 Limitations and disallowed operations), and others from within the container.
A system container with a shared file system subtype has a smaller disk footprint and is faster to create, as the system binary directories /usr and /sbin are shared with the global view. It is ideal for application deployments that do not require write access to /usr and /sbin and whose software version can remain in sync with the global view version. A system container with a private file system subtype provides write access to all the directories except /stand.
character device (for example, /dev/rdisk/disk10) within the system container as described in 15.4 Managing devices. Because operations such as creating a file system on a device using the mkfs command are not allowed within a system container, you must create the file system on the device before provisioning it in the container. NFS mounts must be performed from within the container. NFS mounting from the global view to a path under a container root directory (/var/hpsrp/container_name) is not supported.
# ls /dev/vg53/lvol4
/dev/vg53/lvol4 not found
In the previous sample output:
• The first entry refers to the container root (/).
• The next two entries are mounts created for the container from the global view.
• The last entry refers to a lofs mount created within the container.

15.2 Users, groups and authentication
System containers are provisioned with a separate set of configuration files and service daemons to manage users and groups, login authentication, and name service resolution.
kctune srp_obfuscate_enabled=1            # to enable UID and GID obfuscation only
kctune srp_obfuscate_enabled=2            # to enable process name obfuscation only
kctune srp_obfuscate_enabled=3 (default)  # to enable all process related obfuscation

15.3 Security features
15.3.1 Extended security attributes
Extended security attributes for binary files (see setfilexsec(1M) and getfilexsec(1M)) are maintained on a per-container basis for system containers.
15.3.2.2 Audit record viewing in the global view An administrator in the global view can use the auditdp(1M) command to view audit records generated by processes in any system container or in the global view. When viewed in the global view, audit records generated in system containers can have incorrect mapping between user/group IDs and names.
• Pseudo-transport devices (such as /dev/tcp and /dev/ip)
• Pseudo-terminal devices (such as /dev/pty*)
• Mount device (/dev/mnttab)
• Random number generator (/dev/random)
• Null device (/dev/null)
• Privilege-aware devices that can restrict the operations (such as /dev/devkrs and /dev/config)
Devices cannot be created from within a system container. Additional devices can be provisioned to a system container from the global view using the srp command with the -tune option.
SD command  Global view  System container
swremove    Enhanced     Not supported (blocked)
swconfig    Enhanced     Not supported (blocked)

15.5.1 Managing software
15.5.1.1 Installing software
The swinstall command is used to install the software selection from a software source. By default, the software is configured for use after installation. On an HP-UX Containers-enabled system, the software source must be a local software depot; it must not be a remote network registered depot (see 15.5.
To remove a product from the system and all the configured system containers, execute the swremove command in the global view as follows:
# swremove MY_PRODUCT

15.5.1.4 Configure, unconfigure, or reconfigure installed software
The swconfig command is used to configure, unconfigure, or reconfigure installed software. The operation is first performed in the global view and then repeated in each system container on the system.
For example, you can copy a remote registered depot to the global system as follows:
# swcopy -s remote_machine:/depots/remote.depot PRODUCT @ /depots/myproduct.depot

15.5.3 Allowed products
The products that are installed in the system containers are a subset of the products installed in the global system. HP has a predefined list of allowed products, as well as a list of HP restricted products that can never be added. The list of allowed products is configurable using the utility srp_allowed_product.
• If the local_srp_list option is set and the global_srp option is not specified, then the install, remove, or configure operation occurs only in the listed system containers.
You can use these new options to recover a container after a software installation failure (see 15.5.5 Recovering unsynchronized containers) or when installing or removing a product from the global view that is not part of the system containers.
For swinstall, you can reissue the command without targeting the container since the operation will proceed to the system container even if the product is installed in the global view. For swremove, you must target the system container that had the issue, since swremove will not proceed past a global system in which the remove has already occurred.
container basis. Use a recognizable identifier, such as the application name for the instance_id parameter when deploying the custom template. When deploying multiple applications within a container, consider applying the custom template (if needed) once per application. 15.7 Limitations and disallowed operations All users in a system container (including root) are prevented from performing the following list of administrative tasks. These administrative tasks must be performed in the global view.
Disallowed Privilege   Description                                                                                                   Example
CHANGECMPT             Grants a process the ability to change its compartment.                                                       privrun(1M)
CMPTREAD               Allows a process to open a file or directory for reading, executing, or searching, bypassing compartment rules.
CMPTWRITE              Allows a process to write to a file or directory, bypassing compartment rules.
COMMALLOWED            Allows a process to override compartment rules in the IPC and network subsystems.
Disallowed Privilege   Description                                                                      Example
(continued)            Capacity product.
SWAPCTL                Allows a process to manage and configure swap space.                            swapctl(2), swapon(1M)
SYSNFS                 Allows a process to export a file system.
TRIALMODE              Allows a process to log privileges required to execute in the syslog file.

15.8 System templates
The following table describes the templates that can be included for a system container:
Template            Description
system (required)   The system template is the primary template for system containers.
Service / Variable   Description
change_password      Specify whether the container's root user password should be changed when the container is replaced. Default: No
domain_name          DNS administrative domain to which this container belongs.
dns_server_ip, device_list, device, Provision_fs, delete_files_ok, prm, prm_group_name, prm_group_type, prm_cores, prm_cpu_shares, prm_cpu_max, prm_mem_shares, prm_mem_max, prm_phys_mem, network*, ip_address(+), assign_ip, iface(+)
Service / Variable   Description
(continued)          Default: None.
ip_mask              IP subnet mask for this container (IPv4 addresses only). Default: The network mask for the address class, as specified in RFC 791 (IETF specification).
gw_ip_address        Gateway IP address for the default route for the configured container IP address. Enter the value 0 to specify no gateway IP address. Default: Same as the IP address configured for this container.
ipfilter: ipf_for_ipsec; ipsec: ipsec_peer_addr(+), ipsec_transform
16 Workload Container
Workload containers provide access-control-based isolation of a workload without using namespace-based isolation features. Although they lack the user-space virtualization properties of system containers, the absence of a private file namespace makes a workload container more lightweight and removes the need for SD software synchronization with the global view, which decreases maintenance cost and simplifies cloning and Serviceguard integration.
16.3 Security features HP-UX Containers provides a framework for managing container and networking security. This framework is primarily enforced with Security Containment compartment access rules. The default set of container access rules delivered with HP-UX Containers has been developed to favor functional isolation, application compatibility, and user session functionality over strong security containment.
16.6 Deploying applications In order to determine how to deploy applications for use by workload containers, you must first determine if the application is supported for single or multi-instance deployment. 16.6.1 Single instance applications While nearly all applications can be executed within a container environment, some applications do not support multiple instances of the same application executing on the same system concurrently.
installed entirely under the container home directory, customization of the container’s compartment rules is usually not necessary. Life cycle management, including cloning and migration of the container will also be simplified as the application files will be managed as part of the container. • Deploy files shared by multiple containers under the standard UNIX directories for hosting shared application files (for example, /opt/ and /usr/).
Templates           Description
(continued)         to install a separate instance of the Oracle database software inside the container, you do not need to use this template. See 16.8.5 Oracle template.
custom (Optional)   Accommodates additional applications. Allows defining application specific compartment access rules, ipfilter rules and provisioning. See 16.8.6 Custom template.

16.8.1 Workload template
The workload template includes the following services and variables:
Table 16.
Service / Variable   Description
(continued)          Default: root
login_group          Comma separated list of existing groups authorized to log in to the container. Default: None
login_user           Comma separated list of existing users authorized to log in to the container.
init*: autostart; provision_fs: delete_files_ok; prm: prm_group_name, prm_group_type, prm_cores, prm_cpu_shares, prm_cpu_max, prm_mem_shares, prm_mem_max, prm_phys_mem; network*: ip_address(+), assign_ip, iface(+), ip_mask, gw_ip_address
Service / Variable         Description
(continued)                Default: Same as the IP address configured for this container.
ipfilter: ipf_for_ipsec    Specify whether the IPFilter rules should allow IPSec packets (Yes or No). Default: No.
ipsec: ipsec_peer_addr(+)  Destination IP address for the IPSec policies. Valid Input: An IPv4 address in dotted-decimal notation or an IPv6 address in colon-hexadecimal notation. Default: None
ipsec: ipsec_transform     Transform for IPSec host policy.
Service   Description
• Uses the SSH ssh-keygen utility to generate an RSA key pair to use as the sshd host key pair. These keys are stored in the container-specific sshd data path directory (/var/hpsrp/container_name/opt/ssh) with the following names:
  o ssh_host_rsa_key (RSA private key)
  o ssh_host_rsa_key.
Service     Variable        Variable Description
ipfilter    ipf_tcp_ports   Specifies the local TCP port numbers for IPFilter rules that allow inbound packets. Variable Name: ipf_tcp_ports. Valid Input: One or more TCP port numbers, each in the range 1-65535, separated by commas. Default: 22. This is the IANA registered port number for SSH remote login.
provision   data_path       Same as described in cmpt service.
            exec_path       Same as described in cmpt service.
            data_src
Service   Description
• Creating a container-specific http.conf file with container-specific configuration data, such as setting data paths to the appropriate directories below the container Apache home directory and setting the IP address to the container IP address. Enables the mod_ajp module for Apache Tomcat integration.
• Creating container-specific initialization scripts and a startup file to start Apache with the container-specific http.conf file when the container startup script is executed.
Service / Variable   Description
http_port            (continued) Valid Input: A TCP port number in the range 1-65535. Default: 80, the IANA registered port number for HTTP.
https_port           Specifies the TCP port number on which the container Apache server will receive HTTPS (SSL) requests. Valid Input: A TCP port number in the range 1-65535. Default: 443, the IANA registered port number for HTTPS.
Remaining variables: ajp_port, ipf_tcp_ports; provision: wss_version, data_path, http_port, https_port, ajp_port, data_src, user, start_apache, startssl_apache
Service   Description
(continued) system rules to allow the container to access the specified Apache directories in the global view. The srp command adds entries to the container rules file (/etc/cmpt/container_name.rules) that authorize access to the directories specified in the exec_path, data_path, and java_path variables. The srp command also adds an include statement to add the rules from the /opt/hpsrp/etc/cmpt/tomcat.srp_incl file. As delivered by HP, this file is empty.
Table 16.9 Variables for the tomcat template
Service   Variable      Variable Description
cmpt      wss_version   The HP-UX Webserver Suite version of the Tomcat Servlet Engine to be used to configure the template. Default: 3.0.
          exec_path     The root directory for Tomcat executables. Default: /opt/hpws22/tomcat.
          data_src      The directory from which you want to copy Tomcat data. The provision service creates a copy of this subtree and its contents and installs it in the specified data_path for use by the container.
16.8.5 Oracle template
The oracledb template allows you to configure a container to share a single set of Oracle executables with other containers. You do not need to use this template if you are installing a separate instance of the Oracle executables in the container.
Table 16.10 Services for the oracle template
Service   Description
cmpt      The cmpt service for the oracledb template configures Security Containment file system rules to allow the container to access the specified Oracle directories.
Service     Variable        Description
ipfilter    ipf_tcp_ports   Specifies the local TCP port numbers for IPFilter rules that allow inbound packets. Variable Name: ipf_tcp_ports. Valid Input: One or more TCP port numbers, each in the range 1-65535, separated by commas. Default: 1521. This is the default port number for the Oracle Net Listener process (commonly referred to as the listener).
provision   exec_path       Same as described in cmpt service.
            data_path       Same as described in cmpt service.

16.8.
all_access   Specifies directories to configure with all access in the compartment rules file for this container. To specify multiple directories, use commas to separate directory names. Default: None.
no_access    Specifies directories to configure with none access in the compartment rules file for this container.
ipfilter: ipf_tcp_ports, ipf_udp_ports; provision: script
17 Compatibility with other HP-UX products 17.1 Bastille revert feature Bastille provides the ability to save and restore a baseline configuration of an HP-UX system. If you use the bastille -r command to revert to the Bastille baseline configuration, you can lose any IPFilter rules configured using HP-UX Containers that are not in the baseline configuration. HP recommends that you do not configure the IPFilter service with HP-UX Containers if you are using Bastille to manage IPFilter rules.
18 Verifying and troubleshooting containers This chapter contains procedures for verifying and troubleshooting containers. This chapter addresses the following topics: NOTE: You can run system administration and performance tools (such as glance, gpm, kprof, kgmon, ktrace, and caliper) in the global view. 18.
  o Use NFS to mount the depot from the remote server to the local filesystem.
Once the software depot is available locally, run the swinstall command to point to the local source.
• Scenario 4: The GUI version of the swinstall command does not work in the HP-UX Containers environment.
Symptom: The swinstall command invoked with no command line options fails with the following error message:
# swinstall
ERROR: The interactive UI is not supported in SRP environment.
• Scenario 7: Process respawn does not work in the container.
Symptom: Processes configured for respawn in the container's /etc/inittab file do not respawn.
One method to reduce the number of unrelated audit entries is to disable auditing for all users, then enable auditing for the user ID used to execute the application. Next, configure auditing for failed attempts for common file and IPC operations. For example:
audevent -F -e open -e create -e delete -e ipccreat -e ipcopen \
    -e ipcclose -s kill

18.3.
Compartment   Default PRM Group
_____________________________________________
EntDir        EntDir
MktDB         MktDB
MktWeb        MktWeb
SRP2          SRP2

The prmmonitor utility displays statistics for each PRM group.
# prmmonitor
PRM configured from file:  /etc/prmconf
File last modified:        Tue Oct 14 12:57:58 2008
HP-UX habs B.11.
For example:
# ipfstat -io
pass out quick proto tcp from 192.0.2.1/32 to any keep state
pass out quick proto udp from 192.0.2.1/32 to any keep state
pass out quick proto icmp from 192.0.2.1/32 to any keep state
pass in quick proto icmp from any to 192.0.2.1/32
block in quick from any to 192.0.2.1/32

18.3.
Rule Name:     SRP-web2-base-1
ID:            8
Cookie:        3
Priority:      30
Src IP Addr:   192.0.2.1
Prefix:        32
Port number:   0
Dst IP Addr:   10.2.2.
18.4.2 Removing or disabling IPFilter
If you are using IPFilter with HP-UX Containers, you can check whether IPFilter rules are blocking access to the container applications. You can do this by removing the ipfilter service from the container, as follows:
srp -d container_name [-t template] -s ipfilter
If you do not specify the -t argument, the srp command removes the IPFilter configuration for the template (base for the workload container and system for the system container).
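Before removing the ipfilter service from a container as described in 18.4.2, it is useful to read the rule listing that ipfstat -io prints (see the example under 18.3) and pick out the rules that pass or block traffic for the container address. The shell script below is an added example and is not part of the HP-UX Containers product or this guide: the function names container_rule_summary and inbound_block_rules, and the SAMPLE_RULES text, are constructed for illustration, with the sample modelled on the ipfstat listing shown earlier.

```shell
#!/bin/sh
# Added example (not from the HP-UX Containers guide). Given IPFilter rule text
# in the form printed by "ipfstat -io", count the rules that pass or block
# traffic for one container address, per direction, and list the inbound
# block rules, which are the usual reason a container service is unreachable.

# Constructed sample, modelled on the guide's "ipfstat -io" listing.
SAMPLE_RULES='pass out quick proto tcp from 192.0.2.1/32 to any keep state
pass out quick proto udp from 192.0.2.1/32 to any keep state
pass out quick proto icmp from 192.0.2.1/32 to any keep state
pass in quick proto icmp from any to 192.0.2.1/32
block in quick from any to 192.0.2.1/32'

# container_rule_summary ADDR
#   Reads rule lines on stdin and prints one line of the form
#   "pass_in=N pass_out=N block_in=N block_out=N", counting rules whose
#   destination (inbound) or source (outbound) is ADDR/32.
container_rule_summary() {
    awk -v a="$1/32" '
        {
            src = ""; dst = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "from") src = $(i + 1)
                if ($i == "to")   dst = $(i + 1)
            }
            if ($2 == "in" && dst == a) {
                if ($1 == "pass") pin++; else if ($1 == "block") bin++
            }
            if ($2 == "out" && src == a) {
                if ($1 == "pass") pout++; else if ($1 == "block") bout++
            }
        }
        END {
            printf "pass_in=%d pass_out=%d block_in=%d block_out=%d\n", pin, pout, bin, bout
        }'
}

# inbound_block_rules ADDR
#   Prints the rules on stdin that block inbound traffic to ADDR/32.
inbound_block_rules() {
    awk -v a="$1/32" '
        $1 == "block" && $2 == "in" {
            for (i = 1; i <= NF; i++) if ($i == "to" && $(i + 1) == a) print
        }'
}

# Usage with the constructed sample; on a live system pipe "ipfstat -io" instead.
printf '%s\n' "$SAMPLE_RULES" | container_rule_summary 192.0.2.1
printf '%s\n' "$SAMPLE_RULES" | inbound_block_rules 192.0.2.1
```

The summary line for the sample address shows one inbound pass (ICMP), three outbound passes and one inbound block; comparing the printed block rules with the container's ipf_tcp_ports setting tells you whether the expected inbound ports are covered by a pass rule before you resort to removing the service.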
contract for your product, you can still obtain support services for a fee, based on the amount of time and material required to solve your problem.
4. If you are requested to supply any information pertaining to the problem, gather the necessary information and submit it. Include the following information:
• The output from the following command: srp -l container_name -v
• The contents of the container initialization log file, /var/hpsrp/container_name/etc/rc.log.
Glossary
compartment   Security Containment compartments. Manages isolation and privilege restrictions for sets of HP-UX processes. Each container includes a corresponding compartment definition.
container   A container provides process view isolation, IPC isolation, and a dedicated IP address interface. HP-UX Containers includes two types of containers: system and workload.
container administrator   A global view user that has been granted the administrator role to manage one or more containers.
private file system   A system container subtype. The private file system has only the /stand directory from the global view. All other directories are private to the container.
shared file system   A system container subtype. The shared file system has the /usr, /sbin, and /stand directories from the global view mounted as read-only. All other directories are private to the container.
system container   System containers provide process view isolation, IPC isolation, and a dedicated IP address interface.
Appendix A: Container default route script for Serviceguard
The following script can be used by a Serviceguard package to assign a default route for an IP address associated with a container. This script is included with the HP-UX Containers Serviceguard Reference Implementation for containers and is installed with the HP-UX Containers product at:
/opt/hpsrp/example/serviceguard/srp_as_sg_package/srp_route_script

#
# Copyright (c) 2009 Hewlett-Packard Development Company L.P.
# SRP_SG_GATEWAY[1]="10.1.1.1"
#
###################################################################
. `dirname $0`/srp_script.
        then
            # use local IP as gateway
            emsg=$(/usr/sbin/route delete default $srp_gateway 0 \
                source $srp_ip 2>&1)
        else
            # use remote gateway
            emsg=$(/usr/sbin/route delete default $srp_gateway 1 \
                source $srp_ip 2>&1)
        fi
        if (($? != 0)); then
            print "ERROR: $emsg" >$2
            rval=1
        fi
        let index=$index+1
    done
    return $rval
}

################
# main routine
################
sg_log 5 "SRP routing entry configuration script"

#########################################################################
#
# Customer defined external sc
Appendix B: Direct customization of container properties
In most cases, the srp command is sufficient to modify the properties of a container. However, you can directly modify the container specific scripts or system configuration entries to:
• Execute customer defined operations from the global view when a container is created, deleted, or started and stopped (not supported for system containers).
• Customize security containment definition (not supported for system containers).
# cd /opt/hpsrp/etc/
# cp base.srp_incl myCustom.srp_incl
2. Remove the rules in the original (base.srp_incl) file. This creates an empty security compartment rules file. A container that uses only this file for its compartment rule set will have no access to any files, system IPC, or network interfaces.
NOTE: Creating an empty security compartment rules file for the base template files affects all containers using this file, including those previously created.
The specific tag format for each subsystem is described in the sections that follow. B.2.2.2 Security Containment compartment tag format NOTE: Customization of the Security Containment compartment rules file is not supported for system containers. Data is stored in the /etc/cmpt/container_name.rules file by default.
IPv6 Interfaces
The data is similar for IPv6 interfaces, with the following differences:
• The data is stored in the /etc/rc.config.d/netconf-ipv6 file.
• The names of the interface parameters are the IPv6 equivalents, such as IPV6_INTERFACE, IPV6_ADDRESS, and IPV6_INTERFACE_STATE.
• HP-UX Containers does not add or manage IPv6 route entries.
B.2.2.5 PRM Tag Format
Data is stored in the /etc/prmconf file by default.
Appendix C: Template services – detailed description C.1 The cmpt service The cmpt Service configures an HP-UX Security Containment compartment, which forms the core of each container. You must use the cmpt service when you create a container. C.1.
• Assigns the authorization hpux.SRPadmin-container_name to execute the container master startup script /opt/hpsrp/bin/srp_rc in the container. This enables the administrator to start up and shut down the container. The RBAC cmdprivadm add command is used to perform this task. Configuring an administrative user does not grant that user login or srp_su access to the compartment. C.3 The prm service The prm service creates a new PRM group for a container.
Route information The srp command provides an option to add or modify the default gateway routing table entry for the container IP address. The container IP address is always used as the source IP address. If no target default gateway IP address is provided, the container IP address is used, with a hop (route) count set to 0. If a target default gateway IP address is provided, the hop (route) count is set to 1. The srp command adds the routing configuration data to /etc/rc.config.
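The hop-count rule above is easy to get wrong when a Serviceguard package script builds the route command by hand. The shell function below is an added example, not the guide's srp_route_script and not part of the HP-UX Containers product: it renders the route(1M) command that the rule implies for a container address without executing it, using the "source" keyword in the same form as Appendix A. The names container_route_cmd and is_ipv4 and the sample addresses are constructed; treating a gateway equal to the container address as "no gateway" follows the "use local IP as gateway" branch of Appendix A and is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the HP-UX Containers guide). Render the default-route
# command implied by the guide's rule: the container address is always the
# source; with no gateway (or the value 0) the container address is the gateway
# with hop count 0; any other gateway is used with hop count 1.

# is_ipv4 ADDR -> 0 if ADDR is a dotted-quad IPv4 address, 1 otherwise
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*|'') return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# container_route_cmd ACTION CONTAINER_IP [GATEWAY_IP]
#   ACTION is "add" or "delete". Prints the route command; returns 1 on bad
#   input so a caller under "set -e" stops before touching the routing table.
container_route_cmd() {
    action=$1
    srp_ip=$2
    gw=${3:-0}
    case "$action" in
        add|delete) ;;
        *) echo "bad action: $action" >&2; return 1 ;;
    esac
    is_ipv4 "$srp_ip" || { echo "bad container address: $srp_ip" >&2; return 1; }
    if [ "$gw" = "0" ] || [ "$gw" = "$srp_ip" ]; then
        # No gateway: the container address is its own gateway, hop count 0
        # (assumption: a gateway equal to the container address means "none").
        printf '/usr/sbin/route %s default %s 0 source %s\n' "$action" "$srp_ip" "$srp_ip"
    else
        is_ipv4 "$gw" || { echo "bad gateway address: $gw" >&2; return 1; }
        # Remote gateway: hop count 1
        printf '/usr/sbin/route %s default %s 1 source %s\n' "$action" "$gw" "$srp_ip"
    fi
}

# Usage with constructed sample addresses
container_route_cmd add 192.0.2.1
container_route_cmd add 192.0.2.1 10.1.1.1
```

Because the function only prints, it can be run from a package's pre-check step and its output compared with what srp wrote to /etc/rc.config.d before the route is actually added or deleted.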
C.6 The login service (workload containers) The login service enables you to specify the set of users and user groups whose members are authorized to log in to the container. If you do not configure the login service and you are using the default RBAC system configuration, only the root user is authorized to log in to the container. You can use the login service to grant non-root users the authorization to log in to the container. C.6.
• A rule that allows inbound ICMP packets from any address to the container IP address:
pass in quick proto icmp from any to container_address
If the container address is an IPv6 address, the rule is:
pass in quick proto icmpv6 from any to container_address
• An authentication record The authentication record contains the specified remote IP address and preshared key value. The default HP-UX IPSec values are used for all other parameters. HP-UX IPSec default parameter values For IPSec parameters not directly managed by the srp command, default values are read from the IPSec profile file, /var/adm/ipsec/.ipsec_profile. You can view this text file to determine the default IPSec parameters and determine what values need to be configured on the peer system.
Technology for better business outcomes © Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.