OPC UA Connection Problem

hadi-saeidi

I have a problem establishing a connection to the OPCUA server in the Node-RED app I've developed. I'm using the EPC1522 gateway. I'm encountering this issue:

I can establish a connection when I manually start the Docker image I used for developing the app (using 'docker run'). This leads me to suspect that the error only occurs when I build an app from this image using 'Podman'.

Hier ist the Conf Node.

I would greatly appreciate your assistance with this.

BR,

Hadi Saeidi

Martin PLCnext Team

The OPC UA server is running on the EPC 1522, is that correct?

What device is the Node Red application running on - is it also on the EPC 1522?

The Node Red application is running in an OCI container, is that correct?

What command did you use to run the OCI image using Docker? Is that command executed as root user, or as a "normal" user?

What command did you use to run the OCI image using Podman? Is that command executed as root user, or as a "normal" user?

If you're trying to run an OCI image on a PLCnext Control device using Podman, please be aware that this is not currently supported. Podman is only included on PLCnext Control devices for PLCnext Store apps (I know this is not clear in the documentation).

hadi-saeidi

Yes, the OPC UA server is running on the EPC 1522. Otherwise, we wouldn't have been able to establish a connection with the server. (I have attached an image in the previous discussion.)

The device, as I mentioned in the previous discussion, is the EPC 1522.

Yes, my Node-Red app is running in an OCI container at the URL http://192.168.2.10:1881/.

I have created an image from my custom Node-Red. This image can be started on the host by executing the simple command "Docker run image-name." This way, I can establish a connection with the OPC UA server on the Edge Gateway. The gateway is connected to my host via a LAN cable.

From the image, I have developed an application that can be launched through the 'Web Based Management' interface, similar to the official Node-Red application in the PLCnext App Store. However, it does not establish a connection to the OPC UA server, even though a connection is established on my host.

Martin PLCnext Team

Does the same problem happen if you install Docker on the EPC 1522, and start the OCI container using Docker from the command line, just like on the host machine?

hadi-saeidi

It works if i install Docker on the EPC 1522 and start the OCI container using Docker from the command line.

But i need an App from my Image that can be launched through the 'Web Based Management'

Martin PLCnext Team

So to summarise the problem:

• On an EPC 1522, launching an image from the OCI container using Docker on the command-line works OK. You can connect to the Node Red instance from a remote PC, on port 1881, and the Node Red application can connect to the OPC UA server on the EPC.
• On the same EPC 1522, launching an image from the same OCI container using exactly the same command on the command line, but using Podman instead of Docker, does not work properly. You can connect to the Node Red instance from a remote PC, on port 1881, but the Node Red application cannot connect to the OPC UA server on the EPC.

Is all that correct?

I am wondering if this is related to the permissions that Podman uses, compared with Docker. If the above summary is correct then I will see if our PLCnext Store experts can explain this behaviour - they may have seen this type of behaviour in other container-based PLCnext Store apps.

hadi-saeidi

The first thing is right, but I'm not sure about your reference to "Podman"

I made an "Container App" from my image using a template and it seems like this template uses "Podman" I can start the app on Port 1881 through the Web-Based Management (WBM) without having to type any commands manually to run it from the OCI container. I just click to start my app in WBM.

Here is the structure of the template I'm using:

Martin PLCnext Team

Podman is a container engine that is installed on PLCnext Control devices, for use by PLCnext Store apps.

If you're able to start a container using docker on the command line, then you should be able to use exactly the same command to start a container using podman on the command line - just replace the "docker" command with "podman". You might need to execute the podman command with sudo. If you start the container using podman on the command line, with the same parameters as you used with docker, is the Node Red application in the container able to connect to the OPC UA Server?

hadi-saeidi

using podman:

root@epc1522:/opt/plcnext/# sudo podman run -it -p 1880:1880 -v node_red_data:/data --name nodered localhost/tresmonodereddocker

Error: OCI runtime error: runc: container_linux.go:349: starting container process caused "error adding seccomp filter rule for syscall bdflush: requested action matches default action of filter"

Martin PLCnext Team

Using firmware 2023.0, I added "docker.io" to the unqualified-search-registries in /etc/containers/registries.conf, and then:

root@axcf2152:/opt/plcnext/# podman run -it -p 1880:1880 -v myNodeREDdata:/data --name mynodered nodered/node-red:latest-minimal
Resolving "nodered/node-red" using unqualified-search registries (/etc/containers/registries.conf)
Trying to pull docker.io/nodered/node-red:latest-minimal...
Getting image source signatures
Copying blob 0b56328dfb0b done  
   :
Copying config 70715d2d08 done  
Writing manifest to image destination
Storing signatures
7 Nov 12:03:12 - [info] 

Welcome to Node-RED
===================

7 Nov 12:03:13 - [info] Node-RED version: v3.1.0
7 Nov 12:03:13 - [info] Node.js version: v16.20.2
7 Nov 12:03:13 - [info] Linux 5.4.193-rt74-pxc arm LE
7 Nov 12:03:23 - [info] Loading palette nodes
7 Nov 12:03:36 - [info] Settings file : /data/settings.js
7 Nov 12:03:36 - [info] Context store : 'default' [module=memory]
7 Nov 12:03:36 - [info] User directory : /data
7 Nov 12:03:36 - [warn] Projects disabled : editorTheme.projects.enabled=false
7 Nov 12:03:36 - [info] Flows file   : /data/flows.json
7 Nov 12:03:36 - [warn] 

---------------------------------------------------------------------
Your flow credentials file is encrypted using a system-generated key.

If the system-generated key is lost for any reason, your credentials
file will not be recoverable, you will have to delete it and re-enter
your credentials.

You should set your own key using the 'credentialSecret' option in
your settings file. Node-RED will then re-encrypt your credentials
file using your chosen key the next time you deploy a change.
---------------------------------------------------------------------

7 Nov 12:03:36 - [info] Server now running at http://127.0.0.1:1880/
7 Nov 12:03:36 - [warn] Encrypted credentials not found
7 Nov 12:03:36 - [info] Starting flows
7 Nov 12:03:36 - [info] Started flows

... then I was able to access Node-Red from a browser on port 1880.

So it looks like podman is working OK in this firmware version. If the same command works for you, then I don't understand how docker can start a container from your image, but podman cannot. I wonder if docker installed an older version of runc, which might be messing with podman? If that's the case, then maybe you can try clearing the EPC (using a Type 1 reset) and then try the podman command again.

hadi-saeidi

After clearing the EPC (using a Type 1 reset), i was able to access my Node-Red using command line and connect to OPC UA server. I'll create an app from the OCI Container and let you know if it works.