HP-UX Containers (SRP) A.03.01 Administrator's Guide

16 Workload Container
Workload containers provide access-control-based isolation of a workload without using the namespace-based
isolation features. They lack the user-space virtualization properties of system containers, but because
they do not use a private file namespace they are more lightweight and do not require SD (Software
Distributor) synchronization with the global view. This lowers maintenance cost and simplifies cloning
and Serviceguard integration. By default, all administration tasks are allowed in a workload container.
16.1 File system
Workload containers have a restricted view of the entire file system, rather than the private, chroot-based
view of the file system that system containers have. In addition to the container home directory, the
workload container has a configurable view of other directories on the server.
The following diagram shows the file system layout for a workload container.
16.2 Users, groups and authorization
Workload containers use the HP-UX Containers login service to assign a set of HP-UX users and groups,
managed from the global view, that may log in to the container. When the compartment login feature is
enabled using the srp_sys command, only users in this set are allowed to log in to the container. HP
recommends that you create a group for each container and apply that group to the HP-UX Containers
login service.
NOTE: By default, the RBAC configuration also authorizes the root user to log in to all containers.
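The group-per-container convention above lends itself to a simple audit of who is permitted to log in where. The following is an added example, not code from the HP-UX Containers guide or product: it works on a constructed /etc/group-style text and a constructed container-to-group mapping (the container names web_srp and db_srp, the group names and the user names are all assumed), and it always lists root, reflecting the default RBAC authorization noted above.

```shell
#!/bin/sh
# Added audit example (not part of the HP-UX Containers product).
# Lists which accounts may log in to each workload container when the
# compartment login feature is enabled and one group is applied per container.

# Constructed sample of /etc/group lines (name:passwd:gid:members)
GROUP_DB='root::0:
users::20:alice,bob,carol
web_srp::501:alice,bob
db_srp::502:carol'

# Constructed mapping: container name -> group applied to its login service
CONTAINER_GROUPS='web_srp:web_srp
db_srp:db_srp'

# members_of GROUP -> space-separated member list taken from GROUP_DB
members_of() {
    printf '%s\n' "$GROUP_DB" | awk -F: -v g="$1" '$1 == g { gsub(",", " ", $4); print $4 }'
}

# group_for CONTAINER -> the group applied to that container's login service
group_for() {
    printf '%s\n' "$CONTAINER_GROUPS" | awk -F: -v c="$1" '$1 == c { print $2 }'
}

# login_allowed USER CONTAINER -> exit 0 if USER may log in to CONTAINER.
# root is always allowed, mirroring the default RBAC authorization.
login_allowed() {
    user=$1; ctr=$2
    [ "$user" = root ] && return 0
    grp=$(group_for "$ctr")
    [ -n "$grp" ] || return 1
    for m in $(members_of "$grp"); do
        [ "$m" = "$user" ] && return 0
    done
    return 1
}

# audit_container CONTAINER -> one line: the accounts permitted to log in
audit_container() {
    printf '%s' "root"
    for m in $(members_of "$(group_for "$1")"); do printf ' %s' "$m"; done
    printf '\n'
}

audit_container web_srp
audit_container db_srp
```

On a live system the constructed GROUP_DB would be replaced by the contents of /etc/group and the mapping by the groups actually applied to each container's login service.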