增加tfe的roles

hosts.hyadc

@@ -1,13 +1,8 @@
 [all:vars]
 ansible_user=root
 
-[switch-blade]
+[blade-00]
-202.43.148.184 ansible_port=51022
-
-[master-blade]
 192.168.10.37
 
-[slave-blade]
+[blade-03]
-#192.168.10.38
-#192.168.10.39
 192.168.10.40

roles/tfe/tasks/main.yml

@@ -6,8 +6,18 @@
 
 - name: "install tfe rpms"
   yum:
-    name: "/tmp/ansible_deploy/{{ packages }}"
+    name: "{{ packages }}"
     state: present
   vars:
     packages:
-      - tfe-debug-4.0.0.1a59abc-1.el7.x86_64.rpm
+      - /tmp/ansible_deploy/tfe-debug-4.0.0.1a59abc-1.el7.x86_64.rpm
+
+- name: "template the tfe.conf"
+  template:
+    src: "{{ role_path }}/templates/tfe.conf.j2"
+    dest: /home/tsg/tfe/conf/tfe/tfe.conf
+
+- name: "template the pangu_pxy.conf"
+  template:
+    src: "{{ role_path }}/templates/pangu_pxy.conf.j2"
+    dest: /home/tsg/tfe/conf/pangu/pangu_pxy.conf

roles/tfe/templates/pangu_pxy.conf.j2

@@ -0,0 +1,119 @@
+[debug]
+log_level=10
+
+[log]
+nic_name= {{ nic_mgr.name }}
+entrance_id=0
+kafka_brokerlist= {{ log_kafkabrokers.address }}
+kafka_topic=POLICY-EVENT-LOG
+
+#Addresses of minio. Format is defined by WiredLB.
+#minio_ip_list=192.168.10.61-64;
+minio_ip_list= {{ log_minio.address }}
+minio_listen_port= {{ log_minio.port }}
+#Maximum number of connections opened by per host.
+#MAX_CONNECTION_PER_HOST=1
+#Maximum number of requests in a pipeline.
+#MAX_CNNT_PIPELINE_NUM=20
+#Maximum parellel sessions(http and redis) is allowed to open.
+#MAX_CURL_SESSION_NUM=100
+#Maximum time the request is allowed to take(seconds).
+#MAX_CURL_TRANSFER_TIMEOUT_S=0
+
+#Bucket name in minio.
+cache_bucket_name=proxybucket
+#Maximum size of memory used by tango_cache_client. Upload will fail if the current size of memory used exceeds this value.
+max_used_memroy_size_mb=5120
+#Default TTL of objects, i.e. the time after which the object will expire(minumun 60s, i.e. 1 minute).
+cache_default_ttl_second=3600
+#Whether to hash the object key before cache actions. GET/PUT may be faster if you open it.
+cache_object_key_hash_switch=1
+
+#Store way: 0-MINIO; 1-META in REDIS, object in minio; 2-META and small object in Redis, large object in minio;
+cache_store_object_way=0
+#If CACHE_STORE_OBJECT_WAY is 2 and the size of a object is not bigger than this value, object will be stored in redis.
+redis_cache_object_size=1024000
+#Configs of WiredLB for Minios load balancer.
+#WIREDLB_OVERRIDE=1
+wiredlb_health_port=42310
+#If CACHE_STORE_OBJECT_WAY is not 0, we will use redis to store meta and object.
+redis_cluster_ip_list=192.168.10.62-63;
+redis_cluster_port_range=6379
+#wired load balancer configuration
+
+wiredlb_override=1
+wiredlb_topic=MinioFileLog
+wiredlb_datacenter=k18consul-tse
+wiredlb_health_port=52102
+wiredlb_group=FileLog
+
+log_fsstat_appname=tango_log_file
+log_fsstat_filepath=./tango_log_file.fs
+log_fsstat_interval=10
+log_fsstat_trig=1
+log_fsstat_dst_ip=10.4.20.202
+log_fsstat_dst_port=8125
+[maat]
+# 0:json 1: redis 2: iris
+maat_input_mode=1
+table_info=resource/pangu/table_info.conf
+json_cfg_file=resource/pangu/pangu_http.json
+stat_file=log/pangu_scan.status
+full_cfg_dir=pangu_policy/full/index/
+inc_cfg_dir=pangu_policy/inc/index/
+
+maat_redis_server={{ maat_redis_server.address }}
+maat_redis_port_range={{ maat_redis_server.port }}
+maat_redis_db_index={{ maat_redis_server.db }}
+effect_interval_s=1
+#accept_tags={"tags":[{"tag":"location","value":"Astana"}]}
+
+[dynamic_maat]
+maat_input_mode=1
+table_info=resource/pangu/dynamic_maat_table_info.conf
+maat_redis_server=127.0.0.1
+maat_redis_port_range=6380-6389
+maat_redis_db_index=0
+effect_interval_s=1
+
+[tango_cache]
+enable_cache=0
+minio_ip_list=192.168.10.61-64;
+minio_listen_port=9000
+
+#max_connection_per_host=1
+max_cnnt_pipeline_num=20
+#max_curl_session_num=100
+
+cache_bucket_name=proxybucket
+max_used_memory_size_mb=10240
+cache_default_ttl_second=3600
+cache_object_key_hash_switch=1
+
+#1-minio，2-redis
+#Store way: 0-MINIO; 1-META in REDIS, object in minio; 2-META and small object in Redis, large object in minio;
+cache_store_object_way=0
+#If CACHE_STORE_OBJECT_WAY is 2 and the size of a object is not bigger than this value, object will be stored in redis.
+redis_cache_object_size=102400
+#If CACHE_STORE_OBJECT_WAY is not 0, we will use redis to store meta and object.
+redis_cluster_ip_list=192.168.10.62-63;
+redis_cluster_port_range=6379
+#wired load balancer configuration
+wiredlb_override=1
+wiredlb_topic=MinioCache
+wiredlb_datacenter=k18consul-tse
+wiredlb_health_port=52101
+wiredlb_group=TangoCache
+
+cache_undefined_obj=1
+query_undefined_obj=0
+statsd_server=192.168.10.72
+statsd_port=8126
+histogram_bins=0.20,0.40,0.6,0.8
+
+log_fsstat_appname=tango_cache
+log_fsstat_filepath=./tango_cache_client.fs
+log_fsstat_interval=10
+log_fsstat_trig=1
+log_fsstat_dst_ip=10.4.20.201
+log_fsstat_dst_port=8125

