Subject: Fwd: Gateway on machine with two network cards and running many IOCs?
From: Isabella Rey <[email protected]>
To: "[email protected]" <[email protected]>
Date: Fri, 22 Jan 2016 14:46:28 +0000
Hi Isabella,
The ability to bind to only one network (on machines with multiple networks) has been added to EPICS Base in the 3.15 series.
There has been a bug, which can be fixed using a patch available on the known problems page. [1]
However, the "usual" setup would definitely have the GW running on a dedicated machine, and that machine would be the only one accessible from the outside.
Depending on your cyber security requirements, adding a dedicated machine (which of course can be virtualized) may be an acceptable price to pay for guaranteed read/only access to IOCs running on servers that are unreachable behind a firewall.
I would generally not suggest running the GW on the same machine as IOCs. That is likely to create trouble, especially in multi-GW setups where you have to avoid loops through multiple GWs, which can be hard if requests from the same IP address may come from a GW or an IOC.
But - again - IOCs and GW may be virtualized. Running IOCs directly on a server with the GW running in a VM works fine, same as running the GW directly on the server and the IOCs in a VM (or multiple). With the latter approach you can nicely and easily "hide" IOCs so that they are only available on one of the server's networks.
Any clearer now?
Good luck,
~Ralph
[1] http://www.aps.anl.gov/epics/base/R3-15/3-docs/KnownProblems.html
On 22/01/2016 13:15, Isabella Rey wrote:
Hi All,
I have multiple servers, each running multiple IOCs (EPICS base 3.14.12.3), and each connected to two networks: the local lab network, and the site network.
In an ideal world, I would like to have read-write access to PVs from any machine within the lab network, but read-only access from the site network.
In a test environment, I've seen I should be able to do this by running a gateway on a dedicated machine connected to both networks, and with no IOCs running on it, and disconnecting all other servers from the site network. Fair enough, I have one solution, but having a dedicated server for the gateway seems a big waste...
Is there any way of setting up the servers so that by default they don't broadcast any PV to the site network? And then on top of that, could I have a gateway running on one of them (with some IOCs running on that server too) when I want to give read-only access to the site network?
I've looked into tech-talk, and found quite a few old threads related to this, but it looks like it's not possible. Is that still the case? The documentation for R3.14 talks about EPICS_CAS_INTF_ADDR_LIST, which should do the job, but it also says it's not implemented in R3.14 and previous releases...!
Cheers,
Isabella
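The setup the two messages above describe, written out as an added example (this is not code from Ralph, Isabella, or the EPICS project): one dual-homed server whose 3.15 IOCs bind their CA server to the lab interface only, and a CA Gateway that serves the site interface read-only. Every address, path and file name is constructed; the gateway options used (-sip, -cip, -access, -pvlist, -home) are the CA Gateway's documented command-line switches, but confirm them against `gateway -help` for your build. The last function is a check that a practitioner would want after deploying this: it reads `ss -ltnu` output and fails if any IOC's UDP 5064 socket is bound to anything other than the lab address (so an IOC still listening on 0.0.0.0 or on the site address is caught).

```shell
#!/bin/sh
# Added example, not from the thread: one dual-homed server with EPICS 3.15 IOCs
# bound to the lab interface and a CA Gateway serving the site interface read-only.
# All addresses, paths and file names below are constructed for illustration.

LAB_IP="192.168.10.21"       # assumed: this server's lab-network address
LAB_BCAST="192.168.10.255"   # assumed: lab-network broadcast address
SITE_IP="10.20.30.21"        # assumed: this server's site-network address
GW_HOME="${GW_HOME:-/tmp/gw-example}"   # assumed: where the gateway config is written

# Environment for each IOC (EPICS Base 3.15 or later): the CA server binds only to
# the given interface and beacons go only to the given broadcast address.
# On 3.14.12 EPICS_CAS_INTF_ADDR_LIST is not implemented, so this has no effect there.
ioc_env() {
  cat <<EOF
export EPICS_CAS_INTF_ADDR_LIST="$1"
export EPICS_CAS_AUTO_BEACON_ADDR_LIST=NO
export EPICS_CAS_BEACON_ADDR_LIST="$2"
EOF
}

# Gateway access security file: one default group with a READ rule and no WRITE
# rule, so anyone reaching the gateway's server side (the site network) gets reads only.
gw_access_file() {
  cat <<'EOF'
ASG(DEFAULT) {
    RULE(1,READ)
}
EOF
}

# Gateway PV list: expose every PV name. Narrow the pattern if only some PVs
# should be visible from the site network.
gw_pvlist_file() {
  cat <<'EOF'
EVALUATION ORDER ALLOW, DENY
.* ALLOW
EOF
}

# Write both files and print the gateway command line: -sip is the interface the
# gateway serves on (site side), -cip the address list it searches for IOCs (lab side).
gw_setup() {
  mkdir -p "$GW_HOME"
  gw_access_file > "$GW_HOME/GATEWAY.access"
  gw_pvlist_file > "$GW_HOME/GATEWAY.pvlist"
  printf 'gateway -sip %s -cip %s -access %s -pvlist %s -home %s\n' \
    "$SITE_IP" "$LAB_BCAST" "$GW_HOME/GATEWAY.access" "$GW_HOME/GATEWAY.pvlist" "$GW_HOME"
}

# Check: feed 'ss -ltnu' output on stdin; succeed only if every UDP socket on the CA
# server port 5064 is bound to the given address. Every IOC on the host binds UDP 5064
# (its TCP port may move when several IOCs share a host), so this catches an IOC that
# is still listening on 0.0.0.0 or on the site address.
ca_bound_only_to() {
  awk -v want="$1" '
    $1 == "udp" && $5 ~ /:5064$/ { sub(/:5064$/, "", $5); if ($5 != want) bad++ }
    END { exit (bad ? 1 : 0) }'
}

# Usage on the server (not run here):
#   ioc_env "$LAB_IP" "$LAB_BCAST" > /etc/epics/ioc-lab.env   # source before starting each IOC
#   gw_setup                                                   # then run the printed command
#   ss -ltnu | ca_bound_only_to "$LAB_IP" && echo "IOCs listen on the lab side only"
```

The IOC-side binding is what makes the single-server layout Isabella asked about possible at all; without it (as on 3.14.12) every IOC answers searches on both interfaces, and the gateway's read-only rule protects nothing. Ralph's loop concern also still applies: with IOCs and the gateway sharing one host, keep the gateway's -cip list pointed at the lab side only.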