Tunneling Tango

Hi,

I'm facing a problem where a detector machine has to be in a special network segment to be able to access the central storage servers. Sadly, the rest of the experiment's hardware is on a different, encapsulated part of the network, so they cannot see each other.

Would it be feasible to tunnel Tango through SSH using a jump host? If so, which ports would be needed in which direction?

Any other suggestions are appreciated.

Thanks,
Jan
Hi,
I understand that your network has two segments.
And you can ssh from one towards another.
It means you have a sort of router or firewall between them which allows ssh?
If so, perhaps no need to tunnel Tango protocols through ssh but rather just add the right rule to allow them …
Just an idea … not tested
Regards
Pierre
Hi Pierre,

well, I have root access to the detector machine as well as to the Tango DB host. But the jump host as well as everything concerning the network is managed by other groups. Of course I am in communication with them to see what's possible, but as this is not just easy (many different departments involved), I'm looking for a workaround I could realise myself.

Regards,
Jan
Hi Jan,

Up to and including cppTango (the Tango kernel) version 9.3.4, full SSH tunnelling of devices (actually device servers) is not possible due to the fact that a device server's ZMQ event system ports are ephemeral. The feature of configurable ZMQ event system ports has been added to the upcoming 9.3.5 release.

In 9.3.5 it will be possible to specify the two ports for the ZMQ event system. This, together with the already existing configuration option for the device server's CORBA port (parameter ORBendPoint), will allow you to run the device server with three fixed and predictable ports. This in turn will make it possible to tunnel them with SSH.

Cheers,
Thomas
Hi Thomas,

thanks for the information.

Just to clarify and maybe to try it out, once 9.3.5 has been released. Which ports are opened by which programs in case of a DB system? Which connections will be made from where to where in case of
a) the startup of a DS and
b) if a Tango proxy connects to a DS?

I never really cared what exactly happens in the background and was not able to find quick answers on the net.

Regards,
Jan
Hi Jan,

This is not an extensive list, see below:
- Port 10000 on TANGOHOST.
- One port per device server, if unspecified ephemeral, for the CORBA comms.
- Two ports per device server, if unspecified ephemeral, on receiving the first event subscription request.
- More ports, but I do not remember off the top of my head.

What I remember is that there was a very nice talk about the event system in a TC webinar. There: https://www.tango-controls.org/community/news/2021/04/29/3rd-tango-kernel-webinar-cpptango-events/

Cheers,
Thomas
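
An added example, not part of the thread and not Tango project code: once a device server runs with three fixed ports as described above, the SSH side of the workaround is one loopback-bound forward per port through the jump host. The host names and the ports 45000-45002 are constructed placeholders, and the sketch covers only the SSH command, not how the device server is given its ports.

```shell
#!/usr/bin/env bash
# Added example: builds an ssh command that forwards a fixed list of ports
# through a jump host. Hosts and ports 45000-45002 are constructed placeholders.

# valid_port PORT: succeeds if PORT is a decimal integer in 1..65535.
valid_port() {
    case "$1" in
        ''|0*|*[!0-9]*|??????*) return 1 ;;
    esac
    [ "$1" -le 65535 ]
}

# valid_host HOST: letters, digits, dot and hyphen only, so an argument
# cannot smuggle extra ssh options or shell syntax into the command line.
valid_host() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
}

# build_tunnel_cmd JUMP ENDPOINT HOST:PORT...
# Prints one ssh command. Each HOST:PORT (HOST as resolved on ENDPOINT) is
# reachable on the same port of local 127.0.0.1, never a public interface.
build_tunnel_cmd() {
    jump=$1 endpoint=$2
    shift 2
    [ "$#" -gt 0 ] || { echo "no forwards given" >&2; return 1; }
    valid_host "$jump" && valid_host "$endpoint" \
        || { echo "bad ssh host" >&2; return 1; }
    # ExitOnForwardFailure: refuse to run with only some ports forwarded.
    cmd="ssh -N -o ExitOnForwardFailure=yes -J $jump"
    seen=" "
    for spec in "$@"; do
        host=${spec%:*} port=${spec##*:}
        [ "$host" != "$spec" ] && valid_host "$host" && valid_port "$port" \
            || { echo "bad forward: $spec" >&2; return 1; }
        case "$seen" in
            *" $port "*) echo "local port reused: $port" >&2; return 1 ;;
        esac
        seen="$seen$port "
        cmd="$cmd -L 127.0.0.1:$port:$host:$port"
    done
    printf '%s %s\n' "$cmd" "$endpoint"
}

# Constructed scenario: one device server on the detector machine with three
# fixed ports (CORBA plus the two ZMQ event ports).
build_tunnel_cmd jump.example detector.example \
    localhost:45000 localhost:45001 localhost:45002
```

The same function produces the forward for port 10000 on TANGOHOST when it is run from a machine that has to reach the database.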