HP-UX Secure Resource Partitions (SRP) A.02.01 Release Notes

For example:
> swlist | grep HPUX11i
HPUX11i-DC-OE B.11.31.0903 HP-UX Data Center Operating Environment
1.5 Frequently Asked Questions
This section includes questions frequently asked about HP-UX SRP.
Q. How can I configure DNS access for an SRP when the remote DNS Server is not accessible
from the SRP, but is accessible from the init compartment?
A. With HP-UX SRP A.02.01, an SRP has access only to the network interface it is configured with.
If a command or application within an SRP requires access to a remote network service that is
not accessible on the compartment's network, it will fail. Because of this limitation, users and
applications running in an SRP compartment are not able to resolve DNS nodenames.
If applications and tools like nslookup are unable to resolve nodenames when running in an
SRP but work from the default init compartment, then the system file /etc/resolv.conf
contains remote DNS bind servers that are not accessible from the SRP's network interfaces.
To avoid this limitation, grant all SRP compartments UDP access on port 53 to the
compartment which has access to the DNS bind servers. By default, the ifaces compartment
owns all network interfaces (see compartments(4)). Grant access to the ifaces compartment
as follows:
1. Edit the /etc/opt/hpsrp/cmpt/base.srp_incl file and add the following lines
at the end of the file:
// grant dns access via ifaces compartment
grant client udp peer port 53 ifaces
2. Enter the following command at the HP-UX command prompt:
HP-UX> setrules
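Step 1 can be made repeatable with a small POSIX shell helper. This is an added example, not part of the HP release notes; the function names and the .pre-dns backup suffix are assumptions, while the rule text is the one given in step 1.

```shell
#!/bin/sh
# Added example: idempotently append the DNS grant rule from step 1 to a
# compartment include file, so re-running it never duplicates the rule.

RULE='grant client udp peer port 53 ifaces'
COMMENT='// grant dns access via ifaces compartment'

# has_dns_rule FILE: succeed only if FILE holds the rule as an active line.
# Text after "//" is ignored and runs of blanks are collapsed, so a rule that
# was pasted onto the end of the comment line does not count as present.
# (Block comments are not handled; the page uses only "//".)
has_dns_rule() {
    sed -e 's|//.*$||' -e 's/[[:space:]][[:space:]]*/ /g' \
        -e 's/^ //' -e 's/ $//' "$1" | grep -Fqx "$RULE"
}

# add_dns_rule FILE: append the comment and rule unless already present.
# Keeps a one-time backup in FILE.pre-dns (hypothetical suffix).
# Prints "added" or "present"; returns 2 if FILE does not exist.
add_dns_rule() {
    file=$1
    if [ ! -f "$file" ]; then
        echo "missing: $file" >&2
        return 2
    fi
    if has_dns_rule "$file"; then
        echo present
        return 0
    fi
    if [ ! -f "$file.pre-dns" ]; then
        cp -p "$file" "$file.pre-dns" || return 1
    fi
    # Make sure the rule starts on its own line if the file lacks a final newline.
    if [ -n "$(tail -c 1 "$file")" ]; then
        echo >> "$file" || return 1
    fi
    printf '%s\n%s\n' "$COMMENT" "$RULE" >> "$file" || return 1
    echo added
}
```

Run `add_dns_rule /etc/opt/hpsrp/cmpt/base.srp_incl` as root, then apply the rules with setrules as in step 2.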
1.6 Known Problems Fixed in HP-UX SRP A.02.01
This release provides the following fixes:
Non-root users can now log in to the INIT compartment.
In SRP A.02.00.01 or earlier versions, only the root user was allowed to log in to the INIT
compartment. To allow users to log in to the INIT compartment after compartment login is
enabled, do the following:
1. Run srp_sys setup to re-enable compartment login.
2. To allow an individual user to log in to the INIT compartment, assign the user the
SRPlogin-init role:
# roleadm assign <user_name> SRPlogin-init
3. To allow all users in a user group (from /etc/groups) to log into the INIT
compartment, assign the group the SRPlogin-init role:
# roleadm assign "&<group_name>" SRPlogin-init