update

deploy.yml

@@ -17,6 +17,7 @@
     - tsg_master
     - kni
     - firewall
+    - tsg_app
     - http_healthcheck
     - clotho
     - certstore
@@ -91,6 +92,7 @@
     - tsg_master
     - kni
     - firewall
+    - tsg_app
     - http_healthcheck
     - clotho
     - certstore
@@ -99,3 +101,10 @@
     - telegraf_statistic
     - proxy_status
 #    - tsg_device_tag
+
+- hosts: app_global
+  remote_user: root
+  vars_files:
+    - install_config/group_vars/app_global.yml
+  roles:
+    - app_global

install_config/group_vars/adc_global.yml

@@ -50,9 +50,9 @@ clotho_log_level: 10
 #Sapp Performance Config
 #Sapp工作在ADC计算板0时，建议使用如下30+8的配置，以保证更高的处理性能
 sapp:
-  worker_threads: 30
-  send_only_threads_max: 8
-  bind_mask: 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37
+  worker_threads: 37
+  send_only_threads_max: 1
+  bind_mask: 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38
   inbound_route_dir: 1
 
 ########################################
@@ -75,9 +75,6 @@ kni:
 #Tfe Config
 tfe:
   nr_threads: 32
-  mc_cache_eth: lo 
-  keykeeper:
-    no_cache: 0
   mirror_enable: 1
 
 ########################################
@@ -91,6 +88,5 @@ mrtunnat:
 
 #########################################
 #Tsg_app
-#0: Disable tsg_app   1: Enable tsg_app
 tsg_app_enable: 1
-
+app_global_ip: "1.1.1.1"

install_config/group_vars/app_global.yml

@@ -0,0 +1,10 @@
+#########################################
+app_sketch_global_log_level: 10
+
+maat_redis_server:
+  address: "192.168.40.168"
+  port: 7002
+  db: 0
+
+file_stat_ip: "1.1.1.1"
+  

install_config/group_vars/server_as_tun_mode.yml

@@ -58,9 +58,9 @@ clotho_log_level: 10
 #Sapp Performance Config
 #如果tsg_access_type=0，sapp跑在pcap模式，则以下配置可忽略
 sapp:
-  worker_threads: 16
-  send_only_threads_max: 8
-  bind_mask: 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23
+  worker_threads: 23
+  send_only_threads_max: 1
+  bind_mask: 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24
   inbound_route_dir: 1
 
 #########################################
@@ -90,9 +90,6 @@ kni:
 #Tfe Config
 tfe:
   nr_threads: 32
-  mc_cache_eth: lo 
-  keykeeper:
-    no_cache: 0
   mirror_enable: 1
 
 #########################################
@@ -105,8 +102,8 @@ mrtunnat:
 
 #########################################
 #Tsg_app
-#0: Disable tsg_app   1: Enable tsg_app
-tsg_app_enable: 0
+tsg_app_enable: 1
+app_global_ip: "1.1.1.1"
 
 #########################################
 #ATCA Config

install_config/hosts

@@ -4,6 +4,10 @@
 #变量device_id根据设备序号设置即可
 #变量vvipv4_1、vvipv4_2、vvipv6_1、vvipv6_2为Allot相关配置，其他环境可不填或直接删除变量
 #
+#20.09版本新增APP部署
+#[app_global]
+#0.0.0.0
+
 #[server-as-tun-mode]
 #1.1.1.1 device_id=device_1
 #
@@ -27,6 +31,7 @@
 #10.3.76.1 device_id=device_1
 #10.3.76.2 device_id=device_2
 
+[app_global]
 [server-as-tun-mode]
 [adc_mxn]
 [adc_mcn0]

roles/app_global/tasks/main.yml

@@ -0,0 +1,28 @@
+- name: "copy app_global rpm to destination server"
+  copy:
+    src: "{{ role_path }}/files/"
+    dest: /tmp/ansible_deploy/
+
+- name: "install app rpms from localhost"
+  yum:
+    name:
+      - /tmp/ansible_deploy/emqx-centos7-v4.1.2.x86_64.rpm
+      - /tmp/ansible_deploy/app-sketch-global-1.0.2.20200907.81a5ea4-1.el7.x86_64.rpm
+    state: present
+
+- name: "template the app_sketch_global.conf"
+  template:
+    src: "{{ role_path }}/templates/app_sketch_global.conf.j2"
+    dest: /opt/tsg/app-sketch-global/conf/app_sketch_global.conf
+
+- name: "Start emqx"
+  systemd:
+    name: emqx.service
+    state: started
+    enabled: yes
+
+- name: "Start app-sketch-global"
+  systemd:
+    name: app-sketch-global.service
+    state: started
+    enabled: yes

