Setup MIDAS experiment at TRIUMF: Difference between revisions
Stefan Ritt (talk | contribs) |
|||
(58 intermediate revisions by 4 users not shown) | |||
Line 1: | Line 1: | ||
{{Pagelinks}} | {{Pagelinks}} | ||
=== | == Introduction == | ||
This page describes setting up a MIDAS experiment at TRIUMF. This information can be adapted for other sites. | |||
== Environment variables == | |||
/home/exptuser/ | * '''MIDASSYS''' Base directory of the MIDAS package, midas and mxml should be at the same level. | ||
* '''MIDAS_EXPTAB''' Experiment definition file | |||
* '''MIDAS_SERVER_HOST''' MIDAS host server name for remote midas connections. | |||
* '''MIDAS_EXPT_NAME''' Experiment name | |||
== Standard layout of MIDAS experiment == | |||
The following shows the directory layout of a standard MIDAS experiment: | |||
/home/exptuser/ | |||
packages/ | |||
root <---- ROOT | |||
mxml | |||
mscb | |||
midas/ <---- MIDAS | |||
linux/{lib,bin} <---- binaries matching the selected 64-bit/32-bit flavour of ROOT | |||
linux-m32/{lib,bin} <---- limited function 32-bit binaries for 32-bit frontend machines, build by "make linux32" | |||
linux-m64/{lib,bin} <---- limited function 64-bit binaries (only needed if ROOT and linux/bin are 32-bit) | |||
linux-arm/{lib,bin} <---- full function ARM cross-compiled using "make linuxarm" | |||
linux-crosscompile/{lib,bin} <---- cross-compiled limited function binaries for PPC and ARM frontends (see Makefile) | |||
/data/exptname/current <---- experiment data directory with ODB save files and MIDAS .mid/.mid.gz data files | rootana <---- ROOT analyzer | ||
roody <---- graphical online histogram viewer for MIDAS and ROOTANA | |||
online/ | |||
exptab <---- experiment definition | |||
{.ODB,.SYSTEM,.SYSMSG,etc}.SHM <---- MIDAS shared memory save files | |||
src <---- experiment frontend sources | |||
bin,scripts | |||
elog <---- MIDAS elog | |||
history <---- MIDAS history | |||
data -> /data/exptname/current <---- symlink to the data directory | |||
/data/exptname/current <---- experiment data directory with ODB save files and MIDAS .mid/.mid.gz data files | |||
== Prepare computers == | |||
On some operating systems, several MIDAS functions require administrator access: | |||
* | * on el7 linux (SL7/CC7/CentOS7/RHEL7) - access to mhttpd port 8443 requires special firewall rules, see here: https://www.triumf.info/wiki/DAQwiki/index.php/SLinstall#Enable_firewall_for_MIDAS_.28CentOS7.29 | ||
* on el7 linux - access to mserver to run frontends and other programs on some other computer requires special firewall rules, see here: https://www.triumf.info/wiki/DAQwiki/index.php/SLinstall#Enable_firewall_for_MIDAS_.28CentOS7.29 | |||
* | * on el7 linux - on the frontend machines (and other machines that will connect to the mserver, the same firewall rule needs to be created (use the IP address of the machine running the mserver) | ||
== Prepare the user account == | |||
<div id="NOTES"></div> | |||
* Setup the user account for running this instance of midas. For machines part of the LADD cluster, follow these [http://daq-plone.triumf.ca/SM/docs/local/NewLaddUser] instructions. | * Setup the user account for running this instance of midas. For machines part of the LADD cluster, follow these [http://daq-plone.triumf.ca/SM/docs/local/NewLaddUser] instructions. | ||
* check that the account is using the /bin/ | * check that the account is using the /bin/bash shell | ||
* make $HOME/. | * make $HOME/.profile look like this: | ||
<pre> | |||
#!/bin/echo You must source | |||
export SVN_EDITOR="emacs -nw" | |||
export GIT_EDITOR="emacs -nw" | |||
export MIDASSYS=$HOME/packages/midas | |||
export ROOTANASYS=$HOME/packages/rootana | |||
export MIDAS_EXPTAB=$HOME/online/exptab | |||
# | |||
# setup the MIDAS mserver | |||
# | |||
case `hostname` in | |||
daq07*) | |||
unset MIDAS_SERVER_HOST | |||
;; | |||
*) | |||
export MIDAS_SERVER_HOST=daq07.triumf.ca:7070 | |||
;; | |||
esac | |||
# | |||
# select 64-bit or 32-bit MIDAS and ROOT | |||
# | |||
case `uname -i` in | |||
i386) | |||
source /daq/daqshare/olchansk/root/root_v5.34.01_SL62_32/bin/thisroot.sh | |||
export PATH=.:$MIDASSYS/linux-m32/bin:$PATH | |||
;; | |||
*) | |||
#source /daq/daqshare/olchansk/root/root_v5.34.34_SL67_64/bin/thisroot.sh | |||
source $HOME/packages/root/bin/thisroot.sh | |||
export PATH=.:$MIDASSYS/linux/bin:$PATH | |||
;; | |||
esac | |||
# | |||
export PATH=.:$HOME/online/bin:$HOME/packages/roody/bin:$PATH | |||
# | |||
#end | |||
</pre> | |||
* mkdir $HOME/packages | * mkdir $HOME/packages | ||
* Logout and login again, for .cshrc changes to take effect | * Logout and login again, for .cshrc changes to take effect | ||
== Install ROOT == | |||
* Identify the Linux version: RH9 (Red Hat Linux 9), FC3 (Fedora Core 3), RHEL4/SL4 (Red Hat Enterprise LInux 4/Scientific Linux 4), | * Identify the Linux version: RH9 (Red Hat Linux 9), FC3 (Fedora Core 3), RHEL4/SL4 (Red Hat Enterprise LInux 4/Scientific Linux 4), SL5x, SL6x, (CentOS/CC/SL) el7x: more /etc/redhat-release | ||
* Decide to use 32-bit or 64-bit ROOT ('uname -a') | * Decide to use 32-bit or 64-bit ROOT ('uname -a') | ||
* cd $HOME/packages | * cd $HOME/packages | ||
* ls -l /daq/daqshare/olchansk/root/ ### to see all available ROOT packages | * ls -l /daq/daqshare/olchansk/root/ ### to see all available ROOT packages | ||
* ln -s /daq/daqshare/olchansk/root/root_vNNN_VVV_BB root, where NNN is the latest available version of ROOT ("ls -l /daq/daqshare/olchansk/root"), VVV is the Linux version code (RH9, FC3, SL4, etc) and BB is "_32" or "_64" for 32-bit or 64-bit ROOT. For example: /daq/daqshare/olchansk/root/root_v5.10.00_SL40 | * ln -s /daq/daqshare/olchansk/root/root_vNNN_VVV_BB root, where NNN is the latest available version of ROOT ("ls -l /daq/daqshare/olchansk/root"), VVV is the Linux version code (RH9, FC3, SL4, etc) and BB is "_32" or "_64" for 32-bit or 64-bit ROOT. For example: /daq/daqshare/olchansk/root/root_v5.10.00_SL40 | ||
* Check that ROOT works: " | * for example: ln -s /daq/daqshare/olchansk/root/root_v5.34.34_el72_64 $HOME/packages/root | ||
* Check that ROOT works: "source $HOME/packages/root/bin/thisroot.sh; root". Type ".q" to exit root. | |||
== Install MIDAS == | |||
* cd $HOME/packages | * cd $HOME/packages | ||
* (OBSOLETE) svn co svn+ssh://svn@savannah.psi.ch/repos/meg/midas/trunk midas, password "svn". (password has to be entered twice) | * (OBSOLETE) svn co svn+ssh://svn@savannah.psi.ch/repos/meg/midas/trunk midas, password "svn". (password has to be entered twice) | ||
* (OBSOLETE) svn co svn+ssh://svn@savannah.psi.ch/repos/meg/mxml/trunk mxml | * (OBSOLETE) svn co svn+ssh://svn@savannah.psi.ch/repos/meg/mxml/trunk mxml | ||
* git clone https://bitbucket.org/tmidas/midas | * git clone https://bitbucket.org/tmidas/midas --recursive | ||
* git clone https://bitbucket.org/tmidas/mxml | * (OBSOLETE) git clone https://bitbucket.org/tmidas/mxml | ||
* (IF BITBUCKET IS DOWN) git clone -v --progress | * (OBSOLETE) git clone https://bitbucket.org/tmidas/mscb | ||
* (IF BITBUCKET IS DOWN) git clone -v --progress | * (IF BITBUCKET IS DOWN) git clone -v --progress https://daq.triumf.ca/~daqweb/git/mxml.git | ||
* (IF BITBUCKET IS DOWN) git clone -v --progress https://daq.triumf.ca/~daqweb/git/mscb.git | |||
* (IF BITBUCKET IS DOWN) git clone -v --progress https://daq.triumf.ca/~daqweb/git/midas.git | |||
* cd midas | * cd midas | ||
* make | * make | ||
Line 110: | Line 120: | ||
You can see a list of other installation problems at [[Common problems & Debugging recipes]]. | You can see a list of other installation problems at [[Common problems & Debugging recipes]]. | ||
=== Install ROOTANA | ;NOTE 1 | ||
: Optional features in MIDAS can be explicitly disabled if desired when making MIDAS using the NO_xxx feature (NO_ROOT,NO_MYSQL,NO_ODBC,NO_SQLITE,NO_MSCB), e.g. "make NO_ROOT=1" to disable ROOT. These NO_xxx Makefile variables are only used to control autodetection. | |||
;NOTE 2 | |||
: Since June 2019 the mxml and mscb packages are submodules of the midas package, so no need to clone them separately. If you have an existing clone of midas but not yet the submodules, you need | |||
$ git submodule update --init --recursive | |||
: To update both midas and the submodules, you need | |||
$ git pull --recurse-submodules | |||
== Install ROOTANA == | |||
* cd $HOME/packages | * cd $HOME/packages | ||
Line 117: | Line 139: | ||
* make | * make | ||
== Install ROODY == | |||
* cd $HOME/packages | * cd $HOME/packages | ||
