diff --git a/opi/phoebus-launch.sh b/opi/phoebus-launch.sh
new file mode 100755
index 0000000..8ec5640
--- /dev/null
+++ b/opi/phoebus-launch.sh
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+# A launcher for the phoebus container that allows X11 forwarding
+
+thisdir=$(realpath $(dirname ${BASH_SOURCE[0]}))
+workspace=$(realpath ${thisdir}/..)
+
+if [[ $(docker --version 2>/dev/null) == *Docker* ]]; then
+ docker=docker
+else
+ docker=podman
+ args="--security-opt=label=type:container_runtime_t"
+fi
+
+XSOCK=/tmp/.X11-unix # X11 socket (but we mount the whole of tmp)
+XAUTH=/tmp/.container.xauth.$USER
+touch $XAUTH
+xauth nlist $DISPLAY | sed -e 's/^..../ffff/' | xauth -f $XAUTH nmerge -
+chmod 777 $XAUTH
+
+x11="
+-e DISPLAY
+-v $XAUTH:$XAUTH
+-e XAUTHORITY=$XAUTH
+--net host
+"
+
+args=${args}"
+-it
+"
+
+export MYHOME=/home/${USER}
+# mount in your own home dir in same folder for access to external files
+mounts="
+-v=/tmp:/tmp
+-v=${MYHOME}/.ssh:/root/.ssh
+-v=${MYHOME}:${MYHOME}
+-v=${workspace}:/workspace
+"
+
+# settings for p47
+settings="
+-resource /workspace/opi/p47-beamline.opi
+-settings /workspace/opi/settings.ini
+"
+
+set -x
+$docker run ${mounts} ${args} ${x11} ghcr.io/epics-containers/ec-phoebus:latest ${settings} "${@}"
diff --git a/opi/settings.ini b/opi/settings.ini
new file mode 100644
index 0000000..4f60b71
--- /dev/null
+++ b/opi/settings.ini
@@ -0,0 +1,2 @@
+# bl47p-ea-serv-01.diamond.ac.uk
+org.phoebus.pv.ca/addr_list=172.23.242.47
diff --git a/services/.ioc_template/values.yaml b/services/.ioc_template/values.yaml
index 38d0952..6e5415d 100644
--- a/services/.ioc_template/values.yaml
+++ b/services/.ioc_template/values.yaml
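Review bot: `chmod 777 $XAUTH` leaves the merged X11 cookie readable and writable by every local account, and the file lives at a predictable name under `/tmp`, so another user on the workstation can read the cookie for this display or have the path pre-created or symlinked before `touch` runs. Owner-only permissions should be enough if the container runs as root or as the invoking user (not verifiable from this hunk): create the file with `XAUTH=$(mktemp /tmp/.container.xauth.XXXXXX)` and use `chmod 600 "$XAUTH"`. Separately, the run line bind-mounts `${MYHOME}/.ssh` and all of `/tmp` read-write into an image referenced by the mutable `:latest` tag; `-v=${MYHOME}/.ssh:/root/.ssh:ro` and a fixed tag or digest would narrow what an unexpected image update can reach. The expansions (`$XAUTH`, `$DISPLAY`, `${thisdir}`) are also unquoted, which breaks on paths containing spaces.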
@@ -7,7 +7,7 @@ ioc-instance: # this adds tools and compilers to the container so you # can experiment in the cluster to fix the issue # - # image: ghcr.io/epics-containers/ioc-adsimdetector-developer:2024.4.1 + # image: ghcr.io/epics-containers/ioc-adsimdetector-developer:2024.9.1 # 2. override the entry point to be a sleep infinity # this means you can now use 'ec exec' to get a shell @@ -18,4 +18,4 @@ ioc-instance: # is fixed. # # startCommand: sleep - # startArgs: infinity \ No newline at end of file + # startArgs: infinity diff --git a/services/bl47p-ea-dcam-01/values.yaml b/services/bl47p-ea-dcam-01/values.yaml index dba6e21..7800569 100644 --- a/services/bl47p-ea-dcam-01/values.yaml +++ b/services/bl47p-ea-dcam-01/values.yaml @@ -1,4 +1,4 @@ # yaml-language-server: $schema=https://github.com/epics-containers/ec-helm-charts/releases/download/3.4.4/ioc-instance.schema.json#/$defs/service ioc-instance: - image: ghcr.io/epics-containers/ioc-adaravis-runtime:2024.7.2b1 + image: ghcr.io/epics-containers/ioc-adaravis-runtime:2024.9.1 diff --git a/services/bl47p-ea-dcam-02/values.yaml b/services/bl47p-ea-dcam-02/values.yaml index dba6e21..7800569 100644 --- a/services/bl47p-ea-dcam-02/values.yaml +++ b/services/bl47p-ea-dcam-02/values.yaml @@ -1,4 +1,4 @@ # yaml-language-server: $schema=https://github.com/epics-containers/ec-helm-charts/releases/download/3.4.4/ioc-instance.schema.json#/$defs/service ioc-instance: - image: ghcr.io/epics-containers/ioc-adaravis-runtime:2024.7.2b1 + image: ghcr.io/epics-containers/ioc-adaravis-runtime:2024.9.1 diff --git a/services/bl47p-ea-panda-01/values.yaml b/services/bl47p-ea-panda-01/values.yaml index 53f0875..32bbccd 100644 --- a/services/bl47p-ea-panda-01/values.yaml +++ b/services/bl47p-ea-panda-01/values.yaml 
@@ -1,5 +1,5 @@ # yaml-language-server: $schema=https://github.com/epics-containers/ec-helm-charts/releases/download/3.4.4/ioc-instance.schema.json#/$defs/service ioc-instance: - image: ghcr.io/pandablocks/pandablocks-ioc:0.5.0 + image: ghcr.io/pandablocks/pandablocks-ioc:0.9.0 iocConfig: /epics/ioc diff --git a/services/bl47p-mo-ioc-01/values.yaml b/services/bl47p-mo-ioc-01/values.yaml index 7926967..102ea74 100644 --- a/services/bl47p-mo-ioc-01/values.yaml +++ b/services/bl47p-mo-ioc-01/values.yaml @@ -1,4 +1,4 @@ # yaml-language-server: $schema=https://github.com/epics-containers/ec-helm-charts/releases/download/3.4.4/ioc-instance.schema.json#/$defs/service ioc-instance: - image: ghcr.io/epics-containers/ioc-pmac-runtime:2024.8.1 + image: ghcr.io/epics-containers/ioc-pmac-runtime:2024.9.1 diff --git a/services/cagateway/Chart.yaml b/services/cagateway/Chart.yaml new file mode 100644 index 0000000..864539e --- /dev/null +++ b/services/cagateway/Chart.yaml @@ -0,0 +1,7 @@ +# A Helm Chart for a ca-gateway service +# This is hard coded into the module right now TODO: make a oci chart for this +apiVersion: v2 +name: ec-gateway +version: 1.0.0 + +type: application diff --git a/services/cagateway/compose.yml b/services/cagateway/compose.yml new file mode 100644 index 0000000..ae4db31 --- /dev/null +++ b/services/cagateway/compose.yml 
@@ -0,0 +1,59 @@
+# When deploying IOCs to a server with docker, the choice is:
+#
+# 1. Use host network so their PVs available on the subnet
+# 2. Run a ca-gateway on each server and add all servers to client's
+# EPICS_CA_ADDR_LIST
+#
+# at present the only available option for podman is to use host network
+
+services:
+
+ # ca-gateway for development #################################################
+
+ ca-gateway: &ca-gateway
+
+ image: ghcr.io/epics-containers/docker-ca-gateway:2.1.3ec1
+
+ expose:
+ - 5064-5065/udp
+ - 5064-5065
+
+ ports:
+ # bind to localhost to isolate channel access to this host only
+ - 127.0.0.1:5064:5064/udp
+ - 127.0.0.1:5064-5065:5064-5065
+
+ restart: unless-stopped
+
+ networks:
+ channel_access:
+ ipv4_address: 172.20.255.254
+
+ configs:
+ - source: ca-gateway_config
+ target: /config
+
+ command: -cip 172.20.255.255 -pvlist /config/pvlist -access /config/access -log /dev/stdout -debug 1
+
+ profiles:
+ - develop
+
+ # per server ca-gateway for deployment #######################################
+ ca-gateway-deploy:
+
+ <<: *ca-gateway
+
+ ports:
+ # TODO - drop the IP address but also set up pvlist to make sure there
+ # are no loops - I need to look into safe config for per server ca-gateways
+ - 127.0.0.1:5064:5064/udp
+ - 127.0.0.1:5064-5065:5064-5065
+
+ command: -cip 172.20.255.255 -pvlist /config/pvlist -access /config/access -log /dev/stdout -debug 1
+
+ profiles:
+ - deploy
+
+configs:
+ ca-gateway_config:
+ file: ./config
diff --git a/services/cagateway/config/access b/services/cagateway/config/access
new file mode 100644
index 0000000..f69d0e8
--- /dev/null
+++ b/services/cagateway/config/access
@@ -0,0 +1,6 @@
+# See /EPICS/extensions/src/gateway/GATEWAY.access for more detailed example
+
+ASG(DEFAULT) {
+ RULE(1,READ)
+ RULE(1,WRITE)
+}
diff --git a/services/cagateway/config/pvlist b/services/cagateway/config/pvlist
new file mode 100644
index 0000000..3dc8d4c
--- /dev/null
+++ b/services/cagateway/config/pvlist
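Review bot: The `ca-gateway` service attaches to a `channel_access` network with a fixed `ipv4_address`, but this file has no top-level `networks:` section that defines the network or its subnet; unless a parent compose file that includes this one declares it (not visible here), compose will reject the service. A comment naming where it is declared would help, e.g. `# channel_access network is declared in <parent compose file>`. In `ca-gateway-deploy`, the `ports:` and `command:` entries repeat what `<<: *ca-gateway` already merges in, so they could be left out until the TODO actually changes them.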
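Review bot: `ASG(DEFAULT)` grants both `RULE(1,READ)` and `RULE(1,WRITE)` with no `UAG`/`HAG` condition, so every client that can reach the gateway may write to any PV the pvlist lets through (`BL47P.*`). That is contained while the compose services bind to 127.0.0.1, but the Helm deployment in this commit appears to load the same `config/` directory and runs with `hostNetwork: true` and `-cip 172.23.255.255`. Consider keeping READ open and restricting writes, e.g. `RULE(1,WRITE) { UAG(<operators>) HAG(<control-hosts>) }` with those groups defined above the ASG (the group names are placeholders).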
@@ -0,0 +1,9 @@
+# See /EPICS/extensions/src/gateway/GATEWAY.pvlist for more detailed example
+
+EVALUATION ORDER ALLOW, DENY
+
+BL47P.* ALLOW
+
+# [0-9].* ALLOW
+# [a-z].* ALLOW
+# [A-Z].* ALLOW
diff --git a/services/cagateway/templates/configmap.yaml b/services/cagateway/templates/configmap.yaml
new file mode 100644
index 0000000..3b4c418
--- /dev/null
+++ b/services/cagateway/templates/configmap.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Release.Name }}-config
+ labels:
+ app: {{ .Release.Name }}
+data:
+
+# contents of the ioc instance config folder
+{{ (.Files.Glob "config/*").AsConfig | indent 2 }}
\ No newline at end of file
diff --git a/services/cagateway/templates/deployment.yaml b/services/cagateway/templates/deployment.yaml
new file mode 100644
index 0000000..48c8dc6
--- /dev/null
+++ b/services/cagateway/templates/deployment.yaml
@@ -0,0 +1,86 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: {{ .Release.Name }}
+ enabled: 'true'
+ ioc_group: p47
+ is_ioc: 'true'
+ location: bl47p
+ name: {{ .Release.Name }}
+ namespace: p47-beamline
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: {{ .Release.Name }}
+ template:
+ metadata:
+ creationTimestamp: null
+ labels:
+ app: {{ .Release.Name }}
+ ioc_group: p47
+ is_ioc: 'true'
+ location: bl47p
+ rollme: goWO0
+ spec:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: beamline
+ operator: In
+ values:
+ - bl47p
+ containers:
+ - command:
+ - bash
+ args:
+ - "-c"
+ - "/epics/gateway -sport 9064 -cip 172.23.255.255 -pvlist /config/pvlist -access /config/access -log /dev/stdout -debug 1"
+ env:
+ - name: IOC_NAME
+ value: {{ .Release.Name }}
+ - name: IOC_LOCATION
+ value: bl47p
+ - name: IOC_GROUP
+ value: p47
+ image: {{ .Values.image }}
+ imagePullPolicy: Always
+ name: {{ .Release.Name }}
+ resources:
+ limits:
+ cpu: 500m
+ memory: 256Mi
+ requests:
+ cpu: 100m
+ memory: 64Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ stdin: true
+ tty: true
+ volumeMounts:
+ - mountPath: /config
+ name: config-volume
+ hostNetwork: true
+ restartPolicy: Always
+ terminationGracePeriodSeconds: 3
+ tolerations:
+ - effect: NoSchedule
+ key: beamline
+ operator: Equal
+ value: bl47p
+ - effect: NoSchedule
+ key: location
+ operator: Equal
+ value: bl47p
+ - effect: NoSchedule
+ key: nodetype
+ operator: Equal
+ value: training-rig
+ volumes:
+ - configMap:
+ defaultMode: 420
+ name: {{ .Release.Name }}-config
+ name: config-volume
\ No newline at end of file
diff --git a/services/cagateway/values.yaml b/services/cagateway/values.yaml
new file mode 100644
index 0000000..a839522
--- /dev/null
+++ b/services/cagateway/values.yaml
@@ -0,0 +1 @@
+image: ghcr.io/epics-containers/docker-ca-gateway-debug:2.1.3ec1
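Review bot: The pod sets `hostNetwork: true` while the container `securityContext` carries only `allowPrivilegeEscalation: false`, so the gateway keeps the image's default user and capability set while sharing the node's network namespace. Because `-sport 9064` is an unprivileged port, it should be possible to add `runAsNonRoot: true` and `capabilities: {drop: ["ALL"]}` under `securityContext`, assuming the image can run as a non-root user (not visible here). `creationTimestamp: null`, `rollme: goWO0` and the hard-coded `namespace: p47-beamline` look like leftovers from an exported manifest; in a chart template the namespace would normally be `{{ .Release.Namespace }}`.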
diff --git a/services/values.yaml b/services/values.yaml index 12e82c2..37667b3 100644 --- a/services/values.yaml +++ b/services/values.yaml @@ -10,7 +10,7 @@ global: ioc-instance: # useHostNetwork - use host network for IOC - required for Channel Access # to work outside of the cluster - hostNetwork: true + hostNetwork: false # affinity and tolerations to get the right nodes on pollux securityContext:
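Review bot: The comment above the changed line still says host network is "required for Channel Access to work outside of the cluster", which now contradicts `hostNetwork: false`. Suggest rewording it along the lines of `# hostNetwork - off by default; Channel Access from outside the cluster goes through services/cagateway`, assuming that is the purpose of the gateway added in this commit. The hunk shows only part of the `ioc-instance` block, so any other consumer of this default is outside what can be checked here.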