First you have to enable the Trace forwareder on the panel
Then you have to start a tool on the host where you have installed TIA with Unified (change IP to your Panel IP):
"c:\Program Files\Siemens\Automation\WinCCUnified\bin\RTILtraceTool.exe" -mode receiver -host 192.168.210.128 -tcpThen you can start the trace viewer on the PC:
"C:\Program Files\Siemens\Automation\WinCCUnified\bin\RTILtraceViewer.exe"Create a file “override.conf” in /etc/systemd/system/docker.service.d
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2376Reload and restart the Docker daemon:
systemctl daemon-reload
systemctl restart docker.serviceNow you can connect for example the Siemens Industrial Edge Publisher to the Docker engine and create a Industrial App from images on your Docker host.
Linux: /etc/exports add a line /home/vogler *(rw,no_subtree_check,insecure) exports -a In this example we do it very insecure...
Windows: mount -o anon <hostname>:/home/vogler z:
Add a label object into your screen and add some lines of code to get a QR image. In this example a mobile phone app will scan the QR code and send username and password via a GraphQL server to WinCC OA and set it on datapoints (username and password should additionally be encrypted).
#uses "CtrlQRCode"
string g_code;
main()
{
g_code = createUuid();
strreplace(g_code,"{", "");
strreplace(g_code,"}", "");
DebugTN(g_code);
string fpath = PROJ_PATH+"/pictures/";
string fname = "login_qr_code_"+myUiNumber();
int ret = createQRCodeFile(g_code, fpath+fname);
this.image=fname+".png";
dpConnect("work", false, "QRLogin.code", "QRLogin.usr", "QRLogin.pwd");
}
void work(string dp, string code, string dp1, string usr, string dp2, string pwd)
{
if (code == g_code)
{
setInputFocus(myModuleName(), myPanelName(), txt_username.name());
txt_username.text = usr;
setInputFocus(myModuleName(), myPanelName(), txt_password.name());
txt_password.text = pwd;
m_loginFrameworkController.doContinue();
}
}
A GraphQL server can also be queried with a simple GET request:
wget -O - "https://server.rocworks.at/graphql?query=query { getTag(name: \"Input\") { tag { current { value time } } } }"Lot of times my ssh session get broken because I didn’t do anything for a while. Sometimes I have started “top” just that the connection does not get broken because of inactivity. But this is not really what I wanna do everytime. Luckily the SSH client can be configured to send alive telegrams for every session so that you do not need to pass arguments every time you open a SSH conneciton.
Following settings will make the SSH client to send alive telegrams to the other side every 60 seconds, and give up if it doesn’t receive any response after 2 tries.
~/.ssh/config
Host *
ServerAliveInterval 60
ServerAliveCountMax 2
Initially you have to init the certbot and get the certificate manually.
# Directories used:
/var/www
/var/www/certbot # handshake sites from certbot
/etc/letsencrypt # certificates are stored here# Initialize Certbot:
docker run --rm -ti \
-v /var/www:/var/www \
-v /etc/letsencrypt:/etc/letsencrypt \
certbot/certbot certonly --webroot -w /var/www/certbot -d <yor-domain-name> --email your.email@something.com The letsencrypt and the www directory must be mounted on both containers. Certbot will check the certificates every 12h and nginx must reload the configuration periodically.
nginx:
image: nginx:1.17.8
ports:
- 80:80
- 443:443
volumes:
- /var/www:/var/www
- /etc/nginx.conf:/etc/nginx/nginx.conf
- /etc/letsencrypt:/etc/letsencrypt
command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
certbot:
image: certbot/certbot
restart: unless-stopped
volumes:
- /var/www:/var/www
- /etc/letsencrypt:/etc/letsencrypt
entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew --webroot -w /var/www/html; sleep 12h & wait $${1}; done;'"Nginx must be configured to publish the certbots well-known sites for the handshake and your sites must be configured to use the certificates from letsencrypt.
server {
listen 80;
server_name <your-domain-name>;
server_tokens off;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl;
server_name vcm.winccoa.at;
ssl_certificate /etc/letsencrypt/live/<your-domain-name>/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/<your-domain-name>/privkey.pem;
root /var/www;
index index.html;
location / {
try_files $uri $uri/ =404;
}This repository on Github contains Dockerfiles and samples to build Docker images for WinCC OA products.