Line 125: | Line 147: | ||
* $HOME/packages/roody/bin/roody, run the program | * $HOME/packages/roody/bin/roody, run the program | ||
=== Prepare VME hardware | == Install additional additional packages == | ||
* cd $HOME/packages | |||
* git clone https://bitbucket.org/ttriumfdaq/vme | |||
* git clone https://bitbucket.org/ttriumfdaq/frontends | |||
== Build special versions of MIDAS == | |||
Build special versions of MIDAS for the case when some MIDAS programs, such as VME frontends, will run on a different computer that may have a different flavour of operating system, i.e. 32-bit linux or an older version of Scientific Linux. | |||
* login to the computer where the frontends will run and: | |||
* if it is a 32-bit linux: cd $HOME/packages/midas; make linux32 | |||
* if it is a 64-bit linux: cd $HOME/packages/midas; make linux64 | |||
* login to the host computer to cross-compile ARM code: | |||
* if it is an ARM linux: cd $HOME/packages/midas; make linuxarm # may need to install ARM cross compilers | |||
== Prepare VME hardware == | |||
Hardware check list: | Hardware check list: | ||
Line 138: | Line 177: | ||
** ./vmescan.exe (or _gef.exe, depending on the VME driver in use) | ** ./vmescan.exe (or _gef.exe, depending on the VME driver in use) | ||
== Install Universe-II VME driver (V7648, V7750, V7805, V7851) == | |||
* login as root (ssh root@localhost) | * login as root (ssh root@localhost) | ||
* | * follow instructions: https://www.triumf.info/wiki/DAQwiki/index.php/VME-CPU#V7648.2C_V7750.2C_V7805.2C_V7851_:_Setup_vme_universe_VME_drivers | ||
* cd ~/packages/vme; vmescan.exe | * cd ~/packages/vme; vmescan.exe | ||
== Install Tsi-148 VME driver (V7865) == | |||
* login as root (ssh root@localhost) | * login as root (ssh root@localhost) | ||
* | * follow instructions: https://www.triumf.info/wiki/DAQwiki/index.php/VME-CPU#V7865_and_XVB-602_:_Setup_gefvme.2Ftsi148_VME_drivers | ||
* cd ~/packages/vme; vmescan_gef.exe | * cd ~/packages/vme; vmescan_gef.exe | ||
== Setup the experiment environment == | |||
* | * Decide which computer will host MIDAS (where MIDAS shared memory buffers will reside). | ||
: This computer will run the [[mserver]], [[mlogger]] and [[mhttpd]] applications. (It is usually the machine where the MIDAS,ROOT etc. packages have been downloaded). It will be referred to as the host machine (localhost). | |||
The environment is slightly different depending on whether all programs run on the host machine, or whether some programs run on remote host(s) : | |||
=== ALL programs run on localhost === | |||
:If all programs run on the host machine (localhost), it is not necessary to run [[mserver]]. [[Environment Variables#MIDAS_SERVER_HOST|MIDAS_SERVER_HOST]] will not be assigned (see example .cshrc [[#Prepare the user account|above]]). | |||
=== Some programs run on REMOTE host(s) === | |||
: '''IMPORTANT:''' | |||
# Since August 2015 '''you must explicitly allow access for clients running on remote machines'''. To do this, follow the '''[[Security#MIDAS programs on remote machines|instructions here]]'''. | |||
# The example code .cshrc ([[#Prepare the user account|see above]]) should be present on both host and remote machine(s). This will ensure that [[Environment Variables#MIDAS_SERVER_HOST|MIDAS_SERVER_HOST]] will NOT be set for the host machine (localhost), but on a remote machine, MIDAS_SERVER_HOST will be set to the MIDAS host machine. | |||
# The client [[mserver]] must be started on the MIDAS host machine. Note that multiple experiments can run on the same host machine by starting several instances of [[mserver]] (one for each experiment) running with different ports (and .cshrc would be edited so that MIDAS_SERVER_HOST is set to the appropriate port for the experiment). | |||
<br> | |||
On the host machine: | |||
* mkdir $HOME/online | * mkdir $HOME/online | ||
* cd $HOME/online | * cd $HOME/online | ||
Line 189: | Line 214: | ||
* logout and login again for all changes to take effect | * logout and login again for all changes to take effect | ||
== Setup experiment startup scripts == | |||
* login to the experiment host computer | * login to the experiment host computer | ||
* echo $MIDAS_SERVER_HOST ### to check correct value - should be blank | * echo $MIDAS_SERVER_HOST ### to check correct value - should be blank | ||
* create $HOME/online/bin/start_daq.sh, replacing XXX with the hostname of the machine running the experiment (and changing the mserver and mhttpd ports, as needed). | * create $HOME/online/bin/start_daq.sh, replacing XXX with the hostname of the machine running the experiment (and changing the mserver and mhttpd ports, as needed). | ||
#!/bin/sh | #!/bin/sh | ||
# start_daq.sh | |||
cd $HOME/online | cd $HOME/online | ||
# | # | ||
Line 211: | Line 233: | ||
# | # | ||
odbedit -c clean | odbedit -c clean | ||
# start [[mhttpd]] on default port. (Mongoose https version - see [[mhttpd]] for other options) | |||
mhttpd -D -a localhost -a XXX.triumf.ca # optionally restrict access to specified hosts | |||
# start [[mhttpd]] on default port. (https version | # | ||
mhttpd -D | # start [[mserver]] on default port (use argument -p to use a different port) | ||
# start [[mserver]] on default port (use argument -p to use a different port) | mserver -D # access must now be specifically allowed - see [[#Setup the experiment environment|above]] | ||
mserver -D | |||
<span style="color:orange;"> | <span style="color:orange;"> | ||
# OR ( | # OR ([[#NOTES|older MIDAS versions]]) | ||
# mhttpd -p 8081 -D -a localhost -a XXX.triumf.ca | # mhttpd -p 8081 -D -a localhost -a XXX.triumf.ca # optionally restrict access to specified hosts | ||
# mserver -p 7071 -D -a localhost -a lxdragon01.triumf.ca -a lxdragon02.triumf.ca -a XXX.triumf.ca | # mserver -p 7071 -D -a localhost -a lxdragon01.triumf.ca -a lxdragon02.triumf.ca -a XXX.triumf.ca # optionally restrict access to specified hosts | ||
</span> | </span> | ||
# | # | ||
Line 227: | Line 247: | ||
#end file | #end file | ||
== Run the MIDAS Web Server == | |||
Let's start the MIDAS webserver for the first time: | |||
Start [[mhttpd]] on the ''experiment host'' (localhost) like this: | |||
<small>[mhostpc] mhttpd</small> | |||
You will get the following messages: | |||
<small>[mhttpd,INFO] ODB subtree /Runinfo corrected successfully | |||
Mongoose web server will listen on ports "8080r,8443s" | |||
[mhttpd,ERROR] [mhttpd.cxx:17892:mongoose,ERROR] cannot find SSL certificate file "/home/agdaq/online/ssl_cert.pem" | |||
[mhttpd,ERROR] [mhttpd.cxx:17893:mongoose,ERROR] please create SSL certificate file: openssl req -new -nodes -newkey rsa:2048 -sha256 -out ssl_cert.csr -keyout ssl_cert.key; openssl x509 -req -days 365 -sha256 -in ssl_cert.csr -signkey ssl_cert.key -out ssl_cert.pem; cat ssl_cert.key >> ssl_cert.pem | |||
could not start the mongoose web server, see messages and midas.log, bye!</small> | |||
Create a self-signed certificate suitable for initial testing by executing the command printed by mhttpd: | |||
<small> | |||
[mhostpc] openssl req -new -nodes -newkey rsa:2048 -sha256 -out ssl_cert.csr -keyout ssl_cert.key; openssl x509 -req -days 365 -sha256 -in ssl_cert.csr -signkey ssl_cert.key -out ssl_cert.pem; cat ssl_cert.key >> ssl_cert.pem</small> | |||
For production use, you should create a properly signed certificate, see [[Mhttpd#Create an SSL certificate|create your own SSL certificate]] or you should run mhttpd behind an SSL proxy. | |||
Run mhttpd again. | |||
You will get the following messages: | |||
<small>[mhttpd,INFO] ODB subtree /Runinfo corrected successfully | |||
Mongoose web server will listen on ports "8080r,8443s" | |||
Mongoose web server will use SSL certificate file "/home/johnfoo/packages/midas/ssl_cert.pem" | |||
[mhttpd,ERROR] [mhttpd.cxx:17633:mongoose,ERROR] mongoose web server cannot find password file "/home/johnfoo/online/htpasswd.txt" | |||
[mhttpd,ERROR] [mhttpd.cxx:17634:mongoose,ERROR] please create password file: htdigest -c /home/johnfoo/online/htpasswd.txt Default midas | |||
could not start the mongoose web server, see messages and midas.log, bye!</small> | |||
Create the password file by following the instructions printed by mhttpd. The http digest domain name is the experiment name, suggested default user name is "midas". You will be asked to type in a password | |||
<small> | |||
[mhostpc] htdigest -c /home/johnfoo/online/htpasswd.txt exptname midas | |||
Adding password for midas in realm exptname. | |||
New password: | |||
