HP Process Resource Manager (PRM) instruction

D Creating Secure Resource Partitions

The optional HP-UX feature Security Containment, available starting with HP-UX 11i v2 (B.11.23), provides “secure compartments,” which allow you to isolate processes and files. You can place one or more secure compartments in a single PRM group to manage the resource allocation for your secure compartments.

Using these features together, you form Secure Resource Partitions.

You can assign compartments to PRM groups to form Secure Resource Partitions using either the PRM configuration file or the PRM GUI. For more information, see “Specifying PRM groups/controlling CPU resource use” (page 54).

PRM also provides the following utilities for use with Security Containment:

prm2scomp Generates a minimal Security Containment configuration from a PRM configuration. scomp2prm Generates a minimal PRM configuration from a Security Containment configuration.

srpgen Generates Secure Resource Partitions by creating both a minimal Security Containment configuration and a minimal PRM configuration based on your input.

126 Creating Secure Resource Partitions

Image 126

HP Process Resource Manager (PRM) manual Creating Secure Resource Partitions

Contents

HP Process Resource Manager User Guide Legal Notice Contents Using PRM with HP System Management Homepage SMH PRM configuration planningSetting up PRM Using PRM with HP Systems Insight Manager SIM Fine-tuning your PRM configuration Administering PRM Command reference 101 Ovpm Glossary 145 Index 148 Supported platforms PrefaceNew in this edition Notational conventions Associated documents Providing feedback Support and patch policies Training What is HP Process Resource Manager? Overview Introduction to PRM commands Why use HP Process Resource Manager? Balancing resource use between users Standard HP-UX resource allocationHow PRM can improve on standard allocation Resources managed by PRM Prioritizing resource use between users Prioritizing resource use for applications Limiting resource consumption Isolating resource use for applications and users Understanding how PRM manages resources How PRM controls resourcesPRM groups How processor sets work? Resource allocationWhat are processor sets? Processor sets example How shares work Altered configurationWhat are shares? Converting shares to percentages Hierarchical PRM groups Parent, child, sibling, and leaf PRM groups Hierarchical PRM groups-top level Hierarchical PRM groups-Development’s child groups How PRM manages CPU resources Example PRM CPU resource management PRM CPU resource management CPU allocation and number of shares assigned Capping CPU resource use How PRM manages CPU resources for real-time processes Hyper-ThreadingMultiprocessors and PRM How PRM manages real memory resources How HP-UX manages memory Available memory How PRM controls memory usageExample of available memory on a 1024-Mbyte system Reducing memory shares Capping memory useImplementation of shares and caps Isolating a group’s private memory resources How PRM manages shared memoryHow PRM manages locked memory Example memory management Locked memory distribution How resource allocations interact How PRM manages applications How PRM handles child processes Pattern matching for filenamesPRM’s group assignments at process start-up Pattern matching for renamed application processes Opt/specialapps/bin/*GroupS Precedence of PRM group assignments Bar MyfavoriteappPrmrun -g GroupA barnone Phonehome Understanding how PRM manages resources Selecting a configuration model PRM configuration planningUsing multiple configurations Budget model configurations Application priority model configurations MEM Identifying resource use Quick analysis Detailed analysis Using prmanalyze to quickly identify resource use Initial configuration based on prmanalyze’s CPU report #prmanalyze -s command -r mem -p -t summary -1filenameInitial configuration based on prmanalyze’s memory report 25% Setting PRM to start automatically at reboot Setting up PRMInstalling PRM Installing PRM Setting PRM to start automatically at reboot Using PRM with HP System Management Homepage SMH Quick start to using PRM’s SMH interface#/opt/prm/bin/prmsmhconfig -c #ps -efP Using PRM with HP Systems Insight Manager SIM Configuring user authorizationsWhat PRM tasks are available through SIM? HP SIM toolboxes needed for PRM administrator role Quick start to using PRM’s SIM interfaceRole PRM administrator Role PRM operator #ps -efP #prmconfig -s -c -fconfigfile Configuring and enabling PRM on the command lineQuick start to using PRM’s command-line interface #prmconfig -i -fconfigfile Configuring PRM PRM configuration file#prmconfig -e Configuration tips and requirements Specifying PRM groups/controlling CPU resource use Reserved PRM groups Group/CPU record syntax Development/Compilers/Fortran Hier Adding/modifying PRM groups and CPU allocations Explained in the section Group/CPU record syntax Capping CPU resource use Removing groups/CPU allocations Controlling memory use Memory record syntaxPrivate memory #!PRMMEM Shared memory Megabytes Adding/modifying shared memory allocations #prmconfig -e MEMAdding/modifying private memory shares/caps Explained in the section Memory record syntax Removing private memory shares Removing shared memory allocations Isolating private memory for a group Missing applications are ignored Controlling applicationsDuplicate application records Application record syntax See Launching a Java program under PRM See Pattern matching for filenames Adding/modifying an application’s group assignment Removing an application’s group assignment #prmconfig -e Appl# prmconfig -k # prmmove critapps -g Launching an application under PRM # prmrun criticalapp Launching an application in a user-specified group Launching a script under PRMLaunching an application in its assigned group #prmrun -g sales CustomerOrder User record syntax Specifying PRM usersLaunching a Java program under PRM Prmmove -p $$groupname User Displaying netgroup expansions Adding/modifying a user’s group assignment Removing a user’s group assignment Example Changing the initial group of a user#prmmove