CA over TCP

From EPICSWIKI
Revision as of 18:15, 15 April 2008 by RalphLange (Name Resolution: old (rsrv) servers are ignored)
Jeff Hill and Ralph Lange, Codeathon 2008
(This refers to the CA over TCP topic of Andrew's project list.)

Goal

Provide a way to run CA on TCP circuits. Intended use: run CA clients remotely, connecting to the control system safely and securely through an ssh tunnel. For security reasons these tunneled connections should terminate at a CA Gateway.

Approach

TCP connections can easily be tunneled through ssh. To allow CA connections through such a TCP tunnel, the client must avoid using UDP, which CA currently relies on for name resolution and for server beacons.

Beacons

We are ignoring the beacon topic for the time being. With the current EPICS release, CA clients do not back off the search interval beyond a fixed upper limit, so even when no beacon anomaly is detected, every unresolved channel keeps being retried and will connect sooner or later. That should be good enough for a start.

Name Resolution

A new environment variable EPICS_CA_NAME_SERVERS will be used to configure TCP name resolution. This variable takes a list of IP addresses. At init time the client opens regular TCP connections (default port 5064) to those servers and issues name resolution requests over TCP, in addition to the UDP requests it sends to the addresses in EPICS_CA_ADDR_LIST.

The CAS server will be changed to forward the name resolution requests coming from TCP directly to the server tool. The rsrv server will not be changed, i.e. name resolution over TCP will only work against CAS.

Servers that cannot handle name requests over TCP (e.g. rsrv) will be ignored, i.e. the client will not see the requested channels through that TCP connection and will not connect unless a different (name) server answers the request.

List of Necessary Changes

CA Client

  • tcpiiu changes
    • add bool _nameService private member data flag
    • pass bool nameService arg to tcpiiu constructor (setting private bool flag)
    • if _nameService, constructor registers member SearchDest with cac
    • if _nameService, destructor unregisters member SearchDest with cac
    • if _nameService flag is set send thread sleeps and then tries to connect again if connect fails
    • if _nameService flag is set, the receive thread, upon receiving a disconnect notification from the socket
      • commands the send thread to exit
      • waits for the send thread to exit
      • (clears all buffers)
      • sleeps
      • restarts the send thread
      • exits
    • private member class deriving from SearchDest called TCPSearchDest
    • private member of type TCPSearchDest called _searchDest
    • implement code calling Callback :: notify () when the response to a search request arrives
    • implement SearchDest :: searchRequest () that issues a TCP search request if the server is capable, else directly calls Callback :: notify ()
  • udpiiu changes
    • private member class deriving from SearchDest called UDPSearchDest
      • instances on the search list
    • private member class deriving from SearchDest :: Callback called UDPSearchDestCB
      • implement UDPSearchDestCB :: notify ()
    • implement code calling Callback :: notify () when the response to a search request arrives
    • build udp search dest objects
      • remove "dest" member data
      • add private tsDLList < SearchDest > list called _searchDestList
      • build address list ELLLIST using iocinf.c code parsing addr list and traversing NICs
      • for each member of this list create private SearchDest derived objects
      • install the SearchDest derived objects in _searchDestList
      • destroy ELLLIST members
    • add public register/unregister SearchDest to udpiiu (called by cac)
  • cac changes
    • code parsing EPICS_CA_NAME_SERVERS (in constructor?)
    • creates the tcpiiu, passing nameService = true to its constructor
    • add public register/unregister SearchDest to cac (called by tcpiiu constructor and destructor)
    • in destructor guarantee that udpiiu is shut down prior to deleting the nameService tcpiiu
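The SearchDest fan-out described in the tcpiiu, udpiiu and cac items above, as an added C++ model that is not EPICS base code: the class and method names follow the list, but the exact signatures, the notify(name, found) convention and the way an incapable (rsrv) peer answers immediately are assumptions.

```cpp
#include <list>
#include <string>
#include <vector>
// Assumed interface: a search destination gets a channel name plus a callback
// that is notified when a response arrives (or immediately, see TCPSearchDest).
struct Callback { virtual ~Callback() {} virtual void notify(const std::string &name, bool found) = 0; };
struct SearchDest { virtual ~SearchDest() {} virtual void searchRequest(const std::string &name, Callback &cb) = 0; };
// UDP destination (one per EPICS_CA_ADDR_LIST entry): always sends the request.
struct UDPSearchDest : SearchDest {
    std::vector<std::string> sent;
    void searchRequest(const std::string &name, Callback &) { sent.push_back(name); }
};
// TCP name server (EPICS_CA_NAME_SERVERS entry): sends only if the peer can
// resolve names over TCP (CAS); an rsrv peer is skipped and the callback is
// told "not found" right away so the search never waits on it.
struct TCPSearchDest : SearchDest {
    bool capable;
    std::vector<std::string> sent;
    explicit TCPSearchDest(bool c) : capable(c) {}
    void searchRequest(const std::string &name, Callback &cb) {
        if (capable) sent.push_back(name); else cb.notify(name, false);
    }
};
// Stand-in for cac's public register/unregister of search destinations.
struct Cac {
    std::list<SearchDest *> dests;
    void registerSearchDest(SearchDest &d) { dests.push_back(&d); }
    void unregisterSearchDest(SearchDest &d) { dests.remove(&d); }
    void search(const std::string &name, Callback &cb) {
        for (SearchDest *d : dests) d->searchRequest(name, cb);
    }
};
struct CountingCallback : Callback {
    int notified = 0;
    void notify(const std::string &, bool) { ++notified; }
};
// Scenario: one UDP destination, one CAS name server, one old rsrv peer; the
// rsrv destination is unregistered (as its tcpiiu destructor would do) before
// a second search. Channel names are constructed sample values.
struct DemoResult { int udpSent, casSent, rsrvSent, notified; };
DemoResult runDemo() {
    Cac cac; UDPSearchDest udp; TCPSearchDest cas(true), rsrv(false); CountingCallback cb;
    cac.registerSearchDest(udp); cac.registerSearchDest(cas); cac.registerSearchDest(rsrv);
    cac.search("LINAC:BPM1:X", cb);   // goes to udp and cas; rsrv answers "not found" at once
    cac.unregisterSearchDest(rsrv);
    cac.search("LINAC:BPM2:X", cb);   // only udp and cas remain registered
    DemoResult r = { (int)udp.sent.size(), (int)cas.sent.size(), (int)rsrv.sent.size(), cb.notified };
    return r;
}
```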

CAS

to be identified

rsrv

None.