diff --git a/Almaty_deploy.yml b/Almaty_deploy.yml
new file mode 100644
index 0000000..d638dd9
--- /dev/null
+++ b/Almaty_deploy.yml
@@ -0,0 +1,145 @@
+- hosts:
+ - adc_mcn0
+ - adc_mcn1
+ - adc_mcn2
+ - adc_mcn3
+ - packet_dump_server
+ remote_user: root
+ vars_files:
+ - Almaty_install_config/group_vars/adc_global.yml
+ roles:
+ - framework
+
+- hosts: packet_dump_server
+ remote_user: root
+ vars_files:
+ - Almaty_install_config/group_vars/adc_global.yml
+ roles:
+ - packet_dump
+
+- hosts: adc_mxn
+ remote_user: root
+ roles:
+# - tsg-env-mxn
+
+- hosts: adc_mcn0
+ remote_user: root
+ vars_files:
+ - Almaty_install_config/group_vars/adc_global.yml
+ - Almaty_install_config/group_vars/adc_mcn0.yml
+ roles:
+# - tsg-env-mcn0
+ - telegraf_collect
+ - kernel-ml
+ - mrzcpd
+ - sapp
+ - tsg_master
+ - kni
+ - firewall
+# - tsg_app
+ - http_healthcheck
+ - redis
+ - cert-redis
+ - certstore
+ - telegraf_statistic
+# - tsg_device_tag
+
+- hosts: adc_mcn1
+ remote_user: root
+ vars_files:
+ - Almaty_install_config/group_vars/adc_global.yml
+ - Almaty_install_config/group_vars/adc_mcn1.yml
+ roles:
+# - tsg-env-mcn1
+ - telegraf_collect
+ - kernel-ml
+ - mrzcpd
+ - tfe
+
+- hosts: adc_mcn2
+ remote_user: root
+ vars_files:
+ - Almaty_install_config/group_vars/adc_global.yml
+ - Almaty_install_config/group_vars/adc_mcn2.yml
+ roles:
+# - tsg-env-mcn2
+ - telegraf_collect
+ - kernel-ml
+ - mrzcpd
+ - tfe
+
+- hosts: adc_mcn3
+ remote_user: root
+ vars_files:
+ - Almaty_install_config/group_vars/adc_global.yml
+ - Almaty_install_config/group_vars/adc_mcn3.yml
+ roles:
+ - kernel-ml
+# - tsg-env-mcn3
+ - telegraf_collect
+ - redis
+ - maat-redis
+ - mrzcpd
+ - tfe
+
+- hosts: adc_mcn0
+ remote_user: root
+ roles:
+ - tsg-diagnose
+
+- hosts:
+ - adc_mcn1
+ - adc_mcn2
+ - adc_mcn3
+ remote_user: root
+ roles:
+ - tsg-diagnose_sync_ca
+
+- hosts: adc_mcn0
+ remote_user: root
+ roles:
+ - tsg-diagnose_stop_sync
+
+- hosts:
+ - adc_mcn0
+ - adc_mcn1
+ - adc_mcn2
+ - adc_mcn3
+ remote_user: root
+ vars_files:
+ - Almaty_install_config/group_vars/adc_global.yml
+ roles:
+ #- reboot
+
+- hosts:
server-as-tun-mode
+ remote_user: root
+ vars_files:
+ - Almaty_install_config/group_vars/server_as_tun_mode.yml
+ roles:
+ - kernel-ml
+ - framework
+ - mrzcpd
+ - tsg-env-tun-mode
+ - sapp
+ - tsg_master
+ - kni
+ - firewall
+ - tsg_app
+ - http_healthcheck
+ - certstore
+ - redis
+ - cert-redis
+ - maat-redis
+ - tfe
+ - telegraf_statistic
+ - telegraf_collect
+ - proxy_status
+# - tsg_device_tag
+ - reboot
+
+- hosts: app_global
+ remote_user: root
+ vars_files:
+ - Almaty_install_config/group_vars/app_global.yml
+ roles:
+ - app_global
diff --git a/Almaty_install_config/group_vars/adc_global.yml b/Almaty_install_config/group_vars/adc_global.yml
new file mode 100644
index 0000000..f2c4146
--- /dev/null
+++ b/Almaty_install_config/group_vars/adc_global.yml
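Review bot: Every play in this file sets `remote_user: root`, so the whole deployment depends on direct root SSH being permitted on all ADC blades, the packet-dump server and the tun-mode host; a dedicated deploy account plus `become: true` would let `PermitRootLogin` be turned off without changing the roles. The `adc_mxn` play and the four-blade play near the end are left with a `roles:` key whose only entries are commented out, which YAML parses as a null value rather than an empty list — Ansible tolerates this in my experience, but either delete those plays or write `roles: []` so the intent is explicit. The `server-as-tun-mode` play ends with an unconditional `- reboot` role while the blade plays keep `#- reboot` commented, so a one-line comment such as `# tun-mode host is rebooted at the end of this play` above that play would stop the asymmetry surprising the next operator.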
@@ -0,0 +1,123 @@
+#########################################
+#####1: Inline_device; 2: Allot; 3: ADC_Tun_mode;
+tsg_access_type: 2
+#####2: ADC;
+tsg_running_type: 2
+
+########################################
+#Deploy_finished_reboot
+Deploy_finished_reboot: 0
+
+########################################
+#IP Config
+maat_redis_city_server:
+ address: "10.3.62.253"
+ port: 7002
+
+maat_redis_server:
+ address: "192.168.100.4"
+ port: 7002
+ port_num: 1
+ db: 0
+
+dynamic_maat_redis_server:
+ address: "192.168.100.4"
+ port: 7002
+ port_num: 1
+ db: 1
+
+cert_store_server:
+ address: "192.168.100.1"
+ port: 9991
+
+log_kafkabrokers:
+ address: "10.3.61.11:9092,10.3.61.12:9092,10.3.61.13:9092,10.3.61.14:9092,10.3.61.15:9092,10.3.61.16:9092,10.3.61.17:9092,10.3.61.18:9092"
+
+telegraf_kafkabrokers:
+ address: "\"10.3.61.11:9092\",\"10.3.61.12:9092\",\"10.3.61.13:9092\",\"10.3.61.14:9092\",\"10.3.61.15:9092\",\"10.3.61.16:9092\",\"10.3.61.17:9092\",\"10.3.61.18:9092\""
+
+monitor_outputs_influxdb:
+ url: "http://127.0.0.1:58086"
+
+log_minio:
+ address: "10.3.62.253"
+ port: 9090
+
+#########################################
+#Log Level Config
+#日志等级 10:DEBUG 20:INFO 30:FATAL
+fw_ftp_log_level: 10
+fw_mail_log_level: 10
+fw_http_log_level: 10
+fw_dns_log_level: 10
+fw_quic_log_level: 10
+capture_packet_log_level: 10
+tsg_log_level: 10
+tsg_master_log_level: 10
+kni_log_level: 10
+
+#日志等级 DEBUG INFO FATAL
+tfe_log_level: FATAL
+tfe_http_log_level: FATAL
+pangu_log_level: FATAL
+doh_log_level: FATAL
+
+certstore_log_level: 30
+packet_dump_log_level: 10
+
+#######################################
+#Sapp Performance Config
+#Sapp工作在ADC计算板0时,建议使用如下30+8的配置,以保证更高的处理性能
+sapp:
+ worker_threads: 42
+ send_only_threads_max: 1
+ bind_mask: 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43
+ inbound_route_dir: 1
+
+########################################
+#Kni Config
+kni:
+ global:
+ tfe_node_count: 3
+
watch_dog:
+ switch: 1
+ maat:
+ readconf_mode: 2
+ send_logger:
+ switch: 1
+ tfe_nodes:
+ tfe0_enabled: 1
+ tfe1_enabled: 1
+ tfe2_enabled: 1
+
+########################################
+#Tfe Config
+tfe:
+ nr_threads: 32
+ mirror_enable: 1
+
+########################################
+#Marsio Config
+#marsio工作在ADC计算板时,建议使用如下配置,以保证更高的处理性能
+mrzcpd:
+ iocore: 52,53,54,55
+
+mrtunnat:
+ lcore_id: 48,49,50,51
+
+#########################################
+#Tsg_app
+tsg_app_enable: 0
+app_global_ip: "1.1.1.1"
+applog_level: 10
+app_master_log_level: 10
+app_sketch_local_log_level: 10
+app_control_plug_log_level: 10
+
+
+breakpad_upload_url: http://10.4.63.4:9000/api/2/minidump/?sentry_key=3556bac347c74585a994eb6823faf5c6
+
+data_center: Almaty
+tsg_master_entrance_id: 3
+nic_mgr:
+ name: em1
diff --git a/Almaty_install_config/group_vars/adc_mcn0.yml b/Almaty_install_config/group_vars/adc_mcn0.yml
new file mode 100644
index 0000000..333e8a1
--- /dev/null
+++ b/Almaty_install_config/group_vars/adc_mcn0.yml
@@ -0,0 +1,41 @@
+#########################################
+#Mcn0管理口网卡名
+nic_mgr:
+ name: ens1f3
+
+#########################################
+#Mcn0流量接入网卡,固定配置
+nic_data_incoming:
+ name: ens1f4
+
+#########################################
+#Mcn0其他数据口网卡名配置,固定配置
+nic_inner_ctrl:
+ name: ens1.100
+nic_to_tfe:
+ tfe0:
+ name: ens1f5
+ tfe1:
+ name: ens1f6
+ tfe2:
+ name: ens1f7
+
+#########################################
+#串联设备接入相关配置
+inline_device_config:
+ keepalive_ip: 192.168.1.30
+ keepalive_mask: 255.255.255.252
+
+#########################################
+#Allot接入相关配置
+AllotAccess:
+ #virturlInterface_1: ens1f2.103
+ #virturlInterface_2: ens1f2.104
+ virturlID_1: 1201
+ virturlID_2: 1202
+ virturlID_3: 1301
+ virturlID_4: 1302
+ #vvipv4_mask: 24
+ #vvipv6_mask: 64
+
+bladename: mcn0
diff --git a/Almaty_install_config/group_vars/adc_mcn1.yml b/Almaty_install_config/group_vars/adc_mcn1.yml
new file mode 100644
index 0000000..f57e3f0
--- /dev/null
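Review bot: `breakpad_upload_url` embeds a Sentry-style `sentry_key` in a plain `http://` URL committed to the repository, and the same literal appears in the NurSultan profile; the key belongs in an ansible-vault variable (`breakpad_upload_url: "http://10.4.63.4:9000/api/2/minidump/?sentry_key={{ vault_sentry_key }}"`) and the endpoint should be `https://`, since minidumps are snapshots of process memory. All `fw_*_log_level`, `tsg_*_log_level`, `capture_packet_log_level` and `kni_log_level` values are `10`, which the comment defines as DEBUG, in what the `data_center: Almaty` key suggests is a production profile; DEBUG logging in HTTP/mail/DNS/FTP handlers can write inspected-traffic details to local disk, so confirm this is intended or raise them to `20`. `app_global_ip: "1.1.1.1"` is a public address used as a placeholder — inert while `tsg_app_enable: 0`, presumably, but a comment such as `# placeholder, unused while tsg_app_enable is 0` would prevent it being copied into a profile where the app is enabled.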
+++ b/Almaty_install_config/group_vars/adc_mcn1.yml
@@ -0,0 +1,19 @@
+#########################################
+#Mcn1管理口网卡名
+nic_mgr:
+ name: ens1f3
+
+#########################################
+#Mcn1流量接入网卡,固定配置
+nic_data_incoming:
+ name: ens1f1
+
+#########################################
+#Mcn1其他数据口网卡名配置,固定配置
+nic_inner_ctrl:
+ name: ens1.100
+nic_traffic_mirror:
+ name: ens1f2
+ use_mrzcpd: 1
+
+bladename: mcn1
\ No newline at end of file
diff --git a/Almaty_install_config/group_vars/adc_mcn2.yml b/Almaty_install_config/group_vars/adc_mcn2.yml
new file mode 100644
index 0000000..2e30db3
--- /dev/null
+++ b/Almaty_install_config/group_vars/adc_mcn2.yml
@@ -0,0 +1,19 @@
+#########################################
+#Mcn2管理口网卡名
+nic_mgr:
+ name: ens8f3
+
+#########################################
+#Mcn2流量接入网卡,固定配置
+nic_data_incoming:
+ name: ens8f1
+
+#########################################
+#Mcn2其他数据口网卡名配置,固定配置
+nic_inner_ctrl:
+ name: ens8.100
+nic_traffic_mirror:
+ name: ens8f2
+ use_mrzcpd: 1
+
+bladename: mcn2
\ No newline at end of file
diff --git a/Almaty_install_config/group_vars/adc_mcn3.yml b/Almaty_install_config/group_vars/adc_mcn3.yml
new file mode 100644
index 0000000..2f9bb33
--- /dev/null
+++ b/Almaty_install_config/group_vars/adc_mcn3.yml
@@ -0,0 +1,19 @@
+#########################################
+#Mcn3管理口网卡名
+nic_mgr:
+ name: ens8f3
+
+#########################################
+#Mcn3流量接入网卡,固定配置
+nic_data_incoming:
+ name: ens8f1
+
+#########################################
+#Mcn3其他数据口网卡名配置,固定配置
+nic_inner_ctrl:
+ name: ens8.100
+nic_traffic_mirror:
+ name: ens8f2
+ use_mrzcpd: 1
+
+bladename: mcn3
\ No newline at end of file
diff --git a/Almaty_install_config/group_vars/app_global.yml b/Almaty_install_config/group_vars/app_global.yml
new file mode 100644
index 0000000..6ae6663
--- /dev/null
+++ b/Almaty_install_config/group_vars/app_global.yml
@@ -0,0 +1,10 @@
+#########################################
+app_sketch_global_log_level: 10
+
+maat_redis_server:
+ address: "192.168.40.168"
+ port: 7002
+ db: 0
+
+file_stat_ip: "1.1.1.1"
+
diff --git a/Almaty_install_config/group_vars/server_as_tun_mode.yml b/Almaty_install_config/group_vars/server_as_tun_mode.yml
new file mode 100644
index 0000000..cb8838d
--- /dev/null
+++ b/Almaty_install_config/group_vars/server_as_tun_mode.yml
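Review bot: `file_stat_ip: "1.1.1.1"` is a routable public address (Cloudflare's resolver), not a harmless placeholder — if the `app_global` role uses it as a destination, file statistics would leave the network the moment the commented-out `[app_global]` inventory group is populated. Replace it with the real collector address or leave the variable undefined so the role fails fast, and put `# TODO: set to the real file-stat collector before enabling app_global` above it. `maat_redis_server.address` here is `192.168.40.168` while `adc_global.yml` in the same commit uses `192.168.100.4`; if both refer to the same Maat instance, one of them is stale.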
@@ -0,0 +1,145 @@
+#########################################
+#####0: Pcap; 1: Inline_device; 4: ATCA_Vlan_Flipping; 5:ATCA_VXLAN;
+tsg_access_type: 1
+#####0: Tun_mode; 1: normal;
+tsg_running_type: 1
+
+########################################
+#Deploy_finished_reboot
+Deploy_finished_reboot: 1
+
+########################################
+#Server Basic Config
+nic_mgr:
+ name: eth0
+
+nic_inner_ctrl:
+ name: eth0.100
+
+#########################################
+#IP Config
+maat_redis_server:
+ address: "192.168.40.168"
+ port: 7002
+ db: 0
+
+dynamic_maat_redis_server:
+ address: "192.168.40.168"
+ port: 7002
+ db: 0
+
+cert_store_server:
+ address: "192.168.100.1"
+ port: 9991
+
+log_kafkabrokers:
+ address: "1.1.1.1:9092,2.2.2.2:9092"
+
+log_minio:
+ address: "192.168.40.168;"
+ port: 9090
+
+#########################################
+#Log Level Config
+#日志等级 10:DEBUG 20:INFO 30:FATAL
+fw_ftp_log_level: 10
+fw_mail_log_level: 10
+fw_http_log_level: 10
+fw_dns_log_level: 10
+fw_quic_log_level: 10
+capture_packet_log_level: 10
+tsg_log_level: 10
+tsg_master_log_level: 10
+kni_log_level: 10
+
+
+#日志等级 DEBUG INFO FATAL
+tfe_log_level: DEBUG
+tfe_http_log_level: DEBUG
+pangu_log_level: DEBUG
+doh_log_level: DEBUG
+
+certstore_log_level: 10
+packet_dump_log_level: 10
+
+#########################################
+#Sapp Performance Config
+#如果tsg_access_type=0,sapp跑在pcap模式,则以下配置可忽略
+sapp:
+ worker_threads: 23
+ send_only_threads_max: 1
+ bind_mask: 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24
+ inbound_route_dir: 1
+
+#########################################
+#Sapp Double-Arm Config
+packet_io:
+ internal_interface: eth2
+ external_interface: eth3
+
+
+#########################################
+#Kni Config
+kni:
+ global:
+ tfe_node_count: 1
+ watch_dog:
+ switch: 1
+ maat:
+ readconf_mode: 2
+ send_logger:
+ switch: 1
+ tfe_nodes:
+ tfe0_enabled: 1
+ tfe1_enabled: 0
+ tfe2_enabled: 0
+
+#########################################
+#Tfe Config
+tfe:
+
nr_threads: 32
+ mirror_enable: 1
+
+#########################################
+#Marsio Config
+mrzcpd:
+ iocore: 39
+
+mrtunnat:
+ lcore_id: 38
+
+#########################################
+#Tsg_app
+tsg_app_enable: 1
+app_global_ip: "1.1.1.1"
+applog_level: 10
+app_master_log_level: 10
+app_sketch_local_log_level: 10
+app_control_plug_log_level: 10
+
+#########################################
+#ATCA Config
+#下列配置只在tsg_access_type=4时生效
+ATCA_data_incoming:
+ ethname: enp1s0
+ vf0_name: enp1s2
+ vf1_name: enp1s2f1
+ vf2_name: enp1s2f2
+
+ATCA_VlanFlipping:
+ vlanID_1: 100
+ vlanID_2: 101
+ vlanID_3: 103
+ vlanID_4: 104
+
+#下列配置只在tsg_access_type=5时生效
+ATCA_VXLAN:
+ keepalive_ip: "10.254.19.1"
+ keepalive_mask: "255.255.255.252"
+
+#########################################
+#Inline Device Config
+inline_device_config:
+ keepalive_ip: 192.168.1.30
+ keepalive_mask: 255.255.255.252
+ data_incoming: eth5
diff --git a/Almaty_install_config/hosts b/Almaty_install_config/hosts
new file mode 100644
index 0000000..c58c2c5
--- /dev/null
+++ b/Almaty_install_config/hosts
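Review bot: `log_minio.address` is `"192.168.40.168;"` with a trailing semicolon, which will reach the rendered config as part of the host string unless the consuming template strips it; change it to `address: "192.168.40.168"`. This profile enables the app (`tsg_app_enable: 1`) while `app_global_ip` is `"1.1.1.1"` and `log_kafkabrokers.address` is `"1.1.1.1:9092,2.2.2.2:9092"` — those are public placeholder addresses, so a deploy run as-is would attempt to send application data and logs off-network; they need real values or an assert in the roles that rejects them. Every log level in the file is DEBUG (`10` or `DEBUG`), including `certstore_log_level: 10` where `adc_global.yml` uses `30`, and `Deploy_finished_reboot: 1` reboots the host at the end; if this is a lab/tun-mode profile, say so in a header comment so the settings are not inherited by a production host.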
@@ -0,0 +1,47 @@
+###################
+# For example #
+###################
+#变量device_id根据设备序号设置即可
+#变量vvipv4_1、vvipv4_2、vvipv6_1、vvipv6_2为Allot相关配置,其他环境可不填或直接删除变量
+#
+#20.09版本新增APP部署
+#[app_global]
+#0.0.0.0
+
+#[server-as-tun-mode]
+#1.1.1.1 device_id=device_1
+#
+#[adc_mxn]
+#10.3.72.1
+#10.3.72.2
+#
+#[adc_mcn0]
+#10.3.73.1 device_id=device_1 vvipv4_1=10.3.61.1 vvipv4_2=10.3.62.1 vvipv6_1=fc00::61:1 vvipv6_2=fc00::62:1
+#10.3.73.2 device_id=device_2 vvipv4_1=10.3.61.2 vvipv4_2=10.3.62.2 vvipv6_1=fc00::61:2 vvipv6_2=fc00::62:2
+#
+#[adc_mcn1]
+#10.3.74.1 device_id=device_1
+#10.3.74.2 device_id=device_2
+#
+#[adc_mcn2]
+#10.3.75.1 device_id=device_1
+#10.3.75.2 device_id=device_2
+#
+#[adc_mcn3]
+#10.3.76.1 device_id=device_1
+#10.3.76.2 device_id=device_2
+
+#[app_global]
+#[server-as-tun-mode]
+#p
+#[adc_mxn]
+[adc_mcn0]
+10.3.51.1
+[adc_mcn1]
+10.3.52.1
+[adc_mcn2]
+10.3.53.1
+[adc_mcn3]
+10.3.54.1
+[packet_dump_server]
+10.3.61.10
diff --git a/NurSultan_deploy.yml b/NurSultan_deploy.yml
index 9c17340..03fef4e 100644
--- a/NurSultan_deploy.yml
+++ b/NurSultan_deploy.yml
@@ -9,8 +9,6 @@ - NurSultan_install_config/group_vars/adc_global.yml roles: - framework - #- kernel-ml - - telegraf_collect - hosts: packet_dump_server remote_user: root
@@ -31,6 +29,7 @@ - NurSultan_install_config/group_vars/adc_mcn0.yml roles: # - tsg-env-mcn0 + - telegraf_collect - kernel-ml - mrzcpd - sapp
@@ -52,6 +51,7 @@ - NurSultan_install_config/group_vars/adc_mcn1.yml roles: # - tsg-env-mcn1 + - telegraf_collect - kernel-ml - mrzcpd - tfe
@@ -63,6 +63,7 @@ - NurSultan_install_config/group_vars/adc_mcn2.yml roles: # - tsg-env-mcn2 + - telegraf_collect - kernel-ml - mrzcpd - tfe
@@ -73,10 +74,11 @@ - NurSultan_install_config/group_vars/adc_global.yml - NurSultan_install_config/group_vars/adc_mcn3.yml roles: + - kernel-ml # - tsg-env-mcn3 + - telegraf_collect - redis - maat-redis - - kernel-ml - mrzcpd - tfe
diff --git a/NurSultan_install_config/group_vars/adc_global.yml b/NurSultan_install_config/group_vars/adc_global.yml
index 8021984..63dd990 100644
--- a/NurSultan_install_config/group_vars/adc_global.yml
+++ b/NurSultan_install_config/group_vars/adc_global.yml
@@ -115,7 +115,7 @@ app_sketch_local_log_level: 10 app_control_plug_log_level: 10 -breakpad_upload_url: http://127.0.0.1/ +breakpad_upload_url: http://10.4.63.4:9000/api/2/minidump/?sentry_key=3556bac347c74585a994eb6823faf5c6 data_center: Nur-sultan tsg_master_entrance_id: 4
diff --git a/roles/certstore/templates/cert_store.ini.j2 b/roles/certstore/templates/cert_store.ini.j2
index c227eed..9a8d056 100644
--- a/roles/certstore/templates/cert_store.ini.j2
+++ b/roles/certstore/templates/cert_store.ini.j2
@@ -7,7 +7,7 @@ RUN_LOG_PATH = "conf/zlog.conf" disable_coredump=0 enable_breakpad=1 breakpad_minidump_dir=/tmp/certstore/crashreport -enable_breakpad_upload=0 +enable_breakpad_upload=1 breakpad_upload_url= {{ breakpad_upload_url }} [CONFIG]
diff --git a/roles/firewall/tasks/main.yml b/roles/firewall/tasks/main.yml
index b3cda52..580e937 100644
--- a/roles/firewall/tasks/main.yml
+++ b/roles/firewall/tasks/main.yml
@@ -40,6 +40,12 @@ dest: /home/mesasoft/sapp_run/tsgconf/maat.conf tags: template +- name: "Template the tsgconf/tsg_log_field.conf" + template: + src: "{{ role_path }}/templates/tsg_log_field.conf.j2" + dest: /home/mesasoft/sapp_run/tsgconf/tsg_log_field.conf + tags: template + +- name: "Template the conf/capture_packet_plug.conf.j2" template: src: "{{ role_path }}/templates/capture_packet_plug.conf.j2"
diff --git a/roles/firewall/templates/tsg_log_field.conf.j2 b/roles/firewall/templates/tsg_log_field.conf.j2
new file mode 100644
index 0000000..e8ee44c
--- /dev/null
+++ b/roles/firewall/templates/tsg_log_field.conf.j2
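Review bot: The new `breakpad_upload_url` value replaces the loopback placeholder with a real endpoint whose `sentry_key` is committed in clear text and reached over `http://`; the identical literal is also added to `Almaty_install_config/group_vars/adc_global.yml` in this commit, so the key is now duplicated across profiles. Move the key into a vaulted variable, e.g. `breakpad_upload_url: "http://10.4.63.4:9000/api/2/minidump/?sentry_key={{ vault_sentry_key }}"`, and prefer `https://`, since the payload is a process memory dump. The surrounding log-level and `data_center` settings continue outside the hunk.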
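Review bot: Flipping `enable_breakpad_upload=0` to `1` makes certstore upload its minidumps automatically to `breakpad_upload_url`, which the group_vars in this commit point at a plaintext `http://` endpoint; a minidump is a snapshot of the crashed process's memory, and certstore is presumably the component handling certificate material (it is deployed alongside `cert-redis` and `cert_store_server`), so private-key bytes could leave the host unencrypted. Gate the switch behind a variable so only environments that opt in upload dumps, e.g. `enable_breakpad_upload={{ enable_breakpad_upload | default(0) }}`, and confirm that `breakpad_minidump_dir=/tmp/certstore/crashreport` is not world-readable while dumps wait for upload. The INI section these keys belong to starts before the hunk.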
@@ -0,0 +1,52 @@
+#TYPE:1:UCHAR,2:USHORT,3:ULONG,4:ULOG,5:USTRING,6:FILE,7:UBASE64,8:PACKET
+#TYPE TOPIC SERVICE
+TOPIC SECURITY-EVENT-LOG 0
+TOPIC CONNECTION-RECORD-LOG 1
+TOPIC CONNECTION-SKETCH 2
+
+#TYPE FIELD VALUE
+LONG common_policy_id 1
+LONG common_service 2
+LONG common_action 3
+LONG common_start_time 4
+LONG common_end_time 5
+STRING common_l4_protocol 6
+LONG common_address_type 7
+STRING common_server_ip 8
+STRING common_client_ip 9
+LONG common_server_port 10
+LONG common_client_port 11
+LONG common_stream_dir 12
+STRING common_address_list 13
+LONG common_entrance_id 14
+LONG common_device_id 15
+LONG common_link_id 16
+STRING common_isp 17
+LONG common_encapsulation 18
+LONG common_direction 19
+STRING common_sled_ip 20
+STRING common_user_tags 21
+STRING common_user_region 22
+STRING common_app_label 23
+LONG common_app_id 24
+LONG common_protocol_id 25
+LONG common_c2s_pkt_num 26
+LONG common_s2c_pkt_num 27
+LONG common_c2s_byte_num 28
+LONG common_s2c_byte_num 29
+LONG common_con_duration_ms 30
+LONG common_has_dup_traffic 31
+STRING common_stream_error 32
+STRING common_stream_trace_id 33
+STRING common_schema_type 34
+STRING http_host 35
+STRING ssl_sni 36
+LONG common_establish_latency_ms 37
+STRING common_sub_action 38
+STRING common_client_asn 39
+STRING common_server_asn 40
+STRING common_client_location 41
+STRING common_server_location 42
+STRING quic_sni 43
+STRING ssl_ja3_fingerprint 44
+STRING common_data_center 45
diff --git a/roles/packet_dump/tasks/main.yml b/roles/packet_dump/tasks/main.yml
index a4d5d2a..b8291ae 100644
--- a/roles/packet_dump/tasks/main.yml
+++ b/roles/packet_dump/tasks/main.yml
@@ -26,3 +26,9 @@ name: packet_dump.service enabled: yes daemon_reload: yes + +- name: "enable httpd" + systemd: + name: httpd + enabled: yes + daemon_reload: yes
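Review bot: The legend on the first line enumerates types `UCHAR`, `USHORT`, `ULONG`, `ULOG`, `USTRING`, `FILE`, `UBASE64`, `PACKET`, but every field row below uses only `LONG` or `STRING`, and the second legend line reads `#TYPE TOPIC SERVICE` while the topic rows are `TOPIC <name> <number>`; either the legend or the rows are out of date, and the comment should name exactly the tokens the parser accepts. The file is installed through the `template` module as a `.j2` yet contains no Jinja expression, so it could be shipped with `copy` — or, if per-site variation is intended, `common_data_center` is the obvious field to template. Because the schema includes `common_client_ip`, `common_server_ip`, `http_host`, `ssl_sni`, `quic_sni` and `ssl_ja3_fingerprint`, this file defines the per-connection records that the `log_kafkabrokers` setting ships to Kafka on port 9092 with no TLS or SASL settings visible in this commit; a header comment pointing at the retention and transport-protection policy for those topics would help whoever extends the list.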
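Review bot: The new `enable httpd` task only marks the unit to start at boot (`enabled: yes`) with no `state: started` and no httpd configuration anywhere in the role, so after this play the service is not necessarily running and, once it does come up after a reboot, Apache serves its stock DocumentRoot on the packet-dump server. If the intent is to expose captured pcaps over HTTP, that needs an explicit vhost with access control and TLS rather than the default config, and a comment stating what httpd is for (`# httpd serves packet_dump output; vhost/auth configured in <role>`). Write the booleans as `enabled: true` (`yes` is a YAML 1.1 truthy value that yamllint flags) and add `state: started` if the service is expected to be up immediately.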
diff --git a/roles/tfe/files/tfe-4.3.15.99731ae-1.el7.x86_64.rpm b/roles/tfe/files/tfe-4.3.15.99731ae-1.el7.x86_64.rpm
new file mode 100644
index 0000000..4e430da
Binary files /dev/null and b/roles/tfe/files/tfe-4.3.15.99731ae-1.el7.x86_64.rpm differ
diff --git a/roles/tfe/tasks/main.yml b/roles/tfe/tasks/main.yml
index 2fee00b..6fa3558 100644
--- a/roles/tfe/tasks/main.yml
+++ b/roles/tfe/tasks/main.yml
@@ -14,7 +14,7 @@ yum: name: - /tmp/ansible_deploy/tfe-kmod-v1.0.5.20200408-1dkms.noarch.rpm - - /tmp/ansible_deploy/tfe-4.3.14.13d2607-1.el7.x86_64.rpm + - /tmp/ansible_deploy/tfe-4.3.15.99731ae-1.el7.x86_64.rpm state: present - name: "template tfe-env config"