Manuals / Brands / Computer Equipment / Software / HP / Computer Equipment / Software

HP Process Resource Manager (PRM) D Creating Secure Resource Partitions, “Specifying PRM groups/controlling CPU resource use” (page 54)

1 154

Download 154 pages, 2.04 Mb

D Creating Secure Resource Partitions

The optional HP-UX feature Security Containment, available starting with HP-UX 11i v2 (B.11.23), provides “secure compartments,” which allow you to isolate processes and files. You can place one or more secure compartments in a single PRM group to manage the resource allocation for your secure compartments.

Using these features together, you form Secure Resource Partitions.

You can assign compartments to PRM groups to form Secure Resource Partitions using either the PRM configuration file or the PRM GUI. For more information, see “Specifying PRM groups/controlling CPU resource use” (page 54).

PRM also provides the following utilities for use with Security Containment:

prm2scomp Generates a minimal Security Containment configuration from a PRM configuration. scomp2prm Generates a minimal PRM configuration from a Security Containment configuration.

srpgen Generates Secure Resource Partitions by creating both a minimal Security Containment configuration and a minimal PRM configuration based on your input.

126 Creating Secure Resource Partitions

Contents

Version C.03.05 Page Contents 3 PRM configuration planning 4 Setting up PRM 5 Using PRM with HP System Management Homepage (SMH) 8 Fine-tuningyour PRM configuration Disabling PRM Resetting PRM Monitoring PRM groups Logging PRM memory messages Logging PRM application messages Page Preface Page Page 1 Overview Memory memory. There are two types of memory records: Private Specifies a minimum amount of private memory. Optionally specifies a cap on memory use as well as memory isolation (so that memory cannot Page Balancing resource use between users Prioritizing resource use between users Prioritizing resource use for applications Limiting resource consumption Isolating resource use for applications and users 2 Understanding how PRM manages resources What are processor sets How processor sets work What are shares How shares work Hierarchical PRM groups Page Enables making “Group/CPU record syntax” (page 55) Example: PRM CPU resource management At Time C: CPU resource use for CPU allocation and number of shares assigned “Capping CPU resource use” (page 24) Capping CPU resource use How PRM manages CPU resources for real-timeprocesses rtsched rtprio Hyper-Threading psrset Figure 7 PRM’s process scheduling on MP systems (Hyper-Threadingdisabled) How HP-UXmanages memory Available memory prmavail Table 7 (page 27) Table 7 Example of available memory on a 1024-Mbytesystem How PRM controls memory usage Capping memory use Implementation of shares and caps Isolating a group’s private memory resources How PRM manages shared memory How PRM manages locked memory Example: memory management •System memory use is near 100% Group3 Group1 Group2 After Time D: How application processes are assigned to PRM groups at start-up How PRM handles child processes Pattern matching for filenames /opt/special_apps/bin/*::::GroupS Pattern matching for renamed application processes abb abb NOTE: You cannot use colons in an ERE, as PRM uses colons for field separators ’.*b’ Precedence of PRM group assignments “Setting the application manager’s polling interval” (page 92) The precedence of PRM record types—fromhighest to lowest—is: 1.Compartment record 6.Unix group records 7.Move the process to the OTHERS group To illustrate these rules, consider the following application records: Assume a user starts an application, my_favorite_app, without using prmrun: % my_favorite_app Page 3 PRM configuration planning •Group B: 50 CPU shares, 50 memory shares •Group C: 50 CPU shares, 50 memory shares •Group A: Core 1, 50 memory shares •Group B: Core 2, 50 memory shares •Group C: Core 3, 50 memory shares Page Quick analysis Create a PRM configuration file with a group for each Assign all users to the user default group A resulting configuration might be: •User default group: 60 CPU shares, 70 memory shares Detailed analysis 1.Collect resource data •The length of time that each group consumes these resources •The amount of total resources consumed over time •The amount of resources