roles/tfe/templates/tfe.conf.j2

@@ -0,0 +1,64 @@
+[system]
+nr_worker_threads={{ tfe.nr_threads }}
+
+[kni]
+ip=192.168.100.1
+scm_port=2475
+watchdog_switch=1
+watchdog_port=2476
+
+[ssl]
+ssl_max_version=tls13
+ssl_min_version=ssl3
+no_session_cache=0
+no_session_ticket=0
+log_master_key=0
+trusted_cert_load_local=1
+trusted_cert_file=resource/tfe/tls-ca-bundle.pem
+trusted_cert_dir=resource/tfe/trusted_storage
+key_log_file=log/sslkeylog.log
+no_alpn=0
+stek_group_num=4
+stek_rotation_time=3600
+service_cache_expire_seconds=600
+
+[key_keeper]
+#Mode: debug - generate cert with ca_path, normal - generate cert with cert store
+#0 on cache 1 off cache
+mode= {{ tfe.keykeeper.mode }}
+no_cache=0
+cert_store_host= {{ cert_store_server.address }}
+cert_store_port= {{ cert_store_server.port }}
+ca_path=resource/tfe/tango-ca-v3-trust-ca.pem
+untrusted_ca_path=resource/tfe/tango-ca-v3-untrust-ca.pem
+
+[debug]
+passthrough_all_tcp=0
+
+[traffic_mirror]
+device= {{ nic_traffic_mirror.name }}
+
+[ratelimit]
+#read_rate=200000
+#read_burst=200000
+#write_rate=200000
+#write_burst=200000
+
+[tcp]
+so_keepalive=1
+tcp_keepcnt=8
+tcp_keepintvl=15
+tcp_keepidle=30
+tcp_user_timeout=30
+tcp_ttl_upstream=75
+tcp_ttl_downstream=70
+
+[log]
+level=10
+
+[stat]
+statsd_server=192.168.10.72
+statsd_port=8126
+
+[http]
+loglevel=20

