
HP9000 system containers

 
Steve Lewis
Honored Contributor

HP9000 system containers

Hi everybody, long time no posts (from me),

 

I am designing a solution for a customer who is looking to migrate off their old HP9000 PA-RISC kit.

They don't want to migrate any software to 11iv3 but do realise that they must get off the old hardware, so I am proposing a move to HP9000 system containers as a short-medium term solution, while they think about how to replace or upgrade their apps. 

One of the limitations of these containers is that they don't support trusted mode security (/tcb etc).  I think that this may be a consequence of emulated authentication.

Does anybody know if support for trusted mode security is planned in a future release of HP9000 system containers?  It could be a show-stopper because the customer's security standards include password history and all the old boxes use it.

 

The documentation suggests that classic containers would be the only solution for this.  However from what I can glean from the documentation it seems like a mess because it would entail a lot more work re-configuring the software;  the system would be half in the container and half in the host VM; there would be a shared /etc and shared /var; half of the old o/s utilities won't work; I am not sure if classic containers would support 11.11.  I think I would rather tell them to port to AIX.

 

The other issue I have is that they still have some old kit running HP-UX 10.20.  Hopefully the old software will run happily within a HP9000 system  container running at an upgrade to 11.11, within a VM at 11iv3, within a VM host at 11iv3, on an Integrity blade, within an enclosure running VC / flex-10 and VC for FC.

 

Steve

 

Dennis Handly
Acclaimed Contributor

Re: HP9000 system containers

>Does anybody know if support for trusted mode security is planned in a future release of HP9000 system containers?

 

Perhaps not since trusted mode is deprecated on 11.31.

Rajesh K Chaurasia
Valued Contributor
Solution

Re: HP9000 system containers

Trusted mode is supported only with HP 9000 classic containers. As you have discovered, this model is less clean than the system model with regard to file system and services isolation from the host OS environment.

 

HP 9000 Containers are built using HP-UX Containers (SRP) and utilize the features/capabilities provided by SRP for name space virtualization. Since trusted mode is deprecated on HP-UX 11i v3, SRP does not provide any name space virtualization capabilities for trusted mode security. Thus HP 9000 system containers do not support trusted mode. The alternative to trusted mode on HP-UX 11i v3 is SMSE (standard mode security extensions), which works with Integrity native HP-UX system containers. However, we cannot use SMSE for HP 9000 Containers built with HP-UX environments prior to HP-UX 11i v2. Furthermore, the security infrastructure is invoked through the login process, thus plugging SMSE into older HP-UX environments inside HP 9000 system containers would be difficult to architect and implement, and likely to be error prone. Lack of trusted mode support inside HP 9000 system containers is not due to ARIES emulation inside containers. ARIES passes down emulated application system calls to the host OS kernel, which lacks the name space virtualization capabilities for trusted mode.

 

If trusted mode with HP 9000 system containers is a critical business requirement in your case, please submit the issue/enhancement request to HP support center. Alternatively, you can use standalone ARIES mode without containers provided you can prepare application inventory (libraries, executables, config files etc) and dependencies for copying over to Integrity server.

 

On your comment about suggesting the client to port to AIX - if porting is an option, you can do so with comparatively lesser effort to HP-UX 11i v3 on HP Integrity servers.

 

Regards

-Rajesh
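An added example, not part of the thread: a pre-migration check that tells whether a restored PA-RISC image uses trusted mode and password history, which is what decides whether the limitation discussed above matters. It assumes the usual HP-UX locations under the image root (`tcb/files/auth/<initial>/<user>` and `etc/default/security`); the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a restored HP-UX image root for trusted-mode use.

# Echo "trusted" if the protected password database exists, else "standard".
auth_mode() {
    if [ -d "$1/tcb/files/auth" ]; then echo trusted; else echo standard; fi
}

# Echo PASSWORD_HISTORY_DEPTH from etc/default/security, or "unset".
history_depth() {
    f="$1/etc/default/security"
    [ -r "$f" ] || { echo unset; return 0; }
    re='s/^[[:space:]]*PASSWORD_HISTORY_DEPTH[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p'
    v=$(sed -n "$re" "$f" | tail -n 1)
    echo "${v:-unset}"
}

# List passwd users that have no protected entry in the tcb database.
users_without_tcb_entry() {
    root=$1
    while IFS=: read -r user _rest; do
        case $user in ''|[+-]*|\#*) continue ;; esac   # skip blanks, NIS, comments
        initial=$(printf '%s' "$user" | cut -c1)
        [ -f "$root/tcb/files/auth/$initial/$user" ] || echo "$user"
    done < "$root/etc/passwd"
}

# Print a short report for one image root.
audit_image() {
    mode=$(auth_mode "$1")
    echo "auth_mode=$mode"
    echo "password_history_depth=$(history_depth "$1")"
    if [ "$mode" = trusted ]; then
        echo "users_without_tcb_entry=$(users_without_tcb_entry "$1" | tr '\n' ' ')"
    fi
}

# Build a small constructed image tree (sample data, not from a real system).
make_sample_image() {
    mkdir -p "$1/etc/default" "$1/tcb/files/auth/r"
    printf 'root:*:0:3::/:/sbin/sh\noracle:*:120:110::/home/oracle:/usr/bin/sh\n' \
        > "$1/etc/passwd"
    printf '# constructed sample\nPASSWORD_HISTORY_DEPTH=8\n' > "$1/etc/default/security"
    : > "$1/tcb/files/auth/r/root"
}

# Audit the image root given on the command line, if any.
[ $# -eq 0 ] || audit_image "$1"
```

An image that reports `auth_mode=trusted` with a history depth set depends on the trusted-mode database for that control, so the target container model has to support it.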

Steve Lewis
Honored Contributor

Re: HP9000 system containers

Thanks for that comprehensive reply Rajesh.
Bob Sobey
Advisor

Re: HP9000 containers: Can v11.0 run in a "System" Container

Docs state "Classic" containers have been known to run 10.x and 11.0 environments.... Also states 10.x are not known to work in "System" Container.  Can 11.0 run in a "System" container? Thanks!

Rajesh K Chaurasia
Valued Contributor

Re: HP9000 containers: Can v11.0 run in a "System" Container

There have been several instances of successful PoC projects and production deployments of HP-UX 10.20 / 11.0 legacy environments with HP 9000 system containers. This configuration is known to work but not supported. Please refer to more recent documentation on HP 9000 Containers.

 

http://h21007.www2.hp.com/portal/download/files/prot/files/hp9000/HP9000_Containers_Admin_Guide.pdf

 

Most recent product update to HP 9000 Containers (A.03.01.04) released during 10/2012 enables support for trusted mode environments with HP 9000 system containers. For software access, visit HP software depot home.

 

https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HP9000-Containers

 

Regards

-Rajesh

JoyOrton
Frequent Visitor

Re: HP9000 system containers

Recently my company accepted a support contract to move an 11.0 box into our datacenter emulated under Aries and Containers. I'd read through the Admin Guide and had a rough idea of how the system works. I'd also seen on the web site that there was training available.

We now have the new system to execute this and I tried to sign up for the training.

Well the Dates link took me to a "Call this number"

I did and was told they have no dates planned for the future.

The Admin Guide is not all-inclusively written. (In fact it is lame on points of vPar, nPar and application integration.)

I can't get training that HP said was there on the website.

I don't see much user activity here in the Forums like ITRC used to have. (This environment is difficult to use)

I guess all that is available to me for help on this proprietary emulator is RTFM (Read The Freaking Manual) and buying professional services to do that, which were not in the original budget.

I'm highly skilled; all I really needed was to see a sample deployment in a class like was advertised on the web page.

Is there any other help Learning this product since it appears HP has simply resorted to RTFM?

Bob Sobey
Advisor

Re: HP9000 system containers

Thanks for responses. I've since - successfully - POC two 11.0 environments in Containers - SAP no less!  Both on same server, but only can bring up one at a time due to kernel constraints I believe.  Thanks again -

Emil Velez_2
Trusted Contributor

Re: HP9000 system containers

vPars and nPars are not an issue with containers, since the container runs in the vPar, nPar or VM operating system, so the vPar, nPar or VM only determines how much CPU and memory is available to the OS which the containers run in. Then you specify how much resources each container gets.


HP 9000 containers are to port a PA-RISC environment to an Itanium box unmodified. You restore a PA-RISC backup into a directory like /9000, then you create the hp9000 container and reference that directory.

This is my cookbook


download and install PHSS_41099 (no reboot)
download and install compartments (part of SRP install)
download and install SRP first (reboot needed) prerequisite.
download and install HP9000 containers (no reboot)

mkdir /home/9000
cd 9000
frecover -r -X -f ../srp/hpmdd78.backup


add user oinstall:

oinstall::110:

in /home/down2


useradd -u 120 -g oinstall -m oracle

chown -R oracle:oinstall /Apps/*


ln -s /home/down2 /9000

srp_sys -setup take defaults

srp -add HP9000

services - default
unix names for administrator - default
List of UNIX user names for login: root,oracle
unix group names: adm,oinstall
PRM all default
IP address 10.10.67.9 (or whatever)
network interface name: lan1:5
gateway: default
autostart

srp -add HP9000 -t sshd -b
srp -start HP9000
srp_ps HP9000 -ef | grep sshd

srp -add HP9000 -t hp9000

Emil Velez
Instructor Storage, Servers, HP-UX and Partner Courses
Hewlett Packard Enterprise Education Services