120 likes | 256 Views
A New Production Environment for LCLS Controls System. Ernest and Jingchen. Migrated to Standalone Production Environment. Why needed? Wide open and vulnerable Dependent on SCCS services Not for production No 24/7 support Beyond our control Standalone?
E N D
A New Production Environment for LCLS Controls System Ernest and Jingchen
Migrated to Standalone Production Environment • Why needed? • Wide open and vulnerable • Dependent on SCCS services • Not for production • No 24/7 support • Beyond our control • Standalone? • The LCLS controls systems hosted on a secure and private network designed for production – CA network (Channel Access network) • All the services required by the controls system provided by MCC instead of SCCS • The goal: • To improve the reliability • To improve the security • To improve the performance • What missing: Transparency
Services Provided with CA • NFS: file server for applications and data • DHCP: bootp for network setting • TFTP: loading up the kernel • NTP: time synchronization • DNS: “phone book” for network • NIS: Authentication server for account management (in progress) • Matlab License Server • A cluster of application servers: daemons, elog, archivers, high level apps and etc. • A cluster of OPIs: operational consoles • Software packages: required to build controls applications • Automated patching system • Backup/Restore • Network and system monitoring and diagnosis • User support • etc.
lcls-prod02: the Gateway to CA • lcls-prod02 • A public machine on DMZ network • Access to CA via lcls-prod02 • Access to the public via lcls-prod02 • Log in lcls-prod02 • From any public node in SLAC, e.g., your office desktop • ssh lcls-prod02 • No password needed if RSA set properly • Valid tokens: • type “tokens” to verify • kinit
lcls-srv01: Your Host on CA • lcls-srv01 • On CA network • Served by our services • Shared accounts • physics: a shared account for physicists • lclsops: a shared account for operations (e.g., operators in MCC) • How to get to CA? • from lcls-prod02 • ssh physics@lcls-srv01 • No password needed if RSA set properly • on lcls-prod02, type “ssh-keygen –t rsa”, • responds all prompts with Return • ask KenB to authorize you for access • You are in the world of CA: lclshome, matlab, lclsarch, and etc.
OPIs: Your Operational Consoles on CA • lcls-opi1[-4] • On CA network • In MCC, formerly called Kiosks • lcls-opi5[-x] • On CA network • In sectors • All are operations consoles and for production only • Log in as lclsops • No more AFS token issue • Login session always kept on unless power outage • Production environment properly set • Completely independent of SCCS services • No direct access to any public resources: email, WEB, your AFS home directory • Log in lcls-prod02 if needed for public resources
In the CA World … • lclshome, matlab, lclsarch, SCP button, and etc. • Software release • Developed in public AFS/NFS, CVS repository in AFS • Remote cvs $ export CVSROOT=:ext:<username>@lcls-prod02:/afs/slac/g/lcls/cvs $ cvs co <module> $ cvs commit • A quick and dirty release if not in CVS $ scp <username>@lcls-prod02:/<path>/<filename> . No push from DMZ to CA for now • Public resource access • $ ssh <username>@lcls-prod02 • WEB: firefox • Other applications in AFS • Your SLAC $HOME directory in AFS: /afs/slac/u/<group>/<username>
bash only • tcsh: SLAC default login shell • $HOME/.login • $HOME/.cshrc • bash: CA default login shell • $HOME/.bash_profile • $HOME/.bashrc . /usr/local/lcls/epics/setup/epicsReset.bash . /usr/local/lcls/tools/matlab/setup/matlabSetup.bash • Shell scripts: #!/bin/bash -norc
Production Data • /u1/lcls [physics@lcls-srv01 ~]$ ls /u1/lcls alh cmlog epics matlab physics slc sr_info tools • Transparent to all nodes on CA as R/W • OPIs • IOCs • Visible to nodes on DMZ as R Only • e.g., ssh lcls-prod02 from your office desktop • ls /mccfs2/u1/lcls • Availability to the public via protocols like http is under study • Data buffer • Any incremental data at high rate • Only reasonable amount of data kept online on CA • Old data will be staged over to SCCS for final storage in /nfs/slac/g/lcls • Log files trimmed on a regular basis • Other type of data kept online as long as needed
Application Filesystems • /usr/local/lcls • Transparent to all nodes on CA as R/W • Not visible to any node on public networks, including DMZ • Areas for physicists: • /usr/local/lcls/physics for applications • /u1/lcls/physics for data files • /home/physics – home directory for physics
The Goal • Robust • Secure • Optimized