purchasing -u advisor6 Assigning secure compartments to PRM groups Compartment record syntax Adding/modifying a compartment’s group assignment Removing a compartment’s group assignmentExplained in the section Compartment record syntax Assigning Unix groups to PRM groups Unix group record syntaxAdding/modifying a Unix group’s PRM group assignment Removing a Unix group’s PRM group assignment Explained in the section Unix group record syntax Checking the configuration file Loading the PRM configuration Prmconfig Loading the PRM configuration with prmconfigDifferences in loads when a configuration is already loaded Enabling resource managers Updating the configuration Enabling resource managers with prmconfigEnabling specific resource management on the command line #prmconfig -i -fconfigfile -s -c Fine-tuning your PRM configuration Using prmanalyze to analyze your configuration #prmanalyze -r cpu -1 -t hourly -s prmid myacct Example Locating system bottlenecksDaily weekly monthly #prmanalyze -r mem -E -1 -t hourly -s prmid myacct #prmanalyze -t weekly -d 16 *.acct98 Jan.acct99 Feb.acct99 Example Checking for patterns and configuration accuracyExample High-level views of usage #prmanalyze -s prmid -r cpu -p -t daily -x 0 filename Using GlancePlus to analyze your configuration Analyzing memory use GlancePlus information on PRM #tail -f /var/adm/syslog/syslog.log grepPIDofcurrentprm2d #prmconfig -L MEM Stop#ps -ef grep prm2d Var/adm/syslog/syslog.log file Administering PRM Moving processes between PRM groupsDisplaying application filename matches #prmlist -a Displaying netgroup expansionsBin/b*Bapplications #prmlist #prmconfig Displaying accessible PRM groupsDisplaying state and configuration information #prmlist -u +prime Setting the application manager’s polling interval Displaying application and configuration informationSetting the memory manager’s polling interval Setting the interval with prmconfig Resetting PRM with prmconfig Resetting PRMDisabling PRM with prmconfig Disabling PRM Logging PRM memory messages Controlling memory logging with prmconfigControlling application logging with prmconfig Logging PRM application messages Displaying available memory to determine number of shares Displaying groups’ allocated and used resourcesDisplaying user information #prmmonitor 30 Displaying number of cores to determine number of shares Displaying past process informationDisplaying current process information Log global application=prm process dev=disk,lvm transaction Monitoring PRM with GlancePlus#ps -R Others Mwa restart scope PRMCONFIGFILE=/etc/opt/prm/conf/dayconf.prm Automating PRM administration with scriptsProtecting the PRM configuration from reboots PRMSLEEP=n Special case of interest Client/server connections Reconstructing a configuration fileInternal copies of configuration files PRMINTLAPPL=seconds Online cell operations Backing up PRM files Prmagt user options/parameters Command referencePrmagt Prmagt -plock -stop -intervalseconds Plock Prmanalyze -s command -r cpu -t summary /var/adm/pacct StopInterval seconds Prmanalyze options/parameters Auto uid gid command prmidFconfigfile Disk mem cpu Hourly Summary conflict hourly daily weekly monthlyConflict Daily , weekly , monthly Mminimumduration Prmavail Prmavail -p -f CPU Disk MEMDresourcedensity Xexcludevaluekey Prmconfig user options Prmconfig root user optionsConfigfile-i -k -s -c Configuration lock already held by %s ManagerIintervalmanager Lmanager logarg Prminitconfig -a -r -hPrmconfig -r to reset Mmode Prminitconfig options/parameters Group Prmloadconf Prmloadconf -fconfigfile Prmlist user optionsPrmloadconf root user options Resource Differences in output from prmmonitor and topPrmmonitor user options/parameters Interval Prmrecover Prmrecover resource Prmrecover user options/parametersPrmmove user options/parameters Prmrun -w Prmsmhconfig -c -u -hPrmsmhconfig options/parameters Prmrun user options/parameters Scomp2prm -m -pprmpath Prm2scomp -pprmpath-sscomppath-iPrm2scomp options/parameters Scomp2prm options/parameters Srpgen options/parameters Fbasepath HP-UX command/system call support HP-UX commands/system calls that support PRM groupsPRM options in HP-UX commands Monitoring PRM through Snmp Structure of PRM’s Snmp data prmReadOnly Accessing PRM’s Snmp data Using OpenView’s snmpwalk Start xnmbrowsesr Using OpenView’s xnmbrowser#/opt/prm/bin/prmagt #/opt/OV/bin/xnmbrowser Enter public in the field Community Name Navigate to the PRM’s data by following the hierarchy Monitoring PRM through Snmp Graphing resource usage Monitoring PRM through Snmp Databases/order PRM groups in xnmbrowser graphDatabases/inventory Mailserver Creating Secure Resource Partitions Using PRM with Serviceguard SERVICECMD0=/opt/prm/bin/prmrun -g mathdeptapplication EOF1 Using PRM with HP Integrity Virtual Machines PRM and Virtual Machines PRM is not configured PRM error messagesPrmmonitor error messages PRM resource managers disabled Prmconfig error messages Message The -i and -k options cannot be used together Message Cannot display configuration. PRM is not configuredMessage PRM is disabled and not configured -f option requires an argument Prmconfig command -M option requires a keyword argumentUnrecognized keyword argument for -M option Prmmove error messages Requires that PRM be configured Could not find group %s in configuration fileRequires users to be specified by login names User %s does not have permission to move process %d Prmrun error messages Application file %s does not exist Could not launch application %s in group %sperrorUsers Path environment variable is empty Application file %s is empty Prmlist error messages Could not find full path of application %s Could not find group %s in the configuration fileCould not find user %s in the configuration file Please specify only one -s option Prmloadconf error messages Prmrecover error messages Prmavail error messages Prmanalyze error messages File format with acctcom Unable to create temp file in /tmpUnable to open temp file %s Unable to read event temp file %s Prmagt error messages Glossary Alternate group Others group UID Index CPU Syntax, 111 prmrecover Index NIS Index 153 Index