Add p5 connection instructions for the user

docs/cerntscms.cern.ch.rdp

+full address:s:cerntscms.cern.ch
+desktopwidth:i:1280
+desktopheight:i:1024
+session bpp:i:16
+compression:i:1
+keyboardhook:i:2
+displayconnectionbar:i:1
+disable wallpaper:i:1
+disable full window drag:i:1
+allow desktop composition:i:0
+allow font smoothing:i:0
+disable menu anims:i:1
+disable themes:i:0
+disable cursor setting:i:0
+bitmapcachepersistenable:i:1
+audiomode:i:0
+redirectprinters:i:1
+redirectcomports:i:0
+redirectsmartcards:i:1
+redirectclipboard:i:1
+redirectposdevices:i:0
+autoreconnection enabled:i:1
+authentication level:i:0
+prompt for credentials:i:0
+negotiate security layer:i:1
+remoteapplicationmode:i:0
+alternate shell:s:
+shell working directory:s:
+gatewayhostname:s:cerngt.cern.ch
+gatewayusagemethod:i:1
+gatewaycredentialssource:i:4
+gatewayprofileusagemethod:i:1
+pr
+ptcredentialonce:i:1
+drivestoredirect:s:

docs/expert/operations/p5-operations.md

@@ -25,164 +25,3 @@ with one entry per line (the NICE username).
     multiple users in one go, but it is interactive, as it also allows you
     to add the users to various privilegd groups and this has not yet been
     scripted.
-
-## Getting connected
-
-If you yourself do not have an account on the technical netowrk, contact
-the GEM responsible, or open the ticket yourself.
-
-Once this has been done, you should have an account on the technical
-network.
-
-!!! note
-    The account will be created simultaneously for both the P5 (`.cms`) and
-    904 (`.cms904`) networks, you do not need to request an account for
-    each.
-
-There are several helpful snippets to include in your `ssh` config file:
-
-### Multi-hop/tunnels
-
-If connecting to the technical network from outside the CERN GPN, you
-will first have to hop through a machine such as `lxplus`. This
-procedure will also be needed to connect to resources that are only
-accessible from the GPN, e.g., databases in IT. To do this easily, add
-the following rule(s) to your `~/.ssh/config` file (or platform
-equipment):
-
-=== "`.cms`"
-
-    ``` bash
-    ### Define a special alias to create all the necessary tunnels
-    Host cmsusrtunnel
-        HostName cmsusr.cern.ch
-        ProxyJump lxplus.cern.ch
-        DynamicForward 1091
-        ### You can configure this to reuse connections
-        # ControlMaster auto
-        ### Local forwards for the x2go machines
-        LocalForward 6122 x2go01:22
-        LocalForward 6222 x2go02:22
-        LocalForward 6322 x2go03:22
-        LocalForward 6422 x2go04:22
-        LocalForward 6522 x2go05:22
-        LocalForward 6622 x2go06:22
-        ### Local forwards for the RCMS logging collector receivers
-        # LocalForward 19021 cmsrc-srv.cms:99021
-        # LocalForward 20021 cmsrc-gem.cms:20021
-        # LocalForward 40021 cmsrc-gemdev.cms:40021
-    
-    ### Match all machines on the .cms network and route them through the special cmsusrremote alias
-    Host x2go*.cms cmsnx*.cms *.cms 10.176.*.* 172.16.*.*
-        ProxyJump cmsusr
-    
-    ### Hop through lxplus to get to the head node
-    Host cmsusr
-        HostName cmsusr.cern.ch
-        ProxyJump lxplus.cern.ch
-    ```
-
-=== "`.cms904`"
-
-    ``` bash
-    ### Define a special alias to create all the necessary tunnels
-    Host cms904usrtunnel
-        HostName cms904usr.cern.ch
-        ProxyJump lxplus.cern.ch
-        DynamicForward 1081
-        ### You can configure this to reuse connections
-        # ControlMaster auto
-        ### Local forwards for the x2go machines
-        LocalForward 7122 cms904x2go:22
-    
-    ### Match all machines on the .cms904 network and route them through the special cms904usr alias
-    Host cms904x2go* *.cms904 10.192.*.*
-        ProxyJump cms904usr
-    
-    ### Hop through lxplus to get to the head node
