HP-UX Containers (SRP) A.03.01 Administrator's Guide

address configuration. The ROUTE_SOURCE IP address is used to identify the correct container
route entries.
Connectivity between containers and the global view is permitted by default. Routing between
these areas is managed internally without going out on the physical network. If traffic between
containers, or between a container and the global view, should instead use the physical interface
and be subject to any firewall rules that may be enforced, a force option allows this behavior to
be configured (see 12.6 Cross-container network traffic and Force-to-Wire).
12.5 Address collisions with INADDR_ANY and IN6ADDR_ANY sockets in the global view
Service daemons that bind to the wildcard INADDR_ANY address (or IN6ADDR_ANY for IPv6) and
run in the global view can inadvertently provide an access point for connection attempts to one of the
active container IP addresses, if that container does not also bind to the same TCP or UDP service
port. For this reason, HP recommends that you configure service daemons running in the global view
to bind to a specific global view IP address instead of INADDR_ANY. For services that do not support
an explicit IP address binding configuration, HP recommends configuring the service in a workload
container.
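
The following is an added example, not part of the HP guide: a shell function that reads a socket listing and reports each wildcard listener that a given container IP address does not shadow with its own listener on the same port. It assumes a netstat -an style listing in which the local address is written address.port and * is the wildcard; the function name, the sample listing and its addresses are constructed, and only IPv4 tcp and udp lines are examined.

```shell
#!/bin/sh
# Added example: find wildcard (INADDR_ANY) listeners that would answer on a
# container IP because the container has no listener of its own on that port.
# Assumed usage: netstat -an | wildcard_exposure <container-ip> ...

wildcard_exposure() {
    awk -v ips="$*" '
    BEGIN { n = split(ips, ip, " ") }
    # Keep listening TCP sockets and unconnected UDP sockets only.
    ($1 == "tcp" && $6 == "LISTEN") || ($1 == "udp" && $5 == "*.*") {
        port = $4
        sub(/^.*\./, "", port)                     # text after the last dot
        addr = substr($4, 1, length($4) - length(port) - 1)
        key = $1 SUBSEP port
        if (addr == "*") wild[key] = 1             # bound to the wildcard
        else bound[key SUBSEP addr] = 1            # bound to one address
    }
    END {
        for (k in wild) {
            split(k, f, SUBSEP)
            for (i = 1; i <= n; i++)
                if (!((k SUBSEP ip[i]) in bound))
                    print f[1], f[2], ip[i]        # proto port container-ip
        }
    }' | LC_ALL=C sort
}

# Constructed sample listing (not captured from a real system).
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  *.22                   *.*                    LISTEN
tcp        0      0  10.1.1.2.22            *.*                    LISTEN
tcp        0      0  *.5988                 *.*                    LISTEN
tcp        0      0  10.0.0.10.514          *.*                    LISTEN
tcp        0      0  10.0.0.10.22           10.9.9.9.51515         ESTABLISHED
udp        0      0  *.161                  *.*
udp        0      0  10.2.2.5.161           *.*
EOF
}

# Each output line is: protocol, port, container IP reachable via the wildcard.
sample_netstat | wildcard_exposure 10.1.1.2 10.2.2.5
```

Every line reported is a candidate for rebinding the global view daemon to a specific global view IP address or moving it into a workload container, as recommended above. The listener bound to 10.0.0.10 port 514 produces no finding because it is not a wildcard bind.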
12.6 Cross-container network traffic and Force-to-Wire
Containers provide isolated networking environments. By default, a container is configured so that
the only networking traffic allowed is through the container-specific IP interface. Inter-system container
networking can be configured through loopback networks. HP-UX Containers A.03.00 and later
include the Force-to-Wire feature, with which network traffic between containers on the same system
can be routed to the external network. This can facilitate network monitoring, among other uses.
When connectivity between two locally assigned IP addresses needs to be forced to the network, both
IP addresses must be tagged with the force option. Also, the desired route to be forced must be
tagged in both directions. The ifconfig(1m) and route(1m) commands both support the
force option to enable this configuration.
For example:
Container1 has IP 10.1.1.2 on lan0
Container2 has IP 10.2.2.5 on lan1
Router IP1 on 10.1.1.0 subnet, 10.1.1.1
Router IP2 on 10.2.2.0 subnet, 10.2.2.1
# ifconfig lan0 10.1.1.2 force
# ifconfig lan1 10.2.2.5 force
# route add host 10.1.1.2 10.2.2.1 1 source 10.2.2.5 force
# route add host 10.2.2.5 10.1.1.1 1 source 10.1.1.2 force
NOTE: To automate the force option for an interface entry, configure the corresponding
INTERFACE_STATE[]="force" in the netconf file. You can add a new entry in the netconf
file for the route entry as follows:
ROUTE_DESTINATION[9]="host 10.1.1.2"
ROUTE_SKIP[9]="true"
ROUTE_MASK[9]=""
ROUTE_GATEWAY[9]="10.2.2.1"
ROUTE_COUNT[9]=1
ROUTE_ARGS[9]=""
ROUTE_SOURCE[9]="10.2.2.5"