Re-type new password: | |||
</small> | |||
It is a good idea to set the password file {{Filepath|path=htpasswd.txt}} readable and writable by owner only. | |||
Now restart {{Utility|name=mhttpd}} | |||
<small>[mhostpc] mhttpd | |||
Mongoose web server will listen on ports "8080r,8443s" **see note | |||
Mongoose web server will use SSL certificate file "/home/suz/packages/midas/ssl_cert.pem" | |||
Mongoose web server will use authentication realm "Default", password file "./htpasswd.txt" | |||
</small> | |||
Now point a web browser running on the same host computer (localhost) to https://localhost:8443 | |||
If the web browser is running on a different computer, go to URL of the form | |||
<small> | |||
https://mhostpc.triumf.ca:8443 (substitute your host machine name and domain for "mhostpc.triumf.ca") | |||
</small> | |||
If you are using the default SSL certificate you will probably get a message: "This Connection is Untrusted". Click "I understand the risks" and add an exception. This is because the test certificate is self-signed. Then confirm an exception. | |||
If instead you get a "connection refused" error, the midas host pc may have the firewall enabled. To make a firewall exception for MIDAS, follow instructions here http://www.triumf.info/wiki/DAQwiki/index.php/SLinstall#Enable_firewall_for_MIDAS_.28CentOS7.29 | |||
You should then see an authentication box asking you for the user name and password. The user name is "midas". Enter the password you just created. The Midas [[Status Page]] should appear with multiple buttons for run control as well as equipment listing (no equipments will be listed as yet) and application listings. Please refer to [[mhttpd]] (the MIDAS Web-based Run Control utility) for further information. You can start and stop runs from the main status page, and use the [[ODB Page]] to access the database (ODB). | |||
; Note | |||
: Default ports of 8080 and 8443 are used by [[mhttpd]]. If these ports are in use on your machine, start <span style="color:darkcyan;font-style:italic">mhttpd</span> with alternative ports, e.g. | |||
<small>[mhostpc] mhttpd --https 8448 --http 8089</small> | |||
: or see [[Mhttpd#Usage]] to change the default ports. | |||
== Setup experiment database (ODB) == | |||
* run $HOME/online/bin/start_daq.sh | * run $HOME/online/bin/start_daq.sh | ||
* odbedit, run these commands: (replace user names and directory names) | * odbedit, run these commands: (replace user names and directory names) | ||
<pre> | <pre> | ||
Line 243: | Line 322: | ||
create STRING "/Logger/Elog dir" | create STRING "/Logger/Elog dir" | ||
set "/Logger/Elog dir" "/home/kopio03/online/elog" | set "/Logger/Elog dir" "/home/kopio03/online/elog" | ||
set "/Logger/ODB dump file" "/home/kopio03/online/history/run%05d.xml" | set "/Logger/ODB dump file" "/home/kopio03/online/history/run%05d.xml" | ||
set "/Logger/ODB dump" "y" | set "/Logger/ODB dump" "y" | ||
Line 259: | Line 334: | ||
exit | exit | ||
</pre> | </pre> | ||
* open web browser e.g. firefox. | * open web browser e.g. firefox. | ||
** | * go to the midas status page at https://localhost:8443 (default port). | ||
* | ** if running [[mhttpd]] with Mongoose HTTPS/OpenSSL (the default) for the first time, you will need to create a password file. Follow the instructions (see [[mhttpd#HTTPS/SSL server (Mongoose)]] for details). | ||
** For other options (i.e. HTTPS/SSL proxy) see [[#Secure MIDAS and ELOG Web access]] | |||
*<span style="color:orange;">OR open the midas status page at http://localhost:8081 ([[#NOTES|older MIDAS versions]]) | |||
* midas status page will show most stuff "red" as nothing is running yet | |||
* DON'T DO THIS YET run ./fevme.exe (on the computer with the VME interface, could be different from computer hosting the experiment), observe that corresponding equipments have been created | |||
* save the url bookmark to the "personal toolbar" | * save the url bookmark to the "personal toolbar" | ||
* go to the Programs page, stop mlogger, stop fevme, start mlogger, start fevme | * go to the Programs page, stop mlogger, stop fevme, start mlogger, start fevme | ||
Line 269: | Line 348: | ||
* send signals to the ADC gate | * send signals to the ADC gate | ||
* you should be getting events | * you should be getting events | ||
* to look at data, proceed with setting up the | * to look at data, proceed with setting up the [[ROOTANA|ROOT Analyzer]]. | ||
== Start DAQ programs at boot time == | |||
* add this to /etc/rc.local (replace username and location of the start_daq script) | * add this to /etc/rc.local (replace username and location of the start_daq script) | ||
Line 278: | Line 357: | ||
</pre> | </pre> | ||
== Setup local software version control == | |||
Version control for experiment source code is setup using "git" (http://git-scm.com/) | Version control for experiment source code is setup using "git" (http://git-scm.com/) | ||
Line 295: | Line 374: | ||
* git commit -a | * git commit -a | ||
== Adjust MIDAS buffer sizes == | |||
Default MIDAS SYSTEM buffer size is 8 Mbytes, fairly small for high-data-rate experiments. The rule of thumb is to have at least a few seconds worth of buffer space available. For example, if event size is 10 Kbytes and the event rate is 1 kHz, data rate is 10*10^3*1*10^3 = 10 Mbytes/sec. To buffer 10 seconds of data we need 100 Mbytes of buffer space. | Default MIDAS SYSTEM buffer size is 8 Mbytes, fairly small for high-data-rate experiments. The rule of thumb is to have at least a few seconds worth of buffer space available. For example, if event size is 10 Kbytes and the event rate is 1 kHz, data rate is 10*10^3*1*10^3 = 10 Mbytes/sec. To buffer 10 seconds of data we need 100 Mbytes of buffer space. | ||
Line 308: | Line 387: | ||
* ls -l /dev/shm ### to observe that the size of shared memory is correct | * ls -l /dev/shm ### to observe that the size of shared memory is correct | ||
== Secure MIDAS and ELOG Web access == | |||
In versions prior to May 2015, the default web access to MIDAS and ELOG uses the "http:" protocol which is insecure. In this case, all information is transmitted as clear text meaning that secret, confidential and sensitive information (such as the MIDAS and ELOG passwords and usernames) can be stolen "easily". This means that even "password protected" MIDAS and ELOG pages are not really protected if accessed using the "http" method. | |||
Better security for HTTP is gained by using a password protected '''SSL (https) proxy'''. (It does not provide absolute security because of remaining problems with the security of SSL certificates, security of passwords, etc). Setting up an SSL (https) proxy is described [[#Setting up an HTTP proxy|below]]. | |||
Since May 2015, an ''alternative secure option'' to setting up an HTTP proxy is available to users of MIDAS. Recent versions of elogd (ELOG) do support SSL https:// connections, and [[#mhttpd with HTTPS/SSL server (Mongoose)]] is now available. This option is the default, and provides a similar level of security to an HTTP proxy. | |||
See [[Security#Web Access]] for a comparison of these two secure options. | |||
=== mhttpd with HTTPS/SSL server (Mongoose) === | === mhttpd with HTTPS/SSL server (Mongoose) === | ||
Since May 2015 the MIDAS web server [[mhttpd]] is explicitly linked with OpenSSL to provide secure HTTPS connections via the [https://bitbucket.org/tmidas/midas/src/ecb9a8537448a8a43f7f9a2bfdb82e578208cde3/doc/mongoose/?at=develop Mongoose] web server (see [[mhttpd]]). With this version, default web access to MIDAS uses the "https" protocol. Web access to {{Utility|name=mhttpd}} can be restricted by using the [[ | Since May 2015 the MIDAS web server [[mhttpd]] is explicitly linked with OpenSSL to provide secure HTTPS connections via the [https://bitbucket.org/tmidas/midas/src/ecb9a8537448a8a43f7f9a2bfdb82e578208cde3/doc/mongoose/?at=develop Mongoose] web server (see [[mhttpd]]). With this version, default web access to MIDAS uses the "https" protocol. Web access to {{Utility|name=mhttpd}} can be restricted by using the "-a hostname" switch of [[mhttpd]]. The first time {{Utility|name=mhttpd}} is run, a password file must be created. An SSL certificate is also required. See [[mhttpd#HTTPS/SSL server (Mongoose)|HTTPS/SSL server (Mongoose)]] for instructions. | ||
=== mhttpd using an HTTPS/SSL proxy === | |||
THESE INSTRUCTIONS ARE WRONG, DO NOT DO THIS. | |||
