HP-UX Secure Resource Partitions (SRP) A.02.00 Administrator's Guide
• If IPFilter is not enabled on the system, srp_setup asks whether you want to enable it.
CAUTION: Enabling IPFilter briefly brings down all IP interfaces on the system, then brings
up all IP interfaces configured in the /etc/rc.config.d/netconf and
/etc/rc.config.d/netconf-ipv6 files. This causes the system to briefly lose network
connectivity and removes all dynamically configured IP interfaces.
Unless there is heavy network traffic, the interruption in network connectivity has little or
no effect on existing connections. However, some applications might interpret a network
interruption as a card failure. For example, Serviceguard might interpret a network
interruption as a card failure, which can cause it to reform the cluster. In addition, services
that use dynamically configured IP interfaces (such as Serviceguard) will lose connectivity
through these interfaces.
HP recommends that you do not enable HP-UX IPFilter when critical network applications
are running. HP recommends that you enable IPFilter when interrupting network connectivity
is not disruptive.
• The srp_setup utility prompts you for the name of the system sshd configuration file. If
this file is used to start the sshd daemon in the INIT compartment and it configures the
sshd daemon to listen on a wildcard IP address (the ListenAddress variable is absent,
or is set to 0.0.0.0 or ::), an address collision can occur with sshd daemons running in
other compartments. To avoid this problem, srp_setup asks whether you want to configure
specific IP addresses for the system sshd configuration file. For more information about
address collisions, see “Address Collisions with INADDR_ANY and IN6ADDR_ANY Sockets
in the INIT Compartment” (page 19).
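The wildcard condition described above can be checked before running srp_setup. The following POSIX shell function is an added example, not part of the guide or of srp_setup; the name sshd_listens_on_wildcard is hypothetical, the sample configuration is constructed, and it assumes OpenSSH-style syntax including the optional :port and [addr]:port forms.

```sh
#!/bin/sh
# Added example, not from the HP guide; sshd_listens_on_wildcard is a
# hypothetical helper name.
# Exit status: 0 = wildcard listener (ListenAddress absent, 0.0.0.0 or ::),
#              1 = every ListenAddress names a specific address,
#              2 = file not readable.
sshd_listens_on_wildcard() {
    [ -r "$1" ] || return 2
    awk '
        /^[ \t]*#/ { next }                    # comment line
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = split(line, f, /[ \t=]+/)      # keyword, then argument
            if (n < 2 || tolower(f[1]) != "listenaddress") next
            seen = 1
            addr = f[2]
            if (addr ~ /^\[/) {                # [addr] or [addr]:port
                sub(/^\[/, "", addr)
                sub(/\].*$/, "", addr)
            } else if (addr ~ /^[^:]*:[0-9]+$/) {
                sub(/:[0-9]+$/, "", addr)      # IPv4:port
            }
            if (addr == "0.0.0.0" || addr == "::") wild = 1
        }
        END { if (seen && !wild) exit 1; exit 0 }
    ' "$1"
}

# Constructed sample (not from the guide): one specific address, one wildcard.
sample=${TMPDIR:-/tmp}/sshd_config.sample.$$
cat > "$sample" <<'EOF'
Port 22
ListenAddress 192.0.2.10
ListenAddress [::]:22
EOF
if sshd_listens_on_wildcard "$sample"; then
    echo "wildcard listener: may collide with sshd in other compartments"
else
    echo "specific addresses only"
fi
rm -f "$sample"
```

The check recognizes only the two wildcard spellings the guide names (0.0.0.0 and ::); other textual forms of the unspecified address are not detected.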
Example
In this example, the user presses RETURN and accepts the default values for each prompt.
# /opt/hpsrp/bin/srp_setup
##############################
#
# Setup SRP default template
#
##############################
Loading SRP default template ... [ OK ]
The default services do not include IPFilter or IPSec. You can add them to the set of default
services in the following dialog.
Enable SRP configuration for the following services:
admin (compartment administrator) [y] RETURN
init (compartment startup and shutdown scripts) [y] RETURN
login (compartment login via pam_security) [y] RETURN
network (IP address and network interface management [y] RETURN
prm (Process Resource Management) [y] RETURN
ipfilter (ipfilter host firewall rules) [n] RETURN
ipsec (ipsec secure transport rules) [n] RETURN
provision (run customizable provision script) [n] RETURN
Selected SRP service(s) are: cmpt,admin,init,login,network,prm
Would you like to save the changes? [y] RETURN
Saving SRP default template ... [ OK ]
##############################