<?xml version="1.0" encoding="UTF-8"?>
|
|
<seiscomp>
|
|
<module name="caps" category="Acquisition">
|
|
<description>Realtime and archive waveform server</description>
|
|
<command-line>
|
|
<synopsis>
|
|
caps [options]
|
|
</synopsis>
|
|
|
|
<group name="Generic">
|
|
<optionReference>generic#help</optionReference>
|
|
<optionReference>generic#version</optionReference>
|
|
<optionReference>generic#config-file</optionReference>
|
|
<optionReference>generic#plugins</optionReference>
|
|
<optionReference>generic#daemon</optionReference>
|
|
</group>
|
|
|
|
<group name="Verbosity">
|
|
<optionReference>verbosity#verbosity</optionReference>
|
|
<optionReference>verbosity#v</optionReference>
|
|
<optionReference>verbosity#quiet</optionReference>
|
|
<optionReference>verbosity#print-component</optionReference>
|
|
<optionReference>verbosity#print-context</optionReference>
|
|
<optionReference>verbosity#component</optionReference>
|
|
<optionReference>verbosity#syslog</optionReference>
|
|
<optionReference>verbosity#lockfile</optionReference>
|
|
<optionReference>verbosity#console</optionReference>
|
|
<optionReference>verbosity#debug</optionReference>
|
|
<optionReference>verbosity#trace</optionReference>
|
|
<optionReference>verbosity#log-file</optionReference>
|
|
</group>
|
|
|
|
<group name="Server">
|
|
<option long-flag="server-port" flag="p" argument="int" param-ref="AS.port"/>
|
|
<option long-flag="server-ssl-port" argument="int" param-ref="AS.SSL.port"/>
|
|
<option long-flag="plugin-port" flag="P" argument="int" param-ref="AS.plugins.port"/>
|
|
<option long-flag="http-port" argument="int" param-ref="AS.http.port"/>
|
|
<option flag="" long-flag="read-only">
|
|
<description>
|
|
Do not store any packets.
|
|
</description>
|
|
</option>
|
|
</group>
|
|
<group name="Test">
|
|
<option flag="" long-flag="configtest">
|
|
<description>
|
|
Run a configuration file syntax test. It parses the
|
|
configuration files and either reports Syntax Ok or detailed
|
|
information about the particular syntax error.
|
|
</description>
|
|
</option>
|
|
<option flag="" long-flag="print-access">
|
|
<description>
|
|
Print access information for one or more channels from a
|
|
given IP and a user with password, format: NET.STA.LOC.CHA,
|
|
e.g.,
|
|
|
|
IP check
|
|
|
|
caps --print-access GE.*.*.* 127.0.0.1
|
|
|
|
IP and user:password check
|
|
|
|
caps --print-access GE.APE.*.* --user gempa:gempa 127.0.0.1
|
|
|
|
The stream ID filter supports wildcards. Use option -v to
|
|
enable the trace mode to get detailed information about the
|
|
rule evaluation.
|
|
</description>
|
|
</option>
|
|
<option flag="u" long-flag="user">
|
|
<description>
|
|
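Server user and password. Format: user:password. A password passed on the command line may be visible to other local users in the process list and may end up in the shell history.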
|
|
</description>
|
|
</option>
|
|
</group>
|
|
</command-line>
|
|
|
|
<configuration>
|
|
<group name="AS">
|
|
<description>CAPS server control parameters</description>
|
|
<parameter name="filebase" type="string" default="@ROOTDIR@/var/lib/caps/archive">
|
|
<description>
|
|
Defines the path to the archive directory.
|
|
</description>
|
|
</parameter>
|
|
<parameter name="port" type="int" default="18002">
|
|
<description>
|
|
Defines the server port for client requests.
|
|
</description>
|
|
</parameter>
|
|
<parameter name="clientBufferSize" type="int" default="16384" unit="B">
|
|
<description>
|
|
Size of the client buffer in bytes. In case the client fails to read the buffered data
|
|
in time (buffer overflow) the connection falls back to archive requests.
|
|
</description>
|
|
</parameter>
|
|
<parameter name="minDelay" type="int" default="-1" unit="s">
|
|
<description>
|
|
Limits the retrieval of real-time data. The value
|
|
specifies the maximum relative end time of the time range
|
|
to be requested. The maximum absolute end time is
|
|
now - minDelay. This is only valid for FDSNWS and WWS.
|
|
</description>
|
|
</parameter>
|
|
<parameter name="inventory" type="path" default="">
|
|
<description>
|
|
The path to an optional inventory XML file with SeisComP3
|
|
schema. This inventory information is used by WWS to populate
|
|
the channel coordinates. In future possibly more endpoints
|
|
will make use of it.
|
|
</description>
|
|
</parameter>
|
|
<parameter name="logRequests" type="boolean" default="false">
|
|
<description>
|
|
Whether to maintain a request log file or not. Each request
|
|
will be logged and partly traced.
|
|
</description>
|
|
</parameter>
|
|
<parameter name="logAnonymousIP" type="boolean" default="false">
|
|
<description>
|
|
Log only parts of the IP to respect users' privacy.
|
|
</description>
|
|
</parameter>
|
|
<parameter name="logPurge" type="boolean" default="false">
|
|
<description>
|
|
Whether to maintain a purge log file or not. Each purge
|
|
operation will be logged.
|
|
</description>
|
|
</parameter>
|
|
<parameter name="allow" type="list:string" default="">
|
|
<description>
|
|
List of IPs which are allowed to access the caps(s) port.
|
|
By default access is unrestricted.
|
|
</description>
|
|
</parameter>
|
|
<parameter name="deny" type="list:string" default="">
|
|
<description>
|
|
List of IPs which are not allowed to access the caps(s) port.
|
|
By default access is unrestricted.
|
|
</description>
|
|
</parameter>
|
|
|
|
<group name="filebase">
|
|
<description>
|
|
File buffer control parameters
|
|
</description>
|
|
<parameter name="logFile" type="path">
|
|
<description>
|
|
The path to the archive log file which contains the
|
|
stream start and end times. By default it is written
|
|
to $filebase/archive.log.
|
|
</description>
|
|
</parameter>
|
|
<group name="cache">
|
|
<description>
|
|
CAPS does not keep all files of all streams open. It
|
|
tries to keep open the most frequently used files and closes
|
|
all others. The more files CAPS can keep open the faster
|
|
the population of the archive. The limit of open
|
|
files depends on the security settings of the user under
|
|
which CAPS is running.
|
|
</description>
|
|
<parameter name="openFileLimit" type="int" default="250">
|
|
<description>
|
|
The maximum number of open files. Because a stream
|
|
file can have an associated index file this value
|
|
is half of the physically opened files in worst case.
|
|
</description>
|
|
</parameter>
|
|
<parameter name="unusedFileLimit" type="int" default="1000">
|
|
<description>
|
|
Limit of cached files in total. This value affects also
|
|
files that are actually explicitly closed by the
|
|
application. CAPS will keep them open (respecting
|
|
the openFileLimit parameter) as long as possible and
|
|
preserve a file handle to speed up reopening the
|
|
file later.
|
|
</description>
|
|
</parameter>
|
|
</group>
|
|
<group name="params">
|
|
<parameter name="writeMetaOnClose" type="boolean" default="false">
|
|
<description>
|
|
This is an optimization to write the datafile meta record only
|
|
on file close and not every time a new record has been added
|
|
to a file. To save IO bandwidth when handling many channels,
|
|
this could be helpful.
|
|
</description>
|
|
</parameter>
|
|
<parameter name="alignIndexPages" type="boolean" default="false">
|
|
<description>
|
|
This forces index pages to be aligned at 4k boundaries in the file.
|
|
In order to achieve that, NULL chunks must be inserted to
|
|
allow padding. This will lead to less device page updates
|
|
but slightly larger data files.
|
|
</description>
|
|
</parameter>
|
|
<parameter name="priority" type="int" default="0">
|
|
<description>
|
|
A value greater than 0 will raise the write thread
|
|
priority to the given value. This value is in
|
|
accordance with the pthread_setschedparam function.
|
|
</description>
|
|
</parameter>
|
|
<parameter name="q" type="int" default="1000">
|
|
<description>
|
|
The real-time notification queue size.
|
|
</description>
|
|
</parameter>
|
|
<parameter name="concurrency" type="int" default="1">
|
|
<description>
|
|
The number of concurrent writes to the database. The
|
|
higher the value the more concurrent write operations
|
|
are issued distributed across the files. A single file
|
|
can only be updated sequentially. This value is most
|
|
effective if many records of different channels are
|
|
pushed, like the output of scmssort.
|
|
</description>
|
|
</parameter>
|
|
</group>
|
|
<parameter name="keep" type="list:string" default="*.*.*.*:-1">
|
|
<description>
|
|
Number of days to keep data per stream ID before
|
|
"AS.filebase.purge.referenceTime". For
|
|
stream-specific configuration create a list of pairs
|
|
consisting of stream ID : days. Separate pairs by
|
|
comma. The first occurrence in the list takes priority.
|
|
|
|
Example keeping all streams but AM.* and GR.* for 14 days:
|
|
|
|
GR.*:-1, AM.*.*.*:365, *.*.*.*:14
|
|
|
|
Default (empty parameter) or -1: keep all data forever.
|
|
</description>
|
|
</parameter>
|
|
<group name="purge">
|
|
<description>
|
|
Parameters controlling IO resources occupied by the purge operation.
|
|
The deletion of many data files at once may have a significant impact
|
|
on the server performance. E.g. if the server did not run for a while
|
|
or the keep parameter was reduced significantly, the purge operation
|
|
may slow down the processing of real-time data.
|
|
</description>
|
|
<parameter name="referenceTime" type="string" default="EndTime" values="EndTime,Now">
|
|
<description>
|
|
The reference time defining the end of the time window
|
|
to keep the data. The window length is set by
|
|
"AS.filebase.keep".
|
|
Data outside the window will be purged. Available values:
|
|
|
|
EndTime: The reference time is the end time per stream.
|
|
This keeps older data if no more recent data arrive.
|
|
|
|
Now: The reference time is current time. This
|
|
deletes old data even if no recent data arrive.
|
|
</description>
|
|
</parameter>
|
|
<parameter name="idleTime" type="double" default="5" unit="s">
|
|
<description>
|
|
Idle time between two purge runs.
|
|
</description>
|
|
</parameter>
|
|
<parameter name="initIdleTime" type="double" default="0" unit="s">
|
|
<description>
|
|
Idle time before the first purge run starts. Normally
|
|
after a start the server tries to catch up all data which
|
|
might be an IO intensive operation. In case of a huge archive the purge
|
|
operation slows down the read/write performance of the system too. To
|
|
reduce the load at start it is a good idea to postpone this operation.
|
|
</description>
|
|
</parameter>
|
|
<parameter name="maxProcessTime" type="double" default="1" unit="s">
|
|
<description>
|
|
Maximum processing time for one purge run. If exceeded the
|
|
purge task will pause for AS.filebase.purge.idleTime
|
|
seconds freeing IO resources.
|
|
</description>
|
|
</parameter>
|
|
<parameter name="startTime" type="string" default="00:30">
|
|
<description>
|
|
Time of the day when to run the daily purge run. Time is in UTC.
|
|
</description>
|
|
</parameter>
|
|
</group>
|
|
<parameter name="preallocationSize" type="int" default="65535" unit="B">
|
|
<description>
|
|
Preallocation size of data files in bytes. Some file systems allow reserving
|
|
disk space for files in advance. Especially on spinning disks the read
|
|
performance will be improved if data can be read sequentially. The speed is
|
|
traded for disk space consumed by the file since its size will be a multiple
|
|
of the specified value. Set the value to 0 to disable this feature.
|
|
</description>
|
|
</parameter>
|
|
</group>
|
|
<group name="SSL">
|
|
<description>
|
|
Parameters for SSL-based data requests
|
|
</description>
|
|
<parameter name="port" type="int">
|
|
<description>
|
|
Defines the SSL server port for client requests. By default
|
|
SSL requests are disabled.
|
|
</description>
|
|
</parameter>
|
|
<parameter name="certificate" type="string">
|
|
<description>
|
|
Defines the path to the SSL certificate to use.
|
|
</description>
|
|
</parameter>
|
|
<parameter name="key" type="string">
|
|
<description>
|
|
Defines the path to the private SSL key to use. This key
|
|
is not shared with clients.
|
|
</description>
|
|
</parameter>
|
|
</group>
|
|
<group name="auth">
|
|
<description>
|
|
Parameters controlling the authentication system for data requests
|
|
based on user ID, IP addresses, access roles and access control lists.
|
|
</description>
|
|
<parameter name="backend" type="string" default="basic">
|
|
<description>
|
|
The server provides an authentication plug-in interface. An authentication plugin
|
|
implements access control checks. It is free in where it obtains the access information, e.g.,
|
|
from a local database/file or a remote server. The option sets which authentication plugin
|
|
should be used for authentication. Don't forget to load the plugin in the plugin section.
|
|
The basic plugin is built-in.
|
|
</description>
|
|
</parameter>
|
|
<group name="basic">
|
|
<description>
|
|
Basic authentication parameters. The configuration can
|
|
be reloaded without restarting the server. Use
|
|
"seiscomp reload caps" to reload the
|
|
authentication parameters without a restart.
|
|
</description>
|
|
<parameter name="access-list" type="file" default="@SYSTEMCONFIGDIR@/caps/access.cfg">
|
|
<description>
|
|
Path to the access control list controlling access based on rules.
|
|
By default access is unrestricted. Allow rules are evaluated first.
|
|
|
|
AM.DENY = 127.0.0.1
|
|
|
|
AM.ALLOW = 127.0.0.1
|
|
|
|
This example rule set prohibits all AM network stations for localhost because
|
|
the DENY rule is evaluated after the ALLOW rule.
|
|
|
|
IP restrictions apply to the guest user only. In addition to IPs the access can
|
|
also be restricted by user or group. In the latter case
|
|
the "%" must be placed in front of the group name. Here is an example:
|
|
|
|
AM.ALLOW = %users
|
|
|
|
AM.R44F5.ALLOW = sysop
|
|
|
|
Rules are evaluated in relation to one another, which can lead to misunderstandings. Here is an
|
|
example:
|
|
|
|
AM.ALLOW = sysop
|
|
|
|
This rule will allow the AM network for sysop only. But
|
|
|
|
DENY = %users
|
|
AM.ALLOW = sysop
|
|
|
|
will allow access to the AM network for all users except those who are members of the group users.
|
|
</description>
|
|
</parameter>
|
|
<group name="users">
|
|
<parameter name="shadow" type="file" default="@SYSTEMCONFIGDIR@/caps/shadow.cfg">
|
|
<description>
|
|
Location of the users authentication file. For each user one line
|
|
of the following format must exist:
|
|
|
|
username:encrypted_pwd
|
|
|
|
To encrypt (hash) the password, mkpasswd can be used. It is recommended to
|
|
apply a strong algorithm such as sha-256 or sha-512. The command
|
|
|
|
u=sysop pw=`mkpasswd -m sha-512` && echo $u:$pw
|
|
|
|
generates one line for user "sysop".
|
|
Add the line to the authentication file. Since the file contains password hashes, it should be readable only by the user running CAPS.
|
|
</description>
|
|
</parameter>
|
|
<parameter name="passwd" type="file" default="@SYSTEMCONFIGDIR@/caps/passwd.cfg">
|
|
<description>
|
|
Location of the users access control file. Each
|
|
line starts with a user ID (uid) or a group ID (gid)
|
|
and a list of access properties in the form:
|
|
|
|
uid:prop1,prop2
|
|
|
|
or
|
|
|
|
%gid:prop1,prop2
|
|
|
|
"%" indicates a gid instead of a uid.
|
|
The properties grant access to certain CAPS
|
|
features. Supported access property values are:
|
|
read, write, admin.
|
|
</description>
|
|
</parameter>
|
|
<parameter name="group" type="file" default="@SYSTEMCONFIGDIR@/caps/group.cfg">
|
|
<description>
|
|
Location of the optional group file. Each line maps a group id
|
|
to a list of users in format
|
|
|
|
gid:user1,user2,user3
|
|
</description>
|
|
</parameter>
|
|
</group>
|
|
</group>
|
|
</group>
|
|
<group name="plugins">
|
|
<parameter name="port" type="int" default="18003">
|
|
<description>
|
|
Defines the server port to use for plugin connections.
|
|
</description>
|
|
</parameter>
|
|
<parameter name="allow" type="list:string" default="">
|
|
<description>
|
|
List of IPs which are allowed to access the plugin port.
|
|
By default access is unrestricted.
|
|
</description>
|
|
</parameter>
|
|
<parameter name="deny" type="list:string" default="">
|
|
<description>
|
|
List of IPs which are not allowed to access the plugin port.
|
|
By default access is unrestricted.
|
|
</description>
|
|
</parameter>
|
|
<group name="SSL">
|
|
<parameter name="port" type="int">
|
|
<description>
|
|
Defines the SSL server port to use for plugin SSL connections.
|
|
The SSL port is disabled by default.
|
|
</description>
|
|
</parameter>
|
|
<parameter name="certificate" type="string">
|
|
<description>
|
|
Defines the path to the SSL certificate to use.
|
|
</description>
|
|
</parameter>
|
|
<parameter name="key" type="string">
|
|
<description>
|
|
Defines the path to the private SSL key to use. This key
|
|
is not shared with clients.
|
|
</description>
|
|
</parameter>
|
|
</group>
|
|
</group>
|
|
<group name="http">
|
|
<description>
|
|
Web interface control parameters
|
|
</description>
|
|
<parameter name="port" type="int">
|
|
<description>
|
|
Defines the server port for HTTP connections. By default the Web interface is disabled.
|
|
|
|
Typical value: 18081
|
|
</description>
|
|
</parameter>
|
|
<parameter name="allow" type="list:string" default="">
|
|
<description>
|
|
List of IPs which are allowed to access the http(s) port.
|
|
By default access is unrestricted.
|
|
</description>
|
|
</parameter>
|
|
<parameter name="deny" type="list:string" default="">
|
|
<description>
|
|
List of IPs which are not allowed to access the http(s) port.
|
|
By default access is unrestricted.
|
|
</description>
|
|
</parameter>
|
|
<parameter name="resolveProxyClient" type="boolean" default="false">
|
|
<description>
|
|
Sets if the X-Forwarded-For HTTP header is evaluated to
|
|
retrieve the real client IP address from a proxy server.
|
|
This is important if the web frontend is behind a proxy,
|
|
e.g. Apache. Since data access is configured per IP, the
|
|
real IP is required to grant access to requested channels.
|
|
Enabling this opens a possible security hole as clients
|
|
can then easily spoof their IP if the proxy does not
|
|
correctly maintain this header or if CAPS does not run
|
|
behind a proxy.
|
|
</description>
|
|
</parameter>
|
|
<parameter name="disableBasicAuthorization" type="boolean" default="false">
|
|
<description>
|
|
Controls whether basic authorization is enabled or not.
|
|
In case you are running CAPS behind a proxy which already
|
|
configures basic authorization then enable this flag.
|
|
If basic authorization is disabled then the default
|
|
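HTTP user should have access without a password. In this setup the CAPS HTTP port should be reachable only through the proxy, otherwise clients connecting directly would bypass the proxy's authentication.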
|
|
</description>
|
|
</parameter>
|
|
<parameter name="fdsnws" type="string" default="">
|
|
<description>
|
|
Sets the optional relative FDSNWS path which is being
|
|
used by the CAPS frontend client. Do not append
|
|
"fdsnws/dataselect/1/query" as this is done
|
|
automatically. Set it to "/" if the CAPS
|
|
frontend is running with a relative path behind e.g.
|
|
Nginx.
|
|
</description>
|
|
</parameter>
|
|
<group name="SSL">
|
|
<description>
|
|
Use https instead of http when setting the following parameters
|
|
</description>
|
|
<parameter name="port" type="int">
|
|
<description>
|
|
Defines the server port for HTTPS connections.
|
|
By default the SSL Web interface is disabled.
|
|
</description>
|
|
</parameter>
|
|
<parameter name="certificate" type="string">
|
|
<description>
|
|
Defines the path to the SSL certificate to use.
|
|
</description>
|
|
</parameter>
|
|
<parameter name="key" type="string">
|
|
<description>
|
|
Defines the path to the private SSL key to use. This
|
|
key is not shared with clients.
|
|
</description>
|
|
</parameter>
|
|
</group>
|
|
</group>
|
|
<group name="FDSNWS">
|
|
<description>
|
|
FDSNWS control parameters for dataselect. The FDSNWS service
|
|
is provided through the "AS.http.port".
|
|
</description>
|
|
<parameter name="maxTimeWindow" type="int" unit="s" default ="0">
|
|
<description>
|
|
Maximum length of time window per request. A value
|
|
greater than zero limits the maximum request time window
|
|
including all data. 0 disables the limit.
|
|
</description>
|
|
</parameter>
|
|
<parameter name="maxRequests" type="int" default="1000">
|
|
<description>
|
|
Maximum number of requests per post. A value greater than
|
|
or equal to zero limits the number
|
|
of request lines per POST request.
|
|
</description>
|
|
</parameter>
|
|
</group>
|
|
<group name="WWS">
|
|
<description>
|
|
Winston waveform server (WWS) control parameters. When set,
|
|
CAPS will also serve WWS.
|
|
</description>
|
|
<parameter name="port" type="int">
|
|
<description>
|
|
Server port for WWS connections. Please note that
|
|
inventory information (see AS.inventory) is required to
|
|
fully support WWS requests otherwise empty values for
|
|
the channel location and unit will be returned.
|
|
|
|
Default (no value): The WWS interface is disabled.
|
|
</description>
|
|
</parameter>
|
|
<parameter name="maxTimeWindow" type="int" unit="s" default="90000">
|
|
<description>
|
|
Maximum length of time window in seconds per request.
|
|
A value greater than zero limits the maximum request time window
|
|
including all data. 0 disables the limit.
|
|
</description>
|
|
</parameter>
|
|
<parameter name="maxRequests" type="int" default="100">
|
|
<description>
|
|
A value greater than or equal to zero limits the number
|
|
of request lines per POST request.
|
|
</description>
|
|
</parameter>
|
|
<parameter name="allow" type="list:string" default="">
|
|
<description>
|
|
List of IPs which are allowed to access the WWS port.
|
|
By default access is unrestricted.
|
|
</description>
|
|
</parameter>
|
|
<parameter name="deny" type="list:string" default="">
|
|
<description>
|
|
List of IPs which are not allowed to access the WWS port.
|
|
By default access is unrestricted.
|
|
</description>
|
|
</parameter>
|
|
</group>
|
|
</group>
|
|
</configuration>
|
|
</module>
|
|
</seiscomp>
|