VMS/IRAF Installation and Site Manager's Guide
VMS/IRAF Installation and Site Manager's Guide
This section contains notes on the new V2.10 IRAF networking interface as
implemented for VMS. Further information can be found in
§5.6 of
this manual, the IRAF Version 2.10 Revisions Summary, and the
VMS/IRAF system notes file, iraf$local/notes.vms.
The VMS/IRAF networking code was extensively revised for V2.10 to permit
client access to a VMS node via TCP/IP, and runtime selection of TCP/IP or
DECNET for the transport method.
- Selection of the transport protocol is made in the dev$hosts file, as in
the examples below.
robur r : robur::0=irafks
ursa u : ursa!/local/iraf/bin.sparc/irafks.e
- The first example above states that logical node robur, with alias r, is a
DECNET domain node named robur. The DECNET connection is to be made by
executing the command "irafks" on the remote node. User login information
is supplied by the user's .irafhosts file if any, otherwise by dev$irafhosts.
A numbered DECNET object could be used instead, in which case the syntax on
the right would change to "robur::n", where n is the number
of the DECNET object to connect to.
The second example states that logical node ursa, with alias u, is a TCP/IP
domain node with network name ursa. The network connection is made by
executing, on the remote node ursa, the host command given after the "!".
VMS/IRAF supports only the IRAF rexec connect protocol for outgoing
connections to TCP/IP servers. TCP/IP connections are discussed in more
detail below.
In the simplest form of a DECNET connection the hosts file entry for the
server node will reference a zero-numbered network object as in the example,
e.g., "hostname::0=irafks" (or "hostname::task=irafks"). If "irafks" is
not a defined DECNET network object then the user must have a file
IRAFKS.COM in their login directory, similar to the following:
$! IRAFKS.COM -- Fire up the iraf kernel server under DECNET.
$!
$ if f$mode() .nes. "NETWORK" then exit
$!
$! iraf ! uncomment if not in login.com
$ irafks :== "$irafbin:irafks" ! define irafks as a foreign task
$ irafks dn.irafks ! start the iraf kernel server
$ logout
- This works, but has the disadvantage that every user account must have
an IRAFKS.COM file in the login directory, or IRAF DECNET-based networking
will not work. A better approach is to define IRAFKS as a known network
object which will execute the file IRAFKS.COM supplied in the IRAFHLIB
directory with V2.10 VMS/IRAF. This eliminates the need for each user to
have a private copy of the IRAFKS.COM file, and makes proxy logins possible,
which can eliminate the need for password prompts.
The following is an example of how to install irafks as a known network
object. This must be done on each DECNET host. The device name USR$3:
shown in the example should be replaced by the value of IRAFDISK: on the
local system.
$ run sys$system:ncp
ncp> define object irafks -
number 0 file usr$3:[iraf.vms.hlib]irafks.com
ncp> set object irafks -
number 0 file usr$3:[iraf.vms.hlib]irafks.com
ncp> exit
- In normal operation the NCP configuration is automatically preserved when
the system is rebooted. If the local system has a network configuration
procedure to redefine the NCP settings in the event of damage to the network
database, then an NCP DEFINE command similar to that shown should be added
to this file.
An alternative to the above scheme is to define IRAFKS as a numbered system
object. This works as above, except that the "number 0" becomes "number
n", where n is the network object number, and the dev$hosts file
syntax for the server becomes "hostname::n".
The DECNET proxy login capability allows DECNET connections to be made
between a set of well-known cooperating systems (e.g., the local cluster)
without the need to supply login authentication information every time a
network connection is made. The effect is to eliminate password prompts,
thereby making networking much more transparent to the user. In some cases
eliminating password prompts is necessary to make the software function
correctly, for example when using a VMS host as a gateway machine
interactive prompting for passwords is not possible, and the gateway cannot
function correctly without some way to disable password prompts. In the
case of IRAF networking this can be done by having the user put password
information in their .irafhosts file, but the use of proxy logins is preferred
since it avoids plaintext passwords and avoids the need for the .irafhosts
file altogether.
To enable proxy logins for IRAF networking one must first define IRAFKS (the
IRAF kernel server) as a known network object, as outlined in the previous
section. The VMS authorize utility is then used to enable proxy
logins.
