EPICS CA Tunneling with SSH
Till Straumann, July 21, 2011
Overview
• Introduction; CA Basics
• Basic Idea
  – CA-TCP tunneling
  – CA-UDP proxy + tunneling
• The 'caxy' program
• Prerequisites
• Tunnel Setup / Examples
• Summary
Introduction – CA Basics
• EPICS Channel Access uses UDP to locate a PV and a TCP connection between CA client and CA server (IOC) for 'real' data transfer.
– Client issues a UDP 'CA SEARCH' request for PV 'name' to all addresses listed in EPICS_CA_ADDR_LIST (default: LAN broadcast address) and to an automatically created list based on the interface address(es) (if EPICS_CA_AUTO_ADDR_LIST==YES).
– Server/IOC hosting the PV sends UDP reply providing server IP-addr and port.
– Client opens (or uses existing) TCP connection to server using info from UDP reply. Further CA traffic goes via this TCP connection.
[Figure: IOC-1 hosts PVs 'Fred', 'Lisa', ...; IOC-2 hosts PVs 'Raúl', 'Eva', ...; Client-1 reads 'Eva': UDP broadcast CA_SEARCH 'Eva' → UDP reply from IOC-2 → TCP connection (PV data).]
Purpose of this Talk
• Most IOCs are not reachable from the internet but are connected to isolated networks.
• CA clients must reside on the same, or a 'close' network (passing the firewall) or use a cumbersome CA gateway.
➔ Working remotely (e.g., on a beach in Mexico) is painful (run slow GUI connections to a CA client such as edm @ SLAC).
➔ Can only use client software that is installed at SLAC (wanna use the latest matlab you have on your laptop?) or must write data to files and copy them around.
➔ Wouldn't it be desirable to be able to run CA clients on a remote machine and tunnel CA through a secure connection?
[Figure: Laptop with CA client on the Internet → ssh server on lcls-builder → LCLS Controls network with IOCs; labelled 'CA via SSH'.]
CA Tunneling
• How can we tunnel CA connections?
• CA uses TCP and UDP; both must be tunneled.
• Discuss TCP tunnel first, UDP afterwards.
CA TCP Tunnel
• Tunneling TCP is easy (using ssh port-forwarding). E.g.,
  ssh -L 5064:iocXY:5064 user@lcls-builder
  would allow me to access iocXY as if it were on my laptop @ localhost:5064. (Showed you how to create a multi-hop tunnel last time.)
• Problems with this approach:
  – Would have to use '-L' for each IOC (but cannot share the same local port 5064)
  – Need to know the IOCs I want to connect to in advance (losing the beauty of CA: it should be transparent where a PV is hosted)
• Solution: use ssh's SOCKS proxy server feature (see last talk) to connect to arbitrary IOCs:
  ssh -D 1080 user@lcls-builder
  socksify caget some_pv
CA UDP Tunnel
• Above example does not work, of course, because there is no tunnel for UDP yet (hence caget doesn't know which IOC/port to connect to in order to get 'some_pv').
• Note: even though SOCKS5 defines a UDP feature this is not implemented by ssh's SOCKS server. Also, SOCKS5/UDP only works for 'outgoing' (request/reply-type of) traffic. Impossible to feed CA beacons from IOC to client with SOCKS5/UDP (even if it were available).
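What the proxifier does on behalf of caget for every TCP connection, and why the UDP search cannot take the same path, can be made concrete with a small SOCKS5 exchange. The following is an added example, not code from the talk or from ssh/caxy; the toy server models a CONNECT-only proxy like the ssh -D server described above, but its handling of other commands (a 0x07 "command not supported" reply from RFC 1928) is this example's choice, and it does not actually open the target connection. Both halves run in one process over a socketpair.

```python
import socket
import struct
import threading

SOCKS_VERSION = 5
NO_AUTH = 0x00
CMD_CONNECT, CMD_UDP_ASSOCIATE = 0x01, 0x03
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REP_SUCCESS, REP_CMD_NOT_SUPPORTED = 0x00, 0x07


def client_greeting():
    # version 5, one authentication method offered: "no authentication"
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def client_request(cmd, host, port):
    """Encode a SOCKS5 request; dotted-quad hosts go as IPv4, others as domain names
    (a SOCKS-aware client can leave name resolution to the 'inside' end)."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:
        name = host.encode()
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, cmd, 0x00]) + addr + struct.pack(">H", port)


def parse_request(data):
    """Decode version, command, destination host and port of a SOCKS5 request."""
    ver, cmd, _rsv, atyp = data[0], data[1], data[2], data[3]
    if atyp == ATYP_IPV4:
        host, rest = socket.inet_ntoa(data[4:8]), data[8:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, rest = data[5:5 + n].decode(), data[5 + n:]
    else:
        raise ValueError("address type not handled in this toy")
    return ver, cmd, host, struct.unpack(">H", rest[:2])[0]


def toy_socks_server(conn):
    """Serve one client: CONNECT is accepted, anything else (BIND, UDP ASSOCIATE)
    is refused. Assumption of this toy: refusal is reported with reply code 0x07.
    No real connection is made; the bound address in the reply is all zeros."""
    conn.recv(3)                                    # greeting (we only offer NO_AUTH)
    conn.sendall(bytes([SOCKS_VERSION, NO_AUTH]))   # method selection
    _ver, cmd, host, port = parse_request(conn.recv(262))
    rep = REP_SUCCESS if cmd == CMD_CONNECT else REP_CMD_NOT_SUPPORTED
    conn.sendall(bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4]) + b"\0" * 6)
    conn.close()
    return cmd, host, port, rep


def socks_exchange(cmd, host, port):
    """Run the client side against the toy server over a socketpair.
    Returns (reply code, (cmd, host, port) as decoded by the server)."""
    c, s = socket.socketpair()
    seen = []
    t = threading.Thread(target=lambda: seen.append(toy_socks_server(s)))
    t.start()
    c.sendall(client_greeting())
    ver, method = c.recv(2)
    if ver != SOCKS_VERSION or method != NO_AUTH:
        raise RuntimeError("unexpected method selection")
    c.sendall(client_request(cmd, host, port))
    reply = c.recv(10)          # ver, rep, rsv, atyp, 4-byte addr, 2-byte port
    t.join()
    c.close()
    return reply[1], seen[0][:3]


if __name__ == "__main__":
    # TCP to an 'inside' IOC address (constructed) goes through: the caget case
    print(socks_exchange(CMD_CONNECT, "134.79.1.2", 5064))
    # the UDP side of CA has no equivalent here: UDP ASSOCIATE is refused
    print(socks_exchange(CMD_UDP_ASSOCIATE, "0.0.0.0", 0))
```

The second call is the gap the rest of the talk fills: even a server that did implement UDP ASSOCIATE would only relay request/reply traffic initiated from the client side, so unsolicited IOC beacons still need a separate channel.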
CA/UDP Tunnel Implementation
• For the following we use the terms
  – 'outside': network where the CA client is connected. No direct CA connectivity to the IOC.
  – 'inside': network where the CA servers/IOCs reside.
• Basic idea is simple:
  – Execute a proxy CA server (UDP part only) on the 'outside'. It forwards received UDP frames ('serialized') into a secure TCP connection and unpacks serialized UDP frames from the TCP connection and sends them out as UDP frames on the 'outside'.
  – Execute a proxy CA client on the 'inside'. It receives serialized UDP frames from the TCP connection and sends them out on the 'inside' network. Any UDP replies are 'serialized' and forwarded to the 'outside' proxy via TCP.
[Figure: 'outside' – CA client → CA/UDP proxy server (port 5064) → secure TCP link → 'inside' – CA/UDP proxy client → CA server (IOC). The CA_SEARCH request (broadcast) travels outside → inside as UDP, the reply travels back the same way.]
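The whole round trip of one search through the two proxies can be walked step by step in a single process. The following is an added example, not caxy's code: the 16-byte CA header layout (command, payload size, data type, data count, parameter 1, parameter 2, big-endian) and the search request/reply fields are those of the CA protocol, but the 4-byte length prefix used to 'serialize' datagrams into the TCP stream, the use of a socketpair in place of the ssh-forwarded link, and the PV names are this example's own constructions. It also handles one edge case the slides do not spell out: an IOC may answer with the wildcard server address 0xFFFFFFFF ("use the source address of this packet"), which after tunneling would be the 'outside' proxy, so the inside end substitutes the IOC's real address before forwarding; whether caxy does exactly this is not stated on the page.

```python
import socket
import struct

# CA message header: 16 bytes, big-endian (command, payload size, data type,
# data count, parameter 1, parameter 2), as defined by the CA protocol.
CA_HDR = struct.Struct(">HHHHII")
CA_PROTO_SEARCH = 6
CA_DO_REPLY = 10            # data-type field of a search request: "reply even if not found"
CA_MINOR_VERSION = 11       # minor protocol version advertised (constructed value)
USE_SOURCE_ADDR = 0xFFFFFFFF  # reply param 1 wildcard: server address = UDP source of the reply


def build_search(pv_name, cid):
    """CA_SEARCH request: NUL-terminated PV name as payload, padded to 8 bytes."""
    payload = pv_name.encode() + b"\0"
    payload += b"\0" * (-len(payload) % 8)
    return CA_HDR.pack(CA_PROTO_SEARCH, len(payload), CA_DO_REPLY,
                       CA_MINOR_VERSION, cid, cid) + payload


def build_search_reply(server_port, cid, server_ip=USE_SOURCE_ADDR):
    """CA_SEARCH reply: TCP port in data type, server IP (or wildcard) in param 1."""
    payload = struct.pack(">H", CA_MINOR_VERSION) + b"\0" * 6
    return CA_HDR.pack(CA_PROTO_SEARCH, len(payload), server_port, 0,
                       server_ip, cid) + payload


def parse(frame):
    """Return (command, data type, param 1, param 2, payload) of one CA frame."""
    cmd, size, dtype, _count, p1, p2 = CA_HDR.unpack_from(frame)
    return cmd, dtype, p1, p2, frame[16:16 + size]


# The tunnel: every UDP datagram becomes a length-prefixed record in the TCP
# byte stream, so datagram boundaries survive TCP's stream semantics.
def serialize(datagram):
    return struct.pack(">I", len(datagram)) + datagram


def deserialize(stream):
    """Split a TCP byte stream into complete datagrams; return (datagrams, leftover)."""
    out = []
    while len(stream) >= 4:
        n = struct.unpack(">I", stream[:4])[0]
        if len(stream) < 4 + n:
            break                       # partial record: keep for the next read
        out.append(stream[4:4 + n])
        stream = stream[4 + n:]
    return out, stream


def _udp():
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))            # loopback stands in for both networks
    s.settimeout(2)
    return s


def tunnel_roundtrip(pv_name, hosted_pvs, ioc_tcp_port=5064):
    """One CA search: client -> outside proxy -> TCP link -> inside proxy -> IOC and
    back. Returns (server_ip, server_port, cid) or None if no IOC hosts the PV."""
    client, outside, inside, ioc = _udp(), _udp(), _udp(), _udp()
    link_out, link_in = socket.socketpair()   # stands in for the ssh-carried TCP link
    cid = 0x1234
    # 1. client 'broadcasts' its search; the outside proxy is the listener here
    client.sendto(build_search(pv_name, cid), outside.getsockname())
    # 2. outside proxy serialises the datagram into the TCP link
    frame, client_addr = outside.recvfrom(4096)
    link_out.sendall(serialize(frame))
    # 3. inside proxy unpacks and re-sends it as UDP on the 'inside' network
    datagrams, _ = deserialize(link_in.recv(4096))
    for d in datagrams:
        inside.sendto(d, ioc.getsockname())
    # 4. IOC answers only if it hosts the PV, using the wildcard address
    req, inside_addr = ioc.recvfrom(4096)
    _, _, _, req_cid, payload = parse(req)
    if payload.split(b"\0", 1)[0].decode() in hosted_pvs:
        ioc.sendto(build_search_reply(ioc_tcp_port, req_cid), inside_addr)
    try:
        reply, ioc_addr = inside.recvfrom(4096)
    except socket.timeout:
        return None
    # 5. inside proxy: resolve the wildcard to the IOC's real address, otherwise the
    #    client would later try its TCP connection to the OUTSIDE proxy's address
    cmd, dtype, p1, p2, payload = parse(reply)
    if p1 == USE_SOURCE_ADDR:
        p1 = struct.unpack(">I", socket.inet_aton(ioc_addr[0]))[0]
        reply = CA_HDR.pack(cmd, len(payload), dtype, 0, p1, p2) + payload
    link_in.sendall(serialize(reply))
    # 6. outside proxy forwards the reply to the client that asked
    datagrams, _ = deserialize(link_out.recv(4096))
    for d in datagrams:
        outside.sendto(d, client_addr)
    _, port, ip, cid_back, _ = parse(client.recv(4096))
    return socket.inet_ntoa(struct.pack(">I", ip)), port, cid_back


if __name__ == "__main__":
    print(tunnel_roundtrip("Eva", {"Eva", "Raúl"}))   # ('127.0.0.1', 5064, 4660)
```

The returned address and port are exactly what the (proxified) client feeds into its subsequent TCP connect, which is why the TCP half of the tunnel and the UDP half have to agree on how 'inside' addresses are seen from the 'outside'.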
'caxy' CA/UDP Proxy Program
• The 'caxy' program was written implementing the above scheme.
• Same executable can be used (different flags) on 'inside' and 'outside'.
• Forwards CA beacons, too.
• Currently tested: linux, win32.
• Needs just EPICS base (+ tools required for base) to compile.
UDP Tunnel Options
• TCP link which is used to tunnel UDP packets can use
  – Forwarded TCP connection (IPC ssh/caxy is TCP link) (explicit: '-L<port>:localhost:<port>' or 'proxified': '-D' option)
  – ssh STDIO (IPC ssh/caxy is STDIO). Advantage: no dedicated port needs to be opened by 'caxy' on the 'inside' machine. Downside: a bit cumbersome to set up (on win$, that is).
[Figure: two variants. (a) Forwarded TCP link: on the outside machine, caxy and the ssh client talk over a local TCP port; on the inside machine, the ssh server and caxy likewise. (b) STDIO: caxy's STDIO is connected to the ssh client on the outside machine and to the ssh server's command on the inside machine.]
Prerequisites
• CA client (edm, caget, …) on 'outside' machine (laptop in a ski-resort) - must be non-SUID for proxifier to work.
• ssh server running on an 'inside' machine.
• Reasonably recent ssh client with SOCKS proxy server support (openssh [lin], putty [win]).
• 'proxifier' package (dante [lin], tsocks [lin], widecap [win, didn't work under win7], proxycap [win,$], proxifier [win,$]).
• 'caxy' CA/UDP proxy. One copy must run on 'inside' machine where 'sshd' executes, another copy runs on CA client machine. Host-architecture needn't be the same.
Setup
• On the 'inside' (CA network) the EPICS_CA_SERVER_PORT (default: CA_SERVER_PORT), EPICS_CA_ADDR_LIST (default: NONE) and EPICS_CA_REPEATER_PORT (default: CA_REPEATER_PORT) environment variables must be set correctly prior to starting 'caxy'.
  NOTE: caxy does not construct an 'auto-addr-list'. EPICS_CA_ADDR_LIST (and/or -a options) must be set. It does not try to start a caRepeater either. If no repeater is running then no beacons are sent to the client. Repeaters must run on both the 'inside' and the 'outside' machine.
• On the 'outside' the usual defaults for server and repeater ports are used (but you can change them using the same env-vars if you like). They need not be identical to the inside values.
• The proxifier package must be set up (consult its documentation) so that it knows which routes to proxify and what proxies to use. (Usually a simple task requiring a few lines in a config file.)
Use of caxy with CAJ/CSS/BOY
• Java natively supports SOCKS (albeit – by default – only a 'proxify-all-or-nothing' policy). No need for a proxifier (tsocks & friends).
• Unfortunately, the SocketChannel class used by CAJ ignores proxy settings defined by the user.
• Need a small patch (by T.S.) to CAJ [as of 1.1.8] which implements SOCKS support.
• Start:
  java -DsocksProxyHost=localhost -DsocksProxyPort=1080 myCAJClass
Use of caxy with CSS/BOY
• Require patched CAJ (as of 1.1.8).
• Require additional eclipse plugin (as of eclipse 3.6.2) since Eclipse's proxy-selector is different from vanilla java's:
  org.eclipse.scout.net_3.7.0.201106070527.jar
• Eclipse has proxy settings (see Appendix):
  Preferences → General → Network Connections
  (define SOCKS proxy host 127.0.0.1, port 1080, select: Active Provider: 'manual')
Where to Obtain 'caxy'
• GIT repo (for now: clone 'caxy_mt' branch!) @ ~strauman/epics/caxy/
• Documentation @ ~strauman/epics/caxy/README
• Some on-line help: caxy -h
Example 1
• Use a named pipe 'mypipe' to stitch the STDIO of caxy and ssh together (assume 'mypipe' exists). Also assumes that epicsReset.bash configures PATH so that caxy is found (not the case yet).
  # start tunnel; leave in foreground so you can take it down hitting Ctrl-C
  caxy -p0 < mypipe | ssh -C -D 1080 lcls-builder \
      bash -c '". /usr/local/lcls/epics/setup/epicsReset.bash; caxy -I -p0"' > mypipe &
  # In another terminal window start proxified CA client
  proxify edm
Summary
• CA can be tunneled via SSH using
  – ssh as SOCKS proxy server and encrypted tunnel
  – caxy CA/UDP proxy program
– proxifier for CA clients or SOCKS-aware client (java/CAJ)
• Provides secure and efficient CA connectivity with the possibility to run CA clients locally on a remote/outside machine
• Read on for more examples...
Example 2
• Use explicit port forwarding for the UDP-over-TCP tunnel.
  # start tunnel (using explicit portfwd; ports 5000) in the background
  # epicsReset.bash configures EPICS_CA_ADDR_LIST & friends for us.
  # Assume that caRepeater is already running on lcls-builder.
  ssh -C -D 1080 -L 5000:localhost:5000 iocegr@lcls-builder \
      bash -c '". /usr/local/lcls/epics/setup/epicsReset.bash; caxy -I -p 5000"' &
  # in another window start local caxy
  caxy -p 5000 &
  # use proxified CA client
  socksify caget IOC:IN20:EV01:PABIG_STATE
Example 3
• Multiple users may share the 'inside' caxy program which runs as a daemon/server (-S option):
  – Somebody (e.g., admin) starts the caxy server on lcls-builder:
      # On lcls-builder, some time in the past the administrator
      # started caxy as a server:
      . /usr/local/lcls/epics/setup/epicsReset.bash
      caxy -S -I
  – User (on 'outside' laptop) sets up the tunnel (assume the proxifier can proxify the route to localhost → proxyhost; e.g., dante can, tsocks cannot):
      ssh -C -D 1080 lcls-builder
  – In another window ('outside' machine), a proxified caxy is launched and a proxified CA client is started:
      . socksify    # all commands hereafter are proxified
      caxy &
      edm &
      caget SOME_PV
Example 4
• Start tunnel + caxy via bash or perl script. Demo scripts are in the distribution (not polished; need to edit to fill in your data/info, paths...).
  # Leave in foreground so you can kill the tunnel with Ctrl-C
  ./catun.sh
  # In another window launch CA client(s)
  . socksify
  edm &
  caget BLAH_BLAH
Example 5
• Start tunnel in a win$ 'command' window using the perl script. (sigh – getting this to work took quite some effort – but I'm not that windows-fluent).
• I needed to use perl 'unsafe' signals in order to be able to kill the tunnel with Ctrl-C (win7). This sometimes panics (while dying anyway) – there is room for improvement (of the script).
• I used the demo version of 'proxycap' as well as 'putty' which both must be set up first (but it wasn't hard). Again, you may need to modify some values in the script.
  set PERL_SIGNALS=unsafe
  perl ./catun.pl
Appendix 1 – Dante Config File
• Dante configuration (only additions to defaults [ubuntu 10.10] shown) – you can put a config file anywhere (if you're not administrator of your own laptop) and set-env SOCKS_CONF=<path>:

  # Comment 'debug' to avoid tons of output
  #debug: 2

  # silence log to avoid minor output
  logoutput: /dev/null

  # Route to SLAC shall be proxified using (ssh) proxy on localhost:1080
  route {
      from: 0.0.0.0/0 to: 134.79.0.0/16 via: 127.0.0.1 port = 1080
      protocol: tcp
      proxyprotocol: socks_v5 socks_v4
      method: none   # no authentication
  }

  # Route to localhost:5056 (deflt. caxy port) shall be proxified to
  # 'localhost' at other end of tunnel. This permits proxified caxy to
  # use the -D 1080 ssh option. No need for -L.
  route {
      from: 0.0.0.0/0 to: 127.0.0.1/32 port=5056 via: 127.0.0.1 port = 1080
      protocol: tcp
      proxyprotocol: socks_v5 socks_v4
      method: none
  }
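The two routes above decide, per destination, whether a proxified program's connect() is sent to the ssh SOCKS port or goes out directly. The following added example (not dante's code, and not a complete implementation of its config syntax) parses a constructed cut-down copy of those route blocks and applies the same decision to a few destinations. It assumes first-match evaluation in file order and treats a route without a 'protocol' line as matching both TCP and UDP; the UDP case is included because it shows why a proxifier alone never carries the CA search traffic.

```python
import ipaddress
import re

# Constructed sample: the two route blocks from the Dante appendix above.
SAMPLE_CONF = """
# Route to SLAC shall be proxified using (ssh) proxy on localhost:1080
route {
    from: 0.0.0.0/0 to: 134.79.0.0/16 via: 127.0.0.1 port = 1080
    protocol: tcp
    proxyprotocol: socks_v5 socks_v4
    method: none   # no authentication
}
# Route to localhost:5056 (deflt. caxy port) shall be proxified
route {
    from: 0.0.0.0/0 to: 127.0.0.1/32 port=5056 via: 127.0.0.1 port = 1080
    protocol: tcp
    proxyprotocol: socks_v5 socks_v4
    method: none
}
"""


def parse_routes(text):
    """Extract route { ... } blocks into dicts with 'from', 'to', 'via', optional
    'to_port'/'via_port' and a 'protocol' set. A 'port' token belongs to whichever
    of from/to/via preceded it, which is how 'to: ... port=5056' and
    'via: ... port = 1080' are told apart."""
    text = re.sub(r"#.*", "", text)                 # strip comments
    routes = []
    for body in re.findall(r"route\s*\{(.*?)\}", text, re.S):
        r = {"protocol": {"tcp", "udp"}}            # assumption: no line means both
        current = None
        for key, val in re.findall(r"(\w+)\s*[:=]\s*(\S+)", body):
            if key in ("from", "to"):
                r[key] = ipaddress.ip_network(val, strict=False)
                current = key
            elif key == "via":
                r[key] = val
                current = key
            elif key == "port" and current:
                r[current + "_port"] = int(val)
            elif key == "protocol":
                r["protocol"] = {val}
        routes.append(r)
    return routes


def select_route(routes, dst_ip, dst_port, protocol="tcp"):
    """First matching route wins. Returns the proxy (host, port) the connection is
    redirected to, or None when the connection goes out directly."""
    ip = ipaddress.ip_address(dst_ip)
    for r in routes:
        if protocol not in r["protocol"]:
            continue
        if ip not in r["to"]:
            continue
        if "to_port" in r and r["to_port"] != dst_port:
            continue
        return (r["via"], r["via_port"])
    return None


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_CONF)
    # TCP to an 'inside' IOC address (constructed): through the ssh SOCKS port
    print(select_route(routes, "134.79.1.2", 5064))
    # local caxy port: also through the tunnel, so 'caxy &' needs no -L forwarding
    print(select_route(routes, "127.0.0.1", 5056))
    # local caRepeater port: direct
    print(select_route(routes, "127.0.0.1", 5064))
    # the CA search is UDP: no route matches, hence the separate caxy tunnel
    print(select_route(routes, "134.79.1.2", 5064, "udp"))
```

Keeping the first route narrow (one /16, TCP only) is the least-privilege choice: everything else the laptop does keeps its normal path, and nothing outside the control network can be reached through the tunnel by accident.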
Appendix 2 – ssh Config File
• ssh (client) configuration for multi-hop to lcls-builder:

  # Just some public machine. By using the 'slac_gw' alias
  # you only need to change the 'HostName' below if you want/need to
  # use another gateway machine
  Host slac_gw
      HostName yakut14.slac.stanford.edu

  # Door to lcls-builder. Again: we define an alias. This is not reachable
  # from the internet, so we use 'slac_gw' as a proxy
  Host door
      HostName lclsprod02.slac.stanford.edu
      ProxyCommand ssh slac_gw /usr/bin/nc %h %p

  # Finally, the lcls-builder; only reachable via 'door' (we again use that as a proxy)
  # Switch off GSSAPI; currently no kerberos on the builder
  # and we don't want to wait for ssh to find out.
  # Also need to explicitly specify different User on that machine.
  Host lcls-builder
      User iocegr
      HostName lcls-builder.slac.stanford.edu
      ProxyCommand ssh door /usr/bin/nc %h %p
      GSSAPIAuthentication no
      GSSAPIKeyExchange no

  # But by default we definitely want to use GSSAPI. We also set the default User name here
  Host *
      User you
      GSSAPIAuthentication yes
      GSSAPIDelegateCredentials yes
      GSSAPIKeyExchange yes
Appendix 3 – proxycap Config
• Win 'proxycap' configuration
Appendix 4 – Win SW Suggestions
• win: putty – GUI ssh client
• 'plink' (comes with putty) is a command-line ssh client, most options are openssh compatible.
• No 'ProxyCommand' equivalent (only from GUI; only 1 hop; couldn't get it to work) → use a 'plink <options> host1 ssh <options> host2 … cmd' chain. (Consult the 'catun.pl' script for an example.)
Recommended