-    Host cms904usr
-        HostName cms904usr.cern.ch
-        ProxyJump lxplus.cern.ch
-    ```
-
-=== "904 GPN"
-
-    ``` bash
-    ### Define a special alias to create all the necessary tunnels
-    Host cerngpntunnel
-        HostName lxplus.cern.ch
-        DynamicForward 1085
-        ### You can configure this to reuse connections
-        # ControlMaster auto
-        ### Set up any local forwards here
-        ## OMDS/cms_omds_tunnel.cern.ch/production DB
-        # LocalForward 10131 cmsrac31-v.cern.ch:10121
-        # LocalForward 10132 cmsrac32-v.cern.ch:10121
-        # LocalForward 10141 cmsrac41-v.cern.ch:10121
-        # LocalForward 10142 cmsrac42-v.cern.ch:10121
-        ## CMSONR/cms_rcms.cern.ch/online DB
-        # LocalForward 10151 cmsonr1-v.cern.ch:10121
-        # LocalForward 10152 cmsonr2-v.cern.ch:10121
-        # LocalForward 10153 cmsonr3-v.cern.ch:10121
-        # LocalForward 10154 cmsonr4-v.cern.ch:10121
-        ## int2r.cern.ch/int2r-s.cern.ch/development DB
-        # LocalForward 10161 itrac1601-v.cern.ch:10121
-        # LocalForward 10169 itrac1609-v.cern.ch:10121
-    
-    Host gem904*.cern.ch
-        ProxyJump lxplus.cern.ch
-    ```
-
-!!! important
-    The above snippet uses the `ProxyJump` option of `openSSH`. It is
-    availble in versions greater than 7.3. If you are running a verision
-    older than this, you should replace the `ProxyJump` statements with the
-    appropriate option from the list below:
-    
-    -   `ProxyJump <host>` ## OpenSSH 7.3 and up
-    -   `ProxyCommand ssh <host> -W %h:%p` ## OpenSSH 5.4 and up
-    -   `ProxyCommand ssh <host> nc %h <ssh port on server>` ## all others
-
-### PAC file/proxies
-
-Using a proxy auto-connect (PAC) file will allow you to set up tunnels
-such that you can easily access web resources on the technical network
-or GPN from outside the GPN (or, if not connected to the technical
-network, from the GPN). If you do this, you won't have to individually
-forward specific ports and then access them via `localhost:<port>`,
-instead you simply point your browser to the real URL and the proxy you
-set up with the dynamic forward ensures that the request makes it to the
-correct machine. The file [located
-here](https://cern.ch/cmsgemdaq/guides/data/ssh/cern.pac.h) will assume
-that you have set up the ports as in the examples above. If not, you
-should ensure that the port forwards you use match the rules in the PAC
-file.
-
-Enabling this in `firefox` is done via the "preferences" menu. Inside
-of "preferences" menu is an area for "network settings" click on the
-"settings\..." button and click on "Automatic proxy configuration
-URL". In the text box you can add
-`https://cern.ch/cmsgemdaq/guides/data/cern.pac.h` or if you customize
-the pac file for your environment you can specify the local path on your
-computer with `file:///path/to/pac/file`. To enable on a browser that is
-not firefox, look up instructions for how to add a "Automatic proxy
-configuration URL" and add the path to the PAC file there. It can also
-be enabled system wide on your linux machine, but the setup is different
-depending on your exact configuration. Setup on Mac can be done either
-through the browser or through the network settings. Setup on Windows is
-an exercise left for the reader. More instructions are provided by the
-sysadmin team on the [cluster user's
-guide](https://twiki.cern.ch/twiki/bin/view/CMS/ClusterUsersGuide).
-
-In order to use the proxy, first enable an ssh tunnel:
-
-!!! note
-    For example, if you are on a cern site you can use the cmsusrtunnel
-    located in the script above.
-    
-    ``` bash
-    ssh -q -Nf cmsusrtunnel
-    ```
-    
-    Then if you want to access rcms (for example) type in
-    [http://cmsrc-gem:20000/rcms].

