diff --git a/adc_deploy.yml b/adc_deploy.yml index 6e0a93f..4b62c74 100644 --- a/adc_deploy.yml +++ b/adc_deploy.yml @@ -1,21 +1,9 @@ -- hosts: - - adc_mcn0 - - adc_mcn1 - - adc_mcn2 - - adc_mcn3 - - packet_dump_server +- hosts: adc_mxn remote_user: root - vars_files: - - install_config/group_vars/adc_global.yml roles: - - framework - -- hosts: packet_dump_server - remote_user: root - vars_files: - - install_config/group_vars/adc_global.yml - roles: - - packet_dump + - {role: adc_exporter, tags: adc_exporter} + - {role: adc_exporter_proxy, tags: adc_exporter_proxy} +# - {role: switch_rule, tags: switch_rule} - hosts: adc_mcn0 remote_user: root @@ -23,21 +11,24 @@ - install_config/group_vars/adc_global.yml - install_config/group_vars/adc_mcn0.yml roles: - - telegraf_collect - - kernel-ml - - mrzcpd - - sapp - - tsg_master - - kni - - firewall + - {role: framework, tags: framework} + - {role: kernel-ml, tags: kernel-ml} + - {role: mrzcpd, tags: mrzcpd} + - {role: sapp, tags: sapp} + - {role: tsg_master, tags: tsg_master} + - {role: kni, tags: kni} + - {role: firewall, tags: firewall} # - tsg_app - - http_healthcheck - - redis - - cert-redis - - maat-redis - - certstore - - telegraf_statistic -# - tsg_device_tag + - {role: http_healthcheck,tags: http_healthcheck} + - {role: redis, tags: redis} + - {role: cert-redis, tags: cert-redis} + - {role: maat-redis, tags: maat-redis, when: deploy_mode == "cluster"} + - {role: certstore, tags: certstore} + - {role: telegraf_statistic, tags: telegraf_statistic} + - {role: app_proto_identify, tags: app_proto_identify} + - {role: adc_exporter, tags: adc_exporter} +# - {role: switch_control, tags: switch_control} + - {role: tsg-env-patch, tags: tsg-env-patch} - hosts: adc_mcn1 remote_user: root 
@@ -45,10 +36,14 @@ - install_config/group_vars/adc_global.yml - install_config/group_vars/adc_mcn1.yml roles: - - telegraf_collect - - kernel-ml - - mrzcpd - - tfe +# - tsg-env-mcn1 + - {role: framework, tags: framework} + - {role: kernel-ml, tags: kernel-ml} + - {role: mrzcpd, tags: mrzcpd} + - {role: tfe, tags: tfe} + - {role: adc_exporter, tags: adc_exporter} +# - {role: switch_control, tags: switch_control} + - {role: tsg-env-patch, tags: tsg-env-patch} - hosts: adc_mcn2 remote_user: root @@ -56,10 +51,14 @@ - install_config/group_vars/adc_global.yml - install_config/group_vars/adc_mcn2.yml roles: - - telegraf_collect - - kernel-ml - - mrzcpd - - tfe +# - tsg-env-mcn2 + - {role: framework, tags: framework} + - {role: kernel-ml, tags: kernel-ml} + - {role: mrzcpd, tags: mrzcpd} + - {role: tfe, tags: tfe} + - {role: adc_exporter, tags: adc_exporter} +# - {role: switch_control, tags: switch_control} + - {role: tsg-env-patch, tags: tsg-env-path} - hosts: adc_mcn3 remote_user: root 
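Review bot: In the adc_mcn2 play (hunk `@@ -56,10 +51,14 @@`) the last added role line reads `- {role: tsg-env-patch, tags: tsg-env-path}`, and the tag is misspelled. A run limited with `--tags tsg-env-patch` therefore applies the role on adc_mcn0, adc_mcn1 and adc_mcn3 but silently skips it on adc_mcn2. It should read `- {role: tsg-env-patch, tags: tsg-env-patch}`, matching the other plays. The play header is in the context lines at the top of the hunk.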
@@ -67,44 +66,25 @@ - install_config/group_vars/adc_global.yml - install_config/group_vars/adc_mcn3.yml roles: - - telegraf_collect - - kernel-ml - - mrzcpd - - tfe - -- hosts: adc_mcn0 - remote_user: root - roles: - - tsg-diagnose - -- hosts: - - adc_mcn1 - - adc_mcn2 - - adc_mcn3 - remote_user: root - roles: - - tsg-diagnose_sync_ca + - {role: framework, tags: framework} + - {role: kernel-ml, tags: kernel-ml} + - {role: mrzcpd, tags: mrzcpd} + - {role: tfe, tags: tfe} +# - {role: adc_exporter, tags: adc_exporter} + - {role: switch_control, tags: switch_control} + - {role: tsg-env-patch, tags: tsg-env-patch} -- hosts: adc_mcn0 - remote_user: root - roles: - - tsg-diagnose_stop_sync - - -- hosts: - - adc_mcn0 - - adc_mcn1 - - adc_mcn2 - - adc_mcn3 +- hosts: packet_dump_server remote_user: root vars_files: - install_config/group_vars/adc_global.yml roles: - #- reboot + - {role: framework, tags: framework} + - {role: packet_dump, tags: packet_dump} - hosts: app_global remote_user: root vars_files: - install_config/group_vars/app_global.yml roles: - - app_global + - {role: app_global, tags: app_global} diff --git a/install_config/group_vars/.server_as_tun_mode.yml.swp b/install_config/group_vars/.server_as_tun_mode.yml.swp new file mode 100644 index 0000000..1cf82cf Binary files /dev/null and b/install_config/group_vars/.server_as_tun_mode.yml.swp differ diff --git a/install_config/group_vars/adc_global.yml b/install_config/group_vars/adc_global.yml index 3977194..81229fa 100644 --- a/install_config/group_vars/adc_global.yml +++ b/install_config/group_vars/adc_global.yml 
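Review bot: `install_config/group_vars/.server_as_tun_mode.yml.swp` is an editor swap file (the name follows Vim's pattern) and should not be part of the commit. A swap file holds a copy of the text being edited along with the editing user, host name and path, so it can carry settings that were never meant to be saved or published. As a binary blob it also cannot be reviewed. Remove it from the tree and add `*.swp` to `.gitignore`.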
@@ -3,19 +3,16 @@ tsg_access_type: 2 #####2: ADC; tsg_running_type: 2 - +#####deploy mode: cluster, single +deploy_mode: "cluster" ######################################## #Deploy_finished_reboot Deploy_finished_reboot: 0 -######################################## -#TSG Cluster Mode -tsg_cluster_mode: 0 - ######################################## #IP Config maat_redis_city_server: - address: "10.9.62.253" + address: "10.4.62.253" port: 7002 maat_redis_server: @@ -35,16 +32,10 @@ cert_store_server: port: 9991 log_kafkabrokers: - address: "10.9.61.4:9092,10.9.61.5:9092,10.9.61.6:9092" - -telegraf_kafkabrokers: - address: "\"10.9.61.4:9092\",\"10.9.61.5:9092\",\"10.9.61.6:9092\"" - -monitor_outputs_influxdb: - url: "http://127.0.0.1:58086" + address: ['1.1.1.1:9092','2.2.2.2:9092'] log_minio: - address: "10.9.62.253" + address: "10.4.62.253" port: 9090 ######################################### @@ -55,6 +46,7 @@ fw_mail_log_level: 10 fw_http_log_level: 10 fw_dns_log_level: 10 fw_quic_log_level: 10 +app_control_log_level: 10 capture_packet_log_level: 10 tsg_log_level: 10 tsg_master_log_level: 10 @@ -66,7 +58,7 @@ tfe_http_log_level: FATAL pangu_log_level: FATAL doh_log_level: FATAL -certstore_log_level: 30 +certstore_log_level: FATAL packet_dump_log_level: 10 ####################################### @@ -103,9 +95,12 @@ tfe: ######################################## #Marsio Config #marsio工作在ADC计算板时,建议使用如下配置,以保证更高的处理性能 -mrzcpd: +mcn0_mrzcpd: iocore: 52,53,54,55 +mcn123_mrzcpd: + iocore: 54,55 + mrtunnat: lcore_id: 48,49,50,51 
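Review bot: The new `log_kafkabrokers` default in hunk `@@ -35,16 +32,10 @@`, `address: ['1.1.1.1:9092','2.2.2.2:9092']`, uses publicly routable addresses as placeholders. If a site deploys without overriding them, every log producer will try to connect to hosts outside the deployment, and log traffic leaves the network if anything answers. Prefer the documentation range, e.g. `address: ['192.0.2.1:9092', '192.0.2.2:9092']`, or leave the list empty and fail early with an `assert` task. The same placeholder is added in `server_as_tun_mode.yml` (hunk `@@ -44,17 +43,12 @@`).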
@@ -118,10 +113,12 @@ app_master_log_level: 10 app_sketch_local_log_level: 10 app_control_plug_log_level: 10 - -breakpad_upload_url: http://10.4.63.4:9000/api/2/minidump/?sentry_key=3556bac347c74585a994eb6823faf5c6 - +breakpad_upload_url: http://10.4.63.4:9000/api/2/minidump/?sentry_key=3203b43fd5384a7dbe6a48ecb1f3c595 data_center: Kyzylorda tsg_master_entrance_id: 9 nic_mgr: name: em1 + +sapp_prometheus_enable: 1 +sapp_prometheus_port: 9273 +sapp_prometheus_url_path: "/metrics" diff --git a/install_config/group_vars/adc_mcn0.yml b/install_config/group_vars/adc_mcn0.yml index d0d8227..60bfaf0 100644 --- a/install_config/group_vars/adc_mcn0.yml +++ b/install_config/group_vars/adc_mcn0.yml @@ -37,5 +37,5 @@ AllotAccess: virturlID_4: 1302 #vvipv4_mask: 24 #vvipv6_mask: 64 - + bladename: mcn0 diff --git a/install_config/group_vars/adc_mcn2.yml b/install_config/group_vars/adc_mcn2.yml index 10d00df..ff33049 100644 --- a/install_config/group_vars/adc_mcn2.yml +++ b/install_config/group_vars/adc_mcn2.yml @@ -15,5 +15,5 @@ nic_inner_ctrl: nic_traffic_mirror: name: ens8f2 use_mrzcpd: 1 - + bladename: mcn2 \ No newline at end of file diff --git a/install_config/group_vars/adc_mcn3.yml b/install_config/group_vars/adc_mcn3.yml index df3846c..51b1e09 100644 --- a/install_config/group_vars/adc_mcn3.yml +++ b/install_config/group_vars/adc_mcn3.yml @@ -15,5 +15,5 @@ nic_inner_ctrl: nic_traffic_mirror: name: ens8f2 use_mrzcpd: 1 - + bladename: mcn3 \ No newline at end of file diff --git a/install_config/group_vars/server_as_tun_mode.yml b/install_config/group_vars/server_as_tun_mode.yml index 21bc996..55e1a28 100644 --- a/install_config/group_vars/server_as_tun_mode.yml +++ b/install_config/group_vars/server_as_tun_mode.yml 
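Review bot: `breakpad_upload_url` keeps a Sentry key in clear text in a tracked vars file and uploads over plain `http://`. Minidumps are process memory images, which for the components deployed here may include key material or traffic fragments (an assumption, since the dump contents are not visible in this commit), so both the channel and the credential deserve protection. Consider `breakpad_upload_url: "https://<SENTRY_HOST>/api/2/minidump/?sentry_key={{ vault_sentry_key }}"` with the key held in Ansible Vault (`<SENTRY_HOST>` and `vault_sentry_key` are placeholders). The replaced key stays in repository history and appears to still be the value used in `server_as_tun_mode.yml`, so decide whether it needs revoking.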
@@ -1,17 +1,16 @@ ######################################### -#####0: Pcap; 1: Inline_device; 4: ATCA_Vlan_Flipping; 5:ATCA_VXLAN; +#####0: Pcap; 1: Inline_device; 5:ATCA_VXLAN; tsg_access_type: 0 #####0: Tun_mode; 1: normal; tsg_running_type: 0 +#####deploy mode: cluster, single +deploy_mode: "single" + ######################################## #Deploy_finished_reboot Deploy_finished_reboot: 0 -######################################## -#TSG Cluster Mode -tsg_cluster_mode: 0 - ######################################## #Server Basic Config nic_mgr: @@ -44,17 +43,12 @@ cert_store_server: port: 9991 log_kafkabrokers: - address: "10.9.61.4:9092,10.9.61.5:9092,10.9.61.6:9092" - -telegraf_kafkabrokers: - address: "\"10.9.61.4:9092\",\"10.9.61.5:9092\",\"10.9.61.6:9092\"" - -monitor_outputs_influxdb: - url: "http://127.0.0.1:58086" + address: ['1.1.1.1:9092','2.2.2.2:9092'] log_minio: address: "10.9.62.253" port: 9090 + ######################################### #Log Level Config #日志等级 10:DEBUG 20:INFO 30:FATAL @@ -63,6 +57,7 @@ fw_mail_log_level: 10 fw_http_log_level: 10 fw_dns_log_level: 10 fw_quic_log_level: 10 +app_control_log_level: 10 capture_packet_log_level: 10 tsg_log_level: 10 tsg_master_log_level: 10 @@ -165,3 +160,7 @@ breakpad_upload_url: http://127.0.0.1:9000/api/2/minidump/?sentry_key=3556bac347 data_center: Beijing tsg_master_entrance_id: 0 + +sapp_prometheus_enable: 1 +sapp_prometheus_port: 9273 +sapp_prometheus_url_path: "/metrics" diff --git a/install_config/hosts b/install_config/hosts index 8715518..0fe8b50 100644 --- a/install_config/hosts +++ b/install_config/hosts @@ -7,7 +7,8 @@ #20.09版本新增APP部署 #[app_global] #0.0.0.0 -#[server-as-tun-mode] + +#[server_as_tun_mode] #1.1.1.1 device_id=device_1 # #[adc_mxn] 
@@ -29,19 +30,16 @@ #[adc_mcn3] #10.3.76.1 device_id=device_1 #10.3.76.2 device_id=device_2 + #[app_global] - -#[server-as-tun-mode] -#p -#[adc_mxn] +#[server_as_tun_mode] +#broken warning: +#10.4.52.71 [adc_mcn0] -10.9.51.[1:15] [adc_mcn1] -10.9.52.[1:15] [adc_mcn2] -10.9.53.[1:15] [adc_mcn3] -10.9.54.[1:14] -[packet_dump_server] -10.9.61.3 +[app_global] +[server_as_tun_mode] + diff --git a/roles/adc_exporter/files/freeipmi-1.5.7-3.el7.x86_64.rpm b/roles/adc_exporter/files/freeipmi-1.5.7-3.el7.x86_64.rpm new file mode 100644 index 0000000..17c5b2d Binary files /dev/null and b/roles/adc_exporter/files/freeipmi-1.5.7-3.el7.x86_64.rpm differ diff --git a/roles/adc_exporter/files/ipmi_exporter b/roles/adc_exporter/files/ipmi_exporter new file mode 100644 index 0000000..f57b94a Binary files /dev/null and b/roles/adc_exporter/files/ipmi_exporter differ diff --git a/roles/telegraf_collect/files/telegraf-1.13.0-1.x86_64.rpm b/roles/adc_exporter/files/node_exporter similarity index 66% rename from roles/telegraf_collect/files/telegraf-1.13.0-1.x86_64.rpm rename to roles/adc_exporter/files/node_exporter index 0bb3681..b0a8b64 100644 Binary files a/roles/telegraf_collect/files/telegraf-1.13.0-1.x86_64.rpm and b/roles/adc_exporter/files/node_exporter differ diff --git a/roles/adc_exporter/files/systemd_exporter b/roles/adc_exporter/files/systemd_exporter new file mode 100644 index 0000000..b075967 Binary files /dev/null and b/roles/adc_exporter/files/systemd_exporter differ diff --git a/roles/adc_exporter/tasks/main.yml b/roles/adc_exporter/tasks/main.yml new file mode 100644 index 0000000..826ada9 --- /dev/null +++ b/roles/adc_exporter/tasks/main.yml 
@@ -0,0 +1,72 @@ +- name: "copy freeipmi tools" + copy: + src: '{{ role_path }}/files/freeipmi-1.5.7-3.el7.x86_64.rpm' + dest: /tmp/ansible_deploy/ + +- name: "Install freeipmi rpm package" + yum: + name: + - "/tmp/ansible_deploy/freeipmi-1.5.7-3.el7.x86_64.rpm" + state: present + +- name: "mkdir /opt/adc-exporter/" + file: + path: /opt/adc-exporter/ + state: directory + +- name: "copy node_exporter" + copy: + src: '{{ role_path }}/files/node_exporter' + dest: /opt/adc-exporter/node_exporter + mode: 0755 + +- name: "copy systemd_exporter" + copy: + src: '{{ role_path }}/files/systemd_exporter' + dest: /opt/adc-exporter/systemd_exporter + mode: 0755 + +- name: "copy ipmi_exporter" + copy: + src: '{{ role_path }}/files/ipmi_exporter' + dest: /opt/adc-exporter/ipmi_exporter + mode: 0755 + +- name: "templates adc-exporter-node.service" + template: + src: "{{role_path}}/templates/adc-exporter-node.service.j2" + dest: /usr/lib/systemd/system/adc-exporter-node.service + tags: template + +- name: "templates adc-exporter-systemd.service" + template: + src: "{{role_path}}/templates/adc-exporter-systemd.service.j2" + dest: /usr/lib/systemd/system/adc-exporter-systemd.service + tags: template + +- name: "templates adc-exporter-ipmi.service" + template: + src: "{{role_path}}/templates/adc-exporter-ipmi.service.j2" + dest: /usr/lib/systemd/system/adc-exporter-ipmi.service + tags: template + +- name: 'adc-exporter-node service start' + systemd: + name: adc-exporter-node + enabled: yes + daemon_reload: yes + state: started + +- name: 'adc-exporter-systemd service start' + systemd: + name: adc-exporter-systemd + enabled: yes + daemon_reload: yes + state: restarted + +- name: 'adc-exporter-ipmi service start' + systemd: + name: adc-exporter-ipmi + enabled: yes + daemon_reload: yes + state: restarted diff --git a/roles/adc_exporter/templates/adc-exporter-ipmi.service.j2 b/roles/adc_exporter/templates/adc-exporter-ipmi.service.j2 new file mode 100644 index 0000000..c9eeb3d 
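Review bot: The freeipmi RPM and the three exporter binaries are installed as root from files committed to the role, and nothing in these tasks records where they came from or verifies what lands on the host. Record the upstream version and SHA-256 of each artefact next to the files and check it before the service tasks run, and give the three `copy` tasks explicit `owner: root`, `group: root` and a quoted `mode: "0755"` as Ansible recommends. The RPM is staged in `/tmp/ansible_deploy/`, whose creation and permissions are not shown here; if other local users can write there, the package could be swapped before `yum` installs it. Separately, `adc-exporter-node` uses `state: started` while the other two services use `restarted`, so a replaced node_exporter binary or unit file is not picked up on re-deploy.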
--- /dev/null
+++ b/roles/adc_exporter/templates/adc-exporter-ipmi.service.j2
@@ -0,0 +1,11 @@
+[Unit]
+Description=IPMI Exporter
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/opt/adc-exporter/ipmi_exporter
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/adc_exporter/templates/adc-exporter-node.service.j2 b/roles/adc_exporter/templates/adc-exporter-node.service.j2
new file mode 100644
index 0000000..b28ed3e
--- /dev/null
+++ b/roles/adc_exporter/templates/adc-exporter-node.service.j2
@@ -0,0 +1,11 @@
+[Unit]
+Description=Node Exporter
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/opt/adc-exporter/node_exporter
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/adc_exporter/templates/adc-exporter-systemd.service.j2 b/roles/adc_exporter/templates/adc-exporter-systemd.service.j2
new file mode 100644
index 0000000..d5e2f11
--- /dev/null
+++ b/roles/adc_exporter/templates/adc-exporter-systemd.service.j2
@@ -0,0 +1,11 @@
+[Unit]
+Description=Systemd Exporter
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/opt/adc-exporter/systemd_exporter --web.disable-exporter-metrics
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/adc_exporter_ping/files/ping_exporter b/roles/adc_exporter_ping/files/ping_exporter
new file mode 100644
index 0000000..a2915fd
Binary files /dev/null and b/roles/adc_exporter_ping/files/ping_exporter differ
diff --git a/roles/adc_exporter_ping/tasks/main.yml b/roles/adc_exporter_ping/tasks/main.yml
new file mode 100644
index 0000000..e951705
--- /dev/null
+++ b/roles/adc_exporter_ping/tasks/main.yml
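Review bot: None of the three unit templates sets `User=`, so node_exporter, systemd_exporter and ipmi_exporter all run as root. No `--web.listen-address` is passed either, so each listens on its default address, which for these exporters is normally every interface. For the node and systemd exporters add a dedicated account and basic sandboxing, for example `User=<EXPORTER_USER>`, `NoNewPrivileges=yes`, `ProtectSystem=full` (`<EXPORTER_USER>` is a placeholder; confirm the directives on the target systemd version). ipmi_exporter may need extra rights for the IPMI device, which are better granted narrowly than by running the whole process as root. Binding the exporters to the internal address the proxy scrapes would keep the raw endpoints off other interfaces.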
@@ -0,0 +1,23 @@ +- name: "mkdir /opt/adc-exporter/" + file: + path: /opt/adc-exporter/ + state: directory + +- name: "copy ping_exporter" + copy: + src: '{{ role_path }}/files/ping_exporter' + dest: /opt/adc-exporter/ping_exporter + mode: 0755 + +- name: "templates ping_exporter.service" + template: + src: "{{role_path}}/templates/adc-exporter-ping.service.j2" + dest: /usr/lib/systemd/system/adc-exporter-ping.service + tags: template + +- name: 'adc-exporter-ping service start' + systemd: + name: adc-exporter-ping + enabled: yes + daemon_reload: yes + state: restarted diff --git a/roles/adc_exporter_ping/templates/adc-exporter-ping.service.j2 b/roles/adc_exporter_ping/templates/adc-exporter-ping.service.j2 new file mode 100644 index 0000000..ebaf8e4 --- /dev/null +++ b/roles/adc_exporter_ping/templates/adc-exporter-ping.service.j2 @@ -0,0 +1,11 @@ +[Unit] +Description=Ping Exporter +After=network.target + +[Service] +Type=simple +ExecStart=/opt/adc-exporter/ping_exporter {{ ping_test.target|join(" ")}} --ping.size=512 --ping.interval=0.5s +Restart=always + +[Install] +WantedBy=multi-user.target diff --git a/roles/adc_exporter_proxy/files/adc_exporter_proxy.tar.gz b/roles/adc_exporter_proxy/files/adc_exporter_proxy.tar.gz new file mode 100644 index 0000000..9b31207 Binary files /dev/null and b/roles/adc_exporter_proxy/files/adc_exporter_proxy.tar.gz differ diff --git a/roles/adc_exporter_proxy/tasks/main.yml b/roles/adc_exporter_proxy/tasks/main.yml new file mode 100644 index 0000000..78582fc --- /dev/null +++ b/roles/adc_exporter_proxy/tasks/main.yml 
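Review bot: In `adc-exporter-ping.service.j2` the target list is rendered unquoted into a command line that runs as root, `ExecStart=/opt/adc-exporter/ping_exporter {{ ping_test.target|join(" ")}} ...`, and `ping_test` is not defined in any vars hunk of this commit. An entry beginning with `--` would be read by ping_exporter as an option, and an undefined or string-valued variable either fails the template or joins single characters. Add an `assert` task before the template that checks `ping_test.target` is a non-empty list whose items match a host-name or IP pattern. The role is also not referenced in the `adc_deploy.yml` hunks shown, although `nginx.conf.j2` proxies a ping_exporter endpoint.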
@@ -0,0 +1,34 @@ +- name: "mkdir /opt/adc-exporter-proxy/" + file: + path: /opt/adc-exporter-proxy/ + state: directory + +- name: "copy file to device" + copy: + src: '{{ role_path }}/files/' + dest: /tmp/ansible_deploy/ + +- name: "unarchive adc-exporter-proxy(NGINX)" + unarchive: + src: /tmp/ansible_deploy/adc_exporter_proxy.tar.gz + dest: /opt/adc-exporter-proxy + remote_src: yes + +- name: "templates adc-exporter-proxy.service" + template: + src: "{{role_path}}/templates/adc-exporter-proxy.service.j2" + dest: /usr/lib/systemd/system/adc-exporter-proxy.service + tags: template + +- name: "template nginx.conf" + template: + src: "{{role_path}}/templates/nginx.conf.j2" + dest: /opt/adc-exporter-proxy/adc-exporter-proxy/conf/nginx.conf + tags: template + +- name: 'adc-exporter-proxy service start' + systemd: + name: adc-exporter-proxy + enabled: yes + daemon_reload: yes + state: restarted diff --git a/roles/adc_exporter_proxy/templates/adc-exporter-proxy.service.j2 b/roles/adc_exporter_proxy/templates/adc-exporter-proxy.service.j2 new file mode 100644 index 0000000..203ae14 --- /dev/null +++ b/roles/adc_exporter_proxy/templates/adc-exporter-proxy.service.j2 @@ -0,0 +1,12 @@ +[Unit] +Description=ADC Exporter Proxy (NGINX) for NEZHA +After=network.target remote-fs.target nss-lookup.target + +[Service] +Type=simple +ExecStart=/opt/adc-exporter-proxy/adc-exporter-proxy/sbin/nginx -p /opt/adc-exporter-proxy/adc-exporter-proxy +ExecReload=/opt/adc-exporter-proxy/adc-exporter-proxy/sbin/nginx -p /opt/adc-exporter-proxy/adc-exporter-proxy -s reload +ExecStop=/opt/adc-exporter-proxy/adc-exporter-proxy/sbin/nginx -p /opt/adc-exporter-proxy/adc-exporter-proxy -s stop + +[Install] +WantedBy=multi-user.target diff --git a/roles/adc_exporter_proxy/templates/nginx.conf.j2 b/roles/adc_exporter_proxy/templates/nginx.conf.j2 new file mode 100644 index 0000000..646282e --- /dev/null +++ b/roles/adc_exporter_proxy/templates/nginx.conf.j2 
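Review bot: The archive is first copied to `/tmp/ansible_deploy/` and then unpacked as root from that path with `remote_src: yes`, yet the staging step is unnecessary and this role does not establish who owns that directory. `unarchive` can take the controller-side file directly, `src: '{{ role_path }}/files/adc_exporter_proxy.tar.gz'` with `remote_src` dropped, which removes the window in which the tarball sits in a shared location. The tarball ships a prebuilt nginx; record its version and checksum in the role so it can be tracked against nginx security advisories.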
@@ -0,0 +1,152 @@ + +user nobody; +worker_processes 1; +daemon off; + +error_log logs/error.log; +error_log logs/error.log notice; +error_log logs/error.log info; +pid logs/nginx.pid; + + +events { + worker_connections 1024; +} + +http { + include mime.types; + default_type application/octet-stream; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + #access_log logs/access.log main; + + sendfile on; + tcp_nopush on; + + keepalive_timeout 65; + gzip on; + + server { + listen 9000; + server_name localhost; + + location /metrics/blade/mcn0/node_exporter { + proxy_pass http://192.168.100.1:9100/metrics; + } + + location /metrics/blade/mcn1/node_exporter { + proxy_pass http://192.168.100.2:9100/metrics; + } + + location /metrics/blade/mcn2/node_exporter { + proxy_pass http://192.168.100.3:9100/metrics; + } + + location /metrics/blade/mcn3/node_exporter { + proxy_pass http://192.168.100.4:9100/metrics; + } + + location /metrics/blade/mxn/node_exporter { + proxy_pass http://192.168.100.5:9100/metrics; + } + + location /metrics/blade/mcn0/systemd_exporter { + proxy_pass http://192.168.100.1:9558/metrics; + } + + location /metrics/blade/mcn1/systemd_exporter { + proxy_pass http://192.168.100.2:9558/metrics; + } + + location /metrics/blade/mcn2/systemd_exporter { + proxy_pass http://192.168.100.3:9558/metrics; + } + + location /metrics/blade/mcn3/systemd_exporter { + proxy_pass http://192.168.100.4:9558/metrics; + } + + location /metrics/blade/mcn0/ipmi_exporter { + proxy_pass http://192.168.100.1:9290/metrics; + } + + location /metrics/blade/mcn1/ipmi_exporter { + proxy_pass http://192.168.100.2:9290/metrics; + } + + location /metrics/blade/mcn2/ipmi_exporter { + proxy_pass http://192.168.100.3:9290/metrics; + } + + location /metrics/blade/mcn3/ipmi_exporter { + proxy_pass http://192.168.100.4:9290/metrics; + } + + location 
/metrics/blade/mxn/ipmi_exporter { + proxy_pass http://192.168.100.5:9290/metrics; + } + + location /metrics/blade/mcn0/certstore { + proxy_pass http://192.168.100.1:9002/metrics; + } + + location /metrics/blade/mcn1/tfe { + proxy_pass http://192.168.100.2:9001/metrics; + } + + location /metrics/blade/mcn2/tfe { + proxy_pass http://192.168.100.3:9001/metrics; + } + + location /metrics/blade/mcn3/tfe { + proxy_pass http://192.168.100.4:9001/metrics; + } + + location /metrics/blade/mcn0/sapp { + proxy_pass http://192.168.100.1:9273/metrics; + } + + location /metrics/blade/mcn0/mrapm_device { + proxy_pass http://192.168.100.1:8901/metrics; + } + + location /metrics/blade/mcn0/mrapm_stream { + proxy_pass http://192.168.100.1:8902/metrics; + } + + location /metrics/blade/mcn1/mrapm_device { + proxy_pass http://192.168.100.2:8901/metrics; + } + + location /metrics/blade/mcn1/mrapm_stream { + proxy_pass http://192.168.100.2:8902/metrics; + } + + location /metrics/blade/mcn2/mrapm_device { + proxy_pass http://192.168.100.3:8901/metrics; + } + + location /metrics/blade/mcn2/mrapm_stream { + proxy_pass http://192.168.100.3:8902/metrics; + } + + location /metrics/blade/mcn3/mrapm_device { + proxy_pass http://192.168.100.4:8901/metrics; + } + + location /metrics/blade/mcn3/mrapm_stream { + proxy_pass http://192.168.100.4:8902/metrics; + } + + location /metrics/blade/mcn0/maat_redis { + proxy_pass http://192.168.100.1:9121/metrics; + } + + location /metrics/blade/mcn0/ping_exporter { + proxy_pass http://192.168.100.1:9427/metrics; + } + } +} diff --git a/roles/app_proto_identify/files/app_proto_identify-1.0.7.a5113ba-2.el7.x86_64.rpm b/roles/app_proto_identify/files/app_proto_identify-1.0.7.a5113ba-2.el7.x86_64.rpm new file mode 100644 index 0000000..325fb46 Binary files /dev/null and b/roles/app_proto_identify/files/app_proto_identify-1.0.7.a5113ba-2.el7.x86_64.rpm differ 
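Review bot: The `server` block listens with `listen 9000;` on every interface and has no `allow`/`deny`, authentication or TLS, so anyone who can reach port 9000 on the proxy host can read node, systemd, IPMI, certstore, tfe, sapp and redis metrics for all blades. Restrict it to the monitoring system, e.g. `allow <PROMETHEUS_IP>;` followed by `deny all;` inside the `server` block, or bind `listen` to the management address (`<PROMETHEUS_IP>` is a placeholder). The three `error_log logs/error.log ...` lines at the top point at the same file with different levels; keep one. The upstream addresses `192.168.100.1` to `192.168.100.5` are hard-coded in a `.j2` file that uses no variables, so they are worth moving to group_vars.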
diff --git a/roles/app_proto_identify/tasks/main.yml b/roles/app_proto_identify/tasks/main.yml new file mode 100644 index 0000000..7e89c6c --- /dev/null +++ b/roles/app_proto_identify/tasks/main.yml @@ -0,0 +1,14 @@ +--- +- name: "copy app_proto_identify rpm package destination server" + copy: + src: "{{ role_path }}/files/" + dest: /tmp/ansible_deploy/ + +- name: "install app_proto_identify" + yum: + name: "{{ app_packages }}" + state: present + skip_broken: yes + vars: + app_packages: + - /tmp/ansible_deploy/app_proto_identify-1.0.7.a5113ba-2.el7.x86_64.rpm diff --git a/roles/certstore/files/certstore-2.1.3.202010.81eef83-1.el7.x86_64.rpm b/roles/certstore/files/certstore-2.1.3.202010.81eef83-1.el7.x86_64.rpm deleted file mode 100644 index 492e276..0000000 Binary files a/roles/certstore/files/certstore-2.1.3.202010.81eef83-1.el7.x86_64.rpm and /dev/null differ diff --git a/roles/certstore/files/certstore-2.1.6.20201215.f2e9ba7-1.el7.x86_64.rpm b/roles/certstore/files/certstore-2.1.6.20201215.f2e9ba7-1.el7.x86_64.rpm new file mode 100644 index 0000000..97e3389 Binary files /dev/null and b/roles/certstore/files/certstore-2.1.6.20201215.f2e9ba7-1.el7.x86_64.rpm differ diff --git a/roles/certstore/files/memory.conf b/roles/certstore/files/memory.conf index d6411dc..c9bd857 100644 --- a/roles/certstore/files/memory.conf +++ b/roles/certstore/files/memory.conf @@ -1,2 +1,3 @@ [Service] -MemoryMax=10G \ No newline at end of file +MemoryLimit=16G +ExecStartPost=/bin/bash -c "echo 16G > /sys/fs/cgroup/memory/system.slice/certstore.service/memory.memsw.limit_in_bytes" diff --git a/roles/certstore/tasks/main.yml b/roles/certstore/tasks/main.yml index 33b0b5a..f2569b6 100644 --- a/roles/certstore/tasks/main.yml +++ b/roles/certstore/tasks/main.yml 
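Review bot: The new `ExecStartPost` in `roles/certstore/files/memory.conf` writes to a cgroup-v1 path, `/sys/fs/cgroup/memory/system.slice/certstore.service/memory.memsw.limit_in_bytes`, which exists only when the v1 memory controller with swap accounting is active. If the write fails, the `ExecStartPost` command fails and systemd treats the start of certstore as failed. If the swap limit is best-effort, prefix the command with `-` (`ExecStartPost=-/bin/bash -c "..."`); if it is mandatory, add a comment that says so and names the kernel requirement.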
@@ -3,22 +3,22 @@ src: "{{ role_path }}/files/" dest: "/tmp/ansible_deploy/" -- name: "Ensures /opt/tsg exists" +- name: Ensures /opt/tsg exists file: path=/opt/tsg state=directory tags: mkdir -- name: "install certstore" +- name: install certstore yum: name: - - /tmp/ansible_deploy/certstore-2.1.3.202010.81eef83-1.el7.x86_64.rpm + - /tmp/ansible_deploy/certstore-2.1.6.20201215.f2e9ba7-1.el7.x86_64.rpm state: present -- name: "template certstore configure file" +- name: template certstore configure file template: src: "{{ role_path }}/templates/cert_store.ini.j2" dest: /opt/tsg/certstore/conf/cert_store.ini -- name: "template certstore zlog file" +- name: template certstore zlog file template: src: "{{ role_path }}/templates/zlog.conf.j2" dest: /opt/tsg/certstore/conf/zlog.conf diff --git a/roles/certstore/templates/cert_store.ini.j2 b/roles/certstore/templates/cert_store.ini.j2 index eed801d..e2ced45 100644 --- a/roles/certstore/templates/cert_store.ini.j2 +++ b/roles/certstore/templates/cert_store.ini.j2 @@ -55,4 +55,6 @@ port = {{ maat_redis_server.port }} dbindex = {{ maat_redis_server.db }} [stat] statsd_server=127.0.0.1 -statsd_port=58100 +statsd_port=8100 +statsd_set_prometheus_port=9002 +statsd_set_prometheus_url_path=/metrics diff --git a/roles/firewall/files/app_control_plug-1.0.9.97846eb-2.el7.x86_64.rpm b/roles/firewall/files/app_control_plug-1.0.9.97846eb-2.el7.x86_64.rpm new file mode 100644 index 0000000..38a0b1c Binary files /dev/null and b/roles/firewall/files/app_control_plug-1.0.9.97846eb-2.el7.x86_64.rpm differ diff --git a/roles/firewall/files/capture_packet_plug-3.0.4.42574b7-2.el7.x86_64.rpm b/roles/firewall/files/capture_packet_plug-3.0.4.42574b7-2.el7.x86_64.rpm deleted file mode 100644 index 96db0f0..0000000 Binary files a/roles/firewall/files/capture_packet_plug-3.0.4.42574b7-2.el7.x86_64.rpm and /dev/null differ 
diff --git a/roles/firewall/files/capture_packet_plug-3.0.6.a2db4a4-2.el7.x86_64.rpm b/roles/firewall/files/capture_packet_plug-3.0.6.a2db4a4-2.el7.x86_64.rpm new file mode 100644 index 0000000..a40e226 Binary files /dev/null and b/roles/firewall/files/capture_packet_plug-3.0.6.a2db4a4-2.el7.x86_64.rpm differ diff --git a/roles/firewall/files/fw_http_plug-3.0.1.0c7e082-2.el7.x86_64.rpm b/roles/firewall/files/fw_http_plug-3.0.1.0c7e082-2.el7.x86_64.rpm deleted file mode 100644 index 602ab6a..0000000 Binary files a/roles/firewall/files/fw_http_plug-3.0.1.0c7e082-2.el7.x86_64.rpm and /dev/null differ diff --git a/roles/firewall/files/fw_http_plug-3.0.4.484b54d-2.el7.x86_64.rpm b/roles/firewall/files/fw_http_plug-3.0.4.484b54d-2.el7.x86_64.rpm new file mode 100644 index 0000000..b40dfbf Binary files /dev/null and b/roles/firewall/files/fw_http_plug-3.0.4.484b54d-2.el7.x86_64.rpm differ diff --git a/roles/firewall/files/fw_mail_plug-3.0.1.02465eb-2.el7.x86_64.rpm b/roles/firewall/files/fw_mail_plug-3.0.1.02465eb-2.el7.x86_64.rpm deleted file mode 100644 index 750c219..0000000 Binary files a/roles/firewall/files/fw_mail_plug-3.0.1.02465eb-2.el7.x86_64.rpm and /dev/null differ diff --git a/roles/firewall/files/fw_mail_plug-3.0.2.7401550-2.el7.x86_64.rpm b/roles/firewall/files/fw_mail_plug-3.0.2.7401550-2.el7.x86_64.rpm new file mode 100644 index 0000000..9808445 Binary files /dev/null and b/roles/firewall/files/fw_mail_plug-3.0.2.7401550-2.el7.x86_64.rpm differ diff --git a/roles/firewall/files/fw_quic_plug-3.0.1.b790ee1-2.el7.x86_64.rpm b/roles/firewall/files/fw_quic_plug-3.0.1.b790ee1-2.el7.x86_64.rpm deleted file mode 100644 index badb5fe..0000000 Binary files a/roles/firewall/files/fw_quic_plug-3.0.1.b790ee1-2.el7.x86_64.rpm and /dev/null differ 
diff --git a/roles/firewall/files/fw_quic_plug-3.0.4.947ef77-2.el7.x86_64.rpm b/roles/firewall/files/fw_quic_plug-3.0.4.947ef77-2.el7.x86_64.rpm new file mode 100644 index 0000000..046a193 Binary files /dev/null and b/roles/firewall/files/fw_quic_plug-3.0.4.947ef77-2.el7.x86_64.rpm differ diff --git a/roles/firewall/files/fw_ssl_plug-3.0.4.a0b19ee-2.el7.x86_64.rpm b/roles/firewall/files/fw_ssl_plug-3.0.4.a0b19ee-2.el7.x86_64.rpm deleted file mode 100644 index 0ebd79a..0000000 Binary files a/roles/firewall/files/fw_ssl_plug-3.0.4.a0b19ee-2.el7.x86_64.rpm and /dev/null differ diff --git a/roles/firewall/files/fw_ssl_plug-3.0.6.a121701-2.el7.x86_64.rpm b/roles/firewall/files/fw_ssl_plug-3.0.6.a121701-2.el7.x86_64.rpm new file mode 100644 index 0000000..2473cc4 Binary files /dev/null and b/roles/firewall/files/fw_ssl_plug-3.0.6.a121701-2.el7.x86_64.rpm differ diff --git a/roles/firewall/files/quic-1.1.10.c2b90a0-2.el7.x86_64.rpm b/roles/firewall/files/quic-1.1.10.c2b90a0-2.el7.x86_64.rpm deleted file mode 100644 index b87e069..0000000 Binary files a/roles/firewall/files/quic-1.1.10.c2b90a0-2.el7.x86_64.rpm and /dev/null differ diff --git a/roles/firewall/files/quic-1.1.17.8c22b4d-2.el7.x86_64.rpm b/roles/firewall/files/quic-1.1.17.8c22b4d-2.el7.x86_64.rpm new file mode 100644 index 0000000..8284196 Binary files /dev/null and b/roles/firewall/files/quic-1.1.17.8c22b4d-2.el7.x86_64.rpm differ diff --git a/roles/firewall/files/ssl-1.0.12.16b8fb5-2.el7.x86_64.rpm b/roles/firewall/files/ssl-1.0.12.16b8fb5-2.el7.x86_64.rpm new file mode 100644 index 0000000..7d92f28 Binary files /dev/null and b/roles/firewall/files/ssl-1.0.12.16b8fb5-2.el7.x86_64.rpm differ diff --git a/roles/firewall/files/ssl-1.0.9.69f3742-2.el7.x86_64.rpm b/roles/firewall/files/ssl-1.0.9.69f3742-2.el7.x86_64.rpm deleted file mode 100644 index 1f3597a..0000000 Binary files a/roles/firewall/files/ssl-1.0.9.69f3742-2.el7.x86_64.rpm and /dev/null differ 
diff --git a/roles/firewall/files/tsg_conn_sketch-2.0.12.0ad5a3b-2.el7.x86_64.rpm b/roles/firewall/files/tsg_conn_sketch-2.0.12.0ad5a3b-2.el7.x86_64.rpm new file mode 100644 index 0000000..d12b9cf Binary files /dev/null and b/roles/firewall/files/tsg_conn_sketch-2.0.12.0ad5a3b-2.el7.x86_64.rpm differ diff --git a/roles/firewall/files/tsg_conn_sketch-2.0.6.abb4f4d-2.el7.x86_64.rpm b/roles/firewall/files/tsg_conn_sketch-2.0.6.abb4f4d-2.el7.x86_64.rpm deleted file mode 100644 index cba9d25..0000000 Binary files a/roles/firewall/files/tsg_conn_sketch-2.0.6.abb4f4d-2.el7.x86_64.rpm and /dev/null differ diff --git a/roles/firewall/files/tsg_master-3.3.0.5fcfdae-2.el7.x86_64.rpm b/roles/firewall/files/tsg_master-3.3.0.5fcfdae-2.el7.x86_64.rpm deleted file mode 100644 index bba14f2..0000000 Binary files a/roles/firewall/files/tsg_master-3.3.0.5fcfdae-2.el7.x86_64.rpm and /dev/null differ diff --git a/roles/firewall/tasks/main.yml b/roles/firewall/tasks/main.yml index 086f5f9..7c84164 100644 --- a/roles/firewall/tasks/main.yml +++ b/roles/firewall/tasks/main.yml 
@@ -11,21 +11,22 @@ skip_broken: yes vars: fw_packages: - - /tmp/ansible_deploy/capture_packet_plug-3.0.4.42574b7-2.el7.x86_64.rpm + - /tmp/ansible_deploy/capture_packet_plug-3.0.6.a2db4a4-2.el7.x86_64.rpm - /tmp/ansible_deploy/conn_telemetry-1.0.2.8d6da43-2.el7.x86_64.rpm - /tmp/ansible_deploy/dns-2.0.9.b639626-2.el7.x86_64.rpm - /tmp/ansible_deploy/ftp-1.0.8.13d5fda-2.el7.x86_64.rpm - /tmp/ansible_deploy/fw_dns_plug-3.0.2.dab58fa-2.el7.x86_64.rpm - /tmp/ansible_deploy/fw_ftp_plug-3.0.1.0a78573-2.el7.x86_64.rpm - - /tmp/ansible_deploy/fw_http_plug-3.0.1.0c7e082-2.el7.x86_64.rpm - - /tmp/ansible_deploy/fw_mail_plug-3.0.1.02465eb-2.el7.x86_64.rpm - - /tmp/ansible_deploy/fw_quic_plug-3.0.1.b790ee1-2.el7.x86_64.rpm - - /tmp/ansible_deploy/fw_ssl_plug-3.0.4.a0b19ee-2.el7.x86_64.rpm + - /tmp/ansible_deploy/fw_http_plug-3.0.4.484b54d-2.el7.x86_64.rpm + - /tmp/ansible_deploy/fw_mail_plug-3.0.2.7401550-2.el7.x86_64.rpm + - /tmp/ansible_deploy/fw_quic_plug-3.0.4.947ef77-2.el7.x86_64.rpm + - /tmp/ansible_deploy/fw_ssl_plug-3.0.6.a121701-2.el7.x86_64.rpm - /tmp/ansible_deploy/http-2.0.5.c61ad9a-2.el7.x86_64.rpm - /tmp/ansible_deploy/mail-1.0.9.c1d3bde-2.el7.x86_64.rpm - - /tmp/ansible_deploy/quic-1.1.10.c2b90a0-2.el7.x86_64.rpm - - /tmp/ansible_deploy/ssl-1.0.9.69f3742-2.el7.x86_64.rpm - - /tmp/ansible_deploy/tsg_conn_sketch-2.0.6.abb4f4d-2.el7.x86_64.rpm + - /tmp/ansible_deploy/quic-1.1.17.8c22b4d-2.el7.x86_64.rpm + - /tmp/ansible_deploy/ssl-1.0.12.16b8fb5-2.el7.x86_64.rpm + - /tmp/ansible_deploy/tsg_conn_sketch-2.0.12.0ad5a3b-2.el7.x86_64.rpm + - /tmp/ansible_deploy/app_control_plug-1.0.9.97846eb-2.el7.x86_64.rpm - name: "Template the tsgconf/main.conf" template: 
@@ -40,14 +41,20 @@ dest: /home/mesasoft/sapp_run/tsgconf/maat.conf tags: template -- name: "Template the tsgconf/tsg_log_field.conf" - template: - src: "{{ role_path }}/templates/tsg_log_field.conf.j2" - dest: /home/mesasoft/sapp_run/tsgconf/tsg_log_field.conf - tags: template - - name: "Template the conf/capture_packet_plug.conf.j2" template: src: "{{ role_path }}/templates/capture_packet_plug.conf.j2" dest: /home/mesasoft/sapp_run/conf/capture_packet_plug.conf tags: template + +- name: "Template the tsgconf/app_l7_proto_id.conf" + template: + src: "{{ role_path }}/templates/app_l7_proto_id.conf.j2" + dest: /home/mesasoft/sapp_run/tsgconf/app_l7_proto_id.conf + +- name: "Template the /home/mesasoft/sapp_run/plug/business/tsg_conn_sketch/tsg_conn_sketch.inf" + template: + src: "{{ role_path }}/templates/tsg_conn_sketch.inf.j2" + dest: /home/mesasoft/sapp_run/plug/business/tsg_conn_sketch/tsg_conn_sketch.inf + tags: template + diff --git a/roles/firewall/templates/app_l7_proto_id.conf.j2 b/roles/firewall/templates/app_l7_proto_id.conf.j2 new file mode 100644 index 0000000..714f943 --- /dev/null +++ b/roles/firewall/templates/app_l7_proto_id.conf.j2 
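Review bot: The new `Template the tsgconf/app_l7_proto_id.conf` task is the only template task in this hunk without `tags: template`, so a run limited to `--tags template` would render its neighbours and skip it; add `tags: template` under its `dest:` line. The hunk also removes the task that rendered `tsgconf/tsg_log_field.conf`, while the context lines of the main.conf.j2 change later in this commit still show `COMMON_FIELD_FILE="tsgconf/tsg_log_field.conf"`. Presumably that file now ships in a package, but nothing visible confirms it, so a comment next to the removal saying where the file comes from would help. None of these template tasks set `owner`, `group` or `mode`, so the rendered files take whatever the connection user's umask gives.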
@@ -0,0 +1,51 @@ +#TYPE:1:UCHAR,2:USHORT,3:USTRING,4:ULOG,5:USTRING,6:FILE,7:UBASE64,8:PACKET +#TYPE FIELD VALUE +STRING UNCATEGORIZED 100 +STRING UNCATEGORIZED 101 +STRING UNKNOWN_OTHER 102 +STRING DNS 103 +STRING FTP 104 +STRING FTPS 105 +STRING HTTP 106 +STRING HTTPS 107 +STRING ICMP 108 +STRING IKE 109 +STRING MAIL 110 +STRING IMAPS 111 +STRING IPSEC 112 +STRING XMPP 113 +STRING L2TP 114 +STRING NTP 115 +STRING POP3S 117 +STRING PPTP 118 +STRING QUIC 119 +STRING SIP 120 +STRING SMB 121 +STRING SMTPS 123 +STRING SPDY 124 +STRING SSH 125 +STRING SSL 126 +STRING SOCKS 127 +STRING TELNET 128 +STRING DHCP 129 +STRING RADIUS 130 +STRING OPENVPN 131 +STRING STUN 132 +STRING TEREDO 133 +STRING DTLS 134 +STRING DoH 135 +STRING ISAKMP 136 +STRING MDNS 137 +STRING NETBIOS 138 +STRING NETFLOW 139 +STRING RDP 140 +STRING RTCP 141 +STRING RTP 142 +STRING SLP 143 +STRING SNMP 144 +STRING SSDP 145 +STRING TFTP 146 +STRING BJNP 147 +STRING LDAP 148 +STRING RTMP 149 +STRING RTSP 150 diff --git a/roles/firewall/templates/capture_packet_plug.conf.j2 b/roles/firewall/templates/capture_packet_plug.conf.j2 index d24e2a9..4da1182 100644 --- a/roles/firewall/templates/capture_packet_plug.conf.j2 +++ b/roles/firewall/templates/capture_packet_plug.conf.j2 @@ -19,7 +19,7 @@ ACCEPT_TAGS={"tags":[{"tag":"data_center","value":"{{ data_center }}"}]} [LOG] NIC_NAME={{ nic_mgr.name }} -BROKER_LIST={{ log_kafkabrokers.address }} +BROKER_LIST={{ log_kafkabrokers.address | join(",") }} FIELD_FILE=conf/capture_packet_log_field.conf [SYSTEM] diff --git a/roles/firewall/templates/main.conf.j2 b/roles/firewall/templates/main.conf.j2 index 920356c..1d7193c 100644 --- a/roles/firewall/templates/main.conf.j2 +++ b/roles/firewall/templates/main.conf.j2 
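Review bot: `UNCATEGORIZED` is mapped twice in the new app_l7_proto_id.conf.j2 table, to 100 and to 101, so a lookup by name is ambiguous and which entry the parser keeps cannot be told from here; if 101 is a distinct category it needs its own name. The header comment lists `3:USTRING` and `5:USTRING`, where the header of the tsg_log_field.conf.j2 file deleted in this commit had `3:ULONG`, which looks like a copy error. Values 116 and 122 are skipped without explanation; if they are reserved, a line such as `# 116 and 122 intentionally unassigned` would record that.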
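Review bot: `{{ log_kafkabrokers.address | join(",") }}` in capture_packet_plug.conf.j2 only renders a broker list when `address` is a YAML list; Jinja's `join` iterates a plain string character by character, so an inventory that still defines a single `host:port` string would render `h,o,s,t,...` without any error. The same filter is added to main.conf.j2, packet_dump.conf.j2 and radius.conf in this commit, and the variable's definition is not part of the visible diff. Guard the type once, for example `{{ [log_kafkabrokers.address] | flatten | join(",") }}`, or assert `log_kafkabrokers.address is not string` in a pre-task.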
@@ -20,6 +20,10 @@ LOG_LEVEL={{ fw_dns_log_level }} LOG_PATH="./tsglog/fw_quic_plug/fw_quic_plug" LOG_LEVEL={{ fw_quic_log_level }} +[CONTROL_PLUG] +LOG_PATH="./tsglog/app_control_plug/app_control_plug" +LOG_LEVEL={{ app_control_log_level }} + [MAAT] PROFILE="./tsgconf/maat.conf" SUBSCRIBER_ID_TABLE="TSG_OBJ_SUBSCRIBER_ID" @@ -32,7 +36,7 @@ NIC_NAME="{{ nic_mgr.name }}" MAX_SERVICE=1 LOG_LEVEL={{ tsg_log_level }} LOG_PATH="./tsglog/tsglog" -BROKER_LIST="{{ log_kafkabrokers.address }}" +BROKER_LIST="{{ log_kafkabrokers.address | join(",") }}" COMMON_FIELD_FILE="tsgconf/tsg_log_field.conf" [STATISTIC] @@ -55,3 +59,6 @@ LOG_LEVEL={{ tsg_master_log_level }} LOG_PATH="./tsglog/tsg_master" POLICY_PRIORITY_LABEL="POLICY_PRIORITY" DEVICE_ID_COMMAND="hostname | awk -F'-' '{print $3}'| awk -F'adc' '{print $2}'" + +[TSG_CONN_SKETCH] +log_service=2 diff --git a/roles/firewall/templates/tsg_conn_sketch.inf.j2 b/roles/firewall/templates/tsg_conn_sketch.inf.j2 new file mode 100644 index 0000000..170f1e7 --- /dev/null +++ b/roles/firewall/templates/tsg_conn_sketch.inf.j2 @@ -0,0 +1,35 @@ +[PLUGINFO] +PLUGNAME=TSG_CONN_SKETCH +SO_PATH=./plug/business/tsg_conn_sketch/tsg_conn_sketch.so +INIT_FUNC=tsg_conn_record_init +DESTROY_FUNC=tsg_conn_record_destroy + + +[TCP] +FUNC_FLAG=ALL +FUNC_NAME=tsg_record_tcp_entry + +[TCP_ALL] +FUNC_FLAG=ALL +FUNC_NAME=tsg_record_tcpall_entry + +[UDP] +FUNC_FLAG=ALL +FUNC_NAME=tsg_record_udp_entry + +[HTTP] +FUNC_FLAG=ALL +FUNC_NAME=tsg_record_http_entry + +[SSL] +FUNC_FLAG=SSL_CLIENT_HELLO,SSL_SERVER_HELLO,SSL_APPLICATION_DATA,SSL_CERTIFICATE_DETAIL +FUNC_NAME=tsg_record_ssl_entry + +#[DNS] +#FUNC_FLAG=ALL +#FUNC_NAME=tsg_record_dns_entry + +[MAIL] +FUNC_FLAG=ALL +FUNC_NAME=tsg_record_mail_entry + diff --git a/roles/firewall/templates/tsg_log_field.conf.j2 b/roles/firewall/templates/tsg_log_field.conf.j2 deleted file mode 100644 index e8ee44c..0000000 --- a/roles/firewall/templates/tsg_log_field.conf.j2 +++ /dev/null 
@@ -1,52 +0,0 @@ -#TYPE:1:UCHAR,2:USHORT,3:ULONG,4:ULOG,5:USTRING,6:FILE,7:UBASE64,8:PACKET -#TYPE TOPIC SERVICE -TOPIC SECURITY-EVENT-LOG 0 -TOPIC CONNECTION-RECORD-LOG 1 -TOPIC CONNECTION-SKETCH 2 - -#TYPE FIELD VALUE -LONG common_policy_id 1 -LONG common_service 2 -LONG common_action 3 -LONG common_start_time 4 -LONG common_end_time 5 -STRING common_l4_protocol 6 -LONG common_address_type 7 -STRING common_server_ip 8 -STRING common_client_ip 9 -LONG common_server_port 10 -LONG common_client_port 11 -LONG common_stream_dir 12 -STRING common_address_list 13 -LONG common_entrance_id 14 -LONG common_device_id 15 -LONG common_link_id 16 -STRING common_isp 17 -LONG common_encapsulation 18 -LONG common_direction 19 -STRING common_sled_ip 20 -STRING common_user_tags 21 -STRING common_user_region 22 -STRING common_app_label 23 -LONG common_app_id 24 -LONG common_protocol_id 25 -LONG common_c2s_pkt_num 26 -LONG common_s2c_pkt_num 27 -LONG common_c2s_byte_num 28 -LONG common_s2c_byte_num 29 -LONG common_con_duration_ms 30 -LONG common_has_dup_traffic 31 -STRING common_stream_error 32 -STRING common_stream_trace_id 33 -STRING common_schema_type 34 -STRING http_host 35 -STRING ssl_sni 36 -LONG common_establish_latency_ms 37 -STRING common_sub_action 38 -STRING common_client_asn 39 -STRING common_server_asn 40 -STRING common_client_location 41 -STRING common_server_location 42 -STRING quic_sni 43 -STRING ssl_ja3_fingerprint 44 -STRING common_data_center 45 diff --git a/roles/framework/files/libMESA_field_stat2-2.9.10.72ac4f1-2.el7.x86_64.rpm b/roles/framework/files/libMESA_field_stat2-2.9.10.72ac4f1-2.el7.x86_64.rpm new file mode 100644 index 0000000..badbcb5 Binary files /dev/null and b/roles/framework/files/libMESA_field_stat2-2.9.10.72ac4f1-2.el7.x86_64.rpm differ 
diff --git a/roles/framework/files/libMESA_field_stat2-2.9.4.4e2dd78-2.el7.x86_64.rpm b/roles/framework/files/libMESA_field_stat2-2.9.4.4e2dd78-2.el7.x86_64.rpm
deleted file mode 100644
index 98525ab..0000000
Binary files a/roles/framework/files/libMESA_field_stat2-2.9.4.4e2dd78-2.el7.x86_64.rpm and /dev/null differ
diff --git a/roles/framework/files/libmaatframe-3.1.10.653727e-2.el7.x86_64.rpm b/roles/framework/files/libmaatframe-3.1.10.653727e-2.el7.x86_64.rpm
new file mode 100644
index 0000000..8c6b2e6
Binary files /dev/null and b/roles/framework/files/libmaatframe-3.1.10.653727e-2.el7.x86_64.rpm differ
diff --git a/roles/framework/files/libmaatframe-3.1.3.4fbcf21-2.el7.x86_64.rpm b/roles/framework/files/libmaatframe-3.1.3.4fbcf21-2.el7.x86_64.rpm
deleted file mode 100644
index d94f5d8..0000000
Binary files a/roles/framework/files/libmaatframe-3.1.3.4fbcf21-2.el7.x86_64.rpm and /dev/null differ
diff --git a/roles/framework/files/librulescan-2.2.1.1716a7b-2.el7.x86_64.rpm b/roles/framework/files/librulescan-2.2.1.1716a7b-2.el7.x86_64.rpm
deleted file mode 100644
index d709550..0000000
Binary files a/roles/framework/files/librulescan-2.2.1.1716a7b-2.el7.x86_64.rpm and /dev/null differ
diff --git a/roles/framework/files/librulescan-2.2.2.e5a4457-2.el7.x86_64.rpm b/roles/framework/files/librulescan-2.2.2.e5a4457-2.el7.x86_64.rpm
new file mode 100644
index 0000000..d3d13db
Binary files /dev/null and b/roles/framework/files/librulescan-2.2.2.e5a4457-2.el7.x86_64.rpm differ
diff --git a/roles/framework/tasks/main.yml b/roles/framework/tasks/main.yml
index fe5d5dd..2735b5d 100644
--- a/roles/framework/tasks/main.yml
+++ b/roles/framework/tasks/main.yml
@@ -12,14 +12,14 @@ packages: - /tmp/ansible_deploy/libcjson-1.7.10.ab2896f-2.el7.x86_64.rpm - /tmp/ansible_deploy/libdocumentanalyze-2.0.6.2d1abe0-2.el7.x86_64.rpm - - /tmp/ansible_deploy/libmaatframe-3.1.3.4fbcf21-2.el7.x86_64.rpm + - /tmp/ansible_deploy/libmaatframe-3.1.10.653727e-2.el7.x86_64.rpm - /tmp/ansible_deploy/libMESA_field_stat-1.0.2.6d45eed-2.el7.x86_64.rpm - - /tmp/ansible_deploy/libMESA_field_stat2-2.9.4.4e2dd78-2.el7.x86_64.rpm + - /tmp/ansible_deploy/libMESA_field_stat2-2.9.10.72ac4f1-2.el7.x86_64.rpm - /tmp/ansible_deploy/libMESA_handle_logger-2.0.7.cb4ad71-2.el7.x86_64.rpm - /tmp/ansible_deploy/libMESA_htable-3.10.12.cf4ccfc-2.el7.x86_64.rpm - /tmp/ansible_deploy/libMESA_prof_load-1.0.6.c6da36a-2.el7.x86_64.rpm - /tmp/ansible_deploy/librdkafka-0.11.4-1.el7.x86_64.rpm - - /tmp/ansible_deploy/librulescan-2.2.1.1716a7b-2.el7.x86_64.rpm + - /tmp/ansible_deploy/librulescan-2.2.2.e5a4457-2.el7.x86_64.rpm - /tmp/ansible_deploy/libtsglua-1.0.8.0dbf2e6-2.el7.x86_64.rpm - /tmp/ansible_deploy/libwiredcfg-2.0.6.67ae0ab-2.el7.x86_64.rpm - /tmp/ansible_deploy/libWiredLB-2.0.5.4629165-2.el7.x86_64.rpm diff --git a/roles/kernel-ml/tasks/main.yml b/roles/kernel-ml/tasks/main.yml index 9e242d2..1f13b0f 100644 --- a/roles/kernel-ml/tasks/main.yml +++ b/roles/kernel-ml/tasks/main.yml @@ -40,6 +40,6 @@ - tsg_access_type == 4 - t_kernel_ml.changed -#- name: "reboot" -# reboot: -# when: t_kernel_ml.changed +- name: "reboot" + reboot: + when: t_kernel_ml.changed diff --git a/roles/kni/files/kni-20.10.20201019.3f20d93-2.el7.x86_64.rpm b/roles/kni/files/kni-20.10.20201019.3f20d93-2.el7.x86_64.rpm deleted file mode 100644 index 8e8bdd6..0000000 Binary files a/roles/kni/files/kni-20.10.20201019.3f20d93-2.el7.x86_64.rpm and /dev/null differ 
diff --git a/roles/kni/files/kni-20.10.20201024.a43de2a-2.el7.x86_64.rpm b/roles/kni/files/kni-20.10.20201024.a43de2a-2.el7.x86_64.rpm deleted file mode 100644 index fd7bfaa..0000000 Binary files a/roles/kni/files/kni-20.10.20201024.a43de2a-2.el7.x86_64.rpm and /dev/null differ diff --git a/roles/kni/files/kni-20.12.01.13e663f-2.el7.x86_64.rpm b/roles/kni/files/kni-20.12.01.13e663f-2.el7.x86_64.rpm new file mode 100644 index 0000000..35b17c5 Binary files /dev/null and b/roles/kni/files/kni-20.12.01.13e663f-2.el7.x86_64.rpm differ diff --git a/roles/kni/tasks/main.yml b/roles/kni/tasks/main.yml index f1c8df8..f738af0 100644 --- a/roles/kni/tasks/main.yml +++ b/roles/kni/tasks/main.yml @@ -7,7 +7,7 @@ - name: "install kni rpms from localhost" yum: name: - - /tmp/ansible_deploy/kni-20.10.20201024.a43de2a-2.el7.x86_64.rpm + - /tmp/ansible_deploy/kni-20.12.01.13e663f-2.el7.x86_64.rpm state: present # skip_broken: yes diff --git a/roles/kni/templates/kni.conf.j2 b/roles/kni/templates/kni.conf.j2 index 7183e7b..3b06185 100644 --- a/roles/kni/templates/kni.conf.j2 +++ b/roles/kni/templates/kni.conf.j2 @@ -92,7 +92,7 @@ security_policy_id = 3,10 [ssl_dynamic_bypass] -enabled = 1 +enabled = 0 #kni dynamic bypass [traceid2sslinfo_htable] diff --git a/roles/maat-redis/files/maat-redis-exporter.service b/roles/maat-redis/files/maat-redis-exporter.service new file mode 100644 index 0000000..c3d09f9 --- /dev/null +++ b/roles/maat-redis/files/maat-redis-exporter.service @@ -0,0 +1,11 @@ +[Unit] +Description=Redis Exporter for MAAT-REDIS +After=network.target + +[Service] +ExecStart=/usr/bin/redis_exporter -redis.addr=redis://localhost:7002 -redis-only-metrics +Type=simple + +[Install] +WantedBy=multi-user.target + diff --git a/roles/maat-redis/tasks/main.yml b/roles/maat-redis/tasks/main.yml index a20f36c..c4a0a5f 100644 --- a/roles/maat-redis/tasks/main.yml +++ b/roles/maat-redis/tasks/main.yml 
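Review bot: The new maat-redis-exporter.service has no `User=` line, so `/usr/bin/redis_exporter` runs as root although it only needs to reach redis on localhost:7002 and serve metrics. No `-web.listen-address` is passed either, so the exporter keeps its built-in default, which in upstream redis_exporter listens on all interfaces; which networks can reach the host is not visible here. Consider a dedicated account and an explicit bind, e.g. `User=<exporter-user>` and `-web.listen-address=<mgmt-ip>:<port>`, plus `NoNewPrivileges=yes`. The binary itself is committed under roles/redis/files with no recorded checksum or upstream version.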
@@ -3,14 +3,18 @@ src: "{{ role_path }}/files/maat-redis.service" dest: "/usr/lib/systemd/system" mode: 0644 - when: tsg_cluster_mode == 1 + +- name: "copy maat-redis exporter file to dest" + copy: + src: "{{ role_path }}/files/maat-redis-exporter.service" + dest: "/usr/lib/systemd/system" + mode: 0644 - name: "Template the maat-redis.conf" template: src: "{{ role_path }}/templates/maat-redis.conf.j2" dest: /etc/maat-redis.conf tags: template - when: tsg_cluster_mode == 1 - name: "start maat-redis" systemd: @@ -18,4 +22,10 @@ state: started daemon_reload: yes enabled: yes - when: tsg_cluster_mode == 1 + +- name: "start maat-redis exporter" + systemd: + name: maat-redis-exporter.service + state: started + daemon_reload: yes + enabled: yes diff --git a/roles/mrzcpd/files/memory.conf b/roles/mrzcpd/files/memory.conf deleted file mode 100644 index f082028..0000000 --- a/roles/mrzcpd/files/memory.conf +++ /dev/null @@ -1,2 +0,0 @@ -[Service] -MemoryMax=100G \ No newline at end of file diff --git a/roles/mrzcpd/files/mrzcpd-4.3.28.2d13de4-1.el7.x86_64.rpm b/roles/mrzcpd/files/mrzcpd-4.3.30.4627eb7-1.el7.x86_64.rpm similarity index 80% rename from roles/mrzcpd/files/mrzcpd-4.3.28.2d13de4-1.el7.x86_64.rpm rename to roles/mrzcpd/files/mrzcpd-4.3.30.4627eb7-1.el7.x86_64.rpm index 153a869..9d2dd37 100644 Binary files a/roles/mrzcpd/files/mrzcpd-4.3.28.2d13de4-1.el7.x86_64.rpm and b/roles/mrzcpd/files/mrzcpd-4.3.30.4627eb7-1.el7.x86_64.rpm differ diff --git a/roles/mrzcpd/tasks/main.yml b/roles/mrzcpd/tasks/main.yml index c5c6581..0b3f708 100644 --- a/roles/mrzcpd/tasks/main.yml +++ b/roles/mrzcpd/tasks/main.yml @@ -6,7 +6,7 @@ - name: "install mrzcpd" yum: - name: /tmp/ansible_deploy/mrzcpd-4.3.28.2d13de4-1.el7.x86_64.rpm + name: /tmp/ansible_deploy/mrzcpd-4.3.30.4627eb7-1.el7.x86_64.rpm state: present - name: "update sysconfig/mrzcpd" 
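Review bot: `state: started` in the new `start maat-redis exporter` task leaves an already-running exporter untouched when the unit file copied in the previous hunk changes, so an edited `ExecStart` only takes effect after a manual restart. Register the copy result and restart on change, or move the restart into a handler notified by the copy task. The unit executes `/usr/bin/redis_exporter`, which is installed by the separate redis role in this commit, so a host that runs maat-redis without that role gets a failing service. The added copy task also uses bare `mode: 0644`; `mode: "0644"` is the form the Ansible documentation recommends.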
@@ -145,10 +145,22 @@ when: - tsg_access_type != 0 +- name: "enable prometheus output - monit_device" + systemd: + name: mrapm_device + enabled: yes + daemon_reload: yes + +- name: "enable prometheus output - monit_stream" + systemd: + name: mrapm_stream + enabled: yes + daemon_reload: yes + - name: "enable mrtunnat on master" systemd: name: mrtunnat - enabled: yes + enabled: no daemon_reload: yes when: - nic_traffic_mirror is not defined @@ -161,12 +173,6 @@ daemon_reload: yes when: nic_traffic_mirror is defined -- name: "copy memory limit file to tfe.service.d" - copy: - src: "{{ role_path }}/files/memory.conf" - dest: /etc/systemd/system/mrzcpd.service.d/ - mode: 0644 - - name: "mask mrzcpd on server_tun_mode" systemd: name: mrzcpd diff --git a/roles/mrzcpd/templates/adc_inline/mrglobal.conf.adc_inline.j2 b/roles/mrzcpd/templates/adc_inline/mrglobal.conf.adc_inline.j2 index 9a28a58..a80a483 100644 --- a/roles/mrzcpd/templates/adc_inline/mrglobal.conf.adc_inline.j2 +++ b/roles/mrzcpd/templates/adc_inline/mrglobal.conf.adc_inline.j2 @@ -32,7 +32,7 @@ promisc=1 [service] # lcore id for i/o service, use comma to split -iocore={{ mrzcpd.iocore }} +iocore={{ mcn0_mrzcpd.iocore }} distmode=2 hashmode=0 diff --git a/roles/mrzcpd/templates/allot_access/mrglobal.conf.allot_access.j2 b/roles/mrzcpd/templates/allot_access/mrglobal.conf.allot_access.j2 index 2e884e8..245aecc 100644 --- a/roles/mrzcpd/templates/allot_access/mrglobal.conf.allot_access.j2 +++ b/roles/mrzcpd/templates/allot_access/mrglobal.conf.allot_access.j2 @@ -33,7 +33,7 @@ promisc=1 [service] # lcore id for i/o service, use comma to split -iocore={{ mrzcpd.iocore }} +iocore={{ mcn0_mrzcpd.iocore }} distmode=2 hashmode=0 diff --git a/roles/mrzcpd/templates/traffic_mirror/mrglobal.conf.traffic_mirror.j2 b/roles/mrzcpd/templates/traffic_mirror/mrglobal.conf.traffic_mirror.j2 index a6820d7..00e70ab 100644 --- a/roles/mrzcpd/templates/traffic_mirror/mrglobal.conf.traffic_mirror.j2 
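Review bot: The task in the first mrzcpd hunk on this line is still named "enable mrtunnat on master" but now sets `enabled: no`, so the play output reports the opposite of what happens; rename it, e.g. `- name: "disable mrtunnat on master"`. `enabled: no` also leaves an already-running mrtunnat running until the next reboot; if the intent is to retire it (the sapp.toml.j2 comment in this commit says sapp supports L2-L3 tunnels without mrtunnat), add `state: stopped`. The two new `mrapm_device` and `mrapm_stream` tasks enable the units without `state: started`, so the Prometheus output only appears after a reboot or a manual start.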
+++ b/roles/mrzcpd/templates/traffic_mirror/mrglobal.conf.traffic_mirror.j2 @@ -10,7 +10,7 @@ clear_tx_flags=1 promisc=1 [service] -iocore={{ mrzcpd.iocore }} +iocore={{ mcn123_mrzcpd.iocore }} [eal] virtaddr=0x7d0000000000 diff --git a/roles/packet_dump/files/packet_dump-1.0.7.0c9be9e-2.el7.x86_64.rpm b/roles/packet_dump/files/packet_dump-1.0.7.0c9be9e-2.el7.x86_64.rpm deleted file mode 100644 index f7450f5..0000000 Binary files a/roles/packet_dump/files/packet_dump-1.0.7.0c9be9e-2.el7.x86_64.rpm and /dev/null differ diff --git a/roles/packet_dump/files/packet_dump-1.0.8.2e723ab-2.el7.x86_64.rpm b/roles/packet_dump/files/packet_dump-1.0.8.2e723ab-2.el7.x86_64.rpm new file mode 100644 index 0000000..cb35f20 Binary files /dev/null and b/roles/packet_dump/files/packet_dump-1.0.8.2e723ab-2.el7.x86_64.rpm differ diff --git a/roles/packet_dump/tasks/main.yml b/roles/packet_dump/tasks/main.yml index a89e5f0..c0a58d4 100644 --- a/roles/packet_dump/tasks/main.yml +++ b/roles/packet_dump/tasks/main.yml @@ -1,6 +1,6 @@ - name: "copy packet_dump rpm to destination server" copy: - src: "{{ role_path }}/files/packet_dump-1.0.7.0c9be9e-2.el7.x86_64.rpm" + src: "{{ role_path }}/files/packet_dump-1.0.8.2e723ab-2.el7.x86_64.rpm" dest: /tmp/ansible_deploy/ - name: "copy packet_dump.service to destination server" @@ -12,7 +12,7 @@ - name: "install packet_dump rpm from localhost" yum: name: - - /tmp/ansible_deploy/packet_dump-1.0.7.0c9be9e-2.el7.x86_64.rpm + - /tmp/ansible_deploy/packet_dump-1.0.8.2e723ab-2.el7.x86_64.rpm state: present - name: "Template the packet_dump.conf" diff --git a/roles/packet_dump/templates/packet_dump.conf.j2 b/roles/packet_dump/templates/packet_dump.conf.j2 index 5b0f3af..a0727ed 100644 --- a/roles/packet_dump/templates/packet_dump.conf.j2 +++ b/roles/packet_dump/templates/packet_dump.conf.j2 @@ -1,5 +1,5 @@ [KAFKA] -BROKER_LIST={{ log_kafkabrokers.address }} +BROKER_LIST={{ log_kafkabrokers.address | join(",")}} KAFKA_OFFSET=largest [SYSTEM] 
diff --git a/roles/radius/templates/radius.conf b/roles/radius/templates/radius.conf index 9745859..db92a48 100644 --- a/roles/radius/templates/radius.conf +++ b/roles/radius/templates/radius.conf @@ -1,6 +1,6 @@ [RADIUS_PLUG] DEVICE_ID=0 -BROKERLIST={{ log_kafkabrokers.address }} +BROKERLIST={{ log_kafkabrokers.address | join(",") }} COLLECT_TOPIC=RADIUS-RECORD-LOG SERVICE_ID=162 NIC_NAME={{ nic_mgr.name }} diff --git a/roles/reboot/tasks/main.yml b/roles/reboot/tasks/main.yml index a9bb686..777560a 100644 --- a/roles/reboot/tasks/main.yml +++ b/roles/reboot/tasks/main.yml @@ -1,3 +1,3 @@ - name: "reboot" reboot: - when: Deploy_finished_reboot == 1 +# when: Deploy_finished_reboot == 1 diff --git a/roles/redis/files/redis_exporter b/roles/redis/files/redis_exporter new file mode 100644 index 0000000..4a6fe69 Binary files /dev/null and b/roles/redis/files/redis_exporter differ diff --git a/roles/redis/tasks/main.yml b/roles/redis/tasks/main.yml index 70413ba..4c00bbb 100644 --- a/roles/redis/tasks/main.yml +++ b/roles/redis/tasks/main.yml @@ -10,3 +10,9 @@ - "/tmp/ansible_deploy/jemalloc-3.6.0-1.el7.x86_64.rpm" - "/tmp/ansible_deploy/redis40u-4.0.14-1.ius.centos7.x86_64.rpm" state: present + +- name: "redis exporter" + copy: + src: '{{ role_path }}/files/' + dest: /usr/bin/ + mode: 0755 diff --git a/roles/sapp/files/memory.conf b/roles/sapp/files/memory.conf index f082028..c0255fc 100644 --- a/roles/sapp/files/memory.conf +++ b/roles/sapp/files/memory.conf @@ -1,2 +1,3 @@ [Service] -MemoryMax=100G \ No newline at end of file +MemoryLimit=80G +ExecStartPost=/bin/bash -c "echo 80G > /sys/fs/cgroup/memory/system.slice/sapp.service/memory.memsw.limit_in_bytes" diff --git a/roles/sapp/files/sapp-4.1.12.b8f6ea4-2.el7.x86_64.rpm b/roles/sapp/files/sapp-4.1.12.b8f6ea4-2.el7.x86_64.rpm deleted file mode 100644 index 67a2b02..0000000 Binary files a/roles/sapp/files/sapp-4.1.12.b8f6ea4-2.el7.x86_64.rpm and /dev/null differ 
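Review bot: Commenting out `when: Deploy_finished_reboot == 1` in roles/reboot/tasks/main.yml makes the role restart every host it is applied to on every run, with no inventory switch left to prevent it. The other roles in this commit suggest these hosts sit in the traffic path, so an accidental re-run becomes an outage. If the goal was to avoid an undefined-variable failure, keep the guard and give it a default: `when: Deploy_finished_reboot | default(0) | int == 1`.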
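Review bot: `src: '{{ role_path }}/files/'` in the new `redis exporter` task ends in a slash, so it copies the entire contents of the role's files directory into `/usr/bin/` with mode 0755, not just `redis_exporter`. Anything else stored there would land in the system PATH as an executable; the jemalloc and redis RPMs named in the task above may be in that directory, though their location is not visible. Name the file explicitly: `src: "{{ role_path }}/files/redis_exporter"`, `dest: /usr/bin/redis_exporter`, `mode: "0755"`, with `owner: root` and `group: root`. Since the exporter is an opaque binary in git, pinning it with the copy module's `checksum:` parameter or recording its upstream version in a comment would make a later substitution detectable.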
diff --git a/roles/sapp/files/sapp-4.1.13.ed89137-2.el7.x86_64.rpm b/roles/sapp/files/sapp-4.1.13.ed89137-2.el7.x86_64.rpm
deleted file mode 100644
index 078dd04..0000000
Binary files a/roles/sapp/files/sapp-4.1.13.ed89137-2.el7.x86_64.rpm and /dev/null differ
diff --git a/roles/sapp/files/sapp-4.2.25.893d15d-2.el7.x86_64.rpm b/roles/sapp/files/sapp-4.2.25.893d15d-2.el7.x86_64.rpm
new file mode 100644
index 0000000..ca045ab
Binary files /dev/null and b/roles/sapp/files/sapp-4.2.25.893d15d-2.el7.x86_64.rpm differ
diff --git a/roles/sapp/files/tcpdump_mesa-1.0.2.0c5a950-2.el7.x86_64.rpm b/roles/sapp/files/tcpdump_mesa-1.0.2.0c5a950-2.el7.x86_64.rpm
new file mode 100644
index 0000000..c5cb8cf
Binary files /dev/null and b/roles/sapp/files/tcpdump_mesa-1.0.2.0c5a950-2.el7.x86_64.rpm differ
diff --git a/roles/sapp/files/tera_fake_promisc_setup.conf b/roles/sapp/files/tera_fake_promisc_setup.conf
new file mode 100644
index 0000000..f505012
--- /dev/null
+++ b/roles/sapp/files/tera_fake_promisc_setup.conf
@@ -0,0 +1,2 @@
+[Service]
+ExecStartPre=/bin/bash tera_fake_promisc_setup.sh
diff --git a/roles/sapp/files/tera_fake_promisc_setup.sh b/roles/sapp/files/tera_fake_promisc_setup.sh
new file mode 100644
index 0000000..4e8665a
--- /dev/null
+++ b/roles/sapp/files/tera_fake_promisc_setup.sh
@@ -0,0 +1,4 @@
+set -ex
+dp_adapter_ether_addr=$(ifconfig ens1f2 | grep ether | awk '{print $2}')
+bpf_rule="ether dst $dp_adapter_ether_addr or ether dst 02:42:c0:a8:fd:03 or ether dst 02:42:c0:a8:fd:83 or ether dst 02:42:c0:a8:fd:82"
+sed -i "/BSD_packet_filter=/s/=.*/=\"$bpf_rule\"/" etc/sapp.toml
diff --git a/roles/sapp/tasks/main.yml b/roles/sapp/tasks/main.yml
index 80cceb9..3b7dd38 100644
--- a/roles/sapp/tasks/main.yml
+++ b/roles/sapp/tasks/main.yml
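Review bot: The `sed` address `/BSD_packet_filter=/` in tera_fake_promisc_setup.sh matches every line carrying that key, and sapp.toml.j2 in this commit has it twice (under `[packet_io.feature]` and under `[tools.pkt_dump]`), so the generated rule also overwrites the packet-dump filter. The script uses `set -ex` without `pipefail`, so when `ens1f2` is missing `dp_adapter_ether_addr` is empty and a malformed filter is written into `etc/sapp.toml` by a root `ExecStartPre`. Check the value first, e.g. `[ -n "$dp_adapter_ether_addr" ] || { echo "no MAC for ens1f2" >&2; exit 1; }`, and limit the substitution to the `[packet_io.feature]` section. The interface name and the three MAC addresses are hard-coded and would be better supplied from inventory through a template. The drop-in invokes the script by relative name, which works only because of `WorkingDirectory=`; an absolute path is safer.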
@@ -13,7 +13,13 @@ - name: "install sapp rpms from localhost" yum: name: - - /tmp/ansible_deploy/sapp-4.1.13.ed89137-2.el7.x86_64.rpm + - /tmp/ansible_deploy/sapp-4.2.25.893d15d-2.el7.x86_64.rpm + state: present + +- name: "install tcpdump_mesa rpms from localhost" + yum: + name: + - /tmp/ansible_deploy/tcpdump_mesa-1.0.2.0c5a950-2.el7.x86_64.rpm state: present skip_broken: yes @@ -46,12 +52,24 @@ dest: /home/mesasoft/sapp_run/etc/sapp_log.conf tags: template +- name: Template the sapp_tmpfile.conf + template: + src: "{{ role_path }}/templates/sapp_tmpfile.conf.j2" + dest: /etc/tmpfiles.d/sapp_tmpfile.conf + tags: template + - name: Template the gdev.conf template: src: "{{ role_path }}/templates/gdev.conf.j2" dest: /home/mesasoft/sapp_run/etc/gdev.conf when: tsg_access_type == 1 - + +- name: Template the vlan_flipping_map.conf + template: + src: "{{ role_path }}/templates/vlan_flipping_map.conf.j2" + dest: /home/mesasoft/sapp_run/etc/vlan_flipping_map.conf + when: tsg_access_type == 2 + - name: "Template sapp.service destination server" template: @@ -59,6 +77,26 @@ dest: /usr/lib/systemd/system/sapp.service mode: 0755 +- name: "copy memory limit file to sapp.service.d" + copy: + src: "{{ role_path }}/files/memory.conf" + dest: /etc/systemd/system/sapp.service.d/ + mode: 0644 + +- name: "copy fake promisc tools for tera mode - service file" + copy: + src: "{{ role_path }}/files/tera_fake_promisc_setup.conf" + dest: /etc/systemd/system/sapp.service.d/ + mode: 0644 + when: tsg_access_type == 2 + +- name: "copy fake promisc tools for tera mode - scripts" + copy: + src: "{{ role_path }}/files/tera_fake_promisc_setup.sh" + dest: /home/mesasoft/sapp_run/tera_fake_promisc_setup.sh + mode: 0755 + when: tsg_access_type == 2 + - name: "enable sapp" systemd: name: sapp diff --git a/roles/sapp/templates/conflist.inf.j2 b/roles/sapp/templates/conflist.inf.j2 index cea2d54..41e4ed3 100644 --- a/roles/sapp/templates/conflist.inf.j2 +++ b/roles/sapp/templates/conflist.inf.j2 
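Review bot: The new `install tcpdump_mesa rpms from localhost` task installs a package as root from the fixed path `/tmp/ansible_deploy/`, and nothing visible verifies the RPM before `yum` runs, so its integrity rests on who can write to that directory. How the directory is created is outside this hunk; it should be root-owned with mode 0700 and exist before anything is copied in, or the RPMs should be checked against recorded checksums first. After the edit, the context line `skip_broken: yes` belongs to the tcpdump_mesa task rather than the sapp one; if that is unintended, move it back or drop it.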
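Review bot: In the last hunk of roles/sapp/tasks/main.yml, `tera_fake_promisc_setup.sh` is installed under `/home/mesasoft/sapp_run/` and then executed by systemd as root through the `ExecStartPre` drop-in, so anyone able to write in that directory can change what runs as root at every sapp start. The directory's ownership is not visible in this diff. Set `owner: root` and `group: root` on the copy, or place the script in a root-only location and reference it by absolute path in the drop-in. The three new `copy` tasks use bare `mode: 0644` and `mode: 0755`; quoting them, as in `mode: "0644"`, avoids depending on YAML 1.1 octal parsing.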
@@ -2,16 +2,13 @@ {% if tsg_access_type == 1 %} ./plug/platform/g_device_plug/g_device_plug.inf #./plug/platform/http_healthcheck/http_healthcheck.inf -{% elif tsg_access_type == 2 %} -#./plug/platform/g_device_plug/g_device_plug.inf -./plug/platform/http_healthcheck/http_healthcheck.inf {% else %} #./plug/platform/g_device_plug/g_device_plug.inf #./plug/platform/http_healthcheck/http_healthcheck.inf {% endif %} +./plug/platform/app_proto_identify/app_proto_identify.inf ./plug/platform/tsg_master/tsg_master.inf {% if tsg_app_enable == 1 %} -./plug/platform/app_proto_identify/app_proto_identify.inf ./plug/platform/app_master/app_master.inf {% endif %} @@ -22,6 +19,7 @@ ./plug/protocol/mail/mail.inf ./plug/protocol/ftp/ftp.inf ./plug/protocol/quic/quic.inf +./plug/protocol/l2tp_protocol_plug/l2tp_protocol_plug.inf [business] ./plug/business/tsg_conn_sketch/tsg_conn_sketch.inf @@ -34,7 +32,11 @@ ./plug/business/fw_ftp_plug/fw_ftp_plug.inf ./plug/business/fw_quic_plug/fw_quic_plug.inf ./plug/business/conn_telemetry/conn_telemetry.inf +./plug/business/app_control_plug/app_control_plug.inf {% if tsg_app_enable == 1 %} ./plug/business/app_sketch_local/app_sketch_local.inf ./plug/business/app_control_plug/app_control_plug.inf {% endif %} +{% if tsg_access_type == 2 %} +./plug/platform/http_healthcheck/http_healthcheck.inf +{% endif %} diff --git a/roles/sapp/templates/sapp.service.j2 b/roles/sapp/templates/sapp.service.j2 index e55f2fc..fc91415 100755 --- a/roles/sapp/templates/sapp.service.j2 +++ b/roles/sapp/templates/sapp.service.j2 @@ -5,9 +5,18 @@ Requires=mrzcpd.service After=mrzcpd.service {% endif %} [Service] +Type=notify WorkingDirectory=/home/mesasoft/sapp_run ExecStart=/home/mesasoft/sapp_run/sapp +TimeoutSec=900s +RestartSec=10s Restart=always -RestartSec=5s +LimitNOFILE=524288 +LimitNPROC=infinity +LimitCORE=0 +TasksMax=infinity +Delegate=yes +KillMode=process + [Install] WantedBy=multi-user.target 
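Review bot: `./plug/business/app_control_plug/app_control_plug.inf` is now listed unconditionally in conflist.inf.j2 and again inside the `{% if tsg_app_enable == 1 %}` block just below, so the rendered list names the plugin twice whenever `tsg_app_enable == 1`. Whether the loader tolerates a duplicate entry is not visible here; remove the line inside the conditional. The relocated `./plug/platform/http_healthcheck/http_healthcheck.inf` now renders at the end of the `[business]` section rather than with the other `./plug/platform/` entries at the top of the file, which changes its section and load position for `tsg_access_type == 2`. If that is deliberate, a template comment such as `{# healthcheck must load after business plugins #}` would record why.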
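Review bot: `KillMode=process` in sapp.service.j2 makes systemd signal only the main sapp process on stop or restart, and with `Delegate=yes`, `TasksMax=infinity` and `LimitNPROC=infinity` any helper processes it spawned survive outside supervision; systemd's own documentation advises against this mode. The `[Service]` section visible on the new side has no `User=`, so all of this runs as root with `Restart=always`. If sapp needs the setting for a specific reason, record it in a comment above the line; otherwise keep the default `KillMode=control-group`. `TimeoutSec=900s` also means a hung start or stop blocks for fifteen minutes before systemd intervenes.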
diff --git a/roles/sapp/templates/sapp.toml.j2 b/roles/sapp/templates/sapp.toml.j2
index a167a69..2fc5896 100644
--- a/roles/sapp/templates/sapp.toml.j2
+++ b/roles/sapp/templates/sapp.toml.j2
@@ -22,16 +22,57 @@ bind_mask=[] bind_mask=[{{ sapp.bind_mask }}] {% endif %} +[MEM] +dictator_enable=0 + [PACKET_IO] -{% if tsg_access_type == 4 %} -### note, used to represent inbound or outbound direction value, -##### because it comes from other device, so it needs to be specified manually, -##### if inbound_route_dir=1, then outbound_route_dir=0, vice versa, -##### in other words, outbound_route_dir = 1 ^ inbound_route_dir; -inbound_route_dir={{ sapp.inbound_route_dir }} -{% endif %} + + [overlay_tunnel_definition] +### note, since 2020-10-01, L2-L3 tunnel(VLAN,MPLS,PPPOE,etc.) is process and offload by mrtunnat, +### after 2020-10-01, sapp support L2-L3 tunnel(VLAN,MPLS,PPPOE,etc.) without mrtunnat. + l2_l3_tunnel_support=1 + +### note, optional value is [none, vxlan] + overlay_mode=none + stream_compare_layer_cfg_file="etc/stream_compare_layer.conf" + vlan_flipping_cfg_file="etc/vlan_flipping_map.conf" + asymmetric_presence_layer_cfg_file="etc/asymmetric_presence_layer.conf" + asymmetric_addr_layer_cfg_file="etc/asymmetric_addr_layer.conf" + prune_inject_layer_cfg_file="etc/prune_inject_layer.conf" + + [packet_io.feature] + + {% if tsg_access_type == 4 %} + ### note, used to represent inbound or outbound direction value, + ### because it comes from Third party device, so it needs to be specified manually, + ### if inbound_route_dir=1, then outbound_route_dir=0, vice versa, + ### in other words, outbound_route_dir = 1 ^ inbound_route_dir; + inbound_route_dir={{ sapp.inbound_route_dir }} + {% endif %} + ### note, BSD_packet_filter, if you do not want to set any filter rule, keep it empty as "" -BSD_packet_filter="" + BSD_packet_filter="" + +### note, same as tcpdump -Q/-P arg, possible values are `in', `out' and `inout', default is "in" + pcap_capture_direction="in" + + +### note, depolyment.mode options: [sys_route, vxlan_by_inline_device, raw_ethernet_single_gateway, raw_ethernet_multi_gateway] +### sys_route: send ip(ipv6) packet by system route table, this 
is default mode in mirror mode; +### vxlan_by_inline_device: encapsulation inject packet with vxlan, and then send to inline device by udp socket. +### raw_ethernet_single_gateway: send layer2 ethernet packet to specific gateway in same broadcast domain. +### raw_ethernet_multi_gateway: send layer2 ethernet packet to multiple gateway in same broadcast domain. + inject_pkt_mode=sys_route + +### note, this config is valid if inject_pkt_mode==vxlan_by_inline_device, means udp socket src port. + inject_mode_inline_device_sport=54789 + +### note, this config is valid if inject_pkt_mode==raw_ethernet_single_gateway. + inject_mode_single_gateway_device="eth1" +### inject_mode_single_gateway_src_mac has lower priority than get smac from inject_mode_single_gateway_device + inject_mode_single_gateway_src_mac="00:11:22:77:88:99" + inject_mode_single_gateway_dst_mac="00:11:22:33:44:55" + dumpfile_sleep_time_before_exit=3 ### note, depolyment.mode options: [mirror, inline, transparent] [packet_io.depolyment] @@ -48,7 +89,7 @@ BSD_packet_filter="" name={{packet_io.internal_interface}} {% else %} type=marsio - name=vxlan_user + name={{nic_data_incoming.name}} {% endif %} [packet_io.external.interface] 
@@ -64,25 +105,47 @@ BSD_packet_filter="" ### note, polling_priority = call sapp_recv_pkt every call polling_entry times, polling_priority=1 +[PROTOCOL_FEATURE] + ipv6_decapsulation_enabled=1 + ipv6_send_packet_enabled=1 + tcp_drop_pure_ack_pkt=0 + tcp_syn_option_parse_enabled=1 + skip_not_ip_layer_over_eth=0 + treat_vlan_as_mac_in_mac=0 + reverse_ethernet_addr=1 + + [STREAM] +### note, stream_id_base_time format is "%Y-%m-%d %H:%M:%S" + stream_id_base_time="2018-08-08 08:00:00" [stream.tcp] max=100000 timeout=30 - syn_mandatory=0 - reorder_pkt_max=5 + syn_mandatory=1 + reorder_pkt_max=128 analyse_option_enabled=1 + tuple4_reuse_time_interval=30 + + meaningful_statistics_minimum_pkt=3 + meaningful_statistics_minimum_byte=5 + [stream.tcp.inject] link_mss=1460 [stream.tcp.inject.rst] + auto_remedy=0 number=3 signature_enabled=1 signature_seed1=65535 signature_seed2=13 + remedy_kill_tcp_by_inline_device=0 [stream.udp] max=100000 timeout=60 + meaningful_statistics_minimum_pkt=3 + meaningful_statistics_minimum_byte=5 + [PROFILING] [profiling.pkt_latency] @@ -95,7 +158,7 @@ BSD_packet_filter="" symbol_conflict_enabled=0 [profiling.log] - level=20 + level=10 interval=5 [profiling.log.local] @@ -115,9 +178,14 @@ BSD_packet_filter="" metric_type = default app_name=sapp + [profiling.log.prometheus] + prometheus_enabled={{ sapp_prometheus_enable }} + prometheus_port={{ sapp_prometheus_port }} + prometheus_url_path="{{ sapp_prometheus_url_path }}" + [TOOLS] [tools.pkt_dump] - enabled=0 + enabled=1 ### note, mode options value:[storage, udp_socket] mode=udp_socket BSD_packet_filter="" @@ -131,7 +199,7 @@ BSD_packet_filter="" dump_thread_id=[0,1,2,3,4] [tools.pkt_dump.udp] - command_port=12345 + command_port=9345 [tools.pkt_dump.storage] ### note, file path must be double quotation mark extension, for example, path="/dev/shm/pkt_dump" 
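Review bot: `[tools.pkt_dump] enabled=1` turns the packet-dump tool on for every deployment, in `udp_socket` mode with an empty `BSD_packet_filter`, and the last hunk on this line moves its `command_port` to 9345. On a node that inspects user traffic, a capture-control port is sensitive; which address it binds to and whether commands are authenticated is not visible in this template. Make it opt-in from inventory, e.g. `enabled={{ sapp_pkt_dump_enable | default(0) }}`, and restrict the port with the host firewall. The new `[profiling.log.prometheus]` keys have no `default`, so an inventory that lacks `sapp_prometheus_enable`, `sapp_prometheus_port` or `sapp_prometheus_url_path` fails the template.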
@@ -148,3 +216,10 @@ BSD_packet_filter=""
 entrylist_path="./etc/entrylist.conf"
 send_raw_pkt_path="./etc/send_raw_pkt.conf"
 vxlan_sport_service_map_path="./etc/vxlan_sport_service_map.conf"
+
+[breakpad]
+ disable_coredump=1
+ enable_breakpad=1
+ breakpad_minidump_dir="/tmp/crashreport"
+ enable_breakpad_upload=1
+ breakpad_upload_url="{{ breakpad_upload_url }}"
diff --git a/roles/sapp/templates/sapp_tmpfile.conf.j2 b/roles/sapp/templates/sapp_tmpfile.conf.j2
new file mode 100644
index 0000000..485725b
--- /dev/null
+++ b/roles/sapp/templates/sapp_tmpfile.conf.j2
@@ -0,0 +1 @@
+d /home/mesasoft/sapp_run/log 0755 - - 2d -
diff --git a/roles/sapp/templates/vlan_flipping_map.conf.j2 b/roles/sapp/templates/vlan_flipping_map.conf.j2
new file mode 100644
index 0000000..599e8f8
--- /dev/null
+++ b/roles/sapp/templates/vlan_flipping_map.conf.j2
@@ -0,0 +1,11 @@
+#for inline a device vlan flipping
+#数据包来自C路由器端, 即C2I(I2E)方向,
+#数据包来自I路由器端, 即I2C(E2I)方向,
+#平台会根据vlan_id,设置当前包route_dir的值, 以便上层业务插件做两个方向的流量统计,
+#如果一对vlan_id写反了, 网络是通的, 但是I2E,E2I的流量统计就颠倒了.
+#配置文件格式, pattern:
+#来自C路由器vlan_id 来自I路由器vlan_id 是否开启mac地址翻转
+#C_router_vlan_id I_router_vlan_id mac_flipping_enable
+1301 1302 1
+1201 1202 1
+4000 4001 0
diff --git a/roles/switch_control/files/switch_control_client_non_block b/roles/switch_control/files/switch_control_client_non_block
new file mode 100644
index 0000000..cb34506
Binary files /dev/null and b/roles/switch_control/files/switch_control_client_non_block differ
diff --git a/roles/switch_control/tasks/main.yml b/roles/switch_control/tasks/main.yml
new file mode 100644
index 0000000..adcc3a9
--- /dev/null
+++ b/roles/switch_control/tasks/main.yml
@@ -0,0 +1,5 @@
+- name: "copy switch_control_client_non_block"
+ copy:
+ src: '{{ role_path }}/files/switch_control_client_non_block'
+ dest: /opt/tsg/env/switch_control_client_non_block
+ mode: 0755
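Review bot: The new `[breakpad]` section sends crash minidumps off the box by default (`enable_breakpad_upload=1`) and stages them in `breakpad_minidump_dir="/tmp/crashreport"`, a fixed path under a world-writable directory. A minidump of a packet-inspection process can hold payload bytes and key material from memory, and nothing here constrains `breakpad_upload_url` to an HTTPS endpoint. I would make upload opt-in, `enable_breakpad_upload={{ breakpad_upload_enabled | default(0) }}` (proposed variable name), and move the dump directory out of /tmp to a path the role creates with mode 0700. A short comment above the section stating what a minidump contains and who receives it would also help operators.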
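Review bot: In roles/switch_control/tasks/main.yml, `mode: 0755` is an unquoted YAML integer; Ansible's documentation recommends the quoted form, `mode: '0755'`, so the value is never reinterpreted as a decimal number. The same applies to roles/switch_rule/tasks/main.yml later in this commit, where 0755 also puts an execute bit on a configuration file that `mode: '0644'` would cover. The task installs a prebuilt binary that is committed as an opaque blob, with no `owner`/`group` set and no checksum or build provenance recorded; adding `owner: root` and `group: root` and a comment naming the source revision the binary was built from would make later audits possible.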
diff --git a/roles/switch_rule/files/saved_startup b/roles/switch_rule/files/saved_startup
new file mode 100644
index 0000000..8eded30
--- /dev/null
+++ b/roles/switch_rule/files/saved_startup
@@ -0,0 +1,347 @@ +# TestPoint History +load ./Config/libertyTrail/testpoint_startup + +add vlan port 1 0 + +create vlan 100 +add vlan port 100 0,11,37,39,41,43 +set port config 11 pvid 100 +set port config 11 mask 0,37,39,41,43 +set port config 0,11,39,37,41,43 learning on + +create vlan 200 +add vlan port 200 0,37,39,9,10,41,43 +set port config 0 mask 9..44 +set port config 37 mask 0..36,38..44 +set port config 39 mask 0..38,40..44 +set port config 41 mask 0..40,42..44 +set port config 43 mask 0..44 +set port config 0,39,37,41,43 learning on + +create vlan 4000 +add vlan port 4000 43 +create vlan 4001 +add vlan port 4001 43 + +create lag +add lag 9261 9,10 +add vlan port 200 9261 +set port config 9261 pvid 200 +set port config 9261 parser_cfg L4 +set port config 9261 learning on +set port config 9261 mask 0,11..44 + +create vlan all +create lag +add vlan port all 43 +add lag 9293 1,2,3,4 +add vlan port all 9293 +set port config 9293 parser_cfg L4 +set port config 9293 learning on +set port config 9293 mask 0,11..44 +set vlan tagging all 1,2,3,4 tag +set vlan tagging 1 1,2,3,4 untag + +create lag +add lag 9325 5,6,7,8 +add vlan port all 9325 +set port config 9325 parser_cfg L4 +set port config 9325 learning on +set port config 9325 mask 0,11..44 +set vlan tagging all 5,6,7,8 tag +set vlan tagging 1 5,6,7,8 untag + +set port 37,39,41,43 powerdown +set port 37,39,41,43 up +set port 1..36 up + +set port config 11 parser_cfg L4 +set port config 37..44 parser_cfg L4 + +set port config 11..36 max_frame_size 15360 +set switch reserved_mac all switch + +set switch config hashing l234 use_smac on +set switch config hashing l234 use_dmac on +set switch config hashing l234 use_l34 on +set switch config hashing l34 use_dip on +set switch config hashing l34 use_sip on +set switch config hashing l234 symmetric on +set switch config hashing l34 symmetric on + + +set port config 9261,9293,9325 max_frame_size 15360 +create acl 1 + +# Redirect all ARP request to ens1f2 +create 
acl-rule 1 40 +add acl-rule condition 1 40 src-port 1 +add acl-rule condition 1 40 ethtype 0x0806 +add acl-rule action 1 40 redirect 7214 + +create acl-rule 1 41 +add acl-rule condition 1 41 src-port 2 +add acl-rule condition 1 41 ethtype 0x0806 +add acl-rule action 1 41 redirect 7214 + +create acl-rule 1 42 +add acl-rule condition 1 42 src-port 3 +add acl-rule condition 1 42 ethtype 0x0806 +add acl-rule action 1 42 redirect 7214 + +create acl-rule 1 43 +add acl-rule condition 1 43 src-port 4 +add acl-rule condition 1 43 ethtype 0x0806 +add acl-rule action 1 43 redirect 7214 + +# Redirect all ICMPv4 to ens1f2 -- 10.0.0.0/8 +create acl-rule 1 44 +add acl-rule condition 1 44 src-port 1 +add acl-rule condition 1 44 protocol 0x1/0xff +add acl-rule condition 1 44 sip 10.0.0.0/8 +add acl-rule condition 1 44 dip 10.0.0.0/8 +add acl-rule action 1 44 redirect 7214 + +create acl-rule 1 45 +add acl-rule condition 1 45 src-port 2 +add acl-rule condition 1 45 protocol 0x1/0xff3 +add acl-rule condition 1 45 sip 10.0.0.0/8 +add acl-rule condition 1 45 dip 10.0.0.0/8 +add acl-rule action 1 45 redirect 7214 + +create acl-rule 1 46 +add acl-rule condition 1 46 src-port 3 +add acl-rule condition 1 46 protocol 0x1/0xff +add acl-rule condition 1 46 sip 10.0.0.0/8 +add acl-rule condition 1 46 dip 10.0.0.0/8 +add acl-rule action 1 46 redirect 7214 + +create acl-rule 1 47 +add acl-rule condition 1 47 src-port 4 +add acl-rule condition 1 47 protocol 0x1/0xff +add acl-rule condition 1 47 sip 10.0.0.0/8 +add acl-rule condition 1 47 dip 10.0.0.0/8 +add acl-rule action 1 47 redirect 7214 + +# Redirect all ICMPv4 to ens1f2 -- 192.168.0.0/16 +create acl-rule 1 48 +add acl-rule condition 1 48 src-port 1 +add acl-rule condition 1 48 protocol 0x1/0xff +add acl-rule condition 1 48 sip 192.168.0.0/16 +add acl-rule condition 1 48 dip 192.168.0.0/16 +add acl-rule action 1 48 redirect 7214 + +create acl-rule 1 49 +add acl-rule condition 1 49 src-port 2 +add acl-rule condition 1 49 protocol 0x1/0xff3 
+add acl-rule condition 1 49 sip 192.168.0.0/16 +add acl-rule condition 1 49 dip 192.168.0.0/16 +add acl-rule action 1 49 redirect 7214 + +create acl-rule 1 50 +add acl-rule condition 1 50 src-port 3 +add acl-rule condition 1 50 protocol 0x1/0xff +add acl-rule condition 1 50 sip 192.168.0.0/16 +add acl-rule condition 1 50 dip 192.168.0.0/16 +add acl-rule action 1 50 redirect 7214 + +create acl-rule 1 51 +add acl-rule condition 1 51 src-port 4 +add acl-rule condition 1 51 protocol 0x1/0xff +add acl-rule condition 1 51 sip 192.168.0.0/16 +add acl-rule condition 1 51 dip 192.168.0.0/16 +add acl-rule action 1 51 redirect 7214 + +# Redirect all TCP with port 51218, for health check - 192.168.0.0/24 +create acl-rule 1 60 +add acl-rule condition 1 60 src-port 1 +add acl-rule condition 1 60 protocol 0x6/0xff +add acl-rule condition 1 60 sip 192.168.0.0/16 +add acl-rule condition 1 60 dip 192.168.0.0/16 +add acl-rule condition 1 60 l4-dst-port 51218/0xffff +add acl-rule action 1 60 redirect 7214 + +create acl-rule 1 61 +add acl-rule condition 1 61 src-port 2 +add acl-rule condition 1 61 protocol 0x6/0xff +add acl-rule condition 1 61 sip 192.168.0.0/16 +add acl-rule condition 1 61 dip 192.168.0.0/16 +add acl-rule condition 1 61 l4-dst-port 51218/0xffff +add acl-rule action 1 61 redirect 7214 + +create acl-rule 1 62 +add acl-rule condition 1 62 src-port 3 +add acl-rule condition 1 62 protocol 0x6/0xff +add acl-rule condition 1 62 sip 192.168.0.0/16 +add acl-rule condition 1 62 dip 192.168.0.0/16 +add acl-rule condition 1 62 l4-dst-port 51218/0xffff +add acl-rule action 1 62 redirect 7214 + +create acl-rule 1 63 +add acl-rule condition 1 63 src-port 4 +add acl-rule condition 1 63 protocol 0x6/0xff +add acl-rule condition 1 63 sip 192.168.0.0/16 +add acl-rule condition 1 63 dip 192.168.0.0/16 +add acl-rule condition 1 63 l4-dst-port 51218/0xffff +add acl-rule action 1 63 redirect 7214 + +# Redirect all TCP with port 51218, for health check - 10.0.0.0/8 +create acl-rule 1 64 
+add acl-rule condition 1 64 src-port 1 +add acl-rule condition 1 64 protocol 0x6/0xff +add acl-rule condition 1 64 sip 10.0.0.0/8 +add acl-rule condition 1 64 dip 10.0.0.0/8 +add acl-rule condition 1 64 l4-dst-port 51218/0xffff +add acl-rule action 1 64 redirect 7214 + +create acl-rule 1 65 +add acl-rule condition 1 65 src-port 2 +add acl-rule condition 1 65 protocol 0x6/0xff +add acl-rule condition 1 65 sip 10.0.0.0/8 +add acl-rule condition 1 65 dip 10.0.0.0/8 +add acl-rule condition 1 65 l4-dst-port 51218/0xffff +add acl-rule action 1 65 redirect 7214 + +create acl-rule 1 66 +add acl-rule condition 1 66 src-port 3 +add acl-rule condition 1 66 protocol 0x6/0xff +add acl-rule condition 1 66 sip 10.0.0.0/8 +add acl-rule condition 1 66 dip 10.0.0.0/8 +add acl-rule condition 1 66 l4-dst-port 51218/0xffff +add acl-rule action 1 66 redirect 7214 + +create acl-rule 1 67 +add acl-rule condition 1 67 src-port 4 +add acl-rule condition 1 67 protocol 0x6/0xff +add acl-rule condition 1 67 sip 10.0.0.0/8 +add acl-rule condition 1 67 dip 10.0.0.0/8 +add acl-rule condition 1 67 l4-dst-port 51218/0xffff +add acl-rule action 1 67 redirect 7214 + +# Redirect all ICMPv6 link-scope packets +create acl-rule 1 70 +add acl-rule condition 1 70 src-port 1 +add acl-rule condition 1 70 frame-type ipv6 +add acl-rule condition 1 70 ttl 255 +add acl-rule action 1 70 redirect 7214 + +create acl-rule 1 71 +add acl-rule condition 1 71 src-port 2 +add acl-rule condition 1 71 frame-type ipv6 +add acl-rule condition 1 71 ttl 255 +add acl-rule action 1 71 redirect 7214 + +create acl-rule 1 72 +add acl-rule condition 1 72 src-port 3 +add acl-rule condition 1 72 frame-type ipv6 +add acl-rule condition 1 72 ttl 255 +add acl-rule action 1 72 redirect 7214 + +create acl-rule 1 73 +add acl-rule condition 1 73 src-port 4 +add acl-rule condition 1 73 frame-type ipv6 +add acl-rule condition 1 73 ttl 255 +add acl-rule action 1 73 redirect 7214 + +create acl-rule 1 74 +add acl-rule condition 1 74 src-port 1 
+add acl-rule condition 1 74 frame-type ipv6 +add acl-rule condition 1 74 sip fc00::/7 +add acl-rule condition 1 74 dip fc00::/7 +add acl-rule action 1 74 redirect 7214 + +create acl-rule 1 75 +add acl-rule condition 1 75 src-port 2 +add acl-rule condition 1 75 frame-type ipv6 +add acl-rule condition 1 75 sip fc00::/7 +add acl-rule condition 1 75 dip fc00::/7 +add acl-rule action 1 75 redirect 7214 + +create acl-rule 1 76 +add acl-rule condition 1 76 src-port 3 +add acl-rule condition 1 76 frame-type ipv6 +add acl-rule condition 1 76 sip fc00::/7 +add acl-rule condition 1 76 dip fc00::/7 +add acl-rule action 1 76 redirect 7214 + +create acl-rule 1 77 +add acl-rule condition 1 77 src-port 4 +add acl-rule condition 1 77 frame-type ipv6 +add acl-rule condition 1 77 sip fc00::/7 +add acl-rule condition 1 77 dip fc00::/7 +add acl-rule action 1 77 redirect 7214 + +create acl-rule 1 80 +add acl-rule condition 1 80 src-glort 0x5801 +add acl-rule action 1 80 redirect 9293 + +create acl-rule 1 90 +add acl-rule condition 1 90 src-glort 0x5803 +add acl-rule condition 1 90 vlan 4000 +add acl-rule action 1 90 redirect 7220 +add acl-rule action 1 90 vlan 1 + +create acl-rule 1 91 +add acl-rule condition 1 91 src-glort 0x5803 +add acl-rule condition 1 91 vlan 4001 +add acl-rule action 1 91 redirect 7213 +add acl-rule action 1 91 vlan 1 + +create acl-rule 1 100 +add acl-rule condition 1 100 src-glort 0x5803 +add acl-rule action 1 100 redirect 9293 + +create acl-rule 1 101 +add acl-rule condition 1 101 src-port 1 +add acl-rule action 1 101 redirect 7216 +create acl-rule 1 102 +add acl-rule condition 1 102 src-port 2 +add acl-rule action 1 102 redirect 7216 +create acl-rule 1 103 +add acl-rule condition 1 103 src-port 3 +add acl-rule action 1 103 redirect 7216 +create acl-rule 1 104 +add acl-rule condition 1 104 src-port 4 +add acl-rule action 1 104 redirect 7216 + +create acl-rule 1 200 +add acl-rule condition 1 200 src-glort 0x5804 +add acl-rule action 1 200 redirect 6189 +create 
acl-rule 1 201 +add acl-rule condition 1 201 src-glort 0x5805 +add acl-rule action 1 201 redirect 5165 +create acl-rule 1 202 +add acl-rule condition 1 202 src-glort 0x5806 +add acl-rule action 1 202 redirect 4141 +create acl-rule 1 203 +add acl-rule condition 1 203 src-glort 0x5000 +add acl-rule action 1 203 redirect 7217 +create acl-rule 1 204 +add acl-rule condition 1 204 src-glort 0x4800 +add acl-rule action 1 204 redirect 7218 +create acl-rule 1 205 +add acl-rule condition 1 205 src-glort 0x4000 +add acl-rule action 1 205 redirect 7219 + +create acl-rule 1 301 +add acl-rule condition 1 301 src-glort 0x5807 +add acl-rule action 1 301 redirect 7216 +add acl-rule action 1 301 vlan 4000 + +create acl-rule 1 302 +add acl-rule condition 1 302 src-glort 0x5800 +add acl-rule action 1 302 redirect 7216 +add acl-rule action 1 302 vlan 4001 + +create acl-rule 1 401 +add acl-rule condition 1 401 src-glort 0x5001 +add acl-rule action 1 401 redirect 9325 +create acl-rule 1 402 +add acl-rule condition 1 402 src-glort 0x4801 +add acl-rule action 1 402 redirect 9325 +create acl-rule 1 403 +add acl-rule condition 1 403 src-glort 0x4001 +add acl-rule action 1 403 redirect 9325 + +apply acl +remote listen diff --git a/roles/switch_rule/tasks/main.yml b/roles/switch_rule/tasks/main.yml new file mode 100644 index 0000000..ac02628 --- /dev/null +++ b/roles/switch_rule/tasks/main.yml @@ -0,0 +1,5 @@ +- name: "copy switch_rule" + copy: + src: '{{ role_path }}/files/saved_startup' + dest: /usr/local/testpoint/perl/Config/libertyTrail/saved_startup + mode: 0755 diff --git a/roles/telegraf_collect/files/telegraf_collect.service b/roles/telegraf_collect/files/telegraf_collect.service deleted file mode 100644 index 64f5800..0000000 --- a/roles/telegraf_collect/files/telegraf_collect.service +++ /dev/null 
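Review bot: In roles/switch_rule/files/saved_startup, ACL rules 45 and 49 use `protocol 0x1/0xff3` while the six sibling ICMPv4 rules use `0x1/0xff`; the trailing `3` looks like a typo, and depending on how the switch CLI parses the mask those two rules may be rejected or match differently, leaving ICMP from src-port 2 unredirected. They should read `add acl-rule condition 1 45 protocol 0x1/0xff` and `add acl-rule condition 1 49 protocol 0x1/0xff`. The comment `for health check - 192.168.0.0/24` does not match rules 60-63, which use `192.168.0.0/16`; one of the two should be corrected. The file ends with `remote listen`; if that opens a control listener on the switch, a comment stating which interface it binds to and how access is restricted belongs next to it.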
@@ -1,16 +0,0 @@ -[Unit] -Description=Statistic information -Documentation=https://github.com/influxdata/telegraf -After=network.target - -[Service] -EnvironmentFile=-/etc/default/telegraf -User=telegraf -ExecStart=/usr/bin/telegraf -config /etc/telegraf/telegraf_collect.conf -config-directory /etc/telegraf/telegraf_collect.d $TELEGRAF_OPTS -ExecReload=/bin/kill -HUP $MAINPID -Restart=on-failure -RestartForceExitStatus=SIGPIPE -KillMode=control-group - -[Install] -WantedBy=multi-user.target diff --git a/roles/telegraf_collect/tasks/main.yml b/roles/telegraf_collect/tasks/main.yml deleted file mode 100644 index a18f43f..0000000 --- a/roles/telegraf_collect/tasks/main.yml +++ /dev/null @@ -1,37 +0,0 @@ -- name: "copy telegraf.rpm to destination server" - copy: - src: "{{ role_path }}/files/telegraf-1.13.0-1.x86_64.rpm" - dest: /tmp - -- name: "install telegraf" - yum: - name: - - /tmp/telegraf-1.13.0-1.x86_64.rpm - state: present - -- name: "Templates telegraf_collect.conf" - template: - src: "{{role_path}}/templates/telegraf_collect.conf_adc.j2" - dest: /etc/telegraf/telegraf_collect.conf - tags: template - when: tsg_running_type == 2 - -- name: "Templates telegraf_collect.conf" - template: - src: "{{role_path}}/templates/telegraf_collect.conf_server.j2" - dest: /etc/telegraf/telegraf_collect.conf - tags: template - when: tsg_running_type != 2 - -- name: "copy telegraf_collect.service to destination server" - copy: - src: "{{ role_path }}/files/telegraf_collect.service" - dest: /usr/lib/systemd/system - mode: 0644 - -- name: "Start telegraf_collect" - systemd: - name: telegraf_collect - state: started - enabled: yes - daemon_reload: yes diff --git a/roles/telegraf_collect/templates/telegraf_collect.conf.j2 b/roles/telegraf_collect/templates/telegraf_collect.conf.j2 deleted file mode 100644 index 0eb75f5..0000000 --- a/roles/telegraf_collect/templates/telegraf_collect.conf.j2 +++ /dev/null 
@@ -1,73 +0,0 @@ -[global_tags] - blade = "{{bladename}}" -[agent] - interval = "5s" - round_interval = true - metric_batch_size = 1000000 - metric_buffer_limit = 1000000 - collection_jitter = "0s" - flush_interval = "1s" - flush_jitter = "0s" - precision = "" - debug = false - quiet = false - logfile = "" - hostname = "" - omit_hostname = false - -[[outputs.file]] - files = ["stdout", "/tmp/collect.out"] - data_format = "json" - rotation_interval = "1h" - rotation_max_size = "100MB" - rotation_max_archives = 5 - -[[outputs.socket_writer]] - address = "udp://192.168.100.1:8100" - - -{% if bladename == "mcn0" %} -[[inputs.procstat]] - exe= "sapp" -[[inputs.procstat]] - exe="certstore" -{% else %} -[[inputs.procstat]] - exe= "tfe" -{% endif %} - -[[inputs.systemd_units]] - unittype = "service" - timeout = "1s" - -[[inputs.cpu]] - percpu = false - totalcpu = true - collect_cpu_time = false - report_active = false - fieldpass = ["usage_idle", "usage_iowait", "usage_system", "usage_user"] - -[[inputs.system]] - fieldpass = ["load1", "load5", "load15"] - -[[inputs.mem]] - fieldpass = ["available"] - -[[inputs.disk]] - fieldpass = ["free", "inodes_free", "used_percent"] - ignore_fs = ["tmpfs", "devtmpfs", "devfs", "overlay", "aufs", "squashfs"] - -[[inputs.diskio]] - fieldpass = ["read_bytes", "write_bytes", "reads","writes"] - -[[inputs.netstat]] - -[[inputs.net]] - ignore_protocol_stats = false - interfaces = ["ens*"] - -[[inputs.kernel]] - -[[inputs.udp_listener]] - ServiceAddress= ":58100" - data_format = "influx" \ No newline at end of file diff --git a/roles/telegraf_collect/templates/telegraf_collect.conf_adc.j2 b/roles/telegraf_collect/templates/telegraf_collect.conf_adc.j2 deleted file mode 100644 index 0eb75f5..0000000 --- a/roles/telegraf_collect/templates/telegraf_collect.conf_adc.j2 +++ /dev/null 
@@ -1,73 +0,0 @@ -[global_tags] - blade = "{{bladename}}" -[agent] - interval = "5s" - round_interval = true - metric_batch_size = 1000000 - metric_buffer_limit = 1000000 - collection_jitter = "0s" - flush_interval = "1s" - flush_jitter = "0s" - precision = "" - debug = false - quiet = false - logfile = "" - hostname = "" - omit_hostname = false - -[[outputs.file]] - files = ["stdout", "/tmp/collect.out"] - data_format = "json" - rotation_interval = "1h" - rotation_max_size = "100MB" - rotation_max_archives = 5 - -[[outputs.socket_writer]] - address = "udp://192.168.100.1:8100" - - -{% if bladename == "mcn0" %} -[[inputs.procstat]] - exe= "sapp" -[[inputs.procstat]] - exe="certstore" -{% else %} -[[inputs.procstat]] - exe= "tfe" -{% endif %} - -[[inputs.systemd_units]] - unittype = "service" - timeout = "1s" - -[[inputs.cpu]] - percpu = false - totalcpu = true - collect_cpu_time = false - report_active = false - fieldpass = ["usage_idle", "usage_iowait", "usage_system", "usage_user"] - -[[inputs.system]] - fieldpass = ["load1", "load5", "load15"] - -[[inputs.mem]] - fieldpass = ["available"] - -[[inputs.disk]] - fieldpass = ["free", "inodes_free", "used_percent"] - ignore_fs = ["tmpfs", "devtmpfs", "devfs", "overlay", "aufs", "squashfs"] - -[[inputs.diskio]] - fieldpass = ["read_bytes", "write_bytes", "reads","writes"] - -[[inputs.netstat]] - -[[inputs.net]] - ignore_protocol_stats = false - interfaces = ["ens*"] - -[[inputs.kernel]] - -[[inputs.udp_listener]] - ServiceAddress= ":58100" - data_format = "influx" \ No newline at end of file diff --git a/roles/telegraf_collect/templates/telegraf_collect.conf_server.j2 b/roles/telegraf_collect/templates/telegraf_collect.conf_server.j2 deleted file mode 100644 index b2699a4..0000000 --- a/roles/telegraf_collect/templates/telegraf_collect.conf_server.j2 +++ /dev/null 
@@ -1,70 +0,0 @@ -[global_tags] - blade = "server" -[agent] - interval = "5s" - round_interval = true - metric_batch_size = 1000000 - metric_buffer_limit = 1000000 - collection_jitter = "0s" - flush_interval = "1s" - flush_jitter = "0s" - precision = "" - debug = false - quiet = false - logfile = "" - hostname = "" - omit_hostname = false - -[[outputs.file]] - files = ["stdout", "/tmp/collect.out"] - data_format = "json" - rotation_interval = "1h" - rotation_max_size = "100MB" - rotation_max_archives = 5 - -[[outputs.socket_writer]] - address = "udp://192.168.100.1:8100" - - -[[inputs.procstat]] - exe= "sapp" -[[inputs.procstat]] - exe="certstore" -[[inputs.procstat]] - exe= "tfe" - -[[inputs.systemd_units]] - unittype = "service" - timeout = "1s" - -[[inputs.cpu]] - percpu = false - totalcpu = true - collect_cpu_time = false - report_active = false - fieldpass = ["usage_idle", "usage_iowait", "usage_system", "usage_user"] - -[[inputs.system]] - fieldpass = ["load1", "load5", "load15"] - -[[inputs.mem]] - fieldpass = ["available"] - -[[inputs.disk]] - fieldpass = ["free", "inodes_free", "used_percent"] - ignore_fs = ["tmpfs", "devtmpfs", "devfs", "overlay", "aufs", "squashfs"] - -[[inputs.diskio]] - fieldpass = ["read_bytes", "write_bytes", "reads","writes"] - -[[inputs.netstat]] - -[[inputs.net]] - ignore_protocol_stats = false - interfaces = ["ens*"] - -[[inputs.kernel]] - -[[inputs.udp_listener]] - ServiceAddress= ":58100" - data_format = "influx" diff --git a/roles/telegraf_statistic/templates/telegraf_statistic.conf.j2 b/roles/telegraf_statistic/templates/telegraf_statistic.conf.j2 index b7e970e..c52161a 100755 --- a/roles/telegraf_statistic/templates/telegraf_statistic.conf.j2 +++ b/roles/telegraf_statistic/templates/telegraf_statistic.conf.j2 
@@ -21,39 +21,12 @@ rotation_max_size = "100MB" rotation_max_archives = 5 -[[aggregators.basicstats]] - period = "15s" - namepass = ["TRAFFIC", "intercept", "hit_share", "tcp_links", "udp_links", "success_log", "failed_log", "bypass", "drop_log", - "byp_intcp_err","e_get_link_mode_err","e_no_link_mode_bysyn","e_asym_route","e_no_syn","e_no_s/a","e_ip_hdr","e_exc_mtu", - "e_tfe_tx","e_tup2stm_add","e_no_tfe","e_dup_tfc","e_cmsg_add","intcp_stm","intcp_B","ipv4_stm","ipv6_stm","ssl_stm", - "http_stm","dup_tfc_stm","dup_tfc_B","intcp_rdy_stm","intcp_rdy_B","pme_new","pme_free","pme_cnt","e_sendlog","e_id2pme_add", - "e_id2pme_del","e_tup2stm_add","e_tup2stm_del","e_sapp_inject","e_bloom_srch","e_bloom_add","id2pme_add_S","id2pme_del_S", - "id2pme_cnt","tup2stm_add_S","tup2stm_del_S","tup2stm_hit","tup2stm_miss","sendlog_S","sapp_inject_S","bloom_hit","bloom_miss", - "id2ssl_add_S","id2ssl_del_S","id2ssl_cnt","ssl2pass_add_S","ssl2pass_del_S","ssl2pass_cnt","dy_pass_stm","dy_pass_B", - "dy_pass_ipv6_stm","dy_pass_ipv4_stm","bloom_cnt","tuple2stm_cnt","usess_hit", "dsess_hit", "dtkt_hit", "SIGPIPE", "fd_rx", - "fd_rx_err", "fd_inst_cls", "stm_open", "stm_cls", "dstm_eof","ustm_eof", "dstm_err", "ustm_err", "stm_kill", "stm_incpt", - "stm_byp", "stm_incpt_B", "dstm_incpt_B", "ustm_incpt_B","plain", "ssl", "ussl_new", "ussl_err", "ussl_e_ciph", "ussl_e_prt", - "ussl_clsing", "ussl_clsd", "ussl_dt_cls", "usess_cache","dssl_new", "dssl_err", "dssl_e_cert", "dssl_e_fb", "dssl_clsing", - "dssl_clsd", "dssl_dt_cls", "dsess_cache", "dtkt_new","dtkt_notfnd", "ssl_no_chlo", "ssl_no_sni", "ssl_fk_crt", "kyr_cache", - "kyr_ask", "kyr_new", "ssl_pinning", "ssl_mauth","ssl_ct_crt", "ssl_ev_crt", "app_no_pinning", "trusted_cert_nums", "doh_sess", - "doh_log", "doh_hijack", "http_sess", "log_num","intcp_mon_num", "intcp_deny_num", "intcp_rdirt_num", "intcp_repl_num", - "intcp_hijk_num", "hijk_bytes", "intcp_ins_num", "ins_bytes","intcp_allow_num", "suspending"] - drop_original = false 
- stats = ["sum"] - [[outputs.kafka]] - brokers = [ {{ telegraf_kafkabrokers.address }} ] - fieldpass = [ "*_conn_num", "*_bytes", "*_in_packets", "*_out_packets", "intercept", "hit_share", "tcp_links", "udp_links", "success_log", "failed_log", "bypass", "drop_log","pinning_num","*pinning_num","intcp_*_num"] + brokers = [ "{{ log_kafkabrokers.address | join("\",\"") }}" ] topic = "TRAFFIC-METRICS-LOG" data_format = "json" -[[outputs.prometheus_client]] - listen = ":9273" - path = "/metrics" [[inputs.tcp_listener]] [[inputs.udp_listener]] ServiceAddress= ":8100" data_format = "influx" -[[outputs.influxdb]] - urls = ["{{ monitor_outputs_influxdb.url }}"] - database = "tsg_stat" diff --git a/roles/tfe/files/memory.conf b/roles/tfe/files/memory.conf index f082028..1593247 100644 --- a/roles/tfe/files/memory.conf +++ b/roles/tfe/files/memory.conf @@ -1,2 +1,3 @@ [Service] -MemoryMax=100G \ No newline at end of file +MemoryLimit=100G +ExecStartPost=/bin/bash -c "echo 100G > /sys/fs/cgroup/memory/system.slice/tfe.service/memory.memsw.limit_in_bytes" diff --git a/roles/tfe/files/tfe-4.3.14.13d2607-1.el7.x86_64.rpm b/roles/tfe/files/tfe-4.3.14.13d2607-1.el7.x86_64.rpm deleted file mode 100644 index f2755aa..0000000 Binary files a/roles/tfe/files/tfe-4.3.14.13d2607-1.el7.x86_64.rpm and /dev/null differ diff --git a/roles/tfe/files/tfe-4.3.15.99731ae-1.el7.x86_64.rpm b/roles/tfe/files/tfe-4.3.15.99731ae-1.el7.x86_64.rpm deleted file mode 100644 index 4e430da..0000000 Binary files a/roles/tfe/files/tfe-4.3.15.99731ae-1.el7.x86_64.rpm and /dev/null differ diff --git a/roles/tfe/files/tfe-4.3.16.b1c3ba7-1.el7.x86_64.rpm b/roles/tfe/files/tfe-4.3.16.b1c3ba7-1.el7.x86_64.rpm deleted file mode 100644 index 38fe1a2..0000000 Binary files a/roles/tfe/files/tfe-4.3.16.b1c3ba7-1.el7.x86_64.rpm and /dev/null differ 
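Review bot: The added `ExecStartPost` in roles/tfe/files/memory.conf writes to a cgroup v1 path, `/sys/fs/cgroup/memory/system.slice/tfe.service/memory.memsw.limit_in_bytes`, that only exists when swap accounting is enabled on a v1 hierarchy. When the file is missing the shell redirect fails, systemd treats the failed ExecStartPost as a failed start, and with `Restart=always` in tfe.service the unit would loop. If the limit is best-effort, prefix the command with `-`, i.e. `ExecStartPost=-/bin/bash -c "..."`; if it is mandatory, add a comment stating the kernel prerequisite so the failure is understood.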
diff --git a/roles/tfe/files/tfe-4.3.28.ce28c42-1.el7.x86_64.rpm b/roles/tfe/files/tfe-4.3.28.ce28c42-1.el7.x86_64.rpm
new file mode 100644
index 0000000..a200eea
Binary files /dev/null and b/roles/tfe/files/tfe-4.3.28.ce28c42-1.el7.x86_64.rpm differ
diff --git a/roles/tfe/files/tfe.service b/roles/tfe/files/tfe.service
index 86f2d11..16bbab9 100755
--- a/roles/tfe/files/tfe.service
+++ b/roles/tfe/files/tfe.service
@@ -8,7 +8,7 @@ After=tfe-env.service
 Type=notify
 ExecStart=/opt/tsg/tfe/bin/tfe
 WorkingDirectory=/opt/tsg/tfe/
-TimeoutSec=7200s
+TimeoutSec=900s
 RestartSec=10s
 Restart=always
 LimitNOFILE=524288
diff --git a/roles/tfe/files/tsg_diagnose_ca.pem b/roles/tfe/files/tsg_diagnose_ca.pem
new file mode 100644
index 0000000..0d1f838
--- /dev/null
+++ b/roles/tfe/files/tsg_diagnose_ca.pem
@@ -0,0 +1,49 @@ +-----BEGIN CERTIFICATE----- +MIIGWzCCBEOgAwIBAgIJAMimxpHS+4hRMA0GCSqGSIb3DQEBCwUAMHcxCzAJBgNV +BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNp +c2NvMQ8wDQYDVQQKDAZCYWRTU0wxKjAoBgNVBAMMIUJhZFNTTCBSb290IENlcnRp +ZmljYXRlIEF1dGhvcml0eTAeFw0yMDEwMjYwODQ3NDZaFw00MDEwMjEwODQ3NDZa +MHcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1T +YW4gRnJhbmNpc2NvMQ8wDQYDVQQKDAZCYWRTU0wxKjAoBgNVBAMMIUJhZFNTTCBS +b290IENlcnRpZmljYXRlIEF1dGhvcml0eTCCAiIwDQYJKoZIhvcNAQEBBQADggIP +ADCCAgoCggIBAKnefEvaekYAdlfFtpnaPaKYgl+X3FOXUEiYLHuX9YZjuhjVAf/I +19iW7+k6mln3jSxD05YZQk/jUVTTVjYgQftHzlZiJG086AGhG86QwDIPb9nQIGy8 +3DscFFQGGOoYPdV9E+s1cFDTIFGqqqlJ5T5jpjnAL/3WR2LxrgzPVkBjcOTJnkU6 +Gv2jqwQYGSz8+A6FYsGLqO6Pv7uKY1OPELNcTGnSwD1uctsMHn/Xqx4nMaBoMuSc +TZQEneSagGDgF1dVqEFhVEPo4VXiVthhS82xA3xK69UKfKLFkjjy+icH8LllKUFo +Psu+w/9V3OZ4xfzjEdpoRwRUmOesS5wlEkd3rLKEWXG/A8Uul5iCZ2Dez9nE6wi7 +w7JD7R1InPoD+7KXtT2JWS+9sj+Vre7XIjSEQuBRGiTOXnDcuYjFOkvCqS7OToUc +fOJAlKHCndqBnzLoLJHU2ozrqgz8SU0Iv1CPW6YXLtRFFX3K9WUvX7XNTonh+oWS +6IGifWnVcYh2N5peUuNVT4heD4QfIDpCvjwUAp2IWr1GnEjvjhPaHialRotHhfCi +t3T0F58IhFQ6+CLQwE57Yd+7zGbc7osqTe1hbiK2wcciTuajmGZyfev8atFey+Y5 +N/7jD3U0a6u4Z+DyGcc08Pj94cM5AJ7SA45LKwt6xhmGLzhemmdGLJLNAgMBAAGj +gekwgeYwHQYDVR0OBBYEFMGs0F0ycvMIQgM6oTyOBrxzjCPKMIGpBgNVHSMEgaEw +gZ6AFMGs0F0ycvMIQgM6oTyOBrxzjCPKoXukeTB3MQswCQYDVQQGEwJVUzETMBEG +A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzEPMA0GA1UE +CgwGQmFkU1NMMSowKAYDVQQDDCFCYWRTU0wgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRo +b3JpdHmCCQDIpsaR0vuIUTAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkq +hkiG9w0BAQsFAAOCAgEAeZzR9GKvTRiKfRqCzjhylk+7IbymWjxNTc2LQ3+O6lww +kw6Z2ybzvR3i/IZ7Hw+DBo1MXku9qHW/1uKR2BssoLHU1p1iHCBrZ1nw9MXxqXa3 +PhgxUZZu39NdXFc12fY/SYP8XQkNVzQCNouOvb75hj087ZDHvGztHIaB3VNUs1p+ +qMvGm8RVUGfDDqynUBZ814N32eCu+13N+dGL7yxASzD6Y3/myhVjixUuoUG3zFTW +NnIWspbC8MxhP/3QUMYi4KJM4KDiJQxPhGkMBwlhgAz/QPEJApKq0Cl0Reez7Gyd +KdnrqvCKhf8K53Su8L1GeRvzzKb7Hi+kMWIZVJPGz2DHgOymP5RCsIuWG6cDgx5E 
+3LfZYEPG63ezj+qMZmkdEMnD9SVBi85dOTOJ+OJgxxX2OahUKPUdDP89ZmHdOjR9 +CqUxnA+eqRNz1TajnjRFXir3/20SoBtrHBck3bxpmZwsF7A6Sg5RdlvQjK2Oy6g0 +9LrkPUgu9O/sBfz8uyG/HlQD7EuUNo0NQHqznnde3T+w5wY2vL3XUAl39qcpNPF6 +auCS8+aygYYmCUooZVzKlXGU3VUPGwcfmLE4gnPLT0+pnHtBS8tKLOzXAJjYQ3s+ +QpP3aO4lJvoZ6Oes/JRxNPW8dmaLxTKPqsaPEWWuoSYr0higPTBXQNg+++PYRY4= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIB8jCCAVugAwIBAgIJAP3GpXchIMWHMA0GCSqGSIb3DQEBCwUAMBExDzANBgNV +BAsMBkdFRURHRTAgFw0yMDAzMDkxNjEyNTlaGA8yMDUwMDMwMjE2MTI1OVowETEP +MA0GA1UECwwGR0VFREdFMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCraZpH +Fca2Iu+9E9HzKbEi2Akdk4RrUJxkQjB2Tr7fGxwPDXqdGvSoXDdgnSA0I0bbNqMs +drgiCWimjnGiWfY0sssKg7plNTQ4i7Zz7P9Isyf6TuxvB09CzdhH2FQ3lLRTb8pv +BA0E28CCYiZhtX1/3RlDSvxaRKOM3yEt0q+FRQIDAQABo1AwTjAdBgNVHQ4EFgQU +NqrpSlpCuMBJlCLZEE/D5ZpBy8swHwYDVR0jBBgwFoAUNqrpSlpCuMBJlCLZEE/D +5ZpBy8swDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOBgQBsybFxUAjzhJ5H +VbSLhyillxtAJ3vEKtLrMVnAgRUEwamyu1JQGndF9kh8RapSmHhmuZM9iTc+NsNb +DKGKmEOY0vQMw83xE7EGYj4Nhww9UMyGglmTLbd3yB+uJA97beNVduU2mifDHGmN +4buMiPl3AozGRl9p5UCzZM5XxMMw1A== +-----END CERTIFICATE----- diff --git a/roles/tfe/tasks/main.yml b/roles/tfe/tasks/main.yml index 7842372..e22fa5f 100644 --- a/roles/tfe/tasks/main.yml +++ b/roles/tfe/tasks/main.yml @@ -14,9 +14,14 @@ yum: name: - /tmp/ansible_deploy/tfe-kmod-v1.0.5.20200408-1dkms.noarch.rpm - - /tmp/ansible_deploy/tfe-4.3.16.b1c3ba7-1.el7.x86_64.rpm + - /tmp/ansible_deploy/tfe-4.3.28.ce28c42-1.el7.x86_64.rpm state: present +- name: "tfe:copy cert file to device" + copy: + src: '{{ role_path }}/files/tsg_diagnose_ca.pem' + dest: /opt/tsg/tfe/resource/tfe/ + - name: "template tfe-env config" template: src: "{{ role_path }}/templates/tfe-env-config.j2" diff --git a/roles/tfe/templates/future.conf.j2 b/roles/tfe/templates/future.conf.j2 index 80254b9..a90dcf0 100755 --- a/roles/tfe/templates/future.conf.j2 +++ b/roles/tfe/templates/future.conf.j2 
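Review bot: tsg_diagnose_ca.pem adds two self-signed CA certificates that the new copy task in roles/tfe/tasks/main.yml places in /opt/tsg/tfe/resource/tfe/ on every tfe host, and nothing in the commit states how TFE uses them. The subject of the first decodes to a BadSSL test root, and the second (`OU=GEEDGE`) appears to carry a 1024-bit RSA key with validity to 2050; if TFE loads this file as trust anchors for upstream verification, production sessions would accept anything signed by those keys. I would gate the task behind an inventory flag, `when: tfe_install_diagnose_ca | default(false)` (proposed variable name), and set `mode: '0644'` with `owner: root` on the copy. A comment on the task stating the file's purpose and that it must not be merged into the production trust store would make the intent reviewable.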
@@ -1,7 +1,7 @@ [STAT] no_stats=0 -statsd_server=127.0.0.1 -statsd_port=58100 +statsd_server=192.168.100.1 +statsd_port=8100 histogram_bins=0.50,0.80,0.9,0.95 statsd_cycle=5 # FS_OUTPUT_STATSD=1, FS_OUTPUT_INFLUX_LINE=2 diff --git a/roles/tfe/templates/pangu_pxy.conf.j2 b/roles/tfe/templates/pangu_pxy.conf.j2 index 936d4b2..89b0efa 100644 --- a/roles/tfe/templates/pangu_pxy.conf.j2 +++ b/roles/tfe/templates/pangu_pxy.conf.j2 @@ -34,7 +34,7 @@ cache_store_object_way=0 redis_cache_object_size=1024000 #Configs of WiredLB for Minios load balancer. #WIREDLB_OVERRIDE=1 -wiredlb_health_port=42310 +#wiredlb_health_port=42310 #If CACHE_STORE_OBJECT_WAY is not 0, we will use redis to store meta and object. redis_cluster_ip_list=192.168.10.62-63; redis_cluster_port_range=6379 @@ -43,7 +43,7 @@ redis_cluster_port_range=6379 wiredlb_override=1 wiredlb_topic=MinioFileLog wiredlb_datacenter=k18consul-tse -wiredlb_health_port=52102 +wiredlb_health_port=8560 wiredlb_group=FileLog log_fsstat_appname=tango_log_file @@ -103,7 +103,3 @@ log_fsstat_dst_ip=10.4.20.201 log_fsstat_dst_port=8125 -[traffic_mirror] -table_info=resource/pangu/table_info_traffic_mirror.conf -stat_file=log/traffic_mirror.status - diff --git a/roles/tfe/templates/tfe.conf.j2 b/roles/tfe/templates/tfe.conf.j2 index ea4f3b4..6aa98dc 100644 --- a/roles/tfe/templates/tfe.conf.j2 +++ b/roles/tfe/templates/tfe.conf.j2 @@ -63,7 +63,7 @@ service_cache_slots=4194304 service_cache_expire_seconds=300 service_cache_fail_as_pinning_cnt=4 service_cache_fail_as_proto_err_cnt=5 -service_cache_succ_as_app_not_pinning_cnt=0 +#service_cache_succ_as_app_not_pinning_cnt=0 service_cache_fail_time_window=30 # cert 
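Review bot: `statsd_server=192.168.100.1` is hard-coded in roles/tfe/templates/future.conf.j2, and again in the `[stat]` hunk of roles/tfe/templates/tfe.conf.j2, although both files are Jinja templates and other endpoints in them come from inventory. The change also moves metrics from loopback to plain UDP across the network to port 8100, where the telegraf_statistic `udp_listener` on `:8100` accepts input without authentication as far as the template shows. Suggest `statsd_server={{ tfe_statsd_server }}` and `statsd_port={{ tfe_statsd_port }}` (proposed variable names) with the values defined once in group_vars, and limiting port 8100 to the blade-internal network in the firewall role.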
@@ -84,9 +84,11 @@ key_log_file=log/sslkeylog.log # mid cert cache mc_cache_enable=1 mc_cache_eth={{ nic_mgr.name }} -mc_cache_broker_list={{ log_kafkabrokers.address }} +mc_cache_broker_list={{ log_kafkabrokers.address | join(",") }} mc_cache_topic=PXY-EXCH-INTERMEDIA-CERT +ssl_ja3_table=PXY_SSL_FINGERPRINT + [key_keeper] #Mode: debug - generate cert with ca_path, normal - generate cert with cert store #0 on cache 1 off cache @@ -132,12 +134,14 @@ tcp_ttl_upstream=75 tcp_ttl_downstream=70 [stat] -statsd_server=127.0.0.1 -statsd_port=58100 +statsd_server=192.168.100.1 +statsd_port=8100 statsd_cycle=5 # 1:FS_OUTPUT_STATSD; 2:FS_OUTPUT_INFLUX_LINE statsd_format=2 histogram_bins=0.5,0.8,0.9,0.95 +statsd_set_prometheus_port=9001 +statsd_set_prometheus_url_path=/metrics [traffic_mirror] {% if tsg_running_type != 2 %} @@ -151,11 +155,13 @@ device={{ nic_traffic_mirror.name }} # 0:TRAFFIC_MIRROR_ETHDEV_AF_PACKET; 1:TRAFFIC_MIRROR_ETHDEV_MARSIO type=1 {% endif %} +table_info=resource/pangu/table_info_traffic_mirror.conf +stat_file=log/traffic_mirror.status [kafka] enable=1 NIC_NAME={{ nic_mgr.name }} -kafka_brokerlist={{ log_kafkabrokers.address }} +kafka_brokerlist={{ log_kafkabrokers.address | join(",") }} kafka_topic=PROXY-EVENT-LOG device_id_filepath=/opt/tsg/etc/tsg_sn.json @@ -170,13 +176,6 @@ stat_file=log/pangu_scan.fs2 effect_interval_s=1 deferred_load_on=0 -# Pangu uses accept_tags to support the effective range of the device. -# Traffic mirroring does not need to support the effective range of the device, -# but pangu and traffic mirroring use the same maat configuration file. -# Therefore, there is no need to set accept_tags in tfe.conf, -# just set accept_tags in the tfe_resource_init() code -# accept_tags={"tags":[{"tag":"device_id","value":"device_1"}]} - # json mode conf iterm json_cfg_file=resource/pangu/pangu_http.json 
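Review bot: `mc_cache_broker_list={{ log_kafkabrokers.address | join(",") }}` only renders a valid broker list when `log_kafkabrokers.address` is a list; if any inventory still defines it as a single string, `join` iterates its characters and puts a comma between each one. The `kafka_brokerlist` line in the `[kafka]` hunk has the same exposure. The variable's definition is not part of this hunk, so either confirm every group_vars file was converted or make the template tolerate both shapes, e.g. `{{ [log_kafkabrokers.address] | flatten | join(",") }}`.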
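Review bot: `statsd_set_prometheus_port=9001` and `statsd_set_prometheus_url_path=/metrics` in the `[stat]` hunk appear to open a new scrape endpoint, and the hunk neither documents it nor says who may reach it. Which interface the listener binds to is not visible here, so it is worth checking that the host firewall rules on the devices running tfe limit port 9001 to the collector. A comment such as `# Prometheus scrape endpoint, management network only` above the two lines would record the expectation.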
diff --git a/roles/tsg-diagnose/files/install_docker.zip b/roles/tsg-diagnose/files/install_docker.zip
deleted file mode 100644
index 7725529..0000000
Binary files a/roles/tsg-diagnose/files/install_docker.zip and /dev/null differ
diff --git a/roles/tsg-diagnose/files/tsg-diagnose-20.10.02.6d0631a-1.el7.x86_64.rpm b/roles/tsg-diagnose/files/tsg-diagnose-20.10.02.6d0631a-1.el7.x86_64.rpm
deleted file mode 100644
index ceb3bcd..0000000
Binary files a/roles/tsg-diagnose/files/tsg-diagnose-20.10.02.6d0631a-1.el7.x86_64.rpm and /dev/null differ
diff --git a/roles/tsg-diagnose/files/tsg-diagnose-certs.tgz b/roles/tsg-diagnose/files/tsg-diagnose-certs.tgz
deleted file mode 100644
index 5e61e27..0000000
Binary files a/roles/tsg-diagnose/files/tsg-diagnose-certs.tgz and /dev/null differ
diff --git a/roles/tsg-diagnose/tasks/main.yml b/roles/tsg-diagnose/tasks/main.yml
deleted file mode 100644
index a8da49b..0000000
--- a/roles/tsg-diagnose/tasks/main.yml
+++ /dev/null
@@ -1,53 +0,0 @@
-- name: "Tsg-diagnose:copy file to device"
- copy:
- src: '{{ role_path }}/files/'
- dest: /tmp/ansible_deploy/
-
-- name: "unarchive install_docker.zip"
- unarchive:
- src: /tmp/ansible_deploy/install_docker.zip
- dest: /tmp/ansible_deploy/
- remote_src: yes
-
-- name: "exec docker install shell"
- shell: cd /tmp/ansible_deploy/install_docker; sh setup_docker.sh
-
-- name: 'Docker service start and enable'
- systemd:
- name: docker
- enabled: yes
- state: started
- daemon_reload: yes
-
-- name: "Install tsg-diagnose rpm package"
- yum:
- name:
- - "/tmp/ansible_deploy/tsg-diagnose-20.10.02.6d0631a-1.el7.x86_64.rpm"
- state: present
-
-- name: "Templates tsg-diagnose.config"
- template:
- src: "{{role_path}}/templates/tsg-diagnose.config.j2"
- dest: /opt/tsg/tsg-diagnose/etc/tsg-diagnose.config
- tags: template
-
-- name: "tsg-diagnose:mkdir -p .badssl_cert_dict"
- file:
- path: /opt/tsg/tsg-diagnose/.badssl_cert_dict
- state: directory
-
-
-- name: "tsg-diagnose: unarchive certs"
- unarchive:
- src: /tmp/ansible_deploy/tsg-diagnose-certs.tgz
- dest: /opt/tsg/tsg-diagnose/.badssl_cert_dict
- remote_src: yes
-
-- name: 'Tsg-diagnose service start'
- systemd:
- name: tsg-diagnose
- enabled: yes
- daemon_reload: yes
-
-- name: "tsg-diagnose init rsync deamon"
- shell: /bin/sh /opt/tsg/tsg-diagnose/deploy/rsync/init_rsyncd.sh
diff --git a/roles/tsg-diagnose/templates/tsg-diagnose.config.j2 b/roles/tsg-diagnose/templates/tsg-diagnose.config.j2
deleted file mode 100644
index 907150e..0000000
--- a/roles/tsg-diagnose/templates/tsg-diagnose.config.j2
+++ /dev/null
@@ -1,135 +0,0 @@
-[test_securityPolicy_bypass]
-# enabled = 1 run this case
-enabled = 1
-#Connection TIMEOUT, in seconds
-conn_timeout = 1
-#max_recv_speed_large byte/s
-max_recv_speed_large = 6553600
-
-[test_securityPolicy_intercept]
-enabled = 1
-conn_timeout = 1
-max_recv_speed_large = 6553600
-
-[test_securityPolicy_intercept_certerrExpired]
-enabled = 1
-conn_timeout = 1
-max_recv_speed_large = 6553600
-
-[test_securityPolicy_intercept_certerrSelf_signed]
-enabled = 1
-conn_timeout = 1
-max_recv_speed_large = 6553600
-
-[test_securityPolicy_intercept_certerrUntrusted_root]
-enabled = 1
-conn_timeout = 1
-max_recv_speed_large = 6553600
-
-[test_proxyPolicy_ssl_redirect]
-enabled = 1
-conn_timeout = 1
-max_recv_speed_large = 6553600
-
-[test_proxyPolicy_ssl_block]
-enabled = 1
-conn_timeout = 1
-max_recv_speed_large = 6553600
-
-[test_proxyPolicy_ssl_replace]
-enabled = 1
-conn_timeout = 1
-max_recv_speed_large = 6553600
-
-[test_proxyPolicy_ssl_hijack]
-enabled = 1
-conn_timeout = 1
-max_recv_speed_large = 6553600
-
-[test_proxyPolicy_ssl_insert]
-enabled = 1
-conn_timeout = 1
-max_recv_speed_large = 6553600
-
-[test_proxyPolicy_http_redirect]
-enabled = 1
-conn_timeout = 1
-max_recv_speed_large = 6553600
-
-[test_proxyPolicy_http_block]
-enabled = 1
-conn_timeout = 1
-max_recv_speed_large = 6553600
-
-[test_proxyPolicy_http_replace]
-enabled = 1
-conn_timeout = 1
-max_recv_speed_large = 6553600
-
-[test_proxyPolicy_http_hijack]
-enabled = 1
-conn_timeout = 1
-max_recv_speed_large = 6553600
-
-[test_proxyPolicy_http_insert]
-enabled = 1
-conn_timeout = 1
-max_recv_speed_large = 6553600
-
-[test_https_con_traffic_1k]
-enabled = 1
-conn_timeout = 1
-max_recv_speed_large = 6553600
-
-[test_https_con_traffic_4k]
-enabled = 1
-conn_timeout = 1
-max_recv_speed_large = 6553600
-
-[test_https_con_traffic_16k]
-enabled = 1
-conn_timeout = 1
-max_recv_speed_large = 6553600
-
-[test_https_con_traffic_64k]
-enabled = 1
-conn_timeout = 1
-max_recv_speed_large = 6553600
-
-[test_https_con_traffic_256k]
-enabled = 1
-conn_timeout = 1
-max_recv_speed_large = 6553600
-
-[test_https_con_traffic_1M]
-enabled = 1
-conn_timeout = 1
-max_recv_speed_large = 6553600
-
-[test_https_con_traffic_4M]
-enabled = 1
-conn_timeout = 1
-max_recv_speed_large = 6553600
-
-[test_https_con_traffic_16M]
-enabled = 1
-conn_timeout = 4
-max_recv_speed_large = 6553600
-
-[test_https_con_traffic_64M]
-enabled = 1
-conn_timeout = 12
-max_recv_speed_large = 6553600
-
-[start_time_random_delay_range]
-enabled = 1
-#Left_edge is the left edge of the randomly generated time in seconds
-left_edge = 0
-#Left_edge is the right edge of the randomly generated time in seconds
-right_edge = 30
-
-[telegraf]
-host = 192.51.100.1
-port = 58100
-tags_key = app_name
-tags_value = tsg-diagnose
diff --git a/roles/tsg-diagnose_stop_sync/tasks/main.yml b/roles/tsg-diagnose_stop_sync/tasks/main.yml
deleted file mode 100644
index 1633c16..0000000
--- a/roles/tsg-diagnose_stop_sync/tasks/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-- name: "tsg-diagnose: stop rsync deamon process"
- shell: killall -9 rsync
-
diff --git a/roles/tsg-diagnose_sync_ca/tasks/main.yml b/roles/tsg-diagnose_sync_ca/tasks/main.yml
deleted file mode 100644
index c577a8a..0000000
--- a/roles/tsg-diagnose_sync_ca/tasks/main.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-- name: "tsg-diagnose: rsync badssl ca certs"
- shell: rsync -avzP --delete 192.168.100.1::blade0toother /tmp/sync/
-
-- name: "tsg-diagnose: add badssl ca file to tfe tls-ca-bundle"
- shell: cat /tmp/sync/ca-root.crt > /opt/tsg/tfe/resource/tfe/tsg_diagnose_ca.pem && cat /tmp/sync/wpr_cert.pem >> /opt/tsg/tfe/resource/tfe/tsg_diagnose_ca.pem
-
diff --git a/roles/tsg-env-patch/files/replace_switch_non_block_with_nc_v2.patch b/roles/tsg-env-patch/files/replace_switch_non_block_with_nc_v2.patch
new file mode 100644
index 0000000..a149c6d
--- /dev/null
+++ b/roles/tsg-env-patch/files/replace_switch_non_block_with_nc_v2.patch
@@ -0,0 +1,8 @@
+99c99
+< ${CURRENT_PATH}/${REMOTE_CONTROL_BIN} -s ${TP_SVR} -n ${TP_PORT} -c "show version"
+---
+> echo "show version" | nc ${TP_SVR} ${TP_PORT}
+136c136
+< MAC_TABLE=`${CURRENT_PATH}/${REMOTE_CONTROL_BIN} -s ${TP_SVR} -n ${TP_PORT} -c "show mac table all"`
+---
+> MAC_TABLE=$(echo "show mac table all" | nc ${TP_SVR} ${TP_PORT})
diff --git a/roles/tsg-env-patch/tasks/main.yml b/roles/tsg-env-patch/tasks/main.yml
new file mode 100644
index 0000000..cc4f163
--- /dev/null
+++ b/roles/tsg-env-patch/tasks/main.yml
@@ -0,0 +1,5 @@
+- name: "patch setup scripts in tsg-env"
+ patch:
+ src: "{{ role_path }}/files/replace_switch_non_block_with_nc_v2.patch"
+ dest: /opt/tsg/env/setup
+ backup: true
diff --git a/roles/tsg-env-patch/templates/maat-redis.conf.j2 b/roles/tsg-env-patch/templates/maat-redis.conf.j2
new file mode 100644
index 0000000..960ba10
--- /dev/null
+++ b/roles/tsg-env-patch/templates/maat-redis.conf.j2
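Review bot: Both replacement lines call `nc ${TP_SVR} ${TP_PORT}` without a timeout, so if the switch accepts the connection and never closes it the setup script can block at line 99 or 136, which is the opposite of what the patch's file name promises. `nc -w <seconds> "${TP_SVR}" "${TP_PORT}"` (placeholder value) bounds the wait and quotes the expansions. Neither line checks nc's exit status, so an unreachable switch leaves `MAC_TABLE` empty without an error; whether the rest of the script copes with that is outside this hunk.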
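Review bot: The role's only task applies `replace_switch_non_block_with_nc_v2.patch`, yet the same commit adds `templates/maat-redis.conf.j2` to this role and no task here renders it; if it is meant to be deployed a `template` task is missing, and if not the file should be dropped. That matters because the visible part of the template sets `protected-mode no`, leaves `bind` commented out and sets neither `requirepass` nor `masterauth`, so the instance would accept unauthenticated clients on every interface. If the template is kept, I would bind it to the management address and take the password from a vaulted variable before any task uses it. Separately, the patch file is a context-free normal diff, so regenerating it as a unified diff would make the `patch` task fail more clearly when `/opt/tsg/env/setup` differs from the expected version.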
@@ -0,0 +1,1317 @@ +# Redis configuration file example. +# +# Note that in order to read the configuration file, Redis must be +# started with the file path as first argument: +# +# ./redis-server /path/to/redis.conf + +# Note on units: when memory size is needed, it is possible to specify +# it in the usual form of 1k 5GB 4M and so forth: +# +# 1k => 1000 bytes +# 1kb => 1024 bytes +# 1m => 1000000 bytes +# 1mb => 1024*1024 bytes +# 1g => 1000000000 bytes +# 1gb => 1024*1024*1024 bytes +# +# units are case insensitive so 1GB 1Gb 1gB are all the same. + +################################## INCLUDES ################################### + +# Include one or more other config files here. This is useful if you +# have a standard template that goes to all Redis servers but also need +# to customize a few per-server settings. Include files can include +# other files, so use this wisely. +# +# Notice option "include" won't be rewritten by command "CONFIG REWRITE" +# from admin or Redis Sentinel. Since Redis always uses the last processed +# line as value of a configuration directive, you'd better put includes +# at the beginning of this file to avoid overwriting config change at runtime. +# +# If instead you are interested in using includes to override configuration +# options, it is better to use include as the last line. +# +# include /path/to/local.conf +# include /path/to/other.conf + +################################## MODULES ##################################### + +# Load modules at startup. If the server is not able to load modules +# it will abort. It is possible to use multiple loadmodule directives. +# +# loadmodule /path/to/my_module.so +# loadmodule /path/to/other_module.so + +################################## NETWORK ##################################### + +# By default, if no "bind" configuration directive is specified, Redis listens +# for connections from all the network interfaces available on the server. 
+# It is possible to listen to just one or multiple selected interfaces using +# the "bind" configuration directive, followed by one or more IP addresses. +# +# Examples: +# +# bind 192.168.1.100 10.0.0.1 +# bind 127.0.0.1 ::1 +# +# ~~~ WARNING ~~~ If the computer running Redis is directly exposed to the +# internet, binding to all the interfaces is dangerous and will expose the +# instance to everybody on the internet. So by default we uncomment the +# following bind directive, that will force Redis to listen only into +# the IPv4 lookback interface address (this means Redis will be able to +# accept connections only from clients running into the same computer it +# is running). +# +# IF YOU ARE SURE YOU WANT YOUR INSTANCE TO LISTEN TO ALL THE INTERFACES +# JUST COMMENT THE FOLLOWING LINE. +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +#bind 127.0.0.1 + +# Protected mode is a layer of security protection, in order to avoid that +# Redis instances left open on the internet are accessed and exploited. +# +# When protected mode is on and if: +# +# 1) The server is not binding explicitly to a set of addresses using the +# "bind" directive. +# 2) No password is configured. +# +# The server only accepts connections from clients connecting from the +# IPv4 and IPv6 loopback addresses 127.0.0.1 and ::1, and from Unix domain +# sockets. +# +# By default protected mode is enabled. You should disable it only if +# you are sure you want clients from other hosts to connect to Redis +# even if no authentication is configured, nor a specific set of interfaces +# are explicitly listed using the "bind" directive. +protected-mode no + +# Accept connections on the specified port, default is 6379 (IANA #815344). +# If port 0 is specified Redis will not listen on a TCP socket. +port {{ maat_redis_city_server.port }} + +# TCP listen() backlog. 
+# +# In high requests-per-second environments you need an high backlog in order +# to avoid slow clients connections issues. Note that the Linux kernel +# will silently truncate it to the value of /proc/sys/net/core/somaxconn so +# make sure to raise both the value of somaxconn and tcp_max_syn_backlog +# in order to get the desired effect. +tcp-backlog 511 + +# Unix socket. +# +# Specify the path for the Unix socket that will be used to listen for +# incoming connections. There is no default, so Redis will not listen +# on a unix socket when not specified. +# +# unixsocket /tmp/redis.sock +# unixsocketperm 700 + +# Close the connection after a client is idle for N seconds (0 to disable) +timeout 0 + +# TCP keepalive. +# +# If non-zero, use SO_KEEPALIVE to send TCP ACKs to clients in absence +# of communication. This is useful for two reasons: +# +# 1) Detect dead peers. +# 2) Take the connection alive from the point of view of network +# equipment in the middle. +# +# On Linux, the specified value (in seconds) is the period used to send ACKs. +# Note that to close the connection the double of the time is needed. +# On other kernels the period depends on the kernel configuration. +# +# A reasonable value for this option is 300 seconds, which is the new +# Redis default starting with Redis 3.2.1. +tcp-keepalive 300 + +################################# GENERAL ##################################### + +# By default Redis does not run as a daemon. Use 'yes' if you need it. +# Note that Redis will write a pid file in /var/run/redis.pid when daemonized. +daemonize no + +# If you run Redis from upstart or systemd, Redis can interact with your +# supervision tree. 
Options: +# supervised no - no supervision interaction +# supervised upstart - signal upstart by putting Redis into SIGSTOP mode +# supervised systemd - signal systemd by writing READY=1 to $NOTIFY_SOCKET +# supervised auto - detect upstart or systemd method based on +# UPSTART_JOB or NOTIFY_SOCKET environment variables +# Note: these supervision methods only signal "process is ready." +# They do not enable continuous liveness pings back to your supervisor. +supervised no + +# If a pid file is specified, Redis writes it where specified at startup +# and removes it at exit. +# +# When the server runs non daemonized, no pid file is created if none is +# specified in the configuration. When the server is daemonized, the pid file +# is used even if not specified, defaulting to "/var/run/redis.pid". +# +# Creating a pid file is best effort: if Redis is not able to create it +# nothing bad happens, the server will start and run normally. +pidfile /var/run/redis_{{ maat_redis_city_server.port }}.pid + +# Specify the server verbosity level. +# This can be one of: +# debug (a lot of information, useful for development/testing) +# verbose (many rarely useful info, but not a mess like the debug level) +# notice (moderately verbose, what you want in production probably) +# warning (only very important / critical messages are logged) +loglevel notice + +# Specify the log file name. Also the empty string can be used to force +# Redis to log on the standard output. Note that if you use standard +# output for logging but daemonize, logs will be sent to /dev/null +logfile /var/log/redis/redis.log + +# To enable logging to the system logger, just set 'syslog-enabled' to yes, +# and optionally update the other syslog parameters to suit your needs. +# syslog-enabled no + +# Specify the syslog identity. +# syslog-ident redis + +# Specify the syslog facility. Must be USER or between LOCAL0-LOCAL7. +# syslog-facility local0 + +# Set the number of databases. 
The default database is DB 0, you can select +# a different one on a per-connection basis using SELECT where +# dbid is a number between 0 and 'databases'-1 +databases 16 + +# By default Redis shows an ASCII art logo only when started to log to the +# standard output and if the standard output is a TTY. Basically this means +# that normally a logo is displayed only in interactive sessions. +# +# However it is possible to force the pre-4.0 behavior and always show a +# ASCII art logo in startup logs by setting the following option to yes. +always-show-logo yes + +################################ SNAPSHOTTING ################################ +# +# Save the DB on disk: +# +# save +# +# Will save the DB if both the given number of seconds and the given +# number of write operations against the DB occurred. +# +# In the example below the behaviour will be to save: +# after 900 sec (15 min) if at least 1 key changed +# after 300 sec (5 min) if at least 10 keys changed +# after 60 sec if at least 10000 keys changed +# +# Note: you can disable saving completely by commenting out all "save" lines. +# +# It is also possible to remove all the previously configured save +# points by adding a save directive with a single empty string argument +# like in the following example: +# +# save "" + +save 900 1 +save 300 10 +save 60 10000 + +# By default Redis will stop accepting writes if RDB snapshots are enabled +# (at least one save point) and the latest background save failed. +# This will make the user aware (in a hard way) that data is not persisting +# on disk properly, otherwise chances are that no one will notice and some +# disaster will happen. +# +# If the background saving process will start working again Redis will +# automatically allow writes again. 
+# +# However if you have setup your proper monitoring of the Redis server +# and persistence, you may want to disable this feature so that Redis will +# continue to work as usual even if there are problems with disk, +# permissions, and so forth. +stop-writes-on-bgsave-error yes + +# Compress string objects using LZF when dump .rdb databases? +# For default that's set to 'yes' as it's almost always a win. +# If you want to save some CPU in the saving child set it to 'no' but +# the dataset will likely be bigger if you have compressible values or keys. +rdbcompression yes + +# Since version 5 of RDB a CRC64 checksum is placed at the end of the file. +# This makes the format more resistant to corruption but there is a performance +# hit to pay (around 10%) when saving and loading RDB files, so you can disable it +# for maximum performances. +# +# RDB files created with checksum disabled have a checksum of zero that will +# tell the loading code to skip the check. +rdbchecksum yes + +# The filename where to dump the DB +dbfilename dump.rdb + +# The working directory. +# +# The DB will be written inside this directory, with the filename specified +# above using the 'dbfilename' configuration directive. +# +# The Append Only File will also be created inside this directory. +# +# Note that you must specify a directory here, not a file name. +dir /var/lib/redis + +################################# REPLICATION ################################# + +# Master-Slave replication. Use slaveof to make a Redis instance a copy of +# another Redis server. A few things to understand ASAP about Redis replication. +# +# 1) Redis replication is asynchronous, but you can configure a master to +# stop accepting writes if it appears to be not connected with at least +# a given number of slaves. +# 2) Redis slaves are able to perform a partial resynchronization with the +# master if the replication link is lost for a relatively small amount of +# time. 
You may want to configure the replication backlog size (see the next +# sections of this file) with a sensible value depending on your needs. +# 3) Replication is automatic and does not need user intervention. After a +# network partition slaves automatically try to reconnect to masters +# and resynchronize with them. +# + slaveof {{ maat_redis_city_server.address }} {{ maat_redis_city_server.port }} + +# If the master is password protected (using the "requirepass" configuration +# directive below) it is possible to tell the slave to authenticate before +# starting the replication synchronization process, otherwise the master will +# refuse the slave request. +# +# masterauth + +# When a slave loses its connection with the master, or when the replication +# is still in progress, the slave can act in two different ways: +# +# 1) if slave-serve-stale-data is set to 'yes' (the default) the slave will +# still reply to client requests, possibly with out of date data, or the +# data set may just be empty if this is the first synchronization. +# +# 2) if slave-serve-stale-data is set to 'no' the slave will reply with +# an error "SYNC with master in progress" to all the kind of commands +# but to INFO and SLAVEOF. +# +slave-serve-stale-data yes + +# You can configure a slave instance to accept writes or not. Writing against +# a slave instance may be useful to store some ephemeral data (because data +# written on a slave will be easily deleted after resync with the master) but +# may also cause problems if clients are writing to it because of a +# misconfiguration. +# +# Since Redis 2.6 by default slaves are read-only. +# +# Note: read only slaves are not designed to be exposed to untrusted clients +# on the internet. It's just a protection layer against misuse of the instance. +# Still a read only slave exports by default all the administrative commands +# such as CONFIG, DEBUG, and so forth. 
To a limited extent you can improve +# security of read only slaves using 'rename-command' to shadow all the +# administrative / dangerous commands. +slave-read-only yes + +# Replication SYNC strategy: disk or socket. +# +# ------------------------------------------------------- +# WARNING: DISKLESS REPLICATION IS EXPERIMENTAL CURRENTLY +# ------------------------------------------------------- +# +# New slaves and reconnecting slaves that are not able to continue the replication +# process just receiving differences, need to do what is called a "full +# synchronization". An RDB file is transmitted from the master to the slaves. +# The transmission can happen in two different ways: +# +# 1) Disk-backed: The Redis master creates a new process that writes the RDB +# file on disk. Later the file is transferred by the parent +# process to the slaves incrementally. +# 2) Diskless: The Redis master creates a new process that directly writes the +# RDB file to slave sockets, without touching the disk at all. +# +# With disk-backed replication, while the RDB file is generated, more slaves +# can be queued and served with the RDB file as soon as the current child producing +# the RDB file finishes its work. With diskless replication instead once +# the transfer starts, new slaves arriving will be queued and a new transfer +# will start when the current one terminates. +# +# When diskless replication is used, the master waits a configurable amount of +# time (in seconds) before starting the transfer in the hope that multiple slaves +# will arrive and the transfer can be parallelized. +# +# With slow disks and fast (large bandwidth) networks, diskless replication +# works better. +repl-diskless-sync no + +# When diskless replication is enabled, it is possible to configure the delay +# the server waits in order to spawn the child that transfers the RDB via socket +# to the slaves. 
+# +# This is important since once the transfer starts, it is not possible to serve +# new slaves arriving, that will be queued for the next RDB transfer, so the server +# waits a delay in order to let more slaves arrive. +# +# The delay is specified in seconds, and by default is 5 seconds. To disable +# it entirely just set it to 0 seconds and the transfer will start ASAP. +repl-diskless-sync-delay 5 + +# Slaves send PINGs to server in a predefined interval. It's possible to change +# this interval with the repl_ping_slave_period option. The default value is 10 +# seconds. +# +# repl-ping-slave-period 10 + +# The following option sets the replication timeout for: +# +# 1) Bulk transfer I/O during SYNC, from the point of view of slave. +# 2) Master timeout from the point of view of slaves (data, pings). +# 3) Slave timeout from the point of view of masters (REPLCONF ACK pings). +# +# It is important to make sure that this value is greater than the value +# specified for repl-ping-slave-period otherwise a timeout will be detected +# every time there is low traffic between the master and the slave. +# +# repl-timeout 60 + +# Disable TCP_NODELAY on the slave socket after SYNC? +# +# If you select "yes" Redis will use a smaller number of TCP packets and +# less bandwidth to send data to slaves. But this can add a delay for +# the data to appear on the slave side, up to 40 milliseconds with +# Linux kernels using a default configuration. +# +# If you select "no" the delay for data to appear on the slave side will +# be reduced but more bandwidth will be used for replication. +# +# By default we optimize for low latency, but in very high traffic conditions +# or when the master and slaves are many hops away, turning this to "yes" may +# be a good idea. +repl-disable-tcp-nodelay no + +# Set the replication backlog size. 
The backlog is a buffer that accumulates +# slave data when slaves are disconnected for some time, so that when a slave +# wants to reconnect again, often a full resync is not needed, but a partial +# resync is enough, just passing the portion of data the slave missed while +# disconnected. +# +# The bigger the replication backlog, the longer the time the slave can be +# disconnected and later be able to perform a partial resynchronization. +# +# The backlog is only allocated once there is at least a slave connected. +# +# repl-backlog-size 1mb + +# After a master has no longer connected slaves for some time, the backlog +# will be freed. The following option configures the amount of seconds that +# need to elapse, starting from the time the last slave disconnected, for +# the backlog buffer to be freed. +# +# Note that slaves never free the backlog for timeout, since they may be +# promoted to masters later, and should be able to correctly "partially +# resynchronize" with the slaves: hence they should always accumulate backlog. +# +# A value of 0 means to never release the backlog. +# +# repl-backlog-ttl 3600 + +# The slave priority is an integer number published by Redis in the INFO output. +# It is used by Redis Sentinel in order to select a slave to promote into a +# master if the master is no longer working correctly. +# +# A slave with a low priority number is considered better for promotion, so +# for instance if there are three slaves with priority 10, 100, 25 Sentinel will +# pick the one with priority 10, that is the lowest. +# +# However a special priority of 0 marks the slave as not able to perform the +# role of master, so a slave with priority of 0 will never be selected by +# Redis Sentinel for promotion. +# +# By default the priority is 100. +slave-priority 100 + +# It is possible for a master to stop accepting writes if there are less than +# N slaves connected, having a lag less or equal than M seconds. 
+# +# The N slaves need to be in "online" state. +# +# The lag in seconds, that must be <= the specified value, is calculated from +# the last ping received from the slave, that is usually sent every second. +# +# This option does not GUARANTEE that N replicas will accept the write, but +# will limit the window of exposure for lost writes in case not enough slaves +# are available, to the specified number of seconds. +# +# For example to require at least 3 slaves with a lag <= 10 seconds use: +# +# min-slaves-to-write 3 +# min-slaves-max-lag 10 +# +# Setting one or the other to 0 disables the feature. +# +# By default min-slaves-to-write is set to 0 (feature disabled) and +# min-slaves-max-lag is set to 10. + +# A Redis master is able to list the address and port of the attached +# slaves in different ways. For example the "INFO replication" section +# offers this information, which is used, among other tools, by +# Redis Sentinel in order to discover slave instances. +# Another place where this info is available is in the output of the +# "ROLE" command of a master. +# +# The listed IP and address normally reported by a slave is obtained +# in the following way: +# +# IP: The address is auto detected by checking the peer address +# of the socket used by the slave to connect with the master. +# +# Port: The port is communicated by the slave during the replication +# handshake, and is normally the port that the slave is using to +# list for connections. +# +# However when port forwarding or Network Address Translation (NAT) is +# used, the slave may be actually reachable via different IP and port +# pairs. The following two options can be used by a slave in order to +# report to its master a specific set of IP and port, so that both INFO +# and ROLE will report those values. +# +# There is no need to use both the options if you need to override just +# the port or the IP address. 
+# +# slave-announce-ip 5.5.5.5 +# slave-announce-port 1234 + +################################## SECURITY ################################### + +# Require clients to issue AUTH before processing any other +# commands. This might be useful in environments in which you do not trust +# others with access to the host running redis-server. +# +# This should stay commented out for backward compatibility and because most +# people do not need auth (e.g. they run their own servers). +# +# Warning: since Redis is pretty fast an outside user can try up to +# 150k passwords per second against a good box. This means that you should +# use a very strong password otherwise it will be very easy to break. +# +# requirepass foobared + +# Command renaming. +# +# It is possible to change the name of dangerous commands in a shared +# environment. For instance the CONFIG command may be renamed into something +# hard to guess so that it will still be available for internal-use tools +# but not available for general clients. +# +# Example: +# +# rename-command CONFIG b840fc02d524045429941cc15f59e41cb7be6c52 +# +# It is also possible to completely kill a command by renaming it into +# an empty string: +# +# rename-command CONFIG "" +# +# Please note that changing the name of commands that are logged into the +# AOF file or transmitted to slaves may cause problems. + +################################### CLIENTS #################################### + +# Set the max number of connected clients at the same time. By default +# this limit is set to 10000 clients, however if the Redis server is not +# able to configure the process file limit to allow for the specified limit +# the max number of allowed clients is set to the current file limit +# minus 32 (as Redis reserves a few file descriptors for internal uses). +# +# Once the limit is reached Redis will close all the new connections sending +# an error 'max number of clients reached'. 
+#
+# maxclients 10000
+
+############################## MEMORY MANAGEMENT ################################
+
+# Set a memory usage limit to the specified amount of bytes.
+# When the memory limit is reached Redis will try to remove keys
+# according to the eviction policy selected (see maxmemory-policy).
+#
+# If Redis can't remove keys according to the policy, or if the policy is
+# set to 'noeviction', Redis will start to reply with errors to commands
+# that would use more memory, like SET, LPUSH, and so on, and will continue
+# to reply to read-only commands like GET.
+#
+# This option is usually useful when using Redis as an LRU or LFU cache, or to
+# set a hard memory limit for an instance (using the 'noeviction' policy).
+#
+# WARNING: If you have slaves attached to an instance with maxmemory on,
+# the size of the output buffers needed to feed the slaves are subtracted
+# from the used memory count, so that network problems / resyncs will
+# not trigger a loop where keys are evicted, and in turn the output
+# buffer of slaves is full with DELs of keys evicted triggering the deletion
+# of more keys, and so forth until the database is completely emptied.
+#
+# In short... if you have slaves attached it is suggested that you set a lower
+# limit for maxmemory so that there is some free RAM on the system for slave
+# output buffers (but this is not needed if the policy is 'noeviction').
+#
+# maxmemory
+
+# MAXMEMORY POLICY: how Redis will select what to remove when maxmemory
+# is reached. You can select among five behaviors:
+#
+# volatile-lru -> Evict using approximated LRU among the keys with an expire set.
+# allkeys-lru -> Evict any key using approximated LRU.
+# volatile-lfu -> Evict using approximated LFU among the keys with an expire set.
+# allkeys-lfu -> Evict any key using approximated LFU.
+# volatile-random -> Remove a random key among the ones with an expire set.
+# allkeys-random -> Remove a random key, any key.
+# volatile-ttl -> Remove the key with the nearest expire time (minor TTL)
+# noeviction -> Don't evict anything, just return an error on write operations.
+#
+# LRU means Least Recently Used
+# LFU means Least Frequently Used
+#
+# Both LRU, LFU and volatile-ttl are implemented using approximated
+# randomized algorithms.
+#
+# Note: with any of the above policies, Redis will return an error on write
+# operations, when there are no suitable keys for eviction.
+#
+# At the date of writing these commands are: set setnx setex append
+# incr decr rpush lpush rpushx lpushx linsert lset rpoplpush sadd
+# sinter sinterstore sunion sunionstore sdiff sdiffstore zadd zincrby
+# zunionstore zinterstore hset hsetnx hmset hincrby incrby decrby
+# getset mset msetnx exec sort
+#
+# The default is:
+#
+# maxmemory-policy noeviction
+
+# LRU, LFU and minimal TTL algorithms are not precise algorithms but approximated
+# algorithms (in order to save memory), so you can tune it for speed or
+# accuracy. For default Redis will check five keys and pick the one that was
+# used less recently, you can change the sample size using the following
+# configuration directive.
+#
+# The default of 5 produces good enough results. 10 Approximates very closely
+# true LRU but costs more CPU. 3 is faster but not very accurate.
+#
+# maxmemory-samples 5
+
+############################# LAZY FREEING ####################################
+
+# Redis has two primitives to delete keys. One is called DEL and is a blocking
+# deletion of the object. It means that the server stops processing new commands
+# in order to reclaim all the memory associated with an object in a synchronous
+# way. If the key deleted is associated with a small object, the time needed
+# in order to execute the DEL command is very small and comparable to most other
+# O(1) or O(log_N) commands in Redis.
However if the key is associated with an
+# aggregated value containing millions of elements, the server can block for
+# a long time (even seconds) in order to complete the operation.
+#
+# For the above reasons Redis also offers non blocking deletion primitives
+# such as UNLINK (non blocking DEL) and the ASYNC option of FLUSHALL and
+# FLUSHDB commands, in order to reclaim memory in background. Those commands
+# are executed in constant time. Another thread will incrementally free the
+# object in the background as fast as possible.
+#
+# DEL, UNLINK and ASYNC option of FLUSHALL and FLUSHDB are user-controlled.
+# It's up to the design of the application to understand when it is a good
+# idea to use one or the other. However the Redis server sometimes has to
+# delete keys or flush the whole database as a side effect of other operations.
+# Specifically Redis deletes objects independently of a user call in the
+# following scenarios:
+#
+# 1) On eviction, because of the maxmemory and maxmemory policy configurations,
+# in order to make room for new data, without going over the specified
+# memory limit.
+# 2) Because of expire: when a key with an associated time to live (see the
+# EXPIRE command) must be deleted from memory.
+# 3) Because of a side effect of a command that stores data on a key that may
+# already exist. For example the RENAME command may delete the old key
+# content when it is replaced with another one. Similarly SUNIONSTORE
+# or SORT with STORE option may delete existing keys. The SET command
+# itself removes any old content of the specified key in order to replace
+# it with the specified string.
+# 4) During replication, when a slave performs a full resynchronization with
+# its master, the content of the whole database is removed in order to
+# load the RDB file just transfered.
+#
+# In all the above cases the default is to delete objects in a blocking way,
+# like if DEL was called.
However you can configure each case specifically
+# in order to instead release memory in a non-blocking way like if UNLINK
+# was called, using the following configuration directives:
+
+lazyfree-lazy-eviction no
+lazyfree-lazy-expire no
+lazyfree-lazy-server-del no
+slave-lazy-flush no
+
+############################## APPEND ONLY MODE ###############################
+
+# By default Redis asynchronously dumps the dataset on disk. This mode is
+# good enough in many applications, but an issue with the Redis process or
+# a power outage may result into a few minutes of writes lost (depending on
+# the configured save points).
+#
+# The Append Only File is an alternative persistence mode that provides
+# much better durability. For instance using the default data fsync policy
+# (see later in the config file) Redis can lose just one second of writes in a
+# dramatic event like a server power outage, or a single write if something
+# wrong with the Redis process itself happens, but the operating system is
+# still running correctly.
+#
+# AOF and RDB persistence can be enabled at the same time without problems.
+# If the AOF is enabled on startup Redis will load the AOF, that is the file
+# with the better durability guarantees.
+#
+# Please check http://redis.io/topics/persistence for more information.
+
+appendonly no
+
+# The name of the append only file (default: "appendonly.aof")
+
+appendfilename "appendonly.aof"
+
+# The fsync() call tells the Operating System to actually write data on disk
+# instead of waiting for more data in the output buffer. Some OS will really flush
+# data on disk, some other OS will just try to do it ASAP.
+#
+# Redis supports three different modes:
+#
+# no: don't fsync, just let the OS flush the data when it wants. Faster.
+# always: fsync after every write to the append only log. Slow, Safest.
+# everysec: fsync only one time every second. Compromise.
+#
+# The default is "everysec", as that's usually the right compromise between
+# speed and data safety. It's up to you to understand if you can relax this to
+# "no" that will let the operating system flush the output buffer when
+# it wants, for better performances (but if you can live with the idea of
+# some data loss consider the default persistence mode that's snapshotting),
+# or on the contrary, use "always" that's very slow but a bit safer than
+# everysec.
+#
+# More details please check the following article:
+# http://antirez.com/post/redis-persistence-demystified.html
+#
+# If unsure, use "everysec".
+
+# appendfsync always
+appendfsync everysec
+# appendfsync no
+
+# When the AOF fsync policy is set to always or everysec, and a background
+# saving process (a background save or AOF log background rewriting) is
+# performing a lot of I/O against the disk, in some Linux configurations
+# Redis may block too long on the fsync() call. Note that there is no fix for
+# this currently, as even performing fsync in a different thread will block
+# our synchronous write(2) call.
+#
+# In order to mitigate this problem it's possible to use the following option
+# that will prevent fsync() from being called in the main process while a
+# BGSAVE or BGREWRITEAOF is in progress.
+#
+# This means that while another child is saving, the durability of Redis is
+# the same as "appendfsync none". In practical terms, this means that it is
+# possible to lose up to 30 seconds of log in the worst scenario (with the
+# default Linux settings).
+#
+# If you have latency problems turn this to "yes". Otherwise leave it as
+# "no" that is the safest pick from the point of view of durability.
+
+no-appendfsync-on-rewrite no
+
+# Automatic rewrite of the append only file.
+# Redis is able to automatically rewrite the log file implicitly calling
+# BGREWRITEAOF when the AOF log size grows by the specified percentage.
+#
+# This is how it works: Redis remembers the size of the AOF file after the
+# latest rewrite (if no rewrite has happened since the restart, the size of
+# the AOF at startup is used).
+#
+# This base size is compared to the current size. If the current size is
+# bigger than the specified percentage, the rewrite is triggered. Also
+# you need to specify a minimal size for the AOF file to be rewritten, this
+# is useful to avoid rewriting the AOF file even if the percentage increase
+# is reached but it is still pretty small.
+#
+# Specify a percentage of zero in order to disable the automatic AOF
+# rewrite feature.
+
+auto-aof-rewrite-percentage 100
+auto-aof-rewrite-min-size 64mb
+
+# An AOF file may be found to be truncated at the end during the Redis
+# startup process, when the AOF data gets loaded back into memory.
+# This may happen when the system where Redis is running
+# crashes, especially when an ext4 filesystem is mounted without the
+# data=ordered option (however this can't happen when Redis itself
+# crashes or aborts but the operating system still works correctly).
+#
+# Redis can either exit with an error when this happens, or load as much
+# data as possible (the default now) and start if the AOF file is found
+# to be truncated at the end. The following option controls this behavior.
+#
+# If aof-load-truncated is set to yes, a truncated AOF file is loaded and
+# the Redis server starts emitting a log to inform the user of the event.
+# Otherwise if the option is set to no, the server aborts with an error
+# and refuses to start. When the option is set to no, the user requires
+# to fix the AOF file using the "redis-check-aof" utility before to restart
+# the server.
+#
+# Note that if the AOF file will be found to be corrupted in the middle
+# the server will still exit with an error. This option only applies when
+# Redis will try to read more data from the AOF file but not enough bytes
+# will be found.
+aof-load-truncated yes
+
+# When rewriting the AOF file, Redis is able to use an RDB preamble in the
+# AOF file for faster rewrites and recoveries. When this option is turned
+# on the rewritten AOF file is composed of two different stanzas:
+#
+# [RDB file][AOF tail]
+#
+# When loading Redis recognizes that the AOF file starts with the "REDIS"
+# string and loads the prefixed RDB file, and continues loading the AOF
+# tail.
+#
+# This is currently turned off by default in order to avoid the surprise
+# of a format change, but will at some point be used as the default.
+aof-use-rdb-preamble no
+
+################################ LUA SCRIPTING ###############################
+
+# Max execution time of a Lua script in milliseconds.
+#
+# If the maximum execution time is reached Redis will log that a script is
+# still in execution after the maximum allowed time and will start to
+# reply to queries with an error.
+#
+# When a long running script exceeds the maximum execution time only the
+# SCRIPT KILL and SHUTDOWN NOSAVE commands are available. The first can be
+# used to stop a script that did not yet called write commands. The second
+# is the only way to shut down the server in the case a write command was
+# already issued by the script but the user doesn't want to wait for the natural
+# termination of the script.
+#
+# Set it to 0 or a negative value for unlimited execution without warnings.
+lua-time-limit 5000
+
+################################ REDIS CLUSTER ###############################
+#
+# ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+# WARNING EXPERIMENTAL: Redis Cluster is considered to be stable code, however
+# in order to mark it as "mature" we need to wait for a non trivial percentage
+# of users to deploy it in production.
+# ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+#
+# Normal Redis instances can't be part of a Redis Cluster; only nodes that are
+# started as cluster nodes can. In order to start a Redis instance as a
+# cluster node enable the cluster support uncommenting the following:
+#
+# cluster-enabled yes
+
+# Every cluster node has a cluster configuration file. This file is not
+# intended to be edited by hand. It is created and updated by Redis nodes.
+# Every Redis Cluster node requires a different cluster configuration file.
+# Make sure that instances running in the same system do not have
+# overlapping cluster configuration file names.
+#
+# cluster-config-file nodes-6379.conf
+
+# Cluster node timeout is the amount of milliseconds a node must be unreachable
+# for it to be considered in failure state.
+# Most other internal time limits are multiple of the node timeout.
+#
+# cluster-node-timeout 15000
+
+# A slave of a failing master will avoid to start a failover if its data
+# looks too old.
+#
+# There is no simple way for a slave to actually have an exact measure of
+# its "data age", so the following two checks are performed:
+#
+# 1) If there are multiple slaves able to failover, they exchange messages
+# in order to try to give an advantage to the slave with the best
+# replication offset (more data from the master processed).
+# Slaves will try to get their rank by offset, and apply to the start
+# of the failover a delay proportional to their rank.
+#
+# 2) Every single slave computes the time of the last interaction with
+# its master. This can be the last ping or command received (if the master
+# is still in the "connected" state), or the time that elapsed since the
+# disconnection with the master (if the replication link is currently down).
+# If the last interaction is too old, the slave will not try to failover
+# at all.
+#
+# The point "2" can be tuned by user.
Specifically a slave will not perform
+# the failover if, since the last interaction with the master, the time
+# elapsed is greater than:
+#
+# (node-timeout * slave-validity-factor) + repl-ping-slave-period
+#
+# So for example if node-timeout is 30 seconds, and the slave-validity-factor
+# is 10, and assuming a default repl-ping-slave-period of 10 seconds, the
+# slave will not try to failover if it was not able to talk with the master
+# for longer than 310 seconds.
+#
+# A large slave-validity-factor may allow slaves with too old data to failover
+# a master, while a too small value may prevent the cluster from being able to
+# elect a slave at all.
+#
+# For maximum availability, it is possible to set the slave-validity-factor
+# to a value of 0, which means, that slaves will always try to failover the
+# master regardless of the last time they interacted with the master.
+# (However they'll always try to apply a delay proportional to their
+# offset rank).
+#
+# Zero is the only value able to guarantee that when all the partitions heal
+# the cluster will always be able to continue.
+#
+# cluster-slave-validity-factor 10
+
+# Cluster slaves are able to migrate to orphaned masters, that are masters
+# that are left without working slaves. This improves the cluster ability
+# to resist to failures as otherwise an orphaned master can't be failed over
+# in case of failure if it has no working slaves.
+#
+# Slaves migrate to orphaned masters only if there are still at least a
+# given number of other working slaves for their old master. This number
+# is the "migration barrier". A migration barrier of 1 means that a slave
+# will migrate only if there is at least 1 other working slave for its master
+# and so forth. It usually reflects the number of slaves you want for every
+# master in your cluster.
+#
+# Default is 1 (slaves migrate only if their masters remain with at least
+# one slave). To disable migration just set it to a very large value.
+# A value of 0 can be set but is useful only for debugging and dangerous
+# in production.
+#
+# cluster-migration-barrier 1
+
+# By default Redis Cluster nodes stop accepting queries if they detect there
+# is at least an hash slot uncovered (no available node is serving it).
+# This way if the cluster is partially down (for example a range of hash slots
+# are no longer covered) all the cluster becomes, eventually, unavailable.
+# It automatically returns available as soon as all the slots are covered again.
+#
+# However sometimes you want the subset of the cluster which is working,
+# to continue to accept queries for the part of the key space that is still
+# covered. In order to do so, just set the cluster-require-full-coverage
+# option to no.
+#
+# cluster-require-full-coverage yes
+
+# This option, when set to yes, prevents slaves from trying to failover its
+# master during master failures. However the master can still perform a
+# manual failover, if forced to do so.
+#
+# This is useful in different scenarios, especially in the case of multiple
+# data center operations, where we want one side to never be promoted if not
+# in the case of a total DC failure.
+#
+# cluster-slave-no-failover no
+
+# In order to setup your cluster make sure to read the documentation
+# available at http://redis.io web site.
+
+########################## CLUSTER DOCKER/NAT support ########################
+
+# In certain deployments, Redis Cluster nodes address discovery fails, because
+# addresses are NAT-ted or because ports are forwarded (the typical case is
+# Docker and other containers).
+#
+# In order to make Redis Cluster working in such environments, a static
+# configuration where each node knows its public address is needed.
The
+# following two options are used for this scope, and are:
+#
+# * cluster-announce-ip
+# * cluster-announce-port
+# * cluster-announce-bus-port
+#
+# Each instruct the node about its address, client port, and cluster message
+# bus port. The information is then published in the header of the bus packets
+# so that other nodes will be able to correctly map the address of the node
+# publishing the information.
+#
+# If the above options are not used, the normal Redis Cluster auto-detection
+# will be used instead.
+#
+# Note that when remapped, the bus port may not be at the fixed offset of
+# clients port + 10000, so you can specify any port and bus-port depending
+# on how they get remapped. If the bus-port is not set, a fixed offset of
+# 10000 will be used as usually.
+#
+# Example:
+#
+# cluster-announce-ip 10.1.1.5
+# cluster-announce-port 6379
+# cluster-announce-bus-port 6380
+
+################################## SLOW LOG ###################################
+
+# The Redis Slow Log is a system to log queries that exceeded a specified
+# execution time. The execution time does not include the I/O operations
+# like talking with the client, sending the reply and so forth,
+# but just the time needed to actually execute the command (this is the only
+# stage of command execution where the thread is blocked and can not serve
+# other requests in the meantime).
+#
+# You can configure the slow log with two parameters: one tells Redis
+# what is the execution time, in microseconds, to exceed in order for the
+# command to get logged, and the other parameter is the length of the
+# slow log. When a new command is logged the oldest one is removed from the
+# queue of logged commands.
+
+# The following time is expressed in microseconds, so 1000000 is equivalent
+# to one second. Note that a negative number disables the slow log, while
+# a value of zero forces the logging of every command.
+slowlog-log-slower-than 10000
+
+# There is no limit to this length.
Just be aware that it will consume memory.
+# You can reclaim memory used by the slow log with SLOWLOG RESET.
+slowlog-max-len 128
+
+################################ LATENCY MONITOR ##############################
+
+# The Redis latency monitoring subsystem samples different operations
+# at runtime in order to collect data related to possible sources of
+# latency of a Redis instance.
+#
+# Via the LATENCY command this information is available to the user that can
+# print graphs and obtain reports.
+#
+# The system only logs operations that were performed in a time equal or
+# greater than the amount of milliseconds specified via the
+# latency-monitor-threshold configuration directive. When its value is set
+# to zero, the latency monitor is turned off.
+#
+# By default latency monitoring is disabled since it is mostly not needed
+# if you don't have latency issues, and collecting data has a performance
+# impact, that while very small, can be measured under big load. Latency
+# monitoring can easily be enabled at runtime using the command
+# "CONFIG SET latency-monitor-threshold " if needed.
+latency-monitor-threshold 0
+
+############################# EVENT NOTIFICATION ##############################
+
+# Redis can notify Pub/Sub clients about events happening in the key space.
+# This feature is documented at http://redis.io/topics/notifications
+#
+# For instance if keyspace events notification is enabled, and a client
+# performs a DEL operation on key "foo" stored in the Database 0, two
+# messages will be published via Pub/Sub:
+#
+# PUBLISH __keyspace@0__:foo del
+# PUBLISH __keyevent@0__:del foo
+#
+# It is possible to select the events that Redis will notify among a set
+# of classes. Every class is identified by a single character:
+#
+# K Keyspace events, published with __keyspace@__ prefix.
+# E Keyevent events, published with __keyevent@__ prefix.
+# g Generic commands (non-type specific) like DEL, EXPIRE, RENAME, ...
+# $ String commands
+# l List commands
+# s Set commands
+# h Hash commands
+# z Sorted set commands
+# x Expired events (events generated every time a key expires)
+# e Evicted events (events generated when a key is evicted for maxmemory)
+# A Alias for g$lshzxe, so that the "AKE" string means all the events.
+#
+# The "notify-keyspace-events" takes as argument a string that is composed
+# of zero or multiple characters. The empty string means that notifications
+# are disabled.
+#
+# Example: to enable list and generic events, from the point of view of the
+# event name, use:
+#
+# notify-keyspace-events Elg
+#
+# Example 2: to get the stream of the expired keys subscribing to channel
+# name __keyevent@0__:expired use:
+#
+# notify-keyspace-events Ex
+#
+# By default all notifications are disabled because most users don't need
+# this feature and the feature has some overhead. Note that if you don't
+# specify at least one of K or E, no events will be delivered.
+notify-keyspace-events ""
+
+############################### ADVANCED CONFIG ###############################
+
+# Hashes are encoded using a memory efficient data structure when they have a
+# small number of entries, and the biggest entry does not exceed a given
+# threshold. These thresholds can be configured using the following directives.
+hash-max-ziplist-entries 512
+hash-max-ziplist-value 64
+
+# Lists are also encoded in a special way to save a lot of space.
+# The number of entries allowed per internal list node can be specified
+# as a fixed maximum size or a maximum number of elements.
+# For a fixed maximum size, use -5 through -1, meaning:
+# -5: max size: 64 Kb <-- not recommended for normal workloads
+# -4: max size: 32 Kb <-- not recommended
+# -3: max size: 16 Kb <-- probably not recommended
+# -2: max size: 8 Kb <-- good
+# -1: max size: 4 Kb <-- good
+# Positive numbers mean store up to _exactly_ that number of elements
+# per list node.
+# The highest performing option is usually -2 (8 Kb size) or -1 (4 Kb size),
+# but if your use case is unique, adjust the settings as necessary.
+list-max-ziplist-size -2
+
+# Lists may also be compressed.
+# Compress depth is the number of quicklist ziplist nodes from *each* side of
+# the list to *exclude* from compression. The head and tail of the list
+# are always uncompressed for fast push/pop operations. Settings are:
+# 0: disable all list compression
+# 1: depth 1 means "don't start compressing until after 1 node into the list,
+# going from either the head or tail"
+# So: [head]->node->node->...->node->[tail]
+# [head], [tail] will always be uncompressed; inner nodes will compress.
+# 2: [head]->[next]->node->node->...->node->[prev]->[tail]
+# 2 here means: don't compress head or head->next or tail->prev or tail,
+# but compress all nodes between them.
+# 3: [head]->[next]->[next]->node->node->...->node->[prev]->[prev]->[tail]
+# etc.
+list-compress-depth 0
+
+# Sets have a special encoding in just one case: when a set is composed
+# of just strings that happen to be integers in radix 10 in the range
+# of 64 bit signed integers.
+# The following configuration setting sets the limit in the size of the
+# set in order to use this special memory saving encoding.
+set-max-intset-entries 512
+
+# Similarly to hashes and lists, sorted sets are also specially encoded in
+# order to save a lot of space. This encoding is only used when the length and
+# elements of a sorted set are below the following limits:
+zset-max-ziplist-entries 128
+zset-max-ziplist-value 64
+
+# HyperLogLog sparse representation bytes limit. The limit includes the
+# 16 bytes header. When an HyperLogLog using the sparse representation crosses
+# this limit, it is converted into the dense representation.
+#
+# A value greater than 16000 is totally useless, since at that point the
+# dense representation is more memory efficient.
+#
+# The suggested value is ~ 3000 in order to have the benefits of
+# the space efficient encoding without slowing down too much PFADD,
+# which is O(N) with the sparse encoding. The value can be raised to
+# ~ 10000 when CPU is not a concern, but space is, and the data set is
+# composed of many HyperLogLogs with cardinality in the 0 - 15000 range.
+hll-sparse-max-bytes 3000
+
+# Active rehashing uses 1 millisecond every 100 milliseconds of CPU time in
+# order to help rehashing the main Redis hash table (the one mapping top-level
+# keys to values). The hash table implementation Redis uses (see dict.c)
+# performs a lazy rehashing: the more operation you run into a hash table
+# that is rehashing, the more rehashing "steps" are performed, so if the
+# server is idle the rehashing is never complete and some more memory is used
+# by the hash table.
+#
+# The default is to use this millisecond 10 times every second in order to
+# actively rehash the main dictionaries, freeing memory when possible.
+#
+# If unsure:
+# use "activerehashing no" if you have hard latency requirements and it is
+# not a good thing in your environment that Redis can reply from time to time
+# to queries with 2 milliseconds delay.
+#
+# use "activerehashing yes" if you don't have such hard requirements but
+# want to free memory asap when possible.
+activerehashing yes
+
+# The client output buffer limits can be used to force disconnection of clients
+# that are not reading data from the server fast enough for some reason (a
+# common reason is that a Pub/Sub client can't consume messages as fast as the
+# publisher can produce them).
+#
+# The limit can be set differently for the three different classes of clients:
+#
+# normal -> normal clients including MONITOR clients
+# slave -> slave clients
+# pubsub -> clients subscribed to at least one pubsub channel or pattern
+#
+# The syntax of every client-output-buffer-limit directive is the following:
+#
+# client-output-buffer-limit
+#
+# A client is immediately disconnected once the hard limit is reached, or if
+# the soft limit is reached and remains reached for the specified number of
+# seconds (continuously).
+# So for instance if the hard limit is 32 megabytes and the soft limit is
+# 16 megabytes / 10 seconds, the client will get disconnected immediately
+# if the size of the output buffers reach 32 megabytes, but will also get
+# disconnected if the client reaches 16 megabytes and continuously overcomes
+# the limit for 10 seconds.
+#
+# By default normal clients are not limited because they don't receive data
+# without asking (in a push way), but just after a request, so only
+# asynchronous clients may create a scenario where data is requested faster
+# than it can read.
+#
+# Instead there is a default limit for pubsub and slave clients, since
+# subscribers and slaves receive data in a push fashion.
+#
+# Both the hard or the soft limit can be disabled by setting them to zero.
+client-output-buffer-limit normal 0 0 0
+client-output-buffer-limit slave 256mb 64mb 60
+client-output-buffer-limit pubsub 32mb 8mb 60
+
+# Client query buffers accumulate new commands. They are limited to a fixed
+# amount by default in order to avoid that a protocol desynchronization (for
+# instance due to a bug in the client) will lead to unbound memory usage in
+# the query buffer. However you can configure it here if you have very special
+# needs, such us huge multi/exec requests or alike.
+#
+# client-query-buffer-limit 1gb
+
+# In the Redis protocol, bulk requests, that are, elements representing single
+# strings, are normally limited ot 512 mb.
However you can change this limit
+# here.
+#
+# proto-max-bulk-len 512mb
+
+# Redis calls an internal function to perform many background tasks, like
+# closing connections of clients in timeout, purging expired keys that are
+# never requested, and so forth.
+#
+# Not all tasks are performed with the same frequency, but Redis checks for
+# tasks to perform according to the specified "hz" value.
+#
+# By default "hz" is set to 10. Raising the value will use more CPU when
+# Redis is idle, but at the same time will make Redis more responsive when
+# there are many keys expiring at the same time, and timeouts may be
+# handled with more precision.
+#
+# The range is between 1 and 500, however a value over 100 is usually not
+# a good idea. Most users should use the default of 10 and raise this up to
+# 100 only in environments where very low latency is required.
+hz 10
+
+# When a child rewrites the AOF file, if the following option is enabled
+# the file will be fsync-ed every 32 MB of data generated. This is useful
+# in order to commit the file to the disk more incrementally and avoid
+# big latency spikes.
+aof-rewrite-incremental-fsync yes
+
+# Redis LFU eviction (see maxmemory setting) can be tuned. However it is a good
+# idea to start with the default settings and only change them after investigating
+# how to improve the performances and how the keys LFU change over time, which
+# is possible to inspect via the OBJECT FREQ command.
+#
+# There are two tunable parameters in the Redis LFU implementation: the
+# counter logarithm factor and the counter decay time. It is important to
+# understand what the two parameters mean before changing them.
+#
+# The LFU counter is just 8 bits per key, it's maximum value is 255, so Redis
+# uses a probabilistic increment with logarithmic behavior. Given the value
+# of the old counter, when a key is accessed, the counter is incremented in
+# this way:
+#
+# 1. A random number R between 0 and 1 is extracted.
+# 2.
A probability P is calculated as 1/(old_value*lfu_log_factor+1). +# 3. The counter is incremented only if R < P. +# +# The default lfu-log-factor is 10. This is a table of how the frequency +# counter changes with a different number of accesses with different +# logarithmic factors: +# +# +--------+------------+------------+------------+------------+------------+ +# | factor | 100 hits | 1000 hits | 100K hits | 1M hits | 10M hits | +# +--------+------------+------------+------------+------------+------------+ +# | 0 | 104 | 255 | 255 | 255 | 255 | +# +--------+------------+------------+------------+------------+------------+ +# | 1 | 18 | 49 | 255 | 255 | 255 | +# +--------+------------+------------+------------+------------+------------+ +# | 10 | 10 | 18 | 142 | 255 | 255 | +# +--------+------------+------------+------------+------------+------------+ +# | 100 | 8 | 11 | 49 | 143 | 255 | +# +--------+------------+------------+------------+------------+------------+ +# +# NOTE: The above table was obtained by running the following commands: +# +# redis-benchmark -n 1000000 incr foo +# redis-cli object freq foo +# +# NOTE 2: The counter initial value is 5 in order to give new objects a chance +# to accumulate hits. +# +# The counter decay time is the time, in minutes, that must elapse in order +# for the key counter to be divided by two (or decremented if it has a value +# less <= 10). +# +# The default value for the lfu-decay-time is 1. A Special value of 0 means to +# decay the counter every time it happens to be scanned. +# +# lfu-log-factor 10 +# lfu-decay-time 1 + +########################### ACTIVE DEFRAGMENTATION ####################### +# +# WARNING THIS FEATURE IS EXPERIMENTAL. However it was stress tested +# even in production and manually tested by multiple engineers for some +# time. +# +# What is active defragmentation? 
+# ------------------------------- +# +# Active (online) defragmentation allows a Redis server to compact the +# spaces left between small allocations and deallocations of data in memory, +# thus allowing to reclaim back memory. +# +# Fragmentation is a natural process that happens with every allocator (but +# less so with Jemalloc, fortunately) and certain workloads. Normally a server +# restart is needed in order to lower the fragmentation, or at least to flush +# away all the data and create it again. However thanks to this feature +# implemented by Oran Agra for Redis 4.0 this process can happen at runtime +# in an "hot" way, while the server is running. +# +# Basically when the fragmentation is over a certain level (see the +# configuration options below) Redis will start to create new copies of the +# values in contiguous memory regions by exploiting certain specific Jemalloc +# features (in order to understand if an allocation is causing fragmentation +# and to allocate it in a better place), and at the same time, will release the +# old copies of the data. This process, repeated incrementally for all the keys +# will cause the fragmentation to drop back to normal values. +# +# Important things to understand: +# +# 1. This feature is disabled by default, and only works if you compiled Redis +# to use the copy of Jemalloc we ship with the source code of Redis. +# This is the default with Linux builds. +# +# 2. You never need to enable this feature if you don't have fragmentation +# issues. +# +# 3. Once you experience fragmentation, you can enable this feature when +# needed with the command "CONFIG SET activedefrag yes". +# +# The configuration parameters are able to fine tune the behavior of the +# defragmentation process. If you are not sure about what they mean it is +# a good idea to leave the defaults untouched. 
+ +# Enabled active defragmentation +# activedefrag yes + +# Minimum amount of fragmentation waste to start active defrag +# active-defrag-ignore-bytes 100mb + +# Minimum percentage of fragmentation to start active defrag +# active-defrag-threshold-lower 10 + +# Maximum percentage of fragmentation at which we use maximum effort +# active-defrag-threshold-upper 100 + +# Minimal effort for defrag in CPU percentage +# active-defrag-cycle-min 25 + +# Maximal effort for defrag in CPU percentage +# active-defrag-cycle-max 75 + diff --git a/roles/tsg_app/templates/main.conf.j2 b/roles/tsg_app/templates/main.conf.j2 index bcde656..ed96819 100644 --- a/roles/tsg_app/templates/main.conf.j2 +++ b/roles/tsg_app/templates/main.conf.j2 @@ -14,7 +14,7 @@ PROFILE=./appconf/maat.conf MODE=1 LOG_LEVEL={{ applog_level }} LOG_PATH=./applog/applog -BROKER_LIST={{ log_kafkabrokers.address }} +BROKER_LIST={{ log_kafkabrokers.address | join(",") }} COMMON_FIELD_FILE=appconf/app_log_field.conf [FIELD_STAT] diff --git a/roles/tsg_device_tag/tasks/main.yml b/roles/tsg_device_tag/tasks/main.yml index 21e4217..28f7ac7 100644 --- a/roles/tsg_device_tag/tasks/main.yml +++ b/roles/tsg_device_tag/tasks/main.yml @@ -3,12 +3,7 @@ path: /opt/tsg/etc state: directory -- name: "Template tsg_sn.json" +- name: "Template tsg_device_tag.json" template: - src: "{{ role_path }}/templates/tsg_sn.json.j2" - dest: /opt/tsg/etc/tsg_sn.json - -- name: "Template tsg_tag.json" - template: - src: "{{ role_path }}/templates/tsg_tags.json.j2" - dest: /opt/tsg/etc/tsg_tags.json + src: "{{ role_path }}/templates/tsg_device_tag.json.j2" + dest: /opt/tsg/etc/tsg_device_tag.json diff --git a/roles/tsg_device_tag/templates/tsg_sn.json.j2 b/roles/tsg_device_tag/templates/tsg_sn.json.j2 deleted file mode 100644 index a88f0a5..0000000 --- a/roles/tsg_device_tag/templates/tsg_sn.json.j2 +++ /dev/null @@ -1,3 +0,0 @@ -{ - "sn": "GN202000000000000000" -} 
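Review bot: `BROKER_LIST={{ log_kafkabrokers.address | join(",") }}` only renders a broker list if `log_kafkabrokers.address` is a YAML list in every vars file that feeds this template. Jinja2's `join` iterates a plain string character by character, so a leftover string value (for example a constructed `address: "broker1:9092"`) would render as `b,r,o,k,…` without any error. The vars files are not in this hunk, so whether all of them were converted cannot be confirmed from here. Wrapping the value keeps both shapes working: `{{ [log_kafkabrokers.address] | flatten | join(",") }}`. The template starts and ends outside the hunk.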
diff --git a/roles/tsg_device_tag/templates/tsg_tags.json.j2 b/roles/tsg_device_tag/templates/tsg_tags.json.j2 deleted file mode 100644 index c275588..0000000 --- a/roles/tsg_device_tag/templates/tsg_tags.json.j2 +++ /dev/null @@ -1 +0,0 @@ -{"tags":[{"tag":"data_center","value":"Beijing"}]} diff --git a/roles/tsg_master/files/tsg_master-3.3.15.7ddb2f1-2.el7.x86_64.rpm b/roles/tsg_master/files/tsg_master-3.3.15.7ddb2f1-2.el7.x86_64.rpm new file mode 100644 index 0000000..9e8e64e Binary files /dev/null and b/roles/tsg_master/files/tsg_master-3.3.15.7ddb2f1-2.el7.x86_64.rpm differ diff --git a/roles/tsg_master/files/tsg_master-3.3.5.66dda7c-2.el7.x86_64.rpm b/roles/tsg_master/files/tsg_master-3.3.5.66dda7c-2.el7.x86_64.rpm deleted file mode 100644 index 5424c1d..0000000 Binary files a/roles/tsg_master/files/tsg_master-3.3.5.66dda7c-2.el7.x86_64.rpm and /dev/null differ diff --git a/roles/tsg_master/tasks/main.yml b/roles/tsg_master/tasks/main.yml index 2843552..33d0a28 100644 --- a/roles/tsg_master/tasks/main.yml +++ b/roles/tsg_master/tasks/main.yml @@ -6,6 +6,6 @@ - name: "install tsg_master from localhost" yum: name: - - /tmp/ansible_deploy/tsg_master-3.3.5.66dda7c-2.el7.x86_64.rpm + - /tmp/ansible_deploy/tsg_master-3.3.15.7ddb2f1-2.el7.x86_64.rpm state: present skip_broken: yes diff --git a/server_deploy.yml b/server_deploy.yml index e8721f7..3a73772 100644 --- a/server_deploy.yml +++ b/server_deploy.yml 
@@ -3,37 +3,40 @@ vars_files: - install_config/group_vars/server_as_tun_mode.yml roles: - - kernel-ml - - framework - - mrzcpd - - tsg-env-tun-mode - - sapp - - tsg_master - - kni - - firewall - - tsg_app - - http_healthcheck - - certstore - - redis - - cert-redis - - maat-redis - - tfe - - telegraf_statistic - - telegraf_collect - - tsg_device_tag - - reboot + - {role: framework, tags: framework} + - {role: kernel-ml, tags: kernel-ml} + - {role: mrzcpd, tags: mrzcpd} + - {role: tsg-env-tun-mode, tags: tsg-env-tun-mode} + - {role: sapp, tags: sapp} + - {role: tsg_master, tags: tsg_master} + - {role: kni, tags: kni} + - {role: firewall, tags: firewall} + - {role: tsg_app, tags: tsg_app} + - {role: http_healthcheck,tags: http_healthcheck} + - {role: certstore, tags: certstore} + - {role: redis, tags: redis} + - {role: cert-redis, tags: cert-redis} + - {role: maat-redis, tags: maat-redis, when: deploy_mode == "cluster"} + - {role: tfe, tags: tfe} + - {role: telegraf_statistic, tags: telegraf_statistic} + - {role: app_proto_identify, tags: app_proto_identify} +# - {role: proxy_status, tags: proxy_status} +# - {role: adc_exporter, tags: adc_exporter} +# - {role: adc_exporter_proxy, tags: adc_exporter_proxy} +# - tsg_device_tag +# - reboot - hosts: packet_dump_server remote_user: root vars_files: - - install_config/group_vars/server_as_tun_mode.yml + - install_config/group_vars/adc_global.yml roles: - - framework - - packet_dump + - {role: framework, tags: framework} + - {role: packet_dump, tags: packet_dump} - hosts: app_global remote_user: root vars_files: - install_config/group_vars/app_global.yml roles: - - app_global + - {role: app_global, tags: app_global} diff --git a/tasks/diabled_tsg-monitor.yml b/tasks/diabled_tsg-monitor.yml new file mode 100644 index 0000000..538063f --- /dev/null +++ b/tasks/diabled_tsg-monitor.yml 
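Review bot: `when: deploy_mode == "cluster"` on the maat-redis role aborts the play with an undefined-variable error on any host whose vars files do not set `deploy_mode`, and nothing in this hunk shows where it is defined. `when: deploy_mode | default('') == "cluster"` skips the role instead, or an early `assert` on `deploy_mode is defined` makes the requirement explicit. Also worth confirming: the `packet_dump_server` play now loads `install_config/group_vars/adc_global.yml` although it sits in server_deploy.yml next to plays that load server-mode vars. The first play's header is outside the hunk.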
@@ -0,0 +1,13 @@
+- hosts:
+ - adc_mcn0
+ - adc_mcn1
+ - adc_mcn2
+ - adc_mcn3
+ remote_user: root
+ tasks:
+ - name: 'Tsg-monitor service start'
+ systemd:
+ name: tsg-monitor
+ enabled: no
+ state: stopped
+ daemon_reload: yes
diff --git a/tasks/option-tsg-diagnose/start_tsg_diagnose.yml b/tasks/option-tsg-diagnose/start_tsg_diagnose.yml
new file mode 100644
index 0000000..791e97b
--- /dev/null
+++ b/tasks/option-tsg-diagnose/start_tsg_diagnose.yml
@@ -0,0 +1,8 @@
+- hosts: adc_mcn0
+ remote_user: root
+ tasks:
+ - name: 'mcn0 start tsg-diagnose service'
+ systemd:
+ name: tsg-diagnose
+ state: started
+ enabled: yes
diff --git a/tasks/option-tsg-diagnose/stop_tsg_diagnose.yml b/tasks/option-tsg-diagnose/stop_tsg_diagnose.yml
new file mode 100644
index 0000000..c2fa938
--- /dev/null
+++ b/tasks/option-tsg-diagnose/stop_tsg_diagnose.yml
@@ -0,0 +1,8 @@
+- hosts: adc_mcn0
+ remote_user: root
+ tasks:
+ - name: 'mcn0 stop tsg-diagnose service'
+ systemd:
+ name: tsg-diagnose
+ state: stopped
+ enabled: no
diff --git a/tasks/reboot/reboot_adc.yml b/tasks/reboot/reboot_adc.yml
new file mode 100644
index 0000000..db38bac
--- /dev/null
+++ b/tasks/reboot/reboot_adc.yml
@@ -0,0 +1,9 @@
+- hosts:
+ - adc_mcn0
+ - adc_mcn1
+ - adc_mcn2
+ - adc_mcn3
+ remote_user: root
+ tasks:
+ - name: "reboot"
+ reboot:
diff --git a/tasks/reboot/reboot_adc_mcn_by_ipmitool.yml b/tasks/reboot/reboot_adc_mcn_by_ipmitool.yml
new file mode 100644
index 0000000..040a85e
--- /dev/null
+++ b/tasks/reboot/reboot_adc_mcn_by_ipmitool.yml
@@ -0,0 +1,11 @@
+- hosts: adc_mxn
+ remote_user: root
+ tasks:
+ - name: "reboot adc in mxn by ipmitool"
+ shell: "{{ item }}"
+ ignore_errors: true
+ with_items:
+ - ipmitool -t 0x90 chassis power reset
+ - ipmitool -t 0x80 chassis power reset
+ - ipmitool -t 0x98 chassis power reset
+ - ipmitool -t 0x88 chassis power reset
diff --git a/tasks/reboot/reboot_adc_mcn_by_ssh.yml b/tasks/reboot/reboot_adc_mcn_by_ssh.yml
new file mode 100644
index 0000000..d901da3
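Review bot: The task name `'Tsg-monitor service start'` in diabled_tsg-monitor.yml contradicts what the task does (`state: stopped`, `enabled: no`), so run logs and audit output will record a start where the service was in fact disabled; `- name: 'stop and disable tsg-monitor service'` matches the behaviour. The same kind of mismatch is in the restart_*.yml playbooks further down, whose tasks are named `'… service start'` but use `state: restarted`, and verify_tfe_md5_hash.yml names its task `"verify tfe md5 in mcn0"` while targeting adc_mcn1 to adc_mcn3. The file name `diabled_tsg-monitor.yml` looks like a typo for `disabled_…`.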
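Review bot: `ignore_errors: true` on the looped `shell: "{{ item }}"` task in reboot_adc_mcn_by_ipmitool.yml means the play reports success even when every `ipmitool … chassis power reset` fails, so an operator cannot tell from the run whether any node was actually reset. The items need no shell features, so `command: "{{ item }}"` is sufficient. Adding `register: reset_results` and a following `assert` on the per-item `rc` values keeps one dead slot from stopping the loop while still surfacing a total failure. reboot_adc_mcn_by_ssh.yml uses the same `shell` plus `ignore_errors` pattern.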
--- /dev/null
+++ b/tasks/reboot/reboot_adc_mcn_by_ssh.yml
@@ -0,0 +1,13 @@
+- hosts: adc_mxn
+ remote_user: root
+ tasks:
+ - name: "reboot adc mcn*"
+ shell: "{{ item }}"
+ ignore_errors: true
+ with_items:
+ - ssh 192.168.100.1 reboot
+ - ssh 192.168.100.2 reboot
+ - ssh 192.168.100.3 reboot
+ - ssh 192.168.100.4 reboot
+ - reboot
+
diff --git a/tasks/remove_mrzcpd_system_edit.yml b/tasks/remove_mrzcpd_system_edit.yml
new file mode 100644
index 0000000..77cbb92
--- /dev/null
+++ b/tasks/remove_mrzcpd_system_edit.yml
@@ -0,0 +1,9 @@
+- hosts:
+ - adc_mcn0
+ - adc_mcn1
+ - adc_mcn2
+ - adc_mcn3
+ remote_user: root
+ tasks:
+ - name: 'remove mrzcpd system edit memory config'
+ shell: rm /etc/systemd/system/mrzcpd.service.d/memory.conf
diff --git a/tasks/reset_maat_redis.yml b/tasks/reset_maat_redis.yml
new file mode 100644
index 0000000..90ef462
--- /dev/null
+++ b/tasks/reset_maat_redis.yml
@@ -0,0 +1,5 @@
+- hosts: adc_mcn3
+ remote_user: root
+ tasks:
+ - name: 'reset maat-redis'
+ shell: systemctl daemon-reload; systemctl reset-failed maat-redis
diff --git a/tasks/restart_process/restart_adc-exporter-systemd.yml b/tasks/restart_process/restart_adc-exporter-systemd.yml
new file mode 100644
index 0000000..625abba
--- /dev/null
+++ b/tasks/restart_process/restart_adc-exporter-systemd.yml
@@ -0,0 +1,15 @@
+- hosts:
+ - adc_mxn
+ - adc_mcn0
+ - adc_mcn1
+ - adc_mcn2
+ - adc_mcn3
+ remote_user: root
+ tasks:
+ - name: 'adc-exporter-systemd service start'
+ systemd:
+ name: adc-exporter-systemd
+ enabled: yes
+ daemon_reload: yes
+ state: restarted
+
diff --git a/tasks/restart_process/restart_certstore.yml b/tasks/restart_process/restart_certstore.yml
new file mode 100644
index 0000000..ddb1baf
--- /dev/null
+++ b/tasks/restart_process/restart_certstore.yml
@@ -0,0 +1,11 @@
+- hosts:
+ - adc_mcn0
+ remote_user: root
+ tasks:
+ - name: 'certstore service start'
+ systemd:
+ name: certstore
+ enabled: yes
+ daemon_reload: yes
+ state: restarted
+
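Review bot: The `ssh 192.168.100.N reboot` items in reboot_adc_mcn_by_ssh.yml depend on an unattended root-to-root SSH trust from the mxn host to each mcn, and as written `ssh` can block on a host-key or password prompt because nothing forces non-interactive mode; `ignore_errors: true` then hides whether any node rebooted. If the hop through mxn is required, `ssh -o BatchMode=yes -o ConnectTimeout=10 192.168.100.1 reboot` fails fast instead of hanging, and the mcn host keys should already be pinned in root's `known_hosts` on mxn rather than accepted on first use. Where the mcn hosts are reachable from the controller, the `reboot:` module used in reboot_adc.yml avoids the nested trust entirely. The last item, a bare `reboot` on mxn, drops the Ansible connection mid-task; the `reboot` module handles that reconnect.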
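Review bot: `shell: rm /etc/systemd/system/mrzcpd.service.d/memory.conf` in remove_mrzcpd_system_edit.yml fails on a second run once the file is gone, and systemd keeps the removed drop-in loaded until a daemon-reload, which this play never issues. The `file:` module with `path: /etc/systemd/system/mrzcpd.service.d/memory.conf` and `state: absent` (the form uninstall_maat_redis.yml already uses) is idempotent, and a following `systemd:` task with `daemon_reload: yes` applies the change. stop_telegraf_collect.yml and uninstall_node-exporter.yml remove unit files with `shell: rm …` as well. In stop_telegraf_collect.yml the `;` chain returns only the status of the final `systemctl daemon-reload`, so a failed `rm` goes unreported.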
diff --git a/tasks/restart_process/restart_mrzcpd.yml b/tasks/restart_process/restart_mrzcpd.yml
new file mode 100644
index 0000000..39e12ed
--- /dev/null
+++ b/tasks/restart_process/restart_mrzcpd.yml
@@ -0,0 +1,14 @@
+- hosts:
+ - adc_mcn0
+ - adc_mcn1
+ - adc_mcn2
+ - adc_mcn3
+ remote_user: root
+ tasks:
+ - name: 'mrzcpd service start'
+ systemd:
+ name: mrzcpd
+ enabled: yes
+ daemon_reload: yes
+ state: restarted
+
diff --git a/tasks/restart_process/restart_process.yml b/tasks/restart_process/restart_process.yml
new file mode 100644
index 0000000..4df97bd
--- /dev/null
+++ b/tasks/restart_process/restart_process.yml
@@ -0,0 +1,7 @@
+---
+- include: restart_telegraf_statistic.yml
+- include: restart_mrzcpd.yml
+- include: restart_sapp.yml
+- include: restart_certstore.yml
+- include: restart_tfe.yml
+- include: restart_adc-exporter-systemd.yml
diff --git a/tasks/restart_process/restart_sapp.yml b/tasks/restart_process/restart_sapp.yml
new file mode 100644
index 0000000..71775fd
--- /dev/null
+++ b/tasks/restart_process/restart_sapp.yml
@@ -0,0 +1,11 @@
+- hosts:
+ - adc_mcn0
+ remote_user: root
+ tasks:
+ - name: 'sapp service start'
+ systemd:
+ name: sapp
+ enabled: yes
+ daemon_reload: yes
+ state: restarted
+
diff --git a/tasks/restart_process/restart_sapp_tfe_certstore.yml b/tasks/restart_process/restart_sapp_tfe_certstore.yml
new file mode 100644
index 0000000..dd10ef2
--- /dev/null
+++ b/tasks/restart_process/restart_sapp_tfe_certstore.yml
@@ -0,0 +1,4 @@
+---
+- include: restart_sapp.yml
+- include: restart_certstore.yml
+- include: restart_tfe.yml
diff --git a/tasks/restart_process/restart_telegraf_statistic.yml b/tasks/restart_process/restart_telegraf_statistic.yml
new file mode 100644
index 0000000..da182db
--- /dev/null
+++ b/tasks/restart_process/restart_telegraf_statistic.yml
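Review bot: `- include: restart_mrzcpd.yml` in restart_process.yml pulls in whole plays at playbook level, a use of `include` that Ansible deprecated in favour of `import_playbook` and that newer ansible-core releases reject. `- import_playbook: restart_mrzcpd.yml`, and likewise for the other five entries, keeps the file working across versions; restart_sapp_tfe_certstore.yml needs the same change. Which Ansible version this repository targets is not visible here, so treat this as a compatibility note.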
@@ -0,0 +1,11 @@
+- hosts:
+ - adc_mcn0
+ remote_user: root
+ tasks:
+ - name: 'telegraf_statistic service start'
+ systemd:
+ name: telegraf_statistic
+ enabled: yes
+ daemon_reload: yes
+ state: restarted
+
diff --git a/tasks/restart_process/restart_tfe.yml b/tasks/restart_process/restart_tfe.yml
new file mode 100644
index 0000000..2754d8f
--- /dev/null
+++ b/tasks/restart_process/restart_tfe.yml
@@ -0,0 +1,13 @@
+- hosts:
+ - adc_mcn1
+ - adc_mcn2
+ - adc_mcn3
+ remote_user: root
+ tasks:
+ - name: 'tfe service start'
+ systemd:
+ name: tfe
+ enabled: yes
+ daemon_reload: yes
+ state: restarted
+
diff --git a/tasks/stop_telegraf_collect.yml b/tasks/stop_telegraf_collect.yml
new file mode 100644
index 0000000..3c3f2b4
--- /dev/null
+++ b/tasks/stop_telegraf_collect.yml
@@ -0,0 +1,15 @@
+- hosts:
+ - adc_mcn0
+ - adc_mcn1
+ - adc_mcn2
+ - adc_mcn3
+ remote_user: root
+ tasks:
+ - name: 'mcn* stop telegraf_collect service'
+ systemd:
+ name: telegraf_collect
+ state: stopped
+ enabled: no
+
+ - name: 'telegraf_collect config file and service file'
+ shell: rm /etc/telegraf/telegraf_collect.conf; rm /usr/lib/systemd/system/telegraf_collect.service; systemctl daemon-reload
diff --git a/tasks/uninstall/uninstall_maat_redis.yml b/tasks/uninstall/uninstall_maat_redis.yml
new file mode 100644
index 0000000..378f031
--- /dev/null
+++ b/tasks/uninstall/uninstall_maat_redis.yml
@@ -0,0 +1,24 @@
+- hosts: host_uninstall_redis
+ remote_user: root
+ tasks:
+ - name: "maat-redis-uninstall: stop maat-redis service"
+ systemd:
+ name: "{{ item }}"
+ state: stopped
+ with_items:
+ - maat-redis.service
+ - redis.service
+
+ - name: "maat-redis-uninstall: rm maat-redis.conf and maat-redis.service"
+ file:
+ path: "{{ item }}"
+ state: absent
+ with_items:
+ - /etc/maat-redis.conf
+ - /usr/lib/systemd/system/maat-redis.service
+
+ - name: remove redis
+ yum:
+ name: redis
+ state: absent
+
diff --git a/tasks/uninstall/uninstall_node-exporter.yml b/tasks/uninstall/uninstall_node-exporter.yml
new file mode 100644
index 0000000..e30e809
--- /dev/null
+++ b/tasks/uninstall/uninstall_node-exporter.yml
@@ -0,0 +1,26 @@
+- hosts: adc_mxn
+ remote_user: root
+ tasks:
+
+ - name: "stop node-exporter service"
+ shell: systemctl stop node-exporter
+ ignore_errors: true
+
+ - name: "disable node-exporter service"
+ shell: systemctl disable node-exporter
+ ignore_errors: true
+
+ - name: "remove node-exporter service"
+ shell: rm /usr/lib/systemd/system/node-exporter.service
+ ignore_errors: true
+
+ - name: 'reset node-exporter in mxn'
+ shell: systemctl daemon-reload; systemctl reset-failed node-exporter
+ ignore_errors: true
+
+
+ - name: 'start adc-exporter-node service'
+ systemd:
+ name: adc-exporter-node
+ state: started
+ enabled: yes
diff --git a/tasks/uninstall/uninstall_redis40u.yml b/tasks/uninstall/uninstall_redis40u.yml
new file mode 100644
index 0000000..54f54c6
--- /dev/null
+++ b/tasks/uninstall/uninstall_redis40u.yml
@@ -0,0 +1,14 @@
+- hosts: adc_mcn3
+ remote_user: root
+ tasks:
+ - name: 'redis service stop'
+ systemd:
+ name: redis
+ enabled: no
+ daemon_reload: yes
+ state: stopped
+
+ - name: remove the redis40u
+ yum:
+ name: redis40u
+ state: absent
diff --git a/tasks/uninstall/uninstall_rpm_node-exporter.yml b/tasks/uninstall/uninstall_rpm_node-exporter.yml
new file mode 100644
index 0000000..07955c7
--- /dev/null
+++ b/tasks/uninstall/uninstall_rpm_node-exporter.yml
@@ -0,0 +1,7 @@
+- hosts: adc_mxn
+ remote_user: root
+ tasks:
+ - name: remove the node-exporter
+ yum:
+ name: node-exporter
+ state: absent
diff --git a/tasks/verify/verify_process_md5_hash.yml b/tasks/verify/verify_process_md5_hash.yml
new file mode 100644
index 0000000..1163412
--- /dev/null
+++ b/tasks/verify/verify_process_md5_hash.yml
@@ -0,0 +1,13 @@
+- hosts: adc_mcn0
+ remote_user: root
+ tasks:
+ - name: "verify sapp md5 in mcn0"
+ shell: md5sum /home/mesasoft/sapp_run/sapp
+ register: sapp_md5sum
+
+ - name: assert
+ assert:
+ that:
+ - sapp_md5sum.stdout.find('1ca2eb92e4269066c6a056e41bb394b3') != -1
+ fail_msg: "FAIL"
+ success_msg: "PASS"
diff --git a/tasks/verify/verify_systemctl_sapp.yml b/tasks/verify/verify_systemctl_sapp.yml
new file mode 100644
index 0000000..37c0496
--- /dev/null
+++ b/tasks/verify/verify_systemctl_sapp.yml
@@ -0,0 +1,13 @@
+- hosts: adc_mcn0
+ remote_user: root
+ tasks:
+ - name: "register systemctl status sapp result"
+ shell: systemctl status sapp
+ register: sapp_results
+
+ - name: assert
+ assert:
+ that:
+ - sapp_results.stdout.find('active (running)') != -1
+ fail_msg: "FAIL"
+ success_msg: "PASS"
diff --git a/tasks/verify/verify_systemctl_tfe.yml b/tasks/verify/verify_systemctl_tfe.yml
new file mode 100644
index 0000000..4204c15
--- /dev/null
+++ b/tasks/verify/verify_systemctl_tfe.yml
@@ -0,0 +1,16 @@
+- hosts:
+ - adc_mcn1
+ - adc_mcn2
+ - adc_mcn3
+ remote_user: root
+ tasks:
+ - name: "register systemctl status tfe result"
+ shell: systemctl status tfe
+ register: tfe_results
+
+ - name: assert
+ assert:
+ that:
+ - tfe_results.stdout.find('active (running)') != -1
+ fail_msg: "FAIL"
+ success_msg: "PASS"
diff --git a/tasks/verify/verify_tfe_md5_hash.yml b/tasks/verify/verify_tfe_md5_hash.yml
new file mode 100644
index 0000000..80e23be
--- /dev/null
+++ b/tasks/verify/verify_tfe_md5_hash.yml
@@ -0,0 +1,16 @@
+- hosts:
+ - adc_mcn1
+ - adc_mcn2
+ - adc_mcn3
+ remote_user: root
+ tasks:
+ - name: "verify tfe md5 in mcn0"
+ shell: md5sum /opt/tsg/tfe/bin/tfe
+ register: tfe_md5sum
+
+ - name: assert
+ assert:
+ that:
+ - tfe_md5sum.stdout.find('0f45d2844dbff2edbde44bab0359cead') != -1
+ fail_msg: "FAIL"
+ success_msg: "PASS"
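Review bot: The check in verify_process_md5_hash.yml compares an MD5 digest, which catches a truncated copy but does not resist deliberate substitution, since MD5 collisions are practical; if this playbook is meant to confirm that the deployed `sapp` binary is the released one, it should use SHA-256. The `stat` module can compute the digest without a shell, and the assert can compare for equality instead of `stdout.find(...) != -1`. The expected value is better supplied per release from a vars file than hard-coded in the task. verify_tfe_md5_hash.yml has the same pattern. `sapp_expected_sha256` below is a placeholder variable name.

```yaml
    - name: "verify sapp sha256 in mcn0"
      stat:
        path: /home/mesasoft/sapp_run/sapp
        checksum_algorithm: sha256
      register: sapp_stat

    - name: assert
      assert:
        that:
          - sapp_stat.stat.exists
          - sapp_stat.stat.checksum == sapp_expected_sha256
        # ... unchanged: fail_msg / success_msg ...
```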
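Review bot: `shell: systemctl status sapp` in verify_systemctl_sapp.yml exits non-zero whenever the unit is not running, so the task itself fails and the following `assert` with `fail_msg: "FAIL"` is never reached; the assert can only ever print PASS. Using `command: systemctl is-active sapp` with `failed_when: false` and `changed_when: false`, then asserting `sapp_results.stdout == 'active'`, lets the assert carry the verdict. verify_systemctl_tfe.yml is written the same way.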
diff --git a/tasks/verify/verify_tsg_diagnose.yml b/tasks/verify/verify_tsg_diagnose.yml
new file mode 100644
index 0000000..0a927bb
--- /dev/null
+++ b/tasks/verify/verify_tsg_diagnose.yml
@@ -0,0 +1,13 @@
+- hosts: adc_mcn0
+ remote_user: root
+ tasks:
+ - name: "register tsg-diagnose exec result"
+ shell: docker exec -it unittest_tsg-diagnose /bin/sh -c 'python3 /root/unittest/tsg_diagnose.py'
+ register: tsgdiagnoseresults
+
+ - name: assert
+ assert:
+ that:
+ - tsgdiagnoseresults.stdout.find('FAIL') == -1
+ fail_msg: "FAIL"
+ success_msg: "PASS"
diff --git a/tasks/verify/verify_tsg_diagnose_once.yml b/tasks/verify/verify_tsg_diagnose_once.yml
new file mode 100644
index 0000000..9b8f9ae
--- /dev/null
+++ b/tasks/verify/verify_tsg_diagnose_once.yml
@@ -0,0 +1,31 @@
+- hosts: adc_mcn0
+ remote_user: root
+ tasks:
+ - name: 'mcn0 start tsg-diagnose service'
+ systemd:
+ name: tsg-diagnose
+ state: started
+ enabled: yes
+
+- hosts: adc_mcn0
+ remote_user: root
+ tasks:
+ - name: "register tsg-diagnose exec result"
+ shell: docker exec -it unittest_tsg-diagnose /bin/sh -c 'python3 /root/unittest/tsg_diagnose.py'
+ register: tsgdiagnoseresults
+
+ - name: assert
+ assert:
+ that:
+ - tsgdiagnoseresults.stdout.find('FAIL') == -1
+ fail_msg: "FAIL"
+ success_msg: "PASS"
+
+- hosts: adc_mcn0
+ remote_user: root
+ tasks:
+ - name: 'mcn0 stop tsg-diagnose service'
+ systemd:
+ name: tsg-diagnose
+ state: stopped
+ enabled: no
diff --git a/uninstall/roles/backup_framework_config/tasks/main.yml b/uninstall/roles/backup_framework_config/tasks/main.yml
deleted file mode 100644
index 9bc9482..0000000
--- a/uninstall/roles/backup_framework_config/tasks/main.yml
+++ /dev/null
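Review bot: The assert `tsgdiagnoseresults.stdout.find('FAIL') == -1` in verify_tsg_diagnose.yml passes on empty output, so a diagnose script that prints nothing, or writes its failures to stderr, is reported as PASS. `docker exec -it` also requests a TTY, which Ansible's `shell` normally does not provide, so the command may abort with a not-a-TTY error before the script runs; dropping `-it` avoids that. Adding `- tsgdiagnoseresults.rc == 0` and a check for a positive marker (whatever success string tsg_diagnose.py prints, not visible here) closes the fail-open case. verify_tsg_diagnose_once.yml repeats the same two tasks.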
@@ -1,21 +0,0 @@ -- name: "create backup_dest_path" - file: - path: "{{ backup_dest_path }}" - state: directory - ignore_errors: true - -- name: "optMESA_{{ uninstall_version }}_{{ date }}.zip exist?" - shell: "ls {{ backup_dest_path }}/optMESA_{{ uninstall_version }}_{{ date }}.zip" - register: optMESA_directory - ignore_errors: true - -- name: "backup /opt/MESA to destination path" - archive: - path: /opt/MESA - dest: "{{ backup_dest_path }}/optMESA_{{ uninstall_version }}_{{ date }}.zip" - format: zip - when: - - optMESA_directory.rc != 0 - - backup.framework == 1 - ignore_errors: true - diff --git a/uninstall/roles/backup_marsio_config/tasks/main.yml b/uninstall/roles/backup_marsio_config/tasks/main.yml deleted file mode 100644 index 99804d8..0000000 --- a/uninstall/roles/backup_marsio_config/tasks/main.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: "create backup_dest_path" - file: - path: "{{ backup_dest_path }}" - state: directory - ignore_errors: true - -- name: "mrzcpd_{{ uninstall_version }}_{{ date }}.zip exist?" - shell: "ls {{ backup_dest_path }}/mrzcpd_{{ uninstall_version }}_{{ date }}.zip" - register: mrzcpd_directory - ignore_errors: true - -- name: "backup /opt/mrzcpd to destination path" - archive: - path: /opt/mrzcpd - dest: "{{ backup_dest_path }}/mrzcpd_{{ uninstall_version }}_{{ date }}.zip" - format: zip - when: - - mrzcpd_directory.rc != 0 - - backup.marsio == 1 - ignore_errors: true diff --git a/uninstall/roles/backup_sapp_config/tasks/main.yml b/uninstall/roles/backup_sapp_config/tasks/main.yml deleted file mode 100644 index b799c4f..0000000 --- a/uninstall/roles/backup_sapp_config/tasks/main.yml +++ /dev/null 
@@ -1,82 +0,0 @@ -- name: "create backup_dest_path" - file: - path: "{{ backup_dest_path }}" - state: directory - ignore_errors: true - -- name: "sapp_etc_{{ uninstall_version }}_{{ date }}.zip exist?" - shell: "ls {{ backup_dest_path }}/sapp_etc_{{ uninstall_version }}_{{ date }}.zip" - register: sapp_etc - ignore_errors: true - -- name: "sapp_plug_{{ uninstall_version }}_{{ date }}.zip exist?" - shell: "ls {{ backup_dest_path }}/sapp_plug_{{ uninstall_version }}_{{ date }}.zip" - register: sapp_plug - ignore_errors: true - -- name: "sapp_tsgconf_{{ uninstall_version }}_{{ date }}.zip exist?" - shell: "ls {{ backup_dest_path }}/sapp_tsgconf_{{ uninstall_version }}_{{ date }}.zip" - register: sapp_tsgconf - ignore_errors: true - -- name: "sapp_appconf_{{ uninstall_version }}_{{ date }}.zip exist?" - shell: "ls {{ backup_dest_path }}/sapp_appconf_{{ uninstall_version }}_{{ date }}.zip" - register: sapp_appconf - ignore_errors: true - -- name: "sapp_conf_{{ uninstall_version }}_{{ date }}.zip exist?" 
- shell: "ls {{ backup_dest_path }}/sapp_conf_{{ uninstall_version }}_{{ date }}.zip" - register: sapp_conf - ignore_errors: true - -- name: "backup sapp_run/etc to destination path" - archive: - path: /home/mesasoft/sapp_run/etc - dest: "{{ backup_dest_path }}/sapp_etc_{{ uninstall_version }}_{{ date }}.zip" - format: zip - when: - - sapp_etc.rc != 0 - - backup.sapp_etc == 1 - ignore_errors: true - -- name: "backup sapp_run/plug to destination path" - archive: - path: /home/mesasoft/sapp_run/plug - dest: "{{ backup_dest_path }}/sapp_plug_{{ uninstall_version }}_{{ date }}.zip" - format: zip - when: - - sapp_plug.rc != 0 - - backup.sapp_plug == 1 - ignore_errors: true - -- name: "backup sapp_run/tsgconf/ to destination path" - archive: - path: /home/mesasoft/sapp_run/tsgconf - dest: "{{ backup_dest_path }}/sapp_tsgconf_{{ uninstall_version }}_{{ date }}.zip" - format: zip - when: - - sapp_tsgconf.rc != 0 - - backup.sapp_tsgconf == 1 - ignore_errors: true - -- name: "backup sapp_run/appconf/ to destination path" - archive: - path: /home/mesasoft/sapp_run/appconf - dest: "{{ backup_dest_path }}/sapp_appconf_{{ uninstall_version }}_{{ date }}.zip" - format: zip - when: - - sapp_appconf.rc != 0 - - backup.sapp_appconf == 1 - ignore_errors: true - -- name: "backup sapp_run/conf/ to destination path" - archive: - path: /home/mesasoft/sapp_run/conf - dest: "{{ backup_dest_path }}/sapp_conf_{{ uninstall_version }}_{{ date }}.zip" - format: zip - when: - - sapp_conf.rc != 0 - - backup.sapp_conf == 1 - ignore_errors: true - - diff --git a/uninstall/roles/backup_tfe_config/tasks/main.yml b/uninstall/roles/backup_tfe_config/tasks/main.yml deleted file mode 100644 index 4774ae5..0000000 --- a/uninstall/roles/backup_tfe_config/tasks/main.yml +++ /dev/null 
@@ -1,20 +0,0 @@ -- name: "create backup_dest_path" - file: - path: "{{ backup_dest_path }}" - state: directory - ignore_errors: true - -- name: "tfe_conf_{{ uninstall_version }}_{{ date }}.zip exist?" - shell: "ls {{ backup_dest_path }}/tfe_conf_{{ uninstall_version }}_{{ date }}.zip" - register: tfeconf_directory - ignore_errors: true - -- name: "backup /opt/tsg/tfe/conf to destination path" - archive: - path: /opt/tsg/tfe/conf - dest: "{{ backup_dest_path }}/tfe_conf_{{ uninstall_version }}_{{ date }}.zip" - format: zip - when: - - tfeconf_directory.rc != 0 - - backup.tfe == 1 - ignore_errors: true diff --git a/uninstall/roles/backup_tsgenv_config/tasks/main.yml b/uninstall/roles/backup_tsgenv_config/tasks/main.yml deleted file mode 100644 index 40c61ac..0000000 --- a/uninstall/roles/backup_tsgenv_config/tasks/main.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: "create backup_dest_path" - file: - path: "{{ backup_dest_path }}" - state: directory - ignore_errors: true - -- name: "tsg_env_{{ uninstall_version }}_{{ date }}.zip exist?" - shell: "ls {{ backup_dest_path }}/tsg_env_{{ uninstall_version }}_{{ date }}.zip" - register: tsgenv_directory - ignore_errors: true - -- name: "backup /opt/tsg/env to destination path" - archive: - path: /opt/tsg/env - dest: "{{ backup_dest_path }}/tsg_env_{{ uninstall_version }}_{{ date }}.zip" - format: zip - when: - - tsgenv_directory.rc != 0 - - backup.tsg_env == 1 - ignore_errors: true diff --git a/uninstall/roles/cert_redis/tasks/main.yml b/uninstall/roles/cert_redis/tasks/main.yml deleted file mode 100644 index d463140..0000000 --- a/uninstall/roles/cert_redis/tasks/main.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: "[uninstall cert_redis] stop cert-redis" - systemd: - name: cert-redis - state: stopped - enabled: no - when: uninstall.certredis == 1 - ignore_errors: true diff --git a/uninstall/roles/certstore/tasks/main.yml b/uninstall/roles/certstore/tasks/main.yml deleted file mode 100644 index 006cb80..0000000 
--- a/uninstall/roles/certstore/tasks/main.yml +++ /dev/null @@ -1,16 +0,0 @@ -- name: "[uninstall certstore] stop certstore" - systemd: - name: certstore - state: stopped - enabled: no - when: - - uninstall.certstore == 1 - ignore_errors: true - -- name: "[uninstall certstore] uninstall certstore" - yum: - name: - - "{{ certstore }}" - state: absent - when: uninstall.certstore == 1 - diff --git a/uninstall/roles/clotho/tasks/main.yml b/uninstall/roles/clotho/tasks/main.yml deleted file mode 100644 index 9c19251..0000000 --- a/uninstall/roles/clotho/tasks/main.yml +++ /dev/null @@ -1,16 +0,0 @@ -#################### -#Uninstall clotho -- name: "[uninstall clotho] stop clotho" - systemd: - name: clotho - state: stopped - enabled: no - when: uninstall.clotho == 1 - ignore_errors: true - -- name: "[uninstall clotho] uninstall clotho" - yum: - name: - - "{{ clotho }}" - state: absent - when: uninstall.clotho == 1 diff --git a/uninstall/roles/firewall/tasks/main.yml b/uninstall/roles/firewall/tasks/main.yml deleted file mode 100644 index 7b36ca3..0000000 --- a/uninstall/roles/firewall/tasks/main.yml +++ /dev/null 
@@ -1,72 +0,0 @@ -#################### -#Uninstall firewall -- name: "[uninstall firewall] stop sapp" - systemd: - name: sapp - state: stopped - enabled: no - when: - - uninstall.firewall == 1 - ignore_errors: true - -- name: "[uninstall firewall] create /home/mesasoft/sapp_runetc/" - file: - path: /home/mesasoft/sapp_runetc/ - state: directory - when: uninstall.firewall == 1 - -- name: "[uninstall firewall] create entrylist.conf" - file: - path: /home/mesasoft/sapp_runetc/entrylist.conf - state: touch - when: uninstall.firewall == 1 - -- name: "[uninstall firewall] uninstall firewall" - yum: - name: - - "{{ capture_packet_plug }}" - - "{{ dns }}" - - "{{ ftp }}" - - "{{ http }}" - - "{{ quic }}" - - "{{ ssl }}" - - "{{ mail }}" - - "{{ fw_dns }}" - - "{{ fw_ftp }}" - - "{{ fw_http }}" - - "{{ fw_ssl }}" - - "{{ fw_mail }}" - state: absent - when: uninstall.firewall == 1 - -- name: "[uninstall firewall] uninstall fw_quic" - yum: - name: - - "{{ fw_quic }}" - state: absent - when: uninstall.firewall == 1 - ignore_errors: true - -- name: "[uninstall firewall] uninstall tsg_conn_record" - yum: - name: - - "{{ tsg_conn_record }}" - state: absent - when: uninstall.firewall == 1 - ignore_errors: true - -- name: "[uninstall firewall] uninstall tsg_conn_sketch" - yum: - name: - - "{{ tsg_conn_sketch }}" - state: absent - when: uninstall.firewall == 1 - ignore_errors: true - - -- name: "[uninstall firewall] remove /home/mesasoft/sapp_runetc" - file: - path: /home/mesasoft/sapp_runetc - state: absent - when: uninstall.firewall == 1 - diff --git a/uninstall/roles/framework/tasks/main.yml b/uninstall/roles/framework/tasks/main.yml deleted file mode 100644 index 8604367..0000000 --- a/uninstall/roles/framework/tasks/main.yml +++ /dev/null 
@@ -1,40 +0,0 @@ -- name: "[uninstall framework] create project_list.conf" - file: - path: /home/mesasoft/sapp_run/etc/project_list.conf - state: touch - when: uninstall.framework == 1 - ignore_errors: true - -- name: "[uninstall framework] create conflist.inf" - file: - path: /home/mesasoft/sapp_run/plug/conflist.inf - state: touch - when: uninstall.framework == 1 - ignore_errors: true - -- name: "[uninstall framework] uninstall framework" - yum: - name: - - "{{ libcjson }}" - - "{{ libdocument }}" - - "{{ libmaatframe }}" - - "{{ libMESA_field_stat }}" - - "{{ libMESA_field_stat2 }}" - - "{{ libMESA_handle_logger }}" - - "{{ libMESA_htable }}" - - "{{ libMESA_prof_load }}" - - "{{ librdkafka }}" - - "{{ librulescan }}" - - "{{ libwiredcfg }}" - - "{{ libWiredLB }}" - - "{{ lz4 }}" - state: absent - when: uninstall.framework == 1 - -- name: "[uninstall framework] uninstall framework" - yum: - name: - - "{{ libtsglua }}" - state: absent - when: uninstall.framework == 1 - ignore_errors: true diff --git a/uninstall/roles/http_healthcheck/tasks/main.yml b/uninstall/roles/http_healthcheck/tasks/main.yml deleted file mode 100644 index 27cedc7..0000000 --- a/uninstall/roles/http_healthcheck/tasks/main.yml +++ /dev/null @@ -1,9 +0,0 @@ -#################### -#Uninstall http_healthcheck -- name: "[uninstall http_healthcheck] uninstall http_healthcheck" - yum: - name: - - "{{ http_healthcheck }}" - state: absent - when: uninstall.http_healthcheck == 1 - diff --git a/uninstall/roles/kernel/tasks/main.yml b/uninstall/roles/kernel/tasks/main.yml deleted file mode 100644 index d1755fc..0000000 --- a/uninstall/roles/kernel/tasks/main.yml +++ /dev/null 
@@ -1,23 +0,0 @@
-####################
-#Uninstall Kernel
-- name: "[uninstall kernel] reset default kernel"
- shell: grub2-set-default '{{ origin_kernel }}'
- when: uninstall.kernel == 1
-
-- name: "[uninstall kernel] reboot"
- reboot:
- when: uninstall.kernel == 1
-
-- name: "[uninstall kernel] uninstall tfe-kmod and kernel"
- yum:
- name:
- - "{{ tfe_kmod }}"
- - "{{ dkms }}"
- - "{{ kernel_ml }}"
- - "{{ kernel_ml_devel }}"
- - "{{ elfutils_libelf_devel }}"
- - "{{ zlib_devel }}"
- state: absent
- when: uninstall.kernel == 1
- ignore_errors: true
-
diff --git a/uninstall/roles/kni/tasks/main.yml b/uninstall/roles/kni/tasks/main.yml
deleted file mode 100644
index d0cbd3b..0000000
--- a/uninstall/roles/kni/tasks/main.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-####################
-#Uninstall kni
-- name: "[uninstall kni] stop sapp"
- systemd:
- name: sapp
- state: stopped
- enabled: no
- when:
- - uninstall.kni == 1
- ignore_errors: true
-
-- name: "[uninstall kni] uninstall kni"
- yum:
- name:
- - "{{ kni }}"
- state: absent
- when: uninstall.kni == 1
-
diff --git a/uninstall/roles/marsio/tasks/main.yml b/uninstall/roles/marsio/tasks/main.yml
deleted file mode 100644
index 8af7055..0000000
--- a/uninstall/roles/marsio/tasks/main.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-####################
-#Uninstall Marsio
-- name: "[uninstall marsio] stop mrzcpd"
- systemd:
- name: mrzcpd
- state: stopped
- enabled: no
- when:
- - uninstall.marsio == 1
- ignore_errors: true
-
-- name: "[uninstall marsio] stop mrtunnat"
- systemd:
- name: mrtunnat
- state: stopped
- enabled: no
- when:
- - uninstall.marsio == 1
- ignore_errors: true
-
-- name: "[uninstall marsio] uninstall mrzcpd"
- yum:
- name:
- - "{{ mrzcpd }}"
- state: absent
- when: uninstall.marsio == 1
diff --git a/uninstall/roles/package_list/20.06.1.yml b/uninstall/roles/package_list/20.06.1.yml
deleted file mode 100644
index ff6f8eb..0000000
--- a/uninstall/roles/package_list/20.06.1.yml
+++ /dev/null
@@ -1,82 +0,0 @@
-####################
-#marsio
-mrzcpd: mrzcpd-4.3.21.26314ca-1.el7.x86_64
-
-####################
-#kernel
-origin_kernel: CentOS Linux (3.10.0-693.el7.x86_64) 7 (Core)
-#默认为CentOS 7.4内核,如果系统版本变更,请手动更改origin_kernel值
-
-kernel_ml: kernel-ml-5.1.8-1.el7.elrepo.x86_64
-kernel_ml_devel: kernel-ml-devel-5.1.8-1.el7.elrepo.x86_64
-dkms: dkms-2.7.1-1.el7.noarch
-elfutils_libelf_devel: null
-pkgconfig: null
-zlib_devel: null
-
-####################
-#framework
-libcjson: libcjson-1.7.8.542ad7f-1.x86_64
-libdocument: libdocumentanalyze-2.0.4.efdfc29-1.x86_64
-libmaatframe: libmaatframe-2.9.2.7519c63-1.x86_64
-libMESA_field_stat: libMESA_field_stat-1.0.1.852c2df-1.x86_64
-libMESA_field_stat2: libMESA_field_stat2-2.9.0.16ecf3b-1.x86_64
-libMESA_handle_logger: libMESA_handle_logger-1.0.9.304259e-1.x86_64
-libMESA_htable: libMESA_htable-3.10.11.6275308-1.x86_64
-libMESA_prof_load: libMESA_prof_load-1.0.5.bf755de-1.x86_64
-librdkafka: librdkafka-0.11.4-1.el7.x86_64
-librulescan: librulescan-2.2.0.900d2b3-1.x86_64
-libwiredcfg: libwiredcfg-2.0.2.7ce1eea-1.x86_64
-libWiredLB: libWiredLB-2.0.3.c7d131b-1.x86_64
-lz4: lz4-1.7.5-3.el7.x86_64
-
-####################
-#sapp
-sapp: sapp-4.0.14.91cbc1b-1.x86_64
-
-####################
-#tsg_master
-tsg_master: tsg_master-1.3.3.65833d7-1.x86_64
-
-####################
-#kni
-kni: kni-20.06-1.el7.x86_64
-
-####################
-#firewall
-capture_packet_plug: capture_packet_plug-debug-1.0.0.-1.el7.x86_64
-dns: dns-2.0.2.5effe72-1.x86_64
-ftp: ftp-1.0.4.5d3a283-1.x86_64
-http: http-2.0.1.e8f12ee-1.x86_64
-quic: quic-1.1.4.9c2e0ba-1.x86_64
-ssl: ssl-1.0.0.73e5273-1.x86_64
-mail: mail-1.0.3.cbc6034-1.x86_64
-fw_dns: fw_dns_plug-debug-1.0.3.ea8e0f6-1.el7.centos.x86_64
-fw_ftp: fw_ftp_plug-1.1.0.74c9a05-1.x86_6
-fw_http: fw_http_plug-1.2.0.a7e63c0-1.x86_64
-fw_quic: fw_quic_plug-1.0.1.e8cded4-1.x86_64
-fw_ssl: fw_ssl_plug-1.0.3.30fcf35-1.x86_64
-fw_mail: fw_mail_plug-1.1.0.a42c5a0-1.x86_64
-tsg_conn_record: tsg_conn_record-1.0.0.2155660-1.el7.centos.x86_64
-tsg_conn_sketch: null
-
-####################
-#tfe
-tfe: tfe-4.3.5.0db794c-1.el7.x86_64
-tfe_kmod: tfe-kmod-v1.0.5.20200408-1dkms.noarch
-
-####################
-#http_healthcheck
-http_healthcheck: http_healthcheck-20.04-1.el7.x86_64
-
-#####################
-#clotho
-clotho: clotho-debug-1.0.0.-1.el7.x86_64
-
-#####################
-#certstore
-certstore: certstore-2.1.2.0f61dde-1.el7.centos.x86_64
-
-#####################
-#telegraf
-telegraf_statistic: telegraf-1.13.0-1.x86_64
diff --git a/uninstall/roles/package_list/20.07.rc1.yml b/uninstall/roles/package_list/20.07.rc1.yml
deleted file mode 100644
index 8646117..0000000
--- a/uninstall/roles/package_list/20.07.rc1.yml
+++ /dev/null
@@ -1,82 +0,0 @@
-####################
-#marsio
-mrzcpd: mrzcpd-4.3.25.d88306e-1.el7.x86_64
-
-####################
-#kernel
-origin_kernel: CentOS Linux (3.10.0-693.el7.x86_64) 7 (Core)
-#默认为CentOS 7.4内核,如果系统版本变更,请手动更改origin_kernel值
-
-kernel_ml: kernel-ml-5.1.8-1.el7.elrepo.x86_64
-kernel_ml_devel: kernel-ml-devel-5.1.8-1.el7.elrepo.x86_64
-dkms: dkms-2.7.1-1.el7.noarch
-elfutils_libelf_devel: null
-pkgconfig: null
-zlib_devel: null
-
-####################
-#framework
-libcjson: libcjson-1.7.8.542ad7f-1.x86_64
-libdocument: libdocumentanalyze-2.0.4.efdfc29-1.x86_64
-libmaatframe: libmaatframe-3.0.2.dc1fced-1.x86_64
-libMESA_field_stat: libMESA_field_stat-1.0.1.852c2df-1.x86_64
-libMESA_field_stat2: libMESA_field_stat2-2.9.0.16ecf3b-1.x86_64
-libMESA_handle_logger: libMESA_handle_logger-1.0.9.304259e-1.x86_64
-libMESA_htable: libMESA_htable-3.10.11.6275308-1.x86_64
-libMESA_prof_load: libMESA_prof_load-1.0.5.bf755de-1.x86_64
-librdkafka: librdkafka-0.11.4-1.el7.x86_64
-librulescan: librulescan-2.2.0.900d2b3-1.x86_64
-libwiredcfg: libwiredcfg-2.0.2.7ce1eea-1.x86_64
-libWiredLB: libWiredLB-2.0.3.c7d131b-1.x86_64
-lz4: lz4-1.7.5-3.el7.x86_64
-
-####################
-#sapp
-sapp: sapp-4.0.18.bb2effd-1.x86_64
-
-####################
-#tsg_master
-tsg_master: tsg_master-3.0.3.3c9cf15-1.x86_64
-
-####################
-#kni
-kni: kni-20.07-1.el7.x86_64
-
-####################
-#firewall
-capture_packet_plug: capture_packet_plug-3.0.2.09f193c-1.x86_64
-dns: dns-2.0.6.d8317e9-1.x86_64
-ftp: ftp-1.0.6.2710506-1.x86_64
-http: http-2.0.3.9218b4b-1.x86_64
-quic: quic-1.1.6.d6755d8-1.x86_64
-ssl: ssl-1.0.3.e8482a4-1.x86_64
-mail: mail-1.0.7.9e3be05-1.x86_64
-fw_dns: fw_dns_plug-3.0.0.0a5d574-1.x86_64
-fw_ftp: fw_ftp_plug-3.0.0.7a867ea-1.x86_64
-fw_http: fw_http_plug-3.0.0.1ca1c65-1.x86_64
-fw_quic: fw_quic_plug-3.0.0.b06d39c-1.x86_64
-fw_ssl: fw_ssl_plug-3.0.0.3a29c3f-1.x86_64
-fw_mail: fw_mail_plug-3.0.0.3b4e481-1.x86_64
-tsg_conn_record: tsg_conn_record-1.0.0.2155660-1.el7.centos.x86_64
-tsg_conn_sketch: tsg_conn_sketch-2.0.v2.0_alpha.af621ca-1.x86_64
-
-####################
-#tfe
-tfe: tfe-4.3.7.39bff00-1.el7.x86_64
-tfe_kmod: tfe-kmod-v1.0.5.20200408-1dkms.noarch
-
-####################
-#http_healthcheck
-http_healthcheck: http_healthcheck-20.04-1.el7.x86_64
-
-#####################
-#clotho
-clotho: clotho-debug-1.0.0.-1.el7.x86_64
-
-#####################
-#certstore
-certstore: certstore-2.1.2.0f61dde-1.el7.centos.x86_64
-
-#####################
-#telegraf
-telegraf_statistic: telegraf-1.13.0-1.x86_64
diff --git a/uninstall/roles/package_list/20.07.yml b/uninstall/roles/package_list/20.07.yml
deleted file mode 100644
index 73cea94..0000000
--- a/uninstall/roles/package_list/20.07.yml
+++ /dev/null
@@ -1,82 +0,0 @@
-####################
-#marsio
-mrzcpd: mrzcpd-4.3.25.d88306e-1.el7.x86_64
-
-####################
-#kernel
-origin_kernel: CentOS Linux (3.10.0-693.el7.x86_64) 7 (Core)
-#默认为CentOS 7.4内核,如果系统版本变更,请手动更改origin_kernel值
-
-kernel_ml: kernel-ml-5.1.8-1.el7.elrepo.x86_64
-kernel_ml_devel: kernel-ml-devel-5.1.8-1.el7.elrepo.x86_64
-dkms: dkms-2.7.1-1.el7.noarch
-elfutils_libelf_devel: null
-pkgconfig: null
-zlib_devel: null
-
-####################
-#framework
-libcjson: libcjson-1.7.8.542ad7f-1.x86_64
-libdocument: libdocumentanalyze-2.0.4.efdfc29-1.x86_64
-libmaatframe: libmaatframe-3.0.2.dc1fced-1.x86_64
-libMESA_field_stat: libMESA_field_stat-1.0.1.852c2df-1.x86_64
-libMESA_field_stat2: libMESA_field_stat2-2.9.0.16ecf3b-1.x86_64
-libMESA_handle_logger: libMESA_handle_logger-1.0.9.304259e-1.x86_64
-libMESA_htable: libMESA_htable-3.10.11.6275308-1.x86_64
-libMESA_prof_load: libMESA_prof_load-1.0.5.bf755de-1.x86_64
-librdkafka: librdkafka-0.11.4-1.el7.x86_64
-librulescan: librulescan-2.2.0.900d2b3-1.x86_64
-libwiredcfg: libwiredcfg-2.0.2.7ce1eea-1.x86_64
-libWiredLB: libWiredLB-2.0.3.c7d131b-1.x86_64
-lz4: lz4-1.7.5-3.el7.x86_64
-
-####################
-#sapp
-sapp: sapp-4.0.18.bb2effd-1.x86_64
-
-####################
-#tsg_master
-tsg_master: tsg_master-3.0.4.40fa047-1.x86_64
-
-####################
-#kni
-kni: kni-20.07-1.el7.x86_64
-
-####################
-#firewall
-capture_packet_plug: capture_packet_plug-3.0.2.09f193c-1.x86_64
-dns: dns-2.0.6.d8317e9-1.x86_64
-ftp: ftp-1.0.6.2710506-1.x86_64
-http: http-2.0.3.9218b4b-1.x86_64
-quic: quic-1.1.6.d6755d8-1.x86_64
-ssl: ssl-1.0.3.e8482a4-1.x86_64
-mail: mail-1.0.7.9e3be05-1.x86_64
-fw_dns: fw_dns_plug-3.0.0.0a5d574-1.x86_64
-fw_ftp: fw_ftp_plug-3.0.0.7a867ea-1.x86_64
-fw_http: fw_http_plug-3.0.0.1ca1c65-1.x86_64
-fw_quic: fw_quic_plug-3.0.0.b06d39c-1.x86_64
-fw_ssl: fw_ssl_plug-3.0.1.7ea9976-1.x86_64
-fw_mail: fw_mail_plug-3.0.0.3b4e481-1.x86_64
-tsg_conn_record: tsg_conn_record-1.0.0.2155660-1.el7.centos.x86_64
-tsg_conn_sketch: tsg_conn_sketch-2.0.v2.0_alpha.af621ca-1.x86_64
-
-####################
-#tfe
-tfe: tfe-4.3.8.11b62a2-1.el7.x86_64
-tfe_kmod: tfe-kmod-v1.0.5.20200408-1dkms.noarch
-
-####################
-#http_healthcheck
-http_healthcheck: http_healthcheck-20.04-1.el7.x86_64
-
-#####################
-#clotho
-clotho: clotho-debug-1.0.0.-1.el7.x86_64
-
-#####################
-#certstore
-certstore: certstore-2.1.2.0f61dde-1.el7.centos.x86_64
-
-#####################
-#telegraf
-telegraf_statistic: telegraf-1.13.0-1.x86_64
diff --git a/uninstall/roles/package_list/20.08.yml b/uninstall/roles/package_list/20.08.yml
deleted file mode 100644
index bad5cbf..0000000
--- a/uninstall/roles/package_list/20.08.yml
+++ /dev/null
@@ -1,82 +0,0 @@
-####################
-#marsio
-mrzcpd: mrzcpd-4.3.25.d88306e-1.el7.x86_64
-
-####################
-#kernel
-origin_kernel: CentOS Linux (3.10.0-693.el7.x86_64) 7 (Core)
-#默认为CentOS 7.4内核,如果系统版本变更,请手动更改origin_kernel值
-
-kernel_ml: kernel-ml-5.1.8-1.el7.elrepo.x86_64
-kernel_ml_devel: kernel-ml-devel-5.1.8-1.el7.elrepo.x86_64
-dkms: dkms-2.7.1-1.el7.noarch
-elfutils_libelf_devel: elfutils-libelf-devel-0.168-8.el7.x86_64
-pkgconfig: pkgconfig-0.27.1-4.el7.x86_64
-zlib_devel: zlib-devel-1.2.7-17.el7.x86_64
-
-####################
-#framework
-libcjson: libcjson-1.7.8.542ad7f-1.x86_64
-libdocument: libdocumentanalyze-2.0.4.efdfc29-1.x86_64
-libmaatframe: libmaatframe-3.0.3.5931b44-1.x86_64
-libMESA_field_stat: libMESA_field_stat-1.0.1.852c2df-1.x86_64
-libMESA_field_stat2: libMESA_field_stat2-2.9.0.16ecf3b-1.x86_64
-libMESA_handle_logger: libMESA_handle_logger-1.0.9.304259e-1.x86_64
-libMESA_htable: libMESA_htable-3.10.11.6275308-1.x86_64
-libMESA_prof_load: libMESA_prof_load-1.0.5.bf755de-1.x86_64
-librdkafka: librdkafka-0.11.4-1.el7.x86_64
-librulescan: librulescan-2.2.0.900d2b3-1.x86_64
-libwiredcfg: libwiredcfg-2.0.2.7ce1eea-1.x86_64
-libWiredLB: libWiredLB-2.0.3.c7d131b-1.x86_64
-lz4: lz4-1.7.5-3.el7.x86_64
-
-####################
-#sapp
-sapp: sapp-4.0.20.b59c12a-1.x86_64
-
-####################
-#tsg_master
-tsg_master: tsg_master-3.1.2.7002e1b-1.x86_64
-
-####################
-#kni
-kni: kni-20.07-1.el7.x86_64
-
-####################
-#firewall
-capture_packet_plug: capture_packet_plug-3.0.2.09f193c-1.x86_64
-dns: dns-2.0.6.d8317e9-1.x86_64
-ftp: ftp-1.0.6.2710506-1.x86_64
-http: http-2.0.3.9218b4b-1.x86_64
-quic: quic-1.1.6.d6755d8-1.x86_64
-ssl: ssl-1.0.3.e8482a4-1.x86_64
-mail: mail-1.0.7.9e3be05-1.x86_64
-fw_dns: fw_dns_plug-3.0.0.0a5d574-1.x86_64
-fw_ftp: fw_ftp_plug-3.0.0.7a867ea-1.x86_64
-fw_http: fw_http_plug-3.0.0.1ca1c65-1.x86_64
-fw_quic: fw_quic_plug-3.0.0.b06d39c-1.x86_64
-fw_ssl: fw_ssl_plug-3.0.1.7ea9976-1.x86_64
-fw_mail: fw_mail_plug-3.0.0.3b4e481-1.x86_64
-tsg_conn_record: tsg_conn_record-1.0.2.2afb19a-1.x86_64
-tsg_conn_sketch: tsg_conn_sketch-2.0.v2.0_alpha.af621ca-1.x86_64
-
-####################
-#tfe
-tfe: tfe-4.3.9.4d7957e-1.el7.x86_64
-tfe_kmod: tfe-kmod-v1.0.5.20200408-1dkms.noarch
-
-####################
-#http_healthcheck
-http_healthcheck: http_healthcheck-20.04-1.el7.x86_64
-
-#####################
-#clotho
-clotho: clotho-debug-1.0.0.-1.el7.x86_64
-
-#####################
-#certstore
-certstore: certstore-2.1.2.20200828.f507b3e-1.el7.x86_64
-
-#####################
-#telegraf
-telegraf_statistic: telegraf-1.13.0-1.x86_64
diff --git a/uninstall/roles/package_list/20.09.yml b/uninstall/roles/package_list/20.09.yml
deleted file mode 100644
index 02c6ea0..0000000
--- a/uninstall/roles/package_list/20.09.yml
+++ /dev/null
@@ -1,93 +0,0 @@
-####################
-#marsio
-mrzcpd: mrzcpd-4.3.25.d88306e-1.el7.x86_64
-
-####################
-#kernel
-origin_kernel: CentOS Linux (3.10.0-693.el7.x86_64) 7 (Core)
-#默认为CentOS 7.4内核,如果系统版本变更,请手动更改origin_kernel值
-
-kernel_ml: kernel-ml-5.1.8-1.el7.elrepo.x86_64
-kernel_ml_devel: kernel-ml-devel-5.1.8-1.el7.elrepo.x86_64
-dkms: dkms-2.7.1-1.el7.noarch
-elfutils_libelf_devel: elfutils-libelf-devel-0.168-8.el7.x86_64
-pkgconfig: pkgconfig-0.27.1-4.el7.x86_64
-zlib_devel: zlib-devel-1.2.7-17.el7.x86_64
-
-####################
-#framework
-libcjson: libcjson-1.7.8.542ad7f-1.x86_64
-libdocument: libdocumentanalyze-2.0.4.efdfc29-1.x86_64
-libmaatframe: libmaatframe-3.0.7.34de556-1.x86_64
-libMESA_field_stat: libMESA_field_stat-1.0.1.852c2df-1.x86_64
-libMESA_field_stat2: libMESA_field_stat2-2.9.1.d80b5fb-1.x86_64
-libMESA_handle_logger: libMESA_handle_logger-2.0.4.1502550-1.x86_64
-libMESA_htable: libMESA_htable-3.10.11.6275308-1.x86_64
-libMESA_prof_load: libMESA_prof_load-1.0.5.bf755de-1.x86_64
-librdkafka: librdkafka-0.11.4-1.el7.x86_64
-librulescan: librulescan-2.2.0.900d2b3-1.x86_64
-libwiredcfg: libwiredcfg-2.0.2.7ce1eea-1.x86_64
-libWiredLB: libWiredLB-2.0.3.c7d131b-1.x86_64
-lz4: lz4-1.7.5-3.el7.x86_64
-libtsglua: libtsglua-1.0.7.0864e4a-1.x86_64
-
-####################
-#sapp
-sapp: sapp-4.1.7.4f2839a-1.x86_64
-
-####################
-#tsg_master
-tsg_master: tsg_master-3.2.9.d1a6f00-1.x86_64
-
-####################
-#kni
-kni: kni-20.09-1.el7.x86_64
-
-####################
-#firewall
-capture_packet_plug: capture_packet_plug-3.0.2.09f193c-1.x86_64
-dns: dns-2.0.8.beb1d09-1.x86_64
-ftp: ftp-1.0.6.2710506-1.x86_64
-http: http-2.0.3.9218b4b-1.x86_64
-quic: quic-1.1.9.810857d-1.x86_64
-ssl: ssl-1.0.8.0068bd9-1.x86_64
-mail: mail-1.0.7.9e3be05-1.x86_64
-fw_dns: fw_dns_plug-3.0.1.453c533-1.x86_64
-fw_ftp: fw_ftp_plug-3.0.0.7a867ea-1.x86_64
-fw_http: fw_http_plug-3.0.0.1ca1c65-1.x86_64
-fw_quic: fw_quic_plug-3.0.0.b06d39c-1.x86_64
-fw_ssl: fw_ssl_plug-3.0.1.7ea9976-1.x86_64
-fw_mail: fw_mail_plug-3.0.0.3b4e481-1.x86_64
-tsg_conn_sketch: tsg_conn_sketch-2.0.5.63c1e51-1.x86_64
-
-####################
-#Tsg_app
-app_sketch_local: app_sketch_local-1.0.4.0edaf58-2.x86_64
-app_control_plug: app_control_plug-1.0.3.447fc53-2.x86_64
-app_proto_identify: app_proto_identify-1.0.3.6c893f2-2.x86_64
-app_master: app_master-1.0.4.d189dee-1.x86_64
-
-####################
-#tfe
-tfe: tfe-4.3.10.fb02543-1.el7.x86_64
-tfe_kmod: tfe-kmod-v1.0.5.20200408-1dkms.noarch
-
-####################
-#http_healthcheck
-http_healthcheck: http_healthcheck-20.04-1.el7.x86_64
-
-#####################
-#clotho
-clotho: clotho-debug-1.0.0.-1.el7.x86_64
-
-#####################
-#certstore
-certstore: certstore-2.1.2.202009.87fcacf-1.el7.x86_64
-
-#####################
-#telegraf
-telegraf_statistic: telegraf-1.13.0-1.x86_64
-
-#####################
-#tsg-diagnose
-tsg-diagnose: tsg-diagnose-20.09-1.el7.x86_64
diff --git a/uninstall/roles/packet_dump/tasks/main.yml b/uninstall/roles/packet_dump/tasks/main.yml
deleted file mode 100644
index 74de743..0000000
--- a/uninstall/roles/packet_dump/tasks/main.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-####################
-#Uninstall packet_dump
-- name: "[uninstall packet_dump] stop packet_dump"
- systemd:
- name: packet_dump
- state: stopped
- enabled: no
- when: uninstall.packet_dump == 1
- ignore_errors: true
-
-- name: "[uninstall packet_dump] uninstall packet_dump"
- yum:
- name:
- - "{{ packet_dump }}"
- state: absent
- when: uninstall.packet_dump == 1
diff --git a/uninstall/roles/remove_files/tasks/main.yml b/uninstall/roles/remove_files/tasks/main.yml
deleted file mode 100644
index a29f227..0000000
--- a/uninstall/roles/remove_files/tasks/main.yml
+++ /dev/null
@@ -1,96 +0,0 @@
-- name: "remove /home/mesasoft/sapp_run"
- file:
- path: /home/mesasoft/sapp_run
- state: absent
- when: remove.sapp == 1
- ignore_errors: true
-
-- name: "remove sapp.service"
- file:
- path: /usr/lib/systemd/system/sapp.service
- state: absent
- when: remove.sapp == 1
- ignore_errors: true
-
-- name: "remove clotho files"
- file:
- path: /home/mesasoft/clotho
- state: absent
- when: remove.clotho == 1
- ignore_errors: true
-
-- name: "remove clotho.service"
- file:
- path: /usr/lib/systemd/system/clotho.service
- state: absent
- when: remove.clotho == 1
- ignore_errors: true
-
-- name: "remove http_healthcheck files"
- file:
- path: /home/mesasoft/http_healthcheck
- state: absent
- when: remove.http_healthcheck == 1
- ignore_errors: true
-
-- name: "remove telegraf_statistic files"
- file:
- path: /etc/telegraf/telegraf_statistic.conf
- state: absent
- when: remove.telegraf_statistic == 1
- ignore_errors: true
-
-- name: "remove /tmp/metrics.out"
- file:
- path: /tmp/metrics.out
- state: absent
- when: remove.telegraf_statistic == 1
- ignore_errors: true
-
-- name: "remove /home/tsg/certstore files"
- file:
- path: /home/tsg/certstore
- state: absent
- when: remove.certstore == 1
- ignore_errors: true
-
-- name: "remove /opt/tsg/certstore files"
- file:
- path: /opt/tsg/certstore
- state: absent
- when: remove.certstore == 1
- ignore_errors: true
-
-- name: "remove certstore.service"
- file:
- path: /usr/lib/systemd/system/certstore.service
- state: absent
- when: remove.certstore == 1
- ignore_errors: true
-
-- name: "remove /opt/tsg/cert-redis files"
- file:
- path: /opt/tsg/cert-redis
- state: absent
- when: remove.certredis == 1
- ignore_errors: true
-
-- name: "remove /home/tsg/cert-redis files"
- file:
- path: /home/tsg/cert-redis
- state: absent
- when: remove.certredis == 1
- ignore_errors: true
-
-- name: "remove /opt/proxy_status"
- file:
- path: /opt/proxy_status
- state: absent
- ignore_errors: true
-
-- name: "remove /tmp/ansible_deploy"
- file:
- path: /tmp/ansible_deploy
- state: absent
- ignore_errors: true
-
diff --git a/uninstall/roles/remove_framework_files/tasks/main.yml b/uninstall/roles/remove_framework_files/tasks/main.yml
deleted file mode 100644
index 8f5e7b5..0000000
--- a/uninstall/roles/remove_framework_files/tasks/main.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-- name: "remove framework files"
- file:
- path: /opt/MESA
- state: absent
- when: remove.framework == 1
- ignore_errors: true
diff --git a/uninstall/roles/remove_marsio_files/tasks/main.yml b/uninstall/roles/remove_marsio_files/tasks/main.yml
deleted file mode 100644
index 8e877bb..0000000
--- a/uninstall/roles/remove_marsio_files/tasks/main.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-- name: "remove marsio files"
- file:
- path: /opt/mrzcpd
- state: absent
- when: remove.marsio == 1
- ignore_errors: true
-
-- name: "remove mrzcpd.service"
- file:
- path: /usr/lib/systemd/system/mrzcpd.service
- state: absent
- when: remove.marsio == 1
- ignore_errors: true
-
-- name: "remove mrtunnat.service"
- file:
- path: /usr/lib/systemd/system/mrtunnat.service
- state: absent
- when: remove.marsio == 1
- ignore_errors: true
-
diff --git a/uninstall/roles/remove_tfe_files/tasks/main.yml b/uninstall/roles/remove_tfe_files/tasks/main.yml
deleted file mode 100644
index f84c689..0000000
--- a/uninstall/roles/remove_tfe_files/tasks/main.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-- name: "remove /opt/tsg/tfe"
- file:
- path: /opt/tsg/tfe
- state: absent
- when: remove.tfe == 1
- ignore_errors: true
-
-- name: "remove tfe.service"
- file:
- path: /usr/lib/systemd/system/tfe.service
- state: absent
- when: remove.tfe == 1
- ignore_errors: true
-
-- name: "remove tfe-env.service"
- file:
- path: /usr/lib/systemd/system/tfe-env.service
- state: absent
- when: remove.tfe == 1
- ignore_errors: true
-
-- name: "remove tfe-env-tun-mode.service"
- file:
- path: /usr/lib/systemd/system/tfe-env-tun-mode.service
- state: absent
- when: remove.tfe == 1
- ignore_errors: true
-
diff --git a/uninstall/roles/sapp/tasks/main.yml b/uninstall/roles/sapp/tasks/main.yml
deleted file mode 100644
index 951f467..0000000
--- a/uninstall/roles/sapp/tasks/main.yml
+++ /dev/null
@@ -1,17 +0,0 @@
-####################
-#Uninstall sapp
-- name: "[uninstall sapp] stop sapp"
- systemd:
- name: sapp
- state: stopped
- enabled: no
- when:
- - uninstall.sapp == 1
- ignore_errors: true
-
-- name: "[uninstall sapp] uninstall sapp"
- yum:
- name:
- - "{{ sapp }}"
- state: absent
- when: uninstall.sapp == 1
diff --git a/uninstall/roles/telegraf_statistic/tasks/main.yml b/uninstall/roles/telegraf_statistic/tasks/main.yml
deleted file mode 100644
index c091efc..0000000
--- a/uninstall/roles/telegraf_statistic/tasks/main.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-####################
-#Uninstall telegraf_statistic
-- name: "[uninstall telegraf_statistic] stop telegraf_statistic"
- systemd:
- name: telegraf_statistic
- state: stopped
- enabled: no
- when: uninstall.telegraf_statistic == 1
- ignore_errors: true
-
diff --git a/uninstall/roles/tfe/tasks/main.yml b/uninstall/roles/tfe/tasks/main.yml
deleted file mode 100644
index de736d1..0000000
--- a/uninstall/roles/tfe/tasks/main.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-####################
-#Uninstall tfe
-- name: "[uninstall tfe] stop tfe"
- systemd:
- name: tfe
- state: stopped
- enabled: no
- when:
- - uninstall.tfe == 1
- ignore_errors: true
-
-- name: "[uninstall tfe] stop tfe-env"
- systemd:
- name: tfe-env
- state: stopped
- enabled: no
- when:
- - uninstall.tfe == 1
- ignore_errors: true
-
-- name: "[uninstall tfe] uninstall tfe"
- yum:
- name:
- - "{{ tfe }}"
- - "{{ tfe_kmod }}"
- state: absent
- when: uninstall.tfe == 1
diff --git a/uninstall/roles/tsg_app/tasks/main.yml b/uninstall/roles/tsg_app/tasks/main.yml
deleted file mode 100644
index eefb626..0000000
--- a/uninstall/roles/tsg_app/tasks/main.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-####################
-#Tsg-app
-- name: "[uninstall tsg-app] stop sapp"
- systemd:
- name: sapp
- state: stopped
- enabled: no
- when:
- - uninstall_version >= 20.09
- - uninstall.tsg_app == 1
- ignore_errors: true
-
-- name: "[uninstall tsg-app] uninstall tsg_app"
- yum:
- name:
- - "{{ app_sketch_local }}"
- - "{{ app_control_plug }}"
- - "{{ app_proto_identify }}"
- - "{{ app_master }}"
- state: absent
- when:
- - uninstall_version >= 20.09
- - uninstall.tsg_app == 1
-
diff --git a/uninstall/roles/tsg_master/tasks/main.yml b/uninstall/roles/tsg_master/tasks/main.yml
deleted file mode 100644
index ebd7d17..0000000
--- a/uninstall/roles/tsg_master/tasks/main.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-####################
-#Uninstall tsg_master
-- name: "[uninstall tsg_master] stop sapp"
- systemd:
- name: sapp
- state: stopped
- enabled: no
- when:
- - uninstall.tsgmaster == 1
- ignore_errors: true
-
-- name: "[uninstall tsg_master] uninstall tsg_master"
- yum:
- name:
- - "{{ tsg_master }}"
- state: absent
- when: uninstall.tsgmaster == 1
-
diff --git a/uninstall/rpm_list.sh b/uninstall/rpm_list.sh
deleted file mode 100755
index fec05cb..0000000
--- a/uninstall/rpm_list.sh
+++ /dev/null
@@ -1,136 +0,0 @@ -#!/bin/bash -# -mrzcpd=`rpm -qa |grep ^mrzcpd` -libcjson=`rpm -qa |grep ^libcjson` -libdocument=`rpm -qa |grep ^libdocument` -libmaatframe=`rpm -qa |grep ^libmaatframe` -libMESA_field_stat=`rpm -qa |grep ^libMESA_field_stat-` -libMESA_field_stat2=`rpm -qa |grep ^libMESA_field_stat2` -libMESA_handle_logger=`rpm -qa |grep ^libMESA_handle_logger` -libMESA_htable=`rpm -qa |grep ^libMESA_htable` -libMESA_prof_load=`rpm -qa |grep ^libMESA_prof_load` -librdkafka=`rpm -qa |grep ^librdkafka` -librulescan=`rpm -qa |grep ^librulescan` -libwiredcfg=`rpm -qa |grep ^libwiredcfg` -libWiredLB=`rpm -qa |grep ^libWiredLB` -lz4=`rpm -qa |grep ^lz4` -libtsglua=`rpm -qa |grep ^libtsglua` -sapp=`rpm -qa |grep ^sapp` -tsg_master=`rpm -qa |grep ^tsg_master` -kni=`rpm -qa |grep ^kni` -capture_packet_plug=`rpm -qa |grep ^capture_packet_plug` -dns=`rpm -qa |grep ^dns-` -ftp=`rpm -qa |grep ^ftp-` -mail=`rpm -qa |grep ^mail-` -ssl=`rpm -qa |grep ^ssl-` -quic=`rpm -qa |grep ^quic-` -http=`rpm -qa |grep ^http-2` -fw_dns=`rpm -qa |grep ^fw_dns` -fw_ftp=`rpm -qa |grep ^fw_ftp` -fw_http=`rpm -qa |grep ^fw_http` -fw_quic=`rpm -qa |grep ^fw_quic` -fw_ssl=`rpm -qa |grep ^fw_ssl` -fw_mail=`rpm -qa |grep ^fw_mail` -tsg_conn_sketch=`rpm -qa |grep ^tsg_conn_sketch` -tsg_conn_record=`rpm -qa |grep ^tsg_conn_record` -app_sketch_local=`rpm -qa |grep ^app_sketch_local` -app_control_plug=`rpm -qa |grep ^app_control_plug` -app_proto_identify=`rpm -qa |grep ^app_proto_identify` -app_master=`rpm -qa |grep ^app_master` -tfe=`rpm -qa |grep ^tfe-4` -tfe_kmod=`rpm -qa |grep ^tfe-kmod` -http_healthcheck=`rpm -qa |grep ^http_healthcheck` -clotho=`rpm -qa |grep ^clotho` -packet_dump=`rpm -qa |grep ^packet_dump` -certstore=`rpm -qa |grep ^certstore` - - -cat > ./tsg_version.yml <