Subject: Re: procServer unix socket configuration
From: Han Lee via Tech-talk <tech-talk at aps.anl.gov>
To: Michael Davidsaver <mdavidsaver at gmail.com>
Cc: EPICS Tech Talk <tech-talk at aps.anl.gov>
Date: Mon, 23 May 2022 20:47:25 -0700
Hi Michael,

Unfortunately, the embedded system in which I am working doesn't have the python environment, and has quite limited applications which I can use. It is enough to cross-compile any software without proper toolchains for me. I don't want to add the python environment into that system.

Successfully, I compiled socat, screen, and procServ, with a heavily customized (by myself) vendor-provided cc toolchain, which is limited to doing full integration.

The system uses a "root" account to run an IOC with the old procServ. I want to make the system a bit more secure than what the vendor provides, due to network security concerns.

I evaluated socat, such as `socat UNIX-client://unix-socket stdio`. It perfectly works, but I cannot escape. So, I also do this within a screen; then I realize, why not just use the screen instead of procServ?

It was a simple question. I have enough answers to decide what to do on this embedded system.

Thank you always!

Best,
Han

On Mon, May 23, 2022 at 12:36 PM Michael Davidsaver <mdavidsaver at gmail.com> wrote:

On 5/23/22 12:06, Han Lee via Tech-talk wrote:
> Hi Ralph,
>
> I didn't look at the man page, because I only install the binary files into an embedded system.
>
> My first thought on seeing the introduction of the unix domain socket was to make a secure or completely isolated connection to procServ without any telnet service, in a similar way to what MariaDB (MySQL) does, which makes our LBNL IT security team happy.
>
> I am looking for a similar instruction, which should be an interactive console or session under USAGE, in case I am using the unix domain socket. Here is the existing man page text for telnet.
>
> ---- snip snip ---
> To connect to the IOC, log into the soft IOC's host and connect to port 20000 using
>
> telnet localhost 20000
>
> ---- snip snip ---
>
> For example,
> To connect to the IOC, log into the soft IOC's host and connect to ..........?????
"telnet" (aka. bsd telnet, aka linux-netkit) doesn't understand unix sockets.
I haven't been able to find any simple CLI program which does, and also processes
telnet escape sequences. You'll find references to use "nc" or "socat", which can
connect to unix sockets, but don't handle telnet escapes.
The conserver daemon can though. In fact the conserver integration in procServUtils
("manage-procs write-procs-cf") uses this.
https://github.com/ralphlange/procServ/blob/cd68a34da12ec156c4126932b62947ee195b6210/procServUtils/manage.py#L239-L243
Combining procServ, manage-procs, and conserver allows procServ over unix sockets only.
> Best,
> Han
>
>
>
>
> On Sat, May 21, 2022 at 10:16 AM Ralph Lange via Tech-talk <tech-talk at aps.anl.gov> wrote:
>
> I assume you did look at the man page...
>
> *unix:</path/to/socket>*::
> Bind to a named unix domain socket that will be created at the specified
> absolute or relative path. The server process must have permission to
> create files in the enclosing directory.
> The socket file will be owned by the uid and primary gid of the procServ
> server process with permissions 0666 (equivalent to a TCP socket bound to
> localhost).
>
> *unix:<user>:<group>:<perm>:</path/to/socket>*::
> Bind to a named unix domain socket that will be created at the specified
> absolute or relative path. The server process must have permission to
> create files in the enclosing directory.
> The socket file will be owned by the specified _<user>_ and _<group>_
> with _<perm>_ permissions.
> Any of _<user>_, _<group>_, and/or _<perm>_ may be omitted.
> E.g. "-P unix::grp:0660:/run/procServ/foo/control" will create the named
> socket with 0660 permissions and allow the "grp" group connect to it.
> This requires that procServ be run as root or a member of "grp".
>
> *unix:@</path/to/socket>*::
> Bind to an abstract unix domain socket (Linux specific).
> Abstract sockets do not exist on the filesystem, and have no permissions
> checks.
> They are functionally similar to a TCP socket bound to localhost,
> but identified with a name string instead of a port number.
>
> What additional information do you need?
>
> Cheers,
> ~Ralph
>
>
> On Sat, 21 May 2022 at 00:44, Han Lee via Tech-talk <tech-talk at aps.anl.gov> wrote:
>
> Hi,
>
> I am looking for any available documents regarding procServ unix socket options.
>
> Does anyone have information for a dummy like me?
>
> Best,
> Han
>
> --
> Jeong Han Lee, Dr.rer.nat
> Staff Scientist and Engineer
> Lawrence Berkeley National Laboratory
> 1 Cyclotron Road Mailstop 46R0161
> Berkeley, CA 94720, United States
> Tel :+1-510-486-6163
> Cell:+1-510-384-3868
>
--
Jeong Han Lee, Dr.rer.nat
Staff Scientist and Engineer
Lawrence Berkeley National Laboratory
1 Cyclotron Road Mailstop 46R0161
Berkeley, CA 94720, United States
Tel :+1-510-486-6163
Cell:+1-510-384-3868
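Michael's point above is that nc and socat can reach a procServ unix socket but hand the telnet escape sequences to the terminal untouched. The following is an added example, not code from this thread or from procServ: a small client that connects to a filesystem or abstract unix socket and answers telnet option negotiation by declining everything, so only console text reaches stdout. It assumes procServ's control socket speaks standard telnet negotiation (IAC DO/WILL/SB), as the thread implies, and takes the socket path as its one argument (e.g. the `/run/procServ/foo/control` path from Ralph's man page excerpt).

```python
# Added example (not from the thread or procServ): a unix-socket console that,
# unlike nc/socat, strips telnet IAC sequences and declines every option.
import select, socket, sys

IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240

def filter_telnet(data: bytes) -> "tuple[bytes, bytes]":
    """Split a chunk into (payload bytes, negotiation reply to send back)."""
    out, reply, i = bytearray(), bytearray(), 0
    while i < len(data):
        cmd = data[i + 1] if i + 1 < len(data) else None
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif cmd == IAC:                                # escaped 0xFF data byte
            out.append(IAC)
            i += 2
        elif cmd in (DO, DONT, WILL, WONT) and i + 2 < len(data):
            if cmd in (DO, WILL):                       # refuse every option offered
                reply += bytes([IAC, WONT if cmd == DO else DONT, data[i + 2]])
            i += 3
        elif cmd == SB:                                 # drop subnegotiation to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:                                           # NOP/GA/etc. or truncated
            i = min(i + 2, len(data))
    return bytes(out), bytes(reply)

def session(path: str) -> None:
    """Pump stdin<->socket, answering negotiation; '@name' = Linux abstract socket."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.connect("\0" + path[1:] if path.startswith("@") else path)
    while True:
        ready, _, _ = select.select([s, sys.stdin], [], [])
        if s in ready:
            chunk = s.recv(4096)
            if not chunk:
                return                                  # server closed the console
            payload, reply = filter_telnet(chunk)
            s.sendall(reply)                            # empty reply is a no-op
            sys.stdout.buffer.write(payload)
            sys.stdout.buffer.flush()
        if sys.stdin in ready:
            line = sys.stdin.buffer.readline()
            if not line:
                return                                  # EOF on stdin (Ctrl-D)
            s.sendall(line)

if __name__ == "__main__":
    session(sys.argv[1])
```

Ctrl-D on stdin ends the session cleanly, which is the "escape" Han found missing with plain socat.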