or wpar

Pulling up notes from emails:

Dependencies (runtime at least) http://www-frec.bull.com/pkg?id=5875

RPM build dependencies https://src.fedoraproject.org/rpms/mariadb/blob/master/f/mariadb.spec#_198
so hopefully most of those map up.

very obvious linux dependencies like systemd/systemtap can obviously be dropped. Not sure if libaio is cross platform

latest ssl https://www-01.ibm.com/marketing/iwm/iwm/web/pickUrxNew.do?source=aixbp
We might have to run 'updtvpkg' after updating openssl.

So wpars are the AIX forms of docker. Two types, system, which is like VM, and application, which is like docker.

Looked up wpars a bit more. wparexec is the main executable for application WPARS. Best documentation I've found so far is the man page.

It requires root to execute (bottom of man page), /etc/security/privcmds has some privs than can be used if RBAC is used to grant bb addition admin privs on creating wpars, so having the aix.wpar.owner accessauth (https://www.ibm.com/support/knowledgecenter/ssw_aix_72/security/rbac_using.html).

/usr/sbin/wparexec:

        accessauths = aix.wpar.owner

        innateprivs = PV_AZ_ROOT,PV_DAC_O,PV_DAC_R,PV_DAC_W,PV_DAC_X,PV_FS_CHOWN,PV_PROC_PRIV

        inheritprivs = PV_AZ_CHECK,PV_AZ_ROOT,PV_DAC_O,PV_DAC_R,PV_DEV_CONFIG,PV_DEV_LOAD,PV_FS_CHOWN,PV_KER_ACCT,PV_KER_DR,PV_KER_WLM,PV_KER_WPAR,PV_NET_CNTL,PV_NET_PORT,PV_PROC_PRIV,P

V_PROC_SIG,PV_SU_UID,PV_TCB

        euid = 0

        egid = 0

        secflags = FSF_EPS

Its filesystem is shared with the host. Its network and process are isolationed. Options exist to:

• create templates
• control mountpoints (-M)

More complete WPAR documentation.