Manualshelf

HP-UX Containers (SRP) A.03.01 Administrator's Guide

ManualsBrandsHP ManualsSoftwareHP-UX Containers (SRP)
81828384858687888990
86
If you have applied IPFilter for the container, ensure that any additional
ports used by the application are allowed.
When the ipfilter service is enabled for the container, by default the inbound network
connections to the container are blocked. You must configure the ipfilter service to allow
inbound connections to any network ports that the application will listen on.
Use the custom template to apply additional IPFilter capabilities to the
container for the application.
This will allow you to manage system configuration changes for the container on a per
container basis. Use a recognizable identifier, such as the application name for the
instance_id parameter when deploying the custom template. When deploying multiple
applications within a container, consider applying the custom template (if needed) once per
application.
15.7 Limitations and disallowed operations
All users in a system container (including root) are prevented from performing the following list of
administrative tasks. These administrative tasks must be performed in the global view.
Kernel configuration management
Kernel tunable management
System boot configuration
Reading kernel memory
Make kernel
System crash configuration
KRS (Kernel Registry Services)
DLKM management
Creating device files
Changing system time
Shutdown/reboot the physical system
Swap space management
Logical volume management
Physical devices management
Network interface card configuration
IP Address configuration
Network tunable configuration
Compartment rule configuration
Bypassing compartment rules using overriding privileges
Enable/disable auditing
Enable/disable accounting
IPFilter configuration
IPSec configuration
SRP configuration
Software installation (swinstall/swremove/swconfig)
In order to prevent the above disallowed operations, the following privileges (see privileges(5))
are disallowed in a system container. Commands and system calls performing the administrative tasks
disallowed in a system container will return an error.