= | An [[#Setting up an HTTP proxy|HTTP proxy]] must be set up. This is the only way of securing older version of [[mhttpd]] (pre August 2015). Older versions of mhttpd are started using the -p port option e.g. | ||
* <span style="color:orange"> mhttpd -D -p 8080 </span> | |||
To run a new version of mhttpd using an HTTP proxy, use the options provided to run the old (non-Mongoose) webserver on a given port, i.e. | |||
* <span style="color:green"> mhttpd --oldserver 8080 --nomg -D </span> | |||
When using an SSL proxy, only access from the SSL proxy (and maybe some special trusted machines) should be permitted. | |||
This is done using the "-a hostname" switch of [[mhttpd]]. Normally there will be only "-a localhost" switch, enabling access only for the local machine (where the SSL proxy is running). Additional "-a hostname" switches enable access from listed local machines. No "-a xxx" enables access from everywhere (defeating the purpose of the SSL proxy, unless access controls are enforced elsewhere, i.e. by a site firewall or by local firewall rules). | |||
== Setting up an HTTP proxy == | |||
In this example, we use APACHE HTTPD to password-protect a typical midas/mhttpd and elog installation. | In this example, we use APACHE HTTPD to password-protect a typical midas/mhttpd and elog installation. | ||
In this configuration, one uses the Linux stock httpd that accepts encrypted https:// connections and forwards them to mhttpd and elogd. Instead of (or in addition to) using mhttpd and elogd passwords, one configures password protection in httpd via the regular apache httpd password mechanisms (htpasswd, etc). | In this configuration, one uses the Linux stock httpd that accepts encrypted https:// connections and forwards them to mhttpd and elogd. Instead of (or in addition to) using mhttpd and elogd passwords, one configures password protection in httpd via the regular apache httpd password mechanisms (htpasswd, etc). | ||
Recent versions of elogd do support SSL https:// connections, but if one | Recent versions of elogd do support SSL https:// connections, but if one is running an SSL proxy for anyway, it is simpler to run both through the same SSL proxy using the same SSL host certificate and the same httpd password file. | ||
it is simpler to run both through the same SSL proxy using the same SSL host certificate and the same httpd password file | |||
=== Restricting http: access to elogd === | === Restricting http: access to elogd === | ||
;Note | ;Note | ||
:Recent versions of elogd | :Recent versions of elogd do support SSL https:// connections. The following information is for those using an HTTP proxy (see above). | ||
For elogd, this is done using the "-n localhost" switch with enables only access from the same machine if present, or access from anywhere is absent (defeating the purpose of the SSL proxy, unless access controls are enforced elsewhere). | For elogd, this is done using the "-n localhost" switch with enables only access from the same machine if present, or access from anywhere is absent (defeating the purpose of the SSL proxy, unless access controls are enforced elsewhere). | ||
Line 343: | Line 433: | ||
(It is recommended to run elogd from the same user as the main daq user and to keep elogd.cfg and all logbooks in the home directory of this user, where they are captured by the normal site backup system) | (It is recommended to run elogd from the same user as the main daq user and to keep elogd.cfg and all logbooks in the home directory of this user, where they are captured by the normal site backup system) | ||
== | == Install standalone elog == | ||
* login into the user account that will run the elog | |||
* cd $HOME/packages | |||
* git clone https://bitbucket.org/ritt/elog | |||
< | * cd elog | ||
* make | |||
* create new file start_elogd with this contents: | |||
<pre> | |||
#!/bin/sh | |||
killall elogd | killall elogd | ||
Line 355: | Line 448: | ||
killall -KILL elogd | killall -KILL elogd | ||
sleep 1 | sleep 1 | ||
/ | $HOME/packages/elog/elogd -n localhost -x -c $HOME/packages/elog/elogd.cfg -p 8082 -D | ||
#end</pre> | #end | ||
</pre> | |||
* chmod a+x start_elogd | |||
< | * edit elogd.cfg to read: | ||
<pre> | |||
[global] | |||
port = 8082 | port = 8082 | ||
SMTP host = smtp.triumf.ca | SMTP host = smtp.triumf.ca | ||
URL = https:// | URL = https://titan00.triumf.ca/elog/ | ||
Reverse sort = 1 | Reverse sort = 1 | ||
Display Mode = full | Display Mode = full | ||
List Menu commands = New, Find, Admin, Help | #List Menu commands = New, Find, Admin, Help | ||
Menu commands = New, Edit, Reply, Find, Duplicate, Help | #Menu commands = New, Edit, Reply, Find, Duplicate, Help | ||
Entries Per Page = 30 | Entries Per Page = 30 | ||
Supress Email on edit = 1 | Supress Email on edit = 1 | ||
Default encoding = 1 | Default encoding = 1 | ||
Page title = | Page title = TITAN ELOG | ||
Resolve host names = 1 | Resolve host names = 1 | ||
Logfile = /home/ | Logfile = /home/titan/packages/elog/elogd.log | ||
#Logging level = 3 | #Logging level = 3 | ||
Line 416: | Line 507: | ||
Omit Email To = 1 | Omit Email To = 1 | ||
Email System General = xxx</pre> | Email System General = xxx | ||
</pre> | |||
* ./start_elogd & | |||
* firefox http://localhost:8082 # hould show the elog message index | |||
To start elogd automatically when the machine is rebooted, login as root and | |||
* add this text to /etc/rc.local: | |||
<pre> | |||
su - titan -c "/home/titan/packages/elog/start_elogd" | |||
</pre> | |||
* chmod a+x /etc/rc.local | |||
* systemctl start rc-local | |||
To import elog entries from the mhttpd elog, do this: | |||
* cd ~/packages/elog/logbooks | |||
* ln -s /home/t2km11/online/elog midas | |||
* cd midas | |||
* ~/packages/elog/elconv) | |||
== Install https proxy == | |||
THESE INSTRUCTIONS ARE OBSOLETE, INSTEAD, | |||
* GO HERE: https://www.triumf.info/wiki/DAQwiki/index.php/SLinstall#Configure_HTTPS_server_.28CentOS7.29 | |||
* AND GO HERE: https://midas.triumf.ca/MidasWiki/index.php/Quickstart_Linux#Run_the_MIDAS_Web_Server | |||
FOLLOWING INSTRUCTIONS ARE OBSOLETE... | |||
* login as root to the | * login as root to the https proxy machine | ||
* cd ~root | * cd ~root | ||
* yum install mod_ssl | |||
* yum install crypto-utils # see http://www.triumf.info/wiki/DAQwiki/index.php/SLinstall#Enable_monitoring_of_HTTPS_certificates | |||
* create a certificate request (replace ladd09 with your hostname): openssl req -new -nodes -newkey rsa:2048 -sha256 -out ladd09.csr -keyout ladd09.key (answer: CA, BC, Vancouver, TRIUMF, DAQ, ladd09.triumf.ca, email@email.com | * create a certificate request (replace ladd09 with your hostname): openssl req -new -nodes -newkey rsa:2048 -sha256 -out ladd09.csr -keyout ladd09.key (answer: CA, BC, Vancouver, TRIUMF, DAQ, ladd09.triumf.ca, email@email.com | ||
* | * sign it by TRIUMF: | ||
** mail -s "Certificate request" yourself@email.com < ladd09.csr | |||
** forward this request to Andrew Daviel | |||
** he will email the signed crt file, copy it to this system as ladd09.crt | |||
* sign it yourself: openssl x509 -req -days 365 -sha256 -in ladd09.csr -signkey ladd09.key -out ladd09.crt | * sign it yourself: openssl x509 -req -days 365 -sha256 -in ladd09.csr -signkey ladd09.key -out ladd09.crt | ||
* if the certificate expires, renew it by signing it again | * (if the certificate expires, renew it by signing it again) | ||
* explore the private key: openssl pkey -in ladd09.key -text -noout | * Additional commands for working with certificates: | ||
* explore the certificate request: openssl req -in ladd00.csr -text -noout | ** explore the private key: openssl pkey -in ladd09.key -text -noout | ||
* explore the certificate: openssl x509 -in ladd09.crt -noout -text | ** explore the certificate request: openssl req -in ladd00.csr -text -noout | ||
* | ** explore the certificate: openssl x509 -in ladd09.crt -noout -text | ||
* | * move certificate files to proper system locations: | ||
* mv ladd09.key /etc/pki/tls/private/ | |||
* mv ladd09.crt /etc/pki/tls/certs/ | |||
* if selinux is enabled, do this: | |||
** restorecon -Rv /etc/pki/tls/certs/ | |||
** restorecon -Rv /etc/pki/tls/private/ | |||
** /usr/sbin/setsebool -P httpd_can_network_connect 1 | |||
* open /etc/httpd/conf.d/ssl.conf in a text editor, go to the very bottom and right before the "</VirtualHost>" entry, add following text: | |||
<pre> | <pre> | ||
... | ... | ||
SSLCertificateFile / | SSLCertificateFile /etc/pki/tls/certs/ladd09.crt | ||
SSLCertificateKeyFile / | SSLCertificateKeyFile /etc/pki/tls/private/ladd09.key | ||