Download and unzip the CentOS WinCC OA rpm’s to the centos/software directory.
Only put those WinCC OA rpm’s into the directory which you want to have installed in your image. For a minimum image you only need the base packag of WinCC OA.
WinCC_OA_3.16-base-rhel-0-17.x86_64.rpm
Build your WinCC OA Docker image with:
docker build -t winccoa:3.16 .
The project should be mounted on /proj/start as a volume to your docker container.
And you may also mount a shield file to your docker container.
Example how to startup a WinCC OA project in a container:
docker run -d
--name winccoa
--hostname winccoa-server
-v ~/shield.txt:/opt/WinCC_OA/3.16/shield.txt
-v /proj/DemoApplication_3.16:/proj/start
-p 5678:5678
winccoa:3.16 To start a WinCC OA client application like a Gedi or a User-Interface you have to adapt your config file so that the proxy settings point to the WinCC OA server container. You can just create a copy of your config file (e.g. config.ui) and adapt the settings.
[general]
data = "winccoa-server"
event = "winccoa-server"
mxProxy = "winccoa-server <your-docker-host-name>:5678 cert" Then you can startup a Gedi/Ui with:
docker run --rm
-e DISPLAY=$DISPLAY
-v /tmp/.X11-unix:/tmp/.X11-unix
-v /proj/DemoApplication_3.16:/proj/default
-v /proj/DemoApplication_3.16/config/config.ui:/proj/default/config/config
winccoa:3.16
WCCOAui -autoreg -m gedi -proj default Sure you can also use a copy of your project directory (or a git checkout if you use git) and adapt the config file.
With the Project Administration you can create a new project in the /proj directory.
docker run -ti --rm
-e DISPLAY=$DISPLAY
-v /tmp/.X11-unix:/tmp/.X11-unix
-v /proj:/proj
winccoa:3.16
WCCOAui -projAdminFor sure what we have done with the Gedi can also be done with Control-Managers and Drivers. And in theory that can also be done with Kubernetes and so you can run your SCADA project in a Kubernetes Cluster.
This is a simple example how to query a GraphQL server from WinCC OA ctrl via HTTP.
{
string url = "https://server.rocworks.at/graphql";
string query = "query($tag: String!){getTag(name: $tag){tag{current{value}}}}";
mapping variables = makeMapping("tag", "Input");
mapping content = makeMapping("query", query, "variables", variables);
mapping data = makeMapping(
"headers", makeMapping("Content-Type", "application/json"),
"content", jsonEncode(content)
);
mapping result;
netPost(url, data, result);
if (result["httpStatusText"]=="OK") {
DebugTN(result["content"]);
}
else {
return "Error";
}
}Output:
{
"data": {
"getTag": {
"tag": {
"current": {
"value": 280.87696028711866
}
}
}
}
}The subdomain server.rocworks.at is redirected by my provider to my IP at home where Nginx (with Letsencrypt Certificate) is running and it forwards /grafana to my Grafana Docker Instance. Access to Grafana is possible via https://server.rocworks.at/grafana.
Nginx Configuration (sites-enabled/default)
server {
listen 80 default_server;
listen [::]:80 default_server;
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
server_name server.rocworks.at;
location / {
try_files $uri $uri/ =404;
}
location /grafana/ {
proxy_pass http://docker1:3000/;
}
}Grafana Configuration (/etc/grafana/grafana.ini)
[server]
# Protocol (http or https)
protocol = http
# The http port to use
http_port = 3000
# The public facing domain name used to access grafana from a browser
domain = server.rocworks.at
# Root Url (NOTE: there is not Port in the URL)
root_url = %(protocol)s://%(domain)s/grafana
enforce_domain = false