Industrial Control Engineering UNICOS-PVSS evolution Hervé Milcent EN/ICE/SCD 07/10/2011 1

Industrial Control Engineering  Accessing BE/CO infrastructure  Description  Consequences on the daily work, deployment, access, etc.  Current operational release  Christmas release: Core, CPC  UNICOS in LabView  AOB:  Future release  web 07/10/20112 Outline

Industrial Control Engineering  PVSS manager except Ui in Linux  OWS = Ui in Windows and Linux  Linux Ui: accelerators operators (LHC, PS, etc.), from CCC  Windows Ui: CRYO operator, from CCC, local control room, trusted console from outside TN via terminal server  OWS: All panels, libs, etc. in Linux Server  Avoid having a copy in each OWS for each project  access via SAMBA (Windows) and NFS (Linux)  PVSS constraints:  Ui run-time: access in R/W in log and data folder and files  Ui editor: access in R/W in log, images, colorDB, panels, scripts, data, pictures  BE/CO infrastructure: 300 servers - 1/3 PVSS servers and a lot of Linux consoles  Installation of PVSS Server automated via transfer.ref  Synchronization of user and passwd in all servers via e-group :ACC-all containing all the allowed users.  NFS:  Automount to BE/CO NFS server  From each server in TN: access via NFS to all the others  SAMBA:  simple and easy configuration: no difference between Ui run-time and Ui editor  A user allowed via SAMBA = allowed to ssh in all the servers  PVSS project started with a service account: unicryo, qpsop, etc. 07/10/20113 PVSS and BE/CO infrastructure

Industrial Control Engineering  Refer to atlasecr security issue.  IT security issue with service account  Tracking who logs in  Once in a server, a user can access to all the others via NFS  Corrupt the PVSS project.  Many user may start the OWS Ui run-time, and should not have access to other servers 07/10/20114 Why protecting the access

Industrial Control Engineering  User must have a CERN account and has signed the OC5 rules  Access to a set of servers via SAMBA and ssh  PVSS servers are grouped and assigned with e-group of allowed user, e-group=ACC- UNICOS-xx (admin group to setup the e-group members: ACC-UNICOS-xx-admin), e.g.: ACC-UNICOS-cryolhc, ACC-UNICOS-cryolhc-admins  In this e-groups can only be:  Personal NICE account, like milcent  Operational account not defined as BE/CO op account like qpsop  A user can be in many e-group  A user not the e-group=no access via SAMBA, no ssh  Propagation of e-group content in 15 – 30 min (if no problem in IT)  Propagation of re-assignment of PVSS Server and e-group: every working day  Detailed info   No difference between a operator (UI run-time) and a developer (Ui editor)  Separate PVSS server for test and production  2 users  unicryo for EN/ICE production server use only, password known by ACC-UNICOS- admin (only EN/ICE staff: application responsible)  unitest for EN/ICE test purpose server  ACC-UNICOS-admin: sudoers in all PVSS servers 07/10/20115 BE/CO & EN/ICE proposal for Windows OWS: server configuration

Industrial Control Engineering  User must have a CERN account and has signed the OC5 rules  OWS console on the technical network (or trusted): as before (usually login with service account: e.g. lhcop)  From GPN (e.g. from the office):  PVSS developer, e.g. milcent, it is recommended to use a VPC (Virtual Personal Computer) and log in with NICE personal account  Operator: log in a terminal server provided by BE/CO as NICE personal account or service account  Outside CERN:  Log in cernts with NICE personal account  Then same procedure as from GPN 07/10/20116 BE/CO & EN/ICE proposal for Windows OWS: starting a OWS

Industrial Control Engineering  A user not in a e-group = no samba access, no ssh in both Server and Linux console  For accelerator related application, operators (except accelerator operators)  service and personal account will be allowed for log in BE/CO Windows terminal servers and Windows console in CCC for the operators, e.g. cryomoni, etc.  No access to Linux and Windows console in CCC (or trusted).  For experiment application, e.g. CRYO experiment, MCS, GCS, etc.  use personal account only in BE/CO Windows terminal servers.  No access to Linux and Windows console in CCC (or trusted).  Developers: use VPC (Virtual Personal Computer) 07/10/20117 BE/CO & EN/ICE proposal for Windows OWS: consequences

Industrial Control Engineering  Same strategy  ACC-UNICOS-admin added as sudoer in their PVSS server  VAC: use the same CMF package as for UNICOS for OWS 07/10/20118 BE/CO & EN/ICE proposal for Windows OWS: CRYO experiment, MCS, VAC