roles/app_global/templates/app_sketch_global.conf.j2

@@ -0,0 +1,36 @@
+[SYSTEM]
+#1:print on screen, 0:don't
+DEBUG_SWITCH = 1
+#10:DEBUG, 20:INFO, 30:FATAL
+RUN_LOG_LEVEL = {{ app_sketch_global_log_level }}
+RUN_LOG_PATH = ./logs
+
+[CONFIG]
+#Number of running threads
+thread-nu = 1
+timeout = 3600
+address="tcp://127.0.0.1:1883"
+topic_name="APP_SIGNATURE_ID"
+client_name="ExampleClientSub"
+
+[maat]
+# 0:json 1: redis 2: iris
+maat_input_mode=1
+table_info=./resource/table_info.conf
+json_cfg_file=./resource/gtest.json
+stat_file=logs/verify-policy.status
+full_cfg_dir=verify-policy/
+inc_cfg_dir=verify-policy/
+
+maat_redis_server={{ maat_redis_server.address }}
+maat_redis_port_range={{ maat_redis_server.port }}
+maat_redis_db_index={{ maat_redis_server.db }}
+effect_interval_s=1
+accept_tags={"tags":[{"tag":"location","value":"Astana"}]}
+
+[stat]
+statsd_server={{ file_stat_ip }}
+statsd_port=8100
+statsd_cycle=5
+# FS_OUTPUT_STATSD=1, FS_OUTPUT_INFLUX_LINE=2
+statsd_format=2

roles/firewall/tasks/main.yml

@@ -25,8 +25,7 @@
       - /tmp/ansible_deploy/mail-1.0.7.9e3be05-2.el7.x86_64.rpm
       - /tmp/ansible_deploy/quic-1.1.9.810857d-2.el7.x86_64.rpm
       - /tmp/ansible_deploy/ssl-1.0.8.0068bd9-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/tsg_conn_record-1.0.2.2afb19a-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/tsg_conn_sketch-2.0.v2.0_alpha.af621ca-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/tsg_conn_sketch-2.0.5.63c1e51-2.el7.x86_64.rpm
 
 - name: "Template the tsgconf/main.conf"
   template:

roles/sapp/tasks/main.yml

@@ -8,6 +8,7 @@
   copy:
     src: "{{ role_path }}/files/maat_redis_tool"
     dest: /usr/local/bin
+    mode: 0755
 
 - name: "install sapp rpms from localhost"
   yum:

roles/sapp/templates/conflist.inf.j2

@@ -10,9 +10,7 @@
 #./plug/platform/http_healthcheck/http_healthcheck.inf
 {% endif %}
 ./plug/platform/tsg_master/tsg_master.inf
-{% if tsg_app_enable == 1 %}
 ./plug/platform/app_master/app_master.inf
-{% endif %}
 
 [protocol]
 ./plug/protocol/ssl/ssl.inf
@@ -30,10 +28,7 @@
 ./plug/business/fw_mail_plug/fw_mail_plug.inf
 ./plug/business/fw_ftp_plug/fw_ftp_plug.inf
 ./plug/business/fw_quic_plug/fw_quic_plug.inf
-./plug/business/tsg_conn_record/tsg_conn_record.inf
 ./plug/business/tsg_conn_sketch/tsg_conn_sketch.inf
 ./plug/business/capture_packet_plug/capture_packet_plug.inf
-{% if tsg_app_enable == 1 %}
 ./plug/business/app_sketch_local/app_sketch_local.inf
 ./plug/business/app_control_plug/app_control_plug.inf
-{% endif %}

roles/tfe/templates/tfe.conf.j2

@@ -14,7 +14,7 @@ breakpad_minidump_dir=/run/tfe/crashreport
 # ask for at least (1 + nr_worker_threads) masks
 # the first  mask for acceptor thread
 # the others mask for worker   thread
-enable_cpu_affinity=1
+enable_cpu_affinity=0
 cpu_affinity_mask=1-9
 # LEAST_CONN = 0; ROUND_ROBIN = 1
 load_balance=1
@@ -67,7 +67,8 @@ service_cache_fail_time_window=30
 # cert
 check_cert_crl=0
 trusted_cert_load_local=1
-trusted_cert_file=resource/tfe/tls-ca-bundle.pem
+#trusted_cert_file=resource/tfe/tls-ca-bundle.pem
+trusted_cert_file=resource/tfe/tsg_diagnose_ca.pem
 trusted_cert_dir=resource/tfe/trusted_storage
 
