Subject: Re: Gateway on machine with two network cards and running many IOCs?
From: Ralph Lange <[email protected]>
To: Isabella Rey <[email protected]>, EPICS Tech-Talk <[email protected]>
Date: Fri, 22 Jan 2016 13:38:11 +0100
Hi Isabella,

The ability to bind to only one network (on machines with multiple networks) has been added to EPICS Base in the 3.15 series. There has been a bug, which can be fixed using a patch available on the known problems page. [1]
However, the "usual" setup would definitely have the GW running on a dedicated machine, and that machine would be the only one accessible from the outside. Depending on your cyber security requirements, adding a dedicated machine (which of course can be virtualized) may be an acceptable price to pay for guaranteed read-only access to IOCs running on servers that are unreachable behind a firewall.
I would generally not suggest running the GW on the same machine as IOCs. That is likely to create trouble, especially in multi-GW setups where you have to avoid loops through multiple GWs, which can be hard if requests from the same IP address may come from a GW or an IOC.
But - again - IOCs and GW may be virtualized. Running IOCs directly on a server with the GW running in a VM works fine, same as running the GW directly on the server and the IOCs in a VM (or multiple). With the latter approach you can nicely and easily "hide" IOCs so that they are only available on one of the server's networks.
Any clearer now?

Good luck,
~Ralph

[1] http://www.aps.anl.gov/epics/base/R3-15/3-docs/KnownProblems.html

On 22/01/2016 13:15, Isabella Rey wrote:
Hi All,

I have multiple servers, each running multiple IOCs (EPICS base 3.14.12.3), and each connected to two networks: the local lab network, and the site network.

In an ideal world, I would like to have read-write access to PVs from any machine within the lab network, but read-only access from the site network.

In a test environment, I've seen I should be able to do this by running a gateway on a dedicated machine connected to both networks, and with no IOCs running on it, and disconnecting all other servers from the site network. Fair enough, I have one solution, but having a dedicated server for the gateway seems a big waste...

Is there any way of setting up the servers so that by default they don't broadcast any PV to the site network? And then on top of that, could I have a gateway running on one of them (with some IOCs running on that server too) when I want to give read-only access to the site network?

I've looked into tech-talk, and found quite a few old threads related to this, but it looks like it's not possible. Is that still the case? The documentation for R3.14 talks about EPICS_CAS_INTF_ADDR_LIST, which should do the job, but it also says it's not implemented in R3.14 and previous releases...!

Cheers,
Isabella
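As an added example (not from the thread and not EPICS project code), here is the IOC-side interface pinning Ralph refers to, together with a check that the CA server really stopped listening on the site-facing interface. It assumes EPICS Base 3.15 with the known-problems patch applied, a constructed lab address of 192.168.10.5 and the default CA server port 5064; the `ss` output it parses is constructed sample data, not captured from a real host.

```shell
#!/bin/sh
# Added example: restrict an IOC's CA server to the lab interface and verify
# the listening sockets. Addresses and port are constructed assumptions.
LAB_ADDR="192.168.10.5"
CA_SERVER_PORT="5064"

# Environment to export before starting the IOC (EPICS Base 3.15 or later).
# EPICS_CAS_INTF_ADDR_LIST makes the CA server bind only to the listed
# interface address instead of every interface on the host.
ioc_env() {
    printf 'export EPICS_CAS_INTF_ADDR_LIST="%s"\n' "$LAB_ADDR"
    printf 'export EPICS_CAS_SERVER_PORT="%s"\n' "$CA_SERVER_PORT"
}

# Read `ss -Hlnut`-style lines on stdin (Netid State Recv-Q Send-Q Local:Port ...).
# Returns 0 when every socket on the CA port is bound to LAB_ADDR, 1 when any
# socket on that port sits on the wildcard (0.0.0.0, *, [::]) or another address.
check_ca_binding() {
    awk -v port="$CA_SERVER_PORT" -v lab="$LAB_ADDR" '
        {
            n = split($5, a, ":")
            p = a[n]
            addr = substr($5, 1, length($5) - length(p) - 1)
            if (p == port && addr != lab) { bad++; print "exposed: " $1 " " $5 }
        }
        END { if (bad > 0) exit 1; exit 0 }'
}

# Constructed sample outputs, shaped like `ss -Hlnut`, for offline testing.
SAMPLE_EXPOSED='udp   UNCONN 0 0   0.0.0.0:5064 0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:5064 0.0.0.0:*'
SAMPLE_PINNED='udp   UNCONN 0 0   192.168.10.5:5064 0.0.0.0:*
tcp   LISTEN 0 128 192.168.10.5:5064 0.0.0.0:*'

# Live use on the IOC host once it is running:  ss -Hlnut | check_ca_binding
```

A non-zero exit from the live check means the CA server is still reachable from the site network regardless of any gateway in front of it.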