that are being used by each group #prmanalyze -scommand -rcpu -p -tsummary -1filename|sort -r+5 #prmanalyze -suid -rcpu -xroot -p -tsummary -1filename|sort -r+5 #prmanalyze -scommand -rmem -p -tsummary -1filename Page 4 Setting up PRM 5 Using PRM with HP System Management Homepage (SMH) #ps -efP 6 Using PRM with HP Systems Insight Manager (SIM) Role: PRM administrator Role: PRM operator Page 7 Configuring and enabling PRM on the command line 6.Enable PRM: #prmconfig -e The PRM configuration file The PRM configuration file contains the following record types: •Group/CPU PRM automatically assigns system processes to the group The user default group •Nonroot users cannot have access to the system group PRM_SYS (PRMID 0) The generic configuration file contains: A PRM group/CPU record for the user default group Reserved PRM groups Group/CPU record syntax explicitly.) PSET PRM group PRMIDs are assigned by PRM and are not specified in the group record HIER you cannot use PRMID 0 for a child group. You can, however, use PRMID 1 for a child group Adding/modifying PRM groups and CPU allocations Capping CPU resource use Removing groups/CPU allocations Memory record syntax A white paper, titled , on the web at http://h20338.www2.hp.com/hpux11i/downloads/5983-1676EN.pdf presents a case study of setting memory allocations for PRM groups Use the following syntax to specify a memory record: A memory record for PRMID 6, which grants 20 memory shares. The memory is Shared memory Use the following syntax to specify a shared memory record: #!SHARED_MEM Indicates the start of a shared memory record Adding/modifying private memory shares/caps Adding/modifying shared memory allocations Removing private memory shares Removing shared memory allocations Isolating private memory for a group Duplicate application records Missing applications are ignored Application record syntax appear in either the file /etc/shells or the file /opt/prm/shells For Java programs, the path of the Java being used—asdisplayed in ps output—mustappear in either /etc/shells or /opt/prm/shells. For an example see “Launching a Java program under PRM” (page 71) You can use wildcards ([, ], ?, and *) to specify the filename, but not the Adding/modifying an application’s group assignment Removing an application’s group assignment Launching an application under PRM Launching a script under PRM Launching a Java program under PRM User record syntax Page Adding/modifying a user’s group assignment Removing a user’s group assignment Compartment record syntax Adding/modifying a compartment’s group assignment Removing a compartment’s group assignment Unix group record syntax Adding/modifying a Unix group’s PRM group assignment Removing a Unix group’s PRM group assignment Checking the configuration file configfile Validation checks for: •Duplicate group names •Duplicate user names Loading the PRM configuration with prmconfig “Fine-tuning your PRM configuration ” (page 83) Enabling resource managers with prmconfig Table 15 Enabling specific resource management on the command line Page 8 Fine-tuningyour PRM configuration The command to generate these reports: [LINEBREAK]prmanalyze -t{hourly | daily | weekly | monthly} •Conflict The command to generate this report: prmanalyze -tconflict ” (page 102) Sales Example: High-levelviews of usage #prmanalyze -tweekly -d16 *.acct98 Jan.acct99 Feb.acct99 Example: Checking for patterns and configuration accuracy #prmanalyze -sprmid -rcpu -p -tdaily -x0 filename #prmanalyze -scommand -rcpu -tconflict -1 -d .4 -xmrkt_rsch -xfinancials PRM ID Load the PRM configuration you want to analyze with -ie 3.Change your PRM configuration based on your review of the GlancePlus data 5.Repeat Step 2, Step 3, and Step 4 as needed #ps -ef| grep prm2d #tail -f /var/adm/syslog/syslog.log| grepPID_of_current_prm2d #prmconfig -LMEM STOP 9 Administering PRM Bapplications /bin/b*::::Bapplications To get a listing of these applications, enter the command: #prmlist -a netgroup #prmlist -u+prime #prmconfig For more information on prmconfig, see the section “prmconfig” (page 106) For more information on prmlist, see the section “prmlist ” (page 109) The default polling interval for the memory manager is 10 seconds Setting the interval with prmconfig interval_in_seconds Disabling PRM differs from resetting PRM in that: •PRM daemons