 # master key
@@ -76,7 +77,7 @@ key_log_file=log/sslkeylog.log
 
 # mid cert cache
 mc_cache_enable=1
-mc_cache_eth={{ nic_inner_ctrl.name }}
+mc_cache_eth={{ nic_mgr.name }}
 mc_cache_broker_list={{ log_kafkabrokers.address }}
 mc_cache_topic=PXY-EXCH-INTERMEDIA-CERT
 

roles/tsg-app/tasks/main.yml

@@ -1,17 +0,0 @@
----
-- name: "copy tsg-app rpms to destination server"
-  copy:
-    src: "{{ role_path }}/files/"
-    dest: /tmp/ansible_deploy/
-
-- name: "install tsg-app packages"
-  yum:
-    name: "{{ app_packages }}"
-    state: present
-    skip_broken: yes
-  vars:
-    app_packages:
-      - /tmp/ansible_deploy/app_control_plug-1.0.2.a724506-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/app_sketch_local-1.0.2.fd63c68-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/app_master-1.0.4.d189dee-2.el7.x86_64.rpm
-  when: tsg-app_enable == 1

roles/tsg-diagnose_sync_ca/tasks/main.yml

@@ -2,5 +2,5 @@
   shell: rsync -avzP --delete 192.168.100.1::blade0toother /tmp/sync/
 
 - name: "tsg-diagnose: add badssl ca file to tfe tls-ca-bundle"
-  shell: cat  /tmp/sync/ca-root.crt >> /opt/tsg/tfe/resource/tfe/tls-ca-bundle.pem
+  shell: cat  /tmp/sync/ca-root.crt >> /opt/tsg/tfe/resource/tfe/tsg_diagnose_ca.pem
 

roles/tsg_app/tasks/main.yml

@@ -0,0 +1,32 @@
+---
+- name: "copy tsg_app rpms to destination server"
+  copy:
+    src: "{{ role_path }}/files/"
+    dest: /tmp/ansible_deploy/
+
+- name: "install tsg_app packages"
+  yum:
+    name: "{{ app_packages }}"
+    state: present
+    skip_broken: yes
+  vars:
+    app_packages:
+      - /tmp/ansible_deploy/app_master-1.0.5.5a4fb22-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/app_control_plug-1.0.3.447fc53-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/app_proto_identify-1.0.3.6c893f2-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/app_sketch_local-1.0.4.0edaf58-2.el7.x86_64.rpm
+  when: tsg_app_enable == 1
+
+- name: "Template the appconf/main.conf"
+  template:
+    src: "{{ role_path }}/templates/main.conf.j2"
+    dest: /home/mesasoft/sapp_run/appconf/main.conf
+  tags: template
+  when: tsg_app_enable == 1
+
+- name: "Template the appconf/maat.conf"
+  template:
+    src: "{{ role_path }}/templates/maat.conf.j2"
+    dest: /home/mesasoft/sapp_run/appconf/maat.conf
+  tags: template
+  when: tsg_app_enable == 1

