Dirk Zimoch, Pikett Training 8.5.2008 Channel Access Gateway

Dirk Zimoch, Pikett Training 8.5.2008

Channel Access Gateway


Channel Access GatewayChannel Access Gateway

What is a Channel Access Gateway?

■It forwards channel access to a different network.■Allows access control and filtering.■Can reduce network traffic.

CA gatewaymedm

IOC

medm

medm

IOC

medm

medm



Reduction of network traffic

■ Monitors from many clients to the same IOC are bundled.►Saves bandwidth, memory and CPU time on IOC.► IOC has to serve only one client: the gateway.

■ Already connected channels are not searched again.►Saves broadcast traffic with many clients of the same channel.

■ Channels stay connected for at least two hours.►Saves broadcast traffic with short-lived clients (caget).

gateway



PSI networkPSI networkOld SLS Network Layout (2007)

SLS Accelerator

Gate

wayBeamlines



PSI networkPSI networkNew SLS Network Layout (now)

SLS Accelerator

Beamline1 Beamline2

Gate

way

Gateway

Firewall Switch



backbone network(control room, central IOCs)

PSI-XFEL Network layout

...

...

EPICS

non EPICS

gun linac 1 linac n undulatorsbeamline 1

beamline nvacuum system PLCs

machine interlock system PLCs

web cameras

VLA

N r

ou

ter

...

CAGW CAGW CAGW CAGWCAGW

CAGW



Installed SLS gateways■ office machine

► Read-only access to machine.

■ 16 beamlines machine► Most channels are read-only► Special beamline related channels

are writable

■ Each gateway computer runs 2 gateway processes► X*-IMPGW imports other channels

into beamline network► X*-EXPGW exports beamline

channels to other networks



Filtering and access control

■ Filtering is done by channel name patterns.►Only configured patterns are forwared, others are blocked.►Saves broadcast traffic if channel is blocked.►Requires simple rules to know network from channel name.►Wrong filter settings make channels unavailable.

■ Access can be read-only or read-write.►Filter rules can be combined with rules for users and hosts.►Beamlines can write only to selected channels on machine.►Beamlines cannot write to other beamlines.►Wrong filter settings give wrong access rights.



Example configuration■ Filename: GATEWAY.pvlist■ Install directory on gateway:

/usr/local/caGateway

■ Copy on fileserver:/exchange/home/zimoch/caGateway

■ CVS repository:G/EPICS/extensions/src/gateway/config

or short: gateway/config

■ Filtering based on Perl regular expressions

EVALUATION ORDER ALLOW, DENY

# get machine and other beamline channelsX(?!12SA).* ALLOWILUUL.* ALLOWA.* ALLOW

# allow statistic channelsX12SA-IMPGW:.* ALLOWX12SA-EXPGW:.* ALLOW

# Orbit Feedback.*-LBB:.* ALLOW

# PLCs: MIS, VCS, LAC.*-MIS.* ALLOW.*-VCS.* ALLOW.*-FE-.* ALLOW.*-LAC:.* ALLOW

# SpecialX12SA-VME-ID.* ALLOWX12SA-ID.* ALLOW WRITEACOAU-ACCU:OP-X12SA(\.VAL)? ALLOW WRITEACOAU-ACCU:ALARM-X12SA(\.VAL)? ALLOW WRITEX12SA-FE-.*:CLOSE4BL(\.VAL)? ALLOW WRITEX12SA-FE-.*:OPEN-BLMODE(\.VAL)? ALLOW WRITEX12SA-FE-FI1:WT_SET(\.VAL)? ALLOW WRITE

# block everything but my own status channels# to my beamline IP to prevent loops!X12SA-IMPGW.* DENY FROM 129.129.122.14



How can I see that a gateway has a problem?

■ Records on other networks ...►… are unavailable. (Most probable error)

● Is the record new? It might not match the filter pattern.

►… disconnect unexpectedly.►… take long to connect.►… update irregularly or delayed.



Diagnostic medm sceens■ medm -x gateways.adl

■ Should work on all SLS networks.■ From office net, type cam first.■ Launcher:

Not existing channels

Existing channels

Documents

Dirk Zimoch, Pikett Training 8.5.2008 Channel Access Gateway