ProxyPass /elog/ http://localhost:8082/ retry=1 | ProxyPass /elog/ http://localhost:8082/ retry=1 | ||
ProxyPass / http://localhost: | ProxyPass / http://localhost:8080/ retry=1 | ||
<Location /> | <Location /> | ||
SSLRequireSSL | SSLRequireSSL | ||
AuthType Basic | AuthType Basic | ||
Line 464: | Line 579: | ||
</Location> | </Location> | ||
</VirtualHost> | </VirtualHost> | ||
... | |||
</pre> | </pre> | ||
* comment out duplicate "SSLCertificateFile" and "SSLCertificateKeyFile" elsewhere in the file | |||
* (optionally) If you got a certificate that is signed by DigiCert or RapidSSL then you'll need to add a line specifying the certificate chain file: | |||
<pre> | |||
... | |||
SSLCertificateChainFile /etc/pki/tls/certs/DigiCertCA.crt | |||
... | |||
</pre> | |||
* touch /etc/httpd/htpasswd | |||
* htpasswd /etc/httpd/htpasswd midas # enter password midas | |||
* chkconfig httpd on | * chkconfig httpd on | ||
* service httpd restart | * service httpd restart | ||
* firewall-cmd --add-port=443/tcp --permanent | |||
* firewall-cmd --reload | |||
* firewall-cmd --list-all | |||
* test it | * test it | ||
** test the SSL proxy: https://host/ should yield the midas status page, https://host/elog/ should yield the elog message index | ** test the SSL proxy: https://host/ should yield the midas status page, https://host/elog/ should yield the elog message index | ||
* in ODB, set "/Elog/URL" to "https://host/elog/" | * in ODB, set "/Elog/URL" to "https://host/elog/" | ||
* now from the midas status page, the "Elog" button should take us to the https Elog URL | * now from the midas status page, the "Elog" button should take us to the https Elog URL | ||
In needed, enable user directories: https://blah/~user in ~user/public_html | |||
* edit /etc/httpd/conf.d/userdir.conf, replace "UserDir disabled" with "UserDir enabled" | |||
* setsebool -P httpd_enable_homedirs true | |||
* systemctl restart httpd | |||
== Setup the history mhttpd for faster access to history plots == | == Setup the history mhttpd for faster access to history plots == | ||
When running an SSL proxy, | |||
* start the main mhttpd (<span style="color:orange">orange</span> command for old mhttpd, <span style="color:green">green</span> for new mhttpd with Mongoose(post August2015): | |||
** <span style="color:orange">"mhttpd -p 8071 -D" </span> or | |||
** <span style="color:green"> "mhttpd -D --oldserver 8071 --nomg" </span> | |||
* start the | * start the history mhttpd | ||
* | ** <span style="color:orange"> "mhttpd -p 8072 -D -H"</span> or | ||
** <span style="color:green"> "mhttpd -D -H --oldserver 8072 --nomg" </span> | |||
* set ODB /History/URL to "http://alphacpc09.cern.ch:8072/HS/" | * set ODB /History/URL to "http://alphacpc09.cern.ch:8072/HS/" | ||
* open the MIDAS status page | * open the MIDAS status page | ||
Line 490: | Line 629: | ||
** apxs -c -I. -I/usr/include/libxml2 -i mod_xml2enc.c | ** apxs -c -I. -I/usr/include/libxml2 -i mod_xml2enc.c | ||
** cd /etc/httpd/conf.d, add this to ssl.conf: | ** cd /etc/httpd/conf.d, add this to ssl.conf: | ||
;before the ProxyPass statements: | |||
<pre> | <pre> | ||
# proxy the MIDAS web servers | # proxy the MIDAS web servers | ||
Line 501: | Line 641: | ||
ProxyRequests off | ProxyRequests off | ||
</pre> | </pre> | ||
;after the ProxyPass statements: | |||
<pre> | <pre> | ||
# ALPHA1 history access | # ALPHA1 history access | ||
Line 510: | Line 650: | ||
ProxyHTMLURLMap http://alphacpc09.cern.ch:8072/HS/ /alpha1/history/ | ProxyHTMLURLMap http://alphacpc09.cern.ch:8072/HS/ /alpha1/history/ | ||
</pre> | </pre> | ||
;adjust: | |||
*"alpha1" is the experiment name | |||
*"alphacpc09.cern.ch" is the machine running mhttpd | |||
*"8071" is the port number of the main mhttpd | |||
**** "8072" is the port number of the history mhttpd | ** <span style="color:orange">"mhttpd -p 8071 -D" </span> or | ||
** <span style="color:green"> "mhttpd -D --oldserver 8071 --nomg" </span> | |||
* "8072" is the port number of the history mhttpd | |||
** <span style="color:orange">"mhttpd -p 8072 -D -H" </span> or | |||
** <span style="color:green"> "mhttpd -D -H --oldserver 8072 --nomg" </span> | |||
[[Category: | [[Category:Installation]] [[Category:Buffer]] [[Category:Driver]] |
Latest revision as of 10:56, 11 June 2019
Introduction
This page describes setting up a MIDAS experiment at TRIUMF. This information can be adapted for other sites.
Environment variables
- MIDASSYS Base directory of the MIDAS package, midas and mxml should be at the same level.
- MIDAS_EXPTAB Experiment definition file
- MIDAS_SERVER_HOST MIDAS host server name for remote midas connections.
- MIDAS_EXPT_NAME Experiment name
Standard layout of MIDAS experiment
The following shows the directory layout of a standard MIDAS experiment:
/home/exptuser/ packages/ root <---- ROOT mxml mscb midas/ <---- MIDAS linux/{lib,bin} <---- binaries matching the selected 64-bit/32-bit flavour of ROOT linux-m32/{lib,bin} <---- limited function 32-bit binaries for 32-bit frontend machines, build by "make linux32" linux-m64/{lib,bin} <---- limited function 64-bit binaries (only needed if ROOT and linux/bin are 32-bit) linux-arm/{lib,bin} <---- full function ARM cross-compiled using "make linuxarm" linux-crosscompile/{lib,bin} <---- cross-compiled limited function binaries for PPC and ARM frontends (see Makefile) rootana <---- ROOT analyzer roody <---- graphical online histogram viewer for MIDAS and ROOTANA online/ exptab <---- experiment definition {.ODB,.SYSTEM,.SYSMSG,etc}.SHM <---- MIDAS shared memory save files src <---- experiment frontend sources bin,scripts elog <---- MIDAS elog history <---- MIDAS history data -> /data/exptname/current <---- symlink to the data directory /data/exptname/current <---- experiment data directory with ODB save files and MIDAS .mid/.mid.gz data files
Prepare computers
On some operating systems, several MIDAS functions require administrator access:
- on el7 linux (SL7/CC7/CentOS7/RHEL7) - access to mhttpd port 8443 requires special firewall rules, see here: https://www.triumf.info/wiki/DAQwiki/index.php/SLinstall#Enable_firewall_for_MIDAS_.28CentOS7.29
- on el7 linux - access to mserver to run frontends and other programs on some other computer requires special firewall rules, see here: https://www.triumf.info/wiki/DAQwiki/index.php/SLinstall#Enable_firewall_for_MIDAS_.28CentOS7.29
- on el7 linux - on the frontend machines (and other machines that will connect to the mserver, the same firewall rule needs to be created (use the IP address of the machine running the mserver)
Prepare the user account
- Setup the user account for running this instance of midas. For machines part of the LADD cluster, follow these [1] instructions.
- check that the account is using the /bin/bash shell
- make $HOME/.profile look like this:
#!/bin/echo You must source export SVN_EDITOR="emacs -nw" export GIT_EDITOR="emacs -nw" export MIDASSYS=$HOME/packages/midas export ROOTANASYS=$HOME/packages/rootana export MIDAS_EXPTAB=$HOME/online/exptab # # setup the MIDAS mserver # case `hostname` in daq07*) unset MIDAS_SERVER_HOST ;; *) export MIDAS_SERVER_HOST=daq07.triumf.ca:7070 ;; esac # # select 64-bit or 32-bit MIDAS and ROOT # case `uname -i` in i386) source /daq/daqshare/olchansk/root/root_v5.34.01_SL62_32/bin/thisroot.sh export PATH=.:$MIDASSYS/linux-m32/bin:$PATH ;; *) #source /daq/daqshare/olchansk/root/root_v5.34.34_SL67_64/bin/thisroot.sh source $HOME/packages/root/bin/thisroot.sh export PATH=.:$MIDASSYS/linux/bin:$PATH ;; esac # export PATH=.:$HOME/online/bin:$HOME/packages/roody/bin:$PATH # #end
- mkdir $HOME/packages
- Logout and login again, for .cshrc changes to take effect
Install ROOT
- Identify the Linux version: RH9 (Red Hat Linux 9), FC3 (Fedora Core 3), RHEL4/SL4 (Red Hat Enterprise LInux 4/Scientific Linux 4), SL5x, SL6x, (CentOS/CC/SL) el7x: more /etc/redhat-release
- Decide to use 32-bit or 64-bit ROOT ('uname -a')
- cd $HOME/packages
- ls -l /daq/daqshare/olchansk/root/ ### to see all available ROOT packages
- ln -s /daq/daqshare/olchansk/root/root_vNNN_VVV_BB root, where NNN is the latest available version of ROOT ("ls -l /daq/daqshare/olchansk/root"), VVV is the Linux version code (RH9, FC3, SL4, etc) and BB is "_32" or "_64" for 32-bit or 64-bit ROOT. For example: /daq/daqshare/olchansk/root/root_v5.10.00_SL40
- for example: ln -s /daq/daqshare/olchansk/root/root_v5.34.34_el72_64 $HOME/packages/root
- Check that ROOT works: "source $HOME/packages/root/bin/thisroot.sh; root". Type ".q" to exit root.