remain running •Processes are tagged with the PRMIDs of their associated groups Disabling PRM with prmconfig Disable PRM manually by entering the following command: Controlling memory logging with prmconfig #prmconfig -LMEM Controlling application logging with prmconfig #prmconfig -LAPPL #prmconfig -LAPPL STOP prmmonitor •Date •Time •Length of sample intervals •PRM state #acctcom -P (page 102) (page 83) #ps -P #ps -l -P #ps -ROTHERS You can use HP’s optional performance and monitoring tool GlancePlus to: •Display PRM reports •Display resource use in real-time •Set alarms to report when resource use is excessive mwa restart scope cron To configure PRM on reboot, set PRM_CONFIG equal to one: PRM_CONFIG=1 PRM_CONFIG_FILE PRM_INTL_APPL PRM_INTL_APPL=seconds PRM_INTL_MEM PRM_INTL_MEM=seconds PRM_LOG_APPL If you want to perform online cell operations, and: •Your PRM configuration contains memory records •Your PRM configuration uses PSETs [-f file A Command reference Table 17 prmagt user options/parameters. (continued) Syntax: prmanalyze config_file [-d ][-m acctcom Table 18 prmanalyze options/parameters Table 18 prmanalyze options/parameters (continued) prmavail [-p] [-f][CPU | DISK | MEM] Availability: Any user can run the prmavail command The options are: -V Displays version information and exits CPU Displays the number of cores on the system interval manager logarg mode Table 19 prmconfig user options Table 20 describes the prmconfig options that are available only to root users Table 20 prmconfig root user options (continued) prminitconfig [{ -a| -r}] [-h] Table 21 prminitconfig options/parameters group user compartment LogicalVolumeGroup Table 22 prmlist user options (continued) prmloadconf [-fconfigfile] Availability: Only root users can execute this command Table 23 shows the prmloadconf options Table 23 prmloadconf root user options prmmonitor [resource| STOPPED] [-h] [-w] [-t] [-s][interval[iterations]] Availability: Any user can run the prmmonitor command Table 24 shows the available options Table 24 prmmonitor user options/parameters Differences in output from prmmonitor and top Table 25 prmmove user options/parameters prmrecover resource Availability: The prmrecover command should be run by a superuser Table 26 describes the available options Table 26 prmrecover user options/parameters prmrun [-w] prmrun [-gtargetgrp| -i] [application[arguments]] [-g Table 27 prmrun user options/parameters prmsmhconfig [{ -c| -u}] [-h] Page Table 31 srpgen options/parameters B HP-UXcommand/system call support C Monitoring PRM through SNMP Table 34 Structure of PRM’s SNMP data (prmReadOnly) (continued) snmpwalk xnmbrowser Using OpenView’s snmpwalk To use snmpwalk to view the PRM data: #/opt/prm/bin/prmagt If you need to stop the agent, use its -stop option Run #/opt/OV/bin/snmpwalk hostname hp.hpSysMgt.hpUXSysMgt.hpPRM.prmReadOnly Page Page Page Graphing resource usage Page Page D Creating Secure Resource Partitions E Using PRM with Serviceguard #users root::::PRM_SYS #application records EOF1 F Using PRM with HP Integrity Virtual Machines G PRM error messages Page Page Page again 296Message Unable to change the polling interval of the %s manager: (HP-UXerror message) You are not running as root, the manager is no longer enabled, or an internal system failure Page Configure PRM with prmconfig -k or -i before executing prmmove Could not find process %d Verify that indicated process ID is valid no action is possible Could not find process group %d User's PATH environment variable is empty User’s PATH environment variable is not set Add application’s directory to PATH environment variable and retry prmrun Could not launch application %s in group %s(perror) Exec of command %s failed for the reason indicated in message Page Page Page Page illegal resource type %s The specified resource is not valid Re-enterthe command using a valid type: disk, mem, or cpu illegal sort key %s The specified sort key is not valid Page Page Glossary lockable memory mlock() plock() cannot be paged or swapped out Logical Volume real memory real user ID resource manager the CPU manager (CPU), and the memory manager (MEM) secure Index Page defined, 145 introduction specifying the number of shares, 54 CPU max creating the configuration file with prmloadconf, 51, 53 cron command disabling PRM prmconfig syntax displaying