topic Re: HP9000 system containers in Operating System - HP-UX

HP9000 system containers

Steve Lewis — Wed, 01 Feb 2012 15:31:45 GMT

Hi everybody, long time no posts (from me),

I am designing a solution for a customer who is looking to migrate off their old HP9000 PA-RISC kit.

They don't want to migrate any software to 11iv3 but do realise that they must get off the old hardware, so I am proposing a move to HP9000 system containers as a short-medium term solution, while they think about how to replace or upgrade their apps.

One of the limitations of these containers is that they don't support trusted mode security (/tcb etc). I think that this may be a consequence of emulated authentication.

Does anybody know if support for trusted mode security is planned in a future release of HP9000 system containers? It could be a show-stopper because the customer's security standards include password history and all the old boxes use it.

The documentation suggests that classic containers would be the only solution for this. However from what I can glean from the documentation it seems like a mess because it would entail a lot more work re-configuring the software; the system would be half in the container and half in the host VM; there would be a shared /etc and shared /var; half of the old o/s utilities won't work; I am not sure if classic containers would support 11.11. I think I would rather tell them to port to AIX.

The other issue I have is that they still have some old kit running HP-UX 10.20. Hopefully the old software will run happily within a HP9000 system container running at an upgrade to 11.11, within a VM at 11iv3, within a VM host at 11iv3, on an Integrity blade, within an enclosure running VC / flex-10 and VC for FC.

Steve

Re: HP9000 system containers

Dennis Handly — Wed, 01 Feb 2012 18:37:24 GMT

>Does anybody know if support for trusted mode security is planned in a future release of HP9000 system containers?

Perhaps not since trusted mode is deprecated on 11.31.

Re: HP9000 system containers

Rajesh K Chaurasia — Thu, 02 Feb 2012 05:59:58 GMT

Trusted mode is supported only with HP 9000 classic containers. As you have discovered this model is less cleaner compared to system model as regards to file system and services isolation from the host OS environment.

HP 9000 Containers are built using HP-UX Containers (SRP) and utilize the features/capabilities provided by SRP for name space virtualization. Since trusted mode is deprecated on HP-UX 11i v3, SRP does not provide any name space virtualization capabilities for trusted mode security. Thus HP 9000 system containers do not support trusted mode. Alternative for trusted mode on HP-UX 11i v3 is SMSE (standard mode security extensions) which works with Integrity native HP-UX system containers. However, we cannot use SMSE for HP 9000 Containers built with HP-UX environments prior to HP-UX 11i v2. Furthermore, security infrastructure is invoked through the login process, thus plugging SMSE with older HP-UX environments inside HP 9000 system containers would be difficult to architect implement and likely to be error prone. Lack of trusted mode support inside HP 9000 system containers is not due to ARIES emulation inside contaienrs. ARIES passes down emulated application stystem calls to host OS kernel which lacks the name space virtualization capabilities for trusted mode.

If trusted mode with HP 9000 system containers is a critical business requirement in your case, please submit the issue/enhancement request to HP support center. Alternatively, you can use standalone ARIES mode without containers provided you can prepare application inventory (libraries, executables, config files etc) and dependencies for copying over to Integrity server.

On your comment about suggesting the client to port to AIX - if porting is an option, you can do so with comparatively lesser effort to HP-UX 11i v3 on HP Integrity servers.

Regards

-Rajesh

Re: HP9000 system containers

Steve Lewis — Thu, 02 Feb 2012 14:25:24 GMT

Thanks for that comprehensive reply Rajesh.

Re: HP9000 containers: Can v11.0 run in a "System" Container

Bob Sobey — Mon, 19 Nov 2012 20:54:55 GMT

Docs state "Classic" containers have been known to run 10.x and 11.0 environments.... Also states 10.x are not known to work in "System" Container. Can 11.0 run in a "System" container? Thanks!

Re: HP9000 containers: Can v11.0 run in a "System" Container

Rajesh K Chaurasia — Wed, 21 Nov 2012 06:34:38 GMT

There have been several instances of successful PoC projects and production deployments of HP-UX 10.20 / 11.0 legacy environments with HP 9000 system containers. This configuration is known to work but not supported. Please refer to more recent documentation on HP 9000 Containers.

http://h21007.www2.hp.com/portal/download/files/prot/files/hp9000/HP9000_Containers_Admin_Guide.pdf

Most recent product update to HP 9000 Containers (A.03.01.04) released during 10/2012 enables support for trusted mode environments with HP 9000 system containers. For software access, visit HP software depot home.

https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HP9000-Containers

Regards

-Rajesh

Re: HP9000 system containers

JoyOrton — Thu, 02 May 2013 17:28:08 GMT

Recently My company accepted a support contract to move an 11.0 box into our datacenter emulated under Aries and Containers. I'd read through the Admin Guide and had a rough idea of how the system works. I'd also seen on the web site that there was training available.

We now have the new system to execute this and I tried to sign up for the training.

Well the Dates link took me to a "Call this number"

I did and was told they have no dates planned for the future.

The Admin Guide is not all inclusively written.(In fact it is lame on points of Vpar Npar and application integration.

I can't get training that Hop said was there on the website.

I don't see much user activity here in the Forums like ITRC used to have. (This environment is difficult to use)

I guess all that is available to be for help on this proprietary emulator is RTFM (Read The Freaking Manual) and buying professional services to do that that were not in the original budget.

I'm highly skilled all I really needed was to see a sample deployment in a class like was advertised on the web page.

Is there any other help Learning this product since it appears HP has simply resorted to RTFM?

Re: HP9000 system containers

Bob Sobey — Thu, 02 May 2013 17:38:19 GMT

Thanks for responses. I've since - successfully - POC two 11.0 environments in Containers - SAP no less! Both on same server, but only can bring up one at a time due to kernel constraints I believe. Thanks again -

Re: HP9000 system containers

Emil Velez_2 — Tue, 14 May 2013 19:16:19 GMT

vpars and npars are not a issue with containers since the container runs in the Vpar, NPAR or VM operating system so the vpar,npar or vm only determines how much cpu and memory is available to the OS which the containers run in. THen you specify how much resources each container gets.

HP 9000 containers are to port a PA RISC environment to a itanium box unmodified. You restore a PA RISC backup into a directory like /9000 then you create the hp9000 container and reference that directory.

This is my cookbook

download and install PHSS_41099 (no reboot)
download and install compartments (part of SRP install)
download and install SRP first (reboot needed) prerequisite.
download and install HP9000 containers (no reboot)

mkdir /home/9000
cd 9000
frecover -r -X -f ../srp/hpmdd78.backup

add user oinstall:

oinstall::110:

in /home/down2

useradd -u 120 -g oinstall -m oracle

chown -R oracle:oinstall /Apps/*

ln -s /home/down2 /9000

srp_sys -setup take defaults

srp -add HP9000

services - default
unix names for administrator - default
List of UNIX user names for login: root,oracle
unix group names: adm,oinstall
PRM all default
IP address 10.10.67.9 (or whatever)
network interface name: lan1:5
gateway: default
autostart

srp -add HP9000 -t sshd -b
srp -start HP9000
srp_ps HP9000 -ef | grep sshd

srp -add HP9000 -t hp9000