Jump to content United States-English
HP.com Home Products and Services Support and Drivers Solutions How to Buy
» Contact HP
More options
HP.com home
 HP-UX System Administrator's Guide: Security Management: HP-UX 11i Version 3 > Chapter 7 Compartments

Compartments in HP Serviceguard Clusters
» 

Technical documentation

Complete book in PDF
» Feedback
Content starts here

 » Table of Contents

 » Glossary

 » Index

spacerspacerspacer
spacer
spacer
  		 
 

If you use compartments with HP Serviceguard, you must configure all Serviceguard daemons in the default INIT compartment. However, you can configure Serviceguard packages in other compartments. See the latest editions of Managing Serviceguard and Using Serviceguard Extension for RAC for daemons required in Serviceguard and Serviceguard extensions for Oracle Real Application Cluster (RAC).

Serviceguard packages can belong to specific compartments. Applications monitored as part of a Serviceguard package can also be configured in specific compartments. When you set up the compartment for a package, be sure that the resources required by that package (such as volume groups, file systems, network addresses, and so on) are accessible by that compartment. Compartment rules are node-specific and do not get carried over during Serviceguard failover operations. To ensure proper operation after a failover, all nodes in the cluster must have identical compartment configurations.

When a primary LAN interface fails over to a standby LAN interface, the compartment label of the primary interface is automatically copied over to the standby interface as long as the standby is not online. If the standby interface is already configured online, the standby interface and the primary interface must be configured in the same compartment to fail over successfully. If the standby interface is configured in a different compartment from the primary interface, but is offline at the time of the failover, the standby interface is updated to the primary interface compartment configuration when the interface fails over.

To maintain proper Serviceguard operations when deploying compartments in HP Serviceguard nodes or packages:

  • Do not modify the INIT compartment specifications in any way.

  • Ensure inetd runs in the INIT compartment.

  • Ensure that all Serviceguard daemons in a cluster run in the INIT compartment. For example, the daemons for Serviceguard Version A.11.16 include cmclconfd, cmcld, cmlogd, cmlvmd, cmomd, and cmsnmpd. See Managing Serviceguard for a list of all Serviceguard daemons.

  • Ensure that all Serviceguard cluster requirements are met for Serviceguard Extensions for RAC clusters. Additionally, clusters with Serviceguard Extension for RAC Version A.11.16 need the cmsmgd daemon to run in the INIT compartment. RAC processes must have access to the libnmapi2 library, and must communicate with cmsmgd. See Using Serviceguard Extension for RAC for required daemons and libraries.

  • Do not configure standby LAN interfaces in a compartment.

  • Set up the compartments and rules identically on all nodes in the cluster. Compartments and rules are specific to a system and do not get carried over when a system fails over.

NOTE: If a standby interface is configured in a compartment, running the setrules command applies this compartment to the standby interface even if it has been successfully switched from a primary interface. If the configured standby interface compartment does not match the primary interface compartment, the primary interface compartment is overwritten when you run setrules. This can cause security violations.

There are no changes made to the Serviceguard scripts to facilitate the use of compartments, fine-grained privileges, or RBAC.



Using Discover Mode to Generate Initial Compartment Configuration
  		 


Chapter 8 Fine-Grained Privileges  
Printable version
Privacy statement Using this site means you accept its terms Feedback to webmaster
© 2008 Hewlett-Packard Development Company, L.P.