Industrial Control Engineering
UNICOS-PVSS evolution 2011-2012
Hervé Milcent, EN/ICE/SCD, 07/10/2011

Outline
- Accessing BE/CO infrastructure: description; consequences on the daily work, deployment, access, etc.
- Current operational release
- Christmas release: Core, CPC
- UNICOS in LabView
- AOB: future release, web

PVSS and BE/CO infrastructure
- PVSS managers except the Ui run in Linux; OWS = Ui in Windows and Linux
- Linux Ui: accelerator operators (LHC, PS, etc.), from CCC
- Windows Ui: CRYO operators, from CCC, local control room, trusted console from outside the TN via terminal server
- OWS: all panels, libs, etc. are in the Linux server, to avoid having a copy in each OWS for each project; access via SAMBA (Windows) and NFS (Linux)
- PVSS constraints: Ui run-time needs R/W access to the log and data folders and files; Ui editor needs R/W access to log, images, colorDB, panels, scripts, data, pictures
- BE/CO infrastructure: 300 servers, 1/3 of them PVSS servers, and a lot of Linux consoles; installation of a PVSS server is automated via transfer.ref; synchronization of users and passwords on all servers via the e-group ACC-all containing all the allowed users
- NFS: automount to the BE/CO NFS server; from each server in the TN, access via NFS to all the others
- SAMBA: simple and easy configuration; no difference between Ui run-time and Ui editor; a user allowed via SAMBA = allowed to ssh into all the servers
- PVSS projects are started with a service account: unicryo, qpsop, etc.

Why protecting the access
- Refer to the atlasecr security issue
- IT security issue with service accounts: tracking who logs in
- Once in a server, a user can access all the others via NFS
- Corrupting the PVSS project
- Many users may start the OWS Ui run-time, and should not have access to the other servers

BE/CO & EN/ICE proposal for Windows OWS: server configuration
- The user must have a CERN account and have signed the OC5 rules
- Access to a set of servers via SAMBA and ssh
- PVSS servers are grouped and assigned an e-group of allowed users, e-group = ACC-UNICOS-xx (admin group to set up the e-group members: ACC-UNICOS-xx-admin), e.g. ACC-UNICOS-cryolhc, ACC-UNICOS-cryolhc-admins
- These e-groups can contain only: personal NICE accounts, like milcent; operational accounts not defined as BE/CO op accounts, like qpsop
- A user can be in many e-groups
- A user not in the e-group = no access via SAMBA, no ssh
- Propagation of e-group content in 15 – 30 min (if no problem in IT)
- Propagation of a re-assignment of PVSS server and e-group: every working day
- Detailed info: https://cern.ch/en-ice/Accessing+BE-CO+Linux+PVSS+Server
- No difference between an operator (Ui run-time) and a developer (Ui editor)
- Separate PVSS servers for test and production
- 2 users: unicryo, for EN/ICE production server use only, password known by ACC-UNICOS-admin (only EN/ICE staff: application responsible); unitest, for the EN/ICE test purpose server
- ACC-UNICOS-admin: sudoers on all PVSS servers
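The slides list which project folders the Ui run-time and the Ui editor need to write, and note that the SAMBA share makes no difference between the two roles, so an operator gets the same write access as a developer and could corrupt the project. The script below, an added example that is not part of the original presentation, audits a shared PVSS project tree for that gap: given a role, it reports folders the role needs but cannot write (the Ui would break) and folders it can write without needing to (over-permission). The folder names come from the slide; the role names "runtime" and "editor", the extra read-only "config" folder, the use of the group-write bit as the access indicator and the constructed demo tree are assumptions of this example.

```python
"""Audit of the writable folders in a shared PVSS project tree.

Added example, not part of the original slides.  Assumptions: the project
folder names come from the slide; the role names "runtime" and "editor",
the "config" folder treated as read-only and the group-write bit as the
access indicator are choices made here.
"""
import os
import stat
import tempfile

# Folders each Ui role needs read/write access to (from the slide).
ROLE_WRITABLE = {
    "runtime": frozenset({"log", "data"}),
    "editor": frozenset({"log", "images", "colorDB", "panels",
                         "scripts", "data", "pictures"}),
}

# All folders of the demo project: the editor set plus "config", which is
# assumed here to stay read-only for both roles.
PROJECT_FOLDERS = sorted(ROLE_WRITABLE["editor"] | {"config"})


def group_writable(path):
    """True if the group-write bit is set on path, i.e. what a share
    mapped to the project's group would let its members modify."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & stat.S_IWGRP)


def audit_project(root, role):
    """Compare the group-writable folders under root with the folders the
    given role actually needs.

    Returns {"missing": [...], "excess": [...]}: "missing" folders would
    break the Ui, "excess" folders let that role overwrite panels,
    scripts, etc. that it should only read.
    """
    needed = ROLE_WRITABLE[role]
    writable = {
        name for name in os.listdir(root)
        if os.path.isdir(os.path.join(root, name))
        and group_writable(os.path.join(root, name))
    }
    return {
        "missing": sorted(needed - writable),
        "excess": sorted(writable - needed),
    }


def build_demo_project(root, writable_folders):
    """Create a constructed project tree under root: folders listed in
    writable_folders get group write (0o770), the others 0o750."""
    for name in PROJECT_FOLDERS:
        path = os.path.join(root, name)
        os.mkdir(path)
        os.chmod(path, 0o770 if name in writable_folders else 0o750)


def demo_audit(role, granted):
    """Build a throw-away project tree where the folders in `granted` are
    group-writable and audit it for `role`."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_project(root, granted)
        return audit_project(root, role)


if __name__ == "__main__":
    # A share that grants the editor folder set to everyone (the "no
    # difference between run-time and editor" situation): the audit lists
    # what an operator can write but should not.
    print("operator on editor share:",
          demo_audit("runtime", ROLE_WRITABLE["editor"]))
    # A share configured for run-time only would block the editor.
    print("developer on run-time share:",
          demo_audit("editor", ROLE_WRITABLE["runtime"]))
```

The same check can be run against a real project root by calling `audit_project("/path/to/project", "runtime")` on a server where the share is mounted; an empty "excess" list for the run-time role is the state the proposal is aiming for.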

BE/CO & EN/ICE proposal for Windows OWS: starting an OWS
- The user must have a CERN account and have signed the OC5 rules
- OWS console on the technical network (or trusted): as before (usually login with a service account, e.g. lhcop)
- From the GPN (e.g. from the office): PVSS developer, e.g. milcent: it is recommended to use a VPC (Virtual Personal Computer) and log in with the NICE personal account; operator: log in to a terminal server provided by BE/CO with the NICE personal account or a service account
- Outside CERN: log in to cernts with the NICE personal account, then same procedure as from the GPN

BE/CO & EN/ICE proposal for Windows OWS: consequences
- A user not in an e-group = no SAMBA access, no ssh, on both the servers and the Linux consoles
- For accelerator-related applications, operators (except accelerator operators): service and personal accounts will be allowed to log in to the BE/CO Windows terminal servers and the Windows consoles in CCC for the operators, e.g. cryomoni, etc. No access to Linux and Windows consoles in CCC (or trusted).
- For experiment applications, e.g. CRYO experiment, MCS, GCS, etc.: use personal accounts only, in the BE/CO Windows terminal servers. No access to Linux and Windows consoles in CCC (or trusted).
- Developers: use a VPC (Virtual Personal Computer)

BE/CO & EN/ICE proposal for Windows OWS: CRYO experiment, MCS, VAC
- Same strategy
- ACC-UNICOS-admin added as sudoer on their PVSS server
- VAC: use the same CMF package as for UNICOS for the OWS

BE/CO & EN/ICE proposal for Windows OWS: pending issues
- Windows 7 and Windows 2008 access via SAMBA: BE/CO & IT
- Configuration of folder and file protections: BE/CO & EN/ICE
- Validation of PVSS Ui in Windows 7, SLC 6, Windows 2008: BE/CO provides SLC 6 and Windows 2008; EN/ICE/SCD validates the PVSS Ui on all platforms; EN/ICE/SCD does the PVSS installation
- Procedure to get a VPC well configured: BE/CO
- Procedure to get access to a BE/CO terminal server with a personal account: BE/CO
- Cleaning the list of users: remove all EN/ICE from ACC-all (except FESA developers, LabVIEW, ACC-UNICOS-admin) and re-assign them to e-groups: EN/ICE/SCD & BE/CO
- MODBUS port re-allocation: EN/ICE & BE/CO

GCS:
- Go or not go to the Linux server?
- OWS Ui: log in to the terminal server with a personal account
- Security issue: server on the TN; access to the LHC Experiment TN by default; NFS automount between the TN and the experimental network may need a custom installation
- Still missing some servers (G1 type); BE/CO: re-assigning servers …. But if we don't go …. !

BE/CO & EN/ICE proposal for Windows OWS
- Question? OK to proceed?

BE/CO servers
- 300 servers, 1/3 of them PVSS servers, many consoles
- Limited resources in BE/CO: little pre-emptive maintenance, action only when there is a problem
- Let's try to reduce the list of servers and group projects per shutdown time, e.g. CNGS and POPS, CRYO and CIET portal
- Consequence: re-deployment in MOON and on the servers, RBAC setup

BE/CO servers
- Question? OK to proceed?

Current release: unicos-pvss-5.2.0, PVSS 3.8-SP2
- unicos-pvss-5.2.0 for PVSS 3.8-SP2; content (most important issues):
- Features to ease the work of the standby service: remove spurious alarms, so that at the end a systemIntegrity alarm is a real alarm to be looked at; handle the automatic restart of critical failing managers: LHCLogging
- Request from POPS: EventList
- Mandatory issue for CPC 6
- Expert name: the expert name in UNICOS is used for information only; no filtering, no search on expert name, the expert name is just used like a description
- Device/unicos configuration: extra storage
- Children/parent relationship …
- CPC 6 compatibility: import/export, widget/faceplate, CPC 6 functions; unicos-pvss Core compatible with CPC 5 and other packages
- Export/import of WindowTree/TrendTree in XML
- Distributed control: same notation as in the installation tool, no need to clean the config file
- Import functions callable from a PVSS ctrl script: allow an automatic import without the import panel, very useful for icemoon, NA62
- Easy way to find the systemIntegrity alarm value: useful for SBS; from SystemStatus, etc., not only from the systemIntegrity alarm panel
- Recipe: import, duplicate an existing recipe instance, create a new recipe instance, modify a recipe instance

Christmas release: unicos-pvss-5.2.1
- unCore: clean separation between components; explanation of the systemIntegrity alarm in the systemIntegrity view and the front-end diagnostic views; more checks during the import: existing alias, MODBUS com&data
- unSystemIntegrity: configuration on a remote system, stop/start of scripts; no kill of valarch during online backup; MAIL/SMS at startup configurable
- unLHCServices: bug fix in PVSS00Laser when dealing with alerts

Christmas release: issues that may be included
- unCore: stop/start/add driver/simulator from the import panel; stop/start unicos scripts remotely; eventList/alarmList in the faceplate; comment on device; device action: many privileges, list of actions per domain/privilege
- unSystemIntegrity: bool to systemIntegrity alarm

Christmas release: CPC

Christmas: reminder
- All remaining PVSS 3.6-SP2 servers move to PVSS 3.8-SP2 and new hardware; this needs between ½ and 1 day of intervention per server; no need to keep the IP like for CRYO
- BE/CO: up to 10/day in parallel before Christmas, 6/day after
- All packages must be ready for PVSS 3.8-SP2
- Re-organizing servers and projects: pvss2, pops, cv, others?
- Upgrade of the installation tool

News: UNICOS in LabView
- CPC devices except AnalogParameter, DigitalParameter and WordParameter
- Faceplate, widget, device action: 90% done, only run-time trend
- Import: nearly 100% done
- Device access control: not yet, not sure if it will be included
- Graphical Frame: tree device overview not yet; EventList, based on 0.5 sec time resolution: not yet; AlarmList: not yet; panel design: old implementation; TrendTree/WindowTree: old implementation
- Packaging: not yet
- TSPP S7 and Modbus frame decoding: Linux: connection to Siemens OK; Windows: no connection yet to Siemens; decoding: not yet done

AOB
- Web: http://cern.ch/en-ice/UNICOS, similar to JCOP, missing EDMS
- Future release 5.3.0 (Spring-Summer): comment on devices, device action access control
- 5.4.0 (end of 2012): XML import