- For example, assume we have two nodes ROBUR and DRACO.
$ run sys$system:authorize ! run on node robur
authorize> add/proxy draco::* */default
$ run sys$system:authorize ! run on node draco
authorize> add/proxy robur::* */default
- This would enable proxy logins between nodes draco and robur for all user
accounts that have the same user login name on both systems. Alternatively
one could do this for only a specified set of user accounts. The authorize
utility automatically updates the affected disk files so that the change
will be preserved the next time the system is booted.
To eliminate the password prompts during IRAF networking connections one
must also edit the user .irafhosts file, or the system irafhosts file (in
dev) to disable login authentication. For example, if the dev$irafhosts
file contains
# dev$irafhosts
draco : <user> none
robur : <user> none
* : <user> ?
- then authentication will be disabled for connections made between nodes
draco and robur, but a password will be required to connect to any other
node. The above irafhosts file would result in a DECNET login request
such as
hostname"username"::"0=irafks"
- which forces a login as "username" on the remote host. If the user name is
omitted, the default proxy login on the remote node is used.
The user's .irafhosts file, if present, will be used instead and should
be configured similarly.
These changes make IRAF DECNET based networking transparent between
cooperating nodes in a local network, without requiring users to place
password information in .irafhosts files. This is especially desirable if a
routing node is used to route IRAF networking connections between TCP/IP and
DECNET networks.
For incoming TCP/IP connections (VMS node acting as server) VMS/IRAF supports
two connect protocols, rexec and rexec-callback. The rsh
protocol, the default connect protocol for V2.10 UNIX/IRAF systems, is not
supported by VMS/IRAF. To act as a TCP/IP server a VMS node must run a
host-level networking package (such as Multinet) which supports the
rexecd networking daemon.
- On the UNIX side the dev$hosts entry for a directly-connected VMS node
should be similar to the following example.
robur r : -rcb robur!irafks
- This specifies that for logical node robur, alias r, the rexec-callback
connect protocol (TCP/IP) should be used to connect to the network node
robur. The command to be executed on the remote node is whatever is to
the right of the "!", i.e., the command "irafks" in our example.
When the rexecd daemon executing on the remote VMS node responds,
the first thing it will do is login using the username and password
supplied with the rexec request, and execute the user's LOGIN.COM file.
For an IRAF user this must contain the command iraf, which causes
the IRAFUSER.COM file in [IRAF.VMS.HLIB] to be interpreted by DCL.
This defines all the IRAF logical names and symbols. One of the sybols
defined is the irafks command which is subsequently executed to
complete the rexec network request. The irafks command is defined
in IRAFUSER.COM as follows:
$ irafks :== $irafbin:irafks ! IRAF network kernel server
- Hence, as might be expected, the result of the rexec connect is to run the
IRAF kernel server irafbin:irafks.exe on the server node. In the case of
the rexec-callback connect protocol, the actual command passed to DCL
includes command line arguments to the IRAF kernel server telling it how to
call the client back on a private network socket. What happens is that the
client reserves a port and creates a socket on this port, then issues a
rexec call to the VMS system to run the kernel server. The port and host
name are passed on the rexec command line. The rexecd daemon on the
server runs the irafks.exe process on the VMS node, and irafks calls the
client back on the socket reserved by the client. The end result is a high
bandwidth direct socket connection between the client and server processes.
See the discussion in
§5.6 for a discussion of TCP/IP and DECNET
internetworking, including examples of how to configure a VMS node as an
Internet gateway for IRAF networking.
One potential consequence of IRAF networking is that, if IRAF networking is
not properly configured (either at the system level or at the user level),
network connection attempts may fail, and IRAF in its normal operation may
repeatedly generate failed connection attempts. Repeated failed connection
attempts can trigger network security alarms on a VMS system, even though no
real security problem exists. VMS systems managers should be aware of this
possibility so that they don't waste time trying to track down a potential
network security problem which doesn't exist. Should this circumstance
occur, the best solution is to properly configure IRAF networking so that
the connection attempts succeed, e.g., by setting up the user's .irafhosts
file, or by enabling proxy logins for the user.