01 Update
Lab Guide
Rev. 12.11
Use of this material to deliver training without prior written permission from HP is prohibited.
Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. This is an HP copyrighted work that may not be reproduced without the written permission of HP. You may not use these materials to deliver training to any person outside of your organization without the written permission of HP.
Configuring HP-UX Containers (SRP) v3.01 Update
Lab guide
March 2012
Contents
Lab 0: Accessing the HPVL Environment
  Objectives
  Exercise Accessing the HPVL environment
    Learner-specific information
    Prerequisites
    Accessing the HPVL environment
    Exiting HPVL
Lab 1: Install and Configure HP-UX Container
  Objectives
  Hardware and software requirements
  Exercise 1 Validating and Installing HP-UX Container
    Validating the HP-UX Container depot file
    Installing the package using swinstall
      Verifying HP-UX Container installation
  Exercise 2 Enabling HP-UX Container using the interactive mode
  Exercise 3 Creating System Container and viewing its default file set layout
    Creating System Container
    Viewing file set layout for System Container
  Exercise 4 Creating Workload Container and viewing its default file set layout
    Creating Workload Container
    Viewing file set layout for Workload Container
  Exercise 5 Modifying the pre-defined list of allowed products
Lab 2: Installing and Managing HP 9000 Containers
  Objectives
  Hardware and software requirements
  Exercise 1 Validating and installing HP9000 Container
    Validating the HP9000 Container depot file
    Installing the package using swinstall
      Verifying HP-UX Container installation
  Exercise 2 Viewing HP 9000 Containers file system layout
  Exercise 3 Administering HP 9000 Containers
  Appendix A Transitioning from HP 9000 server
  Appendix B Additional screenshots
    Creating system container in HP9000
Lab 3: Configure and Manage Containers
  Objectives
  Hardware and software requirements
  Exercise 1 Configuring HP-UX Container using interactive mode
    Setting up Process Resource Manager
    IPFilter
    IPSec module (ipsec)
    Creating container using batch mode
  Exercise 2 Managing containers using the srp command
    The srp_ps command
    Starting and stopping a container
      System Container
      Workload Container
    Adding the sshd template to a Workload Container
    Deleting a Workload Container
Lab 4: Use and Maintain HP UX Containers
  Objectives
  Hardware and software requirements
  Exercise 1 Creating a base SRP compartment
  Exercise 2 Networking with containers
Lab 5: Integration with Serviceguard
  Objectives
  Hardware and software requirements
  Exercise 1 Understanding Serviceguard and usage of model
    Overview
    Selecting a model
  Exercise 2 Creating a container to use with Serviceguard
  Exercise 2 Adapting Serviceguard scripts for different type of model
Lab 6: Troubleshooting Containers
  Objectives
  Hardware and software requirements
  Exercise 1 Understanding the troubleshooting scenarios
    Scenario 1
      Symptom
      Solution
    Scenario 2
      Symptom
      Solution
    Scenario 3
      Symptom
      Solution
    Scenario 4
      Symptom
      Solution
    Scenario 5
      Symptom
      Solution
    Scenario 6
      Symptom
      Solution
    Scenario 7
      Symptom
      Solution
  Exercise 2 Understanding the advanced troubleshooting procedures
    Using the Security Containment compartment discover feature (workload containers only)
    Removing or disabling IPFilter
    Removing or disabling IPSec
  Exercise 3 Removing product using swremove
    Removing (uninstalling) HP-UX Containers
    Removing the HP-UX-SRP bundle for the HP-UX Containers product
Objectives
After completing this lab, you should be able to access the HPVL environment.
Prerequisites
Ensure that the computer you use to access the HPVL meets the requirements described in the Connection Reference Guide (das_guide.pdf) document available at:
http://hpvl.usa.hp.com/access.htm
3. At the Terminal Servers screen, click the HPVL Access VLTS02 link.
Use the top-right Minimize, Maximize, and Close buttons to change your view or close the window.
4. At the Access a Lab Group screen, click the link corresponding to your labgroup. Labgroup assignments are done by the HPVL team.
5. Carefully review the information on this screen. In particular:
   a. Read the Overview section.
   b. Familiarize yourself with the equipment configuration.
Important: When creating the container in this class, use the IP addresses provided on the webpage shown above.
Exiting HPVL
When you are finished with your labs, log out from the connected servers and from HPVL. To exit your lab, follow the instructions in the Connection Reference Guide (das_guide.pdf) document.
Objectives
After completing this lab, you should be able to:
- Validate and install HP-UX Container
- Install System Container and view its default file set layout
- Install Workload Container and view its default file set layout
- View the predefined list of allowed products

- HP-UX-SRP bundle from Software depot
- NIC/LAN address

HP-UX Container requires the following software:
- HP-UX 11i Version 3 (B.11.31) for HP 9000 and HP Integrity servers
- HP-UX Security Containment Compartment login
  Note: HP recommends that you install HP-UX Security Containment Extensions version B.11.31.01, which includes the Compartment login feature.
- HP-UX Security Containment Extensions patch PHCO_38507
- HP-UX IPFilter version A.11.31.15.01 or later
- HP-UX IPSec version A.02.01.01 or later
- HP Process Resource Manager (PRM) version C.03.03.01 or later
Note: If the installation fails, the swinstall command displays an error message. For information on the failed installation, check the /var/adm/sw/swagent.log file.
If the installation is successful, a list of files is displayed. A success message appears after the verification is complete.
Enter y or just press the Enter key to enable the Core subsystem.
3. Enter y or just press the Enter key to enable the Compartment Login feature.
4. Enter y or just press the Enter key to grant the login group access to the global view.
5. Enter y or just press the Enter key to enable Process Resource Manager (PRM).
6. Enter y or just press the Enter key to restrict the IP address that Secure Shell Daemon (sshd) listens to in the global view. Press the Enter key to enable IPFilter for SRP.
Note: HP recommends that you do not enable or disable HP-UX IPFilter when critical network applications are running. Schedule enabling or disabling IPFilter for a time when interrupting network connectivity is not disruptive.
7. Enter n or just press the Enter key for enabling IPsec for SRP. This completes the SRP setup.
9. To view the list of subsystems that are configured during the setup, enter the following command:
# /opt/hpsrp/bin/srp_sys -l
Exercise 3 Creating System Container and viewing its default file set layout
Creating System Container
1. To create a System Container, enter the following command:
# /opt/hpsrp/bin/srp -add system_container -t system
2. The command displays the services that are enabled by default while creating the container:
cmpt admin init prm network provision
For the Container's subtype, you can enter either private or shared. For this exercise, enter shared.
For Autostart container at system boot, enter yes or press the Enter key.
For the root user password, enter HP and reenter it to confirm.
For Configure DNS Resolver, enter no or press the Enter key.
3. For the rest of the configurations, accept the default values by pressing Enter until you get the prompt to enter the IP address. Enter the IP address as 192.168.67.49 and press Enter.
4. Next, press Enter to accept the default values. For the Network interface name value, enter the name as lan0. Enter yes to continue.
Exercise 4 Creating Workload Container and viewing its default file set layout
Creating Workload Container
1. To create a Workload Container, enter the following command:
# /opt/hpsrp/bin/srp -add workload_container -t workload
/classfiles/HP-UX-SRP_A.03.01_HP-UX_B.11.31_IA_PA.depot
Objectives
After completing this lab, you should be able to:
- Validate and install HP 9000 Containers
- View HP 9000 Containers file system layout
- Administer HP 9000 Containers

- HP9000 Container bundle from Software depot
- NIC/LAN address

HP-UX Container requires the following software:
- HP-UX 11i Version 3 (B.11.31) for HP 9000 and HP Integrity servers
- HP 9000 Containers A.03.01.01

All required dependencies are enforced during software installation. The list of dependencies is documented in the release notes.

Installation pre-requisites:
- HP-UX 11i v3 March 2011 update (or later)
- HP-UX Containers A.03.01 (or later)
- HP ARIES patch PHSS_41423 or later
- Perl version 5.8.8 (or later)
- HP-UX SecureShell version A.05.00.012 (or later)

If any of the above dependencies is not already installed, the HP9KC depot installation will fail.
Note: The swinstall command displays an error message if the installation fails. For information on the failed installation, check the /var/adm/sw/swagent.log file.
3. To view the files and directories in the HP9000 Container bin directory, enter the following command:
# ls /opt/HP9000-Containers/bin
4. To list the directory structure under the docs folder, enter the following command:
# ls /opt/HP9000-Containers/docs
5. To list the directory structure under the config folder, enter the following command:
# ls /opt/HP9000-Containers/config
6. To list the directory structure under the newconfig folder, enter the following command:
# ls /opt/HP9000-Containers/newconfig
The following are the essential steps in transitioning the entire application environment from an HP 9000 server running the HP-UX 11i operating system to an HP 9000 Container on an HP-UX 11i v3 instance running on an HP Integrity server:
1. Decide which HP 9000 Container model to use.
2. Create the HP 9000 server file system image.
3. Set up the user environment for recovery.
4. Recover HP 9000 files on the HP Integrity server.
5. Complete HP Integrity system configuration.
6. Create and configure an HP 9000 Container.
7. Start the HP 9000 Container and test applications; tweak the HP 9000 Container, if needed.

- There is a need to continue using trusted mode.
- The environments are legacy (pre HP-UX 11i v1).
- There is need for a non-emulated login process.
- There is need for user auditing.

To create the server system image, you should use tar or cpio.
Note: When using tar or cpio, ensure that the backup is done without including the / prefix. This is because the backup is intended to be restored under an alternate root, and not at the system root on the Integrity system.
For example:
$ cd /
$ tar cvf archive.tar dev etc opt var stand
Note: cpio is not supported for use with HP 9000 classic containers.
To set up user environment recovery for System Container:
- If cpio, tar, or fbackup was used to create the image, there is no need to set up any user environment prior to recovery. HP 9000 Containers provides a tool to recover such archives. Note that Ignite-UX images are also either tar or cpio archives, so they fall into this category.
- If any other tool was used for creating the image, and the tool has an option to recover files purely based on numeric UID/GID, then no user environment needs to be set up before the recovery.
- If the tool used for creating the image gives preference to user name and group name over UID and GID respectively, then the following needs to be done on the host system before the recovery. These steps imply that no users apart from root can log in to the system while the recovery is going on.
  - Edit /etc/nsswitch.conf entry for users to include only files users files.
  - Delete all entries from the /etc/group file other than root, other, bin, sys, adm, daemon.
  - Delete all entries from the /etc/passwd file on the host other than root, daemon, bin, sys, adm.

A classic HP 9000 Container shares the /etc directory and login mechanism with the HP-UX 11i v3 host system. Hence, HP 9000 users and groups need to be merged into the host before doing the recovery.

Recover HP 9000 /etc directory. The input for the user migration process is a copy of the /etc directory from the HP 9000 server. Get a tar archive of /etc and recover it under /tmp on the HP Integrity server. It may also be possible to recover /etc from the complete file system image. For example, here is how to extract /etc from a complete fbackup image:
$ mkdir /tmp/HP9000
$ echo "i etc" > /tmp/HP9000/graph
$ cd /tmp/HP9000
$ frecover -x -X -f <image file> -g /tmp/HP9000/graph

- Enable trusted mode on the HP Integrity host using SMH, if the HP 9000 server was configured with trusted mode.
- Enable shadow mode on the HP Integrity host using the pwconv command, if the HP 9000 server was configured with shadow password.
- Run the user merge tool as:
$ /opt/HP9000-Containers/bin/hp9000_conf_users \
    <path to recovered /etc directory>
Check for errors or warnings on stderr and in the log file /var/opt/HP9000Containers/logs/user_config.log
To install and configure user management related products on the host:
With the classic container the SSH login process is actually native (does not use products from the HP 9000 image). It is just towards the end of the login process that SSHD does a chroot into the HP 9000 file system and invokes a PA-RISC shell. Hence, if there is a requirement to use NIS, LDAP or any other Active Directory tool, the same needs to be installed and configured on the Integrity host system.

To create the root directory for HP 9000 files:
Each HP 9000 container will have its own root directory on the host system. It is recommended that the root directory does not reside on the Integrity host root file system. The HP 9000 root directory itself could be a mount point. In fact, if the System Container is being used and there is an intention to host multiple containers on the same host, it is advised that the container root directories be in separate logical volumes. This is the only way to assign disk quotas to containers now. By placing the home for each container in its own LUN, storage performance can be improved.

If the container is being created on the primary node of a Serviceguard cluster and the intention is to use the container package model, it is necessary for the HP 9000 root directory to be a mount point. More information can be found in the chapter Integration with Serviceguard.

The HP 9000 root directory should not be a symbolic link or a hard link.

The requirement for container root directory path is different between the two models of HP 9000 Containers. For System Container, the root directory needs to be created under /var/hpsrp with the name of the container.
$ mkdir /var/hpsrp/<srp_name>
For Classic Container, the root needs to be created under /. For example:
$ mkdir /hp9000
It is recommended, for security reasons, that <hp9000_root> is not on the same file system as /usr, especially for the System Container, where multiple containers may be hosted on the same system.

To configure mount points inside the container root:
If the files within the container need to be recovered onto mount points, create them on the HP-UX 11i v3 host. For example:
$ mkdir <hp9000_root>/var
$ chown bin:bin <hp9000_root>/var
$ chmod 0555 <hp9000_root>/var
$ mount -F <fstype> <from where> <hp9000_root>/var

Post recovery steps after the recovery is complete:
Manually check if all the basic directories (/etc, /home, /opt, /tmp, /usr, /var, /stand) have been recovered properly. Directories that have not been copied over need to be created manually and assigned proper ownership and permissions. For example:
$ mkdir <hp9000_root>/var/adm/crash
$ chmod 0755 <hp9000_root>/var/adm/crash
$ chown root:root <hp9000_root>/var/adm/crash

For the System Container, when using tools other than cpio, tar, and fbackup, if the host files were modified before recovery, restore them:
$ cp -p /etc/passwd.backup /etc/passwd
$ cp -p /etc/group.backup /etc/group
$ cp -p /etc/nsswitch.conf.backup /etc/nsswitch.conf

Trusted mode is not supported with the System Container. If the recovered file system has trusted mode enabled (search for /tcb under <hp9000_root>), disable it using the following set of commands:
$ mkdir <hp9000_root>/usr/lib/hpux32
$ mount -F lofs -o ro /usr/lib/hpux32 <hp9000_root>/usr/lib/hpux32
$ chroot <hp9000_root> /usr/lbin/tsconvert -r
$ umount <hp9000_root>/usr/lib/hpux32
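The checks this transition procedure calls for can be scripted. The following is an added example, not part of the HP lab guide or of the HP 9000 Containers product: it flags archive members that would not stay under an alternate root, and checks a recovered root for the basic directories, for a symbolic-link root and for /tcb. The function names, the finding labels and the sample input are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the lab guide. Function names are hypothetical.

# Reads archive member names on stdin (for example from: tar tf archive.tar)
# and prints the ones that would not stay under an alternate root: names with
# a leading "/" and names with a ".." component. Returns 1 if any are found.
unsafe_members() {
    um_bad=$(awk -F/ '
        substr($0, 1, 1) == "/" { print; next }
        { for (i = 1; i <= NF; i++) if ($i == "..") { print; next } }')
    [ -z "$um_bad" ] && return 0
    printf '%s\n' "$um_bad"
    return 1
}

# usage: check_recovered_root HP9000_ROOT [system|classic]
# Prints one finding per line and returns 1 if there is any:
#   ROOT_IS_SYMLINK  the container root must not be a symbolic link
#   ROOT_MISSING     the container root is not a directory
#   MISSING_DIR /x   a basic directory was not recovered
#   TRUSTED_MODE     /tcb present; not supported with the System Container
check_recovered_root() {
    cr_root=$1
    cr_model=${2:-system}
    cr_out=$(
        if [ -h "$cr_root" ]; then
            echo "ROOT_IS_SYMLINK"
        elif [ ! -d "$cr_root" ]; then
            echo "ROOT_MISSING"
        else
            for cr_d in etc home opt tmp usr var stand; do
                [ -d "$cr_root/$cr_d" ] || echo "MISSING_DIR /$cr_d"
            done
            if [ "$cr_model" = system ] && [ -d "$cr_root/tcb" ]; then
                echo "TRUSTED_MODE"
            fi
        fi
    )
    [ -z "$cr_out" ] && return 0
    printf '%s\n' "$cr_out"
    return 1
}

# True when both paths are on the same file system, judged by the mount point
# in the last column of "df -P". The guide recommends that the container root
# and /usr are on different file systems.
same_filesystem() {
    sf_a=$(df -P "$1" | awk 'NR == 2 { print $NF }')
    sf_b=$(df -P "$2" | awk 'NR == 2 { print $NF }')
    [ -n "$sf_a" ] && [ "$sf_a" = "$sf_b" ]
}

# Demonstration on constructed input: a member listing and a scratch root.
demo_root=${TMPDIR:-/tmp}/hp9000_demo.$$
mkdir -m 700 "$demo_root" || exit 1          # fails if the name already exists
for demo_d in etc home opt tmp usr var tcb; do mkdir "$demo_root/$demo_d"; done

printf '%s\n' etc/passwd opt/app/bin/run /etc/hosts var/../../etc/shadow |
    unsafe_members || echo "archive has members that escape the alternate root"
check_recovered_root "$demo_root" system || echo "recovered root needs attention"
if same_filesystem "$demo_root" /usr; then
    echo "note: $demo_root shares a file system with /usr"
fi
rm -rf "$demo_root"
```

Run unsafe_members on the output of tar tf before recovering the image, and check_recovered_root once the recovery has finished.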
Configuring the HP 9000 container
Pre-requisites
- User environment has been setup as described in Setting up user environment for recovery.
- The HP 9000 root directory has been created. In particular, for System Container the root directory /var/hpsrp/<srp_name> is on a file system that is separate from that of /usr/lib. For Classic Container, the entire path up to the root directory is to be owned by root:sys or root:root.
- The HP 9000 files have been recovered at the root path as described in Recovering HP 9000 files.
- If PRM is being used for resource allocation between multiple containers, decide on whether FSS (fair share scheduler) or PSET (processor set) will be used for CPU. Also, decide on the number of shares/cores to be allocated for the container. For FSS, the percentage entitlement is calculated as:
  (Number of shares assigned to a particular PRM Group) / (Sum of the shares assigned to all PRM Groups)
2. Continue accepting the default values, or change them as needed. When prompted for PRM FSS group CPU shares, enter any number between 1-10 and press the Enter key.
3. When you are prompted for PRM group memory shares, enter any number between 1-10 and press the Enter key.
4. Enter the IP address 192.168.67.50. You will have some free IP addresses, and you need to select one of them.
Important: Do not enable IPFilter as it has not been tested with HP 9000 Containers yet.
5. Enter no when you are prompted for Add IPFilter rules for IPSec and press the Enter key.
6. Accept the default value for Add IP address to netconf file and for IP subnet mask, and enter the Network Interface name as lan3.
7. Accept the default value for gateway server IP address for default route and enter yes to continue.
Here, you will receive a warning stating that you need to enable IPFilter.
8. To enable IPFilter, enter the following command:
# ipfilter -e
Objectives
After completing this lab, you should be able to:
- Configure HP-UX Containers
- Manage containers using the Secure Resource Partition (srp) command

- HP-UX-SRP bundle from Software Depot
- NIC/LAN address

HP-UX SRP requires the following software:
- HP-UX 11i Version 3 (B.11.31) for HP 9000 and HP Integrity servers
- HP-UX Security Containment Compartment login
  Note: HP recommends that you install HP-UX Security Containment Extensions version B.11.31.01, which includes the Compartment login feature.
- HP-UX Security Containment Extensions patch PHCO_38507
- HP-UX IPFilter version A.11.31.15.01 or later
- HP-UX IPSec version A.02.01.01 or later
- HP Process Resource Manager (PRM) version C.03.03.01 or later
3. You can verify that the PRM configuration is loaded for the group used by the container, by entering the prmlist and prmmonitor commands. The default PRM group name is the container name.
3. The prmlist -g -s command displays configuration information for PRM groups (-g) and the PRM group for each Security Containment Compartment (-s).
# prmlist -g -s
4. To monitor the containers you have created, enter the following command:
# prmmonitor
5. To view the PRM configuration of the containers you have created, enter the following command:
# prmconfig
prm_group_type: PRM CPU allocation type (PSET or FSS). Default value is FSS.
prm_cores: Number of processor cores allocated (For PSET only). Default value is 1.
value is 10.
value is No cap.
prm_phys_mem: Memory in MB allocated for shared memory usage. Default value is 0 (no dedicated physical shared memory).
6. To disable PRM on containers you have created, enter the following command:
# srp_sys -disable prm
IPFilter
This service allows you to control the network traffic of the container according to the packet attributes using HP-UX IPFilter. Enabling this service allows you to configure IPFilter rules for the container. Containers created with the IPFilter service have all their inbound network traffic blocked, and inbound traffic should be enabled on a per-container basis.
Important Enabling or disabling IPFilter briefly brings down all IP interfaces on the system. It then brings up only the IP interfaces configured in the /etc/rc.config.d/netconf and /etc/rc.config.d/netconf-ipv6 files. HP recommends that you should not enable or disable IPFilter when critical network applications are running. Enable or disable IPFilter only when interrupting the network connectivity is not disruptive.
1. To enable IPFilter on containers you have created, enter the following command:
# srp_sys -enable ipfilter
2. To view the active (loaded) inbound and outbound IPFilter rules, enter the following command:
# ipfstat -io
3. To disable the IPFilter for the containers you have created, enter the following command:
# /opt/ipf/bin/ipfilter -d
default value for this is No.
1. To enable IPSec, you need to set the ipsec_admin password by entering the following command:
# ipsec_admin -np
Note: The password should be at least 15 characters long.
3. Accept all the default values until you get the prompt for IPsec configuration. At the IPsec prompt, enter y or press the Enter key to enable IPsec.
Note Reports from the global view that include processes running in a system container should display user, group, and command string information in an altered form.
To report process status for the global view, login to the global view and enter the following command:
# srp_ps -ef
3. To view the status of the System Container, enter the following command:
# srp -status sys_con
Workload Container
1. To start the Workload Container, enter the following command:
# srp -start wrk_con
Objectives
After completing this lab, you should be able to:
- HP-UX-SRP bundle from Software depot
- NIC/LAN address

HP-UX-SRP requires the following software:
- HP-UX 11i Version 3 (B.11.31) for HP 9000 and HP Integrity servers
- HP-UX Security Containment Compartment login
  Note: HP recommends that you install HP-UX Security Containment Extensions version B.11.31.01, which includes the Compartment login feature.
- HP-UX Security Containment Extensions patch PHCO_38507
- HP-UX IPFilter version A.11.31.15.01 or later
- HP-UX IPSec version A.02.01.01 or later
- HP Process Resource Manager (PRM) version C.03.03.01 or later
The system creates the /etc/cmpt/AcmeCo.rules file and the AcmeCo file system. To view the rules file, enter the following command:
# vi /etc/cmpt/AcmeCo.rules
compartment AcmeCo {
//@tag-start compartment="AcmeCo" template="base" service="network" id="1";
    // owns the IP address
    interface 192.168.37.51
//@tag-end;
//@tag-start compartment="AcmeCo" template="base" service="cmpt" id="1";
#include "/etc/opt/hpsrp/cmpt/base.srp_incl"
    // lock out access to the other compartment's root directory
    perm nread /var/hpsrp
    // open access to compartment root
    perm all /var/hpsrp/AcmeCo
    perm read /var/hpsrp/AcmeCo/.srp
//@tag-end;
}
~
To view the network configuration of the container and of the network interface, enter the following command:
# vi /etc/rc.config.d/netconf
HOSTNAME="rx26-337"
OPERATING_SYSTEM=HP-UX
LOOPBACK_ADDRESS=127.0.0.1
INTERFACE_NAME[2]="lan1:1"
INTERFACE_SKIP[2]=true
IP_ADDRESS[2]="192.168.37.51"
SUBNET_MASK[2]=""
INTERFACE_STATE[2]="up"
BROADCAST_ADDRESS[2]=""
DHCP_ENABLE[2]=0
INTERFACE_MODULES[2]=""
IPV4_CMGR_TAG[2]='compartment="AcmeCo" template="base" service="network" id="1"'
ROUTE_DESTINATION[2]="default"
ROUTE_SKIP[2]="true"
ROUTE_MASK[2]=""
ROUTE_GATEWAY[2]="192.168.37.51"
ROUTE_COUNT[2]=0
ROUTE_ARGS[2]=""
ROUTE_SOURCE[2]="192.168.37.51"
ROUTE_PARAMS[2]=""
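One way to check that the two files shown above agree, as an added example that is not part of the HP lab guide or of the SRP product: it reads the IPV4_CMGR_TAG entries from netconf and confirms that each tagged address is listed on an interface rule in the owning compartment's rules file and is not tagged for a second compartment. The function names, the finding labels and the BetaCo entry are constructed for illustration; the AcmeCo values are the ones shown in this lab.

```sh
#!/bin/sh
# Added example, not from the lab guide. Function names are hypothetical.
# Both files are parsed as text; they are never sourced or executed.

# Print "index compartment ip" for each netconf entry with an IPV4_CMGR_TAG.
srp_netconf_map() {
    awk '
    $1 ~ /^#/ { next }
    match($0, /^[A-Z0-9_]+\[[0-9]+\]=/) {
        val  = substr($0, RLENGTH + 1)
        name = substr($0, 1, index($0, "[") - 1)
        idx  = substr($0, index($0, "[") + 1, index($0, "]") - index($0, "[") - 1)
        if (name == "IP_ADDRESS") { gsub(/"/, "", val); ip[idx] = val }
        if (name == "IPV4_CMGR_TAG" && match(val, /compartment="[^"]+"/))
            cmpt[idx] = substr(val, RSTART + 13, RLENGTH - 14)
    }
    END { for (i in cmpt) print i, cmpt[i], ip[i] }' "$1" | sort -n
}

# Print every address or interface named on an "interface" rule.
rules_interfaces() {
    awk '$1 == "interface" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# usage: srp_audit NETCONF RULES_DIR
# Prints one finding per line and returns 1 if there is any:
#   SHARED ip cmptA cmptB  same address tagged for two compartments
#   UNOWNED ip cmpt        address not on an interface rule of that compartment
#   NORULES cmpt           RULES_DIR/<cmpt>.rules does not exist
srp_audit() {
    audit_map=$(srp_netconf_map "$1")
    audit_out=$(
        printf '%s\n' "$audit_map" | awk '$3 != "" {
            if (($3 in owner) && owner[$3] != $2) print "SHARED", $3, owner[$3], $2
            else owner[$3] = $2 }'
        printf '%s\n' "$audit_map" | while read -r idx cmpt ip; do
            [ -n "$idx" ] || continue
            if [ ! -f "$2/$cmpt.rules" ]; then
                echo "NORULES $cmpt"
            elif ! rules_interfaces "$2/$cmpt.rules" | grep -Fxq -- "$ip"; then
                echo "UNOWNED $ip $cmpt"
            fi
        done
    )
    [ -z "$audit_out" ] && return 0
    printf '%s\n' "$audit_out"
    return 1
}

# Constructed sample files: "netconf" holds the AcmeCo entry from this lab,
# "netconf.bad" adds an invented BetaCo entry that reuses the same address.
make_sample() {
    mkdir -p "$1/cmpt"
    cat > "$1/netconf" <<'EOF'
HOSTNAME="rx26-337"
INTERFACE_NAME[2]="lan1:1"
IP_ADDRESS[2]="192.168.37.51"
IPV4_CMGR_TAG[2]='compartment="AcmeCo" template="base" service="network" id="1"'
EOF
    { cat "$1/netconf"; cat <<'EOF'
INTERFACE_NAME[3]="lan1:2"
IP_ADDRESS[3]="192.168.37.51"
IPV4_CMGR_TAG[3]='compartment="BetaCo" template="base" service="network" id="1"'
EOF
    } > "$1/netconf.bad"
    printf 'compartment AcmeCo {\n  interface 192.168.37.51\n}\n' > "$1/cmpt/AcmeCo.rules"
    printf 'compartment BetaCo {\n  interface 192.168.37.52\n}\n' > "$1/cmpt/BetaCo.rules"
}

demo_dir=${TMPDIR:-/tmp}/srp_audit_demo.$$
mkdir -m 700 "$demo_dir" || exit 1           # fails if the name already exists
make_sample "$demo_dir"
srp_audit "$demo_dir/netconf" "$demo_dir/cmpt" && echo "netconf: consistent"
srp_audit "$demo_dir/netconf.bad" "$demo_dir/cmpt" || echo "netconf.bad: findings above"
rm -rf "$demo_dir"
```

On a real host the arguments would be /etc/rc.config.d/netconf and /etc/cmpt.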
6. By using this command, you can view the statistics of the following protocols:
Objectives
After completing this lab, you should be able to:
Understand Serviceguard and when to use which model Create a container to use with Serviceguard Adapt Serviceguard script for different type of model
HP-UX-SRP bundle from Software depot
NIC/LAN address
HP-UX Container requires the following software:
HP-UX 11i Version 3 (B.11.31) for HP 9000 and HP Integrity servers
HP-UX Security Containment Compartment login
Note: HP recommends that you install HP-UX Security Containment Extensions version B.11.31.01, which includes the Compartment login feature.
HP-UX Security Containment Extensions patch PHCO_38507
HP-UX IPFilter version A.11.31.15.01 or later
HP-UX IPSec version A.02.01.01 or later
HP Process Resource Manager (PRM) version C.03.03.01 or later
Allow high availability computer application services to carry on with the services in spite of a hardware or software failure.
Manage a Serviceguard package executing within a container, or manage the container itself as a Serviceguard package.
Coordinate the transfer of components between high availability subsystems.
Backup the event.
If any component fails then the redundant component takes over.
Selecting a model
Two different models are available when using Serviceguard with HP-UX Containers: the classic model and the container package model. In the classic model, the container is in the started state and Serviceguard has not yet started managing the application inside the container. This model is most compatible with the existing Serviceguard packages. You should use this model:
When Serviceguard has not yet started managing the application inside the container.
To ensure compatibility with the existing Serviceguard packages.
In the container package model, the container itself is the Serviceguard package. This model takes advantage of the capabilities of HP-UX Containers by simplifying the Serviceguard scripts and allowing application startup and shutdown to be managed by HP-UX Containers. You should use this container to:
Start the container initialization and shutdown process.
Stop the applications within the container.
Simplify the Serviceguard packages and reduce the maintenance and administration of startup and shutdown activities.
Choose either Serviceguard or HP-UX Containers to control the file system mounting and the network interface management.
If you have selected the classic model, then use Serviceguard to control the mounting of file systems and management of the network interface. If you have selected the container package model, then use HP-UX Containers to control the file system mounting and management of the network interface. If you want to use the Serviceguard network failover capability, then Serviceguard must control the management of the network interface.
Important: Unlike HP-UX Containers, Serviceguard does not support the system network configuration files /etc/rc.config.d/netconf and netconf-ipv6. Therefore, a Serviceguard package during startup can unknowingly use container-assigned network interfaces which are not active when the package is started, but are configured in /etc/rc.config.d/netconf or netconf-ipv6 for a container's use. When the container with the conflicting network interface is started, the active Serviceguard package can fail or lose network connectivity. As a rule, a Serviceguard managed container and a non-Serviceguard managed container on the system must not share the same physical network interface.
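One way to check the rule above before starting a package, as an added example that is not part of the lab guide: the script lists the netconf entries that carry an IPV4_CMGR_TAG and flags any whose physical interface is also in a list of Serviceguard-managed interfaces. The function names, the sample netconf and the interface names passed as arguments are assumptions; supply the interfaces your cluster actually uses.

```sh
#!/bin/sh
# Added example (constructed; not part of the lab guide).

# container_interfaces NETCONF
# Prints "physical logical ip compartment" for each netconf entry that has an
# IPV4_CMGR_TAG, i.e. an address configured for a container's use.
container_interfaces() {
    awk -v q="'" '
        /^[A-Z0-9_]+\[[0-9]+\]=/ {
            lb  = index($0, "[")
            eq  = index($0, "=")
            var = substr($0, 1, lb - 1)
            idx = substr($0, lb + 1, eq - lb - 2)
            val = substr($0, eq + 1)
            c = substr(val, 1, 1)                  # strip surrounding quotes
            if (c == "\"" || c == q) val = substr(val, 2, length(val) - 2)
            if (var == "INTERFACE_NAME") ifname[idx] = val
            else if (var == "IP_ADDRESS") ip[idx] = val
            else if (var == "IPV4_CMGR_TAG" && match(val, /compartment="[^"]*"/))
                owner[idx] = substr(val, RSTART + 13, RLENGTH - 14)
        }
        END {
            for (i in owner) {
                if (!(i in ifname)) continue
                phys = ifname[i]
                sub(/:.*/, "", phys)               # lan1:1 -> lan1
                print phys, ifname[i], (ip[i] == "" ? "-" : ip[i]), owner[i]
            }
        }
    ' "$1" | sort
}

# shared_with_serviceguard NETCONF IF...
# IF... are the physical interfaces Serviceguard manages (assumed input).
# Prints one line per container entry on such an interface; returns 1 if any.
shared_with_serviceguard() {
    netconf=$1
    shift
    container_interfaces "$netconf" | (
        rc=0
        while read -r phys logical addr comp; do
            for sg_if in "$@"; do
                if [ "$phys" = "$sg_if" ]; then
                    echo "$comp: $logical ($addr) shares $phys with Serviceguard"
                    rc=1
                fi
            done
        done
        exit "$rc"
    )
}

# Constructed sample input, modelled on the netconf entries shown in this lab.
write_sample_netconf() {
    cat > "$1" <<'EOF'
INTERFACE_NAME[1]="lan1"
IP_ADDRESS[1]="192.168.67.32"
INTERFACE_NAME[2]="lan1:1"
IP_ADDRESS[2]="192.168.37.51"
IPV4_CMGR_TAG[2]='compartment="AcmeCo" template="base" service="network" id="1"'
EOF
}

demo=$(mktemp -d)
write_sample_netconf "$demo/netconf"
shared_with_serviceguard "$demo/netconf" lan1 || echo "resolve before starting the package"
rm -rf "$demo"
```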
ROUTE_COUNT[1]=1
DEFAULT_INTERFACE_MODULES=" "
INTERFACE_NAME[1]="lan1"
IP_ADDRESS[1]="192.168.67.32"
SUBNET_MASK[1]="255.255.255.0"
DHCP_ENABLE[1]="0"
LANCONFIG_ARGS[0]=ether
ROUTE_DESTINATION[1]=default
ROUTE_GATEWAY[1]=10.99.0.251
ROUTE_COUNT[1]=1
3. Create the container. When you create a container that will use Serviceguard, you must indicate the desired Serviceguard behavior in the Container Manager or the command line interface, as follows:
a. Enter the following command to create a container:
b. You will be prompted for various options. All these options are already discussed in Exercise 3 of Lab 1, Install and Configure HP-UX Container.
c. When prompted for adding IP address to netconf file, press Enter to instruct HP-UX Containers to control network interface management. Enter no to defer control of network management to Serviceguard.
Note: If you use the srp command for configuration, you can use the variable assign_ip=yes|no to specify the behavior. This option informs HP-UX Containers whether or not the container controls the starting and stopping of the assigned network interface. Either option may be used with Serviceguard, but entering no allows Serviceguard to control the interface, allowing support of network interface failover.
d. When prompted for Autostart SRP container at system boot, press Enter for the classic model or enter no for the container package model.
e.
f.
For Serviceguard network failover capability, you need to create a secondary (failover) container. To create a secondary container, you can use the export and import features to clone the container on a secondary system.
Note: In the HPVL environment, only Workload Containers support the sharing of container home directory (using Serviceguard volume) between cloned containers in different physical systems.
Either HP-UX Containers or Serviceguard can manage the network interfaces. If Serviceguard is managing the network interfaces, then the package is configured to create the default route for any container IP address.
Serviceguard package was modified to add a default route, external_script:
Before change in script:

# SG ip address
ip_subnet 192.10.25.0
ip_address 192.10.25.12
# SG ip address
ip_subnet 192.168.67.0
ip_address 192.168.67.49

# srp_route_script configures the required source based routing entries for
# the SG managed IP addresses
external_script /etc/cmcluster/pkg1/srp_route_script

Container default route script for Serviceguard can be viewed below using the following command:
srp_route_script
The following script can be used by a Serviceguard package to assign a default route for an IP address associated with a container. This script is included with the HP-UX Containers Serviceguard examples and can be viewed using the following command:
# vi /opt/hpsrp/example/serviceguard/srp_as_sg_package/srp_route_script

# Copyright (c) 2009 Hewlett-Packard Development Company L.P.
#
# This script runs the 'route' command to manage source based routing entry
# for the SRP.
#
# This script should be configured into the package configuration file
# as the first "external_script" parameter entry. It will be executed
# right after Serviceguard IP addresses assignment during package start time,
# and before removing IP addresses during package halt time.
#
# This script uses the environment variable SRP_SG_MANAGED_IP and
# SRP_SG_GATEWAY. The environment variables must be set in the
# srp_script.incl file in the same directory as this script.
#
###########################
# Source utility functions.
###########################
if [[ -z $SG_UTILS ]]
then
    . /etc/cmcluster.conf
    SG_UTILS=$SGCONF/scripts/mscripts/utils.sh
fi
if [[ -f ${SG_UTILS} ]]; then
    . ${SG_UTILS}
    if (( $? != 0 ))
    then
        echo "ERROR: Unable to source package utility functions file: ${SG_UTILS}"
        exit 1
    fi
else
    echo "ERROR: Unable to find package utility functions file: ${SG_UTILS}"
    exit 1
fi
###################################################################
#
# Get the environment for this package through utility function
# sg_source_pkg_env().
#
###################################################################
sg_source_pkg_env $*
###################################################################
#
# Get the SRP environment from "/etc/cmcluster/hpsrp/<srp>/srp_script.incl"
#
# Environment variable example: use a local gateway on the host
#
#     SRP_SG_MANAGED_IP[0]="192.0.0.99"
#     SRP_SG_GATEWAY[0]="192.0.0.99"
#
# Environment variable example: use a remote gateway
#
#     SRP_SG_MANAGED_IP[1]="10.1.1.99"
#     SRP_SG_GATEWAY[1]="10.1.1.1"
#
###################################################################
#
# Functions
#
###################################################################
# add routing entry
function srp_route_add
{
    # run 'route' command for each IP address
    rval=0
    index=0
    last_index=${#SRP_SG_MANAGED_IP[@]}
    while [ "$index" -lt "$last_index" ]
    do
        srp_ip="${SRP_SG_MANAGED_IP[$index]}"
        srp_gateway="${SRP_SG_GATEWAY[$index]}";
        if [ -z "$srp_ip" ]
        # skip empty slot in the array
        then
            let index=$index+1
            let last_index=$last_index+1
            continue
        fi
        if [ "$srp_ip" = "$srp_gateway" ]
        then
            # use local IP as gateway
            emsg=$(/usr/sbin/route add default $srp_gateway 0 \
                source $srp_ip 2>&1)
        else
            # use remote gateway
            emsg=$(/usr/sbin/route add default $srp_gateway 1 \
                source $srp_ip 2>&1)
        fi
        if (($? != 0)); then
            # report the route failure on standard error
            print "ERROR: $emsg" >&2
            rval=1
        fi
        let index=$index+1
    done
    return $rval
}
# delete routing entry
function srp_route_delete
{
    # run 'route' command for each IP address
    rval=0
    index=0
    last_index=${#SRP_SG_MANAGED_IP[@]}
    while [ "$index" -lt "$last_index" ]
    do
        srp_ip="${SRP_SG_MANAGED_IP[$index]}"
        srp_gateway="${SRP_SG_GATEWAY[$index]}";
        if [ -z "$srp_ip" ]
        # skip empty slot in the array
        then
            let index=$index+1
            let last_index=$last_index+1
            continue
        fi
        if [ "$srp_ip" = "$srp_gateway" ]
        then
            # use local IP as gateway
            emsg=$(/usr/sbin/route delete default $srp_gateway 0 \
                source $srp_ip 2>&1)
        else
            # use remote gateway
            emsg=$(/usr/sbin/route delete default $srp_gateway 1 \
                source $srp_ip 2>&1)
        fi
        if (($? != 0)); then
            # report the route failure on standard error
            print "ERROR: $emsg" >&2
            rval=1
        fi
        let index=$index+1
    done
    return $rval
}
################
# main routine
################
sg_log 5 "SRP routing entry configuration script"
#########################################################################
#
# Customer defined external script must be specified with three required
# entry points: start, stop, and validate.
#
# It's not recommended to add additional entry points to the script
# due to potential name space collision with future Serviceguard releases.
#
#########################################################################
typeset -i exit_val=0
case ${1} in
    start)
        srp_route_add
        exit_val=$?
        ;;
    stop)
        srp_route_delete
        exit_val=$?
        ;;
    validate)
        exit_val=0
        ;;
    *)
        sg_log 0 "INFO: Unknown operation: $1"
        ;;
esac
exit $exit_val
Troubleshooting Containers
Objectives
After completing this lab, you should be able to:
Understand the troubleshooting scenarios
Understand the advanced troubleshooting procedures
Remove product using swremove
HP-UX-SRP bundle from Software depot
NIC/LAN address
HP-UX-SRP requires the following software:
HP-UX 11i Version 3 (B.11.31) for HP 9000 and HP Integrity servers
HP-UX Security Containment Compartment login
Note: HP recommends that you install HP-UX Security Containment Extensions version B.11.31.01, which includes the Compartment login feature.
HP-UX Security Containment Extensions patch PHCO_38507
HP-UX IPFilter version A.11.31.15.01 or later
HP-UX IPSec version A.02.01.01 or later
HP Process Resource Manager (PRM) version C.03.03.01 or later
Scenario 1
A non-root user is unable to login to the global view of the HP-UX Containers enabled system.
Symptom
Telnet or rlogin fails with the following error:
Compartment access check failed: User is not authorized to login to the compartment associated with this network service. Connection to host lost.
Solution
Only users in the group srpgrp are authorized to login to the system. Add the user to the group srpgrp.
Scenario 2
Installing a product update fails.
Symptom
The swinstall command fails with the error:
ERROR: Cannot continue "swinstall". The shared srp's must be in the stopped state. <container_name> is in the started state.
Solution
Change the state of the container to stopped using the srp -stop container_name command.
Scenario 3
Installing a product update from a remote source fails.
Symptom
swinstall fails with the following error:
ERROR: The source depot specified using a host target selection (host:/path). Installing from a remote source is not supported in SRP environment. To install from a remote source, either mount it locally or copy the software locally using swcopy.
Solution
Installation of software update from a remote source is not supported in the HP-UX Containers environment. The software must be available locally. To make the source depot available locally, do the following:
Use the swcopy command to copy the depot to the local system.
If the software is in a media, mount the depot locally.
Use NFS to mount the depot from the remote server to the local file system.
Once the software depot is available locally, run the swinstall command to point to the local source.
Scenario 4
The GUI version of the swinstall command does not work in the HP-UX Containers environment.
Symptom
The swinstall command invoked with no command line options fails with the following error message:
# swinstall
ERROR: The interactive UI is not supported in SRP environment.
Solution
The GUI version of swinstall is not supported. Instead, use the command line interface in the HP-UX Containers environment.
Scenario 5
Container fails to start.
Symptom
The srp -start <container_name> command gives the following error:
# srp -start <container_name>
SRP container_name not started: The SRP must be (re)synchronized with the system's installed product database. Run /opt/hpsrp/bin/util/srp_check to identify the list of products to install or remove from this SRP.
Solution
1. Run the srp_check command and identify the products that are uncoordinated with the global.
2. Check the /var/adm/sw/swagent.log file in the container to identify the problem. To log in to the container, first change its state to maintenance using the srp maint <container_name> command and then use the M option with the srp_su command as:
srp_su M <container_name>
3. Take corrective action (if any) based on the information in the swagent.log file.
4. Change the state of the container back to stopped.
5. Install the patch targeting the container as:
swinstall -x local_srp_list=<container_name> \
    -s <depot location> Product name
Scenario 6
Unable to telnet or rlogin to a container.
Symptom
Remote login to a container fails with one of the following messages:
# telnet container_name
Trying...
telnet: Unable to connect to remote host: Connection refused
# rlogin container_name
rcmd_af: connect: container_name: Connection refused
Solution
The container must be in the started state to accept login requests. If the container is of type workload, then you can log in to the container using ssh only. To verify if the container is of type workload, run the srp -status command in the system where the container resides and check the second field, TYPE.
Scenario 7
Process respawn does not work in the container.
Symptom
Processes configured for respawn in the container's /etc/inittab file do not respawn.
Solution
Verify and confirm that the srp_init daemon is up and running inside the container by executing the following command in the container:
# ps -ef | grep srp_init
If the srp_init daemon is running, enter the following command to re-examine the /etc/inittab file entries without changing the run level:
# /sbin/srp_init q
If the srp_init daemon is not running, restart srp_init within the container using the /sbin/srp_init daemon.
Using the Security Containment compartment discover feature (workload containers only)
In a secure environment, you can use the Security Containment discover feature to remove compartment restrictions and view the rules that are needed to allow access.
Note: If you are not in a secure environment, you can use IPFilter to allow access from only trusted systems before removing compartment restrictions.
You can use the discover feature as follows:
1. To stop the container, enter the following command:
# srp -stop system_container
2. Edit the compartment rules file /etc/cmpt/container_name.rules, and tag the container definition at the beginning of the file with the discover keyword. This opens the container for all access.
# vi /etc/cmpt/system_container.rules
For example:
discover compartment system_container {
    //@tag-start compartment="system_container" template="system" service="network" id="1";
    // owns the IP address
    interface 192.168.67.49
    //@tag-end;
    //@tag-start compartment="system_container" template="system" service="cmpt" id="1";
#define _SRP_HOME_ /var/hpsrp/system_container
#define _SRP_USR_PERM_ none
#define _SRP_USR_ROOT_
#define _SRP_SBIN_PERM_ none
#define _SRP_SBIN_ROOT_
#include "/etc/opt/hpsrp/cmpt/sysbase.srp_incl"
    // @tag-end ;
}
3.
4. Attempt to access the container applications. After you successfully access the applications, enter the following command to generate the rules used to access the container:
# getrules -m system_container
5. Compare the output from the getrules command with the compartment rules file and make the necessary changes.
6. Stop the container, remove the discover keyword from the compartment rules file, and then restart the container.
# srp -stop system_container
7.
For example:
discover compartment system_container {
    //@tag-start compartment="system_container" template="system" service="network" id="1";
    // owns the IP address
    interface 192.168.67.49
    //@tag-end;
    //@tag-start compartment="system_container" template="system" service="cmpt" id="1";
#define _SRP_HOME_ /var/hpsrp/system_container
#define _SRP_USR_PERM_ none
#define _SRP_USR_ROOT_
#define _SRP_SBIN_PERM_ none
#define _SRP_SBIN_ROOT_
#include "/etc/opt/hpsrp/cmpt/sysbase.srp_incl"
    // @tag-end ;
}
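A follow-up check for the step that removes the discover keyword, as an added example that is not part of the lab guide: the script scans compartment rules files for definitions still tagged discover and lists the interface addresses they own. It assumes the keyword sits on the same line as the compartment keyword, as in the example above, and that comments start with //; the function names and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example (constructed; not part of the lab guide).

# audit_discover [DIR]
# Prints "compartment file interfaces" for every compartment definition in
# DIR/*.rules that is tagged with the discover keyword.
# Returns 1 if at least one is found, 0 otherwise.
audit_discover() {
    rules_dir=${1:-/etc/cmpt}
    set -- "$rules_dir"/*.rules
    [ -f "$1" ] || return 0                  # no rules files, nothing to report
    awk '
        function report() {
            if (name != "") {
                printf "%s %s %s\n", name, file, (ips == "" ? "-" : ips)
                hits++
            }
            name = ""; ips = ""
        }
        FNR == 1 { report(); tracking = 0 }  # new file: close the previous one
        {
            sub(/\/\/.*$/, "")               # drop // comments and //@tag lines
            n = split($0, tok, /[ \t{}]+/)
            disc = 0
            for (i = 1; i < n; i++) {
                if (tok[i] == "discover") {
                    disc = 1
                } else if (tok[i] == "compartment") {
                    report()
                    tracking = disc
                    if (disc) { name = tok[i + 1]; file = FILENAME }
                    break
                } else if (tok[i] == "interface" && tracking) {
                    ips = (ips == "" ? "" : ips ",") tok[i + 1]
                    break
                }
            }
        }
        END { report(); exit (hits > 0) }
    ' "$@"
}

# Constructed sample rules files: one restored, one left in discover mode.
write_sample_rules() {
    cat > "$1/AcmeCo.rules" <<'EOF'
// discover keyword removed after testing
compartment AcmeCo {
    // owns the IP address
    interface 192.168.37.51
    perm nread /var/hpsrp
}
EOF
    cat > "$1/system_container.rules" <<'EOF'
discover compartment system_container {
    // owns the IP address
    interface 192.168.67.49
#define _SRP_HOME_ /var/hpsrp/system_container
}
EOF
}

demo=$(mktemp -d)
write_sample_rules "$demo"
audit_discover "$demo" || echo "compartments listed above are still in discover mode"
rm -rf "$demo"
```

The non-zero return value makes the function usable as a gate in a post-maintenance checklist or a scheduled job.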
If you do not specify the -t argument, the srp command removes the IPFilter configuration for the template (base for the Workload Container and system for the System Container). To add the ipfilter service back to the container after you have completed your testing, enter:
# srp -add system_container -t system -s ipfilter
2. To add the ipsec service back to the container after you have completed testing, enter the IP address that you have assigned to the container:
# srp -add system_container -s ipsec
3. Press Enter when you are prompted for IPSec transform. Currently you will not have the preshared key. Enter presharedkey as key and again press the Enter key.
Another method to test if IPSec policies are blocking access to the container applications is by stopping the IPSec product, as follows:
# /usr/sbin/ipsec_admin stop
3. For HP-UX Containers, remove all configured containers by entering the following command:
# srp -delete system_container
4. For HP-UX Containers, disable HP-UX Containers by entering the following command:
# srp_sys disable
2. The system will now reboot automatically. If it does not, reboot manually by entering the following command:
# reboot