docs/p5.pac

+// PAC file for Firefox, Linux, etc.
+function FindProxyForURL(url, host) {
+  alert("URL: " + url);
+
+  // .cms network
+  if (shExpMatch(url,"*.cms:*") || shExpMatch(url,"*.cms/*")) {
+    alert("CMS Private Network");
+    return "SOCKS5 127.0.0.1:5000";
+  }
+
+  // All other requests go directly to the WWW:
+  return "DIRECT";
+}

docs/teststands.md → docs/setups-description.md

-# Teststand usage
+# Setups description
+
+The supported GEM setups are split in the following systems:
+
+=== "p5"
+
+    This is the main production system in CMS.
+    The operations are organized by GEM Run Coordinators and the Commissioning group.
+
+    _It consists of the `gem-` machines in the `.cms` network._
+
+=== "b904 integration"
+
+    This system is composed of various development and integration setups in b904.
+    Their usage is less constrained and described [below](#integration-setup-usage).
+
+    _It consists of the `gem904-` machines in the `.cms904` network and the `gem904int-` machines in the GPN network._
+
+=== "b904 QC"
+
+    This system is dedicated to the QC7 and QC8 tests of the production detectors in b904.
+    The operations are organized by the production group.
+
+    _It consists of the `gem904qc-` machines in the GPN network._
+
+## Connection
+
+### Account
+
+=== "p5"
+
+    If you do not have an account on the `.cms` technical network, please contact the GEM responsibles as listed [here](https://twiki.cern.ch/twiki/bin/viewauth/CMS/ClusterUsersGuide#Getting_an_account_or_access_to) or the GEM Run Coordinators.
+    Your NICE username is required to complete the account creation.
+
+    Once your acount will be created, you will receive a confirmation on your CERN email address with the credential. They can be changed at any moment with the `passwd` command on `cmsusr`.
+
+    !!! note
+        The account will be created simultaneously for both the p5 (`.cms`) and 904 (`.cms904`) networks, you do not need to request an account for each.
+
+### SSH connection
+
+Some ressources are accessible only from the CERN GPN or from technical networks which themselves must be reached from within the GPN.
+In order to access those ressources tunneling though the right network and machines is required.
+Below are several helpful snippets to include in your `ssh` configuration (`~/.ssh/config` by default) file to help you setting up your system.
+
+Additional options can be used to facilite the usage (such as multiplexed connections), but can be tricky to configure.
+
+=== "p5"
+
+    ```
+    Host cern-tunnel
+        Hostname lxplus.cern.ch
+        User <nice-username>
+        # IdentityFile <lxplus-enabled-ssh-key>
+
+    Host cmsusr.cern.ch cmsusr cmsusr-tunnel
+        Hostname cmsusr.cern.ch
+        User <nice-username>
+
+    # Only cmsusr-tunnel opens the tunnel
+    Host cmsusr-tunnel
+        # SOCKS5 proxy
+        DynamicForward localhost:5000
+        # X2GO server
+        LocalForward 5011 cc7x2go01.cms:22
+        LocalForward 5012 cc7x2go02.cms:22
+        LocalForward 5013 cc7x2go03.cms:22
+        LocalForward 5014 cc7x2go04.cms:22
+        LocalForward 5015 cc7x2go05.cms:22
+        LocalForward 5016 cc7x2go06.cms:22
+
+    # Hop through lxplus only if not in GPN
+    Match host cmsusr.cern.ch !exec "grep -q '^search cern\.ch$' /etc/resolv.conf"
+        ProxyJump cern-tunnel
+
+    # Direct connection to the
+    Host *.cms
+        ProxyJump cmsusr
+        # IdentityFile <cmsusr-enabled-ssh-key>
+        RequestTTY yes
+    ```
+
+    More details and updated information can be found on the [CMS Cluster TWiki](https://twiki.cern.ch/twiki/bin/viewauth/CMS/ClusterUsersGuide#How_to_tune_your_OpenSSH_configu).
+
+!!! important
+    The above snippet uses the `ProxyJump` option of `openSSH`.
+    It is availble in versions greater than 7.3.
+    If you are running a verision older than this, you should replace the `ProxyJump` statements with the appropriate option from the list below:
+
+    - `ProxyJump <host>` for OpenSSH 7.3 and up
+    - `ProxyCommand ssh <host> -W %h:%p` for OpenSSH 5.4 and up
+    - `ProxyCommand ssh <host> nc %h <ssh port on server>` for all others
+
+### Web proxy
+
+Using a proxy auto-connect (PAC) file will allow you to set up tunnels such that you can easily access web resources on the technical network or GPN from outside the GPN (or, if not connected to the technical network, from the GPN).
+If you do this, you won't have to individually forward specific ports and then access them via `localhost:<port>`, instead you simply point your browser to the real URL and the proxy you set up with the dynamic forward ensures that the request makes it to the correct machine.
+The file [located here](p5.pac) will assume that you have set up the ports as in the examples above.
+If not, you should ensure that the port forwards you use match the rules in the PAC file.
+
+Enabling this in `firefox` is done via the "Preferences" menu.
+Inside of "Preferences" menu is an area for "Network settings" click on the "Settings..." button and click on "Automatic proxy configuration URL".
+In the text box you can add [this link](p5.pac) or if you customize the PAC file for your environment you can specify the local path on your computer with `file:///path/to/pac/file`.
+To enable on a browser that is not Firefox, look up instructions for how to add a "Automatic proxy configuration URL" and add the path to the PAC file there.
+It can also be enabled system wide on your linux machine, but the setup is different depending on your exact configuration.
+Setup on Mac can be done either through the browser or through the network settings.
+Setup on Windows is an exercise left for the reader.
+
+!!! important
+    In order to use the proxy, first enable an SSH tunnel:
+
+    ``` bash
+    ssh cmsusr-tunnel
+    ```
+
+
+??? info
+    The following regular expression can be used in proxy extensions (e.g. `FoxyProxy`) instead of a PAC file.
+
+    * p5: `^(?:[^:@/]+(?::[^@/]+)?@)?(?:[\w-]+\.)*(?:cms)(?::\d+)?$`
+
+### DCS
+
+=== "p5"
+
+    You can use the RDP (_Remote Desktop Client_) client of your choice with [this cerntscms configuration file](cerntscms.cern.ch.rdp). No additional tunnel is required.
+
+    On Linux, you can use `xfreerdp` from the command line:
+
+    ``` bash
+    xfreerdp <path-to-the-rdp-file> /size:1918x1060 /gu:CERN\\<nice-username> /u:CERN\\<nice-username>
+    ```
+
+## Integration setup usage
 
