HP-UX Containers (SRP) A.03.01 Administrator's Guide

explicit network compartment network rule matching the communication attempt.
cmpt_namedstrs
Configures named streams to be compartment aware.
cmpt_restrict_tl
Required for the HP-UX Containers product to support ONC services. Configures
the streams loopback driver (TL) to be compartment aware.
Compartment login (cmptlogin)
This feature is required for configuring workload containers. Enabling it configures
the system to control user-based authentication (including login) on a per-container basis by
enabling the CMPT_LOGIN flag in the /etc/cmpt/cmpt.conf file and verifying that
/etc/pam.conf includes the required pam_hpsec module. See
compartment_login(5) for more information.
IMPORTANT: If the compartment login feature is enabled, only users in the srpgrp group
are allowed to log in to the global view. When the cmptlogin subsystem is enabled using the
srp_sys command, by default all users (with a password) defined in the /etc/passwd file
are allowed to log in to the global view. To allow additional users to log in to the global
view, edit the /etc/group file and add the new users to the srpgrp group.
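The following helpers are an added example and are not part of the HP-UX Containers guide. They show the /etc/group edit described above done safely: listing the current srpgrp members, adding a user without duplicating an entry or emitting a leading comma when the member list is empty, and checking that an uncommented /etc/pam.conf line references pam_hpsec. The GROUP_FILE and PAM_CONF variables are assumed overrides so the script can be run against copies of the live files.

```shell
#!/bin/sh
# Added example, not from the HP-UX Containers guide: helpers for the
# srpgrp group that gates global-view logins once cmptlogin is enabled.
# GROUP_FILE and PAM_CONF are assumed overrides so the helpers can be run
# against copies of /etc/group and /etc/pam.conf instead of the live files.
GROUP_FILE="${GROUP_FILE:-/etc/group}"
PAM_CONF="${PAM_CONF:-/etc/pam.conf}"

# Print the comma-separated member list of srpgrp (empty if there are no
# members or no such group).
srpgrp_members() {
    awk -F: '$1 == "srpgrp" { print $4; exit }' "$GROUP_FILE"
}

# Succeed if user $1 is listed in srpgrp.
srpgrp_has_user() {
    srpgrp_members | tr ',' '\n' | grep -qx -- "$1"
}

# Add user $1 to srpgrp in $GROUP_FILE. Refuses to run if the group entry is
# missing, is a no-op for existing members, and never emits a leading comma
# when the member list starts out empty (e.g. "srpgrp:*:150:").
srpgrp_add_user() {
    user="$1"
    if [ -z "$user" ]; then
        echo "srpgrp_add_user: user name required" >&2
        return 1
    fi
    if [ -z "$(awk -F: '$1 == "srpgrp"' "$GROUP_FILE")" ]; then
        echo "srpgrp_add_user: no srpgrp entry in $GROUP_FILE" >&2
        return 1
    fi
    if srpgrp_has_user "$user"; then
        return 0
    fi
    tmp="$GROUP_FILE.tmp.$$"
    # Rebuild only the srpgrp line; OFS=: keeps the other fields intact.
    awk -F: -v OFS=: -v u="$user" '
        $1 == "srpgrp" { $4 = ($4 == "") ? u : $4 "," u }
        { print }
    ' "$GROUP_FILE" > "$tmp" && mv "$tmp" "$GROUP_FILE"
}

# Succeed if an uncommented line of pam.conf references the pam_hpsec module.
# The guide requires the module; the exact line differs between releases,
# so only the module name is matched.
pam_hpsec_present() {
    grep -v '^[[:space:]]*#' "$PAM_CONF" | grep -q 'pam_hpsec'
}

# Summarise who can reach the global view and whether PAM is wired up.
srpgrp_report() {
    echo "srpgrp members: $(srpgrp_members)"
    if pam_hpsec_present; then
        echo "pam_hpsec: present in $PAM_CONF"
    else
        echo "pam_hpsec: MISSING from $PAM_CONF"
    fi
}

# Minimal command-line front end: "report", "add USER", "has USER".
case "${1:-}" in
    report) srpgrp_report ;;
    add)    srpgrp_add_user "${2:-}" ;;
    has)    srpgrp_has_user "${2:-}" && echo "$2 is in srpgrp" ;;
esac
```

Run it as root on a copy first (GROUP_FILE=/tmp/group.copy sh srpgrp.sh add newuser), then diff the copy against /etc/group before replacing the live file.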
PRM Service (prm)
This subsystem allows you to associate a PRM group with a container to allocate CPU and
memory using HP Process Resource Manager (PRM). The srp_sys command enables or
disables this service using the prmconfig(1) command.
If PRM is configured for a container, PRM can guarantee a minimum and optionally (if
configured) a maximum amount of resource available to the container. If the container has not
been configured with the PRM service, it automatically uses the resources allocated to the
default PRM group, OTHERS (in /etc/prmconf). By default, both CPU and memory allocation
are enabled. Alternatively, the PRM service can be enabled for allocating CPU only: with
the setup option, the user is prompted to choose CPU-only allocation; with the enable
option, the prmsubsys variable can be used to enable CPU-only allocation.
IPFilter module (ipfilter)
This service allows you to control the network traffic of the container according to packet
attributes using HP-UX IPFilter. Enabling this service allows you to configure IPFilter rules for
the container. Containers created with the IPFilter service have all their inbound
network traffic blocked; inbound traffic must be enabled on a per-container basis.
IMPORTANT: Enabling or disabling IPFilter briefly brings down all IP interfaces on the
system, then brings up only the IP interfaces configured in the /etc/rc.config.d/netconf
and /etc/rc.config.d/netconf-ipv6 files. HP recommends that you do not enable or
disable IPFilter while critical network applications are running; enable or disable IPFilter only
when interrupting network connectivity is not disruptive.
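The script below is an added example, not from the HP-UX Containers guide or the SRP tooling. It generates a standalone IPFilter rule fragment for one container that keeps the default posture described above (all inbound traffic blocked) and opens only the listed TCP ports. The interface name, container address and ports are caller-supplied; loading the fragment (for example with ipf -f) and SRP's own per-container rule templates are assumptions and are not reproduced here. The point it illustrates is rule order: with quick rules, the pass rules must precede the catch-all block or nothing gets through.

```shell
#!/bin/sh
# Added example, not from the HP-UX Containers guide: emit an HP-UX IPFilter
# rule fragment for one container that keeps "all inbound blocked" as the
# default and opens only the listed TCP ports. The fragment format and how it
# is loaded (e.g. ipf -f FILE) are assumptions; SRP's per-container templates
# are not reproduced here.
#
# Usage: container_ipf_rules IFACE CONTAINER_IP [TCP_PORT ...]
container_ipf_rules() {
    if [ $# -lt 2 ] || [ -z "$1" ] || [ -z "$2" ]; then
        echo "container_ipf_rules: interface and container IP required" >&2
        return 1
    fi
    iface="$1"; ip="$2"; shift 2
    # Validate every port before printing anything, so a bad argument never
    # leaves a half-written rule set behind.
    for p in "$@"; do
        case "$p" in
            ''|*[!0-9]*) echo "container_ipf_rules: bad port '$p'" >&2; return 1 ;;
        esac
        if [ "$p" -gt 65535 ]; then
            echo "container_ipf_rules: port out of range '$p'" >&2
            return 1
        fi
    done
    echo "# container $ip on $iface: inbound default-deny, selected TCP ports opened"
    # "quick" stops evaluation at the first matching rule, so the per-port pass
    # rules must come before the catch-all block; reversing the order blocks
    # everything. "flags S" matches only new connections; "keep state" admits
    # the rest of each accepted connection.
    for p in "$@"; do
        echo "pass in quick on $iface proto tcp from any to $ip port = $p flags S keep state"
    done
    echo "block in log quick on $iface from any to $ip"
    # Outbound from the container is allowed; keep state lets the replies back
    # in without an explicit inbound rule.
    echo "pass out quick on $iface from $ip to any keep state"
}

# Stand-alone invocation, e.g.: sh container_ipf.sh lan0 10.1.1.5 22 443
if [ $# -gt 0 ]; then
    container_ipf_rules "$@"
fi
```

With no ports given, the fragment contains only the block rule and the outbound pass rule, which matches the "all inbound blocked" starting state of a container created with the IPFilter service; each port you add is one explicit inbound exception.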
IPSec module (ipsec)
Enabling this service allows you to configure HP-UX IPSec policies for the container. If the IPSec
module is enabled on the system using srp_sys, then you can configure the container to