HP-UX Secure Resource Partitions (SRP) A.02.00.001 Release Notes

1.4 Frequently Asked Questions
This section includes questions frequently asked about HP-UX SRP.
Q. How can I configure DNS access for an SRP when the remote DNS server is not accessible from the SRP, but is accessible from the init compartment?

A. With HP-UX SRP A.02.00.001, an SRP only has access to the network interface it is configured to. If a command or application within an SRP requires access to a remote network service that is not accessible on the compartment's network, it will fail. Because of this limitation, users and applications running in an SRP compartment are not able to resolve DNS nodenames.

If applications and tools like nslookup are unable to resolve nodenames when running in an SRP but work from the default init compartment, then the system file /etc/resolv.conf contains remote DNS bind servers that are not accessible from the SRP's network interfaces.

To avoid this limitation, grant all SRP compartments UDP access on port 53 to the compartment which has access to the DNS bind servers. By default, the ifaces compartment owns all network interfaces (see compartments(4)). Grant access to the ifaces compartment as follows:

1. Edit the /etc/opt/hpsrp/cmpt/base.srp_incl file and add the following lines at the end of the file:

    // grant dns access via ifaces compartment
    grant client udp peer port 53 ifaces

2. Enter the following command at the HP-UX command prompt:

    HP-UX> setrules
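The two steps above can be scripted so that the grant line is added only once and the rule reload is attempted only where the setrules command exists. The following shell script is an added example, not part of the release notes or of HP's SRP tooling; it uses the include file path given in step 1 and the exact grant line from the notes, and assumes it is run as root on the HP-UX host (it exits before touching the file when called without arguments).

```shell
#!/bin/sh
# Added example (not HP code): idempotently add the SRP DNS grant rule
# and reload compartment rules. Usage: sh add_dns_grant.sh [rules_file]

# Path from step 1 of the release notes; override with the first argument.
DEFAULT_RULES_FILE=/etc/opt/hpsrp/cmpt/base.srp_incl
# Exact grant line from the release notes.
DNS_RULE='grant client udp peer port 53 ifaces'

# has_dns_rule FILE: succeed when the grant line is already present
# (leading/trailing blanks ignored), so repeated runs do not duplicate it.
has_dns_rule() {
    grep -q "^[[:space:]]*${DNS_RULE}[[:space:]]*\$" "$1" 2>/dev/null
}

# add_dns_rule FILE: append the comment and grant line unless present.
add_dns_rule() {
    if has_dns_rule "$1"; then
        echo "rule already present in $1"
        return 0
    fi
    printf '\n// grant dns access via ifaces compartment\n%s\n' "$DNS_RULE" >> "$1" \
        || return 1
    echo "rule appended to $1"
}

# apply_rules: step 2 of the notes. Only meaningful on an HP-UX host with
# the SRP tools installed; elsewhere it reports and fails.
apply_rules() {
    if command -v setrules >/dev/null 2>&1; then
        setrules
    else
        echo "setrules not found; run it on the HP-UX host to activate the rule" >&2
        return 1
    fi
}

# Only act when invoked with an explicit file or when running on the host;
# with no arguments the functions are defined but nothing is modified.
if [ "$#" -gt 0 ]; then
    add_dns_rule "${1:-$DEFAULT_RULES_FILE}" && apply_rules
fi
```

Run it once per host; a second run reports that the rule is already present and still reloads the rules, which is the behaviour wanted after a manual edit.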
1.5 Known Problems Fixed in HP-UX SRP A.02.00.001
This release provides the following fixes:
Defect number QXCR1000915139
Modified the default SRP compartment rules
(/opt/hpsrp/etc/cmpt/base.srp_incl) to no longer block access to a set
of system files from within an SRP. This prevents a conflict that can cause a system
update to fail when the update process creates a hard link to one of the blocked
files.
Defect number QXCR1000879308
When multiple compartments are configured on the same system, an outgoing connection to a remote IP address will fail if that IP address has already been accessed by another compartment.
This problem no longer exists because patch PHNE_39203 is now installed with SRP A.02.00.001.
Defect number QXCR1000879308
The IP address for an SRP may not be immediately available when the SRP is
initially started or when the system is rebooted.