diff --git a/adc_deploy.yml b/adc_deploy.yml
index 4b62c74..a6aaab4 100644
--- a/adc_deploy.yml
+++ b/adc_deploy.yml
@@ -73,7 +73,26 @@
 # - {role: adc_exporter, tags: adc_exporter}
 - {role: switch_control, tags: switch_control}
 - {role: tsg-env-patch, tags: tsg-env-patch}
-
+
+- hosts: adc_mcn0
+ remote_user: root
+ roles:
+ - {role: docker-env, tags: docker-env}
+ - {role: tsg-diagnose, tags: tsg-diagnose}
+
+- hosts:
+ - adc_mcn1
+ - adc_mcn2
+ - adc_mcn3
+ remote_user: root
+ roles:
+ - {role: tsg-diagnose_sync_ca, tags: tsg-diagnose_sync_ca}
+
+- hosts: adc_mcn0
+ remote_user: root
+ roles:
+ - {role: tsg-diagnose_stop_sync, tags: tsg-diagnose_stop_sync}
+
 - hosts: packet_dump_server
 remote_user: root
 vars_files:
diff --git a/roles/docker-env/files/docker-ce.zip b/roles/docker-env/files/docker-ce.zip
new file mode 100644
index 0000000..1a35c99
Binary files /dev/null and b/roles/docker-env/files/docker-ce.zip differ
diff --git a/roles/docker-env/files/docker-compose.zip b/roles/docker-env/files/docker-compose.zip
new file mode 100644
index 0000000..0498c86
Binary files /dev/null and b/roles/docker-env/files/docker-compose.zip differ
diff --git a/roles/docker-env/files/python3.zip b/roles/docker-env/files/python3.zip
new file mode 100644
index 0000000..5338198
Binary files /dev/null and b/roles/docker-env/files/python3.zip differ
diff --git a/roles/docker-env/tasks/docker-ce.yml b/roles/docker-env/tasks/docker-ce.yml
new file mode 100644
index 0000000..ee8ed47
--- /dev/null
+++ b/roles/docker-env/tasks/docker-ce.yml
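Review bot: The three new plays are an ordered sequence — the tsg-diagnose role on adc_mcn0 appears to start an rsync daemon (its last task runs init_rsyncd.sh), adc_mcn1–3 then pull from it, and the final play kills it — but nothing in the playbook says so, so a run restricted with `--tags` or `--limit` can leave the daemon running or have the sync play pull from nothing. A comment above the first new play would make the coupling visible, e.g. `# Ordered: mcn0 starts rsyncd (tsg-diagnose) -> mcn1..3 fetch the CA bundle (tsg-diagnose_sync_ca) -> mcn0 stops rsyncd; run these three plays together.` All three plays also connect as `remote_user: root`; if the roles only need root for yum/systemd, a non-root user with `become: true` per play would be the least-privilege form, though the existing plays in this file use root as well.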
@@ -0,0 +1,38 @@
+---
+- name: "docker-ce: copy docker-ce.zip to dest device"
+ copy:
+ src: '{{ role_path }}/files/docker-ce.zip'
+ dest: /tmp/ansible_deploy/
+
+- name: "docker-ce: unarchive docker-ce.zip"
+ unarchive:
+ src: /tmp/ansible_deploy/docker-ce.zip
+ dest: /tmp/ansible_deploy/
+ remote_src: yes
+
+- name: "docker-ce: install docker-ce rpm package and dependencies"
+ yum:
+ name:
+ - /tmp/ansible_deploy/docker-ce/container-selinux-2.119.2-1.911c772.el7_8.noarch.rpm
+ - /tmp/ansible_deploy/docker-ce/docker-ce-19.03.13-3.el7.x86_64.rpm
+ - /tmp/ansible_deploy/docker-ce/docker-ce-cli-19.03.13-3.el7.x86_64.rpm
+ - /tmp/ansible_deploy/docker-ce/containerd.io-1.3.7-3.1.el7.x86_64.rpm
+ - /tmp/ansible_deploy/docker-ce/selinux-policy-targeted-3.13.1-266.el7_8.1.noarch.rpm
+ - /tmp/ansible_deploy/docker-ce/selinux-policy-3.13.1-266.el7_8.1.noarch.rpm
+ - /tmp/ansible_deploy/docker-ce/policycoreutils-python-2.5-34.el7.x86_64.rpm
+ - /tmp/ansible_deploy/docker-ce/policycoreutils-2.5-34.el7.x86_64.rpm
+ - /tmp/ansible_deploy/docker-ce/libselinux-utils-2.5-15.el7.x86_64.rpm
+ - /tmp/ansible_deploy/docker-ce/libselinux-python-2.5-15.el7.x86_64.rpm
+ - /tmp/ansible_deploy/docker-ce/libselinux-2.5-15.el7.x86_64.rpm
+ - /tmp/ansible_deploy/docker-ce/setools-libs-3.3.8-4.el7.x86_64.rpm
+ - /tmp/ansible_deploy/docker-ce/libsepol-2.5-10.el7.x86_64.rpm
+ - /tmp/ansible_deploy/docker-ce/libsemanage-python-2.5-14.el7.x86_64.rpm
+ - /tmp/ansible_deploy/docker-ce/libsemanage-2.5-14.el7.x86_64.rpm
+ state: present
+
+- name: "docker-ce: systemctl start docker and enabled docker"
+ systemd:
+ name: docker
+ enabled: yes
+ daemon_reload: yes
+ state: started
diff --git a/roles/docker-env/tasks/docker-compose.yml b/roles/docker-env/tasks/docker-compose.yml
new file mode 100644
index 0000000..083b0f1
--- /dev/null
+++ b/roles/docker-env/tasks/docker-compose.yml
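Review bot: The rpms unpacked under /tmp/ansible_deploy are installed with no integrity check — `copy` and `unarchive` compare nothing against an expected digest, and yum's `localpkg_gpgcheck` is off by default on EL7, so a local rpm file installs whatever its signature state; the same pattern is in python3.yml and in the tsg-diagnose rpm task. Staging in world-writable /tmp also means any local account can pre-create `/tmp/ansible_deploy` before the play runs. Create the staging directory root-owned first, `- file: {path: /tmp/ansible_deploy, state: directory, owner: root, mode: "0700"}`, and consider a `stat`-plus-`assert` on the zip's sha256 (value recorded in role vars) before unarchiving. Minor: `remote_src: yes`, `enabled: yes` and `daemon_reload: yes` are YAML 1.1 truthy forms; `true` is the portable spelling.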
@@ -0,0 +1,18 @@
+---
+- name: "docker-compose: copy docker-compose.zip to dest device"
+ copy:
+ src: '{{ role_path }}/files/docker-compose.zip'
+ dest: /tmp/ansible_deploy/
+
+- name: "docker-compose: unarchive docker-compose.zip"
+ unarchive:
+ src: /tmp/ansible_deploy/docker-compose.zip
+ dest: /tmp/ansible_deploy/
+ remote_src: yes
+
+- name: "docker-compose: install docker-compose using pip3"
+ pip:
+ requirements: /tmp/ansible_deploy/docker-compose/requirements.txt
+ extra_args: "--no-index --find-links=file:///tmp/ansible_deploy/docker-compose"
+ state: forcereinstall
+ executable: pip3
diff --git a/roles/docker-env/tasks/main.yml b/roles/docker-env/tasks/main.yml
new file mode 100644
index 0000000..11ad454
--- /dev/null
+++ b/roles/docker-env/tasks/main.yml
@@ -0,0 +1,4 @@
+---
+- include: docker-ce.yml
+- include: python3.yml
+- include: docker-compose.yml
diff --git a/roles/docker-env/tasks/python3.yml b/roles/docker-env/tasks/python3.yml
new file mode 100644
index 0000000..27b9347
--- /dev/null
+++ b/roles/docker-env/tasks/python3.yml
@@ -0,0 +1,21 @@
+---
+- name: "python3: copy python3.zip to dest device"
+ copy:
+ src: '{{ role_path }}/files/python3.zip'
+ dest: /tmp/ansible_deploy/
+
+- name: "python3: unarchive python3.zip"
+ unarchive:
+ src: /tmp/ansible_deploy/python3.zip
+ dest: /tmp/ansible_deploy/
+ remote_src: yes
+
+- name: "python3: install python3 rpm package and dependencies"
+ yum:
+ name:
+ - /tmp/ansible_deploy/python3/python3-libs-3.6.8-13.el7.x86_64.rpm
+ - /tmp/ansible_deploy/python3/python3-3.6.8-13.el7.x86_64.rpm
+ - /tmp/ansible_deploy/python3/python3-pip-9.0.3-7.el7_7.noarch.rpm
+ - /tmp/ansible_deploy/python3/python3-setuptools-39.2.0-10.el7.noarch.rpm
+ - /tmp/ansible_deploy/python3/libtirpc-0.2.4-0.16.el7.x86_64.rpm
+ state: present
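Review bot: `state: forcereinstall` on the pip task reinstalls docker-compose on every run, so the task is never idempotent and always reports changed; `state: present` is the normal form, with a forced reinstall only when a version variable changes. The wheels are installed from the shipped directory without hash pinning, so a swapped wheel inside docker-compose.zip installs silently — adding sha256 hashes to requirements.txt and `extra_args: "--no-index --find-links=file:///tmp/ansible_deploy/docker-compose --require-hashes"` makes the offline install verify what it received. The `--no-index` is good; it keeps the install from reaching out to PyPI.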
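Review bot: `- include:` in main.yml is the deprecated task-include form (deprecated since Ansible 2.4 and since dropped from ansible-core); `- import_tasks: docker-ce.yml` (static) or `include_tasks:` is the replacement. The order of the three lines also matters, because docker-compose.yml's `executable: pip3` needs python3.yml to have run first, and that is worth stating: `# python3.yml must precede docker-compose.yml (pip3 comes from the python3-pip rpm)`.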
diff --git a/roles/tsg-diagnose/files/tsg-diagnose-20.10.03.31f1c1f-1.el7.x86_64.rpm b/roles/tsg-diagnose/files/tsg-diagnose-20.10.03.31f1c1f-1.el7.x86_64.rpm
new file mode 100644
index 0000000..b638ba6
Binary files /dev/null and b/roles/tsg-diagnose/files/tsg-diagnose-20.10.03.31f1c1f-1.el7.x86_64.rpm differ
diff --git a/roles/tsg-diagnose/files/tsg-diagnose-certs.tgz b/roles/tsg-diagnose/files/tsg-diagnose-certs.tgz
new file mode 100644
index 0000000..5e61e27
Binary files /dev/null and b/roles/tsg-diagnose/files/tsg-diagnose-certs.tgz differ
diff --git a/roles/tsg-diagnose/tasks/main.yml b/roles/tsg-diagnose/tasks/main.yml
new file mode 100644
index 0000000..f6a6ab7
--- /dev/null
+++ b/roles/tsg-diagnose/tasks/main.yml
@@ -0,0 +1,38 @@
+- name: "Tsg-diagnose:copy file to device"
+ copy:
+ src: '{{ role_path }}/files/'
+ dest: /tmp/ansible_deploy/
+
+- name: "Install tsg-diagnose rpm package"
+ yum:
+ name:
+ - "/tmp/ansible_deploy/tsg-diagnose-20.10.03.31f1c1f-1.el7.x86_64.rpm"
+ state: present
+
+- name: "Templates tsg-diagnose.config"
+ template:
+ src: "{{role_path}}/templates/tsg-diagnose.config.j2"
+ dest: /opt/tsg/tsg-diagnose/etc/tsg-diagnose.config
+ tags: template
+
+- name: "tsg-diagnose:mkdir -p .badssl_cert_dict"
+ file:
+ path: /opt/tsg/tsg-diagnose/.badssl_cert_dict
+ state: directory
+
+
+- name: "tsg-diagnose: unarchive certs"
+ unarchive:
+ src: /tmp/ansible_deploy/tsg-diagnose-certs.tgz
+ dest: /opt/tsg/tsg-diagnose/.badssl_cert_dict
+ remote_src: yes
+
+- name: 'Tsg-diagnose service start'
+ systemd:
+ name: tsg-diagnose
+ enabled: yes
+ daemon_reload: yes
+ state: started
+
+- name: "tsg-diagnose init rsync deamon"
+ shell: /bin/sh /opt/tsg/tsg-diagnose/deploy/rsync/init_rsyncd.sh
diff --git a/roles/tsg-diagnose/templates/tsg-diagnose.config.j2 b/roles/tsg-diagnose/templates/tsg-diagnose.config.j2
new file mode 100644
index 0000000..907150e
--- /dev/null
+++ b/roles/tsg-diagnose/templates/tsg-diagnose.config.j2
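Review bot: The last task runs init_rsyncd.sh through `shell` on every play with nothing to make it idempotent and no `changed_when`, and what the script exposes — presumably the rsync daemon that tsg-diagnose_sync_ca later pulls from — is documented nowhere in the role. Use `command:` (no shell features are used) with a `creates:` guard on whatever the script writes, and add a comment such as `# Starts an rsync daemon serving the CA files to adc_mcn1..3; stopped by role tsg-diagnose_stop_sync`. The `.badssl_cert_dict` directory is created with no `mode` and then filled with certificate material from the tgz; `mode: "0700"` on the `file` task keeps it off-limits to other local accounts. The first task also copies the entire `files/` directory, tgz included, into world-readable /tmp, where copying only the rpm and tgz it needs to a root-owned staging directory would be tighter. Task names spell "deamon" for "daemon" here and in tsg-diagnose_stop_sync.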
@@ -0,0 +1,135 @@
+[test_securityPolicy_bypass]
+# enabled = 1 run this case
+enabled = 1
+#Connection TIMEOUT, in seconds
+conn_timeout = 1
+#max_recv_speed_large byte/s
+max_recv_speed_large = 6553600
+
+[test_securityPolicy_intercept]
+enabled = 1
+conn_timeout = 1
+max_recv_speed_large = 6553600
+
+[test_securityPolicy_intercept_certerrExpired]
+enabled = 1
+conn_timeout = 1
+max_recv_speed_large = 6553600
+
+[test_securityPolicy_intercept_certerrSelf_signed]
+enabled = 1
+conn_timeout = 1
+max_recv_speed_large = 6553600
+
+[test_securityPolicy_intercept_certerrUntrusted_root]
+enabled = 1
+conn_timeout = 1
+max_recv_speed_large = 6553600
+
+[test_proxyPolicy_ssl_redirect]
+enabled = 1
+conn_timeout = 1
+max_recv_speed_large = 6553600
+
+[test_proxyPolicy_ssl_block]
+enabled = 1
+conn_timeout = 1
+max_recv_speed_large = 6553600
+
+[test_proxyPolicy_ssl_replace]
+enabled = 1
+conn_timeout = 1
+max_recv_speed_large = 6553600
+
+[test_proxyPolicy_ssl_hijack]
+enabled = 1
+conn_timeout = 1
+max_recv_speed_large = 6553600
+
+[test_proxyPolicy_ssl_insert]
+enabled = 1
+conn_timeout = 1
+max_recv_speed_large = 6553600
+
+[test_proxyPolicy_http_redirect]
+enabled = 1
+conn_timeout = 1
+max_recv_speed_large = 6553600
+
+[test_proxyPolicy_http_block]
+enabled = 1
+conn_timeout = 1
+max_recv_speed_large = 6553600
+
+[test_proxyPolicy_http_replace]
+enabled = 1
+conn_timeout = 1
+max_recv_speed_large = 6553600
+
+[test_proxyPolicy_http_hijack]
+enabled = 1
+conn_timeout = 1
+max_recv_speed_large = 6553600
+
+[test_proxyPolicy_http_insert]
+enabled = 1
+conn_timeout = 1
+max_recv_speed_large = 6553600
+
+[test_https_con_traffic_1k]
+enabled = 1
+conn_timeout = 1
+max_recv_speed_large = 6553600
+
+[test_https_con_traffic_4k]
+enabled = 1
+conn_timeout = 1
+max_recv_speed_large = 6553600
+
+[test_https_con_traffic_16k]
+enabled = 1
+conn_timeout = 1
+max_recv_speed_large = 6553600
+
+[test_https_con_traffic_64k]
+enabled = 1
+conn_timeout = 1
+max_recv_speed_large = 6553600
+
+[test_https_con_traffic_256k]
+enabled = 1
+conn_timeout = 1
+max_recv_speed_large = 6553600
+
+[test_https_con_traffic_1M]
+enabled = 1
+conn_timeout = 1
+max_recv_speed_large = 6553600
+
+[test_https_con_traffic_4M]
+enabled = 1
+conn_timeout = 1
+max_recv_speed_large = 6553600
+
+[test_https_con_traffic_16M]
+enabled = 1
+conn_timeout = 4
+max_recv_speed_large = 6553600
+
+[test_https_con_traffic_64M]
+enabled = 1
+conn_timeout = 12
+max_recv_speed_large = 6553600
+
+[start_time_random_delay_range]
+enabled = 1
+#Left_edge is the left edge of the randomly generated time in seconds
+left_edge = 0
+#Left_edge is the right edge of the randomly generated time in seconds
+right_edge = 30
+
+[telegraf]
+host = 192.51.100.1
+port = 58100
+tags_key = app_name
+tags_value = tsg-diagnose
diff --git a/roles/tsg-diagnose_stop_sync/tasks/main.yml b/roles/tsg-diagnose_stop_sync/tasks/main.yml
new file mode 100644
index 0000000..1633c16
--- /dev/null
+++ b/roles/tsg-diagnose_stop_sync/tasks/main.yml
@@ -0,0 +1,3 @@
+- name: "tsg-diagnose: stop rsync deamon process"
+ shell: killall -9 rsync
+
diff --git a/roles/tsg-diagnose_sync_ca/files/tsg_diagnose_ca.pem b/roles/tsg-diagnose_sync_ca/files/tsg_diagnose_ca.pem
new file mode 100644
index 0000000..0d1f838
--- /dev/null
+++ b/roles/tsg-diagnose_sync_ca/files/tsg_diagnose_ca.pem
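Review bot: The second comment in `[start_time_random_delay_range]` is wrong — `#Left_edge is the right edge of the randomly generated time in seconds` sits above `right_edge = 30` and should read `#Right_edge is the right edge of the randomly generated time in seconds`. The file is deployed through the `template` module but contains no Jinja expressions, so the telegraf `host` and `port` are baked into the role; making them role variables (`host = {{ tsg_diagnose_telegraf_host }}`, `port = {{ tsg_diagnose_telegraf_port }}`) is what the `.j2` suffix implies and keeps an environment address out of the template. The meaning of the three per-case keys is commented only in the first section; a short comment at the top of the file stating that every `test_*` section takes `enabled`, `conn_timeout` (seconds) and `max_recv_speed_large` (bytes/s) would cover the other 23 sections.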
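Review bot: `killall -9 rsync` in tsg-diagnose_stop_sync kills every rsync process on adc_mcn0, not only the daemon started by init_rsyncd.sh, sends SIGKILL without giving the daemon a chance to exit cleanly, and makes the task fail on a re-run when no rsync is left, since killall exits non-zero when nothing matched. If init_rsyncd.sh writes a pid file, stopping through that pid is the precise form; otherwise at least `command: pkill -x rsync` with `failed_when: false` and `changed_when: <result>.rc == 0` keeps the play idempotent. `shell` is not needed here either, as no shell features are used.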
@@ -0,0 +1,49 @@
+-----BEGIN CERTIFICATE-----
+MIIGWzCCBEOgAwIBAgIJAMimxpHS+4hRMA0GCSqGSIb3DQEBCwUAMHcxCzAJBgNV
+BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNp
+c2NvMQ8wDQYDVQQKDAZCYWRTU0wxKjAoBgNVBAMMIUJhZFNTTCBSb290IENlcnRp
+ZmljYXRlIEF1dGhvcml0eTAeFw0yMDEwMjYwODQ3NDZaFw00MDEwMjEwODQ3NDZa
+MHcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1T
+YW4gRnJhbmNpc2NvMQ8wDQYDVQQKDAZCYWRTU0wxKjAoBgNVBAMMIUJhZFNTTCBS
+b290IENlcnRpZmljYXRlIEF1dGhvcml0eTCCAiIwDQYJKoZIhvcNAQEBBQADggIP
+ADCCAgoCggIBAKnefEvaekYAdlfFtpnaPaKYgl+X3FOXUEiYLHuX9YZjuhjVAf/I
+19iW7+k6mln3jSxD05YZQk/jUVTTVjYgQftHzlZiJG086AGhG86QwDIPb9nQIGy8
+3DscFFQGGOoYPdV9E+s1cFDTIFGqqqlJ5T5jpjnAL/3WR2LxrgzPVkBjcOTJnkU6
+Gv2jqwQYGSz8+A6FYsGLqO6Pv7uKY1OPELNcTGnSwD1uctsMHn/Xqx4nMaBoMuSc
+TZQEneSagGDgF1dVqEFhVEPo4VXiVthhS82xA3xK69UKfKLFkjjy+icH8LllKUFo
+Psu+w/9V3OZ4xfzjEdpoRwRUmOesS5wlEkd3rLKEWXG/A8Uul5iCZ2Dez9nE6wi7
+w7JD7R1InPoD+7KXtT2JWS+9sj+Vre7XIjSEQuBRGiTOXnDcuYjFOkvCqS7OToUc
+fOJAlKHCndqBnzLoLJHU2ozrqgz8SU0Iv1CPW6YXLtRFFX3K9WUvX7XNTonh+oWS
+6IGifWnVcYh2N5peUuNVT4heD4QfIDpCvjwUAp2IWr1GnEjvjhPaHialRotHhfCi
+t3T0F58IhFQ6+CLQwE57Yd+7zGbc7osqTe1hbiK2wcciTuajmGZyfev8atFey+Y5
+N/7jD3U0a6u4Z+DyGcc08Pj94cM5AJ7SA45LKwt6xhmGLzhemmdGLJLNAgMBAAGj
+gekwgeYwHQYDVR0OBBYEFMGs0F0ycvMIQgM6oTyOBrxzjCPKMIGpBgNVHSMEgaEw
+gZ6AFMGs0F0ycvMIQgM6oTyOBrxzjCPKoXukeTB3MQswCQYDVQQGEwJVUzETMBEG
+A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzEPMA0GA1UE
+CgwGQmFkU1NMMSowKAYDVQQDDCFCYWRTU0wgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRo
+b3JpdHmCCQDIpsaR0vuIUTAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkq
+hkiG9w0BAQsFAAOCAgEAeZzR9GKvTRiKfRqCzjhylk+7IbymWjxNTc2LQ3+O6lww
+kw6Z2ybzvR3i/IZ7Hw+DBo1MXku9qHW/1uKR2BssoLHU1p1iHCBrZ1nw9MXxqXa3
+PhgxUZZu39NdXFc12fY/SYP8XQkNVzQCNouOvb75hj087ZDHvGztHIaB3VNUs1p+
+qMvGm8RVUGfDDqynUBZ814N32eCu+13N+dGL7yxASzD6Y3/myhVjixUuoUG3zFTW
+NnIWspbC8MxhP/3QUMYi4KJM4KDiJQxPhGkMBwlhgAz/QPEJApKq0Cl0Reez7Gyd
+KdnrqvCKhf8K53Su8L1GeRvzzKb7Hi+kMWIZVJPGz2DHgOymP5RCsIuWG6cDgx5E
+3LfZYEPG63ezj+qMZmkdEMnD9SVBi85dOTOJ+OJgxxX2OahUKPUdDP89ZmHdOjR9
+CqUxnA+eqRNz1TajnjRFXir3/20SoBtrHBck3bxpmZwsF7A6Sg5RdlvQjK2Oy6g0
+9LrkPUgu9O/sBfz8uyG/HlQD7EuUNo0NQHqznnde3T+w5wY2vL3XUAl39qcpNPF6
+auCS8+aygYYmCUooZVzKlXGU3VUPGwcfmLE4gnPLT0+pnHtBS8tKLOzXAJjYQ3s+
+QpP3aO4lJvoZ6Oes/JRxNPW8dmaLxTKPqsaPEWWuoSYr0higPTBXQNg+++PYRY4=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB8jCCAVugAwIBAgIJAP3GpXchIMWHMA0GCSqGSIb3DQEBCwUAMBExDzANBgNV
+BAsMBkdFRURHRTAgFw0yMDAzMDkxNjEyNTlaGA8yMDUwMDMwMjE2MTI1OVowETEP
+MA0GA1UECwwGR0VFREdFMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCraZpH
+Fca2Iu+9E9HzKbEi2Akdk4RrUJxkQjB2Tr7fGxwPDXqdGvSoXDdgnSA0I0bbNqMs
+drgiCWimjnGiWfY0sssKg7plNTQ4i7Zz7P9Isyf6TuxvB09CzdhH2FQ3lLRTb8pv
+BA0E28CCYiZhtX1/3RlDSvxaRKOM3yEt0q+FRQIDAQABo1AwTjAdBgNVHQ4EFgQU
+NqrpSlpCuMBJlCLZEE/D5ZpBy8swHwYDVR0jBBgwFoAUNqrpSlpCuMBJlCLZEE/D
+5ZpBy8swDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOBgQBsybFxUAjzhJ5H
+VbSLhyillxtAJ3vEKtLrMVnAgRUEwamyu1JQGndF9kh8RapSmHhmuZM9iTc+NsNb
+DKGKmEOY0vQMw83xE7EGYj4Nhww9UMyGglmTLbd3yB+uJA97beNVduU2mifDHGmN
+4buMiPl3AozGRl9p5UCzZM5XxMMw1A==
+-----END CERTIFICATE-----
diff --git a/roles/tsg-diagnose_sync_ca/tasks/main.yml b/roles/tsg-diagnose_sync_ca/tasks/main.yml
new file mode 100644
index 0000000..2922f6f
--- /dev/null
+++ b/roles/tsg-diagnose_sync_ca/tasks/main.yml
@@ -0,0 +1,15 @@
+- name: "tsg-diagnose: rsync badssl ca certs"
+ shell: rsync -avzP --delete 192.168.100.1::blade0toother /tmp/sync/
+ ignore_errors: true
+
+- name: "tsg-diagnose: add badssl ca file to tfe tls-ca-bundle"
+ shell: cat /tmp/sync/ca-root.crt > /opt/tsg/tfe/resource/tfe/tsg_diagnose_ca.pem && cat /tmp/sync/wpr_cert.pem >> /opt/tsg/tfe/resource/tfe/tsg_diagnose_ca.pem
+ ignore_errors: true
+ register: result_tsg_diagnose_sync_cert_shell
+
+- name: "Tsg-diagnose:copy cert file to device"
+ copy:
+ src: '{{ role_path }}/files/tsg_diagnose_ca.pem'
+ dest: /opt/tsg/tfe/resource/tfe/
+ when: result_tsg_diagnose_sync_cert_shell.rc==1
+
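Review bot: The CA bundle that TFE will trust (`/opt/tsg/tfe/resource/tfe/tsg_diagnose_ca.pem`) is assembled from files fetched over the plain rsync daemon protocol from a hard-coded 192.168.100.1, with no authentication on the command line and no integrity check before the `cat`, and `ignore_errors: true` on both shell tasks hides any failure; a trust-anchor install should at least compare the fetched files against a known digest (or use an `-e ssh` transport) before writing the bundle. The fallback condition `when: result_tsg_diagnose_sync_cert_shell.rc==1` only catches exit status 1, so any other failure code leaves no bundle installed at all; `when: result_tsg_diagnose_sync_cert_shell.rc != 0` is the safe test. The `>` redirection truncates the existing bundle before the first `cat` has read anything, so a missing ca-root.crt leaves an empty file until the fallback copy runs; the `assemble` module (or `copy` with `content:`) writes it atomically. `command:` suffices for the rsync line, since no shell features are used, and the address belongs in a role variable rather than in the task.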