Configuring HP-UX Containers (SRP) v3.01 Update Lab Guide Rev. 12.11

Upload: rogerio-goncalves

Post on 13-Apr-2015

Use of this material to deliver training without prior written permission from HP is prohibited.


© Copyright 2012 Hewlett-Packard Development Company, L.P.

The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. This is an HP copyrighted work that may not be reproduced without the written permission of HP. You may not use these materials to deliver training to any person outside of your organization without the written permission of HP.

Configuring HP-UX Containers (SRP) v3.01 Update Lab guide March 2012.


Contents

Lab 0: Accessing the HPVL Environment
  Objectives
  Exercise — Accessing the HPVL environment
    Learner-specific information
    Prerequisites
    Accessing the HPVL environment
    Exiting HPVL

Lab 1: Install and Configure HP-UX Container
  Objectives
  Hardware and software requirements
  Exercise 1 – Validating and Installing HP-UX Container
    Validating the HP-UX Container depot file
    Installing the package using swinstall
      Verifying HP-UX Container installation
  Exercise 2 – Enabling HP-UX Container using the interactive mode
  Exercise 3 – Creating System Container and viewing its default file set layout
    Creating System Container
    Viewing file set layout for System Container
  Exercise 4 – Creating Workload Container and viewing its default file set layout
    Creating Workload Container
    Viewing file set layout for Workload Container
  Exercise 5 – Modifying the pre-defined list of allowed products

Lab 2: Installing and Managing HP 9000 Containers
  Objectives
  Hardware and software requirements
  Exercise 1 – Validating and installing HP9000 Container
    Validating the HP9000 Container depot file
    Installing the package using swinstall
      Verifying HP-UX Container installation
  Exercise 2 – Viewing HP 9000 Containers file system layout
  Exercise 3 – Administering HP 9000 Containers
  Appendix A – Transitioning from HP 9000 server
  Appendix B – Additional screenshots
    Creating system container in HP9000

Lab 3: Configure and Manage Containers
  Objectives
  Hardware and software requirements
  Exercise 1 – Configuring HP-UX Container using interactive mode
    Setting up Process Resource Manager
    IPFilter
    IPSec module (ipsec)
    Creating container using batch mode
  Exercise 2 – Managing containers using the srp command
    The srp_ps command
    Starting and stopping a container
      System Container
      Workload Container
    Adding the sshd template to a Workload Container
    Deleting a Workload Container

Lab 4: Use and Maintain HP UX Containers
  Objectives
  Hardware and software requirements
  Exercise 1 – Creating a base SRP compartment
  Exercise 2 – Networking with containers

Lab 5: Integration with Serviceguard
  Objectives
  Hardware and software requirements
  Exercise 1 – Understanding Serviceguard and usage of model
    Overview
    Selecting a model
  Exercise 2 – Creating a container to use with Serviceguard
  Exercise 2 – Adapting Serviceguard scripts for different type of model

Lab 6: Troubleshooting Containers
  Objectives
  Hardware and software requirements
  Exercise 1 – Understanding the troubleshooting scenarios
    Scenario 1
      Symptom
      Solution
    Scenario 2
      Symptom
      Solution
    Scenario 3
      Symptom
      Solution
    Scenario 4
      Symptom
      Solution
    Scenario 5
      Symptom
      Solution
    Scenario 6
      Symptom
      Solution
    Scenario 7
      Symptom
      Solution
  Exercise 2 – Understanding the advance troubleshooting procedures
    Using the Security Containment compartment discover feature (workload containers only)
    Removing or disabling IPFilter
    Removing or disabling IPSec
  Exercise 3 – Removing product using swremove
    Removing (uninstalling) HP-UX Containers
    Removing the HP-UX-SRP bundle for the HP-UX Containers product


Accessing the HPVL Environment

Objectives

After completing this lab, you should be able to access the HPVL environment.

Exercise — Accessing the HPVL environment

Learner-specific information

A username and password for you to access the HP Virtual Lab (HPVL) will be provided as part of your HPVL reservation. You will also be assigned a specific set of equipment called a labgroup. Record this information below:

HPVL username: .........................................................................................

HPVL password: .........................................................................................

Labgroup: .................................................................................................

Prerequisites

Ensure that the computer you use to access the HPVL meets the requirements described in the Connection Reference Guide (das_guide.pdf) document available at:

http://hpvl.usa.hp.com/access.htm

Accessing the HPVL environment

To access the HPVL environment:

1. Using a supported Internet browser, access the URL provided to you with the HPVL reservation. Refer to the Connection Reference Guide for details.

Example: http://labs.usa.hp.com

2. At the following HPVL screen, review the HPVL Access Notes displayed, provide the login credentials in the Remote Access Logon for HP Virtual Labs fields, and click Logon.

3. At the Terminal Servers screen, click the HPVL Access – VLTS02 link.


The following screen displays.

Here, you can use:

• The top-right Minimize, Maximize, and Close buttons to change your view or close the window.

• The Toggle Scrollbar link to enable/disable the scrollbar.

• CTRL+ALT+BREAK on your keyboard to toggle for a window and full-screen view.

• The Close link to close the window.


4. At the Access a Lab Group screen, click the link corresponding to your labgroup. Labgroup assignments are done by the HPVL team.

The following screen displays:


5. Carefully review the information on this screen. Especially:

a. Read the Overview section.

b. Familiarize yourself with the equipment configuration.

Important: For creating the container in this class, use the IP addresses provided on the webpage shown above.

c. Connect to Telnet to Host server to continue with the HP_UX_Container labs.

d. Read the Lab Cleanup section.

Exiting HPVL

When you are finished with your labs, log out from the connected servers and from HPVL. To exit your lab, follow the instructions in the Connection Reference Guide (das_guide.pdf) document.

Install and Configure HP-UX Container

Objectives

After completing this lab, you should be able to:

• Validate and install HP-UX Container

• Install System Container and view its default file set layout

• Install Workload Container and view its default file set layout

• View the predefined list of allowed products

Hardware and software requirements

Following are the requirements for this HP-UX Container lab. These are provided by the HPVL.

• HP-UX-SRP bundle from Software depot

• NIC/LAN address

HP-UX Container requires the following software:

• HP-UX 11i Version 3 (B.11.31) for HP 9000 and HP Integrity servers

• HP-UX Security Containment Compartment login

Note: HP recommends that you install HP-UX Security Containment Extensions version B.11.31.01, which includes the Compartment login feature.

• HP-UX Security Containment Extensions patch PHCO_38507

Following are required to use HP-UX to manage these subsystems:

• HP-UX IPFilter version A.11.31.15.01 or later

• HP-UX IPSec version A.02.01.01 or later

• HP Process Resource Manager (PRM) version C.03.03.01 or later

Exercise 1 – Validating and Installing HP-UX Container

Validating the HP-UX Container depot file

Before installing HP-UX Container, you need to validate the HP-UX Container depot file on your system by listing the available bundles in the depot file. To do this, enter the following command from the PuTTY terminal:

# swlist -d @ /classfiles/HP-UX-SRP_A.03.01_HP-UX_B.11.31_IA_PA.depot

Installing the package using swinstall

To install the HP-UX-Container, enter the following command:

# swinstall -x autoreboot=true -s /classfiles/HP-UX-SRP_A.03.01_HP-UX_B.11.31_IA_PA.depot \*

Note: If the installation fails, the swinstall command displays an error message. For information on failed installation, check the /var/adm/sw/swagent.log file.

Verifying HP-UX Container installation

Run the following command to ensure that the selected products are installed correctly.

# swverify HP-UX-SRP

If the installation is successful, a list of files is displayed. A success message appears after the verification is complete.


Exercise 2 – Enabling HP-UX Container using the interactive mode

After successful installation, you need to enable HP-UX Container using the srp_sys command.

1. To configure the subsystems on your system, execute the following command:

# /opt/hpsrp/bin/srp_sys -setup

2. Enter y or just press the Enter key to enable the Core subsystem.


3. Enter y or just press the Enter key to enable the Compartment Login feature.

4. Enter y or just press the Enter key to grant the login group access to the global view.


5. Enter y or just press the Enter key to enable Process Resource Manager (PRM).

6. Enter y or just press the Enter key to restrict the IP address that Secure Shell Daemon (sshd) listens to in the global view. Press the Enter key for enabling the IPFilter for SRP.

Note: HP recommends that you do not enable or disable HP-UX IPFilter when critical network applications are running. Schedule enabling or disabling IPFilter for a time when interrupting network connectivity is not disruptive.

7. Enter n or just press the Enter key for enabling IPsec for SRP. This completes the SRP setup.

8. Enter y or just press the Enter key to reboot the server.

The system will reboot after successful installation of HP-UX Container.

9. To view the list of subsystems that are configured during the setup, enter the following command:

# /opt/hpsrp/bin/srp_sys -l

Exercise 3 – Creating System Container and viewing its default file set layout

Creating System Container

1. To create a System Container, enter the following command:

# /opt/hpsrp/bin/srp -add system_container -t system

2. The command displays the services which are by default enabled while creating the container:

• cmpt

• admin

• init

• prm

• network

• provision

Next, you need to set the following configurations:

• For the Container's subtype, you can enter either private or shared. For this exercise, enter shared.

• For Autostart container at system boot, enter yes or press the Enter key.

• For the root user password, enter HP and reenter it to confirm.

• For Configure DNS Resolver, enter no or press the Enter key.


3. For the rest of the configurations, accept the default values by pressing Enter until you get the prompt to enter the IP address. Enter the IP address as 192.168.67.49 and press Enter.

4. Next, press Enter to accept the default values. For the Network interface name value, enter the name as lan0. Enter yes to continue.

The System Container is installed.

Viewing file set layout for System Container

To view the subdirectory path (Shared) of System Container, enter the following command:

# ls /var/hpsrp/<system-container-name>

Here, /var/hpsrp is the default directory path of System Container.

Exercise 4 – Creating Workload Container and viewing its default file set layout

Creating Workload Container

1. To create a Workload Container, enter the following command:

# /opt/hpsrp/bin/srp -add workload_container -t workload

2. View the default values and press the Enter key.

3. Enter the IP address as 192.168.67.50.

4. To continue, enter yes. The Workload Container is installed.

Viewing file set layout for Workload Container

To view the subdirectory path (Shared) of Workload Container, enter the following command:

# ls /var/hpsrp/<workload-container-name_private>

Here, /var/hpsrp is the default directory path of Workload Container.

Exercise 5 – Modifying the pre-defined list of allowed products

HP has a predefined list of allowed products, as well as restricted products that can never be added to the bundle.

1. You can modify the allowed products list using the following commands:

# cd /opt/hpsrp/bin

# ./srp_allowed_product -add_depot /classfiles/HP-UX-SRP_A.03.01_HP-UX_B.11.31_IA_PA.depot

2. To view a list of products in a depot, enter the following command:

# /opt/hpsrp/bin/srp_allowed_product -list_depot /classfiles/HP-UX-SRP_A.03.01_HP-UX_B.11.31_IA_PA.depot


Installing and Managing HP 9000 Containers

Objectives

After completing this lab, you should be able to:

• Validate and install HP 9000 Containers

• View HP 9000 Containers file system layout

• Administer HP 9000 Containers

Hardware and software requirements

Following are the requirements for this SRP lab. These are provided by the HPVL.

• HP9000 Container bundle from Software depot

• NIC/LAN address

HP-UX Container requires the following software:

• HP-UX 11i Version 3 (B.11.31) for HP 9000 and HP Integrity servers

• HP 9000 Containers A.03.01.01. All required dependencies are enforced during software installation. The list of dependencies is documented in the release notes.

• Installation pre-requisites:

• HP-UX 11i v3 March 2011 update (or later)

• HP-UX Containers A.03.01 (or later)

• HP ARIES patch PHSS_41423 or later

• Perl version 5.8.8 (or later)

• HP-UX SecureShell version A.05.00.012 (or later)

If any of the above dependencies is not already installed, the HP9KC depot installation will fail.

Exercise 1 – Validating and installing HP9000 Container

Validating the HP9000 Container depot file

Before installing HP9000 Container, you need to validate the HP9000 Container depot file on your system by listing the available bundles in the depot file. To do this, enter the following command from the PuTTY telnet terminal:

# swlist -d @ /classfiles/A.03.01.01_HP9KContainers_A.03.01.01_HP-UX_B.11.31_IA.depot

Installing the package using swinstall

To install the package, perform the following steps:

1. Change the directory to the location where the depot file is located by entering the following command:

# cd /classfiles

2. To install the HP9000 Container, enter the following command:

# swinstall -x autoreboot=true -s /classfiles/A.03.01.01_HP9KContainers_A.03.01_HP-UX_B.11.31_IA.depot \*

Note: The swinstall command displays an error message if the installation fails. For information on failed installation, check the /var/adm/sw/swagent.log file.

Verifying HP-UX Container installation

Run the swverify command to ensure that the selected products are installed correctly. If the installation is successful, a list of files is displayed. A success message appears after the verification is complete.

# swverify HP9KContainers

Exercise 2 – Viewing HP 9000 Containers file system layout

To view HP 9000 System Container File system layout, perform the following steps:

1. To browse the directory, enter the following command:

# cd /opt/HP9000-Containers/

2. To list the directory structure of HP9000-Containers, enter the following command:

# ls

3. To view the files and directory in HP9000 Container bin directory, enter the following command:

# ls /opt/HP9000-Containers/bin

4. To list the directory structure under the docs folder, enter the following command:

# ls /opt/HP9000-Containers/docs

5. To list the directory structure under the config folder, enter the following command:

# ls /opt/HP9000-Containers/config

6. To list the directory structure under the newconfig folder, enter the following command:

# ls /opt/HP9000-Containers/newconfig

Exercise 3 – Administering HP 9000 Containers

Most of the administration tasks for HP 9000 containers need to be performed from the HP-UX 11i v3 host system (referred to as the global compartment in the following sections).

By default, the root user on the host system is assigned administrator privilege for lifecycle management (start, stop, export, import, delete, modify) of the container.

1. To create user rohn and give password as rohn, enter the following commands:

# useradd -m rohn

# passwd rohn

2. To add rohn as SRPadmin, enter the following command:

# roleadm assign rohn SRPadmin

Appendix A – Transitioning from HP 9000 server

Note: The steps provided within this exercise are for reference only.

Following are the essential steps that need to be followed in transitioning the entire application environment from an HP 9000 server running HP-UX 11i operating system to an HP 9000 Container on an HP-UX 11i v3 instance running on an HP Integrity server:

1. Decide which HP 9000 Container model to use.

2. Create the HP 9000 server file system image.

3. Set up user environment for recovery.

4. Recover HP 9000 files on the HP Integrity server.

5. Complete HP Integrity system configuration.

6. Create and configure an HP 9000 Container.

7. Start the HP 9000 Container and test applications. Tweak the HP 9000 Container, if needed.

The general recommendation is to use HP 9000 System Container, except where:

• There is a need to continue using trusted mode.

• The environments are legacy (pre HP-UX 11i v1).

• There is a need for a non-emulated login process.

• There is a need for user auditing.

For creating the server system image, you should use tar or cpio.

Note: When using tar or cpio, ensure that the backup is done without including the "/" prefix. This is because the backup is intended to be restored under an alternate root, and not at the system root on the Integrity system.

For example:

$ cd /

$ tar -cvf archive.tar dev etc opt var stand

Note: cpio is not supported for use with HP 9000 classic containers.
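The "/" prefix matters because the image is restored under an alternate root. As an added example (not part of the lab guide), this POSIX shell helper lists a tar image's members and refuses to restore it if any member has a leading "/" or a ".." component. The function names, the finding labels and the ".." check are assumptions added here.

```shell
#!/bin/sh
# Added example, not from the lab guide. Function names are hypothetical.

# audit_member_names: read archive member names on stdin, one per line.
# Prints a finding for every name that would land outside an alternate root
# and returns 1 if there was at least one, 0 otherwise.
audit_member_names() {
    bad=0
    while IFS= read -r name; do
        case $name in
            /*)
                echo "ABSOLUTE $name"; bad=1 ;;
            ..|../*|*/..|*/../*)
                echo "DOTDOT $name"; bad=1 ;;
        esac
    done
    return "$bad"
}

# audit_tar_members ARCHIVE: run the audit over the listing of a tar image.
# Returns 2 if the archive cannot be read or listed.
audit_tar_members() {
    [ -r "$1" ] || { echo "cannot read archive: $1" >&2; return 2; }
    listing=$(tar -tf "$1") || { echo "cannot list archive: $1" >&2; return 2; }
    printf '%s\n' "$listing" | audit_member_names
}

# restore_under_root ARCHIVE ROOT: extract under ROOT only if the audit is clean.
restore_under_root() {
    archive=$1
    root=$2
    [ -d "$root" ] || { echo "no such directory: $root" >&2; return 2; }
    # The extraction runs from inside ROOT, so the archive path must be absolute.
    case $archive in
        /*) ;;
        *) archive=$PWD/$archive ;;
    esac
    audit_tar_members "$archive" || return
    ( cd "$root" && tar -xf "$archive" )
}

# Usage: sh audit_image.sh archive.tar <hp9000_root>
if [ "$#" -eq 2 ]; then
    restore_under_root "$1" "$2"
fi
```
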

To set up user environment recovery for System Container:

If cpio, tar, or fbackup was used to create the image, there is no need to set up any user environment prior to recovery. HP 9000 Containers provides a tool to recover such archives. Note that Ignite-UX images are also either tar or cpio archives, so they fall into this category.

If any other tool was used for creating the image, and the tool has an option to recover files purely based on numeric UID/GID, then no user environment needs to be set up before the recovery.

If the tool used for creating the image gives preference to user name and group name over UID and GID respectively, then the following needs to be done on the host system before the recovery. These steps imply that no users apart from root can log in to the system while the recovery is going on.

• Take a backup of host user related files:

$ cp -p /etc/passwd /etc/passwd.backup

$ cp -p /etc/group /etc/group.backup

$ cp -p /etc/nsswitch.conf /etc/nsswitch.conf.backup

• Edit /etc/nsswitch.conf entry for users to include only files users files.

• Delete all entries from /etc/group file other than root, other, bin, sys, adm, daemon.

• Delete all entries from /etc/passwd file on host other than root, daemon, bin, sys, adm.

Setting up environment for Classic Container:

A classic HP 9000 Container shares the /etc directory and login mechanism with the HP-UX 11i v3 host system. Hence, HP 9000 users and groups need to be merged into the host before doing the recovery.

Recover HP 9000 /etc directory.

The input for the user migration process is a copy of the /etc directory from the HP 9000 server. Get a tar archive of /etc and recover it under /tmp on the HP Integrity server. It may also be possible to recover /etc from the complete file system image.

For example, here is how to extract /etc from a complete fbackup image:

$ mkdir /tmp/HP9000

$ echo "i etc" > /tmp/HP9000/graph

$ cd /tmp/HP9000

$ frecover -x -X -f <image file> -g /tmp/HP9000/graph


For system configuration:

Enable trusted mode on HP Integrity host using SMH, if HP 9000 server was configured with trusted mode.

Enable shadow mode on HP Integrity host using pwconv command, if HP 9000 server was configured with shadow password.

For user and group migration:

Run the user merge tool as:

$ /opt/HP9000-Containers/bin/hp9000_conf_users \
<path to recovered /etc directory>

Check for errors or warnings on stderr and in the log file /var/opt/HP9000-Containers/logs/user_config.log

To install and configure user management related products on the host:

With the classic container the SSH login process is actually native (does not use products from the HP 9000 image). It is just towards the end of the login process that SSHD does a chroot into the HP 9000 file system and invokes a PA-RISC shell. Hence, if there is a requirement to use NIS, LDAP or any other Active Directory tool, the same needs to be installed and configured on the Integrity host system.

To create the root directory for HP 9000 files:

Each HP 9000 container will have its own root directory on the host system. It is recommended that the root directory does not reside on the Integrity host root file system.

The HP 9000 root directory itself could be a mount point. In fact, if the System Container is being used and there is an intention to host multiple containers on the same host, it is advised that the container root directories be in separate logical volumes. This is the only way to assign disk quotas to containers now. By placing the home for each container in its own LUN, storage performance can be improved.

If the container is being created on the primary node of a Serviceguard cluster and the intention is to use the container package model, it is necessary for the HP 9000 root directory to be a mount point. More information can be found in the chapter Integration with Serviceguard.

The HP 9000 root directory should not be a symbolic link or a hard link. The requirement for container root directory path is different between the two models of HP 9000 Containers.

For System Container, the root directory needs to be created under /var/hpsrp with the name of the container.

$ mkdir /var/hpsrp/<srp_name>

For Classic Container, the root needs to be created under "/". For example:

$ mkdir /hp9000

The root directory is referred to as <hp9000_root> in the sections to follow.


To set ownership and permissions:

$ chown root:sys <hp9000_root>
$ chmod 0755 <hp9000_root>

It is recommended, for security reasons, that <hp9000_root> is not on the same file system as /usr is, especially for the System Container where multiple containers may be hosted on the same system.
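The ownership, permission and symbolic-link rules above can be checked before the container is created. The following sketch is an added example, not part of the HP lab guide; EXPECTED_UID and the function names are assumptions, and the check is extended to every parent directory, which the prerequisites require for the Classic Container.

```shell
#!/bin/sh
# Added example: audit an HP 9000 container root directory.
# Assumption: EXPECTED_UID is a hypothetical knob for this sketch
# (0 = root on a real host). Group ownership is not checked, only
# the owner and the group/other write bits.
EXPECTED_UID=${EXPECTED_UID:-0}

# Mount point of the file system that holds $1 (last column of df -P).
fs_of() {
    df -P "$1" 2>/dev/null | awk 'NR == 2 { print $NF }'
}

# One directory: not a symlink, owned by EXPECTED_UID, no group/other write.
check_dir() {
    cd_path=$1
    if [ -h "$cd_path" ]; then
        echo "FAIL $cd_path: symbolic link"; return 1
    fi
    if [ ! -d "$cd_path" ]; then
        echo "FAIL $cd_path: not a directory"; return 1
    fi
    cd_mode=$(ls -ldn "$cd_path" | awk '{ print $1 }')   # e.g. drwxr-xr-x
    cd_uid=$(ls -ldn "$cd_path" | awk '{ print $3 }')    # numeric owner
    cd_rc=0
    if [ "$cd_uid" != "$EXPECTED_UID" ]; then
        echo "FAIL $cd_path: owner uid $cd_uid, expected $EXPECTED_UID"; cd_rc=1
    fi
    case $cd_mode in
        ?????w*|????????w*)     # 6th char = group write, 9th = other write
            echo "FAIL $cd_path: writable by group or other ($cd_mode)"; cd_rc=1 ;;
    esac
    return $cd_rc
}

# usage: audit_container_root ROOT [STOP_AT]
# Checks ROOT (mode 0755, owner, no symlink), then every parent directory
# up to STOP_AT (default /). Sharing a file system with /usr is reported
# as a warning only, because the guide words it as a recommendation.
audit_container_root() {
    ac_root=$1 ac_stop=${2:-/} ac_rc=0
    check_dir "$ac_root" || ac_rc=1
    case $(ls -ldn "$ac_root" 2>/dev/null) in
        drwxr-xr-x*) ;;
        *) echo "FAIL $ac_root: mode is not 0755"; ac_rc=1 ;;
    esac
    ac_p=$(dirname "$ac_root")
    while :; do
        check_dir "$ac_p" || ac_rc=1
        if [ "$ac_p" = "$ac_stop" ] || [ "$ac_p" = "/" ] || [ "$ac_p" = "." ]; then
            break
        fi
        ac_p=$(dirname "$ac_p")
    done
    ac_fs=$(fs_of "$ac_root")
    if [ -n "$ac_fs" ] && [ "$ac_fs" = "$(fs_of /usr)" ]; then
        echo "WARN $ac_root: on the same file system as /usr ($ac_fs)"
    fi
    return $ac_rc
}

# Run the audit when a path is given on the command line.
if [ $# -gt 0 ]; then
    audit_container_root "$@"
fi
```

Run it as root with the container root as the argument, for example /hp9000 for a Classic Container; a non-zero exit status means at least one FAIL line was printed.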

To configure mount points inside the container root:

If the files within the container need to be recovered onto mount points, create them on the HP-UX 11i v3 host. For example:

$ mkdir <hp9000_root>/var
$ chown bin:bin <hp9000_root>/var
$ chmod 0555 <hp9000_root>/var
$ mount -F <fstype> <from where> <hp9000_root>/var

Post recovery steps after the recovery is complete:

Manually check if all the basic directories (/etc, /home, /opt, /tmp, /usr, /var, /stand) have been recovered properly.

Directories that have not been copied over need to be created manually and assigned proper ownership and permissions. For example:

$ mkdir <hp9000_root>/var/adm/crash
$ chmod 0755 <hp9000_root>/var/adm/crash
$ chown root:root <hp9000_root>/var/adm/crash

For the System Container, when using tools other than cpio, tar, and fbackup, if the host files were modified before recovery, restore them:

$ cp -p /etc/passwd.backup /etc/passwd
$ cp -p /etc/group.backup /etc/group
$ cp -p /etc/nsswitch.conf.backup /etc/nsswitch.conf

Trusted mode is not supported with the System Container. If the recovered file system has trusted mode enabled (search for /tcb under <hp9000_root>), disable it using the following set of commands:

$ mkdir <hp9000_root>/usr/lib/hpux32
$ mount -F lofs -o ro /usr/lib/hpux32 <hp9000_root>/usr/lib/hpux32
$ chroot <hp9000_root> /usr/lbin/tsconvert -r
$ umount <hp9000_root>/usr/lib/hpux32


Configuring the HP 9000 container

Pre-requisites

User environment has been set up as described in Setting up user environment for recovery.

The HP 9000 root directory has been created. In particular, for System Container the root directory /var/hpsrp/<srp_name> is on a file system that is separate from that of /usr/lib. For Classic Container, the entire path up to the root directory is to be owned by root:sys or root:root.

The HP 9000 files have been recovered at the root path as described in Recovering HP 9000 files.

If PRM is being used for resource allocation between multiple containers, decide on whether FSS (fair share scheduler) or PSET (processor set) will be used for CPU. Also, decide on the number of shares/cores to be allocated for the container. For FSS, the percentage entitlement is calculated as:

(Number of shares assigned to a particular PRM Group) / (Sum of the shares assigned to all PRM Groups)

Creating an HP 9000 Container

For HP 9000 System Container, add the hp9000sys template:

$ srp -add <srp_name> -t hp9000sys

For HP 9000 classic container, add the hp9000cl template:

$ srp -add <srp_name> -t hp9000cl

Note For more details regarding a live migration of an HP 9000 server to a HP 9000 Container within an HP Integrity server running HP-UX 11iv3 and SRP v3, refer to HP 9000 Container Administrative Guide for version 3.00 or above.


Appendix B – Additional screenshots

Note The steps provided within this exercise are for reference only.

Creating system container in HP9000

1. To create an HP 9000 Container, enter the following command:

# srp -add sys_9000 -t hp9000sys

2. Continue by accepting the default values, or change them as required. When prompted for PRM FSS group CPU shares, enter any number between 1-10 and press the Enter key.


3. When you are prompted for PRM group memory shares, enter any number between 1-10 and press the Enter key.

4. Enter the IP address 192.168.67.50; you will have some free IP addresses available and need to select one of them.

! Important Do not enable IPFilter as it has not been tested with HP 9000 Containers yet.

5. Enter no when you are prompted for Add IPFilter rules for IPSec and press the Enter key.

6. Accept the default value for Add IP address to netconf file, do the same for IP subnet mask, and enter lan3 as the Network Interface name.


7. Accept the default value for gateway server IP address for default route and enter yes to continue.

Here, you will receive a warning stating that you need to enable IPFilter.

8. To enable IPFilter, enter the following command:

# ipfilter -e


Configure and Manage Containers

Objectives

After completing this lab, you should be able to:

Configure HP-UX Containers

Manage containers using the Secure Resource Partition (srp) command

Hardware and software requirements

Following are the requirements for this SRP lab. These are provided by the HPVL.

HP-UX-SRP bundle from Software Depot

NIC/LAN address

HP-UX SRP requires the following software:

• HP-UX 11i Version 3 (B.11.31) for HP 9000 and HP Integrity servers

• HP-UX Security Containment Compartment login

Note HP recommends that you should install HP-UX Security Containment Extensions version B.11.31.01, which includes the Compartment login feature.

• HP-UX Security Containment Extensions patch PHCO_38507

Following are required to use HP-UX to manage these subsystems:

• HP-UX IPFilter version A.11.31.15.01 or later

• HP-UX IPSec version A.02.01.01 or later

• HP Process Resource Manager (PRM) version C.03.03.01 or later


Exercise 1 – Configuring HP-UX Container using interactive mode

After successful installation, you should enable HP-UX Containers using the srp_sys command. This command requires several subsystems to be configured on your system.

1. To do this, enter the following command and accept all the default values:

# /opt/hpsrp/bin/srp_sys -setup


2. Press Enter to accept the default values.


3. To view the subsystems, enter the following command:

# /opt/hpsrp/bin/srp_sys -l

Setting up Process Resource Manager

HP-UX Containers supports the ability to allocate CPU and memory usage per container. By default, each container on the system is assigned a Process Resource Manager (PRM) group. Each PRM group can be assigned CPU and memory allocations.

1. To enable PRM, enter the following command:

# srp_sys -enable prm

You can verify that the PRM configuration is loaded for the group used by the container, by entering the prmlist and prmmonitor commands. The default PRM group name is the container name.


2. To view the list, enter the following command:

# prmlist

3. The prmlist -g -s command displays configuration information for PRM groups (-g) and the PRM group for each Security Containment Compartment (-s).

# prmlist -g -s


4. To monitor the containers you have created, enter the following command:

# prmmonitor

5. To view the PRM configuration of the containers you have created, enter the following command:

# prmconfig


While creating a container using PRM, you should remember the following:

prm_group_name: Name of the PRM group dedicated to this container. Default value is the container name.

prm_group_type: PRM CPU allocation type (PSET or FSS). Default value is FSS.

prm_cores: Number of processor cores allocated (For PSET only). Default value is 1.

prm_cpu_shares: Number of CPU shares allocated (For FSS only). Default value is 10.

prm_cpu_max: Maximum percentage of CPU available (For FSS only). Default value is No cap.

prm_mem_shares: Specifies a maximum (upper bound) for memory consumption of system’s memory for user processes.

prm_mem_max: Specifies a maximum (upper bound) for memory consumption of system’s memory for user processes. Default value is No cap.

prm_phys_mem: Memory in MB allocated for shared memory usage. Default value is 0 (no dedicated physical shared memory).

6. To disable PRM on containers you have created, enter the following command:

# srp_sys -disable prm


IPFilter

This service allows you to control the network traffic of the container according to packet attributes using HP-UX IPFilter. Enabling this service allows you to configure IPFilter rules for the container. Containers created with the IPFilter service have all their inbound network traffic blocked; inbound traffic should be enabled on a per-container basis.

! Important Enabling or disabling IPFilter briefly brings down all IP interfaces on the system. It then brings up only the IP interfaces configured in the /etc/rc.config.d/netconf and /etc/rc.config.d/netconf-ipv6 files. HP recommends that you should not enable or disable IPFilter when critical network applications are running. Enable or disable IPFilter only when interrupting the network connectivity is not disruptive.

1. To enable IPFilter on containers you have created, enter the following command:

# srp_sys -enable ipfilter

2. To view the active (loaded) inbound and outbound IPFilter rules, enter the following command:

# ipfstat -io


3. To disable the IPFilter for the containers you have created, enter the following command:

# /opt/ipf/bin/ipfilter -d

IPSec module (ipsec)

Enabling this service allows you to configure HP-UX IPSec policies for the container. If the IPSec module is enabled on the system using srp_sys, you can configure the container to apply IPSec policies to encrypt and authenticate packets between the container IP address and a remote IP address.

ipf_for_ipsec specifies whether to add IPFilter rules that allow IPSec packets. The default value for this is No.

1. To enable IPSec, you need to set the ipsec_admin password by entering the following command:

# ipsec_admin -np

Note The password should be at least 15 characters long.

2. Next, you have to run the following command:

# srp_sys -setup

Note This command is already discussed in Exercise 1 of this lab.


3. Accept all the default values until you get the prompt for IPsec configuration. At the IPsec prompt, enter y or press the Enter key to enable IPsec.

Creating container using batch mode

To create the container using the batch mode, enter the following command:

# /opt/hpsrp/bin/srp -add newcontainer -batch ip_address=192.168.67.52 iface=lan2

The configuration settings are specified within the command.


Exercise 2 – Managing containers using the srp command

The srp command is used for configuring and managing systems and containers. It allows you to add, update, delete, list, and manage containers using the command line interface (CLI).

The srp_ps command

To report process status for a specific container on the system, enter:

# /opt/hpsrp/bin/srp_ps

Note Reports from the global view that include processes running in a system container should display user, group, and command string information in an altered form.

To report process status for the global view, log in to the global view and enter the following command:

# srp_ps -ef


Starting and stopping a container

System Container

1. To start the System Container, enter the following command:

# srp -start sys_con


2. To stop the System Container, enter the following command:

# srp -stop sys_con


3. To view the status of the System Container, enter the following command:

# srp -status sys_con

4. To view the status in verbose mode:

# srp -status sys_con -verbose

Workload Container

1. To start the Workload Container, enter the following command:

# srp -start wrk_con

2. To stop the Workload Container, enter the following command:

# srp -stop wrk_con


Adding the sshd template to a Workload Container

To add the sshd template to a Workload Container, enter the following command:

# srp -add wrk_con -t sshd

Note The sshd template will only be applied on a Workload Container.

Deleting a Workload Container

To delete a Workload Container, enter the following command:

# /opt/hpsrp/bin/srp -d wrk_con


Use and Maintain HP UX Containers

Objectives

After completing this lab, you should be able to:

Create a base SRP compartment

Network with containers

Hardware and software requirements

Following are the requirements for this lab. These are provided by the HPVL.

HP-UX-SRP bundle from Software depot

NIC/LAN address

HP-UX-SRP requires the following software:

• HP-UX 11i Version 3 (B.11.31) for HP 9000 and HP Integrity servers

• HP-UX Security Containment Compartment login

Note HP recommends that you should install HP-UX Security Containment Extensions version B.11.31.01, which includes the Compartment login feature.

• HP-UX Security Containment Extensions patch PHCO_38507

Following are required to use HP-UX to manage these subsystems:

• HP-UX IPFilter version A.11.31.15.01 or later

• HP-UX IPSec version A.02.01.01 or later

• HP Process Resource Manager (PRM) version C.03.03.01 or later


Exercise 1 – Creating a base SRP compartment

The following is an example of creating a container with the base SRP template:

You will create an HP-UX Container for Red Hat Directory Server and remote SSH access. Always start with the base template. Then you will use the ssh and custom templates.

You use the -batch option to supply all the options on the command line. If you do not use the -batch option, the system will prompt you for each of the inputs.

Since you already ran srp_setup, the INIT compartment and the /var/hpsrp directory exist.

The command to create an HP-UX Container for Red Hat Directory Server and remote SSH access is:

# srp -add AcmeCo -batch admin_user=root login_group=root ip_address=192.168.37.51 prm_group_type=PSET prm_cores=1 iface=lan1

The system creates the /etc/cmpt/AcmeCo.rules file and the AcmeCo file system. To view the rules file, enter the following command:

# vi /etc/cmpt/AcmeCo.rules

compartment AcmeCo {
    //@tag-start compartment="AcmeCo" template="base" service="network" id="1";
    // owns the IP address
    interface 192.168.37.51
    //@tag-end;
    //@tag-start compartment="AcmeCo" template="base" service="cmpt" id="1";
    #include "/etc/opt/hpsrp/cmpt/base.srp_incl"
    // lock out access to the other compartment's root directory
    perm nread /var/hpsrp
    // open access to compartment root
    perm all /var/hpsrp/AcmeCo
    perm read /var/hpsrp/AcmeCo/.srp
    //@tag-end;
}

To view the network configuration of the container and of the network interface, enter the following command:

# vi /etc/rc.config.d/netconf

HOSTNAME="rx26-337"
OPERATING_SYSTEM=HP-UX
LOOPBACK_ADDRESS=127.0.0.1
INTERFACE_NAME[2]="lan1:1"
INTERFACE_SKIP[2]=true
IP_ADDRESS[2]="192.168.37.51"
SUBNET_MASK[2]=""
INTERFACE_STATE[2]="up"
BROADCAST_ADDRESS[2]=""
DHCP_ENABLE[2]=0
INTERFACE_MODULES[2]=""
IPV4_CMGR_TAG[2]='compartment="AcmeCo" template="base" service="network" id="1"'
ROUTE_DESTINATION[2]="default"
ROUTE_SKIP[2]="true"
ROUTE_MASK[2]=""
ROUTE_GATEWAY[2]="192.168.37.51"
ROUTE_COUNT[2]=0
ROUTE_ARGS[2]=""
ROUTE_SOURCE[2]="192.168.37.51"
ROUTE_PARAMS[2]=""
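The rules file and netconf must agree on the address the compartment owns, and the rules should open only the compartment's own directory under /var/hpsrp. The following check is an added example, not HP's code; the function names are hypothetical, the sample files are constructed from the two listings above, and only the rule forms shown in those listings are parsed (the included base.srp_incl is not read).

```shell
#!/bin/sh
# Added example: cross-check a compartment rules file against netconf.

# IP addresses the compartment owns ("interface <ip>" lines in the rules file).
rules_ips() {
    awk '$1 == "interface" { print $2 }' "$1" | sort
}

# IP_ADDRESS[n] values whose IPV4_CMGR_TAG[n] names the compartment.
# usage: netconf_ips NETCONF NAME
netconf_ips() {
    awk -v name="$2" '
        function idx(s) { match(s, /\[[0-9]+\]/); return substr(s, RSTART + 1, RLENGTH - 2) }
        /^IP_ADDRESS\[[0-9]+\]=/ {
            v = $0; sub(/^[^=]*=/, "", v); gsub(/"/, "", v); ip[idx($0)] = v
        }
        /^IPV4_CMGR_TAG\[[0-9]+\]=/ {
            if (index($0, "compartment=\"" name "\"")) tagged[idx($0)] = 1
        }
        END { for (i in tagged) if (i in ip) print ip[i] }
    ' "$1" | sort
}

# usage: check_compartment_ip RULES NETCONF NAME
check_compartment_ip() {
    want=$(rules_ips "$1")
    have=$(netconf_ips "$2" "$3")
    if [ -n "$want" ] && [ "$want" = "$have" ]; then
        return 0
    fi
    echo "MISMATCH $3: rules own [$want], netconf configures [$have]"
    return 1
}

# The lock-out rule "perm nread /var/hpsrp" must be present, and no other
# perm rule may point at a different container directory under /var/hpsrp.
# usage: check_perm_rules RULES NAME
check_perm_rules() {
    awk -v root="/var/hpsrp" -v name="$2" '
        $1 == "perm" && $2 == "nread" && $3 == root { lock = 1; next }
        $1 == "perm" && index($3, root "/") == 1 &&
            index($3 "/", root "/" name "/") != 1 {
            print "FOREIGN " $0; bad = 1
        }
        END {
            if (!lock) { print "MISSING perm nread " root; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample files (not copied from a live system).
# usage: write_samples DIR RULES_IP
write_samples() {
    cat > "$1/AcmeCo.rules" <<EOF
compartment AcmeCo {
    //@tag-start compartment="AcmeCo" template="base" service="network" id="1";
    interface $2
    //@tag-end;
    #include "/etc/opt/hpsrp/cmpt/base.srp_incl"
    perm nread /var/hpsrp
    perm all /var/hpsrp/AcmeCo
    perm read /var/hpsrp/AcmeCo/.srp
}
EOF
    cat > "$1/netconf" <<'EOF'
INTERFACE_NAME[2]="lan1:1"
IP_ADDRESS[2]="192.168.37.51"
IPV4_CMGR_TAG[2]='compartment="AcmeCo" template="base" service="network" id="1"'
EOF
}

# Demonstration on the constructed samples.
demo_dir=${TMPDIR:-/tmp}/srp_check.$$
if mkdir "$demo_dir"; then
    write_samples "$demo_dir" 192.168.37.51
    check_compartment_ip "$demo_dir/AcmeCo.rules" "$demo_dir/netconf" AcmeCo &&
        check_perm_rules "$demo_dir/AcmeCo.rules" AcmeCo &&
        echo "AcmeCo: rules and netconf are consistent"
    rm -rf "$demo_dir"
fi
```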


Exercise 2 – Networking with containers

Each container is allocated one or more logical network IP address interfaces. By default, a container will only be allowed access to its assigned interface. Multiple containers can utilize a single physical network interface.

1. To view the IP address of the server, enter the following command:

# ifconfig lan0

2. To display network configuration of the container, enter the following command:

# srp -l system_container -v -s network


3. To display the status of container, enter the following command:

# srp -status system_container

4. To view the detail of routing table, enter the following command:

# netstat -r

5. To view the detail of network interface, enter the following command:

# netstat -i


6. By using this command you can view the statistics of following protocols:

• TCP

• UDP

• IP

• IPv6

• IGMP

• ICMP

• ICMPv6


Integration with Serviceguard

Objectives

After completing this lab, you should be able to:

Understand Serviceguard and when to use which model

Create a container to use with Serviceguard

Adapt Serviceguard script for different type of model

Hardware and software requirements

Following are the requirements for this lab. These are provided by the HPVL.

HP-UX-SRP bundle from Software depot

NIC/LAN address

HP-UX Container requires the following software:

• HP-UX 11i Version 3 (B.11.31) for HP 9000 and HP Integrity servers

• HP-UX Security Containment Compartment login

Note HP recommends that you should install HP-UX Security Containment Extensions version B.11.31.01, which includes the Compartment login feature.

• HP-UX Security Containment Extensions patch PHCO_38507

Following are required to use HP-UX to manage these subsystems:

• HP-UX IPFilter version A.11.31.15.01 or later

• HP-UX IPSec version A.02.01.01 or later

• HP Process Resource Manager (PRM) version C.03.03.01 or later


Exercise 1 – Understanding Serviceguard and usage of model

Overview

Serviceguard allows you to create high availability clusters of HP 9000 or HP Integrity servers. A high availability computer system allows application services to continue in spite of a hardware or software failure. Highly available systems protect users from software failures as well as from failure of a system processing unit (SPU), disk, or local area network (LAN) component.

You can use Serviceguard to:

Allow high availability application services to continue in spite of a hardware or software failure.

Manage a Serviceguard package executing within a container, or manage the container itself as a Serviceguard package.

Coordinate the transfer of components between high availability subsystems.

Provide backup in the event of a failure. If any component fails then the redundant component takes over.

Selecting a model

Two different models are available when using Serviceguard with HP-UX Containers: the classic model and the container package model.

In the classic model, the container is in the started state and Serviceguard has not yet started managing the application inside the container. This model is most compatible with the existing Serviceguard packages. You should use this model:

When Serviceguard has not yet started managing the application inside the container.

To ensure compatibility with the existing Serviceguard packages.

In the container package model, the container itself is the Serviceguard package. This model takes advantage of the capabilities of HP-UX Containers by simplifying the Serviceguard scripts and allowing application startup and shutdown to be managed by HP-UX Containers. You should use this container to:

Start the container initialization and shutdown process.

Stop the applications within the container.

Simplify the Serviceguard packages and reduce the maintenance and administration of startup and shutdown activities.

Choose either Serviceguard or HP-UX Containers to control the file system mounting and the network interface management.


Exercise 2 – Creating a container to use with Serviceguard

If you want to create a container that will use Serviceguard, you must first determine how HP-UX Containers and Serviceguard will interact together. The following steps will give you the information that you need to configure a container appropriately:

1. Select the model.

If you have existing Serviceguard control scripts that you want to leverage, it is recommended that you use the classic model. For a new deployment of a Serviceguard package, it is recommended that you use the container package model as it is easier to create.

2. Select which application will have control.

Determine whether HP-UX Containers or Serviceguard will control the mounting of file systems and management of the network interface, as follows:

• If you have selected the classic model, then use Serviceguard to control the mounting of file systems and management of the network interface. If you have selected the container package model, then use HP-UX Containers to control the file system mounting and management of the network interface.

• If you want to use the Serviceguard network failover capability, then Serviceguard must control the management of the network interface.

! Important Unlike HP-UX Containers, Serviceguard does not support the system network configuration files /etc/rc.config.d/netconf and netconf-ipv6. Therefore, a Serviceguard package during startup can unknowingly use container assigned network interfaces which are not active when the package is started, but are configured in /etc/rc.config.d/netconf or netconf-ipv6 for a container’s use. When the container with the conflicting network interface is started, the active Serviceguard package can fail or result in loss of network connectivity. As a rule, a Serviceguard managed container and a non-Serviceguard managed container on the system must not share the same physical network interface.

Network interface configuration:

DEFAULT_INTERFACE_MODULES=" "
INTERFACE_NAME[1]="lan1"
IP_ADDRESS[1]="192.168.67.32"
SUBNET_MASK[1]="255.255.255.0"
DHCP_ENABLE[1]="0"
LANCONFIG_ARGS[0]=ether
ROUTE_DESTINATION[1]=default
ROUTE_GATEWAY[1]=10.99.0.251
ROUTE_COUNT[1]=1

3. Create the container.

When you create a container that will use Serviceguard, you must indicate in the Container Manager or the command line interface to support the desired Serviceguard behavior as follows:

a. Enter the following command to create a container:

# srp -add containerw -t workload

b. You will be prompted for various options. All these options are already discussed in Exercise 3 of Lab 1 – Install and Configure HP-UX Container.

c. When prompted for adding IP address to netconf file, press Enter to instruct HP-UX Containers to control network interface management. Enter no to defer control of network management to Serviceguard.

Note If you use the srp command for configuration, you can use the variable assign_ip=yes|no to specify the behavior. This option informs HP-UX Containers whether or not the container controls the starting and stopping of the assigned network interface. Either option may be used with Serviceguard, but entering no allows Serviceguard to control the interface, allowing support of network interface failover.


d. When prompted for Autostart SRP container at system boot, press Enter for the classic model or enter no for the container package model.

e. Enter yes to make the selected modifications with these values.

f. For Serviceguard network failover capability, you need to create a secondary (failover) container.

To create a secondary container, you can use the export and import features to clone the container on a secondary system.

Note In the HPVL environment, only Workload Containers support the sharing of container home directory (using Serviceguard volume) between cloned containers in different physical systems.


Exercise 2 – Adapting Serviceguard scripts for different type of model

The example in this exercise shows the classic model approach to modify an existing Serviceguard script to work with HP-UX Containers. If you want Serviceguard to manage or monitor the applications executing within the managed container, use the srp_su command to let Serviceguard access the container.

You must prepend the srp_su command to the command that requires execution within a container.

The Serviceguard package was modified to control a package executing in the container. The service_cmd value is the only value that changed in the script:

Before change in script:

service_name service_ping
service_cmd "/usr/sbin/ping node_a"
service_restart unlimited
service_fail_fast_enabled no
service_halt_timeout 300

After change made in script:

service_name service_ping
service_cmd "/opt/hpsrp/bin/srp_su myContainer root -c '/usr/sbin/ping node_a'"
service_restart unlimited
service_fail_fast_enabled no
service_halt_timeout 300

Either HP-UX Containers or Serviceguard can manage the network interfaces.

If Serviceguard is managing the network interfaces, then the package is configured to create the default route for any container IP address.


The Serviceguard package was modified to add a default route through external_script:

Before change in script:

# SG ip address
ip_subnet 192.168.67.0
ip_address 192.168.67.49

After change made in script:

# SG ip address
ip_subnet 192.10.25.0
ip_address 192.10.25.12
# srp_route_script configures the required source based routing entries for
# the SG managed IP addresses
external_script /etc/cmcluster/pkg1/srp_route_script

The container default route script for Serviceguard, srp_route_script, is shown below.

The following script can be used by a Serviceguard package to assign a default route for an IP address associated with a container. This script is included with the HP-UX Containers Serviceguard example files, and you can view it using the following command:

# vi /opt/hpsrp/example/serviceguard/srp_as_sg_package/srp_route_script

# Copyright (c) 2009 Hewlett-Packard Development Company L.P.
#
# This script runs the 'route' command to manage source based routing entry
# for the SRP.
#
# This script should be configured into the package configuration file
# as the first "external_script" parameter entry. It will be executed
# right after Serviceguard IP addresses assignment during package start time,
# and before removing IP addresses during package halt time.
#
# This script uses the environment variable SRP_SG_MANAGED_IP and
# SRP_SG_GATEWAY. The environment variables must be set in the
# srp_script.incl file in the same directory as this script.
#

###########################
# Source utility functions.
###########################
if [[ -z $SG_UTILS ]]
then
    . /etc/cmcluster.conf
    SG_UTILS=$SGCONF/scripts/mscripts/utils.sh
fi

if [[ -f ${SG_UTILS} ]]; then
    . ${SG_UTILS}
    if (( $? != 0 ))
    then
        echo "ERROR: Unable to source package utility functions file: ${SG_UTILS}"
        exit 1
    fi
else
    echo "ERROR: Unable to find package utility functions file: ${SG_UTILS}"
    exit 1
fi

###################################################################
#
# Get the environment for this package through utility function
# sg_source_pkg_env().
#
###################################################################
sg_source_pkg_env $*

###################################################################
#
# Get the SRP environment from "/etc/cmcluster/hpsrp/<srp>/srp_script.incl"
#
# Environment variable example: use a local gateway on the host
# SRP_SG_MANAGED_IP[0]="192.0.0.99"
# SRP_SG_GATEWAY[0]="192.0.0.99"
#
# Environment variable example: use a remote gateway
# SRP_SG_MANAGED_IP[1]="10.1.1.99"
# SRP_SG_GATEWAY[1]="10.1.1.1"
####################################################################
. `dirname $0`/srp_script.incl

###################################################################
#
# Functions
#
###################################################################

# add routing entry
function srp_route_add
{
    # run 'route' command for each IP address
    rval=0
    index=0
    last_index=${#SRP_SG_MANAGED_IP[@]}
    while [ "$index" -lt "$last_index" ]
    do
        srp_ip="${SRP_SG_MANAGED_IP[$index]}"
        srp_gateway="${SRP_SG_GATEWAY[$index]}";
        if [ -z "$srp_ip" ] # skip empty slot in the array
        then
            let index=$index+1
            let last_index=$last_index+1
            continue
        fi
        if [ "$srp_ip" = "$srp_gateway" ]
        then
            # use local IP as gateway
            emsg=$(/usr/sbin/route add default $srp_gateway 0 \
                source $srp_ip 2>&1)
        else
            # use remote gateway
            emsg=$(/usr/sbin/route add default $srp_gateway 1 \
                source $srp_ip 2>&1)
        fi
        if (($? != 0)); then
            # report the failure on stderr
            print "ERROR: $emsg" >&2
            rval=1
        fi
        let index=$index+1
    done
    return $rval
}

# delete routing entry
function srp_route_delete
{
    # run 'route' command for each IP address
    rval=0
    index=0
    last_index=${#SRP_SG_MANAGED_IP[@]}
    while [ "$index" -lt "$last_index" ]
    do
        srp_ip="${SRP_SG_MANAGED_IP[$index]}"
        srp_gateway="${SRP_SG_GATEWAY[$index]}";
        if [ -z "$srp_ip" ] # skip empty slot in the array
        then
            let index=$index+1
            let last_index=$last_index+1
            continue
        fi
        if [ "$srp_ip" = "$srp_gateway" ]
        then
            # use local IP as gateway
            emsg=$(/usr/sbin/route delete default $srp_gateway 0 \
                source $srp_ip 2>&1)
        else
            # use remote gateway
            emsg=$(/usr/sbin/route delete default $srp_gateway 1 \
                source $srp_ip 2>&1)
        fi
        if (($? != 0)); then
            # report the route error on stderr
            print "ERROR: $emsg" >&2
            rval=1
        fi
        let index=$index+1
    done
    return $rval
}

################
# main routine
################
sg_log 5 "SRP routing entry configuration script"

#########################################################################
#
# Customer defined external script must be specified with three required
# entry points: start, stop, and validate.
#
# It's not recommended to add additional entry points to the script
# due to potential name space collision with future Serviceguard releases.
#
#########################################################################
typeset -i exit_val=0

case ${1} in
    start)
        srp_route_add
        exit_val=$?
        ;;
    stop)
        srp_route_delete
        exit_val=$?
        ;;
    validate)
        exit_val=0
        ;;
    *)
        sg_log 0 "INFO: Unknown operation: $1"
        ;;
esac

exit $exit_val


Troubleshooting Containers

Objectives

After completing this lab, you should be able to:

• Understand the troubleshooting scenarios

• Understand the advanced troubleshooting procedures

• Remove the product using swremove

Hardware and software requirements

The following are the requirements for this lab. These are provided by the HPVL.

• HP-UX-SRP bundle from Software depot

• NIC/LAN address

HP-UX-SRP requires the following software:

• HP-UX 11i Version 3 (B.11.31) for HP 9000 and HP Integrity servers

• HP-UX Security Containment Compartment login

Note: HP recommends that you install HP-UX Security Containment Extensions version B.11.31.01, which includes the Compartment login feature.

• HP-UX Security Containment Extensions patch PHCO_38507

The following are required to use HP-UX to manage these subsystems:

• HP-UX IPFilter version A.11.31.15.01 or later

• HP-UX IPSec version A.02.01.01 or later

• HP Process Resource Manager (PRM) version C.03.03.01 or later


Exercise 1 – Understanding the troubleshooting scenarios

The following are a few troubleshooting scenarios:

Scenario 1

A non-root user is unable to log in to the global view of the HP-UX Containers enabled system.

Symptom

Telnet or rlogin fails with the following error:

Compartment access check failed: User is not authorized to login to the compartment associated with this network service. Connection to host lost.

Solution

Only users in the group srpgrp are authorized to log in to the system. Add the user to the group srpgrp.

Scenario 2

Installing a product update fails.

Symptom

The swinstall command fails with the error:

ERROR: Cannot continue "swinstall". The shared srp's must be in the stopped state. <container_name> is in the started state.

Here, <container_name> is the name of the container.

Solution

Change the state of the container to stopped using the srp -stop container_name command.

Scenario 3

Installing a product update from a remote source fails.

Symptom

swinstall fails with the following error:

ERROR: The source depot specified using a host target selection (host:/path). Installing from a remote source is not supported in SRP environment. To install from a remote source, either mount it locally or copy the software locally using swcopy.

Solution

Installation of a software update from a remote source is not supported in the HP-UX Containers environment. The software must be available locally. To make the source depot available locally, do one of the following:

• Use the swcopy command to copy the depot to the local system.

• If the software is on media, mount the depot locally.

• Use NFS to mount the depot from the remote server to the local file system.

Once the software depot is available locally, run the swinstall command and point it to the local source.

Scenario 4

The GUI version of the swinstall command does not work in the HP-UX Containers environment.

Symptom

The swinstall command invoked with no command line options fails with the following error message:

# swinstall

ERROR: The interactive UI is not supported in SRP environment.

Solution

The GUI version of swinstall is not supported. Instead, use the command line interface in the HP-UX Containers environment.

Scenario 5

Container fails to start.

Symptom

The srp -start <container_name> command gives the following error:

# srp -start <container_name>

SRP container_name not started:

The SRP must be (re)synchronized with the system's installed product database.

Run /opt/hpsrp/bin/util/srp_check to identify the list of products to install or remove from this SRP.

Solution

1. Run the srp_check command and identify the products that are uncoordinated with the global.

2. Check the /var/adm/sw/swagent.log file in the container to identify the problem. To log in to the container, first change its state to maintenance using the srp -maint <container_name> command and then use the -M option with the srp_su command as:

srp_su -M <container_name>

3. Take corrective action (if any) based on the information in the swagent.log file.

4. Change the state of the container back to stopped.

5. Install the patch targeting the container as:

swinstall -x local_srp_list=<container_name> \
    -s <depot location> Product name

Scenario 6

Unable to telnet or rlogin to a container.

Symptom

Remote login to a container fails with one of the following messages:

# telnet container_name

Trying...

telnet: Unable to connect to remote host: Connection refused

# rlogin container_name

rcmd_af: connect: container_name: Connection refused

Solution

The container must be in the started state to accept login requests. If the container is of type workload, then you can log in to the container using ssh only. To verify whether the container is of type workload, run the srp -status command on the system where the container resides and check the second field, TYPE.

Scenario 7

Process respawn does not work in the container.

Symptom

Processes configured for respawn in the container's /etc/inittab file do not respawn.

Solution

Verify that the srp_init daemon is up and running inside the container by executing the following command in the container:

# ps -ef | grep srp_init

If the srp_init daemon is running, enter the following command to re-examine the /etc/inittab file entries without changing the run level:

# /sbin/srp_init q

If the srp_init daemon is not running, restart srp_init within the container using the /sbin/srp_init daemon.

Exercise 2 – Understanding the advanced troubleshooting procedures

This section includes advanced troubleshooting procedures:

Using the Security Containment compartment discover feature (workload containers only)

In a secure environment, you can use the Security Containment discover feature to remove compartment restrictions and view the rules that are needed to allow access.

Note: If you are not in a secure environment, you can use IPFilter to allow access from only trusted systems before removing compartment restrictions.

You can use the discover feature as follows:

1. To stop the container, enter the following command:

# srp -stop system_container

2. Edit the compartment rules file /etc/cmpt/container_name.rules, and tag the container definition at the beginning of the file with the discover keyword. This opens the container for all access.

# vi /etc/cmpt/system_container.rules

For example:

discover compartment system_container {
    //@tag-start compartment="system_container" template="system" service="network" id="1";
    // owns the IP address
    interface 192.168.67.49
    //@tag-end;
    //@tag-start compartment="system_container" template="system" service="cmpt" id="1";
#define _SRP_HOME_ /var/hpsrp/system_container
#define _SRP_USR_PERM_ none
#define _SRP_USR_ROOT_
#define _SRP_SBIN_PERM_ none
#define _SRP_SBIN_ROOT_
#include "/etc/opt/hpsrp/cmpt/sysbase.srp_incl"
    // @tag-end ;
}

3. To start the container, enter the srp -start system_container command.

4. Attempt to access the container applications. After you successfully access the applications, enter the following command to generate the rules used to access the container:

# getrules -m system_container

5. Compare the output from the getrules command with the compartment rules file and make the necessary changes.

6. Stop the container, remove the discover keyword from the compartment rules file, and then restart the container.

# srp -stop system_container

7. Now enter the following command to remove the discover keyword:

# vi /etc/cmpt/system_container.rules

For example:

discover compartment system_container {
    //@tag-start compartment="system_container" template="system" service="network" id="1";
    // owns the IP address
    interface 192.168.67.49
    //@tag-end;
    //@tag-start compartment="system_container" template="system" service="cmpt" id="1";
#define _SRP_HOME_ /var/hpsrp/system_container
#define _SRP_USR_PERM_ none
#define _SRP_USR_ROOT_
#define _SRP_SBIN_PERM_ none
#define _SRP_SBIN_ROOT_
#include "/etc/opt/hpsrp/cmpt/sysbase.srp_incl"
    // @tag-end ;
}
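The check below is an added example, not part of the HP lab guide: it reports every compartment rules file whose definition still carries the discover keyword, so that a container is not left open for all access once the procedure above is finished. The function names, the helper that builds the constructed sample files, and the web_container name are assumptions; /etc/cmpt is the rules directory used in the steps above.

```shell
#!/bin/sh
# Added example, not from the lab guide: list compartment definitions that
# still carry the "discover" keyword, which opens the container for all access.

# find_discover_compartments [rules_dir]      (default: /etc/cmpt)
# Prints "<file>: <compartment>" per hit; returns 1 on any hit, else 0.
find_discover_compartments() {
    rules_dir=${1:-/etc/cmpt}
    hits=$(
        for f in "$rules_dir"/*.rules; do
            [ -f "$f" ] || continue
            awk -v file="$f" '
                /^[ \t]*(\/\/|#)/ { next }  # skip // comments, #define, #include
                {
                    seen = 0
                    for (i = 1; i < NF; i++) {
                        if ($i == "discover") seen = 1
                        if ($i == "compartment") {
                            name = $(i + 1); sub(/[{].*/, "", name)
                            if (seen) print file ": " name
                            break
                        }
                    }
                }' "$f"
        done
    )
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Constructed sample input (hypothetical helper): one rules file left in
# discover mode, one with the keyword only inside a comment.
make_sample_rules() {
    d=${TMPDIR:-/tmp}/cmpt_sample.$$
    mkdir -m 700 "$d" || return 1
    printf '%s\n' 'discover compartment system_container {' \
        '    interface 192.168.67.49' '}' > "$d/system_container.rules"
    printf '%s\n' '// discover compartment web_container {' \
        'compartment web_container {' '}' > "$d/web_container.rules"
    echo "$d"
}

sample=$(make_sample_rules) || exit 1
find_discover_compartments "$sample" || echo "WARNING: discover keyword still set"
rm -rf "$sample"
```

Run without an argument it scans /etc/cmpt; a non-zero return means at least one compartment definition is still tagged discover.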

Removing or disabling IPFilter

If you are using IPFilter with HP-UX Containers, you can check whether IPFilter rules are blocking access to the container applications by removing the ipfilter service from the container, as follows:

# srp -d system_container -t system -s ipfilter

If you do not specify the -t argument, the srp command removes the IPFilter configuration for the template (base for the Workload Container and system for the System Container).

To add the ipfilter service back to the container after you have completed your testing, enter:

# srp -add system_container -t system -s ipfilter

Removing or disabling IPSec

1. If you are using IPSec with HP-UX Containers, you can check whether IPSec policies are blocking access to the container applications. One method to determine whether IPSec policies are blocking packets is to remove the ipsec service from the container, as follows:

# srp -d system_container -s ipsec

2. To add the ipsec service back to the container after you have completed testing, enter the IP address that you have assigned to the container:

# srp -add system_container -s ipsec

3. Press Enter when you are prompted for IPSec transform. Currently you will not have the preshared key. Enter presharedkey as key and again press the Enter key.

Another method to test whether IPSec policies are blocking access to the container applications is to stop the IPSec product, as follows:

# /usr/sbin/ipsec_admin -stop

To restart IPSec after you have completed testing, enter:

# /usr/sbin/ipsec_admin -start

Exercise 3 – Removing product using swremove

Removing (uninstalling) HP-UX Containers

To remove (uninstall) the HP-UX Containers product from your HP-UX 11i v3 March 2011 (or later) system or the HP-UX SRP product from your HP-UX 11i v3 system, perform the following steps:

1. Log in to your system as the root user.

2. For HP-UX Containers, stop all configured containers by entering the following command:

# srp -stop system_container

3. For HP-UX Containers, remove all configured containers by entering the following command:

# srp -delete system_container

4. For HP-UX Containers, disable HP-UX Containers by entering the following command:

# srp_sys -disable

Removing the HP-UX-SRP bundle for the HP-UX Containers product

1. To remove the HP-UX-SRP bundle for the HP-UX Containers product, enter the following command:

# swremove -x autoreboot=true HP-UX-SRP

2. The system will now reboot automatically. If it does not, reboot manually by entering the following command:

# reboot
