Reference Architecture: Consolidating Oracle Databases with Secure Resource Partitions in a Serviceguard Cluster Whitepaper
NDD_VALUE[2]=1
TRANSPORT_NAME[3]=ip6
NDD_NAME[3]=ip6_ire_cmpt_route_lookup_policy
NDD_VALUE[3]=1
The required patches previously listed add functionality to the underlying HP-UX subsystems used by
SRP (Security Containment and ARPA Transport). Use the following kctune commands to enable use
of the new features:
# kctune cmpt_net_enhs=3
# kctune cmpt_fs_enhs=1
New features available:
Enable all cross SRP network connections:
Enabling this feature allows network connections between all SRPs by default. These connections
are subject to compartment rules, but are not subject to ipfilter rules. By default,
cmpt_allow_local is disabled, denying local network communication between processes
running in different SRPs unless a compartment rule is configured to allow the connection.
This feature is controlled by the cmpt_allow_local tunable. Set it using the kctune command:
# kctune cmpt_allow_local=1
Enable local "compartment to compartment" network connection per SRP
Two new network compartment rules enable you to allow or deny local network connections
between compartments. These new settings control only the local network access between two
compartments. The new configuration options include:
– Grant-local: Allows access between two processes using loopback communications.
– Deny-local: Denies access between two processes using loopback communications.
Syntactically, you can use these options in networking rules the same way you use grant/deny
options. For example:
Allow local TCP connections from this compartment to port 1521 in the MKTPRD compartment. Port
1521 is the default SQLnet port, so in this case, it enables you to connect to the database from
within the SRP.
grant-local client tcp peer port 1521 MKTPRD
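The tunables above and the grant-local rule form one decision: either open every cross-SRP connection globally with cmpt_allow_local=1 (which also takes those connections out of ipfilter's reach), or leave the default deny in place and grant loopback access per compartment. The following POSIX shell audit is an added example, not from the whitepaper or from HP's SRP tooling. It reads a kctune listing from standard input and assumes only that the tunable name and its current value are the first two whitespace-separated fields of each line; the sample listing is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the whitepaper. Audits the SRP kernel tunables
# discussed above from kctune-style output, one "name value ..." per line
# (assumption: name and current value are the first two whitespace-separated
# fields, as in the default kctune listing; any other line is ignored).
# Prints one line per tunable and returns 0 when both required tunables
# (cmpt_net_enhs=3, cmpt_fs_enhs=1) are set, 1 otherwise.
# cmpt_allow_local=1 does not fail the audit but is flagged: it allows every
# cross-SRP network connection, and those connections bypass ipfilter.
srp_tunable_audit() {
    net=''; fs=''; allow_local=''
    while read -r name value _rest; do
        case "$name" in
            cmpt_net_enhs)    net=$value ;;
            cmpt_fs_enhs)     fs=$value ;;
            cmpt_allow_local) allow_local=$value ;;
        esac
    done
    rc=0
    if [ "$net" = 3 ]; then
        echo "OK   cmpt_net_enhs=3"
    else
        echo "FAIL cmpt_net_enhs=${net:-unset} (expected 3; run: kctune cmpt_net_enhs=3)"
        rc=1
    fi
    if [ "$fs" = 1 ]; then
        echo "OK   cmpt_fs_enhs=1"
    else
        echo "FAIL cmpt_fs_enhs=${fs:-unset} (expected 1; run: kctune cmpt_fs_enhs=1)"
        rc=1
    fi
    case "$allow_local" in
        ''|0) echo "OK   cmpt_allow_local=${allow_local:-0} (default: cross-SRP traffic denied unless a compartment rule such as grant-local allows it)" ;;
        1)    echo "WARN cmpt_allow_local=1 (all cross-SRP connections allowed and exempt from ipfilter; prefer per-compartment grant-local rules)" ;;
        *)    echo "WARN cmpt_allow_local=$allow_local (unexpected value)" ;;
    esac
    return $rc
}

# Constructed sample in the shape of a kctune listing (header line plus
# three tunables). Not captured from a real system.
SAMPLE_KCTUNE='Tunable              Value  Expression
cmpt_allow_local     1      1
cmpt_fs_enhs         0      Default
cmpt_net_enhs        3      3'

# Stand-alone run against the sample. On a live HP-UX host the equivalent
# would be:  kctune | srp_tunable_audit
printf '%s\n' "$SAMPLE_KCTUNE" | srp_tunable_audit \
    || echo "audit: one or more required tunables are not set"
```

On the constructed sample the report flags cmpt_fs_enhs as unset and warns that cmpt_allow_local=1 has opened all cross-SRP connections; a host that keeps the default and relies on grant-local rules for specific ports (such as the SQLnet rule above) passes cleanly.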
New compartment file system rule: nread
The nread rule enables processes in the compartment to list the contents of the directory. The
nread rule is not inherited by child directories.
SRP can configure multiple HP-UX subsystems, but you must enable each subsystem before creating an
SRP that uses it. Use the srp_sys -setup command to enable the following subsystems:
Compartments
PRM
IPFilter
Compartment login
In addition to enabling these subsystems, the srp_sys -setup command modifies several system
configuration settings. See the srp_sys(1m) man page for details.
2. Run the srp_sys -setup command. You need to run it only once. You can run it again to
change system settings.