container_system.5 (2011 09)

CONTAINER_SYSTEM(5) CONTAINER_SYSTEM(5)
The container IP address may be configured to use a dedicated network interface or to share its network
interface with other containers. The global system administrator configures the container IP addresses
and network interfaces. The configuration of IP addresses and network routing tables is not supported
from within a container. The network configuration may be viewed using the standard commands,
including ifconfig(1M) and netstat(1M).
IPC Isolation
Each system container has its own IPC namespace. System V IPC objects (semaphores, shared memory,
and message queues) created in a system container are unique to the container and can only be used for
communication between processes in the same container. POSIX IPC namespace is not supported in a
system container.
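One way to check the System V IPC isolation described above, as an added example that is not part of the original manual page: run it with the argument create in one system container, then with no argument in a second container, where it should report the marker as not visible. The key value and the function names are assumptions of this example; only standard System V shared memory calls are used.

```c
/* Added example: check System V IPC isolation between containers.
 * The key value and the function names are assumptions of this example. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/shm.h>

#define MARKER_KEY ((key_t)0x5359534b)  /* constructed, arbitrary key */
#define MARKER_SIZE 64

/* Create the marker segment; returns its id, or -1 if it exists or on error. */
int marker_create(key_t key)
{
    return shmget(key, MARKER_SIZE, IPC_CREAT | IPC_EXCL | 0600);
}

/* Returns 1 if a segment with this key is visible in the caller's IPC
 * namespace, 0 if it is not (ENOENT), -1 on any other error. */
int marker_visible(key_t key)
{
    if (shmget(key, 0, 0) != -1)
        return 1;
    return errno == ENOENT ? 0 : -1;
}

/* Remove the marker segment; returns 0 on success. */
int marker_remove(int shmid)
{
    return shmctl(shmid, IPC_RMID, NULL);
}

int main(int argc, char **argv)
{
    if (argc > 1 && strcmp(argv[1], "create") == 0) {
        int id = marker_create(MARKER_KEY);
        if (id == -1) { perror("shmget"); return 2; }
        printf("created marker, shmid=%d\n", id);
        return 0;
    }
    /* Probe mode: anything other than "not visible" is treated as a failure. */
    int v = marker_visible(MARKER_KEY);
    printf("marker %s\n", v == 1 ? "VISIBLE" : v == 0 ? "not visible" : "error");
    return v == 0 ? 0 : 1;
}
```

Remove the marker segment from the creating container when the check is done, for example with ipcrm(1).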
Resource Entitlements
System containers may be configured with a set of resource entitlements for CPU and memory usage,
including a guaranteed minimum CPU and memory allocation. A maximum CPU and memory entitlement
may be specified in addition to the minimum. Resource entitlements are optional.
Software Management
Software Distributor (SD) is used to install or remove software. You must be in the global view (see
container(5)) to install any software, including patch updates and removals. The SD utility automatically
synchronizes each system container with the global software installation. Installing software using SD
within a system container is not supported.
Device Access
By default, a system container is provisioned with devices that can operate safely within the scope of the
container only. These devices include pseudo transport devices (such as /dev/tcp, /dev/ip),
pseudo-terminal devices (such as /dev/pty*), mount device (/dev/mnttab), and privilege-aware devices that can
restrict the operations (such as /dev/devkrs, /dev/config).
Additional devices can be made available to a system container from the global view using the srp(1M)
command or the Container Manager. Devices cannot be created within a system container.
Disallowed Privileges
A set of privileges is disallowed in each system container to prevent users from performing administrative
tasks that might have an impact on system-wide resources or operations. Commands and system calls
performing the administrative tasks that are disallowed in a system container will return an error. See
the Restrictions section for the prohibited administrative tasks. The following privileges (see
privileges(5)) are disallowed within a system container:
ACCOUNTING
Allows a process to control the process accounting system. Example: acct(1M), acctsh(1M)
AUDCONTROL
Allows a process to start, modify, and stop the auditing system. Example: audsys(1M)
CHANGECMPT
Grants a process the ability to change its compartment. Example: privrun(1M)
CMPTREAD
Allows a process to open a file or directory for reading, executing, or searching, bypassing compartment
rules.
CMPTWRITE
Allows a process to write to a file or directory, bypassing compartment rules.
COMMALLOWED
Allows a process to override compartment rules in the IPC and network subsystems.
CORESYSATTR
Allows a process to manage system attributes such as kernel tunables and system time. Example: kctune(1M), date(1M)
DLKM
Allows a process to load a kernel module, change the global search path for DLKM. Example: kcmodule(1M)
2 Hewlett-Packard Company 2 HP-UX 11i Version 3: September 2011