HP-UX Containers (SRP) A.03.01 Administrator's Guide
Appendix B: Direct customization of container properties
In most cases, the srp command is sufficient to modify the properties of a container. However, you
can directly modify the container-specific scripts of system configuration entries to:
• Execute customer-defined operations from the global view when a container is created,
deleted, or started and stopped (not supported for system containers).
• Customize the security containment definition (not supported for system containers).
• Configure subsystem parameters not controlled by the srp command.
B.1 Execute customer-defined operations via provision scripts
A provision script performs the tasks needed to provision a container or deploy an instance of an
application in a container. These tasks can include copying data from an application's normal
installation directory to the home directory for the container or, in the case of the custom template,
applying customer-defined operations. The srp command passes selected arguments and variables to
the provision scripts, such as the srp operation, the container name, container IP address, container
data and execution paths, and other application-specific variables.
You can modify the provision scripts to add tasks needed to deploy an application. The provision
scripts provided with HP-UX Containers are:
• apache: /opt/hpsrp/bin/util/apache_setup
• tomcat: /opt/hpsrp/bin/util/tomcat_setup
• ssh: /opt/hpsrp/bin/util/secsh_setup
• custom: provided as an input variable to the srp -add operation
B.2 Customize security containment definition (not supported for system containers)
The srp command uses include files to configure Security Containment compartment rules. There is an
include file for each template, including the primary template that defines the container type. If you
modify the contents of an include file for a template, all containers that have applied the template will
use the modified include file.
The include file names have the following format:
/opt/hpsrp/etc/cmpt/template_name.srp_incl
For example,
/opt/hpsrp/etc/cmpt/apache.srp_incl.
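Because a change to a template's include file changes the compartment rules of every container that applied that template, it is worth detecting such edits. The following POSIX shell script is an added example, not part of this guide or of the HP-UX Containers product; the function names and the baseline file are assumptions, and only the /opt/hpsrp/etc/cmpt directory and the .srp_incl suffix come from the text above.

```sh
#!/bin/sh
# Added example (not HP code). Function names and the baseline file are
# assumptions; the directory and .srp_incl suffix come from the guide.
CMPT_DIR=${CMPT_DIR:-/opt/hpsrp/etc/cmpt}

# Print "template_name checksum size" for each template include file.
incl_snapshot() {
    dir=$1
    for f in "$dir"/*.srp_incl; do
        [ -f "$f" ] || continue
        name=$(basename "$f" .srp_incl)
        echo "$name $(cksum < "$f")"
    done
}

# Compare the include files in $1 with the snapshot saved in $2. Prints one
# line per template that was ADDED, CHANGED or REMOVED; returns 1 on drift.
incl_drift() {
    dir=$1
    baseline=$2
    report=$(
        { sed 's/^/old /' "$baseline"; incl_snapshot "$dir" | sed 's/^/new /'; } |
        awk '
            NF == 4 && $1 == "old" { old[$2] = $3 " " $4 }
            NF == 4 && $1 == "new" { new[$2] = $3 " " $4 }
            END {
                for (t in old) {
                    if (!(t in new)) print "REMOVED " t
                    else if (old[t] != new[t]) print "CHANGED " t
                }
                for (t in new) if (!(t in old)) print "ADDED " t
            }' | sort
    )
    [ -z "$report" ] && return 0
    echo "$report"
    return 1
}

# Usage: script snapshot > baseline-file     (after a reviewed change)
#        script check baseline-file          (e.g. from cron; exit 1 = drift)
case ${1:-} in
    snapshot) incl_snapshot "$CMPT_DIR" ;;
    check)    incl_drift "$CMPT_DIR" "${2:?baseline file required}" ;;
esac
```

Keep the baseline file in a location that only the global-view administrator can write, and refresh it only after a reviewed change to an include file.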
B.2.1 Securing containers with compartment rule include files (not supported for system containers)
The primary template rules file delivered with the product provides a rule set designed to allow
maximum application compatibility while restricting access to files that applications or user
sessions do not need to modify or access. To increase the security of your environment,
you can replace this file with a more restrictive rule set tuned to your application requirements and
local security policy.
You can create an environment with the minimal compartment access rights, as follows:
1. Make a copy of the default base compartment rules file,
/opt/hpsrp/etc/cmpt/base.srp_incl. For example: