First commit, at K18-2 Control Center.

deploy.yml

@@ -0,0 +1,128 @@
+- hosts:
+    - adc_mcn0
+    - adc_mcn1
+    - adc_mcn2
+    - adc_mcn3
+  remote_user: root
+  vars_files:
+    - install_config/group_vars/adc_global.yml
+  roles:
+    - framework
+    #- kernel-ml
+    - telegraf_collect
+
+- hosts: adc_mxn
+  remote_user: root
+  roles:
+#    - tsg-env-mxn
+
+- hosts: adc_mcn0
+  remote_user: root
+  vars_files:
+    - install_config/group_vars/adc_global.yml
+    - install_config/group_vars/adc_mcn0.yml
+  roles:
+#    - tsg-env-mcn0
+    - mrzcpd
+    - sapp
+    - tsg_master
+#    - kni
+    - firewall
+#    - tsg_app
+    - http_healthcheck
+#    - packet_dump
+    - certstore
+    - cert-redis
+    - telegraf_statistic
+#    - tsg_device_tag
+
+- hosts: adc_mcn1
+  remote_user: root
+  vars_files:
+    - install_config/group_vars/adc_global.yml
+    - install_config/group_vars/adc_mcn1.yml
+  roles:
+#    - tsg-env-mcn1
+    - mrzcpd
+    - tfe
+
+- hosts: adc_mcn2
+  remote_user: root
+  vars_files:
+    - install_config/group_vars/adc_global.yml
+    - install_config/group_vars/adc_mcn2.yml
+  roles:
+#    - tsg-env-mcn2
+    - mrzcpd
+    - tfe
+
+- hosts: adc_mcn3
+  remote_user: root
+  vars_files:
+    - install_config/group_vars/adc_global.yml
+    - install_config/group_vars/adc_mcn3.yml
+  roles:
+#    - tsg-env-mcn3
+    - mrzcpd
+    - tfe
+
+- hosts: adc_mcn0
+  remote_user: root
+  roles:
+    - tsg-diagnose
+
+- hosts: 
+    - adc_mcn1
+    - adc_mcn2
+    - adc_mcn3
+  remote_user: root
+  roles:
+    - tsg-diagnose_sync_ca
+    
+- hosts: adc_mcn0
+  remote_user: root
+  roles:
+    - tsg-diagnose_stop_sync
+
+- hosts:
+    - adc_mcn0
+    - adc_mcn1
+    - adc_mcn2
+    - adc_mcn3
+  remote_user: root
+  vars_files:
+    - install_config/group_vars/adc_global.yml
+  roles:
+    - reboot
+
+- hosts: server-as-tun-mode
+  remote_user: root
+  vars_files:
+    - install_config/group_vars/server_as_tun_mode.yml
+  roles:
+    - kernel-ml
+    - framework
+    - mrzcpd
+    - tsg-env-tun-mode
+    - sapp
+    - tsg_master
+    - kni
+    - firewall
+    - tsg_app
+    - http_healthcheck
+    - packet_dump
+    - certstore
+    - cert-redis
+    - tfe
+    - telegraf_statistic
+    - telegraf_collect
+    - proxy_status
+#    - tsg_device_tag
+    - reboot
+
+- hosts: app_global
+  remote_user: root
+  vars_files:
+    - install_config/group_vars/app_global.yml
+  roles:
+    - app_global

install_config/group_vars/adc_global.yml

@@ -0,0 +1,111 @@
+#########################################
+#####1: Inline_device;  2: Allot;  3: ADC_Tun_mode;
+tsg_access_type: 3
+#####2: ADC;
+tsg_running_type: 2
+
+########################################
+#Deploy_finished_reboot
+Deploy_finished_reboot: 0
+
+########################################
+#IP Config
+maat_redis_server:
+  address: "192.168.100.4"
+  port: 7002
+  db: 0
+
+dynamic_maat_redis_server:
+  address: "192.168.100.4"
+  port: 7002
+  db: 0
+
+cert_store_server:
+  address: "192.168.100.1"
+  port: 9991
+
+log_kafkabrokers:
+  address: "10.4.61.10:9092,10.4.61.11:9092,10.4.61.12:9092,10.4.61.13:9092,10.4.61.14:9092,10.4.61.15:9092,10.4.61.16:9092,10.4.61.17:9092,10.4.61.18:9092,10.4.61.19:9092,10.4.61.20:9092"
+
+monitor_outputs_influxdb:
+  url: "http://127.0.0.1:58086"
+
+log_minio:
+  address: "10.4.62.253"
+  port: 9090
+
+#########################################
+#Log Level Config
+#日志等级 10:DEBUG 20:INFO 30:FATAL
+fw_ftp_log_level: 30
+fw_mail_log_level: 30
+fw_http_log_level: 30
+fw_dns_log_level: 30
+fw_quic_log_level: 30
+capture_packet_log_level: 30
+tsg_log_level: 30
+tsg_master_log_level: 30
+kni_log_level: 30
+
+#日志等级 DEBUG INFO FATAL
+tfe_log_level: FATAL
+tfe_http_log_level: FATAL
+pangu_log_level: FATAL
+doh_log_level: FATAL
+
+certstore_log_level: 30
+packet_dump_log_level: 30
+
+#######################################
+#Sapp Performance Config
+#Sapp工作在ADC计算板0时，建议使用如下30+8的配置，以保证更高的处理性能
+sapp:
+  worker_threads: 42
+  send_only_threads_max: 1
+  bind_mask: 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43
+  inbound_route_dir: 1
+
+########################################
+#Kni Config
+kni:
+  global:
+    tfe_node_count: 3
+  watch_dog:
+    switch: 1
+  maat:
+    readconf_mode: 2
+  send_logger:
+    switch: 1
+  tfe_nodes:
+    tfe0_enabled: 1
+    tfe1_enabled: 1
+    tfe2_enabled: 1
+
+########################################
+#Tfe Config
+tfe:
+  nr_threads: 32
+  mirror_enable: 1
+
+########################################
+#Marsio Config
+#marsio工作在ADC计算板时，建议使用如下配置，以保证更高的处理性能
+mrzcpd:
+  iocore: 52,53,54,55
+
+mrtunnat:
+  lcore_id: 48,49,50,51 
+
+#########################################
+#Tsg_app
+tsg_app_enable: 0
+app_global_ip: "1.1.1.1"
+applog_level: 10
+app_master_log_level: 10
+app_sketch_local_log_level: 10
+app_control_plug_log_level: 10
+
+
+breakpad_upload_url: http://127.0.0.1/
+
+tsg_master_entrance_id: 4

install_config/group_vars/adc_mcn0.yml

@@ -0,0 +1,39 @@
+#########################################
+#Mcn0管理口网卡名
+nic_mgr:
+  name: ens1f3
+
+#########################################
+#Mcn0流量接入网卡，固定配置
+nic_data_incoming:
+  name: ens1f4
+
+#########################################
+#Mcn0其他数据口网卡名配置，固定配置
+nic_inner_ctrl:
+  name: ens1.100
+nic_to_tfe:
+  tfe0:
+      name: ens1f5
+  tfe1:
+      name: ens1f6
+  tfe2:
+      name: ens1f7
+
+#########################################
+#串联设备接入相关配置
+inline_device_config:
+  keepalive_ip: 192.168.1.30
+  keepalive_mask: 255.255.255.252
+
+#########################################
+#Allot接入相关配置
+AllotAccess:
+  virturlInterface_1: ens1f2.103
+  virturlInterface_2: ens1f2.104
+  virturlID_1: 103
+  virturlID_2: 104
+  vvipv4_mask: 24
+  vvipv6_mask: 64
+
+bladename: mcn0

install_config/group_vars/adc_mcn1.yml

@@ -0,0 +1,19 @@
+#########################################
+#Mcn1管理口网卡名
+nic_mgr:
+  name: ens1f3
+
+#########################################
+#Mcn1流量接入网卡，固定配置
+nic_data_incoming:
+  name: ens1f1
+
+#########################################
+#Mcn1其他数据口网卡名配置，固定配置
+nic_inner_ctrl:
+  name: ens1.100
+nic_traffic_mirror:
+  name: ens1f2
+  use_mrzcpd: 1
+
+bladename: mcn1

install_config/group_vars/adc_mcn2.yml

@@ -0,0 +1,19 @@
+#########################################
+#Mcn2管理口网卡名
+nic_mgr:
+  name: ens8f3
+
+#########################################
+#Mcn2流量接入网卡，固定配置
+nic_data_incoming:
+  name: ens8f1
+
+#########################################
+#Mcn2其他数据口网卡名配置，固定配置
+nic_inner_ctrl:
+  name: ens8.100
+nic_traffic_mirror:
+  name: ens8f2
+  use_mrzcpd: 1
+  
+bladename: mcn2

install_config/group_vars/adc_mcn3.yml

@@ -0,0 +1,19 @@
+#########################################
+#Mcn3管理口网卡名
+nic_mgr:
+  name: ens8f3
+
+#########################################
+#Mcn3流量接入网卡，固定配置
+nic_data_incoming:
+  name: ens8f1
+
+#########################################
+#Mcn3其他数据口网卡名配置，固定配置
+nic_inner_ctrl:
+  name: ens8.100
+nic_traffic_mirror:
+  name: ens8f2
+  use_mrzcpd: 1
+  
+bladename: mcn3

install_config/group_vars/app_global.yml

@@ -0,0 +1,10 @@
+#########################################
+app_sketch_global_log_level: 10
+
+maat_redis_server:
+  address: "192.168.40.168"
+  port: 7002
+  db: 0
+
+file_stat_ip: "1.1.1.1"
+  

install_config/group_vars/server_as_tun_mode.yml

@@ -0,0 +1,145 @@
+#########################################
+#####0: Pcap;  1: Inline_device;  4: ATCA_Vlan_Flipping;  5:ATCA_VXLAN;
+tsg_access_type: 1
+#####0: Tun_mode;  1: normal;
+tsg_running_type: 1
+
+########################################
+#Deploy_finished_reboot
+Deploy_finished_reboot: 1
+
+########################################
+#Server Basic Config
+nic_mgr:
+  name: eth0
+
+nic_inner_ctrl:
+  name: eth0.100
+
+#########################################
+#IP Config
+maat_redis_server:
+  address: "192.168.40.168"
+  port: 7002
+  db: 0
+
+dynamic_maat_redis_server:
+  address: "192.168.40.168"
+  port: 7002
+  db: 0
+
+cert_store_server:
+  address: "192.168.100.1"
+  port: 9991
+
+log_kafkabrokers:
+  address: "1.1.1.1:9092,2.2.2.2:9092"
+
+log_minio:
+  address: "192.168.40.168;"
+  port: 9090
+
+#########################################
+#Log Level Config
+#日志等级 10:DEBUG 20:INFO 30:FATAL
+fw_ftp_log_level: 10
+fw_mail_log_level: 10
+fw_http_log_level: 10
+fw_dns_log_level: 10
+fw_quic_log_level: 10
+capture_packet_log_level: 10
+tsg_log_level: 10
+tsg_master_log_level: 10
+kni_log_level: 10
+
+
+#日志等级 DEBUG INFO FATAL
+tfe_log_level: DEBUG
+tfe_http_log_level: DEBUG
+pangu_log_level: DEBUG
+doh_log_level: DEBUG
+
+certstore_log_level: 10
+packet_dump_log_level: 10
+
+#########################################
+#Sapp Performance Config
+#如果tsg_access_type=0，sapp跑在pcap模式，则以下配置可忽略
+sapp:
+  worker_threads: 23
+  send_only_threads_max: 1
+  bind_mask: 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24
+  inbound_route_dir: 1
+
+#########################################
+#Sapp Double-Arm Config
+packet_io:
+  internal_interface: eth2
+  external_interface: eth3
+
+
+#########################################
+#Kni Config
+kni:
+  global:
+    tfe_node_count: 1
+  watch_dog:
+    switch: 1
+  maat:
+    readconf_mode: 2
+  send_logger:
+    switch: 1
+  tfe_nodes:
+    tfe0_enabled: 1
+    tfe1_enabled: 0
+    tfe2_enabled: 0
+
+#########################################
+#Tfe Config
+tfe:
+  nr_threads: 32
+  mirror_enable: 1
+
+#########################################
+#Marsio Config
+mrzcpd:
+  iocore: 39
+
+mrtunnat:
+  lcore_id: 38
+
+#########################################
+#Tsg_app
+tsg_app_enable: 1
+app_global_ip: "1.1.1.1"
+applog_level: 10
+app_master_log_level: 10
+app_sketch_local_log_level: 10
+app_control_plug_log_level: 10
+
+#########################################
+#ATCA Config
+#下列配置只在tsg_access_type=4时生效
+ATCA_data_incoming:
+  ethname: enp1s0
+  vf0_name: enp1s2
+  vf1_name: enp1s2f1
+  vf2_name: enp1s2f2
+
+ATCA_VlanFlipping:
+  vlanID_1: 100
+  vlanID_2: 101
+  vlanID_3: 103
+  vlanID_4: 104
+
+#下列配置只在tsg_access_type=5时生效
+ATCA_VXLAN:
+  keepalive_ip: "10.254.19.1"
+  keepalive_mask: "255.255.255.252"
+
+#########################################
+#Inline Device Config
+inline_device_config:
+  keepalive_ip: 192.168.1.30
+  keepalive_mask: 255.255.255.252
+  data_incoming: eth5

install_config/hosts

@@ -0,0 +1,44 @@
+###################
+#   For example   #
+###################
+#变量device_id根据设备序号设置即可
+#变量vvipv4_1、vvipv4_2、vvipv6_1、vvipv6_2为Allot相关配置，其他环境可不填或直接删除变量
+#
+#20.09版本新增APP部署
+#[app_global]
+#0.0.0.0
+
+#[server-as-tun-mode]
+#1.1.1.1 device_id=device_1
+#
+#[adc_mxn]
+#10.3.72.1
+#10.3.72.2
+#
+#[adc_mcn0]
+#10.3.73.1 device_id=device_1 vvipv4_1=10.3.61.1 vvipv4_2=10.3.62.1 vvipv6_1=fc00::61:1 vvipv6_2=fc00::62:1
+#10.3.73.2 device_id=device_2 vvipv4_1=10.3.61.2 vvipv4_2=10.3.62.2 vvipv6_1=fc00::61:2 vvipv6_2=fc00::62:2
+#
+#[adc_mcn1]
+#10.3.74.1 device_id=device_1
+#10.3.74.2 device_id=device_2
+#
+#[adc_mcn2]
+#10.3.75.1 device_id=device_1
+#10.3.75.2 device_id=device_2
+#
+#[adc_mcn3]
+#10.3.76.1 device_id=device_1
+#10.3.76.2 device_id=device_2
+
+#[app_global]
+#[server-as-tun-mode]
+#[adc_mxn]
+[adc_mcn0]
+10.4.51.2
+[adc_mcn1]
+10.4.52.2
+[adc_mcn2]
+10.4.53.2
+[adc_mcn3]
+10.4.54.2

roles/app_global/tasks/main.yml

@@ -0,0 +1,36 @@
+- name: "copy app_global rpm to destination server"
+  copy:
+    src: "{{ role_path }}/files/"
+    dest: /tmp/ansible_deploy/
+
+- name: "install app rpms from localhost"
+  yum:
+    name:
+      - /tmp/ansible_deploy/emqx-centos7-v4.1.2.x86_64.rpm
+      - /tmp/ansible_deploy/app-sketch-global-1.0.3.202010.a7b2e40-1.el7.x86_64.rpm
+    state: present
+
+- name: "template the app_sketch_global.conf"
+  template:
+    src: "{{ role_path }}/templates/app_sketch_global.conf.j2"
+    dest: /opt/tsg/app-sketch-global/conf/app_sketch_global.conf
+
+- name: "template the zlog.conf"
+  template:
+    src: "{{ role_path }}/templates/zlog.conf.j2"
+    dest: /opt/tsg/app-sketch-global/conf/zlog.conf
+
+- name: "Start emqx"
+  systemd:
+    name: emqx.service
+    state: started
+    enabled: yes
+    daemon_reload: yes
+    
+
+- name: "Start app-sketch-global"
+  systemd:
+    name: app-sketch-global.service
+    state: started
+    enabled: yes
+    daemon_reload: yes

roles/app_global/templates/app_sketch_global.conf.j2

@@ -0,0 +1,41 @@
+[SYSTEM]
+#1:print on screen, 0:don't
+DEBUG_SWITCH = 1
+RUN_LOG_PATH = "conf/zlog.conf"
+
+[breakpad]
+disable_coredump=0
+enable_breakpad=1
+breakpad_minidump_dir=/tmp/app-sketch-global/crashreport
+enable_breakpad_upload=0
+breakpad_upload_url={{ breakpad_upload_url }}
+
+[CONFIG]
+#Number of running threads
+thread-nu = 1
+timeout = 3600
+address="tcp://127.0.0.1:1883"
+topic_name="APP_SIGNATURE_ID"
+client_name="ExampleClientSub"
+
+[maat]
+# 0:json 1: redis 2: iris
+maat_input_mode=1
+table_info=./resource/table_info.conf
+json_cfg_file=./resource/gtest.json
+stat_file=logs/verify-policy.status
+full_cfg_dir=verify-policy/
+inc_cfg_dir=verify-policy/
+
+maat_redis_server={{ maat_redis_server.address }}
+maat_redis_port_range={{ maat_redis_server.port }}
+maat_redis_db_index={{ maat_redis_server.db }}
+effect_interval_s=1
+accept_tags={"tags":[{"tag":"location","value":"Astana"}]}
+
+[stat]
+statsd_server={{ file_stat_ip }}
+statsd_port=8100
+statsd_cycle=5
+# FS_OUTPUT_STATSD=1, FS_OUTPUT_INFLUX_LINE=2
+statsd_format=2

roles/app_global/templates/zlog.conf.j2

@@ -0,0 +1,12 @@
+[global]
+default format = "%d(%c), %V, %F, %U, %m%n"
+[levels]
+DEBUG=10
+INFO=20
+FATAL=30
+[rules]
+*.fatal        "./logs/error.log.%d(%F)";
+*.{{ app_sketch_global_log_level }}		"./logs/app_sketch_global.log.%d(%F)"
+
+
+

roles/cert-redis/files/cert-redis/cert-redis.service

@@ -0,0 +1,16 @@
+[Unit]
+Description=Redis persistent key-value database
+After=network.target
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+ExecStart=/usr/local/bin/start-cert-redis
+ExecStop=killall redis-server
+Type=forking
+RuntimeDirectory=redis
+RuntimeDirectoryMode=0755
+
+[Install]
+WantedBy=multi-user.target
+

roles/cert-redis/files/cert-redis/install.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+#
+cp -rf redis-server /usr/local/bin/
+cp -rf redis-cli /usr/local/bin
+cp -rf cert-redis.service /usr/lib/systemd/system/
+cp -rf start-cert-redis /usr/local/bin

roles/cert-redis/files/cert-redis/start-cert-redis

@@ -0,0 +1,4 @@
+#!/bin/bash
+#
+
+/usr/local/bin/redis-server /opt/tsg/cert-redis/6379/6379.conf

roles/cert-redis/tasks/main.yml

@@ -0,0 +1,15 @@
+- name: "copy cert-redis to destination server"
+  copy:
+    src: "{{ role_path }}/files/"
+    dest: /opt/tsg
+    mode: 0755
+
+- name: "install cert-redis"
+  shell: cd /opt/tsg/cert-redis;sh install.sh
+
+- name: "start cert-redis"
+  systemd:
+    name: cert-redis.service
+    state: started
+    daemon_reload: yes
+    enabled: yes

roles/certstore/files/memory.conf

@@ -0,0 +1,2 @@
+[Service]
+MemoryMax=10G

roles/certstore/tasks/main.yml

@@ -0,0 +1,37 @@
+- name: "copy certstore rpm to destination"
+  synchronize:
+    src: "{{ role_path }}/files/"
+    dest: "/tmp/ansible_deploy/"
+
+- name: Ensures /opt/tsg exists
+  file: path=/opt/tsg state=directory
+  tags: mkdir
+
+- name: install certstore
+  yum:
+    name:
+      - /tmp/ansible_deploy/certstore-2.1.3.202010.81eef83-1.el7.x86_64.rpm
+    state: present
+
+- name: template certstore configure file
+  template:
+    src: "{{ role_path }}/templates/cert_store.ini.j2"
+    dest: /opt/tsg/certstore/conf/cert_store.ini
+
+- name: template certstore zlog file
+  template:
+    src: "{{ role_path }}/templates/zlog.conf.j2"
+    dest: /opt/tsg/certstore/conf/zlog.conf
+
+- name: "copy memory limit file to certstore.service.d"
+  copy:
+    src: "{{ role_path }}/files/memory.conf"
+    dest: /etc/systemd/system/certstore.service.d/
+    mode: 0644
+
+- name: "start certstore"
+  systemd:
+    name: certstore.service
+    state: started
+    enabled: yes
+    daemon_reload: yes

roles/certstore/templates/cert_store.ini.j2

@@ -0,0 +1,58 @@
+[SYSTEM]
+#1:print on screen, 0:don't
+DEBUG_SWITCH = 1
+RUN_LOG_PATH = "conf/zlog.conf"
+
+[breakpad]
+disable_coredump=0
+enable_breakpad=1
+breakpad_minidump_dir=/tmp/certstore/crashreport
+enable_breakpad_upload=0
+breakpad_upload_url= {{ breakpad_upload_url }}
+
+[CONFIG]
+#Number of running threads
+thread-nu = 4
+#1 rsync, 0 sync
+mode=1
+#Local default root certificate is valid for 30 days by default
+expire_after = 30
+#Local default root certificate path
+local_debug = 1
+ca_path = ./cert/tango-ca-v3-trust-ca.pem
+untrusted_ca_path = ./cert/tango-ca-v3-untrust-ca.pem
+
+[MAAT]
+#Configure the load mode,
+#0: using the configuration distribution network
+#1: using local json
+#2: using Redis reads
+maat_json_switch=2
+#When the loading mode is sent to the network, set the scanning configuration modification interval (s).
+effective_interval=1
+#Specify the location of the configuration library table file
+table_info=./conf/table_info.conf
+#Incremental profile path
+inc_cfg_dir=./rule/inc/index
+#Full profile path
+full_cfg_dir=./rule/full/index
+#Json file path when json schema is used
+pxy_obj_keyring=./conf/pxy_obj_keyring.json
+
+[LIBEVENT]
+#Local monitor port number, default is 9991
+port = 9991
+
+[CERTSTORE_REDIS]
+#The Redis server IP address and port number where the certificate is stored locally
+ip = 127.0.0.1
+port = 6379
+
+[MAAT_REDIS]
+#Maat monitors the Redsi server IP address and port number
+ip = {{ maat_redis_server.address }}
+port = {{ maat_redis_server.port }}
+dbindex =  {{ maat_redis_server.db }}
+[stat]
+statsd_server=127.0.0.1
+statsd_port=58100

roles/certstore/templates/zlog.conf.j2

@@ -0,0 +1,10 @@
+[global]
+default format = "%d(%c), %V, %F, %U, %m%n"
+[levels]
+DEBUG=10
+INFO=20
+FATAL=30
+[rules]
+*.fatal        "./logs/error.log.%d(%F)";
+*.{{ certstore_log_level }}        "./logs/certstore.log.%d(%F)"
+

roles/firewall/tasks/main.yml

@@ -0,0 +1,47 @@
+---
+- name: "copy firewall rpms to destination server"
+  copy:
+    src: "{{ role_path }}/files/"
+    dest: /tmp/ansible_deploy/
+
+- name: "install firewall packages"
+  yum:
+    name: "{{ fw_packages }}"
+    state: present
+    skip_broken: yes
+  vars:
+    fw_packages:
+      - /tmp/ansible_deploy/capture_packet_plug-3.0.4.42574b7-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/conn_telemetry-1.0.2.8d6da43-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/dns-2.0.9.b639626-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/ftp-1.0.8.13d5fda-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/fw_dns_plug-3.0.2.dab58fa-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/fw_ftp_plug-3.0.1.0a78573-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/fw_http_plug-3.0.1.0c7e082-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/fw_mail_plug-3.0.1.02465eb-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/fw_quic_plug-3.0.1.b790ee1-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/fw_ssl_plug-3.0.4.a0b19ee-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/http-2.0.5.c61ad9a-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/mail-1.0.9.c1d3bde-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/quic-1.1.10.c2b90a0-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/ssl-1.0.9.69f3742-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/tsg_conn_sketch-2.0.6.abb4f4d-2.el7.x86_64.rpm
+
+- name: "Template the tsgconf/main.conf"
+  template:
+    src: "{{ role_path }}/templates/main.conf.j2"
+    dest: /home/mesasoft/sapp_run/tsgconf/main.conf
+  tags: template
+
+
+- name: "Template the tsgconf/maat.conf"
+  template:
+    src: "{{ role_path }}/templates/maat.conf.j2"
+    dest: /home/mesasoft/sapp_run/tsgconf/maat.conf
+  tags: template
+
+- name: "Template the conf/capture_packet_plug.conf.j2"
+  template:
+    src: "{{ role_path }}/templates/capture_packet_plug.conf.j2"
+    dest: /home/mesasoft/sapp_run/conf/capture_packet_plug.conf
+  tags: template

roles/firewall/templates/capture_packet_plug.conf.j2

@@ -0,0 +1,25 @@
+[MAAT]
+MAAT_MODE=2
+#EFFECTIVE_FLAG=
+STAT_SWITCH=1
+PERF_SWITCH=1
+TABLE_INFO=conf/capture_packet_tableinfo.conf
+STAT_FILE=capture_packet_maat.status
+EFFECT_INTERVAL_S=1
+REDIS_IP={{ maat_redis_server.address }}
+REDIS_PORT_NUM=1
+REDIS_PORT={{ maat_redis_server.port }}
+REDIS_INDEX=0
+JSON_CFG_FILE=conf/capture_packet_maat.json
+INC_CFG_DIR=capture_packet_rule/inc/index/
+FULL_CFG_DIR=capture_packet_rule/full/index/
+
+[LOG]
+NIC_NAME={{ nic_mgr.name }}
+BROKER_LIST={{ log_kafkabrokers.address }}
+FIELD_FILE=conf/capture_packet_log_field.conf
+
+[SYSTEM]
+LOG_LEVEL={{ capture_packet_log_level }}
+LOG_PATH=./tsglog/capture_packet_plug/capture_packet
+

roles/firewall/templates/maat.conf.j2

@@ -0,0 +1,32 @@
+[STATIC]
+###0:location 1:json 2:redis
+MAAT_MODE=2
+STAT_SWITCH=1
+PERF_SWITCH=1
+TABLE_INFO=tsgconf/tsg_static_tableinfo.conf
+STAT_FILE=tsg_static_maat.status
+EFFECT_INTERVAL_S=1
+REDIS_IP={{ maat_redis_server.address }}
+REDIS_PORT_NUM=1
+REDIS_PORT=7002
+REDIS_INDEX=0
+JSON_CFG_FILE=tsgconf/tsg_maat.json
+INC_CFG_DIR=tsgrule/inc/index/
+FULL_CFG_DIR=tsgrule/full/index/
+
+[DYNAMIC]
+###0:location 1:json 2:redis
+MAAT_MODE=2
+STAT_SWITCH=1
+PERF_SWITCH=1
+TABLE_INFO=tsgconf/tsg_dynamic_tableinfo.conf
+STAT_FILE=tsg_dynamic_maat.status
+EFFECT_INTERVAL_S=1
+REDIS_IP={{ dynamic_maat_redis_server.address }}
+REDIS_PORT_NUM=1
+REDIS_PORT=7002
+REDIS_INDEX=1
+JSON_CFG_FILE=tsgconf/tsg_maat.json
+INC_CFG_DIR=tsgrule/inc/index/
+FULL_CFG_DIR=tsgrule/full/index/
+

roles/firewall/templates/main.conf.j2

@@ -0,0 +1,57 @@
+[FTP_PLUG]
+LOG_PATH="./tsglog/fw_ftp_plug/fw_ftp_plug"
+LOG_LEVEL={{ fw_ftp_log_level }}
+TIMEOUT=600
+
+[MAIL_PLUG]
+LOG_PATH="./tsglog/fw_mail_plug/fw_mail_plug"
+LOG_LEVEL={{ fw_mail_log_level }}
+TIMEOUT=600
+
+[HTTP_PLUG]
+LOG_PATH="./tsglog/fw_http_plug/fw_http_plug"
+LOG_LEVEL={{ fw_http_log_level }}
+
+[DNS_PLUG]
+LOG_PATH="./tsglog/fw_dns_plug/fw_dns_plug"
+LOG_LEVEL={{ fw_dns_log_level }}
+
+[QUIC_PLUG]
+LOG_PATH="./tsglog/fw_quic_plug/fw_quic_plug"
+LOG_LEVEL={{ fw_quic_log_level }}
+
+[MAAT]
+PROFILE="./tsgconf/maat.conf"
+SUBSCRIBER_ID_TABLE="TSG_OBJ_SUBSCRIBER_ID"
+CB_SUBSCRIBER_IP_TABLE="TSG_DYN_SUBSCRIBER_IP"
+IP_ADDR_TABLE="TSG_SECURITY_ADDR"
+
+[TSG_LOG]
+MODE=1
+NIC_NAME="{{ nic_mgr.name }}"
+MAX_SERVICE=1
+LOG_LEVEL={{ tsg_log_level }}
+LOG_PATH="./tsglog/tsglog"
+BROKER_LIST="{{ log_kafkabrokers.address }}"
+COMMON_FIELD_FILE="tsgconf/tsg_log_field.conf"
+
+[STATISTIC]
+CYCLE=5
+TELEGRAF_PORT=8100
+TELEGRAF_IP="127.0.0.1"
+OUTPUT_PATH="./tsg_statistic.log"
+APP_NAME="statistic"
+
+[FIELD_STAT]
+CYCLE=5
+TELEGRAF_PORT=8100
+TELEGRAF_IP="127.0.0.1"
+OUTPUT_PATH="./tsg_stat.log"
+APP_NAME="tsg_master"
+
+[SYSTEM]
+ENTRANCE_ID={{ tsg_master_entrance_id }}
+LOG_LEVEL={{ tsg_master_log_level }}
+LOG_PATH="./tsglog/tsg_master"
+POLICY_PRIORITY_LABEL="POLICY_PRIORITY"
+DEVICE_ID_COMMAND="hostname | awk -F'-' '{print $3}'| awk -F'ADC' '{print $2}'"

roles/framework/files/framework.conf

@@ -0,0 +1 @@
+/opt/MESA/lib/

roles/framework/tasks/main.yml

@@ -0,0 +1,40 @@
+- name: "copy framework rpms to destination server"
+  synchronize:
+    src: "{{ role_path }}/files/"
+    dest: "/tmp/ansible_deploy/"
+
+- name: "install framework packages"
+  yum:
+    name: "{{ packages }}"
+    state: present
+    skip_broken: yes
+  vars:
+    packages:
+      - /tmp/ansible_deploy/libcjson-1.7.10.ab2896f-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libdocumentanalyze-2.0.6.2d1abe0-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libmaatframe-3.1.3.4fbcf21-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libMESA_field_stat-1.0.2.6d45eed-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libMESA_field_stat2-2.9.4.4e2dd78-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libMESA_handle_logger-2.0.7.cb4ad71-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libMESA_htable-3.10.12.cf4ccfc-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libMESA_prof_load-1.0.6.c6da36a-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/librdkafka-0.11.4-1.el7.x86_64.rpm
+      - /tmp/ansible_deploy/librulescan-2.2.1.1716a7b-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libtsglua-1.0.8.0dbf2e6-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libwiredcfg-2.0.6.67ae0ab-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libWiredLB-2.0.5.4629165-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/lz4-1.7.5-3.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libbreakpad_mini-1.0.2.a56ef00-2.el7.x86_64.rpm
+
+- name: "mkdir /etc/ld.so.conf.d/"
+  file:
+    path: /etc/ld.so.conf.d/
+    state: directory
+
+- name: "copy framework.conf to destination server"
+  copy:
+    src: "{{ role_path }}/files/framework.conf"
+    dest: /etc/ld.so.conf.d/
+
+- name: "update ld"
+  command: ldconfig

roles/http_healthcheck/tasks/main.yml

@@ -0,0 +1,10 @@
+- name: "copy http_healthcheck rpm to destination server"
+  copy:
+    src: "{{ role_path }}/files/"
+    dest: /tmp/ansible_deploy/
+
+- name: "install http_healthcheck from localhost"
+  yum:
+    name:
+      - /tmp/ansible_deploy/http_healthcheck-20.04-1.el7.x86_64.rpm
+    state: present

roles/kernel-ml/files/grub

@@ -0,0 +1,8 @@
+GRUB_TIMEOUT=5
+GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
+GRUB_DEFAULT=saved
+GRUB_DISABLE_SUBMENU=true
+GRUB_TERMINAL="serial console"
+GRUB_SERIAL_COMMAND="serial --speed=115200"
+GRUB_CMDLINE_LINUX="crashkernel=auto console=ttyS0,115200 intel_iommu=on iommu=pt pci=realloc,assign-busses"
+GRUB_DISABLE_RECOVERY="true"

roles/kernel-ml/tasks/main.yml

@@ -0,0 +1,45 @@
+---
+- name: "copy framework rpms to destination server"
+  synchronize:
+    src: "{{ role_path }}/files/"
+    dest: "/tmp/ansible_deploy/"
+
+- name: "install kernels-ml"
+  yum:
+    name:
+      - /tmp/ansible_deploy/pkgconfig-0.27.1-4.el7.x86_64.rpm
+      - /tmp/ansible_deploy/zlib-devel-1.2.7-17.el7.x86_64.rpm
+      - /tmp/ansible_deploy/elfutils-libelf-devel-0.168-8.el7.x86_64.rpm
+      - /tmp/ansible_deploy/kernel/kernel-ml-5.1.8-1.el7.elrepo.x86_64.rpm
+      - /tmp/ansible_deploy/kernel/kernel-ml-devel-5.1.8-1.el7.elrepo.x86_64.rpm
+      - /tmp/ansible_deploy/dkms-2.7.1-1.el7.noarch.rpm
+    state: present
+  register: t_kernel_ml
+
+- name: "set kernel-ml as default kernel"
+  command: /usr/sbin/grub2-set-default 0
+  when: t_kernel_ml.changed
+
+- name: "copy /etc/default/grub"
+  copy:
+    src: "{{ role_path }}/files/grub"
+    dest: "/etc/default"
+  when: 
+    - tsg_access_type == 4
+    - t_kernel_ml.changed
+
+- name: "BIOS:grub2-mkconfig"
+  shell: grub2-mkconfig -o /boot/grub2/grub.cfg
+  when:
+    - tsg_access_type == 4
+    - t_kernel_ml.changed
+
+- name: "UEFI:grub2-mkconfig"
+  shell: grub2-mkconfig  -o /boot/efi/EFI/centos/grub.cfg
+  when:
+    - tsg_access_type == 4
+    - t_kernel_ml.changed
+
+#- name: "reboot"
+#  reboot:
+#  when: t_kernel_ml.changed

roles/kni/tasks/main.yml

@@ -0,0 +1,24 @@
+---
+- name: "copy kni to destination server"
+  copy:
+    src: "{{ role_path }}/files/"
+    dest: /tmp/ansible_deploy/
+
+- name: "install kni rpms from localhost"
+  yum:
+    name:
+      - /tmp/ansible_deploy/kni-20.10.20201019.3f20d93-2.el7.x86_64.rpm
+    state: present
+#    skip_broken: yes
+
+- name: Template the kni.conf
+  template:
+    src: "{{ role_path }}/templates/kni.conf.j2"
+    dest: /home/mesasoft/sapp_run/etc/kni/kni.conf
+  tags: template
+ 
+- name: "enable sapp"
+  systemd:
+    name: sapp
+    enabled: yes
+    daemon_reload: yes

