epics-containers · gilesknap · Aug 23, 2024 · Aug 23, 2024 · Aug 23, 2024 · Aug 23, 2024
diff --git a/opi/phoebus-launch.sh b/opi/phoebus-launch.sh
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+# A launcher for the phoebus container that allows X11 forwarding
+
+thisdir=$(realpath $(dirname ${BASH_SOURCE[0]}))
+workspace=$(realpath ${thisdir}/..)
+
+if [[ $(docker --version 2>/dev/null) == *Docker* ]]; then
+    docker=docker
+else
+    docker=podman
+    args="--security-opt=label=type:container_runtime_t"
+fi
+
+XSOCK=/tmp/.X11-unix # X11 socket (but we mount the whole of tmp)
+XAUTH=/tmp/.container.xauth.$USER
+touch $XAUTH
+xauth nlist $DISPLAY | sed -e 's/^..../ffff/' | xauth -f $XAUTH nmerge -
+chmod 777 $XAUTH
+
+x11="
+-e DISPLAY
+-v $XAUTH:$XAUTH
+-e XAUTHORITY=$XAUTH
+--net host
+"
+
+args=${args}"
+-it
+"
+
+export MYHOME=/home/${USER}
+# mount in your own home dir in same folder for access to external files
+mounts="
+-v=/tmp:/tmp
+-v=${MYHOME}/.ssh:/root/.ssh
+-v=${MYHOME}:${MYHOME}
+-v=${workspace}:/workspace
+"
+
+# settings for p47
+settings="
+-resource /workspace/opi/p47-beamline.opi
+-settings /workspace/opi/settings.ini
+"
+
+set -x
+$docker run ${mounts} ${args} ${x11} ghcr.io/epics-containers/ec-phoebus:latest ${settings} "${@}"
diff --git a/opi/settings.ini b/opi/settings.ini
@@ -0,0 +1,2 @@
+# bl47p-ea-serv-01.diamond.ac.uk
+org.phoebus.pv.ca/addr_list=172.23.242.47
diff --git a/services/.ioc_template/values.yaml b/services/.ioc_template/values.yaml
@@ -7,7 +7,7 @@ ioc-instance:
   #    this adds tools and compilers to the container so you
   #    can experiment in the cluster to fix the issue
   #
-  # image: ghcr.io/epics-containers/ioc-adsimdetector-developer:2024.4.1
+  # image: ghcr.io/epics-containers/ioc-adsimdetector-developer:2024.9.1
 
   # 2. override the entry point to be a sleep infinity
   #    this means you can now use 'ec exec' to get a shell
@@ -18,4 +18,4 @@ ioc-instance:
   #    is fixed.
   #
   # startCommand: sleep
-  # startArgs: infinity
+  # startArgs: infinity
diff --git a/services/bl47p-ea-dcam-01/values.yaml b/services/bl47p-ea-dcam-01/values.yaml
@@ -1,4 +1,4 @@
 # yaml-language-server: $schema=https://github.com/epics-containers/ec-helm-charts/releases/download/3.4.4/ioc-instance.schema.json#/$defs/service
 
 ioc-instance:
-  image: ghcr.io/epics-containers/ioc-adaravis-runtime:2024.7.2b1
+  image: ghcr.io/epics-containers/ioc-adaravis-runtime:2024.9.1
diff --git a/services/bl47p-ea-dcam-02/values.yaml b/services/bl47p-ea-dcam-02/values.yaml
@@ -1,4 +1,4 @@
 # yaml-language-server: $schema=https://github.com/epics-containers/ec-helm-charts/releases/download/3.4.4/ioc-instance.schema.json#/$defs/service
 
 ioc-instance:
-  image: ghcr.io/epics-containers/ioc-adaravis-runtime:2024.7.2b1
+  image: ghcr.io/epics-containers/ioc-adaravis-runtime:2024.9.1
diff --git a/services/bl47p-ea-panda-01/values.yaml b/services/bl47p-ea-panda-01/values.yaml
@@ -1,5 +1,5 @@
 # yaml-language-server: $schema=https://github.com/epics-containers/ec-helm-charts/releases/download/3.4.4/ioc-instance.schema.json#/$defs/service
 
 ioc-instance:
-  image: ghcr.io/pandablocks/pandablocks-ioc:0.5.0
+  image: ghcr.io/pandablocks/pandablocks-ioc:0.9.0
   iocConfig: /epics/ioc
diff --git a/services/bl47p-mo-ioc-01/values.yaml b/services/bl47p-mo-ioc-01/values.yaml
@@ -1,4 +1,4 @@
 # yaml-language-server: $schema=https://github.com/epics-containers/ec-helm-charts/releases/download/3.4.4/ioc-instance.schema.json#/$defs/service
 
