Experimental Physics and Industrial Control System
Hi Isabella,
The ability to bind to only one network (on machines with multiple
networks) has been added to EPICS Base in the 3.15 series.
There has been a bug, which can be fixed using a patch available on the
known problems page. [1]
However, the "usual" setup would definitely have the GW running on a
dedicated machine, and that machine would be the only one accessible
from the outside.
Depending on your cyber security requirements, adding a dedicated
machine (which of course can be virtualized) may be an acceptable price
to pay for guaranteed read-only access to IOCs running on servers that
are unreachable behind a firewall.
I would generally not suggest running the GW on the same machine as
IOCs. That is likely to create trouble, especially in multi-GW setups
where you have to avoid loops through multiple GWs, which can be hard if
requests from the same IP address may come from a GW or an IOC.
But - again - IOCs and GW may be virtualized. Running IOCs directly on a
server with the GW running in a VM works fine, same as running the GW
directly on the server and the IOCs in a VM (or multiple). With the
latter approach you can nicely and easily "hide" IOCs so that they are
only available on one of the server's networks.
Any clearer now?
Good luck,
~Ralph
[1] http://www.aps.anl.gov/epics/base/R3-15/3-docs/KnownProblems.html
On 22/01/2016 13:15, Isabella Rey wrote:
Hi All,
I have multiple servers, each running multiple IOCs (EPICS base
3.14.12.3), and each connected to two networks: the local lab network,
and the site network.
In an ideal world, I would like to have read-write access to PVs from
any machine within the lab network, but read-only access from the site
network.
In a test environment, I've seen I should be able to do this by
running a gateway on a dedicated machine connected to both networks,
and with no IOCs running on it, and disconnecting all other servers
from the site network. Fair enough, I have one solution, but having a
dedicated server for the gateway seems a big waste...
Is there any way of setting up the servers so that by default they
don't broadcast any PV to the site network? And then on top of that,
could I have a gateway running on one of them (with some IOCs running
on that server too) when I want to give read-only access to the site
network?
I've looked into tech-talk, and found quite a few old threads related
to this, but it looks like it's not possible. Is that still the case?
The documentation for R3.14 talks about EPICS_CAS_INTF_ADDR_LIST,
which should do the job, but it also says it's not implemented in
R3.14 and previous releases...!
Cheers,
Isabella
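The setup Ralph describes and the EPICS_CAS_INTF_ADDR_LIST setting Isabella asks about, written out as an added example (this is not code from the thread or from the EPICS project). It generates a pvlist and an access-security file for a read-only CA Gateway, prints the gateway command line that binds the server side to the site-network interface only, and prints the environment an IOC host on EPICS Base 3.15 would use to serve on the lab interface only. The IP addresses, file names, the `DIR` argument and the `show` argument are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): read-only CA Gateway on a host with two
# interfaces, plus the IOC-side settings for EPICS Base 3.15.
# The addresses below are assumptions for illustration only.
SITE_IF_IP="${SITE_IF_IP:-10.20.0.5}"        # gateway host, site-network interface
LAB_BCAST="${LAB_BCAST:-192.168.50.255}"     # lab-network broadcast address

# Write the gateway's PV list and access-security files into DIR.
write_gateway_config() {
    dir="$1"
    mkdir -p "$dir" || return 1
    # gateway.pvlist: every PV is exposed, under access security group DEFAULT.
    cat > "$dir/gateway.pvlist" <<'EOF'
.*      ALLOW
EOF
    # gateway.access: DEFAULT grants READ and nothing else. EPICS access
    # security is deny-by-default, so with no WRITE rule every caput that
    # arrives through the gateway is refused, whatever the client host or user.
    cat > "$dir/gateway.access" <<'EOF'
ASG(DEFAULT) {
    RULE(1,READ)
}
EOF
}

# Return 0 only if the access file grants no WRITE anywhere.
access_is_readonly() {
    ! grep -q 'WRITE' "$1/gateway.access"
}

# Gateway command line: -sip binds the server side to the site interface only
# (the gateway's equivalent of EPICS_CAS_INTF_ADDR_LIST); -cip is where the
# gateway looks for PVs (its EPICS_CA_ADDR_LIST), i.e. the lab network.
gateway_command() {
    dir="$1"
    printf 'gateway -sip %s -cip %s -pvlist %s/gateway.pvlist -access %s/gateway.access\n' \
        "$SITE_IF_IP" "$LAB_BCAST" "$dir" "$dir"
}

# Environment for an IOC host on EPICS Base 3.15 (with the known-problems
# patch applied): serve on the lab interface only and send beacons only to
# the lab broadcast address, so nothing is announced on the site network.
ioc_environment() {
    ioc_lab_ip="$1"
    printf 'export EPICS_CAS_INTF_ADDR_LIST=%s\n' "$ioc_lab_ip"
    printf 'export EPICS_CAS_AUTO_BEACON_ADDR_LIST=NO\n'
    printf 'export EPICS_CAS_BEACON_ADDR_LIST=%s\n' "$LAB_BCAST"
}

# Usage: sh gateway_example.sh show
if [ "${1:-}" = "show" ]; then
    d=$(mktemp -d)
    write_gateway_config "$d"
    gateway_command "$d"
    ioc_environment 192.168.50.10
fi
```

Two points worth keeping in mind with this layout. Lab-network clients get read-write access by talking to the IOCs directly, not through the gateway, which is why the access file needs no HAG entries at all (HAG members are host names resolved when the file is loaded, not subnets, so "every machine on the lab network" would be awkward to express there anyway). And the IOC-side EPICS_CAS_INTF_ADDR_LIST is what stops a site-network client from bypassing the gateway with a unicast connection to the IOC host's site address; on 3.14 that variable is not implemented, so there the firewall Ralph mentions is doing all the work.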
ANJ, 15 Jul 2016