Secure Resource Partitions enable the resources under the control of a single operating system to be further divided into secure compartments for the purposes of running workloads. Figure 7-1 shows a set of workloads running in separate operating systems on separate hardware platforms. While this environment is highly isolated, not all workloads require that level of isolation. In addition, computing environments such as those shown in Figure 7-1 typically experience lower resource utilization because none of the hardware resources are shared. When a workload is not busy, the hardware is left idle.
Figure 7-1. Workloads Running in Isolation
Secure Resource Partitions rely on features of the HP-UX kernel to provide resource and security isolation between workloads. Figure 7-2 demonstrates the consolidation of Workloads A, B, and C to a single server platform. In this environment, each workload is isolated in a Secure Resource Partition. The SRP guarantees that a specified amount of system resources will be available for each workload when needed. In addition, each SRP is isolated from a security standpoint with the result that no workload is able to affect another workload either intentionally or unintentionally. The consolidated environment results in higher resource utilization because resources that aren't needed by Workload A, for example, can be used by Workload B. In addition, the environment shown in Figure 7-2 requires a single operating system, as opposed to a distinct operating system for each workload; this results in lower maintenance time. Finally, SRPs provide the ability to overprovision a system with workloads that have peaks that are not aligned.
Figure 7-2. Consolidated Workloads Running in Secure Resource Partitions
SRPs also offer the ability to install, configure, and maintain a single application with multiple instances running in each of the SRPs. Applications such as databases work well in this type of environment. This saves administration costs; it is necessary to maintain only one instance of the application. In addition, application licensing costs will likely be decreased because applications are typically priced based on the number of CPUs. Using SRPs results in a lower requirement for hardware resources and has the result of achieving higher utilization of resources.
Secure Resource Partitions offer the ability to control several areas of a system. These controls can be enabled and disabled independently and there is no requirement that all of these controls be used when SRPs are employed. The following system attributes can be controlled and managed with SRPs based on the requirements of the workloads.
The fundamental technology behind SRPs is the Process Resource Manager product (PRM). PRM has been available on HP-UX for many years and continues to increase its capabilities. The CPU, memory, and disk I/O bandwidth resource controls are all handled through PRM. The security-isolation aspect of SRPs is available through integration of PRM with the HP-UX Security Containment product.
The HP-UX Security Containment product contains several features designed to provide a highly secure operating environment that does not require users to modify applications. The secure compartment feature within the HP-UX Security Containment product provides security isolation between workloads that prevents workloads running under a single operating system from affecting one another. The integration of secure compartments and PRM is not illustrated in the example scenario presented in this chapter; however, several tools are provided with the PRM product to facilitate the integration with secure compartments. See the HP Process Resource Manager User's Guide version C.03.00 for details on integrating PRM and HP-UX Security Containment.
The HP-UX Security Containment product is available beginning with HP-UX 11i v2.