roles/kni/templates/kni.conf.j2

@@ -0,0 +1,144 @@
+[global]
+log_path = ./log/kni/kni.log
+log_level = {{ kni_log_level }}
+tfe_node_count = {{ kni.global.tfe_node_count }}
+manage_eth = {{ nic_mgr.name }}
+{% if tsg_running_type != 2 %}
+deploy_mode = tun
+{% else %}
+deploy_mode = normal
+{% endif %}
+tun_name = tun_kni
+src_mac_addr = 00:0e:c6:d6:72:c1
+dst_mac_addr = fe:65:b7:03:50:bd
+{% if tsg_access_type == 4 %}
+[tfe0]
+enabled = 1
+dev_eth_symbol = {{ ATCA_data_incoming.vf1_name }}
+ip_addr = 192.168.100.1
+{% elif tsg_running_type == 2 %}
+[tfe0]
+enabled = {{ kni.tfe_nodes.tfe0_enabled }}
+dev_eth_symbol = {{ nic_to_tfe.tfe0.name }}
+ip_addr = 192.168.100.2
+
+[tfe1]
+enabled = {{ kni.tfe_nodes.tfe1_enabled }}
+dev_eth_symbol = {{ nic_to_tfe.tfe1.name }}
+ip_addr = 192.168.100.3
+
+[tfe2]
+enabled = {{ kni.tfe_nodes.tfe2_enabled }}
+dev_eth_symbol = {{ nic_to_tfe.tfe2.name }}
+ip_addr = 192.168.100.4
+{% endif %}
+
+[tfe_cmsg_receiver]
+listen_eth = {{ nic_inner_ctrl.name }}
+listen_port = 2475
+
+[watch_dog]
+switch = {{ kni.watch_dog.switch }}
+listen_eth = {{ nic_inner_ctrl.name }}
+listen_port = 2476
+keepalive_idle = 2
+keepalive_intvl = 1
+keepalive_cnt = 3
+
+[marsio]
+appsym = knifw
+
+[dup_traffic]
+switch = 1
+action = 2
+capacity = 10000000
+error_rate = 0.00001
+expiry_time = 60
+
+[traceid2pme_htable]
+mho_screen_print_ctrl = 0
+mho_thread_safe = 1
+mho_mutex_num = 160
+mho_hash_slot_size = 640000
+mho_hash_max_element_num = 2560000
+mho_expire_time = 30
+mho_eliminate_type = LRU
+
+#per thread
+[tuple2stream_htable]
+mho_screen_print_ctrl = 0
+mho_thread_safe = 0
+mho_mutex_num = 160
+mho_hash_slot_size = 80000
+mho_hash_max_element_num = 320000
+mho_expire_time = 0
+mho_eliminate_type = LRU
+
+[field_stat]
+remote_switch = 1
+remote_ip = 127.0.0.1
+remote_port = 58100
+local_path = ./fs2_kni.status
+stat_cycle = 1
+print_mode = 1
+# 1:FS_OUTPUT_STATSD; 2:FS_OUTPUT_INFLUX_LINE
+statsd_format = 2
+APP_NAME = fs2_kni
+
+#self test Shunt rules security policy id
+[tsg_diagnose]
+enabled = 1
+security_policy_id = 3,10
+
+
+[ssl_dynamic_bypass]
+enabled = 1
+
+#kni dynamic bypass
+[traceid2sslinfo_htable]
+mho_screen_print_ctrl = 0
+mho_thread_safe = 1
+mho_mutex_num = 160
+mho_hash_slot_size = 80000
+mho_hash_max_element_num = 320000
+mho_expire_time = 300
+mho_eliminate_type = FIFO
+
+[sslinfo2bypass_htable]
+mho_screen_print_ctrl = 0
+mho_thread_safe = 1
+mho_mutex_num = 160
+mho_hash_slot_size = 640000
+mho_hash_max_element_num = 2560000
+mho_expire_time = 300
+mho_eliminate_type = FIFO
+
+[proxy_tcp_option]
+enabled = 1
+maat_table_compile = PXY_TCP_OPTION_COMPILE
+maat_table_addr = PXY_TCP_OPTION_ADDR
+maat_table_fqdn = PXY_TCP_OPTION_SERVER_FQDN
+enable_override = 0
+client_tcp_maxseg_enable = 0
+client_tcp_maxseg = 1460
+client_tcp_nodelay =  1
+client_tcp_ttl = 70
+client_tcp_keepalive_enable = 1
+client_tcp_keepalive_keepcnt = 8
+client_tcp_keepalive_keepidle = 30
+client_tcp_keepalive_keepintvl = 15
+client_tcp_user_timeout = 600
+server_tcp_maxseg_enable = 0
+server_tcp_maxseg = 1460
+server_tcp_nodelay = 1
+server_tcp_ttl = 75
+server_tcp_keepalive_enable = 1
+server_tcp_keepalive_keepcnt = 8
+server_tcp_keepalive_keepidle = 30
+server_tcp_keepalive_keepintvl = 15
+server_tcp_user_timeout = 600
+bypass_duplicated_packet = 0
+tcp_passthrough = 0
+
+[share_session_attribute]
+SESSION_ATTRIBUTE_LABEL=TSG_MASTER_INTERNAL_LABEL

