EPICS CA Tunneling with SSH
Till Straumann, July 21, 2011



Overview

• Introduction; CA Basics
• Basic Idea
  – CA-TCP tunneling
  – CA-UDP proxy + tunneling
• The 'caxy' program
• Prerequisites
• Tunnel Setup / Examples
• Summary


Introduction – CA Basics

• EPICS Channel Access uses UDP to locate a PV and a TCP connection between CA client and CA server (IOC) for 'real' data transfer.

– Client issues UDP 'CA SEARCH' request for PV 'name' to all addresses listed in EPICS_CA_ADDR_LIST (default: LAN broadcast address) and an automatically created list based on interface address(es) (if EPICS_CA_AUTO_ADDR_LIST==YES)

– Server/IOC hosting the PV sends UDP reply providing server IP-addr and port.

– Client opens (or uses existing) TCP connection to server using info from UDP reply. Further CA traffic goes via this TCP connection.

[Diagram: IOC-1 hosts PVs 'Fred', 'Lisa', ...; IOC-2 hosts PVs 'Raúl', 'Eva', ...; Client-1 reads 'Eva': UDP broadcast CA_SEARCH 'Eva' → UDP reply from the IOC hosting 'Eva' → TCP connection (PV data)]


Purpose of this Talk

• Most IOCs are not reachable from the internet but are connected to isolated networks.

• CA clients must reside on the same, or a 'close' network (passing firewall) or use a cumbersome CA gateway.

➔ Working remotely (e.g., on a beach in Mexico) is painful (run slow GUI connections to CA client such as edm @ SLAC).

➔ Can only use client software that is installed at SLAC (wanna use latest matlab you have on your laptop?) or must write data to files and copy around.

➔ Wouldn't it be desirable to be able to run CA clients on a remote machine and tunnel CA through a secure connection?

[Diagram: LCLS Controls network with several IOCs and the ssh server 'lcls-builder'; ssh server ↔ Internet ↔ Laptop running a CA client; CA via SSH]


CA Tunneling

• How can we tunnel CA connections?
• CA uses TCP and UDP; both must be tunneled.
• Discuss TCP tunnel first, UDP afterwards.


CA TCP Tunnel

• Tunneling TCP is easy (using ssh port-forwarding). E.g.,

ssh -L 5064:iocXY:5064 user@lcls-builder

would allow me to access iocXY as if it were on my laptop @ localhost:5064. (Showed you how to create a multihop tunnel last time.)

• Problems with this approach:

– Would have to use '-L' for each IOC (but cannot share same local port 5064)

– Need to know IOCs I want to connect to in advance (losing beauty of CA: should be transparent where a PV is hosted)

• Solution: use ssh SOCKS proxy server feature (see last talk) to connect to arbitrary IOCs:

ssh -D 1080 user@lcls-builder
socksify caget some_pv


CA UDP Tunnel

• Above example does not work, of course, because there is no tunnel for UDP yet (hence caget doesn't know which IOC/port to connect to in order to get 'some_pv').

• Note: even though SOCKS5 defines a UDP feature this is not implemented by ssh's SOCKS server. Also, SOCKS5/UDP only works for 'outgoing' (request/reply-type of) traffic. Impossible to feed CA beacons from IOC to client with SOCKS5/UDP (even if it were available).
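The SOCKS5 exchange that a proxifier performs against the 'ssh -D 1080' listener, as an added example that is not part of the talk or of caxy: the client side builds the greeting and a CONNECT request for an IOC's TCP port, the (constructed) toy server plays the proxy and, like ssh's SOCKS server, serves CONNECT only; a UDP ASSOCIATE request is answered with the RFC 1928 code 0x07 'command not supported'. The message layout follows RFC 1928; the toy server, the sample addresses and the reply it reports for CONNECT are constructed for this example (a real proxy would open the connection through the ssh channel first).

```python
# Added example: SOCKS5 messages exchanged between a proxified CA client and a
# SOCKS server such as 'ssh -D 1080'. Toy server and addresses are constructed.
import socket
import struct

SOCKS_VERSION = 0x05
NO_AUTH = 0x00
CMD_CONNECT = 0x01
CMD_UDP_ASSOCIATE = 0x03
ATYP_IPV4 = 0x01
REP_SUCCEEDED = 0x00
REP_CMD_NOT_SUPPORTED = 0x07


def greeting():
    """Client hello: VER, NMETHODS=1, METHOD 'no authentication required'."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def toy_server_select_method(hello):
    """Server answer to the hello: VER, chosen METHOD (0xFF = nothing acceptable)."""
    if len(hello) < 2 or hello[0] != SOCKS_VERSION or NO_AUTH not in hello[2:2 + hello[1]]:
        return bytes([SOCKS_VERSION, 0xFF])
    return bytes([SOCKS_VERSION, NO_AUTH])


def request(cmd, host, port):
    """Client request: VER CMD RSV ATYP DST.ADDR DST.PORT (IPv4 only in this example)."""
    return (bytes([SOCKS_VERSION, cmd, 0x00, ATYP_IPV4])
            + socket.inet_aton(host) + struct.pack("!H", port))


def parse_reply(data):
    """Server reply: VER REP RSV ATYP BND.ADDR BND.PORT -> (rep, bind_host, bind_port)."""
    if len(data) < 10 or data[0] != SOCKS_VERSION or data[3] != ATYP_IPV4:
        raise ValueError("malformed SOCKS5 reply")
    (port,) = struct.unpack("!H", data[8:10])
    return data[1], socket.inet_ntoa(data[4:8]), port


def toy_server_handle(data):
    """Constructed stand-in for the proxy side. Like ssh's -D listener it serves
    CONNECT only; UDP ASSOCIATE (and BIND) get 'command not supported' (0x07),
    which is why CA's UDP search traffic cannot go this way."""
    if len(data) < 10 or data[0] != SOCKS_VERSION or data[3] != ATYP_IPV4:
        raise ValueError("malformed SOCKS5 request")
    if data[1] != CMD_CONNECT:
        return bytes([SOCKS_VERSION, REP_CMD_NOT_SUPPORTED, 0x00, ATYP_IPV4]) + bytes(6)
    # A real proxy would now open DST.ADDR:DST.PORT through the ssh channel and
    # report the address it bound; this toy reports a constructed one.
    return (bytes([SOCKS_VERSION, REP_SUCCEEDED, 0x00, ATYP_IPV4])
            + socket.inet_aton("127.0.0.1") + struct.pack("!H", 1080))


def simulate(cmd, host, port):
    """One full client/proxy exchange against the toy server; returns the REP code."""
    if toy_server_select_method(greeting()) != bytes([SOCKS_VERSION, NO_AUTH]):
        raise RuntimeError("method negotiation failed")
    rep, _, _ = parse_reply(toy_server_handle(request(cmd, host, port)))
    return rep


if __name__ == "__main__":
    print("CONNECT to IOC TCP port:", hex(simulate(CMD_CONNECT, "134.79.1.1", 5064)))
    print("UDP ASSOCIATE:", hex(simulate(CMD_UDP_ASSOCIATE, "0.0.0.0", 0)))
```

The TCP path (CONNECT) is exactly what socksify or dante wraps around each connect() the CA client makes; the UDP path fails at the proxy, which is the gap caxy fills.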


CA/UDP Tunnel Implementation

• For the following we use the terms

– 'outside': network where CA-client is connected. No direct CA connectivity to IOC.

– 'inside': network where CA servers/IOCs reside.

• Basic idea is simple:

– Execute a proxy CA (UDP-part only) server on the 'outside'. It forwards received UDP frames ('serialized') into a secure TCP connection and unpacks serialized UDP frames from the TCP connection and sends them out as UDP frames on the 'outside'.

– Execute a proxy CA client on the 'inside'. It receives serialized UDP frames from the TCP connection and sends them out on the 'inside' network. Any UDP replies are 'serialized' and forwarded to the 'outside' proxy via TCP.

[Diagram: 'outside' network: CA client → UDP CA_SEARCH request (BCST) → CA/UDP proxy server (port 5064); the request is serialized into the secure TCP link and unpacked by the 'inside' CA/UDP proxy client, which sends it as UDP CA_SEARCH request to the CA server (IOC); the UDP reply travels back the same way]
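One way to do the 'serializing' step described above, as an added example that is not caxy's code (the talk does not describe caxy's actual wire format, so the framing here is an assumption): each UDP frame is prefixed with its source address, source port and length before it goes into the TCP link, and the receiving side reassembles frames from whatever byte chunks TCP happens to deliver, since a stream does not preserve datagram boundaries. The sample frames are constructed.

```python
# Added example (not caxy): framing UDP datagrams for transport over a TCP
# stream and rebuilding them at the far end. The header layout is an assumption.
import socket
import struct

HEADER = struct.Struct("!4sHH")   # source IPv4, source port, payload length


def pack_datagram(src_host, src_port, payload):
    """Serialize one UDP frame (plus where it came from) for the TCP link."""
    if len(payload) > 0xFFFF:
        raise ValueError("datagram too large for 16-bit length field")
    return HEADER.pack(socket.inet_aton(src_host), src_port, len(payload)) + payload


class StreamUnpacker:
    """Reassemble framed datagrams from arbitrarily chunked TCP reads."""

    def __init__(self):
        self._buf = bytearray()

    def feed(self, chunk):
        """Append bytes from recv(); return every complete datagram now available
        as (src_host, src_port, payload) tuples, ready to be sent out as UDP."""
        self._buf += chunk
        out = []
        while len(self._buf) >= HEADER.size:
            src, port, length = HEADER.unpack_from(self._buf)
            if len(self._buf) < HEADER.size + length:
                break                      # rest of this frame not yet received
            start = HEADER.size
            out.append((socket.inet_ntoa(src), port, bytes(self._buf[start:start + length])))
            del self._buf[:start + length]
        return out

    def pending(self):
        """Number of buffered bytes that do not yet form a complete frame."""
        return len(self._buf)


def roundtrip(frames, chunk_size):
    """Pack several frames, then push the byte stream through the unpacker in
    chunk_size pieces (simulating how TCP may split or merge sends)."""
    stream = b"".join(pack_datagram(*f) for f in frames)
    unpacker = StreamUnpacker()
    received = []
    for i in range(0, len(stream), chunk_size):
        received.extend(unpacker.feed(stream[i:i + chunk_size]))
    return received, unpacker.pending()


# Constructed sample: a search request from a client and a reply from an IOC
# (payloads are placeholders, not real CA protocol bytes).
SAMPLE_FRAMES = [
    ("192.168.1.10", 5064, b"CA_SEARCH 'Eva'"),
    ("10.0.0.7", 5064, b"CA_SEARCH reply: 10.0.0.7:5064"),
]

if __name__ == "__main__":
    frames, leftover = roundtrip(SAMPLE_FRAMES, 3)
    for host, port, payload in frames:
        print(f"{host}:{port} -> {payload!r}")
    print("leftover bytes:", leftover)
```

The length prefix is what makes the 'outside' proxy able to re-emit exactly the datagram the IOC sent; without it, two small replies arriving in one TCP segment would be handed to the CA client as a single bogus packet.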


'caxy' CA/UDP Proxy Program

• The 'caxy' program was written implementing the above scheme.

• Same executable can be used (different flags) on 'inside' and 'outside'.

• Forwards CA beacons, too.
• Currently tested: linux, win32.
• Needs just EPICS base (+ tools required for base) to compile.


UDP Tunnel Options

• TCP link which is used to tunnel UDP packets can use
  – Forwarded TCP connection (IPC ssh/caxy is TCP link)
    (explicit: '-L<port>:localhost:<port>' or 'proxified': '-D' option)

– ssh STDIO (IPC ssh/caxy is STDIO). Advantage: no dedicated port needs to be opened by 'caxy' on 'inside' machine. Downside: a bit cumbersome to set up (on win$, that is).

[Diagram, two variants: (a) forwarded TCP connection: on the outside machine caxy port ↔ local TCP link ↔ ssh client; on the inside machine ssh server ↔ local TCP link ↔ caxy port. (b) STDIO: on the outside machine caxy ↔ STDIO ↔ ssh client; on the inside machine ssh server ↔ STDIO ↔ caxy]


Prerequisites

• CA client (edm, caget, …) on 'outside' machine (laptop in a ski-resort) - must be non-SUID for proxifier to work.

• ssh server running on an 'inside' machine.

• Reasonably recent ssh client with SOCKS proxy server support (openssh [lin], putty [win]).

• 'proxifier' package (dante [lin], tsocks [lin], widecap [win, didn't work under win7], proxycap [win,$], proxifier [win,$]).

• 'caxy' CA/UDP proxy. One copy must run on 'inside' machine where 'sshd' executes, another copy runs on CA client machine. Host-architecture needn't be the same.


Setup

• On the 'inside' (CA network) the EPICS_CA_SERVER_PORT (default: CA_SERVER_PORT), EPICS_CA_ADDR_LIST (default: NONE) and EPICS_CA_REPEATER_PORT (default: CA_REPEATER_PORT) environment variables must be set correctly prior to starting 'caxy'.

  NOTE: caxy does not construct an 'auto-addr-list'. EPICS_CA_ADDR_LIST (and/or -a options) must be set. It does not try to start a caRepeater either. If no repeater is running then no beacons are sent to the client. Repeaters must run on both the 'inside' and 'outside' machines.

• On the 'outside' the usual defaults for server and repeater ports are used (but you can change them using the same env-vars if you like). They need not be identical to inside values.

• proxifier package must be set up (consult documentation) so that it knows which routes to proxify and what proxies to use. (Usually a simple task requiring a few lines in a config file).


Use of caxy with CAJ/CSS/BOY

• Java natively supports SOCKS (albeit – by default – only a 'proxify-all-or-nothing' policy). No need for a proxifier (tsocks & friends).

• Unfortunately, SocketChannel class used by CAJ ignores proxy settings defined by user.

• Need a small patch (by T.S.) to CAJ [as of 1.1.8] which implements SOCKS support.

• Start:

java -DsocksProxyHost=localhost -DsocksProxyPort=1080 myCAJClass


Use of caxy with CSS/BOY

• Require patched CAJ (as of 1.1.8).

• Require additional eclipse plugin (as of eclipse 3.6.2) since Eclipse proxy-selector is different from vanilla java's:

org.eclipse.scout.net_3.7.0.201106070527.jar

• Eclipse has proxy settings (see Appendix)

Preferences - General - Network Connections

(define SOCKS proxy host 127.0.0.1, port 1080, select: Active Provider: 'manual')


Where to Obtain 'caxy'

• GIT repo (for now: clone 'caxy_mt' branch!) @ ~strauman/epics/caxy/

• Documentation @ ~strauman/epics/caxy/README

• Some on-line help: caxy -h


Example 1

• Use a named pipe 'mypipe' to stitch STDIO of caxy and ssh together (assume 'mypipe' exists). Also assumes that epicsReset.bash configures PATH so that caxy is found (not the case yet).

# start tunnel; leave in foreground so you can take it down hitting Ctrl-C
caxy -p0 < mypipe | ssh -C -D 1080 lcls-builder \
    bash -c '". /usr/local/lcls/epics/setup/epicsReset.bash; caxy -I -p0"' > mypipe &

# In another terminal window start proxified CA client
proxify edm


Summary

• CA can be tunneled via SSH using
  – ssh as SOCKS proxy server and encrypted tunnel
  – caxy CA/UDP proxy program
  – proxifier for CA clients or SOCKS-aware client (java/CAJ)

• Provides secure and efficient CA connectivity with the possibility to run CA clients locally on a remote/outside machine

• Read on for more examples...


Example 2

• Use explicit port forwarding for UDP over TCP tunnel.

# start tunnel (using explicit port-fwd; ports 5000) in the background
# epicsReset.bash configures EPICS_CA_ADDR_LIST & friends for us.
# Assume that caRepeater is already running on lcls-builder.
ssh -C -D 1080 -L 5000:localhost:5000 iocegr@lcls-builder \
    bash -c '". /usr/local/lcls/epics/setup/epicsReset.bash; caxy -I -p 5000"' &

# in another window start local caxy
caxy -p 5000 &

# use proxified CA client
socksify caget IOC:IN20:EV01:PABIG_STATE


Example 3

• Multiple users may share the 'inside' caxy program which runs as a daemon/server (-S option):

  – Somebody (e.g., admin) starts caxy server on lcls-builder:

# On lcls-builder, some time in the past the administrator
# started caxy as a server:
. /usr/local/lcls/epics/setup/epicsReset.bash
caxy -S -I

  – User (on 'outside' laptop) sets up tunnel (assume proxifier can proxify route to localhost → proxyhost; e.g., dante can, tsocks cannot):

ssh -C -D 1080 lcls-builder

  – In another window ('outside' machine), proxified caxy is launched and a proxified CA client is started:

. socksify   # all commands hereafter are proxified
caxy &
edm &
caget SOME_PV


Example 4

• Start tunnel + caxy via bash or perl script. Demo scripts are in the distribution (not polished; need to edit to fill in your data/info, paths...).

# Leave in foreground so you can kill the tunnel with Ctrl-C
./catun.sh

# In another window launch CA client(s)
. socksify
edm &
caget BLAH_BLAH


Example 5

• Start tunnel in a win$ 'command' window using perl script.(sigh – getting this to work took quite some effort – but I'm not that windows-fluent).

• I needed to use perl 'unsafe' signals in order to be able to kill the tunnel with Ctrl-C (win7). This sometimes panics (while dying anyways) – there is room for improvement (of the script).

• I used the demo version of 'proxycap' as well as 'putty' which both must be set up first (but it wasn't hard). Again, you may need to modify some values in the script.

set PERL_SIGNALS=unsafe
perl ./catun.pl


Appendix 1 – Dante Config File

• Dante configuration (only additions to defaults [ubuntu 10.10] shown) – you can put a config file anywhere (if you're not administrator of your own laptop) and set-env SOCKS_CONF=<path>:

# Comment 'debug' to avoid tons of output
#debug: 2

# silence log to avoid minor output
logoutput: /dev/null

# Route to SLAC shall be proxified using (ssh) proxy on localhost:1080
route {
    from: 0.0.0.0/0  to: 134.79.0.0/16  via: 127.0.0.1 port = 1080
    protocol:      tcp
    proxyprotocol: socks_v5 socks_v4
    method:        none  # no authentication
}

# Route to localhost:5056 (deflt. caxy port) shall be proxified to
# 'localhost' at other end of tunnel. This permits proxified caxy to
# use -D1080 ssh option. No need for -L.
route {
    from: 0.0.0.0/0  to: 127.0.0.1/32 port=5056 via: 127.0.0.1 port = 1080
    protocol:      tcp
    proxyprotocol: socks_v5 socks_v4
    method:        none
}
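A small reader for the two 'route { ... }' blocks above, as an added example (not dante's own parser): it extracts 'to', 'port', 'via' and 'protocol' from each block and answers the question a user of this config actually has, namely whether a given connection will be sent to the SOCKS proxy on localhost:1080 or made directly. It reproduces the two points the slide makes: SLAC addresses (134.79.0.0/16) are proxified, and so is localhost:5056, the default caxy port, which is what lets a proxified caxy use ssh's -D instead of an explicit -L forward. Only those keys are handled; the config text embedded here is the slide's two route blocks. Routes are tried in file order (they do not overlap in this config, so order is immaterial here).

```python
# Added example (not dante code): parse dante 'route' blocks and decide which
# destinations get proxified. Handles only to/port/via/protocol.
import ipaddress
import re

DANTE_CONF = """
logoutput: /dev/null

# Route to SLAC shall be proxified using (ssh) proxy on localhost:1080
route {
    from: 0.0.0.0/0  to: 134.79.0.0/16  via: 127.0.0.1 port = 1080
    protocol:      tcp
    proxyprotocol: socks_v5 socks_v4
    method:        none  # no authentication
}

# Route to localhost:5056 (deflt. caxy port) shall be proxified
route {
    from: 0.0.0.0/0  to: 127.0.0.1/32 port=5056 via: 127.0.0.1 port = 1080
    protocol:      tcp
    proxyprotocol: socks_v5 socks_v4
    method:        none
}
"""

_ROUTE_RE = re.compile(r"route\s*\{(.*?)\}", re.S)
_TO_RE = re.compile(r"\bto:\s*(\S+)(?:\s+port\s*=\s*(\d+))?")
_VIA_RE = re.compile(r"\bvia:\s*(\S+)\s+port\s*=\s*(\d+)")
_PROTO_RE = re.compile(r"\bprotocol:\s*([^\n]+)")


def parse_routes(text):
    """Return route dicts in file order:
    {'to': ip_network, 'port': int or None, 'via': (host, port), 'protocols': set}."""
    routes = []
    for body in _ROUTE_RE.findall(text):
        body = re.sub(r"#[^\n]*", "", body)          # drop trailing '# ...' comments
        to, via, proto = _TO_RE.search(body), _VIA_RE.search(body), _PROTO_RE.search(body)
        if not (to and via):
            raise ValueError("route block missing 'to:' or 'via:'")
        routes.append({
            "to": ipaddress.ip_network(to.group(1), strict=False),
            "port": int(to.group(2)) if to.group(2) else None,
            "via": (via.group(1), int(via.group(2))),
            # no 'protocol:' line means the route applies to both protocols
            "protocols": set(proto.group(1).split()) if proto else {"tcp", "udp"},
        })
    return routes


def proxy_for(routes, dst_host, dst_port, protocol="tcp"):
    """Return the (proxy_host, proxy_port) of the first matching route, or None
    when the connection would be made directly (no route covers it)."""
    addr = ipaddress.ip_address(dst_host)
    for r in routes:
        if protocol in r["protocols"] and addr in r["to"] and r["port"] in (None, dst_port):
            return r["via"]
    return None


if __name__ == "__main__":
    routes = parse_routes(DANTE_CONF)
    for dst in [("134.79.12.34", 5064), ("127.0.0.1", 5056), ("127.0.0.1", 5064), ("8.8.8.8", 80)]:
        print(dst, "->", proxy_for(routes, *dst) or "direct")
```

Note that both routes say 'protocol: tcp' only: a UDP datagram to 134.79.x.x is not proxified by this config at all, which is consistent with the rest of the talk (SOCKS does not carry CA's UDP; caxy does).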


Appendix 2 – ssh Config File

• ssh (client) configuration for multi-hop to lcls-builder

# Just some public machine. By using the 'slac_gw' alias
# you only need to change the 'HostName' below if you want/need to
# use another gateway machine
Host                      slac_gw
HostName                  yakut14.slac.stanford.edu

# Door to lcls-builder. Again: we define an alias. This is not reachable
# from the internet, so we use 'slac_gw' as a proxy
Host                      door
HostName                  lcls-prod02.slac.stanford.edu
ProxyCommand              ssh slac_gw /usr/bin/nc %h %p

# Finally, the lcls-builder; only reachable via 'door' (we again use that as a proxy)
# Switch-off GSSAPI; currently no kerberos on the builder
# and we don't want to wait for ssh to find out.
# Also need to explicitly specify different User on that machine.
Host                      lcls-builder
User                      iocegr
HostName                  lcls-builder.slac.stanford.edu
ProxyCommand              ssh door /usr/bin/nc %h %p
GSSAPIAuthentication      no
GSSAPIKeyExchange         no

# But by default we definitely want to use GSSAPI. We also set the default User name here
Host *
User                      you
GSSAPIAuthentication      yes
GSSAPIDelegateCredentials yes
GSSAPIKeyExchange         yes
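A minimal ssh_config reader, as an added example that is not OpenSSH code: it applies the rule ssh uses for client configuration, the first value obtained for an option wins, to the multi-hop config above, and follows each 'ProxyCommand ssh <alias> ...' link to list the hop chain. This makes two properties of the config visible: the 'Host *' defaults must come last (moving them first would silently give lcls-builder the user 'you' and GSSAPI on), and the lcls-builder block overrides only User and the two GSSAPI keys while still inheriting GSSAPIDelegateCredentials from 'Host *'. Only Host, HostName, User, ProxyCommand and the GSSAPI keys are handled; the 'Key=value' spelling and negated '!pattern' entries are not. The embedded config text is the slide's, with shortened comments.

```python
# Added example (not OpenSSH): resolve effective ssh_config options with
# first-value-wins semantics and walk ProxyCommand 'ssh <alias>' hops.
import fnmatch
import re

SSH_CONFIG = """
# Just some public machine; change only 'HostName' to use another gateway
Host                      slac_gw
HostName                  yakut14.slac.stanford.edu

# Door to lcls-builder; not reachable from the internet, so go via 'slac_gw'
Host                      door
HostName                  lcls-prod02.slac.stanford.edu
ProxyCommand              ssh slac_gw /usr/bin/nc %h %p

# The lcls-builder; only reachable via 'door'. No kerberos there, different user.
Host                      lcls-builder
User                      iocegr
HostName                  lcls-builder.slac.stanford.edu
ProxyCommand              ssh door /usr/bin/nc %h %p
GSSAPIAuthentication      no
GSSAPIKeyExchange         no

# Defaults for everything else; must come last
Host *
User                      you
GSSAPIAuthentication      yes
GSSAPIDelegateCredentials yes
GSSAPIKeyExchange         yes
"""


def parse_ssh_config(text):
    """Split ssh_config text into [(host_patterns, {key: value})] in file order.
    Keywords are case-insensitive, so keys are lower-cased; only lines starting
    with '#' are comments. Options before the first 'Host' line apply to all hosts."""
    blocks = []
    current = (["*"], {})
    blocks.append(current)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            current = (value.split(), {})
            blocks.append(current)
        else:
            current[1].setdefault(key, value)     # first value in a block wins too
    return blocks


def effective_options(blocks, host):
    """Options for 'host' as ssh computes them: walk matching blocks in file
    order and keep the first value seen for each key, so later blocks such as
    'Host *' only fill in what earlier, more specific blocks left unset."""
    opts = {}
    for patterns, kv in blocks:
        if any(fnmatch.fnmatchcase(host, p) for p in patterns):
            for key, value in kv.items():
                opts.setdefault(key, value)
    opts.setdefault("hostname", host)
    return opts


def hop_chain(blocks, host):
    """Follow 'ProxyCommand ssh <alias> ...' links back to the first hop.
    Returns aliases in connection order, e.g. ['slac_gw', 'door', 'lcls-builder']."""
    chain, seen = [host], {host}
    while True:
        proxy_cmd = effective_options(blocks, chain[0]).get("proxycommand", "")
        m = re.match(r"ssh\s+(\S+)", proxy_cmd)
        if not m:
            return chain
        nxt = m.group(1)
        if nxt in seen:
            raise ValueError("ProxyCommand loop involving " + nxt)
        seen.add(nxt)
        chain.insert(0, nxt)


if __name__ == "__main__":
    blocks = parse_ssh_config(SSH_CONFIG)
    print("hops to lcls-builder:", " -> ".join(hop_chain(blocks, "lcls-builder")))
    for alias in ("slac_gw", "door", "lcls-builder"):
        print(alias, effective_options(blocks, alias))
```

The loop check in hop_chain is there because a mistyped alias in a ProxyCommand can make ssh recurse forever; resolving the chain offline is a quick way to catch that before touching the real gateways.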


Appendix 3 – proxycap Config

• Win 'proxycap' configuration


Appendix 4 – Win SW Suggestions

• win: putty – GUI ssh client
• 'plink' (comes with putty) is a command-line ssh client, most options are openssh compatible.
• No 'ProxyCommand' equivalent (only from GUI; only 1 hop; couldn't get it to work) → use 'plink <options> host1 ssh <options> host2 … cmd' chain. (Consult 'catun.pl' script for example.)


Appendix 5 – CSS Proxy Settings


Appendix 6 – CSS/Eclipse Plugin

• Extra 'ProxySelector' compatibility plugin