As you might have read in previous blog posts, groov EPIC runs a Linux-based operating system that supports a variety of programming and operating options, including optional secure shell (SSH) access. SSH provides root access to the tools, software, and files on the groov EPIC system.
But how does SSH access work, what is it capable of, and is it right for you? In this post I’ll go into a bit more depth about secure shell and the Linux operating system (OS) on groov EPIC and provide answers to these questions.
One thing that makes the Linux OS special is that it’s not a proprietary platform. It’s free, open-source software that isn’t locked down to a small development team. Linux is supported by a massive community of users and developers who can read and analyze every single line of the source code, so it’s extremely difficult to find any security vulnerabilities that haven’t already been addressed. You can read more about the security of this OS in a recent groov EPIC security series blog post.
The operating system itself is put together by the Yocto Project, which is described on their site as “an open source collaboration project that helps developers create custom Linux-based systems regardless of the hardware architecture.” Yocto was a logical choice to generate EPIC's Linux OS because it provides the commonly used Linux platform as well as tools and applications specific to our needs, without being weighed down by anything unnecessary. Standard Linux distributions (distros) like Ubuntu or Fedora include a lot of software that simply does not belong in a PLC. So when we put together the EPIC distro, we didn’t include that extra bloat.
A specific Yocto-built distro is generated by building up layers of “recipes.” Each recipe is essentially the metadata for a set of features, the settings and instructions for building the binary image that ends up in the operating system. Some of the features and applications that are in the EPIC recipe list are the PAC Control and CODESYS runtimes, Node-RED, and groov View, all of which end up in the resulting EPIC firmware image that runs on each processor. This process of generating an operating system based on specific recipes lets us include the features and applications we need, and exclude anything we don’t.
As users, we typically interact with an OS through a graphical user interface—our standard PCs and smartphones are good examples of this—but that’s not the only way to interface with your device. In the very early days of personal computers and programming, there were no graphical interfaces; everything was done through the text-only command line interface or “CLI,” similar to the old DOS prompt of yesteryear. This interface is still included in modern computer systems; it just takes a back seat to the more appealing and convenient graphical interfaces we’re used to using.
Because groov EPIC has a Linux OS, it also has a command line interface. We can provide customers access to it using secure shell (SSH) sessions, if they install the optional but free GROOV-LIC-SHELL license. What the license does is permit you to enable the SSH server feature along with a unique username and password, so you can selectively allow secure remote access from an authorized SSH client. There are many SSH client programs, like PuTTY on Windows-based systems, or the built-in Terminal on your Mac or Linux PC. The reason this SSH server does not come as a default option like PAC Control or Node-RED is that it is very powerful, and it’s definitely not for everyone.
Using the command line to perform tasks is often not as straightforward as using a dedicated application, and it can be a double-edged sword: not only can root/admin privileges unlock a lot of potential on groov EPIC, they can also do a lot of damage. While the right set of commands could install and configure some interesting and powerful software packages, the wrong command could break the file system, bring down the firewall, or stop critical control programs from running correctly. (The good news: if you do "break" something with a destructive command through SSH, you can always restore your EPIC back to its factory default settings. Whew!)
With great power comes great responsibility. While SSH access gives you incredible power, it is also your responsibility to be aware of the commands you are using and what effect they will have.
Because of this we recommend shell access only for advanced developers who are familiar with using the Linux command line on other systems and have the knowledge and ability to use online resources to solve any issues that come up while working with the secure shell.
Due to the fairly advanced nature of the command line, support is limited for any modifications made over an SSH session. These limitations are explained thoroughly in the license agreement associated with the secure shell license, but the most important point you should know is that Opto 22 has limited technical support for products configured with secure shell access. Note that our only possible assistance will be to suggest you open a paper clip and initiate the Factory Restore to Defaults procedure. We can only guarantee our product's software applications as they perform when SSH is not enabled. So, as the secure shell-empowered user, you must take responsibility for troubleshooting and resolving any issues you encounter due to modifications made with SSH.
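One practical way to live up to that responsibility is to record what the system looks like before you start changing it over SSH, then compare afterwards, so you can tell whether a command touched the file system, the firewall, or the running programs the post warns about. The script below is an added example for this post, not code shipped by Opto 22 or part of the groov EPIC firmware. It assumes a POSIX shell and the common probe commands listed in PROBES; the firewall probe assumes an iptables-based firewall, which is an assumption about the device, not something the post states. Probes whose command is not installed are recorded as unavailable rather than aborting the snapshot.

```shell
#!/bin/sh
# Added example (not Opto 22's code): snapshot the state an SSH session can
# break, then diff a later snapshot against it to see what changed.

# Probes: "label|command". The commands are assumptions about what a typical
# embedded Linux system provides; the firewall probe assumes iptables.
PROBES='
mounts|cat /proc/mounts
disk|df -P
firewall|iptables -S
services|ls /etc/init.d
processes|ps -eo comm
'

# snapshot_state DIR: run every probe and store its output as DIR/<label>.txt.
# A probe whose command is missing writes a marker line instead of failing,
# and a probe that errors (e.g. iptables without root) leaves an empty file.
snapshot_state() {
    dir=$1
    mkdir -p "$dir"
    printf '%s\n' "$PROBES" | while IFS='|' read -r label cmd; do
        [ -n "$label" ] || continue
        set -- $cmd                       # split command into words; $1 is the program
        if command -v "$1" >/dev/null 2>&1; then
            $cmd > "$dir/$label.txt" 2>/dev/null || true
        else
            printf 'probe unavailable (%s)\n' "$1" > "$dir/$label.txt"
        fi
    done
}

# compare_state BEFORE_DIR AFTER_DIR: print "CHANGED: <label>" for each probe
# whose output differs. Returns 0 when nothing changed, 1 otherwise, so it can
# be used directly in an if statement.
compare_state() {
    changed=0
    for f in "$1"/*.txt; do
        label=$(basename "$f" .txt)
        if ! cmp -s "$f" "$2/$label.txt"; then
            printf 'CHANGED: %s\n' "$label"
            changed=1
        fi
    done
    return $changed
}

# Typical session:
#   snapshot_state /tmp/before      # right after logging in
#   ... make your changes ...
#   snapshot_state /tmp/after
#   compare_state /tmp/before /tmp/after || echo "review the changed items"
```

The processes probe will naturally differ between two snapshots (the ps command itself appears in the list), so treat that line as a prompt to look at the two files, while a change under firewall or mounts after a supposedly harmless command is exactly the signal that it is time to stop and consider the Factory Restore to Defaults procedure rather than dig deeper.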
Keeping these things in mind, you can consider if secure shell is the right tool for you. If it is, you can do some awesome things with custom Python scripts, compiled C++ code, and much, much more. For more detailed ideas of what groov EPIC is capable of with SSH access, check out developer.opto22.com/epicdev/SSH/.