HP-UX Secure Resource Partitions (SRP) A.02.01 Administrator's Guide

Do not use the INIT compartment to run applications or non-essential services. Any
application or service that is not intended to be shared by SRPs should be run in an SRP and
not in INIT.
Manage system resources when logged in to the INIT compartment. If a utility manages
system-wide resources or configuration files, such as SMH, run the utility from the INIT
compartment. The SRP utilities manage system resources and should be executed from the
INIT compartment.
Run swinstall and swremove from the INIT compartment. Do not install system software
or utilities from within an SRP compartment. An SRP compartment might have rules that
prevent you from successfully installing system software.
If an application hosted in an SRP compartment has associated executables or utilities, run
them from within the SRP compartment. This enables the processes to share common file
system directories, IPC facilities, and network security rules.
1.3.3 Cross-Compartment Network Traffic
SRP compartments provide isolated networking environments. By default, an SRP compartment is
configured so that the only networking traffic allowed is through the compartment-specific IP interface.
If you want to allow network traffic to another compartment on the same system (cross-compartment
network traffic on the same system through the loopback interface), you must manually configure
compartment network rules (compartment grant rules) to do so. However, configuring these rules
also allows the SRP compartment to use all network interfaces accessible to the second compartment.
To avoid configuring grant rules to allow cross-compartment network traffic on the same system, do
not configure network applications in separate SRP compartments if they need to communicate with
each other through the loopback interface.
NOTE: Configuring cross-compartment rules can interfere with the ability to import compartments to
another system. Refer to 15 Exporting and Importing SRPs for more details.
1.3.4 IP Routers and Strong End System (ES) Model
To ensure proper routing, SRP configures the system to use the strong end system (ES) model, as
described in RFC 1122, to provide symmetric routing of connection-based network traffic. When the
strong ES model is used, a system cannot act as an IP router. A system with the strong ES model
silently drops incoming IP packets with destination IP addresses that do not match the interface
address. Outbound IP packets must use the interface address as the source IP address.
1.3.4.1 Application Gateway Servers
Although SRP systems cannot be used as IP routers, they can be used as application gateway servers.
Application gateway servers receive IP packets sent to a local IP address, process the packets at an
upper layer, and retransmit the packets using the local IP address as the source address. Local
network applications that communicate with each other on the same system must reside in the same
SRP compartment, or you must manually configure compartment grant rules to allow
cross-compartment network traffic, as described in 1.3.3 Cross-Compartment Network Traffic.
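
The following added example (not part of the HP guide and not SRP code) models the strong ES checks from 1.3.4 and shows why the same host drops routed packets yet works as an application gateway as described in 1.3.4.1. The interface names, addresses, and function names are assumptions made for illustration.

```python
from ipaddress import ip_address

# Constructed sample host (interface names and addresses are assumptions).
INTERFACES = {"lan0": ip_address("192.0.2.10"), "lan1": ip_address("198.51.100.10")}

def inbound_ok(iface, dst, strong=True):
    """May a packet arriving on `iface` with destination `dst` be accepted?"""
    dst = ip_address(dst)
    if strong:
        # Strong ES: destination must be the address of the arrival interface.
        return INTERFACES[iface] == dst
    # Weak ES: any local address is accepted, whichever interface it arrived on.
    return dst in INTERFACES.values()

def outbound_ok(iface, src, strong=True):
    """May a packet with source `src` be sent out of `iface`?"""
    src = ip_address(src)
    if strong:
        # Strong ES: source must be the address of the sending interface.
        return INTERFACES[iface] == src
    return src in INTERFACES.values()

def relay(in_iface, src, dst, out_iface, mode):
    """Model one packet crossing the host under the strong ES model.

    mode "route":   forward the packet unchanged (what an IP router does).
    mode "gateway": accept it locally, then re-originate from the local address.
    """
    if not inbound_ok(in_iface, dst):
        return "dropped on input"
    new_src = src if mode == "route" else str(INTERFACES[out_iface])
    if not outbound_ok(out_iface, new_src):
        return "dropped on output"
    return f"sent from {new_src} via {out_iface}"

if __name__ == "__main__":
    client, server = "192.0.2.50", "198.51.100.80"  # constructed peers
    # Router behaviour: destination is the remote server, not lan0's address.
    print(relay("lan0", client, server, "lan1", "route"))
    # Application gateway: client addresses lan0, host re-originates on lan1.
    print(relay("lan0", client, "192.0.2.10", "lan1", "gateway"))
    # Multi-homed case: lan1's address arriving on lan0, strong versus weak.
    print(inbound_ok("lan0", "198.51.100.10"),
          inbound_ok("lan0", "198.51.100.10", strong=False))
```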
1.3.5 SRP Compartment Administrators and Login Users
The SRP admin service assigns a user with an RBAC role to start and stop an SRP from the INIT
compartment. By contrast, the login service assigns a set of HP-UX users and groups the RBAC
authority to log in to the compartment. Only users in this set are allowed to log in to the SRP.
NOTE: By default, RBAC configuration also authorizes the root user to log in to all compartments.
1.3.6 Compatibility with the Bastille Revert Feature
If you use the bastille -r command to revert to the Bastille baseline configuration, you may lose
any IPFilter rules configured using SRP that are not in the baseline. HP recommends that you do not