roles/tsg_app/templates/maat.conf.j2

@@ -0,0 +1,34 @@
+[APP_SIGNATURE_MAAT]
+MAAT_MODE=2
+STAT_SWITCH=1
+PERF_SWITCH=1
+TABLE_INFO=appconf/app_id_tableinfo.conf
+STAT_FILE=app_id_maat.status
+EFFECT_INTERVAL_S=1
+REDIS_IP={{ maat_redis_server.address }}
+REDIS_PORT_NUM=1
+REDIS_PORT={{ maat_redis_server.port }}
+REDIS_INDEX={{ maat_redis_server.db }}
+JSON_CFG_FILE=appconf/app_id_maat.json
+INC_CFG_DIR=apprule/inc/index/
+FULL_CFG_DIR=apprule/full/index/
+EFFECTIVE_RANGE_FILE=/opt/app/etc/app_device_tag.json
+
+[APP_ACTION_MAAT]
+MAAT_MODE=2
+STAT_SWITCH=1
+PERF_SWITCH=1
+TABLE_INFO=appconf/app_action_tableinfo.conf
+STAT_FILE=app_action_maat.status
+EFFECT_INTERVAL_S=1
+REDIS_IP={{ maat_redis_server.address }}
+REDIS_PORT_NUM=1
+REDIS_PORT={{ maat_redis_server.port }}
+REDIS_INDEX={{ maat_redis_server.db }}
+JSON_CFG_FILE=appconf/app_action_maat.json
+INC_CFG_DIR=apprule/inc/index/
+FULL_CFG_DIR=apprule/full/index/
+EFFECTIVE_RANGE_FILE=/opt/tsg/etc/tsg_device_tag.json
+
+[MAAT]
+ACCEPT_TAGS={"tags":[{"tag":"device_id","value":"device_1"}]}

roles/tsg_app/templates/main.conf.j2

@@ -0,0 +1,39 @@
+[FEEDBACK]
+QOS=1
+PUBLISH_TOPIC=APP_SIGNATURE_ID
+#CLIENT_ID=
+BROKER_LIST=tcp://192.168.40.161:1883
+
+[LUA]
+ENABLE=1
+
+[MAAT]
+PROFILE=./appconf/maat.conf
+
+[APP_LOG]
+MODE=1
+LOG_LEVEL={{ applog_level }}
+LOG_PATH=./applog/applog
+BROKER_LIST={{ log_kafkabrokers.address }}
+COMMON_FIELD_FILE=appconf/app_log_field.conf
+
+[FIELD_STAT]
+CYCLE=5
+TELEGRAF_PORT=8100
+TELEGRAF_IP=127.0.0.1
+OUTPUT_PATH=./app_stat.log
+APP_NAME=app_master
+
+[SYSTEM]
+LOG_LEVEL={{ app_master_log_level }}
+LOG_PATH=./applog/app_master
+NIC_NAME={{ nic_mgr.name }}
+
+[APP_SKETCH_LOCAL]
+LOG_LEVEL={{ app_sketch_local_log_level }}
+LOG_PATH=./applog/app_sketch_local/app_sketch_local
+
+[CONTROL_PLUG]
+LOG_LEVEL={{ app_control_plug_log_level }}
+LOG_PATH=./applog/app_control_plug/app_control_plug
+

roles/tsg_master/tasks/main.yml

@@ -6,6 +6,6 @@
 - name: "install tsg_master from localhost"
   yum:
     name:
-      - /tmp/ansible_deploy/tsg_master-3.2.8.e57ad7f-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/tsg_master-3.2.9.d1a6f00-2.el7.x86_64.rpm
     state: present
     skip_broken: yes

uninstall/roles/package_list/20.09.yml

@@ -58,7 +58,6 @@ fw_http: fw_http_plug-3.0.0.1ca1c65-1.x86_64
 fw_quic: fw_quic_plug-3.0.0.b06d39c-1.x86_64
 fw_ssl: fw_ssl_plug-3.0.1.7ea9976-1.x86_64
 fw_mail: fw_mail_plug-3.0.0.3b4e481-1.x86_64
-tsg_conn_record: tsg_conn_record-1.0.2.2afb19a-1.x86_64
 tsg_conn_sketch: tsg_conn_sketch-2.0.v2.0_alpha.af621ca-1.x86_64
 
