1 / 12

A New Production Environment for LCLS Controls System

A New Production Environment for LCLS Controls System. Ernest and Jingchen. Migrated to Standalone Production Environment. Why needed? Wide open and vulnerable Dependent on SCCS services Not for production No 24/7 support Beyond our control Standalone?

chione
Download Presentation

A New Production Environment for LCLS Controls System

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. A New Production Environment for LCLS Controls System Ernest and Jingchen

  2. Migrated to Standalone Production Environment • Why needed? • Wide open and vulnerable • Dependent on SCCS services • Not for production • No 24/7 support • Beyond our control • Standalone? • The LCLS controls systems hosted on a secure and private network designed for production – CA network (Channel Access network) • All the services required by the controls system provided by MCC instead of SCCS • The goal: • To improve the reliability • To improve the security • To improve the performance • What missing: Transparency

  3. Services Provided with CA • NFS: file server for applications and data • DHCP: bootp for network setting • TFTP: loading up the kernel • NTP: time synchronization • DNS: “phone book” for network • NIS: Authentication server for account management (in progress) • Matlab License Server • A cluster of application servers: daemons, elog, archivers, high level apps and etc. • A cluster of OPIs: operational consoles • Software packages: required to build controls applications • Automated patching system • Backup/Restore • Network and system monitoring and diagnosis • User support • etc.

  4. lcls-prod02: the Gateway to CA • lcls-prod02 • A public machine on DMZ network • Access to CA via lcls-prod02 • Access to the public via lcls-prod02 • Log in lcls-prod02 • From any public node in SLAC, e.g., your office desktop • ssh lcls-prod02 • No password needed if RSA set properly • Valid tokens: • type “tokens” to verify • kinit

  5. lcls-srv01: Your Host on CA • lcls-srv01 • On CA network • Served by our services • Shared accounts • physics: a shared account for physicists • lclsops: a shared account for operations (e.g., operators in MCC) • How to get to CA? • from lcls-prod02 • ssh physics@lcls-srv01 • No password needed if RSA set properly • on lcls-prod02, type “ssh-keygen –t rsa”, • responds all prompts with Return • ask KenB to authorize you for access • You are in the world of CA: lclshome, matlab, lclsarch, and etc.

  6. OPIs: Your Operational Consoles on CA • lcls-opi1[-4] • On CA network • In MCC, formerly called Kiosks • lcls-opi5[-x] • On CA network • In sectors • All are operations consoles and for production only • Log in as lclsops • No more AFS token issue • Login session always kept on unless power outage • Production environment properly set • Completely independent of SCCS services • No direct access to any public resources: email, WEB, your AFS home directory • Log in lcls-prod02 if needed for public resources

  7. In the CA World … • lclshome, matlab, lclsarch, SCP button, and etc. • Software release • Developed in public AFS/NFS, CVS repository in AFS • Remote cvs $ export CVSROOT=:ext:<username>@lcls-prod02:/afs/slac/g/lcls/cvs $ cvs co <module> $ cvs commit • A quick and dirty release if not in CVS $ scp <username>@lcls-prod02:/<path>/<filename> . No push from DMZ to CA for now • Public resource access • $ ssh <username>@lcls-prod02 • WEB: firefox • Other applications in AFS • Your SLAC $HOME directory in AFS: /afs/slac/u/<group>/<username>

  8. bash only • tcsh: SLAC default login shell • $HOME/.login • $HOME/.cshrc • bash: CA default login shell • $HOME/.bash_profile • $HOME/.bashrc . /usr/local/lcls/epics/setup/epicsReset.bash . /usr/local/lcls/tools/matlab/setup/matlabSetup.bash • Shell scripts: #!/bin/bash -norc

  9. Production Data • /u1/lcls [physics@lcls-srv01 ~]$ ls /u1/lcls alh cmlog epics matlab physics slc sr_info tools • Transparent to all nodes on CA as R/W • OPIs • IOCs • Visible to nodes on DMZ as R Only • e.g., ssh lcls-prod02 from your office desktop • ls /mccfs2/u1/lcls • Availability to the public via protocols like http is under study • Data buffer • Any incremental data at high rate • Only reasonable amount of data kept online on CA • Old data will be staged over to SCCS for final storage in /nfs/slac/g/lcls • Log files trimmed on a regular basis • Other type of data kept online as long as needed

  10. Application Filesystems • /usr/local/lcls • Transparent to all nodes on CA as R/W • Not visible to any node on public networks, including DMZ • Areas for physicists: • /usr/local/lcls/physics for applications • /u1/lcls/physics for data files • /home/physics – home directory for physics

  11. The Goal • Robust • Secure • Optimized

More Related