HP-UX Containers (SRP) A.03.01 Administrator's Guide
130
• 11 Container startup and shutdown.
C.6 The login service (workload containers)
The login service enables you to specify the set of users and user groups whose members are
authorized to log in to the container. If you do not configure the login service and you are using the
default RBAC system configuration, only the root user is authorized to log in to the container.
You can use the login service to grant non-root users the authorization to log in to the container.
C.6.1 Configuration location
The login service controls login access to the container using the Security Containment compartment
login feature. It uses RBAC authorizations to allow specified users and group members to pass PAM
authentication in the module pam_hpsec, which controls PAM-enabled authentication services (used
by login, ftp, and other user session services) occurring within the container.
The login service performs the following tasks:
• Creates the role SRPlogin-container_name. The srp command uses the roleadm add
command to perform this task.
• Assigns the specified user or group ID to the SRPlogin-container_name role. The srp
command uses the roleadm assign command to perform this task.
• Assigns the SRPlogin-container_name role login authorization (the authorization
hpux.security.compartment.login) for the container. The srp command uses the
authadm command to perform this task.
C.7 The ipfilter service
The ipfilter service configures HP-UX IPFilter for the container. The IPFilter configuration for the
primary template allows the following packets to pass to the container:
• All outbound packets from the container IP address
• Inbound TCP, UDP, and ICMP responses to packets sent from the container IP address.
• All inbound ICMP packets to the container IP address.
All other inbound packets are blocked.
You can also configure IPFilter to allow inbound and outbound IPsec packets to pass.
C.7.1 Configuration location
If the container address is an IPv4 address, the srp command adds IPFilter rules to the
/etc/opt/ipf/ipf.conf file. If the container address is an IPv6 address, the srp command adds
IPFilter rules to the /etc/opt/ipf/ipf6.conf file.
The srp command adds the following IPFilter rules for the container, where cmpt_address is the
container IP address:
• Rules that allow all TCP, UDP, and ICMP outbound packets from the container IP address.
These rules specify the keep state keywords to allow inbound replies for these packets:
pass out quick proto tcp from container_address to any keep state
pass out quick proto udp from container_address to any keep state
pass out quick proto icmp from container_address to any keep state