
Industrial Control Engineering UNICOS-PVSS evolution 2011-2012 Hervé Milcent EN/ICE/SCD 07/10/2011 1.


1 Industrial Control Engineering: UNICOS-PVSS evolution 2011-2012, Hervé Milcent, EN/ICE/SCD, 07/10/2011

2 Outline
- Accessing BE/CO infrastructure
  - Description
  - Consequences on the daily work, deployment, access, etc.
- Current operational release
- Christmas release: Core, CPC
- UNICOS in LabView
- AOB:
  - Future release
  - Web

3 PVSS and BE/CO infrastructure
- PVSS manager except Ui in Linux
- OWS = Ui in Windows and Linux
  - Linux Ui: accelerator operators (LHC, PS, etc.), from CCC
  - Windows Ui: CRYO operator, from CCC, local control room, trusted console from outside TN via terminal server
- OWS: all panels, libs, etc. in Linux Server
  - Avoid having a copy in each OWS for each project
  - Access via SAMBA (Windows) and NFS (Linux)
- PVSS constraints:
  - Ui run-time: access in R/W in log and data folder and files
  - Ui editor: access in R/W in log, images, colorDB, panels, scripts, data, pictures
- BE/CO infrastructure: 300 servers - 1/3 PVSS servers and a lot of Linux consoles
  - Installation of PVSS Server automated via transfer.ref
  - Synchronization of user and passwd in all servers via e-group ACC-all, containing all the allowed users
- NFS:
  - Automount to BE/CO NFS server
  - From each server in TN: access via NFS to all the others
- SAMBA:
  - Simple and easy configuration: no difference between Ui run-time and Ui editor
  - A user allowed via SAMBA = allowed to ssh in all the servers
- PVSS project started with a service account: unicryo, qpsop, etc.

4 Why protecting the access
- Refer to atlasecr security issue.
- IT security issue with service account
  - Tracking who logs in
- Once in a server, a user can access all the others via NFS
  - Corrupt the PVSS project.
- Many users may start the OWS Ui run-time, and should not have access to other servers

5 BE/CO & EN/ICE proposal for Windows OWS: server configuration
- User must have a CERN account and have signed the OC5 rules
- Access to a set of servers via SAMBA and ssh
- PVSS servers are grouped and assigned an e-group of allowed users, e-group = ACC-UNICOS-xx (admin group to set up the e-group members: ACC-UNICOS-xx-admin), e.g.: ACC-UNICOS-cryolhc, ACC-UNICOS-cryolhc-admins
- These e-groups can contain only:
  - Personal NICE account, like milcent
  - Operational account not defined as BE/CO op account, like qpsop
- A user can be in many e-groups
- A user not in the e-group = no access via SAMBA, no ssh
- Propagation of e-group content in 15 – 30 min (if no problem in IT)
- Propagation of re-assignment of PVSS Server and e-group: every working day
- Detailed info: https://cern.ch/en-ice/Accessing+BE-CO+Linux+PVSS+Server
- No difference between an operator (UI run-time) and a developer (Ui editor)
- Separate PVSS server for test and production
- 2 users
  - unicryo for EN/ICE production server use only, password known by ACC-UNICOS-admin (only EN/ICE staff: application responsible)
  - unitest for EN/ICE test purpose server
- ACC-UNICOS-admin: sudoers in all PVSS servers

6 BE/CO & EN/ICE proposal for Windows OWS: starting an OWS
- User must have a CERN account and have signed the OC5 rules
- OWS console on the technical network (or trusted): as before (usually login with service account, e.g. lhcop)
- From GPN (e.g. from the office):
  - PVSS developer, e.g. milcent: it is recommended to use a VPC (Virtual Personal Computer) and log in with NICE personal account
  - Operator: log in to a terminal server provided by BE/CO with NICE personal account or service account
- Outside CERN:
  - Log in to cernts with NICE personal account
  - Then same procedure as from GPN

7 BE/CO & EN/ICE proposal for Windows OWS: consequences
- A user not in an e-group = no samba access, no ssh in both Server and Linux console
- For accelerator related application, operators (except accelerator operators)
  - Service and personal accounts will be allowed to log in to BE/CO Windows terminal servers and Windows console in CCC for the operators, e.g. cryomoni, etc.
  - No access to Linux and Windows console in CCC (or trusted).
- For experiment application, e.g. CRYO experiment, MCS, GCS, etc.
  - Use personal account only in BE/CO Windows terminal servers.
  - No access to Linux and Windows console in CCC (or trusted).
- Developers: use VPC (Virtual Personal Computer)

8 BE/CO & EN/ICE proposal for Windows OWS: CRYO experiment, MCS, VAC
- Same strategy
- ACC-UNICOS-admin added as sudoer in their PVSS server
- VAC: use the same CMF package as for UNICOS for OWS