roles/mrzcpd/files/memory.conf

@@ -0,0 +1,2 @@
+[Service]
+MemoryMax=100G

roles/mrzcpd/tasks/main.yml

@@ -0,0 +1,186 @@
+---
+- name: "copy mrzcpd to destination server"
+  synchronize:
+    src: "{{ role_path }}/files/"
+    dest: "/tmp/ansible_deploy/"
+
+- name: "install mrzcpd"
+  yum:
+    name: /tmp/ansible_deploy/mrzcpd-4.3.28.2d13de4-1.el7.x86_64.rpm
+    state: present
+
+- name: "update sysconfig/mrzcpd"
+  template:
+    src: "{{ role_path }}/templates/mrzcpd.j2"
+    dest: /etc/sysconfig/mrzcpd
+
+- name: "update mrglobal.conf - traffic_mirror"
+  template:
+    src: "{{ role_path }}/templates/traffic_mirror/mrglobal.conf.traffic_mirror.j2"
+    dest: /opt/mrzcpd/etc/mrglobal.conf
+  when: nic_traffic_mirror is defined
+
+
+- name: "copy mrapp.sapp4.conf to destination server"
+  template:
+    src: "{{ role_path }}/templates/mrapp.sapp4.conf "
+    dest: /opt/mrzcpd/etc/mrapp.sapp4.conf 
+  when: 
+    - tsg_access_type == 4
+
+- name: "update mrglobal.conf.adc_inline"
+  template:
+    src: "{{ role_path }}/templates/adc_inline/mrglobal.conf.adc_inline.j2"
+    dest: /opt/mrzcpd/etc/mrglobal.conf
+  when: 
+    - nic_traffic_mirror is not defined
+    - tsg_access_type == 1
+    - tsg_running_type == 2
+
+- name: "update mrglobal.conf.server_inline"
+  template:
+    src: "{{ role_path }}/templates/server_inline/mrglobal.conf.server_inline.j2"
+    dest: /opt/mrzcpd/etc/mrglobal.conf
+  when: 
+    - nic_traffic_mirror is not defined
+    - tsg_access_type == 1
+    - tsg_running_type != 2
+
+- name: "update mrglobal.conf.allot - mcn0"
+  template:
+    src: "{{ role_path }}/templates/allot_access/mrglobal.conf.allot_access.j2"
+    dest: /opt/mrzcpd/etc/mrglobal.conf
+  when: 
+    - nic_traffic_mirror is not defined
+    - tsg_access_type == 2
+
+- name: "update mrglobal.conf.adc_tun_mode - mcn0"
+  template:
+    src: "{{ role_path }}/templates/adc_tun_mode/mrglobal.conf.adc_tun_mode.j2"
+    dest: /opt/mrzcpd/etc/mrglobal.conf
+  when: 
+    - nic_traffic_mirror is not defined
+    - tsg_access_type == 3
+
+
+- name: "update mrglobal.conf.ATCA_Vlan_Flipping"
+  template:
+    src: "{{ role_path }}/templates/ATCA_Vlan_Flipping/mrglobal.conf.ATCA_Vlan_Flipping.j2"
+    dest: /opt/mrzcpd/etc/mrglobal.conf
+  when: 
+    - nic_traffic_mirror is not defined
+    - tsg_access_type == 4
+
+- name: "update mrglobal.conf.ATCA_VXLAN"
+  template:
+    src: "{{ role_path }}/templates/ATCA_VXLAN/mrglobal.conf.ATCA_VXLAN.j2"
+    dest: /opt/mrzcpd/etc/mrglobal.conf
+  when:
+    - nic_traffic_mirror is not defined
+    - tsg_access_type == 5
+
+- name: "update mrtunnat.conf.adc_inline"
+  template:
+    src: "{{ role_path }}/templates/adc_inline/mrtunnat.conf.adc_inline.j2"
+    dest: /opt/mrzcpd/etc/mrtunnat.conf
+  when: 
+    - nic_traffic_mirror is not defined
+    - tsg_access_type == 1
+    - tsg_running_type == 2 
+
+- name: "update mrtunnat.conf.server_inline"
+  template:
+    src: "{{ role_path }}/templates/server_inline/mrtunnat.conf.server_inline.j2"
+    dest: /opt/mrzcpd/etc/mrtunnat.conf
+  when: 
+    - nic_traffic_mirror is not defined
+    - tsg_access_type == 1
+    - tsg_running_type != 2 
+
+- name: "update mrtunnat.conf.allot_access - mcn0"
+  template:
+    src: "{{ role_path }}/templates/allot_access/mrtunnat.conf.allot_access.j2"
+    dest: /opt/mrzcpd/etc/mrtunnat.conf
+  when: 
+    - nic_traffic_mirror is not defined
+    - tsg_access_type == 2
+
+- name: "update mrtunnat.conf.adc_tun_mode - mcn0"
+  template:
+    src: "{{ role_path }}/templates/adc_tun_mode/mrtunnat.conf.adc_tun_mode.j2"
+    dest: /opt/mrzcpd/etc/mrtunnat.conf
+  when: 
+    - nic_traffic_mirror is not defined
+    - tsg_access_type == 3
+
+- name: "update mrtunnat.conf.ATCA_Vlan_Flipping"
+  template:
+    src: "{{ role_path }}/templates/ATCA_Vlan_Flipping/mrtunnat.conf.ATCA_Vlan_Flipping.j2"
+    dest: /opt/mrzcpd/etc/mrtunnat.conf
+  when: 
+    - nic_traffic_mirror is not defined
+    - tsg_access_type == 4
+
+- name: "update mrtunnat.conf.ATCA_VXLAN"
+  template:
+    src: "{{ role_path }}/templates/ATCA_VXLAN/mrtunnat.conf.ATCA_VXLAN.j2"
+    dest: /opt/mrzcpd/etc/mrtunnat.conf
+  when:
+    - nic_traffic_mirror is not defined
+    - tsg_access_type == 5
+
+- name: "enable mrenv"
+  systemd:
+    name: mrenv
+    enabled: yes
+    daemon_reload: yes
+  when: 
+    - tsg_access_type != 0
+
+- name: "enable mrzcpd"
+  systemd:
+    name: mrzcpd
+    enabled: yes
+    daemon_reload: yes
+  when: 
+    - tsg_access_type != 0
+
+- name: "enable mrtunnat on master"
+  systemd:
+    name: mrtunnat
+    enabled: yes
+    daemon_reload: yes
+  when: 
+    - nic_traffic_mirror is not defined
+    - tsg_access_type != 0
+
+- name: "disable mrtunnat on slave"
+  systemd:
+    name: mrtunnat
+    enabled: no
+    daemon_reload: yes
+  when: nic_traffic_mirror is defined
+
+- name: "copy memory limit file to tfe.service.d"
+  copy:
+    src: "{{ role_path }}/files/memory.conf"
+    dest: /etc/systemd/system/mrzcpd.service.d/
+    mode: 0644
+
+- name: "mask mrzcpd on server_tun_mode"
+  systemd:
+    name: mrzcpd
+    enabled: no
+    masked: yes
+    daemon_reload: yes
+  when: 
+    - tsg_access_type == 0
+
+- name: "mask mrtunnat on server_tun_mode"
+  systemd:
+    name: mrtunnat
+    enabled: no
+    masked: yes
+    daemon_reload: yes
+  when: 
+    - tsg_access_type == 0

roles/mrzcpd/templates/ATCA_VXLAN/mrglobal.conf.ATCA_VXLAN.j2

@@ -0,0 +1,57 @@
+[device]
+device={{ATCA_data_incoming.vf0_name}},{{ ATCA_data_incoming.vf1_name }},vxlan_user,vxlan_fwd
+sz_tunnel=8192
+sz_buffer=32
+
+[device:{{ATCA_data_incoming.vf0_name}}]
+mtu=4096
+clear_tx_flags=1
+hw_strip_crc=1
+in_addr={{ ATCA_VXLAN.keepalive_ip }}
+in_mask={{ ATCA_VXLAN.keepalive_mask }}
+#rssmode=3
+
+[device:{{ ATCA_data_incoming.vf1_name }}]
+mtu=4096
+clear_tx_flags=1
+vlan-filter=1
+vlan-strip=1
+vlan-id-allow=4095
+vlan-pvid=0
+vlan-pvid-mode=2
+hw_strip_crc=1
+sz_tunnel=8192
+sz_buffer=0
+
+[service]
+# lcore id for i/o service, use comma to split
+iocore={{ mrzcpd.iocore }}
+distmode=1
+hashmode=0
+idle_threshold=10000
+
+[eal]
+virtaddr=0x7f40c4a00000
+loglevel=7
+
+[keepalive]
+check_spinlock=0
+
+[ctrlzone]
+ctrlzone0=tunnat,64
+
+[pool]
+create_mode=3
+sz_direct_pktmbuf=4194304
+sz_indirect_pktmbuf=8192
+sz_cache=256
+sz_data=4096
+
+[forward]
+nr_forward_rule=6
+forward_rule_0=pv,{{ATCA_data_incoming.vf0_name}},{{ATCA_data_incoming.vf0_name}}
+forward_rule_1=vp,{{ATCA_data_incoming.vf0_name}},{{ATCA_data_incoming.vf0_name}}
+forward_rule_2=vv,vxlan_fwd,vxlan_user
+forward_rule_3=vv,vxlan_user,vxlan_fwd
+forward_rule_4=pv,{{ ATCA_data_incoming.vf1_name }},{{ ATCA_data_incoming.vf1_name }}
+forward_rule_5=vp,{{ ATCA_data_incoming.vf1_name }},{{ ATCA_data_incoming.vf1_name }}

roles/mrzcpd/templates/ATCA_VXLAN/mrtunnat.conf.ATCA_VXLAN.j2

@@ -0,0 +1,20 @@
+[tunnat]
+lcore_id={{ mrtunnat.lcore_id }}
+appsym=tunnat
+phydev={{ATCA_data_incoming.vf0_name}}
+virtdev=vxlan_fwd
+nr_max_sessions=524280
+nr_slots=1048576
+expire_time=60
+reverse_tunnel=0
+use_recent_tunnel=0
+use_link_info_table=1
+use_tuple4_as_sskey=0
+ctrlzone_addr_info_type=2
+idle_threshold=10000
+
+[vlan_flipping]
+enable=0
+c_router_vlan_id_0=1000
+i_router_vlan_id_0=1001
+en_mac_flipping_0=0

roles/mrzcpd/templates/ATCA_Vlan_Flipping/mrglobal.conf.ATCA_Vlan_Flipping.j2

@@ -0,0 +1,60 @@
+[device]
+device={{ATCA_data_incoming.vf0_name}},{{ ATCA_data_incoming.vf1_name }},vxlan_user,vxlan_fwd
+sz_tunnel=8192
+sz_buffer=32
+
+[device:{{ATCA_data_incoming.vf0_name}}]
+mtu=4096
+clear_tx_flags=1
+vlan-filter=1
+vlan-strip=1
+vlan-id-allow={{ ATCA_VlanFlipping.vlanID_1 }},{{ ATCA_VlanFlipping.vlanID_2 }},{{ ATCA_VlanFlipping.vlanID_3 }},{{ ATCA_VlanFlipping.vlanID_4 }}
+vlan-pvid=0
+vlan-pvid-mode=2
+hw_strip_crc=1
+#rssmode=3
+
+[device:{{ ATCA_data_incoming.vf1_name }}]
+mtu=4096
+clear_tx_flags=1
+vlan-filter=1
+vlan-strip=1
+vlan-id-allow=4095
+vlan-pvid=0
+vlan-pvid-mode=2
+hw_strip_crc=1
+sz_tunnel=8192
+sz_buffer=0
+
+[service]
+# lcore id for i/o service, use comma to split
+iocore={{ mrzcpd.iocore }}
+distmode=1
+hashmode=0
+idle_threshold=10000
+
+[eal]
+virtaddr=0x7f40c4a00000
+loglevel=7
+
+[keepalive]
+check_spinlock=0
+
+[ctrlzone]
+ctrlzone0=tunnat,64
+
+[pool]
+create_mode=3
+sz_direct_pktmbuf=4194304
+sz_indirect_pktmbuf=8192
+sz_cache=256
+sz_data=4096
+
+[forward]
+nr_forward_rule=6
+forward_rule_0=pv,{{ATCA_data_incoming.vf0_name}},{{ATCA_data_incoming.vf0_name}}
+forward_rule_1=vp,{{ATCA_data_incoming.vf0_name}},{{ATCA_data_incoming.vf0_name}}
+forward_rule_2=vv,vxlan_fwd,vxlan_user
+forward_rule_3=vv,vxlan_user,vxlan_fwd
+forward_rule_4=pv,{{ ATCA_data_incoming.vf1_name }},{{ ATCA_data_incoming.vf1_name }}
+forward_rule_5=vp,{{ ATCA_data_incoming.vf1_name }},{{ ATCA_data_incoming.vf1_name }}

