Thanks for catching my typo! That
explains why I changed my startup to use localhost and went back to hardcoding
the IP it still worked. I had a typo in the local host IP in my –cip parameter!
I feel dumb know but a lot better for
knowing why it wasn’t working J
Behalf Of Ralph Lange
Sent: Thursday, May 19, 2011 12:17
Subject: Re: problem with gateway
and softIoc running on same server
All (soft) IOCs run the rsrv server code, so they will bind to all network
The Gateway runs the CAS server code, so it will honor EPICS_CAS_INTF_ADDR_LIST
and only bind to the interface(s) defined therein.
In your log, the Gateway is configured not to use a broadcast to find channels.
Its client end points to 18.104.22.168:8164 and 192.168.134.51:8064, so it
will only find channels on these two addresses/ports.
Its server end is configured to 22.214.171.124, which obviously is in a third
As you say the server only has two network cards - is that a typo, maybe?
As Dirk pointed out, you can run multiple soft IOCs on a server. (I've heard of
installations running 200+ soft IOCs on one box.) You won't be able to reliably
contact PVs on that host when using unicast name resolution, i.e. when the
client sets EPICS_CA_AUTO_ADDR_LIST=NO and addresses in EPICS_CA_ADDR_LIST.
Running soft IOCs and a Gateway on one host means a client can in general
always access the Gateway and the soft IOCs (directly). There is no way to make
a soft IOC "hide" itself from one of the existing networks. You can
obfuscate things by running the soft IOC on a different port, but a client that
connects to that port will still see the soft IOC channels directly. If you
want to securely hide the soft IOC from a client, the soft IOC must either run
on a different machine behind the Gateway (seen from the client), on a network
the client can not access, or you have to setup the firewall to not allow
access to the special port from the client's network.
Note: On PC hardware, you may create a private network for the soft IOC using
virtualization techniques. Running the soft IOC on a virtual machine connected
to the server by a host-only network will make the soft IOC inaccessible from
the client, but allow a Gateway running on that server to connect to the soft
IOC through the host-only net.
Running a CA client (e.g. caget) on the server with no environment setting will
always return multiple hits, as the soft IOC is visible on all configured
network interfaces. When you set EPICS_CA_AUTO_ADDR_LIST=NO (to shut off
broadcasts) and EPICS_CA_ADDR_LIST to exactly one of the configured network addresses,
you should be able to connect without warnings.
For your setup, running the soft IOC with a special server port, and mentioning
exactly one of its addresses in the Gateway's EPICS_CA_ADDR_LIST should work.
If you setup the firewall to block access to the special port from the client's
network, this should even be quite secure. You could further narrow it down by
the firewall only allowing access to the special port from localhost, in which
case everyone except the server has to go through the Gateway.
On 19.05.2011 05:49 Kevin Tsubota wrote:
I want a gateway to publish PVs from
192.168.134.51:8064 which is on a private network connected to 126.96.36.199
(where a softIoc is already running) because I can’t access this private
I have the situation where I have a solaris-8 server
(188.8.131.52) with two network cards. One goes to our observatory
network and the other goes to a private network running a windows based softIoc
(192.168.134.51). Now I need access to the PVs of the widows softIoc from
other IPs on the observatory network.
I can successfully get the gateway to publish the
windows softIoc PVs without any problems. However, I have a solaris
softIoc running on the same server as the gateway and this is where I’m
having problems. I’ve tried using different EPICS_CA_SERVER_PORTS for
both IOCs but no matter what I try I can’t get the gateway to see the
solaris IOC on the same IP. If I manually set my EPICS_CA_SERVER_PORT at
the command line then issue a caget, it successfully returns the PV value but
it reports that there’s multiple instances of the PV.
My question is: can a gateway co-exist with a softIoc
in the same ip address?
If so, what do I need to do to make it happen?
Using different EPICS_CA_SERVER_PORTs doesn’t seem to be it.
Is this related to the fact that I can’t run multiple softIocs on the
same server unless I change port numbers? In which case I’d want a
gateway to interface to them as well.
Here’s my startup command run on the solaris
-debug 1 -pvlist k1lmct.pvlist -access GATEWAY.access -home $HOME -log
k1lmct.log -sip "184.108.40.206" -sport 5064 -cip
"220.127.116.11:8164 192.168.134.51:8064" -prefix k1:lmct:gateway&
Here’s the start of the debug output log:
PV Gateway Version 18.104.22.168
[Feb 20 2008 16:27:23]
EPICS 3.14.9 PID=13539
Thank you in advance!
W.M. Keck Observatory