HP-UX Secure Resource Partitions (SRP) A.02.00 Administrator's Guide

Run swinstall and swremove from the INIT compartment. Do not install system software
or utilities from within an SRP compartment. An SRP compartment might have rules that
prevent you from successfully installing system software.
If an application hosted in an SRP compartment has associated executables or utilities, run
them from within the SRP compartment. This enables the processes to share common file
system directories, IPC facilities, and network security rules.
NOTE: In a high-security environment, you can choose to configure associated applications
in independent SRP compartments and limit shared resources and communication
mechanisms to the minimum required. This requires you to configure customized
compartment rules for the applications and how they are used in your environment.
Cross-Compartment Network Traffic
SRP compartments provide isolated networking environments. By default, an SRP compartment
is configured so that the only networking traffic allowed is through the compartment-specific
IP interface. If you want to allow network traffic to another compartment on the same system
(cross-compartment network traffic on the same system through the loopback interface), you
must manually configure compartment network rules (compartment grant rules) to do so.
However, configuring these rules also allows the SRP compartment to use all network interfaces
accessible to the second compartment.
To avoid configuring grant rules to allow cross-compartment network traffic on the same
system, do not configure network applications in separate SRP compartments if they need to
communicate with each other through the loopback interface.
IP Routers and Strong End System (ES) Model
The SRP architecture assumes that most customers will use a dedicated IP interface for each SRP
compartment, so that the system is multihomed (has multiple IP addresses). To ensure proper
routing, SRP configures the system to use the strong end system (ES) model, as described in RFC
1122. When the strong ES model is enabled, a system cannot act as an IP router. A system with
the strong ES model enabled silently drops incoming IP packets with destination IP addresses
that do not match the interface address. The source IP address of an outbound packet must match
the address of the interface used to transmit the packet.
The srp_setup utility enables the strong ES model using the ndd utility and the
/etc/rc.config.d/nddconf file. See ndd(1m) for more information.
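The following check is an added example, not part of the HP guide: it parses an nddconf-style file and reports whether the strong ES setting is persisted. The tunable name ip_strong_es_model, the TRANSPORT_NAME/NDD_NAME/NDD_VALUE entry layout, the meaning of 0 as disabled, and the sample file contents are assumptions not stated on this page; confirm them against ndd(1m) on your release.

```shell
#!/bin/sh
# Added example: audit an nddconf-style file for the strong ES setting.
# Assumed (not on this page): tunable ip_strong_es_model, 0 = disabled,
# and the TRANSPORT_NAME[n]/NDD_NAME[n]/NDD_VALUE[n] entry layout.

# Constructed sample input, not taken from a real system.
sample_nddconf() {
    cat <<'EOF'
# constructed sample
TRANSPORT_NAME[0]=tcp
NDD_NAME[0]=tcp_conn_request_max
NDD_VALUE[0]=4096
TRANSPORT_NAME[1]=ip
NDD_NAME[1]=ip_strong_es_model
NDD_VALUE[1]=1    # trailing comment
EOF
}

# Print the persisted value for ip/ip_strong_es_model, or "unset".
# Reads the named file, or stdin when no file is given.
strong_es_value() {
    awk '
    /^[ \t]*(TRANSPORT_NAME|NDD_NAME|NDD_VALUE)\[[0-9]+\]=/ {
        line = $0; sub(/^[ \t]*/, "", line)
        p = index(line, "["); q = index(line, "]")
        key = substr(line, 1, p - 1)
        idx = substr(line, p + 1, q - p - 1)
        val = substr(line, index(line, "=") + 1)
        sub(/#.*/, "", val); sub(/[ \t]+$/, "", val); gsub(/"/, "", val)
        if (key == "TRANSPORT_NAME") t[idx] = val
        else if (key == "NDD_NAME") n[idx] = val
        else v[idx] = val
    }
    END {
        res = "unset"; best = -1
        # Entries are paired by index; the highest matching index is reported.
        for (i in n)
            if (n[i] == "ip_strong_es_model" && t[i] == "ip" && (i in v) && i + 0 > best) {
                best = i + 0; res = v[i]
            }
        print res
    }' "$@"
}

# Succeeds only when the setting is present and non-zero.
strong_es_enabled() {
    val=$(strong_es_value "$@")
    [ "$val" != "unset" ] && [ "$val" != "0" ]
}

echo "persisted ip_strong_es_model: $(sample_nddconf | strong_es_value)"
```

On a live host, pass /etc/rc.config.d/nddconf as the argument and compare the result with the running value reported by ndd -get /dev/ip ip_strong_es_model (same assumed tunable name).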
Application Gateway Servers
Although an SRP system with the strong ES model enabled cannot act as an IP router, it can be
used as an application gateway server. Application gateway servers receive IP packets sent to a
local IP address, process the packets at an upper layer, and retransmit the packets using the local
IP address as the source address. Local network applications that communicate with each other
on the same system must reside in the same SRP compartment, or you must manually configure
compartment grant rules to allow cross-compartment network traffic, as described in
“Cross-Compartment Network Traffic” (page 20).
Compartment Login and Access for Non-root Users
If you enable the compartment login feature with the default RBAC configuration, all users not
assigned to the RBAC Administrator role are denied login access to the system. By default,
the Administrator role is assigned only to the root user.
You must explicitly add permission for additional users to log in to the INIT compartment by
either adding additional users to the RBAC Administrator role or by creating and assigning
users to an additional RBAC role authorized to log in to the INIT compartment. You can use the