 ioc-instance:
-  image: ghcr.io/epics-containers/ioc-pmac-runtime:2024.8.1
+  image: ghcr.io/epics-containers/ioc-pmac-runtime:2024.9.1
diff --git a/services/cagateway/Chart.yaml b/services/cagateway/Chart.yaml
@@ -0,0 +1,7 @@
+# A Helm Chart for a ca-gateway service
+# This is hard coded into the module right now TODO: make a oci chart for this
+apiVersion: v2
+name: ec-gateway
+version: 1.0.0
+
+type: application
diff --git a/services/cagateway/compose.yml b/services/cagateway/compose.yml
@@ -0,0 +1,59 @@
+# When deploying IOCs to a server with docker, the choice is:
+#
+# 1. Use host network so their PVs available on the subnet
+# 2. Run a ca-gateway on each server and add all servers to client's
+#    EPICS_CA_ADDR_LIST
+#
+# at present the only available option for podman is to use host network
+
+services:
+
+  # ca-gateway for development #################################################
+
+  ca-gateway: &ca-gateway
+
+    image: ghcr.io/epics-containers/docker-ca-gateway:2.1.3ec1
+
+    expose:
+      - 5064-5065/udp
+      - 5064-5065
+
+    ports:
+      # bind to localhost to isolate channel access to this host only
+      - 127.0.0.1:5064:5064/udp
+      - 127.0.0.1:5064-5065:5064-5065
+
+    restart: unless-stopped
+
+    networks:
+      channel_access:
+        ipv4_address: 172.20.255.254
+
+    configs:
+      - source: ca-gateway_config
+        target: /config
+
+    command: -cip 172.20.255.255 -pvlist /config/pvlist -access /config/access -log /dev/stdout -debug 1
+
+    profiles:
+      - develop
+
+  # per server ca-gateway for deployment #######################################
+  ca-gateway-deploy:
+
+    <<: *ca-gateway
+
+    ports:
+    # TODO - drop the IP address but also set up pvlist to make sure there
+    # are no loops - I need to look into safe config for per server ca-gateways
+    - 127.0.0.1:5064:5064/udp
+    - 127.0.0.1:5064-5065:5064-5065
+
+    command: -cip 172.20.255.255 -pvlist /config/pvlist -access /config/access -log /dev/stdout -debug 1
+
+    profiles:
+      - deploy
+
+configs:
+  ca-gateway_config:
+    file: ./config
diff --git a/services/cagateway/config/access b/services/cagateway/config/access
@@ -0,0 +1,6 @@
+# See /EPICS/extensions/src/gateway/GATEWAY.access for more detailed example
+
+ASG(DEFAULT) {
+   RULE(1,READ)
+   RULE(1,WRITE)
+}
diff --git a/services/cagateway/config/pvlist b/services/cagateway/config/pvlist
@@ -0,0 +1,9 @@
+# See /EPICS/extensions/src/gateway/GATEWAY.pvlist for more detailed example
+
+EVALUATION ORDER ALLOW, DENY
+
+BL47P.*            ALLOW
+
+# [0-9].*          ALLOW
+# [a-z].*          ALLOW
+# [A-Z].*          ALLOW
diff --git a/services/cagateway/templates/configmap.yaml b/services/cagateway/templates/configmap.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name:  {{ .Release.Name }}-config
+  labels:
+    app: {{ .Release.Name }}
+data:
+
+# contents of the ioc instance config folder
+{{ (.Files.Glob "config/*").AsConfig | indent 2 }}
diff --git a/services/cagateway/templates/deployment.yaml b/services/cagateway/templates/deployment.yaml
@@ -0,0 +1,86 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: {{ .Release.Name }}
+    enabled: 'true'
+    ioc_group: p47
+    is_ioc: 'true'
+    location: bl47p
+  name: {{ .Release.Name }}
+  namespace: p47-beamline
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: {{ .Release.Name }}
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        app: {{ .Release.Name }}
+        ioc_group: p47
+        is_ioc: 'true'
+        location: bl47p
+        rollme: goWO0
+    spec:
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: beamline
+                    operator: In
+                    values:
+                      - bl47p
+      containers:
+        - command:
+           - bash
+          args:
+           - "-c"
+           - "/epics/gateway -sport 9064 -cip 172.23.255.255 -pvlist /config/pvlist -access /config/access -log /dev/stdout -debug 1"
+          env:
+            - name: IOC_NAME
+              value: {{ .Release.Name }}
+            - name: IOC_LOCATION
+              value: bl47p
+            - name: IOC_GROUP
+              value: p47
+          image: {{ .Values.image }}
+          imagePullPolicy: Always
+          name: {{ .Release.Name }}
+          resources:
+            limits:
+              cpu: 500m
+              memory: 256Mi
+            requests:
+              cpu: 100m
+              memory: 64Mi
+          securityContext:
+            allowPrivilegeEscalation: false
+          stdin: true
+          tty: true
+          volumeMounts:
+            - mountPath: /config
+              name: config-volume
+      hostNetwork: true
+      restartPolicy: Always
+      terminationGracePeriodSeconds: 3
+      tolerations:
+        - effect: NoSchedule
+          key: beamline
+          operator: Equal
+          value: bl47p
+        - effect: NoSchedule
+          key: location
+          operator: Equal
+          value: bl47p
+        - effect: NoSchedule
+          key: nodetype
+          operator: Equal
+          value: training-rig
+      volumes:
+        - configMap:
+            defaultMode: 420
+            name: {{ .Release.Name }}-config
+          name: config-volume
diff --git a/services/cagateway/values.yaml b/services/cagateway/values.yaml
@@ -0,0 +1 @@
+image: ghcr.io/epics-containers/docker-ca-gateway-debug:2.1.3ec1
diff --git a/services/values.yaml b/services/values.yaml
@@ -10,7 +10,7 @@ global:
 ioc-instance:
   # useHostNetwork - use host network for IOC - required for Channel Access
   # to work outside of the cluster
-  hostNetwork: true
+  hostNetwork: false
 
   # affinity and tolerations to get the right nodes on pollux
   securityContext:
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		# bl47p-ea-serv-01.diamond.ac.uk
		org.phoebus.pv.ca/addr_list=172.23.242.47
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		image: ghcr.io/epics-containers/docker-ca-gateway-debug:2.1.3ec1