Install MIDAS
- cd $HOME/packages
- (OBSOLETE) svn co svn+ssh://svn@savannah.psi.ch/repos/meg/midas/trunk midas, password "svn". (password has to be entered twice)
- (OBSOLETE) svn co svn+ssh://svn@savannah.psi.ch/repos/meg/mxml/trunk mxml
- git clone https://bitbucket.org/tmidas/midas --recursive
- (OBSOLETE) git clone https://bitbucket.org/tmidas/mxml
- (OBSOLETE) git clone https://bitbucket.org/tmidas/mscb
- (IF BITBUCKET IS DOWN) git clone -v --progress https://daq.triumf.ca/~daqweb/git/mxml.git
- (IF BITBUCKET IS DOWN) git clone -v --progress https://daq.triumf.ca/~daqweb/git/mscb.git
- (IF BITBUCKET IS DOWN) git clone -v --progress https://daq.triumf.ca/~daqweb/git/midas.git
- cd midas
- make
- (only if needed) make linux32 ### build the 32-bit MIDAS libraries
- ls -l linux/bin/odbedit ### check that odbedit has been created (do not run it yet)
You can see a list of other installation problems at Common problems & Debugging recipes.
- NOTE 1
- Optional features in MIDAS can be explicitly disabled if desired when making MIDAS using the NO_xxx feature (NO_ROOT,NO_MYSQL,NO_ODBC,NO_SQLITE,NO_MSCB), e.g. "make NO_ROOT=1" to disable ROOT. These NO_xxx Makefile variables are only used to control autodetection.
- NOTE 2
- Since June 2019 the mxml and mscb packages are submodules of the midas package, so no need to clone them separately. If you have an existing clone of midas but not yet the submodules, you need
$ git submodule update --init --recursive
- To update both midas and the submodules, you need
$ git pull --recurse-submodules
Install ROOTANA
- cd $HOME/packages
- git clone https://bitbucket.org/tmidas/rootana
- cd rootana
- make
Install ROODY
- cd $HOME/packages
- git clone https://bitbucket.org/tmidas/roody
- cd roody
- make
- $HOME/packages/roody/bin/roody, run the program
Install additional additional packages
- cd $HOME/packages
- git clone https://bitbucket.org/ttriumfdaq/vme
- git clone https://bitbucket.org/ttriumfdaq/frontends
Build special versions of MIDAS
Build special versions of MIDAS for the case when some MIDAS programs, such as VME frontends, will run on a different computer that may have a different flavour of operating system, i.e. 32-bit linux or an older version of Scientific Linux.
- login to the computer where the frontends will run and:
- if it is a 32-bit linux: cd $HOME/packages/midas; make linux32
- if it is a 64-bit linux: cd $HOME/packages/midas; make linux64
- login to the host computer to cross-compile ARM code:
- if it is an ARM linux: cd $HOME/packages/midas; make linuxarm # may need to install ARM cross compilers
Prepare VME hardware
Hardware check list:
- VME crate
- VME processor (supported are V77xx, V7805, V7865)
- On all VME modules, set the VME address jumpers as described here: http://daq-plone.triumf.ca/SM/docs/local/vme_jumpers
- run vmescan to confirm correct VME addresses
- cd $HOME/packages
- svn checkout https://ladd00.triumf.ca/svn/daqsvn/trunk/vme
- cd vme
- make
- ./vmescan.exe (or _gef.exe, depending on the VME driver in use)
Install Universe-II VME driver (V7648, V7750, V7805, V7851)
- login as root (ssh root@localhost)
- follow instructions: https://www.triumf.info/wiki/DAQwiki/index.php/VME-CPU#V7648.2C_V7750.2C_V7805.2C_V7851_:_Setup_vme_universe_VME_drivers
- cd ~/packages/vme; vmescan.exe
Install Tsi-148 VME driver (V7865)
- login as root (ssh root@localhost)
- follow instructions: https://www.triumf.info/wiki/DAQwiki/index.php/VME-CPU#V7865_and_XVB-602_:_Setup_gefvme.2Ftsi148_VME_drivers
- cd ~/packages/vme; vmescan_gef.exe
Setup the experiment environment
- Decide which computer will host MIDAS (where MIDAS shared memory buffers will reside).
- This computer will run the mserver, mlogger and mhttpd applications. (It is usually the machine where the MIDAS,ROOT etc. packages have been downloaded). It will be referred to as the host machine (localhost).
The environment is slightly different depending on whether all programs run on the host machine, or whether some programs run on remote host(s) :
ALL programs run on localhost
- If all programs run on the host machine (localhost), it is not necessary to run mserver. MIDAS_SERVER_HOST will not be assigned (see example .cshrc above).
Some programs run on REMOTE host(s)
- IMPORTANT:
- Since August 2015 you must explicitly allow access for clients running on remote machines. To do this, follow the instructions here.
- The example code .cshrc (see above) should be present on both host and remote machine(s). This will ensure that MIDAS_SERVER_HOST will NOT be set for the host machine (localhost), but on a remote machine, MIDAS_SERVER_HOST will be set to the MIDAS host machine.
- The client mserver must be started on the MIDAS host machine. Note that multiple experiments can run on the same host machine by starting several instances of mserver (one for each experiment) running with different ports (and .cshrc would be edited so that MIDAS_SERVER_HOST is set to the appropriate port for the experiment).
On the host machine:
- mkdir $HOME/online
- cd $HOME/online
- create directories for local programs, sources, elog and history: mkdir bin src elog history
- create data directory: mkdir -p /ladd/data1/t2kvme5/data; ln -s /ladd/data1/t2kvme5/data $HOME/online
- create the exptab file "$HOME/online/exptab" following the example below. The first entry (exptname) is the name if the DAQ system (MIDAS experiment name), the second entry (/home/USER/online) is the location of MIDAS shared memory buffers (by convention, $HOME/online), the third entry (kopio03) is your username.
exptname /home/kopio03/online kopio03
- logout and login again for all changes to take effect
Setup experiment startup scripts
- login to the experiment host computer
- echo $MIDAS_SERVER_HOST ### to check correct value - should be blank
- create $HOME/online/bin/start_daq.sh, replacing XXX with the hostname of the machine running the experiment (and changing the mserver and mhttpd ports, as needed).
#!/bin/sh # start_daq.sh cd $HOME/online # case `hostname` in XXX*) echo "Good, we are on XXX!" ;; *) echo "The start_daq script should be executed on XXX" exit 1 ;; esac # odbedit -c clean # start mhttpd on default port. (Mongoose https version - see mhttpd for other options) mhttpd -D -a localhost -a XXX.triumf.ca # optionally restrict access to specified hosts # # start mserver on default port (use argument -p to use a different port) mserver -D # access must now be specifically allowed - see above # OR (older MIDAS versions) # mhttpd -p 8081 -D -a localhost -a XXX.triumf.ca # optionally restrict access to specified hosts # mserver -p 7071 -D -a localhost -a lxdragon01.triumf.ca -a lxdragon02.triumf.ca -a XXX.triumf.ca # optionally restrict access to specified hosts # mlogger -D #end file
Run the MIDAS Web Server
Let's start the MIDAS webserver for the first time:
Start mhttpd on the experiment host (localhost) like this:
[mhostpc] mhttpd
You will get the following messages:
[mhttpd,INFO] ODB subtree /Runinfo corrected successfully Mongoose web server will listen on ports "8080r,8443s" [mhttpd,ERROR] [mhttpd.cxx:17892:mongoose,ERROR] cannot find SSL certificate file "/home/agdaq/online/ssl_cert.pem" [mhttpd,ERROR] [mhttpd.cxx:17893:mongoose,ERROR] please create SSL certificate file: openssl req -new -nodes -newkey rsa:2048 -sha256 -out ssl_cert.csr -keyout ssl_cert.key; openssl x509 -req -days 365 -sha256 -in ssl_cert.csr -signkey ssl_cert.key -out ssl_cert.pem; cat ssl_cert.key >> ssl_cert.pem could not start the mongoose web server, see messages and midas.log, bye!
Create a self-signed certificate suitable for initial testing by executing the command printed by mhttpd:
[mhostpc] openssl req -new -nodes -newkey rsa:2048 -sha256 -out ssl_cert.csr -keyout ssl_cert.key; openssl x509 -req -days 365 -sha256 -in ssl_cert.csr -signkey ssl_cert.key -out ssl_cert.pem; cat ssl_cert.key >> ssl_cert.pem
For production use, you should create a properly signed certificate, see create your own SSL certificate or you should run mhttpd behind an SSL proxy.
Run mhttpd again.
