Configuring HP-UX Containers (SRP) v3.01 Update
Lab Guide
Rev. 12.11
Use of this material to deliver training without prior written permission from HP is prohibited.
© Copyright 2012 Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. This is an HP copyrighted work that may not be reproduced without the written permission of HP. You may not use these materials to deliver training to any person outside of your organization without the written permission of HP. Configuring HP-UX Containers (SRP) v3.01 Update Lab guide March 2012 .
Contents
Lab 0: Accessing the HPVL Environment
  Objectives
  Exercise — Accessing the HPVL environment
    Learner-specific information
    Prerequisites
    Accessing the HPVL environment
    Exiting HPVL
Lab 1: Install and Configure HP-UX Container
  Objectives
  Hardware and software requirements
  Exercise 1 – Validating and Installing HP-UX Container
    Validating the HP-UX Container depot file
    Installing the package using swinstall
    Verifying HP-UX Container installation
  Exercise 2 – Enabling HP-UX Container using the interactive mode
  Exercise 3 – Creating System Container and viewing its default file set layout
    Creating System Container
    Viewing file set layout for System Container
  Exercise 4 – Creating Workload Container and viewing its default file set layout
    Creating Workload Container
    Viewing file set layout for Workload Container
  Exercise 5 – Modifying the pre-defined list of allowed products
Lab 2: Installing and Managing HP 9000 Containers
  Objectives
  Hardware and software requirements
  Exercise 1 – Validating and installing HP9000 Container
    Validating the HP9000 Container depot file
    Installing the package using swinstall
    Verifying HP-UX Container installation
  Exercise 2 – Viewing HP 9000 Containers file system layout
  Exercise 3 – Administering HP 9000 Containers
  Appendix A – Transitioning from HP 9000 server
  Appendix B – Additional screenshots
    Creating system container in HP9000
Lab 3: Configure and Manage Containers
  Objectives
  Hardware and software requirements
  Exercise 1 – Configuring HP-UX Container using interactive mode
    Setting up Process Resource Manager
    IPFilter
    IPSec module (ipsec)
    Creating container using batch mode
  Exercise 2 – Managing containers using the srp command
    The srp_ps command
    Starting and stopping a container
      System Container
      Workload Container
    Adding the sshd template to a Workload Container
    Deleting a Workload Container
Lab 4: Use and Maintain HP UX Containers
  Objectives
  Hardware and software requirements
  Exercise 1 – Creating a base SRP compartment
  Exercise 2 – Networking with containers
Lab 5: Integration with Serviceguard
  Objectives
  Hardware and software requirements
  Exercise 1 – Understanding Serviceguard and usage of model
    Overview
    Selecting a model
  Exercise 2 – Creating a container to use with Serviceguard
  Exercise 2 – Adapting Serviceguard scripts for different type of model
Lab 6: Troubleshooting Containers
  Objectives
  Hardware and software requirements
  Exercise 1 – Understanding the troubleshooting scenarios
    Scenario 1
      Symptom
      Solution
    Scenario 2
      Symptom
      Solution
    Scenario 3
      Symptom
      Solution
    Scenario 4
      Symptom
      Solution
    Scenario 5
      Symptom
      Solution
    Scenario 6
      Symptom
      Solution
    Scenario 7
      Symptom
      Solution
  Exercise 2 – Understanding the advance troubleshooting procedures
    Using the Security Containment compartment discover feature (workload containers only)
    Removing or disabling IPFilter
    Removing or disabling IPSec
  Exercise 3 – Removing product using swremove
    Removing (uninstalling) HP-UX Containers
    Removing the HP-UX-SRP bundle for the HP-UX Containers product
Accessing the HPVL Environment
Objectives
After completing this lab, you should be able to access the HPVL environment.
Exercise — Accessing the HPVL environment
Learner-specific information
A username and password for you to access the HP Virtual Lab (HPVL) will be provided as part of your HPVL reservation. You will also be assigned a specific set of equipment called a labgroup. Record this information below:
HPVL username: .........................................................................................
HPVL password: .........................................................................................
Labgroup: .................................................................................................
Prerequisites
Ensure that the computer you use to access the HPVL meets the requirements described in the Connection Reference Guide (das_guide.pdf) document available at:
http://hpvl.usa.hp.com/access.htm
Accessing the HPVL environment
To access the HPVL environment:
1. Using a supported Internet browser, access the URL provided to you with the HPVL reservation. Refer to the Connection Reference Guide for details.
Example http://labs.usa.hp.com
2. At the following HPVL screen, review the HPVL Access Notes displayed, provide the login credentials in the Remote Access Logon for HP Virtual Labs fields, and click Logon.
3. At the Terminal Servers screen, click the HPVL Access – VLTS02 link.
The following screen displays.
Here, you can use:
• The top-right Minimize, Maximize, and Close buttons to change your view or close the window.
• The Toggle Scrollbar link to enable/disable the scrollbar.
• CTRL+ALT+BREAK on your keyboard to toggle between window and full-screen view.
• The Close link to close the window.
4. At the Access a Lab Group screen, click the link corresponding to your labgroup. Labgroup assignments are done by the HPVL team.
The following screen displays:
5. Carefully review the information on this screen. Especially:
a. Read the Overview section.
b. Familiarize yourself with the equipment configuration.
Important: For creating the container in this class, use the IP addresses provided on the webpage shown above.
c. Connect to Telnet to Host server to continue with the HP_UX_Container labs.
d. Read the Lab Cleanup section.
Exiting HPVL
When you are finished with your labs, log out from the connected servers and from HPVL. For exiting your lab, follow the instructions in the Connection Reference Guide (das_guide.pdf) document.
Install and Configure HP-UX Container
Objectives
After completing this lab, you should be able to:
• Validate and install HP-UX Container
• Install System Container and view its default file set layout
• Install Workload Container and view its default file set layout
• View the predefined list of allowed products
Hardware and software requirements
Following are the requirements for this HP-UX Container lab. These are provided by the HPVL.
• HP-UX-SRP bundle from Software depot
• NIC/LAN address
HP-UX Container requires the following software:
• HP-UX 11i Version 3 (B.11.31) for HP 9000 and HP Integrity servers
• HP-UX Security Containment Compartment login
Note: HP recommends that you install HP-UX Security Containment Extensions version B.11.31.01, which includes the Compartment login feature.
• HP-UX Security Containment Extensions patch PHCO_38507
Following are required to use HP-UX to manage these subsystems:
• HP-UX IPFilter version A.11.31.15.01 or later
• HP-UX IPSec version A.02.01.01 or later
• HP Process Resource Manager (PRM) version C.03.03.01 or later
Exercise 1 – Validating and Installing HP-UX Container
Validating the HP-UX Container depot file
Before installing HP-UX Container, you need to validate the HP-UX Container depot file on your system by listing the available bundles in the depot file. To do this, enter the following command from the PuTTY terminal:
# swlist -d @ /classfiles/HP-UX-SRP_A.03.01_HP-UX_B.11.31_IA_PA.depot
Installing the package using swinstall
To install HP-UX Container, enter the following command:
# swinstall -x autoreboot=true -s /classfiles/HP-UX-SRP_A.03.01_HP-UX_B.11.31_IA_PA.depot \*
Note: If the installation fails, the swinstall command displays an error message. For information on the failed installation, check the /var/adm/sw/swagent.log file.
Verifying HP-UX Container installation
Run the following command to ensure that the selected products are installed correctly.
# swverify HP-UX-SRP
If the installation is successful, a list of files is displayed. A success message appears after the verification is complete.
Exercise 2 – Enabling HP-UX Container using the interactive mode
After successful installation, you need to enable HP-UX Container using the srp_sys command.
1. To configure the subsystems on your system, execute the following command:
# /opt/hpsrp/bin/srp_sys -setup
2. Enter y or just press the Enter key to enable the Core subsystem.
3. Enter y or just press the Enter key to enable the Compartment Login feature.
4. Enter y or just press the Enter key to grant the login group access to the global view.
5. Enter y or just press the Enter key to enable Process Resource Manager (PRM).
6. Enter y or just press the Enter key to restrict the IP address that Secure Shell Daemon (sshd) listens to in the global view. At the prompt for enabling IPFilter for SRP, press the Enter key.
Note: HP recommends that you do not enable or disable HP-UX IPFilter when critical network applications are running. Schedule enabling or disabling IPFilter for a time when interrupting network connectivity is not disruptive.
7. At the prompt for enabling IPsec for SRP, enter n or just press the Enter key. This completes the SRP setup.
8. Enter y or just press the Enter key to reboot the server.
The system reboots after successful installation of HP-UX Container.
9. To view the list of subsystems that are configured during the setup, enter the following command:
# /opt/hpsrp/bin/srp_sys -l
Exercise 3 – Creating System Container and viewing its default file set layout
Creating System Container
1. To create a System Container, enter the following command:
# /opt/hpsrp/bin/srp -add system_container -t system
2. The command displays the services that are enabled by default when creating the container:
• cmpt
• admin
• init
• prm
• network
• provision
Next, you need to set the following configurations:
• For the Container's subtype, you can enter either private or shared. For this exercise, enter shared.
• For Autostart container at system boot, enter yes or press the Enter key.
• For the root user password, enter HP and reenter it to confirm.
• For Configure DNS Resolver, enter no or press the Enter key.
3. For the rest of the configurations, accept the default values by pressing Enter until you get the prompt to enter the IP address. Enter the IP address as 192.168.67.49 and press Enter.
4. Next, press Enter to accept the default values. For the Network interface name value, enter the name as lan0. Enter yes to continue.
The System Container is installed.
Viewing file set layout for System Container
To view the subdirectory path (Shared) of the System Container, enter the following command:
# ls /var/hpsrp/<system-container-name>
Here, /var/hpsrp is the default directory path of System Container.
Exercise 4 – Creating Workload Container and viewing its default file set layout
Creating Workload Container
1. To create a Workload Container, enter the following command:
# /opt/hpsrp/bin/srp -add workload_container -t workload
2. View the default values and press the Enter key.
3. Enter the IP address as 192.168.67.50.
4. To continue, enter yes. The Workload Container is installed.
Viewing file set layout for Workload Container
To view the subdirectory path (Shared) of the Workload Container, enter the following command:
# ls /var/hpsrp/<workload-container-name_private>
Here, /var/hpsrp is the default directory path of Workload Container.
Exercise 5 – Modifying the pre-defined list of allowed products
HP has a predefined list of allowed products, as well as restricted products that can never be added to the bundle.
1. You can modify the allowed products list using the following commands:
# cd /opt/hpsrp/bin
# ./srp_allowed_product -add_depot /classfiles/HP-UX-SRP_A.03.01_HP-UX_B.11.31_IA_PA.depot
2. To view a list of products in a depot, enter the following command:
# /opt/hpsrp/bin/srp_allowed_product -list_depot /classfiles/HP-UX-SRP_A.03.01_HP-UX_B.11.31_IA_PA.depot
Installing and Managing HP 9000 Containers
Objectives
After completing this lab, you should be able to:
• Validate and install HP 9000 Containers
• View HP 9000 Containers file system layout
• Administer HP 9000 Containers
Hardware and software requirements
Following are the requirements for this SRP lab. These are provided by the HPVL.
• HP9000 Container bundle from Software depot
• NIC/LAN address
HP-UX Container requires the following software:
• HP-UX 11i Version 3 (B.11.31) for HP 9000 and HP Integrity servers
• HP 9000 Containers A.03.01.01. All required dependencies are enforced during software installation. The list of dependencies is documented in the release notes.
• Installation pre-requisites:
• HP-UX 11i v3 March 2011 update (or later)
• HP-UX Containers A.03.01 (or later)
• HP ARIES patch PHSS_41423 or later
• Perl version 5.8.8 (or later)
• HP-UX SecureShell version A.05.00.012 (or later)
If any of the above dependencies is not already installed, the HP9KC depot installation will fail.
Exercise 1 – Validating and installing HP9000 Container
Validating the HP9000 Container depot file
Before installing HP9000 Container, you need to validate the HP9000 Container depot file on your system by listing the available bundles in the depot file. To do this, enter the following command from the PuTTY telnet terminal:
# swlist -d @ /classfiles/A.03.01.01_HP9KContainers_A.03.01.01_HP-UX_B.11.31_IA.depot
Installing the package using swinstall
To install the package, perform the following steps:
1. Change to the directory where the depot file is located by entering the following command:
# cd /classfiles
2. To install the HP9000 Container, enter the following command:
# swinstall -x autoreboot=true -s /classfiles/A.03.01.01_HP9KContainers_A.03.01_HP-UX_B.11.31_IA.depot \*
Note: If the installation fails, the swinstall command displays an error message. For information on the failed installation, check the /var/adm/sw/swagent.log file.
Verifying HP-UX Container installation
Run the swverify command to ensure that the selected products are installed correctly. If the installation is successful, a list of files is displayed. A success message appears after the verification is complete.
# swverify HP9KContainers
Exercise 2 – Viewing HP 9000 Containers file system layout
To view HP 9000 System Container File system layout, perform the following steps:
1. To browse the directory, enter the following command:
# cd /opt/HP9000-Containers/
2. To list the directory structure of HP9000-Containers, enter the following command:
# ls
3. To view the files and directory in HP9000 Container bin directory, enter the following command:
# ls /opt/HP9000-Containers/bin
4. To list the directory structure under the docs folder, enter the following command:
# ls /opt/HP9000-Containers/docs
5. To list the directory structure under the config folder, enter the following command:
# ls /opt/HP9000-Containers/config
6. To list the directory structure under the newconfig folder, enter the following command:
# ls /opt/HP9000-Containers/newconfig
Exercise 3 – Administering HP 9000 Containers
Most of the administration tasks for HP 9000 containers need to be performed from the HP-UX 11i v3 host system (referred to as the global compartment in the following sections).
By default, the root user on the host system is assigned administrator privilege for lifecycle management (start, stop, export, import, delete, modify) of the container.
1. To create the user rohn and set the password to rohn, enter the following commands:
# useradd -m rohn
# passwd rohn
2. To add rohn as SRPadmin, enter the following command:
# roleadm assign rohn SRPadmin
Appendix A – Transitioning from HP 9000 server
Note: The steps provided within this exercise are for reference only.
Following are the essential steps that need to be followed in transitioning the entire application environment from an HP 9000 server running HP-UX 11i operating system to an HP 9000 Container on an HP-UX 11i v3 instance running on an HP Integrity server:
1. Decide which HP 9000 Container model to use.
2. Create the HP 9000 server file system image.
3. Set up the user environment for recovery.
4. Recover HP 9000 files on the HP Integrity server.
5. Complete HP Integrity system configuration.
6. Create and configure an HP 9000 Container.
7. Start the HP 9000 Container and test applications; tweak the HP 9000 Container, if needed.
The general recommendation is to use HP 9000 System Container, except where:
• There is a need to continue using trusted mode.
• The environments are legacy (pre HP-UX 11i v1).
• There is a need for a non-emulated login process.
• There is a need for user auditing.
To create the server system image, use tar or cpio.
Note: When using tar or cpio, ensure that the backup is done without including the “/” prefix. This is because the backup is intended to be restored under an alternate root, and not at the system root on the Integrity system.
For example:
$ cd /
$ tar -cvf archive.tar dev etc opt var stand
Note: cpio is not supported for use with HP 9000 classic containers.
To set up the user environment for recovery for System Container:
If cpio, tar, or fbackup was used to create the image, there is no need to set up any user environment prior to recovery. HP 9000 Containers provides a tool to recover such archives. Note that Ignite-UX images are also either tar or cpio archives, so they fall into this category.
If any other tool was used for creating the image, and the tool has an option to recover files purely based on numeric UID/GID, then no user environment needs to be set up before the recovery.
If the tool used for creating the image gives preference to user name and group name over UID and GID respectively, then the following needs to be done on the host system before the recovery. These steps imply that no users apart from root can log in to the system while the recovery is going on.
• Take a backup of host user related files:
$ cp -p /etc/passwd /etc/passwd.backup
$ cp -p /etc/group /etc/group.backup
$ cp -p /etc/nsswitch.conf /etc/nsswitch.conf.backup
• Edit /etc/nsswitch.conf entry for users to include only files users files.
• Delete all entries from /etc/group file other than root, other, bin, sys, adm, daemon.
• Delete all entries from /etc/passwd file on host other than root, daemon, bin, sys, adm.
Setting up environment for Classic Container:
A classic HP 9000 Container shares the /etc directory and login mechanism with the HP-UX 11i v3 host system. Hence, HP 9000 users and groups need to be merged into the host before doing the recovery.
Recover HP 9000 /etc directory.
The input for the user migration process is a copy of the /etc directory from the HP 9000 server. Get a tar archive of /etc and recover it under /tmp on the HP Integrity server. It may also be possible to recover /etc from the complete file system image.
For example, here is how to extract /etc from a complete fbackup image:
$ mkdir /tmp/HP9000
$ echo "i etc" > /tmp/HP9000/graph
$ cd /tmp/HP9000
$ frecover -x -X -f <image file> -g /tmp/HP9000/graph
For system configuration:
Enable trusted mode on HP Integrity host using SMH, if HP 9000 server was configured with trusted mode.
Enable shadow mode on HP Integrity host using pwconv command, if HP 9000 server was configured with shadow password.
For user and group migration:
Run the user merge tool as:
$ /opt/HP9000-Containers/bin/hp9000_conf_users <path to recovered /etc directory>
Check for errors or warnings on stderr and in the log file /var/opt/HP9000-Containers/logs/user_config.log.
To install and configure user management related products on the host:
With the classic container the SSH login process is actually native (does not use products from the HP 9000 image). It is just towards the end of the login process that SSHD does a chroot into the HP 9000 file system and invokes a PA-RISC shell. Hence, if there is a requirement to use NIS, LDAP or any other Active Directory tool, the same needs to be installed and configured on the Integrity host system.
To create the root directory for HP 9000 files:
Each HP 9000 container will have its own root directory on the host system. It is recommended that the root directory does not reside on the Integrity host root file system.
The HP 9000 root directory itself could be a mount point. In fact, if the System Container is being used and there is an intention to host multiple containers on the same host, it is advised that the container root directories be in separate logical volumes. This is the only way to assign disk quotas to containers now. By placing the home for each container in its own LUN, storage performance can be improved.
If the container is being created on the primary node of a Serviceguard cluster and the intention is to use the container package model, it is necessary for the HP 9000 root directory to be a mount point. More information can be found in the chapter Integration with Serviceguard.
The HP 9000 root directory should not be a symbolic link or a hard link. The requirement for container root directory path is different between the two models of HP 9000 Containers.
For System Container, the root directory needs to be created under /var/hpsrp with the name of the container.
$ mkdir /var/hpsrp/<srp_name>
For Classic Container, the root needs to be created under “/”. For example:
$ mkdir /hp9000
The root directory is referred to as <hp9000_root> in the sections to follow.
To set ownership and permissions:
$ chown root:sys <hp9000_root>
$ chmod 0755 <hp9000_root>
It is recommended, for security reasons, that <hp9000_root> is not on the same file system as /usr is, especially for the System Container where multiple containers may be hosted on the same system.
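The directory guidance above (not a symbolic link, owned by root:sys with mode 0755, and on a different file system from /usr) can be checked before the container is created. The following script is an added example, not part of the HP lab guide; the function names, the EXPECT_OWNER variable, and the assumption that root:sys is numeric 0:3 are illustrative.

```sh
#!/bin/sh
# Added example (not from the lab guide): audit a container root directory.
# Assumption: root is UID 0 and group sys is GID 3; override EXPECT_OWNER if not.
# Only ls, df and awk are used, because HP-UX does not ship a stat(1) command.

EXPECT_OWNER="${EXPECT_OWNER:-0:3}"   # root:sys as numeric uid:gid
EXPECT_MODE="drwxr-xr-x"              # what chmod 0755 produces on a directory

# Print the 10-character type/permission string (drops any trailing ACL mark).
mode_of() { ls -ldn "$1" | awk '{ print substr($1, 1, 10) }'; }

# Print the numeric owner as uid:gid.
owner_of() { ls -ldn "$1" | awk '{ print $3 ":" $4 }'; }

# Print the mount point of the file system that holds a path.
fs_of() { df -P "$1" | awk 'NR == 2 { print $NF }'; }

# audit_container_root ROOT [REFERENCE]
# Prints one finding per line and returns 0 only when there are none.
# REFERENCE defaults to /usr, the file system the root should not share.
audit_container_root() {
    root=$1
    ref=${2:-/usr}
    findings=0

    # A symbolic link is rejected outright; nothing else is worth checking.
    if [ -h "$root" ]; then
        echo "symlink: $root is a symbolic link"
        return 1
    fi
    if [ ! -d "$root" ]; then
        echo "missing: $root is not a directory"
        return 1
    fi

    owner=$(owner_of "$root")
    if [ "$owner" != "$EXPECT_OWNER" ]; then
        echo "owner: $root is owned by $owner, expected $EXPECT_OWNER"
        findings=$((findings + 1))
    fi

    mode=$(mode_of "$root")
    if [ "$mode" != "$EXPECT_MODE" ]; then
        echo "mode: $root is $mode, expected $EXPECT_MODE"
        findings=$((findings + 1))
    fi

    # Same mount point means the root shares a file system with REFERENCE.
    if [ "$(fs_of "$root")" = "$(fs_of "$ref")" ]; then
        echo "samefs: $root is on the same file system as $ref"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Stand-alone use: sh audit_root.sh /var/hpsrp/<srp_name> [/usr]
if [ "$#" -ge 1 ]; then
    audit_container_root "$@"
fi
```

Run it as root on the host with the container root as the first argument; a non-zero exit status means at least one finding was printed.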
To configure mount points inside the container root:
If the files within the container need to be recovered onto mount points, create them on the HP-UX 11i v3 host. For example:
$ mkdir <hp9000_root>/var
$ chown bin:bin <hp9000_root>/var
$ chmod 0555 <hp9000_root>/var
$ mount -F <fstype> <from where> <hp9000_root>/var
Post recovery steps after the recovery is complete:
Manually check if all the basic directories (/etc, /home, /opt, /tmp, /usr, /var, /stand) have been recovered properly.
Directories that have not been copied over need to be created manually and assigned proper ownership and permissions. For example:
$ mkdir <hp9000_root>/var/adm/crash
$ chmod 0755 <hp9000_root>/var/adm/crash
$ chown root:root <hp9000_root>/var/adm/crash
For the System Container, when using tools other than cpio, tar, and fbackup, if the host files were modified before recovery, restore them:
$ cp -p /etc/passwd.backup /etc/passwd
$ cp -p /etc/group.backup /etc/group
$ cp -p /etc/nsswitch.conf.backup /etc/nsswitch.conf
Trusted mode is not supported with the System Container. If the recovered file system has trusted mode enabled (search for /tcb under <hp9000_root>), disable it using the following set of commands:
$ mkdir <hp9000_root>/usr/lib/hpux32
$ mount -F lofs -o ro /usr/lib/hpux32 <hp9000_root>/usr/lib/hpux32
$ chroot <hp9000_root> /usr/lbin/tsconvert -r
$ umount <hp9000_root>/usr/lib/hpux32
Configuring the HP 9000 container
Pre-requisites
The user environment has been set up as described in Setting up user environment for recovery.
The HP 9000 root directory has been created. In particular, for System Container the root directory /var/hpsrp/<srp_name> is on a file system that is separate from that of /usr/lib. For Classic Container, the entire path up to the root directory is to be owned by root:sys or root:root.
The HP 9000 files have been recovered at the root path as described in Recovering HP 9000 files.
If PRM is being used for resource allocation between multiple containers, decide on whether FSS (fair share scheduler) or PSET (processor set) will be used for CPU. Also, decide on the number of shares/cores to be allocated for the container. For FSS, the percentage entitlement is calculated as:
(Number of shares assigned to a particular PRM Group) / (Sum of the shares assigned to all PRM Groups)
Creating an HP 9000 Container
For HP 9000 System Container, add the hp9000sys template:
$ srp -add <srp_name> -t hp9000sys
For HP 9000 classic container, add the hp9000cl template:
$ srp -add <srp_name> -t hp9000cl
Note For more details regarding a live migration of an HP 9000 server to an HP 9000 Container within an HP Integrity server running HP-UX 11i v3 and SRP v3, refer to HP 9000 Container Administrative Guide for version 3.00 or above.
Appendix B – Additional screenshots
Note The steps provided within this exercise are for reference only.
Creating system container in HP9000
1. To create an HP9000 Container, enter the following command:
# srp -add sys_9000 -t hp9000sys
2. Accept the default values, or change them as needed. When prompted for PRM FSS group CPU shares, enter any number between 1-10 and press the Enter key.
3. When you are prompted for PRM group memory shares, enter any number between 1-10 and press the Enter key.
4. Enter the IP address 192.168.67.50. You will have some free IP addresses and need to select one of them.
! Important Do not enable IPFilter as it has not been tested with HP 9000 Containers yet.
5. Enter no when you are prompted for Add IPFilter rules for IPSec and press the Enter key.
6. Accept the default values for Add IP address to netconf file and for IP subnet mask, and enter lan3 as the Network Interface name.
7. Accept the default value for gateway server IP address for default route and enter yes to continue.
Here, you will receive a warning stating that you need to enable IPFilter.
8. To enable IPFilter, enter the following command:
# ipfilter -e
Configure and Manage Containers
Objectives
After completing this lab, you should be able to:
Configure HP-UX Containers
Manage containers using the Secure Resource Partition (srp) command
Hardware and software requirements
Following are the requirements for this SRP lab. These are provided by the HPVL.
HP-UX-SRP bundle from Software Depot
NIC/LAN address
HP-UX SRP requires following software:
• HP-UX 11i Version 3 (B.11.31) for HP 9000 and HP Integrity servers
• HP-UX Security Containment Compartment login
Note HP recommends that you should install HP-UX Security Containment Extensions version B.11.31.01, which includes the Compartment login feature.
• HP-UX Security Containment Extensions patch PHCO_38507
Following are required to use HP-UX to manage these subsystems:
• HP-UX IPFilter version A.11.31.15.01 or later
• HP-UX IPSec version A.02.01.01 or later
• HP Process Resource Manager (PRM) version C.03.03.01 or later
Exercise 1 – Configuring HP-UX Container using interactive mode
After successful installation, you should enable HP-UX Containers by using the srp_sys command. This command requires several subsystems to be configured on your system.
1. To do this, enter the following command and accept all the default values:
# /opt/hpsrp/bin/srp_sys -setup
2. Press Enter to accept the default values.
3. To view the subsystems, enter the following command:
# /opt/hpsrp/bin/srp_sys -l
Setting up Process Resource Manager
HP-UX Containers supports the ability to allocate CPU and memory usage per container. By default, each container on the system is assigned a Process Resource Manager (PRM) group. Each PRM group can be assigned CPU and memory allocations.
1. To enable PRM, enter the following command:
# srp_sys -enable prm
You can verify that the PRM configuration is loaded for the group used by the container, by entering the prmlist and prmmonitor commands. The default PRM group name is the container name.
2. To view the list, enter the following command:
# prmlist
3. The prmlist -g -s command displays configuration information for PRM groups (-g) and the PRM group for each Security Containment Compartment (-s):
# prmlist -g -s
4. To monitor the containers you have created, enter the following command:
# prmmonitor
5. To view the PRM configuration of the containers you have created, enter the following command:
# prmconfig
While creating a container using PRM, you should remember the following parameters:
prm_group_name: Name of the PRM group dedicated to this container. Default value is the container name.
prm_group_type: PRM CPU allocation type (PSET or FSS). Default value is FSS.
prm_cores: Number of processor cores allocated (For PSET only). Default value is 1.
prm_cpu_shares: Number of CPU shares allocated (For FSS only). Default value is 10.
prm_cpu_max: Maximum percentage of CPU available (For FSS only). Default value is No cap.
prm_mem_shares: Specifies a maximum (upper bound) for memory consumption of system’s memory for user processes.
prm_mem_max: Specifies a maximum (upper bound) for memory consumption of system’s memory for user processes. Default value is No cap.
prm_phys_mem: Memory in MB allocated for shared memory usage. Default value is 0 (no dedicated physical shared memory).
6. To disable PRM on containers you have created, enter the following command:
# srp_sys -disable prm
IPFilter
This service allows you to control the network traffic of the container according to the packet attributes using HP-UX IPFilter. Enabling this service allows you to configure IPFilter rules for the container. Containers created with the IPFilter service have all their inbound networking traffic blocked and should be enabled on a per container basis.
! Important Enabling or disabling IPFilter briefly brings down all IP interfaces on the system. It then brings up only the IP interfaces configured in the /etc/rc.config.d/netconf and /etc/rc.config.d/netconf-ipv6 files. HP recommends that you should not enable or disable IPFilter when critical network applications are running. Enable or disable IPFilter only when interrupting the network connectivity is not disruptive.
1. To enable IPFilter on containers you have created, enter the following command:
# srp_sys -enable ipfilter
2. To view the active (loaded) inbound and outbound IPFilter rules, enter the following command:
# ipfstat -io
3. To disable the IPFilter for the containers you have created, enter the following command:
# /opt/ipf/bin/ipfilter -d
IPSec module (ipsec)
Enabling this service allows you to configure HP-UX IPSec policies for the container. If IPSec module is enabled on the system using srp_sys, you can configure the container to apply IPSec policies to encrypt and authenticate packets between the container IP address and a remote IP address.
ipf_for_ipsec specifies whether to add IPFilter rules that allow IPSec packets. The default value for this is No.
1. To enable IPSec, you need to set the ipsec_admin password by entering the following command:
# ipsec_admin -np
Note The password should be at least 15 characters long.
2. Next, you have to run the following command:
# srp_sys -setup
Note This command is already discussed in the Exercise 1 of this lab.
3. Accept all the default values until you get the prompt for IPsec configuration. At the IPsec prompt, enter y or press the Enter key to enable IPsec.
Creating container using batch mode
To create the container using the batch mode, enter the following command:
# /opt/hpsrp/bin/srp -add newcontainer -batch ip_address=192.168.67.52 iface=lan2
The configuration settings are specified within the command.
Exercise 2 – Managing containers using the srp command
The srp command is used for configuring and managing systems and containers. It allows you to add, update, delete, list, and manage containers using command line interface (CLI).
The srp_ps command
To report process status for a specific container on the system, enter:
# /opt/hpsrp/bin/srp_ps
Note Reports from the global view that include processes running in a system container should display user, group, and command string information in an altered form.
To report process status for the global view, log in to the global view and enter the following command:
# srp_ps -ef
Starting and stopping a container
System Container
1. To start the System Container, enter the following command:
# srp -start sys_con
2. To stop the System Container, enter the following command:
# srp -stop sys_con
3. To view the status of the System Container, enter the following command:
# srp -status sys_con
4. To view the status in verbose mode:
# srp -status sys_con -verbose
Workload Container
1. To start the Workload Container, enter the following command:
# srp -start wrk_con
2. To stop the Workload Container, enter the following command:
# srp -stop wrk_con
Adding the sshd template to a Workload Container
To add the sshd template to a Workload Container, enter the following command:
# srp -add wrk_con -t sshd
Note sshd template will only be applied on a Workload Container.
Deleting a Workload Container
To delete a Workload Container, enter the following command:
# /opt/hpsrp/bin/srp -d wrk_con
Use and Maintain HP UX Containers
Objectives
After completing this lab, you should be able to:
Create a base SRP compartment
Network with containers
Hardware and software requirements
Following are the requirements for this lab. These are provided by the HPVL.
HP-UX-SRP bundle from Software depot
NIC/LAN address
HP-UX-SRP requires the following software:
• HP-UX 11i Version 3 (B.11.31) for HP 9000 and HP Integrity servers
• HP-UX Security Containment Compartment login
Note HP recommends that you should install HP-UX Security Containment Extensions version B.11.31.01, which includes the Compartment login feature.
• HP-UX Security Containment Extensions patch PHCO_38507
Following are required to use HP-UX to manage these subsystems:
• HP-UX IPFilter version A.11.31.15.01 or later
• HP-UX IPSec version A.02.01.01 or later
• HP Process Resource Manager (PRM) version C.03.03.01 or later
Exercise 1 – Creating a base SRP compartment
Following is the example for creating a base SRP template:
You will create an HP-UX Container for Red Hat Directory Server and remote SSH access. Always start with the base template. Then you will use the ssh and custom templates.
You use the -batch option to fit all the options. If you do not use the -batch option, the system will prompt you for each of the inputs.
Since you already ran srp_setup, the INIT compartment and the /var/hpsrp directory exist.
The command to create an HP-UX Container for Red Hat Directory Server and remote SSH access is:
# srp -add AcmeCo -batch admin_user=root login_group=root ip_address=192.168.37.51 prm_group_type=PSET prm_cores=1 iface=lan1
The system creates the /etc/cmpt/AcmeCo.rules file and the AcmeCo file system. To view the rules file, enter the following command:
# vi /etc/cmpt/AcmeCo.rules
compartment AcmeCo {
//@tag-start compartment="AcmeCo" template="base" service="network" id="1";
// owns the IP address
interface 192.168.37.51
//@tag-end;
//@tag-start compartment="AcmeCo" template="base" service="cmpt" id="1";
#include "/etc/opt/hpsrp/cmpt/base.srp_incl"
// lock out access to the other compartment's root directory
perm nread /var/hpsrp
// open access to compartment root
perm all /var/hpsrp/AcmeCo
perm read /var/hpsrp/AcmeCo/.srp
//@tag-end;
}
~
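The comments in the rules listing above state the isolation policy: the shared parent /var/hpsrp is locked out and access is opened only under the compartment's own root. The following added example (not part of the lab guide or of SRP) audits a rules file in this format against that policy and against the IP address given to srp -add; audit_rules, rules_from_page and rules_weakened are hypothetical names, the policy is inferred from the listing's comments, and the included base.srp_incl file is not examined.

```shell
#!/bin/sh
# Added example: audit a compartment rules file in the format shown above.
# audit_rules NAME [IP] < rules-file
# Prints one FAIL line per finding; returns 0 only when there are none.
audit_rules() {
    awk -v name="$1" -v ip="$2" -v base="/var/hpsrp" '
        BEGIN { own = base "/" name }
        { sub(/^[ \t]+/, "") }                    # drop indentation
        $0 == "" || /^\/\// || /^#/ { next }      # comments, tags, includes
        $1 == "interface" { seen_ip[$2] = 1; next }
        $1 == "perm" {
            # the rule the listing describes as the lock-out
            if ($3 == base && $2 == "nread") { lock = 1; next }
            # appending "/" keeps AcmeCorp from matching AcmeCo
            inside = (index($3 "/", own "/") == 1)
            if ($3 == base || (index($3, base "/") == 1 && !inside)) {
                print "FAIL: perm " $2 " " $3 " reaches outside " own
                bad++
            }
        }
        END {
            if (!lock) { print "FAIL: missing perm nread " base; bad++ }
            if (ip != "" && !(ip in seen_ip)) {
                print "FAIL: compartment does not own interface " ip
                bad++
            }
            exit (bad > 0)
        }
    '
}

# The listing from the page, with the page-break residue removed.
rules_from_page() {
cat <<'EOF'
compartment AcmeCo {
//@tag-start compartment="AcmeCo" template="base" service="network" id="1";
// owns the IP address
interface 192.168.37.51
//@tag-end;
//@tag-start compartment="AcmeCo" template="base" service="cmpt" id="1";
#include "/etc/opt/hpsrp/cmpt/base.srp_incl"
// lock out access to the other compartment's root directory
perm nread /var/hpsrp
// open access to compartment root
perm all /var/hpsrp/AcmeCo
perm read /var/hpsrp/AcmeCo/.srp
//@tag-end;
}
EOF
}

# Constructed weak variant: the lock-out rule is gone and a rule opens a
# sibling directory whose name merely starts with "AcmeCo".
rules_weakened() {
    rules_from_page | sed -e '/perm nread/d' \
        -e 's#perm read /var/hpsrp/AcmeCo/\.srp#perm all /var/hpsrp/AcmeCorp#'
}

rules_weakened | audit_rules AcmeCo 192.168.37.51 || true
```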
To view the network configuration of the container as well as of the network interface, enter the following command:
# vi /etc/rc.config.d/netconf
HOSTNAME="rx26-337"
OPERATING_SYSTEM=HP-UX
LOOPBACK_ADDRESS=127.0.0.1
INTERFACE_NAME[2]="lan1:1"
INTERFACE_SKIP[2]=true
IP_ADDRESS[2]="192.168.37.51"
SUBNET_MASK[2]=""
INTERFACE_STATE[2]="up"
BROADCAST_ADDRESS[2]=""
DHCP_ENABLE[2]=0
INTERFACE_MODULES[2]=""
IPV4_CMGR_TAG[2]='compartment="AcmeCo" template="base" service="network" id="1"'
ROUTE_DESTINATION[2]="default"
ROUTE_SKIP[2]="true"
ROUTE_MASK[2]=""
ROUTE_GATEWAY[2]="192.168.37.51"
ROUTE_COUNT[2]=0
ROUTE_ARGS[2]=""
ROUTE_SOURCE[2]="192.168.37.51"
ROUTE_PARAMS[2]=""
Exercise 2 – Networking with containers
Each container is allocated one or more logical network IP address interfaces. By default, a container will only be allowed access to its assigned interface. Multiple containers can utilize a single physical network interface.
1. To view the IP address of the server, enter the following command:
# ifconfig lan0
2. To display network configuration of the container, enter the following command:
# srp -l system_container -v -s network
3. To display the status of the container, enter the following command:
# srp -status system_container
4. To view the details of the routing table, enter the following command:
# netstat -r
5. To view the details of the network interface, enter the following command:
# netstat -i
6. By using this command you can view the statistics of following protocols:
• TCP
• UDP
• IP
• IPv6
• IGMP
• ICMP
• ICMPv6
Integration with Serviceguard
Objectives
After completing this lab, you should be able to:
Understand Serviceguard and when to use which model
Create a container to use with Serviceguard
Adapt Serviceguard script for different type of model
Hardware and software requirements
Following are the requirements for this lab. These are provided by the HPVL.
HP-UX-SRP bundle from Software depot
NIC/LAN address
HP-UX Container requires the following software:
• HP-UX 11i Version 3 (B.11.31) for HP 9000 and HP Integrity servers
• HP-UX Security Containment Compartment login
Note HP recommends that you should install HP-UX Security Containment Extensions version B.11.31.01, which includes the Compartment login feature.
• HP-UX Security Containment Extensions patch PHCO_38507
Following are required to use HP-UX to manage these subsystems:
• HP-UX IPFilter version A.11.31.15.01 or later
• HP-UX IPSec version A.02.01.01 or later
• HP Process Resource Manager (PRM) version C.03.03.01 or later
Exercise 1 – Understanding Serviceguard and usage of model
Overview
Serviceguard allows you to create high availability clusters of HP 9000 or HP Integrity servers. A high availability computer system allows application services to continue in spite of a hardware or software failure. Highly available systems protect users from software failures as well as from failure of a system processing unit (SPU), disk, or local area network (LAN) component.
You can use Serviceguard to:
Allow high availability computer application services to carry on with the services in spite of a hardware or software failure.
Manage a Serviceguard package executing within a container, or manage the container itself as a Serviceguard package.
Coordinate the transfer of components between high availability subsystems.
Backup the event. If any component fails then the redundant component takes over.
Selecting a model
Two different models are available when using Serviceguard with HP-UX Containers: the classic model and the container package model.
In the classic model, the container is in the started state and Serviceguard has not yet started managing the application inside the container. This model is most compatible with the existing Serviceguard packages. You should use this model:
When Serviceguard has not yet started managing the application inside the container.
To ensure compatibility with the existing Serviceguard packages.
In the container package model, the container itself is the Serviceguard package. This model takes advantage of the capabilities of HP-UX Containers by simplifying the Serviceguard scripts and allowing application startup and shutdown to be managed by HP-UX Containers. You should use this container to:
Start the container initialization and shutdown process.
Stop the applications within the container.
Simplify the Serviceguard packages and reduce maintenance and administration of startup and shutdown activities.
Choose either Serviceguard or HP-UX Containers to control the file system mounting and the network interface management.
Exercise 2 – Creating a container to use with Serviceguard
If you want to create a container that will use Serviceguard, you must first determine how HP-UX Containers and Serviceguard will interact together. The following steps will give you the information that you need to configure a container appropriately:
1. Select the model.
If you have existing Serviceguard control scripts that you want to leverage, it is recommended that you use the classic model. For a new deployment of a Serviceguard package, it is recommended that you use the container package model as it is easier to create.
2. Select which application will have control.
Determine whether HP-UX Containers or Serviceguard will control the mounting of file systems and management of the network interface, as follows:
• If you have selected the classic model, then use Serviceguard to control the mounting of file systems and management of the network interface. If you have selected the container package model, then use HP-UX Containers to control the file system mounting and management of the network interface.
• If you want to use the Serviceguard network failover capability, then Serviceguard must control the management of the network interface.
! Important Unlike HP-UX Containers, Serviceguard does not support the system network configuration files /etc/rc.config.d/netconf and netconf-ipv6. Therefore, a Serviceguard package during startup can unknowingly use container assigned network interfaces which are not active when the package is started, but are configured in /etc/rc.config.d/netconf or netconf-ipv6 for a container’s use. When the container with the conflicting network interface is started, the active Serviceguard package can fail or result in loss of network connectivity. As a rule, a Serviceguard managed container and a non-Serviceguard managed container on the system must not share the same physical network interface.
Network interface configuration:
DEFAULT_INTERFACE_MODULES=" "
INTERFACE_NAME[1]="lan1"
IP_ADDRESS[1]="192.168.67.32"
SUBNET_MASK[1]="255.255.255.0"
DHCP_ENABLE[1]="0"
LANCONFIG_ARGS[0]=ether
ROUTE_DESTINATION[1]=default
ROUTE_GATEWAY[1]=10.99.0.251
ROUTE_COUNT[1]=1
3. Create the container.
When you create a container that will use Serviceguard, you must indicate in the Container Manager or the command line interface to support the desired Serviceguard behavior as follows:
a. Enter the following command to create a container:
# srp -add containerw -t workload
b. You will be prompted for various options. All these options are already discussed in Exercise 3 of Lab 1 – Install and Configure HP-UX Container.
c. When prompted for adding IP address to netconf file, press Enter to instruct HP-UX Containers to control network interface management. Enter no to defer control of network management to Serviceguard.
Note If you use the srp command for configuration, you can use the variable assign_ip=yes|no to specify the behavior. This option informs HP-UX Containers whether or not the container controls the starting and stopping of the assigned network interface. Either option may be used with Serviceguard, but entering no allows Serviceguard to control the interface, allowing support of network interface failover.
d. When prompted for Autostart SRP container at system boot, press Enter for the classic model or enter no for the container package model.
e. Enter yes to make the selected modifications with these values.
f. For Serviceguard network failover capability, you need to create a secondary (failover) container.
To create a secondary container, you can use the export and import features to clone the container on a secondary system.
Note In the HPVL environment, only Workload Containers support the sharing of container home directory (using Serviceguard volume) between cloned containers in different physical systems.
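The Important note in step 2 gives a rule that can be checked from /etc/rc.config.d/netconf: entries carrying an IPV4_CMGR_TAG belong to containers, and their physical interface must not also be used by a Serviceguard package. The following added example (not part of the lab guide) reports such overlaps; sg_conflicts and netconf_sample are hypothetical names, the list of Serviceguard-managed interfaces is supplied by the administrator, and the sample netconf content is constructed in the format shown in this guide.

```shell
#!/bin/sh
# Added example: find physical interfaces that netconf assigns to a container
# and that Serviceguard also manages.
# sg_conflicts "IFACE ..." < netconf
# Prints one CONFLICT line per overlap; returns 0 only when there are none.
sg_conflicts() {
    found=$(awk -v sg="$1" '
        # index inside NAME[idx]=...
        function num(s) {
            return substr(s, index(s, "[") + 1, index(s, "]") - index(s, "[") - 1)
        }
        # value after "=", double quotes removed
        function val(s) {
            s = substr(s, index(s, "=") + 1); gsub(/"/, "", s); return s
        }
        BEGIN { n = split(sg, a, " "); for (i = 1; i <= n; i++) sgset[a[i]] = 1 }
        /^INTERFACE_NAME\[[0-9]+\]=/ {
            v = val($0); sub(/:.*/, "", v)     # lan1:1 -> lan1
            phys[num($0)] = v
        }
        /^IP_ADDRESS\[[0-9]+\]=/ { ip[num($0)] = val($0) }
        /^IPV4_CMGR_TAG\[[0-9]+\]=/ && match($0, /compartment="[^"]+"/) {
            cmpt[num($0)] = substr($0, RSTART + 13, RLENGTH - 14)
        }
        END {
            for (k in cmpt)
                if (phys[k] in sgset)
                    print "CONFLICT: " phys[k] " carries container " cmpt[k] \
                          " (" ip[k] ") and is Serviceguard-managed"
        }
    ' | sort)
    if [ -z "$found" ]; then
        return 0
    fi
    echo "$found"
    return 1
}

# Constructed sample in the netconf format shown in this guide.
netconf_sample() {
cat <<'EOF'
INTERFACE_NAME[0]="lan0"
IP_ADDRESS[0]="192.168.67.32"
INTERFACE_NAME[2]="lan1:1"
IP_ADDRESS[2]="192.168.37.51"
IPV4_CMGR_TAG[2]='compartment="AcmeCo" template="base" service="network" id="1"'
INTERFACE_NAME[3]="lan2:1"
IP_ADDRESS[3]="192.168.67.52"
IPV4_CMGR_TAG[3]='compartment="newcontainer" template="base" service="network" id="1"'
EOF
}

# Demo: assume Serviceguard packages use lan1 and lan3.
netconf_sample | sg_conflicts "lan1 lan3" || true
```

The same function can be run against netconf-ipv6 only if its entries use the same variable names, which this example does not assume.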
Exercise 2 – Adapting Serviceguard scripts for different type of model
The example in this exercise shows the classic model approach to modify an existing Serviceguard script to work with HP-UX Containers. If you want Serviceguard to manage or monitor the applications executing within the managed container, use the srp_su command to let Serviceguard access the container.
You must prepend the srp_su command to the command that requires execution within a container.
The Serviceguard package was modified to control a package executing in the container. The service_cmd value is the only value that changed in the script:
Before change in script:
service_name service_ping
service_cmd "/usr/sbin/ping node_a"
service_restart unlimited
service_fail_fast_enabled no
service_halt_timeout 300
After change made in script:
service_name service_ping
service_cmd "/opt/hpsrp/bin/srp_su myContainer root -c '/usr/sbin/ping node_a'"
service_restart unlimited
service_fail_fast_enabled no
service_halt_timeout 300
Either HP-UX Containers or Serviceguard can manage the network interfaces.
If Serviceguard is managing the network interfaces, then the package is configured to create the default route for any container IP address.
The Serviceguard package was modified to add a default route through the external_script parameter:
Before change in script:
# SG ip address
ip_subnet 192.168.67.0
ip_address 192.168.67.49
After change made in script:
# SG ip address
ip_subnet 192.10.25.0
ip_address 192.10.25.12
# srp_route_script configures the required source based routing entries for
# the SG managed IP addresses
external_script /etc/cmcluster/pkg1/srp_route_script
Container default route script for Serviceguard: srp_route_script
The following script can be used by a Serviceguard package to assign a default route for an IP address associated with a container. This script is included with the HP-UX Containers Serviceguard and you can view it using the following command:
# vi /opt/hpsrp/example/serviceguard/srp_as_sg_package/srp_route_script
# Copyright (c) 2009 Hewlett-Packard Development Company L.P.
#
# This script runs the 'route' command to manage source based routing entry
# for the SRP.
#
# This script should be configured into the package configuration file
# as the first "external_script" parameter entry. It will be executed
# right after Serviceguard IP addresses assignment during package start time,
# and before removing IP addresses during package halt time.
#
# This script uses the environment variable SRP_SG_MANAGED_IP and
# SRP_SG_GATEWAY. The environment variables must be set in the
# srp_script.incl file in the same directory as this script.
#
###########################
# Source utility functions.
###########################
if [[ -z $SG_UTILS ]]
then
    . /etc/cmcluster.conf
    SG_UTILS=$SGCONF/scripts/mscripts/utils.sh
fi
if [[ -f ${SG_UTILS} ]]; then
    . ${SG_UTILS}
    if (( $? != 0 ))
    then
        echo "ERROR: Unable to source package utility functions file: ${SG_UTILS}"
        exit 1
    fi
else
    echo "ERROR: Unable to find package utility functions file: ${SG_UTILS}"
    exit 1
fi
###################################################################
#
# Get the environment for this package through utility function
# sg_source_pkg_env().
#
###################################################################
sg_source_pkg_env $*
###################################################################
#
# Get the SRP environment from "/etc/cmcluster/hpsrp/<srp>/srp_script.incl"
#
# Environment variable example: use a local gateway on the host
# SRP_SG_MANAGED_IP[0]="192.0.0.99"
# SRP_SG_GATEWAY[0]="192.0.0.99"
#
# Environment variable example: use a remote gateway
# SRP_SG_MANAGED_IP[1]="10.1.1.99"
# SRP_SG_GATEWAY[1]="10.1.1.1"
####################################################################
. `dirname $0`/srp_script.incl
###################################################################
#
# Functions
#
###################################################################
# add routing entry
function srp_route_add
{
    # run 'route' command for each IP address
    rval=0
    index=0
    last_index=${#SRP_SG_MANAGED_IP[@]}
    while [ "$index" -lt "$last_index" ]
    do
        srp_ip="${SRP_SG_MANAGED_IP[$index]}"
        srp_gateway="${SRP_SG_GATEWAY[$index]}";
        if [ -z "$srp_ip" ] # skip empty slot in the array
        then
            let index=$index+1
            let last_index=$last_index+1
            continue
        fi
        if [ "$srp_ip" = "$srp_gateway" ]
        then
            # use local IP as gateway
            emsg=$(/usr/sbin/route add default $srp_gateway 0 \
                source $srp_ip 2>&1)
        else
            # use remote gateway
            emsg=$(/usr/sbin/route add default $srp_gateway 1 \
                source $srp_ip 2>&1)
        fi
        # report a failed 'route' command on standard error
        if (($? != 0)); then
            print "ERROR: $emsg" >&2
            rval=1
        fi
        let index=$index+1
    done
    return $rval
}
# delete routing entry
function srp_route_delete
{
    # run 'route' command for each IP address
    rval=0
    index=0
    last_index=${#SRP_SG_MANAGED_IP[@]}
    while [ "$index" -lt "$last_index" ]
    do
        srp_ip="${SRP_SG_MANAGED_IP[$index]}"
        srp_gateway="${SRP_SG_GATEWAY[$index]}";
        if [ -z "$srp_ip" ] # skip empty slot in the array
        then
            let index=$index+1
            let last_index=$last_index+1
            continue
        fi
        if [ "$srp_ip" = "$srp_gateway" ]
        then
            # use local IP as gateway
            emsg=$(/usr/sbin/route delete default $srp_gateway 0 \
                source $srp_ip 2>&1)
        else
            # use remote gateway
            emsg=$(/usr/sbin/route delete default $srp_gateway 1 \
                source $srp_ip 2>&1)
        fi
        # report a failed 'route' command on standard error
        if (($? != 0)); then
            print "ERROR: $emsg" >&2
            rval=1
        fi
        let index=$index+1
    done
    return $rval
}
################
# main routine
################
sg_log 5 "SRP routing entry configuration script"
#########################################################################
#
# Customer defined external script must be specified with three required
# entry points: start, stop, and validate.
#
# It's not recommended to add additional entry points to the script
# due to potential name space collision with future Serviceguard releases.
#
#########################################################################
typeset -i exit_val=0
case ${1} in
    start)
        srp_route_add
        exit_val=$?
        ;;
    stop)
        srp_route_delete
        exit_val=$?
        ;;
    validate)
        exit_val=0
        ;;
    *)
        sg_log 0 "INFO: Unknown operation: $1"
        ;;
esac
exit $exit_val
Troubleshooting Containers
Objectives
After completing this lab, you should be able to:
Understand the troubleshooting scenarios
Understand the advanced troubleshooting procedures
Remove product using swremove
Hardware and software requirements
Following are the requirements for this lab. These are provided by the HPVL.
HP-UX-SRP bundle from Software depot
NIC/LAN address
HP-UX-SRP requires the following software:
• HP-UX 11i Version 3 (B.11.31) for HP 9000 and HP Integrity servers
• HP-UX Security Containment Compartment login
Note HP recommends that you should install HP-UX Security Containment Extensions version B.11.31.01, which includes the Compartment login feature.
• HP-UX Security Containment Extensions patch PHCO_38507
Following are required to use HP-UX to manage these subsystems:
• HP-UX IPFilter version A.11.31.15.01 or later
• HP-UX IPSec version A.02.01.01 or later
• HP Process Resource Manager (PRM) version C.03.03.01 or later
Exercise 1 – Understanding the troubleshooting scenarios
Following are a few troubleshooting scenarios:
Scenario 1
A non-root user is unable to log in to the global view of the HP-UX Containers enabled system.
Symptom
Telnet or rlogin fails with the following error:
Compartment access check failed: User is not authorized to login to the compartment associated with this network service. Connection to host lost.
Solution
Only users in the group srpgrp are authorized to log in to the system. Add the user to the group srpgrp.
Scenario 2
Installing a product update fails.
Symptom
The swinstall command fails with the error:
ERROR: Cannot continue "swinstall". The shared srp's must be in the stopped state. <container_name> is in the started state.
Here, the <container_name> is the name of the container.
Solution
Change the state of the container to stopped using the srp -stop container_name command.
Scenario 3
Installing a product update from a remote source fails.
Symptom
swinstall fails with the following error:
ERROR: The source depot specified using a host target selection (host:/path). Installing from a remote source is not supported in SRP environment. To install from a remote source, either mount it locally or copy the software locally using swcopy.
Solution
Installation of software update from a remote source is not supported in the HP-UX Containers environment. The software must be available locally. To make the source depot available locally, do the following:
Use the swcopy command to copy the depot to the local system.
If the software is on media, mount the depot locally.
Use NFS to mount the depot from the remote server to the local file system.
Once the software depot is available locally, run the swinstall command to point to the local source.
Scenario 4 The GUI version of the swinstall command does not work in the HP-UX Containers environment.
Symptom The swinstall command invoked with no command line options fails with the following error message: # swinstall
ERROR: The interactive UI is not supported in SRP environment.
Solution The GUI version of swinstall is not supported. Instead, use the command line interface in the HP-UX Containers environment.
Scenario 5 Container fails to start.
Symptom The srp –start <container_name> command gives the following error:
# srp -start <container_name> SRP container_name not started:
The SRP must be (re)synchronized with the system's installed product database.
Run /opt/hpsrp/bin/util/srp_check to identify the list of products to install or remove from this SRP.
Solution
1. Run the srp_check command and identify the products that are uncoordinated with the global.
2. Check the /var/adm/sw/swagent.log file in the container to identify the problem. To log in to the container, first change its state to maintenance using the srp -maint <container_name> command and then use the -M option with the srp_su command as:
srp_su -M <container_name>
3. Take corrective action (if any) based on the information in the swagent.log file.
4. Change the state of the container back to stopped.
5. Install the patch targeting the container as:
swinstall -x local_srp_list=<container_name> \
-s <depot location> Product name
Scenario 6 Unable to telnet or rlogin to a container.
Symptom
Remote login to a container fails with one of the following messages:
# telnet container_name
Trying...
telnet: Unable to connect to remote host: Connection refused
# rlogin container_name
rcmd_af: connect: container_name: Connection refused
Solution
The container must be in the started state to accept login requests. If the container is of type workload, you can log in to the container using ssh only. To verify whether the container is of type workload, run the srp -status command on the system where the container resides and check the second field, TYPE.
Scenario 7 Process respawn does not work in the container.
Symptom
Processes configured for respawn in the container's /etc/inittab file do not respawn.
Solution
Verify and confirm that the srp_init daemon is up and running inside the container by executing the following command in the container:
# ps -ef | grep srp_init
If the srp_init daemon is running, enter the following command to re-examine the /etc/inittab file entries without changing the run level:
# /sbin/srp_init q
If the srp_init daemon is not running, restart srp_init within the container using the /sbin/srp_init daemon.
Exercise 2 – Understanding the advanced troubleshooting procedures
This section includes advanced troubleshooting procedures:
Using the Security Containment compartment discover feature (workload containers only)
In a secure environment, you can use the Security Containment discover feature to remove compartment restrictions and view the rules that are needed to allow access.
Note If you are not in a secure environment, you can use IPFilter to allow access from only trusted systems before removing compartment restrictions.
You can use the discover feature as follows:
1. To stop the container, enter the following command:
# srp -stop system_container
2. Edit the compartment rules file /etc/cmpt/container_name.rules, and tag the container definition at the beginning of the file with the discover keyword. This opens the container for all access.
# vi /etc/cmpt/system_container.rules
For example:
discover compartment system_container {
//@tag-start compartment="system_container" template="system" service="network" id="1";
// owns the IP address
interface 192.168.67.49
//@tag-end;
//@tag-start compartment="system_container" template="system" service="cmpt" id="1";
#define _SRP_HOME_ /var/hpsrp/system_container
#define _SRP_USR_PERM_ none
#define _SRP_USR_ROOT_
#define _SRP_SBIN_PERM_ none
#define _SRP_SBIN_ROOT_
#include "/etc/opt/hpsrp/cmpt/sysbase.srp_incl"
// @tag-end ;
}
3. To start the container, enter the srp -start system_container command.
4. Attempt to access the container applications. After you successfully access the applications, enter the following command to generate the rules used to access the container:
# getrules -m system_container
5. Compare the output from the getrules command with the compartment rules file and make the necessary changes.
6. Stop the container, remove the discover keyword from the compartment rules file, and then restart the container.
# srp -stop system_container
7. Now enter the following command to remove the discover keyword:
# vi /etc/cmpt/system_container.rules
For example, delete the discover keyword that precedes the compartment definition:
discover compartment system_container {
//@tag-start compartment="system_container" template="system" service="network" id="1";
// owns the IP address
interface 192.168.67.49
//@tag-end;
//@tag-start compartment="system_container" template="system" service="cmpt" id="1";
#define _SRP_HOME_ /var/hpsrp/system_container
#define _SRP_USR_PERM_ none
#define _SRP_USR_ROOT_
#define _SRP_SBIN_PERM_ none
#define _SRP_SBIN_ROOT_
#include "/etc/opt/hpsrp/cmpt/sysbase.srp_incl"
// @tag-end ;
}
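A check to run after step 7, added here as an example and not part of the lab guide: it lists every compartment whose rules file still carries the discover tag, which leaves the container open for all access. The directory layout, the function names, and the web_container sample are assumptions, and the sample files are constructed.

```sh
#!/bin/sh
# Added example, not from the lab guide. Assumptions: rules files are
# <dir>/*.rules and a tagged definition reads "discover compartment <name> {".

# Print the name of every compartment still tagged with discover.
find_discover() {
    for f in "$1"/*.rules; do
        [ -f "$f" ] || continue
        awk '
            /^[ \t]*\/\// { next }            # skip // comment lines
            $1 == "discover" && $2 == "compartment" {
                sub(/[{].*/, "", $3)          # tolerate "name{" without a space
                print $3
            }' "$f"
    done
}

# Return 0 when no rules file is in discover mode, 1 otherwise.
audit_rules() {
    open=$(find_discover "$1")
    if [ -n "$open" ]; then
        printf 'discover still set: %s\n' $open >&2
        return 1
    fi
    return 0
}

# Constructed sample input: one container left open, one restored.
# web_container is a hypothetical name; mktemp -d is the Linux/BSD form.
make_sample() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'discover compartment system_container {' \
        '    interface 192.168.67.49' '}' > "$d/system_container.rules"
    printf '%s\n' '// discover compartment web_container {' \
        'compartment web_container {' '}' > "$d/web_container.rules"
    echo "$d"
}

sample=$(make_sample)
audit_rules "$sample" || echo "remove the discover keyword, then restart the container"
rm -rf "$sample"
```

On the lab system the same check would be pointed at the rules directory, for example audit_rules /etc/cmpt.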
Removing or disabling IPFilter
If you are using IPFilter with HP-UX Containers, you can see if IPFilter rules are blocking access to the container applications. You can do this by removing the ipfilter service from the container, as follows:
# srp -d system_container -t system -s ipfilter
If you do not specify the -t argument, the srp command removes the IPFilter configuration for the template (base for the Workload Container and system for the System Container).
To add the ipfilter service back to the container after you have completed your testing, enter:
# srp -add system_container -t system -s ipfilter
Removing or disabling IPSec
1. If you are using IPSec with HP-UX Containers, you can see if IPSec policies are blocking access to the container applications. One method to determine if IPSec policies are blocking packets is by removing the ipsec service from the container, as follows:
# srp -d system_container -s ipsec
2. To add the ipsec service back to the container after you have completed testing, enter the IP address that you have assigned to the container:
# srp -add system_container -s ipsec
3. Press Enter when you are prompted for the IPSec transform. Currently you will not have the preshared key. Enter presharedkey as the key and press Enter again.
Another method to test if IPSec policies are blocking access to the container applications is by stopping the IPSec product, as follows:
# /usr/sbin/ipsec_admin -stop
To restart IPSec after you have completed testing, enter:
# /usr/sbin/ipsec_admin -start
Exercise 3 – Removing product using swremove
Removing (uninstalling) HP-UX Containers
To remove (uninstall) the HP-UX Containers product from your HP-UX 11i v3 March 2011 (or later) system or the HP-UX SRP product from your HP-UX 11i v3 system, perform the following steps:
1. Log in to your system as the root user.
2. For HP-UX Containers, stop all configured containers by entering the following command:
# srp -stop system_container
3. For HP-UX Containers, remove all configured containers by entering the following command:
# srp -delete system_container
4. For HP-UX Containers, disable HP-UX Containers by entering the following command:
# srp_sys -disable
Removing the HP-UX-SRP bundle for the HP-UX Containers product
1. To remove the HP-UX-SRP bundle for the HP-UX Containers product, enter the following command:
# swremove -x autoreboot=true HP-UX-SRP
2. The system will now reboot automatically. If it does not, reboot manually by entering the following command:
# reboot