HP-UX Containers (SRP) A.03.01.004 Release Notes (5992-5696, September 2012)
UX Containers. Refer to cmpt_restrict_tl(5) and compartments(5) for more
information.
1.11 Restrictions on system containers
System containers provide the image of an individual system with its own root file system, system
services, hostname, and private user/group management, enabling similar or different workloads to
execute independently on the same physical system. Although each system container appears to be a
separate system to the local user, all system containers execute within a single instance of the
operating system and share hardware resources for efficient use. To prevent one system container from
affecting other containers or the system as a whole, certain restrictions are in place. These restrictions
may lead to behavioral differences in a system container when compared to an individual physical
system.
1.11.1 Disallowed operations in system containers
All users in a system container (including root) are prevented from performing the following
administrative tasks. These administrative tasks must be performed in the global view:
• Kernel configuration management
• Kernel tunable management
• System boot configuration
• Reading kernel memory
• Make kernel
• System crash configuration
• Kernel Registry Services
• DLKM management
• Creating device files
• Changing system time
• Shutting down/rebooting the physical system
• Swap space management
• Logical volume management
• Physical device management
• Network interface card configuration
• IP Address configuration
• Network tunable configuration
• Compartment rule configuration
• Bypassing compartment rules using overriding privileges
• Enable/disable auditing
• Enable/disable accounting
• IPFilter configuration
• IPSec configuration
• SRP configuration
• SD software installation (swinstall/swremove/swconfig)
1.11.2 Disallowed privileges in system containers
A set of privileges is disallowed in each system container to prevent users from performing
administrative tasks that might have an impact on system-wide resources or operations. Commands
and system calls performing the administrative tasks that are disallowed in a system container will