You will get the following messages:
[mhttpd,INFO] ODB subtree /Runinfo corrected successfully Mongoose web server will listen on ports "8080r,8443s" Mongoose web server will use SSL certificate file "/home/johnfoo/packages/midas/ssl_cert.pem" [mhttpd,ERROR] [mhttpd.cxx:17633:mongoose,ERROR] mongoose web server cannot find password file "/home/johnfoo/online/htpasswd.txt" [mhttpd,ERROR] [mhttpd.cxx:17634:mongoose,ERROR] please create password file: htdigest -c /home/johnfoo/online/htpasswd.txt Default midas could not start the mongoose web server, see messages and midas.log, bye!
Create the password file by following the instructions printed by mhttpd. The http digest domain name is the experiment name, suggested default user name is "midas". You will be asked to type in a password
[mhostpc] htdigest -c /home/johnfoo/online/htpasswd.txt exptname midas Adding password for midas in realm exptname. New password: Re-type new password:
It is a good idea to set the password file htpasswd.txt readable and writable by owner only.
Now restart mhttpd
[mhostpc] mhttpd Mongoose web server will listen on ports "8080r,8443s" **see note Mongoose web server will use SSL certificate file "/home/suz/packages/midas/ssl_cert.pem" Mongoose web server will use authentication realm "Default", password file "./htpasswd.txt"
Now point a web browser running on the same host computer (localhost) to https://localhost:8443 If the web browser is running on a different computer, go to URL of the form
https://mhostpc.triumf.ca:8443 (substitute your host machine name and domain for "mhostpc.triumf.ca")
If you are using the default SSL certificate you will probably get a message: "This Connection is Untrusted". Click "I understand the risks" and add an exception. This is because the test certificate is self-signed. Then confirm an exception.
If instead you get a "connection refused" error, the midas host pc may have the firewall enabled. To make a firewall exception for MIDAS, follow instructions here http://www.triumf.info/wiki/DAQwiki/index.php/SLinstall#Enable_firewall_for_MIDAS_.28CentOS7.29
You should then see an authentication box asking you for the user name and password. The user name is "midas". Enter the password you just created. The Midas Status Page should appear with multiple buttons for run control as well as equipment listing (no equipments will be listed as yet) and application listings. Please refer to mhttpd (the MIDAS Web-based Run Control utility) for further information. You can start and stop runs from the main status page, and use the ODB Page to access the database (ODB).
- Note
- Default ports of 8080 and 8443 are used by mhttpd. If these ports are in use on your machine, start mhttpd with alternative ports, e.g.
[mhostpc] mhttpd --https 8448 --http 8089
- or see Mhttpd#Usage to change the default ports.
Setup experiment database (ODB)
- run $HOME/online/bin/start_daq.sh
- odbedit, run these commands: (replace user names and directory names)
set "/Logger/Message file" "/home/kopio03/online/midas.log" set "/Logger/Data Dir" "/home/kopio03/online/data" create STRING "/Logger/History dir" set "/Logger/History dir" "/home/kopio03/online/history" create STRING "/Logger/Elog dir" set "/Logger/Elog dir" "/home/kopio03/online/elog" set "/Logger/ODB dump file" "/home/kopio03/online/history/run%05d.xml" set "/Logger/ODB dump" "y" set "/Logger/Channels/0/Settings/Filename" "run%05dsub%03d.mid.gz" set "/Logger/Channels/0/Settings/Subrun byte limit" "1000000000" set "/Logger/Channels/0/Settings/Compression" 1 set "/Logger/Channels/0/Settings/ODB Dump" "y" set "/Programs/Logger/Required" y set "/Programs/Logger/Start command" "mlogger -D" set "/Programs/fevme/Required" "y" set "/Programs/fevme/Start command" "ssh -n lxdaq09 $HOME/online/src/fevme_gef.exe -O" exit
- open web browser e.g. firefox.
- go to the midas status page at https://localhost:8443 (default port).
- if running mhttpd with Mongoose HTTPS/OpenSSL (the default) for the first time, you will need to create a password file. Follow the instructions (see mhttpd#HTTPS/SSL server (Mongoose) for details).
- For other options (i.e. HTTPS/SSL proxy) see #Secure MIDAS and ELOG Web access
- OR open the midas status page at http://localhost:8081 (older MIDAS versions)
- midas status page will show most stuff "red" as nothing is running yet
- DON'T DO THIS YET run ./fevme.exe (on the computer with the VME interface, could be different from computer hosting the experiment), observe that corresponding equipments have been created
- save the url bookmark to the "personal toolbar"
- go to the Programs page, stop mlogger, stop fevme, start mlogger, start fevme
- go to the Status page, start run, stop run
- go back to the Status page, everything should be green
- start a run
- send signals to the ADC gate
- you should be getting events
- to look at data, proceed with setting up the ROOT Analyzer.
Start DAQ programs at boot time
- add this to /etc/rc.local (replace username and location of the start_daq script)
su - alpha -c /home/alpha/online/bin/start_daq.sh
Setup local software version control
Version control for experiment source code is setup using "git" (http://git-scm.com/)
- cd $HOME/online
- git init
- git add exptab
- git add bin/start_daq.sh
- git add .gitignore ### contents can be
*~ *.o *.exe
- git add src/Makefile src/*.cxx ...
- git commit -a
Adjust MIDAS buffer sizes
Default MIDAS SYSTEM buffer size is 8 Mbytes, fairly small for high-data-rate experiments. The rule of thumb is to have at least a few seconds worth of buffer space available. For example, if event size is 10 Kbytes and the event rate is 1 kHz, data rate is 10*10^3*1*10^3 = 10 Mbytes/sec. To buffer 10 seconds of data we need 100 Mbytes of buffer space.
To resize the MIDAS event buffers (SYSTEM, etc) do this:
- stop all frontends, stop mlogger
- start odbedit:
- cd "/Experiment/Buffer sizes"
- set SYSTEM 100000000
- run "mdump -z SYSTEM"
- if mdump complains about the size of .SYSTEM.SHM, remove it, try again.
- ls -l /dev/shm ### to observe that the size of shared memory is correct
Secure MIDAS and ELOG Web access
In versions prior to May 2015, the default web access to MIDAS and ELOG uses the "http:" protocol which is insecure. In this case, all information is transmitted as clear text meaning that secret, confidential and sensitive information (such as the MIDAS and ELOG passwords and usernames) can be stolen "easily". This means that even "password protected" MIDAS and ELOG pages are not really protected if accessed using the "http" method.
Better security for HTTP is gained by using a password protected SSL (https) proxy. (It does not provide absolute security because of remaining problems with the security of SSL certificates, security of passwords, etc). Setting up an SSL (https) proxy is described below.
Since May 2015, an alternative secure option to setting up an HTTP proxy is available to users of MIDAS. Recent versions of elogd (ELOG) do support SSL https:// connections, and #mhttpd with HTTPS/SSL server (Mongoose) is now available. This option is the default, and provides a similar level of security to an HTTP proxy.
See Security#Web Access for a comparison of these two secure options.
mhttpd with HTTPS/SSL server (Mongoose)
Since May 2015 the MIDAS web server mhttpd is explicitly linked with OpenSSL to provide secure HTTPS connections via the Mongoose web server (see mhttpd). With this version, default web access to MIDAS uses the "https" protocol. Web access to mhttpd can be restricted by using the "-a hostname" switch of mhttpd. The first time mhttpd is run, a password file must be created. An SSL certificate is also required. See HTTPS/SSL server (Mongoose) for instructions.
mhttpd using an HTTPS/SSL proxy
THESE INSTRUCTIONS ARE WRONG, DO NOT DO THIS.
An HTTP proxy must be set up. This is the only way of securing older version of mhttpd (pre August 2015). Older versions of mhttpd are started using the -p port option e.g.
- mhttpd -D -p 8080
To run a new version of mhttpd using an HTTP proxy, use the options provided to run the old (non-Mongoose) webserver on a given port, i.e.
- mhttpd --oldserver 8080 --nomg -D
When using an SSL proxy, only access from the SSL proxy (and maybe some special trusted machines) should be permitted. This is done using the "-a hostname" switch of mhttpd. Normally there will be only "-a localhost" switch, enabling access only for the local machine (where the SSL proxy is running). Additional "-a hostname" switches enable access from listed local machines. No "-a xxx" enables access from everywhere (defeating the purpose of the SSL proxy, unless access controls are enforced elsewhere, i.e. by a site firewall or by local firewall rules).
Setting up an HTTP proxy
In this example, we use APACHE HTTPD to password-protect a typical midas/mhttpd and elog installation.
In this configuration, one uses the Linux stock httpd that accepts encrypted https:// connections and forwards them to mhttpd and elogd. Instead of (or in addition to) using mhttpd and elogd passwords, one configures password protection in httpd via the regular apache httpd password mechanisms (htpasswd, etc).
Recent versions of elogd do support SSL https:// connections, but if one is running an SSL proxy for anyway, it is simpler to run both through the same SSL proxy using the same SSL host certificate and the same httpd password file.
Restricting http: access to elogd
- Note
- Recent versions of elogd do support SSL https:// connections. The following information is for those using an HTTP proxy (see above).
