This presentation discusses the problems with the common beamline network and proposes a new network layout for safer communication. It includes firewall and gateway setups, safety measures, hardware specifications, and data safety considerations.
SLS Beamline Networks and Data Storage
Dirk Zimoch, EPICS Collaboration Meeting October 2008
Old Network Layout (last year)
[Diagram, labels: PSI network, SLS Accelerator, Gateway, Beamlines]
The Problem
• Common beamline network is not safe
  • Badly programmed CA clients can flood the network with broadcasts
  • Users may accidentally write to records of other beamlines
  • Viruses etc. may spread over all beamlines
  • Industrial users want their data safe and protected
• Separate beamline networks need safe communication
  • Access to machine and other beamlines
  • Access from outside (e.g. offices)
  • Internet access from beamline
  • Storage access
New Network Layout (now)
[Diagram, labels: PSI network, Firewall, Switch, SLS Accelerator, Gateway, Gateway, Beamline1, Beamline2]
Channel Access Gateway Setup
• All gateways connect to central accelerator network
  • Assumption: beamline-to-beamline traffic is low
  • Central services in accelerator network (e.g. archiver)
• All gateways are bi-directional
  • Full write access from accelerator
  • Limited write access from beamlines to machine (we trust the accelerator but not the beamlines)
  • No write access from beamline to beamline
  • Take care to prevent loops
• Access from outside world is read-only
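The access policy on this slide, written out as an added example in the syntax of the EPICS CA gateway's pvlist and access-security files. This is not the SLS configuration; the PV name prefixes (ACC:, ACC-FE-BL1:, BL1:), host names and file names are assumed for illustration.

```text
# --- gw-bl1-to-acc.pvlist ---
# Gateway serving beamline 1 clients, fetching PVs from the accelerator network.
# Only accelerator PV names are listed, so PVs of other beamlines cannot be
# reached through this gateway at all, neither for reading nor for writing.
ACC-FE-BL1:.*      ALLOW   bl1write     # front-end PVs beamline 1 may operate
ACC:.*             ALLOW                # everything else uses ASG DEFAULT: read-only

# --- gw-bl1-to-acc.access ---
# Access security for the same gateway. HAG entries name the gateway's clients,
# i.e. hosts inside the beamline network (host names assumed).
HAG(bl1control) { "bl1-console", "bl1-softioc" }

ASG(DEFAULT) {
    RULE(1, READ)
}

ASG(bl1write) {
    RULE(1, READ)
    RULE(1, WRITE, TRAPWRITE) {   # TRAPWRITE records every write in the gateway put log
        HAG(bl1control)
    }
}

# --- gw-acc-to-bl1.pvlist and gw-acc-to-bl1.access ---
# Opposite direction: accelerator clients see beamline 1 PVs, with write access
# only from accelerator hosts ("we trust the accelerator but not the beamlines").
BL1:.*             ALLOW   accwrite

HAG(accelerator) { "acc-console", "acc-archiver" }
ASG(DEFAULT) { RULE(1, READ) }
ASG(accwrite) {
    RULE(1, READ)
    RULE(1, WRITE) { HAG(accelerator) }
}
```

A gateway toward the office network ("access from outside world is read-only") would carry only ASG(DEFAULT) with a READ rule and no WRITE rule at all. Two practical points: the loop warning on the slide is handled at start-up, not in these files, by giving each gateway an explicit client-side address list (-cip) that points only at the remote network and a server-side address (-sip) on the local interface, with EPICS_CA_AUTO_ADDR_LIST=NO, so a gateway never discovers its own server side or a peer gateway and forwards its own requests in a circle. And CA clients self-report their user and host name, so HAG/UAG rules stop accidents and misconfigured clients, not a deliberate attacker on the beamline network; the separate VLANs and the firewall remain the real boundary.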
Firewall
Firewall blocks incoming traffic except ssh to login gateway.
[Diagram, labels: PSI network, Firewall, Beamline Network, Beamline hutch, vmWare, Login gateway, IOC, Accelerator, CA gateway, IOC, Bootserver, Softioc, Compute node (x4), User Laptop, Console, Fileserver (x2), GPFS, Detector]
Safety Measures
• Firewall allows ssh from outside only to login gateway
  • Other machines with less strict security cannot compromise system
• Login gateway has list of trusted users (PAM)
  • Beamline scientists
  • Beamline supporters
  • People doing on-call service
  • No external beamline users
• Servers are located in server room, not at the beamline
  • No physical access
  • Better cooling
  • Uninterruptible power supply
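The two technical measures on this slide (firewall passes only ssh to the login gateway; the login gateway accepts only a PAM list of trusted users), as an added example in present-day nftables and Linux-PAM syntax. This is not the SLS configuration; interface names, the 192.0.2.0/24 beamline subnet, the login gateway address 192.0.2.10, file paths and user names are constructed.

```text
# --- /etc/nftables.conf on the beamline firewall (constructed addresses) ---
table inet beamline {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # replies to connections the beamline opened (internet, storage, ...)
        ct state established,related accept

        # the only service reachable from outside: ssh to the login gateway
        iifname "eth-outside" oifname "eth-beamline" \
            ip daddr 192.0.2.10 tcp dport 22 ct state new accept

        # beamline hosts may open connections outward
        iifname "eth-beamline" oifname "eth-outside" accept

        # everything else coming in is logged and dropped; the counter feeds monitoring
        iifname "eth-outside" log prefix "bl-fw-drop: " counter drop
    }
}

# --- /etc/pam.d/sshd on the login gateway (excerpt; path assumed) ---
# Only logins named in the list may authenticate. onerr=fail makes a missing or
# unreadable list refuse everyone rather than admit everyone.
auth    required    pam_listfile.so onerr=fail item=user sense=allow file=/etc/ssh/beamline_trusted_users
# ... followed by the distribution's usual auth lines (LDAP or local passwords)

# --- /etc/ssh/beamline_trusted_users (one login per line; names constructed) ---
bl1scientist
bl1support
oncall-ctrl
```

The PAM list is what keeps external beamline users out of the login gateway even though they hold valid LDAP accounts for their data (see the data safety slide): pam_listfile decides before the password is ever checked, so an account that is not in the file cannot log in regardless of its credentials. Because the firewall's forward chain has policy drop, the IOCs, boot server and compute nodes behind it are unreachable from outside even if one of them runs a weaker configuration, which is the point of the first bullet.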
VmWare Server System
• HP blade system, 16 blades per enclosure
• Dual core Opteron 2.4 GHz
• 2 GB RAM
• 2 network connections: accelerator, and 16 beamlines via VLAN
• VmWare for virtual machines, 256 MB per virtual machine
Beamline Storage
[Diagram: up to 4 disk arrays per beamline, each with controller 0 and controller 1]
• 2 x 4 Gbit/sec Fibre Channel
• 500 GB SATA disks
• RAID 6
• Up to 30 TB net
• 400 MB/sec from one host
• 600-700 MB/sec total
Data safety
• Double redundancy with RAID 6
• Individual LDAP accounts for users
  • No access to data of other users
  • Automated account generation
• No long term storage
  • 30 TB is just enough for one month
  • No backup
  • Users take data home on constantly synchronized external hard disk (Firewire or USB)