 It is important to realize we are all sharing a set of common equipment
 and are working towards a common goal. Furthermore you and your
@@ -8,9 +141,9 @@ first important point:
 
 !!! warning
     **Leave the teststand how you found it**.
-    
+
     This specifically refers to the:
-    
+
     1.  Teststand infrastructure (e.g., fiber patch panels, power supplies,
         DAQ computer, etc\...), and
     2.  State of software (e.g., `rpcmodules`) and firmware of backend
@@ -38,7 +171,7 @@ Once you realize this you should:
 3.  Use the appropriate e-log `gemos-elogs`{.interpreted-text
     role="ref"} to log all activities
 
-## Available teststands & their uses
+### Available teststands & their uses
 
 The following 904 teststands exist
 
@@ -65,12 +198,12 @@ Unless you are involved in, or performing a test for, the sustained
 operations group or QC8 for GE1/1 qualification you should default to
 using the "Coffin" setup.
 
-## Teststand infrastructure
+### Teststand infrastructure
 
 Mainframes, fiber patch panels, μTCA crate numbers & names, AMC's,
-etc\...
+etc...
 
-## Electronic logbook (e-log)
+### Electronic logbook (e-log)
 
 For each of the teststands described in the section
 `gemos-available-teststands`{.interpreted-text role="ref"}, a
@@ -90,7 +223,7 @@ When using a teststand you should:
     encountered, and
 4.  State when you are finished using the stand
 
-## Requesting time on GEM teststands
+### Requesting time on GEM teststands
 
 Each stand has its own requisition page on SuperSAAS to manage testing
 and ensure we do not collide with other users. To see the available

mkdocs.yml

@@ -14,6 +14,7 @@ theme:
 
 markdown_extensions:
   - admonition
+  - pymdownx.details
   - pymdownx.superfences
   - pymdownx.tabbed
   - pymdownx.arithmatex:
@@ -27,7 +28,7 @@ extra_javascript:
 nav:
   - Getting started:
     - index.md
-    - teststands.md
+    - setups-description.md
     - contact.md
   - Electronics primer:
     - electronics/index.md