84 lines
3.9 KiB
YAML
84 lines
3.9 KiB
YAML
# opc-plc — OPC UA PLC simulator from Microsoft Industrial IoT.
|
|
# https://github.com/Azure-Samples/iot-edge-opc-plc
|
|
#
|
|
# Why pinned: MCR tags only go forward; keeping the suite reproducible means
|
|
# we test against a known feature surface. Bump deliberately alongside a
|
|
# driver-side change that needs the newer image.
|
|
services:
|
|
opc-plc:
|
|
image: mcr.microsoft.com/iotedge/opc-plc:2.14.10
|
|
container_name: otopcua-opc-plc
|
|
restart: "no"
|
|
ports:
|
|
- "50000:50000"
|
|
command:
|
|
# --pn: Bind port 50000 (opc-plc default; matches fixture default)
|
|
# --ut: Advertise an Unsecured transport endpoint (SecurityPolicy=None).
|
|
# Tests that need signed/encrypted endpoints pick those off the
|
|
# negotiated endpoint list separately — opc-plc always advertises
|
|
# the secure policies even with --ut on.
|
|
# --aa: Auto-accept client certs. Tests wouldn't otherwise survive the
|
|
# first contact because opc-plc's cert trust store lives inside
|
|
# the container + resets each spin-up.
|
|
# --daa: Disable anonymous auth — forces the driver to go through the
|
|
# Anonymous user-token policy negotiation rather than opc-plc's
|
|
# "no auth required" short-circuit. Would flip to username/cert
|
|
# if we needed that coverage.
|
|
# Commented out for first-pass smoke; flip on when the cert-auth
|
|
# and username-auth smoke tests land.
|
|
# --alm: Turn on alarm simulation (TripAlarm / ExclusiveDeviation /
|
|
# NonExclusiveLevel / DialogCondition). Closes the IAlarmSource
|
|
# gap the OpcUaClient-Test-Fixture doc calls out.
|
|
- "--pn=50000"
|
|
- "--ut"
|
|
- "--aa"
|
|
- "--alm"
|
|
# - "--daa"
|
|
healthcheck:
|
|
# opc-plc doesn't expose an HTTP health endpoint by default; use a TCP
|
|
# probe via a shell the base image ships with. The fixture does its own
|
|
# TCP probe but healthcheck surfaces status in `docker ps` for humans.
|
|
test: ["CMD-SHELL", "netstat -an | grep -q ':50000.*LISTEN' || exit 1"]
|
|
interval: 5s
|
|
timeout: 2s
|
|
retries: 10
|
|
start_period: 10s
|
|
|
|
# opc-plc-rc — reverse-connect (server-initiated) variant. The simulator
|
|
# acts as the OPC UA server but, unlike the regular service above, it dials
|
|
# OUT to the client's listener URL instead of accepting an inbound dial.
|
|
# Mirrors the OT-DMZ topology where the plant firewall only permits
|
|
# outbound traffic from the upstream server. The driver-side test fixture
|
|
# binds opc.tcp://0.0.0.0:4844 and waits for opc-plc-rc to ReverseHello.
|
|
#
|
|
# `--rc` is opc-plc's reverse-connect knob — value is the client URL the
|
|
# simulator should dial when it has no inbound connection. host.docker.internal
|
|
# is the docker-for-windows / docker-for-mac shorthand for the host's IP;
|
|
# on Linux hosts use --add-host=host.docker.internal:host-gateway.
|
|
opc-plc-rc:
|
|
image: mcr.microsoft.com/iotedge/opc-plc:2.14.10
|
|
container_name: otopcua-opc-plc-rc
|
|
restart: "no"
|
|
extra_hosts:
|
|
- "host.docker.internal:host-gateway"
|
|
command:
|
|
# --pn=50001: bind on a different port so this container can run alongside
|
|
# the dial-mode simulator above. Reverse-connect doesn't require
|
|
# the client to know this port (the simulator is the dialer)
|
|
# but it still has to bind one for any incoming admin queries.
|
|
# --rc: reverse-connect target — the simulator dials this URL and
|
|
# presents its OPC UA endpoint over the inbound socket. Must
|
|
# point at the test runner's listener.
|
|
# --ut/--aa/--alm: same flags as the regular profile.
|
|
- "--pn=50001"
|
|
- "--rc=opc.tcp://host.docker.internal:4844"
|
|
- "--ut"
|
|
- "--aa"
|
|
- "--alm"
|
|
healthcheck:
|
|
test: ["CMD-SHELL", "netstat -an | grep -q ':50001.*LISTEN' || exit 1"]
|
|
interval: 5s
|
|
timeout: 2s
|
|
retries: 10
|
|
start_period: 10s
|