HP-UX Containers (SRP) A.03.00 Administrator's Guide
1.4 Isolation and namespace
Container isolation is provided by applying a combination of access restrictions and private
namespace features.
Access restrictions
HP-UX Containers uses HP-UX Security Containment Compartments features to limit access to file
system paths, network interfaces, kernel functionality, inter-process communication (IPC) and process
view/signaling for processes executing within containers. Each container is configured with its own
compartment definition. Access restrictions enforced by compartment definitions take precedence
over standard HP-UX access control mechanisms on all users (including root). The global view
inherits the security properties of the INIT security containment compartment which has no access
restrictions. Some container types allow for the customization of compartment access restrictions.
See Part III Container Type Specific Management for more information.
Private namespaces
A namespace is a scope for unique usage of resource names or other identifiers. When HP-UX
Containers is disabled, HP-UX subsystems provide only a single namespace per server. When HP-UX
Containers is enabled, many HP-UX subsystems support the option to assign a separate namespace
per container. For example, a private hostname namespace allows a container to apply its own
value for hostname. For each subsystem, a container uses either a private namespace, visible only
from within that container, or a shared namespace, visible to the global view and to all other
containers using the shared namespace. Note that visibility of the shared namespace does not grant
access; access is separately granted through the compartment definition plus standard HP-UX access
control mechanisms.
HP-UX Containers provides the ability to assign private namespaces per container for the following
subsystems:
• File system (via chroot)
• Host, node, and domain name
• Loopback IP address port space
• IPC (such as semaphores, message queues, and shared memory)
With the exception of the file system namespace, in which the per-container private namespaces are
nested within the shared namespace, private namespaces are isolated from other containers. Private
namespace support varies by container type. See Part III Container Type Specific Management for
details on namespace support by container type.
1.5 Container types
HP-UX Containers supports multiple container types. When creating a new container on the system,
you must select the container type, which is a permanent attribute that cannot be changed for the life
of the container.
All container types support CPU and memory resource allocations per container, dedicated IP (logical)
network interfaces, process and file access isolation, per-container initialization and shutdown, and
cloning and migration to and from other HP-UX servers.
The following container types are managed by the HP-UX Container utilities:
• System: Provides many of the user space capabilities of a virtual machine guest without the
associated management and performance overhead. Each container has a private chroot-