 ####################

uninstall/rpm_list.sh

@@ -0,0 +1,130 @@
+#!/bin/bash
+#
+mrzcpd=`rpm -qa |grep ^mrzcpd`
+libcjson=`rpm -qa |grep ^libcjson`
+libdocument=`rpm -qa |grep ^libdocument`
+libmaatframe=`rpm -qa |grep ^libmaatframe`
+libMESA_field_stat=`rpm -qa |grep ^libMESA_field_stat-`
+libMESA_field_stat2=`rpm -qa |grep ^libMESA_field_stat2`
+libMESA_handle_logger=`rpm -qa |grep ^libMESA_handle_logger`
+libMESA_htable=`rpm -qa |grep ^libMESA_htable`
+libMESA_prof_load=`rpm -qa |grep ^libMESA_prof_load`
+librdkafka=`rpm -qa |grep ^librdkafka`
+librulescan=`rpm -qa |grep ^librulescan`
+libwiredcfg=`rpm -qa |grep ^libwiredcfg`
+libWiredLB=`rpm -qa |grep ^libWiredLB`
+lz4=`rpm -qa |grep ^lz4`
+libtsglua=`rpm -qa |grep ^libtsglua`
+sapp=`rpm -qa |grep ^sapp`
+tsg_master=`rpm -qa |grep ^tsg_master`
+kni=`rpm -qa |grep ^kni`
+capture_packet_plug=`rpm -qa |grep ^capture_packet_plug`
+dns=`rpm -qa |grep ^dns-`
+ftp=`rpm -qa |grep ^ftp-`
+mail=`rpm -qa |grep ^mail-`
+ssl=`rpm -qa |grep ^ssl-`
+quic=`rpm -qa |grep ^quic-`
+http=`rpm -qa |grep ^http-2`
+fw_dns=`rpm -qa |grep ^fw_dns`
+fw_ftp=`rpm -qa |grep ^fw_ftp`
+fw_http=`rpm -qa |grep ^fw_http`
+fw_quic=`rpm -qa |grep ^fw_quic`
+fw_ssl=`rpm -qa |grep ^fw_ssl`
+fw_mail=`rpm -qa |grep ^fw_mail`
+tsg_conn_sketch=`rpm -qa |grep ^tsg_conn_sketch`
+tsg_conn_record=`rpm -qa |grep ^tsg_conn_record`
+app_sketch_local=`rpm -qa |grep ^app_sketch_local`
+app_control_plug=`rpm -qa |grep ^app_control_plug`
+app_master=`rpm -qa |grep ^app_master`
+tfe=`rpm -qa |grep ^tfe-4`
+tfe_kmod=`rpm -qa |grep ^tfe-kmod`
+http_healthcheck=`rpm -qa |grep ^http_healthcheck`
+clotho=`rpm -qa |grep ^clotho`
+certstore=`rpm -qa |grep ^certstore`
+
+
+cat > ./tsg_version.yml <<EOF
+####################
+#marsio
+mrzcpd: $mrzcpd
+
+####################
+#kernel
+kernel_ml: kernel-ml-5.1.8-1.el7.elrepo.x86_64
+kernel_ml_devel: kernel-ml-devel-5.1.8-1.el7.elrepo.x86_64
+dkms: dkms-2.7.1-1.el7.noarch
+elfutils_libelf_devel: elfutils-libelf-devel-0.168-8.el7.x86_64
+pkgconfig: pkgconfig-0.27.1-4.el7.x86_64
+zlib_devel: zlib-devel-1.2.7-17.el7.x86_64
+
+####################
+#framework
+libcjson: $libcjson
+libdocument: $libdocument
+libmaatframe: $libmaatframe
+libMESA_field_stat: $libMESA_field_stat
+libMESA_field_stat2: $libMESA_field_stat2
+libMESA_handle_logger: $libMESA_handle_logger
+libMESA_htable: $libMESA_htable
+libMESA_prof_load: $libMESA_prof_load
+librdkafka: $librdkafka
+librulescan: $librulescan
+libwiredcfg: $libwiredcfg
+libWiredLB: $libWiredLB
+lz4: $lz4
+libtsglua: $libtsglua
+
+####################
+#sapp
+sapp: $sapp
+
+####################
+#tsg_master
+tsg_master: $tsg_master
+
+####################
+#kni
+kni: $kni
+
+####################
+#firewall
+capture_packet_plug: $capture_packet_plug
+dns: $dns
+ftp: $ftp
+http: $http
+quic: $quic
+ssl: $ssl
+mail: $mail
+fw_dns: $fw_dns
+fw_ftp: $fw_ftp
+fw_http: $fw_http
+fw_quic: $fw_quic
+fw_ssl: $fw_ssl
+fw_mail: $fw_mail
+tsg_conn_sketch: $tsg_conn_sketch
+tsg_conn_record: $tsg_conn_record
+
+####################
+#Tsg_app
+app_sketch_local: $app_sketch_local
+app_control_plug: $app_control_plug
+app_master: $app_master
+
+####################
+#tfe
+tfe: $tfe
+tfe_kmod: $tfe_kmod
+
+####################
+#http_healthcheck
+http_healthcheck: $http_healthcheck
+
+#####################
+#clotho
+clotho: $clotho
+
+#####################
+#certstore
+certstore: $certstore
+
+EOF