9 BE/CO & EN/ICE proposal for Windows OWS: pending issues
- Windows 7 and Windows 2008 access via SAMBA
  - BE/CO & IT
  - BE/CO & EN/ICE: configuration of folders and files protections
- Validation of PVSS Ui in Windows 7, SLC 6, Windows 2008
  - BE/CO: provide SLC 6 and Windows 2008
  - EN/ICE/SCD: validation of PVSS Ui on all platforms
  - EN/ICE/SCD: PVSS installation
- Procedure to get a VPC well configured
  - BE/CO
- Procedure to get access to BE/CO terminal server with personal account
  - BE/CO
- Cleaning list of users: remove all EN/ICE from ACC-all (except FESA developers, LabVIEW, ACC-UNICOS-admin) and re-assigning them to e-groups
  - EN/ICE/SCD & BE/CO
- MODBUS port re-allocation:
  - EN/ICE & BE/CO

10 GCS:
- Go or not go to Linux server?
- OWS Ui: log in terminal server with personal account
- Security issue:
  - Server on TN
  - Access to the LHC Experiment TN
  - By default nfs automount between TN, experimental network
  - May need a custom installation
- Still missing some servers (G1 type)
  - BE/CO: re-assigning servers ….
- But if we don’t go …. !

11 BE/CO & EN/ICE proposal for Windows OWS
Question? OK to proceed?

12 BE/CO servers
- 300 servers
  - 1/3 PVSS Servers
- Many consoles
- Limited resource number in BE/CO
  - Little pre-emptive maintenance
  - Action only when problem
- Let’s try to reduce the list of servers and group project per shutdown time
  - E.g.: CNGS and POPS, CRYO and CIET portal
- Consequence:
  - Re-deployment in MOON and in servers
  - RBAC setup.

13 BE/CO servers
Question? OK to proceed?

14 current release: unicos-pvss-5.2.0 PVSS 3.8-SP2
- unicos-pvss-5.2.0 for PVSS 3.8-SP2
- Content (most important issues)
  - Feature to ease the work of the standby service.
  - Remove spurious alarm: to have at the end a systemIntegrity alarm as a real alarm to be looked at
  - Handle the automatic restart of critical failing manager: LHCLogging
  - Request from POPS: EventList
  - Mandatory issue for CPC 6
  - Expert name: expert name in UNICOS used for information only. No filtering, no search on expert name, the expert name is just used like a description
  - Device/unicos configuration: extra storage
  - Children/parent relationship
  - …
- CPC 6 compatibility: import/export, widget/faceplate, CPC 6 functions
- Unicos-pvss Core compatible with CPC 5 and other packages
- Export/import WindowTree/TrendTree in XML
- Distributed control: same notation as in the installation tool
  - No need to clean the config file
- Import functions called from a PVSSctrl
  - Allow an automatic import without the import panel
  - Very useful for icemoon, NA62
- Easy way to find systemIntegrity alarm value: useful for SBS
  - From SystemStatus, etc. not only from the systemIntegrity alarm panel.
- Recipe: import, duplicate existing recipe instance, create new recipe instance, modify recipe instance

15 Christmas release: unicos-pvss-5.2.1
- unCore
  - Clean separation between components
  - Explanation of the systemIntegrity alarm in systemIntegrity view and Front-end diagnostic views
  - More checks during the import: existing alias, MODBUS com&data
- unSystemIntegrity
  - Configuration on remote system, stop/start of scripts
  - No kill of valarch during online backup
  - MAIL/SMS at startup configurable
- unLHCServices
  - Bug fix in PVSS00Laser when dealing with alert

16 Christmas release: issues may be included
- unCore:
  - Stop/start/add driver/simulator from import panel
  - Stop/start unicos scripts remotely
  - eventList/alarmList in faceplate
  - Comment on device
  - Device action: many privilege, list of action per domain/privilege
- unSystemIntegrity
  - Bool to systemIntegrity alarm

17 Christmas release: CPC

18 Christmas: reminder
- All remaining PVSS 3.6-SP2 servers
  - PVSS 3.8-SP2 and new hardware
  - need between ½ to 1 day intervention per server: no need to keep of IP like for CRYO
  - BE/CO: up to 10/day in parallel before Christmas, 6/day after
- All packages must be ready for PVSS 3.8-SP2
- Re-organizing servers and projects
  - pvss2, pops, cv, others?
- Upgrade of installation tool

19 News: UNICOS in LabView
- CPC devices except AnalogParameter, DigitalParameter and WordParameter
  - Faceplate, widget, device action: 90% done, only run-time trend
  - Import: nearly 100% done
- Device access control
  - Not yet, not sure if it will be included
- Graphical Frame:
  - Tree device overview: not yet
  - EventList: based on 0.5sec time resolution, not yet
  - AlarmList: not yet
  - Panel design: old implementation
  - TrendTree/WindowTree: old implementation
- Packaging: not yet
- TSPP S7 and Modbus frame decoding:
  - Linux: connection to Siemens OK
  - Windows: no connection yet to Siemens
  - Decoding: not yet done.

20 AOB
- Web
  - http://cern.ch/en-ice/UNICOS
  - Similar to JCOP
  - Missing EDMS.
- Future release:
  - 5.3.0: Spring-Summer
    - Comment on devices
    - Device action access control
  - 5.4.0: End of 2012
    - XML import