Industrial Control Engineering  Windows 7 and Windows 2008 access via SAMBA  BE/CO & IT  BE/CO & EN/ICE: configuration of folders and files protections  Validation of PVSS Ui in Windows 7, SLC 6, Windows 2008  BE/CO: provide SLC 6 and Windows 2008  EN/ICE/SCD: validation of PVSS Ui in all platform.  EN/ICE/SCD: PVSS installation  Procedure to get a VPC well configured  BE/CO  Procedure to get access to BE/CO terminal server with personal account  BE/CO  Cleaning list of users: remove all EN/ICE from ACC-all (except FESA developers, LabVIEW, ACC-UNICOS-admin) and re-assigning them to e-groups  EN/ICE/SCD & BE/CO  MODBUS port re-allocation:  EN/ICE & BE/CO 07/10/20119 BE/CO & EN/ICE proposal for Windows OWS: pending issues

Industrial Control Engineering  Go or not go to Linux server?  OWS Ui: log in terminal server with personal account  Security issue:  Server on TN  Access to the LHC Experiment TN  by default nfs automount between TN, experimental network  may need a custom installation   Still missing some servers (G1 type)  BE/CO: re-assigning servers ….  But if we don’t go …. ! 07/10/ GCS:

Industrial Control Engineering Question ? OK to proceed? 07/10/ BE/CO & EN/ICE proposal for Windows OWS

Industrial Control Engineering  300 servers  1/3 PVSS Servers  Many consoles  Limited resource number in BE/CO  Little pre-emptive maintenance  Action only when problem  Let’s try to reduce the list of servers and group project per shutdown time  E.g.: CNGS and POPS, CRYO and CIET portal  Consequence:  re-deployment in MOON and in servers  RBAC setup. 07/10/ BE/CO servers

Industrial Control Engineering Question ? OK to proceed? 07/10/ BE/CO servers

Industrial Control Engineering unicos-pvss for PVSS 3.8-SP2  Content (most important issues)  feature to ease the work of the standby service.  Remove spurious alarm: to have at the end a systemIntegrity alarm as a real alarm to be looked at  Handle the automatic restart of critical failing manager: LHCLogging  Request from POPS: EventList  Mandatory issue for CPC 6  Expert name: - expert name in UNICOS used for information only. No filtering, no search on expert name, the expert name is just used like a description  Device/unicos configuration: extra storage  Children/parent relationship  …  CPC 6 compatibility: import/export, widget/faceplate, CPC 6 functions  Unicos-pvss Core compatible with CPC 5 and other packages  Export/import WindowTree/TrendTree in XML  Distributed control: same notation as in the installation tool  no need to clean the config file  Import functions called from a PVSSctrl  allow an automatic import without the import panel  very useful for icemoon, NA62  Easy way to find systemIntegrity alarm value: useful for SBS  From SystemStatus, etc. not only from the systemIntegrity alarm panel.  Recipe: import, duplicate existing recipe instance, create new recipe instance, modify recipe instance 07/10/ current release: unicos-pvss PVSS 3.8-SP2

Industrial Control Engineering  unCore  Clean separation between component  Explanation of the systemIntegrity alarm in systemIntegrity view and Front-end diagnostic views  More check during the import: existing alias, MODBUS com&data  unSystemIntegrity  Configuration on remote system, stop/start of scripts  No kill of valarch during online backup  MAIL/SMS at startup configurable  unLHCServices  Bug fix in PVSS00Laser when dealing with alert 07/10/ Christmas release: unicos-pvss-5.2.1

Industrial Control Engineering  unCore:  Stop/start/add driver/simulator from import panel  Stop/start unicos scripts remotely  eventList/alarmList in faceplate  Comment on device  Device action: many privilege, list of action per domain/privilege  unSystemIntegrity  Bool to syatemIntegrity alarm 07/10/ Christmas release: issues may be included

Industrial Control Engineering 07/10/ Christmas release: CPC

Industrial Control Engineering  All remaining PVSS 3.6-SP2 servers  PVSS 3.8-SP2 and new hardware  need between ½ to 1 day intervention per server: no need to keep of IP like for CRYO  BE/CO: up to 10/day in parallel before Christmas, 6/day after  All packages must be ready for PVSS 3.8-SP2  Re-organizing servers and projects  pvss2, pops, cv, others?  Upgrade of installation tool 07/10/ Christmas: reminder

Industrial Control Engineering  CPC devices except AnalogParameter, DigitalParameter and WordParameter  Faceplate, widget, device action: 90% done, only run-time trend  Import: nearly 100% done  Device access control  Not yet, not sure if it will be included  Graphical Frame:  Tree device overview  not yet  EventList: based on 0.5sec time resolution  not yet  AlarmList  not yet  Panel design: old implementation  TrendTree/WindowTree: old implementation  Packaging:  not yet  TSPP S7 and Modbus frame decoding:  Linux: connection to Siemens OK  Windows: no connection yet to Siemens  Decoding: not yet done. 07/10/ News: UNICOS in LabView

Industrial Control Engineering  Web   Similar to JCOP  Missing EDMS.  Future release:  5.3.0: Spring-Summer  Comment on devices  Device action access control  5.4.0: End of 2012  XML import 07/10/ AOB