roles/mrzcpd/templates/ATCA_Vlan_Flipping/mrtunnat.conf.ATCA_Vlan_Flipping.j2

@@ -0,0 +1,23 @@
+[tunnat]
+lcore_id={{ mrtunnat.lcore_id }}
+appsym=tunnat
+phydev={{ATCA_data_incoming.vf0_name}}
+virtdev=vxlan_fwd
+nr_max_sessions=524280
+nr_slots=1048576
+expire_time=60
+reverse_tunnel=0
+use_recent_tunnel=0
+use_link_info_table=1
+use_tuple4_as_sskey=0
+ctrlzone_addr_info_type=2
+idle_threshold=10000
+
+[vlan_flipping]
+enable=1
+c_router_vlan_id_0={{ ATCA_VlanFlipping.vlanID_1 }}
+i_router_vlan_id_0={{ ATCA_VlanFlipping.vlanID_2 }}
+en_mac_flipping_0=0
+c_router_vlan_id_1={{ ATCA_VlanFlipping.vlanID_3 }}
+i_router_vlan_id_1={{ ATCA_VlanFlipping.vlanID_4 }}
+en_mac_flipping_1=0

roles/mrzcpd/templates/adc_inline/mrglobal.conf.adc_inline.j2

@@ -0,0 +1,67 @@
+[device]
+device={{nic_data_incoming.name}},{{nic_to_tfe.tfe0.name}},{{nic_to_tfe.tfe1.name}},{{nic_to_tfe.tfe2.name}},vxlan_user,vxlan_fwd
+sz_tunnel=8192
+sz_buffer=0
+
+[device:{{nic_data_incoming.name}}]
+in_addr={{inline_device_config.keepalive_ip}}
+in_mask={{inline_device_config.keepalive_mask}}
+jumbo_frame=1
+max_rx_pkt_len=15360
+clear_tx_flags=1
+vlan-filter=1
+vlan-id-allow=1000,1001,4000,4001
+
+[device:{{nic_to_tfe.tfe0.name}}]
+jumbo_frame=1
+max_rx_pkt_len=15360
+clear_tx_flags=1
+promisc=1
+
+[device:{{nic_to_tfe.tfe1.name}}]
+jumbo_frame=1
+max_rx_pkt_len=15360
+clear_tx_flags=1
+promisc=1
+
+[device:{{nic_to_tfe.tfe2.name}}]
+jumbo_frame=1
+max_rx_pkt_len=15360
+clear_tx_flags=1
+promisc=1
+
+[service]
+# lcore id for i/o service, use comma to split
+iocore={{ mrzcpd.iocore }}
+distmode=2
+hashmode=0
+
+[eal]
+virtaddr=0x7f40c4a00000
+loglevel=7
+
+[keepalive]
+check_spinlock=0
+
+[ctrlzone]
+ctrlzone0=tunnat,64
+
+[pool]
+create_mode=3
+sz_direct_pktmbuf=4194304
+sz_indirect_pktmbuf=8192
+sz_cache=256
+sz_data=4096
+
+[forward]
+nr_forward_rule=10
+forward_rule_0=pv,{{nic_data_incoming.name}},{{nic_data_incoming.name}}
+forward_rule_1=vp,{{nic_data_incoming.name}},{{nic_data_incoming.name}}
+forward_rule_2=vv,vxlan_fwd,vxlan_user
+forward_rule_3=vv,vxlan_user,vxlan_fwd
+forward_rule_4=pv,{{nic_to_tfe.tfe0.name}},{{nic_to_tfe.tfe0.name}}
+forward_rule_5=vp,{{nic_to_tfe.tfe0.name}},{{nic_to_tfe.tfe0.name}}
+forward_rule_6=pv,{{nic_to_tfe.tfe1.name}},{{nic_to_tfe.tfe1.name}}
+forward_rule_7=vp,{{nic_to_tfe.tfe1.name}},{{nic_to_tfe.tfe1.name}}
+forward_rule_8=pv,{{nic_to_tfe.tfe2.name}},{{nic_to_tfe.tfe2.name}}
+forward_rule_9=vp,{{nic_to_tfe.tfe2.name}},{{nic_to_tfe.tfe2.name}}

roles/mrzcpd/templates/adc_inline/mrtunnat.conf.adc_inline.j2

@@ -0,0 +1,21 @@
+[tunnat]
+lcore_id={{ mrtunnat.lcore_id }}
+appsym=tunnat
+phydev={{nic_data_incoming.name}}
+virtdev=vxlan_fwd
+nr_max_sessions=524280
+nr_slots=1048576
+expire_time=60
+reverse_tunnel=0
+use_recent_tunnel=0
+use_tuple4_as_sskey=1
+ctrlzone_addr_info_type=2
+
+[vlan_flipping]
+enable=1
+c_router_vlan_id_0=1000
+i_router_vlan_id_0=1001
+en_mac_flipping_0=0
+c_router_vlan_id_1=4000
+i_router_vlan_id_1=4001
+en_mac_flipping_1=0

roles/mrzcpd/templates/adc_tun_mode/mrglobal.conf.adc_tun_mode.j2

@@ -0,0 +1,68 @@
+[device]
+device={{nic_data_incoming.name}},{{nic_to_tfe.tfe0.name}},{{nic_to_tfe.tfe1.name}},{{nic_to_tfe.tfe2.name}},vxlan_user,vxlan_fwd
+sz_tunnel=8192
+sz_buffer=0
+
+[device:{{nic_data_incoming.name}}]
+jumbo_frame=1
+max_rx_pkt_len=15360
+clear_tx_flags=1
+vlan-filter=1
+vlan-id-allow=1000,1001,2000,2001,4000,4001
+vlan-pvid=0
+vlan-pvid-mode=2
+promisc=1
+
+[device:{{nic_to_tfe.tfe0.name}}]
+jumbo_frame=1
+max_rx_pkt_len=15360
+clear_tx_flags=1
+promisc=1
+
+[device:{{nic_to_tfe.tfe1.name}}]
+jumbo_frame=1
+max_rx_pkt_len=15360
+clear_tx_flags=1
+promisc=1
+
+[device:{{nic_to_tfe.tfe2.name}}]
+jumbo_frame=1
+max_rx_pkt_len=15360
+clear_tx_flags=1
+promisc=1
+
+[service]
+# lcore id for i/o service, use comma to split
+iocore={{ mrzcpd.iocore }}
+distmode=2
+hashmode=0
+
+[eal]
+virtaddr=0x7f40c4a00000
+loglevel=7
+
+[keepalive]
+check_spinlock=0
+
+[ctrlzone]
+ctrlzone0=tunnat,64
+
+[pool]
+create_mode=3
+sz_direct_pktmbuf=4194304
+sz_indirect_pktmbuf=8192
+sz_cache=256
+sz_data=4096
+
+[forward]
+nr_forward_rule=10
+forward_rule_0=pv,{{nic_data_incoming.name}},{{nic_data_incoming.name}}
+forward_rule_1=vp,{{nic_data_incoming.name}},{{nic_data_incoming.name}}
+forward_rule_2=vv,vxlan_fwd,vxlan_user
+forward_rule_3=vv,vxlan_user,vxlan_fwd
+forward_rule_4=pv,{{nic_to_tfe.tfe0.name}},{{nic_to_tfe.tfe0.name}}
+forward_rule_5=vp,{{nic_to_tfe.tfe0.name}},{{nic_to_tfe.tfe0.name}}
+forward_rule_6=pv,{{nic_to_tfe.tfe1.name}},{{nic_to_tfe.tfe1.name}}
+forward_rule_7=vp,{{nic_to_tfe.tfe1.name}},{{nic_to_tfe.tfe1.name}}
+forward_rule_8=pv,{{nic_to_tfe.tfe2.name}},{{nic_to_tfe.tfe2.name}}
+forward_rule_9=vp,{{nic_to_tfe.tfe2.name}},{{nic_to_tfe.tfe2.name}}

roles/mrzcpd/templates/adc_tun_mode/mrtunnat.conf.adc_tun_mode.j2

@@ -0,0 +1,24 @@
+[tunnat]
+lcore_id={{ mrtunnat.lcore_id }}
+appsym=tunnat
+phydev={{nic_data_incoming.name}}
+virtdev=vxlan_fwd
+nr_max_sessions=524280
+nr_slots=1048576
+expire_time=60
+reverse_tunnel=0
+use_recent_tunnel=0
+use_tuple4_as_sskey=1
+ctrlzone_addr_info_type=2
+
+[vlan_flipping]
+enable=1
+c_router_vlan_id_0=1000
+i_router_vlan_id_0=1001
+en_mac_flipping_0=0
+c_router_vlan_id_1=2000
+i_router_vlan_id_1=2001
+en_mac_flipping_1=0
+c_router_vlan_id_2=4000
+i_router_vlan_id_2=4001
+en_mac_flipping_2=0

