
CONTAINER_SYSTEM(5) CONTAINER_SYSTEM(5)
NAME
container_system - Describes the HP-UX system containers
DESCRIPTION
System containers provide virtualization and private namespace capabilities that give users the look and
feel of a private operating system instance. They provide process view isolation, IPC isolation, and a
dedicated IP address interface. All system containers have a private set of configuration files and
service daemons. System containers provide a private namespace for file system view, hostname, nodename,
domain name, System V IPC, and loopback IP address. Because each system container carries its own copies
of the system files, software installation in a container must be kept synchronized with the global
system.
Process View
Only processes within a system container are visible inside that container; processes in one container
can neither view nor signal processes outside the container.
Host, Node, and Domain Names
Each system container has its own hostname, nodename, and domain name. These names are initially
defined when the container is created, but they can be modified from within the container. Processes
within a system container will see the host, node, and domain name of the container.
Users and Groups
System containers are provisioned with a separate set of configuration files and service daemons used to
manage users and groups, login authentication, and name service resolution. Administration of these
activities must be performed inside each system container.
File Systems
A system container may be created with either a private or a shared file system. If a system container is
created with a private file system, it will be populated with its own read/write copy of the system
directories, excluding the /stand directory. The /stand directory will be a read-only loopback mounted
file system mounted from the global /stand directory. If a system container is created with a shared file
system, it will be populated with its own read/write copies of the system directories, excluding the
/stand, /usr, and /sbin directories; these directories will be read-only loopback mounted file systems
mounted from the corresponding global view directories.
When a container is configured, srp(1M) creates a new container home directory
(/var/hpsrp/<container_name>). All processes running in a system container are chrooted to the container
home directory, thus providing a unique file system view for the container.
NFS and AutoFS Mounted File Systems
NFS server functionality is supported only in the global view (using the primary system IP address) and
not in the system containers. You must configure directory shares as an absolute path from the global
system root directory, and the directories must be mounted when the shares are exported in the global
view.
NFS and AutoFS mounts are supported inside a system container as on a standard system. The NFS mount
must be done inside the container; an NFS mount performed from the global view on behalf of a container
(for example, one whose mount point is a path under the container home directory
/var/hpsrp/<container_name>) is not supported. Access to a container's NFS-mounted directories is denied
from the global view.
The shares exported from the global view can be mounted inside a system container by using the global
view hostname as the NFS server inside the system container.
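The export rules above (share paths absolute from the global root, already mounted in the global view,
and never mounted from the global view on behalf of a container) can be checked before the shares are
exported. The following script is an added example and is not part of this manual page or of the HP-UX
SRP software. It assumes that share lines use the share(1M) syntax found in /etc/dfs/dfstab and that the
mount table uses the /etc/mnttab field order (device, mount point, type, ...); the dfstab and mnttab
contents embedded in it are constructed sample data, not output captured from a system.

```shell
#!/bin/sh
# Added example, not part of container_system(5) or the SRP software.
# Checks NFS share paths from the global view against the rules in this
# manual page before they are exported for use by system containers:
#   1. the share path must be absolute from the global root,
#   2. it must not lie under a container home directory (/var/hpsrp/<name>),
#      because NFS mounting on behalf of a container from the global view
#      is not supported,
#   3. it must already be mounted in the global view.
# Assumptions: share lines use share(1M) syntax as found in /etc/dfs/dfstab,
# and the mount table uses the /etc/mnttab field order (device, mount point,
# type, ...). Both samples below are constructed data, not captured output.

SAMPLE_DFSTAB='share -F nfs -o ro /export/tools
share -F nfs -o rw /export/data
share -F nfs -o rw export/relative
share -F nfs -o rw /var/hpsrp/ctr1/mnt/data
share -F nfs -o ro /export/notmounted'

SAMPLE_MNTTAB='/dev/vg00/lvol3 / vxfs rw 0 0 1
/dev/vg00/lvol8 /var vxfs rw 0 0 1
/dev/vg01/lvol1 /export/tools vxfs rw 0 0 1
/dev/vg01/lvol2 /export/data vxfs rw 0 0 1
/dev/vg01/lvol3 /var/hpsrp/ctr1/mnt/data vxfs rw 0 0 1'

# share_path LINE: print the directory argument of a share line (last field).
share_path() {
    echo "$1" | awk '{ print $NF }'
}

# is_mounted PATH MNTTAB: succeed if PATH appears as a mount point in MNTTAB.
is_mounted() {
    printf '%s\n' "$2" | awk -v p="$1" '$2 == p { found = 1 } END { exit !found }'
}

# check_share PATH MNTTAB: print a verdict and succeed only if PATH may be
# exported for container use according to the rules above.
check_share() {
    case $1 in
        /var/hpsrp/*)
            echo "REJECT $1: under a container home directory; mount NFS inside the container instead"
            return 1 ;;
        /*) ;;
        *)
            echo "REJECT $1: share path must be absolute from the global root"
            return 1 ;;
    esac
    if ! is_mounted "$1" "$2"; then
        echo "REJECT $1: not mounted in the global view"
        return 1
    fi
    echo "OK $1"
}

# count_rejected DFSTAB MNTTAB: print the number of share lines that fail.
count_rejected() {
    printf '%s\n' "$1" | {
        n=0
        while read -r line; do
            [ -n "$line" ] || continue
            check_share "$(share_path "$line")" "$2" >/dev/null || n=$((n + 1))
        done
        echo "$n"
    }
}

# Report every share in the sample and the total that must be fixed.
printf '%s\n' "$SAMPLE_DFSTAB" | while read -r line; do
    [ -n "$line" ] || continue
    check_share "$(share_path "$line")" "$SAMPLE_MNTTAB" || :
done
echo "rejected shares: $(count_rejected "$SAMPLE_DFSTAB" "$SAMPLE_MNTTAB")"
```

Run it in the global view with the real files substituted for the samples (for example,
SAMPLE_DFSTAB=$(cat /etc/dfs/dfstab) and SAMPLE_MNTTAB=$(cat /etc/mnttab)); any REJECT line names a share
that would either fail to export or would be mounted on behalf of a container from the wrong side.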
Mounted File Systems
File systems such as NFS, LOFS, and VxFS may be mounted in a system container when the container is
started if there is an appropriate entry in the container's /etc/fstab file, as described in fstab(4).
Network Isolation
Each system container is provided with its own IP address and private network port space. Processes in a
system container can only bind to addresses local to the container. Packets destined to a container IP
address are delivered to the appropriate network endpoints in the container. Packets originated from a
container will have the source address set to the container IP address.
HP-UX 11i Version 3: September 2011 - 1 - Hewlett-Packard Company