For elogd, this is done using the "-n localhost" switch with enables only access from the same machine if present, or access from anywhere is absent (defeating the purpose of the SSL proxy, unless access controls are enforced elsewhere).
(It is recommended to run elogd from the same user as the main daq user and to keep elogd.cfg and all logbooks in the home directory of this user, where they are captured by the normal site backup system)
Install standalone elog
- login into the user account that will run the elog
- cd $HOME/packages
- git clone https://bitbucket.org/ritt/elog
- cd elog
- make
- create new file start_elogd with this contents:
#!/bin/sh killall elogd sleep 1 killall -KILL elogd sleep 1 $HOME/packages/elog/elogd -n localhost -x -c $HOME/packages/elog/elogd.cfg -p 8082 -D #end
- chmod a+x start_elogd
- edit elogd.cfg to read:
[global] port = 8082 SMTP host = smtp.triumf.ca URL = https://titan00.triumf.ca/elog/ Reverse sort = 1 Display Mode = full #List Menu commands = New, Find, Admin, Help #Menu commands = New, Edit, Reply, Find, Duplicate, Help Entries Per Page = 30 Supress Email on edit = 1 Default encoding = 1 Page title = TITAN ELOG Resolve host names = 1 Logfile = /home/titan/packages/elog/elogd.log #Logging level = 3 [midas] List page Title = T2K M11 MIDAS ELOG Comment = T2K M11 MIDAS ELOG Page Title = T2K M11 MIDAS ELOG RSS Title = [$logbook - $type - $system] $subject, posted by $author Attributes = Author, Subject, Run, Type, System Show Attributes Edit = Run, Author, Subject, Type, System Required Attributes = Author, Type, System, Subject Options Type = Routine, Reply, Shift Summary, Modification, Question, Info, Problem Options System = General, DAQ, Beamline Preset Run = $shell(MIDASSYS=. /home/t2km11/packages/midas/linux/bin/odbedit -d Runinfo -c 'ls -v \"run number\"') Preset On Reply Type = Reply Preset On Reply Run = $shell(MIDASSYS=. /home/t2km11/packages/midas/linux/bin/odbedit -d Runinfo -c 'ls -v \"run number\"') List Display = Date, Subject, Type, System, Author, ID Quick Filter = Date, Type, ID Remove on reply = Author Quote on reply = 1 Use lock = 1 ************* Email Functionality **************** Use Email Subject = [T2KM11 - $System] $Subject Omit Email To = 1 Email System General = xxx
- ./start_elogd &
- firefox http://localhost:8082 # hould show the elog message index
To start elogd automatically when the machine is rebooted, login as root and
- add this text to /etc/rc.local:
su - titan -c "/home/titan/packages/elog/start_elogd"
- chmod a+x /etc/rc.local
- systemctl start rc-local
To import elog entries from the mhttpd elog, do this:
- cd ~/packages/elog/logbooks
- ln -s /home/t2km11/online/elog midas
- cd midas
- ~/packages/elog/elconv)
Install https proxy
THESE INSTRUCTIONS ARE OBSOLETE, INSTEAD,
- GO HERE: https://www.triumf.info/wiki/DAQwiki/index.php/SLinstall#Configure_HTTPS_server_.28CentOS7.29
- AND GO HERE: https://midas.triumf.ca/MidasWiki/index.php/Quickstart_Linux#Run_the_MIDAS_Web_Server
FOLLOWING INSTRUCTIONS ARE OBSOLETE...
- login as root to the https proxy machine
- cd ~root
- yum install mod_ssl
- yum install crypto-utils # see http://www.triumf.info/wiki/DAQwiki/index.php/SLinstall#Enable_monitoring_of_HTTPS_certificates
- create a certificate request (replace ladd09 with your hostname): openssl req -new -nodes -newkey rsa:2048 -sha256 -out ladd09.csr -keyout ladd09.key (answer: CA, BC, Vancouver, TRIUMF, DAQ, ladd09.triumf.ca, email@email.com
- sign it by TRIUMF:
- mail -s "Certificate request" yourself@email.com < ladd09.csr
- forward this request to Andrew Daviel
- he will email the signed crt file, copy it to this system as ladd09.crt
- sign it yourself: openssl x509 -req -days 365 -sha256 -in ladd09.csr -signkey ladd09.key -out ladd09.crt
- (if the certificate expires, renew it by signing it again)
- Additional commands for working with certificates:
- explore the private key: openssl pkey -in ladd09.key -text -noout
- explore the certificate request: openssl req -in ladd00.csr -text -noout
- explore the certificate: openssl x509 -in ladd09.crt -noout -text
- move certificate files to proper system locations:
- mv ladd09.key /etc/pki/tls/private/
- mv ladd09.crt /etc/pki/tls/certs/
- if selinux is enabled, do this:
- restorecon -Rv /etc/pki/tls/certs/
- restorecon -Rv /etc/pki/tls/private/
- /usr/sbin/setsebool -P httpd_can_network_connect 1
- open /etc/httpd/conf.d/ssl.conf in a text editor, go to the very bottom and right before the "</VirtualHost>" entry, add following text:
... SSLCertificateFile /etc/pki/tls/certs/ladd09.crt SSLCertificateKeyFile /etc/pki/tls/private/ladd09.key ProxyPass /elog/ http://localhost:8082/ retry=1 ProxyPass / http://localhost:8080/ retry=1 <Location /> SSLRequireSSL AuthType Basic AuthName "password protected site" Require valid-user # create password file: touch /etc/httpd/htpasswd # to add new user or change password: htpasswd /etc/httpd/htpasswd username AuthUserFile /etc/httpd/htpasswd </Location> </VirtualHost> ...
- comment out duplicate "SSLCertificateFile" and "SSLCertificateKeyFile" elsewhere in the file
- (optionally) If you got a certificate that is signed by DigiCert or RapidSSL then you'll need to add a line specifying the certificate chain file:
... SSLCertificateChainFile /etc/pki/tls/certs/DigiCertCA.crt ...
- touch /etc/httpd/htpasswd
- htpasswd /etc/httpd/htpasswd midas # enter password midas
- chkconfig httpd on
- service httpd restart
- firewall-cmd --add-port=443/tcp --permanent
- firewall-cmd --reload
- firewall-cmd --list-all
- test it
- test the SSL proxy: https://host/ should yield the midas status page, https://host/elog/ should yield the elog message index
- in ODB, set "/Elog/URL" to "https://host/elog/"
- now from the midas status page, the "Elog" button should take us to the https Elog URL
In needed, enable user directories: https://blah/~user in ~user/public_html
- edit /etc/httpd/conf.d/userdir.conf, replace "UserDir disabled" with "UserDir enabled"
- setsebool -P httpd_enable_homedirs true
- systemctl restart httpd
Setup the history mhttpd for faster access to history plots
When running an SSL proxy,
- start the main mhttpd (orange command for old mhttpd, green for new mhttpd with Mongoose(post August2015):
- "mhttpd -p 8071 -D" or
- "mhttpd -D --oldserver 8071 --nomg"
- start the history mhttpd
- "mhttpd -p 8072 -D -H" or
- "mhttpd -D -H --oldserver 8072 --nomg"
- set ODB /History/URL to "http://alphacpc09.cern.ch:8072/HS/"
- open the MIDAS status page
- go to the history section, try to open any history plot, observe that the history plot gif image loads correctly, inspect it's URL (use "copy image URL" or "view source", etc), it should point to port 8072 causing connection to the history mhttpd.
- continue with these instructions to setup history mhttpd access through an SSL proxy:
- setup SSL proxy access (required mod_proxy_html)
- login as root to the SSL proxy machine
- on SL5, install the missing mod_proxy_html httpd module:
- yum install httpd-devel libxml2-devel
- wget http://apache.webthing.com/mod_proxy_html/mod_proxy_html.tar.bz2
- tar xjvf mod_proxy_html.tar.bz2
- cd mod_proxy_html
- apxs -c -I. -I/usr/include/libxml2 -i mod_proxy_html.c
- apxs -c -I. -I/usr/include/libxml2 -i mod_xml2enc.c
- cd /etc/httpd/conf.d, add this to ssl.conf:
- before the ProxyPass statements
# proxy the MIDAS web servers LoadModule xml2enc_module modules/mod_xml2enc.so LoadModule proxy_html_module modules/mod_proxy_html.so ProxyHTMLLinks a href ProxyHTMLLinks link href ProxyHTMLLinks img src #ProxyHTMLEnable On ProxyRequests off
- after the ProxyPass statements
# ALPHA1 history access ProxyPass /alpha1/history/ http://alphacpc09.cern.ch:8072/HS/ retry=1 ProxyPass /alpha1/ http://alphacpc09.cern.ch:8071/ retry=1 ProxyHTMLEnable On ProxyHTMLURLMap http://alphacpc09.cern.ch:8072/HS/ /alpha1/history/
- adjust
- "alpha1" is the experiment name
- "alphacpc09.cern.ch" is the machine running mhttpd
- "8071" is the port number of the main mhttpd
- "mhttpd -p 8071 -D" or
- "mhttpd -D --oldserver 8071 --nomg"
- "8072" is the port number of the history mhttpd
- "mhttpd -p 8072 -D -H" or
- "mhttpd -D -H --oldserver 8072 --nomg"