roles/mrzcpd/templates/allot_access/mrglobal.conf.allot_access.j2

@@ -0,0 +1,69 @@
+[device]
+device=ens1f4,ens1f5,ens1f6,ens1f7,vxlan_user,vxlan_fwd
+sz_tunnel=8192
+sz_buffer=0
+
+[device:ens1f4]
+jumbo_frame=1
+max_rx_pkt_len=15360
+clear_tx_flags=1
+vlan-filter=1
+vlan-id-allow={{ AllotAccess.virturlID_1 }},{{ AllotAccess.virturlID_2 }},4000,4001,1000,1001
+vlan-pvid=0
+vlan-pvid-mode=2
+promisc=1
+
+[device:ens1f5]
+jumbo_frame=1
+max_rx_pkt_len=15360
+clear_tx_flags=1
+promisc=1
+
+[device:ens1f6]
+jumbo_frame=1
+max_rx_pkt_len=15360
+clear_tx_flags=1
+promisc=1
+
+[device:ens1f7]
+jumbo_frame=1
+max_rx_pkt_len=15360
+clear_tx_flags=1
+promisc=1
+
+[service]
+# lcore id for i/o service, use comma to split
+iocore={{ mrzcpd.iocore }}
+distmode=2
+hashmode=0
+
+[eal]
+virtaddr=0x7f40c4a00000
+loglevel=7
+
+[keepalive]
+check_spinlock=0
+
+[ctrlzone]
+ctrlzone0=tunnat,64
+
+[pool]
+create_mode=3
+sz_direct_pktmbuf=4194304
+sz_indirect_pktmbuf=8192
+sz_cache=256
+sz_data=4096
+
+[forward]
+nr_forward_rule=10
+forward_rule_0=pv,ens1f4,ens1f4
+forward_rule_1=vp,ens1f4,ens1f4
+forward_rule_2=vv,vxlan_fwd,vxlan_user
+forward_rule_3=vv,vxlan_user,vxlan_fwd
+forward_rule_4=pv,ens1f5,ens1f5
+forward_rule_5=vp,ens1f5,ens1f5
+forward_rule_6=pv,ens1f6,ens1f6
+forward_rule_7=vp,ens1f6,ens1f6
+forward_rule_8=pv,ens1f7,ens1f7
+forward_rule_9=vp,ens1f7,ens1f7
+

roles/mrzcpd/templates/allot_access/mrtunnat.conf.allot_access.j2

@@ -0,0 +1,25 @@
+[tunnat]
+lcore_id={{ mrtunnat.lcore_id }}
+appsym=tunnat
+phydev=ens1f4
+virtdev=vxlan_fwd
+nr_max_sessions=524280
+nr_slots=1048576
+expire_time=60
+reverse_tunnel=0
+use_recent_tunnel=0
+use_tuple4_as_sskey=1
+ctrlzone_addr_info_type=2
+
+[vlan_flipping]
+enable=1
+c_router_vlan_id_0={{ AllotAccess.virturlID_1 }}
+i_router_vlan_id_0={{ AllotAccess.virturlID_2 }}
+en_mac_flipping_0=1
+c_router_vlan_id_1=1000
+i_router_vlan_id_1=1001
+en_mac_flipping_1=0
+c_router_vlan_id_2=4000
+i_router_vlan_id_2=4001
+en_mac_flipping_2=0
+

roles/mrzcpd/templates/mrapp.sapp4.conf

@@ -0,0 +1,2 @@
+[bpfdump:vxlan_user]
+enable=1

roles/mrzcpd/templates/mrzcpd.j2

@@ -0,0 +1,3 @@
+MRZCPD_ROOT=/opt/mrzcpd
+HUGEPAGE_NUM_2M=16384
+DEFAULT_UIO_MODULE="igb_uio"

roles/mrzcpd/templates/server_inline/mrglobal.conf.server_inline.j2

@@ -0,0 +1,47 @@
+[device]
+device={{inline_device_config.data_incoming}},vxlan_user,vxlan_fwd
+sz_tunnel=8192
+sz_buffer=0
+
+[device:{{inline_device_config.data_incoming}}]
+in_addr={{inline_device_config.keepalive_ip}}
+in_mask={{inline_device_config.keepalive_mask}}
+jumbo_frame=1
+max_rx_pkt_len=15360
+clear_tx_flags=1
+
+#[device:]
+#jumbo_frame=1
+#max_rx_pkt_len=15360
+#clear_tx_flags=1
+#promisc=1
+
+[service]
+# lcore id for i/o service, use comma to split
+iocore={{ mrzcpd.iocore }}
+distmode=2
+hashmode=0
+
+[eal]
+virtaddr=0x7f40c4a00000
+loglevel=7
+
+[keepalive]
+check_spinlock=0
+
+[ctrlzone]
+ctrlzone0=tunnat,64
+
+[pool]
+create_mode=3
+sz_direct_pktmbuf=4194304
+sz_indirect_pktmbuf=8192
+sz_cache=256
+sz_data=4096
+
+[forward]
+nr_forward_rule=4
+forward_rule_0=pv,{{inline_device_config.data_incoming}},{{inline_device_config.data_incoming}}
+forward_rule_1=vp,{{inline_device_config.data_incoming}},{{inline_device_config.data_incoming}}
+forward_rule_2=vv,vxlan_fwd,vxlan_user
+forward_rule_3=vv,vxlan_user,vxlan_fwd

roles/mrzcpd/templates/server_inline/mrtunnat.conf.server_inline.j2

@@ -0,0 +1,18 @@
+[tunnat]
+lcore_id={{ mrtunnat.lcore_id }}
+appsym=tunnat
+phydev={{inline_device_config.data_incoming}}
+virtdev=vxlan_fwd
+nr_max_sessions=524280
+nr_slots=1048576
+expire_time=60
+reverse_tunnel=0
+use_recent_tunnel=0
+use_tuple4_as_sskey=1
+ctrlzone_addr_info_type=2
+
+[vlan_flipping]
+enable=0
+c_router_vlan_id_0=1000
+i_router_vlan_id_0=1001
+en_mac_flipping_0=0

roles/mrzcpd/templates/traffic_mirror/mrglobal.conf.traffic_mirror.j2

@@ -0,0 +1,27 @@
+[device]
+device={{nic_traffic_mirror.name}}
+sz_tunnel=8192
+sz_buffer=0
+
+[device:{{nic_traffic_mirror.name}}]
+jumbo_frame=1
+max_rx_pkt_len=15360
+clear_tx_flags=1
+promisc=1
+
+[service]
+iocore={{ mrzcpd.iocore }}
+
+[eal]
+virtaddr=0x7d0000000000
+loglevel=7
+
+[keepalive]
+check_spinlock=1
+
+[pool]
+create_mode=3
+sz_direct_pktmbuf=4194304
+sz_indirect_pktmbuf=8192
+sz_cache=256
+sz_data=4096

roles/packet_dump/files/packet_dump.service

@@ -0,0 +1,19 @@
+[Unit]
+Description=packet dump service
+After=After=network.target
+
+[Service]
+Type=fork
+WorkingDirectory=/home/mesasoft/packet_dump
+ExecStart=/home/mesasoft/packet_dump/packet_dump
+TimeoutSec=60s
+RestartSec=10s
+Restart=always
+LimitNOFILE=524288
+LimitNPROC=infinity
+LimitCORE=infinity
+TasksMax=infinity
+Delegate=yes
+
+[Install]
+WantedBy=multi-user.target

roles/packet_dump/tasks/main.yml

@@ -0,0 +1,28 @@
+- name: "copy packet_dump rpm to destination server"
+  copy:
+    src: "{{ role_path }}/files/packet_dump-1.0.4.82e85d1-2.el7.x86_64.rpm"
+    dest: /tmp/ansible_deploy/
+
+- name: "copy  packet_dump.service to destination server"
+  copy:
+    src: "{{ role_path }}/files/packet_dump.service"
+    dest: /usr/lib/systemd/system
+    mode: 0755
+
+- name: "install packet_dump rpm from localhost"
+  yum:
+    name:
+      - /tmp/ansible_deploy/packet_dump-1.0.4.82e85d1-2.el7.x86_64.rpm
+    state: present
+
+- name: "Template the packet_dump.conf"
+  template:
+    src: "{{ role_path }}/templates/packet_dump.conf.j2"
+    dest: /home/mesasoft/packet_dump/conf/packet_dump.conf 
+  tags: template
+ 
+- name: "start packet_dump"
+  systemd:
+    name: packet_dump.service
+    enabled: yes
+    daemon_reload: yes

roles/packet_dump/templates/packet_dump.conf.j2

@@ -0,0 +1,14 @@
+[KAFKA]
+BROKER_LIST={{ log_kafkabrokers.address }}
+
+[SYSTEM]
+NIC_NAME={{ nic_mgr.name }}
+LOG_LEVEL={{ packet_dump_log_level }}
+LOG_PATH=log/packet_dump
+
+[breakpad]
+disable_coredump=0
+enable_breakpad=1
+breakpad_minidump_dir=/tmp/packet_dump/crashreport
+enable_breakpad_upload=0
+breakpad_upload_url={{ breakpad_upload_url }}