A New Production Environment for LCLS Controls System Ernest and Jingchen

Migrated to Standalone Production Environment Why needed? –Wide open and vulnerable –Dependent on SCCS services Not for production No 24/7 support Beyond our control Standalone? –The LCLS controls systems hosted on a secure and private network designed for production – CA network (Channel Access network) –All the services required by the controls system provided by MCC instead of SCCS The goal: –To improve the reliability –To improve the security –To improve the performance What missing: Transparency

Services Provided with CA NFS: file server for applications and data DHCP: bootp for network setting TFTP: loading up the kernel NTP: time synchronization DNS: “phone book” for network NIS: Authentication server for account management (in progress) Matlab License Server A cluster of application servers: daemons, elog, archivers, high level apps and etc. A cluster of OPIs: operational consoles Software packages: required to build controls applications Automated patching system Backup/Restore Network and system monitoring and diagnosis User support etc.

lcls-prod02: the Gateway to CA lcls-prod02 –A public machine on DMZ network –Access to CA via lcls-prod02 –Access to the public via lcls-prod02 Log in lcls-prod02 –From any public node in SLAC, e.g., your office desktop –ssh lcls-prod02 No password needed if RSA set properly Valid tokens: –type “tokens” to verify –kinit

lcls-srv01: Your Host on CA lcls-srv01 –On CA network –Served by our services Shared accounts –physics: a shared account for physicists –lclsops: a shared account for operations (e.g., operators in MCC) How to get to CA? –from lcls-prod02 –ssh No password needed if RSA set properly 1.on lcls-prod02, type “ssh-keygen –t rsa”, 2.responds all prompts with Return 3.ask KenB to authorize you for access –You are in the world of CA: lclshome, matlab, lclsarch, and etc.

OPIs: Your Operational Consoles on CA lcls-opi1[-4] –On CA network –In MCC, formerly called Kiosks lcls-opi5[-x] –On CA network –In sectors All are operations consoles and for production only Log in as lclsops –No more AFS token issue –Login session always kept on unless power outage –Production environment properly set Completely independent of SCCS services –No direct access to any public resources: , WEB, your AFS home directory –Log in lcls-prod02 if needed for public resources

In the CA World … lclshome, matlab, lclsarch, SCP button, and etc. Software release –Developed in public AFS/NFS, CVS repository in AFS –Remote cvs $ export $ cvs co $ cvs commit A quick and dirty release if not in CVS $ /. No push from DMZ to CA for now Public resource access –$ WEB: firefox Other applications in AFS Your SLAC $HOME directory in AFS: /afs/slac/u/ /

bash only tcsh: SLAC default login shell –$HOME/.login –$HOME/.cshrc bash: CA default login shell –$HOME/.bash_profile –$HOME/.bashrc. /usr/local/lcls/epics/setup/epicsReset.bash. /usr/local/lcls/tools/matlab/setup/matlabSetup.bash Shell scripts: #!/bin/bash -norc

Production Data /u1/lcls ~]$ ls /u1/lcls alh cmlog epics matlab physics slc sr_info tools Transparent to all nodes on CA as R/W –OPIs –IOCs Visible to nodes on DMZ as R Only –e.g., ssh lcls-prod02 from your office desktop –ls /mccfs2/u1/lcls Availability to the public via protocols like http is under study Data buffer –Any incremental data at high rate Only reasonable amount of data kept online on CA Old data will be staged over to SCCS for final storage in /nfs/slac/g/lcls –Log files trimmed on a regular basis –Other type of data kept online as long as needed

Application Filesystems /usr/local/lcls Transparent to all nodes on CA as R/W Not visible to any node on public networks, including DMZ Areas for physicists: –/usr/local/lcls/physics for applications –/u1/lcls/physics for data files –/home/physics – home directory for physics

The Goal Robust Secure Optimized