site.retry

@@ -1 +0,0 @@
-192.168.10.40

site.yml

@@ -1,63 +1,55 @@
-vars:
+- hosts: blade-03
-  - maat_redis_server:
-    - address: 192.168.11.243
-    - port: 6379
-    - db: 4
-  - cert_store_server:
-    - address: 192.168.10.8
-    - port: 9991
-  - log_kafkabrokers:
-    - address: "0.0.0.0:9092"
-  - log_minio:
-    - address: "10.4.35.42-46;"
-    - port: 9000
-
   roles:
-    - framework
-
-- hosts: blade-00
-  - roles:
-    - framework
-    - sapp
-    - kni
-
-- hosts: blade-01
-  - roles:
-    - net-ctrlblade
-    - tfe-kmod
     - tfe
-  - vars:
+  vars_files:
-    nic_mgr:
+    - "vars/common.yml"
-      - name: eth0
+    - "vars/tfe.yml"
-    nic_data_incoming:
+  vars:
-      - name: eth3
+  - nic_mgr:
-      - address: 172.16.254.1
+      name: eth0
-      - mac: AA:BB:CC:DD:EE:FF
+  - nic_data_incoming:
-      - peer: 172.16.254.254
-    nic_traffic_mirror:
-      - name: eth4
-
-- hosts: blade-02
-    - net-ctrlblade
-    - tfe-kmod
-    - tfe
-  nic_mgr:
-    - name: eth0
-    nic_data_incoming:
       name: eth3
-      inet_addr: 172.16.254.2
+      address: 172.16.254.1
-      inet6_addr: fd00::1
+      mac: AA:BB:CC:DD:EE:FF
-      gw_inet_addr: 172.16.254.254
+      peer: 172.16.254.254
-      gw_ether_addr: BB:CC:DD:EE:FF:AA
+  - nic_traffic_mirror:
-    nic_traffic_mirror:
       name: eth4
 
-- hosts: blade-03
-    - net-ctrlblade
-    - tfe-kmod
-    - tfe
 
-- hosts: blade-04
+
-    - net-ctrlblade
+# - hosts: blade-00
-    - tfe-kmod
+#   - roles:
-    - tfe
+#     - framework
+#     - sapp
+#     - kni
+
+# - hosts: blade-01
+#   - roles:
+#     - framework
+#     - tfe-kmod
+#     - tfe
+#   - vars:
+#     nic_mgr:
+#       - name: eth0
+#     nic_data_incoming:
+#       - name: eth3
+#       - address: 172.16.254.1
+#       - mac: AA:BB:CC:DD:EE:FF
+#       - peer: 172.16.254.254
+#     nic_traffic_mirror:
+#       - name: eth4
+
+# - hosts: blade-02
+#     - net-ctrlblade
+#     - tfe-kmod
+#     - tfe
+#   nic_mgr:
+#     - name: eth0
+#     nic_data_incoming:
+#       name: eth3
+#       inet_addr: 172.16.254.2
+#       inet6_addr: fd00::1
+#       gw_inet_addr: 172.16.254.254
+#       gw_ether_addr: BB:CC:DD:EE:FF:AA
+#     nic_traffic_mirror:
+#       name: eth4

vars/common.yml

@@ -0,0 +1,12 @@
+- maat_redis_server:
+    address: 192.168.11.243
+    port: 6379
+    db: 4
+- cert_store_server:
+    address: 192.168.10.8
+    port: 9991
+- log_kafkabrokers:
+    address: "0.0.0.0:9092"
+- log_minio:
+    address: "10.4.35.42-46;"
+    port: 9000

vars/tfe.yml

@@ -0,0 +1,5 @@
+- tfe:
+    nr_threads: 16
+    keykeeper:
+        mode: "normal"
+        no_cache : 0