HP-UX Secure Resource Partitions (SRP) A.02.02 Administrator's Guide
7.3.3 Deploying Applications with the Application Templates
SRP includes special templates for deploying key applications that use shared executables. The ssh,
apache, and tomcat templates fully deploy these applications within the SRP using the shared
executable model. The oracledb template configures the SRP for Oracle usage; however, you must
first install the Oracle database product on the system in the desired location. Optionally, you may
also use the custom template to deploy an Oracle database for your SRP. If you are installing an
Oracle database under the /var/opt/hpsrp/srp_name directory, the oracledb template is not
required.
7.3.4 Ensuring access to application files located outside the SRP home directory
If the application files are not all located under /var/hpsrp/srp_name/, you must ensure that the
compartment rules definition for the SRP includes sufficient capability to allow execution. For
executable files, READ capability is generally sufficient, while configuration and data files will
typically require READ and WRITE capability. See 11 Using the custom Template for information
on using the custom template to define application-specific compartment access rules for your SRP.
Note that in addition to any installed files, the application may also create files and directories during
execution time. See 19 Verifying and Troubleshooting SRP for instructions on using Discover Mode
if you are unable to determine the access rules required by the application.
7.3.5 Best Practices for Application Deployment with SRP
Follow these best practices when deploying applications with SRP:
• Deploy as much of the application as possible under the SRP home directory.
This minimizes the need to customize compartment access rules. When the application is
installed entirely under the SRP home directory, customization of the SRP's compartment rules
is usually not necessary. Life cycle management, including cloning and migration of the SRP,
will also be simplified, as the application files will be managed as part of the SRP.
• Deploy files shared by multiple SRPs under the standard Unix directories for
hosting shared application files (for example, /opt/, /usr/).
By default, SRPs are configured for the READ capability for these directories, and will not
need additional compartment rules configuration.
• If you have applied IPFilter for the SRP, ensure that any additional ports
used by the application are allowed.
When the ipfilter service is enabled for the SRP, by default the inbound network
connections to the SRP are blocked. You must configure the ipfilter service to allow
inbound connections to any network ports that the application will listen on.
• Use the custom template to apply additional capabilities to the SRP for the
application.
This will allow you to manage system configuration changes for the SRP on a per-SRP basis.
Use a recognizable identifier, such as the application name, for the instance_id parameter
when deploying the custom template. When deploying multiple applications within an SRP,
consider applying the custom template (if needed) once per application.
Figure 7.1 illustrates the installation rules and file locations.
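The placement rules in 7.3.4 and 7.3.5 can be checked against an application's file inventory before deployment. The following shell script is an added example, not part of the HP guide or the SRP product: the function names, the KIND labels, the web1 SRP and the myapp paths are assumptions, and its output names the capability to request through the custom template, not compartment rule syntax.

```shell
# Added example: list application files that need a custom compartment rule.
# SRP_BASE follows section 7.3.4 (/var/hpsrp/srp_name/); override if needed.
SRP_BASE="${SRP_BASE:-/var/hpsrp}"

# srp_classify_path SRP_NAME PATH -> srp-home | shared | outside | invalid
srp_classify_path() {
    case "$2" in /*) ;; *) echo invalid; return 0 ;; esac   # absolute only
    p=${2%/}
    case "$p/" in
        */../*|*/./*|*//*) echo invalid ;;     # refuse unnormalized paths
        "$SRP_BASE/$1"/*)  echo srp-home ;;    # inside the SRP home directory
        /opt/*|/usr/*)     echo shared ;;      # READ by default (7.3.5)
        *)                 echo outside ;;
    esac
}

# srp_needed_rule SRP_NAME KIND PATH -> capability to add, or "none".
# KIND: exec needs READ; config and data need READ and WRITE (7.3.4).
srp_needed_rule() {
    case "$2" in
        exec)        want=READ ;;
        config|data) want=READ,WRITE ;;
        *)           echo unknown-kind; return 0 ;;
    esac
    case "$(srp_classify_path "$1" "$3")" in
        srp-home) echo none ;;
        shared)   if [ "$want" = READ ]; then echo none; else echo "$want"; fi ;;
        outside)  echo "$want" ;;
        *)        echo invalid-path ;;
    esac
}

# srp_plan SRP_NAME: read "KIND PATH" lines, print "capability<TAB>path"
# only for entries that need attention.
srp_plan() {
    while read -r kind path; do
        [ -n "$kind" ] || continue
        rule=$(srp_needed_rule "$1" "$kind" "$path")
        [ "$rule" = none ] || printf '%s\t%s\n' "$rule" "$path"
    done
}

# Constructed inventory for a hypothetical SRP "web1" running "myapp".
srp_plan web1 <<'EOF'
exec   /opt/myapp/bin/myappd
config /var/hpsrp/web1/etc/myapp.conf
config /etc/opt/myapp/myapp.conf
data   /opt/myapp/cache
data   /var/hpsrp/web1-old/data
EOF
```

Prefixes are matched on whole path components, so /var/hpsrp/web1-old is not treated as part of the web1 home directory, and a writable file under /opt/ is reported because the default for the shared directories is READ only.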